How to assign multiple user-managed-identities to Azure Web App depending on the AD user

New Contributor

I have a single Azure Web App that connects back to Azure Flexible Postgres using AD authentication.


I've managed to add the AD Administrator to Postgres and add two user managed identities as Postgres roles (both of which have different permissions and access to different database tables).


The Azure Web App is set up with Authentication on a single tenant, and I have restricted access to certain AD users/groups within the Enterprise Application.


What I want is to be able to assign the two different user managed identities to different active directory users, who I have granted access to the application. This is to define what data they are able to view within the application (given the different Postgres roles assigned to the two different user managed identities).


However, how do I do this if I add the two user-managed-identities to the Azure Web App? Currently any user who has access to the application can request access tokens for either user managed identity, so long as they know the Object ID of the managed identity.


The access token is being generated within the app by the node version of @azure/identity with the following commands:

const credential = new DefaultAzureCredential({ managedIdentityClientId: '<client-id-of-user-assigned-identity>' })
const accessToken = await credential.getToken("")


This poses an additional question - how would I pass the client ID of the managed identity to the application, depending on the AD user, as I don't wish to hard code this into the application. One assumes if it's possible to link a managed identity to a AD User (as I am seeking to do here), it should be possible to get this dynamically, however I see no option for this within the custom claims options for JWT, and when I try and add custom options (that aren't within the drop down lists), I get an error about adding signing keys.


Is this scenario possible? I really don't want to have to have two applications to manage the two different postgres user permissions!





1 Reply
best response confirmed by motasem13 (Microsoft)
User-Managed-Identities are for applications to use when connecting to resources that support Azure AD authentication. They should not be directly manipulated by AAD Users (User objects) themselves. Applications use managed identities to obtain Azure AD tokens without having to manage any credentials, unlike Users who can manage their own credentials directly. What you should be leveraging are role-based access controls and I would suggest looking at creating custom roles if the out-of-box role based access control permissions don't meet what you are looking for. However, since this is more within the Postgres DB itself, you would be best served utilizing DB roles within Postgres itself: