Managed Identity for Azure App Services
Published Sep 25 2020 04:53 AM 25.9K Views
Microsoft

Azure App Services supports a useful feature called Managed Identity from Azure Active Directory.
This allows your App Service to connect to Azure resources such as Azure Key Vault, Azure Storage and Azure SQL without storing any credentials in the app. The complete list of resources that support this feature is available in the following document:
Azure Services that support managed identities - Azure AD | Microsoft Docs

You can refer to our documentation for more details on this feature here.

MSI-Validator helps you troubleshoot issues with Managed Identity for Azure App Services.
The link to download this tool is available in the attachments section of the blog.


Installation Steps:

  1. Download the zip file from the attachments.
     Current version - v1.0.0.0
  2. Extract it to a local folder.
  3. Drag and drop "msi-validator.exe" into the Kudu console of the App Service (https://<webapp-name>.scm.azurewebsites.net).
     [Screenshot: 01 - Download and installation.png]

Commands:

  1. To get an access token:
     msi-validator get-token -r <resource>

     Valid arguments for resource = keyvault, storage, sql
     Sample:
     msi-validator get-token -r keyvault
     msi-validator get-token -r storage
     msi-validator get-token -r sql
  2. To test the connection to a resource using that token:
     msi-validator test-connection -r <resource> -e <endpoint>

     Valid arguments for resource = keyvault, storage, sql

     Sample:

     msi-validator test-connection -r "keyvault" -e "https://<keyvault-name>.vault.azure.net/secrets/<secret-key>"
     msi-validator test-connection -r storage -e https://<storage-name>.blob.core.windows.net/<container-name>/<blob-path>
     msi-validator test-connection -r sql -e "Data Source=<server-name>.database.windows.net;Initial Catalog=<database-name>;"
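To make clear what `get-token` does behind the scenes, here is an added example (written for this page; it is not code from the MSI-Validator project). It builds the request that a Windows App Service worker sends to its local managed-identity endpoint (the `MSI_ENDPOINT` URL with the `MSI_SECRET` value in a `Secret` header, API version 2017-09-01, which is the variant the Troubleshooting section refers to) and then decodes the returned JWT so you can check its `aud`, `oid` and remaining lifetime. The three resource identifiers are the well-known Azure AD audiences for Key Vault, Storage and SQL; the sample token at the bottom is constructed, not a real token.

```python
"""Added example: what `msi-validator get-token` does on an App Service worker that
exposes MSI_ENDPOINT / MSI_SECRET. Not part of the MSI-Validator project."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# Audiences the three `-r` aliases stand for (well-known Azure AD resource identifiers).
RESOURCE_IDS = {
    "keyvault": "https://vault.azure.net",
    "storage": "https://storage.azure.com/",
    "sql": "https://database.windows.net/",
}

MSI_API_VERSION = "2017-09-01"  # the version paired with MSI_ENDPOINT / MSI_SECRET


def build_token_request(resource_alias, msi_endpoint, msi_secret):
    """Return (url, headers) for the local managed-identity token endpoint.

    The endpoint is only reachable from the worker itself; the Secret header is
    what proves the caller is the app, which is why MSI_SECRET must never leave
    the instance (do not log it, do not paste it into tickets).
    """
    if resource_alias not in RESOURCE_IDS:
        raise ValueError("resource must be one of: " + ", ".join(RESOURCE_IDS))
    query = urllib.parse.urlencode(
        {"resource": RESOURCE_IDS[resource_alias], "api-version": MSI_API_VERSION}
    )
    return f"{msi_endpoint}?{query}", {"Secret": msi_secret}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Read the payload of an access token WITHOUT verifying its signature.

    That is fine for troubleshooting (inspecting aud/exp/oid); the target
    resource, not this code, is what validates the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_jwt(claims):
    """Build a structurally valid JWT with an empty signature (constructed sample data only)."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def summarize_token(token, now=None):
    """Pull out the claims that matter when a resource rejects the token."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    return {
        "aud": claims.get("aud"),                  # must match the resource you call
        "oid": claims.get("oid"),                  # object id of the managed identity
        "appid": claims.get("appid"),              # client id of the identity
        "seconds_left": int(claims["exp"] - now),  # the MSI back end caches the token until this hits zero
    }


def fetch_token(resource_alias):
    """Live call; only works on an App Service worker where the variables are set."""
    endpoint, secret = os.environ["MSI_ENDPOINT"], os.environ["MSI_SECRET"]
    url, headers = build_token_request(resource_alias, endpoint, secret)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    if "MSI_ENDPOINT" in os.environ and "MSI_SECRET" in os.environ:
        print(summarize_token(fetch_token("keyvault")))
    else:
        # Constructed sample token so the inspection can be demonstrated offline.
        sample = make_unsigned_jwt({
            "aud": RESOURCE_IDS["keyvault"],
            "oid": "00000000-0000-0000-0000-000000000000",   # placeholder object id
            "appid": "11111111-1111-1111-1111-111111111111",  # placeholder client id
            "exp": 1_700_003_600,
        })
        print(summarize_token(sample, now=1_700_000_000))
```

The `seconds_left` value is the practical side of the token-cache note further down the page: permission changes made on the resource are not reflected in a token the back end has already cached, so if `aud` and `oid` look right but access is still denied, compare the remaining lifetime with when the permission was granted.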

Troubleshooting:

  1. From the Identity blade of the App Service, ensure that Managed Identity is turned on.
     [Screenshot: 00 - check in azure portal.png]
  2. Navigate to the Kudu console (https://<webapp-name>.scm.azurewebsites.net) > Environment section and search for MSI (Ctrl + F).
     [Screenshot: 02 - check env variables.png]

     The environment variables "MSI_ENDPOINT" and "MSI_SECRET" are set automatically once Managed Identity is enabled.

  3. Run the command "msi-validator get-token -r <resource>" and check whether a token is returned.
     [Screenshot: 03 - inspect the token.png]
     An access token should be returned.
     If it is not, the MSI service on the instance is unable to reach Azure Active Directory to fetch a token.

     Things to check:

     • Does the App Service have regional VNet Integration, or is the app in an ASE?
       Are there any User Defined Routes on the subnet to which the App Service is integrated?
       If yes, is the device to which the traffic is force-tunneled blocking any Azure Active Directory dependency?
     • Do you still face the issue if Managed Identity is disabled and enabled again?

  4. Run the command msi-validator test-connection -r <resource> -e "<endpoint>" and check whether data is returned from the resource; otherwise inspect the error message.

     KeyVault:
     From the error message below, we see that the App Service doesn't have the necessary permissions to access the Key Vault.
     [Screenshot: 04 - keyvault issue.png]
     Resolution:
     1. Navigate to the Access Policies blade of the Key Vault in the Azure Portal.
     2. Click on "+ Add Access Policy".
        [Screenshot: 05 - keyvault select access policies.png]
     3. Provide the necessary permissions.
        [Screenshot: 06 - select permissions.png]
     4. Choose the service principal (the name of the App Service).
        [Screenshot: 07 - select service principal.png]

Storage:

[Screenshot: 08 - storage issue.png]

Resolution:
Navigate to Access Control (IAM) > Add role assignment and choose the necessary storage-related role. The roles should be configured according to your application's use case; grant only the data-plane role the app actually needs.
[Screenshot: 09 - storage role assginments.png]
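The following is an added example of the `test-connection` step for Key Vault and Blob Storage, written for this page rather than taken from the MSI-Validator project. It builds the read request each resource expects with a bearer token and maps the HTTP outcome to the resolution described on this page (403 on Key Vault points at a missing access policy, 403 on Storage at a missing role assignment, 401 at the token itself). The REST API versions and the status-code mapping are this example's own assumptions. SQL is reached through a connection string rather than HTTP, so for it the example only classifies the "Login failed for user '<token-identified principal>'" message quoted in the SQL section and in the comments below.

```python
"""Added example: a test-connection probe for Key Vault and Blob Storage plus a
classifier that turns the result into the likely cause. Not MSI-Validator code."""
import urllib.error
import urllib.request

# REST API versions used for the probe (assumed; any currently supported version behaves the same).
KEYVAULT_API_VERSION = "7.0"
STORAGE_API_VERSION = "2019-07-07"  # bearer auth on Blob needs x-ms-version >= 2017-11-09


def build_resource_request(resource, endpoint, access_token):
    """Return (url, headers) for a read of the given secret or blob using the token."""
    headers = {"Authorization": f"Bearer {access_token}"}
    if resource == "keyvault":
        sep = "&" if "?" in endpoint else "?"
        return f"{endpoint}{sep}api-version={KEYVAULT_API_VERSION}", headers
    if resource == "storage":
        headers["x-ms-version"] = STORAGE_API_VERSION
        return endpoint, headers
    raise ValueError("this probe handles keyvault and storage only")


def diagnose(resource, status, body=""):
    """Map an HTTP outcome to the troubleshooting step on this page that applies."""
    if status == 200:
        return "OK: the identity can read the resource"
    if status == 401:
        return "Token rejected: check the token's aud/exp and that Managed Identity is enabled"
    if status == 403 and resource == "keyvault":
        return "Forbidden: add an access policy (or RBAC role) for the app's service principal"
    if status == 403 and resource == "storage":
        return "Forbidden: assign a Storage data role (e.g. Storage Blob Data Reader) via Access Control (IAM)"
    if status == 404:
        return "Not found: the endpoint path is wrong or the secret/blob does not exist"
    return f"Unexpected HTTP {status}: {body[:200]}"


def diagnose_sql_error(message):
    """The SQL path uses a connection string, not HTTP; classify the error text instead."""
    if "Login failed for user" in message and "token-identified principal" in message:
        return "Contained user missing: run CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER"
    return "Unrecognised SQL error: " + message


def probe_connection(resource, endpoint, access_token):
    """Live probe; returns (status, diagnosis). Needs network access to the resource."""
    url, headers = build_resource_request(resource, endpoint, access_token)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, diagnose(resource, resp.status)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return err.code, diagnose(resource, err.code, body)


if __name__ == "__main__":
    # Constructed outcomes so the classifier can be exercised offline.
    for res, status in (("keyvault", 403), ("storage", 403), ("keyvault", 401), ("storage", 200)):
        print(res, status, "->", diagnose(res, status))
    print(diagnose_sql_error(
        "Unable to connect to SQL. Exception : Login failed for user '<token-identified principal>'"))
```

To run it against a real resource, pass a token obtained from the managed-identity endpoint to `probe_connection("keyvault", "https://<keyvault-name>.vault.azure.net/secrets/<secret-key>", token)`; the returned status is the same signal the screenshots above show.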

SQL:
The application can fail while connecting to Azure SQL using MSI with the error message: "Unable to connect to SQL. Exception : Login failed for user '<token-identified principal>'"

[Screenshot: 10 - sql issue.png]

Resolution:
If you want, you can add the identity to an Azure AD group, then grant SQL Database access to the Azure AD group instead of the identity. For example, the following commands add the app's managed identity to a new group called myAzureSQLDBAccessGroup:

groupid=$(az ad group create --display-name myAzureSQLDBAccessGroup --mail-nickname myAzureSQLDBAccessGroup --query objectId --output tsv)
msiobjectid=$(az webapp identity show --resource-group myResourceGroup --name <app-name> --query principalId --output tsv)
az ad group member add --group $groupid --member-id $msiobjectid
az ad group member list -g $groupid

In the Cloud Shell, sign in to SQL Database using the sqlcmd command. Replace <server-name> with your server name, <db-name> with the database name your app uses, and <aad-user-name> and <aad-password> with your Azure AD user's credentials (this user needs permission to create users in the database).

sqlcmd -S <server-name>.database.windows.net -d <db-name> -U <aad-user-name> -P "<aad-password>" -G -l 30

In the SQL prompt for the database you want, run the following commands to grant the permissions your app needs. For example:

CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];
GO

<identity-name> is the name of the managed identity in Azure AD. If the identity is system-assigned, the name is always the same as the name of your App Service app. To grant permissions to an Azure AD group, use the group's display name instead (for example, myAzureSQLDBAccessGroup). Add the identity only to the roles your app needs; db_ddladmin is shown here for completeness, not as a default.

Type EXIT to return to the Cloud Shell prompt.
The back-end services of managed identities also maintain a token cache that refreshes the token for a target resource only when it expires. If you make a mistake configuring your SQL Database permissions and fix them after your app has already requested a token, you will not get a new token reflecting the updated permissions until the cached token expires.

Modify connection string

Remember that the same changes you made in Web.config or appsettings.json work with the managed identity, so the only thing left to do is to remove the existing connection string in App Service, which Visual Studio created when you deployed your app the first time. Use the following command, replacing <app-name> with the name of your app.

az webapp config connection-string delete --resource-group myResourceGroup --name <app-name> --setting-names MyDbConnection


You can refer to our official documentation regarding this at Tutorial: Access data with managed identity - Azure App Service | Microsoft Docs


GitHub Link :

https://github.com/vijaysaayi/MSI-Validator/tree/master

9 Comments
Microsoft

Is this available for checking in Linux machines?

Copper Contributor

There's no file to download?


Microsoft

Hello @visundar, currently the tool is supported for Windows-based App Services only.

@SunnyLiu: You can download the zip file from the attachments section, which is under the GitHub link: msi-validator v1.0.0.0.zip

Copper Contributor

Thanks for creating the tool. I have followed the steps to create the "contained user" with a name that matches that of the function app and added it to the roles. However, I'm still getting back "Login failed for user '<token-identified principal>'". I wonder if there's any way to find out why?

Microsoft

@BizTalkers: I understand that you are using a function app to connect to SQL Server and you are getting the error message "Login failed for user '<token-identified principal>'". You have provided access to a newly created user with the same name as the function app.

I assume that you are using a system-assigned identity and hence you are using the name of the web app as the issue. In case you are using a user-assigned identity, the name of the user that you create in Azure SQL Server should be the name of the identity.

Are you able to get a token from App Service? If so, this isolates that App Service is able to reach out to Azure AD to get a token.

We need to understand why Azure SQL Server says login failed for the user.

A few things to check at this point are:
1. Is the connection string valid?

2. Are we passing the token when we make the request to Azure SQL Server?

3. We need to review the configuration of the user to understand the cause of the issue.


Microsoft

The exe file is missing from the zip attachment. Could you restore it?

Microsoft
Copper Contributor

Does this work for User Assigned Identity?

Microsoft

Hello,

Just in case someone is wondering, it looks like there is a second version of MSI Validator available here: https://github.com/vijaysaayi/MSI-Validator/tree/master

The .exe is not available, so you have to manually download the SLN project and build it in Visual Studio.

This version works with user-assigned identities.

Version history
Last update:
Sep 30 2020 07:51 AM
Updated by: