Federated Identity Credential (FIC) with a Managed Service Identity (MSI)
Jean-Marc Prieur edited this page Oct 18, 2024 · 1 revision
Setting up a Federated Identity Credential (FIC) with a Managed Service Identity (MSI) using Microsoft Identity Web involves several steps. Here's a high-level overview to get you started:
1. Create a User-Assigned Managed Identity:
   - In the Azure portal, navigate to your resource group and create a new user-assigned managed identity.

2. Configure Federated Identity Credential:
   - Go to Microsoft Entra ID (formerly Azure AD) and configure a federated identity credential for your managed identity. This involves setting the issuer and subject values to establish a trust relationship with your external identity provider. For details, see "Configure a user-assigned managed identity to trust an external identity provider".

3. Set Up Microsoft Identity Web:
   - In your .NET application, use Microsoft.Identity.Web to handle authentication. You can configure it in your `appsettings.json` file. Here's a sample configuration:

     ```json
     {
       "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "TenantId": "your-tenant-id",
         "ClientId": "your-client-id",
         "ClientCredentials": [
           {
             "SourceType": "SignedAssertionFromManagedIdentity",
             "ManagedIdentityClientId": "your-managed-identity-client-id"
           }
         ]
       }
     }
     ```

4. Code Integration:
   - In your application code, use the Microsoft.Identity.Web library to acquire tokens and call downstream APIs. Here's a basic example for a web app:

     ```csharp
     services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
         .AddMicrosoftIdentityWebApp(Configuration, "AzureAd")
         .EnableTokenAcquisitionToCallDownstreamApi()
         .AddInMemoryTokenCaches();
     ```

     or, for a web API:

     ```csharp
     // A web API validates bearer tokens, so the default scheme is JWT bearer,
     // not OpenID Connect (which is only registered for web apps).
     services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
         .AddMicrosoftIdentityWebApi(Configuration, "AzureAd")
         .EnableTokenAcquisitionToCallDownstreamApi()
         .AddInMemoryTokenCaches();
     ```

     or, for a daemon app:

     ```csharp
     var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
     tokenAcquirerFactory.Services.AddMicrosoftGraph();
     var sp = tokenAcquirerFactory.Build();
     ```

5. Testing and Validation:
   - Ensure your application can successfully acquire tokens and access the required resources using the configured managed identity.
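The following is an added example, not code from this wiki or from the Microsoft Identity Web repository. It turns the daemon snippet and the "Testing and Validation" step above into a small console program: it builds the token acquirer from the `AzureAd` section (assumed to be in an `appsettings.json` next to the executable, with the `SignedAssertionFromManagedIdentity` credential shown above), acquires an app-only token for Microsoft Graph through the managed identity plus federated credential, checks that the resulting token represents the app registration rather than the managed identity, and then makes one app-only Graph call. It assumes the NuGet packages `Microsoft.Identity.Web.TokenAcquisition`, `Microsoft.Identity.Web.GraphServiceClient` and `System.IdentityModel.Tokens.Jwt`; the claim inspection is a local diagnostic only and does not validate the token's signature.

```csharp
// Added example (not from the Microsoft Identity Web wiki or repo).
// Assumes appsettings.json with the "AzureAd" section shown above and the
// packages Microsoft.Identity.Web.TokenAcquisition,
// Microsoft.Identity.Web.GraphServiceClient, System.IdentityModel.Tokens.Jwt.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Graph;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;

class Program
{
    static async Task<int> Main()
    {
        // Same wiring as the daemon snippet above: configuration is read from
        // appsettings.json, Graph client and token acquisition are registered.
        var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
        tokenAcquirerFactory.Services.AddMicrosoftGraph();
        var sp = tokenAcquirerFactory.Build();

        // Step 1: acquire an app-only token. With SignedAssertionFromManagedIdentity
        // the library first obtains a managed-identity token, presents it as the
        // client assertion for the app registration, and returns the app's token.
        ITokenAcquirer tokenAcquirer = tokenAcquirerFactory.GetTokenAcquirer();
        AcquireTokenResult result =
            await tokenAcquirer.GetTokenForAppAsync("https://graph.microsoft.com/.default");
        if (string.IsNullOrEmpty(result.AccessToken))
        {
            Console.Error.WriteLine("No access token returned; check the FIC issuer/subject " +
                                    "and ManagedIdentityClientId in appsettings.json.");
            return 1;
        }

        // Step 2: diagnostic claim check (no signature validation). The token must
        // identify the app registration (ClientId), not the managed identity: if the
        // appid/azp claim equals ManagedIdentityClientId, the federation was skipped
        // or misconfigured and the app is running under the wrong identity.
        string expectedClientId = tokenAcquirerFactory.Configuration["AzureAd:ClientId"] ?? "";
        string miClientId =
            tokenAcquirerFactory.Configuration["AzureAd:ClientCredentials:0:ManagedIdentityClientId"] ?? "";
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(result.AccessToken);
        string? callerAppId = jwt.Claims.FirstOrDefault(c => c.Type == "appid" || c.Type == "azp")?.Value;
        string? tenant = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;

        if (!string.Equals(callerAppId, expectedClientId, StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine($"Token appid/azp is '{callerAppId}', expected app ClientId '{expectedClientId}'.");
            if (string.Equals(callerAppId, miClientId, StringComparison.OrdinalIgnoreCase))
                Console.Error.WriteLine("The token belongs to the managed identity itself; FIC exchange did not happen.");
            return 2;
        }
        Console.WriteLine($"Token issued for app {callerAppId} in tenant {tenant}, expires {result.ExpiresOn:u}.");

        // Step 3: prove the token is usable by calling Graph app-only.
        var graph = sp.GetRequiredService<GraphServiceClient>();
        var users = await graph.Users.GetAsync(r => r.Options.WithAppOnly());
        Console.WriteLine($"Graph call succeeded; first page holds {users?.Value?.Count ?? 0} users.");
        return 0;
    }
}
```

Run it on the Azure compute that hosts the user-assigned managed identity (the managed identity endpoint is not reachable from a developer workstation). The `appid`/`azp` comparison is the useful part of the validation step: a successful token call alone does not show that the federated credential was used, whereas a token whose application id is the managed identity's client id means the app is calling Graph as the wrong principal and any role assignments granted to the app registration are not in effect.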
For detailed steps and additional configurations, you can refer to the Microsoft documentation¹ and the Microsoft Identity Web GitHub page².