I’m in a situation where I’m not sure how to proceed. In our application landscape, we’re implementing Managed Identities for our microservices. Currently, I’m working on an API (API-1) where I grant access to the database and other resources based on a System Assigned Managed Identity. However, this API also needs to retrieve some of its data from another API (API-2) with delegated user_impersonation permissions.
I can retrieve a token on behalf of the user in API-1 using the following code:
// MSAL.NET (Microsoft.Identity.Client). Confidential client for API-1's app registration,
// authenticated with a client secret.
var builder = ConfidentialClientApplicationBuilder
    .Create(clientInformation.ClientId)
    .WithAuthority($"https://login.microsoftonline.com/{clientInformation.TenantId}")
    .WithClientSecret(clientSecret);
// The access token the caller presented to API-1 becomes the user assertion for the on-behalf-of flow.
var userAssertion = new UserAssertion(currentAccessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer");
var application = builder.Build();
// Exchange the user assertion for a token scoped to API-2.
var onBehalfOfBuilder = application.AcquireTokenOnBehalfOf(scopes, userAssertion);
var authenticationResult = await onBehalfOfBuilder.ExecuteAsync(cancellationToken).ConfigureAwait(false);
return authenticationResult.AccessToken;
However, this code uses an AppRegistration (ClientId/ClientSecret), and minimizing the use of ClientSecrets is precisely what we aim for with the implementation of Managed Identities. Is there a piece of code or configuration where we can retrieve a token on behalf of the Managed Identity for the user, utilizing the delegated user_impersonation permission? The only thing I can find is setting Application permissions on the Managed Identity using a PowerShell script.
Question 1: Is it possible to assign delegated permissions to a Managed Identity?
Question 2: Am I making a conceptual mistake by attempting to retrieve a token from a backend API using delegated permissions?
2 Answers
No.
Not necessarily, on-behalf-of flow is meant for this scenario.
Managed Identities do not support on-behalf-of.
You can only request a token for a certain resource from the Managed Identity endpoint; it's not possible to specify the token you received.
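Neither answer shows what to do about the secret, so the following is an added example (it is not from the question or either answer) of the pattern that keeps the on-behalf-of flow but replaces the client secret with API-1's system-assigned Managed Identity, used as a federated identity credential for the app registration. It assumes a recent MSAL.NET (Microsoft.Identity.Client with the ManagedIdentityApplicationBuilder and client-assertion-callback APIs), an app registration for API-1 that has a federated identity credential configured to trust that Managed Identity, the public-cloud token-exchange audience api://AzureADTokenExchange (sovereign clouds use a different one), and that API-1's app registration has been granted the delegated user_impersonation permission on API-2. The class and parameter names are my own:

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: on-behalf-of without a client secret. The Managed Identity supplies the
// client credential (as a federated credential), the app registration still owns the
// delegated permission, and the user assertion flows through exactly as before.
public sealed class ApiTwoTokenProvider
{
    private readonly IManagedIdentityApplication _managedIdentity;
    private readonly IConfidentialClientApplication _app;

    // clientId and tenantId identify API-1's app registration (assumed parameter names).
    public ApiTwoTokenProvider(string clientId, string tenantId)
    {
        // API-1 runs with a system-assigned Managed Identity; nothing to store or rotate.
        _managedIdentity = ManagedIdentityApplicationBuilder
            .Create(ManagedIdentityId.SystemAssigned)
            .Build();

        _app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            // Replaces WithClientSecret: whenever MSAL needs a client credential it calls
            // back here, and we return a Managed Identity token whose audience is Entra's
            // token-exchange endpoint. Entra accepts it as the app's credential because the
            // app registration carries a federated identity credential trusting this identity.
            .WithClientAssertion(async (AssertionRequestOptions options) =>
            {
                var miResult = await _managedIdentity
                    .AcquireTokenForManagedIdentity("api://AzureADTokenExchange")
                    .ExecuteAsync(options.CancellationToken)
                    .ConfigureAwait(false);
                return miResult.AccessToken;
            })
            .Build();
    }

    // On-behalf-of: exchange the token the caller presented to API-1 for a token for API-2.
    // scopes is e.g. the API-2 scope that carries user_impersonation, as in the question.
    public async Task<string> GetTokenForApiTwoAsync(
        string incomingUserToken, string[] scopes, CancellationToken cancellationToken)
    {
        // Default assertion type is urn:ietf:params:oauth:grant-type:jwt-bearer.
        var userAssertion = new UserAssertion(incomingUserToken);
        var result = await _app
            .AcquireTokenOnBehalfOf(scopes, userAssertion)
            .ExecuteAsync(cancellationToken)
            .ConfigureAwait(false);
        return result.AccessToken;
    }
}
```

Two points worth keeping in mind when reading this: it does not contradict the "No" above, because the delegated permission still lives on the app registration and the Managed Identity only proves the app's identity; and MSAL caches the on-behalf-of result per user assertion, so the callback runs only when a fresh client credential is actually needed. The same callback shape also works with a certificate-signed JWT if a federated credential is not available in your environment.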
Your question 1:
Delegated permissions allow a service or application to act on behalf of a user, typically with user consent. Managed Identities support this scenario through Azure AD's OAuth 2.0 protocol, where the Managed Identity can obtain an access token for a resource with the required delegated permissions.
You can define the required permissions in the Azure AD app registration associated with the resource (API-2).
Configure the access control (IAM) for the resource to grant the Managed Identity the necessary permissions.
Once the permissions are assigned, the Managed Identity can request access tokens for the resource using its identity.
And for your next question:
Retrieving a token from a backend API using delegated permissions is a common scenario, especially in a microservices architecture where services need to interact with each other on behalf of users. This allows your API (API-1) to access resources protected by another API (API-2) on behalf of the signed-in user, without needing to expose sensitive information like client secrets.
To achieve this with Managed Identities, you need to:
Make sure that the Managed Identity associated with API-1 has been granted the necessary delegated permissions to access API-2.
Use the Managed Identity’s credentials to obtain an access token for API-2, specifying the appropriate scopes and using the OAuth 2.0 protocol.
Here is how you can obtain an access token for API-2 using a Managed Identity in C#: