articles/frontdoor/origin-authentication-with-managed-identities.md
13 additions & 10 deletions
@@ -13,7 +13,7 @@ ms.date: 05/12/2025
13
13
14
14
Managed identities provided by Microsoft Entra ID enables your Azure Front Door Standard/Premium instance to securely access other Microsoft Entra protected resources, such as Azure Blob Storage, without the need to manage credentials. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
15
15
16
-
After you enable managed identity for Azure Front Door and granting the managed identity necessary permissions to your origin, Front Door will use the managed identity to obtain an access token from Microsoft Entra ID for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme. Front Door caches the token until it expires.
16
+
After you enable managed identity for Azure Front Door and granting the managed identity necessary permissions to your origin, Front Door will use the managed identity to obtain an access token from Microsoft Entra ID for accessing the specified resource. After successfully obtaining the token, Front Door will set the value of the token in the Authorization header using the Bearer scheme and then forward the request to the origin. Front Door caches the token until it expires.
17
17
18
18
> [!Note]
19
19
> This feature is not currently supported for private link enabled origins within Front Door.
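Review bot: the rewritten paragraph still does not say what happens to an Authorization header the client already sent. Since Front Door "set[s] the value of the token in the Authorization header" and then forwards the request, state explicitly whether a client-supplied Authorization header is replaced, so readers know the origin only ever sees the Entra ID bearer token and cannot rely on the client's own credential reaching it. While editing this line, also fix the grammar carried over from the removed version: "After you enable managed identity for Azure Front Door and granting the managed identity necessary permissions" should read "After you enable managed identity for Azure Front Door and grant the managed identity the necessary permissions", and in the unchanged context line above, "Managed identities provided by Microsoft Entra ID enables" should be "enable".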
@@ -68,7 +68,11 @@ Before setting up managed identity for Azure Front Door, ensure you have an Azur
68
68
## Associating the identity to an Origin Group
69
69
70
70
> [!Note]
71
-
> The association will not work if the origin group contains any origins with private link enabled and/or the forwarding/accepted/health probe protocol is set to HTTP.
71
+
> The association will only work if
72
+
> 1) the origin group does not contain any origins with private link enabled.
73
+
> 2) the health probe protocol is set to 'HTTPS' under origin group settings.
74
+
> 3) the forwarding protocol is set to 'HTTPS Only' under route settings.
75
+
> 4) the forwarding protocol is set to 'HTTPS Only' in case you are using a 'Route configuration override' action in rulesets.
72
76
73
77
1. Navigate to your existing Azure Front Door profile and open origin groups.
74
78
2. Select an existing origin group which has origins already configured.
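Review bot: the new list drops the accepted-protocol condition that the removed line carried ("forwarding/accepted/health probe protocol is set to HTTP"); items 2 to 4 constrain the health probe and forwarding protocols only. That is consistent with the tips section later in this change, and it is defensible because accepted protocols govern the client-to-Front Door leg while the token travels on the Front Door-to-origin leg, but readers of the previous text will wonder, so say so in the note or keep an explicit item for it. The four conditions must all hold, yet the list is not joined as one: end items 1 to 3 with a semicolon and put "and" before item 4, use the "1." marker the numbered steps below already use rather than "1)", replace "in case you are using" with "if you use", and format setting names the way the rest of the article does (**HTTPS Only**, not 'HTTPS Only'). It is also worth stating that only **HTTPS Only** satisfies items 3 and 4, not a forwarding protocol that matches the incoming request, since such a route can still reach the origin over HTTP.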
@@ -80,8 +84,6 @@ Before setting up managed identity for Azure Front Door, ensure you have an Azur
80
84
81
85
:::image type="content" source="./media/managed-identity/origin-auth.png" alt-text="Screenshot of associating the identity to an origin group.":::
82
86
83
-
84
-
85
87
## Providing access at the origin resource
86
88
1. Navigate to the management page of your origin resource. For example, if the origin is an Azure Blob Storage, go to that Storage Account management page.
87
89
@@ -90,18 +92,19 @@ Before setting up managed identity for Azure Front Door, ensure you have an Azur
90
92
91
93
2. Go to the **Access Control (IAM)** section and click on **Add**. Choose **Add role assignment** from the dropdown menu.
92
94
:::image type="content" source="./media/managed-identity/add-role-assignment-menu.png" alt-text="Screenshot of access control settings.":::
93
-
3. Under **Job function roles** in the **Roles** tab, select an appropriate role (for example, Storage Blob Data Reader or Storage Blob Data Contributor) from the list and then select **Next**.
95
+
3. Under **Job function roles** in the **Roles** tab, select an appropriate role (for example, Storage Blob Data Reader) from the list and then select **Next**.
94
96
:::image type="content" source="./media/managed-identity/storage-job-function-roles.png" alt-text="Screenshot of Roles tab under Add role assignment.":::
95
97
4. In the **Members** tab, under the **Assign access to**, choose **Managed identity** and then click on **Select members**.
96
98
:::image type="content" source="./media/managed-identity/members.png" alt-text="Screenshot of Members tab under Add role assignment.":::
97
99
5. The **Select managed identities** window opens. Choose the subscription where your Front Door is located and under **Managed identity** dropdown, choose **Front Door and CDN profiles**. Under the **Select** dropdown, choose the managed identity created for your Front Door. Click on the **Select** button in the bottom.
98
100
6. Select **Review and assign** and then select **Review and assign** once more after the validation is complete.
99
101
100
102
101
-
## Common Troubleshooting Tips
102
-
*Error during origin group configuration.
103
-
* Ensure that health probe protocol is set to HTTPS.
104
-
* Ensure that forwarding protocol and accepted protocols within route settings are HTTPS.
103
+
## Tips while using origin authentication
104
+
*If you are facing errors during origin group configuration,
105
+
* Ensure that the health probe protocol is set to HTTPS.
106
+
* Ensure that forwarding protocol within route settings and/or route configuration override settings (in rulesets) is set to 'HTTPS Only'.
105
107
* Ensure that there are no private link enabled origins within the origin group.
106
-
* Access Denied: Verify that the Managed Identity has the appropriate role assigned to access the origin resource.
108
+
*If you see 'Access Denied; responses from origin, verify that the Managed Identity has the appropriate role assigned to access the origin resource.
107
109
* Transition from SAS Tokens for Storage: If transitioning from SAS tokens to Managed Identities, follow a step-wise approach to avoid downtime. Enable Managed Identity, associate it with the origin, and then stop using SAS tokens.
110
+
* After you enable origin authentication in origin group settings, you should not directly disable/delete the identities from the Identity settings under Front Door portal, nor directly delete the user-assigned managed identity under the Managed Identity portal. Doing so will cause origin authentication to fail immediately. Instead, if you want to stop using the origin authentication feature or want to delete/disable the identities, first disable the access restrictions under the Access Control (IAM) section of the origin resource so that the origin is accessible without the need of a managed identity or Entra ID token. Then disable origin authentication under Front Door origin group settings. Wait for some time for the configuration to be updated and then delete/disable the identity if required.
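Review bot: "disable the access restrictions under the Access Control (IAM) section of the origin resource so that the origin is accessible without the need of a managed identity or Entra ID token" in the last added bullet conflates two things. Access Control (IAM) holds the role assignment created in steps 2 to 6 above; removing it revokes the identity's access but does not make the origin reachable without a token. Whatever lets the origin accept unauthenticated requests (for Blob Storage, anonymous access on the account and container) is a separate setting, so name that setting and give the order as: allow unauthenticated access at the origin, disable origin authentication in the origin group, confirm traffic is healthy, then remove the role assignment and the identity. The same bullet says "Wait for some time"; give the expected propagation window or a way to confirm the configuration has applied. Smaller fixes in the added lines: "'Access Denied; responses" has a mismatched quote and should be "'Access Denied' responses"; "*If you are facing errors" (like the removed "*Error") lacks the space after the asterisk, so it does not render as a list item, and the "Ensure" bullets below it should be indented as sub-items; "Tips while using origin authentication" reads better as "Tips for using origin authentication". Narrowing the role example in step 3 to Storage Blob Data Reader is a good least-privilege change and needs no further edit.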