Azure API Management returns status 500 after enabling "Assignment required" on Azure Function Enterprise application properties

I have an application where I need both access via APIM and direct access to the API via Azure AD authentication. After enabling the "Assignment required" toggle I can no longer get an expected response via APIM.

I've gone through the steps of adding an app role in my Azure Function listed here, granting said role to the APIM app registration, and granting that app registration admin consent for the specified role. After granting, the APIM app registration shows in the list of users/applications, as I would expect, in the Enterprise application for the Azure Function it needs to access, but I still receive the status 500 response.

If I toggle "Assignment required" back to "No" I can immediately access the API via APIM again, but the application with direct access to the API is no longer restricted to selected users.

The reason I need access to both the API directly and via APIM is that I am using APIM with certificates to authenticate, whereas I use the API directly with Azure AD authentication. If there is a more efficient way to use both forms of authentication I would be more than willing to go that route; I have, however, yet to see another solution.

It appears from the trace that the Enterprise application ID of the APIM instance does not have access to the Azure Function:

"Authentication failed for Active Directory Tenant: 'https://login.windows.net/'","AADSTS501051: Application ''(ApiManagementProduction) is not assigned to a role for the application ''(FillDataAPIProduction).
Trace ID: fcf459cd-7b76-4e84-a51d-ae5bd0c2ed00
Correlation ID: ad674aa5-4bd8-41fd-a293-ca43f1335c0d
Timestamp: 2022-05-11 19:45:48Z"


Solution 1:[1]

Please check if the steps below help with:

"Authentication failed for Active Directory Tenant: 'https://login.windows.net/'","AADSTS501051: Application ''(ApiManagementProduction) is not assigned to a role for the application"

According to this Microsoft documentation, if a client application hasn't been assigned any app roles, Azure Active Directory returns this kind of error message.

Example: Step 1: Add a new app role on {API GUID}:


Step 2: Assign the app {API GUID} this role and also grant admin consent, so that the app registration ({API GUID}) has a role that lets it create access tokens for the users.

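The two steps above are what the portal does on your behalf; when the error persists it helps to look at the underlying Azure AD objects. AADSTS501051 is raised at token-request time when the service principal that asks for the token holds no app-role assignment (of a role whose allowedMemberTypes includes "Application") on the resource's service principal, so the things to check are the resource app's appRoles and the resource service principal's appRoleAssignedTo list, both of which you can pull from Microsoft Graph (for example with az rest). The Python below is an added example, not code from the question or the answer: it models those two Graph responses with constructed sample data (all GUIDs and names are made up), reproduces the condition behind the error, builds the Graph request that creates the missing assignment, and finally reads the roles claim from a constructed, unsigned token so you can confirm what the client ends up presenting. A point worth keeping in mind while applying it: the principalId must be the object id of the service principal that actually requests the token (an app registration's enterprise app, or APIM's managed identity if the policy uses that), not the application (client) id.

```python
"""Diagnose AADSTS501051 ("not assigned to a role") from Microsoft Graph data.

Added example, not from the original post. The objects below are constructed
samples shaped like the Graph responses for
  GET /applications/{id}?$select=appRoles          (the API's app registration)
  GET /servicePrincipals/{id}/appRoleAssignedTo     (the API's service principal)
All GUIDs and names are made up.
"""
import base64
import json

# Constructed: appRoles from the API app registration's manifest.
APP_ROLE_ID = "11111111-1111-1111-1111-111111111111"
USER_ROLE_ID = "22222222-2222-2222-2222-222222222222"
API_APP_ROLES = [
    {"id": APP_ROLE_ID, "value": "FillData.ReadWrite", "displayName": "FillData access",
     "allowedMemberTypes": ["Application"], "isEnabled": True},
    {"id": USER_ROLE_ID, "value": "FillData.User", "displayName": "Interactive user",
     "allowedMemberTypes": ["User"], "isEnabled": True},
]

# Constructed: object ids of the service principals involved.
API_SP_ID = "aaaaaaaa-0000-0000-0000-000000000001"   # enterprise app of the API
APIM_SP_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # principal that requests the token
OTHER_SP_ID = "cccccccc-0000-0000-0000-000000000003"

# Constructed: appRoleAssignedTo before the fix. APIM is only assigned to a
# User-only role, which does not satisfy a client-credentials token request.
ASSIGNMENTS_BEFORE = [
    {"principalId": APIM_SP_ID, "principalType": "ServicePrincipal",
     "resourceId": API_SP_ID, "appRoleId": USER_ROLE_ID},
]


def application_roles(app_roles):
    """Enabled roles that a service principal (not a user) may hold, keyed by id."""
    return {r["id"]: r for r in app_roles
            if r.get("isEnabled") and "Application" in r.get("allowedMemberTypes", [])}


def diagnose(client_sp_id, app_roles, assignments, resource_sp_id=API_SP_ID):
    """Return the application-role values the client holds on the resource and a verdict."""
    roles_by_id = application_roles(app_roles)
    held = [roles_by_id[a["appRoleId"]]["value"] for a in assignments
            if a["principalId"] == client_sp_id
            and a["resourceId"] == resource_sp_id
            and a["appRoleId"] in roles_by_id]
    verdict = "ok" if held else "AADSTS501051 expected when assignment is required"
    return {"roles": held, "verdict": verdict}


def assignment_request(client_sp_id, resource_sp_id, app_role_id):
    """Graph call that creates the missing assignment (what 'add user/application'
    on the enterprise app does). Needs AppRoleAssignment.ReadWrite.All."""
    return {
        "method": "POST",
        "url": f"https://graph.microsoft.com/v1.0/servicePrincipals/{resource_sp_id}/appRoleAssignedTo",
        "body": {"principalId": client_sp_id, "resourceId": resource_sp_id,
                 "appRoleId": app_role_id},
    }


def roles_in_token(token):
    """Read the 'roles' claim from a JWT payload WITHOUT verifying the signature.
    Only for inspecting a token you obtained yourself; the API must still validate it."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("roles", [])


def _fake_jwt(claims):
    """Constructed, unsigned token for the demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    print("before:", diagnose(APIM_SP_ID, API_APP_ROLES, ASSIGNMENTS_BEFORE))
    fix = assignment_request(APIM_SP_ID, API_SP_ID, APP_ROLE_ID)
    print("fix:", json.dumps(fix, indent=2))
    after = diagnose(APIM_SP_ID, API_APP_ROLES, ASSIGNMENTS_BEFORE + [fix["body"]])
    print("after:", after)
    print("roles claim:", roles_in_token(_fake_jwt({"aud": "api://filldata", "roles": after["roles"]})))
```

If diagnose reports no roles for the principal you expected, compare its principalId against the object id of the enterprise app (or managed identity) your APIM policy authenticates as; an assignment made to a different service principal, or to a role that only allows users, shows up in the portal list but does not satisfy the client-credentials request.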

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: HariKrishnaRajoli-MT