App Service Easy Auth (authsettingsV2): Does allowedPrincipals use OR logic between identities and groups for service principal tokens?

折田 菜津子 20 Reputation points
2026-06-30T16:19:22.8633333+00:00

I'm configuring Easy Auth on Azure Logic App Standard with both

allowedPrincipals.identities (APIM Managed Identity) and

allowedPrincipals.groups (Entra ID group) set simultaneously.

The documentation states allowedPrincipals uses logical OR, but when

groups is added, the Managed Identity (app-only token) loses access

even though its oid is listed in identities.

Is this a known limitation? Is there a supported workaround for the

(Managed Identity OR group members) pattern?

Details and feature request:

[Bug] App Service Easy Auth: Managed Identity access breaks when allowedPrincipals.groups is configured alongside allowedPrincipals.identities

Reference repository:

End-to-End MCP Protection with API Management × MCP × OAuth

Azure App Service
Azure App Service

Azure App Service is a service used to create and deploy scalable, mission-critical web apps.


Answer accepted by question author

M A Nakib 261 Reputation points
2026-06-30T16:48:44.29+00:00

Root Cause (confirmed in Microsoft docs)

This is not actually a bug in the OR logic itself — it's a side effect of how Microsoft Entra ID issues claims to service principals (which is what a Managed Identity token is) versus user principals.

From the official Microsoft Entra documentation on optional claims:

"Group optional claims are only emitted in the JWT for user principals. Service principals aren't included in group optional claims emitted in the JWT."Configure and manage optional claims

This means an app-only token from your APIM Managed Identity will never contain a groups claim — period, by design, regardless of what you configure.

Per the Easy Auth allowedPrincipals documentation:

"allowedPrincipals — A group of checks that determine if the principal that the incoming request represents can access the app. Satisfaction of allowedPrincipals is based on a logical OR over its configured properties."Configure your App Service app to use Microsoft Entra sign-in

So in theory, identities (oid match) should independently satisfy the OR even if groups can't be evaluated. What you're hitting is that Easy Auth's validation engine appears to fail-closed when groups is configured but the incoming token has no groups/hasgroups/_claim_names.groups claim at all (as is always the case for app-only/Managed Identity tokens) — instead of correctly skipping that check and falling through to evaluate identities. This matches what you've already filed as a bug, and is consistent with known reports of this exact interaction.


Is there a supported workaround? Yes — use App Roles instead of Groups

Microsoft's own guidance specifically calls this scenario out. From the Managed Identity best practices docs:

"In both cases, for non-human identities such as Microsoft Entra Applications and Managed identities, the exact mechanism of how this authorization information is presented to the application isn't ideally suited today."Managed identity best practice recommendations

And from the Easy Auth docs themselves:

"We recommend basing in-app authorization on application roles rather than groups when: you're developing a new application... and support for nested groups isn't required. Using application roles limits the amount of information that needs to go into the token, is more secure, and separates user assignment from app configuration."

The critical difference: the roles claim (App Roles) IS emitted for service principals, unlike the groups claim, which explicitly excludes them. This is exactly the gap you need to close.

  1. Define an App Role on your Logic App's app registration (e.g. LogicApp.Invoke). → Define an app role
  2. Assign that role to your Entra ID group (so all group members inherit it) — via Enterprise Applications → Users and groups → Add user/group → select your group → assign the role.
  3. Assign the same role directly to the APIM Managed Identity as a service principal — this must be done via Microsoft Graph PowerShell/CLI (the Azure portal UI doesn't support assigning app roles to MIs): → Assign app roles to managed identities
  4. Remove allowedPrincipals.groups entirely from your Easy Auth config — replace the group-based check with allowedApplications (if you want to lock by client app) plus your own lightweight roles claim check in code, since Easy Auth's built-in policy engine doesn't have a native "role" check property — only identities and allowedApplications. You'll validate the roles claim by reading the x-ms-client-principal header or the access token (x-ms-token-aad-access-token) in your workflow/function code:

json

// Example: decoded x-ms-client-principal claims will include
{
  "typ": "roles",
  "val": "LogicApp.Invoke"
}

This pattern works identically for both your Managed Identity and your group members, since both now carry the same roles claim — giving you the effective (Managed Identity OR group members) behavior you originally wanted, just implemented via roles instead of groups.


Summary

Approach Works for MI (app-only)? Works for users in group? Notes
allowedPrincipals.identities only ❌ (can't list every user) Static, doesn't scale
-------- -------- -------- --------
allowedPrincipals.identities only ❌ (can't list every user) Static, doesn't scale
allowedPrincipals.groups only ❌ (no groups claim ever issued) By design per Entra docs
identities + groups together ❌ (your bug) ❌ (breaks per your report) Matches your filed bug
App Roles (roles claim) + custom code check Supported, documented workaround

Yes — keep your feedback item open, since the fail-closed OR behavior with groups + app-only tokens is a legitimate product gap. But for production today, switching to App Roles is the Microsoft-recommended and currently functional path to achieve (Managed Identity OR group members).


References:

Was this answer helpful?

1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Golla Venkata Pavani 6,190 Reputation points Microsoft External Staff Moderator
    2026-06-30T18:16:44.2+00:00

    Hi @折田 菜津子

    Thank you for reaching us regarding the issue.

    User's image

    • identities: An allowlist of string object IDs that represent users or applications that have access. When this property is configured as a nonempty array, the allowedPrincipals requirement can be satisfied if the user or application that the request represents is specified in the list.
      • This policy evaluates the oid claim of the incoming token.
    • groups: The list of the allowed groups (string[]).

    Service Principal / Managed Identity Specifics

    • For daemon/service-to-service calls (app-only tokens, such as those from a Managed Identity or APIM), the documentation recommends using the service principal's object ID in authorization checks. The identities list is the intended mechanism for allowing specific applications.
    • App Service validates the token and checks these rules before passing the request to your app. Failures result in HTTP 403 Forbidden.

    Potential Causes:

    • Service principal tokens (app-only) typically do not include group membership claims in the same way user tokens do.
    • The oid claim must be present and match for identities to satisfy the check (related app setting WEBSITE_AUTH_AAD_REQUIRE_CLIENT_SERVICE_PRINCIPAL is automatically treated as true when allowedPrincipals.identities is used).
    • Ensure your Managed Identity token is an access token with the correct audience, and that the OID listed matches the token's oid claim exactly.

    Recommended Configuration Approach:

    Use the V2 schema under identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedPrincipals:

    "allowedPrincipals": {
      "identities": [ "your-apim-managed-identity-object-id" ],
      "groups": [ "your-entra-id-group-object-id" ]
    } 
    

    Reference:
    https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-configuration
    https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?pivots=deployment-language-bicep

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "upvote" if the information helped you. This will help us and others in the community as well.

    Was this answer helpful?


Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.