I am building a web api running in Azure App Service and I need to consume an on-prem legacy api that uses Windows Authentication.
The system owners of this legacy api have published the api using Azure Application Proxy as described in this link - setting Pre-Authentication to AAD. They have also granted an AD system account permission to access the legacy api. This local AD account is synced to AAD.
Finally, we have created an AAD App Registration having user_impersonation permission - according to this link
Now, my problem is that my application is not a public one; it is a confidential web api. Hence there is no logged-in user. As I understand it (?), I somehow need to impersonate this system account when acquiring a token using OAuth 2.0? Using MSAL, the PublicClientApplication has the method AcquireTokenByUsernamePassword.
But again, my application is confidential, not public, so it feels as if I am on the wrong track here.
There must be an easier way to consume this legacy api?
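For reference, this is what the flow the question describes (MSAL.NET's AcquireTokenByUsernamePassword with the synced AD system account, then calling the Application Proxy external URL with the resulting bearer token) looks like in code. It is an added example, not code from the question or from Microsoft; the tenant ID, client ID, scope, external URL, account name and environment variable name are all placeholders that you would replace with your own values.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // MSAL.NET (NuGet: Microsoft.Identity.Client)

class LegacyApiCaller
{
    // Placeholder values (assumptions), not taken from the original question.
    const string TenantId = "<tenant-id>";
    const string ClientId = "<client-id-of-the-app-registration>";
    // The scope exposed by the Application Proxy app (user_impersonation as granted above).
    const string ProxyScope = "<app-id-uri-of-the-app-proxy-app>/user_impersonation";
    // External URL that Application Proxy assigned to the published API (placeholder).
    const string ProxyExternalUrl = "https://legacy-api-contoso.msappproxy.net/api/ping";
    // UPN of the on-prem AD system account that was synced to AAD (placeholder).
    const string ServiceUpn = "svc-legacy@contoso.com";

    static async Task<int> Main()
    {
        // ROPC needs the account's password at runtime; keep it out of source and out of
        // App Service settings that are readable by more people than the api needs.
        string password = Environment.GetEnvironmentVariable("LEGACY_SVC_PASSWORD")
            ?? throw new InvalidOperationException("LEGACY_SVC_PASSWORD is not set");

        // ROPC is only available on a public client, which is why the question ends up
        // with PublicClientApplication even though the caller is a daemon.
        IPublicClientApplication pca = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        AuthenticationResult auth;
        try
        {
            auth = await pca
                .AcquireTokenByUsernamePassword(new[] { ProxyScope }, ServiceUpn, password)
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // ROPC cannot complete MFA, Conditional Access or consent prompts; it fails here.
            Console.Error.WriteLine($"Interactive step required, ROPC cannot proceed: {ex.Message}");
            return 1;
        }
        catch (MsalServiceException ex)
        {
            // Tenant-side rejection (wrong scope, blocked flow, disabled account, ...).
            Console.Error.WriteLine($"Token request rejected by AAD: {ex.ErrorCode} {ex.Message}");
            return 1;
        }

        // Application Proxy pre-authentication validates this bearer token at the edge
        // before anything reaches the on-prem connector.
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", auth.AccessToken);

        using HttpResponseMessage response = await http.GetAsync(ProxyExternalUrl);
        Console.WriteLine($"HTTP {(int)response.StatusCode} {response.ReasonPhrase}");
        Console.WriteLine(await response.Content.ReadAsStringAsync());
        return response.IsSuccessStatusCode ? 0 : 1;
    }
}
```

Two caveats that matter before adopting this as the answer to the question: the flow stores a real AD account's password in the calling service's configuration, and it breaks as soon as that account is subject to MFA or a Conditional Access policy, since username/password grants cannot satisfy either. Whether an app-only (client credentials) token from the confidential client would be accepted instead depends on how the Application Proxy app and its Windows Authentication delegation are configured, which the question does not show.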