# Azure FHIR Server Integration & Access Management

Medbackend leverages Azure's native authentication protocols to securely interact with FHIR servers across environments.
## Core Authentication Architecture

Medbackend implements Azure Identity credentials with these components:

- Development: uses Azure CLI-derived tokens via `DefaultAzureCredential()`
- Production: uses Managed Identity with automatic token rotation
- Client: `fhirpy`, configured with token refresh capabilities
```python
# Preserved client initialization example
from azure.identity import DefaultAzureCredential
from fhirpy import AsyncFHIRClient

FHIR_SCOPE = "https://azurehealthcareapis.com/.default"
credential = DefaultAzureCredential()
# get_token() returns AccessToken(token, expires_on); fhirpy wants the header value
access_token = credential.get_token(FHIR_SCOPE)

client = AsyncFHIRClient(
    url=settings.fhir.base_url,  # `settings` is Medbackend's application config object
    authorization=f"Bearer {access_token.token}",
)
# The header value is fixed here: re-fetch and reassign before access_token.expires_on
```
## Development Environment Setup

### Prerequisite Access Configuration

Portal Method:

- Open the FHIR service → Access Control (IAM)
- Add Role Assignment → FHIR Data Contributor
- Assign to: `User@domain.com`
## Production Deployment Configuration

### Managed Identity Activation

- Enable the system-assigned identity for the App Service
- Grant FHIR Data Contributor at the workspace level

ARM Template Snippet:

```json
{
  "type": "Microsoft.Web/sites",
  "identity": {
    "type": "SystemAssigned"
  }
}
```
## Cross-Environment Validation

### FHIR Endpoint Verification

```python
async def health_check(client):
    # Round-trips one authenticated request through the configured client:
    # a 401/403 here points at the token or role assignment, a timeout at reachability
    return await client.resources("CapabilityStatement").fetch()
```
## Security Best Practices

- Credential Layering:

  ```python
  import os
  from azure.identity import DefaultAzureCredential

  DefaultAzureCredential(
      exclude_cli_credential=is_production(),  # is_production(): Medbackend's own environment check
      managed_identity_client_id=os.getenv("AZURE_CLIENT_ID"),
  )
  ```

- Token Lifetime Management:
  - Development: 1-hour CLI tokens
  - Production: 24-hour managed identity tokens

- Audit Logging:

  ```bash
  az monitor diagnostic-settings create \
    --name "<settings-name>" \
    --resource "<fhir-service-id>" \
    --logs '[{"category": "AuditLogs", "enabled": true}]' \
    --workspace "<log-analytics-id>"
  ```
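The client initialization above passes a one-shot token, while the token lifetimes listed here differ by environment. The helper below is added here and is not Medbackend's code: it caches the token and re-fetches it shortly before `expires_on`, with the same credential callable for the CLI-backed development credential and the production managed identity. `BearerTokenProvider`, the 300-second refresh margin and `refresh_client_authorization` are assumptions, and the `AccessToken` tuple only mirrors the shape `azure.identity` returns so the example runs without the SDK installed.

```python
import time
from typing import Callable, NamedTuple

# Scope used by the client example above (Azure Health Data Services FHIR)
FHIR_SCOPE = "https://azurehealthcareapis.com/.default"


class AccessToken(NamedTuple):
    """Same (token, expires_on) shape azure.identity returns; redefined here
    so the example runs without the SDK installed (constructed stand-in)."""
    token: str
    expires_on: int  # Unix seconds


class BearerTokenProvider:
    """Caches one access token and re-fetches it before it expires.

    get_token is any callable with the credential signature used above,
    e.g. DefaultAzureCredential().get_token. refresh_margin is the number of
    seconds before expiry at which the cached token counts as stale, so a
    request never carries a token that lapses mid-call.
    """

    def __init__(self, get_token: Callable[[str], AccessToken], scope: str = FHIR_SCOPE,
                 refresh_margin: int = 300, clock: Callable[[], float] = time.time) -> None:
        self._get_token = get_token
        self._scope = scope
        self._margin = refresh_margin
        self._clock = clock  # injectable so tests can simulate the passage of time
        self._cached = None
        self.refresh_count = 0  # observable for tests and metrics

    def _is_stale(self) -> bool:
        return self._cached is None or self._cached.expires_on - self._clock() <= self._margin

    def token(self) -> str:
        if self._is_stale():
            self._cached = self._get_token(self._scope)
            self.refresh_count += 1
        return self._cached.token

    def authorization_header(self) -> str:
        # fhirpy's `authorization=` argument takes the full header value
        return f"Bearer {self.token()}"


def refresh_client_authorization(client, provider: BearerTokenProvider) -> str:
    """Call before each request; assumes fhirpy reads the header value from
    the client's `authorization` attribute, which it set from the constructor."""
    client.authorization = provider.authorization_header()
    return client.authorization
```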
## Troubleshooting Guide

| Symptom | Diagnostic Command |
|---|---|
| 403 Forbidden | `az role assignment list --assignee <principal>` |
| Token Expiry | `az account get-access-token -o json` |
| Connection Timeout | `tcping <fhir-server> 443` |