Azure AD authentication in Azure Functions

28/03/201903/09/2020
by Martin Ehrnst

Ever had the need to enable Azure Active Directory authentication in Azure Functions? In a recent project, I wanted to use Azure Functions, and I wanted both system-to-system authentication, as well as user-based. As Azure Functions is a part of the app services in Azure. It shares many of the same features. Authentication is one of them.

Enable authentication

The scope for this blog post is not to show you how to build an Azure function, but to enable Azure AD authentication on it. You can add auth to your existing function or create a new one using your method of choice. For simplicity, I will show the process of using the Azure portal.

To enable authentication in Azure Function. Navigate to “Authentication/authorization”. This will open a series of blades which guides you through the process.

If you’re not familiar with Azure AD and custom application registrations, I recommend that you use the Express option. This will create the needed application in AAD for you.

Enable azure ad authentication in azure function

Change to anonymous authentication

By default Azure Function uses something called “Function authentication” This is where all your requests have a code parameter at the end of the URL.

https://my-function-app.azurewebsites.net/api/function-name?code=xyzx-zyxx...

We want to have Azure AD perform authentication and authorization, and not the function itself.

Within the GUI, it’s just a flick of a switch. If you are developing locally, using C# you typically do this:


public static HttpResponseMessage (run 
[HttpTrigger(
   AuthorizationLevel.Anonymous)]
HttpRequestmessage request)
{
   logic
}

Enable user assignment

After changing the authorization level and enable AAD authentication,
all users in your organization will automatically have access. If you want more granular control over who has access to your application, you should enable user assignment.

To enable user assignment. Navigate to enterprise application under AAD, and look up the app created by the wizard. The enterprise app is the service principal representing the application you created. Your Azure Function.

Under properties, find the swith for user assignment and turn it on. Navigate to your function URL and see if it works, meaning access denied.

Later add your own user and verify authentication works through Azure AD.

If you want other applications (clients) to call your function, you will have to assign them API access. The same way you give access to for example Microsoft Graph API, you will find your custom application as well.

This will not work right away – By default, there are no application roles assigned. Only delegated permissions. For client authentication to work, you will need to add custom roles to the app representing your Azure Function. It is not difficult, but I used too much time finding it out. Microsoft has it documented here

Authenticate with code

Chances are that your azure function is not a graphical website. Therefore I assume you want to authenticate using code. Either with your own user, or with a separate application/secret combination (app credentials).

The great thing about this is that it works just as any other Microsoft/Azure APIs. If you know how to get a token from Microsoft, you can use the same techniques against your function. My example below show how to retrieve a token for our azure function, and use that bearer token against the function. I use a client application in this scenario.

Summary

This feature is great. I consider my self as a modern IT operations guy. And operations role these days requires more coding and scripting. It is super easy to expose things on the internet. But remember, it might also be just as easy to secure.
I have no idea on how to implement a authentication layer. And if i can use one of the best, i’m all aboard.

Microsoft killed SCOM internally

Cookdown for SCOM monitor, extend and integrate

22 COMMENTS

Azure token from a customized app registration - Firnco
13/12/2022 at 09:19
[…] to authenticate a customized API the usage of shopper credentials. In truth, I’ve written about how you can do that in the past the place we accessed a customized API constructed on Azure Purposes. Authentication-wise, I […]
Azure token from a custom app registration - adatum
20/01/2022 at 21:57
[…] straightforward to authenticate a custom API using client credentials. In fact, I have written about how to do that previously where we accessed a custom API built on Azure Functions. Authentication-wise, I also wrote a post […]
Azure Ad Api Login - Login Database
17/04/2021 at 23:04
[…] Azure AD authentication in Azure Functions adatum […]
Azure Ad Login Api - Login Database
06/04/2021 at 09:36
[…] Azure AD authentication in Azure Functions adatum […]
Azure Application registrations, Enterprise Apps, and managed identities | adatum
22/03/2021 at 18:52
[…] are a lot more to go through when talking about authentication. How to obtain Azure access tokens or how you add Azure login to your website is not covered here. However, I hope this post made the […]
Homepage
31/08/2020 at 12:15
… [Trackback]

[…] There you will find 16841 more Infos: adatum.no/azure/azure-ad-authentication-in-azure-functions […]
Secured Blazor WebAssembly app hosted as static website – A developer's blog
22/05/2020 at 13:51
[…] https://adatum.no/azure/azure-ad-authentication-in-azure-functions […]
O hai let me wanna-be! pe Trilema - Un blog de Mircea Popescu.
26/04/2020 at 04:12
[…] are seeing this because your blog was recently used as part of a DDOS attack against […]
Abby
12/04/2020 at 10:39
And btw any idea why my exisiting app is not listed on the drop down when I select existing app option
Abby
12/04/2020 at 10:30
Hi i dont know how to get the scopes any idea?
Kiran Pradeep
26/03/2020 at 18:26
Thanks. This post was helpful.
Ankit
20/03/2020 at 15:08
Followed all steps and found that applications which arent given permissions to the custom role can still call the API

Martin Ehrnst
20/03/2020 at 20:03
Hi Ankit. You’re saying that all app registration in your directory can get an access token and access your function?

Gary Howlett
22/01/2020 at 10:02
Great easy to read post – Thanks! For getting the calling user there is a ClaimsPrinciple binding available https://azure.microsoft.com/en-gb/blog/simplifying-security-for-serverless-and-web-apps-with-azure-functions-and-app-service/

Martin Ehrnst
22/01/2020 at 12:34
Thanks Gary. I don’t think that was available when I posted this? Do you happen to know if it is available for PowerShell?

Ankit Vijay
24/10/2019 at 06:50
Great post, perhaps it is good to mention that “Authentication / Authorization” feature is not available for Linux Consumption Plan. I stumble upon this issue while following steps from this post.

Martin Ehrnst
24/10/2019 at 13:17
Thank you Ankit. I did not know that! Is it a documented limitation?

Ankit Vijay
24/10/2019 at 13:30
Hi Martin, it’s not documented. I came across this just today when I was trying add Authentication to my Azure function on Linux Consumption plan.. Windows based Consumption plan worked perfectly..
Ankit Vijay
24/10/2019 at 13:31
Don’t see any way to share the screenshot else I could have share it with for reference.

Martin Ehrnst
24/10/2019 at 19:09
Upload it somwhere and link it. I can check for my self later.

ankitvijay
24/10/2019 at 19:29

It looks like I’m not able to share the link on comment as well.. What’s the best way to share the link with you?
Martin Ehrnst
28/10/2019 at 20:30

Sorry. I forgot this. Ping me on linked in or Twitter