Authenticating to Azure Functions using a service principal (part 1)

There are situations where we need to secure a function app but also need to allow other services, rather than interactive users, to call it.  This is where service principals and the OAuth 2.0 client credentials grant come into play.  There are four main steps to do this; I’ll cover the first two here and the rest in another post.

  1. Enable authentication for your function app.
  2. Allow only selected users to log in to the function app (optional)
  3. Create a service principal for your client application
  4. Create a custom role for your function app and add the client service principal to it

Enable authentication for your function app

  1. Navigate to your function app in the portal.
  2. Click on the Platform features tab.
  3. Then click on the Authentication / Authorization link under the Networking group.
Click on platform features and then on Authentication / Authorization
  4. Turn on App Service Authentication.
  5. Set the Action to take when request is not authenticated to Log in with Azure Active Directory.  Anonymous requests will now be redirected to the AAD sign-in page instead of reaching your code.
  6. Click on the Azure Active Directory authentication provider to configure it.
Toggle on/off to turn on authentication, select Azure Active Directory and click on the Azure AD provider.
  7. Select the Express option and press OK.
Select the express option and press OK

Notice the application name in the “Create App” field.  This is filled in for you (you can edit it) and after saving this step, an application object and a service principal with this name will be created in your Azure Active Directory.

  8. Make sure to Save your changes.

There is one more step left in configuring the authentication for your function app.  We need to add our function app’s URL to the Allowed Token Audiences of the AAD provider so that it matches the aud (audience) claim of the token we are going to request from AAD later.  A token whose audience is not in this list is rejected with a 401 even though it is a perfectly valid token from our tenant.

  9. After saving in the previous step, refresh the page in your browser to make sure all the new values are loaded.
  10. Click on Platform features and Authentication / Authorization again.
  11. Select the Azure Active Directory provider again.
  12. This time click on the Advanced option.  All the fields should be filled in.  If they are blank, make sure you did refresh your browser at step 9.
  13. Add another entry to the Allowed Token Audiences that matches your function app’s URL (you can get this from the Overview page of your function app; it has the form https://<your-app>.azurewebsites.net).
  14. Click OK and don’t forget to Save.
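To make the effect of these settings concrete, here is a small Python model of the decisions the platform layer (App Service Authentication) makes in front of the function once this is configured.  It is an added example for this post, not Microsoft’s code: the client ID, tenant ID and function app URL are made-up placeholders, the tokens are constructed locally and unsigned, and signature verification against AAD’s signing keys is deliberately left out, so it only shows the audience, issuer and expiry logic, not a replacement for the real check.

```python
"""Model of the App Service Authentication checks in front of a function app.

Added illustration only (not the platform's code). Placeholder IDs and URL are
assumed values; tokens are constructed and unsigned; no signature verification.
"""
import base64
import json
import time
from typing import List, Optional

# Assumed placeholder values; in practice they come from your portal settings.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"           # app registration client ID (assumed)
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"           # AAD tenant ID (assumed)
FUNCTION_APP_URL = "https://contoso-func.azurewebsites.net"  # URL from the Overview page (assumed)
ISSUER = "https://sts.windows.net/" + TENANT_ID + "/"
LOGIN_URL = "https://login.microsoftonline.com/" + TENANT_ID + "/oauth2/authorize"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demo. Constructed here with no signature;
    a real AAD token is RS256-signed and the platform verifies that signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a claims object")
    return claims


def easy_auth_gate(headers: dict, allowed_audiences: List[str], now: Optional[float] = None) -> dict:
    """Decision made before a request reaches the function:
      302 to the AAD login page when there is no bearer token
          (the "Log in with Azure Active Directory" action),
      401 when the token is malformed, from another issuer, expired, or its
          aud claim is not in the Allowed Token Audiences list,
      200 plus the principal header the function receives otherwise."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 302, "location": LOGIN_URL}
    try:
        claims = decode_claims(auth[len("Bearer "):])
    except ValueError:  # covers binascii.Error and json.JSONDecodeError too
        return {"status": 401, "reason": "malformed token"}
    if claims.get("iss") != ISSUER:
        return {"status": 401, "reason": "wrong issuer"}
    if claims.get("exp", 0) <= now:
        return {"status": 401, "reason": "token expired"}
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed_audiences for a in audiences):
        return {"status": 401, "reason": "audience %r not in Allowed Token Audiences" % (aud,)}
    # Easy Auth forwards the caller's identity to the function in X-MS-CLIENT-PRINCIPAL-* headers.
    return {"status": 200, "headers": {"X-MS-CLIENT-PRINCIPAL-ID": claims.get("oid", "")}}


def _bearer(token: str) -> dict:
    return {"Authorization": "Bearer " + token}


def demo() -> dict:
    """The cases from the post: an anonymous browser, a user token issued for the client ID,
    and a token whose audience is the function app URL, before and after that URL is allowed."""
    exp = time.time() + 3600
    user_token = make_unsigned_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": exp, "oid": "user-object-id"})
    app_url_token = make_unsigned_token({"iss": ISSUER, "aud": FUNCTION_APP_URL, "exp": exp, "oid": "sp-object-id"})
    before = [CLIENT_ID]                   # assumed list before the function app URL is added
    after = [CLIENT_ID, FUNCTION_APP_URL]  # list after the edit above
    return {
        "anonymous": easy_auth_gate({}, after)["status"],
        "client_id_audience": easy_auth_gate(_bearer(user_token), after)["status"],
        "app_url_audience_before": easy_auth_gate(_bearer(app_url_token), before)["status"],
        "app_url_audience_after": easy_auth_gate(_bearer(app_url_token), after)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints the four outcomes.  The 401 versus 200 for the app-URL token is exactly the difference the Allowed Token Audiences edit makes, and it is the reason the edit is needed before the next post: a token requested for the function app’s URL carries that URL as its audience, and the platform rejects it unless the URL is in the list.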

At this point, your function app should only allow authenticated users to call it.  You can test this by navigating to your app URL in a private browsing window: the browser will redirect you to the AAD login page and, after you sign in, your function will be called.  Note that this check sits in front of the function keys (the authLevel of an HTTP trigger); if your function requires a key, both checks still apply.

If you tried to navigate to your function in the step above you might have noticed a consent dialog when logging in, asking you to allow the application to sign you in and read your profile.  This is because at this point your function app is going to receive information about you (your name, object ID and the other claims in your token).

Allow only selected users to log in to the function app (optional)

You might have noticed that you didn’t have to do anything special to get access to your function app in the step above.  That’s because, by default, any user who can sign in to your Azure Active Directory tenant has access to your function.  Often this is not what you want.  Let’s walk through the steps required to change this.

Take a look at the Azure Active Directory blade in the portal.  There are two sections we are interested in, and both have an entry for your function app.

App registrations: This is where your application object lives, i.e. the definition of the app (its client ID, reply URLs and requested permissions).

Enterprise applications: This is where the service principal for this instance of your application lives, together with its settings.  This is where we can specify who has access to this application.

  1. Click on Enterprise applications in the Azure Active Directory blade.
  2. Find your application and click on it.
  3. Click on the Properties section.
  4. Change the User assignment required? option to Yes.
  5. Don’t forget to Save your changes.

At this point, no one should be able to sign in to your function app: AAD refuses to issue a token for the application to anyone who has not been assigned to it.  To fix this, we need to add some users to the application.

  6. Now click on the Users and groups section on the left.
  7. Click on the Add user button on top and add yourself or any group or user that needs access to the function app.

Note that this is different from giving a user access through the Role Based Access Control functionality that is built into Azure.  Azure RBAC controls management of the function app resource itself, such as deploying code, reading logs or changing settings, whereas the user assignment we just configured controls who can sign in to and call the running application.

At this point you have an Azure function app that is secured using Azure Active Directory. Follow along in the next post to learn how to give a service application access to this function.
