Authenticating to Azure Functions using a service principal (part 2)

In the previous post, we locked down our Azure Functions app and restricted access to only the users or groups who were added to the application’s authorized user list. Now, let’s finish the remaining steps so that other services can call your function. As a reminder, this is the outline of the steps we are following; the first two were covered in the previous post:

  1. Enable authentication for your function app.
  2. Allow only selected users to log in to the function app (optional)
  3. Create a service principal for your client application
  4. Create a custom role for your function app and add the client service principal to it

Create a service principal for your client application

For your client application to be able to authenticate with Azure Active Directory (AAD) it needs an identity that is known to AAD. In this scenario, we are going to assume that your client application is not hosted in Azure and that it is capable of keeping a secret. (If it were hosted in Azure, a managed identity would let it authenticate without you having to handle a client secret at all.)

  1. Open the Azure Active Directory blade
  2. Go to the App registrations section
  3. Click on New registration at the top
  4. Give your client application a meaningful name.
  5. Click on Register

Note that we don’t need to worry about the Redirect URI since we won’t be using interactive flows for authentication.

  1. Once your client application is registered, copy the Application (client) ID. This is going to be your Client ID for OAuth.
  2. Now click on the Certificates & secrets section
  3. Then click New client secret
  4. Give it a descriptive name and click Add
  5. Once you click Add, make sure to copy the secret value somewhere safe. This is your Client Secret for OAuth. The portal shows the full value only while you remain on this blade; once you navigate away it is masked and cannot be retrieved, so you would have to create a new secret.

It is important to treat client secrets carefully: never share them, keep them out of source control, and if you think one has been exposed, delete it (as I did with the one in the screenshot above).

Create a custom role for your function app and add the client service principal to it

At this point, we are ready to give our service principal access to our functions app. Unfortunately, it’s not as simple as adding the client application to the list under Enterprise Applications section as we did in the last post.

In AAD there are two types of permissions that you can grant an application: delegated permissions and application permissions. Delegated permissions allow our application to act as the signed-in user and perform operations on their behalf. The default permissions that are available to a new registration are of this type, which is useless for this scenario (service to service) since we don’t have a signed-in user.

On the other hand, application permissions do not require a user to be signed in. They are defined by the resource application (our function app) as app roles whose allowed member type is Application, so we need to add at least one of these to our function app’s registration.

  1. Navigate to the Azure Active Directory blade
  2. Click on the App Registrations section
  3. Select the application object of your function app
  4. Click to open the app registration settings

I think it’s worth noting here that we are working with two application registrations. Ideally, I would have named them differently so it would be clearer which one we are talking about, but that’s a lot of screenshots to redo!

AuthenticatedFunctionApp – is the application object that represents our Azure function app.

Functions Client Application – is the application object that represents another service that would be calling our function app. The client id and client secret of this service principal are what we need to successfully authenticate later.

  1. Now click on Manifest to edit the application’s manifest
  2. Search for a property called appRoles
  3. Add a new appRole. You can use the definition below, but make sure to change the id to a new GUID; every appRole needs a unique id and a unique value, and the value is the string that will show up in the roles claim of tokens issued to assigned clients.
  4. Remember to Save your changes
{
	"allowedMemberTypes": [
		"Application"
	],
	"description": "Applications that are allowed to call this function.",
	"displayName": "Service Clients",
	"id": "e14442ab-8bd5-47be-90af-695c413d9761",
	"isEnabled": true,
	"lang": null,
	"origin": "Application",
	"value": "ServiceClient"
}
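The manifest edit above is easy to get wrong by hand (a reused id or a duplicated value is rejected on save, and AAD will not delete a role that is still enabled). The following is an added example, not code from the original post, that builds an appRole entry with a fresh GUID and enforces those constraints before you paste the result into the manifest. The existing ServiceClient role is a copy of the snippet above; the "Auditor" role and its wording are made up for the example.

```python
"""Build and validate appRoles entries for an app registration manifest.
Added example, not the post's own code."""
import copy
import uuid

# Constructed copy of the role shown in the manifest snippet above.
EXISTING_APP_ROLES = [
    {
        "allowedMemberTypes": ["Application"],
        "description": "Applications that are allowed to call this function.",
        "displayName": "Service Clients",
        "id": "e14442ab-8bd5-47be-90af-695c413d9761",
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": "ServiceClient",
    }
]


def new_app_role(display_name, value, description, member_types=("Application",)):
    """Build an appRole entry with a freshly generated id.

    allowedMemberTypes ["Application"] makes the role grantable to a service
    principal as an application permission; "User" would instead make it
    assignable to users and groups.
    """
    return {
        "allowedMemberTypes": list(member_types),
        "description": description,
        "displayName": display_name,
        "id": str(uuid.uuid4()),  # must be unique; never reuse a GUID copied from elsewhere
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": value,  # appears verbatim in the token's "roles" claim
    }


def add_app_role(app_roles, role):
    """Return a new appRoles list with `role` appended.

    AAD requires that no two roles in one registration share an id or a
    value, so we check both before producing the manifest fragment.
    """
    if any(r["id"] == role["id"] for r in app_roles):
        raise ValueError(f"duplicate appRole id {role['id']}")
    if any(r["value"] == role["value"] for r in app_roles):
        raise ValueError(f"duplicate appRole value {role['value']!r}")
    return app_roles + [copy.deepcopy(role)]


def remove_app_role(app_roles, role_id):
    """Produce the two manifests needed to delete a role.

    AAD rejects removing an enabled role, so the first list has the role
    disabled (save that first) and the second list has it removed (save
    that second).
    """
    if not any(r["id"] == role_id for r in app_roles):
        raise KeyError(f"no appRole with id {role_id}")
    disabled = []
    for r in app_roles:
        r = copy.deepcopy(r)
        if r["id"] == role_id:
            r["isEnabled"] = False
        disabled.append(r)
    deleted = [r for r in disabled if r["id"] != role_id]
    return disabled, deleted


if __name__ == "__main__":
    import json
    auditor = new_app_role("Auditors", "Auditor", "Read-only service callers.")
    print(json.dumps(add_app_role(EXISTING_APP_ROLES, auditor), indent=2))
```

Run it as a script to get a ready-to-paste appRoles array; the uniqueness checks are the same ones the portal enforces when you click Save, just surfaced before you edit the live manifest.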

Now that we have our custom role, we need to grant it to our client application’s service principal.

  1. Open the Azure Active Directory blade
  2. Go to the App registrations section
  3. This time find the registration for your client application and open its settings
  4. Click on the API permissions tab
  5. Click the Add a permission button
  6. Click on APIs my organization uses
  7. Search for your function app and select it. Note that it might not show up in the list unless you search for it.
  8. Click on the Application permissions button to view all the available permissions
  9. Select the appRole that we added earlier
  10. Click Add permissions

Note that application permissions are not granted automatically; they require an admin to consent on behalf of the tenant before AAD will issue a token that carries the role.

If you are an admin you can grant the permission yourself:

  1. Click Grant admin consent…

If you are not an administrator for your AAD, now would be a good time to find out who is and ask them to grant admin consent for your application.

At this point you should have all you need to authenticate a service to your function app. In the next post I’ll cover how to do this via Postman.
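To make concrete what the steps above set up, here is an added example (not code from the original post, and not the Postman walkthrough the next post promises) showing both ends of the exchange: the client credentials request the Functions Client Application sends to AAD with its Client ID and Client Secret, and the claim check the function should perform on the token it receives. The tenant, client and function app IDs are placeholders, the secret is a dummy, and the two claim sets are constructed samples. The request uses the v1.0 token endpoint so the function app can be named by its client ID without depending on an Application ID URI; the resulting token’s aud claim is then that client ID. App Service authentication validates the signature, issuer and audience before the function runs, but it does not check which app role the caller holds, so the roles check is the function’s job.

```python
"""Client credentials flow against a function app protected by an app role,
plus the receiving-side role check. Added example, not the post's own code."""
import base64
import json
import urllib.parse
import urllib.request

# Assumed placeholder identifiers; substitute your own values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"        # Functions Client Application
CLIENT_SECRET = "replace-with-the-client-secret"          # dummy; never commit a real one
FUNCTION_APP_ID = "22222222-2222-2222-2222-222222222222"  # AuthenticatedFunctionApp client ID
REQUIRED_ROLE = "ServiceClient"                           # the appRole "value" from the manifest


def build_token_request(tenant_id, client_id, client_secret, resource_app_id):
    """Return (url, form_fields) for the v1.0 client credentials grant.

    No user is involved: the client proves its own identity with the secret
    and asks for a token whose audience is the function app.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource_app_id,
    }
    return url, fields


def request_access_token(tenant_id, client_id, client_secret, resource_app_id):
    """Perform the POST and return the access_token string (needs network)."""
    url, fields = build_token_request(tenant_id, client_id, client_secret, resource_app_id)
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Only use this on tokens that a JWT library or App Service authentication
    has already validated; it is for inspecting claims, not for trust.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_service_caller(claims, expected_audiences, required_role, allowed_callers=None):
    """Defense in depth inside the function: accept only an app-only token
    for this app that carries the custom app role. Returns (ok, reason)."""
    if claims.get("aud") not in expected_audiences:
        return False, "audience mismatch: token was not issued for this function app"
    if "scp" in claims:
        # scp is only present on delegated (user) tokens; app-only tokens carry roles.
        return False, "delegated token with a signed-in user, not an app-only token"
    roles = claims.get("roles") or []
    if required_role not in roles:
        return False, f"missing app role {required_role!r}"
    caller = claims.get("appid") or claims.get("azp")  # v1.0 uses appid, v2.0 uses azp
    if allowed_callers is not None and caller not in allowed_callers:
        return False, f"caller {caller!r} is not in the allow-list"
    return True, "ok"


def make_unsigned_sample_token(claims):
    """Constructed, unsigned (alg none) JWT for offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples of what the function sees after AAD issues a token.
SAMPLE_APP_ONLY_CLAIMS = {
    "aud": FUNCTION_APP_ID,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "tid": TENANT_ID,
    "appid": CLIENT_ID,
    "roles": [REQUIRED_ROLE],
}
SAMPLE_DELEGATED_CLAIMS = {
    "aud": FUNCTION_APP_ID,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "tid": TENANT_ID,
    "appid": CLIENT_ID,
    "scp": "user_impersonation",
    "upn": "alice@contoso.example",
}

if __name__ == "__main__":
    # Offline demonstration using the constructed tokens.
    for label, claims in (("app-only", SAMPLE_APP_ONLY_CLAIMS), ("delegated", SAMPLE_DELEGATED_CLAIMS)):
        token = make_unsigned_sample_token(claims)
        print(label, authorize_service_caller(decode_jwt_claims(token), {FUNCTION_APP_ID}, REQUIRED_ROLE))
    # Uncomment with real IDs and a real secret to fetch a genuine token:
    # print(request_access_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET, FUNCTION_APP_ID))
```

The allow-list argument is optional: with the appRole in place and admin consent granted, AAD only issues a token with roles containing ServiceClient to clients that have been granted the permission, so checking the role is usually enough. Pinning appid as well is useful when several clients hold the role and one function should accept only a subset.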
