It's really easy to create simple APIs on Azure with Azure Functions. In some cases, you want to protect them with authentication. This is usually done with an App Registration that has permission to access the API. Pretty simple in principle, but not that easy to accomplish. These are the steps to configure this.
Create Azure function
- Create a Function App
- Add a function to the newly created Function App; select the `HttpTrigger` template
- Check `Test/Run` and get the function URL for further testing
- Customize the code and test it
- Check that it is working and you get the desired response
Add Authentication
Authentication is added on the Function App, not the function itself; so it is all or nothing
- Go to the Function App and select Authentication in the left menu.
- Click the 'Add identity provider' button. In my case, I added the Active Directory resource, so I'm using the Microsoft identity provider. You can go for the default settings, except for the unauthenticated requests part: I changed it to `HTTP 401`, as the function I built previously is a REST API. Click the 'Add' button.
- Reset the client secret. It is automatically generated, but you don't get the actual value and there is no way to retrieve it. I think this is a bug; a workaround is to delete the existing one and generate a new one.
- Write down the value and the secret ID that have been generated!
- Go to the Authentication detail page of the provider you added, and write down the Application (client) ID, the tenant ID and the Application ID URI, as you will need them later on.
- Now let's define the API permissions (select your Function App > Authentication in the left column > select the identity provider you added). Click Edit (next to Quickstart).
- Click the Permissions tab, then click the 'Click here to access API permissions' link.
- Click the 'Add a permission' button. On the right-hand side, click 'My APIs'; your Function App should be in the list. Click it.
- Check the box for the only permission that will appear (access `<name of your function app>`).
Now we have everything we need to fetch a token. Open Postman:
- endpoint is `https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token`
- `grant_type` is a hardcoded value; we want `client_credentials`
- `client_id` is the Application (client) ID
- `client_secret` is the secret linked to the Application (client) ID
- `response_type` is a hardcoded value, `token`
- `scope` is the Application ID URI, suffixed with `/.default`
- `tenant` is the tenant ID, the same one that is part of the endpoint
The bearer token you get back can then be used to call the Function endpoint by sending it in the `Authorization` header as a Bearer token.
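The Postman steps and the final call, put together as a script so the whole flow can be repeated without clicking through Postman. This is an added example and not code from the original post or from Azure: the environment-variable names, the `SAMPLE_*` values and the helper names are this example's own assumptions. It fetches a token with the client-credentials grant, inspects the token's `aud` claim before sending it (a mismatched audience is the usual reason for a 401 after everything else looks right), and checks that an unauthenticated call is rejected with 401 while the call with the token succeeds.

```python
"""Fetch a token with the client-credentials grant and call the protected Function.

Added example; not code from the original post. The environment-variable
names, the SAMPLE_* values and the helper names are this example's own
choices (assumptions), not anything from the post or from Azure.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional


def token_endpoint(tenant_id: str) -> str:
    # Same endpoint the post uses in Postman.
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_token_form(client_id: str, client_secret: str, app_id_uri: str) -> dict:
    """Form body for the v2.0 client-credentials request.

    The scope is the Application ID URI written down earlier, suffixed with
    /.default. The post additionally sends response_type and tenant; the
    v2.0 endpoint does not need them for this grant, so they are left out.
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": app_id_uri.rstrip("/") + "/.default",
    }


def fetch_token(tenant_id: str, form: dict) -> dict:
    """POST the form to the token endpoint and return the JSON response."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        token_endpoint(tenant_id), data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def bearer_headers(access_token: str) -> dict:
    # The token goes in the Authorization header as a Bearer token.
    return {"Authorization": f"Bearer {access_token}"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Only for inspecting the token you are about to send; the Function App's
    authentication layer does the real validation. Never use this to accept
    tokens on the server side.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(claims: dict, app_id_uri: str, client_id: str) -> bool:
    """The token's aud must name the Function App's registration; otherwise
    the Function App answers 401 even though the token itself is valid."""
    return claims.get("aud") in (app_id_uri, client_id)


def call_function(function_url: str, access_token: Optional[str]) -> int:
    """GET the function and return the HTTP status (401 expected without a token)."""
    headers = bearer_headers(access_token) if access_token else {}
    req = urllib.request.Request(function_url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned sample token (alg "none") so jwt_claims() can be tried
# offline; a real access token from login.microsoftonline.com is RS256-signed.
SAMPLE_CLAIMS = {"aud": "api://example-func", "appid": "11111111-2222-3333-4444-555555555555"}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"none","typ":"JWT"}'),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), ""])

if __name__ == "__main__":
    # Assumed variable names; fill them with the values written down in the post.
    tenant_id = os.environ["AZ_TENANT_ID"]
    client_id = os.environ["AZ_CLIENT_ID"]
    client_secret = os.environ["AZ_CLIENT_SECRET"]
    app_id_uri = os.environ["AZ_APP_ID_URI"]
    function_url = os.environ["AZ_FUNCTION_URL"]

    print("unauthenticated status:", call_function(function_url, None))  # expect 401
    token = fetch_token(tenant_id, build_token_form(client_id, client_secret, app_id_uri))["access_token"]
    claims = jwt_claims(token)
    if not audience_matches(claims, app_id_uri, client_id):
        sys.exit(f"token audience {claims.get('aud')!r} does not match the Function App")
    print("authenticated status:", call_function(function_url, token))  # expect 200
```

Keep the client secret out of the script itself (it is read from the environment here) and rotate it the same way the post resets it, since anyone holding the secret can mint tokens for the API. If the authenticated call still returns 401, the `aud` printed by the audience check is the first thing to compare against the Application ID URI in the provider's detail page.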