It’s really easy to create simple APIs on Azure with Function Apps. In some cases you want to protect them with authentication. This is usually done with an App Registration that has permissions to access the API. Pretty simple, but not that easy to accomplish. These are the steps to configure this.
Create Azure function
- Create Function App
- Add a function to the newly created Function App, select Test/Run and get the function URL for further testing.
- Customize the code and test it
- Check if it’s working and you get the desired response
Authentication is added on the Function App, not on the individual function, so it is all or nothing.
Go to the Function App and select Authentication in the left menu.
Click the ‘Add identity provider’ button. In my case, I added the Active Directory resource, so I’m using the Microsoft identity provider. You can go for the default settings, except for the unauthenticated request part: I changed it to HTTP 401, as the function I built previously is a REST API. Click the ‘Add’ button.
Reset the client secret. It is automatically generated, but you do not get the actual value and there is no way to retrieve it. I think this is a bug; a workaround is to delete the existing one and generate a new one.
Write down the value and secret ID that have been generated!
Go to the Authentication detail page of the provider you added, and write down the Application (client) ID, tenant ID and Application ID URI, as you will need them later on.
Now let’s define the API permissions (select your Function App > Authentication in the left column > select the identity provider you added). Click Edit (next to Quickstart).
Click the Permissions tab, then click the ‘Click here to access API permissions’ link.
Click the ‘Add a permission’ button. On the right-hand side, click ‘My APIs’; your Function App should be in the list. Click on it.
Check the box for the only permission that will appear (access <name of your function app>).
Now we have everything we need to fetch a token. Open Postman.
- endpoint is
grant_type is a hardcoded value, we want
client_id is the Application (client) ID
client_secret is the secret linked to the Application (client) ID
response_type is a hardcoded value,
scope is the Application ID URI, suffixed with
tenant is the tenant ID, the same one that is part of the endpoint
- endpoint is
The bearer token you get back can then be used to call the Function endpoint in the
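The token request and the authenticated call from the steps above, as an added Python example that is not code from the original post. It assumes the client credentials grant against the v2.0 token endpoint, with the scope being the Application ID URI suffixed with `/.default`, and adds a client-side sanity check of the token's `aud` and `tid` claims before the call; the signature itself is verified by the Function App's authentication layer, not here.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(tenant_id, client_id, client_secret, app_id_uri):
    """URL and form body for the token call (assumed: client credentials, v2.0 endpoint)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",  # assumed grant for app-to-API calls
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": app_id_uri.rstrip("/") + "/.default",  # assumed suffix
    }
    return url, urllib.parse.urlencode(form).encode()


def fetch_token(tenant_id, client_id, client_secret, app_id_uri):
    """POST the request above and return the access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret, app_id_uri)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def token_claims(token):
    """Decode the JWT payload only; the signature is verified by the Function App, not here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches(token, app_id_uri, client_id, tenant_id):
    """Client-side sanity check: token was issued for this app and this tenant."""
    claims = token_claims(token)
    return claims.get("aud") in (app_id_uri, client_id) and claims.get("tid") == tenant_id


def unsigned_token(claims):
    """Constructed, unsigned sample token so token_matches can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


def call_function(function_url, token):
    """Call the protected function with the Bearer token; without it you get HTTP 401."""
    req = urllib.request.Request(function_url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()
```

Call fetch_token with the tenant ID, Application (client) ID, secret value and Application ID URI you wrote down, then pass the token to call_function together with the function URL from Test/Run.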