Secure Azure Functions Using Azure AD B2C

1. Create HTTP Triggered Azure Function.
2. Set function’s auth level as anonymous.
3. Get function app URL. Note down it.
4. Create Azure B2C app.

• Web App/API : Yes
• Allow Implicit Flow : Yes

5. Set Reply URL in B2C app: https://{function app url}/.auth/login/aad/callback

6. Note down B2C apps Application ID.

7. Get your B2C user flows/policy’s metadata URL. Note down this URL.

• It can be obtained from Run User Flow page.
• It’s format is like https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}

8. Go to your functions => Platform features => Authentication / Authorization.

9. Set following

• App Service Authentication : On
• Action to take when not authenticated : Login with Azure AD
• Authentication providers : Azure AAD
• Management Mode : Advanced
• Client Id : {Application Id from Step 6}
• Issuer URL : {URL from step 7}
• Allowed Audience: {Application Id from Step 6}

10. Now check whether your function URL is accessible without access token.

Are You Facing Any Of The Following Issues:

1. When function URL hit from browser, it asks for login and post-login it works. But when same URL is hit from postman it gives 401.
2. Able to sign in for Azure function, but it gives error as “You do not have permission to view this directory or page.”
3. Function is being used as Web API, but cannot be called from Web App.

Solution: Perform following steps

• Call function URL from browser.
• It will ask for login, then login.
• Hit {function URL}/.auth/me URL.
• You will get token. Note it down.
• Now get token received by web app/ mobile/ b2c client on authentication.
• Using http://jwt.ms/ compare both token.
• If issuer is not matching, then this is the root cause that you are getting 401 response.
• If your issuer in web app/ mobile/ b2c client token starts with “https://login.microsoftonline.com/" then
• Change your issuer URL in your functions => Platform features => Authentication / Authorization
  FROM: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}
  TO: https://login.microsoftonline.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}
• Now try to call secured endpoint. I hope above solution is working for you.

References:

connect azure function to b2c

Azure functions secured with Azure AD B2C returns unauthorized when using B2C tenant domain