Secure Azure Functions Using Azure AD B2C
Apr 19, 2019
1. Create an HTTP-triggered Azure Function.
2. Set the function's authorization level to Anonymous.
3. Get the function app URL and note it down.
4. Create an Azure AD B2C app with:
   - Web App/API: Yes
   - Allow Implicit Flow: Yes
5. Set the Reply URL in the B2C app to: https://{function app url}/.auth/login/aad/callback
6. Note down the B2C app's Application ID.
7. Get the metadata URL of your B2C user flow (policy) and note it down.
   - It can be obtained from the Run User Flow page.
   - Its format is https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}
8. Go to your function app => Platform features => Authentication / Authorization.
9. Set the following:
   - App Service Authentication: On
   - Action to take when request is not authenticated: Login with Azure AD
   - Authentication providers: Azure AD
   - Management Mode: Advanced
   - Client Id: {Application Id from step 6}
   - Issuer URL: {URL from step 7}
   - Allowed Audience: {Application Id from step 6}
10. Now check whether your function URL is accessible without an access token.
10. Now check whether your function URL is accessible without access token.
Are you facing any of the following issues?
- When the function URL is hit from a browser, it asks for login and works after login, but when the same URL is hit from Postman it returns 401.
- You are able to sign in to the Azure Function, but it gives the error "You do not have permission to view this directory or page."
- The function is used as a Web API, but it cannot be called from the Web App.
Solution: perform the following steps
- Call the function URL from a browser.
- It will ask for login; log in.
- Hit the {function URL}/.auth/me URL.
- You will get a token. Note it down.
- Now get the token received by the web app / mobile / B2C client on authentication.
- Using http://jwt.ms/ compare both tokens.
- If the issuers do not match, this is the root cause of the 401 response.
- If the issuer in the web app / mobile / B2C client token starts with "https://login.microsoftonline.com/", change the Issuer URL in your function app => Platform features => Authentication / Authorization
  FROM: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}
  TO: https://login.microsoftonline.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}
- Now try to call the secured endpoint. I hope the above solution works for you.
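As an added diagnostic helper (not part of the original post), the following Python script automates the jwt.ms comparison from the solution steps: it decodes the token from /.auth/me and the token your B2C client received, without verifying signatures, and reports the claims that differ so an issuer mismatch stands out. The tenant id, application id and policy name in the sample tokens are constructed placeholders.

```python
import base64
import json

# Claims App Service Authentication checks against the configured Issuer URL
# metadata (iss) and Allowed Audience (aud); tfp names the B2C policy used.
DIAGNOSTIC_CLAIMS = ("iss", "aud", "tfp")

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Inspection only, like pasting into jwt.ms; never use this to authorize.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_mismatch(function_token: str, client_token: str) -> dict:
    """Compare the /.auth/me token with the token the B2C client received.

    Returns {claim: (function_value, client_value)} for each differing claim;
    a differing 'iss' is the 401 root cause described above.
    """
    f_claims = decode_payload(function_token)
    c_claims = decode_payload(client_token)
    return {
        claim: (f_claims.get(claim), c_claims.get(claim))
        for claim in DIAGNOSTIC_CLAIMS
        if f_claims.get(claim) != c_claims.get(claim)
    }

def _fake_jwt(payload: dict) -> str:
    """Build an unsigned test token (constructed sample, not a real B2C token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample tokens; <tenant-id> and <application-id> are placeholders.
FUNCTION_TOKEN = _fake_jwt({"iss": "https://contoso.b2clogin.com/<tenant-id>/v2.0/",
                            "aud": "<application-id>", "tfp": "B2C_1_signupsignin"})
CLIENT_TOKEN = _fake_jwt({"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0/",
                          "aud": "<application-id>", "tfp": "B2C_1_signupsignin"})

if __name__ == "__main__":
    for claim, (f_val, c_val) in diagnose_mismatch(FUNCTION_TOKEN, CLIENT_TOKEN).items():
        print(f"{claim} mismatch: function={f_val!r} client={c_val!r}")
```

Paste your two real tokens in place of the constructed ones; a reported `iss` difference means the Issuer URL in the function app points at the wrong metadata document.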