Original photo by Nik Shuliahin on Unsplash

Protecting Azure Function apps with Azure AD Authentication & Authorization

How to enable Authentication/Authorization in Azure Function apps using configuration and get the signed in user in code.

Philipp Bauknecht
May 13, 2020 · 5 min read

In my previous blog post Authenticating Angular apps with Azure Active Directory using MSAL Angular 1.0 I explained how to secure an Angular app with Azure AD. In this story I want to show how to extend this solution into the backend by securing an Azure Function app that exposes a RESTful API with Azure AD.

Prerequisites

Configure a new app registration in Azure AD

Azure AD App Registrations

Enter a display name and register the application.

Register an application

On the overview page make sure to copy the Application (client) ID and your Directory (tenant) ID:

Client Id & Tenant Id

Create a new Function app

Create Function app in Azure Portal

Select Function App

Create a new resource group, pick a name, select .NET Core 3.1 as runtime stack and create the app.

Once the app is created, go to Authentication/Authorization and set App Service Authentication to On. Also select Log in with Azure Active Directory as Action to take when request is not authenticated, so that unauthenticated requests are redirected to the login instead of reaching your code.

At this point a bit of context on how this authentication actually works. App Service Authentication (often called Easy Auth) runs in front of the Functions host: every incoming request has to carry a valid Azure AD token, either as a bearer token or via the session established through the /.auth/login/aad flow, and the middleware validates the token's signature, issuer, expiry and audience before the request reaches your function. The audience is the Azure AD app registration that we will provide in the next step; by default only its client ID is accepted, so if tokens for your API carry an Application ID URI such as api://YOUR_CLIENT_ID as aud, add that URI under Allowed Token Audiences as well. The middleware also extracts all claims from the token and forwards them to the function in the X-MS-CLIENT-PRINCIPAL (and X-MS-CLIENT-PRINCIPAL-NAME / -ID / -IDP) headers, which the .NET runtime turns into a ClaimsPrincipal you can bind as a method parameter. This is independent of function keys: an HttpTrigger with AuthorizationLevel.Anonymous is still protected as long as App Service Authentication is on, because the platform rejects the request before the host sees it.

Click on Azure Active Directory to configure the authentication provider:

Next up, paste the client ID of the Azure AD app registration and also add the issuer URL. The issuer URL is of the form https://sts.windows.net/YOUR_TENANT_ID/ (the v1 issuer). It must match the iss claim of the tokens your clients present exactly, trailing slash included: tokens whose iss claim is https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0 (v2.0 tokens, which you get when the app registration's accessTokenAcceptedVersion is set to 2) need that URL here instead, otherwise the middleware rejects them.

Create Function app in Visual Studio

Select HTTP trigger so we have a sample function to test authentication with.

Working with Claims
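The following is an added example for this article and not the author's own function code. It shows the two ways described above of getting at the signed-in user in an in-process .NET Core 3.1 HTTP-triggered function: the ClaimsPrincipal the Functions runtime binds for you, and, as a fallback, parsing the X-MS-CLIENT-PRINCIPAL header that App Service Authentication sets (base64-encoded JSON with a list of typ/val claims). The function and route names, the property names of the returned object and the specific claim type URIs looked up are assumptions; the URIs are the ones Azure AD v1 tokens commonly carry, and you can verify what your tokens contain by calling https://YOUR_APP.azurewebsites.net/.auth/me in the browser after signing in.

```csharp
// Added example, not the article's code: an HTTP-triggered function for the
// in-process .NET Core 3.1 worker that returns the signed-in Azure AD user.
// Function/route names and the claim types looked up are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

namespace SecuredFunctionApp
{
    public static class WhoAmI
    {
        // App Service Authentication has already validated signature, issuer,
        // audience and expiry before the request gets here, so Anonymous is fine:
        // no function key is required on top of the Azure AD token.
        [FunctionName("WhoAmI")]
        public static IActionResult Run(
            [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "whoami")] HttpRequest req,
            ClaimsPrincipal principal, // bound by the Functions runtime from the Easy Auth headers
            ILogger log)
        {
            // Defence in depth: if "Allow anonymous requests" were selected instead of
            // "Log in with Azure Active Directory", unauthenticated calls would reach
            // this code with an empty principal, so check rather than assume.
            if (principal?.Identity?.IsAuthenticated != true)
            {
                // Fall back to the raw header, the same data the runtime used.
                if (!req.Headers.TryGetValue("X-MS-CLIENT-PRINCIPAL", out var header) ||
                    (principal = ParseClientPrincipal(header)) == null ||
                    !principal.Identity.IsAuthenticated)
                {
                    return new UnauthorizedResult();
                }
            }

            var user = new
            {
                Name = principal.Identity.Name ?? FindClaim(principal, "name"),
                Upn = FindClaim(principal, ClaimTypes.Upn),
                ObjectId = FindClaim(principal, "http://schemas.microsoft.com/identity/claims/objectidentifier"),
                TenantId = FindClaim(principal, "http://schemas.microsoft.com/identity/claims/tenantid"),
                Roles = principal.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray()
            };
            log.LogInformation("Request by {Upn} ({ObjectId})", user.Upn, user.ObjectId);
            return new OkObjectResult(user);
        }

        private static string FindClaim(ClaimsPrincipal p, string type) => p.FindFirst(type)?.Value;

        // Shape of the X-MS-CLIENT-PRINCIPAL payload after base64 decoding. Only trust
        // this header behind App Service Authentication, which replaces any copy a
        // client sends; when running locally without it, the header is attacker-controlled.
        private sealed class ClientPrincipal
        {
            [JsonPropertyName("auth_typ")] public string AuthType { get; set; }
            [JsonPropertyName("name_typ")] public string NameType { get; set; }
            [JsonPropertyName("role_typ")] public string RoleType { get; set; }
            [JsonPropertyName("claims")] public List<ClientPrincipalClaim> Claims { get; set; }
        }

        private sealed class ClientPrincipalClaim
        {
            [JsonPropertyName("typ")] public string Type { get; set; }
            [JsonPropertyName("val")] public string Value { get; set; }
        }

        public static ClaimsPrincipal ParseClientPrincipal(string headerValue)
        {
            if (string.IsNullOrEmpty(headerValue)) return null;
            var json = Encoding.UTF8.GetString(Convert.FromBase64String(headerValue));
            var cp = JsonSerializer.Deserialize<ClientPrincipal>(json);
            if (cp?.Claims == null || cp.Claims.Count == 0) return null;
            // Supplying an authentication type is what makes IsAuthenticated return true.
            var identity = new ClaimsIdentity(cp.AuthType, cp.NameType, cp.RoleType);
            identity.AddClaims(cp.Claims.Select(c => new Claim(c.Type, c.Value)));
            return new ClaimsPrincipal(identity);
        }
    }
}
```

Calling GET https://YOUR_APP.azurewebsites.net/api/whoami after signing in returns the name, UPN, object ID, tenant ID and app roles of the caller as JSON. The explicit IsAuthenticated check is cheap and keeps the function safe if someone later switches the unauthenticated action to Allow anonymous requests, for example to serve a public health endpoint from the same app.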

So with this simple test function, let's deploy the app to Azure so we can test it. Right-click the project, select Publish and pick Select Existing:

Login to your Azure account and select the Azure Function app we created before:

Note: I have yet to find a way to test authentication locally. Happy for any ideas…

Test with Postman

So we are being redirected to the login, but after successfully signing in, we get this nice little error. Don’t worry, it actually makes sense.

In real-world scenarios our API will be called by some client, e.g. a web app. So the token is issued to a different app (e.g. the Angular app) under a different app registration. Since we don't have a web app yet to obtain a token, we will temporarily modify the API's app registration in Azure AD so that the browser login flow can issue at least an ID token to test the endpoint. Please don't forget to undo the following changes once you move to production: the extra redirect URI and the ID token (implicit grant) setting on the API's registration are only needed for this manual test.

In the app registration in Azure AD we need to configure Authentication and add a platform:

Select Web since we want to log in in the browser. The Redirect URI must match exactly what the Function app uses; the correct value is https://YOUR_APP.azurewebsites.net/.auth/login/aad/callback. Make sure to also tick ID tokens:

Let's try again with the function URL. This time we should be able to log in and get our function's response with the username:

Summary

Philipp Bauknecht

Written by

CEO @ medialesson. Microsoft Regional Director & MVP Windows Development. Father of identical twins. Passionate about great User Interfaces, NYC & Steaks

medialesson

We help our customers design, architect, develop and operate modern, intelligent, beautiful and usable apps on any platform powered by the Cloud, IoT and AI.