Access AAD protected Azure Functions

kemurayama

kemurayama

Posted on October 5, 2020

Access AAD protected Azure Functions

Securing resources are really important. When you create APIs or other web sites and expose to public internet, it is necessary to protect your endpoints if you.

IP restriction is the common way to limit the clients who can access the endpoint. However, it is getting more difficult to manage all public IPs of the clients these days because clients access your services from anywhere.

On Microsoft Azure, Azure Active Directory (AAD) protects your APIs/Webs through OAuth 2.0, OpenID Connect, SAML and etc.. When you use PaaS such as Azure Web Apps / Azure Functions, just turning on the feature let you protect your endpoints.

This post explains how to protect your APIs with AAD on Azure and access them.

Prerequisites

This post doesn't explain what Azure Active Directory (AAD) is. If you are interested in it, you can check this.

If you haven't created Azure Web Apps or Azure Functions, I recommend you to create them first.

Create Azure Functions

First of all, you need to create Azure resources that host your API.
Create your HTTPTrigger Function Quickstart: Create a function in Azure using Visual Studio Code.
You can publish your own API in minutes.

After deploying your HTTPTrigger Function to Azure, call it from cURL command, Postman or any other tools that create HTTP requests.
If the authentication level is set function, you can call your API with the Function key code=xxxx in query parameter or x-functions-key: xxxx in request header.
For more details, check Azure Functions HTTP trigger.

postmanrequest

Fig 1. Successful Postman Requests

Enable AAD Authentication

In Development or Staging environment, you can use Function Keys to protect your Function App. However, in Production, it is difficult to manage your Function Key securely when you distribute the key to all clients that call the Function.
Once the key is leaked, you have to change the setting for all apps.

To secure your app and manage the authentication/authorization, you can use Azure Active Directory (AAD).
AAD assign unique ID with each app, and each authentication is logged.

In Azure Web App / Azure Functions, you can enable AAD auth feature from Azure portal or commands,
thought AAD auth is not available for Azure Function Linux consumption plan (Oct.2020).
See Configure your App Service or Azure Functions app to use Azure AD login.

This feature is currently not available on Linux Consumption plan for Azure Functions

After you enabled the feature for your Function App, it returns HTTP 401 unauthrized because AAD protects your endpoint.

unauthorized requests

Fig 2. Unauthorized Requests to Function App

Get Access Token to Authenticate

In order to access AAD protected Function App, you need to get access token from AAD for the Function App.
In case of API call, set Bearer token to Authroization header.

You need to create client application on AAD to authenticate Function App.
If you use Azure CLI, you can create client AAD app for testing like below.

az ad sp create-for-rbac -n "TestAuthClientApp"
Enter fullscreen mode Exit fullscreen mode

It outputs the result as JSON. Store your appId and password to authenticate Function App.

azcli result

Fig 3. Azure CLI result

To get access token for the Function App, copy Function App AAD ID as target from Azure Portal.
You can check from [Authentication/Authorization] blade.

Function App ID

Fig 4. Function App ID

Call https://login.microsoftonline.com/<Your AAD Tenant ID>/oauth2/token to get access token.
When you use cURL, below command works.

curl -X POST https://login.microsoftonline.com/<TENANT ID>/oauth2/token  \
  -F grant_type=client_credentials \
  -F resource=<Web App CLIENT ID> \
  -F client_id=<Client Application ID> \
  -F client_secret=<SECRET>
Enter fullscreen mode Exit fullscreen mode

Request Access Token

Before requesting Function App, you need to change AAD App Setting for Function App. Check Access tokens to enable program to get access_token with implicit grant flow.

Request App

Request Function App with Token

Function App and request with Authroization:Bearer xxxx header, which needs white space between Bearer and token then you should get HTTP 200 OK.

Now you can set function auth level from function to anonymous because AAD protects your API.

Request App

Next Step

Now you protect your API with AAD. However, you still need to manage AAD client app credentials. More secure way is to use Managed Identity that enable Function App to authenticate Azure services without secrets.
If your code runs on specific services such as Web App or Function App where Managed Identity enabled, Azure manage their authentication automatically.

What are managed identities for Azure resources?

💖 💪 🙅 🚩
kemurayama
kemurayama

Posted on October 5, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related