31

I am trying to run an HTTP-triggered Azure Function and I am receiving a 401 Unauthorized. It was working fine for me earlier.

When I created a new function under the same Function App and copied the same code, it also runs fine, but when I try to run the function I created, I get the same error that I mentioned.

I'm seeing the following logs in the streaming service.

2018-07-02T07:09:41 Welcome, you are now connected to log-streaming service.

2018-07-02T07:09:48.893 [Info] Executing HTTP request: { "requestId": "53e54698-c46b-4cb6-9ed0-d042eaf9ec71", "method": "POST", "uri": "/api/Source/MPAA/false" }

2018-07-02T07:09:48.893 [Info] Executed HTTP request: { "requestId": "53e54698-c46b-4cb6-9ed0-d042eaf9ec71", "method": "POST", "uri": "/api/Source/MPAA/false", "authorizationLevel": "Anonymous", "status": "Unauthorized" }

Jan_V
Sumit Garg
  • Can you add some of the code of your Azure Function? This might occur if you're trying to access an external resource for which the Function is unauthorized. Maybe due to some configuration issue (Firewall, security, expired identity, etc.). Are you able to debug the code locally and inspect it? – Jan_V Jul 02 '18 at 07:20
  • @Jan_V I just mentioned in the above description that when I created the new function with same code under the same function app it's working fine. – Sumit Garg Jul 02 '18 at 07:30
  • Have you enabled App Service Authentication/Authorization? Check under Platform Features > Authentication / Authorization. – Connor McMahon Jul 02 '18 at 17:41
  • @ConnorMcMahon When I enable Authentication/Authorization and then try to run the function again, I get an error like (Authentication is enabled for the function app. Disable authentication before running the function) – Sumit Garg Jul 03 '18 at 03:42
  • @ConnorMcMahon Met this problem in v2. I had an HTTP trigger function that was created and worked before `2.0.11888` was released. After this runtime upgrade, I got 401. A newly created function works fine. – Jerry Liu Jul 03 '18 at 07:59
  • @JerryLiu any other idea, how can we overcome this error? – Sumit Garg Jul 04 '18 at 03:57
  • @SumitGarg Sorry, no more ideas. – Jerry Liu Jul 04 '18 at 04:05
  • Got the permanent solution for this. Just change the route in the function.json – Sumit Garg Jul 04 '18 at 06:37

5 Answers

32

This is how I solved the problem based on the cause correctly provided by Nick above. Do this if you don't want to have to open the Azure Function's GUI every time you push your code.

In the source code of the function:

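[FunctionName("YourFunctionName")]
public static async Task<IActionResult> Run(
    // The authorization level is the first argument of the HttpTrigger attribute
    [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
    ILogger log)
{
    // ... function body ...
}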

What I had to do was to change the default setting AuthorizationLevel.Function into AuthorizationLevel.Anonymous. The former only allows triggering from other Function apps, the latter will let you trigger from the browser.

Luis Gouveia
Mr.K
  • That's right! I would just like to add that this problem only appears after deploying your app. While testing in localhost you can perfectly call an Azure Function with AuthorizationLevel.Function from your browser/postman. – Luis Gouveia Jan 23 '21 at 17:46
16

If you are managing your code via the azure portal, then simply navigate to "Integrate" and change the "Authorization Level" drop-down to "Anonymous".

If you are managing your code with source control integration (e.g. via git), add this to your function.json:

"authLevel": "anonymous"

Full snippet of function.json:

{
  "bindings": [
    {
      "name": "req",
      "type": "httpTrigger",
      "direction": "in",
      "methods": [ "post" ],
      "route": "Source/MPAA",
      "authLevel": "anonymous"
    },
    {
      "type": "http",
      "name": "res",
      "direction": "out"
    }
  ],
  "disabled": false
}

Note: the above is just an example, you may have to tweak the route. Note: the /api is the default prefix, and can be modified in the host.json file.

Nick
  • Although the function.json solution works, for compiled languages, such as C#, this is not the most standard approach. From Microsoft site we can read that: "For compiled languages, this config file is generated automatically from annotations in your code. For scripting languages, you must provide the config file yourself." - https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference . This is the reason why I ended up using Mr.K's solution. – Luis Gouveia Jan 23 '21 at 18:23
11

It's about the authlevel of the function. If you use authlevel = anonymous in your function.json file, then you don't have to pass any access key and you can access the Azure Function API like normal API endpoints.

{
    "disabled": false,
    "bindings": [
        {
            "authLevel": "anonymous",
            "type": "httpTrigger",
            "direction": "in",
            "name": "req"
        },
        {
            "type": "http",
            "direction": "out",
            "name": "res"
        }
    ]
}

For example, if your HTTP trigger is http://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>, you can easily access it without any access/auth key.

If you are using authlevel = function, then you have to pass the access key/API key with the HTTP trigger endpoint while hitting it. If you don't, you will get the 401 Unauthorized.

{
    "disabled": false,
    "bindings": [
        {
            "authLevel": "function",
            "type": "httpTrigger",
            "direction": "in",
            "name": "req"
        },
        {
            "type": "http",
            "direction": "out",
            "name": "res"
        }
    ]
}

You need to pass the key as in the example below: **https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>?code=<API_KEY>**

For the authlevel = function you can access the http trigger by the function key and the host key. You will find the Get Function Url section when you open the function in the azure portal.

Note: With the host key you can access all of your HTTP trigger endpoints; it's going to be common for all the HTTP triggers. But the function key is unique for every function.

The third option is to use the authlevel = admin.

{
    "disabled": false,
    "bindings": [
        {
            "authLevel": "admin",
            "type": "httpTrigger",
            "direction": "in",
            "name": "req"
        },
        {
            "type": "http",
            "direction": "out",
            "name": "res"
        }
    ]
}

For auth level admin the HTTP trigger can only be accessed with the master key: **https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>?code=<MASTER_KEY>**

You will find all these keys as per the auth levels in the Get Function Url section. The complete guide for the authlevel is in this link. Azure Functions HTTP trigger function authlevel Explanation

I hope this will be helpful.

Sohaib
  • This is the best result for me. Allows retaining the security just by passing the function key via the code parameter – Red Jun 09 '22 at 15:29
  • @Red You're right, it's adding security to the Azure functions as the function keys are unique. Azure provides this great security level. This blocks the provision for an external entity to enter the system anonymously, plus it is more beneficial when we use this with JWT. – Sohaib Aug 02 '22 at 17:46
  • This is the beauty of Microsoft azure function, they provide great security, plus give provisions to users to add access levels. – Sohaib Dec 13 '22 at 17:56
2

I started getting 401's too until I realised that I had two functions with the same route. That obviously confused Azure big time.

Check if you don't have different functions with same routes.

Au Ris
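
An added example (not part of any answer above, and not Microsoft tooling): a small Python audit over function.json contents that lists HTTP triggers left at authLevel anonymous and functions that claim the same route, the two causes discussed in the answers. The function names and file contents are constructed; treating an omitted authLevel as function, an omitted route as the function name, and routes as case-insensitive are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: function folder name -> contents of its function.json.
SAMPLE_APP = {
    "GetSource": '{"bindings": [{"type": "httpTrigger", "direction": "in", "name": "req",'
                 ' "methods": ["post"], "route": "Source/MPAA", "authLevel": "anonymous"}]}',
    "GetSourceCopy": '{"bindings": [{"type": "httpTrigger", "direction": "in", "name": "req",'
                     ' "methods": ["get", "post"], "route": "source/mpaa/"}]}',
    "Maintenance": '{"bindings": [{"type": "httpTrigger", "direction": "in", "name": "req",'
                   ' "authLevel": "admin"}]}',
}

def http_triggers(app):
    """Yield (function, authLevel, route, methods) for every httpTrigger binding."""
    for name, raw in app.items():
        for b in json.loads(raw).get("bindings", []):
            if b.get("type", "").lower() != "httptrigger":
                continue
            # Assumption: omitted authLevel means "function", omitted route means the function name.
            level = b.get("authLevel", "function").lower()
            # Assumption: routes are compared case-insensitively, ignoring outer slashes.
            route = (b.get("route") or name).strip("/").lower()
            # An omitted "methods" list is treated as "answers every HTTP method".
            methods = frozenset(m.lower() for m in b.get("methods", [])) or frozenset({"*"})
            yield name, level, route, methods

def audit(app):
    """Return sorted findings: keyless endpoints and functions sharing a route."""
    findings, by_route = [], defaultdict(list)
    for name, level, route, methods in http_triggers(app):
        if level == "anonymous":
            # "/api" is the default prefix; host.json can change it.
            findings.append(f"{name}: /api/{route} is callable without a key")
        by_route[route].append((name, methods))
    for route, owners in by_route.items():
        for i, (a, ma) in enumerate(owners):
            for b, mb in owners[i + 1:]:
                # Same route only collides when the method sets overlap.
                if "*" in ma or "*" in mb or ma & mb:
                    findings.append(f"{a} and {b}: both claim /api/{route}")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(SAMPLE_APP):
        print(line)
```

Run against a checkout, the same functions can be fed a dict built from each function folder's function.json, which makes every anonymous endpoint an explicit, reviewed decision rather than a side effect of fixing a 401.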
1

I started seeing this response after changing the function runtime version via Azure Portal. Redeploying the function app from Visual Studio resolved the issue for me.

m_drazzi