
I have an Azure Function which I'm using to fetch data from Azure AD, but I want to limit who can use the Function, as it will be using an HTTP trigger so that I will be able to call the function from a Logic App later down the road. Since HTTP triggered Azure Functions have a public endpoint, I want to improve security by setting the authorization level to Function, or even more preferably by using a (pre-created) Azure AD service principal. Upon making this change, though, I can make the call by putting the function key into the URL.

Base URL: https://something.com/api/function_name

URL with token: https://something.com/api/function_name?code=token_here

However, my function expects some input to be given. On an anonymous endpoint you'd extend the base URL like so: https://something.com/api/function_name/?parameter=value

Where parameter is what the code will expect, and the value is what gets passed into the variable in the code. Now I'm new to this HTTP endpoint stuff and passing in values via a URL. I understand this gets passed in as JSON (probably).

But I don't understand how I can do both the function authorization as well as passing in the parameter. I've tried:

https://something.com/api/function_name/?parameter=value?code=token_here
https://something.com/api/function_name?code=token_here/?parameter=value

Does anyone know how this is supposed to work?

On the flipside, I could also set the Platform Features -> Authentication / Authorization to an Azure AD service principal. But then how do I change the URL to authenticate using the client_id and client_secret of that service principal? I'd actually prefer using this method, because then I could implement lifecycle management on the token and rotate it to keep it even more secure.

I've looked here: Azure function with Azure AD authentication access using JavaScript

And most other topics I found on stackoverflow didn't even get close.

PS: This PS doesn't need an answer, but I would appreciate any thoughts. This thing I am concocting is a workflow composed of a (scheduled) Logic App that triggers a Get-Function, where the Get-Function will somehow need to trigger an Update-Function. I'm making the Get-Function HTTP triggered so that I will also be able to offer it as an API, to make this function usable for automation (to allow secrets to be rotated via API calls without those people requiring Azure AD permissions). The Update-Function would then need to rotate secrets on (specific) applications/service principals. The Azure Function is based on v2 and uses PowerShell Core as its language.

  • Well, I found an answer to my function auth misunderstanding: https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-first-function-powershell It's just a simple &parameter=value&parameter=value for each new query parameter that needs to be passed into the code. What remains is the Azure AD service principal authentication – Marco Aug 21 '19 at 09:43
  • Hi Marco, so you want to know how to use Azure AD to protect your function app via the Platform Features -> Authentication / Authorization way, right? Only requests that pass Azure AD auth can call your function app? – Stanley Gong Aug 21 '19 at 09:55
  • Hi Stan, preferably yes. I already know how to configure these settings. It's just that when calling the URL it seems to ask for my user credentials. So basically I'm just wondering how I'm supposed to use the client ID & secret to authenticate. – Marco Aug 21 '19 at 10:45

1 Answer


If you want to use Platform Features -> Authentication / Authorization (Easy Auth) to protect your anonymous HTTP triggered function, you can follow the steps below:

  1. Enable Authentication / Authorization (Easy Auth), using Azure AD Express mode.

Click Save. Once the process is done, please note the client_id of your function AD app; we will use it later.

  2. Create an Azure AD app.

Create a client secret for it, and note the client secret value and the new Azure AD app ID.

  3. Make a request to get an access token from your Azure AD so that we can call your HTTP triggered function:

Request URL:
POST https://login.microsoftonline.com/<-your tenant id/name->/oauth2/token

Request Header:
Content-Type: application/x-www-form-urlencoded

Request Body:
grant_type=client_credentials
&resource=<-function App ID->
&client_id=<-new Azure AD App ID->
&client_secret=<-client secret of new Azure AD App ID->

As you can see in the response, you get an access token. Use this token in the HTTP request's Authorization header to call your HTTP triggered function with Easy Auth enabled; all requests without a correct Authorization header will be blocked.

Please mark this as the answer if it is helpful for you.

  • Hey Stan, that will at least partially get me there. I had steps 1 & 2 done already. 3 gets me somewhat farther :) That request URL is what I was looking for. Where did you get that? Also, how would I do this token request outside of Postman? This is all manual testing, which I will be looking at for sure, so thanks for that! Would you also happen to know how I'd do this programmatically? I'm assuming it's basically some format for the URL? Mind that this is all written in PowerShell. Like this maybe?: https://www.twilio.com/docs/usage/tutorials/how-to-make-http-basic-request-twilio-powershell – Marco Aug 22 '19 at 05:44
  • Hi @Marco, that is the OAuth 2.0 service-to-service call auth flow of Azure AD; this is the official doc about it: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow#service-to-service-access-token-request If anything is unclear, please feel free to let me know : ) – Stanley Gong Aug 22 '19 at 05:52
  • Thanks! You got me ahead big time. I suppose I'll be able to figure out the programmatic access part somehow. :) – Marco Aug 22 '19 at 05:59
  • Welcome! Hope you have a nice day! – Stanley Gong Aug 22 '19 at 06:00
  • This is great, but I get 401 in the end. It's unclear to me how the client with the token acquired for the application `testAuth` can get access to a resource secured by the app stanfuntest001. I don't see any relation between these two and I believe that's the cause of the 401 error. Are you missing something? Or am I missing something? – Szybki Jan 30 '20 at 23:52
  • This is the most complete and to-the-point answer found on the topic! – Gian Marco Jan 15 '21 at 15:07
  • In the Request URL, what does 'name' stand for? The name of the function? The name of the AD app? – Román Aguilar Feb 24 '21 at 20:39
  • "name" stands for one of the parameters which the function uses as a parameter in the code. So you can input the parameter with a value in the body, and the function can pick the value up from the body. It could really be anything. You fill the body with stuff you want to send to the function, and the function can pick it up. @RománAguilar – Marco Aug 12 '21 at 14:34
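The two things the thread resolves, the query-string syntax from the question's comments and the client-credentials token flow from the answer, done programmatically in PowerShell. This is an added example, not code from the question, the answer or any Microsoft sample. The tenant name, the two application IDs, the function URL, the `FUNC_CLIENT_SECRET` environment variable and the sample parameters `name`/`action` are all placeholders and assumptions; `resource` is assumed to be the client_id of the Function's own Easy Auth AD app from step 1, because Easy Auth validates the token's audience against that app, which is why a token requested for any other resource is answered with 401, as in the comment above.

```powershell
# Added example (not from the original question or answer). Replace every placeholder.
$TenantId      = 'contoso.onmicrosoft.com'                 # tenant ID or tenant name (assumption)
$FunctionAppId = '11111111-1111-1111-1111-111111111111'    # client_id of the Function's Easy Auth AD app (step 1)
$ClientId      = '22222222-2222-2222-2222-222222222222'    # application (client) ID of the new AD app (step 2)
$ClientSecret  = $env:FUNC_CLIENT_SECRET                   # secret of the new AD app; kept out of the script on purpose
$FunctionUrl   = 'https://something.com/api/function_name'

if ([string]::IsNullOrEmpty($ClientSecret)) {
    throw 'Set FUNC_CLIENT_SECRET to the client secret of the calling Azure AD app.'
}

# Step 3: client-credentials (service-to-service) token request on the v1 endpoint.
# 'resource' must be the Function's own AD app ID: Easy Auth checks the token's 'aud'
# claim against that app, so a token minted for any other resource gets a 401.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        resource      = $FunctionAppId
        client_id     = $ClientId
        client_secret = $ClientSecret
    }
$accessToken = $tokenResponse.access_token

# The function's own input travels in the query string: '?' before the first
# parameter, '&' before every further one, every value URL-encoded. With
# authLevel=function the function key is just one more parameter, code=<key>,
# appended the same way; it is not a second '?'.
$parameters = [ordered]@{ name = 'Modro'; action = 'get' }   # constructed sample input
$queryString = ($parameters.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f [uri]::EscapeDataString($_.Key), [uri]::EscapeDataString([string]$_.Value)
    }) -join '&'

# Step 4: call the Easy Auth protected function with the bearer token in the
# Authorization header. The same request without that header is blocked by
# Easy Auth before the function's PowerShell code ever runs.
$response = Invoke-RestMethod -Method Get `
    -Uri "${FunctionUrl}?${queryString}" `
    -Headers @{ Authorization = "Bearer $accessToken" }
$response
```

Two design notes. The secret is read from the environment rather than embedded so that rotating it (the lifecycle management the question asks for) means changing one setting, not editing scripts. And when the caller is the Logic App itself rather than a script, its HTTP action can perform this same client-credentials exchange for you through its "Active Directory OAuth" authentication option, with the same tenant, client ID, secret and audience (the Function's app ID) as above, so the token never has to be handled in workflow logic.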