
I have a simple azure function (Authorization level set to Anonymous) with an HTTP trigger

public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
{
    return new OkObjectResult("This is a response from secured function.");
}

I want to secure it with Managed Identities, so I turned on system-assigned identity.

And in my AD enterprise app registration, I can see the created system-assigned identity, so I copied its Application ID value.

and for testing purposes, I want to trigger it from another azure function

public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
{
    // Placeholder: the application / client ID of the system-assigned identity
    var clientID = "{application / client ID of system identity}";
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    // The first parameter of GetAccessTokenAsync is the resource (token audience)
    var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(clientID);
    
    // Call secured azure function
    using (var client = new HttpClient())
    {
        client.BaseAddress = new Uri("https://my-secured-function.azurewebsites.net");
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        var response = await client.GetAsync("/api/HttpTrigger1");
        if (response.IsSuccessStatusCode)
        {
            var result = await response.Content.ReadAsStringAsync();

            return new OkObjectResult(result);
        }
        else
        {
            return new OkObjectResult("Error - " + response.StatusCode);
        }
    }
}

The code works, it generates & sends a token within the HTTP request. However, the "secured" azure function is still publicly available.

The question is how can I protect the "secured" azure function, so it can be triggered only with an HTTP request with a generated token using managed identities.

MoonHorse
Ladislav Margai

2 Answers

The System Assigned Managed Identity you enabled here only gives an identity to your app, through a Service Principal. This is not blocking any access unlike the Firewall/IP Restrictions (that you could use but I assume that you want to rely on Identity only here).

What you are looking for is basically Authentication with Azure AD. From there, you could use the Managed Identity (if this is suitable) of the caller to authenticate against your app through the AAD. That also works with any Service Principal or user.

Jul_DW
  • I configured the Authentication with Azure AD and created a new Enterprise App registration. The function is now secured; however, when I use the "caller" managed identity ApplicationID/ClientID, I get a 401 response. In Access control (IAM) of the "secured" function, the "caller" managed identity has the "Owner" role assigned. Is there anything else to configure? – Ladislav Margai Nov 15 '21 at 12:47
  • In the API permissions of the Service Principal being the caller (client), have you added access to the API defined by your first app you want to authenticate against? When you enabled the AAD authentication, it should have automatically created an entry for you to register your client app as an authorized caller, as explained here: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#configure-client-apps-to-access-your-app-service – Jul_DW Nov 15 '21 at 13:46
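An added example (not code from the question or the answers) that follows Jul_DW's point about registering the client as an authorized caller: the caller requests its token for the secured function's audience with Azure.Identity (the question's AzureServiceTokenProvider is the older library for the same job), and the secured function checks the identity that Easy Auth forwards in the X-MS-CLIENT-PRINCIPAL header against an allowlist, because a valid AAD token alone does not say which app obtained it. The two client IDs, the api://<client-id> app ID URI (Easy Auth's default) and the function URL are assumed placeholders.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.Http;

public static class ManagedIdentityCall
{
    // Placeholders (assumed values): the secured function's Easy Auth app registration and its allowed callers.
    const string SecuredAppClientId = "<secured-function-app-registration-client-id>";
    static readonly string[] AllowedCallerAppIds = { "<caller-managed-identity-client-id>" };

    // Caller side: the token must be issued for the secured function's audience
    // (its app ID URI), not for the caller's own client ID, or Easy Auth returns 401.
    public static async Task<string> CallSecuredFunctionAsync(HttpClient client)
    {
        var credential = new ManagedIdentityCredential();
        var ctx = new TokenRequestContext(new[] { $"api://{SecuredAppClientId}/.default" });
        AccessToken token = await credential.GetTokenAsync(ctx, default);

        using var request = new HttpRequestMessage(HttpMethod.Get,
            "https://my-secured-function.azurewebsites.net/api/HttpTrigger1");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        using var response = await client.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Callee side: Easy Auth validates the token, but unless the app registration is
    // restricted to specific client apps, any identity in the tenant can obtain one.
    // Easy Auth forwards the authenticated principal as base64 JSON in the
    // X-MS-CLIENT-PRINCIPAL header; allow only the listed caller app IDs.
    public static bool IsAllowedCaller(HttpRequest req)
    {
        if (!req.Headers.TryGetValue("X-MS-CLIENT-PRINCIPAL", out var encoded)) return false;
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(encoded.ToString()));
        using var doc = JsonDocument.Parse(json);
        // claims: [{ "typ": "...", "val": "..." }]; v1 tokens carry "appid", v2 tokens "azp".
        var appId = doc.RootElement.GetProperty("claims").EnumerateArray()
            .Where(c => c.GetProperty("typ").GetString() is "appid" or "azp")
            .Select(c => c.GetProperty("val").GetString())
            .FirstOrDefault();
        return appId != null && AllowedCallerAppIds.Contains(appId);
    }
}
```

Call IsAllowedCaller at the top of the secured function's Run method and return an UnauthorizedResult when it is false; the caller-side method is what the second function in the question should do instead of passing its own client ID as the resource.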

You need to click "Authentication" on the left panel of your Function app. Then add Microsoft AD as an identity provider.

Add the necessary settings (you can let Azure create an App registration or use the managed identity which you have already created). With this step, you will lock your Azure function app so it is triggered only if a valid AD token is provided to it.

Anupam Chand
  • "...you can let Azure create an App registration or use the managed identity which you have already created." - I could only add a new App registration; in the existing app registration option I could not find any managed identities, which was the reason I was quite confused. – Ladislav Margai Nov 15 '21 at 12:51