0

I have an Azure Function and configured the Authentication with Microsoft as provider.

After that I granted a role assignment for another Azure Function Managed Identity on Access Control (IAM).

It worked fine, my second Azure function was able to invoke a function on my first one.

But now I've removed the role assignment of this Managed Identity, but my second Azure Function is still able to make calls to my first Azure Function.

On my Access Control (IAM) "Check access" I can see that the Managed Identity has no more Role Assignments.


Does anyone have any idea what it is?

2 Answers

0

This could be the result of the function having an access key in its cache. So even if the identity is removed, the provided access key is still valid. To fix it, there are a few options:

  1. Restart the function apps and they should be forced to create new access keys. That process will hopefully fail since they lack permissions.
  2. Wait until the access key becomes invalid. Not sure about the time of that though.

Hope it helps.

Eric Qvarnström
0

Assigning access through the Access control (IAM) tab does nothing for authenticating requests into your Function app. You can set management access roles through that tab for the Azure resource itself. It does not grant any access to the Functions themselves.

So most likely your Functions were not handling authorization correctly to begin with. Any application (including Managed Identities) can get an access token from Azure AD for any API in that tenant. It will not contain permissions but otherwise the token is valid.

It is up to your application to correctly authorize the caller. You can for example define App roles through Azure AD portal and assign them to Managed Identities through PowerShell. Alternatively you can check that the caller id in the token matches an allow list.

Of course you also need to authenticate the token; in your case the Authentication configuration already does that.

juunas
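The authorization step described in the answer above, as an added example that is not part of the original thread: a deny-by-default check that accepts a caller only if its token carries a required app role or its object id is on an allow list. It assumes the built-in Authentication layer has already validated the token and forwards the claims as base64 JSON in the `X-MS-CLIENT-PRINCIPAL` header; the role name, object ids, claim type names and helper functions are all assumptions made for illustration.

```python
import base64
import json

# Hypothetical allow list and role name (constructed values, not from the page).
ALLOWED_CALLER_OBJECT_IDS = {"11111111-1111-1111-1111-111111111111"}
REQUIRED_APP_ROLE = "Function.Invoke"

# Assumed claim type names: the role and object id claims may appear under
# either the short JWT name or the long schema URI.
ROLE_TYPES = {"roles", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}
OID_TYPES = {"oid", "http://schemas.microsoft.com/identity/claims/objectidentifier"}


def parse_client_principal(header_value):
    """Decode the forwarded principal into a list of (claim type, value) pairs."""
    try:
        doc = json.loads(base64.b64decode(header_value, validate=True))
        return [(str(c["typ"]), str(c["val"])) for c in doc["claims"]]
    except (ValueError, KeyError, TypeError):
        return []  # malformed or missing principal: treat as no claims


def authorize(header_value):
    """Return (allowed, reason). A valid token alone is never enough."""
    claims = parse_client_principal(header_value or "")
    if not claims:
        return False, "no validated principal"
    roles = {v for t, v in claims if t in ROLE_TYPES}
    oids = {v for t, v in claims if t in OID_TYPES}
    if REQUIRED_APP_ROLE in roles:
        return True, "app role"
    if oids & ALLOWED_CALLER_OBJECT_IDS:
        return True, "allow list"
    return False, "valid token, but caller not authorized"


def make_header(claims):
    """Build a constructed sample header so the check can be exercised offline."""
    doc = {"auth_typ": "aad", "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(doc).encode()).decode()
```

A managed identity with no app role and no allow-list entry, the situation in the question, falls through to the final deny branch even though its token authenticates.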