I want to create an Azure Function that accesses Cosmos DB Containers and Key Vault Scopes. Function calls require Active Directory sign in and users are granted access to resources via Groups.

Azure resources should be accessed or denied based on the signed in user's permissions or group memberships.

How can the Azure Function access other Azure Resources on behalf of the authenticated caller?

webish

1 Answer

It's pretty complex, unfortunately: you'd need to get a new OAuth2 access token scoped to the Cosmos DB resource to be able to access it.

Please check OAuth2 On-Behalf-Of flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

When I used it 2 years ago, there was no SDK support for this flow; I simply used an HTTP request against https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

In your case, you would also have to add the https://cosmos.azure.com/user_impersonation delegated API permission to your app registration, and users will be asked for consent when they try to access your API.

movax
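As an added illustration of the answer above (example code written for this page, not the asker's or answerer's code, and not an Azure SDK API): the On-Behalf-Of exchange is a single form POST to the v2.0 token endpoint, carrying the caller's validated access token as the `assertion` and requesting the `https://cosmos.azure.com/user_impersonation` scope. The tenant and client IDs, the secret, the caller token and `fake_token_service` are constructed placeholders so the block runs offline; the real endpoint is only contacted if you pass no `post` callable. The function assumes the platform (for example App Service authentication) has already validated the incoming bearer token before it is forwarded, and it surfaces a token-endpoint error (missing consent, rejected assertion, wrong scope) as `PermissionError` instead of silently falling back to the function's own identity.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Constructed placeholders for the example. A real function reads these from
# application settings or Key Vault and never hard-codes the secret.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder app registration
COSMOS_SCOPE = "https://cosmos.azure.com/user_impersonation"  # scope named in the answer

# Grant type and token-use marker defined by the OBO flow for the v2.0 endpoint.
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
OBO_TOKEN_USE = "on_behalf_of"


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint for the tenant, as given in the answer."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def bearer_from_header(authorization: str) -> str:
    """Pull the caller's token out of 'Authorization: Bearer <token>'.
    Assumes the platform already validated signature, issuer, audience and expiry."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("missing or non-Bearer Authorization header")
    return token.strip()


def build_obo_request(tenant_id: str, client_id: str, client_secret: str,
                      user_assertion: str, scope: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, form body) for the On-Behalf-Of token exchange."""
    form = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,        # the caller's token, not the function's
        "scope": scope,                     # downstream resource the new token is for
        "requested_token_use": OBO_TOKEN_USE,
    }
    return token_endpoint(tenant_id), form


def _http_post_form(url: str, form: Dict[str, str]) -> Dict:
    """Default transport: real POST to the token endpoint (not used by the test)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def exchange_on_behalf_of(tenant_id: str, client_id: str, client_secret: str,
                          user_assertion: str, scope: str,
                          post: Optional[Callable[[str, Dict[str, str]], Dict]] = None) -> str:
    """Exchange the caller's token for a downstream token carrying the caller's identity.
    Any error from the token endpoint is raised; the function must not quietly
    use its own managed identity instead, or the user's group-based access is bypassed."""
    url, form = build_obo_request(tenant_id, client_id, client_secret, user_assertion, scope)
    body = (post or _http_post_form)(url, form)
    if "error" in body:
        raise PermissionError(f"{body['error']}: {body.get('error_description', '')}")
    return body["access_token"]


def fake_token_service(url: str, form: Dict[str, str]) -> Dict:
    """Constructed stand-in for the token endpoint so the example runs offline.
    It accepts exactly one caller assertion and only the Cosmos scope."""
    if url != token_endpoint(TENANT_ID) or form.get("grant_type") != OBO_GRANT \
            or form.get("requested_token_use") != OBO_TOKEN_USE:
        return {"error": "invalid_request", "error_description": "not an OBO request"}
    if form.get("assertion") != "caller-token":
        return {"error": "invalid_grant", "error_description": "assertion rejected"}
    if form.get("scope") != COSMOS_SCOPE:
        return {"error": "invalid_scope", "error_description": "scope not consented"}
    return {"token_type": "Bearer", "expires_in": 3599,
            "access_token": "cosmos-token-for-caller"}  # constructed value


if __name__ == "__main__":
    # What the function would do per request: take the caller's token, swap it.
    caller = bearer_from_header("Bearer caller-token")   # constructed header
    downstream = exchange_on_behalf_of(TENANT_ID, CLIENT_ID, "placeholder-secret",
                                       caller, COSMOS_SCOPE, post=fake_token_service)
    print("downstream token:", downstream)
```

The downstream token is then sent to Cosmos DB in place of a key, so the data-plane authorization is evaluated against the signed-in user's role assignments rather than the function's own permissions. Cache OBO tokens per caller (keyed by the incoming token's subject and the requested scope, not by one shared cache entry), so one user's downstream token is never handed to another.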