How can DPS use Managed Identity to authenticate access to my Azure Function?

Question

I am using Azure Device Provisioning Service with custom allocation policy with Azure function.

I would like to introduce some kind of authentication for the function. The function is also used by other Azure services so I was thinking to have a managed identity for it, but I am not sure how DPS can use that identity.

I found how I can control access to the DPS, but how can I control access from DPS to the Azure Function? I didn't find anything useful in the documentation, only basic examples how to setup DPS with Azure Function, but nothing about authentication between the two.

If not managed identity, is there any other way to introduce authentication between DPS and custom allocation policy Azure function?

@Sampath I am not sure if that's relevant, but the function is written in C# and it's used as DPS custom policy, so it's HTTP trigger. — wmizera96, May 25 '23 at 09:08

score 0 · Answer 1 · answered May 26 '23 at 08:04

To authenticate access to the Azure Function from Azure DPS using a managed identity.

Enable Managed Identity for the Azure Function

enter image description here

JWT token for a user in Azure AD

enter image description here

Grant access to the Azure Function In Azure go to the resource of storage account that the Azure Function needs to access.

Choose Access control (IAM)" settings and add a new role assignment.

enter image description here

Select the appropriate role based on the required permissions for the Azure Function. In the "Assign access to" field.

Modify your Azure Function to validate the managed identity.

enter image description here

In C# code, you can access the identity token from the request headers. Validate the identity token using the Azure AD token validation endpoint or by using the appropriate library for token validation.

[FunctionName("Function1")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
        {
            var identity_Token = req.Headers["X-MS-TOKEN-AADIDTOKEN"]; 
            var validation_Params = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = "https://login.microsoftonline.com/{TenantId}/v2.0", 
                ValidateAudience = true,
                ValidAudience = "Azure fun Client App ID"
            };

            var tokenHandler = new JwtSecurityTokenHandler();
            try
            {
                var res_principal = tokenHandler.ValidateToken(identity_Token, validation_Params, out _);
                return new  OkObjectResult(res_principal);
            }
            catch (Exception ex)
            {
                log.LogError(ex, "Token validation failed");
                return new UnauthorizedResult();
            }
        }

For more information refer to the MSDoc1 and MSDoc2.

score 0 · Answer 2 · answered Jun 06 '23 at 13:44

If you want granular configuration and policy validation on a per function basis, take a look at this package. It gives you the same control AuthorizeAttribute gives you in ASP.NET Core when it comes to policy based auth.

DPS token targeting function app registration gives the framework everything it needs to authenticate request and you don't have to write any authentication logic in your functions.

How can DPS use Managed Identity to authenticate access to my Azure Function?

2 Answers2