Blog Post

Azure Integration Services Blog
3 MIN READ

Access Azure Functions from Logic App

vinaykrish's avatar
vinaykrish
Icon for Microsoft rankMicrosoft
Jun 07, 2020

In this article, I will be describing you the steps on how to access the Azure Functions that is configured to not allow anonymous access from Logic App through AD authentication.

 

Prerequisites:

  1. Azure Functions
  2. Azure Logic App 
  3. App Registration

 

For quick intro/start on Registering App follow this link.

 

Also make sure you have sufficient access (Like "Contributor" rights in Azure Resource Group also "Owner" rights at Resource level) to create all the above azure artifacts

First let us begin by creating Azure functions.

 

Go to Azure Portal and create a resource. Select Azure Functions.

 

Create the Function App with all necessary details from dropdown.

Select the Storage account in the same region also choose the plan type appropriately based on the usage/budget.

FirstScreen.PNG

Finally validate the properties and create the Function App.

ThirdScreen.PNG

Add a function and choose the Template (I have chosen Http trigger: which gets triggered manually when you try to access from any client application) and finally create Function.

 

FourthScreen.PNG

 

FifthScreen.PNG

SixScreen.PNG

 

Once you have created a sample application, navigate to the Azure Function-> "Code + Test".

The below sample template accepts the Json request and sends response in string.

7.PNG

 

You can test it out by using "Test/Run" with sample Input and click Run:

{

"name":"John"

}

8.PNG

 

The response you would receive  is :

 

9.PNG

 

This can be tested even through the Postman.

10.PNG

 

Now, let's to restrict Azure functions to not allow with anonymous user and give a try to access the Azure Functions through Postman.

Goto "Authentication and Authorization"under Function App blade then turn on "App Service Authentication" under "Access Restrictions" section.

 

Also choose "Login with Azure Active Directory" under "Action to take when request is not authenticated "and finally Save.

11.PNG

 

This particular setting will not allow the Azure function to respond unless it is authenticated through Azure Active Directory.

Postman will throw an error with code 401 as shown below.

2.PNG

 

Now this function can be accessed through AD Authentication. To authenticate we must first register the Application using App registration.

We can do this App registration directly creating the Azure AD App via Azure Function "Authentication / Authorization" blade.

For that we have to choose "Azure Active Directory" option in "Authentication / Authorization" blade and finally create a new AD App by providing the appropriate App name in Create App field as shown below.

These options can be viewed under Express mode as shown in the below screenshot.

Express mode allows user to create an AD Application or select an existing AD application in your current Active Directory.

 

1.PNG

However, I recommend you to create App Registration manually . If you are building an application for external users that will be distributed by Microsoft, you must register as a first party application to meet all security, privacy, and compliance policies.

 

Let us create App Registration.

Go to App registration and create new.

 

12.PNG

 

Create Secret by choosing "Certificates & Secrets" in the left pane of the App registration.

13.PNG

 

Copy the secret and keep it ready to use it in Logic App.

 

14.PNG

 

Also, please copy the Client ID , Tenant ID and keep it ready to use it in Logic App later.

 

15.PNG

 

Now we will have to choose the particular AD Application in Azure functions via which an user can access.

Goto -> Azure Functions-> choose the Azure Function-> Select "Authorization / Authentication" -> choose "Azure Active directory" in the right pane.

Select already created AD App "functionappaccess" by verifying the Client ID and finally  "OK"

 

16.PNG

 

16-5.PNG

 

17.PNG

 

Later Save the Authentication / Authorization configuration.

 

Now it is time to test the Authenticate with Secret, ClientID , TenantID in Logic apps.

Create a Logic App may be either with Recurrence Trigger or Manual Http Trigger.

Later create Http action with TenantID, Client ID and the Secret.

Please note I have used ClientID for Audience .

 

18.PNG

Please give a try by running it manually.

Result:

 

19.PNG

 

19-5.PNG

 

The Azure Functions can also be reached by Azure Functions actions.

Add Azure Function action->  Function-> Choose the action

 

20.PNG

Enter appropriate TenantID, ClientID and Secret along with Audience.

Also, please note I have used ClientID for Audience.

 

21.PNG

Please give a manual run for testing.

Result :

22.PNG

 

22-5.PNG

 

Thanks for going through the article. Hope you enjoyed it!

Please leave your comments/queries in the comments section.

 

Updated Jun 07, 2020
Version 2.0
  • pioardi's avatar
    pioardi
    Brass Contributor

    I was able in the past months to do exactly the same thing, I am now trying to use managed identities instead but is now working properly, anyone has experience with that ?