Best way to secure Azure Function


So far, I am able to create Azure functions that are accessible anonymously. However, I'd like to secure those functions so that they only run from a specific Microsoft Flow. I am reading the docs and watching videos and am kinda lost on how to secure Azure functions. What I did was I went to my function app, to Authentication / Authorization, and set "App Service Authentication" to "On". I chose Log in with Azure Active Directory, and chose Advanced. In the client ID, I pasted the client ID that's added in app registrations. However, I left the "issuer url" and "Allowed Token Audiences" empty as the docs aren't really clear on what these values should be. When trying to execute the Azure function this way, I am getting "id_token" is not enabled for your app. So I went to my app registration, clicked on "Token configuration" from the left menu, clicked on "Add optional claim", chose ID, checked all the claims, and hit Add. But that didn't solve the issue. Is there clear documentation of what should be done exactly? There is a lot of talking in the docs about theory and how authentication works, but nothing practical that actually teaches people how to secure their functions step by step.

1 Reply

@bri992 so this documentation should hopefully help you: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

I followed the doc and it was working as expected on a function app.


Anyway, more generally speaking, you could also put in place access restrictions.

Go to the network blade, then scroll down and you will find access restrictions; within it you can specify the subnets and/or source IP ranges that you want to allow/deny to run your functions.
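Added example, not code from either poster or from Microsoft: a small Python model of the two layers this thread discusses, the token checks that the "Issuer URL" and "Allowed Token Audiences" fields in App Service Authentication control (the question), and the IP-based access restrictions from the reply, combined so that a request must pass both. The tenant ID, client ID, HS256 demo key and IP ranges are constructed placeholders; real Azure AD tokens are RS256-signed with keys fetched from the tenant's OpenID metadata, and the v1.0 issuer form `https://sts.windows.net/<tenant-id>/` with the client ID (or `api://<client-id>`) as audience is assumed. Making the checks explicit shows what those two empty fields are meant to pin down: which tenant may issue tokens and which app they must be issued for.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed placeholder values, not taken from the thread: the Azure AD tenant ID and
# the app registration's client ID. For Azure AD v1.0 tokens the issuer is
# https://sts.windows.net/<tenant-id>/ and the audience is the client ID or its
# App ID URI; these are the values the Issuer URL / Allowed Token Audiences expect.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
ALLOWED_AUDIENCES = {CLIENT_ID, f"api://{CLIENT_ID}"}

# Constructed signing key. Real Azure AD tokens are RS256-signed with published
# keys; HS256 with a local secret keeps this example runnable offline.
DEMO_KEY = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict) -> str:
    """Build an HS256 JWT carrying the given claims (constructed test input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Signature, issuer, audience and expiry checks; returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Issuer pins the tenant; audience pins the app the token was issued for.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer not trusted"
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & ALLOWED_AUDIENCES:
        return False, "audience not allowed"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    return True, "ok"


@dataclass(frozen=True)
class AccessRule:
    """One access-restriction entry: Allow/Deny for a CIDR; lower priority evaluates first."""
    name: str
    action: str
    cidr: str
    priority: int


def evaluate_network(rules: List[AccessRule], source_ip: str) -> Tuple[str, str]:
    """First matching rule in priority order decides. Once any rule exists, an
    unmatched source is denied, modelling the implicit deny-all of App Service
    access restrictions; with no rules at all the app stays open."""
    if not rules:
        return "Allow", "no rules configured"
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action, rule.name
    return "Deny", "implicit deny-all"


def authorize(rules: List[AccessRule], source_ip: str, token: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Network allow-list first, then token validation: both layers must pass."""
    action, why = evaluate_network(rules, source_ip)
    if action != "Allow":
        return False, f"network: {why}"
    ok, why = validate_token(token, now)
    return ok, f"token: {why}"


if __name__ == "__main__":
    # Constructed rule set: allow one documentation range, deny a single host inside it.
    demo_rules = [AccessRule("flow-egress", "Allow", "203.0.113.0/24", 100),
                  AccessRule("block-one-host", "Deny", "203.0.113.7/32", 50)]
    tok = mint_demo_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": time.time() + 600})
    print(authorize(demo_rules, "203.0.113.9", tok))
    print(authorize(demo_rules, "198.51.100.1", tok))
```

Azure evaluates access-restriction rules on the caller's source address, so to limit a function to one Flow you still have to know which outbound addresses that connector uses; the token layer is what ties the call to a specific app registration rather than to a network location.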