Execute Azure Function using ADF activity and AAD Login

%3CLINGO-SUB%20id%3D%22lingo-sub-1833592%22%20slang%3D%22en-US%22%3EExecute%20Azure%20Function%20using%20ADF%20activity%20and%20AAD%20Login%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833592%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20trying%20to%20execute%20an%20Azure%20Function%20(HTTP%20type)%20using%20Azure%20Data%20Factory%20(ADF).%20The%20Function%20App%20has%20the%20App%20Service%20Authentication%20set%20as%20%22On%22%20and%20the%20action%20to%20take%20when%20request%20is%20not%20authenticated%20is%20set%20as%20%22Log%20in%20with%20Azure%20Active%20Directory%22.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22config_functionapp.jpg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F230154iD279713D2F288B07%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22config_functionapp.jpg%22%20alt%3D%22config_functionapp.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EIf%20we%20have%20this%20configuration%20in%20the%20Function%20App%2C%20is%20it%20possible%20to%20execute%20the%20Azure%20Function%20from%20ADF%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20configured%20the%20Azure%20Function%20and%20Active%20Directory%20App%20by%20following%20this%20documentation%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fdocs.microsoft.com-252Fen-2Dus-252Fazure-252Fapp-2Dservice-252Fconfigure-2Dauthentication-2Dprovider-2Daad-26data-3D04-257C01-257CFelipe.Rocha-2540microsoft.com-257C3e259ade08c043f75b0908d87b8bce47-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637395187680813277-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C1000-26sdata-3DaLtqA0RLT-252BnOQgzRvpO3-252FBHymas6xDVnCjtNg-252BLTPn8-253D-26reserved-3D0%26amp%3Bd%3DDwMFAw%26amp%3Bc%3DeIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU%26amp%3Br%3D6PBUmFEROSKfIVB29NY06e8Dp-dqEFIr6V8Pn_TTogM%26amp%3Bm%3D2xNcTOHFliLYWEEUfrAbIYlhonao8kIgcQ1S3dP6kyI%26amp%3Bs%3D87sJjlggshqh-zIdTp1NjIVjCOkX3R0es972xbuL3A8%26amp%3Be%3D%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EConfigure%20your%20App%20Service%20or%20Azure%20Functions%20app%20to%20use%20Azure%20AD%20login%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20aren%E2%80%99t%20using%20a%20web%20app%20and%20maybe%20that%E2%80%99s%20the%20confusing%20part%20when%20trying%20to%20follow%20the%20steps%20from%20the%20documentation.%20ADF%20is%20the%20one%20that%20needs%20to%20authenticate%20when%20trying%20to%20access%2Fexecute%20the%20function.%3CSTRONG%3E%20Do%20you%20know%20anything%20about%20this%20type%20of%20configuration%3F%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1833661%22%20slang%3D%22en-US%22%3ERe%3A%20Execute%20Azure%20Function%20using%20ADF%20activity%20and%20AAD%20Login%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833661%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438294%22%20target%3D%22_blank%22%3E%40mariellecespedes%3C%2FA%3E%26nbsp%3BI%20haven't%20done%20this%20myself%20before%20yet%20-%20but%20I%20believe%20it%20should%20work.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHave%20you%20enabled%20the%20managed%20identity%20on%20the%20Azure%20Data%20Factory%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1833768%22%20slang%3D%22en-US%22%3ERe%3A%20Execute%20Azure%20Function%20using%20ADF%20activity%20and%20AAD%20Login%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833768%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F196732%22%20target%3D%22_blank%22%3E%40Nills%20Franssens%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20we%20have%20Managed%20Identity%20in%20ADF.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20response%20when%20we%20get%20after%20the%20execution%20is%20a%20401%20Error%20type%20(unauthorized).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20used%20the%20Advanced%20settings%20configuration%20in%20the%20Function%20App%20and%20used%20the%20following%20information%20from%20the%20App%20Service%20app%3A%3C%2FP%3E%3CUL%3E%3CLI%3EClient%20ID%3C%2FLI%3E%3CLI%3ETenant%20ID%3C%2FLI%3E%3CLI%3EClient%20secret%3C%2FLI%3E%3CLI%3EApplication%20ID%20URI%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWe%20retrieved%20the%20information%20from%20the%20Overview%20tab%20from%20the%20App%20Service%20app.%20Copy-pasted%20it%20into%20the%20Function%20App%20configuration%20and%20followed%20the%20steps%20from%20the%20documentation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20aren%E2%80%99t%20using%20a%20web%20app%20(in%20this%20case%20it%20is%20ADF)%20and%20maybe%20that%E2%80%99s%20the%20confusing%20part%20when%20following%20the%20steps%20from%20the%20documentation%2C%20as%20ADF%20is%20the%20one%20who%20is%20calling%20the%20function.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1833802%22%20slang%3D%22en-US%22%3ERe%3A%20Execute%20Azure%20Function%20using%20ADF%20activity%20and%20AAD%20Login%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833802%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438294%22%20target%3D%22_blank%22%3E%40mariellecespedes%3C%2FA%3E%26nbsp%3BWhen%20you%20access%20the%20function%20directly%20(not%20using%20ADF)%26nbsp%3B%20-%20do%20you%20get%20the%20same%20401%2C%20or%20does%20that%20authenticate%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1833858%22%20slang%3D%22en-US%22%3ERe%3A%20Execute%20Azure%20Function%20using%20ADF%20activity%20and%20AAD%20Login%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833858%22%20slang%3D%22en-US%22%3E%3CP%3EOK%2C%20so%20this%20seems%20to%20be%20functions%20related%20indeed%20and%20not%20ADF%20related.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHave%20you%20tried%20accessing%20the%20functions%20URL%20directly%20in%20a%20web%20browser%20to%20see%20if%20you%20get%20a%20redirect%20to%20AAD%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

We are trying to execute an Azure Function (HTTP type) using Azure Data Factory (ADF). The Function App has the App Service Authentication set as "On" and the action to take when request is not authenticated is set as "Log in with Azure Active Directory". 

 

config_functionapp.jpg

 

If we have this configuration in the Function App, is it possible to execute the Azure Function from ADF?

 

We configured the Azure Function and Active Directory App by following this documentation:
Configure your App Service or Azure Functions app to use Azure AD login

 

We aren’t using a web app and maybe that’s the confusing part when trying to follow the steps from the documentation. ADF is the one that needs to authenticate when trying to access/execute the function. Do you know anything about this type of configuration?

10 Replies

@mariellecespedes I haven't done this myself before yet - but I believe it should work. 

 

Have you enabled the managed identity on the Azure Data Factory? 

@Nills Franssens 

Yes, we have Managed Identity in ADF.

 

The response when we get after the execution is a 401 Error type (unauthorized). 

 

We used the Advanced settings configuration in the Function App and used the following information from the App Service app:

  • Client ID
  • Tenant ID
  • Client secret
  • Application ID URI

We retrieved the information from the Overview tab from the App Service app. Copy-pasted it into the Function App configuration and followed the steps from the documentation.

 

We aren’t using a web app (in this case it is ADF) and maybe that’s the confusing part when following the steps from the documentation, as ADF is the one who is calling the function.

@mariellecespedes When you access the function directly (not using ADF)  - do you get the same 401, or does that authenticate? 

@Nills Franssens 

 

I get the same response.

 

mariellecespedes_0-1603990862162.png

 

This screenshot is from the "Code + Test" tab. 

OK, so this seems to be functions related indeed and not ADF related.

 

Have you tried accessing the functions URL directly in a web browser to see if you get a redirect to AAD?

@Nills Franssens 

 

Yeah, it seems to be functions related, thanks.

 

Yes, I pasted the functions URL in a web browser and it prompted me for my login credentials. I entered them and this was the result:

 

mariellecespedes_0-1603991554776.png

 

 

 

@mariellecespedes OK, that's a good sign, meaning the AAD sign-on actually works. 

 

I seems like I was too optimistic about this scenario, it seems like AAD authentication FROM ADF is not supported. You will have to use a Functions key when connecting from ADF. I'm sorry about not confirming this earlier. 2020-10-29 10_30_07-adfnmf - Azure Data Factory and 4 more pages - Work - Microsoft​ Edge.png

@Nills Franssens 

 

Any chance this is going to make it on the roadmap for ADF? AAD Auth from ADF I mean?

Hi Nills,

Hi Nills, Would function key work from ADF to call function with AAD authentication enabled on the function app?

@dkadam30 

 

Has anyone tried it by enabling Authentication on function app and accessing it from ADF through function key authentication. I don't think it works. If anyone made it work then please let me know.