In this article, I will be describing you the steps on how to access the Azure Functions that is configured to not allow anonymous access from Logic App through AD authentication.
- Azure Functions
- Azure Logic App
- App Registration
For quick intro/start on Registering App follow this link.
Also make sure you have sufficient access (Like "Contributor" rights in Azure Resource Group also "Owner" rights at Resource level) to create all the above azure artifacts
First let us begin by creating Azure functions.
Go to Azure Portal and create a resource. Select Azure Functions.
Create the Function App with all necessary details from dropdown.
Select the Storage account in the same region also choose the plan type appropriately based on the usage/budget.
Finally validate the properties and create the Function App.
Add a function and choose the Template (I have chosen Http trigger: which gets triggered manually when you try to access from any client application) and finally create Function.
Once you have created a sample application, navigate to the Azure Function-> "Code + Test".
The below sample template accepts the Json request and sends response in string.
You can test it out by using "Test/Run" with sample Input and click Run:
The response you would receive is :
This can be tested even through the Postman.
Now, let's to restrict Azure functions to not allow with anonymous user and give a try to access the Azure Functions through Postman.
Goto "Authentication and Authorization"under Function App blade then turn on "App Service Authentication" under "Access Restrictions" section.
Also choose "Login with Azure Active Directory" under "Action to take when request is not authenticated "and finally Save.
This particular setting will not allow the Azure function to respond unless it is authenticated through Azure Active Directory.
Postman will throw an error with code 401 as shown below.
Now this function can be accessed through AD Authentication. To authenticate we must first register the Application using App registration.
We can do this App registration directly creating the Azure AD App via Azure Function "Authentication / Authorization" blade.
For that we have to choose "Azure Active Directory" option in "Authentication / Authorization" blade and finally create a new AD App by providing the appropriate App name in Create App field as shown below.
These options can be viewed under Express mode as shown in the below screenshot.
Express mode allows user to create an AD Application or select an existing AD application in your current Active Directory.
However, I recommend you to create App Registration manually . If you are building an application for external users that will be distributed by Microsoft, you must register as a first party application to meet all security, privacy, and compliance policies.
Let us create App Registration.
Go to App registration and create new.
Create Secret by choosing "Certificates & Secrets" in the left pane of the App registration.
Copy the secret and keep it ready to use it in Logic App.
Also, please copy the Client ID , Tenant ID and keep it ready to use it in Logic App later.
Now we will have to choose the particular AD Application in Azure functions via which an user can access.
Goto -> Azure Functions-> choose the Azure Function-> Select "Authorization / Authentication" -> choose "Azure Active directory" in the right pane.
Select already created AD App "functionappaccess" by verifying the Client ID and finally "OK"
Later Save the Authentication / Authorization configuration.
Now it is time to test the Authenticate with Secret, ClientID , TenantID in Logic apps.
Create a Logic App may be either with Recurrence Trigger or Manual Http Trigger.
Later create Http action with TenantID, Client ID and the Secret.
Please note I have used ClientID for Audience .
Please give a try by running it manually.
The Azure Functions can also be reached by Azure Functions actions.
Add Azure Function action-> Function-> Choose the action
Enter appropriate TenantID, ClientID and Secret along with Audience.
Also, please note I have used ClientID for Audience.
Please give a manual run for testing.
Thanks for going through the article. Hope you enjoyed it!
Please leave your comments/queries in the comments section.