We will show how to call Azure Function App HTTP trigger from Logic App using HTTP action and AAD OAuth certificate; in this article, we will be using a self-signed certificate:
1. Using Windows PowerShell, Create and export a self-signed certificate.
$cert = New-SelfSignedCertificate -subject "certificateSubject"
Export-Certificate -Cert $cert -FilePath certificateFileName.cer -Type CERT
2. Export the certificate created in step 1 to pfx base64 encoded bytes.
$mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
$cert | Export-PfxCertificate -FilePath pfxFileName.pfx -Password $mypwd
$pfx_cert = [System.IO.File]::ReadAllBytes('fullPath\pfxFileName.pfx ')
[System.Convert]::ToBase64String($pfx_cert) | Out-File 'pfxEncodedBytesFileName.txt'
3. Using Azure portal, enable authentication on Azure Function App by adding an identity provider.
a. Go to Azure Function App.
b. Go to Settings, click Authentication.
c. Click Add identity provider.
d. From the Identity provider drop down list, select Microsoft.
e. Keep all default selected options.
f. Click Add.
This will create a new app registration; you can select to pick an existing app registration instead of creating a new one.
g. From your registered app overview, take a note of Directory (tenant) ID, Application (client) ID and Application ID URI.
4. Upload the certificate to your registered app.
a. Go to Azure Active Directory.
b. Go to Manage, click App registrations.
c. Click Owned applications tab.
d. From the list of owned applications, click the registered app name created in step 3.f.
e. Go to Manage, click Certificates & secrets.
f. Click Certificates tab.
g. Click Upload certificate, browse and select the self-signed certificate file certificateFileName.cer created in step 1 and click Add.
5. In your Logic App, use the HTTP action to call Azure Function App.
a. From Method drop down list, select POST.
b. Set the URI to Azure Function App URI.
c. Click Add new parameter and select Authentication.
d. From Authentication type drop down list, select Active Directory OAuth.
e. Set Tenant to Directory (tenant) ID.
f. Set Audience to Application ID URI.
g. Set Client ID to Application (client) ID.
Copy the previous three values from step 3.g.
h. From Credential Type drop down list, select Certificate.
i. Set Pfx to the pfx base64 encoded bytes exported in step 2, copy the content from file pfxEncodedBytesFileName.txt.
j. Set Password to the password used to export the certificate to pfx in step 2.
It is highly recommended to store and retrieve the pfx base64 encoded bytes and password from Azure Key Vault.