powershell, authentication, azure-functions, powershell-core, service-principal

How to authenticate to an Azure Function using function auth or Azure AD service principal


I have an Azure Function which I'm using to fetch data from Azure AD, but I want to limit who can use the function, as it will be using an HTTP trigger so that I will be able to call the function from a Logic App later down the road. Since HTTP-triggered Azure Functions have a public endpoint, I want to improve security by setting the authorization level to Function, or, even more preferably, by using a (pre-created) Azure AD service principal. Upon making this change, though, I can make the call by putting the function key into the URL.

Base URL: https://something.com/api/function_name

URL with token: https://something.com/api/function_name?code=token_here

However, my function expects some input to be given. On an anonymous endpoint you'd extend the base URL like so: https://something.com/api/function_name/?parameter=value

Where parameter is what the code will expect, and value is what gets passed into the variable in the code. Now, I'm new to this HTTP endpoint stuff and passing in values via a URL. I understand this gets passed in as JSON (probably).

But I don't understand how I can do both the function authorization as well as passing in the parameter. I've tried:

https://something.com/api/function_name/?parameter=value?code=token_here
https://something.com/api/function_name?code=token_here/?parameter=value

Does anyone know how this is supposed to work?

On the flip side, I could also set Platform Features -> Authentication / Authorization to an Azure AD service principal. But then how do I change the URL to authenticate using the client_id and client_secret of that service principal? I'd actually prefer using this method, because then I could implement lifecycle management on the token and rotate it to keep it even more secure.

I've looked here: Azure function with Azure AD authentication access using JavaScript

And most other topics I found on Stack Overflow didn't even get close.

PS: This PS doesn't need an answer, but I would appreciate any thoughts. This thing I am concocting is a workflow combining a (scheduled) Logic App that triggers a Get-Function, where the Get-Function will somehow need to trigger an Update-Function. And I'm making the Get-Function HTTP triggered so that I will also be able to offer it as an API, to make this function usable for automation (to allow secrets to be rotated via API calls without those people requiring Azure AD permissions). The update function would then need to rotate secrets on (specific) applications/service principals. The Azure Function is based on v2 and uses PowerShell Core as its language.
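The question's two attempts put a second `?` into the URL; the function key (`code`) and the application parameter are both ordinary query parameters, so they share one `?` and are joined with `&`. The following is an added example, not code from the question or the accepted answer, showing the URL built correctly, the alternative of sending the key in the `x-functions-key` header, and what the host parses out of the query string. The host name `something.azurewebsites.net`, the function name `function_name`, the parameter name `parameter` and the environment variable `FUNCTION_KEY` are assumptions.

```powershell
# Added example, not part of the original question. Assumed names: a function app at
# https://something.azurewebsites.net, a function called function_name that reads a
# query parameter named 'parameter', and a function key in $env:FUNCTION_KEY.

function New-FunctionUri {
    # Builds the request URI for a function-level-auth HTTP trigger. The key (code=...)
    # and the application parameters are all ordinary query parameters: the URL has
    # exactly one '?', and every further name=value pair is appended with '&'.
    param(
        [Parameter(Mandatory)] [string] $BaseUri,
        [System.Collections.IDictionary] $Query = @{},
        [string] $FunctionKey
    )
    $pairs = @(foreach ($name in $Query.Keys) {
        '{0}={1}' -f [Uri]::EscapeDataString([string]$name), [Uri]::EscapeDataString([string]$Query[$name])
    })
    if ($FunctionKey) { $pairs += 'code={0}' -f [Uri]::EscapeDataString($FunctionKey) }
    if ($pairs.Count -eq 0) { return $BaseUri }
    return '{0}?{1}' -f $BaseUri.TrimEnd('/'), ($pairs -join '&')
}

function ConvertFrom-QueryString {
    # Splits a query string the way the host does before filling $Request.Query in run.ps1.
    param([Parameter(Mandatory)] [string] $Query)
    $result = [ordered]@{}
    foreach ($pair in $Query.TrimStart('?').Split('&')) {
        if (-not $pair) { continue }
        $name, $value = $pair.Split('=', 2)
        $decodedName = [Uri]::UnescapeDataString($name)
        $result[$decodedName] = [Uri]::UnescapeDataString([string]$value)
    }
    return $result
}

function Invoke-FunctionWithKey {
    # Same call with the key in the x-functions-key header instead of the URL, so it does
    # not land in proxy logs, browser history or the Logic App run history.
    param(
        [Parameter(Mandatory)] [string] $BaseUri,
        [System.Collections.IDictionary] $Query = @{},
        [Parameter(Mandatory)] [string] $FunctionKey
    )
    $uri = New-FunctionUri -BaseUri $BaseUri -Query $Query
    Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'x-functions-key' = $FunctionKey }
}

# Offline demo: what the two styles produce and what the host parses out of the query.
$base = 'https://something.azurewebsites.net/api/function_name'
$key  = if ($env:FUNCTION_KEY) { $env:FUNCTION_KEY } else { 'placeholder-key' }   # placeholder value

$params     = [ordered]@{ parameter = 'value with spaces' }
$uriWithKey = New-FunctionUri -BaseUri $base -Query $params -FunctionKey $key
$uriNoKey   = New-FunctionUri -BaseUri $base -Query $params
Write-Host "Key in URL:    $uriWithKey"
Write-Host "Key in header: $uriNoKey  (plus x-functions-key: <key>)"

$parsed = ConvertFrom-QueryString -Query ([Uri]$uriWithKey).Query
Write-Host "Host sees parameter='$($parsed['parameter'])', code supplied: $($parsed.Contains('code'))"

# Live call (needs the real endpoint and key):
# Invoke-FunctionWithKey -BaseUri $base -Query @{ parameter = 'value' } -FunctionKey $key
```

Inside the PowerShell function itself, a query parameter arrives as `$Request.Query.parameter`, not as JSON; only a request body is JSON, and it is exposed as `$Request.Body`. The header form is the one to prefer when the key is handed to a Logic App or another caller, because a key in the URL is copied into every log that records the request line.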


Solution

  • If you want to use Platform Features -> Authentication / Authorization (Easy Auth) to protect your anonymous HTTP-triggered function, you can follow the steps below:

    1. Enable Authentication / Authorization (Easy Auth), using Azure AD express mode:

    (screenshot omitted)

    Click save. Once the process is done, please note the client_id of your function's AD app; we will use it later.

    (screenshot omitted)

    2. Create an Azure AD app:

    (screenshot omitted)

    Create a client secret for it, and note the client secret value and the new Azure AD app ID:

    (screenshot omitted)

    3. Make a request to get an access token from your Azure AD so that we can call your HTTP-triggered function:
    Request URL:
    POST https://login.microsoftonline.com/<-your tenant id/name->/oauth2/token
    
    Request Header:
    Content-Type: application/x-www-form-urlencoded
    
    Request Body:
    grant_type=client_credentials
    &resource=<-function App ID->
    &client_id=<-new Azure AD App ID->
    &client_secret=<-client secret of new Azure AD App ID->
    

    Just as below:

    (screenshot omitted)

    As you can see in the response, you get an access token; use this token in the Authorization header of the HTTP request to call your HTTP-triggered function with Easy Auth enabled. All requests without a correct Authorization header will be blocked:

    (screenshot omitted)

    Please mark this as the answer if it is helpful for you.
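The token request and the authenticated call from the answer above, as an added PowerShell example (not the answer's own code). It assumes the tenant id and the new app's client id and secret are supplied in `$env:AZ_TENANT_ID`, `$env:CALLER_CLIENT_ID` and `$env:CALLER_CLIENT_SECRET`, that `$functionAppId` holds the client id of the function's Easy Auth app registration (the value passed as `resource`), and that the function URL is a placeholder. It also adds a client-side check that the token's `aud` claim is the function app, which is the usual reason such a call comes back as a bare 401.

```powershell
# Added example, not part of the original answer. Assumed inputs: the tenant id and the
# new app's client id/secret in $env:AZ_TENANT_ID, $env:CALLER_CLIENT_ID and
# $env:CALLER_CLIENT_SECRET; $functionAppId is the client id of the function's Easy Auth
# app registration (the value passed as 'resource'); the function URL is a placeholder.

function Get-ClientCredentialsToken {
    # The client-credentials request shown in the answer (v1 endpoint, 'resource' = the
    # function's AD app), sent with Invoke-RestMethod, which form-encodes a hashtable body.
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $Resource
    )
    $body = @{
        grant_type    = 'client_credentials'
        resource      = $Resource
        client_id     = $ClientId
        client_secret = $ClientSecret
    }
    $response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $response.access_token
}

function ConvertFrom-Base64Url {
    # JWT segments are base64url without padding; restore the padding before decoding.
    param([Parameter(Mandatory)] [string] $Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)] [string] $Text)
    return [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    # Reads the claims without verifying the signature: verification is Easy Auth's job on
    # the server; this is only a client-side sanity check before the token is sent.
    param([Parameter(Mandatory)] [string] $Token)
    $json = ConvertFrom-Base64Url -Text $Token.Split('.')[1]
    return ($json | ConvertFrom-Json)
}

function Invoke-EasyAuthFunction {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $ExpectedAudience
    )
    # A token minted for the wrong 'resource' carries the wrong 'aud' and Easy Auth answers
    # 401; failing here gives a readable error instead.
    $claims = Get-JwtClaims -Token $Token
    if ($claims.aud -ne $ExpectedAudience) {
        throw "Token audience '$($claims.aud)' is not the function app '$ExpectedAudience'; check the 'resource' value"
    }
    Invoke-RestMethod -Method Get -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
}

$functionAppId = 'function-app-client-id'   # placeholder for the Easy Auth app's client id

# Offline demo with a constructed, unsigned token, so the audience check can be exercised
# without contacting Azure AD (the signature segment is a dummy).
$header  = ConvertTo-Base64Url -Text '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url -Text ('{"aud":"' + $functionAppId + '","appid":"caller-app-id"}')
$sample  = '{0}.{1}.{2}' -f $header, $payload, 'no-signature'
if ((Get-JwtClaims -Token $sample).aud -ne $functionAppId) { throw 'demo token audience mismatch' }
Write-Host "Constructed token decodes to aud=$((Get-JwtClaims -Token $sample).aud)"

# Live use (needs real values):
# $token = Get-ClientCredentialsToken -TenantId $env:AZ_TENANT_ID -ClientId $env:CALLER_CLIENT_ID `
#              -ClientSecret $env:CALLER_CLIENT_SECRET -Resource $functionAppId
# Invoke-EasyAuthFunction -Uri 'https://something.azurewebsites.net/api/function_name?parameter=value' `
#              -Token $token -ExpectedAudience $functionAppId
```

The application parameter is passed exactly as with function-level auth (a normal query string); the difference is that the credential travels in the `Authorization: Bearer` header and is short-lived, which is what makes the rotation the question asks about possible: rotating the client secret in Azure AD invalidates future token requests without touching the function.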