I set up my Azure Function to authenticate against my own tenant like so...
The app registration for the resource has an API exposed like this:
After doing so, if I hit it in the browser as myself, it asks me to authenticate and then works. Great! I'm now trying to hit this in Postman and I get a 401 no matter what I do.
Postman is logging in as its own service principal (1ec5483f-8eb9-4851-af81-ff89eb3e25ad)
and API permissions are set like this:
I then set up an OAuth 2 token in the Postman client, and it gets one which seems valid.
I obviously blanked out the secret deliberately. Scope is set to api://31f5b60c-5de3-4135-85ec-08edfbce042e/General.Read. Access Token URL = https://login.microsoftonline.com/mytenant/oauth2/v2.0/authorize. Token URL = https://login.microsoftonline.com/mytenant/oauth2/v2.0/authorize
The token decrypted looks like this:
{
"aud": "api://31f5b60c-5de3-4135-85ec-08edfbce042e",
"iss": "https://sts.windows.net/mytenant/",
"iat": 1695814282,
"nbf": 1695814282,
"exp": 1695818220,
"acr": "1",
"aio": "ATQAy/8UAAAAS8sRzKTgrNlGhofLEKYO7xweUqSUmLrqQWFN8i0o/qsoeBqavqK7oQXJt19EOeBk",
"amr": [
"pwd"
],
"appid": "1ec5483f-8eb9-4851-af81-ff89eb3e25ad",
"appidacr": "1",
"family_name": "XXX",
"given_name": "XXX",
"ipaddr": "XXX",
"name": "XXX",
"oid": "1c11db5e-dc85-4c4b-882e-b8dd40206255",
"onprem_sid": "S-1-5-21-57989841-1450960922-725345543-4904",
"rh": "0.ARcAdKQVoiCS8E-TJSBRMiYmswy29THjXTVBhewI7fvOBC4XACo.",
"roles": [
"Trigger.Function"
],
"scp": "General.Read",
"sub": "q7tSjCuR5mf56ekcpYI4xEZ6Kdo_zfXkT2oBYEsyohQ",
"tid": "a215a474-9220-4ff0-9325-2051322626b3",
"unique_name": "XXX@XXX.com",
"upn": "XXX@XXX.com",
"uti": "0W4WOPhO406S8ahy4GkmAA",
"ver": "1.0"
}
Again, this eyeballs right to me. But when I call
It's ALWAYS 401. Where am I going wrong?
I created an Azure AD Function app and enabled Authentication like below:
In Azure AD Application an API is Exposed:
Added API permissions:
Now, I tried to generate an access token and authenticate to the Function app using the parameters below:
GET https://testrukfunctapp1.azurewebsites.net/api/HttpTrigger1
Callback URL : RedirectURL
Auth URL : https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize
Access Token URL : https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
ClientID : ClientID
Client Secret : ***
Scope : api://xxx/user_impersonation
I got the same error (401 Unauthorized), as below:
To resolve the error, make sure to pass the x-functions-key header:
The x-functions-key value is the code value in the function URL:
After passing the header, I am able to authenticate to the Function app successfully using the access token, like below:
GET https://testrukfunctapp1.azurewebsites.net/api/HttpTrigger1
x-functions-key : FunctionURLCodeValue
Content-Type : application/json
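As an added example (not code from either post above), the script below does in Python what the answer does in Postman: it builds the request with both the Bearer token and the x-functions-key header, and before sending it runs a client-side pre-flight over the token's claims (aud, tid, exp/nbf, scp) so that a mismatch is spotted without eyeballing the decoded JSON. The sample token is constructed from the claims in the question with a dummy signature; the function key, URL and audience values are assumptions. The claims decoder deliberately does not verify the signature (Easy Auth on the Function app does that); it is a debugging aid for the caller, not a server-side check.

```python
"""Pre-flight and call helper for a key-protected Azure Function behind Easy Auth.

Added example, not from the original posts. All identifiers below are either taken
from the question's decoded token or are placeholders (function key, URL).
"""
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Dict, Iterable, List, Optional

# Constructed sample: the non-personal claims from the question's token.
SAMPLE_CLAIMS: Dict = {
    "aud": "api://31f5b60c-5de3-4135-85ec-08edfbce042e",
    "iss": "https://sts.windows.net/a215a474-9220-4ff0-9325-2051322626b3/",  # constructed
    "iat": 1695814282,
    "nbf": 1695814282,
    "exp": 1695818220,
    "appid": "1ec5483f-8eb9-4851-af81-ff89eb3e25ad",
    "roles": ["Trigger.Function"],
    "scp": "General.Read",
    "tid": "a215a474-9220-4ff0-9325-2051322626b3",
    "ver": "1.0",
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_sample_token(claims: Dict) -> str:
    """Build a JWT-shaped string with a dummy signature so the decoder has realistic input.
    A real token is signed by Azure AD; never accept a token built like this server-side."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.constructed-signature"


def decode_claims(token: str) -> Dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature.
    Sufficient for checking what you are about to send; the Function app's Easy Auth
    layer is what actually validates signature and issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: Dict, expected_aud: str, expected_tid: str,
                 required_scopes: Iterable[str] = (), now: Optional[float] = None) -> List[str]:
    """Return a list of human-readable mismatches; empty list means the claims look right."""
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected allowed audience {expected_aud!r}")
    if claims.get("tid") != expected_tid:
        problems.append("tid does not match the tenant the app registration lives in")
    if now >= claims.get("exp", 0):
        problems.append("token expired (exp in the past)")
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid (nbf in the future)")
    granted = set(claims.get("scp", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append(f"missing delegated scope(s): {', '.join(missing)}")
    return problems


def build_headers(bearer_token: str, function_key: str) -> Dict[str, str]:
    """Two independent gates: the Bearer token satisfies App Service authentication,
    x-functions-key satisfies the Functions host's authLevel=function check."""
    return {
        "Authorization": f"Bearer {bearer_token}",
        "x-functions-key": function_key,
        "Content-Type": "application/json",
    }


def preflight(token: str, function_key: str, expected_aud: str, expected_tid: str,
              required_scopes: Iterable[str] = (), now: Optional[float] = None) -> List[str]:
    """Everything that would earn a 401 that we can detect before sending."""
    problems = check_claims(decode_claims(token), expected_aud, expected_tid, required_scopes, now)
    if not function_key:
        problems.append("no x-functions-key: a function with authLevel=function returns 401 without it")
    return problems


def call_function(url: str, bearer_token: str, function_key: str, timeout: float = 10.0) -> int:
    """Issue the GET with both headers and return the HTTP status code. Needs network."""
    req = urllib.request.Request(url, headers=build_headers(bearer_token, function_key), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    sample = make_unsigned_sample_token(SAMPLE_CLAIMS)
    # Placeholder key; the real one is the `code` query value from the function URL.
    print(preflight(sample, "hypothetical-function-key", SAMPLE_CLAIMS["aud"],
                    SAMPLE_CLAIMS["tid"], ["General.Read"], now=1695815000))
```

Run the pre-flight against the token Postman obtained (paste it in place of the constructed sample) before blaming the app registration; an empty list plus a 401 points at the function key, which is the answer's fix. Treat that key as a host-level shared secret rather than an identity credential: it belongs in an environment variable or Postman secret, not in a shared collection, and is rotated from the Function app's keys blade like any password.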