Add authentication to your Azure Function app
In my previous article I discussed how to secure Azure Functions using function keys. While function keys provide some mitigation against unwanted access, the only way to truly secure your function endpoints is to positively authenticate the clients that call your functions. You can then make authorization decisions based on the caller's identity.
Enabling App Service Authentication/Authorization for a function app
Azure App Service platform lets you use Azure Active Directory (AAD) and several third-party identity providers to authenticate clients. You can use this strategy to implement custom authorization rules for your functions, and you can work with user information from your function code.
Azure App Service provides built-in authentication and authorization capabilities (also called Easy Auth), so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, mobile back end, and Azure Functions. This article describes how App Service simplifies authentication and authorization for your function app.
To enable authentication for an Azure Function, open the Azure portal, go to your function app and search for Authentication.
Click Add identity provider and select Microsoft. We are going to authenticate using Azure Active Directory (AAD). It is a good choice if your users have an AAD account (in your organization or any other organization that uses AAD).
Create a new app registration or select an existing app registration from the same tenant as your function app. You can also provide details of an existing app registration from some other tenant.
In the App Service authentication settings, select one of the following options:
Require authentication
This option will reject any unauthenticated traffic to your function app. This rejection can be a redirect action to one of the configured identity providers. In these cases, a browser client is redirected to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized. You can also configure the rejection to be an HTTP 401 Unauthorized or HTTP 403 Forbidden for all requests.
With this option, you don't need to write any authentication code in your app. Finer authorization, such as role-specific authorization, can be handled by inspecting the user's claims.
Restricting access in this way applies to all calls to your app, which may not be desirable for apps that want a publicly available home page, as in many single-page applications. A function serving the Swagger UI is another endpoint you might want to keep publicly available.
By default, any user in your Azure AD tenant can request a token for your application from Azure AD. You can configure the application in Azure AD if you want to restrict access to your app to a defined set of users.
Allow unauthenticated requests
This option defers authorization of unauthenticated traffic to your application code. For authenticated requests, App Service also passes the authentication information along in the HTTP headers. This option provides more flexibility in handling anonymous requests. For example, it lets you present multiple sign-in providers to your users. However, you must write the handling code yourself.
Select the option under Unauthenticated requests that fits your requirement and click Add.
Authentication is now enabled in the function app. Pass a bearer token in the Authorization header with each request to your function endpoint.
The source code used here is from my previous article with one change (authorization level set to Anonymous, because function keys are not needed when using authentication) and can be found here: https://github.com/iamsandeepkmr/AzureFunctionWithKeys
App Service can be used for authentication with or without restricting access to your endpoint. To restrict access only to authenticated users, set Restrict access to Require authentication. To authenticate but not restrict access, set Restrict access to Allow unauthenticated access.
How is the second option (Allow unauthenticated access) useful? Think of a scenario where you want some of your endpoints to be publicly available.
In that case, set Restrict access to Allow unauthenticated access and have the functions that require authentication redirect the user to login when not already authenticated.
Want to do some role based authorization/access on top of Easy Auth?
You can do it by writing your own code. Use the .NET libraries to get the identity information, including scopes and claims, and apply your authorization rules.
What if your function uses another platform, such as Python or Node.js?
You can still do it. Azure Functions injects identity information into the HTTP request headers before the request is handled by your function, so you can find what you need by looking at the request headers. The header X-MS-CLIENT-PRINCIPAL contains the identity information.
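As an added example that is not part of the original article or its linked repository, the following Python shows how to decode the X-MS-CLIENT-PRINCIPAL header and apply a role check on top of it; it covers both the role-based authorization question above and the non-.NET case. The payload shape it expects (auth_typ, name_typ, role_typ and a claims array of typ/val pairs) is the one App Service documents for this header; the sample header value is constructed inline from made-up data, and the function and role names are assumptions. The header is only trustworthy when the request has actually passed through App Service with authentication enabled; when the header is absent (an anonymous caller under Allow unauthenticated access, or a function run locally), the code treats the request as unauthenticated rather than trusting anything else in the request.

```python
import base64
import binascii
import json
from typing import Dict, List, Optional, Tuple

# Role claim type App Service reports for AAD identities (fallback only;
# the decoded payload's own "role_typ" field is preferred when present).
DEFAULT_ROLE_TYP = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME_TYP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
LOGIN_PATH = "/.auth/login/aad"  # provider login endpoint described in the article


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_client_principal(headers: Dict[str, str]) -> Optional[dict]:
    """Decode X-MS-CLIENT-PRINCIPAL into {'auth_typ', 'name', 'roles', 'claims'}.

    Returns None for an anonymous request (header absent) or a malformed header,
    so callers treat both cases as "not authenticated".
    """
    raw = _get_header(headers, "X-MS-CLIENT-PRINCIPAL")
    if not raw:
        return None
    try:
        payload = json.loads(base64.b64decode(raw, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Group claim values by claim type: one type may appear several times (roles).
    claims: Dict[str, List[str]] = {}
    for claim in payload.get("claims", []):
        claims.setdefault(claim.get("typ", ""), []).append(claim.get("val", ""))
    name_typ = payload.get("name_typ", NAME_TYP)
    role_typ = payload.get("role_typ", DEFAULT_ROLE_TYP)
    return {
        "auth_typ": payload.get("auth_typ"),
        "name": (claims.get(name_typ) or [None])[0],
        "roles": claims.get(role_typ, []),
        "claims": claims,
    }


def authorize(headers: Dict[str, str], required_role: str) -> Tuple[int, Dict[str, str], str]:
    """Return (status, response_headers, body) for a function that needs `required_role`.

    Mirrors the behaviour the article describes for App Service itself: browser
    clients are redirected to the login endpoint, other anonymous clients get 401,
    and authenticated users who lack the role get 403.
    """
    principal = parse_client_principal(headers)
    if principal is None:
        accept = _get_header(headers, "Accept") or ""
        if "text/html" in accept:
            return 302, {"Location": LOGIN_PATH}, ""
        return 401, {}, "authentication required"
    if required_role not in principal["roles"]:
        return 403, {}, f"role '{required_role}' required"
    return 200, {}, f"hello {principal['name']}"


def build_principal_header(name: str, roles: List[str]) -> str:
    """Build a header value in the documented shape from constructed data.

    For local testing only: in production the platform writes this header and
    your own code never does.
    """
    payload = {
        "auth_typ": "aad",
        "name_typ": NAME_TYP,
        "role_typ": DEFAULT_ROLE_TYP,
        "claims": [{"typ": NAME_TYP, "val": name}]
        + [{"typ": DEFAULT_ROLE_TYP, "val": r} for r in roles],
    }
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: an AAD user carrying two app roles.
    hdr = build_principal_header("alice@contoso.example", ["Reader", "Admin"])
    print(authorize({"X-MS-CLIENT-PRINCIPAL": hdr}, "Admin"))
    print(authorize({"X-MS-CLIENT-PRINCIPAL": hdr}, "Auditor"))
    print(authorize({"Accept": "text/html"}, "Admin"))
    print(authorize({}, "Admin"))
```

In a real Azure Functions Python handler you would pass `req.headers` to `authorize` and turn the returned tuple into an `HttpResponse`. The point of decoding the payload's own `name_typ` and `role_typ` fields, rather than hard-coding claim URIs, is that the claim type used for roles depends on the identity provider and token configuration.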
That's it for this article. Hope you find this helpful. Please comment for any query or feedback.
Happy Learning. Cheers!