While authorization keys make it easy to work with Azure Functions, they are not recommended as the way to secure an Azure Function in production.
There are three recommended ways to secure an Azure Function in production:
- Turn on App Service Authentication/Authorization
- Use Azure API Management (APIM) to authenticate requests.
- Deploy your function app to an Azure App Service Environment (ASE)
In this article we will look at how to secure an Azure Function by turning on App Service Authentication/Authorization.
Let’s first create an Azure Function.
Navigate to the Azure Portal and click Create a resource.
In the Search Box type Function, and select Function App, then click Create.
You will need to provide an App name, Resource Group and Storage account, then click Create.
Navigate to the newly created function app, click Functions and click the “+” icon to add a new function.
Select In-portal and click Continue.
Select Webhook + API and click Create, just leave the name as HttpTrigger1.
Set the authLevel to anonymous and click Save.
Navigate back to the Azure Function App and click on the HttpTrigger1 function and then click Get function URL to get the URL to test your function app.
Open up Postman and create a GET request pointing to the function URL, being sure to include a value for the name parameter.
For our example, I used https://mjr-006-funcapp.azurewebsites.net/api/HttpTrigger1?name=Malcolm Reynolds.
Execute the GET and you should receive a 200 status code and the message Hello, Malcolm Reynolds.
Now let’s secure your Azure Function App with Azure Active Directory.
Navigate back to the Azure Function App and click on Platform Features, and then click on Authentication/Authorization.
Switch on App Service Authentication.
Set Action to take when request is not authenticated to Log in with Azure Active Directory.
Click Azure Active Directory in the list of Authentication Providers.
In the next blade displayed, click Express.
Click Create New AD App, though it should default to this.
I would recommend the App Name be the same as the Azure Function App; it makes it easier to manage.
Click OK.
Click Save.
Try calling the function endpoint again; you should receive a 401 status code.
Open up your favorite browser, and paste in the URL that we have been using in Postman.
You should now be prompted to provide Login and Password credentials.
Upon successful authentication you should see Hello, Malcolm Reynolds displayed in your browser.
You have successfully secured your Azure Function App with Azure Active Directory!
Referenced articles
- https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook#authorization-keys
- https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook#secure-an-http-endpoint-in-production
Hello Matt,
I’m trying to call an Azure Function App from an Angular Client Application (using the adal library) which is registered in the same Azure AD. I’ve set up the Function App as suggested above. I’m trying to make a call to the Function App using the bearer token that was acquired from the Client App authentication on page load.
I keep getting 401 error: You do not have permission to view this directory.
How to make Azure Function App calls from Angular Applications using bearer tokens? Can you please advise?
I landed into the same issue and changing function authentication to Anonymous worked.
Nice article, it would be great if you can explain why we need “anonymous” auth at function level for this to work.