Calling an Azure Function with Azure AD Authentication from a Logic App

Published by Marco Obinu on

In the context of serverless automation, Azure Functions are a great enabling tool also for SysOps like me, at least since PowerShell support reached a reasonable maturity, even while still in preview.

Since you're probably using Azure Functions for administrative tasks, it's essential to raise the bar from the security point of view, especially if you're using HTTP triggers: you don't want someone to be able to invoke your function and stop or delete some of your resources.

You can protect your HTTP trigger by using a function or admin key but, as per the official documentation, this approach is more suitable for a dev/test environment and can't guarantee an adequate level of security in production.

A higher level of security can be reached by enabling Azure AD Authentication at the Function App level.

Open your Function App, browse the platform features, and choose Authentication / Authorization:

Go to Authentication / Authorization settings

In the new blade, enable App Service Authentication:

Enable Authentication

Once activated, a new blade appears, and you can choose to integrate your app with Azure AD as the authentication provider:

Configure Azure AD as an Identity Provider

You can now choose to perform an Express Setup which, in many contexts, is more than enough. This step registers your Function App in Azure AD:

Choose an express setup

You can optionally configure more than one identity provider. Then, you have to define the behavior of your Function App when it receives an unauthenticated request: by default it allows anonymous access, so you must change it to Log in with Azure Active Directory:

Configure default behavior for unauthenticated requests

Now save your settings. With this configuration in place, every invocation of a function hosted in this Function App requires a round trip to Azure AD to authenticate.

You now have to disable the key requirement on the HTTP trigger, since the Logic App can only invoke a function that is configured to allow anonymous access. You can achieve this by setting the authLevel key to anonymous in the function's bindings:

```json
  "bindings": [
    {
      "authLevel": "anonymous",
      "type": "httpTrigger",
      "direction": "in",
      "name": "Request",
      "methods": [
        "get",
        "post"
      ]
    },
....
```

Anyway, this is not a real security problem, since you've just enabled AAD authentication: if you attempt to connect to the function, you're redirected to the Microsoft login portal:

Redirection to login form

You can now switch to the Logic App. First of all, you need to assign it a System Assigned Managed Identity, so that you have an identity to which RBAC roles can be assigned:

Go to the Identity section of the Logic App

Enable Managed Identity for Logic App

Then, go back to the Function App and, in the IAM section, assign a role to the Managed Identity of the Logic App. You can, for example, add the Contributor role to it:

Authorize Logic App managed identity onto Function App

Assign contributor role to the Logic App

Well done. Now it's time to come back to the Logic App and configure the action that executes the Azure Function.

Edit the Logic App and add an Azure Function connector:

Add a new Azure Function action to the Logic App

Choose your Function:

Choose the Function App

Select the desired function

Fill in the body field as required by your function; then add the additional field Authentication and choose Managed Identity:

Add Authentication configuration

Choose Managed Identity authentication

Last but not least, you have to insert the App ID of the Function App in the Audience field.

You can retrieve the App ID of your Function App in the App Registrations section of Azure AD. Look for your Function App registration and copy the Application ID URI value; in my case, it's equal to the function URL.

Retrieve APP ID of the Function App

Now, paste the APP ID in the Audience field:

Specify the App ID of the Function App in the audience field

Ok, now you’re ready to go: your Logic App should be able to invoke the Azure Function without any issue!
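With authLevel set to anonymous, the function relies entirely on App Service Authentication to gate requests. As a defense-in-depth check, the function itself can also verify who the caller is: App Service Authentication forwards the authenticated principal to the function in the X-MS-CLIENT-PRINCIPAL header, a base64-encoded JSON document of claims. The following Python helper is an added example and not code from the original post: it decodes that header and accepts the request only when the caller's tenant id and object id match the Logic App's system-assigned managed identity (its Object (principal) ID is shown on the Logic App's Identity blade). The GUID values, the header constant and the build_sample_principal_header fixture are constructed for this example; in a Python Azure Function you would pass req.headers to caller_is_allowed.

```python
import base64
import json

# Header that App Service Authentication (Easy Auth) adds to requests it forwards to
# the function after a successful sign-in. Assumption for this example: the value is a
# base64-encoded JSON document with "auth_typ" and a "claims" list of {"typ", "val"}.
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"

# Azure AD issues the object id and tenant id under these claim types; the short
# forms are accepted too so the check still works if a token uses them.
OID_CLAIM_TYPES = ("http://schemas.microsoft.com/identity/claims/objectidentifier", "oid")
TID_CLAIM_TYPES = ("http://schemas.microsoft.com/identity/claims/tenantid", "tid")

# Placeholders (constructed): the Logic App managed identity's object id and your
# tenant id. In a real function, read them from app settings instead of hard-coding.
LOGIC_APP_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
TENANT_ID = "22222222-2222-2222-2222-222222222222"


def _get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_client_principal(header_value):
    """Decode the principal header into {"auth_typ": ..., "claims": {typ: val}}."""
    document = json.loads(base64.b64decode(header_value).decode("utf-8"))
    claims = {claim["typ"]: claim["val"] for claim in document["claims"]}
    return {"auth_typ": document.get("auth_typ"), "claims": claims}


def _first_claim(claims, claim_types):
    for claim_type in claim_types:
        if claim_type in claims:
            return claims[claim_type]
    return None


def caller_is_allowed(headers, allowed_oids, expected_tenant):
    """Return (allowed, reason). Only a caller whose tenant matches and whose object id
    is in allowed_oids passes; a missing or malformed header is rejected."""
    header_value = _get_header(headers, PRINCIPAL_HEADER)
    if not header_value:
        return False, "no principal header: request did not pass App Service Authentication"
    try:
        principal = parse_client_principal(header_value)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return False, f"malformed principal header: {exc.__class__.__name__}"
    if principal["auth_typ"] != "aad":
        return False, f"unexpected auth type {principal['auth_typ']!r}"
    claims = principal["claims"]
    tid = _first_claim(claims, TID_CLAIM_TYPES)
    if tid != expected_tenant:
        return False, f"tenant {tid!r} is not the expected tenant"
    oid = _first_claim(claims, OID_CLAIM_TYPES)
    if oid not in allowed_oids:
        return False, f"object id {oid!r} is not an allowed caller"
    return True, f"caller {oid} accepted"


def build_sample_principal_header(oid, tid):
    """Constructed test fixture: build a header value in the layout described above."""
    document = {
        "auth_typ": "aad",
        "claims": [
            {"typ": "aud", "val": "https://example-func.azurewebsites.net"},
            {"typ": OID_CLAIM_TYPES[0], "val": oid},
            {"typ": TID_CLAIM_TYPES[0], "val": tid},
        ],
    }
    return base64.b64encode(json.dumps(document).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    good = {PRINCIPAL_HEADER: build_sample_principal_header(LOGIC_APP_PRINCIPAL_ID, TENANT_ID)}
    print(caller_is_allowed(good, {LOGIC_APP_PRINCIPAL_ID}, TENANT_ID))
    other_identity = "33333333-3333-3333-3333-333333333333"
    other = {PRINCIPAL_HEADER: build_sample_principal_header(other_identity, TENANT_ID)}
    print(caller_is_allowed(other, {LOGIC_APP_PRINCIPAL_ID}, TENANT_ID))
```

The check is deliberately fail-closed: an absent header means the request never went through App Service Authentication (for example, someone hitting the function host directly in a misconfiguration), and any decoding error is treated as a rejection rather than a pass. Keep the allow-list to the managed identities that are actually supposed to call the function; assigning the Contributor role in IAM does not by itself prevent other signed-in identities from reaching the HTTP trigger.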


Marco Obinu

Curious by nature, talkative geek who can speak in front of a public or a camera, in love with technology, especially SQL Server. I want to understand how things work and to solve problems by myself during work as in my many hobbies.
