Access Azure Function App via OAuth 2.0 authentication

This isguide aexplains ~~guide~~how to protect an Azure Function ~~executions~~App ~~using~~with ~~OAuth~~Microsoft ~~2.0. So the execution of the code is not possible without Client~~Entra ID and ~~ClientSecret.~~call ~~This~~it ~~allows~~using a ~~much~~bearer ~~more~~token.

~~secure~~

The ~~authentication~~recommended ~~than~~modern ~~just~~approach ~~using~~is to use App Service / Function Authentication with Microsoft Entra ID instead of relying only on function ~~codes~~keys.

Goal

Protect HTTP-triggered Azure Functions so that only callers with a valid Microsoft Entra access token can execute them.

Recommended approach

Use:

Authentication enabled on the Function App Microsoft as identity provider a dedicated app registration Require authentication a valid Application ID URI / audience bearer token in the ~~URL~~Authorization inheader ~~the~~ ~~query.~~

Avoid older patterns that rely on exchanging a token via /.auth/login/aad unless you have a specific legacy reason.

Disable authentication

~~To use the function with OAuth 2.0, the~~

Configure authentication on the functionFunction itselfApp

~~must~~

In ~~first~~Azure bePortal:

~~set~~

Open the Function App Go to ~~Anonymous.~~Settings > Authentication

Identity provider

~~Then a new~~

Add identity ~~provider~~provider: ~~must~~Microsoft ~~be added to the Azure Function App. This can be done by going into the blade "Authentication":~~

~~There you have to select "Microsoft" as the identity provider. There you can decide if you want to use an existing App Registration~~

Create or ~~want~~link ~~to create one.~~

~~Afterwards, the~~an app registration

~~has~~Set unauthenticated requests to beRequire ~~adjusted~~authentication so ~~that~~

App registration considerations

For the ~~token~~protected ~~handling~~API ~~works~~app ~~properly. To adjust the URL, the identity provider must be adjusted using "Edit".~~registration:

~~The~~

set ~~issuer~~a ~~URL~~proper ~~must~~Application beID ~~adjusted.~~URI ~~The "/v.2.0"~~expose at ~~the~~least ~~end~~one ~~must~~API bescope ~~removed~~if user-delegated

access

Authenticationis viarequired

~~PowerShell~~if

~~Then~~daemon-to-function ~~PowerShell~~access ~~can~~is berequired, ~~used~~use toapplication ~~authenticate~~permissions ~~against the~~/ app ~~registration.~~roles ~~The~~as ~~App~~needed

~~Registration~~ ~~then~~

Example ~~has~~audience:

~~permissions~~

api://<function-app-client-id>
to

~~execute~~

Example: allget Azurebearer Functionstoken inwith theclient Azure Function App.credentials

$TenantId     = "<yourtenantidtenant-id>"
$ClientIDClientId     = "<yourclientidcaller-app-client-id>"
$ClientSecret = "<yourclientsecretcaller-app-client-secret>"
$FunctionAppId = "<yourfunctionappid>" 
$FunctionApiAuthUrl = "$functionuri/.auth/login/aad" 
$functionapi = "/api/HttpTrigger2"

# Authenticate against MEID to get access token with App Registration Client Secret
$Body = @{ 
    "tenant" = "$TenantId" 
    "client_id" = "$ClientID" 
    "scope"Scope        = "api://$functionappid/<function-app-client-id>/.default"

"grant_type"$TokenBody = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = $Scope
    grant_type    = "client_credentials"
"client_secret"}

$Token = $ClientSecretInvoke-RestMethod }`
    $Params-Method =POST @{`
    "Uri" =-Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" "Method"`
    = "Post"
    "Body" =-Body $BodyTokenBody "ContentType"`
    =-ContentType "application/x-www-form-urlencoded"
}
    
$AuthResponse = Invoke-RestMethod @Params

Function

Best executionpractices

~~via~~

~~PowerShell~~require

~~The~~authentication ~~second~~globally

~~part~~use Entra ID instead of ~~the authentication is to ask the~~public function ~~api~~keys for aprivileged ~~token~~APIs ~~and~~restrict ~~then~~accepted ~~execute~~audiences itseparate ~~using~~caller ~~the~~app ~~token~~registration ~~received:~~from

#protected AuthenticateAPI againstapp functionregistration

~~with~~prefer ~~the~~Managed ~~MEID~~Identity ~~access~~for ~~token~~Azure-to-Azure ~~$FunctionAuthBody~~calling =patterns @{ ~~"access_token"~~

Summary

For $AuthResponse.access_token } $functionToken = Invoke-RestMethod -Method POST -Uri $FunctionApiAuthUrl -Body (ConvertTo-Json $FunctionAuthBody) -ContentType "application/json" $Header = @{ "X-ZUMO-AUTH" = $functionToken.authenticationToken } # Runsecure Azure Function access in enterprise environments, protect the Function App with ~~OAuth2.0~~Microsoft ~~Token~~Entra ~~Authentication~~authentication ~~Invoke-RestMethod~~and ~~-Method~~require ~~POST~~valid ~~-Uri~~bearer ~~$functionuri$functionapi~~tokens.

~~-Headers $Header~~