Access Azure Function App via OAuth 2.0 authentication
This guide explains how to protect an Azure Function App with Microsoft Entra ID and call it using a bearer token.
The recommended modern approach is to use App Service / Function Authentication with Microsoft Entra ID instead of relying only on function keys.
Goal
Protect HTTP-triggered Azure Functions so that only callers with a valid Microsoft Entra access token can execute them.
Recommended approach
Use:
- Authentication enabled on the Function App
- Microsoft as identity provider
- a dedicated app registration
- Require authentication
- a valid Application ID URI / audience
- bearer token in the Authorization header
Avoid older patterns that rely on exchanging a token via /.auth/login/aad unless you have a specific legacy reason.
Configure authentication on the Function App
In Azure Portal:
- Open the Function App
- Go to Settings > Authentication
- Add identity provider: Microsoft
- Create or link an app registration
- Set unauthenticated requests to Require authentication
App registration considerations
For the protected API app registration:
- set a proper Application ID URI
- expose at least one API scope if user-delegated access is required
- if daemon-to-function access is required, use application permissions / app roles as needed
Example audience:
api://<function-app-client-id>
Example: get bearer token with client credentials
# Caller (client) app registration and tenant; replace the placeholders.
$TenantId     = "<tenant-id>"
$ClientId     = "<caller-app-client-id>"
$ClientSecret = "<caller-app-client-secret>"
# /.default requests all application permissions already granted to the caller on the protected API.
$Scope        = "api://<function-app-client-id>/.default"

$TokenBody = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = $Scope
    grant_type    = "client_credentials"
}

# Request an access token from the tenant's v2.0 token endpoint.
$Token = Invoke-RestMethod `
    -Method POST `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body $TokenBody `
    -ContentType "application/x-www-form-urlencoded"

# $Token.access_token is the bearer token to send in the Authorization header.
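The following is an added example, not part of the original guide, showing what a caller does with the token obtained above: decode the JWT payload to confirm the `aud` claim matches the protected API's audience and see which app roles were issued, then call the function with the token in the Authorization header. The `$FunctionUrl` value and the `<function-app-client-id>` audience are placeholders; `$Token` is assumed to be the result of the client-credentials request above. Decoding the payload here is for troubleshooting only; the signature and claims are validated by the Function App's authentication layer, not by the caller.

```powershell
# Added example: inspect token claims, then call the Entra-protected function.
# Assumptions: $Token comes from the client-credentials request above;
# the audience and function URL below are placeholders.
$ExpectedAudience = "api://<function-app-client-id>"
$FunctionUrl      = "https://<function-app-name>.azurewebsites.net/api/<function-name>"

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # A JWT is header.payload.signature; the payload is base64url-encoded without padding.
    $Payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($Payload.Length % 4) {
        2 { $Payload += '==' }
        3 { $Payload += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) |
        ConvertFrom-Json
}

$Claims = ConvertFrom-JwtPayload -Jwt $Token.access_token

# Depending on the API app registration's accepted token version, aud is either the
# Application ID URI or the bare client ID; accept both forms of the same identity.
$AcceptedAudiences = @($ExpectedAudience, ($ExpectedAudience -replace '^api://', ''))
if ($Claims.aud -notin $AcceptedAudiences) {
    throw "Token audience '$($Claims.aud)' does not match '$ExpectedAudience'; check the requested scope."
}
Write-Host "Issuer: $($Claims.iss)"
Write-Host "App roles: $($Claims.roles -join ', ')"

try {
    Invoke-RestMethod -Method GET -Uri $FunctionUrl -Headers @{
        Authorization = "Bearer $($Token.access_token)"
    }
}
catch {
    # 401: the authentication layer rejected or did not receive a token.
    # 403: the token was valid but the caller is not permitted.
    $Status = $_.Exception.Response.StatusCode.value__
    Write-Error "Function call failed with HTTP $Status"
}
```

If the `aud` check fails, the usual cause is a scope that does not point at the protected API's Application ID URI, so the token was minted for a different resource and the Function App will reject it with 401.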
Best practices
- require authentication globally
- use Entra ID instead of public function keys for privileged APIs
- restrict accepted audiences
- separate caller app registration from protected API app registration
- prefer Managed Identity for Azure-to-Azure calling patterns
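As an added example, not from the original guide, the following shows the Managed Identity pattern recommended above for a caller that itself runs in Azure (App Service, Functions, or another host that exposes the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables). It acquires a token for the protected API without any stored client secret. It assumes the caller's managed identity has been granted an app role on the protected API's app registration; the audience and function URL are placeholders.

```powershell
# Added example: obtain a bearer token for the protected function via Managed Identity.
# Assumptions: runs on an Azure host with Managed Identity enabled; the identity has
# been assigned an app role on the protected API; the URIs below are placeholders.
function Get-ManagedIdentityToken {
    param(
        [Parameter(Mandatory)][string]$Resource,
        # Client ID of a user-assigned identity; omit to use the system-assigned identity.
        [string]$UserAssignedClientId
    )
    # App Service and Functions expose the identity endpoint through these variables.
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw "IDENTITY_ENDPOINT/IDENTITY_HEADER not set; Managed Identity is not enabled on this host."
    }
    $Uri = "$($env:IDENTITY_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2019-08-01"
    if ($UserAssignedClientId) { $Uri += "&client_id=$UserAssignedClientId" }

    # The X-IDENTITY-HEADER value proves the request originates from this host.
    $Response = Invoke-RestMethod -Method GET -Uri $Uri -Headers @{
        'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER
    }
    return $Response.access_token
}

# The resource is the protected API's audience, not a scope, on the identity endpoint.
$AccessToken = Get-ManagedIdentityToken -Resource "api://<function-app-client-id>"

Invoke-RestMethod -Method GET `
    -Uri "https://<function-app-name>.azurewebsites.net/api/<function-name>" `
    -Headers @{ Authorization = "Bearer $AccessToken" }
```

Because no secret is involved, there is nothing to rotate or leak from application settings; access is governed entirely by which app roles the identity holds on the protected API.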
Summary
For secure Azure Function access in enterprise environments, protect the Function App with Microsoft Entra authentication and require valid bearer tokens.