How to restrict access to an azure function based on a service principal id

Question:

I have a REST API implemented as an Azure function with Azure Active Directory authentication enabled. I would like to restrict the access to a subset of the exposed methods to a particular set of service principals.

So far the solution I have come up with is to retrieve the access_token used by the request and check the application Id against a list manually. This will be done in the body of the method.

I am looking for a solution that could handle this in the Azure authorization layer before even calling the function. Is it possible?

Asked By: Cheick


Answers:

There’s nothing ready to use for that. One thing you can do is use custom handlers and implement the logic outside your function logic:

https://learn.microsoft.com/en-us/azure/azure-functions/functions-custom-handlers

Answered By: Thiago Custodio

As mentioned in another reply, there is no such thing currently. If you want to restrict the access of the function app for a set of service principals, my workaround is to declare an app role for the AD App related to your function app, as the sample below.

{
  "appId": "8763f1c4-f988-489c-a51e-158e9ef97d6a",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "ConsumerApps",
      "id": "47fbb575-859a-4941-89c9-0f7a6c30beac",
      "isEnabled": true,
      "description": "Consumer apps have access to the consumer data.",
      "value": "Consumer"
    }
  ],
  "availableToOtherTenants": false
}

After that, navigate to the AD App of your function in the Azure Active Directory in the portal -> click the Managed application in local directory -> Properties -> set the User assignment required to Yes.

Then any service principal used to get the token for the function app needs the application permission you declared, otherwise it will not be able to get the token. I wrote the details here, you could refer to it.

Answered By: Joy Wang
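As an added example that is not part of either answer: a defence-in-depth check inside the function body that reads the principal App Service Authentication injects into the X-MS-CLIENT-PRINCIPAL header and confirms the caller holds the "Consumer" app role declared in the manifest above, optionally also checking the caller's application ID against an allow-list. The claim type names "roles" and "appid", the GUIDs and the header-building helper are assumptions used to construct sample input; the real header is produced by the platform, not by your code.

```python
import base64
import json

# Role value from the manifest's appRoles entry, plus an optional allow-list of
# caller application IDs (constructed placeholder GUIDs, not real apps).
REQUIRED_ROLE = "Consumer"
ALLOWED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}


def build_principal_header(claims):
    """Constructed sample of what Easy Auth puts in X-MS-CLIENT-PRINCIPAL:
    base64 JSON carrying a list of {typ, val} claims. Claim type names
    "roles"/"appid" are assumed here; only used to build test input."""
    doc = {"auth_typ": "aad", "name_typ": "name", "role_typ": "roles",
           "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")


def claims_from_header(raw):
    """Decode the header into {claim type: [values]}; raises on malformed input."""
    doc = json.loads(base64.b64decode(raw, validate=True))
    claims = {}
    for c in doc["claims"]:
        claims.setdefault(c["typ"], []).append(c["val"])
    return claims


def is_authorized(headers, required_role=REQUIRED_ROLE, allowed_app_ids=None):
    """True only if the authenticated principal carries the required app role
    and, when an allow-list is given, its appid claim is on that list."""
    raw = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not raw:
        return False  # anonymous request or platform auth not enforced
    try:
        claims = claims_from_header(raw)
    except (ValueError, KeyError, TypeError):
        return False  # malformed header: fail closed
    if required_role not in claims.get("roles", []):
        return False
    if allowed_app_ids is not None:
        if not set(claims.get("appid", [])) & set(allowed_app_ids):
            return False
    return True
```

Because the platform only sets this header after it has validated the bearer token, the function never parses the JWT itself; it just enforces the role (and optionally the caller identity) on top of the "User assignment required" gate described above.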