Configure identity and authentication in Azure Functions App with Azure AD

Long gone are the days when a team of developers had to spend months setting up and debugging the authentication for their apps and services. In the age of the cloud, almost everything is ‘plug-and-play.’
Azure comes with an in-built identity and authentication provider, Azure Active Directory (Azure AD), so verifying and signing in users is a minimal-to-no-code task (aka “EasyAuth”).
This article presents a guide to setting up and configuring authentication for an Azure Functions app so that it signs in users with Azure AD as the identity and authentication provider.
Prerequisites
- An active Microsoft Azure subscription
- Azure Functions App
Setting up Azure AD authentication is a two-step process. First, we enable and configure an identity provider (Azure AD) in the app; then we configure the app’s permissions in Azure AD so it can sign in users.
Enable App Service Authentication
There are two ways to enable authentication in a Function App: Express and Advanced. The Express option is designed to be simple and requires just a few clicks. We have the option to either create a new AD app or select an existing AD app.
Sign in to the Azure Portal, find and select your app. From the left navigation, select Authentication / Authorization and set the App Service Authentication to On.
Set Action to take when request is not authenticated to Log in with Azure Active Directory to restrict app access to users authenticated by Azure AD only. Under Authentication Providers, select Azure Active Directory to begin configuration.

On the Azure Active Directory Settings page, select Express and Create New AD App. The name of your Functions app will be pre-populated in the Create App field. You can change this name to your liking now or later from the AD.
New Azure AD app creation is allowed only once per app.
Azure AD app can have a different name than the app.

Click OK to confirm and return to the earlier page and Save.

At this point, the authentication for our app is active, and any unauthenticated request can’t reach it. If you try to access the app URL, you’ll receive a no-permissions error.

Notice that /.auth/login/aad, the sign-in endpoint for Azure AD, is appended to the URL.
Further reading on authentication mechanism and identity providers
Configure App Permission to Sign-in users
The next step is to grant the app permission to sign in (authenticate) an unauthenticated user. Find and select Azure Active Directory from the Portal. Click App registrations and select your app from the list of applications (if you’re the app owner, you’ll find the app under Owned applications).

On the new page, select API permissions. Remove any pre-configured Azure Active Directory Graph permissions, which will be deprecated soon. Click on + Add a permission to add new permissions.

On the Request API permissions blade, under Microsoft APIs, select Microsoft Graph. On the new page, select Delegated permissions as the permission type. Scroll to the User permissions group, and under User, select User.Read and click Add permissions. Notice the description of User.Read; that’s all we need to sign in users.
Microsoft Graph is the successor of the Azure AD Graph.


Further reading on permission types
Authentication in Action
Open the app URL in a private/incognito window; you will be presented with a sign-in prompt (you’re not logged in, so Azure AD can’t authenticate you, and the app has permission to sign in users).
Open a new tab in the browser and open Developer Tools (F12) to monitor the Network. Paste the app URL and notice how the request redirects to the Azure AD sign-in endpoint and back to the app URL after successful authentication.
Azure AD authentication is not supported for local development and debugging.
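The redirect described above can be checked without a browser. The following script is an added example and is not part of the original article or of any Microsoft tooling: it sends a single unauthenticated GET to the app URL, refuses to follow redirects, and reports whether the response is the EasyAuth redirect to /.auth/login/aad. The hostname contoso-func.azurewebsites.net in the usage comment is a constructed placeholder, and the assumption that EasyAuth answers non-browser clients with a 401/403 challenge rather than a redirect is noted in the code.

```python
"""Check that App Service Authentication (EasyAuth) is enforced on a Function App.

Added example (not from the original article). One unauthenticated GET is sent
to the app URL with redirects disabled; the first response is then classified.
"""
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlparse

EASYAUTH_LOGIN_PATH = "/.auth/login/aad"  # the Azure AD sign-in endpoint the article shows


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first 3xx so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_response(status: int, location: Optional[str]) -> str:
    """Classify the first response to an unauthenticated request.

    "enforced"   - redirected to the EasyAuth Azure AD login endpoint, or a
                   401/403 challenge (assumption: EasyAuth challenges clients
                   that do not look like browsers instead of redirecting them)
    "open"       - a 2xx came back without any authentication
    "unexpected" - anything else (redirect elsewhere, 5xx, ...); look at it manually
    """
    if 200 <= status < 300:
        return "open"
    if status in (401, 403):
        return "enforced"
    if status in (301, 302, 303, 307, 308) and location:
        path = urlparse(location).path.rstrip("/")
        if path.endswith(EASYAUTH_LOGIN_PATH):
            return "enforced"
    return "unexpected"


def check_easyauth(app_url: str, timeout: float = 10.0) -> Tuple[str, int, Optional[str]]:
    """Return (verdict, status, location) for one unauthenticated GET of app_url."""
    opener = urllib.request.build_opener(_NoRedirect)
    # A browser-like Accept header asks EasyAuth for the redirect flow rather than a bare 401.
    req = urllib.request.Request(
        app_url, headers={"Accept": "text/html", "User-Agent": "easyauth-check/1.0"}
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # raised for 3xx (redirect refused) and 4xx/5xx
        status, location = err.code, err.headers.get("Location")
    return classify_response(status, location), status, location


if __name__ == "__main__":
    # Usage: python easyauth_check.py https://contoso-func.azurewebsites.net/  (placeholder host)
    verdict, status, location = check_easyauth(sys.argv[1])
    print(f"{verdict}: HTTP {status}, Location={location}")
```

A verdict of "open" means the app answered an anonymous request directly, so either App Service Authentication is still Off or the unauthenticated action was left at the anonymous setting; "unexpected" with a Location pointing somewhere other than /.auth/login/aad is worth a closer look.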

Pro Tip
If you’re presented with a Need admin approval prompt (AADSTS90094), reach out to your Azure admin to grant the app permission we assigned in the previous step.


Further reading on Admin consent and approvals
Bitten by the curiosity bug?
Want to understand how the app automatically redirects to the Azure AD sign-in endpoint? What is the scope of users who can sign in? Head over to the Authentication page of your app in Azure AD. The settings shown are defaults that were set when the Azure AD app was created.
The Redirect URI is the URI to which Azure AD sends back the token after authenticating the user.
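Because the Redirect URI decides where Azure AD delivers the token, it is the setting on that page most worth auditing. The script below is an added example, not part of the original article: it takes the redirect URIs of an app registration (assumed to have been copied from the Authentication page into a list) and flags entries that are not the EasyAuth callback. The expected callback format, https://<app-host>/.auth/login/aad/callback, is the one EasyAuth registers; the host contoso-func.azurewebsites.net and the sample URI list are constructed for the demonstration.

```python
"""Audit the Redirect URIs of an Azure AD app registration used by EasyAuth.

Added example (not from the original article). Input is a plain list of the
redirect URIs registered for the app; output is a list of (uri, finding) pairs.
"""
from typing import List, Tuple
from urllib.parse import urlparse

# EasyAuth completes the sign-in on this path of the app itself.
EASYAUTH_CALLBACK_PATH = "/.auth/login/aad/callback"


def expected_redirect_uri(app_hostname: str) -> str:
    """The single Redirect URI EasyAuth needs for the given Function App host."""
    return f"https://{app_hostname}{EASYAUTH_CALLBACK_PATH}"


def audit_redirect_uris(registered: List[str], app_hostname: str) -> List[Tuple[str, str]]:
    """Flag redirect URIs that could deliver tokens somewhere other than the EasyAuth callback."""
    expected = expected_redirect_uri(app_hostname)
    findings: List[Tuple[str, str]] = []
    seen_expected = False
    for uri in registered:
        if uri == expected:
            seen_expected = True
            continue
        parsed = urlparse(uri)
        # Azure AD permits plain http only for localhost; anything else sends tokens in clear text.
        if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
            findings.append((uri, "non-HTTPS redirect URI: the token would travel in clear text"))
        elif "*" in uri:
            findings.append((uri, "wildcard redirect URI: Azure AD could return tokens to unintended hosts"))
        elif parsed.hostname != app_hostname:
            findings.append((uri, "redirect URI points at a host other than the app"))
        elif parsed.path != EASYAUTH_CALLBACK_PATH:
            findings.append((uri, "unexpected path: EasyAuth only handles the /.auth/login/aad/callback endpoint"))
    if not seen_expected:
        findings.append((expected, "expected EasyAuth callback URI is missing"))
    return findings


# Constructed sample: one correct entry, one plain-http copy, one foreign host.
SAMPLE_APP_HOST = "contoso-func.azurewebsites.net"
SAMPLE_REDIRECT_URIS = [
    "https://contoso-func.azurewebsites.net/.auth/login/aad/callback",
    "http://contoso-func.azurewebsites.net/.auth/login/aad/callback",
    "https://staging-tools.example.com/callback",
]

if __name__ == "__main__":
    for uri, finding in audit_redirect_uris(SAMPLE_REDIRECT_URIS, SAMPLE_APP_HOST):
        print(f"{uri}: {finding}")
```

For an app that was created through the Express option exactly as the article describes, the audit should return an empty list; every finding is a reply URL that someone added after the fact and that the Function App itself does not use.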

That’s it. We have set up the identity and authentication provider for our app in minutes without writing a single piece of code.
Conclusion
We learned how to enable App Service Authentication for the Functions app and configure an identity provider. We hunted down our app in Azure AD and assigned it permission to sign in an unauthenticated user. We also took a peek at what happens behind the scenes when a new Azure AD app is created. We can conclude that “EasyAuth” is as easy to set up as it can be.
Next Steps
Authenticating users is just one piece of the puzzle; at times, we need to access the user identity and claims in the app to perform relevant actions. We need to write a few lines of code for it *wink *wink. Scoot over to the following article to get started.
