ZakariaMuhammad-8648 asked SamJohnson-3805 answered

Azure Function App Secured by AAD App registration. 401 - you do not have permission to view this directory or page

I created a simple function with default code to say Hello <name>. I am able to run the code if the Authentication Settings under (Function -> Authentication) is set to "Allow unauthenticated Access".

As soon as I change those to "Require authentication" and add an identity provider by following the documentation (https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad), the simple code starts throwing an error. I am using Postman and am able to generate the token, but when I pass that token to access the function, it says 401. Did I miss any configuration? I have gone through a lot of community articles but none of them is clear. I still think that I am missing some authorization permission for the App Registration account which is not mentioned in the above article because, being a Global admin, I am able to access the function directly using a browser and my credentials.



Token generator



Pass Token to call the function.


Error "You do not have permission to view this directory or page."


azure-functions azure-ad-app-registration

Hello @ZakariaMuhammad-8648
1. Go to your App Service in the portal --> Select Access Control --> Add role assignment --> Select “Contributor” as Role --> Enter your application name on “Select” textbox --> Save
2. While creating your access token (either from code/Postman/Fiddler), check client_id (Application id of your registered app), client_key (Secret Key of your registered App), resource (https://management.core.windows.net/)

For the app registration:

  1. Register your application with AD. Go to Settings --> Required Permissions --> Add --> Select an API --> Select Windows Azure Service Management API --> Provide required permissions --> Done --> Click Grant Permissions

Please let me know if this helps.




@JayaC-MSFT

This didn't work. MS came back and said that I cannot use the new Authentication method with Postman. For this I have to use Authentication (Classic).



ZakariaMuhammad-8648 answered

Followed this documentation "https://cuteprogramming.wordpress.com/2019/01/02/authenticate-an-azure-function-with-azure-active-directory/" and successfully configured the function with AAD authentication.

The only thing is that, for me, the Authentication (Classic) was greyed out and I have to recreate the new Azure Function.

SamJohnson-3805 answered

Suggestion: Make it clear that one cannot simply switch back to 'Classic' once trying the new experience.

Figured an improved version would be easier to use. I've tried it twice so far, no success, and I'm uncertain why this left preview. Would love to see some good documentation for it.

Thanks!
