0 Votes
BrettThib-0287 asked BrettThib-0287 commented

Accessing Azure Function via AD from Daemon app - "You do not have permission to view this directory or page."

I have an Azure Function that is an HTTP trigger that takes a parameter, queries a Cosmos DB using this parameter, and returns a JSON object result. I have a Web API (does NOT reside in Azure) that needs to forward calls to this Azure function without any user login/intervention. I have followed the following guide:

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

I let the Azure Portal create my app registration for my function app automatically. The only change I made to this app registration was setting the Application ID URI to be the URL of my function app as follows: https://{functionapp}.azurewebsites.net

For the function app authentication settings, Authentication is set to 'Require authentication' and 'Return HTTP 302 Found (Redirect to identity provider)'.

The actual Azure Function is configured for Anonymous Authorization level.


I then followed the steps at "Daemon client application (service-to-service calls)" to create another app registration for my Web API.

I am obtaining the token as follows, where clientId and secret are the values from the Web API app registration, and the resource is the URL of my function app:

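    // Requires the RestSharp and Newtonsoft.Json (Newtonsoft.Json.Linq) packages.
    // Client-credentials request against the Azure AD v1 token endpoint.
    var client = new RestClient("https://login.microsoftonline.com/" + tenantId + "/oauth2/token");
    var request = new RestRequest(Method.POST);
    request.AddHeader("cache-control", "no-cache");
    request.AddHeader("content-type", "application/x-www-form-urlencoded");
    // URL-encode each value: a secret or resource containing '+', '&' or '=' would otherwise corrupt the form body.
    request.AddParameter("application/x-www-form-urlencoded",
        $"grant_type=client_credentials&client_id={Uri.EscapeDataString(clientId)}" +
        $"&client_secret={Uri.EscapeDataString(secret)}&resource={Uri.EscapeDataString(resource)}",
        ParameterType.RequestBody);
    IRestResponse response = client.Execute(request);
    var jObject = JObject.Parse(response.Content);
    string token = jObject.GetValue("access_token").ToString();
    return token;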

I am then calling my Azure Function with the token from above set as follows:

    // Call the function with the access token as a bearer credential.
    var client = new RestClient($"{baseUrl}api/videos/versionvideos?versionId={versionId}");
    client.Timeout = -1;
    var request = new RestRequest(Method.GET);
    request.AddHeader("Authorization", $"Bearer {token}");
    IRestResponse response = client.Execute(request);
    // response.StatusCode is not checked here, so an error body reaches the deserializer as-is.
    List<CosmosMedia> media = JsonConvert.DeserializeObject<List<CosmosMedia>>(response.Content);


I get the following response:
"You do not have permission to view this directory or page."

I've spent quite a bit of time troubleshooting this, but am at a loss as to why the token is not getting authenticated. Any assistance is greatly appreciated. Hoping I'm missing a simple step somewhere!

azure-functions azure-ad-authentication azure-ad-user-management

@BrettThib-0287 Welcome to QnA. Thank you for the question. We will review and update at the earliest.

1 Vote 1 ·
1 Vote
GreivinAtencioCastrillo-0024 answered BrettThib-0287 commented

Hello @BrettThib-0287, I was facing the exact same issue and after some tests and searching for alternatives I found out that you need to set the value for the "accessTokenAcceptedVersion" to 2 in the app registration manifest that represents the function:

 "accessTokenAcceptedVersion": 2

After I did this I don't even need a "client" app, the token generated with the backend ids was accepted without problem.

Hope this helps.



I forgot to mention that the value could be 1 or 2 depending on the token version that you're generating.

0 Votes 0 ·

OMG this was my issue! Thank you so much!

0 Votes 0 ·
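The answer above ties the failure to the token version the function's app registration accepts. As an added example (not part of the original thread), this C# helper decodes a token's payload without verifying the signature and compares its `ver`, `iss` and `aud` claims with the values the function app expects. The class and method names, the tenant GUID, the host name and the expected issuer and audience are constructed assumptions to replace with your own settings.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class TokenClaimsCheck   // hypothetical helper, not from the thread
{
    // Decode the payload (second segment) of a compact JWT.
    // Diagnostic only: the signature is NOT verified here.
    static JsonElement ReadPayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    // Returns one message per claim that does not match what the API expects.
    public static List<string> Mismatches(string jwt, string expectedIssuer, string[] allowedAudiences)
    {
        JsonElement p = ReadPayload(jwt);
        string ver = p.GetProperty("ver").GetString();   // "1.0" or "2.0"
        string iss = p.GetProperty("iss").GetString();
        string aud = p.GetProperty("aud").GetString();
        var problems = new List<string>();
        if (!string.Equals(iss, expectedIssuer, StringComparison.Ordinal))
            problems.Add($"ver {ver} token has iss '{iss}', expected '{expectedIssuer}'");
        if (Array.IndexOf(allowedAudiences, aud) < 0)
            problems.Add($"aud '{aud}' is not an allowed audience");
        return problems;
    }

    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample: an unsigned token shaped like a v1 access token.
        const string tenant = "00000000-0000-0000-0000-000000000000";
        const string appIdUri = "https://example-func.azurewebsites.net";
        string payload = $"{{\"ver\":\"1.0\",\"iss\":\"https://sts.windows.net/{tenant}/\",\"aud\":\"{appIdUri}\"}}";
        string jwt = B64Url("{\"alg\":\"none\"}") + "." + B64Url(payload) + ".sig";
        // Assumed API-side expectation: a v2.0 issuer, with the App ID URI as allowed audience.
        string expectedIssuer = $"https://login.microsoftonline.com/{tenant}/v2.0";
        foreach (string m in Mismatches(jwt, expectedIssuer, new[] { appIdUri }))
            Console.WriteLine(m);
    }
}
```

A `ver` of "1.0" goes with an `https://sts.windows.net/{tenant}/` issuer and "2.0" with `https://login.microsoftonline.com/{tenant}/v2.0`, so an issuer mismatch reported here points at the `accessTokenAcceptedVersion` setting discussed in the answer.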
2 Votes
JayaC-MSFT answered BrettThib-0287 commented

Hello @BrettThib-0287, There are a couple of things we need to confirm:

For your Function App, app registration, how did you change the application ID URI?

The Daemon client application doc, mentions passing the Application ID URI of the target app as the resource parameter. Did you pass the URI?

Based off the error message, it looks like the Web App might not have permissions to view the directory or page. Did you also follow the steps to create API permissions?

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#daemon-client-application-service-to-service-calls

97391-image.png




Apologies...been out on holiday and just coming back to this. Thank you for the responses thus far!

Re: For your Function App, app registration, how did you change the application ID URI?

I changed this via the 'Expose an API' option under my function app registration.

Re: The Daemon client application doc, mentions passing the Application ID URI of the target app as the resource parameter. Did you pass the URI?

Yes, I am passing this URI as the resource parameter.

Re: Did you also follow the steps to create API permissions?

I did not do the steps in your screenshot, as I understood that it should work with current configuration. I will give these steps a go and update this as soon as I have results.

Thanks again.

2 Votes 2 ·

Apologies again for the delay, @JayaC-MSFT. Been sidetracked with other project priorities, but am hoping to revisit this in the next day or two. I do need to get this working ASAP, so should have an update soon.

0 Votes 0 ·

@JayaC-MSFT I've just given this a go, following the additional steps that you outlined (define App Role in functions app, add permission for role in web app), but my web app is still not getting authorized when trying to run Azure Functions. I still get "You do not have permission to view this directory or page." I'm not sure what I'm missing, but have again hit a wall on this.

0 Votes 0 ·
0 Votes
IsmailHussein-0983 answered BrettThib-0287 commented

Hi @BrettThib-0287 I am facing a similar issue to the one you described... Were you able to find a solution? That will help me a lot, if you could share it. Thanks.


@IsmailHussein-0983 unfortunately, still no solution. I've been working one on one with Microsoft support on this, but still not having any luck thus far.

0 Votes 0 ·