question

0 Votes
AdamKrug-1700 asked

How to make an Azure Function available only to selected users using AAD

I have an Azure Function (let's call it Function1) which I want to make available only to selected users (via AAD in my organization). In my solution Function1 is consumed by a desktop client app (let's call it Client), which should take care of authenticating the user (and, if possible, also authorizing) and sending the HTTP request to Function1.

Here's how I set it all up (and it doesn't work as expected: currently everyone in my organization is able to use Function1).

  1. I created a dedicated app registration on Azure (let's call it AppReg).

  2. I added the users who should have access to Function1 in Enterprise Applications (for AppReg), in the Users and groups section, with the role "User / Default Access".

  3. I enabled Authentication on Function1 using AppReg; it returns 401 when the request is not authorized.

  4. The signature of Function1 is:

```csharp
// Function-level authorization: the caller must also present a function key
// (?code=... or the x-functions-key header) in addition to the AAD bearer token.
public static async Task<IActionResult> Run(
    [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
    ILogger log)
```

  5. Client uses MSAL for authenticating the user. The process is exactly as in this tutorial.

  6. Here is the snippet that sends the request to Function1:

```csharp
// Sends the ID token returned by MSAL as the bearer token on the call to Function1.
HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.IdToken);
HttpResponseMessage postResponse = await HttpClient.PostAsync(uri, new StringContent(json, Encoding.UTF8, "application/json"));
```

What should I do differently so that only the specified users can use Function1 and all other users are rejected?


1 Answer

0 Votes
AdamKrug-1700 answered

I tried to set up Function1 and AppReg as described in this article: http://sadomovalex.blogspot.com/2018/12/call-azure-ad-secured-azure-functions.html . The problem is that I don't know how to use a client secret with MSAL.
I'm also not sure whether that is a safe thing to do in a client app.

In my scenario, should I have a separate app registration for Client and a separate one for Function1?

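The setup in the question and the follow-up about separate registrations, as an added example that is not part of the original post. It is a minimal MSAL.NET public client that calls Function1 with an access token rather than the ID token. Two things the snippet in the question does not do are assumed here, and both are hypothetical names, not values from the page: Function1 has its own app registration (FunctionAppId) that exposes a delegated scope named access_as_user under the Application ID URI api://<function-app-id>, and App Service Authentication on Function1 is configured against that registration with api://<function-app-id> in its allowed token audiences; and the enterprise application for Function1 has "User assignment required?" set to Yes (for example `az ad sp update --id <function-app-id> --set appRoleAssignmentRequired=true`), which is what makes the Users and groups list enforce anything. Client gets its own registration (ClientAppId) as a public client with no client secret, so the question raised in the answer about embedding a secret in a desktop app does not arise. Because Function1 uses AuthorizationLevel.Function, the function key is still expected in the URL.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not code from the original post. All identifiers below are placeholders:
//  - ClientAppId: registration for the desktop Client (public client, redirect URI http://localhost).
//  - FunctionAppId: registration for Function1, exposing the delegated scope "access_as_user".
//  - Function1's enterprise application has "User assignment required?" = Yes.
public static class Function1Client
{
    private const string TenantId = "<tenant-id>";
    private const string ClientAppId = "<client-app-id>";
    private const string FunctionAppId = "<function-app-id>";

    // Ask for a token whose audience is Function1, not the Client itself.
    private static readonly string[] Scopes = { $"api://{FunctionAppId}/access_as_user" };

    // AuthorizationLevel.Function still requires the function key alongside the bearer token.
    private static readonly Uri FunctionUri =
        new Uri("https://<function-app>.azurewebsites.net/api/Function1?code=<function-key>");

    private static readonly HttpClient Http = new HttpClient();

    public static async Task<HttpResponseMessage> PostAsync(string json)
    {
        IPublicClientApplication pca = PublicClientApplicationBuilder.Create(ClientAppId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost")
            .Build();

        AuthenticationResult result;
        try
        {
            // Reuse a cached token for the scope when one exists.
            var accounts = await pca.GetAccountsAsync();
            result = await pca.AcquireTokenSilent(Scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // First run or expired cache: interactive sign-in for the same scope.
            result = await pca.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
        // A user who is not assigned to Function1's enterprise application never reaches this point:
        // with assignment required, Azure AD refuses to issue the token (AADSTS50105) instead of
        // leaving the decision to Function1.

        using var request = new HttpRequestMessage(HttpMethod.Post, FunctionUri)
        {
            Content = new StringContent(json, Encoding.UTF8, "application/json")
        };
        // Send the access token issued for Function1's scope. The ID token is issued to the
        // Client about the signed-in user; the access token is what an API should receive.
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await Http.SendAsync(request);
    }
}
```

With assignment required, the authorization decision is made at token issuance: an unassigned user in the same tenant can still sign in to Client, but the token request for api://<function-app-id>/access_as_user fails, so Function1 never sees a request from them. Authentication on the Function App then only has to validate the token (issuer, audience, signature, expiry), which it does before the code behind AuthorizationLevel.Function runs.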