You don't want anyone calling your Azure Functions unauthenticated. You can rely on old-school function keys or use Azure Active Directory. Azure Functions provide an elegant Authentication / Authorization feature, previously known as Easy Auth, which works nicely with Azure API Management.

Set up the Azure Function to Use Azure Active Directory

The first thing you need to do is enable Authentication / Authorization under Platform Features.

Do not forget to set "Action to take when request is not authenticated" to "Log in with Azure Active Directory"; with the default "Allow Anonymous requests" the function can still be called anonymously, even though a provider is configured.

Next you need to register your application in Azure Active Directory. For this demo we create a new application registration.

When you are finished it should look similar to this.

To be sure it really works, call the function anonymously with a REST client; the status code must be 401 Unauthorized and the response must carry a Bearer challenge like the one below.

HTTP/1.1 401 Unauthorized
Content-Length: 58
Content-Type: text/html
WWW-Authenticate: Bearer realm="testazurefunctionapp20200415114430.azurewebsites.net" authorization_uri="https://login.windows.net/40a85801-c1db-488a-812e-b788c880f22c/oauth2/authorize" resource_id="edce07520-ed35-4a3e-9d37-31bd5d3d6a7e"
Date: Wed, 15 Apr 2020 14:35:06 GMT
Connection: close

You do not have permission to view this directory or page.
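The WWW-Authenticate challenge in that 401 is worth reading rather than just glancing at: it names the tenant the function trusts and the resource_id a caller must request a token for, which is exactly the value needed later in the API Management policy. The following is an added example (not code from the original post) that parses the challenge, extracts the tenant and resource, and turns the "is Easy Auth really enforced?" check into a function: a 200 means anonymous access is still allowed, and a 401 without a Bearer challenge is not Easy Auth either (a missing function key, for instance, yields a plain 401). The header value is copied from the response above; the helper names are my own.

```python
import re

# Constructed sample: the WWW-Authenticate header value from the 401 response above.
CHALLENGE = (
    'Bearer realm="testazurefunctionapp20200415114430.azurewebsites.net" '
    'authorization_uri="https://login.windows.net/40a85801-c1db-488a-812e-b788c880f22c/oauth2/authorize" '
    'resource_id="edce07520-ed35-4a3e-9d37-31bd5d3d6a7e"'
)

_PARAM_RE = re.compile(r'([A-Za-z_]+)="([^"]*)"')


def parse_bearer_challenge(header_value):
    """Split a `Bearer k="v" k2="v2"` challenge into a dict of its auth-params."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected a Bearer challenge, got scheme %r" % scheme)
    return dict(_PARAM_RE.findall(params))


def tenant_id_from_authorization_uri(uri):
    """Pull the tenant GUID out of https://login.windows.net/<tenant>/oauth2/authorize."""
    match = re.search(r"/([0-9a-fA-F-]{36})/oauth2/", uri)
    if match is None:
        raise ValueError("no tenant id in authorization_uri: %r" % uri)
    return match.group(1)


def easy_auth_enforced(status_code, headers):
    """True only if an anonymous call was rejected the way Easy Auth rejects it.

    200                      -> the action for unauthenticated requests is still
                                "Allow Anonymous requests"
    401, no Bearer challenge -> some other 401 (e.g. a missing function key)
    401 + Bearer challenge with authorization_uri and resource_id -> Easy Auth
    """
    if status_code != 401:
        return False
    lower = {k.lower(): v for k, v in headers.items()}
    try:
        params = parse_bearer_challenge(lower.get("www-authenticate", ""))
    except ValueError:
        return False
    return "authorization_uri" in params and "resource_id" in params


def apim_resource_for(headers):
    """The resource the function advertises is the value for the APIM policy's resource attribute."""
    lower = {k.lower(): v for k, v in headers.items()}
    return parse_bearer_challenge(lower["www-authenticate"])["resource_id"]


if __name__ == "__main__":
    hdrs = {"WWW-Authenticate": CHALLENGE, "Content-Type": "text/html"}
    params = parse_bearer_challenge(CHALLENGE)
    print("Easy Auth enforced:", easy_auth_enforced(401, hdrs))
    print("tenant:", tenant_id_from_authorization_uri(params["authorization_uri"]))
    print("APIM resource:", apim_resource_for(hdrs))
```

Run it against the real status code and headers your REST client returns; if easy_auth_enforced comes back False, revisit the "Action to take when request is not authenticated" setting before going any further.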

Configure Azure API Management

First you need to enable a managed identity on the API Management instance. This lets API Management obtain an Azure AD access token (a JWT) for the function's application without storing any credential of its own.

Now you can add a new API that points at the function.

Finally you need to add a new authentication-managed-identity inbound policy. As the resource, set the Application ID of the application created within the Azure Function's Authentication / Authorization in the previous steps; it is the same value the function returned as resource_id in its 401 challenge. You can also find it in the Azure Active Directory Enterprise Applications blade.

<policies>
    <inbound>
        <base />
        <authentication-managed-identity resource="edce07520-ed35-4a3e-9d37-31bd5d3d6a7e" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

After this you can call your Azure Function from Azure API Management: the policy acquires a token for the resource using the managed identity and sets it as the Bearer token on the backend request, and the function's Easy Auth validates it.
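One caveat: Easy Auth checks that the token is valid for the function's application (issuer, signature, audience). It does not by itself restrict which identity in the tenant presented the token, so if only one managed identity (the API Management instance) should be able to call the function, the function has to check the caller. After validation Easy Auth forwards the caller's claims to the function in the X-MS-CLIENT-PRINCIPAL header as base64-encoded JSON. The following is an added example, not code from the original post, that decodes that header and allows the request only if the caller's application ID (the `appid` claim of a v1 token, `azp` for v2) is on an allow list. The allowed ID, the handler function and make_principal_header are assumed or constructed for illustration; the JSON shape is the one Easy Auth documents for that header.

```python
import base64
import json

# Hypothetical value: the client (application) ID of the one managed identity
# allowed to call this function, i.e. the API Management instance's identity.
ALLOWED_CLIENT_APP_IDS = {"11111111-1111-1111-1111-111111111111"}


def decode_client_principal(header_value):
    """Decode the base64 JSON Easy Auth places in X-MS-CLIENT-PRINCIPAL.

    Assumed shape: {"auth_typ": "aad", "claims": [{"typ": ..., "val": ...}, ...], ...}.
    Returns the claims as {claim type: [values]}.
    """
    principal = json.loads(base64.b64decode(header_value))
    claims = {}
    for claim in principal.get("claims", []):
        claims.setdefault(claim["typ"], []).append(claim["val"])
    return claims


def caller_app_ids(headers):
    """Application IDs asserted for the caller: `appid` in v1 tokens, `azp` in v2 tokens."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("x-ms-client-principal")
    if not value:
        return set()  # Easy Auth did not authenticate this request at all
    claims = decode_client_principal(value)
    return set(claims.get("appid", [])) | set(claims.get("azp", []))


def caller_is_allowed(headers, allowed=ALLOWED_CLIENT_APP_IDS):
    """True only if the caller asserted an application ID and every one of them is allow-listed."""
    ids = caller_app_ids(headers)
    return bool(ids) and ids <= allowed


def handle(headers):
    """Framework-free handler body returning (status, body).

    In an Azure Function this would read req.headers and return an HttpResponse;
    the authorization decision is the part that matters here.
    """
    if not caller_is_allowed(headers):
        return 403, "caller is not the permitted managed identity"
    return 200, "hello from the function"


def make_principal_header(app_id, object_id):
    """Constructed test input mimicking what Easy Auth injects after validating an AAD token."""
    principal = {
        "auth_typ": "aad",
        "claims": [
            {"typ": "aud", "val": "edce07520-ed35-4a3e-9d37-31bd5d3d6a7e"},
            {"typ": "appid", "val": app_id},
            {"typ": "http://schemas.microsoft.com/identity/claims/objectidentifier", "val": object_id},
        ],
        "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    }
    return base64.b64encode(json.dumps(principal).encode()).decode()


if __name__ == "__main__":
    apim = make_principal_header("11111111-1111-1111-1111-111111111111", "aaaaaaaa-0000-0000-0000-000000000001")
    other = make_principal_header("22222222-2222-2222-2222-222222222222", "bbbbbbbb-0000-0000-0000-000000000002")
    print("APIM identity:", handle({"X-MS-CLIENT-PRINCIPAL": apim}))
    print("other identity:", handle({"X-MS-CLIENT-PRINCIPAL": other}))
    print("no principal:", handle({}))
```

This only means something because Easy Auth runs first: the header is set by the platform after the token has been validated, so the function never sees a forged X-MS-CLIENT-PRINCIPAL from the outside as long as requests cannot bypass the front end. The allow list holds the client ID of the managed identity, which you read from the API Management instance's Identity blade.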

4 comments

  1. Anton Kalcik, before all, thanks for this information, very useful. I leave you with a question: what about giving the access to only one managed identity?

    So what I want is: I have an API that can access the Azure Function using Managed Identity, but only one Managed Identity; I don't see that we can specify which Managed Identity can access the Azure Function.


  2. This is the best information I’ve found on this subject. After messing around with this stuff for 2 days, trying to follow the Microsoft documentation, I finally found this site. Everything finally makes sense, and it’s so simple.

    Thank you for sharing this information!
