So you've been given access to an API which is an HTTP-triggered Azure Function secured using Azure Active Directory. It needs to be called programmatically, so you've been given a few things to do this, including:
An Azure tenant ID
An application ID and secret
The application's ID URI
A function key
So what now, and how do you use all of these to call the API? These are all of the pieces you need to authenticate your application with Azure Active Directory and with the function itself.
There are actually two pieces of authentication happening here. The first is the application authentication, which you perform to get a token. You then pass this token to the Azure Functions App, which uses it to confirm that you are indeed authenticated. The function key is a second piece, which determines that you are authenticated to call that specific function.
I've put up a small bit of Python code on GitHub which shows how this works. It's not using any Azure-specific libraries, so the flow should be easy enough to reproduce in other languages.
First of all you need your application to authenticate itself. This is where the first 3 pieces of information are used: they say which tenant you're authenticating against, which application you are, and the scope of the resource you're attempting to access. We do this by posting a request to the Microsoft OAuth2 token endpoint requesting a token.
https://login.microsoftonline.com/{tenantid}/oauth2/token
The headers and the body need to be set so that we can authenticate in a single request.
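import requests

# TENANT_ID, CLIENT_ID, CLIENT_SECRET and APP_ID_URI are the values you were given.
auth_body = {
    'grant_type': 'client_credentials',
    'client_id': CLIENT_ID,
    'client_secret': CLIENT_SECRET,
    'resource': APP_ID_URI
}
auth_uri = 'https://login.microsoftonline.com/{}/oauth2/token'.format(TENANT_ID)
# The body is sent form-encoded, so the secret travels in the POST body, not the URL.
auth_resp = requests.post(auth_uri, data=auth_body, headers={'Content-Type': 'application/x-www-form-urlencoded'})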
Assuming the request is successful you will get a JSON object back which contains information about your token, including its type (which is Bearer), how long it's valid for and the token itself, which is the "access_token" property. You can then use this value as a bearer token for the actual Azure Function call.
# The access token goes in the Authorization header; the function key goes in the "code" query parameter.
bearer_token = auth_resp.json()['access_token']
res = requests.get('https://funcapp.azurewebsites.net/httpfunction?code=<function key>', headers={'Authorization': 'Bearer {}'.format(bearer_token)})
Obviously the URL needs replacing with the one you're actually calling and the function key replacing with the value you've been provided. But then that's it, you should now have been able to call the function successfully and get a response (assuming you've passed all of the correct parameters to the function).
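The two steps above, hardened for a long-running client, as an added example that is not the code from the GitHub repository mentioned earlier: it reuses the token until shortly before it expires, reports a failed token request without echoing the secret, and sends the function key in the `x-functions-key` header, which Azure Functions accepts as an alternative to `?code=` and which keeps the key out of URL logs. `post_form`, `TokenCache` and `function_headers` are hypothetical names, and the response is assumed to carry the standard OAuth2 `expires_in` field.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def post_form(url, fields):
    """POST form-encoded fields and return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # failures also come back as JSON
        return err.code, json.load(err)


class TokenCache:
    """Holds one client-credentials token and renews it shortly before expiry."""

    def __init__(self, tenant_id, client_id, client_secret, app_id_uri,
                 post=post_form, now=time.time):
        self._uri = 'https://login.microsoftonline.com/{}/oauth2/token'.format(tenant_id)
        self._body = {'grant_type': 'client_credentials', 'client_id': client_id,
                      'client_secret': client_secret, 'resource': app_id_uri}
        self._post, self._now = post, now
        self._token, self._expires_at = None, 0.0

    def get(self, skew=60):
        """Return a valid token, requesting a new one within `skew` seconds of expiry."""
        if self._token is None or self._now() >= self._expires_at - skew:
            status, body = self._post(self._uri, self._body)
            if status != 200 or body.get('token_type') != 'Bearer':
                # Report only the error code; the request body holds the secret.
                raise RuntimeError('token request failed: {} {}'.format(status, body.get('error')))
            self._token = body['access_token']
            self._expires_at = self._now() + int(body['expires_in'])
        return self._token


def function_headers(token, function_key):
    """Headers for the function call: bearer token plus key, nothing in the URL."""
    return {'Authorization': 'Bearer {}'.format(token), 'x-functions-key': function_key}
```

Pass the result of `function_headers(cache.get(), FUNCTION_KEY)` as the `headers` argument of the `requests.get` call shown above, with the `?code=` parameter removed from the URL.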