I am trying to configure the security for a Logic App and Azure Function. The Azure Function has an HTTP Trigger. So far I have done the following:

  1. Created the Azure Function with some basic functionality (write query in request to log).
  2. Created the Logic App (recurrence trigger, HTTP action to trigger the Azure Function).
  3. Tested that the Logic App successfully calls the Azure Function.
  4. Added a managed identity to the Logic App.
  5. Enabled Azure AD Authentication/Authorisation on the Azure Function App and used the express configuration which created the App Registration in Azure AD for the Function App.
  6. Added Managed Identity as the Authentication method in the HTTP action within the Logic App.

When I run the Logic App it shows that the HTTP action fails because it's unauthorized. Can anyone tell me what I'm missing? I've found a few tutorials on how to access a KeyVault (for example) using a similar approach, but nothing for an Azure Function. I feel like I need to tell the App Registration that the Managed Identity for the Logic App has permissions, but I don't know if this is correct, nor how to do it.

Please take a look at this thread: stackoverflow.com/questions/55407966/… . I've answered with 2 possible approaches, where the 2nd one is more declarative. Also, while trying to authenticate from Logic App to function, make sure you're putting in the correct audience value in the HTTP Action for Logic App (it should be the APP ID URI from your Azure Function's Azure AD app registration. You can find the APP ID URI from the portal: i.stack.imgur.com/rqvUG.png ) -- Rohit Saigal

Hi @RohitSaigal, thanks for your reply. In the JSON within the manifest, what value should go in id (you have fc80341...)? -- Greg the Incredulous

You're welcome. It can be any unique GUID; you can create a new one. You're basically defining a new role and giving it an identifier. -- Rohit Saigal

1 Answer

Firstly, to get past the unauthorized error that you're currently getting when Logic App calls your Azure Function, you need to make sure that your Logic App is acquiring the token to authenticate to the Function correctly.

I quickly tried out a logic app with Managed Identity like your setup to call an Azure Function with Azure AD authentication enabled. Here are the detailed steps to follow.

  1. Add an HTTP Action in your Logic App that will be used to call your Azure Function.
  2. In my case it was a simple GET call with a URL like https://<myfunctionapp>.azurewebsites.net/api/simplefunction
  3. In Authentication, select Managed Identity.
  4. Then add a new parameter and select the Audience checkbox.

  5. Change the value of the Audience parameter to the APP ID URI of your function app's Azure AD app registration. In my case this value looked like https://<myazureadtenant>.onmicrosoft.com/GUID

    You can find this APP ID URI value from Azure Portal > Azure AD > App Registrations > Registration for your function app > Settings > Properties

At this point, you should be able to test your logic app and at least call the Azure Function fine (unless your Azure Function restricts to only certain callers or requires specific permissions, more on that shortly.)

Here is how the full HTTP action looks in my case.

[screenshot: the full HTTP action]

Next, once the basic call from the Logic App (with Managed Identity) to your Azure Function is getting authenticated properly, the question is whether any application should be able to call your Azure Function, or whether only certain callers with specific permissions should be allowed.

I have answered this part in detail with 2 approaches in this SO post: Is there a way to secure an Azure Function that will only be called from a specific Azure Logic App? The second approach in that answer is very declarative, and you can even create multiple different application roles for different types of callers if needed for your function.
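The HTTP action from the steps above, written out as the Logic Apps workflow-definition JSON you would see in the designer's code view. This is an added example, not code from the answer or from Microsoft's docs; the function URL and audience reuse the answer's placeholders, and the action name `Call_Azure_Function` and the hourly recurrence are assumed.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Hour", "interval": 1 }
    }
  },
  "actions": {
    "Call_Azure_Function": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "GET",
        "uri": "https://<myfunctionapp>.azurewebsites.net/api/simplefunction",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://<myazureadtenant>.onmicrosoft.com/GUID"
        }
      }
    }
  },
  "outputs": {}
}
```

The `audience` string must match the App ID URI of the function app's app registration exactly; with a missing or different audience the managed identity still gets a token, but it is issued for a different resource and the function app's Azure AD authentication layer rejects it as unauthorized, which is the symptom in the question.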