Managed Service Identity
This video segment covers the various authentication options for Azure Functions.
- Azure functions
- Social identity
About this video
- Sahil Malik
- First online
- 21 December 2018
- Online ISBN
- Copyright information
- © Sahil Malik 2019
Sahil Malik: Next, let’s talk about Authentication and Authorization. So how can people prove their identity when they want to call your Azure Function? Let’s find out.
So I have an Azure Function created here. Let’s go ahead and click on this. And in the function app, under Platform features, I have a link under the Networking section, Authentication and Authorization. Let’s go ahead and click on it. So currently it says Anonymous access is enabled on the App Service app. Users will not be prompted for login, but remember that you still have the facility of being able to protect this function or individual functions with a key, so the key needs to be specified in the query string or the header, but that is not considered very good authentication, especially if you pass it in the query string because even for HTTPS, you have a danger of losing that key. Not to mention that that key needs to be shared across anybody calling your function app. Yes, you can provision more keys, but still not a very good way to secure your function. So to properly secure your function, you change this toggle to on.
As soon as you do that, the default here, as you see, is Allow anonymous (no action), but you can choose to change it to any one of these choices. So you can choose to use Facebook, Google, Microsoft Account, Twitter, and each one of these, you know, all of them have different setup requirements. So for instance, if I go on Facebook, it’ll tell me that first I need to go to Facebook and I need to create an application in Facebook. Then Facebook will give me an App ID and App secret, and I put those values in here, and then I can choose what scopes my application needs. These are Facebook-specific details, but these are the various scopes that my application will need, things that I can do on Facebook, right? So you can imagine that something like public profile is very unique to Facebook. These are scopes; this is OpenID Connect, standards-compliant authentication.
Similarly, you can look at Google. Google’s authentication is slightly different. They don’t have—well, they do have a concept of scopes, but that’s really not exposed because here we’re just using the identity. Similarly, Twitter or Microsoft Account, so all of these are different authentication requirements, different design in it, et cetera, so I would need to go to each one of these individual identity providers, provision my application and paste these values in here, and then I can use that to authenticate with Azure Functions.
Let’s look at the Azure Active Directory example in a little bit more depth. So here I can choose to register my Azure Function as an Azure AD application. Why would I want to do that? Because this Azure Function is inside of an Azure AD. See, I’m signed into the Azure portal, therefore I’m signed into an Azure AD. And here, I would want to be able to say if users within my own organization want to be able to call this Azure Function, or perhaps I can make this a multitenant Azure Function, and then users from other applications can call it, like a web app or web API. So I can choose to set it off, which is the default. I can choose to go with Express. Under Express, I can either choose to create a new AD app or select an existing AD app.
When I choose to select an existing AD app, basically I’m saying that I’ve already gone to my Azure AD and I have provisioned an application for myself, a web app, and I can simply point to that here. And right from here, I can also manage the permissions that this particular function will have. For example, I want to call Microsoft Graph. What exactly can I call in Microsoft Graph? I can choose to manage that right from here. Or I can go into the Advanced settings, and if you prefer to type in the client ID, issuer URL, et cetera, by hand, you’re able to do that as well. So see that you get a lot of flexibility in how you want to be able to set up an Azure AD authenticated application. So this is really, really powerful, and at this point, once you create this, you basically have a first-class Azure AD authenticated application.
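The segment leaves the provider on the default "Allow anonymous (no action)", in which case the platform does not reject unauthenticated callers and the function body has to inspect the identity itself. As an added example, not part of the video or of any Azure SDK, the following Python shows how a function would read the base64-encoded JSON principal that App Service Authentication attaches to a signed-in request in the `x-ms-client-principal` header and turn it into an allow/deny decision. The header names and the `auth_typ`/`name_typ`/`role_typ`/`claims` document shape follow the Easy Auth header format; the role claim URI, the user name and the role values in the sample are constructed here, and the check only makes sense once the Authentication/Authorization toggle shown in the video is on, because only then does the platform own these headers rather than the caller.

```python
import base64
import binascii
import json
from typing import Optional

# Header App Service Authentication ("Easy Auth") adds to a request after the
# caller has signed in with one of the configured identity providers.
PRINCIPAL_HEADER = "x-ms-client-principal"

# Claim type assumed for roles in the constructed sample below (the standard
# WS-Federation role claim URI that Azure AD app roles are emitted under).
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def parse_client_principal(headers: dict) -> Optional[dict]:
    """Decode the base64 JSON principal document from the request headers.

    Returns None for an anonymous request or for a header that does not
    decode cleanly, so the caller treats "no principal" and "bad principal"
    identically (both end up as 401).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(PRINCIPAL_HEADER)
    if not raw:
        return None
    try:
        doc = json.loads(base64.b64decode(raw, validate=True).decode("utf-8"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not isinstance(doc, dict):
        return None
    # Claim types may repeat (one entry per role), so collect lists per type.
    claims: dict = {}
    for claim in doc.get("claims", []):
        if isinstance(claim, dict) and "typ" in claim and "val" in claim:
            claims.setdefault(claim["typ"], []).append(claim["val"])
    name_typ = doc.get("name_typ", "")
    role_typ = doc.get("role_typ", ROLE_CLAIM)
    return {
        "auth_type": doc.get("auth_typ"),
        "name": claims.get(name_typ, [None])[0],
        "roles": claims.get(role_typ, []),
        "claims": claims,
    }


def authorize(headers: dict, required_role: str) -> tuple:
    """Return (status_code, reason) the way a function body would decide
    when the provider is left on "Allow anonymous (no action)"."""
    principal = parse_client_principal(headers)
    if principal is None:
        return 401, "no authenticated principal"
    if required_role not in principal["roles"]:
        return 403, f"missing role {required_role}"
    return 200, f"ok for {principal['name']}"


def constructed_header(name: str, roles: list) -> str:
    """Build a sample header value. Constructed for this example only; it is
    not captured from a real request."""
    doc = {
        "auth_typ": "aad",
        "name_typ": NAME_CLAIM,
        "role_typ": ROLE_CLAIM,
        "claims": [{"typ": NAME_CLAIM, "val": name}]
        + [{"typ": ROLE_CLAIM, "val": r} for r in roles],
    }
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    signed_in = {"X-MS-CLIENT-PRINCIPAL": constructed_header("alice@example.com", ["Reader"])}
    print(authorize(signed_in, "Reader"))   # (200, 'ok for alice@example.com')
    print(authorize({}, "Reader"))          # (401, 'no authenticated principal')
    print(authorize({"x-ms-client-principal": "not base64!"}, "Reader"))  # (401, ...)
```

Header lookups are case-insensitive because the hosting layer may present them in either form, and a malformed header is deliberately folded into the anonymous path instead of raising, so a garbage value never produces a stack trace that leaks which claims the function expects.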