
Secure Azure Function App with Azure Active Directory (AD). [Token based access]

Welcome to BigDataStacks. This blog post explains how to secure an Azure Function App with Azure Active Directory, so that anyone who tries to access the function app is asked to log in. I also show how to call the function URL with an access token.

Let's start.
  1. Configure Function App
  • Create an Azure Function app with anonymous access.
  • Go to the function app's 'Authentication / Authorization' section from 'Platform features'.
  • Turn on 'App Service Authentication/Authorization'.
  • Select the action 'Login with Azure AD'.
  • Click on 'Azure AD' under the authentication providers.
  • Select 'Express' and 'Create a new AD app', then click on OK.
  • Click on 'Save'.
  • Open the screen where we selected 'Express' mode again.
  • Now select 'Advanced'. Copy the 'clientId'; it will be used later. NOTE: if the clientId is not shown, refresh the page and it will appear.
  • Add one more entry under 'Allowed Token Audience', e.g. https://{your-function-app-name}.azurewebsites.net
  • Click on 'OK', then 'Save'.
  2. App Registration
  • Search for the Azure Active Directory service.
  • Go to 'App Registration'.
  • Click on 'New App Registration'.
  • Enter an app name such as 'clientApp'. Enter the function app URL in 'Redirect URIs'.
  • Now go to 'Overview' and copy the 'Application (client) ID' and 'Directory (tenant) ID'; both are needed to generate tokens.
  • Click on 'Certificates & secrets' and add a new client secret. It generates a random secret; copy this 'client-secret'.
  • Go to 'API Permissions' -> 'Add Permission' -> 'My APIs' -> click on your function app -> grant the required Delegated permissions.

  3. Test our configuration

Now our function is secured with Azure Active Directory. When you try to access your function app URL, it requires a login with Active Directory.

We can also call our function app by fetching a token and passing this token when accessing the function app.

Let's do this.

We have all the data required to fetch a token: clientId, secret, tenantId and resourceUrl.

Make an HTTP request like the one below, replacing every '{xxxxx}' field with your own values. It returns a bearer token; use this token to call your function app. The 'resource' value must match the entry you added under 'Allowed Token Audience', otherwise the function app rejects the token.
POST /{tenant-id}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=client_credentials&client_id={client-id}&client_secret={client-secret}&resource=https://{your-function-app-name}.azurewebsites.net
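The same flow as a Python script, added here as an example and not the blog's own code: it posts the client_credentials form above, checks that the token's 'aud' claim equals the 'Allowed Token Audience' entry before using it, and then calls the function with an Authorization: Bearer header. The tenant id, client id, secret, function host and the /api/HttpTrigger1 route are placeholders and assumptions to replace with your own values.

```python
import base64
import json
import urllib.parse
import urllib.request

TENANT_ID = "{tenant-id}"          # 'Directory (tenant) ID' of the clientApp registration
CLIENT_ID = "{client-id}"          # 'Application (client) ID' of the clientApp registration
CLIENT_SECRET = "{client-secret}"  # secret created under 'Certificates & secrets'
FUNCTION_HOST = "https://{your-function-app-name}.azurewebsites.net"
ALLOWED_AUDIENCE = FUNCTION_HOST   # the entry added under 'Allowed Token Audience'

def build_token_request(tenant_id, client_id, client_secret, resource):
    """URL and form body of the client_credentials request shown in the post."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "resource": resource})
    return url, body

def jwt_claims(token):
    """Decode a JWT payload without checking the signature (App Service does the real check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_matches(token, allowed):
    """True if 'aud' matches the allowed audience; a mismatch is the usual cause of a 401."""
    aud = jwt_claims(token).get("aud")
    return allowed in aud if isinstance(aud, list) else aud == allowed

def make_unsigned_jwt(claims):
    """Unsigned, JWT-shaped string built from claims (constructed test input only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def fetch_token():
    url, body = build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, FUNCTION_HOST)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:  # JSON reply carries 'access_token'
        return json.load(resp)["access_token"]

def call_function(token, path="/api/HttpTrigger1"):  # path: assumed route of your function
    req = urllib.request.Request(FUNCTION_HOST + path,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()

if __name__ == "__main__":
    tok = fetch_token()
    assert audience_matches(tok, ALLOWED_AUDIENCE), "token 'aud' is not an allowed audience"
    print(call_function(tok))
```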
