Securing Azure Functions with Azure Active Directory (Microsoft Entra): A Comprehensive Guide for Application Developers
Azure Functions is a serverless compute service provided by Microsoft Azure, allowing developers to run small pieces of code without the need to manage the underlying infrastructure. These functions can be triggered by various events and are commonly used for tasks like data processing, integration, and automation. However, when working with sensitive data or performing critical operations, it is essential to secure these functions to prevent unauthorized access. One way to achieve this is by integrating Azure Active Directory (now part of Microsoft Entra) with Azure Functions. In this article, we will explore the process of securing Azure Functions using Microsoft Entra with practical examples.
Overview of Azure Active Directory (Microsoft Entra)
Azure Active Directory (Azure AD), now part of the Microsoft Entra family, is a cloud-based identity and access management service from Microsoft. It provides a single place to manage user identities and access to applications and resources, both on-premises and in the cloud. Azure AD supports various authentication protocols, including OAuth 2.0 and OpenID Connect, making it suitable for securing modern applications and APIs.
Why Secure Azure Functions with Azure AD?
Securing Azure Functions with Microsoft Entra (Azure AD) offers several benefits, including:
Centralized Identity Management
By leveraging Azure AD, you can manage user identities centrally, making it easier to control access to your functions and other Azure resources.
Multi-Factor Authentication (MFA)
You can enable Multi-Factor Authentication for additional security, ensuring that users must provide more than one form of identification before gaining access.
Fine-Grained Access Control
Microsoft Entra allows you to define fine-grained access policies, restricting access to specific users or groups of users.
Prerequisites
Before proceeding with securing Azure Functions with Microsoft Entra, you need to have the following in place:
Azure Subscription: You must have an active Azure subscription to create and manage Azure Functions and Microsoft Entra.
Azure Function App: Create an Azure Function App in the Azure portal. You can create functions within this app that will be secured using Microsoft Entra.
Azure Active Directory (Microsoft Entra) Tenant: You need a Microsoft Entra (Azure AD) tenant to configure the necessary authentication settings.
Steps to Secure Azure Functions with Azure AD
Now, let’s walk through the steps to secure Azure Functions using Azure AD:
Step 1: Configure Authentication Settings for the Azure Function App
- In the Azure portal, navigate to your Azure Function App.
- In the left-hand menu, click on “Authentication”.
- Under “Add Identity Provider”, click on Microsoft to add Microsoft Entra ID (formerly Azure AD).
- Configure the following options under the Microsoft Identity Platform:
  Management Mode: Select “Express” or “Advanced”, depending on your needs. The Advanced mode offers more granular control over authentication settings.
  Action to take when request is not authenticated: Choose the appropriate action, such as “Return 401 Unauthorized”, when an unauthenticated request is received.
- Click on “Save” to enable authentication for your Azure Function App.
Step 2: Protect Azure Functions with Authorization
- Open your Azure Function code in the Azure portal or your development environment. Identify the functions that need to be secured with Microsoft Entra authentication.
- Update your authorization model to ensure compliance with the latest Microsoft Identity Platform standards.
- Add the [Authorize] attribute to the function definition. This attribute will ensure that the function can only be accessed by authenticated users.
Example of a secured Azure Function in C#:
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.AspNetCore.Http;
using System.Security.Claims;

public static class SecureFunction
{
    [FunctionName("SecureFunction")]
    public static IActionResult Run(
        // AuthorizationLevel.Function means the Functions host also demands a
        // function key on top of the Microsoft Entra authentication configured in Step 1.
        [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
        // Populated by the runtime from the authenticated caller's identity
        ClaimsPrincipal claimsPrincipal)
    {
        // Check that the caller is authenticated. Identity can be null when no
        // identity provider ran, so test the whole chain instead of dereferencing it.
        if (claimsPrincipal?.Identity?.IsAuthenticated != true)
        {
            return new UnauthorizedResult();
        }

        // Your function logic goes here
        // ...
        return new OkResult();
    }
}
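The example above only checks that the caller is authenticated. The fine-grained access control mentioned earlier means also checking what the caller is allowed to do, and the monitoring in Step 5 is only useful if rejected requests are actually logged. The following is an added example, not code from the original article: it extends the pattern to require a specific app role and logs every rejection through the function's ILogger so it lands in Application Insights. It assumes the in-process .NET Functions runtime with the ClaimsPrincipal binding, that App Service Authentication from Step 1 is enabled, and that the app registration defines an app role named "Orders.Read" (a hypothetical name).

```csharp
// Added example (not from the original article). Assumptions: in-process .NET
// Azure Functions runtime with the ClaimsPrincipal binding, App Service
// Authentication enabled (Step 1), and a hypothetical app role "Orders.Read"
// defined on the function app's app registration.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class OrdersFunction
{
    // Hypothetical app role; the value must match the role defined in the app registration.
    private const string RequiredRole = "Orders.Read";

    [FunctionName("GetOrders")]
    public static IActionResult Run(
        // Anonymous here means the Functions host does not demand a function key;
        // App Service Authentication still rejects callers without a valid Entra token.
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "orders")] HttpRequest req,
        ClaimsPrincipal principal,
        ILogger log)
    {
        // Authentication check: Identity may be null, so test the whole chain.
        if (principal?.Identity?.IsAuthenticated != true)
        {
            log.LogWarning("Rejected unauthenticated request to {Path} from {RemoteIp}",
                req.Path, req.HttpContext.Connection.RemoteIpAddress);
            return new UnauthorizedResult();
        }

        // Authorization check: authenticated but lacking the role is 403, not 401,
        // and the attempt is logged with a stable identifier for later investigation.
        if (!HasRole(principal, RequiredRole))
        {
            log.LogWarning("User {UserId} lacks role {Role} for {Path}",
                GetUserId(principal), RequiredRole, req.Path);
            return new StatusCodeResult(StatusCodes.Status403Forbidden);
        }

        log.LogInformation("User {UserId} authorized for {Path}", GetUserId(principal), req.Path);
        return new OkObjectResult(new { orders = Array.Empty<string>() });
    }

    // Microsoft Entra places app roles in the "roles" claim; depending on claims
    // mapping the principal may expose them as ClaimTypes.Role instead, so accept both.
    public static bool HasRole(ClaimsPrincipal principal, string role) =>
        principal.Claims.Any(c =>
            (c.Type == "roles" || c.Type == ClaimTypes.Role) &&
            string.Equals(c.Value, role, StringComparison.Ordinal));

    // Prefer the caller's object id (oid) over display names in audit logs: it is
    // stable even when the user is renamed.
    public static string GetUserId(ClaimsPrincipal principal) =>
        principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
        ?? principal.FindFirst("oid")?.Value
        ?? principal.Identity?.Name
        ?? "unknown";
}
```

Returning 403 rather than 401 for an authenticated caller without the role keeps the two failure modes distinguishable in the logs, which is what you want when you later query Application Insights for unauthorized attempts in Step 5.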
Step 3: Testing the Secured Function
- Deploy your Azure Function App with the changes you made in Step 2.
- Access the secured function URL in your web browser or use a tool like cURL or Postman.
- If you are not already authenticated, Microsoft Entra will prompt you to sign in.
- Once authenticated, you should be able to access the function.
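Checking the function once in a browser shows that sign-in works, but it does not show that the gate refuses bad credentials. The following is an added example, not from the original article: a small console program that sends three requests to the deployed function (no token, an obviously invalid bearer token, and a real token) and reports whether each response is what a correctly configured gate should return. It assumes two environment variables, FUNCTION_URL (the secured function's URL) and ACCESS_TOKEN (a Microsoft Entra access token issued for the function app's app registration, for example obtained with the Azure CLI's `az account get-access-token --resource <application-id-uri>`).

```csharp
// Added example (not from the original article). Assumptions: FUNCTION_URL and
// ACCESS_TOKEN environment variables are set as described in the lead-in, and the
// function app returns 401 for unauthenticated requests (Step 1 setting).
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

public static class AuthGateCheck
{
    public static async Task<int> Main()
    {
        var url = Environment.GetEnvironmentVariable("FUNCTION_URL")
                  ?? throw new InvalidOperationException("FUNCTION_URL is not set");
        var token = Environment.GetEnvironmentVariable("ACCESS_TOKEN")
                    ?? throw new InvalidOperationException("ACCESS_TOKEN is not set");

        using var client = new HttpClient();
        bool allGood = true;

        // 1. No credentials at all: the gate must refuse with 401.
        var anonStatus = (await client.GetAsync(url)).StatusCode;
        allGood &= Report("no token", anonStatus, HttpStatusCode.Unauthorized);

        // 2. A bearer header that is not a valid token: must also be 401, which
        //    confirms the token is actually validated and not merely required.
        var bogusStatus = await SendWithBearer(client, url, "not.a.real.token");
        allGood &= Report("invalid token", bogusStatus, HttpStatusCode.Unauthorized);

        // 3. A real token for this app: 200 passes the gate; 403 also means the
        //    gate worked and the function's own role check declined the caller.
        var realStatus = await SendWithBearer(client, url, token);
        bool passed = realStatus == HttpStatusCode.OK || realStatus == HttpStatusCode.Forbidden;
        Console.WriteLine($"valid token   -> {(int)realStatus} {(passed ? "as expected" : "UNEXPECTED")}");
        allGood &= passed;

        return allGood ? 0 : 1;
    }

    private static async Task<HttpStatusCode> SendWithBearer(HttpClient client, string url, string bearer)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearer);
        using var response = await client.SendAsync(request);
        return response.StatusCode;
    }

    private static bool Report(string label, HttpStatusCode actual, HttpStatusCode expected)
    {
        bool ok = actual == expected;
        Console.WriteLine($"{label,-13} -> {(int)actual} {(ok ? "as expected" : $"UNEXPECTED, wanted {(int)expected}")}");
        return ok;
    }
}
```

Run it after each deployment; a non-zero exit code means the authentication setting from Step 1 is no longer in force, which is exactly the regression you want to catch before anything else does.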
Step 4: Implement Conditional Access for Additional Security
For enhanced security, you can implement Conditional Access Policies within Microsoft Entra to further control access to your Azure Functions based on factors like user roles, device compliance, or geographic location.
- In the Microsoft Entra portal, navigate to Conditional Access.
- Create a new policy that restricts access to your Azure Functions based on criteria like:
- Device being compliant
- User risk level
- Specific IP ranges or geographic regions
Step 5: Monitoring and Logging for Secured Functions
Azure's logging and diagnostic capabilities let you monitor security-related events, such as authentication failures, for your Function App.
- In the Azure portal, navigate to Application Insights for your Function App.
- Configure logging for authentication requests to monitor who is accessing your functions and whether there are any unauthorized attempts.
- Use Azure Monitor and Log Analytics to track security incidents, including failed login attempts or suspicious activity.
Conclusion
Securing Azure Functions with Microsoft Entra (formerly Azure AD) is a crucial step in safeguarding your serverless applications and APIs. By integrating Microsoft Entra, you can centralize identity management, enforce multi-factor authentication, and implement fine-grained access control. This article covered the necessary steps to register your Azure Function App with Microsoft Identity Platform, configure authentication settings, and protect your functions using the [Authorize] attribute. Additionally, we introduced the use of Conditional Access policies and enhanced monitoring for improved security.
By following these steps and best practices, you can ensure that your Azure Functions are accessible only to authorized users, mitigating security risks, and protecting sensitive data.