To secure access to your Azure Function Apps and to allow access only to authenticated users, you can use Azure Active Directory B2C. It allows users to create their own accounts or sign in with credentials provided by a social identity provider. Users can access the Function Apps only after a successful authentication.
To configure Azure AD B2C as the identity provider for your Function Apps, complete the following steps:

1. Log in to the Azure portal.
2. Click Create a resource to create your Azure Function App. Enter a unique name for your Function App and fill in the remaining information. You must fill in the information in the Basics tab; you can then either fill in the information in the other tabs or go straight to the Review + Create tab. Check that all information is correct and click Create.
3. Wait for the Function App to be deployed, then click Go to resource to view it.
4. Note the URL shown in the Overview section for your newly deployed app.
5. Create a new B2C application:
   - In the Azure portal, click More services. Click Identity in the sidebar, then select Azure AD B2C. The New Application blade opens.
   - Configure the following options:
     - Provide the app name.
     - Click Yes for the Web App / Web API option. In the Reply Url field, enter the unique Azure Function App URL that you noted in Step 4 and append /.auth/login/aad/callback to it. For example: https://functionappname.azurewebsites.net/.auth/login/aad/callback.
   - Click Create.
6. Determine the B2C Application ID:
   - In the Azure portal, select the Azure AD B2C blade.
   - Click Applications, then click the entry for your newly created application to open the application profile.
   - Obtain the Application ID from the Properties blade of the application. This ID is used to complete the Azure Function configuration.
7. Determine the B2C OpenID Connect metadata URL endpoint:
   - In the Azure portal, select the Azure AD B2C blade.
   - Under Policies, select User flows. Select the Sign up and sign in policy (or any other policy that you have created) and click Run user flow. The Run user flow blade opens.
   - Copy the OpenID Connect metadata URL endpoint that is displayed in the top right corner.
8. Configure App Service Authentication for the Function App:
   - Select Authentication (classic) in the sidebar. Toggle App Service Authentication to On. Several authentication provider configurations are now displayed. The default action when a request is not authenticated is Allow Anonymous request; this allows any user, authenticated or not, to access your Function App.
   - Select Log in with Azure Active Directory in the Action to take when request is not authenticated dropdown. Select Azure Active Directory in the Authentication Providers list. This opens Azure Active Directory Settings.
   - Set the Management mode to Advanced, then fill in Client ID and Issuer Url.
   - Enter the B2C Application ID from Step 6 into the Client ID field. Enter the B2C OpenID Connect metadata URL from Step 7 into the Issuer Url field.
   - If you wish to fill in Client Secret, click Show secret to display the appropriate field. You can also fill in Allowed Token Audiences if you wish.
   - Click OK.
The configuration for B2C application and the Azure Function is now complete.
To validate the configuration, perform the following tests.

Confirm that unauthenticated users are prompted to complete their B2C sign-in before being allowed access to your Function App:

- In the Azure AD B2C blade, navigate to User flows under Policies and click the Run user flow button for each B2C user flow policy. The Run user flow blade opens for the selected user flow.
- Select the entry that corresponds to your Azure Function App in the Application field.
- Select the associated Reply Url. In some cases you might have more than one reply URL.
- Click the Run user flow button.
Also complete the following tests:
- Clear the browser session cookies and confirm that the user needs to authenticate during an attempt to access your Azure Function. After a successful access to the Function App, open a separate browser tab and validate that you can automatically sign in.
- Run other user flows, such as password reset or profile edit, with your Azure Function. After the users complete these flows, they are redirected to the Azure Function App.
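As an added example (not Azure's code and not part of this page), the following Python script checks a set of App Service Authentication settings against the configuration steps above and applies the claim checks that matter once B2C returns an id_token to the callback URL, which is what the sign-in tests exercise. The settings, the metadata document and the claims are constructed samples, and all function and key names are assumptions.

```python
import time
from urllib.parse import urlparse

CALLBACK_PATH = "/.auth/login/aad/callback"   # appended to the Function App URL in Step 5

# Constructed sample of the OpenID Connect metadata document that the Issuer Url
# from Step 7 points to; the tenant id is a placeholder.
SAMPLE_METADATA = {
    "issuer": "https://contosob2c.b2clogin.com/TENANT-ID-PLACEHOLDER/v2.0/",
    "jwks_uri": "https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/"
                "b2c_1_signupsignin/discovery/v2.0/keys",
}

def expected_reply_url(function_app_url):
    """Reply Url registered on the B2C application: <Function App URL> + callback path."""
    return function_app_url.rstrip("/") + CALLBACK_PATH

def allowed_audiences(settings):
    """The Client ID is always an accepted audience; Allowed Token Audiences adds more."""
    return [settings["client_id"]] + list(settings.get("allowed_token_audiences", []))

def check_settings(settings):
    """Return the problems found in the settings (empty list = matches the steps above)."""
    problems = []
    if settings["unauthenticated_action"] != "Log in with Azure Active Directory":
        problems.append("unauthenticated requests are not redirected to B2C sign-in")
    if settings["reply_url"] != expected_reply_url(settings["function_app_url"]):
        problems.append("Reply Url is not <Function App URL>" + CALLBACK_PATH)
    issuer = urlparse(settings["issuer_url"])
    if issuer.scheme != "https" or not issuer.path.endswith("/.well-known/openid-configuration"):
        problems.append("Issuer Url is not an https OpenID Connect metadata endpoint")
    if not settings["client_id"]:
        problems.append("Client ID (the B2C Application ID from Step 6) is empty")
    return problems

def validate_id_token_claims(claims, settings, metadata, now=None):
    """Claim checks a relying party applies to the id_token B2C posts to the callback:
    issuer taken from the metadata document, audience accepted, token not expired.
    Signature verification against jwks_uri is omitted here because it needs network access."""
    now = time.time() if now is None else now
    if claims.get("iss") != metadata["issuer"]:
        return False, "issuer mismatch"
    if claims.get("aud") not in allowed_audiences(settings):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"
```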