How to restrict access to an azure function based on a service pringcipal id

Question

I have a rest api implemeted as an azure function with Azure Active Directory authentication enabled. I would like to restrict the access to a subset of of the exposed methods to a particular set of service principals.

So far the solution i came up with is to retrieve access_token used by the request and check the application Id against a list manually. This will be done in the body of the the method.

I am looking for a solution that could handle this in the azure authorization layer before even calling the function. Is it possible?

Answer 1

There's nothing ready to use for that. One thing you can do is use custom handlers and implement the logic outside your function logic:

https://docs.microsoft.com/en-us/azure/azure-functions/functions-custom-handlers

Answer 2

As mentioned in another reply, there is no such thing currently. If you want to restrict the access of the function app for a set of service principals, my workaround is to declare an app role for the AD App related to your function app, as the sample below.

"appId": "8763f1c4-f988-489c-a51e-158e9ef97d6a",
"appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "ConsumerApps",
      "id": "47fbb575-859a-4941-89c9-0f7a6c30beac",
      "isEnabled": true,
      "description": "Consumer apps have access to the consumer data.",
      "value": "Consumer"
    }
  ],
"availableToOtherTenants": false,

After that, navigate to the AD App of your function in the Azure Active Directory in the portal -> click the Managed application in local directory -> Properties -> set the User assignment required to Yes .

Then any service principal used to get the token for the function app needs the application permission you declared, otherwise it will not be able to get the token. I wrote the details here , you could refer to it.