Pages

Monday, September 12, 2022

Securing Azure Function App to require authentication and granting access to a Logic Apps’ Managed Identity

One of the topics I’ve been meaning to write about is how to secure Function Apps with authentication to prevent unauthorized calls because a newly created Function App and its functions are by default accessible via the internet so anyone who knows the URL would be able to call it without authentication. Take one of my previous posts:

Using Azure Function App and Logic Apps to create an automated report that downloads a CSV, creates a HTML table, sends an email with the HTML table and attaches the CSV
http://terenceluk.blogspot.com/2022/08/using-azure-function-app-and-logic-apps.html

… where I created an Azure Function that expects a POST method containing the Cylance Token it can use to download an export of all the devices, generate an HTML report, then return the content. While one can argue that even if the URL was discovered, a malicious attacker would need to know the Cylance Token to obtain any meaningful data back. This is true but a malicious attacker could also cause financial impact by calling the Azure Function repeatedly to cause unnecessary charges.

Below is the Function App:

image

… and the Function within the Function App that contains the PowerShell script to process the request after receiving the token:

image

Confirming Function App does not require authentication with Postman

To demonstrate that this function does not require authentication, we can test by using the Get Function Url:

image

Copy the URL:

image

Then open Postman or any API testing tool, create a post request with the URL:

image

Select No Auth for the Type under Authorization:

image

We’ll be passing a JSON to the Function App so navigate to Headers and uncheck Content-Type:text/plain, then add the following header:

Key: Content-Type
Value: application/json

image

Navigate to the Body section and paste the Cylance token for the report:

image

Proceed to send the request and you’ll see a Status: 200 OK with the returned HTML of the report:

image

Creating a System Managed Identity for the Logic App that calls the Function App

In this example, I’ll be configuring a System Managed Identity for the Logic App that is used to call the Function App to generate the report so it (the Logic App) can take the report and email it out. The System Managed Identity will be given permissions to call the Function App and any calls to it without authentication will fail. The use of System Managed Identities allows for the Logic App to authenticate with an Azure AD identity without having to provide a secret. Azure manages the identity so there are no secrets to rotate / maintain.

**Note that it is also possible to User-assigned Identity as well and the official Microsoft documentation can be found here: https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity?tabs=consumption

Begin by opening the Logic App that calls the Function App, then navigate to its Identity blade:

image

Under the System assigned heading, switch the Status from Off to On and click on Save:

image

Note the message being displayed indicates that the Logic App will be registered in Azure AD so it can be granted permissions to access other resources protected by Azure AD (in this case it will be the Function App):

image

The process should complete in a few seconds and a Object (principal) ID will be displayed. This attribute represents the Logic App’s Managed Identity:

image

We’ll need the Application ID of the Logic App’s Managed Identity, which isn’t displayed in the Identity blade of the Logic App (don’t mistaken the Object Principal ID for the App ID) and it can be retrieved in the Azure AD Enterprise Application list when Application Type is configured as All Applications or Managed Identities:

image

Copy the Application ID value as we’ll need it to grant this Logic App permissions to the Function App.

Require Authentication for Function Calls

The first requirement to allow the Logic App’s Managed Identity to authenticate with the Function App is to set the Function App’s authentication level to anonymous. Failure to do so will result in the Logic App workflow throwing a BadRequest error.

Begin by opening the Function App, navigate to the Advanced Tools blade, then click on Go to open Kudu Services:

image

image

Click on the Debug Console menu and select CMD:

image

Navigate to site > wwwroot > <function name>

image

Edit the function.json file and look for authLevel in the bindings. If the property exists, set the property value to anonymous. Otherwise, add that property and set the value as anonymous:

image

The Function App in this example already has authLevel so we just need to update function to anonymous:

image

Clicking the Save button will bring us back to the command prompt:

image

Create an App Registration for the Function App in Azure AD

With the Logic App having a managed identity to authenticate against the Function App, we now need to create a App Registration for the Function App in Azure AD so it can be used to grant permissions to the managed identity of the Logic App.

We’ve already copied the Object (principal) ID for the Logic App earlier but will also need the tenant ID of the Azure AD, which can be retrieved by navigating to Azure Active Directory:

image

Then in the Overview blade, copy the Tenant ID:

image

Navigate back into the Function App and click on the Authentication blade, then the Add an identity provider button:

image

Select Microsoft for the Identity provider so we can use Azure AD identities:

image

In the App registration type section, select Provide the details of an existing app registration:

image

Fill in the following fields:

Application (client) ID: <The Logic App’s Application ID>
Client secret (recommended): <blank>
Issuer URL: https://sts.windows.net/<Tenant-ID>
Allowed token audiences: <The Logic App’s Application ID>
Restrict access: Require authentication
Unauthenticated requests: HTTP 401 Unauthorized: recommended for APIs

   image

Proceed to click Add to save the settings and you should see an identity provider representing the Logic App listed in the Authentication blade of the Function App:

  image

Confirming Function App requires authentication with Postman and Portal

Repeating the steps we performed previously with Postman should now return a Status: 401 Unauthorized and the message:

You do not have permission to view this directory or page.

image

Attempting to navigate to the URL of the Function App should also display the same message:

image

Instead of the default Your Functions 4.0 app is up and running:

image

Updating Logic App to authenticate with Managed Identity

Attempting to immediately trigger the Logic App after the changes will fail and return an Unauthorized response when calling the Azure Function App:

image

To correct the issue, enter the designer mode for the Logic App, edit the Function App step, click on Add new parameter, check the Authentication box:

image

Select Managed identity for the Authentication type:

image

Select System-assigned managed identity for Managed identity and <Logic App’s Managed Identity Application ID> as the Audience:

  image

Proceed to run the trigger and confirm that steps succeed:

image

**Note that one of the common issues I’ve come across is if the Logic App’s Object (principal) ID used as the Application ID when configuring the Azure Function App’s Authentication. Doing so may cause the following error to be thrown when executing the Logic App:

BadRequest. Http request failed as there is an error getting AD OAuth token: 'AADSTS500011: The resource principal named a6486475-xxx-xxx-xxxx-6exxxxxx882f was not found in the tenant named Contoso. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: a31a44e7-7135-450f-a420-aa801a8ec003 Correlation ID: 58f958c1-6a75-4fef-bc75-bb22dae4c8c9 Timestamp: 2022-09-11 20:48:23Z'.

image

Ensure that you had used the Application ID for the appropriate fields and this error should be resolved.

I hope this helps anyone who might be looking for a walkthrough for securing an Azure Function App and using Managed Identity for a Logic App to call the function. The Microsoft documentation today isn’t very clear to me so I hope this will provide some clarity.

No comments: