How to secure APIs using Functions, API Management and Azure AD
In this blog post I show how to create an API using a Function App, and how to publish that app securely through API Management. The Function App will no longer be publicly reachable and can only be accessed through API Management. This post shows how this can be accomplished using Azure AD and Azure Managed Identities.
This solution consists of the following parts:
- A Function App with Azure AD authentication
- An App Registration
- API Management
In short, the operation will look like this:
Azure AD authentication is set up within the Function App. The API Management service has a system-assigned managed identity, which retrieves an access token from Azure AD. This access token is used to access the Function App. Other systems or people who try to access the Function App directly receive an HTTP 401 Unauthorized response.
The Function App
For this demo a Function App with an HTTP trigger is created. The code looks as follows:
Note that the chosen authorization level is Function. With this level, the function can only be called with a valid function key. For more information about security within Azure Functions, see https://docs.microsoft.com/nl-nl/azure/azure-functions/security-concepts.
After deployment to Azure, the URL (including the function key) can be retrieved from the Function in the Azure Portal. Visiting that URL returns a response containing the current date and time.
Authentication
Now that the Function App has been created, the authentication can also be configured.
On the details screen of the Function App, we add a new identity provider in the Authentication menu and configure the following options:
- Identity provider: Microsoft
- App registration type: Create new app registration
- Supported account types: Current tenant — Single tenant
- Authentication: Require authentication
- Unauthenticated requests: HTTP 401 Unauthorized: recommended for APIs (an API caller gets a 401 instead of being redirected to a sign-in page)
- Token store: Yes
On the next screen, Permissions, the User.Read permission has been added.
An App Registration has now been created and can be found in Azure AD. It shows the Application ID.
API Management
Now that the Function App is ready, API Management can be set up for the Function. This can be done within the Function App in the API Management menu.
When creating an API, Azure automatically configures the API to require a subscription key. This is an extra layer of security: users of the API need to subscribe to it before they can call it. This setting can also be seen under the Settings tab of the API.
After the API has been imported, the managed identity can be added. The API Management service uses the managed identity to obtain an access token from Azure AD, and then uses this access token to get access to the Function App.
Enable managed identity
First, the system-assigned managed identity must be enabled on the API Management instance. This can be done on the Managed identities page of API Management.
Add policies
To enable the API Management service to communicate with the Function App, two policies need to be added for Inbound processing:
- `authentication-managed-identity`: this policy causes the API Management service to retrieve the access token. It uses the Application ID URI that we previously retrieved from the app registration in Azure AD.
- `set-header name="x-functions-key"`: in this example the Function App also demands authentication based on a function key. Because of this, the function key needs to be added as a request header by a policy in API Management. Function key authentication is not strictly necessary here, but it adds another layer of security.
These policies can be added from the Azure Portal.
For inbound processing, add the following policy code.
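As an added illustration (not the post's own policy code), here is a complete inbound policy section combining both policies. The `resource` value and the named value `func-key` are placeholders: replace them with the Application ID URI of your app registration and a named value holding your function key.

```xml
<policies>
    <inbound>
        <base />
        <!-- Acquire an Azure AD access token using the APIM system-assigned managed identity.
             resource must be the Application ID URI of the Function App's app registration
             (placeholder below; typically of the form api://client-id). -->
        <authentication-managed-identity resource="REPLACE-WITH-APPLICATION-ID-URI" />
        <!-- Forward the function key so the Function-level authorization also passes.
             func-key is an assumed APIM named value; store it as a secret (or Key Vault reference)
             rather than pasting the key into the policy. -->
        <set-header name="x-functions-key" exists-action="override">
            <value>{{func-key}}</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the key travels in a header set by APIM, it never appears in the URL that callers see.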
Testing
Now that all components have been configured, it is time to test.
A direct call to the Function App now results in an HTTP 401 Unauthorized response, as expected.
The call through API Management can be tested from API Management in the Azure Portal. This now results in a success response.
Conclusion
In this blog we've seen how you can set up an API using a Function App, and how this API can be secured with Azure AD. This way we can take advantage of all the benefits a Function App offers (such as the consumption plan) and include it in your API landscape.