This blog shows you how to enable Managed Identity on an Azure Function call from ADF, this can help secure the Function by adding a second authentication method on top of the API Key. Enabling these options enforces https on all function calls, ADF handles authentication and so no custom headers, tokens or keys are necessary to be exchanged.
The high level process is:
- Configure Microsoft Identity on Azure Function
- Enable Managed Identity on Data Factory
- Configure Linked Service in Data Factory
- Assign Permissions to the Data Factory in Azure Function
Step 1 – Enable Microsoft Identity on Azure Function
On the Azure function, in the authentication tab, click Add identity provider.
Set the identity provider to Microsoft, you can manually create one in Azure Active Directory (App Registrations) but I recommend choosing to create a new app registration, changing its name to FunctionName-auth / -app and giving it the default permissions.
Use the default permission option
Copy the generated App (client) id, as this is used in data factory to handle authorization.
Step 2 – Enable Managed Identity on Data Factory
In the Data Factory’s controls, go to Managed Identities, and enable a system assigned Identity.
Step 3- Configure Linked Service in Data Factory
Enter the Data Factory studio, and then Manage, Linked Services and either create a new or update previous function implementation.
Change authentication method to System Assigned Managed Identity, and paste the copied client ID from Step 1 into Resource ID. This step is necessary as authorization does not work without this.
Step 4 – Assign Permissions to the Data Factory in Function
On the function app, go to Access control (IAM), and Add a new role assignment
Assign reader role.
Assign the Data Factory’s Managed Identity to that role.
Here is an example function working.
The response below indicates that either the app registration was deleted/ created incorrectly, or the role is not assigned in the Data Factory’s IAM.
Differences to Microsoft Articles
The Microsoft Articles that we could find on this matter don’t include all the steps to get it working end to end. In the fast paced world of azure things get out of date fast 😉
https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
This doesn’t provide an example of linking the resource ID and adding permissions for the data factory on the function.
https://docs.microsoft.com/en-us/azure/spring-cloud/tutorial-managed-identities-functions
This article uses old examples of App Registration and Authentication configuration as well as outdated instructions on permission management.
