Azure Function with AD auth results in 401 Unauthorized when using Bearer tokens

Question

I have a very simple Azure function in C# for which I\'ve setup Azure AD Auth. I\'ve just used the Express settings to create an App registration in the Function configurati

Answer 1

I managed to get it working through postman using following configuration. Important lesson was setting in "Allowed token audiences" and "resource" name used in postman to acquire token should be same in this case. I used the same code provided here in question. in this case app registered in Azure AD is a client and resource as well. configuration and testing through postman as follows

Acquire token in postman

Calling azure function using Postman .. Authorization header with bearer token

Answer 2

In the AAD app itself, go to Settings -> Reply URLs and verify that the url of the Function App is in the list, which has the following format: https://mycoolapp.azurewebsites.net. If it isn't, then add it.

If you use slots, you have to add it for both slots.

Answer 3

When setting up your Active Directory authentication on your Function App, set management mode to advanced and fill in the Client ID and Issuer URL as required (and the client secret if necessary).

Importantly, under the Allowed Token Audiences, enter the Application ID URI. This can be found in your registered App Registration (in your AD) under the Expose an API option.

This is what I was missing to get authentication working on my Function App. Before I added that token audience, I would always get a 401 with a valid access token.

This Azure active directory - Allow token audiences helped me get my answer but it took me a while to realise what it was referring to. Remember, it's the Application ID URI that can be found within your App Registration.

I hope it helps!

Answer 4

The only thing i can think of right now is Allowed Audience.

Go to Your Active directory settings and click Advance. Under Allowed Token Audience Add your exact function url. It might already be there with call back url but Simply replace it with only function base url without any call back as mentioned in the picture.

Make sure when you press ok , you also save your Authentication / Authorization setting to take effect and try again after 1min or so. I tested using PostMan and passing bearer token and it works !

Answer 5

I'm facing the exact same issue today. The issue turned out to be the resource id that I was passing when requesting the access token.

For example, initially I was requesting a token like this, using the function URL as the resource id:

AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync("https://myfunction.azurewebsites.net", "myClientAppIdGUID", new Uri("https://login.live.com/oauth20_desktop.srf"), new PlatformParameters(PromptBehavior.SelectAccount)).Result;

While this returned an access token, I was receiving a 401 unauthorized when using the access token to call my function api.

I changed my code to pass my function apps App Id as the resource:

AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync("myFunctionAppIdGUID", "myClientAppIdGUID", new Uri("https://login.live.com/oauth20_desktop.srf"), new PlatformParameters(PromptBehavior.SelectAccount)).Result;

Everything works fine now.

Answer 6

UPDATE 2020-05-12: According to ambrose-leung's answer further below you can now add a custom issuer URL which should potentially enable you to use v2 tokens. I haven't tried this myself, but maybe this will provide useful for someone in the future. (If his answer helped you please give him an upvote and maybe leave a comment