I'm trying to understand how to set up my Azure Function to call a protected REST API that requires a JWT token issued by Microsoft Entra ID. In my situation, Angular users can log in and receive an access token. My Azure Function is triggered by an Event Hub, processes some data, and then it needs to post this data to the protected API. So, how does my Azure Function obtain an access token to make that HTTP request to the API?
4 Answers
You'd want to assign a system-assigned managed identity to your function. Ensure that your API app registration is set up correctly with roles defined, and make sure the API requires assignment. Follow the PowerShell instructions for assigning the managed identity to the desired API role, and when accessing the token, use DefaultAzureCredential with the correct scope.
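A worked version of that answer for a Python Event Hub-triggered function, added here as an example and not taken from the answer or from Microsoft's samples: in Azure, `DefaultAzureCredential` resolves to the function's system-assigned managed identity, and the token is requested with the API registration's `/.default` scope (app-only flows cannot use delegated scopes). The Application ID URI, the API URL and the v1 `main(events)` entry point are assumptions; token acquisition is separated from the HTTP call so the helpers can be exercised with a stand-in credential.

```python
import json
import urllib.error
import urllib.request

# Assumed placeholders: the API app registration's Application ID URI and
# the protected endpoint. App-only tokens (managed identity, client
# credentials) must request the target API's "/.default" scope.
API_SCOPE = "api://00000000-0000-0000-0000-000000000000/.default"  # placeholder
API_URL = "https://api.example.invalid/ingest"                     # placeholder

_credential = None  # reused across invocations so the credential's token cache is effective


def bearer_header(credential, scope=API_SCOPE):
    """Build the Authorization header from any azure-core TokenCredential-shaped object.

    `credential.get_token(scope)` is the protocol DefaultAzureCredential implements;
    the returned object exposes the raw JWT as `.token`.
    """
    if not scope.endswith("/.default"):
        raise ValueError("app-only flows must request the API's /.default scope")
    access_token = credential.get_token(scope)
    return {"Authorization": f"Bearer {access_token.token}"}


def post_to_api(credential, payload, url=API_URL, opener=urllib.request.urlopen):
    """POST `payload` as JSON to the protected API; returns (status_code, body)."""
    headers = bearer_header(credential)
    headers["Content-Type"] = "application/json"
    body = json.dumps(payload).encode("utf-8")
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(request) as response:
            return response.status, response.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # 401/403 here usually means a wrong scope or a managed identity that has
        # not been assigned the API's app role; surface it rather than retrying blindly.
        return err.code, err.read().decode("utf-8")


def main(events):
    """Event Hub trigger entry point (v1 model; the binding lives in function.json)."""
    global _credential
    from azure.identity import DefaultAzureCredential  # lazy import keeps helpers importable offline
    if _credential is None:
        _credential = DefaultAzureCredential()
    for event in events:
        record = json.loads(event.get_body().decode("utf-8"))
        status, _ = post_to_api(_credential, record)
        if status >= 400:
            raise RuntimeError(f"API rejected event with HTTP {status}")
```

Locally, `DefaultAzureCredential` falls back to developer credentials (Azure CLI, Visual Studio Code), so the same code runs without secrets on a workstation and under the managed identity once deployed.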
Another option is to enable managed identity directly on your Azure Function. Make sure that on the API side, you have exposed it appropriately and granted permissions. This way, your function identity can call the API under the required scope without needing to manage secrets. Azure provides libraries to fetch the JWT and handle it seamlessly.
To get the token, your function should authenticate using a service principal. This allows it to get an access token without exposing secrets directly in your code. You might want to look into using managed identities, which is a more secure and straightforward approach. Here’s a great tutorial that explains how to set up identity-based connections: https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial-2
It's also important to identify which identity provider your Angular app and the API are using. You may need to implement the client credentials flow. This can depend on whether it uses a client ID and password or if you can utilize managed identities.
Just to confirm, the provider for both the Angular app and the API is Microsoft Entra ID.
Can you clarify that a bit more or share a link for details?