Using Azure Active Directory B2C

To secure access to your Azure Function Apps and to allow access only to authenticated users, you can use Azure Active Directory B2C. It allows users to create their own accounts or sign in with credentials provided by a social identity provider. Users can access the Function Apps only after a successful authentication.

To configure Azure AD B2C as the identity provider for your Function Apps, complete the following steps:

  1. Log in to the Azure portal.

  2. Click Create a resource to create your Azure Function App.

    1. Search for function app.

    2. Under Function App, click Create.

      (Screenshot: Function App)

  3. Enter a unique name for your Function App, and fill the remaining information. You must fill the information in the Basics tab, and can then either fill in the information in the other tabs or go straight to the Review + Create tab. Check that all information is correct and click Create.

    Wait for the Function App to be deployed, then click Go to resource to view it.

  4. Note the URL shown in the Overview section for your newly deployed app.

  5. Create a new B2C application.

    1. In the Azure portal, click More services.

    2. Click Identity in the sidebar, then select Azure AD B2C. The New Application blade opens.

      (Screenshot: App Service Authentication)

    3. Configure the following options:

      • Provide the app name.

      • Click Yes for the Web App / Web API option.

      • In the Reply Url field, enter the unique Azure Function App URL that you noted in Step 4 and append /.auth/login/aad/callback to it. For example:

        https://functionappname.azurewebsites.net/.auth/login/aad/callback

    4. Click Create.

  6. Determine the B2C Application ID:

    1. In the Azure portal, select the Azure AD B2C blade.

    2. Click on Applications and then click on the entry for your newly created application to open the application profile.

    3. Obtain the Application ID from the Properties blade of the application.

    This ID is used to complete the Azure Function configuration.

  7. Determine the B2C OpenID Connect Metadata URL endpoint:

    1. In the Azure portal, select the Azure AD B2C blade.

    2. Under Policies, select User flows.

    3. Select the Sign up and sign in policy (or any other policy that you have created) and click Run user flow.

      The Run user flow blade opens.

    4. Copy the OpenID Metadata URL endpoint that is displayed in the top right corner.

  8. Select Authentication (classic) in the sidebar.

  9. Toggle App Service Authentication to On. Several authentication provider configurations are now displayed.

    The default action when a request is not authenticated is Allow Anonymous request. This allows any user to access your Function App.

    (Screenshot: App Service Authentication)

  10. Select Log in with Azure Active Directory in the Action to take when request is not authenticated dropdown.

  11. Select Azure Active Directory under the Authentication Providers list.

    This opens Azure Active Directory Settings.

  12. Set the Management mode to Advanced, then fill in Client ID and Issuer Url.

    1. Enter the B2C Application ID from Step 6 into the Client ID field.

    2. Enter the B2C Open ID Connect metadata URL from Step 7 into the Issuer Url field.

      (Screenshot: Active Directory Settings)

    3. If you wish to fill in Client Secret, click Show secret to display the appropriate field. You can also fill in Allowed Token Audiences if you wish.

    4. Click OK.

The configuration of the B2C application and the Azure Function is now complete.

To validate the configuration, perform the following tests.

Confirm that unauthenticated users are prompted to complete their B2C sign-in before being allowed access to your Function App:

  1. In the Azure AD B2C blade, navigate to User flows under Policies and click the Run user flow button for each B2C User flow policy.

    The Run user flow blade opens for the selected user flow.

  2. Select the entry that corresponds to your Azure Function App in the Application field.

  3. Select the associated Reply Url. In some cases you might have more than one reply URL.

  4. Click the Run user flow button.

Also complete the following tests:

  • Clear the browser session cookies and confirm that the user needs to authenticate during an attempt to access your Azure Function. After a successful access to the Function App, open a separate browser tab and validate that you can automatically sign in.

  • Run other user flows, such as password reset or profile edit, with your Azure Function. After the users complete these flows, they are redirected to the Azure Function App.
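As an added example (not part of the original page), the following Python script checks the values entered in Steps 5 and 12 for consistency and classifies the response a Function App returns to a cookie-less request, which is the sign-in test described above. The function app name, tenant name and application ID below are constructed sample values.

```python
"""Sanity checks for the Azure AD B2C / Function App settings described above (added example)."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

CALLBACK_PATH = "/.auth/login/aad/callback"       # Easy Auth callback appended in Step 5
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def expected_reply_url(function_app_url: str) -> str:
    """Step 5: the Reply Url is the app URL noted in Step 4 plus the callback path."""
    u = urlparse(function_app_url)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("Function App URL must be an absolute https URL")
    return f"https://{u.netloc}{CALLBACK_PATH}"


def check_settings(function_app_url, reply_url, client_id, issuer_url):
    """Return a list of problems; an empty list means the Step 5/6/7/12 values are consistent."""
    problems = []
    if reply_url != expected_reply_url(function_app_url):
        problems.append("reply URL is not <Function App URL>" + CALLBACK_PATH)
    if not GUID_RE.match(client_id):
        problems.append("client ID is not a GUID (use the B2C Application ID from Step 6)")
    iss = urlparse(issuer_url)
    if iss.scheme != "https" or not iss.path.endswith("/.well-known/openid-configuration"):
        problems.append("issuer URL is not an https OpenID Connect metadata endpoint (Step 7)")
    return problems


def unauthenticated_request_outcome(status, headers):
    """Classify the response to a GET made without session cookies.

    'login_redirect': Easy Auth is set to 'Log in with Azure Active Directory' (Step 10).
    'anonymous':      the default 'Allow Anonymous requests' action is still in effect."""
    location = headers.get("Location", "")
    if status in (301, 302, 303, 307) and "/.auth/login/aad" in location:
        return "login_redirect"
    if status == 401:
        return "rejected"
    if 200 <= status < 300:
        return "anonymous"
    return "other"


def probe(url, timeout=10):
    """Live check against a deployed app: GET without cookies, do not follow redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                             # surface the 3xx instead of following it
    try:
        resp = urllib.request.build_opener(NoRedirect).open(url, timeout=timeout)
        return unauthenticated_request_outcome(resp.status, resp.headers)
    except urllib.error.HTTPError as e:
        return unauthenticated_request_outcome(e.code, e.headers)
```

Run `probe("https://<your-app>.azurewebsites.net/")` from a machine with no existing session; anything other than `login_redirect` means the Action to take when request is not authenticated setting from Step 10 is not in effect.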