I am using Azure Device Provisioning Service with custom allocation policy with Azure function.

I would like to introduce some kind of authentication for the function. The function is also used by other Azure services, so I was thinking of having a managed identity for it, but I am not sure how DPS can use that identity.

I found how I can control access to the DPS, but how can I control access from DPS to the Azure Function? I didn’t find anything useful in the documentation, only basic examples of how to set up DPS with an Azure Function, but nothing about authentication between the two.

If not managed identity, is there any other way to introduce authentication between DPS and custom allocation policy Azure function?

Answers


  1. To authenticate access to the Azure Function from Azure DPS using a managed identity:

    • Enable Managed Identity for the Azure Function

    JWT token for a user in Azure AD
    • Grant access to the Azure Function
      In Azure, go to the resource of the storage account that the Azure Function needs to access.

      Choose the "Access control (IAM)" settings and add a new role assignment.

    Select the appropriate role based on the required permissions for the Azure Function.
    In the "Assign access to" field.

    • Modify your Azure Function to validate the managed identity.

    In C# code, you can access the identity token from the request headers.
    Validate the identity token using the Azure AD token validation endpoint or by using the appropriate library for token validation.

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;

    public static class Function1
    {
        // Signing keys come from the tenant's OpenID Connect metadata; without them
        // ValidateToken has nothing to check the signature against and always fails.
        private static readonly ConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
            new ConfigurationManager<OpenIdConnectConfiguration>(
                "https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration",
                new OpenIdConnectConfigurationRetriever());

        [FunctionName("Function1")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
        {
            // App Service Authentication exposes the caller's ID token in this header.
            string identityToken = req.Headers["X-MS-TOKEN-AAD-ID-TOKEN"];
            if (string.IsNullOrEmpty(identityToken)) return new UnauthorizedResult();

            var config = await ConfigManager.GetConfigurationAsync();
            var validationParams = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = "https://login.microsoftonline.com/{TenantId}/v2.0",
                ValidateAudience = true,
                ValidAudience = "Azure fun Client App ID",
                ValidateIssuerSigningKey = true,
                IssuerSigningKeys = config.SigningKeys
            };

            var tokenHandler = new JwtSecurityTokenHandler();
            try
            {
                var principal = tokenHandler.ValidateToken(identityToken, validationParams, out _);
                // Return a plain value; serialising the whole ClaimsPrincipal is not useful.
                return new OkObjectResult(principal.Identity?.Name);
            }
            catch (Exception ex)
            {
                log.LogError(ex, "Token validation failed");
                return new UnauthorizedResult();
            }
        }
    }

    For more information refer to the MSDoc1 and MSDoc2.

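Added example, not from the answer above: a helper that checks the bearer token a managed identity would present in the `Authorization` header and then pins the caller to the DPS identity's object ID, so a token that is merely valid for the tenant is still rejected. The app settings TENANT_ID, FUNCTION_APP_CLIENT_ID and DPS_PRINCIPAL_OBJECT_ID are assumed.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
// Hypothetical app settings: TENANT_ID, FUNCTION_APP_CLIENT_ID (the app registration the
// DPS token is issued for) and DPS_PRINCIPAL_OBJECT_ID (object ID of the DPS managed identity).
public static class CallerPinning
{
    private static readonly string TenantId = Environment.GetEnvironmentVariable("TENANT_ID");
    private static readonly string ClientId = Environment.GetEnvironmentVariable("FUNCTION_APP_CLIENT_ID");
    private static readonly string AllowedOid = Environment.GetEnvironmentVariable("DPS_PRINCIPAL_OBJECT_ID");
    // Signing keys are fetched from the tenant's OpenID Connect metadata and cached/refreshed.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Oidc =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    // Returns the validated principal, or null when the request must get a 401.
    public static async Task<ClaimsPrincipal> AuthenticateAsync(HttpRequest req)
    {
        string auth = req.Headers["Authorization"];
        if (auth == null || !auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return null;
        string token = auth.Substring("Bearer ".Length).Trim();
        var config = await Oidc.GetConfigurationAsync();
        var parameters = new TokenValidationParameters
        {
            // A managed identity gets a v1 token unless the app registration opts into v2,
            // so accept both issuer forms; the audience may be the client ID or its api:// URI.
            ValidIssuers = new[] { $"https://sts.windows.net/{TenantId}/",
                                   $"https://login.microsoftonline.com/{TenantId}/v2.0" },
            ValidAudiences = new[] { ClientId, $"api://{ClientId}" },
            IssuerSigningKeys = config.SigningKeys,
            ValidateIssuer = true, ValidateAudience = true, ValidateIssuerSigningKey = true, ValidateLifetime = true
        };
        try
        {   // MapInboundClaims = false keeps the short "oid" claim name rather than the schema URI.
            var principal = new JwtSecurityTokenHandler { MapInboundClaims = false }
                .ValidateToken(token, parameters, out _);
            // Issuer and audience only prove "some principal in this tenant"; pin to the DPS identity.
            string oid = principal.FindFirst("oid")?.Value;
            return string.Equals(oid, AllowedOid, StringComparison.OrdinalIgnoreCase) ? principal : null;
        }
        catch (SecurityTokenException) { return null; }
    }
}
```

Call `AuthenticateAsync(req)` at the top of the function's `Run` method and return `new UnauthorizedResult()` whenever it yields null.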
  2. If you want granular configuration and policy validation on a per function basis, take a look at this package.
    It gives you the same control AuthorizeAttribute gives you in ASP.NET Core when it comes to policy based auth.

    A DPS token targeting the function app registration gives the framework everything it needs to authenticate the request, and you don’t have to write any authentication logic in your functions.
