The intent of this repository is to provide a how-to guide on the configuration of a FunctionApp in order to be able to call it from Data Factory using its own Managed Identity.
First of all, we need to create a Function App which we are going to call from Data Factory. Here we are going to use a C# function with an HTTP Trigger. You have an excelent example here
Here he have a series of pictures with the different steps to create the function we are going to use in this example:
IMPORTANT: Select Anonymous as Authorization Level, as we will be using AAD Authorization later on, we need to use neither function nor host keys
Once we have our function created, we need to configure our App to use Azure AD login. You can follow the example here and continue to the next session, or continue reading.
We navigate to the resource, and under Platform features (old UI experience) or in the left pane (new UI experience), we select the Authentication / Authorization option:
From there, we switch on App Service Authentication and select Azure Active Directory as Authentication. Select Express as the management mode and leave everything as is, annotating the name of the App, as you will need it later.
As the last step, to restrict app access only to users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory. When you set this functionality, your app requires all requests to be authenticated.
Now we just have to create the Data Factory from which we are going to call the function.
Once it is created, go to the resource, and in the Properties pane, get the Managed Identity properties:
Now we have to configure the Application that performs the authentication of the users who access the app (if you use the express mode, it has the same name as the function app resource), to perform authorization, in our case, allowing only the Data Factory Managed Identity to perform calls.
First, we have to configure the Application to only allow entities that have been assigned to it to be able to log in. For this:
-
Look for the application in ADD (if you use the express mode, has the same name as the function app resource). Look for App Registrations in the AAD, under All Applications:
-
In the overview, select the managed application in local directory, that will redirect you to the entreprise application
-
Under properties, configure the enterprise application and set User assignment required to Yes
Now that only that the entities that have been assigned to the app can perform calls to the function app, we need to assign the Data Factory Managed Identity to the application.
There are 2 ways to accomplish this:
- Assign an AAD Group which the MI will be member of
- Assign only the MI
The only option achievable through the UI is option 1, which we will be using now. For the second part, refer to the Appendix 1 in this README (Use Custom AppRole to authorize single service principal).
In order to assign the AAD Group to the Application, we need to:
-
Create a group (or use an existing one)
-
Go to the entreprise application (following steps 1 and 2 from the previous section), and select the option 1.Assign users and groups
-
Add the assignment, selecting the appropiate group
-
Go to the group, and add as a member the Managed Identity of the Data Factory (shares the same name as the resource)
From this point forward, you can call the Function App from your Data Factory using MSI!
Go to the Data Factory Portal, and create a simple pipeline that has a Web Activy:
Configure the Web Activity settings as follows:
-
URL: url of the function App (you can get it from the Function clicking the Get Function URL)
-
Method and Body: Depends on the function you just created. If you created the default HTTPTrigger function, you can use the ones provided in the image.
-
Advanced: Select MSI as Authentication method, and under resource, indicate the Application ID URI of the Application.
This also matches the base url of the Function App. For example, if your function url is: https://howto-dfafmi-fa.azurewebsites.net/api/HttpTrigger the resource is https://howto-dfafmi-fa.azurewebsites.net (beware of not ending the URL in slash (/), or the authentication will fail)
First, kudos to psignoret for this cmdlet in order to add an application role to an application.
We are going to use Powershell and AzureAD Module for this tasks. If you don't the module yet, you can install it using:
Install-Module -Name AzureAD
After, what we need to do is:
- Connect to the tenant using an admin account
- Add an AppRole in which to add the Managed Identity of Data Factory
- Obtain the Function App Application and its managed application (service principal) as well as the Data Factory managed application (Service principal)
- Add the App Role Assignment we just created to the Data Factory managed application
Below you have the snippet in order to perform this task:
wget https://gist.githubusercontent.com/psignoret/45e2a5769ea78ae9991d1adef88f6637/raw/8c5be4f8c89f7316d8021e6dfc0d72ab3148714d/New-AzureADPSApplicationAppRole.ps1 -o New-AzureADPSApplicationAppRole.ps1
Connect-AzureAD -TenantId <your-tentant-id>
Get-AzureADApplication -Filter "DisplayName eq 'howto-dfafmi-fa'" | `
.\New-AzureADPSApplicationAppRole.ps1 `
-AllowedMemberTypes "Application" `
-DisplayName "ConsumerApps" `
-Description "Consumer apps have access to the Function App" `
-Value "ConsumerApps"
$FunctionApp=(Get-AzureADApplication -Filter "DisplayName eq 'howto-dfafmi-fa'")
$FASPN=Get-AzureADServicePrincipal -All $True -Filter "DisplayName eq 'howto-dfafmi-fa'"
$ADFSPN=Get-AzureADServicePrincipal -All $True -Filter "DisplayName eq 'howto-dffami-df'"
New-AzureADServiceAppRoleAssignment -ObjectId $ADFSPN.ObjectId -PrincipalId $ADFSPN.ObjectId -Id $FunctionApp.AppRoles[0].Id -ResourceId $FASPN.ObjectId