Azure Function App: OAuth 2.0 with Azure AD & APIM – SupportDeskWorld

Azure Function App: OAuth 2.0 with Azure AD & APIM

Serverless Functions & API Security

Step-by-step guide to secure Azure Function App APIs with OAuth 2.0 using Azure AD and integrate with Azure API Management (APIM).

Securing Azure Function App APIs with OAuth 2.0 in APIM

Overview

Azure API Management (APIM) allows you to manage, version, and secure APIs. Using OAuth 2.0 with Azure AD, you can ensure that only authenticated clients access your Function App endpoints. This guide explains how to:

  • Register an Azure AD app for OAuth 2.0 authentication.
  • Import multiple Azure Function endpoints into APIM.
  • Apply OAuth 2.0 authentication policies in APIM.
  • Test and secure your APIs.

Step 1: Register an Azure AD App for OAuth 2.0

  1. Log in to the Azure Portal.
  2. Navigate to Azure Active Directory → App registrations → New registration.
  3. Provide a name, select supported account types (e.g., single tenant), and click Register.
  4. After registration, note down the Application (client) ID and Directory (tenant) ID.
  5. Under Certificates & Secrets, create a new client secret and save it securely.
  6. Under API permissions → Add a permission → My APIs, select your Function App API and grant delegated permissions. Click Grant admin consent.

Step 2: Deploy Azure Function App

  1. Create or use an existing Function App in your subscription.
  2. Develop multiple functions (HTTP triggers) as needed.
  3. Deploy the functions via CI/CD, ZIP deployment, or from Visual Studio/VS Code.
  4. Test the functions to ensure they respond correctly before importing into APIM.

Step 3: Import Functions into APIM

  1. Go to your APIM instance → APIs → Add API → Function App.
  2. Select your subscription, resource group, and Function App.
  3. Choose one or multiple functions to import. APIM will automatically create endpoints for each function.
  4. Customize operation names, routes, and descriptions if needed.

Step 4: Configure OAuth 2.0 in APIM

  1. Navigate to APIs → Your API → Settings → OAuth 2.0.
  2. Click Add OAuth 2.0 Authorization Server:
    • Name: AzureAD
    • Authorization grant type: Client credentials or Authorization code
    • Client ID: Your registered Azure AD App client ID
    • Client secret: Your client secret
    • Authorization endpoint URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
    • Token endpoint URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
  3. Click Create.
  4. Go to Design → All Operations → Inbound processing and add the OAuth 2.0 validation policy for your endpoints.
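The "OAuth 2.0 validation policy" in step 4 is where the actual enforcement happens: without an inbound policy, registering the authorization server in APIM only documents the API; it does not reject requests that carry no token. The policy below is an added example, not taken from the original guide, showing a validate-jwt inbound policy for the "All operations" scope. The values in curly braces ({tenant-id}, {application-client-id}) are placeholders for the IDs noted in Step 1, and the app role names Orders.Read and Orders.Write are assumed for illustration; replace them with the roles or scopes you defined on your own Azure AD app.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject any request whose Authorization header does not carry a valid, signed,
             unexpired Azure AD bearer token. A 401 is returned before the Function App is called. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true">
            <!-- Signing keys and issuer metadata are discovered from the tenant's OpenID Connect document.
                 {tenant-id} is the Directory (tenant) ID from Step 1. -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- The token must have been issued FOR this API; a valid token for some other app in the
                 same tenant must not be accepted. Azure AD v2.0 tokens carry either the bare client ID
                 or the api:// Application ID URI as the audience, so both forms are listed. -->
            <audiences>
                <audience>{application-client-id}</audience>
                <audience>api://{application-client-id}</audience>
            </audiences>
            <!-- Only tokens from your own tenant are trusted. -->
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <!-- Client-credentials tokens carry application permissions in the "roles" claim.
                 Orders.Read / Orders.Write are assumed role names for this example. -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Orders.Read</value>
                    <value>Orders.Write</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Paste this into Design → All Operations → Inbound processing (code view) so it covers every imported function at once, which is the "globally" option described in the FAQ; a per-operation policy can then add a stricter required-claims block (for example, Orders.Write only on the write operations). For delegated (Authorization Code) tokens the permissions arrive in the "scp" claim rather than "roles", so change the claim name accordingly. Leaving "Subscription required" enabled on the API keeps the subscription-key check (the Ocp-Apim-Subscription-Key header) in front of the token check, giving the layered setup the FAQ refers to.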

Step 5: Versioning & Parameters

APIM supports path, query, and header versioning:

  • Path: /v1/orders
  • Query: /orders?api-version=1.0
  • Header: x-api-version: 1.0

You can also define custom parameters and pass tokens in the Authorization header of requests.

Step 6: Test and Monitor

  1. Use the Test console in APIM to request OAuth 2.0 tokens and call your API.
  2. Check that unauthorized requests are rejected and authorized requests succeed.
  3. Monitor logs and analytics in APIM to validate usage and security.

Frequently Asked Questions (FAQ)

1. Can I secure multiple Function App endpoints with a single Azure AD app?

Yes, register one Azure AD app and use it for all Function App endpoints in APIM by applying the OAuth 2.0 policy globally or per operation.

2. Which OAuth 2.0 grant type should I use?

Use Authorization Code for user delegated access, and Client Credentials for service-to-service scenarios.

3. How do I test OAuth 2.0 APIs?

Use the APIM Test console, Postman, or custom clients to acquire tokens and call APIs.

4. Can I combine OAuth 2.0 with subscription keys?

Yes, APIM allows multiple security policies, including OAuth 2.0 and subscription keys, for layered security.

Disclaimer: For educational purposes only. Validate production deployments with your organization's cloud policies.