Calling Azure Functions with Azure AD Authentication


Problem description

Following the advice here, I have turned on authentication for a bunch of my Azure functions, using AAD. However, once I did so, calling those functions from logic apps has become considerably more difficult. After several days of fighting I have managed to get my logic apps to call my AAD-protected functions only if I use a standard HTTP connector configured for Active Directory OAuth. To do so, I need to run the logic app with a managed identity and manually handle getting the app registration secret from the key vault, etc.

This seems to be very complex!

Preferably, the logic app would be able to use its own managed identity to authenticate with the Azure function, but this does not appear to be implemented. In fact, the logic app's managed identity does not even have an app registration. It does exist in AAD as an Enterprise App, but going to its permissions screen just shows a generic "Not Found" page.

So, a couple of questions ...

1. In production, how do you secure your Azure functions and still be able to call them from logic apps? Do you use AAD authentication, or just rely on keys and IP whitelisting (with an API Management instance)?

2. Can logic apps use their managed identity to authenticate to AAD-protected Azure functions? If so, is there information on how to set this up, as I cannot find any nor make it work.

Solution

I have partly answered question 2 by stumbling across a not so visible field!!

The standard HTTP connector does have "Managed Identity" as an Authentication option, and I had tried that, but I didn't spot the "Audience" parameter that isn't normally visible. Once I added the correct value here, my logic apps can now use their managed identity to authenticate with Azure functions. It's still a bit cumbersome turning a nice and concise ...

.... into ...

It would still be nice to have this authentication on the Azure Function action rather than having to use an HTTP action!
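
The two HTTP action configurations discussed in this thread, side by side as a workflow-definition fragment. This is an added example, not taken from the original post: the action names, the `Get_secret` Key Vault action and every `PLACEHOLDER` value are assumptions to be replaced with your own.

```json
{
  "actions": {
    "Call_function_with_app_registration_secret": {
      "type": "Http",
      "inputs": {
        "method": "POST",
        "uri": "https://FUNCTION-APP-PLACEHOLDER.azurewebsites.net/api/FUNCTION-NAME-PLACEHOLDER",
        "authentication": {
          "type": "ActiveDirectoryOAuth",
          "tenant": "TENANT-ID-PLACEHOLDER",
          "audience": "FUNCTION-APP-REGISTRATION-ID-URI-PLACEHOLDER",
          "clientId": "CALLER-APP-REGISTRATION-CLIENT-ID-PLACEHOLDER",
          "secret": "@body('Get_secret')?['value']"
        }
      },
      "runAfter": {
        "Get_secret": ["Succeeded"]
      }
    },
    "Call_function_with_managed_identity": {
      "type": "Http",
      "inputs": {
        "method": "POST",
        "uri": "https://FUNCTION-APP-PLACEHOLDER.azurewebsites.net/api/FUNCTION-NAME-PLACEHOLDER",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "FUNCTION-APP-REGISTRATION-ID-URI-PLACEHOLDER"
        }
      },
      "runAfter": {}
    }
  }
}
```

The `audience` value has to match an audience that the function app's AAD authentication is configured to accept (for example the Application ID URI of its app registration); the managed identity variant needs no stored secret and no Key Vault lookup.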

