Reputation: 535
Is it possible to disable AAD Auth on specific Azure functions?
Background: I have an Azure Function App deployed with App Service Authentication (easyauth) enabled using AAD, hooked up to an Azure AD B2C tenant. It's all working great and as expected. That said I have encountered a new scenario that I'd like to support with the same function app but without the auth turned on. Specifically I'd like one specific function to be called anonymously (perhaps even behind a function proxy).
Question: Is it possible to disable auth on a specific function in the same function app where everything else has authentication enforced?
I've played around with the idea of changing the "Action to take when request is not authenticated" to "Allow Anonymous request (no action)" however that then leaves me with the task of somehow in every other function that requires auth, doing something that would ensure that a request is in fact authenticated. Note that I have no idea what the something is that I'd have to do yet in this case.
Worst case I'll setup a totally separate function app that only exposes the single function that I need to call anonymously... however it feels like there should be a better solution that doesn't require me sharing source across two projects.
Upvotes: 5
Views: 4433
Answers (2)
Reputation: 2065
We can also add an App Setting WEBSITE_WARMUP_PATH pointing to the relative path of the function url in the function app. For e.g. /api/MyAnonymousHttpTriggerFunction and this path will not be considered for authentication.
This setting also supports multiple relative paths separated by , as a delimiter. For e.g.
/api/MyAnonymousHttpTriggerFunction1,/api/MyAnonymousHttpTriggerFunction2
More details about this setting is documented below:
https://github.com/cgillum/easyauth/wiki/Advanced-Application-Settings
Upvotes: 1
Reputation: 15052
UPDATE: Removed reference to the URL Authorization Rules preview feature, which was discontinued. New information provided below.
You can enable anonymous access to individual URLs using the globalValidation.excludedPaths ARM setting for Easy Auth. Any path in this array will NOT have the global authorization rules checked, so use it carefully.
Example:
{
"globalValidation": {
"unauthenticatedClientAction": "RejectWith401",
"redirectToProvider": "aad",
"excludedPaths": [
"/api/MyAnonymousHttpTriggerFunction"
]
},
}
I don't believe the portal or CLI support has been enabled for this quite yet, but you should be able to set this up in ARM directly under Microsoft.Web/sites/<siteName>/config/authsettingsV2. If you want to manually test it out, I recommend setting up an app and updating these settings using Azure Resource Explorer.
If you're using file-based configuration (advanced), the same JSON settings apply and you can find the documentation here.
Upvotes: 8
Related Questions
- Use Azure AD as IDP to protect Azure function
- Possible to bypass Azure Function App Azure AD authentication for a single function and expose it by function key instead?
- Azure Functions Authentication - disable on single endpoint?
- How do you configure Azure Function authentication by code?
- Azure functions Authentication - possible without AD?
- Calling an azure function secured by AAD
- How to enforce AAD Application Role authorization with Azure Functions?
- Call azure function secured by AAD using client id and client secret
- Is there any way to bypass authentication on an Azure App
- How to call a azure function which is secured by AAD