Nitin Badole

Reputation: 505

How to configure access_token for Azure AppService to allow accessing two FunctionApps secured via Azure Active Directory?

I have an Angular app hosted in AppService, while two FunctionApps serve as APIs. All 3 are registered with Azure AD and configured with Azure AD authentication. The AD users can have different appRoles for each of these FunctionApps.


The AppService has been given permissions to access the two FunctionApps.


It is also configured to return a JWT in the access_token. However, I can only add one application as resource in the additionalLoginParams for the AppService.


Thus the generated access_token after calling /.auth/me from AppService has claims only for one FunctionApp and not the other FunctionApp. This means I cannot access both the FunctionApps from the Angular code in the AppService.

Any way to work around this and get access_token(s) to access both the FunctionApps?

Upvotes: 0

Views: 237

Answers (1)

Joey Cai

Reputation: 20067

Cannot Share Azure AD Tokens for Multiple Resources

The first thing that comes to mind is to use the same access token for multiple Azure AD resources. Unfortunately, this is not allowed. Azure AD issues a token for a certain resource (which is mapped to an Azure AD app). When we call AcquireToken, we need to provide a single resourceID. The result is that the token can only be used for a resource matching the supplied identifier.

Workaround

The way to do what you're trying to do is to use the refresh token you get during the initial token request to request an access token to the second resource. One access token only works for one resource. There is no reason this should add any complexity to your code. ADAL (or MSAL) takes care of managing the tokens, keeping track of which token is for which resource, and, when needed, requesting additional access tokens for a new resource.

For more details, you could refer to this SO issue.

Upvotes: 1
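
The per-resource bookkeeping described in the answer, as an added example that is not part of the original post and is not ADAL/MSAL code: a small cache that files each access token under its own `aud` claim and only returns it for that resource. The audiences, the `acquire` callback and the `sampleToken` helper are assumptions made for illustration; it runs under Node.js.

```javascript
// Constructed placeholder audiences; use each FunctionApp's own App ID URI.
const API_A = 'api://functionapp-a.example';
const API_B = 'api://functionapp-b.example';

// Decode the JWT payload for routing only. No signature check happens here;
// each FunctionApp still validates the token it receives.
function readClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

class ResourceTokenCache {
  // acquire(resource) is a hypothetical async callback standing in for the
  // ADAL/MSAL call that redeems the refresh token for that resource.
  constructor(acquire, now = () => Math.floor(Date.now() / 1000)) {
    this.acquire = acquire;
    this.now = now;
    this.tokens = new Map(); // audience -> access token
  }
  // File the token under its own aud claim, never under a caller-chosen key.
  store(token) {
    const { aud } = readClaims(token);
    this.tokens.set(aud, token);
    return aud;
  }
  // Return a cached token only if it targets this resource and has > 60 s left.
  lookup(resource) {
    const token = this.tokens.get(resource);
    if (!token) return null;
    return readClaims(token).exp > this.now() + 60 ? token : null;
  }
  async tokenFor(resource) {
    const cached = this.lookup(resource);
    if (cached) return cached;
    const token = await this.acquire(resource);
    if (this.store(token) !== resource) throw new Error('token audience mismatch');
    return token;
  }
}

// Constructed, unsigned sample token standing in for what Azure AD would issue.
function sampleToken(aud, exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ aud, exp })}.sig`;
}
```

A token stored for `API_A` is never returned by `lookup(API_B)`, so the caller is forced to obtain a second token for the second FunctionApp.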
