Ben Blank

Reputation: 56572

Why can't I access my Azure Function when it requires authentication?

(I apologize for the length of this question; I wanted to be thorough.)

I'm new to Azure and am trying to set up a "serverless" API which requires authentication. I have a Function which behaves correctly when authentication is not enabled (basically just "Hello, world" in Node.js). However, when I enable authentication, the only response I get is:

You do not have permission to view this directory or page.

To enable authentication, I:

  1. Went to Azure Active Directory in the Azure portal.
  2. Went to App Registrations.
  3. Created a new registration for my Functions app.
  4. Added a Web redirect URI of https://<myapp>.azurewebsites.net/.auth/login/microsoftaccount/callback.
  5. Created a new client secret for my app.
  6. Went to my app from the Dashboard, selected the "Platform features" tab, and clicked on "Authentication / Authorization".
  7. Enabled "App Service Authentication".
  8. Configured the Microsoft authentication provider with the above registration's Application ID and client secret.
  9. Set "Action to take when request is not authenticated" to "Log in with Microsoft Account".

At this point, I can no longer access my API endpoint without authentication (as expected). I then configured Postman to obtain a token by:

  1. Selecting the Authorization tab.
  2. Setting the Type to "OAuth 2.0".
  3. Clicking "Get New Access Token".
  4. Setting the following values:
    • Grant Type: Authorization Code
    • Callback URL: https://<myapp>.azurewebsites.net/.auth/login/microsoftaccount/callback (the same as I entered into my App Registration, above).
    • Auth URL: https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/authorize?resource=<Application (client) ID>
    • Access Token URL: https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/token?resource=<Application (client) ID>
    • Client ID: <Application (client) ID>
    • Client Secret: <Client secret>
    • Scope: <empty>
    • State: <empty>
    • Client Authentication: Send as Basic Auth Header
  5. Clicking the "Request Token" button.
  6. Logging in as myself in the window which pops up. (Only happened the first time; presumably my credentials are being cached somewhere.)
  7. Clicking the "Use Token" button.
  8. Clicking the "Preview Request" button.

When I then click "Send", I get the error above. If I disable authentication or change "Action to take…" to allow unauthorized requests, it begins working again (but doesn't, of course, require authentication). I've run the JWT that Postman receives through JWT.io and the payload looks reasonable, as far as I can tell:

{
  "aud": "<Application (client) ID>",
  "iss": "https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0",
  "iat": 1558488698,
  "nbf": 1558488698,
  "exp": 1558492598,
  "aio": "<base64? data>",
  "azp": "<Application (client) ID>",
  "azpacr": "1",
  "idp": "live.com",
  "name": "Ben Blank",
  "oid": "<a GUID I don't recognize>",
  "preferred_username": "[email protected]",
  "scp": "User.Read",
  "sub": "<base64? data>",
  "tid": "<Directory (tenant) ID>",
  "uti": "<base64? data>",
  "ver": "2.0"
}

Can anyone tell me what I've done wrong?

Upvotes: 2

Views: 3003

Answers (2)

Tony Ju

Reputation: 15609

You are using Microsoft Account as the Authentication Provider. The way you get the access token is regarding Azure Active Directory, not Microsoft Account.

When you access your function url https://tonytest4.azurewebsites.net/api/HttpTrigger1?name=test, you will be redirected to the login page. You will find the url is https://login.live.com/oauth20_authorize.srf?. After entering the correct credentials, you will be able to access your function.


Upvotes: 1

Marc

Reputation: 1041

You need to register Postman as a client app in AAD and give it permission to call your API, kind of like here except you will give it permissions to access your API rather than AAD Graph as in the link. Your Postman will need to be configured to use that app's client ID and secret to get the token. Right now you are using Postman to ask for your API app to get an access token to itself. Most likely your app is not configured in AAD to call itself! (does not make sense anyway).

Upvotes: 1
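As an added example (not code from the question or either answer), a small Python diagnostic that decodes a token payload like the one in the question, without verifying its signature, and reports why App Service Authentication configured for a given provider would reject it: it checks the issuer host against the provider (Tony's point) and the audience against the API's own client ID (the mismatch Marc discusses). The expected issuer hosts, the GUIDs and the sample token are assumptions constructed for the example.

```python
import base64
import json
import time
from typing import List, Optional
from urllib.parse import urlparse

# Assumed issuer hosts per App Service Auth provider: login.live.com is the endpoint
# the Microsoft Account provider redirects to; Azure AD issues v2 tokens from
# login.microsoftonline.com and v1 tokens from sts.windows.net.
EXPECTED_ISSUER_HOSTS = {
    "microsoftaccount": {"login.live.com"},
    "aad": {"login.microsoftonline.com", "sts.windows.net"},
}

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def diagnose(token: str, provider: str, api_client_id: str, now: Optional[int] = None) -> List[str]:
    """List reasons this token would not satisfy App Service Auth for `provider` and this API."""
    claims = decode_payload(token)
    now = int(time.time()) if now is None else now
    problems = []
    iss_host = urlparse(claims.get("iss", "")).hostname or ""
    if iss_host not in EXPECTED_ISSUER_HOSTS[provider]:
        problems.append(f"issuer host {iss_host!r} does not match provider {provider!r}")
    if claims.get("aud") != api_client_id:
        problems.append(f"audience {claims.get('aud')!r} is not this API's client ID")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token has expired")
    return problems

# Constructed sample modelled on the question's payload; GUIDs and signature are placeholders.
API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({"aud": API_CLIENT_ID, "ver": "2.0", "idp": "live.com", "exp": 1558492598,
                    "iss": "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0"}),
    "placeholder-signature",
])

if __name__ == "__main__":
    for problem in diagnose(SAMPLE_TOKEN, "microsoftaccount", API_CLIENT_ID, now=1558490000):
        print("-", problem)
```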
