RhomburVernius

Reputation: 2250

How to restrict an Azure function app's access to only AD B2C API connector?

I've got a function app set up with the intent of it being called via my AD B2C API connector in the "before creating the user" step. I would like to ensure that this function can only be called in this manner. I'm not sure of the best way to do this. One scenario I've seen is that using API Management, I can require that the backend use a username/pw to access said function, and in my API connector I could specify that same u/pw, thus authenticating. But that seems like not the best idea for production. Ideally I would:

  1. Restrict network access to just the ip/domain from wherever the API connector is sending the request from
  2. Require a certificate instead of a username/pw from the API connector

Regarding point #1, I don't know how to go about doing this as I can't figure out what the ip is (and my guess is that there's several and it possibly changes), so perhaps there's a different way to restrict access to the function by only my B2C tenant?

Regarding point #2, I see that as part of the API connector I can tell it to use a certificate which as of this writing is in preview. The issue with that is that the only option is to manually upload the certificate, meaning that I'd have to change this manually every time my Let's Encrypt cert renews (90 days). There does not seem to be a way to have this hook into key vault like APIM and function apps can to automatically get the up to date cert.

So what would be the preferred/secure way, in production, to lock down access to a function app that's designed for the sole purpose of being part of one of the steps in a B2C user flow API connector?

Upvotes: 0

Views: 370
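The second wish in the question, accepting only callers that present the API connector's certificate, also has a function-side half: the function has to check which certificate arrived. The following is an added example, not code from the question or from Azure; it assumes the Function App has its client certificate mode set to Require (so App Service forwards the caller's certificate as base64 DER in the `X-ARR-ClientCert` header, a known App Service behaviour), that `ALLOWED_THUMBPRINTS` holds the SHA-1 thumbprints of the current and next connector certificate (placeholders here), and it uses the B2C API connector response schema (`version`/`action`) from the B2C docs. Keeping two thumbprints lets a Let's Encrypt renewal be staged before the old certificate is retired.

```python
"""Added example: pin the B2C API connector's client certificate inside an
Azure Function so that only a caller presenting that certificate is served.

Assumptions (not stated on the page):
  * App Service forwards the caller's certificate base64-DER in X-ARR-ClientCert
    when client certificate mode is Require
  * ALLOWED_THUMBPRINTS is maintained by deployment (placeholders below)
"""
import base64
import binascii
import hashlib
from typing import Any, Dict, Mapping, Optional, Set, Tuple

# Placeholder thumbprints: replace with the SHA-1 thumbprints of the certificate
# uploaded to the API connector (current and, during rotation, next).
ALLOWED_THUMBPRINTS: Set[str] = {
    "0000000000000000000000000000000000000000",
}


def thumbprint_from_header(header_value: str) -> Optional[str]:
    """Decode the base64 DER certificate and return its SHA-1 thumbprint
    (uppercase hex, the form shown in the Azure portal). Returns None when the
    header does not hold valid base64, so a malformed header is never trusted."""
    try:
        der = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return hashlib.sha1(der).hexdigest().upper()


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def caller_is_api_connector(headers: Mapping[str, str],
                            allowed: Set[str] = ALLOWED_THUMBPRINTS) -> bool:
    """True only if a client certificate was forwarded and its thumbprint is pinned."""
    raw = _header(headers, "X-ARR-ClientCert")
    if not raw:
        return False
    thumbprint = thumbprint_from_header(raw)
    return thumbprint is not None and thumbprint in allowed


def handle(headers: Mapping[str, str], body: Dict[str, Any]) -> Tuple[int, Optional[Dict[str, Any]]]:
    """Minimal 'before creating the user' handler: reject anything that is not the
    connector, otherwise answer with the Continue action B2C expects."""
    if not caller_is_api_connector(headers):
        # No body: B2C surfaces a non-2xx from the connector as an error anyway.
        return 401, None
    # Real validation of body["email"] etc. would go here.
    return 200, {"version": "1.0.0", "action": "Continue"}


if __name__ == "__main__":
    # Constructed sample: "abc" stands in for DER bytes; a real header holds a certificate.
    sample_der = b"abc"
    pinned = {hashlib.sha1(sample_der).hexdigest().upper()}
    hdrs = {"x-arr-clientcert": base64.b64encode(sample_der).decode("ascii")}
    print(caller_is_api_connector(hdrs, pinned))   # True
    print(caller_is_api_connector({}, pinned))     # False
```

The check is deliberately a thumbprint allow-list rather than a chain validation: the connector's certificate is something you issued and uploaded yourself, so the function only needs to know "is this exactly one of mine", and the list is updated in the same pipeline that uploads the renewed certificate to B2C.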

Answers (1)

Jas Suri - MSFT

Reputation: 11335

  1. Not possible: the IP range from which AAD B2C makes calls to your REST API can cover the entire Azure DC IP range.

  2. You need to use a CI/CD pipeline: https://learn.microsoft.com/en-us/azure/active-directory-b2c/deploy-custom-policies-devops

And here is the reference for uploading a certificate into the Policy Keys via Graph API, which you can integrate into your pipeline: https://learn.microsoft.com/en-us/graph/api/identityapiconnector-uploadclientcertificate?view=graph-rest-beta&tabs=http

You could combine this with KeyVault to auto generate the cert, have your pipeline pick it up, and deploy to AAD B2C.

Upvotes: 1
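What the pipeline step in the answer looks like in code: an added example, not code from the answer, Microsoft, or the linked docs. It assumes the renewed certificate sits in Azure Key Vault (which returns a certificate's PFX base64-encoded, with an empty password, from the certificate's secret endpoint), that the job already holds a Graph access token with the permission `uploadClientCertificate` requires, and that the connector id is a placeholder. The request body shape (`pkcs12Value`, `password`) and the `certificateList` entries (`isActive`, `notAfter` as epoch seconds) follow the Graph beta docs the answer links; the rotation window is a chosen value.

```python
"""Added example: rotate an AAD B2C API connector's client certificate from a
CI/CD job via Microsoft Graph (beta), pulling the PFX from Key Vault.

Assumptions (not stated on the page):
  * Key Vault hands back the certificate as base64 PKCS#12 with empty password
  * a Graph bearer token is already available to the job
  * CONNECTOR_ID is a placeholder for the real apiConnector id
"""
import base64
import json
import time
import urllib.request
from typing import Any, Dict, List, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"
CONNECTOR_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
RENEW_WITHIN_SECONDS = 14 * 24 * 3600   # upload when the active cert expires within 14 days


def pfx_from_keyvault_secret(secret_value: str) -> bytes:
    """Key Vault returns certificate private material as base64 PKCS#12 via the
    secret endpoint (assumption above); decode to raw bytes."""
    return base64.b64decode(secret_value)


def build_upload_request(connector_id: str, pfx_bytes: bytes, password: str = "") -> Tuple[str, Dict[str, str]]:
    """Return (url, body) for POST /identity/apiConnectors/{id}/uploadClientCertificate.
    Graph expects the PKCS#12 blob base64-encoded plus the password protecting it."""
    url = f"{GRAPH_BETA}/identity/apiConnectors/{connector_id}/uploadClientCertificate"
    body = {
        "pkcs12Value": base64.b64encode(pfx_bytes).decode("ascii"),
        "password": password,
    }
    return url, body


def needs_rotation(certificate_list: List[Dict[str, Any]], now: int,
                   window: int = RENEW_WITHIN_SECONDS) -> bool:
    """Decide from the connector's certificateList whether a fresh upload is due:
    no active certificate, or an active one expiring within `window` seconds.
    notAfter is a NumericDate (seconds since epoch)."""
    active = [c for c in certificate_list if c.get("isActive")]
    if not active:
        return True
    return any(int(c["notAfter"]) - now < window for c in active)


def upload(token: str, connector_id: str, pfx_bytes: bytes, password: str = "") -> Dict[str, Any]:
    """Perform the Graph call. Network call; not exercised offline."""
    url, body = build_upload_request(connector_id, pfx_bytes, password)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a certificateList as Graph would return it, and a stand-in
    # base64 secret value in place of what Key Vault hands back.
    now = int(time.time())
    cert_list = [{"isActive": True, "notAfter": now + 5 * 24 * 3600, "thumbprint": "PLACEHOLDER"}]
    if needs_rotation(cert_list, now):
        pfx = pfx_from_keyvault_secret(base64.b64encode(b"stand-in-pfx").decode("ascii"))
        url, body = build_upload_request(CONNECTOR_ID, pfx)
        print("would POST", url, "with", len(body["pkcs12Value"]), "base64 chars")
        # upload(os.environ["GRAPH_TOKEN"], CONNECTOR_ID, pfx)   # real run
```

Running `needs_rotation` first keeps the job idempotent: the pipeline can be triggered on every Key Vault renewal event (or on a schedule) and only calls Graph when the connector is actually about to lose its active certificate, so a retried pipeline does not keep piling up uploads.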
