Adventures with Azure: Call a Secure Azure Function from a Logic App

In a previous article I talked about how to Secure an Azure Function App with Azure Active Directory, now I would like to look at how to call a Secure Azure Function App from an Azure Logic App.

Let’s first create a Logic App.

In the Azure Portal, click Create Resource, type Logic App in the Search Box and then select Logic App.

Click Create.

Provide a Name and a Resource Group, the click Create.

In the Search resources, services and docs, type the name of your Logic App and select it from the list displayed.

Under Template, click Blank Logic App.

Add a new When an HTTP request is received trigger.

Click Save.

Copy the HTTP POST URL.

With the HTTP POST URL, create and execute a POST request in Postman, you should be returned a 202 Accepted status code.

We are now going to wire up the call to the Azure Function, click + New Step.

Type http in the Search connectors and actions.

Select the HTTP connector, NOT the Azure Functions connector, the latter DOES NOT allow us to authenticate.

On the next screen, select HTTP again.

Assuming your Azure Function accepts a POST request, set the Method to POST.

Paste in the URL of the Azure Function Trigger, for this example I will use the one I created in my previous article Secure an Azure Function App with Azure Active Directory

Click Save and then click Run.

The Logic App fails when it gets to the HTTP step because it is not authenticated.

We are going to leverage Active Directory OAuth to authenticate the Logic App.

We are going to need the following Settings:

  • Tenant
  • Audience
  • Client ID
  • Secret

To get the Tenant value, in the Azure Portal, click on Azure Active Directory and then click Properties.

Copy the value in Directory ID.

Next click App registrations (Preview) and then click All Applications.

Select the Application.

Copy the value in Application (client) id, this is the Client ID.

You will need to create a secret for the Application, to do this click Certificates & secrets and then click New client secret.

Provide a Description and Expires for the secret, and then click Add.

Copy the Value, please note, it is only shown once.

To get the Audience, click Expose API, and copy the Application ID URI.

We have all the information we need to now to complete the authentication process.

Navigate back to the Logic App and click Edit.

Expand the HTTP request.

Set the Authentication to Active Directory OAuth.

Update the values for Tenant, Audience and Client ID, set Credential Type to Secret and update the value of Secret.

Click Save and then Run, to execute the Logic app.

The Logic App fails again at the HTTP step with a 404 Unauthorized status code.

While the Logic App authenticates correctly, it DOES NOT have authorization yet to the Function App. To fix this problem, navigate to the Function App.

Click Platform Features and then Authentication / Authorization.

Click Azure Active Directory under Authentication Providers.

In the next blade displayed, click Advanced.

Add the Audience to the Allowed Token Audiences and click OK.

Click Save.

Call the Logic App Url in Postman OR run the Logic App from the Azure Portal.

Success! W00t! W00t!

This seemed like a lot of steps to me, especially gathering all the meta information required to setup the Active Directory OAuth. As I worked through this example, I did notice that much of the information is available on Azure Active Directory Settings blade in the Function App.

One thing I would do differently and would recommend you do likewaise is to move the values of Tenant, Audience, Client ID and Secret to Azure Key Vault as opposed to having them sitting in the code of the Logic App.

1 Reply to “Adventures with Azure: Call a Secure Azure Function from a Logic App”

Leave a Reply

Your email address will not be published.