[Repost] Enabling Managed Identity Authentication on Azure Functions in Data Factory

Original article: https://prodata.ie/2022/06/16/enabling-managed-identity-authentication-on-azure-functions-in-data-factory/


This blog shows you how to enable Managed Identity on an Azure Function call from ADF. This helps secure the Function by adding a second authentication method on top of the API key. Enabling these options enforces HTTPS on all function calls, and because ADF handles the authentication itself, no custom headers, tokens or keys need to be exchanged.


The high level process is:

  1. Configure Microsoft Identity on Azure Function
  2. Enable Managed Identity on Data Factory
  3. Configure Linked Service in Data Factory
  4. Assign Permissions to the Data Factory in Azure Function


Step 1 – Enable Microsoft Identity on Azure Function

On the Azure Function, in the Authentication tab, click Add identity provider.

Set the identity provider to Microsoft. You can manually create an app registration in Azure Active Directory (App Registrations), but I recommend choosing to create a new app registration here, changing its name to FunctionName-auth / -app and giving it the default permissions.

Use the default permission option

Copy the generated App (client) ID, as Data Factory uses it to handle authorization.

Step 2 – Enable Managed Identity on Data Factory

In the Data Factory's settings, go to Managed Identities and enable a system-assigned identity.

Step 3 – Configure Linked Service in Data Factory

Open Data Factory Studio, go to Manage, then Linked services, and either create a new Azure Function linked service or update the existing one.

Change the authentication method to System Assigned Managed Identity, and paste the client ID copied in Step 1 into Resource ID. This step is required: authorization does not work without it, because the Resource ID tells ADF which app registration to request a token for.

Step 4 – Assign Permissions to the Data Factory in Function

On the Function App, go to Access control (IAM) and add a new role assignment.

Assign the Reader role.

Assign the Data Factory’s Managed Identity to that role.
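The result of Steps 1 to 3, as it appears in the JSON view of the linked service (Manage, Linked services, open the service and click the code icon) or in the ADF Git repository. This is an added example, not from the original post; the property names follow the ADF AzureFunction linked-service schema as I understand it, and the function URL and client ID are placeholders, so compare it against the JSON view of your own linked service.

```json
{
  "name": "LS_AzureFunction_ManagedIdentity",
  "properties": {
    "type": "AzureFunction",
    "annotations": [],
    "typeProperties": {
      "functionAppUrl": "https://my-function-app.azurewebsites.net",
      "authentication": "MSI",
      "resourceId": "00000000-0000-0000-0000-000000000000"
    }
  }
}
```

With `authentication` set to `MSI` there is no `functionKey` secret in the definition at all; `resourceId` must be the App (client) ID of the app registration created in Step 1, and the Function App must still grant the Data Factory's managed identity a role (Step 4), otherwise calls fail with the 401/403-style response shown below.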


Here is an example of the function working.

The response below indicates that either the app registration was deleted or created incorrectly, or the Data Factory's managed identity has not been assigned a role in the Function App's IAM.

Differences to Microsoft Articles

The Microsoft articles we could find on this matter don't include all the steps needed to get it working end to end. In the fast-paced world of Azure, things get out of date quickly 😉

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

This doesn't provide an example of linking the Resource ID or of adding permissions for the Data Factory on the Function App.

https://docs.microsoft.com/en-us/azure/spring-cloud/tutorial-managed-identities-functions

This article uses old examples of App Registration and Authentication configuration as well as outdated instructions on permission management.

Posted by 路边两盏灯