【转】Enabling Managed Identity Authentication on Azure Functions in Data Factory

原文地址:https://prodata.ie/2022/06/16/enabling-managed-identity-authentication-on-azure-functions-in-data-factory/

 

This blog shows you how to enable Managed Identity on an Azure Function call from ADF, this can help secure the Function by adding a second authentication method on top of the API Key. Enabling these options enforces https on all function calls, ADF handles authentication and so no custom headers, tokens or keys are necessary to be exchanged.


The high level process is:

  1. Configure Microsoft Identity on Azure Function
  2. Enable Managed Identity on Data Factory
  3. Configure Linked Service in Data Factory
  4. Assign Permissions to the Data Factory in Azure Function

 

Step 1 – Enable Microsoft Identity on Azure Function

On the Azure function, in the authentication tab, click Add identity provider.

Set the identity provider to Microsoft, you can manually create one in Azure Active Directory (App Registrations) but I recommend choosing to create a new app registration, changing its name to FunctionName-auth / -app and giving it the default permissions.

Use the default permission option

Copy the generated App (client) id, as this is used in data factory to handle authorization.

Step 2 – Enable Managed Identity on Data Factory

In the Data Factory’s controls, go to Managed Identities, and enable a system assigned Identity.

Step 3- Configure Linked Service in Data Factory

Enter the Data Factory studio, and then Manage, Linked Services and either create a new or update previous function implementation.

Change authentication method to System Assigned Managed Identity, and paste the copied client ID from Step 1 into Resource ID. This step is necessary as authorization does not work without this.

Step 4 – Assign Permissions to the Data Factory in Function

On the function app, go to Access control (IAM), and Add a new role assignment

Assign reader role.

Assign the Data Factory’s Managed Identity to that role.

 

Here is an example function working.

The response below indicates that either the app registration was deleted/ created incorrectly, or the role is not assigned in the Data Factory’s IAM.

Differences to Microsoft Articles

The Microsoft Articles that we could find on this matter don’t include all the steps to get it working end to end. In the fast paced world of azure things get out of date fast 😉

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

This doesn’t provide an example of linking the resource ID and adding permissions for the data factory on the function.

https://docs.microsoft.com/en-us/azure/spring-cloud/tutorial-managed-identities-functions

This article uses old examples of App Registration and Authentication configuration as well as outdated instructions on permission management.

posted @   路边两盏灯  阅读(66)  评论(0编辑  收藏  举报
编辑推荐:
· .NET Core 托管堆内存泄露/CPU异常的常见思路
· PostgreSQL 和 SQL Server 在统计信息维护中的关键差异
· C++代码改造为UTF-8编码问题的总结
· DeepSeek 解答了困扰我五年的技术问题
· 为什么说在企业级应用开发中,后端往往是效率杀手?
阅读排行:
· Deepseek官网太卡,教你白嫖阿里云的Deepseek-R1满血版
· 2分钟学会 DeepSeek API,竟然比官方更好用!
· .NET 使用 DeepSeek R1 开发智能 AI 客户端
· DeepSeek本地性能调优
· 一文掌握DeepSeek本地部署+Page Assist浏览器插件+C#接口调用+局域网访问!全攻略
历史上的今天:
2022-03-08 【Azure Redis 缓存】当使用Azure Redis 集群服务时候,发生了Moved的几点分析
2022-03-08 【Azure API 管理】使用APIM进行XML内容读取时遇见的诡异错误 Expression evaluation failed. Object reference not set to an instance of an object.
2021-03-08 【Azure 应用服务】Azure SignalR 是否可以同时支持近十万人在线互动
2021-03-08 【Azure API 管理】从微信小程序访问APIM出现200空响应的问题中发现CORS的属性[terminate-unmatched-request]功能
点击右上角即可分享
微信分享提示