Turn on Authentication

When working with Azure Functions, sometimes our endpoints need to be authenticated. The platform provides out-of-the-box integration with popular authentication providers like Facebook, Google, Twitter, and Azure AD.

Enabling authentication is easy: go to the “platform feature” section and open “Authentication”. After clicking “Authentication”, you should see a configuration form. The App Service Authentication switch turns the feature on or off. When the feature is on, you need to configure an authentication provider; you can use many providers to authenticate.

The Token Store option allows storing the provider's OAuth access token if you want to read some extra data from the provider (e.g. reading all posts from Facebook).

Using authentication, you can take extra data from providers (if you have permission for it), but you need to write a piece of code for that. You will only receive the access token to the service.

How to log in or log out in a frontend application?

First, you need to configure External Redirect URLs (Advanced settings), because without that the Azure function app isn’t allowed to set cookies in your frontend. Once you have configured the redirect URLs, you can use these two endpoints:

Login and logout URLs

Where:
“apiBaseUrl” : Azure function URL
“authProvider”: aad, twitter, microsoftaccount, google, facebook
“redirect_url”: the application URL where the cookies will be set

Opening one of these two links will generate cookies with tokens.

If you want to use the access token, claims or userId, your function app needs to have Token Store enabled; without it, the /.auth/me endpoint returns “Not Found”.

Azure Function Headers

Regardless of which provider we have chosen, the authenticated Azure function will receive 4 headers:

  • X-MS-CLIENT-PRINCIPAL-NAME: user name
  • X-MS-CLIENT-PRINCIPAL-ID: userId
  • X-MS-CLIENT-PRINCIPAL-IDP: provider name (aad, twitter, microsoftaccount, google, facebook)
  • X-MS-CLIENT-PRINCIPAL: Azure Function access token; you can use this token to communicate with other services in Azure (it is independent of the provider token and is generated by AAD)

The remaining information depends on which provider we have chosen.

Provider: header names

  • Azure Active Directory: X-MS-TOKEN-AAD-ID-TOKEN, X-MS-TOKEN-AAD-ACCESS-TOKEN, X-MS-TOKEN-AAD-EXPIRES-ON, X-MS-TOKEN-AAD-REFRESH-TOKEN
  • Facebook Token: X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN, X-MS-TOKEN-FACEBOOK-EXPIRES-ON
  • Google: X-MS-TOKEN-GOOGLE-ID-TOKEN, X-MS-TOKEN-GOOGLE-ACCESS-TOKEN, X-MS-TOKEN-GOOGLE-EXPIRES-ON, X-MS-TOKEN-GOOGLE-REFRESH-TOKEN
  • Microsoft Account: X-MS-TOKEN-MICROSOFTACCOUNT-ACCESS-TOKEN, X-MS-TOKEN-MICROSOFTACCOUNT-EXPIRES-ON, X-MS-TOKEN-MICROSOFTACCOUNT-AUTHENTICATION-TOKEN, X-MS-TOKEN-MICROSOFTACCOUNT-REFRESH-TOKEN
  • Twitter: X-MS-TOKEN-TWITTER-ACCESS-TOKEN, X-MS-TOKEN-TWITTER-ACCESS-TOKEN-SECRET

As you can see, the providers have similar headers, so it’s really easy to support a multi-provider authentication model in our function app.

Where can we find these headers? In our HTTP trigger. The HttpRequest class has a reference to HttpContext, and that is where our user information is located.

We can use all request headers as dynamic content in Azure Function bindings.
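Because the token headers differ only by provider name and suffix, one routine can turn them into a provider-independent identity. The following is an added example, not code from the original post or from Azure: the function name identityFromHeaders, the plain-object header input, the sample values, and the assumption that EXPIRES-ON holds an ISO 8601 timestamp are all illustrative.

```javascript
// Token header suffixes per provider, from the header names listed above.
const TOKEN_SUFFIXES = {
  aad: ["ID-TOKEN", "ACCESS-TOKEN", "EXPIRES-ON", "REFRESH-TOKEN"],
  facebook: ["ACCESS-TOKEN", "EXPIRES-ON"],
  google: ["ID-TOKEN", "ACCESS-TOKEN", "EXPIRES-ON", "REFRESH-TOKEN"],
  microsoftaccount: ["ACCESS-TOKEN", "EXPIRES-ON", "AUTHENTICATION-TOKEN", "REFRESH-TOKEN"],
  twitter: ["ACCESS-TOKEN", "ACCESS-TOKEN-SECRET"],
};

// Constructed sample request headers (placeholder values, not real tokens).
const SAMPLE = {
  "x-ms-client-principal-name": "alice@example.com",
  "x-ms-client-principal-id": "user-123",
  "x-ms-client-principal-idp": "google",
  "x-ms-token-google-access-token": "ACCESS_TOKEN_PLACEHOLDER",
  "x-ms-token-google-expires-on": "2030-01-01T00:00:00Z",
};

// Returns a provider-independent identity, or null when no valid identity is present.
// `headers` is a plain object of request headers (hypothetical input shape).
function identityFromHeaders(headers, now = new Date()) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v);
  const get = (name) => h[name.toLowerCase()] || null;

  const idp = (get("X-MS-CLIENT-PRINCIPAL-IDP") || "").toLowerCase();
  const userId = get("X-MS-CLIENT-PRINCIPAL-ID");
  // Fail closed: own-property check so names like "constructor" are not accepted.
  const known = Object.prototype.hasOwnProperty.call(TOKEN_SUFFIXES, idp);
  if (!known || !userId) return null;

  const tokens = {};
  for (const suffix of TOKEN_SUFFIXES[idp]) {
    const value = get(`X-MS-TOKEN-${idp}-${suffix}`);
    if (value !== null) tokens[suffix] = value;
  }

  // Assumption: EXPIRES-ON is an ISO 8601 timestamp. A missing or unparseable
  // value counts as expired; null means the provider has no expiry header.
  let expired = null;
  if (TOKEN_SUFFIXES[idp].includes("EXPIRES-ON")) {
    const t = Date.parse(tokens["EXPIRES-ON"] || "");
    expired = Number.isNaN(t) || t <= now.getTime();
  }
  return { provider: idp, userId, userName: get("X-MS-CLIENT-PRINCIPAL-NAME"), tokens, expired };
}
```

When Token Store is off, the token headers are absent, so `tokens` comes back empty and `expired` is true for providers that have an expiry header.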

Claims

The Azure function has access to the defined claims. Claims are configured while setting up the provider. Any claim is mapped to http://schemas.xmlsoap.org/ws/2005/05/identity/claims (More details)

Summary

This blog post showed you how to turn on authentication and described the configuration options: which providers are available out of the box and how to use them in an Azure function.

On my gist, you can find a fully working authentication web application based on vue.js and bootstrap (link here). You only need to change line 42 (provide your function app name) and run it with live-server (using NPM; for security reasons, the browser rejects non-hosted pages).

The authentication feature increases security in our serverless application. It can be used as an API gateway to our internal services, or the generated token might be used to integrate our services with Facebook, Google or Twitter (automating posts on Facebook on behalf of someone).