This page describes how to add app roles with allowedMemberTypes "Application" (application permissions) to an application in Azure Active Directory using the manifest, and how to restrict an Azure Function to client applications that hold such a role.
Question from the page:
I don't know how to restrict access to the Azure Function to only Applications that have a specific application role.
If you just want the app that has the ConsumerApps permission to access your function, follow the steps below.
1. Navigate to the AD App of your function in Azure Active Directory in the portal -> click the Managed application in local directory -> Properties -> set User assignment required to Yes.
2. Then try to get the token with your AD App again; you will find that the app cannot get the token successfully, and you will get an error like the one below, because your client app does not have the ConsumerApps permission.
3. To access the function successfully, we just need to add the Application permission to the client AD App you used. Navigate to the client AD App in the portal -> API permissions -> Add a permission -> click APIs my organization uses -> search for your function AD App name -> click the app -> Application permissions -> add the ConsumerApps permission -> click the Grant admin consent for xxx button.
Wait a while, then try to get the token again; it works fine.
Using the token to call the function also works.
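The answer above restricts who can obtain a token; it does not show the check the function itself should make, and "User assignment required" only demands that the caller hold some assignment, not the specific role. The following is an added example, not code from the page or the answer: it builds the appRoles manifest entry for an Application-type role and then validates a caller's token, rejecting it unless the ConsumerApps value appears in the roles claim. The role value, tenant and app ids are assumed, and it signs with HS256 and a shared secret so it runs offline; a real function must verify RS256 signatures against the tenant's JWKS keys instead.

```python
"""Added example: declare an Application app role and enforce it on the
callee side. Identifiers below are assumptions, not values from the page."""
import base64
import hmac
import json
import time
import uuid

TENANT_ID = "00000000-0000-0000-0000-000000000001"          # assumed tenant
FUNCTION_APP_ID = "11111111-1111-1111-1111-111111111111"    # assumed client id of the Function's AD app
REQUIRED_ROLE = "ConsumerApps"                               # role value used in the answer
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
SECRET = b"demo-only-shared-secret"   # stands in for Azure AD's RS256 signing key (assumption)


def app_role_manifest_entry(value, display_name, description, role_id=None):
    """Object to place in the manifest's "appRoles" array.
    allowedMemberTypes ["Application"] makes it an application permission,
    i.e. one that is granted to a client app rather than to users or groups."""
    return {
        "allowedMemberTypes": ["Application"],
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),   # must be a unique GUID per role
        "isEnabled": True,
        "value": value,                       # this string shows up in the token's roles claim
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims):
    """Constructed HS256 JWT standing in for one issued by Azure AD via client credentials."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), "sha256").digest()
    return f"{signing_input}.{_b64url(sig)}"


def authorize(token, now=None):
    """Return (allowed, reason). Signature, issuer, audience and expiry are checked
    before the roles claim, so an unsigned or replayed token never reaches the role test."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token alone
            return False, "unexpected alg"
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), "sha256").digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != FUNCTION_APP_ID:        # v2.0 tokens carry the API's client id as aud (assumed here)
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    roles = claims.get("roles") or []               # app roles granted to the calling app land in "roles"
    if REQUIRED_ROLE not in roles:
        return False, "missing app role"
    return True, "ok"


if __name__ == "__main__":
    print(json.dumps(app_role_manifest_entry(REQUIRED_ROLE, "Consumer apps", "Apps allowed to call the function"), indent=2))
    ok = mint_token({"iss": ISSUER, "aud": FUNCTION_APP_ID, "exp": time.time() + 600, "roles": [REQUIRED_ROLE]})
    print(authorize(ok))
```

The roles test is the part that answers the question: an app assigned a different role on the same function will still get a token once "User assignment required" is on, and only the claim check turns that into "this specific application role".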