Enable and Disable Authentication With PowerShell
In a recent project, a unique challenge emerged: the need to temporarily remove authentication from an Azure Function for testing purposes, only to later reinstate it. Surprisingly, finding a straightforward solution proved elusive. Despite extensive exploration, including searching for a Bicep solution or relevant APIs, I encountered obstacles. While some methods disabled authentication, artifacts persisted, preventing a clean removal.
However, amidst this quest for a solution, a breakthrough emerged: the Azure REST API, accessible through the Azure CLI's az rest command, revealed itself as the ultimate tool. Leveraging this API, I devised a pair of PowerShell scripts that remove and restore the authentication provider of an Azure Function.
But why is this significant? Consider scenarios where developers need to streamline testing processes or troubleshoot authentication-related issues within Azure Functions. By understanding and harnessing the Azure REST API, developers gain unprecedented control and flexibility, empowering them to tailor authentication settings with precision and efficiency.
Let’s delve into the mechanics behind this solution. The PowerShell functions below exemplify the simplicity and effectiveness of utilizing the Azure REST API to delete and subsequently re-add authentication providers within Azure Functions:
Enable Authentication
param (
    [Parameter(Mandatory=$true)]
    [string]$functionAppName,
    [Parameter(Mandatory=$true)]
    [string]$resourceGroupName,
    [Parameter(Mandatory=$true)]
    [string]$issuer,
    [Parameter(Mandatory=$true)]
    [string]$clientId,
    [Parameter(Mandatory=$true)]
    [string]$subscriptionId
)

$identityProvider = "AzureActiveDirectory"
$resourceProviderName = "Microsoft.Web"
$resourceType = "sites"
$name = $functionAppName + "/config/authsettingsV2"

Write-Host "Enable Authentication"
Write-Host "Resource Group Name : $resourceGroupName"
Write-Host "Function App Name : $functionAppName"
Write-Host "Identity Provider : $identityProvider"
Write-Host "Issuer : $issuer"
Write-Host "Client Id : $clientId"
Write-Host "Resource Provider Name : $resourceProviderName"
Write-Host "Resource Type : $resourceType"
Write-Host "Name : $name"

# ARM resource URI of the function app's authsettingsV2 configuration
$uri = "/subscriptions/" + $subscriptionId + "/resourceGroups/" + $resourceGroupName + "/providers/Microsoft.Web/" + $resourceType + "/" + $name + "?api-version=2021-03-01"
Write-Host "Uri: $uri"

# Require authentication, answer unauthenticated requests with 401, and register the
# Azure AD provider. clientSecretSettingName is the name of the app setting that holds
# the client secret; the secret itself is not part of this body.
$body = "{ 'properties': { 'globalValidation': { 'requireAuthentication': 'true', 'unauthenticatedClientAction': 'Return401' }, 'identityProviders': { 'azureActiveDirectory': { 'enabled': 'true', 'registration': { 'openIdIssuer': '$issuer', 'clientId': '$clientId', 'clientSecretSettingName': 'MICROSOFT_PROVIDER_AUTHENTICATION_SECRET' } } } } }"

az rest --method Put --uri $uri --verbose --body $body
Disable Authentication
param (
    [Parameter(Mandatory=$true)]
    [string]$functionAppName,
    [Parameter(Mandatory=$true)]
    [string]$resourceGroupName,
    [Parameter(Mandatory=$true)]
    [string]$subscriptionId
)

$identityProvider = "AzureActiveDirectory"
$resourceProviderName = "Microsoft.Web"
$resourceType = "sites"
# Define $name before it is printed below
$name = $functionAppName + "/config/authsettingsV2"

Write-Host "Disable Authentication"
Write-Host "Resource Group Name : $resourceGroupName"
Write-Host "Function App Name : $functionAppName"
Write-Host "Identity Provider : $identityProvider"
Write-Host "Resource Provider Name : $resourceProviderName"
Write-Host "Resource Type : $resourceType"
Write-Host "Name : $name"

# ARM resource URI of the function app's authsettingsV2 configuration
$uri = "/subscriptions/" + $subscriptionId + "/resourceGroups/" + $resourceGroupName + "/providers/Microsoft.Web/" + $resourceType + "/" + $name + "?api-version=2021-03-01"
Write-Host "Uri: $uri"

# Request body: authentication not required, anonymous requests allowed,
# and an empty Azure AD registration.
$body = "{ 'globalValidation': { 'requireAuthentication': 'false', 'unauthenticatedClientAction': 'AllowAnonymous' }, 'httpSettings': { 'forwardProxy': { 'convention': 'NoProxy' }, 'requireHttps': 'true', 'routes': { 'apiPrefix': '/.auth' } }, 'identityProviders': { 'azureActiveDirectory': { 'enabled': 'true', 'login': { 'disableWWWAuthenticate': 'false' }, 'registration': {}, 'validation': { 'defaultAuthorizationPolicy': { 'allowedPrincipals': {} }, 'jwtClaimChecks': {} } } } }"

az rest --method Put --uri $uri --verbose --body $body
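One way to confirm that authentication is enforced again after the Enable script has run is to read the authsettingsV2 document back and inspect it. The following is an added example, not part of the original scripts: the function name Get-AuthFindings and both sample documents are constructed, and the live call in the closing comment assumes that a GET on the same URI returns the settings under a properties object.

```powershell
# Added example: Get-AuthFindings and both sample documents are constructed for illustration.
function Get-AuthFindings {
    param (
        [Parameter(Mandatory=$true)]
        [string]$settingsJson   # JSON returned by GET on the authsettingsV2 URI
    )
    $props = ($settingsJson | ConvertFrom-Json).properties
    if (-not $props) { return "response has no 'properties' object" }

    # JSON booleans arrive as [bool]; the string cast also covers 'true' sent as text.
    if ("$($props.platform.enabled)" -eq "false") {
        "platform.enabled is false"
    }
    $gv = $props.globalValidation
    if ("$($gv.requireAuthentication)" -ne "true") {
        "globalValidation.requireAuthentication is not true"
    }
    if ($gv.unauthenticatedClientAction -eq "AllowAnonymous") {
        "globalValidation.unauthenticatedClientAction is AllowAnonymous"
    }
    $aad = $props.identityProviders.azureActiveDirectory
    if ("$($aad.enabled)" -eq "false") {
        "identityProviders.azureActiveDirectory.enabled is false"
    }
    if (-not $aad.registration.clientId) {
        "azureActiveDirectory.registration.clientId is empty"
    }
}

# Constructed sample: the values the Enable script sends (placeholder issuer and client id).
$enabled = @'
{ "properties": { "platform": { "enabled": true },
  "globalValidation": { "requireAuthentication": true, "unauthenticatedClientAction": "Return401" },
  "identityProviders": { "azureActiveDirectory": { "enabled": true,
    "registration": { "openIdIssuer": "https://issuer.example/v2.0", "clientId": "00000000-0000-0000-0000-000000000000" } } } } }
'@
# Constructed sample: the values the Disable script sends.
$disabled = @'
{ "properties": { "globalValidation": { "requireAuthentication": false, "unauthenticatedClientAction": "AllowAnonymous" },
  "identityProviders": { "azureActiveDirectory": { "enabled": true, "registration": {} } } } }
'@

foreach ($sample in ([ordered]@{ enabled = $enabled; disabled = $disabled }).GetEnumerator()) {
    $findings = @(Get-AuthFindings -settingsJson $sample.Value)
    Write-Host "$($sample.Key): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Host "  - $_" }
}

# Live use after 'az login', with $uri built as in the scripts above:
#   $findings = @(Get-AuthFindings -settingsJson ((az rest --method get --uri $uri) -join "`n"))
#   if ($findings.Count -gt 0) { throw "Authentication is not enforced: $($findings -join '; ')" }
```

Running the commented live check as the last step of a test pipeline makes the run fail when the function app is left accepting anonymous requests.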
Conclusion
These two scripts remove authentication from an Azure Function and re-add it with the help of the Azure CLI and PowerShell.
About the Author / Oliver Scheer
Meet Oliver, a Principal Software Engineer at Medialesson, boasting over 25 years of software development expertise across real and challenging customer projects. With 17 years of experience at Microsoft as both an Evangelist and Software Engineer, Oliver's focus lies in .NET, DevOps, Developer Experiences, and Cloud technologies. For more about Oliver, visit his website or LinkedIn profile.