In a recent project, a unique challenge emerged: the need to temporarily remove authentication from an Azure Function for testing purposes, only to later reinstate it. Surprisingly, finding a straightforward solution proved elusive. Despite extensive exploration, including searching for a Bicep solution or relevant APIs, I encountered obstacles. While some methods disabled authentication, artifacts persisted, preventing a clean removal.

However, amidst this quest for a solution, a breakthrough emerged: the Azure REST API, accessible via Azure CLI, revealed itself as the ultimate tool. Leveraging this powerful API, I devised a pair of PowerShell functions capable of seamlessly managing authentication providers within Azure Functions.

But why is this significant? Consider scenarios where developers need to streamline testing processes or troubleshoot authentication-related issues within Azure Functions. By understanding and harnessing the Azure REST API, developers gain unprecedented control and flexibility, empowering them to tailor authentication settings with precision and efficiency.

Let’s delve into the mechanics behind this solution. The PowerShell functions below exemplify the simplicity and effectiveness of utilizing the Azure REST API to delete and subsequently re-add authentication providers within Azure Functions:

Enable Authentication

param (
  [Parameter(Mandatory=$true)]
  [string]$functionAppName,

  [Parameter(Mandatory=$true)]
  [string]$resourceGroupName,

  [Parameter(Mandatory=$true)]
  [string]$issuer,

  [Parameter(Mandatory=$true)]
  [string]$clientId,

  [Parameter(Mandatory=$true)]
  [string]$subscriptionId
)

$identityProvider = "AzureActiveDirectory"
$resourceProviderName = "Microsoft.Web"
$resourceType = "sites"

$name = $functionAppName + "/config/authsettingsV2"

Write-Host "Enable Authentication"
Write-Host "Resource Group Name               : $resourceGroupName"
Write-Host "Function App Name                 : $functionAppName"
Write-Host "Identity Provider                 : $identityProvider"
Write-Host "Issuer                            : $issuer"
Write-Host "Client Id                         : $clientId"
Write-Host "Resource Provider Name            : $resourceProviderName"
Write-Host "Resource Type                     : $resourceType"
Write-Host "Name                              : $name"

# Build the ARM resource path for the function app's authsettingsV2 configuration.
$uri = "/subscriptions/" + $subscriptionId + "/resourceGroups/" + $resourceGroupName + "/providers/Microsoft.Web/" + $resourceType + "/" + $name + "?api-version=2021-03-01"
Write-Host "Uri: $uri"

# Require authentication, return 401 to unauthenticated callers, and register the Azure AD provider.
# clientSecretSettingName is the name of the app setting that holds the client secret, not the secret itself.
$body = "{ 'properties': { 'globalValidation': { 'requireAuthentication': 'true', 'unauthenticatedClientAction': 'Return401' }, 'identityProviders': { 'azureActiveDirectory': { 'enabled': 'true', 'registration': { 'openIdIssuer': '$issuer', 'clientId': '$clientId', 'clientSecretSettingName': 'MICROSOFT_PROVIDER_AUTHENTICATION_SECRET' } } } } }"
az rest --method Put --uri $uri --verbose --body $body

Disable Authentication

param (
  [Parameter(Mandatory=$true)]
  [string]$functionAppName,

  [Parameter(Mandatory=$true)]
  [string]$resourceGroupName,

  [Parameter(Mandatory=$true)]
  [string]$subscriptionId
)

$identityProvider = "AzureActiveDirectory"
$resourceProviderName = "Microsoft.Web"
$resourceType = "sites"

# Define the resource name before it is printed below.
$name = $functionAppName + "/config/authsettingsV2"

Write-Host "Disable Authentication"
Write-Host "Resource Group Name               : $resourceGroupName"
Write-Host "Function App Name                 : $functionAppName"
Write-Host "Identity Provider                 : $identityProvider"
Write-Host "Resource Provider Name            : $resourceProviderName"
Write-Host "Resource Type                     : $resourceType"
Write-Host "Name                              : $name"

$uri = "/subscriptions/" + $subscriptionId + "/resourceGroups/" + $resourceGroupName + "/providers/Microsoft.Web/" + $resourceType + "/" + $name + "?api-version=2021-03-01"
Write-Host "Uri: $uri"

# Turn off the authentication requirement and let anonymous requests through.
$body = "{ 'globalValidation': { 'requireAuthentication': 'false', 'unauthenticatedClientAction': 'AllowAnonymous' }, 'httpSettings': { 'forwardProxy': { 'convention': 'NoProxy' }, 'requireHttps': 'true', 'routes': { 'apiPrefix': '/.auth' } }, 'identityProviders': { 'azureActiveDirectory': { 'enabled': 'true', 'login': { 'disableWWWAuthenticate': 'false' }, 'registration': {}, 'validation': { 'defaultAuthorizationPolicy': { 'allowedPrincipals': {} }, 'jwtClaimChecks': {} } } } }"

az rest --method Put --uri $uri --verbose --body $body
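
Because the disable script leaves the function app answering anonymous requests, it helps to record the settings beforehand and confirm afterwards that authentication is enforced again. The script below is an added example, not part of the original pair; it assumes the current settings can be read with a GET on the same resource path with /list appended, and the $mode and $snapshotPath parameters are hypothetical names.

```powershell
# Added example, not the author's code. $mode and $snapshotPath are hypothetical names.
param (
  [Parameter(Mandatory=$true)][string]$functionAppName,
  [Parameter(Mandatory=$true)][string]$resourceGroupName,
  [Parameter(Mandatory=$true)][string]$subscriptionId,
  [Parameter(Mandatory=$true)][ValidateSet("Snapshot", "Verify")][string]$mode,
  [string]$snapshotPath = "./authsettingsV2.snapshot.json"
)

# Same resource path as the scripts above, with /list appended to read the settings.
$uri = "/subscriptions/" + $subscriptionId + "/resourceGroups/" + $resourceGroupName +
       "/providers/Microsoft.Web/sites/" + $functionAppName +
       "/config/authsettingsV2/list?api-version=2021-03-01"

$json = az rest --method get --uri $uri | Out-String
if ($LASTEXITCODE -ne 0) { throw "Could not read auth settings for $functionAppName" }

if ($mode -eq "Snapshot") {
  # Run before the disable script: keeps a record of the settings being removed.
  Set-Content -Path $snapshotPath -Value $json
  Write-Host "Saved current auth settings to $snapshotPath"
  exit 0
}

# Verify mode: run after the enable script. A missing value counts as a failure.
$gv = ($json | ConvertFrom-Json).properties.globalValidation
$problems = @()
if ([string]$gv.requireAuthentication -ne "true") {
  $problems += "requireAuthentication is '$($gv.requireAuthentication)', expected true"
}
if ($gv.unauthenticatedClientAction -eq "AllowAnonymous") {
  $problems += "unauthenticatedClientAction is AllowAnonymous"
}

if ($problems.Count -gt 0) {
  $problems | ForEach-Object { Write-Warning $_ }
  exit 1   # non-zero exit so a pipeline step fails while the app is still open
}
Write-Host "Authentication is enforced on $functionAppName"
```

Run it with -mode Snapshot before the disable script and with -mode Verify after the enable script; the non-zero exit code lets a test pipeline stop if the app was left open.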

Conclusion

These two methods delete the authentication configuration on an Azure Function and re-add it with the help of the Azure CLI and PowerShell.