Testing Azure Functions in Portal Returning 401 But When Running API Azure Functions Work Properly?

hampton123 1,175 Reputation points
2023-08-11T21:00:25.37+00:00

Currently I have an Azure Function integrated with APIM that calls on another Azure Function with a managed identity to manipulate blobs within a Storage Account. The Azure Function in APIM also contains a managed identity because it uses B2C for user authorization. Throughout the entire process of the API, the B2C bearer token is passed. When I try to test the two Azure Functions separately in the Azure portal (passing the Authorization Bearer token), I get "401 Unauthorized" errors for both Functions. However, when I do a complete run of the API, everything works properly. I was wondering why this is happening - although it keeps my API secure I want to know why this is the case.

Please let me know if any other information is required. I used this tutorial as a beginning template.


Accepted answer
  1. MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator
    2023-08-14T15:16:05.96+00:00

    Hunter B, thanks for posting your question in Microsoft Q&A. As Dr. S. Gomathi suggested, this depends on the context in which the 401 was thrown. If you have set the authorization level to Function, then the Function would expect the key in the query string ("?code=secretkey"), as described in the doc, along with the authorization token, or you can change it to anonymous depending on your need. Also, note that the doc talks about IP security, and enabling it would restrict access from the Azure portal even with a valid function key and token.

    If you don't have IP security enabled and face a 401 error even with the function key and auth token, then I suggest using Azure Function Diagnostics to investigate the error. I hope this helps, and let me know if you have any questions. Would be happy to answer.

    Update:
    We reviewed the browser console log and found the error was due to CORS policy, and adding the origin https://functions.azure.com as an allowed origin resolved the issue.

    Error: Access to XMLHttpRequest at 'https://<function-name>.azurewebsites.net/api/<api-name>' from origin 'https://functions.azure.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

    1 person found this answer helpful.
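
The CORS failure in the accepted answer's update, as an added example that is not part of the original answers: the portal test runs in the browser from origin https://functions.azure.com, and a request carrying an Authorization header triggers a CORS preflight, a check that server-to-server calls such as APIM invoking the Function never perform. The code is a simplified model of the browser's preflight decision; the function names and both sample responses are constructed for illustration.

```javascript
// Simplified model of a browser's CORS preflight check (added example).
const PORTAL_ORIGIN = "https://functions.azure.com";
// Headers sent cross-origin without preflight (Content-Type treated conservatively).
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);

const splitList = (v) =>
  (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request headers the browser must ask permission for in the OPTIONS preflight.
function headersNeedingPreflight(requestHeaders) {
  return Object.keys(requestHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h))
    .sort();
}

// Decide whether the browser would let the real request proceed.
function checkPreflight(origin, method, requestHeaders, response) {
  const h = {};
  for (const [k, v] of Object.entries(response.headers)) h[k.toLowerCase()] = v;
  if (response.status < 200 || response.status > 299)
    return { allowed: false, reason: `preflight returned HTTP ${response.status}` };
  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin)
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (allowOrigin !== "*" && allowOrigin !== origin)
    return { allowed: false, reason: `origin ${origin} is not allowed` };
  const m = method.toLowerCase();
  const methods = splitList(h["access-control-allow-methods"]);
  if (!["get", "head", "post"].includes(m) && !methods.includes("*") && !methods.includes(m))
    return { allowed: false, reason: `method ${method} is not allowed` };
  const allowed = splitList(h["access-control-allow-headers"]);
  for (const name of headersNeedingPreflight(requestHeaders)) {
    // Per the Fetch spec, "*" never covers Authorization; it must be listed.
    const viaWildcard = allowed.includes("*") && name !== "authorization";
    if (!viaWildcard && !allowed.includes(name))
      return { allowed: false, reason: `header ${name} is not allowed` };
  }
  return { allowed: true, reason: "preflight passed" };
}

// Constructed samples: the portal test request and two preflight responses.
const portalHeaders = { Authorization: "Bearer <b2c-token>" };
const beforeFix = { status: 200, headers: {} };
const afterFix = { status: 204, headers: {
  "Access-Control-Allow-Origin": PORTAL_ORIGIN,
  "Access-Control-Allow-Headers": "authorization",
} };
console.log(checkPreflight(PORTAL_ORIGIN, "POST", portalHeaders, beforeFix));
console.log(checkPreflight(PORTAL_ORIGIN, "POST", portalHeaders, afterFix));
```

A passed preflight only lets the browser send the real request; the Function still enforces its function key and bearer token on that request.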

1 additional answer

  1. Dr. S. Gomathi 710 Reputation points MVP
    2023-08-12T06:24:07.0666667+00:00

    Hi Hunter,

    Multiple components and interactions are involved in the scenario you're describing, so there could be multiple causes for the "401 Unauthorized" errors when testing Azure Functions individually. Let's disassemble it:

    Token for Bearer and Authorization:

    When you independently test Azure Functions in the Azure portal, you pass the B2C bearer token. This token is used for user authorization when using managed identities with Azure Functions. However, if you evaluate them separately, you may overlook some crucial configuration or context.

    Managed Identification:

    Each instance of Azure Functions and API Management has a managed identity. Managed identities provide applications with secure credentials to access other Azure services. However, managed identities may not function identically during local testing in the Azure portal as they do when executing the complete API. This may be due to variations in the runtime environment, access permissions, or authentication configuration.

    Relationship with the Storage Account:

    If your functions manipulate objects within a Storage Account, they must have the necessary permissions. To perform these operations, the managed identities must be appropriately configured with the required roles (such as Storage Blob Data Contributor). Ensure that the managed identities associated with your functions have the required Storage Account permissions.

    Management of APIs and Invocation of Functions:

    It is the responsibility of API Management to transmit the bearer token and invoke the underlying Azure Functions. The configuration and behaviour of API Management play a critical role in the propagation and use of the token when invoking functions.

    Token Verification and Distribution:

    The manner in which the bearer token is validated and propagated by API Management to your Azure Functions may result in variations between unit testing and executing the entire API. Some aspects of token validation may depend on the policies of API Management, which may operate differently during separate testing.

    Given the complexity of the setup and the interaction between components, it may be necessary to delve into your configuration, policies, and logs to identify the precise cause of the problem. It is essential to ensure that all components are configured uniformly and that managed identities have the appropriate access permissions to resources.

    To diagnose and determine the precise cause of "401 Unauthorised" errors, you may need to:

    - When the "401 Unauthorised" error occurs, examine the Azure Function records for specific error messages and details.
    - Examine the API Management instance's policies and configurations, particularly those pertaining to token validation and propagation.
    - Verify the permissions and duties of the managed identities for the Azure Functions and the Storage Account.
    - During local testing in the Azure portal, consider any differences in the runtime environment and how managed identities are handled.

    If problems persist, you may need to consult Azure's official documentation, contact their support, or seek assistance from a developer community familiar with Azure and API Management configurations.

    If you find this information useful, kindly accept the response. Feel free to ask if you have any additional queries or require further assistance!

    Regards,

    Dr. Gomathi S

    2 people found this answer helpful.
