403 from Azure DevOps Service Hook using HTTP triggered Azure Function with a private endpoint

Question

403 from Azure DevOps Service Hook using HTTP triggered Azure Function with a private endpoint

dotnet_guy 15

Hello,

I have a deployed Azure Function with private endpoint using System Assigned Managed Identity and talks to Azure DevOps API to update work items. I have to trigger the function based on an action in the service hook form, it is expecting authentication details, but the function doesn't use any. We added ADO deployed region's IP address range in the IP whitelist as well. Do I create a Microsoft Identity Provider in Authentication blade inside the Function app or there is another way?

Function works locally from Visual Studio when using Authorization Level 'Function' and gives a 203 when using 'Anonymous'. Firing the function from Edge.

It would be ideal if we do not use function key and send it as query param in the Service Hook form's URL.

Thanks.

MuthuKumaranMurugaachari-MSFT 22,421 Reputation points

2024-01-09T17:32:26.5366667+00:00

Rohit Juluru Thanks for posting your question in Microsoft Q&A. I assume you are using Azure Function to monitor DevOps API events as webhooks described here and looking for a way to secure with additional authentication.

I came across solution https://soltisweb.com/blog/detail/2021-05-21-automatingazuredevopsupdateswithazurefunctions which describes generating a Personal Access Token (PAT) and store it in Azure Key Vault (full repo).

To the second part, why 403 error was thrown needs to be investigated by enabling Application Insights in your azure function app and refer https://learn.microsoft.com/en-us/azure/azure-functions/configure-monitoring?tabs=v2. This logging will provide info about the client IP address and why the request was denied. If you can share the request ID, timestamp, etc. that will help in reviewing the logs.

I hope this helps and let me know if you have any other questions.
dotnet_guy 15 Reputation points

2024-01-11T01:07:11.7133333+00:00

Thank you for your response. We were planning to not use any secrets with our Azure function and solely rely on Managed Identities. I have added my resolution below, thank you.
dotnet_guy 15 Reputation points

2024-01-11T01:09:55.78+00:00

The authentication issue was resolved after adding our Azure DevOps project region's (visible in the settings) IP range in the whitelist of our function. Thanks.
MuthuKumaranMurugaachari-MSFT 22,421 Reputation points

2024-01-11T02:20:27.71+00:00

Rohit Juluru Glad to hear that your issue was resolved. Appreciate you sharing the solution with the community and it will greatly help others. As per Microsoft Q&A community policy: "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
MuthuKumaranMurugaachari-MSFT 22,421 Reputation points

2024-01-11T02:23:38.8933333+00:00

Rohit Juluru If you do have any questions, feel free to reach out to us. Thanks for your engagement in the community.

1 answer

Your answer

MuthuKumaranMurugaachari-MSFT 22,421 Reputation points

2024-01-09T17:32:26.5366667+00:00

Rohit Juluru Thanks for posting your question in Microsoft Q&A. I assume you are using Azure Function to monitor DevOps API events as webhooks described here and looking for a way to secure with additional authentication.

I came across solution https://soltisweb.com/blog/detail/2021-05-21-automatingazuredevopsupdateswithazurefunctions which describes generating a Personal Access Token (PAT) and store it in Azure Key Vault (full repo).

To the second part, why 403 error was thrown needs to be investigated by enabling Application Insights in your azure function app and refer https://learn.microsoft.com/en-us/azure/azure-functions/configure-monitoring?tabs=v2. This logging will provide info about the client IP address and why the request was denied. If you can share the request ID, timestamp, etc. that will help in reviewing the logs.

I hope this helps and let me know if you have any other questions.
dotnet_guy 15 Reputation points

2024-01-11T01:07:11.7133333+00:00

Thank you for your response. We were planning to not use any secrets with our Azure function and solely rely on Managed Identities. I have added my resolution below, thank you.
dotnet_guy 15 Reputation points

2024-01-11T01:09:55.78+00:00

The authentication issue was resolved after adding our Azure DevOps project region's (visible in the settings) IP range in the whitelist of our function. Thanks.
MuthuKumaranMurugaachari-MSFT 22,421 Reputation points

2024-01-11T02:20:27.71+00:00

Rohit Juluru Glad to hear that your issue was resolved. Appreciate you sharing the solution with the community and it will greatly help others. As per Microsoft Q&A community policy: "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
MuthuKumaranMurugaachari-MSFT 22,421 Reputation points

2024-01-11T02:23:38.8933333+00:00

Rohit Juluru If you do have any questions, feel free to reach out to us. Thanks for your engagement in the community.

Answer 1

403 error can be investigated by enabling Application Insights in your azure function app and refer https://learn.microsoft.com/en-us/azure/azure-functions/configure-monitoring?tabs=v2. This logging will provide info about the client IP address and why the request was denied.

Update for the community: Rohit Juluru resolved the issue by adding Azure DevOps project region's (visible in the settings) IP ranges to IP firewall of the Azure Function (Inbound).

I hope this helps others with the similar issues. Please let me know if any questions.

Share via

403 from Azure DevOps Service Hook using HTTP triggered Azure Function with a private endpoint

1 answer

Your answer