Hi Linesh, all you need to do is to go and edit your function app identity provider. Under the client application requirements, select "Allow requests from a specific client application" and add your app registration client ID and ADF managed identity application ID (please don't get confused with the managed identity; it's the managed identity application ID, which you can find in the enterprise app or in the properties section of the ADF).
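As an added illustration (not part of the answer above or of any Microsoft sample), the same allowlist can also be enforced inside the Python function as a second layer: App Service authentication injects the authenticated caller into the X-MS-CLIENT-PRINCIPAL header as base64-encoded JSON, and the function can check that the calling application ID is one of the two IDs named above. The app IDs and the header contents below are constructed placeholders.

```python
import base64
import json

# Constructed placeholder IDs: the app registration client ID and the
# ADF managed identity application ID that were added to the allowlist.
ALLOWED_APP_IDS = {
    "11111111-1111-1111-1111-111111111111",  # app registration client ID
    "22222222-2222-2222-2222-222222222222",  # ADF managed identity application ID
}


def parse_client_principal(header_value):
    """Decode the base64 JSON that App Service authentication puts in
    X-MS-CLIENT-PRINCIPAL and return its claims as {claim_type: [values]}."""
    padded = header_value + "=" * (-len(header_value) % 4)
    principal = json.loads(base64.b64decode(padded))
    claims = {}
    for claim in principal.get("claims", []):
        claims.setdefault(claim["typ"], []).append(claim["val"])
    return claims


def caller_app_id(claims):
    """Application (client) ID of the caller: 'appid' in v1 tokens, 'azp' in v2."""
    for typ in ("appid", "azp"):
        if typ in claims:
            return claims[typ][0]
    return None


def is_allowed_caller(headers, allowed=ALLOWED_APP_IDS):
    """True only when the request carries an authenticated principal whose
    application ID is on the allowlist. Only meaningful behind App Service
    authentication, which replaces any client-supplied principal header;
    with auth fully off the header must not be trusted."""
    header = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not header:
        return False
    try:
        claims = parse_client_principal(header)
    except (ValueError, KeyError, TypeError):
        return False  # malformed header: treat as unauthenticated
    app_id = caller_app_id(claims)
    return app_id is not None and app_id in allowed


def make_test_header(app_id, claim_type="appid"):
    """Build a constructed principal header for local testing only."""
    principal = {"auth_typ": "aad", "claims": [
        {"typ": "aud", "val": "api://constructed-func-app"},
        {"typ": claim_type, "val": app_id}]}
    return base64.b64encode(json.dumps(principal).encode()).decode()
```

In a function handler the check would run against `req.headers` before any work is done, returning 403 when it fails.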
Azure Function App Forbidden Error When Triggered by Azure Data Factory using Managed Identity
Issue Description: Azure Function App Forbidden Error When Triggered by Azure Data Factory using Managed Identity
Function App Details:
Runtime: Python
Problem Description:
I have an Azure Function App with a private endpoint, and I’m using Azure Data Factory (ADF) to trigger this function app. The function app auth is set to “anonymous.” My goal is to trigger the function app using the managed identity of the ADF pipeline. However, I encounter the following error: “Call to provided Azure function 'XXXXX’ failed with status-‘Forbidden’ while invoking ‘POST’ on 'https://.azurewebsites.net/’ and message - ‘Invoking Azure function failed with HttpStatusCode - Forbidden.’” Additionally, the function app has its authentication set up with the Microsoft identity provider, and managed identity is set to on.
Expected Outcome:
I expect the ADF pipeline to successfully trigger the Azure Function App using its managed identity.
Steps Taken:
Managed Identity for ADF: I’ve ensured that my ADF pipeline is using a managed identity.
Role Assignment: I’ve followed the PowerShell script to assign the necessary roles to the service principal associated with my ADF.
Script:
# Object IDs of the principals (the ADF managed identity) that should receive the role
$ObjectIDs = @("")
# Application (client) ID of the function app's app registration
$FuncAppId = ""
$PermissionName = @("user.write")
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$FuncAppId'" | Select-Object -First 1
# App roles on the function app that applications (not users) are allowed to hold
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -in $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
foreach ($role in $AppRole) {
    foreach ($ObjectID in $ObjectIDs) {
        # assign the app role to the principal
        New-AzureADServiceAppRoleAssignment -ObjectId $ObjectID -PrincipalId $ObjectID -ResourceId $GraphServicePrincipal.ObjectId -Id $role.Id
    }
}
Function App Authentication: The function app authentication is set to “anonymous.”
Private Endpoint: The private endpoint configuration for the function app is in place.
Network Configuration: I’ve verified that the network configuration allows communication between ADF and the function app.
Despite these steps, the Forbidden error persists.
Additional Information:
I can successfully trigger the function run when the authentication is set to “Function,” using the function key code via ADF.
Please help me to find the solution.