Azure Function App Forbidden Error When Triggered by Azure Data Factory using Managed Identity

Ranjan Khakurel 5

Issue Description: Azure Function App Forbidden Error When Triggered by Azure Data Factory using Managed Identity

Function App Details:
Runtime: Python

Problem Description:
I have an Azure Function App with a private endpoint, and I’m using Azure Data Factory (ADF) to trigger this function app. The function app auth is set to “anonymous.” My goal is to trigger the function app using the managed identity of the ADF pipeline. However, I encounter the following error: “Call to provided Azure function 'XXXXX’ failed with status-‘Forbidden’ while invoking ‘POST’ on 'https://.azurewebsites.net/’ and message - ‘Invoking Azure function failed with HttpStatusCode - Forbidden.’” Additionally, the function app has its authentication set up with Microsoft identity provider.Managed identity set to on.

Expected Outcome:
I expect the ADF pipeline to successfully trigger the Azure Function App using its managed identity.

Steps Taken:

Managed Identity for ADF: I’ve ensured that my ADF pipeline is using a managed identity.
Role Assignment: I’ve followed the PowerShell script to assign the necessary roles to the service principal associated with my ADF.
Script:
$ObjectIDs = @("")
$FuncAppId = ""
$PermissionName = @("user.write")
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$FuncAppId'" | Select-Object -first 1
$AppRole = $GraphServicePrincipal.AppRoles |             Where-Object {$.Value -in $PermissionName -and $.AllowedMemberTypes -contains "Application"} foreach($role in $AppRole) {    foreach($ObjectID in $ObjectIDs)     { #assign role ro automation account       New-AzureAdServiceAppRoleAssignment -ObjectId $ObjectID -PrincipalId $ObjectID
      -ResourceId $GraphServicePrincipal.ObjectId -Id $role.Id
    } } Function App Authentication: The function app authentication is set to “anonymous.”
Private Endpoint: The private endpoint configuration for the function app is in place.
Network Configuration: I’ve verified that the network configuration allows communication between ADF and the function app.
Despite these steps, the Forbidden error persists.

Additional Information:
I can successfully trigger the function run when the authentication is set to “Function.” using function key code via ADF.

Please help me to find the solution.

MuthuKumaranMurugaachari-MSFT 22,321 Reputation points

2024-02-23T21:07:21.64+00:00

Ranjan Khakurel Thanks for posting your question in Microsoft Q&A. Quick question, as per doc: https://learn.microsoft.com/en-us/azure/data-factory/control-flow-azure-function-activity#azure-function-linked-service, when you set Authentication as anonymous (instead of System-assigned managed identity), you need to take down the identity on the function app side. Since the authentication is set to Function works, can you try disabling the identity and validate?
Ranjan Khakurel 5 Reputation points

2024-02-23T21:27:44.5+00:00

Hi @MuthuKumaranMurugaachari-MSFT . My function app authorization level is set to Anonymous ( auth_level = func.Authlevel.ANONYMOUS) and I need to use System-assigned managed identity in linked service to call function app, not using function code. As I have already mentioned that function app auth_level when set to Function and linked service authentication when set to Anonymous works as expected. Disabling the identity also results in same error. I am not being able to call securely using system assigned managed identity
QuantumCache 20,266 Reputation points

2024-02-24T07:53:20.3766667+00:00

Ranjan Khakurel

Please make sure the Linked Service is using the Managed Virtual Network IR instead of Public IRI was able to repro your scenario: Root Cause of the issue: I am trying to Access Private Endpoint enabled Azure Function App via Public Type IR Instead I have to use the Managed Virtual Network IR to access to the Private Endpoint of the Azure Function app You can see that the connectivity is failed when i connect via Public Integration Runtime !

Below image shows that the connectivity was success when i used the right IR type
Ranjan Khakurel 5 Reputation points

2024-02-24T08:27:30.43+00:00

Hi Satis, Thanks for your prompt reply. I have used managed virtual network IR in my case. And the screenshot you are sharing still has anonymous authentication, which works in my end too. Can you please reproduce the issue using system assigned managed identity as authentication in linked service. Please keep in mind that I have used auth level as anonymous in my function app(not in adf linked service), therefore it does not generate function code/access key. As per the microsoft document, to secure function app endpoint for production , auth level must be anonymous. Ref : https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#configuration
QuantumCache 20,266 Reputation points

2024-02-24T11:10:25.47+00:00

Ranjan Khakurel
Quick Testing: Disable the Authentication and try. I am verifying this scenario!
Ranjan Khakurel 5 Reputation points

2024-02-26T20:26:12.7833333+00:00

Hi Satish, disabling the authentication works, but is that the secure way of doing it? Did you verify the scenario?
QuantumCache 20,266 Reputation points

2024-02-26T21:08:24.87+00:00

@Ranjan Khakurel I am still working on the lab, did you got a chance to disable the Auth and see if that allows the connection?
Ranjan Khakurel 5 Reputation points

2024-02-26T21:32:08.5466667+00:00

yes, I tried disabling the authentication and doing so it allows the connection to work. Its equivalent to setting the authentication to non rather than Managed identity.
QuantumCache 20,266 Reputation points

2024-02-26T21:34:59.22+00:00

@Ranjan Khakurel thanks for the quick response and confirmation, please stay tuned.
Ranjan Khakurel 5 Reputation points

2024-02-27T00:26:58.39+00:00

Thanks , feeling hopeful
Ranjan Khakurel 5 Reputation points

2024-02-28T19:54:11.4466667+00:00

Hi Satish, did you manage to find any solution?
Ranjan Khakurel 5 Reputation points

2024-03-01T21:54:55.53+00:00

Considering the time constraint , I would kindly request to expedite the findings if possible. Please be noted that we have used the similar configurations multiple times in the past and it is not working apparently. Thank you for your support.
QuantumCache 20,266 Reputation points

2024-03-01T22:29:39.8833333+00:00

@Ranjan Khakurel Apologies for the inconvenience caused. Taking offline for troubleshooting.
Linesh Gajera 0 Reputation points Microsoft Employee

2024-04-05T15:52:26.4666667+00:00

i am having the same issue and unable to call Azure function from ADF with Managed Identity and getting Forbidden error regardless of Public or VNet Managed IR.

I followed https://prodata.ie/2022/06/16/enabling-managed-identity-authentication-on-azure-functions-in-data-factory/ article but no success.

Has anyone resolved this issue?
Linesh Gajera 0 Reputation points Microsoft Employee

2024-04-05T16:48:19.67+00:00

Ranjan,

It does work and now I am able to call the function. Thanks
Ranjan Khakurel 5 Reputation points

2024-04-05T16:52:47.9633333+00:00

Glad to assist you, Linesh. I've experienced a similar situation before, and I know it was quite frustrating to go for weeks without any proper documentation or solution.

1 answer

Ranjan Khakurel 5 Reputation points

2024-04-05T16:39:57.1966667+00:00

Hi Linesh, all you need to do is to go and edit your function app identity provider. Under the client application requirements, select "Allow requests from a specific client application" and add your app registration client ID and ADF managed identity application ID (please don't get confused with the managed identity; it's the managed identity application ID, which you can find in the enterprise app or in the properties section of the ADF).
Please sign in to rate this answer.

1 person found this answer helpful.
Diego Menese 1 Reputation point

2024-09-05T15:13:58.8766667+00:00

Adding the ADF managed identity -on top of existing app registration client ID did not help. Anyone figured out how to make it work?

Diego Menese 1 Reputation point

2024-09-05T15:20:37.2333333+00:00

Ranjan, so you started this thread and it seems it worked for you with the last change. Did it worked then? I believe I configured every step but still getting the same error that you were getting.

De Raeve, Wouter 1 Reputation point

2024-10-06T22:05:50.6133333+00:00

@Ranjan Khakurel I am facing similar challenges in calling an Azure Function from ADF. Would you be so kind to assist?

De Raeve, Wouter 1 Reputation point

2024-10-06T22:20:04.34+00:00

@Diego Menese I am facing the same issue. Did you manage to solve it?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Function App Forbidden Error When Triggered by Azure Data Factory using Managed Identity

1 answer

Your answer