Entra Custom Authentication Extensions to Function App in a Private vNet
I have gone through the documentation on setting up a custom authentication extension, and have built a function app and configured all the parts for making a call into my function app endpoint for the On Token Issuance Start event.
My function app is set to a private vNet for both incoming and outgoing requests. Public access is set to "Enabled with Access Restrictions". In the access rules, I have allowed AzureActiveDirectory and AzureActiveDirectoryDomainServices into the application.
I am getting an error when I use my test url, as provided in the documentation.
AADSTS1100001: Non-retryable error has occurred. Underlying error code: 1003002. Trace ID: 219e3449-3fdb-4867-b305-6a5a144b0000 Correlation ID: ab949e5e-320a-4a8c-8ca6-c6c4fb962f9c Timestamp: 2024-03-21 11:40:03Z
I suspect this is because Entra still doesn't have access to my application. According to https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-troubleshoot?tabs=obtain-an-access-token#error-codes-reference the underlying error code is because Entra did not receive a 200 response, but I cannot find anywhere in the logs that gives me the actual error received. Also, my function app is not receiving any calls in its application insights logs, so I suspect the calls Entra is making are being blocked.
What IP addresses or service tags do I need to add to my function app so Entra can gather claims from my function application?
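The following is an added example, not code from the question above or from Microsoft's sample projects. It shows what the function endpoint behind the On Token Issuance Start event has to return so that Entra sees an HTTP 200 with the documented response shape (underlying error 1003002 is logged whenever that does not happen, including when the call never reaches the app). The request payload follows the documented onTokenIssuanceStartCalloutData shape; all IDs and user fields in it are constructed placeholders. `lookup_claims` is a hypothetical claims source, the `azure.functions` HttpRequest/HttpResponse wiring is left out so the block runs offline, and validation of the inbound bearer token that Entra sends is out of scope here and must be added before deploying.

```python
import json

# Event and payload type identifiers as documented for custom authentication
# extensions (On Token Issuance Start).
EXPECTED_EVENT_TYPE = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
EXPECTED_DATA_TYPE = "microsoft.graph.onTokenIssuanceStartCalloutData"
RESPONSE_DATA_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData"
PROVIDE_CLAIMS_ACTION = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken"

# Constructed sample callout; every GUID and user value is a placeholder.
SAMPLE_REQUEST = {
    "type": EXPECTED_EVENT_TYPE,
    "source": "/tenants/00000000-0000-0000-0000-000000000000"
              "/applications/11111111-1111-1111-1111-111111111111",
    "data": {
        "@odata.type": EXPECTED_DATA_TYPE,
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "authenticationEventListenerId": "22222222-2222-2222-2222-222222222222",
        "customAuthenticationExtensionId": "33333333-3333-3333-3333-333333333333",
        "authenticationContext": {
            "correlationId": "55555555-5555-5555-5555-555555555555",
            "protocol": "OAUTH2.0",
            "user": {
                "id": "44444444-4444-4444-4444-444444444444",
                "userPrincipalName": "alice@contoso.example",
                "displayName": "Alice Example",
            },
        },
    },
}
SAMPLE_REQUEST_JSON = json.dumps(SAMPLE_REQUEST)


def lookup_claims(user):
    """Hypothetical claims source (assumption: a real app would query a
    directory, database or API keyed on the user's object ID)."""
    return {
        "dateOfBirth": "01/01/2000",
        "customRoles": ["Writer", "Editor"],
        "upn": user.get("userPrincipalName", ""),
    }


def handle_token_issuance_start(raw_body):
    """Validate the callout body and build Entra's expected response.

    Returns (http_status, response_dict). Only a 200 whose body has the
    documented onTokenIssuanceStartResponseData shape is accepted by Entra;
    any other status, or no response at all, surfaces as error 1003002.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, {"error": "request body is not valid JSON"}

    if body.get("type") != EXPECTED_EVENT_TYPE:
        return 400, {"error": "unexpected event type %r" % body.get("type")}

    data = body.get("data") or {}
    if data.get("@odata.type") != EXPECTED_DATA_TYPE:
        return 400, {"error": "unexpected data @odata.type"}

    context = data.get("authenticationContext") or {}
    user = context.get("user") or {}
    if not user.get("id"):
        return 400, {"error": "no user in authenticationContext"}

    # Log the correlation ID so a failed sign-in (which reports a Correlation
    # ID in the AADSTS error text) can be matched against the app's own logs.
    print("tokenIssuanceStart callout correlationId=%s user=%s"
          % (context.get("correlationId"), user["id"]))

    response = {
        "data": {
            "@odata.type": RESPONSE_DATA_TYPE,
            "actions": [
                {
                    "@odata.type": PROVIDE_CLAIMS_ACTION,
                    "claims": lookup_claims(user),
                }
            ],
        }
    }
    return 200, response


if __name__ == "__main__":
    status, resp = handle_token_issuance_start(SAMPLE_REQUEST_JSON)
    print(status, json.dumps(resp, indent=2))
```

If the endpoint is reachable, the correlation ID printed by the handler appears in Application Insights for every callout; an AADSTS1100001 with no matching entry means the request was never delivered to the app rather than rejected by it.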