Entra Custom Authentication Extensions to Function App in a Private vNet

Josh Christensen 5 Reputation points
2024-03-21T11:45:11.0466667+00:00

I have gone through the documentation on setting up a custom authentication extension, and have built a function app and configured all the parts for making a call into my function app endpoint for the On Token Issuance Start event.

My function app is set to a private vnet for both incoming and outgoing requests. Public access is set to "Enabled with Access Restrictions". In the access rules, I have allowed AzureActiveDirectory and AzureActiveDirectoryDomainServices into the application.

I am getting an error when I use my test URL, as provided in the documentation.

AADSTS1100001: Non-retryable error has occurred. Underlying error code: 1003002. Trace ID: 219e3449-3fdb-4867-b305-6a5a144b0000 Correlation ID: ab949e5e-320a-4a8c-8ca6-c6c4fb962f9c Timestamp: 2024-03-21 11:40:03Z

I suspect this is because Entra still doesn't have access to my application. According to https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-troubleshoot?tabs=obtain-an-access-token#error-codes-reference, the underlying error code is because Entra did not receive a 200 response, but I cannot find anywhere in the logs that gives me the actual error received. Also, my function app is not receiving any calls in its Application Insights logs, so I suspect the calls Entra is making are being blocked.

What IP addresses or service tags do I need to add to my function app so Entra can gather claims from my function application?

Azure Functions
Microsoft Entra External ID