The Azure Portal for Flex Consumption plan Functions is throwing "Bad request" in my functions app.

Question

The Azure Portal for Flex Consumption plan Functions is throwing "Bad request" in my functions app.

J. Larry Aultman 1

I am trying to troubleshoot why one of my two functions always returns Unauthorized while it is set as anonymous. When I try to go to Overview screen I see the two functions in the list, but I also see this error: We were not able to load some functions in the list due to errors. Refresh the page to try again. When I click on either of the two functions all I get on Code + test or Integration tab is:
Error while loading

Ask questions and use troubleshooting tools to investigate these errors.Diagnose and solve problems

BadRequest
Error getting host status required to get template data

Florian Lenz 85 Reputation points MVP

2025-03-29T20:24:33.0566667+00:00

Can you post the code of the function itself?

Larry Aultman 5

Sure,
This is a Flex Consumption plan deployment. Postman immediately errors the attempt with Unauthorized. I have tried it as intended to force a login to Entra ID. I have also tried it after logging into Entra ID.
In testing locally running it with Azure connection strings and identities using Postman to send requests the code works as expected. I am using all updated packages.

app.http('GetTeamsAuth', {
    methods: ['GET', 'POST'],
    authLevel: 'anonymous',
    handler: async (request, context) => {
        try {
            const connectionString = process.env.COMMUNICATION_SERVICES_CONNECTION_STRING;
            const expectedTenantId = process.env.INTACT_TENANT_ID;

            const userClaims = request.headers.get('x-ms-client-principal');
            if (!userClaims) {
                return { status: 401, body: 'Unauthorized: No user claims found.' };
            }

            const decodedClaims = Buffer.from(userClaims, 'base64').toString('utf8');
            const claims = JSON.parse(decodedClaims);

            const userTenantId = claims.find(c => c.typ === 'tid')?.val;
            if (userTenantId !== expectedTenantId) {
                return { status: 403, body: 'Forbidden: User does not belong to the expected tenant.' };
            }

            const client = new CommunicationIdentityClient(connectionString);
            const user = await client.createUser();
            const tokenResponse = await client.getToken(user, ['voip']);

            return {
                status: 200,
                body: JSON.stringify({
                    userId: user.communicationUserId,
                    token: tokenResponse.token,
                    expiresOn: tokenResponse.expiresOn
                })
            };
        } catch (error) {
            context.log.error('Error generating token:', error);
            return { status: 500, body: 'An error occurred while generating the token.' };
        }
    }
});

Larry Aultman 5

I left this off

const { app } = require('@azure/functions');
const { CommunicationIdentityClient } = require('@azure/communication-identity');

Larry Aultman 5 Reputation points

2025-03-29T22:25:49.8+00:00
I injected this code immediately before the try { statement and it did not error in the browser.
Something in the code. Strange that the try catch does not catch the error. It just hangs and finally times out in the browser.

const { app } = require('@azure/functions'); const { CommunicationIdentityClient } = require('@azure/communication-identity');
Larry Aultman 5 Reputation points

2025-03-29T22:26:25.3166667+00:00

I have verified that the code run as designed in the local VSC instance.
Florian Lenz 85 Reputation points MVP

2025-03-29T23:14:28.1266667+00:00

Did you add the env variables to the azure function?
Larry Aultman 5 Reputation points

2025-03-30T09:29:33.7666667+00:00

Yes, I am using Fiddler to check the calls. I downgraded my local node.js to 20 from 22 to match the Azure node version. The code still runs on my local machine. I am getting the correct response from Azure Communication Service on the local. However, the code is crashing on Azure. Got to be there somewhere.
Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-04-01T05:03:23.5966667+00:00

@J. Larry Aultman

Could you please confirm whether you have resolved the issue or if you are still looking for insights
Larry Aultman 5 Reputation points

2025-04-09T13:35:54.42+00:00

Again for anyone following this thread. I have more information. The issue is this: if you add Authentication to your Functions App Flex or Consumption either one, and add the Microsoft Graph as your provider this will crash the Azure Portal for the Azure Functions.

If you want to see the error in action create a functions app, load a test function of some type, Hello World, doesn't matter as long as it is runnable. Next add the authentication Microsoft provider. Navigate to the Overview page and click on the test function name. When the page opens click the Test/Run. When it errors, you will see an error in the token.

If you get "Bad request", then you have already triggered the request for the token somewhere and it failed. You will only see the actual error once.

This is not a showstopper unless you want to use the Azure Portal for testing. But it does cause problems with authentication when using VSC debugging.

2 answers

Your answer

Florian Lenz 85 Reputation points MVP

2025-03-29T20:24:33.0566667+00:00

Can you post the code of the function itself?
Larry Aultman 5 Reputation points

2025-03-29T20:57:50.9333333+00:00

Sure,
This is a Flex Consumption plan deployment. Postman immediately errors the attempt with Unauthorized. I have tried it as intended to force a login to Entra ID. I have also tried it after logging into Entra ID.
In testing locally running it with Azure connection strings and identities using Postman to send requests the code works as expected. I am using all updated packages.

app.http('GetTeamsAuth', { methods: ['GET', 'POST'], authLevel: 'anonymous', handler: async (request, context) => { try { const connectionString = process.env.COMMUNICATION_SERVICES_CONNECTION_STRING; const expectedTenantId = process.env.INTACT_TENANT_ID; const userClaims = request.headers.get('x-ms-client-principal'); if (!userClaims) { return { status: 401, body: 'Unauthorized: No user claims found.' }; } const decodedClaims = Buffer.from(userClaims, 'base64').toString('utf8'); const claims = JSON.parse(decodedClaims); const userTenantId = claims.find(c => c.typ === 'tid')?.val; if (userTenantId !== expectedTenantId) { return { status: 403, body: 'Forbidden: User does not belong to the expected tenant.' }; } const client = new CommunicationIdentityClient(connectionString); const user = await client.createUser(); const tokenResponse = await client.getToken(user, ['voip']); return { status: 200, body: JSON.stringify({ userId: user.communicationUserId, token: tokenResponse.token, expiresOn: tokenResponse.expiresOn }) }; } catch (error) { context.log.error('Error generating token:', error); return { status: 500, body: 'An error occurred while generating the token.' }; } } });
Larry Aultman 5 Reputation points

2025-03-29T21:01:08.2766667+00:00

I left this off

const { app } = require('@azure/functions'); const { CommunicationIdentityClient } = require('@azure/communication-identity');
Larry Aultman 5 Reputation points

2025-03-29T22:25:49.8+00:00

I injected this code immediately before the try { statement and it did not error in the browser.
Something in the code. Strange that the try catch does not catch the error. It just hangs and finally times out in the browser.

const { app } = require('@azure/functions'); const { CommunicationIdentityClient } = require('@azure/communication-identity');
Larry Aultman 5 Reputation points

2025-03-29T22:26:25.3166667+00:00

I have verified that the code run as designed in the local VSC instance.
Florian Lenz 85 Reputation points MVP

2025-03-29T23:14:28.1266667+00:00

Did you add the env variables to the azure function?
Larry Aultman 5 Reputation points

2025-03-30T09:29:33.7666667+00:00

Yes, I am using Fiddler to check the calls. I downgraded my local node.js to 20 from 22 to match the Azure node version. The code still runs on my local machine. I am getting the correct response from Azure Communication Service on the local. However, the code is crashing on Azure. Got to be there somewhere.
Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-04-01T05:03:23.5966667+00:00

@J. Larry Aultman

Could you please confirm whether you have resolved the issue or if you are still looking for insights
Larry Aultman 5 Reputation points

2025-04-09T13:35:54.42+00:00

Again for anyone following this thread. I have more information. The issue is this: if you add Authentication to your Functions App Flex or Consumption either one, and add the Microsoft Graph as your provider this will crash the Azure Portal for the Azure Functions.

If you want to see the error in action create a functions app, load a test function of some type, Hello World, doesn't matter as long as it is runnable. Next add the authentication Microsoft provider. Navigate to the Overview page and click on the test function name. When the page opens click the Test/Run. When it errors, you will see an error in the token.

If you get "Bad request", then you have already triggered the request for the token somewhere and it failed. You will only see the actual error once.

This is not a showstopper unless you want to use the Azure Portal for testing. But it does cause problems with authentication when using VSC debugging.

Answer 1

We were running into the exact same issue and were able to fix thanks to the answer on this thread: https://learn.microsoft.com/en-us/answers/questions/2140342/azure-functions-flex-consumption-plan-authenticati

You can exclude path of the authentication, and apparently /admin is the dashboard path.
So something like this in Bicep:

    globalValidation: {
      requireAuthentication: true
      unauthenticatedClientAction: 'RedirectToLoginPage'
      excludedPaths: [
        '/admin/*'
      ]
    }

Or Terraform:

  auth_settings_v2 {
    auth_enabled           = true
    require_authentication = true
    require_https          = true
    unauthenticated_action = "Return401"
    excluded_paths         = ["/admin/*"]

I didn't see the option to do that through the portal though.

Answer 2

Larry Aultman 5

I have resolved the issue via trial and error since the portal is still not working. FYI it was and still is failing with an unhandled exception in the node.js when attempting to use JSON.parse of the Microsoft credentials. Created a custom parser to work around the problem. The absence of portal functionality prevented us from getting critical log information.

Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-04-03T08:16:37.6333333+00:00

@Larry Aultman

I have sent you a private message. Could you please check and respond
Larry Aultman 5 Reputation points

2025-04-04T08:56:51.1233333+00:00

@Sai Prabhu Naveen Parimi I got the notification of a private message and attempted to access the message, there was no message.
Larry Aultman 5 Reputation points

2025-04-04T09:04:46.58+00:00

For anyone interested, I have created Flex Consumption instances multiple times from scratch, and I get various strange errors that seem to point to different parts of a deployment are failing. Behaviors range from authorization issues, deployment failures outright, deployments succeed but not functions deployed.
In all cases of Flex Functions apps, the Portal always shows Bad request for most of its functions related to the logging, and functions operations in the portal. I have side-by-side created Consumption apps and these all work with the same code (configuration changes naturally) without the portal errors.
Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-04-09T06:27:19.5166667+00:00

@Larry Aultman

Could you refresh the page and check if you have received my private message
Larry Aultman 5 Reputation points

2025-04-09T13:22:11.48+00:00

I clicked on the link in the email and it takes me here. I refreshed the page and it does not change.

Share via

The Azure Portal for Flex Consumption plan Functions is throwing "Bad request" in my functions app.

2 answers

Your answer