Custom authentication for Azure functions app

Question

Custom authentication for Azure functions app

Parag Kale 25

I have a use case where there is anonymous auth set on functions which we are invoking from a nuget package and they get added to our main functions app. We have no control to change that code.

I want to authenticate those functions

we don’t have Authentication set for the main functions app in the azure portal. Hence don’t want to include it , as that could break our application functions

is there a example of implementing custom auth for the functions coming from the nuget

Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-04-25T12:30:04.8566667+00:00

@Parag Kale ,

Could you clarify your preferred approach for securing access to the functions called from the NuGet package? Specifically, do you have any constraints or preferences regarding authentication mechanisms (e.g., API keys, JWT), integration with existing identity systems, or centralized versus function-level authentication?
Parag Kale 25 Reputation points

2025-04-25T12:53:51.2166667+00:00

We would like to use JWT authentication

To provide more info, we are using the tool from Microsoft https://github.com/microsoft/DurableFunctionsMonitor in an injected mode , so these functions appear in our existing functions app and we have no way to change the anonymous auth set for these functions

We don't want to configure Authentication tab in our existing functions app , because that will impact our existing application azure functions , as they depend on function key. There is no existing Authentication for them

Hence looking for a custom authentication way just to handle the functions coming from that tool

Accepted answer

0 additional answers

Your answer

Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-04-25T12:30:04.8566667+00:00

@Parag Kale ,

Could you clarify your preferred approach for securing access to the functions called from the NuGet package? Specifically, do you have any constraints or preferences regarding authentication mechanisms (e.g., API keys, JWT), integration with existing identity systems, or centralized versus function-level authentication?
Parag Kale 25 Reputation points

2025-04-25T12:53:51.2166667+00:00

We would like to use JWT authentication

To provide more info, we are using the tool from Microsoft https://github.com/microsoft/DurableFunctionsMonitor in an injected mode , so these functions appear in our existing functions app and we have no way to change the anonymous auth set for these functions

We don't want to configure Authentication tab in our existing functions app , because that will impact our existing application azure functions , as they depend on function key. There is no existing Authentication for them

Hence looking for a custom authentication way just to handle the functions coming from that tool

Answer 1

The least disruptive way for you to accomplish this would be to run the Durable Functions Monitor functionality in a separate Function App with EasyAuth enabled. You may also choose to run it containerized on your local computer. Both methods are described in https://github.com/scale-tone/DurableFunctionsMonitor/blob/master/durablefunctionsmonitor.dotnetbackend/README.md.

It is also possible to enable EasyAuth in an Azure Function App but only for specific paths. This can be achieved by using the globalValidation.excludedPaths setting or the WEBSITE_WARMUP_PATH environment variable to exclude specific paths from EasyAuth. You can exclude certain URL paths from EasyAuth using the globalValidation.excludedPaths setting. This allows you to enable EasyAuth for the entire Function App but exclude specific paths from requiring authentication. The WEBSITE_WARMUP_PATH environment variable can also be used to exclude specified paths from EasyAuth. This is particularly useful for scenarios where you need to allow unauthenticated access to certain endpoints, such as health probes.

Using globalValidation.excludedPaths

{
  "auth": {
    "enabled": true,
    "globalValidation": {
      "excludedPaths": [
        "/public/*",
        "/health"
      ]
    }
  }
}

Using WEBSITE_WARMUP_PATH

Set the WEBSITE_WARMUP_PATH environment variable in your Function App settings:

WEBSITE_WARMUP_PATH = /public/*,/health

These methods are really intended to provided ways to have specific endpoints excluded from otherwise secured function apps, but with some creative handling of the paths may be leveraged to meet your goal.

Parag Kale 25 Reputation points

2025-04-25T17:49:16.53+00:00

Thanks Kyle

I am interested to know if there is any inverse setting / configuration to that you mentioned ?

For example , apply easy auth to just /durable-functions-monitor/ , i.e. any path that contains this pattern and rest all no authentication ?*
Kyle Burns 91 Reputation points Microsoft Employee

2025-04-25T19:09:30.6766667+00:00

No the inverse is not an option. As the functionality is not really intended for your use case (this is why my first recommendation is to host the DurableFunctionMonitor separately), adding more flexibility is likely complexity that doesn't make sense for the product team to have taken on and also would increase the security risk of misconfiguration.

Share via

Custom authentication for Azure functions app

0 additional answers

Your answer