Hello @dotnet_guy
Highlights
- CORS is a browser security feature: It's enforced by the browser, not the server. The server's job is to provide the correct headers to allow the browser to make the request.
- Authentication can mask CORS issues: A failed authentication can result in a CORS-like error in the browser.
- The OPTIONS request is critical: Ensure the server correctly handles the OPTIONS request and returns the appropriate CORS headers.
- Double-check everything: Typos in URLs or incorrect settings can easily cause CORS errors.
- Isolate the problem: Test the Azure Function independently to rule out issues with the function itself.
- Private Link adds complexity: Ensure the DNS configuration is correct and that the SharePoint app can reach the private endpoint.
[Step 1]: Verify CORS Configuration in Azure Portal
The most common cause of CORS issues is an incorrect or incomplete CORS configuration in the Azure Function App settings.
- Navigate to your Azure Function App in the Azure portal.
- Go to "CORS" under the "API" section.
- Ensure your SharePoint URL (e.g., https://yourtenant.sharepoint.com) is listed in the "Allowed Origins". Make sure there are no typos. Also, avoid using a wildcard (*) for production environments. If you are using a wildcard for testing, remove it and explicitly add the SharePoint URL.
- Save the CORS settings. Sometimes, changes aren't immediately applied. Restarting the Function App can help.
[Step 2]: Investigate Authentication Issues
Even if you believe authentication is correct, it's crucial to verify it. A failed authentication can manifest as a CORS error in the browser.
- Examine the Azure Function logs: Check the Azure Function's logs in Application Insights or the Azure portal for any authentication-related errors. Look for 401 Unauthorized errors or any messages indicating authentication failure.
- Verify App Registration Permissions: Ensure the App Registration used for authentication has the necessary permissions to access the Azure Function. Specifically, check the API permissions granted to the app registration.
- Check Token Acquisition: In the SharePoint app, verify that the access token is being correctly acquired and passed in the Authorization header of the request to the Azure Function. Use the browser's developer tools to inspect the request headers. The header should look like: Authorization: Bearer <your_access_token>.
- Test without Authentication (Temporarily): As a temporary troubleshooting step, disable authentication on the Azure Function (if possible in your environment) to see if the CORS error disappears. If it does, the issue is definitely related to authentication. Do not leave authentication disabled in a production environment.
[Step 3]: Analyze the OPTIONS Request and Response
The browser sends an OPTIONS request before the actual POST request to check CORS permissions.
- Use the browser's developer tools (Network tab) to inspect the OPTIONS request and response headers.
- Verify the Access-Control-Allow-Origin header in the OPTIONS response. It should either match the origin of the SharePoint app (e.g., https://yourtenant.sharepoint.com) or be a wildcard (*). If it's not present or doesn't match, the CORS configuration is incorrect.
- Check the Access-Control-Allow-Methods header. It should include POST (and OPTIONS itself).
- Check the Access-Control-Allow-Headers header. It should include Content-Type and Authorization (and any other custom headers your SharePoint app is sending).
- Examine the OPTIONS request headers sent by the browser. Pay attention to the Origin header. Ensure it's the correct URL of your SharePoint site.
[Step 4]: Debug the Azure Function Code
The 500 error suggests that the Azure Function is failing.
- Add detailed logging to your Azure Function code. Use ILogger to log information about the request, including headers, body, and any relevant variables.
- Check for exceptions: Make sure your code handles exceptions gracefully and logs them. A 500 error often indicates an unhandled exception.
- Test the Azure Function independently: Use a tool like Postman or curl to send a POST request to the Azure Function directly (bypassing SharePoint). This will help you isolate whether the issue is with the Azure Function itself or with the interaction between SharePoint and the function. If you are using authentication, you will need to provide a valid token in the Authorization header.
[Step 5]: Investigate Private Link Configuration (If Applicable)
While you don't think Private Link is the issue, it's worth verifying.
- Ensure the DNS configuration is correct. The DNS records for your Azure Function should resolve to the private IP address of the private endpoint.
- Verify that the SharePoint app is able to reach the private endpoint. You might need to configure DNS resolution within your SharePoint environment to ensure it can resolve the private IP address.
- Temporarily disable Private Link (if possible in your test environment) to see if the issue resolves. This will help you determine if Private Link is contributing to the problem.
[Step 6]: Remove Programmatic Header Setting (and Verify)
Remove the programmatic header settings in your C# code. The Azure Function runtime should handle CORS based on the configuration in the Azure portal. Setting the headers programmatically can sometimes interfere with the runtime's CORS handling. After removing the code, redeploy the function and re-test.
If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.
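
The Step 3 header checks from the answer above, as an added example that is not part of the original answer or of any Microsoft tooling: it takes the OPTIONS request and response copied from the browser's Network tab and lists what a browser would reject. The function name `checkPreflight` and every sample value are assumptions constructed for illustration; the rules follow the Fetch standard, under which `*` in Access-Control-Allow-Headers does not cover Authorization and a header emitted twice (the Step 6 situation) fails the origin check.

```javascript
// Added example: checks a captured OPTIONS exchange the way Step 3 describes.
// checkPreflight and all sample values are hypothetical / constructed.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"]; // browsers accept these unlisted

const splitList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, requestHeaders: [names], credentials: boolean }
// res: { status, headers: { "lower-case-name": "value" } }
function checkPreflight(req, res) {
  const problems = [];
  const h = res.headers;
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);

  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) problems.push("Access-Control-Allow-Origin missing");
  else if (allowOrigin.includes(",")) problems.push("Access-Control-Allow-Origin set more than once");
  else if (allowOrigin === "*") {
    if (req.credentials) problems.push("wildcard origin not accepted with credentials");
  } else if (allowOrigin !== req.origin) problems.push(`origin mismatch: ${allowOrigin}`);

  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    problems.push("Access-Control-Allow-Credentials: true missing");

  const methods = splitList(h["access-control-allow-methods"]);
  const methodOk = methods.includes(req.method) || SAFELISTED_METHODS.includes(req.method) ||
    (methods.includes("*") && !req.credentials);
  if (!methodOk) problems.push(`method ${req.method} not allowed`);

  const allowed = splitList(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  const wildcard = allowed.includes("*") && !req.credentials;
  for (const name of req.requestHeaders.map((s) => s.toLowerCase())) {
    // "*" never covers Authorization; it has to be named explicitly.
    const covered = allowed.includes(name) || (wildcard && name !== "authorization");
    if (!covered) problems.push(`header ${name} not allowed`);
  }
  return problems;
}

// Constructed sample: bearer-token POST from the SharePoint page.
const sampleRequest = {
  origin: "https://yourtenant.sharepoint.com", method: "POST",
  requestHeaders: ["authorization", "content-type"], credentials: false,
};
const sampleResponse = { status: 204, headers: {
  "access-control-allow-origin": "https://yourtenant.sharepoint.com/", // trailing-slash typo
  "access-control-allow-methods": "POST, OPTIONS",
  "access-control-allow-headers": "*",
} };
console.log(checkPreflight(sampleRequest, sampleResponse));
```

Fill `requestHeaders` from the Access-Control-Request-Headers value of the captured OPTIONS request, and set `credentials` to true only if the page calls the function with cookies or `credentials: "include"`.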