How to Programatically Access Function App via Entra ID

Question

How to Programatically Access Function App via Entra ID

Jonah Bader 165

As the title says, I am trying to setup my Azure Function App to use Entra ID so that I can use that form of authentication to access it from other .NET 10 code. Ideally, I want to allow access to a managed identity of an App Service and grant my user access for running .NET 10 C# code in Visual Studio 2026.

I have followed this article and successfully gotten direct browser-based auth working, but not programmatic access. Securing Azure Function Apps with Microsoft Entra ID

When trying to use VisualStudioCredential for scope `api://

Rukmini 35,485 Reputation points Microsoft External Staff Moderator

2026-03-30T17:09:14.0133333+00:00
Hello Jonah Bader

Can you share the API permission blade screenshot?

Go to Client App Registration (or your dev identity):

API Permissions → Add permission

Select your API

Add:

user_impersonation

Click Grant admin consent
Jonah Bader 165 Reputation points

2026-03-30T17:46:05.5833333+00:00

Hi @rukminim, thanks for asking!

Here is a screenshot. I had previously added the user_impersonation role and granted admin consent.
Jonah Bader 165 Reputation points

2026-03-30T17:48:58.4533333+00:00

Maybe I need to back up and clarify:

I do not have a client app registration; I had only followed the guide I mentioned to create an app registration for the Function App's authentication.

Perhaps I don't understand why my dev identity would need a dedicated client, since my user is a member of the tenant and any managed identity exists in the tenant as well. Is there no way to rely on those identities themselves for authentication?

Thank you!!
Rukmini 35,485 Reputation points Microsoft External Staff Moderator

2026-03-30T17:56:19.15+00:00

Jonah Bader

Lets continue over private messages!

Answer accepted by question author

0 additional answers

Your answer

Rukmini 35,485 Reputation points Microsoft External Staff Moderator

2026-03-30T17:09:14.0133333+00:00

Hello Jonah Bader

Can you share the API permission blade screenshot?

Go to Client App Registration (or your dev identity):

API Permissions → Add permission

Select your API

Add:

user_impersonation

Click Grant admin consent
Jonah Bader 165 Reputation points

2026-03-30T17:46:05.5833333+00:00

Hi @rukminim, thanks for asking!

Here is a screenshot. I had previously added the user_impersonation role and granted admin consent.
Jonah Bader 165 Reputation points

2026-03-30T17:48:58.4533333+00:00

Maybe I need to back up and clarify:

I do not have a client app registration; I had only followed the guide I mentioned to create an app registration for the Function App's authentication.

Perhaps I don't understand why my dev identity would need a dedicated client, since my user is a member of the tenant and any managed identity exists in the tenant as well. Is there no way to rely on those identities themselves for authentication?

Thank you!!
Rukmini 35,485 Reputation points Microsoft External Staff Moderator

2026-03-30T17:56:19.15+00:00

Jonah Bader

Lets continue over private messages!

Answer 1

Rukmini 35,485 Microsoft External Staff Moderator

Hello Jonah Bader

Create an Microsoft Entra ID Function app and enable Authentication like below:

enter image description here

Expose an API

enter image description here

Added API permissions:

enter image description here

Now, generate access token and authenticate Function app by using below parameters:

GET https

I got the same error (401 Unauthorized) like below:

enter image description here

To resolve the error, make sure to pass x-functions-key header:

enter image description here

The x-functions-key value is the code value in the function URL:

enter image description here

After passing the header, I am able to authenticate the Function app successfully using access token like below:

GET https

enter image description here

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Jonah Bader 165 Reputation points

2026-03-30T18:50:51.87+00:00

Thank you for the assistance! In addition to the steps provided above, we discovered that I was using an incorrect audience for the authentication.

On the Function App > Authorization > Edit, the Allowed token audiences was set to api://CLIENTID/user_impersonation, which is incorrect. The value needed to be api://CLIENTID

Share via

How to Programatically Access Function App via Entra ID

0 additional answers

Your answer