Calling Azure Function protected by Microsoft Azure AD from command line not working with AccessToken, but with IdToken

Kiril 96 Reputation points

I created an Azure Function in Visual Studio Code and deployed it to Azure. After that I enabled Authentication using Microsoft as a provider. This generated the App Registration and the Enterprise App.


After that, I added "Mobile and desktop applications" to the Enterprise App, because I want to call the Azure Function from the command line, and included http://localhost in the Redirect URIs:


Now, I am trying to call the Azure Function endpoint:

using System.Collections.Generic;  
using System.Net.Http;  
using System.Net.Http.Headers;  
using Microsoft.Identity.Client;  
  
var clientId = "";  
var tenantId = "";  
var endPoint = "";  
// Public client (no client secret) using the registered http://localhost redirect URI  
IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId).WithDefaultRedirectUri().WithAuthority(AadAuthorityAudience.AzureAdMyOrg).WithTenantId(tenantId).Build();  
// Interactive browser sign-in, requesting the Microsoft Graph scope User.Read  
var result = await app.AcquireTokenInteractive(new List<string> { "User.Read" }).ExecuteAsync();  
HttpClient client = new HttpClient();  
// Send the access token to the Function as a Bearer token  
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);  
var response = await client.GetAsync(endPoint);  
var responseString = await response.Content.ReadAsStringAsync();  

When I execute the code, a new browser tab opens where I can log in. This works as expected and I receive a message:

"Authentication complete. You can return to the application. Feel free to close this browser tab."  

The result from the endpoint is not what I expect:

"You do not have permission to view this directory or page."  

If I slightly change my code as follows, I get the expected response.

client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.IdToken); // IdToken instead of AccessToken  


"This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."  

However, reading through Microsoft documentation I understood that using IdToken here is wrong and I should always use the AccessToken. My question: how do I pass the AccessToken as Bearer token and make it possible to call the Azure Function?


1 answer

  1. Kiril 96 Reputation points

    Adding <client_id>/user_impersonation to the scope seems to fix the problem.

    2 people found this answer helpful.
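The fix from the answer, written out as an added example that is not the poster's code: the token is requested with the scope that targets the Function's own app registration instead of Microsoft Graph's User.Read, and its aud claim is checked on the client before the call. clientId, tenantId and endPoint are placeholders, and GetAudience is a hypothetical helper.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class Program
{
    // Reads the "aud" claim of a JWT without validating the signature; the Function's
    // built-in authentication does the real validation, this is only a client-side sanity check.
    static string GetAudience(string jwt)
    {
        var payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return doc.RootElement.GetProperty("aud").GetString();
    }

    static async Task Main()
    {
        var clientId = "<client_id>";    // placeholder: client id of the Function's app registration
        var tenantId = "<tenant_id>";    // placeholder
        var endPoint = "<function_url>"; // placeholder

        IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId)
            .WithDefaultRedirectUri()
            .WithAuthority(AadAuthorityAudience.AzureAdMyOrg)
            .WithTenantId(tenantId)
            .Build();

        // "User.Read" yields an access token whose audience is Microsoft Graph, which the
        // Function rejects. The scope from the answer targets the Function's own registration.
        var scopes = new List<string> { $"{clientId}/user_impersonation" };
        var result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();

        var aud = GetAudience(result.AccessToken);
        if (aud is null || !aud.Contains(clientId))
            throw new InvalidOperationException($"Access token audience '{aud}' is not this app; check the requested scope.");

        using var client = new HttpClient();
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        var response = await client.GetAsync(endPoint);
        Console.WriteLine($"{(int)response.StatusCode}: {await response.Content.ReadAsStringAsync()}");
    }
}
```

The audience check fails fast with a clear message when a Graph token is sent by mistake, instead of the opaque "You do not have permission" page from the Function.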