Yes, you can, please follow the steps below.
1. Navigate to your function app in the portal -> Authentication / Authorization -> configure it with Azure AD auth, follow this doc. Note: in Express, we select Create New AD App, it will reduce unnecessary trouble. After configuration, it will be like below.
2. After a while, navigate to Azure Active Directory in the portal -> App registrations -> search for your function app name with the filter All applications -> click it -> App roles | Preview -> Create app role -> create the role like below -> Apply.
Navigate to Overview -> click Managed application in local directory. In the Properties -> set User assignment required? to Yes.
3. Use the PowerShell below to give the app role to your MSI (managed identity); replace the <datafactory-name> and <functionapp-name>. Make sure you have installed the AzureAD PowerShell module and have enough permission to assign the app role.
Connect-AzureAD
# service principal of the data factory's managed identity (the principal that will hold the role)
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '<datafactory-name>'"
# service principal of the function app's AD app (the resource that exposes the role)
$funapp = Get-AzureADServicePrincipal -Filter "displayName eq '<functionapp-name>'"
# the Value of the app role created in step 2
$PermissionName = "Function.Test"
$approle = $funapp.AppRoles | Where-Object {$_.Value -eq $PermissionName}
# assign the role: principal = MSI, resource = function app, Id = the app role's id
New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $funapp.ObjectId -Id $approle.Id
4. Navigate to the httptrigger in your function app, set the Authorization level to Anonymous, because we have configured AAD auth.
5. Then in your ADF, create a web activity to test, use the settings like below.
URL - https://<functionapp-name>.azurewebsites.net/api/HttpTrigger1
Resource - https://<functionapp-name>.azurewebsites.net
Run it, it will work fine.
In this solution, we secure the function with the app role. If you don't give the role to your MSI (i.e. step 3), the MSI will not be able to access the function; in other words, if you give the role only to your MSI, only your MSI will be able to access the function.
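The security of this setup rests on three settings from steps 2 and 3 all being in place at once: "User assignment required?" on the function app's service principal, an enabled app role that allows application members, and exactly the assignments you intend. The script below is an added verification example and is not part of the answer above; it uses the same AzureAD module and the same placeholders, assumes Connect-AzureAD has already been run, and the function name Test-FunctionAppRoleAssignment and its parameter names are my own. It reports any of the three conditions that does not hold, and lists any other principal that also holds a role on the function app, so that the "only your MSI" claim can be checked rather than assumed.

```powershell
# Added verification script (not part of the original answer). Assumes the AzureAD
# module is installed, Connect-AzureAD has been run, and the same placeholders and
# app role value ("Function.Test") as in the answer. Function and parameter names are
# hypothetical.
function Test-FunctionAppRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $DataFactoryName,  # display name of the ADF managed identity
        [Parameter(Mandatory)] [string] $FunctionAppName,  # display name of the function app's AD app
        [string] $PermissionName = "Function.Test"         # app role Value created in step 2
    )

    $msi    = Get-AzureADServicePrincipal -Filter "displayName eq '$DataFactoryName'"
    $funapp = Get-AzureADServicePrincipal -Filter "displayName eq '$FunctionAppName'"
    if (-not $msi)    { throw "No service principal named '$DataFactoryName' (is the ADF managed identity enabled?)" }
    if (-not $funapp) { throw "No service principal named '$FunctionAppName' (was Easy Auth configured with a new AD app?)" }

    $findings = @()

    # 1. "User assignment required?" (AppRoleAssignmentRequired on the service principal) must be
    #    Yes; otherwise any identity in the tenant can obtain a token for the function's resource.
    if (-not $funapp.AppRoleAssignmentRequired) {
        $findings += "AppRoleAssignmentRequired is false on '$FunctionAppName': set 'User assignment required?' to Yes."
    }

    # 2. The app role must exist, be enabled, and allow application (service principal) members.
    $approle = $funapp.AppRoles | Where-Object { $_.Value -eq $PermissionName }
    if (-not $approle) {
        $findings += "App role '$PermissionName' not found on '$FunctionAppName'."
    } else {
        if (-not $approle.IsEnabled) { $findings += "App role '$PermissionName' is disabled." }
        if ($approle.AllowedMemberTypes -notcontains "Application") {
            $findings += "App role '$PermissionName' does not allow 'Applications' as members, so an MSI cannot hold it."
        }
    }

    # 3. Look for the assignment of that role from the function app (resource) to the MSI (principal).
    #    The two AzureAD assignment cmdlets are easy to confuse about direction, so query both and
    #    filter on PrincipalId/ResourceId/Id instead of trusting either cmdlet's name.
    $assignments = @()
    $assignments += @(Get-AzureADServiceAppRoleAssignedTo -ObjectId $msi.ObjectId -ErrorAction SilentlyContinue)
    $assignments += @(Get-AzureADServiceAppRoleAssignment -ObjectId $funapp.ObjectId -ErrorAction SilentlyContinue)
    $match = $assignments | Where-Object {
        $_.PrincipalId -eq $msi.ObjectId -and $_.ResourceId -eq $funapp.ObjectId -and ($approle -and $_.Id -eq $approle.Id)
    }
    if (-not $match) {
        $findings += "No assignment of '$PermissionName' to '$DataFactoryName' found; rerun the New-AzureADServiceAppRoleAssignment step."
    }

    # 4. Anything else holding a role on the function app can also call it; surface it for review.
    $others = $assignments |
        Where-Object { $_.ResourceId -eq $funapp.ObjectId -and $_.PrincipalId -ne $msi.ObjectId } |
        Select-Object -ExpandProperty PrincipalDisplayName -Unique
    if ($others) { $findings += "Other principals also hold app roles on '$FunctionAppName': $($others -join ', ')" }

    [pscustomobject]@{
        FunctionApp     = $FunctionAppName
        ManagedIdentity = $DataFactoryName
        Ok              = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

# Usage (after Connect-AzureAD):
# Test-FunctionAppRoleAssignment -DataFactoryName '<datafactory-name>' -FunctionAppName '<functionapp-name>'
```

Ok is true only when all three conditions hold and the assignment is present; the Findings list is meant to be read together with step 4 of the answer, since an Anonymous function-level key offers no protection once AAD auth or the role assignment is misconfigured.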