In our previous post we saw how to expose APIs secured with Azure AD through the use of an application object. This provides us with a managed identity.

Azure functions can be granted two types of identities:

  • A system-assigned identity is tied to your application and is deleted if your app is deleted. An app can have only one system-assigned identity.
  • A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities.

To set up a managed identity in the portal:

  1. Navigate to Platform features. For other app types, scroll down to the Settings group in the left navigation.
  2. Select Identity.
  (Screenshots: System assigned identity; User assigned identity)

An app can use its managed identity to get tokens to access other resources protected by Azure AD. These tokens represent the application accessing the resource, and not any specific user of the application.

There is a simple REST protocol for obtaining a token in App Service and Azure Functions. For more on obtaining and using the tokens, see the Microsoft docs.
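The following is an added example, not code from the original post, showing the shape of that REST exchange from inside a Function App. It assumes the environment variables App Service and Functions inject for the local token endpoint (IDENTITY_ENDPOINT and IDENTITY_HEADER, with api-version 2019-08-01 and the X-IDENTITY-HEADER request header, as Microsoft documents them; none of these names appear in the post), and it uses Key Vault's resource URI only as a sample target. Passing a client_id selects a user-assigned identity; omitting it selects the single system-assigned identity, which mirrors the two identity types described above. The request builder and response parser are separated so the offline parts can be checked without an Azure runtime.

```python
import json
import os
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Variables App Service / Functions inject for the managed identity endpoint.
# Assumption: names and api-version as documented by Microsoft, not from the post.
ENDPOINT_VAR = "IDENTITY_ENDPOINT"
HEADER_VAR = "IDENTITY_HEADER"
API_VERSION = "2019-08-01"


def build_token_request(resource, client_id=None, env=None):
    """Build (url, headers) for a token request to the local identity endpoint.

    resource:  Azure AD resource the token should be valid for,
               e.g. "https://vault.azure.net" (sample value).
    client_id: client id of a user-assigned identity; None selects the
               system-assigned identity (an app has at most one of those).
    env:       mapping to read the injected variables from (default: os.environ).
    """
    env = os.environ if env is None else env
    endpoint = env.get(ENDPOINT_VAR)
    secret = env.get(HEADER_VAR)
    if not endpoint or not secret:
        # Not running inside App Service/Functions, or no identity is enabled.
        # Fail closed instead of silently falling back to another credential.
        raise RuntimeError(
            f"{ENDPOINT_VAR}/{HEADER_VAR} not set; is a managed identity enabled?"
        )
    params = {"resource": resource, "api-version": API_VERSION}
    if client_id:
        params["client_id"] = client_id
    url = f"{endpoint}?{urlencode(params)}"
    # The header value is a per-instance secret that proves the call comes from
    # the app's own code; never write it to logs.
    headers = {"X-IDENTITY-HEADER": secret}
    return url, headers


def parse_token_response(body):
    """Validate the JSON body returned by the identity endpoint and keep only
    the fields a caller needs. expires_on is epoch seconds (returned as a string)."""
    data = json.loads(body)
    for field in ("access_token", "expires_on", "resource"):
        if field not in data:
            raise ValueError(f"identity endpoint response missing '{field}'")
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),
        "resource": data["resource"],
    }


def token_is_fresh(token, now=None, skew=300):
    """True while the cached token is usable; refresh `skew` seconds early so a
    request does not fail at the expiry boundary."""
    now = time.time() if now is None else now
    return token["expires_on"] - skew > now


def fetch_token(resource, client_id=None):
    """Perform the request against the real endpoint (works only inside Azure).
    The token represents the app itself, not any user of the app."""
    url, headers = build_token_request(resource, client_id)
    with urlopen(Request(url, headers=headers), timeout=10) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Offline demonstration with a constructed environment and response.
    fake_env = {ENDPOINT_VAR: "http://127.0.0.1:41749/msi/token", HEADER_VAR: "constructed-secret"}
    url, headers = build_token_request("https://vault.azure.net", env=fake_env)
    print("GET", url)
    print("headers:", {k: "<redacted>" for k in headers})
    fake_body = json.dumps({"access_token": "constructed.jwt.value",
                            "expires_on": "1700000000",
                            "resource": "https://vault.azure.net",
                            "token_type": "Bearer"})
    tok = parse_token_response(fake_body)
    print("fresh at 1699999000:", token_is_fresh(tok, now=1699999000))
```

The token should be cached per resource (and per identity) and reused until token_is_fresh returns False; requesting a new token on every call adds latency and load on the identity endpoint for no security benefit, since the endpoint hands the same app-scoped token back anyway.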