I’ve been working on enabling identity-based authentication for an Azure Function App, which is currently invoked by Azure Data Factory (ADF) using a Function Key. As part of our move away from key-based access, I’ve configured authentication using a managed identity flow. Below is a summary of the setup and the issue I’m encountering:
Function App: fa1
Authentication Enabled: Yes
Identity Provider: Microsoft
App Registration: testapp1
App Role: ADFCaller (Allowed Member Types: Application)
Application ID URI: api://<guid>
Allowed token audiences: api://<guid>
Allowed Client Applications:
  Application ID of Azure Data Factory user-assigned managed identity (ua1)
Allowed Identities:
  Object ID of Azure Data Factory user-assigned managed identity (ua1)
  Object ID of Azure Data Factory system-assigned managed identity (sa1)
Allowed Tenants: Microsoft
Enterprise App: testapp1
Users and Groups Assigned:
  ua1 (Role: ADFCaller)
  sa1 (Role: ADFCaller)
ADF Linked Service Configuration
{
  "functionAppUrl": "https://fa1.azurewebsites.net",
  "authentication": "ManagedIdentity",
  "resource": "api://<guid>"
}
ADF Pipeline Activity
Function Name: StarterFunction
Method: GET
Linked Service: fa1
Issue
When triggering the pipeline, the function call fails with the following error:
Failure Type: User configuration issue
Details: Call to Azure function 'StarterFunction' failed with status 'Unauthorized' while invoking 'GET' on the function URL.
Note: I’ve updated the StarterFunction to AuthLevel.Anonymous.
Could you help confirm:
If the identity-based authentication setup is correct?
Whether additional configuration is needed on the function app or app registration to allow ADF to authenticate successfully?
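
An added example, not part of the original post and not Microsoft's code: it decodes the claims of a bearer token and compares them with the allow lists from the setup above, using a simplified model of those checks. All IDs, the tenant value, the unsigned sample tokens and the function names are constructed assumptions.

```python
import base64
import json

def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, cfg):
    """Compare token claims with the allow lists; return the mismatches found."""
    problems = []
    # v1 tokens may carry the App ID URI as 'aud', v2 tokens the application (client) ID
    if claims.get("aud") not in cfg["allowed_audiences"]:
        problems.append(f"aud {claims.get('aud')!r} not in allowed token audiences")
    # v1 tokens carry the caller's application ID in 'appid', v2 tokens in 'azp'
    client = claims.get("appid") or claims.get("azp")
    if client not in cfg["allowed_client_applications"]:
        problems.append(f"client application {client!r} not allowed")
    if claims.get("oid") not in cfg["allowed_identities"]:
        problems.append(f"oid {claims.get('oid')!r} not in allowed identities")
    if claims.get("tid") not in cfg["allowed_tenants"]:
        problems.append(f"tid {claims.get('tid')!r} not in allowed tenants")
    # Assumption: the app role is checked too (by the function code, not the platform)
    if cfg["required_role"] not in claims.get("roles", []):
        problems.append(f"role {cfg['required_role']!r} missing from roles claim")
    return problems

def make_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed placeholder values standing in for the real GUIDs in the setup above
AUD = "api://00000000-0000-0000-0000-0000000000aa"
CFG = {
    "allowed_audiences": [AUD],
    "allowed_client_applications": ["ua1-app-id"],
    "allowed_identities": ["ua1-object-id", "sa1-object-id"],
    "allowed_tenants": ["tenant-id"],
    "required_role": "ADFCaller",
}
BASE = {"aud": AUD, "tid": "tenant-id", "roles": ["ADFCaller"]}
UA1_TOKEN = make_token({**BASE, "appid": "ua1-app-id", "oid": "ua1-object-id"})
SA1_TOKEN = make_token({**BASE, "appid": "sa1-app-id", "oid": "sa1-object-id"})

if __name__ == "__main__":
    for name, tok in (("ua1", UA1_TOKEN), ("sa1", SA1_TOKEN)):
        print(name, check_claims(decode_claims(tok), CFG) or "all checks pass")
```

Run against the claims of a token actually issued to the calling identity, the returned list shows which configured allow list, if any, that caller does not match.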