This solution demonstrates a secure, passwordless call chain between two Azure Functions: the frontend function uses its managed identity to obtain a Microsoft Entra ID token for the backend's app registration, and Azure API Management (APIM) validates that token and enforces the backend's app role before forwarding the request. No client secrets or function keys are handled by the frontend code.

Components:
- Frontend Function App (Python)
- Azure API Management
- Backend Function App (Python)
- Azure Key Vault
- Microsoft Entra ID (Azure AD)
Prerequisites:
- An Azure subscription on which you hold Owner rights (needed to create the role assignments below; the workflow itself runs as the scoped service principal)
- A resource group; set its name as the ENV variable in the workflow yaml (`.github/workflows/azure-functions-app-python.yml`)
- A service principal with:
  - Microsoft Graph application permissions (admin consent required):
    - Application.ReadWrite.All
    - Directory.Read.All
  - Azure RBAC roles on the resource group:
    - Key Vault Secrets Officer
    - Contributor

Application.ReadWrite.All is tenant-wide: it lets the service principal modify every app registration in the directory. It is listed because the workflow creates and updates the backend app registration; if the principal will only ever manage registrations it owns, Application.ReadWrite.OwnedBy is the narrower permission to consider.
Setup:
1. Clone the repository

   ```bash
   git clone https://github.com/yourusername/apim-oauth.git
   cd apim-oauth
   ```

2. Configure GitHub Secrets:

   ```
   AZURE_CLIENT_ID: "<service-principal-client-id>"
   AZURE_TENANT_ID: "<your-tenant-id>"
   AZURE_SUBSCRIPTION_ID: "<your-subscription-id>"
   ```

   No client secret is listed, which matches OIDC (workload identity federation) sign-in with `azure/login`; in that mode the service principal needs a federated credential trusting this repository and branch. If you instead authenticate with a client secret, that secret must be added as well.

3. Run the GitHub workflow
   - Navigate to the Actions tab
   - Select "Deploy Python project to Azure Function App"
   - Click "Run workflow"
The workflow:
- Creates/updates the backend app registration
- Deploys infrastructure:
  - Function Apps
  - API Management
  - Key Vault
- Deploys the frontend and backend Function Apps
- Configures authentication and APIM policies
Frontend Function App configuration:
- Managed Identity enabled
- GET access to Key Vault secrets
- Assigned the app role exposed by the backend API (the identity's token for the backend then carries that role in its `roles` claim)

Backend Function App configuration:
- Entra ID authentication enabled
- App registration with an exposed API (Application ID URI and app role)
- Function app access code (function key) stored in Key Vault
- Managed Identity enabled
- GET access to Key Vault secrets
- APIM API policy configured for token validation (`bicep/services/modules/policies/apim-backend-policy.xml`)
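As an added illustration of what the APIM policy has to check before it forwards a request (example code written for this page, not the repository's policy or function code): the block below models the validation in Python with the standard library only. The tenant ID, Application ID URI, role name and object ID are placeholders, and tokens are signed with a shared HMAC key (HS256) purely so the example runs offline; Entra ID issues RS256-signed tokens whose public keys APIM fetches from the tenant's OpenID configuration.

```python
"""Offline model of the checks an APIM validate-jwt policy performs on the
bearer token the frontend presents: signature, issuer, audience, expiry and
the app role granted to the frontend's managed identity.

Added example, not the repository's code. HS256 with a shared key stands in
for the RS256 tokens Entra ID mints; every identifier below is a placeholder.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder tenant
BACKEND_APP_ID = "api://backend-app-id"                # placeholder Application ID URI (audience)
REQUIRED_ROLE = "Backend.Invoke"                       # placeholder app role name
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
SIGNING_KEY = b"constructed-shared-key-for-the-example"  # stand-in for the tenant signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build an HS256 JWT for the example; in production Entra ID mints the token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[float] = None,
                   key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). Like validate-jwt, any failed check rejects the call."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"       # never accept 'none' or an alg the policy did not configure
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"        # claims are only meaningful after the signature checks out
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != BACKEND_APP_ID:
        return False, "wrong audience"       # a valid token for some other API must not open this one
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if REQUIRED_ROLE not in claims.get("roles", []):
        return False, "missing app role"     # the identity authenticated but was never granted the role
    return True, "ok"


def frontend_claims(now: float) -> dict:
    """Shape of the claims the frontend's managed identity receives once the app role is assigned."""
    return {
        "iss": ISSUER,
        "aud": BACKEND_APP_ID,
        "iat": int(now),
        "exp": int(now) + 3600,
        "roles": [REQUIRED_ROLE],
        "oid": "11111111-1111-1111-1111-111111111111",  # placeholder object id of the managed identity
    }


if __name__ == "__main__":
    now = time.time()
    print(validate_token(mint_token(frontend_claims(now))))
    unassigned = frontend_claims(now)
    unassigned["roles"] = []                 # role assignment step skipped
    print(validate_token(mint_token(unassigned)))
```

In the real deployment these checks are declarative: the validate-jwt policy names the tenant's OpenID configuration URL, the accepted audience and the required `roles` value, and rejects non-matching requests with 401 before they reach the backend. The Python version is useful for reasoning about which failure a given misconfiguration produces: "wrong audience" when the frontend requests a token for the wrong scope, "missing app role" when the role assignment was never made.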
Project structure:

```
├── .github/workflows/
│   └── azure-functions-app-python.yml
├── bicep/
│   ├── infrastructure/
│   │   └── main.bicep
│   └── services/
│       ├── main.bicep
│       └── modules/
│           ├── apim-apis.bicep
│           └── policies/
│               └── apim-backend-policy.xml
└── src/
    └── function-apps/
        ├── frontend/
        └── backend/
```
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.