Azure-Samples
diff --git a/‎app/functions/figure_processor/function_app.py‎
Lines changed: 1 addition & 1 deletion b/‎app/functions/figure_processor/function_app.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎infra/app/functions-app.bicep‎
Lines changed: 34 additions & 16 deletions b/‎infra/app/functions-app.bicep‎
Lines changed: 34 additions & 16 deletions
diff --git a/‎infra/app/functions-rbac.bicep‎
Lines changed: 10 additions & 10 deletions b/‎infra/app/functions-rbac.bicep‎
Lines changed: 10 additions & 10 deletions
@@ -118,7 +118,7 @@
 
 
 @app.function_name(name="process_figure")
-@app.route(route="process", methods=["POST"], auth_level=func.AuthLevel.ANONYMOUS)
+@app.route(route="process", methods=["POST"])
 async def process_figure_request(req: func.HttpRequest) -> func.HttpResponse:
     """Entrypoint for Azure Search custom skill calls."""
 
 
@@ -14,10 +14,16 @@ param instanceMemoryMB int = 2048
 param maximumInstanceCount int = 10
 param identityId string
 param identityClientId string
-// App Registration client ID (applicationId) used to secure Function App endpoints (Easy Auth)
-param skillAppClientId string = ''
-// Audience / identifier URI to validate tokens (e.g. api://<subscriptionId>/<env>-skill)
-param skillAppAudience string = ''
+
+// Authorization parameters
+@description('The Entra ID application (client) ID for App Service Authentication')
+param authClientId string
+
+@description('The Entra ID identifier URI for App Service Authentication')
+param authIdentifierUri string
+
+@description('The Azure AD tenant ID for App Service Authentication')
+param authTenantId string
 
 // AVM expects authentication.type values: SystemAssignedIdentity | UserAssignedIdentity | StorageAccountConnectionString
 // Use UserAssignedIdentity for per-function user-assigned managed identity deployment storage access.
@@ -51,14 +57,12 @@ var appInsightsSettings = !empty(applicationInsightsName) ? {
   APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.?properties.ConnectionString ?? ''
 } : {}
 
-// Surface skill application identifiers for downstream logging/diagnostics (not used for manual validation now that Easy Auth is enabled)
-var skillAudienceSettings = (!empty(skillAppClientId) && !empty(skillAppAudience)) ? {
-  SKILL_APP_ID: skillAppClientId
-  SKILL_APP_AUDIENCE: skillAppAudience
-} : {}
+var easyAuthSettings = {
+    OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID: identityClientId
+}
 
 // Merge all app settings
-var allAppSettings = union(appSettings, baseAppSettings, appInsightsSettings, skillAudienceSettings)
+var allAppSettings = union(appSettings, baseAppSettings, appInsightsSettings, easyAuthSettings)
 
 // Create Flex Consumption Function App using AVM
 module functionApp 'br/public:avm/res/web/site:0.15.1' = {
@@ -70,7 +74,9 @@ module functionApp 'br/public:avm/res/web/site:0.15.1' = {
     tags: tags
     serverFarmResourceId: appServicePlanId
     managedIdentities: {
-      userAssignedResourceIds: [identityId]
+      userAssignedResourceIds: [
+        '${identityId}'
+      ]
     }
     functionAppConfig: {
       deployment: {
@@ -107,31 +113,43 @@ module functionApp 'br/public:avm/res/web/site:0.15.1' = {
 
 // Enable Easy Auth (App Service authentication) for Azure Search custom skill access when a skillAppId is provided.
 // Based on Microsoft guidance: require authentication, return 401 on unauthenticated, allowed audience api://{applicationId}.
-resource auth 'Microsoft.Web/sites/config@2022-03-01' = if (!empty(skillAppClientId) && !empty(skillAppAudience)) {
+resource auth 'Microsoft.Web/sites/config@2022-03-01' = {
   name: '${name}/authsettingsV2'
+  dependsOn: [
+    functionApp  // Ensure the Function App module completes before configuring authentication
+  ]
   properties: {
     globalValidation: {
       requireAuthentication: true
       unauthenticatedClientAction: 'Return401'
+      redirectToProvider: 'azureactivedirectory'
     }
     identityProviders: {
       azureActiveDirectory: {
         enabled: true
         registration: {
-          clientId: skillAppClientId
+          openIdIssuer: '${environment().authentication.loginEndpoint}${authTenantId}/v2.0'
+          clientId: authClientId
+          clientSecretSettingName: 'OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID'
         }
         validation: {
-          allowedAudiences: [ skillAppAudience ]
+          jwtClaimChecks: {}
+          allowedAudiences: [
+            authIdentifierUri
+          ]
+          defaultAuthorizationPolicy: {
+            allowedPrincipals: {}
+            allowedApplications: [authClientId]
+          }
         }
       }
     }
   }
-  dependsOn: [ functionApp ]
 }
 
 // Outputs
 output name string = functionApp.outputs.name
 output defaultHostname string = functionApp.outputs.defaultHostname
 // Expose resourceId for downstream skill auth configuration
 output resourceId string = functionApp.outputs.resourceId
-output authEnabled bool = !empty(skillAppClientId) && !empty(skillAppAudience)
+output authEnabled bool = !empty(authClientId) && !empty(authIdentifierUri)
@@ -23,7 +23,7 @@ var monitoringMetricsPublisherRoleId = '3913510d-42f4-4e42-8a64-420c390055eb' //
 // Storage: Blob Data Reader (read content container)
 module storageBlobReaderRole '../core/security/role.bicep' = {
   scope: resourceGroup(storageResourceGroupName)
-  name: 'storage-blob-reader-${uniqueString(principalId)}'
+  name: 'function-storage-blob-reader-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: storageBlobDataReaderRoleId
@@ -34,7 +34,7 @@ module storageBlobReaderRole '../core/security/role.bicep' = {
 // Storage: Blob Data Contributor (write images container, deployment container)
 module storageBlobContributorRole '../core/security/role.bicep' = {
   scope: resourceGroup(storageResourceGroupName)
-  name: 'storage-blob-contributor-${uniqueString(principalId)}'
+  name: 'function-storage-blob-contributor-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: storageBlobDataContributorRoleId
@@ -45,7 +45,7 @@ module storageBlobContributorRole '../core/security/role.bicep' = {
 // Storage: Queue Data Contributor (for AzureWebJobsStorage)
 module storageQueueContributorRole '../core/security/role.bicep' = {
   scope: resourceGroup(storageResourceGroupName)
-  name: 'storage-queue-contributor-${uniqueString(principalId)}'
+  name: 'function-storage-queue-contributor-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: storageQueueDataContributorRoleId
@@ -56,7 +56,7 @@ module storageQueueContributorRole '../core/security/role.bicep' = {
 // Storage: Table Data Contributor (for AzureWebJobsStorage)
 module storageTableContributorRole '../core/security/role.bicep' = {
   scope: resourceGroup(storageResourceGroupName)
-  name: 'storage-table-contributor-${uniqueString(principalId)}'
+  name: 'function-storage-table-contributor-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: storageTableDataContributorRoleId
@@ -67,7 +67,7 @@ module storageTableContributorRole '../core/security/role.bicep' = {
 // Search: Index Data Contributor (write chunks to index)
 module searchIndexContributorRole '../core/security/role.bicep' = {
   scope: resourceGroup(searchServiceResourceGroupName)
-  name: 'search-index-contributor-${uniqueString(principalId)}'
+  name: 'function-search-index-contributor-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: searchIndexDataContributorRoleId
@@ -78,7 +78,7 @@ module searchIndexContributorRole '../core/security/role.bicep' = {
 // OpenAI: Cognitive Services OpenAI User
 module openAiUserRole '../core/security/role.bicep' = {
   scope: resourceGroup(openAiResourceGroupName)
-  name: 'openai-user-${uniqueString(principalId)}'
+  name: 'function-openai-user-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: cognitiveServicesOpenAIUserRoleId
@@ -89,7 +89,7 @@ module openAiUserRole '../core/security/role.bicep' = {
 // Document Intelligence: Cognitive Services User
 module documentIntelligenceUserRole '../core/security/role.bicep' = {
   scope: resourceGroup(documentIntelligenceResourceGroupName)
-  name: 'doc-intelligence-user-${uniqueString(principalId)}'
+  name: 'function-doc-intelligence-user-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: cognitiveServicesUserRoleId
@@ -100,7 +100,7 @@ module documentIntelligenceUserRole '../core/security/role.bicep' = {
 // Vision: Cognitive Services User (if multimodal)
 module visionUserRole '../core/security/role.bicep' = if (useMultimodal && !empty(visionServiceName)) {
   scope: resourceGroup(visionResourceGroupName)
-  name: 'vision-user-${uniqueString(principalId)}'
+  name: 'function-vision-user-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: cognitiveServicesUserRoleId
@@ -111,7 +111,7 @@ module visionUserRole '../core/security/role.bicep' = if (useMultimodal && !empt
 // Content Understanding: Cognitive Services User (if multimodal)
 module contentUnderstandingUserRole '../core/security/role.bicep' = if (useMultimodal && !empty(contentUnderstandingServiceName)) {
   scope: resourceGroup(contentUnderstandingResourceGroupName)
-  name: 'content-understanding-user-${uniqueString(principalId)}'
+  name: 'function-content-understanding-user-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: cognitiveServicesUserRoleId
@@ -121,7 +121,7 @@ module contentUnderstandingUserRole '../core/security/role.bicep' = if (useMulti
 
 // Application Insights: Monitoring Metrics Publisher
 module appInsightsMetricsPublisherRole '../core/security/role.bicep' = {
-  name: 'appinsights-metrics-${uniqueString(principalId)}'
+  name: 'function-appinsights-metrics-${uniqueString(principalId)}'
   params: {
     principalId: principalId
     roleDefinitionId: monitoringMetricsPublisherRoleId