|
| 1 | +--- |
| 2 | +title: Set up an indexer connection to Azure functions using "EasyAuth" |
| 3 | +titleSuffix: Azure AI Search |
| 4 | +description: Learn how to set up an indexer connection to an Azure Function using built-in authentication also known as "EasyAuth" |
| 5 | +author: arv100kri |
| 6 | +ms.author: arjagann |
| 7 | + |
| 8 | +ms.service: azure-ai-search |
| 9 | +ms.topic: how-to |
| 10 | +ms.date: 01/20/2025 |
| 11 | +ms.custom: |
| 12 | + - subject-rbac-steps |
| 13 | +--- |
| 14 | + |
| 15 | +# Authenticate to Azure Functions using "EasyAuth" (Azure AI Search) |
| 16 | + |
| 17 | +This article explains how to set up an indexer connection to an Azure function app using the [built-in authentication capabilities of App services](/azure/app-service/overview-authentication-authorization.md), also known as "EasyAuth". Azure function apps are a great solution for hosting Custom Web APIs that an Azure AI Search service can use either to enrich content ingested during an indexer run, or to vectorize content in a search query. |
| 18 | + |
| 19 | +You can use either a system-assigned or a user-assigned identity of the search service to authenticate against the Azure function app. |
| 20 | + |
| 21 | +## Prerequisites |
| 22 | + |
| 23 | +* [Create a managed identity](search-howto-managed-identities-data-sources.md) for your search service. |
| 24 | +* Configure Azure function app with [Microsoft Entra sign-in](/azure/app-service/configure-authentication-provider-aad.md). |
| 25 | + |
| 26 | +## Limitations |
| 27 | + |
| 28 | +* Only Microsoft Entra authentication provider is supported with Azure AI Search. |
| 29 | +* When using Microsoft Entra as the authentication provider, you're required to create another Microsoft Entra application registration to use as the target audience for the indexer to request a token. This application can either use the OAuth 2.0 implicit flow (without a client secret), or use the client secret. In either case, this application needs to expose a scope for delegated permissions. |
| 30 | + |
| 31 | +## Configure Microsoft Entra application to use as authentication provider |
| 32 | + |
| 33 | +To use Microsoft Entra as an authentication provider to the Azure function application, an application registration must be created. There are 2 options to do so - either creating one automatically via the function app itself, or using an already created existing application. To learn more about these steps follow [Azure App services' documentation](/azure/app-service/configure-authentication-provider-aad?tabs=workforce-configuration#choose-the-app-registration.md). |
| 34 | + |
| 35 | +Regardless of either option, ensure that the app registration is configured per the following steps to ensure it being compatible with Azure AI Search. |
| 36 | + |
| 37 | +### Ensure the app registration has application ID URI configured |
| 38 | + |
| 39 | +The app registration should be configured with an application ID URI, which can then be used as the token audience with Azure functions and Azure AI Search. Configure it in the format `api://<applicationId>` |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +### Set supported account types for authentication |
| 44 | + |
| 45 | +Configure the "supported account types" so that only accounts in the same organization directory as the app registration can utilize it for authentication. |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | +### (Optional) Configure a client secret |
| 50 | + |
| 51 | +App services recommend utilizing a client secret for the authentication provider application. Authentication still works without client secret, as long as the delegated permissions are set up. |
| 52 | + |
| 53 | + |
| 54 | + |
| 55 | +### Add a scope to delegate permissions |
| 56 | + |
| 57 | +Configure the app registration to have a scope that delegates admin and user permissions to it to ensure that it's compatible with the indexer's authentication flow. |
| 58 | + |
| 59 | + |
| 60 | + |
| 61 | +Once the delegated permissions scope is set up, you should notice the "API permissions" has a "User.Read" API on Microsoft.Graph configured. |
| 62 | + |
| 63 | + |
| 64 | + |
| 65 | +## Configure Microsoft Entra authentication provider in Azure function app |
| 66 | + |
| 67 | +With the client application registered with the exact specifications above, Microsoft Entra authentication for the Azure function application can be set up by following the [guide from App Services](/azure/app-service/configure-authentication-provider-aad.md). Ensure the following settings are configured to ensure that Azure AI Search can successfully authenticate to the function app. |
| 68 | + |
| 69 | +### Configure authentication settings |
| 70 | + |
| 71 | +* Ensure that "App Service authentication" is "Enabled" |
| 72 | +* Restrict access to the function app to "Require authentication" |
| 73 | +* For "Unauthenticated requests" prefer "HTTP 401: Unauthorized" |
| 74 | + |
| 75 | +The following screenshot highlights these specific settings for a sample Azure function app. |
| 76 | + |
| 77 | + |
| 78 | + |
| 79 | +### Add Microsoft Entra authentication provider |
| 80 | + |
| 81 | +* Add Microsoft Entra as the authentication provider for the Azure function application. |
| 82 | +* Either create a new app registration or choose a previously configured app registration. Ensure that it's configured according to the guidelines in the previous section of this document. |
| 83 | +* Ensure that in the "Allowed token audiences" section, the application ID URI of the app registration is specified. It should be in the `api://<applicationId>` format, matching what was configured with the app registration created earlier. |
| 84 | +* If you desire, you can configure additional checks to restrict access specifically to the indexer. |
| 85 | + |
| 86 | + |
| 87 | + |
| 88 | +### Configure additional checks |
| 89 | + |
| 90 | +* Ensure that the Object (principal) ID of the specific Azure AI Search service's identity is specified as the **"Identity requirement"**, by checking the option "Allow requests from specific identities" and entering the Object (principal) ID in the "Identity blade" |
| 91 | + |
| 92 | + |
| 93 | + |
| 94 | +* In **"Client application requirement"** select the option "Allow requests from specific client application". You need to look up the Client ID for the Azure AI Search service's identity. To do this, copy over the Object (principal) ID from the previous step and look up in your Microsoft Entra tenant. There should be a matching "Enterprise Application" whose overview page lists an "Application ID", which is the GUID that needs to be specified as the client application requirement. |
| 95 | + |
| 96 | + |
| 97 | + |
| 98 | +>[!NOTE] |
| 99 | +> This step is the most important configuration on the Azure function app and doing it wrongly can result in the indexer being forbidden from accessing the function app. Ensure that you perform the lookup of the identity's enterprise application details correctly, and you specify the "Application ID" and "Object (principal) ID" in the right places. |
| 100 | +
|
| 101 | +* For the **"Tenant requirement"**, choose any of the options that aligns with your security posture. Check out the [Azure App service documentation](/azure/app-service/configure-authentication-provider-aad.md) for more details. |
| 102 | + |
| 103 | +## Configure Custom Web API skill/vectorizer to connect to the Azure function application |
| 104 | + |
| 105 | +For the Custom Web API skill/vectorizer to connect to the Azure function application and successfully authenticate with the configured Microsoft Entra authentication provider, ensure that you specify the correct URI to the function application and set the `authResourceId` to be the same value as the "Allowed token audience" configured for the authentication provider. |
| 106 | + |
| 107 | +### Using system assigned identity |
| 108 | +Here's an example to call into a function call "test" for the sample Azure function application, where the system assigned identity of the search service is allowed to authenticate via "EasyAuth". |
| 109 | + |
| 110 | +```json |
| 111 | +"uri": "https://contoso-function-app.azurewebsites.net/api/test?", |
| 112 | +"authResourceId": "api://00000000-0000-0000-0000-000000000000" |
| 113 | +``` |
| 114 | + |
| 115 | +### Using user assigned identity |
| 116 | + |
| 117 | +Here's an example to call into the same function, where the specific user assigned identity is allowed to authenticate via "EasyAuth". |
| 118 | + |
| 119 | +```json |
| 120 | +"uri": "https://contoso-function-app.azurewebsites.net/api/test?", |
| 121 | +"authResourceId": "api://00000000-0000-0000-0000-000000000000", |
| 122 | +"identity" : { |
| 123 | + "@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity", |
| 124 | + "userAssignedIdentity": "/subscriptions/[subscription-id]/resourcegroups/[rg-name]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[my-user-managed-identity-name]" |
| 125 | + } |
| 126 | +``` |
| 127 | + |
| 128 | +>[!NOTE] |
| 129 | +> This user assigned identity should actually be assigned to the Azure AI Search service for it to be specified in the Custom Web skill/vectorizer definition. |
| 130 | +
|
| 131 | +## Run the indexer/vectorizer to verify permissions |
| 132 | + |
| 133 | +For Custom Web API skills, permissions are validated during indexer run-time. For vectorizer, they're validated when a vector query is issued utilizing the Custom Web API vectorizer. To rule out any specific issues with authentication, you can test by disabling the authentication provider on the function app and ensuring that calls from indexer/vectorizer succeed. |
| 134 | + |
| 135 | +* If authentication issues persist, ensure that the right identity information - namely Application ID, Object (principal) ID for the Azure AI Search service's identity is specified in the function app's authentication provider. |
| 136 | + |
| 137 | +## See also |
| 138 | + |
| 139 | +* [Custom Web API skill](cognitive-search-custom-skill-web-api.md) |
| 140 | +* [Custom Web API vectorizer](vector-search-vectorizer-custom-web-api.md) |
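Review bot: the "Configure additional checks" step (lines 84 and 88-94) is presented as optional ("If you desire"), but the identity and client application requirements are the only settings in this flow that limit callers to the search service's own identity: with just the Entra provider and the `api://<applicationId>` audience configured, any principal in the tenant that can obtain a token for that audience is accepted, which the "supported account types" setting on line 45 does not prevent. Suggest wording line 84 as a recommendation rather than an option, consistent with the note on line 99 that calls it the most important configuration. Two smaller points: the link on line 33 puts `.md` after the query string and fragment (`...#choose-the-app-registration.md`), so it will not resolve; the `.md` belongs before `?tabs=`. Line 108 should read "a function called "test"", and line 75 announces a screenshot that is not followed by any image reference in this hunk (the same applies to the blank gaps after lines 39, 45, 51, 57, 61, 85, 90 and 94).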