|
| 1 | +--- |
| 2 | +title: Set up an indexer connection to Azure functions using "Easy Auth" |
| 3 | +titleSuffix: Azure AI Search |
| 4 | +description: Learn how to set up an indexer connection to an Azure Function using built-in authentication also known as "Easy Auth". |
| 5 | +author: arv100kri |
| 6 | +ms.author: arjagann |
| 7 | + |
| 8 | +ms.service: azure-ai-search |
| 9 | +ms.topic: how-to |
| 10 | +ms.date: 01/20/2025 |
| 11 | +ms.custom: |
| 12 | + - subject-rbac-steps |
| 13 | +--- |
| 14 | + |
| 15 | +# Authenticate to Azure Function App using "Easy Auth" (Azure AI Search) |
| 16 | + |
| 17 | +This article explains how to set up an indexer connection to an Azure Function app using the [built-in authentication capabilities of App services](/azure/app-service/overview-authentication-authorization), also known as "Easy Auth". Azure Function apps are a great solution for hosting Custom Web APIs that an Azure AI Search service can use either to enrich content ingested during an indexer run, or to vectorize content in a search query if you're using a custom embedding model for [integrated vectorization](vector-search-integrated-vectorization.md). |
| 18 | + |
| 19 | +You can use either a system-assigned or a user-assigned identity of the search service to authenticate against the Azure Function app. This approach requires setting up a Microsoft Entra ID application registration to use as the authentication provider for the Azure Function app, as explained in this article. |
| 20 | + |
| 21 | +## Prerequisites |
| 22 | + |
| 23 | +* [Create a managed identity](search-howto-managed-identities-data-sources.md) for your search service. |
| 24 | + |
| 25 | +## Configure Microsoft Entra ID application to use as authentication provider |
| 26 | + |
| 27 | +To use Microsoft Entra ID as an authentication provider to the Azure Function app, an application registration must be created. There are 2 options to do so - either creating one automatically via the Azure Function app itself, or using an already created existing application. To learn more about these steps follow [Azure App services' documentation](/azure/app-service/configure-authentication-provider-aad?tabs=workforce-configuration#choose-the-app-registration.md). |
| 28 | + |
| 29 | +Regardless of either option, ensure that the app registration is configured per the following steps to ensure it being compatible with Azure AI Search. |
| 30 | + |
| 31 | +### Ensure the app registration has application ID URI configured |
| 32 | + |
| 33 | +The app registration should be configured with an application ID URI, which can then be used as the token audience with Azure Function apps and Azure AI Search. Configure it in the format `api://<applicationId>`. This can be done by navigating to the **Overview** section of the app registration and setting the **Application ID URI** field. |
| 34 | + |
| 35 | +[  ](./media/search-howto-managed-identities-azure-functions/app-registration-overview.png#lightbox) |
| 36 | + |
| 37 | +### Set supported account types for authentication |
| 38 | + |
| 39 | +Navigate to the **Authentication** section of the app registration and configure the **supported account types** so that only accounts in the same organization directory as the app registration can utilize it for authentication. |
| 40 | + |
| 41 | +[  ](./media/search-howto-managed-identities-azure-functions/authentication-supported-account.png#lightbox) |
| 42 | + |
| 43 | +### (Optional) Configure a client secret |
| 44 | + |
| 45 | +App services recommend utilizing a client secret for the authentication provider application. Authentication still works without client secret, as long as the delegated permissions are set up. To set up a client secret, navigate to the **Certificates & secrets** section of the app registration, and add a **New client secret** as explained [in this article](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials). |
| 46 | + |
| 47 | +[  ](./media/search-howto-managed-identities-azure-functions/client-secret.png#lightbox) |
| 48 | + |
| 49 | +### Add a scope to delegate permissions |
| 50 | + |
| 51 | +Navigate to the section **Expose an API** and configure the app registration to have a scope that delegates admin and user permissions to it, to ensure that it's compatible with the indexer's authentication flow. |
| 52 | + |
| 53 | +[  ](./media/search-howto-managed-identities-azure-functions/expose-api-user-impersonation.png#lightbox) |
| 54 | + |
| 55 | +Once the delegated permissions scope is set up, you should notice in the **API permissions** section of the app registration that the **User.Read** API on Microsoft.Graph is set. |
| 56 | + |
| 57 | +[  ](./media/search-howto-managed-identities-azure-functions/api-permissions.png#lightbox) |
| 58 | + |
| 59 | +## Configure Microsoft Entra ID authentication provider in Azure Function app |
| 60 | + |
| 61 | +With the client application registered with the exact specifications above, Microsoft Entra ID authentication for the Azure Function app can be set up by following the [guide from App Services](/azure/app-service/configure-authentication-provider-aad). Navigate to the **Authentication** section of the Azure Function app to set up the authentication details. |
| 62 | + |
| 63 | +Ensure the following settings are configured to ensure that Azure AI Search can successfully authenticate to the Azure Function app. |
| 64 | + |
| 65 | +### Configure authentication settings |
| 66 | + |
| 67 | +* Ensure that **App Service authentication** is **Enabled** |
| 68 | +* Restrict access to the Azure Function app to **Require authentication** |
| 69 | +* For **Unauthenticated requests** prefer **HTTP 401: Unauthorized** |
| 70 | + |
| 71 | +The following screenshot highlights these specific settings for a sample Azure Function app. |
| 72 | + |
| 73 | +[  ](./media/search-howto-managed-identities-azure-functions/function-app-authentication.png#lightbox) |
| 74 | + |
| 75 | +### Add Microsoft Entra ID authentication provider |
| 76 | + |
| 77 | +* Add Microsoft Entra ID as the authentication provider for the Azure Function app. |
| 78 | +* Either create a new app registration or choose a previously configured app registration. Ensure that it's configured according to the guidelines in the previous section of this document. |
| 79 | +* Ensure that in the **Allowed token audiences** section, the application ID URI of the app registration is specified. It should be in the `api://<applicationId>` format, matching what was configured with the app registration created earlier. |
| 80 | +* If you desire, you can configure additional checks to restrict access specifically to the indexer. |
| 81 | + |
| 82 | +[  ](./media/search-howto-managed-identities-azure-functions/identity-provider.png#lightbox) |
| 83 | + |
| 84 | +### Configure additional checks |
| 85 | + |
| 86 | +* Ensure that the **Object (principal) ID** of the specific Azure AI Search service's identity is specified as the **Identity requirement**, by checking the option **Allow requests from specific identities** and entering the **Object (principal) ID** in the identity section. |
| 87 | + |
| 88 | +[  ](./media/search-howto-managed-identities-azure-functions/search-service-identity.png#lightbox) |
| 89 | + |
| 90 | +* In **Client application requirement** select the option **Allow requests from specific client application**. You need to look up the Client ID for the Azure AI Search service's identity. To do this, copy over the Object (principal) ID from the previous step and look up in your Microsoft Entra ID tenant. There should be a matching enterprise application whose overview page lists an **Application ID**, which is the GUID that needs to be specified as the client application requirement. |
| 91 | + |
| 92 | +[  ](./media/search-howto-managed-identities-azure-functions/search-identity-entra.png#lightbox) |
| 93 | + |
| 94 | + |
| 95 | +>[!NOTE] |
| 96 | +> This step is the most important configuration on the Azure Function app and doing it wrongly can result in the indexer being forbidden from accessing the Azure Function app. Ensure that you perform the lookup of the identity's enterprise application details correctly, and you specify the **Application ID** and **Object (principal) ID** in the right places. |
| 97 | +
|
| 98 | +* For the **Tenant requirement**, choose any of the options that aligns with your security posture. Check out the [Azure App service documentation](/azure/app-service/configure-authentication-provider-aad) for more details. |
| 99 | + |
| 100 | +## Setting up a connection to the Azure Function app |
| 101 | + |
| 102 | +Depending on whether the connection to the Azure Function app needs to be made in a Custom Web API skill or a Custom Web API vectorizer, the JSON definition is slightly different. In both cases, ensure that you specify the correct URI to the Azure Function app and set the `authResourceId` to be the same value as the **Allowed token audience** configured for the authentication provider. |
| 103 | + |
| 104 | +Depending on whether you choose to connect using a system assigned identity or a user assigned identity, details required will be slightly different. |
| 105 | + |
| 106 | +### Using system assigned identity |
| 107 | +Here's an example to call into a function named `test` for the sample Azure Function app, where the system assigned identity of the search service is allowed to authenticate via "Easy Auth". |
| 108 | + |
| 109 | +```json |
| 110 | +"uri": "https://contoso-function-app.azurewebsites.net/api/test?", |
| 111 | +"authResourceId": "api://00000000-0000-0000-0000-000000000000" |
| 112 | +``` |
| 113 | + |
| 114 | +### Using user assigned identity |
| 115 | + |
| 116 | +Here's an example to call into the same function, where the specific user assigned identity is allowed to authenticate via "Easy Auth". You're expected to specify the resource ID of the exact user assigned identity to use in the `identity` property of the configuration. |
| 117 | + |
| 118 | +```json |
| 119 | +"uri": "https://contoso-function-app.azurewebsites.net/api/test?", |
| 120 | +"authResourceId": "api://00000000-0000-0000-0000-000000000000", |
| 121 | +"identity" : { |
| 122 | + "@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity", |
| 123 | + "userAssignedIdentity": "/subscriptions/[subscription-id]/resourcegroups/[rg-name]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[my-user-managed-identity-name]" |
| 124 | + } |
| 125 | +``` |
| 126 | + |
| 127 | +>[!NOTE] |
| 128 | +> This user assigned identity should actually be assigned to the Azure AI Search service for it to be specified in the Custom Web skill/vectorizer definition. |
| 129 | +
|
| 130 | +## Run the indexer/vectorizer to verify permissions |
| 131 | + |
| 132 | +For Custom Web API skills, permissions are validated during indexer run-time. For vectorizer, they're validated when a vector query is issued utilizing the Custom Web API vectorizer. To rule out any specific issues with authentication, you can test by disabling the authentication provider on the Azure Function app and ensuring that calls from indexer/vectorizer succeed. |
| 133 | + |
| 134 | +* If authentication issues persist, ensure that the right identity information - namely Application ID, Object (principal) ID for the Azure AI Search service's identity is specified in the Azure Function app's authentication provider. |
| 135 | + |
| 136 | +## See also |
| 137 | + |
| 138 | +* [Custom Web API skill](cognitive-search-custom-skill-web-api.md) |
| 139 | +* [Custom Web API vectorizer](vector-search-vectorizer-custom-web-api.md) |
0 commit comments