|
| 1 | +--- |
| 2 | +title: "Configure Durable Functions with Azure Active Directory" |
| 3 | +description: Configure Durable Functions with Managed Identity Credentials and Client Secret Credentials. |
| 4 | +author: naiyuantian |
| 5 | +ms.topic: quickstart |
| 6 | +ms.date: 02/01/2023 |
| 7 | +ms.author: azfuncdf |
| 8 | +--- |
| 9 | + |
| 10 | +# Configure Durable Functions with Azure Active Directory |
| 11 | + |
| 12 | +[Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) is a cloud-based identity and access management service. Identity-based connections allow Durable Functions to make authorized requests against Azure AD protected resources, like an Azure Storage account, without the need to manage secrets manually. Using the default Azure storage provider, Durable Functions needs to authenticate against an Azure storage account. In this article, we show how to configure a Durable Functions app to utilize two kinds of Identity-based connections: **managed identity credentials** and **client secret credentials**. |
| 13 | + |
| 14 | + |
| 15 | +## Configure your app to use managed identity (recommended) |
| 16 | + |
| 17 | +A [managed identity](../../app-service/overview-managed-identity.md) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. Managed identity is supported in [Durable Functions extension](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask) versions **2.7.0** and greater. |
| 18 | +> [!NOTE] |
| 19 | +> Strictly speaking, a managed identity is only available to apps when executing on Azure. When configured to use identity-based connections, a locally executing app will utilize your **developer credentials** to authenticate with Azure resources. Then, when deployed on Azure, it will utilize your managed identity configuration instead. |
| 20 | +
|
| 21 | +### Prerequisites |
| 22 | + |
| 23 | +The following steps assume that you're starting with an existing Durable Functions app and are familiar with how to operate it. |
| 24 | +In particular, this quickstart assumes that you have already: |
| 25 | + |
| 26 | +* Created a Durable Functions project in the Azure portal or deployed a local Durable Functions to Azure. |
| 27 | + |
| 28 | +If this isn't the case, we suggest you start with one of the following articles, which provides detailed instructions on how to achieve all the requirements above: |
| 29 | + |
| 30 | +- [Create your first durable function - C#](durable-functions-create-first-csharp.md) |
| 31 | +- [Create your first durable function - JavaScript](quickstart-js-vscode.md) |
| 32 | +- [Create your first durable function - Python](quickstart-python-vscode.md) |
| 33 | +- [Create your first durable function - PowerShell](quickstart-powershell-vscode.md) |
| 34 | +- [Create your first durable function - Java](quickstart-java.md) |
| 35 | + |
| 36 | +### Enable managed identity |
| 37 | + |
| 38 | +Only one identity is needed for your function, either a **system assigned managed identity** or a **user assigned managed identity**. To enable a managed identity for your function and learn more about the differences between the two identities, read the detailed instructions [here](../../app-service/overview-managed-identity.md). |
| 39 | + |
| 40 | +### Assign Role-based Access Controls (RBAC) to managed identity |
| 41 | + |
| 42 | +Navigate to your app's storage resource on the Azure portal. Follow [these instructions](../../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md) to assign the following roles to your managed identity resource. |
| 43 | + |
| 44 | +* Storage Queue Data Contributor |
| 45 | +* Storage Blob Data Contributor |
| 46 | +* Storage Table Data Contributor |
| 47 | + |
| 48 | +### Add managed identity configuration in the Azure portal |
| 49 | + |
| 50 | +Navigate to your Azure function app’s **Configuration** page and perform the following changes: |
| 51 | + |
| 52 | +1. Remove the default value "AzureWebJobsStorage". |
| 53 | + |
| 54 | + [ ](./media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-01.png#lightbox) |
| 55 | + |
| 56 | +2. Link your Azure storage account by adding **either one** of the following value settings: |
| 57 | + |
| 58 | + * **AzureWebJobsStorage__accountName**: For example: `mystorageaccount123` |
| 59 | + |
| 60 | + * **AzureWebJobsStorage__blobServiceUri**: Example: `https://mystorageaccount123.blob.core.windows.net/` |
| 61 | + |
| 62 | + **AzureWebJobsStorage__queueServiceUri**: Example: `https://mystorageaccount123.queue.core.windows.net/` |
| 63 | + |
| 64 | + **AzureWebJobsStorage__tableServiceUri**: Example: `https://mystorageaccount123.table.core.windows.net/` |
| 65 | + |
| 66 | + > [!NOTE] |
| 67 | + > If you are using [Azure Government](../../azure-government/documentation-government-welcome.md) or any other cloud that's separate from global Azure, then you will need to use this second option to provide specific service URLs. The values for these settings can be found in the storage account under the **Endpoints** tab. For more information on using Azure Storage with Azure Government, see the [Develop with Storage API on Azure Government](../../azure-government/documentation-government-get-started-connect-to-storage.md) documentation. |
| 68 | +
|
| 69 | +  |
| 70 | + |
| 71 | +3. Finalize your managed identity configuration: |
| 72 | + |
| 73 | + * If **system-assigned identity** should be used, then specify nothing else. |
| 74 | + |
| 75 | + * If **user-assigned identity** should be used, then add the following app settings values in your app configuration: |
| 76 | + * **AzureWebJobsStorage__credential**: managedidentity |
| 77 | + |
| 78 | + * **AzureWebJobsStorage__clientId**: (This is a GUID value that you obtain from the Azure AD portal) |
| 79 | + |
| 80 | +  |
| 81 | + |
| 82 | + |
| 83 | + |
| 84 | +## Configure your app to use client secret credentials |
| 85 | + |
| 86 | +Registering a client application in Azure Active Directory (Azure AD) is another way you can configure access to an Azure service. In the following steps, you will learn how to use client secret credentials for authentication to your Azure Storage account. This method can be used by function apps both locally and on Azure. However, client secret credential is **less recommended** than managed identity as it's more complicated to configure and manage and it requires sharing a secret credential with the Azure Functions service. |
| 87 | + |
| 88 | +### Prerequisites |
| 89 | + |
| 90 | +The following steps assume that you're starting with an existing Durable Functions app and are familiar with how to operate it. |
| 91 | +In particular, this quickstart assumes that you have already: |
| 92 | + |
| 93 | +* Created a Durable Functions project on your local machine or in the Azure portal. |
| 94 | + |
| 95 | + |
| 96 | +### Register a client application on Azure Active Directory |
| 97 | +1. Register a client application under Azure Active Directory in the Azure portal according to [these instructions](../../healthcare-apis/register-application.md). |
| 98 | + |
| 99 | +2. Create a client secret for your client application. In your registered application: |
| 100 | + |
| 101 | + 1. Select **Certificates & Secrets** and select **New client secret**. |
| 102 | + |
| 103 | + 2. Fill in a **Description** and choose secret valid time in the **Expires** field. |
| 104 | + |
| 105 | + 3. Copy and save the secret value carefully because it will not show up again after you leave the page. |
| 106 | + |
| 107 | +  |
| 108 | + |
| 109 | +### Assign Role-based Access Controls (RBAC) to the client application |
| 110 | + |
| 111 | +Assign these three roles to your client application with the following steps. |
| 112 | + |
| 113 | +* Storage Queue Data Contributor |
| 114 | +* Storage Blob Data Contributor |
| 115 | +* Storage Table Data Contributor |
| 116 | + |
| 117 | +1. Navigate to your function’s storage account **Access Control (IAM)** page and add a new role assignment. |
| 118 | + |
| 119 | +  |
| 120 | + |
| 121 | +2. Choose the required role, click next, then search for your application, review and add. |
| 122 | + |
| 123 | +  |
| 124 | + |
| 125 | +### Add client secret configuration |
| 126 | + |
| 127 | +To run and test in Azure, specify the followings in your Azure function app’s **Configuration** page in the Azure portal. To run and test locally, specify the following in the function’s **local.settings.json** file. |
| 128 | + |
| 129 | +1. Remove the default value "AzureWebJobsStorage". |
| 130 | + |
| 131 | +2. Link Azure storage account by adding either one of the following value settings: |
| 132 | + |
| 133 | + * **AzureWebJobsStorage__accountName**: For example: `mystorageaccount123` |
| 134 | + |
| 135 | + * **AzureWebJobsStorage__blobServiceUri**: Example: `https://mystorageaccount123.blob.core.windows.net/` |
| 136 | + |
| 137 | + **AzureWebJobsStorage__queueServiceUri**: Example: `https://mystorageaccount123.queue.core.windows.net/` |
| 138 | + |
| 139 | + **AzureWebJobsStorage__tableServiceUri**: Example: `https://mystorageaccount123.table.core.windows.net/` |
| 140 | + |
| 141 | + The values for these Uri variables can be found in the storage account under the **Endpoints** tab. |
| 142 | + |
| 143 | +  |
| 144 | + |
| 145 | +3. Add a client secret credential by specifying the following values: |
| 146 | + * **AzureWebJobsStorage__clientId**: (this is a GUID value found in the Azure AD application page) |
| 147 | + |
| 148 | + * **AzureWebJobsStorage__ClientSecret**: (this is the secret value generated in the Azure AD portal in a previous step) |
| 149 | + |
| 150 | + * **AzureWebJobsStorage__tenantId**: (this is the tenant ID that the Azure AD application is registered in) |
| 151 | + |
| 152 | + The client ID and tenant ID values can be found on your client application’s overview page. The client secret value is the one that was carefully saved in the previous step. It will not be available after the page is refreshed. |
| 153 | + |
| 154 | +  |
| 155 | + |
0 commit comments