articles/azure-functions/durable/durable-functions-configure-durable-functions-with-credentials.md
Lines changed: 18 additions & 18 deletions
@@ -1,17 +1,17 @@
1
1
---
2
-
title: "Quickstart: Authenticate a durable function app by using Microsoft Entra ID"
3
-
description: Authenticate a durable function app in Azure Functions by using either managed identity credentials or client secret credentials in Microsoft Entra ID.
2
+
title: "Quickstart: Authenticate a Durable Functions app by using Microsoft Entra ID"
3
+
description: Authenticate a Durable Functions app in Azure Functions by using either managed identity credentials or client secret credentials in Microsoft Entra ID.
4
4
author: naiyuantian
5
5
ms.topic: quickstart
6
6
ms.date: 02/01/2023
7
7
ms.author: azfuncdf
8
8
---
9
9
10
-
# Quickstart: Authenticate a durable function app by using Microsoft Entra ID
10
+
# Quickstart: Authenticate a Durable Functions app by using Microsoft Entra ID
11
11
12
12
[Microsoft Entra ID](/entra/fundamentals/whatis) is a cloud-based identity and access management service. Identity-based connections allow Durable Functions, a feature of Azure Functions, to make authorized requests against Microsoft Entra-protected resources, such as an Azure Storage account, without using manually managed secrets. When Durable Functions uses the default Azure storage provider, it must authenticate against an Azure storage account.
13
13
14
-
In this quickstart, we demonstrate how to configure a durable function app to use two different kinds of identity-based connections:
14
+
In this quickstart, you complete the steps to set up a Durable Functions app to use two different kinds of identity-based connections:
15
15
16
16
* Managed identity credentials (recommended)
17
17
* Client secret credentials
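Review bot: ms.date in the front matter still reads 02/01/2023 although this hunk rewrites the title, description, H1 and intro sentence; update ms.date in the same change so the metadata matches the edit. In the unchanged intro paragraph, "Azure storage provider" and "Azure storage account" sit next to "Azure Storage account"; since this pass is about consistent naming, settle on one capitalization there as well.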
@@ -22,10 +22,10 @@ If you don't have an Azure account, create a [free account](https://azure.micros
22
22
23
23
To complete this quickstart, you need:
24
24
25
-
* An existing durable function project created in the Azure portal or a local durable function project deployed to Azure.
26
-
* Familiarity running a durable function app in Azure.
25
+
* An existing Durable Functions project created in the Azure portal or a local Durable Functions project deployed to Azure.
26
+
* Familiarity running a Durable Functions app in Azure.
27
27
28
-
If you don't have an existing durable function project deployed in Azure, we recommend that you start with one of the following quickstarts:
28
+
If you don't have an existing Durable Functions project deployed in Azure, we recommend that you start with one of the following quickstarts:
29
29
30
30
*[Create your first Durable Functions app - C#](durable-functions-isolated-create-first-csharp.md)
31
31
*[Create your first Durable Functions app - JavaScript](quickstart-js-vscode.md)
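Review bot: In the second prerequisite bullet, "Familiarity running a Durable Functions app in Azure" carries the missing preposition over from the old text; change it to "Familiarity with running a Durable Functions app in Azure" while the line is being touched.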
@@ -60,7 +60,7 @@ Before you can use your app's managed identity, make some changes to the app con
60
60
61
61
1. In the list of settings, select **AzureWebJobsStorage** and select the **Delete** icon.
62
62
63
-

63
+
:::image type="content" source="media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-01.png" alt-text="Screenshot that shows default storage settings and deleting AzureWebJobsStorage.":::
64
64
65
65
1. Add a setting to link your Azure storage account to the application.
66
66
@@ -91,7 +91,7 @@ Before you can use your app's managed identity, make some changes to the app con
91
91
92
92
You can get the values for these URI variables in the storage account on the **Endpoints** tab.
93
93
94
-

94
+
:::image type="content" source="media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-02.png" alt-text="Screenshot that shows an example of an endpoint as a specific service URI.":::
95
95
96
96
1. Finish your managed identity configuration:
97
97
@@ -103,11 +103,11 @@ Before you can use your app's managed identity, make some changes to the app con
103
103
104
104
* For **AzureWebJobsStorage__clientId**, get this GUID value from the Microsoft Entra admin center.
105
105
106
-

106
+
:::image type="content" source="media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-03.png" alt-text="Screenshot that shows the user identity client ID.":::
107
107
108
108
## Configure your app to use client secret credentials
109
109
110
-
Registering a client application in Microsoft Entra ID is another way that you can configure access to an Azure service for your durable function app. In the following steps, you use client secret credentials for authentication to your Azure Storage account. Function apps can use this method both locally and in Azure. Using a client secret credential is *less recommended* than using managed identity credentials because a client secret is more complicated to configure and manage. A client secret credential also requires sharing a secret credential with the Azure Functions service.
110
+
Registering a client application in Microsoft Entra ID is another way that you can configure access to an Azure service for your Durable Functions app. In the following steps, you use client secret credentials for authentication to your Azure Storage account. Function apps can use this method both locally and in Azure. Using a client secret credential is *less recommended* than using managed identity credentials because a client secret is more complicated to configure and manage. A client secret credential also requires sharing a secret credential with the Azure Functions service.
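Review bot: In the rewritten paragraph under "Configure your app to use client secret credentials", the phrase "*less recommended*" is carried over unchanged and reads awkwardly for the one sentence that steers readers away from the weaker option. State the preference directly, for example "We recommend managed identity credentials over a client secret credential because a client secret is more complicated to configure and manage", and keep the following sentence about sharing the secret with the Azure Functions service as the second reason.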
@@ -127,7 +127,7 @@ Registering a client application in Microsoft Entra ID is another way that you c
127
127
128
128
The secret value doesn't appear again after you leave the pane, so be sure that you *copy the secret and save it*.
129
129
130
-

130
+
:::image type="content" source="media/durable-functions-configure-df-with-credentials/durable-functions-client-secret-scenario-01.png" alt-text="Screenshot that shows the Add a client secret pane.":::
131
131
132
132
### Assign access roles to your application
133
133
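Review bot: The context line above the new image tells readers to "copy the secret and save it" without saying where to save it. Add a clause that points them to a secret store such as Azure Key Vault rather than a text file or a settings file under source control, so the quickstart does not leave a long-lived credential in plain text.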
@@ -143,11 +143,11 @@ To add the roles:
143
143
144
144
1. In the resource menu, select **Access Control (IAM)**, and then select **Add role assignment**.
145
145
146
-

146
+
:::image type="content" source="media/durable-functions-configure-df-with-credentials/durable-functions-client-secret-scenario-02.png" alt-text="Screenshot that shows the Access control pane with Add role assignment highlighted.":::
147
147
148
148
1. Select the role you want to add, select **Next**, and then search for your application. Review the role, and then add the role.
149
149
150
-

150
+
:::image type="content" source="media/durable-functions-configure-df-with-credentials/durable-functions-client-secret-scenario-03.png" alt-text="Screenshot that shows the role assignment pane.":::
151
151
152
152
### Configure the client secret
153
153
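Review bot: The first new alt text calls the page the "Access control pane", while the step directly above it uses the UI label **Access Control (IAM)**; use the same label in the alt text ("Screenshot that shows the Access Control (IAM) pane with Add role assignment highlighted.") so screen-reader users hear the name they were told to select. The second alt text, "the role assignment pane", could likewise say "Add role assignment".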
@@ -170,7 +170,7 @@ In the Azure portal, run and test the application. To run and test the app local
170
170
***Non-Azure cloud**: If your application runs in a cloud outside of Azure, you must add a specific service URI (endpoint) for the storage account instead of an account name.
171
171
172
172
> [!NOTE]
173
-
> If you're using[Azure Government](../../azure-government/documentation-government-welcome.md) or any other cloud that's separate from public Azure, you must use the option to provide a specific service URL. For more information about using Azure Storage with Azure Government, see [Develop by using the Storage API in Azure Government](../../azure-government/documentation-government-get-started-connect-to-storage.md).
173
+
> If you use[Azure Government](../../azure-government/documentation-government-welcome.md) or any other cloud that's separate from public Azure, you must use the option to provide a specific service URL. For more information about using Azure Storage with Azure Government, see [Develop by using the Storage API in Azure Government](../../azure-government/documentation-government-get-started-connect-to-storage.md).
174
174
175
175
*`AzureWebJobsStorage__<blobServiceUri>`
176
176
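Review bot: The edited note says "you must use the option to provide a specific service URL", but the bullet just above it calls the same option a "specific service URI (endpoint)" and the setting listed right after the note ends in Uri. Change "URL" to "URI" in the note so all three agree.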
@@ -186,7 +186,7 @@ In the Azure portal, run and test the application. To run and test the app local
186
186
187
187
You can get the values for these URI variables in the storage account on the **Endpoints** tab.
188
188
189
-

189
+
:::image type="content" source="media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-02.png" alt-text="Screenshot that shows an example of an endpoint as a specific service URI.":::
190
190
191
191
1. To add client secret credentials, specify the following values:
192
192
@@ -196,6 +196,6 @@ In the Azure portal, run and test the application. To run and test the app local
196
196
197
197
***AzureWebJobsStorage__tenantId**: The tenant ID that the Microsoft Entra application is registered in. Get this GUID value on the Microsoft Entra application pane.
198
198
199
-
The values to use for the client ID and the tenant ID appear on your client application’s overview pane. The client secret value is the one that you saved in an earlier step. The client secret value isn't available after the page is refreshed.
199
+
The values to use for the client ID and the tenant ID appear on your client application Overview pane. The client secret value is the one that you saved in an earlier step. The client secret value isn't available after the page is refreshed.
200
200
201
-

201
+
:::image type="content" source="media/durable-functions-configure-df-with-credentials/durable-functions-client-secret-scenario-04.png" alt-text="Screenshot that shows the tenant ID and client ID on a Microsoft Entra application pane.":::
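Review bot: In the rewritten sentence, "appear on your client application Overview pane" drops the possessive without repairing the phrase; "appear on the **Overview** pane of your client application" reads cleanly and bolds the UI label the way **Endpoints** and **Delete** are bolded in the other steps. The last sentence says the secret "isn't available after the page is refreshed", while the earlier step says it "doesn't appear again after you leave the pane"; use one wording in both places.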