In this example we are authenticate a using our client, Postmanl, allowing it to access our Azure Function.

Solution referenced in this blog post: Reference Solution from Sahil Malik

Create a new app registration for the function/api

  • Azure Active Directory -> App Registrations -> New Registration
  • Enter a name
  • For this example use http://localhost:7071 as the redirect URI

Create new app registration

  • Expose an API -> Application ID URL Set
    • The actual url does not matter but I use this format:
    • So for me its
  • Click Add Scope
  • Enter in MyScope for the name, leave defaults and Add Scope.

Once completed it should look like this:

Expose an API

Create and configure client app registration

In our case, the client is Postman but will be a reactjs app in the future.


  • Azure Active Directory -> App Registrations -> New Registration
  • Enter a name
  • We can leave the redirect URI blank

Configure Authentication

  • From within the App Registration page, click on Authentication
  • Click on Add a Platform , Select Web
  • Enter in http://localhost:7071 (again, for example purposes only)
  • Check ID tokens under implicit grant, Click configure

Generate Secret

  • Click on Certificates & Secret, New Client Secret
  • Generate a new secret and copy it somewhere safe. We will use it later

Set API Permissions

  • Click on API Permissions -> Add a permission -> My APIs
  • You should see your function api scope that was created earlier.
  • Select it and check the box next to the scope you created
  • Click Add Permissions
  • Click Gran admin consent for [Tentant Name]

API Permissions

Configure Function App

Using the values from the Function App API app registration lets configure the function app.

Open up Constants.cs and update the following:

internal static string audience = "https://<tenantname>"; // Get this value from the expose an api
internal static string clientID = "<appid>"; // this is the client id, also known as AppID. This is not the ObjectID
internal static string tenant = "<tenantname>"; // this is your tenant name
internal static string tenantid = "<tenantid>"; // this is your tenant id (GUID)

Build and run the application and leave it running in the background.

Authenticate via Browswer to Obtain Token

  • Construct the following url and paste it into your browser.
  • Replace items noted with your own values from the Client App Registration{TENANT NAME}{CLIENT ID}&redirect_uri={REDIRECT URL}&scope=openid {APPLICATION SCOPE FROM API REGISTRTION}
  • Paste that into a browser
  • It will authenticate and redirect you localhost:7071 where your function is running

Local Function Running

Grab the url from the browser and copy the value for code and keep it handy. http://localhost:7071/?code=[GRAB THIS VALUE]&session_state=64fae8b1-bb95-427e-9f42-086e28e1fc92

Use Postman to Generate Auth Token

Create a new HTTP POST in Postman with the following settings:

  • POST:
  • Headers:
    • Content-Type: application/x-form-urlencoded
  • Body:
    • redirect_uri: http://localhost:7071/
    • client_id: client id of client app registration
    • grant_type: authorization_code
    • client_secret: value that you saved earlier
    • code: the code that you saved from the previous section
    • scope: the scope you created

You should get a response back that looks like the following:

    "token_type": "Bearer",
    "scope": "",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1d...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZC..."

Copy the contents of the access_token feild as we will use it in the next section to authorize our request.

Add Bearer token to authenticate local function requests

Create a new HTTP POST in Postman with the following settings:

  • GET: http://localhost:7071/authenticated
    • This is the same function app to test if authenteication is working. You can substitue this for your application.
  • Headers:
    • Authorization: Bearer access_token
  • Upon submitting you should get your AAD username back as a response.
  • Any request you want to authenticate must include the header with the bearer token.

Authorize using Bearer Token