How to securely call an Azure Function from a Logic App without keys

Hello, a quick blog post on an impactful topic, at least for Azure Workflow Users.

You have an Azure Function, and you have a Logic App, and you want to call the function from the Logic App without hassling with Keys or Tokens, but have that managed automatically.

Authentication on Azure Function allows to block all unauthorized traffic from outside your Active Directory, and Managed Identities automatically give HTTP Calls, that are made with the Logic App an authentification. Both work without having to store a key or a client secret or a password or a token somewhere.

In short, do this:

1) Activate Authentication on the Function, default everything

2) Activate Managed Identitys on the Logic App, default everything

3) Assign an RBAC role on the Function to the Logic App

4) Use the Function Client ID as audience in the Logic App HTTP Action Authentication

See these Screenshots:

Screenshot of enabled Authentication with Microsoft AAD

Screenshot of Managed Identity activated on a Logic App

Screenshot of adding an RBAC Role on the Function App to the Logic App. Here its "Contributor". Other Roles with less rights might work as well, but i did not find out which ones are sufficient.

Screenshot of the configured HTTP Action of the Logic App. All you have to care about is to put the Client-ID of the Function App from the Function App's Authentication Page into the "Audience" field.

Done.