Azure functions flex consumption plan authentication issues

Question

Hi,

I'm trying to create an Azure function app (python | 3.11) on flex consumption plan (I can create it without problems).

Uploading and running the code is also no problem.

But when I set the authentication to OpenID connect with "HTTP 302 found redirect" (when set to return 401 everything works for me), it's like the function lost access to storage. The vscode extension shows no files in the function (even though they were there before setting the authentication and everything worked normally), the function shows an error (see screenshot) and when I try to manually run the timer trigger (v1__files_remover) it returns 401.

Is there something I'm doing wrong here?

Thank you

Answer 1

Hello Václav Parma,

Thanks for posting your question in the Microsoft Q&A forum.

this issue is likely related to the function's access to storage and the way authentication is being handled. Here are some potential causes and solutions

Storage Access: When you set up authentication, the function may lose access to its storage account.

• Ensure that the function app's managed identity is enabled
• Grant the managed identity access to the storage account by assigning it the Storage Blob Data Owner role
• Update the function app's configuration to use managed identity for storage access

Authentication Configuration: The "HTTP 302 Found Redirect" setting might be causing issues with the function's execution.

• Switch back to HTTP 401 Unauthorized temporarily to verify if the function regains access to storage and files.
• Review your OpenID Connect configuration to ensure it's correctly set up for your use case.

Flex Consumption Plan Limitations: The flex consumption plan is relatively new and may have some limitations or differences compared to other plans

• Some deployment-related features, including continuous deployment, are not currently supported on the flex consumption plan.
• Certain application settings and site configuration properties may be deprecated or moved in this plan

CORS Configuration: If you're accessing the function from the Azure portal or other domains, ensure that CORS is properly configured

• Add https://functions.azure.com as an allowed origin in your CORS settings

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

Answer 2

It turns out that the authentication configuration must include this:

excludedPaths: [
   '/admin/*'
]

So the whole authentication then looks like this:

resource filesFunctionAuthSettings 'Microsoft.Web/sites/config@2024-04-01' = {
  parent: filesFunction
  name: 'authsettingsV2'
  properties: {
    platform: {
      enabled: true
    }
    globalValidation: {
      requireAuthentication: true
      unauthenticatedClientAction: 'RedirectToLoginPage'
      redirectToProvider: 'AZURE_AD_B2C'
      excludedPaths: [
        '/admin/*'
      ]
    }
    identityProviders: {
      customOpenIdConnectProviders: {
        AZURE_AD_B2C: {
          registration: {
            clientId: EntraClientID
            clientCredential: {
              clientSecretSettingName: 'AZURE_AD_B2C_AUTHENTICATION_SECRET'
            }
            openIdConnectConfiguration: {
              wellKnownOpenIdConfiguration: b2cConfigurationUrl
            }
          }
        }
      }
    }
    login: {
      tokenStore: {
        enabled: true
      }
    }
  }
  dependsOn: [
    filesFunction
    deploymentScript
  ]
}

And then everything works as it should.