July 23, 2025

Integrating Azure Function Apps into Azure Data Factory (ADF) workflows is common practice. To go beyond function API keys, authenticating with a managed identity is strongly recommended. Because many existing guides have become outdated as Azure services changed, this article provides an up-to-date walkthrough of configuring managed identity authentication in ADF to call Function Apps securely. The same method can be adapted to other Azure services that need to call Function Apps with managed identity authentication.
The high-level process is:
- Enable Managed Identity on Data Factory
- Configure Microsoft Entra Sign-in on Azure Function App
- Configure Linked Service in Data Factory
- Assign Permissions to the Data Factory in Azure Function
Step 1: Enable Managed Identity on Data Factory
On the Data Factory’s portal page, go to Managed identities and enable a system-assigned managed identity.
Step 2: Configure Microsoft Entra Sign-in on Azure Function App
1. Go to the Function App portal page and enable Authentication. Choose “Microsoft” as the identity provider.
2. Add an app registration to the app; it can be an existing one, or you can let the platform create a new app registration.
3. Next, allow the ADF managed identity as a client application to authenticate to the function app. This step is a new requirement that older guides do not cover. If these settings are not set correctly, a 403 response is returned:
Add the Application ID of the ADF managed identity under Allowed client applications and the Object ID of the ADF managed identity under Allowed identities. If requests should only be allowed from specific tenants, add the Tenant ID of the managed identity in the last box.
4. This part sets the response the function app returns to unauthenticated requests. Set it to “HTTP 401 Unauthorized: recommended for APIs”, since redirecting to a sign-in page is not feasible for API calls from ADF.
5. Then click Next and use the default permission option.
6. After everything is set, click “Add” to complete the configuration. Copy the generated App (client) ID, as Data Factory uses it to handle authorization.
Step 3: Configure Linked Service in Data Factory
1. To use an Azure Function activity in a pipeline, follow the steps here: Create an Azure Function activity with UI
2. Then edit an existing Azure Function linked service or create a new one.
3. Change the authentication method to System Assigned Managed Identity, and paste the client ID of the function app’s identity provider copied in Step 2 into Resource ID. This step is necessary; authorization does not work without it.
Step 4: Assign Permissions to the Data Factory in Azure Function
1. On the function app portal page, go to Access control (IAM) and add a new role assignment.
2. Assign the Reader role.
3. Assign the Data Factory’s managed identity to that role.
After everything is set, test that the function app can be called successfully from Azure Data Factory.
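When a call from ADF fails, the quickest diagnosis is to request a token with the managed identity and inspect its claims against the Step 2 settings. The following added example (not code from the article or from Azure) mirrors the checks described above: a wrong audience (wrong Resource ID in the linked service) is treated as 401, and a valid token whose appid, oid or tid is missing from the allow-lists as 403. The check order, the `api://` audience variant and all GUIDs are constructed assumptions.

```python
import base64
import json
from dataclasses import dataclass, field

@dataclass
class EasyAuthConfig:
    """Step 2 settings: the app registration's client ID (the token's expected
    audience) plus the allow-lists; an empty allow-list is not enforced."""
    client_id: str
    allowed_client_apps: set = field(default_factory=set)  # Application IDs
    allowed_identities: set = field(default_factory=set)   # Object IDs
    allowed_tenants: set = field(default_factory=set)      # Tenant IDs

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT purely to exercise the checks below."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it: a troubleshooting aid for a
    token you obtained yourself, never an authorization step."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def evaluate(claims: dict, cfg: EasyAuthConfig) -> tuple[int, str]:
    """Status the walkthrough leads you to expect for a token whose signature
    and expiry are already valid, plus the setting to fix (order assumed)."""
    if claims.get("aud") not in {cfg.client_id, f"api://{cfg.client_id}"}:
        return 401, "aud mismatch: Resource ID in the linked service is wrong"
    if cfg.allowed_tenants and claims.get("tid") not in cfg.allowed_tenants:
        return 403, "tid not in Allowed tenants"
    app_id = claims.get("appid") or claims.get("azp")  # v1 vs v2 token claim
    if cfg.allowed_client_apps and app_id not in cfg.allowed_client_apps:
        return 403, "appid not in Allowed client applications"
    if cfg.allowed_identities and claims.get("oid") not in cfg.allowed_identities:
        return 403, "oid not in Allowed identities"
    return 200, "ok"

# Constructed sample IDs, not real tenants, apps or identities.
CFG = EasyAuthConfig(client_id="11111111-aaaa-4bbb-8ccc-000000000001",
                     allowed_client_apps={"22222222-aaaa-4bbb-8ccc-000000000002"},
                     allowed_identities={"33333333-aaaa-4bbb-8ccc-000000000003"})
GOOD = {"aud": CFG.client_id, "tid": "44444444-aaaa-4bbb-8ccc-000000000004",
        "appid": "22222222-aaaa-4bbb-8ccc-000000000002",
        "oid": "33333333-aaaa-4bbb-8ccc-000000000003"}
```

Run `evaluate(decode_claims(token), CFG)` on a real token from the ADF managed identity, with CFG filled from your own Step 2 values, to see which setting a 401 or 403 points at.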
Reference:
Enabling Managed Identity Authentication on Azure Functions in Data Factory
https://learn.microsoft.com/en-us/azure/data-factory/control-flow-azure-function-activity
https://docs.azure.cn/en-us/app-service/overview-authentication-authorization