Let’s imagine you are building a powerful new app, leveraging the flexibility and efficiency of Azure Functions to write code quickly, without needing to worry about managing infrastructure.
While Azure Functions allows you to focus on developing features, with reduced costs, and the ability to scale effortlessly, there’s still one hurdle—managing user authentication securely without adding unnecessary complexity.
Enter Microsoft Entra External ID. It provides out-of-the-box integration with Azure Functions and allows you to focus on what matters: your code. External ID balances secure, efficient user authentication with a smooth, user-friendly experience.
In this blog post, I will show how to configure External ID as an identity provider for an Azure Function and sign up your first user.
Why External ID?
Managing authentication often feels like a mountain of complexity, especially when juggling infrastructure and security concerns. External ID addresses this by providing strong security without compromising usability.
Additionally, External ID has out-of-the-box integrations with other tools, such as App Services and Power Pages, enabling you to effortlessly set up authentication for applications built across multiple platforms.
Setting up External ID on your Function App
Prerequisites
- An external tenant on Microsoft Entra Admin Center.
  - If you don’t have one, create an external tenant with an Azure subscription.
- Ensure you have the Application Administrator role and External ID User Flow Administrator role on Microsoft Entra.
- A Contributor role on Azure to create Function apps.
Creating your Function App
- Log in to Azure, click More Services on the home page, and click Function App.
- Click Create Function App
- Select the Hosting plan that best fits your needs and click Select.
- Note: The ‘container apps’ hosting plan follows a different setup process than what is shown in the video and outlined in the steps below.
- On the next screen, input the basic info for your Function App.
- Under Project Details, select your Subscription and Resource group (You will need one when you create a Function App).
- Under Instance details, enter a Function App name, such as “function-app-test”.
- Select a Runtime stack. There is a wide range to choose from: .NET, Node.js, Python, Java, PowerShell Core, or a Custom Handler.
- Select a Version, e.g. for .NET, you can use 8 (LTS).
- Pick a Region. This could be anywhere you want your Function App to run from.
- Click Review + create.
- Validate your details and click Create to start deploying your Function App.
- On deployment completion, click on Go to resource.
- Validate that your Function App is running.
- Click on Browse. This will open your Function App in a new tab to see your demo app running. At this point, authentication is not yet configured but you have a demo app running.
Adding authentication to your Function App.
- Navigate to Settings > Authentication.
- Click Add identity provider.
- Select ‘Microsoft’ as your Identity provider.
- On tenant choice, select External configuration.
- On app registration:
- Create a new app registration if you don’t have an existing app you can use. We will set up an app for you in the background.
- Provide the details of an existing app registration where you enter the Client ID, Client secret, and Issuer URL which you can find under App Registration > All applications > Select your app.
- On selecting a tenant:
- Select an existing external tenant you have from the drop down.
- If you don’t have one, you can click on Create new to create a trial tenant.
Configuring external authentication
- Click Configure.
- Select a user flow if you have an existing user flow you want to use.
- Alternatively, you can click Create new and give your user flow a name, e.g. “Function-app-user-flow”. Select Email and password or Email and one-time passcode for local account sign in option and click Next.
- On the Customize Branding tab, add your logo and background color, and Center-align or Right-align your sign-in page and click Next.
- Review your configurations and click Configure.
Performing additional checks and testing
- I have used the settings as outlined below. However, you can select different options based on the application you are building.
- Select Client application requirement as ‘Allow requests only from this application itself’.
- Select Identity requirement as ‘Allow requests from any identity’.
- Select Tenant requirement as ‘Use default restrictions based on issuer’.
- App service authentication settings.
- Under restrict access, select ‘Require authentication’.
- Under unauthenticated requests, select ‘HTTP 302 Found redirect: recommended for websites’.
- Tick ‘token store’.
- Finally, click Add.
- This should add External ID as an identity provider to your Function App.
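With ‘Require authentication’ on, every request that reaches your function code has already been through the sign-in flow, and App Service Authentication passes the signed-in user to your code in an X-MS-CLIENT-PRINCIPAL header (a base64-encoded JSON document of claims). The Python below is an added example, not code from this post or from Microsoft: it decodes that header, checks that the token’s audience is your app registration’s Client ID, and returns the user name, so the function fails closed if the header is missing or was issued for a different app. EXPECTED_AUDIENCE and the sample header are constructed placeholders.

```python
"""Reading the signed-in user that App Service Authentication hands to a Function."""
import base64
import json
from typing import Mapping, Optional

# Header injected by App Service Authentication ("Easy Auth") once a request
# has passed the sign-in check. The name is real; the values below are constructed.
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"

# Constructed placeholder for the app registration's Client ID (the token's
# expected audience). Replace with the Client ID of your own app registration.
EXPECTED_AUDIENCE = "11111111-2222-3333-4444-555555555555"


class Unauthenticated(Exception):
    """The request carries no usable App Service principal."""


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def decode_client_principal(headers: Mapping[str, str]) -> dict:
    """Decode the base64 JSON principal that App Service Authentication injects.

    The JSON has the shape {"auth_typ": ..., "name_typ": ..., "role_typ": ...,
    "claims": [{"typ": ..., "val": ...}, ...]}.
    """
    raw = _get_header(headers, PRINCIPAL_HEADER)
    if not raw:
        raise Unauthenticated("no X-MS-CLIENT-PRINCIPAL header; request did not pass App Service Authentication")
    try:
        principal = json.loads(base64.b64decode(raw))
    except ValueError as exc:  # covers both bad base64 (binascii.Error) and bad JSON
        raise Unauthenticated(f"malformed principal header: {exc}") from exc
    if not isinstance(principal, dict) or not isinstance(principal.get("claims"), list):
        raise Unauthenticated("principal header has no claims list")
    return principal


def claims_by_type(principal: dict) -> dict:
    """Group claim values by claim type; a type may appear more than once (e.g. roles)."""
    grouped: dict = {}
    for claim in principal["claims"]:
        grouped.setdefault(claim.get("typ"), []).append(claim.get("val"))
    return grouped


def require_signed_in_user(headers: Mapping[str, str], expected_audience: str) -> str:
    """Return the signed-in user's name, or raise Unauthenticated.

    Checks that the token was issued for this app registration (aud claim)
    and that the principal names a user via the claim type given in name_typ.
    """
    principal = decode_client_principal(headers)
    claims = claims_by_type(principal)
    if expected_audience not in claims.get("aud", []):
        raise Unauthenticated("token audience does not match this app registration")
    names = claims.get(principal.get("name_typ"), [])
    if not names or not names[0]:
        raise Unauthenticated("principal has no name claim")
    return names[0]


def make_sample_headers(audience: str) -> dict:
    """Build a constructed X-MS-CLIENT-PRINCIPAL header for offline testing."""
    principal = {
        "auth_typ": "aad",
        "name_typ": "preferred_username",
        "role_typ": "roles",
        "claims": [
            {"typ": "aud", "val": audience},
            {"typ": "preferred_username", "val": "test.user@example.com"},
            {"typ": "name", "val": "Test User"},
        ],
    }
    encoded = base64.b64encode(json.dumps(principal).encode()).decode()
    return {PRINCIPAL_HEADER: encoded}


if __name__ == "__main__":
    print(require_signed_in_user(make_sample_headers(EXPECTED_AUDIENCE), EXPECTED_AUDIENCE))
```

In an HTTP-triggered function you would pass the request’s headers (`req.headers` in the Python worker) to `require_signed_in_user` at the top of the handler. The header is only trustworthy because App Service Authentication sits in front of the function and overwrites any copy a client sends; if authentication is ever switched off on the Function App, nothing strips client-supplied headers and this check no longer proves anything, which is why the audience check above is a second line of defence rather than a substitute for the platform setting.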
Testing your Function App.
- Click Overview > Browse.
- This will take you straight to the sign-in page. Follow the sign-up process for a new user.
- On successful sign up, this should take you to the demo page of your function app as shown below.
Let’s recap
You have now successfully set up External ID as an identity provider for your Function App and signed up your first user.
In this blog post, you have learned how to:
- create a Function App.
- add authentication to your Function App using External ID.
- configure external authentication by creating and adding a user flow with customized branding.
- sign up and sign in an External ID user with email and password on your website.
Stay connected
To learn more or test out features in the Microsoft Entra portfolio, visit our developer center. Make sure you subscribe to the Identity blog for more insights and to keep up with the latest on all things Identity. And, don’t forget to follow us on YouTube for video overviews, tutorials, and deep dives.
Join our research panel to receive occasional invites to participate in future customer research initiatives.