
Guide to securing HTTP triggered Azure Function using Access Token acquired from MSAL in mobile app

Richard Mackriell 0 Reputation points
2026-05-07T18:48:41.6333333+00:00

Hello community.

I've reached the point of feeling pretty despondent at the documentation for working with Microsoft Entra ID.

I am using Entra ID to support external customers and have integrated Native Auth using MSAL in a mobile app which is written in Flutter.

I would like to directly call HTTP triggered Azure Functions from this app, sending an Access Token in the Authorization header of each request and have this token both validated and then the claims extracted for use in each Azure Function.

To my mind this should be a straightforward process and not require me to add custom middleware in my functions which decode and validate the tokens manually (I really am against the idea of maintaining security critical code).

So far though, I haven't found any specific documentation which outlines how to achieve what I'm after; I have seen suggestions that a ClaimsPrincipal object can be placed in the function parameter list and will be injected but that hasn't worked and an alternative suggested the request User from the Http Context would be populated but again - no luck.

Should one simply secure each function in the same way they would a WebAPI application?

I would greatly appreciate confirmation that the above is possible (and simple) and pointing to documentation on how to achieve it?!

Thanks in advance.

Azure Functions


1 answer

  1. Rakesh Mishra 8,505 Reputation points Microsoft External Staff Moderator
    2026-05-07T22:33:39.5966667+00:00

    Hello Richard,

    Thank you for reaching out on the Microsoft Q&A platform!

    You are entirely correct that you shouldn't have to write custom JWT validation middleware from scratch. The recommended approach to secure an HTTP-triggered Azure Function using Microsoft Entra ID (formerly Azure AD) is to use the platform's built-in App Service Authentication and Authorization, commonly referred to as "Easy Auth."

    By enabling this feature, Azure intercepts the incoming HTTP requests, validates the Bearer token in the Authorization header, and populates the user claims before the request ever reaches your function's code.

    Here is what the official Microsoft documentation says about this feature:

    "App Service provides built-in authentication and authorization capabilities (sometimes referred to as "Easy Auth"), so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions. This article describes how App Service helps simplify authentication and authorization for your app." (Reference: Authentication and authorization in Azure App Service and Azure Functions)

    To implement this, you will follow these high-level steps:

    1. Create an App Registration for your API: In Microsoft Entra ID, register your Function App. Expose an API scope (e.g., api://<client-id>/access_as_user).
    2. Configure App Service Authentication: Navigate to your Function App in the Azure Portal, select Authentication, and add Microsoft as an identity provider using the App Registration created in step 1. Configure it to "Require authentication" and return an HTTP 401 Unauthorized for unauthenticated requests.
    3. Set Function Auth Level: In your HTTP Trigger definition (function.json or C# attribute), set the authorization level to Anonymous (AuthorizationLevel.Anonymous). This seems counter-intuitive, but it tells the Function runtime to let Easy Auth handle the security rather than looking for a function-level API key.
    4. Access Claims: Your function can now safely assume any incoming request is authenticated. You can access the injected ClaimsPrincipal to read user data.

    Please let me know in the comments if you have any further questions on this.

    Note: This response is drafted with the help of AI systems.

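The four steps in the answer above leave one practical question open: once Easy Auth has validated the Bearer token, how does the function actually get at the claims? The identity is handed to the function in the `X-MS-CLIENT-PRINCIPAL` request header as base64-encoded JSON (an `auth_typ`, a `name_typ`, a `role_typ` and a `claims` array of `{"typ": ..., "val": ...}` entries). The following is an added example, not code from the question or the answer, written in Python rather than the C# the answer mentions so that it runs stand-alone; it decodes that header, enforces the `access_as_user` scope from step 1, and maps failures to the 401/403 statuses a caller expects. The scope name, the sample object id and the sample user name are assumptions, and `build_sample_principal` constructs test data shaped like the header Easy Auth emits for an Entra ID token (the long `.../objectidentifier` and `.../claims/name` claim types are the .NET-style names Easy Auth uses; the short `oid` spelling is accepted as well). In a real Python Azure Function you would call `handle(req.headers)` on the `azure.functions.HttpRequest` and wrap the result in `func.HttpResponse`.

```python
"""
Reading the identity that App Service Authentication ("Easy Auth") injects
into an HTTP-triggered Azure Function.

Added example, not code from the original Q&A thread. With Easy Auth set to
"Require authentication", the platform validates the Bearer token and forwards
the caller's identity in the X-MS-CLIENT-PRINCIPAL header (base64 JSON); the
function never parses or validates the JWT itself. If that header is missing,
the request did not pass through Easy Auth (for example a local 'func start'),
so the function must not trust the caller and answers 401.
Assumptions: the scope name, sample oid and sample user name below.
"""
import base64
import json
from dataclasses import dataclass, field

PRINCIPAL_HEADER = "x-ms-client-principal"
REQUIRED_SCOPE = "access_as_user"  # assumed: the scope exposed in step 1 (api://<client-id>/access_as_user)

# Easy Auth may present the object id under the .NET-style URI or the short name.
OID_CLAIM_TYPES = (
    "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "oid",
)


class AuthError(Exception):
    """Carries the HTTP status the function should return."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


@dataclass
class Principal:
    object_id: str
    name: str
    scopes: frozenset
    claims: dict = field(default_factory=dict)  # claim type -> list of values (roles/groups repeat)


def parse_client_principal(headers):
    """Decode the identity Easy Auth injected; raise AuthError(401) if absent or malformed."""
    lowered = {str(k).lower(): v for k, v in headers.items()}  # header names are case-insensitive
    raw = lowered.get(PRINCIPAL_HEADER)
    if not raw:
        raise AuthError(401, "request did not pass through App Service Authentication")
    try:
        doc = json.loads(base64.b64decode(raw, validate=True))
        claims = {}
        for entry in doc["claims"]:
            claims.setdefault(entry["typ"], []).append(entry["val"])
    except (ValueError, KeyError, TypeError) as exc:  # bad base64, bad JSON, wrong shape
        raise AuthError(401, f"malformed client principal: {exc}") from exc
    object_id = next((claims[t][0] for t in OID_CLAIM_TYPES if t in claims), None)
    if object_id is None:
        raise AuthError(401, "client principal carries no object identifier")
    name = claims.get(doc.get("name_typ", "name"), [""])[0]
    # 'scp' is a single space-separated string for delegated (user) tokens.
    scopes = frozenset(" ".join(claims.get("scp", [])).split())
    return Principal(object_id, name, scopes, claims)


def handle(headers):
    """The function body: returns (status, json-serialisable body)."""
    try:
        user = parse_client_principal(headers)
    except AuthError as err:
        return err.status, {"error": str(err)}
    if REQUIRED_SCOPE not in user.scopes:
        # Authenticated, but the token was not issued for this API's scope.
        return 403, {"error": f"token lacks scope {REQUIRED_SCOPE}"}
    return 200, {"message": f"Hello {user.name}", "oid": user.object_id}


def build_sample_principal(scopes, oid="00000000-0000-0000-0000-00000000abcd", name="Jane Doe"):
    """Constructed test data shaped like the header Easy Auth emits for an Entra ID token."""
    name_typ = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    doc = {
        "auth_typ": "aad",
        "name_typ": name_typ,
        "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        "claims": [
            {"typ": OID_CLAIM_TYPES[0], "val": oid},
            {"typ": name_typ, "val": name},
            {"typ": "scp", "val": " ".join(scopes)},
        ],
    }
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    ok = {"X-MS-CLIENT-PRINCIPAL": build_sample_principal(["access_as_user"])}
    wrong_scope = {"X-MS-CLIENT-PRINCIPAL": build_sample_principal(["other.read"])}
    print(handle(ok))           # (200, {... 'oid': '0000...abcd'})
    print(handle(wrong_scope))  # (403, ...)
    print(handle({}))           # (401, ...) no Easy Auth in front of the function
```

The 401 on a missing header is deliberate: the header is trustworthy only because the Easy Auth module sits in front of the function and sets it from the token it validated. A function reached without that module (local development, or a deployment where "Require authentication" was left off) would otherwise accept whatever a client put in the header, so absence is treated as anonymous rather than as "skip the check".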
