Securing Azure AD B2C API Connector (Function App) without Error
I was recently working with a customer who is using Azure AD B2C API Connector to enrich tokens with claims from external sources. They are using Azure Function App as the external source. As this setup demands, they exposed Azure Function App over public IP to work with B2C. But due to enterprise security restriction policy they must remove public endpoint from Function App and use private endpoints to VNET.
They thought of 2 options to expose the Function App securely over internet – using Azure API Management instance to a virtual network - external mode APIM in external mode or using Azure Application Gateway. But in both the cases B2C auth process errors out after adding the API Connector in the user flow:
Initially I investigated on the error messages collected at the B2C, and APIM or Azure Application Gateway end. But later realized the main source of problem lies somewhere else. It is the ASP.NET Core framework used in building the Function App.
We need to modify default FowardedHeaders middleware settings. Otherwise, it will ignore the X-Forwarded headers being sent by APIM or Application Gateway because it isn’t in the list of KnownProxies and KnownNetworks. Please see the following links to understand the concept better:
- Configure ASP.NET Core to work with proxy servers and load balancers | Microsoft Learn
- Using Azure Front Door with .NET Core • Jamie Phillips (phillipsj.net)
So, I did the following changes:
1. Added ASPNETCORE_FORWARDEDHEADERS_ENABLED application setting to my Function App Configuration:
2. Added a Startup.cs file in my function app code.
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection;
[assembly: FunctionsStartup(typeof(TestAPIFunctionApp.Startup))]
namespace TestAPIFunctionApp
{
public class Startup : FunctionsStartup
{
public override void Configure(IFunctionsHostBuilder builder)
{
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedHost;
options.KnownNetworks.Clear();
options.KnownProxies.Clear();
// Put your front door, application gateway, APIM, b2clogin FQDN here and any other hosts that will send headers you want respected
options.AllowedHosts = new List<string>() { "<yourfunctionappname>.azurewebsites.net", "<yourb2cservicename>.b2clogin.com", "<yourAPIMservicename>.azure-api.net”};
});
}
}
}
That solves our problem. We can now see the “augmented claims”:
Published on:
Learn moreRelated posts
Azure Information Protection: Enable multifactor authentication for your Azure tenant by October 1, 2025
Microsoft will enforce multifactor authentication (MFA) for all Azure resource management actions starting October 1, 2025, with a postponemen...
Azure Automation Custom Runtime Environments
A custom runtime environment is a way of defining a specific job execution environment for Azure Automation runbooks, including Microsoft Grap...
Dynamics 365 Customer Insights – Data – Export your data to Azure Data Lake Storage
We are announcing the general availability of the export to Azure Data Lake Storage (ADLS) feature in Dynamics 365 Customer Insights – Data on...
Dynamics 365 Business Central: Quickly find the Tenant ID, Azure AD Instance, and Tenant Scope from the domain (tenant) name without signing in
Hi, Readers.Today I would like to share another mini tip, how to quickly find the Tenant ID, Azure AD Instance, and Tenant Scope from the doma...
Starting Power BI deployment pipelines from Azure DevOps
Deployment pipelines in Power BI/ Microsoft Fabric have become crucial for managing and automating the deployment of Power BI content across e...
Video: Copilot Studio: Azure AI Search Complete Setup Guide
With Azure AI Search you can create a custom search engine of your company’s documents ... The post Video: Copilot Studio: Azure AI Search Com...
Microsoft Purview compliance portal: Endpoint Data Loss Prevention – Endpoint DLP support classification of Azure RMS protected Office documents
Endpoint DLP can now classify Office files stored in Windows devices that have Azure RMS protection applied. Classification will be triggered ...
Introducing Microsoft Azure Face Liveness
AI Builder – Use your own generative AI model from Azure AI Foundry in Prompt builder in Copilot Studio
We are announcing the ability to use your own generative AI model from Azure AI Foundry in prompt builder. This feature has reached general av...