
Securing Azure AD B2C API Connector (Function App) without Error


I was recently working with a customer who uses an Azure AD B2C API Connector to enrich tokens with claims from an external source, in their case an Azure Function App. Because B2C calls the API Connector over the public internet, they had exposed the Function App on a public IP. An enterprise security policy, however, required them to remove the public endpoint from the Function App and reach it only through private endpoints in their VNET.

 

They considered two options for exposing the Function App securely to the internet: an Azure API Management instance deployed in a virtual network in external mode, or an Azure Application Gateway. In both cases, however, the B2C authentication process errors out after the API Connector is added to the user flow:

 

[Picture1.png, 2.png: screenshots of the errors shown after the API Connector is added to the user flow]

 

Initially I investigated the error messages collected at the B2C end and at the APIM or Application Gateway end, but later realized the root cause lies elsewhere: in the ASP.NET Core framework used to build the Function App.

 

We need to modify the default ForwardedHeaders middleware settings. Otherwise the middleware ignores the X-Forwarded-* headers sent by APIM or Application Gateway, because the proxy is not in its KnownProxies or KnownNetworks lists (by default only the loopback address is trusted). See the ASP.NET Core documentation on the forwarded headers middleware to understand the concept better.


So, I did the following changes:

 

1. Added the ASPNETCORE_FORWARDEDHEADERS_ENABLED application setting (value true) to my Function App Configuration. This switches on the forwarded headers middleware in the ASP.NET Core host:

 

[Picture2.png: Function App Configuration showing the ASPNETCORE_FORWARDEDHEADERS_ENABLED application setting]

 

2. Added a Startup.cs file to my Function App code that configures ForwardedHeadersOptions:

 

using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection;

[assembly: FunctionsStartup(typeof(TestAPIFunctionApp.Startup))]

namespace TestAPIFunctionApp
{
    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.Configure<ForwardedHeadersOptions>(options =>
            {
                // Process the three headers APIM / Application Gateway set on the forwarded request.
                options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                         | ForwardedHeaders.XForwardedProto
                                         | ForwardedHeaders.XForwardedHost;

                // By default only loopback is trusted. Clearing both lists makes the middleware
                // accept X-Forwarded-* headers from any caller that can reach the Function App.
                options.KnownNetworks.Clear();
                options.KnownProxies.Clear();

                // Put your front door, application gateway, APIM, b2clogin FQDN here and any other
                // hosts that will send headers you want respected. X-Forwarded-Host values that are
                // not in this list are ignored by the middleware.
                options.AllowedHosts = new List<string>()
                {
                    "<yourfunctionappname>.azurewebsites.net",
                    "<yourb2cservicename>.b2clogin.com",
                    "<yourAPIMservicename>.azure-api.net"
                };
            });
        }
    }
}

 

That solves our problem. We can now see the “augmented claims”:

 

[Picture3.png: screenshot of the augmented claims returned by the user flow]
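A tighter variant of the same Startup.cs, added here as an example and not part of the original post: instead of clearing KnownNetworks and KnownProxies (which makes the middleware honour X-Forwarded-* headers from any caller that can reach the app), it registers only the subnet of the APIM or Application Gateway instance as a trusted proxy. The subnet 10.0.1.0/24 and the host names are placeholders you must replace with your own values.

```csharp
using System.Collections.Generic;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection;

[assembly: FunctionsStartup(typeof(TestAPIFunctionApp.Startup))]

namespace TestAPIFunctionApp
{
    public class Startup : FunctionsStartup
    {
        // Placeholder: the VNET subnet that hosts the APIM or Application Gateway instance
        // fronting the Function App. Replace with your own subnet prefix and length.
        private const string ProxySubnetPrefix = "10.0.1.0";
        private const int ProxySubnetPrefixLength = 24;

        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                         | ForwardedHeaders.XForwardedProto
                                         | ForwardedHeaders.XForwardedHost;

                // Keep the default lists (loopback only) and add just the proxy subnet.
                // Requests whose remote address is outside this subnet keep their original
                // scheme, host and client IP, so a direct caller cannot spoof them.
                options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                    IPAddress.Parse(ProxySubnetPrefix), ProxySubnetPrefixLength));

                // Exactly one proxy hop (APIM or Application Gateway) sits in front of the app,
                // so only the nearest X-Forwarded-For entry is processed (this is also the default).
                options.ForwardLimit = 1;

                // X-Forwarded-Host values not listed here are ignored. Placeholders as in the post.
                options.AllowedHosts = new List<string>()
                {
                    "<yourfunctionappname>.azurewebsites.net",
                    "<yourb2cservicename>.b2clogin.com",
                    "<yourAPIMservicename>.azure-api.net"
                };
            });
        }
    }
}
```

The ASPNETCORE_FORWARDEDHEADERS_ENABLED application setting from step 1 is still required, because it is what registers the middleware in the Functions host.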
