How to Test Azure Functions Protected with OAuth (EasyAuth)?

Azure Functions support authentication through:

  • Microsoft Entra ID (Azure AD)
  • Google / Facebook / GitHub
  • Custom OpenID providers

Below are the steps for Microsoft Entra ID (the most common case). If you are using another identity provider, let me know and I will tailor them.

🔐 STEP 1 — Register an App in Azure AD

You need a client/app registration to request tokens.

✔️ In Azure Portal:

  1. Go to Azure Active Directory
  2. Click App registrations → New registration
  3. Give a name (e.g., FunctionTestClient)
  4. Redirect URI (optional for Postman): Use: https://oauth.pstmn.io/v1/callback
  5. Save

Copy:

  • Tenant ID
  • Client ID
  • (If using Client Credentials) create a Client Secret

🔐 STEP 2 — Find the Resource / Audience (API URI)

Go to:

Function App → Authentication → Identity Provider → Edit

Copy the value of "Allowed Token Audiences"

It typically looks like:

api://<function-app-name>.azurewebsites.net

OR

https://<function-app-name>.azurewebsites.net

This is the resource / scope you'll request a token for.

🔐 STEP 3 — Request an OAuth Access Token

A) Using Postman

Create new request:

GET https://<yourfunc>.azurewebsites.net/api/<function-name>

Add Token:

  1. Go to Authorization tab
  2. Type: OAuth 2.0
  3. Click Get New Access Token
  4. Fill as:

Field             Value

Auth URL          https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize
Token URL         https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
Client ID         (your App Registration client ID)
Client Secret     (your secret)
Scope             api://<function-app-name>.azurewebsites.net/.default
Grant Type        Authorization Code OR Client Credentials

Click Get Token → Use Token

Then send the API request.

🔐 STEP 4 — Add Bearer Token in Header

If you are adding the token manually, set this header:

Authorization: Bearer <your_access_token>

Then call:

GET https://<functionapp>.azurewebsites.net/api/<function>

You should now get 200 OK instead of 401.

🔍 STEP 5 — Testing with Azure CLI

You can request a token using CLI:

az account get-access-token \
  --resource api://<function-app-name>.azurewebsites.net

This prints JSON that includes the token:

{
 "accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..."
}

Then call:

curl -H "Authorization: Bearer <token>" \
    https://<function>.azurewebsites.net/api/<function>

🔧 STEP 6 — If You Still Get 401

Check:

✔️ Allowed audience mismatch

The token's aud claim must match the Function App's “Allowed Token Audiences”.

✔️ Access token must come from the v2.0 endpoint

Use /oauth2/v2.0/authorize and /oauth2/v2.0/token.

✔️ Client app must have API permissions

Go to:

Azure AD → App Registration → API Permissions → Add permission → My APIs

Select your function app → .default

✔️ If using Managed Identity

Enable:

Function App → Identity → System Assigned = On

Then request token from code:

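using Azure.Core;
using Azure.Identity;

// DefaultAzureCredential uses the managed identity when running in Azure
var tokenCredential = new DefaultAzureCredential();
var token = await tokenCredential.GetTokenAsync(
    new TokenRequestContext(
        new[] { "api://<function-app-name>.azurewebsites.net/.default" }
    )
);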
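
A small diagnostic for the first two checks in Step 6, added here as an example and not part of the original post: it decodes the access token's claims (without verifying the signature) and reports an aud mismatch or a non-2.0 ver claim, plus an expired token as one extra check. The function names and the contoso-func app name are hypothetical, and the sample token is constructed.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified:
    this is for diagnosis only, EasyAuth still does the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, allowed_audiences, now=None):
    """List which of the Step 6 checks (plus expiry) this token fails."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in allowed_audiences:
        problems.append(f"aud {claims.get('aud')!r} is not in Allowed Token Audiences")
    if claims.get("ver") != "2.0":
        problems.append(f"ver is {claims.get('ver')!r}, expected '2.0'")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def constructed_token(claims):
    """Build an unsigned sample token (constructed data, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}.sig"


if __name__ == "__main__":
    allowed = ["api://contoso-func.azurewebsites.net"]  # hypothetical app name
    sample = constructed_token({
        "aud": "https://contoso-func.azurewebsites.net",  # https:// form, not api://
        "ver": "1.0",
        "exp": 1_700_000_000,
    })
    for line in diagnose(sample, allowed, now=1_600_000_000):
        print("401 cause:", line)
```

To check a real token, pass the accessToken value from Step 5 and the audiences copied in Step 2 to diagnose().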
