Azure Function Authentication: Azure Active Directory: Use Security Group to include identities (users and service principals) to access Function

Question

I have an Azure Function with Azure Active Directory authentication enabled (including "Action to take when request is not authenticated" = "Log in with Azure Active Directory"). Additionally the option "User assignment required?" of the Azure Function related service principal (sp_func) is set to "Yes" to avoid everybody in the tenant being able to in the end run the function.

The goal is to have a single security group (that can include users as well as service principals) that is added to "Users and groups" of sp_func so that the assignment to the group decides if the function can be accessed or not. With users this works fine but not with service principals (sp_nonfunc). For them (sp_nonfunc) to work I have to set the permissions for them (sp_nonfunc) what in the end allows them to interact with the Azure Function no matter if they (sp_nonfunc) are assigned to the group or not.

Is it possible that I can just add a service principal (sp_nonfunc) to a group with the group being added to sp_func and then be able to execute the Function by using sp_nonfunc (without giving explicit permissions to sp_nonfunc)?

EDIT: it also does not seem to be possible to add sp_nonfunc to sp_func directly even if I defined an own appRole in the Manifest. The only way currently seems to be to add permissions on sp_nonfunc for sp_func - but that is what I want to avoid.

EDIT2: here how I have defined the role in the sp_func manifest

"appRoles": [
    {
        "allowedMemberTypes": [
            "Application"
        ],
        "displayName": "AzureFunctionAccess",
        "id": "xxx-xxx-xxx-xxx-xxx",
        "isEnabled": true,
        "description": "Access Azure Function.",
        "value": "AzureFunctionAccess"
    }
]

EDIT3: when I don't assign a role directly to sp_nonfunc but just add sp_nonfunc to the security group I get, when making a request to https://login.microsoftonline.com/<tenant id>/oauth2/token with resource = Application ID URI of the registered app of sp_func:

{
    "error": "invalid_grant",
    "error_description": "AADSTS501051: Application 'xxx-xxx-xx-xx-xx'(xxx) is not assigned to a role for the application 'https://xxx'(xxx).\r\nTrace ID: xxx-xxx-xx-xx-xx\r\nCorrelation ID: xxx-xxx-xx-xx-xx\r\nTimestamp: xx-xx-xx xx:xx:xxZ",
    "error_codes": [
        501051
    ],
    "timestamp": "xx-xx-xx xx:xx:xxZ",
    "trace_id": "5xxx-xxx-xx-xx-xx",
    "correlation_id": "xxx-xxx-xx-xx-xx",
    "error_uri": "https://login.microsoftonline.com/error?code=501051"
}

Answer 1

This way will not work, to use a service principal(in your case, the sp_nonfunc) get the token for the function app(sp_func), you need to give the API permission for the sp_nonfunc.

Navigate to the App Registration related to the sp_nonfunc in the portal -> API permissions -> add the AzureFunctionAccess you defined, at last click the Grant admin consent for xxx button.

Then get the token with the client credential flow, it will work fine. (I use the v2.0 endpoint, if you use the v1.0, it will also work.)

For more details about the steps, I wrote in this post before, you could refer to it.