I am very new to working with Azure Entra Id.
I have an Azure Function app containing HTTP-triggered functions. I need to protect the function app with Entra ID and access it from a client app in non-interactive mode (client credentials flow).
I have created an App registration in Entra ID and am using it to enable the Function App Authentication. I have exposed an API from the registered app. I got all the details like ClientId, Client Secret, Object Id, Scopes, Auth endpoint, and Token endpoint.
With all these, I am easily able to get the access token using Postman with the Client Credentials Flow and access the Functions.
Now my doubt is: I have created only one app registration and, in the Function app Authentication, hooked that App registration. I have not created any separate App registration for the client app. But everywhere, including the MS documentation, I see we need to create two different App registrations for the client credentials flow, one for the function app and another for the client app. I am not understanding what the reason is to create two different app registrations. What is the point I am missing here?
Note that if you want to protect the client application, then you must create two Azure AD applications. This ensures more security and helps to prevent unauthorized access to your resources.
I created an Azure AD Function app like below:
In the Azure AD application, I added API permissions (created only one app):
Generated access token via Postman:
Using the above access token, I am able to access the function API:
GET https://testrukfunctapp1.azurewebsites.net/api/HttpTrigger1
x-functions-key : FunctionURLCodeValue
Content-Type : application/json
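To make the distinction between the two registrations concrete, here is an added example (not code from the question or the answer; all identifiers are placeholders) of the claim checks a protected API performs on a client-credentials token: `aud` names the Function app's registration, while `azp`/`appid` names the calling app's registration, which is only a separately allow-listable identity when the client has its own registration.

```python
import base64
import json

# Placeholder identifiers (constructed for this example, not from the page).
TENANT_ID = "00000000-0000-0000-0000-000000000001"
API_APP_ID = "11111111-1111-1111-1111-111111111111"     # Function app registration (the resource)
CLIENT_APP_ID = "22222222-2222-2222-2222-222222222222"  # separate client app registration (the caller)


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the claims segment of a JWT. This does not verify the
    signature; a real API validates it against the tenant's signing keys first."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    padded = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_client_credentials_claims(claims: dict, allowed_clients: set) -> tuple:
    """Decide whether already-verified claims belong to an allowed app-only caller.

    The token must be issued for this API (aud) by this tenant (tid), and the
    caller (azp/appid) must be in the allow-list. With a single registration the
    caller id equals the API id, so an allow-list cannot distinguish callers.
    """
    if claims.get("aud") not in (API_APP_ID, f"api://{API_APP_ID}"):
        return False, "token was issued for a different resource"
    if claims.get("tid") != TENANT_ID:
        return False, "token was issued by a different tenant"
    caller = claims.get("azp") or claims.get("appid")
    if caller not in allowed_clients:
        return False, f"caller {caller} is not an allowed client application"
    if "scp" in claims:  # client-credentials tokens carry app roles, not delegated scopes
        return False, "delegated (user) token where an app-only token was expected"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

In App Service / Functions authentication, the equivalent allow-list is the identity provider's "Allowed client applications" setting, which only has something to match against when the client is its own registration.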