Reputation: 1677
In Power BI we get this error when trying to make a web connection:
"We couldn't authenticate with the credentials provided. Please try again"
The Azure Function App is registered in our AAD. The function is a C# HTTP trigger with this code:

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
    // Read the claims of the caller as authenticated by the AAD layer in front of the function
    ClaimsIdentity userClaimsId = ClaimsPrincipal.Current.Identity as ClaimsIdentity;

    // UPN claims matched by the full ClaimTypes.Upn URI
    var upnClaimsByUri = userClaimsId.FindAll(ClaimTypes.Upn);
    // Group membership claims
    var groups = userClaimsId.Claims.Where(x => x.Type.Equals("groups")).ToList();
    // Every claim on the identity
    var allClaims = userClaimsId.Claims.ToList();
    // UPN claims matched by the short claim name "upn"
    var upnClaims = userClaimsId.Claims.Where(x => x.Type.Equals("upn")).ToList();

    // Only the group claims are returned to the caller
    return req.CreateResponse(HttpStatusCode.OK, groups);
}
```
We are attempting to connect from Power BI Desktop via the Get Data > Web option using an organizational account in our same AAD. When we call the function from a browser it prompts for login and seems to return data.
Upvotes: 7
Views: 2262
Reputation: 2083
The token that Power BI Desktop obtains from AAD when you sign in with an organizational account is for the https://yourfunction.azurewebsites.net audience. But when you configure AAD authentication for your Azure Function App, by default the audience configured is https://yourfunction.azurewebsites.net/.auth/login/aad/callback. That's why you receive an access denied.
So you can go to the AAD authentication settings of your Azure Function App, click AAD > Advanced > and enter the new allowed token audience there (see below, marked in red). Make sure to click OK, and to save the changes.
Upvotes: 8
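The audience mismatch described in the answer above can be checked locally; this is an added example, not part of the original posts. It decodes a token's payload without verifying the signature (diagnostics only) and assumes the service compares `aud` by exact string match; the helper names and the sample token are constructed.

```python
import base64
import json

# Values taken from the answer above (placeholder host name).
SITE = "https://yourfunction.azurewebsites.net"
DEFAULT_AUDIENCE = SITE + "/.auth/login/aad/callback"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(aud):
    """Build a constructed, unsigned stand-in for the token Power BI would send."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "upn": "user@example.com"}).encode())
    return header + "." + payload + ".constructed-signature-placeholder"


def jwt_claims(token):
    """Decode the payload of a compact JWT. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_allowed(token, allowed_audiences):
    """True if any 'aud' value is in the allowed list (exact match, assumed)."""
    aud = jwt_claims(token).get("aud")
    values = [aud] if isinstance(aud, str) else list(aud or [])
    return any(v in allowed_audiences for v in values)


if __name__ == "__main__":
    token = make_sample_token(SITE)
    print("aud claim:", jwt_claims(token)["aud"])
    # Default configuration: only the callback URL is an accepted audience.
    print("default config accepts:", audience_allowed(token, [DEFAULT_AUDIENCE]))
    # After adding the site root as an allowed token audience.
    print("fixed config accepts:", audience_allowed(token, [DEFAULT_AUDIENCE, SITE]))
```

To inspect a real token, pass it to `jwt_claims` and compare the printed `aud` value with the allowed token audiences configured on the Function App.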