Overview
Warewolf Lightweight Execution runs as an Azure Functions v4 isolated worker app. Access to its secured HTTP endpoints (/Secure/*, /Services/*) is protected by Microsoft Entra ID combined with App Service Easy Auth (V2).
To make configuring this straightforward, Warewolf Lightweight Execution ships with a provisioning script:
Configure-WwExecutionAuth.ps1 (in the Scripts/ folder)
This script is the single source of truth for everything the function app needs at the Azure / Entra control plane. It walks you through the entire authentication setup — creating the Entra app registration, app roles, a service principal, user assignments, the client secret, the required app settings, and the Easy Auth provider — and then verifies they all line up. It is idempotent: safe to run repeatedly against a brand-new or an already-configured app; nothing it does is destructive.
Prerequisites
- Azure CLI ≥ 2.55 (must support `az ad app update --enable-id-token-issuance` and `az webapp auth microsoft update`)
- The target Function App must already exist in Azure
- The caller must have:
  - `Application.Administrator` (or `Application.ReadWrite.All`) in the Entra tenant
  - `Contributor` on the Function App
- You must be signed in: run `az login` first
Running the script
From the Scripts/ folder:
```powershell
az login
./Configure-WwExecutionAuth.ps1
```
By default the script runs interactively. It prompts for each required value (press Enter to keep a [bracketed] default, or type a value to override), then prints a full configuration summary and asks you to confirm before any change is made to Azure.
You will be prompted for:
| Value | Description |
|---|---|
| SubscriptionId | Azure subscription GUID |
| TenantId | Microsoft Entra tenant GUID |
| ResourceGroupName | The resource group containing the function app |
| FunctionAppName | The existing function app |
| EntraAppDisplayName | Entra app registration name (defaults to <FunctionAppName>-auth) |
| SecretLifetimeYears | Client secret validity, 1–2 years (default 1) |
| SecureConfigMountPath | Path used by WAREWOLF_SECURE_CONFIG |
| UserAssignments | Map of user UPNs → groups |
You can also pass any of these as parameters to skip the matching prompt, e.g.:
```powershell
./Configure-WwExecutionAuth.ps1 `
    -SubscriptionId <guid> -TenantId <guid> `
    -ResourceGroupName <rg> -FunctionAppName <app>
```
What the script provisions
The script runs through twelve stages:
| Stage | Action |
|---|---|
| 0 | Pre-flight — verify subscription, az CLI version, and that the function app exists |
| 1 | Entra app — create or upgrade the app registration |
| 2 | ID token — enable implicit-grant ID tokens (fixes AADSTS700054) |
| 3 | Expose API — set identifierUris to api://<clientId> |
| 3b | Expose scope — add the user_impersonation scope (fixes AADSTS650057) |
| 4 | App roles — create groups and Permission.* roles |
| 5 | Service principal — create the SP if missing |
| 6 | Assignments — assign users to roles (skip-if-exists) |
| 7 | Secret — create or rotate the client secret |
| 8 | App settings — write tenant id, audience, secure-config path, and secret |
| 9 | Easy Auth — migrate to Auth V2 if needed, then enable the Microsoft provider |
| 10 | Verify — cross-check the Entra app, app settings, and Easy Auth all agree |
| 11 | Smoke test — optional public + secure-401 HTTP probe |
Useful options
```powershell
# Preview the full plan without changing anything (CI-safe)
./Configure-WwExecutionAuth.ps1 -DryRun          # alias for -WhatIfOnly

# Force a fresh client secret even if a valid one exists
./Configure-WwExecutionAuth.ps1 -RotateSecret

# Set secret lifetime (1–2 years) and force rotation
./Configure-WwExecutionAuth.ps1 -SecretLifetimeYears 2 -RotateSecret

# Skip user→role assignment (e.g. limited Graph permissions)
./Configure-WwExecutionAuth.ps1 -SkipUserAssignment

# Skip the HTTP probe (recommended on a freshly-created, not-yet-deployed app)
./Configure-WwExecutionAuth.ps1 -SkipSmokeTest

# Prefer Managed Identity over extra secret rotations (production tenants)
./Configure-WwExecutionAuth.ps1 -UseManagedIdentity

# Run with no prompts (CI/CD) — all required values must be supplied
./Configure-WwExecutionAuth.ps1 -NonInteractive -SubscriptionId ... -TenantId ...
```
Tip: Always start with -DryRun to review the resolved plan before committing changes to Azure.
After running
- The resolved configuration is written to `Configure-WwExecutionAuth.output.json` in the `Scripts/` folder.
- Easy Auth looks up the client secret via the app setting named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`.
- Secured routes (`/Secure/*`) will now return 401 to unauthenticated callers; public routes (`/Public/*`) remain anonymous.
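The following is an added example, not part of Configure-WwExecutionAuth.ps1 or its output: an independent re-check of what Stages 8 to 11 are expected to leave behind, readable from the control plane without the script's own state. It assumes PowerShell 7+, a signed-in Azure CLI, the default `<app>.azurewebsites.net` hostname, the authsettingsV2 `azureActiveDirectory` shape returned by `az webapp auth microsoft show`, and placeholder route names for the probe.

```powershell
# Added example (not the project's code): re-verify Entra app, app settings, Easy Auth and the 401 behaviour.
# Assumptions: PowerShell 7+, signed-in Azure CLI, default azurewebsites.net hostname, placeholder probe routes.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $FunctionAppName,
    [string] $PublicProbe = '/Public/health',   # placeholder: any anonymous route in your app
    [string] $SecureProbe = '/Secure/ping'      # placeholder: any route under /Secure/
)
$ErrorActionPreference = 'Stop'
$failures = [System.Collections.Generic.List[string]]::new()

# Easy Auth V2 Microsoft provider: which client id it trusts and which app setting holds the secret
$ms = az webapp auth microsoft show --name $FunctionAppName --resource-group $ResourceGroupName | ConvertFrom-Json
$clientId = $ms.registration.clientId
$secretSettingName = $ms.registration.clientSecretSettingName

# App settings written by Stage 8; Easy Auth must find the secret under the name it references
$settings = az functionapp config appsettings list --name $FunctionAppName --resource-group $ResourceGroupName |
    ConvertFrom-Json
if ($secretSettingName -ne 'MICROSOFT_PROVIDER_AUTHENTICATION_SECRET') {
    $failures.Add("Easy Auth references '$secretSettingName', expected MICROSOFT_PROVIDER_AUTHENTICATION_SECRET")
}
if ($settings.name -notcontains $secretSettingName) { $failures.Add("App setting '$secretSettingName' is missing") }

# Entra app registration: Stage 2 (ID tokens), Stage 3 (identifierUris) and Stage 3b (scope) must match
$app = az ad app show --id $clientId | ConvertFrom-Json
if (-not $app.web.implicitGrantSettings.enableIdTokenIssuance) {
    $failures.Add('ID-token issuance is disabled (AADSTS700054 risk)')
}
if ($app.identifierUris -notcontains "api://$clientId") { $failures.Add("identifierUris lacks api://$clientId") }
if ($app.api.oauth2PermissionScopes.value -notcontains 'user_impersonation') {
    $failures.Add('user_impersonation scope is missing (AADSTS650057 risk)')
}

# Smoke test: the public route stays anonymous, the secure route rejects unauthenticated callers with 401
$base = "https://$FunctionAppName.azurewebsites.net"
$pub = Invoke-WebRequest -Uri "$base$PublicProbe" -SkipHttpErrorCheck
$sec = Invoke-WebRequest -Uri "$base$SecureProbe" -SkipHttpErrorCheck
if ($pub.StatusCode -ne 200) { $failures.Add("Public probe returned $($pub.StatusCode), expected 200") }
if ($sec.StatusCode -ne 401) { $failures.Add("Secure probe returned $($sec.StatusCode), expected 401") }

if ($failures.Count) { $failures | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
Write-Host 'OK: Entra app, app settings and Easy Auth agree; secure routes return 401'
```

Run it from any machine with control-plane access; on a freshly created app that is not yet deployed, expect only the two probe checks to fail, just as the script's own Stage 11 would.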
Troubleshooting
| Symptom | Cause / Fix |
|---|---|
| AADSTS700054 | ID-token issuance not enabled — re-run (Stage 2 fixes this) |
| AADSTS650057 | Missing user_impersonation scope — re-run (Stage 3b fixes this) |
| Smoke test fails on a new app | The app isn’t deployed/reachable yet — re-run with -SkipSmokeTest |
| <value> is still a placeholder in -NonInteractive | A required value wasn’t supplied — pass it on the command line or run interactively |