I have an Azure Functions application (API), which consists of HTTP-triggered functions.
Also, I have Azure Active Directory B2C tenant and signup/signin policy, which I use for user identities.

I planned following flow for working with API:

1. User registers/authenticates in a web application using ADB2C + MSAL
2. User makes requests to my API, passing access_token value from the authentication to Authorization header
3. Azure automatically processes token, extracts user data, and makes it available in request.user field inside my function.

My API function code:

const { app } = require("@azure/functions");

app.http("HelloWorld", {
  methods: ["GET", "POST"],
  authLevel: "anonymous",
  handler: async (request, context) => {
    context.log(`Http function processed request for url "${request.url}"`);

    // Debug
    context.log(request.user);

    const name = request.query.get("name") || (await request.text()) || "world";
    const user = request.user ? JSON.stringify(user) : null;

    return { body: `Hello, ${name}! User data: ${user}` };
  },
});

I tried to enable auth from Azure Functions -> My App -> Preferences -> Authentication settings.

It created a new App Registration in ADB2C.
However this app registration has following notification:

“You can use this application to authenticate against Microsoft Entra ID, but not Azure AD B2C.”

Also, token acquired from this app registration did not authorize my requests to function.

But there was interesting moment:

I could reach functions app url, which got me through auth flow (which looked like standard MS auth, not my policy), then redirected to page saying Your Functions 4.0 app is up and running.

I’ve tried to perform HTTP request from this page using developer console, and it worked.
I’ve checked the request info in Network tab and discovered that my request was authorized by Cookie AppServiceAuthSession.

I also tried different approach.

I’ve created App Registration manually, attached it to function app, set jwt.ms as a redirect path, acquired token this way, but when trying to authenticate my request with this token, it didn’t work.

I also tried accessing Function App url, it went me through auth process, but after entering creds it redirected my to https://<my-app-url>/.auth/login/aad/callback with message:

You do not have permission to view this directory or page.

Third approach was a hacky: I tried to use automatically created app registration, but with issuer URL from App Registration I’ve created manually. I got following error after trying to authenticate:
The provided application with ID 'APP_ID' is not valid against this service. Please use an application created via the B2C portal and try again.

It makes me think that this functionality is incompatible with ADB2C and I need to write a middleware to do the job. But a confirmation from experienced Azure users or team members would be highly appreciated.

While trying to make it work I used following articles as a reference:

Elio Struyf: Securing your Azure Functions with an existing Azure AD app

Arjen van Benten: How to secure Azure Functions with Azure B2C

And Azure Docs.

I tried both headers: Authorization: Bearer %access_token% and Authorization: %access_token%.

—
Questions:

0. Is my logic correct about how it should work?

1. Is it possible to authenticate requests with Authorization token, or it can be made by using cookies only?

2. Should I use Microsoft Entra ID or Microsoft Entra External ID instead of ADB2C?