Configure your App Service or Azure Functions app to use Entra ID login. Use the standard request header X-MS-TOKEN-AAD-ACCESS-TOKEN to retrieve the access token from the incoming request.
Simply switch on the Microsoft Entra ID option for your App Service in the AZD config using the variable useEntraIDAuthentication.
Note
Mind the differences between web app auth config versions. You can check yours with
az webapp auth config-version show --name <app-name> --resource-group <rg name>
The default is v1. The switch mentioned above activates v2 during the Bicep deployment, and the latest Entra ID authentication requires v2. Note that adding an authentication provider through the Azure portal also creates a v2 configuration. Learn more about upgrading from v1 to v2.
Consider SAP Principal Propagation for your authentication scenario, handled by Azure API Management (APIM). Activate the useAPIM flag to inject the OData API into Azure API Management and pre-authorize its exposed scopes for the Azure web app.
People have routines and therefore tend to create clusters of logins at similar times. SAP's OAuth server can become a bottleneck during such periods. We recommend adjusting the default token lifetimes on the SAP OAuth server and implementing a random back-off delay parameter. That parameter ensures that your cached user tokens don't all expire at the same time even though your users tend to log in in waves (Monday morning, for instance). The provided APIM policy supports that approach. The example below illustrates the process:
Of course, on the very first day of your implementation, when no tokens are cached yet, you are still in trouble ;-) It is recommended to rely on an APIM throttling policy in such cases. You will likely need to experiment a bit with the parameters to find your individual optimal fit.
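To make the jittered cache lifetime and the cold-cache throttling concrete, here is an added APIM inbound policy sketch written for this page; it is not the repository's own policy. It assumes an earlier validate-jwt step stored the caller's object id in the variable userId, and that the named values sap-oauth-token-url, sap-token-lifetime-seconds, sap-token-backoff-max-seconds and sap-token-requests-per-minute exist (the last three as integer seconds or counts).

```xml
<inbound>
    <base />
    <!-- Assumed: a preceding validate-jwt on the Entra ID token put the user's object id in "userId".
         Keying the cache per user ensures one user's SAP token is never replayed for another. -->
    <set-variable name="cacheKey" value="@("sap-token-" + (string)context.Variables["userId"])" />
    <cache-lookup-value key="@((string)context.Variables["cacheKey"])" variable-name="sapToken" />
    <choose>
        <when condition="@(!context.Variables.ContainsKey("sapToken"))">
            <!-- Cache miss (first login, or the jittered lifetime ran out): cap the number of token
                 requests that reach the SAP OAuth server across all users while the cache is cold. -->
            <rate-limit-by-key calls="{{sap-token-requests-per-minute}}" renewal-period="60" counter-key="@("sap-token-fetch")" />
            <send-request mode="new" response-variable-name="sapTokenResponse" timeout="20" ignore-error="false">
                <set-url>{{sap-oauth-token-url}}</set-url>
                <set-method>POST</set-method>
                <!-- Headers and body of the token request depend on the grant used for principal
                     propagation and are deliberately not shown in this sketch. -->
            </send-request>
            <set-variable name="sapToken" value="@(((IResponse)context.Variables["sapTokenResponse"]).Body.As<JObject>()["access_token"].ToString())" />
            <!-- Cache for the SAP token lifetime minus a 60 s safety margin minus a random back-off,
                 so tokens minted in the same login wave fall out of the cache at different times. -->
            <cache-store-value key="@((string)context.Variables["cacheKey"])"
                               value="@((string)context.Variables["sapToken"])"
                               duration="@({{sap-token-lifetime-seconds}} - 60 - new Random().Next(0, {{sap-token-backoff-max-seconds}}))" />
        </when>
    </choose>
    <!-- Forward the (cached or fresh) SAP token to the OData backend -->
    <set-header name="Authorization" exists-action="override">
        <value>@("Bearer " + (string)context.Variables["sapToken"])</value>
    </set-header>
</inbound>
```

Keep sap-token-backoff-max-seconds well below sap-token-lifetime-seconds minus the margin, otherwise the computed duration can go to zero and every call becomes a cache miss.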
SAP OData services are usually protected by CSRF tokens.
Consider our SAP-specific APIM policy, which inspects HTTP calls for CSRF tokens, to ease the burden on your client apps.
If you are using APIM to handle your tokens, you should consider implementing a logout endpoint that purges the tokens for an individual client from the cache. See the Microsoft docs on cache maintenance for more details.