- last edited on
03-13-2018 12:45 PM
I'll answer this myself!
I had an Azure Function running in a Consumption plan in Tenant B, with this plan I cannot really identify the source IP Address of the function when it is designed to call into Tenant A and so I cannot configure a Tenant A Conditional Access Policy to allow this function "in" (unless I allow ALL IP Addresses from the Azure Data Centre the function is running in).
I then created an Azure Function running in an App Service Plan, with this plan I *can* identify the source IP Address of the function, and so I can register this source IP Address on the Tenant A Conditional Access Policy.
Some other investigations that tripped me up as I was trying to understand all of this connectivity and access controls. The function I was testing was a simple PowerShell script that ran the PnP commands.
Connect-PnPOnline -Credentials $userCredential -Url "https://<tenantA>.sharepoint.com"
This powershell ALWAYS succeeded, even under the Consumption plan and I couldn't understand why. The reason is that using the -Credentials parameter the commandlet uses the Legacy Authentication and not Modern Authentication, and so my Azure Conditional Access Policy never kicked in. I tweaked the Powershell to use the following:
Connect-MicrosoftTeams -Credential $userCredential