Trying to wrap my head around the "best" way to authenticate some internal tooling for our organization that integrates nicely with all the Microsoft 365 resources. I'd like to be able to transparently utilize our existing Azure AD to authenticate these client-side interfaces (Teams apps, SharePoint web parts, generic web apps/desktop apps, etc.) when they call the back-end web APIs that will exist.
I'm trying to stay fairly low cost, as these are going to mostly be tiny apps, e.g. some mild automations and information surfacing. Right now I am looking at using Azure Functions + a storage account using the Table storage API + API Management to do auth for the API. The auth problem of Functions seems to be a fair bit more complicated, even with API Management included, as the functions seem to be "accessible" by just going to them directly, circumventing the management layer.
Does this make sense for some pretty small almost "toy" applications for now?
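The concern in the post, that a Function can be reached directly and so never passes through API Management, is usually answered by having the Function validate the Azure AD (Entra ID) bearer token itself, whatever sits in front of it. The example below is an added illustration, not code from the original post or from any answer to it; it shows the claim checks an HTTP-triggered Function written in Python would run before doing any work. It assumes made-up tenant and application ids, a required scope/app role named `access_as_user`, and that RS256 signature verification against the tenant's JWKS is done by a library such as PyJWT's `PyJWKClient` and passed in as the `verified_payload` hook; `decode_unverified_payload` is only a stand-in for that hook so the example runs offline and must not be used in the deployed function.

```python
"""Claim checks an Azure Functions HTTP trigger should do itself on an
Entra ID (Azure AD) bearer token, so the function stays safe even when a
caller bypasses API Management and hits it directly.

Added example, not from the original post. Signature verification against the
tenant's JWKS is assumed to be done by a library (for example PyJWT's
PyJWKClient + jwt.decode) and supplied as the `verified_payload` hook.
Tenant and app ids below are made-up placeholders (assumptions).
"""
import base64
import json
import time
from typing import Callable, Dict, Tuple

# Made-up tenant and app ids for the example (assumptions, not real values).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_APP_ID = "66666666-7777-8888-9999-000000000000"
ACCEPTED_ISSUERS = {
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",  # v2.0 endpoint
    f"https://sts.windows.net/{TENANT_ID}/",                 # v1.0 endpoint
}
ACCEPTED_AUDIENCES = {API_APP_ID, f"api://{API_APP_ID}"}
REQUIRED_PERMISSION = "access_as_user"   # scope (user) or app role (daemon)
CLOCK_SKEW_SECONDS = 60


class AuthError(Exception):
    """Token must be rejected. The message is for logs, not for the caller."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified_payload(token: str) -> Dict:
    """Decode the payload of a compact JWT WITHOUT checking its signature.

    Stand-in for the verification hook so the example runs offline. In the
    function app, replace it with a JWKS-backed verifier that raises when the
    RS256 signature is bad; never wire this function into a deployed app."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def validate_entra_claims(token: str, verified_payload: Callable[[str], Dict],
                          now: float = None) -> Dict:
    """Return the claims of an acceptable token, or raise AuthError."""
    claims = verified_payload(token)
    now = time.time() if now is None else now
    # Issued by our tenant: any Entra tenant can mint a well-signed token.
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        raise AuthError("issuer not accepted")
    # Intended for this API: a valid token for Graph or another app in the
    # tenant must not unlock this one (audience confusion).
    if claims.get("aud") not in ACCEPTED_AUDIENCES:
        raise AuthError("audience mismatch")
    # Validity window with a small allowance for clock skew.
    if claims.get("exp", 0) + CLOCK_SKEW_SECONDS < now:
        raise AuthError("token expired")
    if claims.get("nbf", 0) - CLOCK_SKEW_SECONDS > now:
        raise AuthError("token not yet valid")
    # Authorization: delegated tokens carry `scp` (space separated),
    # app-only tokens carry `roles` (a list). Require one or the other.
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if REQUIRED_PERMISSION not in scopes | roles:
        raise AuthError("missing scope or app role")
    return claims


def check_request(headers: Dict[str, str], verified_payload: Callable[[str], Dict],
                  now: float = None) -> Tuple[bool, object]:
    """First thing the HTTP trigger does: (True, claims) or (False, reason)."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, "no bearer token"
    try:
        return True, validate_entra_claims(token.strip(), verified_payload, now)
    except AuthError as err:
        return False, str(err)


def make_test_token(claims: Dict) -> str:
    """Constructed input only: a compact JWT with a dummy signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{enc('not-a-real-signature')}"


if __name__ == "__main__":
    issuer = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
    ours = make_test_token({"iss": issuer, "aud": API_APP_ID, "exp": 2000,
                            "nbf": 900, "scp": "access_as_user profile"})
    graph = make_test_token({"iss": issuer, "aud": "https://graph.microsoft.com",
                             "exp": 2000, "scp": "User.Read"})
    for name, tok in [("token for our API", ours), ("Graph token replayed", graph)]:
        print(name, check_request({"Authorization": f"Bearer {tok}"},
                                  decode_unverified_payload, now=1000))
```

Putting these checks in the Function means API Management becomes a convenience (rate limiting, a nicer hostname) rather than the only gate; the usual complements are a function-level key or network restriction so the Function's own hostname is not anonymously reachable, but neither replaces validating the token where the work is done.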