Azure Service Bus is a powerful messaging solution with a lot of applications for us to deploy!
Let's explore how we can integrate Service Bus with MS Graph and import our users into Entra ID with lightning fast speed!
Part 1 : The Terraform files
What we need:
- An Azure Subscription
- VSCode or your favorite editor
- Terraform
- Docker
- Let’s Encrypt Certificate
First things first, create a Service Principal so Terraform can authenticate to Azure
az ad sp create-for-rbac --n tform --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000
We are going to need :
- providers.tf
- variables.tf
- terraform.tfvars
- main.tf
providers.tf
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.48.0"
}
}
}
provider "azurerm" {
features {
key_vault {
purge_soft_delete_on_destroy = true
recover_soft_deleted_key_vaults = true
}
}
subscription_id = var.azure_subidid
tenant_id = var.azure_tenantid
client_id = var.azure_clientid
client_secret = var.azure_spsecret
}
variables.tf
variable "azure_spsecret" {
description = "SP"
type = string
sensitive = true
}
variable "azure_clientid" {
description = "AppID"
type = string
}
variable "azure_subid" {
description = "SubscriptionID"
type = string
}
variable "azure_tenantid" {
description = "TenantID"
type = string
}
variable "azure_user" {
description = "Azure Portal User"
type = "string"
}
terraform.tfvars
#Azure SP Secret
azure_spsecret = "xxxxx"
#Azure ClientID
azure_clientid = "xxxxxx-xxxx"
#Azure SubsctiptionID
azure_subid = "xxxxxxxxxx-xxx"
#Azure TenantID
azure_tenantid = "xxxxx-xxxxx"
#Azure User
azure_user = "xxx-xxx-xxx"
main.tf
resource "azurerm_resource_group" "rgroup" {
name = "rg-app"
location = "West Europe"
}
resource "random_string" "str-name" {
length = 5
upper = false
numeric = false
lower = true
special = false
}
resource "azurerm_storage_account" "storage" {
name = "st${random_string.str-name.result}01"
resource_group_name = azurerm_resource_group.rgroup.name
location = azurerm_resource_group.rgroup.location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_log_analytics_workspace" "logs" {
name = "Logskp"
location = azurerm_resource_group.rgroup.location
resource_group_name = azurerm_resource_group.rgroup.name
sku = "PerGB2018"
retention_in_days = 30
}
resource "azurerm_application_insights" "appinsights" {
name = "funcinsights"
location = azurerm_resource_group.rgroup.location
resource_group_name = azurerm_resource_group.rgroup.name
workspace_id = azurerm_log_analytics_workspace.logs.id
application_type = "Node.JS"
}
output "instrumentation_key" {
value = azurerm_application_insights.appinsights.instrumentation_key
sensitive = true
}
output "connection_string" {
value = azurerm_application_insights.appinsights.connection_string
sensitive = true
}
resource "azurerm_service_plan" "appsrv" {
name = "aplan-${random_string.str-name.result}"
location = azurerm_resource_group.rgroup.location
resource_group_name = azurerm_resource_group.rgroup.name
os_type = "Linux"
sku_name = "B1"
}
resource "azurerm_linux_function_app" "funcapp" {
name = "fnc${random_string.str-name.result}"
location = azurerm_resource_group.rgroup.location
resource_group_name = azurerm_resource_group.rgroup.name
service_plan_id = azurerm_service_plan.appsrv.id
storage_account_name = azurerm_storage_account.storage.name
storage_account_access_key = azurerm_storage_account.storage.primary_access_key
functions_extension_version = "~4"
app_settings = {
"WEBSITE_RUN_FROM_PACKAGE" = "1"
"FUNCTIONS_WORKER_RUNTIME" = "node"
"APPLICATIONINSIGHTS_CONNECTION_STRING" = azurerm_application_insights.appinsights.connection_string
"APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.appinsights.instrumentation_key
}
identity {
type = "SystemAssigned"
}
site_config {
application_stack {
node_version = "18"
}
cors {
allowed_origins = ["*"]
}
}
}
resource "azurerm_resource_group" "rgsbus" {
name = "rg-sbus"
location = "West Europe"
}
resource "azurerm_servicebus_namespace" "sbus" {
name = "kpsbus01"
location = azurerm_resource_group.rgsbus.location
resource_group_name = azurerm_resource_group.rgsbus.name
sku = "Standard"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_servicebus_queue" "squeue" {
name = "sbusqueue"
namespace_id = azurerm_servicebus_namespace.sbus.id
enable_partitioning = true
}
# Create a KeyVault
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "kv1" {
name = "kvk${random_string.str-name.result}2"
location = azurerm_resource_group.rgsbus.location
resource_group_name = azurerm_resource_group.rgsbus.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
}
resource "azurerm_key_vault_access_policy" "kvpolicy" {
key_vault_id = azurerm_key_vault.kv1.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_linux_function_app.funcapp.identity[0].principal_id
secret_permissions = [
"Get",
]
}
resource "azurerm_key_vault_access_policy" "worker_access_policy" {
key_vault_id = azurerm_key_vault.kv1.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Create",
"Get"
]
secret_permissions = [
"Set",
"Get",
"Delete",
"Purge",
"Recover"
]
}
resource "azurerm_key_vault_access_policy" "user_access_policy" {
key_vault_id = azurerm_key_vault.kv1.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = var.azure_user
secret_permissions = [
"List",
"Set",
"Get",
"Purge",
"Recover",
"Delete",
"Backup",
"Restore"
]
}
resource "azurerm_container_app_environment" "cappenv" {
name = "contEnvironment"
location = azurerm_resource_group.rgsbus.location
resource_group_name = azurerm_resource_group.rgsbus.name
log_analytics_workspace_id = azurerm_log_analytics_workspace.logs.id
}
resource "azurerm_container_app" "capp" {
name = "c${random_string.str-name.result}001"
container_app_environment_id = azurerm_container_app_environment.cappenv.id
resource_group_name = azurerm_resource_group.rgsbus.name
revision_mode = "Single"
template {
max_replicas = 5
min_replicas = 1
container {
name = "webreg01"
image = "docker.io/kpassadis/webreg01:v2"
cpu = 1.0
memory = "2Gi"
}
}
ingress {
allow_insecure_connections = "false"
external_enabled = "true"
target_port = 80
traffic_weight {
percentage = "100"
latest_revision = true
}
}
}
At this point we have created two resource groups with all the required resources :
- Log Analytics Workspace with Application Insights
- Function App with an App Service Plan (Linux) and Storage Account
- Service Bus Queue
- Key Vault
- Container App with a Docker App ( Simple HTML to POST the HTTP Trigger)
Now, i will make quick reference to the Docker Application. All we need is a Docker File and we can push it to Docker Hub and later call it directly from Container Apps.
So here are the HTML container app elements (index.html ,style.css ,Dockerfile) :
index.html
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css">
<style>
#message {
margin-top: 20px;
padding: 10px;
background-color: lightgray;
border-radius: 5px;
text-align: center;
font-weight: bold;
display: none;
}
/* added CSS */
.center {
position: absolute;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
}
</style>
<script>
async function sendMessage(event) {
event.preventDefault();
const firstname = document.getElementById("firstname").value;
const lastname = document.getElementById("lastname").value;
const nickname = document.getElementById("nickname").value;
const userData = {
firstname: firstname,
lastname: lastname,
nickname: nickname
};
const response = await fetch("https://xxxxx.azurewebsites.net/api/xxxxx", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify(userData)
});
const result = await response.json();
document.getElementById('message').innerText = result.message;
}
</script>
</head>
<body>
<div class="container">
<form method="post" action="https://xxxxx.azurewebsites.net/api/submit-form" onsubmit="sendMessage(event)">
<label for="firstname">First Name</label>
<input type="text" id="firstname" name="firstname" required>
<label for="lastname">Last Name</label>
<input type="text" id="lastname" name="lastname" required>
<label for="nickname">Nickname</label>
<input type="text" id="nickname" name="nickname" required>
<button type="submit">Submit</button>
</form>
</div>
<div id="message"></div>
</body>
</html>
style.css
body {
font-family: Arial, sans-serif;
background-color: #cce6ff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
}
.container {
background-color: #0073e6;
padding: 2rem;
border-radius: 5px;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.15);
width: 400px;
}
form {
display: flex;
flex-direction: column;
}
label {
font-weight: bold;
margin-bottom: 0.5rem;
}
input {
margin-bottom: 1rem;
padding: 0.5rem;
border: 1px solid #ccc;
border-radius: 3px;
}
button {
padding: 0.5rem 1rem;
background-color: #4CAF50;
color: white;
border: none;
border-radius: 3px;
cursor: pointer;
}
button:hover {
background-color: #45a049;
}
And here is our simple Dockerfile :
FROM nginx:stable-alpine
COPY . /usr/share/nginx/html
- docker build -t myapp:v1 .
- docker login
- docker push myusername/myapp:v1
I won’t dive deeper into Docker but it is that simple! You can validate also with a local run {docker run –name test-container -p 8080:80 -d myusername/myapp:v1}, and all documentation is available at Docker Get Started.
Now prepare a Let’s Encrypt certificate, and let's go to Part 2!
Part 2 : The Configuration
We have 2 Resource Groups with Log Analytics , Application Insights , Key Vault , Service Bus and Function Apps. It is time to deploy our Function App Triggers, and take the URL to add to our Docker Image.
From VSCode make sure you have the latest version of azure-functions-core-tools.
Install required packages :
- npm install @azure/service-bus
- npm install @Pernille-Eskebo/microsoft-graph-client @azure/msal-node
Create a new HTTP Trigger with the following details :
index.js
const { ServiceBusClient } = require("@azure/service-bus");
module.exports = async function (context, req) {
context.log('Sending message to Azure Service Bus');
const userData = req.body;
if (userData) {
const connectionString = process.env["ServiceBusConnectionString"];
const queueName = "sbusqueue";
const sbClient = new ServiceBusClient(connectionString);
const sender = sbClient.createSender(queueName);
const message = {
body: JSON.stringify(userData),
contentType: "application/json"
};
await sender.sendMessages(message);
await sender.close();
await sbClient.close();
/* context.res = {
status: 200,
body: "Message sent to Service Bus successfully."
};
*/
context.res = {
status: 200,
body: { message: 'User registration submitted successfully!' }
};
} else {
context.res = {
status: 400,
body: { message: 'User registration was NOT submitted successfully!' }
};
}
};
and function.json for our bindings:
{
"bindings": [
{
"authLevel": "anonymous",
"type": "httpTrigger",
"direction": "in",
"name": "req",
"methods": [
"post",
"get"
],
"route": "submit-form"
},
{
"type": "http",
"direction": "out",
"name": "$return"
},
{
"type": "serviceBus",
"direction": "out",
"connection": "ServiceBusConnectionString",
"name": "outputSbMsg",
"queueName": "sbusqueue"
}
]
}
Set the Function App's System Assigned Managed Identity as a Service Bus Data Owner on the Service Bus resource.
Add the Service Bus Connection String Setting from Service Bus Shared Access Policies . You can use the Root connection or create a new one, and create the Function Configuration Setting with one of the Connection Strings.
Now, go ahead and update the Docker container with the provided URL from the trigger, into the HTML of the index.html file and push the updated image! Remember to save your files on VSCode!
docker build -t myusername/myapp:v3 . docker push myusername/myapp:v3
Next we need to create our Function Trigger to import the user into Azure Active Directory with MS Graph.
First of all, authentication ! We will create a Service Principal with MS Graph API Permissions that will allow it to write into Azure AD. The procedure is simple , use the az ad sp create-for-rbac command , or add a new Application Registration and create a secret. Add the MS Graph API Permissions:
- Directory.ReadWrite.All (application)
- User.ReadWrite.All (application)
We will store the Application (Service Principal) Details into our Key Vault so lets do this
Create 3 new entries into Key Vault as Secrets , the Service Principal Object ID, Tenant ID and the secret.
The name of the values should be kept for we need them in our code.
Observe that our Function App has already the GET Secrets Access Policy in place from the terraform configuration script.
Install : npm install @azure/identity and npm install @azure/keyvault-secrets
Now create a new Trigger for our Function, a Service Bus Trigger with the following code :
index.js
const { ConfidentialClientApplication } = require('@azure/msal-node');
const { Client } = require('@microsoft/microsoft-graph-client');
const { DefaultAzureCredential } = require('@azure/identity');
const { SecretClient } = require('@azure/keyvault-secrets');
async function getKeyVaultSecret(keyVaultUrl, secretName) {
const credential = new DefaultAzureCredential();
const secretClient = new SecretClient(keyVaultUrl, credential);
const secret = await secretClient.getSecret(secretName);
return secret.value;
}
module.exports = async function (context, myQueueItem) {
context.log('JavaScript ServiceBus queue trigger function processed message', myQueueItem);
const userData = JSON.parse(myQueueItem);
const firstName = userData.firstname;
const lastName = userData.lastname;
const nickname = userData.nickname;
const domainSuffix = 'example.com'; // Replace 'example.com' with your desired domain suffix
// Set up authentication
// In case you dont want KeyVault
// const clientId = 'xxxxxxxxxxx';
// const clientSecret = 'xxxxxxxxxxxxxxx';
// const tenantId = 'xxxxxxxxxxxxxxxx';
// -----
// Replace with your Key Vault URL
const keyVaultUrl = 'https://<your_key_vault_name>.vault.azure.net/';
const clientId = await getKeyVaultSecret(keyVaultUrl, 'appRegistrationClientId');
const clientSecret = await getKeyVaultSecret(keyVaultUrl, 'appRegistrationClientSecret');
const tenantId = await getKeyVaultSecret(keyVaultUrl, 'appRegistrationTenantId');
const config = {
auth: {
clientId: clientId,
authority: `https://login.microsoftonline.com/${tenantId}`,
clientSecret: clientSecret
}
};
const app = new ConfidentialClientApplication(config);
// Acquire token
const tokenRequest = {
scopes: ['https://graph.microsoft.com/.default']
};
const authResult = await app.acquireTokenByClientCredential(tokenRequest);
const accessToken = authResult.accessToken;
// Set up Graph client
const client = Client.init({
authProvider: (done) => {
done(null, accessToken);
}
});
// Create a new user in Azure AD
const newUser = {
accountEnabled: true,
displayName: `${firstName} ${lastName}`,
mailNickname: nickname,
userPrincipalName: `${nickname}@${domainSuffix}`,
passwordProfile: {
forceChangePasswordNextSignIn: true,
password: 'mYComp@2022!@'
}
};
const createdUser = await client.api('/users').post(newUser);
context.log(`User created with ID: ${createdUser.id}`);
};
and function.json :
{
"bindings": [
{
"name": "myQueueItem",
"type": "serviceBusTrigger",
"direction": "in",
"queueName": "sbusqueue",
"connection": "ServiceBusConnectionString"
}
]
}
The final touch is to add our own custom domain!
So from the Azure Portal , Container Apps -Settings we add a custom domain:
Write the domain and you will be preented the option to Upload the Certbot certificate ( or any PFX Certificate for this domain):
Proceed with the Validation steps by adding the TXT and CNAME records and that’s it !
Watch how fast the users are created in Entra ID (Azure AD) !
The Solution is a sample and needs additional features, but is a good example of Service Bus and how Azure Integration can help us create literally anything we want !
Final Thoughts
Integration is key for Cloud Services and Azure is a perfect example of how Integration can help us create unique solutions with ease. Azure Service Bus along with Container Apps and Function Apps helped us create a Web App, that can register users into Azure AD fast and reliable.