Functions
4 Topics

Adding users to an AD group with Azure Functions/Logic Apps
I want to add users to an Entra ID/Azure AD group. The list of users will be retrieved from a REST API call with Azure Functions, and then saved into a database, probably Azure SQL. I'm planning on then using Azure Logic Apps to connect the database to the AD group. How can I make the script run every time the REST API changes? Can I add users to the AD group from SQL? Is there a better way to go about this?

Using a managed service identity to call into SharePoint Online. Possible?
Hi All, I have been playing around with Managed Service Identity in Azure Logic Apps and Azure Function Apps. I think it is the best thing since sliced bread and am trying to enable various scenarios, one of which is using the MSI to get an app-only token and call into SharePoint Online. Using Logic Apps, I generated a managed service identity for my app, and granted it Sites.ReadWrite.All on the SharePoint application. When then using the HTTP action I was able to call REST endpoints while using Managed Service Identity as Authentication and using https://<tenant>.sharepoint.com as the audience. I then thought I'd take it a step further and create a function app and follow the same pattern. I created the app, generated the MSI, and added it to the Sites.ReadWrite.All role the same way I did with the Logic App. I then used the code below to retrieve an access token and try to generate a ClientContext:

    #r "Newtonsoft.Json"
    using Newtonsoft.Json;
    using System;
    using System.Net;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.SharePoint.Client;

    public static void Run(string input, TraceWriter log)
    {
        string resource = "https://<tenant>.sharepoint.com";
        string apiversion = "2017-09-01";

        using (var client = new HttpClient())
        {
            // Ask the local MSI endpoint for an app-only token scoped to the SharePoint resource
            client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
            var response = client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}",
                Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion)).Result;
            var responseContent = response.Content;
            string responseString = responseContent.ReadAsStringAsync().Result.ToString();
            var json = JsonConvert.DeserializeObject<dynamic>(responseString);
            string accesstoken = json.access_token.ToString();

            // Build a CSOM client context that attaches the bearer token to every outgoing request
            ClientContext ctx = new ClientContext("<siteurl>");
            ctx.AuthenticationMode = ClientAuthenticationMode.Anonymous;
            ctx.FormDigestHandlingEnabled = false;
            ctx.ExecutingWebRequest += delegate (object sender, WebRequestEventArgs e)
            {
                e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accesstoken;
            };

            Web web = ctx.Web;
            ctx.Load(web);
            ctx.ExecuteQuery();
            log.Info(web.Id.ToString());
        }
    }

The bearer token is generated, but requests fail with a 401 access denied (reason="There has been an error authenticating the request.";category="invalid_client"). I have tried to change the audience to "00000003-0000-0ff1-ce00-000000000000/<tenant>.sharepoint.com@<tenantid>" but that gives a different 401 error, basically stating it cannot validate the audience URI ("error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."). I have also replaced the CSOM call with a REST call mimicking the same call I did using the Logic App. My understanding of OAuth 2 is not good enough to understand why I'm running into an issue and where to look next. Why is the Logic App call using the HTTP action working, and why is the Function App not working? Anyone?

Azure Functions - New Comic
You are a Cloud lover? But you prefer Azure? Learning with fun? And most of all, you like serverless? You will probably enjoy our new comic about Azure Functions with Jonah Andersson as guest star! If you want to deep dive, do not hesitate to visit the official documentation on the Microsoft website: https://learn.microsoft.com/en-us/azure/azure-functions/functions-overview Enjoy and share, it's free!

Azure API Management for Authenticating Internal Tools
Trying to wrap my head around the "best" way to authenticate some internal tooling for our organization that integrates nicely with all the Microsoft 365 resources. I'd like to be able to transparently utilize our existing Azure AD to authenticate these client-side interfaces (Teams apps, SharePoint web parts, generic web apps/desktop apps, etc.) when they call back-end web APIs that will exist. I'm trying to stay fairly low cost, as these are going to mostly be tiny apps, e.g. some mild automations and information surfacing. Right now I am looking at using Azure Functions + a storage account using the Table storage API + API Management to do auth for the API. The auth problem of Functions seems to be a fair bit more complicated, even with API Management included, as the functions seem to be "accessible" by just going to them directly, circumventing the management. Does this make sense for some pretty small, almost "toy" applications for now?