Secure Azure Function With Azure AD

Overview

 
Azure Functions are useful for performing processing outside of SharePoint. In the previous article, SharePoint Framework - Call Azure Function, we explored creating an Azure function with anonymous access. In real scenarios, leaving an Azure function open to anonymous access is not recommended, because anyone who knows its URL can call it.
 
In this article, we will explore how to secure an Azure function with Azure AD.
 

Azure AD App Registration

  1. Open Azure Portal https://portal.azure.com
  2. From left menu, click “Azure Active Directory”
  3. Click “App registrations”
  4. Click “New application registration”
  5. Specify any name for app registration
  6. Select “Application type” as “Web app / API”
  7. Specify “Sign-on URL” as the URL of the Azure function we will be creating in the next step
  8. Click Create

Get the App ID URI

  1. Click “Settings”
  2. Click “Properties”
  3. Note down the “App ID URI” for later use

App registration permissions

 
By default, the app registration has the “Sign in and read user profile” permission. To modify the permissions, follow the steps below:
  1. Click Settings
  2. Click “Required permissions” under “API ACCESS”
  3. Click “Add”
  4. Add or update permissions as needed, requesting only the permissions the function actually requires (least privilege).

Grant permissions to App registration

 
As an administrator, grant the requested permissions to the app registration on behalf of all users, so individual users are not prompted for consent:
  1. Click Settings
  2. Click “Required permissions” under “API ACCESS”
  3. Click “Grant permissions”
  4. Click “Yes”

Azure Function

 
Azure Functions is a serverless compute service: functions are event driven and run on demand. Follow the steps below to create an Azure function:
  1. Open Azure Portal https://portal.azure.com
  2. Click Create Resource
  3. Under Compute, select Function App
  4. Fill in the information to create the Function App
  5. Click Create
  6. Once the Function App is ready, click the “Platform features” tab
  7. Under Networking, click “Authentication / Authorization”
  8. For the “App Service Authentication” option, select “ON”
  9. For the “Action to take when request is not authenticated” option, select “Log in with Azure Active Directory”, so unauthenticated requests are redirected to sign in instead of reaching the function
  10. Under “Authentication Providers”, select “Azure Active Directory”
  11. Select “Management mode” as “Advanced”
  12. In the “Client ID” textbox, paste the Application ID of the app registration created earlier under “Azure AD App Registration”
  13. In “Allowed Token Audiences”, paste the App ID URI noted earlier; App Service Authentication rejects tokens whose audience is not in this list
  14. Click OK

Enable CORS on Azure Function

 
Azure functions are hosted in Microsoft Azure and run on a different domain than the SharePoint site where our SharePoint Framework (SPFx) web part is hosted. By default, the browser blocks such cross-domain calls from the SharePoint page. To overcome this, we have to enable CORS (Cross-Origin Resource Sharing) on the Azure function.
 
Follow the steps below to enable CORS on the Azure function:
  1. Click Platform features
  2. Under API, click CORS
  3. Specify the Office 365 tenant SharePoint URL and the SharePoint local workbench URL as allowed origins; list only the origins that need to call the function rather than a wildcard (*)
  4. Click Save

Implement Azure Function

  1. Open Visual Studio (2015 or 2017)
  2. If you are using Visual Studio 2015, install the “Visual Studio Tools for Azure Functions” extension first
  3. Click “New Project”
  4. Under Visual C#, select Cloud > Azure Functions
  5. Name the project (e.g. SecureFunctionApp)
  6. Click OK
  7. Right click the project name. Select Add > New Item…
  8. Add an Azure function named "UserInformation"
  9. Click Add
  10. Select Http trigger
  11. For “Access rights”, select “Anonymous”. The function itself does not need a function key, because App Service Authentication with Azure AD, configured earlier, authenticates every request before it reaches the function.
  12. Click OK
  13. Use the code below in the Function App:

      using Microsoft.Azure.WebJobs;
      using Microsoft.Azure.WebJobs.Extensions.Http;
      using Microsoft.Azure.WebJobs.Host;
      using System.Collections.Generic;
      using System.Net;
      using System.Net.Http;
      using System.Net.Http.Formatting;
      using System.Security.Claims;
      using System.Threading.Tasks;

      namespace SecureFunctionApp
      {
          public static class UserInformation
          {
              // AuthorizationLevel.Anonymous: no function key is needed because
              // App Service Authentication (Azure AD) guards the whole Function App.
              [FunctionName("UserInformation")]
              public static async Task<HttpResponseMessage> Run(
                  [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequestMessage req,
                  TraceWriter log)
              {
                  log.Info("C# HTTP trigger function processed a request.");

                  var result = new Dictionary<string, string>();

                  // App Service Authentication populates ClaimsPrincipal.Current from the
                  // validated Azure AD token; copy the current user's claims into the response.
                  // Indexer assignment is used so that a repeated claim type (e.g. groups)
                  // overwrites instead of throwing on a duplicate dictionary key.
                  foreach (Claim claim in ClaimsPrincipal.Current.Claims)
                  {
                      result[claim.Type] = claim.Value;
                  }

                  return req.CreateResponse(HttpStatusCode.OK, result, JsonMediaTypeFormatter.DefaultMediaType);
              }
          }
      }

  14. Right click the project name. Select Publish…
  15. Click “Select existing”
  16. Click Publish
  17. Select the Function App created earlier
  18. Click OK to publish the function to the Azure function app.
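As an added example (not code from the original article), here is a hardened variant of the UserInformation function that adds a second layer of checks behind App Service Authentication: it fails closed if no authenticated principal is present, confirms the token's audience and tenant against values read from app settings, and returns only the values the web part needs instead of echoing the whole token. The app setting names EXPECTED_TENANT_ID and ALLOWED_AUDIENCES, the function name, and the short claim type names "aud" and "tid" are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Host;

namespace SecureFunctionApp
{
    public static class UserInformationHardened
    {
        // Assumed app setting names: the tenant ID, and the audiences entered under
        // "Allowed Token Audiences" (App ID URI, Client ID) separated by ';'.
        private static readonly string ExpectedTenant = Environment.GetEnvironmentVariable("EXPECTED_TENANT_ID");
        private static readonly string[] AllowedAudiences = (Environment.GetEnvironmentVariable("ALLOWED_AUDIENCES") ?? "").Split(';');

        [FunctionName("UserInformationHardened")]
        public static Task<HttpResponseMessage> Run(
            [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequestMessage req,
            TraceWriter log)
        {
            ClaimsPrincipal principal = ClaimsPrincipal.Current;
            // App Service Authentication should already have turned away unauthenticated
            // callers; if one still reaches the function, fail closed rather than trust it.
            if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
            {
                log.Warning("Request reached the function without an authenticated principal.");
                return Task.FromResult(req.CreateResponse(HttpStatusCode.Unauthorized));
            }
            // Second layer: the token must be for this API and our tenant. "aud"/"tid" are
            // assumed claim names; confirm them against the claims UserInformation returns.
            string aud = principal.FindFirst("aud")?.Value;
            string tid = principal.FindFirst("tid")?.Value;
            if (Array.IndexOf(AllowedAudiences, aud) < 0 || tid == null || tid != ExpectedTenant)
            {
                log.Warning($"Rejected token: aud={aud}, tid={tid}");
                return Task.FromResult(req.CreateResponse(HttpStatusCode.Forbidden));
            }
            // Return only the values the web part needs instead of echoing every claim.
            var result = new Dictionary<string, string>
            {
                ["name"] = principal.FindFirst(ClaimTypes.Name)?.Value,
                ["upn"] = principal.FindFirst(ClaimTypes.Upn)?.Value
            };
            return Task.FromResult(req.CreateResponse(HttpStatusCode.OK, result));
        }
    }
}
```

Deploy it alongside UserInformation and call it from the web part once the two app settings are populated in the Function App configuration.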

Summary

 
In a production environment, always secure the Azure function. An Azure function can be secured with Azure AD by associating it with an Azure AD app registration through App Service Authentication, so that only callers presenting a valid token for the registered application can invoke it.