Can I call the Graph API within Azure functions? - azure

I am new to Azure Functions.
I created a React app and used the Graph API to get information about users registered in Azure AD B2C.
At this time, a client credential flow was used, but user information could not be obtained due to a CORS error.
Previous idea (CORS error): ReactApp ↔ Graph API ↔ Azure AD B2C
So I thought of using Azure Functions.
First, the React app calls Azure Functions as an API.
Next, the Graph API is called in the Azure Function.
At this point, we want to use the client credential flow.
Then the user data of Azure AD B2C can be obtained because the Graph API was used.
This user data is returned to Azure Functions so that it can be used in the React app.
My idea: ReactApp ↔ Azure Functions ↔ Graph API ↔ Azure AD B2C
Is this feasible?
If it is possible and you have a sample, please let me know.
Thanks for reading.

• Yes, you can surely do the same as per what you have stated in your post. You can surely deploy a React app in Azure Functions and trigger a Graph API query from the function to an Azure AD B2C tenant. To do so, you will have to first deploy an Azure Static Web App in Azure, then build and deploy it through a workflow in GitHub by creating a repository there, then create an Azure Function API for the deployed React app. This Azure Functions service provides serverless APIs which allow you to focus on your TypeScript code and not have to configure a full back-end web server.
• Once done, connect the React client app to the Azure Function API. The Azure Static Web App resource deployed earlier provides a proxy between the React client and the Azure Function API. Hence, while deploying the above, I would suggest you follow the Microsoft documentation link below and its subsequent article series for the resources named above.
https://learn.microsoft.com/en-us/azure/developer/javascript/how-to/with-web-app/static-web-app-with-swa-cli/introduction
Please follow the series of documentation articles stated above till the end of connecting the React client to the Azure Function API. Once done, register an application in Azure AD B2C for authentication purposes and copy the application's required credentials like the client ID, tenant ID, tenant name and client secret for inserting these details in the HTTP trigger function API created earlier. Also, give the registered application in Azure AD B2C the required application permission of 'User.ReadWrite.All' for the Microsoft Graph API. Ensure that you are adding the 'Microsoft.Identity.Client', 'Microsoft.Graph.Auth' and 'Microsoft.Graph.Beta' NuGet packages to your Azure Function solution created earlier. Then modify the constant parameters and variables in the Azure solution code file as in the snapshot below:
• Once the above has been done successfully, you can test the deployed solution through the 'Postman' application as well as by redirecting to the React app page, thereby triggering an HTTP response in the function API, which will ensure that you read the logged-in Azure AD B2C user in the React app. For detailed information on the above-mentioned configuration, I would suggest you go through the video link below, as it perfectly describes your situation in detail:
https://www.youtube.com/watch?v=4uJHSwA-TZE
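The architecture the question describes (React app → Azure Function → Graph → Azure AD B2C), as an added Node.js example that is not the answer's own code and not part of the linked series: the function runs the client credentials flow on the server, so the client secret and the Graph access token never reach the browser, and it returns only the user fields the React app needs. The `B2C_*` setting names and the `fakeFetch` stand-in are assumptions made for this example; in production `globalThis.fetch` is used and the handler is registered with `app.http` from `@azure/functions` (shown in a comment so the file runs offline).

```javascript
// Added example, not code from the original answer: an Azure Functions HTTP handler
// (Node.js) that runs the OAuth 2.0 client credentials flow server-side and proxies a
// Microsoft Graph query for Azure AD B2C users, so the client secret and the Graph
// token never reach the browser. Setting names (B2C_*) are assumptions.
// Registration with the Azure Functions v4 Node model would be:
//   const { app } = require('@azure/functions');
//   app.http('users', { methods: ['GET'], authLevel: 'function', handler: usersHandler });
// It is omitted so this file runs offline against the fake fetch defined at the bottom.

const GRAPH_USERS_URL = 'https://graph.microsoft.com/v1.0/users';
const tokenUrl = (tenant) => `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;

// Token request for the client credentials grant. The .default scope asks for the
// application permissions already consented to on Graph (e.g. User.Read.All).
function buildTokenRequest(cfg) {
  for (const key of ['tenantId', 'clientId', 'clientSecret']) {
    if (!cfg[key]) throw new Error(`missing setting ${key}`);
  }
  const body = new URLSearchParams({
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    scope: 'https://graph.microsoft.com/.default',
    grant_type: 'client_credentials',
  });
  return {
    url: tokenUrl(cfg.tenantId),
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Graph request that selects only the fields the React app needs.
function buildGraphRequest(accessToken, select) {
  const url = `${GRAPH_USERS_URL}?$select=${encodeURIComponent(select.join(','))}`;
  return { url, options: { method: 'GET', headers: { Authorization: `Bearer ${accessToken}` } } };
}

// Forward only the selected fields; anything else Graph returned stays server-side.
function sanitizeUsers(graphBody, select) {
  return (graphBody.value || []).map((user) =>
    Object.fromEntries(select.map((field) => [field, user[field] === undefined ? null : user[field]])));
}

async function getB2cUsers(fetchImpl, cfg, select) {
  const tokenReq = buildTokenRequest(cfg);
  const tokenRes = await fetchImpl(tokenReq.url, tokenReq.options);
  if (!tokenRes.ok) throw new Error(`token request failed: HTTP ${tokenRes.status}`);
  const { access_token: accessToken } = await tokenRes.json();
  const graphReq = buildGraphRequest(accessToken, select);
  const graphRes = await fetchImpl(graphReq.url, graphReq.options);
  if (!graphRes.ok) throw new Error(`Graph request failed: HTTP ${graphRes.status}`);
  return sanitizeUsers(await graphRes.json(), select);
}

// HTTP trigger handler. Upstream failures are logged, not echoed to the caller.
async function usersHandler(request, context, deps = { fetchImpl: globalThis.fetch, env: process.env }) {
  const cfg = {
    tenantId: deps.env.B2C_TENANT_ID,
    clientId: deps.env.B2C_CLIENT_ID,
    clientSecret: deps.env.B2C_CLIENT_SECRET,
  };
  try {
    const users = await getB2cUsers(deps.fetchImpl, cfg, ['id', 'displayName']);
    return { status: 200, jsonBody: { users } };
  } catch (err) {
    console.error(`users function: ${err.message}`);
    return { status: 502, jsonBody: { error: 'upstream request failed' } };
  }
}

// Constructed stand-in for fetch so the example runs offline; production uses the real fetch.
function fakeFetch(url, options) {
  const reply = (status, body) => Promise.resolve({ ok: status === 200, status, json: async () => body });
  if (url.startsWith('https://login.microsoftonline.com/')) {
    const form = new URLSearchParams(options.body);
    const valid = form.get('grant_type') === 'client_credentials' && form.get('client_secret') === 'constructed-secret';
    return valid ? reply(200, { token_type: 'Bearer', expires_in: 3599, access_token: 'constructed-token' }) : reply(401, {});
  }
  if (url.startsWith(GRAPH_USERS_URL)) {
    if (options.headers.Authorization !== 'Bearer constructed-token') return reply(401, {});
    return reply(200, { value: [{ id: 'u1', displayName: 'Alice', mail: 'alice@example.com' }] });
  }
  return reply(404, {});
}

// Constructed settings for the offline run.
const demoEnv = { B2C_TENANT_ID: 'contoso.onmicrosoft.com', B2C_CLIENT_ID: 'constructed-client-id', B2C_CLIENT_SECRET: 'constructed-secret' };

if (typeof require !== 'undefined' && require.main === module) {
  usersHandler({}, {}, { fetchImpl: fakeFetch, env: demoEnv }).then((res) => console.log(JSON.stringify(res)));
}
```

Two points to keep when adapting it: the function itself must be protected (Static Web Apps authentication or a function key, never `authLevel: 'anonymous'` for an endpoint that reads the whole directory), and the `$select` list is the only thing that decides which directory attributes leave the tenant, so keep it minimal.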

Related

Trigger Azure AD Protected API hosted in Azure Web Apps from Power Automate

We have a Web API hosted in Azure as an Azure Web App. This API requires an access token from our Azure AD to authenticate. This API works when triggered via http from a client application. However, we need to trigger this API to run on a schedule as well and thought Power Automate would be a useful tool here as we can schedule an authenticated http request (but are open to alternative solutions).
This is the basic flow we were considering:
We have registered the Power Automate flow as an app registration in our Azure AD, and we get a valid access token. However, when we call the API I can see from Application Insights that we are getting an Unauthorized error because neither scope nor roles are specified in the token claims. How can we call this Azure AD protected API from Power Automate?
Note:
We are not using Azure Functions to schedule this job because we require a predictable IP and we already have an Azure App Service Plan to host this API.
We need this API to run on a schedule, but also be triggerable via HTTP.
We have tested this in our local environment, and it is working fine. The statements below are based on our analysis.
We have created a web app (running with .NET 6 as the run-time stack and Windows OS), enabled Application Insights, and published a sample web application which has 2 pages (home, privacy) from our local Visual Studio Code 2022.
In order to call one of the web app pages (privacy) from the Power Automate HTTP trigger, we have enabled Authentication on the web app, which has created an app registration in Azure AD with User.Read as a delegated permission.
After enabling Authentication, we are able to call the web app privacy page from Power Automate without any issue. All the requests that were triggered from Power Automate are showing success in Application Insights as well.
Here is the sample output for reference:
In the screenshot below, using the HTTP trigger we have called the web app, and the request shows success in Application Insights as well.
Note:
We would suggest you check whether you have given the correct client ID, secret values and app registration permissions (User.Read) in the HTTP trigger of Power Automate.
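The question's error says the token carries neither a scope nor a roles claim. Azure AD puts delegated scopes in `scp` and application permissions (app roles assigned to the calling app registration) in `roles`; a client-credentials caller such as a scheduled flow only gets `roles`, and only once an app role exists on the API's registration and has been assigned. The added diagnostic below, which is not code from the thread, decodes a token payload and reports which of these claims are present. It only decodes; signature, issuer and expiry validation remain the job of the API's JWT middleware. The sample tokens are constructed with placeholder signatures.

```javascript
// Added diagnostic, not code from the original thread: decode the payload of an Azure AD
// access token and report whether it carries the claims an API authorizes against.
// Decoding only inspects; the API's JWT middleware must still validate the signature,
// issuer, audience and expiry. Sample tokens below are constructed, with dummy signatures.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Delegated tokens carry "scp" (space-separated scopes); app-only tokens from the client
// credentials flow carry "roles" (app roles assigned to the calling app registration).
function describeAuthorization(jwt, expectedAudience) {
  const claims = decodeJwtPayload(jwt);
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const problems = [];
  if (claims.aud !== expectedAudience) problems.push(`audience "${claims.aud}" is not "${expectedAudience}"`);
  if (scopes.length === 0 && roles.length === 0) {
    problems.push('no scp and no roles claim: for a client-credentials caller, define an app role on the API registration and assign it to the calling app');
  }
  return { audience: claims.aud, appOnly: scopes.length === 0, scopes, roles, problems };
}

// Constructed tokens for offline use (RS256 header, placeholder instead of a real signature).
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function constructedToken(claims) {
  return `${base64UrlEncode({ typ: 'JWT', alg: 'RS256' })}.${base64UrlEncode(claims)}.placeholder-signature`;
}

const API_AUDIENCE = 'api://constructed-api-id'; // constructed Application ID URI
const ISSUER = 'https://login.microsoftonline.com/constructed-tenant/v2.0';
// Client-credentials caller with no app role assigned: the shape behind the
// "neither scope nor roles" rejection in the question.
const tokenWithoutRoles = constructedToken({ aud: API_AUDIENCE, iss: ISSUER, appid: 'constructed-caller' });
// Same caller after an app role was defined on the API registration and assigned to it.
const tokenWithRole = constructedToken({ aud: API_AUDIENCE, iss: ISSUER, appid: 'constructed-caller', roles: ['Job.Run'] });
// Delegated token obtained by an interactive user.
const delegatedToken = constructedToken({ aud: API_AUDIENCE, iss: ISSUER, scp: 'access_as_user', name: 'Alice' });

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of [tokenWithoutRoles, tokenWithRole, delegatedToken]) {
    console.log(JSON.stringify(describeAuthorization(t, API_AUDIENCE)));
  }
}
```

Running it over a real token copied from the flow's HTTP action shows immediately whether the 401 comes from a missing role assignment or from a wrong audience (the token was requested for a different resource than the API expects).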

Can an Azure App Service be tied to a client's external Azure AD?

We have written some code (I hesitate to use the term "application") in .NET Core using Visual Studio 2019. This concept is relatively simple; when a user opens a "proprietary" Excel workbook (an Excel file that calls our code) the code goes out to a hosted (by us) Azure SQL Managed database and returns data based on the parameters passed in by the user.
In Azure, we have a single production App Service plan with an App Service dedicated to each client (company). My question is about security: I'd like to tie each App Service to the related company's Azure AD. I do NOT want to create an account on my Azure AD for each user, although I can certainly do this through the "invitation" process using B2B. Can each App Service be "pointed" to a specific external instance of Azure AD so that only users from that company can access the related data?
Thanks.
You may use two different flows:
Each WebApp will authenticate users from only one specific Azure AD tenant
One WebApp will authenticate users from multiple Azure AD tenants
Both solutions can be achieved with the Azure AD multi-tenant authentication application pattern.
Here are the steps you need to implement:
Update App registration to be multi-tenant
Update your code to send requests to /common
Update your code to handle multiple/single issuer values
Here is a picture that describes the flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
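The third step, handling single or multiple issuer values, is where the per-company restriction in the question is enforced: once the app signs in through `/common`, the token's issuer can be any tenant, so the app must decide which tenants an App Service instance serves. The added example below is not the answer's own code. It takes the already-validated claims (the JWT library still checks the signature) and accepts a token only if its issuer tenant is on an allow-list, one ID for a per-client App Service or several for a shared one. It also handles the v1.0 issuer form (`https://sts.windows.net/{tid}/`) alongside v2.0, which goes beyond the page. The tenant IDs and the `ALLOWED_TENANTS` setting name are constructed.

```javascript
// Added example, not code from the original answer: the "handle multiple/single issuer
// values" step for an app that signs in through /common. The token validation library
// checks the signature; this function decides whether the token's tenant is one this
// App Service instance serves. Tenant IDs below are constructed, and v1.0 issuers
// (https://sts.windows.net/{tid}/) are handled as well as v2.0 ones.

const ISSUER_PATTERNS = [
  /^https:\/\/login\.microsoftonline\.com\/([0-9a-f-]{36})\/v2\.0$/i, // v2.0 endpoint
  /^https:\/\/sts\.windows\.net\/([0-9a-f-]{36})\/$/i,               // v1.0 endpoint
];

// Extracts the tenant ID from a trusted issuer URL, or null for anything else.
function tenantFromIssuer(iss) {
  for (const re of ISSUER_PATTERNS) {
    const m = re.exec(iss || '');
    if (m) return m[1].toLowerCase();
  }
  return null;
}

// allowedTenantIds: one ID for a per-client App Service, several for a shared one.
function validateTenant(claims, allowedTenantIds) {
  const tenant = tenantFromIssuer(claims.iss);
  if (!tenant) return { ok: false, reason: `issuer "${claims.iss}" is not an Azure AD issuer` };
  if (claims.tid && claims.tid.toLowerCase() !== tenant) {
    return { ok: false, reason: 'tid claim does not match the issuer tenant' };
  }
  if (!allowedTenantIds.map((t) => t.toLowerCase()).includes(tenant)) {
    return { ok: false, reason: `tenant ${tenant} is not allowed on this app service` };
  }
  return { ok: true, tenantId: tenant };
}

// Builds the check from an app setting such as ALLOWED_TENANTS="<guid>,<guid>" (assumed name).
// An empty setting is an error rather than "allow all", so a misconfigured slot fails closed.
function tenantPolicyFromSetting(settingValue) {
  const ids = String(settingValue || '').split(',').map((s) => s.trim()).filter(Boolean);
  if (ids.length === 0) throw new Error('ALLOWED_TENANTS is empty: refusing to accept every tenant');
  return (claims) => validateTenant(claims, ids);
}

// Constructed tenant IDs for two hypothetical client companies.
const CONTOSO_TENANT = '11111111-1111-1111-1111-111111111111';
const FABRIKAM_TENANT = '22222222-2222-2222-2222-222222222222';

if (typeof require !== 'undefined' && require.main === module) {
  const contosoOnly = tenantPolicyFromSetting(CONTOSO_TENANT);
  console.log(contosoOnly({ iss: `https://login.microsoftonline.com/${CONTOSO_TENANT}/v2.0`, tid: CONTOSO_TENANT }));
  console.log(contosoOnly({ iss: `https://login.microsoftonline.com/${FABRIKAM_TENANT}/v2.0`, tid: FABRIKAM_TENANT }));
}
```

In the "one App Service per client" layout each instance gets its own single-entry allow-list, which gives the effect the question asks for without inviting every company's users into your own tenant.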

Calling Azure Function from ADF using MSI

I am trying to call a Function app from ADF using MSI.
I have enabled managed identity for ADF as well as have enabled AAD authentication/authorization for Function app.
Now when I make a web call from ADF (with the underlying specification)
I get the following error.
I even added ADF as contributor to Function App.
I must be missing something, but I am not sure what exactly.
First of all, please make sure you selected the Create New AD App option when you configured the function app with Azure AD auth; then Azure will do all the configuration for you automatically, which reduces unnecessary trouble. Also remember to set the Authorization level of your function to Anonymous, because we configured the function app with Azure AD auth.
In your case, the error was caused by the wrong Resource. It should be the Application ID URI of the AD app that corresponds to the function app, i.e. https://<functionapp-name>.azurewebsites.net (this is configured by Azure automatically when you select Create New AD App as mentioned above).
Besides, you should note that if you just do the steps above, all the service principals (an MSI is essentially a service principal) and users in your AAD tenant can access the function app. If you just want your MSI to access the function app, then you need to leverage Azure AD app roles; I have posted the details here. If you don't mind this, just ignore step 2 and step 3, and it will also work.

Azure Function Authenticating ASP.Net Core Web Api using Microsoft Account

I have an ASP.Net Core 2.0 Web App running in an App Service in Azure that has social login configured (Google & Microsoft) according to the following docs:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins?tabs=aspnetcore2x
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?tabs=aspnetcore2x
I also have an Azure Function app that gets triggered when a message is written to an Azure Queue. I would like this function app to post the message to a Web API (Controller Action) that is running on the web app above.
How would I go about authenticating from the function app to the web API method? Would I need to somehow call the Azure AD endpoint to get a token for a given username/password?
Ideally, I would want to limit who can call this API method to just a single user account that the function app would use. Alternatively, can I somehow use the new Managed Service Identity feature to authenticate the function app against my web API method in my web app above?
Sorry, I am new to API authentication, so I am just trying to figure out the simplest approach.

azure app service basic api security

I have the basic todoitem app service running on Azure. Calling the URL below will display the content of the todoitem table. How can I add basic security to prevent this data from being accessed by anyone, like a basic parameter, ToDoItem?MyToken=12345?
https://MyappService.azurewebsites.net/tables/ToDoItem
How can I add basic security to prevent this data from being accessed by anyone, like a basic parameter, ToDoItem?MyToken=12345.
I would recommend using the built-in Authentication and authorization in Azure App Service.
App Service supports five identity providers out of the box: Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter. To expand the built-in support, you can integrate another identity provider or your own custom identity solution.
Here are some great tutorials you could refer to:
For a Node.js backend, you could follow 30 DAYS OF AZURE MOBILE APPS.
For developing azure mobile apps with C#, you could follow here.
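To make the contrast concrete, the added Node.js example below (not the answer's code, and not from the linked tutorials) puts the question's `?MyToken=12345` check next to what the app sees once built-in authentication is enabled: the App Service front end authenticates the caller and passes the result to the app in the `X-MS-CLIENT-PRINCIPAL` header (base64-encoded JSON with `auth_typ`, `name_typ`, `role_typ` and a `claims` array), so the app reads an identity instead of comparing a shared string. The sample header value, the `userId` column and the `reader` role are constructed for the example.

```javascript
// Added example, not code from the original answer: the query-string token the question
// proposes next to the identity App Service built-in authentication supplies. With built-in
// auth enabled and anonymous access disabled, only authenticated requests reach the app and
// each carries the X-MS-CLIENT-PRINCIPAL header. Sample values below are constructed.

// The question's idea: a fixed secret in the URL. Every caller shares it, it lands in browser
// history, proxy and server logs, and it cannot be rotated or revoked for one user.
function weakQueryTokenCheck(url, expectedToken) {
  const token = new URL(url).searchParams.get('MyToken');
  return token !== null && token === expectedToken;
}

// Built-in authentication: decode the principal injected by the App Service front end.
// Returns null when no principal is present (an unauthenticated request, which should
// already have been rejected by the Authentication settings).
function principalFromEasyAuth(headers) {
  const raw = headers['x-ms-client-principal'];
  if (!raw) return null;
  const principal = JSON.parse(Buffer.from(raw, 'base64').toString('utf8'));
  const claim = (type) => (principal.claims || []).filter((c) => c.typ === type).map((c) => c.val);
  return {
    provider: principal.auth_typ,
    name: claim(principal.name_typ)[0] || null,
    roles: claim(principal.role_typ),
  };
}

// Authorization decision for the ToDoItem table: authenticated callers only, and the
// query is scoped to the caller's own rows (a userId column is assumed for the example).
function authorizeTableRead(headers) {
  const who = principalFromEasyAuth(headers);
  if (!who || !who.name) return { allowed: false, status: 401 };
  return { allowed: true, status: 200, filter: { userId: who.name } };
}

// Constructed header value in the shape the front end sends after a Microsoft Account sign-in.
const NAME_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';
const ROLE_CLAIM = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';
const constructedPrincipalHeader = Buffer.from(JSON.stringify({
  auth_typ: 'microsoftaccount',
  name_typ: NAME_CLAIM,
  role_typ: ROLE_CLAIM,
  claims: [
    { typ: NAME_CLAIM, val: 'alice@example.com' },
    { typ: ROLE_CLAIM, val: 'reader' },
  ],
})).toString('base64');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(weakQueryTokenCheck('https://MyappService.azurewebsites.net/tables/ToDoItem?MyToken=12345', '12345'));
  console.log(authorizeTableRead({ 'x-ms-client-principal': constructedPrincipalHeader }));
  console.log(authorizeTableRead({}));
}
```

The header is only trustworthy because the App Service front end strips any client-supplied copy before forwarding the request; if the app is ever exposed on a path that bypasses the front end, the principal header must not be trusted.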
