Secure Azure Function with Microsoft Entra ID for calling from Modern Forms and Automation Actions
This
article will provide an example how to secure your Azure Function with
Microsoft Entra ID to make secure calls from Modern Forms and Automation
Actions using Start Power Automate / Azure Function
action
Secure Azure Function with Microsoft identity provider
Open
Function app in portal.azure.com
and locate Settings
-> Authentication in the left navigation menu. Click
on Add identity provider button and select Microsoft identity
provider.
In
the App registration type select an option Create new
app registration (or select existing app). For the case of the
Multi-tenant, in Supported account types select Any
Microsoft Entra directory - Multi-tenant option.
Select the following options:
- Client application requirement: Allow requests from specific client applications
- Allowed client applications: Enter ID of SharePoint Online Web Client Extensibility - 08e18876-6177-487e-b8b5-cf950c1e598c
- Identity requirement: Allow requests from any identity
- Tenant requirement: Allow request from specific tenants
- Allowed tenants: Enter IDs of your tenants where action will be executed
- Restrict access: Require authentication
- Unauthenticated requests: HTTP 302 Found redirect: recommended for websites
Click Add button
to add Identity provider.
Copy App (client) ID.
For
multi-tenant configuration navigate to your Microsoft identity provider app. On
the Expose an API, update the Application ID URI field
to begin with https://yourtenant.onmicrosoft.com
Enable CORS in Azure Function app
The
Function App will be called from SharePoint. By default, Azure Function Apps do
not allow calls from other domains unless cross-origin access is explicitly
configured. In the Azure Function app, navigate to CORS option in the left
menu. Add the URL of your SharePoint tenant.
Grant permission of Microsoft Entra ID app in your tenant
You need to
grant permissions of this app on the specified tenant. This app will be added
to Microsoft Entra ID -> Enterprise applications in portal.azure.com
. Copy URL of your Azure Function app, insert
into private browser tab and login with Tenant admin account. Check Consent
of behalf of your organization option and Accept permissions
Grant Microsoft Entra ID app permission for using from SPFx
In order to
use this app, you need to run the following PowerShell script to grant
'user_impersonation' permission of your Microsoft Entra ID app for the SharePoint
Online Web Client Extensibility app
In the
following script you need to enter:
- Copied Application (client) ID from your Microsoft identity provider
- Enter scope: user_impersonation
$guidRegex = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
do {
$resourceAppId = Read-Host -Prompt "Enter Application (client) ID"
if ($resourceAppId -notmatch $guidRegex) {
Write-Host "Invalid format. Please enter a valid GUID." -ForegroundColor Red
}
} while ($resourceAppId -notmatch $guidRegex)
do {
$scope = Read-Host -Prompt "Enter the scope"
if ([string]::IsNullOrWhiteSpace($scope)) {
Write-Host "Scope cannot be empty. Please try again." -ForegroundColor Yellow
}
} while ([string]::IsNullOrWhiteSpace($scope))
$spOnlineWebClientExtensibilityAppId = "08e18876-6177-487e-b8b5-cf950c1e598c" # SharePoint Online Web Client Extensibility
$resourceGrant = $null
# Prompt to install the required modules if not yet installed
if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Applications) -or $null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.SignIns)) {
$response = Read-Host -Prompt "Running this script requires Microsoft.Graph modules that are not yet installed. Install now? (Y/N)"
if ($response -eq "Y") {
if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Applications)) {
Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force -AllowClobber
}
if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.SignIns)) {
Install-Module -Name Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force -AllowClobber
}
}
else {
Write-Host "The script cannot continue without the Microsoft.Graph modules. Exiting." -ForegroundColor Red
exit
}
}
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All" -NoWelcome
try {
# Get the SPFx Service Principal
$spfx = Get-MgServicePrincipal -Filter "appid eq '$spOnlineWebClientExtensibilityAppId'" -ErrorAction Stop
# Get the endpoint service princpal (required to identify the object ID)
$resource = Get-MgServicePrincipal -Filter "appid eq '$resourceAppId'" -ErrorAction Stop
# Get the scopes granted for the endpoint
$spfxGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spfx.Id -ErrorAction Stop
foreach ($spfxGrant in $spfxGrants) {
if ($spfxGrant.ResourceId -eq $resource.Id) {
$resourceGrant = $spfxGrant
break
}
}
# If some scopes have already been granted for the endpoint, we check if the scope we are about to add already exists there
if ($null -ne $resourceGrant) {
if ($resourceGrant.Scope | Select-String $scope -Quiet ) {
Write-Host "$($resource.DisplayName) $scope has already been granted for SharePoint Online Web Client Extensibility" -ForegroundColor Green
continue
}
# The scope does not yet exist; add it to the property and update it
$resourceGrant.Scope += " $scope"
Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $resourceGrant.Id -Scope $resourceGrant.Scope -ErrorAction Stop | Out-Null
}
# Otherwise, create a new object with the scope
else {
$params = @{
"clientId" = $spfx.id
"consentType" = "AllPrincipals"
"resourceId" = $resource.id
"scope" = $scope
}
New-MgOauth2PermissionGrant -BodyParameter $params -ErrorAction Stop | Out-Null
}
Write-Host "$($resource.DisplayName) $scope granted for SharePoint Online Web Client Extensibility." -ForegroundColor Green
}
catch {
Write-Host "The following error occurred: $_.Exception" -ForegroundColor Red
}
finally{
$_ = Disconnect-MgGraph # Assigning the output to a variable hides it from the terminal
}You can
view trusted permission in SharePoint Admin Center -> Advanced -> API
access. You can download this script below.
Trigger Azure Function from Start Power Automate / Azure Function action
Now you can
use Start Power Automate / Azure Function action with option 'Microsoft Entra
ID' and make secure calls to Azure Functions from Modern Forms and Automation
Actions.
The
original article how to secure your Azure Function you can read here - https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi-multitenant
Related Articles
Action: Start Power Automate / Azure Function
Start Power Automate / Azure Function action allows you to trigger existing Power Automate flow using "When an HTTP request is received" trigger or configured Azure Function. Example of Start Power Automate / Azure Function action configuration on ...Starting a Microsoft Flow from Teamsware Actions
Microsoft Flow provides many features and integration options not available when using basic Teamsware actions. But you can start a Microsoft Flow / Power Automate from Teamsware action quite easily by using the Start Power Automate / Azure Function ...Action: Clone team
Clone team action allows to create a copy of an existing Microsoft team with the specified configuration options. You can select what to include in the copy: apps, channels, members and tabs. Example of Clone team action configuration on the current ...Action: Send Mail in Rich Forms and Action Links
Send Mail action allows dynamically sending emails from your SharePoint site to any email address. Example: * Configurations are available for actions that use the Microsoft Graph Send Mail API. Note: In order to use the Send Mail action in Rich ...Action: Invite guest user
Invite guest user action allows you to create an invitation for the external user. The invitation is used to add external users to the organization. On invitation creation, the invited user is added as an external user to the Microsoft Entra ID. To ...