Secure Azure Function with Microsoft Entra ID for calling from Modern Forms and Automation Actions

This article shows how to secure your Azure Function with Microsoft Entra ID so that Modern Forms and Automation Actions can call it securely through the Start Power Automate / Azure Function action.

Secure Azure Function with Microsoft identity provider

Open the Function App in portal.azure.com and locate Settings -> Authentication in the left navigation menu. Click the Add identity provider button and select Microsoft as the identity provider.


Under App registration type, select Create new app registration (or select an existing app). For a multi-tenant setup, under Supported account types select the Any Microsoft Entra directory - Multi-tenant option.


Select the following options:

  • Client application requirement: Allow requests from specific client applications
    • Allowed client applications: Enter ID of SharePoint Online Web Client Extensibility - 08e18876-6177-487e-b8b5-cf950c1e598c
  • Identity requirement: Allow requests from any identity
  • Tenant requirement: Allow requests from specific tenants
    • Allowed tenants: Enter the IDs of the tenants in which the action will be executed
  • Restrict access: Require authentication
  • Unauthenticated requests: HTTP 302 Found redirect: recommended for websites

Click the Add button to add the identity provider.


Copy the App (client) ID.


For a multi-tenant configuration, navigate to the app registration of your Microsoft identity provider. On the Expose an API blade, update the Application ID URI field so that it begins with https://yourtenant.onmicrosoft.com
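The Client application requirement and Tenant requirement configured above are enforced by the platform's built-in authentication before a request reaches your code. As an added example (not part of the original article or of the product), the following Python shows how the function body can re-check those same two conditions as a second layer, using the X-MS-CLIENT-PRINCIPAL header that App Service / Functions built-in authentication forwards to the function: a base64-encoded JSON document listing the caller's token claims. The SharePoint Online Web Client Extensibility ID is the one from this article; the allowed tenant ID is a placeholder, and build_principal_header constructs test data rather than anything issued by Entra ID.

```python
import base64
import json
from typing import Mapping, Optional, Tuple

# Values from the article: the SPFx client app allowed to call the function and the
# tenant(s) configured under "Allowed tenants" (placeholder tenant id, replace with yours).
SPFX_CLIENT_APP_ID = "08e18876-6177-487e-b8b5-cf950c1e598c"  # SharePoint Online Web Client Extensibility
ALLOWED_TENANT_IDS = {"11111111-1111-1111-1111-111111111111"}  # placeholder tenant id (constructed)

# Claim types carrying the tenant and the calling client app. v2.0 tokens use the short
# names, v1.0 tokens the long URI and "appid", so both spellings are accepted.
TENANT_CLAIM_TYPES = ("tid", "http://schemas.microsoft.com/identity/claims/tenantid")
CLIENT_APP_CLAIM_TYPES = ("azp", "appid")


def decode_client_principal(header_value: str) -> dict:
    """Decode X-MS-CLIENT-PRINCIPAL (base64 JSON with a 'claims' list of {typ, val})
    into a {claim_type: [values]} dictionary."""
    padded = header_value + "=" * (-len(header_value) % 4)  # tolerate stripped padding
    document = json.loads(base64.b64decode(padded, validate=True))
    claims: dict = {}
    for claim in document.get("claims", []):
        claims.setdefault(claim["typ"], []).append(claim["val"])
    return claims


def first_claim(claims: Mapping[str, list], claim_types) -> Optional[str]:
    """Return the first value found for any of the given claim types, or None."""
    for claim_type in claim_types:
        values = claims.get(claim_type)
        if values:
            return values[0]
    return None


def authorize_request(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for the caller identity forwarded by built-in auth."""
    lowered = {name.lower(): value for name, value in headers.items()}
    header_value = lowered.get("x-ms-client-principal")
    if not header_value:
        # The header is set by the platform only after it validated the token; its
        # absence means built-in authentication is not enforcing on this request.
        return False, "no authenticated principal on request"
    try:
        claims = decode_client_principal(header_value)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed client principal header"
    tenant_id = first_claim(claims, TENANT_CLAIM_TYPES)
    if tenant_id not in ALLOWED_TENANT_IDS:
        return False, f"tenant {tenant_id!r} is not an allowed tenant"
    client_app_id = first_claim(claims, CLIENT_APP_CLAIM_TYPES)
    if client_app_id != SPFX_CLIENT_APP_ID:
        return False, f"client application {client_app_id!r} is not SharePoint Online Web Client Extensibility"
    return True, f"caller from tenant {tenant_id} via SPFx accepted"


def build_principal_header(claims: Mapping[str, str]) -> str:
    """Construct an X-MS-CLIENT-PRINCIPAL value for local testing only (constructed data,
    not a token issued by Entra ID; in production the platform sets this header)."""
    document = {
        "auth_typ": "aad",
        "claims": [{"typ": typ, "val": val} for typ, val in claims.items()],
        "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    }
    return base64.b64encode(json.dumps(document).encode()).decode()


if __name__ == "__main__":
    sample = {"X-MS-CLIENT-PRINCIPAL": build_principal_header(
        {"tid": "11111111-1111-1111-1111-111111111111", "azp": SPFX_CLIENT_APP_ID})}
    print(authorize_request(sample))
```

A missing header is rejected rather than treated as anonymous: it means no built-in authentication sat in front of the function (for example, Restrict access left at allowing unauthenticated requests), which is exactly the misconfiguration this second check is meant to catch.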


Enable CORS in Azure Function app

The Function App will be called from SharePoint. By default, Azure Function Apps do not allow calls from other domains unless cross-origin access is explicitly configured. In the Azure Function app, navigate to the CORS option in the left menu and add the URL of your SharePoint tenant.

Grant permission of Microsoft Entra ID app in your tenant

You need to grant this app permissions in the specified tenant; once granted, the app appears under Microsoft Entra ID -> Enterprise applications in portal.azure.com. Copy the URL of your Azure Function app, open it in a private browser tab and sign in with a tenant admin account. Check the Consent on behalf of your organization option and accept the permissions.

Grant Microsoft Entra ID app permission for using from SPFx

To use this app, run the following PowerShell script, which grants the 'user_impersonation' permission of your Microsoft Entra ID app to the SharePoint Online Web Client Extensibility app.

The script prompts you for:

  • The Application (client) ID copied from your Microsoft identity provider
  • The scope: user_impersonation

$guidRegex = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
do {
    $resourceAppId = Read-Host -Prompt "Enter Application (client) ID"
    if ($resourceAppId -notmatch $guidRegex) {
        Write-Host "Invalid format. Please enter a valid GUID." -ForegroundColor Red
    }
} while ($resourceAppId -notmatch $guidRegex)

do {
    $scope = Read-Host -Prompt "Enter the scope"
    if ([string]::IsNullOrWhiteSpace($scope)) {
        Write-Host "Scope cannot be empty. Please try again." -ForegroundColor Yellow
    }
} while ([string]::IsNullOrWhiteSpace($scope))

$spOnlineWebClientExtensibilityAppId = "08e18876-6177-487e-b8b5-cf950c1e598c" # SharePoint Online Web Client Extensibility
$resourceGrant = $null

# Prompt to install the required modules if not yet installed
if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Applications) -or $null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.SignIns)) {
    $response = Read-Host -Prompt "Running this script requires Microsoft.Graph modules that are not yet installed. Install now? (Y/N)"
    if ($response -eq "Y") {
        if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Applications)) {
            Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force -AllowClobber
        }
        if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.SignIns)) {
            Install-Module -Name Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force -AllowClobber
        }
    }
    else {
        Write-Host "The script cannot continue without the Microsoft.Graph modules. Exiting." -ForegroundColor Red
        exit
    }
}

Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All" -NoWelcome

try {
    # Get the SPFx service principal (SharePoint Online Web Client Extensibility)
    $spfx = Get-MgServicePrincipal -Filter "appid eq '$spOnlineWebClientExtensibilityAppId'" -ErrorAction Stop
    # Get the endpoint service principal (required to identify the object ID)
    $resource = Get-MgServicePrincipal -Filter "appid eq '$resourceAppId'" -ErrorAction Stop
    if ($null -eq $resource) {
        # The service principal exists in this tenant only after admin consent has been granted (previous section)
        throw "No service principal found for application ID $resourceAppId in this tenant. Grant admin consent first."
    }

    # Get the delegated permission grants the SPFx service principal already holds and pick the one for our endpoint
    $spfxGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spfx.Id -ErrorAction Stop
    foreach ($spfxGrant in $spfxGrants) {
        if ($spfxGrant.ResourceId -eq $resource.Id) {
            $resourceGrant = $spfxGrant
            break
        }
    }

    if ($null -ne $resourceGrant) {
        # Some scopes are already granted for the endpoint; check whether ours is among them.
        # The Scope property is a space-separated list, so compare whole entries rather than substrings.
        if (($resourceGrant.Scope -split '\s+') -contains $scope) {
            Write-Host "$($resource.DisplayName) $scope has already been granted for SharePoint Online Web Client Extensibility" -ForegroundColor Green
            return # Nothing to do; the finally block still disconnects
        }
        # The scope does not yet exist; append it and update the existing grant
        $resourceGrant.Scope += " $scope"
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $resourceGrant.Id -Scope $resourceGrant.Scope -ErrorAction Stop | Out-Null
    }
    else {
        # No grant exists yet for this endpoint; create one on behalf of all users in the tenant
        $params = @{
            "clientId"    = $spfx.Id
            "consentType" = "AllPrincipals"
            "resourceId"  = $resource.Id
            "scope"       = $scope
        }
        New-MgOauth2PermissionGrant -BodyParameter $params -ErrorAction Stop | Out-Null
    }
    Write-Host "$($resource.DisplayName) $scope granted for SharePoint Online Web Client Extensibility." -ForegroundColor Green
}
catch {
    # $($_.Exception.Message) is required here: "$_.Exception" would expand only $_ and print the literal text ".Exception"
    Write-Host "The following error occurred: $($_.Exception.Message)" -ForegroundColor Red
}
finally {
    $null = Disconnect-MgGraph # Assigning the output to $null hides it from the terminal
}


You can view the trusted permission in SharePoint Admin Center -> Advanced -> API access. You can download this script below.

Trigger Azure Function from Start Power Automate / Azure Function action

Now you can use the Start Power Automate / Azure Function action with the 'Microsoft Entra ID' option and make secure calls to Azure Functions from Modern Forms and Automation Actions.

The original Microsoft article on securing your Azure Function is available here: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi-multitenant
