C#3mo ago
yoplaityum

trying to plan validating azure ad token and calling graph api in azure function

I need to validate the token generated by Azure AD in Azure Function. I need to use a client credential flow in Azure Function to get the token to call Graph api to manage the user. Here are the questions. 1. In Azure function, there is no built in Authorize so I need to build a middleware to validate the token. Any other ideas? 2. I can't find the sample code in Azure function to get secrets from keyvault and to get the token. Do you guys know any sample code?
33 Replies
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
1 and 2 are kind of related cuz I need to validate the token from 1, then once they have enough scope or permissions, I do number 2. I am using .net for Azure Function so I need to get the secret using keyvault and get the token to call graph api. Thank you for your answer! If I use .net for azure function, would your suggestion be the same?
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
cuz it's an external service called azf. I believe I can validate this from azf and focus on the business logic. Can I ask you another question? Now that everything is fine and got into the function. What I need to do is I have two app registrations. One app registration has appRoles assigned in the manifest. In the other app registration, I need to add that appRole called "write" to the user itself. I kind of get the idea but I am not sure cuz it's hard to find sample code. I might first get the client secret for the second app registration and call graph api using client credential flow, then assign the role (not sure how I can assign roles). Do I need to get the role separately from the first app registration?
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
external service calls azf using client credential. azf needs to assign the user a role called 'write'. That write is from the manifest of the first app registration.
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
give me a moment. I might be missing something but thank you for answering
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
No description
yoplaityum3mo ago
does that make sense? or am I crazy lol
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
No description
yoplaityum3mo ago
what about this. Second app reg adds a secret to keyvault and azure function gets that secret to call graph api to add a role to the second app registration
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
that's correct. External service does nothing other than sending the jwt token for auth and the user Id so that azure function can assign the role to the user
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
got it. Thanks. In terms of application roles: App reg1 has a role called 'write', and in the second app reg2, can I add that role to the users in app reg2 programmatically?
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
are you an azure developer? how long have you been in the field?
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
the external app uses client credential in their own app registration
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
not sure about MI. I think without MI, just pass the jwt token as Authorization Bearer blahblah. Then azure function validates that
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
Yeah the one you showed me to validate I haven't tried yet
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
yeah something like that
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
yeah exactly. can we go back to the app role in the manifest of app reg1, and adding a user to app reg2 with that 'write' role?
Unknown User3mo ago
Message Not Public
yoplaityum3mo ago
oh wow okay. it's 8 pm here. I am watching a lot of stuff and reading books. But in terms of identity and how to design this stuff, it's quite hard to get
Unknown User3mo ago
Message Not Public