Table of contents
- Secure Azure Function with Microsoft identity provider
- Enable CORS in Azure Function app
- Grant permission of Microsoft Entra ID app in your tenant
- Grant Microsoft Entra ID app permission for using from SPFx
- Trigger Azure Function from Start Power Automate / Azure Function action
This article provides an example of how to secure your Azure Function with Microsoft Entra ID so that skybow Modern Forms and Automation Actions can make authenticated calls to it using the Start Power Automate / Azure Function action.
Secure Azure Function with Microsoft identity provider
Open Function app in portal.azure.com and locate Settings -> Authentication in the left navigation menu. Click on Add identity provider button and select Microsoft identity provider.
In the App registration type select Create new app registration (or select an existing app). For a multi-tenant setup, in Supported account types select the Any Microsoft Entra directory - Multi-tenant option.
Select the following options:
- Client application requirement: Allow requests from specific client applications
- Allowed client applications: Enter ID of SharePoint Online Web Client Extensibility - 08e18876-6177-487e-b8b5-cf950c1e598c
- Identity requirement: Allow requests from any identity
- Tenant requirement: Allow requests from specific tenants
- Allowed tenants: Enter IDs of your tenants where action will be executed
- Restrict access: Require authentication
- Unauthenticated requests: HTTP 302 Found redirect: recommended for websites
Click Add button to add Identity provider.
Copy App (client) ID.
For a multi-tenant configuration, navigate to your Microsoft identity provider app. On the Expose an API page, update the Application ID URI field so that it begins with https://yourtenant.onmicrosoft.com, for example: https://skybow.onmicrosoft.com/CallbackSecureApp
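The identity provider settings above are enforced by the App Service authentication layer in front of the function. As an added example (not code from this article or from skybow), the following Node.js helper re-checks the same two conditions, allowed tenant and allowed client application, inside the function itself, so a later change to the portal settings cannot silently widen access. It assumes the X-MS-CLIENT-PRINCIPAL header format that App Service authentication forwards (base64 JSON with a claims array), accepts both v1 and v2 claim names, and uses constructed placeholder tenant IDs.

```javascript
// Added example, not from the article: defence-in-depth authorization for an
// Azure Functions (Node.js) HTTP trigger behind App Service authentication.
// Assumption: the platform forwards the validated caller as the
// X-MS-CLIENT-PRINCIPAL header, base64 JSON of { auth_typ, claims: [{ typ, val }], ... }.
const SPFX_CLIENT_APP_ID = "08e18876-6177-487e-b8b5-cf950c1e598c"; // SharePoint Online Web Client Extensibility
// Constructed placeholder values: replace with the IDs entered under "Allowed tenants".
const ALLOWED_TENANTS = new Set([
  "11111111-1111-1111-1111-111111111111",
  "22222222-2222-2222-2222-222222222222",
]);
// Claim type names differ between v1 and v2 tokens, so accept both spellings (assumption).
const TENANT_CLAIMS = ["tid", "http://schemas.microsoft.com/identity/claims/tenantid"];
const CLIENT_CLAIMS = ["appid", "azp"];

// Decode the header into a { claimType: value } map; throws on malformed input.
function parseClientPrincipal(headerValue) {
  const principal = JSON.parse(Buffer.from(headerValue, "base64").toString("utf8"));
  const claims = {};
  for (const c of principal.claims) claims[c.typ] = c.val;
  return claims;
}

function firstClaim(claims, names) {
  for (const n of names) if (claims[n]) return claims[n];
  return undefined;
}

// Returns { ok: true, tenantId } or { ok: false, reason }. Reasons are generic on purpose
// so a 403 response does not echo claim values back to the caller.
function authorizeCaller(principalHeader) {
  if (!principalHeader) return { ok: false, reason: "unauthenticated" };
  let claims;
  try {
    claims = parseClientPrincipal(principalHeader);
  } catch (e) {
    return { ok: false, reason: "malformed principal header" };
  }
  const tid = firstClaim(claims, TENANT_CLAIMS);
  const appId = firstClaim(claims, CLIENT_CLAIMS);
  if (!tid || !ALLOWED_TENANTS.has(tid.toLowerCase())) return { ok: false, reason: "tenant not allowed" };
  if (!appId || appId.toLowerCase() !== SPFX_CLIENT_APP_ID) return { ok: false, reason: "client application not allowed" };
  return { ok: true, tenantId: tid };
}

// Builds a principal header for local runs; the output is constructed test input, not a real token.
function buildPrincipalHeader(tid, appid) {
  const principal = { auth_typ: "aad", claims: [{ typ: "tid", val: tid }, { typ: "appid", val: appid }] };
  return Buffer.from(JSON.stringify(principal)).toString("base64");
}
```

In an Azure Functions v4 handler, call `authorizeCaller(request.headers.get("x-ms-client-principal"))` and return status 403 when `ok` is false.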
Enable CORS in Azure Function app
The Function App will be called from SharePoint. By default, Azure Function Apps do not allow calls from other domains unless cross-origin access is explicitly configured. In the Azure Function app, navigate to CORS option in the left menu. Add the URL of your SharePoint tenant, for example, https://skybow.sharepoint.com
Grant permission of Microsoft Entra ID app in your tenant
You need to grant this app permissions in the specified tenant. The app will then appear under Microsoft Entra ID -> Enterprise applications in portal.azure.com. Copy the URL of your Azure Function app, open it in a private browser tab and sign in with a tenant admin account. Check the Consent on behalf of your organization option and accept the permissions.
Grant Microsoft Entra ID app permission for using from SPFx
In order to use this app, you need to run the following PowerShell script, which grants the 'user_impersonation' permission of your Microsoft Entra ID app to the SharePoint Online Web Client Extensibility app.
In the following script you need to enter:
- Copied Application (client) ID from your Microsoft identity provider
- Enter scope: user_impersonation
$guidRegex = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
do {
    $resourceAppId = Read-Host -Prompt "Enter Application (client) ID"
    if ($resourceAppId -notmatch $guidRegex) {
        Write-Host "Invalid format. Please enter a valid GUID." -ForegroundColor Red
    }
} while ($resourceAppId -notmatch $guidRegex)
do {
    $scope = Read-Host -Prompt "Enter the scope"
    if ([string]::IsNullOrWhiteSpace($scope)) {
        Write-Host "Scope cannot be empty. Please try again." -ForegroundColor Yellow
    }
} while ([string]::IsNullOrWhiteSpace($scope))
$spOnlineWebClientExtensibilityAppId = "08e18876-6177-487e-b8b5-cf950c1e598c" # SharePoint Online Web Client Extensibility
$resourceGrant = $null
# Prompt to install the required modules if not yet installed
if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Applications) -or $null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.SignIns)) {
    $response = Read-Host -Prompt "Running this script requires Microsoft.Graph modules that are not yet installed. Install now? (Y/N)"
    if ($response -eq "Y") {
        if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Applications)) {
            Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force -AllowClobber
        }
        if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Identity.SignIns)) {
            Install-Module -Name Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force -AllowClobber
        }
    }
    else {
        Write-Host "The script cannot continue without the Microsoft.Graph modules. Exiting." -ForegroundColor Red
        exit
    }
}
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All" -NoWelcome
try {
    # Get the SPFx service principal
    $spfx = Get-MgServicePrincipal -Filter "appId eq '$spOnlineWebClientExtensibilityAppId'" -ErrorAction Stop
    # Get the endpoint service principal (required to identify the object ID)
    $resource = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'" -ErrorAction Stop
    # A filter that matches nothing returns $null instead of raising an error, so check explicitly
    if ($null -eq $spfx) {
        throw "SharePoint Online Web Client Extensibility service principal was not found in this tenant."
    }
    if ($null -eq $resource) {
        throw "No service principal found for application ID $resourceAppId. Grant admin consent for the app in this tenant first."
    }
    # Get the scopes already granted to SPFx for the endpoint
    $spfxGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spfx.Id -ErrorAction Stop
    foreach ($spfxGrant in $spfxGrants) {
        if ($spfxGrant.ResourceId -eq $resource.Id) {
            $resourceGrant = $spfxGrant
            break
        }
    }
    $alreadyGranted = $false
    # If some scopes have already been granted for the endpoint, check whether the scope we are about to add is among them
    if ($null -ne $resourceGrant) {
        # Scope is a space-separated list; compare whole tokens so the check cannot match part of a longer scope name
        if (($resourceGrant.Scope -split ' ') -contains $scope) {
            Write-Host "$($resource.DisplayName) $scope has already been granted for SharePoint Online Web Client Extensibility" -ForegroundColor Green
            $alreadyGranted = $true
        }
        else {
            # The scope does not yet exist; append it to the grant and update it
            $resourceGrant.Scope = $resourceGrant.Scope.Trim() + " $scope"
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $resourceGrant.Id -Scope $resourceGrant.Scope -ErrorAction Stop | Out-Null
        }
    }
    # Otherwise, create a new grant with the scope
    else {
        $params = @{
            "clientId"    = $spfx.Id
            "consentType" = "AllPrincipals"
            "resourceId"  = $resource.Id
            "scope"       = $scope
        }
        New-MgOauth2PermissionGrant -BodyParameter $params -ErrorAction Stop | Out-Null
    }
    if (-not $alreadyGranted) {
        Write-Host "$($resource.DisplayName) $scope granted for SharePoint Online Web Client Extensibility." -ForegroundColor Green
    }
}
catch {
    # $_.Exception.Message must be wrapped in $() to be expanded inside the string
    Write-Host "The following error occurred: $($_.Exception.Message)" -ForegroundColor Red
}
finally {
    $null = Disconnect-MgGraph # Assigning the output to $null hides it from the terminal
}
You can view the trusted permissions in SharePoint Admin Center -> Advanced -> API access. You can download this script below.
Trigger Azure Function from Start Power Automate / Azure Function action
Now you can use the Start Power Automate / Azure Function action with the 'Microsoft Entra ID' option and make secure calls to Azure Functions from Modern Forms and Automation Actions.
The original article on how to secure your Azure Function can be read here - https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi-multitenant