This article is in support of CloudRadial's open source project for Azure Functions. Please see https://github.com/cloudradial/CloudRadialCsaAutomations for more information.
Azure Functions provides a way to run PowerShell scripts on demand and, combined with the Microsoft.Graph module, offers an easy way to make changes in a Microsoft 365 tenant. This allows you to move scripts you run locally to the cloud.
Local execution typically starts with the command:
Connect-MgGraph
This command opens a login window so you can enter your user credentials. The same command is used in an Azure Function, but there you need to authenticate through an application that will act as a user to perform the requested actions. The application must have the necessary rights to act.
To create this application, please see this article: Creating a Microsoft Entra ID App Registration for Azure Function Authentication
Create an Azure Function App
If you have not already created an Azure Function app for PowerShell scripts, from the Azure Portal:
- Search for "Function App" using the search bar at the top of the page.
- Choose the "Create" option and fill in the details. Be sure to choose "PowerShell Core" for the runtime stack, and for most cases, you can use the "Consumption (Serverless)" option.
Save the Application Information
You should now have recorded the application ID, the tenant ID, and the client secret value. You will use these values to authenticate your PowerShell scripts. While you can place these values directly into your script, a better method is to save them in the configuration section of your Azure Function, so the client secret is not stored in the script itself.
- Return to your Azure Function application and choose "Configuration" under the Settings area.
- Under Application settings, choose "New application setting" and create a setting for the application ID, "Ms365_AuthAppId", another one for the client secret, "Ms365_AuthSecretId", and finally one for the default tenant ID, "Ms365_TenantId". You will use the names of these settings in your script.
Install the Microsoft.Graph Module in the Azure Function
To use Microsoft.Graph commands, you must first install the Microsoft.Graph module in the Azure Function. Jump to this article to learn how to install the Microsoft.Graph module. The steps in this article should work for any PowerShell modules you want to use.
Installing PowerShell Modules in Azure Functions
Authenticate With Microsoft Graph
Now that you have an application with the necessary Graph permissions, and its values stored as application settings in your Function App, you can perform any Microsoft.Graph task in PowerShell that the application has the right to perform.
# Application settings are exposed to the script as environment variables
$tenantId = $env:Ms365_TenantId
$appId = $env:Ms365_AuthAppId
$appSecret = $env:Ms365_AuthSecretId
# Build a credential object: user name = application ID, password = client secret
$securePassword = ConvertTo-SecureString -String $appSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($appId, $securePassword)
# Sign in as the application (no interactive login window)
Connect-MgGraph -ClientSecretCredential $credential -TenantId $tenantId
After these commands, you can now reference any Microsoft.Graph PowerShell command.
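The same authentication step with the checks a production function usually needs, as an added example that is not code from the CloudRadial project: it fails closed when a setting is missing, confirms that the resulting session is the expected app-only identity, and disconnects when the work is done. The function name Connect-GraphFromAppSettings is hypothetical; the setting names are the ones created above.

```powershell
# Added example, not CloudRadial's code. Connect-GraphFromAppSettings is a hypothetical name.
function Connect-GraphFromAppSettings {
    [CmdletBinding()]
    param()

    # Setting names created earlier in this article
    $required = 'Ms365_TenantId', 'Ms365_AuthAppId', 'Ms365_AuthSecretId'

    # Fail closed if a setting is missing or empty; report names only, never values
    $missing = $required | Where-Object {
        [string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($_))
    }
    if ($missing) {
        throw "Missing application setting(s): $($missing -join ', ')"
    }

    $appId = $env:Ms365_AuthAppId

    # Convert the secret directly so it is not kept in a separate plain-text variable
    $secureSecret = ConvertTo-SecureString -String $env:Ms365_AuthSecretId -AsPlainText -Force
    $credential   = [System.Management.Automation.PSCredential]::new($appId, $secureSecret)

    # -ErrorAction Stop turns a failed sign-in into a terminating error;
    # Out-Null keeps any welcome banner out of the function's output
    Connect-MgGraph -ClientSecretCredential $credential -TenantId $env:Ms365_TenantId -ErrorAction Stop |
        Out-Null

    # Verify the session is app-only and belongs to the application we configured
    $context = Get-MgContext
    if (-not $context -or $context.AuthType -ne 'AppOnly' -or $context.ClientId -ne $appId) {
        if ($context) { Disconnect-MgGraph | Out-Null }
        throw 'Graph context does not match the configured application.'
    }
    return $context
}

try {
    $ctx = Connect-GraphFromAppSettings
    # Log identifiers only; the client secret is never written to the log
    Write-Information "Connected as app $($ctx.ClientId) in tenant $($ctx.TenantId)"
    # Microsoft.Graph commands for this function go here
}
finally {
    # Drop the session so a reused worker does not carry it into the next invocation
    if (Get-MgContext) { Disconnect-MgGraph | Out-Null }
}
```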
More information about the Microsoft.Graph PowerShell module can be found at:
https://learn.microsoft.com/en-us/powershell/microsoftgraph/overview