This article is in support of CloudRadial's open source project for Azure Functions. Please see https://github.com/cloudradial/CloudRadialCsaAutomations for more information.
Azure Functions must authenticate to Microsoft Graph before they can call it. One way to do this is an App Registration granted the required application permissions; the Azure Function then signs in as that application (the OAuth 2.0 client credentials flow) with the client ID and a client secret, with no user involved.
Create an Application for Authentication
Follow these steps to create an application:
- Open "Microsoft Entra ID" from your Azure Portal or search for it in the top search bar.
- Go to "App registrations" under the Manage group.
- Click "New registration". Enter a name for the application. If you use this application for multiple tenants, choose the "Accounts in any organization directory" radio button. Click Register.
- From the Overview page, record the Application (client) ID and Directory (tenant) ID. You will use these later.
- Choose the "API permissions" link under the Manage group to define what the application is allowed to do in the tenant(s).
- Click "Add a permission" under Configured permissions, choose Microsoft Graph, and then select Application permissions (not Delegated permissions, because the function runs without a signed-in user). Add only the permissions the function needs; for example, User.ReadWrite.All is required to update user information and to enable or disable account access.
- After adding the permissions, you must grant consent using the "Grant admin consent" option; application permissions are not effective until an administrator has consented.
- Go to the "Certificates & secrets" option for the application under the Manage group.
- Click "New client secret" and enter the requested information. Set the expiration date based on your standards, and remember that you will have to create a new secret and update your Azure Function configuration before it expires.
- Record the Value of the secret you just created. It is shown only once; if you leave the page without copying it, you will have to create a new secret. Store it somewhere protected (for example Key Vault or the Function's application settings), never in source control.
At this point, you should have saved the Application (client) ID, the Directory (tenant) ID and the secret value. You will need all three for your Azure Function.
Authorizing Other Tenants
If you want to use this application in the tenants of the clients you manage, an administrator of each client tenant must consent to it. Build the admin consent URL as follows, substituting your Application (client) ID where specified:
https://login.microsoftonline.com/common/adminconsent?client_id={Application (client) Id}
Open this URL in an incognito (private) browser window, sign in as an administrator of the client organization, and accept the permissions you defined. After consenting you may see an error page saying that no reply (redirect) URL is registered, because the app registration has none configured; the consent has still been recorded, and the application now appears in the client tenant's list of Enterprise Applications. When the Azure Function acts in that client tenant, it uses the same client ID and secret but the client's own Directory (tenant) ID.
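The following script is an added example (not part of the CloudRadial project) that ties the two procedures above together: it builds the client-credentials token request for the app registration and secret you created, checks that the token actually carries the application permissions you granted (they appear in the token's "roles" claim), and builds the admin consent URL for a client tenant. The tenant and client IDs, the secret and the sample token are constructed placeholders; only the standard library is used.

```python
"""Client-credentials login for the app registration described above.

Added example, standard library only. IDs, secret and the sample token are
constructed placeholders, not values from the original article.
"""
import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # asks for all consented app permissions


def token_endpoint(tenant_id: str) -> str:
    """Tenant-specific v2.0 token endpoint.

    The client credentials flow is always tenant-specific: for a client you
    manage, pass that client's Directory (tenant) ID, never "common".
    """
    if tenant_id.lower() in ("common", "organizations", "consumers"):
        raise ValueError(f"client credentials need a specific tenant ID, not {tenant_id!r}")
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def token_request_body(client_id: str, client_secret: str) -> dict:
    """Form fields of the client_credentials grant (the app signs in as itself)."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Perform the live token request (network; not exercised offline)."""
    body = urllib.parse.urlencode(token_request_body(client_id, client_secret)).encode()
    req = urllib.request.Request(token_endpoint(tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def jwt_payload(token: str) -> dict:
    """Decode the claims of a JWT for inspection (no signature check here;
    Graph verifies the signature, we only want to see what was granted)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, required) -> list:
    """Application permissions that were granted show up in the "roles" claim
    of an app-only token; anything listed here was not added or not consented."""
    granted = set(jwt_payload(token).get("roles", []))
    return sorted(set(required) - granted)


def token_tenant(token: str) -> str:
    """Tenant the token was issued for; compare with the client tenant you meant."""
    return jwt_payload(token).get("tid", "")


def admin_consent_url(client_id: str, tenant: str = "common") -> str:
    """URL a client-tenant administrator opens to consent to the application."""
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?client_id={client_id}"


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token (fake signature) for offline checks."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    # Placeholder IDs; replace with the values recorded in the portal.
    client_id = "00000000-0000-0000-0000-000000000001"
    client_tenant = "00000000-0000-0000-0000-0000000000aa"
    print("consent URL:", admin_consent_url(client_id))
    print("token endpoint:", token_endpoint(client_tenant))
    # Constructed token standing in for what acquire_token() would return
    # when only User.Read.All was consented in that tenant.
    sample = make_unsigned_token({"tid": client_tenant, "roles": ["User.Read.All"]})
    print("missing permissions:", missing_roles(sample, ["User.ReadWrite.All"]))
```

Run missing_roles() against a real token once after granting consent in each client tenant: a permission you added in the portal but forgot to consent to, or consent that the client administrator never completed, shows up as a missing role before the function fails at runtime.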