App Registration access for a function app

MO-64 396 Reputation points
2023-06-15T17:24:48.2333333+00:00

Hi,

We have a function app (uses MS Graph API) that needs to access App Registration to monitor secrets & certificates of all the registered apps to detect what's expired and which are to expire soon.

From what I can understand the function app needs to have Application.Read.All to access and perform all this in AAD (Azure Active Directory).

My question is: how and where do we need to set up/define this access to app registrations? Do we register the app in App registrations? I'm coming across a lot of solutions on the internet and am now confused.

Where do the Application.Read.All permissions need to be granted? Is it for all app registrations we want to monitor, or for the single app registration that represents our function app?

A step by step explanation of the required process would be much appreciated.

Thank you in advance for your help.


Answer accepted by question author
  1. Anonymous
    2023-06-16T09:40:36.4+00:00

    Hi, thanks for the question. There are a few walkthroughs, one of which is here. Now, this is not exactly what you asked for, as the author is using an automation runbook (to exec a script) and you want to use a function (to exec code).

    But the principals (no pun intended ;) ) are the same.

    In the author's example they add the "Directory Readers" role to the service principal used by their automation account. But you could look for a lesser-privileged role. The steps would be the same.

    In your case the easiest thing for you would be to:
    (1) Enable the managed identity for your function app: in the portal, go to the function app and, under "Settings", choose the "Identity" menu item. Under the "System assigned" tab, enable the managed identity. It takes a few seconds. Make a note of the principal "Object ID" (GUID).
    (2) From here on you can follow the same steps as the author.
    Go to Active Directory in the Azure portal. Select the "Roles and administrators" menu item. Search for the "Directory Readers" role (or the role you choose). Click on "Assignments" and then "Add assignment" (note that you need the right level of privilege yourself, in your AAD tenant, to do this). In the search box that comes up when you add an assignment, paste the GUID from step one (the MSI principal ID from the function). You should also be able to search via the function app name. Finally, click "Add".

    This should be enough for your function app MSI, and therefore the code executed within the functions you deploy to the app, to read the AAD app registration data.

    Note: I didn't actually try this as an end-to-end demo (I have done similar in the past with a function, but not recently), so let me know if you get stuck. Remember that your function app code will need to auth. You didn't say which language you're using, but usually the smoothest way is to use the Azure.Identity package and "DefaultAzureCredential". Example here.

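As an added example (not code from the thread, from Microsoft, or from the linked walkthrough), written in Python since the question does not name a language: the function-side half of the procedure the accepted answer describes. It obtains a Graph token through the function app's managed identity with azure-identity's DefaultAzureCredential, pages through Microsoft Graph's /applications, and flags secrets and certificates that are already expired or end within 30 days. It assumes the identity has been granted a role or permission that can read application objects (the Directory Readers role from the answer, or Application.Read.All from the question), that the azure-identity and requests packages are installed, and the function names and the sample applications are my own constructions.

```python
from datetime import datetime, timedelta, timezone
# Graph query the function issues; the MSI needs a role/permission that can read applications
GRAPH_APPS_URL = "https://graph.microsoft.com/v1.0/applications?$select=displayName,passwordCredentials,keyCredentials"

def parse_graph_time(value: str) -> datetime:
    """Graph emits e.g. '2023-07-10T08:30:00.1234567Z'; strptime takes at most 6 fractional digits."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return stamp.replace(microsecond=int(frac[:6].ljust(6, "0")) if frac else 0)

def find_expiring_credentials(apps, now, warn_within=timedelta(days=30)):
    """Flag every secret/certificate that is already expired or ends within warn_within of now."""
    findings = []
    for app in apps:
        for kind, key in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
            for cred in app.get(key) or []:
                remaining = parse_graph_time(cred["endDateTime"]) - now
                if remaining <= warn_within:
                    findings.append({"app": app["displayName"], "kind": kind, "keyId": cred["keyId"],
                                     "daysLeft": remaining.days,
                                     "status": "expired" if remaining < timedelta(0) else "expiring"})
    return findings

def fetch_applications():
    """Page through /applications using the function app's managed identity (needs azure-identity, requests)."""
    from azure.identity import DefaultAzureCredential  # resolves to the system-assigned MSI inside Azure
    import requests
    token = DefaultAzureCredential().get_token("https://graph.microsoft.com/.default").token
    url, apps = GRAPH_APPS_URL, []
    while url:  # follow @odata.nextLink until the tenant's application list is exhausted
        page = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=30)
        page.raise_for_status()
        body = page.json()
        apps.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return apps

# Constructed sample in the shape Graph returns, so the check itself runs offline
SAMPLE_NOW = datetime(2023, 6, 16, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"displayName": "billing-api", "keyCredentials": [], "passwordCredentials": [
        {"keyId": "11111111-1111-1111-1111-111111111111", "endDateTime": "2023-06-01T00:00:00Z"}]},
    {"displayName": "hr-portal", "passwordCredentials": [], "keyCredentials": [
        {"keyId": "22222222-2222-2222-2222-222222222222", "endDateTime": "2023-07-10T08:30:00.1234567Z"},
        {"keyId": "33333333-3333-3333-3333-333333333333", "endDateTime": "2025-01-01T00:00:00Z"}]},
]

if __name__ == "__main__":  # in the function app, replace SAMPLE_APPS with fetch_applications()
    for f in find_expiring_credentials(SAMPLE_APPS, SAMPLE_NOW):
        print(f"{f['status']:8} {f['app']} {f['kind']} {f['keyId']} ({f['daysLeft']} days)")
```

Because the identity only ever reads application objects, the same code can be reused with a service principal (as the other answer suggests) without any change beyond what DefaultAzureCredential picks up from the environment.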

1 additional answer

  1. Konstantinos Passadis 19,691 Reputation points MVP
    2023-06-16T09:32:18.88+00:00

    Hello @MO-64 !

    A Function App can have a managed identity enabled.

    This provides the ability to add authentication to the app as well as permissions.


    The next thing to do is to add the API Permissions to the Identity

    https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/grant-graph-api-permission-to-managed-identity-object/ba-p/2792127

    BUT from my experience I would use a Service Principal, where it is easier to assign API permissions.

    The Graph script would reference the SP details and can authenticate and perform the tasks you need.


    You can create a Service Principal either with an App registration or via the Azure CLI.

    https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

    Have a look at my blog, after the video, where I do a similar thing.

    https://www.cloudblogger.eu/2023/05/16/service-bus-with-container-apps-part-2/

    The Function App has the code to use a Service Principal (all authentication details are stored in Key Vault for safety), and then we add the permissions easily via the portal. The Graph script adds users to Azure AD, but you get the idea!

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

