Calling Azure function API from Sharepoint classic using Managed identity
We have created an Azure function API in Python which will be called by SharePoint classic using JavaScript. We want to make it secure using managed identity. Right now we are providing them an API key, which we do not want to.
SharePoint is providing me a token, but we are not able to validate it because our application is separate.
Please help.
Azure Functions
SharePoint Development
Microsoft Entra
-
MayankBargali-MSFT 70,536 Reputation points
2024-04-12T10:26:04.3133333+00:00 @Rajeev Kumar Dave Thanks for reaching out. Can you please confirm that the below is your workflow?
Current flow :
Custom Application (JavaScript code authenticate using function app key) --> Azure function --> Graph API --> Sharepoint
New flow:
Custom Application (JavaScript code and don't want to use function app key) --> Azure function (managed identity) --> Graph API --> Sharepoint
-
Rajeev Kumar Dave 21 Reputation points
2024-04-17T09:57:43.2433333+00:00 What will be the other way around if we are calling Azure Function from SharePoint classic? Same?
Sharepoint ->Graph API ->Azure Function (Managed Identity).
-
MayankBargali-MSFT 70,536 Reputation points
2024-04-18T04:01:38.7033333+00:00 @Rajeev Kumar Dave Yes, that should be possible: SharePoint -> Azure Function (Managed Identity). You can enable the managed identity at the function app end. From your SharePoint code you need to acquire an access token to authenticate to your function app.
This document talks about how to use managed identities for Azure resources on an Azure VM to acquire an access token, and you can implement the same in a similar way. I have added the Microsoft Entra tag for the experts to comment.
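Whatever the SharePoint side does to obtain the token, the function app still has to validate it itself, which is the gap the question describes. The following is an added example (not from this thread or from Microsoft's own code) of the claim checks an HTTP-triggered Python function should apply to an incoming Entra access token; it assumes a placeholder App ID URI and tenant id, and it assumes the RS256 signature has already been verified against the tenant's published signing keys (for example with PyJWT's PyJWKClient), which is omitted here so the example runs offline.

```python
import base64
import json
import time

# Placeholder values (constructed, not from the thread): the App ID URI that
# the function app's app registration exposes, and the Entra tenant id.
EXPECTED_AUDIENCE = "api://example-function-app"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
# v2.0 tokens carry this issuer; v1.0 tokens use https://sts.windows.net/{tid}/ instead.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_token(token: str):
    """Return (header, payload) of a compact JWT. The signature is NOT checked
    here; verify it against the tenant JWKS before trusting the payload."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def validate_claims(payload: dict, now=None, skew: int = 300) -> list:
    """Return the list of reasons the token must be rejected; empty means OK.
    Every check is against this function app's own identity, so a token
    minted for another API (wrong aud) or another tenant is refused."""
    now = time.time() if now is None else now
    problems = []
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        problems.append(f"aud {aud!r} is not this function app")
    if payload.get("iss") != EXPECTED_ISSUER:
        problems.append(f"iss {payload.get('iss')!r} is not the expected tenant")
    if payload.get("tid") != TENANT_ID:
        problems.append("tid does not match the expected tenant")
    if payload.get("exp", 0) + skew < now:
        problems.append("token has expired")
    if payload.get("nbf", 0) - skew > now:
        problems.append("token is not yet valid")
    return problems


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the claim checks can run offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"
```

In a real function the 401 response is returned whenever validate_claims returns a non-empty list, and the signature check must run before these claim checks, not instead of them.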
-
Rajeev Kumar Dave 21 Reputation points
2024-04-18T08:01:28.64+00:00 GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1 Metadata: true
Looks like if we use the above then the major change which I need to make is the resource, and in the resource I need to mention the function app URL. Right?
-
Shweta Mathur 29,781 Reputation points • Microsoft Employee
2024-04-19T11:45:24.0633333+00:00 Hi @Rajeev Kumar Dave ,
Thanks for reaching out.
I understood that you are trying to call the Function API from SharePoint classic using Managed Identity.
To secure your Azure Function API using managed identity, you can follow these steps:
- Enable managed identity for your Azure Function app. You can do this by going to the "Identity" section of your Function app in the Azure portal and turning on the "System assigned" switch.
- Grant the managed identity access to the necessary Azure resources. In this case, you will need to grant the managed identity access to the SharePoint API that you are calling from your Azure Function. You can do this by assigning the appropriate role to the managed identity on the SharePoint resource.
- Modify your Azure Function code to use the managed identity to authenticate with SharePoint. You can do this by using the ManagedIdentityCredential class from the azure.identity library in your Python code. This will allow your Azure Function to authenticate with SharePoint using the managed identity instead of an API key.
Reference - https://finarne.wordpress.com/2019/03/17/azure-function-using-a-managed-identity-to-call-sharepoint-online/
https://learn.microsoft.com/en-us/python/api/overview/azure/identity-readme?view=azure-python
Hope this will help.
Thanks,
Shweta
-
Rajeev Kumar Dave 21 Reputation points
2024-04-20T07:02:47.4433333+00:00 Hi Shweta. Appreciate your help. Your below point is confusing "Grant the managed identity access to the necessary Azure resources. In this case, you will need to grant the managed identity access to the SharePoint API that you are calling from your Azure Function. You can do this by assigning the appropriate role to the managed identity on the SharePoint resource." I am trying to call Azure Function from SharePoint not SharePoint from Azure Function. Please explain.
-
Shweta Mathur 29,781 Reputation points • Microsoft Employee
2024-04-22T04:06:03.6833333+00:00 @Rajeev Kumar Dave Apologies for the confusion. I'm not aware of the SharePoint side, but you can use HttpClient (in the SPItemEventReceiver.ItemAdded event handler) and invoke an HTTP endpoint, you can create a corresponding Function App with an HTTP trigger, and the entire thing should work. It seems to have been done before with SharePoint Online, for example: SharePoint Remote Event Receivers using Azure Function.
Also, you can use SharePoint webhook https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/sharepoint-webhooks-using-azure-functions to host your SharePoint.
-
Rajeev Kumar Dave 21 Reputation points
2024-04-22T05:56:24.4133333+00:00 Let me check Shweta. Thanks !! Appreciate your help !!
-
MayankBargali-MSFT 70,536 Reputation points
2024-04-23T08:07:23.5+00:00 Sure. Let us know
-
Rajeev Kumar Dave 21 Reputation points
2024-04-23T08:47:43.1433333+00:00 The only challenge is that for this we also need to expose a client secret, and with SharePoint we do not have any backend server to keep it in the config file.