How to prevent authenticated users spoofing other authenticated users in Azure Function?

Siegfried Heintze 1,861 Reputation points
2020-04-30T18:07:55.917+00:00

I see that active directory can be used to authenticate users that are (indirectly) calling azure functions.

Let's pretend that I have implemented a database table called projects and I have a one to one relationship between users and projects.

My goal is to implement an azure function that fetches user specific data such that authenticated users could not snoop around in another authenticated user's data (i.e. users are isolated from each other).

(1) What argument do I pass to the azure function that would uniquely identify the user (assuming I have already successfully authenticated that user)? A token from the javascript function authContext.acquireToken perhaps?

I've been studying some sample (working!) javascript code that calls function authContext.acquireToken and I cannot find the Microsoft documentation on this function. Does acquireToken give me a JWT that I can explode to get the claims? Please point me to the documentation.

(2) How could I tell Azure Active Directory to give me a JWT token with a custom claim in it that I could pass to the azure function that could in turn extract a suitable primary key to the projects table?

Or perhaps there is a better way?

Thank you

Siegfried


1 answer

  1. Siegfried Heintze 1,861 Reputation points
    2020-04-30T22:02:21.447+00:00

    I've been reading chapter 6 "Active Directory Custom Data Extensions" from "Developing App with AAD" by Mayank & Garg. They have a sample where they post some JSON (that defines a birthdate property) to https://graph.microsoft.com .

    So is this the technique I could use to create a GUID for each user that I could later fetch from AAD's authentication process to use as a primary key for my projects database table?

    Is there an easier way?

    Thanks
    Siegfried

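An added example (not code from the question, the follow-up, or Microsoft's samples) covering both posts above: the user's identity is taken from the claims of an already-validated Azure AD token, where `tid` (tenant id) and `oid` (the user's immutable directory object id, already a GUID) form the row key, and any user id supplied by the client is ignored, so one authenticated user cannot read another's project. It assumes the token's signature, issuer, audience and expiry were checked upstream (e.g. by App Service Authentication or a JWT library) and uses a constructed in-memory `projects` map in place of the database table.

```javascript
// Decode the payload segment of a JWS compact token (header.payload.signature).
// Signature/issuer/audience/expiry validation is assumed to have happened already.
function decodeJwtClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Stable per-user key: tenant id + object id. `oid` is the user's immutable
// directory object id (a GUID). `sub` alone is per-application and `email`/`upn`
// can change, so neither is used as the primary key.
function userKeyFromClaims(claims) {
  if (!claims.tid || !claims.oid) throw new Error('token lacks tid/oid claims');
  return `${claims.tid}:${claims.oid}`;
}

// Constructed sample table: one project row per user key (the 1:1 relationship).
const projects = new Map([
  ['tenant-a:user-1', { name: 'Alice project' }],
  ['tenant-a:user-2', { name: 'Bob project' }],
]);

// Function handler: the row is selected only by the token's identity; a userId
// in the query string or body is never consulted, so it cannot be spoofed.
function getMyProject(req) {
  const auth = (req.headers && req.headers.authorization) || '';
  if (!auth.startsWith('Bearer ')) return { status: 401, body: 'missing bearer token' };
  const key = userKeyFromClaims(decodeJwtClaims(auth.slice('Bearer '.length)));
  const row = projects.get(key);
  return row ? { status: 200, body: row } : { status: 404, body: 'no project' };
}

// Builds a constructed test token with a placeholder signature for the demo only.
function makeTestToken(claims) {
  const b64url = (s) => Buffer.from(s).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url('{"alg":"RS256","typ":"JWT"}')}.${b64url(JSON.stringify(claims))}.placeholder`;
}
```

Because the key is derived from the validated token rather than from request input, no custom directory extension is needed for isolation; a custom claim only becomes necessary if the table must be keyed by something other than the directory object id.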