Community Let’s start in 2021 with a blast. I am happy to announce that I will be speaking at Nordic Virtual Summit in February.
If you are interested in Endpoint Management, Azure, or Security and compliance.
Nordic Virtual Summit has some great content for you!
Azure Ever had the need to enable Azure Active Directory authentication in Azure Functions? In a recent project, I wanted to use Azure Functions, and I wanted both system-to-system authentication, as well as user-based. As Azure Functions is a part of the app services in Azure. It shares many of the same features. Authentication is one of them.
The scope for this blog post is not to show you how to build an Azure function, but to enable Azure AD authentication on it. You can add auth to your existing function or create a new one using your method of choice. For simplicity, I will show the process of using the Azure portal.
To enable authentication in Azure Function. Navigate to “Authentication/authorization”. This will open a series of blades which guides you through the process.
If you’re not familiar with Azure AD and custom application registrations, I recommend that you use the Express option. This will create the needed application in AAD for you.
By default Azure Function uses something called “Function authentication” This is where all your requests have a code parameter at the end of the URL.
https://my-function-app.azurewebsites.net/api/function-name?code=xyzx-zyxx...We want to have Azure AD perform authentication and authorization, and not the function itself.
Within the GUI, it’s just a flick of a switch. If you are developing locally, using C# you typically do this:
public static HttpResponseMessage (run
[HttpTrigger(
AuthorizationLevel.Anonymous)]
HttpRequestmessage request)
{
logic
}
After changing the authorization level and enable AAD authentication,
all users in your organization will automatically have access. If you want more granular control over who has access to your application, you should enable user assignment.
To enable user assignment. Navigate to enterprise application under AAD, and look up the app created by the wizard. The enterprise app is the service principal representing the application you created. Your Azure Function.
Under properties, find the swith for user assignment and turn it on. Navigate to your function URL and see if it works, meaning access denied.
Later add your own user and verify authentication works through Azure AD.
If you want other applications (clients) to call your function, you will have to assign them API access. The same way you give access to for example Microsoft Graph API, you will find your custom application as well.
This will not work right away – By default, there are no application roles assigned. Only delegated permissions. For client authentication to work, you will need to add custom roles to the app representing your Azure Function. It is not difficult, but I used too much time finding it out. Microsoft has it documented here
Chances are that your azure function is not a graphical website. Therefore I assume you want to authenticate using code. Either with your own user, or with a separate application/secret combination (app credentials).
The great thing about this is that it works just as any other Microsoft/Azure APIs. If you know how to get a token from Microsoft, you can use the same techniques against your function. My example below show how to retrieve a token for our azure function, and use that bearer token against the function. I use a client application in this scenario.
This feature is great. I consider my self as a modern IT operations guy. And operations role these days requires more coding and scripting. It is super easy to expose things on the internet. But remember, it might also be just as easy to secure.
I have no idea on how to implement a authentication layer. And if i can use one of the best, i’m all aboard.
Community Microsoft Tech Summit is arriving in Oslo December 6 2018.
I am so lucky that I will have a talk on how you can leverage Azure serverless offerings to automate your business processes. All using your existing Ops skills.
The cloud as the established foundation allows the real transformative technologies such as Artificial Intelligence start to transform the way we live and work. The Microsoft Tech summit is your key for inspiration, matching your innovative app ideas with the latest evolution of the Microsoft Cloud platform, also supporting Open Source solutions.
Azure In part two we will integrate Azure Functions using Powershell triggered by Event Grid to complete the circle in our application infrastructure. If you havent read the previous parts in this blog series, i recommend you start with the introducution.
Azure’s serverless flagship probably don’t need any introduction at this stage, but in short. Azure Functions allows you to run code or scripts on demand triggered via various sources. Timer triggers, event, webhooks, http post, gets etc. The most common way to run your stuff is by consumption where your code run on spare compute in azure at a very low-cost. If you demand more power, you can also opt in for the app service plan.
Read more about functions and how to get started here.
FYI; the same type of service from AWS is called Lambda and Google offers similar with Cloud Functions
Powershell support in Azure Functions is still in preview, but I have used it many times, without issues. It is slower that all the other languages supported, but that doesent matter in this case. But be aware that azure functions Powershell run in v4. If you want to run C# or Java feel free to do so.
Let’s start by adding a new function app. Things to notice is that the name of your function app, is also the DNS name. App insights is on by default, and I have no idea why you would want to chose OS type. This wasn’t here before…
without wasting too much of your time reading a lot of fill text, lets just create a new function. Remember to enable ‘experimental language support’ this will magically allow Powershell support (among others). Chose the HTTP trigger Powershell.
I am naming my first function “incoming-pizza-order” which we will add the code to and connect to Event Grid.
After creation you will have a function that supports GET and POST request with your name as the input. A “hello world” type of example. Let’s see if we can trigger this from Event Grid. As we did in the previous post. Create a new Event Grid subscription.
Failure, right? Let’s take a look.
Azure event grid accepts all incoming events and will pass them on to any subscribers. To add a layer of security you will have to validate the subscription upon creation. So all subscribers, weather it’s your own incoming webhook solution on premises or in a another cloud, will have to sort of handshake before it creates the subscription. As you see, the error message in Azure isn’t very good, and I searched quite a long time before I reached out to Ling Toh via Twitter. Luckily she pointed me in the right direction.
Upon creation event grid sends a validation request to the subscriber, which looks something like this:
[{
"id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
"topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"subject": "",
"data": {
"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
"validationUrl": "https://rp-eastus2.eventgrid.azure.net:553/eventsubscriptions/estest/validate?id=B2E34264-7D71-453A-B5FB-B62D0FDC85EE&t=2018-04-26T20:30:54.4538837Z&apiVersion=2018-05-01-preview&token=1BNqCxBBSSE9OnNSfZM4%2b5H9zDegKMY6uJ%2fO2DFRkwQ%3d"
},
"eventType": "Microsoft.EventGrid.SubscriptionValidationEvent",
"eventTime": "2018-01-25T22:12:19.4556811Z",
"metadataVersion": "1",
"dataVersion": "1"
}]
We will have to return a successful HTTP response (HTTP 200 OK) with the validation code under the property, “validationResponse”
{
"validationResponse": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6"
}
All this is described in Microsofts documentation, but how do we do this in a Powershell function? Here’s my modified version of the “hello world/name” example. As you see it grabs the post requests and if it is a validation event from Event Grid it will return an http 200 and the validation response. Copy the entire script in to your function and re-create the subscription in event grid.
Hopefully the subscription registered successfully. Time to play!
Grab the code example from part 1 and fire off an event, in the matter of seconds your function will fire. You can confirm that it’s working by looking at the log and output.
How cool isn’t this? I love that we can use our Ops skills and create true serverless, modern application infrastructure.
In my next post, I will share a few more code examples with multiple Azure Functions, sending events through event grid, from the introduction you know that these are the steps:
PS: I would like to create a simple GUI at some point, what tools should I use? I’m thinking either Powershell Universal Dashboard by Adam Driscoll or PowerApps. If you have other suggestions, let me know.
Automation Welcome, fellow IT pro. You have found the blog series describing how you can create a serverless application infrastructure with Powershell.
If you consider your self being a ‘modern it pro’, you frequently solve complex tasks and automate your work using code. You know what Git is and have heard people talk about continuous integration. If you can relate, let’s label you a ‘modern it pro’.
When I develop solutions that challenge my knowledge, I often seek advice from our developers. (You know, those who are employed to ‘GIT commit’?) Usually they can share some light on the issue and point me in the right direction.
By developing our own solutions, we have a working proof-of-concept to handover to our developers when things grow too big or complex.
The challenge or scope for my POC was to streamline creation of Azure tenants for our customers. We required to create a tenant, assign subscriptions and do some configuration within Azure AD. Many of these steps was already solved with various scripts, but it is time to consolidate and automate the automation. We decided that we wanted to learn more around the integration and ‘serverless’ PAAS offerings available in Azure.
For the purpose of this blog series we are going to build a new application using the same techniques, in a smaller scale. To create our serverless application infrastructure, we make use of the following Azure offerings:
I bet you have worked a fair amount of overtime in your career, therefore eaten a lot of pizza as well. Let’s try to build a simple pizza order and delivery process using Event Grid as integration layer and multiple Azure Functions to process the order.
We will break the pizza order and delivery process in to the following steps: