This article provides examples of how EvOps can use Azure Functions to populate fields with data and to validate inputs in real time by querying Azure AD.
Prerequisites
Function App
Follow the instructions in the article Setting up a Function to access Azure AD data to create a Function App with certificate-based authentication configured; this is a prerequisite for the examples below. Make sure you have the Azure AD Tenant ID, Application ID, and certificate Thumbprint at hand, as the scripts below need them for their authentication configuration.
Azure AD Permissions
For the examples in this article, the service principal configured in the Function App needs read permission in Azure AD. The example below adds the service principal to the Directory Readers role. Depending on your scenario, you may restrict the permissions further or grant additional permissions to the service principal.
- Open a PowerShell ISE prompt as Administrator
- Paste in the code below

```powershell
$appId = 'APP_ID'

# Sign in interactively with an account that may manage directory role membership
Connect-AzureAD

# Resolve the Directory Readers role and the Function App's service principal
# (Get-AzureADDirectoryRole only lists roles that have been activated in the tenant)
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Directory Readers" }
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"

# Only add the service principal if it is not already a member of the role
$member = [bool](Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Where-Object { $_.AppId -eq $appId })
if ($member) {
    Write-Host "Service Principal is already a role member"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
}
```
Replace the variables in the code with values according to the below table.
- APP_ID: Replace with the AppId of the Azure AD Application configured for the Function App hosting the Function. For example: 0505faf4-6256-4c17-a2ee-76ffd0c99777
- Run the script
- When prompted, log in with an account that has permission to add the service principal to the targeted role in Azure AD
- Verify that the script executed successfully and that the service principal has been added to the role
List Azure AD Groups Example
Creating the Function
- Create a new Function in an existing or new Function app created according to the article Setting up a Function to access Azure AD data
- In the left-side menu, click the + next to Functions to add a new Function
- Click Create Custom Function
- Enable Experimental Language Support
- In HTTP trigger section, click PowerShell
- Type in a Name for the Function, then click Create
- Open the Function created above
- Copy the code snippet below and replace the default Function code with it

```powershell
# EvOps posts a JSON body; this Function does not need anything from it, but parse it anyway
$requestBody = Get-Content $req -Raw | ConvertFrom-Json

$tenantId   = 'TENANT_ID'
$appId      = 'APP_ID'
$thumbprint = 'THUMBPRINT'
$searchStr  = 'SEARCHSTRING'

# The AzureAD module is deployed under wwwroot\PSModules, so make it discoverable before importing
$env:PSModulePath = $env:PSModulePath + ";C:\home\site\wwwroot\PSModules"
if (! (Get-Module AzureAD)) { Import-Module AzureAD }

# App-only sign-in with the certificate installed in the Function App
Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $thumbprint

# Query the groups matching the search string
$groups = Get-AzureADGroup -SearchString $searchStr

# Build the remote source response EvOps expects: { isReadonly, items: [ { displayName, value, isDefault } ] }
$result = New-Object -TypeName psobject -Property @{ isReadonly = $false }
$items = @()
foreach ($group in $groups) {
    $items += New-Object PSCustomObject -Property @{
        displayName = $group.DisplayName
        value       = $group.ObjectId
        isDefault   = $false
    }
}
$result | Add-Member -MemberType NoteProperty -Name items -Value $items
$result = $result | ConvertTo-Json
Out-File -Encoding Ascii -FilePath $res -InputObject $result
```
Replace the variables in the code with values according to the below table.
- TENANT_ID: Replace with the Azure AD Tenant ID gathered when setting up the Function App.
- APP_ID: Replace with the AppId of the Azure AD Application configured for the Function App hosting the Function.
- THUMBPRINT: Replace with the thumbprint of the certificate configured for the Function App's certificate-based authentication.
- SEARCHSTRING: Replace with the search string used to filter the Azure AD groups returned by Get-AzureADGroup -SearchString.
- Click Save
Register the Function as a Remote Source Service Endpoint
- Open the Function created in the previous section
- Click Get function URL
- Click Copy and save the URL in a safe temporary location; you will be using it later
Note: This URL contains an access token that provides access to the function
- Open the EvOps account blade
- Click Extensions
- Click Service Endpoints
- Click Manage endpoints
- Click Add
- Select Azure Function as the Type and provide a Display Name for the service endpoint
Note: It is recommended to use the same name as the function it refers to
- Paste the Function App URL gathered earlier into the URL field
- Select Remote source as the purpose, as this function populates the prompt
- Click OK to save
Configure a list prompt to use the Function as a remote source
- Open the request template modified above
- Click Wizard
- Add or use an existing List prompt
- Expand List prompt settings by clicking the gear icon
- Click the Source tab
- Select Service endpoint from the Service Configuration list menu
- Select the service endpoint registered previously from the Endpoint list
- Click OK
Verifying that the List prompt lists AD groups
- Open the request template modified above
- Click Preview in the top menu
- Verify that the List prompt lists the AD groups matching your search string filter
Validate Azure AD UPN Example
Creating the Function
- Create a new Function in an existing or new Function app created according to the article Setting up a Function to access Azure AD data
- In the left-side menu, click the + next to Functions to add a new Function
- Click Create Custom Function
- Enable Experimental Language Support
- In HTTP trigger section, click PowerShell
- Type in a Name for the Function, then click Create
- Open the Function created above
- Copy the code snippet below and replace the default Function code with it

```powershell
$requestBody = Get-Content $req -Raw | ConvertFrom-Json
# EvOps sends the text the user typed as "valueToValidate"
$upnToValidate = $requestBody.valueToValidate

$TenantId   = 'TENANT_ID'
$AppId      = 'APP_ID'
$Thumbprint = 'THUMBPRINT'

# Cheap format check first, so Azure AD is only queried for plausible UPNs
$EmailRegex = '^([\w-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([\w-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$'
$DidItMatch = $upnToValidate -match $EmailRegex

if ($DidItMatch) {
    # The AzureAD module is deployed under wwwroot\PSModules, so make it discoverable before importing
    $env:PSModulePath = $env:PSModulePath + ";C:\home\site\wwwroot\PSModules"
    if (! (Get-Module AzureAD)) { Import-Module AzureAD }
    Connect-AzureAD -TenantId $TenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint

    # Get-AzureADUser throws when no user has this UPN, which is the "unique" case we want.
    # Note: any other error here (for example a failed sign-in or throttling) is also treated
    # as "does not exist", so the input is then reported as valid.
    try {
        $exists = [bool](Get-AzureADUser -ObjectId $upnToValidate)
    } catch {
        $exists = $false
    }

    if ($exists) {
        $result = New-Object -TypeName psobject -Property @{ valid = $false; message = "UPN address already exists" }
    } else {
        $result = New-Object -TypeName psobject -Property @{ valid = $true; message = "" }
    }
} else {
    $result = New-Object -TypeName psobject -Property @{ valid = $false; message = "Not valid UPN format" }
}

# Remote validation response EvOps expects: { valid, message }
$result = $result | ConvertTo-Json
Out-File -Encoding Ascii -FilePath $res -InputObject $result
```
Replace the variables in the code with values according to the below table.
- TENANT_ID: Replace with the Azure AD Tenant ID gathered when setting up the Function App.
- APP_ID: Replace with the AppId of the Azure AD Application configured for the Function App hosting the Function.
- THUMBPRINT: Replace with the thumbprint of the certificate configured for the Function App's certificate-based authentication.
- Click Save
Register the Function as a Remote Validation Service Endpoint
- Open the Function created in the previous section
- Click Get function URL
- Click Copy and save the URL in a safe temporary location; you will be using it later
Note: This URL contains an access token that provides access to the function
- Open the EvOps account blade
- Click Extensions
- Click Service Endpoints
- Click Manage endpoints
- Click Add
- Select Azure Function as the Type and provide a Display Name for the service endpoint
Note: It is recommended to use the same name as the function it refers to
- Paste the Function App URL gathered earlier into the URL field
- Select Remote validation as the purpose, as this function will validate input
- Click OK to save
Configure a Text prompt to use the Function to validate input
- Open the request template modified above
- Click Wizard
- Add or use an existing Text prompt
- Expand Text prompt settings by clicking the gear icon
- Click the Validation tab
- Click Add
- Select Remote validation as Type
- Select the service endpoint registered previously for validation from the Endpoint list
- Click OK to save
- Click the request template blade, click Save to save changes
Verifying that the Text prompt validates inputs
- Open the request template modified above
- Click Preview in the top menu
- Verify the functionality by typing in the following:
- Typing in test@contoso should result in the validation failed message "Not valid UPN format"
- Typing in a UPN address that already exists should result in the validation failed message "UPN address already exists"
- Typing in a unique UPN address should result in successful validation and a green checkmark icon
- Done
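To check both Functions against the response shape EvOps expects without clicking through the prompts, the following added test script (not part of the original article, and not EvOps code) calls each Function URL directly. It assumes the two Function URLs as placeholders, an EXISTING_UPN placeholder for a user that is present in your tenant, and a constructed UPN (new.user@contoso.com) that is not.

```powershell
# Added example: exercises the remote source and remote validation contracts end to end.
# The URLs embed the function key, so keep this script out of source control.
$listUrl     = 'LIST_FUNCTION_URL'       # placeholder: URL of the "List Azure AD Groups" Function
$validateUrl = 'VALIDATE_FUNCTION_URL'   # placeholder: URL of the "Validate Azure AD UPN" Function

function Invoke-EvOpsFunction {
    param([string]$Url, [hashtable]$Body)
    # Both Functions read the request body as JSON, so always post one, even if it is empty
    Invoke-RestMethod -Method Post -Uri $Url -ContentType 'application/json' `
        -Body (ConvertTo-Json -InputObject $Body)
}

# 1. Remote source contract: { isReadonly, items: [ { displayName, value, isDefault } ] }
$list = Invoke-EvOpsFunction -Url $listUrl -Body @{}
if ($null -eq $list.items) { throw 'Remote source response has no "items" property' }
foreach ($item in $list.items) {
    foreach ($prop in 'displayName', 'value', 'isDefault') {
        if (-not ($item.PSObject.Properties.Name -contains $prop)) {
            throw "Item '$($item.displayName)' is missing property '$prop'"
        }
    }
    # value must be the group ObjectId (a GUID); anything else would be submitted by the prompt as-is
    $g = [guid]::Empty
    if (-not [guid]::TryParse([string]$item.value, [ref]$g)) {
        throw "Item '$($item.displayName)' has a non-GUID value: $($item.value)"
    }
}
Write-Host "Remote source OK: $($list.items.Count) group(s) returned"

# 2. Remote validation contract: { valid, message }, driven by valueToValidate.
#    Expected results mirror the manual checks in the "Verifying" section above.
$cases = @(
    @{ Input = 'test@contoso';         ExpectValid = $false; ExpectMessage = 'Not valid UPN format' }
    @{ Input = 'EXISTING_UPN';         ExpectValid = $false; ExpectMessage = 'UPN address already exists' }  # placeholder
    @{ Input = 'new.user@contoso.com'; ExpectValid = $true;  ExpectMessage = '' }  # constructed, must not exist
)
foreach ($case in $cases) {
    $r = Invoke-EvOpsFunction -Url $validateUrl -Body @{ valueToValidate = $case.Input }
    if ($r.valid -ne $case.ExpectValid -or $r.message -ne $case.ExpectMessage) {
        throw "Validation of '$($case.Input)' returned valid=$($r.valid) message='$($r.message)'"
    }
    Write-Host "Validation OK for '$($case.Input)': valid=$($r.valid)"
}
```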