EvOps can use Functions in Service Endpoints to populate prompt fields with data and validate inputs in real time. Read more about Service Endpoints here.
Functions are commonly used to log in to Azure AD and read data from it, which requires a secure way of handling credentials. When Functions are hosted in Azure, Managed Identities can be enabled at the Function App level to handle this securely. Unfortunately, Azure Stack does not yet support Managed Identities. This article describes how to configure a Function App to use a service principal with certificate authentication as a workaround until Azure Stack supports Managed Identities.
Workstation
All tasks in this article can be performed on any Windows computer, as long as it has network access to Azure Stack and can upload the certificate file and module files to the Function App.
Install Azure AD PowerShell Module
Module installation requires PowerShell 5 or later, which is already installed on Windows 10 and Server 2016. If you have an earlier version of Windows, you need to install the Windows Management Framework here.
- Open a PowerShell ISE prompt as Administrator
- Run the command below
Install-Module AzureAD
- Verify that the installation was successful
Create Azure AD Application and Key Credentials
To enable the Function to authenticate securely, a script creates an application in Azure Active Directory (AD) together with a key credential, in this case a certificate. The key credential expires after one year and must then be renewed. This can, of course, be customized in the script before execution.
- Open a PowerShell ISE prompt as Administrator
- Paste the code below
$appName = "APP_NAME"
$dnsName = "FUNCTION_DNS_NAME"
$pfxPassword = "PASSWORD"

Connect-AzureAD

# Check whether an application with this identifier URI already exists
$appNameUri = "https://" + $appName
$filter = "identifierUris/any(uri:uri eq '" + $appNameUri + "')"
$appExists = Get-AzureADApplication -Filter $filter

if (-not $appExists) {
    # Create the output folder for the PFX file if it does not exist
    $path = "C:\Temp"
    if (!(Test-Path $path)) { New-Item -ItemType Directory -Force -Path $path }
    $pfxFile = $path + "\" + $appName + ".pfx"

    # The key credential in Azure AD is valid for one year; the certificate itself is issued for two
    $currentDate = Get-Date
    $endDate = $currentDate.AddYears(1)
    $notAfter = $endDate.AddYears(1)

    # Create a self-signed certificate with an exportable private key and export it to the PFX file
    $thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName $dnsName -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
    $securePwd = ConvertTo-SecureString -String $pfxPassword -Force -AsPlainText
    Export-PfxCertificate -Cert "cert:\localmachine\my\$thumb" -FilePath $pfxFile -Password $securePwd

    # Register the public part of the certificate as a key credential on a new Azure AD application
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($pfxFile, $securePwd)
    $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
    $cusKeyId = [System.Convert]::ToBase64String($cert.GetCertHash())
    $application = New-AzureADApplication -DisplayName $appName -IdentifierUris $appNameUri
    New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier $cusKeyId -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
    $sp = New-AzureADServicePrincipal -AppId $application.AppId

    # Wait for replication, then test a certificate-based login with the new service principal
    Start-Sleep -s 15
    $tenant = Get-AzureADTenantDetail
    Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
    Write-Host "TenantId: "$tenant.ObjectId
    Write-Host "AppId: "$sp.AppId
    Write-Host "Thumbprint: "$thumb
} else {
    Write-Host "An application already exists with that identifier URI. Change appName and rerun the script."
}
Replace the variables in the code with values according to the below table.
Variable - Description
APP_NAME - Replace with the name of the Azure AD application you will create. For example: FunctionApp890
FUNCTION_DNS_NAME - Replace with the DNS name of the Function App you will be using. For example: FunctionApp890.appservice.local.azurestack.local
PASSWORD - Replace with the password you want to set on the PFX file.
- Run the script
- Log in as an account that has permission to create Enterprise Applications in Azure AD
- Verify that the script executed successfully and that a pfx file has been created in C:\Temp
- Record the output values for TenantId, AppId, and Thumbprint; they are used later in this article
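Because the key credential created above is only valid for one year, it helps to have a check that can be rerun from the workstation. The script below is an added example, not part of the original article: it verifies that the certificate with the recorded thumbprint is present in the local machine store with its private key, then lists the key credentials registered on the application and flags any that are expired or close to expiry. It assumes an existing Connect-AzureAD session; the parameter names $AppId, $Thumbprint and $WarnDays are this example's own.

```powershell
# Added example: verify the local certificate and report key credential expiry.
# Assumes Connect-AzureAD has already been run in this session.
param(
    [Parameter(Mandatory)][string]$AppId,       # AppId printed by the creation script
    [Parameter(Mandatory)][string]$Thumbprint,  # Thumbprint printed by the creation script
    [int]$WarnDays = 30                         # flag credentials expiring within this many days
)

# 1. The certificate must exist in LocalMachine\My and carry its private key,
#    otherwise Connect-AzureAD -CertificateThumbprint cannot sign the token request.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# 2. Look up the application and the key credentials registered on it.
$app = Get-AzureADApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No Azure AD application with AppId $AppId" }
$creds = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId

# 3. Report each credential with the number of days left and a rotation status.
$now = Get-Date
foreach ($kc in $creds) {
    $daysLeft = [int]($kc.EndDate - $now).TotalDays
    $status = if ($daysLeft -le 0) { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays) { 'ROTATE SOON' }
              else { 'OK' }
    [pscustomobject]@{
        KeyId    = $kc.KeyId
        Type     = $kc.Type
        EndDate  = $kc.EndDate
        DaysLeft = $daysLeft
        Status   = $status
    }
}
```

Run it as a scheduled check so that a credential marked ROTATE SOON is renewed by rerunning the creation script before the Function starts failing to authenticate.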
Function App and Service Plan Requirement
Function Apps hosted in Consumption Plans do not currently support uploading certificates in Azure Stack, so the Function App used in this article must be hosted in an App Service Plan.
Configure Function App
The certificate created by the script above must be added to the Function App so that the PowerShell script can load it during execution.
Uploading Certificate
- Open Function App
- Click Platform features tab
- Select SSL
- Click Private Certificates (.pfx) tab
- Click Upload Certificate
- Click PFX Certificate File, browse and select the pfx file created earlier, then click Open
- Type in Certificate password for the pfx file, then click Upload
- Click Refresh to see that the certificate is listed
- Close SSL window
Configure certificate loading
- Open Function App
- Click Platform features tab
- Click Configuration
- In the Application settings section, click Add new settings
- Type in WEBSITE_LOAD_CERTIFICATES as Name and set Value to the thumbprint you saved earlier
- Click Save
Configure Platform to 64-bit
- Open Function App
- Click Platform features tab
- Click All settings
- Click Application setting in the left-side menu
- In the General settings section, set Platform to 64-bit
- Click Save
Enable FTP User and Password
If not already configured, configure FTP credentials by following the steps below.
- Open Function App
- Click Platform features tab
- Click All Settings
- Click Deployment credentials in the left-side menu
- Type in a username in FTP/deployment username
- Type in a password and confirm the password
- Click Save
Download and upload Azure AD PowerShell Module to Function App
The Azure Functions hosting environment does not provide the AzureAD PowerShell module by default.
- Open a PowerShell ISE prompt as Administrator
- Export the AzureAD PowerShell module to C:\Temp by running the command below
Save-Module AzureAD -Repository PSGallery -Path C:\Temp
- A folder named AzureAD will be created under C:\Temp
- Go to Platform Features and click All settings
- Click Properties in the left-side menu
- Copy FTP/DEPLOYMENT USER and FTP HOST NAME
- Open File Explorer and paste URL from property FTP HOST NAME into the address field
- Click Enter to go to the site
- Fill in the string from property FTP/DEPLOYMENT USER as User name
- Fill in the password as set in section Enable FTP User and Password, then click Log On
- Browse to \site\wwwroot\
- Create a new directory called PSModules
- Copy the AzureAD folder from C:\Temp into the PSModules folder
Create Function to Verify Connectivity
Here are the steps to create PowerShell Functions and verify that authentication works correctly.
- Open Function App
- In the left-side menu, click the + next to Functions to add a new Function
- Click Create Custom Function
- Enable Experimental Language Support
- In HTTP trigger section, click PowerShell
- Type in a Name for the Function, then click Create
- Open Function created above
- Replace the default Function code with the snippet below
$ModuleVersion = 'MODULE_VERSION'
$TenantId = 'TENANT_ID'
$AppId = 'APP_ID'
$Thumbprint = 'THUMBPRINT'

# Path to the module manifest uploaded over FTP earlier in this article
$ModuleManifest = "C:\home\site\wwwroot\PSModules\AzureAD\$ModuleVersion\AzureAD.psd1"
if (!(Get-Module AzureAD)) { Import-Module $ModuleManifest }

# Authenticate with the certificate loaded via WEBSITE_LOAD_CERTIFICATES
Connect-AzureAD -TenantId $TenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint
Replace the variables in the code with values according to the below table.
Variable - Description
MODULE_VERSION - The AzureAD PS module version; check the subfolder under the AzureAD folder. The subfolder's name is the module version. For example: 2.0.2.52
TENANT_ID - Replace with TenantId from the output of the script that created the certificate and Azure AD service principal earlier in this article. For example: 7d092cf6-7cf0-4483-9c53-ed33ee0dd47a
APP_ID - Replace with AppId from the output of the script that created the certificate and Azure AD service principal earlier in this article. For example: 0505faf4-6256-4c17-a2ee-75ffd0c99777
THUMBPRINT - Replace with Thumbprint from the output of the script that created the certificate and Azure AD service principal earlier in this article. For example: FA2168D024D1B452C535E339E7B3DAD7ABB3017E
- Click Save
- The Function should now be ready; click Run and check the output
- If you don't receive any error message, the connection is successful
- Before you start querying Azure AD, remember to delegate the appropriate permissions so the Azure AD application has the permissions it needs
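The connectivity Function above either succeeds or fails with a raw error. The version below is an added example, not from the original article: it reads the tenant, app id, thumbprint and module version from application settings instead of hard-coding them, checks each prerequisite (settings present, certificate loaded with its private key, module manifest on disk) before calling Connect-AzureAD, and returns a JSON result that says which step failed. The setting names TENANT_ID, APP_ID, CERT_THUMBPRINT and AZUREAD_MODULE_VERSION are this example's own assumptions, and it uses the experimental PowerShell $res convention for writing the HTTP response.

```powershell
# Added example: connectivity check Function with prerequisite checks.
# Assumed application settings: TENANT_ID, APP_ID, CERT_THUMBPRINT, AZUREAD_MODULE_VERSION.
$ErrorActionPreference = 'Stop'
$result = [ordered]@{ settingsOk = $false; certificateLoaded = $false; moduleImported = $false
                      connected = $false; tenantDomain = $null; error = $null }
try {
    # 1. All required settings must be present; they arrive as environment variables.
    $settings = @{}
    foreach ($name in 'TENANT_ID', 'APP_ID', 'CERT_THUMBPRINT', 'AZUREAD_MODULE_VERSION') {
        $value = (Get-Item "env:$name" -ErrorAction SilentlyContinue).Value
        if ([string]::IsNullOrWhiteSpace($value)) { throw "Application setting $name is not set" }
        $settings[$name] = $value
    }
    $result.settingsOk = $true

    # 2. WEBSITE_LOAD_CERTIFICATES places the uploaded PFX in the worker's CurrentUser\My store.
    $cert = Get-ChildItem "Cert:\CurrentUser\My\$($settings.CERT_THUMBPRINT)" -ErrorAction SilentlyContinue
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "Certificate $($settings.CERT_THUMBPRINT) not loaded; check WEBSITE_LOAD_CERTIFICATES and the SSL upload"
    }
    $result.certificateLoaded = $true

    # 3. The module was uploaded over FTP to wwwroot\PSModules (path from the article).
    $manifest = "C:\home\site\wwwroot\PSModules\AzureAD\$($settings.AZUREAD_MODULE_VERSION)\AzureAD.psd1"
    if (-not (Test-Path $manifest)) { throw "AzureAD module manifest not found at $manifest" }
    if (-not (Get-Module AzureAD)) { Import-Module $manifest }
    $result.moduleImported = $true

    # 4. Certificate-based login with the service principal created earlier.
    $session = Connect-AzureAD -TenantId $settings.TENANT_ID -ApplicationId $settings.APP_ID `
                               -CertificateThumbprint $settings.CERT_THUMBPRINT
    $result.connected = $true
    $result.tenantDomain = $session.TenantDomain
}
catch {
    # Record the failing step's message instead of letting the Function crash.
    $result.error = $_.Exception.Message
}

# Return the check result as JSON so the caller sees which step failed.
Out-File -Encoding Ascii -FilePath $res -InputObject ([pscustomobject]$result | ConvertTo-Json)
```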
Next Step
Check out this article for examples of Azure AD functions: