Configuring Microsoft Graph bindings for Azure Functions with B2C
I had a hackfest with a customer last week. I really enjoyed it. We used Microsoft Graph bindings with Durable Functions and successfully fetched a token from the bindings. I'd like to share how to do it.
At this hackfest, we wanted to access the Graph API for Azure Active Directory B2C. The code is very easy. However, the configuration was a little confusing for me.
Create an App Registration with proper user
If you want to use Graph bindings to fetch a token for the B2C Graph API, you need to create an App Registration. It must be created by a user who belongs to the Azure AD B2C directory.
For example, I usually log in to Azure as ushio@mydomain.com. I create an Azure AD B2C tenant named "someorganization.onmicrosoft.com". I can switch directories between MyDomain and SomeOrganization. However, I can't create the App Registration there, because I am an Azure AD user, not an Azure AD B2C user. You need to create a new user in the Azure AD B2C tenant "someorganization.onmicrosoft.com", log out of Azure, log in with the new B2C user (in this example, chirs@someorganization.onmicrosoft.com), and create the App Registration with that chirs account. If you create it as ushio@mydomain.com, the App Registration doesn't work for this use case.
Create a new B2C user
Create a new admin account. Go to Azure Active Directory > Users > All users > New user. The user must be created with the admin role. Then log in to Azure using the new user.
Creating App Registration by the B2C user
Log in to Azure as the B2C user (in the example, the chirs account). Go to Azure Active Directory > App registrations > New application registration.
Name it and choose "Web app / API" as the application type. The Sign-on URL is not used in this scenario, so you can specify any URL.
Choose the App Registration, then go to Settings > Required permissions > Windows Azure Active Directory.
I want to read the B2C directory through the Graph API, so enable "Read directory data", click Save, and then click Grant Permissions. This grants the permission to the App Registration.
Get the Application ID and Password
You need to create a key on the App Registration page. Go to Settings > Keys and create a key (the password). Then note the Application ID.
Configure Function App
Then configure the Function App to fetch the token for the B2C Graph API. Log back in to Azure as the original user and create a Function App. Then go to Authentication / Authorization under Platform features.
Then click Azure Active Directory.
Then set the App Registration values: Client ID = Application ID, Client Secret = the key you created, and Issuer Url = https://sts.windows.net/{YOUR_TENANT_ID_OF_B2C}
You can also get the Issuer Url from this url.
https://login.microsoftonline.com/{YOUR_B2C_ORGANIZATION}/.well-known/openid-configuration
For example, for my demo organization it looks like this.
https://login.microsoftonline.com/someorganization.onmicrosoft.com/.well-known/openid-configuration
There you can find the "issuer" attribute.
That completes the settings.
Writing an Azure Functions using Graph Bindings
The binding code is quite easy: all you need to do is declare the Token binding. This is the binding part that fetches the token.

```csharp
// Token binding: ClientCredentials uses the Client ID / Client Secret configured
// under Authentication / Authorization; Resource is the Azure AD Graph endpoint.
public static async Task<IActionResult> RunAsync(
    [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
    [Token(Identity = TokenIdentityMode.ClientCredentials, Resource = "https://graph.windows.net")] string token,
    TraceWriter log)
```
Then call the Graph API using the token.
```csharp
// Build the Azure AD Graph request and attach the bound token as a Bearer header.
var request = new System.Net.Http.HttpRequestMessage();
request.RequestUri = new System.Uri("https://graph.windows.net/someorganization.onmicrosoft.com/users?api-version=1.6");
request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
var response = await httpClient.SendAsync(request);
```
This is the whole code.
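Putting the binding and the Graph call together, here is a complete function as an added example (not the author's code). It assumes the Token attribute lives in the Microsoft.Azure.WebJobs.Extensions.MicrosoftGraph namespace of the preview package, and reads the tenant name from a hypothetical app setting named B2C_TENANT instead of hard-coding it.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Extensions.MicrosoftGraph; // assumed namespace of the Token binding
using Microsoft.Azure.WebJobs.Host;

public static class ListB2CUsers
{
    // One shared HttpClient for the whole function app (avoids socket exhaustion).
    private static readonly HttpClient httpClient = new HttpClient();

    [FunctionName("ListB2CUsers")]
    public static async Task<IActionResult> RunAsync(
        [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
        // App-only token minted from the Client ID / Client Secret / Issuer Url
        // configured under Authentication / Authorization, scoped to Azure AD Graph.
        [Token(Identity = TokenIdentityMode.ClientCredentials, Resource = "https://graph.windows.net")] string token,
        TraceWriter log)
    {
        // B2C_TENANT is a hypothetical app setting, e.g. someorganization.onmicrosoft.com
        var tenant = Environment.GetEnvironmentVariable("B2C_TENANT");

        var request = new HttpRequestMessage(HttpMethod.Get,
            $"https://graph.windows.net/{tenant}/users?api-version=1.6");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        var response = await httpClient.SendAsync(request);
        if (!response.IsSuccessStatusCode)
        {
            // 401/403 here usually means the App Registration was created by a user outside
            // the B2C directory, or "Read directory data" was never granted.
            log.Error($"Graph call failed: {(int)response.StatusCode} {response.ReasonPhrase}");
            return new StatusCodeResult((int)response.StatusCode);
        }

        var body = await response.Content.ReadAsStringAsync();
        return new ContentResult { Content = body, ContentType = "application/json", StatusCode = 200 };
    }
}
```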
Resource
Special Thanks
Thank you to my hackfest teammates, especially Naohiro Fujie for teaching me about the B2C settings and Chris Gillum for writing the bindings.
I enjoyed hacking with you guys. Let's have another one.