In some of my previous blogs here, we have seen how we could use Azure Functions to to automate processes and SharePoint workloads.
Most of these jobs run using elevated or stored privileged accounts as the Azure Function is in a different context than the user context. There are various ways we could setup these accounts. Some of these approaches are below:
- Azure AD Service Accounts
- Suitable for all operations
- Need access to resource
- Reusable across multiple workloads
- Azure AD Apps
- Suitable for Graph Access
- Need exact permissions set up
- Might need Tenant Admin authentication
- SharePoint App Accounts
- Suitable for SharePoint workloads.
- Need Site and App specific privileges
The details of these accounts could be stored in the Azure Functions App Settings (for dev and production) or local.settings.json file during local development.
The most important consideration would be to prevent from exposing password details in the Azure functions in case of unauthorized access. There are two ways we could achieve this:
- Encrypting the password and store in the Azure Function (PowerShell)
- Using Azure Key Vault to store and access password details (C#)
Encrypting Passwords in Azure Functions
For doing this, first lets’ create an encrypted password using PowerShell using the script below.
Next, copy the file to a bin folder in Azure Function using Azure File Explorer (Application Settings -> App Service Editor) and decrypt using the code below
Using Azure Key Vault
For using Azure Key Vault, the steps are as below
- Create an Azure AD App and get the Client ID and Client Secret
- Create a Azure Key Vault and add the above Azure AD app to have Get Access to the key vault. The below permissions will suffix to read the secret.
- Create Secret in key vault, then store the password and the secure Uri
- Store the Secret Uri, Client ID and Client Secret in Azure App Settings
- Use the below code to get the secure pass.
Hence above we saw how we could set up accounts in Azure Function for elevated access to SharePoint and Resource locations.