Protect Azure Function with Azure AD Authentication and Create Custom Connector | PL-400 Exam Guide
Question
You create an Azure Function.
You want to protect the function using Azure AD authentication and create a custom connector.
Please select three steps that you need to take before creating the custom connector.
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D. E.Correct Answers: A, C and E
A custom connector is an API wrapper around the REST API.
You can create such a wrapper for Azure Functions, Azure Web Apps, Azure API apps, etc.
When you develop an application using one of these services, you need to describe the API's operations by creating the API definitions before exporting the application's APIs.
You also need to set the authentication type for your custom connector.
Suppose you want to create a custom connector and export the Azure Function Web APIs.
What is more, you want to protect access to the Azure Function with Azure AD authentication.
And use the Azure AD authentication for the custom connector.
After you create an Azure Function, you can use two options on the Azure Function App blade under the Settings section: Authentication (Number 1) or Authentication (classic) (Number 2)
If you decide to use the Authentication (classic), the Azure portal will ask you to convert to the current Identity Provider Authentication (Number 3)
You can select different providers on this screen, like Microsoft (including Azure AD identities) (Number 4), Facebook, Google, and Twitter.
/answer/imgckeditor_18.1.jpg)
This Identity Provider registration also registers your Azure Function as an app within the Azure AD (Number 1) and defines the App Service settings (Number 2).
![Microsoft Azure 2 Search resources, services, and docs (G+/)
“ Dashboard > App Services > CBFunctionAppAsAPI >
+ Create a resource Add an identity provider
t Home
Dashboard
— . Basics = Permissions
[= All services
ke FAVORITES Identity provider * Microsoft a
All resources App registration
[4] Resource groups An app registration associates your identity provider with your app. Enter the app registration information here, or go to
your provider to create a new one. Learn more
@ App Services
App registration type * © Create new app registration
<> Function App , + ' at edie afi
O Pick an existing app registration in this directory
SQL databases © Provide the details of an existing app registration
© Azure Cosmos DB
Name* © CBFunctionAppAsAPI
© Virtual machines
Supported account types * Current tenant - Single tenant
} Load balancers MPP unt typ ©
O Any Azure AD directory - Multi-tenant
= Storage accounts O Any Azure AD directory & personal Microsoft accounts
<> Virtual networks O Personal Microsoft accounts only @
<> Azure Active Directory Help me choose...
© Monitor App Service authentication settings
® Advisor Requiring authentication ensures all users of your app will need to authenticate. If you allow unauthenticated requests,
. you'll need your own code for specific authentication requirements. Learn more 7
La] Security Center
Authentication * © Require authentication
© Cost Management + Billing
O Allow unauthenticated access
2 Help + support
Unauthenticated requests * O HTTP 302 Found redirect: recommended for websites
© HTTP 401 Unauthorized: recommended for APIs
© HTTP 403 Forbidden
? Subscriptions
Token store @
| Add | < Previous Next: Permissions >](https://eaeastus2.blob.core.windows.net/optimizedimages/static/images/Microsoft-Power-Platform-Developer-(PL-400)/answer/imgckeditor_18.2.jpg)
Next, you need to register a new app, like Custom connector app, with the Azure AD and give access to your Azure Function.
![Microsoft Azure
+ Create a resource
nr Home
Dashboard
= All services
ok FAVORITES
S55 All resources
i) Resource groups
@ App Services
“> Function App
SQL databases
© Azure Cosmos DB
© Virtual machines
} Load balancers
©}! Storage accounts
<> Virtual networks
nS Azure Active Directory
© Monitor
® Advisor
La] Security Center
© Cost Management + Billing
2 Help + support
? Subscriptions
Home > CloudBreezy >» CBFunctionAppAsAPI
-»- CBFunctionAppAsAPI | API permissions #
| P Search (Cmd+/)
| «
= Overview
& Quickstart
, 4 Integration assistant
Manage
Branding
D Authentication
? Certificates & secrets
II Token configuration
> API permissions
® Expose an API
HA App roles
Owners
Manifest
Support + Troubleshooting
2 Troubleshooting
& New support request
&a
&, Roles and administrators | Preview
Po
©) Refresh © Got feedback?
Configured permissions
Applications are authorized to call APIs when they are granted permissions by users/admins as part of the consent process. The list of configured permissions should include
all the permissions the application needs. Learn more about permissions and consent
-+ Adda permission \/ Grant admin consent for CloudBreezy
API / Permissions name Type Description Admin consent req... Status
\CBFunctionAppAsAPI (1)
user_impersonation Delegated Access CBFunctionAppAsAPI
Y Microsoft Graph (1) eee
User.Read Delegated Sign in and read user profile No nme:
To view and manage permissions and user consent, try Enterprise applications.](https://eaeastus2.blob.core.windows.net/optimizedimages/static/images/Microsoft-Power-Platform-Developer-(PL-400)/answer/imgckeditor_18.3.jpg)
After that, you can create your API definition and create a custom connector.
All other options are incorrect.
For more information about the custom connector for the Azure AD protected Azure Function Web APIs, please visit the below URLs:
To protect the Azure Function using Azure AD authentication and create a custom connector, the following three steps must be taken before creating the custom connector:
- Register an app in Azure AD for Azure Function access: To register an app in Azure AD, you must have an Azure account. Then, follow these steps:
- Sign in to the Azure portal.
- Select the Azure Active Directory service.
- Choose the "App registrations" option.
- Click on the "New registration" button.
- Fill out the required information and click on the "Register" button.
- Once the app registration is completed, note down the Application ID and Tenant ID.
- Create Azure AD Authentication for Azure Function: After registering the app in Azure AD, you can enable Azure AD authentication for the Azure Function:
- Go to the Azure Function App in the Azure portal.
- Select the "Authentication/Authorization" option under the "Platform features" section.
- Turn on the "App Service Authentication" toggle switch.
- Select the "Azure Active Directory" authentication provider.
- Enter the Application ID and Tenant ID that you noted down earlier.
- Save the configuration changes.
- Create Azure Function API definition: Once Azure AD authentication is enabled, you need to create an API definition for the Azure Function to define the endpoints that the custom connector can access:
- Go to the Azure Function App in the Azure portal.
- Select the "Functions" option.
- Click on the "New function" button.
- Select the "HTTP trigger" template and fill out the required information.
- In the "Function" code editor, click on the "Integration" tab.
- Choose the "API definition" option and click on the "Add" button.
- Enter the required information for the API definition, such as the name, URL path, and method.
- Save the API definition.
Note that the options B and D are not relevant to this specific scenario. Configuring Conditional Access is a useful security measure to control access to your organization's cloud apps based on various conditions, but it is not necessary for protecting an Azure Function with Azure AD authentication and creating a custom connector. Creating an Azure AD Service principal is not necessary either, as the app registration created in step 1 can be used to access the Azure Function.