Azure Function Authentication: Protecting and Creating Custom Connectors | PL-400 Exam Preparation

Protect Azure Function with Azure AD Authentication and Create Custom Connector | PL-400 Exam Guide

Question

You create an Azure Function.

You want to protect the function using Azure AD authentication and create a custom connector.

Please select three steps that you need to take before creating the custom connector.

Answers

Explanations


A. B. C. D. E.

Correct Answers: A, C and E

A custom connector is a wrapper around a REST API.

You can create such a wrapper for Azure Functions, Azure Web Apps, Azure API apps, etc.

When you develop an application using one of these services, you need to describe the API's operations by creating the API definitions before exporting the application's APIs.

You also need to set the authentication type for your custom connector.

Suppose you want to create a custom connector and export the Azure Function Web APIs. You also want to protect access to the Azure Function with Azure AD authentication and use Azure AD authentication for the custom connector.

After you create an Azure Function, you can use one of two options on the Azure Function App blade under the Settings section: Authentication (Number 1) or Authentication (classic) (Number 2).

If you decide to use Authentication (classic), the Azure portal will ask you to convert to the current Identity Provider Authentication (Number 3).

You can select different providers on this screen, like Microsoft (including Azure AD identities) (Number 4), Facebook, Google, and Twitter.

[Screenshot: Azure portal, Function App CBFunctionAppAsAPI, Authentication blade. Authentication settings: Require authentication; unauthenticated requests: Return HTTP 401 Unauthorized; token store: Enabled. Identity provider: Microsoft (CBFunctionAppAsAPI). The Settings menu lists Authentication and Authentication (classic).]

This Identity Provider registration also registers your Azure Function as an app within Azure AD (Number 1) and defines the App Service settings (Number 2).

[Screenshot: Azure portal, App Services > CBFunctionAppAsAPI > Add an identity provider, Basics tab. Identity provider: Microsoft. App registration type: Create new app registration (other choices: pick an existing app registration in this directory, or provide the details of an existing app registration). Name: CBFunctionAppAsAPI. Supported account types: Current tenant - Single tenant. App Service authentication settings: Require authentication or Allow unauthenticated access; unauthenticated requests: HTTP 302 Found redirect (recommended for websites), HTTP 401 Unauthorized (recommended for APIs), or HTTP 403 Forbidden; Token store.]

Next, you need to register a new app, such as a Custom connector app, with Azure AD and give it access to your Azure Function.

[Screenshot: Azure portal, Home > CloudBreezy > CBFunctionAppAsAPI, API permissions blade. Configured permissions: CBFunctionAppAsAPI: user_impersonation (Delegated, "Access CBFunctionAppAsAPI"); Microsoft Graph: User.Read (Delegated, "Sign in and read user profile"). Actions: Add a permission, Grant admin consent for CloudBreezy.]

After that, you can create your API definition and create a custom connector.
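Once the connector app holds the delegated `user_impersonation` permission, the function can also enforce it in code rather than relying only on "Require authentication". The sketch below is an added example, not code from the original page: it assumes the platform passes the validated caller in a base64 JSON `X-MS-CLIENT-PRINCIPAL` header, and the claim type names, tenant ID and connector client ID are assumptions or constructed placeholders.

```python
import base64
import json

# Claim type names are assumptions; confirm them against a header from your own app.
SCOPE_TYPES = {"scp", "http://schemas.microsoft.com/identity/claims/scope"}
CLIENT_TYPES = {"appid", "azp"}
TENANT_TYPES = {"tid", "http://schemas.microsoft.com/identity/claims/tenantid"}

def decode_principal(header_value):
    """Decode the base64 JSON principal; return {} on missing or malformed input."""
    try:
        doc = json.loads(base64.b64decode(header_value, validate=True))
    except (ValueError, TypeError):
        return {}
    return doc if isinstance(doc, dict) else {}

def claim_values(principal, types):
    """Collect the string values of every claim whose type is in `types`."""
    claims = principal.get("claims")
    return [str(c.get("val", "")) for c in (claims if isinstance(claims, list) else [])
            if isinstance(c, dict) and c.get("typ") in types]

def authorize(header_value, tenant_id, connector_client_id,
              required_scope="user_impersonation"):
    """Return (allowed, reason) for a request the platform already authenticated."""
    principal = decode_principal(header_value)
    if not principal:
        return False, "missing or malformed principal"
    if tenant_id not in claim_values(principal, TENANT_TYPES):
        return False, "wrong tenant"
    if connector_client_id not in claim_values(principal, CLIENT_TYPES):
        return False, "unexpected client application"
    scopes = {s for v in claim_values(principal, SCOPE_TYPES) for s in v.split()}
    if required_scope not in scopes:
        return False, "scope not granted"
    return True, "ok"

def make_header(claims):
    """Build a constructed header value for the demo (not real token data)."""
    body = {"auth_typ": "aad", "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(body).encode()).decode()

TENANT = "00000000-0000-0000-0000-000000000001"     # constructed placeholder
CONNECTOR = "00000000-0000-0000-0000-000000000002"  # constructed placeholder
GOOD = make_header([("tid", TENANT), ("appid", CONNECTOR), ("scp", "user_impersonation")])
NO_SCOPE = make_header([("tid", TENANT), ("appid", CONNECTOR), ("scp", "User.Read")])
OTHER_APP = make_header([("tid", TENANT), ("appid", "unknown"), ("scp", "user_impersonation")])
```

Return HTTP 403 when `authorize` reports `False`; this check is only meaningful while the app requires authentication, so that the header comes from the platform and not from the caller.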

All other options are incorrect.

For more information about the custom connector for the Azure AD protected Azure Function Web APIs, please visit the below URLs:

To protect the Azure Function using Azure AD authentication and create a custom connector, the following three steps must be taken before creating the custom connector:

  1. Register an app in Azure AD for Azure Function access: To register an app in Azure AD, you must have an Azure account. Then, follow these steps:
     • Sign in to the Azure portal.
     • Select the Azure Active Directory service.
     • Choose the "App registrations" option.
     • Click on the "New registration" button.
     • Fill out the required information and click on the "Register" button.
     • Once the app registration is completed, note down the Application ID and Tenant ID.
  2. Create Azure AD Authentication for Azure Function: After registering the app in Azure AD, you can enable Azure AD authentication for the Azure Function:
     • Go to the Azure Function App in the Azure portal.
     • Select the "Authentication/Authorization" option under the "Platform features" section.
     • Turn on the "App Service Authentication" toggle switch.
     • Select the "Azure Active Directory" authentication provider.
     • Enter the Application ID and Tenant ID that you noted down earlier.
     • Save the configuration changes.
  3. Create Azure Function API definition: Once Azure AD authentication is enabled, you need to create an API definition for the Azure Function to define the endpoints that the custom connector can access:
     • Go to the Azure Function App in the Azure portal.
     • Select the "Functions" option.
     • Click on the "New function" button.
     • Select the "HTTP trigger" template and fill out the required information.
     • In the "Function" code editor, click on the "Integration" tab.
     • Choose the "API definition" option and click on the "Add" button.
     • Enter the required information for the API definition, such as the name, URL path, and method.
     • Save the API definition.

Note that the options B and D are not relevant to this specific scenario. Configuring Conditional Access is a useful security measure to control access to your organization's cloud apps based on various conditions, but it is not necessary for protecting an Azure Function with Azure AD authentication and creating a custom connector. Creating an Azure AD Service principal is not necessary either, as the app registration created in step 1 can be used to access the Azure Function.