I\'m trying to write a simple Azure Function that calls the Microsoft Graph API. But I could not make the access_token work. Here is what I\'ve done:
There are two ways you can make this work when using Azure App Service Authentication / Authorization:
x-ms-token-aad-id-token
) for an MS Graph access token.The simplest approach which doesn't require any code changes is to do #1. I outline the process in my App Service Auth and the Azure AD Graph API blog post (which needs some updates), but I'll give you the Functions-optimized version for the Microsoft Graph here.
The main things you need to do are:
"additionalLoginParams"
from null
to ["resource=https://graph.microsoft.com"]
, and save the changes.After doing this and logging in again, the x-ms-token-aad-access-token
request header will always give you an access token that works with the Microsoft Graph.
The disadvantage of the above approach is that it doesn't help you if you need to access more than one AAD-protected resource from your function app. If that's a problem for you, then you'll need to use approach #2 above.
The header should contain the proper access-token (more details here): https://docs.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication
Here's another post which runs into the same error and may be of help: How do I create an auth token with the new microsoft graph api?
One possible workaround is to use the service principal authentication flow, where you enable the function app to call Graph API via AAD.
https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview#service-to-service-authentication
Azure Functions now supports native authentication for the Microsoft Graph. Docs are at https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-microsoft-graph
There's also a video at https://azure.microsoft.com/en-us/resources/videos/azure-friday-navigating-the-microsoft-graph-with-azure-functions-henderson/
For example, you can create an HttpTrigger function and add the following to function.json.
{
"type": "token",
"direction": "in",
"name": "graphToken",
"resource": "https://graph.microsoft.com",
"identity": "userFromRequest"
}
Then, you can query the Graph API on behalf of the user making the request. The access token is passed in as a parameter that you can add as a header to an HttpClient
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, string graphToken, TraceWriter log)
{
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", graphToken);
return await client.GetAsync("https://graph.microsoft.com/v1.0/me/");
}
You can also run functions with the ClientCredentials authentication mode, which means it runs as an app instead of in the context of a particular user.