Calling Microsoft Graph API from inside Azure Functions

Question

I\'m trying to write a simple Azure Function that calls the Microsoft Graph API. But I could not make the access_token work. Here is what I\'ve done:

1. Created a

Answer 1

There are two ways you can make this work when using Azure App Service Authentication / Authorization:

1. Assign a default resource in your function app's AAD configuration.
2. Use the AAD on-behalf-of flow to exchange your ID token (x-ms-token-aad-id-token) for an MS Graph access token.

The simplest approach which doesn't require any code changes is to do #1. I outline the process in my App Service Auth and the Azure AD Graph API blog post (which needs some updates), but I'll give you the Functions-optimized version for the Microsoft Graph here.

The main things you need to do are:

1. Ensure your AAD settings include a client-secret (you already have this).
2. Ensure your AAD settings have the permissions to access the Microsoft Graph (you have already done this).
3. Open your function app in Resource Explorer (use the link in the portal under Platform Settings), navigate to config/authsettings on the left-hand panel, change "additionalLoginParams" from null to ["resource=https://graph.microsoft.com"], and save the changes.

After doing this and logging in again, the x-ms-token-aad-access-token request header will always give you an access token that works with the Microsoft Graph.

The disadvantage of the above approach is that it doesn't help you if you need to access more than one AAD-protected resource from your function app. If that's a problem for you, then you'll need to use approach #2 above.

Answer 2

The header should contain the proper access-token (more details here): https://docs.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication

Here's another post which runs into the same error and may be of help: How do I create an auth token with the new microsoft graph api?

One possible workaround is to use the service principal authentication flow, where you enable the function app to call Graph API via AAD.

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview#service-to-service-authentication

Answer 3

Azure Functions now supports native authentication for the Microsoft Graph. Docs are at https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-microsoft-graph

There's also a video at https://azure.microsoft.com/en-us/resources/videos/azure-friday-navigating-the-microsoft-graph-with-azure-functions-henderson/

For example, you can create an HttpTrigger function and add the following to function.json.

{
   "type": "token",
   "direction": "in",
   "name": "graphToken",
   "resource": "https://graph.microsoft.com",
   "identity": "userFromRequest"
}

Then, you can query the Graph API on behalf of the user making the request. The access token is passed in as a parameter that you can add as a header to an HttpClient

using System.Net; 
using System.Net.Http; 
using System.Net.Http.Headers; 

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, string graphToken, TraceWriter log)
{
    HttpClient client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", graphToken);
    return await client.GetAsync("https://graph.microsoft.com/v1.0/me/");
}

You can also run functions with the ClientCredentials authentication mode, which means it runs as an app instead of in the context of a particular user.