Consuming Azure Functions securely in Dataverse

Introduction

Azure Functions with Dataverse provide a potent combination in terms of extending business logic and functionality. As a result, it has become the go-to solution for many scenarios.

While it can be straightforward to write or develop a new Azure Function and subsequently deploy your function quickly and easily using the many streamlined tools that Microsoft provides, security can often get overlooked or is only considered an afterthought.

This article will discuss an HTTP-triggered Azure Function and how to authenticate a call from Dataverse. However, first, let’s review what we get out of the box with Dataverse. 

Creating a new HTTP-triggered Azure Function gives us a function-level code as an authentication key. Dataverse supports extending by configuring a webhook that uses the authentication code to call it. For reference (Write an Azure Function that processes Dataverse events – Learn | Microsoft Docs

Since this is configured server-side, it may be okay in some scenarios, but what if we want to call this from the client- side? For example, we could add a button or onLoad call to trigger or invoke logic via the Azure Function that would trigger directly from a client-side application, such as a model-driven app in Dataverse or a customer web application. We wouldn’t want to expose the code or function key on the client side and be accessible or visible in the debugger tools. 

Further Reading: Simplify Your Azure Infrastructure With Azure Blueprints

Enter MSAL.Js

The Microsoft Authentication Library for JavaScript (MSAL.js) allows us to implement implicit or authorization code flow to authenticate the calling user and make a secure call to the Azure Function.

For this example, we will use authorization code flow.

Azure Function Setup

First, let us get our HTTP-triggered Azure Function ready.

This image shows HTTP-triggered Azure Function ready

I will publish this to Azure from Visual Studio, accepting the defaults.

After publishing,  I have added the Dataverse URL to the CORS exception for my Azure Function. 

Authentication

After publishing it to Azure, I will enable authentication on it. I have used express setup and accepted the defaults. As part of the app registration, it automatically exposes the API via a scope (user_impersonation). The scope will be used when creating the App Registration to represent a SPA (read Dataverse).

This image shows publishing it to Azure

Secure Your Azure Functions Integration with Managed Services

Ensure the security and efficiency of integrating Azure Functions into Dataverse with AlphaBOLD's Azure DevOps Managed Services. Our experts are ready to streamline your deployment and integration process.

Request a Consultation

App Registration For Dataverse:

We will create an App Registration with permission to call this Azure Function.

This image shows Azure Function

API Permissions

Here, we will add the dataversefuncapi user_impersonation scope under the API permissions.

this image shows Dataverse Function Client

MSAL.Js Configuration:

We will use MSAL.js 2.0 (microsoft-authentication-library-for-js/lib/msal-browser at dev · AzureAD/microsoft-authentication-library-for-js (github.com)). I have downloaded the meal-browser.min.js file from the CDN and uploaded it as a WebResource in Dataverse. As of July 2021, the latest version available is 2.15.0. 

Here is the MSAL.js configuration.

Further Reading: Resources Deployment By Azure Resource Manager

This image shows MSAL.Js Configuration

All the information shown above is extracted from the dataversefunc-client app registration. 

To configure this in Dataverse, I have added the function onLoad of the Account form:

this image shows Dataverse

Now, if I go to my account form, it will automatically authenticate the logged-in user. In this case, it is my user, and it will get the token and call the Azure Function securely. 

Further Reading: Retrieving Records From Dynamics 365 Using Azure Function In Visual Studio

Transform Your Application Deployment with Managed Azure DevOps Services

Transform your approach to deploying and securing Azure Functions in Dataverse with the support of AlphaBOLD's Azure DevOps Managed Services.

Request a Consultation
This image shows the call the Azure Function securely
This image shows token and call the Azure Function securely

Conclusion

With a few clicks and configuration, we just saw how easy it is to secure an HTTP-triggered Azure Function and consume it securely from Dataverse. Don’t hesitate to contact us if you have any questions, queries, or insights! We will be happy to help!

Explore Recent Blog Posts