PowerApps – Secure your Azure Function and Custom Connector with Azure AD

In my previous blog, I explained how to create an Azure Function and consume it in PowerApps using custom connector but it was not secured (anonymous) and anyone can access this API using function URL. In this blog we will see how to secure Azure Function API and register PowerApps custom connector in Azure Active Directory.

Below steps will be covered as part of this blog:

• Secure Azure Function with Azure AD
• App Registration for Custom Connector
• Change Authentication Key parameters in Custom Connector

Step 1 – Secure Azure Function with Azure AD:

By default, when you create Function API, anonymous authentication is selected which means anyone can access your API. For most of business or enterprise application you want to secure your API with Azure Active Directory so that only users inside your organization can access this API. Let’s see how to achieve this.

• Select your Function App and click on Authentication/Authorization under Platform Features.

• Turn on App Service Authentication (It is turned off since anonymous authentication was selected), Select “Log in with Azure Active Directory” option for action and click on Azure Active Directory under providers.

• Select “Express” as management mode, you can select existing AD App or create a new one. I have selected for create new which will add new App registration under Azure AD. Click on OK.

• Click on Save. Once saved, go to Azure Active Directory and select App Registrations. You will see your Function App is registered with name you entered above. Make a note of Application ID as it will be used in PowerApps Custom Connector.

• Now when you browse your function URL in browser, you will be prompted for Azure AD credentials.

Step 2 – Create App Registration for Custom Connector:

Our API is authenticated, now for our custom connector to communicate with authenticated API, we need to create another app registration and delegate access to Function API. Let’s see how to achieve this.

• Go to Azure Active Directory, select App Registrations and click on New Application Registration
• Give it a name and Sign on URL. Click on Create

• Make a note of Application ID which will be used in PowerApps Custom Connector. Click on Settings and select Reply URLs. Replace existing URL with below URL and click on Save.

          https://msmanaged-na.consent.azure-apim.net/redirect

• Now we need to delegate access to Function API so that custom connector connects to it through Azure AD. Select Required Permissions under Settings. Click on Add and then Select an API. Search for your Function API which is “RetrieveGuid” in my case. Click on Select.

• In Select Permissions, check option for Delegate Permissions to grant access for Function API we just selected. Click on Select. Click on Done.

• Final step is to generate authentication key. Select Keys under Settings. Give a key name and choose duration for key expiry, I selected “Never Expires”. Click on Save. Once saved key value will be generated. Make a note of key value as it will be used in PowerApps Custom Connector.

Note: So far, we have noted down 3 parameters as below:

• Function App Application ID from Step 1
• Custom Connector Application ID from Step 2
• Authentication Key from Step 2

Step 3 – Change Authentication Key parameters in Custom Connector

We have our Function App registered in Azure AD. We have created new App registration for our custom connector. It’s time to update PowerApps custom connector for Azure AD authentication and update key values. Let’s see how to achieve this.

• Login to PowerApps web portal. Edit your custom connector under Data->Custom Connectors.

• Under security tab, click on Edit to change Authentication Type from No Authentication to OAuth 2.0. As soon as you select OAuth 2.0, it will ask you to provide values for few parameters. Provide value for below parameters as mentioned.
• Identity Provider – “Azure Active Directory”
• Client ID – Custom Connector Application ID from Step 2
• Client Secret – Authentication Key from Step 2
• Resource URL – Function App Application ID from Step 1

• Click on Update Connector on top which will generate Redirect URL. This Redirect URL we need to add in Custom Connector App Registration under Reply URLs. We will get error “The reply url specified in the request does not match the reply urls configured for this application” if we do not add Redirect URL. Refer my blog for more details.

• Go to Test tab to test Function API. We need to create a new connection since we have updated Authentication. This time while creating new connection, you will be prompted for credentials for your AD account. Once connected, click on Test Operation, you will see response from Function API as expected.