After spending hours of research I am nothing more than absolutely confused. There was so much change ongoing all around Azure Functions, Azure Logic Apps, Graph and the authentication stuff around Azure AD that it is really hard to find the right resources.

What I want to achieve is quite simple:

  1. An Azure Logic App that is triggered when a new e-mail to a shared inbox is received.
  2. If these e-mails are meeting requests and they are marked as private or sent with status 'free', the meeting request should be automatically declined.
  3. A message is posted to a Slack channel.

Except for step number 2, everything is already working. Unfortunately no default connector provides any action to read more details about meeting requests, and no connector action is there to decline meeting requests. So the obvious way is to go with an Azure Function and do the stuff with the Microsoft Graph API.

So the point where I always fail is: how do I get a correct auth token in the Azure Function to access Microsoft Graph?

Since the logic app is executed non-interactively I cannot do any interactive login, and I do not want to hardcode any credentials in the code.

LaurinSt

1 Answer

1. Open MSI in function app

In your function app, navigate to Platform features, select Identity and switch Status to On. Click Save.

2. Permissions and roles for the Managed Service Identity

Give the service principal permission to get some directory data, like user information, from my Azure AD. The Azure AD commands shown in the screenshot add my service principal to the Azure AD directory role Directory Readers.

3. Get token

As you have turned on MSI in the Azure Function, you could go to https://***.scm.azurewebsites.net, click Environment and get the MSI_SECRET.

using System;
using System.Net.Http;
using System.Threading.Tasks;

// Calls the local MSI endpoint (MSI_ENDPOINT, authenticated with the MSI_SECRET header) to get a token for 'resource'.
public static async Task<HttpResponseMessage> GetToken(string resource, string apiversion)
{
    HttpClient client = new HttpClient();
    client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
    return await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion));
}

For more details, you could refer to this article and this one.

Joey Cai
  • Wow, thank you, that's a neat approach. One question: if I now need to process an e-mail in a user's inbox, what permissions do I need to set? Since with that approach I don't have an app registration, I cannot define scopes. How is this solved with MSI? – LaurinSt Jan 02 '19 at 07:52
  • You could assign an `Owner` role to your service principal. – Joey Cai Jan 02 '19 at 08:22
  • Owner role of what? Of an inbox? I don't want to make it domain admin or something similar. It just needs to be able to access a shared inbox. – LaurinSt Jan 02 '19 at 09:38
  • If **no constraint** is specified the app is limited to performing the operations on the resources owned by the signed-in user. For example, `Mail.Read` grants permission to read only mail in the mailbox of the signed-in user. You could refer to this [article](https://learn.microsoft.com/en-us/graph/permissions-reference) and this [SO thread](https://stackoverflow.com/questions/48013011/msi-permissions-for-graph-api). – Joey Cai Jan 03 '19 at 07:16
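As an added example (not code from the question or the answer), the same MSI token request as the C# `GetToken` above, written in Python, plus the decision logic for step 2 of the question. It assumes the `MSI_ENDPOINT` and `MSI_SECRET` variables the answer describes, and uses the Microsoft Graph `eventMessage` properties `meetingMessageType`, `sensitivity` and `event.showAs` to decide whether a meeting request is private or sent as 'free'; the `env` parameter exists only so the request building can be tested offline.

```python
import json
import os
import urllib.parse
import urllib.request

GRAPH_RESOURCE = "https://graph.microsoft.com"


def build_msi_request(resource, api_version, env=os.environ):
    """Return (url, headers) for the local MSI endpoint, mirroring the C# GetToken.
    The secret is read from the environment, so nothing is hardcoded in the code."""
    query = urllib.parse.urlencode({"resource": resource, "api-version": api_version})
    url = "{}/?{}".format(env["MSI_ENDPOINT"], query)
    # The Secret header proves to the local endpoint that the caller runs inside this app.
    return url, {"Secret": env["MSI_SECRET"]}


def bearer_header(token_json):
    """Turn the MSI endpoint's JSON reply (access_token, token_type, ...) into
    the Authorization header that Graph calls expect."""
    body = json.loads(token_json)
    return {"Authorization": "{} {}".format(body.get("token_type", "Bearer"), body["access_token"])}


def should_decline(event_message):
    """Step 2 of the question: decline meeting requests that are marked private
    or whose event is sent with showAs == 'free'. Other mail is left alone."""
    if event_message.get("meetingMessageType") != "meetingRequest":
        return False
    is_private = event_message.get("sensitivity") == "private"
    is_free = (event_message.get("event") or {}).get("showAs") == "free"
    return is_private or is_free


def fetch_graph_auth_header(api_version, env=os.environ):
    """Live path inside the function app: ask MSI for a Graph token and build the header."""
    url, headers = build_msi_request(GRAPH_RESOURCE, api_version, env)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return bearer_header(resp.read().decode("utf-8"))
```

The token response is short-lived, so cache it per invocation rather than per call; `should_decline` only needs the `eventMessage` fields and never sees the token.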