Azure, Open Source and ...

Securing Azure Functions calls to Dynamics 365 using Azure AD!

As we were developing our custom engagement bot for MTC, in order to be compliant with security policies we needed to make sure all the calls to our Dynamics 365 from our Azure Functions are secured by Azure AD for our team using the bot within organization on their phone or other devices.

Since we could not use a service account Pass-Through Auth was the way to go, while implementing the code for Azure Function I hit couple of road blocks which I ended up adding this as an issue on GitHub here as we couldnt get access to auth headers.

After some digging and try and error efforts I finally managed to write a code to get this working, so if you are planning to do something similar with Dynamics 365 here it goes:

  • Make sure to secure your Azure Function with Azure AD using your Org subscription
  • Register a custom App within your Azure AD and give permission to access Dynamics 365
  • Get Client ID and Secret for the new app
  • Adding required references:
    • Microsoft.IdentityModel
    • Microsoft.IdentityModel.Clients.ActiveDirectory
  • Next get access to right header in your Azure Function code and pass the user assertion value along with other parameter to your runTask function:
    public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
    // parse query parameter
     string accountName = req.GetQueryNameValuePairs()
     .FirstOrDefault(q => string.Compare(q.Key, "AccountName", true) == 0)
     string data = string.Empty; 
     IEnumerable<string> headerValues;
     var tokenId = string.Empty;
    if (req.Headers.TryGetValues("X-MS-TOKEN-AAD-ID-TOKEN", out headerValues))
     tokenId = headerValues.FirstOrDefault();
    log.Info("Results:" + tokenId); 
     UserAssertion userAssertion = new UserAssertion(tokenId); 
     // Get request body
     data = await runTask(accountName, userAssertion);
     return data == null
     ? req.CreateResponse(HttpStatusCode.BadRequest, "Please pass an Account Name on the query string or in the request body")
     : req.CreateResponse(HttpStatusCode.OK, "Results:" + data);
  • Next in your runTask function using the user assertion value to create the auth token:
    public static async Task<String> runTask(string accountName, UserAssertion userAssertion)
     string resource = ConfigurationManager.AppSettings["Resource"];
     string clientId = ConfigurationManager.AppSettings["ClientID"];
     string secret = ConfigurationManager.AppSettings["Secret"];
     string redirectUrl = ConfigurationManager.AppSettings["RedirectURL"];
     //Authentication parameters received from Resource Server
     AuthenticationParameters ap = AuthenticationParameters.CreateFromResourceUrlAsync(new Uri(resource + "/api/data/")).Result;
     // Authenticate the registered application with Azure Active Directory.
     ClientCredential credential = new ClientCredential(clientId,secret);
     AuthenticationContext authContext = new AuthenticationContext(ap.Authority, false);
     AuthenticationResult result = await authContext.AcquireTokenAsync(ap.Resource, credential, userAssertion);
     using (HttpClient httpClient = new HttpClient())
     httpClient.Timeout = new TimeSpan(0, 2, 0); // 2 minutes
     httpClient.DefaultRequestHeaders.Authorization =
     new AuthenticationHeaderValue("Bearer", result.AccessToken);
     httpClient.BaseAddress = new Uri(resource + "/api/data/v8.1/accounts?$select=name&$filter=name eq '" + accountName +"'");
     httpClient.Timeout = new TimeSpan(0, 2, 0);
     httpClient.DefaultRequestHeaders.Add("OData-MaxVersion", "4.0");
     httpClient.DefaultRequestHeaders.Add("OData-Version", "4.0");
     new MediaTypeWithQualityHeaderValue("application/json"));
     HttpResponseMessage response = await httpClient.GetAsync(httpClient.BaseAddress);
     Stream rStream= await response.Content.ReadAsStreamAsync();
     StreamReader reader = new StreamReader(rStream);
     return reader.ReadToEnd(); 
      catch (HttpRequestException e)
      throw new Exception("An HTTP request exception occurred.", e);