Azure Function's Identity to Read/Write to SharePoint Online
We have an Azure Function that runs on a scheduled basis, and we have enabled its managed identity. Using this identity, we’ve successfully integrated the function with both Azure SQL Database and Azure Key Vault by assigning the necessary permissions.
We are now looking to integrate the same Azure Function with SharePoint Online, to enable read and write operations to specific site. Is it possible to assign the Azure Function’s managed identity access to SharePoint, similar to how we did with Azure SQL and Key Vault? Or I need to create a separate app registration and use its clientID, TenantId & secret to be able to access SharePoint from Azure Fucntion?
You can refer to MSDOC to grant access the Sharepoint access to Function app's managed identity.
Workaround 1
Navigate to function app => enable "System Managed" identity and make a note of the Principal ID:
Use below Azure CLI commands to grant the function app's managed identity the app-only permission
Sites.Selectedon the SharePoint API:managedIdentityObjectId="<Principal_ID>" # principal ID of the managed identity resourceServicePrincipalId=$(az ad sp list --query '[].[id]' --filter "displayName eq 'Office 365 SharePoint Online'" -o tsv) resourceServicePrincipalAppRoleId="$(az ad sp show --id $resourceServicePrincipalId --query "appRoles[?starts_with(value, 'Sites.Selected')].[id]" -o tsv)" az rest --method POST --uri "https://graph.microsoft.com/v1.0/servicePrincipals/${managedIdentityObjectId}/appRoleAssignments" --headers 'Content-Type=application/json' --body "{ 'principalId': '${managedIdentityObjectId}', 'resourceId': '${resourceServicePrincipalId}', 'appRoleId': '${resourceServicePrincipalAppRoleId}' }"
Workaround 2
Create an Azure AD App Registration for the function app's Managed Identity and grant the necessary permissions to that app in SharePoint Online.
Thanks for the insights @Sedat SALMAN.
- Create a new App Registration => note the Client ID and Tenant ID
- Go to SharePoint Online => Site permissions => Advanced permissions settings => Assign necessary permissions => Select Users => add
Client_id@Tenant_id. - Open Azure function app => update the configuration to use the App Registration's client ID and Tenant ID for SharePoint Online Authentication.
- Use SharePoint Online REST API or Microsoft Graph API to access SharePoint Online resources by authenticating with the App Registration's credentials.
- QuestPDF doesn't render text in Azure Functions
- Checkout Submodules in another Project in Azure DevOps Repository
- How do I enable my Azure pipeline to checkout a submodule using Git?
- Azure Stream Analytics outputs an int64 as an int32
- Spark MergeSchema on parquet columns
- AADSTS900971: No reply address provided. on SPA with http://localhost as redirect_uri
- When to use EventGrid and when to use ServiceBus / Storage Queue?
- Which IPs to allow in Azure for Github Actions?
- Can I use Azure api management for gRPC communication?
- How to register Custom Events in Application Insights by using OpenTelemetry .NET
- Azure Pipeline MS-hosted mac agent: CopyFiles Task takes a very long time
- How to read S/MIME mails and their attachments
- Azure DevOps Dashboard Widget fails with "ERR_BLOCKED_BY_LOCAL_NETWORK_ACCESS_CHECKS" in Edge 143+ (works in Firefox)
- Difference between Azure ML and Azure ML experimentation
- Is it possible to change subnet in Azure AKS deployment?
- Sql Server JSON result separated in multiple rows
- Azure Keyvault references not working in Azure Static Web App?
- Signing a JWT for Azure - how can I set the kid in the header?
- How to use wkhtmltopdf and Azure Functions Python v2 together to convert HTML to PDF in 2024?
- Why Can’t I Reduce Cosmos DB Throughput After Scaling Up? (Physical Partitions / Minimum RU Limits)
- Azure Build pipeline not able to retrieve latest source version
- Azure application with ASP.NET Core app service with Entra authentication
- SSL certificate problem: unable to get local issuer certificate AZURE DEVOPS
- CosmosDb ExpressionVisitor (SubtreeEvaluator) fails on Azure, works on local machine
- Azure App Service environment variables are not available in container
- How to change AKS cluster networking from Kubenet to Azure CNI?
- Azure Container App - Container pull image failed with reason: ImagePullFailure. Revert by terminate
- Messages in Azure Message Queue are going Straight to the Poison Message Queue
- Change Environmet Variables at runtime (React, vite) with docker and nginx
- SQL Azure import slow, hangs, but local import takes 3 minutes