Creating an Azure Function that generates Access Token for Microsoft Graph REST API

Atishubh Vaishnaw
6 min read, Jun 19, 2019


This article describes how to create an Azure Function that generates an access token for authenticating Microsoft Graph REST API requests. We will implement user-delegated authorization: once a user has signed in to Azure AD, they call our Azure Function API, which returns an access token. This token is sent in the "Authorization" header of MS Graph REST API calls and gives access to various Office 365 resources.

I will showcase the implementation with one of the MS Graph endpoints, which returns the lists of a SharePoint site, using the Postman tool:

https://graph.microsoft.com/v1.0/sites/{your-site-id}/lists

In simple words, if I try the above request in Postman (replace Vaishnaw.sharepoint.com with your SharePoint site), it tells me "Access token is empty", as shown below:

There are various methods for generating this token, but I will use an Azure Function to generate it.

1. From Azure Active Directory > App registrations, click on New registration to create a new Azure AD OAuth app.

2. Provide a name and the supported account types as per your need, then click "Register".

3. Once created, you will see the newly created app, similar to below:

Make a note of the Application (client) ID. Next we need to generate a client secret: on the same page, in the left menu, click "Certificates & secrets" and generate a new secret by clicking the "New client secret" button and providing a key name. Note down the secret in a secure location for future reference.

4. Navigate to "API permissions" in the left-hand menu and click the "Add a permission" button.

Click on “Microsoft Graph” as shown below.

Next, click on Delegated permissions as shown below.

As we will access SharePoint sites through MS Graph, select the options shown below under Sites in the API permissions list:

After selecting them, click the "Add permissions" button at the bottom.

5. As an administrator, you can grant consent on behalf of all users in this directory. Granting admin consent for all users means that end users will not be shown a consent screen when using the application. Click the "Grant admin consent" button as shown below:

6. Next, click "Authentication" in the left menu and enable the "Access tokens" and "ID tokens" checkboxes as shown below; the Redirect URI will be filled in during a forthcoming step. Click "Save" to finish the registration.

7. Click "Save" to save these changes.

8. Next, I have written an Azure Function API named "SPAccessTokenGenerator", shown below:

In the above code, I receive the authorization code after a successful login to Azure AD, then issue a POST request to https://login.microsoftonline.com/common/oauth2/token to receive an access token and a refresh token, with the parameters shown above. As access tokens are short-lived and expire quickly, I use the refresh token to obtain a new access token from the same endpoint. The parameters for those calls come from these settings in the local.settings.json file: SampleADAppClientId is the client ID of our Azure AD OAuth app, SampleADAppClientSecert is the client secret we generated in step 3, SampleADAppGraphRedirecturi is the URI to which our Azure AD OAuth app should redirect after authentication (for now we can use the same local Azure Function API endpoint), SampleADAppResourceId is https://graph.microsoft.com, and SampleADAppBaseUri is https://login.microsoftonline.com/common/oauth2/token, the endpoint from which we obtain our token.

Please note that before publishing to the production environment we need to change localhost to your Azure Function app URL. For debugging we keep it as localhost for now.
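The function itself is only shown as a screenshot above, so here is an added example of the same code-for-token exchange written as a Node.js Azure Function HTTP handler (my code, not the author's). It assumes the article's local.settings.json key names, a `send` parameter that stands in for the HTTP POST so the logic can be exercised without contacting Azure AD, and the fixed state value 12345 from the article's login URL.

```javascript
// Added example (not the article's function): the token exchange behind
// SPAccessTokenGenerator as a Node.js Azure Function HTTP handler. Setting
// names are the article's local.settings.json keys; `send` is an assumed hook.
function loadSettings(env = process.env) {
  return {
    clientId: env.SampleADAppClientId,
    clientSecret: env.SampleADAppClientSecert,
    redirectUri: env.SampleADAppGraphRedirecturi,
    resource: env.SampleADAppResourceId,    // https://graph.microsoft.com
    tokenEndpoint: env.SampleADAppBaseUri,  // .../common/oauth2/token
  };
}
// v1 token endpoint form body: authorization-code grant first, refresh-token grant later.
function buildTokenRequest(cfg, { code, refreshToken }) {
  const p = new URLSearchParams({ client_id: cfg.clientId,
    client_secret: cfg.clientSecret, resource: cfg.resource });
  if (refreshToken) {
    p.set("grant_type", "refresh_token");
    p.set("refresh_token", refreshToken);
  } else {
    p.set("grant_type", "authorization_code");
    p.set("code", code);
    p.set("redirect_uri", cfg.redirectUri); // must match the registered URI
  }
  return { url: cfg.tokenEndpoint, body: p.toString() };
}
// AAD reports failures as error/error_description instead of a token.
function parseTokenResponse(json, nowSec = Math.floor(Date.now() / 1000)) {
  if (!json.access_token) throw new Error(json.error_description || "no access_token");
  return { accessToken: json.access_token, refreshToken: json.refresh_token,
    expiresAt: nowSec + Number(json.expires_in || 0) }; // refresh before this
}
async function postForm(url, body) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  return (await fetch(url, { method: "POST", headers, body })).json();
}
// HTTP trigger: AAD redirects the browser here with ?code=...&state=...
async function spAccessTokenGenerator(context, req, send = postForm) {
  const { code, state } = req.query || {};
  // The article's login URL sends a fixed state=12345; bind it to the session in production.
  if (!code || state !== "12345") return { status: 400, body: "bad code/state" };
  const { url, body } = buildTokenRequest(loadSettings(), { code });
  try {
    const token = parseTokenResponse(await send(url, body));
    context.log(`access token acquired, expires at ${token.expiresAt}`);
    return { status: 200, headers: { "Content-Type": "application/json" }, body: token };
  } catch (e) {
    return { status: 502, body: `token exchange failed: ${e.message}` };
  }
}
```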

9. Next, in the Azure portal, go back to your registered Azure AD app and configure the Redirect URI as shown below; after successful authentication on our AAD login page, the AAD identity provider will redirect to our SPAccessTokenGenerator Azure Function. Click "Save" to save your changes.

Publish the newly created function to Azure so that it becomes publicly available. Next we create a sample Login.html file to invoke our login functionality; below is a sample I created for reference.

Please note that on the login button click I invoke the AAD login with the code below; after successful authentication this returns the authorization code, which I pass as a parameter to our SPAccessTokenGenerator function. Here is the URL I use for invoking it:

window.open('https://login.microsoftonline.com/vaishnaw.onmicrosoft.com/oauth2/authorize?client_id=53a9a189-123e-4490-9f06-7b2a6f191b68&response_type=code&redirect_uri=http://localhost:7071/api/SPAccessTokenGenerator&scope=openid&state=12345&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA', null, 'width=600,height=400')

Replace the client ID with your Azure AD app's client ID. For debugging locally I have used localhost, with the port on which my application runs while debugging, as the redirect_uri. Next, open your Login.html in a browser as below and click the AZURE AD LOGIN button.

This will launch the login page; log in with your AAD credentials. Meanwhile, also run your Azure Function locally and set a breakpoint as shown below. After a successful login, this breakpoint will be hit and will provide the access token.

10. Copy the token and let's initiate a GET call in Postman to https://graph.microsoft.com/v1.0/sites/vaishnaw.sharepoint.com/lists; this call should return information about all lists under the "vaishnaw.sharepoint.com" site (use your own SharePoint site ID while testing). This time add an "Authorization" header to the request with the value "Bearer", a space, and the access token acquired in the previous step (see the image below for reference).

This time you will see that the request is successful and returns all lists under the site, as shown.

We can use the same token for other MS Graph API SharePoint calls as well.

Happy Coding😊
