Configuring Microsoft Graph bindings for Azure Functions with B2C

Tsuyoshi Ushio
Feb 17, 2018 · 4 min read

I had a hackfest with a customer last week. I really enjoyed. We use Microsoft Graph bindings with Durable Functions. We successfully fetch a token from the bindings. I’d like to share how to do it.

On this hackfest, we wanted to access Graph API for Azure Active Directory B2C. The code is very easy. However, the configuration was a little bit confusing for me.

Create an App Registration with proper user

App Registration Relationship

If you want to use Graph bindings for fetching a token for B2C Graph API, you need to create an App Registration. But it should be created by someone who is in the Azure AD B2C directory.

For example, I usually login Azure by ushio@mydomain.com. I create an Azure AD B2C with a tenant named “someorganization.onmicrosoft.com”. I can switch directory between MyDomain and SomeOrganization. However, you can’t create App Registration. You are the Azure AD user. Not Azure AD B2C user. You need to create a new user for the Azure AD B2C on the “someorgranizaiton.onmicrosoft.com” tenant. Then logout the Azure and login with the new Azure B2C user (in this example, chirs@someorganization.onmicrosoft.com) then you need to create the App Registration by the chirs account . If you create it by ushio@mydomain.com, the App Registration doesn’t work for this use case.

Create a new B2C user

Create a new admin account. Go to Azure Active Directory > Users > All users > New user. You need to create a user as admin. Then Login Azure using the new user.

Create a new user with admin

Creating App Registration by the B2C user

Login as a B2C user (on the example, chirs account) on Azure. Go to Azure Active Directory > App registrations > New application registration

Create an App Registration by the B2C user

Coin it and Choose “Web app / API” for application type. Sign-on URL is not used for this scenario. You can specify any url.

Create a new app registrations

Choose the App Registration then go Settings > Required permissions > Windows Azure Active Directory

Select “Windows Azure Active Directory” permission

I want to read Graph API of B2C. Enable Read directory data then Save, then Grant Permission. It give the permission to the App Registration.

Grant permissions to the App Registration

Get the Application ID and Password

You need to create a key on the App Registration page. Go to Settings > Keys and create a key (password). Then get the Application ID

ApplicationID and Key

Configure Function App

Then configure the Function App to fetch the token for the Graph API of B2C. Re-login at the original user to Azure and create a function app. Then Go to Authentication / Authorization on the Platform features

Authentication / Authorization settings

Then Click Azure Active Directory

Azure Active Directory

Then set the App Registration values. Client ID = Application ID. Client Secret = Key. Issuer Url is https://sts.windows.net/{YOUR_TENANT_ID_OF_B2C}

You can also get the Issuer Url from this url.

https://login.microsoftonline.com/{YOUR_B2C_ORGANIZATION}/.well-known/openid-configuration

for example, my demo organization is like this.

https://login.microsoftonline.com/someorganication.onmicrosoft.com/.well-known/openid-configuration

Then you can find the “issuer” attribute.

Active Directory Authentication (Advanced)

Done the settings.

Writing an Azure Functions using Graph Bindings

Binding code is quite easy, all you need to do is define the Token. This is the binding part to fetch the token.

public static async Task<IActionResult> RunAsync([HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)]HttpRequest req,            
[Token(Identity = TokenIdentityMode.ClientCredentials, Resource = "https://graph.windows.net")]string token,
TraceWriter log)

Then call the Graph API using the token.

request.RequestUri = new System.Uri("https://graph.windows.net/someorganication.onmicrosoft.com/users?api-version=1.6");            request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);            var client = await httpClient.SendAsync(request);

This is the whole code.

Resource

Special Thanks

Thank you for the hackfest team mate. Especially, Naohiro Fujie for teaching me about the B2C settings and Chris Gillum for the writing bindings.

I enjoy hacking with you guys. Let’s have another one.

The hackfest team

Tsuyoshi Ushio

Written by

Software Development Engineer — Microsoft

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade