Friday 5 June 2020

Access Azure Functions from Logic App


In this article, I will describe the steps to access an Azure Function that is configured to not allow anonymous access from a Logic App, using Azure AD authentication.

Prerequisites:
  1. Azure Functions https://docs.microsoft.com/en-us/azure/azure-functions/
  2. Azure Logic App https://docs.microsoft.com/en-us/azure/logic-apps/
  3. App Registration https://docs.microsoft.com/en-us/azure/active-directory/develop/


Also make sure you have sufficient access (for example, "Contributor" rights on the Azure Resource Group and "Owner" rights at the resource level) to create all of the above Azure artifacts.
First, let us begin by creating the Azure Function.

Go to Azure Portal and create a resource. Select Azure Functions.


Create the Function App with all the necessary details from the drop-downs.

Select a Storage account in the same region, and choose the plan type appropriately based on usage/budget.


Finally validate the properties and create the Function App.



Add a function and choose a template (I chose the HTTP trigger, which runs when the function is called from any client application), then create the function.








Once you have created the sample application, navigate to the Azure Function -> "Code + Test".
The sample template below accepts a JSON request and sends a string response.


You can test it out by using "Test/Run" with the sample input below and clicking Run:

{
"name":"John"
}



The response you would receive is:




This can be tested even through the Postman.




Now, let's restrict the Azure Function to not allow anonymous users and try to access it through Postman.
Go to "Authentication / Authorization" under the Function App blade, then turn on "App Service Authentication" under the "Access Restrictions" section.


Also choose "Login with Azure Active Directory" under "Action to take when request is not authenticated", and finally Save.


This setting prevents the Azure Function from responding unless the request is authenticated through Azure Active Directory.
Postman will now return an error with code 401, as shown below.


Now this function can only be accessed through AD authentication. To authenticate, we must first register the application using App registration.


We can do this App registration directly by creating the Azure AD App via the Azure Function's "Authentication / Authorization" blade.
For that, choose the "Azure Active Directory" option in the "Authentication / Authorization" blade and create a new AD App by providing an appropriate App name in the Create App field, as shown below.

These options can be viewed under Express mode, as shown in the screenshot below.

Express mode allows you to create a new AD application or select an existing AD application in your current Active Directory.


However, I recommend creating the App Registration manually. If you are building an application for external users that will be distributed by Microsoft, you must register it as a first-party application to meet all security, privacy, and compliance policies.

Let us create the App Registration.

Go to App registrations and create the AD App.


Create a secret by choosing "Certificates & secrets" in the left pane of the App registration.


Copy the secret and keep it ready to use in the Logic App.


Also, copy the Client ID and Tenant ID and keep them ready to use in the Logic App later.


Now we have to choose the AD application in the Azure Function through which a user can access it.
Go to Azure Functions -> choose the Azure Function -> select "Authentication / Authorization" -> choose "Azure Active Directory" in the right pane.

Select the already created AD App "functionappaccess" by verifying the Client ID, and finally click "OK".





Then save the Authentication / Authorization configuration.

Now it is time to test authentication with the Secret, Client ID and Tenant ID in the Logic App.
Create a Logic App with either a Recurrence trigger or a manual HTTP trigger.
Then create an HTTP action with the Tenant ID, Client ID and the Secret.
Please note I have used ClientID for Audience.
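As an added example (not part of the original post), this is what the HTTP action above looks like in the Logic App's Code view: an ActiveDirectoryOAuth authentication block carrying the Tenant ID, Client ID and secret, with the Client ID reused as the Audience as described. The function app URL, tenant ID and client ID are placeholders, and keeping the secret in a securestring workflow parameter instead of pasting it into the definition is my assumption, not something the post does.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "FunctionClientSecret": { "type": "securestring" }
  },
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Hour", "interval": 1 }
    }
  },
  "actions": {
    "Call_protected_function": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "POST",
        "uri": "https://<function-app-name>.azurewebsites.net/api/<function-name>",
        "headers": { "Content-Type": "application/json" },
        "body": { "name": "John" },
        "authentication": {
          "type": "ActiveDirectoryOAuth",
          "authority": "https://login.microsoftonline.com",
          "tenant": "<tenant-id>",
          "clientId": "<client-id>",
          "secret": "@parameters('FunctionClientSecret')",
          "audience": "<client-id>"
        }
      }
    }
  },
  "outputs": {}
}
```

The secret never appears in run history this way, and rotating it in the app registration only requires updating the parameter value, not the workflow definition.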


Please give a try by running it manually.

Result: 



The Azure Function can also be reached using the Azure Functions action.
Add the Azure Functions action -> Function -> choose the action


Run it manually to test.
Result:




A similar approach can be taken to access Azure Web Apps using AD authentication.

Thanks for going through the article. Hope you enjoyed it!
Please leave your comments/queries in the comments section.

Thursday 4 June 2020

Access Azure Storage Blob from Logic App using Blob Connector


This article covers the steps to access Azure Blob Storage from a Logic App using the built-in Blob connector.

Prerequisites:

  1. Logic App in the same or a different region as the Blob Storage.
  2. Azure Storage Blob with public access set to "Private (no anonymous access)". This property can be modified even after the creation of the blob.
     For more information on Blob Storage, refer to: https://docs.microsoft.com/en-us/azure/storage/blobs/

Steps:

  1. As a first step, upload some test files into one of the containers for testing purposes (if you already have files ready, that is fine).
  2. Create a Logic App with a Recurrence trigger, or else you can choose a manual HTTP trigger.
  3. To get the content of a blob, we first list the blobs we have in the container.
  4. The output of the List Blobs action has the full list of blobs in an array, as shown below:
     "body": {
             "value": [
                 {
                     "Id": "JTJmdGVzdGNvbnRhaW5lciUyZjFfRnVsbC50eHQ=",
                     "Name": "1_Full.txt",
                     "DisplayName": "1_Full.txt",
                     "Path": "/testcontainer/1_Full.txt",
                     "LastModified": "2020-05-29T10:01:57Z",
                     "Size": 1464391,
                     "MediaType": "text/plain",
                     "IsFolder": false,
                     "ETag": "\"0x8D803B752FF5A97\"",
                     "FileLocator": "JTJmdGVzdGNvbnRhaW5lciUyZjFfRnVsbC50e",
                     "LastModifiedBy": null
                 },
                 {
                     "Id": "JTJmdGVzdGNvbnRhaW5lciUyZklQX0NhbGMudHh0",
                     "Name": "IP_Calc.txt",
                     "DisplayName": "IP_Calc.txt",
                     "Path": "/testcontainer/IP_Calc.txt",
                     "LastModified": "2020-05-29T08:40:55Z",
                     "Size": 321,
                     "MediaType": "text/plain",
                     "IsFolder": false,
                     "ETag": "\"0x8D803AC00D73E9B\"",
                     "FileLocator": "JTJmdGVzdGNvbnRhaW5lciUyZklQX0NhbGMudHh0",
                     "LastModifiedBy": null
                 }
             ]
         }
  5. Next, choose the "Create SAS URI by Path" action to generate a SAS URI for each blob. We have to use the Path element from the result of the previous "List Blobs" action.
  6. The SAS URI for each blob would then look like:
     "body": {
        }

     The SAS URI lets you specify the time span and the permissions allowed for access to a storage resource such as a blob or container.
  7. Now the output of the HTTP action has the content of the blob.

With the steps above we learned how to get the content of all the blobs in the container.
However, we can also get the blob content dynamically by passing the container name and the file name in Code view.

Note: The Azure Blob connector works whether the Logic App and the blob are in the same or different regions, provided there is no firewall in between.
Logic Apps can't directly access storage accounts behind firewalls when both are in the same region. As a workaround, put your Logic App in a region that differs from your storage account and give access to the outbound IP addresses for the managed connectors in your region.


Access Azure Blob using Managed Identity



This article covers the steps to access Azure Storage Blob from a Logic App using a Managed Identity.

Prerequisites:

  1. Logic App in the same or a different region as the Azure Blob Storage.
  2. Azure Storage Blob with public access set to "Private (no anonymous access)".
  3. This property can be modified even after the creation of the blob.

For more information on Blob Storage, refer to this link: https://docs.microsoft.com/en-us/azure/storage/blobs/

Before we create the Logic App, let me briefly explain Managed Identity.
Managed identities for Azure resources is a feature of Azure Active Directory (Azure AD). The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.


There are two types of managed identities:
  • A system-assigned managed identity is enabled directly on an Azure service instance.
    When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance.
    After the identity is created, the credentials are provisioned onto the instance.
    The life cycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

    In our case the instance is the Logic App.

  • A user-assigned managed identity is created as a standalone Azure resource.
    Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances.

    The life cycle of a user-assigned identity is managed separately from the life cycle of the Azure service instances to which it's assigned.
Enable system-assigned identity in the Azure portal

  1. In the Azure portal, open your logic app in Logic App Designer.
  2. On the logic app menu, under Settings, select Identity.
  3. Select System assigned > On > Save. When Azure prompts you to confirm, select Yes.


  4. Assign access for the Managed Identity to the blob using the Azure portal:
     a. Select Access control (IAM) > Role assignments, where you can review the current role assignments for that resource. On the toolbar, select Add > Add role assignment.

     b. Select the Role "Storage Blob Data Contributor", set "Assign access to" as "Azure AD user, group or service principal", and select the Logic App on which you enabled the system-assigned Managed Identity.


Now you will be able to see the Logic App with Storage Blob Data Contributor under the Role assignments blade.



Now let's design the Logic App to get the content of the blob.


  1. Create the Logic App resource either in the same region as the Blob Storage or in a different region.
  2. Choose the Recurrence template (or you can choose the Recurrence trigger).
  3. Then add the HTTP action. The HTTP action supports the system-assigned Managed Identity.
     The Blob connector may support the Managed Identity feature in the future; currently this feature is not delivered yet, so we use the HTTP action for now.
     In the HTTP action, choose:
        Method: GET
        URI: the blob URI (can be found in the properties of the blob). This can even be passed dynamically.
        Headers:
            x-ms-blob-type : BlockBlob (the kind of blob we are accessing)
            x-ms-version : 2019-02-02 (the latest supported API version)
        Authentication: Managed Identity
        Managed Identity: System Assigned Managed Identity
        Audience: https://storage.azure.com



Please give a run and test it.
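As an added example (not code from the original post), the same HTTP action in Code view: it reads a blob using the Logic App's system-assigned Managed Identity with the Audience https://storage.azure.com, and takes the container and blob names from a manual HTTP trigger body so the URI is built dynamically. The storage account name is a placeholder, and the trigger schema with its "container" and "blob" properties is my assumption.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "triggers": {
    "manual": {
      "type": "Request",
      "kind": "Http",
      "inputs": {
        "schema": {
          "type": "object",
          "properties": {
            "container": { "type": "string" },
            "blob": { "type": "string" }
          },
          "required": [ "container", "blob" ]
        }
      }
    }
  },
  "actions": {
    "Get_blob_content": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "GET",
        "uri": "https://<storage-account-name>.blob.core.windows.net/@{triggerBody()?['container']}/@{triggerBody()?['blob']}",
        "headers": {
          "x-ms-version": "2019-02-02",
          "x-ms-blob-type": "BlockBlob"
        },
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://storage.azure.com"
        }
      }
    }
  },
  "outputs": {}
}
```

No key or SAS token appears anywhere in the definition; if the role assignment from the previous section is missing, the action fails with a 403 rather than a 401, which is the quickest way to tell an authorization gap from an authentication one.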

           

You can also dynamically pass the blob file name as well as the container name and bind them in the HTTP URL.

This is all about accessing an Azure blob behind a firewall from a Logic App using the system-assigned identity.
Note: We can access the blob behind the firewall irrespective of the regions (whether the same or different).


Thanks for going through this article. Hope you enjoyed it!


Access Azure Blob using Logic App



In this article, let's explore how to automate the process of accessing blobs using Logic Apps.
The purpose of the blog is to demonstrate the challenges we currently face while accessing secured blobs and how to overcome them.

Azure Blob Storage offers three types of blobs: block blobs, append blobs, and page blobs.

Please find the kinds of blobs listed here.

In today's topic, I will give you an overall picture of the possible ways of accessing a blob from Azure Logic Apps.

There are several ways to access blobs; a few of them are:
  1. Using Azure Functions.
  2. Using REST APIs.
  3. .NET code or other programming languages.
  4. Logic Apps.

You can find more information in this article.

Let's begin with the possible ways we can connect to Azure Storage Blobs from Logic Apps under various security constraints.

This should give a clear picture of how to access an Azure blob from Logic Apps under various constraints.

Columns: Source(Logic App) | Connector/Action | Connectivity Status | Is it behind Firewall? | Destination(Storage-Blob) | Regions | Comments
(only the Regions and Comments columns are recoverable here)

Regions | Comments
--------+----------------------------------------------------------------------------------------------
Same    | Yes, possible with the Azure Blob connector. However, it is also possible with the HTTP action
        | with Managed Identity and other authorization methods. The steps to access the blob using the
        | Blob connector in a Logic App are explained in detail.
Cross   | Yes, possible with the Azure Blob connector. However, it is also possible with the HTTP action
        | with Managed Identity and other authorization methods. You can find more information on
        | accessing an Azure blob using the Blob connector here.
Same    | Yes, possible only with a SAS URI. Also possible when we use Managed Identity.
Cross   | Yes, possible only with a SAS URI. Also possible when we use Managed Identity.
Same    | Not possible even if we use both Managed Identity and IP whitelisting.
Cross   | If we whitelist the connector IP list in Blob.
Same    | Only through Managed Identity with "Blob Contributor" rights for the particular Logic App.
        | You can find more information on accessing an Azure blob using Managed Identity here.
Cross   | Only through Managed Identity with "Blob Contributor" rights for the particular Logic App.