Winsmarts.com

Random tech bits

Managed Identity as a Daemon accessing Microsoft Graph

Sahil Malik
Published in Winsmarts.com
5 min read · Mar 30, 2020

Managed identities are awesome. They give you the best of both worlds — all the benefits of an identity, with none of the credential management headache.

A very common thing we end up doing is writing headless processes, or daemons, that need to authenticate with AAD. They may call a custom Web API with an access token or call an API such as Microsoft Graph.

Usually, you’d use something like the client credentials flow to achieve this. The client credentials flow works great, but you have to manage the credentials, which are usually a client ID plus a secret or certificate.

But, if you are running the headless process in Azure, you can simply give it a managed identity, and never worry about credentials.

Here is how to do it!

In this blog post, I will show how you can use an Azure Function running on a timer trigger to authenticate with AAD and call Microsoft Graph. Note that:

  1. This approach will work with any resource that supports managed identity
  2. This approach will work with any API, not just MS Graph

And while I am going to show this using a user-assigned managed identity, you can also use these steps with a system-assigned managed identity.

There are 5 main steps:

  1. Create the function app in Azure
  2. Create a user-assigned managed identity
  3. Assign the managed identity to the function app
  4. Grant the managed identity permissions to call Microsoft Graph
  5. Author the function that runs on a timer, gets an access token, and calls Microsoft Graph

Create the function app in Azure

This part is easy :-). Just go to the Azure Portal and create a new function app. I’m showing this using Node.js 12, but the equivalent concepts work on .NET etc. (basically everything that Functions supports). My function app is “sahiltimerapp”.

Create a user-assigned managed identity

This is also pretty simple: just create it from the Azure Portal (or Azure CLI, PowerShell, or Graph).
