How to use Exchange Online PowerShell on Azure Functions with Managed Identity

Last updated on August 12, 2024

In this article, we’ll connect to Exchange Online in a PowerShell script run by an Azure Function. The script will use the Function App’s managed identity for authenticating to and executing the commands on Exchange Online.

Table of Contents

  1. Enable the Function App’s Managed Identity
  2. Grant the required permissions
  3. Specify the required modules to load
  4. Set up the Function App configurations
  5. Add the script to the function app

Enable the Function App’s Managed Identity

Without further ado, let’s dive into the nitty-gritty.

  1. Open the Identity blade
  2. Change the system assigned managed identity Status to On.
  3. Click on Save and Yes when prompted
  4. Copy the Object ID that appears upon saving to, e.g., Notepad. You’ll need this later.

Grant the required permissions

We need to grant the Function App’s managed identity Exchange Administrator permissions. The permissions can be granted with the script below. Before executing the script, you need to do the following:

  • Install the Microsoft Graph SDK if you have not done so before. To do so, run the following PowerShell command as an administrator: Install-Module Microsoft.Graph -Scope CurrentUser
  • Set your tenant ID and the managed identity object ID you copied earlier as the script variable values.
The user executing the script needs to have either the Application administrator, Cloud application administrator or Global administrator role.
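
An added example, not the author's original script: one way to grant the permissions with the Microsoft Graph SDK and read them back for review. It assumes that, besides the Exchange Administrator directory role, the identity needs the Exchange.ManageAsApp application permission on the Office 365 Exchange Online service principal for app-only access; the two placeholder values are yours to fill in.

```powershell
# Added example. Replace the two placeholders with your own values.
$tenantId = '<your-tenant-id>'
$managedIdentityObjectId = '<object-id-from-the-identity-blade>'

Connect-MgGraph -TenantId $tenantId -Scopes @(
    'Application.Read.All'
    'AppRoleAssignment.ReadWrite.All'
    'RoleManagement.ReadWrite.Directory'
)

# Office 365 Exchange Online service principal (well-known first-party AppId).
$exo = Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"
if (-not $exo) { throw 'Office 365 Exchange Online service principal not found in this tenant.' }

# Resolve the app role by name instead of hard-coding its GUID.
$appRole = $exo.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }
if (-not $appRole) { throw 'Exchange.ManageAsApp app role not found.' }

# 1. Application permission (skipped if already present, so reruns are safe).
$current = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -All
if (-not ($current | Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $exo.Id })) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId `
        -PrincipalId $managedIdentityObjectId -ResourceId $exo.Id -AppRoleId $appRole.Id | Out-Null
}

# 2. Exchange Administrator directory role at tenant-wide scope.
$roleDefinitionId = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Exchange Administrator'").Id
if (-not $roleDefinitionId) { throw 'Exchange Administrator role definition not found.' }
$roles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$managedIdentityObjectId'" -All
if (-not ($roles | Where-Object { $_.RoleDefinitionId -eq $roleDefinitionId })) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $managedIdentityObjectId `
        -RoleDefinitionId $roleDefinitionId -DirectoryScopeId '/' | Out-Null
}

# 3. Read back everything the identity now holds, so the grant can be reviewed.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -All |
    Select-Object ResourceDisplayName, AppRoleId
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$managedIdentityObjectId'" -All |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The read-back in step 3 lists every app role and directory role held by the identity, which makes it easy to spot grants left over from earlier experiments.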

Specify the required modules to load

We need to install the ExchangeOnlineManagement PowerShell module to our Azure Function App. That happens through the following steps.

  1. Open the Function App App files blade.
  2. Select requirements.psd1 from the dropdown.
  3. Because we are using the Azure Function App managed identity for authentication, we need to install the required Az.Accounts and Az.ManagedServiceIdentity modules. I recommend installing these two Azure PowerShell modules (and any other Az modules your script requires) explicitly instead of installing the entire Az module collection. The full collection takes a really long time to install and causes a lot of hassle when the dependencies are installed for the first time (namely, the function times out on a consumption plan).
  4. Below the uncommented Az module, add references for the latest versions of the ExchangeOnlineManagement, PowerShellGet, PackageManagement modules. The file should now look something like the one below.

  5. Remember to Save the changes.

Set up the Function App configurations

On your function app in Azure Portal, click on Configuration and add the following application setting.

Name   | Value                      | Description
Tenant | yourtenant.onmicrosoft.com | The prefix is the same as in your SharePoint URL.

Don’t forget to save your changes!

Add the script to the function app

Now, it is time to add a PowerShell script to our function that will authenticate to Exchange Online using the Function App managed identity.

  1. Open the Overview blade.
  2. Create a new function:
    • Leave Development environment to its default value (Develop in portal).
    • Select the type of trigger you want to use.
    • Give your function a descriptive name.
    • Configure the rest of the available settings (depending on the selected trigger type).
    • Click on Create.
  3. Click on Code + test in the navigation.
  4. Finally, add the following lines in your PowerShell script to implement authentication using the managed identity, and click on Save.
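
An added example, not the author's original code: a run.ps1 that connects with the managed identity, runs one read-only cmdlet as a smoke test, and always closes the session. It assumes a timer trigger (the $Timer parameter), the Tenant application setting configured above, and Get-AcceptedDomain as a harmless check that the permissions work.

```powershell
# run.ps1 (added example). $Timer is the binding name of an assumed timer trigger.
param($Timer)

# Turn non-terminating errors into exceptions so failures reach the catch block.
$ErrorActionPreference = 'Stop'

# The Tenant application setting is exposed to the script as an environment variable.
$organization = $env:Tenant
if ([string]::IsNullOrWhiteSpace($organization)) {
    throw "Application setting 'Tenant' is missing. Expected e.g. yourtenant.onmicrosoft.com."
}

try {
    # No secret or certificate is involved: the token comes from the
    # Function App's system-assigned managed identity.
    Connect-ExchangeOnline -ManagedIdentity -Organization $organization -ShowBanner:$false

    # Read-only smoke test. Replace with the Exchange Online commands you need.
    $domains = Get-AcceptedDomain | Select-Object -ExpandProperty DomainName
    Write-Information "Connected to $organization. Accepted domains: $($domains -join ', ')"
}
catch {
    # Log the reason and rethrow so the invocation is recorded as failed.
    Write-Warning "Exchange Online call failed: $($_.Exception.Message)"
    throw
}
finally {
    # Close the session even on failure so sessions do not pile up between runs.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```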

Now, I recommend that you trigger your function once. That will kick off the installation of the required modules we defined earlier. Based on my experience, this installation process is quite buggy and can sometimes take a really long time (even an hour or two) or even fail entirely. You can monitor the status on Kudu, which you can open via the Function App’s Advanced Tools blade. On Kudu, open the debug console and navigate to the data/ManagedDependencies directory. If you can see the module listed, then it has been installed. If the module doesn’t seem to get installed even after you have waited patiently for a long time, trigger your function again.

Afterword

I write these blog posts just as much for my own benefit as yours. Now, we have an article we can quickly browse through whenever we need to implement an Azure Function that authenticates to Exchange Online with a managed identity.

I hope you, my dear reader, also found this article helpful and got your function working. Happy coding, and until next time!

Laura



1 thought on “How to use Exchange Online PowerShell on Azure Functions with Managed Identity”

  • Hi Laura
    Thanks for this very nice tutorial.
    I’m totally new to Azure functions and trying to follow your steps.
    However, I’m stuck while running:
    $roleDefinitionId = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Exchange Administrator'").Id

    I’m getting this error:
    Get-MgRoleManagementDirectoryRoleDefinition_List: Method not found: ‘System.Net.Http.HttpClient Microsoft.Graph.PowerShell.Authentication.Helpers.HttpHelpers.GetGraphHttpClient(Microsoft.Graph.PowerShell.Authentication.IAuthContext)’.

    I’ve tried to debug with no luck.
    Uninstalled Microsoft Graph modules and reinstalled the latest (2.24.0) but still got the same error.

    Have you faced this? Any idea how to fix it?

    Thanks for your help

    Samuel
