How to use Security & Compliance PowerShell with application permissions on Azure Functions

Last updated on November 24, 2023

Recently, I implemented a workspace provisioning solution for an organization that applies Data Loss Prevention (DLP) policies on their Microsoft 365 workspaces. The policies prevent the users from adding sensitive information inside the workspaces.

Even though processing sensitive information was to be blocked in most workspaces, sometimes a need arises to handle sensitive information in a workspace. Through the custom workspace provisioning solution, we wanted to offer the organization’s employees the ability to order a workspace where the processing of sensitive information was allowed.

In practice, this meant adding the workspace as an exception to the DLP policy. I discovered that doing this programmatically could be accomplished via the Security & Compliance PowerShell. Hence, I embarked on a journey to figure out how to authenticate to the Security & Compliance PowerShell in an Azure Function with application permissions.

Currently, the Security & Compliance PowerShell module does not support authentication with Azure Managed Identities. However, the module supports authentication with a certificate! So, let me tell you what kind of configurations I needed to perform to make it happen.

Table of Contents

  1. Create the Azure Function App
  2. Specify the required modules to load
  3. Enable the Function App’s Managed Identity
  4. Create a self-signed certificate
  5. Create and configure a Microsoft Entra ID application registration
  6. Grant the required roles for the application
  7. Create and configure an Azure Key Vault
  8. Add the certificate to the vault
  9. Finalize the Function App configurations
  10. Add the script to the function app

Create the Azure Function App

Let’s start by going to Azure Portal and creating a resource group and a function app. I assume you have an Azure subscription set up at this point (hence, I won’t give you instructions for creating one).

First, let’s create the resource group.

  1. Create a new resource group in your subscription with a descriptive name (adhere to your company’s naming conventions) and a region near you.
  2. You can optionally add tags. Otherwise, click Review + create.

After the resource group has been deployed, navigate to it and click the big blue Create a resource button.

  1. Search for Function App on the Marketplace. When you find it, click on Create.
  2. Ensure the correct subscription and the resource group you created earlier are selected.
  3. Give your function app a name (according to your organization’s naming conventions). This will also function as the URL prefix.
  4. Choose to publish your solution as Code.
  5. Select PowerShell Core as the runtime stack and the latest version.
  6. Change the Region to match the region of the resource group.
  7. Leave the Operating system set to Windows.
  8. Leave the Plan type set to Consumption.
  9. Go to the Storage tab, click Create new, and rename the storage account according to your organization’s naming conventions.
  10. Go to the Monitoring tab, click Create new, and rename the application insights resource (and a new workspace) according to your organization’s naming conventions.
  11. You may optionally tag the resource. Otherwise, click Review + create.

Specify the required modules to load

We need to install the ExchangeOnlineManagement PowerShell module in our Azure Function App. That happens through the following steps.

  1. Open the Function App App files blade.
  2. Select requirements.psd1 from the dropdown.
  3. Add references for the latest versions of the ExchangeOnlineManagement, PowerShellGet, and PackageManagement modules. The file should now look something like the one below.
  4. Remember to Save the changes.
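The following requirements.psd1 is an added example of what the file looks like after step 3; it is not copied from the original post. The version numbers are placeholders (the wildcard tells the managed dependencies feature to pull the latest release of each major version), so adjust them to the versions you have validated.

```powershell
# requirements.psd1 - managed dependencies for the PowerShell function app.
# Each entry is 'ModuleName' = 'MajorVersion.*'; the Functions host installs the newest
# matching version into data/ManagedDependencies on the first run.
# Version numbers below are placeholders; check the PowerShell Gallery for current releases.
@{
    # Security & Compliance PowerShell (Connect-IPPSSession and the DLP cmdlets)
    'ExchangeOnlineManagement' = '3.*'
    # Needed so the module above can be resolved and installed from the PowerShell Gallery
    'PowerShellGet'            = '2.*'
    'PackageManagement'        = '1.*'
}
```

Leave the Az entry out entirely: if it stays, the host downloads the whole Az module set on every cold start even though this script never uses it.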

Our script does not use any Azure PowerShell modules, and we want to avoid installing them unnecessarily. The default profile.ps1, however, signs the function in to Azure with its managed identity using the Az module, which would now fail. Do the following to prevent that error.

  1. While remaining on the App files blade, select profile.ps1 from the dropdown.
  2. Comment out the four lines of code. After that, there should not be executable code present in the file.
  3. Remember to Save the changes.

Enable the Function App’s Managed Identity

In a moment, we’ll create the certificate required for authentication and store it securely in an Azure Key Vault. Our function app will need to be able to fetch the certificate from the vault, so we enable the function app’s managed identity by following the steps below.

  1. Open the Identity blade.
  2. Change the system assigned managed identity Status to On.
  3. Click on Save and Yes when prompted.

Create a self-signed certificate

A self-signed certificate is sufficient for authentication. You can create one by executing the script below (after you’ve adjusted the $commonName and $password variable values). The certificate files will appear in the same directory where you run the script.

Before running the script below, you must have two things installed:
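The script below is an added example of generating the certificate, not the script from the original post. It assumes Windows with the built-in PKI module (New-SelfSignedCertificate, Export-Certificate, Export-PfxCertificate); $commonName and $password are the placeholders you adjust, and the one-year validity is a choice made here.

```powershell
# Added example: create a self-signed certificate for app-only (certificate) authentication.
# Adjust these two values before running. The password protects the exported .pfx file.
$commonName = 'yourfunctionapp'              # placeholder: subject CN, e.g. your function app name
$password   = 'Replace-With-A-Strong-Password' # placeholder: PFX export password

# Create the key pair and certificate in the current user's personal store.
# RSA 2048 / SHA-256 and an exportable private key are required so the .pfx can be produced.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$commonName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)   # one-year validity (assumption; rotate before expiry)

$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force

# .cer = public key only; this is what you upload to the Entra ID app registration.
Export-Certificate -Cert $cert -FilePath (Join-Path $PWD "$commonName.cer") | Out-Null

# .pfx = certificate plus private key; this is what you import into Azure Key Vault.
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $PWD "$commonName.pfx") -Password $securePassword | Out-Null

# The private key now lives in the .pfx (and soon in Key Vault); remove it from the local store
# so the workstation does not keep a second copy.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"

Write-Host "Created $commonName.cer and $commonName.pfx (thumbprint $($cert.Thumbprint))"
```

Treat the .pfx file and its password like any other credential: once it has been imported into the vault, delete the local file.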

Create and configure a Microsoft Entra ID application registration

To authenticate, we must create a new application registration on Microsoft Entra ID.

  1. On Azure Portal, click on Microsoft Entra ID on the left-hand navigation. Then, select App registrations.
  2. Click on New registration.
  3. Name the app registration after your function app. Otherwise, you can leave the settings to their default values and click on Register.

After creating the application registration, we must configure it with the certificate and API permissions.

  1. In the application registration settings, while you are still on the Overview blade, copy the Application (client) ID to, e.g., Notepad. You’ll need it later!
  2. Then, go to the Certificates & secrets blade and open the Certificates tab.
    1. Click on Upload certificate.
    2. Select the .cer file we generated with the PowerShell script above. You may also optionally enter a description to explain what the certificate is for.
  3. Then click the API permissions blade and hit the Add a permission button.
    1. Go to the APIs my organization uses tab and search for Office 365 Exchange Online. Click on the search result.
    2. Select Application permissions and Exchange.ManageAsApp. Save the selection by clicking on Add permissions.
    3. Finally, an administrator must consent to the permissions by clicking the Grant admin consent button.

Now, all configurations are done on the app registration!

Grant the required roles for the application

In addition to the Exchange.ManageAsApp permission we granted earlier, our app must also be given the Compliance Administrator role.

  1. Using the search field at the top of Azure Portal, search for Microsoft Entra ID roles and administrators.
  2. Search for Compliance Administrator, and click on the search result.
  3. Click on Add assignments, then select the Entra ID application we created as the member. You can search for the application with its name or the client ID you copied from the application registration Overview blade earlier.
  4. On the Settings tab, ensure the assignment is set as Active and Permanently assigned, and provide a justification (e.g., Required for executing Security & Compliance PowerShell commands with application permissions).
  5. Confirm the assignment by clicking on Assign.

All the required permissions have been granted for our application, and we can head off to finalize the other authentication-related configurations.

Create and configure an Azure Key Vault

Azure Key Vault offers a secure place to store the certificate so that our function app can access it during runtime. On Azure Portal, go back to the root of the resource group. Then, click the button to create a new resource and search for Key Vault on the Marketplace. Then, create one with the following settings.

  1. Select the same subscription and resource group as before.
  2. Give the key vault a name according to your organization’s naming conventions.
  3. Select the same region as you’ve done before.
  4. Leave the pricing tier set to Standard.
  5. You may wish to enable purge protection.
  6. Again, you may tag the resource. Otherwise, click on Review + create.

Add the certificate to the vault

First, we need to permit ourselves to manage the certificates in the vault. In addition, our function app will require permission to fetch the certificate from the vault for authentication during runtime.

  1. Go to the Access control (IAM) blade, and click on Add role assignment.
  2. Grant yourself the Key Vault Certificates Officer role.
  3. Then, grant the Key Vault Secrets User role to your function app’s managed identity. With this permission, the function app can fetch the certificate from the vault.

After assigning the permissions, we are finally able to manage the certificates.

  1. Navigate to the Certificates blade.
  2. Click on the Generate/Import button at the top.
  3. Select Import from the Method of Certificate Creation dropdown.
  4. Give a descriptive name for the vault certificate.
  5. Upload the .pfx certificate file you generated earlier.
  6. Provide the same password as what you used when generating the certificate.

To reference the certificate in your function app, you’ll need its URL.

  1. Click on the certificate you just added to the key vault.
  2. Similarly, click on the current certificate version.
  3. Copy the Certificate Identifier (URL) to, e.g., Notepad. You can remove the version (GUID) from the end of the URL. This way, the latest version of the certificate will always be used. We’ll need this value in just a second!

Finalize the Function App configurations

Finally, go back to your function app in Azure Portal. Click on Configuration and add the following application settings.

Name: Tenant
Value: yourtenant.onmicrosoft.com
Description: The prefix is the same as in your SharePoint URL. This setting is needed for authentication.

Name: ClientId
Value: Your Entra ID app/client ID
Description: You copied this earlier from the app registration Overview blade. This setting is needed for authentication.

Name: Certificate
Value: @Microsoft.KeyVault(SecretUri=https://yourvaultname.vault.azure.net/certificates/yourcertname)
Description: This is called a key vault reference. It allows our function app to retrieve the certificate from the vault using its managed identity. You must paste the certificate identifier URL we copied as the SecretUri value. This setting is needed for authentication.

Name: WEBSITE_LOAD_USER_PROFILE
Value: 1
Description: This setting is required to ensure the function app can fetch the certificate from the key vault (needed for authentication).

Remember to Save your changes!

Add the script to the function app

It is time to add a PowerShell script to our function to authenticate to Security & Compliance PowerShell using certificate authentication.

  1. Open the Overview blade.
  2. Create a new function:
    • Leave the Development environment set to its default value (Develop in portal).
    • Select the type of trigger you want to use.
    • Give your function a descriptive name.
    • Configure the rest of the available settings (depending on the selected trigger type).
    • Click on Create.
  3. Click on Code + test in the navigation.
  4. Finally, add the following lines in your PowerShell script to implement authentication using the certificate, and click on Save.
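The run.ps1 below is an added example of the authentication step, not the script from the original post. It assumes an HTTP trigger, the Tenant, ClientId and Certificate application settings from the previous section, and that the key vault reference resolves to the base64-encoded PKCS#12 form of the certificate (which is how Key Vault exposes a certificate's private key as a secret). The siteUrl and policyName request fields are assumptions made here to show the DLP exception use case from the introduction.

```powershell
# Added example run.ps1 for an HTTP-triggered PowerShell function (assumes function-level auth key).
using namespace System.Net
using namespace System.Security.Cryptography.X509Certificates

param($Request, $TriggerMetadata)

function Get-AuthCertificate {
    # The Certificate app setting is a key vault reference; at runtime it contains the
    # base64-encoded PFX (no password) of the vault certificate, including the private key.
    $bytes = [Convert]::FromBase64String($env:Certificate)
    # Load it in memory without persisting to a user profile store.
    $flags = [X509KeyStorageFlags]::MachineKeySet -bor [X509KeyStorageFlags]::Exportable
    return [X509Certificate2]::new($bytes, [string]$null, $flags)
}

$status = [HttpStatusCode]::OK
$body   = $null

try {
    $cert = Get-AuthCertificate

    # Certificate-based (app-only) sign-in to Security & Compliance PowerShell.
    Connect-IPPSSession -Certificate $cert -AppId $env:ClientId -Organization $env:Tenant

    # Read-only check that the session works and can see the tenant's DLP policies.
    $policies = Get-DlpCompliancePolicy | Select-Object Name, Mode

    # Optional: add a SharePoint site as an exception to a named DLP policy.
    # Assumption: the caller passes "policyName" and "siteUrl" in the JSON request body.
    if ($Request.Body.policyName -and $Request.Body.siteUrl) {
        Set-DlpCompliancePolicy -Identity $Request.Body.policyName `
            -AddSharePointLocationException $Request.Body.siteUrl
        Write-Host "Added $($Request.Body.siteUrl) as an exception to $($Request.Body.policyName)"
    }

    $body = $policies | ConvertTo-Json -Depth 3
}
catch {
    Write-Error $_
    $status = [HttpStatusCode]::InternalServerError
    $body   = "Authentication or policy update failed: $($_.Exception.Message)"
}
finally {
    # Always tear the remote session down so the function does not leak sessions.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = $body
})
```

If you use a timer trigger instead, replace the param block with param($Timer) and drop the request-body handling; the certificate loading and Connect-IPPSSession call stay the same. The WEBSITE_LOAD_USER_PROFILE setting from the previous section is what lets the private key be loaded on the Windows Consumption plan.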

Now, trigger your function once via the Test/Run panel. That will kick off the installation of the required modules we defined earlier. You can monitor the installation status on Kudu, which you can open via the function app’s Advanced Tools blade. Open the debug console on Kudu and navigate to the data/ManagedDependencies directory. When you see all three modules listed, the installation has been completed successfully, and your function and its script are ready for use.

Afterword

I write these blog posts just as much for my benefit as yours. Now, we have an article we can quickly browse through whenever we need to implement an Azure Function App that uses the Security & Compliance PowerShell module with certificate authentication.

I hope you, my dear reader, also found this article helpful and got your function working. Happy coding, and until next time!

Laura

3 thoughts on “How to use Security & Compliance PowerShell with application permissions on Azure Functions”

  • Hi, love your blogs. This was super helpful to me in building out some automated functions to maintain Information Barriers. Unfortunately, this seems to have stopped working in the last week or so, though; the function errors out without any useful explanation following a successful connection. Any ideas?

  • This blog post indeed helps me understand how to work with Security & Compliance PowerShell on an Azure Function.
    You are my saviour!!!
