Gabriel Piffaretti

Reputation: 832

Authenticate and Call SharePoint Online API from Azure Function

I want to trigger a custom action when a document/file gets added on SharePoint Online. The idea was to use Microsoft Flow, but as Flow doesn't allow you to work with the custom columns of the file added (just the title, date added, content type, etc.), I was thinking of calling the SharePoint API by hand, via an Azure Function. So the steps would be:

  1. A user adds a new document to a document library on SharePoint Online.

  2. A Microsoft Flow gets triggered after that document gets added.

  3. The Flow calls an Azure Function and passes the document id to it.

  4. The function authenticates to the Microsoft Graph API, and then requests the file with that id.

  5. The function gets the custom fields and then does something with the custom parameters of that file.

However, I've been trying a lot to authenticate, but it always requires me to put user and pass on an HTML. Of course, the Azure Function wouldn't be able to do that. How can I authenticate to the Microsoft Graph API easily? I'm stuck with that.

Any other alternative? As I said before, this is a workaround I've been thinking of because Microsoft Flow doesn't allow you to get the custom fields of a recently added/modified file, just the default ones... But what I just want to do is to manage those data when a new file is added. The solution doesn't necessarily need to use a Function or the Microsoft Graph API.

Thanks in advance.

Upvotes: 4

Views: 4700

Answers (3)

Tracy

Reputation: 670

What you are seeking is app-only authentication. If you can make your document queries/updates via the SharePoint REST API, then you have 2 options:

  1. Granting access via Azure AD App-Only
  2. Granting access using SharePoint App-Only (This is the same method indicated in @netadictos' answer above.)

If you prefer to make the document queries/updates with the MS Graph API, then only #1 is an option. #1 is a bit more involved, because it requires a client secret AND a self-signed security certificate. #2 will only require the app/client ID and secret.

The MSDN documentation linked above uses a PowerShell script to generate the security cert, but I prefer Bob German's instructions for manually creating/exporting one. He also includes instructions for registering an Azure AD application for your Azure function in his tutorial.

Upvotes: 1
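As an added example (not code from the question or from any of the answers), this sketches steps 4 and 5 of the question with app-only access to Microsoft Graph: the OAuth 2.0 client-credentials request, a token cache, and a list-item read that expands `fields`, which is where custom columns are returned. It assumes an Azure AD app registration with an application permission on the site and a client secret credential; `AppOnlyGraphClient`, `post_form` and `get_json` are hypothetical names, and the two HTTP helpers are injectable so the logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"

def post_form(url, form):
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)

def get_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class AppOnlyGraphClient:
    """Hypothetical helper: app-only Graph access with an in-memory token cache."""

    def __init__(self, tenant, client_id, client_secret,
                 post=post_form, get=get_json, clock=time.time):
        # In a Function, read the secret from app settings or Key Vault, not source.
        self.tenant, self.client_id, self._secret = tenant, client_id, client_secret
        self._post, self._get, self._clock = post, get, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Reuse the cached token until 60 s before it expires.
        if self._token is None or self._clock() >= self._expires_at - 60:
            body = self._post(TOKEN_URL.format(tenant=self.tenant), {
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self._secret,
                "scope": "https://graph.microsoft.com/.default",
            })
            if "access_token" not in body:
                raise PermissionError(body.get("error_description", "token request failed"))
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body.get("expires_in", 0))
        return self._token

    def item_fields(self, site_id, list_id, item_id):
        # The item id arrives from the Flow request: encode every segment so it
        # cannot add path components or query parameters to the Graph URL.
        seg = [urllib.parse.quote(str(s), safe=",") for s in (site_id, list_id, item_id)]
        url = "{}/sites/{}/lists/{}/items/{}?$expand=fields".format(GRAPH, *seg)
        item = self._get(url, {"Authorization": "Bearer " + self.token()})
        return item.get("fields", {})
```

Because the function holds a tenant credential and takes the item id from an HTTP caller, the narrowest application permission that still reads the target library keeps the impact of a leaked secret small.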

netadictos

Reputation: 7722

You could register the function or the Remote Web (Azure or on premise) as an app in your SharePoint, via URL: http://.sharepoint.com/_layouts/15/AppRegNew.aspx

And give it permissions via:

http://.sharepoint.com/_layouts/15/AppInv.aspx

For example:

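    <!-- AllowAppOnlyPolicy lets the app call SharePoint with no signed-in user -->
    <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
    </AppPermissionRequests>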

In this way you will be capable of accessing your tenant or list or whatever your permissions are.

Upvotes: 1

Mike S

Reputation: 3169

There's not a great way to do the authentication right now - we're working on support for this. The hard part is the AD authentication, which any solution will need to deal with. We're doing some things to make this easy with Functions.

What you can do for auth is get offline access that grants you access to a refresh token, and then use the refresh token to get your access token. One way to build this is on Azure Website's existing EasyAuth token store (https://cgillum.tech/2016/03/07/app-service-token-store/). Then you can log in once, save the refresh token in EasyAuth's token store, and the function can pull it from there per execution. That's the high level answer. I can elaborate on more specific steps if you're eager to do this now.

Upvotes: 1
