rajyraman/PowerApps-Managed-Identity-Demo-Functions

Open in GitHub Codespaces Open in Dev Containers Provision and Deploy

Connect to Dataverse from Azure Functions using Managed Identity

This is a sample repo to demonstrate how to use an Azure Functions System Assigned Managed Identity to connect to the Power Apps Web API without any password, secret or certificate.

Blog Post: https://dreamingincrm.com/2021/11/16/connecting-to-dataverse-from-function-app-using-managed-identity/

⚠ This repo was updated Aug-2023, so the content in the blog post does not exactly line up with what is currently in the repo. The repo shows the latest and greatest as of Sep 2023.

This is a sample repo that shows how to use Bicep to create a Function App and how to use the Function App's System Assigned Managed Identity to connect to Dataverse. This application uses the Azure Developer CLI (azd) to deploy all the resources.

Prerequisites

The following prerequisites are required to use this application. Please ensure that you have them all installed locally.

If you don't want to install these tools locally, you can run the whole repo locally using Dev Containers by clicking the Dev Containers button, or entirely in the browser by clicking the GitHub Codespaces button at the top.

Deploying

The easiest option is to run this single command using Azure Developer CLI.

azd up

This command will deploy the required resources and the Function App's application code as well.

You can also run provisioning first using

azd provision

followed by the Function App's application code deployment using

azd deploy

All the resources in Azure can be easily cleaned up using

azd down

For the full list of commands, refer to the azd docs.

The Function App can be deployed in 1 of 3 possible configurations.

  1. Azure Functions in Consumption Plan - This does not have any VNet or Storage level network isolation features. If you are just interested in testing out how Functions connects to Dataverse as a Managed Identity, start here.
  2. Azure Function in Elastic Premium with only Service Endpoints and VNet - The Storage Account is isolated to the VNet, and Azure Functions traffic to the Storage Account goes via the VNet using the public Internet. This is the entry-level security in terms of internal network traffic. This is controlled by the createVNet parameter in main.bicep.
  3. Azure Function in Elastic Premium with Private Endpoints - The Storage Account is isolated to the VNet. The Function App communicates with the Storage Account using the VNet over a Private Link connection. Traffic in Private Link goes through the Microsoft backbone, not via the public internet. Traffic to the Function App, i.e. people invoking the Functions via HTTP, is still over the public internet. This is controlled by the createPrivateLink parameter.

This repo has azd posthooks set up, so the newly provisioned Function App will be automatically added as an Application User with the System Administrator role using pac admin assign-user.
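The passwordless exchange this setup enables, written out as an added Python example (not this repo's own Function code): the app asks the platform's local identity endpoint for a token scoped to the Dataverse environment, then calls WhoAmI with it. DATAVERSE_URL is a hypothetical setting name, and the `get` parameter is an assumption added so the transport can be swapped out.

```python
import json
import os
import urllib.parse
import urllib.request

API_VERSION = "2019-08-01"  # App Service / Functions managed identity endpoint version


def http_get(url, headers):
    """Default transport: GET the URL and return the parsed JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def token_request(org_url, env):
    """Build the local token request; the platform injects both variables."""
    endpoint, header = env.get("IDENTITY_ENDPOINT"), env.get("IDENTITY_HEADER")
    if not endpoint or not header:
        raise RuntimeError("no managed identity endpoint: not running in a Function App?")
    query = urllib.parse.urlencode(
        {"resource": org_url.rstrip("/"), "api-version": API_VERSION})
    return f"{endpoint}?{query}", {"X-IDENTITY-HEADER": header}


def who_am_i(org_url, env=os.environ, get=http_get):
    """Get a token as the Function App's identity, then call Dataverse WhoAmI."""
    if not org_url.lower().startswith("https://"):
        raise ValueError("Dataverse URL must be https so the bearer token is never sent in clear")
    url, headers = token_request(org_url, env)
    token = get(url, headers)["access_token"]  # short-lived; nothing is stored in app settings
    return get(
        org_url.rstrip("/") + "/api/data/v9.2/WhoAmI",
        {"Authorization": f"Bearer {token}", "Accept": "application/json",
         "OData-MaxVersion": "4.0", "OData-Version": "4.0"},
    )


if __name__ == "__main__":
    # DATAVERSE_URL is a hypothetical setting, e.g. https://contoso.crm.dynamics.com
    print(who_am_i(os.environ["DATAVERSE_URL"]))
```

The UserId in the WhoAmI response is the Application User the call ran as, which confirms that the Function is authenticating with its managed identity rather than a stored credential.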

Architecture
