Calling Azure AD protected Azure Functions using a Custom Connector
We now have a step-by-step tutorial to help you Create a Custom Connector for Azure AD protected Azure Functions.
A key principle with Power Apps connectors that use Azure Active Directory (AAD) for authentication is that they don’t give users access to any data the user doesn’t already have access to. This is because the API call to the AAD protected service executes under the identity the user signed in to the connector with, so the target service remains responsible for enforcing what the authenticated user is permitted to do. The guarantee depends on the back end actually validating the token and authorizing on that identity; an API that accepts a shared key or runs calls under an application identity does not provide it. As an example, the SharePoint connector uses AAD authentication. When a user runs an app that connects to a SharePoint list, the default behavior is to use the AAD identity they signed in to Power Apps with to sign in to the SharePoint service via the connector. If they do not have permission to write a new record to the list, for example, an attempt to write to it from the app will also fail.
Many customers want to follow the same approach when building Custom Connectors to connect to their custom REST APIs. They want to use the logged-in user’s Azure Active Directory identity (which is the same as their Office 365 login) to authenticate against the custom back-end service. The following are a few ways in which you might accomplish this.
- If you already have an AAD protected REST API, the Use Azure Active Directory with a custom connector article helps you understand the steps to enable this scenario.
- If you need to create a new AAD-protected REST API for Power Apps, the Custom Connectors documentation contains a Create a custom connector for a web API tutorial. It shows you how to start building an ASP.NET Web API, host it on Azure App Service, and enable AAD authentication.
- The new tutorial provides an alternative approach that complements the low-code nature of Power Apps by using Azure Functions to author and host the REST API. Azure Functions offers a “less code” option for those times when you need to write some code behind a REST API and call it from Power Apps. Azure Functions provides serverless compute that lets you run small pieces of code without worrying about application infrastructure. Because Azure Functions runs on Azure App Service, you have the same ability to quickly protect your APIs with AAD. For advanced scenarios, where your code needs to call additional REST APIs protected by AAD, you can leverage the built-in token store of Azure App Service. The token store greatly simplifies the coding effort needed to get a token to call other AAD protected APIs as the logged-in user, and Azure Functions makes getting a token even easier than Azure App Service does. I’ll cover using the token store in a future blog post.
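As an added example (not code from the tutorial or from this page), the following shows how an HTTP-triggered Azure Function can enforce the principle described above: when App Service Authentication is enabled, the platform validates the caller’s AAD token and forwards the resulting identity to the function in the `X-MS-CLIENT-PRINCIPAL` header (base64-encoded JSON with `auth_typ`, `name_typ`, `role_typ` and a `claims` array of `{typ, val}` entries). The handler fails closed when that header is absent, not AAD-issued, or for a different audience, and returns only records the caller owns, so a custom connector can never read more than the signed-in user could. It is written as a plain Python module rather than a full Azure Functions project so it runs offline; the record store, object ids, expected audience and the claim-type names it reads are assumptions.

```python
"""Per-user authorization in an Azure Function behind App Service Authentication.

The data store, client ids, object ids and claim-type names are constructed
for this example; only the X-MS-CLIENT-PRINCIPAL envelope shape (auth_typ,
name_typ, role_typ, claims[{typ,val}]) mirrors what the platform injects.
"""
import base64
import json
from typing import Optional, Tuple

# Assumption: the audience (App ID URI) of the Function's app registration.
EXPECTED_AUDIENCE = "api://00000000-0000-0000-0000-00000000abcd"

# Assumption: the object id may be forwarded under the short "oid" name or
# the long schema URI, so accept either.
OID_CLAIM_TYPES = ("oid", "http://schemas.microsoft.com/identity/claims/objectidentifier")

# Constructed sample data: each record is owned by exactly one AAD user.
ALICE_OID = "11111111-1111-1111-1111-111111111111"
BOB_OID = "22222222-2222-2222-2222-222222222222"
RECORDS = {
    "rec-1": {"owner_oid": ALICE_OID, "body": "Alice's expense report"},
    "rec-2": {"owner_oid": BOB_OID, "body": "Bob's expense report"},
}


def parse_client_principal(headers: dict) -> Optional[dict]:
    """Decode X-MS-CLIENT-PRINCIPAL into {"oid", "name", "aud"}, or None.

    Fails closed (None) when the header is missing, undecodable, not
    AAD-issued, issued for another audience, or carries no object id.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-ms-client-principal")
    if not raw:
        return None
    try:
        principal = json.loads(base64.b64decode(raw))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if not isinstance(principal, dict) or principal.get("auth_typ") != "aad":
        return None
    claims = {c.get("typ"): c.get("val") for c in principal.get("claims", [])}
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    oid = next((claims[t] for t in OID_CLAIM_TYPES if claims.get(t)), None)
    if oid is None:
        return None
    name = claims.get(principal.get("name_typ", ""), "")
    return {"oid": oid, "name": name, "aud": claims["aud"]}


def get_record(headers: dict, record_id: str) -> Tuple[int, dict]:
    """HTTP handler: return a record only if the signed-in caller owns it."""
    principal = parse_client_principal(headers)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    record = RECORDS.get(record_id)
    # Same 404 for "missing" and "not yours" so callers cannot enumerate ids.
    if record is None or record["owner_oid"] != principal["oid"]:
        return 404, {"error": "not found"}
    return 200, {"id": record_id, "body": record["body"], "caller": principal["name"]}


def easyauth_header(oid: str, name: str, aud: str = EXPECTED_AUDIENCE) -> dict:
    """Constructed test helper: the header the platform would inject for a signed-in user."""
    doc = {
        "auth_typ": "aad",
        "name_typ": "name",
        "role_typ": "roles",
        "claims": [
            {"typ": "aud", "val": aud},
            {"typ": "name", "val": name},
            {"typ": "oid", "val": oid},
        ],
    }
    return {"X-MS-CLIENT-PRINCIPAL": base64.b64encode(json.dumps(doc).encode()).decode()}


if __name__ == "__main__":
    alice = easyauth_header(ALICE_OID, "Alice")
    print(get_record(alice, "rec-1"))  # Alice reads her own record
    print(get_record(alice, "rec-2"))  # Alice cannot read Bob's record
    print(get_record({}, "rec-1"))     # no platform-injected identity
```

The fail-closed check matters because the platform strips any client-supplied `X-MS-CLIENT-PRINCIPAL` header only while App Service Authentication is enabled; if it is switched off, or the function allows anonymous calls, the header is attacker-controlled, so the handler must not fall back to a default identity. The audience check is defense in depth against a token minted for a different API being replayed to this one.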