The slides I used for my "Securing an Azure Functions REST API with Azure Active Directory" session (SAFwAD for short) at Intelligent Cloud Conference in Copenhagen.

1. Session
Rick van den Bosch
Securing an Azure Function REST API with Azure Active Directory
#SAFwAD
Session

2. Rick van den Bosch
@rickvdbosch
rickvandenbosch.net
rickvdbosch@outlook.com

3. Azure Active Directory
Azure Functions
Static website hosting
ADAL & MSAL
Putting things together
Agenda

4. Azure Active Directory

5. “Azure Active Directory (Azure AD) is
Microsoft’s cloud-based
identity and access management service.
Azure AD helps your employees
sign in and access resources”
Azure Active Directory

6. • Seamless, highly secure access
• Comprehensive identity protection
• Efficient management and compliance at scale
• Customer and partner identities
• Identity platform for developers
• Identity for IaaS (infrastructure as a service)
Azure Active Directory

8. IT admins
App developers
Subscribers of
- Microsoft 365
- Office 365
- Azure
- Dynamics CRM online
Who uses Azure AD?

9. Free FREE!
Basic € 0,844 kr 6,294 user / month *
Premium P1 € 5,06 kr 37,761 user / month *
Premium P2 € 7,59 kr 56,641 user / month *
“Pay as you go” feature license.
* Annual commitment
Pricing tiers

10. “Azure Active Directory (Azure AD) B2C is
an identity management service
that enables you to customize and control
how customers sign up, sign in, and manage their profiles
when using your applications.
This includes applications developed for
iOS, Android, and .NET, among others.”
Azure AD B2C

11. Azure AD B2C - Pricing

12. Azure Functions

13. “Accelerate your development with an
event-driven, serverless compute experience.
Scale on demand and pay only for the resources you consume.”
Azure Functions

14. • Take advantage of serverless compute with Functions
• Manage your apps instead of infrastructure
• Optimize for business logic
• Develop your way
Azure Functions

15. Web application backends
Mobile application backends
Real-time file processing
Real-time stream processing
Automation of scheduled tasks
Extending SaaS applications
What you can do with Functions

16. Two major versions: 1.x and 2.x
Current version: 2.x
Both supported for production
Runtimes

17. Supported languages
Language 1.x 2.x
C# GA (.NET Framework 4.7) GA (.NET Core 2)
JavaScript GA (Node 6) GA (Node 8 & 10)
F# GA (.NET Framework 4.7) GA (.NET Core 2)
Java N/A Preview (Java 8)
Python Experimental Preview (Python 3.6)
TypeScript Experimental GA (Supported through transpiling to JavaScript)
PHP Experimental N/A
Batch (.cmd, .bat) Experimental N/A
Bash Experimental N/A
PowerShell Experimental N/A

18. App Service Plan
Run your functions just like your web, mobile, and API apps. When you are already using
App Service for your other applications, you can run your functions on the same plan at no
additional cost.
Consumption plan
When your function runs, Azure provides all of the necessary computational resources.
You don't have to worry about resource management, and you only pay for the time that
your code runs.
Running Azure Functions

19. Scaling

20. Scaling can vary on a number of factors
Might scale differently based on the trigger and language selected
• A single function app only scales up to a maximum of 200 instances.
• A single instance may process more than one message or request at a time.
• HttpTriggered only be allocated at most once every 1 second.
• New instances will only be allocated at most once every 30 seconds.
Scaling behavior

21. Long running
• Keep the runtime short (default < 5m; max. 10m)
Stateless
• Don’t use state in the host
• Idempotent
Cold start
• Fast start up times
• Keep them small
Control
• ‘They’ control scaling
• ‘They’ control when your host is alive
• You control the code!
Best practices

22. Pricing

23. • Billed based on per-second resource consumption and executions
• Execution Time: € 0.000014/GB-s
kr 0.000101/GB-s
• Total executions: € 0.169 per million executions
kr 1.259 per million executions
• Monthly free grant: 1 million executions
400.000 GB-s
Calculation resource consumption: avg. mem. Size in GB x execution time in ms.
Mem rounded to nearest 128 MB, max 1.536 MB.
Execution time rounded up to nearest 1 ms.
Minimum: 100 ms & 128 mb
Pricing – Consumption plan

24. Functions REST API
Table Storage
One weekend, 7 stages
Approximately 80.000 API requests
98.6% had a response time of < 250 ms
96% had a response time of < 30 ms
Total costs: € 3,14
Reference case - Cultural festival

25. Consumption plan++
• Enhanced performance
• VNET Access
Billed per second, based on vCPU-s and GB-s
Premium plan (preview)

26. Static website hosting

27. Available on General-Purpose V2
Special container: web$
Files in this container are:
• served through anonymous access requests
• only available through object read operations
• case-sensitive
Provided at no additional cost
Static website hosting

28. ADAL & MSAL

29. Enables application developers to authenticate users to
- Cloud Active Directory
- On-premises Active Directory
• Configurable token cache that stores access tokens and refresh tokens
• Automatic token refresh when an access token expires and a refresh token is available
• Support for asynchronous method calls
Active Directory Authentication Library (ADAL)

30. Enables Single Page Applications to authenticate users with
- Microsoft Azure Active Directory accounts
- Microsoft accounts
- Accounts in social identity providers like Facebook, Google, LinkedIn etc.
Interacts with
- Microsoft Azure Active Directory
- Microsoft Azure AD B2C
- Microsoft accounts
Microsoft Authentication Library (MSAL)
Preview for JS

31. Differences (process)

32. Differences (implementation)

33. Angular 4/5/6/7 ADAL Wrapper
Can be used to authenticate Angular applications against Azure Active Directory v1
endpoint.
Adal-angular4

34. Wrapper of the core MSAL.js library
Suitable for use in a production environment
The same production level support as current libraries
Changes may impact your application
When GA: update within six months
@azure/msal-angular

35. Putting things together

36. Triggers & Bindings

38. Serverless abstracts away the compute
Triggers & Bindings abstract away the services you interact with
Dual abstraction

39. Example: Blob Trigger on a consumption plan
Up to 10-minute delay processing new blobs
Solution:
Switch to App Service plan with Always On enabled.
Use Event Grid trigger with your Blob storage account.
Triggers

40. public static async Task Run(
[BlobTrigger("upload/{name}", Connection = "scs")]Stream addedBlob,
string name, ILogger log)
{
// Setting up my BlobStorageRepository (it's a wrapper)
var connectionString = Environment.GetEnvironmentVariable("scs",
EnvironmentVariableTarget.Process);
var blobStorageRepository = new BlobStorageRepository(connectionString);
await blobStorageRepository.AddFileAsync("copied", name, addedBlob);
}
Bindings 1/3

41. Binding 2/3
public static async Task Run(
[BlobTrigger("upload/{name}", Connection = "scs")]Stream addedBlob,
[Blob("copied/{name}", FileAccess.Write, Connection = "scs")]Stream stream,
string name, ILogger log)
{
await addedBlob.CopyToAsync(stream);
}

42. Binding 3/3
public static async Task RunAsync(
[BlobTrigger("to-process/{name}", Connection = "scs")]Stream addedBlob,
[ServiceBus("process", Connection = "sbcss", EntityType = EntityType.Queue)]
ICollector queueCollector, string name, ILogger log)
{
using (var reader = new StreamReader(addedBlob))
{
var words = (await reader.ReadToEndAsync()).Split(' ');
Parallel.ForEach(words.Distinct(), (word) =>
{
queueCollector.Add(word);
});
}
}

43. Build a Serverless web app in Azure
About Microsoft identity platform
adal-angular4
@azure/msal-angular
rickvdbos.ch/safwad
Resources

45. Event
partners
Expo
partners
Expo light
partners