{"id":24610,"date":"2020-09-03T11:15:41","date_gmt":"2020-09-03T11:15:41","guid":{"rendered":"https:\/\/www.inogic.com\/blog\/?p=24610"},"modified":"2020-11-18T07:48:12","modified_gmt":"2020-11-18T07:48:12","slug":"impersonation-within-azure-function-or-custom-connector-when-using-aad-authentication","status":"publish","type":"post","link":"https:\/\/www.inogic.com\/blog\/2020\/09\/impersonation-within-azure-function-or-custom-connector-when-using-aad-authentication\/","title":{"rendered":"Impersonation within Azure Function or Custom Connector when using AAD authentication"},"content":{"rendered":"

In the earlier blog posts, we discussed setting up an Azure function with AAD authentication<\/a> and then creating a custom connector for the Azure function that also requires AAD authentication to make a connection to the connector<\/a>.<\/p>\n

Given that the Azure function is configured for AAD authentication in the Authentication \/ Authorization section of the function as shown below<\/p>\n

\"Azure<\/a><\/p>\n

Now that we have provided for AAD authentication that requires a user login, it would be good if all operations are executed within the context of the same user.<\/p>\n

Within your Azure function, you can get the details of the logged-in user using the ClaimsPrincipal<\/a><\/p>\n

ClaimsPrincipal principal = req.HttpContext.User;<\/p>\n

if (principal.Identity != null)<\/p>\n

{<\/p>\n

log.LogInformation(“Claims identity ” + principal.Identity.Name);<\/p>\n

}<\/p>\n

if (principal.Claims != null)<\/p>\n

{<\/p>\n

foreach (Claim c in principal.Claims)<\/p>\n

{<\/p>\n

log.LogInformation(“CLAIM TYPE: ” + c.Type + “; CLAIM VALUE: ” + c.Value + “<\/br>”);<\/p>\n

}<\/p>\n

\u00a0}<\/p>\n

In the console, you can see all the claims returned<\/p>\n

\"Azure<\/a><\/p>\n

One of the claims returned is AADID<\/p>\n

\"Azure<\/a><\/p>\n

Read this specific claim value<\/p>\n

Claim claim = principal.Claims.FirstOrDefault(c => c.Type.Contains(“objectidentifier”));<\/p>\n

string aadobjid = “”;<\/p>\n

if (claim != null)<\/p>\n

{<\/p>\n

aadobjid = claim.Value;<\/p>\n

log.LogInformation(“aadobjid = ” + aadobjid);<\/p>\n

}<\/p>\n

Every CRM User that we create has an associated AADID stored along which is this objectid.<\/p>\n

Set this to the cds client object we have created for impersonation<\/p>\n

\/\/establish connection with CDS<\/p>\n

CdsServiceClient client = new CdsServiceClient(connectionString);<\/p>\n

if (!string.IsNullOrEmpty(aadobjid))<\/p>\n

{<\/p>\n

client.CallerAADObjectId = new Guid(aadobjid);<\/p>\n

}<\/p>\n

Do note if you run a WhoAmI request \u2013 it still returns the id of the original credentials used for establishing the connection.<\/p>\n

However, when you create a record, you will notice that the owner of the new record is the same user that had logged in to the connector.<\/p>\n","protected":false},"excerpt":{"rendered":"

In the earlier blog posts, we discussed setting up an Azure function with AAD authentication and then creating a custom connector for the Azure function that also requires AAD authentication to make a connection to the connector. Given that the Azure function is configured for AAD authentication in the Authentication \/ Authorization section of the\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":13,"featured_media":24621,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[5,2088],"tags":[2070,2071,2089,545],"class_list":["post-24610","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-functions","category-custom-connector","tag-aad-authentication","tag-azure-function","tag-custom-connector","tag-dynamics-365-crm"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/posts\/24610","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/comments?post=24610"}],"version-history":[{"count":0,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/posts\/24610\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/media\/24621"}],"wp:attachment":[{"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/media?parent=24610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/categories?post=24610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/tags?post=24610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}