User defined Managed Identity #1401
Hi, I am implementing an azure function to get data from SharePoint (across all sites) and using user defined managed identity. I am using graph api in general and that all seems fine, but for few operations I have to use SharePoint Rest API. I am thinking the PnP core for this scenario. I followed the help guide and examples that talk about managed identity in general and in some places it clearly mentions system assigned managed identity only. The certificate based authentication works but when I move the code to azure the pnp core is not working. It's worth mentioning that my graph api works with the user defined managed identity. Is the user defined managed identity supported to connect to SharePoint? Before I proceed too far I wanted to ensure this is a supported model. Thanks,
@jagsridharan : I've never tried that myself, but in theory this should be possible. This sample (https://pnp.github.io/pnpcore/demos/Demo.AzFunction.ManagedIdentity/README.html) shows how to write a custom authentication provider (https://github.com/pnp/pnpcore/blob/dev/samples/Demo.AzFunction.ManagedIdentity/ManagedIdentityTokenProvider.cs) that handles a system managed identity. You can update this code to also use a user managed identity. Regarding certificates: this is only needed when using app-only access, SharePoint REST/CSOM calls when used via app-only do require certificate based auth. Graph calls can work with just a secret. Given PnP Core SDK requires REST it means that if you want to use app-only you'll have to use certificate based auth.
Hi @jansenbe ,
Apologies, I couldn't come back earlier. I managed to get the Managed Identity to work with the user-defined identity based on the sample you provided, but with a few changes.
I followed this sample you provided, however I had to change the credential code to:
var credential = new DefaultAzureCredential();
The ChainedTokenCredential code below is not working for some reason, I may have to check this further:
If I use the DefaultAzureCredential, it is able to pick up the Client Id using the AZURE_CLIENT_ID environment variable as discussed here.
Thank…
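For the custom authentication provider suggested in the first reply and the `AZURE_CLIENT_ID` setting from the follow-up, here is an added example (not the code from the linked sample or from either poster) of a provider pinned to one user-assigned identity. The class name is hypothetical, and it assumes the Azure.Identity package and PnP Core SDK's `IAuthenticationProvider` interface with the three methods shown.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using PnP.Core.Services;

// Hypothetical class name; added example, not the project's own sample code.
public sealed class UserAssignedIdentityTokenProvider : IAuthenticationProvider
{
    private readonly TokenCredential credential;

    public UserAssignedIdentityTokenProvider()
    {
        // AZURE_CLIENT_ID is the app setting mentioned in the thread.
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        if (string.IsNullOrWhiteSpace(clientId))
        {
            // Fail closed instead of silently using some other identity.
            throw new InvalidOperationException("AZURE_CLIENT_ID is not set.");
        }
        // Passing a client ID selects that user-assigned managed identity only.
        credential = new ManagedIdentityCredential(clientId);
    }

    public async Task AuthenticateRequestAsync(Uri resource, HttpRequestMessage request)
    {
        if (resource == null) throw new ArgumentNullException(nameof(resource));
        if (request == null) throw new ArgumentNullException(nameof(request));
        var token = await GetAccessTokenAsync(resource).ConfigureAwait(false);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
    }

    public Task<string> GetAccessTokenAsync(Uri resource)
    {
        // Request a token only for the host being called (SharePoint or Graph).
        var scope = $"{resource.Scheme}://{resource.DnsSafeHost}/.default";
        return GetAccessTokenAsync(resource, new[] { scope });
    }

    public async Task<string> GetAccessTokenAsync(Uri resource, string[] scopes)
    {
        // Managed identity token requests accept a single scope.
        var context = new TokenRequestContext(scopes);
        AccessToken token = await credential.GetTokenAsync(context, CancellationToken.None).ConfigureAwait(false);
        return token.Token;
    }
}
```

Unlike `DefaultAzureCredential`, which tries several credential sources in turn, `ManagedIdentityCredential` with an explicit client ID uses only the named identity, so a missing or wrong setting surfaces as an error rather than a token for a different principal.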