Building my first Azure Functions, am I doing things correctly?

john john 921 Reputation points
2023-01-26T20:58:02.5866667+00:00

I created my first Azure Function, which integrates with a SharePoint Online list, using these main points:

  1. I created an Azure App with a self-signed certificate to authorize my Azure Function.

  2. I created a new Azure Function project using Visual Studio 2019. Here are the main components:

Function.cs:

    using System;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Host;
    using Microsoft.Extensions.Logging;
    using PnP.Core.Services;
    using PnP.Core.Model.SharePoint;
    using System.Collections.Generic;
    
    namespace FunctionApp1
    {
        public class Function1
        {
            private readonly IPnPContextFactory pnpContextFactory;
            public Function1(IPnPContextFactory pnpContextFactory)
            {
                this.pnpContextFactory = pnpContextFactory;          
            }
            [FunctionName("Function1")]
            public void Run([TimerTrigger("0 */5 * * * *")] TimerInfo myTimer, ILogger log)
            {
                log.LogInformation($"C# Timer trigger function executed at: {DateTime.Now}");
    
                using (var context = pnpContextFactory.Create("Default"))
                {
                    var myList = context.Web.Lists.GetByTitle("SubFolders");
                    Dictionary<string, object> values = new Dictionary<string, object>
                    {
                      { "Title", System.DateTime.Now }
                    };
    
                    // Use the AddBatch method to add the request to the current batch
                    myList.Items.AddBatch(values);
                    context.Execute();
                }
            }
        }
    }

Startup.cs:

    using Microsoft.Azure.Functions.Extensions.DependencyInjection;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using PnP.Core.Auth;
    using System.Security.Cryptography.X509Certificates;
    
    [assembly: FunctionsStartup(typeof(FunctionApp1.Startup))]
    namespace FunctionApp1
    {
        class Startup : FunctionsStartup
        {
            public override void Configure(IFunctionsHostBuilder builder)
            {
    
                var config = builder.GetContext().Configuration;
                var azureFunctionSettings = new AzureFunctionSettings();
                config.Bind(azureFunctionSettings);
                builder.Services.AddPnPCore(options =>
                {
                    options.DisableTelemetry = true;
                    var authProvider = new X509CertificateAuthenticationProvider(azureFunctionSettings.ClientId,
                        azureFunctionSettings.TenantId,
                        StoreName.My,
                        StoreLocation.CurrentUser,
                        azureFunctionSettings.CertificateThumbprint);
                    options.DefaultAuthenticationProvider = authProvider;
    
                    options.Sites.Add("Default", new PnP.Core.Services.Builder.Configuration.PnPCoreSiteOptions
    
                    {
                        SiteUrl = azureFunctionSettings.SiteUrl,
                        AuthenticationProvider = authProvider  
                    });
    
                });
            
            }
    
        }
    }

local.settings.json:

    {
      "IsEncrypted": false,
      "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet",
        "SiteUrl": "https://***.sharepoint.com/",
        "TenantId": "0b***",
        "ClientId": "92***",
        "CertificateThumbPrint": "EB***",
        "WEBSITE_LOAD_CERTIFICATES": "EB***"
      }
    }

Then I deployed it to Azure and it is working well; every 5 minutes it adds a new list item. But I have these questions:

  1. Am I doing things correctly, especially from a security perspective? In the end my Azure Function will have a public URL as follows: https://functionapp1*****.azurewebsites.net and this can be called by any anonymous user. So is this a security hole? If so, how can I fix it?
  2. I am currently using a self-signed certificate, so is it fine for production? If not, what do I need to do to get a proper SSL?

Thanks

Azure Functions

1 answer

  1. Mike Urnun 9,561 Reputation points Microsoft Employee
    2023-02-06T20:53:34.9066667+00:00

    Hello @john john

    It looks like you have implemented the Azure Function correctly. However, there are a few things you can do to improve the security of your Azure Function:

    1. Use Azure AD authentication instead of anonymous authentication. This will ensure that only authorized users can access your Azure Function.
    2. Use a proper SSL certificate instead of a self-signed certificate. This will ensure that the communication between your Azure Function and SharePoint Online is secure.
    3. You can purchase a certificate issued by GoDaddy via Azure App Service: Buy and import App Service certificate
    4. Use Azure Key Vault to store your sensitive information such as client ID, tenant ID, and certificate thumbprint. For example, here's our doc on certificate management in KeyVault: Get started with Key Vault certificates. This will ensure that your sensitive information is not exposed in the local.settings.json file.
    5. Use Azure Monitor to monitor the logs and performance of your Azure Function. This will help you identify any potential security issues and performance bottlenecks.

    Overall, it is important to follow best practices and implement security measures to ensure the security of your Azure Function. So, it is always recommended to use Azure AD authentication and a proper SSL certificate for production environments. Additionally, using Azure Key Vault and Azure Monitor can also help improve the security and performance of your Azure Function.

    I hope this helps. Let me know if you have any other questions.

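One way to apply the Key Vault recommendation to the Startup.cs from the question, as an added example that is not code from the original post or from the answer: the certificate is downloaded from Key Vault at startup and checked before it is handed to PnP Core. The `KeyVaultUri` and `CertificateName` app settings are assumed names, and the function app is assumed to have a managed identity with get permission on the vault's certificates and secrets.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection;
using PnP.Core.Auth;

[assembly: FunctionsStartup(typeof(FunctionApp1.Startup))]
namespace FunctionApp1
{
    class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            var config = builder.GetContext().Configuration;

            // Assumed settings (not in the original post): KeyVaultUri, CertificateName.
            // DefaultAzureCredential uses the managed identity in Azure and the
            // developer's own sign-in (Visual Studio, Azure CLI) when run locally.
            var vault = new CertificateClient(new Uri(config["KeyVaultUri"]),
                                              new DefaultAzureCredential());
            X509Certificate2 cert = vault.DownloadCertificate(config["CertificateName"]).Value;

            // Fail at startup instead of on the first SharePoint call. A Key Vault
            // certificate whose key is marked non-exportable arrives without a
            // private key and cannot sign the token request.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key.");
            if (DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException(
                    $"Certificate expired on {cert.NotAfter:yyyy-MM-dd}.");

            builder.Services.AddPnPCore(options =>
            {
                options.DisableTelemetry = true;
                // Same provider as in the question, built from the certificate object
                // rather than from a thumbprint lookup in the CurrentUser store.
                var authProvider = new X509CertificateAuthenticationProvider(
                    config["ClientId"], config["TenantId"], cert);
                options.DefaultAuthenticationProvider = authProvider;
                options.Sites.Add("Default",
                    new PnP.Core.Services.Builder.Configuration.PnPCoreSiteOptions
                    {
                        SiteUrl = config["SiteUrl"],
                        AuthenticationProvider = authProvider
                    });
            });
        }
    }
}
```

This code does not read the `CertificateThumbPrint` or `WEBSITE_LOAD_CERTIFICATES` settings, because it never touches the certificate store.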