top of page

Azure APIs for SharePoint Access with Microsoft Graph, Azure DevOps deployments with Bicep scripts and a couple of tricks (I)

Updated: May 7

I have done some work for one of my clients and created the design, the implementation and the development environment for a few Azure functions which uploads and downloads files in a SharePoint site and other mediums (Azure Blob Storage, etc.)


My client is already paying for a Microsoft Office 365 subscription having more than one thousands users and the space available in SharePoint could be used at no extra cost in comparison with storing the files in other mediums (Azure Cloud, integrated vendor solution, etc.)


The SharePoint license my client is already paying for allows for a storage space size of 267 TB = 100TB + 100GB per A5 user, so 100TB + (1654 users * 100GB). You can read more details about the price's calculation here:



The point of this article is to describe the solution, the configuration and deployment scripts and show you how a simple build will create all the required objects in the Azure Cloud with the appropriate permissions. Once the build has completed, you can make a call to upload or download a file from the SharePoint site and everything will work with no other manual intervention.


In presenting these details I will show you couple of limitations and workarounds you need to be aware of and one cool implementation's detail that I think you will appreciate.



A few details for the above diagram:


  • The function app I am creating and deploying in Azure performs authentication to an App Registration via a certificate.

  • The App Registration has been configured with the required permissions to access SharePoint.

  • The function app is reading the certificate from the Azure Key Vault.

  • The API Management is using the function app as a set up source and is configured via access policies that requires the use of a certificate as well.

  • The API Management is called from external users while the function app it is protected via external access using a service endpoint access restrictions (to be discussed in part 2 of this article)


A few alternatives of integrating with SharePoint


 You may have the need to move the files from a particular storage you are currently using to SharePoint. What are the alternatives you can choose from when designing an integration solution to SharePoint?


  1. PowerShell script

  2. Azure Logic App - using the SharePoint connector and installing on-premises data gateway 

  3. Azure Data Factory - using Azure Integration Runtime and a Linked Service with SharePoint connector

  4. Programmatically access using the Pattern and Practices SDK (PnP SDK)

  5. Programmatically access using Graph API

  6. Using OneDrive as intermediate storage and OneDrive to SharePoint synchronization.

For the POC I was writing I had created examples for the choices 1), 2), 4) and 5) but here we will discuss only the Graph API.


The reason why Graph API was selected versus PnP SDK is the fact the latter is open source technology and does not provide the necessary support my client needs. 


Function app Graph Provider


A GraphServiceClient it is created and injected via dependency injection into the service class. 


and the Graph APIs calls can be made in the code:


The certificate used to authenticate to the App registration it is retrieved from the function configuration properties via the syntax binding presented below:



The certificate it is added to the Key Vault.



and accessed from the Key Vault access policies via the managed identity of the function.



To read the certificate 64 bit encoded value from the key vault via the binding described above, you need just one line of code:


string certBase64Encoded = Environment.GetEnvironmentVariable("CertificateFromKV");

Testing with Postman and certificates


Set up Postman and upload your certificate in the “Settings/Certificates” menu item:



Create a Get request to the URL for the function you have created and click on “Send and Download” button. You can see the certificate being sent in the request and the file being downloaded:



How to make use of Graph APIs.


Go to the Microsoft Graph REST API v1.0 documentation’s site:  Graph APIs

For each operation you need you will find a documentation page.

Look at the HTTP requests.



Make the corresponding call in Postman and investigate the result.

As an example, let's get the file versions for a file in SharePoint using Graph APIs.


  1. Get the drives from the SharePoint sites:



2. Make a note of the drive id from the given result:


3. Look for your item in the SharePoint site:



4. Make a note of the item id from the result set.

5. Use the ids from above and retrieve the versions for this file.


You can see the versions in the result set.


Each file’s version has a downloaded URL. 

You can download the file’s version using this URL.

The similar code that produces the same result is displayed below:



Bicep scripts for creating Azure resources


To test the bicep scripts you can use a PowerShell script that loads some parameters from a configuration files.



Some Azure resources can be re-used (subscription, resource group, location, etc.) while other are newly created: storage account, key vault, function app, adding function app permissions to the key vault secrets, etc.



I have used a few modules per resource to allow reusability.



As an observation, adding the certificate into the key vault gives errors and after researching online articles on the subject it seems this particular Bicep functionality is not yet available.


As a workaround, I have stored the certificate content and secret into 2 key vault secrets and modified the Azure function to read them from there.


You can add these 2 secrets into the Azure function configuration parameters with a similar binding as you have seen previously with the certificate:




Integrating the Bicep scripts into the deployment pipeline


I have integrated the bicep script into the deployment pipeline and created a JSON file out of it using the Bicep CLI.



The deployment pipeline contains 2 tasks: 


  • an ARM template deployment task and 

  • a function app deployment task that adds the function app build on top of the created resources.


As a second workaround, make note that the deployment parameters are created under the Variables tab and not imported from the configuration file.



After all the build and deployment pipeline completes successfully you can download our image from SharePoint using the deployed resources.


As a final note, the deployment uses a suffix to increment the deployed instance number.


Allowing calls to APIM APIs and preventing the function app to be called directly.


This part will be deferred to the next article.


Other topics not described here


My POC provides details about the whole solution, showing how to create and configure:


  • SharePoint site and development environment via Microsoft Office 365.

  • Certificates and the various files extracted from it.

  • Azure App Registration and permissions to SharePoint.

  • Azure API Management, access policies and ways to debug the configuration.

  • A .NET console application that makes calls to the APIM function using client certificate.

  • Azure cost for the provided resources.

  • Calculate the percentage a file's version has been changed using Aspose and DiffMatchPath libraries.

  • Create and use SharePoint metadata as custom attributes.


These details are not presented here for the sake of the brevity in this article. 

27 views0 comments

Recent Posts

See All

Comments


bottom of page