Enable Azure Functions with Security Compliance PowerShell
Image Source: Shutterstock.com
Nov 29, 2023 1:00 PM

Enable Azure Functions with Security Compliance PowerShell

by HubSite 365 about Laura Kokkarinen [MVP]

Lead Architect, Software Development | Microsoft MVP | Blogger | Speaker | laurakokkarinen.com

Pro UserSecurityLearning Selection

Secure Azure Functions with Security & Compliance PowerShell! Learn certificate auth process step by step.

Learn how to connect to a script run by an Azure Function using certificate authentication. In a detailed walkthrough, the author demonstrates the setup process for using Security & Compliance PowerShell on Azure Functions. Certificate authentication ensures secure, application permission-based interactions with the PowerShell environment.


The author recently developed a workspace provisioning solution. This applies Data Loss Prevention (DLP) policies across Microsoft 365 workspaces, aiming to prevent the inclusion of sensitive information. At times, however, there's a need to work with sensitive data, and the solution allows for setting up a compliant environment for such cases.

The author describes discovering a method to programmatically add exceptions to DLP policies. This process involved using the Security & Compliance PowerShell, prompting a deep dive into authentication methods for Azure Function, since Managed Identities are not supported, but certificate authentication is feasible.

  • Create an Azure Function App, starting by setting up a resource group and function app in the Azure portal.
  • Name the app appropriately, choose to publish as code, select PowerShell Core as the runtime stack, and set up associated storage and monitoring resources.
  • Specify the needed modules like ExchangeOnlineManagement in the Function App's configuration, ensuring these modules are available for scripts to use.

One critical step is enabling the Function App's managed identity. This identity is essential for allowing the app to access the certificate stored in a secure location - an Azure Key Vault.

Creating a self-signed certificate is presented as a straightforward process. After adjusting variable values, running a script will generate the necessary files. This certificate will authenticate a newly created Microsoft Entra ID application registration linked to the Azure Function.

Following app registration, the author guides through setting API permissions. Administrative consent is required to solidify these permissions, which are vital for the powershell commands the function will execute.

The application needs additional roles, specifically the Compliance Administrator role. This ensures all necessary permissions for managing the security and compliance aspects via the script.

The Azure Key Vault plays a pivotal role in securing the authentication certificate. The author explains the creation and configuration process of the Key Vault, highlighting the importance of naming conventions and location consistency.

After managing permissions, the next step involves importing the self-signed certificate into the Key Vault. The author provides detailed instructions for adding and referencing the certificate, which will be used in the Function App's authentication processes.

Finalizing the Function App configuration involves setting key values. These include the tenant, client ID, and a critical reference to the certificate stored in the Key Vault. Saving these settings prepares the function app for authentication.

Adding the PowerShell script to the function app is the closing step in the setup. Script implementation is straightforward and, once executed, will kick off module installation needed for the function's operations.

The article wraps up with the author expressing the dual purpose of the blog post—serving as a reference for both the author and readers. By sharing the learning experience, the author hopes to assist others in implementing similar solutions effectively.

Understanding Security & Compliance in Azure Functions

Integrating Security & Compliance features into Azure Functions is critical for maintaining data integrity and adhering to company policies. By leveraging certificate authentication, developers can ensure that their automation scripts interact securely with Microsoft 365 workspaces. This is particularly important when dealing with sensitive information where Data Loss Prevention (DLP) policies must be strictly applied. The detailed process shared in the walkthrough provides a reliable method for setting up a functional and compliant scripting environment in Azure, highlighting the importance of Azure Key Vault for certificate management and the precise configuration steps necessary for successful implementation.

Read the full article How to use Security & Compliance PowerShell with application permissions on Azure Functions

Security - Enable Azure Functions with Security Compliance PowerShell



Azure Functions Security, Compliance PowerShell Automation, Application Permissions Azure, Security Compliance Azure Functions, Manage Azure Functions PowerShell, Automate Azure Security Compliance, PowerShell Application Permissions, Azure Functions Compliance Scripting, PowerShell Azure PaaS Security, Azure Functions PowerShell API.