0
votes

I need to ensure a reply URL is added to a v2 Active Directory app before returning an HTTP response from a PowerShell serverless function.

Currently I've successfully managed to connect to Azure using a service principal, get the Active Directory application, and update the authentication list with a new reply URL.

This works great, but there seems to be some propagation period before the job completes. Everything happens, as mentioned, in a PowerShell serverless function and returns a 200 HTTP status when finished.

Once the response (HTTP 200 OK) is received, I'm using the Active Directory Authentication Library (ADAL) to log in from a JS app using a full-page redirect.

This is where the issue lies: once the PowerShell runs and returns, the client app tries to log in with ADAL, but Active Directory prompts with an error that the supplied URL isn't one currently on the authentication list.

I've looked into Start-ThreadJob and Wait-Job, but I'm not sure if, number one, I'm using them correctly or, number two, it is the best approach.

Example code:


using namespace System.Net

# Azure Functions PowerShell HTTP trigger entry point (run.ps1)
param($Request, $TriggerMetadata)

# Stop on the first failing cmdlet so a failed update is not reported as success
$ErrorActionPreference = 'Stop'

$appId = "<ACTIVE_DIRECTORY_APP_ID>"
$url   = "<NEW REPLY URL>"

# Sign in as the service principal whose secret is held in the function's app settings
$password   = ConvertTo-SecureString -String $env:SERVICE_PRINCIPAL_SECRET -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($env:SERVICE_PRINCIPAL_ID, $password)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $env:TENANT_ID

# Read the current reply URLs and append the new one. Building a new array
# avoids calling .Add() on a collection that may be fixed-size.
$app = Get-AzADApplication -ApplicationId $appId
$replyUrlList = @($app.ReplyUrls) + $url

Update-AzADApplication -ApplicationId $appId -ReplyUrl $replyUrlList

$status = [HttpStatusCode]::Created
$body   = "URL Added Successfully"

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = $body
})

At the moment the AD authentication list is updated anywhere from 1 minute to 5 minutes in some cases, depending on whether the function is booting from a cold start.

  • Should I use a loop to check the AD Application information within the Powershell script?
  • Should I use job threading & wait job cmdlets?
  • Maybe throw in a bit of sleep?

Just looking for the best approach here to guarantee the new callback URL is 100% added before trying to authenticate with the ADAL library.

Any help would be great!

1 Answer

2
votes

This is not an answer with a solution, but I think I'm reading about something I have experienced on several occasions.

I've been using Python and HashiCorp Vault to try to manage tokens/RBAC on applications. But very often it would break because it had not updated yet, due to the propagation from AAD to the back end being asynchronous, from what I was told.

I even did checks where I used ADAL to loop over the application to verify it was good. But even then it would still fail on some occasions, which hurt the automation I was trying to put in place.

Now you are having an issue that seems similar, but while adding the reply URL to an existing application. My question for testing is: does the reply URL work when it is supplied upon creation of the application? If so, and testing is 100%, then you are having the same issue.

For me, pre-creation of all necessary properties on applications is what helped me circumvent this annoying issue, as I don't think adding a sleep anywhere is a good way to move forward, and the reply from the API isn't reliable enough to work on. If pre-creation is not an option, I suppose the sleep timer is probably some way forward. For me, that ended up being 2-5m in some cases, and in some lucky cases 7-30s.
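The following is an added example written for this page; it is neither the asker's function nor the answerer's code. It covers both the question's flow (append the reply URL, then confirm it is visible on read-back before replying to the client, with a bounded backoff loop instead of a fixed sleep, and a non-success status when the deadline passes) and the answer's alternative (register every reply URL when the application is created). It assumes the Az.Resources cmdlets the question already uses, that Connect-AzAccount has run as in the question, and that $appId and $url are set as there; the timeout and backoff values are illustrative, not documented propagation figures.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
using namespace System.Net

# Added example, not from the original post or answer. Assumes Connect-AzAccount
# has already succeeded (as in the question) and that $appId / $url are set.
$ErrorActionPreference = 'Stop'

function Test-ReplyUrlRegistered {
    # Re-read the application and report whether $Url is now in its reply-URL list.
    param([string]$ApplicationId, [string]$Url)
    $app = Get-AzADApplication -ApplicationId $ApplicationId
    return [bool](@($app.ReplyUrls) -contains $Url)
}

function Wait-ReplyUrlRegistered {
    # Poll with capped exponential backoff until the URL is visible on read-back
    # or the deadline passes. Returns $true/$false rather than throwing so the
    # caller chooses the HTTP status. Keep TimeoutSeconds below the Function
    # App's own functionTimeout (host.json), or the host kills the run first.
    param(
        [string]$ApplicationId,
        [string]$Url,
        [int]$TimeoutSeconds = 120,       # illustrative value
        [int]$InitialDelaySeconds = 2,    # illustrative value
        [int]$MaxDelaySeconds = 15        # illustrative value
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $delay = $InitialDelaySeconds
    while ((Get-Date) -lt $deadline) {
        if (Test-ReplyUrlRegistered -ApplicationId $ApplicationId -Url $Url) {
            return $true
        }
        Start-Sleep -Seconds $delay
        $delay = [Math]::Min($delay * 2, $MaxDelaySeconds)
    }
    return $false
}

function Add-ReplyUrlAndVerify {
    # The question's flow: append the URL, write it back, then block until the
    # read-back confirms it. A fresh array is built instead of calling .Add()
    # so this works whether ReplyUrls is a List or a fixed-size array.
    param([string]$ApplicationId, [string]$Url, [int]$TimeoutSeconds = 120)

    $app = Get-AzADApplication -ApplicationId $ApplicationId
    $current = @($app.ReplyUrls)
    if ($current -notcontains $Url) {
        Update-AzADApplication -ApplicationId $ApplicationId -ReplyUrl ($current + $Url)
    }
    return Wait-ReplyUrlRegistered -ApplicationId $ApplicationId -Url $Url -TimeoutSeconds $TimeoutSeconds
}

function New-ADApplicationWithReplyUrls {
    # The answer's alternative: supply every reply URL at creation time so no
    # later update has to propagate before the first login. Older Az.Resources
    # releases also required -IdentifierUris here (assumption; check your version).
    param([string]$DisplayName, [string[]]$ReplyUrls)
    return New-AzADApplication -DisplayName $DisplayName -ReplyUrls $ReplyUrls
}

# Usage inside the question's run.ps1, replacing the unconditional "Created"
# response with one that reflects what was actually verified.
$ok = Add-ReplyUrlAndVerify -ApplicationId $appId -Url $url -TimeoutSeconds 120
if ($ok) {
    $status = [HttpStatusCode]::Created
    $body   = "URL Added Successfully"
} else {
    # Fail closed: do not tell the client to start an ADAL login that will be rejected.
    $status = [HttpStatusCode]::GatewayTimeout
    $body   = "Reply URL written but not yet visible; retry later"
}
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = $body
})
```

Two caveats a practitioner should keep in mind. First, a successful read-back through Get-AzADApplication only shows that the management API has the URL; as the answer above reports, the login endpoint that validates the redirect during the ADAL flow can still lag behind, so the client should also be prepared to retry the login rather than treat one rejection as final. Second, the loop never returns a success status it has not observed: a timeout yields 504, not 201, so the caller cannot mistake an unconfirmed write for a completed one.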