erwinkramer/synapse-dep-data-flows-func
Synapse DEP-workspace data flows with secure Azure Functions 🌊

Data exfiltration protection (DEP) for Azure Synapse Analytics workspaces blocks external calls, even attempts to obtain tokens with a custom audience from your Entra ID tenant. This sample shows that it is still possible to make flexible calls to an Entra ID-secured Function App from a DEP-enabled workspace, with a custom token audience, without the need for pipelines.

Reproduction steps

  1. Create an Entra ID app registration. In this sample, the Application ID URI is api://bank-nl.

  2. Create a Function App. In this sample, the app has the domain func-otel.azurewebsites.net. For demo purposes, add the following identity configuration to your Function App. The Allowed identities value is the Object ID of the system assigned identity of your Synapse resource in your tenant:

  3. Create a REST linked service, pointing to your Function App (via the Base URL), and the Entra ID app registration (via the Microsoft Entra ID resource):

  4. Create a managed private endpoint, pointing to the Function App. The fqdns in the managed private endpoint must match the domain part of the REST linked service Base URL:

  5. Create a data flow with a dataset based on a REST store, and select the REST linked service you created earlier:

  6. Finally, test your connection. This uses your system assigned identity and attempts to call the Function App via your linked service.

Why does this work?

There are 2 points to notice:

  1. Even though we're not using a Function App dataset (no such dataset type exists), Synapse still matches your REST configuration with the managed private endpoint of your Function App. DEP allows all connections that have a managed private endpoint.
  2. Because authentication happens in the context of the linked service, DEP allows it.
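A preflight check for the two conditions above, added here and not part of the repository: it compares a REST linked service definition against a managed private endpoint definition and reports why DEP would block the call. The JSON follows the property names Synapse uses for these two resource types; the sample values (LS_FuncOtel, MPE_FuncOtel) are constructed around the domain and Application ID URI used in this sample.

```python
import json
from urllib.parse import urlparse

# Constructed sample definitions mirroring steps 3 and 4 of the reproduction.
LINKED_SERVICE = json.loads("""{
  "name": "LS_FuncOtel",
  "properties": {
    "type": "RestService",
    "typeProperties": {
      "url": "https://func-otel.azurewebsites.net/api/",
      "authenticationType": "ManagedServiceIdentity",
      "aadResourceId": "api://bank-nl"
    }
  }
}""")

MANAGED_PE = json.loads("""{
  "name": "MPE_FuncOtel",
  "properties": {
    "groupId": "sites",
    "fqdns": ["func-otel.azurewebsites.net"]
  }
}""")


def check_dep_compatibility(linked_service: dict, managed_pe: dict) -> list[str]:
    """Return findings; an empty list means both DEP conditions are satisfied."""
    findings = []
    props = linked_service["properties"]
    tp = props.get("typeProperties", {})
    if props.get("type") != "RestService":
        findings.append(f"linked service type {props.get('type')!r} is not RestService")
    # Condition 1: the Base URL host must be one of the private endpoint fqdns.
    host = (urlparse(tp.get("url", "")).hostname or "").lower()
    fqdns = {f.lower() for f in managed_pe["properties"].get("fqdns", [])}
    if not host:
        findings.append("linked service url has no host part")
    elif host not in fqdns:
        findings.append(f"host {host!r} not in managed private endpoint fqdns {sorted(fqdns)}")
    # Condition 2: the token must be acquired in the linked service context,
    # for the app registration's Application ID URI as audience.
    if tp.get("authenticationType") != "ManagedServiceIdentity":
        findings.append("authenticationType must be ManagedServiceIdentity")
    if not str(tp.get("aadResourceId", "")).startswith("api://"):
        findings.append("aadResourceId should be the app registration Application ID URI (api://...)")
    return findings
```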

What about notebooks?

Attempting to get an access token or to use the linked service for a Function App in a Synapse notebook with DEP enabled yields: Linked Service Type 'RestService' not supported (for the REST type) or Linked Service Type 'AzureFunction' not supported (for the Function App type). Some types do work, such as an Azure ML workspace linked service, as explained in Azure/azure-sdk-for-python#35452 (comment), but that is not useful in this scenario. For a list of supported types, see Linked service connections supported from the Spark runtime.

As an alternative, disable DEP on the workspace and make manual REST calls from the notebook, for example with the Requests library.

License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

About

Securely call Azure Functions with Synapse data flows.