Microsoft Entra integration

This guide covers how to use Microsoft Entra to authenticate with a Fauna database.

When set up, Entra issues a JWT when end users log into your application. The JWT contains a Fauna token's authentication secret for the user in a private claim. Your application can use the secret to run queries on the user’s behalf.

Before you start

To complete this guide, you’ll need:

A Microsoft Azure account.
Familiarity with Microsoft Entra and Azure Functions.

Authentication flow

In this guide, you’ll set up an Azure function that creates a Fauna token when Entra issues a JWT. You’ll configure Entra to use a custom claim provider to add the token’s secret as a claim to the JWT.

The setup uses the following authentication flow:

The client sends a request to Microsoft Entra. Entra invokes an Azure Function in the token (JWT) issuance phase.
The Azure Function generates a Fauna token and includes the token’s secret in a private fauna_token_secret claim in the payload of the JWT issued by Entra.
Entra returns the JWT to the client application. The client application uses the token secret to authenticate Fauna queries on the user’s behalf.

For more on the general flow and setup, see Create a REST API for a token issuance start event in Azure Functions in the Microsoft Entra docs.

Configure Fauna

In the Dashboard Shell, run the following FQL query to create a key with the server role:

Key.create({
  role: "server"
})

{
  id: "404130885316640841",
  coll: Key,
  ts: Time("2099-07-22T17:08:15.803Z"),
  role: "server",
  secret: "fn..."
}

Copy the key’s secret. You’ll use it later.

Create a collection to store identity documents for your application’s end users.

Edit the collection’s schema to include an email field or similar identifier used to uniquely identify users. For example:
```
collection Customer {
  unique [.email]

  index byEmail {
    terms [.email]
  }
}
```
Create one or more user-defined roles.

Edit the role’s schema to include the previous collection in the role’s membership property. For example:
```
role customer {
  membership Customer

  privileges Product {
    read
  }
  ...
}
```

Create a REST API in Azure

Use an Azure Function to create a REST API. The API creates a Fauna token for an end user.

Create a Azure functions app

Sign in to the Azure Portal.
From the Home page, select Create a resource.
Search for and select Function App. Then select Create > Function App.

Create a function app with the following settings:

Settings	Value	Description
Plan	Consumption (Serverless)	Hosting plan that defines how resources are allocated to your function app.
Subscription	Your subscription	The subscription under which the new function app will be created.
Function App name	Enter a unique name	A unique name that identifies your new function app.
Runtime	Node.js	This guide uses Node.js. You can use any runtime with a supported Fauna driver.
Version	20 LTS
Region	Your preferred region
Operating System	Windows

Settings

Value

Description

Plan

Consumption (Serverless)

Hosting plan that defines how resources are allocated to your function app.

Subscription

Your subscription

The subscription under which the new function app will be created.

Function App name

Enter a unique name

A unique name that identifies your new function app.

Runtime

Node.js

This guide uses Node.js. You can use any runtime with a supported Fauna driver.

Version

20 LTS

Region

Your preferred region

Operating System

Windows

Select Review + create and then select Create. It may take a few minutes for Azure to deploy the function app.
Once deployed, select Go to resource.

Set up environment variables

In the Azure Portal, navigate to your function app.
In the function app’s Overview page, click Settings > Environment variables in the left navigation.
Click Add.
In the Add/Edit application setting pane, enter the following:
- Name: FAUNA_SECRET
- Value: The Fauna key’s secret you copied earlier.
Click Apply.
On the Environment variables page, click Apply. Then click Confirm.

Create an HTTP trigger function

Create an HTTP trigger function in the Azure function app. The HTTP trigger lets you invoke a function with an HTTP request and is referenced by your Microsoft Entra custom authentication extension.

Navigate to the function app’s Overview page.
. In the Functions tab, and select Create function under Create in Azure portal.
Select the HTTP trigger template and select Next.
Enter a Function name and leave the Authorization level as Function. Then click Create.

Add the following code to the function:

const { Client, fql, FaunaError } = require("fauna");

module.exports = async function (context, req) {
    // Read the request body
    const requestBody = req.body;

    // Parse the request body
    const data = requestBody ? JSON.parse(requestBody) : null;
    const email = data?.data?.authenticationContext?.user.mail;

    const client = new Client({
      secret: process.env.FAUNA_SECRET,
    });

    const fauna_response = await client.query(fql`
      // If a Customer document with the email exists, get it.
      // Otherwise, create a Customer document.
      let user = Customer.byEmail(${email}).first() ??
        Customer.create({email: ${email}})
      // Create a token for the Customer document.
      let token = Token.create({
        document: user,
        ttl: Time.now().add(30, 'minutes')
      })
      // Return the Customer document's ID and the
      // token's secret.
      let payload = {
        userId: user!.id,
        token: token.secret
      }
      payload
    `);

    // Prepare the response object
    const response = {
        data: {
            '@odata.type': 'microsoft.graph.onTokenIssuanceStartResponseData',
            actions: [
                {
                    '@odata.type': 'microsoft.graph.tokenIssuanceStart.provideClaimsForToken',
                    claims: {
                        FaunaTokenSecret: fauna_response.data.token,
                    }
                }
            ]
        }
    };

    // Return the response
    context.res = {
        status: 200,
        body: response
    };
};

Save the function.
Click Get function URL.
Copy the default (Function key) URL.

Install the Fauna driver

Navigate to the function app’s Overview page.
In the left navigation, select Development Tools > Console.
Navigate to the http trigger function’s directory. For example:
```
cd HttpTrigger1
```
In the directory, run the following commands to install the Fauna driver:
```
npm init -y
npm install fauna --save
```

Register a custom authentication extension

In the top navigation, click Home.
Search for and select Microsoft Entra ID.
From the Entra Overview page, select Enterprise applications > Custom authentication extensions > Create a custom extension.
In the Basics tab, select the TokenIssuanceStart event type and click Next.
In the Endpoint Configuration tab, enter the following:
- Name: Enter a name for the custom extension.
- Target URL: The Azure function URL you copied earlier.
Select Next.
In API Authentication tab, you will be presented with an option to select a app registration type. Select Create new app registration.
Enter an application Name and select Next.
In the Claims tab, enter the following claim:
- FaunaTokenSecret
Select Next and then click Create.

It may take a few minutes for Azure to create the application and custom extension. Once created, you’ll navigate to the custom extension’s Overview page.

On the custom extension’s Overview page, copy the App ID under API Authentication. You’ll use the ID later in the guide.
Under API Authentication, click Grant permission.
If prompted, sign in to Azure and accept the permissions request.

Configure an OpenID Connect app

To get a token and test the custom authentication extension, you can use the https://jwt.ms app from Microsoft.

Register a test web app

In the top navigation, click Home.
Search for and select Microsoft Entra ID.
In left navigation, select App registrations > New registration.
Enter a Name for the application. For example, My test application.
Under Supported account types, select Accounts in this organizational directory only.
Under Redirect URI, select Web and enter https://jwt.ms as the URL.
Click Register.
In the app registration’s Overview page, copy the:
- Application (client) ID
- Directory (tenant) ID

Enable implicit flow

From the app registration’s Overview page, navigate to Manage > Authentication.
Under Implicit grant and hybrid flows, check ID tokens.
Click Save.

Enable claims mapping policy

In the left navigation, navigate to Manage > Manifest.
In the manifest, locate the acceptMappedClaims attribute, and set the value to true.
Set the accessTokenAcceptedVersion to 2.
Select Save to save the changes.

The following JSON snippet demonstrates how to configure these properties.

{
  "acceptMappedClaims": true,
  "accessTokenAcceptedVersion": 2
  // .... rest of the manifest
}

Assign a custom claims provider to your app

In the top navigation, click Home.
Search for and select Microsoft Entra ID.
In the left navigation, select Manage > Enterprise applications.
Find and select the application you created from the list.
From the Overview page, select Manage >Single sign-on in the left navigation.
Next to Attributes & Claims, select Edit.
Expand Advanced settings.
Next to Custom claims provider, select Configure
In the Customer claims provider pane, select the custom claims provider you created earlier.
Click Save.

Next, assign the attributes from the custom claims provider, which should be issued into the token as claims:

On the Attributes & Claims page, select Add new claim.
Enter a Name of FaunaTokenSecret.
Select a Source of Attribute.
Select a Source attribute of "customClaimsProvider.FaunaTokenSecret".
Select Save.

Protect your Azure Function

The custom authentication extension uses a server-to-server flow to obtain an access token. The token is sent in the HTTP Authorization header to your Azure function.

Use the following steps to add Microsoft Entra as an identity provider to your Azure Function app:

In the top navigation, click Home. app you previously published.
From the Home page, find and select the function app you created earlier.
In the left navigation, select Settings > Authentication.
Select Add identity provider.
Select an Identity provider of Microsoft.
Select a tenant type of Workforce configuration.
Under App registration, select an App registration type of Pick an existing app registration. Then select the custom authentication extension app you created earlier.
Enter the following issuer URL, https://login.microsoftonline.com/<TENANT_ID>/v2.0, where <TENANT_ID> is the Entra application’s tenant ID you copied earlier.
Select a Unauthenticated requests of HTTP 401 Unauthorized .
Uncheck Token store.
Select Add.

Test the application

Open a new private browser and navigate and sign-in through the following URL.

https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize?client_id=<CLIENT_ID>&response_type=id_token&redirect_uri=https://jwt.ms&response_mode=form_post&scope=openid&state=12345&nonce=678910

Replace:
- <TENANT_ID> with the Entra application tenant ID you copied earlier.
- <CLIENT_ID> with the Entra application’s client ID you copied earlier.
After logging in, you’ll be presented with your decoded token at https://jwt.ms. The decoded token will contain the FaunaTokenSecret claim field.

Is this article helpful?

Tell Fauna how the article can be improved:
Visit Fauna's forums or email docs@fauna.com

Thank you for your feedback!