A Crossplane composition function for querying the Microsoft Graph API.
The function-msgraph provides read-only access to Microsoft Graph API endpoints, allowing Crossplane compositions to:
- Validate Azure AD User Existence
- Get Group Membership
- Get Group Object IDs
- Get Service Principal Details
The function supports throttling mitigation with the skipQueryWhenTargetHasData flag to avoid unnecessary API calls.
Add the function to your Crossplane installation:
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
name: function-msgraph
spec:
package: xpkg.upbound.io/upbound/function-msgraph:v0.1.0The service principal needs the following Microsoft Graph API permissions:
- User.Read.All (for user validation)
- Group.Read.All (for group operations)
- Application.Read.All (for service principal details)
Create an Azure service principal with appropriate permissions to access Microsoft Graph API:
apiVersion: v1
kind: Secret
metadata:
name: azure-account-creds
namespace: crossplane-system
type: Opaque
stringData:
credentials: |
{
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"subscriptionId": "your-subscription-id",
"tenantId": "your-tenant-id"
}AKS cluster needs to have workload identity enabled. The managed identity needs to have the Federated Identity Credential created: https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html.
apiVersion: v1
kind: Secret
metadata:
name: azure-account-creds
namespace: crossplane-system
type: Opaque
stringData:
credentials: |
{
"clientId": "your-client-id", # optional
"tenantId": "your-tenant-id", # optional
"federatedTokenFile": "/var/run/secrets/azure/tokens/azure-identity-token"
}apiVersion: pkg.crossplane.io/v1
kind: Function
metadata:
name: upbound-function-msgraph
spec:
package: xpkg.upbound.io/upbound/function-msgraph:v0.2.0
runtimeConfigRef:
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
name: upbound-function-msgraphapiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
name: upbound-function-msgraph
spec:
deploymentTemplate:
spec:
selector:
matchLabels:
azure.workload.identity/use: "true"
pkg.crossplane.io/function: "upbound-function-msgraph"
template:
metadata:
labels:
azure.workload.identity/use: "true"
pkg.crossplane.io/function: "upbound-function-msgraph"
spec:
containers:
- name: package-runtime
volumeMounts:
- mountPath: /var/run/secrets/azure/tokens
name: azure-identity-token
readOnly: true
serviceAccountName: "upbound-function-msgraph"
volumes:
- name: azure-identity-token
projected:
sources:
- serviceAccountToken:
audience: api://AzureADTokenExchange
expirationSeconds: 3600
path: azure-identity-token
serviceAccountTemplate:
metadata:
annotations:
azure.workload.identity/client-id: "your-client-id"
name: "upbound-function-msgraph"apiVersion: example.crossplane.io/v1
kind: Composition
metadata:
name: user-validation-example
spec:
compositeTypeRef:
apiVersion: example.crossplane.io/v1
kind: XR
pipeline:
- step: validate-user
functionRef:
name: function-msgraph
input:
apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
queryType: UserValidation
users:
- "user1@yourdomain.com"
- "user2@yourdomain.com"
target: "status.validatedUsers"
skipQueryWhenTargetHasData: true
credentials:
- name: azure-creds
source: Secret
secretRef:
namespace: crossplane-system
name: azure-account-credsapiVersion: example.crossplane.io/v1
kind: Composition
metadata:
name: group-membership-example
spec:
compositeTypeRef:
apiVersion: example.crossplane.io/v1
kind: XR
pipeline:
- step: get-group-members
functionRef:
name: function-msgraph
input:
apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
queryType: GroupMembership
group: "Developers"
# The function will automatically select standard fields:
# - id, displayName, mail, userPrincipalName, appId, description
target: "status.groupMembers"
skipQueryWhenTargetHasData: true
credentials:
- name: azure-creds
source: Secret
secretRef:
namespace: crossplane-system
name: azure-account-credsapiVersion: example.crossplane.io/v1
kind: Composition
metadata:
name: group-objectids-example
spec:
compositeTypeRef:
apiVersion: example.crossplane.io/v1
kind: XR
pipeline:
- step: get-group-objectids
functionRef:
name: function-msgraph
input:
apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
queryType: GroupObjectIDs
groups:
- "Developers"
- "Operations"
- "Security"
target: "status.groupObjectIDs"
skipQueryWhenTargetHasData: true
credentials:
- name: azure-creds
source: Secret
secretRef:
namespace: crossplane-system
name: azure-account-credsapiVersion: example.crossplane.io/v1
kind: Composition
metadata:
name: service-principal-example
spec:
compositeTypeRef:
apiVersion: example.crossplane.io/v1
kind: XR
pipeline:
- step: get-service-principal-details
functionRef:
name: function-msgraph
input:
apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
queryType: ServicePrincipalDetails
servicePrincipals:
- "MyServiceApp"
- "ApiConnector"
target: "status.servicePrincipalDetails"
skipQueryWhenTargetHasData: true
credentials:
- name: azure-creds
source: Secret
secretRef:
namespace: crossplane-system
name: azure-account-creds| Field | Type | Description |
|---|---|---|
queryType |
string | Required. Type of query to perform. Valid values: UserValidation, GroupMembership, GroupObjectIDs, ServicePrincipalDetails |
users |
[]string | List of user principal names (email IDs) for user validation |
usersRef |
string | Reference to resolve a list of user names from spec, status or context (e.g., spec.userAccess.emails) |
group |
string | Single group name for group membership queries |
groupRef |
string | Reference to resolve a single group name from spec, status or context (e.g., spec.groupConfig.name) |
groups |
[]string | List of group names for group object ID queries |
groupsRef |
string | Reference to resolve a list of group names from spec, status or context (e.g., spec.groupConfig.names) |
servicePrincipals |
[]string | List of service principal names |
servicePrincipalsRef |
string | Reference to resolve a list of service principal names from spec, status or context (e.g., spec.servicePrincipalConfig.names) |
target |
string | Required. Where to store the query results. Can be status.<field> or context.<field> |
skipQueryWhenTargetHasData |
bool | Optional. When true, will skip the query if the target already has data |
| `identity.type | string | Optional. Type of identity credentials to use. Valid values: AzureServicePrincipalCredentials, AzureWorkloadIdentityCredentials. Default is AzureServicePrincipalCredentials |
Results can be stored in either XR Status or Composition Context:
# Store in XR Status
target: "status.results"
# Store in nested XR Status
target: "status.nested.field.results"
# Store in Composition Context
target: "context.results"
# Store in Environment
target: "context.[apiextensions.crossplane.io/environment].results"You can reference values from XR spec, status, or context instead of hardcoding them:
apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
queryType: GroupMembership
groupRef: "spec.groupConfig.name" # Get group name from XR spec
target: "status.groupMembers"apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
queryType: GroupObjectIDs
groupsRef: "spec.groupConfig.names" # Get group names from XR spec
target: "status.groupObjectIDs"apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
queryType: UserValidation
usersRef: "spec.userAccess.emails" # Get user emails from XR spec
target: "status.validatedUsers"apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
queryType: ServicePrincipalDetails
servicePrincipalsRef: "spec.servicePrincipalConfig.names" # Get service principal names from XR spec
target: "status.servicePrincipals"apiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
identity:
type: AzureServicePrincipalCredentialsapiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: InputapiVersion: msgraph.fn.crossplane.io/v1alpha1
kind: Input
identity:
type: AzureWorkloadIdentityCredentials