Azure Functions for Power Platform

When Power Platform needs more power

When to use Azure Functions

Scenario	Why Not Plug-in/Flow?	Azure Function Solution
Generate a complex PDF report	Plug-in: 2-min timeout, sandbox limits. Flow: no PDF generation	HTTP-triggered Function with PDF library
Nightly data cleanup (3+ hours)	Plug-in: timeout. Flow: action limits	Timer-triggered Function with batch processing
React to Service Bus messages	Plug-in: cannot listen to Service Bus	Service Bus-triggered Function
Complex ML model inference	Plug-in: cannot load ML models	HTTP-triggered Function with ML libraries
Call 10 APIs and aggregate results	Plug-in: sandbox networking limits	HTTP-triggered Function with parallel API calls

Trigger types for Power Platform

HTTP triggers are the most common for Power Platform integration

Trigger	How It Fires	Power Platform Use Case
HTTP	External HTTP request	Plug-in or flow calls the Function via HTTP
Timer	CRON schedule	Nightly sync, hourly cleanup, weekly reports
Service Bus	Message arrives in queue/topic	Process events published by Dataverse business events
Event Grid	Azure event published	React to Azure resource events (blob created, etc.)
Blob Storage	File uploaded to container	Process uploaded documents (OCR, classification)

Common pattern: Async plug-in → Azure Function

User saves record
  → Post-operation async plug-in fires (does not block user)
  → Plug-in sends record ID to Azure Function via HTTP or Service Bus
  → Function performs heavy processing (external APIs, computation)
  → Function writes results back to Dataverse via Web API

Important: Do NOT call Azure Functions synchronously from a pre-operation plug-in for long-running work — this blocks the user and risks the 2-minute timeout. For short, bounded lookups (under 5 seconds), a synchronous HTTP call is acceptable. For anything heavier, use async patterns.

Managed identity authentication

A managed identity lets your Azure Function authenticate to Dataverse without storing credentials in code or configuration.

How it works

1. Enable managed identity on the Azure Function App (System-assigned or User-assigned)
2. Create an application user in Dataverse for the managed identity’s client ID
3. Assign a security role to the application user (least privilege)
4. The Function acquires a token from Entra ID using the managed identity — no secrets needed

// Authenticate to Dataverse using managed identity
var credential = new DefaultAzureCredential(); // Uses managed identity automatically
var token = await credential.GetTokenAsync(
    new TokenRequestContext(new[] { "https://orgname.crm.dynamics.com/.default" })
);

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = 
    new AuthenticationHeaderValue("Bearer", token.Token);

// Now call Dataverse Web API
var response = await client.GetAsync(
    "https://orgname.crm.dynamics.com/api/data/v9.2/contacts?$top=10");

Why managed identity over client secrets?

Feature	Managed Identity	Client Secret
Credentials stored in code?	No — handled by Azure	Yes — must be stored securely
Rotation needed?	No — automatic	Yes — manual rotation
Risk of credential leak?	None	Yes — if code/config is exposed
Works from Azure only?	Yes	Works from anywhere

💡 Scenario: Amara offloads PDF generation

Amara’s healthcare client needs to generate patient discharge summaries — 20-page PDFs with charts, images, and medical data. A plug-in cannot do this (sandbox restrictions, 2-minute timeout).

Solution:

1. Post-operation async plug-in fires when a Discharge record is created
2. Plug-in sends the record ID to an Azure Function via HTTP trigger
3. Function authenticates to Dataverse using managed identity
4. Function retrieves patient data via Web API
5. Function generates the PDF using a C# library (iText, QuestPDF)
6. Function uploads the PDF as a Dataverse annotation (note attachment)
7. Function sends a notification email via SendGrid

Total processing time: 45 seconds. No timeout issues, no sandbox restrictions.

Question

Why use Azure Functions instead of Dataverse plug-ins for long-running operations?

Click or press Enter to reveal answer

Answer

Dataverse plug-ins have a 2-minute execution timeout and run in a sandboxed environment with limited access to external resources. Azure Functions have configurable timeouts (5 minutes default on Consumption plan, max 10 minutes; 30 minutes default on Premium plan, max unbounded), full .NET library access, and unrestricted network access.

Click to flip back

Question

What is a managed identity in Azure?

Click or press Enter to reveal answer

Answer

A managed identity is an Entra ID identity assigned to an Azure resource (like a Function App). It authenticates automatically — no passwords or secrets to manage. System-assigned identities are tied to the resource lifecycle. User-assigned identities can be shared across resources.

Click to flip back

Question

How does an Azure Function authenticate to Dataverse using managed identity?

Click or press Enter to reveal answer

Answer

Enable managed identity on the Function App, create an application user in Dataverse with the managed identity's client ID, assign a security role. In code, use DefaultAzureCredential to get a token for the Dataverse resource URL, then include the token as a Bearer token in Web API requests.

Click to flip back

Knowledge Check

A developer needs to process 50,000 records nightly — updating each record based on data from an external API. The process takes approximately 2 hours. What is the best architecture?

AA synchronous Dataverse plug-in that processes all records when triggeredBA Power Automate scheduled flow that loops through all recordsCA timer-triggered Azure Function that processes records in batches using the Dataverse Web APIDA canvas app with a button that triggers the processing

Check Answer

🎬 Video coming soon

Next up: Cloud Flows: Dataverse Triggers & Expressions — configuring Dataverse connector triggers and writing complex flow expressions.