Support for outbound HTTP calls and OBO token access from Rayfin Functions #36

Description

@maartendevos

Problem statement

When building enterprise Fabric Apps with Rayfin, backend business logic frequently needs to call external services: Microsoft Graph resources (SharePoint, Teams, OneDrive, calendars, users), custom APIs, Azure Functions, or other internal/external HTTP endpoints. Currently there is no documented way to make outbound calls from rayfin-functions, and no documentation describing whether/how a function can acquire an Entra ID token to call downstream services on behalf of the authenticated user.

Proposed solution

  1. Outbound HTTP support in functions: a documented, supported way to make arbitrary outbound HTTP calls from Rayfin function code, to Microsoft Graph, Azure Functions, internal APIs, or any external HTTP endpoint.
  2. OBO token access: a way for server-side function code to acquire an Entra ID access token on behalf of the signed-in user (On-Behalf-Of flow), so downstream services receive a properly scoped delegated token rather than an app-only token. Since Fabric SSO is already Entra-based, the inbound token exists; the missing piece is whether rayfin-functions exposes it for an OBO exchange.
  3. App-only / managed identity option: for system-triggered scenarios (background jobs, scheduled tasks) where no user context is available, a way to acquire an app-level token or use a managed identity for outbound calls.
  4. Documentation and examples: at minimum, a documented pattern covering one of the above so teams can build on it consistently.

Alternatives considered

  • Calling external services from the frontend, but this exposes tokens in the browser and bypasses server-side policy control.
  • Routing through a separate Azure Function or custom API as an intermediary, but this introduces a separate runtime and breaks the code-first governed backend model Rayfin is designed to provide.

Additional context

Concrete examples of the scenarios this would unlock:

  • Calling Microsoft Graph to read/write SharePoint sites, OneDrive files, calendar items, or user profiles
  • Invoking an Azure Function or internal REST API as part of a data write workflow
  • Triggering an AI agent (Azure AI Foundry, Copilot Studio) in response to a Rayfin data event
  • Calling a third-party API (e.g. ERP, CRM) from backend logic while keeping data within the Fabric tenant boundary

This is especially relevant for enterprise deployments in regulated environments where all service calls must stay within a defined permission boundary and use delegated user tokens rather than over-privileged app-only credentials.

Related packages: @microsoft/rayfin-functions, @microsoft/rayfin-auth-provider-fabric.
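
The On-Behalf-Of exchange requested in item 2, as an added example (not code from the issue author or from Rayfin): it checks that the inbound token is a delegated, unexpired token issued for the function's own app, then builds the Entra ID v2.0 token request without sending it. The function names, the `acceptedAudiences` parameter and the way the inbound token reaches the function are assumptions; Rayfin documents no such API.

```javascript
// Added example, not Rayfin code. How a function obtains the inbound user
// token is an assumption: the issue above notes this is undocumented.

// Constructed sample input: an UNSIGNED token with made-up claims.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

// Decode claims WITHOUT verifying the signature. Assumes the hosting platform
// already validated the token; this is a pre-flight check, not authentication.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Build (but do not send) the Entra ID v2.0 On-Behalf-Of token request.
function buildOboRequest({ tenantId, clientId, clientSecret, userToken,
                           acceptedAudiences, scopes, nowMs = Date.now() }) {
  const claims = decodeClaims(userToken);
  // The assertion must have been issued for this middle-tier app.
  if (!acceptedAudiences.includes(claims.aud))
    throw new Error(`token audience ${claims.aud} is not this app`);
  // Delegated tokens carry "scp"; app-only tokens carry "roles" and cannot be
  // exchanged on behalf of a user.
  if (typeof claims.scp !== "string" || claims.scp.length === 0)
    throw new Error("inbound token has no delegated scopes (app-only?)");
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= nowMs)
    throw new Error("inbound token is expired");
  if (!Array.isArray(scopes) || scopes.length === 0)
    throw new Error("request explicit downstream scopes");

  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    requested_token_use: "on_behalf_of",
    client_id: clientId,
    client_secret: clientSecret, // load from a secret store, never from source
    assertion: userToken,
    scope: scopes.join(" "),
  });
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}
```

The returned object can be passed to any HTTP client; the response's `access_token` is the delegated token for the downstream service.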

Labels: enhancement (New feature or request)