azure, azure-functions, microsoft-graph-api, azure-static-web-app

Call Microsoft Graph API with Function App that is linked to a Static Web App


I have an Azure Static Web App that is configured with AAD, aka Entra ID, authentication. I also have an Azure Function App that I have deployed separately and then linked to the Static Web App as a backend. To be extra clear, this Function App is a linked backend (BYOF), and not a managed function.

I want to be able to call the Microsoft Graph API from the Function App, using delegated permissions from the authentication that is done in the Static Web App, and retrieve user information such as name, surname, email, photo etc. for users based on id.

I have added the delegated permission User.ReadBasic.All to my App Registration for my Static Web App (same one that is used to configure auth).

What else needs to be done to be able to authenticate the Function App against the Microsoft Graph API on behalf of the user of my Static Web App?


Solution

  • I found the other answer to be a little confusing and misleading, so I thought I'd post my own:

    It is possible to set up the on-behalf-of flow with Azure Static Web App and Linked Backend (BYOF Function App), but not through the built-in authentication (the one that you set up through the Static Web App config file). This must be done "manually" by using the Microsoft Authentication Library (MSAL).

    Microsoft provides a tutorial on how to do this, which can be found in their GitHub repo.

    However, I decided to take another path and assign application permissions to my app registration instead, which - unlike delegated permissions - requires admin consent.

    I hope this post can be helpful to someone facing the same kind of problem.
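The on-behalf-of exchange mentioned in the answer, sketched as an added example (not code from the post or from Microsoft's tutorial): the Function App takes the access token the front end obtained with MSAL, swaps it at the Entra ID v2.0 token endpoint for a Graph token, then reads the user. Assumptions: the front end sends its token as a `Bearer` value in a header the linked backend can read, that token has already been validated (signature, issuer, audience), and the function names, the header-name parameter and the selected fields are hypothetical.

```python
import json
import urllib.parse
import urllib.request

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
GRAPH_SCOPE = "https://graph.microsoft.com/User.ReadBasic.All"  # permission from the question


def bearer_token(headers, name="authorization"):
    """Return the JWT from a 'Bearer <jwt>' header value, or None if absent/malformed."""
    value = next((v for k, v in headers.items() if k.lower() == name), "")
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token and " " not in token else None


def build_obo_request(tenant_id, client_id, client_secret, user_token):
    """POST that exchanges the user's API token for a Graph token (on-behalf-of grant)."""
    form = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,  # assumption: read from app settings, never from code
        "assertion": user_token,  # the token the front end sent to this API
        "scope": GRAPH_SCOPE,
        "requested_token_use": "on_behalf_of",
    }
    tenant = urllib.parse.quote(tenant_id, safe="")
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")


def build_graph_user_request(graph_token, user_id):
    """GET /users/{id}; the id is escaped so caller input stays a single path segment."""
    query = urllib.parse.urlencode({"$select": "id,givenName,surname,mail"}, safe="$,")
    url = f"https://graph.microsoft.com/v1.0/users/{urllib.parse.quote(user_id, safe='')}?{query}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {graph_token}"})


def get_user_on_behalf_of(headers, tenant_id, client_id, client_secret, user_id):
    """Full flow (makes network calls). Assumes the incoming token was validated upstream."""
    user_token = bearer_token(headers)
    if user_token is None:
        raise PermissionError("missing or malformed bearer token")
    obo = build_obo_request(tenant_id, client_id, client_secret, user_token)
    with urllib.request.urlopen(obo, timeout=10) as resp:
        graph_token = json.load(resp)["access_token"]
    with urllib.request.urlopen(build_graph_user_request(graph_token, user_id), timeout=10) as resp:
        return json.load(resp)
```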