Azure Function

Azure Function for Automated Team, User and Device Approvals

Keeper provides customers with fully automated Admin Approvals using an Azure Cloud Function. This is an advanced method of performing Admin Approvals in the customer's fully cloud-based Azure environment.

The Keeper Azure Function documented here provides the following capabilities:

  • Automated Team Creation: Any team that has been provisioned to the Keeper Enterprise Application from your Azure environment will be created within the Keeper node within 10 minutes.

  • Automated User-to-Team Assignment: After the user creates their Keeper vault, the user will be automatically provisioned to the designated Azure Team within 10 minutes.

  • Automated Team Folder Provisioning: Any Shared Folders that are shared to the Team will appear in the user's vault within 10 minutes of the user creating their vault.

  • Automated Device Approvals: SSO Cloud users who authenticate with Azure and then click on "Request Admin Approval" will be automatically granted access with the necessary encryption keys, within about 15 seconds.

Before you Start...

You'll need to set up a service account user to perform the Azure function authentication. Create a user in the Keeper Admin Console and make sure they are part of a Role which has "Perform Device Approvals" administrative permission set.

Setup Instructions

(1) Access the Github repository and binary applications: https://github.com/Keeper-Security/keeper-sdk-examples

(2) In the "Releases" section of the repository, download the following application files:

(3) Login to the Azure portal (https://portal.azure.com)

(4) Visit the "Functions" section and click to create a new function.

Create Function App

Azure Free Trial Accounts DO NOT support Keeper's Azure Device Approval Function App. Minimum Required Subscription for this function is a Pay-As-You-Go subscription.

If you upgrade your Azure plan to a Pay-As-You-Go Subscription, please allow 24 - 48 hours for your subscription to propagate correctly prior to attempting to setup Keeper's Azure Device Approval Function App.

The function configuration can use default settings for most options. Below are the specific settings that must be selected for Keeper's function (Runtime stack, Version).

Make note of your selection for "Resource Group" and "Function App name". In the example above, we have selected "Keeper" as the group and "craigdemoapprovals" as the function name.

Follow the wizard steps to create your Azure Function.

When the function is deployed, you'll receive a screen that looks like below:

(5) Click on the Terminal icon to run Azure Cloud Shell in PowerShell mode:

(6) In this step, we will upload the Azure function to the Azure Cloud Shell storage location.

Type "df" which displays the storage configuration. Make note of the storage name and file share name as identified in the section in red below. In the below example, the storage name of the

(7) From the Azure main navigation, go to Home > Storage Accounts > then select the storage name that appears above. Then scroll down, select "File Shares" and select the file share ID that matches the above. For example:

(8) Click on the file share and then click on "Upload"

(9) Select the AzureAdminAutoApprove.zip package that was downloaded in step 1. Upload this file to the Cloud Share.

(10) From the Azure Cloud Shell, change directory to the cloud function location:

PS /home/e4b62e6f-e3e0-4d4a-a068-bcd0d8eb> cd /usr/csuser/clouddrive/
PS /usr/csuser/clouddrive>

Deploy the function using the command below (replace "Keeper" and "craigdemoapprovals" with the group name and function name you specified in step (4) above):

az functionapp deployment source config-zip -g Keeper -n craigdemoapprovals --src ./AzureAdminAutoApprove.zip

This will deploy the Azure function.

(11) From the Azure Functions (in this case "craigdemoapprovals"), click on "Functions" then in the list of functions, go ahead and disable the ApprovePendingRequestsByTimer for now until we're ready to go live.

(12) On any Windows computer, extract the file Commander.zip from step (2) and run the Keeper Commander.exe executable within the extracted file.

(14) Create an authentication profile in Keeper

Keeper Commander is now used to create an authentication profile that contains keys required for the Azure Function to authenticate against the Keeper Cloud. It is recommended that you create a special service account for performing the Admin Approvals, or you can use your Keeper Admin account.

Important: Ensure that the service account is part of a role which has the "Perform Device Approvals" administrative permission.

On the Keeper Commander prompt, type the following:

(a) "login <email>"

Not logged in> login <email>

(b) You may be asked to verify your device. Typically this is performed using email verification, so type "email_send"

(never) > email_send

(c) Check your email and click the verification code or type in the requested code.

(d) If 2FA is enforced, you'll also be asked for your 2FA code. When prompted, make sure to type the following:

[totp](30 days) > 2fa=forever
[totp](forever) > 123456 (your 2FA code)

Make sure that you type "2fa=forever" when prompted so that the MFA code does not expire within the Azure function. Then, type the 2FA code by itself.

(d) Enable session persistence and register the device to Keeper:

My Vault> this-device register
My Vault> this-device persistent_login on
Register and configure device

(e) While the Commander session is still active, locate the config.json property file that was created which contains the encryption keys and device identifier data needed for the Azure Function.

The file should be located on the Windows computer in the following location:

This PC > Documents > .keeper

(f) Keep Commander running on the local workstation until after the config.json file has been copied (per the steps below).

(15) In the Azure portal, navigate to the storage account for the resource group of the Azure function.

(a) Go to Azure Functions and click on our function.

(b) Click on the resource group (in this case, "Keeper"):

(c) Navigate to Storage Account > File Shares > .keeper folder

(16) Upload config.json file from step (14)(e) to the .keeper folder:

Upload config.json

(a) Kill the Commander session or type "q" to quit. DO NOT issue a "logout" or the process will break and you have to repeat step (14).

IMPORTANT: Delete or move the config.json file from the Documents folder on your PC. Re-running Commander using this session will invalidate the Azure Function.

(17) Enable the Timer function ApprovePendingRequestsByTimer

(18) After a few minutes, the function should start running.

By default, the Keeper function "ApprovePendingRequestsByTimer" will execute once every minute. If there is no active connection (web socket) to the Keeper Cloud, a connection is established and the Azure Function will authenticate. A web socket is then established and held for as long as the Azure Function is allowed to process. If there is already an active web socket connection to the Keeper Cloud, no action is performed.

To monitor the invocation, click on the "Monitor" and "Invocations" tab.

(19) Configuration is complete. Now, when a user requests "Admin Approval" from their vault, the Azure Function will immediately approve their request.

If changes are made to the Keeper account used for the Azure Function, such as 2FA or device revocation, repeat steps 12 through 16. Also, if you re-run Commander and authenticate manually on that same device, the Azure Function authentication will fail. This is a security mechanism built into Keeper's authentication system to prevent configuration cloning. Always copy the config.json file while the Commander session is active, then exit the Commander session.

Setup Complete

Now that the function ApprovePendingRequestsByTimer is running, any user who requests "Admin Approval" will be immediately approved within a few seconds.

The function ApproveQueuedTeamsByTimer handles the Team and User approvals.

Troubleshooting and Repairing Failed Logins

If the Azure function's account becomes invalidated, please follow the below steps to correct the issue. Note that session invalidation can be caused by many things, such as:

  • Changing the role policy associated with the service account

  • The Enterprise license expires

  • Running Commander with the service account again, using the same config file

When this happens, or when changes are made to the Keeper account used for the Azure Function, such as 2FA or device revocation, run the following steps:

(1) Stop the Azure function

Stop the Function

(2) Run Commander.exe again, and login to the service account on the Commander interface.

(3) Close the Commander interface by closing the window.

(4) Copy the config.json file from the Windows filesystem (This PC > Documents > .keeper) into the Azure function.

(5) In the Azure portal, navigate to the storage account for the resource group of the Azure function.

(a) Go to Azure Functions and click on our function.

(b) Click on the resource group (in this case, "Keeper"):

(c) Navigate to Storage Account > File Shares > .keeper folder

(6) Upload/Overwrite config.json file to the .keeper folder:

Overwrite config.json

(7) Start the Azure function by clicking "Start".
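The Azure CLI side of the setup procedure above (deploying the zip in step 10, toggling ApprovePendingRequestsByTimer in steps 11 and 17, uploading config.json in step 16) and of the repair procedure in this section (stop, overwrite config.json, start) can be scripted so the same steps are repeatable. The script below is an added example, not Keeper's own tooling; the storage account and file share names are placeholders you must fill in, and disabling a single function through the AzureWebJobs.<name>.Disabled app setting is standard Azure Functions behaviour rather than something Keeper documents.

```shell
#!/usr/bin/env bash
# Added example (not Keeper's code). Scripts the az CLI steps of this page.
# Assumed inputs: resource group and function app name from step (4), the
# storage account and file share backing the function app (step 15), and a
# config.json exported by Commander (step 14). DRY_RUN=1 prints the commands
# instead of calling az, which is also how the example is tested offline.
set -eu

RG="${RG:-Keeper}"                          # resource group from step (4)
APP="${APP:-craigdemoapprovals}"            # function app name from step (4)
STORAGE="${STORAGE:-<storage-account>}"     # placeholder: storage account of the app
SHARE="${SHARE:-<file-share>}"              # placeholder: file share holding .keeper
ZIP="${ZIP:-./AzureAdminAutoApprove.zip}"   # package downloaded in step (2)
CONFIG="${CONFIG:-$HOME/Documents/.keeper/config.json}"
TIMER="ApprovePendingRequestsByTimer"
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Steps (11) and (17): Azure disables one function when the app setting
# AzureWebJobs.<function>.Disabled is "true"; this replaces the portal toggle.
set_timer_enabled() {   # $1 = true|false
  local disabled
  if [ "$1" = true ]; then disabled=false; else disabled=true; fi
  run az functionapp config appsettings set -g "$RG" -n "$APP" \
    --settings "AzureWebJobs.${TIMER}.Disabled=${disabled}"
}

# Step (10): zip deployment of the function package.
deploy_zip() {
  [ -f "$ZIP" ] || { echo "missing package: $ZIP" >&2; return 1; }
  run az functionapp deployment source config-zip -g "$RG" -n "$APP" --src "$ZIP"
}

# Step (16) / repair step (6): copy config.json into the .keeper folder of the
# share. Refuse an empty file: an unusable config.json only shows up later as
# failed logins in the function's invocation log.
upload_config() {
  [ -s "$CONFIG" ] || { echo "config.json missing or empty: $CONFIG" >&2; return 1; }
  run az storage file upload --account-name "$STORAGE" --share-name "$SHARE" \
    --source "$CONFIG" --path ".keeper/config.json"
}

# Repair sequence from "Troubleshooting": stop, overwrite config.json, start.
repair() {
  run az functionapp stop -g "$RG" -n "$APP"
  upload_config
  run az functionapp start -g "$RG" -n "$APP"
}
```

Run `repair` only after exporting a fresh config.json with Commander and quitting Commander without "logout", exactly as the setup steps require.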

Cost of Hosting

In our testing, the monthly cost of hosting the Keeper Azure function is close to $0.00 due to the small amount of instantiations required for device and team approval.