Use managed identities for Microsoft Sentinel with Azure Functions - azure

I'm trying to reach Sentinel APIs using the Microsoft Azure Python SDK for Sentinel (azure-mgmt-securityinsight) in Azure Functions and for now (locally), I'm using Credentials with the AZ CLI.
I haven't found any documentation so far, but I'm curious on whether it is possible to use Managed Identities for Sentinel with Azure Functions?
Any experience with that or documentation?
TIA!

I haven't found any documentation so far, but I'm curious on whether it is possible to use Managed Identities for Sentinel with Azure Functions?
Here is the suitable MS Doc for connecting Sentinel to the data source by using Azure Functions.
It is mentioned that various languages are supported for the above scenario, including the Python SDK, which allows Sentinel to use the data source's REST API.
Also, there are some permissions that should be granted at the RBAC level on both the Sentinel workspace and Azure Functions, given in the same document.
And as given in this GitHub Issue #4227, only System-Assigned Managed Identity is supported for Azure Sentinel Playbooks, not User-assigned Managed Identity; if it is the Azure Sentinel Logic Apps Connector Managed Identity context, then refer to this MS Tech Community Article.

Related

Azure container app - Support for managed identity

I have an existing Azure Kubernetes Cluster and I'm having a look at Azure Container Apps to see if it could be a good move for me.
With AKS, I'm heavily using Managed Identity for management tasks and also using pod-identity to allow applications to connect to other azure resources without storing credentials.
I tried to find some related documentation for Azure Container Apps but didn't find anything? Is it something that is not documented, not supported at the moment?
Since Container Apps went GA, it is now available: Managed identities in Azure Container Apps.
Both system-assigned and user-assigned are available.

Using Azure Resource Manager when Microsoft AD Graph is almost EOF

I'm writing an application that needs to create service principals and grant them permissions to read/write to an Azure event hub.
Currently, I'm using the Java SDK (azure-resourcemanager) to create service principals and assign roles.
I have noticed that both the az CLI and the Java SDK are calling the Azure AD Graph endpoints.
To my best understanding, the Azure AD Graph is reaching EOF soon. Does this mean I need to replace my Java code, or will the Java code implementations be adjusted to the newer Microsoft Graph API?
I have looked at the Microsoft Graph Java SDK and it seems less mature and less intuitive to use than AzureResourceManager (whose API is much more similar to other Azure Java SDKs).
Can anyone from the Azure team help with that?
You don't need to make the change currently.
If AAD Graph is retired, SDKs that rely on AAD Graph are bound to reintegrate with new APIs (most likely MS Graph), or Microsoft will release new SDKs (this is less likely, because the customer's existing code would be changed significantly).
Besides, Microsoft Graph mainly manages AAD resources. See the samples here: Create servicePrincipal.
If you need to assign RBAC role you still need to look into other SDKs.
As Allen mentioned, the likely scenario will be that a certain future version of azure-resourcemanager would change to use MS Graph internally for cases like creating a service principal, while keeping backward compatibility on user-facing APIs (i.e., .servicePrincipals().define(NAME)...create()).
The RBAC part will likely not be impacted. Only the object ID of the service principal is required for RBAC, regardless of how that service principal is created/retrieved (via AAD Graph or MS Graph).
Currently it is not planned when this will happen.
This happened in version 2.2.0.

How do I specify a user-assigned managed identity in Azure API Management

Setting a system-assigned managed identity in Azure API Management is easy - just flip the toggle in the blade, or use the following code snippet in your ARM template:
"identity" : {
    "type" : "SystemAssigned"
}
However, I have several instances of API management, and I want them all to use the same identity, for which the normal Azure solution is a user-assigned MSI.
However, I can't find anything that suggests how to add a reference to a user-assigned MSI to my Azure APIM instance or to set it up in the portal.
This is currently in Preview.
Here is the link to the official documentation:
Services that support managed identities for Azure resources
User Assigned Managed Identity for API management is not yet supported
If you want to read more or check supported service feel free to check my article on Managed Identities https://marczak.io/posts/2019/07/securing-websites-with-msi/

How to access Azure SQL Database via MSI in PowerShell

Is it possible to connect to Azure SQL Database by using Managed Service Identity? I'd like to rip out SQL credentials.
Thank you for your advice!
Best
Yes, it is possible. See this article for reference.
If you want to use a Managed Service Identity in Azure function you can have a look at this article:
How to use Azure Managed Service Identity (public preview) in App Service and Azure Functions
To authenticate to SQL with a Managed Service Identity you can have look at this article:
Azure SQL authentication with a Managed Service Identity
It should be enough to achieve what you need.
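As an added example (not from the answer or the linked articles), the pattern those articles describe, in PowerShell: fetch an access token for Azure SQL from the managed identity endpoint that App Service/Functions exposes, then open a SqlConnection with that token so no SQL username or password exists anywhere in configuration. It assumes the app's system-assigned identity has already been created as a contained user in the target database (CREATE USER [app-name] FROM EXTERNAL PROVIDER) and that the hypothetical server/database names are replaced with real ones.

```powershell
# Added example: Azure SQL via Managed Service Identity from an Azure Function / App Service.
# Assumes the IDENTITY_ENDPOINT / IDENTITY_HEADER environment variables that the
# platform injects when a managed identity is enabled on the app.

function Get-MsiSqlToken {
    $endpoint = $env:IDENTITY_ENDPOINT
    $secret   = $env:IDENTITY_HEADER
    if (-not $endpoint -or -not $secret) {
        throw "Managed identity endpoint not found; is a managed identity enabled on this app?"
    }
    # The resource is Azure SQL's audience; api-version 2019-08-01 pairs with the X-IDENTITY-HEADER header.
    $resource = [uri]::EscapeDataString('https://database.windows.net/')
    $uri      = "{0}?resource={1}&api-version=2019-08-01" -f $endpoint, $resource
    $headers  = @{ 'X-IDENTITY-HEADER' = $secret }
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    return $response.access_token
}

function Invoke-SqlWithMsi {
    param(
        [Parameter(Mandatory)] [string] $Server,    # e.g. myserver.database.windows.net (hypothetical)
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $Query
    )
    $token = Get-MsiSqlToken
    # Note the connection string carries no User ID / Password: the token is the identity.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=tcp:$Server,1433;Database=$Database;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30"
    $conn.AccessToken = $token
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) { $rows += $reader.GetValue(0) }
        return $rows
    }
    finally {
        $conn.Dispose()
    }
}

# Sanity check: returns the login Azure SQL resolved from the token, which should be
# the managed identity's name rather than any SQL login.
Invoke-SqlWithMsi -Server 'myserver.database.windows.net' -Database 'mydb' -Query 'SELECT SUSER_SNAME()'
```

If the identity has not been granted access in the database, the Open() call fails with a login error for the identity's name, which is the quickest way to tell a missing CREATE USER from a missing identity on the app.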

Azure Data Factory V2: Create linked service for Azure Sql server using Azure Active Directory

Creating linked service(Azure Data Factory V2) for Azure Sql supports SQL Authentication. I want to know if it also supports Azure Active Directory Integrated Authentication.
As of today (Feb '18),
ADFV2 can connect to some sources using Managed Service Identity (MSI). In short, the ADFV2 instance is given an identity in the Active Directory as an Active Directory Application. See the docs here. Then the ADFV2 can connect to data sources as that identity.
Although Azure SQL supports Managed Service Identity, accessing Azure SQL Server through MSI is not available for ADFV2 yet. From the docs:
ConnectionString: Specify information needed to connect to the Azure
SQL Database instance for the connectionString property. Only basic
authentication is supported. Mark this field as a SecureString to
store it securely in Data Factory, or reference a secret stored in
Azure Key Vault.
As the docs state, you can use the ADFV2 Managed Service Identity to connect to Key Vault and use keys and secrets stored there, which is probably your best bet for limiting security information in configuration.
Keep in mind that the UI for ADFV2 is still quite far behind the API, so you may need to use PowerShell or Azure command line to set it up properly.
