Restrict Azure WebApp to APIM through Managed Identity? - azure

I am wondering if it is possible to restrict access to an Azure web app (it is functioning as an API, so I don't want public access just via the URL) to API Manager through managed identity? Everything I can see is for using Azure HTTP Functions, not for a web app.
I'm assuming that by doing so, users in the AD can also access the web app directly?

Yes, it is possible.
Your back-end API will need to check for either:
An application permission (appRole) defined on the API app registration and assigned to the Managed Identity through PowerShell
Or check that the object id in the token matches the Managed Identity
In the first option, other apps won't be able to use the API directly unless that permission is granted to that client application by an Application Admin/Global Admin.
The second option outright prevents other apps from using the API directly.
In both cases, you'll have the API Management policy get an access token targeting your API app registration.

Related

Why do I need App Registration in Azure and how does it relate to my App Service?

I've done some reading in regards to Azure AD, but I still can't wrap my head around it. The confusion might also be there because of how my company tries to standardize how an Azure project should look.
Imagine I have two things: SPA app (served by App Service) and API (on this App Service, ASP.NET). The approach that the company is suggesting is that both of those should have their App Registrations.
Now, I'd like the API to have access to Ms Graph. In order to do that, looking at other projects, I updated my AppRegistration to request Ms Graph roles, Admin gave consent, and in the API I used ConfidentialClient to reuse my Client Id/Secret to get a token and then access MsGraph.
Why the hassle? Why not just use the Managed Identity of my API and grant the needed permissions using New-AzureAdServiceAppRoleAssignment?
Why do I need App Registration here? Do I need both? Should I access Ms Graph using my App Registration and confidential client in my API? How does my App Service relate to my App Registration in code?
Let's take a step back and define a few things that will make things easy to understand:
Your app service: this is just a compute environment, just as Azure Functions, Logic apps or VMs. This is where your code executes.
Azure AD App registration: this is an identity that you can use in your code to identify your service and get access to resources you need. The Azure AD app registration has several capabilities:
build an app in one tenant and use it in multiple tenants (multi-tenant app)
consent framework, allowing you to request permissions and the owner to grant them
define roles and permissions, so that you can configure who is allowed to call your API
3-legged OAuth flows which allow you to act on behalf of the user
confidential client flows which allow the app to act on its own (like a service account)
Azure Managed Identities: this is also an identity that you can use to identify your service and get access to resources you need. It only has a subset of the capabilities of Azure AD app.
confidential client flow which allows the identity to act on its own (like a service account)
credentials managed for you by the platform
Depending on what you are trying to do, you can use one or the other identity: rarely, if ever, will you need both.
In your case, you need an identity to act on its own. So either app registration or managed identity will work. Your API may benefit from using an app registration if you want to define roles and permissions. The primary advantage of using an app registration in your scenario is that the consent model is simpler to use and understand. The disadvantage is that you need to manage credentials for the app. This pro/con is reversed when using a managed identity.
You don't need both at a time. These are two ways to get access to MS Graph for your API. They are used for different purposes.
Managed Identity (Using System Identity)
· Use the Managed Identity if you don't require your API to be authenticated by any provider.
· A managed identity from Azure Active Directory allows App Service to access resources through role-based access control (RBAC), without requiring app credentials.
· It is known as a safe way to give your web app access to data: use a system-assigned managed identity.
· Currently, there's no option to assign any permissions (MS Graph) through the Azure portal for a Managed Identity.
· When we enable a Managed Identity for any application, it shows only under Enterprise applications.
Reference: Tutorial - Web app accesses Microsoft Graph as the app - Azure App Service | Microsoft Docs
App Registration
· To set the authentication and authorization of your app from a different provider, it needs your app registration id.
· It's required to configure a service and get a token from the Microsoft identity platform endpoint that the service can use to call Microsoft Graph under its own identity.
· In this case, using the portal, you can add permissions (MS Graph) for your application.
Reference: https://learn.microsoft.com/en-us/graph/auth-v2-service

In an Azure Web App, can you lock specific routes from being accessed externally?

I have implemented AAD SSO using react-adal for my React application, but all my node REST endpoints are still accessible via external users & resources. Does Azure offer any way of securing these routes so that they cannot be accessed by anything other than the application itself?
i.e. block external users from access to example.com/get-users/
but allow the application to still have access to this route.
Thanks!
You must read/define groups that will be allowed to access that particular route, and set it at your app level. Azure AD only authenticates / returns the token with user information (including claims).
More info:
https://blog.bitscry.com/2020/04/21/azure-active-directory-group-based-authorization/
Azure AD and Group-based authorization with token in Web API

Allow Keyless Authorization from Managed Service Identity to Azure Function

Imagine that I have:
An Azure Function (func) that exposes an http endpoint (api1)
An Azure App Service (service1) that has a Managed Service Identity configured (msi1)
I would like to configure everything in such a way that service1 can make an HTTP request to api1, and api1 knows that the request is coming from msi1. Furthermore, I would like to be able to configure service1 in the Azure portal to either allow or disallow access to api1.
Basically I want to configure which app services have access to which functions (or vice-versa) as much as possible in the Azure portal, without having to create and manage API tokens or keys in application settings.
I would like to stress that this is service-to-service - service1 does not request any login information from its users.
I believe that this should be possible, but most of the documentation that I have come across describes situations in which a user logs in via Microsoft/Facebook/Google/Whatever and gets an access token in that way. I know that I can use client credentials on an application registration to create a valid bearer token; but that shouldn't be necessary because service1 is executing under the security context of msi1.
As juunas said, you could refer to his article to secure azure function from app service using a managed identity.
Register your api1 as an app in AAD and use PowerShell to assign permission to the service1 MSI. It seems that assigning permission to an MSI is not supported in the Portal, so you could just use PowerShell to assign it. Here is a similar thread that assigns permission to an MSI which you could refer to.

Authentication for web api using azure AD

I need to implement authentication for an Azure web API using Azure Active Directory.
The client app (which consumes the web API) may or may not be in Azure. How do I need to authenticate the user, and where should I generate the token if my app is not in Azure (e.g. if it is an iOS app)? Authentication should work in all cases, whether the client app is in Azure or not.
Please let me know the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service can use different authentication providers: Azure Active Directory, Facebook, Google, Microsoft, Twitter.
We can set any type of Authentication/Authorization in the Azure Portal. For more info about how to use authentication for API Apps in Azure App Service, please refer to the document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.

Azure Management API access from a web app

Is it possible to gain access to the Azure Management APIs through the client ID and secret for a web app?
I have a web app through which I want to be able to manage Azure. I want to do this using the credentials of the application itself so that the current user does not have to be an Azure administrator.
I have given the web app the necessary role on my subscriptions and obtained the access token through the client credentials grant flow in AD, but I still get an unauthorized response.
This is probably because the Azure management API has no permission set other than delegated - the access works fine if I use the authorization code grant flow for the logged-in user, but that's not what I want.
So to reiterate: given a web app that has RBAC to a subscription and is able to obtain an access token from AD, is there any way, without an interactive user, that the web app is able to use the management API?
Yes, you can obtain a token from AAD for a service principal and use that to manage resources as long as that service principal has all the access you need.
Make sure the token you get has a resource/audience of "https://management.azure.com" and is for the tenantId that the subscription is associated with.
You can also see this article from Brady Gaster that explains how to use Azure AD applications to manage Azure Services from an external app : http://www.bradygaster.com/post/using-windows-azure-active-directory-to-authenticate-the-management-libraries
EDIT : Azure AD supports Service to Service calls using OAuth 2.0 client credentials: https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
Hope this helps,
Julien