Goal: Prevent the use of client ID and secrets when making calls to Graph API.
Is either of the following possible?
Use Azure Managed Identity (that has been given Microsoft Graph API permissions) in applications using Azure B2C for Authentication. Thus avoiding the use of client ID and secrets.
If 1. is not possible, used Managed Identity (that has been given Microsoft Graph API permissions) in applications using Azure B2C for authentication to access secrets in Azure KeyVault.
MSI does not work with B2C, B2C does not host Azure Resources or Azure subscriptions.
Instead you have your app hosted in the Azure Subcription tied to your Corp AAD, where you can create MSI's to access things like KeyVault (KV).
Unfortunately that does mean that you cannot use MSI to access Graph API in the context of the B2C tenant.
Related
I am looking for examples to fetch access token for azure storage account access via azure active directory with service principal in python
It seems like https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/client_credentials_sample.py doesn't support service principal access
are there other ways in fetching token via service principal?
• Yes, you can surely fetch an access token for an Azure storage account via Azure Active Directory using a service principal, i.e., an app registration by following the steps below as given in the below documentation link: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service
As per the above documentation, you will have to host your python application code in a web app service and create a system assigned managed identity for it. Once created, then an application will be created in Azure AD with the same ‘Object ID’ as shown in the managed identity section of the web app service. Before moving onto this application created in Azure AD, assign the required roles to this system assigned managed identity through the ‘IAM’ tab. So, in your case, you should assign the role of ‘Storage Account Contributor’ to the ‘System-assigned managed identity’ created for the web app service.
• Once, the role has been assigned, then go to the ‘Enterprise application’ and search for the ‘Object ID’ of the managed identity, you will encounter an application with the name of the web app service, in that, go to ‘Permissions’ under ‘Security’ tab and assign the required permissions and admin consent required to the application. The permissions shown are those that are allowed under the scope of ‘Storage Account Contributor’ and similarly, you must assign permissions from it to the app/service principal. Then ensure that you are correctly calling the environment variables of this application created in Azure AD regarding the managed identity and implement the ‘DefaultAzureCredential’ from the ‘azure.identity’ module. For this purpose, kindly refer to the below subsection of the above documentation: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service#3---implement-defaultazurecredential-in-your-application
In this way, you can fetch an access token for the Azure storage account via Azure Active Directory using a service principal.
We earlier used sas token to access the storage account.Now the requirment is to not to use it. Is it possible for an azure app to access the storage account if it has owner access. I tried using it . But getting this error.
message": "The specified resource does not exist
the url we are using is
`https://${tableService.storageAccountName}.table.core.windows.net/tablename
Simply pointing to a storage account, without any form of credentials, will not work for a private storage account or container.
There are a couple of options you have to provide credentials to connect to a storage account, like using the connection strings containing the access keys or using Managed Identities for Azure resources.
Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens.
Here are some of the benefits of using managed identities:
You don't need to manage credentials. Credentials aren’t even accessible to you.
You can use managed identities to authenticate to any resource that supports Azure AD authentication, including your own applications.
Managed identities can be used without any additional cost.
Because of these benefits and the ease of use I would suggest you Authorize access to blob data with managed identities for Azure resources.
Azure Blob Storage supports Azure Active Directory (Azure AD) authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to blob data using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.
Assign an RBAC role to a managed identity
When an Azure AD security principal attempts to access data in an Azure Storage account, that security principal must have permissions to the data resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to data in Azure Storage.
I have two separate web applications, one built with .NET Framework and the other built with .NET Core. Both web applications make up one solution which we ship to our customers. The solution itself is a SaaS subscription-based solution, where users would be able to sign-up with using either a Microsoft/Office 365, GSuite, or organizational account (basic username/password). We would like to restrict sign-up to organizational/business accounts only.
As I understood, Azure B2B is mainly useful when you have something internal and you would like to give external users some limited access to it. Given that I have a multi-tenant SaaS solution, I believe that Azure B2C makes more sense.
Furthermore, in our solution, we would also want the ability for external users to access Tabular Models in Azure Analysis Services and SSRS.
Is access to only organizational accounts, something that can be configured through Azure AD B2C?
Can access be granted to external users to Azure Analysis Services or other Azure tools when using Azure B2C?
You have two options
Option 1, Using Azure AD External identities solution - recommended
You can use newly released self service sign up solution in Azure AD external identities . You can very well restrict sign up to other Azure AD accounts only. However for sign up using other federation systems - you need to try on. I think as of today only Google and Facebook are supported apart from Azure AD.
Option 2, use Azure AD B2C and use app only authentication.
Azure AD B2C consumer accounts are by default not supported by Azure services or Office. But you can use app based authentication to provide these services. Your client app will call your backend api using Azure AD B2C token. Your backend app can perform all auth validations and then call the backend Azure or any other service using app only authentication mode.
I am attempting to follow these instructions to set up Azure Key Vault, and I am on the step to "Register an application with Azure Active Directory".
In the instructions, there is this guideline:
Important: To complete the tutorial, your account, the vault, and the application that you will register in this step must all be in the same Azure directory.
Three important pieces of info about my configuration:
Since our team is using Azure Active Directory B2C and not Azure AD, the AAD B2C instance is in a different directory, as shown in the top right corner of the screenshot below.
Our web app (name MyApp) is registered to AAD B2C within Directory2, as shown by the circle in the middle of the screenshot below.
However, the actual Web Application resource is in Directory1, as shown in the screenshot below
How should I move forward? Should I move the KeyVault & MyApp to Directory2 or move the AAD B2C instance to Directory1?
Unfortunately, You cannot use Azure KeyVault for Azure AD B2C Application.
Why?
1.For your sceanrio,generally,we can secure Azure Web App with Azure AD and Azure AD B2C. However, for Azure AD B2C application, the key can only be generated by Azure. You cannot use a custom key for AAD Application.
2.AAD B2C application is not with a service principal. If you want to authorize the application to use the key or secret, you may use following powershell scripts:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToKeys decrypt,sign
However,this powershell cmdelet needs to speicfy one Serviceprincipal Name. AAD B2C is not with a service principal. So,you cannot use this powershell for AAD B2C App.
So,even you can let the key vault and AAD B2C application are in a same tenant, but you still cannot use the key vault for AAD B2C.
My Suggestions:
Although you can integrate AAD B2C to do authentication/authorization for your Azure Web App, but this feature is designed for AAD,NOT Azure AD B2C. However,you can still integrate AAD B2C with your web App, but you cannot use keyvault for your B2C app. I'm sorry for this suitation, but B2C is for develop environment,it's not likes AAD.
If you mind use generated key by Azure and need this feature, you can post your idea in this Feedback Forum, Azure Team will review it.
Hope this helps!
I am creating a rest API which I am securing using OAuth2 client-credentials flow in Azure Active Directory. This requires me to set up the clients who should get access to my API as applications in Azure AD.
I would really like to take the AD thing a step further and have SQL Database access using AD Security Groups.
The question is; can I add an AD application to a security group and get Azure Active Directory login to work?