I have created an Azure application which I use to sync user data using the Graph API. I am able to sync the data. However, I have a security concern. I am using certificate-based authentication for the Graph API to access data. However, if anyone has access to the certificate, they can access the Graph API to sync the data.
Is there any way we can limit the application's access using the Graph API?
Can we limit the access to certain IP ranges?
No
You can use Conditional Access to block access for users based on IP address ranges, but not for service principals when you're authenticating as an application.
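Since the answer rules out an IP restriction on the service principal, what the sync job can still do is hold only the application permissions it needs and refuse to run on a token that carries more. The following is an added example, not code from the question or the answer: it decodes the claims of the app-only access token the job just acquired and checks the `roles` claim against an allow-list. The client id, tenant id, the `User.Read.All`-only allow-list and the sample tokens (unsigned, built inline) are all constructed placeholders; real Graph tokens are RS256-signed and are verified by Graph itself, so this is a local policy check, not signature validation.

```python
import base64
import json

# Assumed least-privilege grant for a read-only user sync; adjust to the app's real grant.
ALLOWED_ROLES = {"User.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(token: str, expected_appid: str, expected_tenant: str,
                    allowed_roles=ALLOWED_ROLES) -> list:
    """Return a list of policy violations for an app-only Graph token; an empty list means OK."""
    claims = jwt_claims(token)
    problems = []
    # v1.0 tokens name the calling application in 'appid'; v2.0 tokens use 'azp'.
    appid = claims.get("appid") or claims.get("azp")
    if appid != expected_appid:
        problems.append(f"unexpected appid {appid!r}")
    if claims.get("tid") != expected_tenant:
        problems.append(f"unexpected tenant {claims.get('tid')!r}")
    if claims.get("aud") != "https://graph.microsoft.com":
        problems.append(f"token not issued for Graph: aud={claims.get('aud')!r}")
    # App-only tokens carry permissions in 'roles'; a delegated (user) token carries 'scp'.
    if "scp" in claims:
        problems.append("delegated token (scp present) where an app-only token was expected")
    roles = set(claims.get("roles", []))
    if not roles:
        problems.append("no roles claim; Graph rejects an app-only token without roles")
    extra = roles - set(allowed_roles)
    if extra:
        problems.append(f"over-privileged roles granted: {sorted(extra)}")
    return problems


def make_unsigned_token(payload: dict) -> str:
    """Constructed test token: alg 'none' and an empty signature segment, for offline use only."""
    header = {"alg": "none", "typ": "JWT"}
    return (f"{_b64url_encode(json.dumps(header).encode())}."
            f"{_b64url_encode(json.dumps(payload).encode())}.")


APP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder client id
TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # placeholder tenant id
GRAPH = "https://graph.microsoft.com"

# Constructed samples: one token with exactly the allowed role, one with an extra write role.
GOOD_TOKEN = make_unsigned_token(
    {"aud": GRAPH, "tid": TENANT, "appid": APP_ID, "roles": ["User.Read.All"]})
OVERPRIVILEGED_TOKEN = make_unsigned_token(
    {"aud": GRAPH, "tid": TENANT, "appid": APP_ID,
     "roles": ["User.Read.All", "Directory.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("overprivileged", OVERPRIVILEGED_TOKEN)]:
        print(name, check_app_token(tok, APP_ID, TENANT) or "OK")
```

Run the check once per acquired token and abort the sync on any non-empty result; that turns an accidental over-grant in the portal into a failed job rather than a silently wider blast radius if the certificate is ever copied.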
I have created a FHIR server using Azure API for FHIR. I have created a smartclient in Azure using the MS open source SMART on FHIR proxy (https://github.com/microsoft/fhir-proxy/tree/main/scripts). I basically got standalone launch working using this proxy.
I have used MSI as an authentication system and AAD as an identity provider.
The Azure AD consent prompt is all or nothing (the app asks the user to consent to a list of permissions, and the user can accept or deny them all). The limited access scenario (g)(10)(v)(A)(10,11,12) seems to require that the user is presented with a list of permissions with the ability to accept or deny each one.
How can I achieve this using AAD?
I have seen something like this in Azure Graph Explorer (please see the screenshot), but I'm not sure how I can achieve this here in AAD.
Here is more detailed information about my case:
smartclient name: proxy10391-smart-client-1212
fhir server: fhirstandalonecli
fhir proxy: sfp-proxy10391.azurewebsites.net
I have assigned these permissions to my smartclient (listed in a screenshot that is not reproduced here):
Whenever I'm using the OAuth 2.0 flow, the user automatically gets permission to access all of the above resources.
For the Limited App case I want the user to select individual permissions at run time.
Suppose the user has not selected the Observation resource; then the user can't access that resource.
Any idea how I can achieve this using Azure AD?
I will really appreciate your help.
Currently, a user has to add my application within the Azure portal. I will then get a ClientID etc. and use that to get access to the user's Consumption data. I wondered if I could streamline this process by asking for consent using Azure authentication.
Pre-thanks!
Let me elaborate a bit more: I'm creating an application that will help the user by giving insights on their cloud spend. I get the data using the Consumption API. At the moment I get access to that API by them giving my app credentials via the Azure portal, but I want to get the access via Azure authentication.
In Azure AD, there are several auth flows; I'm not sure which one you want to use. Generally, these flows can be divided into two types: user-interactive or non-interactive.
Per my understanding, you want to call the Azure Consumption REST API via Azure AD auth. If you want the user-interactive way, you could use the auth code flow. If you want a non-interactive way, you could use the client credentials flow.
For more details, see https://learn.microsoft.com/en-us/rest/api/azure/
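To make the two flows the answer contrasts concrete, here is an added example (not code from the answer or from Microsoft's SDKs) that builds the requests each flow sends to the Azure AD v2.0 endpoints for the Azure Resource Manager scope that the Consumption API sits behind. The interactive path builds the authorization-code request with PKCE (S256, per RFC 7636) and the follow-up token exchange; the non-interactive path builds the client-credentials request. The tenant, client id, client secret, redirect URI and state values are placeholders, and the `https://management.azure.com/.default` scope is an assumption about how the Consumption API is addressed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
# Assumption: Consumption API calls are authorized with an ARM token, so request the ARM scope.
ARM_SCOPE = "https://management.azure.com/.default"


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Fresh code_verifier: 32 random bytes -> 43 base64url chars, inside RFC 7636's 43..128 range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def auth_code_request(tenant: str, client_id: str, redirect_uri: str,
                      verifier: str, state: str) -> str:
    """Interactive flow, step 1: the URL the user's browser is sent to.
    Consent for the ARM scope is requested from the user here; offline_access yields a refresh token."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": f"{ARM_SCOPE} offline_access",
        "state": state,  # caller must verify this on the redirect to stop CSRF/code injection
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"


def auth_code_token_body(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Interactive flow, step 2: form body POSTed to {AUTHORITY}/token after the redirect.
    The verifier proves the party redeeming the code is the one that started the flow."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
        "scope": ARM_SCOPE,
    }


def client_credentials_body(client_id: str, client_secret: str) -> dict:
    """Non-interactive flow: the app authenticates as itself. No user and no consent prompt,
    so the service principal itself must already hold an RBAC role that covers the data."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": ARM_SCOPE,
    }


if __name__ == "__main__":
    verifier = new_verifier()
    print(auth_code_request("common", "<client-id>", "https://localhost/cb", verifier, "s1"))
    print(auth_code_token_body("<client-id>", "https://localhost/cb", "<code>", verifier))
    print(client_credentials_body("<client-id>", "<client-secret>"))
```

The practical difference for the question: with the auth code flow the token carries the signed-in user's rights, so consent happens in the browser and no credentials have to be pasted into the portal; with client credentials the app acts as itself, which is exactly the "give my app credentials" arrangement the asker wants to move away from.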
I have applied a Conditional Access policy in Azure AD for some users to block access to Microsoft Teams. But I still need to have access to Teams from my web service with a refresh token (to post some data on behalf of that user).
When I try to refresh the token for a user who appears in that list, I get the following error:
AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
I have tried adding a Location condition to allow access to Teams only from my server's IP address. I can access Teams from a browser installed on the server (I could not access it from another computer), but this error is still reproduced.
How could I resolve this, and block access to Teams but still have the ability to refresh tokens and act on behalf of that user from my web service?
Generally, multiple conditions can be combined to create fine-grained and specific Conditional Access policies. If you block Teams for certain users, that will include the web service. If you also apply a location-based CA policy, it will allow from certain locations and block all other locations, including the client and the web service. If you block legacy authentication using the Other clients condition, you can also block web applications while allowing mobile or desktop apps that support Microsoft Teams. But blocking users while still allowing access through the web service via a CA policy is not documented; I tried it from my end in various ways, but it is not available.
We want to restrict file downloads from Azure CDN to instances of a given tool. These tools already have an ADFS client, which is currently used to get a bearer token to authenticate the client with an API hosted in DataPower. I want to create an Azure AD group, assign the clients' client IDs/secrets to this group, and restrict READ access to CDN files to this group so that they can get a bearer token and access the resource.
Is there a pre-existing pattern to restrict Read access in this manner?
Your application can make the authorization decision to provide read access to CDN resources.
Kindly go through the document for a detailed explanation.
I'm creating a simple Azure Logic App to make a GET request to an API endpoint. How do I pass the access token to authorize?
I'm requesting another API from the Logic App.
Here are the ways that you can secure access:
Generate shared access signatures
Restrict incoming IP addresses
Add Azure Active Directory, OAuth, or other security