I would like to know if it is always recommended to use Managed Identities in Azure , mostly system assigned or a Service Principal?
When should Service Principals be used in Azure compared to a managed identity, what is the advantage of one over the other?
Any help would be appreciated.
Internally, managed identities are service principals of a special type, which are locked to only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed. Also, when a User-Assigned or System-Assigned Identity is created, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity.
Source: What are managed identities for Azure resources?
and
So what’s the difference?
Put simply, the difference between a managed identity and a service principal is that a managed identity manages the creation and automatic renewal of a service principal on your behalf.
Source: What’s an Azure Service Principal and Managed Identity?
A managed identity is a type of the service principal.
A service principal can be one of three types: application, managed identity, and legacy. The division into types is based on circumstances of their usage. Thus their specific handling also differs based on their type.
rickvdbosch provided link to an article that talks about specifics of the managed identity type of the service principal.
For those who would like to learn about the concept of the service principal object and its types, here is a link to a different article:
Application and service principal objects in Azure Active Directory.
An Azure service principle is like an application, whose tokens can be used by other azure resources to authenticate and grant access to azure resources.
Managed identities are service principals of a special type, which are locked to only be used with Azure resources.
The main difference between both is that in managed identity you don’t need to specify any credentials in your code compared to service principles where you need to specify application id, client id, etc to generate a token to access any Azure resource. Ideally, you should opt for service principal only if the service you use doesn’t support managed identity.
Service Principal
We can say the most relevant part of the Service principal is the Enterprise Apps section under Azure Active Directory. This is basically an application that will allow your user apps to authenticate and access Azure resources, based on the RBAC.
It essentially is an ID of an application that needs to access Azure resources. In layman’s terms, imagine if you have to assign certain access to your colleague so that he\she can access Azure resources and perform required tasks, you can use their email id as a way to authenticate the user.
Managed Identity
We can say that the Managed Identities are actually Service Principals and they are identical in the functionality and purpose they serve.
The only difference is, that a managed identity is always linked to an Azure Resource, unlike an application or 3rd party connector mentioned above. They are automatically created for you, including the credentials; big benefit here is that no one knows the credentials
There are two types of managed identities:
1.) System assigned; in this scenario, the identity is linked to a single Azure Resource, eg a Virtual Machine, a Web App, Function,… so almost anything. Next, they also “live” with the Azure Resource, which means they get deleted when the Azure Resource gets deleted.
2.) User Assigned Managed Identity, which means that you first have to create it as a stand-alone Azure resource by itself, after which it can be linked to multiple Azure Resources. An example here could be out of integration with the Key Vault, where different Workload services belonging to the same application stack, need to read out information from Key Vault. In this case, one could create a “read KV” Managed Identity, and link it to the web app, storage account, function, logic app,… all belonging to the same application architecture.
Managed Identities are tied to a resource (VM, Logib App, etc). To give the resource grants and permissions for accessing(CRUD) other resources you use Managed Identities.
Service Principial do not have to be tied to a resource, they leave under tenant and above subscription, and what is more is more important - have some auth tokens that could be stored somewhere (Key Vault). It is like a fake user with some credentials and tokens.
A Service Principal could be looked at as similar to a service account-alike in a more traditional
on-premises application or service scenario. Managed Identities are used for “linking” a Service Principal
security object to an Azure Resource like a Virtual Machine, Web App, Logic App or similar
Related
I have a rather (hopefully) theoretical question regarding the secure usage of Service Pricipals in Azure (Enterprise Applications)
Introduction
we currently deploy our DevOps Code via Azure Service Principals.
AppRegistration/Enterprise App is created
Secret is generated
Permission (i.e. Contributor) to the Ressource Group is granted in Azure
Service Connection is made in Devops
everything works fine.
Assumption
By default the Service Principal (Enterprise Application) is not restricted to a specific user/group (Assignment Required => "no").
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
I i.e. do this by using the "Graph Powershell API"-EnterpriseApp.
I can either use a Secret or use my User Credentials to access the Service Principal and its permissions
Security issue?
coming back to our DevOps configuration:
The Service Principal has Contributor Permission on the dedicated Resource Group
Assignment Required is set to no (default configuration)
if I (as a malicious user) have the Application ID, i could simply logon to the Service Principal and receive the Token.
Question:
With this token and my login to the App, do i also have the Contributor Permissions of the App and could now manipulate the whole Resource Group?
Since i'm not an Azure Developer - but only an Azure AD Admin - my knowledge regarding this is limited,
so i'm not able to test it.
Can someone maybe either provide code or prove that my assumptions are wrong or correct?!
Thanks
Yes, the SPN can manage the resources within the resource group if it has Contributor - it is no different than a normal (human) identity.
Consider if the SPN actually needs Contributor or if you can limit it with another role or even make a custom role.
Furthermore, monitor the sign-ins using the Azure AD sign-in logs:
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins
You can also use CanNotDelete resource lock, which means that the service principal cannot delete resource as it is only Contributor:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
You might want to look into the Conditional Access to strengthen your environment:
https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review
Take a look here:
https://infosecwriteups.com/a-lab-for-practicing-azure-service-principal-abuse-bd000e6c48eb
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/disable-user-sign-in-portal
https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-9.3.0#example-3-connect-to-azure-using-a-service-principal-account
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
No. They would need the client secret or the rights to generate a new one. Which requires that they are owners of the App Registration. In the App Registration on the Owners tab it says:
The users listed here can view and edit this application registration. Additionally, any user (may not be listed here) with administrative privileges to manage any application (e.g., Global Administrator, Cloud App Administrator etc.) can view and edit the application registrations.
I read about managed identity here:
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
From what I understand, in order to use a user defined managed identity I need to define it, give it access rights to the resource I want to access and then set the identity in other resources so that can use that identity to get the access rights to the resource from before. All of the above are Azure defined resources.
My question is how can I use managed identity to identify services installed on a cluster? In which case the services are not Azure resources I can set the identity on so I don't know how they can use it.
I have a serviceA in TenantA which needs to deploy resources to a subscription_X that is in tenantB say using ARM SDK. This means serviceA must be having rights to create the resource group in the subscription_X too.
How can serviceA in the tenantA get a contributor access to the tenantB's subscription_X ?
ServiceA is a micro service running in AKS or VM
A Managed Identity can only be used within the tenant that is linked to the subscription it is in.
So it won't work for this scenario.
A service principal can be used, but it would need to be made into a multi-tenant app + an admin from tenant B would have to go through a manually written admin consent URL for it to show up in their tenant.
I'd say the easiest approach is for tenant B admin to define an app registration/service principal in tenant B.
If you use certificate authentication, you'd generate the certificate and give them the public key so that they can assign it to the app in their tenant.
If using client secret, they will have to add it and send it to you.
From what I know it is not possible.
Considering Managed Identities are scoped to a single subscription, I don't think it is possible for you to manage resources in a different subscription using a Managed Identity in another subscription.
Similarly Service Principals are special kind of Azure users that gets created automatically when you assign access to resources in an Azure AD (tenant). They also can't be shared across tenants.
What you have to do is register your Azure AD application in the target tenant. As a result of that, a new Service Principal will be created in that tenant. You can then assign proper Azure RBAC role to this Service Principal so that it can perform necessary operations on Azure Subscriptions where it has been assigned a role. You can either use Client ID/Client Secret or Client ID/Client Certificate of your Azure AD application to authenticate the Service Principal.
I am currently in the process of setting up Sentinel POC, within Sentinel you have playbooks which is basically Logic Apps, it is same as the playbooks in security center.
I need to know what permissions i need on target subscriptions in order to automate remediation of alerts, for example isolate a VM, Stop a VM, etc.
Our Sentinel will have its own subscription in a tenant where there are 100's of subscriptions.
Its best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
As for the exact permissions for this service principal / managed identity, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.
I'm looking for my VSTS deployment agent service principal to get the Object ID of a managed service principal (created by Data Factory V2).
It needs this for assigning ACL's in data lake store.
However as far as I can tell, it requires Read Permission on Azure AD.
I wish to avoid granting it read permission if possible, to follow the 'least privilege' mantra.
For non-managed service principals, I allow the deployment agent to manage service principals it has created (thus not needing full read access). However I suspect the fact that the service principals are managed by Azure it is unlikely I'll be able to give the deployment agent any ownership over the managed service principal (however I'm working with AD admins to see if there is a way).
I've tried everything I can think of mixing and matching Azure RM data factory v2 powershell modules and Azure AD modules.
Is it possible to get the id without Azure AD read access? Or a novel workaround (I'm considering a constrained Web API wrapper)?