Service principal with certificate and VSTS/TFS service endpoint - azure

On my current project I work with TFS on-prem and I need to deploy resources in Azure.
With a service principal in Azure and an ARM service endpoint in TFS, everything works fine.
However, I now have the requirement to secure the service principal with a certificate instead of a password. Creating a service principal with a certificate is almost as easy as with a password, but setting up the ARM service endpoint in TFS (also VSTS, by the way) is not that easy.
One of the fields I have to fill in for the ARM service endpoint is the "Service Principal Key".
When creating the service principal with a certificate, I don't have that value (which typically is the password used to create the AD application).
Is it possible to create a TFS service endpoint using an Azure service principal based on a certificate?

We cannot create the ARM service endpoint based on a certificate; as you mentioned, we can only provide the "Service Principal Key".
However, we can create an Azure Classic service endpoint based on a certificate.
Management Certificate:
Required for certificate-based authentication. Copy the value of the management certificate key from your publish settings XML file or the Azure portal.

Related

Use Azure KeyVault in the B2C Custom Policy Config

We are using the email invite flow to get our users created in our Azure B2C. Currently we are reviewing our management of secrets in code and config; coming out of this work, we are now using an Azure KeyVault.
Our ASP.Net website that previously had the cert loaded directly into the App Service is now referencing one in the key vault.
At the Azure B2C "Identity Experience Framework" end of the arrangement we have the “B2C_1A_IdTokenHintCert” policy key and that was created when we uploaded the certificate into Azure B2C. This breaks the approach of centralising the management of our certificates with KeyVault.
Is there a way of using KeyVault for the Custom Policy configuration?
In your particular scenario, you can expose your own metadata endpoint for id token hint validation in your App. That is what the sample does by default:
https://github.com/azure-ad-b2c/id-token-builder
You might then look for a way to reference the cert via Key Vault instead of uploading the cert to the app service, e.g. reading the cert in your app via the Key Vault API.
https://learn.microsoft.com/en-us/rest/api/keyvault/#certificate-operations

Getting Azure key vault certificates works only from local machine

I am using Identity Server to handle logins in my app hosted in MS Azure. I am using Azure Key Vault to store my certificates. When I am trying to obtain certificates from Azure Key Vault on my local machine, everything works fine, but after deploying to the server, I am getting the error described below.
I have followed this tutorial: https://damienbod.com/2020/04/09/using-certificates-from-azure-key-vault-in-asp-net-core/
I have created Azure AD and registered my app into it. Also I have created Azure Key Vault, added my app into Key Vault access principles and inside my app service I have allowed identity assigned by the system.
When I deployed this app on the server, I am getting this error:
In the key vault I allowed all permissions for this app
Is there some more setting, which needs to be done before deploying?
Thanks.
After you enable the system-assigned identity for your app service, you also need to add it to the Access policies of the keyvault with the correct certificate permission (just navigate to the Access policies, search for the web app name and add it).
The sample you provided uses the AzureServiceTokenProvider; when you deploy your code to app service, it should use the system-assigned identity to access the keyvault in your case.
To let this work, you also need to specify the AzureServicesAuthConnectionString environment variable in your app service with RunAs=App, see this link.
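The three settings the answer describes (identity, vault access policy, connection string) as one Az PowerShell script; this is an added example, not code from the question or the linked tutorial. The resource group, web app and vault names are assumed placeholders.

```powershell
# Added example; assumed names, replace with your own.
$ResourceGroup = 'rg-demo'
$WebAppName    = 'webapp-demo'
$VaultName     = 'kv-demo'

# 1. Enable the system-assigned managed identity and capture its object id.
$app = Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName -AssignIdentity $true
$principalId = $app.Identity.PrincipalId

# 2. Grant only what certificate retrieval needs. The PFX with the private key
#    is served through the *secret* endpoint, so 'Get' on secrets is required
#    in addition to the certificate permissions; nothing else is granted.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId `
    -PermissionsToCertificates Get,List -PermissionsToSecrets Get

# 3. Point AzureServiceTokenProvider at the managed identity.
#    Set-AzWebApp -AppSettings replaces the whole collection, so merge the
#    existing settings first instead of overwriting them.
$settings = @{}
$current = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName
foreach ($s in $current.SiteConfig.AppSettings) {
    $settings[$s.Name] = $s.Value
}
$settings['AzureServicesAuthConnectionString'] = 'RunAs=App'
Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName -AppSettings $settings | Out-Null

# 4. Check that the policy for the web app's identity actually landed on the vault.
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object ObjectId -eq $principalId |
    Select-Object ObjectId, PermissionsToCertificates, PermissionsToSecrets
```

The last step is the check to run when a deployed app still fails while the local run works: an empty result means the identity was enabled but never granted on the vault.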

What is the use of Azure Key Vault in case of WebApp

We have hosted our application on an Azure WebApp and want to use SSL on it. Should we use the traditional way to attach this certificate to the Azure WebApp, or should we use Azure Key Vault? Since access to the Azure WebApp through RDP is not available and Azure is managing our WebApp, can the certificate be compromised (if Azure Key Vault is not used)?
I can understand its usage in the case of a VM, but for an Azure WebApp, does it add any value?
Azure Web App doesn't rely on Azure Key Vault for any of its functionalities.
However, if you are using App Service Certificate, then you end up configuring Azure Key Vault for storing the secret. Other use cases are also there, but those are from an application perspective.

Azure KeyVault Client Certificate and Service Principal renewal

My Azure solution is composed of various modules, and each one is identified by a service principal in the Azure AD, using a certificate. I would like to have the benefits of the KeyVault Certificates auto-renewal in order to renew the client certificates. I know that the Web Apps certificate bindings are automatically updated when the certificate is renewed, but what about the service principal ones?
Does Azure KeyVault auto-renewal also automatically take care of the certificate of the service principal in the Azure AD?
While the certificate in the KeyVault itself will be auto-renewed if it is either self-signed or from one of the supported public CAs, based on the policy you set (could be n days before expiry or at some % of its lifetime), it may not automatically update the service principal. You should be able to achieve that by slightly tweaking this script to get the cert from KeyVault and also automating this through Azure Automation or any other way.
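The "tweak" the answer has in mind, written out as an added example (not the script it links to): fetch the latest version of the KeyVault certificate and register its public part on the AD application, then drop credentials that have already expired. Vault and certificate names and the application id are assumed placeholders, and the credential property names are handled for both older and newer Az.Resources versions.

```powershell
# Added example; assumed names and a placeholder application (client) id.
$VaultName = 'kv-demo'
$CertName  = 'sp-client-cert'
$AppId     = [guid]'00000000-0000-0000-0000-000000000000'   # placeholder, replace

# In an Azure Automation runbook, sign in with the account's managed identity first:
# Connect-AzAccount -Identity | Out-Null

# 1. Latest version of the certificate. .Certificate is the public part only,
#    which is all the AD application needs; the private key never leaves the vault.
$kvCert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
$x509   = $kvCert.Certificate
$b64    = [Convert]::ToBase64String($x509.RawData)

# Older Az.Resources exposes EndDate, newer (Graph-based) exposes EndDateTime.
function Get-CredEnd($c) {
    if ($c.PSObject.Properties['EndDateTime']) { [datetime]$c.EndDateTime } else { [datetime]$c.EndDate }
}

# 2. Register the renewed certificate as an additional key credential, but only
#    once: a credential whose expiry matches this version is treated as present.
$creds = @(Get-AzADAppCredential -ApplicationId $AppId)
$present = $creds | Where-Object {
    $end = Get-CredEnd $_
    $end -and [math]::Abs(($end - $x509.NotAfter).TotalMinutes) -lt 1
}
if (-not $present) {
    New-AzADAppCredential -ApplicationId $AppId -CertValue $b64 `
        -StartDate $x509.NotBefore -EndDate $x509.NotAfter | Out-Null
    Write-Output "Registered $($x509.Thumbprint), valid until $($x509.NotAfter.ToString('u'))"
}

# 3. Prune credentials that have already expired so the application does not
#    accumulate stale certificates (clients still using them have failed anyway).
foreach ($c in $creds) {
    $end = Get-CredEnd $c
    if ($end -and $end -lt (Get-Date)) {
        Remove-AzADAppCredential -ApplicationId $AppId -KeyId $c.KeyId -Confirm:$false
        Write-Output "Removed expired credential $($c.KeyId)"
    }
}
```

The modules themselves still have to pick up the new version from the vault (by certificate name, not by a pinned thumbprint), since the script only updates what Azure AD will accept.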

Are VSTS Service Principals impacted by the Azure AD signing key roll over

We have a VSTS Azure Resource Manager Service Endpoint that uses a Service Principal to connect to Azure. This service principal was created manually. I was wondering if this service principal is impacted by the Azure AD signing key rollover and whether it will handle it automatically.
If you are using a service principal created through VSTS, there shouldn't be a problem. If it's created another way, you'll want to check this article from the Azure team about the rollover.