Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDK's. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece maybe.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
I am looking for examples to fetch access token for azure storage account access via azure active directory with service principal in python
It seems like https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/client_credentials_sample.py doesn't support service principal access
are there other ways in fetching token via service principal?
• Yes, you can surely fetch an access token for an Azure storage account via Azure Active Directory using a service principal, i.e., an app registration by following the steps below as given in the below documentation link: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service
As per the above documentation, you will have to host your python application code in a web app service and create a system assigned managed identity for it. Once created, then an application will be created in Azure AD with the same ‘Object ID’ as shown in the managed identity section of the web app service. Before moving onto this application created in Azure AD, assign the required roles to this system assigned managed identity through the ‘IAM’ tab. So, in your case, you should assign the role of ‘Storage Account Contributor’ to the ‘System-assigned managed identity’ created for the web app service.
• Once, the role has been assigned, then go to the ‘Enterprise application’ and search for the ‘Object ID’ of the managed identity, you will encounter an application with the name of the web app service, in that, go to ‘Permissions’ under ‘Security’ tab and assign the required permissions and admin consent required to the application. The permissions shown are those that are allowed under the scope of ‘Storage Account Contributor’ and similarly, you must assign permissions from it to the app/service principal. Then ensure that you are correctly calling the environment variables of this application created in Azure AD regarding the managed identity and implement the ‘DefaultAzureCredential’ from the ‘azure.identity’ module. For this purpose, kindly refer to the below subsection of the above documentation: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service#3---implement-defaultazurecredential-in-your-application
In this way, you can fetch an access token for the Azure storage account via Azure Active Directory using a service principal.
I would like to know if it is always recommended to use Managed Identities in Azure , mostly system assigned or a Service Principal?
When should Service Principals be used in Azure compared to a managed identity, what is the advantage of one over the other?
Any help would be appreciated.
Internally, managed identities are service principals of a special type, which are locked to only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed. Also, when a User-Assigned or System-Assigned Identity is created, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity.
Source: What are managed identities for Azure resources?
and
So what’s the difference?
Put simply, the difference between a managed identity and a service principal is that a managed identity manages the creation and automatic renewal of a service principal on your behalf.
Source: What’s an Azure Service Principal and Managed Identity?
A managed identity is a type of the service principal.
A service principal can be one of three types: application, managed identity, and legacy. The division into types is based on circumstances of their usage. Thus their specific handling also differs based on their type.
rickvdbosch provided link to an article that talks about specifics of the managed identity type of the service principal.
For those who would like to learn about the concept of the service principal object and its types, here is a link to a different article:
Application and service principal objects in Azure Active Directory.
An Azure service principle is like an application, whose tokens can be used by other azure resources to authenticate and grant access to azure resources.
Managed identities are service principals of a special type, which are locked to only be used with Azure resources.
The main difference between both is that in managed identity you don’t need to specify any credentials in your code compared to service principles where you need to specify application id, client id, etc to generate a token to access any Azure resource. Ideally, you should opt for service principal only if the service you use doesn’t support managed identity.
Service Principal
We can say the most relevant part of the Service principal is the Enterprise Apps section under Azure Active Directory. This is basically an application that will allow your user apps to authenticate and access Azure resources, based on the RBAC.
It essentially is an ID of an application that needs to access Azure resources. In layman’s terms, imagine if you have to assign certain access to your colleague so that he\she can access Azure resources and perform required tasks, you can use their email id as a way to authenticate the user.
Managed Identity
We can say that the Managed Identities are actually Service Principals and they are identical in the functionality and purpose they serve.
The only difference is, that a managed identity is always linked to an Azure Resource, unlike an application or 3rd party connector mentioned above. They are automatically created for you, including the credentials; big benefit here is that no one knows the credentials
There are two types of managed identities:
1.) System assigned; in this scenario, the identity is linked to a single Azure Resource, eg a Virtual Machine, a Web App, Function,… so almost anything. Next, they also “live” with the Azure Resource, which means they get deleted when the Azure Resource gets deleted.
2.) User Assigned Managed Identity, which means that you first have to create it as a stand-alone Azure resource by itself, after which it can be linked to multiple Azure Resources. An example here could be out of integration with the Key Vault, where different Workload services belonging to the same application stack, need to read out information from Key Vault. In this case, one could create a “read KV” Managed Identity, and link it to the web app, storage account, function, logic app,… all belonging to the same application architecture.
Managed Identities are tied to a resource (VM, Logib App, etc). To give the resource grants and permissions for accessing(CRUD) other resources you use Managed Identities.
Service Principial do not have to be tied to a resource, they leave under tenant and above subscription, and what is more is more important - have some auth tokens that could be stored somewhere (Key Vault). It is like a fake user with some credentials and tokens.
A Service Principal could be looked at as similar to a service account-alike in a more traditional
on-premises application or service scenario. Managed Identities are used for “linking” a Service Principal
security object to an Azure Resource like a Virtual Machine, Web App, Logic App or similar
I'm referring to the Azure documentation on Application and service principal objects in Azure Active Directory.
I would like to understand the security implications of allowing users to register an application in Azure AD.
I couldn't find any documentation that explained who and who should not have the permission to do so and for what reason.
More specifically the use case is letting the owner of an Azure subscription create an ARM Service Connection in Azure DevOps. This implies registering an app in Azure AD (for this service connection).
So my question is: are there any good reason to deny the owner of an Azure subscription the permission to register applications in Azure AD?
What are the general risks or security considerations?
Only a subscription owner can define IAM for a service principal (service connection), just because you can create them it's useless without the right permissions.
But.....
If you keep on creating principals with the similar names (not following any form of naming conversion) you are very close to making a human error by giving a wrong service principal unwanted access. This can lead to potential security incidents.
Also, as an admin you will have a lot of unused 'junk' service principals in your directory. Cleanup becomes very hard with cowboy developers -demanding for them to be retained.
I have two subscriptions.
On one subscription I run logic apps and on the logic apps I have azure functions.
The other subscription contain target resources for the automation via logic apps and azure functions.
In order to run the Logic Apps and Azure functions associated it with it, what privileges do I need on target subscriptions? I want to be able to do things like stop VM, change NSG settings, run malware scans, etc
Do I need to run the logic app using an account that has owner permissions on both the subscriptions?
Regards,
Kelly
Its best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
Even in your Function Apps, you could either setup Managed Identity or use the Client Credentials Flow using the Service Principal details.
As for the exact permissions for this service principal, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.