How to lock an Azure web app down to a specific group of users - azure

This should really be a basic question, but I can't find the answer anywhere.
I've got a website that I'm hosting as an Azure Web App. I've created an App Registration and I've associated the Web App with the App. Now, I'm prompted to log on before being allowed to view the web site. So far so good, but I want to lock it down so that only a specific group of users has access to the site.
I go to Enterprise Applications and I give the application permission to certain users/groups. But I can still log into the website as any user in the tenancy.
How do I ensure that only a certain group of users can log into the website?

It looks like you've discovered how to assign users and groups to the app (under Enterprise apps, in the Azure portal). These assignments are called "app role assignments". As you've also noticed, by default, app role assignment is not required in order for users to be able to sign in. However, there is a configuration which you can use to require an app role assignment.
In the Azure portal, under Azure Active Directory > Enterprise apps > (choose your app) > Properties:
(Note: Sometimes it takes a few seconds for this option to appear, when you load the Properties blade.)
And if you want to do the same thing with Azure AD PowerShell, you could do something like this:
# Look up the service principal (enterprise app) by its application ID
$appId = "{the app ID}"
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
# Require an app role assignment before a user can sign in to this app
Set-AzureADServicePrincipal -ObjectId $servicePrincipal.ObjectId `
-AppRoleAssignmentRequired $true
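Added example, not part of the original answer: the same change made with the Microsoft Graph PowerShell SDK (the AzureAD module used above is deprecated), followed by assigning one security group to the app and verifying who is now allowed to sign in. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Groups modules are installed and that the signed-in admin has consented to the listed scopes; the app ID and group name are placeholders.

```powershell
# Added example: require an app role assignment, then assign a group (Graph PowerShell SDK).
# Assumes the caller holds Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All and
# Group.Read.All; $appId and $groupName are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Group.Read.All"

$appId     = "{the app ID}"     # Application (client) ID of the web app's registration
$groupName = "WebApp Users"     # placeholder: the security group allowed to sign in

# The enterprise app (service principal) carries the "Assignment required?" setting
# and the app role assignments; the app registration does not.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# 1. Require an app role assignment before Azure AD issues a token for this app.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 2. Assign the group. A registration without custom app roles exposes only the
#    "Default Access" role, whose ID is the all-zero GUID.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id `
    -ResourceId  $sp.Id `
    -AppRoleId   "00000000-0000-0000-0000-000000000000"

# 3. Verify: the setting is on and only the intended principals are listed.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
"AppRoleAssignmentRequired = $($sp.AppRoleAssignmentRequired)"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

Step 3 is the check worth keeping: if a user outside the group can still sign in after this, the service principal you updated is not the one the web app authenticates against (check the app ID in the App Service authentication settings). Assigning groups rather than individual users requires an Azure AD Premium licence.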

Azure Websites integrates with the Role-Based Access Control (RBAC) feature. Enabling RBAC gives you greater control over whom you allow access to your resources and what level of access each person has.
Go to your app -> Access Control (IAM) -> assign roles.
Owner - Has full admin access to the site and can perform all operations.
Contributor – Can deploy code, start/stop the site, swap deployments, delete the site, etc. Cannot change pricing plan or perform some other admin functions.
Reader – Can view the website in the portal, but cannot make any changes to it.
For more details, refer to Managing User Access to Specific Sites in the Azure Portal and Use Role-Based Access Control to manage access to your Azure subscription resources.
Hope this helps.

Related

DevOps: Azure Enterprise Application - login via Secret vs. interactive -> Security Issue?

I have a rather (hopefully) theoretical question regarding the secure usage of Service Principals in Azure (Enterprise Applications)
Introduction
We currently deploy our DevOps Code via Azure Service Principals.
AppRegistration/Enterprise App is created
Secret is generated
Permission (i.e. Contributor) to the Resource Group is granted in Azure
Service Connection is made in Devops
everything works fine.
Assumption
By default the Service Principal (Enterprise Application) is not restricted to a specific user/group (Assignment Required => "no").
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
I i.e. do this by using the "Graph Powershell API"-EnterpriseApp.
I can either use a Secret or use my User Credentials to access the Service Principal and its permissions
Security issue?
coming back to our DevOps configuration:
The Service Principal has Contributor Permission on the dedicated Resource Group
Assignment Required is set to no (default configuration)
if I (as a malicious user) have the Application ID, I could simply log on to the Service Principal and receive the Token.
Question:
With this token and my login to the App, do I also have the Contributor Permissions of the App and could now manipulate the whole Resource Group?
Since I'm not an Azure Developer - but only an Azure AD Admin - my knowledge regarding this is limited, so I'm not able to test it.
Can someone maybe either provide code or prove that my assumptions are wrong or correct?!
Thanks
Yes, the SPN can manage the resources within the resource group if it has Contributor - it is no different than a normal (human) identity.
Consider if the SPN actually needs Contributor or if you can limit it with another role or even make a custom role.
Furthermore, monitor the sign-ins using the Azure AD sign-in logs:
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins
You can also use a CanNotDelete resource lock, which means that the service principal cannot delete resources as it is only Contributor:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
You might want to look into the Conditional Access to strengthen your environment:
https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review
Take a look here:
https://infosecwriteups.com/a-lab-for-practicing-azure-service-principal-abuse-bd000e6c48eb
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/disable-user-sign-in-portal
https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-9.3.0#example-3-connect-to-azure-using-a-service-principal-account
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
No. They would need the client secret or the rights to generate a new one. Which requires that they are owners of the App Registration. In the App Registration on the Owners tab it says:
The users listed here can view and edit this application registration. Additionally, any user (may not be listed here) with administrative privileges to manage any application (e.g., Global Administrator, Cloud App Administrator etc.) can view and edit the application registrations.

User can't access correct Azure portal

We're a very small company, for unknown reasons our internal app infrastructure (based on PaaS VMs) was set up on the Azure subscription for a "personal" Windows Live account of an internal email address, with only that one user in the AD. (We also use the "correct" Azure instance, the AD is synced from the remnant of our old on-prem infrastructure and our Office 365 is based on it.)
We're about to recruit a second developer, I want to give him some level of access to our app infrastructure but not the global admin that sharing the existing single account would provide. I've experimentally added another user to the Azure AD as a global admin (so it should have access to everything) but when I log in with that user it takes me to the portal for the default free personal Azure instance you get if there's nothing set up. If I paste in a URL for a resource in the account it's global admin for I get "You do not have access" (403). (Audit trail of the user in Azure AD shows it logged in.)
Is there an inherent restriction on this type of account (in which case I'll have to bite the bullet and migrate the infrastructure where it belongs) or should I be able to expect this user to be able to access the right portal - and if so what do I need to do to get that to happen?
Having Global Admin role in Azure AD does not give you access to Azure resources, only to manage users etc. in Azure AD.
You need to add e.g. Owner/Contributor role on the subscription to the user through the Access Control (IAM) tab.

My VSTS Service Connection needs to be allowed to add a reply url to an azure ad application

We are using VSTS/Azure DevOps to build and deploy our web services to Azure.
In the release step we use the Azure CLI build task to set up the environment for the web service. The build task uses a Service Connection to be authorized to do these actions.
The build task can create web services and deployment slots without issue, but when I try to instruct it to add a new reply url to the Azure AD application the web app uses to authenticate users, I see the following:
az ad app update --id 3e5a96e9-7311-4f92-869b-fbb5bbe8e41f --reply-urls http://mytestapp.azurewebsites.net
ERROR: Insufficient privileges to complete the operation.
The service connection used is an Azure RM service connection using a Service Principal. Is this correct? I'm guessing there is a permission I need to set on the service principal, but which one?
Jayendran is correct. The user must be a member of Global Admin role in the directory because the Reply URL is added in the app registration.
You may also need to grant permissions to the app itself.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-integrate-apps-with-azure-ad
If you're looking to follow the least privileges principle and not assign the highest possible privilege available (as per your comment), I see 3 possible options that could work for you -
Owner for only a specific application (and NOT the Owner/Global Administrator for entire Azure AD)
You can add the user as Owner for only the specific application, which they need to manage (in your case, change reply URLs for).
Pro: Obviously the good thing about this approach is that this user gets to manage the app registration for only this particular application and none of the others in your Azure AD.
How: Go to "App Registrations" in Azure AD and navigate to the specific application. Now click on "Settings" and select "Owners"
Application Administrator Role
This one is a little more generic and a higher privilege in comparison to single application owner, as it gives the user access to manage application registrations for all applications.
Pro: Role is specific to only managing application registrations. It helps in a scenario where all applications need to be managed by this user.
How: Go to "Users" in your Azure AD and then select the specific user. Now go to "Directory Role" and add "Application Administrator Role"
Application Developer Role
This one is very similar to option 2 i.e. "Application administrator". Difference being that "Application developer" gets permissions for only those applications which they are developing, so the registration was done by them.
Pro: Good for a user that is about to create and manage registrations for multiple applications.
How: Very similar to option 2 above.
More information about all the available roles and granular permissions that are used by these roles in Microsoft Docs:
Available Roles
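Added example, not part of the answer above: option 2 (Application Administrator) applied to the service principal behind the Azure DevOps service connection, which is the identity that received "Insufficient privileges" in the question. Directory roles can be held by service principals as well as users. This uses the Microsoft Graph PowerShell SDK rather than the portal steps in the answer; it assumes the admin running it has the RoleManagement.ReadWrite.Directory and Application.Read.All scopes, and the app ID is a placeholder.

```powershell
# Added example: grant a service principal the Application Administrator directory role
# (tenant-wide) and list the roles it holds afterwards. Microsoft Graph PowerShell SDK;
# assumes RoleManagement.ReadWrite.Directory consent. $serviceConnectionAppId is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Application.Read.All"

$serviceConnectionAppId = "{app ID of the Azure DevOps service connection}"

# The principal is the service principal (enterprise app), not the app registration object.
$sp = Get-MgServicePrincipal -Filter "appId eq '$serviceConnectionAppId'"
if (-not $sp) { throw "Service principal not found for appId $serviceConnectionAppId" }

# Resolve the role by display name instead of hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Administrator'"
if (-not $role) { throw "Role definition 'Application Administrator' not found" }

# "/" is tenant-wide scope: this principal may now manage every app registration.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/"

# Verify: every directory role assignment held by this service principal.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Role = $def.DisplayName; Scope = $_.DirectoryScopeId }
    }
```

The verification step is what to review periodically: a pipeline identity holding Application Administrator can change the reply URLs and credentials of any app registration in the tenant, so if only one registration ever needs editing, option 1 (owner of that single app) is the smaller grant.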

How to grant subscription access to an azure registered application?

I am trying to set up octopus to deploy resources to azure.
Under azure active directory I've added a new app registration, and have generated a key and hooked up octopus with the correct Application ID, Tenant ID and key
The organisation has multiple azure subscriptions corresponding to the environments, so I've noticed if I use the Subscription ID of my "Visual Studio Professional MSDN" subscription it works and creates the resources, however if I try to use any of the other organisation Subscription IDs I get the following error:
Login-AzureRmAccount : The provided account c0b2.......76a6 does not
have access to subscription ID "f06.......2aa3". Please try logging in
with different credentials or a different subscription ID.
I have looked through all the settings of the Application Registration and granted it every "Windows Azure Active Directory" permission available, but still no luck.
How do I go about granting permissions to this Application Registration so that it can access the relevant subscriptions?
You need to give the app a role on the subscription/resource group/resource you want it to be able to access.
So for example, you can go to the Access Control (IAM) tab of the subscription, and give the app the Contributor role, which allows the app to read and modify anything in the subscription.
You can also give a more limited role if desired.
Roles can also be applied at a lower scope, like a resource group.
More info in the docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
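Added example, not part of any of the answers above: the Az PowerShell equivalent of the advice given here and in the earlier threads (give the app a role on the subscription, resource group or resource; prefer a narrower built-in role than Contributor; add a CanNotDelete lock; check the result). The same New-AzRoleAssignment call with a user's object ID at subscription scope is the fix for the "Global Admin but 403 in the portal" thread above. It assumes the Az.Accounts and Az.Resources modules are installed and that the caller holds Owner or User Access Administrator on the target scope; IDs and names are placeholders.

```powershell
# Added example: scoped, least-privilege role assignment for a service principal,
# a CanNotDelete lock, and verification, using the Az PowerShell module.
# Assumes the caller can assign roles at the chosen scope. All IDs/names are placeholders.
Connect-AzAccount -Subscription "{subscription ID}"

$appId             = "{application (client) ID of the app registration}"
$resourceGroupName = "rg-app-prod"          # placeholder
$roleName          = "Website Contributor"  # built-in role: manage web apps, nothing else

# Az resolves the enterprise app by its application ID; role assignments need its object ID.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal for appId $appId in this tenant" }

$rg = Get-AzResourceGroup -Name $resourceGroupName

# 1. Assign the role at resource-group scope rather than on the whole subscription.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $rg.ResourceId

# 2. CanNotDelete lock: a Contributor-level principal can still modify resources but
#    cannot delete them, because removing the lock needs Microsoft.Authorization/locks/*.
New-AzResourceLock -LockName "no-delete" -LockLevel CanNotDelete `
    -ResourceGroupName $resourceGroupName `
    -LockNotes "Deployment identity may change but not delete resources" -Force

# 3. Verify: every role this principal holds in the subscription, and the locks in place.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
Get-AzResourceLock -ResourceGroupName $resourceGroupName | Select-Object Name, Properties
```

If step 3 shows the principal with Contributor at subscription scope from an earlier setup, that assignment is the one to remove (Remove-AzRoleAssignment with the same ObjectId and Scope) once the pipeline is confirmed working with the narrower role.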

App Registration in AD doesn't show in Apps Portal

I created an Azure Active Directory via the Azure portal. Then, I registered an app in it. I can configure it, add permissions and the like via the azure portal. But the same app I created, I don't see on https://apps.dev.microsoft.com/
Shouldn't I be able to see and configure the app I made in AD at that portal, too?
The apps that appear in the Application Registration Portal are the ones where you are explicitly marked as an owner of the application. This is in contrast to the apps that appear in the Azure Portal, which are all the applications registered in your tenant, independent of whether or not you are an owner.
If you are a normal user, and you create an application in the Azure Portal, you should see your application appear in a section called "Azure AD only applications"
Here is the owner information for "Email Scraper" from the Azure Portal.
However, if you are a Tenant Administrator and you create an application, you will not be marked as an owner of the application. Implicitly, Tenant Administrators are owners of all objects in the directory, and to reduce the object quota generated by admins, these explicit links are not created.
Here is an example of an app I created where I am the Tenant Administrator:
Therefore, you probably do not see your application in the App Registration Portal because you are not marked as an Owner of the application, probably because you are an Administrator who created the app, or you did not create the app to begin with. You can remedy this by simply adding yourself to the owner list in the Azure Portal.
Let me know if this helps!
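Added example, not part of this answer: adding an explicit owner to an app registration and listing its owners, which is the remedy described here and also option 1 (owner of a single application) in the reply-URL thread above. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules are installed and the caller has the Application.ReadWrite.All and User.Read.All scopes; the app ID and UPN are placeholders.

```powershell
# Added example: add an explicit owner to an app registration and verify the owner list.
# Microsoft Graph PowerShell SDK; assumes Application.ReadWrite.All and User.Read.All.
# $appId and $ownerUpn are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"

$appId    = "{app ID of the registration}"
$ownerUpn = "developer@contoso.example"   # placeholder: the user to add as owner

# Owners live on the application object (the app registration), not the service principal.
$app = Get-MgApplication -Filter "appId eq '$appId'"
if (-not $app) { throw "Application not found for appId $appId" }

# To make a service principal (e.g. a pipeline identity) the owner instead, resolve it with
# Get-MgServicePrincipal -Filter "appId eq '...'" and use its Id in the same reference below.
$owner = Get-MgUser -UserId $ownerUpn

# Ownership is a reference to a directoryObject, so the body is an @odata.id link.
New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($owner.Id)"
}

# Verify the explicit owner list. An administrator who created the app is not listed
# here unless added explicitly, which is the situation the answer above describes.
Get-MgApplicationOwner -ApplicationId $app.Id | ForEach-Object {
    [pscustomobject]@{
        Id   = $_.Id
        Name = $_.AdditionalProperties['displayName']
        Upn  = $_.AdditionalProperties['userPrincipalName']
    }
}
```

Owners can change credentials and reply URLs for that one registration, so the owner list is worth auditing alongside directory role membership: every entry here is an identity that can alter how the application authenticates.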
