Azure KeyVault Client Certificate and Service Principal renewal - azure

My Azure solution is composed of various modules, and each one is identified by a service principal in Azure AD, using a certificate. I would like to have the benefits of the KeyVault Certificates auto-renewal in order to renew the client certificates. I know that the Web Apps certificate bindings are automatically updated when the certificate is renewed, but what about the service principal ones?
Does Azure KeyVault auto-renewal also automatically take care of the certificate of the service principal in Azure AD?

While the certificate in the KeyVault itself will be auto-renewed if it is either self-signed or issued by one of the supported public CAs, based on the policy you set (could be n days before expiry or at some % of its lifetime), it may not automatically update the service principal. You should be able to achieve that by slightly tweaking this script to get the cert from KeyVault and also automating this through Azure Automation or any other way.
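The kind of automation the answer describes, written out as an added example rather than the script the answer links to: it reads the current certificate version from Key Vault, adds its public key to the Azure AD application's key credentials if it is not there yet, and only then removes credentials that have already expired. It assumes the Az.KeyVault and Az.Resources (5 or later, Microsoft Graph based) modules, a signed-in context allowed to manage the app registration's credentials (for example an Automation account's managed identity), and placeholder vault, certificate and application ids; the Get-CredentialThumbprint helper and the EndDateTime/EndDate property fallback are this example's own assumptions about the cmdlet output.

```powershell
# Added example, not the script the answer refers to: push the current Key Vault
# certificate version onto an Azure AD application's key credentials, so that a
# Key Vault auto-renewal is followed by the app registration trusting the new cert.
# Assumes Az.KeyVault and Az.Resources 5+ (Microsoft Graph based) and a signed-in
# context allowed to manage the app's credentials. Ids below are placeholders.
param(
    [string] $VaultName     = 'my-keyvault',                          # placeholder
    [string] $CertName      = 'module-a-client-cert',                 # placeholder
    [guid]   $ApplicationId = '00000000-0000-0000-0000-000000000000'  # placeholder app (client) id
)

# Hex thumbprint of a key credential. Azure AD keeps it in CustomKeyIdentifier;
# assumption: byte[] in Graph-based Az output, base64 text in older output.
function Get-CredentialThumbprint {
    param($Credential)
    $id = $Credential.CustomKeyIdentifier
    if ($null -eq $id) { return $null }
    $bytes = if ($id -is [byte[]]) { $id } else { [Convert]::FromBase64String([string]$id) }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

# 1. Latest certificate version; only the public certificate leaves the vault.
$kvCert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
if (-not $kvCert) { throw "Certificate '$CertName' not found in vault '$VaultName'" }
$x509  = $kvCert.Certificate    # X509Certificate2 without the private key
$thumb = $x509.Thumbprint

# 2. Idempotency: skip if the app registration already trusts this thumbprint,
#    so the script can run on a schedule without piling up duplicate credentials.
$creds = @(Get-AzADAppCredential -ApplicationId $ApplicationId)
if ($creds | Where-Object { (Get-CredentialThumbprint $_) -eq $thumb }) {
    Write-Output "App already trusts certificate $thumb; nothing to do."
    return
}

# 3. Add the new public key as a key credential. Adding before removing anything
#    keeps modules still using the previous certificate working until they pick
#    up the new PFX from the vault.
$certValue = [Convert]::ToBase64String($x509.GetRawCertData())   # DER certificate, base64
New-AzADAppCredential -ApplicationId $ApplicationId -CertValue $certValue `
    -StartDate $x509.NotBefore -EndDate $x509.NotAfter | Out-Null
Write-Output "Added certificate $thumb (valid until $($x509.NotAfter.ToString('u')))."

# 4. Housekeeping: drop credentials whose validity has already ended.
#    Assumption: the end date is exposed as EndDateTime (Graph based) or EndDate (older).
$now = (Get-Date).ToUniversalTime()
foreach ($c in $creds) {
    $end = if ($c.PSObject.Properties['EndDateTime']) { $c.EndDateTime } else { $c.EndDate }
    if ($end -and ([datetime]$end).ToUniversalTime() -lt $now) {
        Remove-AzADAppCredential -ApplicationId $ApplicationId -KeyId $c.KeyId
        Write-Output "Removed expired credential $($c.KeyId)."
    }
}
```

Run it as a scheduled Azure Automation runbook (or trigger it from the vault's Microsoft.KeyVault.CertificateNewVersionCreated event) so it follows the renewal window set in the certificate policy. The modules themselves still need to fetch the latest certificate version, including the private key, from the vault after renewal; this script only makes Azure AD accept the new public key.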

Related

How to auto renew Service Principals secrets in Azure

I have an issue: how do I auto renew Service Principal secrets in Azure Key Vault?
In short - you can't.
Azure KeyVault only provides the option to auto rotate keys. This feature enables end-to-end zero-touch key rotation for Azure services data encryption with customer-managed key (CMK) stored in Azure Key Vault.
https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/
What you are trying to achieve is different. Azure AD Service principals are managed by Azure AD. So, you need some sort of automation which generates a new secret there and updates it in keyvault.
A better way (if possible) would be managed identity. Managed Identities can be used like service principals but are fully managed, and the secrets are managed behind the scenes for you.
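The "automation which generates a new secret there and updates it in keyvault" that the answer calls for, as an added example that is not part of the answer: on each scheduled run it checks the expiry of the current Key Vault secret version, and only when that is within the rotation window does it ask Azure AD for a new password credential, store it as a new secret version with the same expiry, and remove credentials that have already expired. It assumes Az.Resources 5 or later (Microsoft Graph based, where New-AzADAppCredential returns the generated value in SecretText), Az.KeyVault, a signed-in context allowed to manage the app's credentials and the vault secret, and placeholder application id, vault and secret names.

```powershell
# Added example (not part of the answer): scheduled rotation of an Azure AD
# application's client secret, publishing the new value to Key Vault.
# Assumes Az.Resources 5+ (Microsoft Graph based: New-AzADAppCredential returns
# the generated secret in SecretText) and Az.KeyVault, with a signed-in context
# allowed to manage the app's credentials and set the vault secret.
# Application id, vault and secret names are placeholders.
param(
    [guid]   $ApplicationId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string] $VaultName     = 'my-keyvault',                           # placeholder
    [string] $SecretName    = 'module-a-client-secret',                # placeholder
    [int]    $LifetimeDays  = 90,   # validity of each generated secret
    [int]    $RotateBefore  = 14    # rotate this many days before expiry; old and new overlap meanwhile
)

$now = (Get-Date).ToUniversalTime()

# 1. Nothing to do while the current secret version is still far from expiry.
$current = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
if ($current -and $current.Expires -and $current.Expires.ToUniversalTime() -gt $now.AddDays($RotateBefore)) {
    Write-Output "Secret '$SecretName' valid until $($current.Expires.ToString('u')); no rotation needed."
    return
}

# 2. Let Azure AD generate a new password credential; the value is only shown once.
$expires = $now.AddDays($LifetimeDays)
$newCred = New-AzADAppCredential -ApplicationId $ApplicationId -StartDate $now -EndDate $expires
$secure  = ConvertTo-SecureString -String $newCred.SecretText -AsPlainText -Force

# 3. Publish it as a new version of the vault secret with matching validity, so
#    Key Vault near-expiry monitoring lines up with Azure AD. Consumers that
#    resolve the latest version (e.g. App Service Key Vault references) pick it up.
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -NotBefore $now -Expires $expires -Tag @{ keyId = [string]$newCred.KeyId } | Out-Null
Write-Output "Stored new secret version (credential $($newCred.KeyId), expires $($expires.ToString('u')))."

# 4. Remove credentials that have already expired. The previous secret stays
#    valid until its own expiry, which is the overlap window for consumers.
foreach ($c in @(Get-AzADAppCredential -ApplicationId $ApplicationId)) {
    if ($c.KeyId -eq $newCred.KeyId) { continue }
    if ($c.EndDateTime -and ([datetime]$c.EndDateTime).ToUniversalTime() -lt $now) {
        Remove-AzADAppCredential -ApplicationId $ApplicationId -KeyId $c.KeyId
        Write-Output "Removed expired credential $($c.KeyId)."
    }
}
```

Schedule it daily from an Automation account; because step 1 exits early outside the rotation window, repeated runs are safe. The secret value passes through the runbook's memory only, and the keyId tag on the secret version lets you trace which Azure AD credential a given version belongs to when reviewing Key Vault audit logs.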

Use Azure KeyVault in the B2C Custom Policy Config

We are using the email invite flow to get our users created in our Azure B2C. Currently we are reviewing our management of secrets in code and config; coming out of this work we are now using an Azure KeyVault.
Our ASP.Net website that previously had the cert loaded directly into the App Service is now referencing one in the key vault.
At the Azure B2C "Identity Experience Framework" end of the arrangement we have the “B2C_1A_IdTokenHintCert” policy key and that was created when we uploaded the certificate into Azure B2C. This breaks the approach of centralising the management of our certificates with KeyVault.
Is there a way of using KeyVault for the Custom Policy configuration?
In your particular scenario, you can expose your own metadata endpoint for id token hint validation in your App. That is what the sample does by default:
https://github.com/azure-ad-b2c/id-token-builder
You might then look for a way to reference the cert via Key Vault instead of uploading the cert to the App Service, e.g. reading the cert in your app via the KeyVault API.
https://learn.microsoft.com/en-us/rest/api/keyvault/#certificate-operations

Service principal with certificate and VSTS/TFS service endpoint

On my current project I work with TFS on-prem and I need to deploy resources in Azure.
With a service principal in Azure and an ARM service endpoint in TFS, everything works fine.
However now I get the requirement to secure the service principal with a certificate instead of a password. Creating a service principal with a certificate is almost as easy as with a password, but setting up the ARM service endpoint in TFS (also VSTS by the way) is not that easy.
One of the fields I have to fill in for the ARM service endpoint is the "Service Principal Key".
When creating the service principal with a certificate, I don't have that value (which typically is the password used to create the AD application).
Is it possible to create a TFS service endpoint using an Azure service principal based on a certificate?
We cannot create the ARM service endpoint based on a certificate; as you mentioned, we can only provide the "Service Principal Key".
However, we can create an Azure Classic service endpoint based on a certificate.
Management Certificate: Required for certificate-based authentication. Copy the value of the management certificate key from your publish settings XML file or the Azure portal.

Azure KeyVault with Key Rotation

Our application doesn't use KeyVault until now. We are thinking of using Azure KeyVault to enforce security for keys, secrets and certificates. I read the Microsoft documentation on this Link. It's not clear that Azure KeyVault works with identity providers other than Azure AD, because we are not using Azure AD, but we are using Azure App Service and a storage account. We also want to implement key rotation with 1 hour expiry.
My questions are
Should the web app be registered with Azure AD to use KeyVault ?
While creating an Azure KeyVault I didn't see any option about key rotation. Am I looking in the wrong place?
Any sample code would be helpful.
When you create a key vault in an Azure subscription, it is automatically associated with the subscription's Azure Active Directory tenant. All callers (users and applications) must be registered in this tenant to access this key vault. That means that to access the keys and secrets stored inside the key vault, the requesting applications have to be added in Azure Active Directory, and they also need permissions to read keys and secrets in Azure Key Vault.
Related tutorials below are for your reference:
Get started with Azure Key Vault
How to set up Key Vault with end to end key rotation and auditing - This walks through how to set up key rotation and auditing with Azure Key Vault.
Azure Key Vault Developer's Guide
Use Azure Key Vault from a Web Application

What is the use of Azure Key Vault in case of WebApp

We have hosted our application on an Azure Web App and want to use SSL on it. Should we use the traditional way to attach this certificate to the Azure Web App, or should we use Azure Key Vault? Since access to the Azure Web App through RDP is not available and Azure is managing our Web App, can the certificate be compromised (if Azure Key Vault is not used)?
I can understand its usage in the case of a VM, but for an Azure Web App, does it add any value?
Azure Web App doesn't rely on Azure Key Vault for any of its functionalities.
However, if you are using App Service Certificate, then you end up configuring Azure Key Vault for storing the secret. Other use cases also exist, but those are from an application perspective.
