Using Azure Managed Identities for your App Services by Jan de Vries from 4DotNet at Azure focused 87th DevClub.lv
Jan de Vries from 4DotNet will share his experience on “Using Azure Managed Identities for your App Services“.
He will show you what needs to be set up in your application and in Azure AD to get you started. When everything is set up correctly you can manage access to all of your APIs via Azure Active Directory and even restrict access to specific endpoints if you want.
You’ll leave this session knowing how to set up your services using the built-in capabilities of Azure, making your complete environment more secure and easier to manage.

Jan is a Cloud Solution Architect at 4DotNet (Netherlands). His main focus is on developing highly performant and scalable solutions using the awesome services provided by the Microsoft Azure platform. Because of his expertise, he has been able to help multiple customers bring their on-premises solutions to the cloud and guide them towards a better software development ecosystem.

Slide transcript:

1. Use Azure Active Directory Managed Identities for your services! @Jan_de_V, Jan de Vries, Cloud Solution Architect
2. So, how do YOU design your solutions?
3. What to take into consideration? Time to market, complexity, performance, security, availability, maintainability, cost, team knowledge, …
4. Today’s topic: Security
5. [Architecture diagram: four Application Services, two SQL Databases, a Storage Account and a Service Bus]
6. Yeah, we secured our services with…
   • IP whitelisting
   • A ‘secret’ code in the headers
   • (self-signed) Certificates
   • VNet with some NSGs
   • Private Link
7. Introducing: Managed Identities
8. What I want to accomplish: API → Speaker API
9. Enable a system-assigned Managed Identity on the calling service (resource definition fragment):

       "identity": {
         "type": "SystemAssigned"
       },

10. Calling service (C#): acquire a token for the backend's Application ID URI with the Managed Identity and send it as a Bearer token:

       var tenantId = this.configuration["ActiveDirectory:TenantId"];
       var applicationIdUri = this.configuration["ApplicationIdUri"];

       // AzureServiceTokenProvider (Microsoft.Azure.Services.AppAuthentication) uses the
       // Managed Identity endpoint when the code runs in Azure; no secret is stored anywhere.
       var azureServiceTokenProvider = new AzureServiceTokenProvider();
       var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(
           applicationIdUri, tenantId: tenantId);

       var httpClient = this.clientFactory.CreateClient();
       httpClient.DefaultRequestHeaders.Authorization =
           new AuthenticationHeaderValue("Bearer", accessToken);
       var response = await httpClient.GetAsync(endpointUrlOfYourBackendService);

11. https://github.com/Azure/azure-sdk-for-net/issues/6172
12. Manifest of the backend's App Registration: declare an app role that callers can be assigned to:

       "appRoles": [
         {
           "allowedMemberTypes": [
             "Application",
             "User"
           ],
           "description": "Reader Role",
           "displayName": "Speaker service reader",
           "id": "42ee5891-7e50-4db9-a6d9-75ffc8cc1e9b",
           "isEnabled": true,
           "lang": null,
           "origin": "Application",
           "value": "SecureApi.Speaker.Reader"
         },
         ...
       ],

13. Backend service: configuration and JWT bearer authentication.

       Configuration (e.g. appsettings.json):

       "Authentication": {
         "Authority": "https://login.microsoftonline.com/[tenantId]",
         "ClientId": "[theApplicationIdOfTheApplicationRegistration]",
         "AppIdUri": "[theApplicationIDURI]"
       }

       Startup.ConfigureServices:

       services.AddAuthentication(o =>
       {
           o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
       })
       .AddJwtBearer(o =>
       {
           o.Authority = Configuration["Authentication:Authority"];
           // Accept tokens issued for either the Application ID URI or the client id
           o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
           {
               ValidAudiences = new List<string>
               {
                   Configuration["Authentication:AppIdUri"],
                   Configuration["Authentication:ClientId"]
               }
           };
       });

       Startup.Configure (before the endpoints are mapped):

       app.UseAuthentication();
       app.UseAuthorization();

14. So, what do we have now?
    Service 1
    • We got a Managed Identity of the first service
    • We’re making an HTTP call with an Authorization header
    Service 2
    • We have an App Registration
    • We’ve added `appRoles` entries
    • We’ve configured Authentication on the second service
15. Assign the app role to the Managed Identity (Microsoft Graph call via the Azure CLI, run from PowerShell):

       # appRoleId:   identifier of your app role (see the manifest)
       # principalId: object id of the Managed Identity
       # resourceId:  object id of the backend's Enterprise Application (service principal)
       az rest `
         --method post `
         --uri https://graph.microsoft.com/beta/servicePrincipals/91bc8c76-cddc-4f20-b82d-ec7df1d80827/appRoleAssignments `
         --headers "{'content-type': 'application/json'}" `
         --body "{
           'appRoleId': '42ee5891-7e50-4db9-a6d9-75ffc8cc1e9b',
           'principalId': '717a6e6a-2d24-4954-9df1-88679da7c12e',
           'principalType': 'ServicePrincipal',
           'resourceId': '91bc8c76-cddc-4f20-b82d-ec7df1d80827'
         }"

16. Questions, contact: https://github.com/Jandev, @Jan_de_V, jandv@4dotnet.nl, https://twitch.tv/jandev, https://jan-v.nl
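Slide 13 only authenticates the caller; the "restrict access to specific endpoints" part comes from checking the app role the caller was assigned on slide 15. The following is an added example, not code from the slides or from Jan's project: it assumes the JwtBearer setup from slide 13 is already in place, and the policy name "SpeakerReader" and the controller are illustrative.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example: authorization on top of the JwtBearer authentication from slide 13.
public static class AuthorizationSetup
{
    // Call this from Startup.ConfigureServices after services.AddAuthentication(...).
    public static void ConfigureRolePolicies(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // The "roles" claim of an Azure AD access token is mapped to ClaimTypes.Role by
            // the JwtBearer handler, so RequireRole matches the appRole "value" from the
            // manifest on slide 12. A Managed Identity only carries this claim after the
            // appRoleAssignment on slide 15 has been created for it.
            options.AddPolicy("SpeakerReader", policy => policy
                .RequireAuthenticatedUser()
                .RequireRole("SecureApi.Speaker.Reader"));

            // Anything without an explicit [Authorize]/[AllowAnonymous] still needs a
            // valid token, so a forgotten attribute fails closed rather than open.
            options.FallbackPolicy = options.DefaultPolicy;
        });
    }
}

[ApiController]
[Route("api/[controller]")]
public class SpeakerController : ControllerBase
{
    // Valid token with the Reader role -> 200; valid token without the role -> 403;
    // missing or invalid token -> 401 (audience/issuer checks from slide 13 apply).
    [HttpGet]
    [Authorize(Policy = "SpeakerReader")]
    public IActionResult Get() => Ok(new[] { "speaker-1", "speaker-2" });

    // Health probe deliberately reachable without a token.
    [HttpGet("health")]
    [AllowAnonymous]
    public IActionResult Health() => Ok("healthy");
}
```

With this in place, an App Service whose Managed Identity was never assigned the role still authenticates but is refused with 403, which is the signal to look for in the backend's request logs when a new caller is onboarded.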