The document discusses the use of Azure Active Directory Managed Identities for securing application services, focusing on design considerations such as security, performance, and maintainability. It provides technical details on implementing managed identities, including the setup of API calls with authentication and role assignments. The content is geared towards cloud solution architects, highlighting best practices for securing services using Azure features.

1. Use Azure Active Directory
Managed Identities for your
services!
@Jan_de_V
Jan de Vries
Cloud Solution Architect

2. So, how do YOU design
your solutions?

3. What to take into consideration?
Time to market
Complexity
Performance
Security
Availability
Maintainability
Cost
Team knowledge
…

4. Today’s topic
Security

5. Application Service Application Service
Application ServiceApplication Service
SQL Database
SQL Database
Storage Account
Service Bus

6. Yeah, we secured our services with…
•IP whitelisting
•A ‘secret’ code in the headers
•(self-signed) Certificates
•VNet with some NSGs
•Private Link

7. Introducing: Managed Identities

9. What I want to accomplish
API Speaker API

10. "identity": {
"type": "SystemAssigned"
},

12. var tenantId = this.configuration["ActiveDirectory:TenantId"];
var applicationIdUri = this.configuration["ApplicationIdUri"];
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(
applicationIdUri,
tenantId: tenantId);
var httpClient = this.clientFactory.CreateClient();
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", accessToken);
var response = await httpClient.GetAsync(endpointUrlOfYourBackendService);

14. https://github.com/Azure/azure-sdk-for-net/issues/6172

15. Manifest
"appRoles": [
{
"allowedMemberTypes": [
"Application",
"User"
],
"description": "Reader Role",
"displayName": "Speaker service reader",
"id": "42ee5891-7e50-4db9-a6d9-75ffc8cc1e9b",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "SecureApi.Speaker.Reader"
},
...
],

16. "Authentication": {
"Authority": "https://login.microsoftonline.com/[tenantId]",
"ClientId": "[theApplicationIdOfTheApplicationRegistration]",
"AppIdUri": "[theApplicationIDURI]"
}
app.UseAuthentication();
app.UseAuthorization();
services.AddAuthentication(o => {
o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o => {
o.Authority = Configuration["Authentication:Authority"];
o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidAudiences = new List<string>
{
Configuration["Authentication:AppIdUri"],
Configuration["Authentication:ClientId"]
}
};
});

17. So, what do we have now?
Service 1
• We got a Managed Identity of the first service
• We’re making a HTTP call with an Authorization header
Service 2
• We have an App Registration
• We’ve added `appRoles` entries
• We’ve configured Authentication on the second service

18. az rest `
--method post `
--uri https://graph.microsoft.com/beta/servicePrincipals/91bc8c76-cddc-4f20-b82d-ec7df1d80827/appRoleAssignments `
--headers "{'content-type': 'application/json'}" `
--body "{
'appRoleId': '42ee5891-7e50-4db9-a6d9-75ffc8cc1e9b’, # identifier of your app role
'principalId': '717a6e6a-2d24-4954-9df1-88679da7c12e’, # object id of the Managed Identity
'principalType': 'ServicePrincipal’,
'resourceId': '91bc8c76-cddc-4f20-b82d-ec7df1d80827’ # the identifier Enterprise Application
}"

20. Questions, contact
https://github.com/Jandev
@Jan_de_V
jandv@4dotnet.nl
https://twitch.tv/jandev
https://jan-v.nl