IT:AD:MSI

Summary

As per here: For Service-to-Azure-Service authentication, the approach so far involved creating an Azure AD application and associated credential, and using that credential to get a token. The sample here shows how this approach is used to authenticate to Azure Key Vault from a Web App. While this approach works well, there are two shortcomings:

  1. The Azure AD application credentials are typically hard coded in source code. Developers tend to push the code to source repositories as-is, which leads to credentials in source.
  2. The Azure AD application credentials expire, and so need to be renewed, or else they can lead to application downtime.

Background

Connections between an App and a Database can be grouped into four approaches:

  • Sql Account: this is when you embed the UserName/Password directly into the connection string. This is considered a low value, higher risk approach.
  • IntegratedSecurity: this is a LAN based approach and cannot be done in Azure.
  • Token based*: this approach came out in 2016.
  • MSI Token based*: this approach came out in 2017, building on the earlier Token based approach and making it appropriate for more services than just accessing a database. It is the current recommended approach.

Constraints

  • Only the primary slot for a site will receive the identity. MSI for deployment slots is not yet supported.

Process

Prerequisites

  • Developers:
    • Need Visual Studio 17.5 or higher
    • Need to install https://marketplace.visualstudio.com/items?itemName=chrismann.MicrosoftVisualStudioAsalExtension into Visual Studio, and restart
    • Optionally (recommended), install Azure CLI v2.0.12 or later.

Enable

To enable an App Service* (logic center) to connect to other Resources (KV, SS, etc.):

  • Via Portal: on the App Service, select “Managed Service Identity”, then “On”. That simple.
  • Via ARM: add "identity": {"type": "SystemAssigned"} to the App Service.

Authorize

Autogenerating an MSI identity is not enough. You have to permit the identity on the target role.

Connect

  • Prerequisites:
    • A Project-Specific AAD Account is required to add Service Principals to, in order to make them admins of a database.
    • Nuget packages need to be added:
      • Microsoft.Azure.Services.AppAuthentication
      • Microsoft.Azure.KeyVault
    • Developers need the following tools:
      • Visual Studio 2017 v15.5 or higher
      • App Authentication extension for Visual Studio.
      • Azure CLI v2.0.12.
  • ConnectionString will contain:
    • RunAs=App;: options are [App|Developer]
    • DeveloperTool=AzureCli: needs to be set if RunAs=Developer. Options are [VisualStudio|AzureCli].
    • Data Source={todo}.database.windows.net
    • Initial Catalog={todo}
    • Connect Timeout=300; needs to be fairly high for Entity Framework migrations.
  • Enabled for:
  • The security boundary of the identity is the resource to which it is attached. For example, the security boundary for a Virtual Machine MSI is the Virtual Machine: any code running on that VM is able to call the MSI endpoint and request tokens. It is a similar experience with other resources that support MSI.
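The Connect step above, as an added example that is not code from the original page: Microsoft.Azure.Services.AppAuthentication obtains a token from the MSI endpoint and attaches it to a SqlConnection and a KeyVaultClient, so no credential is hard coded and expiry is handled by the provider. It assumes MSI has been enabled on the App Service and the Authorize step has been completed (an AAD admin of the database created a user FROM EXTERNAL PROVIDER for the identity and added it to a role, and the Key Vault access policy grants it "get" on secrets); {todo} and the vault name are placeholders.

```csharp
// Added example, not the page's own code: the Connect step using
// Microsoft.Azure.Services.AppAuthentication. The MSI endpoint issues a short-lived
// token attached to SqlConnection / KeyVaultClient, so no credential sits in source.
// Assumes MSI is enabled and Authorize is done (an AAD admin ran CREATE USER [<app>]
// FROM EXTERNAL PROVIDER and added it to a role; vault policy grants secret get).
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public static class MsiConnections
{
    // Provider connection string: "RunAs=App;" in Azure. For local runs switch to
    // "RunAs=Developer;DeveloperTool=AzureCli" (via config, not a code edit) so the
    // same code uses the developer's Azure CLI sign-in instead of the MSI endpoint.
    private const string TokenProviderConnectionString = "RunAs=App;";

    // SQL connection string carries no User ID/Password; the token is set on the
    // connection object instead. Connect Timeout is high for EF migrations.
    private const string SqlConnectionString =
        "Data Source={todo}.database.windows.net;Initial Catalog={todo};Connect Timeout=300;";

    // Returns the login name the database sees, which verifies that the MSI user
    // created in the Authorize step (not a SQL account) is the one connecting.
    public static async Task<string> WhoAmIAsync()
    {
        var tokenProvider = new AzureServiceTokenProvider(TokenProviderConnectionString);
        // Resource URI for Azure SQL. Tokens are short-lived and the provider
        // re-acquires them, removing the expiry/renewal problem of app credentials.
        string token = await tokenProvider.GetAccessTokenAsync("https://database.windows.net/");
        using (var conn = new SqlConnection(SqlConnectionString))
        {
            conn.AccessToken = token;
            await conn.OpenAsync();
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                return (string)await cmd.ExecuteScalarAsync();
            }
        }
    }

    // Same identity used against Key Vault; KeyVaultTokenCallback requests a
    // token for the Key Vault resource on each call.
    public static async Task<string> GetSecretAsync(string vaultName, string secretName)
    {
        var tokenProvider = new AzureServiceTokenProvider(TokenProviderConnectionString);
        var kv = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
        var secret = await kv.GetSecretAsync($"https://{vaultName}.vault.azure.net/", secretName);
        return secret.Value;
    }
}
```

Because the security boundary is the resource itself, any process on that App Service can call the same endpoint; keep the identity's database role and vault permissions to the minimum the app needs.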

Resources