Application built using Spring Boot 2.5.x... using latest Azure Java SDK (Azure BOM 3.9.0).
Using Spring Security and Azure Active Directory Spring Boot starter for authN/authZ... all that works... AZ security groups and App registration app roles are getting mapped correctly in spring security as granted authorities etc.
Storage blob containers have group RBAC assigned.
We have a requirement whereby we'd like to list containers for which a AD user has been granted write access (contributor role) as well as virtual folders under containers (blob prefixes) using ABAC.
All users have read, but only certain users can update blobs in some containers and/or blob folders (eg. container/admin)
Using Azure blob storage SDK to list containers and blobs, but not seeing anything in the implementation to filter by RBAC.
Some implementation details I've thought of:
blob/container index tags; tag "Admin" related blobs and using tag
filters on list. Drawback is blob tags need to be managed
blob/container metadata; similar to tags, but not indexed; unsure
if supported directly through the SDK
filtering stream collection returned from SDK call using either
tags or metadata
Thoughts or ideas appreciated!
You probably need to use the management SDK.
var roles = azure.accessManagement().roleAssignments()
.listByServicePrincipal(objectId)
Or you can get the roles by resource scope (the ID of the storage account).
However the service api-version used in 2.10.0 is a bit old, that it does not show conditions in role assignment (for the ABAC), so you won't see the finer condition below the storage account.
Getting the objectId for the user / service principal likely require certain Read User permission in AAD.
You can get them e.g. via CLI, if you do not already have them.
>az ad user list --display-name foo
Related
I have crawlers running on VMs in Azure. After work is finished the Data crawled needs to be distributed to users across the internet depending on their access level. What I need help with:
1. How to onboard users? My idea was to use Azure AD
2. How to organize pipeline from the crawlers to end users but some access rules and data filters need to be applied before using. What is the most effective way? My idea was to use Azure Functions and then Azure siglalR so my clients (desktop, mobile) can get data very fast. All that would be organized as a Logical app?
Please help. I am just starting my programming experience so sorry if my question is naive.
How to onboard users?
Azure AD would be a good choice for you. With Azure AD, it will be convenient to manage the users.
How to organize pipeline from the crawlers to end users but some access rules and data filters need to be applied before using.
Based on the description you provided, you will expose the data crawled as rest api, right? If so, you can integrate your api with Azure AD, then you can control the user access as you need. You can add app roles in your application and assign users and groups to roles, then different users will have different roles to access your api.
Reference:
How to: Add app roles in your application and receive them in the token
Integrating with Azure Active Directory
Problem statement
I need to make finding all the available active directory groups and their relationships in a tree and forest structure for each an every enterprise application held on an AD Domain Server easy to identify and understand by business user and technical users via an Existing IT Service Request web based application.
What I am hoping to achieve as an outcome is:
Knowledge of an API that I can connect to extract this metadata from and synchronise with the IT Service Request Application
Knowledge of what metadata AD Domain Servers are capable of providing
Knowledge of how to connect and synchronise the meta data from the IT Service Request Web based Application without compromising security
You didn't say which language you want to use. I will assume you will use one of the .NET languages, since that is by far the easiest to interact with AD.
To read the Active Directory Schema, you can use ActiveDirectorySchema.GetCurrentSchema(). That will return a ActiveDirectorySchema object that you can use to read much of the information you would want to know. There are example for how to use it here.
For your 3rd point: to read this data you have to be authenticated as a user of that domain (or a trusted domain). Authentication is already built in. When you use ActiveDirectorySchema.GetCurrentSchema(), for example, it uses the credentials of the current user to authenticate.
I'm building an app using which the users registered(from the IAM page) for the project can access the resources of that project. I need the authentication when the URL is hit. Is there a way to achieve this?
Is it possible to provide IAM roles specific for a user request (assuming that the user will login using his email id) to access the resources based on IAM level permissions?
In the early days of AppEngine it was pretty easy to do some basic auth/access-control, but lately they're moving it to something called IAP.
From your wording I am assuming you are trying to abstract administrative tasks of a GCP project to lesser privileged administrators.
Questions 1 and 2 can be quickly solved by defining privileges in IAM using a pre-built roles or creating a custom role if you need to be more specific. Hereby you can use GSuite, GMail, Google Group accounts and let them sign into console.cloud.google.com. They will consequently only be able to see and act upon what you've assigned to them to in IAM.
If you still want to go through with building it yourself, every product does provide an API including authentication. Best practice for your use case is to instead of assigning an individual user access to a resource, you rather create a service account and then allow the user to call that service account. For this GCP has the Service Account Actor Role described well in the official documentation and also Salmaan Rashid provides a good practical insight on medium.
I'm using passport-azure-ad library to authenticate people into our app. We are using v2.0 endpoint. I have created multiple applications in Microsoft app registration portal. And have a lot of redirect url's because we have a lot of different environment apps. It was registered under my Microsoft employee account. Now I need to transfer ownership to another developer. How can I do it? Do I need to recreate all this apps in another account? I assume that this will create a new app id's and thus will ask for permissions for all users again. Is there a way to transfer ownership and not recreate all apps again?
Assuming you created your applications using your Azure Active Directory account (like your Microsoft Employee Account) you will have access to an "Owners" field where you can add new owners to the application which are in the same tenant as you.
If you are trying to transfer an application to a user from a different Tenant or using an MSA account, that is not currently supported, but something that is being considered for the future.
If you need to create a new application id, you will not be able to transfer the consent that you had from the first app over to this second one. That is just not really possible nor something we would look to support due to the security implications.
Is it possible to enumerate all users and/or groups associated with an application role using Azure Active Directory Graph API? If not, is there a programmatic work-around (as opposed to using the portal with AD Premium)?
I'm using the Microsoft.Azure.ActiveDirectory.GraphClient Nuget package which wraps the AD Graph API to fetch application roles associated with an application instance. Unfortunately the AppRole object doesn't include a method to fetch mapped principals.
If you know the service principal that is associated with an application role, you can query for all the objects associated with that service principal (which include all the app roles):
https://graph.windows.net/myorganization/servicePrincipals/#objectId#/appRoleAssignedTo?api-version=1.5
The documentation for app role assignments are here:
https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#AppRoleAssignmentEntity