We are trying to connect to Azure service bus entity from "GO" language application & the integration with Azure service bus entity is possible by supplying either SAS token or Azure AD OAuth2.0 token which will be obtained via security principals. Technically I prefer security principals option rather than SAS token as it has security vulnerabilities.
How to acquire OAuth2.0 token from Azure AD using language like "GO" for which Azure AD SDK is not available?
Is it possible to make direct call to Azure AD REST APIs to access OAuth2.0 token? if yes some code sample would be helpful otherwise please suggest suitable options.
Here are available authentication methods for Go.
Also, you can make a direct call to get the access token.
https://login.microsoftonline.com/{tenant}/oauth2/token
Reference:
OAuth 2.0 client credentials grant
Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities
Related
I know that I have to create a service principal when I need an identity for an app that connects to Azure resources. But if someone asked me "Why not just create an AAD user and authenticate as that user?" I honestly couldn't answer besides "That's not how you do it.".
Can someone give me a proper explanation on why using an AAD service user instead of an app registration would be a bad idea?
Service principal is an application whose tokens can be used to authenticate and grant access to specific Azure resources from a user-app, service, or automation tool, when an organization is using Azure Active Directory
By using a Service Principal, we can avoid creating "fake users" (similar to service account in on-premises Active Directory) in Azure AD to manage authentication when you need to access Azure Resources
The Service Principals' access can be restricted by assigning Azure RBAC roles so that they can access the specific set of Azure resources only
So for better security purpose, we can use service principal instead of Azure AD User from an to authenticate and access Azure Resources.
We have several apps which are built using .NET are running in VMS(on-prem)
All apps will be registered to Azure AD.
Can we use user managed identity to access key vault form these on-prem apps
Thanks in advance
No, you cannot use a Managed Identity from on-prem apps.
[...] a managed identity is a service principal of a special type that may only be used with Azure resources.
Source: What are managed identities for Azure resources?
To see a list of resources currently supported, see Services that support managed identities for Azure resources.
You can, however, use a Service Principal to connect to Key Vault from an application running on-premises.
To do so, Use the portal to create an Azure AD application and service principal that can access resources.
For Service Principals, authentication can be done in two different ways: password-based authentication (application secret) and certificate-based authentication. Using a certificate is recommended, but you can also create an application secret.
To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
If you cannot use managed identity, you instead register the application with your Azure AD tenant, as described on Quickstart: Register an application with the Azure identity platform. Registration also creates a second application object that identifies the app across all tenants.
I am trying to connect to Snowflake in Databricks using an Azure access token generated from an existing Service Principal (not using the documentation's method to create one as I don't have the permissions to). Currently I am receiving the error "Invalid OAuth access token".
I believe the solution is I need snowflake to grant access to the service principal, however not sure how to do this or if it is even possible?
According to this Snowflake document, programmatic SSO with Federated Authentication (like you would need in a Databricks notebook) is only available for the Okta identity provider - even though Microsoft Azure Active Directory is among their supported Identity Providers
Trying to get a ASP.NET web application to access both a local resource and graph api using a single login.
The environment consists of a on prem adfs as well as a Azure AD instance that is synced and federated against on prem ad.
I have the following working.
Configure the application to use OpenId Connect authentication against Azure AD with a client configured in azure ad. The user authenticates and i receive a authentication code that i can use to get a token to call graph api successfully.
Configure the application to use OpenId Connect authentication against ADFS using a client_id configured in ADFS. The user authenticates and i get a authentication code that i use to get a bearer token to call the local resource.
However i cannot find a way to get access to both the local resource and graph api with a single login. Is this at all possible? Could someone point me in the right direction?
You can use a Delegated token which contains both a valid Client and User.
See the documentation and Stackoverflow thread.
If it is just read-access and not write-access then what you are describing should be possible.
Referred the following stack overflow post Azure B2C client credentials grant
We are presently using Azure B2C.
I understand that Azure B2C does not support the client credential flow for now.
We have a requirement where an external application (server Application outside our organization) needs to access our resource (api hosted within our organization)
Is there any way we can do this from Azure AD-B2C or would we need Azure AD-B2B for these type of requirements. ?
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to your API app -- isn't supported, however you can register the API app through the “App Registrations” blade of the Azure AD directory for your Azure AD B2C tenant.
You can upvote support for the client credentials flow by Azure AD B2C at:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow
If the API app is to receive tokens from both a web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being Azure AD B2C and other being the Azure AD directory for your Azure AD B2C tenant.
You should not do this anyway.
Instead, provide a portal for your customers where they can manage api keys.
Implement api keys as a second auth schema in your Api