Introduction

...

Using Service Principals

  1. Authentication with a client secret, which is the application's equivalent of a user's password.

  2. Authentication with a certificate (recommended by Microsoft): an app can also authenticate with a certificate, which is considered more secure than a client secret.

  3. Authorization works as it does for user accounts, using RBAC (role-based access control) role assignments.

...

Using Managed Identities

Managed identities are similar to service principals, but we want the platform to manage the authentication process for us (Microsoft takes care of the client secret / certificate type of data). So we can move the app into a resource group in Azure and the platform auth will take care of that, and we don't have to keep this credential information in code.

...

Tip

A system-assigned identity is directly tied to a resource: if we delete the resource, the identity is deleted with it.

API Security & OAuth 2.0

Microsoft ARM API

...

Microsoft Graph API

...

OAuth 2.0 Authentication Flow

...

Delegated permissions and consent

...

Azure Key Vault

When securing apps, we often have to store secret information that an app needs to retrieve programmatically via a REST endpoint. Data-plane access to Key Vault can be controlled with access policies or with RBAC.

...

Example of Solution Design

  • Key Vault used to store secrets such as API keys.

  • User-assigned managed identity:

    • Shared across the web servers in the farm.

  • No changes are required for the Graph API, as delegated permissions do not provide more effective permissions than those assigned to the user.
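The design above, expressed as an added Bicep template (example code, not part of the original page): one user-assigned managed identity shared by the web farm, a Key Vault with RBAC on the data plane instead of access policies, and a role assignment that lets the identity read secrets and nothing else. Resource names are placeholders; the web servers are assumed to attach the identity as shown in the trailing comment.

```bicep
// Added example: wiring a shared user-assigned identity to Key Vault via RBAC.
// Names are placeholders; adjust to your naming convention.
param location string = resourceGroup().location
param keyVaultName string = 'kv-${uniqueString(resourceGroup().id)}' // placeholder
param identityName string = 'id-webfarm'                               // placeholder

// Built-in "Key Vault Secrets User" role: read secret values only,
// no rights to manage the vault, keys or certificates.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// One identity, shared by every web server in the farm, so no server
// ever holds a client secret or certificate in code or config.
resource webFarmIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Key Vault with data-plane authorization handled by Azure RBAC.
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true   // RBAC instead of access policies
    enableSoftDelete: true          // deleted secrets are recoverable
    enablePurgeProtection: true     // no permanent delete during retention
  }
}

// Least privilege: secrets-read only, scoped to this single vault.
// The deterministic name keeps redeployments idempotent.
resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, webFarmIdentity.id, keyVaultSecretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: webFarmIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Each web server resource (e.g. an App Service) attaches the identity with:
//   identity: { type: 'UserAssigned', userAssignedIdentities: { '${webFarmIdentity.id}': {} } }
// and requests tokens for https://vault.azure.net using this client ID.
output identityResourceId string = webFarmIdentity.id
output identityClientId string = webFarmIdentity.properties.clientId
```

Because the identity is user-assigned, deleting or rebuilding an individual web server does not remove it, unlike the system-assigned case noted in the tip above.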

...