Deep Dive into Azure Managed Identities – Behind the scenes

Posted on July 20, 2019 by Thuru

Introduction

Sometime back when it was in the preview, I posted an article on Azure Managed Service Identity (MSI) and how we can use it, to eliminate storing credentials in the code, whilst avoiding the bootstrap problem. Read the link for more details.

This post is about Managed Identity, in short, Managed Identity is the new name for Managed Service Identity. Though the purpose and the functionality stay the same, Managed Identities provide more granular control, Azure Portal options and sophisticated improved SDK support, which convinced me enough to write a post.

Managed Identities is a feature of Azure Active Directory (free to use), which helps to eliminate storing credentials in the code. Since, Managed Identities is a feature of AAD, it can be used to authenticate to any Azure service that supports AAD authentication. Let’s start from AAD and drill down into the Managed Identities.

AAD Principles

AAD can have two different principles, user principle and service principle. A user principle is a user object, and a service principle is an instance of application registration.

So what is an application in AAD ? An application is a global template for a service principle. The directory (AAD tenant), the application is registered is known as the home directory. When the permissions / consent has been given to a application the service principle object is created.

Other than the creation and configuration phases, what we deal with is a service principle. I recommend you to use the terms user principle, service principle and application to have the clear understanding in the communication. You can read more about the application and service principle from this link

Managed Identities

Managed Identities are special type of service principles, they are two types.

User assigned Managed Identity – Available to create as a standalone Azure resource. Should be created manually, when created, a corresponding AAD application will be registered (more details below). One Azure resource can have many user assigned managed identities. The life cycle of a user assigned managed identity is independent of the resource life cycle, meaning a user assigned managed identity can exist without being attached to any resource.

System assigned Managed Identity – These are created by Azure when enabling the Managed Identity for a service. The lifetime is scoped to the lifetime of the resource. One service can have only one system assigned Managed Identity.

The below image summarizes the things. Mindful this, is a specific diagram I have created to illustrate the AAD principles. AAD is not limited to below context.

Enabling Managed Identities to a Service (App Service)

I take a simple example of how we can use Managed Identities to access a Azure Key Vault, which contains the secrets. This article covers creation and assignment of the Managed Identities to App Service, —

System Assigned Identity, we have to enable and in the second tab, you can see the User Assigned identity (still in preview).

Enabling System Assigned Managed Identity

Switch the status to ON and this will create a system assigned managed identity. Just to explain what is happening behind the scenes.

Before enabling run this PowerShell command (you need GA permissions to the tenant) to see the number of service principles in the AAD.

(Get-AzureRmADServicePrincipal).Count

view raw

gistfile1.ps

hosted with ❤ by GitHub

This will give you the number of service principles in the AAD, and after enabling the System Assigned Managed Identity when you run the above command the count will be +1. Also in the portal, you can see the object id of the service principle.

Executing the below will give the details

	Get-AzureRmADServicePrincipal -ObjectId db9c6f9e-bea0-4325-b18c-dcd6eda668af

	ServicePrincipalNames : {98b1ebaf-b6b2-4368-ba53-c36ae0551b90, https://identity.azure.net/4zuSVB9vvyfEk5wvTupj9aFQnGVY0bvqMPfQ9bTKrwk=}
	ApplicationId : 98b1ebaf-b6b2-4368-ba53-c36ae0551b90
	DisplayName : chimp01
	Id : db9c6f9e-bea0-4325-b18c-dcd6eda668af
	Type : ServicePrincipal

view raw

service principle oid.ps

hosted with ❤ by GitHub

Behind the scenes, Azure has created a service principle for us. In the portal, under Enterprise Applications, make a search with the Display Name (retrieved from PowerShell), you will see the associated service principle. (make sure, you have selected All Applications in the drop down)

But, this is a special kind of a service principle, which we cannot configure any explicit permissions. If you navigate to the Permissions section you will notice that.

Enabling User Assigned Managed Identity

This is still in preview, and in the second tab of the Identity blade. Here we add a Managed Identity as a standalone resource in Azure. You can add an existing user assigned Managed Identity in the tab as shown below.

Screen Link 001

In order to create a User Assigned Managed Identity, you can add it in the portal, as a separate resource. Search for User Assigned Managed Identity, and click create.

This is like any other Azure resource creation, fill the details and create it.

After creating the User Assigned Managed Identity, run the above count script, you will see one more service principle in AAD tenant.

Also, if you search the resource name under the Enterprise Applications (All Applications enabled) you will see the service principle.

Additionally, we can see the created Managed Identity as a resource in the specified Resource Group.

Now go back to the screen link 001, and you can add the created user assigned Managed Identity.

As you can see, we can add more than one user assigned managed identities to a Azure service.

Continuation

We have created and assigned the Managed Identities to our service, next article will explain how to use them both in production and development.

Azure B2C with custom attributes with predetermined values

Posted on April 29, 2017 by Thuru

Azure B2C is a large membership database which also provides the features of tokens, sessions and membership/authentication experience (sign-up, sign-in, forget password and etc). But there are some scenarios which are little tricky based on how the entire solution is handled. Let me explain such a use case and describe different ways to handle that in B2C.

Case : You have an application which is a reselling portal, where a user can either be a seller or a buyer. During the registration / sign-up process user type will automatically be detected by the application, thus the user does not need to select the type. The below diagram explains the case.

Question: In this case why we cannot pass the parameters from step 1which holds the user type value and populate that value in a hidden field in the custom.html or the rendered mobile view in step 2. So it is straight forward to persist that information in B2C.

Answer: Since the rendering is controlled by B2C, any script execution is not allowed in that context. (I’m not sure is there any way to do this). Also the same html view is rendered in mobile or any other native clients passing the information from step 1 to step 2 in any means is not a safe option even if it is possible in any manner.

So we end up having the trouble of passing the user type information from step 1 to step 2 and instruct the B2C to persist that information.

Solutions:

There are different solutions. The trade off is always between how much of control we’re going to take from B2C and how much of control we let the B2C to have. This comes with the cost of development effort and control.

Solution 1: Let B2C handle the case much as possible and application controlled fields like user type to be saved in custom database column. And optionally update the B2C custom attribute using Graph API. Figure 2 explains this.

In this way, we get the benefits of the B2C policies and how to handle the auxiliary authentication services like password management, profiles offered by B2C. Most applications follow this without updating the B2C back using the Graph API.

Solution 2: Take control from B2C to the custom application and use B2C as a membership database.

In this model – In the step 1 some custom attribute values are determined (ex – user type) and passed to the step 2 which is a view controlled purely by the developer. Then step 2 passes the information to the application API in step 3. Server application updates B2C in step 4 and receives the JWT token in step 5. Application updates the database with the oid and other parameters in step 6.

What B2C could do in the future

In the current state of B2C – B2C has applications and policies. Applications and policies can be used many combinations. One application can have many policies of the same type with different settings and also one policy can be used across many applications as well.

In the custom rendering B2C should allow to have hide attributes with the default values. In that way in modeling the above scenario we can have have different policies with different settings and default values.

Primary critical requirement is in the below screen that B2C should add are..

show/hide fields
set default values

Azure Active Directory (AAD): Common Application Development Scenarios

Posted on July 18, 2015 by Thuru

Azure Active Directory is a cloud identity management solution, but not limited to cloud identity alone. In this post let’s discuss about how AAD can be used in designing multi-tenant applications in cloud. As usual consider that MassRover is an ISV.

MassRover got this great idea of developing a document management application named ‘Minion Docs‘ for enterprises, they simply developed the application for Intranet using Windows Authentication. VTech was the first customer of Minion Docs. MassRover installed the application on premise (in the VTech data centers).

After a while VTech started complaining that the users want to access it outside the organization in a more secure way using different devices, and VTech also proposed that they are planning to move to Azure.

MassRover decided to move the application to the cloud in order to sustain the customers, also they realized that moving to the cloud would open the opportunity to cater multiple clients and they can introduce new business models.

Creating Multi-Tenant Applications

The Intranet story I explained is very common in the enterprises.

All the organizations have the burning requirements of handling the modern application demands like mobility, Single Sign On and BYOD without compromising existing infrastructure and the investments.

MassRover team decided to move the application to the Azure in order to provide solutions for those problems and leverage the benefits of the cloud.

First Mass Rover got an Azure subscription and integrated Minion Docs as a multi-tenant application in their AAD. As an existing Intranet application this requires minimum rewrite with more configuration.

The below setup window is the out of the box ASP.NET Azure Active Directory multi-tenant template, you see in Visual Studio.

Registering an application in AAD as a multi-tenant application allows other AAD administrators to sign up and start using our application. Considering the fact that Minion Docs is an AAD application there 2 primary ways that VTech can use Minion Docs.

Sync Local AD with AAD along with passwords – allows users to single sign on using their Active Directory credentials even though there’s no live connection between local AD and AAD.
Federate the authentication to local AD – users can use the same Active Directory credentials but the authentication takes place in local AD.

The only significant different between the above two methods is, where the authentication takes place; in the AAD or in federated local AD.

Local AD synced with Azure Active Directory with passwords

VTech IT decides to sync their local AD with their AAD along with the passwords. And VTech AD administrator signs up for the Minion Docs and allows the permissions (read / write) to Minion Docs.

What happens here?

MassRover created and registered Minion Docs as a multi-tenant Azure Active Directory application in their Azure Active Directory.
VTech has their local AD which is the domain controller which had been used in the Minion Docs Intranet application.
VTech purchases an Azure Subscription and they sync their local AD to their Azure Active Directory along with the passwords.
VTech Azure Active Directory admin signs up for the Minion Docs application, during this process VTech admin also grants the permissions to the Minion Docs.
After the sign up Minion Docs will be displayed under the ‘Applications my company uses’ category in the VTech’s AAD.
Now a user named ‘tom’ can sign in to the Minion Docs application with the same local AD credentials.

Sign in Work Flow

Few things to note

Minion Docs does not involve in the authentication process.
Minion Docs gets the AAD token based on the permission granted to Minion Docs application by the VTech AAD admin.
Minion docs can request additional claims of the user using the token and if they are allowed Minion Docs will get them.
Authorization within the application is handled by the Minion Docs.

Local AD is federated using ADFS

This the second use case where the local AD is synced with the AAD but VTech decides to federate the local Active Directory. In order to do this, first VTech should enable ADFS and configure it. ADFS doesn’t allow any claims to be retrieved by default, so VTech admin should specify the claims as well.

Federated Sign in Work Flow

In the federated scenario the authentication happens in the local AD.

As an ISV Minion Docs is free from, whether the authentication happens in the customer’s AAD or in their local AD.

Tenant Customization

Anyone with the right AAD admin rights can sign up to the Minion Docs, but this is not the desired behavior.

The better approach would be during the first sign up we can notify the Minion Doc administrators with the tenant details and they can decide or this could be automated in subscription scenarios.

A simple example, consider Voodo is another customer who wants to use Minion Docs. The Voodo admin signs up and before adding Voodo as an approved tenant in the Minion Docs database they have to complete a payment. Once the payment is done Voodo will be added to the database. This is very simple and very easy to implement.

Azure Account Management

Posted on January 30, 2015 by Thuru

This post explains about how an Azure account is managed, what are the different administrative roles , what they do in managing Azure subscriptions, and how Azure Active Directory (AAD) is connected in managing Azure accounts and subscriptions.

An Azure account is simply a container for managing subscriptions. All the services we use in Azure are contained in a subscription. One Azure account can have multiple subscriptions. Consider the below scenario to understand the concept.

I have marked few important rules, which I consider the rule of thumbs to remember in Azure account administration.

Azure Account

There are several ways that you can get access to Azure, you can start a free trial, you might get Azure credits from any of the enterprise licenses your company has with Microsoft or through any other non-documented or unclarified methods.

But let’s begin the story in a more simpler and practical way. Assume Bob wants to learn Azure and wanted to buy an Azure account. Bob entered his credit card detail and activated the Azure account, during this registration process Bob entered his personal email address bob@outlook.com.

Bob got an Azure Account.
Bob created a subscription in order to access Azure services since Azure account is a container for the subscriptions.
Bob named this subscription Dev Subscription.
One Azure account can have multiple subscriptions and each subscription can have different payment options as well.
Since Bob owns the Azure Account he becomes the Service Administrator for the Dev Subscription and also he is the Account Administrator.
Later Bob created another subscription for testing and he named it Test Subscription.
Bob is the Service Administrator for both subscriptions.
Then Bob added Kevin as a Co Administrator in the Dev Subscription using Kevin’s email address kevin@outlook.com.

After the above steps, this is the logical structure of the Bob’s Azure account.

Account Administrator: Account Administrator is the person who owns the Azure account, he is the only person who can manage subscriptions (create, edit, change payment plans).

Service Administrator: Service Administrator has full privileges inside the subscription. One subscription can have only one service admin. He has full rights in managing all the resources and services inside the subscription including adding / removing Co Administrators.

Co Administrator: Co Administrators have full rights in managing resources and services inside a subscription, except they cannot manage users, meaning they cannot manage other Co admins or Service admins.

Read this link for detailed information about the above administrator roles.

Rule #1

In order to login to Azure, a user should be either a Service Administrator or a Co Administrator of the subscription.

As you see Kevin is a Co Admin in the Dev Subscription and he has full rights in managing the resources in the Dev Subscription. But he doesn’t see the Test Subscription. Kevin can be an Account Administrator / Service Administrator of some other Azure Account with the same email address. In that case when he logs into the Azure Portal he will see all the subscriptions in the drop down. He can select the subscription he wants to work with. Any programmatic operation requires the subscription Id.

Azure Active Directory and Azure Account Management

Azure Active Directory (AAD) plays a major role in the Azure account management. Even in the scenario explained above, it has a big part though the process is totally transparent. This is where I put the second rule in.

Rule #2

In order to authenticate to Azure you need Azure Active Directory authentication, in the other terms Azure only trusts the Azure Active Directory authentications.

In the above example Bob and Kevin has no knowledge about AAD, they simply added their personal Microsoft email addresses and everything works.

Bob or Kevin logs into Azure portal using their personal Microsoft email addresses (bob@outlook.com / kevin@outlook.com). Technically they use the Microsoft email authentication to access Azure. This is a huge contradiction to the rule #2.

Answer is very simple, in order to make sure the customer experience smooth and non-cumbersome Microsoft has taken efforts that Azure Active Directory trusts the Microsoft consumer authentication tokens.

So when Bob / Kevin is authenticated via their consumer authentication credentials, the token is passed to the AAD, which trusts the consumer identity token and authenticates them to the Azure portal.

Azure automatically adds Service administrators and Co Administrators to the Azure Active Directory associated with the subscription.

Consider the below cases for the detailed clarification.

Service Administrator is a member and the Global Administrator of AAD

There’s a Service Administrator and he’s a member of AAD as well. The first image shows the Administrators section of the settings page and the second image shows the AAD users section. Azure has added the Service Administrator automatically in the AAD as a user, typically with the Global Administrator permission for the AAD.

Co Administrators are automatically added to the AAD with user roles

Now I want to add a Co Administrator to this subscription. When you click the Add button in the portal you will get a window with this message on top.

As you see the message is very clear. It is the combination of rule #1 and 2.

When you add a user with Microsoft account and add him / her as Co Administrator he / she will automatically be added to the AAD users. The first image shows the Administrators sections of the settings page and the second image shows the AAD users section.

AAD can have the following sources.

Microsoft Account
Azure Active Directory Account
Local Active Directory Account – when a local AD is synced with AAD

We were unable to find any subscriptions associated with your account.

The above is a very common message people get with the image below.

The reason is when you add a Co Administrator the user is added to the AAD, but when you remove a Co Administrator the user in the AAD remains undeleted. Because the user might have some other apps he/she has been accessing using AAD credentials.

In this case if the user tries to access the Azure portal they will get this message. Because here the rule #2 is true but rule #1 is false.

Azure Account Management Best Practices

It is highly recommended not to use Microsoft consumer identities especially the root accounts to access the Azure portal for the day to day tasks. In our case study bob@outlook.com is the root account. Always create a AAD users with specific roles and use them for development purposes.

Versatile Digital DNA

Tag Archives: Azure Active Directory

Deep Dive into Azure Managed Identities – Behind the scenes

Introduction

AAD Principles

Managed Identities

Enabling Managed Identities to a Service (App Service)

Enabling User Assigned Managed Identity

Azure B2C with custom attributes with predetermined values

Azure Account Management

Introduction

AAD Principles

Managed Identities

Enabling Managed Identities to a Service (App Service)

Enabling User Assigned Managed Identity

Share this:

Share this:

Creating Multi-Tenant Applications

Local AD synced with Azure Active Directory with passwords

Local AD is federated using ADFS

Tenant Customization

Share this:

Share this: