![var tenantId = this.configuration["ActiveDirectory:TenantId"];
var applicationIdUri = this.configuration["ApplicationIdUri"];
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(
applicationIdUri,
tenantId: tenantId);
var httpClient = this.clientFactory.CreateClient();
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", accessToken);
var response = await httpClient.GetAsync(endpointUrlOfYourBackendService);](https://image.slidesharecdn.com/devclub-useazureactivedirectorymanagedidentitiesforyourservices-200625081625/85/Using-Azure-Managed-Identities-for-your-App-Services-by-Jan-de-Vries-from-4DotNet-at-Azure-focused-87th-DevClub-lv-12-320.jpg)
![Manifest
"appRoles": [
{
"allowedMemberTypes": [
"Application",
"User"
],
"description": "Reader Role",
"displayName": "Speaker service reader",
"id": "42ee5891-7e50-4db9-a6d9-75ffc8cc1e9b",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "SecureApi.Speaker.Reader"
},
...
],](https://image.slidesharecdn.com/devclub-useazureactivedirectorymanagedidentitiesforyourservices-200625081625/85/Using-Azure-Managed-Identities-for-your-App-Services-by-Jan-de-Vries-from-4DotNet-at-Azure-focused-87th-DevClub-lv-15-320.jpg)
!["Authentication": {
"Authority": "https://login.microsoftonline.com/[tenantId]",
"ClientId": "[theApplicationIdOfTheApplicationRegistration]",
"AppIdUri": "[theApplicationIDURI]"
}
app.UseAuthentication();
app.UseAuthorization();
services.AddAuthentication(o => {
o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o => {
o.Authority = Configuration["Authentication:Authority"];
o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidAudiences = new List<string>
{
Configuration["Authentication:AppIdUri"],
Configuration["Authentication:ClientId"]
}
};
});](https://image.slidesharecdn.com/devclub-useazureactivedirectorymanagedidentitiesforyourservices-200625081625/85/Using-Azure-Managed-Identities-for-your-App-Services-by-Jan-de-Vries-from-4DotNet-at-Azure-focused-87th-DevClub-lv-16-320.jpg)
Using Azure Managed Identities for your App Services by Jan de Vries from 4DotNet at Azure focused 87th DevClub.lv
- 1. Use Azure Active Directory Managed Identities for your services! @Jan_de_V Jan de Vries Cloud Solution Architect
- 2. So, how do YOU design your solutions?
- 3. What to take into consideration? Time to market Complexity Performance Security Availability Maintainability Cost Team knowledge …
- 5. Application Service Application Service Application ServiceApplication Service SQL Database SQL Database Storage Account Service Bus
- 6. Yeah, we secured our services with… •IP whitelisting •A ‘secret’ code in the headers •(self-signed) Certificates •VNet with some NSGs •Private Link
- 9. What I want to accomplish API Speaker API
- 12. var tenantId = this.configuration["ActiveDirectory:TenantId"]; var applicationIdUri = this.configuration["ApplicationIdUri"]; var azureServiceTokenProvider = new AzureServiceTokenProvider(); var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync( applicationIdUri, tenantId: tenantId); var httpClient = this.clientFactory.CreateClient(); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken); var response = await httpClient.GetAsync(endpointUrlOfYourBackendService);
- 15. Manifest "appRoles": [ { "allowedMemberTypes": [ "Application", "User" ], "description": "Reader Role", "displayName": "Speaker service reader", "id": "42ee5891-7e50-4db9-a6d9-75ffc8cc1e9b", "isEnabled": true, "lang": null, "origin": "Application", "value": "SecureApi.Speaker.Reader" }, ... ],
- 16. "Authentication": { "Authority": "https://login.microsoftonline.com/[tenantId]", "ClientId": "[theApplicationIdOfTheApplicationRegistration]", "AppIdUri": "[theApplicationIDURI]" } app.UseAuthentication(); app.UseAuthorization(); services.AddAuthentication(o => { o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(o => { o.Authority = Configuration["Authentication:Authority"]; o.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters { ValidAudiences = new List<string> { Configuration["Authentication:AppIdUri"], Configuration["Authentication:ClientId"] } }; });
- 17. So, what do we have now? Service 1 • We got a Managed Identity of the first service • We’re making a HTTP call with an Authorization header Service 2 • We have an App Registration • We’ve added `appRoles` entries • We’ve configured Authentication on the second service
- 18. az rest ` --method post ` --uri https://graph.microsoft.com/beta/servicePrincipals/91bc8c76-cddc-4f20-b82d-ec7df1d80827/appRoleAssignments ` --headers "{'content-type': 'application/json'}" ` --body "{ 'appRoleId': '42ee5891-7e50-4db9-a6d9-75ffc8cc1e9b’, # identifier of your app role 'principalId': '717a6e6a-2d24-4954-9df1-88679da7c12e’, # object id of the Managed Identity 'principalType': 'ServicePrincipal’, 'resourceId': '91bc8c76-cddc-4f20-b82d-ec7df1d80827’ # the identifier Enterprise Application }"