WELCOME TO CLOUD MATTER
  • Roman Guoussev-Donskoi

Azure Security - Applications Permissions Monitoring and Management

Updated: Apr 28, 2019

In a medium-to-large enterprise the number of applications registered in Azure Active Directory grows quickly.

The ability to automate application management at scale therefore becomes mandatory, e.g.:

  • Ability to standardize and automate application configuration.

  • Ability to monitor application configuration (e.g. which permissions are assigned to which applications).


Note: Identity endpoints

As per Configure your App Service app to use Azure Active Directory sign-in: "At this time, AAD V2 (including MSAL) is not supported for Azure App Services and Azure Functions." Much of what follows applies to both endpoints, but since the main focus here is Azure App Service, assume the Azure Active Directory (v1.0) endpoints for now.


Automate Application Provisioning

For App Services, Azure subscriptions and resource groups provide a way to logically organize related resources. If one uses App Service Environments (as opposed to the public, multi-tenant App Service), even the App Service DNS names are relative to the ASE's DNS suffix. This grouping provides several useful capabilities, e.g. re-use of the same App Service name across Development, Test and Production environments, and the ability to easily locate related services.

Unfortunately there is no similar construct in Azure Active Directory (AAD). The Azure Active Directory namespace is flat (no OUs, domains or forests). Therefore application registration names have to be chosen so that one can identify which App Service a registration relates to, locate it, and clean it up/remove it when required.


For the majority of scenarios, naming the app registration after the App Service FQDN (replacing periods with dashes) seems like an appropriate model.
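The naming convention above, turned into an idempotent provisioning step. This is an added example and not a script from the original post; it assumes the AzureAD PowerShell module with an existing Connect-AzureAD session, and the FQDN used at the bottom is a constructed sample value. The function names ConvertTo-AppRegistrationName and New-AppServiceRegistration are this example's own. The reply URL uses the App Service authentication callback path (/.auth/login/aad/callback).

```powershell
# Added example (not from the original post): derive an Azure AD app registration
# name from an App Service FQDN and create the registration only if it does not exist.
# Assumes: AzureAD module, an existing Connect-AzureAD session. Sample FQDN is constructed.

function ConvertTo-AppRegistrationName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Fqdn
    )
    # Normalise: lower-case, drop a trailing dot, then replace periods with dashes.
    $name = $Fqdn.Trim().TrimEnd('.').ToLowerInvariant()
    if ($name -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$') {
        throw "Not a valid FQDN: '$Fqdn'"
    }
    return ($name -replace '\.', '-')
}

function New-AppServiceRegistration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Fqdn
    )
    $displayName   = ConvertTo-AppRegistrationName -Fqdn $Fqdn
    $identifierUri = "https://$Fqdn"
    $replyUrl      = "https://$Fqdn/.auth/login/aad/callback"   # App Service auth callback

    # Idempotent: reuse a registration with the same name instead of creating a duplicate.
    $existing = Get-AzureADApplication -Filter "displayName eq '$displayName'"
    if ($existing) {
        Write-Verbose "Registration '$displayName' already exists (appId $($existing.AppId))"
        return $existing
    }

    if ($PSCmdlet.ShouldProcess($displayName, 'Create app registration')) {
        $app = New-AzureADApplication -DisplayName $displayName `
                                      -IdentifierUris @($identifierUri) `
                                      -ReplyUrls @($replyUrl) `
                                      -AvailableToOtherTenants $false
        # The service principal is what permissions are granted to, so create it now.
        New-AzureADServicePrincipal -AppId $app.AppId | Out-Null
        return $app
    }
}

# Usage with a constructed sample FQDN. -WhatIf reports what would be created
# without writing to the tenant (the existence check still reads from it).
ConvertTo-AppRegistrationName -Fqdn 'myapi.dev.contoso.com'     # myapi-dev-contoso-com
New-AppServiceRegistration -Fqdn 'myapi.dev.contoso.com' -WhatIf
```

Because the name is derived from the FQDN, the same script run from the Development, Test and Production pipelines produces distinct but predictable registrations (myapi-dev-contoso-com, myapi-test-contoso-com, ...), which is what makes later lookup and cleanup by name possible in a flat namespace.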



Manage Application Permissions

Microsoft provides a clear and short description of best practices for both the client app and the resource.


To manage your applications at scale, APIPermissionsHelper.psm1 helps to assign API permissions from PowerShell.

Note: configuring the required permissions on the registration must be followed by the actual permission grant (admin consent, the "blessing") done by a global admin account, either via Azure CLI (az ad app permission admin-consent), PowerShell (via the REST API) or the Azure portal.

Monitor Application Permissions

As per Permissions and consent in the Azure Active Directory v1.0 endpoint, the delegated and application permissions a resource exposes are listed in the "OAuth2Permissions" and "AppRoles" properties of the resource's service principal; a client registration refers to them by id in its RequiredResourceAccess property.

The raw content is somewhat cryptic (GUIDs rather than names), but the Get-ApplicationPrivileges.ps1 script produces the list of application and delegated permissions and creates CSV files which can be easily loaded into Power BI to analyze the permissions granted to applications in your tenant.


Example output is shown in the original post as a screenshot.
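Both halves of the previous two sections, assigning permissions by name and decoding them back for monitoring, share one lookup: the resource service principal's OAuth2Permissions and AppRoles. The following added example (this is not APIPermissionsHelper.psm1 or Get-ApplicationPrivileges.ps1 from the post) does both with that one helper. It assumes the AzureAD PowerShell module and an existing Connect-AzureAD session with rights to update the registration; the function names, the registration display name and the CSV path are this example's own. The Microsoft Graph appId is the well-known value.

```powershell
# Added example (not the post's scripts): resolve permission names to ids on the
# resource's service principal, write them into a client registration's
# RequiredResourceAccess, and decode every registration's requirements into a CSV.
# Assumes: AzureAD module, existing Connect-AzureAD session. Names below are sample values.

# Shared helper: the resource service principal (e.g. Microsoft Graph) exposes the
# permission catalogue in Oauth2Permissions (delegated) and AppRoles (application).
function Get-ResourceServicePrincipal {
    param([Parameter(Mandatory)][string]$ResourceAppId)
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $sp) { throw "No service principal found for resource appId $ResourceAppId" }
    return $sp
}

# Build one RequiredResourceAccess entry. Type 'Scope' = delegated, 'Role' = application.
function New-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)][string]$ResourceAppId,
        [string[]]$DelegatedPermissions = @(),
        [string[]]$ApplicationPermissions = @()
    )
    $sp     = Get-ResourceServicePrincipal -ResourceAppId $ResourceAppId
    $access = @()
    foreach ($name in $DelegatedPermissions) {
        $p = $sp.Oauth2Permissions | Where-Object Value -eq $name
        if (-not $p) { throw "Delegated permission '$name' is not exposed by $($sp.DisplayName)" }
        $access += New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $p.Id, 'Scope'
    }
    foreach ($name in $ApplicationPermissions) {
        $r = $sp.AppRoles | Where-Object Value -eq $name
        if (-not $r) { throw "Application permission '$name' is not exposed by $($sp.DisplayName)" }
        $access += New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $r.Id, 'Role'
    }
    $rra = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
    $rra.ResourceAppId  = $sp.AppId
    $rra.ResourceAccess = $access
    return $rra
}

# Decode a registration's RequiredResourceAccess (GUIDs) into readable rows.
function Get-RequiredPermissionReport {
    param([Parameter(Mandatory)]$Application)
    foreach ($rra in $Application.RequiredResourceAccess) {
        $sp = Get-ResourceServicePrincipal -ResourceAppId $rra.ResourceAppId
        foreach ($a in $rra.ResourceAccess) {
            if ($a.Type -eq 'Role') {
                $entry = $sp.AppRoles | Where-Object Id -eq $a.Id
                $type  = 'Application'; $desc = $entry.Description
            } else {
                $entry = $sp.Oauth2Permissions | Where-Object Id -eq $a.Id
                $type  = 'Delegated';   $desc = $entry.AdminConsentDescription
            }
            [pscustomobject]@{
                Application = $Application.DisplayName
                AppId       = $Application.AppId
                Resource    = $sp.DisplayName
                Type        = $type
                Permission  = $entry.Value
                Description = $desc
            }
        }
    }
}

# Usage 1: require delegated User.Read on Microsoft Graph for a sample registration.
$graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph well-known appId
$app = Get-AzureADApplication -Filter "displayName eq 'myapi-dev-contoso-com'"   # sample name
$required = New-RequiredResourceAccess -ResourceAppId $graphAppId -DelegatedPermissions 'User.Read'
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess @($required)
# Requiring is not granting: an admin still has to consent, e.g.
#   az ad app permission admin-consent --id <appId>

# Usage 2: tenant-wide report of what every registration asks for, ready for Power BI.
Get-AzureADApplication -All $true |
    ForEach-Object { Get-RequiredPermissionReport -Application $_ } |
    Export-Csv -Path .\app-required-permissions.csv -NoTypeInformation
```

The report shows what each registration requires, which is what the portal's "API permissions" blade displays. What has actually been consented to lives elsewhere: delegated grants are OAuth2PermissionGrant objects (Get-AzureADOAuth2PermissionGrant) and application permissions are app role assignments on the resource's service principal (Get-AzureADServiceAppRoleAssignedTo). A monitoring job that compares the two catches registrations that request more than they were ever granted, as well as grants left behind after a registration's requirements were trimmed.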


Limitations

Unfortunately, as per Azure AD service limits and restrictions, a non-admin user can create no more than 250 objects. This puts a practical limit on automated application registration creation in large environments when granting admin rights to the automation/service account is a security concern.

A potential workaround is to create a pool of service accounts and shard the created applications between them, but this adds a level of complexity and management overhead.


You can monitor the number of objects created by a specific service account with Get-AzureADUserCreatedObject -ObjectId '{User-Object-Id}' (for a service principal, use Get-AzureADServicePrincipalCreatedObject -ObjectId '{Service-Principal-Object-Id}').

