In a medium-to-large enterprise the number of applications registered in Azure Active Directory grows quickly.
Therefore the ability to automate application management at scale becomes mandatory, e.g.:
Ability to standardize and automate the configuration of applications.
Ability to monitor application configuration (e.g. which permissions are assigned to which applications).
Note: Identity endpoints
As per Configure your App Service app to use Azure Active Directory sign-in: "At this time, AAD V2 (including MSAL) is not supported for Azure App Services and Azure Functions." Much of the below applies to both endpoints, but our main focus is Azure App Service, so for now assume the Azure Active Directory (v1.0) endpoints.
Automate Application Provisioning
For App Services, Azure subscriptions and resource groups provide the capability to logically organize related resources. If one uses App Service Environments (as opposed to the public App Service), even App Service DNS names are relative to the ASE DNS. This grouping provides many useful capabilities, e.g. re-use of the same App Service name across Development, Test and Production environments and the ability to easily locate related services.
Unfortunately there is no similar construct in Azure Active Directory (AAD). The Azure Active Directory namespace is flat (no OUs, domains or forests). Therefore application registration names have to be created so that one can identify the App Service a registration relates to, locate it, and clean it up/remove it when required.
For the majority of scenarios, naming the app registration after the FQDN (replacing periods with dashes) seems like an appropriate model.
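The naming model above, turned into a small idempotent provisioning routine. This is an added example and not code from the original post: it assumes the AzureAD PowerShell module with an existing Connect-AzureAD session, and the function names, the sample hostname and the Easy Auth callback path used as the reply URL are the example's own choices.

```powershell
# Added example (not from the original post): derive a standard app registration
# name from an App Service FQDN and create the registration only if it is missing.
# Assumes the AzureAD PowerShell module and an existing Connect-AzureAD session.

function ConvertTo-AppRegistrationName {
    param([Parameter(Mandatory)][string]$Fqdn)
    # Normalise and validate: lower-case, hostname characters only, at least one dot.
    $name = $Fqdn.Trim().ToLowerInvariant()
    if ($name -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$') {
        throw "Not a valid FQDN: '$Fqdn'"
    }
    # Naming model from the post: the FQDN with periods replaced by dashes.
    return $name.Replace('.', '-')
}

function Register-AppServiceApplication {
    param([Parameter(Mandatory)][string]$Fqdn)
    $displayName = ConvertTo-AppRegistrationName -Fqdn $Fqdn
    # App Service Authentication (Easy Auth) redirects to this path on the site itself.
    $replyUrl = "https://$($Fqdn.Trim().ToLowerInvariant())/.auth/login/aad/callback"

    # Look the registration up by its standardized name so re-running is safe.
    $existing = Get-AzureADApplication -Filter "displayName eq '$displayName'"
    if ($existing) {
        Write-Verbose "Registration '$displayName' already exists (AppId $($existing.AppId))"
        return $existing
    }
    New-AzureADApplication -DisplayName $displayName -ReplyUrls @($replyUrl)
}

# Usage with a constructed hostname; yields the registration 'payroll-dev-contoso-com'.
# Register-AppServiceApplication -Fqdn 'payroll-dev.contoso.com' -Verbose
```

Because the display name is derived deterministically from the hostname, the same function also gives you the lookup key for the clean-up step: everything registered for a decommissioned site can be found with the same `displayName eq` filter.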
Manage Application Permissions
Microsoft provides a clear and short description of Best practices (for both the client app and the resource).
To manage your applications at scale, APIPermissionsHelper.psm1 helps to assign API permissions from PowerShell.
Note: the privileges configuration needs to be followed by the actual permission grant ("blessing"), done by a global admin account either via the Azure CLI (az ad app permission admin-consent), PowerShell (via the REST API) or the Azure portal.
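The two-step procedure described above (request the permission on the registration, then have a global admin consent), as an added example. This is not the APIPermissionsHelper.psm1 module from the post; it assumes the AzureAD PowerShell module and a Connect-AzureAD session for the first step, and the Azure CLI logged in as a global admin for the consent step. The function names and the `Add-DelegatedPermission` parameters are the example's own.

```powershell
# Added example (not the post's APIPermissionsHelper.psm1): request delegated
# permissions on a resource API for an app registration, then grant admin consent.
# Assumes the AzureAD module + Connect-AzureAD, and Azure CLI logged in as Global Admin.

function Add-DelegatedPermission {
    param(
        [Parameter(Mandatory)][string]$AppObjectId,    # ObjectId of the app registration
        [Parameter(Mandatory)][string]$ResourceAppId,  # AppId of the resource API being called
        [Parameter(Mandatory)][string[]]$Scopes        # delegated scope names, e.g. 'User.Read'
    )
    # The resource's service principal publishes the delegated scopes it exposes in
    # OAuth2Permissions (application permissions live in AppRoles).
    $resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $resourceSp) { throw "No service principal found for appId $ResourceAppId" }

    $access = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
    $access.ResourceAppId = $ResourceAppId
    $access.ResourceAccess = @(foreach ($scope in $Scopes) {
        $perm = $resourceSp.Oauth2Permissions | Where-Object { $_.Value -eq $scope }
        if (-not $perm) { throw "Scope '$scope' is not exposed by $($resourceSp.DisplayName)" }
        # 'Scope' marks a delegated permission; 'Role' would be an application permission.
        New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $perm.Id, 'Scope'
    })

    # Replace only this resource's entry so permissions already requested on other APIs survive.
    $app = Get-AzureADApplication -ObjectId $AppObjectId
    $required = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $ResourceAppId })
    $required += $access
    Set-AzureADApplication -ObjectId $AppObjectId -RequiredResourceAccess $required
    return $app.AppId
}

function Grant-AdminConsent {
    # The "blessing" from the post: must run under a Global Admin identity.
    param([Parameter(Mandatory)][string]$AppId)
    az ad app permission admin-consent --id $AppId
    if ($LASTEXITCODE -ne 0) { throw "admin-consent failed for $AppId (exit code $LASTEXITCODE)" }
}

# Usage with placeholder ids (constructed for the example):
# $appId = Add-DelegatedPermission -AppObjectId '<app-object-id>' -ResourceAppId '<resource-app-id>' -Scopes 'User.Read'
# Grant-AdminConsent -AppId $appId   # run as Global Admin
```

Keeping the two functions separate mirrors the separation of duties the note describes: the automation account that configures registrations needs no admin role, and only the consent step is run under the privileged identity.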
Monitor Application Permissions
As per Permissions and consent in the Azure Active Directory v1.0 endpoint, one can get delegated and app permissions via the "OAuth2Permissions" and "AppRoles" properties of the application's service principal.
The content is somewhat cryptic, but the Get-ApplicationPrivileges.ps1 script produces the list of application and delegated permissions and creates CSV files which can be easily loaded into Power BI to analyze the permissions granted to applications in your tenant.
An example is below:
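An added example of the same idea, not the Get-ApplicationPrivileges.ps1 script from the post: it walks the tenant's OAuth2 permission grants and app role assignments, translates the ids back to readable names through the resource service principals' OAuth2Permissions and AppRoles properties, and writes one CSV row per granted permission. It assumes the AzureAD PowerShell module and a Connect-AzureAD session; the function name and CSV column names are the example's own.

```powershell
# Added example (not the post's Get-ApplicationPrivileges.ps1): inventory every
# granted delegated and application permission in the tenant and export it to CSV.
# Assumes the AzureAD PowerShell module and an existing Connect-AzureAD session.

function Get-GrantedPermissionInventory {
    param([string]$CsvPath = '.\app-permissions.csv')

    # Resolve all service principals once; resources publish what they expose in
    # OAuth2Permissions (delegated scopes) and AppRoles (application permissions).
    $spById = @{}
    foreach ($sp in Get-AzureADServicePrincipal -All $true) { $spById[$sp.ObjectId] = $sp }

    $rows = New-Object System.Collections.Generic.List[object]

    # Delegated permissions: one OAuth2 grant per (client, resource, consented principal),
    # with the granted scopes in a single space-separated string.
    foreach ($grant in Get-AzureADOAuth2PermissionGrant -All $true) {
        $client   = $spById[$grant.ClientId]
        $resource = $spById[$grant.ResourceId]
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            $rows.Add([pscustomobject]@{
                ClientName     = $client.DisplayName
                ClientAppId    = $client.AppId
                PermissionType = 'Delegated'
                Resource       = $resource.DisplayName
                Permission     = $scope
                # 'AllPrincipals' = admin consent for the whole tenant; 'Principal' = one user consented
                ConsentType    = $grant.ConsentType
            })
        }
    }

    # Application permissions: app role assignments recorded on each resource that exposes roles.
    foreach ($resource in ($spById.Values | Where-Object { $_.AppRoles.Count -gt 0 })) {
        $roleById = @{}
        foreach ($role in $resource.AppRoles) { $roleById[$role.Id] = $role.Value }
        foreach ($asg in Get-AzureADServiceAppRoleAssignment -ObjectId $resource.ObjectId -All $true) {
            # Users and groups can also hold app roles; only service principals are app permissions.
            if ($asg.PrincipalType -ne 'ServicePrincipal') { continue }
            $rows.Add([pscustomobject]@{
                ClientName     = $asg.PrincipalDisplayName
                ClientAppId    = $spById[$asg.PrincipalId].AppId
                PermissionType = 'Application'
                Resource       = $resource.DisplayName
                Permission     = $roleById[$asg.Id]   # AppRoleAssignment.Id is the app role id
                ConsentType    = 'AllPrincipals'      # application permissions are always admin consented
            })
        }
    }

    $rows | Export-Csv -Path $CsvPath -NoTypeInformation
    return $rows
}

# Usage: Get-GrantedPermissionInventory -CsvPath '.\app-permissions.csv' | Format-Table
```

The flat shape (client, type, resource, permission, consent type) is what makes the Power BI side easy: a pivot on Permission and PermissionType immediately shows which applications hold high-privilege application permissions, and ConsentType separates tenant-wide admin grants from individual user consents. In a large tenant the per-resource assignment calls dominate the run time, so schedule it rather than running it interactively.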
Limitations
Unfortunately, as per Azure AD service limits and restrictions, a non-admin user can create no more than 250 objects. This puts a practical limit on automated application registration creation in large environments when granting admin rights to the automation/service account is a security concern.
A potential workaround is to create a pool of service accounts and shard the created applications between them, but this adds complexity and management overhead.
You can monitor the number of objects created by a specific service principal with Get-AzureADUserCreatedObject -ObjectId '{Service-Principal-Object-Id}'.
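The quota check above, extended to the sharding workaround, as an added example that is not part of the original post: it reports how close each account in the pool is to the 250-object limit and picks the account with the most headroom for the next registration. It assumes the AzureAD PowerShell module, a Connect-AzureAD session, and that the pool members are user objects (the -ObjectId parameter of Get-AzureADUserCreatedObject takes a user's object id); the function names, the warning threshold and the placeholder ids are the example's own.

```powershell
# Added example (not from the original post): check each automation account in a
# sharding pool against the 250-object quota for non-admin users and choose the
# least-loaded one. Assumes the AzureAD module, Connect-AzureAD, and that the pool
# members are user objects, as Get-AzureADUserCreatedObject expects.

function Get-AutomationAccountHeadroom {
    param(
        [Parameter(Mandatory)][string[]]$AccountObjectIds,  # object ids of the pool accounts
        [int]$Quota = 250,          # limit from "Azure AD service limits and restrictions"
        [int]$WarnAtPercent = 80    # flag accounts once they pass this share of the quota
    )
    foreach ($id in $AccountObjectIds) {
        # -All $true so the default page size cannot truncate the count.
        $created = @(Get-AzureADUserCreatedObject -ObjectId $id -All $true)
        $apps    = @($created | Where-Object { $_.ObjectType -eq 'Application' })
        [pscustomobject]@{
            AccountObjectId = $id
            ObjectsCreated  = $created.Count   # applications, service principals, groups, ...
            Applications    = $apps.Count
            Remaining       = $Quota - $created.Count
            Warning         = ($created.Count -ge [math]::Floor($Quota * $WarnAtPercent / 100))
        }
    }
}

function Select-LeastLoadedAccount {
    param([Parameter(Mandatory)][string[]]$AccountObjectIds, [int]$Quota = 250)
    $headroom  = Get-AutomationAccountHeadroom -AccountObjectIds $AccountObjectIds -Quota $Quota
    $candidate = $headroom | Where-Object { $_.Remaining -gt 0 } |
        Sort-Object ObjectsCreated | Select-Object -First 1
    if (-not $candidate) { throw "Every account in the pool has reached the $Quota-object quota" }
    return $candidate.AccountObjectId
}

# Usage with placeholder object ids (constructed for the example):
# $pool = @('<automation-user-1-object-id>', '<automation-user-2-object-id>')
# Get-AutomationAccountHeadroom -AccountObjectIds $pool | Format-Table
# Select-LeastLoadedAccount -AccountObjectIds $pool
```

Counting all created objects rather than just applications matters here: the quota applies to every directory object the account creates, so service principals created alongside registrations consume it too, and a report that only counts applications would under-estimate how close an account is to the limit.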