Monday 23 March 2020

Secure PowerShell Azure Function APIs through API Management and custom roles - Part 1

Azure Functions enable us to quickly build and publish APIs and also secure them using Azure Active Directory. While it is fairly straightforward to implement role-based access control within custom API code using ASP.NET and middleware, it can be tricky in PowerShell Azure Functions. It involves extracting the roles claim from the access token and validating it in code when the PowerShell API endpoint starts execution, though this is not too complex to implement.

Another way is to use API Management to configure access policies and secure the endpoints based on roles. This approach can be easier if you are already using API Management's other features for your custom API.

Part 2 of this post can be found here: https://vipulkelkar.blogspot.com/2020/03/secure-powershell-azure-function-apis_27.html

Background

Here is our scenario: our custom API exposes a set of endpoints which provide information related to our organization. Every API endpoint must be accessible through a unique permission level. The client SPNs/apps must have the specific application permission assigned to be able to acquire application tokens and access the endpoints:

- /Applications
- /Devices
- /Users
- /Groups


When an Azure Function is secured using Azure AD, the identities that can authenticate to Azure AD can access it by default. This means that any SPN/app is able to access the API endpoints in the Function App once Azure AD login is configured.

This is what we want to stop. We will create roles so that the SPNs/apps need to be specifically granted an application permission to be able to access the endpoints.

Secure PowerShell Core Azure Function API:

We will work with a very simple Azure Function called "MyOrg-API" which exposes a set of GET endpoints.

Our sample API URL is: https://myorg-api.azurewebsites.net

We have created an Azure AD app registration which represents our API.

The App ID URI must be the base URL of our Azure Function: https://myorg-api.azurewebsites.net

The next step is to secure the API Azure Function. Navigate to Function App -> Platform features -> Authentication/Authorization.

Configure the auth setup. The Client ID is the ID of the app that we registered.

Now if you access any endpoint of the Azure Function in a browser, you will be prompted for authentication, and on supplying your credentials you will get a response from the GET endpoint.

Let's see how that works with an SPN. Create a new SPN in your AAD. If you have the Az PowerShell module, the commands below will create an SPN:

Connect-AzAccount -Tenant <Your-Tenant-ID>

New-AzADServicePrincipal -DisplayName "RandomSPN" -Scope $null -Role $null

Create a secret for the SPN and try to call the API through Postman or a Logic Apps HTTP action. The call goes through, since the SPN is able to authenticate with AAD.


Configure Roles:

A way to stop this is by defining ROLES and validating within the API whether the caller has the specified role to carry out a specific API operation.
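
The in-code role check described above, as an added example that is not part of the original post: it reads the `roles` claim from the bearer token inside the function. It assumes App Service Authentication has already validated the token before the function runs (the code verifies no signature); the role value `Applications.Read` and all function names are hypothetical.

```powershell
# Added example (not the post's code). Assumes App Service Authentication has
# already validated the token's signature, issuer and audience before the
# function runs; this code only reads claims and verifies nothing itself.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 segments).' }
    # base64url -> base64: restore the alphabet and the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $json | ConvertFrom-Json
}

function Test-CallerRole {
    param([string]$AuthorizationHeader, [Parameter(Mandatory)][string]$RequiredRole)
    if ($AuthorizationHeader -notmatch '^Bearer\s+(\S+)$') { return $false }
    try { $claims = Get-JwtPayload -Token $Matches[1] } catch { return $false }
    # App-only tokens list granted application permissions in the "roles" array.
    # A token without it (an SPN with no role assigned) fails closed.
    return @($claims.roles) -ccontains $RequiredRole
}

# Constructed, unsigned demo tokens so the check can be exercised offline.
# 'Applications.Read' is a hypothetical role value, not one from the post.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function New-DemoToken([hashtable]$Claims) {
    '{0}.{1}.sig' -f (ConvertTo-Base64Url '{"typ":"JWT"}'), (ConvertTo-Base64Url ($Claims | ConvertTo-Json -Compress))
}
$withRole = 'Bearer ' + (New-DemoToken @{ roles = @('Applications.Read') })
$noRole   = 'Bearer ' + (New-DemoToken @{ appid = 'constructed-app-id' })

Test-CallerRole -AuthorizationHeader $withRole -RequiredRole 'Applications.Read'
Test-CallerRole -AuthorizationHeader $withRole -RequiredRole 'Devices.Read'
Test-CallerRole -AuthorizationHeader $noRole   -RequiredRole 'Applications.Read'

# Inside the HTTP-triggered function (run.ps1), the same check would gate the
# endpoint, assuming the host passes the Authorization header through:
#   if (-not (Test-CallerRole $Request.Headers['Authorization'] 'Applications.Read')) {
#       Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ StatusCode = [HttpStatusCode]::Forbidden })
#       return
#   }
```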

Let's start by creating roles in the App registration which secures our API.

Navigate to the App registration -> Manifest. In the 'appRoles' property, define custom roles. Create an object for each endpoint we defined at the start of this post. The sample below explains the role config for the /Applications endpoint. Replace the 'id' value with a GUID.

Now that we have configured the custom roles, we will create two consumer SPNs to demonstrate our setup. Access your SPN from the App registrations and navigate to 'API Permissions'. Search for our custom API.

1) MyOrg-Consumer-SPN:

This SPN will be able to access the Applications, Users and Groups endpoints. Provide the permissions and grant consent.

2) MyOrg-Consumer-SPN-Devices:

We have another consumer SPN which will have access to only the /Devices endpoint.

In the next post we will look at configuring API Management to make sure that only the SPNs that have been given a role can access the respective endpoint.
https://vipulkelkar.blogspot.com/2020/03/secure-powershell-azure-function-apis_27.html