App Service and Manged Identity

 You have a web application (App Service) that needs to fetch a database connection string stored in Azure Key Vault. Instead of hardcoding credentials, the app uses Managed Identity for secure authentication.


Application → Managed Identity → Azure AD → Token → Key Vault → Azure AD → OpenID → Secrets → Application

Security Benefits
  1. No Secrets in Code: Connection strings and API keys stay in Key Vault
  2. Automatic Rotation: Key Vault handles secret rotation
  3. Managed Identity: No service principal credentials to manage
  4. Azure AD Integration: Leverages enterprise-grade authentication
  5. Audit Trail: All access is logged in Azure Monitor


This authentication flow enables Azure services to securely access secrets without storing credentials in code. An application uses its managed identity to obtain a token from Azure AD, which Key Vault validates via OpenID Connect before providing secrets. This eliminates the need for hardcoded connection strings or API keys, leveraging Azure's built-in identity management for secure, credential-free access to protected resources like databases and API keys.



🔄 Flow Explanation

  1. Application → Managed Identity

    • The application code (running in Azure App Service, VM, Function, etc.) requests an access token from its system-assigned managed identity.

    • Example (C#):

      var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");

  2. Managed Identity → Azure AD

    • The Managed Identity endpoint (provided by Azure infrastructure) forwards this request to Azure Active Directory.

    • Azure AD authenticates the Managed Identity (since it’s already registered in AD by Azure).

  3. Azure AD → Token Issued

    • Azure AD issues a JWT access token scoped for Azure Key Vault (https://vault.azure.net).

    • This token proves: “This app is who it claims to be.”

  4. Managed Identity → Key Vault

    • The Managed Identity now sends this token to Azure Key Vault along with the request:

      GET https://my-keyvault.vault.azure.net/secrets/DbConnectionString?api-version=7.3
Authorization: Bearer <access_token>

  5. Key Vault → Azure AD (Validation)

    • Key Vault checks the token with Azure AD (OpenID Connect metadata) to validate authenticity (issuer, signature, expiration, etc.).

  6. Azure AD → Confirmation

    • Azure AD confirms: “Yes, this token is valid and issued to this Managed Identity.”

  7. Key Vault → Returns Secret

    • Key Vault checks RBAC/Access Policies → if the Managed Identity has Get Secret permissions, it returns the secret (e.g., database connection string) to the application.

  8. Application → Uses Secret

    • The application now safely uses the retrieved connection string without ever storing credentials in code.

✅ Example in Action

  • Web App runs code → Calls Managed Identity endpoint.

  • Managed Identity → Gets token from Azure AD.

  • Web App uses token → Calls Key Vault.

  • Key Vault validates token with Azure AD → Returns secret.

🔐 Key Points:

  • The app never sees a password or client secret.

  • Azure AD is the central authority for authentication.

  • Key Vault enforces authorization (who can access what).

Comments

Post a Comment

Popular posts from this blog

🔍 Dataverse + Azure Integration: Choosing Between Synapse Link and Microsoft Fabric

  Managing large-scale data in Microsoft Dataverse ? You're likely choosing between Azure Synapse Link and the newer Microsoft Fabric Link . Both unlock powerful analytics and reporting options—but with different trade-offs in performance, setup, and long-term cost. Let’s break it down 👇 📊 Power BI and Dataverse: Great, But With Limits Power BI uses TDS (Tabular Data Stream) to connect directly to Dataverse tables. Real-time querying works well for smaller datasets (tens of thousands of records). However, complex queries and relationships may cause timeouts after 5 minutes , making it unreliable for enterprise-scale analytics. 🔗 Azure Synapse Link: Power + Complexity ✅ Strengths: Designed for large datasets , converting Dataverse tables to CSV format for efficient querying and reporting. Highly customizable with Synapse Studio , Azure Data Lake , and Data Factory for deeper ETL/ELT capabilities. ⚠️ Watchouts: Requires technical setup : Azur...
Read more

⚡ Example: Rate Limiting in Azure API Management

  Scenario: You have a public API and want to limit each user to 5 calls per minute to prevent abuse or accidental overload. 🛡️ What is Rate Limiting? Rate limiting controls how many requests a client can make to your API within a specific time window . It helps: Prevent API abuse Protect backend systems Fairly distribute API usage 💡 Using the rate-limit-by-key Policy Azure APIM uses a policy called rate-limit-by-key . It limits requests based on a unique identifier — usually the caller's subscription key or IP address. 🔧 Example Policy (XML) Here’s how you can add this to your inbound policy : < inbound > < base /> < rate-limit-by-key calls = "5" renewal-period = "60" counter-key = "@(context.Subscription?.Key)" /> </ inbound > Explanation: Attribute Meaning calls="5" Maximum 5 calls allowed renewal-period="60" Time window of 60 seconds (1 minute...
Read more

👤 Anonymous Role in Power Pages – What It Is and When to Use It

  When building public-facing websites with Power Pages , not every visitor will be a logged-in user. Some might just be browsing, some might want to ask a question, and others might be using your portal for the very first time. So how do we allow unregistered users to interact with our portal safely ? That’s where the Anonymous Users role comes in. 🚪 Who Are Anonymous Users? Anonymous users are visitors who haven’t logged in to your Power Pages portal. They: Have not signed in May not have an account Might be visiting for the first time And here’s the best part — Power Pages automatically assigns them the “Anonymous Users” web role. You don’t have to do anything special to give it. 🔐 What Can They Do? By default, anonymous users can see pages marked as "anonymous access allowed" , but they can't create or edit data unless you let them . To let anonymous users interact with your data (e.g., submit a form), you need to: Create table permissi...
Read more