[Azure Maps] How to authenticate without RBAC?

Question

[Azure Maps] How to authenticate without RBAC?

Nikolay Mitikov 6

I, as a developer (with Contributor role), is tasked with integrating Azure Map (using Maps Web SDK).

Despite I have access to both Map keys (Shared Key Authentication section), and can do with maps everything (except assigning security), there is no way for me to authenticate SDK API requests (as caller Azure Func cannot be granted 'Maps Reader' access).

The current map security implementation (that neither exposes sensitive keys, nor relies on SAS) is based on RBAC & managed identities (DefaultAzureCredential integration) which cannot be used in case no 'admin' permissions are supplied.

It also turns to be a case in case callees live in other AD tenants.

I did not find any documentation/way on how to generate/produce tokens from backend in any other way except using RBAC & managed identities.

Could you please highlight if there is a way, considering my motivation is legit?

Thanks,

Nik

LeelaRajeshSayana-MSFT 17,521 Reputation points

2023-08-14T11:30:03.4766667+00:00

Hi @Nikolay Mitikov Greetings! Welcome to Microsoft Q&A forum. Thank you for posting this question here. Our community SMEs on this this topic will review this question and get back to you with more details as soon as possible. Please stay tuned to this thread for updates.

1 answer

Your answer

LeelaRajeshSayana-MSFT 17,521 Reputation points

2023-08-14T11:30:03.4766667+00:00

Hi @Nikolay Mitikov Greetings! Welcome to Microsoft Q&A forum. Thank you for posting this question here. Our community SMEs on this this topic will review this question and get back to you with more details as soon as possible. Please stay tuned to this thread for updates.

Answer 1

IoTGirl 3,461 Microsoft Employee

Hi Nik,

There are two models outlined in our docs at https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication & https://learn.microsoft.com/en-us/azure/azure-maps/authentication-best-practices. We also have some helpful blogs:

I recommend taking a look at the blogs as they will likely clarify some of the steps you need to take to get the type of connection you want. They also include the automation scripts for the back end.

Sincerely,

IoTGirl

Nikolay Mitikov 6 Reputation points

2023-08-14T17:34:57.71+00:00

I wrote neither of two methods work in legit scenario, did I?

I do not see how your post answers here.
IoTGirl 3,461 Reputation points Microsoft Employee

2023-08-15T21:40:16.26+00:00

Hi Nik,

My reply outlines the supported methods that are working for Azure Maps customers. I am not sure why you would say they are not legitimate options but they are what is available from the service.

Sincerely,

IoTGirl
Nikolay Mitikov 6 Reputation points

2023-08-16T16:35:38.63+00:00
The question body I've posted highlights neither given methods work in basic/straightforward scenario.

One way requires Access Contributor role & forces apps to be in the same AD domain;

Another forces expose signing key;

I've carefully investigated the potential solutions and found none, therefore I've opened an inquiry here.

Based on the answer you've posted, it is clear read my question was not read.
QuantumCache 20,356 Reputation points

2023-08-21T18:22:26.37+00:00

Hello @Nikolay Mitikov,

You are right about the Authentication!

There may be chances of exposing the sensitive keys!!! Which we don't like to happen.

When creating publicly facing client applications with Azure Maps, you must ensure that your authentication secrets aren't publicly accessible.

Subscription key-based authentication (Shared Key) can be used in either client side applications or web services, however it's the least secure approach to securing your application or web service. The reason is the key is easily obtained from an HTTP request and grants access to all Azure Maps REST API available in the SKU (Pricing Tier).

If you do use subscription keys, be sure to rotate them regularly and keep in mind that Shared Key doesn't allow for configurable lifetime, it must be done manually. You should also consider using Shared Key authentication with Azure Key Vault, which enables you to securely store your secret in Azure.

If using Azure Active Directory (Azure AD) authentication or Shared Access Signature (SAS) Token authentication, access to Azure Maps REST APIs is authorized using role-based access control (RBAC). RBAC enables you to control what access is given to the issued tokens. You should consider how long access should be granted for the tokens. Unlike Shared Key authentication, the lifetime of these tokens is configurable.

Public client and confidential client applications

Please do submit feedback on this IDEAS portal, so that the product team listens to our feature requests. Please do let us know once you have submitted the idea Feedback.

https://feedback.azure.com/d365community/forum/fc834083-0925-ec11-b6e6-000d3a4f09d0
LeelaRajeshSayana-MSFT 17,521 Reputation points

2023-08-23T13:51:58.5+00:00

Hi @Nikolay Mitikov ,

We noticed your feedback that the answer on this thread was not helpful. Thank you for taking time to share your feedback.

Since Satish was able to clarify the response, I request that you kindly re-take the survey for your experience on this thread.

I understand that this situation may have caused some inconvenience, and I want to express my gratitude for your efforts and patience in handling it. Please share the link here once you have submitted feedback in the support portal so that we can upvote it. We are here to help you and strive to make your experience better and greatly value your feedback. Looking forward to your reply. Much appreciate your feedback!

Share via

[Azure Maps] How to authenticate without RBAC?

1 answer

Your answer