How to use a private access key vault with Azure Bot's AAD v2 with Certificates Service Provider

Question

How to use a private access key vault with Azure Bot's AAD v2 with Certificates Service Provider

Chapman Pendery 30 Microsoft Employee

We are using the AAD v2 with Certificates (Preview) Service Provider with our Azure Bot because we are authenticating with our first party app and client secrets are recommended against by the identity platform. We are running into the issue where our Key Vault cannot be public access, but the Certificate Service Provider depends on the Bot Service Token Store having access to our key vault to read our certificate.

What is the recommended way to handle this? Does the Token Store have a range of ips or a static ip we can allow to access our keyvault?

romungi-MSFT 48,906 Reputation points Microsoft Employee Moderator

2023-08-17T15:23:14.64+00:00

@Chapman Pendery I do not have much experience working with bot service, but I think this page addresses your concerns. As per the example given in the document, you will have to configure a private endpoint and DNS A records. As per the doc:

Say you have a bot named SampleBot and a corresponding app service for it, SampleBot.azurewebsites.net, that serves as the messaging endpoint for this bot. You configure a private endpoint for SampleBot with sub-resource type Bot in the Azure portal for public cloud, which creates a DNS zone group with an A record corresponding to SampleBot.botplinks.botframework.com. This DNS record maps to a local IP in your virtual network. Similarly, using the sub-resource type Token generates an endpoint, SampleBot.bottoken.botframework.com. The A record in the DNS zone you created is mapped to an IP Address within your virtual network. So, requests sent to this endpoint are local to your network and don't violate rules in your network security group or Azure firewall that restrict outbound traffic from your network. The Azure networking layer and Bot Framework services ensure that your requests are not leaked to the public internet, and isolation is maintained for your network.
Chapman Pendery 30 Reputation points Microsoft Employee

2023-08-24T20:08:12.6133333+00:00

This would allow a Bot to communicate with Bot Framework services without violating network rules, but this wouldn't allow the Bot Framework services to read into the isolated network, if I'm understanding this correctly. I need their services to have that permission for the type of service principle we are using

Your answer

romungi-MSFT 48,906 Reputation points Microsoft Employee Moderator

2023-08-17T15:23:14.64+00:00

@Chapman Pendery I do not have much experience working with bot service, but I think this page addresses your concerns. As per the example given in the document, you will have to configure a private endpoint and DNS A records. As per the doc:

Say you have a bot named SampleBot and a corresponding app service for it, SampleBot.azurewebsites.net, that serves as the messaging endpoint for this bot. You configure a private endpoint for SampleBot with sub-resource type Bot in the Azure portal for public cloud, which creates a DNS zone group with an A record corresponding to SampleBot.botplinks.botframework.com. This DNS record maps to a local IP in your virtual network. Similarly, using the sub-resource type Token generates an endpoint, SampleBot.bottoken.botframework.com. The A record in the DNS zone you created is mapped to an IP Address within your virtual network. So, requests sent to this endpoint are local to your network and don't violate rules in your network security group or Azure firewall that restrict outbound traffic from your network. The Azure networking layer and Bot Framework services ensure that your requests are not leaked to the public internet, and isolation is maintained for your network.
Chapman Pendery 30 Reputation points Microsoft Employee

2023-08-24T20:08:12.6133333+00:00

This would allow a Bot to communicate with Bot Framework services without violating network rules, but this wouldn't allow the Bot Framework services to read into the isolated network, if I'm understanding this correctly. I need their services to have that permission for the type of service principle we are using

Share via

How to use a private access key vault with Azure Bot's AAD v2 with Certificates Service Provider

Your answer