How to grant permissions to system managed identities as a group?

Jan Kowalik 100 Reputation points
2023-08-31T19:33:32.0066667+00:00

I have a few system-assigned identities for web app service slots and for function app slots, which I grouped in a single security group in Active Directory. I want to give the group access to the Key Vault secret by assigning the Key Vault Secrets User role to the group.

However, it does not work. Key Vault secret references in the apps' configuration variables (appsettings) fail to resolve.

I tested secret access with the check access utility in the secret's blade, and it is all correct there. The firewall does not block access either. Moreover, the troubleshooting blade for checking Key Vault references on all apps shows the reference as accessible and resolvable (green ticks), yet it still does not resolve.

It works fine when I add the managed identities directly to the secret user role. Why can't I group them into a security group? The documentation here clearly shows it should work. Can someone explain to me how to achieve it please?


Accepted answer
  1. Andriy Bilous 10,896 Reputation points MVP
    2023-08-31T20:59:59.8433333+00:00

    Hello @Jan Kowalik

    Please consider the above functionality and limitation:

    Given that the identity's groups and roles are claims in the access token, any authorization changes do not take effect until the token is refreshed. For a human user that's typically not a problem, because a user can acquire a new access token by logging out and in again (or waiting for the token lifetime to expire, which is 1 hour by default). Managed identity tokens on the other hand are cached by the underlying Azure infrastructure for performance and resiliency purposes: the back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's group or role membership to take effect. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. If you change a managed identity’s group or role membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access.

    https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations#limitation-of-using-managed-identities-for-authorization
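As an added illustration (not part of either answer), the following Python decodes a managed-identity access token locally and estimates, from the roughly 24-hour per-resource cache the linked documentation describes, when a role or group change can first reach the app. The token it builds is a constructed, unsigned sample, and the 24-hour figure is taken as exact for the estimate.

```python
import base64
import json

# Cache window quoted in the answer (assumed exact here for the estimate).
MI_TOKEN_CACHE_S = 24 * 3600


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Read the payload of a compact JWT without verifying it (local inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def earliest_visible(claims: dict, changed_at: int) -> int:
    """Earliest epoch second at which a role/group change made at `changed_at`
    can take effect for the app holding this token.

    A token issued (iat) before the change carries the old authorization, and the
    managed-identity back end keeps reusing it until the cache window elapses.
    """
    issued = int(claims["iat"])
    if changed_at <= issued:
        return changed_at                  # change predates the token: already reflected
    return issued + MI_TOKEN_CACHE_S       # must wait for the cached token to be dropped


def constructed_token(issued: int) -> str:
    """Unsigned sample shaped like a Key Vault managed-identity token (constructed, not real)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": "https://vault.azure.net",
        "oid": "00000000-0000-0000-0000-000000000000",  # placeholder object id
        "iat": issued,
        "exp": issued + 3600,
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


if __name__ == "__main__":
    claims = decode_claims(constructed_token(1693483200))
    print("change visible no earlier than epoch", earliest_visible(claims, 1693483200 + 7200))
```

Paste a real token into `decode_claims` only to read `iat`, `exp`, `oid` and `aud`; it never validates the signature, so do not use it for authorization decisions.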


1 additional answer

  1. JamesTran-MSFT 36,351 Reputation points Microsoft Employee
    2023-09-05T19:30:11.03+00:00

    @Jan Kowalik

    Thank you for your post and I apologize for the delayed response!

    I understand that you have a few system-assigned managed identities for your Web App and Function App service slots, which you've grouped into a single Azure AD Group. You've assigned this Azure AD Group the Key Vault Secrets User role but are still having issues with the vault references within your app settings, since they're failing to resolve. To hopefully help point you in the right direction and gain a better understanding of your issue, I'll share my findings below.


    Findings:

    When it comes to the Key Vault side of things, it should be possible to add your managed identities to an Azure AD group in order to assign data plane access to your vault. However, since you don't have any issues with the references and the permissions you assigned all seem to be correct:

    • Can you share a screenshot of what you're seeing when you mention your App Settings fail to resolve?
    • Can you also ensure that the RBAC role assignment was added correctly to your Key Vault?

    Since this issue seems to be primarily related to your Web and Function App slots, I've also added the respective tags so their communities can look into your issue as well.


    Additional Links:

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.