What is the recommended way to manage application access via Azure Entra ID?

devopsfj 251 Reputation points
2024-06-19T08:32:46.5466667+00:00

We are looking to set up an application in AKS and we are looking for the best way to manage application access via Entra ID.

For example, we have a simple UI which lives in AKS.

We have two job roles which need to have different access to the application, Marketing & Finance.

We would like our users to log into the application using their Entra ID which we have configured.

We now need to know how best to proceed with managing permissions to the application. What is the recommended way to manage this access: is it to use 'Roles' in Entra ID or 'Groups' in Entra ID, or any other method?

For example, if a user is assigned to Entra Role 'Marketing', they should see Marketing related resources in our UI, what is the best way to achieve this?


2 answers

  1. Abiola Akinbade 25,295 Reputation points
    2024-06-19T08:52:09.3933333+00:00

    Hello devopsfj,

    Thanks for your question.

    I recommend you take a look at the best practices in the AKS best practices section before making your final decision.

    Best practices for authentication and authorization in Azure Kubernetes Service (AKS)

    The recommended options for managing app access are Kubernetes RBAC and Microsoft Entra ID integration.

    Regards,

    Abiola

    You can mark it 'Accept Answer' and upvote if this helped.


  2. Raja Pothuraju 18,035 Reputation points Microsoft External Staff
    2024-06-20T19:39:16.81+00:00

    Hello @devopsfj,

    Thank you for posting your query on Microsoft Q&A.

    To manage application access via Entra ID for your application in AKS, you can use both "Roles" and "Groups" depending on your specific requirements and preferences. Here's a detailed guide on how you can proceed with managing permissions to the application:

    Using Roles in Entra ID

    1. Define App Roles:
      • In your Entra ID, define application roles for your app. These roles can be "Marketing" and "Finance".
      • Navigate to your application registration in the Azure portal.
      • Go to the "App roles" section and add new roles for "Marketing" and "Finance".
    2. Assign Roles to Users:
      • Assign the defined roles to users or groups. This can be done in the "Enterprise applications" section, under your application.
      • Select your application, go to "Users and groups", and assign the respective roles to the users or groups.
    3. Configure Application to Read Roles:
      • Ensure that your application is configured to read the roles claim from the ID token issued by Entra ID.
      • In your application code, check the user’s roles to determine what resources they should have access to. For example:

    if 'Marketing' in user.roles:
        show_marketing_resources()   # show marketing related resources
    elif 'Finance' in user.roles:
        show_finance_resources()     # show finance related resources

    Please refer to the Microsoft document below to learn more about how to add app roles to your application and receive them in the token.

    https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps#assign-users-and-groups-to-roles


    Using Groups in Entra ID

    1. Create Groups:
      • Create security groups for each job role in Entra ID. For example, "Marketing" group and "Finance" group.
      • Add users to these groups based on their job roles.
    2. Configure Group Claims:
      • In your application registration, go to "Token configuration" and add a group claim to include the groups in the token.
      • This will ensure that the group membership information is included in the token.
    3. Configure Application to Read Group Claims:
      • In your application, read the group claims from the token.
      • Based on the groups the user is a member of, determine what resources they should have access to. For example:

    if 'MarketingGroupId' in user.groups:
        show_marketing_resources()   # show marketing related resources
    elif 'FinanceGroupId' in user.groups:
        show_finance_resources()     # show finance related resources

    Please refer to the Microsoft document below to learn more about configuring optional claims in your application.

    https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui

    Best Practice Recommendations

    1. Roles vs. Groups:
      • Use Roles if the permissions are specific to the application and need to be managed within the application registration itself.
      • Use Groups if the permissions need to be managed more broadly across different applications and services within your organization.
    2. Scalability:
      • Roles are easier to manage within a single application but can become cumbersome if you need to manage permissions across multiple applications.
      • Groups provide a more scalable approach as they can be used across multiple applications and services.
    3. Claims Configuration:
      • Ensure that the token contains the necessary claims (roles or groups) by configuring the token settings in the Azure portal.
      • This configuration ensures that the user’s roles or group memberships are included in the token sent to the application.

    By following these steps, you can effectively manage access to your application using Entra ID, ensuring that users see resources relevant to their roles. Hope this includes all the information that you were looking for.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.
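A worked version of the two pseudocode checks in the answer above, as an added example that is not part of the original answers: it derives job roles from an already validated ID token's claims, accepting either app roles (names) or group claims (object IDs), and fails closed when Entra omits the groups claim because the user is in too many groups. The client ID, group GUIDs and resource names are constructed placeholders; signature, issuer and expiry validation is assumed to have happened before these claims are trusted.

```python
from typing import Any, Mapping, List, Set

# Constructed placeholder for the app registration's client ID (the token's 'aud').
APP_CLIENT_ID = "00000000-0000-0000-0000-000000000000"

# Group claims carry object IDs, not names, so map each group GUID to a job role.
# These GUIDs are constructed placeholders, not real Entra group IDs.
GROUP_ID_TO_ROLE = {
    "11111111-1111-1111-1111-111111111111": "Marketing",
    "22222222-2222-2222-2222-222222222222": "Finance",
}

# Hypothetical UI resources each job role may see.
RESOURCES = {
    "Marketing": ["campaigns", "brand-assets"],
    "Finance": ["ledger", "invoices"],
}


def effective_roles(claims: Mapping[str, Any]) -> Set[str]:
    """Return the job roles granted by a validated ID token's claims."""
    # Reject tokens issued for a different application.
    if claims.get("aud") != APP_CLIENT_ID:
        raise PermissionError("token audience does not match this application")
    # App roles arrive as names exactly as defined under "App roles".
    roles = set(claims.get("roles", []))
    if "groups" in claims:
        # Unknown group IDs are ignored rather than mapped to a default role.
        roles.update(GROUP_ID_TO_ROLE[g] for g in claims["groups"] if g in GROUP_ID_TO_ROLE)
    elif "groups" in claims.get("_claim_names", {}):
        # Group overage: Entra replaced the groups claim with a Graph pointer.
        # Fail closed; the app must resolve memberships via Microsoft Graph instead.
        raise PermissionError("groups claim omitted (overage); resolve via Microsoft Graph")
    return roles


def visible_resources(claims: Mapping[str, Any]) -> List[str]:
    """List the UI resources a user may see, one role at a time."""
    items: List[str] = []
    for role in sorted(effective_roles(claims)):
        items.extend(RESOURCES.get(role, []))
    return items


# Constructed sample claims: app role 'Marketing' plus membership in the Finance group.
SAMPLE_ID_TOKEN_CLAIMS = {
    "aud": APP_CLIENT_ID,
    "preferred_username": "alice@contoso.example",
    "roles": ["Marketing"],
    "groups": ["22222222-2222-2222-2222-222222222222"],
}
```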

