ISO Azure Feature Equivalent: Role trust policy for session tags in AWS

Amy Davies 0 Reputation points
2024-10-07T18:07:21.56+00:00

I'm looking for an Azure equivalent of custom claim validation like AWS has in session tags?

{
    "Sid": "AllowPassSessionTagsAndTransitive",
    "Effect": "Allow",
    "Action": "sts:TagSession",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/test-session-tags"},
    "Condition": {
    "StringLike": {
        "aws:RequestTag/Project": "*",
        "aws:RequestTag/CostCenter": "*"
    },
    "StringEquals": {
        "aws:RequestTag/Department": [
            "Engineering",
            "Marketing"
        ]
    },
    "ForAllValues:StringEquals": {
        "sts:TransitiveTagKeys": [
            "Project",
            "Department"
         ]
      }
   }
}

Context: I have an OIDC token that contains custom claims

{
  "alg": "HS256",
  "kid": "12345",
  "typ": "JWT"
}.
{
  "aud": "AUDIENCE_NAME"
  "iss": "SOME_ISSUER",
  ...
  "customClaim1": "foo",
  "customClaim2": "bar",
}

I've worked through Azure's Workload Identity Federation and Conditional Access documentation but nothing seems to fit the feature of checking that customClaim1 == "foo" before providing an Azure access token.

I want to add a trust policy in Azure that does similar validation like AWS does with session tags. Which grants access to OIDC tokens if the custom claims / session tags match specific conditions. Google also has a similar feature.

Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
715 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,418 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sina Salam 13,371 Reputation points
    2024-10-08T11:25:45.5733333+00:00

    Hello Amy Davies,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are in need of ISO Azure Feature Equivalent similar to the Role trust policy for session tags in AWS.

    Unfortunately, Azure does not have a direct equivalent to AWS's session tags, but you can achieve similar functionality using Azure AD Conditional Access and custom claims in tokens.

    1. Using Azure AD Custom Security Attributes to tag users and enforce policies based on these attributes by mapping AWS IAM concepts to similar ones in Azure: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/mapping-aws-iam-concepts-to-similar-ones-in-azure/ba-p/3612216
    2. By using custom attributes for Attribute-Based Access Control (ABAC) with Microsoft Entra ID, Azure AD Conditional Access policies can be configured to enforce access based on custom claims in tokens. You can use Azure AD B2C to create custom policies that validate specific claims in the token before granting access. Read more here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-overview and https://aws.amazon.com/blogs/modernizing-with-aws/use-custom-attributes-for-attribute-based-access-control-abac-with-microsoft-entra-id-and-aws-iam-identity-center

    If you will need to configure a custom policy in Azure AD B2C to validate a custom claim, this is an example of what you can do with your XML:

    <ClaimsTransformation Id="AssertCustomClaimEqualsFoo" TransformationMethod="AssertStringClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="customClaim1" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="string" Value="foo" />
      </InputParameters>
    </ClaimsTransformation>
    

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.