Azure app registration - understand the concept of access granted

Rameez Ali 61 Reputation points
2022-03-08T21:18:00.93+00:00

I have an app registration created with the following permissions:

  • Dataset.Read.All
  • Dataset.ReadWrite.All

The permission type is set to Delegated. I would like to understand if a user who doesn't have access to the dataset but he manages to get hold of the secret/certificate which is used by this app registration, can he perform read/write operations on the dataset?

The above scenario is only taken as an example. The actual scenario is that we have Azure DevOps on-prem which uses app registration to authenticate to Power Platform to deploy the packages. The secret is shared with the contractor and we would like to restrict him to deploy packages to only the Power Platform environment which he has been given access to.

181097-image.png

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,777 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 28,021 Reputation points Microsoft Employee
    2022-03-10T11:24:22.297+00:00

    Hi @Rameez Ali ,

    Thanks for reaching out and apologies for delay in response.

    I understand you are looking to restrict the user to access the resources which has been granted earlier and user still has credentials to access the application.

    1.This is basically depends on the configuration of the application. If your application has been protected and authorizing users to verify right scopes and roles for each action, then you can restrict the user by revoking permissions in new access token to not perform particular action.

    [Authorize]  
    public class TodoListController : Controller  
    {  
           /// The web API will accept only tokens for users that have the `access_as_user` scope for this API.  
        static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };  
    
        [HttpGet]  
        public IEnumerable<TodoItem> Get()  
        {  
             HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);  
           }  
    }  
    

    2.Another way to restrict the user completely to not grant access to the application in Azure AD by checking the "Assignment required" box in your Enterprise application, then users must be assigned to the application before being able to access it. But this will not work if user is allowed to perform another operations in the application.

    181942-assignmentrequired.png

    3.One more safest approach is to rotate the secret/certificate and create new secret for the application. In this if you have large number of users using the application, you need to share new secret among all.

    Hope this will help.

    Thanks,
    Shweta


    Please remember to "Accept Answer" if answer helped you.