Stephan van Rooij

Software architect with a passion for home automation.

Federated credentials, wait what?


Workload identity federation, or “federated credentials” as they are called in the Azure Portal, is brand new in the Microsoft identity suite. As of writing it is still in preview.

What are they and how do they work? All of that is explained in the post below.

(Image: federated credentials in the Azure Portal)

Why would you need federated credentials?

Managing secrets is hard, as I explained several times on this blog, like here. If you can get someone else to manage the credentials for you, you should go for that option and let the other party worry about the credentials.

What are these federated credentials?

Microsoft wrote a great description of Workload identity federation, but in my own words: it’s trusting some pre-configured (external) identity provider to request tokens for an application in Azure AD, using the token from the external IdP instead of a client assertion. So instead of signing the token request with a certificate, you configure Azure AD to trust external tokens as if they were client assertions.

How do federated credentials actually work?

The sequence diagram below (Mermaid source) shows the exchange:

sequenceDiagram
    participant c as Client application
    participant aad as Azure AD
    participant idp as External Identity Provider
    participant r as Resource protected by Azure AD
    c->>idp: Give me a token for resource x
    idp->>c: Access token for x
    note right of c: External token
    c->>aad: Give me a token for resource y
    aad-->>aad: Issuer configured?
    aad->>idp: Download IDP metadata (OpenID Connect)
    idp->>aad: External metadata
    aad->>aad: Validate signature
    aad->>aad: Subject and audience matching app registration?
    note right of c: Azure AD token
    aad->>c: Issue access token
    c->>r: Here is the access token from Azure AD
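Both halves of the exchange in the diagram above, as an added example that is not code from the original post or from Microsoft. The issuer, signing key, subject and tokens are constructed; the audience string is the value Microsoft documents for this flow. Real Azure AD fetches the IdP's OpenID Connect metadata and JWKS and verifies an asymmetric RS256 signature; here an HMAC-SHA256 key looked up by `kid` stands in for that so the script runs offline with only the standard library. The client-side request shape is the RFC 7523 client-assertion form the post alludes to, with the external token in the `client_assertion` field where a certificate-signed JWT would otherwise go.

```python
"""Federated-credential exchange: toy IdP, Azure AD-style validation, client request.

Constructed, offline example. HMAC-SHA256 replaces the RS256 signature check
Azure AD really performs; issuer, key, subject and tokens below are made up.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# ---- constructed fixtures (not real tenants, keys or tokens) ----------------
IDP_ISSUER = "https://idp.example.test"
# Stand-in for the metadata/JWKS Azure AD would download from the issuer: kid -> key.
IDP_METADATA = {IDP_ISSUER: {"key-1": b"toy-shared-key"}}
# One federated credential as configured on the app registration. The audience
# is the value Microsoft documents for this flow; the subject is constructed.
FEDERATED_CREDENTIALS = [
    {"issuer": IDP_ISSUER,
     "subject": "pipeline:example-app:main",
     "audience": "api://AzureADTokenExchange"},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_external_token(claims: dict, kid: str, key: bytes) -> str:
    """Toy external IdP: header.payload.signature, HMAC-SHA256 in place of RS256."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_external_token(token: str, now: Optional[float] = None) -> dict:
    """Azure AD side of the diagram. Returns the accepted claims, or raises
    ValueError naming the first check that failed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))

    # 1. "Issuer configured?" Only issuers on the app registration are trusted.
    issuer = claims.get("iss")
    candidates = [fc for fc in FEDERATED_CREDENTIALS if fc["issuer"] == issuer]
    if not candidates:
        raise ValueError("issuer not configured")

    # 2. "Download IDP metadata" + "Validate signature": key chosen by kid.
    key = IDP_METADATA.get(issuer, {}).get(header.get("kid"))
    if key is None:
        raise ValueError("unknown signing key")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")

    # 3. A stale token must not be exchanged, even if otherwise valid.
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")

    # 4. "Subject and audience matching app registration?" Exact match only.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    for fc in candidates:
        if fc["subject"] == claims.get("sub") and fc["audience"] in audiences:
            return claims
    raise ValueError("subject/audience do not match any federated credential")


def build_token_request(external_token: str, client_id: str, scope: str) -> dict:
    """Client side: form fields for the Azure AD token endpoint. The external
    token travels in client_assertion, where a certificate-signed JWT would go
    in the ordinary client-credentials flow (RFC 7523 assertion form)."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": external_token,
    }


if __name__ == "__main__":
    key = IDP_METADATA[IDP_ISSUER]["key-1"]
    claims = {"iss": IDP_ISSUER, "sub": "pipeline:example-app:main",
              "aud": "api://AzureADTokenExchange", "exp": int(time.time()) + 300}
    good = mint_external_token(claims, "key-1", key)
    print("accepted:", validate_external_token(good)["sub"])
    print("request:", build_token_request(good, "<app-client-id>", "https://graph.microsoft.com/.default"))
    try:  # a token for a different subject is signed correctly but still rejected
        validate_external_token(mint_external_token(dict(claims, sub="pipeline:other-app:main"), "key-1", key))
    except ValueError as err:
        print("rejected:", err)
```

The point the post makes is visible in `build_token_request`: the client holds no certificate or secret at all, only a short-lived token from the external IdP, and every trust decision happens in `validate_external_token`, which is why a correctly signed token for the wrong subject or audience is still refused.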

I like federated credentials

I really like the idea of federated credentials. This is a great example of how important security management is. Using federated credentials allows you to secure stuff without knowing the secret. If you don’t have or manage a secret, it can never be extracted, because there is nothing to extract.

Mind you that as of today (May 20th 2022) this is still in preview, which means that you can try it out, but should not use it in any production workloads.

Protect against certificate extraction - Client credentials


You have this multi-tenant application that is protected with Azure AD, great! How about the certificate you’re using as a client credential? If you followed the Microsoft samples it’s probably stored in Azure Key Vault. This seems really secure, but there is one thing no one thought about: certificate extraction.


Extract all Azure AD admin accounts


PowerShell is pretty powerful for all kinds of administrative tasks, especially if you load some extra modules. We use the AzureAD module for a lot of tasks that can be (semi-)automated with a script. In this post I described how to extract all users from Azure AD as a regular user, and what you should do about it.

Extracting users isn’t the only thing you can do with Azure AD PowerShell, and this page shows how to export all Azure AD global admins (which can be executed by ANY user in your tenant unless you take action against that).
