Forum Discussion
Power Management of Client Machines VM: Credential Handling and Solutions
We handle the power on/off operations of client machines as needed. To perform these tasks, we collect AD-APP credentials from clients, as the AD-APP has the necessary permissions to manage the VMs.
Problem:
- We need to gather and securely store AD-APP details from multiple clients.
- Managing these credentials for each VM individually is becoming a significant overhead.
Looking for a Solution:
- Can we solve this problem with a multi-tenant AD-APP, where we use a single multi-tenant app and request clients to grant access to their VMs?
Considerations:
- Clients will have different accounts with no relation to our subscription.
Questions:
- If a multi-tenant AD-APP is a viable solution, what configurations are required on our side and the client's side? Please share in detail.
- If it's not possible, is there an alternative way to achieve this?
- Matthias-Braun, Brass Contributor
Hi saikat100,
Handling power management for client machines using a multi-tenant AD-APP can indeed simplify credential management and reduce overhead. Here’s a detailed breakdown of how to achieve this and alternative solutions if it’s not viable.
Multi-Tenant AD-APP Solution
1. Creating a Multi-Tenant Application
1.1 Register the Application:
- In your Azure AD, register a new application.
- Set it to be multi-tenant during registration.
1.2 Configure API Permissions:
- Add the necessary API permissions for managing VMs. Typically, this would include permissions like `VirtualMachineContributor` or custom roles tailored to the specific actions needed (e.g., power on/off).
1.3 Certificate/Secret Management:
- Generate a client secret or certificate for the app to authenticate.
2. Client-Side Configuration
2.1 Granting Access:
- Clients will need to consent to your multi-tenant app, granting it the required permissions. This can be done by sending them a consent URL generated from your app registration page.
- Example URL: `https://login.microsoftonline.com/common/oauth2/authorize?client_id=<YOUR_APP_CLIENT_ID>&response_type=code&redirect_uri=<YOUR_REDIRECT_URI>&response_mode=query&scope=<REQUIRED_SCOPES>&state=12345`
2.2 Permissions and Roles:
- Clients need to assign the app the appropriate roles (e.g., `VirtualMachineContributor`) on their VMs or resource groups.
3. Operations and Security
3.1 Token Handling:
- Use OAuth2 to get tokens for accessing client resources. Store these tokens securely, ensuring they are refreshed as needed.
3.2 Secure Storage:
- Store credentials, secrets, and tokens securely using services like Azure Key Vault.
Configuration Requirements
3.3 Your Side:
- Proper app registration in Azure AD as multi-tenant.
- Securely handle client secrets/tokens.
- Ensure your app has the necessary API permissions configured.
3.4 Client Side:
- Consent to your multi-tenant app.
- Assign the necessary roles to your app.
- Ensure they follow their security policies for third-party application access.
3.5 Alternative Solutions
If using a multi-tenant AD-APP is not feasible, consider these alternatives:
3.5.1 Individual Service Principals:
- Create a service principal in each client’s Azure AD.
- Clients assign roles/permissions to this service principal.
- Handle each service principal's credentials individually but securely, using tools like Azure Key Vault for management.
3.5.2 Managed Identity:
- Utilize Azure Managed Identity if your infrastructure supports it.
- This reduces the need to handle credentials manually and can simplify permissions management.
- This is typically more suitable for Azure-native environments.
3.5.3 Centralized Credential Store:
- Use a centralized, secure credential store (e.g., Azure Key Vault, HashiCorp Vault) where clients can store their credentials.
- Your system retrieves these credentials securely when needed.
- Implement robust access control and auditing mechanisms.
4. Implementation Steps for Multi-Tenant AD-APP
4.1 Register and Configure Multi-Tenant App:
- Go to Azure Portal > Azure AD > App Registrations > New Registration.
- Set "Supported account types" to "Accounts in any organizational directory (Any Azure AD directory - Multitenant)".
- Configure the required API permissions.
4.2 Client Consent and Role Assignment:
- Provide clients with the consent URL.
- Guide them to assign the necessary roles to your app (typically done via Azure Portal or PowerShell).
4.3 Secure Credential Handling:
- Store client secrets/tokens in Azure Key Vault.
- Implement token refresh logic.
Conclusion
Ensure all configurations are thoroughly tested and compliant with both your and your clients' security policies. If this approach is not viable, alternative methods like individual service principals or centralized credential stores can be used, albeit with potentially more overhead.
Further Reading and References
Detailed guidance on registering and configuring multi-tenant applications can be found in Microsoft's documentation on Single and Multi-Tenant Apps and Architecting Multitenant Solutions on Azure. For specifics on handling tokens and consent, refer to Set up sign-in for multitenant Microsoft Entra ID using custom policies.
If my information has helped you, I would appreciate a like.
Best regards
Matthias
- saikat100, Copper Contributor
Hi Matthias,
Thank you for the detailed explanation. I will try the steps and update you. Thank you again for your time.
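The per-client credential flow discussed in the thread, as an added example that is not code from either participant. It models the three pieces a multi-tenant power-management service needs: the tenant-wide admin consent link a client administrator opens (which creates the app's service principal in their tenant), the OAuth 2.0 client-credentials token request made against each client's own tenant endpoint, and the ARM start/deallocate/powerOff call authorized by the RBAC role the client assigned. It also spells out a custom role narrower than the built-in Virtual Machine Contributor, limited to the power actions. Assumptions: the `FakeTransport` class is a constructed stand-in for HTTP so the module runs offline, the Microsoft.Compute `api-version` value and the custom role name are illustrative, and the client secret would in practice be loaded from Key Vault rather than passed in as a string. The admin-consent endpoint and client-credentials grant are used here because the service runs unattended; the authorization-code URL in the reply is the interactive user sign-in flow.

```python
"""Per-tenant credential handling for a multi-tenant VM power-management app.

Added example (not from the original thread). Network access is replaced by an
injectable transport so the module runs offline; FakeTransport is constructed.
"""
import time
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Optional

LOGIN = "https://login.microsoftonline.com"
ARM = "https://management.azure.com"
ARM_SCOPE = "https://management.azure.com/.default"   # ARM resource scope, v2 endpoint
COMPUTE_API = "2023-03-01"                            # Microsoft.Compute api-version (assumption)

# Least-privilege alternative to the built-in Virtual Machine Contributor role: only
# the actions a power-management service needs. The client creates this role in
# their subscription and assigns it to the app's service principal.
VM_POWER_ROLE = {
    "Name": "VM Power Operator",                      # name is an assumption
    "IsCustom": True,
    "Description": "Read VM state and start/deallocate/power off VMs only.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<client-subscription-id>"],
}

# transport(method, url, form_body_or_None, headers) -> parsed JSON response
Transport = Callable[[str, str, Optional[dict], dict], dict]


def admin_consent_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Tenant-wide admin consent link for an unattended app. A client administrator
    opens it once; Entra ID then creates the app's service principal in their tenant."""
    query = urllib.parse.urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "scope": ARM_SCOPE, "state": state})
    return f"{LOGIN}/organizations/v2.0/adminconsent?{query}"


@dataclass
class TenantTokenCache:
    """One ARM access token per client tenant, refreshed before it expires.
    The token must be requested from the *client's* tenant endpoint: a token issued
    by our own tenant is not valid for resources in theirs."""
    client_id: str
    client_secret: str                      # production: fetched from Key Vault at runtime
    transport: Transport
    clock: Callable[[], float] = time.time  # injectable for testing expiry
    refresh_skew: int = 300                 # refresh when under 5 minutes remain
    _tokens: dict = field(default_factory=dict)   # tenant_id -> (token, expires_at)

    def token_for(self, tenant_id: str) -> str:
        now = self.clock()
        cached = self._tokens.get(tenant_id)
        if cached and cached[1] - now > self.refresh_skew:
            return cached[0]
        form = {"grant_type": "client_credentials", "client_id": self.client_id,
                "client_secret": self.client_secret, "scope": ARM_SCOPE}
        resp = self.transport("POST", f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", form, {})
        self._tokens[tenant_id] = (resp["access_token"], now + int(resp["expires_in"]))
        return resp["access_token"]


def power_request(action: str, subscription_id: str, resource_group: str, vm_name: str):
    """Build the ARM call for a VM power action; the RBAC action string must match."""
    if action not in ("start", "deallocate", "powerOff"):
        raise ValueError(f"unsupported power action: {action}")
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.Compute/virtualMachines/{vm_name}/{action}"
           f"?api-version={COMPUTE_API}")
    return "POST", url


def set_vm_power(cache: TenantTokenCache, tenant_id: str, subscription_id: str,
                 resource_group: str, vm_name: str, action: str) -> dict:
    """Acquire (or reuse) the client tenant's token and submit the power operation."""
    token = cache.token_for(tenant_id)
    method, url = power_request(action, subscription_id, resource_group, vm_name)
    return cache.transport(method, url, None, {"Authorization": f"Bearer {token}"})


class FakeTransport:
    """Constructed stand-in for HTTP: issues tenant-tagged tokens and accepts ARM calls."""
    def __init__(self):
        self.token_requests = []   # tenant ids tokens were fetched for, in order
        self.arm_calls = []        # (method, url, bearer token presented)

    def __call__(self, method, url, form, headers):
        if url.endswith("/oauth2/v2.0/token"):
            tenant = url[len(LOGIN) + 1:].split("/")[0]
            assert form["grant_type"] == "client_credentials" and form["scope"] == ARM_SCOPE
            self.token_requests.append(tenant)
            return {"access_token": f"tok-{tenant}-{len(self.token_requests)}",
                    "token_type": "Bearer", "expires_in": 3600}
        if url.startswith(ARM):
            self.arm_calls.append((method, url, headers["Authorization"].split(" ", 1)[1]))
            return {"status": 202}   # ARM answers power operations with 202 Accepted
        raise RuntimeError(f"unexpected url: {url}")


if __name__ == "__main__":
    transport = FakeTransport()
    cache = TenantTokenCache("<your-app-client-id>", "<secret-from-key-vault>", transport)
    print(admin_consent_url("<your-app-client-id>", "https://example.invalid/consent", "abc"))
    print(set_vm_power(cache, "<client-tenant-id>", "<client-sub>", "rg-prod", "vm01", "start"))
```

Two details matter for the threaded discussion: the cache is keyed by client tenant, since each client's VMs require a token from that client's tenant endpoint, and the secret itself is the only long-lived credential your side holds, so only it needs to live in Key Vault; the short-lived access tokens are cached in memory and refreshed inside the skew window.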