We are excited to announce that role-based access control (RBAC) and Azure Active Directory (Azure AD) authentication for Azure Cognitive Search data plane operations are now generally available. These features let developers secure their search indexes and queries with RBAC, controlling access to data plane operations such as creating, loading, and querying indexes. This eliminates the need for key-based authentication, making the process more secure.
Importance of securing Cognitive Search indexes and queries with Azure RBAC
- Azure role-based access control (RBAC) offers a secure approach to managing access to indexes and queries. Developers can define which actions a user may perform on them, limiting access to only those who need it and reducing the risk of unauthorized access. In contrast, with key-based authentication developers can only grant full admin access to the entire service or query-only access to an index, with no way to prevent a key from being misused or abused.
- With Azure AD, credentials don’t need to be stored in code, and integration with other Azure security features such as managed identities improves. For more information on the benefits of incorporating Azure AD into applications, refer to the article Integrating with Azure Active Directory.
- Access can be granted to a single index or to another Cognitive Search resource (indexer, skillset, data source, etc.) rather than to the entire search service. This is especially useful in multi-tenant scenarios.
Use built-in roles or define custom roles
Both built-in roles and custom roles can be used to support common data plane scenarios. There are three built-in roles:
- Search Service Contributor – provides full access to all data plane actions on indexes, synonym maps, indexers, data sources, and skillsets, as defined by Microsoft.Search/searchServices/*, but without the ability to view or access object data
- Search Index Data Contributor – provides read/write access to search indexes
- Search Index Data Reader – provides read-only access to search indexes
Where the built-in roles do not fit, developers can define custom roles for administrators or applications.
Ready to get started?
Get started today by configuring role-based access control for data plane operations in the Azure portal. Under “API access control”, select the “Both” option for flexibility or if existing applications still need to be migrated.
Follow the additional instructions in the official documentation to assign the respective roles, test them, and learn more.
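Putting the built-in roles and the portal setting above together, here is an added example (not code from the original post or from the Azure documentation) of the same configuration done with the Azure CLI: the subscription, resource group, service, index and principal IDs are placeholders, and the flag names are the az CLI's as I know them, so confirm them with `az search service update --help` and `az role assignment create --help` before use.

```shell
# Added example (not from the original post): turn on Azure AD + RBAC for a
# search service and grant a data plane role scoped to a single index via the
# Azure CLI. Every name below is a placeholder; replace with your own values.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-search-demo}"
SEARCH_SERVICE="${SEARCH_SERVICE:-search-demo}"
INDEX_NAME="${INDEX_NAME:-hotels-index}"
# Object ID of the app's managed identity or service principal (placeholder).
APP_PRINCIPAL_ID="${APP_PRINCIPAL_ID:-11111111-1111-1111-1111-111111111111}"

# ARM resource ID of the whole search service (scope for service-wide roles).
service_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Search/searchServices/%s' \
    "$1" "$2" "$3"
}

# ARM resource ID of one index: the narrowest data plane scope, so a role
# assigned here grants nothing on the other indexes in the same service.
index_scope() {
  printf '%s/indexes/%s' "$(service_scope "$1" "$2" "$3")" "$4"
}

# Step 1: set "API access control" to "Both" (keys and Azure AD), the option the
# post recommends; failed Azure AD auth then returns 401 with a bearer challenge.
enable_rbac_with_keys() {
  az search service update --name "$SEARCH_SERVICE" --resource-group "$RESOURCE_GROUP" \
    --auth-options aadOrApiKey --aad-auth-failure-mode http401WithBearerChallenge
}

# Step 2: give the app read-only query access to one index, instead of a query
# key that would work against every index on the service.
grant_index_reader() {
  az role assignment create --role "Search Index Data Reader" \
    --assignee-object-id "$APP_PRINCIPAL_ID" --assignee-principal-type ServicePrincipal \
    --scope "$(index_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$SEARCH_SERVICE" "$INDEX_NAME")"
}

# Step 3: review assignments at the index scope to spot over-broad grants.
list_index_assignments() {
  az role assignment list --output table \
    --scope "$(index_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$SEARCH_SERVICE" "$INDEX_NAME")"
}

# Only run the az commands when invoked with "apply"; sourcing for the helpers is harmless.
if [ "${1:-}" = "apply" ]; then
  enable_rbac_with_keys && grant_index_reader && list_index_assignments
fi
```

Run it as `sh script.sh apply` after `az login`; the same index-scoped pattern works for Search Index Data Contributor when an application also needs to write documents.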