Secure service connection to IoT Hub using Azure AD and RBAC

Published 05-10-2021 11:07 AM
Microsoft

IoT Hub support for Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) is now generally available for service APIs. This means you can secure your service connections to IoT Hub with much more flexibility and granularity than before.

 

Existing shared access policy users, including users with Owner and Contributor roles on an IoT hub, are not affected. For better security and ease of use, we encourage everyone to switch to using Azure AD whenever possible.

 

Granular access control to service APIs

 

For example, suppose you have a service that needs read access to device identities and device twins. Previously, you had to give this service access to your IoT hub by using a shared access policy that includes both the registryRead and the serviceConnect permissions. This works fine, but your service now also has permission to send direct methods and update twin desired properties (as part of serviceConnect). If the credentials are compromised, an attacker can use these unnecessary additional privileges to mess with your devices.


 

For additional security, the industry best practice is to follow the principle of least privilege. With Azure AD and RBAC support, you can grant granular permissions to achieve this. If you want your service to be able to read twins, and nothing else, assign its service principal or managed identity a role with the Microsoft.Devices/IotHubs/twin/read permission. And that’s it! This service cannot update twins or send direct methods. You’ve achieved least privilege.
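To check a role against this goal before assigning it, the sketch below (an added example, not code from this post or from the IoT Hub documentation) evaluates a role definition's DataActions and NotDataActions with Azure RBAC wildcard matching and lists anything granted beyond what the service needs. The twin read string is the one written above; the two other operation names and all three role definitions are assumptions constructed for the example.

```python
import re

# Data-plane operations. TWIN_READ is the permission string as written in the
# post; the other two names are assumptions made for this example. Take the
# exact strings from the IoT Hub documentation before using them in a role.
TWIN_READ = "Microsoft.Devices/IotHubs/twin/read"
TWIN_WRITE = "Microsoft.Devices/IotHubs/twin/write"
INVOKE_METHOD = "Microsoft.Devices/IotHubs/directMethods/invoke/action"
CATALOGUE = [TWIN_READ, TWIN_WRITE, INVOKE_METHOD]


def _matches(pattern, operation):
    """Azure RBAC patterns: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def granted(role, catalogue=CATALOGUE):
    """Operations a role definition allows: DataActions minus NotDataActions."""
    allowed = role.get("DataActions", [])
    # NotDataActions only subtracts from this role; it is not a deny rule,
    # so another role assigned to the same identity can still grant the operation.
    excluded = role.get("NotDataActions", [])
    return [op for op in catalogue
            if any(_matches(p, op) for p in allowed)
            and not any(_matches(p, op) for p in excluded)]


def excess(role, needed, catalogue=CATALOGUE):
    """Operations the role grants that the service does not need."""
    wanted = {n.lower() for n in needed}
    return [op for op in granted(role, catalogue) if op.lower() not in wanted]


# Constructed role definitions (only the fields this check reads).
BROAD_ROLE = {"Name": "hub-data-all (constructed)",
              "DataActions": ["Microsoft.Devices/IotHubs/*"]}
TWIN_READER = {"Name": "twin-reader (constructed)",
               "DataActions": [TWIN_READ]}
TWIN_NO_WRITE = {"Name": "twin-no-write (constructed)",
                 "DataActions": ["Microsoft.Devices/IotHubs/twin/*"],
                 "NotDataActions": [TWIN_WRITE]}

if __name__ == "__main__":
    for role in (BROAD_ROLE, TWIN_READER, TWIN_NO_WRITE):
        print(role["Name"], "excess:", excess(role, [TWIN_READ]))
```

Run the same check over every role assigned to the identity, since permissions from multiple role assignments add up.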

 

Getting started

 

To get started, grant your users, groups, service principals or managed identities roles with the new permission. The built-in roles, permissions, and links to samples are published on our documentation page Control access to IoT Hub with Azure AD.

2 Comments
Senior Member

This link is broken.  Control access to IoT Hub with Azure AD.

Microsoft

Hi @element824 good catch, and thanks for letting us know. Link is now fixed

 

Last update: May 11 2021 07:55 AM