
Allow Managed Identity to access to APIC portal #24

Closed
justinyoo opened this issue Feb 14, 2024 · 2 comments
Labels
Feature request New feature or request

Comments

@justinyoo

justinyoo commented Feb 14, 2024

What are you trying to achieve?

In this APIC video, we have to use a service principal to access the APIC portal.

image

However, APIC already has the Managed Identity feature. Can we use this managed identity to access the APIC portal, instead of creating a new service principal?

Proposed solution

  • Using Managed Identity, users can access the APIC portal.

Additional context

Managed Identity (MI) basically works like a Service Principal, which is the same as the app registered through App Registration. MI works slightly differently though.

To me, it gives the impression that the app registration process outside APIC blocks users from being more accessible, because they have to leave the APIC screen 👉 Go to Entra ID 👉 Do the app registration 👉 Do all the permissions stuff 👉 Come back to APIC to finalise.

I think the purpose of MI is to simplify these steps. Please correct me if I'm wrong about MI.

@justinyoo justinyoo added Feature request New feature or request Untriaged labels Feb 14, 2024
@kkgthb

kkgthb commented Mar 22, 2024

@justinyoo , I don't work for Microsoft, so I might be wrong, but I believe that the reason you need to create an Entra App Registration ("AppReg") is because:

Any website that gives humans an opportunity to click a "sign in" button and then sign into that website as their human Entra identity...
...needs to be able to tell those humans what website it is that's asking for them to click a "yes, go ahead and log in as my Entra identity; I trust this website to know who I am" prompt.

The "What website I am" information is something that can only be stored on an AppReg, not on the Entra/Azure System-Assigned Managed Identity ("SMI") that you can flip on for a given Azure APIC resource.

So, while things like your APIC resource's SMI's associated Entra Service Principal can do things like serve as the principal for an Azure RBAC Role Assignment (e.g. so that your APIM resource can let your APIC resource in as a reader of what all is sitting around in APIM)...

...I believe that saying "Hi, I'm website X -- are you sure you want to log into me as your Entra human identity?" isn't something that can be done through an Entra Service Principal at all.

Therefore, it's not actually the Entra Service Principal associated with an AppReg that you're interested in when you create the AppReg, in this case. Which is why a SMI isn't an alternative to an AppReg.

Instead, I believe what you're creating the AppReg for is its ability to say, "Hi, I'm website X!"

(In this case, "X" being your developer portal.)
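The distinction drawn in the reply above, shown as an added illustration that is not part of kkgthb's comment or of the APIC project's code: an interactive sign-in begins with a browser request to the Entra authorize endpoint that names a registered client (client_id) and a registered redirect_uri, and the consent prompt shows that registration's display name; a system-assigned managed identity instead fetches a token for itself from the Azure Instance Metadata Service with no user, no redirect URI and no prompt. The tenant ID, client ID, display name and portal URL below are constructed placeholders, and the "registration" is a plain dict standing in for what Entra stores on the AppReg.

```python
"""Why an interactive portal sign-in needs an App Registration, not just an MI.

Constructed example: the dict below models the properties an Entra App
Registration carries that a system-assigned managed identity (SMI) does not.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; none of these belong to a real tenant or app.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
PORTAL_REDIRECT_URI = "https://apic-portal.example.com/signin-oidc"

# What only an App Registration stores: the identity shown to the human on the
# consent prompt and the redirect URIs Entra will deliver an auth code to.
# An SMI has a service principal and can hold RBAC role assignments, but has
# neither of these.
APP_REGISTRATION = {
    "client_id": "11111111-1111-1111-1111-111111111111",
    "display_name": "Example API Center portal",   # shown on the consent prompt
    "redirect_uris": [PORTAL_REDIRECT_URI],
}


def pkce_pair() -> tuple[str, str]:
    """Return a (code_verifier, code_challenge) pair per RFC 7636, method S256."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the auth code is redeemed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge


def build_authorize_url(tenant_id: str, app: dict, redirect_uri: str,
                        state: str, code_challenge: str) -> str:
    """Build the authorization-code request a browser-based portal sends.

    Entra only issues a code to a redirect_uri registered on the app, so the
    same check is applied here before the URL is built.
    """
    if redirect_uri not in app["redirect_uris"]:
        raise ValueError("redirect_uri is not registered on the app registration")
    params = {
        "client_id": app["client_id"],          # "who is asking" = the AppReg
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,                         # CSRF binding for the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
            f"?{urlencode(params)}")


def authorize_params(url: str) -> dict:
    """Parse the query string of an authorize URL back into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def managed_identity_token_request(resource: str) -> dict:
    """Describe (not send) the IMDS request an Azure resource's SMI uses to get
    a token for itself. Note what is absent: no user, no redirect_uri, no consent.
    """
    return {
        "method": "GET",
        "url": "http://169.254.169.254/metadata/identity/oauth2/token",
        "headers": {"Metadata": "true"},
        "params": {"api-version": "2018-02-01", "resource": resource},
    }


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    url = build_authorize_url(TENANT_ID, APP_REGISTRATION, PORTAL_REDIRECT_URI,
                              secrets.token_urlsafe(16), challenge)
    print("Interactive sign-in starts at:", url)
    print("Consent prompt names:", APP_REGISTRATION["display_name"])
    print("SMI token request:", managed_identity_token_request("https://management.azure.com/"))
```

The two code paths never overlap: the authorize URL is meaningless without a client_id and redirect_uri that exist on an App Registration, and the IMDS request has nowhere to put either, which is the reason flipping on the SMI does not remove the registration step for the portal.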

@pierceboggan
Collaborator

@kkgthb is spot on here! We still need to do an app registration for the reasons explained in that reply. I'll go ahead and close this - if there's any more confusion happy to chat at piboggan@microsoft.com. Thanks again for your bug report :)
