Profile Applicability:

  • Level 1

Description:
Azure services, such as Azure Cosmos DB, support authentication through Microsoft Entra ID (Azure Active Directory), which can integrate seamlessly with Azure RBAC for role-based access control. Entra ID client authentication eliminates the need for persistent client-side tokens and integrates well with Azure's centralized identity management.

Rationale:
Using Entra ID for client authentication provides enhanced security compared to token-based authentication by ensuring that authentication credentials are not stored on the client side. It also supports Multi-Factor Authentication (MFA) and centralized management of identities, which streamlines user access and improves security across the environment.

Impact:

  • Pros:

    • Provides centralized identity management for secure authentication.

    • Reduces the risk associated with storing credentials locally.

    • Supports MFA for higher security.

    • Integrates with Azure RBAC for fine-grained access control.

  • Cons:

    • Some resources may require migration or configuration adjustments to use Entra ID authentication.

    • Administrative overhead for managing Azure RBAC and Entra ID roles.

Default Value:

  • By default, Azure services like Cosmos DB use token-based authentication, not Entra ID.

Pre-requisites:

  • Ensure that Entra ID is set up and integrated within your Azure environment.

  • Configure Azure RBAC roles for resource access management.

Remediation:

Test Plan:

Using Azure Portal:

  1. Navigate to Azure Cosmos DB or the relevant service.

  2. Under Settings, click on Microsoft Entra admin.

  3. Ensure that an Admin Name is set under the Microsoft Entra admin section.

Using Azure CLI:

  1. Run the following command to list the Microsoft Entra administrators configured on the SQL server:

az sql server ad-admin list --resource-group <resource-group> --server <server>

  2. Verify that the DisplayName field is set to the Entra ID account.
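As an added example, not part of the benchmark text, the following Python helper applies the Test Plan's CLI check across a list of servers and returns a pass/fail finding per server. It assumes that `az sql server ad-admin list -o json` returns an empty array when no Entra ID admin is set and that the admin's name appears under `displayName` or `login`; the server names, resource group and `fake_runner` are constructed for offline use.

```python
import json
import subprocess
from typing import Any, Callable, Dict, List

# Assumption: `az sql server ad-admin list -o json` returns an array that is empty when
# no Entra ID admin is set. The page checks a "DisplayName" field; newer CLI versions
# expose the name as "login", so both spellings are accepted here.
NAME_KEYS = ("displayName", "DisplayName", "login")

def evaluate_admin_list(admins: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Apply the Test Plan check to the ad-admin list output of one server."""
    for admin in admins:
        name = next((admin[k] for k in NAME_KEYS if admin.get(k)), None)
        if name and admin.get("administratorType", "ActiveDirectory") == "ActiveDirectory":
            return {"compliant": True, "admin": name, "sid": admin.get("sid")}
    return {"compliant": False, "admin": None, "sid": None}

def run_az(cmd: List[str]) -> str:
    """Run an az CLI command and return stdout (needs a logged-in az session)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def audit_servers(servers: List[Dict[str, str]],
                  runner: Callable[[List[str]], str] = run_az) -> List[Dict[str, Any]]:
    """One finding per server; `runner` is injectable so the logic can be tested offline."""
    findings = []
    for s in servers:
        cmd = ["az", "sql", "server", "ad-admin", "list", "--resource-group",
               s["resourceGroup"], "--server", s["name"], "-o", "json"]
        result = evaluate_admin_list(json.loads(runner(cmd)))
        findings.append({"server": s["name"], "resourceGroup": s["resourceGroup"], **result})
    return findings

# Constructed sample output keyed by server name, not captured from a real tenant.
SAMPLE_OUTPUT = {
    "sql-prod-01": json.dumps([{"administratorType": "ActiveDirectory",
                                "login": "sql-admins@example.com",
                                "sid": "00000000-0000-0000-0000-000000000001"}]),
    "sql-dev-02": "[]",  # no Entra ID admin configured: fails the check
}

def fake_runner(cmd: List[str]) -> str:
    """Stand-in for run_az that serves the constructed sample instead of calling az."""
    return SAMPLE_OUTPUT[cmd[cmd.index("--server") + 1]]

if __name__ == "__main__":
    servers = [{"resourceGroup": "rg-data", "name": "sql-prod-01"},
               {"resourceGroup": "rg-data", "name": "sql-dev-02"}]
    for f in audit_servers(servers, runner=fake_runner):
        print(f"{f['server']}: {'PASS' if f['compliant'] else 'FAIL'} admin={f['admin']}")
```

Against a real subscription, call `audit_servers` with the default `runner` and the output of `az sql server list`; a server whose finding has `compliant` set to False is the one to remediate with the Implementation Plan below.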

Implementation Plan:

Using Azure Portal:

  1. Go to Azure Cosmos DB or the relevant service.

  2. Under Settings, click on Microsoft Entra admin.

  3. Click Set admin, choose an admin from Entra ID, and click Save.

Using Azure CLI:

  1. Run the following command to set an Entra ID admin for the SQL Server:

az sql server ad-admin create --resource-group <resource-group-name> --server <server-name> --display-name <display-name> --object-id <object-id>

Backout Plan:

Using Azure Portal:

  1. Go to Azure Cosmos DB or the relevant service.

  2. Under Microsoft Entra admin, remove the configured admin.

Using Azure CLI:

  1. To remove the Entra ID admin, run the following:

az sql server ad-admin delete --resource-group <resource-group-name> --server <server-name>

References: