1. Secure Multi-tenant Environments with Azure AD Pre-authorized Apps


    To secure a multi-tenant environment with Azure AD pre-authorized applications, you would typically start by setting up an Azure AD application. A multi-tenant application is one that is available to users beyond your own Azure AD tenant. Users from other tenants can sign in to your application or you might need to access resources in other tenants.

    In a multi-tenant architecture, the application is registered in one tenant but can be accessed by users from multiple tenants. When your application exposes an API (delegated permission scopes), it can pre-authorize specific client applications for specific scopes, so that users of those clients are not prompted to consent to them. In Azure AD this is a setting on the resource application's own API definition (the preAuthorizedApplications list in the application manifest), not a permission grant on the service principal. Because it removes the consent step for every user in every tenant that can reach the application, pre-authorize only client applications you control, and only for the scopes they actually need.

    Below is a Pulumi program written in Python that demonstrates how to create an Azure AD application, a corresponding service principal that represents the application in the directory, and then pre-authorizes an example client application using the azuread.ApplicationPreAuthorized resource.

    import pulumi
    import pulumi_azuread as azuread

    # Create an Azure AD application registration. sign_in_audience makes it
    # multi-tenant (users from any Azure AD tenant can sign in); the original
    # listing omitted this and would have created a single-tenant app.
    app = azuread.Application(
        "example-app",
        display_name="example-multitenant-app",
        sign_in_audience="AzureADMultipleOrgs",
        # Add other properties (redirect URIs, exposed API scopes, app roles) as needed
    )

    # Create the service principal that represents the application in this tenant
    sp = azuread.ServicePrincipal(
        "example-sp",
        application_id=app.application_id,
    )

    # Pre-authorize a client application for specific permission scopes exposed
    # by the application above. Replace the placeholders with real values:
    #  - authorized_app_id: the application (client) ID of the client being pre-authorized
    #  - permission_ids: GUIDs of OAuth2 permission scopes exposed by example-app itself
    # (argument names follow pulumi-azuread 5.x; check the provider docs for your version)
    pre_authorized_app = azuread.ApplicationPreAuthorized(
        "example-pre-authorized-app",
        application_object_id=app.object_id,
        authorized_app_id="example-authorized-app-id",
        permission_ids=["example-permission-id-1", "example-permission-id-2"],
    )

    pulumi.export("application_id", app.application_id)
    pulumi.export("service_principal_id", sp.id)

    This program is a starting point and may need to be adjusted based on the details of your environment and the specifics of the application you're working with.

    Now, let's break down the program:

    1. Azure AD Application: The program first defines an Azure AD application registration in your tenant. This is where you define the application's identity configuration: its sign-in audience (AzureADMultipleOrgs makes it multi-tenant), the permissions it requests from other APIs and, for a resource application, the delegated permission scopes it exposes to clients. Only scopes that this application exposes can be pre-authorized.

    2. Service Principal: Next, the program creates a service principal, which is the instance of the application in your tenant. The service principal is the object you assign roles and grant permissions to, and it is the identity the application uses in this tenant. For a multi-tenant application, Azure AD creates a separate service principal in each other tenant the first time one of its users signs in.

    3. Pre-Authorized Application: Finally, it creates a pre-authorized application entry using azuread.ApplicationPreAuthorized. Here we assume there is a separate client application, identified by its application (client) ID ('example-authorized-app-id'), that should be able to request some of your application's scopes without the user being prompted to consent. The 'permission-ids' are the IDs (GUIDs) of the OAuth2 permission scopes exposed by your application, not the IDs of Graph or other API permissions your application itself requests. Treat this list as a security boundary: a pre-authorized client ID can obtain tokens for those scopes on behalf of any user who signs in through it, so list only clients you own and only the scopes they need.
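    The rule that step 3 configures, as an added example that is not part of the original page and not Pulumi or Azure code: a small Python audit of an application manifest's api block, which is the structure that azuread.ApplicationPreAuthorized writes to (its permission_ids end up in a client's delegatedPermissionIds list). The manifest, client IDs and scope GUIDs below are constructed for illustration. audit_preauthorized flags pre-authorization entries that reference non-GUID, unknown or disabled scopes, or scopes whose consent type is Admin; consent_required shows, for a given client and a set of requested scopes, which scopes would still prompt the user.

```python
import json
import uuid

# Constructed sample manifest in the shape of an Azure AD application's "api"
# block. Every GUID here is made up for illustration.
SCOPE_READ = "aaaaaaaa-0000-4000-8000-000000000001"
SCOPE_WRITE_ALL = "aaaaaaaa-0000-4000-8000-000000000002"
SCOPE_DISABLED = "aaaaaaaa-0000-4000-8000-000000000003"
CLIENT_SPA = "22222222-0000-4000-8000-000000000000"   # hypothetical client app id
CLIENT_CLI = "33333333-0000-4000-8000-000000000000"   # hypothetical client app id

SAMPLE_MANIFEST = json.dumps({
    "appId": "11111111-0000-4000-8000-000000000000",
    "signInAudience": "AzureADMultipleOrgs",
    "api": {
        "oauth2PermissionScopes": [
            {"id": SCOPE_READ, "value": "Files.Read", "type": "User", "isEnabled": True},
            {"id": SCOPE_WRITE_ALL, "value": "Files.ReadWrite.All", "type": "Admin", "isEnabled": True},
            {"id": SCOPE_DISABLED, "value": "Legacy.Access", "type": "User", "isEnabled": False},
        ],
        "preAuthorizedApplications": [
            {"appId": CLIENT_SPA, "delegatedPermissionIds": [SCOPE_READ]},
            # Deliberately sloppy entry: admin scope, disabled scope and a bad id
            {"appId": CLIENT_CLI, "delegatedPermissionIds": [SCOPE_WRITE_ALL, SCOPE_DISABLED, "not-a-guid"]},
        ],
    },
})


def load_manifest(text):
    """Parse manifest JSON; index exposed scopes by id and pre-authorized ids by client."""
    api = json.loads(text).get("api", {})
    scopes = {s["id"]: s for s in api.get("oauth2PermissionScopes", [])}
    preauth = {p["appId"]: set(p.get("delegatedPermissionIds", []))
               for p in api.get("preAuthorizedApplications", [])}
    return {"scopes": scopes, "preauth": preauth}


def _is_guid(value):
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def audit_preauthorized(text):
    """Return (client_app_id, permission_id, finding) tuples for risky or broken entries."""
    m = load_manifest(text)
    findings = []
    for client, perm_ids in m["preauth"].items():
        for pid in sorted(perm_ids):
            if not _is_guid(pid):
                findings.append((client, pid, "permission id is not a GUID"))
                continue
            scope = m["scopes"].get(pid)
            if scope is None:
                findings.append((client, pid, "permission id does not match any exposed scope"))
                continue
            if not scope.get("isEnabled", False):
                findings.append((client, pid, f"scope {scope['value']} is disabled"))
            if scope.get("type") == "Admin":
                findings.append((client, pid, f"scope {scope['value']} requires admin consent"))
    return findings


def consent_required(text, client_app_id, requested_scope_values):
    """Map each requested scope value to True (user must consent) or False (client is
    pre-authorized for it). Unknown or disabled scopes are an error, not a silent grant."""
    m = load_manifest(text)
    by_value = {s["value"]: s for s in m["scopes"].values() if s.get("isEnabled", False)}
    granted = m["preauth"].get(client_app_id, set())
    result = {}
    for value in requested_scope_values:
        scope = by_value.get(value)
        if scope is None:
            raise ValueError(f"unknown or disabled scope: {value}")
        result[value] = scope["id"] not in granted
    return result


if __name__ == "__main__":
    for client, pid, finding in audit_preauthorized(SAMPLE_MANIFEST):
        print(f"{client} -> {pid}: {finding}")
    print(consent_required(SAMPLE_MANIFEST, CLIENT_SPA, ["Files.Read", "Files.ReadWrite.All"]))
```

    To run this against a real registration, feed it the output of az ad app show --id <app-id> (the api block has the same field names); any entry for a client ID you do not recognise, or for a scope broader than that client needs, is worth removing rather than explaining.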

    When you run this Pulumi program, the azuread provider uses your existing Azure CLI login by default, and that identity needs rights to create application registrations (for example the Application Administrator role). You can run it with the Pulumi CLI by initializing a project with pulumi new azure-python, adding pulumi-azuread to requirements.txt (the template does not include it), placing the code in __main__.py, and running pulumi up.

    Once the program is executed successfully, the output will include the application (client) ID and the service principal's object ID. These identifiers can be used to further configure or reference the application and service principal within Azure.

    Keep in mind this is a foundational step, and depending on your application's architecture, you may need additional configurations such as specifying a reply URL for web applications, setting API permissions, defining app roles for role-based access control, and more.

    Be sure to replace 'example-authorized-app-id' with the application (client) ID of the client you want to pre-authorize, and 'permission-ids' with the IDs of the scopes your application exposes. You can find these in the Azure portal (Expose an API on the application's registration) or with the Azure CLI, for example az ad app show --id <app-id> --query api.oauth2PermissionScopes, and you can review what is already pre-authorized with --query api.preAuthorizedApplications.