Score:1

Restrict using Azure Service Principal by Humans


We have some people who are using SPs manually (themselves) to run commands and deploy resources from CLI. We need to prevent that and allow only services to use SPs, not Humans. Is there any way to do so?

Score:5

If a user gets hold of the credentials for a service principal, then they will be able to log in with it; there's no way to stop that. The solution to your problem is to make it difficult for users to get the credentials.

One way to do this is to use certificates to log in as an SP, rather than a password. If you create the SP and only assign a certificate to it, then the user will need the private key to be able to log in. If you then make sure that this private key is only installed on your automation servers, and the users have no access to this, then they will have difficulty using this.

Alternatively, you can use a managed identity rather than service principals. Assign the MI to your automation machines, and ensure that users don't have access to those machines.
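The certificate-only setup described in this answer, as an added Azure CLI example (not the answerer's own script): the key pair is generated on the automation host, the SP is created with the certificate as its sole credential, any client secrets added later are removed, and a small audit helper counts what `az ad app credential list` returns. APP_ID, TENANT_ID and the PEM path are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original answer. APP_ID, TENANT_ID and the PEM
# path are placeholders you supply; nothing here is a real identifier.

# 1. Generate the key pair on the automation host only. The PEM ends up holding
#    the private key followed by the certificate, the layout `az login` reads.
make_sp_cert() {  # $1 = output PEM path
  openssl req -x509 -newkey rsa:4096 -nodes -days 365 -subj "/CN=automation-sp" \
    -keyout "$1" -out "$1.crt" 2>/dev/null &&
  cat "$1.crt" >>"$1" && rm -f "$1.crt" && chmod 600 "$1"
}

# 2. Create the SP with the certificate as its only credential. No client secret
#    is issued, so there is no password for a person to copy out of a pipeline.
create_cert_only_sp() {  # $1 = display name, $2 = PEM path from make_sp_cert
  az ad sp create-for-rbac --name "$1" --cert "@$2"
}

# 3. Remove any client secrets someone added afterwards, so the SP stays cert-only.
delete_password_creds() {  # $1 = APP_ID
  for key_id in $(az ad app credential list --id "$1" --query '[].keyId' -o tsv); do
    az ad app credential delete --id "$1" --key-id "$key_id"
  done
}

# 4. Audit helper: count password credentials in the JSON array printed by
#    `az ad app credential list --id APP_ID`. Zero is the hardened state.
count_password_creds() {  # reads the JSON array on stdin, prints the count
  grep -o '"keyId"' | wc -l | tr -d ' '
}

# 5. How the automation host signs in; it is the only place the PEM exists.
login_with_cert() {  # $1 = APP_ID, $2 = TENANT_ID, $3 = PEM path
  az login --service-principal --username "$1" --tenant "$2" --password "$3"
}
```

Run `az ad app credential list --id APP_ID | count_password_creds` periodically from your automation; anything other than 0 means a password credential has crept back onto the SP.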
