Entra & Azure Power-Up: Secure Service Principal Impersonation with Simon Gottschlag

In this episode, Simon Gottschlag, CTO of Co-native and a Microsoft MVP in Azure, discusses his innovative prototype for implementing Azure service principal impersonation using Azure Functions and Key Vault.We explore the challenges of managing service principals, the journey to building a solution, and the potential for improving developer experience in platform building. Simon shares insights on the four-eyes principle, Entra ID's newer attribute-based access control (ABAC) vs the traditional RBAC model, and how his solution can enhance security and auditability in Azure environments.LinkedIn - https://www.linkedin.com/in/simongottschlag🔗 Related Links* Azure Service Principal Impersonation - https://github.com/co-native-ab/azure-service-principal-impersonation* pimctl - https://github.com/co-native-ab/pimctl📗 Chapters00:00 Intro00:42 Meet Simon: CTO & Azure MVP01:51 The Project: Azure Service Principal Impersonation02:11 The Problem: Challenges in Managing Service Principals03:47 Journey to the Solution: Building Platforms & Terraform Pain Points06:50 The Challenge with Graph Permissions & Least Privilege08:27 Improving Developer Experience in Platform Building11:05 The Core Issue: Running Operations Locally vs. Service Principals13:43 The Idea: Service Principal Impersonation13:50 Four-Eyes Principle and PIM in Azure15:40 Understanding Attribute-Based Access Control (ABAC)18:58 Enforcing Role Delegation with ABAC and PIM20:12 Clarifying Service Principal Access with PIM and Four-Eyes21:26 The Local Development Dilemma with Security Principles22:02 PIM CTL: A CLI Tool for PIM22:42 New Challenge: Azure Managed Grafana & Terraform Authentication23:36 AC Identity Terraform Provider: Getting Tokens from Entra24:42 The Big Question: Securely Getting Service Principal Tokens Locally25:21 What is Impersonation in This Context?26:27 Building the Solution: Federated Credentials & Custom Token Exchange28:42 How the Azure Function Works: Authentication & Token Issuance29:26 The Result: Consistent Workflow & Auditability31:05 Open Source: How to Set Up and Try the Prototype33:31 Use Cases: DevOps Automation & Time-Limited Access35:15 Potential: Multi-Cloud Deployments & Extending EntraPodcast Apps🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

There are no comments yet.

Please log in to write the first comment.