Tuesday, November 16, 2021

Secure your Azure Cognitive Search indexes and queries with Azure AD

Now in preview, Azure Cognitive Search is expanding support for role-based access control (RBAC) and Azure Active Directory (Azure AD) authentication to include data plane operations. With new and enhanced roles, you can control access to content and operations using Azure AD, which eliminates any dependency on key-based authentication.

This blog post highlights some of the core areas where this new functionality can help make your applications using Azure Cognitive Search more secure than ever before.

Authorize search requests using Azure AD

With Azure Active Directory (Azure AD), you can use role-based access control (RBAC) to grant access to your Azure Cognitive Search services. An important advantage of using Azure AD is that your credentials no longer need to be stored in your code. Leveraging Azure AD also allows for tighter integration with other Azure security features like managed identities. To learn more about the advantages of using Azure AD in your applications, see Integrating with Azure Active Directory.

Use new built-in roles or define custom roles

Using RBAC to authorize requests also gives you additional granularity on how much access you provide to a user or application. The existing key-based authentication model is coarse, granting either full admin access to the entire service, or query-only access to an index. The new RBAC model gives you the ability to precisely define the access a user or application needs.

There are three new built-in roles you can use for common scenarios:

Beyond that, you can also define custom roles that grant exactly the access you want an application to have.

Scope access to a single index or resource

You can also choose to give access to a single index or resource (e.g. indexer, skillset, data source) rather than giving access to the entire search service. This is particularly valuable for multi-tenant scenarios where you want to ensure that a single tenant only has access to a single index.

You can add a new role assignment in PowerShell with the following command:

New-AzRoleAssignment -ObjectId <objectId> `
    -RoleDefinitionName "Search Index Data Contributor" `
    -Scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Search/searchServices/<search-service>/indexes/<index-name>"
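As an added example (not from the original post), the following PowerShell makes the index-scoped assignment above and then checks that the same principal holds no other assignment that reaches the search service, either inherited from a parent scope or granted on another index. The placeholder values, the index name and the helper function are assumptions.

```powershell
# Added example, not Microsoft's code. Placeholder values: replace with your own.
$subscription  = "<subscription>"
$resourceGroup = "<resource-group>"
$searchService = "<search-service>"
$indexName     = "tenant-a-index"   # constructed example index for one tenant
$tenantAppId   = "<objectId>"       # object id of that tenant's service principal

$serviceScope = "/subscriptions/$subscription/resourceGroups/$resourceGroup" +
                "/providers/Microsoft.Search/searchServices/$searchService"
$indexScope   = "$serviceScope/indexes/$indexName"

# 1. Grant the built-in data-plane role at index scope only.
New-AzRoleAssignment -ObjectId $tenantAppId `
    -RoleDefinitionName "Search Index Data Contributor" `
    -Scope $indexScope | Out-Null

# Helper (assumed name): true when an assignment scope is an ancestor of the
# index scope (root "/", subscription, resource group, the service itself)
# or lies under the service but is not exactly the intended index.
function Test-ReachesBeyondIndex([string]$Scope) {
    if ($Scope -eq $indexScope) { return $false }
    if ($Scope -eq "/") { return $true }
    $ancestor = $indexScope.StartsWith($Scope.TrimEnd('/') + "/", 'OrdinalIgnoreCase')
    $sibling  = $Scope -like "$serviceScope/*"
    return ($ancestor -or $sibling)
}

# 2. Audit every assignment the principal holds in this subscription.
$broad = Get-AzRoleAssignment -ObjectId $tenantAppId |
    Where-Object { Test-ReachesBeyondIndex $_.Scope }

if ($broad) {
    Write-Warning "Principal $tenantAppId holds assignments broader than index '$indexName':"
    $broad | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
} else {
    Write-Output "OK: $tenantAppId is scoped to $indexScope only."
}
```

Run this after onboarding each tenant; any row in the warning table is an assignment that undoes the single-index isolation the scoped role was meant to provide.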

Get Started

You can get started today by joining the preview in the Azure Portal.


From there, you can set up Azure AD authentication by following the steps in Authorize search requests using Azure AD.

There's also additional information in Role-based authorization - Azure Cognitive Search.

Posted at https://sl.advdat.com/3Hrfib5