Now in preview, Azure Cognitive Search is expanding support for role-based access control (RBAC) and Azure Active Directory (Azure AD) authentication to include data plane operations. With new and enhanced roles, you can control access to content and operations using Azure AD which eliminates any dependency on key-based authentication.
This blog post highlights some of the core areas where this new functionality can help make your applications using Azure Cognitive Search more secure than ever before.
Authorize search requests using Azure AD
With Azure Active Directory (Azure AD), you can use role-based access control (RBAC) to grant access to your Azure Cognitive Search services. An important advantage of using Azure AD is that your credentials no longer need to be stored in your code: the caller presents a short-lived token instead of a long-lived admin or query key. Using Azure AD also allows for tighter integration with other Azure security features like managed identities. To learn more about the advantages of using Azure AD in your applications, see Integrating with Azure Active Directory.
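As an added example (not code from the original post), here is what a token-based query looks like from PowerShell once RBAC is enabled on the service. It assumes the Az.Accounts module, a signed-in session (Connect-AzAccount), and that the signed-in identity already holds Search Index Data Reader on the target index; the service name, index name and the preview API version string are placeholders and assumptions.

```powershell
# Added example, not from the original post. Query an index with an Azure AD
# bearer token instead of an api-key header.
$service = "<search-service>"   # placeholder
$index   = "<index-name>"       # placeholder

# Request a token for the Azure Cognitive Search resource. The audience is the
# fixed value https://search.azure.com, not the URL of your own service.
$token = (Get-AzAccessToken -ResourceUrl "https://search.azure.com").Token

# API version is an assumption; use the version named in the preview docs.
$uri = "https://$service.search.windows.net/indexes/$index/docs/search?api-version=2021-04-30-Preview"
$headers = @{
    # Authorization replaces the api-key header entirely; do not send both.
    Authorization  = "Bearer $token"
    "Content-Type" = "application/json"
}
$body = @{ search = "*"; top = 3 } | ConvertTo-Json

try {
    $result = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
    $result.value | Format-Table
}
catch {
    # 401: token rejected (wrong audience, expired, or RBAC not enabled on the
    # service). 403: token is valid but this identity has no data plane role
    # on this index. Both are worth distinguishing when debugging a rollout.
    Write-Error "Search request failed: $($_.Exception.Response.StatusCode) $($_.ErrorDetails.Message)"
}
```

Nothing in this script is a secret: the token is minted at run time from the session's identity, so there is no key to rotate or to leak through source control.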
Use new built-in roles or define custom roles
Using RBAC to authorize requests also gives you additional granularity on how much access you provide to a user or application. The existing key-based authentication model is coarse: an admin key grants full access to the entire service, and a query key grants read-only query access to every index on the service. The new RBAC model gives you the ability to precisely define the access a user or application needs.
There are three new built-in roles you can use for common scenarios:
- Search Service Contributor – provides access to manage the search service's objects (indexes, indexers, data sources, skillsets, etc.), but not the documents inside the indexes
- Search Index Data Contributor – provides read/write access to search indexes
- Search Index Data Reader – provides read-only access to search indexes
Beyond that, you can also define custom roles that grant exactly the access you want an application to have.
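As an added example (not from the original post), the script below defines a custom role for an ingestion job that may add or update documents but may not delete them, and that can only be assigned within one search service. It assumes the Az.Resources module and that Microsoft.Search exposes separate read, write and delete document data actions; the first command lists the provider's real operation names so you can confirm that before creating the role.

```powershell
# Added example, not from the original post. Custom role: upload/merge documents
# only, no delete, assignable only inside a single search service.

# List the real data actions first; the strings used below are assumptions.
Get-AzProviderOperation "Microsoft.Search/searchServices/indexes/*" |
    Select-Object Operation, IsDataAction

# Placeholders for your own subscription, resource group and service.
$serviceScope = "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Search/searchServices/<search-service>"

# Clone the built-in role so the control plane Actions match exactly, then narrow it.
$role = Get-AzRoleDefinition -Name "Search Index Data Contributor"
$role.Id = $null                   # null Id tells New-AzRoleDefinition to create a new role
$role.IsCustom = $true
$role.Name = "Search Index Document Writer (no delete)"
$role.Description = "Upload and merge documents; cannot delete documents or manage the service"
$role.DataActions = @(
    "Microsoft.Search/searchServices/indexes/documents/*"      # assumption: wildcard data action
)
$role.NotDataActions = @(
    "Microsoft.Search/searchServices/indexes/documents/delete" # assumption: delete is a distinct action
)
# Cannot be assigned at resource group or subscription scope, only on this service.
$role.AssignableScopes = @($serviceScope)

New-AzRoleDefinition -Role $role
```

After creating the role, assign it to the pipeline's identity at index scope and confirm the behaviour with a real request: an upload should succeed and a delete should be refused with 403. If the provider does not enforce delete separately from write, the NotDataActions entry will have no effect, which is exactly why the operation listing comes first.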
Scope access to a single index or resource
You can also choose to give access to a single index or resource (e.g. an indexer, skillset, or data source) rather than to the entire search service. This is particularly valuable for multi-tenant scenarios where you want to ensure that a single tenant's identity can reach only its own index.
You can add a new role assignment in PowerShell with the following command, where <objectId> is the Azure AD object ID of the user, group, service principal, or managed identity being granted access, and the scope path ends at the individual index:
New-AzRoleAssignment -ObjectId <objectId> `
-RoleDefinitionName "Search Index Data Contributor" `
-Scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Search/searchServices/<search-service>/indexes/<index-name>"
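For the multi-tenant case, here is an added example (not from the original post) that maps each tenant's application identity to exactly one index, assigns the reader role at index scope, and then audits for any broader assignment that would silently undo the isolation. Tenant names, object IDs and index names are placeholders, and it assumes the Az.Resources module with a signed-in session that can create role assignments on the service.

```powershell
# Added example, not from the original post. One tenant identity -> one index,
# plus an audit for assignments above index scope.
$serviceScope = "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Search/searchServices/<search-service>"

# Constructed mapping; object IDs are those of each tenant's service principal.
$tenants = @(
    @{ Name = "contoso";  ObjectId = "<contoso-app-object-id>";  Index = "contoso-docs" },
    @{ Name = "fabrikam"; ObjectId = "<fabrikam-app-object-id>"; Index = "fabrikam-docs" }
)

foreach ($t in $tenants) {
    $indexScope = "$serviceScope/indexes/$($t.Index)"
    # Get-AzRoleAssignment -Scope reports assignments effective at that scope,
    # including inherited ones, so this is idempotent on re-runs.
    $existing = Get-AzRoleAssignment -ObjectId $t.ObjectId -Scope $indexScope `
        -RoleDefinitionName "Search Index Data Reader" -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $t.ObjectId `
            -RoleDefinitionName "Search Index Data Reader" `
            -Scope $indexScope | Out-Null
        Write-Host "$($t.Name): granted reader on $($t.Index)"
    }
}

# Audit: any assignment at the service, resource group, or subscription scope
# lets the tenant identity reach every index, defeating the per-index model.
foreach ($t in $tenants) {
    $broad = Get-AzRoleAssignment -ObjectId $t.ObjectId |
        Where-Object { $serviceScope -like "$($_.Scope)*" }   # scope is a prefix of the service path
    if ($broad) {
        Write-Warning "$($t.Name): assignments above index scope: $($broad.Scope -join ', ')"
    }
}
```

The audit loop matters more than the assignment loop. A well-meaning operator who grants Search Index Data Reader at the service level to "fix" a tenant's 403 quietly gives that tenant every other tenant's data, and only the inherited-scope check will show it.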
Get Started
You can get started today by joining the preview in the Azure Portal. From there, you can set up Azure AD authentication by following the steps in Authorize search requests using Azure AD.
There's also additional information in Role-based authorization - Azure Cognitive Search.
Posted at https://sl.advdat.com/3Hrfib5