Optimizing for security: Graph API Access Control

04 Feb 2024

Why should restrictions be imposed on GraphAPI access?

Granting permissions to Entra ID App registrations for access via the Graph API to Azure tenants can provide significant benefits, particularly in service automation scenarios.

However, managing unrestricted access to these registrations can be inconvenient and a known risk. It’s crucial to establish conditional restrictions to ensure controlled access to your Azure Tenant via the Graph API.

Enter… the Conditional Access for workload identities!

First, what are workload identities:
As Microsoft describes it, “A workload identity is an identity you assign to a software workload (such as an application, service, script, or container) to authenticate and access other services and resources.”

Microsoft now also offers ‘Entra Workload ID Premium’ to use workload identities within Conditional Access. These workload identities serve as the gateway, granting applications or service principals access to resources like the Graph API.

So, in this post, we connect to the Graph API as a workload identity via an IP restriction enforced by a Conditional Access policy.

Creating the named location

The journey begins with creating a named location, the first step in defining the IPs we want to exclude from our conditional access policy.

To start this, navigate to the Conditional Access management blade. (The quick way, thanks to Merill Fernando from merill.net) and select named locations, as shown in the example below.

Conditional Access Blade

In the Named locations blade, I then create a new location as shown below.

New Named Location

Assigning the named location to a conditional access policy

To make the named location a requirement in the conditional access policy, we have to assign it to a new or existing conditional access policy.

For the purpose of this post, we are creating a new policy by navigating to the Conditional Access blade and selecting the workload identity we wish to control via Conditional Access.

New Workload ID

After selecting the workload identity to which we want to apply the restrictions, we give the policy a name and select the earlier created named location as an exclusion, so that only that location is allowed to bypass the policy.

In the access controls, we select ‘Block access’ so that every other location other than the selected named location is blocked from access to the workload identity.

Named Location in Workload ID

How does this work in practice?

As published in my earlier blog post to easily generate a Graph API access token, we are re-using some code.

When we request an access token via the trusted named location, we get the following result:

Example Without Restriction

And then when we request an access token outside of our trusted named location, we get the next result back:

Example With Restriction

Conclusion

When creating workload identities to use in, for example, service automation products, we also need to pay attention to the access controls for these identities. This aspect can be overlooked, leading to unnecessary risk.

Unfortunately, this feature is not standard and requires additional licenses to configure.

In an upcoming post, I’ll delve into how to best maintain minimal permissions when creating a workload identity for use in automation products (scripts, etc.), as most workload identities typically do not need any more permissions than necessary.