Restricting access to Microsoft Graph based on IP address, using application level auth and multi-tenanted app

I'm using Microsoft Graph API to access data from a variety of tenants' ADs. This is with a multitenanted Azure app hosted in my Azure tenancy. Authentication is handled using application level tokens and the client credentials flow; customer admins authorize the collection of data for their tenancy using OAuth. A customer is asking whether it's possible for me to restrict access to my Azure app based on location, so that our app dispenses tokens only to clients who are inside our data center.

It seems to me that this is not going to work. Microsoft recently added the possibility of conditional access based on workload identities, but are pretty clear that this only works for single-tenant apps, where the same tenancy hosts both the enterprise application and the app registration:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity

Note

Policy can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities are not covered by policy.

But, I am not an expert and may be working on incorrect assumptions. Can anyone confirm or disconfirm what I have posted here? Is there some way I can provide what the customer is asking for?

As mentioned in the document, it is applicable only to single tenants. If you want this feature to be available for multi-tenant apps as well, you can raise a feature request for the same here: https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform
