Modern authorization for Azure Active Directory
Fine-grained access controls for Azure AD
About the integration
Azure Active Directory is a popular cloud-based identity service. Aserto is a powerful authorization service that enables you to manage permissions and control access within your application. Together, they provide out-of-the-box solutions for user identity and access management.
About Azure Active Directory
Azure Active Directory, or Azure AD, is an identity service that provides single sign-on (SSO), multi-factor authentication (MFA), and coarse-grained access to business applications. It enables organizations to give employees easy access to external applications, like Microsoft 365 and thousands of SaaS applications.
IT admins use Azure Active Directory to control access to apps based on the user's business function or business needs, and app developers use it to add SSO or MFA to their applications.
About Aserto
Aserto is a powerful and flexible authorization service built to evolve with your customer requirements. It is complementary to Azure AD's identity solution: it makes it easy to define, enforce, and evolve permissions within the application. With an open-source authorizer, Aserto handles the heavy lifting required to build secure, scalable role-based (RBAC), attribute-based (ABAC), policy-based (PBAC), and relationship-based (ReBAC) access controls.
Aserto has a native integration with Azure AD and can be onboarded in under a day. Quickstarts and SDKs are available for popular programming languages and frameworks, including Node.js, Golang, Python, JavaScript, ASP.NET, React, Java, and Ruby, helping you get up and running in minutes and production-ready in a week. REST, gRPC, and GraphQL APIs are available for developers who want to code close to the metal.
Better together
Setting things up
To get your authorization up and running, connect Aserto to your Azure AD tenant; the users, roles, and attributes stored in Azure AD are then synced automatically into the Aserto Directory. In Aserto, you define your permissions and policies and load any resources and relationships you want to use in your authorization decisions.
Start by developing and testing against Aserto's hosted authorizer. When you're ready to run a production workload, deploy Aserto's authorizer as a microservice or sidecar in the same cluster or subnet as your application. The Aserto control plane pushes the most recent user, resource, and policy data to the authorizer, so the authorizer is not left making decisions on stale data.
At runtime
At runtime, Azure Active Directory returns a signed access token to your application once it authenticates a user. Before granting access to a resource in your app, your application validates that token (signature, issuer, audience, and expiry) and then calls the Aserto authorizer, passing three inputs: the user context (the identity carried by the access token), the policy context (which policy and decision to evaluate), and the resource context (what is being accessed). The authorizer makes an access decision in milliseconds based on that data, and the application enforces it, rejecting the request when the decision is a deny.
Auditing authorization decisions
Aserto automatically captures and aggregates logs for every authorization decision in the control plane, for easy auditing. These decision logs can be streamed or batched up into your favorite log analysis tool, or SIEM.
The Aserto authorizer architecture
Authorization is on the critical path of every request, so response latency matters. To minimize authorization latency and maximize availability, the Aserto authorizer is deployed as a microservice or sidecar right next to your application. Your production application should never depend on the availability or uptime of a remote authorization service.
The authorizer makes decisions based on three important inputs:
1. Policies from your policy registry
2. Users, attributes, and roles from Azure Active Directory supplemented with application-specific information stored in the Aserto directory.
3. Resource context passed by your application
Any changes made to your Azure AD directory are automatically synchronized into the Aserto directory, and Aserto then pushes updates to your authorizers in near real time, so enforcement is not based on stale data. You can also configure Aserto to push updates on an interval you determine.
Leveraging the policy, user, and resource contexts, Aserto makes it easy to evolve your authorization from coarse-grained RBAC to fine-grained authorization using attributes (ABAC) or relationships between entities in the system (ReBAC). You can even mix any of the three in order to meet your requirements as the needs of your enterprise customers change. This means you can build a strong authorization foundation once, and evolve your access control model easily over time.
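The runtime flow described above (token in, authorizer call out, decision enforced) and the architecture section's point that the application must tolerate a sidecar being unreachable are shown together in the following example. This is an added illustration, not code from Aserto or from its SDKs. It assumes a sidecar on `localhost:8383`, a request and reply shape modelled on the Aserto authorizer v2 `is` API (`identity_context`, `policy_context`, `resource_context`; a `decisions` list in the reply), the `IDENTITY_TYPE_SUB` identity type, a policy path in the `peoplefinder.GET.api.users.__id` naming style, and that the directory keys synced Azure AD users on the `oid` claim; all of these should be checked against the current Aserto reference before use. The helper names (`build_is_request`, `is_allowed`, `handle_get_user`, `canned_transport`) are this example's own, and the sample claims and authorizer replies are constructed.

```python
"""Added example: call a local Aserto authorizer after Azure AD authentication
and enforce its decision fail-closed. Not Aserto SDK code; see assumptions below."""
import json
import urllib.request
from collections.abc import Mapping
from typing import Any, Callable

# Assumptions (not from the page): the sidecar listens on localhost:8383 and its
# check endpoint follows the Aserto authorizer v2 "is" API. Confirm both against
# the current Aserto API reference before relying on them.
AUTHORIZER_URL = "http://localhost:8383/api/v2/authz/is"
TIMEOUT_SECONDS = 0.5  # the sidecar is local; a slow answer is treated as no answer

Transport = Callable[[str, Mapping, float], Mapping]


class AuthorizationError(Exception):
    """Raised when no authorization request can be formed at all."""


def build_is_request(claims: Mapping[str, Any], policy_path: str,
                     resource: Mapping[str, Any]) -> dict:
    """Assemble the three authorizer inputs: identity, policy, resource context.

    `claims` must come from an access token whose signature, issuer, audience and
    expiry were already validated against Azure AD's published keys; this
    function trusts them. Azure AD's `oid` is the user's stable object id, while
    `sub` is pairwise per application, so `oid` is preferred. That the Aserto
    directory keys synced users on `oid` is an assumption of this example.
    """
    subject = claims.get("oid") or claims.get("sub")
    if not subject:
        raise AuthorizationError("access token carries no subject identifier")
    return {
        "identity_context": {"identity": subject, "type": "IDENTITY_TYPE_SUB"},
        "policy_context": {"path": policy_path, "decisions": ["allowed"]},
        "resource_context": dict(resource),
    }


def http_post_json(url: str, body: Mapping, timeout: float) -> Mapping:
    """Default transport: a plain JSON POST using only the standard library."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def is_allowed(claims: Mapping[str, Any], policy_path: str, resource: Mapping[str, Any],
               transport: Transport = http_post_json, url: str = AUTHORIZER_URL) -> bool:
    """Return True only on an explicit `allowed: true` from the authorizer.

    Fail closed: a connection error, timeout, malformed reply, or a reply that
    does not carry the requested decision all deny the request.
    """
    body = build_is_request(claims, policy_path, resource)
    try:
        reply = transport(url, body, TIMEOUT_SECONDS)
    except (OSError, ValueError):  # URLError/timeout are OSError; bad JSON is ValueError
        return False
    if not isinstance(reply, Mapping):
        return False
    for decision in reply.get("decisions", []):
        if isinstance(decision, Mapping) and decision.get("decision") == "allowed":
            return decision.get("is") is True
    return False


def handle_get_user(claims: Mapping[str, Any], user_id: str,
                    transport: Transport = http_post_json) -> tuple[int, dict]:
    """Route handler sketch for GET /api/users/{id}: the application gates the
    request on the authorizer's decision. Policy path naming is assumed."""
    if not is_allowed(claims, "peoplefinder.GET.api.users.__id", {"id": user_id}, transport):
        return 403, {"error": "forbidden"}
    return 200, {"id": user_id}


# Constructed stand-ins for the sidecar so the example runs offline.
def canned_transport(reply: Any) -> Transport:
    """Transport that returns a fixed reply regardless of the request."""
    return lambda url, body, timeout: reply


def unreachable_transport(url: str, body: Mapping, timeout: float) -> Mapping:
    """Transport that behaves like a sidecar that is down."""
    raise OSError("connection refused")


if __name__ == "__main__":
    # Constructed claims, standing in for a validated Azure AD access token.
    claims = {"oid": "11111111-2222-3333-4444-555555555555", "sub": "pairwise-sub"}
    allow = canned_transport({"decisions": [{"decision": "allowed", "is": True}]})
    deny = canned_transport({"decisions": [{"decision": "allowed", "is": False}]})
    print("allowed:", handle_get_user(claims, "user-42", allow))
    print("denied:", handle_get_user(claims, "user-42", deny))
    print("sidecar down:", handle_get_user(claims, "user-42", unreachable_transport))
```

In production the default `http_post_json` transport talks to the sidecar; the injectable transport exists so the deny paths (explicit deny, unreachable authorizer, unexpected reply) can be exercised without the sidecar. Transport security between the application and the sidecar (a Unix socket or mTLS rather than plain HTTP) is outside the scope of this example.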
Integrating Azure Active Directory with Aserto bridges the gap between authentication and authorization, creating an end-to-end auth solution.
Aserto also comes with the following benefits:
- Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ReBAC
- Open-source authorizer you can deploy in your cloud today
- Use a policy-as-code workflow to build, tag, push, version, and pull policy images just like docker images
- Quick onboarding via first-class integrations with Azure AD and with your artifact registry, logging system, backend programming language, and frontend framework
- Built on trusted open-source technology, including OPA, Topaz, and OCI