Tags: android, oauth-2.0, azure-active-directory

Azure AD: Authenticate Devices


I have a project where there are thousands of devices running android apps on our LAN. Those apps need to reach out to services. I'd like to authenticate the applications against Azure AD and then validate the tokens on the server side. There will be no user involved; we just want to authenticate the device itself.

What are some recommended best practices in this scenario? We can do client credential grants from the android app against the cloud but then we'd need to provide the clientid/secret to the APK and I don't like the idea of storing a secret in the APK because it can be decompiled. I think you can do a Client Credential grant without a secret, but that seems like a pretty loose authentication mechanism.

I read that Azure AD supports certificate based authentication, but I think functionally the same problem exists there, since we need to install a certificate on the device and if someone gets access to the device they can gain access to the certificate.

What can be done in this scenario?


Solution

  • Note that the client credential flow by default requires a client ID and a client secret or certificate.

    • In the Client Credentials flow, the application uses its client ID and client secret with the authorization server (Azure AD) to obtain an access token.
    • These credentials verify the identity of the application to the server, ensuring that only authorized applications can obtain tokens.
    • Hence the client ID and client secret are mandatory.

    Otherwise, you can make use of Azure AD Managed Service Identity (MSI), which allows applications running on Azure to authenticate with Azure AD without passing any secrets or certificates, if it suits your setup/scenario.

    • Managed Identity cannot be used for authenticating applications that run locally. It is designed to be used only for applications deployed on Azure services that support Managed Identity.
    • These are Azure services like Azure Kubernetes Service, Azure Virtual Machines, and Azure Container Instances.
    • If your application is hosted on one of these services, you can make use of MSI. Refer to this MsDoc.

    You can assign application permissions to the managed identity by using the PowerShell script:

    # Requires the Microsoft Graph PowerShell SDK; sign in with rights to manage app role assignments
    Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All"

    # Service principal of the API (the resource) that exposes the app role
    $serverApplicationName = "AppName"
    $serverServicePrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'"
    $serverServicePrincipalObjectId = $serverServicePrincipal.Id

    # Look up the app role's id by the role value defined in the API's app registration
    $appRoleName = "test.read"
    $appRoleId = ($serverServicePrincipal.AppRoles | Where-Object { $_.Value -eq $appRoleName }).Id

    # Object id of the managed identity (the principal that receives the app role)
    $managedIdentityObjectId = "MIObjectID"
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $serverServicePrincipalObjectId -PrincipalId $managedIdentityObjectId -ResourceId $serverServicePrincipalObjectId -AppRoleId $appRoleId



    Permissions are granted to the managed identity:


    • Then try to authenticate using this MSI client ID.
    • If MSI does not suit your setup or requirement, then try storing the secret in Azure Key Vault and retrieving it while using the client credential flow to authenticate.
    • Refer to this MsDoc.
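As an added example (not code from the question or the answer), here are the server-side claim checks for an app-only token obtained through the client credential flow, in Python using only the standard library. The tenant ID, audience and calling app ID are constructed placeholders; the app role value `test.read` is the one the script above assigns. Signature verification against the tenant's published signing keys is assumed to have been done by a JWT library before these checks run.

```python
import base64
import json
import time

# Constructed values for this example; substitute the real tenant, API and role.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
EXPECTED_AUDIENCE = "api://device-services"
REQUIRED_ROLE = "test.read"  # the app role the answer's PowerShell script assigns

def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the payload of a compact JWT. The signature is NOT checked here:
    verify it first with a JWT library against the tenant's published keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def validate_app_token(claims, now=None, leeway=60):
    """Check an app-only (client credentials) token and return the caller's app id."""
    now = time.time() if now is None else now
    # v2.0 endpoint issuer; v1.0 tokens use https://sts.windows.net/<tenant>/ instead
    if claims.get("iss") != f"https://login.microsoftonline.com/{TENANT_ID}/v2.0":
        raise PermissionError("unexpected issuer")
    if claims.get("tid") != TENANT_ID:
        raise PermissionError("token issued for another tenant")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("token not issued for this API")
    if not (claims.get("nbf", 0) - leeway <= now < claims.get("exp", 0) + leeway):
        raise PermissionError("token not yet valid or expired")
    # No user is involved, so permissions must arrive as app roles ('roles'),
    # never as delegated scopes ('scp'); reject tokens that carry a user scope.
    if "scp" in claims:
        raise PermissionError("delegated token where an app-only token was expected")
    if REQUIRED_ROLE not in claims.get("roles", []):
        raise PermissionError(f"missing app role {REQUIRED_ROLE}")
    azp = claims.get("azp") or claims.get("appid")
    if not azp:
        raise PermissionError("no calling application id in token")
    return azp

def demo_token(claims):
    """Build an unsigned demo JWT (constructed input; the signature segment is a dummy)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```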