Microsoft Identity Platform community call – April 2023
Call summary
This month’s in-depth topic: Mastering Azure AD App Security: Safeguarding Service Principals for Smooth and Secure Automation
Specifically, permissions for DevOps and automation: services or daemon applications that run in the background, often on a schedule, with no signed-in user involved. Descriptions and demos covered: service or daemon applications, app-only vs. delegated access, application vs. service principal, app-only permissions and Key Vault, the app-only access token, Microsoft Graph application permissions, Azure Active Directory scoping, running with no Graph app permissions, the “user administrator” directory role, custom roles, and Microsoft 365 scoping. Microsoft presenter: Marcus Carvalho, Senior Product Manager - Identity at Microsoft.
This call was hosted by Marcus Carvalho (Microsoft) on April 20, 2023. Questions were addressed live and in chat throughout the call.
Agenda items
00:00 – Intro - Marcus Carvalho (Microsoft)
03:09 – Topic – Mastering Azure AD App Security: Safeguarding Service Principals for Smooth and Secure Automation – Marcus Carvalho (Microsoft)
52:31 – Closing
Referenced in the call
- Article - Scope App Permissions for Secure Automation using Microsoft Azure Active Directory - Marcus Carvalho (Microsoft) | https://devblogs.microsoft.com/identity/azure-ad-app-permission-scoping/
- Documentation - Understanding application-only access | https://learn.microsoft.com/azure/active-directory/develop/app-only-access-primer
- Documentation - Assign a Key Vault access policy | https://learn.microsoft.com/azure/key-vault/general/assign-access-policy
- Documentation - Microsoft Graph permissions reference | https://learn.microsoft.com/graph/permissions-reference
- Documentation - Create and assign a custom role in Azure Active Directory | https://learn.microsoft.com/azure/active-directory/roles/custom-create
- Documentation - Administrative units in Azure Active Directory | https://learn.microsoft.com/azure/active-directory/roles/administrative-units
- Documentation - Limiting application permissions to specific Exchange Online mailboxes | https://learn.microsoft.com/graph/auth-limit-mailbox-access
- Article - Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph | https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections
- Blog - Microsoft Entra Identity Developer Blog | https://devblogs.microsoft.com/identity
- Token decoder | https://jwt.ms/
- Documentation - Conditional Access: Filter for applications (Preview) (+ security attributes) | https://learn.microsoft.com/azure/active-directory/conditional-access/concept-filter-for-applications
Actions
- Let us know how we’re doing and suggest topics for future calls by completing this survey: https://aka.ms/IDDevCommunityCallSurvey
- Opt into PnP Recognition Program | https://aka.ms/m365pnp-recognition
- Register for the Microsoft 365 Developer Program and get a free developer tenant
- Get started with free training modules covering Microsoft 365 platform capabilities including Learning Path - Implement Microsoft identity – Associate
- Mark your calendar for the next call on May 18th at 9:00am PT. Download the recurring invite for this call | https://aka.ms/IDDevCommunityCalendar
Resources in General
- Documentation - What is the Microsoft identity platform?
- Documentation - Microsoft identity platform documentation
- Developer – Microsoft Identity Platform
- Microsoft 365 Unified Sample gallery - https://aka.ms/m365/samples
Stay connected
- Twitter https://twitter.com/microsoft365dev and @azuread
- See the full blog post for this call in the Microsoft 365 platform community blog - https://aka.ms/community/blog
- Microsoft 365 Unified Sample gallery - https://aka.ms/community/samples
- Microsoft 365 Platform Community on YouTube - https://aka.ms/community/videos
- Microsoft 365 Platform Community - https://aka.ms/community/home