Understanding Azure Credentials and Identity

Azure credentials are the foundation of secure access to Azure services and resources.

To manage Azure credentials, you need to understand the different types of identities that exist in Azure.

Azure Active Directory (Azure AD) is the primary identity and access management system for Azure.

Azure AD provides a centralized location to manage user and group identities, as well as their permissions and access to Azure resources.

In Azure, identities can be managed using Azure AD, Azure AD B2C, or Azure AD B2B.

Azure AD B2C is designed for consumer-facing applications, while Azure AD B2B is used for business-to-business scenarios.

Creating Azure Credentials is a straightforward process that can be done in a few different ways. To create a new credential asset with Windows PowerShell, you can use the New-AzAutomationCredential cmdlet, which creates a new Automation credential. The cmdlet requires a PSCredential object, which can be created with the name and password, or you can use the Get-Credential cmdlet to prompt the user for input.

You can also create a new Automation credential using the Azure portal. To do this, navigate to the Azure portal, open the Microsoft Entra ID service, and select App registrations. Then, select New registration and specify the details about the application. Once you've created the AD application and service principal, you can use the credentials to create a new Automation credential.

The following cmdlets are used to access and create Automation credentials with PowerShell: Get-AzAutomationCredential, New-AzAutomationCredential, Remove-AzAutomationCredential, and Set-AzAutomationCredential. These cmdlets can be used to retrieve, create, remove, and update Automation credentials, respectively.

To add Azure credentials to BlueXP, you need to follow two main steps.

You can associate additional Azure subscriptions with the Azure managed identity.

If you want to deploy Cloud Volumes ONTAP using different Azure credentials, you'll need to grant Azure permissions using a service principal and add its credentials to BlueXP.

There are two main ways to add Azure credentials in BlueXP.

In some cases, using Azure credentials might not be the best option. For example, developers who want full control over the authentication protocol and its configuration might prefer to use Microsoft Authentication Library for JavaScript (MSAL.js) directly.

Developers may also want to use MSAL.js if our credential types are not designed to be used with Azure SDK clients with intelligent caching and token refreshing handled at the core HTTP layer. If you find yourself having to use getToken directly, you may benefit from using MSAL.js for more control over the authentication flow and token caching.

You can also use custom credentials to support authentication cases not covered by @azure/identity. To learn more, see Custom Credentials.

Here are some scenarios where developers may want to use MSAL.js instead of Azure credentials:

Note: This list is not exhaustive and is based on the information provided in the article section.

To create a Microsoft Entra application, you'll need to have the necessary permissions in Azure. Ensure you have permissions to create an Active Directory application and to assign the application to a role.

To start, open the Microsoft Entra ID service from the Azure portal. This will take you to the main dashboard where you can manage your applications. From here, select App registrations and then choose New registration.

Specify the details about the application, including its name and redirect URI. Once you've filled out the required information, select Register. This will create the AD application and service principal, which is the first step in creating Azure credentials.

To create a new credential asset in Azure Automation, you have two options: using the Azure portal or Windows PowerShell.

You can create a new credential asset in the Azure portal by navigating to your Automation account, selecting Credentials under Shared Resources, and clicking Add a credential.

To create a credential asset using Windows PowerShell, you can use the New-AzureAutomationCredential cmdlet or create a PSCredential object and then use it to create the credential asset.

Azure Automation does not support user accounts that use multifactor authentication, so be sure to uncheck the multifactor authentication box when creating a new credential asset.

Here are the steps to create a new credential asset with the Azure portal:

If you want to use Windows PowerShell to create a new credential asset, you can use the following cmdlets:

Remember to import the Orchestrator.AssetManagement.Cmdlets module to retrieve PSCredential objects in your code.

Managing Azure Credentials is a crucial task to ensure secure access to your Azure services. You can manage existing credentials in BlueXP by associating a Marketplace subscription, editing credentials, and deleting them.

To edit credentials, select the Settings icon in the upper right of the BlueXP console, then select Credentials. From there, you can select the action menu for a set of credentials and choose Edit Credentials. Make the required changes and select Apply.

You can also delete credentials that are no longer needed. To do this, select the Settings icon and then select Credentials. Choose the action menu for the set of credentials you want to delete and select Delete Credentials. Then, confirm the deletion by selecting Delete.

Here are some credential classes supported by Azure:

You can manage existing Azure credentials in BlueXP by associating a Marketplace subscription, editing credentials, or deleting them. This is a crucial step in maintaining the security and integrity of your Azure credentials.

To edit your Azure credentials, you'll need to navigate to the Credentials page in the BlueXP console. From there, select the action menu for the set of credentials you want to edit and choose Edit Credentials. You can then make the necessary changes and select Apply to save your updates.

The process of editing credentials is straightforward: simply follow the steps outlined in the BlueXP console, and you'll be able to update your Azure credentials in no time.

You can also delete credentials that are no longer needed. To do this, select the action menu for the set of credentials you want to delete and choose Delete Credentials. Confirm your decision by selecting Delete.

Here are the steps to delete credentials in BlueXP:

Remember to only delete credentials that aren't associated with a working environment. If you're unsure about the status of your credentials, it's always a good idea to double-check before deleting them.

You can use Azure credentials in your Jenkins job with the Credentials Binding plugin.

The plugin allows you to read Azure service principal in both freestyle and pipeline jobs. In freestyle jobs, you can click Use secret text(s) or file(s) in the Build Environment and add a Microsoft Azure Service Principal item.

The plugin also supports custom binding for AzureCredentials, which can be used in pipeline jobs. This allows you to read the service principal and store it in environment variables that your build can use.

Here's a sample pipeline code that shows how to use the plugin: withCredentials([azureServicePrincipal('credentials_id')]) { sh 'az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID' }

Alternatively, you can use a custom name for the variables, like this: withCredentials([azureServicePrincipal(credentialsId: 'credentials_id', subscriptionIdVariable: 'SUBS_ID', clientIdVariable: 'CLIENT_ID', clientSecretVariable: 'CLIENT_SECRET', tenantIdVariable: 'TENANT_ID')]) { sh 'az login --service-principal -u $CLIENT_ID -p $CLIENT_SECRET -t $TENANT_ID' }

Token caching is a feature provided by the Azure Identity library that allows apps to cache tokens in memory (default) and on disk (opt-in). This can improve resilience and performance, and reduce the number of requests made to Microsoft Entra ID to obtain access tokens.

Apps can choose between in-memory and persistent disk caching. The Azure Identity library offers both options, allowing developers to decide which approach best suits their needs.

Token caching can be particularly useful in scenarios where the app needs to handle a large number of requests or when the user is offline. In such cases, caching tokens can help ensure that the app remains functional and responsive.

Here are the benefits of token caching: