Azure AD Dynamic Secrets

You can define an Azure AD dynamic secret to dynamically generate access credentials in one of two modes:

  1. Programmatic: Access Azure AD using a secret for a specific application.

  2. Portal: Access Azure AD using a username and password.

Prerequisites

To provide access to the Akeyless Vault Platform from Azure AD, create an Application Registration within your Microsoft Identity Platform. This registration serves as a service account that allows the Akeyless Vault Platform to make API calls.

To create a Service Account in your Azure AD, follow the guide on how to create an Application Registration in Azure Active Directory, or follow the step-by-step guide.

The following permissions are required:

Action                            Permissions
Create/Delete user                User.ReadWrite.All, Directory.ReadWrite.All
Add user to group                 GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All
Add user role                     RoleManagement.ReadWrite.Directory
Create/Delete Application secret  Application.ReadWrite.OwnedBy, Application.ReadWrite.All

Create a Dynamic Azure AD Secret from the CLI

Tip

We recommend using dynamic secrets with Targets. A Target stores the connection details once, so you can configure secrets for different types of access levels without providing an inline connection string each time.

To create a dynamic Azure AD secret from the CLI using an existing Azure Target, run the following command:

akeyless gateway-create-producer-azure \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim>

Or using an inline connection string:

akeyless gateway-create-producer-azure \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim> \
--azure-tenant-id <Azure Tenant ID> \
--azure-client-id <Azure Client ID> \
--azure-client-secret <Azure AD Client Secret>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: The name of the target that enables connection to the Azure AD server. The name can include the path to the virtual folder where this target resides.

  • gateway-url: Akeyless Gateway URL.

  • azure-user-portal-access: Enable Azure AD user portal access.

  • azure-user-programmatic-access: Enable Azure AD user programmatic access.

  • azure-app-obj-id: Azure App Object ID (required if programmatic access is enabled).

  • azure-user-principal-name: Azure User Principal Name (required if portal access is enabled).

  • fixed-user-only: Allow access using the externally provided username.

  • fixed-user-claim-keyname: For externally provided users, denotes the key name of the IdP claim to extract the username from.

Inline connection strings

If you don't have a configured Azure AD Target yet, you can use the command with your Azure AD connection settings:

  • azure-tenant-id: Azure Tenant ID.

  • azure-client-id: Azure Client ID (Application ID).

  • azure-client-secret: Azure AD Client Secret.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.
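The following module is an added example written for this page; it is not Akeyless code and not part of the akeyless CLI. It encodes the parameter dependencies listed above (App Object ID required for programmatic access, User Principal Name required for portal access, claim key name required for a fixed user, a Target or a full inline connection string but not both, and an https:// Gateway URL), derives the Microsoft Graph permissions the Application Registration needs from the Prerequisites table, and renders the matching `akeyless gateway-create-producer-azure` command using only the flags shown on this page. The dataclass, function names and sample values are constructed for the example; the group and role lists correspond to the Console-only fields described later on this page, and the rule that an externally provided user needs no Create/Delete user permission is an inference from that field's description, not something the page states.

```python
"""Added example for this guide (not Akeyless code): check an Azure AD
dynamic-secret configuration against the parameter rules above, derive the
Graph permissions from the Prerequisites table, and render the CLI command."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Permissions table from the Prerequisites section, keyed by action.
PERMISSIONS_BY_ACTION = {
    "create_delete_user": {"User.ReadWrite.All", "Directory.ReadWrite.All"},
    "add_user_to_group": {"GroupMember.ReadWrite.All", "Group.ReadWrite.All",
                          "Directory.ReadWrite.All"},
    "add_user_role": {"RoleManagement.ReadWrite.Directory"},
    "create_delete_app_secret": {"Application.ReadWrite.OwnedBy",
                                 "Application.ReadWrite.All"},
}


@dataclass
class AzureAdProducerConfig:
    """Hypothetical container for the options this guide describes."""
    name: str
    gateway_url: str
    portal_access: bool = False
    programmatic_access: bool = False
    app_obj_id: Optional[str] = None
    user_principal_name: Optional[str] = None
    fixed_user_only: bool = False
    fixed_user_claim_keyname: Optional[str] = None
    # Console-only fields on this page (no CLI flag listed); they only affect
    # the permission set computed below.
    group_object_ids: List[str] = field(default_factory=list)
    role_template_ids: List[str] = field(default_factory=list)
    # Either an existing Target or inline connection settings.
    target_name: Optional[str] = None
    tenant_id: Optional[str] = None
    client_id: Optional[str] = None
    client_secret: Optional[str] = None


def validate(cfg: AzureAdProducerConfig) -> List[str]:
    """Return the list of problems; an empty list means the config is consistent."""
    errors = []
    if not (cfg.portal_access or cfg.programmatic_access):
        errors.append("enable portal access, programmatic access, or both")
    if cfg.programmatic_access and not cfg.app_obj_id:
        errors.append("azure-app-obj-id is required when programmatic access is enabled")
    if cfg.portal_access and not cfg.user_principal_name:
        errors.append("azure-user-principal-name is required when portal access is enabled")
    if cfg.fixed_user_only and not cfg.fixed_user_claim_keyname:
        errors.append("fixed-user-claim-keyname is required when fixed-user-only is true")
    if not cfg.gateway_url.startswith("https://"):
        errors.append("gateway-url must start with https:// (forward slashes)")
    inline = (cfg.tenant_id, cfg.client_id, cfg.client_secret)
    if cfg.target_name is None and not all(inline):
        errors.append("provide a target-name or all of tenant-id, client-id and client-secret")
    if cfg.target_name is not None and any(inline):
        errors.append("use either a target-name or inline connection settings, not both")
    return errors


def required_permissions(cfg: AzureAdProducerConfig) -> Set[str]:
    """Least-privilege permission set for the service account, from the table above."""
    perms: Set[str] = set()
    if cfg.portal_access:
        # Assumption (not stated on the page): an externally provided user is
        # neither created nor deleted, so only the group/role actions apply.
        if not cfg.fixed_user_only:
            perms |= PERMISSIONS_BY_ACTION["create_delete_user"]
        if cfg.group_object_ids:
            perms |= PERMISSIONS_BY_ACTION["add_user_to_group"]
        if cfg.role_template_ids:
            perms |= PERMISSIONS_BY_ACTION["add_user_role"]
    if cfg.programmatic_access:
        perms |= PERMISSIONS_BY_ACTION["create_delete_app_secret"]
    return perms


def yes_no(value: bool) -> str:
    return "true" if value else "false"


def build_command(cfg: AzureAdProducerConfig) -> List[str]:
    """argv for akeyless gateway-create-producer-azure, using only flags from this guide."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["akeyless", "gateway-create-producer-azure", "--name", cfg.name]
    if cfg.target_name:
        argv += ["--target-name", cfg.target_name]
    argv += ["--gateway-url", cfg.gateway_url,
             "--azure-user-portal-access", yes_no(cfg.portal_access),
             "--azure-user-programmatic-access", yes_no(cfg.programmatic_access)]
    if cfg.app_obj_id:
        argv += ["--azure-app-obj-id", cfg.app_obj_id]
    if cfg.user_principal_name:
        argv += ["--azure-user-principal-name", cfg.user_principal_name]
    argv += ["--fixed-user-only", yes_no(cfg.fixed_user_only)]
    if cfg.fixed_user_claim_keyname:
        argv += ["--fixed-user-claim-keyname", cfg.fixed_user_claim_keyname]
    if cfg.target_name is None:
        argv += ["--azure-tenant-id", cfg.tenant_id, "--azure-client-id", cfg.client_id,
                 "--azure-client-secret", cfg.client_secret]
    return argv


if __name__ == "__main__":
    # Constructed sample values; replace them with your own.
    sample = AzureAdProducerConfig(
        name="/azure/portal-user", gateway_url="https://gw.example.internal:8000",
        portal_access=True, user_principal_name="dyn-admin@example.onmicrosoft.com",
        target_name="azure-ad-target", group_object_ids=["<Group Object ID>"])
    print("Graph permissions needed:", ", ".join(sorted(required_permissions(sample))))
    print(shlex.join(build_command(sample)))
```

Run the module to see the permission set for a portal-access secret that adds the user to one group, followed by the command it would issue; the permission list is what you grant the Application Registration, nothing more, and the validation step catches the `https:\\` slash mistake before the Gateway ever sees it.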

Fetch a Dynamic Azure AD Secret value from the CLI

To fetch a dynamic Azure AD secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>

Create a Dynamic Azure AD Secret in the Akeyless Console

Tip

To start working with dynamic secrets from the Akeyless Console, you first need to configure the Gateway URL, which enables communication between the Akeyless SaaS and the Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Dynamic Secret.

  2. Select the Azure AD secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Delete Protection: When enabled, protects the secret from accidental deletion.

  • Target mode: In this section, you can either select an existing Azure AD Target or specify details of the target Azure AD server explicitly (e.g., if you are not authorized to create and access Targets in the Akeyless Console).

    • Use the Choose an existing target drop-down list to select the existing Azure AD Target.

    • Check the Explicitly specify target properties to provide details of the target Azure AD in the next step.

  • Programmatic Access: Select this radio button to create a new secret to access a specific App.

  • Portal Access: Select this radio button to create a new user and password.

  • App Object ID: Provide the ID of the App Object to access using a dynamic secret. (If Programmatic Access is selected.)

  • User Principal Name: Provide your Account Principal Name. (If Portal Access is selected.)

  • User Groups Object ID: Provide the ID of the Group Object to add the new user to this group. Multiple values should be separated by a comma. (If Portal Access is selected.)

  • User Roles Template ID: Provide the ID of the Role Template to add this role to the new user. Multiple values should be separated by a comma. (If Portal Access is selected.)

  • Externally Provided Username: Select this checkbox to let the dynamic secret engine add and remove the assigned groups and roles for an existing user (instead of creating a new temporary user). (If Portal Access is selected.)

  • Extract username from the following claim (Key name): Provide the name of the claim in the authentication token from which the "externally provided username" will be taken. The value should be either the full user principal name or the user display name.

  • User TTL: Provide a time-to-live value for the dynamic secret (i.e., the token). When the TTL expires, the token becomes invalid.

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.

  5. If you selected the Explicitly specify target properties option, click Next.

  6. Provide details of the target Azure AD server:

  • Client ID (Application ID): The Application ID.

  • Tenant ID: Your Azure Tenant ID.

  • Client Secret: Your Azure Client Secret.

  7. Click Finish.

Fetch a Dynamic Azure AD Secret Value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click the Get Dynamic Secret button.