Azure AD with MsGraph¶
Note
This article covers cross-domain identity management with Azure AD using Microsoft's Graph API (also known as Azure AD Sync of users and groups).
Introduction¶
Whilst the Sequel Security Service can perform Authentication & Authorisation capabilities itself, it is typically used as a proxy to identity providers such as Microsoft who have responsibility for identifying a user and their permissions/roles/rights. This approach enables Sequel products to leverage the benefits and vendor implementations of multi-factor authentication (MFA), single sign-on (SSO), identity protection & monitoring etc., providing customers with a secure, trusted, tried and tested mechanism to authenticate and authorise users.
Critically, when used as a proxy/middleware Sequel Security Service does not store user credentials (eg username, password), nor does it have knowledge of these sensitive credentials – the responsibility of identifying a user lies with the identity provider (eg Microsoft). At no point are these sensitive credentials communicated, processed or stored by the Sequel Security Service. The Sequel Security Service is responsible for storing non-sensitive user information, within its User Information Store and Cache, and providing this user information to other products within the Sequel suite.
User Information Store and Cache¶
The Sequel Security Service is responsible for managing users and their permissions within Sequel products, and for providing limited information on users to Sequel products: principally a user's name, email address and their permissions/roles for each Sequel product, which, when connected to Azure Active Directory (AAD), are defined by membership of AAD groups. This information is stored within the Sequel Security Service (and Sequel products) and updated from data sourced from the client's Azure Active Directory. The store acts as a cache and avoids repeated, relatively slow requests to the identity provider (AAD). The information (sourced from the identity provider) is written to the Sequel Security Service data store when a user is authenticated by the identity provider and on a regular scheduled basis (e.g. every 30 minutes).
The Sequel Security Service both stores this user information within its own data store/cache and distributes the information to downstream Sequel product instances to update their own stores, to improve product instance performance and isolate product instances’ workloads.
User Information Logical Schema¶
The Sequel Security Service (and other Sequel products) store limited non-sensitive user information sourced from Azure Active Directory. User credentials are not processed by or stored within the Sequel Security Service.
The scope of the dataset held within the User Information Store and updated by the Sequel Security Service is controlled by membership of a configurable AAD group. The Sequel Security Service determines which users to retrieve information for from AAD by identifying the members (users) of this AAD group.
The user details retrieved from AAD and stored within the User Information Store include:
- From users: id, userPrincipalName, givenName, surname, mail and accountEnabled
- From groups: id and displayName
Client Dependencies and Requirements¶
Clients are responsible for providing a functioning implementation of a Microsoft Azure Active Directory Tenant, populated with user identities and groups as per Microsoft’s instructions. Since integration between Azure Active Directory and the Sequel Security Service requires configuration and information to be shared between the two services, the technical teams of the client and Sequel work collaboratively to enable integration.
There are two integration mechanisms between the Sequel Security Service and Microsoft Azure Active Directory:
- User Authentication (out of scope) – permits users of Sequel products (via the Sequel Security Service) to authenticate via Microsoft Azure Active Directory, using industry standard OpenIDConnect protocols. Integration permits the Sequel Security Service instance to redirect users to Microsoft to authenticate, and to be redirected back to the Sequel Security Service instance once successfully authenticated. This integration is not used by the User Information Cache and is not within scope of this document.
- User Information Store and Cache Update (in scope) – provides the Sequel Security Service instance permissions to connect to the Microsoft Azure Active Directory API and read limited user information (including group membership). This integration is only used by the User Information Store and Cache. The Sequel Security Service integrates with Microsoft Azure Active Directory (AAD) using Microsoft’s Graph API, reading minimal user information and user group membership information. Legacy integration methods based on LDAP(S) requiring Windows Domain and VPN connectivity between client and Sequel hosting networks will be deprecated over time.
Clients are responsible for providing a configured and populated Azure Active Directory instance.
There is a registration form that covers how to set up the Sequel Security application on Azure, allowing it to perform read queries against Azure through Microsoft's Graph API: Azure AD Sync Registration
Synchronisation Process¶
The sync service periodically executes a "sync process". This process requests information on groups and users using Microsoft's Graph API. The information is translated into a Sequel User, representing a user with some key attributes retrieved from AAD, such as name or the groups the user is a member of. The sync service then requests the creation/update of this user from the Security API. The Security API determines whether this is a new user or an existing one, calculates the memberships for the user based on the information supplied, and applies the changes to the user (this calculation is covered in the MembershipSet section). All actions during the process are audited in the Security API, and errors are logged to the core logging repository (the central logging repository used by Sequel Apps).
The synchronisation process executes:
- after being started (startup of the daemon hosting the sync process).
- after a scheduled time (polling): by default the process is scheduled to execute every hour. This value can be customised. The configuration is refreshed from the Security API during startup and on each polling/execution.
- on a manual request (manually forced): the process can be triggered manually from the Admin UI (and also from the Security API). To use this functionality, the message bus settings must be configured for the sync service. A manual request refreshes the configuration and restarts the polling.
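The following is an added example, not Sequel code, illustrating the translation and membership steps described above: it takes Graph-shaped group and member payloads (constructed here, with placeholder ids), projects users down to the fields of the User Information Logical Schema, derives each user's groups, and diffs the result against an existing store the way the MembershipSet step would. Function names, the nested-group handling and the "disable rather than delete" policy for users who have left the scoping group are assumptions of this example.

```python
"""Simulated sync pass: Graph group members -> Sequel User records -> membership diff.

Added example; not Sequel code. The Graph payloads are constructed to mirror the
shape of /groups and /groups/{id}/members responses, so the module runs offline.
"""

# Only the fields the User Information Store holds. Sending exactly these as a
# $select keeps credentials and every other attribute out of the response.
USER_SELECT = ("id", "userPrincipalName", "givenName", "surname", "mail", "accountEnabled")
GROUP_SELECT = ("id", "displayName")
USER_TYPE = "#microsoft.graph.user"

# Constructed sample: the scoping group plus two product groups (placeholder ids).
GRAPH_GROUPS = [
    {"id": "g-scope", "displayName": "Sequel-Users", "description": "not stored"},
    {"id": "g-claims", "displayName": "Sequel-Claims-Users"},
    {"id": "g-admin", "displayName": "Sequel-Admins"},
]

# Constructed sample: direct members per group, including a nested group and an
# attribute (mobilePhone) that must not reach the store.
GRAPH_MEMBERS = {
    "g-scope": [
        {"@odata.type": USER_TYPE, "id": "u1", "userPrincipalName": "alice@example.test",
         "givenName": "Alice", "surname": "Smith", "mail": "alice@example.test",
         "accountEnabled": True, "mobilePhone": "not stored"},
        {"@odata.type": USER_TYPE, "id": "u2", "userPrincipalName": "bob@example.test",
         "givenName": "Bob", "surname": "Jones", "mail": None, "accountEnabled": False},
        {"@odata.type": "#microsoft.graph.group", "id": "g-claims", "displayName": "Sequel-Claims-Users"},
    ],
    "g-claims": [{"@odata.type": USER_TYPE, "id": "u1"}],
    "g-admin": [{"@odata.type": USER_TYPE, "id": "u2"}],
}

# Constructed sample: what the User Information Store held before this sync.
EXISTING_STORE = {
    "u1": {"id": "u1", "userPrincipalName": "alice@example.test", "givenName": "Alice",
           "surname": "Smyth", "mail": "alice@example.test", "accountEnabled": True,
           "groups": ["Sequel-Admins"]},
    "u3": {"id": "u3", "userPrincipalName": "carol@example.test", "givenName": "Carol",
           "surname": "Lee", "mail": "carol@example.test", "accountEnabled": True,
           "groups": ["Sequel-Claims-Users"]},
}


def project(obj, fields):
    """Keep only the allow-listed fields (data minimisation at the boundary)."""
    return {k: obj.get(k) for k in fields}


def direct_user_ids(members):
    """Ids of the user objects in a member listing; nested groups are not expanded."""
    return {m["id"] for m in members if m.get("@odata.type") == USER_TYPE}


def build_sequel_users(groups, members, scope_group_id):
    """Translate Graph payloads into Sequel User records keyed by user id."""
    names = {g["id"]: project(g, GROUP_SELECT)["displayName"] for g in groups}
    index = {gid: direct_user_ids(members.get(gid, [])) for gid in names}
    users = {}
    for m in members[scope_group_id]:
        if m.get("@odata.type") != USER_TYPE:
            continue  # a nested group inside the scoping group is skipped
        user = project(m, USER_SELECT)
        user["groups"] = sorted(names[gid] for gid, ids in index.items()
                                if user["id"] in ids and gid != scope_group_id)
        users[user["id"]] = user
    return users


def membership_changes(store, desired):
    """Diff the existing store against the sync result (the MembershipSet step)."""
    changes = {"create": [], "update": [], "add": [], "remove": [], "disable": []}
    for uid, user in desired.items():
        old = store.get(uid)
        if old is None:
            changes["create"].append(uid)
            old_groups = set()
        else:
            old_groups = set(old["groups"])
            if project(old, USER_SELECT) != project(user, USER_SELECT):
                changes["update"].append(uid)
        new_groups = set(user["groups"])
        changes["add"] += [(uid, g) for g in sorted(new_groups - old_groups)]
        changes["remove"] += [(uid, g) for g in sorted(old_groups - new_groups)]
    # Users no longer in the scoping group lose access; disabling rather than
    # deleting preserves the audit trail (policy assumed for this example).
    changes["disable"] = sorted(uid for uid in store if uid not in desired)
    return changes


def run_sync():
    """One full pass over the constructed data."""
    desired = build_sequel_users(GRAPH_GROUPS, GRAPH_MEMBERS, "g-scope")
    return desired, membership_changes(EXISTING_STORE, desired)


if __name__ == "__main__":
    users, changes = run_sync()
    for uid, u in users.items():
        print(uid, u["userPrincipalName"], u["accountEnabled"], u["groups"])
    print(changes)
```

Note that `accountEnabled` is carried through unchanged: a disabled AAD account still syncs, and the downstream product decides what to do with it, so the store does not drift from the directory.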
Security¶
The Sequel Security Service reads limited information from Azure Active Directory (AAD) using Microsoft's Azure Active Directory (Graph) API. It does not write to AAD, nor should it be granted write access to AAD. The required permissions to be assigned on Azure for this app are: Group.Read.All and User.Read.All.
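As an added example (not Sequel code) of enforcing the read-only requirement above at runtime: an app-only Graph access token carries the application permissions granted to the registration in its `roles` claim, so the sync service can inspect that claim before its first request and refuse to run if anything beyond the two read permissions has been granted. The token below is constructed with a placeholder signature; signature validation is Graph's job, this check only reads the payload. The function names are assumptions of this example.

```python
"""Startup check that the app-only Graph token carries only the two read roles.

Added example; not Sequel code. The token is a constructed, unsigned sample with
the real claim layout (header.payload.signature) so the check runs offline.
"""
import base64
import json

# The only application permissions the registration should hold.
REQUIRED_ROLES = {"Group.Read.All", "User.Read.All"}


def _b64url_decode(part: str) -> bytes:
    part += "=" * (-len(part) % 4)  # restore padding stripped by base64url
    return base64.urlsafe_b64decode(part)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(roles):
    """Constructed sample token: real claim names, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"aud": "https://graph.microsoft.com", "roles": list(roles)}).encode())
    return f"{header}.{payload}.placeholder-signature"


def token_roles(token: str) -> set:
    """Application permissions granted to the caller, as Graph will see them."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return set(payload.get("roles", []))


def check_least_privilege(token: str) -> dict:
    """Report missing and excess roles; anything with write capability is called out."""
    roles = token_roles(token)
    missing = REQUIRED_ROLES - roles
    excess = roles - REQUIRED_ROLES
    write = {r for r in roles if "ReadWrite" in r or ".Write" in r}
    return {
        "ok": not missing and not excess,
        "missing": sorted(missing),
        "excess": sorted(excess),
        "write": sorted(write),
    }


if __name__ == "__main__":
    print(check_least_privilege(make_sample_token(["Group.Read.All", "User.Read.All"])))
    print(check_least_privilege(make_sample_token(["Group.ReadWrite.All", "User.Read.All"])))
```

Treat a non-empty `write` list as a deployment defect to be fixed in the app registration, not something to tolerate: the service's own restraint in never calling write endpoints is no substitute for the tenant not granting them.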