Modern authorization for Azure Active Directory
Fine-grained access controls for Azure AD
About the integration
Azure Active Directory is a popular cloud-based identity service. Aserto is a powerful authorization service that enables you to manage permissions and control access within your application. Together, they provide out-of-the-box solutions for user identity and access management.
About Azure Active Directory
Azure Active Directory, or Azure AD, is an identity service that provides single-sign on (SSO), multi-factor authentication (MFA), and coarse-grained access to business applications. It enables organizations to provide employees with easy access to external applications, like Microsoft 365 and thousands of SaaS applications.
IT admins use Azure Active Directory to control access to apps based on the user’s business function, or business needs. And App developers use it to add SSO or MFA to their applications.
Aserto is a powerful and flexible authorization service built to evolve with your customer requirements. It is complementary to Azure AD’s Identity solution: it makes it easy to define, enforce, and evolve permissions within the application. With an open-source authorizer, Aserto handles all the heavy lifting required to build secure, scalable, role (RBAC), attribute (ABAC), policy (PBAM), and relationship-based access controls (ReBAC).
Setting things up
To get your authorization up and running, connect Aserto to your Azure AD tenant and then users, roles, and attributes stored in Azure AD will automatically sync with the Aserto Directory. In Aserto, you’ll define your permissions, policies, and load any resources and relationships you’ll want to use in your authorization decisions.
Start by developing/testing against Aserto’s hosted authorizer. When you’re ready to run a production workload, deploy Aserto’s authorizer as a microservice or sidecar in the same cluster or subnet as your application. The Aserto control plane automatically pushes the most recent user, resource, and policy data to the authorizer, so you never make authorization decisions based on stale data.
At runtime, Azure Active Directory will return a signed access token to your application once it authenticates a user. Prior to providing access to a resource in your app, you’ll make a call to the Aserto authorizer. The user context (represented by the access token), policy context, and resource context are fed to the authorizer by your application to inform authorization decisions. The authorizer then makes an access decision in milliseconds, based on that data. This data will also be used by the application to gate unauthorized requests.
Auditing authorization decisions
Aserto automatically captures and aggregates logs for every authorization decision in the control plane, for easy auditing. These decision logs can be streamed or batched up into your favorite log analysis tool, or SIEM.
The Aserto authorizer architecture
Authorization is on the critical path of every request, so the speed of response is critical. To minimize authorization latency and maximize availability, the Aserto authorizer is deployed as a microservice or sidecar right next to your application. Your production application should never be dependent on the availability / uptime of a remote authorization service.
The authorizers make decisions based on three important inputs:
1. Policies from your policy registry
2. Users, attributes, and roles from Azure Active Directory supplemented with application-specific information stored in the Aserto directory.
3. Resource context passed by your application
Any changes made to your Azure AD directory are automatically synchronized into the Aserto directory, and Aserto then pushes updates to your authorizers in near real time, so you never enforce over stale data. You can also set Aserto up to push updates on an interval you determine.
Leveraging the policy, user, and resource contexts, Aserto makes it easy to evolve your authorization from coarse-grained RBAC to fine-grained authorization using attributes (ABAC) or relationships between entities in the system (ReBAC). You can even mix any of the three in order to meet your requirements as the needs of your enterprise customers change. This means you can build a strong authorization foundation once, and evolve your access control model easily over time.
Integrating Azure Active Directory with Aserto allows you to bridge the gap between authentication and authorization creating an end-to-end Auth solution.
Aserto also comes with the following benefits:
- Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ReBAC
- Open-source authorizer you can deploy in your cloud today
- Use a policy-as-code workflow to build, tag, push, version, and pull policy images just like docker images
- Quick onboarding via first-class citizen integrations with Azure AD and your artifact registry, logging system, backend programming language, and frontend framework.
- Built on top of a trusted open-source technology, including OPA, Topaz, OCI, etc.
VP of Technology
"Authorization involves really hard problems that I want experts to solve. We like to focus our internal engineering efforts on our customers and their problems. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves, not to mention the opportunity cost."
Mathias Biilmann Christensen
Co-founder & CEO, Netlify
"As millions of developers and businesses are adopting a Jamstack approach, most modern web applications involve multiple APIs and services. Aserto's promise of separating policies from code could radically simplify the implementation of authorization across the front-end UI and the larger world of back-end functions and endpoints."
"Building & managing an authorization/RBAC system is a huge pain, especially at enterprise scale. So stop! Aserto has a distributed, millisecond latency, 100% availability API for that. I'm excited to help as an angel investor!"