I have developed a C# application and hosted it as a Windows service on a machine at http://localhost:5000. This application is registered in `Azure Active Directory`.

The application uses the details below in its app configuration:

"ClientId": "242429ea-xxxx-4ddb-xxxx-xxxxxxxxxxxxx",
"Tenant": "67ss7s7s7s-4e27-beee-yyyyyyyyyyyy",
"Scope": "api://12121212-5600-xxxx-1111-123456789/IoTGateway",

The application receives a token from AAD, which is then used by the user for authentication (OAuth device flow in Azure AD, sometimes called device code flow).

Question

Currently, all the employees of the company are registered in AD, and frustrated employees who copy the application configuration values can get access by spoofing the application. This is a risk. How can this be mitigated?

Note: An attacker can shut down this application and run their own spoofed application on the same port 5000.


Is it possible to create a security group and add only the users who are supposed to have access to this application?

Example

AD All Users
    User 1
    User 2
    User 3
AD Sec Group 1
    User 1
    User 2

So user 3, even after having the secret, shall have his request rejected by AAD. Is it possible?

  • Code is not running in Azure; it is running on stand-alone devices with Windows OS. Is it possible to have a "security group" assigned to the application registration object in AAD so that only users in that security group can access the application? – kudlatiger Jul 25 '21 at 05:34
  • @JohnHanley I have added an example to the question so that it is clearer. – kudlatiger Jul 25 '21 at 06:18
  • The user is not presenting the same credentials. Device code flow uses a token first, then the token is used to authenticate; during this step, AAD will throw a login and MFA challenge. Here the credentials are different. Maybe I am not good at explaining the problem statement. – kudlatiger Jul 25 '21 at 06:58

1 Answer

Issue Resolved

We can create a security group in AAD, add only the required employees who shall have access to App1, and validate the token in APIM before sending it to the backend services.

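As an added illustration (not configuration from the question or the answer), this is an Azure API Management inbound `validate-jwt` policy implementing the answer's approach: a request is forwarded to the backend only if the bearer token is signed by the tenant, issued for the API's audience, unexpired, and carries the security group's object ID in its `groups` claim. The tenant and audience values are the masked ones from the question, and the group object ID is a placeholder.

```xml
<inbound>
    <!-- Reject anything that is not a signed, unexpired bearer token for this API -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  require-expiration-time="true">
        <!-- Tenant metadata: signing keys and issuer are pulled from here (tenant ID from the question) -->
        <openid-config url="https://login.microsoftonline.com/67ss7s7s7s-4e27-beee-yyyyyyyyyyyy/v2.0/.well-known/openid-configuration" />
        <!-- Only tokens minted for the IoTGateway API's Application ID URI are accepted -->
        <audiences>
            <audience>api://12121212-5600-xxxx-1111-123456789</audience>
        </audiences>
        <!-- Authorization: the caller must be a member of "AD Sec Group 1".
             Replace the placeholder with the group's object ID from AAD. -->
        <required-claims>
            <claim name="groups" match="any">
                <value>00000000-0000-0000-0000-000000000000</value>
            </claim>
        </required-claims>
    </validate-jwt>
    <base />
</inbound>
```

The `groups` claim is only emitted when the API's app registration manifest sets `groupMembershipClaims` to `SecurityGroup`, and users who belong to more groups than fit in a token get an overage indicator instead of the list, so assigning the group to an app role and checking the `roles` claim is the more robust variant of the same check.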