Up to this point, we have talked mostly about data, which is the basis of ML. But when it comes to security, there are other aspects we need to explore. Let us dive into identity and how we can manage access in Azure Machine Learning. As we embark on a journey through this chapter, we will first lay the groundwork by exploring the essence of the principle of least privilege (PoLP) and its importance. Although simple in theory, there are many things we need to consider before we start the implementation of Azure Machine Learning.

We will follow up by exploring all the identity features of Microsoft Entra. We will see authentication options available and how to work with permissions by implementing role-based access control (RBAC). We will see how to authenticate applications and services using managed identities and how to secure access using tools such as Key Vault. Finally, we will talk about how to automate the processes by using Conditional Access...

As we mentioned in Chapter 1 when we talked about the Zero Trust strategy, we learned about the PoLP, which states that users, devices, and applications should only be granted access to the minimum level of resources necessary to perform their job functions. Users are often given more access privileges to network resources and data, assuming they only access the resources required to perform their daily tasks. However, this tactic imposes a greater risk of unauthorized access. When users have access to resources they don’t need, attackers can take advantage of it. While providing just enough permissions to apps or users to complete their tasks sounds easy, the implementation can present some challenges. Creating overprivileged applications is never the intention, but usually the result of unplanned actions over time.

Overprivileged applications are software applications that have been granted more access rights, permissions, or privileges than they actually...

Azure Machine Learning uses Microsoft Entra ID (previously Azure Active Directory (Azure AD)) for authentication. Microsoft Entra ID is Microsoft’s cloud-based identity and access management (IAM) service. It’s designed to help organizations manage user identities and access to resources in the cloud and on-premises.

When you are logged in to the Azure portal, the same account is used to directly authenticate you to your Azure Machine Learning Studio session. So, anyone working on your ML project needs to be part of the Microsoft Entra ID workspace. That does not mean that only employees have access to the workspace. Microsoft Entra ID supports two types of users: members and guests. Members are users that are created within the Microsoft Entra ID tenant, while guests can be users that belong to other Microsoft Entra tenants or are personal accounts such as Outlook, Gmail, Hotmail, and so on. But as soon as you create or invite...

RBAC is a built-in feature of Microsoft Entra ID that allows you to manage access to Azure resources using roles. This way, we can control who can perform specific actions on resources in Azure. This helps in maintaining a secure environment and ensures that users have only the permissions they need to perform their tasks.

Each role in RBAC is essentially a set of distinct permissions that operate in different scopes. We can assign a role to a management group, subscription, resource group, and resource. A role assignment at a higher scope is inherited by resources at a lower scope. For example, if we assign a role to a user at the subscription level, they will have those permissions across all resources within that subscription. Each role assignment in Azure has three distinct parts—the role, the scope, and the service principal, as we can see in the following diagram:

Figure 6.1 – Role assignment

The principle can be...

Application identities are a fundamental concept in Microsoft Entra ID IAM. They represent the security context of an application or service when interacting with Azure resources. Typically, the underlying object is the service principal. A service principal is like a user identity but is used by applications, services, or scripts to authenticate and access Azure resources securely. The process of creating a service principal depends on what it is we want to use to authenticate, and mostly, we can recognize two types—application identities and managed identities used by Azure services.

When it comes to authentication and authorization in the application or managed identity, the process is the same. If it exists in Microsoft Entra ID, it can be assigned RBAC, as with any user in the system. Service principals have life cycles, just as with user identities. They can be created, updated, and deleted. For standalone Azure AD applications...

Now that we have a better idea of how to leverage Microsoft Entra ID for authentication and role management, we can see some other services that we can use to complement and further secure our users’ identities.

Conditional Access

Conditional Access in Microsoft Entra ID is a powerful feature that allows organizations to set specific conditions and policies for granting or denying access to their cloud-based resources. With Conditional Access, you can create rules and policies that consider a range of factors before allowing or blocking access, enhancing security and compliance.

Conditional Access policies are rules that you define to control access to your protected resources. These policies are based on conditions and can be tailored to specific users, groups, applications, IP location information, user or sign risk detection, and devices. The action based on those signals is either Block/Allow. You can combine multiple conditions based on...

In this chapter, we focused on all aspects of identity and adhering to the PoLP. Although simple in theory, the PoLP is an iterative and continuous process that we need to monitor in order to prevent overprivileged applications. Since Microsoft Entra ID is the identity management tool for Azure and, by extension, Azure Machine Learning, implementing its core features such as RBAC and learning to work with application identities will help us ensure that the credentials of our users and applications will not be compromised easily. Additionally, implementing features such as Conditional Access and PIM can provide an additional level of security to our identities. But these credentials are not the only ones that matter. In our scripts, we might be using different connection strings or secrets. We can use the Key Vault service together with managed identities where it is possible to manage them centrally and ensure that our secrets are safe.

In the next chapter, we will explore...