I have an Azure Web App with AD authentication enabled for a single tenant. I also have an Azure Flexible Postgres database with AD authentication enabled.
I have set up two User-Managed-Identities (A & B) and two AD security groups (A & B). I want the permissions to be linked accordingly, so that group A can only use managed identity A, and B only managed identity B. The reason for this is that I have set up two different Postgres Roles within the database, based on each User-Managed-Identity, so that each managed identity has access to a different set of database tables.
My Azure app is set to restrict access to users within the two AD security groups through group assignment to the Enterprise App. However, I cannot work out how I achieve my above requirement, because if I add both User-Managed-Identities to the Web App, both groups can retrieve a valid access token using the following code:
const { DefaultAzureCredential } = require("@azure/identity");
const credential = new DefaultAzureCredential({ managedIdentityClientId: '<client-id-of-user-assigned-identity>' });
(async () => {
  const accessToken = await credential.getToken("https://ossrdbms-aad.database.windows.net/.default");
  console.log(accessToken.token); // token for the Postgres AD scope, issued to the chosen identity
})();
All they need to know is the Client Id of the User-Managed-Identity which seems a bit of a security risk.
I was hoping that there would be a way of the app attaching the User-Managed-Identity to the User Group, thus restricting the use to the intended audience.
The last headache I have is how to retrieve the client id of the managed identity automatically based on the authentication credentials. I was hoping this could be done within custom JWT claim settings, but it's not obvious how one would go about doing this.
Is what I'm seeking possible?
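One way to make the Web App, rather than the caller, decide which user-assigned managed identity is used, as an added example that is not part of the original question. It assumes App Service authentication (Easy Auth) is enabled and forwards the signed-in user's claims in the X-MS-CLIENT-PRINCIPAL request header as base64-encoded JSON with a `claims` array of `{typ, val}` entries, that the Enterprise App is configured to emit group object IDs in a `groups` claim, and that the group and client IDs in the mapping are placeholders; none of those details appear in the post. The client ID is looked up server-side from the authenticated user's groups, so a user in group A can only ever obtain a token for identity A, and a user in both groups or in neither is refused rather than given an arbitrary identity.

```javascript
// Added example (not from the original post): choose the user-assigned managed
// identity from the authenticated user's group claims instead of letting the
// request supply a client ID.
//
// Assumptions (not stated in the post):
//  - App Service authentication (Easy Auth) forwards the signed-in user's claims
//    in the X-MS-CLIENT-PRINCIPAL header as base64 JSON: {"claims":[{"typ","val"},...]}.
//  - The Enterprise App emits group object IDs in a "groups" claim.
//  - The IDs in GROUP_TO_IDENTITY are placeholders, not real resources.

// Constructed mapping: AD security group object ID -> managed identity client ID.
const GROUP_TO_IDENTITY = {
  "11111111-1111-1111-1111-111111111111": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", // group A -> identity A
  "22222222-2222-2222-2222-222222222222": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", // group B -> identity B
};

const POSTGRES_SCOPE = "https://ossrdbms-aad.database.windows.net/.default";

// Decode the Easy Auth principal header into its list of {typ, val} claims.
function parseClientPrincipal(headerValue) {
  if (!headerValue) throw new Error("missing X-MS-CLIENT-PRINCIPAL header");
  const principal = JSON.parse(Buffer.from(headerValue, "base64").toString("utf8"));
  if (!Array.isArray(principal.claims)) throw new Error("malformed client principal");
  return principal.claims;
}

// Collect the group object IDs carried in the "groups" claims.
function groupsFromClaims(claims) {
  return claims.filter((c) => c.typ === "groups").map((c) => c.val);
}

// Resolve exactly one managed identity for the user. A user who maps to no
// identity or to more than one is rejected, so the Postgres role is never ambiguous.
function selectManagedIdentityClientId(groupIds, mapping = GROUP_TO_IDENTITY) {
  const matches = [...new Set(groupIds.filter((g) => mapping[g]).map((g) => mapping[g]))];
  if (matches.length === 0) throw new Error("user is not a member of an authorised group");
  if (matches.length > 1) throw new Error("user maps to more than one managed identity");
  return matches[0];
}

// Acquire the Postgres token for the identity chosen above. The client ID comes
// from the server-side mapping and never from the request body or query string.
// @azure/identity is required lazily so the helpers above run without it installed.
// `headers` is assumed to be a Node-style map with lower-cased header names.
async function getPostgresTokenForRequest(headers) {
  const claims = parseClientPrincipal(headers["x-ms-client-principal"]);
  const clientId = selectManagedIdentityClientId(groupsFromClaims(claims));
  const { ManagedIdentityCredential } = require("@azure/identity");
  const credential = new ManagedIdentityCredential(clientId);
  const token = await credential.getToken(POSTGRES_SCOPE);
  return { clientId, token: token.token, expiresOnTimestamp: token.expiresOnTimestamp };
}

// Constructed header, shaped the way Easy Auth encodes the principal, for local testing.
function buildTestHeader(groupIds) {
  const principal = {
    auth_typ: "aad",
    claims: groupIds.map((g) => ({ typ: "groups", val: g })),
    name_typ: "name",
    role_typ: "roles",
  };
  return Buffer.from(JSON.stringify(principal)).toString("base64");
}
```

In the request handler the only input is the Easy Auth header, which App Service sets after validating the user's sign-in; the mapping table is the single place that ties a group to an identity, so adding a third group and role is a one-line change. Because the lookup returns one identity or throws, a misconfigured user who ends up in both groups fails closed instead of being granted whichever identity happens to be checked first.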