In this episode, Simon Gottschlag, CTO of Co-native and a Microsoft MVP in Azure, discusses his innovative prototype for implementing Azure service principal impersonation using Azure Functions and Key Vault.
We explore the challenges of managing service principals, the journey to building a solution, and the potential for improving developer experience in platform building. Simon shares insights on the four-eyes principle, Entra ID's newer attribute-based access control (ABAC) versus the traditional role-based access control (RBAC) model, and how his solution can enhance security and auditability in Azure environments.
LinkedIn - https://www.linkedin.com/in/simongottschlag
🔗 Related Links
* Azure Service Principal Impersonation - https://github.com/co-native-ab/azure-service-principal-impersonation
* pimctl - https://github.com/co-native-ab/pimctl
📗 Chapters
00:00 Intro
00:42 Meet Simon: CTO & Azure MVP
01:51 The Project: Azure Service Principal Impersonation
02:11 The Problem: Challenges in Managing Service Principals
03:47 Journey to the Solution: Building Platforms & Terraform Pain Points
06:50 The Challenge with Graph Permissions & Least Privilege
08:27 Improving Developer Experience in Platform Building
11:05 The Core Issue: Running Operations Locally vs. Service Principals
13:43 The Idea: Service Principal Impersonation
13:50 Four-Eyes Principle and PIM in Azure
15:40 Understanding Attribute-Based Access Control (ABAC)
18:58 Enforcing Role Delegation with ABAC and PIM
20:12 Clarifying Service Principal Access with PIM and Four-Eyes
21:26 The Local Development Dilemma with Security Principles
22:02 pimctl: A CLI Tool for PIM
22:42 New Challenge: Azure Managed Grafana & Terraform Authentication
23:36 AC Identity Terraform Provider: Getting Tokens from Entra
24:42 The Big Question: Securely Getting Service Principal Tokens Locally
25:21 What is Impersonation in This Context?
26:27 Building the Solution: Federated Credentials & Custom Token Exchange
28:42 How the Azure Function Works: Authentication & Token Issuance
29:26 The Result: Consistent Workflow & Auditability
31:05 Open Source: How to Set Up and Try the Prototype
33:31 Use Cases: DevOps Automation & Time-Limited Access
35:15 Potential: Multi-Cloud Deployments & Extending Entra
Podcast Apps
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss
Merill's socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill