- Azure AD Graph client with a certificate-backed Azure AD service principal, Node.js GitHub repo: Azure AD Client Credentials With Certificate
- NodeJS runtime "CA Manager"
- CA Manager takes care of matching shadow policies to production policies and of generalizing the policy files (many fields have to be omitted, ids mapped to displayNames, etc.)
- CA Manager syncs the policies after the pull request has been approved
- CA Manager uses the Conditional Access Graph APIs and octokit/core for the GitHub automation
Demo of tooling
- A shadow policy is changed
- CA Manager syncs the change into the shadow branch and creates a pull request, which is merged into the main branch after the change has been reviewed
- Changes are pulled from main, which now contains the merged shadow branch
- CA Manager runs the updater for the policy
- The admin views the updated policy in the Conditional Access view
- Downsides of GitHub implementation
- The API I use to create the pull requests uses personal access tokens, which are just text strings (just like a client id and secret). Since I am already using certificate-backed Azure AD client credentials, I will have to look into bringing the GitHub side up to the same level. Maybe there is a possibility of using JWT tokens for the GitHub API.
To be continued once I've tested the NodeJS code used here with GitHub Actions.