Using Entra ID authentication for internal workspace resources

[TonyWildish-BH]

There's already work in progress to embed the 'real' username into VMs, instead of a random 4-character name (#3770). I'd like to see that use of Entra ID username extended to other cases:

1. Whenever a Gitea instance is created, it could be pre-populated with the users registered in the workspace. Workspace admins can be given admin rights to Gitea, researchers can be given lower level access etc.
2. Likewise for MySQL or AzureSQL instances, they could support user-grained access to partition resources or control rights or prevent novice users from making serious mistakes.
3. There's also discussion about per-user storage somewhere (sorry, can't find the ticket right now). For my mind, it would be enough to have normal user-permissions on the existing shared storage, rather than having it all mapped into the one username. This feature has already been requested by one of our users.
4. Not sure if other resources could be made user-aware, such as Databricks, AzureML, OHDSI?

I'd be interested to hear if other people have any thoughts on this?

[marrobi]

A lot of these depend on the use of Entra/Azure AD Groups, otherwise when new users are added all the services need updating. We do this in AzureML at present. All Workspace Users become AML Data Scientists.

Group assignment to app roles require an Entra ID P2 licence, I'm not sure if its just one that's needed, given most of the users are external. @TonyWildish-BH have you looked into the Entra licencing requirements for group assignments to app roles?

If we were to do this then the required Entra licencing would have to be a prerequisite.

[TonyWildish-BH]

Group assignment would be the perfect solution, but I'd rather not impose a requirement for a P2 license, that seems a bit too much to ask. How much would it complicate things to make it an optional feature, conditional on the P2 licence?

Or we could just go user by user. From my viewpoint, I wouldn't mind if the services didn't update automatically when a new user comes on board a project. That won't happen very often for us, and we can script it up if we feel the need.

[jonnyry]

@TonyWildish-BH We've got a local template of Azure SQL working with Entra only authentication that uses groups to manage permissions. Would need to be generalised a bit if it were merged back - like you say around Entra groups.

The Databricks workspace service already uses Entra auth - IIRC I don't think there's an option for local users.

[marrobi]

If we don't use groups then each script becomes custom to the service and requires maintaining. So if we are going to do this project wide really think we need to rely on AD groups.

[TonyWildish-BH]

Sounds like AD groups is the best option then. If there's a way to make this gracefully degrade in the absence of a P2 licence, without overly complicating the code, that would be ideal.

[marrobi]

Looks like this might have changed, a P1 is required.

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal#prerequisites