Closed jfcomst closed 5 years ago
Hi @jfcomst, thanks for the feedback! We are currently investigating and will update you shortly.
@jfcomst sorry the response is taking a while. It's on my radar and I hope to have a definitive answer for you in the next 2 business days. The issue is that there is some level of support but I am not clear yet as to whether it's a fit for your scenario specifically.
@HeidiSteen Thank you for the update. This is not time critical for us, but will be helpful in deciding on the correct approach for utilizing Azure Search going forward. Your effort to clarify this is very much appreciated.
Hello @jfcomst,
The only supported way to access Azure Search's data-plane APIs is using key-based authentication, which enables two levels of access: Admin and Query. AAD authentication is not supported for data-plane APIs.
Azure Search does support MSI, i.e. search services can have system-assigned identities. Notice that assigning an identity to a search service will enable it to access other Azure resources, and not the other way around. More specifically, assigning an identity to your Azure Search service will currently not add any new abilities to your service. In the future, Azure Search will release new features that will take advantage of MSI, and will enable customers to control Azure Search services' access to their other Azure resources.
I hope that makes sense. Thanks, Nati
We have work items logged for future work, but other than that, there is no further progress to be made on this issue. Could someone close it?
We also need access to Azure Search data plane APIs using Azure AD. @natinimni @HeidiSteen Has there been a product update on this issue?
@syedhassaanahmed The managed key document that Nati posted in the previous response is the most recent security feature. Possibly he can share a roadmap with you, but I really don't know.
Hello @syedhassaanahmed, unfortunately there hasn't been any change in the status of supporting AAD authentication to Azure Cognitive Search (still not supported). That said, Azure Cognitive Search does support MSI, allowing customers to grant their search services with access to other resources in Azure. This is useful in certain scenarios:
> That said, Azure Cognitive Search does support MSI, allowing customers to grant their search services with access to other resources in Azure.
@natinimni, Are there plans to support managed identities in the other way around (allow other Azure resources to authenticate to Azure Search using MSI)?
My team has 4 App Services that each authenticate to their own Azure Search resource. As per our company's security policies, we must rotate Azure Search's access keys every 90 days. This is a serious maintenance burden that could be addressed by managed identities.
Hi @loic-sharma, supporting managed identities in the other way around actually means supporting AAD authentication :) I can share that we have been actively working to support AAD authentication in Azure Cognitive Search, and are expecting a public preview later this year.
The team I work for is moving as much as we can to using Managed Service Identities (MSI) for providing AAD access to services in Azure. I would like this document to indicate if Azure Search supports using MSIs directly or if we are currently required to use the Azure Search keys in Key Vault in conjunction with MSIs.