# Use Entra ID authentication with Service Fabric clusters
Security · Service Fabric · Rule · 2021_03 · Critical
Use Entra ID client authentication for Service Fabric clusters.
## Description

When deploying Service Fabric clusters on Azure, Entra ID (previously known as Azure AD) can optionally be used to secure the cluster's management endpoints. When configured, client authentication (client-to-node security) is performed against Entra ID instead of relying on client certificates alone. Additionally, Azure role-based access control (RBAC) can be used to delegate cluster access to specific users and groups.

For Service Fabric clusters running on Azure, Entra ID is the recommended way to secure access to management endpoints.
## Recommendation
Consider enabling Entra ID client authentication for Service Fabric clusters.
## Examples

### Configure with Bicep
To deploy clusters that pass this rule:

- Set `properties.azureActiveDirectory` with the `tenantId`, `clusterApplication`, and `clientApplication` of the Entra ID tenant and applications used for cluster and client authentication.

For example:

```bicep
resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = {
  name: name
  location: location
  properties: {
    azureActiveDirectory: {
      clientApplication: clientApplication
      clusterApplication: clusterApplication
      tenantId: tenantId
    }
    certificate: {
      thumbprint: certificateThumbprint
      x509StoreName: 'My'
    }
    diagnosticsStorageAccountConfig: {
      blobEndpoint: storageAccount.properties.primaryEndpoints.blob
      protectedAccountKeyName: 'StorageAccountKey1'
      queueEndpoint: storageAccount.properties.primaryEndpoints.queue
      storageAccountName: storageAccount.name
      tableEndpoint: storageAccount.properties.primaryEndpoints.table
    }
    fabricSettings: [
      {
        parameters: [
          {
            name: 'ClusterProtectionLevel'
            value: 'EncryptAndSign'
          }
        ]
        name: 'Security'
      }
    ]
    managementEndpoint: endpointUri
    nodeTypes: []
    reliabilityLevel: 'Silver'
    upgradeMode: 'Automatic'
    vmImage: 'Windows'
  }
}
```
### Configure with Azure template
To deploy clusters that pass this rule:

- Set `properties.azureActiveDirectory` with the `tenantId`, `clusterApplication`, and `clientApplication` of the Entra ID tenant and applications used for cluster and client authentication.

For example:

```json
{
  "type": "Microsoft.ServiceFabric/clusters",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "azureActiveDirectory": {
      "clientApplication": "[parameters('clientApplication')]",
      "clusterApplication": "[parameters('clusterApplication')]",
      "tenantId": "[parameters('tenantId')]"
    },
    "certificate": {
      "thumbprint": "[parameters('certificateThumbprint')]",
      "x509StoreName": "My"
    },
    "diagnosticsStorageAccountConfig": {
      "blobEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.blob]",
      "protectedAccountKeyName": "StorageAccountKey1",
      "queueEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.queue]",
      "storageAccountName": "storage1",
      "tableEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.table]"
    },
    "fabricSettings": [
      {
        "parameters": [
          {
            "name": "ClusterProtectionLevel",
            "value": "EncryptAndSign"
          }
        ],
        "name": "Security"
      }
    ],
    "managementEndpoint": "[parameters('endpointUri')]",
    "nodeTypes": [],
    "reliabilityLevel": "Silver",
    "upgradeMode": "Automatic",
    "vmImage": "Windows"
  }
}
```
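The check this rule performs can be reproduced in a pre-deployment pipeline step. The following is an added example, not part of this page or of PSRule itself: it walks the `resources` array of an ARM template and reports, for every `Microsoft.ServiceFabric/clusters` resource, which of the three `azureActiveDirectory` fields are absent or empty. The embedded template is constructed for illustration.

```python
import json

# Constructed sample ARM template (not from the page): one compliant
# cluster, two non-compliant ones, and an unrelated resource.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.ServiceFabric/clusters", "name": "sf-ok",
         "properties": {"azureActiveDirectory": {
             "tenantId": "[parameters('tenantId')]",
             "clusterApplication": "[parameters('clusterApplication')]",
             "clientApplication": "[parameters('clientApplication')]"}}},
        # Certificate-only client authentication: no azureActiveDirectory block.
        {"type": "Microsoft.ServiceFabric/clusters", "name": "sf-certonly",
         "properties": {"certificate": {"thumbprint": "[parameters('thumb')]"}}},
        # Block present but incomplete: empty and missing application IDs.
        {"type": "Microsoft.ServiceFabric/clusters", "name": "sf-partial",
         "properties": {"azureActiveDirectory": {
             "tenantId": "[parameters('tenantId')]",
             "clusterApplication": ""}}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "storage1"},
    ]
})

# Fields that must all be set for Entra ID client authentication to work.
REQUIRED = ("tenantId", "clusterApplication", "clientApplication")


def check_entra_auth(template_json: str) -> dict[str, list[str]]:
    """Return {cluster name: [missing azureActiveDirectory fields]} for every
    Service Fabric cluster in the template. An empty list means the cluster
    passes; any other resource type is ignored."""
    template = json.loads(template_json)
    results: dict[str, list[str]] = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.servicefabric/clusters":
            continue
        aad = (res.get("properties") or {}).get("azureActiveDirectory") or {}
        # Absent, null, or whitespace-only values all count as not configured.
        missing = [f for f in REQUIRED if not str(aad.get(f) or "").strip()]
        results[res.get("name", "<unnamed>")] = missing
    return results


if __name__ == "__main__":
    for name, missing in check_entra_auth(SAMPLE_TEMPLATE).items():
        status = "PASS" if not missing else f"FAIL (missing: {', '.join(missing)})"
        print(f"{name}: {status}")
```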
## Notes

For Linux clusters, Entra ID authentication must be configured at cluster creation time. Windows clusters can be updated to support Entra ID authentication after initial deployment.
## Links
- SE:05 Identity and access management
- Security recommendations
- Set up Microsoft Entra ID for client authentication
- Configure Azure Active Directory Authentication for Existing Cluster
- Azure deployment reference