azure-sdk-for-net

[QUERY] Which (ip)addresses to whitelist for ClientSecretCredential (and ConfidentialClientApplicationBuilder)

Open rogersberga opened this issue 2 years ago • 2 comments

Library name and version

Azure.Identity 1.8.0

Query/Question

Within a big company we are using the Azure.Identity and Microsoft Identity classes to authenticate towards Azure using a client secret. Company policy restricts outgoing network traffic (using a firewall) on the machines that use these libraries. We would like to know which internet addresses the library (tries to) access to perform the authentication so that these (IP) addresses can be whitelisted.

Currently we are using these two calls to the Azure Identity and Microsoft Identity libraries, which result in connection issues due to firewall restrictions.

Azure Identity

new ClientSecretCredential(tenantId, clientId, clientSecret, new TokenCredentialOptions());

Microsoft Identity

string authority = $"https://login.microsoftonline.com/{tenantId}/";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
  .Create(clientId)
  .WithClientSecret(clientSecret)
  .WithAuthority(authority)
  .Build();

AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();

Environment

Windows Server 2019 .NET Framework 4.7.2

rogersberga, Jan 03 '23 08:01

//cc: @christothes

jsquire, Jan 03 '23 13:01

Thank you for your feedback. Tagging and routing to the team member best able to assist. Please expect delayed responses due to the US holidays.

jsquire, Jan 03 '23 13:01

Hi @rogersberga - I'm not sure that there are any IP addresses documented for this, or that you could rely on any specific IP addresses remaining the same over time. My recommendation would be to trace the traffic in your environment(s) and build a list of IP ranges that way.

christothes, Feb 03 '23 21:02
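One way to do the tracing suggested in the comment above, as an added example (not code from the thread participants or from the Azure SDK itself): a pipeline policy registered on `TokenCredentialOptions` that records the endpoint of every HTTP request Azure.Identity sends while acquiring a token. The `HostRecorder` class, the environment-variable inputs and the management scope are assumptions, and the example assumes the credential's HTTP traffic flows through the Azure.Core pipeline built from these options; it does not cover the direct `ConfidentialClientApplicationBuilder` call.

```csharp
// Added example: lists the endpoints Azure.Identity contacts during a client-secret
// token request. HostRecorder and the input values are assumptions, not from the issue.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Pipeline;
using Azure.Identity;

// Pipeline policy that notes scheme, host and port of each outgoing request.
sealed class HostRecorder : HttpPipelineSynchronousPolicy
{
    private readonly SortedSet<string> _endpoints =
        new SortedSet<string>(StringComparer.OrdinalIgnoreCase);

    public override void OnSendingRequest(HttpMessage message)
    {
        RequestUriBuilder uri = message.Request.Uri;
        lock (_endpoints) { _endpoints.Add($"{uri.Scheme}://{uri.Host}:{uri.Port}"); }
    }

    public IReadOnlyCollection<string> Snapshot()
    {
        lock (_endpoints) { return new List<string>(_endpoints); }
    }
}

static class Program
{
    static async Task Main()
    {
        // Assumption: the app registration values are supplied via environment variables.
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");

        var recorder = new HostRecorder();
        var options = new TokenCredentialOptions();
        options.AddPolicy(recorder, HttpPipelinePosition.PerRetry); // sees retries too

        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
        // Assumption: replace the scope with the one for the service you actually call.
        var context = new TokenRequestContext(new[] { "https://management.azure.com/.default" });
        try { await credential.GetTokenAsync(context); }
        catch (Exception ex) { Console.Error.WriteLine($"Token request failed: {ex.Message}"); }

        // Print what was attempted, whether or not the request succeeded.
        foreach (string endpoint in recorder.Snapshot()) Console.WriteLine(endpoint);
    }
}
```

Run it from a machine where outbound traffic is permitted or at least logged; behind a blocking firewall only the first failing endpoint will be recorded. The output is a list of host names and ports rather than IP addresses, which the firewall log can then be matched against.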

Hi @rogersberga. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

ghost, Feb 03 '23 21:02

Hi @rogersberga, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.

ghost, Feb 10 '23 22:02