
Secure webhook segment poorly written and unclear

Open Willem-J-an opened this issue 2 years ago • 5 comments

The segment explaining Secure Webhook does not really explain what it is or how it works; it only describes how to make it work, by providing a powershell script.

After reading this a million times I think I have reverse engineered this segment enough to understand what it is: A secure webhook forwards the alert to a webhook endpoint protected by Azure AD.

As I understand it, this is the main missing segment in the docs: The secure webhook Action authenticates to the protected API using a Service Principal instance in the AD tenant of the "Azns AAD Webhook" AAD Application. To make the action group work, this AAD Webhook Service Principal needs to be added as member of a role on the target AAD application that grants access to the target endpoint.

Question: As there is only one Service Principal in the AAD tenant representing the Azns AAD Webhook AAD application, will this mean that after granting this service principal access to the target endpoint, everybody in the tenant who can create action groups is able to successfully authenticate to my target endpoint?



Willem-J-an avatar Nov 10 '22 09:11 Willem-J-an
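As an added example (not part of this issue or of the Azure docs), the following Python shows the checks a webhook receiver would apply to the claims of an incoming token before accepting an alert, based on the model described in the issue: the caller is the single "Azns AAD Webhook" service principal, and it must hold an app role on the receiver's own AAD application. All GUIDs and the role name are constructed placeholders; signature verification against the tenant's signing keys is assumed to have been done already by a JWT library and is not repeated here.

```python
import time
from typing import Optional, Tuple

# Constructed placeholders: replace with the real values for your tenant and API.
TENANT_ID = "00000000-0000-0000-0000-000000000000"                      # your Azure AD tenant (placeholder)
API_APP_ID = "11111111-1111-1111-1111-111111111111"                     # app registration protecting the webhook API (placeholder)
AZURE_MONITOR_WEBHOOK_APP_ID = "22222222-2222-2222-2222-222222222222"   # application id of the "Azns AAD Webhook" app (placeholder)
REQUIRED_ROLE = "SecureWebhookCaller"                                   # app role granted to the webhook service principal (assumed name)


def authorize_webhook_claims(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Authorize an already signature-verified token for the secure webhook endpoint.

    Returns (accepted, reason). Every check narrows who can reach the endpoint:
    issuer and audience bind the token to this tenant and this API, the caller
    check pins it to the Azure Monitor webhook service principal, and the role
    check confirms that principal was deliberately granted access.
    """
    now = time.time() if now is None else now

    # v2.0 and v1.0 Azure AD tokens use different issuer formats for the same tenant.
    expected_issuers = {
        f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        f"https://sts.windows.net/{TENANT_ID}/",
    }
    if claims.get("iss") not in expected_issuers:
        return False, "issuer is not this tenant"

    # The audience must be this API's application id (or its api:// URI form).
    if claims.get("aud") not in (API_APP_ID, f"api://{API_APP_ID}"):
        return False, "token was not issued for this API"

    # v2.0 tokens carry the calling app in 'azp', v1.0 tokens in 'appid'.
    caller = claims.get("azp") or claims.get("appid")
    if caller != AZURE_MONITOR_WEBHOOK_APP_ID:
        return False, "caller is not the Azure Monitor webhook service principal"

    # App-only tokens list granted app roles in 'roles'; the one we assigned must be present.
    if REQUIRED_ROLE not in claims.get("roles", []):
        return False, "required app role missing"

    # Reject tokens outside their validity window (nbf <= now < exp).
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token outside validity window"

    return True, "ok"


# Constructed sample claims, as a v2.0 app-only token for this API would present them.
GOOD_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": API_APP_ID,
    "azp": AZURE_MONITOR_WEBHOOK_APP_ID,
    "roles": [REQUIRED_ROLE],
    "nbf": 1700000000,
    "exp": 1700003600,
}

if __name__ == "__main__":
    print(authorize_webhook_claims(GOOD_CLAIMS, now=1700000100))
    print(authorize_webhook_claims({**GOOD_CLAIMS, "roles": []}, now=1700000100))
```

Note what these claims can and cannot tell the receiver: because every action group in the tenant authenticates as the same service principal, the token identifies Azure Monitor as the caller but not which action group produced the alert. That is exactly the concern raised in this issue, and it is addressed on the Azure side by the ownership check described later in the thread, not by anything the receiver can verify in the token.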

@Willem-J-an Thanks for your feedback! We will investigate and update as appropriate.

SaibabaBalapur-MSFT avatar Nov 10 '22 15:11 SaibabaBalapur-MSFT

@Willem-J-an, thank you for the feedback.

@jacegummersall - can you please review this and share your feedback. Thank you

AnuragSingh-MSFT avatar Nov 11 '22 10:11 AnuragSingh-MSFT

@Willem-J-an Thank you for providing your feedback; we will update the documentation to add an explanation of how secure webhooks function. As for your question, to build a secure webhook service, customers need to register their own Azure AD application to protect the Web API. We only allow the owner of the AAD application to create a secure webhook action. Other users' requests will be rejected.

jacegummersall avatar Nov 29 '22 20:11 jacegummersall

@jacegummersall thanks for getting back! I understand I create an AAD app to protect my app, but then I grant access to the secure webhook AAD SPN in my tenant for the secure webhook to work. If you are also in my tenant, e.g. a different department with different Azure subscriptions, what's to stop you from creating your own action group targeting my secure webhook? There would be no way for me to differentiate that only my own action group is allowed to call.

Willem-J-an avatar Nov 29 '22 22:11 Willem-J-an

@Willem-J-an great question. Only the owner of the SPN can add the secure webhook action. Does this provide sufficient clarity for you?

jacegummersall avatar Dec 14 '22 17:12 jacegummersall

#please-close

jacegummersall avatar Dec 14 '22 18:12 jacegummersall

I recently got back to this and I see that indeed if the creator of the action group is not an owner of the AAD application, it will return the error AadWebhookResourceNotOwnedByCaller. Thanks!

Willem-J-an avatar Jun 06 '23 11:06 Willem-J-an