
ADR-003 Use EntraID (formerly AzureAD) for Identity and Access Management

Status

✅ Accepted

Context

The Data Platform will need a way to verify users and provide access to resources. We want to simplify access for users by reducing the number of identities they need for services.

We do not want to run an identity service.

Decision

We will use EntraID (formerly AzureAD) for Identity and Access Management (IDAM). Our users already use a @justice.gov.uk account as their primary login, so they can use that existing identity to gain access to the Data Platform and its services.

Consequences

  • We will not have to run an identity service, or manage the logging and security of that system
  • Because we won’t be managing the identity service ourselves, we need to work with the end user compute team to improve identity operations (version and automate changes)
  • Reduced support requirements for joiners, movers and leavers (JML), e.g. issues with multi-factor authentication and password resets
  • Guest accounts are possible but not managed, which means we will need an alternative solution
  • There is no systematic way to create and manage AzureAD groups to provide authN; we will need to work with the end user compute team
  • Cross-government AzureAD federation is not yet formalised, but in the future we could give other departments access to resources with their existing credentials
  • We can look to unlock SCIM to create, manage and deactivate GitHub accounts based on EntraID group membership
This page was last reviewed on 6 February 2024. It needs to be reviewed again on 6 May 2024 by the page owner #data-platform-notifications.