
Microsoft Entra ID

Microsoft Entra ID is a cloud-based identity and access management service that helps organizations manage user identities and control access to resources. It provides features such as single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies to enhance security and streamline user access to applications and services.

FCP services should use Microsoft Entra ID for authentication and authorization of internal users.

App Registration

An Azure App Registration is created to represent the application in Microsoft Entra ID. This registration includes information about the application, such as its name, redirect URIs, and permissions.

Naming convention

App Registrations should follow a naming convention that is consistent and descriptive and should include the environment.

For example:

  • FCP-Payments-Dev
  • FCP-Payments-Prod

Permissions

Permissions (app roles) can be defined on the App Registration and users can then be assigned to those roles. This allows for more granular control of access to the application.

Permissions should follow the principle of least privilege, meaning that users should only be granted the permissions necessary to perform their job functions.

Naming convention

Permissions should follow a naming convention that is consistent and descriptive and follow a dot notation format.

For example:

  • FCP.Payments.View
  • FCP.Payments.Create

Credentials

Internal users will authenticate using their organisational Microsoft account. No new credentials need to be created specifically for FCP services.

For those without a Defra Microsoft account, a @defra.onmicrosoft.com account can be used.

Tenants

Defra has two Microsoft Entra ID tenants in which the App Registration must be created.

DefraDev

The DefraDev tenant is used for proof of concept work and is a prerequisite environment for Production use.

Teams must prove their setup in the DefraDev tenant.

Teams can request a new App Registration including permission setup for this tenant through a ServiceNow ticket.

Defra

Once the proof of concept work has been completed, the App Registration can be created in the Defra tenant through a ServiceNow standard change for a Type 1 registration.

It is recommended to create two App Registrations in the Defra tenant, one for Production and one for Non-Production.

This allows users to be placed in roles to support lower environment testing without risking access to Production data.

Permissions

Once the App Registration has been created, the permissions can be added to the App Registration through a further standard change.

Users can be added to the roles through a further standard change.

Project teams typically manage their own permissions initially, but in the longer term access requests will be managed by the business through ServiceNow.

FCP Platform

For services deployed to the FCP Platform, instead of creating the new App Registration in the Defra tenant, the App Registration should be created in the following tenants for each environment:

  • DefraCloudDev for the Development and Test FCP Platform environments
  • DefraCloudPreProd for the Pre-Production FCP Platform environment
  • DefraCloud for the Production FCP Platform environment

Due to the increased number of tenants utilised by the FCP Platform, there is no need to create multiple App Registrations in a single tenant as Production is already isolated.

Implementation

An overview of how to implement an App Registration in a Node.js application is included in Confluence.

Configuration rotation

App Registration credentials expire after a set period of time. This is typically 1 or 2 years.

These credentials should be rotated before they expire and the application reconfigured to use the new credentials.