ADR-004 Use Microsoft Entra ID (formerly Azure AD) for Identity and Access Management
Status
✅ Accepted
Context
The Data Catalogue services will need a way to verify users and provide access to resources. We want to simplify access for users by reducing the number of accounts they need.
We do not want to create a custom identity service, or manage a very large number of users with a separate DataHub identity.
We do want users to be identified when interacting with the Find MOJ Data front end.
Decision
We will use the existing in-house Entra ID (formerly Azure Active Directory) service for Identity and Access Management (IDAM), both for DataHub and Find MOJ Data.
Many of our users already use a @justice.gov.uk account as their primary login.
Our users can take advantage of that existing identity to gain access to the Data Catalogue.
Consequences
- We will not have to run an identity service, nor manage the logging and security of that system
- We will reduce or eliminate our support requirements for:
  - joiners, movers and leavers (JML)
  - issues with multi-factor authentication and password resets
  - name changes (e.g. marriage)
- As there is no systematic way to create and manage Entra ID groups to provide authorisation, we may need to rely on DataHub roles for this
- We will no longer need to use IP range restrictions for the services
- We will need to exclude the /metrics endpoint from authentication, but also secure it from public access
This page was last reviewed on 6 June 2024. It needs to be reviewed again on 6 December 2024 by the page owner #data-catalogue.