Skip to main content

ADR-004 Use Microsoft EntraID (formally AzureAD) for Identity and Access Management

Status

✅ Accepted

Context

The Data Catalogue services will need a way to verify users and provide access to resources. We want to simplify access for users by reducing the number of accounts they need.

We do not want to create a custom identity service, or manage a very large number of users with a separate DataHub identity.

We do want users to be identified when interacting with the Find MOJ Data front end.

Decision

We will use the existing in-house EntraID (formally Azure Active Directory) service for Identity and Access Management (IDAM), both for DataHub and Find MOJ Data.

Many of our users are already using a @justice.gov.uk account as their primary login.

Our users can take advantage of their existing identity to gain access to the Data Catalogue.

Consequences

  • We will not have to run an identity service and managing logging and security of that system
  • We will reduce or eliminate our support requirements for:
    • joiners, movers and leavers (JML)
    • issues with multi factor authentication and password resets
    • name changes (e.g. marriage)
  • As there is no systematic way to create and manage EntraID groups to provide authorisation, we may need to rely on DataHub roles for this
  • We will no longer need to use IP range restrictions for the services
  • We will need to exclude the /metrics endpoint from authentication, but also secure it from public access
This page was last reviewed on 11 December 2024. It needs to be reviewed again on 11 December 2025 by the page owner #data-catalogue .
This page was set to be reviewed before 11 December 2025 by the page owner #data-catalogue. This might mean the content is out of date.