AZ-305 Azure Solutions Architect Expert - Topic 01 - Secure Data Integration Between Partner Organizations Using Azure Logic Apps and Third-Party OAuth 2.0


Overview

The AZ-305 Microsoft Azure Architect Design certification is a crucial step for cloud professionals aiming to validate their skills in designing secure, scalable, and reliable Azure solutions. This exam evaluates a candidate’s ability to design identity and security, data storage, business continuity, and infrastructure solutions using Microsoft Azure technologies.

A commonly tested topic in the AZ-305 exam involves designing secure access for third-party organizations while ensuring minimal disruption to the existing architecture.

Use Case: Data Integration Between Two Companies

Company A (UnityCare Health): Owns healthcare data stored on-premises and exposes it through Azure Logic Apps.

Company B (Precision Diagnostics Lab): Needs to submit patient test results using its existing third-party OAuth 2.0 identity provider without Azure AD access.

Note: These names are purely illustrative and do not represent any real hospitals or laboratories.

Problem Statement:

UnityCare Health, a hospital network, uses Azure Logic Apps to automate healthcare data workflows, such as processing patient test results and notifying doctors. They partner with Precision Diagnostics Lab, a third-party diagnostic lab, which needs access to some of UnityCare's logic apps to upload test results and receive data updates. The challenge is that the two companies run different identity systems.

In modern cloud-based architectures, securely sharing data between organizations with different identity systems can be challenging. This article explores a hypothetical use case where Azure API Management (APIM) facilitates secure integration between two fictional entities: UnityCare Health Network and Precision Diagnostics Lab, using Azure Logic Apps and OAuth 2.0.

Key Requirement

  • Precision Diagnostics uses its own OAuth 2.0 identity provider (Google).
  • UnityCare Health, a hospital network, uses Microsoft Entra ID (formerly Azure Active Directory) for identity management.
  • Limited access: Precision Diagnostics should only be able to upload test results, under a restricted API rate limit.
  • No changes shall be made to the existing logic apps that belong to UnityCare Health.
  • No Azure AD guest accounts, since Precision Diagnostics Lab uses its own identity provider.

Several potential solutions can be considered, including:

  • Azure Front Door
  • Azure AD Application Proxy
  • Azure AD Business-to-Business (B2B)
  • Azure API Management (APIM)

The answer is Azure API Management (APIM). Here is why APIM is the optimal choice for this scenario.

Solution Using Azure API Management (APIM):

To address these requirements, UnityCare Health implements Azure API Management (APIM) as a secure gateway to mediate access between Precision Diagnostics Lab and UnityCare's Azure Logic Apps.


Workflow

  1. UnityCare developed a web portal where Precision Diagnostics Lab's members can log in using their own credentials.
  2. When a member tries to log in, the portal redirects them to Precision Diagnostics Lab's Identity Provider (IdP) login page for authentication.
  3. The member enters their credentials, and if successful, the Identity Provider generates an OAuth 2.0 Access Token.
  4. This access token is sent back to UnityCare's web portal after successful login.
  5. The member submits patient test results through the portal; the OAuth token received earlier must be included in the request (as a bearer token in the Authorization header).
  6. The request is sent to Azure API Management (APIM), which checks the OAuth token provided by Precision Diagnostics Lab's IdP.
  7. APIM validates the token by checking that it is:
    • Signed by Precision Diagnostics Lab's IdP, verified against the public signing key the IdP publishes in its OpenID Connect metadata (JWKS).
    • Not expired.
    • Issued by Precision Diagnostics Lab's IdP (issuer claim).
    • Issued for UnityCare's portal application (audience / authorized-party claim), so that a token the IdP issued to some unrelated application is not accepted.
    • Carrying the right permissions (scopes) to access the Logic Apps.
  8. If the token is valid, APIM forwards the request to Azure Logic Apps for processing.
  9. Logic Apps update UnityCare's patient database with the test results and notify the relevant doctors.
  10. If the token is missing, invalid or expired, APIM blocks the request and returns an error response (HTTP 401) without ever reaching the Logic App.

Infrastructure setup

  1. APIM Gateway Setup:

    • Azure API Management (APIM) is deployed as a central API gateway in UnityCare Health's Azure environment.
    • APIM exposes a secure endpoint for Precision Diagnostics Lab to send test result data while restricting direct access to Azure Logic Apps.
  2. Cross-Tenant Access Configuration:

    • If Precision Diagnostics Lab also operates a Microsoft Entra (Azure AD) tenant, the two organizations can establish a Cross-Tenant Access configuration: UnityCare Health adds Precision Diagnostics Lab's tenant ID under External Identities > Cross-Tenant Access Settings and grants inbound access for Precision Diagnostics Lab's users, including trust of their MFA and device compliance claims.

    • Note that these settings only govern trust between two Entra tenants. With a third-party OAuth 2.0 provider such as Google, which is the case in this scenario, they do not apply; the allow-list of who may call the API is instead enforced by APIM on the token's claims.


  3. OAuth 2.0 Integration:

    • Precision Diagnostics Lab continues using its third-party OAuth 2.0 identity provider (Google in this scenario).
    • When a user from Precision Diagnostics Lab logs into UnityCare’s portal, they are redirected to their identity provider for authentication.
    • Upon successful authentication, Precision Diagnostics Lab's OAuth server issues a token to the portal; the portal then presents that token as a bearer token on every call it makes to the APIM gateway.
  4. Token Validation and Access Control:

    • APIM validates the token using its validate-jwt policy, checking the token’s signature, expiry, issuer and audience against the OpenID Connect metadata of Precision Diagnostics Lab's OAuth 2.0 provider (Google's discovery document in this scenario). The token presented must be a JWT; Google's OAuth access tokens are opaque strings, so the portal forwards the JWT-formatted ID token (or a JWT access token, for providers that issue them).
    • APIM then checks the claims that tie the token to UnityCare's portal (the audience and azp values registered for the portal application) rather than accepting any token the provider has ever issued. A Google Workspace tenant additionally exposes an hd domain claim that can be added as a required claim to restrict callers to the lab's organization.
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
      <!-- Discovery document of the partner IdP; the signing keys (JWKS) and issuer are read from here -->
      <openid-config url="https://accounts.google.com/.well-known/openid-configuration" />
      <!-- Token must have been issued for UnityCare's portal application -->
      <audiences>
        <audience>{portal-client-id}</audience>
      </audiences>
      <required-claims>
        <claim name="azp" match="all">
          <value>{portal-client-id}</value>
        </claim>
      </required-claims>
    </validate-jwt>
  5. Rate Limiting and Throttling:
    • APIM applies a rate-limit policy on the product (and subscription) issued to Precision Diagnostics Lab, restricting it to 100 API calls per hour (calls="100" over a renewal-period of 3600 seconds).
    • Internal UnityCare Health users reach the same logic apps through a separate product that does not carry this policy, so their access remains unrestricted.
   <policies>
     <inbound>
        <base />
        <!-- 100 calls per 3600-second window; the remaining count is exposed in a policy variable -->
        <rate-limit calls="100" renewal-period="3600" remaining-calls-variable-name="remainingCallsPerSubscription" />
     </inbound>
     <outbound>
        <base />
     </outbound>
   </policies>
  6. Data Processing and Notification:

    • If the token is valid and within the rate limit, APIM forwards the request to the underlying Azure Logic Apps.
    • The Logic Apps process the test result data, update UnityCare Health's on-premises database, and send result notifications to doctors via email.
  7. Error Handling and Rejection:

    • If the token validation fails or the rate limit is exceeded, APIM rejects the request with an appropriate error message.
    • Rejected requests are logged for monitoring and compliance.

This ensures secure, controlled data exchange between the two organizations while maintaining separation of identity systems.
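The two gateway checks described in steps 4 and 5 (token validation, then rate limiting) as a runnable Python model. This is an added illustration, not APIM policy code and not part of the original article. It assumes a fictional issuer URL, portal client ID and scope name, and signs tokens with HS256 and a shared demo key so that it runs offline; APIM's validate-jwt verifies RS256 signatures against the IdP's published JWKS instead, but the claim checks that follow the signature are the same.

```python
import base64
import hashlib
import hmac
import json

# Assumed, constructed values for the demo (none come from the original article).
IDP_SIGNING_KEY = b"demo-idp-signing-key-not-for-production"  # HS256 stand-in for the IdP's RS256 key
EXPECTED_ISSUER = "https://idp.precision-lab.example"          # assumed issuer of the lab's IdP
PORTAL_CLIENT_ID = "unitycare-portal-client"                   # assumed client id of UnityCare's portal
REQUIRED_SCOPE = "results.upload"                              # assumed scope the upload API demands
RATE_LIMIT_CALLS, RATE_LIMIT_WINDOW = 100, 3600                 # 100 calls per hour, as in the policy


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """Stand-in for the IdP: compact JWS (HS256) over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(token: str, now: float) -> tuple[bool, str, dict]:
    """The checks validate-jwt performs: signature, expiry, issuer, authorized party, scope."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token", {}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token", {}
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return False, "unsupported alg", {}
    expected = hmac.new(IDP_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature", {}
    if claims.get("exp", 0) <= now:
        return False, "token expired", claims
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "unexpected issuer", claims
    # A genuine token from the right IdP is not enough: it must have been issued
    # to UnityCare's portal app, or any token that IdP ever issued would pass.
    if claims.get("azp") != PORTAL_CLIENT_ID:
        return False, "wrong authorized party", claims
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        return False, "missing scope", claims
    return True, "ok", claims


class FixedWindowLimiter:
    """Per-key fixed-window counter: the semantics of APIM's rate-limit policy."""

    def __init__(self, calls: int, window: int):
        self.calls, self.window = calls, window
        self._windows: dict[str, tuple[float, int]] = {}  # key -> (window start, count)

    def allow(self, key: str, now: float) -> bool:
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window:  # renewal period elapsed: start a new window
            start, count = now, 0
        if count >= self.calls:
            return False
        self._windows[key] = (start, count + 1)
        return True


def gateway(headers: dict, now: float, limiter: FixedWindowLimiter) -> tuple[int, str]:
    """Inbound pipeline: 401 on token failure, 429 when throttled, else forward."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "Unauthorized. Access token is missing or invalid."
    ok, reason, claims = validate_jwt(auth[len("Bearer "):], now)
    if not ok:
        return 401, f"Unauthorized. {reason}"
    if not limiter.allow(claims["azp"], now):  # quota follows the partner application
        return 429, "Too many requests"
    return 200, "forwarded to Logic App"


def demo() -> list[tuple[int, str]]:
    """Constructed requests: good, wrong azp, expired, forged, quota exceeded, window reset."""
    t0, limiter = 1_700_000_000.0, FixedWindowLimiter(RATE_LIMIT_CALLS, RATE_LIMIT_WINDOW)
    good = {"iss": EXPECTED_ISSUER, "azp": PORTAL_CLIENT_ID, "sub": "lab-user-1",
            "scope": "openid results.upload", "exp": t0 + 600}

    def send(claims, at, key=IDP_SIGNING_KEY):
        return gateway({"Authorization": "Bearer " + mint_token(claims, key)}, at, limiter)

    out = [send(good, t0),
           send({**good, "azp": "some-other-app"}, t0),
           send({**good, "exp": t0 - 1}, t0),
           send(good, t0, b"attacker-key")]
    statuses = [send(good, t0 + 1)[0] for _ in range(RATE_LIMIT_CALLS)]
    out.append((statuses[-1], "call 101 inside the window"))
    out.append(send({**good, "exp": t0 + 2 * RATE_LIMIT_WINDOW}, t0 + RATE_LIMIT_WINDOW + 1))
    return out


if __name__ == "__main__":
    for status, message in demo():
        print(status, message)
```

Keying the limiter on the token's azp makes the quota follow the partner application rather than a client IP, and callers that authenticate through a different product (UnityCare's internal Entra users) never enter this pipeline, which is what leaves them unrestricted. The forged-signature and wrong-azp cases are the ones worth looking at: both tokens are well-formed and unexpired, and only the signature check and the authorized-party check, respectively, keep them out.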

Why Not the Other Options?

  • Azure Front Door: Focuses on global load balancing, content delivery and edge WAF protection; it does not validate OAuth 2.0 tokens or enforce per-consumer API quotas.
  • Azure AD Application Proxy: Publishes on-premises apps but pre-authenticates users with Microsoft Entra ID (Azure AD), which Precision Diagnostics Lab's users do not have.
  • Azure AD B2B: Requires inviting external users as guests in Azure AD, which the requirements prohibit.