ADR-003 Use EntraID (formerly AzureAD) for Identity and Access Management
Status
✅ Accepted
Context
The Analytical Platform will need a way to verify users and provide access to resources. We want to simplify access for users by reducing the number of identities they need and places to request access to things due to that.
We do not want to run an identity service.
Decision
We will use EntraID (formerly AzureAD) for Identity and Access Management (IDAM).
Our users are already using a @justice.gov.uk
account as their primary login.
Our users can take advantage of their existing identity to gain access to the Analytical Platform and access services.
Consequences
- We will not have to run an identity service and managing logging and security of that system
- We won’t be managing our identity service, we need to work with the end user compute team to improve identity operations (version and automate changes)
- Reduce our support requirements for joiners, movers and leavers(JML) e.g. issues with multi factor authentication and password resets
- Guest accounts are possible, but not managed which means we will need an alternative solution
- There is no systematic way to create and manage EntraID groups to provide authN, we will need to work with end user compute team.
- Cross government EntraID federation is not yet formalised, but in the future we could give other departments access to resources with their existing credentials
- We can look to unlock SCIM to create, manage, and deactivate GitHub accounts based on EntraID group membership
This page was last reviewed on 19 December 2024.
It needs to be reviewed again on 19 June 2025
by the page owner #analytical-platform-notifications
.
This page was set to be reviewed before 19 June 2025
by the page owner #analytical-platform-notifications.
This might mean the content is out of date.