Synchronization to Azure AD only happens when at least one of three things happen:
- Any spec.azure.* or spec.accessPolicy.inbound.rules value has changed.
- A previously non-existing Azure AD app defined in
spec.accessPolicy.inbound.ruleshas been created through NAIS.
- An annotation is applied to the resource:
kubectl annotate azureapp <app> azure.nais.io/resync=true
The annotation is removed after synchronization. It can then be re-applied to trigger new synchronizations.
Forcing credential rotation¶
Credential rotation happens automatically on a regular basis.
However, if you need to trigger rotation manually you may do so by applying the following annotation:
kubectl annotate azureapp <app> azure.nais.io/rotate=true
You should then restart your pods so that the new credentials are re-injected:
kubectl rollout restart deployment <app>
The client is automatically deleted from Azure AD whenever the associated
Application resource is deleted from Kubernetes.
That is, if you were to run the following command:
kubectl delete app <application>
AzureAdApplication resource will also be deleted from Kubernetes, and its associated Azure AD client is deleted.
Consequently, the previous client ID used will no longer be available.
If the application is re-deployed, the client ID will have a new and different value. Generally speaking, your application nor its consumers should not depend on or hard code the value of a client ID when acquiring tokens - see scopes.
Sometimes you will want to prevent the deletion of the client, e.g. if your client has had a manual set up of additional Microsoft Graph permissions beyond the standard set.
If you want to prevent deletion of the client, add the following annotation to your
apiVersion: nais.io/v1alpha1 kind: Application metadata: name: myapplication namespace: myteam annotations: azure.nais.io/preserve: "true"
If you decide that the client should be removed at a later point, remove the annotation from the spec.