Identity Research for Agent Management Using SPIFFE Documentation
Identity Research for Agent Management Using SPIFFE demonstrates sidecar-enforced authorization for agent-to-agent traffic on Azure Container Apps using Microsoft Entra Agent Identity, SPIFFE/SPIRE, Conditional Access-style governance, and live admin policy.
What This Repo Proves
The platform combines five independent enforcement checks:
Live view from the portal's Enforcement Layers page — every governed request walks all four layers before the backend ever sees it.
| Layer | Enforcement point | What it answers |
|---|---|---|
| Layer 1 | SPIFFE/SPIRE mTLS in the sidecar | Which callers may establish a connection |
| Layer 2 | RBAC policy in the sidecar ingress pipeline | Which methods and paths the connected caller may use |
| Layer 3 | Entra OAuth2/JWT validation in the sidecar or app | Whether the caller holds a valid token for the target resource |
| Layer 4a | Conditional Access-style risk evaluation | Whether the organization currently allows the caller to operate |
| Layer 4b | Admin tag governance backed by Graph | Whether live caller attributes still satisfy policy |
Those checks are intentionally independent. A caller that clears RBAC can still fail token validation. A caller with a valid token can still be blocked by Conditional Access-style risk. A caller blocked by mTLS never reaches the later layers.
Core Runtime Components
| Component | Purpose |
|---|---|
| Agent apps | Business workloads and direct A2A targets |
| `spiffe-proxy` sidecar | mTLS, RBAC, JWT enforcement, management API |
| SPIRE server VM | Issues and rotates X.509 SVIDs for workload identity |
| `admin-control-plane` | Dedicated external management service for `/mgmt/*` access |
| `isp-portal` | Management portal for execute, policy, scan, health, and CA operations |
| `securityportal-mock` | Mock SOC portal that pushes risk signals into Identity Research for Agent Management Using SPIFFE |
Documentation Map
- Quickstart: install prerequisites, deploy, verify, and choose the right deploy mode.
- System Overview: current runtime topology and how requests move through the system.
- Enforcement Flow: request-by-request examples of allow and deny paths.
- Transport mTLS: Layer 1 design, allow lists, and failure modes.
- RBAC Authorization: Layer 2 policy model and management behavior.
- OAuth2 and JWT: Layer 3 token validation and Entra identity proof.
- Conditional Access Governance: Layer 4 admin controls, risk, and custom attributes.
- Management APIs: portal, admin-control-plane, and backend management endpoints.
- Authentication Flows: browser auth, management auth, agent auth, and Graph/OData usage.
- Portal Runtime: the modular `portal/app` package, storage, health, and request flow.
- Parallel Deployments: safe multi-environment Entra scoping and what stays shared.
- Docs Site: local doc build and GitHub Pages publishing behavior.
Start Here
For most developers:
- Read Quickstart.
- Read System Overview.
- Keep Management APIs and Authentication Flows open while changing portal, admin-control-plane, or sidecar behavior.
For portal work:
- Read Portal Runtime.
- Use `./deploy.sh --portal-only` when the change does not affect agent sidecars or attestation.
For identity/bootstrap work:
- Read Parallel Deployments.
- Verify whether the current environment is `legacy` or `scoped` before touching Entra provisioning.