What Changed

The Illumio SaaS connector Function App components now authenticate with the Function App's system-assigned managed identity instead of relying on DefaultAzureCredential fed with Azure AD application credentials. The change removes all references to those credentials (client ID, client secret, tenant ID) from both the deployment templates and the Python code.

Security Impact (Visibility & Fidelity)

This change improves the security posture of Illumio deployments by eliminating the need to store and rotate a client secret in Function App application settings. Previous deployments required a manual Azure AD application registration and ongoing secret management, and the long-lived secret sat in app settings where anyone able to read the Function App configuration could recover it.

The ARM templates now assign the Monitoring Metrics Publisher role to the Function App's managed identity, scoped to the Data Collection Rule only, removing the manual role assignment step that caused deployment failures when misconfigured. Creating that role assignment requires the deploying principal to hold Microsoft.Authorization/roleAssignments/write on the DCR (for example Owner or User Access Administrator); Contributor alone is not sufficient.

Deployment Changes

  • New deployments: Templates automatically configure managed identity and role assignments
  • Existing deployments: Manual migration required: enable the system-assigned managed identity on the Function App, grant it Monitoring Metrics Publisher on the DCR, then drop the application credential settings
  • Removed parameters: aadTenantId, aadApplicationId, aadApplicationSecret no longer required in deployment templates
  • UI simplification: Connector UI definition removes Azure AD application configuration steps

Existing deployments will continue to work but should be migrated to leverage the improved security model.
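The migration for an existing deployment, as an added example that is not part of the solution's own templates or code. It assumes Azure CLI is installed and logged in with a principal allowed to create role assignments on the DCR, takes the subscription, resource group, Function App name and DCR name as arguments, and uses the built-in role definition ID for Monitoring Metrics Publisher. It does not guess the names of the old application-credential app settings; it lists the settings so the operator can remove the right ones.

```shell
#!/bin/sh
# Added migration helper for existing Illumio SaaS connector deployments.
# Not part of the Sentinel solution. Assumes: az CLI present and logged in,
# caller holds Microsoft.Authorization/roleAssignments/write on the DCR.
set -eu

# Built-in role definition ID for "Monitoring Metrics Publisher".
MONITORING_METRICS_PUBLISHER_ROLE_ID="3913510d-42f4-4e42-8a64-420c390055eb"

# Compose the ARM resource ID of a Data Collection Rule; this is the role
# assignment scope, so the identity gets rights on that one DCR and nothing else.
dcr_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Insights/dataCollectionRules/%s' \
    "$1" "$2" "$3"
}

# Only a GUID-shaped principal ID may reach the role assignment call.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

migrate() {
  subscription="$1"; resource_group="$2"; function_app="$3"; dcr_name="$4"
  scope="$(dcr_scope "$subscription" "$resource_group" "$dcr_name")"

  # 1. Enable the system-assigned managed identity and capture its object ID.
  principal_id="$(az functionapp identity assign \
      --subscription "$subscription" --resource-group "$resource_group" \
      --name "$function_app" --query principalId --output tsv)"
  is_guid "$principal_id" || { echo "unexpected principalId: $principal_id" >&2; return 1; }

  # 2. Grant Monitoring Metrics Publisher on the DCR only. Passing the principal
  #    type skips the directory lookup that fails while a new identity replicates.
  az role assignment create \
      --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
      --role "$MONITORING_METRICS_PUBLISHER_ROLE_ID" --scope "$scope" --output none

  # 3. Verify the assignment exists at the DCR scope before touching credentials.
  count="$(az role assignment list --assignee "$principal_id" --scope "$scope" \
      --role "$MONITORING_METRICS_PUBLISHER_ROLE_ID" --query 'length(@)' --output tsv)"
  [ "$count" -ge 1 ] || { echo "role assignment not visible on $scope" >&2; return 1; }

  # 4. Show the current app settings; remove the ones that held the Azure AD
  #    application client ID / secret / tenant ID with
  #    'az functionapp config appsettings delete --setting-names ...'.
  echo "Current app settings on $function_app (remove the application credential entries):"
  az functionapp config appsettings list --subscription "$subscription" \
      --resource-group "$resource_group" --name "$function_app" --query '[].name' --output tsv
}

# Run only when explicitly requested, so the file can be sourced for its helpers.
if [ "${MIGRATE_RUN:-0}" = "1" ]; then
  [ "$#" -eq 4 ] || { echo "usage: MIGRATE_RUN=1 $0 <subscription> <resource-group> <function-app> <dcr-name>" >&2; exit 2; }
  migrate "$1" "$2" "$3" "$4"
fi
```

Run it as `MIGRATE_RUN=1 sh migrate.sh <subscription> <resource-group> <function-app> <dcr-name>`. The assignment is deliberately scoped to the DCR resource rather than the resource group, and the old secret is removed only after the new identity is confirmed to hold the role, so a failed migration never leaves the connector without any working credential.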

Affected Files

Solutions/IllumioSaaS/Data Connectors/CommonCode/constants.py
Solutions/IllumioSaaS/Data Connectors/CommonCode/sentinel_connector.py
Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/azuredeploy_QueueTrigger_FunctionApp.json
Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/azuredeploy_QueueTrigger_FunctionApp.parameters.json
Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/createUiDefinitionQueueTrigger.json
Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/azure_queue_trigger.py
Solutions/IllumioSaaS/Data Connectors/README.md
Solutions/IllumioSaaS/Data Connectors/TimedApiFunctionApp/api_response.py
Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json
Solutions/IllumioSaaS/Package/testParameters.json
(packaging artefacts: 3.4.1.zip, IllumioEventsConn.zip, IllumioQueueTrigger.zip, ReleaseNotes.md, Solution_IllumioSaaS.json, createUiDefinition.json, mainTemplate.json)