Securing access to media assets with group and individual permissions

  • Question

  • Has anyone built a solution using Azure Media Services where you can set permissions and secure access to media assets by group and individual user permissions?

    This might be with a custom solution involving metadata tags or similar where media assets are only accessible by a custom developed application with the required business logic and DRM key.

    Love to know if this has ever been done.

    Thanks

    Monday, September 30, 2019 5:00 PM

Answers

  • Yes, take a look at the features in Microsoft Stream.  It is built entirely on top of AMS. 

    https://products.office.com/en-us/microsoft-stream?rtc=1

     

    They use our AES content protection feature and then do token auth (JWT) with specific claims embedded to determine which users and groups are allowed to view the content.  You have to set up your own STS token service, but there are samples of doing that out there (albeit a bit complicated).

    Start here - https://docs.microsoft.com/en-us/azure/media-services/previous/media-services-content-protection-overview

    You can use Azure Active Directory as an STS or deploy a custom STS. The STS must be configured to create a token signed with the specified key and issue claims that you specified in the token restriction configuration. The Media Services key delivery service returns the requested key/license to the client if the token is valid and the claims in the token match those configured for the key/license.

    When you configure the token restricted policy, you must specify the primary verification key, issuer, and audience parameters. The primary verification key contains the key that the token was signed with. The issuer is the secure token service that issues the token. The audience, sometimes called scope, describes the intent of the token or the resource the token authorizes access to. The Media Services key delivery service validates that these values in the token match the values in the template.

     

    Monday, September 30, 2019 5:31 PM
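Added example, not part of the original answer and not Media Services or Microsoft Stream code: a Python model of the token-restriction check described above, with a custom STS signing a JWT using the shared verification key and the key delivery side validating signature, issuer, audience and required claims. The key, issuer, audience and the `groups` claim name are constructed assumptions, and the expiry check and list-valued claim matching are assumptions about what "valid" covers.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not from any real deployment).
KEY = b"constructed-demo-verification-key-0123456789"
ISSUER = "https://sts.example.com/"
AUDIENCE = "urn:example:media-key-delivery"
REQUIRED = {"groups": "finance-recordings"}  # hypothetical claim name/value

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(key, claims):
    """STS side: sign the claims with the shared verification key (HS256)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(key, head + '.' + body))}"

def validate_token(token, key, issuer, audience, required_claims, now=None):
    """Key delivery side: True only if every check on the token passes."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
    except ValueError:
        return False
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False
    if header.get("alg") != "HS256":  # pin the algorithm, ignore other values
        return False
    if not hmac.compare_digest(given, _sign(key, head + "." + body)):
        return False
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    for name, wanted in required_claims.items():
        have = claims.get(name)
        if have != wanted and not (isinstance(have, list) and wanted in have):
            return False
    return True
```

A user outside the required group still receives a correctly signed token from the STS; the request is refused only because the claim does not match what the policy requires, which is where the per-group access decision is made.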

All replies

  • Sounds perfect. We have corporate-wide Azure AD and O365 E5 licenses already. We'll need to use the service for mp3 sound recordings only for this project, but I assume this will all work the same with audio-only files.
    Tuesday, October 1, 2019 3:40 PM