Monitor your service accounts to ensure usage patterns are correct, and that the service account is used. And, if used with automation, a service account is most likely excluded from any conditional access policies or multi-factor authentication. Grant the service account the permissions needed to perform its tasks, and no more. Using a client secret: you can compare a client secret to a long and complex password which is generated for you. If you don't have one, you could. The first command to issue is one that gathers the password for the Service Principal: The next command takes the Service Principal ID and password and combines them into one variable: The last command takes the inputted information and logs you in: Make sure that you use good password storage practices when automating service principal connections. the Windows Hello for Business authentication methods, as you can see below, via the command: Get-MgUserAuthenticationWindowsHello -UserID johny.bravo@identity-man.eu. This isn't about what random users do, it's about what attackers can do when they compromise any part of your system. The code below creates the self-signed certificate in the personal certificate store with the name CN=VSE3_SUB_OWNER. Account script or application function is retired. Let's add the permissions for that on the Service Principal we created. As in this case the service principal only needs to gather data, we just give it Read access, select the service principal Automation Service Principal and, once done, hit Save. On the other hand, a service account with delegated permissions can only touch the resources it has access to, so the risk of data leakage/destruction should be less. Name the application Power Platform Service Principal and allow Accounts in this organizational directory only to use it. Important to note is that this sign-in is of course logged within Azure AD under the sign-in logs, beneath Service Principal Sign-ins.
Azure Service Principals can have a password, secret key, or certificate-based credentials. A Service Principal is the identity object in Azure Active Directory that allows roles to be assigned to various objects (resources). Once the friendly name has been determined, please select Integrate any other application you don't find in the gallery and hit Create. One thing that was often essential to these automation tasks was a service account. Use service principals to ensure the needed security posture for the application, and its users, in single- and multi-tenant scenarios. The app registration is only ever created once in the app's home tenant, however a . Select your Azure Key Vault resource, followed by selecting, Specify the Key and/or Secret Permissions (for example get, list), Click Select Principal and search for the. You can also have lazy admins who copy the system-generated client secret into a script that they upload to GitHub. Unfortunately not all PowerShell modules support a certificate to authenticate with, which would only leave the option open to use a client secret. In this post, I wanted to clarify the use case, differences and similarities between Service Principals and Managed Identities. Once the certificate is generated on your machine, please export it from the Personal User store on the computer where you just generated this certificate. Via the app registration I can specifically determine the permissions the service principal needs, instead of over-committing permissions to a service account. For example, in the image below, you can see that the AzVM_Reader service principal now has Reader access to the AzVM1 virtual machine.
The associated certificate can be one that's issued by a certificate authority or self-signed. To learn more, see Application and service principal relationship in Azure AD. Select Azure Active Directory from the left-hand side menu. Service principals define application access and resources the application accesses. To me, they're just accounts like others. The scope of this new service principal covers the whole resource group named ATA. See the example result below. You can check the resource's access control list using the Azure Portal. You'll get a similar output, as shown in the image below. Sometimes you want to take action based on that, but not usually. It is not uncommon for some to just create a new service account, slap it with all the admin roles you want, and exclude it from MFA. Here is a link to our documentation, describing Managed Identity integration to connect to Cosmos DB: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db. I hope you've enjoyed reading this blog and stay tuned for more coming soon! Once done hit Add. By default, when you create a Service Principal via Azure CLI or PowerShell it grants it Contributor access to your Azure subscription. Creating a Service Principal can be done in a number of ways: through the portal, with PowerShell or with Azure CLI. Service principals and managed identities can use OAuth 2.0 scopes in a delegated context impersonating a signed-on user, or as a service account in the application context. So it doesn't really factor into the topic at hand. In the above code GeneratePassword(20, 6), the first value means the length of the password, and the second value means the number of non-alphanumeric characters to include.
Let me show you the command syntax out of Azure CLI to achieve this: az ad sp create-for-rbac --name "pdtdevblogsp" resulting in this outcome: Similarly, let's remove the System Assigned MI of the VM and use a User Assigned one in the next example (an Azure Resource can only be linked to one or the other, not both): As you notice, the Managed Identity object gets immediately removed from Azure AD. You can use User Assigned Managed Identities for Key Vault by rewriting your code to access Key Vault. Thanks a lot for sharing. And most admins probably use a fully privileged user account (called a service account) to set up the credential requirements for scripts. Yeah, if people are going to the trouble of hacking the memory of my machines, then all bets are off, lol. Note the difference between the Application ID and the Object ID. Log in with a service principal. When possible, use Azure Key Vault for certificate and secrets management to encrypt assets with keys protected by hardware security modules: For more information on Azure Key Vault and how to use it for certificate and secret management, see: When using service principals, use the following table to match challenges and mitigations. A service principal is created in each tenant where the application is used and references the globally unique app object. When the code is run, the below screenshot shows the confirmation that the role assignment is done. Azure has a notion of a Service Principal which, in simple terms, is a service account. Resource access from external applications. In here make sure All applications is selected and hit + New Application. Notice how Azure Key Vault is expecting a Service Principal object here (where in reality we are using a Managed Identity). A service account is essentially a privileged user account used to authenticate using a username and password. Keep on reading and let's get started!
Once you or the script has finished, you can easily run the following command to disconnect from the Microsoft Graph API. Leaving aside MIs for the time being, I just had a question about this. This means that an additional step is needed to assign the role and scope to the service principal. Consider the alternative of a service principal: Both require some kind of secret to authenticate, whether a user password or client secret. Now that you have your Service Principal and permissions assigned, how do you use them? Now to put the service principal to use. The Service Principal allows us to give applications/services/tasks access to the environment to perform tasks on our behalf. An application instance has two properties: the ApplicationID (or ClientID) and the ObjectID. Why is there such a strong recommendation against user accounts as service accounts in AAD? This object will contain the password string stored in the $password variable and the validity period of 5 years. The techniques you learned in this article covered only the basics to get you started in using Azure service principals in your automation. Configure Service Principal Certificates & Secrets. The password would have also been listed when you created the Service Principal. As I mentioned at the start of this post, that isn't great best practice. appId will be the same for the single application object that represents this application, as well as for all service principals created for this application. Select a supported account type, which determines who can use the application. There are many authentication and. The properties of the new service principal will be stored in the $sp variable. This includes on-premises service accounts synced to Azure AD, because they aren't converted to service principals.
Now you've created the service principal with a certificate-based credential. At least this is true for Graph: for application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. When I worked with on-prem IT infrastructure I was always keen to automate parts as much as possible, whether that was setting up a scheduled task to stop and start services on temperamental servers or automating the patching of the servers. Instead, they recommend using service principals or managed identities. Below screenshot shows what it looks like for an Azure Web App Resource: To complete the sample scenario, let's go back to Azure Key Vault, and specify another Access Policy for this User Assigned Managed Identity: After saving the changes, the result is that now both the Azure Virtual Machine as well as the Web App having the User Assigned Managed Identity assigned to them can read our keys and secrets from Azure Key Vault. This is one of the best articles that I could find that explains this so well and well written. Whereby this data is retrieved via the service principal from the Log Analytics workspace in Azure! Not really anything special. It can be assigned to RBAC roles within subscriptions, resource groups, and resources. A single-tenant application has one service principal in its home tenant. If you can't use a managed identity, grant a service principal enough permissions and scope to run the required tasks. Now you have the ApplicationID and Secret, which are the username and password of the service principal. During the export make sure that the format is set to Base-64 encoded X.509 (.CER) and without the private key. Select New registration. Confirm by clicking Create and wait for the resource creation to complete successfully. (taken from https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names), C:\WINDOWS\system32>setspn -L WebserverServiceAccount.
But again, there are no means to secure service principals any further. We recommend collecting the following data and tracking it in your centralized Configuration Management Database (CMDB). If you want more control over what password or secret key is assigned to your Azure service principal, use the -PasswordCredential parameter during the service principal creation. It all starts with a name, and an Azure service principal must have a name. Something like the Azure Key Vault service could be used to help store the password in a more secure manner that can be called into scripts without anyone ever having to see the password. These are two fundamentally different things; always check which ID you need when it is being requested. For example, you can create an Azure service principal that has role-based access to an entire subscription or a single Azure virtual machine only. Now let's try something different; let's say you want to connect to a regular Azure resource, i.e. The formal definition from Microsoft explains service principal as "An Azure service principal is a security identity used by user-created apps, services, and automation tools to access. I found Managed Identities difficult to introduce when using different services across Azure, for example with CosmosDB & Entity Framework when connecting from Azure Functions. It's the identity of the application instance. Service principals define application access and resources the application accesses. 1. Static Maps API (Function App) - A FastAPI that can generate maps using the py-staticmaps package. To assess the security, evaluate privileges and credential storage. In fact, they are actually Service Principals. Service accounts are just accounts that you use to run services.
$TenantId = "ad7aaf9d-e478-4d3f-99aa-ce450535d9cc"
$ApplicationId = "d27624ba-040c-426f-bdd8-d57761c710c6"
# The client secret must be a SecureString before it can be wrapped in a PSCredential
$ServicePrincipalClientSecret = ConvertTo-SecureString -String "Cw2DiqRvF67O_iz8p5h~Q3~hQ6hQb4K~Th" -AsPlainText -Force
# The application (client) ID takes the place of the username in the credential object
$AzureADCred = New-Object System.Management.Automation.PSCredential($ApplicationId, $ServicePrincipalClientSecret)
A service principal is the local representation, or application instance, of a global application object in a single tenant or directory. Before you create an Azure service principal, you should know the basic details that you need to plan for. Let's first go over what a service principal exactly is. To log in via PowerShell it is slightly more complex and requires a bit more code. So by using service principals we can replace the service accounts currently used and therefore improve the security posture of your environment! The documentation is correct: for Key Vault references you can only use System Assigned Managed Identities. a log analytics workspace as well with the same service principal, and want to use a client secret (which I wouldn't recommend though if it supports certificate auth). Now we do know that a lot of applications are already using Service Principals, but we can of course create one and consume it for our own needs. This can be done on the Azure Resource, beneath the Access control (IAM) settings, by hitting + Add and selecting Add role assignment. There are many tools to create Azure Service Principals. Before zooming in on these, let's take a step back and look at the different Azure Identity Objects we have available in Azure Active Directory today.
The Azure CLI command to create a Service Principal is shorter and on creation the randomly generated password is displayed on screen. Creating an Azure App Registration and Service Principal: App Registration is located under Azure Active Directory, and requires an Owner or Contributor IAM assignment under the subscription. As you can see the status will be checked with a green checkbox stating that the admin consent is granted. For Redirect URI select Web and enter any URL you want; it doesn't have to be real or work. The rights on the service principal can be configured based on the API permissions you configure yourself, which are Read or ReadWrite, and specific to a part of the information (or all). In January 2023, Microsoft announced the General Availability of the Azure OpenAI Service (AOAI), which allows Azure customers to access OpenAI models directly within their Azure subscription and with their own capacity. An Azure Service Principal is a security identity object that can be used by a user-created app, service or tool to have access to specific Azure Resources. The service account was a bit like a user account with a username and password, and it often had access to local and network resources to perform these automation tasks. For more information, see Azure AD/AzureADAssessment. Go to portal.azure.com and open the App registrations service. For that, execute the PowerShell command below (first change the WorkspaceID and UserPrincipalName variables to correspond to the values used in your environment). This is especially useful if the password must meet a complexity requirement. This is handy for running app services as this identity and granting that account access to storage accounts, vaults, etc.
Instead of logging in to Azure PowerShell using a user account, the code below uses the service principal credential instead. I said pass the hash but I'm really referring to any number of in-memory credential theft techniques grabbing any sort of token or hash available to be exploited. Let's walk through a quick demo scenario for both, using a Virtual Machine as Azure Resource: Switching to Azure Key Vault / Access Policies, we can now define this System Assigned Managed Identity having get and list permissions (or any other) for keys, secrets or certificates. Thanks for the time you spent sharing your knowledge. The result is shown in the screenshot below. Once the certificate is selected we can see the Thumbprint of the certificate in the Azure Portal as well. For that, you can utilize the .NET static method GeneratePassword(). You will see the first few characters to be able to recognize the value should you want to validate its validity later on. To create a service principal we will use Cloud Shell on the Azure Portal using the az ad sp create-for-rbac command. You can create a service principal by registering an application, or with PowerShell. In this case, one could create a read KV Managed Identity, and link it to the web app, storage account, function, logic app, all belonging to the same application architecture. You'll learn how to create service principals with different types of credentials, such as passwords, secret keys, and certificates. The whole idea is to make every successful attack as low-impact as possible. When using Microsoft Graph, check the API documentation. Major issues with service principals are: The only real benefit I found for using service principals is that you don't need a license to access Office 365 data, like files or emails. The tenant secures the service principal sign-in and access to resources. Avoid creating multi-use service accounts.
You protect with minimum necessary permissions. I really appreciate the time that you took to explain this topic. Now the client secret has been created, please save the client secret value immediately, as it will only be shown once. On the other hand, certificate-based credentials are the more secure option but require a little bit more effort to maintain. Issue mitigation is done by the owner, or by request to an IT team. As I provided access to read and write authentication methods, I'm able to delete these as well, as you can see with the command: Remove-MgUserAuthenticationWindowHello -UserId johny.bravo@identity-man.eu -WindowsHelloForBusinessAuthenticationMethodId o8ylNeQ0a071RsrlyWdOn3zaDzOm4LyPNQ-DZgMMEcs1. objectId will be a unique value for the application object and for each of the service principals. The code below will create the service principal with the display name of ATA_RG_Contributor, using the password stored in the $PasswordCredential variable. Not sure about the certificate thumbprint? These details may seem simple. Pro-tip: When using Azure Automation, always remember to save your client secret as an encrypted value in your Automation account to make sure it cannot simply be copy/pasted out. You can create service principals either within the Azure portal or using PowerShell. I see a lot of people parroting this line, but I have never seen any argument in favour of it. In the application context, no one is signed in. On the other hand, an Azure service principal can be set up to use a username and password or a certificate for authentication. Now that we know what a Service Principal is, let's create one. The terms application and service principal are used interchangeably when referring to an application in authentication tasks.
How to make Service Principals synchronise with Active Directory Domain Services (AADDS)? Cute-Rutabaga8874 2 yr. ago Hello, thank you for your answer. Learn more: Application and service principal objects in Azure AD. Delegated permissions are used when a user is connecting via this service principal. An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. As you can see I'm successfully connected! From the Azure Portal, Create new Resource, and search for User Assigned Managed Identity. Even when I do know the 3 values (AppID, TenantID and Cert Thumbprint) and don't have the actual certificate installed with its private key, I won't be able to connect. The properties of the certificate are saved to the $cert variable. Please hit Yes to confirm the admin consent approval. Could someone ELI5 the difference and the typical use case please? After running the code, the new service principal should be created, and the properties are stored in the $sp variable. domain\WebserverServiceAccount). Think of it as a user identity without a user, but rather an identity for an application. Application permissions are used when the application itself is connecting, i.e. As you can see Johny Bravo has two sign-ins in the past 180 days. There's no fundamental difference in terms of the nature of one type of account vs. the other, but the way they are used in practice is the big difference. Now, depending on the module or application for which you want to use a service principal, first determine which methods are supported.
Once you've made sure that the certificate is in the personal user store, let's connect to the Microsoft Graph with the following PowerShell cmdlets:
Import-Module Microsoft.Graph
# Template: replace the {placeholders} with your own application ID, tenant ID and certificate thumbprint
Connect-Graph -ClientId {applicationID} -TenantId {TenantID} -CertificateThumbprint {CertificateThumbprint}
# Filled in for the service principal used in this post
Connect-Graph -ClientId d27624ba-040c-426f-bdd8-d57761c710c6 -TenantId ad7aaf9d-e478-4d3f-99aa-ce450535d9cc -CertificateThumbprint AB791BD89E1714732D22663C0103B9933CB7076E
While in the best scenario a service principal consists of an AppID, TenantID and Cert Thumbprint. Still, if I'm only using pure AAD this won't be a problem. After a few minutes or when doing a refresh it will show the value below and will never show the full value anymore. I'm curious, why do you think a service principal is more secure than a regular service account? Not sure I follow re logging in. It would be best if you're working on a test tenant. Azure Service Principal vs. Service Account. Automation tools and scripts often need admin or privileged access. If you are using older APIs I would strongly recommend you to move to the Microsoft Graph API where possible. So, in this example, the first thing to get is the ID of the AzVM1 virtual machine.
