AZ-204 Security Flashcards
What are the authentication methods for Key Vault?
Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or service isn’t managing the rotation of the first secret. Azure automatically rotates the service principal client secret associated with the identity. We recommend this approach as a best practice.
Service principal and certificate: You can use a service principal and an associated certificate that has access to Key Vault. We don’t recommend this approach because the application owner or developer must rotate the certificate.
Service principal and secret: Although you can use a service principal and a secret to authenticate to Key Vault, we don’t recommend it. It’s hard to automatically rotate the bootstrap secret that’s used to authenticate to Key Vault.
What are the key vault best practices?
Use separate key vaults: Use one vault per application per environment (Development, Pre-Production and Production). This avoids sharing secrets across environments and limits the impact of a breach.
Control access to your vault: Key Vault data is sensitive and business critical, so secure access to your key vaults by allowing only authorized applications and users.
Backup: Create regular backups of your vault on update/delete/create of objects within a vault.
Logging: Be sure to turn on logging and alerts.
Recovery options: Turn on soft-delete and purge protection if you want to guard against force deletion of the secret.
What are the 2 ways to get a service principal?
Enable a system-assigned managed identity for the application. With managed identity, Azure internally manages the application’s service principal and automatically authenticates the application with other Azure services. Managed identity is available for applications deployed to a variety of services.
If you cannot use managed identity, you instead register the application with your Azure AD tenant. Registration also creates a second application object that identifies the app across all tenants.
What library can be used to authenticate an app?
Azure Identity SDK
What is the difference between user assigned and system assigned identities?
User-assigned: 1-to-many relationship (1 identity shared by many resources); requires cleanup, because the identity must be deleted separately.
System-assigned: 1-to-1 relationship (1 identity per resource); does not require cleanup, because the identity is deleted when the resource is deleted.
How do you register an app?
- If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
- Search for and select Azure Active Directory.
- Under Manage, select App registrations > New registration.
- Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time and multiple app registrations can share the same name. The app registration’s automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform.
- Specify who can use the application, sometimes called its sign-in audience.
- Select Register.
- Add a redirect URI (A redirect URI is the location where the Microsoft identity platform redirects a user’s client and sends security tokens after authentication.)
What is an Application Object?
An application object is used as a template or blueprint to create one or more service principal objects. (It is like an OOP class)
Describes the following:
How the service can issue tokens in order to access the application
The resources that the application might need to access
The actions that the application can take
How to assign a system-managed identity to an existing resource?
az <resource-type> identity assign
How to assign a system-managed identity to a new resource?
Use the --assign-identity parameter along with --scope and --role.
How to create a new user-assigned identity?
az identity create -g myResourceGroup -n myUserAssignedIdentity
How to assign a user-managed identity to a new resource?
Use the --assign-identity parameter along with --scope and --role.
How to get an access token in C#?
- Create a GET request to the Azure Instance Metadata Service (IMDS) token endpoint and parse the JSON response:
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Web.Script.Serialization;

class ManagedIdentityTokenSample
{
    static void Main()
    {
        // Build request to acquire a managed identities for Azure resources token
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/");
        // IMDS rejects requests that lack the Metadata header (a guard against request forgery)
        request.Headers["Metadata"] = "true";
        request.Method = "GET";
        try
        {
            // Call /token endpoint
            HttpWebResponse response = (HttpWebResponse)request.GetResponse();
            // Pipe response Stream to a StreamReader, and extract access token
            StreamReader streamResponse = new StreamReader(response.GetResponseStream());
            string stringResponse = streamResponse.ReadToEnd();
            JavaScriptSerializer j = new JavaScriptSerializer();
            Dictionary<string, string> list = (Dictionary<string, string>)j.Deserialize(stringResponse, typeof(Dictionary<string, string>));
            string accessToken = list["access_token"];
        }
        catch (Exception e)
        {
            string errorText = String.Format("{0} \n\n{1}", e.Message, e.InnerException != null ? e.InnerException.Message : "Acquire token failed");
        }
    }
}
How do you use App Configuration?
- Create a key-value pair hierarchy.
- Use feature flags (a bool value per feature), the feature manager (an application package that handles the lifecycle of all feature flags in an app) and filters (which evaluate the state of a feature flag).
- Secure App Configuration data using customer-managed keys, private endpoints and managed identities.
What are the 3 types of service principals?
Application: application instance of a global application object in a single tenant or directory. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
Managed Identity: Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but cannot be updated or modified directly.
Legacy: This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. A legacy service principal can have credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but does not have an associated app registration. The service principal can only be used in the tenant where it was created.
What are the 2 permission types supported by the Microsoft identity platform?
Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource.
Application permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons. Only an administrator can consent to application permissions.