Azure Security Flashcards

1
Q

What are the components of the Microsoft identity platform?

A
  1. OAuth 2.0 and OpenID Connect standard-compliant authentication service
  2. Open-source libraries (Microsoft Authentication Libraries, MSAL)
  3. Application management portal
  4. Application configuration API and PowerShell
2
Q

What are the 3 types of service principals?

A
  1. Managed identity
  2. Application
  3. Legacy
3
Q

How do service principals relate to application objects?

A

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.
The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

A service principal must be created in each tenant where the app is used, so that the app can establish an identity for sign-in and/or access to resources secured by that tenant.

4
Q

How does Conditional Access impact your application?

A

In most cases, Conditional Access doesn't change an app's behaviour or require changes from the developer.
Scenarios that require code to handle Conditional Access:
1. Apps performing the on-behalf-of flow
2. Apps accessing multiple services/resources
3. Single-page apps using MSAL.js
4. Web apps calling a resource

5
Q

What does the Microsoft identity platform help you with?

A

Build apps that your users/customers can sign in to using their Microsoft identities or social accounts, and provide authorized access to your own APIs or to Microsoft APIs like Microsoft Graph.

6
Q

What's the OAuth 2.0 and OpenID Connect standard-compliant authentication service?

A

It enables developers to authenticate several identity types, including:
1. Work or school accounts, provisioned through Microsoft Entra ID
2. Personal Microsoft account, like Skype, Xbox, and Outlook.com
3. Social or local accounts, by using Azure Active Directory B2C

7
Q

What's the Application management portal?

A

A registration and configuration experience in the Azure portal, along with the other Azure management capabilities.

8
Q

What's the Application configuration API and PowerShell?

A

Programmatic configuration of your applications through the Microsoft Graph API and PowerShell so you can automate your DevOps tasks.

9
Q

When you register your app with Microsoft Entra ID, what are the two tenancy forms you can use?

A
  1. Single tenant: only accessible in your tenant (a group of users with common access)
  2. Multi-tenant: accessible in other tenants
10
Q

What do you need to access a resource secured by a Microsoft Entra tenant?

A

A security principal.

For a user it's called a user principal.
For an application it's called a service principal.

11
Q

What does the security principal define?

A

The access policy and permissions for the user/app in the Microsoft Entra tenant.

12
Q

What’s the Application service principal?

A

It's the local representation (application instance) of a global application object in a single tenant/directory.

13
Q

What's a Managed identity service principal?

A

This service principal is used to represent a managed identity.

14
Q

What's a Legacy service principal?

A

This represents a legacy app (an app created before app registrations were introduced, or an app created through legacy experiences).
This service principal can have credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but it doesn't have an associated app registration.

15
Q

What relationships does the application object have?

A
  1. A one-to-one relationship with the software application
  2. A one-to-many relationship with its corresponding service principal object(s)
16
Q

What are the two types of permissions the Microsoft identity platform supports?

A
  1. Delegated permissions
  2. App-only access permissions
17
Q

What are Delegated permissions used for?

A

They are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated the permission to act as the signed-in user when it makes calls to the target resource.

18
Q

What are App-only access permissions used for?

A

They are used by apps that run without a signed-in user present, e.g. apps that run as background services or daemons. Only an admin can consent to app-only access permissions.

19
Q

What are the 3 types of consent?

A
  1. Static user consent
  2. Incremental and dynamic user consent
  3. Admin consent
20
Q

What’s static user consent?

A

In the static user consent scenario, you must specify all the permissions the app needs in the app's configuration in the Azure portal.

21
Q

What’s incremental and dynamic user consent?

A

You can ignore the static permissions defined in the app registration info in the Azure portal and request permissions incrementally through the Microsoft identity platform endpoint.

These consents only apply to delegated permissions and not app-only access permissions.

21
Q

What are the possible issues with static permissions (static user consent) for developers?

A
  1. The app needs to request all the permissions it would ever need upon the user's first sign-in, which can lead to a long list of permissions that discourages end users from approving the app's access on initial sign-in.
  2. The app needs to know all the resources it would ever access ahead of time. It's difficult to create apps that could access an arbitrary number of resources.
22
Q

What’s Admin consent?

A

This consent is required when your app needs access to certain high-privilege permissions.

Admin consent done on behalf of an organization still requires the static permissions registered for the app.

23
Q

What's Conditional Access?

A

A feature in Microsoft Entra ID that offers one of several ways to secure an app and protect a service.
Examples include:
1. Multifactor authentication
2. Allowing only Intune-enrolled devices to access specific services
3. Restricting user locations and IP ranges

24
Q

Conditional Access example

A

You’re building a single-tenant iOS app and apply a Conditional Access policy. The app signs in a user and doesn’t request access to an API. When the user signs in, the policy is automatically invoked and the user needs to perform multifactor authentication.

You’re building an app that uses a middle tier service to access a downstream API. An enterprise customer at the company using this app applies a policy to the downstream API. When an end user signs in, the app requests access to the middle tier and sends the token. The middle tier performs on-behalf-of flow to request access to the downstream API. At this point, a claims “challenge” is presented to the middle tier. The middle tier sends the challenge back to the app, which needs to comply with the Conditional Access policy.

25
Q

What are the benefits of using Azure Key Vault?

A
  1. Centralized application secrets
  2. Securely store secrets and keys
  3. Monitor access and use
  4. Simplified administration of application secrets
26
Q

How do you authenticate to Azure Key Vault?

A

There are 3 ways:
  1. Managed identities for Azure resources: when you deploy an app on a VM in Azure, you can assign an identity to the VM that has access to Key Vault. Benefit: the app/service isn't managing the rotation of the first secret. This is the best practice.
  2. Service principal and certificate: use a service principal and an associated certificate that has access to Key Vault. Not recommended, because the app owner/developer must rotate the certificate.
  3. Service principal and secret: not recommended, because it's hard to automatically rotate the bootstrap secret that's used to authenticate to Key Vault.
27
Q

What two types of containers does Azure Key Vault support?

A
  1. Vaults
  2. Managed hardware security module (HSM) pools
28
Q

What does a Vault store?

A

Vault = a logical group of secrets.

Vaults store software-protected and HSM-backed keys, secrets, and certificates.

29
Q

What do Managed HSM pools support?

A

HSM-backed keys.

30
Q

What problems can Azure Key Vault help solve?

A
  1. Secret Management: Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets
  2. Key Management: easily create and control the encryption keys used to encrypt your data
  3. Certificate Management: easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
31
Q

What are the service tiers in Azure Key Vault?

A

Standard: encrypts with a software key.

Premium: includes hardware security module (HSM)-protected keys.

32
Q

What’s Azure Key Vault?

A

A tool for securely storing and accessing secrets.

33
Q

What are the Azure Key Vault best practices?

A
  1. Use separate key vaults: vault per app/environment
  2. Control access to your vault: allowing only authorized applications and users
  3. Backup
  4. Logging
  5. Recovery options
34
Q

What protocol does Azure Key Vault use when data travels between Azure Key Vault and clients?

A

Transport Layer Security (TLS)

35
Q

What are the two types of managed identities?

A
  1. system-assigned managed identity
  2. user-assigned managed identity
36
Q

What’s the difference between the two types of managed identities?

A
  1. system-assigned managed identity: enabled directly on an Azure service instance. Its lifecycle is directly tied to the Azure service instance it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Microsoft Entra ID.
  2. user-assigned managed identity: created as a standalone Azure resource. After Azure creates an identity in the Microsoft Entra tenant, the identity can be assigned to one/more Azure service instances. The lifecycle is managed separately from the lifecycle of the Azure service instances to which it’s assigned.
37
Q

Describe the flow for system-assigned managed identities.

A
  1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a virtual machine.
  2. Azure Resource Manager creates a service principal in Microsoft Entra ID for the identity of the virtual machine. The service principal is created in the Microsoft Entra tenant that’s trusted by the subscription.
  3. Azure Resource Manager configures the identity on the virtual machine by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate.
  4. After the virtual machine has an identity, use the service principal information to grant the virtual machine access to Azure resources. To call Azure Resource Manager, use role-based access control in Microsoft Entra ID to assign the appropriate role to the virtual machine service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
  5. Your code that’s running on the virtual machine can request a token from the Azure Instance Metadata service endpoint, accessible only from within the virtual machine: http://169.254.169.254/metadata/identity/oauth2/token
  6. A call is made to Microsoft Entra ID to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Microsoft Entra ID returns a JSON Web Token (JWT) access token.
  7. Your code sends the access token on a call to a service that supports Microsoft Entra authentication.
38
Q

What’s the key difference between system-assigned and user-assigned managed identity?

A

Creation: a system-assigned identity is created as part of an Azure resource; a user-assigned identity is created as a standalone Azure resource.

Lifecycle: a system-assigned identity shares its lifecycle with the Azure resource it is created with (when the parent resource is deleted, the managed identity is deleted too); a user-assigned identity has an independent lifecycle.

Sharing across Azure resources: a system-assigned identity can't be shared and can only be associated with a single Azure resource; a user-assigned identity can be shared, and the same user-assigned identity can be associated with more than one Azure resource.

39
Q

Describe the flow for user-assigned managed identities.

A
  1. Azure Resource Manager receives a request to create a user-assigned managed identity.
  2. Azure Resource Manager creates a service principal in Microsoft Entra ID for the user-assigned managed identity. The service principal is created in the Microsoft Entra tenant that’s trusted by the subscription.
  3. Azure Resource Manager receives a request to configure the user-assigned managed identity on a virtual machine and updates the Azure Instance Metadata Service identity endpoint with the user-assigned managed identity service principal client ID and certificate.
  4. After the user-assigned managed identity is created, use the service principal information to grant the identity access to Azure resources. To call Azure Resource Manager, use role-based access control in Microsoft Entra ID to assign the appropriate role to the service principal of the user-assigned identity. To call Key Vault, grant your code access to the specific secret or key in Key Vault. Note: you can also do this step before step 3.
  5. Your code that’s running on the virtual machine can request a token from the Azure Instance Metadata Service identity endpoint, accessible only from within the virtual machine: http://169.254.169.254/metadata/identity/oauth2/token
  6. A call is made to Microsoft Entra ID to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Microsoft Entra ID returns a JSON Web Token (JWT) access token.
  7. Your code sends the access token on a call to a service that supports Microsoft Entra authentication.
40
Q

What role do you need to create an Azure VM with a system-assigned managed identity?

A

Virtual Machine Contributor role assignment

41
Q

What role do you need to create an Azure VM with a user-assigned managed identity?

A

Virtual Machine Contributor and Managed Identity Operator role assignments

42
Q

A client app requests managed identities for an access token for a given resource. What’s the token based on?

A

The service principal, a.k.a. the managed identities for Azure resources service principal.

43
Q

What’s a filter?

A

A filter is a rule for evaluating the state of a feature flag.

A user group, a device or browser type, a geographic location, and a time window are all examples of what a filter can represent.

44
Q

What's a feature flag?

A

A variable with a binary state of on or off. The feature flag also has an associated code block. The state of the feature flag determines whether the code block runs or not.

45
Q

What's a feature manager?

A

An application package that handles the lifecycle of all the feature flags in an application. The feature manager typically provides extra functionality, such as caching feature flags and updating their states.

46
Q

What are the 3 ways to secure your app configuration data?

A
  1. Customer-managed keys: Azure App Configuration encrypts sensitive information at rest using a 256-bit AES encryption key provided by Microsoft
  2. Private endpoints
  3. Managed identities
47
Q

What is Managed Identity?

A

It provides an identity for apps to use when connecting to resources that support Microsoft Entra ID authentication.

48
Q

When is On-Behalf-Of flow used?

A

OAuth 2.0 On-Behalf-Of flow (OBO) is used when an application invokes a service or web API, which in turn needs to call another service or web API.

49
Q

What does the Rotate operation in Azure CLI do?

A

The Rotate operation will generate a new version of the key based on the key policy.

50
Q

What does the Rotation Policy operation in Azure CLI do?

A

The Rotation Policy operation updates the rotation policy of a key vault key.

51
Q

What does the Purge Deleted Key operation in Azure CLI do?

A

The Purge Deleted Key operation is applicable for soft-delete enabled vaults or HSMs.

52
Q

What does the Set Attributes operation in Azure CLI do?

A

The Set Attributes operation changes specified attributes of a stored key.

53
Q

What's a service principal?

A

An identity created for use with applications, hosted services, and automated tools to access Azure resources.

A service principal is connected to one tenant; it can't have multiple tenants.

54
Q

What are the best practices for SAS?

A
  1. Always use HTTPS when creating or distributing an SAS
  2. Use user delegation SAS whenever possible
  3. Define a stored access policy for a service specific SAS
  4. Use near-term expiration on ad hoc, service or account SAS
  5. Follow least-privilege access for resources to be accessed (just give the access they need not more)
55
Q

When working with App Service, which tiers don't support Azure App Service mutual TLS authentication?

A

The Free and Shared tiers

56
Q

What are the steps/flow to integrate your app with Microsoft Graph?

A
  1. Register an app with Azure AD
  2. Use the Microsoft identity platform authorize endpoint with the defined scopes
  3. User signs in with credentials and accepts the scopes
  4. App receives an authorization code
  5. Authorization code can be used to get a token from the token endpoint
  6. Token can be used to access Microsoft Graph
57
Q

What's purge protection?

A

Purge = permanently deleting (freeing up space).

When creating a key vault you configure the default retention period (between 7 and 90 days); if you have purge protection enabled, you're not able to purge that value from your key vault until after the retention period has expired.

58
Q

What's soft-delete?

A

When we delete a value from our key vault, that value is kept around until we actually purge (permanently delete) it from the key vault.

Enabled by default in all Azure Key Vaults.

59
Q

What's the command to create a Key Vault in PowerShell and Azure CLI?

A

PowerShell:
New-AzKeyVault -Name 'Sample-Vault' -ResourceGroupName 'SampleResourceGroup' -Location 'East US'

Azure CLI:
az keyvault create --name "Sample-Vault2" --resource-group "SampleResourceGroup" --location eastus

60
Q

What are the 3 ways to secure Azure Storage?

A
  1. Keys (Storage Account Access Keys)
  2. Shared Access Signature
  3. Azure Active Directory (AD), a.k.a. Microsoft Entra ID: uses OpenID Connect and an access token, no key
61
Q

What are shared access signatures (SAS)?

A

Secure, delegated access without sharing the key. You control what the client can access, for how long, etc.

62
Q

What’s the command to create a key in Azure Key Vault?

A

az keyvault key create --name "key1" --vault-name "<keyvaultname>"

63
Q

What’s the command to create a secret in Azure Key Vault?

A

az keyvault secret set --name "SQLPassword" --value "hVFkk965BuUv" --vault-name "<keyvaultname>"

64
Q

What’s Microsoft Graph?

A

Use a single endpoint, https://graph.microsoft.com, to access data and insights in the Microsoft Cloud.

65
Q

What are the different ways to configure Authentication for Azure Key Vault?

A
  1. Use Azure AD App Registration
  2. Use Managed Identity (system-assigned identity, user-assigned identity)
  3. Use a Key Vault reference; only available if you intend to access Azure Key Vault from Azure Functions or App Service
66
Q

What’s Azure Active Directory (AD)?

A

An Identity Provider. In 2024 it changed name to Microsoft Entra ID.

A user can get authenticated with Azure AD and then get access to Azure resources.

67
Q

What is RBAC used for?

A

Authorization: giving access to resources based on roles.
RBAC = Role-Based Access Control

68
Q

What do Managed Identities help Azure resources with?

A

Authenticating to services that support Azure AD (a.k.a. Microsoft Entra ID) authentication.

“Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication”

69
Q

What's the difference between a service SAS, an account SAS and a user delegation SAS? (What are they signed with?)

A

A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Microsoft Entra credentials and applies to blobs only.