Azure Security, Authentication & Authorization Flashcards
What is a requirement for Azure AD to work?
User must have profile in AAD and app must be registered in AAD
True or False? You can configure an instance of API Management to protect the API by using OAuth 2.0 with Azure Active Directory
True
Explain what Authentication means
Authentication is the process of proving you are who you say you are. (AuthN)
Explain what Authorization means
Authorization is the act of granting an authenticated party permission to do something. It specifies what data you’re allowed to access and what you can do with that data. (AuthZ)
Explain what a Shared access Signature (SAS) is and what you can do with it.
It's used to grant access to a resource in your storage account. For Blob Storage, for example, it's simply a token that's added to the URL. Everyone who has this URL can use the privileges that were defined when the SAS was created.
Explain what the difference is between an ad-hoc SAS and a SAS that is associated with a stored access policy
An ad-hoc SAS contains all information, like start time, end time and permissions, directly in the URI
example: ?sv=2018-11-09&sr=c&sig=rS3eUbL5eCSmmth57EQkTEd6DEIo4luyg%2FtXvqvorXc%3D&st=2020-05-28T18%3A14%3A50Z&se=2020-05-29T18%3A19%3A50Z&sp=wl
When a SAS is associated with a stored access policy, it inherits the settings from the policy. It's also possible to revoke those by changing the policy.
example: http://127.0.0.1:10000/devstoreaccount1/sas-container-637262939086872312?sv=2018-11-09&sr=c&si=tutorial-policy-637262939086922296&sig=0pZAShTGtP7qYz%2FaXIf4Zr32hcA4RMr4dYDFPQUcj3w%3D
True or False? When copying files between different Storage Accounts, you must use a SAS
True
Explain on a high level what Azure RBAC is and what you can do with it
Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Name the three key elements that are part of the RBAC security concept
Security principal, role definition and scope
Explain what Security principal means
A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
What forms of Service Principal does Azure work with? Name at least three
User, an individual with a profile in Azure Active Directory
Group, a set of users
Service Principal, apps can use this to access specific Azure resources. Think of it like a user+password or a certificate
Managed Identity, automatically managed by Azure. Used by cloud applications to manage credentials for authenticating to Azure services
Explain what a Role definition (role) is
A collection of permissions, like read, write, delete
Explain what a Scope is
Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group.
What is a role assignment
A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.
True or False? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments.
True
What is a deny assignment
A deny assignment attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are allowed, while a deny assignment defines a set of actions that are not allowed. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access.
What are the 3 planes on which you secure Azure Storage?
- Management
- Data
- Encryption
What makes up a role assignment, or, How do you secure the management plane of an Azure Storage account?
- Security principal (who gets access - user, group, etc.)
- Role definition (what actions they can and can’t do)
- Scope of access (subscription, resource group, resource)
Name 3 ways you can secure the data plane of an Azure Storage account?
- Keys
- Shared Access Signature
- AAD (access w/token)
True or false: the storage key is like a root password and 2 keys are created when you provision a new storage account.
True
Benefits of Shared Access Signature
Allows access without sharing the storage key
Very flexible when it comes to granting access to a storage account
Consists of a URI with specific permissions attached to it
When you use AAD as your identity provider, how do you access it?
Using OpenID Connect mechanisms
Uses access tokens, no dependency on a key
What are the 3 types of SAS?
- User delegation SAS
- Service SAS - access to resources in only one Storage Account service
- Account SAS - access to resources in more than one Storage Account service
What does a SAS token look like?
A URL that is passing parameters
The parameter named “signature” is passing an encrypted version of your key, so if you rotate keys it will invalidate existing SAS tokens
What are the 2 types of SAS tokens?
- Ad hoc (self-contained)
- Service - links to a Stored Access Policy
What are some characteristics of a stored access policy?
Defined at the container level
Reused by multiple SAS
Contains permissions and validity period
Available only as a service-level SAS
What components make up the Microsoft Identity Platform?
- Authentication service (AAD)
- Open Source Libraries for authentication code (i.e. MSAL)
- Application management tools (logging, authorization, consent, gallery/non-gallery apps)
What are the 2 types of authentication?
Legacy (basic auth) and Modern
What are the 3 protocols available in modern authentication?
- WS-* and SAML which are based on redirects and HTTP posts
- OAuth: delegation protocol (not an authentication protocol). Allows an app to do something on your behalf (access and refresh token)
- OpenID Connect: more formal protocol (id token)
What are the differences between the 3 types of tokens?
Access tokens you present to the API to get permissions and the API is supposed to validate it against AAD. Refresh token is for when your access token expires.
ID token is generated by AAD and sent back with the user to the client application. If a client trusts the token, it will establish a web-based session
What is the difference between authorization and authentication?
Authentication means who you are.
Authorization means what can you do. Are you an admin, reader, contributor, etc.
What are the three ways AAD can help you do authentication?
- Groups (authorization decision based on group membership)
- Custom claims: info you can put in an ID or Access token
- App roles: defined at the app level, assigned to a user or an app. Roles surface in access tokens
What is Azure Key Vault?
Azure service which allows you to securely store and access secrets
What are the 3 types of secrets you can store in an Azure KeyVault?
cryptographic keys,
certificates (and the private keys associated with the certificates),
secrets (such as connection strings and passwords)
What are the three options for authentication to Azure keyvault?
Managed Identities: assign a managed identity to the VM that hosts the app, and the managed identity has access to Key Vault
Service Principal and Certificate: not recommended because you need to rotate the cert
Service Principal and Secret: not recommended either because you have to rotate the secret
What is a key vault access policy?
Determines whether a given security principal, namely a user, application, or user group, can perform different operations on AZ Key Vault secrets, keys, and certificates.
What are the 2 keyvault pricing tiers?
- Standard (secrets are software-protected)
- Premium (secrets are protected by hardware security modules)
What are the steps to using an Azure Keyvault?
- Provision an AZ Keyvault instance
- Configure authentication for accessing it (app registration, managed identity, key vault reference for app service or azure function)
Steps for creating a new key vault in the portal
- Specify resource group, pricing tier, and region
- Specify soft-delete retention period
- Specify access policy
- Specify networking: public endpoint (all networks - any user with public internet access can reach this vault); public endpoint (specific networks); private endpoint (only users from selected private networks can access this Key Vault)
Provide some examples of keyvault access policies
- Grant access to any service principal or managed identity
- Grant access to VMs (for saving VM passwords)
- Grant access to ARM template (for use when deploying resources)
- Enable access for Azure Disk Encryption (uses a key stored in KV to use when encrypting a disk)
What is Azure Keyvault Reference?
Under the hood it’s using managed identity
Allows you to move app settings from App Services and Azure Functions to keyvault
Name the steps for creating an Azure Keyvault Reference
- Add secret to keyvault
- Create system-assigned managed identity in your app service or function
- Back in the Azure Key Vault, add access policy for the managed identity you just created
- In application, update the value of the configuration setting with a special Azure keyvault reference syntax:
@Microsoft.keyvault(VaultName=;SecretName=;SecretVersion=) OR
@microsoft.keyvault(SecretURI=)
What is Azure Keyvault soft delete and purge protection?
Allows the recovery of deleted key vaults and key vault objects (retains for between 7 and 90 days - default is 90 day)
Azure Key Vault Purge Protection: cannot purge until retention period is over
What are common scenarios when a SAS is useful?
Client upload and download (to Azure Storage) via a front-end proxy service that provides authentication
A lightweight service authenticates the client as needed and then generates a SAS. Once the client application receives the SAS, it can access storage account resources directly.
A SAS is required to authorize access to the source object in a copy operation in certain scenarios:
- Copy a blob to another blob that resides in a different storage account
- Copy a file to another file that resides in a different storage account
- Copy a blob to a file, or copy a file to a blob
What is an Azure AD App Manifest?
The definition of an application object within the Microsoft Identity Platform which includes all configuration for allowed authentication and authorization integrations
- appRoles
- groupMembershipClaims
- optionalClaims
- oauth2AllowImplicitFlow
- All of the oauth2 attributes that are included in the app manifest
- oauth2Permissions: receives a collection that includes several values that configure how OAuth 2.0 works for this app
- signInAudience: type of MS accounts that are supported for your app (multi-tenant, personal accounts)
MSAL is a library that developers use to enable their application to acquire a token in a number of different authentication flows.
True.
Using the Microsoft Identity Platform implementation of OAuth2.0 and OpenID Connect (OIDC), you can add sign-in and API access to your mobile and desktop apps.
True. OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol. With OIDC, you can add authentication and authorization for single page apps, web apps, and natively installed apps.
For mobile and native apps, the authorization code represents what?
The apps permission to call back-end services on behalf of the user who is signed in.
1st endpoint: /authorize
2nd endpoint: /token
The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire.
For web apps, what is the authorization/authentication flow?
The user is redirected to Azure AD with a client ID, user enters credentials and consents to any permissions, then Azure AD returns user with an ID token.
How to authenticate long-running processes or apps that operate without the interaction with a user (daemon apps)
You can prove the app’s identity using a client secret or certificate
Only endpoint used is /token
In this flow, the app interacts directly with the /token endpoint to obtain access
Single page apps (SPA) like those written in React or Angular use what auth flow?
The app receives a code from the Microsoft identity platform authorize endpoint, and redeems it for an access token and a refresh token using cross-site web requests. The access token expires every 24 hours, and the app must request another code using the refresh token. In addition to the access token, an id_token that represents the signed-in user to the client application is typically also requested through the same flow and/or a separate OpenID Connect request
/authorize
/token
Web app authentication flow?
Just uses the /authorize endpoint (gets a token still though)
You can ensure the user’s identity by validating the ID token with a public signing key that is received from the Microsoft identity platform.
Authentication flow for web api
- /token
- /.well-known/discovery (requests token validation metadata, returns signing keys, etc.)
Web app authentication
Just goes to /authorize
/authorize endpoint returns a token