Azure Security, Authentication & Authorization Flashcards

1
Q

What is a requirement for Azure AD to work?

A

The user must have a profile in AAD and the app must be registered in AAD

2
Q

True or False? You can configure an instance of API Management to protect the API by using OAuth 2.0 with Azure Active Directory

A

True

3
Q

Explain what Authentication means

A

Authentication is the process of proving you are who you say you are. (AuthN)

4
Q

Explain what Authorization means

A

Authorization is the act of granting an authenticated party permission to do something. It specifies what data you're allowed to access and what you can do with that data. (AuthZ)

5
Q

Explain what a Shared Access Signature (SAS) is and what you can do with it.

A

It's used to grant access to a resource in your storage account. For Blob Storage, for example, it's simply a token that's added to the URL. Everyone who has this URL can use the privileges that were defined when the SAS was created.

6
Q

Explain what the difference is between an ad-hoc SAS and a SAS that is associated with a stored access policy

A

An ad-hoc SAS contains all information, like start time, end time and permissions, directly in the URI

example: ?sv=2018-11-09&sr=c&sig=rS3eUbL5eCSmmth57EQkTEd6DEIo4luyg%2FtXvqvorXc%3D&st=2020-05-28T18%3A14%3A50Z&se=2020-05-29T18%3A19%3A50Z&sp=wl

When a SAS is associated with a stored access policy, it inherits the settings from the policy. It's also possible to revoke those by changing the policy.

example: http://127.0.0.1:10000/devstoreaccount1/sas-container-637262939086872312?sv=2018-11-09&sr=c&si=tutorial-policy-637262939086922296&sig=0pZAShTGtP7qYz%2FaXIf4Zr32hcA4RMr4dYDFPQUcj3w%3D

7
Q

True or False? When copying files between different Storage Accounts, you must use a SAS

A

True

8
Q

Explain on a high level what Azure RBAC is and what you can do with it

A

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

9
Q

Name the three key elements that are part of the RBAC security concept

A

Security principal, role definition and scope

10
Q

Explain what Security principal means

A

A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.

11
Q

What forms of Service Principal does Azure work with? Name at least three

A

User, an individual with a profile in Azure Active Directory

Group, a set of users

Service Principal, apps can use this to access specific Azure resources. Think of it like a username+password or a certificate

Managed Identity, automatically managed by Azure. Used by cloud applications to manage credentials for authenticating to Azure services

12
Q

Explain what a Role definition (role) is

A

A collection of permissions, like read, write, delete

13
Q

Explain what a Scope is

A

Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group.

14
Q

What is a role assignment

A

A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

15
Q

True or False? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments.

A

True

16
Q

What is a deny assignment

A

A deny assignment attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are allowed, while a deny assignment defines a set of actions that are not allowed. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access.

17
Q

What are the 3 planes on which you secure Azure Storage?

A
  1. Management
  2. Data
  3. Encryption
18
Q

What makes up a role assignment, or, How do you secure the management plane of an Azure Storage account?

A
  1. Security principal (who gets access - user, group, etc.)
  2. Role definition (what actions they can and can’t do)
  3. Scope of access (subscription, resource group, resource)
19
Q

Name 3 ways you can secure the data plane of an Azure Storage account?

A
  1. Keys
  2. Shared Access Signature
  3. AAD (access w/token)
20
Q

True or false: the storage key is like a root password and 2 keys are created when you provision a new storage account.

A

True

21
Q

Benefits of Shared Access Signature

A

Allows access without sharing the storage key

Very flexible when it comes to granting access to a storage account

Consists of a URI with specific permissions attached to it

22
Q

When you use AAD as your identity provider, how do you access it?

A

Using OpenID Connect mechanisms

Uses access tokens, no dependency on a key

23
Q

What are the 3 types of SAS?

A
  1. User delegation SAS
  2. Service SAS - access to resources in only one Storage Account service
  3. Account SAS - access to resources in more than one Storage Account service
24
Q

What does a SAS token look like?

A

A URL that is passing parameters

The parameter named “signature” is passing an encrypted version of your key, so if you rotate keys it will invalidate existing SAS tokens

25
Q

What are the 2 types of SAS tokens?

A
  1. Ad hoc (self-contained)
  2. Service - links to a Stored Access Policy

26
Q

What are some characteristics of a stored access policy?

A

Defined at the container level

Reused by multiple SAS

Contains permissions and validity period

Available only as a service-level SAS

27
Q

What components make up the Microsoft Identity Platform?

A
  1. Authentication service (AAD)
  2. Open Source Libraries for authentication code (i.e. MSAL)
  3. Application management tools (logging, authorization, consent, gallery/non-gallery apps)
28
Q

What are the 2 types of authentication?

A

Legacy (basic auth) and Modern

29
Q

What are the 3 protocols available in modern authentication?

A
  1. WS-* and SAML, which are based on redirects and HTTP POSTs
  2. OAuth: a delegation protocol (not an authentication protocol). Allows an app to do something on your behalf (access and refresh token)
  3. OpenID Connect: a more formal protocol (ID token)
30
Q

What are the differences between the 3 types of tokens?

A

Access tokens are what you present to the API to get permissions, and the API is supposed to validate them against AAD. A refresh token is for when your access token expires.

An ID token is generated by AAD and sent back with the user to the client application. If a client trusts the token, it will establish a web-based session

31
Q

What is the difference between authorization and authentication?

A

Authentication means who you are.

Authorization means what can you do. Are you an admin, reader, contributor, etc.

32
Q

What are the three ways AAD can help you do authentication?

A
  1. Groups (authorization decision based on group membership)
  2. Custom claims: info you can put in an ID or Access token
  3. App roles - defined at the app level. Assigned to a user or an app. Roles surface in access tokens
33
Q

What is Azure Key Vault?

A

Azure service which allows you to securely store and access secrets

34
Q

What are the 3 types of secrets you can store in an Azure KeyVault?

A

  1. Cryptographic keys
  2. Certificates (and the private keys associated with the certificates)
  3. Secrets (such as connection strings and passwords)

35
Q

What are the three options for authentication to Azure keyvault?

A

Managed Identities: assign a managed identity to the VM that hosts the app, and the managed identity has access to Key Vault

Service Principal and Certificate: not recommended because you need to rotate the cert

Service Principal and Secret: not recommended either because you have to rotate the secret

36
Q

What is a key vault access policy?

A

Determines whether a given security principal, namely a user, application, or user group, can perform different operations on Azure Key Vault secrets, keys, and certificates.

37
Q

What are the 2 keyvault pricing tiers?

A
  1. Standard (secrets are software-protected)
  2. Premium (secrets are protected by hardware security modules)

38
Q

What are the steps to using an Azure Keyvault?

A
  1. Provision an Azure Key Vault instance
  2. Configure authentication for accessing it (app registration, managed identity, Key Vault reference for App Service or Azure Functions)
39
Q

Steps for creating a new key vault in the portal

A
  1. Specify resource group, pricing tier, and region
  2. Specify soft-delete retention period
  3. Specify access policy
  4. Specify networking: public endpoint (all networks - any user with public internet access can reach this vault); public endpoint (specific networks); private endpoint (only users from selected private networks can access this Key Vault)
40
Q

Provide some examples of keyvault access policies

A
  1. Grant access to any service principal or managed identity
  2. Grant access to VMs (for saving VM passwords)
  3. Grant access to ARM templates (for use when deploying resources)
  4. Enable access for Azure Disk Encryption (uses a key stored in Key Vault when encrypting a disk)
41
Q

What is Azure Keyvault Reference?

A

Under the hood it's using managed identity

Allows you to move app settings from App Services and Azure Functions to Key Vault

42
Q

Name the steps for creating an Azure Keyvault Reference

A
  1. Add secret to keyvault
  2. Create system-assigned managed identity in your app service or function
  3. Back in the Azure Key Vault, add access policy for the managed identity you just created
  4. In application, update the value of the configuration setting with a special Azure keyvault reference syntax:
    @Microsoft.keyvault(VaultName=;SecretName=;SecretVersion=) OR
    @microsoft.keyvault(SecretURI=)
43
Q

What is Azure Keyvault soft delete and purge protection?

A

Allows the recovery of deleted key vaults and key vault objects (retains them for between 7 and 90 days - the default is 90 days)
Azure Key Vault Purge Protection: cannot purge until the retention period is over

44
Q

What are common scenarios when a SAS is useful?

A

Client upload and download (to Azure Storage) via a front-end proxy service that provides authentication

A lightweight service authenticates the client as needed and then generates a SAS. Once the client application receives the SAS, it can access storage account resources directly.

A SAS is required to authorize access to the source object in a copy operation in certain scenarios:

  • Copy a blob to another blob that resides in a different storage account
  • Copy a file to another file that resides in a different storage account
  • Copy a blob to a file, or copy a file to a blob
45
Q

What is an Azure AD App Manifest?

A

The definition of an application object within the Microsoft Identity Platform which includes all configuration for allowed authentication and authorization integrations

  • appRoles
  • groupMembershipClaims
  • optionalClaims
  • oauth2AllowImplicitFlow
  • All of the oauth2 attributes that are included in the app manifest
  • oauth2Permissions: receives a collection that includes several values that configure how OAuth 2.0 works for this app
  • signInAudience: the type of Microsoft accounts that are supported for your app (multi-tenant, personal accounts)
46
Q

MSAL is a library that developers use to enable their application to acquire a token in a number of different authentication flows.

A

True.

47
Q

Using the Microsoft Identity Platform implementation of OAuth2.0 and OpenID Connect (OIDC), you can add sign-in and API access to your mobile and desktop apps.

A

True. OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol. With OIDC, you can add authentication and authorization for single page apps, web apps, and natively installed apps.

48
Q

For mobile and native apps, the authorization code represents what?

A

The app's permission to call back-end services on behalf of the user who is signed in.

1st endpoint: /authorize
2nd endpoint: /token

The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire.

49
Q

For web apps, what is the authorization/authentication flow?

A

The user is redirected to Azure AD with a client ID, user enters credentials and consents to any permissions, then Azure AD returns user with an ID token.

50
Q

How do you authenticate long-running processes or apps that operate without interaction with a user (daemon apps)?

A

You can prove the app’s identity using a client secret or certificate

The only endpoint used is /token

In this flow, the app interacts directly with the /token endpoint to obtain access

51
Q

Single page apps (SPAs) like those written in React or Angular use what auth flow?

A

The app receives a code from the Microsoft identity platform authorize endpoint, and redeems it for an access token and a refresh token using cross-site web requests. The access token expires every 24 hours, and the app must request another code using the refresh token.

In addition to the access token, an id_token that represents the signed-in user to the client application is typically also requested through the same flow and/or a separate OpenID Connect request

/authorize
/token

52
Q

Web app authentication flow?

A

Just uses the /authorize endpoint (gets a token still though)

You can ensure the user’s identity by validating the ID token with a public signing key that is received from the Microsoft identity platform.

53
Q

Authentication flow for a web API

A
  1. /token
  2. /.well-known/discovery (requests token validation metadata, returns signing keys, etc.)

54
Q

Web app authentication

A

Just goes to /authorize

/authorize endpoint returns a token