Implement Azure Security Flashcards

1
Q

What are the components of the Microsoft identity platform?

A
  • OAuth 2.0 and OpenID Connect (OIDC) as the standards-based authentication and authorization service
  • Open-source libraries: the Microsoft Authentication Library (MSAL), plus support for other standards-compliant libraries
  • Application management portal: the registration and configuration experience in the Azure portal
  • Application configuration API and PowerShell, for registering and configuring apps programmatically (for example from CI/CD)
2
Q

When you register an app in the Azure portal, what are your options for integrating with Azure Active Directory?

A
  • Single tenant - only accounts in the directory where the app is registered can sign in
  • Multi-tenant - accounts in any Azure AD directory can sign in; each tenant that consents gets its own service principal for the app. A multi-tenant app that should only trust certain tenants must check the tid (tenant ID) or issuer claim in the tokens it receives, because the platform will issue tokens for any tenant that consented.

3
Q

What is an application object?

A

The globally unique definition of an application in the Azure AD tenant where it was registered (its home tenant), identified by its application (client) ID. It is the template from which one or more service principal objects are created: one in the home tenant, and one more in every other tenant where the app is used.

4
Q

What is a service principal object?

A

The local representation of an application in a specific tenant. It is the security principal that is granted permissions, assigned roles, and allowed to access resources secured by that Azure AD tenant. Users and groups are security principals too; giving applications a service principal means access policy, conditional access and audit apply to them in the same way.

5
Q

What type of service principals are there?

A
  • Application - the local representation of a global application object in a single tenant or directory. Created in the home tenant at registration and again in every tenant that consents to a multi-tenant app.
  • Managed identity - a service principal that Azure creates and manages for an Azure resource (VM, App Service, Function, and so on) so that the resource can authenticate to services that support Azure AD authentication, such as Azure Key Vault, with no credential stored in code or configuration.
  • Legacy - a service principal for an app created before app registrations existed, or through older experiences. It has no associated application object; it can still have credentials and reply URLs, but only supports a subset of features.
6
Q

Explain the key features of OAuth 2.0

A
  • Authorization server - also called the identity provider (IdP); authenticates the end user, holds the user's information and issues tokens. For the Microsoft identity platform this is login.microsoftonline.com.
  • Client - the application requesting access on the user's behalf
  • Resource owner - the application user, or end user, who owns the data and grants access to it
  • Resource server - the API that hosts the protected resource and accepts the access token (for example Microsoft Graph)

Common endpoints ({tenant} is a tenant ID, a verified domain name, or one of common, organizations, or consumers):
# Authorization endpoint
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
# Token endpoint
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

Permissions are requested with the "scope" parameter, as space-separated, fully qualified resource/permission names, for example:
https://graph.microsoft.com/Calendars.Read

7
Q

What are the permission types you can have?

A

Delegated permissions - used by apps that have a signed-in user present. The app acts as that user, so its effective permission is the intersection of what the app was granted and what the user is allowed to do.
Application permissions - used by apps that run without a signed-in user present, such as a daemon or background service. They apply tenant-wide and can only be consented to by an administrator.

8
Q

What are consent types?

A

Consent is how a user or administrator grants an application registered in the Microsoft identity platform (MIP) the permissions it requests to resources or APIs. The consent types describe who grants the permissions and when: all at once at first sign-in, incrementally as features are used, or by an administrator on behalf of the whole organization.

9
Q

What consent types are there?

A
  • Static user consent - The app declares all the permissions it needs in its registration in the Azure portal and the user is prompted for all of them at first sign-in. This is hard when you cannot know every resource ahead of time, and it tends to over-request.
  • Incremental and dynamic user consent - Ask for a minimum set of permissions up front and request more over time as the user starts using additional app features (least privilege by default).
    • This is done with the scope parameter when requesting an authorization code or access token; the user is prompted only for scopes that have not already been consented to.
  • Admin consent - Required when an app needs certain high-privilege permissions (all application permissions and some delegated ones). An administrator consents once for the whole organization, and users are not prompted.
10
Q

What does a typical OpenId Connect or OAuth 2.0 app permission request look like?

A

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345

The client ID, redirect URI and state are placeholder values from the documentation. response_type=code starts the authorization code flow, response_mode=query returns the code in the query string of the redirect URI, the space-separated scope list names the delegated permissions being requested, and state is echoed back on the redirect so the app can tie the response to the request it made (use an unguessable value and check it on return, not a constant like 12345).
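
The request above, as an added example in Python (not code from the flashcards or from Microsoft): it builds the same authorization URL with the two extra parameters a public client should always send, an unguessable state and a PKCE code challenge, then validates the redirect back to the app and prepares the body for the token endpoint. The client ID, redirect URI and scopes are the placeholders from the card; everything else is assumed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Microsoft identity platform v2.0 endpoints; "common" is the multi-tenant authority
# used in the flashcard request.
AUTHORITY = "https://login.microsoftonline.com/common"
AUTHORIZE_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/token"


def make_code_verifier() -> str:
    """Random PKCE verifier: 43 URL-safe characters (RFC 7636 allows 43-128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_state() -> str:
    """Unguessable state value, stored per request in the session before redirecting."""
    return secrets.token_urlsafe(24)


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id, redirect_uri, scopes, state, code_verifier):
    """Authorization request for the authorization code flow with PKCE.

    Same parameters as the flashcard request (response_type=code, response_mode=query,
    space-separated scopes, state) plus the PKCE challenge a public client must send.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    # quote (not quote_plus): spaces become %20 and "/" becomes %2F, as in the card
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def parse_callback(redirect_url, expected_state):
    """Validate the redirect back to redirect_uri and return the authorization code.

    The state check ties this response to a request this app started; without it an
    attacker can make the victim's browser finish a flow the attacker began (login CSRF).
    """
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this app")
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {query['error'][0]}: {description}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id, redirect_uri, code, code_verifier, scopes):
    """Form body to POST to TOKEN_ENDPOINT to redeem the code.

    The code_verifier proves that the client redeeming the code is the one that started
    the flow; a public client sends no client_secret.
    """
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the authorize request exactly
        "code_verifier": code_verifier,
        "scope": " ".join(scopes),
    }
```

The code verifier and state never leave the client except in the requests above; both are generated fresh per sign-in and discarded after the code is redeemed.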

11
Q

What does conditional access allow you to do?

A
  • Require multifactor authentication
  • Allow only Intune-enrolled (or compliant) devices
  • Restrict sign-in by user location or named IP ranges
  • Block legacy authentication clients, which cannot satisfy an MFA requirement
12
Q

What is the name of the library that gives secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own APIs?

A

Microsoft Authentication Library (MSAL)

13
Q

What types of applications are security tokens required for? How can they be grouped? What are the differences between the groups?

A

Security tokens can be acquired by multiple types of applications.

Public client applications - Apps that run on a device or desktop, or in a web browser (mobile, desktop and single-page apps). An end user can inspect them, so they can't hold configuration-time secrets such as a client secret and support only public client flows (for example authorization code with PKCE, or device code).
Confidential client applications - Apps that run on a server (web apps, web APIs, daemons). Their runtime is considered hard for an end user to reach, so they can hold a client credential (a client secret or, better, a certificate) and prove their identity to the token endpoint with it.

14
Q

What is the recommended way to instantiate an application with MSAL.NET?

A

PublicClientApplicationBuilder
ConfidentialClientApplicationBuilder

Ex.

IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId).Build();

A number of .With methods can be chained before .Build(), such as:
  • .WithAuthority, .WithRedirectUri, .WithClientId, .WithComponent
  • For confidential clients only: .WithClientSecret or .WithCertificate, which supply the client credential the app proves its identity with

15
Q

What package is used to access the Microsoft identity platform in C#?

A

Microsoft.Identity.Client

16
Q

What is a Shared Access Signature (SAS)?

A

It is a URI that grants restricted access rights to Azure Storage resources. The URI includes a token made up of a special set of query parameters that describe what is allowed (which resource, which permissions, for what time window) and a signature over those parameters, so the holder can use the resource without knowing the account key.

17
Q

What types of shared access signatures are there?

A
  • User delegation SAS - Secured with Azure Active Directory credentials (a user delegation key obtained with an Azure AD token) and by the permissions specified for the SAS. Only for Blob Storage. Preferred where available, because it does not expose the storage account key.
  • Service SAS - Secured with the storage account key. Grants access to one resource in a single service: Blob storage, Queue storage, Table storage, or Azure Files.
  • Account SAS - Secured with the storage account key. Can grant access to one or more storage services, including service-level operations (such as listing containers) that a service SAS cannot.
18
Q

What are the components of an SAS token?

A

sp=r - Signed permissions: the access rights granted (a=add, c=create, d=delete, l=list, r=read, w=write, among others)
st=DATETIME - Signed start: when access begins (UTC, ISO 8601; optional, defaults to now)
se=DATETIME - Signed expiry: the date and time when access ends (required)
sv=2020-10-20 - Signed version: the storage service API version used to interpret the token
sr=b - Signed resource: the kind of resource being accessed (b=blob, c=container, and so on)
sig=ersadf - The HMAC-SHA256 signature the issuer computed over the other fields and the resource path (the values shown are placeholders)

Because sig covers sp, st, se and the resource, changing any of them in the URI invalidates the token. The remaining protection is the expiry being short and the account key (or user delegation key) staying secret; anyone holding the URI can use it until se passes.

19
Q

What is a stored access policy?

A

A stored access policy provides an additional level of control over a service-level SAS on the server side. It is defined on the container, file share, queue, or table and holds the start time, expiry and permissions; a SAS that references it (via the si= parameter) inherits them. That lets you revoke or change such a SAS by editing or deleting the policy, whereas an ad-hoc SAS can only be revoked by rotating the account key it was signed with.
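
An added Python example, not code from the flashcards or from any Azure SDK, showing what the sig parameter of a service SAS actually binds: it computes a blob service SAS the way the service does (HMAC-SHA256 over the newline-joined signed fields, keyed with the base64-decoded account key) and a server-side check that recomputes the signature and enforces se and sp. The account name and key are constructed, the field order follows the documented string-to-sign for service version 2020-12-06 (an assumption; older versions have fewer fields), and si is where a stored access policy identifier would go. For simplicity the verifier still expects sp, st and se in the token instead of looking them up from a policy.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Constructed example account and key: NOT a real Azure Storage key.
ACCOUNT = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")
SAS_VERSION = "2020-12-06"  # service version whose string-to-sign layout is assumed below
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Signed fields of a blob service SAS in the order they are joined with "\n" into the
# string-to-sign; "_resource" marks the canonicalized resource path. Unset fields are "".
SIGNED_FIELDS = ("sp", "st", "se", "_resource", "si", "sip", "spr", "sv", "sr",
                 "sst", "ses", "rscc", "rscd", "rsce", "rscl", "rsct")


def utc(year, month, day, hour=0):
    """Helper for building UTC timestamps without importing datetime elsewhere."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def canonicalized_resource(account, container, blob):
    return f"/blob/{account}/{container}/{blob}"


def string_to_sign(params, resource):
    values = [resource if f == "_resource" else params.get(f, "") for f in SIGNED_FIELDS]
    return "\n".join(values)


def sign(key_b64, data):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def create_blob_sas(account, key_b64, container, blob, permissions, start, expiry, policy_id=None):
    """Issue a service SAS for one blob; returns the query string to append to the blob URL."""
    params = {
        "sp": permissions,
        "st": start.strftime(TIME_FMT),
        "se": expiry.strftime(TIME_FMT),
        "spr": "https",  # refuse plain-HTTP use of the token
        "sv": SAS_VERSION,
        "sr": "b",
    }
    if policy_id:
        params["si"] = policy_id  # stored access policy reference
    params["sig"] = sign(key_b64, string_to_sign(params, canonicalized_resource(account, container, blob)))
    return urlencode(params)


def verify_blob_sas(account, key_b64, container, blob, sas_query, now, required_permission):
    """Server-side check: recompute sig over the presented fields, then enforce window and rights."""
    params = {k: v[0] for k, v in parse_qs(sas_query).items()}
    expected = sign(key_b64, string_to_sign(params, canonicalized_resource(account, container, blob)))
    if not hmac.compare_digest(expected.encode(), params.get("sig", "").encode()):
        return False, "signature does not match (token altered or wrong resource)"
    start = datetime.strptime(params["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not (start <= now < expiry):
        return False, "outside the st/se window"
    if required_permission not in params.get("sp", ""):
        return False, f"permission {required_permission!r} not granted"
    return True, "ok"
```

Editing sp from r to rw in the query string, or presenting the token for a different blob, changes the string-to-sign and so fails the signature check; only the key holder can mint a token with broader rights.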

20
Q

What is Microsoft Graph?

A

Offers a single API endpoint to all the data and intelligence in Microsoft 365

21
Q

What are the components of a REST API call to microsoft graph?

A

{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}

22
Q

What is Azure Key Vault?

A

A cloud service for securely storing and accessing secrets: anything from passwords and connection strings to certificates and cryptographic keys. Access to each vault is controlled through Azure AD (access policies or Azure RBAC), and operations can be logged for audit.

23
Q

What are managed identities?

A

Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory authentication.

24
Q

What are the types of managed identities? What are the differences?

A
  • System-assigned managed identity - Enabled directly on an Azure service instance. Azure creates an identity for the instance in the tenant, provisions its credentials, and ties the identity's lifecycle to the instance: delete the resource and the identity is deleted with it. One per resource, not shareable.
  • User-assigned managed identity - Created as a standalone Azure resource. You manage its lifecycle yourself, and it can be assigned to one or more Azure services, so role assignments can be made before the workload exists and shared across instances (for example the VMs of a scale set).
25
Q

How can you enable system-assigned managed identities with bash?

A

Pass --assign-identity when creating the resource (shown for az vm create; other services use the same flag):

az vm create -g myResourceGroup -n myVm --image <image> \
    --admin-username <user> --generate-ssh-keys \
    --assign-identity --role Contributor --scope /subscriptions/<subscription-id>

  • --assign-identity with no value enables a system-assigned identity
  • --role and --scope optionally create a role assignment for the new identity in the same step; scope it to the resource group or resource the workload actually needs rather than the whole subscription
  • --admin-password can be used instead of --generate-ssh-keys, but it puts a password on the command line and in shell history

For an existing VM, enable the identity afterwards with:
az vm identity assign -g myResourceGroup -n myVm

26
Q

How can you acquire an access token with managed identities?

A
  1. Send an HTTP GET to the local token endpoint (the Azure Instance Metadata Service at 169.254.169.254 on a VM, or the endpoint exposed through the IDENTITY_ENDPOINT environment variable on App Service and Functions) naming the target resource, for example https://vault.azure.net. The endpoint authenticates the calling Azure resource, obtains an access token for the managed identity's service principal from Azure AD, and returns it; the app then presents that token to the services the managed identity has been granted access to.
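
That local call, as an added Python example (not code from the flashcards or the Azure SDK): it builds the request for the two common endpoints (IMDS on a VM; IDENTITY_ENDPOINT plus IDENTITY_HEADER on App Service and Functions), fetches the token through a pluggable transport so it can run offline against a constructed sample response, and reads the token's aud claim to confirm it is scoped to the requested resource. The 127.0.0.1 endpoint, the GUIDs and the token in the sample are made up.

```python
import base64
import json
import os
from urllib.parse import urlencode
from urllib.request import ProxyHandler, Request, build_opener

# Fixed link-local address of the Azure Instance Metadata Service (IMDS) on VMs and
# scale sets. App Service, Functions and Container Apps expose a per-app endpoint
# through environment variables instead.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_token_request(resource, client_id=None, env=None):
    """Return (url, headers) for the local managed-identity token endpoint.

    resource is the audience to request a token for (e.g. https://vault.azure.net);
    client_id selects a user-assigned identity when the resource has more than one.
    """
    env = os.environ if env is None else env
    params = {"resource": resource}
    if client_id:
        params["client_id"] = client_id
    identity_endpoint = env.get("IDENTITY_ENDPOINT")
    if identity_endpoint:
        # App Service style: endpoint and a per-app secret header come from the environment
        params["api-version"] = "2019-08-01"
        return f"{identity_endpoint}?{urlencode(params)}", {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    # VM style: IMDS requires the Metadata header (blocks SSRF via forwarded requests)
    params["api-version"] = "2018-02-01"
    return f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}", {"Metadata": "true"}


def _http_get(url, headers):
    # Bypass any HTTP_PROXY setting: IMDS only answers direct link-local requests.
    opener = build_opener(ProxyHandler({}))
    with opener.open(Request(url, headers=headers), timeout=5) as resp:
        return resp.read()


def fetch_token(resource, transport=_http_get, **request_args):
    """GET the token endpoint and return (access_token, expires_on as unix seconds)."""
    url, headers = build_token_request(resource, **request_args)
    body = json.loads(transport(url, headers))
    return body["access_token"], int(body["expires_on"])


def decode_jwt_claims(token):
    """Read a JWT payload without verifying it. For client-side inspection only: a
    resource server must verify signature, issuer and audience before trusting claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample IMDS response for offline use: an unsigned token carrying the kind
# of claims a managed-identity token has (aud, iss, appid, oid, exp). Not a real token.
SAMPLE_CLAIMS = {
    "aud": "https://vault.azure.net",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "exp": 1700003600,
}
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": ".".join([
        _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
        _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
        "",
    ]),
    "expires_on": "1700003600",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
}).encode()


if __name__ == "__main__":
    token, expires_on = fetch_token("https://vault.azure.net", transport=lambda u, h: SAMPLE_IMDS_RESPONSE, env={})
    print("audience:", decode_jwt_claims(token)["aud"], "expires_on:", expires_on)
```

Because the token endpoint is reachable by any process on the VM, anything that can make an HTTP request from the machine (including an SSRF in an app running there) can obtain the identity's tokens; the Metadata header requirement stops browser-forwarded requests but not code execution on the host, so scope the identity's role assignments narrowly.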