Implement Azure Security Flashcards
What are the components of the Microsoft identity platform?
- OAuth 2.0 and OpenID Connect for a standards-based authentication service
- Open source libraries (MSAL) - support for other libraries
- Application management portal - registration and configuration experience in the Azure portal
- Application configuration API and PowerShell
When you register an app in the Azure portal, what are your options for integrating with Azure Active Directory?
- Single tenant - accessible in your tenant
- Multi-tenant - accessible in other tenants
What is an application object?
The unique identifier for an application that is defined in Azure Active Directory. It is used as a template to create one or more service principal objects.
What is a service principal object?
Allows access to resources secured by an Azure Active Directory tenant. Service principals are the managed security principals for both users and applications.
What type of service principals are there?
- Application - local representation of a global application in a single tenant or directory.
- Managed identity - a way for services to access resources such as Azure Key Vault without handling credentials.
- Legacy
Explain the key features of OAuth 2.0
- Authorization server - also called the identity provider or IdP; handles the end-user's information and issues tokens.
- Client - the requesting application
- Resource owner - the application user, or end-user
- Resource server - hosts the protected resources or provides access to them.
Common endpoints:
# Authorization endpoint
https://login.microsoftonline.com/issuer/oauth2/v2.0/authorize
# Token endpoint
https://login.microsoftonline.com/issuer/oauth2/v2.0/token
Permissions are requested with the "scope" parameter, e.g.:
https://graph.microsoft.com/Calendars.Read
What are the permission types you can have?
Delegated permissions - used by apps that have a signed-in user present
Application permissions - Used by apps that run without a signed-in user present - such as a daemon
What are consent types?
The ways an application registered with the Microsoft identity platform (MIP) obtains permission to access the resources or APIs it needs.
What consent types are there?
- Static user consent - specify all the permissions the app needs in its configuration in the Azure portal. This can be challenging because all of the required resources must be known ahead of time.
- Incremental and dynamic user consent - ask for a minimum set of permissions upfront and request more over time as the customer uses additional app features.
  - This is done with the scope parameter when requesting an access token.
- Admin consent - required when the app needs access to certain high-privilege permissions.
What does a typical OpenId Connect or OAuth 2.0 app permission request look like?
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345
What does conditional access allow you to do?
- Add multifactor authentication
- Allowing only Intune-enrolled devices
- Restricting user locations and IP ranges
What is the name of the library that gives secure access to Microsoft Graph, Microsoft APIs, Web APIs, or even your own APIs?
Microsoft Authentication Library (MSAL)
What types of applications are security tokens required for? How can they be grouped? What are the differences between the groups?
Security tokens can be acquired by multiple types of applications.
Public client applications - web-facing applications. They typically support only public client flows and can't hold configuration-time secrets or client secrets.
Confidential client applications - apps that run on servers. They are considered difficult to access, so they can hold client secrets.
What is the recommended way to instantiate an application with MSAL.NET?
PublicClientApplicationBuilder
ConfidentialClientApplicationBuilder
Ex.
using Microsoft.Identity.Client;
IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId).Build();
A number of .With methods are available on the builder, such as:
- .WithAuthority, .WithRedirectUri, .WithClientId, .WithComponent
What package is used to access the Microsoft identity platform in C#?
Microsoft.Identity.Client
What is a Shared Access Signature (SAS)?
It is a URI that grants restricted access rights to Azure Storage resources. It includes a token that contains a special set of query parameters.
What types of shared access signatures are there?
- User delegation SAS - secured with Azure Active Directory credentials and also by the permissions specified for the SAS. Only for Blob Storage.
- Service SAS - secured with the storage account key. Works for Blob Storage, Queue Storage, Table Storage, or Azure Files.
- Account SAS - secured with the storage account key. Can access one or more storage services.
What are the components of a SAS token?
sp=r - controls the access rights (a, c, d, l, r, w)
st=DATETIME - the date and time when access starts
se=DATETIME - the date and time when access ends
sv=2020-10-20 - the version of the storage API to use
sr=b - the kind of storage being accessed
sig=ersadf - the cryptographic signature
What is a stored access policy?
A stored access policy provides an additional level of control over service-level SAS on the server side.
What is Microsoft Graph?
Offers a single API endpoint to all the data and intelligence in Microsoft 365.
What are the components of a REST API call to Microsoft Graph?
{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}
What is Azure Key Vault?
A cloud service for securely storing and accessing secrets: anything from passwords to certificates or keys.
What are managed identities?
Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory authentication.
What are the types of managed identities? What are the differences?
- System-assigned managed identity - enabled directly on an Azure service instance. Azure creates an identity for the instance, credentials are provisioned, and the lifecycle is tied to that Azure service instance.
- User-assigned managed identity - created as a standalone Azure resource. The user must manage its lifecycle, and it can be assigned to one or more Azure services.
How can you enable a system-assigned managed identity with bash (Azure CLI)?
az vm (or other resource type) create with the flags:
- --assign-identity
- --admin-username
- --admin-password
- --scope Subscription
You can also assign one to an existing VM with:
az vm identity assign -g myResourceGroup -n myVm
How can you acquire an access token with managed identities?
- Send an HTTP REST call to the local token service on the resource. It returns a token based on the managed identity's service principal, and that token then grants access to the services the managed identity is allowed to reach.