Implement User Authentication and Authorization Flashcards
What is a requirement for Azure AD to work?
Both the client and the API application must be registered in Azure via App registrations.
Explain what the difference is between an ad-hoc SAS and a SAS that is associated with a stored access policy
An ad-hoc SAS contains all information, such as start time, end time and permissions, directly in the URI.
example: ?sv=2018-11-09&sr=c&sig=rS3eUbL5eCSmmth57EQkTEd6DEIo4luyg%2FtXvqvorXc%3D&st=2020-05-28T18%3A14%3A50Z&se=2020-05-29T18%3A19%3A50Z&sp=wl
When a SAS is associated with a stored access policy, it inherits the settings from the policy. It's also possible to revoke such signatures by changing the policy.
example: http://127.0.0.1:10000/devstoreaccount1/sas-container-637262939086872312?sv=2018-11-09&sr=c&si=tutorial-policy-637262939086922296&sig=0pZAShTGtP7qYz%2FaXIf4Zr32hcA4RMr4dYDFPQUcj3w%3D
When setting an ad-hoc SAS URL such as https://myblob.blob.core.windows.net/container/file?sv=2019-02-02&se=21-05-31&sr=b&sp=r&sig=abcDEFhkjs
What does sr stand for and what are the possible options?
Signed resource - specifies which resources are accessible via the shared access signature
b - blob
bv - blob version (content & metadata but not base blob)
bs - blob snapshot (content & metadata but not base blob)
c - container
d - directory
When setting an ad-hoc SAS URL such as https://myblob.blob.core.windows.net/container/file?sv=2019-02-02&se=21-05-31&sr=b&sp=r&sig=abcDEFhkjs
What does sp stand for and what are the possible options?
Signed permissions - specifies which operations the signature allows
r - read
w - write
a - add
c - create
d - delete
What's the difference between authentication and authorization?
Authentication is the process of proving that you are who you say you are.
Authorization is the act of granting an authenticated party permission to do something.
What are the three container permissions in Azure Storage?
Full public read access
Public read access for blobs
No public read access
What are the three types of SAS that Azure supports?
User Delegation
Service SAS
Account SAS
What are the resources that a Service SAS can access?
Blob storage, Queue storage, Table storage, or Azure Files.
What restrictions apply to redirect URLs for AD?
Must begin with https
Reply URL is case-sensitive
What are the valid options to set the blob storage access tier using the x-ms-access-tier header?
Hot/Cool/Archive
If the following attributes are added to a controller, what happens?
[Authorize(Policy = "EmployeeOnly")] [Authorize(Policy = "HumanResources")]
The caller must fulfill both the EmployeeOnly policy and the HumanResources policy.
When can you use managed identities?
When the target service supports Azure Active Directory authentication, e.g.:
- Azure Key Vault
- Azure Storage
- Azure SQL …
When would you use System assigned identities vs user assigned identities?
For Creation?
System - Created as part of Azure resource
User - Created as a stand-alone Azure resource
When would you use System assigned identities vs user assigned identities?
Life cycle?
System - Shared life cycle with the resource that the managed identity is created with. When the parent resource is deleted, the identity is deleted too.
User - Life cycle is independent and the identity must be explicitly deleted.
When would you use System assigned identities vs user assigned identities?
Sharing?
System - Can't be shared; only associated with a single Azure resource
User - Can be shared
When would you use System assigned identities vs user assigned identities?
Common use case
System - Workloads that are contained within a single Azure resource, e.g. an application that runs on a single VM
User - Workloads that run on multiple resources and can share a single identity, or where resources are recycled frequently but permissions stay consistent, e.g. multiple VMs accessing the same resource.
What plans do you need to run MFA?
All plans can run MFA; upgrading to Azure Premium P1 or P2 changes how MFA can be used.
P1 adds conditional access, e.g. don't ask for MFA when the user is in the office.
P2 adds risk-based conditional access. It asks for MFA when the user's behaviour is outside the normal pattern, e.g.:
- IP address
- Travel times
- Different browser
- Password spray
When would you use Application proxy connectors?
When you need an on-premises app to connect to Azure so that a user can reach it through Application Proxy.
What are the steps to protect backend API with Active Directory?
- Register an application in Azure AD to represent the API
- Register another application in Azure AD to represent a client application
- Grant permissions in Azure AD
- Enable OAuth 2.0 user authorization in the Developer Console
- Successfully call the API from the developer portal
- Configure a JWT validation policy to pre-authorize requests
- Build an application to call the API
What's the first step to allow a VM with a system-assigned identity to access the Azure Resource Manager API?
Grant the Reader role to the identity at the subscription scope