Implement User Authentication and Authorization Flashcards
What is a requirement for Azure AD to work?
Both the client and the API application must be registered in Azure via App registrations.
Explain what the difference is between an ad-hoc SAS and a SAS that is associated with a stored access policy
An ad-hoc SAS contains all of the information (start time, end time and permissions) directly in the URI.
Example: ?sv=2018-11-09&sr=c&sig=rS3eUbL5eCSmmth57EQkTEd6DEIo4luyg%2FtXvqvorXc%3D&st=2020-05-28T18%3A14%3A50Z&se=2020-05-29T18%3A19%3A50Z&sp=wl
When a SAS is associated with a stored access policy, it inherits the settings from the policy. It's also possible to revoke the SAS by changing the policy.
Example: http://127.0.0.1:10000/devstoreaccount1/sas-container-637262939086872312?sv=2018-11-09&sr=c&si=tutorial-policy-637262939086922296&sig=0pZAShTGtP7qYz%2FaXIf4Zr32hcA4RMr4dYDFPQUcj3w%3D
When setting an ad-hoc SAS URL such as https://myblob.blob.core.windows.net/container/file?sv=2019-02-02&se=21-05-31&sr=b&sp=r&sig=abcDEFhkjs
What does sr stand for and what are the possible options?
Signed resource - specifies which resources are accessible via the shared access signature:
b - blob
bv - blob version (content & metadata but not base blob)
bs - blob snapshot (content & metadata but not base blob)
c - container
d - directory
When setting an ad-hoc SAS URL such as https://myblob.blob.core.windows.net/container/file?sv=2019-02-02&se=21-05-31&sr=b&sp=r&sig=abcDEFhkjs
What does sp stand for and what are the possible options?
Signed permissions - specifies which operations the shared access signature allows:
r - read
w - write
a - add
c - create
d - delete
What's the difference between authentication and authorization?
Authentication is the process of proving that you are who you say you are.
Authorization is the act of granting an authenticated party permission to do something.
What are the three container permissions in Azure Storage?
Full public read access
Public read access for blobs only
No public read access
What are the three types of SAS that Azure supports?
User delegation SAS
Service SAS
Account SAS
What are the resources that a Service SAS can access?
Blob storage, Queue storage, Table storage, or Azure Files.
What restrictions apply to redirect (reply) URLs for Azure AD?
Must begin with https
Reply URL is case-sensitive
What are the valid options to set the blob storage access tier using x-ms-access-tier?
Hot / Cool / Archive
If the following attributes are both added to a controller, what happens?
[Authorize(Policy = "EmployeeOnly")]
[Authorize(Policy = "HumanResources")]
The caller must fulfill both the EmployeeOnly policy and the HumanResources policy.
When can you use managed identities?
When the target service supports Azure Active Directory authentication, for example:
- Azure Key Vault
- Azure Storage
- Azure SQL …
When would you use system-assigned identities vs user-assigned identities?
Creation?
System - Created as part of an Azure resource
User - Created as a stand-alone Azure resource
When would you use system-assigned identities vs user-assigned identities?
Life cycle?
System - Shares its life cycle with the resource it is created with. When the parent resource is deleted, the identity is deleted too.
User - Life cycle is independent of any resource and the identity must be explicitly deleted.
When would you use system-assigned identities vs user-assigned identities?
Sharing?
System - Can't be shared; it is associated with a single Azure resource only
User - Can be shared across multiple Azure resources