Implement User Authentication and Authorization

Question 1

What is a requirement for Azure AD to work?

Answer 1

Both Client and API application must be registred in Azure via APP registrations.

Question 2

Explain what the difference is between an ad-hoc SAS and a SAS that is associated with a stored access policy

Answer 2

An ad-hoc SAS contains all information like startime, end time and permissions directly in the URI

example: ?sv=2018-11-09&sr=c&sig=rS3eUbL5eCSmmth57EQkTEd6DEIo4luyg%2FtXvqvorXc%3D&st=2020-05-28T18%3A14%3A50Z&se=2020-05-29T18%3A19%3A50Z&sp=wl

When SAS is associated with a stored access policy, it inherits the settings from the policy. Its also possible to revoke those by changing the policy.

example: http://127.0.0.1:10000/devstoreaccount1/sas-container-637262939086872312?sv=2018-11-09&sr=c&si=tutorial-policy-637262939086922296&sig=0pZAShTGtP7qYz%2FaXIf4Zr32hcA4RMr4dYDFPQUcj3w%3D

Question 3

When setting an ad-hoc SAS url such as https://myblob.blob.core.windows.net/container/file?sv=2019-02-02&se=21-05-31&sr=b&sp=r&sig=abcDEFhkjs

What does sr stand for and what are the possible options?

Answer 3

Signed resource - specifies which resources are accessable via the shared signature
b - blob
bv - blob version (content & metadata but not base blob)
bs - blob snapshot (content & metadata but not base blob)
c - container
d- directory

Question 4

When setting an ad-hoc SAS url such as https://myblob.blob.core.windows.net/container/file?sv=2019-02-02&se=21-05-31&sr=b&sp=r&sig=abcDEFhkjs

What does sp stand for and what are the possible options?

Answer 4

Signed Permissions 
r - read
w - write 
a - add 
c - create
d - delete

Question 5

What’s the difference between Authentication and authorization?

Answer 5

Authentication is the process of proving that you are who you say you are.

Authorization is the act of granting an authenticated party permission to do something.

Question 6

What are the three container permissions in Azure Storage?

Answer 6

Full public read access
Public read access for blobls
No public read access

Question 7

What are the three types of SAS that Azure supports?

Answer 7

User Delegation
Service SAS
Account SAS

Question 8

What are the resources that a Service SAS can access?

Answer 8

Blob storage, Queue storage, Table storage, or Azure Files.

Question 9

What restrictions apply to redirect URLs for AD?

Answer 9

Must begin with https

Reply URL is case-sensitive

Question 10

What are the valid options to set the blob storage access tier using the tag x-ms-access-tier?

Answer 10

Hot/Cool/Archive

Question 11

If the following attributes are added to a controller, what happens?

[Authorize(Policy = "EmployeeOnly")]
[Authorize(Policy = "HumanResources")]

Answer 11

Must fulfill both the EmployeeOnly policy and the HumanResources policy:

Question 12

When can you use Managed identities ?

Answer 12

When the target supports Azure Active Directory

• Azure Key Vault
• Azure Storage
• Azure SQL …

Question 13

When would you use System assigned identities vs user assigned identities?
For Creation?

Answer 13

System - Created as part of Azure resource

User - Created as a stand-alone Azure resource

Question 14

When would you use System assigned identities vs user assigned identities?
Life cycle?

Answer 14

System - Shared life cycle with the resource that the managed identity is created with. When the parent resource is created, the identity is deleted to

User - Life cyle is independent and must be explicitly deleted.

Question 15

When would you use System assigned identities vs user assigned identities?
Sharing?

Answer 15

System - Can’t be shared, only associated with single Azure resource

User - Can be shared

Question 16

When would you use System assigned identities vs user assigned identities?

Common use case

Answer 16

System - Workloads that are contained within single Azure resource. E.g. application that runs on a single VM

User - Workloads that run on multiple resources and can share a single identity. If resources are recyled frequently but permissions stay consistent. E.g. multiple VM’s accessing same resource.

Question 17

What plans do you need to run MFA?

Answer 17

All plans can run MFA, upgrading to Azure Premium P1 or P2 means that you can change how MFA is used.

P1 adds conditional access, e.g. don’t ask for MFA if in the office.

P2 adds risk based conditional access. It asks for MFA when the user behaviour is outside of the normal.

• IP address
• Travel times
• Different browser
• Password spray

Question 18

When would you use Application proxy connectors?

Answer 18

When you need an onprem app to connect to Azure to allow a user to connect using an Application proxy

Question 19

What are the steps to protect backend API with Active Directory?

Answer 19

1. Register an application in Azure AD to represent the API
2. Register another application in Azure AD to represent a client application
3. Grant permissions in Azure AD
4. Enable OAuth 2.0 user authorization in the Developer Console
5. Successfully call the API from the developer portal
6. Configure a JWT validation policy to pre-authorize requests
   Build an application to call the API

Question 20

What’s the first step to allow a VM with a system-assigned identity to access Azure Resource Manager API?

Answer 20

Grant the reader role to the identity at the subscription scope