Implement User Authentication and Authorization Flashcards

1
Q

What is a requirement for Azure AD to work?

A

Both the client and the API application must be registered in Azure via App registrations.

2
Q

Explain what the difference is between an ad-hoc SAS and a SAS that is associated with a stored access policy

A

An ad-hoc SAS contains all information, such as start time, end time and permissions, directly in the URI.

example: ?sv=2018-11-09&sr=c&sig=rS3eUbL5eCSmmth57EQkTEd6DEIo4luyg%2FtXvqvorXc%3D&st=2020-05-28T18%3A14%3A50Z&se=2020-05-29T18%3A19%3A50Z&sp=wl

When a SAS is associated with a stored access policy, it inherits the settings from the policy. It's also possible to revoke those by changing the policy.

example: http://127.0.0.1:10000/devstoreaccount1/sas-container-637262939086872312?sv=2018-11-09&sr=c&si=tutorial-policy-637262939086922296&sig=0pZAShTGtP7qYz%2FaXIf4Zr32hcA4RMr4dYDFPQUcj3w%3D

3
Q

When setting an ad-hoc SAS URL such as https://myblob.blob.core.windows.net/container/file?sv=2019-02-02&se=21-05-31&sr=b&sp=r&sig=abcDEFhkjs

What does sr stand for and what are the possible options?

A

Signed resource - specifies which resources are accessible via the shared signature
b - blob
bv - blob version (content & metadata but not base blob)
bs - blob snapshot (content & metadata but not base blob)
c - container
d - directory

4
Q

When setting an ad-hoc SAS URL such as https://myblob.blob.core.windows.net/container/file?sv=2019-02-02&se=21-05-31&sr=b&sp=r&sig=abcDEFhkjs

What does sp stand for and what are the possible options?

A

Signed permissions
r - read
w - write
a - add
c - create
d - delete

5
Q

What’s the difference between Authentication and authorization?

A

Authentication is the process of proving that you are who you say you are.

Authorization is the act of granting an authenticated party permission to do something.

6
Q

What are the three container permissions in Azure Storage?

A

Full public read access
Public read access for blobs
No public read access

7
Q

What are the three types of SAS that Azure supports?

A

User Delegation
Service SAS
Account SAS

8
Q

What are the resources that a Service SAS can access?

A

Blob storage, Queue storage, Table storage, or Azure Files.

9
Q

What restrictions apply to redirect URLs for AD?

A

Must begin with https

Reply URL is case-sensitive

10
Q

What are the valid options to set the blob storage access tier using the tag x-ms-access-tier?

A

Hot/Cool/Archive

11
Q

If the following attributes are added to a controller, what happens?

[Authorize(Policy = "EmployeeOnly")]
[Authorize(Policy = "HumanResources")]
A

The caller must fulfill both the EmployeeOnly policy and the HumanResources policy.

12
Q

When can you use managed identities?

A

When the target supports Azure Active Directory

  • Azure Key Vault
  • Azure Storage
  • Azure SQL …
13
Q

When would you use System assigned identities vs user assigned identities?
For Creation?

A

System - Created as part of Azure resource

User - Created as a stand-alone Azure resource

14
Q

When would you use System assigned identities vs user assigned identities?
Life cycle?

A

System - Shared life cycle with the resource that the managed identity is created with. When the parent resource is created, the identity is deleted too.

User - Life cycle is independent and must be explicitly deleted.

15
Q

When would you use System assigned identities vs user assigned identities?
Sharing?

A

System - Can’t be shared, only associated with single Azure resource

User - Can be shared

16
Q

When would you use System assigned identities vs user assigned identities?

Common use case

A

System - Workloads that are contained within a single Azure resource, e.g. an application that runs on a single VM.

User - Workloads that run on multiple resources and can share a single identity, or where resources are recycled frequently but permissions stay consistent, e.g. multiple VMs accessing the same resource.

17
Q

What plans do you need to run MFA?

A

All plans can run MFA; upgrading to Azure AD Premium P1 or P2 means that you can change how MFA is used.

P1 adds conditional access, e.g. don't ask for MFA if the user is in the office.

P2 adds risk-based conditional access. It asks for MFA when the user's behaviour is outside of the normal, for example:

  • IP address
  • Travel times
  • Different browser
  • Password spray
18
Q

When would you use Application proxy connectors?

A

When you need an on-prem app to connect to Azure so that a user can reach it through Application Proxy.

19
Q

What are the steps to protect a backend API with Azure Active Directory?

A
  1. Register an application in Azure AD to represent the API
  2. Register another application in Azure AD to represent a client application
  3. Grant permissions in Azure AD
  4. Enable OAuth 2.0 user authorization in the Developer Console
  5. Successfully call the API from the developer portal
  6. Configure a JWT validation policy to pre-authorize requests
  7. Build an application to call the API
20
Q

What’s the first step to allow a VM with a system-assigned identity to access Azure Resource Manager API?

A

Grant the reader role to the identity at the subscription scope