Security Flashcards

1
Q

What are the two ways to log into Azure and what is the difference between them?

A

Log in using a Microsoft account: A Microsoft account can be associated with multiple Azure subscriptions - one of which is the default subscription. The default subscription is the one you use if you log in and don’t switch to another.

Log in using an Azure service principal: A service principal is specific to an Azure AD tenant. Remember that the subscription information is displayed when you log in.

2
Q

How do you reset the credential (certificate or password) of a service principal?

A

az ad sp credential reset

Insufficient privileges to complete the operation:
Permissions are granted at the app level. In order for an app to reset its own credential, it needs to have the Application Permission Azure Active Directory Graph > Application.ReadWrite.All; then it can run az ad app credential reset --id {}. The side effect is that it also has permission to reset the credentials of other apps.

You may also grant the Azure Active Directory Graph > Application.ReadWrite.OwnedBy permission and use this app to create a child app and log in with the child app. The parent app is capable of resetting the credential of the child app.

3
Q

What is “Application registration”? What is a side effect of creating it in the portal?

A

Application registration is the creation of an identity (Application object) for an app in Azure AD.
The side effect is the creation of an application object and a service principal object in your home tenant.

If you’re developing a new application, you’ll need to first create the application in the App Registrations blade (not Enterprise applications). You can then manage access to that new application from the Enterprise Applications blade.

4
Q

What is an Application object?

A

It represents an app in AAD and allows AAD to authenticate for this app. The application object is global (not tenant specific).

An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used.

The application object describes three aspects of an application: 1. how the service can issue tokens in order to access the application, 2. resources that the application might need to access, 3. the actions that the application can take.

5
Q

What is a service principal?

A

A service principal is the local representation, or application instance, of a global application object in a single tenant or directory. A service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

6
Q

What is the difference between a system-assigned managed identity and a user-assigned managed identity?

A

A user-assigned managed identity can be shared: the same user-assigned managed identity can be associated with more than one Azure resource, e.g. multiple VMs.
