User Authentication and Authorization Flashcards

1
Q

What are the 3 planes for securing Azure Storage?

A

(1) Management Plane
(who manages the storage account, assigns permissions, adds/removes users; enforced with Azure RBAC)
(2) Data Plane
(how access to the data itself is authorized: account keys, SAS tokens, or Azure AD)
(3) Encryption
(Microsoft-managed keys or customer-managed keys)

2
Q

What is the difference between a security principal, a service principal and a managed identity?

A

Security Principal => Any identity that can be granted access: a user, a group, a service principal, or a managed identity

Service Principal => The identity of an application or automated ("headless") process. It authenticates with a client secret or certificate instead of a user signing in interactively

Managed Identity => A service principal in disguise: Azure creates, stores and rotates its credentials, so nothing has to be kept in the application's configuration

3
Q

Management Plane Concepts

A

Security Principals (user/group, service principal, managed identity)

Role Definitions

Scopes

4
Q

Scope Concepts

A

(1) A scope is the set of resources an access grant applies to
(2) Scopes form a hierarchy and assignments inherit downward
(management group > subscription > resource group > resource)
(3) Role Assignment
(security principal + role definition + scope; attaches the role to the principal at that scope)

5
Q

What are the 3 concepts of the Data Plane?

A

(1) Storage account keys (shared key authorization)
(2) Shared Access Signature (scoped and time-limited; least privilege)
(3) Azure Active Directory
(requires an OAuth 2.0 access token issued by Azure AD, sent as a bearer token; the permissions come from data-plane RBAC roles)

6
Q

Fundamentals of Storage Account Keys

A

(1) Come in pairs (key1 and key2) so one can be rotated while the other stays in use
(2) They are root keys: full access to the entire storage account, every service and container in it (least restrictive)
(3) Rotate them regularly
(Azure Key Vault can manage and rotate storage account keys for you; a key expiration policy on the account flags keys that are overdue)
(4) Do not store them in application settings/configuration; prefer Azure AD with a managed identity, and disable shared-key access on the account once nothing depends on the keys

7
Q

How to use RBAC in Azure Storage

A

Go to the storage account's Access Control (IAM) blade
Click Add > Add role assignment
Select a data-plane role for the service in question (e.g. Storage Blob Data Contributor or Storage Queue Data Contributor; the Reader variants for read-only access)
Assign it to a user, group, service principal, or managed identity

Note: control-plane roles such as Owner or Contributor grant no data access through Azure AD; they only reach the data indirectly, because they can list the account keys.
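The rule behind cards 3, 4 and 7 (a role assignment = principal + role definition + scope, inherited down the scope hierarchy) can be modelled in a few lines. The following is an added example, not part of the flashcard deck: the two role definitions are abbreviated from Azure's built-in roles, the scope strings and principal object IDs are constructed, and nothing here talks to Azure. It shows the point the last card makes: Contributor at subscription scope cannot read a blob through Azure AD (its DataActions list is empty) but can list the account keys, which is full data access by another route.

```python
"""Toy model of Azure RBAC evaluation: principals, role definitions, scopes,
role assignments. Added example; abbreviated role definitions, constructed scopes."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class RoleDefinition:
    name: str
    actions: list = field(default_factory=list)           # control plane (ARM)
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)      # data plane (blobs, queues, ...)
    not_data_actions: list = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal: str        # object ID of a user, group, service principal or managed identity
    role: RoleDefinition
    scope: str            # management group, subscription, resource group or resource


# Abbreviated built-in roles (constructed for this example; compare with
# `az role definition list --name <role>` for the full lists).
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=["*"],
    not_actions=["Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/elevateAccess/Action"],
)
BLOB_DATA_READER = RoleDefinition(
    "Storage Blob Data Reader",
    actions=["Microsoft.Storage/storageAccounts/blobServices/containers/read",
             "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
    data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
)

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"


def _matches(patterns, action):
    # Azure action strings are case-insensitive and '*' may span several path segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scope_contains(assignment_scope, resource_scope):
    """Assignments inherit downward: a scope contains a resource when it is a prefix
    of the resource's scope at a path-segment boundary."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_allowed(principal, action, resource_scope, assignments, data_action=False):
    """Allowed if some assignment at or above the resource grants the action through
    (Data)Actions and the same role does not take it away through Not(Data)Actions."""
    for ra in assignments:
        if ra.principal != principal or not scope_contains(ra.scope, resource_scope):
            continue
        grants = ra.role.data_actions if data_action else ra.role.actions
        excludes = ra.role.not_data_actions if data_action else ra.role.not_actions
        if _matches(grants, action) and not _matches(excludes, action):
            return True
    return False


def effective_storage_access(principal, storage_account_scope, assignments):
    """The two questions a reviewer asks about a principal and a storage account."""
    return {
        "read_blobs_via_azure_ad": is_allowed(principal, BLOB_READ, storage_account_scope,
                                              assignments, data_action=True),
        "list_account_keys": is_allowed(principal, LIST_KEYS, storage_account_scope, assignments),
    }


# Constructed scope hierarchy: subscription > resource group > storage account.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCT = SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp001"
OTHER = SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stother001"

ASSIGNMENTS = [
    # control-plane role at subscription scope, inherited by every resource below it
    RoleAssignment("dev-team-group-oid", CONTRIBUTOR, SUB),
    # data-plane role scoped to one storage account only
    RoleAssignment("app-managed-identity-oid", BLOB_DATA_READER, ACCT),
]

if __name__ == "__main__":
    for who in ("dev-team-group-oid", "app-managed-identity-oid"):
        print(who, effective_storage_access(who, ACCT, ASSIGNMENTS))
```

Running it shows the Contributor group with `read_blobs_via_azure_ad: False` but `list_account_keys: True`, and the managed identity with the opposite, and with nothing at all on the other storage account. Deny assignments and the `NotDataActions` of other roles are modelled only as far as the rule above states; the real evaluator also applies deny assignments first.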

8
Q

What are the 3 types of SAS?

A

(1) User delegation SAS
(signed with a user delegation key obtained with Azure AD credentials instead of the account key; Blob storage only; the recommended kind)
(2) Service SAS
(delegates access to a resource in one storage service: Blob, Queue, Table or Files; signed with the account key)
(3) Account SAS
(can span several services and resource types in the account; signed with the account key)

9
Q

What are the elements of a URL with a SAS token?

A

(1) The resource URL itself
(2) signedVersion (sv)
(3) signedServices (ss) for an account SAS, or signedResource (sr) for a service SAS
(4) signedResourceTypes (srt, account SAS only)
(5) signedPermissions (sp)
(6) signedExpiry (se) and signedStart (st)
(7) signedProtocol (spr), plus the optional signedIP (sip)
(8) signature (sig): an HMAC-SHA256 over the fields above, so changing any of them invalidates the token

10
Q

Name 2 kinds of SAS

A

Ad hoc SAS
(start time, expiry and permissions are all embedded in the token itself)
Service SAS with a Stored Access Policy
(the token references the policy by name, via signedIdentifier/si, and the expiry and permissions live in the policy instead)

A service SAS can be shared and is defined at the resource level: for a container, blob, file share, queue or table.
Stored access policies are set on the container (or share, queue, table), up to five per container. Deleting or changing the policy immediately revokes every SAS that references it; an ad hoc SAS or an account SAS can only be revoked at the account level, by rotating the key it was signed with.
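Cards 8, 9 and 10 come together in a concrete token. The following is an added example, not part of the flashcard deck: it parses a SAS URL into the signed fields, audits it the way a reviewer would (revocability, https-only, lifetime, write-class permissions, account-wide enumeration), and mints and verifies an account SAS offline so it is clear that the `sig` is just an HMAC-SHA256 keyed with the storage account key. The account name, key and URL are constructed; the string-to-sign layout is the documented account SAS format for service versions 2015-04-05 through 2020-10-02 (from version 2020-12-06 a signedEncryptionScope line is appended, which this example does not model). Nothing here contacts Azure.

```python
"""Parse, audit, mint and verify an account SAS offline. Added example with a
constructed account, key and URL; the string-to-sign is the documented layout
for sv 2015-04-05 .. 2020-10-02."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Query-string abbreviations of the signed fields in a SAS URL.
FIELDS = {
    "sv": "signedVersion", "ss": "signedServices", "srt": "signedResourceTypes",
    "sr": "signedResource", "sp": "signedPermissions", "st": "signedStart",
    "se": "signedExpiry", "sip": "signedIP", "spr": "signedProtocol",
    "si": "signedIdentifier (stored access policy name)", "sig": "signature",
}
WRITE_CLASS = set("wdacup")   # write, delete, add, create, update, process
REVIEW_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the demo


def parse_sas_url(url):
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"resource_url": f"{parts.scheme}://{parts.netloc}{parts.path}", "params": params}


def audit_sas(url, now=None, max_lifetime=timedelta(hours=24)):
    """What a reviewer checks before accepting a SAS handed over by a developer.
    Returns (kind, findings)."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas_url(url)["params"]
    findings = []
    kind = "account SAS" if "srt" in p else "service SAS" if "sr" in p else "unknown"
    if "si" in p:
        findings.append(f"bound to stored access policy '{p['si']}': revoke by deleting the policy")
    elif kind == "account SAS":
        findings.append("ad hoc account SAS: revocable only by rotating the account key")
    if p.get("spr", "https,http") != "https":      # absent spr means both protocols allowed
        findings.append("spr is not https-only")
    if "se" in p:
        expiry = datetime.strptime(p["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry - now > max_lifetime:
            findings.append(f"expiry {p['se']} is more than {max_lifetime} away")
    granted = set(p.get("sp", ""))
    if granted & WRITE_CLASS:
        findings.append(f"write-class permissions granted: sp={p['sp']}")
    if "c" in p.get("srt", "") and "l" in granted:
        findings.append("can enumerate containers/queues/tables across the account (srt has c, sp has l)")
    return kind, findings


def _account_signature(account, key_b64, p):
    # Account SAS string-to-sign: one signed field per line, trailing newline included.
    # The HMAC key is the base64-decoded storage account key.
    string_to_sign = "\n".join([account, p["sp"], p["ss"], p["srt"], p.get("st", ""),
                                p["se"], p.get("sip", ""), p.get("spr", ""), p["sv"]]) + "\n"
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def mint_account_sas(account, key_b64, **fields):
    """Anyone holding the account key can do this, which is why the key is the root secret."""
    fields.setdefault("sv", "2019-12-12")
    fields.setdefault("st", "")
    fields.setdefault("spr", "https")
    fields["sig"] = _account_signature(account, key_b64, fields)
    return f"https://{account}.blob.core.windows.net/?" + urlencode(fields)


def verify_account_sas(account, key_b64, url):
    """What the storage service does on every request: recompute and compare in constant time."""
    p = parse_sas_url(url)["params"]
    return hmac.compare_digest(_account_signature(account, key_b64, p), p.get("sig", ""))


# Constructed demo key: 64 arbitrary bytes, base64 encoded like a real account key.
DEMO_KEY = base64.b64encode(bytes(range(64))).decode()
DEMO_URL = mint_account_sas("stapp001", DEMO_KEY, ss="b", srt="sco", sp="rl",
                            se="2030-01-01T00:00:00Z")

if __name__ == "__main__":
    print(parse_sas_url(DEMO_URL))
    print(audit_sas(DEMO_URL, now=REVIEW_TIME))
    print("signature valid:", verify_account_sas("stapp001", DEMO_KEY, DEMO_URL))
```

The audit of the demo URL produces three findings (ad hoc account SAS, six-year expiry, account-wide listing), and editing `sp=rl` to `sp=rwdl` in the URL makes verification fail, since the permissions are part of what was signed. The same idea, with a user delegation key in place of the account key, is what makes a user delegation SAS revocable without touching the account keys.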

11
Q

Active Directory

What is Azure Active Directory?

A

Azure AD (now Microsoft Entra ID) is Microsoft's cloud identity service: it authenticates users and applications, ships open-source client libraries, and provides application management tools (registration, consent, single sign-on)

12
Q

For Azure AD, what are the 3 ways identities are provided and authenticated?

A

(1) Microsoft Office / Microsoft 365 (cloud-only identities that live directly in Azure AD)
(2) Azure AD Connect (synchronises on-premises Active Directory users to Azure AD)
(3) AD FS (federated authentication: the on-premises farm authenticates the user and issues the token)

13
Q

Active Directory

What are the 3 open-source libraries/components used with Azure AD?

A

(1) MSAL (Microsoft Authentication Library, a family of libraries)
(2) Microsoft.Identity.Web (ASP.NET Core wrapper around MSAL)
(3) OpenID Connect support (OpenID Connect is the protocol; in ASP.NET Core it is consumed through the OpenIdConnect authentication middleware)

MSAL has libraries for .NET, JavaScript/Node, Python, Java, Go, iOS/Android, etc.

14
Q

Active Directory

Name at least 3 features of Application Management

A

(1) Gallery and non-gallery applications
(2) Single-tenant and multi-tenant applications
(3) Authorization (app roles, group claims)
(4) Consent (user and admin consent to the permissions an app requests)
(5) Logging (sign-in and audit logs)

15
Q

Active Directory

Name the 3 modern authentication protocol families

A

(1) WS-Federation and SAML 2.0
(browser-redirect based, so they work for web apps over HTTP(S) but poorly for native and mobile apps)
(2) OAuth 2.0
(not really an authentication protocol but a delegated-authorization framework: it issues access tokens for APIs)
(3) OpenID Connect
(an identity layer on top of OAuth 2.0 that adds the ID token and so authenticates the user)

16
Q

What are the 4 characteristics of an Access Token?

A

(1) Sent to the API in the HTTP Authorization header as a bearer token: Authorization: Bearer <token>
(2) It is a signed JWT. Azure AD publishes the public half of its signing keys (the JWKS endpoint named in the OpenID discovery document) so the API can verify the signature and detect tampering; the API must also check issuer, audience and expiry
(3) HTTPS only: a bearer token is usable by anyone who obtains it
(4) On-Behalf-Of flow
* The API exchanges the incoming user token for a second token, and the downstream API receives that second token, which still carries the user's identity *

17
Q

What are the characteristics of OpenID Connect tokens?

A

(1) Access Token: presented to an API, which validates it and reads its scopes and roles
(2) ID Token
(asserts the user's identity to the web application that requested sign-in; it is not meant to be forwarded to an API)
(3) Refresh Token: lets the client obtain new access tokens without the user signing in again

The main differentiator between the three standards is that OAuth 2.0 is a framework that controls authorization to a protected resource such as an application or a set of files, while OpenID Connect and SAML are industry standards for federated authentication.

18
Q

Active Directory

Is Azure AD free?

A

Yes, a free tier comes with every Azure subscription, but there are two premium levels with many more features (Premium P1 and P2; for example Conditional Access needs P1, Identity Protection and Privileged Identity Management need P2)

19
Q

Active Directory

Steps for App Registration

A

(1) In Active Directory, go to App Registrations
(2) Click on New Registration
(3) Add a user-friendly display name and select the supported account type (single tenant, multi-tenant, or multi-tenant plus personal Microsoft accounts)
(4)

20
Q

Active Directory

On the completed app registration page, the left menu is updated to show the configuration blades for your application. Name some of them.

A
  • Integration Assistant
  • Branding (logo, home page URL, terms of service and privacy statement URLs)
  • Authentication (redirect URIs, supported account types, which token types may be issued)
  • Certificates & Secrets (the client secrets or certificates the app authenticates with; prefer certificates or a managed identity over secrets)
  • Token Configuration (optional claims, custom claims, group claims)
  • API Permissions (the scopes this app requests from Microsoft Graph or from other registered APIs)
  • Expose an API (the scopes other apps can request from this app, under its Application ID URI)
  • Owners
  • Roles and Administrators
  • Manifest
21
Q

Active Directory

Steps to configure your application for AD

A
  • Add the required packages (for an ASP.NET Core app, Microsoft.Identity.Web and Microsoft.Identity.Web.UI)
  • Register the application's redirect URIs, which for a local ASP.NET Core app are:

https://localhost:xxxxx/
https://localhost:xxxxx/signin-oidc
https://localhost:xxxxx/signout-callback-oidc

These are set in the app registration's Authentication blade. Redirect URIs must be HTTPS (localhost is the one exception) and must match exactly what the app sends, because Azure AD will only return tokens to a registered URI.

The app's configuration file (appsettings.json) then carries the matching AzureAd section: Instance/Authority, TenantId, ClientId and the callback path (redirectUri).

The App Registration Quick Start can download a sample application with these URLs and the required packages already embedded.

22
Q

Active Directory

What are the 3 ways Azure AD carries authorization data in a token?

A
  • Groups (a groups claim listing group object IDs)
  • Custom/optional claims (extra information, such as tenant_ctry, placed in the ID token or the access token)
  • App Roles (a roles claim with the role values assigned to the user or application)
23
Q

Information

Group-Based Authorization Steps

A
  • Create the group and add its members (users, or the application's service principal)
  • Assign the group to the application (Enterprise applications > Users and groups)
  • Expose an API (define a scope on the API's registration)
  • API Permissions: grant the client app the API's scope
  • Set up a client secret (or, better, a certificate) for the client app

In the example the call is from the APP to the API, and the token the app presents carries the user's group membership.

NOTE: In the Azure portal, a registered app's Overview blade has an "Endpoints" link that lists the tenant's authentication URLs (authorize, token, OpenID Connect discovery, federation metadata).

24
Q

Steps to Add Group Claims

A
  • Under Token Configuration, choose Add groups claim, then pick which groups to emit (security groups, directory roles, or only groups assigned to the application) and in which token (ID, access, SAML)

Note: Decoding the JWT with a token inspector shows a groups claim listing the group object IDs (GUIDs), not names. If the user belongs to more than 200 groups the claim is omitted and replaced by an overage indicator (_claim_names/_claim_sources), so the API must query Microsoft Graph for membership instead; emitting only "groups assigned to the application" avoids the overage.

25
Q

Steps to Add Custom Claims

A
  • In the API application's registration
  • In Token Configuration, select Add optional claim
  • Select Access as the token type (the claim is meant for the API, not for the web app)
  • Select one of the claims, e.g. tenant_ctry
26
Q

Steps to Add App Roles

A
  • In the API application's registration
  • Under App Roles, select Create app role
  • Add a display name and a value (the value is what appears in the roles claim), and choose the allowed member type (users/groups, applications, or both)
  • In the client APP's registration, go to API Permissions and add the role created on the API (as an application permission, when the role is for applications)
  • Users and groups are assigned to the role under the API's Enterprise application > Users and groups; the API then checks the roles claim
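What the API on the receiving end of cards 16, 17 and 22 to 26 has to do with such a token: validate it (algorithm, signature, issuer, audience, validity window) and then authorize from its claims (delegated scope in scp, app role in roles, group object ID in groups, the tenant_ctry optional claim). The following is an added example, not part of the flashcard deck. Azure AD signs tokens with RS256 and publishes its public keys at the JWKS endpoint named in the OpenID discovery document; to stay offline this example signs a constructed token with HS256 and a local secret, but the claim checks are the same. The tenant ID, audience, object IDs and claim values are all made up.

```python
"""Validate a JWT access token and authorize from its claims. Added example;
HS256 with a local secret stands in for Azure AD's RS256 and JWKS, all
identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-an-azure-key"
TENANT_ID = "11111111-2222-3333-4444-555555555555"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"   # v2.0 issuer format
API_AUDIENCE = "api://report-api"      # Application ID URI of the API's registration
NOW = 1_700_000_000                     # fixed clock so results are reproducible

# Claims as they would look after the registration changes in cards 24 to 26:
# groups claim, tenant_ctry optional claim, roles claim, plus the delegated scope.
BASE_CLAIMS = {
    "iss": ISSUER, "aud": API_AUDIENCE, "nbf": NOW - 60, "exp": NOW + 3600,
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "scp": "Report.Read",
    "roles": ["Report.Admin"],
    "groups": ["bbbbbbbb-0000-0000-0000-000000000002"],
    "tenant_ctry": "US",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret=SECRET):
    """Build a compact JWT (header.payload.signature) the way the issuer would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_access_token(token, secret=SECRET, audience=API_AUDIENCE, issuer=ISSUER, now=None):
    """Checks an API must make before trusting a bearer token: pinned algorithm,
    signature, issuer (tenant), audience (this API), validity window. Raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never accept 'none' or a surprise algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer: token is from another tenant")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience: token was issued for a different API")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token not yet valid or expired")
    return claims


def rejection_reason(token, now=NOW):
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_access_token(token, now=now)
        return None
    except ValueError as err:
        return str(err)


def has_groups_overage(claims):
    # Azure AD drops the groups claim past 200 groups and emits an overage indicator instead.
    return "_claim_names" in claims or bool(claims.get("hasgroups"))


def authorize(claims, scope=None, role=None, group=None):
    """Authorization from token content: delegated scope (scp), app role (roles),
    group membership (groups). Refuses to decide on groups when the claim is absent."""
    if group and has_groups_overage(claims):
        raise PermissionError("groups overage: token omits groups, query Microsoft Graph instead")
    if scope and scope not in claims.get("scp", "").split():
        return False
    if role and role not in claims.get("roles", []):
        return False
    if group and group not in claims.get("groups", []):
        return False
    return True


def forge_payload(token, new_claims):
    """Swap the payload but keep the original signature (what an attacker tries first)."""
    h, _, s = token.split(".")
    return f"{h}.{_b64url(json.dumps(new_claims, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    token = make_token(BASE_CLAIMS)
    claims = validate_access_token(token, now=NOW)
    print("allowed:", authorize(claims, scope="Report.Read", role="Report.Admin"))
    print("forged:", rejection_reason(forge_payload(token, {**BASE_CLAIMS, "roles": ["Report.Write"]})))
```

Two details carry over directly to a real Azure AD API: the audience check is what stops a token minted for one API (or an ID token meant for the web app) from being replayed against another, and the algorithm pin plus signature check is what makes the `roles` and `groups` claims trustworthy at all, since the payload is only base64, not encrypted.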
27
Q

Information

Need to review sections on
User - Group based authentication
User - Custom Claim
User - App Roles

A