User Authentication and Authorization Flashcards
What are the 3 planes for securing Azure Storage?
(1) Management Plane
(who manages the storage account, assigns permissions, adds/removes users)
(2) Data Plane
(how the data itself is accessed and secured)
(3) Encryption
(Microsoft-managed keys or customer-managed keys)
Difference between Security Principal, Service Principal, Managed Identity
Security Principal => Any identity that can be granted access: a user, a group, a service principal or a managed identity
Service Principal => The identity of an application or automated (headless) process; it authenticates with a client secret or certificate instead of a user logging in
Managed Identity => A service principal in disguise: Azure creates, stores and rotates the credentials, so none of them appear in your code or configuration
Management Plane Concepts
Security Principals (user/group, service principal, and managed identity)
Role Definitions
Scopes
Scope Concepts
(1) Scope is the set of resources a role assignment applies to
(2) Scopes form a hierarchy
(management group > subscription > resource group > resource; assignments are inherited downward)
(3) Role Assignments
(attach role(s) to a security principal at a scope)
What are 3 concepts of the Data Plane?
(1) Keys (storage account keys)
(2) Shared Access Signature (scoped, time-limited access; least privilege)
(3) Azure Active Directory
(the caller presents an OAuth 2.0 bearer token obtained through OpenID Connect / MSAL, and access is decided by RBAC)
Fundamentals of Storage Account Keys
(1) Come in pairs (key1 and key2, so one can be rotated while the other stays in use)
(2) They are the root keys: either key grants full access to the entire storage account (least restrictive)
(3) Rotate keys regularly
(Azure Key Vault can manage and regenerate them automatically)
(4) Do not store them in application settings/configuration; keep them in Key Vault, or avoid them entirely by using Azure AD auth with a managed identity
How to use RBAC in Azure Storage
Go to Access Control (IAM) on the storage account (or on a single container for a narrower scope)
Click on Role Assignments, then Add role assignment
Select the role (a data-plane role such as Storage Queue Data Contributor or Storage Blob Data Contributor; management-plane roles such as Owner do not by themselves authorize Azure AD access to the data)
Assign the role to a user, group, service principal or managed identity
What are the 3 types of SAS?
(1) User delegation SAS
(signed with a user delegation key obtained with Azure AD credentials rather than the account key; blob storage only)
(2) Service SAS
(delegates access to a resource in one service, e.g. blob, queue, table or file, of a single storage account; signed with the account key)
(3) Account SAS
(delegates access across one or more services of the account; signed with the account key)
What are the elements of a URL with a SAS token?
(1) The resource URL itself
(2) signedVersion (sv)
(3) signedService (ss)
(4) signedResourceType (srt)
(5) signedPermission (sp)
(6) signedExpiry and signedStart (se, st)
(7) signedProtocol (spr)
(8) signature (sig: an HMAC-SHA256 over the fields above, so changing any of them invalidates the token)
Name 2 kinds of SAS
Ad hoc SAS
(every constraint, such as start, expiry and permissions, is embedded in the token itself)
Service SAS with Stored Access Policy
(expiry time, permissions, etc. are stored in a policy on the container, queue, table or share instead, so they can be changed or revoked without regenerating the account key)
A service SAS can be shared and defined for a container, blob, file share, queue or table. It is defined at the resource level.
Policies are set at the container level; overall access can still be revoked at the account level by regenerating the account key, which invalidates every SAS signed with it.
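Worked example, added here and not part of the original flashcards: how the elements of an account SAS are bound together by the signature, and how the service re-derives that signature to accept or reject the token. The string-to-sign layout follows the Azure Storage account SAS specification for service versions before 2020-12-06 (account name, permissions, services, resource types, start, expiry, IP, protocol, version, each newline-terminated). The account name and key are constructed demo values; the verifier function mirrors what the service does and is not a Microsoft API.

```python
"""Added example (not from the original page): build an account SAS, then
re-derive its HMAC the way the service does to show that every field in the
query string is covered by the signature.
"""
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo credentials. Never hard-code a real key: read it from an
# environment variable or Key Vault (the fallback below only serves the demo).
ACCOUNT_NAME = "demostorage"
ACCOUNT_KEY = os.environ.get(
    "AZURE_STORAGE_KEY",
    base64.b64encode(b"0123456789abcdef" * 4).decode(),
)

# Field order of the account-SAS string-to-sign, with the query parameter names.
_FIELDS = [("sp", "signedPermissions"), ("ss", "signedServices"),
           ("srt", "signedResourceTypes"), ("st", "signedStart"),
           ("se", "signedExpiry"), ("sip", "signedIP"),
           ("spr", "signedProtocol"), ("sv", "signedVersion")]


def string_to_sign(account: str, params: dict) -> str:
    """Canonical string covered by the signature; absent fields are empty."""
    return account + "\n" + "\n".join(params.get(k, "") for k, _ in _FIELDS) + "\n"


def sign(key_b64: str, sts: str) -> str:
    """HMAC-SHA256 with the base64-decoded account key, result base64-encoded."""
    mac = hmac.new(base64.b64decode(key_b64), sts.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_account_sas(account, key_b64, permissions, services, resource_types,
                      start, expiry, protocol="https", version="2019-12-12"):
    """Return the SAS query parameters, including the computed signature."""
    params = {"sv": version, "ss": services, "srt": resource_types,
              "sp": permissions, "st": start, "se": expiry, "spr": protocol}
    params["sig"] = sign(key_b64, string_to_sign(account, params))
    return params


def sas_url(account: str, service: str, path: str, params: dict) -> str:
    return f"https://{account}.{service}.core.windows.net/{path}?{urlencode(params)}"


def verify_sas_url(url: str, key_b64: str, now: str):
    """Re-derive the signature from the URL's own fields; returns (ok, reason).
    'now' is an ISO-8601 UTC timestamp like the st/se values, so comparing the
    strings lexically is the same as comparing the instants."""
    parts = urlsplit(url)
    account = parts.hostname.split(".")[0]
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("spr") == "https" and parts.scheme != "https":
        return False, "https required"
    expected = sign(key_b64, string_to_sign(account, q))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return False, "bad signature"  # any edited field (sp, se, ...) lands here
    if not (q.get("st", "") <= now < q.get("se", "")):
        return False, "outside validity window"
    return True, "ok"


if __name__ == "__main__":
    p = build_account_sas(ACCOUNT_NAME, ACCOUNT_KEY, "rl", "b", "co",
                          "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z")
    url = sas_url(ACCOUNT_NAME, "blob", "logs/app.log", p)
    print(url)
    print(verify_sas_url(url, ACCOUNT_KEY, "2024-01-01T12:00:00Z"))
    print(verify_sas_url(url.replace("&sp=rl&", "&sp=rwdl&"), ACCOUNT_KEY, "2024-01-01T12:00:00Z"))
```

The second verification fails because a client that edits `sp` from read/list to read/write/delete cannot recompute `sig` without the account key; that is also why rotating the key is the only way to revoke an ad hoc SAS before it expires.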
Active Directory
What is Azure Active Directory?
Microsoft's cloud identity service: authentication for users and applications, with open-source client libraries and application management tools
For Azure Active Directory, what are the 3 related authentication services?
(1) Microsoft Office / Microsoft 365 (signs users in through Azure AD)
(2) Azure AD Connect (on-premises directory sync)
(3) AD FS (federated authentication)
Active Directory
What are the 3 open-source libraries used with Azure AD?
(1) MSAL (a family of libraries)
(2) Microsoft.Identity.Web
(3) OpenID Connect (the protocol these libraries implement, with middleware for the web frameworks)
MSAL includes libraries for .NET, Node, Python, etc.
Active Directory
Name at least 3 features of Application Management
(1) Gallery and Non gallery applications
(2) Single and multi-tenant Applications
(3) Authorization
(4) Consent (app permissions)
(5) Logging
Active Directory
Name the 3 modern authentication protocols
(1) WS-* and SAML
(work for browser/HTTP applications, not so well for native or mobile apps)
(2) OAuth 2.0
(not really an authentication protocol but a delegation/authorization protocol)
(3) OpenID Connect
(an identity layer on top of OAuth 2.0 that adds authentication)
What are the 4 characteristics of an Access Token?
(1) Sent in the Authorization header as a bearer token
(2) Validation relies on certificates: the token is signed, and Azure AD publishes the public portion of the signing key so the API can verify there was no tampering
(3) HTTPS only
(4) On-Behalf-Of flow
* The API exchanges the incoming user token for a second token; the downstream API receives that second token, which still carries the user's identity *
What are the characteristics of OpenID Connect tokens?
(1) Access Token (consumed by the API)
(2) ID Token
(asserts the user's identity to the web application that requested sign-in; it is not meant to be sent to an API)
(3) Refresh Tokens (obtain new access tokens without prompting the user again)
The main differentiator between these three players is that OAuth 2.0 is a framework that controls authorization to a protected resource such as an application or a set of files, while OpenID Connect and SAML are both industry standards for federated authentication.
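Worked example, added here and not part of the original flashcards: the checks an API performs on a bearer access token before trusting the identity inside it (bearer header, signature, issuer, audience, lifetime, scope). Real Azure AD tokens are RS256-signed and the API verifies them against the public keys published at the tenant's JWKS endpoint; to keep this runnable offline, the signature step uses an HMAC key as a stand-in, which is clearly marked in the code. The tenant ID, application ID URI and key are constructed demo values, not real identifiers.

```python
"""Added example (not from the original page): validating a bearer access token.
The HS256 key below stands in for Azure AD's RS256 public key so the block
runs offline; every other check is the same as in a production validator.
"""
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "11111111-2222-3333-4444-555555555555"       # constructed demo value
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
API_AUDIENCE = "api://demo-api"                           # constructed application ID URI
DEMO_KEY = b"demo-signing-key-not-a-real-aad-key"         # stand-in for the JWKS public key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 token for the demo; only the validator is the point."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_bearer(auth_header: str, required_scope: str, now=None, key: bytes = DEMO_KEY):
    """Return (claims, None) if the token is acceptable, else (None, reason)."""
    now = int(time.time()) if now is None else now
    if not auth_header.startswith("Bearer "):
        return None, "missing bearer token"
    token = auth_header[len("Bearer "):]
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:                       # includes binascii.Error and JSONDecodeError
        return None, "malformed token"
    # Pin the algorithm: never trust the token's own 'alg' to pick a verification
    # method ("none" or key confusion attacks). A real AAD validator pins RS256
    # and selects the public key by the header's 'kid' from the JWKS document.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != EXPECTED_ISSUER:
        return None, "wrong issuer"
    # An ID token, or an access token minted for another API, has a different
    # audience and must be rejected even though its signature is valid.
    if claims.get("aud") != API_AUDIENCE:
        return None, "wrong audience"
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        return None, "token expired or not yet valid"
    # v2.0 access tokens carry delegated permissions as a space-separated 'scp' claim.
    if required_scope not in claims.get("scp", "").split():
        return None, "insufficient scope"
    return claims, None


if __name__ == "__main__":
    now = int(time.time())
    tok = make_demo_token({"iss": EXPECTED_ISSUER, "aud": API_AUDIENCE, "exp": now + 600,
                           "nbf": now - 60, "scp": "Files.Read", "oid": "demo-user-oid"})
    print(validate_bearer("Bearer " + tok, "Files.Read"))
    print(validate_bearer("Bearer " + tok, "Files.Write"))
```

Rejecting on audience is the check that matters most for the On-Behalf-Of flow above: the downstream API must see a token minted for itself, not the caller's copy of the token minted for the first API.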
Active Directory
Is Azure AD free?
A free tier exists, and two premium levels (P1 and P2) add many more features
Active Directory
Steps for App Registration
(1) In Azure Active Directory, go to App Registrations
(2) Click on New Registration
(3) Add a user-friendly display name and select the supported account type
(4)
Active Directory
On the completed app registration page, the left menu is updated to show some configurations for your applications. Name some of them.
- Integration Assistant
- Branding (includes logo, home page URL)
- Authentication
- Certificates/Secrets
- Token Configuration (custom claims)
- API Permissions
- Expose an API (define the scopes your own API offers to other apps; Microsoft Graph and other Azure services are requested under API Permissions)
- Owners
- Roles and Administrators
- Manifest
Active Directory
Steps to configure your application for Azure AD
- Add the packages needed (e.g. Microsoft.Identity.Web)
- Add the following URLs to your appsettings and register them as redirect URIs in the app registration
https://localhost:xxxxx/
https://localhost:xxxxx/signin-oidc
https://localhost:xxxxx/signout-callback-oidc
You can also set up the redirect URIs within your app registration's Authentication blade.
The config file also carries entries for ClientId, TenantId, Instance/Authority, and the redirectUri
The App Registration Quickstart can download a sample application with these URLs already embedded and the required packages included.
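Worked example, added here and not part of the original flashcards or Microsoft's sample: what the configured ClientId, TenantId, Instance and redirect URI turn into on the wire. It builds the OpenID Connect authorization request (with PKCE) that a web app sends to the Azure AD v2.0 authorize endpoint, then checks the `state` value when the user lands back on `/signin-oidc`. The tenant ID, client ID and localhost port are constructed demo values; `parse_query` and `handle_callback` are helper names chosen for this example.

```python
"""Added example (not from the original page): the OIDC authorization-code
request an app sends to Azure AD, and the callback checks on /signin-oidc.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Mirrors the AzureAd section of appsettings.json (constructed demo values).
CONFIG = {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "11111111-2222-3333-4444-555555555555",
    "ClientId": "66666666-7777-8888-9999-000000000000",
    "CallbackPath": "/signin-oidc",
}
APP_BASE_URL = "https://localhost:5001"   # the "https://localhost:xxxxx/" entry


def authority(cfg=CONFIG) -> str:
    """Issuer / discovery base: {Instance}{TenantId}/v2.0 (hosts .well-known/openid-configuration)."""
    return f"{cfg['Instance']}{cfg['TenantId']}/v2.0"


def authorize_endpoint(cfg=CONFIG) -> str:
    return f"{cfg['Instance']}{cfg['TenantId']}/oauth2/v2.0/authorize"


def code_challenge(verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(code_verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


def new_login_session() -> dict:
    """Per-login secrets the app must keep server-side (e.g. in an encrypted session cookie)."""
    return {"state": secrets.token_urlsafe(16),
            "nonce": secrets.token_urlsafe(16),
            "code_verifier": secrets.token_urlsafe(48)}


def build_authorize_url(session: dict, cfg=CONFIG) -> str:
    params = {
        "client_id": cfg["ClientId"],
        "response_type": "code",                      # authorization-code flow, no tokens in the URL
        "redirect_uri": APP_BASE_URL + cfg["CallbackPath"],
        "scope": "openid profile offline_access",     # openid -> ID token, offline_access -> refresh token
        "state": session["state"],                    # bound to the session, checked on return
        "nonce": session["nonce"],                    # echoed in the ID token to stop replay
        "code_challenge": code_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
        "response_mode": "query",
    }
    return f"{authorize_endpoint(cfg)}?{urlencode(params)}"


def parse_query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(callback_url: str, session: dict):
    """Validate the redirect to /signin-oidc; returns (code, None) or (None, reason)."""
    q = parse_query(callback_url)
    if "error" in q:
        return None, f"authorization failed: {q['error']}"
    # Constant-time compare; a mismatch means the callback was not started by this session (CSRF/replay).
    if not secrets.compare_digest(q.get("state", ""), session["state"]):
        return None, "state mismatch"
    if "code" not in q:
        return None, "no authorization code"
    return q["code"], None


def token_request_body(code: str, session: dict, cfg=CONFIG) -> dict:
    """Body of the POST to {Instance}{TenantId}/oauth2/v2.0/token (not sent here).
    The code_verifier proves to Azure AD that the same client started this login."""
    return {"client_id": cfg["ClientId"], "grant_type": "authorization_code", "code": code,
            "redirect_uri": APP_BASE_URL + cfg["CallbackPath"],
            "code_verifier": session["code_verifier"]}


if __name__ == "__main__":
    s = new_login_session()
    print(build_authorize_url(s))
    print(handle_callback(f"{APP_BASE_URL}/signin-oidc?code=AUTHCODE&state={s['state']}", s))
```

The redirect URI in the request must match one registered on the Authentication blade exactly, which is why the three localhost URLs from the card have to be added there as well as to appsettings.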
Active Directory
What are the 3 ways to carry authorization data in Azure AD tokens?
- Groups
- Custom Claims (add custom info to the ID token or the access token)
- App Roles
Information
Group-Based Authorization Steps
- Add a group
- Add the application to the group
- Expose an API
- API Permissions: enable the permission
- Set up a client secret
In the image example (not reproduced here), the call goes from the APP to the API.
NOTE: In the Azure AD portal, a registered app's blade has an Endpoints link that lists the URLs used for authentication (authorize, token, OpenID metadata, etc.)
Steps to Add Group Claims
- Under Token Configuration, go to Add groups claim
Note: Using a utility that decodes a JWT, you will see a groups claim containing the group object IDs (GUIDs), not the group names.
Steps to Add Custom Claims
- In the API application
- In Token Configuration, select Add Optional Claim
- Select Access as the token type
- Select one of the claims, e.g. tenant_ctry
Steps to Add App Roles
- In the API application
- Under App Roles, select Create App Role
- Add a display name and a value (the value is what appears in the token's roles claim)
- In the APP application, go to API Permissions
- Add the app role created in the API application
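Worked example, added here and not part of the original flashcards: what the API does with the three kinds of authorization data above once a token has been validated. It decodes the payload (the same view a JWT inspection utility gives), reads the `groups` claim (object IDs), the `roles` claim (app role values) and the optional `tenant_ctry` claim, and makes a deny-by-default decision per endpoint. It also handles the groups-overage case, where Azure AD omits `groups` and emits `_claim_names`/`_claim_sources` instead. The group ID, role value, endpoints and policy are constructed demo values; `authorize` and `groups_of` are helper names chosen for this example. Signature and lifetime checks are assumed to have happened already.

```python
"""Added example (not from the original page): claims-based authorization
from the groups, roles and optional claims in a decoded access token.
"""
import base64
import json

# Constructed demo value: object ID of the group allowed to call the admin endpoint.
ADMIN_GROUP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Demo policy: deny anything not listed.
POLICY = {
    "/admin": {"group": ADMIN_GROUP_ID},
    "/reports": {"role": "Reports.Read"},          # app role value from the API registration
    "/eu-export": {"claim": ("tenant_ctry", "DE")},  # optional claim added under Token Configuration
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_unsigned(claims: dict) -> str:
    """Constructed demo token (header.payload.sig) so decode_payload has input to work on."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.demo-signature"


def decode_payload(token: str) -> dict:
    """Read the payload without verifying; what an inspection utility shows you."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def groups_of(claims: dict):
    """Set of group object IDs, or None when membership must be fetched from Graph.
    With too many groups Azure AD drops 'groups' and sets _claim_names['groups'];
    treating that as 'no groups' would silently deny, treating it as 'all groups'
    would be far worse, so it is surfaced as unknown."""
    if "groups" in claims:
        return set(claims["groups"])
    if "groups" in claims.get("_claim_names", {}):
        return None
    return set()


def app_roles_of(claims: dict) -> set:
    return set(claims.get("roles", []))


def authorize(claims: dict, endpoint: str):
    """Return (allowed, reason) for the endpoint under POLICY."""
    rule = POLICY.get(endpoint)
    if rule is None:
        return False, "no policy for endpoint: deny by default"
    if "group" in rule:
        groups = groups_of(claims)
        if groups is None:
            return False, "groups overage: resolve membership via Graph before deciding"
        if rule["group"] not in groups:
            return False, "not in required group"
    if "role" in rule and rule["role"] not in app_roles_of(claims):
        return False, "missing app role"
    if "claim" in rule:
        name, value = rule["claim"]
        if claims.get(name) != value:
            return False, f"{name} must be {value}"
    return True, "allowed"


# Constructed sample payload: one group match, one app role, tenant country US.
SAMPLE_CLAIMS = {
    "aud": "api://demo-api",
    "oid": "demo-user-oid",
    "groups": [ADMIN_GROUP_ID, "ffffffff-0000-1111-2222-333333333333"],
    "roles": ["Reports.Read"],
    "tenant_ctry": "US",
}
SAMPLE_TOKEN = encode_unsigned(SAMPLE_CLAIMS)


if __name__ == "__main__":
    claims = decode_payload(SAMPLE_TOKEN)
    for ep in ("/admin", "/reports", "/eu-export", "/unknown"):
        print(ep, authorize(claims, ep))
```

Note that the policy compares group object IDs, never display names: names are not unique and are not what the token carries.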
Information
Need to review sections on
User - Group-based authorization
User - Custom Claim
User - App Roles