User Authentication and Authorization

Question 1

What are the 3 Planes for securing Azure Storage?

Answer 1

(1) Managment Plane
(who manages storage account, assigns permissions, add/remove users)
(2) Data Plane
(how do we secure the data)
(3) Encryption
(Microsoft keys or use own keys)

Question 2

Difference between Security Principal, Service Principal, Managed Identity

Answer 2

Security Principal => Is somebody that you grant access to (user or group)

Service Principal => Headless process, like a user using id/pwd but is intended to work like automated headless process so user doesnt have to login

Managed Identity => Service Principal in disguise and Microsoft manages the credentials

Question 3

Management Plan Concepts

Answer 3

Security Prinicipals (Security, Service, and Managed Identity)

Role Definitions

Scopes

Question 4

Scope Concepts

Answer 4

(1) Set a resource to have certain access
(2) Hierachy in scope
(management group, subscription, resource group, resource)
(3) Role Assignments
(attach role(s) to a security principal)

Question 5

What are 3 concepts of the Data Plane?

Answer 5

(1) Keys (Storage Account Keys)
(2) Shared Access Signature (Least priviledge)
(3) Azure Active Directory
(Requires a token using OpenID Connection Mechanism)

Question 6

Fundelmentals of Storage Account Keys

Answer 6

(1) Comes in pairs
(2) They are the root key and provide access to entire storage container (least restrictive)
(3) Recommends rotating keys on occasions
(Azure Key Vault will do these automatically)
(4) Do not store in application settings/configurations

Question 7

How to use RBAC in Azure Storage

Answer 7

Go to Access Control (IAM)
Click on Role Assignments
Select the Role (usually Storage Queue Data Contributor)
Add Role Assignment to User, Group, or Service Principal

Question 8

What are the 3 types of SAS?

Answer 8

(1) User delegation SAS
(uses AD)
(2) Service SAS
(Delegates access to a resource in only one Azure Storage Account)
(3) Account SAS
(Secured with the Storage Account Key)

Question 9

What are the elements of an URL with SAS Token

Answer 9

(1) Url itself
(2) signedVersion
(3) signedService
(4) signedResourceType
(5) signedPermission
(6) signedExpirary and SIgnedStart
(7) signedProtocol
(8) signature

Question 10

Name 2 kinds of SAS

Answer 10

Ad-Hoc
(everything is embedded in the token)
Service SAS with Stored Access Policy
(Store information such as expire time, permissions, etc in a policy instead)

Service SAS can be shared, defined for a container, blob, file, queue or table. Is Defined on the Resource Level
Policies can be set at the Container level but overall access can be modified at the account level

Question 11

Active Directory

What is Active Directory?

Answer 11

Is an authentication service with open-source libraries and application management tools

Question 12

For Active Directory, what is the 3 authentication services?

Answer 12

(1) Micrsofot Office
(2) Azure AD Connection (on-premises sync)
(3) ADFS (Federate Authentication)

Question 13

Active Directory

What are the 3 Open Source Libraries used in AD?

Answer 13

(1) MSAL (family of libraries)
(2) Microsoft.Identity.Web
(3) OpenID Connect

MSAL includes libraries for .NET, Node, Python, etc.

Question 14

Active Directory

Name at least 3 features of Application Manement

Answer 14

(1) Gallery and Non gallery applications
(2) Single and multi-tenant Applications
(3) Authorization
(4) Consent (app permissions)
(5) Logging

Question 15

Active Directory

Name the 3 modern authentication protocols

Answer 15

(1) WS-* *and SAML
(works for HTTP and not so well with Native or Mobile Apps)
(2) OAuth
(Not really an authentication protocol but more of a delegation protocol)
(3) OpenID Connect

Question 16

What are the 4 characteristics of an Access Token

Answer 16

(1) Is sent as an authorization header
(2) Validating relies on certificates and AD provides a public portion of the certificate to verify there was no tampering
(3) HTTPS Only
(4) On Behave Flow
* The downstream API will be using the second token with the user’s identity*

Question 17

What is the characteristics of Open ID Connect Tokens?

Answer 17

(1) Access Token - used by API
(2) ID Token
(is users identity and used for accessing a web application)
(3) Provides Refresh Tokens

The main differentiator between these three players is that OAuth 2.0 is a framework that controls authorization to a protected resource such as an application or a set of files, while OpenID Connect and SAML are both industry standards for federated authentication.

Question 18

Active Directory

Is AD Free?

Answer 18

Yes, but there are two premium levels with much more features (P1 and P2)

Question 19

Active Directory

Steps for App Registration

Answer 19

(1) In Active Directory, go to App Registrations
(2) Click on New Registration
(3) Add user-friendy display name and select account type
(4)

Question 20

Azure Directory

On the completed app registration page, the left menu is updated to show some configurations for your applications. Name some of them.

Answer 20

• Integration Assistant
• Branding (includes logging, home page, URL)
• Authentication
• Certificates/Secrets
• Token Configuration (custom claims)
• API Permissions
• Exposing an API (includes Graph but other Azure Services can be connected!)
• Owners
• Roles and Administrators
• Manifest

Question 21

Active Directory

Steps to configure your application for AD

Answer 21

• Add the packages needed
• Add the following URL’s to your app.settings

https://localhost:xxxxx/
https://localhost:xxxxx/signin-oidc
https://localhost:xxxxx/signout-callback-oidc

You can also set up the Authentication within your app registration/Authentication blade.

Also in a config file there will be entries for ClientId, Tenant, Authority, as well as the redirectUri

You can use the App Registration Quick start that will embed the urls in a downloaded sample application including packages required.

Question 22

Active Directory

What are the 3 types of Authentication in AD?

Answer 22

• Groups
• Custom Claims (can ad custom info and be put in ID or Access Token)
• App Roles

Question 23

Information

Group Based Authentication Steps

Answer 23

• Add Group
• Add the application to the Group
• Expose an API
• API Permissions - enable
• Set up a secret

In the image example below, the call is to the API from the APP.

NOTE: In the AD Azure Portal, on a registered app blade, there is a link to show endpoints. This shows a number of URL for authentication purposes!

Question 24

Steps to Add Group Claims

Answer 24

• Under Token Configuration to go Add Group Claims
  *

Note: Using a untility that can look at a JWT token, you will see the groups with a guid added.

Question 25

Steps to Add Custom Claims

Answer 25

• In the API Application
• In Token Configuration, select Add Optional Claim
• Select Access as token type
• Select one of the claims i.e. tenant_ctry
  *

Question 26

Steps to Add App Roles

Answer 26

• In the API Application
• Under App Roles, select Create App Role
• Add Display name and Value
• In the APP Application, go to App Permissions
• Add the user role created before in the API application

Question 27

Information

Need to review sections on
User - Group based authentication
User - Custom Claim
User - App Roles