User Authentication and Authorization Flashcards
What are the 3 Planes for securing Azure Storage?
(1) Management Plane
(who manages the storage account, assigns permissions, adds/removes users)
(2) Data Plane
(how do we secure the data)
(3) Encryption
(Microsoft keys or use own keys)
Difference between Security Principal, Service Principal, Managed Identity
Security Principal => Somebody you grant access to (user or group)
Service Principal => A headless process; like a user with an id/pwd, but intended to work as an automated headless process so a user doesn't have to log in
Managed Identity => A Service Principal in disguise; Microsoft manages the credentials
Management Plane Concepts
Security Principals (Security, Service, and Managed Identity)
Role Definitions
Scopes
Scope Concepts
(1) Set a resource to have certain access
(2) Hierarchy in scope
(management group, subscription, resource group, resource)
(3) Role Assignments
(attach role(s) to a security principal)
What are 3 concepts of the Data Plane?
(1) Keys (Storage Account Keys)
(2) Shared Access Signature (Least privilege)
(3) Azure Active Directory
(Requires a token using the OpenID Connect mechanism)
Fundamentals of Storage Account Keys
(1) Come in pairs
(2) They are the root key and provide access to the entire storage container (least restrictive)
(3) Rotating keys on occasion is recommended
(Azure Key Vault will do these automatically)
(4) Do not store in application settings/configurations
How to use RBAC in Azure Storage
Go to Access Control (IAM)
Click on Role Assignments
Select the Role (usually Storage Queue Data Contributor)
Add Role Assignment to User, Group, or Service Principal
What are the 3 types of SAS?
(1) User delegation SAS
(uses AD)
(2) Service SAS
(Delegates access to a resource in only one Azure Storage Account)
(3) Account SAS
(Secured with the Storage Account Key)
What are the elements of a URL with a SAS token?
(1) URL itself
(2) signedVersion
(3) signedService
(4) signedResourceType
(5) signedPermission
(6) signedExpiry and signedStart
(7) signedProtocol
(8) signature
Name 2 kinds of SAS
Ad-Hoc
(everything is embedded in the token)
Service SAS with Stored Access Policy
(Stores information such as expiry time, permissions, etc. in a policy instead)
A Service SAS can be shared and defined for a container, blob, file, queue or table. It is defined at the resource level.
Policies can be set at the Container level but overall access can be modified at the account level
Active Directory
What is Active Directory?
An authentication service with open-source libraries and application management tools
For Active Directory, what are the 3 authentication services?
(1) Microsoft Office
(2) Azure AD Connect (on-premises sync)
(3) ADFS (Federated Authentication)
Active Directory
What are the 3 Open Source Libraries used in AD?
(1) MSAL (family of libraries)
(2) Microsoft.Identity.Web
(3) OpenID Connect
MSAL includes libraries for .NET, Node, Python, etc.
Active Directory
Name at least 3 features of Application Management
(1) Gallery and non-gallery applications
(2) Single and multi-tenant Applications
(3) Authorization
(4) Consent (app permissions)
(5) Logging
Active Directory
Name the 3 modern authentication protocols
(1) WS-* and SAML
(works for HTTP, not so well with native or mobile apps)
(2) OAuth
(Not really an authentication protocol, more of a delegation protocol)
(3) OpenID Connect