Azure Security for Apps

Introduction

Using Service Principals

  1. Authentication with a client secret, which is similar to a password for a user.

  2. Authentication with a certificate (recommended by Microsoft): considered more secure than a client secret; an app can also authenticate with a certificate.

  3. Authorization with RBAC works similarly to user accounts, leveraging RBAC (role-based access control).

Using Managed Identities

It’s similar to service principals, but we want the platform to manage the authentication process for us (Microsoft takes care of the client secret / certificate type of data). So we can move the app into a resource group in Azure and the platform auth will take care of that, and we don’t have to keep this info in code.

Features of Managed Identities

  1. Azure AD identities for Azure resources: the platform manages integrated identities in Azure AD for Azure resources.

  2. Credential security: avoids the need to store credentials for your app/script within code.

  3. Support for several Azure resources: many services support it (Azure Functions, Azure App Service, etc.)

Key Components

  1. An Azure resource must be assigned a system-assigned or user-assigned managed identity.

  2. The managed identity establishes a service principal within Azure.

  3. Token endpoint: Azure AD provides a token endpoint from which the resource retrieves an access token.

  4. The access token can be used to authenticate with Azure AD

For system-assigned, that means it is directly tied to a resource: if we delete the resource, we delete the identity.


API Security & OAuth 2.0

Microsoft ARM API

Microsoft Graph API

It’s a gateway to volumes of information stored across Microsoft 365 services. This includes data from Microsoft 365, Windows 10, and Enterprise Mobility + Security.


Protecting Resource Permissions

In accordance with the OAuth 2.0 standard, access to a resource can be controlled granularly through the use of resource permissions, or scopes.

OAuth 2.0 Authentication Flow

Delegated permissions and consent

Azure Key Vault

When securing apps, we often have to store secret info that an app needs to access programmatically via a REST endpoint. Key Vault data plane access can be controlled with access policies or RBAC.

Example of Solution Design

  • Key Vault used to store secrets such as API keys.

  • User-assigned managed identity:

    • Shared across web servers in the farms.

  • No changes are required for the Graph API, as delegated permissions never grant more effective permissions than the signed-in user already has.
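The following Python script is an added example, not part of the original notes, tying together the managed-identity key components above (token endpoint, access token) with the Key Vault data plane and the solution design (a user-assigned identity reading an API key from Key Vault). It uses only the standard library and calls the real Azure VM Instance Metadata Service (IMDS) managed-identity endpoint and the Key Vault secrets REST API; the HTTP transport is injectable so the flow can be run offline against constructed responses. The vault name, secret name, client id and token values are placeholders.

```python
"""Added example: managed-identity token acquisition via IMDS, then a Key Vault
secret read with the bearer token. Not code from the original notes. Assumes the
documented IMDS endpoint (api-version 2018-02-01) and Key Vault secrets API 7.4."""
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_API_VERSION = "7.4"


def default_http(url, headers):
    """Real transport: GET url with headers, return (status, body_text)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode("utf-8")


def build_token_request(resource, client_id=None):
    """Build the IMDS token request: (url, headers).
    resource  - audience of the token, e.g. https://vault.azure.net (no path).
    client_id - set for a user-assigned identity; omit for the system-assigned one.
    The Metadata header is mandatory; IMDS rejects requests without it, which
    blocks token theft via plain redirects or browser-issued requests."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}


def get_managed_identity_token(resource, client_id=None, http=default_http):
    """Ask the platform for an access token; no secret or certificate lives in code."""
    url, headers = build_token_request(resource, client_id)
    status, body = http(url, headers)
    if status != 200:
        raise RuntimeError(f"IMDS token request failed: HTTP {status}")
    token = json.loads(body)
    if token.get("token_type") != "Bearer" or not token.get("access_token"):
        raise RuntimeError("IMDS returned an unexpected token payload")
    if token.get("resource") != resource:  # defensive audience check
        raise RuntimeError("token audience mismatch")
    return token["access_token"]


def get_key_vault_secret(vault_name, secret_name, access_token, http=default_http):
    """Data plane read; the identity needs an access policy or an RBAC role on the vault."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version={KEY_VAULT_API_VERSION}")
    status, body = http(url, {"Authorization": f"Bearer {access_token}"})
    if status == 403:
        raise PermissionError("identity lacks a Key Vault access policy or RBAC role")
    if status != 200:
        raise RuntimeError(f"Key Vault request failed: HTTP {status}")
    return json.loads(body)["value"]


def fetch_api_key(vault_name, secret_name, client_id=None, http=default_http):
    """End-to-end: token from the platform, then the secret from Key Vault."""
    token = get_managed_identity_token("https://vault.azure.net", client_id, http)
    return get_key_vault_secret(vault_name, secret_name, token, http)


# Constructed offline responses (placeholder values) so the flow runs without Azure.
def fake_http(url, headers):
    if url.startswith(IMDS_TOKEN_ENDPOINT):
        if headers.get("Metadata") != "true":
            return 400, '{"error":"missing Metadata header"}'
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        return 200, json.dumps({"access_token": "eyJ.constructed.token",
                                "expires_on": "1700000000",
                                "resource": qs["resource"][0],
                                "token_type": "Bearer"})
    if "vault.azure.net/secrets/" in url:
        if headers.get("Authorization") != "Bearer eyJ.constructed.token":
            return 401, '{"error":{"code":"Unauthorized"}}'
        return 200, json.dumps({"value": "api-key-placeholder-123"})
    return 404, "{}"


if __name__ == "__main__":
    # Placeholder user-assigned identity client id shared by the web farm.
    print(fetch_api_key("contoso-kv", "ExternalApiKey",
                        client_id="00000000-0000-0000-0000-000000000000", http=fake_http))
```

On a VM, drop the `http=fake_http` argument to hit the real IMDS endpoint; on Azure App Service or Functions the platform exposes the token endpoint through the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables instead of IMDS, so the URL and header construction would change while the Key Vault call stays the same.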