Introduction
Using Service Principals
Authentication with a client secret : the secret is a string that plays the same role as a user's password for the app, and it has to be stored, protected and rotated like one.
Authentication with a certificate (recommended by Microsoft) : considered more secure than a client secret because the private key never leaves the app's host; the app proves possession by signing a client assertion, so nothing reusable as a credential is sent to Azure AD.
Authorization with RBAC : works the same way as for user accounts; the service principal is assigned roles (role-based access control) on the scopes it needs.
Using Managed Identities
It’s similar to service principals, but we want the platform to manage the authentication for us: Microsoft creates and rotates the client secret / certificate material behind the scenes. An app hosted on an Azure resource (VM, App Service, Function, etc.) gets an identity attached to that resource, and the platform handles the authentication, so no credential has to live in code or configuration.
Features of Managed Identities
Azure AD identities for Azure resources : the platform creates and manages an identity in Azure AD on behalf of an Azure resource.
Credential security : no need to store credentials for your app/script in code or config files.
Support for several Azure resources : many services support it (Azure VMs, Azure Functions, Azure App Service, etc.).
Key Components
An Azure resource must be assigned a system-assigned or user-assigned managed identity.
The managed identity establishes a service principal in Azure AD.
Token endpoint : Azure AD provides a token endpoint where the identity retrieves an access token for a target resource; from inside the resource it is reached through the Instance Metadata Service (169.254.169.254) on VMs, or through the IDENTITY_ENDPOINT on App Service / Functions.
The access token, issued by Azure AD, is presented to the target resource (Azure Resource Manager, Key Vault, Microsoft Graph, etc.) to authenticate the call; the target verifies the token and applies RBAC.
For system-assigned, the identity is directly tied to one resource: if we delete the resource, the identity is deleted with it. A user-assigned identity is a standalone Azure resource with its own lifecycle and can be shared by several resources.
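The token retrieval step above, worked through in code. This is an added example, not code from the original notes: the IMDS URL, the Metadata: true header, the api-version and the resource / client_id query parameters are Microsoft's documented interface for Azure VMs, while the helper names, the fake IMDS responder and the unsigned sample token are constructed here so the flow runs outside Azure. Key Vault (https://vault.azure.net) is used as the example audience.

```python
"""Retrieve and sanity-check a managed identity access token from IMDS.

Added example, not code from the original notes. IMDS URL, header and query
parameters are Microsoft's documented interface; helper names, the fake IMDS
responder and the sample token are constructed for offline use.
"""
import base64
import io
import json
import time
import urllib.error
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
SAMPLE_RESOURCE = "https://vault.azure.net"  # audience for Key Vault data-plane calls


def build_token_request(resource, client_id=None):
    """Build the GET request a VM sends to IMDS for a token.

    resource is the token audience (the API we intend to call). client_id
    selects a user-assigned identity when the VM has several; omit it to use
    the system-assigned identity.
    """
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header, so a naive SSRF through a
    # proxy that cannot set request headers cannot reach the token endpoint.
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Only the target resource verifies the token; the client decodes it here
    purely to check audience and expiry before sending it anywhere.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(body, expected_resource, now=None):
    """Raise ValueError unless the IMDS response is usable for expected_resource."""
    claims = decode_token_claims(body["access_token"])
    now = time.time() if now is None else now
    if claims.get("aud") != expected_resource:
        raise ValueError("token audience %r != %r" % (claims.get("aud"), expected_resource))
    if int(body["expires_on"]) <= now:
        raise ValueError("token already expired")
    return claims


def token_usable_for(body, resource, now=None):
    """Boolean form of check_token for callers that just want yes/no."""
    try:
        check_token(body, resource, now)
        return True
    except ValueError:
        return False


def get_managed_identity_token(resource, client_id=None, opener=urllib.request.urlopen):
    """Call IMDS and return its parsed JSON body after checking it.

    opener is injectable so the flow can be exercised off an Azure VM.
    """
    req = build_token_request(resource, client_id)
    with opener(req) as resp:
        body = json.loads(resp.read().decode())
    check_token(body, resource)
    return body


# --- constructed stand-in for IMDS (not a real Azure response) --------------
def _constructed_token(claims):
    """Build an UNSIGNED compact JWT; fine for a demo, never for real use."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.fake-signature" % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


def fake_imds_opener(req):
    """Answer like IMDS: require the Metadata header, echo the requested resource."""
    if req.get_header("Metadata") != "true":
        raise urllib.error.HTTPError(req.full_url, 400, "Metadata header missing", {}, None)
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(req.full_url).query)
    resource = qs["resource"][0]
    client_id = qs.get("client_id", ["00000000-0000-0000-0000-000000000000"])[0]
    expires_on = int(time.time()) + 3600
    claims = {"aud": resource, "appid": client_id, "exp": expires_on, "idtyp": "app"}
    body = {"access_token": _constructed_token(claims), "expires_on": str(expires_on),
            "resource": resource, "token_type": "Bearer", "client_id": client_id}
    return io.BytesIO(json.dumps(body).encode())


if __name__ == "__main__":
    tok = get_managed_identity_token(SAMPLE_RESOURCE, opener=fake_imds_opener)
    print("aud:", decode_token_claims(tok["access_token"])["aud"], "expires_on:", tok["expires_on"])
```

On a real VM, call get_managed_identity_token with the default opener; the returned access_token goes into an Authorization: Bearer header on the call to the target resource. The audience check matters in practice: a token minted for https://management.azure.com/ is not accepted by Key Vault, and requesting the narrowest audience you need keeps a leaked token from being useful elsewhere.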
API Security & OAuth 2.0
Microsoft ARM API
Microsoft Graph API
It’s a gateway to the data stored across Microsoft 365 services. This includes data from Microsoft 365, Windows 10 and Enterprise Mobility + Security.
Protecting Resource Permissions
In accordance with the OAuth 2.0 standard, access to a resource is controlled granularly through resource permissions, also called scopes (for example User.Read in Microsoft Graph): a token is issued only for the permissions the client requested and was granted, and the resource checks those permissions on every call.
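What the resource-side check looks like, as an added example that is not part of the original notes. The claim names scp (delegated permissions, a space-separated string) and roles (application permissions, a list) are the documented Azure AD access-token claims; the route table, the sample claim sets and the helper names are constructed for this example and only modelled on Microsoft Graph mail endpoints.

```python
"""Resource-side enforcement of OAuth 2.0 scopes on a Microsoft identity
platform access token.

Added example, not from the original notes. scp/roles are the documented
token claims; routes, sample claims and helper names are constructed.
"""

GRAPH_AUDIENCE = "https://graph.microsoft.com"

# Constructed route table: which permissions satisfy which call, per token kind.
# /me has no meaning without a signed-in user, so it accepts no app-only permission.
ROUTES = {
    ("GET", "/me/messages"): {
        "delegated": {"Mail.Read", "Mail.ReadWrite"},
        "application": set(),
    },
    ("GET", "/users/{id}/messages"): {
        "delegated": {"Mail.Read", "Mail.ReadWrite"},
        "application": {"Mail.Read", "Mail.ReadWrite"},
    },
    ("POST", "/users/{id}/sendMail"): {
        "delegated": {"Mail.Send"},
        "application": {"Mail.Send"},
    },
}


def token_kind(claims):
    """Delegated (user + app) tokens carry scp; application-only tokens carry roles."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "none"


def granted_permissions(claims):
    """Return the set of permissions the token actually carries."""
    perms = set()
    scp = claims.get("scp")
    if isinstance(scp, str):
        perms.update(scp.split())   # "User.Read Mail.Read" -> two scopes
    roles = claims.get("roles")
    if isinstance(roles, list):
        perms.update(roles)         # ["Mail.Read"]
    return perms


def authorize(claims, method, route, audience=GRAPH_AUDIENCE):
    """Return the permission that authorizes the call, or raise PermissionError.

    A token for another audience is rejected outright: a Key Vault token must
    not be accepted by a Graph-like API even if its permissions look plausible.
    """
    if claims.get("aud") != audience:
        raise PermissionError("token audience %r is not %r" % (claims.get("aud"), audience))
    rule = ROUTES.get((method, route))
    if rule is None:
        raise PermissionError("no rule for %s %s; deny by default" % (method, route))
    kind = token_kind(claims)
    accepted = rule.get(kind, set())
    matching = granted_permissions(claims) & accepted
    if not matching:
        raise PermissionError("%s token lacks any of %s for %s %s"
                              % (kind, sorted(accepted), method, route))
    return min(matching)  # deterministic choice when several apply


def is_authorized(claims, method, route, audience=GRAPH_AUDIENCE):
    """Boolean form of authorize."""
    try:
        authorize(claims, method, route, audience)
        return True
    except PermissionError:
        return False


# Constructed sample claim sets (only the claims this check reads).
DELEGATED_CLAIMS = {"aud": GRAPH_AUDIENCE, "scp": "User.Read Mail.Read",
                    "oid": "user-object-id", "appid": "app-client-id"}
APP_ONLY_CLAIMS = {"aud": GRAPH_AUDIENCE, "roles": ["Mail.Read"],
                   "appid": "app-client-id"}
KEYVAULT_CLAIMS = {"aud": "https://vault.azure.net", "roles": ["Mail.Read"]}

if __name__ == "__main__":
    for name, claims in [("delegated", DELEGATED_CLAIMS), ("app-only", APP_ONLY_CLAIMS)]:
        for method, route in ROUTES:
            print(name, method, route, "->", is_authorized(claims, method, route))
```

Two points the table makes concrete: a delegated token is bounded by both the granted scopes and what the signed-in user may do, while an application token acts with the app's own rights across the tenant, which is why app-only permissions deserve the stricter consent review; and an endpoint that exists only in a user context (/me) should refuse app-only tokens even when the permission name matches.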
OAuth 2.0 Authentication Flow
Delegated permissions and consent
Azure Key Vault
When securing apps, we often have to store secret information (connection strings, API keys, certificates) that the app needs to read programmatically. Key Vault holds that material and exposes it through a REST endpoint, so the app retrieves the secret at runtime, ideally authenticating with a managed identity, instead of keeping it in code or configuration.