Azure Security, Authentication & Authorization

Question 1

What is a requirement for Azure AD to work?

Answer 1

User must have profile in AAD and app must be registered in AAD

Question 2

True Or False? You can configure an Instance of API mananagment to protect the API by using OAuth 2.0 with Azure Active Directory

Answer 2

True

Question 3

Explain what Authentication means

Answer 3

Authentication is the process of proving you are who you say you are. (AuthN)

Question 4

Explain what Authorization means

Answer 4

Authorization is the act of granting an authenticated party permission to do something.It specifies what data you’re allowed to access and what you can do with that data. (AuthZ)

Question 5

Explain what a Shared access Signature (SAS) is and what you can do with it.

Answer 5

Its used to grant access to a resource in your storage account. For Blob Storage for example, its simply a token thats added to the url. Everyone that has this url, can use the defined privileges that where used to create the SAS.

Question 6

Explain what the difference is between an ad-hoc SAS and a SAS that is associated with a stored access policy

Answer 6

An ad-hoc SAS contains all information like startime, end time and permissions directly in the URI

example: ?sv=2018-11-09&sr=c&sig=rS3eUbL5eCSmmth57EQkTEd6DEIo4luyg%2FtXvqvorXc%3D&st=2020-05-28T18%3A14%3A50Z&se=2020-05-29T18%3A19%3A50Z&sp=wl

When SAS is associated with a stored access policy, it inherits the settings from the policy. Its also possible to revoke those by changing the policy.

example: http://127.0.0.1:10000/devstoreaccount1/sas-container-637262939086872312?sv=2018-11-09&sr=c&si=tutorial-policy-637262939086922296&sig=0pZAShTGtP7qYz%2FaXIf4Zr32hcA4RMr4dYDFPQUcj3w%3D

Question 7

True or False? When copying files between different Storage Account, you must use a SAS

Answer 7

true

Question 8

Explain on a high level what Azure RBAC is and what you can do with it

Answer 8

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Question 9

Name the three key elements that are part of the RBAC security concept

Answer 9

Security principal, role definition and scope

Question 10

Explain what Security principal means

Answer 10

A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.

Question 11

What forms of Service Principal does Azure work with, name at list three

Answer 11

User, individual with profile in Azure Active Directory

Group, a set of User

Service Principal, apps can use this to access specific azure resources. Think of like user+pw or certificate

Managed Identity, automatically managed by Azure. Used by cloud applications to manage credentials for authenticating to azure services

Question 12

Explain what a Role definition (role) is

Answer 12

A Collection of permissions. Like read, write delete

Question 13

Explain what a Scope is

Answer 13

Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group.

Question 14

What is a role assignment

Answer 14

A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

Question 15

True or False? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments.

Answer 15

True

Question 16

What is a deny assignment

Answer 16

a deny assignment attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are allowed, while a deny assignment defines a set of actions that are not allowed. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access.

Question 17

What are the 3 planes on which you secure Azure Storage?

Answer 17

1. Management
2. Data
3. Encryption

Question 18

What makes up a role assignment, or, How do you secure the management plane of an Azure Storage account?

Answer 18

1. Security principle (who gets access - user, group, etc.)
2. Role definition (what actions they can and can’t do)
3. Scope of access (subscription, resource group, resource)

Question 19

Name 3 ways you can secure the data plane of an Azure Storage account?

Answer 19

1. Keys
2. Shared Access Signature
3. AAD (access w/token)

Question 20

True or false: the storage key is like a root password and 2 keys are created when you provision a new storage account.

Answer 20

True

Question 21

Benefits of Shared Access Signature

Answer 21

Allows access without sharing the storage key

Very flexible when it comes to granting access to a storage account

Consists of a URI with specific permissions attached to it

Question 22

When you use AAD as your identity provider, how do you access it?

Answer 22

Using OpenID Connect mechanisms

Uses access tokens, no dependency on a key

Question 23

What are the 3 types of SAS?

Answer 23

1. User delegation SAS
2. Service SAS - access to resources in only one Storage Account service
3. Account SAS - access to resources in more than one Storage Account service

Question 24

What does a SAS token look like?

Answer 24

A URL that is passing parameters

The parameter named “signature” is passing an encrypted version of your key, so if you rotate keys it will invalidate existing SAS tokens

Question 25

What are the 2 types of SAS tokens?

Answer 25

1. Ad hoc (self-contained)

2. Service - links to a Stored Access Policy

Question 26

What are some characteristics of a stored access policy?

Answer 26

Defined at the container level

Reused by multiple SAS

Contains permissions and validity period

Available on as a service-level SAS

Question 27

What components make up the Microsoft Identity Platform?

Answer 27

1. Authentication service (AAD)
2. Open Source Libraries for authentication code (i.e. MSAL)
3. Application management tools (logging, authorization, consent, galler/non-gallery apps)

Question 28

What are the 2 types of authentication?

Answer 28

Legacy (basic auth) and Modern

Question 29

What are the 3 protocols available in modern authentication?

Answer 29

1. WS-* and SAML which are based on redirects and HTTP posts
2. OAUTH: delegation protocol (not authentication protocol) Allow an app to do something on your behalf (access and refresh token)
3. OpenID Connect: more formal protocol (id token)

Question 30

What are the differences between the 3 types of tokens?

Answer 30

Access tokens you present to the API to get permissions and the API is supposed to validate it against AAD. Refresh token is for when your access token expires.

ID token is generated by AAD and sent back with the user to the client application. If a client trusts the token, it will establish a web-based session

Question 31

What is the difference between authorization and authentication?

Answer 31

Authentication means who you are.

Authorization means what can you do. Are you an admin, reader, contributor, etc.

Question 32

What are the three ways AAD can help you do authentication?

Answer 32

1. Groups (authorization decision based on group membership)
2. Custom claims: info you can put in an ID or Access token
3. App roles - defined at the app level. assigned to a user or an app. roles surface up in access tokens

Question 33

What is Azure Key Vault?

Answer 33

Azure service which allows you to securely store and access secrets

Question 34

What are the 3 types of secrets you can store in an Azure KeyVault?

Answer 34

cryptographic keys,
certificates (and the private keys associated with the certificates),
secrets (such as connection strings and passwords)

Question 35

What are the three options for authentication to Azure keyvault?

Answer 35

Managed Identities: assign a managed identity to the vm that hosts the app and the managed identity has access to keyvault

Service Principle and Certificate: not recommended because you need to rotate the cert

Service Principle and Secret: not recommended either because you have to rotate the secret

Question 36

What is a key vault access policy?

Answer 36

Determines whether a given security principle, namely a user, application, or user group, can perform different operations on AZ Keyvault secrets, keys, and certificates.

Question 37

What are the 2 keyvault pricing tiers?

Answer 37

1. Standard (secrets are software- protected)

2. Premium (secrets are protected by hardware security modules)

Question 38

What are the steps to using an Azure Keyvault?

Answer 38

1. Provision an AZ Keyvault instance
2. Configure authentication for accessing it (app registration, managed identity, key vault reference for app service or azure function)

Question 39

Steps for creating a new key vault in the portal

Answer 39

1. Specify resource group, pricing tier, and region
2. Specify soft-delete retention period
3. Specify access policy
4. Specify networking: public endpoint (all networks - any user with public internet can access this vault; public endpoint (specific networks); private endpoint (only users from selected private networks can access this keyvault)

Question 40

Provide some examples of keyvault access policies

Answer 40

1. Grant access to any service principle or managed identity
2. Grant access to vms (for saving vm password)
3. Grant access to ARM template (for use when deploying resources)
4. Enable access for Azure Disk Encryption (uses a key stored in KV to use when encrypting a disk)

Question 41

What is Azure Keyvault Reference?

Answer 41

Under the hood it’s using managed identity

Allows you to move app settings from App Services and Azure Functions to keyvault

Question 42

Name the steps for creating an Azure Keyvault Reference

Answer 42

1. Add secret to keyvault
2. Create system-assigned managed identity in your app service or function
3. Back in the Azure Key Vault, add access policy for the managed identity you just created
4. In application, update the value of the configuration setting with a special Azure keyvault reference syntax:
   @Microsoft.keyvault(VaultName=;SecretName=;SecretVersion=) OR
   @microsoft.keyvault(SecretURI=)

Question 43

What is Azure Keyvault soft delete and purge protection?

Answer 43

Allows the recovery of deleted key vaults and key vault objects (retains for between 7 and 90 days - default is 90 day)
Azure Key Vault Purge Protection: cannot purge until retention period is over

Question 44

What are common scenarios when a SAS is useful?

Answer 44

Client upload and download (to Azure Storage) via a front-end proxy service that provides authentication

A lightweight service authenticates the client as needed and then generates a SAS. Once the client application receives the SAS, it can access storage account resources directly.

A SAS is required to authorize access to the source object in a copy operation in certain scenarios:

• -copy a blob to another blob that resides in a diff storage account
• -copy a file to another file that resides in a diff storage account
• -copy a blob to a file, or copy a file to a blob

Question 45

What is an Azure AD App Manifest?

Answer 45

The definition of an application object within the Microsoft Identity Platform which includes all configuration for allowed authentication and authorization integrations

• appRoles
• groupMembershipClaims
• optionalClaims
• oauth2AllowImplicitFlow
• All of the oauth2 attributes that are included in the app manifest
• Oauth2permissions: will receive a collection that includes several values that configures how oauth2 works for this app
• Signinaudience: type of MS accounts that are supported for your app (multi-tenant, personal accounts)

Question 46

MSAL is a library that developers use to enable their application to acquire a token in a number of different authentication flows.

Answer 46

True.

Question 47

Using the Microsoft Identity Platform implementation of OAuth2.0 and OpenID Connect (OIDC), you can add sign-in and API access to your mobile and desktop apps.

Answer 47

True. OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol. With OIDC, you can add authentication and authorization for single page apps, web apps, and natively installed apps.

Question 48

For mobile and native apps, the authorization code represents what?

Answer 48

The apps permission to call back-end services on behalf of the user who is signed in.

1st endpoint: /authorize
2nd endpoint: /token

The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire.

Question 49

For web apps, what is the authorization/authentication flow?

Answer 49

The user is redirected to Azure AD with a client ID, user enters credentials and consents to any permissions, then Azure AD returns user with an ID token.

Question 50

How to authenticate long-running processes or apps that operate without the interaction with a user (daemon apps)

Answer 50

You can prove the app’s identity using a client secret or certificate

only enpoint used is /token

In this flow, the app interacts directly with the /token endpoint to obtain access

Question 51

Single page apps (SPA) like those writtin in React or Angular use what auth flow?

Answer 51

the app receives a code from the Microsoft identity platform authorize endpoint, and redeems it for an access token and a refresh token using cross-site web requests. The access token expires every 24 hours, and the app must request another code using the refresh token. I

n addition to the access token, an id_token that represents the signed-in user to the client application is typically also requested through the same flow and/or a separate OpenID Connect request

/authorize
/token

Question 52

Web app authentication flow?

Answer 52

Just uses the /authorize endpoint (gets a token still though)

You can ensure the user’s identity by validating the ID token with a public signing key that is received from the Microsoft identity platform.

Question 53

Authentication flow for web api

Answer 53

1. /token

2. /.well-known/discovery (requests token validation metadata, returns signing keys, etc.)

Question 54

Web app authentication

Answer 54

Just goes to /authorize

/authorize endpoint returns a token