In my previous post, we saw how app registrations add identity configurations for applications on Azure AD. Just like a user, an application also requires access to resources like Microsoft Graph, and that access needs authorization. The resource owner can grant (consent) or deny this authorization to the application. There are mainly two access scenarios:
Delegated access - access on behalf of a signed-in user. The user is signed in to a client application, which accesses the resource on behalf of the user.
For some time now, I’ve been working on security risk assessments of web applications. Modern identity management can be complex and often requires diving deep into the authentication flow and registration process to understand risk blocks in order to design appropriate controls and counter-measures. I hope to write a short series of posts to document the components and flows of this process, so that it can be my handy reference.
In my post on Identity and Access Management (IAM), I provided a very high-level view of how modern authentication works on the basis of a centralized Identity provider, like Azure Active Directory.
In this post, let’s look at a Microsoft Azure video in which Azure AD Program Manager Stuart Kwan presents the basics of modern claims-based authentication in a lucid and eloquent way. Clearly, if a picture is worth a thousand words, a video is probably worth a million!
Endpoints are a critical aspect of securing your resources in the cloud. When using Azure PaaS services, it is important to understand the differences between the two types of endpoints available in Azure: service endpoints and private endpoints.
Service endpoint:
A service endpoint is a way of extending your virtual network’s private address space to Azure services over the Azure backbone network. When a service endpoint is enabled, traffic between your virtual network and the Azure service of your choice stays on the Azure backbone network, rather than going over the public internet.
Identity and Access Management (IAM) is a framework of policies and technologies that ensures the right people or machines can access the right assets or resources.
Identity:
In this digital age, an identity can be either a human (user), a software component (application) or a hardware component (computer, mobile or IoT device). Just like an identity document in the real world, identities serve as a way to authenticate and authorize access to assets and resources.
Azure operations can be divided into two categories:
Control plane (or management plane) - used to manage resources in Azure subscriptions, e.g. creation of a virtual machine or a storage account. All requests for control plane operations are sent to the Azure Resource Manager URL. For Azure global, the URL is: https://management.azure.com
Data plane - used to manage capabilities exposed by instances of resource types, e.g. using Remote Desktop Protocol (RDP) to interact with a virtual machine, or reading/writing data in a storage account.