$30 off During Our Annual Pro Sale. View details »

AzureBootcamp2022: Demystifying Azure AD Applications by Marcel Zehner and Martin Ehrnst

AzureBootcamp2022: Demystifying Azure AD Applications by Marcel Zehner and Martin Ehrnst

This session is one of the sessions of Azure Bootcamp Switzerland 2022.
www.azurebootcamp.ch

Did you ever wonder what Application Registrations and Enterprise Applications in Azure AD are used for and how they work? And what the many settings are used for? No worries, these rocket-science-like objects will be discussed and explained in this session by Microsoft Regional Director and Azure MVP Marcel Zehner. He will reveal what you wanted to understand for a long time already…
🙂 MARCEL ZEHNER ⚡️ Microsoft Cloud Champion @ SoftwareOne | Microsoft Regional Director | Azure MVP
🙂 MARTIN EHRNST ⚡️ Lead Architect @ Vipps | Azure MVP

Check out Marcel at: https://www.linkedin.com/in/marcelzehner/
Check out Martin at: https://www.linkedin.com/in/martinehrnst/

Azure Zurich User Group
PRO

May 10, 2022
Tweet

More Decks by Azure Zurich User Group

Other Decks in Technology

Transcript

  1. Demystifying Martin Ehrnst (NO) Azure AD Applications Marcel Zehner (CH)

    Microsoft Azure MVP Microsoft Azure MVP
  2. Enterprise Apps App Registrations Managed Identities Service Principals Tokens SCIM

    OIDC & OAuth SAML
  3. About Martin ▪ Tech lead at Vipps ▪ Microsoft Azure

    MVP ▪ Azure UG Norway ▪ Pre Covid-19 public speaker ▪ Race car driver ▪ Skier
  4. About Marcel ▪ Teamlead SoftwareONE ▪ Microsoft Regional Director ▪

    Microsoft Azure MVP ▪ IT & tech geek ▪ Public speaker ▪ Poker player
  5. The not-so-modern Way (1) Browser Storage App (Photos) Email App

    Photo Printing Service
  6. The not-so-modern Way (2) Browser Storage App (Photos) Email App

    Photo Printing Service
  7. The not-so-modern Way (3) Browser Storage App (Photos) Email App

    Photo Printing Service L3 MyPa$$WORD Username Password Enter your credentials for accessing your photos. We guarantee that we will only access the pictures you want us to print and delete the credentials afterwards. You can trust us. Really.
  8. The modern Way (1) Browser Storage App (Photos) Email App

    Photo Printing Service IdP
  9. The modern Way (2) Browser Storage App (Photos) Email App

    Photo Printing Service IdP
  10. The modern Way (3) Browser Storage App (Photos) Email App

    Photo Printing Service IdP
  11. Authentication (AuthN) ▪Proving process ▪Ensures that you are who you

    say you are ▪The Microsoft Identity Platform uses Open ID Connect (OIDC) or SAML for this process ▪OIDC > Mainly used with web/mobile apps ▪SAML > Mainly used with other identity providers (e.g. ADFS)
  12. Authorization (AuthZ) ▪Granting permissions to an authenticated party ▪What can

    be accessed? ▪What can be done with the data? ▪The Microsoft Identity Platform uses OAuth2 for this process
  13. Token Types ▪Identity Tokens ▪Token for an entity ▪Contain information

    about the identity (e.g. user) ▪Access Tokens ▪Do not carry any user information ▪Contain information about granted permissions ▪Submitted to an API/service to get access
  14. Identity Provider ▪Not every app needs native AuthN & AuthZ

    functionality ▪ Better: Delegate to an Identity Provider such as Azure AD ▪If Azure AD is used … ▪ Identity as a service ▪ Authentication & Authorization ▪ Conditional Access & MFA ▪ Single sign-on across multiple apps
  15. Token Lifetimes ▪Identity & access tokens have a limited lifetime

    ▪Minutes to hours, AAD default is 1h ▪Refresh tokens have a longer lifetime (up to 90 days) ▪Used to request new access tokens ▪Generates a new access token for a resource ▪Also (normally) renews the refresh token ▪No interactive user login required ▪Can be revoked (admin action, password changes etc.)
  16. App Registrations 1/2 ▪Register your own app in Azure AD

    ▪For apps you develop and/or run ▪To delegate web app AuthN & AuthZ to Azure AD ▪Configuration ▪Owners, Roles & administrators (app management) ▪Redirect URIs ▪Where should/can tokens be sent after successful logon?
  17. App Registrations 2/2 ▪Configuration ▪Token type to be issued (identity

    or access) ▪Single- or multitenant use ▪Certificates & secrets ▪For confidential client authentication ▪ClientId & ClientSecret ▪API permissions (e.g. Microsoft Graph API)
  18. Azure AD (IdP) Browser Web App 1 ▪ Web app

    delegates AuthN & AuthZ to AAD. This generates a trust between the 2. ▪ Web app redirects the browser to AAD. AAD creates an identity token and signs it with a AAD key. ▪ Browser is redirected to web app and the token is submitted. The user is authenticated, token claims are used for authorization. Browser stores a cookie for the AAD authentication (C1). ▪ Web app creates a session cookie (C2). This is used for any future use of the same web app.
  19. Azure AD (IdP) Browser Web App 1 ▪ User access

    web app 2. ▪ Web app redirects the browser to AAD. AAD creates an identity token and signs it with a AAD key. No sign-in required because C1 is submitted (SSO). ▪ Browser is redirected to web app and the token is submitted. The user is authenticated, token claims are used for authorization. ▪ Web app 2 creates a session cookie (C3). This is used for any future use of the same web app. Web App 2
  20. Demo 1 App Registrations

  21. Enterprise Apps 1/3 ▪Instance of an app (representation) in your

    own tenant ▪Own apps > App registration also created an enterprise app ▪Foreign apps > Only enterprise app is generated ▪Sometimes referred to as «Service Principal» ▪Thank you Microsoft docs ☺
  22. Delegate Authentication Application Home Tenant Application Foreign Tenant App Registration

    Enterprise Application (Service Principal) Instantiate Instantiate Enterprise Application (Service Principal) Single-Tenant
  23. Delegate Authentication Application Home Tenant Application Foreign Tenant App Registration

    Enterprise Application (Service Principal) Instantiate Instantiate Enterprise Application (Service Principal) Multi-Tenant
  24. Enterprise Apps 2/3 ▪Configuration ▪Owners, Roles & administrators (app management)

    ▪Assigned users & groups (control who can use the app) ▪Single-sign-on configuration ▪Conditional Access integration ▪API permissions ▪Cross-Domain Identity Management (SCIM) ▪Application Proxy for on-oremises apps
  25. Enterprise Apps 3/3 ▪Consent granting ▪When a web app needs

    access to user profile, data etc. ▪Person (resource owner) must grant access for the web app (client) to access API data (server) ▪Consent granting by users allowed? ▪Registers an Enterprise App with API permissions ▪Alternative: Admin consent granting
  26. Browser SaaS App ▪ User connects to SaaS app and

    selects option to use his/her Organizational Account to login. ▪ User gets consent granting prompt with permissions needed by the SaaS app. If accepted, an Enterprise App is registered in the user’s tenant. Appropriate API permissions are configured (depending on what the app requested). ▪ The app can be configured as needed (e.g. user assignment needed, admin consent, conditional access etc.). ▪ User logs in to SaaS app, a token is received and forwarded. ▪ The SaaS app accesses the needed data it has been delegated for. Azure AD (IdP) IdP
  27. Demo 2 Enterprise Apps

  28. «Red Origin» by SoftwareONE

  29. None
  30. None
  31. None
  32. Demystifying Martin Ehrnst (NO) Azure AD Applications Marcel Zehner (CH)

    Microsoft Azure MVP Microsoft Azure MVP