
AzureBootcamp2022: Demystifying Azure AD Applications by Marcel Zehner and Martin Ehrnst


This session is one of the sessions of Azure Bootcamp Switzerland 2022.
www.azurebootcamp.ch

Did you ever wonder what Application Registrations and Enterprise Applications in Azure AD are used for and how they work? And what the many settings are used for? No worries, these rocket-science-like objects will be discussed and explained in this session by Microsoft Regional Director and Azure MVP Marcel Zehner. He will reveal what you wanted to understand for a long time already…
🙂 MARCEL ZEHNER ⚡️ Microsoft Cloud Champion @ SoftwareOne | Microsoft Regional Director | Azure MVP
🙂 MARTIN EHRNST ⚡️ Lead Architect @ Vipps | Azure MVP

Check out Marcel at: https://www.linkedin.com/in/marcelzehner/
Check out Martin at: https://www.linkedin.com/in/martinehrnst/

Azure Zurich User Group

May 10, 2022


Transcript

  1. Demystifying Azure AD Applications
    Martin Ehrnst (NO), Microsoft Azure MVP
    Marcel Zehner (CH), Microsoft Azure MVP


  2. Enterprise Apps, App Registrations, Managed Identities, Service Principals, Tokens, SCIM, OIDC & OAuth, SAML


  3. About Martin
    ▪ Tech lead at Vipps
    ▪ Microsoft Azure MVP
    ▪ Azure UG Norway
    ▪ Pre Covid-19 public speaker
    ▪ Race car driver
    ▪ Skier


  4. About Marcel
    ▪ Teamlead SoftwareONE
    ▪ Microsoft Regional Director
    ▪ Microsoft Azure MVP
    ▪ IT & tech geek
    ▪ Public speaker
    ▪ Poker player


  5. The not-so-modern Way (1) [diagram: Browser, Storage App (Photos), Email App, Photo Printing Service]

  6. The not-so-modern Way (2) [diagram: Browser, Storage App (Photos), Email App, Photo Printing Service]

  7. The not-so-modern Way (3) [diagram: Browser, Storage App (Photos), Email App, Photo Printing Service; the printing service shows a Username / Password prompt (sample password MyPa$$WORD) reading: "Enter your credentials for accessing your photos. We guarantee that we will only access the pictures you want us to print and delete the credentials afterwards. You can trust us. Really."]

  8. The modern Way (1) [diagram: Browser, Storage App (Photos), Email App, Photo Printing Service, IdP]

  9. The modern Way (2) [diagram: Browser, Storage App (Photos), Email App, Photo Printing Service, IdP]

  10. The modern Way (3) [diagram: Browser, Storage App (Photos), Email App, Photo Printing Service, IdP]

  11. Authentication (AuthN)
    ▪ Proving process
    ▪ Ensures that you are who you say you are
    ▪ The Microsoft Identity Platform uses OpenID Connect (OIDC) or SAML for this process
      ▪ OIDC > Mainly used with web/mobile apps
      ▪ SAML > Mainly used with other identity providers (e.g. ADFS)


  12. Authorization (AuthZ)
    ▪ Granting permissions to an authenticated party
      ▪ What can be accessed?
      ▪ What can be done with the data?
    ▪ The Microsoft Identity Platform uses OAuth2 for this process


  13. Token Types
    ▪ Identity Tokens
      ▪ Token for an entity
      ▪ Contain information about the identity (e.g. user)
    ▪ Access Tokens
      ▪ Do not carry any user information
      ▪ Contain information about granted permissions
      ▪ Submitted to an API/service to get access


  14. Identity Provider
    ▪ Not every app needs native AuthN & AuthZ functionality
    ▪ Better: Delegate to an Identity Provider such as Azure AD
    ▪ If Azure AD is used …
      ▪ Identity as a service
      ▪ Authentication & Authorization
      ▪ Conditional Access & MFA
      ▪ Single sign-on across multiple apps


  15. Token Lifetimes
    ▪ Identity & access tokens have a limited lifetime
      ▪ Minutes to hours, AAD default is 1h
    ▪ Refresh tokens have a longer lifetime (up to 90 days)
      ▪ Used to request new access tokens
      ▪ Generates a new access token for a resource
      ▪ Also (normally) renews the refresh token
      ▪ No interactive user login required
      ▪ Can be revoked (admin action, password changes etc.)


  16. App Registrations 1/2
    ▪ Register your own app in Azure AD
      ▪ For apps you develop and/or run
      ▪ To delegate web app AuthN & AuthZ to Azure AD
    ▪ Configuration
      ▪ Owners, Roles & administrators (app management)
      ▪ Redirect URIs
        ▪ Where should/can tokens be sent after successful logon?


  17. App Registrations 2/2
    ▪ Configuration
      ▪ Token type to be issued (identity or access)
      ▪ Single- or multitenant use
      ▪ Certificates & secrets
        ▪ For confidential client authentication
        ▪ ClientId & ClientSecret
      ▪ API permissions (e.g. Microsoft Graph API)


  18. [diagram: Azure AD (IdP), Browser, Web App 1]
    ▪ Web app delegates AuthN & AuthZ to AAD. This generates a trust between the two.
    ▪ Web app redirects the browser to AAD. AAD creates an identity token and signs it with an AAD key.
    ▪ Browser is redirected to web app and the token is submitted. The user is authenticated, token claims are used for authorization. Browser stores a cookie for the AAD authentication (C1).
    ▪ Web app creates a session cookie (C2). This is used for any future use of the same web app.


  19. [diagram: Azure AD (IdP), Browser, Web App 1, Web App 2]
    ▪ User accesses web app 2.
    ▪ Web app redirects the browser to AAD. AAD creates an identity token and signs it with an AAD key. No sign-in required because C1 is submitted (SSO).
    ▪ Browser is redirected to web app and the token is submitted. The user is authenticated, token claims are used for authorization.
    ▪ Web app 2 creates a session cookie (C3). This is used for any future use of the same web app.
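    The token step in the two flows above, as an added example that is not part of the deck: the web app receives the signed identity token, verifies the signature, checks issuer, audience and the validity window from slide 15, and only then uses the claims for authorization as slide 13 describes. Azure AD signs with RS256 and publishes its public keys; this example instead uses HMAC-SHA256 with a constructed key, placeholder tenant and client ids, and a constructed `roles` claim so it runs offline with the standard library.

```python
import base64, hashlib, hmac, json, time

# Constructed key standing in for the AAD signing key. Azure AD really signs
# tokens with RS256 and publishes its public keys (JWKS); HMAC-SHA256 is used
# here only so the example runs offline with the standard library.
DEMO_KEY = b"constructed-demo-key-not-a-real-aad-key"
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder app (client) id
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (header.payload.signature) the way an IdP would."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Verify signature first, then issuer, audience and validity window."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # reject 'none' and alg confusion
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:      # issued by our tenant's AAD?
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:            # minted for this app registration?
        raise ValueError("wrong audience")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token outside its validity window")
    return claims

def is_admin(claims: dict) -> bool:
    """Authorization from claims: app roles assigned via the Enterprise App."""
    return "Admin" in claims.get("roles", [])
```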


  20. Demo 1: App Registrations


  21. Enterprise Apps 1/3
    ▪ Instance of an app (representation) in your own tenant
      ▪ Own apps > App registration also creates an enterprise app
      ▪ Foreign apps > Only enterprise app is generated
    ▪ Sometimes referred to as «Service Principal»
      ▪ Thank you Microsoft docs ☺


  22. Delegate Authentication, Single-Tenant [diagram: Home Tenant with Application, App Registration and Enterprise Application (Service Principal); Foreign Tenant with Application and Enterprise Application (Service Principal); arrows labelled Instantiate]

  23. Delegate Authentication, Multi-Tenant [diagram: Home Tenant with Application, App Registration and Enterprise Application (Service Principal); Foreign Tenant with Application and Enterprise Application (Service Principal); arrows labelled Instantiate]

  24. Enterprise Apps 2/3
    ▪ Configuration
      ▪ Owners, Roles & administrators (app management)
      ▪ Assigned users & groups (control who can use the app)
      ▪ Single sign-on configuration
      ▪ Conditional Access integration
      ▪ API permissions
      ▪ Cross-Domain Identity Management (SCIM)
      ▪ Application Proxy for on-premises apps


  25. Enterprise Apps 3/3
    ▪ Consent granting
      ▪ When a web app needs access to user profile, data etc.
      ▪ Person (resource owner) must grant access for the web app (client) to access API data (server)
    ▪ Consent granting by users allowed?
      ▪ Registers an Enterprise App with API permissions
      ▪ Alternative: Admin consent granting


  26. [diagram: Browser, SaaS App, Azure AD (IdP)]
    ▪ User connects to SaaS app and selects option to use his/her Organizational Account to login.
    ▪ User gets consent granting prompt with permissions needed by the SaaS app. If accepted, an Enterprise App is registered in the user's tenant. Appropriate API permissions are configured (depending on what the app requested).
    ▪ The app can be configured as needed (e.g. user assignment needed, admin consent, conditional access etc.).
    ▪ User logs in to SaaS app, a token is received and forwarded.
    ▪ The SaaS app accesses the needed data it has been delegated for.


  27. Demo 2: Enterprise Apps


  28. «Red Origin» by SoftwareONE



  32. Demystifying Azure AD Applications
    Martin Ehrnst (NO), Microsoft Azure MVP
    Marcel Zehner (CH), Microsoft Azure MVP
