
AzureBootcamp2022: Demystifying Azure AD Applications by Marcel Zehner and Martin Ehrnst

This session is part of Azure Bootcamp Switzerland 2022.
www.azurebootcamp.ch

Did you ever wonder what Application Registrations and Enterprise Applications in Azure AD are used for and how they work? And what the many settings are used for? No worries, these rocket-science-like objects will be discussed and explained in this session by Microsoft Regional Director and Azure MVP Marcel Zehner. He will reveal what you wanted to understand for a long time already…
🙂 MARCEL ZEHNER ⚡️ Microsoft Cloud Champion @ SoftwareOne | Microsoft Regional Director | Azure MVP
🙂 MARTIN EHRNST ⚡️ Lead Architect @ Vipps | Azure MVP

Check out Marcel at: https://www.linkedin.com/in/marcelzehner/
Check out Martin at: https://www.linkedin.com/in/martinehrnst/


Transcript

  1. About Martin
     ▪ Tech lead at Vipps
     ▪ Microsoft Azure MVP
     ▪ Azure UG Norway
     ▪ Pre-Covid-19 public speaker
     ▪ Race car driver
     ▪ Skier
  2. About Marcel
     ▪ Team lead SoftwareONE
     ▪ Microsoft Regional Director
     ▪ Microsoft Azure MVP
     ▪ IT & tech geek
     ▪ Public speaker
     ▪ Poker player
  3. The not-so-modern Way
     [Diagram: Browser, Storage App (Photos), Email App, Photo Printing Service. The printing service's login form asks the user to type the username and password of the photo storage account.]
     "Enter your credentials for accessing your photos. We guarantee that we will only access the pictures you want us to print and delete the credentials afterwards. You can trust us. Really."
  4. Authentication (AuthN)
     ▪ Proving process
     ▪ Ensures that you are who you say you are
     ▪ The Microsoft Identity Platform uses OpenID Connect (OIDC) or SAML for this process
     ▪ OIDC > Mainly used with web/mobile apps
     ▪ SAML > Mainly used for federation with other identity providers (e.g. ADFS) and with older enterprise SaaS apps
  5. Authorization (AuthZ)
     ▪ Granting permissions to an authenticated party
       ▪ What can be accessed?
       ▪ What can be done with the data?
     ▪ The Microsoft Identity Platform uses OAuth2 for this process
  6. Token Types
     ▪ Identity Tokens
       ▪ Token for an entity
       ▪ Contain information about the identity (e.g. user); consumed by the client app itself
     ▪ Access Tokens
       ▪ Meant for the API, not for the client: the client treats them as opaque and must not rely on any user information in them
       ▪ Contain the audience and the granted permissions (scp for delegated, roles for application permissions)
       ▪ Submitted to an API/service to get access
  7. Identity Provider
     ▪ Not every app needs native AuthN & AuthZ functionality
     ▪ Better: Delegate to an Identity Provider such as Azure AD
     ▪ If Azure AD is used …
       ▪ Identity as a service
       ▪ Authentication & Authorization
       ▪ Conditional Access & MFA
       ▪ Single sign-on across multiple apps
  8. Token Lifetimes
     ▪ Identity & access tokens have a limited lifetime
       ▪ Minutes to hours; the Azure AD default is about 1 h (60 to 90 minutes)
       ▪ An issued access token cannot be revoked before it expires (unless Continuous Access Evaluation applies), which is why lifetimes are kept short
     ▪ Refresh tokens have a longer lifetime (up to 90 days of inactivity)
       ▪ Used to request new access tokens
       ▪ Generates a new access token for a resource
       ▪ Also (normally) renews the refresh token
       ▪ No interactive user login required
       ▪ Can be revoked (admin action, password changes etc.)
  9. App Registrations 1/2
     ▪ Register your own app in Azure AD
       ▪ For apps you develop and/or run
       ▪ To delegate web app AuthN & AuthZ to Azure AD
     ▪ Configuration
       ▪ Owners, Roles & administrators (app management)
       ▪ Redirect URIs
         ▪ Where should/can tokens (or authorization codes) be sent after successful logon?
         ▪ Azure AD only redirects to a URI that exactly matches a registered one, so register only HTTPS URIs you control and nothing broader than needed
  10. App Registrations 2/2
     ▪ Configuration
       ▪ Token types the authorization endpoint may return directly (identity and/or access tokens for the implicit/hybrid flow); leave these off unless needed and prefer the authorization code flow with PKCE
       ▪ Single- or multitenant use
       ▪ Certificates & secrets
         ▪ For confidential client authentication
         ▪ ClientId & ClientSecret (a certificate or a managed identity is preferable to a shared secret)
       ▪ API permissions (e.g. Microsoft Graph API)
  11. [Diagram: Azure AD (IdP), Browser, Web App 1]
     ▪ Web app delegates AuthN & AuthZ to AAD. This establishes a trust between the two.
     ▪ Web app redirects the browser to AAD. AAD creates an identity token and signs it with an AAD key.
     ▪ Browser is redirected to the web app and the token is submitted. The web app validates signature, issuer, audience, nonce and expiry; the user is authenticated and token claims are used for authorization. Browser stores a cookie for the AAD authentication (C1).
     ▪ Web app creates a session cookie (C2). This is used for any future use of the same web app.
  12. [Diagram: Azure AD (IdP), Browser, Web App 1, Web App 2]
     ▪ User accesses web app 2.
     ▪ Web app 2 redirects the browser to AAD. AAD creates an identity token and signs it with an AAD key. No sign-in required because C1 is submitted (SSO).
     ▪ Browser is redirected to web app 2 and the token is submitted. The user is authenticated, token claims are used for authorization.
     ▪ Web app 2 creates a session cookie (C3). This is used for any future use of the same web app.
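The web-app side of the redirect steps in slides 11 and 12, as an added example that is not code from the deck or its authors. The slides show the identity token being posted straight back to the web app; this example instead starts the OpenID Connect authorization code flow with PKCE (the flow the same Azure AD v2.0 endpoints support), so what comes back to the redirect URI is a code plus the state the app issued. Tenant name, client id and redirect URIs are constructed placeholders, and the `session` dict stands in for the server-side session behind cookie C2:

```python
"""Added example: start an Azure AD sign-in (authorization code + PKCE) and
check the callback before anything in it is trusted. Not from the deck."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
TENANT = "contoso.onmicrosoft.com"                        # constructed placeholder
CLIENT_ID = "11111111-2222-3333-4444-555555555555"        # constructed placeholder
# Slide 9: only pre-registered, exactly matching redirect URIs may receive codes/tokens.
REGISTERED_REDIRECT_URIS = {"https://app.contoso.example/signin-oidc"}   # constructed
SCOPES = ("openid", "profile", "User.Read")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(session: dict, redirect_uri: str) -> str:
    """Step 'web app redirects the browser to AAD': mint a per-request state
    (CSRF protection), a nonce (later compared against the ID token) and a
    PKCE verifier, keep them server-side, and return the /authorize URL."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered for this app")
    verifier = _b64url(secrets.token_bytes(32))           # 43 chars, inside the 43..128 range
    session.update({
        "state": _b64url(secrets.token_bytes(24)),
        "nonce": _b64url(secrets.token_bytes(24)),
        "pkce_verifier": verifier,
        "redirect_uri": redirect_uri,
    })
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{TENANT}/oauth2/v2.0/authorize?{urlencode(params)}"


def authorize_params(url: str) -> dict:
    """Flatten the query string of an /authorize or callback URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def state_matches(session: dict, state) -> bool:
    """Constant-time comparison; rejects missing, non-ASCII or foreign state."""
    expected = session.get("state")
    if not expected or not isinstance(state, str) or not state.isascii():
        return False
    return secrets.compare_digest(expected, state)


def handle_callback(callback_url: str, session: dict) -> dict:
    """Step 'browser is redirected back to the web app': verify state first,
    consume it (one-time use), and assemble the body the app then POSTs to
    /oauth2/v2.0/token (a confidential client adds client_secret or a
    client assertion). The ID token that comes back must carry session['nonce']."""
    q = authorize_params(callback_url)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    if not state_matches(session, q.get("state")):
        raise ValueError("state mismatch: not a request this session started")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    session.pop("state")
    return {
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": session["redirect_uri"],
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
        "scope": " ".join(SCOPES),
    }
```

The state check runs before the code is even looked at: a callback that does not carry the state this session minted is either a login-CSRF attempt or a stale request, and the code in it must not be exchanged.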
  13. Enterprise Apps 1/3
     ▪ Instance of an app (representation) in your own tenant
       ▪ Own apps > the app registration also creates an enterprise app
       ▪ Foreign apps > only the enterprise app is created (the registration lives in the publisher's tenant)
     ▪ Sometimes referred to as «Service Principal»
     ▪ Thank you Microsoft docs ☺
  14. Delegate Authentication (Single-Tenant)
     [Diagram: Application Home Tenant with the App Registration, instantiated as an Enterprise Application (Service Principal); an Application Foreign Tenant is shown alongside. Single-tenant: only accounts from the home tenant can use the app.]
  15. Delegate Authentication (Multi-Tenant)
     [Diagram: same layout; the App Registration in the home tenant is instantiated as an Enterprise Application (Service Principal) in the home tenant and again in each foreign tenant whose users sign in to the app.]
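An added example, not code from the deck, that takes the token types of slide 6, the lifetime of slide 8 and the single-/multi-tenant distinction of slides 13 to 15 and turns them into the checks a web app or API performs on a received token; the last function is the permission check an API makes behind the consent of slides 17 and 18. It only checks claims: the RS256 signature has to be verified first against the tenant's published keys (JWKS), which needs the network and is not shown. Every identifier and token below is a constructed, unsigned sample, and the claim layout follows the v2.0 issuer format:

```python
"""Added example: classify and validate Azure AD v2.0 token claims. Not from
the deck; all tenants, client ids and tokens are constructed samples."""
import base64
import json

OUR_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # constructed placeholder
HOME_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # constructed placeholder
FOREIGN_TENANT = "ffffffff-0000-1111-2222-333333333333"  # constructed placeholder
GRAPH_AUDIENCE = "https://graph.microsoft.com"
NOW = 1_700_001_000                                      # fixed "current time" for the samples


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_json(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Constructed sample token: real header shape, placeholder signature."""
    header = _b64url_json({"typ": "JWT", "alg": "RS256", "kid": "sample-kid"})
    return f"{header}.{_b64url_json(claims)}.sig"


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying it; for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify(claims: dict) -> str:
    """Slide 6: an access token carries granted permissions (scp = delegated,
    roles = application permissions); an ID token carries identity claims
    and the nonce of the sign-in request."""
    return "access_token" if ("scp" in claims or "roles" in claims) else "id_token"


def validate_claims(claims, *, expected_aud, allowed_tenants, now,
                    expected_nonce=None, leeway=60):
    """Return a list of problems (empty = accept). Run only after the
    signature has been verified; every check here is on trusted bytes."""
    problems = []
    tid = claims.get("tid")
    # Multi-tenant pitfall (slide 15): with the /common endpoint a correctly
    # signed token can come from ANY tenant, so the app must pin the tenant.
    if tid not in allowed_tenants:
        problems.append(f"tenant {tid} not allowed")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        problems.append("issuer does not match tid")
    if claims.get("aud") != expected_aud:
        problems.append("audience mismatch (token was issued for someone else)")
    if claims.get("nbf", 0) > now + leeway:
        problems.append("token not yet valid")
    if claims.get("exp", 0) <= now - leeway:          # slide 8: about 1 h after issuance
        problems.append("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replayed or foreign ID token)")
    return problems


def has_permission(claims: dict, needed: str) -> bool:
    """API side (slides 17/18): authorize on what was actually consented."""
    delegated = set(claims.get("scp", "").split())
    application = set(claims.get("roles", []))
    return needed in delegated or needed in application


# Constructed samples: issued 1000 s before NOW, valid for one hour.
_ISSUED, _EXPIRES = NOW - 1000, NOW - 1000 + 3600
ID_TOKEN = make_sample_jwt({
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0", "tid": HOME_TENANT,
    "aud": OUR_CLIENT_ID, "sub": "pairwise-subject", "oid": "user-object-id",
    "preferred_username": "alice@contoso.example", "nonce": "n-1",
    "iat": _ISSUED, "nbf": _ISSUED, "exp": _EXPIRES,
})
ACCESS_TOKEN = make_sample_jwt({
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0", "tid": HOME_TENANT,
    "aud": GRAPH_AUDIENCE, "oid": "user-object-id", "scp": "User.Read Files.Read",
    "iat": _ISSUED, "nbf": _ISSUED, "exp": _EXPIRES,
})
FOREIGN_ID_TOKEN = make_sample_jwt({
    "iss": f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0", "tid": FOREIGN_TENANT,
    "aud": OUR_CLIENT_ID, "sub": "other-subject", "oid": "other-object-id", "nonce": "n-1",
    "iat": _ISSUED, "nbf": _ISSUED, "exp": _EXPIRES,
})
```

For a single-tenant app `allowed_tenants` is just the home tenant; a multi-tenant app either keeps an allow-list of onboarded tenants or accepts any `tid` deliberately and keys all data on it. The audience check is what stops an access token minted for Microsoft Graph from being replayed against your own API.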
  16. Enterprise Apps 2/3
     ▪ Configuration
       ▪ Owners, Roles & administrators (app management)
       ▪ Assigned users & groups (control who can use the app)
       ▪ Single sign-on configuration
       ▪ Conditional Access integration
       ▪ API permissions
       ▪ User provisioning via System for Cross-domain Identity Management (SCIM)
       ▪ Application Proxy for on-premises apps
  17. Enterprise Apps 3/3
     ▪ Consent granting
       ▪ When a web app needs access to user profile, data etc.
       ▪ Person (resource owner) must grant access for the web app (client) to access API data (resource server)
       ▪ Consent granting by users allowed? (tenant setting; a user's consent registers an Enterprise App with the requested API permissions, so many tenants limit user consent to low-risk permissions or verified publishers)
       ▪ Alternative: Admin consent granting (always required for application permissions and for high-privilege delegated permissions)
  18. [Diagram: Browser, SaaS App, Azure AD (IdP)]
     ▪ User connects to the SaaS app and selects the option to log in with his/her organizational account.
     ▪ User gets a consent prompt listing the permissions the SaaS app needs. If accepted, an Enterprise App is registered in the user's tenant and the requested API permissions are configured on it.
     ▪ The app can be configured as needed (e.g. user assignment required, admin consent, conditional access etc.).
     ▪ User logs in to the SaaS app, a token is received and forwarded.
     ▪ The SaaS app accesses the data it has been delegated for; the API serving it authorizes on the permissions granted in the token, not merely on the token being valid.