AzureBootcamp2023: Securing Web App using AAD by Damien Bowden

Transcript

1. Securing web applications using Azure AD https://damienbod.com

2. HTTPS Certificates TLS 1.2, 1.3 Session Protection, HTTP headers Hosting

   GDPR, Data breaches Infrastructure security Accounting, MFA and IAM Security governance Security focus of this talk Authentication and Authorization

3. Applications with users Applications with no user Secure APIs Azure

   continuous access evaluation

4. Modern security uses Zero Trust Zero Trust is a security

   strategy. • Verify explicitly (Never trust, always verify) • Least privilege (Blast radius) • Assume breach • Continuous evaluation

5. The old way…

6. Authentication is the new boundary

7. Identity and service principals User identities? Internal and external users

   Workload identities? In Microsoft Entra, workload identities are applications, service principals, and managed identities. Device identities? Device identities represent devices such as desktop computers, mobile, IoT sensors, and IoT managed devices.

8. Identity and service principals We authenticate identities! Human identities user

   + application is authenticated Machine identities Service principal, application, managed identity or device is authenticated

9. Multi/single tenant applications

10. Azure App registrations Never mix application permissions and delegated permissions

    in a single Azure App registration

11. Azure App registrations Require a secret, certificate or service managed

    identity when using admin permissions

12. Azure Enterprise applications Avoid multi-tenant Enterprise applications unless required. Grant

    consent with extreme caution!

13. Typical user session Authentication Authorization Signout Session

14. USE Standards Don’t implement this yourself, use certified libs, packages,

    tested
15. None

16. OAuth2 OpenID Connect Authentication Delegated Authorization

17. OpenID Connect • Standard, Specification • Authentication and Authorization •

    built on top of OAuth2 (access control) • Identity (Person can have n Identities) • UserInfo Endpoint http://openid.net/connect/

18. Open ID Connect (OIDC) is supported by almost all systems.

    Azure AD, Auth0, OKTA, IdentityServer4, google accounts, Openiddict, node-oidc-provider, Azure B2C

19. Typical user session Authentication Authorization Signout Session

20. Authentication with users

21. OpenID Connect Flows in Azure OAuth2 Flows with users http://openid.net/specs/openid-

    connect-core-1_0.html OpenID Connect Code flow + PKCE with client secret OpenID Connect Hybrid flow OpenID Connect Code flow + PKCE with no secret OAuth Device Flow

22. OpenID Connect Authorization Code flow + PKCE + secret •

    Server to server applications with User • Can keep secrets, is trusted • Client is authenticated • response_type = code

23. OIDC Authorization Code flow

24. Microsoft.Identity.Web https://github.com/damienbod/AzureADAuthRazorUiServiceApiCertificate

25. None

26. Microsoft.Identity.Web https://github.com/AzureAD/microsoft-identity-web

27. Authorization with no users

28. Only TRUSTED applications can do this. Microsoft Identity authentication with

    no users

29. No users http://openid.net/specs/openid- connect-core-1_0.html OAuth2 Resource Owner Credentials Flow Azure

    Managed Identities On Behalf Of (OBO) Flow

30. OAuth2 Resource Owner Credentials Flow • MC to MC applications

    • trusted client • grant_type=client_credenti al&client_id=xxxxxxxxxx&cli ent_secret=xxxxxxxxxx • Limited user cases

31. OAuth2 Resource Owner Credentials Flow

32. Microsoft.Identity.Client https://github.com/AzureAD/microsoft-authentication-library-for-dotnet

33. Microsoft.Identity.Client "Scope": "api://--clientId--/.default" https://github.com/damienbod/AzureADAuthRazorUiServiceApiCertificate

34. Azure Managed identities

35. src: https://www.youtube.com/watch?v=vYUKC0mZFqI

36. OAuth On Behalf of OBO Flow • - RFC 6749

    • https://tools.ietf.org/html/r fc6749 • https://docs.microsoft.com/ en-us/azure/active- directory/develop/v2-oauth2- on-behalf-of-flow

37. src: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

38. Microsoft.Identity.Web https://github.com/damienbod/AzureADAuthRazorUiServiceApiCertificate

39. Microsoft.Identity.Web

40. Securing APIs

41. None
42. None
43. None
44. None
45. None

46. Azure continuous access & continuous access evaluation

47. Using conditional access Create an authentication context using Graph or

    the Portal 1 Create a Conditional Access | Policies to use the context 2 Force the context in an application 3
48. None
49. None

50. https://github.com/damienbod/AspNetCoreAzureADCAE

51. None
52. None
53. None

54. What about continuous access evaluation? CAE setup in Azure Active

    Directory
55. None