Application Security (part 1 of 3)

By Ashwin Venugopal -



To read part 2 please click here
To read part 3 please click here

Microsoft Identity Platform

Microsoft identity platform is an evolution of Azure Active Directory (AD) developer platform while allowing the developers to build applications that sign in users, and get tokens to call APIs, such as Microsoft Graph, or APIs that developers have built. It supports industry standard protocols like OAuth 2.0 and OpenID connect.

The unified Microsoft Identity Platform (v2.0) helps you to write code once and authenticate any Microsoft identity into your application while for several platforms, the fully supported Open-source Microsoft Authentication Library (MSAL) is recommended for use against the identity platform endpoints. MSAL also supports Azure Active Directory B2C, so your customers can easily use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. 

With Microsoft identity platform, one can expand their reach to these kinds of users:

  • Work and school accounts (Azure AD provisioned accounts)
  • Personal accounts (such as Outlook.com or Hotmail.com)
  • Your customers who bring their own email or social identity (such as Linkedlln, Facebook, Google) via MSAL and Azure AD B2C. 

Microsoft identity platform (v2.0) endpoint is now OIDC certified. It implements human readable scopes, in accordance with industry standards.

Azure AD Application Scenarios

Any application that outsources authentication to Azure AD needs to be registered in a directory. Azure AD represents applications following a specific model that's designed to fulfill two main functions:

  1. Identify the app according to the authentication protocols it supports. This involves enumerating all the identifiers, URLs, secrets, and related information that Azure AD needs during authentication time. Here, Azure AD: 

  • Holds all the data needed to support authentication at run time.
  • Holds all the data for deciding which resources an app might need to access, whether it should fulfill a particular request, and under what circumstances it should fulfill the request.
  • Supplies the infrastructure for implementing app provisioning both within the app developer's tenant and to any other Azure AD tenant. 

     2. Handle user consent during token request time and facilitate the dynamic provisioning of apps                 across tenants. Here, Azure AD:

  • Enables users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
  • Enables administrators to ultimately decide what apps are allowed to do, which users can use specific apps, and how directory resources are accessed.  

At deployment time, Azure AD uses a special application object as a blueprint to create a service principle, which represents a concrete instance of an application within a directory or tenant. Azure AD creates a service principle from an application object through consent. 

App Registration

Register your app with the Microsoft identity platform

Registration integrates your app with the Microsoft identity platform and establishes the information that it uses to get tokens including:
  • Application ID- A unique identifier assigned by the Microsoft identity platform. 
  • Redirect URI/URL- One or more endpoints at which your app will receive responses from the Microsoft identity platform. (For native and mobile apps, this is a URI assigned by the Micrsoft identity platform). 
  • Application Secret- A password or a public/private key pair that your app uses to authenticate with the Microsoft identity platform. (Not needed for native or mobile apps).

Getting an access token

You can manage your token interactions with the Microsoft identity platform, by using the authentication libraries that can abstract many protocol details like validation, cookie handling, token caching, and maintaining secure connections away from the developer and let you focus your development on your app. 

For the Microsoft identity platform endpoint:

  • Microsoft Authentication Library (MSAL) client libraries are available for .NET, JavaScript, Android, and Objective-c. All the platforms are in production-supported preview, and, in the event breaking changes are introduced, and Microsoft guarantees a path to upgrade.
  • Server middleware from Microsoft is available for .NET core and ASP.NET (OWIN OpenID Connect and OAuth) as well as for Node.js (the Microsoft identity platform Passport.js).
  • The Microsoft identity platform is compatible with many third-party authentication libraries. 



To read part 2 please click here
To read part 3 please click here







Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more