Welcome back my fellow Devs and TriForceCoders! Let’s hop in on another lesson in AZ-500 Securing Azure Technologies. First, my apologies for being a bit late on posting, I was in Cancun, hanging with my girl and putting all the Margarita Adventures in my life. Alright, alright, alright, I won’t keep you waiting any longer, let’s dive into the heart of it.
As we move further into AZ 500 we will learn the methods but first let’s get that foundation laid.
Developers can build line of business applications that can be integrated with the Microsoft Identity Platform for Sign in and Authorization Services.
- Utilize existing Azure AD credentials to access applications
- Microsoft IdP based on OAuth 2.0 which allows third party applications to access web-hosted resources on behalf of a logged in user
- Create Scopes – permissions to divide the functionality of a resource
- User and APP permissions are used with Scopes for granular control over resource data and safeguarding API exposure
Note: Scopes are configured in APP Registrations
- Permissions used to define what actions an application can perform against a resource(s) on behalf of a user
- Fine grained control over data and API functionality exposure
- Scopes are configured in APP Registrations for APP permissions
- Scopes can also be requested via the sign in process for delegated permissions
- Define what a user or an app can directly havr access to in Azure
- Based on RBAC (Role Based Access Control)
Example: User may have global write but a defined scope for an APP could limit them to read only. This is known as effective permissions.
Delegated Permissions – the effective permissions of your APP will be the least privileged between the delegated permissions granted to the APP via consent and the privileges of the current signed in user.
- APP will never have more permissions than the Signed in User.
Application Permissions – APPs running without a signed in user will have full privileges based on its effective permissions.
- An APP must be given consent for it to perform a task on your behalf.
- Occurs at user sign-in when a scope query has been presented to the MS Identity Platform
Administrator Consent – An Administrator can grant consent on behalf of any user.
- That user will not see a consent page
- Can also occur for admin-restricted permissions
To learn more of what we talked about today, please feel free to hit up the Microsoft Docs found here: Azure Security
Until next time: #dontcodealone