Microsoft AZ-305 Exam Dumps, Practice Test Questions


Design Authentication

1. Introduction to Authorization

So in this section of the course, we're going to switch over to the concept of authorization. We talked about authentication being more than just a user ID and password; you can include multi-factor authentication so that we know with some certainty, or even with certainty, that you are who you say you are. Now that we know who you are, what can you do? What is your level of permission within this system? Do you have full permission? Are you an administrator? Are you just a regular user? Or maybe you're just a report reader who doesn't have access to the majority of the application, and all you can do is run reports. Depending on your application design, there are many different levels at which somebody can be authorized. Now, we also have to keep in mind that we're not just talking about live interactions with real users here. Yes, when I log into the system as myself, the system is going to determine what Scott can do. But we're also in a world where applications go off and do things, not only on our behalf, but because we set them up to be autonomous. So there are two scenarios. You might have, for instance, a social media account like an Instagram account, and then an application that posts to Instagram for you. It's acting as you, and that's probably proper: the post goes up under your Instagram account, under your name, but there's a system in between that connects you to Instagram. There are also batch jobs going on behind the scenes, and those shouldn't be tied to a single person. A batch job that runs every 10 minutes from now until the end of time should not be running under my name, because what happens if I leave the company? What happens if my credentials change, or I change departments or jobs? We don't want these applications to stop working, or to have elevated privileges unnecessarily. 
So we've talked about the apps that do things on your behalf, like Instagram posters. Another type of authorization we see is pre-authorized withdrawals: you're allowing some third-party application to have access to your PayPal account. I was going to say bank account, but the bank account system doesn't operate entirely online. In the PayPal system, though, you can authorise someone to withdraw $5 a month from your PayPal account, and that's an authority that you're granting. Now, as you'd expect, the identity manager within Azure Active Directory has the ability for you to grant people and other applications the level of permission that they need. There are two general types of models here. There are many different models out there, but the ones we talk about within this course, within the exam, and generally, are role-based and claims-based. Role-based is when you are part of a role: you are a developer, you are an area manager, you are an administrator. Being part of that role gets you permission to do certain tasks. That's a role-based model: depending on your job and your needs, you get certain permissions. Claims-based is more about possessing a token. Someone has given you an API key. We don't know who you are, but you have the API key, and it's the possession of that key that gets you permission to call the API. So you don't log in with a user ID and password to a traditional API; you present the key that you've been given, and that key is a claims-based model. I liken this to a house. You can either have the front door locked, but once you're inside the house you've got full access to everything, or you can have very granular security where you've got a safe and you've got locked drawers. There are places within the house that are general admission, if you will, 
and there are places in the house that have locked doors, padlocks on drawers, et cetera. So you can have the same range within your application. Either, once a user has a user ID and password and has been authenticated to enter the house, they have full run of the house; or you can be very fine-grained, where each individual action and each individual part of the application requires a certain permission, and we check each person every time. Those are two different models. It's actually quite common to have an application that only has a front door if it's an internal application: it's not open to the public internet, there are not millions of users, et cetera. You just have one point to check somebody's credentials. But when you're talking about a big application with a big public footprint, you may want to check their credentials in many different ways.

2. Approach to Authorization

So the AZ-301 exam, on a grander scale, is about design. It's about strategy. It's really the job of an architect to come up with ideas and solutions that fit a particular business's needs. By contrast, the AZ-300 exam is about technologies: how to create a VM, how to create a virtual network. This exam is one aspect of that. So we're talking about authorization, and particularly in this video we're going to talk about the approach to authorization. In the last video, I ended by talking about the concept of having your own house with a front door. Once the person has used a key and opened the front door, the entire house is open. They can go upstairs and downstairs, into the kitchen, into the living room. There's no additional security on the individual's access within your house. But you could design your house as if it were not a house but, in fact, a hotel. In a hotel, every door has a lock. Even the maid's closet has a lock on it. Every individual room has a lock, and so on. So if you have a location where strangers will be visiting, you may want a higher level of security, where you must authenticate and obtain authorization for each room you wish to enter. It's a very individual thing for your application. Depending on your application, you might be fine with front-door security: every user entering your application is an employee of yours, and there are only ten of them. You don't need to design a very complicated system of trust where they're allowed to do some things and not others. As long as you trust the people, and you log and audit their actions, then you don't necessarily have to put the time, effort and energy into designing a very complicated authorization scheme. 
But if you're at the opposite end, if you're designing the hotel rather than the house, if you're designing a social media network, then maybe you want a very strong authorization scheme. It's better to be safe. It's better that someone doesn't have access to something they do need, and has to come to you to revise that permission, than for people to have higher levels of permission than they need. So every application is going to be different. Now, the other aspect, of course, when we're designing applications, is whether the application is running on its own, under its own name, as a batch job, a weekly job or some sort of system-level job, or whether it's doing work on behalf of an individual. A social media management tool that must post to Facebook, Twitter and Instagram on a regular basis does so on behalf of someone. When you sign up for those tools, they send you to Instagram, and there's a prompt: do you give this application permission to access your Instagram account, yes or no? In that case, you're delegating your authorization to the application. So you're going to have to make this decision with these types of programs: are they operating on their own, or are they really acting on behalf of a user? Those are the types of things you're going to have to think about. Now, if we take a step back and look at Azure Active Directory, we've already talked about its importance in the authentication elements, but we're talking about authorization here. Does it have a role? Yes, it does. Applications themselves can be registered with Azure AD. So if you're designing an application and you want to delegate the security, user IDs and passwords and multifactor authentication, and take advantage of those features and benefits of Azure AD, one of the steps is to register your application with Azure AD. 
When we go into the portal and into Azure AD, there's an applications section, and we can see that your organisation has many applications registered with it. Then on the user side, we've got users who are part of roles. You're a developer, an accountant, a manager, a report runner, or part of various other roles. So when that person logs in and goes into your application, you know exactly what role they have and can assign permissions accordingly. One key feature for authorization, and authentication too, is for when somebody has an elevated account: there's a concept called Azure AD Conditional Access. When a user is in a situation that is not normal, they're not inside the office, they're not using their normal computer, you've never seen them log in with this device before, they're halfway across the world, conditional access can run some rules and say: they're not using a normal computer, they're not doing this from a normal location, so assign them a risk level. And you can set rules within conditional access to say, "Well, we're going to deny this access." So if you're not using your regular computer, you're not in the country, and you're trying to do something that you've never tried before, et cetera, then we can just say, "No, that's denied," and that'll get logged. Then they can email support, or email their boss and say, "Hey boss, I'm on vacation in the Caribbean and I'm trying to do some work here, and it's denying me." That's a problem you can take care of. The other option, of course, is requiring multifactor authentication on a per-user or per-app basis. We talked about MFA: if they've got their phone and they've got the app, or they've got the ability to receive a text message, then when they come in under these circumstances you can optionally enforce MFA, 
and that makes them provide additional validation that they are who they say they are. Next: do not hold your secrets inside your application code, or even inside the config files. Ten years ago, if your application needed to log into a database, you would have your connection string embedded right within your application. Now you can put that in a web.config file or an app.config file, but that still contains the database user ID and password. I worked in a place once where someone accidentally checked the source code into GitHub and it became a public repository. It was totally unintentional. We didn't use public GitHub at that time; we had our own corporate, private GitHub. And so the database user ID and password ended up on the open Internet. Now, this is the way that a lot of hackers, and even governmental organisations that hack into systems, get in: someone accidentally divulges something and it gets written down. They might not be able to reach the database right away, but if they can breach your network, they have the database username and password in their back pocket. So one of the emerging security trends is to remove these secrets from the code, the config files and the developer's view, and to ensure that very, very few employees know your database user ID and password. The way you do that within Azure is called Azure Key Vault. You put your secrets in the Key Vault, and the application can request the secret and it will be given to it. So the user ID and password can be returned, or the connection string itself can be returned, as a secret. Because the application is running under its own service principal, and you've given that service principal access to that secret, it can go and get the username and password. Using something like Azure Key Vault is a way of protecting your secrets as well. 
In an authorization sense, when you're talking about being able to connect somewhere within Microsoft Azure, we can see a Key Vault example on screen. I have my key vault, where it holds my signing keys and my security certificates, and I can also just place strings of text in there as secrets and, again, authorise specific applications to request those secrets. My developers, my administrators, nobody else knows the secret except the person who put it in there, and the application that is authenticated. Another principle of authorization security is the principle of least privilege. We really don't want a lot of people walking around with access to things they don't need. We want a single backup admin account, or a couple of them, but we don't want people in the organisation having full access when they don't particularly need it. Another principle is not rolling your own security. If we don't know something exists, we have a tendency to think, "I'll just write some code; I need to do some encryption, so I'm going to invent a new protocol that moves every letter over by one and adds a couple of random letters in between, and no one will ever figure it out." Don't reinvent the wheel. When it comes to these authorization technologies like Azure AD and Azure Key Vault, take advantage of them and don't roll your own.
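The Key Vault flow described above, as an added PowerShell example (this is not code from the course or from Microsoft's documentation): the secret is written once, the application's own identity is granted only the right to read secrets on that vault, the app retrieves the connection string at runtime instead of from a config file, and a final query checks who else can read it. The vault name, secret name, object ID and connection string are constructed placeholders, and the role-assignment step assumes the vault uses Azure RBAC rather than access policies for data-plane permissions.

```powershell
# Added example (not from the lecture): keep a database connection string out of
# code and config by storing it in Azure Key Vault, granting only the app's
# identity the right to read it, and retrieving it at runtime.
# All names below are constructed placeholders; replace them with your own.
$vaultName   = 'kv-contoso-example'                     # assumed Key Vault name
$secretName  = 'SqlConnectionString'                     # assumed secret name
$appIdentity = '00000000-0000-0000-0000-000000000000'    # placeholder object ID of the app's service principal / managed identity

# 1. The person who knows the secret writes it once. Nobody else needs to see it again.
$plain  = 'Server=tcp:sql-example.database.windows.net;Database=app;User ID=appuser;Password=<placeholder>;'
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secure | Out-Null

# 2. Least privilege: the application's identity gets only "Key Vault Secrets User"
#    (read secret contents) on this vault, not Owner or Contributor, and no access
#    to keys or certificates. (Assumes the vault uses Azure RBAC for data-plane access.)
$vault = Get-AzKeyVault -VaultName $vaultName
New-AzRoleAssignment -ObjectId $appIdentity `
                     -RoleDefinitionName 'Key Vault Secrets User' `
                     -Scope $vault.ResourceId | Out-Null

# 3. At runtime, the app (signed in as that identity, e.g. via a managed identity)
#    asks the vault for the secret instead of reading it from web.config.
$connectionString = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText

# 4. What to verify: who can read this secret? Anyone listed here who is not the
#    application or a break-glass admin is a candidate for removal.
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Where-Object { $_.RoleDefinitionName -like 'Key Vault*' } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName
```

Step 3 is the part that replaces the connection string in the config file; in a deployed app it would run under the managed identity rather than an interactive login, and the plaintext in step 1 exists only on the machine of the person who seeded the secret.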

3. Azure AD Groups and Roles

So we've been saying that Azure Active Directory is the central place where users' identity and access are managed within Azure when it comes to your applications. So how is access granted to an application? One of the central ways it's done is through the concept of groups. Let's say you have users in your Azure Active Directory. Those can be synchronised from your on-premises Active Directory, those users can register themselves using the registration feature within your application, or you could use a social login like Facebook Connect. They get into your user list in some way. Now, you can create groups of those users. Let's say you're administering an application and you know there's a group of about 200 people that need access to it. You could create an Application Access group, manually assign those people (go in there and add one, remove one), and that group can then be granted access to your application. Or, with an Azure AD Premium P2 subscription, you can create a dynamic group, where the membership grows and shrinks dynamically based on some attribute. First of all, the person that manages this group does not have to be the global administrator. You can create a user within Azure who has the User Administrator permission. This is part of role-based access control, which grants very granular permissions to users within Azure. If you grant this user the User Administrator permission against your Azure Active Directory, look at all the things they can do: create groups, update groups, approve assignments, delete assignments, etc. So a user administrator type of function can manage the groups for you. Here's a diagram I took from Microsoft, and it illustrates this concept: Mariah is the user administrator we just talked about, and she can assign users to the group. 
So in this Project Icarus group, she chooses John, Paul and George to be members, but Ringo is not among them. It's up to the resource owner to say, "Anyone who is part of Project Icarus has access to my application." Being a group member gives you access to that resource, and you can have an individual who manages that group for you. Now, the group model is similar to, but different from, the role-based model, and we've touched on it. We have Mariah as the user administrator; that's her role. You go into the roles section of Active Directory, choose User Administrator, assign it to Mariah, and she's got that role. There are some common roles within Azure. Azure comes with about 80 built-in roles, and we saw some of them listed on screen when we went back here. But there are three major categories of roles. The Owner has full access to the resource and has permission to assign permissions to other people: a resource owner not only has control over the resource itself, but also over who else has control over it. The Contributor role lets them control the resource, but they don't have the ability to give that permission to anyone else. And then the Reader role is simply that you can see the resource and perform some read-only functions against it, but you can't modify it. You can't stop it or update it. If you're looking at virtual machines and you only have Reader permission, then you can see the virtual machine inside the resource group, but you can't stop and start it. You can't affect it in any way. You can look at it, see the IP address, connect to it, and, if you have the appropriate user ID and password, log on to the virtual machine and do whatever you want within it. But within Azure, the Reader role is a non-modification role. 
Beyond the 80 that Microsoft gives you, and the Owner, Contributor and Reader groupings, you can create your own custom roles. Let's say that within your application you want to create a superuser, and that superuser can create categories, post articles into those categories, create brand new tags, and assign tags not only to their own articles but to other people's articles. That could be a role, and that role can be created within Azure. Again, you need an Azure AD Premium account in order to do something like custom roles, so it's not available on the free tier.
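The Project Icarus scenario and the Owner/Contributor/Reader comparison above, as an added PowerShell example that is not code from the course or from Microsoft: a user administrator creates the group and adds three members, the resource owner grants the group (rather than individual people) the Reader role on the resource group that holds the application, and the script then prints the assignments at that scope and the Actions/NotActions of the three built-in roles so you can see why only Owner can hand out permissions. The group name, user principal names and resource group name are constructed placeholders.

```powershell
# Added example (not from the lecture): the Project Icarus scenario as PowerShell.
# A user administrator manages group membership; the resource owner grants the
# group (not individual people) a role on the resource. Names are constructed.
$groupName     = 'Project Icarus'
$resourceGroup = 'rg-icarus-app'   # assumed resource group holding the application

# Create the security group and add three members (UPNs are placeholders).
$group = New-AzADGroup -DisplayName $groupName -MailNickname 'projecticarus' -SecurityEnabled
foreach ($upn in 'john@contoso.example', 'paul@contoso.example', 'george@contoso.example') {
    $user = Get-AzADUser -UserPrincipalName $upn
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
}
# Ringo is deliberately not added.

# Resource owner: grant the group the built-in Reader role on the resource group.
# Reader can see the VMs (including IP addresses) but cannot start, stop or change them.
New-AzRoleAssignment -ObjectId $group.Id `
                     -RoleDefinitionName 'Reader' `
                     -ResourceGroupName $resourceGroup | Out-Null

# Check: which role assignments exist at this scope? Review these periodically;
# a direct assignment to a person rather than a group is worth a second look.
Get-AzRoleAssignment -ResourceGroupName $resourceGroup |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope

# Compare the three major built-in roles. Owner's Actions are '*' with no NotActions;
# Contributor is '*' but lists Microsoft.Authorization/*/Write and /Delete under
# NotActions, which is exactly the "cannot grant access to others" difference;
# Reader is '*/read'.
foreach ($role in 'Owner', 'Contributor', 'Reader') {
    $def = Get-AzRoleDefinition -Name $role
    [pscustomobject]@{
        Role       = $role
        Actions    = ($def.Actions -join ', ')
        NotActions = ($def.NotActions -join ', ')
    }
}
```

Because the role is assigned to the group, onboarding or offboarding someone on Project Icarus is a group-membership change that the user administrator can make without touching the resource, which is the separation the diagram in the lecture is illustrating.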

3. *NEW* Just In Time (JIT) Access

In this lesson, we're going to talk about Just-In-Time security access for virtual machines. This is a feature of Azure Security Center, and in particular of the Azure Defender subscription. The Azure Defender subscription does cost money, currently set at $15 per server per month, and other services covered by Azure Defender have separate costs. The purpose of Just-In-Time access is this: when you have open management ports like RDP and SSH, that is effectively a security risk. There are scripts out there searching for open ports, and even though the particular ports might be locked down, if there is a zero-day vulnerability or an attacker is able to get access in some way, an open port is a hole through which people will try to get into your server. So Just-In-Time access locks down inbound traffic to those ports. When it's time for you to request access, you have to go through an RBAC (role-based access control) check to see whether you, as a user, have access to that virtual machine for what you're trying to do. Then the Just-In-Time feature of Azure Defender changes the configuration of the firewall and NSGs to allow inbound traffic to the VM only from your specific IP, on the relevant ports, whether RDP or SSH, and only for a limited time. Once the time expires, the firewall and NSG rules are set back to their previous settings, so no further connections are allowed. Connections that are already established are not interrupted. By enabling Just-In-Time access, you're minimising the attack surface that hackers and other malicious users are probing to get into your servers, even if they wouldn't be able to get in because the security is already pretty tight. This is just another layer that's going to stop people trying to hack your servers. 
So, like I said, it requires an Azure Defender subscription. This is the higher, standard tier of Azure Security Center, but it is an option if you want to lock down your servers to a higher level of security.
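The JIT mechanism described above, as an added PowerShell example using the Az.Security module (this is not the course's code, and the cmdlet parameter shapes are as I understand them from the module rather than something shown in the lecture): a policy declares which ports JIT may ever open and the maximum duration, then a request opens SSH only, from one source IP, for one hour, after which the NSG rule is removed. Subscription ID, resource group, location, VM name and the source IP (a TEST-NET-3 address) are constructed placeholders.

```powershell
# Added example (not from the lecture): enabling Just-In-Time VM access with the
# Az.Security module, then requesting a time-boxed opening for SSH from one IP.
# Subscription, resource group, VM and IP values are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-jit-example'
$location       = 'eastus'
$vmName         = 'vm-jit-example'
$vmId           = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Policy: which ports JIT may open, and for how long at most. Ports not listed
#    here stay closed; the NSG's inbound deny rule remains in force the rest of the time.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = '*'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' },
        @{ number = 3389; protocol = '*'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitPolicy) | Out-Null

# 2. Request: a user who passes the RBAC check asks for SSH only, only from their
#    own public IP, and only for one hour. endTimeUtc must fall within
#    maxRequestAccessDuration or the request is rejected.
$myIp   = '203.0.113.10'   # placeholder (TEST-NET-3); use the requester's real egress IP
$expiry = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22; endTimeUtc = $expiry; allowedSourceAddressPrefix = @($myIp) }
    )
}
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Check the policy and its open requests. After $expiry the temporary NSG rule is
#    removed and new connections are refused; sessions already open stay up.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name 'default' |
    Select-Object -ExpandProperty Requests
```

The two knobs that matter for the attack surface are the allowedSourceAddressPrefix on the request (a single IP, never '*') and the endTimeUtc; the policy's maxRequestAccessDuration caps what any requester can ask for.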

4. *NEW* Azure Resource Graph

So there's one relatively new, pretty cool service within Azure called Resource Graph. It lets you explore the resources in your Azure subscription using a query language. If we go up to the search box, I've already typed Azure Resource Graph, and we can see that Resource Graph Explorer is the service we're looking for. This will be very similar to the Kusto Query Language (KQL) log query tool in Azure Monitor; in fact, it is the same KQL. But in this case, instead of searching logs, we are going to search for resources in our account. I'm going to close that window. If I just put resources as the object and say Run query, it's going to return all of the resources currently in my account. I'm going to wrap this up a little bit. We can see what we have: a document database, which is Cosmos DB, a storage account, compute disks, network watchers. These are all the resources in my subscription; you can see the subscription selected in the top right. So simply running resources returns all of the resources. From there, we can build on those queries to get the information we need from our account. If we add limit 10, the query would actually match 74 results, but we'll just take ten of them. The thing is, if I run it again, it will pick a slightly different ten. It's not consistent, because there's no ordering going on. If I say order by location, it pulls from that list and then sorts it by location, and we can see the results sorted by location ascending. If we change the order of the operators, we can sort by location and then grab the top ten after it's sorted, and that will always be the same ten each time, because your resources aren't changing. So this is KQL. 
I'm not going to do a whole tutorial on KQL, but imagine the power and possibility of having a search query against the resources in your account. Now, you're not limited to the Resource Graph Explorer inside the portal; this query can be submitted from PowerShell, from the CLI, and from the REST API. So you can run Resource Graph queries from whatever scripting environment you wish, and in this way you can write your own reports and queries against your Azure resources and process them programmatically. Let's go over to Cloud Shell to show this. You can see I'm starting up PowerShell; I'm going to minimise that. We do have to install the Resource Graph module into PowerShell, so we use the Install-Module command to install the Az.ResourceGraph module, and we have to allow that. Then let's check that it was installed: Get-Command confirms that the Az.ResourceGraph cmdlets exist. If we then clear the screen and run Search-AzGraph, we can write our own query. If we want to pull in resources ordered by location ascending, limit five, we can do that from a PowerShell script. It's pretty powerful stuff when you can write queries against your subscriptions to get, programmatically, the information you might otherwise get through reports in the portal.
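The PowerShell walkthrough above, as an added example that is not code from the course: it installs the module, runs the video's "ordered by location, limit 5" query, and then goes one step further than the lecture with a security query over the same Resources table that lists NSG rules allowing inbound RDP or SSH from any source, which is the exposure the Just-In-Time lesson is about. The NSG property names (properties.securityRules and the fields under each rule) follow the Microsoft.Network/networkSecurityGroups resource schema as I know it and are an assumption on my part, not something shown in the lecture.

```powershell
# Added example (not from the lecture): Resource Graph from PowerShell, first the
# query from the video, then a security query over the same data model that lists
# NSG rules allowing inbound RDP/SSH from anywhere (the exposure JIT is meant to close).
Install-Module -Name Az.ResourceGraph -Scope CurrentUser -Force
Get-Command -Module Az.ResourceGraph      # should list Search-AzGraph

# The query from the video: resources sorted by location, first five.
Search-AzGraph -Query 'Resources | order by location asc | limit 5'

# Added query (field names per the Microsoft.Network/networkSecurityGroups schema;
# an assumption on my side): expand each NSG's rules and keep inbound allows from
# any source to the management ports.
$openMgmtPorts = @'
Resources
| where type =~ 'microsoft.network/networksecuritygroups'
| mv-expand rule = properties.securityRules
| where tolower(tostring(rule.properties.direction)) == 'inbound'
    and tolower(tostring(rule.properties.access)) == 'allow'
    and tostring(rule.properties.sourceAddressPrefix) in~ ('*', 'internet', '0.0.0.0/0')
    and tostring(rule.properties.destinationPortRange) in ('22', '3389', '*')
| project nsg = name, resourceGroup, subscriptionId,
          ruleName = tostring(rule.name),
          port = tostring(rule.properties.destinationPortRange),
          priority = toint(rule.properties.priority)
| order by subscriptionId asc, nsg asc, priority asc
'@

# -First caps the number of rows returned; because of the order by, repeated runs
# return the same rows (the inconsistency the video shows with a bare limit).
$findings = Search-AzGraph -Query $openMgmtPorts -First 100
$findings | Format-Table nsg, resourceGroup, ruleName, port, priority

# Programmatic use: hand the list to a report or a ticket instead of eyeballing the portal.
if ($findings.Count -gt 0) {
    Write-Warning ("{0} NSG rule(s) allow inbound RDP/SSH from any source; consider JIT or a source IP restriction." -f $findings.Count)
}
```

Rules that use destinationPortRanges (a list) rather than destinationPortRange, or that allow a broader range such as 3000-4000, will not be caught by the port filter as written; extend the where clause if your NSGs use those forms.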
