AZ-304 Microsoft Azure Architect Design – Design Authentication Part 3

1. Introduction to Authorization

So in this section of the course, we’re going to switch over to the concept of authorization. Now, we talked about authentication being more than just user ID and password. You could include the concept of multifactor authentication. We know with some certainty, or even 100% certainty that you are who you say you are. Now that we know who you are, what can you do? Like, what is your level of permissions within this system? Have you got full permissions? Are you an administrator? Are you just a regular user? Or maybe you’re just a report reader and you don’t have access to the majority of the application, and all you can do is just run reports, depending on your application design, so many different levels that somebody can be authorized.

Now, we also have to keep in mind that we’re not just talking about live interactions with real users here. So, yes, when I log into the system as myself, the system is going to determine, what can Scott do? But we’re also in this world where applications are going off and doing things not only on our behalf, but we’re setting them up to be autonomous. So there’s the two scenarios with that, where you might have a, for instance, a social media, like an Instagram account, and then you’ve got an application that will go and post to Instagram for you. So it’s acting as you, and that’s probably proper.

That goes up under your Instagram account under your name. But there’s a system in between that is connecting you to Instagram. But there’s also these applications that are batch jobs behind the scenes. They shouldn’t be tied to a single person, right? Batch job that is running it runs every ten minutes from now until the end of time. Should not be running under my name because what happens if I leave the company? What happens if my credentials change? I change, departments have changed jobs. We don’t want these applications to stop working or to have elevated privileges unnecessarily.

So we’ve talked about the apps that can do things on your behalf, which is like Instagram posters, for instance. Another type of authentication that we do is you set up pre authorized withdrawals. And so you’re basically allowing some other third party application to have access to your PayPal account. I was going to say bank account, but the bank account system doesn’t operate online entirely. But the PayPal system, you can authorize some money to withdraw $5 a month from your PayPal account.

And that’s an authority that you’re granting. Now, as you’d expect, the Identity Manager within Azure Active Directory has the ability for you to grant people and to grant other applications the level of permissions that they need. Now, there are two types of models generally within this, okay? There’s many different types of models out in the, in the world, I guess, but the ones that we talk about within this course, within the exam, and generally are both role based authentication and claims based.

Now, role based is when you are a user, you are part of a role. You are a developer, you are a manager, you are an administrator. And being part of that role gets you permission to do certain tasks, okay? That’s a role based model. Depending on your job and your needs, you get certain permissions. Claims based is more that you are in possession of a token. So someone has given you an API key. We don’t know who you are, but you have the API key. It’s the possession of that key that gets you the permission to call the API. So you don’t log in with a user ID and password into a traditional API. You present the key that you’ve been given, and that key is a claims based model. I liken this to a house where you can either have the front door locked, but once you’re inside the house, you’ve got full access to everything, or you can have very granular security where you’ve got a safe and you’ve got drawers. There’s places within the house that are generally allowed the general admission, if you will. And there are places in the house that have locked doors, padlocks on the drawer, et cetera.

So you can have very within your application, you can either just once you have a user ID and password and you’ve been authenticated to enter the house, your users have full run of the house, or you can have very fine grained each individual action, and each individual part of the application requires a certain permission. And we’re going to check each person every time. Now, those are two different models, okay? It’s quite common, actually, to have an application only has a front door if it’s an internal application, where it’s not open to the public, internet, where there’s not millions of users, et cetera. You just have one point of checking somebody’s credentials. But when you’re talking about a big application that’s got a big footprint in public, you may want to check their credentials in many different.

2. Approach to Authorization

So the AZ-301 exam, on a grander scale is about design. It’s about strategy. It’s really about the job of an architect to come up with ideas and solutions that fit a particular business needs. That’s why the AZ-300 exam is about the technologies. It’s about learning how to create a VM. It’s about learning how to create a virtual network. This exam is the Y aspect of that. So we’re talking about authorization, and particularly in this video, we’re going to talk about the approach to authorization. So in the last video, I ended by talking about this concept of having your house and having a front door. And once the person has used a key and opened the front door, the entire house is open. They can go upstairs, they can go downstairs, they go in the kitchen, go in living room.

There’s no additional security in the individual’s access to your house. But you could design your house if you were not a house, but in fact a hotel. You could design your hotel such that every door has a lock, even the maid’s closet has a lock, and every individual room has a lock and things like that. And so if you have a place where strangers are going to visit, you may want to go to that deeper level of security where you have to authenticate and get authorization for every room you want to go into. And so it’s a very individual thing, your application. Depending on your application, you might be fine with having a front door type security. Every user entering into your application is an employee of yours, and there’s only ten of them.

And so you don’t need to design a very complicated system of trust where they’re allowed to do things, they’re not allowed to do certain things. As long as you trust the people and you log and audit those actions, then you don’t necessarily have to put the time and effort and energy and restriction into designing a very complicated authorization scheme. But if you’re on the opposite end, if you’re designing the hotel, if you’re designing a social media network, then maybe you do need a very strong authorization scheme. And it’s better to be safe. It’s better that someone doesn’t have access to something that they need access to, and then they have to go to you and revise that permission. Better that that happens then for people to have higher levels of permission than they need. So every application is going to be different.

Now, the other aspect, of course, is when we’re designing applications, is the application running on its own, under its own name, a batch job, a weekly job, some sort of system level job? Or is it doing work on behalf of an individual? So the social media a managing tool that needs to post to Facebook, needs to post to Twitter, Instagram on a regular basis. It does so on behalf of someone. And so when you log into those things. They go to Instagram and then they say, do you give this person permission to your Instagram account? Yes or no? So in that case, you’re delegating authorization to the application. So you’re going to have to make this decision with these types of programs. Are they operating on their own or are they really acting on behalf of a user? And so those are the types of things you’re going to have to start. Now, if we take a step back, we look at Azure Active Directory. We’ve already talked about its important role in the authentication elements, but we’re talking about authorization here. And so does it have a role? Well, yes, it does, right?

A lot of the concept of the applications themselves can be registered with Azure ad. So if you’re designing an application and you want to delegate the security, user ID and passwords and multifactor authentication and take advantage of those features and benefits of Azure ad, one of the steps is to register your application with Azure ad.

And when we go into the portal and we go into Azure Ad, there’s an application section, and we can see that your organization has so many applications registered with it. Then on the user side, again, we’ve got users. They are part of roles. You’re either a developer, you’re an accountant, you’re a manager, you’re a report runner, you’re going to be part of various different roles. And so when that person logs in, they go into your application. You can know exactly what role they have and assign the permissions appropriately. One key feature for authorization and authentication too, is that when somebody has an elevated account, let’s say there’s this concept called ad conditional access. And so when they’re in a situation that is not normal, they’re not inside the office, they’re not using their normal computer. You’ve never seen them log in with this device before.

They’re halfway across the world. The conditional access can run some particular rules and say they’re not using a normal computer, they’re not doing this from a normal location, assign them a risk level. And you can basically set some rules within a conditional access to say, well, we’re going to deny this access, right? So if you’re not using your regular computer and you’re not in the country, and you’re trying to do something that you’ve never tried before, et cetera, then we can just say, no, that’s denied, and that’ll get logged. And then they can sort of email into support, or they can email into their boss and say, hey boss, I’m on vacation in Caribbean and I’m trying to do some work here, and it’s denying me. So that’s a problem that you can take care of. The other option, of course, is requiring multifactor authentication on a per user or per app basis. And so again, we talked about MFA.

If they’ve got their phone and they’ve got the app, or they’ve got the ability to receive text message. If they come in these suspicious circumstances, you can optionally enforce MFA. And that makes them to provide additional validation that they are who they say they are, is not to hold your secrets inside of your application code or even inside the config files. And so let’s say your application needs to log into a database. Now, back in ten years ago, you would have your connection string embedded right within your application. And you can now put that in a web config file or an app config file, but that database user ID and password. I worked in a place once where someone accidentally checked in the source code into GitHub and that became a public repository. And it was totally unintentional. We didn’t use a public GitHub at that time. We had our own corporate, private GitHub. And so the database user ID and password ended up on the open Internet.

Now, this is the way that a lot of these hackers and even governmental organizations that hack get into systems as someone accidentally divulges something and that gets written down and they might not be able to access the database, but if they can breach your network, they have the database username and password in their back pocket. So one of the emerging trends within security is to remove these secrets from the code, remove them even from the config files, remove them from developer view, make sure that very, very few employees will know your database user ID and password. And the way you do that within Azure is called Azure Key Vault. And so you can actually put your secrets in the Key Vault, and the application can request the secret and it will be given to them. So the user ID and password can be returned, or even the connection string itself can be returned as a secret. And because the application is running under its own service principle, and you’ve given that service principal access to that secret, then it can go and get the user DN password.

So using something like Azure Key Vault is a way of protecting your secrets as well. In an authorization sense, when you’re talking about being able to connect somewhere within Microsoft Azure, we can see a Key Vault example on screen where I have my Key Vault, it holds my signing keys, it holds my security certificates. And I also can just place strings of text in there as secrets and again, authorize specific applications to request those secrets. And my developers, my administrators, nobody else knows the secret except the person who put it in there, and the application is authenticated. Another principle within authentication security is the principle of lease privilege.

And so we really don’t want a lot of people walking around with access to things that they don’t need. We want to have a single backup or a couple of backup admin accounts. But we don’t want to have 20 people in your organization having full access when they don’t particularly need it. Another principle of authentication security is rolling. We have this tendency within an It if we don’t know something exists, just to think, you know what, I’m just going to write some code. I need to do some encryption.

I’m going to invent a new protocol that moves every letter over by one and adds a couple of random letters in between. And no one will ever be able to figure that out. But you don’t want to be reinventing the wheel. So when it comes to these authorization technologies azure Ad, azure Key Vault, take advantage of those and don’t.

3. Azure AD Groups and Roles

So we’ve been saying that Azure Active Directory is sort of the central place where users identity and access management is managed within Azure when it comes to your applications. So how is access granted to an application? Now, one of those central ways that it’s done is through the concept of groups. So let’s say you have users that are in your Azure Active Directory. Now, those could be synchronized from your on premises Active Directory. Those users can register themselves using a registration feature within your application. You could use a social media Facebook Connect type login. They get themselves into your users in some way. Now, you can create groups of those users. So let’s say that you are administrating an application and you know there’s a group of about 200 people that need access to that. So you could create the Application Access Group, and you can either manually assign those people, go in there and just add one, remove one, and that group can then be granted access to your application.

Or you can create an Azure Premium P two type subscription. You can create a dynamic group where the members of the group grow and shrink dynamically based on some attribute. Now, first of all, to be able to manage a group, the person that manages this group does not have to be the global administrator. You can create a user within Azure who has a user administrator permission. This is part of Role Based Access Control is granting very granular permissions to users within Azure. If you grant this user user administrator permission against your Azure Active Directory, look at all the things that they can do, right? They can create groups, update groups, app role assignments, delete role assignments, et cetera. So a user administrator type function can manage the groups for you. Now, here’s a diagram I took from Microsoft. But it gives this concept of Mariah being the user administrator we just talked about, and basically, she can assign users to the group. So this Project Icarus group, she goes and decides john, Paul and George can be part of the group, but Ringo is not part of the group. And it’s up to the resource owner to say, anyone who’s part of Project Icarus has access to my application. So being a group member gives you access to that resource, and you can have an individual again, who manages that group for you. Now, the group model is similar, but different than this role based model. And we kind of touched on it, where we have Mariah being the user administrator. That’s her role. So you go into the role section of Active Directory and you can choose the user administrator. You can assign that to Mariah, and she’s got that role.

There are some common roles within Azure. So Azure comes with about 80 built in roles. And we saw, let me go back here some of these roles listed on the screen. But there are three major categories of roles. You can either be a resource owner that is a resource owner has full access to the resource and has permissions to assign permissions to other people. So a resource owner not only controls the resource, but they can control who else can control that resource. A contributor role lets them control the resource, but they don’t have the ability to give that permission to anyone else. And then the reader role is simply you can see the resource, you can perform some read only type functions against it, but you can’t modify the resource. You can’t stop it, update it. Like if you’re a virtual machine, if you’re looking at virtual machines and you only have reader permission, then you can see the virtual machine inside the resource group.

But you can’t stop and start the virtual machine. You can’t affect it in any way. You can look at it, see the IP address, do a connect to it, and if you have the appropriate user ID and password, go onto the virtual machine and do whatever you want within that virtual machine. But within Azure, a reader role is a non modification role. Now, beyond the 80 that Microsoft gives you and the owner contributor reader groupings, you can create your own custom roles. So let’s say within your application you want to create the super user. And that super user can create categories, post articles into those categories, create brand new tags, assign tags to not only their own articles, but other people’s articles that could be a role. And that role can be created within Azure. Again, you need an Azure Premium account, azure Ad Premium account in order to do something like custom roles. So it’s not available on the free account, but custom roles.

4. *NEW* Just In Time (JIT) Access

So in this lesson, we’re going to talk about just in time security access for virtual machines. Now this is a feature of the Azure Security Center, and in particular, it is the Azure Defender subscription. The Azure Defender subscription actually does cost money, currently set to $15 per server per month. Other services covered by by Azure Defender also have separate costs. So the purpose of just in Time access is basically when you have open ports like RDP and SSH, it is effectively a security risk, right? There are scripts out there that are searching for open ports. And even though the particular ports might be locked down if there is a zero day vulnerability or they are able to get access in some way, it is sort of an open hole in which people will try to hack into your server.

So Just in Time access basically locks down the inbound traffic to those relevant ports. Now, when it’s time for you to request access, you actually have to go through an RBAC role based authentication check to see if you as a user have access to that virtual machine for what you’re trying to do.

Then the just in time access of Azure Defender is going to change the configurations of the Firewalls and NSGs that will allow inbound traffic to the VM for only your specific IP for the relevant ports, whether it’s RDP or SSH, only for limited time. Once the time expires, the rules are basically the Firewall and NSG are set back to their previous settings and so no further connections are allowed. But the good news is that connections that are already established are not interrupted.

So by enabling just in time access, you’re basically minimizing the attack surface at which hackers and other malicious users are trying to get into your servers, even though it may be that they aren’t going to be able to get in because the security is pretty tight as it is. Is this is just another layer that’s going to prevent people from trying to hack your servers. So like I said, it is required to get an Azure Defender subscription. So this is a higher level, the standard level for Azure Security Center. But it is optioned out there if you want to lock down your servers to a higher level of security.

5. *NEW* Azure Resource Graph

So there’s one relatively new, pretty cool service with an Azure called the Resource Graph. And what it does is allows you to explore your resources in your Azure subscription using a query language. So if we go up to our search box here, I’ve already filled out Azure Resource Graph and we can see here that Resource Graph Explorer is actually the service that we’re looking for. And we go into here. Now this is going to be very reminiscent of the Cousteau Query Language log query tool within Azure Monitor. In fact it is the same KQL. But in this case instead of searching for logs we’re going to be searching against the resources on our account. I’m going to close that window.

So if I just say resources as the object and say run query, it’s going to return to me all of the resources that are currently running on my account. I’m going to close this up a little bit and we can see here that what we have is a documented database which is a Cosmos DB Storage Account, compute Desk Network Watchers. There’s all the resources that are in my subscription. We can see the subscription selected here in the top right.

So just simply running resources will return to me all of the resources. From there we can start to build on those query so that we can basically get the information that we need from our account. So if we want to say limit ten, that will actually instead of returning 74 results, we’ll just pick ten top results. The thing here though is if I run it again it’ll pick a slightly different ten. So it’s not a consistent ten because there’s no ordering going on. And in fact, if I said order by location, what this is going to do is it’s going to pull ten from that list and then it’s going to sort the ten by location and we can even see ascending and it’s going to sort the results by location.

If we change this around we can sort by location and grab the top ten after it’s sorted. And that will always be, should be the same location each time because your resources aren’t changing. So this is KQL. I’m not going to do a whole tutorial on KQL, but imagine the power and the possibility of having a search query that you can have against the resources in your account. Now you’re not just limited to the Resource Graph Explorer inside of the portal, this query can be posted from PowerShell CLI. You can do this from your net and all of your arrest APIs.

So you can run Resource Graph queries from whatever scripting language environment that you wish. And so in this way you can write your own reports and queries that you want against your Azure resources and process that in a programmatic way. So let’s go over to our cloud shell to show this. And you can see I’m starting up in PowerShell. I’m going to minimize that. Now we do have to install the Resource Graph module into PowerShell so we can use the install module command lit to install the Resource Graph module.

We do have to allow that and then what we’re going to do is we’re going to let’s check to see that it was installed. So Get command is going to ensure that the AZ Resource Graph exists. The only command that we have is this search hyphen AZ Graph. So if we were to then run a let’s clear that if we were to run the search Hyphen AZ Graph we can then write our own query. So if we want to pull in resources order by location ascending limit five same query that we just read in the portal we can do that using a PowerShell script CLI script net. It’s pretty powerful stuff when you can write queries against your subscriptions to get the information programmatically that you might get through reports in the Portal.

• Category: Uncategorized