Overview
https://learn.microsoft.com/en-us/training/modules/application-security/
- Register an application in Azure using app registration
- Select and configure which Microsoft Entra users can access each application
- Configure and deploy web app certificates
Review the Microsoft Identity Platform
- Work and school accounts (Microsoft Entra ID provisioned accounts)
- Personal accounts (such as Outlook.com or Hotmail.com)
- Your customers who bring their own email or social identity (such as LinkedIn, Facebook, and Google) via MSAL and Azure AD Business-to-Consumer (B2C)
It is recommended to use version 2.0 of the Microsoft Identity Platform.
- MSAL - Microsoft Authentication Library
- ADAL - Active Directory Authentication Library
- Single Tenant - your own organization
- Multi Tenant - any work or school account
Permission scopes such as user.read can be linked to a specific application.
Register an application with Azure.
- Application ID
- Redirect URI
- Secret
The goal of registration is to receive, once the user has authenticated, an access token carrying the required permissions, which the application can then use to call APIs.
- Delegated permissions - a user is required to consent to the usage of the permissions by the application.
- Application permissions - no user required - permissions are consented by an administrator.
For delegated permissions, the effective permissions of your app will be the intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user can be determined by policy or by membership in one or more administrator roles.
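The consent rules in the two bullets and the paragraph above, modelled as an added example (not code from the Microsoft Learn module). The app ID, scope names such as User.Read and Mail.Read, and the user privilege sets are constructed placeholders for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AppRegistration:
    """Constructed model of an app registration's requested and consented permissions."""
    app_id: str                                           # Application (client) ID placeholder
    delegated: set = field(default_factory=set)           # delegated scopes the app requests
    application: set = field(default_factory=set)         # application permissions (app roles) it requests
    consented_delegated: set = field(default_factory=set) # delegated scopes a user or admin has consented to
    admin_consented_application: set = field(default_factory=set)  # app roles an administrator consented to


def effective_delegated(app: AppRegistration, user_privileges: set) -> set:
    """Delegated flow: consented delegated scopes intersected with the signed-in
    user's own privileges. The app can never exceed what the user can do."""
    consented = app.delegated & app.consented_delegated
    return consented & set(user_privileges)


def effective_application(app: AppRegistration) -> set:
    """Application flow (no signed-in user): only admin-consented app roles apply."""
    return app.application & app.admin_consented_application


def consent_required(app: AppRegistration) -> set:
    """Delegated scopes the app requests but nobody has consented to yet."""
    return app.delegated - app.consented_delegated


def example_app() -> AppRegistration:
    # Constructed registration: three delegated scopes requested, two consented;
    # one application permission requested and admin-consented.
    return AppRegistration(
        app_id="00000000-0000-0000-0000-000000000000",  # placeholder, not a real app
        delegated={"User.Read", "Mail.Read", "Directory.ReadWrite.All"},
        application={"Mail.Read"},
        consented_delegated={"User.Read", "Mail.Read"},
        admin_consented_application={"Mail.Read"},
    )


if __name__ == "__main__":
    app = example_app()
    # A user who holds only User.Read cannot give the app Mail.Read, even though it was consented.
    print(effective_delegated(app, {"User.Read"}))
    # An admin-privileged user still does not unlock the unconsented Directory.ReadWrite.All scope.
    print(effective_delegated(app, {"User.Read", "Mail.Read", "Directory.ReadWrite.All"}))
    print(consent_required(app))
    print(effective_application(app))
```

Running it shows the intersection rule in practice: the limited user yields only User.Read, the admin user yields User.Read and Mail.Read, Directory.ReadWrite.All is reported as still needing consent, and the app-only flow yields Mail.Read regardless of any user.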
Microsoft Graph Security API
It is a good idea to get used to using the MS Graph Security API.
- Write code – Find code samples in C#, Java, NodeJS, and more.
- Connect using scripts – Find PowerShell samples.
- Drag and drop into workflows and playbooks – Use Microsoft Graph Security connectors for Azure Logic Apps, Microsoft Flow, and PowerApps.
- Get data into reports and dashboards – Use the Microsoft Graph Security connector for Power BI.
- Connect using Jupyter notebooks – Find Jupyter notebook samples.
- Unify and standardize alert tracking – For ingestion into a SIEM.
- Correlate alerts.
- Update alert tags, status, and assignments.
- Use security context for investigation.
Managed Identities
- System Assigned - enabled on the Azure service and is tied to the lifecycle of that service.
- User Assigned - enabled separately from the service and is not tied to the lifecycle of any service.
Azure App Service
App Service is a PaaS offering for developers that hosts HTTP web applications.
App Service Certificates
You can upload a certificate into App Service and then create a DNS name for your app.
- Free certificate
- Purchase an App Service certificate
- Import from Key Vault
- Upload a private certificate
- Upload a public certificate