Azure Background
AAD / Entra ID
- Identity Provider / Enterprise Identity Service
- tenant: an instance of AAD that represents a single organization
- each tenant has a directory
- tenants have one or more subscriptions
- core/primary domain:
<tenant>.onmicrosoft.com
Azure Architecture
- management groups, subscriptions, resource groups and finally resources
- there can be a hierarchy of groups
- permissions are inherited
- subscriptions are billing and access boundaries
- all resources must be in a resource group
- Managed Identities can be assigned to resources
- uses AZ tokens
- can be either system or user-assigned
- Azure Resource Manager (ARM)
- client-neutral deployment and management solution
- this is the control-plane
Azure Roles
- fundamental roles
- owner/contributor/reader/user access administrator
- contributor cannot manage access
- User Access Administrator does not have full (write) access on resources
Azure AD Object HAS Role ON Scope
- scope starts with management group
- Azure AD Object: user/group/service principal/managed identity
- deny roles take precedence
- Azure ABAC
- attribute-based access control
- objects can have tags and rules can reference those tags
- additional conditions to traditional RBAC
- Azure AD Roles
- are for Azure AD objects (users, groups, etc.)
global administrator
has "User Access Administrator" role on the root management group
Consent and Permissions
- applications can ask users for permissions to access their data
- GA / Application Administrator and Cloud Application Administrator → 'permission to grant permissions to applications'
app consent policies
Enterprise Applications → Consent and Permissions
- do not allow user consent
- default: allow user consent for apps from verified publishers for selected permissions (only low-priv ones)
- allow user consent for all apps (for low-impact permissions)
- custom rules
low-impact permissions
- openid, profile, email, user.read, offline_access
- User.ReadBasic.All → read display name, first/last name, email address, open extensions and photos for all users
Azure portal
a normal user can
- read all users, groups, applications, devices, roles, subscriptions and their public properties
- invite guests (!)
- create security groups → add security@target
- read non-hidden group memberships
- can add guests to owned groups
- create a new application (think persistence)
- add up to 50 devices to Azure
you can turn off:
- add up to 50 devices
- invite guests
- create new applications
Authentication and APIs
- uses OIDC and OAuth2
- Azure AD supports SAML2, OIDC, OAuth2 and legacy protocols (LDAP, Kerberos Constrained Delegation, header-based)
- uses bearer tokens
- mostly JWTs
- access tokens / ID tokens / refresh tokens
- by default 1h / 90d
- no expiry for active refresh tokens?
By default an ARM Token is requested
Before az cli 2.30.0:
- azureProfile.json contains information about subscriptions
Use those tokens to bypass conditional access policies
Older Az PowerShell versions:
- also AzureRmContext.json
- also memory dump of powershell
Users can save tokens with
Save-AzContext
Can be used with management.azure.com or graph.microsoft.com (graph.windows.net is deprecated)
continuous access evaluation (CAE)
- invalidates token before end-of-life
- xms_cc: ["CP1"] identifies a CAE-capable token
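Added example (not from the original notes): decoding the payload of a bearer token without verifying it, to inspect the audience (ARM vs Graph), the remaining lifetime and the xms_cc CAE claim described above. The token below is constructed inline with a dummy signature; all function names are my own.

```python
import base64
import json
import time
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    Inspection only: never base an authorization decision on an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def is_cae_capable(claims: dict) -> bool:
    # Entra ID marks CAE-capable access tokens with xms_cc containing "CP1"
    return "CP1" in claims.get("xms_cc", [])

def token_audience(claims: dict) -> str:
    # aud tells which API the bearer token was issued for (ARM vs Microsoft Graph)
    return claims.get("aud", "")

def seconds_until_expiry(claims: dict, now: Optional[int] = None) -> int:
    now = int(time.time()) if now is None else now
    return int(claims.get("exp", 0)) - now

def make_constructed_token(claims: dict) -> str:
    # Constructed sample token for demonstration only: the signature is a dummy
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "dummysignature"])

# Constructed claims mimicking a default ARM access token (1h lifetime, CAE-capable)
SAMPLE_CLAIMS = {"aud": "https://management.azure.com/", "iat": 1700000000,
                 "exp": 1700003600, "oid": "00000000-0000-0000-0000-000000000000",
                 "xms_cc": ["CP1"]}
SAMPLE_TOKEN = make_constructed_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    c = decode_jwt_claims(SAMPLE_TOKEN)
    print(token_audience(c), is_cae_capable(c), seconds_until_expiry(c, now=SAMPLE_CLAIMS["iat"]))
```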