Application authorization specifies which actions security principals (users, devices, services) may carry out. Setting it up means restricting the operations a principal can perform on a resource and managing the authorization policies, roles, and permissions that express those restrictions.

Azure Active Directory (Azure AD, since renamed Microsoft Entra ID) is the primary component for implementing application authorization. It is a cloud-based identity and access management service through which employees, partners and workloads sign in and are granted access to resources, bringing users, groups, devices and applications under one set of policies regardless of where they are hosted.


Here are some pertinent details and examples of implementing application authorization within the context of SC-300.

1. Implementing Role-Based Access Control (RBAC)

Azure RBAC (role-based access control) controls what a principal may do with the resources in an Azure subscription. At its simplest it operates with three elements: security principals, role definitions, and scopes. Note that Azure RBAC governs Azure resources; it is distinct from Azure AD roles such as Global Administrator or Application Administrator, which govern the directory itself.

  • Security Principals: the identity requesting access to an Azure resource (a user, group, service principal, or managed identity).
  • Role Definitions: a collection of permissions (Actions, NotActions, DataActions, NotDataActions). The principal receives exactly those permissions when the role is assigned.
  • Scopes: the range an assignment applies to, at management group, subscription, resource group, or individual resource level. Assignments are inherited downwards, so a role granted at subscription scope applies to every resource group beneath it.

For instance, the user John Doe can be assigned the ‘Contributor’ role at resource group scope, which limits him to managing resources in that group; because Contributor excludes the Microsoft.Authorization write actions, it also does not let him grant access to anyone else.
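The assignment above, as an added example using the Az PowerShell module (this is not code from the original page; the subscription id, account name, group name and resource group name are placeholders). It inspects the role definition first, assigns the role at resource group scope, and then verifies what John actually holds at that scope, including anything inherited through group membership.

```powershell
# Added example: Contributor at resource group scope with the Az module.
# Subscription id, UPN, group and resource group names below are assumptions.
Connect-AzAccount
Set-AzContext -Subscription "00000000-0000-0000-0000-000000000000"   # assumed subscription id

# 1. Inspect the role definition before handing it out. Contributor is Actions "*"
#    minus NotActions; the NotActions list contains Microsoft.Authorization/*/Write,
#    so a Contributor cannot create further role assignments.
$role = Get-AzRoleDefinition -Name "Contributor"
$role.Actions
$role.NotActions

# 2. Assign the role at resource group scope only (never at subscription scope
#    "for convenience"). Assigning to a group is preferred so the assignment
#    survives staff changes; both forms are shown.
New-AzRoleAssignment -SignInName "john.doe@contoso.com" `
    -RoleDefinitionName "Contributor" `
    -ResourceGroupName "rg-app-prod"

$groupId = (Get-AzADGroup -DisplayName "sg-app-prod-contributors").Id   # assumed group
New-AzRoleAssignment -ObjectId $groupId `
    -RoleDefinitionName "Contributor" `
    -ResourceGroupName "rg-app-prod"

# 3. Verify the effective assignments at that scope. -ExpandPrincipalGroups also
#    lists roles John inherits through group membership, and the Scope column
#    shows whether an assignment is direct or inherited from the subscription.
Get-AzRoleAssignment -SignInName "john.doe@contoso.com" `
    -ResourceGroupName "rg-app-prod" -ExpandPrincipalGroups |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The verification step is the one practitioners skip: an assignment that looks scoped to one resource group is often shadowed by a broader one inherited from the subscription, and only the listing at the target scope with group expansion shows that.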

2. Implementing OAuth 2.0 Authorization

OAuth 2.0 is an open standard for access delegation: a user grants an application limited access to their data held by another service without ever sharing their password with that application. OAuth 2.0 itself is an authorization protocol; authentication of the user is layered on top of it by OpenID Connect (OIDC). The Microsoft identity platform implements both.

To implement OAuth 2.0 authorization you follow a series of steps:

  • Register your app with the Microsoft identity platform, recording the client ID and the redirect URI.
  • Send the user to the authorize endpoint and receive an authorization code at the redirect URI (public clients must use PKCE, sending a code challenge with the request).
  • Redeem the code at the token endpoint for an access token (plus an ID token and, with the offline_access scope, a refresh token).
  • Use the access token as a Bearer token to call the Microsoft Graph API.

Done this way, the application never handles the user’s password, the permissions it receives are limited to the scopes the user or an administrator consented to, and its tokens can be revoked without changing the user’s credential.
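The four steps end to end, as an added example written for this page (not code from the original author or from Microsoft). It assumes the app is registered as a public client (the “Mobile and desktop applications” platform) with http://localhost:8400/ as a redirect URI; the tenant and client IDs are placeholders. On Windows, if the loopback listener fails to start, a URL reservation may be needed (`netsh http add urlacl`).

```powershell
# Added example: OAuth 2.0 authorization code flow with PKCE against the
# Microsoft identity platform v2.0 endpoints, then one Graph call.
# TenantId, ClientId and RedirectUri are assumptions; replace with your registration.
$TenantId    = "contoso.onmicrosoft.com"
$ClientId    = "00000000-0000-0000-0000-000000000000"
$RedirectUri = "http://localhost:8400/"
$Scopes      = "openid profile offline_access https://graph.microsoft.com/User.Read"

# Base64url encoding as required by RFC 7636 (URL-safe alphabet, no padding).
function ConvertTo-Base64Url([byte[]] $Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# PKCE: a random code_verifier kept by the client and its S256 code_challenge sent
# with the authorize request. A code stolen from the redirect cannot be redeemed
# without the matching verifier.
$verifierBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($verifierBytes)
$codeVerifier  = ConvertTo-Base64Url $verifierBytes
$sha256        = [System.Security.Cryptography.SHA256]::Create()
$codeChallenge = ConvertTo-Base64Url ($sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes($codeVerifier)))

# state binds the redirect back to this particular request (CSRF protection).
$state = ConvertTo-Base64Url ([guid]::NewGuid().ToByteArray())

# Step 1: build the authorization request.
$authorizeUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/authorize" +
    "?client_id=$ClientId" +
    "&response_type=code&response_mode=query" +
    "&redirect_uri=$([uri]::EscapeDataString($RedirectUri))" +
    "&scope=$([uri]::EscapeDataString($Scopes))" +
    "&state=$state" +
    "&code_challenge=$codeChallenge&code_challenge_method=S256"

# Step 2: listen on the loopback redirect, open the browser, collect the code.
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($RedirectUri)
$listener.Start()
Start-Process $authorizeUrl                      # user signs in and consents in the browser
$context = $listener.GetContext()                # blocks until Azure AD redirects back
$query   = $context.Request.QueryString
$reply   = [Text.Encoding]::UTF8.GetBytes("Sign-in complete. You can close this window.")
$context.Response.OutputStream.Write($reply, 0, $reply.Length)
$context.Response.Close()
$listener.Stop()

if ($query["state"] -ne $state) { throw "state mismatch: possible CSRF, discarding code" }
if ($query["error"])            { throw "authorization failed: $($query['error_description'])" }
$code = $query["code"]

# Step 3: redeem the code. A public client sends no client_secret; the
# code_verifier is what proves this client started the flow.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType "application/x-www-form-urlencoded" `
    -Body @{
        client_id     = $ClientId
        grant_type    = "authorization_code"
        code          = $code
        redirect_uri  = $RedirectUri
        code_verifier = $codeVerifier
        scope         = $Scopes
    }

# Step 4: call Microsoft Graph. The access token is opaque to the client; the
# "scope" field of the token response shows which delegated permissions were granted.
$me = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
"Signed in as $($me.userPrincipalName); granted scopes: $($tokenResponse.scope)"
```

Two checks matter for security here and are easy to drop from a tutorial: the state comparison before the code is used, and the absence of any client secret in a public client (a secret embedded in a desktop app is not a secret; PKCE is the replacement).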

3. Implementing conditional access policies

Conditional Access enforces organizational policy at the moment a principal accesses an application. A policy has two parts: conditions (who, which application, from where, on which device or platform, at what user or sign-in risk level) and access controls (grant, require multifactor authentication, require a compliant or hybrid-joined device, or block). When a user attempts to access an application, Azure AD evaluates every enabled Conditional Access policy after the first factor succeeds and applies the controls of each policy whose conditions match.

For example, a Conditional Access policy could require multi-factor authentication when a user or group accesses a resource from a location outside the organization’s trusted named locations, from a device that is not compliant, or when Identity Protection rates the sign-in as medium or high risk.
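The policy just described, as an added example built with the Microsoft Graph PowerShell SDK (not code from the original page). The group, application and break-glass names are placeholders; “All” and “AllTrusted” are the built-in location identifiers. The policy is created in report-only mode first, which is how a practitioner would stage it.

```powershell
# Added example: require MFA for one application from untrusted locations.
# Group names and the application display name are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Group.Read.All", "Application.Read.All"

$financeGroupId  = (Get-MgGroup -Filter "displayName eq 'sg-finance-users'").Id              # assumed group
$breakGlassGroup = (Get-MgGroup -Filter "displayName eq 'sg-breakglass-accounts'").Id        # assumed group
$financeAppId    = (Get-MgServicePrincipal -Filter "displayName eq 'Finance Portal'").AppId  # assumed app

$policy = @{
    displayName = "CA010 - Require MFA for Finance Portal from untrusted locations"
    # Report-only: the policy is evaluated and written to the sign-in logs but not
    # enforced. Switch to "enabled" only after reviewing who would have been affected.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($financeGroupId)
            # Always exclude the emergency-access accounts so a policy mistake
            # cannot lock every administrator out of the tenant.
            excludeGroups = @($breakGlassGroup)
        }
        applications = @{ includeApplications = @($financeAppId) }
        # Every location except named locations marked as trusted.
        locations = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        # "all" covers legacy authentication clients as well; listing only
        # browser and modern clients leaves a bypass for legacy protocols.
        clientAppTypes = @("all")
    }
    # Conditions are ANDed together; a sign-in matching all of them must pass MFA.
    # For risk, a separate policy with signInRiskLevels = @("high") and
    # builtInControls = @("block") is the usual companion.
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verify what was stored; later, once the report-only sign-in log entries look
# right, enforce it:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#       -BodyParameter @{ state = "enabled" }
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

The break-glass exclusion and the report-only stage are not optional niceties: a Conditional Access policy applies to administrators too, and a policy that requires a control nobody can satisfy (MFA before any method is registered, a compliant device before Intune is configured) locks the tenant.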

These steps to implement application authorization are a vital part of the SC-300 Microsoft Identity and Access Administrator exam and of keeping applications secure from unauthorized access. Access to resources should be granted on the principle of ‘least privilege’: only the access users strictly need to perform their job, for no longer than they need it, with standing administrative rights replaced by just-in-time activation through Privileged Identity Management wherever possible.

The examples above are fundamental tools used in Azure AD and Microsoft 365 to protect the application infrastructure from unauthorized access, by ensuring that only authenticated and authorized users and devices can reach your data and applications.

Practice Test

True or False: Azure AD provides only a single model for application authorization that involves simple roles.

  • True
  • False

Answer: False

Explanation: Azure AD provides more than one authorization model: directory roles and Azure RBAC roles, app roles assigned to users, groups and service principals, group membership claims, and delegated and application permissions (scopes) that applications request and that users or administrators consent to.

What is an important step in implementing application authorization in Azure Active Directory?

  • a) Assigning users to roles
  • b) Creating a backup policy
  • c) Enabling multi-factor authentication
  • d) Configuring application auditing

Answer: a) Assigning users to roles

Explanation: Assigning users to roles is part of implementing application authorization. It defines what actions a user can perform in an application.

True or False: The Azure AD application gallery contains pre-integrated applications for easy configuration and assignment of users.

  • True
  • False

Answer: True

Explanation: The Azure AD application gallery contains thousands of pre-integrated applications, making it easier to configure application authorization and assign users to specific applications.

What does Azure AD use to evaluate authorization requests?

  • a) Role-based access control (RBAC)
  • b) Technical support tickets
  • c) Infrastructure metrics
  • d) Network topology

Answer: a) Role-based access control (RBAC)

Explanation: Role-based access control is the model Azure AD (for directory roles) and Azure Resource Manager (for Azure resources) use to evaluate authorization requests: roles are assigned to users, groups, and service principals at a scope, and the permissions in the role definition decide what the principal may do there.

True or False: You can use PowerShell to assign roles in Azure AD for application authorization.

  • True
  • False

Answer: True

Explanation: Azure AD roles can be assigned in the portal, but also programmatically with PowerShell (the Microsoft Graph PowerShell SDK) or directly through the Microsoft Graph API.

How can Azure AD Conditional Access be used in application authorization?

  • a) To monitor network traffic
  • b) To request multi-factor authentication
  • c) To limit data storage
  • d) To create backups

Answer: b) To request multi-factor authentication

Explanation: Conditional access in Azure AD can be used to request multi-factor authentication or block or grant access, providing additional conditions for application authorization.

When is it necessary to create custom roles in Azure AD?

  • a) When built-in roles do not fit your needs
  • b) When using pre-integrated apps from the AD gallery
  • c) When implementing multi-factor authentication
  • d) When providing guest access

Answer: a) When built-in roles do not fit your needs

Explanation: Custom roles in Azure AD are created when the built-in roles do not satisfy the specific needs or requirements of your organization.

True or False: Administrative units in Azure AD limit the scope of role assignment.

  • True
  • False

Answer: True

Explanation: Administrative units restrict the scope of a role assignment to the users, groups, and devices placed in that unit; for example, a Helpdesk Administrator scoped to one unit can reset passwords only for that unit’s members rather than for the whole tenant.

Which among the following actions can be performed with application permissions?

  • a) Read and write all users’ full profiles
  • b) Change user passwords
  • c) Both (a) and (b)
  • d) None of the above

Answer: c) Both (a) and (b)

Explanation: Application permissions are used when the application runs without a signed-in user (daemons, background jobs) and acts under its own identity rather than on a user’s behalf, for example to read or update user profiles. Because they are tenant-wide, they always require administrator consent and should be granted sparingly.

True or False: All users in Azure AD should be assigned admin roles for effective application authorization.

  • True
  • False

Answer: False

Explanation: Not all users should have admin roles. This is not a good security practice as it can provide excessive permissions that the user might not require and can lead to misuse or elevated risks.

When configuring role-based access control, what must be understood beforehand?

  • a) The network layout
  • b) The organization hierarchy
  • c) The storage requirements
  • d) The application’s code

Answer: b) The organization hierarchy

Explanation: To configure role-based access control effectively, you must understand the organization hierarchy: who needs access to what, at which scope, and with what level of access, so that roles can be mapped onto groups rather than individuals.

Interview Questions

What is Azure Active Directory (Azure AD)?

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory, and identity management service that provides advanced features, including Identity Protection, Conditional Access, and Access Reviews.

What is the primary role of Azure AD in application authorization?

Azure AD plays a crucial role in application authorization by providing Identity as a Service (IDaaS) support. It helps in managing and securing cloud-based applications, facilitates conditional access policies, and handles identity management tasks like authentication and single sign-on (SSO).

What is OAuth 2.0 protocol in Azure AD?

OAuth 2.0 is the authorization protocol the Microsoft identity platform uses to let an application obtain limited access to a user’s resources (or, with the client credentials grant, to resources under its own identity). The user authenticates with Azure AD rather than with the application, and Azure AD issues the application an access token limited to the permissions that were consented to. Authenticating the user on top of OAuth 2.0 is the job of OpenID Connect.

Can you explain the concept of scope in Azure AD App?

In Azure AD applications, a scope is a named permission to perform an action. For example, an app might request the Mail.Read scope to read a user’s mail or Calendars.ReadWrite to write to a user’s calendar; the granted scopes are carried in the scp claim of the access token.

What is an identity provider in Azure AD?

An identity provider in Azure AD is a service that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network.

How does Azure AD B2C facilitate user authorization?

Azure AD B2C provides user flows (sign-up and sign-in, profile editing, password reset) that collect information from and authenticate consumer users. The application receives tokens whose claims, including any custom attributes collected in the flow, it can use to make its own authorization decisions.

How can conditional access in Azure AD simplify application authorization?

Conditional Access in Azure AD enables you to implement automated policies based on user context and other factors, like location, to allow or block access, lowering the risk and increasing the security of your applications.

What is Single Sign-On (SSO) in the context of Azure AD?

Single Sign-On (SSO) in Azure AD lets a user authenticate once with Azure AD and then access multiple applications without signing in again, because each application trusts the Azure AD session and the tokens it issues rather than holding its own credentials for the user.

What is the process to register an application in Azure AD?

To register an application in Azure AD, open App registrations in Azure AD, choose “New registration”, give the application a name, select the supported account types (single tenant, multitenant, or personal Microsoft accounts), and configure a redirect URI for the platform the app uses. The registration produces the application (client) ID the app presents in every authorization request.

How is app role authorization implemented in Azure AD?

App roles are defined in the application registration’s manifest (the appRoles collection, each role with a stable id, a value string, a description, and allowed member types of User and/or Application). They are then assigned to users, groups, or service principals on the application’s service principal (the enterprise application in the tenant). When a token is issued for that application, the assigned roles appear in its roles claim, and the application authorizes access to its functions by checking that claim.
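The definition-then-assignment sequence above, as an added example using the Microsoft Graph PowerShell SDK (not code from the original page). The application, group and user names are placeholders; the two role values are invented for illustration.

```powershell
# Added example: define app roles on an app registration and assign them.
# The app registration, group and user below are assumptions.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
                        "Group.Read.All", "User.Read.All"

$app = Get-MgApplication -Filter "displayName eq 'Finance Portal'"      # assumed app registration
$sp  = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"       # its enterprise application

# appRoles exactly as they appear in the manifest. Ids must be stable GUIDs;
# Update-MgApplication replaces the whole collection, and a role that already has
# assignments must be set isEnabled = $false before it can be removed.
$appRoles = @(
    @{
        id                 = [guid]::NewGuid().ToString()
        allowedMemberTypes = @("User")            # assignable to users and groups
        displayName        = "Approver"
        description        = "Can approve invoices"
        value              = "Invoice.Approve"    # the string that lands in the roles claim
        isEnabled          = $true
    },
    @{
        id                 = [guid]::NewGuid().ToString()
        allowedMemberTypes = @("Application")     # assignable to other apps' service principals
        displayName        = "Reporting daemon"
        description        = "Can read reports without a signed-in user"
        value              = "Reports.Read.All"
        isEnabled          = $true
    }
)
Update-MgApplication -ApplicationId $app.Id -AppRoles $appRoles

# Role ids are needed for assignment; re-read them from the service principal,
# which mirrors the registration's appRoles.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
$approverRoleId = ($sp.AppRoles | Where-Object Value -eq "Invoice.Approve").Id

# Assign the Approver role to a group (preferred: group membership drives the role).
$group = Get-MgGroup -Filter "displayName eq 'sg-finance-approvers'"    # assumed group
New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId $approverRoleId

# ...or directly to a single user.
$user = Get-MgUser -UserId "jane.doe@contoso.com"                       # assumed user
New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
    -ResourceId $sp.Id -AppRoleId $approverRoleId

# Require an assignment to sign in at all, so users with no role get no token
# for this app rather than a token with an empty roles claim.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Audit: who holds which role on this application.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

The application’s own code still has to check the roles claim on every request; the assignment only controls what Azure AD puts in the token, and with assignment not required a user who is in no role still receives a valid token.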

What are consent permissions in Azure AD?

Consent is the process by which the permissions an application requests (delegated, to act on behalf of a user, or application, to act as the app itself) are granted. Once a user or an administrator consents, the grant is recorded so the application does not have to ask again. Application permissions and higher-privilege delegated permissions require administrator consent.

What is the role of app manifest files in Azure AD?

The app manifest file in Azure AD is used to define the configuration of an app when it is registered with Azure AD. It includes information like the app ID, authorized scopes, application roles, etc.

What does Azure AD Conditional Access allow you to do?

Azure AD Conditional Access allows you to create access policies based on conditions regarding who, where, and what someone is trying to access, allowing you to secure applications and data.

What is Azure AD B2B collaboration?

Azure AD B2B collaboration allows any Azure AD user to share application access with external users from any organization while maintaining control over corporate data.

What is the difference between Delegated Permissions and Application Permissions in Azure AD?

Delegated Permissions refer to the rights an application has to act on behalf of a user, and requires a user to be authenticated, while Application Permissions refer to the rights an application has when users are not present, often used for background jobs or daemons.
