Azure: Subtopics
- Tony Stiles
- Jun 16, 2024
- 9 min read
Updated: Jun 18, 2024
Subtopics
Azure BluePrints
Azure Blueprints is a service provided by Microsoft Azure that allows users to create a set of pre-defined resources, policies, and configurations that can be automatically deployed to multiple subscriptions or environments within Azure. Azure Blueprints are essentially a declarative way to orchestrate the deployment of various Azure resources, including virtual machines, storage accounts, networking, and more.
Azure Blueprints can be used to establish a baseline set of configurations, policies, and security controls that can be consistently applied across an organization's Azure environment. This can help organizations ensure that their Azure deployments adhere to industry best practices, security standards, and compliance requirements.
Some of the key features of Azure Blueprints include the ability to:
Define and version Azure resources and configurations
Assign Azure Blueprint to multiple subscriptions or environments
Implement Azure policies and role-based access control (RBAC)
Automate the deployment of Azure resources and configurations
In summary, Azure Blueprints provide a way for organizations to streamline the deployment of Azure resources and ensure that their Azure environment is consistently configured and secured.
Azure Automation State Configuration
Azure Automation State Configuration is a service provided by Microsoft Azure that allows users to define, manage, and enforce configuration settings on their Azure virtual machines and physical servers. With Azure Automation State Configuration, users can create and manage a desired state configuration (DSC) that specifies the state they want their machines to be in, and then deploy and monitor that configuration across their environment.
Some of the key features of Azure Automation State Configuration include:
A declarative, PowerShell-based configuration management system
Integration with Azure Automation to allow for remote configuration management of virtual machines and physical servers
Support for configuring Windows and Linux machines
Custom script support to allow for the execution of additional configuration tasks
Azure Automation State Configuration can be used to ensure that an organization's Azure environment is configured according to best practices and compliance requirements, and to maintain the desired state of the environment over time. By defining a desired state configuration, users can easily apply and enforce consistent configuration settings across their environment, reducing the risk of configuration drift and improving overall security and compliance.
In summary, Azure Automation State Configuration provides a way for organizations to manage and enforce configuration settings on their Azure virtual machines and physical servers, and to maintain a desired state configuration across their environment.
Microsoft Graph
Microsoft Graph is a service provided by Microsoft that enables developers to access and interact with data from a variety of Microsoft services, including Office 365, OneDrive, SharePoint, and more, through a single REST API endpoint. With Microsoft Graph, developers can build applications that integrate with Microsoft services and can access and manipulate data across those services.
Some of the key features of Microsoft Graph include:
A single API endpoint for accessing data across multiple Microsoft services
Rich data models that provide contextual information about data objects
Support for querying, creating, updating, and deleting data objects
Authentication and authorization through Azure Active Directory (AAD)
Microsoft Graph can be used to build a wide range of applications, including productivity apps, business intelligence tools, and automation workflows. By providing a unified API endpoint for accessing data across multiple Microsoft services, Microsoft Graph simplifies the development process and makes it easier for developers to build applications that integrate with Microsoft services.
In summary, Microsoft Graph is a service that provides developers with a unified API endpoint for accessing data from multiple Microsoft services, and enables the development of applications that integrate with those services.
Sign-in Activity Risk Level
Source Article by Microsoft
This section provides an overview of setting up Always Encrypted. For details and to get started, see Tutorial: Getting started with Always Encrypted.
To set up Always Encrypted in your database, you need to:
Provision cryptographic keys to protect your data. Always Encrypted uses two types of keys:
· Column encryption keys.
· Column master keys.
A column encryption key is used to encrypt data in an encrypted column. A column master key is a key-protecting key that encrypts one or more column encryption keys.
You need to store column master keys in a trusted key store outside of the database system, such as Azure Key Vault, Windows certificate store, or a hardware security module.
Then, you need provision column encryption keys and encrypt each of them with a column master key.
Finally, you need to store the metadata about the keys in your database.
The column master key metadata captures the location of the column master key. The column encryption key metadata contains the encrypted value of the column encryption key. The Database Engine never stores or uses the keys of either type in plaintext.
For more information about managing Always Encrypted keys, see Overview of key management for Always Encrypted
Configure encryption for selected database columns that contain sensitive data to be protected. This can involve creating new tables with encrypted columns or encrypting existing database columns and existing data. When setting up encryption for a column, you specify the information about an encryption algorithm, a column encryption key to protect the data in the column, and an encryption type. Always Encrypted supports two encryption types:
Deterministic encryption always generates the same encrypted value for a given plaintext value. Using deterministic encryption allows point lookups, equality joins, grouping and indexing on encrypted columns. However, it may also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column, especially if there's a small set of possible encrypted values, such as True/False, or North/South/East/West region.
Randomized encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents searching, grouping, indexing, and joining on encrypted columns.
Use deterministic encryption for columns that will be used as search or grouping parameters. For example, a government ID number. Use randomized encryption for data such as confidential investigation comments, which aren't grouped with other records and aren't used to join tables.
For details on Always Encrypted cryptographic algorithms, see Always Encrypted cryptography.
You can perform the above steps using SQL tools:
sqlpackage - which automate the setup process
To ensure Always Encrypted keys and protected sensitive data are never revealed in plaintext to the database environment, the Database Engine can't be involved in key provisioning and data encryption, or decryption operations. Therefore, Transact-SQL (T-SQL) doesn't support key provisioning or cryptographic operations. For the same reason, encrypting existing data or re-encrypting it (with a different encryption type or a column encryption key) needs to be performed outside of the database (SQL tools can automate that).
RBAC - Azure page
Review scope of roles and actions. Understand when things like dataactions and actions apply and what those differences are. The diagrams are useful as a reference to understand things.
Service Principal vs Managed Identity
Azure Service Principal and Managed Identity are both identity options in Azure that provide authentication and authorization capabilities. Here's a brief explanation of the differences between them:
Azure Service Principal
• Azure Service Principal is an identity created for use by an application or a service.
• It is typically used when you need to grant permissions to an application to access Azure resources.
• Service Principals are commonly used in scenarios where you need non-interactive access, such as automation or deployment scripts.
• Service Principals are created and managed separately from the Azure resources they access.
• They can be assigned roles and permissions to control access to Azure resources.
• Service Principals require a client ID and client secret or a certificate for authentication.
Managed Identity
• Managed Identity is a feature of Azure Active Directory (Azure AD) that provides automatic management of the identity lifecycle.
• It eliminates the need to manage credentials manually.
• When you enable a Managed Identity on an Azure resource (e.g., virtual machine, Azure Function), a service principal is created automatically and associated with that resource.
• Managed Identities can be used to authenticate and authorize requests to Azure services, eliminating the need for explicit credentials.
• The lifecycle management, including rotation and renewal of credentials, is handled automatically by Azure AD.
• Managed Identities can be used in scenarios where an application needs to access Azure services securely without managing secrets.
In summary, Service Principals are typically used for non-interactive access and require explicit management, while Managed Identities are automatically managed by Azure AD and provide a more streamlined approach to authentication and authorization for Azure resources.
Compare OAuth 2.0 vs SAML vs Kerberos
OAuth 2.0, SAML, and Kerberos are all authentication and authorization protocols used in different contexts and scenarios. Here's a comparison of these protocols:
OAuth 2.0
Purpose: OAuth 2.0 is primarily designed for delegated authorization, allowing users to grant access to their resources without sharing their credentials directly.
Use cases: OAuth 2.0 is commonly used in scenarios involving third-party applications and APIs, such as social media login, mobile app authentication, and API access.
Token-based: OAuth 2.0 relies on access tokens, which are issued by an authorization server after the user's approval. These tokens are then used by the client to access protected resources.
Authorization: OAuth 2.0 provides a framework for authorization, but it does not define how user identity is verified or authenticated.
Standards: OAuth 2.0 is an industry-standard protocol and has wide support across various platforms and services.
SAML (Security Assertion Markup Language)
Purpose: SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).
Use cases: SAML is commonly used in single sign-on (SSO) scenarios, where a user logs in once and gains access to multiple applications or services without re-authentication.
XML-based: SAML messages are based on XML and typically exchanged over HTTP or HTTPS. They contain assertions that provide information about the user's identity and attributes.
Centralized identity management: SAML relies on a centralized identity provider that authenticates the user and generates SAML assertions, which are then consumed by service providers to grant access.
Standards: SAML is an industry-standard protocol widely adopted in enterprise environments, particularly for federated identity management.
Kerberos
Purpose: Kerberos is a network authentication protocol designed to provide secure authentication over an insecure network. It verifies the identities of clients and servers communicating over an open network.
Use cases: Kerberos is commonly used in enterprise environments, where it provides single sign-on capabilities and secures network communications.
Ticket-based: Kerberos uses tickets to authenticate users and services. A ticket-granting ticket (TGT) is obtained by the client after authentication, which is then used to obtain service tickets for accessing specific services.
Symmetric key cryptography: Kerberos uses symmetric key cryptography to secure the authentication process. It relies on a trusted third-party Key Distribution Center (KDC) that issues and manages the necessary cryptographic keys.
Standards: Kerberos is an industry-standard protocol and is integrated into various operating systems and network services.
In summary, OAuth 2.0 is primarily used for delegated authorization in third-party application scenarios, SAML is commonly used for SSO and federated identity management, and Kerberos provides secure network authentication in enterprise environments. The choice of protocol depends on the specific use case and requirements of the system or application being developed.
Permission Reference
Review the built-in permission for questions in regards to provide permissions based on least privilege.
What’s the Difference Between MFA Enabled and Enforced?
Microsoft Azure Active Directory uses various terms to show the status of multi-factor authentication (MFA) for each user. These user states are shown in the Azure portal and all start out as disabled.
Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.
Disabled: This is the default state for a new user that has not been enrolled in MFA.
Keep in mind, regarding the enforced MFA user status, some older non-browser apps, like Office 2010 or earlier, modern authentication protocols won’t work. In order to enable MFA for user accounts in these apps, with Azure AD multi-factor authentication still enabled, app passwords can be used instead of the user’s regular username and password.
RBAC JSON Security – Understanding Actions / DataActions and NotActions / NotDataActions
Within Azure security, the terms "Actions," "dataActions," "notActions," and "notDataActions" are related to role-based access control (RBAC) and are used to define the permissions and access rights for various Azure resources. Let's break down each term:
1. Actions: This refers to the list of actions or operations that a user or identity is allowed to perform on a specific Azure resource. These actions can include read, write, delete, execute, or other specific operations associated with that resource. For example, if you have an Azure virtual machine, the actions might include starting, stopping, restarting, or resizing the VM.
2. dataActions: This is similar to "Actions[]," but it specifically focuses on data-related operations or actions that a user or identity can perform on a particular Azure resource. Data actions are typically associated with data-centric services like Azure Storage, Azure SQL Database, Azure Cosmos DB, or Azure Data Lake Storage. These actions might include read, write, delete, or modify operations on the data stored within those services.
3. notActions[: The "notActions" property is used to explicitly deny certain actions or operations on an Azure resource. It allows you to restrict specific actions that might be allowed by default for a particular role. By specifying "notActions", you can define a list of actions that should be denied to the user or identity associated with that role.
4. notDataActions: Similar to "notActions" "notDataActions" is used to explicitly deny specific data-related actions or operations on an Azure resource. It allows you to further restrict the data-related actions that might be allowed by default. By specifying "notDataActions", you can define a list of data actions that should be denied to the user or identity associated with that role.
In summary, "Actions[" and "dataActions" define the allowed actions or operations that can be performed, while "notActions" and "notDataActions" define the denied actions or operations on Azure resources. These properties are used in RBAC to fine-tune access permissions for users, groups, or service principals within Azure.