TODO: Describe this one: Introduction to permissions and consent
- Microsoft Graph - unified REST endpoint (https://graph.microsoft.com) for Microsoft 365 and Azure AD data; the default resource when a scope has no resource prefix. TODO: Write more about it.
- Microsoft 365 Mail API - http://
- Azure Key Vault
What are scopes in OAuth: a scope names one permission on one resource (e.g. User.Read on Microsoft Graph). The app lists the scopes it wants in the authorization request; the ones actually granted show up in the access token (scp claim for delegated permissions, roles claim for app-only permissions).
Identity platform vs Microsoft Graph:
- if the resource is omitted in the request (v2.0 endpoint), the resource is assumed to be Microsoft Graph, i.e. scope=User.Read is equivalent to https://graph.microsoft.com/User.Read.
- scope={resource}/.default (e.g. https://graph.microsoft.com/.default) requests every permission already configured and consented on the app registration for that resource; this is the form a client-credentials request must use.
Permission Types:
- delegated - the app acts on behalf of a signed-in user; the effective permission is the intersection of what was consented to the app and what the user is allowed to do anyway. Users can consent to low-privilege ones themselves; high-privilege ones need an admin.
- app-only (application) permissions - no signed-in user (client credentials flow); the app gets exactly what was consented, regardless of any user. Always require admin consent.
Consent types
- Static user consent: all permissions are declared on the app registration and the user consents to the whole list at first sign-in. Pros: simple, one prompt, an admin can pre-consent the full list for the tenant. Cons: over-asks up front (long consent screen), adding a permission later forces everyone to re-consent, all scopes must be known when the app is built. TODO: extend pros + cons.
- Incremental + dynamic user consent (v2.0 endpoint only): request only the scopes a feature needs, at the moment it needs them, so the first prompt stays small and later prompts add permissions incrementally. Compared to static: better UX and least privilege at sign-in, but a scope that requires admin consent cannot be granted by a regular user at runtime, so those still have to go through admin consent. TODO: extend comparison.
- Admin consent - an administrator grants the permissions on behalf of all users in the tenant; required for app-only permissions and for high-privilege delegated ones. Can be triggered from the admin consent endpoint: https://login.microsoftonline.com/{tenant}/adminconsent?client_id={client_id}
Requesting individual user consent: put the needed scopes, space-separated, in the scope parameter of the authorization request (e.g. scope=openid User.Read Mail.Read); Azure AD shows the consent screen for anything not yet granted, and prompt=consent forces the screen even when consent already exists.
Registering an app - choose one of these supported account types:
- Single tenant - only accounts in the directory the app is registered in (authority: login.microsoftonline.com/{tenantId}).
- Multi-tenant - accounts in any Azure AD organization (authority: .../organizations), optionally also personal Microsoft accounts (.../common). The app object lives once in the home tenant; a service principal is created in each customer tenant when someone there consents.
Application object:
- Three aspects it describes:
- how the service can issue tokens in order to access the app (redirect URIs, credentials, supported account types)
- resources that the app might need access to (required resource access, i.e. the permissions it requests)
- actions that the app can take (app roles and permissions the app itself exposes)
- Microsoft Graph Application Entity
- impact of conditional access on an app. CA policies are enforced when the token is issued, so the app can receive a claims challenge (MsalUiRequiredException carrying a claims value) and has to send the user through interaction again. Scenarios to consider:
- app performing on-behalf-of flow - the challenge surfaces in the middle tier, which cannot do interaction; it must propagate the claims challenge back to the client app
- apps accessing multiple services/resources - CA is evaluated per resource, so a token for resource B may require a fresh interactive sign-in even though resource A worked
- single page apps using MSAL.js - same problem, handled by a redirect/popup that carries the claims
- web apps calling a resource - the web app must forward the claims challenge into its next sign-in request
Authentication - implement user auth and authorization based on the Microsoft tutorial
- MSAL libs
- Authentication flows:
- authorization code - native + web apps obtain tokens in the name of the user (public clients use PKCE)
- client credentials - service apps run w/o user interaction; app-only permissions, authenticated with a secret or (preferably) a certificate
- on-behalf-of - the app calls a service/web API, which subsequently calls Microsoft Graph with a token it exchanged for the user's incoming token
- implicit - for browser-based apps; legacy: tokens are returned in the URL fragment and there is no refresh token. Prefer authorization code + PKCE (MSAL.js 2.x) instead.
- device code - sign in on a device with no browser/limited input by entering a code on another device that has a web browser
- integrated windows authentication - domain-joined Windows computers silently acquire an access token for the logged-on user
- interactive - mobile + desktop apps call Microsoft Graph in the name of the user, prompting via browser/web view
- username + password (ROPC) - the app signs in using the user's username + password directly. Not recommended: the app handles the raw password, it does not work with MFA, and it does not work with personal accounts; keep it for legacy migration only.
- Public client and confidential client apps
- public client apps - run on devices or browsers the user controls (desktop, mobile, SPA) and cannot keep a secret, so they carry no client credential and only obtain delegated permissions. Built with
PublicClientApplicationBuilder
link
- confidential client apps - run on a server the developer controls (web app, web API, daemon) and can hold a client secret or certificate; required for client credentials and on-behalf-of. Built with
ConfidentialClientApplicationBuilder
link
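The flows listed above, as an added example in MSAL.NET (this is not code from the page or from Microsoft's tutorial). It assumes clientId, tenantId and the client secret come from configuration and that the Graph scopes passed in are illustrative; it shows the silent-then-interactive pattern with a Conditional Access claims challenge, client credentials with .default, on-behalf-of, and device code.

```csharp
// Added example: MSAL.NET usage of the authentication flows above. clientId, tenantId,
// clientSecret and the scopes are placeholders supplied by the caller.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class AuthFlows
{
    // Delegated, public client (desktop/mobile): no secret, token in the name of the user.
    public static async Task<AuthenticationResult> DelegatedAsync(string clientId, string tenantId, string[] scopes)
    {
        IPublicClientApplication pca = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)   // single-tenant authority
            .WithRedirectUri("http://localhost")                        // loopback redirect for desktop apps
            .Build();

        // Always try the cache first; only fall back to interaction when MSAL says it is required
        // (no account, expired refresh token, consent missing, Conditional Access claims challenge).
        IAccount account = (await pca.GetAccountsAsync()).FirstOrDefault();
        try
        {
            return await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // ex.Claims carries the Conditional Access claims challenge, if any. Passing it on makes
            // the interactive request satisfy the policy instead of looping on the same failure.
            return await pca.AcquireTokenInteractive(scopes)
                .WithClaims(ex.Claims)
                .ExecuteAsync();
        }
    }

    // App-only, confidential client (daemon/service): client credentials, no user.
    // ".default" asks for every application permission already admin-consented on the registration.
    public static async Task<AuthenticationResult> AppOnlyAsync(string clientId, string tenantId, string clientSecret)
    {
        IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)   // prefer .WithCertificate(x509) in production
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .Build();

        return await cca.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();
    }

    // On-behalf-of: a web API that received userAccessToken from its caller exchanges it for a
    // downstream (e.g. Graph) token that still represents the user, so delegated permissions apply.
    public static async Task<AuthenticationResult> OnBehalfOfAsync(
        IConfidentialClientApplication cca, string userAccessToken, string[] downstreamScopes)
    {
        return await cca.AcquireTokenOnBehalfOf(downstreamScopes, new UserAssertion(userAccessToken))
            .ExecuteAsync();
    }

    // Device code: for devices without a browser; the user finishes sign-in on another device.
    public static async Task<AuthenticationResult> DeviceCodeAsync(IPublicClientApplication pca, string[] scopes)
    {
        return await pca.AcquireTokenWithDeviceCode(scopes, deviceCodeResult =>
        {
            // Message tells the user which URL to open and which code to enter there.
            Console.WriteLine(deviceCodeResult.Message);
            return Task.CompletedTask;
        }).ExecuteAsync();
    }
}
```

The confidential-client methods must only ever run server-side: a client secret or certificate embedded in a desktop or mobile binary turns that app into a public client with a leaked credential, which is exactly the split the two builder classes exist to enforce.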
SAS (shared access signature) - a signed token that grants limited, time-bound rights to a storage resource without handing out the account key.
Types of SAS:
- User delegation SAS - signed with a user delegation key obtained using Azure AD credentials; the rights are bounded by the permissions specified in the SAS and by the RBAC rights of the identity that requested the key. Blob Storage only.
- Service SAS - secured w/ the storage account key; delegates access to a resource in one service: Blob storage, Queue storage, Table storage or Azure Files.
- Account SAS - secured w/ the storage account key; can span one or more storage services and also permits service-level operations. Widest.
Preferred: User delegation SAS whenever possible (no account key involved, tied to an identity, revocable by revoking the delegation keys).
URL construction: the SAS is a query string appended to the resource URI, e.g. https://{account}.blob.core.windows.net/{container}/{blob}?sv=...&sr=b&sp=rw&st=...&se=...&spr=https&sip=...&sig=... where sv = service version, sr = resource type, sp = permissions, st/se = start/expiry, spr = allowed protocol, sip = allowed IP range, si = stored access policy id, sig = the HMAC-SHA256 signature over those fields. Whoever holds the URL holds the access, so treat it like a credential: HTTPS only, short expiry, minimal sp, IP restriction where practical.
Choose when to use shared access signatures
- Bypassing the frontend service (valet key pattern): the frontend only authenticates the client and hands it a short-lived, write-only SAS for the target blob; the client's app then uploads blobs directly to storage using the SAS. That way the heavy traffic does not cross the service itself, and the account key never leaves the backend.
Stored access policies - defined on the container, queue, table or file share (up to five per resource); a service SAS references one via si=<policy id> and inherits its permissions and expiry, so changing or deleting the policy revokes every SAS issued under it (without a policy, the only way to revoke a service SAS early is to rotate the account key). TODO: paste here examples from obtaining SAS token (tutorial here)
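The three SAS types, the upload-URL construction for the valet key pattern and a policy-bound SAS, as one added example using the Azure.Storage.Blobs SDK (not code from the page or from Microsoft's tutorial). The account name, account key, container, blob and policy id are placeholders; DefaultAzureCredential is assumed to resolve to an identity that holds a blob data RBAC role on the account.

```csharp
// Added example: issuing the SAS types above with the Azure.Storage.Blobs SDK.
// account, accountKey, container, blob and policyId are placeholders supplied by the caller.
using System;
using System.Net;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

public static class SasIssuer
{
    // Narrow grant shared by the examples: one blob, create+write only, 15 min, HTTPS only, optional caller IP.
    private static BlobSasBuilder UploadBuilder(string container, string blob, IPAddress callerIp = null)
    {
        var b = new BlobSasBuilder
        {
            BlobContainerName = container,
            BlobName = blob,
            Resource = "b",                                    // sr=b: a single blob
            StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),   // st: tolerate clock skew
            ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(15),  // se: short-lived
            Protocol = SasProtocol.Https,                      // spr=https
        };
        if (callerIp != null) b.IPRange = new SasIPRange(callerIp);               // sip
        b.SetPermissions(BlobSasPermissions.Create | BlobSasPermissions.Write);  // sp=cw
        return b;
    }

    // 1) User delegation SAS (preferred): signed with a key obtained via Azure AD, so the account key
    //    never touches the front-end service. Blob storage only. This is what the valet-key front end
    //    would return to the client for a direct upload.
    public static async Task<Uri> UserDelegationUploadUrlAsync(string account, string container, string blob, IPAddress callerIp)
    {
        var service = new BlobServiceClient(new Uri($"https://{account}.blob.core.windows.net"),
                                            new DefaultAzureCredential());
        UserDelegationKey key = await service.GetUserDelegationKeyAsync(
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddHours(1));   // key lifetime bounds every SAS signed with it
        Uri blobUri = service.GetBlobContainerClient(container).GetBlobClient(blob).Uri;
        return new BlobUriBuilder(blobUri)
        {
            Sas = UploadBuilder(container, blob, callerIp).ToSasQueryParameters(key, account)
        }.ToUri();
    }

    // 2) Service SAS: signed with the storage account key, which therefore has to live server-side.
    public static Uri ServiceUploadUrl(string account, string accountKey, string container, string blob)
    {
        var cred = new StorageSharedKeyCredential(account, accountKey);
        var blobUri = new Uri($"https://{account}.blob.core.windows.net/{container}/{blob}");
        return new BlobUriBuilder(blobUri)
        {
            Sas = UploadBuilder(container, blob).ToSasQueryParameters(cred)
        }.ToUri();
    }

    // 3) Service SAS bound to a stored access policy: the token carries only si=<policyId>; permissions
    //    and expiry live on the container, so deleting the policy revokes every SAS issued under it.
    public static async Task<Uri> PolicyBoundUploadUrlAsync(BlobContainerClient container,
        StorageSharedKeyCredential cred, string blob, string policyId)
    {
        await container.SetAccessPolicyAsync(permissions: new[]
        {
            new BlobSignedIdentifier
            {
                Id = policyId,
                AccessPolicy = new BlobAccessPolicy
                {
                    PolicyStartsOn = DateTimeOffset.UtcNow,
                    PolicyExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
                    Permissions = "cw",
                },
            },
        });

        var b = new BlobSasBuilder { BlobContainerName = container.Name, BlobName = blob, Resource = "b", Identifier = policyId };
        return new BlobUriBuilder(container.GetBlobClient(blob).Uri) { Sas = b.ToSasQueryParameters(cred) }.ToUri();
    }

    // 4) Account SAS: widest scope, several services at once; keep it for admin tooling, never hand it to clients.
    public static string AccountSasQuery(StorageSharedKeyCredential cred)
    {
        var a = new AccountSasBuilder
        {
            Services = AccountSasServices.Blobs | AccountSasServices.Queues,
            ResourceTypes = AccountSasResourceTypes.Container | AccountSasResourceTypes.Object,
            ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
            Protocol = SasProtocol.Https,
        };
        a.SetPermissions(AccountSasPermissions.Read | AccountSasPermissions.List);
        return a.ToSasQueryParameters(cred).ToString();
    }
}
```

Note the asymmetry in revocation: a user delegation SAS dies with its delegation key, a policy-bound service SAS dies with its policy, but an ad hoc service or account SAS can only be killed by rotating the account key, which breaks everything else signed with that key. That is the practical reason the page prefers user delegation SAS.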
Privileged Identity Management Documentation
The idea is to hold privileged roles as "eligible" rather than permanently active, and activate them only when you need to touch important or critical resources you are less likely to deal with on a regular basis. Activation can require MFA, a justification and approval, raises alerts/notifications, and is time-bound (the assignment expires on its own). PIM uses "just-in-time" and "just-enough-access" approaches to provide privileges; access reviews and audit history cover the rest.
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
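The just-in-time activation described above, as an added example that self-activates an eligible directory role for one hour through Microsoft Graph (not code from the page or from Microsoft's documentation). It uses the Microsoft Graph .NET SDK v5 model names, which should be checked against the SDK version in use; principalId and roleDefinitionId are placeholders supplied by the caller, and the calling user is assumed to already hold an eligible assignment of that role.

```csharp
// Added example: self-activating an eligible Azure AD role via PIM (Graph .NET SDK v5 names;
// verify against your SDK version). principalId and roleDefinitionId are placeholders.
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

public static class PimActivation
{
    // Needs the delegated permission RoleAssignmentSchedule.ReadWrite.Directory (admin-consented).
    // MFA, approval and justification requirements are enforced by the role's PIM settings,
    // not by this code; if they are not met the request is rejected or parked as pending approval.
    public static async Task<UnifiedRoleAssignmentScheduleRequest> ActivateForOneHourAsync(
        string principalId, string roleDefinitionId, string justification)
    {
        var graph = new GraphServiceClient(new InteractiveBrowserCredential(),
            new[] { "RoleAssignmentSchedule.ReadWrite.Directory" });

        var request = new UnifiedRoleAssignmentScheduleRequest
        {
            Action = UnifiedRoleScheduleRequestActions.SelfActivate,
            PrincipalId = principalId,                 // the user activating their own eligible role
            RoleDefinitionId = roleDefinitionId,       // the directory role being activated
            DirectoryScopeId = "/",                    // tenant-wide scope
            Justification = justification,             // recorded in the PIM audit history
            ScheduleInfo = new RequestSchedule
            {
                StartDateTime = DateTimeOffset.UtcNow,
                Expiration = new ExpirationPattern
                {
                    Type = ExpirationPatternType.AfterDuration,
                    Duration = TimeSpan.FromHours(1),  // time-bound: the active assignment expires by itself
                },
            },
        };

        return await graph.RoleManagement.Directory.RoleAssignmentScheduleRequests.PostAsync(request);
    }
}
```

Keep the requested duration as short as the task allows; the role's PIM settings cap the maximum, and a longer window only widens the time during which a stolen session carries the elevated privilege.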