AZ-204 : Implement Azure security

https://azureezy.com
© 2020 AzureEzy and AzureTalk. All rights reserved!
Session 4
AZ-204: Implement Azure
security
2

AzureTalk Core Team
3

Today’s Session Speaker
Sanjib Panigrahi
AzureEzy Core Team
MCP, Sr Software Engineer
4
Vipin Jha
AzureEzy Core Team
Consultant, MCT

Win Azure Exam Vouchers
• Participate in quiz during session
• 6 Selected participants will get free Azure
Exam Vouchers
• 1 selected participant will get free print copy
of Demystifying Azure DevOps Services
• Must be registered on Eventbrite
• Winner will be announced in next session
• #AzureEzy
5
Free Azure Exam
Vouchers

Developer Associate- Cert Path
6

AZ-204: Skills Measured
• Develop Azure compute solutions (25-30%)
• Develop for Azure storage (15-20%)
• Implement Azure security (20-25%)
• Monitor, troubleshoot, and optimize Azure
solutions (15-20%)
• Connect to and consume Azure services and third-
party services (15-20%)
7

Prerequisites
• Hands-on experience with Azure IaaS, PaaS solutions, and Azure Portal
• Experience writing in an Azure supported language at the intermediate
level. (C#, JavaScript, Python, or Java)
• Ability to write code to connect and perform operations on, a SQL or
NoSQL database product. (SQL Server, Oracle, MongoDB, Cassandra or
similar)
• Experience writing code to handle authentication, authorization, and
other security principles at the intermediate level
• Understanding of HTML, HTTP protocol and REST API interfaces
8

Agenda
•Implement user authentication and authorization
•Microsoft Identity Platform v2.0
•Authentication using the Microsoft Authentication Library
•Using Microsoft Graph
•Authorizing data operations in Azure Storage
•Implement secure cloud solutions
•Manage keys, secrets, and certificates by using the KeyVault API
•Implement Managed Identities for Azure resources
•Secure app configuration data by using Azure App Configuration
9

Microsoft Identity Platform
v2.0
10

Microsoft Identity Platform
11
• Authentication service
• Users/Customer sign in with Microsoft identities or social accounts
• Provide authorized access

Components
12
• OAuth 2.0 and OpenID Connect Supported
• Open-source libraries: Microsoft Authentication Libraries (MSAL) and
support for other standards-compliant libraries
• Application management portal
• Application configuration API and PowerShell
• Developer content

Microsoft Authentication Library
14
• Acquire tokens from Microsoft identity platform
• Secure Access To Microsoft Graph, Microsoft APIs, Third-party Web
API
• Supports many application Platforms .Net, Javascript, Java, Python,
Android

MSAL Benefits
15
• Acquires and maintain tokens
• Handle token expiration Automatically
• Specify audience for application sign in

ADAL and MSAL
• AADL V1.0
• Supports work accounts,
• Doesn’t support personal accounts
• MSAL v2.0
• Support Microsoft personal accounts, work account
• Get authentications for Azure AD B2C, Facebook, Google etc.
16

Microsoft Graph
19

Microsoft Graph
• Gateway to data in Microsoft 365
• Use to access data in Microsoft 365, Windows 10, and Enterprise
Mobility + Security
• Use data to build apps for organizations and consumers
20

Microsoft Graph
21
Reference : Microsoft Docs

Authorizing data operations
in Azure Storage
22

Access Data in Azure Storage
23
Shared Key
(storage
account key)
Shared access
signature (SAS)
Azure Active
Directory
(Azure AD)
On-premises
AD
Anonymous
public read
access
Azure Blobs Supported Supported Supported Not Supported Supported
Azure Files
(SMB)
Supported Not Supported Supported, only
with AAD
Domain
Services
Supported,
credentials must
be synced to
Azure AD
Not Supported
Azure Files
(REST)
Supported Supported Not Supported Not Supported Not Supported
Azure Queues Supported Supported Supported Not Supported Not Supported
Azure Tables Supported Supported Not Supported Not Supported Not Supported

Storage Account Access Keys
• Created during Storage account creation
• Two 512-bit storage account access keys
• Authorize access to storage account
• Similar to root password of storage account
• Be careful to protect your access keys
• Use Azure Key Vault to manage and rotate access keys
24

Shared Access Signature (SAS)
• String contains security token that can be attached to a URI
• Delegated access to resources in storage account
• Granular control
• Resources access
• Permissions on resources
• SAS is validity
25

SAS Example
https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt?sv=20
19-02-02&st=2019-04-29T22%3A18%3A26Z&se=2019-04-
30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-
168.1.5.70&spr=https&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P
9ZUXDtkk%3D
26

CORS
• HTTP feature enables web application from one domain to access
resources in another domain
• Set CORS rules for
• Blob
• File
• Table
• Queue
27

Manage keys, secrets, and
certificates by using the
KeyVault API
28

Azure Key Vault
• Secrets Management
• Key Management
• Certificate Management
29

Azure Key Vault Benefits
• Increase security and control over keys and
passwords
• Create and import encryption keys in
minutes
• Applications have no direct access to keys
• Use FIPS 140-2 Level 2 and Level 3 validated
HSMs
• Reduce latency with cloud scale and global
redundancy
• Simplify and automate tasks for SSL/TLS
certificates
30

Key Vault Authentication
• Managed identities for Azure resources
• Service principal and certificate
• Service principal and secret
31

Implement Managed
Identities for Azure resources
32

Managed Identities
• Identity for applications for Azure AD authentication
• Applications may use managed identity
• To obtain Azure AD tokens
• To access resources like Azure Key Vault where developers can store credentials in a
secure manner or to access storage accounts
33

Managed Identities Types
• System-assigned
• Identity directly on a service instance
• Tied to lifecycle of service instance
• Automatically deletes identity with service deletion
• User-assigned
• Created as a standalone Azure resource
• Assign it to one or more instances
• Managed separately from resources
34

System-Assigned Managed Identity
35

Secure app configuration
data by using Azure App
Configuration
36

Azure App Configuration
• Service to centrally manage application settings
and feature flags
• Store all the settings for your application
• Encryption of sensitive information at rest and
in transit
• Native integration with popular frameworks
37

Break
38

Demo
1. Authenticating to and querying Microsoft Graph by using MSAL
and .NET SDKs
1. Create an Azure Active Directory (Azure AD) application registration
2. Obtain a token by using the MSAL.NET library
3. Query Microsoft Graph by using the .NET SDK
2. Access resource secrets more securely across services
1. Configure secrets and identities
2. Build an Azure Functions app
3. Access Azure Blob Storage data
39

Quiz
42
https://q.azureezy.com/az-204
Free Azure Exam Vouchers
Winners' announcement in next session on 18th July 2021
Register for next session at azureezy.com/az-204
Update your skills on LinkedIn and enter a chance to win
Surface Go!!
More info @ https://azureezy.com/azure-skills-feb21

Winners Announcements
• Winners for Previous Session “Develop for Azure storage”
43

44
https://bharatguru.in
https://www.linkedin.com/in/vipinkumarjha/
https://www.linkedin.com/in/ashishrajsrivastava
https://azuredevopspro.com
https://youtube.com/AshishRajSrivastava
@ashishrajs
https://www.linkedin.com/in
/sanjibpanigrahi/
Thanks!
https://azureezy.com/az-204
https://t.me/AzureTalk
https://youtube.com/AzureTalk
https://t.me/AzureDevOpsPro

AZ-204 : Implement Azure security

AZ-204 : Implement Azure security

Recommended

More Related Content

What's hot

What's hot(20)

Similar to AZ-204 : Implement Azure security

Similar to AZ-204 : Implement Azure security(20)

Recently uploaded

Recently uploaded(20)

AZ-204 : Implement Azure security