Managing enterprise applications, permissions, and consent in Azure Active Directory
1. CoLabora User Group Meeting – June 2018
- Managing enterprise applications, permissions, and consent in Azure Active Directory
Peter Selch Dahl – Azure MVP – I’m ALL Cloud First
Level 200-300
2. Microsoft MCSA: Cloud Platform - Certified 2018,
Microsoft MCSA: Office 365 - Certified 2018,
Microsoft MCSE: Cloud Platform and Infrastructure - Certified 2018
Microsoft MCSA: 2016 Windows Server 2016,
Microsoft MCSA: 2012 Windows Server 2012,
Microsoft MCITP: 2008 Server and Enterprise Administrator,
Microsoft MCSA: 2008 Windows Server 2008,
Microsoft MCSA/MCSE : 2003 Security,
Microsoft MCSA/MCSE : 2000 Security,
VMWare Certified Professional VI3/VI4/VI5,
CompTIA A+, Network+,
EC-Council: Certified Ethical Hacker (CEH v7),
And more
Peter Selch Dahl
Freelance Cloud Architect, Azure MVP
Twitter: @PeterSelchDahl
www: www.peterdahl.net
Blog : http://blog.peterdahl.net
3. • You understand admin consent!
• You know how to provide API consent for applications
• You know how to block end-user consent
6. What is Application Consent?
(Diagram: applications ask for permissions to organizational data; application consent involves the developer, the end user, and the admin.)
7. Application Consent and Permissions
(Bad) Sharing Portal: accesses any user’s SharePoint, then attaches a file to an email sent by the signed-in user, to share externally.
Developer(s) [internal or external] → Tenant
• SharePoint Data – Read items in all site collections (e.g., do something as the app) – Admin must consent
• Exchange Data – Send mail as a user (e.g., do something as the user) – User can consent
(Diagram steps 1–6 alternate between the developer, the end user and the administrator; step 6: manage consent policies and access over time.)
8. What is Application Consent?
Users can consent to apps that access personal
information only
Admins must consent to apps that require
broader permissions
Admins can consent on behalf of all users in an
organization
9. App types and permission types
Get access on behalf of users | Get access as a service
App type: Mobile, Web and Single page app | Service and Daemon
Permission type: Delegated permission (user permission) | Application permission
Who can consent: Users can consent for their data; Admin can consent for them or for all users | Only admin can consent
Effective permissions: App permissions ∩ User permissions | App permissions
10. What I will be talking about….
Protecting data!
11. What I will be talking about….
KnowBe4's Chief Hacking Officer Kevin Mitnick called me with some chilling news. A white hat hacker friend of his developed a working "ransomcloud" strain, which encrypts cloud email accounts like Office 365 in real-time. My first thought was: "Holy $#!+".
https://community.spiceworks.com/topic/2104688-heads-up-new-ransomware-strain-encrypts-cloud-email-real-time-video
14. Notes on V1 vs V2 Endpoint
This presentation focuses on the AAD V1 endpoint and the associated application, consent,
and permissions model
There are some key differences to be aware of with consent on V2:
• Support for Dynamic/Incremental consent
• New URL paths including separate admin consent endpoint
• Applications registered at apps.dev.microsoft.com as opposed to portal.azure.com
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview
15. Endpoint v1 Runtime – When is consent prompted for?
The most common scenario:
• The first time using an application that requires access to personal or
organizational resources
Some scenarios that may not be expected:
• The set of permissions required by the application has changed
• Consent was revoked after being granted initially
• The application is using incremental and dynamic consent to request additional
permissions after consent was initially granted. This is often used when optional
features of an application require additional permissions beyond those required
for baseline functionality.
17. We expose hard choices to developers
(Diagram: developers must choose between MSA, AAD, or BOTH as the identity provider, and between Azure and Office as the target platform.)
18. Azure AD Applications
• Single tenant application
• App for users in a single organization
• Admin or user registers app in directory tenant
• Sign in at: https://login.windows.net/contoso.com/<protocol>
• Multi-tenant application
• App for users in multiple organizations
• Admin or USER registers app in developer’s directory tenant
• Admin configures application to be multi-tenant
• Sign in at: https://login.windows.net/common/<protocol>
• User prompted to consent based on permissions required by application
• Consent registers application in user’s tenant
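As an added example (not part of the deck), the following PowerShell builds the v1 endpoint authorization URL the two slide bullets describe: a tenant-specific path for a single-tenant app, the `common` path for a multi-tenant app, and the v1 `prompt=admin_consent` parameter when an administrator should consent for the whole organization. The client id, redirect URI and resource values are placeholders; the https check on the redirect URI is my own addition.

```powershell
# Added example: build an Azure AD v1 endpoint authorization URL.
# Tenant is 'common' for multi-tenant apps, or a verified domain / tenant id
# (e.g. contoso.com) for single-tenant apps. All ids below are placeholders.
function New-AadV1AuthorizeUrl {
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $RedirectUri,
        [string] $Tenant = 'common',
        # The v1 endpoint asks for one static 'resource' (no v2-style scopes)
        [string] $Resource = 'https://graph.windows.net',
        # Forces the admin consent experience (consent on behalf of all users)
        [switch] $AdminConsent
    )

    # Tokens are returned to this URI, so refuse plain http except for local dev
    if ($RedirectUri -notmatch '^https://' -and $RedirectUri -notmatch '^http://localhost') {
        throw "Redirect URI must use https (or http://localhost for development): $RedirectUri"
    }

    $query = @{
        client_id     = $ClientId
        response_type = 'code'
        redirect_uri  = $RedirectUri
        resource      = $Resource
        # Anti-CSRF value; the app must check it matches when the browser comes back
        state         = [guid]::NewGuid().ToString()
    }
    if ($AdminConsent) { $query['prompt'] = 'admin_consent' }

    $pairs = $query.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value)
    }
    return 'https://login.windows.net/{0}/oauth2/authorize?{1}' -f $Tenant, ($pairs -join '&')
}

# Single-tenant app: sign-in is pinned to contoso.com (placeholder tenant)
New-AadV1AuthorizeUrl -ClientId '00000000-0000-0000-0000-000000000000' `
    -RedirectUri 'https://app.example.com/signin' -Tenant 'contoso.com'

# Multi-tenant app: 'common' lets any tenant sign in; admin consent registers it there
New-AadV1AuthorizeUrl -ClientId '00000000-0000-0000-0000-000000000000' `
    -RedirectUri 'https://app.example.com/signin' -AdminConsent
```

A user who follows the multi-tenant URL is prompted for consent and, on acceptance, a service principal for the app is created in that user’s tenant; the `-AdminConsent` form is what an administrator uses to grant the application permissions that end users are not allowed to consent to.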
19. Azure AD Graph API: Azure AD consent behind the scenes
https://blog.peterdahl.net/2018/05/14/azure-ad-v2-apps-vs-the-brick-wall/
20. Manageability – Common challenges
“Where did this application come from?”
“I have no idea how Susie got assigned.”
“No idea what power …”
These need not be mysteries any longer.
21. Manageability – Common challenges
• What happens in the admin view when someone consents
• What permissions an application has
• Which users and groups consented applications are assigned to
• How to revoke a consent grant
• How to request administrator-level consent
• How to control how consent works
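An added example, not from the deck, that answers the manageability questions on slides 20 and 21 and shows the delegated/application split from slide 9 in practice. It uses the AzureAD and MSOnline PowerShell modules (which call the Azure AD Graph API behind the scenes, as slide 19 notes): `Get-AzureADOAuth2PermissionGrant` lists delegated (user) consent, `Get-AzureADServiceAppRoleAssignedTo` lists application permissions held by a client, `Remove-AzureADOAuth2PermissionGrant` revokes a grant, and `Set-MsolCompanySettings` turns off end-user consent tenant-wide. The "Origin" classification and the output object shapes are my own; run `Connect-AzureAD` (and `Connect-MsolService` for the last function) first.

```powershell
# Added example: inventory consented apps, their grants and origin; revoke a grant;
# block end-user consent. Requires Connect-AzureAD / Connect-MsolService first.

function Get-ConsentInventory {
    # One record per service principal: where it was registered, its delegated
    # (user) grants and the application permissions (app roles) it holds.
    $homeTenantId = (Get-AzureADTenantDetail).ObjectId
    $grants       = Get-AzureADOAuth2PermissionGrant -All $true
    $spById       = @{}
    Get-AzureADServicePrincipal -All $true | ForEach-Object { $spById[$_.ObjectId] = $_ }

    foreach ($sp in $spById.Values) {
        # Delegated permissions: grants where this SP is the client
        $delegated = foreach ($g in ($grants | Where-Object { $_.ClientId -eq $sp.ObjectId })) {
            # 'AllPrincipals' = an admin consented for all users; 'Principal' = one user
            # consented for their own data (PrincipalId is that user)
            $who = if ($g.PrincipalId) { (Get-AzureADUser -ObjectId $g.PrincipalId).UserPrincipalName }
                   else { '(all users)' }
            [pscustomobject]@{
                GrantId     = $g.ObjectId
                Resource    = $spById[$g.ResourceId].DisplayName
                Scope       = $g.Scope.Trim()
                ConsentType = $g.ConsentType
                Principal   = $who
            }
        }

        # Application permissions: despite its name, this cmdlet returns app role
        # assignments where this SP is the assigned principal (the client)
        $appRoles = foreach ($a in (Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId)) {
            [pscustomobject]@{ Resource = $spById[$a.ResourceId].DisplayName; AppRoleId = $a.Id }
        }

        # No owner tenant = Microsoft first-party; another tenant id = a multi-tenant
        # app registered elsewhere whose service principal arrived here through consent
        $origin = if (-not $sp.AppOwnerTenantId) { 'Microsoft' }
                  elseif ($sp.AppOwnerTenantId -eq $homeTenantId) { 'This tenant' }
                  else { "External tenant $($sp.AppOwnerTenantId)" }

        [pscustomobject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            Origin      = $origin
            Delegated   = @($delegated)
            AppRoles    = @($appRoles)
        }
    }
}

function Revoke-DelegatedGrant {
    # Removes one delegated grant. The service principal stays, but the app loses
    # that scope and the next sign-in prompts for consent again.
    param([Parameter(Mandatory)] [string] $GrantId)
    Remove-AzureADOAuth2PermissionGrant -ObjectId $GrantId
}

function Disable-EndUserConsent {
    # Tenant-wide switch: after this only administrators can consent to applications
    Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
}

# Usage: every app that was registered in another tenant, with everything it was granted
Get-ConsentInventory | Where-Object { $_.Origin -like 'External*' } |
    Format-List DisplayName, AppId, Origin, Delegated, AppRoles
```

Reading the output against slide 9: a `Delegated` entry with `ConsentType = Principal` is a user consenting for their own data, `AllPrincipals` is an admin consenting on behalf of everyone, and anything under `AppRoles` is an application permission that only an admin could have granted. An `Origin` of "External tenant" is the answer to "where did this application come from" on slide 20.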