EUROPEAN COLLABORATION SUMMIT 2024
Microsoft 365 Dev Security: From Full Trust to Zero Trust
Markus Moeller, MVP
Agenda
About
• Me
Authentication
• SP Rest vs Graph
• SSO
• Credential Handling
• Secure Config Handling
Managed Identities
• Permissions
SPFx & 3rd party API
• MSGraphClient
• AadHttpClient
• Domain isolated?
Permission Scope
• App
• Delegated
• RSC
Summary
• Wrap up
• Resources
• Q&A
About me
• Markus Moeller
• Microsoft 365 Developer Expert
• Microsoft MVP
• Microsoft 365 & Power Platform Community (PnP) team member
• Avanade Germany
• @moeller2_0
• https://mmsharepoint.wordpress.com
• Proud dad of 1 (4yrs)
• Cancer fighter
Authentication
▪ SPFx
  ▪ User context login established
  ▪ “No need to care for”
▪ MSGraphClient
  ▪ Prepped ServicePrincipal
  ▪ Tenant-wide access
▪ AadHttpClient
  ▪ Prepped ServicePrincipal
  ▪ Tenant-wide access (to backend process only)
▪ “Other” app
  ▪ Context ID / bootstrap token → SSO
  ▪ MSAL2
  ▪ App individual access
  ▪ More effort
Credential Handling
Azure Key Vault
▪ Read/Write from application
▪ Access via code or a SecretUri reference in App Service configuration
▪ Auth via secret endpoint / Managed Identity
▪ Azure App Configuration is, by the way, a similar service for less sensitive values
  ▪ Read / write access possible (user config)
Managed Identities
▪ Can simply be added to “any” Azure resource
▪ No credential / secret / key management
▪ User-assigned managed identities can be shared by several resources
▪ NO multi-tenant
▪ (Graph) permissions have to be applied via code (PS, REST, …)
  ▪ To the ServicePrincipal only
  ▪ UI? Not possible…
  ▪ PowerShell?
  ▪ REST?
  ▪ Azure CLI is potentially the leanest way
ManagedIdentity (Credential)?
[Slide diagram: “Credentials” marked with a STOP sign; “Managed Identity” instead]
Demo
3rd party API access
▪ In SPFx: MSGraphClient, AadHttpClient
▪ Prefer: AadHttpClient !!!
▪ No anonymous access in Azure Functions / Apps
  ▪ Restrict client-side to “hide” buttons
  ▪ Restrict server-side to really prevent access
▪ Domain-isolated web parts?
Enable Auth for Azure Function
[FunctionName("WriteListItem")]
public static async Task<IActionResult> Run(
    // AuthorizationLevel.Anonymous: no function key is checked, so "no anonymous access"
    // must be enforced by the function app's authentication settings or inside the handler
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
    ILogger log)
{
    ...
SharePoint
SharePoint – Enterprise Application
Delegated vs App permissions
User Delegated
▪ Access to resources of a kind “the user” has access to
▪ User access needs to be granted
▪ Eventually “Create”, too
▪ User login / token needed for operations
Application
▪ Access to ALL resources of a kind
▪ Access without a user
▪ Unattended processes
▪ Can be partially limited by “.Selected” (RSC)
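The “restrict server-side to really prevent access” point and the delegated-vs-application split above, as an added example that is not from the session or the speaker's code: the authorization step a backend API runs on an already validated Entra ID token. It assumes signature, issuer and expiry were checked by the platform or a JWT library first; the claim names (aud, tid, scp, roles) are Entra ID's, the policy shape, ids and permission names are this example's own placeholders.

```typescript
// Server-side authorization on validated token claims (added example).
// The platform (e.g. App Service authentication) or a JWT library has already
// verified signature, issuer and expiry; this only decides what the caller may do.

interface TokenClaims {
  aud: string;        // audience: this API's client id or App ID URI
  tid: string;        // issuing tenant
  scp?: string;       // delegated permissions, space-separated; present when a user signed in
  roles?: string[];   // application permissions; present for app-only (unattended) callers
}

interface ApiPolicy {
  audience: string;       // the only audience this API accepts
  tenantId: string;       // single tenant only (NO multi-tenant)
  requiredScope: string;  // delegated permission a signed-in user must carry
  requiredRole: string;   // application permission an unattended caller must carry
}

type Mode = "delegated" | "application" | "none";

interface Decision {
  allowed: boolean;
  mode: Mode;
  reason: string;
}

function authorize(claims: TokenClaims, policy: ApiPolicy): Decision {
  // 1. The token must be meant for this API, not for Graph or some other app.
  if (claims.aud !== policy.audience) {
    return { allowed: false, mode: "none", reason: "audience mismatch" };
  }
  // 2. No multi-tenant: tokens issued by another tenant are rejected outright.
  if (claims.tid !== policy.tenantId) {
    return { allowed: false, mode: "none", reason: "token from foreign tenant" };
  }
  const scopes = (claims.scp ?? "").split(" ").filter((s) => s.length > 0);
  const roles = claims.roles ?? [];
  // 3a. Delegated: a user is present; the token can never exceed that user's rights.
  if (scopes.length > 0) {
    return scopes.indexOf(policy.requiredScope) !== -1
      ? { allowed: true, mode: "delegated", reason: "scope " + policy.requiredScope }
      : { allowed: false, mode: "delegated", reason: "missing scope " + policy.requiredScope };
  }
  // 3b. Application: no user; only an explicitly assigned app role may pass.
  if (roles.length > 0) {
    return roles.indexOf(policy.requiredRole) !== -1
      ? { allowed: true, mode: "application", reason: "role " + policy.requiredRole }
      : { allowed: false, mode: "application", reason: "missing role " + policy.requiredRole };
  }
  // 4. Neither claim present: a token without permissions gets nothing.
  return { allowed: false, mode: "none", reason: "no scp or roles claim" };
}

// Constructed policy and claim sets (placeholder ids, not real tokens) covering the cases.
const POLICY: ApiPolicy = {
  audience: "api://00000000-0000-0000-0000-00000000aaaa",
  tenantId: "11111111-1111-1111-1111-111111111111",
  requiredScope: "ListItems.Write",
  requiredRole: "ListItems.Write.All",
};

const SAMPLE_CLAIMS: Record<string, TokenClaims> = {
  userWithScope:  { aud: POLICY.audience, tid: POLICY.tenantId, scp: "ListItems.Write user_impersonation" },
  userWrongScope: { aud: POLICY.audience, tid: POLICY.tenantId, scp: "ListItems.Read" },
  daemonWithRole: { aud: POLICY.audience, tid: POLICY.tenantId, roles: ["ListItems.Write.All"] },
  daemonNoRole:   { aud: POLICY.audience, tid: POLICY.tenantId, roles: [] },
  foreignTenant:  { aud: POLICY.audience, tid: "22222222-2222-2222-2222-222222222222", scp: "ListItems.Write" },
  graphToken:     { aud: "https://graph.microsoft.com", tid: POLICY.tenantId, scp: "Sites.Read.All" },
};

function decide(name: string): Decision {
  return authorize(SAMPLE_CLAIMS[name], POLICY);
}
```

Hiding a button client-side changes none of these outcomes; only this check on the API does.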
Use delegated permissions
▪ Benefit from user login / context / SSO
▪ Grant users access to all data / resources needed
▪ Users should be able to create resources and take ownership
▪ Do you really think your app is the only one that can treat your data / resources in the right manner?
If app permissions needed
▪ Use LOWEST permissions possible
▪ Try to restrict by resource specific consent (RSC)
▪ MAXIMIZE restriction to your app
▪ Limit access to appId to small # of programmers / admins
▪ Take care of code base
RSC (resource specific consent)
▪ One app creates (with higher privileges) resource
▪ Teams Team, SharePoint Site
▪ Enables other app(s) on this one
▪ App permission Sites.Selected + selected resource
RSC
Columns: Sites | App based Sites.FullControl | App based Sites.Selected | Delegated
CEO personal site: [ ]
Homesite: [ ] [ ]
Intranet sites: [ ] [ ]
Collaboration sites: [ ] [ ]
RSC – 2023
RSC – Side by side
With selected permissions:
https://graph.microsoft.com/v1.0/sites/5333d91a-756e-4b65-a0b7-3be8b35d7ddf,ee4302ef-c5fb-4e9e-963f-0d1d4aaaaabd/permissions/<perm-id>
{
  ...
  "value": [
    {
      "id": "aTowaS50fG1zL....",
      "roles": [
        "write"
      ],
      "grantedToIdentitiesV2": [
        {
          "application": {
            "displayName": "spoRSCApplication",
            "id": "26e871b9-54bc-4d3c-b062-607e64b9e48d"
          }
        }
      ],
      ...
    }
  ]
}
Without selected permissions:
https://graph.microsoft.com/v1.0/sites/caf3e616-82a6-4847-8949-a9ef59e2dccd,ee4302ef-c5fb-4e9e-963f-0d1d4aaaaabd/permissions/<perm-id>
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('caf3e616-82a6-4847-8949-a9ef59e2dccd%2Cee4302ef-c5fb-4e9e-963f-0d1d4aaaaabd')/permissions",
  "value": []
}
RSC – 2024 I
SharePoint: Sites.Selected with delegated scope
▪ App still needs Sites.Selected permissions on the site
  ▪ But the SCA (site collection administrator) can grant this (code needed!)
▪ Additionally the user needs any kind of access
▪ First step towards … no more (app based) Sites.FullControl.All
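The side-by-side responses above and the “SCA can grant this (code needed!)” point, as an added example that is not from the session or the speaker's code: reading what an app holds on a site from `GET /sites/{site-id}/permissions`, and building the per-site grant body for `POST /sites/{site-id}/permissions` that makes Sites.Selected useful on exactly one site. The sample responses are reconstructed from the slide (its app id, permission id and display name); the helper names are this example's own.

```typescript
// Evaluate and build Graph site permissions for a Sites.Selected app (added example).

interface ApplicationIdentity {
  id: string;
  displayName?: string;
}

interface SitePermission {
  id: string;
  roles: string[];
  grantedToIdentitiesV2?: { application?: ApplicationIdentity }[];
}

interface PermissionsResponse {
  value: SitePermission[];
}

// Roles the given app holds on one site, from GET /sites/{site-id}/permissions.
// An empty result is the "Without selected permissions" case: Sites.Selected is
// consented tenant-wide, yet the app can touch nothing on this particular site.
function rolesForApp(resp: PermissionsResponse, appId: string): string[] {
  const roles: string[] = [];
  for (const perm of resp.value) {
    for (const grantee of perm.grantedToIdentitiesV2 ?? []) {
      if (grantee.application?.id !== appId) continue;
      for (const role of perm.roles) {
        if (roles.indexOf(role) === -1) roles.push(role);
      }
    }
  }
  return roles.sort();
}

type SiteRole = "read" | "write";

// Body for POST /sites/{site-id}/permissions (Graph v1.0, create permission).
// Grant the narrowest role the app's job needs; "write" only if it must change items.
function buildSiteGrant(app: ApplicationIdentity, roles: SiteRole[]) {
  return {
    roles,
    grantedToIdentities: [{ application: { id: app.id, displayName: app.displayName } }],
  };
}

// Whether a planned operation is covered by what the site currently grants the app.
function canPerform(resp: PermissionsResponse, appId: string, needed: SiteRole): boolean {
  const held = rolesForApp(resp, appId);
  // "write" on a site includes reading it
  return held.indexOf(needed) !== -1 || (needed === "read" && held.indexOf("write") !== -1);
}

const APP: ApplicationIdentity = {
  id: "26e871b9-54bc-4d3c-b062-607e64b9e48d",
  displayName: "spoRSCApplication",
};

// Constructed from the "With selected permissions" response on the slide.
const WITH_SELECTED: PermissionsResponse = {
  value: [
    {
      id: "aTowaS50fG1zL....",
      roles: ["write"],
      grantedToIdentitiesV2: [{ application: APP }],
    },
  ],
};

// Constructed from the "Without selected permissions" response on the slide.
const WITHOUT_SELECTED: PermissionsResponse = { value: [] };
```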
RSC – 2024 I
RSC – Q2 / 2024
▪ Q2 ??
▪ SharePoint: Application Site Creation without Sites.FullControl.All
  ▪ Sites.Create.All
▪ More granular RSC permissions also coming around
Summary – Key takeaways
▪ Security is a moving target
▪ Always challenge: Least privilege
▪ Sample code / snippets are simplified to demonstrate
  ▪ (Mine, too!!!) Always challenge before taking into Prod
  ▪ AI doesn’t help here so far
▪ Security usually makes dev more complex
  ▪ Convince your client: more effort → more security
▪ Nevertheless, there is great functionality / tooling out there
  ▪ Get to know them → NOW!
▪ RSC, especially with SharePoint, is becoming a game changer in 2024 …
Resources
▪ M365 Development Security - From full trust to ZeroTrust (pnp.github.io)
▪ Speaker's blog
▪ On this specific topic
▪ Azure CLI the potential leanest way
▪ Azure Key Vault
▪ SharePoint: Application Site Creation without Sites.FullControl.All
THANK YOU, YOU ARE AWESOME
PLEASE RATE THIS SESSION IN THE MOBILE APP.
Questions?
Now, or later …:
Markus Moeller
@moeller2_0
https://mmsharepoint.wordpress.com
