[AZURE 70-534 - Cheat Sheet and Exam Notes Part-2] Securing Resources and Azure Security

Series Index 

1. Azure ARM , networking and GLOBAL Infrastructure (2017-10-01)
2. Securing Resources and Azure Security (2017-10-01)
3. Design an application storage and data access strategy (2017-10-01) 
4. Design advanced applications (2017-10-01)
5. Design Azure Web and Mobile Apps (2017-10-01)
6. Design a management, monitoring, and business continuity strategy (2017-10-01)
7. Architect an Azure Compute infrastructure (2017-10-01)

Key Concepts of On Premise Active Directory 

1. Forest 
1. At its highest level, a forest is a single instance of Active Directory. Therefore, a forest is synonymous with Active Directory, meaning that the set of all directory partitions in a particular Active Directory instance (which includes all domain, configuration, schema and optional application information) makes up a forest. 
2. This means that when you have multiple forests in an enterprise they will, by default, act separately from each other as if they were the only directory service in your organization.
3. Domain 
1. A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. Domains can also be defined as:
2. Within the scope of a forest, a domain is a container. Objects in that container inherently trust each other and the security services located in that same container
4. Site 
1. Within the scope of a forest, sites are a representation of the physical network topology. This includes physical subnet and site definitions. 
2. Replication of updates to domain data occurs between multiple domain controllers to keep replicas synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. 
3. In addition, domain controllers for the same domain are commonly placed in more than one site.
5. Organization unit 
6. Schema
1. The schema partition contains the forest-wide schema. Each forest has one schema so that the definition of each object class is consistent. 
2. The schema is the formal definition of all object and attribute data that can be stored in the directory.
3. The schema partition is replicated to each domain controller in the forest.
7. Attributes 
8. Read more at MSDN 

Open ID Concepts 

OAuth Protocol 

Open standard for authorization that by pass use of credentials (Quick Overview Here ...)

1. Azure uses OAuth2.0 
2. Authorization Code Grant Flow - TBD
3. Refresh Token a token used to acquire new access token 
4. Azure support Multi Resource refresh token
5. Client Credential Grant Flow - Allow web service to use own credential instead of impersonation. used by Service to Service Call 
6. Best Practices
1.  Use State Parameter to avoid CSRF attack
2. Cache access token only for token lifetime or when you get invalid token error

Open ID Connect

1.  Allow SSO with Azure AD and authentication Protocol 
2. Azure Support Open ID Connect 1.0 
3. it actually extent OAuth 2.o protocol for authentication 
4. Return an id_token used to authenticate 

Azure Active Directory 

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud based directory and identity management service. Azure AD combines core directory services, advanced identity governance, and application access management. Azure AD also offers a rich, standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules.

1. Azure AD Types and Pricing Tier 
1. AD-DS in IAAS 
1. it is actually just a    Windows Server VM as Domain controller
2. It requires a Azure Network , Site to Azure VPN , and Static IP 
3. In This ways cloud is just another site your your office 
2. Azure AD (Active Directory as Service)
1. Cloud based directory service using Office 365
2. Windows 10 Machine can Join this AD 
3. Support Multiple Directories and Domain Names 
4. Only Global Administrator can delete a directory if there is no application or user in directory 
5. Each AD instance have separate administrator 
6. Each AD instance gets synchronized independently 
7. It has Three Version 
1. Free Edition (Provides Flowing feature)
1. Use Account Management 
2. Sync with On Prem AD
3. SSO for Office 365/intune
2. Basic Addition 
1. Group based Access Management 
2. Self Service Password reset 
3. Provides Azure AD Application Proxy 
3. Azure AD Premium
1. Self Service group management 
2. Advance reporting 
3. MFA 
4. Identity Manager 
5. Password write back 
6. Azure AD - Connect Health (detailed monitoring)
4. Azure AD Domain Services
1. It is fully managed cloud based AD service and replacement for AD-VM i.e. AD-DS as IAAS
2. Support Complex Schema Extension 
3. Supports Domin Join , LDAP, Kerberos , NTLM , GPO, for VM on Azaure network 
4. Can work as DNS server for Azure Network 
5. Works with AD Connect 
6. User and Groups can only be added from Azure Console and PowerShell 
2. Azure AD Directly Synchronization
1. Currently Azure AD connect is is used for directly synchronization 
2. Previously people used DIR Sync and Azure AD Sync 
3. Azure AD connect 
1. AD Connect is now recommended way of AD sync , DIR Sync and AD Sync are obsolete 
2. Support Multiple AD Forest to Single AD instance 
3. Password reset , PW-Write Back 
4. User Group , Device write back 
5. Sync Custom AD Sync 
3. Business Integration Option 
1. Azure AD-B2B Feature 
2. Azure AD - B2C Feature 
1. Add support for social and third party identity providers.
4. Any email address can be used to register for Azure AD.
5. Additional Quick Notes 
1. Can also enable Multi-Factor Authentication (MFA) for Azure AD and therefore add MFA to third party apps.
2. Directory integration with Azure Active Directory Synchronization Tool (DirSync) or Azure AD Sync. Use Azure Active Directory Connect instead.
3. Can also use Forefront Identity Manager 2010 R2 (or Microsoft Identity Manager?) – originally was needed if sync multiple ADs.
4. Each directory gets a DNS name at .onmicrosoft.com. Also possible to use custom domains (verify domains in DNS).
5. Supports WS-Federation (SAML token format); OAuth 2.0; OpenID Connect; SAML 2.0.

Key components and Features of Azure AD further detailed below. 

Azure AD Connect 

1. This is most latest tool , older one (retired) are DirSync, Azure AD Sync
2. It is upgraded version of DirSync, Azure AD Sync
3. It gets installed on a local computer that will host AD connect Role 
4. By Default uses SQL Server Express but can be used SQL Server  
5. Azure Syncing account need global admin rights 
6. AD Syncing account needs enterprise admin rights 
7. Syncing Multiple Domain and Forest 
1. One instance per Azure AD Connect Per forest
2. Multiple Forest can be synced to one Azure AD directory 
3. Duplication can be avoid by account specifying attribute  

Azure Access Control Service (ACS)

Microsoft Azure Access Control service (ACS) is a cloud service that provides user authentication and authorization for web applications and services. ACS integrates with standards-based identity providers, including enterprise directories such as Active Directory, and web identities such as Microsoft account, Google, Yahoo!, and Facebook.

It is Deprecated  (Read More Here... )on June 30th, 2017  It has been now merge with Azure Active Directory. But it may appear in exam because exam are updated as fast as Azure itself.

Active Directory Federation Services 

1. ADFS is used when default AD Connect is not good enough such as SSO
2. Allow advance features like Work Hour policy , Soft Lock Out 
3. Conditional Access to resources 
4. When Password can not be sync due to policy 
5. Provide Widgets
6. Domain verification must be done before AD connect Process started 
7. AD connect is also used for setting up web application proxy  

Azure B2B

Azure AD business-to-business (B2B) collaboration capabilities enable any organization using Azure AD to work safely and securely with users from any other organization, small or large. Those organizations can be with Azure AD or without, or even with an IT organization or without.

Organizations using Azure AD can provide access to documents, resources, and applications to their partners, while maintaining complete control over their own corporate data. Read More ...

Azure B2C 

1. Allow and provide integration for social identity providers 
2. Can not be used on existing AD instance , need to create a new instance 
3. Once we create a B2C directory it can not be changed 
4. Azure B2C vs ADFS 
1. B2C is only Supported for certain provider 

Security  in Azure

Role Base Access Control (RBAC)

1. Azure supports Role based access with defined scope 
2. Scope is set of resources on which access is required 
3. Permission can be assigned at level of
1. Subscription Level 
2. Resource Group Level 
3. Resource Level 
1. Virtual Machine 
2. Website
3. Subnets 
4. Can be configured via new azure portal or PowerShell, Classic Azure Portal only support Subscription Admin and co admin 
5. Resource Group 
1. Each resource group belongs to single subscription and can not be shared across subscription
2. Each resource group belongs to single resource group 
3. resource group are region specific 
4. only new portal support resource group
6.  Role Types 
1. Owner :- Full access and generally exist at subscription level 
2. Contributor - can not delegate , rest all allowed 
3. Reader - read only access   
4. Lot of Predefined roles already supplied by azure 

Secure Storage Encryption (SSE) 

SSE works at the storage account level, and stores the data in an encrypted form. Table Storage is not automatically encrypted by SSE and must be done at the client level.

Application Gateway Firewall Security

Application Gateway is a layer-7 load balancer, which is the application level. provides optional firewall features to protect against malicious Web requests

Azure Key Valt 

1. it is like Key Management System that provide support for storing Encryption Keys 
2. Key Owner and Data Owner is different 
3. Allow Creating access policies to limit the key access 
4. Support Hardware security  module 
5. Support only Powershell 
6. More than one key vault can be created 
7. Key Vault is get stored in a particular region 

Azure Disk Encryption 

1. Support Encryption of OS and data volume 
2. Support Bit-locker and DM-Crypt (Linux)
3. A, D, G sreries VM supported 
4. Both Key Owner and VM Workload owner must approve for VM to use Encryption
5. Vault and VM must be in same region 
6. Support on Server class windows and some other OS
7. VM Must be able to access AD End Point (login.windows.net) to get token to access key vault 
8. Ad application must be allowed to azure VM to interact with key vault. For this purpose you need to create a proxy application in AD and VM talks through it

Client Side Encryption Library 

1. Support Encryption for Blobs, table , and queue and support full blob or range 
2. key vault can be used and support key rotation 
3. Client Library uses Chipper Block Chaining CBC mode with AES to encrypt data
4. Encryption is done using envelope encryption 
5. Blob Encryption 
1. Only Full blob is supported 
6. Queue Encryption 
1. Encryption happens at message level using Initialization Vector and CEK
7. Table Encryption 
1. Envelop Encryption is performed on individual property 
2. Only String Properties can be encrypted 

SQL IAAS (VM) Encryption 

1. it is SQL Instance on Azure VM 
2. VM is bit locker encrypted 
3. Need to turn on TDE 
4. Also support Cell Level Encryption 
5. With the help of SQL Connector it can be connected via Key Manager 
6. SQL Server need to be registered with AD in order to enable encryption 

Azure SQL (PAAS) Security 

1. Available on pot 1443 only 
2. Azure SQL firewall works only on instance level not db level
3. By Default all traffic is blocked 
4. Most common firewall configuration is to allow traffic from a predefined subnet 
5. Connection required TLS by using certificates 
6. any idle connection more than 30 min is forced closed 
7. active connection are reauthorized every 600 min (10 hours)
8. Password change forces existing connection to close 
9. Support both Contained Database user and AS authentication 
10. SQL Database dynamic data masking
1. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. 
2. It’s a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started

Azure container Security 

1. By default only storage account owner has full access to storage 
2. each account has a public key and gives full access to storage account management and operation 
3. Access can be assigned either at container level or blob level 
4. Shared Access Signature 
1. can be used to provide restricted access and can be applied to blob, table and queue 
2. Can be used on Ad Hoc basis
3. Supported only fro resource not account 
4. Support start and end date 
5. Stored Access Policy 
1. A policy defines on a resource container 
2. Constraints are in inherited from Policy 
3. Do not required issues of new tokens 
4. New policies can be generated from existing one\

Blob Encryption 

1. Client side Encryption is  supported using Key Vault (CEK/KEK)

Azure SQL Encryption (TDE)

1. TDE is supported for Database , Associated backup , Transaction Log Files 
2. TDE do not required any changes to application and can be enabled either via portal or TSQL

Security Risk Management in Azure

1. Azure Security Center, 
1. Azure Security Center is used to manage and monitor the security of Azure resources.
2. Operations Management Suite, 

Azure AD Graph API 

The Azure Active Directory Graph API provides programmatic access to Azure AD through REST API endpoints. Applications can use the Graph API to perform create, read, update, and delete (CRUD) operations on directory data and objects.

Notes - Azure AD Graph API is being Deprecated and Microsoft strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources.But this topic may appear in exam. Read More... 

1. OData3.0 service with REST Endpoint to interact (CURD) with AD object 
2. Same feature is also exposed via Microsoft Graph that single API mechanism for all MS based cloud services  https://developer.microsoft.com/en-us/graph/
3. This is unified API for all MS Services including Outlook , One Note etc 
4. Accessible through single endpoint and single access token 
5. Key Scenario for using AD Graph API 
1. List AD Object and properties like user 
2. Group and Role Query 
3. Set Password 
4. add remove users etc.
6. Each Azure AD graph API request must contains a bearer token issued by Azure AD
7. Endpoint Addressing is   https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}
1. https://graph.windows.net/ is called service root 
2. API Version is mandatory
3. tenant_id (how to get)
1. It Could be a GUID associated with your Tendency 
2. Your registered domain name
3.  Use MyOrganisation alias
4. Me Alas that is only available using delegated scope  
4. API Version are 
1. "beta"
2. "1.6"
3. "1.5"
4. "2013/11/08"
5. "2013/04/05"
5. Graph-Explorer tool can be used to test around 
8. Detail Documentation @ MSDN