Cloud Security – Azure Active Directory authentication – Part 1

Hi All,

LIFE IS BEAUTIFUL 🙂 I hope we all are safe:) STAY SAFE, STAY HEALTHY 🙂 STAY HOME 🙂

In last article Cloud Security- Introduction to Azure Security and Azure Security Center we discussed bit about Azure Security and Azure Security Center

These articles will also helps you to prepare exam – AZ-500 : Microsoft Azure Security Technologies towards the following topics:

• Configure Azure Active Directory for workloads
• Configure Microsoft Azure AD Privileged Identity Management

Today in this article we will discuss Azure AD Authentication and what it includes and then next subsequent articles for each and every Azure AD Authentication components.

What is Authentication?

• Process of verifying user credentials / identity when user uses/sign in to a device, application or any service
• Example – When user logins to Microsoft Cloud Service, user is validated against the credentials along with other mechanism like Microsoft Authentication App, Phone (either via text message or voice call) and so on
• Microsoft identity platform (Azure Active Directory) implements the OpenID Connect protocol for handling authentication.

What is Azure Active Directory (V1.0)?

• Cloud Identity Service. Centralized Identity provider in cloud
• Identity Service / Identity Provider means it is responsible for verifying the identity of users and applications that exists in organization’s directory, and issue security tokens upon successful authentication of those users and applications
• Powerful tool to protect user identities and credentials
• Microsoft Online business services like M365 / Microsoft Azure requires Azure AD for sign-in and to protect identities
• This service allows us to sign in and access resources in
  • Resources such as M365, Azure Portal, other SaaS applications
  • Our organization Intranet, Apps in our organization intranet application
  • Any other cloud apps developed by our organization
• Azure AD can be used to automate user provisioning between Windows AD and M365
• This service allows us to implement the applications which sign in / authenticate users with Microsoft or school account
• This service supports us for writing applications for Single-Tenant or Multi-Tenant
• Azure Active Directory for developers (v1.0) (Azure AD) simplifies authentication for application developers by providing identity as a service
• There are libraries available to enable developers to authenticate users to cloud or on-premises AD, to fetch the tokens for calling secure API like Microsoft Graph. These libraries are called Azure Active Directory Authentication Library (ADAL) v1.0
• This service allows us to call an API which it supports like Microsoft Graph, SharePoint etc as shown in below Fig:

• Azure AD is intended for
  • IT Admins
  • Developers
  • Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers

What is Microsoft Identity Platform (V2.0)?

• Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform.
• Microsoft identity platform allows us to write an applications which sign in to all Microsoft identities and get tokens to call respective secured APIs
• It consist of Authentication Service, open-source libraries, application registration and configuration and so on.
• This supports standard protocols like OAuth 2.0 and OpenID connect

Difference between Azure AD v1.0 platform and Microsoft Identity Platform

• Azure AD v1.0 platform only supports to authenticate work and school account by requesting tokens from the Azure AD v1.0 endpoint using ADAL (Active Directory Authentication Library). But Microsoft Identity Platform v2.0 authenticates any Microsoft identity using MSAL (Microsoft Authentication Library) –
  • Work and school account
  • Personal accounts (such as Outlook.com, Hotmail.com, msn.com)
  • Social Identity such as Linked In, Facebook, Google

• From above figure, if we click on link “Help me choose…”, it shows details for each account type as

• For new application Microsoft recommends to use MSAL
• Applications built with ADAL libraries continue to be supported.

What Azure AD Authentication includes? Following are the authentication methods supported by Azure AD

• Username and Password
• Microsoft Authenticator App passwordless sign-in
• OATH hardware token or FIDO2 security key
• SMS-based passwordless sign-in

But for Security reasons, many accounts in organizations are enabled for Azure Multi Factor Authentication (MFA) which includes more verification methods such as Phone call, Security Question and so on.

Best practice is to have multiple verification methods for all users.

What Next? In next upcoming articles we will discuss each Azure AD authentication method. Stay tuned 🙂

For more details on Azure AD please visit our other article Azure Identity And Access Management Part 1 – Azure Active Directory – Overview

We have detailed series on Azure Active Directory, please have a look – https://knowledge-junction.in/category/azure-active-directory/

References

• Microsoft identity platform developer glossary
• What is Azure Active Directory?
• Azure Active Directory Authentication Libraries
• Azure Active Directory code samples (v1.0 endpoint)
• Microsoft identity platform (v2.0) overview
• What is Azure Active Directory authentication?
• Why update to Microsoft identity platform (v2.0)?

Thanks for reading 🙂 If its worth at least reading once, kindly please like and share. SHARING IS CARING 🙂

Enjoy the beautiful life 🙂 Have a FUN 🙂 HAVE A SAFE LIFE 🙂 TAKE CARE 🙂