Design Authentication And Authorization

In this blog post I discuss designing authentication and authorization in brief from the Azure Solution Architect Design (AZ-304) perspective. It covers authentication and authorization, MFA (Multi-Factor Authentication), recommendations for securing your identity infrastructure, SSO, hybrid identity, B2B identity, and root and management groups.

Apart from this, you can also check my blog on Planning and Recommendation of Virtual Networks, another post from the Microsoft Certified Azure Solution Architect Design series.

What Is Authentication?

Authentication is the process of proving that you are who you say you are. The Microsoft identity platform implements the OpenID Connect protocol for handling authentication.

What Is Authorization?

Authorization is the act of granting an authenticated party permission to do something. The Microsoft identity platform implements the OAuth 2.0 protocol for handling authorization.

Difference between OAuth and OpenID Connect

OAuth is used for authorization and OpenID Connect is used for authentication. OpenID Connect is built on top of OAuth 2.0, so the terminology and flow are similar between the two: you can authenticate the user with OpenID Connect and obtain authorization to access a protected resource the user owns with OAuth 2.0 in a single request.
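As an added example (not code from the original post), here is how a relying party would combine the two in one Microsoft identity platform v2.0 request and then check the claims of the ID token it receives. The tenant id, client id, nonce and the token built inside the block are constructed placeholders, and signature verification against the tenant's signing keys is assumed to happen separately.

```python
# Added, constructed example: the Microsoft identity platform's v2.0 endpoints
# let one request authenticate (OIDC "openid" scope -> ID token) and authorize
# (OAuth 2.0 resource scope -> access token). Tenant, client id, nonce and the
# token built below are placeholders, not real values.
import base64, json, time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/{tenant}/v2.0"

def build_authorize_url(tenant, client_id, redirect_uri, state, nonce):
    """Authorization-code request that asks for an ID token AND Graph access at once."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile https://graph.microsoft.com/User.Read",  # OIDC + OAuth 2.0
        "state": state,   # binds the response to this browser session
        "nonce": nonce,   # echoed back inside the ID token to defeat replay
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urlencode(params)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_id_token(claims):
    """CONSTRUCTED unsigned token so decode_claims can run offline. A real ID token
    is RS256-signed and its signature must be verified against the tenant's JWKS."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(jwt):
    """Decode the payload segment; this does NOT verify the signature."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def validate_id_token_claims(claims, tenant, client_id, nonce, now=None):
    """Claim checks a relying party performs after signature verification.
    Returns the names of the checks that failed (empty list means all passed)."""
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != AUTHORITY.format(tenant=tenant):
        failed.append("iss")      # token must come from this tenant's v2.0 endpoint
    if claims.get("aud") != client_id:
        failed.append("aud")      # ID token must be minted for this application
    if claims.get("nonce") != nonce:
        failed.append("nonce")    # must match the nonce sent in the authorize request
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        failed.append("exp")      # expired (or missing) tokens are rejected
    return failed
```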

Multi-Factor Authentication

Azure Multi-Factor Authentication adds security to your identities by requiring two or more elements to complete the authentication. Those elements fall into three categories:

  • Something you know: which might be a password or the answer to a security question.
  • Something you possess: which might be a mobile app that receives a notification or a token-generating device.
  • Something you are: which is typically a biometric property, such as a fingerprint or the face scan used on many mobile devices.

Conditional Access

Conditional Access is an Azure tool that brings signals together to make decisions and enforce organizational policies. The Conditional Access workflow is part of the architecture of Azure Multi-Factor Authentication.


Five Steps For Securing Identity Infrastructure

These steps are also the recommended practices for protecting against cyber-attacks using Azure AD.

1. Strengthen your credentials

Use strong authentication, ban common passwords and turn off traditional complexity and expiration rules, protect against leaked credentials, and take advantage of intrinsically secure, easier-to-use credentials.

2. Reduce your attack surface area

Block invalid authentication entry points, restrict user consent operations, and implement Azure AD Privileged Identity Management.

3. Automate threat response

Implement a user-risk security policy using Azure AD Identity Protection, and implement a sign-in-risk policy using Azure AD Identity Protection.

4. Utilize cloud intelligence

Monitor Azure AD Connect Health in hybrid environments, and monitor Azure AD Identity Protection events.

5. Enable end-user self-service

Implement self-service password reset, implement self-service group and application access, and implement Azure AD access reviews.

Azure AD Seamless Single Sign-On (SSO)

With Seamless SSO, users are automatically signed in when they are on a corporate device connected to the corporate network. When it is enabled, users don't need to type their password to sign in to Azure AD. Seamless SSO can be combined with either the password hash synchronization or the pass-through authentication sign-in method.

Seamless SSO is free; it does not require paid editions of Azure AD.


Multi-Factor Authentication For Hybrid Identity

Here, many questions come up, such as:

  1. Is your company trying to secure Microsoft apps?
  2. How are the apps published?
  3. Where are the users going to be located?
  4. Are the users familiar with Multi-Factor Authentication?
  5. Does your company need to protect privileged accounts with MFA?

Depending on the answers, there is a decision tree called the "Hybrid Identity Decision Tree" that tells us which authentication method and which hybrid identity option to choose. Based on the customer's requirements we follow that decision tree and adopt the ideal approach for the Azure cloud.


Azure Active Directory B2B

With Azure AD B2B, partners use their own identity management solution, so there is no external administrative overhead for your organization:

  • You don't need to manage external accounts and passwords
  • You don't need to sync accounts or manage the account lifecycle
  • Guest users sign in and use services with their own work or school identities
  • Invite guest users using the email identity of their choice
  • Guest users follow the redemption steps in the invitation

Hierarchy Of Management Groups And Subscriptions

  • 10,000 management groups can be supported in a single directory
  • Each management group and subscription can support only one parent
  • Each management group can have many children
  • All subscriptions and management groups are within a single hierarchy in each directory
  • A management group tree can support up to six levels of depth (this does not include the root level or the subscription level)


Root Management Group For Each Directory

  • Every directory is given a single top-level management group called the root management group
  • This root management group is built into the hierarchy so that all management groups and subscriptions fall under it
  • The root management group allows global policies and RBAC assignments to be applied at the directory level
  • An Azure AD global administrator needs to elevate themselves to the User Access Administrator role of the root group initially
  • After elevating access, the administrator can assign any RBAC role to other directory users of the group to manage the hierarchy
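As an added example that is not part of the original post, the following model enforces the hierarchy rules listed in the two sections above and shows how assignments made at the root group flow down to a subscription. The group names, assignment labels, the elevation bookkeeping and the choice to count the root group toward the 10,000 limit are my assumptions.

```python
# Added, constructed example of the management-group rules described above.
MAX_MANAGEMENT_GROUPS = 10000   # per directory (count includes the root group here)
MAX_DEPTH = 6                   # management-group levels below root; subscriptions don't count
ROOT = "Tenant Root Group"      # the built-in root management group of every directory

class Hierarchy:
    def __init__(self):
        self.parent = {ROOT: None}   # exactly one parent per node; only the root has none
        self.kind = {ROOT: "mg"}     # "mg" (management group) or "sub" (subscription)
        self.assignments = {}        # node -> policy / RBAC assignment names attached there
        self.elevated = set()        # global admins elevated to User Access Administrator

    def ancestry(self, node):
        """node, its parent, ... up to the root (every node has a single path to root)."""
        chain = [node]
        while self.parent[chain[-1]] is not None:
            chain.append(self.parent[chain[-1]])
        return chain

    def depth(self, node):   # management-group levels below the root (root itself is 0)
        return len(self.ancestry(node)) - 1

    def _check_new(self, name, parent):
        if name in self.parent:
            raise ValueError(f"{name!r} already exists; a node cannot have two parents")
        if self.kind.get(parent) != "mg":
            raise ValueError(f"parent {parent!r} must be an existing management group")

    def add_management_group(self, name, parent=ROOT):
        self._check_new(name, parent)
        if list(self.kind.values()).count("mg") >= MAX_MANAGEMENT_GROUPS:
            raise ValueError("directory limit of 10,000 management groups reached")
        if self.depth(parent) + 1 > MAX_DEPTH:
            raise ValueError(f"{name!r} would exceed the six-level management-group depth")
        self.parent[name], self.kind[name] = parent, "mg"

    def add_subscription(self, name, parent=ROOT):
        self._check_new(name, parent)   # subscriptions are leaves, so depth is not limited
        self.parent[name], self.kind[name] = parent, "sub"

    def elevate(self, global_admin):    # required before managing access at the root group
        self.elevated.add(global_admin)

    def assign(self, node, assignment, by):   # applies to everything beneath the node
        if node == ROOT and by not in self.elevated:
            raise PermissionError(f"{by!r} must elevate to User Access Administrator first")
        self.assignments.setdefault(node, []).append(assignment)

    def effective_assignments(self, node):   # root-level entries first, then each level down
        return [a for n in reversed(self.ancestry(node)) for a in self.assignments.get(n, [])]
```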

Next Task For You

Interested in preparing for the Azure certification exams as well? Check out this blog post to learn all about exam preparation: Tips To Prepare Exam AZ-304: Microsoft Azure Architect Design. Also, check out this blog to learn more about the core services of Azure: [AZ-900] Microsoft Azure Core Services: Compute, Network, Storage & Database.

Click on the Register Now button below to register for a free Masterclass of our much-awaited AZ-304 Certification Training, which will help you clear the exam with flying colours.


The post Design Authentication And Authorization appeared first on Cloud Training Program.
