Microsoft Azure Overview: Authentication, Authorization, Applications & Security Principals.

Explore managing Azure resources using Azure Active Directory for secure authentication and controlled application access.

Saartje Ly

Data Engineering Intern

May 25, 2024

Accessing your Azure resources

Most cloud applications deployed to Azure need to access other Azure resources such as storage, databases, stored secrets, and so on. To access those resources, the application must be both authenticated and authorized.

Authentication is the process of verifying the identity of an application with Azure Active Directory.

Authorization determines which operations the authenticated app can perform on any given resource. The authorized operations are defined by the roles assigned to the app identity for that resource. In certain scenarios, such as Azure Key Vault, authorization is also determined by additional access policies that are assigned to the app identity.

Microsoft wants you to be able to decide which resources someone can control and how much of each resource they can control. For example, we can give someone access to our database while still controlling what they can do with it.


Azure Active Directory

Instead of each application managing its own set of usernames and passwords, which incurs a high administrative burden whenever users must be added or removed across multiple apps, apps can delegate that responsibility to a centralized identity provider.

Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. By delegating authentication and authorization to Azure AD, organizations can leverage features such as Conditional Access policies, which enforce requirements such as sign-in location, multi-factor authentication (often termed two-factor authentication or 2FA), and Single Sign-On (SSO). With SSO, users only need to sign in once and are then automatically authenticated for all web applications that are linked to the same centralized directory.

Why is the Azure Active Directory important? 

Azure simplifies security by centralizing it in Azure AD, which lets you handle many different authentication and authorization scenarios in one place.

How can we use it?

We need to register our app with Azure AD. As part of that registration, we define the authentication protocol the app will use.


Let’s look at what registering our application looks like.

When we register our application with the Azure AD, two different objects are created for us.

1. Application Objects

2. Service (Security) Principals: Service principals generally reference an application object, and one application object can be referenced by multiple service principals across directories. 


Application Objects

An Azure AD application is defined by its one and only application object, which is situated in the Azure AD tenant where the application was registered. The application object describes three aspects of an application.

 1. How the service can issue tokens in order to access the application

 2. Resources that the application might need to access

 3. The actions that the application can take

An application object is used as a template or blueprint to create one or more service principal objects. 


Security Principals

In order to obtain access to resources secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines:

 1. The access policy

 2. The permissions for the user/application in the Azure AD tenant

This enables core features such as authentication of the user/application during sign-in, and authorization during resource access. A service principal is created within each tenant where the application is used. 


Summary

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. Let’s say we have a very simple application that can do 4 things:

 1. Create new records in a database

 2. Update existing records in a database

 3. Delete existing records in a database

 4. Query existing records in a database

We decide to register our simple application with Azure Active Directory because we want to know who accesses this application (Authentication) and which of its functionality they are allowed to use (Authorization). When we register the application with Azure AD, we create two things:

 1. An Application Object

 2. A Service Principal Object

The Application Object serves as a template, saying what the application is and what it can do. When we later want to access our application, we do so through a Service Principal Object. The Service Principal Object defines what we can access inside of our application. For example, we might want to give someone the ability to query records but not delete them. In that case, we create a Service Principal object referencing our application and grant it only that specific access.
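The following Azure PowerShell script is an added example, not part of the original post, showing the two-object model above end to end: one application object, one service principal for this tenant, a least-privilege role assignment (the "query but not delete" split), and the extra Key Vault access policy mentioned in the authorization section. It assumes the Az module, an existing Connect-AzAccount session, and placeholder values for the subscription, resource group and vault name.

```powershell
# Added example (not from the original post). Requires the Az PowerShell module
# and an existing Connect-AzAccount session. All values below are placeholders.
$subscriptionId = "<your-subscription-id>"
$resourceGroup  = "<your-resource-group>"
$vaultName      = "<your-key-vault-name>"

# 1. Application object: the single, global definition of the app (the template).
$app = New-AzADApplication -DisplayName "records-reporting-app"

# 2. Service principal: the local identity in this tenant that references the app.
#    Other tenants using the same app would each get their own service principal.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# 3. Authorization through RBAC: a role assignment scoped to one resource group.
#    "Reader" is a built-in role that lets the identity see resources in that
#    scope but not modify or delete them; nothing outside the scope is granted.
New-AzRoleAssignment -ObjectId $sp.Id `
    -RoleDefinitionName "Reader" `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# 4. Key Vault (access-policy permission model) checks its own policy on top
#    of RBAC: allow only get/list on secrets, no set/delete/purge.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $sp.Id `
    -PermissionsToSecrets get,list

# Verify what the service principal actually holds before handing it out.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope
```

Removing the app later is done on the service principal for this tenant (its role assignments and vault policy go with it), while the application object remains the definition reused elsewhere.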
