Azure Cloud: Security and Authentication

AZ-304, AZ-303 Azure Cloud Architect certification preparation (3)

SoniaComp
21 min read · Feb 5, 2021
1. Azure Active Directory(AAD)
- MFA
- Application Proxy
- Domain service
- Application Management: SSO(Single sign-on)
- Security Center
- Managed Identities
- PIM(Privileged Identity Management)
- Access Reviews
- KeyVault
- Application Provisioning
- Azure AD V2.0 endpoint
- Azure AD B2C tenant
- pass-through authentication
- AAD Connect
- AAD Federation Services
- AAD Identity Protection
- Risk Policies
- AAD Conditional Access
- RBAC
- Blueprint
- Hybrid Identities(Cloud Sync)
- External Identities(Azure AD B2B)
- Azure Dynamic Users
- Azure Active Directory Admin Center
2. Security for applications
- Client Library
- Storage
- Azure Sentinel
- Data encryption (Transparent Data Encryption, Always Encrypted, Azure Disk Encryption)

Azure terminology

Management Group > Subscription > AD tenant > AD directory (the directory provides identity and access management for the tenant's resources) > users, groups and applications

Azure Active Directory: Microsoft's cloud-based identity and access management service. Through Azure AD, employees sign in and access resources.

Azure Active Directory(AAD)

Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources.

  • conditional access
  • External resources: Microsoft 365, the Azure portal, and thousands of other SaaS applications
  • Internal resources: apps on your corporate network and intranet, along with any cloud apps. [ tenant > groups with assigned members ]

→ Assign a group of users the following privileges:
the users should be able to manage virtual networks;
they should not be allowed to manage role assignments.
→ Granting a broader role would also allow the users to manage all resources, which would provide too many privileges.

→ grant permissions to allow web apps to access the web APIs by using

AAD Account and MFA

  • A public Azure Load Balancer
  • an App Service Plan
  • an Azure AD conditional Access Policy

Example) All users will be able to sign in without using multi-factor authentication (MFA). "Conditional Access policies can be set to Report-only if you want to see how the configuration would impact users, or Off if you don't want to use the policy right now. As a test group of users was targeted for this tutorial, let's enable the policy and then test Azure AD Multi-Factor Authentication."

Azure AD Identity Protection for the Azure AD group: ensure that all sign-in attempts from those countries require Azure Multi-Factor Authentication.

Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service which runs in the cloud, and the Application Proxy connector which runs on an on-premises server.

Domain Service (Your domain controller as a service)

  • Custom Domain: Every new Azure AD directory comes with an initial domain name, domainname.onmicrosoft.com. You can’t change or delete the initial domain, but you can add your organization’s name to the list. Adding custom domain names helps you to create user names that are familiar to your users.
  • Azure Files supports identity-based authentication over Server Message Block (SMB) through two types of Domain Services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS)
  • Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
  • The company plans to deploy several Windows and Linux virtual machines (VMs) to support their applications. Requirements: support domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy. Allow users to sign in to the domain using their corporate credentials and connect remotely to the VM by using Remote Desktop.

a network that includes an on-premises Active Directory Domain Services domain and an Azure Active Directory (Azure AD)

  • synchronized identity
    User management occurs on-premises. Azure AD authenticates employees by using on-premises passwords.
    Azure AD Domain Services for hybrid organizations: organizations with a hybrid IT infrastructure consume a mix of cloud resources and on-premises resources. Such organizations synchronize identity information from their on-premises directory to their Azure AD tenant. As hybrid organizations look to migrate more of their on-premises applications to the cloud, especially legacy directory-aware applications, Azure AD Domain Services can be useful to them.
  • federated identity
    User management occurs on-premises. The on-premises domain controller authenticates employee credentials. You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises.

Application Management: SSO (single sign-on)

Single sign-on (SSO) means accessing all applications and resources a user needs by signing in only once using a single user account. Many organizations rely on software as a service (SaaS) applications, such as Microsoft 365, Box, and Salesforce, for end user productivity.

Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don’t need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

Security Center

Azure Security Center helps you secure your on-premises and cloud resources.

You use adaptive controls to control which applications are allowed to run on your virtual machines.
With just-in-time access, your virtual machines are only accessed based on rules that you configure.

Playbooks are automated procedures that you can run against alerts.

PIM(Privileged Identity Management)


Azure Multi-Factor Authentication (MFA) vs. the service that enables you to manage, control and monitor access to important resources in your organization => Privileged Identity Management

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization.

  • Organizations can give users just-in-time privileged access to Azure resources and Azure AD. There is a need for oversight for what those users are doing with their administrator privileges.
  • Assign time-bound access to resources using start and end dates
  • ability to conduct access reviews
  • Requires an Azure AD Premium P2 license
  • Access control for the sign-in risk policy: allow access and require multi-factor authentication
  • Access control for the multi-factor authentication registration policy: allow access and require Azure MFA registration (registering security info)

Example) security feature: Privileged Identity Management for the Azure services.
You need to recommend a solution to provide the developers with the required access to the virtual machines. Provide permissions only when needed. Use the principle of least privilege. Minimize costs.

AD access reviews

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User’s access can be reviewed on a regular basis to make sure only the right people have continued access.


Access reviews in Identity Governance → Your company’s security policy states that the security administrator must verify all assignments of the Owner role for the subscriptions and resource groups once a month. All assignments that are not approved by the security administrator must be removed automatically. The security administrator must be prompted every month to perform the verification.

Azure Managed Identities

MFA: Azure AD Conditional Access policies

  • On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
  • This also helps accessing Azure Key Vault where developers can store credentials in a secure manner. Managed identities for Azure resources solves this problem by providing Azure services with an automatically managed identity in Azure AD.
  • Example) use secure credentials to access these services.
    → Azure Key Vault: Azure Managed Identity
    → Azure SQL: Azure Managed Identity
    → Cosmos DB: Azure Managed Identity
    Managed Identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).
  • Change the pricing tier: You need to recommend a solution to increase the available throughput of the key vault; the solution must minimize costs.

User-assigned managed identities

Managed identities for Azure resources is a feature of Azure Active Directory.

A user-assigned managed identity can be shared. The same user-assigned managed identity can be associated with more than one Azure resource.

System-assigned managed identity cannot be shared. It can only be associated with a single Azure resource.

Key vault

Must be provisioned separately for each region.

In order for Resource Manager templates to access Azure Key Vault, you need to enable the setting in the Advanced policy section for the key vault.

→ Prevent the IT staff that will perform the deployment from retrieving the secrets directly from Key Vault: from Access policies in Key Vault, enable access to Azure Resource Manager for template deployment, and assign the IT staff a custom role that includes the Microsoft.KeyVault/vaults/deploy/action permission.
→ You need to identify where you can restore the backup: the same region only (disaster-recovery backup of the keys).

Failover → a server in the paired region, and the key vault is in read-only mode, so deletion is impossible.

The applications use Azure Key Vault to store several authentication, storage account, and data encryption keys. Several departments have the following requests to support the applications:
→ Security: Azure AD Privileged Identity Management
→ Development: Azure AD managed Service Identity
→ Quality Assurance: Azure AD privileged Identity Management

Application Provisioning

SCIM is a standardized definition of two endpoints: a /Users endpoint and a /Groups endpoint. It uses common REST verbs to create, update, and delete objects, and a pre-defined schema for common attributes like group name, username, first name, last name and email. Apps that offer a SCIM 2.0 REST API can reduce or eliminate the pain of working with a proprietary user management API.

Provisioning: the process of setting up IT infrastructure. The term also refers to the steps required to manage access to data and resources so that they are available to users and systems.
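The two SCIM endpoints described above, as an added example that is not part of the original post or of any Microsoft code: an in-memory /Users endpoint that handles the create, lookup-by-filter, update and delete requests a provisioning service issues, returning SCIM 2.0 schemas and HTTP status codes. The handler names, the attribute subset and the single userName filter form it accepts are this example's assumptions; the user records are constructed.

```python
"""In-memory SCIM 2.0 /Users endpoint (added example; not Microsoft's provisioning
service and not any real application's API). Each handler returns
(http_status, json_body) the way a real endpoint would answer the request.
"""
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# The only filter this example supports: the userName lookup a provisioning
# service sends before deciding between create and update.
USERNAME_FILTER = re.compile(r'^userName\s+eq\s+"([^"]*)"$', re.IGNORECASE)


def scim_error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUsers:
    def __init__(self):
        self._users = {}
        self._next_id = 1

    def post(self, body):
        """POST /Users: create; userName must be unique (409 on conflict)."""
        if USER_SCHEMA not in body.get("schemas", []) or "userName" not in body:
            return scim_error(400, "missing User schema or userName")
        if self._find_by_username(body["userName"]):
            return scim_error(409, "userName already exists")
        uid = str(self._next_id)
        self._next_id += 1
        user = {
            "schemas": [USER_SCHEMA],
            "id": uid,
            "userName": body["userName"],
            "active": bool(body.get("active", True)),
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
        }
        self._users[uid] = user
        return 201, user

    def get(self, filter_expr=None):
        """GET /Users?filter=userName eq "...": list response, possibly empty."""
        if filter_expr is None:
            matched = list(self._users.values())
        else:
            m = USERNAME_FILTER.match(filter_expr.strip())
            if not m:
                return scim_error(400, "unsupported filter")
            matched = self._find_by_username(m.group(1))
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matched),
                     "Resources": matched}

    def patch(self, uid, body):
        """PATCH /Users/{id}: apply PatchOp operations (e.g. active=false on deprovisioning)."""
        user = self._users.get(uid)
        if user is None:
            return scim_error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "missing PatchOp schema")
        for op in body.get("Operations", []):
            kind = op.get("op", "").lower()        # clients may send "Replace"/"Add"/"Remove"
            path = op.get("path")
            if kind in ("replace", "add") and path in ("active", "userName", "name", "emails"):
                user[path] = op["value"]
            elif kind == "remove" and path in ("name", "emails"):
                user[path] = {} if path == "name" else []
            else:
                return scim_error(400, f"unsupported operation {op}")
        return 200, user

    def delete(self, uid):
        """DELETE /Users/{id}: hard delete, 204 with no body."""
        if uid not in self._users:
            return scim_error(404, "user not found")
        del self._users[uid]
        return 204, None

    def _find_by_username(self, name):
        return [u for u in self._users.values() if u["userName"].lower() == name.lower()]
```

Soft-disabling through PATCH of `active` is what a provisioning service does first when a user leaves; the hard DELETE only follows later, so an app that only implements DELETE will keep disabled accounts signable.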

Azure AD V2.0 endpoint

Users must authenticate by using a personal Microsoft account and multi-factor authentication.

Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs, such as Microsoft Graph, or APIs that developers have built. The Microsoft identity platform consists of:

OAuth 2.0 and OpenID Connect standard-compliant authentication service that enables developers to authenticate any Microsoft identity, including:

Work or school accounts (provisioned through Azure AD), personal Microsoft accounts (such as Skype, Xbox, and Outlook.com), and social or local accounts (via Azure AD B2C).

Azure AD B2C tenant

Users must authenticate by using either Contoso credentials or a personal Microsoft account. You must be able to manage the accounts from Azure AD.

Azure Active Directory B2C provides business-to-customer identity as a service. Azure Active Directory B2C (Azure AD B2C) integrates directly with Azure Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your applications.

AD-integrated application > pass-through authentication

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience — one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory.
→ Azure Application Gateway and a Standard Load Balancer

Authentication

In Azure Active Directory (Azure AD), authentication involves more than just the verification of a username and password. To improve security and reduce the need for help desk assistance, Azure AD authentication includes the following components.

  • SSPR(Self Service Password Reset)
  • Password writeback

If users get locked or forget their password, you can use the self-service password reset with writeback option. These features are included as part of Premium P1 licenses.
→ reduce operational overhead
→ self-service password reset
→ password writeback

  • Premium P1 licenses: a requirement for using Conditional Access.
  • Multi-factor Authentication(MFA)
    → Conditional Access: By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user’s way when not needed. Require MFA for access from untrusted networks with Conditional Access.
    → There is a baseline policy that ensures that multi-factor authentication is present for administrative accounts.

AAD Connect

A tool that syncs on-premises AD users with Azure AD.

AAD Federation Services

Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and most always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.

AAD Identity Protection

provides advanced user threat detection and remediation strategies.

AAD Identity Protection provides all the security features for your Azure Active Directory entities.

  • Automate the detection and remediation of identity-based risks.
  • Investigate risks using data in the portal.
  • Export risk detection data to third-party utilities for further analysis.

AAD Identity Protection > Risk Policies

  • AD Identity Protection: In response to a detected account at risk, Azure AD Identity Protection generates an email alert with "Users at risk detected" as the subject.

Azure AD Conditional Access

Use a VM managed identity to access Azure Resource Manager: ResourceGroup > Access Control

Conditional access policy

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user’s way when not needed.
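The if-then evaluation described above, as an added example (not Azure AD's policy engine): policies carry assignments (roles, groups, locations, countries, sign-in risk), a grant control and a state, and a sign-in either passes, must complete MFA or is blocked, with report-only policies recorded but never enforced. The policy fields, policy names, user names and sign-in attributes are simplified assumptions constructed for the demonstration.

```python
"""Conditional Access evaluated as if-then rules (added example; not Azure AD's
policy engine). Policy and sign-in fields are simplified assumptions.
"""
from dataclasses import dataclass, field

RISK_LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    trusted_network: bool = False      # request comes from a named/trusted location
    country: str = "US"
    sign_in_risk: str = "none"
    mfa_completed: bool = False


@dataclass
class Policy:
    name: str
    state: str = "enabled"                              # "enabled" | "reportOnly" | "disabled"
    include_groups: set = field(default_factory=set)    # empty = all users
    include_roles: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)     # e.g. break-glass accounts
    untrusted_networks_only: bool = False
    countries: set = field(default_factory=set)         # empty = any location
    min_sign_in_risk: str = ""                          # "" = any risk level
    grant: str = "requireMfa"                           # "requireMfa" | "block"


def applies(policy: Policy, s: SignIn) -> bool:
    """The 'if' half: does the sign-in fall inside the policy's assignments?"""
    if s.user in policy.exclude_users:
        return False
    if (policy.include_groups or policy.include_roles) and not (
            s.groups & policy.include_groups or s.roles & policy.include_roles):
        return False
    if policy.untrusted_networks_only and s.trusted_network:
        return False
    if policy.countries and s.country not in policy.countries:
        return False
    if policy.min_sign_in_risk and RISK_LEVEL[s.sign_in_risk] < RISK_LEVEL[policy.min_sign_in_risk]:
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """The 'then' half. Controls of every matching enabled policy are combined and
    block wins over requireMfa; report-only matches are only recorded."""
    controls, enforced, report_only = set(), [], []
    for p in policies:
        if p.state == "disabled" or not applies(p, s):
            continue
        if p.state == "reportOnly":
            report_only.append(p.name)
            continue
        controls.add(p.grant)
        enforced.append(p.name)
    if "block" in controls:
        outcome = "block"
    elif "requireMfa" in controls and not s.mfa_completed:
        outcome = "mfaRequired"
    else:
        outcome = "grant"
    return {"outcome": outcome, "enforced": enforced, "reportOnly": report_only}


# Constructed policy set: baseline admin MFA, MFA from untrusted networks, MFA from
# listed countries, a block for high-risk sign-ins, and a pilot still in report-only.
POLICIES = [
    Policy("Baseline: MFA for admins", include_roles={"Global Administrator"}),
    Policy("MFA from untrusted networks", untrusted_networks_only=True,
           exclude_users={"breakglass@contoso.example"}),
    Policy("MFA from listed countries", countries={"XX", "YY"}),
    Policy("Block high-risk sign-ins", min_sign_in_risk="high", grant="block"),
    Policy("Pilot: MFA for Finance", state="reportOnly", include_groups={"Finance"}),
]
```

Switching the pilot policy's `state` to `"enabled"` is the only change needed to move it from report-only to enforced, which is what the Report-only workflow quoted earlier is for: the `reportOnly` list in the result shows who would have been affected before any user is prompted.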

RBAC(Role-Based Access Control)

→ You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you’ll see the changes.

Azure management groups and RBAC: analyze costs for different workloads, analyze costs by business unit and workload.

An Azure bluePrint

You need to be able to create a deny RBAC role for the administrator on the resource group, and this can be accomplished with the use of Azure Blueprints.

→ Azure Resource Manager Template(Subscription), Policy assignment Resource Group, and Role Assignment only

BP1 is in draft mode.
When a blueprint is first created, it’s considered to be in Draft mode. When it’s ready to be assigned, it needs to be Published.

The BP1 artifacts include one Policy assignment and a Resource group, but no Role assignments. Note: Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as Role Assignments, Policy Assignments, Azure Resource Manager templates (ARM templates) and Resource Groups.

Since the BP1 artifacts include a Resource group, you will need to provide a resource group name.

Level at which to define blueprints: the root management group
Level at which to create the blueprint assignments: the subscriptions

Assign a blueprint After a blueprint has been published, it can be assigned to a subscription. Assign the blueprint that you created to one of the subscriptions under your management group hierarchy. If the blueprint is saved to a subscription, it can only be assigned to that subscription.

Minimize administrative effort:
update RBAC role assignments across all the subscriptions and resource groups.
→ Update the RBAC role assignments: Azure Blueprints
→ Prevent the deletion of the resource group: Azure Blueprint assignments that set the locking mode at the subscription level.

prevent the deletion of the resource groups : resource locks at the subscription level

“Assigning a blueprint definition to a management group means the assignment object exists at the management group. The deployment of artifacts still targets a subscription. To perform a management group assignment, the Create Or Update REST API must be used and the request body must include a value for properties.scope to define the target subscription.” 2(Management Groups)/ 2(Blueprint definitions)/ 4(Blueprint assignments)

Hybrid Identities(Cloud Sync)

Source: Azure
  • AD Connect: Password hash synchronization, Pass-through authentication, Federation integration, Synchronization, Health Monitoring. Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
    → With Password hash synchronization + Seamless SSO, authentication happens in the cloud, so it stays available even if the connection to the on-premises AD is down. This minimizes authentication prompts for the users.
  • Pass-through Authentication and federation rely on on-premises infrastructure.
  • Password Hash Sync: completely cloud-based authentication
  • Pass-through Auth + Seamless SSO: enforces native (on-premises) policies
  • Pass-through Auth + Seamless SSO with Password Hash Sync: enforces native policies, disaster recovery
  • Federation: not native, federation provider
  • Federation with Password Hash Sync: not native, federation provider, disaster recovery

Seamless SSO is not applicable to Active Directory Federation Services (ADFS). Instead install and configure an Azure AD Connect server. Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network. You need to enable single sign-on (SSO) for company users.

Example)

On-premises AD DS and an established Azure Active Directory environment. Your company would like users to be automatically signed in to cloud apps when they are on their corporate desktops that are connected to the corporate network. You need to enable single sign-on for company users.
→ Configure the Azure AD Connect server to use password hash synchronization and select the enable single sign-on option. Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components. Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods.

  • AAD Connect Health: Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible.
    The following tutorial will walk you through setting up password hash sync as a backup and fail-over for AD FS (AD FS provides simple and secure identity federation and web single sign-on (SSO) capabilities).

External Identities

  • Adding Guest Users to Azure AD(Azure AD B2B)
    → Azure Active Directory B2B uses guest users.

Azure Dynamic Users

In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users.

When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group.
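Added example (not Azure AD's rule engine) of how an attribute-based rule such as `(user.department -eq "Sales") and (user.accountEnabled -eq true)` is evaluated, and how memberships are recomputed when an attribute changes. The supported operator subset, the precedence order (not, then and, then or) and case-insensitive string comparison are assumptions of this implementation; the users and rules are constructed.

```python
"""Evaluator for attribute-based dynamic group membership rules (added example;
not Azure AD's engine). Supports: user.<property> {-eq,-ne,-contains,-notContains,
-startsWith,-match} <literal>, combined with and / or / not and parentheses.
"""
import re

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')


def lookup(user: dict, prop: str):
    """user.department -> user["department"]; a missing attribute evaluates as null."""
    name = prop.split(".", 1)[1] if prop.lower().startswith(("user.", "device.")) else prop
    for key, value in user.items():
        if key.lower() == name.lower():
            return value
    return None


def norm(v):
    return v.lower() if isinstance(v, str) else v


def compare(actual, op, expected) -> bool:
    if op == "-eq":
        return norm(actual) == norm(expected)
    if op == "-ne":
        return norm(actual) != norm(expected)
    both_str = isinstance(actual, str) and isinstance(expected, str)
    if op == "-contains":
        return both_str and expected.lower() in actual.lower()
    if op == "-notcontains":
        return not (both_str and expected.lower() in actual.lower())
    if op == "-startswith":
        return both_str and actual.lower().startswith(expected.lower())
    if op == "-match":                      # regular-expression match
        return both_str and re.search(expected, actual, re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator {op}")


class RuleParser:
    """Recursive descent: expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | '(' expr ')' | property operator literal."""

    def __init__(self, rule: str, user: dict):
        self.tokens, self.pos, self.user = TOKEN.findall(rule), 0, user

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while (self.peek() or "").lower() == "or":
            self.take()
            rhs = self.term()               # always evaluate so the tokens are consumed
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while (self.peek() or "").lower() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        if tok.lower() == "not":
            self.take()
            return not self.factor()
        if tok == "(":
            self.take()
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        prop, op, lit = self.take(), self.take().lower(), self.take()
        if lit.startswith('"'):
            literal = lit[1:-1]
        elif lit.lower() in ("true", "false", "null"):
            literal = {"true": True, "false": False, "null": None}[lit.lower()]
        else:
            raise ValueError(f"unsupported literal {lit}")
        return compare(lookup(self.user, prop), op, literal)


def evaluate_rule(rule: str, user: dict) -> bool:
    parser = RuleParser(rule, user)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()}")
    return bool(result)


def compute_memberships(group_rules: dict, users: dict) -> dict:
    """Re-evaluate every rule against every user, as happens after an attribute change."""
    return {group: {name for name, attrs in users.items() if evaluate_rule(rule, attrs)}
            for group, rule in group_rules.items()}
```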

design an authorization flow for the SaaS application

  • To access the back-end web API, the web app must authenticate by using OAuth 2.0 bearer tokens. → Access token issued by Azure AD
  • The web app must authenticate by using the identities of individual users. → Authorization decisions made by the web API
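The bearer-token checks a web API performs before it makes its own authorization decision, as an added example that is not the Microsoft identity platform's code. So that the block runs offline, the token is signed with HMAC-SHA256 under a shared key that stands in for the issuer; Azure AD access tokens are RS256-signed and would be verified against the issuer's published signing keys instead, but the claim checks (aud, iss, exp, nbf, scp) are the same. The audience, issuer, key and user values are constructed.

```python
"""Bearer-token validation and scope check for a web API (added example; not the
Microsoft identity platform libraries). HS256 under a shared key stands in for
the issuer's RS256 signature so the flow runs offline.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in issuer (assumed): compact JWS, HS256 over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def validate_access_token(token: str, key: bytes, audience: str, issuer: str, now=None) -> dict:
    """Verify the signature first, then the claims that bind the token to this API and to now."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":           # never accept "none" or an unexpected algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise TokenError("token was issued for a different audience")
    if claims.get("iss") != issuer:
        raise TokenError("untrusted issuer")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


def handle_request(auth_header, key, audience, issuer, required_scope, now=None):
    """Returns (http_status, body): 401 when the token is unusable, 403 when it is
    valid but lacks the scope, 200 with the caller identity otherwise."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = validate_access_token(auth_header[len("Bearer "):], key, audience, issuer, now)
    except TokenError as err:
        return 401, {"error": str(err)}
    # Delegated permissions arrive space-separated in "scp" (app-only ones in "roles").
    scopes = set(claims.get("scp", "").split())
    if required_scope not in scopes:
        return 403, {"error": f"scope {required_scope} required"}
    return 200, {"caller": claims.get("preferred_username"), "scopes": sorted(scopes)}
```

The audience check is the one most often skipped: a token the user legitimately obtained for a different API validates cryptographically but must still be rejected, because its scopes were consented for that other API.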

resource locks on the resource groups

Resource locks prevent changes from being made to resources
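The RBAC section and the resource-lock note above, worked as one added example that is not Azure's authorization service: role definitions with Actions and NotActions, inheritance of assignments and locks down the scope hierarchy, and the check that a CanNotDelete lock blocks deletion even for an Owner (the network team from the earlier note gets Network Contributor, which manages virtual networks but not role assignments). The role definitions are an abridged subset of the built-in roles, and the scopes, principal names and custom role are constructed.

```python
"""Azure RBAC-style authorization with scope inheritance, NotActions and resource
locks (added example; not Azure's authorization service). Role definitions are an
abridged subset of the built-in roles; scopes and names are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Network Contributor": {"actions": ["Microsoft.Network/*",
                                        "Microsoft.Authorization/*/read",
                                        "Microsoft.Resources/deployments/*"],
                            "notActions": []},
    # Constructed custom role for staff who deploy templates that reference Key Vault
    # secrets but must not read the secrets themselves.
    "Template Deployer": {"actions": ["Microsoft.KeyVault/vaults/deploy/action"],
                          "notActions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str          # e.g. "/subscriptions/sub1/resourceGroups/rg1"


@dataclass(frozen=True)
class ResourceLock:
    scope: str
    level: str          # "CanNotDelete" or "ReadOnly"


def matches(pattern: str, action: str) -> bool:
    # Action strings compare case-insensitively and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def covers(parent_scope: str, resource_scope: str) -> bool:
    # Assignments and locks are inherited by every child scope.
    return (resource_scope.lower() + "/").startswith(parent_scope.lower().rstrip("/") + "/")


def role_allows(role: str, action: str) -> bool:
    definition = ROLES[role]
    return (any(matches(p, action) for p in definition["actions"])
            and not any(matches(p, action) for p in definition["notActions"]))


def is_authorized(principal, action, resource_scope, assignments, locks=()):
    """Returns (allowed, reason): some inherited assignment must grant the action,
    and no inherited lock may block it. Locks apply regardless of role."""
    granting = [a for a in assignments
                if a.principal == principal and covers(a.scope, resource_scope)
                and role_allows(a.role, action)]
    if not granting:
        return False, "no role assignment grants this action at this scope"
    operation = action.lower().rsplit("/", 1)[-1]
    for lock in locks:
        if not covers(lock.scope, resource_scope):
            continue
        if lock.level == "CanNotDelete" and operation == "delete":
            return False, f"CanNotDelete lock at {lock.scope}"
        if lock.level == "ReadOnly" and operation in ("delete", "write", "action"):
            return False, f"ReadOnly lock at {lock.scope}"
    return True, f"{granting[0].role} at {granting[0].scope}"
```

Removing the lock first needs `Microsoft.Authorization/locks/delete`, which is why a lock set at the subscription level protects a resource group from an administrator who can otherwise delete everything under it.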

Regional Compliance (legal compliance)

Azure Resource Policy Definitions can be used which can be applied to a specific Resource Group with the App Service instances.

The Regulatory compliance dashboard in Azure Security Center.

In the Azure Security Center regulatory compliance blade, you can get an overview of key portions of your compliance posture with respect to a set of supported standards.

Example)

Applications must authenticate only when running on the 10 virtual machines, and administrative effort must be minimized.

  • To provision the Azure AD identity: Create a system-assigned Managed Service Identity
  • To authenticate request a token by using: an Azure instance Metadata Service Identity.
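Requesting a managed-identity token from the Azure Instance Metadata Service, as an added example that is not the azure-identity client library; it also serves the managed-identity section above. The endpoint, api-version, query parameters and the required Metadata: true header follow the documented IMDS contract; the transport is injected so the flow runs offline against a constructed fake, and the client_id and token values are placeholders.

```python
"""Managed-identity token acquisition from the Azure Instance Metadata Service
(added example; not the azure-identity library). The request shape follows the
documented IMDS contract; the transport is injected so it runs offline.
"""
import time
from urllib.parse import parse_qs, urlencode, urlparse

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_token_request(resource: str, client_id: str = None, api_version: str = "2018-02-01") -> dict:
    """A system-assigned identity needs only the resource; a user-assigned one is
    selected with client_id (the VM may carry several)."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return {"method": "GET",
            "url": f"{IMDS_TOKEN_URL}?{urlencode(params)}",
            "headers": {"Metadata": "true"},   # mandatory; IMDS rejects requests without it
            "allow_redirects": False}          # the endpoint must never be reached via a redirect


class ManagedIdentityTokenCache:
    """Caches one token per (resource, identity) and refreshes before expires_on."""

    def __init__(self, transport, clock=time.time, refresh_margin=300):
        self._transport = transport        # callable(request_dict) -> (status, json_dict)
        self._clock = clock
        self._margin = refresh_margin
        self._tokens = {}

    def get_token(self, resource: str, client_id: str = None) -> str:
        cached = self._tokens.get((resource, client_id))
        if cached and self._clock() < cached["expires_on"] - self._margin:
            return cached["access_token"]
        status, body = self._transport(build_token_request(resource, client_id))
        if status != 200:
            raise RuntimeError(f"IMDS returned {status}: {body}")
        # IMDS reports expires_on as a string of Unix seconds.
        token = {"access_token": body["access_token"], "expires_on": int(body["expires_on"])}
        self._tokens[(resource, client_id)] = token
        return token["access_token"]


class FakeImds:
    """Constructed stand-in for 169.254.169.254 so the flow can run offline.
    Token strings are placeholders, not real credentials."""

    def __init__(self, clock):
        self._clock = clock
        self.calls = 0

    def __call__(self, request):
        self.calls += 1
        if request["headers"].get("Metadata") != "true":
            return 400, {"error": "Required metadata header not specified"}
        resource = parse_qs(urlparse(request["url"]).query)["resource"][0]
        return 200, {"access_token": f"constructed-token-{self.calls}",
                     "expires_on": str(int(self._clock()) + 3600),
                     "resource": resource, "token_type": "Bearer"}
```

Caching matters beyond performance: IMDS throttles callers, and an application that asks for a fresh token on every request can lock itself out.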

Azure Active Directory admin center

The app must be registered. You can register the application in the Azure Active Directory admin center.

The Azure AD access reviews feature has an API in the Microsoft Graph endpoint.

You can register an Azure AD application and set it up with permissions to call the access reviews API in Graph, using delegated permissions.

2. Security for Applications

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. Key Vault service supports two types of containers: vaults and managed HSM pools. Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys.

Source: Azure

Client Library

The client libraries for Azure Key Vault allow programmatic access to Key Vault functionality from a variety of languages, including .NET, Python, Java, and JavaScript.

Storage

An Azure storage account uses credentials comprising an account name and a key. The key is auto-generated and serves as a password, rather than as a cryptographic key. Key Vault manages storage account keys by periodically regenerating them in the storage account and provides shared access signature tokens for delegated access to resources in your storage account.

You need to design a solution for securing access to the historical transaction data.
→ The Azure Cosmos DB account is used to: create users and generate resource tokens
(a resource token and an Access Control (IAM) role assignment)
→ The .NET web service will be used to: request resource tokens and perform authentication
The Access control (IAM) pane in the Azure portal is used to configure role-based access control on Azure Cosmos resources. The roles are applied to users, groups, service principals, and managed identities in Active Directory. You can use built-in roles or custom roles for individuals and groups. The following screenshot shows Active Directory integration (RBAC) using access control (IAM) in the Azure portal.

Shared Access Signature
→ solution to enable access to the blobs only during a certain period.

Integration

Azure Pipelines, App Services

Azure Sentinel

security analytics: Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

→ Collect data at cloud scale
→ Detect previously undetected threats
→ Investigate threats with artificial intelligence
→ Respond to incidents rapidly

Use the investigation map, drill down into the incident, and look for user entities affected by the alert. : Use entities to view users that might have been in the path of a particular threat or malicious activity.

Create a Log Analytics workspace, and then add that workspace to Azure Sentinel.

Encrypting data at rest for the database

  • Transparent data encryption: encrypting data at rest for the database
    Azure Storage uses server-side encryption (SSE) to automatically encrypt your data when it is persisted to the cloud. Azure Storage encryption protects your data and helps you meet your organizational security and compliance commitments.
  • Always Encrypted: the data is always stored ‘encrypted’.
    Always Encrypted is a data encryption technology that helps protect sensitive data at rest on the server, during movement between client and server, and while the data is in use. Always Encrypted ensures that sensitive data never appears as plaintext inside the database system. After you configure data encryption, only client applications or app servers that have access to the keys can access plaintext data. For detailed information, see Always Encrypted (Database Engine).
    Always Encrypted with deterministic encryption → protecting the content of the payment processing system.
  • Azure Disk encryption
    All data on the operating system and data disks of the virtual machine is encrypted at rest.
    Disks are encrypted by using cryptographic keys that are secured in an Azure Key Vault. You control these cryptographic keys and can audit their use.
    Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.
    * The use of encryption keys is audited.
    * All the data is encrypted at rest always.
    * You manage the encryption keys, not Microsoft
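Deterministic versus randomized encryption, as an added example that is not Microsoft's Always Encrypted implementation: a toy cipher built from HMAC-SHA256 (so the block runs with the standard library only) shows why a deterministic column supports the server-side equality lookup the payment-processing note relies on, while a randomized column forces the client to decrypt locally, and also why deterministic encryption reveals which rows share a value. Always Encrypted itself uses AEAD_AES_256_CBC_HMAC_SHA256 with the column key protected by a column master key outside the database; the column key and card numbers below are constructed.

```python
"""Deterministic vs randomized column encryption (added example; the cipher is a
TOY built from HMAC-SHA256 and is not Always Encrypted's AES-based scheme).
The property shown is the same: deterministic mode derives the IV from the
plaintext, so equal values give equal ciphertexts the server can match blind.
"""
import hashlib
import hmac
import os


class ToyColumnCipher:
    def __init__(self, column_key: bytes, deterministic: bool):
        def derive(label: bytes) -> bytes:
            return hmac.new(column_key, label, hashlib.sha256).digest()
        self._enc_key, self._mac_key, self._iv_key = derive(b"enc"), derive(b"mac"), derive(b"iv")
        self.deterministic = deterministic

    def _keystream(self, iv: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        # Deterministic: IV is a keyed function of the plaintext. Randomized: fresh IV each time.
        if self.deterministic:
            iv = hmac.new(self._iv_key, plaintext, hashlib.sha256).digest()[:16]
        else:
            iv = os.urandom(16)
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(iv, len(plaintext))))
        tag = hmac.new(self._mac_key, iv + body, hashlib.sha256).digest()   # integrity tag
        return iv + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._mac_key, iv + body, hashlib.sha256).digest()):
            raise ValueError("ciphertext tampered")
        return bytes(c ^ k for c, k in zip(body, self._keystream(iv, len(body))))


# --- database side: sees only ciphertext and holds no key -------------------------
def server_equality_lookup(rows, encrypted_value):
    """The only predicate the server can evaluate on an encrypted column: byte equality."""
    return [row_id for row_id, blob in rows if blob == encrypted_value]


# --- client driver side: holds the column key ------------------------------------
def insert_rows(cipher, cards):
    return [(row_id, cipher.encrypt(card.encode())) for row_id, card in cards]


def find_card(cipher, rows, card):
    """Encrypt the parameter client-side and push the equality predicate to the server."""
    return server_equality_lookup(rows, cipher.encrypt(card.encode()))


def find_card_client_side(cipher, rows, card):
    """Fallback for randomized columns: fetch rows and decrypt locally."""
    return [row_id for row_id, blob in rows if cipher.decrypt(blob) == card.encode()]
```

The trade-off visible in the test data: with deterministic encryption the server can answer `WHERE card = @p` without the key, but it can also see that rows 1 and 3 hold the same card, which is why low-entropy columns (country, status) are better left randomized.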

Regarding SQL access

  • Azure storage encryption: storage account encryption. SQL server
  • SSL certificates: authentication of the server and not for encryption of data.
  • SQL Database Dynamic data masking
    It limits sensitive data exposure by masking it to non-privileged users. It helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It’s a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed.
  • Pass-through Authentication
    The feature is an alternative to Azure AD Password Hash Synchronization, which provides the same benefit of cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies can choose to use Pass-through Authentication instead.

Restricts user access to each database

  • Configure user access: Transact-SQL
  • Configure database-level firewall rules: Azure PowerShell

Assessment tool → Compute and Storage costs

An assessment includes information about whether the on-premises VMs are compatible with Azure, what the right VM size for running the VM in Azure would be, and the estimated monthly Azure costs.

Azure Policy

After you enable this policy, that policy is applied when you create new virtual machines or resize existing ones. Azure Policy also evaluates any current virtual machines in your environment.
→ to ensure that the team deploys only cost-effective virtual machine SKU sizes

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules.

Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.

  • effect to use: Modify is used to add, update, or remove properties or tags on a resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations.

Example) You need to recommend a solution to automatically recreate the alerts in the new Azure subscriptions that are added to the Enterprise Agreement.

Azure Tag

  • Not all resources support tags, so you will want to confirm that your resource type supports them.
  • Tags are not inherited. Tags need to be applied to every supported resource that you want tagged.

Resource groups

  • Resource groups can not be nested.
  • Resources can be moved from one resource group to another resource group.
  • Resources can be in only one resource group.
  • Using tags to store environment and department association
  • Using tags in conjunction with Azure Automation to schedule maintenance windows
  • Using tags to associate a cost center with resources for internal chargeback
  • the most efficient way to ensure a naming convention: Create a policy with your naming requirements and assign it to the scope of your subscription
  • resource lock example: An ExpressRoute circuit with connectivity back to your on-premises network

Things to know

when a department reaches its spending limit, the compute resources of the department shut down automatically.
→ Azure Logic Apps, Cost Management budgets

Example)

The users will access the applications in Azure by using a point-to-site VPN connection. You will use certificates generated from an on-premises-based certification authority (CA).

→ trusted root certification authorities certificate store on each laptop : A root CA certificate that has the public key.
→ Azure VPN gateway: A root CA certificate that has the public key.
→ the users’ personal store on each laptop: a user certificate that has the public key.

on-premises Active Directory forest

integrate on-premise & azure → ensure that group owners are emailed monthly about the group memberships they manage: Azure AD Access Reviews

Example)

The on-premises Active Directory domain syncs to Azure Active Directory (Azure AD). You plan to migrate Server1 to a virtual machine in Subscription1. A company security policy states that the virtual machines and services deployed to Subscription1 must be prevented from accessing the on-premises network. You need to recommend a solution to ensure that App1 continues to function after the migration. The solution must meet the security policy. → Azure AD Application Proxy

Registration

There are several components that make up the Microsoft identity platform:

OAuth 2.0 and OpenID Connect standard-compliant authentication service. Application management portal: a registration and configuration experience in the Azure portal, along with the other Azure management capabilities.

You register an application using the App registrations experience in the Azure portal so that your app can be integrated with the Microsoft identity platform and call Microsoft Graph.
You need to recommend a solution to allow users from west.contoso.com to authenticate to App1.

Azure Active Directory (AD) provides cloud-based directory and identity management services. You can use Azure AD to manage users of your application and authenticate access to your applications using Azure Active Directory. You register your application with the Azure Active Directory tenant.
