Saturday, September 2, 2017

AZURE 70-534 Exam Notes and Cheat Sheet - Part 2 (Securing Resources)

Quick Summary 

The primary objective of this page is to summarize the key data points of all the security options available in Azure infrastructure, as per AZURE 70-534 Exam Objective II (Securing Resources). Use this page as a quick refresher or cheat sheet, but in no way as a replacement for the actual exam study guide or course.

This post is part of a multi-part series; I will keep posting the other parts as they progress.

On Premise Active Directory (Core Concepts)

  1. Key concepts of on-premises Active Directory
    1. Forest
      1. At its highest level, a forest is a single instance of Active Directory. A forest is therefore synonymous with Active Directory: the set of all directory partitions in a particular Active Directory instance (all domain, configuration, schema and optional application partitions) makes up a forest.
      2. When an enterprise has multiple forests they act, by default, separately from each other, as if each were the only directory service in the organization. The forest is the security boundary.
    2. Domain
      1. A domain is a partition in an Active Directory forest. Partitioning data lets an organization replicate data only to where it is needed, so the directory can scale globally over a network with limited available bandwidth.
      2. Within the scope of a forest, a domain is also a container: objects in that container inherently trust each other and the security services (domain controllers) located in the same container.
    3. Site
      1. Within the scope of a forest, sites are a representation of the physical network topology, defined in terms of physical subnets and site definitions.
      2. Replication of updates to domain data occurs between multiple domain controllers to keep replicas synchronized. Multiple domains are common in large organizations, as are multiple sites in separate locations.
      3. Domain controllers for the same domain are commonly placed in more than one site.
    4. Organizational unit (OU): a container within a domain used to group objects, delegate administration and apply Group Policy.
    5. Schema
      1. The schema partition contains the forest-wide schema. Each forest has one schema, so the definition of each object class is consistent across the forest.
      2. The schema is the formal definition of all object classes and attributes that can be stored in the directory.
      3. The schema partition is replicated to every domain controller in the forest.
    6. Attributes: the individual properties (for example userPrincipalName, mail, memberOf) that the schema defines for each object class.
    7. Read more at MSDN

Azure AD Graph API 

  1. OData 3.0 service with a REST endpoint for CRUD operations on Azure AD objects
  2. The same capability is also exposed through Microsoft Graph, the single API endpoint for all Microsoft cloud services: https://developer.microsoft.com/en-us/graph/
  3. Microsoft Graph is the unified API for all Microsoft services, including Outlook, OneNote, etc.
  4. Accessible through a single endpoint with a single access token
  5. Key scenarios for using the Azure AD Graph API
    1. List AD objects and their properties, e.g. users
    2. Group and role queries
    3. Set passwords
    4. Add and remove users, etc.
  6. Each Azure AD Graph API request must carry a bearer token issued by Azure AD in the Authorization header
  7. Endpoint addressing is https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}, e.g. https://graph.windows.net/contoso.onmicrosoft.com/users?api-version=1.6
    1. https://graph.windows.net/ is called the service root
    2. The api-version query parameter is mandatory
    3. tenant_id can be any of the following
      1. The GUID associated with your tenant
      2. One of your registered (verified) domain names
      3. The myorganization alias (the tenant the token was issued for)
      4. The me alias, which is only available with a delegated (user) token, not with an app-only token
    4. API versions are
      1. "beta"
      2. "1.6"
      3. "1.5"
      4. "2013/11/08"
      5. "2013/04/05"
    5. The Graph Explorer tool can be used to try out queries
  8. Detailed documentation @ MSDN

OAuth Protocol 

An open standard for delegated authorization: the client application receives a token scoped to a resource instead of handling the user's credentials (Quick Overview Here ...)
  1. Azure AD uses OAuth 2.0
  2. Authorization Code Grant Flow - TBD
  3. Refresh token: a long-lived token used to acquire a new access token without prompting the user again
  4. Azure AD supports multi-resource refresh tokens: one refresh token can be redeemed for access tokens to different resources
  5. Client Credentials Grant Flow: allows a web service to authenticate with its own credentials instead of impersonating a user; used for service-to-service calls
  6. Best practices
    1. Use the state parameter, bound to the user's session, so the authorization response can be checked against the request that started it (prevents CSRF, i.e. an attacker's authorization code being injected into another user's session)
    2. Cache access tokens only for the token lifetime, and discard the cached token as soon as the resource returns an invalid-token error

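The two best practices above, as an added example that is not part of the original post: a state value generated per login, stored in the session and checked with a constant-time comparison on the redirect back, plus a token cache that serves a token only while it is unexpired and drops it on an invalid-token error. The authorize path follows the Azure AD v1 endpoint (login.microsoftonline.com/{tenant}/oauth2/authorize, which takes a resource rather than a scope); the tenant, client id and redirect URI are placeholders.

```python
"""Authorization-code flow client helpers for Azure AD (OAuth 2.0).

Added example, not code from the original post. The session is modelled as a
plain dict; a real app would use its framework's server-side session store.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"   # Azure AD v1 endpoint authority


def build_authorize_url(tenant, client_id, redirect_uri, resource, session):
    """Return the authorize URL and bind a fresh state value to the caller's session."""
    state = secrets.token_urlsafe(32)               # 256 bits of randomness per login attempt
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,                       # v1 endpoint: resource URI, not scope
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, session):
    """Validate the redirect back from Azure AD and return the authorization code.

    Raises ValueError when the state is missing or does not match the one bound
    to this session: that is the CSRF case, where an attacker tries to get their
    own authorization code redeemed inside the victim's session.
    """
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)     # one-shot: a state is never reused
    received = qs.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise ValueError("state mismatch: possible CSRF, rejecting authorization response")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if "code" not in qs:
        raise ValueError("authorization response carries no code")
    return qs["code"][0]


class TokenCache:
    """Cache access tokens per resource for their lifetime only."""

    def __init__(self, skew_seconds=60, now=time.time):
        self._tokens = {}                           # resource -> (access_token, expires_at)
        self._skew = skew_seconds                   # refresh a little before real expiry
        self._now = now                             # injectable clock, for testing

    def put(self, resource, access_token, expires_in):
        """expires_in is the lifetime in seconds from the token response."""
        self._tokens[resource] = (access_token, self._now() + expires_in)

    def get(self, resource):
        """Return a cached token, or None when there is none or it is (nearly) expired."""
        entry = self._tokens.get(resource)
        if entry is None:
            return None
        token, expires_at = entry
        if self._now() + self._skew >= expires_at:
            del self._tokens[resource]
            return None
        return token

    def invalidate(self, resource):
        """Call this when the resource answers 401 invalid_token; forces a fresh token."""
        self._tokens.pop(resource, None)
```

The session entry is popped, not read, so a captured state cannot be replayed against the same session; the cache treats a token that expires within the skew window as already expired, which avoids sending a request that will fail at the edge of the lifetime.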
Open ID Connect

  1. An authentication protocol that allows SSO with Azure AD
  2. Azure AD supports OpenID Connect 1.0
  3. It extends the OAuth 2.0 protocol with authentication (an authorization protocol on its own does not tell the application who the user is)
  4. Returns an id_token, a signed JWT whose claims the application validates in order to authenticate the user

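Both the bearer token sent to the Graph API (item 6 in the Graph API section) and the id_token returned by OpenID Connect are JWTs, and neither should be trusted before its signature and claims are checked. The following is an added example, not code from the original post: it verifies the signature, expiry and not-before, then checks issuer, audience and nonce for an id_token, and checks that an access token was actually issued for the Graph resource. Azure AD signs with RS256 using keys published in its OpenID discovery document; to run offline this example signs with HS256 and a shared secret instead, the claim checks being identical. The tenant GUID, client id and nonce are made up; the issuer format https://sts.windows.net/{tenant}/ and the Graph audience https://graph.windows.net are the Azure AD v1 values.

```python
"""Validate Azure AD tokens before using them (added example, not from the post)."""
import base64
import hashlib
import hmac
import json
import time

GRAPH_AUDIENCE = "https://graph.windows.net"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret):
    """Build a compact HS256 JWT (stand-in for Azure AD's RS256 signing)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token, secret, now=None):
    """Return the claims if signature, exp and nbf check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never accept 'none' or an unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):           # a missing exp is treated as expired
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def validate_id_token(token, secret, tenant_id, client_id, expected_nonce, now=None):
    """OpenID Connect checks: issued by our tenant, to our app, for the nonce we sent."""
    claims = verify_jwt(token, secret, now)
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        raise ValueError(f"wrong issuer {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        raise ValueError("id_token was not issued to this application")
    nonce = str(claims.get("nonce", ""))
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: replayed or injected id_token")
    return claims


def usable_for_graph(token, secret, now=None):
    """True only if this bearer token is valid and was issued for the Azure AD Graph resource."""
    try:
        claims = verify_jwt(token, secret, now)
    except ValueError:
        return False
    return str(claims.get("aud", "")).rstrip("/") == GRAPH_AUDIENCE
```

The audience check is what stops an id_token (aud = your client id) or a token for some other API from being replayed against the Graph API; the nonce check ties an id_token to the specific sign-in request that asked for it.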
Azure AD Connect 

  1. This is the latest tool; the older ones, DirSync and Azure AD Sync, are retired
  2. It is the upgraded version of DirSync and Azure AD Sync
  3. It gets installed on an on-premises server that hosts the AD Connect sync role
  4. By default it uses SQL Server Express, but a full SQL Server instance can be used
  5. The Azure AD account used for syncing needs Global Administrator rights
  6. The on-premises AD account used during setup needs Enterprise Administrator rights
  7. Syncing multiple domains and forests
    1. A single Azure AD Connect instance can sync several forests; only one active sync server is allowed per Azure AD tenant
    2. Multiple forests can be synced into one Azure AD directory
    3. Duplicate identities (the same user present in more than one forest) are avoided by specifying the attribute used to match them, e.g. the mail attribute

Azure Access Control Service 

  1. It is a deprecated service for federation and social identity providers
  2. Its functionality has now been merged into Azure Active Directory

Active Directory Federation Services 

  1. ADFS is used when the default Azure AD Connect option (password synchronization) is not enough, e.g. for federated SSO against on-premises credentials
  2. Allows advanced features such as logon-hours policies and extranet soft lockout
  3. Conditional access to resources
  4. When passwords cannot be synchronized to the cloud because of policy
  5. Provides widgets
  6. Domain verification must be completed before the AD Connect setup is started
  7. AD Connect can also be used to set up the Web Application Proxy

Azure B2C (Directory)

  1. Allows and provides integration for social identity providers
  2. Cannot be enabled on an existing Azure AD directory; a new B2C directory must be created
  3. Once a B2C directory is created it cannot be changed into a regular directory (or vice versa)
  4. Azure B2C vs ADFS
    1. B2C is only supported for certain identity providers

Azure Key Vault

  1. It is a key management service that stores encryption keys (and secrets such as passwords and connection strings)
  2. The key owner and the data owner can be different parties: the application uses the key without ever holding it (separation of duties)
  3. Allows creating access policies that limit who can manage keys and who can only use them (e.g. wrap/unwrap, sign)
  4. Supports hardware security modules (HSM-backed keys)
  5. Originally manageable only through PowerShell (portal support was added later)
  6. More than one key vault can be created, e.g. one per application or per environment
  7. A key vault is created in a particular region

Azure Disk Encryption

  1. Supports encryption of OS and data volumes
  2. Uses BitLocker on Windows and DM-Crypt on Linux
  3. A, D and G series VMs are supported
  4. Both the key owner (Key Vault) and the VM workload owner must approve before the VM can use encryption
  5. The key vault and the VM must be in the same region
  6. Supported on server-class Windows and selected Linux distributions
  7. The VM must be able to reach the Azure AD endpoint (login.windows.net) to obtain a token for accessing the key vault
  8. An Azure AD application must be registered and granted access to the key vault; the VM authenticates as that application (client ID plus secret or certificate) to read and write its encryption keys

Client-Side Encryption Library (Azure Storage)

  1. Supports encryption for blobs, tables and queues; blob uploads must be full blobs, while ranged downloads of an encrypted blob are supported
  2. Key Vault can be used to hold the key encryption key, and key rotation is supported
  3. The client library uses AES in Cipher Block Chaining (CBC) mode (AES-CBC-256) to encrypt data
  4. Encryption uses envelope encryption: a random content encryption key (CEK) encrypts the data, the CEK is wrapped with a key encryption key (KEK), and the wrapped CEK together with the IV and key identifier is stored in metadata next to the data
  5. Blob encryption
    1. Only full-blob uploads are supported
  6. Queue encryption
    1. Encryption happens at message level, using an initialization vector (IV) and a CEK per message
  7. Table encryption
    1. Envelope encryption is performed on individual properties
    2. Only string properties can be encrypted
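Envelope encryption and key rotation as described above, as an added example that is not code from the library or from the original post. Each unit (blob, queue message or table property) gets a fresh CEK and IV; the CEK is wrapped under a KEK that only the key owner holds, and the wrapped CEK, IV and key id travel with the ciphertext as metadata. Rotation re-wraps the CEK under a new KEK and never touches the ciphertext. To stay standard-library only, an HMAC-SHA256 counter-mode keystream stands in for AES-CBC and an in-memory dict stands in for Key Vault; the metadata field names are modelled on the library's encryptiondata layout and should be treated as illustrative.

```python
"""Envelope encryption with a wrapped content key (added example, not from the post)."""
import base64
import hashlib
import hmac
import json
import os


def _keystream(key, iv, length):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for AES-CBC, not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor_crypt(key, iv, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


def _wrap_key(kek, cek):
    """Wrap the CEK under the KEK with an integrity tag (mirrors the key-wrap step)."""
    wrap_iv = os.urandom(16)
    ct = _xor_crypt(kek, wrap_iv, cek)
    tag = hmac.new(kek, wrap_iv + ct, hashlib.sha256).digest()
    return wrap_iv + ct + tag


def _unwrap_key(kek, blob):
    wrap_iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, wrap_iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrapped key failed integrity check (wrong KEK or tampered metadata)")
    return _xor_crypt(kek, wrap_iv, ct)


class KeyVaultStub:
    """Stand-in for Key Vault: maps key ids to KEKs that the data owner never sees."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)
        return key_id

    def kek(self, key_id):
        return self._keys[key_id]


def encrypt_envelope(plaintext, key_id, vault):
    """Encrypt one unit (blob, queue message or table property); return ciphertext and metadata JSON."""
    cek = os.urandom(32)          # fresh content encryption key per unit
    iv = os.urandom(16)           # fresh IV per unit (per message for queues)
    ciphertext = _xor_crypt(cek, iv, plaintext)
    encryption_data = {
        "EncryptionMode": "FullBlob",
        "WrappedContentKey": {
            "KeyId": key_id,
            "EncryptedKey": base64.b64encode(_wrap_key(vault.kek(key_id), cek)).decode(),
            "Algorithm": "HMAC-WRAP-STANDIN",        # the library records its real wrap algorithm here
        },
        "EncryptionAgent": {"Protocol": "1.0", "EncryptionAlgorithm": "HMAC-CTR-STANDIN"},
        "ContentEncryptionIV": base64.b64encode(iv).decode(),
    }
    return ciphertext, json.dumps(encryption_data)


def decrypt_envelope(ciphertext, encryption_data_json, vault):
    """Resolve the KEK by KeyId, unwrap the CEK, then decrypt the content."""
    ed = json.loads(encryption_data_json)
    wck = ed["WrappedContentKey"]
    cek = _unwrap_key(vault.kek(wck["KeyId"]), base64.b64decode(wck["EncryptedKey"]))
    return _xor_crypt(cek, base64.b64decode(ed["ContentEncryptionIV"]), ciphertext)


def rotate_kek(encryption_data_json, new_key_id, vault):
    """Key rotation: re-wrap the CEK under a new KEK; the ciphertext is left untouched."""
    ed = json.loads(encryption_data_json)
    wck = ed["WrappedContentKey"]
    cek = _unwrap_key(vault.kek(wck["KeyId"]), base64.b64decode(wck["EncryptedKey"]))
    wck["KeyId"] = new_key_id
    wck["EncryptedKey"] = base64.b64encode(_wrap_key(vault.kek(new_key_id), cek)).decode()
    return json.dumps(ed)


def key_id_of(encryption_data_json):
    return json.loads(encryption_data_json)["WrappedContentKey"]["KeyId"]
```

Two things worth noticing when you run it: the same plaintext encrypts to different ciphertext every time because the CEK and IV are fresh, and after rotation the old KEK is no longer needed for this object even though no data was re-encrypted. Note also that CBC mode on its own provides confidentiality but not integrity; the tag here protects only the wrapped key.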

SQL IaaS (VM) Encryption

  1. A SQL Server instance running on an Azure VM
  2. The VM disks are BitLocker encrypted (Azure Disk Encryption)
  3. Transparent Data Encryption (TDE) has to be turned on per database
  4. Also supports cell-level encryption
  5. With the SQL Server Connector for Azure Key Vault, SQL Server can use Key Vault as its extensible key manager (EKM) for the TDE and cell-level keys
  6. SQL Server (the connector) must be registered as an Azure AD application to be allowed to access the key vault

Azure SQL Encryption 

  1. TDE encrypts the database, its associated backups and its transaction log files at rest
  2. TDE does not require any change to the application and can be enabled either via the portal or via T-SQL

Role Based Access Control (RBAC)

  1. Azure supports role-based access with a defined scope
  2. Scope is the set of resources to which the access applies; an assignment at a scope applies to everything beneath it
  3. Permissions can be assigned at the level of
    1. Subscription
    2. Resource group
    3. Individual resource
      1. Virtual machine
      2. Website
      3. Subnet
  4. Can be configured via the new Azure portal or PowerShell; the classic Azure portal only supports subscription administrators and co-administrators
  5. Resource groups
    1. Each resource group belongs to a single subscription and cannot be shared across subscriptions
    2. Each resource belongs to exactly one resource group
    3. A resource group has a location (where its metadata is stored), but it can contain resources from any region
    4. Only the new portal supports resource groups
  6. Role types
    1. Owner: full access, including the right to grant access to others; generally exists at subscription level
    2. Contributor: can create and manage everything, but cannot delegate (grant access to others)
    3. Reader: read-only access
    4. Many more predefined (built-in) roles are supplied by Azure
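How scope inheritance and the three built-in roles combine, as an added example in plain Python that is not code from the original post or from Azure. An assignment (principal, role, scope) applies to that scope and every scope below it; a role's permission is its Actions minus its NotActions, and NotActions only narrows that one role rather than denying the action outright, so a second assignment can still grant it. The three role definitions are the real built-in ones (Contributor's NotActions are what stop it from delegating); the scope strings, principal names and sample assignments are made up.

```python
"""Azure RBAC scope inheritance and Actions/NotActions evaluation (added example)."""
import re

ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [                       # everything except managing access
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}


def _matches(pattern, action):
    """Azure wildcard: '*' spans '/', so '*/read' matches 'Microsoft.Compute/virtualMachines/read'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_permits(role_name, action):
    """Actions minus NotActions for a single role definition."""
    role = ROLES[role_name]
    if not any(_matches(p, action) for p in role["Actions"]):
        return False
    return not any(_matches(p, action) for p in role["NotActions"])


def _scope_covers(assignment_scope, target_scope):
    """True if target_scope is assignment_scope itself or lies beneath it in the hierarchy."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_allowed(assignments, principal, action, scope):
    """assignments: list of (principal, role_name, scope). Any covering assignment that permits grants."""
    return any(
        p == principal and _scope_covers(s, scope) and role_permits(r, action)
        for p, r, s in assignments
    )


def effective_assignments(assignments, principal, scope):
    """The assignments that apply to this principal at this scope (useful for access reviews)."""
    return [(r, s) for p, r, s in assignments if p == principal and _scope_covers(s, scope)]


# Constructed sample hierarchy: subscription > resource group > resource
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
WEB_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"

SAMPLE_ASSIGNMENTS = [
    ("alice", "Owner", SUB),          # subscription-wide owner
    ("bob", "Contributor", PROD_RG),  # manages one resource group, cannot delegate
    ("carol", "Reader", SUB),         # read-only everywhere...
    ("carol", "Contributor", WEB_VM), # ...plus full management of a single VM
]
```

Run it against the sample: bob inherits VM write in prod-rg but gets nothing in dev-rg and cannot write role assignments anywhere; carol can read the whole subscription yet write only to web01, because the resource-level Contributor assignment adds to, rather than replaces, her subscription-level Reader.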
