Microsoft Identity platform Cheatsheet

By Saeed Salehi

5 min read

Authors

Part of series

Developing Solutions for Microsoft Azure (AZ-204) certification exam Cheatsheets

  1. Part 1:

    Introduction to (AZ-204) certification exam Cheatsheets

  2. Part 2:

    Implement IaaS in Azure Cheatsheets

  3. Part 3:

    Azure Functions Cheatsheets

  4. Part 4:

    Azure App Service Cheatsheets

  5. Part 5:

    Develop solutions that use Blob storage Cheatsheets

  6. Part 6:

    Develop solutions that use Azure Cosmos DB Cheatsheets

  7. Part 7:

    Implement Azure Security Cheatsheet

  8. Part 8:

    Microsoft Identity platform Cheatsheet

  9. Part 9:

    Monitoring And logging in Azure Cheatsheets

  10. Part 10:

    Azure Cache for Redis Cheatsheets

  11. Part 11:

    Develop message-based solutions Cheatsheets

  12. Part 12:

    Develop event-based solutions Cheatsheets

  13. Part 13:

    API Management in Azure Cheatsheets

Service Principals

  • Single tenant: only accessible in your tenant
  • Multi-tenant: accessible in other tenants

Application object

global representation of your application for use across all tenants,

An application object is used as a template or blueprint to create one or more service principal objects.

the application object has some static properties that are applied to all the created service principals (or application instances).

Service principal object

service principal is the local representation for use in a specific tenant.

The security principal defines the access policy and permissions for the user/application in the Azure Active Directory tenant.

Types of service principal:

  • Application - This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory.
  • Managed identity: Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory
  • Legacy - This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences

Relation

An application object has:

  • A 1:1 relationship with the software application,
  • A 1:many relationship with its corresponding service principal object(s).

Permissions and Consent

Implements the OAuth 2.0 authorization protocol. (scope , application ID URI) types of permissions:

  • Delegated permissions are used by apps that have a signed-in user present.

  • Application permissions are used by apps that run without a signed-in user present,like background services or daemons. Only an administrator can consent to application permissions.

Consent types

  • Static user consent
  • Incremental and dynamic user consent
  • Admin consent

Static user consent

In the static user consent scenario, you must specify all the permissions it needs in the app's configuration in the Azure portal. If the user (or administrator, as appropriate) has not granted consent for this app, then Microsoft identity platform will prompt the user to provide consent at this time.

Incremental and dynamic user consent

You can ask for a minimum set of permissions upfront and request more over time as the customer uses additional app features.

Admin consent

Admin consent ensures that administrators have some additional controls before authorizing apps or users to access highly privileged data from the organization.

Requesting individual user consent

OpenID Connect or OAuth 2.0 authorization request, an app can request the permissions it needs by using the scope query parameter. scope parameter is a space-separated list of delegated permissions that

Conditional access

  • Multifactor authentication
  • Allowing only Intune enrolled devices to access specific services
  • Restricting user locations and IP ranges

the following scenarios require code to handle Conditional Access challenges:

  • Apps performing the on-behalf-of flow
  • Apps accessing multiple services/resources
  • Single-page apps using MSAL.js
  • Web apps calling a resource

Microsoft Authentication Library (MSAL)

Authentication flows

Authorization codeNative and web apps securely obtain tokens in the name of the user
Client credentialsService applications run without user interaction
On-behalf-ofThe application calls a service/web API, which in turns calls Microsoft Graph
ImplicitUsed in browser-based applications
Device codeEnables sign-in to a device by using another device that has a browser
Integrated WindowsWindows computers silently acquire an access token when they are domain joined
InteractiveMobile and desktops applications call Microsoft Graph in the name of a user
Username/passwordThe application signs in a user by using their username and password

Categories:

  • Public client applications: Are apps that run on devices or desktop computers or in a web browser. They're not trusted to safely keep application secrets, so they only access web APIs on behalf of the user. (They support only public client flows.) they don't have client secrets.

  • Confidential client applications: Are apps that run on servers (web apps, web API apps, or even service/daemon apps). They're considered difficult to access, and for that reason capable of keeping an application secret. Confidential clients can hold configuration-time secrets

client applications

IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId).Build();

string redirectUri = "https://myapp.azurewebsites.net";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithClientSecret(clientSecret)
    .WithRedirectUri(redirectUri )
    .Build();

Modifiers common to public and confidential client applications

ModifierDescription
.WithAuthority()Sets the application default authority to an Azure Active Directory authority, with the possibility of choosing the Azure Cloud, the audience, the tenant (tenant ID or domain name), or providing directly the authority URI.
.WithTenantId(string tenantId)Overrides the tenant ID, or the tenant description.
.WithClientId(string)Overrides the client ID.
.WithRedirectUri(string redirectUri)Overrides the default redirect URI. In the case of public client applications, this will be useful for scenarios requiring a broker.
.WithComponent(string)Sets the name of the library using MSAL.NET (for telemetry reasons).
.WithDebugLoggingCallback()If called, the application will call Debug.Write simply enabling debugging traces.
.WithLogging()If called, the application will call a callback with debugging traces.
.WithTelemetry(TelemetryCallback telemetryCallback)Sets the delegate used to send telemetry.

Modifiers specific to confidential client applications

ModifierDescription
.WithCertificate(X509Certificate2 certificate)Sets the certificate identifying the application with Azure Active Directory.
.WithClientSecret(string clientSecret)Sets the client secret (app password) identifying the application with Azure Active Directory.

Sample Code:

private const string _clientId = "APPLICATION_CLIENT_ID";
        private const string _tenantId = "DIRECTORY_TENANT_ID";

        public static async Task Main(string[] args)
        {
            var app = PublicClientApplicationBuilder
                .Create(_clientId)
                .WithAuthority(AzureCloudInstance.AzurePublic, _tenantId)
                .WithRedirectUri("http://localhost")
                .Build();
            string[] scopes = { "user.read" };
            AuthenticationResult result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();

            Console.WriteLine($"Token:\t{result.AccessToken}");
        }

Shared Access Signatures (SAS)

A shared access signature (SAS) is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters.

Types of shared access signatures

  • User delegation SAS: A user delegation SAS is secured with Azure Active Directory credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

  • Service SAS: A service SAS is secured with the storage account key. A service SAS delegates access to a resource in the following Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

  • Account SAS: An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

Creating a stored access policy

az storage container policy create \
    --name <stored access policy identifier> \
    --container-name <container name> \
    --start <start time UTC datetime> \
    --expiry <expiry time UTC datetime> \
    --permissions <(a)dd, (c)reate, (d)elete, (l)ist, (r)ead, or (w)rite> \
    --account-key <storage account key> \
    --account-name <storage account name> \

Upcoming events

  • Drupal CMS Launch Party

    Zoals sommigen misschien weten wordt op 15 Januari een nieuwe distributie van Drupal gelanceerd. Namelijk Drupal CMS (ook wel bekend als Starshot). Om dit te vieren gaan we op onze campus een klein eventje organiseren. We gaan die dag samen de livestream volgen waarbij het product gelanceerd wordt. De agenda is als volgt: 17u – 18u30: Drupal CMS livestream met taart 18u30 – 19u00: Versteld staan van de functionaliteiten 19u – 20u: Pizza eten en verder versteld staan van de functionaliteiten Laat ons zeker weten of je komt of niet door de invite te accepteren! Tot dan!

    | Coven of Wisdom Herentals

    Go to page for Drupal CMS Launch Party

  • Coven of Wisdom - Herentals - Winter `24 edition

    Worstelen jij en je team met het bouwen van schaalbare digitale ecosystemen of zit je vast in een props hell met React of in een ander framework? Kom naar onze meetup waar ervaren sprekers hun inzichten en ervaringen delen over het bouwen van robuuste en flexibele applicaties. Schrijf je in voor een avond vol kennis, heerlijk eten en een mix van creativiteit en technologie! 🚀 18:00 – 🚪 Deuren open 18:15 – 🍕 Food & drinks 19:00 – 📢 Building a Mature Digital Ecosystem - Maarten Heip 20:00 – 🍹 Kleine pauze 20:15 – 📢 Compound Components: A Better Way to Build React Components - Sead Memic 21:00 – 🙋‍♀️ Drinks 22:00 – 🍻 Tot de volgende keer? Tijdens deze meetup gaan we dieper in op het bouwen van digitale ecosystemen en het creëren van herbruikbare React componenten. Maarten deelt zijn expertise over het ontwikkelen van een volwassen digitale infrastructuur, terwijl Sead je laat zien hoe je 'From Props Hell to Component Heaven' kunt gaan door het gebruik van Compound Components. Ze delen praktische inzichten die je direct kunt toepassen in je eigen projecten. 📍 Waar? Je vindt ons bij iO Herentals - Zavelheide 15, Herentals. Volg bij aankomst de borden 'meetup' vanaf de receptie. 🎫 Schrijf je in! De plaatsen zijn beperkt, dus RSVP is noodzakelijk. Dit helpt ons ook om de juiste hoeveelheid eten en drinken te voorzien - we willen natuurlijk niet dat iemand met een lege maag naar huis gaat! 😋 Over iO Wij zijn iO: een groeiend team van experts die end-to-end-diensten aanbieden voor communicatie en digitale transformatie. We denken groot en werken lokaal. Aan strategie, creatie, content, marketing en technologie. In nauwe samenwerking met onze klanten om hun merken te versterken, hun digitale systemen te verbeteren en hun toekomstbestendige groei veilig te stellen. We helpen klanten niet alleen hun zakelijke doelen te bereiken. Samen verkennen en benutten we de eindeloze mogelijkheden die markten in constante verandering bieden. De springplank voor die visie is talent. Onze campus is onze broedplaats voor innovatie, die een omgeving creëert die talent de ruimte en stimulans geeft die het nodig heeft om te ontkiemen, te ontwikkelen en te floreren. Want werken aan de infinite opportunities van morgen, dat doen we vandaag.

    | Coven of Wisdom Herentals

    Go to page for Coven of Wisdom - Herentals - Winter `24 edition

  • The Test Automation Meetup

    PLEASE RSVP SO THAT WE KNOW HOW MUCH FOOD WE WILL NEED Test automation is a cornerstone of effective software development. It's about creating robust, predictable test suites that enhance quality and reliability. By diving into automation, you're architecting systems that ensure consistency and catch issues early. This expertise not only improves the development process but also broadens your skillset, making you a more versatile team member. Whether you're a developer looking to enhance your testing skills or a QA professional aiming to dive deeper into automation, RSVP for an evening of learning, delicious food, and the fusion of coding and quality assurance! 🚀🚀 18:00 – 🚪 Doors open to the public 18:15 – 🍕 Let’s eat 19:00 – 📢 First round of Talks 19:45 – 🍹 Small break 20:00 – 📢 Second round of Talks 20:45 – 🍻 Drinks 21:00 – 🙋‍♀️ See you next time? First Round of Talks: The Power of Cross-browser Component Testing - Clarke Verdel, SR. Front-end Developer at iO How can you use Component Testing to ensure consistency cross-browser? Overcoming challenges in Visual Regression Testing - Sander van Surksum, Pagespeed | Web Performance Consultant and Sannie Kwakman, Freelance Full-stack Developer How can you overcome the challenges when setting up Visual Regression Testing? Second Round of Talks: Omg who wrote this **** code!? - Erwin Heitzman, SR. Test Automation Engineer at Rabobank How can tests help you and your team? Beyond the Unit Test - Christian Würthner, SR. Android Developer at iO How can you do advanced automated testing for, for instance, biometrics? RSVP now to secure your spot, and let's explore the fascinating world of test automation together!

    | Coven of Wisdom - Amsterdam

    Go to page for The Test Automation Meetup

Share

Jobs

Backend Developer

Brussel, Brussels Hoofdstedelijk Gewest, België

Senior Web Developer

Sofia, Sofia, Bulgarije

Senior Optimizely Developer

Campus onafhankelijk, Vlaams Gewest, België

.Net Developer

Antwerpen, Vlaams Gewest, België

View all jobs