AZ-204 Microsoft Azure Developer Associate Topic: Implement Azure Security Part 2
December 16, 2022

11. AZ-203/ 204 – Working with the Key Vault – .Net – Managed Service Identity

Hi, and welcome back. So now let’s look at the programme and see how we can actually get a secret from the keyword using the managed service identity. So this programme is actually going to run on an Azure virtual machine. I’ve already spun up a virtual machine for the purpose. Now, this is the keyword, “Uri.” So I’m not mentioning any client ID or any client secret, just the Uri of the secret, which I need to fetch. That’s it. I then go ahead and create a new token provider.

So in this token provider, it actually goes onto the local metadata for the virtual machine and then generates a token, which can then authenticate itself with the Aze or keyword service. That’s all I have to do. So here I have a virtual machine that’s already in place. Now, for this to work, we have to first determine the identity of the virtual machine. We must ensure that the identity assignment system is operational. And let’s click on “Save.” Let’s click on “yes.” Once this is done, we have to go on to the Azure Keyword service. We have to make sure that we now assign some permissions to the identity that has been assigned to the virtual machine. So let’s go ahead and add an access policy. Let’s move on to securing permissions, which I can get and list. Let’s select the principal.

Let’s now search for our demo VM machines, so we can see that it’s now there. And this is only possible because we have enabled the system identity for the virtual machine. Let me go ahead and hit select. Let me click on “Add” again. Don’t forget to hit the Save button. Right, so that’s done. Now, on this virtual machine, I’ve already gone ahead and copied the binaries for the programme that I just showed you. So if I just run the application, I can see I’m getting the output I desired. So in this code, we didn’t add any client IDs or client secrets. The identity is automatically authenticating itself with the Azure Keywall service. It gets the access token. This programme is automatically being authenticated because the system-managed identity that is assigned to the virtual machine has now authenticated itself using an access token on the Azure Keyword service. Right. So this marks the end of this lab.

12. AZ-203/ 204 – Lab – Managed Service Identity – Azure Web App

Hi, and welcome back. Now, in an earlier chapter, we had seen how we could use the managed service identity on a virtual machine. We then had code that would run on the server, and that code would basically get a token. And then, using that managed service identity, the virtual machine will authenticate itself on the Azure Keyword Service and retrieve a secret. Now, let’s do the same thing, but this time, let’s use an Azure Web App.

So let’s use the Azure App Service. So over here, I have simple code. So I just have an ASP.NET application on this page, and in the page load, I’m just calling the Get Async method. In that method, I’m basically again getting a token on to the Azure Keywall service, and I’m fetching the value of a secret known as Demo Secret. So, if I go to Azure and then to the MyApp service, I currently have one demo MSI app. I also have an Azure Key Vault, which is also in place. So if I go on to the Azure KeyVault, let me ensure that I have a secret. Again, I’ll mention the secret password. Click on “Create.” So that’s done. So let me go on to Visual Studio. Let me go ahead and publish this web application. So I’m going to publish it to my Azure web app. So I’ll select an Azure app service. an existing one. I’ll choose my demo MSI app. Click on OK and go ahead.

And then click on “publish.” Now, once the publish is complete, I’ll go on to my Web app. Now, this service also has an identity setting. So let’s go on to that again; let’s go on to “System Assigned.” Turn it on. Click on “Save.” Click on “yes.” Now that the system has assigned a manageable identity to our web app, let’s go on to the Azure Keyword service. Let’s go on to access policies. Let’s ensure that we add an access policy. Again, for the secret management operations of Get and List, let’s select our principle. So this should be our demo, MSI App. So let’s choose an app, click on “select,” then click on “add.” Make sure to click on “Save.

13. AZ-203 – Lab – SQL Server Encryption

Hi, and welcome back. In this lab, let’s look at some of the encryption techniques that are available for Azure SQL Server. So, first, we have transparent data encryption. Here the database data, any associated backups, and log files are all encrypted for you. Now, when the data is actually fetched from the database itself, it is automatically decrypted for you. So, even though the data has been encrypted on the underlying physical infrastructure, when you go ahead and access the data within the database itself, the feature will automatically decrypt the data for you and then give it to the user. Now, this feature of transparent data encryption is automatically enabled for Azure SQL databases. For an Azure SQL managed instance, you have to enable it manually. Now, you can use a key that’s been spread by Azure for the encryption, or you could create your own key in the Azure Keyword Service. Now, next, we have another feature known as Always Encrypted. This feature is used to protect sensitive data in your database. Here, the data is protected while at rest. Also, it is encrypted when it is moved between the client and the server and whenever the data is in use.

When you use the Always Encrypted feature, the sensitive data will not appear in plain text. You can enable the always encrypted feature with the help of SQL Server Management Studio. Now, what happens in the background when you use the Always Encrypted feature? So, the Always Encrypted feature will first create something known as a “column master key.” It will then create a column encryption key out of that column master key. And the column encryption key will be used to encrypt a column within a table in your Azure SQL Database.

Now, the key itself—the column master key and the column encryption key—can be stored either in a certificate store, a window certificate store, or in the Azure Keyword Service. Now, if you’re going to be using the Azure Keyword Service to store the key, you have to ensure that the user has the right permission. So, these are the following permissions that need to be granted to the user during the encryption process: It will actually request that you log into a zero, and if you do not have the necessary permissions, or if the user does not have them, the encryption process will fail. Now, once the encryption is complete, let’s say an application now needs to connect to the database and fetch the data from the encrypted column. So there are classes and methods in place that can allow you to decrypt the data when it’s fetched from the database.

Now, let’s get to the good stuff. Let’s look at transparent data encryption and also at the Always Encrypted feature. So here we are in Azure. Now, let’s go ahead and create a SQL Server first so we can go on to databases, choose SQL Database, select the Resource Group, and give a database name. We have to create a new server. So we just have to mention the server details, which will be used to host the database. Please make sure to make a note of the admin login details, which are specified over here. Because you will need this to log into the database server. I won’t use an elastic pool. As of now, I’ll go on to configure the database. I’ll just choose the basic tier for the database, which is just for demo purposes. On the additional settings, I’ll go ahead and install the sample database to ensure that Adventure Works will be created as a sample database. if you go on to the server itself and you want to actually log into the server and see the database, you first have to ensure that you set the firewall settings. So you have to ensure that your workstation has the ability to connect to the database server. By default, there is a kind of firewall in place that denies all connections to the database server.

Now automatically, it detects what the client’s IP address is that you’re working from. So currently, this is the client IP address of my workstation. So I can just go ahead and click on “Add Client IP” and then click on “Save.” If I go on to the overview, I can copy the server name. From here, I can then enter the server name and the authentication details. Click on “connect.” Once you’re connected, you can see your demo database. So now remember that it will have the Adventure Works data. So if you expand the tables, you will see the tables as part of the Adventure Works database.

Now if you go back onto Azure, if you go on to the database itself, there’s something known as transparent data encryption. So remember, this ensures that when your data is stored on the underlying physical infrastructure in the Azure data center, it will automatically be encrypted at rest. Now, by default, data encryption is already enabled for the Azure SQL Database. Now let’s go on to the concept of using the always encrypted feature. So this will ensure that even when you’re viewing the data, the data in the table itself is encrypted. Now for this, we’re going to make use of the Azure keyword resource. So let’s go ahead and create a new resource. Let’s search for Key Vault. Let’s choose the keyword “service.” Click on “Create.” I’ll ensure the keyword service is in the East US region because our SQL database is also in the same region. I’ll just give the vault a name and select the resource group. I’ll go ahead and click on “Create.” Once a key vault is in place, let’s go on to the resource. Now I want to go ahead and open the Access Policy section. So currently, we have the default user, which is our admin login, who has been given permissions to the Keywall service.

Now we have to ensure that for the key permissions, we have the necessary key permissions. So let me enable or select all of that, and then let me click on Save. So when we enable the Always Encrypted feature from SQL Server Management Studio, we are going to log in with our admin account details since we do have the permissions. Now in Access Policies, the SQL Server Malma Studio will have the ability to create the encryption keys, which can then be used to encrypt the data. Now, if we go on to SQL Server MalmaStudio, let us go on to the Customer table. So let me just select the rows. So now let’s say that we want to encrypt the email address column as part of this table. So we don’t want users to see the email address. When users view the data on the table, it will actually be shown in an encrypted fashion. Obviously, when an application is trying to access the data, the application will decrypt the data and use it accordingly.

So, how can we make use of Azure Keyword? Or how can we use the “Always Encrypted” feature to encrypt the data in this column in this table? So, right-click on the Customer table. Let’s choose to encrypt columns. So now we’ll be presented with a wizard. Let’s go on to the next one. Now we have to select which column we want to encrypt. So since we want to encrypt the email address, let’s choose that. Let’s define the type as deterministic. Go on to the next page. Now we can store the key either in the Windows Certificate Store or in the Azure Keyword Service. So I’m going to be using the Azure Keyword Service. It will ask us to sign in. So I’m going to sign in with the admin user account and password. Once we’re signed in, we’ll select the Azure keyword. Go on to the next page. We’ll go on to Next and click on Finish.

So now it’s going to go and do three tasks. Now it will probably ask you to log into your account again. So it’s going to perform three tasks. It’s going to create the column master key, it’s going to create the column encryption key, and then it’s going to go ahead and encrypt the data in the column. Now, once the encryption operation is complete, you can go ahead and again execute the query to get all the data from your underlying table. And now you can see that the email address is encrypted. So you can’t see the email address anymore. So the Always Encrypted feature is now using the keys, which are stored in the Azure Keyword, to encrypt the data in this column. Again, please know that if you have an application, it has to use the correct decryption techniques to decrypt the data and then work with it. Right, so this marks the end of this lab.

14. AZ-203 – Lab – Azure SQL Server – Dynamic Data Masking

Hi, and welcome back. Now in this lab, we are going to look at the data masking feature, which is available for Azio SQL Server databases. So, with the data masking feature, the data in the database table can be limited in its exposure to no privileged users. In order to implement data masking, you will create a rule that will mask the data. Based on the rule, you can decide on the amount of data to expose to the user. Now, there are different masking rules that are available.

So you have the credit card masking rule. This is used to mask a column that contains credit card details. Here, only the last four digits of the field are exposed. Next, you have the email address here; the first letter of the email address is exposed, and the domain name of the email address is replaced. You now have personalized text. You can choose which characters to expose for a field here. And then you have the random number. Here, you can generate a random number for the field. Now, let’s go on to Azure. Let’s see how we can implement data masking.

Now, in Azure, what I’ve done is that I’ve just provisioned a new database called New DB. Again, this has the Adventure Works tables in place. Now, if you want to implement dynamic data masking, you can go on to that feature over here, and you can go ahead and add a mask. Now, one quick thing to note is that when you add a mask to master data in a particular table, if you are the administrator of the database, you will still be able to see all of the data without the mask. This is only for non-privileged users. So when you add a mask, it’s only non-privileged users who can actually not see the data based on the mask that has been implemented for that column. So, what we’re going to do in our database is create a new user so that when we login as the new user, we can see that the mask has been implemented.

So here I’ve gone ahead and refreshed the databases on our server. So now I have the new DB database as well. Again, if you look at the database itself, you will see that it has the Tables of Adventure Works. So first, let’s go on to security. Let’s go on to logins. Let’s create a new login. I’ll execute the query. So now we have a login user in place. Now let’s go ahead and create a new user on our new DB database. Based on that login, let’s ensure that we add the data reader role. So this user can only read the data in the database. So let’s execute the query. So that’s also done. Now, if you go on to the tables, So let’s go on to the customer table. So currently, remember, we are viewing the data as the demo user. So this is the administrator of the database itself. Now what we’re going to do is add a data mask to the email address column and the phone column. So now, as the admin user, you can see all of the data as it is. Let me go ahead and also let Login have the new user. So let me click on Connect.

So now that I’m connected with the new user, let me go ahead and select the rows again so you can see the email address and the phone columns as they are now. If you continue to a zero, Now we have our dynamic data mask. Let’s go ahead and add a mask. Let’s choose a salesperson, Lt. Schema. Let’s choose the customer table for the column, let’s choose the email address, and we have the different masking fields formats, so we have the default value, the credit card value, the email, the number, and the custom string. Let’s select an email, click Add, and then Save. Now that the mask has been applied, if you go back to SQL Server, So now you can see after refreshing the query that the email address has now been masked. If you try to view the data as a demo user, let’s go ahead and select the data. So over here, you can see the email address column is hazardous, so this mask is only applied to non-privileged users.

Now let’s say for the phone column, we basically want to mask the middle three digits and leave the first three and the last four exposed to the user, so we can add a custom masking for this. So if you go on to a zero, let’s go ahead and add a mask. I can select Sales. Let’s choose customer This time we’ll choose the phone field or the phone column. Now in the masking, let’s choose a custom string. So we want to expose the first three characters and the last four, and for the padding string we can add this; let’s click on “Add” and then “Save.” Now, if you go back on to SQL Server, let’s execute the query for the new user. So now you can see that the masking has been applied even on the phone column. So the first three and the last four characters are exposed, and the middle characters have been padded with what we specified as a pairing string, right? So this marks the end of this lesson, in which we looked at dynamic data masking.

15. AZ-203/ 204 – Role Based Access Control

Hi, and welcome back. Now in this chapter, I want to explain the benefit of a concept known as role-based access control. Now, role-based access control allows you to give fine-grained control or permissions over resources in Azure. Now, just to give you an example of this, we have a virtual machine defined on the Azure platform. Now, in Azure, remember that you can define users. You can create users based on the structure of your organization. So you have multiple users defined in Azure. So these users could belong to your IT department; they could belong to your ETI department. So these users would be using the services in one way or another on the Azure platform.

Now, for the users themselves, maybe you want to assign some sort of permissions for the resources in Azure. Now, for example, let’s say that you want a group of users to have access to the virtual machine, but you don’t want them to have access to, say, stopping the virtual machine. Or maybe you don’t want them to have access to delete the virtual machine. The VR login currently has global admin. That’s why we have all the permissions for this virtual machine. But let’s say if another user logs into Azure through our account or our subscription, they should not have the ability to stop or delete the virtual machine. Maybe they can just view the status of the virtual machine. Maybe they can just log into the virtual machine and perform some installations, but that’s it. They are not allowed to stop or delete the virtual machine. Now, maybe there is a workload running on this virtual machine.

That’s why you can’t stop or delete the virtual machine. For that, you might need to get prior authorization. So using role-based access control, you can actually have this fine control over resources on the Azure platform. So this is the key benefit of role-based access control. If you actually go to the access control for a particular resource, this is where you can actually add a role assignment. So you can add role assignments to your resources with a zero. Now, please note that you can add role assignments and role-based access control at the resource level. If you go on to resource groups, let’s say any resource group, you can add access control even at the resource group level. Now, if you add the permissions at the resource group level, those same permissions will be assigned to the resources as part of this resource group.

So let’s say you want to add permissions to a set of resources in a resource group. You would assign those permissions at the access control level. Now, apart from the resource group and the resource level, So let me go on to cost management billing. Let me go over to cost management. Let me go over to my subscription. Now, in the subscription itself, you have access control. So you can also apply access control at the subscription level as well. Now, that means that it will trickle down to the resource groups assigned to the subscription, and that will again trickle down to the resources that are part of the resource group. So if you want to apply those permissions at the entire subscription level, you will do it here. If you want to assign it at the resource group level, you can do that. You can also assign drill down at the resource level if you want. So far, so good in terms of role-based access control. Let’s move on to the next chapter, where I’ll go a little bit in depth into role-based access control, and then we’ll look at a lab on the same as well. So this marks the end of this chapter.

16. AZ-203/ 204 – Lab – Role Based Access Control

Hi, and welcome back. Now in this lab, we are going to look at implementing role-based access control. But before we go into implementing role-based access control, I thought we’d first have a look at the documentation, where you have the built-in roles for Azure resources. This page is now critical from all perspectives of the Anzio exam. So on this page, you will see the different built-in roles that are available for ASIO resources. Now, the three common roles are owner, contributor, and reader role. So if you give yourself the owner role, you can see that it allows you to manage everything, including access to resources. If you have the contributor role, it will allow you to manage everything except access to resources. a very important fact. If you have the contributor role, it lets you manage everything except access to resources.

So this is very important—the key difference between the contributor and owner roles. And then finally, you have the reader role. Now, apart from that, you have roles that are pertinent to the various services available on the Azure platform. So, for example, if I scroll down and go on to the storage account contributor, this allows or permits the management of storage accounts. And then you also have roles that are based on the services within a storage account. Now, if you go on to any one of the roles, or let me go on to the storage account contributor role, So here is the description of the role itself. Now in the role, you have the description, the ID, and also the actions that are permitted as part of this role. So if you assign this role to a user or a group in a zero, these are the actions that will be allowed for the user. So, for example, if you look at the storage accounts, this is the type of access permission.

So it’s Microsoft Storage Accounts, and the star means that all the actions under Storage Accounts are allowed as part of this role if you look at another example of an action. So let’s look at Microsoft authorization. So again, for the permissions under Microsoft Authorization, the star means all the permissible types under Microsoft Authorization. However, we only have the read action here, not the right or read action. So we have no choice but to read all of the actions under Microsoft Authorization. So this gives you a good idea of the types of permissions that are allowed based on a specific role that is available in Azure. So let’s look at the storage blob data contributor. So there is also data action here. So these are the actions that are allowed on the data that is stored in a storage container. So this is very important when it comes to all of the exams: the inbuilt roles that are available on the Azure platform.

So now here we are on the Azure platform. So, in order to implement role-based access control, we are first going to create a user in Azure Active Directory so that we can apply role-based access to that user in Azure Active Directory. So this is your identity store, and there’s much more than that on the Azure platform. Now, if I go on to users, I already have a set of users that are defined in my Active Directory. So remember that in any organization, you will not use your admin account for performing day-to-day activities. You’ll be creating users in Azure AD. You’ll be giving the required roles to the users so they can work with resources on the Azure platform. Now, when you create a user, I’m going to create a user as part of my default directory. So if I go back onto Azure Active Directory, this is my default directory, which is available. So this is based on the email ID that I used to create my Azure account. And this is the entire directory name. So I’ll just copy this; return to users; and proceed to create a new user.

So here, I’ll take the name of the user and the username. You can then reveal the password. So this is the password that’s going to be assigned to the user. I’m just going to go ahead and copy it to the clipboard, and then let me go ahead and create the user. So now the user is in place. Now let’s go on to all the resources. So here you can see that we have resources defined in Asia. So I have a storage account, a virtual machine, and a virtual network. So different resources are currently available in my dashboard. Now let’s say that I want to give this user permission to work with virtual machines. So the user should only be able to work with virtual machines and no other services on the Azure platform. And let’s say that I only want to give access permissions for this virtual machine to that particular user. So I’m giving it at the resource level. So for that, I can go on to access control, and here I can go ahead and add a role assignment.

So remember, I’m adding a role assignment for this resource only. Now if you go on to the roles, these are all the roles that I showed you in the Microsoft documentation. So if you search for “virtual machine,” we have this “virtual machine contributor” that allows you to or allows a user or a group of users to basically manage virtual machines on the Azure platform. Let me go ahead and search for my new user. So it’s a demo user. So let me select that. Click on “Save.” So now we’ve assigned a role to this particular user. Once this is done, let me go ahead and sign in with the new user. So I’ll use another account and sign in with that account. Enter the password. I just need to update the password. So I’m logged in as the demo user. Now, if I go on to the virtual machine service, you can see that I have my virtual machine in place, so I can view the details of the virtual machine. So this access is basically based on the “virtual machine contributor” role. Now, if I go on to another service, let me go on to storage accounts.

Now, here you can see that you can’t see the storage account that we created earlier. So in the dashboard, remember when we logged in as our account admin, we could see a storage account? But here we can’t see the storage account. And that’s because we have not assigned permissions for this user to storage accounts. Even if we go ahead and try to create new storage accounts, here you can see that I can’t even select a resource group if I click on “Create new.” Let me try to create a new resource group. Here, it’s clearly saying you don’t have permissions to create resource groups. So all of this has been done based on role-based access control. Now let me log out and login again as our account administrator. So, under Access control, we’ve now granted the demo virtual machine permissions. Now let me go ahead and go on to role assignments. So, here you can see all your role assignments. Let me go ahead and delete this or remove this role assignment, right? So this is how you can remove an existing role assignment. Now, let’s say that you want to grant access at the level of a resource group level.

So, if you go on to resource groups and the Azure demo, Now let’s say you want to give access to all virtual machines in this particular resource group. So again, you can go on to Access Control. You can click on “Add” to add a role assignment. Again, let’s choose the “virtual machine contributor” role. Let me choose the user. Let me click on “save.” So remember, now I’m adding the user at the resource group level, not at the resource level. As a result, this user will now have access to all of the virtual machines defined in the resource group. Now, if I go back onto virtual machines, let me go on to the demo VM, let me go on to Access Control, and let me go on to Role Assignments. And now you can see that automatically there is a “virtual machine contributor” role for this particular user. And you can see the reason for this because it has been inherited from the resource group. So you can add role-based access control not only at the resource level but also at the resource group level. And remember, you can also add it at the subscription level. So, if I go to all services, then to subscriptions, then to my subscription, and then to Access Control, So if you add the role assignment over here, it will be applied to all the resource groups that are part of this subscription. So this is how you can actually work with role-based access control in Azure. This marks the end of this chapter.

17. AZ-203 – Lab – Multi-Factor Authentication

Hi, and welcome back. Now in this lab, let’s look at multifactor authentication. So before that, multifactor authentication is basically used to secure the login process. So in addition to the passwords that users can be asked for, there can be an additional method added to the login process. This makes it more secure. I think most of us are already used to multifactor authentication, even at multifaceted banks. If you’re doing online banking or a specific transaction, it will always ask you for another authentication method. This could be a code via your mobile phone or maybe an application that’s on your phone that’s put into the bank itself.

Now, the default authentication methods are available. In addition to the password, multifactor authentication factors include the Microsoft Authenticator app, SMS, and voice call. So let’s go ahead and understand how we can enable multifactor authentication. So here we are in Azure. If I go on to Azure Active Directory, So I have my users, which are part of my Azure Active Directory account. Now over here there is a setting for MFA, which is multifactor authentication. Let me go on to additional cloud-based MFA settings. Let me log in. Now, if I continue to my users here, So here I can see all my users. Now, what you can do is enable multifactor authentication for a user on a user-by-user basis. So let’s say I want to enable multifactor authentication for this user. So I will choose a user and click on “enable.” So I’ll say to enable multifactor authentication. So now multifactor authentication is enabled for the selected account if I go on to the service settings. So you can see here the various methods available to users for verification options. Now let me go ahead and try to log in as that user. So please allow me to sign out first.

Now I’m going to log in as the Dave user. Let me proceed to the next step. So now I’m entering the password. That’s the first level of authentication. But now it’s saying that more information is required to keep our account secure. So let’s move on to the next step. So now it’s asking, “How should we have it, or what is the additional security variation we can have for this user?” For step one, I’ll choose the authentication method of using a phone number, and I’ll choose the method of sending a code via text message. Let me proceed to the next step. So I’ve actually gone ahead and received a code on my phone. So let me go ahead and enter that. Let me click on “verify,” right? So that’s done. It’s also giving us an app password, which you can use for existing applications. I’ll click on Done, and now I can go ahead and sign in to my account. So each time now that I sign in, I will be prompted for multifactor authentication, right? So this is one way of enabling multifactor authentication. Let’s move on to the next chapter, where we look at another way we can actually enable multifactor authentication for users.

18. AZ-203 – Lab – Conditional Access Policies

Hi, and welcome back. Now, another way of enabling multifactor authentication for users is to use something known as conditional access policies. Now, in order to execute or implement conditional access policies, Actually, there is a security location for conditional access in Azure AD. Now, for conditional access to give you the ability to create a new policy by default, there are already four baseline policies in place. But if you want to add a new policy, you have to make sure that you have the appropriate licence in place. Now, by default, what happens to the Azure Ad-free account, which you might be using if you’re just learning Azure?

Now, in order to use conditional access, you have to have the appropriate licensing. So, for example, you might need to have a Zero 80 Premium P-2 Two licensing.What you can do now is take advantage of the Azio 80 Premium P-2 licences for free for a month. So currently, I’ve already subscribed to it. But if you have not, you will actually get a placeholder over here, where you can actually sign up to use the product free of charge for 30 days. So make sure you do that so that you can actually try out this feature. Don’t worry; after 30 days, you will not be charged any money. It will just stop the trial product, and you have to go ahead and actually buy the product in order to continue using it. Azeroth 80 premium P.

Two features. Now, once you’ve subscribed for Azero Ad Premium P-2 test licences, the monthly licences that are coming for free, what you have to do is go to your users, go to your main root user, go to licences, and make sure that you assign the license. Now, please note over here I have Enterprise Mobility Plus Security. E five. So this is another product that comes free of charge and again includes the ability to have conditional access policies. And this comes with a duration of 90 days, so you can do that as well. So over here, I’ve already assigned a license. But what you have to do is go ahead and make sure that you assign that license to that user. So since I’ve already gone ahead and done that, it’s in place, and then make sure that you log out and log in again; that’s what I normally do. And then you can go ahead and start using conditional access policies. So if I go on to conditional access, if I go ahead and add a new policy, there are different parts of the policy. So first are the users and groups.

So you could create this policy, which could apply to all users or to select users and groups. You could also have an exclusion in place for users and groups as well. Then you have the cloud apps. So, for the user base. Maybe you want to ensure that the policy you are stating here applies to all the cloud applications used by the users. Or maybe you want to ensure that users who use the Microsoft Azure Portal, which is a Microsoft Azure management application, only have that policy applied to them. So these are different conditions of the policy. So if the user is part of the users or groups that you mentioned over here, and if they’re using the Microsoft Azure management—that’s the Microsoft Azure Portal—then the policy will be applied to them in the conditions. You can add different conditions.

So on device platforms, if you want to specify a particular device platform, you can have locations, or you can have something known as assigning risk. So all of these are the conditions that you can state as part of your policy. And then you have, finally, the access controls. So here is where you can say that you will grant access but ensure to require multifactor authentication. So this is better when you want to apply multifactor authentication to a collection of users. So an example has been given as an example, if you want to make sure that you apply this policy. So what you can do is select one of the users in your account. So make sure that you create an Azure AD tenant. So make sure that you create auer in your Azure ad directory. Next, for the cloud apps and actions, make sure you click on “Done in the cloud apps or actions.” Next, select an application so you can select the Microsoft Azure Portal. So that’s the Microsoft Azure Management app; select that. So that’s fine because we are locking ourselves out. We have already selected a specific user. I’ll click on “Done” on the conditions. So I won’t add any conditions.

I just want that user to ensure that every time the user logs in, they are properties. For multifactor authentication, you can go on to Access Control. I’ll say grant access and require multifactor authentication. If you want, you can have multiple controls that can be enforced. You can click on “select,” you can give a name to the policy, make sure it is enabled, and then hit “create,” right? So now the policy is in place. Now whenever that user logs in again, they will be prompted for multifactor authentication. So this is another way in which you can enable multifactor authentication for users in Azure.

19. AZ-203 – Azure Kubernetes – Integrating with Azure AD

Hi, and welcome back. Now in the next chapter, we’re actually going to see how to implement AzureAd authentication for an Azure Kubernetes cluster. But since the process is quite lengthy and there are a number of steps, let’s try to understand what exactly goes into implementing AzeoAd authentication for a Kubernetes cluster. So, let’s say that you want to get permissions for your users who are in Azure AD for your Kubernetes cluster. In order to enable that integration between Azure and Kubernetes, you have to follow the following steps: So, the first step is to create two Azure Ad applications. So, you have to register something known as a client application and a server application.

So, when the user sends commands onto Azure Kubernetes, let’s say that the user is using the Kubectl command to get the number of pods in the cluster, they first have to authenticate using the client application. That client application will interact with the server application. That server application basically has the authority to read the directory data. So that’s how the flow works. So, in Azure AD, we first have to create a client and a server application. The server application will have the permissions to basically read the directory data in Azio ad.When a user authenticates using the client application, the client application sends the authentication data to the server application, which authenticates using a zero ed. Now, once you have the client and server applications, you have to take the client application ID, the server application ID, a server application secret, and your tenant ID.

Once you have all of this in place, go ahead and provision your Azure Kubernetes cluster. Remember, you must first create your applications. and then you create your cluster. Now, after you perform this activity, the next thing is to assign RBAC roles to the cluster for your users or your groups. So you could have users who are part of groups, and those groups could be given authorization to actually perform the commands on your cluster. Now, there are two basic roles that you can play. So the first role is essentially a standard role, granting access to a specific namespace. This is done via role binding, and the next is a cluster role, which is done via cluster role binding. This is for permissions to all namespaces in your cluster. Now, these roles are applied by applying YAML files. And you’ll see all of this in our lab, right?

So this is what goes intoAzure Ad authentication for Azure capabilities. Now, before we actually move on, just a quick note. When you create a cluster, you also get something known as a service principle. Don’t mix up the service principle with RBACor, your application, or Azure Ad. The service principle is basically used to authorise Azure Kubernetes to work with other resources, such as the Azure Container Repository. So remember that the cluster can pick images from the container history. And it does so by employing the service principle. Right. So this is just to get you started. Let’s go on to the next chapter, where we’ll see a lab on this.

20. AZ-203 – Lab – Azure Kubernetes – Integration with Azure AD

Right, so here we are in Azure. So, first and foremost, let’s talk about Azure advertising. Let’s create our server application and our client applications as required to integrate Azure with Azure Kubernetes. So this needs to be done before you actually create a Kubernetes cluster. So let’s get started with app registrations. Let me go ahead and add a new registration. Let me give you a name. I’ll make sure that it’s accounts in this organization only. We can just give any redirect Uri.

Click on “Register” now; once this is done, let’s go on to “Manifest.” We must ensure that this server can actually retrieve the group’s claims. So users remember that they can be part of groups, and when they authenticate themselves onto the cluster, the application needs to be able to get those claims from the group. So let’s go ahead and modify this for all. Let me go ahead and click on Save, right? So the next step is to go ahead and generate a client secret. So this is a secret for the application. So let’s term this the application secret for the server. So let’s create a new client secret. We can give it a name. Please make sure to take this value now by clicking “Add Now.” After you exit this page, you will not be able to see the value of the secret. So let me go ahead and actually store it in Notepad. So here I’m just storing the server application secret. We can also get the server application ID.

So for that, you can actually go on to the overview. You can take this application client ID and copy it. So let’s keep it over here. We can also get the directory or the tenant ID. All of this is required when you create a Kubernetes cluster, which must authenticate itself against a zero ad. So again, you can get it from here: the directory or the tenant ID. Right now, for this server application, we have to do a couple of other things. So we have to go on to API permissions. So this already has permission to go ahead and read the information for users from the Microsoft ad. We also have to make sure that it can read the permissions for the directory as well. So let’s go on to add permission. Let’s go with Microsoft Graph. Let’s choose to delegate permissions. Let’s search for directories. Let’s look through the directory. Read all. Click on “Add Permissions.” Let us add another permission. Microsoft Graph. This time, application permissions Let us proceed to the directory. Let’s go again to the directory. Examine all newly added permissions. Now the permissions have been granted. Let’s just wait 10 seconds before granting admin consent. Right now, I’m going to go ahead and grant admin consent. I’ll click on yes.

So that’s also done. Let’s go ahead and expose an API. So let’s add a scope. We’ll accept the application. ID uri. Click on Save and Continue, and we’ll give a scope name for the admin content display and name the admin content description. If you don’t see the option to add a scope, you can cancel the process by clicking Cancel. Let’s add a scope again. Let’s enter the scope name and the rest of the details. And now you can see the “Add” button. The “add scope” button Make sure it’s admins only and the state is enabled. Let’s add the scope, so that’s done when it comes to the server application. Now let’s go ahead and add a client application. So a new registration We can give a name to accounts in this organization’s directory only. Let’s enter the redirect URI. Click on “Remain.” Now let’s go on to the API permissions. Let’s add permission. Now I’m going to choose my APIs, choose the EKSServer, select the server scope, and add the permissions. Let’s again wait for 10 seconds. Once this is done, let’s go ahead and grant the admin’s consent. Click on “yes.” So this is also done. Now let’s go over to authentication. Let’s make sure the default client type is set to “yes” for it to be a public client. Let’s click on “Save.” Right, so now we have our server and our client application in place. It’s now time to go ahead and create our Azure Kubernetes cluster.

Now, while Cloud Shell is getting set up for the client application, let’s go on to the overview and take the client ID. So we’ll go to our notepad, and this is the client application ID. And now we’re going to enter all of this in a command to create our cluster. Now that your Cloud Shell is in place, I’ll go ahead and issue the first command, which is to go ahead and create a new resource group. Once it’s in place, let me just clear the screen. Now let me issue the command to create our cluster. phone hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hostssville Juli appel discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hosts discoverysville hostssville Juli I’m getting the SSH keys. Now here I’m adding the server application ID, the server application secret, the client ID, and the tenant ID. So let me go ahead and execute this command. So now let’s come back once the cluster is in place. Now, once the cluster creation is complete, let me go ahead and just clear the screen. So here, I’m going to go ahead and set the context as the admin for the cluster.

Now, the next step is to ensure that we create an RBAC binding for the Kubernetes cluster. So in order for a user to authenticate to the cluster using Azure AD, there has to be an RBAC role in place. So over here, I am showing you a sample YAML file that you can use. So the main thing over here is the cluster role. So for the cluster role, I’m going to be giving authorization to a user in my Azure AD account. So I already have a user in my Azure AD account known as Dave. So we’re going to give this user the authorization for the cluster role for the Kubernetes cluster. Now let’s go ahead and apply this particular YAML file to our cluster. So let me go ahead and upload that authentication file so I can see the contents. I have permission to deploy that YAML file. Now let me go ahead and apply the configuration. So that’s done. Now let me go ahead and set the context. As a nonadmin user, I’ll just overwrite it. So that’s done. Now, if I issue the command to get the nodes, it’s not going to ask me to sign in. So let me go and sign in using this code. Once I enter the code, let me hit next. So I’ll choose my user. That’s Dave. So it will say it is signing in. I’ve already entered the password before. That’s why it automatically remembered my password. If not, it’ll ask you for the password. So let’s go ahead and close the screen. And if you come back, you can now see that you’ve got the nodes in the Kubernetes cluster. So this is how you can actually integrate Azeo with Azure Kubernetes.

Leave a Reply

How It Works

img
Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
img
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
img
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!