CoLabora User Group Meeting – June 2018
- Managing enterprise applications, permissions, and consent in Azure Active Directory
Peter Selch Dahl – Azure MVP – I’m ALL Cloud First 
Level 200-300
Microsoft MCSA: Cloud Platform - Certified 2018,
Microsoft MCSA: Office 365 - Certified 2018,
Microsoft MCSE: Cloud Platform and Infrastructure - Certified 2018
Microsoft MCSA: 2016 Windows Server 2016,
Microsoft MCSA: 2012 Windows Server 2012,
Microsoft MCITP: 2008 Server and Enterprise Administrator,
Microsoft MCSA: 2008 Windows Server 2008,
Microsoft MCSA/MCSE : 2003 Security,
Microsoft MCSA/MCSE : 2000 Security,
VMWare Certified Professional VI3/VI4/VI5,
CompTIA A+, Network+,
EC-Council: Certified Ethical Hacker (CEH v7),
And more
Peter Selch Dahl
Freelance Cloud Architect, Azure MVP
Twitter: @PeterSelchDahl
www: www.peterdahl.net
Blog : http://blog.peterdahl.net
• You understand admin consent!
• You know how to provide API consent for applications
• You know how to block end-user consent
What is Application Consent?
[Diagram: a developer writes an application; the application requests permissions to organizational data; an end user or an admin grants those permissions through consent.]
Application Consent and Permissions
Example: the (Bad) Sharing Portal
Accesses any user’s SharePoint, then attaches a file to an email sent by the signed-in user, to share externally.
Developer(s) [internal or external] register the application in the tenant. It requests two kinds of access:
• SharePoint data: Read items in all site collections (an application permission, i.e. do something as the app). Admin must consent.
• Exchange data: Send mail as a user (a delegated permission, i.e. do something as the signed-in user). User can consent.
[Diagram, steps 1–6: end user, administrator, end user, administrator; the administrator manages consent policies and access over time.]
What is Application Consent?
Users can consent to apps that access personal
information only
Admins must consent to apps that require
broader permissions
Admins can consent on behalf of all users in an
organization
App types and permission types

| App type | Permission type | Who can consent | Effective permissions |
|---|---|---|---|
| Get access on behalf of users: mobile, web and single-page apps | Delegated permission (user permission) | Users can consent for their own data; an admin can consent for them or for all users | App permissions ∩ user permissions (the app can never do more than the signed-in user can) |
| Get access as a service: services and daemons | Application permission | Only an admin can consent | App permissions (no user in the loop) |
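The table above is easier to apply once you can see, per app registration, which of its requested permissions are delegated (Scope) and which are application (Role), and therefore who is allowed to consent. The following is an added example, not code from the deck or from Microsoft: it resolves the permission GUIDs in an app registration’s RequiredResourceAccess against the resource’s service principal using the AzureAD PowerShell module. The app display name "Bad Sharing Portal" is a hypothetical placeholder.

```powershell
# Added example (not from the deck): classify what an app registration asks for
# before anyone consents. Requires the AzureAD module and a Connect-AzureAD
# session with directory read rights. The app name used at the bottom is a
# hypothetical placeholder.
Connect-AzureAD | Out-Null

function Get-RequestedPermissionReport {
    param([Parameter(Mandatory)][string]$AppDisplayName)

    $app = Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'"
    if (-not $app) { throw "No app registration named '$AppDisplayName'" }

    foreach ($resource in $app.RequiredResourceAccess) {
        # Each entry names a resource API (Graph, SharePoint, Exchange, ...) by its
        # appId plus a list of permission GUIDs. The GUIDs only mean something
        # against the resource's own service principal in this tenant.
        $resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$($resource.ResourceAppId)'"

        foreach ($access in $resource.ResourceAccess) {
            if ($access.Type -eq 'Scope') {
                # Delegated permission: the app acts as the signed-in user. The
                # resource publisher decides whether a plain user may consent to it
                # (Type = User) or an admin is required (Type = Admin).
                $perm = $resourceSp.Oauth2Permissions | Where-Object { $_.Id -eq $access.Id }
                $who  = if ($perm.Type -eq 'Admin') { 'Admin only' } else { 'User (or admin for all users)' }
                [pscustomobject]@{
                    Resource       = $resourceSp.DisplayName
                    Permission     = $perm.Value
                    PermissionType = 'Delegated'
                    WhoCanConsent  = $who
                    Description    = $perm.AdminConsentDisplayName
                }
            }
            else {
                # Type 'Role' = application permission: the app acts as itself with
                # no user in the loop, so only an admin can ever consent.
                $role = $resourceSp.AppRoles | Where-Object { $_.Id -eq $access.Id }
                [pscustomobject]@{
                    Resource       = $resourceSp.DisplayName
                    Permission     = $role.Value
                    PermissionType = 'Application'
                    WhoCanConsent  = 'Admin only'
                    Description    = $role.DisplayName
                }
            }
        }
    }
}

Get-RequestedPermissionReport -AppDisplayName 'Bad Sharing Portal' |
    Sort-Object PermissionType, Resource |
    Format-Table -AutoSize
```

Two caveats when reading the output: a delegated permission marked "User" is still admin-only if the tenant has switched off end-user consent, and the report shows what the app asks for, not what has been granted; grants are a separate object and are covered by the manageability slides later in the deck.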
What I will be talking about….
Protecting data!
KnowBe4's Chief Hacking Officer Kevin Mitnick called me with some chilling news. A white hat hacker friend of his
developed a working "ransomcloud" strain, which encrypts cloud email accounts like Office 365 in real-time. My
first thought was: "Holy $#!+".
https://community.spiceworks.com/topic/2104688-heads-up-new-ransomware-strain-encrypts-cloud-email-real-time-video
Notes on V1 vs V2 Endpoint
This presentation focuses on the Azure AD v1 endpoint and the associated application, consent,
and permissions model.
There are some key differences to be aware of with consent on v2:
• Support for dynamic/incremental consent
• New URL paths, including a separate admin consent endpoint
• Applications registered at apps.dev.microsoft.com as opposed to portal.azure.com
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview
Endpoint v1 Runtime – When is consent prompted for?
The most common scenario:
• The first time a user signs in to an application that requires access to personal or
organizational resources
Some scenarios that may not be expected:
• The set of permissions required by the application has changed
• Consent was revoked after being granted initially
• The application uses incremental and dynamic consent to request additional
permissions after consent was initially granted. This is often used when optional
features of an application require permissions beyond those required for baseline
functionality.
Introducing MSAL (Microsoft Authentication Library)
https://blogs.technet.microsoft.com/ad/2016/03/31/microsoft-identity-at-build-2016/
https://blogs.technet.microsoft.com/ad/2015/08/12/now-in-public-preview-the-converged-microsoft-
account-and-azure-active-directory-programming-model/
https://blogs.technet.microsoft.com/ad/2016/02/23/for-developers-the-first-use-cases-of-the-
converged-microsoft-account-and-azure-active-directory-programming-model-are-now-ga/
We expose hard choices to developers
[Diagram: the developer has to pick an audience up front: MSA (Microsoft accounts), AAD (Azure AD work or school accounts), or BOTH; Azure and Office are shown as the services behind AAD.]
Azure AD Applications
• Single tenant application
  • App for users in a single organization
  • Admin or user registers the app in the directory tenant
  • Sign in at: https://login.windows.net/contoso.com/<protocol>
• Multi-tenant application
  • App for users in multiple organizations
  • Admin or user registers the app in the developer’s directory tenant
  • Admin configures the application to be multi-tenant
  • Sign in at: https://login.windows.net/common/<protocol>
  • User is prompted to consent based on the permissions required by the application
  • Consent registers the application (as a service principal) in the user’s tenant
Azure AD Graph API: Azure AD consent behind the scenes
https://blog.peterdahl.net/2018/05/14/azure-ad-v2-apps-vs-the-brick-wall/
Manageability – Common challenges
• Where did this application come from?
• I have no idea how Susie got assigned to it.
• I have no idea what power it has.
These need not be mysteries any longer.
Manageability – Common challenges
What happens in the admin view when someone consents? As an admin you can:
• see what permissions an application has
• see who the consented applications are assigned to
• revoke a consent grant
• request administrator-level consent
• control how consent works
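The admin-side questions on the two manageability slides (which apps hold grants, for which permissions, who consented, how to revoke, how to stop further end-user consent) can all be answered from PowerShell. The following is an added example, not the deck’s or Microsoft’s code: it lists delegated grants (OAuth2PermissionGrant objects) and application-permission assignments (AppRoleAssignments on the resource service principal) tenant-wide, flags a hypothetical watch-list of sensitive scopes, revokes a delegated grant, and flips the tenant switch that blocks end-user consent. It assumes the AzureAD and MSOnline modules and an admin session; $WatchScopes and the app name in the commented usage lines are placeholders.

```powershell
# Added example, not from the deck. Requires the AzureAD and MSOnline modules
# and an admin sign-in. $WatchScopes is a hypothetical watch-list; adjust it to
# what counts as sensitive in your tenant.
Connect-AzureAD | Out-Null

$WatchScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All',
                 'Sites.Read.All', 'Directory.AccessAsUser.All', 'offline_access')

function Get-ConsentGrantReport {
    # Cache every service principal once; grants refer to them only by ObjectId.
    $sps = @{}
    Get-AzureADServicePrincipal -All $true | ForEach-Object { $sps[$_.ObjectId] = $_ }

    # Delegated consent (one user, or an admin for all users) is stored as an
    # OAuth2PermissionGrant: client SP -> resource SP, with a space-separated scope list.
    Get-AzureADOAuth2PermissionGrant -All $true | ForEach-Object {
        $grant  = $_
        $scopes = @($grant.Scope -split ' ' | Where-Object { $_ })
        $consentedBy = if ($grant.ConsentType -eq 'AllPrincipals') {
            'All users (admin consent)'
        } else {
            (Get-AzureADUser -ObjectId $grant.PrincipalId).UserPrincipalName
        }
        [pscustomobject]@{
            GrantId     = $grant.ObjectId
            Kind        = 'Delegated'
            ClientApp   = $sps[$grant.ClientId].DisplayName
            Resource    = $sps[$grant.ResourceId].DisplayName
            ConsentedBy = $consentedBy
            Permissions = $scopes -join ' '
            Flagged     = [bool]@($scopes | Where-Object { $WatchScopes -contains $_ })
        }
    }

    # Application permissions are AppRoleAssignments recorded on the *resource* SP
    # (Graph, Exchange, SharePoint, ...) with the client SP as the principal.
    foreach ($resource in ($sps.Values | Where-Object { $_.AppRoles.Count -gt 0 })) {
        Get-AzureADServiceAppRoleAssignedTo -ObjectId $resource.ObjectId -All $true |
            Where-Object { $_.PrincipalType -eq 'ServicePrincipal' } |
            ForEach-Object {
                $assignment = $_
                $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.Id }
                [pscustomobject]@{
                    GrantId     = $assignment.ObjectId
                    Kind        = 'Application'
                    ClientApp   = $assignment.PrincipalDisplayName
                    Resource    = $resource.DisplayName
                    ConsentedBy = 'Admin (application permission)'
                    Permissions = $role.Value
                    Flagged     = $true   # no user in the loop, so always worth a look
                }
            }
    }
}

function Revoke-DelegatedGrant {
    # Deletes one OAuth2PermissionGrant. The app keeps its registration but loses
    # that user's (or the whole tenant's) delegated access until someone consents again.
    param([Parameter(Mandatory)][string]$GrantId)
    Remove-AzureADOAuth2PermissionGrant -ObjectId $GrantId
}

function Disable-EndUserConsent {
    # Tenant-wide switch: after this, every consent prompt needs an admin.
    Connect-MsolService
    Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
    Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled
}

# Usage: show every grant that touches the watch-list, then (commented out) revoke
# the delegated grants held by one app and lock the door for future user consent.
$report = Get-ConsentGrantReport
$report | Where-Object { $_.Flagged } |
    Format-Table Kind, ClientApp, Resource, ConsentedBy, Permissions -AutoSize
# $report | Where-Object { $_.ClientApp -eq 'Bad Sharing Portal' -and $_.Kind -eq 'Delegated' } |
#     ForEach-Object { Revoke-DelegatedGrant -GrantId $_.GrantId }
# Disable-EndUserConsent
```

Application-permission assignments are revoked with Remove-AzureADServiceAppRoleAssignment rather than the delegated cmdlet, and a user whose grant was revoked will simply be prompted again on next sign-in unless end-user consent has been disabled tenant-wide, which is why the two steps belong together. In a large tenant the app-role loop makes one call per resource service principal, so expect it to take a while.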
Manageability – Common challenges
https://blog.azure.com
https://feedback.azure.com
http://Github.com