Azure-in-bullet-points

Designing for Identity and Security

Security

Microsoft gives you a secure foundation, as well as the tooling to control your environment but customers have the responsibility of their subscription governance, data, identities, and how to protect those.
The cloud presents a spectrum of responsibilities based on what types of services and/or features a customer may be consuming.
- This is unlike more traditional on-premises information systems where most, if not all, security is implemented by the same owner.
- In IAAS, customer owns more control than in PAAS or SAAS.
The subscription is associated with a Microsoft account or organizational account.
Technical separation in the Azure datacenter is based on the following components:
- Azure Fabric Controller (FC)
  - Kernel of the Azure platform, managing resources as needed.
  - Provisions, stores, delivers, monitors and commands the VMs and physical servers that make up the Azure customer environment and infrastructure.
    - Deploys & manages health of compute services.
    - Manages datacenter infrastructure (hardware & software), recevoers from failures
    - Drives infrastructure updates.
- Virtualization
  - The Host OS is a configuration-hardened version of Windows Server.
  - The Hypervisor is Hyper-V from Windows Server 2012 R2, which has been battle-tested and proven in enterprise environments worldwide.
    - Two types of a hypervisor:
      - Type 1 Hypervisor (e.g. VMware, HyperV) runs the OS.
      - Type 2 Hypervisor (e.g. VMware Workstation, VirtualBox) runs on OS.
  - The Guest VM OS can be either Windows Server, several distributions of Linux, or an OS image supplied by the customer (much be supported Operating Systems, or starting from the Azure Marketplace images.
- Logical Isolations
  - Segregates each customer’s data & application from that of others.
  - Storage isolation
    - Storgae Access Key (SAK) : Data is accessible only through claims-based Identity Management & access control with a Storage Access Key.
    - Shared Access Signature (SAS)
      - Recommended as it does not reveal account key and is more granular & restricted access.
      - Can be reset via the Microsoft Azure Portal or the Storage Management API.
    - Storage blocks are hashed by the hypervisor to separate accounts.
  - SQL isolation: SQL Azure isolates separate account databases.
  - Network isolation: VM switch at the host level blocks inter-tenant communication.
Azure Key Vault
- Helps safeguard cryptographic keys and secrets used by cloud applications and services.
- You can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) by using keys that are protected by hardware security modules (HSMs).
- You can import or generate keys in HSMs. If you choose to do this, Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware).
  - HSM = Hardware security module
- Streamlines the key process and enables you to maintain control of keys that access and encrypt your data.
  - Developers can create keys for development and testing, and then seamlessly migrate them to production keys.
  - Security administrators can grant (and revoke) permission to keys, as needed.
- Administration
  - It can be created and managed by an organization’s administrator who manages other Azure services for an organization.
    - E.g.:
      - Administrator would sign in with an Azure subscription, create a vault for the organization in which to store keys, and then be responsible for operational tasks, such as:
        
        Create or import a key or secret.
        
        Revoke or delete a key or secret.
        
        Authorize users or applications to access the key vault, so they can then manage or use its keys and secrets.
        
        Configure key usage (for example, sign or encrypt).
        
        Monitor key usage.
      - This administrator would then provide developers with URIs to call from their applications, and provide their security administrator with key usage logging information.

Azure Active Directory (Azure AD) ^PaaS

Microsoft’s multi-tenant, cloud-based directory and identity management service.
Combines core directory services, advanced identity governance, and application access management.
Allows IT admins to give SSO to thousands of services including Office 365, Salesforce.com, DropBox and Concur.
Full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing and security monitoring and alerting.
Single Sign-On
- Also called identity federation
- Hybrid-based directory integration scenario of Azure Active Directory that you can implement when you want to simplify your user’s ability to seamlessly access cloud services with their existing Active Directory corporate credentials
- A Secure Token Service (STS) enables identity federation,
- Extends centralized authentication, authorization and SSO to e.g. Web applications & services, including perimeter networks, partner networks, and the cloud.
- Configuring a STS is creating a federated trust between your on-premises STS and the federated domain you’ve specified in your Azure AD tenant.
Azure AD Authentication Strategies
- Azure AD Connect
  - Always a required sync tool.
  - Supports synchronization from multiple Azure AD Forests/Domains, into a single Azure Active Directory environment.
  - Enables cloud way of authenticating:
    1. Password Hash Sync
    2. Federation (ADFS)
    3. Azure AD Passthrough Authentication Agent
  - The underlying database can be a SQL Server Express, or a full SQL Server 2008 R2 or newer database instance.
  - Can be installed on dedicated VMs, or directly on ADDS Domain Controllers
  - AD Connect requires an AD Connect Service Account
    - Reads/write information from the Azure AD Tenant, as well as requiring an on-premises account in Active Directory, Enterprise Admin level rights, to read/write information back in the on-premises Active Directory.
    - Allows for a two-way sync, e.g. password resets (optional – requires P1), account deletions and other strategies for connecting.
  - Azure AD Connect Health
    - Robust monitoring of your on-premises identity infrastructure.
      - It enables you to maintain a reliable connection to Office 365 and Microsoft Online Services.
    - Use the Azure AD Connect Health portal to view alerts, performance monitoring, usage analytics, and other information
      - Enhanced security, Get alerted on all critical ADFS system issues, Easy to deploy and manage, Rich usage metrics, Great user experience

Azure AD B2B vs B2C

Use B2C e.g. when users need to authenticate via facebook to your application.
- Azure AD B2C implements OpenID Connect, which supports many different providers, including Twitter, Google, and many others that support the standard.
- Azure AD B2C protects from denial-of-service and password attacks against your applications and includes user interface customizations to easily integrate into your existing applications.
Use B2B e.g. when inviting consultant companies.

Category	Azure AD B2B	Azure AD B2C
*Intended for*	To be able to authenticate users from a partner organization, regardless of identity provider.	Inviting customers of your mobile and web apps, whether individuals, institutional or organizational customers into your Azure AD.
*Identities supported*	Employees with work or school accounts, partners with work or school accounts, or any email address. (Soon to support) direct federation.	Consumer users with local application accounts (any email address or user name) or any supported social identity with direct federation.
*Which directory the partner users are in*	Partner users from the external organization are managed in the same directory as employees, but annotated specially. They can be managed the same way as employees, can be added to the same groups, and so on.	In the application directory. Managed separately from the organization’s employee and partner directory (if any).
*Single sign-on (SSO)*	Single sign-on to all Azure AD-connected apps is supported. E.g. you can provide access to Office 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday.	Single sign-on to customer owned apps within the Azure AD B2C tenants is supported. ❗ SSO to Office 365 or to other Microsoft and non-Microsoft SaaS apps is not supported.
*Partner lifecycle*	Managed by the host/inviting organization.	Self-serve or managed by the application.
*Security policy and compliance*	Managed by the host/inviting organization.	Managed by the application.
*Branding*	Host/inviting organization’s brand is used.	Managed by application. Typically tends to be product branded, with the organization fading into the background.

Multi-Factor Authentication
- Requires more than one verification method.
- E.g. any two or more of the following verification methods:
  - Something you know (typically a password)
  - Something you have (a trusted device that is not easily duplicated, like a phone)
  - Something you are (biometrics)
- Azure Multi-Factor Authentication (MFA)
  - Microsoft’s two-step verification solution
  - Verification methods includes phone call, text message, or mobile app verification.
  - You grant access to users and require Azure MFA registration.
    - 💡 You do not block & require MFA.
Azure AD Identity Protection
- Available only in P2 in Azure AD.
- Uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities.
  - Using this data, it generates reports and alerts that enable you to evaluate the detected issues and take appropriate mitigation or remediation actions
- Enables you:
  - Detect potential vulnerabilities affecting your organization’s identities.
  - Configure automated responses to detected suspicious actions that are related to your organization’s identities.
  - Investigate suspicious incidents and take appropriate action to resolve them.
Privileged Identity Management (PIM)
- Available only in P2 in Azure AD.
- Management of administrative roles
  - In Azure AD (PIM -> Azure AD Roles)
    - You can manage the users assigned to the built-in Azure AD organizational roles, such as Global Administrator.
  - In Azure RBAC (PIM -> Azure Resources)
    - You can manage the users and groups assigned via Azure RBAC roles, including Owner or Contributor.
- Privileged accounts are accounts that administer and manage IT systems.
- You request for elevation to do a task.
  - Per elevated role:
    - You can have notifications for elevations
    - Create incident/request tickets.
    - Require MFA
    - Require approval
    - Set maximum activation duration (hours)
- Assignment types
  - PIM has two branches.
    - Directory
    - RBAC: Consumption & spending.
  - Role assignments
    - Directory (PIM -> Azure AD Roles)
      - Eligible: They can activate the role when they need to perform privileged tasks.
      - Permanent: Role is always activated.
      - Both assignments are permanent.
    - RBAC (PIM -> Azure Resources)
      - Eligible
      - Active
      - Same as directory but permanent is called active because in PIM Eligible/Active can have timer where assignment is removed.
      - E.g. enable subscription in PIM:
        
        PIM -> Azure resources -> Discover resources
- Helps your organization:
  - To see
    - List of users assigned
      - privileged roles to manage Azure resources
      - administrative roles in Azure AD.
    - History of administrator activation
      - Including changes made to resources by admins.
  - Alerts about changes in administrator assignments.
  - Require approval to activate Azure AD privileged admin roles.
  - Enable on-demand, “just in time” administrative access to Microsoft Online Services like Office 365 and Intune, and to Azure resources of subscriptions, resource groups, and individual resources such as Virtual Machines.
  - Review membership of administrative roles and require users to provide a justification for continued membership.
Azure AD Domain Services
- Directory-aware applications may rely on LDAP for read or write access to the corporate directory or rely on Windows Integrated Authentication (Kerberos or NTLM authentication) to authenticate end users.
- Line-of-business (LOB) applications running on Windows Server are typically deployed on domain joined machines, so they can be managed securely using Group Policy.
- To ‘lift-and-shift’ on-premises applications to the cloud, these dependencies on the corporate identity infrastructure need to be resolved.
- Administrators often turn to one of the following solutions to satisfy the identity needs:
  - Deploy a site-to-site VPN connection between workloads running in Azure IaaS and the corporate directory on-premises.
    - ❗ Vulnerable to transient network glitches or outages
  - Extend the corporate AD domain/forest infrastructure by setting up replica domain controllers using Azure virtual machines.
  - Deploy a stand-alone domain in Azure using domain controllers deployed as Azure virtual machines.
- ❗ All these approaches suffer from high cost and administrative overhead.
  - It requires administrators to deploy domain controllers using virtual machines in Azure.
  - Additionally, they need to manage, secure, patch, monitor, backup, and troubleshoot these virtual machines
OAuth2 Flow
1. Register your application with your AD tenant
  - App Registrations -> New application registration
  - Provide sign on URL for web apps, reply URl for API app
  - Get application client id to later use in code.
  - Applications -> Application -> Publish scope
  - Define the permissions (scopes) that can be granted to other applications
    - Add Scope Values as necessary (for example, “read”).¨
2. Authorize
  - User enters credential with consent to permissions
  - App goes to /oauth2/authorize on AD and get authorization token.
3. Access token
  - App sends token to /oauth2/token
  - Azure AD returns an access token upon a successful response
4. App validates access_token and return secure data to app
5. After a while token expires
  - App requests to /oauth2/token with refresh token
  - AD gives new refresh_token and new access_token

SaaS services in Azure

SaaS in Azure includes Cognitive Services, Bot Service, Machine Learning and Media Services
Cognitive Services
- Set of APIs, SDKs and services available to developers to make their applications more intelligent, engaging and discoverable.
- Expands on Microsofts machine learning APIs and enables developers to easily add intelligent features – such as emotion and video detection; facial, speech and vision recognition; and speech and language understanding – into their applications.
- E.g.
  - Agent: Cortana
  - Applications: Office 365, Dynamics 365, SwiftKey, Pix, Customer Service and Support
  - Services: Bot Framework, Cognitive Services, Cortana Intelligence, Cognitive Toolkit
  - Infrastructure: Azure Machine Learning, Azure N Series, FPGA
- Bing APIs
  - Bing Web Search
    - Similar to Bing.com/search
    - The results include Web pages and may also include images, videos, and more.
  - Bing Image Search
    - Similar to Bing.com/images
    - Returns images
- Bing Autosuggest
  - Lets you send a partial search query term to Bing and get back a list of suggested queries that other users have searched on.
- LUIS
  - Intent detection: Receive user input in natural language and extract meaning from it.
    - You can start with a prebuilt domain model, build your own domain specific model, or blend pieces of a prebuilt domain with your own custom information
  - Once the intentions are identified (e.g. Book Flight or Contact Help Desk), you supply example phrases called utterances for the intents. Then you label the utterances with any specific details you want LUIS to pull out of the utterance.
  - Flow : Create your own LU model => Train by providing examples => Deploy to an HTTP endpoint and activate on any device => Maintain model
  - Key LUIS Concepts
    - Intents
      - Purpose or goal expressed in a user’s input.
      - E.g. booking a flight, paying a bill, or finding a news article.
      - You define and name intents that correspond to these actions.
    - Utterances
      - An utterance is text input from the user that your app needs to understand.
      - E.g. “Book a ticket to Paris”, or a fragment of a sentence, like “Booking” or “Paris flight.”
        
        💡 Utterances aren’t always well-formed, and there can be many utterance variations for a particular intent.
    - Entities
      - An entity represents detailed information that is relevant in the utterance.
      - E.g. in the utterance “Book a ticket to Paris.”, “Paris” is a location.
      - By recognizing and labeling the entities that are mentioned in the user’s utterance, LUIS helps you choose the specific action to take to answer a user’s request.
  - Cognitive APIs
    - Text Analytics API
      - Provides advanced natural language processing over raw text, and includes three main functions:
        
        Sentiment analysis
        
        Key phrase extraction
        
        Language detection
    - Speaker Recognition API
      - Speaker Recognition API is a cloud-based APIs that provide the most advanced algorithms for speaker verification and speaker identification.
    - Content Moderator API
      - It tracks, flags, assesses, and filters out offensive and unwanted content that creates risk for applications.
    - Face API
      - Provides the advanced face algorithms with two main functions:
        
        Face detection with attributes
        
        Face recognition.
      - Face API detects up to 64 human faces with high precision face location in an image.
        
        Image can be specified by file in bytes or valid URL.
      - The API returns a face rectangle (left, top, width and height) indicating the face location in the image is returned along with each detected face.
      - Optionally, face detection extracts a series of face related attributes such as pose, gender, age, head pose, facial hair and glasses.
      - Face recognition is widely used in many scenarios including security, natural user interface, image content analysis and management, mobile apps, and robotics.
      - Four face recognition functions are provided: face verification, finding similar faces, face grouping, and person identification.
Bot Services ^PaaS
- Provides an integrated environment that is purpose-built for bot development, enabling you to build, connect, test, deploy, and manage intelligent bots, all from one place.
- You can write a bot, connect, test, deploy, and manage it from your web browser with no separate editor or source control required.
  - For simple bots, you may not need to write code at all.
- Your code glues in an HTTP REST endpoint the following:
  - Platform: Platform Services
  - AI: Intelligent Tools
  - SDK: Bot Builder SDK
- Key concepts:
  - Multiple language support : Bot Service leverages Bot Builder SDK with support for .NET and Node.js.
  - Bot templates : Bot Service templates allow you to quickly create a bot with the code and features you need.
    - E.g.:
      - Forms bot for collecting user input
      - a Language understanding bot that leverages LUIS to understand user intent
      - a QnA bot to handle FAQs
      - a Proactive bot that alerts users of events.
  - Bring your own dependencies : Bots support NuGet and NPM, so you can use your favorite packages in your bot.
  - Flexible development : Code your bot right in the Azure portal or set up continuous integration and deploy your bot through GitHub, Visual Studio Team Services, and other supported development tools. You can also publish from Visual Studio.
  - Connect to channels : Bot Service supports several popular channels for connecting your bots and the people that use them.
    - E.g. Skype, Facebook, Teams, Slack, SMS, and several others.
  - Tools and services : Test your bot with the Bot Framework Emulator and preview your bot on different channels with the Channel Inspector.
  - Open source : The Bot Builder SDK is open-source and available on GitHub.
- QnA Maker
  - Trains AI to respond to user’s questions in a more natural, conversational way.
  - Provides a GUI that allows non-developers to train, manage, and use the service for a wide range of solutions.
  - Extracts a knowledge base from two types of input: FAQ pages (web pages or documents) and product manuals (PDF).
    - Once extracted, the QnA Maker service creates a knowledge base and bot using the knowledge bas
  - Handles Index & Ranking
  - It can be consumed through REST API
  - Over time, the knowledge base can be updated, retrained, and republished to meet the morphing needs to a user-facing web application.
Machine Learning
- Azure Machine learning is an end-to-end data science and analytics solution that’s integrated into Azure.
- Built on top of open source technologies: Jupyter Notebook, Conda, Python, Docker, Apache Spark, and Kubernetes (also from Microsoft, e.g. Cognitive Toolkit)
- It allows users to develop experiments as well as deploy data and models via the cloud.
- Its composed of
  - Azure Machine Learning Workbench
    - Desktop application that includes command-line tools.
    - It allows users to help manage learning solutions via data ingestion and preparation, model development, experiment management,
  - Azure Machine Learning Experimentation Service
    - Helps handling the implementation of machine learning experiments
    - Provides project management, roaming, sharing, and git integration to support the Workbench.
    - Allows implementation of services across a range of environment options such as Local native, Local Docker container, or Scale out Spark cluster in Azure.
    - Creates Virtual environments for scripts to provide an isolated space with reproducible results.
      - Documents run history information
      - Visually displays the information so you can quickly select the best model from your experiments.
  - Azure Machine Learning Model Management Service
    - Provides users the ability to deploy predictive models into a range of environments.
    - Information on models, such as the version and lineage, is notated from training runs throughout the deployment.
    - The models themselves are registered, managed, and stored in the cloud.
  - MMLSpark (Microsoft Machine Learning Library for Apache Spark)
    - Open-source Spark Package providing data science and Deep Learning tools for Apache Spark.
    - MMLSpark allows users to create robust, analytical, and highly scalable predictive models for large image and text datasets.
  - Visual Studio Code Tools for AI
    - Extension used with Visual Studio code that allows you to test, build, and deploy AI and Deep Learning solutions.
    - It contains various integration points from Azure Machine learning.
    - E.g. visualization of run history that displays the performance of training runs, select targets for your scripts to execute.
- Fully support various open source technologies, such as scikit-learn, TensorFlow, and more.
- Traditional BI flow: (value & amount of information increases in each step)
  - Descriptive analytics: What happened?
    - Leads to hindsight
  - Diagnostic analytics: Why did it happen?
    - Leads to insight
  - Predictive analytics: What will happen?
    - Leads to optimization & foresight
  - Prescriptive analytics: How can we make it happen?
Media Processing
- Media Services
  - Extensible platform that enables developers to build scalable media management and delivery applications.
  - It is based on REST APIs that enable you to securely upload, store, encode, and package video or audio content for both on-demand and live streaming delivery to various clients (for example, TV, PC, and mobile devices).
  - Should be used with Content Delivery Network (CDN)
  - Supports:
    - Secure Media, Encoding, On-Demand origin, Live ingest, Live Origin, Advertising, Media Job Scheduling, Static/Dynamic Packaging, Content Protection, Live Encoding, Analytics, Identity Management.
    - Also partner technologies: Media processors, origin servers, live encoders etc.
  - Packaging
    - Static packaging (traditional)
      - Have different assets (files) for different protocols.
        
        Eg. HLS for HLS protocol (apple, mac)
        
        Eg. Smooth for Smooth Protocol (XBOX, Windows)
        
        Eg. MP4 for HTTPS
    - Dynamic packaging
      - MP4 asset can be automatically adopted to those protocals.
- Computer Vision API
  - API for advanced algorithms for processing images and returning information.
  - Use cases/fatures:
    - Tag images based on content.
      - Based on more than 2000 recognizable objects, living beings, scenery, and actions
    - Generate descriptions of the content
      - A collection of content tags forms the foundation for an image ‘description’ displayed as human readable language formatted in complete sentences.
      - Various descriptions are evaluated and a confidence score is generated.
    - Color schemes
      - The colors are analyzed in three different contexts: foreground, background, and whole. They are grouped into twelve 12 dominant accent colors. Those accent colors are black, blue, brown, gray, green, orange, pink, purple, red, teal, white, and yellow. Depending on the colors in an image, simple black and white or accent colors may be returned in hexadecimal color codes.
    - Optical Character Recognition (OCR)
      - Identify printed text found in images.
      - You can use the result for search and numerous other purposes like medical records, security, and banking.
    - Other features include:
      - Categorize images.
      - Identify the type and quality of images.
      - Detect human faces and return their coordinates.
      - Recognize domain-specific content.
      - Flag adult content.
      - Crop photos to be used as thumbnails.
      - Recognize handwritten text.
      - Distinguish color schemes.

This site is open source. Improve this page.

Azure-in-bullet-points

Designing for Identity and Security

Security

Azure Active Directory (Azure AD) PaaS

SaaS services in Azure

Azure Active Directory (Azure AD) ^PaaS