SC-300 Microsoft Identity and Access Administrator - 03. Implement access management for apps
SC-300: Implement access management for apps
- Plan and design the integration of enterprise apps for SSO
- Implement and monitor the integration of enterprise apps and SSO
- Implement app registrations
- Discover apps by using MCAS or ADFS app report
- Design and implement access management for apps
- Design and implement app management roles
- Configure pre-integrated (gallery) SaaS apps
How to protect cloud apps
1. MCAS (Microsoft Cloud App Security) app report
CASB - Cloud Access Security Broker - An on-premises or cloud-based security policy enforcement point, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
MDCA - Microsoft Defender for Cloud Apps - Microsoft's implementation of a CASB service (the current name of MCAS) that protects data, services, and applications with enterprise policies. It provides supplemental reporting and analytics services, including the cloud discovery (shadow IT) app report.
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes
2. ADFS (Active Directory Federation Services) app report: the Azure AD Connect Health "AD FS application activity" report lists apps federated through AD FS and shows which ones are ready to migrate to Azure AD.
- App registrations: the application object for an app you build or register and publish through Azure AD. Registering it also creates a service principal in your tenant, so the app appears in the Enterprise applications blade as well.
- Enterprise applications: the service principal objects in your tenant, i.e. the tenant-side instance of an app that users sign in to (user assignment, SSO settings, consent). Gallery and other third-party apps appear only here: their application object lives in the publisher's tenant, so they have no App registration entry in yours (they do have a service principal; that is what the Enterprise applications blade shows).
- Application proxy: publishes on-premises apps so users can reach them without a VPN.
| Enabled for users to sign in? | User assignment required? | Visible to users? | Behavior for users who have either been assigned to the app or not |
|---|---|---|---|
| Yes | Yes | Yes | Assigned users can see the app and sign in. Unassigned users cannot see the app and cannot sign in. |
| Yes | Yes | No | Assigned users cannot see the app but they can sign in. Unassigned users cannot see the app and cannot sign in. |
| Yes | No | Yes | Assigned users can see the app and sign in. Unassigned users cannot see the app but can sign in. |
| Yes | No | No | Assigned users cannot see the app but can sign in. Unassigned users cannot see the app but can sign in. |
| No | Yes | Yes | Assigned users cannot see the app and cannot sign in. Unassigned users cannot see the app and cannot sign in. |
| No | Yes | No | Assigned users cannot see the app and cannot sign in. Unassigned users cannot see the app and cannot sign in. |
| No | No | Yes | Assigned users cannot see the app and cannot sign in. Unassigned users cannot see the app and cannot sign in. |
| No | No | No | Assigned users cannot see the app and cannot sign in. Unassigned users cannot see the app and cannot sign in. |
App registrations are for first-party/internal apps you develop that need more configuration (redirect URIs, credentials, API permissions, app roles).
Enterprise applications are for third-party/gallery apps, and for the tenant-side settings of any app (user assignment, SSO, consent).
Exam-style scenario: Service1 is a third-party cloud service that uses Azure AD authentication and OAuth-based authorization.
- Users must be able to connect to Service1 without being prompted for authentication (single sign-on through Azure AD).
- Users may access Service1 only from Azure AD-joined computers: this requires a Conditional Access policy targeting Service1 that restricts the grant by device state.
Tenant (default domain) > Enterprise applications >
All applications lists not only the apps added here, but also the apps created through App registrations.
"Allow users to request access to this application?" must be set to Yes before "Require approval before granting access to this application?" can be configured.
Lab 20 - Implement access management for apps
Open the portal menu and then select Azure Active Directory.
On the Azure Active Directory blade, under Manage, select Enterprise applications.
In the Enterprise applications pane, select + New application.
In the results, select GitHub Enterprise Cloud – Enterprise Account.
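The behaviour table above has one security point worth scripting: "Visible to users = No" only hides the tile in My Apps, it does not stop sign-in. The only setting that denies unassigned users is "User assignment required = Yes". The script below is an added example, not part of the original Lab 20: it assumes the gallery app from Lab 20 has already been added, that you are connected with the Microsoft Graph PowerShell SDK (Connect-MgGraph) holding Application.ReadWrite.All and Group.Read.All, and that a group named GitHub-Users exists (assumed name). It enforces user assignment and assigns the group, then lists who can sign in.

```powershell
# Added example (not from the original lab). Requires the Microsoft Graph PowerShell SDK.
# Connect-MgGraph -Scopes "Application.ReadWrite.All","Group.Read.All"

$appDisplayName = "GitHub Enterprise Cloud - Enterprise Account"   # name given when added in Lab 20
$groupName      = "GitHub-Users"                                   # assumed group name

# The enterprise app is the service principal object in the tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise app '$appDisplayName' not found; add it from the gallery first." }

# "User assignment required? = Yes": unassigned users can no longer sign in,
# regardless of whether the tile is visible (see the behaviour table above).
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found." }

# Gallery apps usually define a default user-assignable app role; an app with no
# roles is assigned through the all-zero "default access" role id.
$role = $sp.AppRoles |
    Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains "User" } |
    Select-Object -First 1
$roleId = if ($role) { $role.Id } else { "00000000-0000-0000-0000-000000000000" }

# Assign the group to the app (portal: Enterprise application > Users and groups > Add user/group).
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId

# Verify: this list is now the complete set of principals that can sign in to the app.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

Run the verification step again after any portal change; if "User assignment required" is flipped back to No, every user in the tenant can sign in through the app's login URL even though nobody new appears in this list.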
App registration blade (left navigation under Manage):
- Authentication
- Certificates & secrets
- Token configuration
- API permissions
- Expose an API
- App roles
What Azure AD provides for applications:
- Application authentication and authorization.
- User authentication and authorization.
- Single sign-on (SSO) using federation or password.
- User provisioning and synchronization.
- Role-based access control: use the directory to define application roles and perform role-based authorization checks in an application.
- OAuth authorization services: used by Microsoft 365 and other Microsoft applications to authorize access to APIs/resources.
- Application publishing and proxy: publish an application from a private network to the internet.
- Directory schema extension attributes: extend the schema of service principal and user objects to store additional data in Azure AD.
Lab 21 - Create a custom role to manage app registration
Least privilege: grant only
1. the ability to configure and enforce single sign-on for the application or service principal being created, and
2. the ability to assign the enterprise application to a set of users or groups.
Why pick those two: for application provisioning these two items are the bare minimum permissions needed to enable and enforce single sign-on for the application or service principal being created, and to assign the enterprise application to a set of users or groups. Other permissions could also be granted. You can get a full list of available permissions at https://docs.microsoft.com/azure/active-directory/roles/custom-enterprise-app-permissions
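The portal steps of Lab 21 expressed as a script, as an added example that is not part of the original lab. It assumes the Microsoft Graph PowerShell SDK connected with RoleManagement.ReadWrite.Directory, Application.Read.All and User.Read.All; the role name "App SSO Operator", the app "Demo app" and the user app-operator@contoso.com are assumed placeholders; and the two action names are the ones I read as matching the lab's reasoning, so verify them against the permission list linked above before relying on them. It also goes one step beyond the lab: the role assignment is scoped to a single service principal rather than the whole directory.

```powershell
# Added example (not from the original lab). Requires the Microsoft Graph PowerShell SDK.
# Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All","User.Read.All"

# The two permissions the lab reasons about. Action names are assumed: check them
# against the custom-enterprise-app-permissions list linked above.
$permissions = @(
    "microsoft.directory/servicePrincipals/authentication/update",    # configure/enforce SSO settings
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"  # assign users and groups to the app
)

$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    DisplayName     = "App SSO Operator"                       # assumed role name
    Description     = "Configure SSO and assign users/groups to enterprise apps; nothing else."
    IsEnabled       = $true
    RolePermissions = @(
        @{ AllowedResourceActions = $permissions }
    )
}

# Least privilege goes beyond the permission list: scope the assignment to one
# service principal instead of the whole directory ("/").
$sp   = Get-MgServicePrincipal -Filter "displayName eq 'Demo app'"                 # assumed app
$user = Get-MgUser -Filter "userPrincipalName eq 'app-operator@contoso.com'"       # assumed user
if (-not $sp -or -not $user) { throw "Service principal or user not found." }

New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $user.Id `
    -DirectoryScopeId "/$($sp.Id)"     # "/" would make the assignment tenant-wide

# Review what the custom role can actually do before handing it out.
(Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDef.Id).
    RolePermissions.AllowedResourceActions
```

If the assigned user later needs the same rights on a second app, add a second scoped assignment rather than widening the scope to "/": the audit trail then shows exactly which apps the operator can touch.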
Application Proxy
https://mslearn.cloudguides.com/guides/Provide%20secure%20remote%20access%20to%20on-premises%20applications%20with%20Azure%20AD%20Application%20Proxy
Enterprise Application Single-Sign-On
ClaimsXRay in AzureAD with Directory Extension
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/claimsxray-in-azuread-with-directory-extension/ba-p/1505737
Lab 22 - Register an application
Lab 23: Grant tenant-wide admin consent to an application
In Microsoft Azure, browse to Azure Active Directory > Enterprise applications > Demo app.
On the Demo app blade, in the left navigation, under Security, select Permissions.
Under Permissions, select Grant admin consent
Warning - Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf will not be affected.
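The warning above is easier to act on if you can see what is granted before and after consent. The following is an added example, not part of the original Lab 23: it assumes the Microsoft Graph PowerShell SDK connected with DelegatedPermissionGrant.ReadWrite.All, AppRoleAssignment.ReadWrite.All and Application.Read.All, the "Demo app" enterprise app from the lab, and that the permission being consented to is the delegated Microsoft Graph scope User.Read (assumed). It lists existing grants, then performs the scripted equivalent of "Grant admin consent" for that one scope without dropping scopes that were already granted tenant-wide.

```powershell
# Added example (not from the original lab). Requires the Microsoft Graph PowerShell SDK.
# Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All","AppRoleAssignment.ReadWrite.All","Application.Read.All"

$sp = Get-MgServicePrincipal -Filter "displayName eq 'Demo app'"   # the enterprise app from the lab
if (-not $sp) { throw "Enterprise app 'Demo app' not found." }

function Show-AppConsent {
    param([string]$SpId)
    # Delegated permissions: consentType AllPrincipals = tenant-wide admin consent,
    # Principal = consent a single user gave on their own behalf (not affected by the warning above).
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$SpId'" |
        Select-Object ConsentType, PrincipalId, ResourceId, Scope
    # Application permissions are appRoleAssignments held by the client service principal.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SpId |
        Select-Object ResourceDisplayName, AppRoleId
}

"--- before ---"; Show-AppConsent -SpId $sp.Id

# Resource being consented to: Microsoft Graph (well-known appId).
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$newScope = "User.Read"    # assumed: grant only what the app needs

$existing = Get-MgOauth2PermissionGrant -Filter `
    "clientId eq '$($sp.Id)' and consentType eq 'AllPrincipals' and resourceId eq '$($graph.Id)'"

if ($existing) {
    # The scope string is replaced wholesale on update, so merge rather than overwrite;
    # overwriting is exactly how earlier tenant-wide grants get silently revoked.
    $merged = (($existing.Scope -split ' ') + $newScope |
        Where-Object { $_ } | Sort-Object -Unique) -join ' '
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $merged
} else {
    New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
        -ResourceId $graph.Id -Scope $newScope
}

"--- after ---"; Show-AppConsent -SpId $sp.Id
```

Keep the "before" output: it is the record you need if the App registrations path (rather than this script) is used later and previously granted scopes disappear.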
Lab 24: Add app roles to your app and receive them in the token
Azure Active Directory > App registrations > Demo App
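Lab 24 in script form, as an added example that is not part of the original lab. It assumes the Microsoft Graph PowerShell SDK connected with Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All and User.Read.All, the "Demo App" registration from the lab, a role value "Reports.Read" and a user alice@contoso.com (both assumed). It adds the app role to the manifest without clobbering existing roles, assigns the user on the service principal side, and includes a small helper that reads the roles claim out of a token the app received.

```powershell
# Added example (not from the original lab). Requires the Microsoft Graph PowerShell SDK.
# Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","User.Read.All"

$app = Get-MgApplication -Filter "displayName eq 'Demo App'"
if (-not $app) { throw "App registration 'Demo App' not found." }

# appRoles is replaced wholesale by Update-MgApplication, so start from the current list
# (portal equivalent: App registrations > Demo App > App roles > Create app role).
$roles = @($app.AppRoles)
if (-not ($roles | Where-Object Value -eq 'Reports.Read')) {
    $roles += @{
        Id                 = [guid]::NewGuid().ToString()
        DisplayName        = "Report reader"
        Description        = "Can read reports"
        Value              = "Reports.Read"      # the string that appears in the token's roles claim
        AllowedMemberTypes = @("User")           # use "Application" for app-only (client credential) roles
        IsEnabled          = $true
    }
}
Update-MgApplication -ApplicationId $app.Id -AppRoles $roles

# Roles are assigned on the service principal (Enterprise applications > Users and groups),
# so re-read it now that the new role has propagated from the application object.
$sp   = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$role = $sp.AppRoles | Where-Object Value -eq 'Reports.Read'
$user = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.com'"   # assumed user
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $role.Id

# Read the roles claim from a token issued to the app. Decoding is not validation:
# the app must still verify signature, iss, aud and exp with its token library
# before trusting any value returned here.
function Get-JwtRoles {
    param([string]$Jwt)
    $payload = ($Jwt -split '\.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json
    @($claims.roles)    # a missing claim yields an empty array, never $null
}
# Usage with a token the app received (assumed variable):
# if ((Get-JwtRoles -Jwt $accessToken) -contains 'Reports.Read') { "authorized" }
```

To remove a role later, set IsEnabled to $false, update the application, and only then drop it from the array; Azure AD rejects deletion of an enabled role. Also note that the roles claim is only emitted for principals that hold an assignment, so an app that treats "no roles claim" as "default access" has re-created the "User assignment required = No" problem inside its own code.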