Azure Active Directory for Secure Application Development - Sjoukje Zaal - E-Book

Description

Azure Active Directory for Secure Application Development is your one-stop shop for learning how to develop secure applications using modern authentication techniques with Microsoft Azure AD. Whether you’re working with single-tenant, multi-tenant, or line-of-business applications, this book contains everything you need to secure them.
The book wastes no time in diving into the practicalities of Azure AD. Right from the start, you’ll be setting up tenants, adding users, and registering your first application in Azure AD. The balance between grasping and applying theory is maintained as you move from the intermediate to the advanced: from the basics of OAuth to getting your hands dirty with building applications and registering them in Azure AD. Want to pin down the Microsoft Graph, Azure AD B2C, or authentication protocol best practices? We’ve got you covered. The full range of Azure AD functionality from a developer perspective is here for you to explore with confidence.
By the end of this secure app development book, you’ll have developed the skill set that so many organizations are clamoring for. Security is mission-critical, and after reading this book, you will be too.

Page count: 243

Year of publication: 2022


Azure Active Directory for Secure Application Development

Use modern authentication techniques to secure applications in Azure

Sjoukje Zaal

BIRMINGHAM—MUMBAI

Azure Active Directory for Secure Application Development

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Publishing Product Manager: Rahul Nair

Senior Editor: Shazeen Iqbal

Content Development Editor: Sayali Pingale

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Project Manager: Vaidehi Sawant

Proofreader: Safis Editing

Indexer: Rekha Nair

Production Designer: Shankar Kalbhor

Marketing Coordinator: Nimisha Dua

Senior Marketing Coordinator: Sanjana Gupta

First published: May 2022

Production reference: 1110522

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

978-1-83864-650-9

www.packt.com

Contributors

About the author

Sjoukje Zaal is head of the Microsoft Cloud Center of Excellence, a Microsoft Regional Director, and a Microsoft Azure MVP with over 20 years of experience in architecture, development, consultancy, and design-related roles. She currently works at Capgemini, a global leader in consultancy, technology services, and digital transformation. She loves to share her knowledge and is active in the Microsoft community as a cofounder of the user groups Tech Daily Chronicle and Global XR Community. She is also a board member of Azure Thursdays and the Global AI Community. Sjoukje is an international speaker and is involved in organizing many events. She has written several books and writes blogs.

About the reviewers

Swaprakash Sarkar is a technical architect and seasoned professional associated with a multinational technology company. He holds a B.Tech degree in electronics and communication engineering and other professional certifications in Microsoft technology, security, and the cloud. Swaprakash has demonstrated achievements in areas relating to Active Directory, Azure AD, information security, system architecture and design, and project management in his 11-year career in IT. Swaprakash has a passion for learning new technologies that he continues to pursue daily.

Above all of that, he is a father, a husband, a son, a brother, and a friend.

Table of Contents

Preface

Part 1: Getting Started with the Microsoft Identity Platform

Chapter 1: Microsoft Identity Platform Overview

Learning about the Microsoft identity platform

Understanding the evolution of the Microsoft identity platform

Introducing Azure AD

Introducing Azure AD B2B

Introducing Azure AD B2C

Setting up an Azure AD tenant

Adding a user to Azure AD

Cleaning up the resources

Summary

Further reading

Chapter 2: Azure AD Application Model

Technical requirements

Introducing the Azure AD application model

Learning about application and service principal objects in Azure AD

Application object

Service principal object

Registering an application with the Microsoft identity platform

Registering an application using the Azure portal

Setting redirect URIs

Configuring the redirect URI

Understanding permissions and consent

Scopes and permissions

Permission types

Configuring permissions in the Azure portal

Understanding certificates and secrets

Configuring an app secret in the Azure portal

Restricting your Azure AD app to a set of users

Updating the app to require user assignment

Assigning the app to users and groups

Registering an application using PowerShell and the CLI

Registering an application using PowerShell

Registering an application using the CLI

Summary

Further reading

Chapter 3: Application Types and User Consent

Technical requirements

Public client and confidential client applications

Confidential client applications

Public client applications

Understanding the authorization code flow

Authorization code flow

Understanding the different application types

Single-page applications

Web apps and web APIs

Desktop apps

Daemon apps

Mobile apps

Building a web app that authenticates users using Azure AD

Configuring redirect URIs and setting the right permissions

Building the application

Understanding the Azure AD application consent experience

Understanding how end users consent to applications

Configuring how end users consent to applications

Publisher verification

Summary

Further reading

Part 2: Authentication and Protocols

Chapter 4: The Basics and Evolution of Authentication

Evolution of identity protocols

Authentication versus authorization

Authentication

Authorization

Authentication and authorization using the Microsoft identity platform

Pre-claims authentication techniques

Password-based authentication

Integrated authentication

Claims-based identity

What are claims?

How claims-based identity works

Benefits of claims-based identity

First-generation protocols

Single sign-on

Cookies

SAML

WS-Federation

Modern protocols

OAuth

Summary

Further reading

Chapter 5: Securing Applications with OAuth 2.0, OpenID Connect, and MSAL

Technical requirements

The OAuth 2.0 framework and its specifications

Roles

The OAuth 2.0 abstract flow

Tokens

The OpenID Connect protocol and its specifications

The OAuth 2.0 and OpenID Connect flows

OpenID Connect using the implicit flow

The authorization code flow

The OBO flow

The client credentials flow

The ROPC flow

The device code flow

An overview of the Microsoft Identity Web authentication library

An overview of MSAL

Securing your application using OAuth 2.0, OpenID Connect, and MSAL

Registering the application with your Azure AD tenant

Building the application

Summary

Further reading

Chapter 6: Building Secure Services Using the Microsoft Graph API

Technical requirements

An overview of Microsoft Graph

Accessing data and methods

The Microsoft Graph API metadata

Requesting data using Graph Explorer

Queries, batching, throttling, and paging

Queries

Batching

Throttling

The Microsoft Graph SDK

Building a web application that uses the Microsoft Graph API

Summary

Further reading

Part 3: Azure AD B2C

Chapter 7: Introducing Azure Active Directory B2C

Technical requirements

Introducing Azure AD B2C

Creating an Azure AD B2C tenant and adding a user

Registering an application in Azure AD B2C

Enabling the ID token implicit grant

Understanding user flows

Creating sign-up and sign-in flows

Testing the sign-up and sign-in flows

Setting up the custom web application

Summary

Further reading

Chapter 8: Advanced Features of Azure AD B2C

Technical requirements

Identity providers in Azure AD B2C

Configuring the identity provider in Azure AD B2C

Adding the LinkedIn identity provider to the user flow

Customizing the UI

Localization and language customization

Azure AD B2C and Microsoft Graph

Custom domains for Azure AD B2C

Summary

Further reading

Chapter 9: Azure AD B2C Custom Policies

Technical requirements

Understanding custom policies

Introducing the Identity Experience Framework

Creating a custom policy

Creating the signing and encryption key

Registering the Identity Experience Framework applications

Creating the Azure storage account

Creating the Azure function

Creating the custom policy

Deploying the custom policy

Testing the custom policy

Summary

Further reading

Other Books You May Enjoy

Preface

Every organization needs protection against cyberattacks and security threats. Cybercrime and malware are constant threats to anyone with an internet presence. Security is one of the most important topics in IT projects nowadays and every developer, architect, and IT professional needs to have some knowledge of it. It is also one of the key elements that spans across every layer in your IT landscape. It needs to be embedded in your infrastructure, data, and applications, among others. That is also the case for cloud environments, such as Microsoft Azure.

Azure Active Directory is therefore the core service inside Azure that ties everything together from an identity and security perspective. The Microsoft identity platform is an authentication service and a layer on top of Azure Active Directory that provides developers with an authentication service, open source libraries, and application management tools.

Azure Active Directory for Secure Application Development is an in-depth exploration of how Azure Active Directory and the Microsoft identity platform can be used to secure custom applications that run in Azure and other environments. Although the protocols and patterns described in this book are applicable to other platforms, the focus is on how to use Azure Active Directory, the Microsoft identity platform, and the OAuth 2.0, OpenID Connect, and MSAL components to secure your applications. It also covers how Azure AD Business to Consumer (B2C) supports securing your consumer-facing applications.

The book provides lots of hands-on and practical demos that you can use as a reference for your own applications. Although the platform evolves rapidly, and new services are added to it frequently, lots of the basics that are described in this book will be applicable for future scenarios as well.

Who this book is for

If you are a developer or architect who has basic knowledge of Azure Active Directory and is looking to gain greater expertise in the application security domain, this is the book for you. To learn from this book, you should know how to build web applications and web APIs in C# and have basic Azure knowledge.

What this book covers

Chapter 1, Microsoft Identity Platform Overview, introduces the Microsoft identity platform and gives a high-level overview of the features and capabilities it has to offer. Besides this overview, we also cover the evolution of the Microsoft identity platform.

Chapter 2, Azure AD Application Model, focuses on the Azure AD application model and how this is used to sign in users or delegate the sign-in to other identity providers. We dive deep into this by covering all the important parts of the application model for developers.

Chapter 3, Application Types and User Consent, builds upon the previous chapter. We look at the different application types that you can develop and cover user consent. We build a web application that authenticates against Azure AD using our app registration that we registered in the previous chapter.

Chapter 4, The Basics and Evolution of Authentication, takes a step back to look at the basics and evolution of authentication. We examine how authentication has evolved over time into the modern authentication protocols that we are using right now in our applications.

Chapter 5, Securing Applications with OAuth 2.0, OpenID Connect, and MSAL, covers OAuth 2.0, OpenID Connect, and Microsoft Authentication Library (MSAL) in depth. We finish this chapter by building a secure and modern application using these techniques, protocols, and frameworks.

Chapter 6, Building Secure Services Using the Microsoft Graph API, examines the Microsoft Graph API in depth. We look at the different APIs provided by Microsoft Graph and how to build queries to retrieve data. Lastly, we finish our demo that we started building in the previous chapter and add the functionality to call Microsoft Graph on behalf of the signed-in user.

Chapter 7, Introducing Azure Active Directory B2C, focuses fully on Azure AD B2C. We cover user flows and policies, and set up a web application that authenticates against Azure AD B2C.

Chapter 8, Advanced Features of Azure AD B2C, looks at identity providers in Azure AD B2C, and how you can configure them and add them to your user flows. We cover how you can change the UI of the default Azure AD B2C authentication experience and cover custom domains in Azure AD B2C.

Chapter 9, Azure AD B2C Custom Policies, dives into custom policies and what they can bring to your custom applications. We cover the Identity Experience Framework and create our own custom policy that connects to an Azure function and stores user profile information in Azure Table storage.

To get the most out of this book

To follow this book, you need to have an active Azure subscription to create an Azure AD and an Azure AD B2C tenant. You also need to have the latest version of Visual Studio or Visual Studio Code installed:

Visual Studio Code: https://code.visualstudio.com/
Visual Studio: https://visualstudio.microsoft.com/

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781838646509_ColorImages.pdf.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Azure-Active-Directory-for-Secure-Application-Development. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Enter the app package name here, which can be found in the AndroidManifest.xml file, then generate and enter the signature hash."

A block of code is set as follows:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_809707f0030a5d00620c9d9df97f627afe9dcc24"
    Version="2.0"
    ProviderName="SP test"
    IssueInstant="2014-07-16T23:52:45Z"
    Destination="http://idp.example.com/SSOService.php"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "From the app registration overview page of the registered application, under Manage, select API permissions."

Tips or Important Notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Azure Active Directory for Secure Application Development, we'd love to hear your thoughts! Please go to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Part 1: Getting Started with the Microsoft Identity Platform

In this first part of the book, we focus on what the Microsoft identity platform has to offer developers and how Azure Active Directory (Azure AD) is key as the underlying service. We look into the Azure AD application model and application types, and get hands-on experience with registering and configuring an application in Azure Active Directory.

This part of the book comprises the following chapters:

Chapter 1, Microsoft Identity Platform Overview
Chapter 2, Azure AD Application Model
Chapter 3, Application Types and User Consent

Chapter 1: Microsoft Identity Platform Overview

This chapter introduces the first objective in this book, the Microsoft identity platform. In this chapter, we will start by introducing the Microsoft identity platform and giving a high-level overview of the features and capabilities it has to offer. As well as the overview, we are also going to cover the evolution of this platform. Then, we are going to dive a bit into the more technical aspects by covering how users are authenticated using the Microsoft identity platform and what the permissions and consent framework is about.

At the end of this chapter, you will have a high-level understanding of the different components that are part of the platform.

The following topics will be covered in this chapter:

Learning about the Microsoft identity platform
Understanding the evolution of the Microsoft identity platform
Introducing Azure Active Directory
Introducing Azure AD B2B
Introducing Azure AD B2C
Setting up an Azure AD tenant
Adding a user to Azure AD
Cleaning up the resources

Learning about the Microsoft identity platform

The Microsoft identity platform is a comprehensive set of components that help developers to build applications that sign users in with various types of accounts, such as Microsoft identities or social media accounts. The types of applications that can make use of the platform and its components include web applications, web APIs, and mobile apps.

The Microsoft identity platform consists of authentication services, a set of open source libraries, and various application management tools. These components are described in more detail as follows:

Industry standards: The platform is built entirely on industry standards, such as OAuth 2.0, OpenID Connect, and SAML 2.0.
Identities: The platform offers developers a standards-compliant OpenID Connect authentication service that can authenticate a variety of identity types:
  Work or school accounts: These are stored in Azure Active Directory (Azure AD).
  Personal Microsoft accounts: For example, Xbox, Outlook, Skype, and Hotmail accounts.
  Social or local accounts: With Azure AD B2C, you can use social accounts (such as Facebook, Google, and Twitter) or local accounts (held in an external database or identified by a partner email address). Azure App Service authentication supports Azure AD and a few social providers, such as Facebook and Google.
Open source libraries: The Microsoft identity platform offers the Microsoft Authentication Library (MSAL) and supports other standards-compliant libraries.
Application management portal: Applications are registered and configured in Azure AD through the Azure portal.
Application configuration API and PowerShell: Applications can also be registered and configured programmatically using the Microsoft Graph API and PowerShell, which lets you automate these tasks in your CI/CD pipelines.

The following diagram illustrates the different components of what the Microsoft identity platform is made of:

Figure 1.1 – Microsoft identity platform overview

In the next section, we are going to investigate the evolution of the Microsoft identity platform.

Understanding the evolution of the Microsoft identity platform

The Microsoft identity platform is the evolution of the Azure AD developer platform. Many developers have previously used the Azure AD v1.0 endpoint to authenticate against Azure AD, using only work or school accounts, that is, accounts provisioned in Azure AD.

Using the Azure portal or the Graph API to register the application, and the Azure AD Authentication Library (ADAL) in code, developers request access tokens from the Azure AD v1.0 endpoint, for both single-tenant and multi-tenant apps.

The unified Microsoft identity platform (v2.0) lets you authenticate multiple types of accounts, both organizational and consumer. Unlike the v1.0 endpoint, the v2.0 endpoint can authenticate work or school accounts (provisioned in Azure AD), personal accounts (Outlook, Xbox, Skype, or Live accounts), and, with Azure AD B2C, social media accounts. You write the authentication code once, and any Microsoft identity can sign in to your application.

You can add the open source MSAL, which is available for several platforms, such as .NET, JavaScript, Java, and Python. Microsoft highly recommends using MSAL to connect to the identity platform endpoints. MSAL is reliable, performs well, is easy to use, supports single sign-on (SSO), and is developed using the Microsoft Security Development Lifecycle (SDL). SDL is a topic of its own and beyond the scope of this book, but in short, it is a software development process proposed and used internally by Microsoft that reduces the number and severity of security vulnerabilities in software and the cost of fixing them.

The v2.0 endpoint also supports dynamic and incremental consent. Instead of declaring every permission upfront when you register your app in Azure AD, you request permissions incrementally: you ask only for a basic set of permissions upfront that an ordinary user can consent to themselves, such as reading their own profile data. When the user later tries to access other data in the application, such as a list of groups in the user's organization, the application requests the additional permission, and the user or an administrator must consent to it, depending on the permission and how the tenant is configured. Permissions and consent are covered in more detail later in this book.
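
What incremental consent looks like on the wire, as an added example (this is not code from the book): a small Python helper that compares the scopes a user has already consented to with the scopes a feature needs and builds the v2.0 authorize request for the missing ones, with PKCE. The client ID, redirect URI, tenant value ("common") and the scope names used in the sample call are assumed placeholders, not values from the page; the "granted" scopes stand in for what your app last saw in an access token's scp claim.

```python
"""Added example (not from the book): incremental consent against the
Microsoft identity platform v2.0 authorize endpoint.

Assumed placeholders (not from the page): the client ID, redirect URI,
the tenant value ("common") and the scopes used in the sample call at the
bottom. The 'granted' scopes are whatever your app last saw in an access
token's scp claim; here they are constructed inline.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_V2 = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Scopes an ordinary user can consent to on first sign-in: sign the user in,
# keep a refresh token, read their own profile. Nothing admin-level here.
BASE_SCOPES = frozenset({"openid", "profile", "offline_access", "User.Read"})


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); 32 random bytes -> 43-char verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def missing_scopes(granted, needed) -> set:
    """Scopes a feature needs that the user has not yet consented to."""
    return set(needed) - set(granted)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes, state: str, code_challenge: str) -> str:
    """Authorization code request to the v2.0 endpoint. Unlike v1.0, the
    resource is expressed through scopes rather than a resource parameter,
    so the same request serves work/school and personal accounts when the
    tenant value is 'common'."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(sorted(scopes)),
        "state": state,                     # CSRF binding for the callback
        "code_challenge": code_challenge,   # PKCE; required for public clients
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_V2.format(tenant=tenant) + "?" + urlencode(params)


def incremental_request(tenant: str, client_id: str, redirect_uri: str,
                        granted, feature_scopes, state: str, code_challenge: str):
    """Return the authorize URL a feature needs before it can run, or None
    when every scope it needs was already consented to (no round trip).

    The request carries the union of granted and missing scopes; Azure AD
    only prompts the user (or an admin) for the ones not yet consented to."""
    extra = missing_scopes(granted, feature_scopes)
    if not extra:
        return None
    return build_authorize_url(tenant, client_id, redirect_uri,
                               set(granted) | extra, state, code_challenge)


def requested_scopes(url: str) -> set:
    """Read the scope parameter back out of an authorize URL."""
    query = parse_qs(urlparse(url).query)
    return set(query["scope"][0].split())


if __name__ == "__main__":
    # Constructed sample: the user consented to BASE_SCOPES at sign-in; a
    # "list my organization's groups" feature additionally needs Group.Read.All.
    verifier, challenge = make_pkce_pair()
    url = incremental_request("common", "00000000-0000-0000-0000-000000000000",
                              "https://localhost:5001/signin-oidc",
                              BASE_SCOPES, {"User.Read", "Group.Read.All"},
                              state=secrets.token_urlsafe(16), code_challenge=challenge)
    print(url)   # keep `verifier` server-side for the token request
```

The code verifier stays with the session and is sent on the token request; only the challenge goes in the authorize URL. Whether the Group.Read.All prompt can be satisfied by the user alone or needs an administrator depends on the tenant's consent settings, exactly as the paragraph above describes.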

MSAL also supports Azure AD Business to Consumer (Azure AD B2C). Customers that are using your applications and APIs can also use their social accounts to log in to the application.

In the next diagram, you will see an overview of the Microsoft identity experience at a high level, compared to the Azure AD developer platform:

Figure 1.2 – Microsoft identity platform experience

Important Note

MSAL.NET can connect directly to an AD FS authority without going through Azure AD. This is supported only for AD FS 2019 and later. For more information, refer to https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/ADFS-support.

Now that we have some background on the Microsoft identity platform and its predecessor, the Azure AD for Developers platform, we can dive into Azure AD, which is the backbone for all applications and permissions in Azure.

Introducing Azure AD

Azure AD provides a cloud-based enterprise directory and identity management service. It offers features to give users seamless access to all types of resources, internal and external. For instance, it enables the traditional method of user authentication through a username and password, along with the management of roles and permissions to give users access to a variety of resources and products, such as the Azure portal, applications inside of the corporate network, and also Software as a Service (SaaS) applications and Office 365.

On top of username and password management and roles and permissions, it offers enterprise-grade features such as multi-factor authentication (MFA) and SSO for your applications, as well as monitoring and alerting capabilities out of the box.

Azure AD offers different pricing plans, all coming with different types of features and capabilities:

Free: The most basic features: support for approximately 500,000 identity objects, seamless SSO, device registration, Azure AD Join, user and group management, external identities with Azure AD B2B, Pass-Through Authentication (PTA), self-service password change, and standard security reports.
Office 365 apps: No object limit, a Service-Level Agreement (SLA) of 99.9% uptime, self-service password reset for cloud users, company branding features, and device write-back (a two-way sync of device objects between on-premises directories and Azure).
Premium P1: Advanced reporting, MFA and Conditional Access, advanced group access management, the application proxy (which provides secure remote access to on-premises web applications), Azure Information Protection (AIP) integration, Microsoft Cloud App Discovery, Azure AD Join, MDM auto-enrollment, and local admin policy customization.
Premium P2: Adds Identity Protection, Privileged Identity Management (PIM), access reviews, and entitlement management.

Important Note

For a detailed overview of all the different features for each pricing plan, you can refer to the following site: https://azure.microsoft.com/en-us/pricing/details/active-directory/.

Azure AD is also used to manage user identities in Microsoft 365. Microsoft 365 is a collection of different services, such as Windows 10, Office 365, and Enterprise Mobility. By default, your Microsoft 365 subscription comes with the free plan of Azure AD, but you can also purchase different plans to get more features.

For developers, Azure AD is primarily used for issuing tokens that enable users to sign in to applications. Before these tokens can be issued, applications need to be registered inside Azure AD, permissions need to be set, and users need to be added that can access the applications or have access to Microsoft 365 data. This is mainly done by IT administrators, but it is also important for developers to know how to put this in place. Developers can also make use of the enterprise-grade security features in Azure AD, such as Conditional Access policies and SSO, for example.

An Azure AD tenant is created automatically when you sign up for Azure, Microsoft 365, Office 365, or Intune, but you can also create one manually. An Azure AD tenant represents an organization: it is a dedicated instance of Azure AD bound to that organization. You can create multiple Azure AD tenants. Each tenant is completely isolated from every other tenant and has its own work or school identities, Azure AD B2C consumer identities, and app registrations. An app registration can be single-tenant, which only accepts sign-ins from accounts in the tenant where it is registered, or multi-tenant, which accepts sign-ins from accounts in any Azure AD tenant. A multi-tenant app must therefore decide for itself which tenants it trusts, by checking the tenant claim of the tokens it receives.
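
How that tenancy decision is enforced in code, as an added example (not code from the book): a Python check of the tid and iss claims of a v2.0 token against the app's tenancy policy, for both single-tenant and multi-tenant registrations. The claims dictionary is a constructed sample standing in for a token payload that your JWT library has already validated (signature, audience, expiry); the tenant and object GUIDs are made-up placeholders.

```python
"""Added example (not from the book): enforcing the app registration's
tenancy on the tenant claims of a Microsoft identity platform v2.0 token.

Assumptions (not from the page): `claims` is the payload of an ID or access
token that has ALREADY passed signature, audience and expiry validation in
your JWT library; these checks come after that, never instead of it. The
GUIDs in the sample are constructed placeholders.
"""
from dataclasses import dataclass

# Issuer format of v2.0 tokens; the tenant ID appears in both iss and tid.
ISSUER_V2 = "https://login.microsoftonline.com/{tid}/v2.0"


class TenantError(ValueError):
    """Raised when a token comes from a tenant the app must not accept."""


@dataclass(frozen=True)
class TenantPolicy:
    mode: str                                 # "single" or "multi"
    home_tenant: str                          # tenant where the app is registered
    allowed_tenants: frozenset = frozenset()  # multi-tenant allow list; empty = any tenant


def check_tenant(claims: dict, policy: TenantPolicy) -> str:
    """Return the tenant ID the token was issued for, or raise TenantError.

    single: only the home tenant is acceptable (what a single-tenant
            registration promises; re-checked here so a later change to the
            registration cannot silently widen who may sign in).
    multi:  any tenant is acceptable unless an allow list is configured. A
            multi-tenant app that never looks at tid trusts every Azure AD
            tenant in the world equally.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        raise TenantError("token is missing the tid or iss claim")
    # iss must name the same tenant as tid; a mismatch is a malformed or
    # mis-parsed token whatever the policy says.
    if iss != ISSUER_V2.format(tid=tid):
        raise TenantError(f"issuer {iss!r} does not belong to tenant {tid}")
    if policy.mode == "single":
        if tid != policy.home_tenant:
            raise TenantError(f"single-tenant app received a token from tenant {tid}")
    elif policy.mode == "multi":
        if policy.allowed_tenants and tid not in policy.allowed_tenants:
            raise TenantError(f"tenant {tid} is not on the allow list")
    else:
        raise ValueError(f"unknown tenancy mode {policy.mode!r}")
    return tid


def make_sample_claims(tid: str) -> dict:
    """Constructed v2.0-style payload for tenant `tid` (not a real token)."""
    return {
        "iss": ISSUER_V2.format(tid=tid),
        "tid": tid,
        "aud": "11111111-1111-1111-1111-111111111111",   # placeholder client ID
        "oid": "22222222-2222-2222-2222-222222222222",   # placeholder user object ID
        "preferred_username": "user@contoso.example",
    }


if __name__ == "__main__":
    home = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    other = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
    single = TenantPolicy("single", home)
    print("accepted:", check_tenant(make_sample_claims(home), single))
    try:
        check_tenant(make_sample_claims(other), single)
    except TenantError as exc:
        print("rejected:", exc)
```

The issuer format shown is the v2.0 one; v1.0 tokens use a different issuer, so an app that accepts both endpoints needs a second pattern. The oid claim (the user's object ID inside that tenant) is only unique together with tid, which is another reason a multi-tenant app must carry the tenant ID through its own data model.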

In the next sections, we will briefly introduce Azure AD Business to Business (B2B) and Azure AD Business to Consumer (B2C).

Introducing Azure AD B2B

This book focuses on Azure AD from a developer's perspective, so you will not work with Azure AD B2B very often, although Microsoft Graph offers Azure AD B2B APIs that you can leverage inside your custom applications, and you may encounter Azure AD B2B users in the solutions you build.

But, to give a complete overview of the different products and services that Azure AD has to offer, I will give a short introduction to this feature as well.

Azure AD B2B collaboration is a feature on top of Azure AD. You add external identities to your Azure AD tenant to collaborate with external users inside your organization. Partners or individuals are not required to have Azure AD, or even an IT department. Azure AD B2B uses a simple invitation redemption process to give them access to your company resources, Azure environment, or Office 365 environment using their own credentials: partners keep using their own identity management solution, which reduces the administrative overhead of managing accounts for external users. External users log in to Azure AD-connected apps and services with their own work, school, personal, or social media identities.

Azure AD B2B APIs (using Microsoft Graph) can be used by developers to customize the invitation process or write applications such as self-service sign-up portals. Azure AD External Identities uses a billing model based on monthly active users (MAU), which is basically the same for Azure AD B2C. The first 50,000 users are free, then there is a monthly charge per monthly active user.

Azure AD B2B offers the following features:

Management portal: Azure AD B2B is part of Azure AD, so all external users are managed from the Azure portal with exactly the same experience as internal users.
Groups: You can create groups for external users or add them to dynamic groups, whose membership administrators populate with rules based on user attributes.
Conditional Access: You can set conditions for external users, for example enforcing MFA, granting access only to certain applications, or allowing access only from specific locations or devices.
Auditing and reporting: Because Azure AD B2B is an add-on to Azure AD, the auditing and reporting capabilities of Azure AD apply; for instance, you can look into the invitation history and acceptance details.

In the next section, we will introduce Azure AD B2C.

Introducing Azure AD B2C

Azure AD B2C is a business-to-customer identity-as-a-service offering aimed at public-facing mobile and web applications. Customers use their preferred social, enterprise, or local account identities to get SSO access to your applications and APIs. These applications can be hosted anywhere: in Azure, at other cloud providers, or on-premises.

It offers a set of out-of-the-box authentication providers. These authentication providers can be used in your apps and custom APIs. For this, it uses industry-standard protocols and libraries, such as OAuth 2.0, OpenID Connect, and MSAL.

This means developers do not have to add a separate SDK for each provider to their code; the integration is handled by Microsoft and exposed through the same libraries used for authenticating against Azure AD. In addition to the providers that Azure AD B2C offers out of the box, you can add your own.

Azure AD B2C offers the following account types:

Social accounts: Such as Facebook, Google, LinkedIn, and Twitter.
Enterprise accounts: Azure AD accounts, or other accounts from identity providers that use open-standard protocols.
Local accounts: Accounts that use an email address or username and a password and are registered directly in the Azure AD B2C directory.