Explore Microsoft Identity Platform Flashcards

(20 cards)

1
Q

What is the Microsoft Identity Platform (MIP)?

A

Lets you build apps that users and customers sign into with their Microsoft identities or social accounts, and provides authorised access to your own APIs or to Microsoft APIs such as Microsoft Graph.

2
Q

What does MIP consist of?

A
  • OAuth 2.0 and OpenID Connect standards-compliant authentication service that lets developers authenticate several identity types (work, school, personal etc.)
  • Open-source libraries (MSAL)
  • Microsoft identity platform endpoint
  • Application management portal
  • Application configuration API and PowerShell
3
Q

How is MIP good for devs?

A
  • Offers integration of modern innovations in the identity and security space such as passwordless authentication, step-up authentication and Conditional Access
  • You don't need to implement this functionality yourself; apps integrated with MIP natively take advantage of such innovations
4
Q

How does MIP integrate with Entra?

A
  • To delegate identity and access management functions to Entra ID, the app must be registered with an Entra tenant
  • Registering the app creates an identity configuration for it that allows it to integrate with Entra ID
  • Single-tenant or multi-tenant registration is available
  • An app object (the globally unique instance of the app) and a service principal object are automatically created in the tenant
5
Q

What is an App registration?

A
  • Has a unique application (client) ID ("client ID" and "application ID" are the same value)
  • Can add client secrets and certificates to it as credentials
  • Can define the scopes (permissions) the app exposes and the permissions it requests from other resources
  • Can customise branding and the sign-in dialog
6
Q

What is an App Object?

A
  • A Microsoft Entra application is defined by one and only one app object
  • Resides only in the Entra tenant where the app is registered (the "home" tenant)
  • Used as a template to create one or more service principal objects
  • Similar to a class in OOP
  • Describes the actions the app can take, the resources it needs to access, and how the service can issue tokens to access the app
7
Q

What is a service principal object?

A
  • A service principal is created in every tenant where the app is used
  • To access resources secured by an Entra tenant, the entity requesting access must be represented by a security principal (a user principal or a service principal)
  • The service principal defines the access policy and permissions for the app in that tenant, enabling core features such as authentication of the app during sign-in and authorisation when it accesses resources
8
Q

What are the 3 types of service principal?

A
  • Application = the local representation of a global app object in a single tenant; defines what the app can do in that tenant and who can access it
  • Managed identity = provides an identity for apps to use when connecting to resources that support Entra authentication; a service principal representing the managed identity is created that can be granted access and permissions but cannot be modified directly
  • Legacy = represents a legacy app, i.e. one created before app registrations were introduced
9
Q

What are the key difference between app objects and service principals?

A
  • The app object is the global representation of your app for use across all tenants
  • The service principal is the local representation for use in a specific tenant
  • The app object serves as a template from which common and default properties are derived when creating the corresponding service principal objects
  • An app object has a one-to-one relationship with the software application and a one-to-many relationship with its corresponding service principal objects
10
Q

What is OAuth 2.0?

A
  • An authorisation protocol through which a third-party app can access web-hosted resources (e.g. Microsoft Graph or Azure Key Vault) on behalf of a user, without that user sharing their credentials with the app
11
Q

How does MIP use perms? Whats another name for them?

A
  • Any resource that integrates with MIP can define a set of permissions that divide the functionality of that resource into smaller chunks
  • Third-party apps can then be built to request only the permissions they need to perform their function
  • In MIP, permissions are called scopes
12
Q

What are scopes?

A
  • Permissions in MIP
  • Each scope is represented by a string value
  • The app passes them in the scope query parameter, e.g. "https://graph.microsoft.com/Calendars.Read"
  • Some high-privilege permissions can only be granted through admin consent, potentially by using the admin consent endpoint
13
Q

What are the two types of perms?

A
  • Delegated = used by apps that have a signed-in user present; either the user or an admin consents to the permissions the app requests, and the app is delegated the permission to act as the signed-in user when it calls the target resource
  • App-only (application) = used by apps that run without a signed-in user present (e.g. background services); only an admin can consent
14
Q

What is static user consent?

A
  • You must specify all the permissions the app needs in its configuration in the Azure portal
  • If the user hasn't granted consent for this app, MIP prompts the user to consent at that time
  • Enables admins to consent on behalf of all users in the organisation
15
Q

Downside of static user consent?

A
  • The app has to request all the permissions it would ever need at the user's first sign-in, which can produce a long list that discourages end users
  • The app has to know all of the resources it would ever access ahead of time
16
Q

What is incremental and dynamic user consent?

A
  • With the MIP endpoint you can ignore the static permissions defined in the app registration and request permissions incrementally instead
  • Ask for the minimum set of permissions up front and request more over time as the customer uses more features
  • Include the new scopes in the scope parameter when requesting an access token
  • Applies only to delegated permissions, not to app-only permissions
17
Q

What is Admin consent?

A
  • Required when the app needs access to certain high-privilege permissions
  • Ensures admins have additional controls before authorising apps or users to access highly privileged data
  • Done on behalf of an organisation, and still requires the static permissions registered for the app
18
Q

What is a scope param?

A
  • A space-separated list of the delegated permissions the app is requesting
  • Each permission is indicated by appending the permission value to the resource's identifier
  • After the user enters their credentials, MIP checks for a matching record of user consent; if the user hasn't consented to any of the requested permissions in the past and an admin hasn't consented on their behalf, it asks the user to grant them
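The scope parameter, incremental consent and app-only permissions from cards 12, 13, 16 and 18, worked through as an added example (not code from the original deck and not Microsoft's own code). It only composes requests for the v2.0 endpoint with the Python standard library and sends nothing; the tenant, client ID, redirect URI and the Graph permissions it names are made-up placeholders.

```python
"""Compose Microsoft identity platform (v2.0 endpoint) requests that exercise the
scope parameter, incremental (dynamic) consent, and app-only permissions.
Added example; TENANT_ID, CLIENT_ID and REDIRECT_URI are constructed placeholders."""
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"

TENANT_ID = "contoso.onmicrosoft.com"                 # placeholder
CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder
REDIRECT_URI = "http://localhost:5000/auth/callback"  # placeholder


def make_scope_param(resource: str, permissions: list[str]) -> str:
    """Space-separated scope value: each permission appended to the resource ID,
    e.g. 'https://graph.microsoft.com/Calendars.Read'."""
    return " ".join(f"{resource.rstrip('/')}/{p}" for p in permissions)


def split_scope_param(scope: str) -> list[tuple[str, str]]:
    """Inverse of make_scope_param: (resource, permission) pairs.
    OpenID Connect scopes such as 'openid' carry no resource prefix."""
    pairs = []
    for item in scope.split():
        resource, sep, perm = item.rpartition("/")
        pairs.append((resource, perm) if sep else ("", item))
    return pairs


def pkce_pair() -> tuple[str, str]:
    """PKCE verifier and S256 challenge; the v2.0 authorization code flow should
    always carry one so an intercepted code cannot be redeemed by someone else."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorize_url(permissions: list[str], state: str, code_challenge: str,
                  tenant: str = TENANT_ID) -> str:
    """Delegated permissions: authorization request for a signed-in user.
    Only the listed scopes are checked against existing consent; the user (or an
    admin on behalf of the org) is prompted for any that are not yet granted."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile offline_access " + make_scope_param(GRAPH, permissions),
        "state": state,  # bind the callback to this session (CSRF protection)
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def incremental_request(granted: set[str], feature_permissions: list[str],
                        state: str, code_challenge: str) -> str | None:
    """Dynamic consent: when a feature needs permissions the user has not yet
    granted, issue a fresh authorization request for just those. Only delegated
    permissions work this way; application permissions need static admin consent."""
    missing = [p for p in feature_permissions if p not in granted]
    if not missing:
        return None
    return authorize_url(missing, state, code_challenge)


def client_credentials_body(client_secret: str) -> dict[str, str]:
    """App-only permissions: no user, so the scope must be the resource's /.default,
    which resolves to the application permissions an admin consented to statically."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{GRAPH}/.default",
    }


def requested_scopes(url: str) -> list[str]:
    """Read the scope parameter back out of an authorization URL."""
    return parse_qs(urlparse(url).query)["scope"][0].split()
```

The shape of the incremental request is the point: the first sign-in asks for `User.Read` only, and `Calendars.Read` is requested when the calendar feature is first used, so the consent dialog stays short. The client-credentials body shows why dynamic consent cannot apply to app-only permissions: there is no user to consent, and `/.default` simply resolves to whatever an admin already granted.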
19
Q

What does conditional access provide?

A
  • Multi-factor authentication
  • Allowing only Intune-enrolled devices to access specific services
  • Restricting user locations and IP ranges
20
Q

Does conditional access change an apps behaviour or require code changes?

A
  • Normally no
  • Only in certain cases, when an app indirectly or silently requests a token for a service
  • e.g. apps performing the on-behalf-of flow, web apps calling a resource, and apps accessing multiple services/resources
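A Conditional Access claims challenge is the case card 20 refers to: a resource rejects a silently acquired token with 401 and the app must go back to the identity platform for a new one carrying the claims it was asked for. Added example, not from the original deck or from Microsoft; the 401 header is constructed to the documented shape (realm, authorization_uri, error="insufficient_claims", base64-encoded claims), and the stdlib helpers stand in for roughly what MSAL does with its client_capabilities and claims_challenge parameters.

```python
"""Detect and answer a Conditional Access claims challenge (added example).
The WWW-Authenticate samples below are constructed, not captured traffic."""
from __future__ import annotations

import base64
import json
import re

# Constructed sample of the header a resource returns when the presented token
# does not satisfy a Conditional Access policy (acrs = authentication context).
SAMPLE_CLAIMS = {"access_token": {"acrs": {"essential": True, "value": "c1"}}}
_b64 = base64.b64encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()).decode()
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    f'error="insufficient_claims", claims="{_b64}"'
)

# An ordinary expired-token 401 carries no claims and must not be treated as a challenge.
PLAIN_401 = 'Bearer error="invalid_token", error_description="token expired"'


def parse_www_authenticate(header: str) -> dict[str, str]:
    """Split a Bearer WWW-Authenticate header into its quoted key="value" parameters."""
    if not header.lower().startswith("bearer"):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def decode_claims_challenge(header: str) -> str | None:
    """Return the decoded claims JSON if the header is a claims challenge, else None."""
    params = parse_www_authenticate(header)
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    claims = base64.urlsafe_b64decode(raw).decode("utf-8")
    json.loads(claims)  # reject anything that is not well-formed JSON before reuse
    return claims


def client_capabilities_claims() -> str:
    """Claims value an app sends on token requests to declare it can handle
    challenges (what MSAL derives from client_capabilities=["cp1"]). Without it the
    identity platform may not issue a challenge and the app never learns what to fix."""
    return json.dumps({"access_token": {"xms_cc": {"values": ["cp1"]}}}, separators=(",", ":"))


def token_request_for_retry(base_params: dict[str, str], claims_json: str) -> dict[str, str]:
    """Rebuild the token request (authorization code, refresh token or on-behalf-of
    body) with the claims parameter so the new token satisfies the policy. The retry
    goes to the identity platform; re-calling the resource with the old token just loops."""
    return {**base_params, "claims": claims_json}


def handle_resource_response(status: int, www_authenticate: str,
                             base_params: dict[str, str]) -> tuple[str, dict[str, str] | None]:
    """What a web app or OBO middle tier should do after calling a downstream resource."""
    if status != 401:
        return ("ok", None)
    claims = decode_claims_challenge(www_authenticate)
    if claims is None:
        return ("reauthenticate", None)  # ordinary invalid token: normal refresh/sign-in
    return ("retry_with_claims", token_request_for_retry(base_params, claims))
```

The practitioner check is the middle branch: a silent token request in an on-behalf-of or web-app-to-resource path cannot show the user an MFA prompt, so the app has to surface the challenge back to the interactive front end (or to the calling client in the OBO case) rather than retrying the same request until it is rate-limited.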