Authentication and authorization
Accessing resources is based on a two-stage concept that consists of firstly authenticating and then authorizing; in a nutshell, identifying who you are and determining what you can do.
Authentication, also referred to as AuthN, is the process of establishing the identity of a person (or service) and proving they are who they say they are. This can be done by validating provided access credentials information against stored or known identifying information.
Authorization, also referred to as AuthZ, is the process of establishing what level of access the authenticated person (or service) has to the resource; that is, what they can access and what actions they may perform:
Figure 8.3 – Authentication and authorization
In this section, we looked at the concepts of authentication and authorization. The following section looks at SSO.
Single sign-on
SSO means only needing one set of credentials that you enter once to access all resources enabled to use SSO in your organization; you are not prompted to sign in again.
In addition, user provisioning to apps is accelerated with just-in-time access for new hires and temporary staff and allows a governed leavers process when users no longer need access to an app.
You configure Azure AD as the trusted IDP for each app you wish to enable SSO through a centralized portal. These apps can be cloud apps, public cloud provider platforms, as well as on-premises apps. You can enforce secure access with identity protection through MFA and Conditional Access, as well as risk-based access policies.
In this section, we looked at SSO. The following section looks at MFA and Conditional Access.
MFA and Conditional Access
MFA (which includes Two-Factor Authentication (2FA) provides an additional layer of security for identifying a user by requiring the user to submit two or more elements for authentication. MFA is based on the following principles:
- Knowledge: Something that only the user knows, such as a password or pin.
- Possession: Something that only the user has, such as a code sent to a phone, a token, or a key.
- Inherent: Something that only the user is, such as biometrics.
Conditional Access works alongside MFA to provide more granular levels of access control; information is collected from the sign-in process (signals), and then decisions are made upon that information to determine whether access to the requested resource will be granted or denied and whether the user will require additional factors of authentication or require taking other action, such as resetting their password. This is visualized in the following diagram:
Figure 8.4 – Conditional Access
The user signal information could be the app trying to get access, the device or location being accessed from, or the security updates status. This could mean that if the user is trying to access the resource from a location that is unknown, a non-managed device/personal device, or a device that doesn’t have the latest security updates, then they will be required to authenticate with a second factor of authentication or even be denied access to the resource.
Conditional Access is a licensed function that requires an Azure Premium P1 or P2 license; this functionality is also included in the Microsoft 365 Business Premium license.
In this section, we looked at MFA and Conditional Access. The following section looks at hands-on exercises to further build on your skills learned in this chapter.