Monday, April 27, 2020

What is an app registration, and where does it stand in protecting APIs and Azure resources?

Azure makes it possible to integrate custom applications with an identity provider (Azure AD).

We don't need to develop a custom identity manager/provider for each and every application we build.

Application security has three parts: registration permissions (several choices), scopes (formerly known as permissions) and consent (allowing apps to work for you).

(Users can use their existing Azure AD credentials to access these applications; no more secondary logins for LOB applications.)

Scopes: a set of permissions that divide the functionality of a resource into smaller chunks.

User and application permissions are used together with scopes to keep fine-grained control over resource data and to limit what the API exposes.

How to register an application?

First step: click on the Azure AD blade.
Second step: App registrations > New registration > created.

Scopes are permissions used to define what actions an application can perform on behalf of the user against a resource.
We also use the term "permissions" in another way: specifically, permissions define what a user or an app can directly access in Azure.

User and app permissions are defined via roles. These roles use role-based access control (RBAC) to determine privileges to resources.

A user may have privileges to write to the global directory, but the defined scope of permissions for an application may only require read permissions. So what happens? The user is only allowed read permissions when using the application. This is due to the concept of effective permissions.

For delegated permissions, the effective permissions of your app will be the least-privileged intersection between the delegated permissions granted to the app (via consent) and the privileges of the currently signed-in user.

What is consent?

In order for an application to perform a task on your behalf, you have to agree to let it do so.
Consent occurs at sign-in.

There are several kinds of consent:

1) Individual user consent
2) Administrator consent


For application permissions, the effective permissions of your app will be the full level of privileges granted to the app. These are used by apps that run without a signed-in user.
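The two effective-permission rules above (delegated: intersection of consented scopes and the signed-in user's privileges; application: everything granted to the app) can be modelled in a few lines. The following is an added example, not code from the original post or from Azure. It builds unsigned, locally constructed JWT-shaped tokens carrying the claim names Azure AD actually uses ("scp" for delegated scopes the user consented to, "roles" for application permissions); the user table, the "upn" claim as the user identity and the rule that a ReadWrite privilege also covers the matching Read are assumptions of this model. The decoder does not verify a signature, so it stands in for what a resource API does after it has validated the token.

```python
import base64
import json

# Constructed sample data (not from the original post).
MS_GRAPH_AUDIENCE = "https://graph.microsoft.com"

# RBAC privileges of two constructed users, as a simple set model.
USER_PRIVILEGES = {
    "alice@contoso.example": {"User.Read", "Directory.Read.All"},
    "bob@contoso.example": {"User.Read", "Directory.ReadWrite.All"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def build_unsigned_token(payload: dict) -> str:
    """Assemble a JWT-shaped string from constructed claims (no real signature)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",
    ])


def decode_claims(token: str) -> dict:
    """Read the payload segment. This does NOT verify the signature; a real
    resource API must validate the token before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def expand_privileges(privileges: set) -> set:
    """Model assumption: a ReadWrite privilege also covers the matching Read."""
    expanded = set(privileges)
    for privilege in privileges:
        if ".ReadWrite." in privilege:
            expanded.add(privilege.replace(".ReadWrite.", ".Read."))
    return expanded


def effective_permissions(token: str, user_privileges: dict) -> tuple:
    """Return (effective permission set, 'delegated' | 'application').

    Delegated token ("scp" claim, a signed-in user is present): the effective
    set is the intersection of the consented scopes and the user's privileges.
    Application token ("roles" claim, no user): the effective set is every
    permission granted to the app.
    """
    claims = decode_claims(token)
    if claims.get("aud") != MS_GRAPH_AUDIENCE:
        raise ValueError("token was not issued for this resource")
    if "roles" in claims:
        # Client-credentials flow: there is no user to intersect with.
        return set(claims["roles"]), "application"
    consented_scopes = set(claims.get("scp", "").split())
    user = claims.get("upn")  # assumed identity claim in this model
    privileges = expand_privileges(user_privileges.get(user, set()))
    return consented_scopes & privileges, "delegated"


# Alice signs in to an app that was consented for directory write access,
# but she only holds read rights herself: write never becomes effective.
ALICE_TOKEN = build_unsigned_token({
    "aud": MS_GRAPH_AUDIENCE,
    "upn": "alice@contoso.example",
    "scp": "User.Read Directory.ReadWrite.All",
})

# Bob can write to the directory, but the app he uses only asked for read:
# the post's example, where the user is limited to read inside the app.
BOB_TOKEN = build_unsigned_token({
    "aud": MS_GRAPH_AUDIENCE,
    "upn": "bob@contoso.example",
    "scp": "User.Read Directory.Read.All",
})

# A daemon using client credentials: no user, full application permissions.
DAEMON_TOKEN = build_unsigned_token({
    "aud": MS_GRAPH_AUDIENCE,
    "roles": ["Directory.Read.All", "User.Read.All"],
})


if __name__ == "__main__":
    for name, token in [("alice", ALICE_TOKEN), ("bob", BOB_TOKEN),
                        ("daemon", DAEMON_TOKEN)]:
        perms, kind = effective_permissions(token, USER_PRIVILEGES)
        print(f"{name:7s} {kind:12s} {sorted(perms)}")
```

Running it shows Alice reduced to User.Read although the app was consented for Directory.ReadWrite.All, Bob limited to Directory.Read.All although he could write, and the daemon getting exactly the roles granted to it. The audience check matters in practice: a token minted for one resource must not be accepted as proof of permissions on another.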
