gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-04 00:37:04 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

492
src/pentesting-cloud/azure-security/az-basic-information/README.md
View File

@@ -1,376 +1,372 @@
# Az - Basic Information
# Az - Basiese Inligting
{{#include ../../../banners/hacktricks-training.md}}
## Organization Hierarchy
## Organisasie Hiërargie
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUcVrh1BpuQXN7RzGqoxrn-4Nm_sjdJU-dDTvshloB7UMQnN1mtH9N94zNiPCzOYAqE9EsJqlboZOj47tQsQktjxszpKvIDPZLs9rgyiObcZCvl7N0ZWztshR0ZddyBYZIAwPIkrEQ=s2048?key=l3Eei079oPmVJuh8lxQYxxrB" alt=""><figcaption><p><a href="https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png">https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png</a></p></figcaption></figure>
### Management Groups
### Bestuursgroepe
- It can contain **other management groups or subscriptions**.
- This allows to **apply governance controls** such as RBAC and Azure Policy once at the management group level and have them **inherited** by all the subscriptions in the group.
- **10,000 management** groups can be supported in a single directory.
- A management group tree can support **up to six levels of depth**. This limit doesnt include the root level or the subscription level.
- Each management group and subscription can support **only one parent**.
- Even if several management groups can be created **there is only 1 root management group**.
- The root management group **contains** all the **other management groups and subscriptions** and **cannot be moved or deleted**.
- All subscriptions within a single management group must trust the **same Entra ID tenant.**
- Dit kan **ander bestuursgroepe of subskripsies** bevat.
- Dit maak dit moontlik om **governance beheer** soos RBAC en Azure-beleid een keer op die bestuursgroepvlak toe te pas en dit **geërf** te laat word deur al die subskripsies in die groep.
- **10,000 bestuurs** groepe kan in 'n enkele gids ondersteun word.
- 'n Bestuursgroepboom kan **tot ses vlakke diepte** ondersteun. Hierdie limiet sluit nie die wortelvlak of die subskripsievlak in nie.
- Elke bestuursgroep en subskripsie kan **slegs een ouer** ondersteun.
- Alhoewel verskeie bestuursgroepe geskep kan word, is daar **slegs 1 wortel bestuursgroep**.
- Die wortel bestuursgroep **bevat** al die **ander bestuursgroepe en subskripsies** en **kan nie verskuif of verwyder** word nie.
- Alle subskripsies binne 'n enkele bestuursgroep moet die **dieselfde Entra ID huur** vertrou.
<figure><img src="../../../images/image (147).png" alt=""><figcaption><p><a href="https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png">https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png</a></p></figcaption></figure>
### Azure Subscriptions
### Azure Subskripsies
- Its another **logical container where resources** (VMs, DBs…) can be run and will be billed.
- Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions.
- It **trust only one Entra ID** directory
- **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription
- Dit is 'n ander **logiese houer waar hulpbronne** (VM's, DB's…) gedra kan word en gefaktureer sal word.
- Sy **ouer** is altyd 'n **bestuursgroep** (en dit kan die wortel bestuursgroep wees) aangesien subskripsies nie ander subskripsies kan bevat nie.
- Dit **vertrou slegs een Entra ID** gids
- **Toestemmings** wat op die subskripsievlak (of enige van sy ouers) toegepas word, word **geërf** na al die hulpbronne binne die subskripsie
### Resource Groups
### Hulpbron Groepe
[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) A resource group is a **container** that holds **related resources** for an Azure solution. The resource group can include all the resources for the solution, or only those **resources that you want to manage as a group**. Generally, add **resources** that share the **same lifecycle** to the same resource group so you can easily deploy, update, and delete them as a group.
[Van die dokumentasie:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) 'n Hulpbron groep is 'n **houer** wat **verwante hulpbronne** vir 'n Azure-oplossing bevat. Die hulpbron groep kan al die hulpbronne vir die oplossing insluit, of slegs daardie **hulpbronne wat jy as 'n groep wil bestuur**. Oor die algemeen, voeg **hulpbronne** wat die **selfde lewensiklus** deel by die selfde hulpbron groep sodat jy dit maklik kan ontplooi, opdateer, en verwyder as 'n groep.
All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
Alle **hulpbronne** moet **binne 'n hulpbron groep** wees en kan slegs aan een groep behoort, en as 'n hulpbron groep verwyder word, word al die hulpbronne daarin ook verwyder.
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&#x26;ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&#x26;ssl=1</a></p></figcaption></figure>
### Azure Resource IDs
### Azure Hulpbron ID's
Every resource in Azure has an Azure Resource ID that identifies it.
Elke hulpbron in Azure het 'n Azure Hulpbron ID wat dit identifiseer.
The format of an Azure Resource ID is as follows:
Die formaat van 'n Azure Hulpbron ID is soos volg:
- `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}`
For a virtual machine named myVM in a resource group `myResourceGroup` under subscription ID `12345678-1234-1234-1234-123456789012`, the Azure Resource ID looks like this:
Vir 'n virtuele masjien genaamd myVM in 'n hulpbron groep `myResourceGroup` onder subskripsie ID `12345678-1234-1234-1234-123456789012`, lyk die Azure Hulpbron ID soos volg:
- `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM`
## Azure vs Entra ID vs Azure AD Domain Services
## Azure vs Entra ID vs Azure AD Domein Dienste
### Azure
Azure is Microsofts comprehensive **cloud computing platform, offering a wide range of services**, including virtual machines, databases, artificial intelligence, and storage. It acts as the foundation for hosting and managing applications, building scalable infrastructures, and running modern workloads in the cloud. Azure provides tools for developers and IT professionals to create, deploy, and manage applications and services seamlessly, catering to a variety of needs from startups to large enterprises.
Azure is Microsoft se omvattende **cloud computing platform, wat 'n wye reeks dienste bied**, insluitend virtuele masjiene, databasisse, kunsmatige intelligensie, en stoor. Dit dien as die grondslag vir die gasheer en bestuur van toepassings, die bou van skaalbare infrastruktuur, en die uitvoering van moderne werklas in die wolk. Azure bied gereedskap vir ontwikkelaars en IT-professionals om toepassings en dienste naatloos te skep, te ontplooi, en te bestuur, wat voorsien in 'n verskeidenheid behoeftes van startups tot groot ondernemings.
### Entra ID (formerly Azure Active Directory)
### Entra ID (voorheen Azure Aktiewe Gids)
Entra ID is a cloud-based **identity and access management servic**e designed to handle authentication, authorization, and user access control. It powers secure access to Microsoft services such as Office 365, Azure, and many third-party SaaS applications. With features like single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies among others.
Entra ID is 'n wolk-gebaseerde **identiteit en toegang bestuur diens** wat ontwerp is om autentisering, autorisasie, en gebruikers toegang beheer te hanteer. Dit bied veilige toegang tot Microsoft dienste soos Office 365, Azure, en baie derdeparty SaaS toepassings. Met funksies soos enkel teken-in (SSO), multi-faktor autentisering (MFA), en voorwaardelike toegang beleid onder andere.
### Entra Domain Services (formerly Azure AD DS)
### Entra Domein Dienste (voorheen Azure AD DS)
Entra Domain Services extends the capabilities of Entra ID by offering **managed domain services compatible with traditional Windows Active Directory environments**. It supports legacy protocols such as LDAP, Kerberos, and NTLM, allowing organizations to migrate or run older applications in the cloud without deploying on-premises domain controllers. This service also supports Group Policy for centralized management, making it suitable for scenarios where legacy or AD-based workloads need to coexist with modern cloud environments.
Entra Domein Dienste brei die vermoëns van Entra ID uit deur **bestuurde domein dienste aan te bied wat versoenbaar is met tradisionele Windows Aktiewe Gids omgewings**. Dit ondersteun ouer protokolle soos LDAP, Kerberos, en NTLM, wat organisasies in staat stel om ouer toepassings in die wolk te migreer of te laat loop sonder om plaaslike domein kontrollers te ontplooi. Hierdie diens ondersteun ook Groep Beleid vir gesentraliseerde bestuur, wat dit geskik maak vir scenario's waar ouer of AD-gebaseerde werklas saam met moderne wolkomgewings moet bestaan.
## Entra ID Principals
### Users
### Gebruikers
- **New users**
- Indicate email name and domain from selected tenant
- Indicate Display name
- Indicate password
- Indicate properties (first name, job title, contact info…)
- Default user type is “**member**”
- **External users**
- Indicate email to invite and display name (can be a non Microsft email)
- Indicate properties
- Default user type is “**Guest**”
- **Nuwe gebruikers**
- Dui e-pos naam en domein van die geselekteerde huur aan
- Dui Vertoonnaam aan
- Dui wagwoord aan
- Dui eienskappe aan (voornaam, posbeskrywing, kontakbesonderhede…)
- Standaard gebruiker tipe is “**lid**”
- **Buitelandse gebruikers**
- Dui e-pos aan om uit te nooi en vertoonnaam (kan 'n nie-Microsoft e-pos wees)
- Dui eienskappe aan
- Standaard gebruiker tipe is “**Gaste**”
### Members & Guests Default Permissions
### Lede & Gaste Standaard Toestemmings
You can check them in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) but among other actions a member will be able to:
Jy kan dit nagaan in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) maar onder andere aksies sal 'n lid in staat wees om:
- Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties
- Invite Guests (_can be turned off_)
- Create Security groups
- Read non-hidden Group memberships
- Add guests to Owned groups
- Create new application (_can be turned off_)
- Add up to 50 devices to Azure (_can be turned off_)
- Lees alle gebruikers, Groepe, Toepassings, Toestelle, Rolle, Subskripsies, en hul publieke eienskappe
- Nooi Gaste (_kan afgeskakel word_)
- Skep Sekuriteitsgroepe
- Lees nie-verborgene Groep lidmaatskappe
- Voeg gaste by Besit groepe
- Skep nuwe toepassing (_kan afgeskakel word_)
- Voeg tot 50 toestelle by Azure (_kan afgeskakel word_)
> [!NOTE]
> Remember that to enumerate Azure resources the user needs an explicit grant of the permission.
> Onthou dat om Azure hulpbronne te tel, die gebruiker 'n eksplisiete toekenning van die toestemming benodig.
### Users Default Configurable Permissions
### Gebruikers Standaard Konfigureerbare Toestemmings
- **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
- Register Applications: Default **Yes**
- Restrict non-admin users from creating tenants: Default **No**
- Create security groups: Default **Yes**
- Restrict access to Microsoft Entra administration portal: Default **No**
- This doesnt restrict API access to the portal (only web)
- Allow users to connect work or school account with LinkedIn: Default **Yes**
- Show keep user signed in: Default **Yes**
- Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings)
- Read other users: Default **Yes** (via Microsoft Graph)
- **Guests**
- **Guest user access restrictions**
- **Guest users have the same access as members** grants all member user permissions to guest users by default.
- **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed.
- **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one.
- **Guests can invite**
- **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default**
- **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**
- **Only users assigned to specific admin roles can invite guest users**
- **No one in the organization can invite guest users including admins (most restrictive)**
- **External user leave**: Default **True**
- Allow external users to leave the organization
- **Lede (**[**dokumente**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
- Registreer Toepassings: Standaard **Ja**
- Beperk nie-admin gebruikers van die skep van huurders: Standaard **Nee**
- Skep sekuriteitsgroepe: Standaard **Ja**
- Beperk toegang tot Microsoft Entra administrasie portaal: Standaard **Nee**
- Dit beperk nie API toegang tot die portaal nie (slegs web)
- Laat gebruikers toe om werk of skool rekening met LinkedIn te verbind: Standaard **Ja**
- Toon hou gebruiker ingelog: Standaard **Ja**
- Beperk gebruikers van die herstel van die BitLocker sleutel(s) vir hul besit toestelle: Standaard Nee (kyk in Toestel Instellings)
- Lees ander gebruikers: Standaard **Ja** (deur Microsoft Graph)
- **Gaste**
- **Gaste gebruiker toegang beperkings**
- **Gaste gebruikers het dieselfde toegang as lede** gee alle lid gebruiker toestemmings aan gaste gebruikers per standaard.
- **Gaste gebruikers het beperkte toegang tot eienskappe en lidmaatskappe van gids objekte (standaard)** beperk gaste toegang tot slegs hul eie gebruikersprofiel per standaard. Toegang tot ander gebruikers en groep inligting is nie meer toegelaat nie.
- **Gaste gebruiker toegang is beperk tot eienskappe en lidmaatskappe van hul eie gids objekte** is die mees beperkende een.
- **Gaste kan nooi**
- **Enige iemand in die organisasie kan gaste gebruikers nooi insluitend gaste en nie-admins (mees inklusief) - Standaard**
- **Lid gebruikers en gebruikers wat aan spesifieke admin rolle toegeken is kan gaste gebruikers nooi insluitend gaste met lid toestemmings**
- **Slegs gebruikers wat aan spesifieke admin rolle toegeken is kan gaste gebruikers nooi**
- **Niemand in die organisasie kan gaste gebruikers nooi insluitend admins (mees beperkende)**
- **Buitelandse gebruiker verlaat**: Standaard **Waar**
- Laat buitelandse gebruikers toe om die organisasie te verlaat
> [!TIP]
> Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions.
> Alhoewel dit per standaard beperk is, kan gebruikers (lede en gaste) met toegekenne toestemmings die vorige aksies uitvoer.
### **Groups**
### **Groepe**
There are **2 types of groups**:
Daar is **2 tipes groepe**:
- **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members.
- **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.
- This will have an **email address** with the domain of the EntraID tenant.
- **Sekuriteit**: Hierdie tipe groep word gebruik om lede toegang te gee tot toepassings, hulpbronne en om lisensies toe te ken. Gebruikers, toestelle, diens prinsipale en ander groepe kan lede wees.
- **Microsoft 365**: Hierdie tipe groep word gebruik vir samewerking, wat lede toegang gee tot 'n gedeelde posbus, kalender, lêers, SharePoint webwerf, ensovoorts. Groep lede kan slegs gebruikers wees.
- Dit sal 'n **e-pos adres** hê met die domein van die EntraID huur.
There are **2 types of memberships**:
Daar is **2 tipes lidmaatskappe**:
- **Assigned**: Allow to manually add specific members to a group.
- **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change.
- **Toegeken**: Laat toe om spesifieke lede handmatig aan 'n groep toe te voeg.
- **Dinamiese lidmaatskap**: Bestuur lidmaatskap outomaties met behulp van reëls, wat die groep insluiting opdateer wanneer lede se eienskappe verander.
### **Service Principals**
### **Diens Prinsipale**
A **Service Principal** is an **identity** created for **use** with **applications**, hosted services, and automated tools to access Azure resources. This access is **restricted by the roles assigned** to the service principal, giving you control over **which resources can be accessed** and at which level. For security reasons, it's always recommended to **use service principals with automated tools** rather than allowing them to log in with a user identity.
'n **Diens Prinsipaal** is 'n **identiteit** geskep vir **gebruik** met **toepassings**, gehoste dienste, en geoutomatiseerde gereedskap om toegang tot Azure hulpbronne te verkry. Hierdie toegang is **beperk deur die rolle wat aan die diens prinsipaal toegeken is**, wat jou beheer gee oor **watter hulpbronne toegang verkry** en op watter vlak. Om veiligheidsredes, word dit altyd aanbeveel om **diens prinsipale met geoutomatiseerde gereedskap te gebruik** eerder as om hulle toe te laat om met 'n gebruikersidentiteit aan te meld.
It's possible to **directly login as a service principal** by generating it a **secret** (password), a **certificate**, or granting **federated** access to third party platforms (e.g. Github Actions) over it.
Dit is moontlik om **direk as 'n diens prinsipaal aan te meld** deur 'n **geheim** (wagwoord), 'n **sertifikaat**, of deur **federale** toegang aan derdeparty platforms (bv. Github Actions) oor dit te verleen.
- If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again.
- If you choose certificate authentication, make sure the **application will have access over the private key**.
- As jy **wagwoord** autentisering kies (per standaard), **stoor die gegenereerde wagwoord** aangesien jy dit nie weer kan toegang nie.
- As jy sertifikaat autentisering kies, maak seker dat die **toepassing toegang sal hê oor die private sleutel**.
### App Registrations
### App Registrasies
An **App Registration** is a configuration that allows an application to integrate with Entra ID and to perform actions.
'n **App Registrasie** is 'n konfigurasie wat 'n toepassing toelaat om met Entra ID te integreer en aksies uit te voer.
#### Key Components:
#### Sleutel Komponente:
1. **Application ID (Client ID):** A unique identifier for your app in Azure AD.
2. **Redirect URIs:** URLs where Azure AD sends authentication responses.
3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions).&#x20;
1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID).
4. **API Permissions:** Specifies what resources or APIs the app can access.
5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect).
6. **Service Principal**: A service principal is created when an App is created (if it's done from the web console) or when it's installed in a new tenant.
1. The **service principal** will get all the requested permissions it was configured with.
1. **Toepassing ID (Kliënt ID):** 'n Unieke identifiseerder vir jou app in Azure AD.
2. **Herlei URIs:** URL's waar Azure AD autentisering antwoorde stuur.
3. **Sertifikate, Geheimen & Federale Kredite:** Dit is moontlik om 'n geheim of 'n sertifikaat te genereer om as die diens prinsipaal van die toepassing aan te meld, of om federale toegang aan dit te verleen (bv. Github Actions).&#x20;
1. As 'n **sertifikaat** of **geheim** gegenereer word, is dit moontlik vir 'n persoon om **as die diens prinsipaal** met CLI gereedskap aan te meld deur die **toepassing ID**, die **geheim** of **sertifikaat** en die **huur** (domein of ID) te ken.
4. **API Toestemmings:** Spesifiseer watter hulpbronne of API's die app kan toegang.
5. **Autentisering Instellings:** Definieer die app se ondersteunde autentisering vloei (bv., OAuth2, OpenID Connect).
6. **Diens Prinsipaal**: 'n diens prinsipaal word geskep wanneer 'n App geskep word (as dit vanaf die webkonsol gedoen word) of wanneer dit in 'n nuwe huur geïnstalleer word.
1. Die **diens prinsipaal** sal al die gevraagde toestemmings wat dit geconfigureer is, ontvang.
### Default Consent Permissions
### Standaard Toestemming Toestemmings
**User consent for applications**
**Gebruiker toestemming vir toepassings**
- **Do not allow user consent**
- An administrator will be required for all apps.
- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)**
- All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.
- **Default** low impact permissions (although you need to accept to add them as low):
- User.Read - sign in and read user profile
- offline_access - maintain access to data that users have given it access to
- openid - sign users in
- profile - view user's basic profile
- email - view user's email address
- **Allow user consent for apps (Default)**
- All users can consent for any app to access the organization's data.
- **Moet nie gebruiker toestemming toelaat nie**
- 'n Administrateur sal vir alle apps benodig word.
- **Laat gebruiker toestemming toe vir apps van geverifieerde uitgewers, vir geselekteerde toestemmings (Aanbeveel)**
- Alle gebruikers kan toestemming gee vir toestemmings wat as "lae impak" geklassifiseer is, vir apps van geverifieerde uitgewers of apps wat in hierdie organisasie geregistreer is.
- **Standaard** lae impak toestemmings (alhoewel jy moet aanvaar om hulle as laag by te voeg):
- User.Read - teken in en lees gebruikersprofiel
- offline_access - hou toegang tot data wat gebruikers toegang gegee het
- openid - teken gebruikers in
- profile - sien gebruiker se basiese profiel
- email - sien gebruiker se e-pos adres
- **Laat gebruiker toestemming toe vir apps (Standaard)**
- Alle gebruikers kan toestemming gee vir enige app om toegang tot die organisasie se data te verkry.
**Admin consent requests**: Default **No**
**Admin toestemming versoeke**: Standaard **Nee**
- Users can request admin consent to apps they are unable to consent to
- If **Yes**: Its possible to indicate Users, Groups and Roles that can consent requests
- Configure also if users will receive email notifications and expiration reminders&#x20;
- Gebruikers kan admin toestemming versoek vir apps waartoe hulle nie toestemming kan gee nie
- As **Ja**: Dit is moontlik om Gebruikers, Groepe en Rolle aan te dui wat toestemming versoeke kan gee
- Konfigureer ook of gebruikers e-pos kennisgewings en vervaldatums herinneringe sal ontvang&#x20;
### **Managed Identity (Metadata)**
### **Bestuurde Identiteit (Metadata)**
Managed identities in Azure Active Directory offer a solution for **automatically managing the identity** of applications. These identities are used by applications for the purpose of **connecting** to **resources** compatible with Azure Active Directory (**Azure AD**) authentication. This allows to **remove the need of hardcoding cloud credentials** in the code as the application will be able to contact the **metadata** service to get a valid token to **perform actions** as the indicated managed identity in Azure.
Bestuurde identiteite in Azure Aktiewe Gids bied 'n oplossing vir **outomatiese bestuur van die identiteit** van toepassings. Hierdie identiteite word deur toepassings gebruik om te **verbinde** met **hulpbronne** wat versoenbaar is met Azure Aktiewe Gids (**Azure AD**) autentisering. Dit maak dit moontlik om **die behoefte aan hardkoding van wolk akrediteer** in die kode te verwyder aangesien die toepassing in staat sal wees om die **metadata** diens te kontak om 'n geldige token te **verrig** as die aangeduide bestuurde identiteit in Azure.
There are two types of managed identities:
Daar is twee tipes bestuurde identiteite:
- **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you.
- **User-assigned**. It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**.
- **Stelsel-toegeken**. Sommige Azure dienste laat jou toe om 'n **bestuurde identiteit direk op 'n diens instansie** in te skakel. Wanneer jy 'n stelsel-toegeken bestuurde identiteit inskakel, word 'n **diens prinsipaal** geskep in die Entra ID huur wat deur die subskripsie vertrou word waar die hulpbron geleë is. Wanneer die **hulpbron** verwyder word, verwyder Azure outomaties die **identiteit** vir jou.
- **Gebruiker-toegeken**. Dit is ook moontlik vir gebruikers om bestuurde identiteite te genereer. Hierdie word binne 'n hulpbron groep binne 'n subskripsie geskep en 'n diens prinsipaal sal in die EntraID geskep word wat deur die subskripsie vertrou word. Dan kan jy die bestuurde identiteit aan een of **meer instansies** van 'n Azure diens toeken. Vir gebruiker-toegeken bestuurde identiteite, word die **identiteit apart bestuur van die hulpbronne wat dit gebruik**.
Managed Identities **don't generate eternal credentials** (like passwords or certificates) to access as the service principal attached to it.
Bestuurde Identiteite **genereer nie ewige akrediteer** (soos wagwoorde of sertifikate) om toegang te verkry as die diens prinsipaal wat aan dit geheg is.
### Enterprise Applications
### Enterprise Toepassings
Its just a **table in Azure to filter service principals** and check the applications that have been assigned to.
Dit is net 'n **tafel in Azure om diens prinsipale te filter** en die toepassings wat aan hulle toegeken is, te kontroleer.
**It isnt another type of “application”,** there isnt any object in Azure that is an Enterprise Application”, its just an abstraction to check the Service principals, App registrations and managed identities.
**Dit is nie 'n ander tipe "toepassing" nie,** daar is geen objek in Azure wat 'n "Enterprise Toepassing" is nie, dit is net 'n abstraksie om die Diens prinsipale, App registrasies en bestuurde identiteite te kontroleer.
### Administrative Units
### Administratiewe Eenhede
Administrative units allows to **give permissions from a role over a specific portion of an organization**.
Administratiewe eenhede laat toe om **toestemmings van 'n rol oor 'n spesifieke gedeelte van 'n organisasie te gee**.
Example:
Voorbeeld:
- Scenario: A company wants regional IT admins to manage only the users in their own region.
- Implementation:
- Create Administrative Units for each region (e.g., "North America AU", "Europe AU").
- Populate AUs with users from their respective regions.
- AUs can **contain users, groups, or devices**
- AUs support **dynamic memberships**
- AUs **cannot contain AUs**
- Assign Admin Roles:
- Grant the "User Administrator" role to regional IT staff, scoped to their region's AU.
- Outcome: Regional IT admins can manage user accounts within their region without affecting other regions.
- Scenario: 'n Maatskappy wil regionale IT admins toelaat om slegs die gebruikers in hul eie streek te bestuur.
- Implementering:
- Skep Administratiewe Eenhede vir elke streek (bv., "Noord-Amerika AU", "Europa AU").
- Vul AU's met gebruikers uit hul onderskeie streke.
- AU's kan **gebruikers, groepe, of toestelle** bevat
- AU's ondersteun **dinamiese lidmaatskappe**
- AU's **kan nie AU's bevat nie**
- Ken Admin Rolle toe:
- Gee die "Gebruiker Administrateur" rol aan regionale IT personeel, geskaal na hul streek se AU.
- Uitkoms: Regionale IT admins kan gebruikersrekeninge binne hul streek bestuur sonder om ander streke te beïnvloed.
### Entra ID Roles
### Entra ID Rolle
- In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID
- Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
- The most privileged role is **Global Administrator**
- In the Description of the role its possible to see its **granular permissions**
- Ten einde Entra ID te bestuur, is daar 'n paar **ingeboude rolle** wat aan Entra ID prinsipale toegeken kan word om Entra ID te bestuur
- Kyk na die rolle in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
- Die mees bevoorregte rol is **Globale Administrateur**
- In die Beskrywing van die rol is dit moontlik om sy **fynere toestemmings** te sien
## Roles & Permissions
## Rolle & Toestemmings
**Roles** are **assigned** to **principals** on a **scope**: `principal -[HAS ROLE]->(scope)`
**Rolle** word **toegeken** aan **prinsipale** op 'n **skaal**: `prinsipaal -[HEE ROLE]->(skaal)`
**Roles** assigned to **groups** are **inherited** by all the **members** of the group.
**Rolle** wat aan **groepe** toegeken word, word **geërf** deur al die **lede** van die groep.
Depending on the scope the role was assigned to, the **role** cold be **inherited** to **other resources** inside the scope container. For example, if a user A has a **role on the subscription**, he will have that **role on all the resource groups** inside the subscription and on **all the resources** inside the resource group.
Afhangende van die skaal waaraan die rol toegeken is, kan die **rol** **geërf** word na **ander hulpbronne** binne die skaal houer. Byvoorbeeld, as 'n gebruiker A 'n **rol op die subskripsie** het, sal hy daardie **rol op al die hulpbron groepe** binne die subskripsie hê en op **al die hulpbronne** binne die hulpbron groep.
### **Classic Roles**
### **Klassieke Rolle**
| **Owner** | <ul><li>Full access to all resources</li><li>Can manage access for other users</li></ul> | All resource types |
| ----------------------------- | ---------------------------------------------------------------------------------------- | ------------------ |
| **Contributor** | <ul><li>Full access to all resources</li><li>Cannot manage access</li></ul> | All resource types |
| **Reader** | • View all resources | All resource types |
| **User Access Administrator** | <ul><li>View all resources</li><li>Can manage access for other users</li></ul> | All resource types |
| **Eienaar** | <ul><li>Volledige toegang tot alle hulpbronne</li><li>Kan toegang vir ander gebruikers bestuur</li></ul> | Alle hulpbron tipes |
| ------------------------------- | ---------------------------------------------------------------------------------------- | ------------------ |
| **Bydraer** | <ul><li>Volledige toegang tot alle hulpbronne</li><li>Kan nie toegang bestuur nie</li></ul> | Alle hulpbron tipes |
| **Leser** | • Sien alle hulpbronne | Alle hulpbron tipes |
| **Gebruiker Toegang Administrateur** | <ul><li>Sien alle hulpbronne</li><li>Kan toegang vir ander gebruikers bestuur</li></ul> | Alle hulpbron tipes |
### Built-In roles
### Gebou-in rolle
[From the docs: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) has several Azure **built-in roles** that you can **assign** to **users, groups, service principals, and managed identities**. Role assignments are the way you control **access to Azure resources**. If the built-in roles don't meet the specific needs of your organization, you can create your own [**Azure custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
[Van die dokumentasie: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure rol-gebaseerde toegangbeheer (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) het verskeie Azure **gebou-in rolle** wat jy kan **toeken** aan **gebruikers, groepe, diens prinsipale, en bestuurde identiteite**. Rol toekennings is die manier waarop jy **toegang tot Azure hulpbronne** beheer. As die gebou-in rolle nie aan die spesifieke behoeftes van jou organisasie voldoen nie, kan jy jou eie [**Azure pasgemaakte rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
**Built-In** roles apply only to the **resources** they are **meant** to, for example check this 2 examples of **Built-In roles over Compute** resources:
**Gebou-in** rolle geld slegs vir die **hulpbronne** waarvoor hulle **bedoel** is, byvoorbeeld kyk na hierdie 2 voorbeelde van **Gebou-in rolle oor Compute** hulpbronne:
| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Bied toestemming aan om rugsteun kluise te gebruik om disk rugsteun te doen. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------ |
| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
| [Virtuele Masjien Gebruiker Aanmelding](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | Sien Virtuele Masjiene in die portaal en meld aan as 'n gewone gebruiker. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
This roles can **also be assigned over logic containers** (such as management groups, subscriptions and resource groups) and the principals affected will have them **over the resources inside those containers**.
Hierdie rolle kan **ook toegeken word oor logiese houers** (soos bestuursgroepe, subskripsies en hulpbron groepe) en die prinsipale wat geraak word, sal dit **oor die hulpbronne binne daardie houers**.
- Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
- Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
- Vind hier 'n lys met [**alle Azure gebou-in rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
- Vind hier 'n lys met [**alle Entra ID gebou-in rolle**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
### Custom Roles
### Pasgemaakte Rolle
- Its also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
- They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups)
- Its possible to configure all the granular permissions the custom role will have
- Its possible to exclude permissions
- A principal with a excluded permission wont be able to use it even if the permissions is being granted elsewhere
- Its possible to use wildcards
- The used format is a JSON
- `actions` are for control actions over the resource
- `dataActions` are permissions over the data within the object
Example of permissions JSON for a custom role:
- Dit is ook moontlik om [**pasgemaakte rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) te skep
- Hulle word binne 'n skaal geskep, alhoewel 'n rol in verskeie skale kan wees (bestuursgroepe, subskripsie en hulpbron groepe)
- Dit is moontlik om al die fynere toestemmings wat die pasgemaakte rol sal hê, te konfigureer
- Dit is moontlik om toestemmings uit te sluit
- 'n prinsipaal met 'n uitgeslote toestemming sal dit nie kan gebruik nie, selfs al word die toestemming elders toegeken
- Dit is moontlik om wildcard te gebruik
- Die gebruikte formaat is 'n JSON
- `actions` is vir beheer aksies oor die hulpbron
- `dataActions` is toestemmings oor die data binne die objek
Voorbeeld van toestemmings JSON vir 'n pasgemaakte rol:
```json
{
"properties": {
"roleName": "",
"description": "",
"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"permissions": [
{
"actions": [
"Microsoft.DigitalTwins/register/action",
"Microsoft.DigitalTwins/unregister/action",
"Microsoft.DigitalTwins/operations/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/write",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Astronomer.Astro/register/action",
"Astronomer.Astro/unregister/action",
"Astronomer.Astro/operations/read",
"Astronomer.Astro/organizations/read"
],
"dataActions": [],
"notDataActions": []
}
]
}
"properties": {
"roleName": "",
"description": "",
"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"permissions": [
{
"actions": [
"Microsoft.DigitalTwins/register/action",
"Microsoft.DigitalTwins/unregister/action",
"Microsoft.DigitalTwins/operations/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/write",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Astronomer.Astro/register/action",
"Astronomer.Astro/unregister/action",
"Astronomer.Astro/operations/read",
"Astronomer.Astro/organizations/read"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
```
### Permissies volgorde
### Permissions order
- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**.
- An explicit **deny role assignment takes precedence** over the role granting the permission.
- Ten einde vir 'n **hoofpersoon om toegang tot 'n hulpbron te hê** moet daar 'n eksplisiete rol aan hom toegeken word (op enige manier) **wat hom daardie toestemming gee**.
- 'n Eksplisiete **weier roltoewysing het voorrang** bo die rol wat die toestemming gee.
<figure><img src="../../../images/image (191).png" alt=""><figcaption><p><a href="https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10">https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10</a></p></figcaption></figure>
### Global Administrator
### Globale Administrateur
Global Administrator is a role from Entra ID that grants **complete control over the Entra ID tenant**. However, it doesn't grant any permissions over Azure resources by default.
Globale Administrateur is 'n rol van Entra ID wat **volledige beheer oor die Entra ID huurder gee**. Dit gee egter nie standaard enige toestemmings oor Azure hulpbronne nie.
Users with the Global Administrator role has the ability to '**elevate' to User Access Administrator Azure role in the Root Management Group**. So Global Administrators can manage access in **all Azure subscriptions and management groups.**\
This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
Gebruikers met die Globale Administrateur rol het die vermoë om '**te verhoog' na die Gebruikerstoegang Administrateur Azure rol in die Wortelbestuursgroep**. So kan Globale Administrateurs toegang in **alle Azure subskripsies en bestuursgroepe bestuur.**\
Hierdie verhoging kan aan die einde van die bladsy gedoen word: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
<figure><img src="../../../images/image (349).png" alt=""><figcaption></figcaption></figure>
### Azure Policies
### Azure Beleide
**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking.
**Azure Beleide** is reëls wat organisasies help om te verseker dat hul hulpbronne aan spesifieke standaarde en nakomingsvereistes voldoen. Hulle stel jou in staat om **instellings op hulpbronne in Azure af te dwing of te oudit**. Byvoorbeeld, jy kan die skepping van virtuele masjiene in 'n nie-geautoriseerde streek voorkom of verseker dat alle hulpbronne spesifieke etikette het vir opsporing.
Azure Policies are **proactive**: they can stop non-compliant resources from being created or changed. They are also **reactive**, allowing you to find and fix existing non-compliant resources.
Azure Beleide is **proaktief**: hulle kan nie-nakomende hulpbronne stop om geskep of verander te word. Hulle is ook **reaktief**, wat jou toelaat om bestaande nie-nakomende hulpbronne te vind en reg te stel.
#### **Key Concepts**
#### **Belangrike Konsepte**
1. **Policy Definition**: A rule, written in JSON, that specifies what is allowed or required.
2. **Policy Assignment**: The application of a policy to a specific scope (e.g., subscription, resource group).
3. **Initiatives**: A collection of policies grouped together for broader enforcement.
4. **Effect**: Specifies what happens when the policy is triggered (e.g., "Deny," "Audit," or "Append").
1. **Beleid Definisie**: 'n Reël, geskryf in JSON, wat spesifiseer wat toegelaat of vereis word.
2. **Beleid Toewysing**: Die toepassing van 'n beleid op 'n spesifieke omvang (bv. subskripsie, hulpbron groep).
3. **Inisiatiewe**: 'n Versameling van beleide wat saamgegroepeer is vir breër afdwinging.
4. **Effek**: Spesifiseer wat gebeur wanneer die beleid geaktiveer word (bv. "Weier," "Oudit," of "Voeg by").
**Some examples:**
**Sommige voorbeelde:**
1. **Ensuring Compliance with Specific Azure Regions**: This policy ensures that all resources are deployed in specific Azure regions. For example, a company might want to ensure all its data is stored in Europe for GDPR compliance.
2. **Enforcing Naming Standards**: Policies can enforce naming conventions for Azure resources. This helps in organizing and easily identifying resources based on their names, which is helpful in large environments.
3. **Restricting Certain Resource Types**: This policy can restrict the creation of certain types of resources. For example, a policy could be set to prevent the creation of expensive resource types, like certain VM sizes, to control costs.
4. **Enforcing Tagging Policies**: Tags are key-value pairs associated with Azure resources used for resource management. Policies can enforce that certain tags must be present, or have specific values, for all resources. This is useful for cost tracking, ownership, or categorization of resources.
5. **Limiting Public Access to Resources**: Policies can enforce that certain resources, like storage accounts or databases, do not have public endpoints, ensuring that they are only accessible within the organization's network.
6. **Automatically Applying Security Settings**: Policies can be used to automatically apply security settings to resources, such as applying a specific network security group to all VMs or ensuring that all storage accounts use encryption.
1. **Verseker Nakoming met Spesifieke Azure Streke**: Hierdie beleid verseker dat alle hulpbronne in spesifieke Azure streke ontplooi word. Byvoorbeeld, 'n maatskappy mag wil verseker dat al sy data in Europa gestoor word vir GDPR-nakoming.
2. **Afgedwonge Naamstandaarde**: Beleide kan naamkonvensies vir Azure hulpbronne afdwing. Dit help om hulpbronne te organiseer en maklik te identifiseer op grond van hul name, wat nuttig is in groot omgewings.
3. **Beperking van Sekere Hulpbron Tipes**: Hierdie beleid kan die skepping van sekere tipes hulpbronne beperk. Byvoorbeeld, 'n beleid kan ingestel word om die skepping van duur hulpbron tipes, soos sekere VM-groottes, te voorkom om koste te beheer.
4. **Afgedwonge Etikettering Beleide**: Etikette is sleutel-waarde pare wat met Azure hulpbronne geassosieer word en gebruik word vir hulpbronbestuur. Beleide kan afdwing dat sekere etikette teenwoordig moet wees, of spesifieke waardes moet hê, vir alle hulpbronne. Dit is nuttig vir kostesporing, eienaarskap, of kategorisering van hulpbronne.
5. **Beperking van Publieke Toegang tot Hulpbronne**: Beleide kan afdwing dat sekere hulpbronne, soos stoor rekeninge of databasisse, nie publieke eindpunte het nie, wat verseker dat hulle slegs binne die organisasie se netwerk toeganklik is.
6. **Outomatiese Toepassing van Sekuriteitsinstellings**: Beleide kan gebruik word om outomaties sekuriteitsinstellings op hulpbronne toe te pas, soos om 'n spesifieke netwerk sekuriteitsgroep op alle VM's toe te pas of te verseker dat alle stoor rekeninge versleuteling gebruik.
Note that Azure Policies can be attached to any level of the Azure hierarchy, but they are **commonly used in the root management group** or in other management groups.
Azure policy json example:
Let daarop dat Azure Beleide aan enige vlak van die Azure hiërargie geheg kan word, maar hulle word **gewoonlik in die wortelbestuursgroep** of in ander bestuursgroepe gebruik.
Azure beleid json voorbeeld:
```json
{
"policyRule": {
"if": {
"field": "location",
"notIn": ["eastus", "westus"]
},
"then": {
"effect": "Deny"
}
},
"parameters": {},
"displayName": "Allow resources only in East US and West US",
"description": "This policy ensures that resources can only be created in East US or West US.",
"mode": "All"
"policyRule": {
"if": {
"field": "location",
"notIn": ["eastus", "westus"]
},
"then": {
"effect": "Deny"
}
},
"parameters": {},
"displayName": "Allow resources only in East US and West US",
"description": "This policy ensures that resources can only be created in East US or West US.",
"mode": "All"
}
```
### Toestemmings Erf
### Permissions Inheritance
In Azure **kan toestemmings aan enige deel van die hiërargie toegeken word**. Dit sluit bestuursgroepe, subskripsies, hulpbron groepe, en individuele hulpbronne in. Toestemmings word **geërf** deur die ingeslote **hulpbronne** van die entiteit waar hulle toegeken is.
In Azure **permissions are can be assigned to any part of the hierarchy**. That includes management groups, subscriptions, resource groups, and individual resources. Permissions are **inherited** by contained **resources** of the entity where they were assigned.
This hierarchical structure allows for efficient and scalable management of access permissions.
Hierdie hiërargiese struktuur stel doeltreffende en skaalbare bestuur van toegangstoestemmings in staat.
<figure><img src="../../../images/image (26).png" alt=""><figcaption></figcaption></figure>
### Azure RBAC vs ABAC
**RBAC** (role-based access control) is what we have seen already in the previous sections: **Assigning a role to a principal to grant him access** over a resource.\
However, in some cases you might want to provide **more fined-grained access management** or **simplify** the management of **hundreds** of role **assignments**.
**RBAC** (rol-gebaseerde toegangbeheer) is wat ons reeds in die vorige afdelings gesien het: **'n rol aan 'n prinsiep toe te ken om hom toegang te gee** oor 'n hulpbron.\
E however, in sommige gevalle wil jy dalk **meer fyn-gegradeerde toegangsbewaking** of **vereenvoudig** die bestuur van **honderde** rol **toekennings**.
Azure **ABAC** (attribute-based access control) builds on Azure RBAC by adding **role assignment conditions based on attributes** in the context of specific actions. A _role assignment condition_ is an **additional check that you can optionally add to your role assignment** to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can **add a condition that requires an object to have a specific tag to read the object**.\
You **cannot** explicitly **deny** **access** to specific resources **using conditions**.
Azure **ABAC** (attribuut-gebaseerde toegangbeheer) bou op Azure RBAC deur **roltoekenningsvoorwaardes gebaseer op attribuute** in die konteks van spesifieke aksies by te voeg. 'n _roltoekenningsvoorwaarde_ is 'n **addisionele kontrole wat jy opsioneel aan jou roltoekenning kan voeg** om meer fyn-gegradeerde toegangbeheer te bied. 'n Voorwaarde filter die toestemmings wat as deel van die roldefinisie en roltoekenning toegeken word. Byvoorbeeld, jy kan **'n voorwaarde byvoeg wat vereis dat 'n objek 'n spesifieke etiket moet hê om die objek te lees**.\
Jy **kan nie** eksplisiet **toegang** tot spesifieke hulpbronne **weier nie** **met behulp van voorwaardes**.
## References
## Verwysings
- [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview)
- [https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions)
@@ -379,7 +375,3 @@ You **cannot** explicitly **deny** **access** to specific resources **using cond
- [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration)
{{#include ../../../banners/hacktricks-training.md}}

192
src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md
View File

@@ -4,98 +4,97 @@
## Basic Information
Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implements the OAuth 2.0 authorization framework and the OpenID Connect (OIDC) authentication protocol to manage access to resources.
Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implementeer die OAuth 2.0-autoriseringsraamwerk en die OpenID Connect (OIDC) autentikasieprotokol om toegang tot hulpbronne te bestuur.
### OAuth
**Key Participants in OAuth 2.0:**
**Belangrike Deelnemers in OAuth 2.0:**
1. **Resource Server (RS):** Protects resources owned by the resource owner.
2. **Resource Owner (RO):** Typically an end-user who owns the protected resources.
3. **Client Application (CA):** An application seeking access to resources on behalf of the resource owner.
4. **Authorization Server (AS):** Issues access tokens to client applications after authenticating and authorizing them.
1. **Hulpbronbediener (RS):** Beskerm hulpbronne wat deur die hulpbron eienaar besit word.
2. **Hulpbron Eienaar (RO):** Tipies 'n eindgebruiker wat die beskermde hulpbronne besit.
3. **Kliënttoepassing (CA):** 'n Toepassing wat toegang tot hulpbronne soek namens die hulpbron eienaar.
4. **Autoriseringsbediener (AS):** Gee toegangstokens aan kliënttoepassings nadat dit hulle geverifieer en geautoriseer het.
**Scopes and Consent:**
**Skoppe en Toestemming:**
- **Scopes:** Granular permissions defined on the resource server that specify access levels.
- **Consent:** The process by which a resource owner grants a client application permission to access resources with specific scopes.
- **Skoppe:** Fyn gespesifiseerde toestemmings op die hulpbronbediener wat toegangsvlakke spesifiseer.
- **Toestemming:** Die proses waardeur 'n hulpbron eienaar 'n kliënttoepassing toestemming gee om toegang tot hulpbronne met spesifieke skoppe te verkry.
**Microsoft 365 Integration:**
**Microsoft 365 Integrasie:**
- Microsoft 365 utilizes Azure AD for IAM and is composed of multiple "first-party" OAuth applications.
- These applications are deeply integrated and often have interdependent service relationships.
- To simplify user experience and maintain functionality, Microsoft grants "implied consent" or "pre-consent" to these first-party applications.
- **Implied Consent:** Certain applications are automatically **granted access to specific scopes without explicit user or administrator approva**l.
- These pre-consented scopes are typically hidden from both users and administrators, making them less visible in standard management interfaces.
- Microsoft 365 gebruik Azure AD vir IAM en bestaan uit verskeie "eerste-party" OAuth-toepassings.
- Hierdie toepassings is diep geïntegreer en het dikwels onderling afhanklike diensverhoudings.
- Om die gebruikerservaring te vereenvoudig en funksionaliteit te handhaaf, gee Microsoft "implisiete toestemming" of "vooraf toestemming" aan hierdie eerste-party toepassings.
- **Implisiete Toestemming:** Sekere toepassings word outomaties **toegang tot spesifieke skoppe sonder eksplisiete gebruiker of administrateur goedkeuring gegee**.
- Hierdie vooraf goedgekeurde skoppe is tipies verborge vir beide gebruikers en administrateurs, wat dit minder sigbaar maak in standaard bestuursinterfaces.
**Client Application Types:**
**Kliënttoepassing Tipes:**
1. **Confidential Clients:**
- Possess their own credentials (e.g., passwords or certificates).
- Can **securely authenticate themselves** to the authorization server.
2. **Public Clients:**
- Do not have unique credentials.
- Cannot securely authenticate to the authorization server.
- **Security Implication:** An attacker can impersonate a public client application when requesting tokens, as there is no mechanism for the authorization server to verify the legitimacy of the application.
1. **Vertroulike Kliënte:**
- Besit hul eie geloofsbriewe (bv. wagwoorde of sertifikate).
- Kan **veilig hulself autentiseer** by die autoriseringsbediener.
2. **Publieke Kliënte:**
- Het nie unieke geloofsbriewe nie.
- Kan nie veilig autentiseer by die autoriseringsbediener nie.
- **Sekuriteitsimplikasie:** 'n Aanvaller kan 'n publieke kliënttoepassing naboots wanneer hy tokens aan vra, aangesien daar geen meganisme is vir die autoriseringsbediener om die legitimiteit van die toepassing te verifieer nie.
## Authentication Tokens
There are **three types of tokens** used in OIDC:
Daar is **drie tipes tokens** wat in OIDC gebruik word:
- [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default.
- **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**.
- **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens** (be from a refresh token is possible to get new refresh tokens).
- A refresh token should be tied to an **`aud`** , to some **scopes**, and to a **tenant** and it should only be able to generate access tokens for that aud, scopes (and no more) and tenant. However, this is not the case with **FOCI applications tokens**.
- A refresh token is encrypted and only Microsoft can decrypt it.
- Getting a new refresh token doesn't revoke the previous refresh token.
- [**Toegangstokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** Die kliënt bied hierdie token aan die hulpbronbediener aan om **toegang tot hulpbronne** te verkry. Dit kan slegs gebruik word vir 'n spesifieke kombinasie van gebruiker, kliënt en hulpbron en **kan nie herroep word** tot vervaldatum nie - dit is 1 uur per standaard.
- **ID Tokens**: Die kliënt ontvang hierdie **token van die autoriseringsbediener**. Dit bevat basiese inligting oor die gebruiker. Dit is **gebind aan 'n spesifieke kombinasie van gebruiker en kliënt**.
- **Herfris Tokens**: Verskaf aan die kliënt saam met toegangstoken. Gebruik om **nuwe toegang en ID tokens te verkry**. Dit is gebind aan 'n spesifieke kombinasie van gebruiker en kliënt en kan herroep word. Standaard vervaldatum is **90 dae** vir inaktiewe herfris tokens en **geen vervaldatum vir aktiewe tokens** (dit is moontlik om nuwe herfris tokens van 'n herfris token te verkry).
- 'n Herfris token moet gekoppel wees aan 'n **`aud`**, aan sekere **skoppe**, en aan 'n **tenant** en dit moet slegs in staat wees om toegangstokens vir daardie aud, skoppe (en nie meer nie) en tenant te genereer. Dit is egter nie die geval met **FOCI toepassings tokens** nie.
- 'n Herfris token is versleuteld en slegs Microsoft kan dit ontsleutel.
- Om 'n nuwe herfris token te verkry, herroep nie die vorige herfris token nie.
> [!WARNING]
> Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**.
> Inligting vir **voorwaardelike toegang** is **gestoor** binne die **JWT**. So, as jy die **token van 'n toegelate IP-adres** aan vra, sal daardie **IP** in die token **gestoor** word en dan kan jy daardie token van 'n **nie-toegelate IP gebruik om toegang tot die hulpbronne** te verkry.
### Access Tokens "aud"
The field indicated in the "aud" field is the **resource server** (the application) used to perform the login.
Die veld wat in die "aud" veld aangedui word, is die **hulpbronbediener** (die toepassing) wat gebruik word om die aanmelding uit te voer.
The command `az account get-access-token --resource-type [...]` supports the following types and each of them will add a specific "aud" in the resulting access token:
Die opdrag `az account get-access-token --resource-type [...]` ondersteun die volgende tipes en elkeen van hulle sal 'n spesifieke "aud" in die resulterende toegangstoken voeg:
> [!CAUTION]
> Note that the following are just the APIs supported by `az account get-access-token` but there are more.
> Let daarop dat die volgende net die API's is wat deur `az account get-access-token` ondersteun word, maar daar is meer.
<details>
<summary>aud examples</summary>
<summary>aud voorbeelde</summary>
- **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD).
- `https://graph.windows.net/`
- **aad-graph (Azure Active Directory Graph API)**: Gebruik om toegang te verkry tot die ouer Azure AD Graph API (verouderd), wat toepassings toelaat om gidsdata in Azure Active Directory (Azure AD) te lees en te skryf.
- `https://graph.windows.net/`
* **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more.
- `https://management.core.windows.net/ or https://management.azure.com/`
* **arm (Azure Resource Manager)**: Gebruik om Azure hulpbronne te bestuur deur die Azure Resource Manager API. Dit sluit operasies in soos die skep, opdateer en verwyder van hulpbronne soos virtuele masjiene, stoor rekeninge, en meer.
- `https://management.core.windows.net/ of https://management.azure.com/`
- **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud.
- `https://batch.core.windows.net/`
- **batch (Azure Batch Services)**: Gebruik om toegang te verkry tot Azure Batch, 'n diens wat grootmaat parallelle en hoë-prestasie rekenaar toepassings doeltreffend in die wolk moontlik maak.
- `https://batch.core.windows.net/`
* **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service.
- `https://datalake.azure.net/`
* **data-lake (Azure Data Lake Storage)**: Gebruik om te kommunikeer met Azure Data Lake Storage Gen1, wat 'n skaalbare data berging en analise diens is.
- `https://datalake.azure.net/`
- **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content.
- `https://rest.media.azure.net`
- **media (Azure Media Services)**: Gebruik om toegang te verkry tot Azure Media Services, wat wolk-gebaseerde media verwerking en aflewering dienste vir video en klank inhoud bied.
- `https://rest.media.azure.net`
* **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services.
- `https://graph.microsoft.com`
* **ms-graph (Microsoft Graph API)**: Gebruik om toegang te verkry tot die Microsoft Graph API, die verenigde eindpunt vir Microsoft 365 dienste data. Dit laat jou toe om data en insigte van dienste soos Azure AD, Office 365, Enterprise Mobility, en Sekuriteitsdienste te verkry.
- `https://graph.microsoft.com`
- **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB.
- `https://ossrdbms-aad.database.windows.net`
- **oss-rdbms (Azure Open Source Relational Databases)**: Gebruik om toegang te verkry tot Azure Databasis dienste vir oopbron relationele databasis enjin soos MySQL, PostgreSQL, en MariaDB.
- `https://ossrdbms-aad.database.windows.net`
</details>
### Access Tokens Scopes "scp"
### Access Tokens Skoppe "scp"
The scope of an access token is stored inside the scp key inside the access token JWT. These scopes define what the access token has access to.
Die skop van 'n toegangstoken word binne die scp sleutel binne die toegangstoken JWT gestoor. Hierdie skoppe definieer waartoe die toegangstoken toegang het.
If a JWT is allowed to contact an specific API but **doesn't have the scope** to perform the requested action, it **won't be able to perform the action** with that JWT.
### Get refresh & access token example
As 'n JWT toegelaat word om 'n spesifieke API te kontak, maar **nie die skop het** om die aangevraagde aksie uit te voer nie, sal dit **nie in staat wees om die aksie** met daardie JWT uit te voer nie.
### Kry herfris & toegang token voorbeeld
```python
# Code example from https://github.com/secureworks/family-of-client-ids-research
import msal
@@ -107,17 +106,17 @@ from typing import Any, Dict, List
# LOGIN VIA CODE FLOW AUTHENTICATION
azure_cli_client = msal.PublicClientApplication(
"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client
"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client
)
device_flow = azure_cli_client.initiate_device_flow(
scopes=["https://graph.microsoft.com/.default"]
scopes=["https://graph.microsoft.com/.default"]
)
print(device_flow["message"])
# Perform device code flow authentication
azure_cli_bearer_tokens_for_graph_api = azure_cli_client.acquire_token_by_device_flow(
device_flow
device_flow
)
pprint(azure_cli_bearer_tokens_for_graph_api)
@@ -125,83 +124,74 @@ pprint(azure_cli_bearer_tokens_for_graph_api)
# DECODE JWT
def decode_jwt(base64_blob: str) -> Dict[str, Any]:
"""Decodes base64 encoded JWT blob"""
return jwt.decode(
base64_blob, options={"verify_signature": False, "verify_aud": False}
)
"""Decodes base64 encoded JWT blob"""
return jwt.decode(
base64_blob, options={"verify_signature": False, "verify_aud": False}
)
decoded_access_token = decode_jwt(
azure_cli_bearer_tokens_for_graph_api.get("access_token")
azure_cli_bearer_tokens_for_graph_api.get("access_token")
)
pprint(decoded_access_token)
# GET NEW ACCESS TOKEN AND REFRESH TOKEN
new_azure_cli_bearer_tokens_for_graph_api = (
# Same client as original authorization
azure_cli_client.acquire_token_by_refresh_token(
azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
# Same scopes as original authorization
scopes=["https://graph.microsoft.com/.default"],
)
# Same client as original authorization
azure_cli_client.acquire_token_by_refresh_token(
azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
# Same scopes as original authorization
scopes=["https://graph.microsoft.com/.default"],
)
)
pprint(new_azure_cli_bearer_tokens_for_graph_api)
```
## FOCI Tokens Privilege Escalation
Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the **application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended.
Voorheen is genoem dat verfrissingstokens aan die **scopes** waaraan dit gegenereer is, aan die **toepassing** en **huurder** waaraan dit gegenereer is, gekoppel moet wees. As enige van hierdie grense oorgesteek word, is dit moontlik om voorregte te verhoog, aangesien dit moontlik sal wees om toegangstokens vir ander hulpbronne en huurders te genereer waartoe die gebruiker toegang het en met meer scopes as wat oorspronklik bedoel was.
Moreover, **this is possible with all refresh tokens** in the [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra accounts, Microsoft personal accounts, and social accounts like Facebook and Google) because as the [**docs**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) mention: "Refresh tokens are bound to a combination of user and client, but **aren't tied to a resource or tenant**. A client can use a refresh token to acquire access tokens **across any combination of resource and tenant** where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them."
Boonop, **dit is moontlik met alle verfrissingstokens** in die [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra-rekeninge, Microsoft persoonlike rekeninge, en sosiale rekeninge soos Facebook en Google) omdat die [**dokumentasie**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) noem: "Verfrissingstokens is gebonde aan 'n kombinasie van gebruiker en kliënt, maar **is nie aan 'n hulpbron of huurder gekoppel nie**. 'n Kliënt kan 'n verfrissingstoken gebruik om toegangstokens te verkry **oor enige kombinasie van hulpbron en huurder** waar dit toestemming het om dit te doen. Verfrissingstokens is versleuteld en slegs die Microsoft identity platform kan dit lees."
Moreover, note that the FOCI applications are public applications, so **no secret is needed** to authenticate to the server.
Boonop, let daarop dat die FOCI-toepassings openbare toepassings is, so **geen geheim is nodig** om by die bediener te autentiseer.
Then known FOCI clients reported in the [**original research**](https://github.com/secureworks/family-of-client-ids-research/tree/main) can be [**found here**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv).
Dan bekende FOCI-kliënte wat in die [**oorspronklike navorsing**](https://github.com/secureworks/family-of-client-ids-research/tree/main) gerapporteer is, kan [**hier gevind word**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv).
### Get different scope
Following with the previous example code, in this code it's requested a new token for a different scope:
Volgende met die vorige voorbeeldkode, in hierdie kode word 'n nuwe token vir 'n ander scope aangevra:
```python
# Code from https://github.com/secureworks/family-of-client-ids-research
azure_cli_bearer_tokens_for_outlook_api = (
# Same client as original authorization
azure_cli_client.acquire_token_by_refresh_token(
new_azure_cli_bearer_tokens_for_graph_api.get(
"refresh_token"
),
# But different scopes than original authorization
scopes=[
"https://outlook.office.com/.default"
],
)
# Same client as original authorization
azure_cli_client.acquire_token_by_refresh_token(
new_azure_cli_bearer_tokens_for_graph_api.get(
"refresh_token"
),
# But different scopes than original authorization
scopes=[
"https://outlook.office.com/.default"
],
)
)
pprint(azure_cli_bearer_tokens_for_outlook_api)
```
### Get different client and scopes
### Kry verskillende kliënt en skope
```python
# Code from https://github.com/secureworks/family-of-client-ids-research
microsoft_office_client = msal.PublicClientApplication("d3590ed6-52b3-4102-aeff-aad2292ab01c")
microsoft_office_bearer_tokens_for_graph_api = (
# This is a different client application than we used in the previous examples
microsoft_office_client.acquire_token_by_refresh_token(
# But we can use the refresh token issued to our original client application
azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"),
# And request different scopes too
scopes=["https://graph.microsoft.com/.default"],
)
# This is a different client application than we used in the previous examples
microsoft_office_client.acquire_token_by_refresh_token(
# But we can use the refresh token issued to our original client application
azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"),
# And request different scopes too
scopes=["https://graph.microsoft.com/.default"],
)
)
# How is this possible?
pprint(microsoft_office_bearer_tokens_for_graph_api)
```
## References
## Verwysings
- [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)
{{#include ../../../banners/hacktricks-training.md}}