Azure Active Directory Authentication Basics
Azure Active Directory (Azure AD) verifies credentials such as a username and password. It is part of the Azure Identity Platform.
What is Authentication?
Authentication (AuthN) is the process of proving that you are who you say you are. The Microsoft identity platform uses the OpenID Connect protocol for handling authentication.
What is Authorization?
Authorization (AuthZ) is the act of granting an authenticated party permission to do something. The Microsoft identity platform uses the OAuth 2.0 protocol for handling authorization.
What are security Tokens?
The Microsoft identity provider authenticates users and issues security tokens as JWTs that contain claims.
There are 3 types of Security tokens:
- ID token
- Access tokens
- Refresh tokens
ID token: issued to the client during the OpenID Connect flow. The ID token is used to authenticate users. It is returned by the authorization endpoint of the authorization server and contains claims about the authentication of the end user (the resource owner).
Access token: issued by the authorization server as part of the OAuth 2.0 flow. It carries information about the user and the resource for which the token was issued. The access token lets clients securely call protected web APIs, and the web API uses it for authentication and authorization.
Refresh token: issued by the authorization server at the same time as the access token. The access token expires after a short time; the client uses the refresh token to obtain the next access token.
Validating Security Token
The authorization server signs the security token with a private key and publishes the corresponding public key. The web API verifies the token's signature with that public key. The client passes the access token to the web API as a bearer token in the Authorization header.
Security Principal
Security principal is a fancy name for various types of security tokens. All of the following are called security principals:
- User Principal
- Group Principal
- Service Principal
- Managed Identities
What is Claim?
A claim is an assertion made about one entity (the client application) to another entity (the resource server). Claims contain facts about the security principal that was authenticated by the authorization server. Claims provide information such as:
- Security token server (who issued the token)
- Date of token creation
- Subject
- Audience (the target application for which the token was generated)
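The checks a web API applies to the claims listed above (issuer, timestamps, subject, audience) and to the token header, as an added example that is not part of the original article. It assumes the signature has already been verified with the published public key (the step a JWT library performs against the keys in the tenant's discovery document); the issuer, audience, key id and sample token are constructed placeholder values.

```python
# Added example (not from the original article): claim validation on an Azure AD JWT
# after its RS256 signature has been checked with the tenant's published public key.
import base64
import json
import time


def _b64url_decode(part):
    # JWT parts are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt(token):
    """Split a compact JWT into (header, claims); the third part is the signature."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def validate_claims(token, expected_issuer, expected_audience, known_kids, now=None, skew=300):
    """Return the claims if the token is for us, from our issuer and currently valid."""
    header, claims = decode_jwt(token)
    if header.get("alg") != "RS256":           # Azure AD signs with RS256; never accept "none"
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if header.get("kid") not in known_kids:    # key id must match a published signing key
        raise ValueError("unknown signing key id")
    if claims.get("iss") != expected_issuer:   # who generated the token
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")                    # target application of the token
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued for a different audience")
    now = time.time() if now is None else now  # allow a small clock skew
    if now > claims["exp"] + skew:
        raise ValueError("token expired")
    if now + skew < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def make_sample_token(header, claims):
    """Constructed, unsigned sample for demonstration only (signature part is a dummy)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.dummysig"
```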
What is an Application Model?
Azure AD provides the identity service. For the identity provider to know which users have access to an application, you must register both the users and the application with the identity provider. This is the application model.
Microsoft Authentication Protocols
The Microsoft identity platform uses the OpenID Connect protocol for handling authentication and the OAuth 2.0 protocol for authorization.
Application registration gives the application an application ID and a redirect URI.
What is Bearer Token?
A bearer token is a lightweight security token that grants whoever holds it access to protected resources.
What is OpenId Connect Protocol?
OpenID Connect is an authentication protocol built on OAuth 2.0. You add authentication to your web app so that it can sign in users. Adding authentication also lets your web app access limited profile information in order to customize the experience for each user.
Web apps authenticate a user in a web browser. In this scenario, the web app directs the user’s browser to sign them in to Azure Active Directory (Azure AD). Azure AD returns a sign-in response through the user’s browser, which contains claims about the user in a security token.
Retrieve Access Token
First, the application needs to obtain an authorization code from the Azure AD /authorize endpoint. The authorization code can then be used to acquire a new access token and refresh token. If the user is not already authenticated, the Azure AD /authorize endpoint prompts the user to sign in.
The endpoint also checks whether the user (or their organization's administrator) has already granted the application consent. If consent has not already been granted, Azure AD prompts the user for consent.
After the user grants consent, an authorization code is returned to your application, which redeems it to acquire an access token and refresh token.
As an administrator, you can also consent to an application’s delegated permissions on behalf of all the users in your tenant.
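The messages of the flow described above, as an added example that is not part of the original article: the /authorize request, the redirect back to the app, and the /token requests that redeem the code and later the refresh token. It is written against the Azure AD v2.0 endpoints with the standard library only and adds PKCE and a state parameter, which the article does not mention; tenant, client ID, redirect URI and scopes are placeholder values.

```python
# Added example (not from the original article): Azure AD v2.0 authorization code flow.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: URL the browser is sent to; Azure AD signs the user in and asks for consent."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),           # include "openid" to also receive an ID token
        "state": state,                      # random value tied to this login attempt
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"


def parse_redirect(redirect_url, expected_state):
    """Step 2: pull the authorization code out of the redirect, rejecting a state mismatch."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def token_request_body(client_id, redirect_uri, code, code_verifier, scopes):
    """Step 3: form body POSTed to /token to redeem the code for access + refresh tokens."""
    return {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier,
            "scope": " ".join(scopes)}


def refresh_request_body(client_id, refresh_token, scopes):
    """Later: form body POSTed to /token once the short-lived access token has expired."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token, "scope": " ".join(scopes)}
```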
Azure Active Directory Authentication
Azure Active Directory has the following components for authentication:
- Self-Service Password Reset
- Azure AD Multi-Factor authentication
- Hybrid Integration to write password changes back to on-premises
- Hybrid integration to enforce password protection policy for an on-premise environment
- Passwordless authentication
Azure AD Self-Service Password Reset
Users can change or reset their passwords without any admin help. The self-service actions provided are:
- Password changes
- Password reset
- Account unlock
All of the above activities can be done in cloud Azure AD and are written back to the on-premises AD, so if you change a password it is synced to on-premises AD.
Azure AD Multi-Factor Authentication
During authentication the user is prompted for additional information.
Multi-factor authentication requires two or more of the following:
- Something you know: a password
- Something you have: a mobile device or hardware key
- Something you are: a biometric (fingerprint, face scan)
Password Protection by Azure AD
This enforces the use of strong passwords. Azure AD blocks weak passwords such as "password123". You can define a custom password policy for your organization. With hybrid integration you can even synchronize the policies and the weak/banned password list to on-premises AD and enforce them there.
Passwordless Authentication by Azure AD
You provide credentials using:
- Biometrics with Windows Hello for Business
- A FIDO2 security key
These authentication methods cannot be easily duplicated by attackers; therefore, they are highly safe.
Thanks for reading my article till the end. I hope you learned something special today. If you enjoyed this article then please share it with your friends, and if you have suggestions or thoughts to share with me then please write them in the comment box.
Rupesh Tiwari
Founder of Fullstack Master
Email: rupesh.tiwari.info@gmail.com
Website: RupeshTiwari.com