Microsoft identity platform

Implement Azure Security for Developers

Anushika Agarwal

Cloud Data Engineer

What is the Microsoft identity platform?

  • Manages app sign-ins and access
    • Built on Microsoft Entra ID
      • Entra ID = Core Identity Service
      • Identity Platform = Developer Layer for Apps

Relationship between Entra ID and Microsoft Identity Platform


How does it work?

  • Authenticates:
    • Standards:
      1. OAuth 2.0: limits what apps can do
      2. OpenID Connect: confirms who you are
    • Account Types
      • Enterprise/school accounts
      • Personal Microsoft accounts
      • Social/local accounts

Microsoft Identity Platform


Key tools of the Microsoft identity platform

  • MSAL:
    • request tokens for apps

MSAL

  • App registration:
    • set up app identity in Azure

App registration

  • Microsoft Graph API:
    • access users, groups, and resources

Microsoft Graph API


App registration

  • Registering apps connects them to Entra ID
  • Choose:
    • Single-tenant: app works only in your org
    • Multi-tenant: app works across orgs
  • Automatically creates:
    • Application object
    • Service principal
  • Add secrets, certificates, scopes, and branding

App Registration


Application object

  • Blueprint of the app
  • Lives in your home tenant
  • Defines authentication and access rules

Application Object


Example: application object in PeopleSphere

  • PeopleSphere creates an HR app in its own tenant

PeopleSphere's Application Object Example


Service principal

  • Instance of the app in each tenant
  • Working copy of the original key
  • Each customer gets their own service principal in their tenant

Service Principal


Example: service principal in DataCamp

  • Service Principal created in DataCamp's tenant

Example service principal in DataCamp


Types of service principal

  • Application:
    • Standard app instance

Application

  • Managed Identity:
    • secret-free access

Managed Identity

  • Legacy:
    • Older apps

Legacy


Permissions

  • Apps request access using OAuth 2.0 and permission scopes
  • Example scope: graph.microsoft.com/Calendars.Read

Example scope Calendars.Read

How Apps Request and Gain Access via Microsoft Identity Platform


Delegated permissions

  • App acts on behalf of the user
  • Requires a signed-in user
  • Example: PeopleSphere schedules meetings for DataCamp users

PeopleSphere delegated permission example


App-only permissions

  • App acts as itself
  • No user involvement
  • Example: PeopleSphere syncs HR data nightly

PeopleSphere App-only permission example
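The delegated and app-only slides above describe two kinds of access token. This added example (not part of the course material) shows how a resource API such as the HR service tells them apart: the Microsoft identity platform places delegated permissions in the space-separated `scp` claim and app-only permissions in the `roles` array, so the API must check the claim that matches the flow it expects. The tokens below are constructed and unsigned; the code assumes a JWT library has already validated signature, issuer, audience and expiry, and the tenant id is a placeholder.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED JWT-shaped token for the demo only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_claims(token: str) -> dict:
    """Return the payload claims. Assumes signature, issuer, audience and
    expiry were already validated by a JWT library before this step."""
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def permission_kind(claims: dict) -> str:
    """Delegated tokens carry 'scp'; app-only tokens carry 'roles'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "none"


def is_authorized(claims: dict, required: str) -> bool:
    """Check the claim matching the flow: scp when a user is signed in,
    roles when the app calls as itself. Anything else is denied."""
    kind = permission_kind(claims)
    if kind == "delegated":
        return required in claims["scp"].split()
    if kind == "app-only":
        return required in claims.get("roles", [])
    return False


# Constructed delegated token: PeopleSphere acting for a DataCamp user.
DELEGATED = make_sample_token({"tid": "tenant-id-placeholder",
                               "scp": "Calendars.Read User.Read"})
# Constructed app-only token: PeopleSphere's nightly HR sync, no user.
APP_ONLY = make_sample_token({"tid": "tenant-id-placeholder",
                              "roles": ["Calendars.Read"]})
```

Graph exposes Calendars.Read as both a delegated scope and an application permission, which is why the same name can appear in either claim depending on the flow.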


Consent

  • Apps need consent to activate permission scopes
  • Consent types:
    • Static: permissions set during registration
    • Incremental: added as needed
    • Admin: required for high-privilege access

Consent


Let's practice!
