# Azure AD Connect


- Azure AD Connect will integrate your on-premises directories with Azure Active Directory. Azure AD Connect provides the newest capabilities and replaces older versions of identity integration tools such as DirSync and Azure AD Sync.

## AD Connect Flow
![ADConnect](https://docs.microsoft.com/en-us/learn/modules/design-for-security-in-azure/media/aadconnectxprs_960.png)


### Multi-factor authentication
Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

- something you know
- something you possess
- something you are

Something you know would be a password, or the answer to a security question. Something you possess could be a mobile app that receives a notification, or a token-generating device. Something you are is typically a biometric property such as the fingerprint or face scan used on many mobile devices.

### Conditional access policy
Lamna Healthcare has created a conditional access policy that requires users accessing the application from an IP address outside of the company network to be challenged with MFA.
![Access Policy](https://docs.microsoft.com/en-us/learn/modules/design-for-security-in-azure/media/conditional-access.png)

### Azure AD Application Proxy
![Azure AD Application Proxy](ADApplicationProxy.png)

### Infrastructure Protection
Lamna Healthcare has addressed issues from their incident where infrastructure was inadvertently deleted. They've used role-based access control to better manage the security of their infrastructure, and are using managed identities to keep their credentials out of code and ease administration of the identities needed for their services.

- Role based access: Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
- Service Principal:
   Consider using `sudo` at a bash prompt, or "Run as administrator" on Windows. In both cases you are still logged in as the same identity as before, but you have changed the role under which you are executing.

   A Service Principal is exactly what its name says: an identity that is used by a service or application rather than by a person. Like other identities, it can be assigned roles.

- Managed Identities: Creating a Service Principal by hand can be tedious.
    Creating a managed identity means creating an account in Azure AD. The Azure infrastructure automatically takes care of authenticating the service and managing the account. You can then use that account like any other AD account, including securely letting the authenticated service access other Azure resources.

#### Points:
- Azure role-based access control can only be applied to Azure resources. Files and folders within a Linux file system can be secured with various methods, but not with Azure role-based access control. 
- Managed identities for Azure resources is a method of assigning an identity to services. Through this assignment, role-based access control can be granted to manage Azure services, such as starting and stopping virtual machines. 


### Encryption
- Azure Disk Encryption (ADE) is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks.
- Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed Azure SQL Databases.
- Identify and classify data

### Azure Security Center
Azure Security Center (ASC) is a monitoring service that provides threat protection across all of your services, both in Azure and on-premises.

![Azure Security Center](https://docs.microsoft.com/en-us/learn/advocates/top-5-security-items-to-consider/media/2-pricing-tier.png)

### Azure Key Vault
Azure Key Vault is a secret store: a centralized cloud service for storing application secrets. Key Vault keeps your confidential data safe by keeping application secrets in a single central location and providing secure access, permissions control, and access logging.

- Azure Storage accounts provide several high-level security benefits for the data in the cloud:

   - Protect the data at rest
   - Protect the data in transit
   - Support browser cross-domain access
   - Control who can access data
   - Audit storage access


### Shared Access Signature
 - For untrusted clients, use a shared access signature (SAS). A shared access signature is a string that contains a security token that can be attached to a URI. Use a shared access signature to delegate access to storage objects and specify constraints, such as the permissions and the time range of access.

Two types of SAS:
1) Service level:
   - You can use a service-level shared access signature to allow access to specific resources in a storage account. You'd use this type of shared access signature, for example, to allow an app to retrieve a list of files in a file system or to download a file.

2) Account level:
   - Use an account-level shared access signature to allow access to anything that a service-level shared access signature can allow, plus additional resources and abilities. For example, you can use an account-level shared access signature to allow the ability to create file systems.
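As an added example (not part of the original notes), the Python below tells the two kinds of SAS apart from their query parameters and lists the constraints a reviewer would question before handing a token to an untrusted client: an account SAS carries `ss`/`srt`, a service SAS carries `sr`, and `sp`, `se`, `spr` and `sip` hold the permissions, expiry, protocol and IP restriction. The sample tokens and their signatures are constructed, not real.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Letters used in the SAS "sp" (signed permissions) parameter.
PERM_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list",
              "a": "add", "c": "create", "u": "update", "p": "process"}

def parse_sas(uri):
    """Return the SAS query parameters of a full URI or a bare query string."""
    query = urlsplit(uri).query if "://" in uri else uri.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query).items()}

def sas_kind(params):
    # An account SAS names signed services (ss) and resource types (srt);
    # a service SAS names the single signed resource (sr) instead.
    if "ss" in params and "srt" in params:
        return "account"
    return "service" if "sr" in params else "unknown"

def parse_expiry(value):
    # "se" may be a full UTC timestamp ("...T..Z") or a date only.
    fmt = "%Y-%m-%dT%H:%M:%S" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value.rstrip("Z"), fmt).replace(tzinfo=timezone.utc)

def review_sas(uri, now=None):
    """Classify a SAS and list the constraints worth questioning."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(uri)
    findings = []
    if "se" not in p:
        findings.append("no expiry (se)")
    elif parse_expiry(p["se"]) < now:
        findings.append("expired")
    elif parse_expiry(p["se"]) - now > timedelta(days=7):
        findings.append("expiry more than 7 days out")
    # spr defaults to "https,http" when absent, so HTTP is allowed unless set.
    if "http" in p.get("spr", "https,http").split(","):
        findings.append("HTTP allowed (spr)")
    if "sip" not in p:
        findings.append("no IP range restriction (sip)")
    if {"w", "d"} & set(p.get("sp", "")):
        findings.append("write/delete permission granted")
    return {"kind": sas_kind(p),
            "permissions": [PERM_NAMES.get(c, c) for c in p.get("sp", "")],
            "findings": findings}

# Constructed sample tokens (signatures are placeholders, not real HMACs).
SERVICE_SAS = ("https://example.blob.core.windows.net/reports/q1.pdf?sv=2022-11-02"
               "&sr=b&sp=r&se=2024-05-02T00:00:00Z&spr=https&sig=CONSTRUCTED")
ACCOUNT_SAS = "?sv=2022-11-02&ss=bf&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z&sig=CONSTRUCTED"
REVIEW_TIME = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed "now" for the samples

if __name__ == "__main__":
    for sas in (SERVICE_SAS, ACCOUNT_SAS):
        print(review_sas(sas, now=REVIEW_TIME))
```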


### Advanced Threat Protection Option in Storage Account:
- Advanced Threat Protection, now in public preview, detects anomalies in account activity. It then notifies you of potentially harmful attempts to access your account. You don't have to be a security expert or manage security monitoring systems to take advantage of this layer of threat protection.

![Advanced Threat Protection](https://docs.microsoft.com/en-us/learn/data-ai-cert/secure-azure-storage-account/media/6-preview.png)

#### Command to create keyvault:
```bash
# Line continuations added so the command runs as written.
az keyvault create \
    --resource-group Learn-f18d3cdd-d608-4ff2-90ed-ea19b7aa2aef \
    --name your-unique-vault-name
```

#### Add the secret
```bash
az keyvault secret set \
    --name SecretPassword \
    --value reindeer_flotilla \
    --vault-name your-unique-vault-name
```

- When you enable managed identity (the Identity option in App Service) on your web app, Azure activates a separate token-granting REST service specifically for use by your app. Your app requests tokens from this service instead of from Azure Active Directory directly.
- Your app authenticates to the managed identity token service with a secret injected into its environment variables at runtime. This eliminates the need to store secrets during configuration.
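To make the two bullets above concrete, here is an added Python example (not code from the original notes or from Microsoft) that builds the request an App Service app sends to its local token service and reads the reply. It uses the `IDENTITY_ENDPOINT`/`IDENTITY_HEADER` variables App Service injects (falling back to the older `MSI_ENDPOINT`/`MSI_SECRET` pair); the endpoint URL, header value and token in the sample are constructed, and the reply parser assumes the epoch-seconds `expires_on` format of the 2019-08-01 API.

```python
import json
import os
import time
from urllib.parse import urlencode

# Audience used when asking for a token that Azure Key Vault will accept.
KEY_VAULT_RESOURCE = "https://vault.azure.net"

def token_request(resource, env=None):
    """Describe the GET an App Service app sends to its local token service.

    The endpoint and the per-app secret come from the environment that App
    Service injects; the secret travels in a header, never in the URL.
    """
    env = os.environ if env is None else env
    if "IDENTITY_ENDPOINT" in env:      # current App Service variables (api 2019-08-01)
        endpoint, version = env["IDENTITY_ENDPOINT"], "2019-08-01"
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    elif "MSI_ENDPOINT" in env:         # older MSI_* variables (api 2017-09-01)
        endpoint, version = env["MSI_ENDPOINT"], "2017-09-01"
        headers = {"secret": env["MSI_SECRET"]}
    else:
        raise RuntimeError("no managed identity token service in environment")
    query = urlencode({"resource": resource, "api-version": version})
    return {"url": f"{endpoint}?{query}", "headers": headers}

def parse_token_response(body, now=None):
    """Extract the bearer token and its remaining validity from the JSON reply."""
    now = time.time() if now is None else now
    data = json.loads(body)
    remaining = int(data["expires_on"]) - int(now)   # 2019-08-01: epoch seconds as a string
    if remaining <= 0:
        raise ValueError("token already expired")
    return {"token": data["access_token"], "seconds_left": remaining}

# Constructed environment and reply, shaped like App Service's but with fake values.
SAMPLE_ENV = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41932/msi/token",
              "IDENTITY_HEADER": "constructed-header-secret"}
SAMPLE_REPLY = json.dumps({"access_token": "eyJ.constructed.token", "expires_on": "1716003600",
                           "resource": KEY_VAULT_RESOURCE, "token_type": "Bearer"})

if __name__ == "__main__":
    req = token_request(KEY_VAULT_RESOURCE, SAMPLE_ENV)
    print(req["url"])                   # the secret is not part of the URL
    print(parse_token_response(SAMPLE_REPLY, now=1716000000))
```

In a real app the returned `url` and `headers` go straight into an HTTP GET, and the `token` is sent to Key Vault as `Authorization: Bearer ...`.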


- Create an app service plan:
```bash
az appservice plan create \
    --name keyvault-exercise-plan \
    --sku FREE \
    --resource-group Learn-f18d3cdd-d608-4ff2-90ed-ea19b7aa2aef
```

- Create an app service:
```bash
az webapp create \
    --plan keyvault-exercise-plan \
    --resource-group Learn-f18d3cdd-d608-4ff2-90ed-ea19b7aa2aef \
    --name srikantappservice
```

- Enable Managed Identity:
```bash
az webapp identity assign \
    --resource-group Learn-f18d3cdd-d608-4ff2-90ed-ea19b7aa2aef \
    --name srikantappservice
```
   - prints the principal ID of the new identity as output

- Grant access to the vault:
   - Running this command grants Get and List access to the managed identity
```bash
az keyvault set-policy \
    --secret-permissions get list \
    --name your-unique-vault-name \
    --object-id your-managed-identity-principal-id
```

#### Deployment command in dotnet:
```bash
dotnet publish -o pub
zip -j site.zip pub/*

az webapp deployment source config-zip \
    --src site.zip \
    --resource-group Learn-f18d3cdd-d608-4ff2-90ed-ea19b7aa2aef \
    --name your-unique-app-name

# the same deployment, run against the app created above
az webapp deployment source config-zip \
    --src site.zip \
    --resource-group Learn-f18d3cdd-d608-4ff2-90ed-ea19b7aa2aef \
    --name srikantappservice
```

### Azure Key Vault Authentication & Permissions
1) Authentication
 - Key Vault uses Azure Active Directory to authenticate users and applications.

2) Permissions:
 - Get (read secret values)
 - List (list the names of all secrets)
 - Set (create or update secret values)
