Security

Authentication

~3 mins read

Practically, the auth info provided is either

  1. something the user knows (like a password, PIN, or key)
  2. something the user has (like a smart card or proof of possession of a smart phone)
  3. something the user is (like the user’s fingerprint, voice, or face)

Keys are more general, passwords are more specific

For example a million users of a website can verify the site with a single certificate, while each user have their own password

Some auth good practices

Use 2-factor

Add exponential delay to repeated login attempts

Lock account after repeated failed login attempts

Use authorization levels.

Least privilege, never grant more access than required.

Separation of privileges, so your system is not all or nothing

Use allow-lists, not block-lists

MS auth

  1. Manage redirect URIs:
    1. Own and update DNS records
    2. Avoid wildcards in URIs
    3. Ensure HTTPS for web app URIs
    4. Use platform-specific or random URIs for public clients
    5. Utilize specific URI for isolated web agents
    6. Regularly review and remove unused URIs
  2. Directory app registration:
    1. Minimize and manually monitor owners
  3. OAuth2 implicit grant flow:
    1. Enable only when explicitly required
  4. Avoid resource owner password credential flow (ROPC):
    1. Use more secure authentication flows
    2. Consider specific scenarios like DevOps
  5. Protect confidential app credentials:
    1. Prefer certificate credentials over passwords
    2. Avoid manual setting of passwords
    3. Use Azure Key Vault or managed identities for storage and rotation
  6. Request least privilege permissions:
    1. Only request necessary permissions
    2. Understand application vs delegated permissions
  7. Secure API permissions
    1. Define permissions granularly
    2. Admin consent for critical permissions
    3. Validate expected permissions in tokens before authorization
  8. Use modern authentication solutions (OAuth 2.0, OpenID Connect) for user sign-ins.
  9. Leverage Microsoft Authentication Library (MSAL) instead of direct protocol programming.
  10. Do not parse or rely on access tokens in client applications; use ID tokens for user-related information.
  11. Migrate apps from Azure AD Authentication Library (ADAL) to MSAL for improved security and support.
  12. Configure mobile apps with broker redirect URIs for single sign-on using Microsoft Authenticator or Company Portal.
  13. Maintain one token cache per account in web apps and web APIs for efficient token management.

  14. Request data permissions through Microsoft Graph endpoint for integrated data access.

  15. Understand and configure consent prompts to inform end users and admins adequately.
  16. Minimize user login prompts by using silent authentication wherever possible.
  17. Avoid using “prompt=consent” unnecessarily; use it only when additional permissions are required.
  18. Enrich application functionality with user data via Microsoft Graph API.
  19. Register all necessary permissions for easy admin consent and use incremental consent for user understanding.
  20. Implement a seamless single sign-out experience for privacy, security, and user satisfaction.

🎰