Microsoft Entra ID Application authorization

Captions
>> Hey, guys, thank you so much for stopping by for another video. My name is Yoel Horvitz. I'm a Program Manager with the Microsoft Security Customer Experience Engineering team.

>> My name is Katherine Legg and I'm a Product Manager in the Developer Experience team. In today's video, we will talk about authorization and role-based access control in Azure Active Directory for customers. We'll start with a quick overview of role-based access control and how it can help you protect access to your applications. We'll demonstrate the user experience using the Woodgrove demo web application. And finally, we'll show you how easy it is to configure role-based access control using the Microsoft Entra Admin Center. Role-based access control is a popular mechanism to enforce authorization in applications. It helps you manage who has access to your application and what they can do in the application. When an organization uses role-based access control, an application developer defines the roles in the application. An administrator can then assign these roles to different users, which controls who has access to the application and what they can do with it. Developers can also use security groups to implement role-based access control in their applications, where the user's memberships in specific groups are interpreted as their role memberships. Azure Active Directory for customers issues an access token for an authenticated user, which includes the names of the roles they have been assigned in the application and all the groups the user is a member of. Developers have the flexibility to decide how role and group assignments are to be used within the application, for example, to show or hide some of the elements on the screen or block access to certain functionality based on the user's role or security groups. Let me hand you over to Yoel, who will show you how role-based access control changes the functionality of the Woodgrove Groceries demo application.

>> Thank you, Katherine. Woodgrove Groceries is a global retail food store that is integrated with Azure Active Directory for customers for its online food shopping application. Get started by navigating to the Woodgrove Groceries demo application at wdgdemo.net. From there, select the Sign-in button. Sign in or sign up with your social or local account. In this demo, we sign in with a Facebook account. After the user signs in, their name appears in the header and they can add items to the cart. The Woodgrove Groceries demo application allows you to add yourself to a security group and application roles. From the header, select the profile icon. In the profile page, you can update your profile data, but you can also add yourself to the Commercial Accounts security group. By doing so, you will get discounts on some of the products. Usually an administrator needs to approve your request, but for this demo your request is automatically approved. Select the Commercial Accounts security group and update your account. To reflect the change in the security token returned to the Woodgrove application, sign out and sign in again with the same account. Great. Now that you are a member of the Commercial Accounts security group, some of the items have a discount. Let's move on and update your profile again. This time, add yourself to the Product Contributor and Orders Manager roles. The Orders Manager role grants you access to manage customers' online orders, and the Product Contributor role grants you access to manage Woodgrove products. Select both of them and save the changes. Sign out and sign in again with the same account. Now you have the option to manage the Woodgrove products and the customers' orders. If you select your name from the header, it shows the content of the access token issued by Azure Active Directory for customers that was returned to the Woodgrove application. As you can guess, it contains a groups claim and the two roles you assigned. This demo application checks the claim values and gives you discounts and access to manage products and online orders.

>> Now that you understand the user experience and how the application can change its behavior, let us show you how easy it is to implement role-based access control in your application. We start by configuring the application to emit the security groups users are members of. We need to do so only for security groups; application roles are included in the security tokens by default. Open the Microsoft Entra Admin Center at entra.microsoft.com and sign in with your administrator account. From the menu, select Applications and then App registrations. Select All applications and then, from the list of applications, select your application. Select Token configuration and then select Add groups claim. Select Security groups. You can select the format for how security groups are represented in the access and ID tokens. Select Add to save all the changes. To add a user to a security group, select Groups from the menu and then select All groups. Then select the group you want to add the user to. In this demo, we select Commercial Accounts. Select Members. Select Add members, and select the users you want to add to this group. Next, we add two roles to the application. From the menu, select Applications and then App registrations. Select All applications and then, from the list of applications, select your application. From the menu, select App roles and then select Add app role. Enter a display name for the role. Select Users and groups, so you can assign both of them to your application. For the value, enter the name of the role, add a description, then select Apply to save the changes. Add a second role. Good, we are all set. Now you can assign the application roles to users. From the application Overview, select the application name, which takes you to the service principal of your application. From the menu, select Users and groups, then select Add users or groups. Select the user you want to assign a role to in this application, then select the role you want to assign to the user, and select Assign to complete the process. You can assign more roles to the user. To do so, repeat this step, but this time select the other role. That's it. Now when the user signs in, they will have both the groups and roles claims, with the security group and application roles we just added.

>> To quickly recap, in this demo we started with a quick overview of role-based access control and how it can help you protect access to your applications. We demonstrated the user experience using the Woodgrove demo web application. And finally, we showed you how easy it is to configure role-based access control using the Microsoft Entra Admin Center. You can also automate the role assignment and group membership process by using the Microsoft Graph API or a PowerShell script.

>> To learn more about Azure Active Directory for customers, discover the latest updates, developer content, and resources, go to aka.ms/ciam/dev. Thanks for watching this video and we'll see you in the next one. Goodbye.
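The application-side half of what the video demonstrates, the check of the roles and groups claims in the token, as an added Python example that is not the Woodgrove demo's own code. The role values (Orders.Manager, Products.Contributor), the group object id, and the token itself are constructed for the example; the video shows only the role display names and never the group id. Two caveats the transcript implies are built in: a token that predates a group or role assignment carries none of the new claims until the user signs out and in again, and a missing groups claim (the claim is not emitted until it is added under Token configuration) must be treated as "no groups", so group-gated features fail closed.

```python
import base64
import json

# Constructed for this example: the video names the roles only by display
# name and never shows the Commercial Accounts group's object id.
ROLE_ORDERS_MANAGER = "Orders.Manager"
ROLE_PRODUCTS_CONTRIBUTOR = "Products.Contributor"
COMMERCIAL_ACCOUNTS_GROUP = "0f4b5d9a-1234-4c3e-9abc-000000000001"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT.

    This only parses. It checks no signature, issuer, audience or expiry, so
    call it only on tokens your OIDC middleware or MSAL has already validated,
    never on raw input taken from the client.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def roles_of(claims: dict) -> frozenset:
    """App roles assigned to the user on this application (emitted by default)."""
    return frozenset(claims.get("roles") or [])


def groups_of(claims: dict) -> frozenset:
    """Security groups; present only once the groups claim is configured.
    An absent claim is 'no groups', so anything gated on a group is denied."""
    return frozenset(claims.get("groups") or [])


def authorize(claims: dict, any_role=(), any_group=()) -> bool:
    """Allow when the user holds at least one of the listed roles or groups."""
    if not any_role and not any_group:
        return False  # nothing was required: deny rather than allow by accident
    return bool(roles_of(claims) & frozenset(any_role)) or bool(
        groups_of(claims) & frozenset(any_group)
    )


def has_commercial_discount(claims: dict) -> bool:
    return authorize(claims, any_group=[COMMERCIAL_ACCOUNTS_GROUP])


def can_manage_orders(claims: dict) -> bool:
    return authorize(claims, any_role=[ROLE_ORDERS_MANAGER])


def can_manage_products(claims: dict) -> bool:
    return authorize(claims, any_role=[ROLE_PRODUCTS_CONTRIBUTOR])


def constructed_token(claims: dict) -> str:
    """Build a token shaped like the one the demo displays, for offline parsing.
    The signature segment is left empty because this is a constructed sample;
    a real token is validated by the auth library before decode_payload sees it."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed claims: the token issued after the second sign-in in the demo
# (one group, two roles) and the stale token from before the user signed out.
AFTER_SIGN_IN = {
    "sub": "user-1",
    "groups": [COMMERCIAL_ACCOUNTS_GROUP],
    "roles": [ROLE_ORDERS_MANAGER, ROLE_PRODUCTS_CONTRIBUTOR],
}
BEFORE_SIGN_OUT = {"sub": "user-1"}

if __name__ == "__main__":
    for label, raw in (("stale", BEFORE_SIGN_OUT), ("fresh", AFTER_SIGN_IN)):
        claims = decode_payload(constructed_token(raw))
        print(label, has_commercial_discount(claims),
              can_manage_orders(claims), can_manage_products(claims))
```

The checks key on the claim values the directory emits, not on display names, which is why the App roles value field matters more than the display name when you register a role. Keep `authorize` as the single gate so that every feature toggle in the UI and every server-side handler read the same entitlement logic.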
Info
Channel: Microsoft Security
Views: 20,115
Id: ZxHnv7OTzXI
Length: 8min 56sec (536 seconds)
Published: Wed May 24 2023