Introduction
This article goes through and answers the most frequently asked questions about Enterprise Intranet.
Authentication and Authorization
How do the Wizdom REST API Authentication and Authorization work?
The REST API, deployed as an Azure web service, leverages Azure AD token-based authentication and authorization.
- The application uses its Azure AD Client ID and Secret to request a token from Azure AD.
- Azure AD validates that the client app registration is present and validates its API permissions.
- Azure AD sends an access token back to the client application.
- The client app uses the access token to call the REST API.
- Requests are validated when they are accompanied by a valid access token in the Authorization header of the HTTP request. This header carries a token of type 'JWT' signed with the 'RS256' algorithm.
- The system validates the currently logged-in user's roles on resources, i.e. Wizdom global admin, module-level admin, etc.
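The two API-side steps above (accept only a correctly signed RS256 JWT, then map the caller's roles to what they may do) are shown below as an added example. It is not Wizdom's code and the product's implementation language is not stated on this page; Python with the `cryptography` package is used here for illustration. The issuer and audience strings, the `roles` claim name, the role names and the permission sets are all assumptions, and the key pair is generated on the fly to stand in for Azure AD's signing key.

```python
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Expected issuer/audience of tokens this API accepts. Both values are
# placeholders for illustration, not the product's real tenant or app IDs.
EXPECTED_ISSUER = "https://sts.windows.net/<tenant-id-placeholder>/"
EXPECTED_AUDIENCE = "api://wizdom-rest-api-placeholder"

# Role-to-permission map. Role names echo the FAQ ("Wizdom global admin",
# "module-level admin"); the "roles" claim name and permission sets are assumed.
ROLE_PERMISSIONS = {
    "WizdomGlobalAdmin": {"read", "write", "admin"},
    "ModuleAdmin": {"read", "write"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(private_key, claims: dict) -> str:
    """Build a compact JWT signed with RS256 (stand-in for the Azure AD token endpoint)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = private_key.sign(f"{header}.{payload}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_token(token: str, public_key, now=None) -> dict:
    """Return the verified claims or raise ValueError (the API-side authentication check)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm: the header is untrusted input, so a token
    # declaring 'none' or any other algorithm is refused before anything else.
    if header.get("typ") != "JWT" or header.get("alg") != "RS256":
        raise ValueError("unexpected token type or algorithm")
    try:
        public_key.verify(_b64url_decode(sig_b64), f"{header_b64}.{payload_b64}".encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except (InvalidSignature, ValueError) as exc:
        raise ValueError("signature verification failed") from exc
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this API")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def authorize(claims: dict, required: str) -> bool:
    """Authorization step: map the token's roles to permissions and check one."""
    granted = set()
    for role in claims.get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return required in granted


def demo(now: int = 1_700_000_000) -> dict:
    """Run the flow with a throwaway key pair and constructed claims."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "nbf": now - 60, "exp": now + 3600}

    def rejected(token: str) -> bool:
        try:
            validate_token(token, pub, now=now)
            return False
        except ValueError:
            return True

    results = {}
    admin = validate_token(issue_token(key, {**base, "roles": ["WizdomGlobalAdmin"]}), pub, now=now)
    results["global_admin_can_admin"] = authorize(admin, "admin")
    module = validate_token(issue_token(key, {**base, "roles": ["ModuleAdmin"]}), pub, now=now)
    results["module_admin_can_write"] = authorize(module, "write")
    results["module_admin_can_admin"] = authorize(module, "admin")
    results["expired_rejected"] = rejected(issue_token(key, {**base, "exp": now - 1}))
    # A genuine signature must not survive edited claims: the payload below
    # claims the global-admin role but is paired with the module-admin signature.
    header_b64, _, sig_b64 = issue_token(key, {**base, "roles": ["ModuleAdmin"]}).split(".")
    edited = _b64url_encode(json.dumps({**base, "roles": ["WizdomGlobalAdmin"]}).encode())
    results["edited_claims_rejected"] = rejected(f"{header_b64}.{edited}.{sig_b64}")
    # A token that declares no algorithm and carries no signature is refused too.
    none_hdr = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    results["unsigned_rejected"] = rejected(f"{none_hdr}.{edited}.")
    return results


if __name__ == "__main__":
    print(demo())
```

In production the public key comes from the tenant's published signing keys rather than a locally generated pair, and the issuer and audience are the real tenant and app registration values; the order of checks (algorithm, signature, then issuer, audience and validity window, and only then roles) is the part that carries over.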
Admin Section
Is admin consent provided by a member of the Global Admins?
Yes.
I want to check which account would have visibility into all 3 modules mentioned in the presentation. Would there be any admin roles to manage service account integration or any privileged function?
No admin roles to manage service account integration.
Could you confirm whether any local account will be created?
No local accounts.
Authentication
Is OIDC (OpenID Connect) 1.0 used for authentication?
No, we don't use OpenID Connect.
Is this client-secret or certificate-based?
Client-secret based. The available expiry values are 3 months, 6 months, 12 months, 18 months, 24 months. 2 years is the maximum if you set it via the UI and 3 years if you set it via PowerShell.
Could you also confirm how authentication tokens/keys are managed for the service account, including storage, access, and rotation?
There is no rotation of service accounts. We get the connection string from the Azure App Service configuration and then use it in the called function when it is needed. The life of the client created using this connection string is limited to the function execution.
My understanding is that we do not store any data other than the service account tokens in the LiveTiles tenancy; could you please confirm whether we are storing any org-structure AD property or any other data in LiveTiles?
We store some profile information in our SQL DB, with no passwords, etc.
Azure Directory
What component of the solution synchronizes (i.e. provisions) Azure Active Directories between the WorkSafe/TAC and Wizdom Azure subscription?
Wizdom app + Azure AD app
Microsoft Graph API
Can I confirm that both the Graph user (delegated permission) and application (application permission) are granted the various API permissions/scopes (sites, users, groups) via OAuth 2.0 authorization to the registered app, and that SAML 2.0 is not used for SSO?
Yes, OAuth 2.0.
What endpoints/technology does this synchronization engine use?
We use the Graph API connecting to AAD, and logins are stored in the LiveTiles database in the dbo.Principal table. We save the following fields: [DisplayName], [GroupId], [LoginName], [Email], [LanguageTag], [ADId].
One of the security requirements is that all admin accounts will follow a secure privileged access management (PAM) method, including protected credential storage and multi-factor authentication.
We can't use MFA on the Graph account.
System Logs
Could you confirm that the service account will not be used for any interactive log-on services?
This is correct.
May we know what is captured as part of the Application Insights logs? We want to check whether it is possible to build the below monitoring use cases from the logs that are captured, and whether we capture anything like this in our logs. Could you also confirm that the Application Insights logs are immutable, with strict access restrictions?
Application Insights is not enabled on the DEV services and can be enabled if our support needs it for troubleshooting. Microsoft provides this as-is.
The below events are monitored when Application Insights is enabled.
- Unauthorized access to core applications
- Brute force login attempts to core applications
- Data exfiltration
- Lateral movement
- Suspicious outbound communications
- Unauthorized Configuration or Policy Changes
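As an added example of how one of the use cases above (brute-force login attempts) can be expressed as a detection over request telemetry, the following Python script flags any client IP that produces a burst of 401/403 responses inside a sliding time window. It is not the product's own monitoring logic; the page does not specify the Application Insights schema, so the record shape (timestamp, client IP, request name, result code) and the sample rows are constructed for the example, and the threshold and window are assumed defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of Application Insights "requests"
# records: (timestamp, client IP, request name, HTTP result code).
# Addresses are from documentation ranges; none of this is real log data.
SAMPLE_REQUESTS = [
    ("2024-01-10T09:00:01Z", "203.0.113.7", "GET /api/profiles", "200"),
    ("2024-01-10T09:00:05Z", "198.51.100.9", "POST /api/token", "401"),
    ("2024-01-10T09:00:30Z", "198.51.100.9", "POST /api/token", "401"),
    ("2024-01-10T09:01:00Z", "198.51.100.9", "POST /api/token", "401"),
    ("2024-01-10T09:01:30Z", "198.51.100.9", "POST /api/token", "401"),
    ("2024-01-10T09:02:00Z", "198.51.100.9", "POST /api/token", "403"),
    ("2024-01-10T09:02:30Z", "198.51.100.9", "POST /api/token", "401"),
    ("2024-01-10T09:03:00Z", "203.0.113.7", "GET /api/admin/settings", "403"),
    ("2024-01-10T09:40:00Z", "203.0.113.7", "GET /api/admin/settings", "403"),
    # Five failures spread over twenty minutes: below the rate that a
    # five-minute window should flag.
    ("2024-01-10T09:00:00Z", "192.0.2.4", "POST /api/token", "401"),
    ("2024-01-10T09:06:00Z", "192.0.2.4", "POST /api/token", "401"),
    ("2024-01-10T09:12:00Z", "192.0.2.4", "POST /api/token", "401"),
    ("2024-01-10T09:18:00Z", "192.0.2.4", "POST /api/token", "401"),
    ("2024-01-10T09:24:00Z", "192.0.2.4", "POST /api/token", "401"),
]

AUTH_FAILURE_CODES = {"401", "403"}


def detect_repeated_auth_failures(rows, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: peak_failures} for clients whose 401/403 responses
    reach `threshold` within any sliding window of length `window`."""
    failures = defaultdict(list)
    for timestamp, client_ip, _name, result_code in rows:
        if result_code in AUTH_FAILURE_CODES:
            failures[client_ip].append(datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"))

    flagged = {}
    for client_ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, current in enumerate(times):
            # Slide the window start forward until it fits inside `window`.
            while current - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client_ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in detect_repeated_auth_failures(SAMPLE_REQUESTS).items():
        print(f"repeated auth failures from {ip}: {count} within 5 minutes")
```

The same loop works over rows exported from the requests table with a query that keeps only 401/403 results; the thresholds should be tuned against the service's normal failure rate before the rule is used to raise alerts.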