[Azure] A real example to tell apart the different app concepts in Azure

We will discuss the differences between App Registration, Service Principal, App Service, and Function App.

Introduction

While studying Microsoft Azure penetration testing, I had to work through important concepts such as App Registration, Service Principal, App Service, and Function App, and it is hard to tell them apart from their formal definitions alone. That is why I want to walk through the meaning of each of them with you in a real example. Let's get started!

Scenario

Let's walk through a real-world scenario involving a web application for an online bookstore called BookStore.com. We'll see how each Azure component—App Registration, App Services, Service Principals, and Function Apps—fits into this scenario.

BookStore.com wants to build a web application that allows users to browse and purchase books, an API for mobile apps, and an administrative portal for managing inventory. The application will also have an automated process to update book inventory based on sales data.

App Registration

  1. Purpose: To secure the application and provide authentication and authorization using Azure Active Directory (Azure AD).

  2. Example:

    • Register the web application: In Azure AD, you create an App Registration for the web application BookStoreWebApp.

    • Register the API: Another App Registration for the API BookStoreAPI.

    • Register the admin portal: An App Registration for the admin portal BookStoreAdminPortal.

  3. Details:

    • BookStoreWebApp:

      • Client ID: xxxxxx

      • Redirect URI: https://www.bookstore.com/signin-oidc

    • BookStoreAPI:

      • Client ID: yyyyyy

    • BookStoreAdminPortal:

      • Client ID: zzzzzz

      • Redirect URI: https://admin.bookstore.com/signin-oidc

  4. Functionality: Users logging into the web application or admin portal authenticate through Azure AD; the web app and the API use OAuth 2.0 to secure their communication.
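The checks that tie the App Registrations above to the sign-in flow, as an added example that is not code from the original post. It assumes Azure AD v2.0 tokens whose RS256 signature has already been verified against the tenant's JWKS (for example with PyJWT), so only the claim checks are shown; the tenant ID, the client IDs (stand-ins for the post's xxxxxx, yyyyyy and zzzzzz) and the token payloads are constructed sample values. The same helper serves both the web app's ID-token check and the API's access-token check from the scenario flow, which is why a token minted for BookStoreWebApp is rejected by BookStoreAPI even though both live in the same tenant.

```python
"""Checks a BookStore relying party makes against its own App Registration.

Added example, not code from the original post. It assumes Azure AD v2.0
tokens whose RS256 signature has already been verified against the tenant's
JWKS (e.g. with PyJWT); only the claim checks are shown. The tenant ID, client
IDs (the post abbreviates them as xxxxxx/yyyyyy/zzzzzz) and token payloads are
constructed sample values.
"""
import time
from urllib.parse import urlsplit

TENANT_ID = "11111111-2222-3333-4444-555555555555"          # constructed
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# One record per App Registration from the post; only the web app and admin
# portal are sign-in clients, so only they carry redirect URIs.
APPS = {
    "BookStoreWebApp": {
        "client_id": "aaaaaaaa-0000-0000-0000-00000000000a",  # stands in for xxxxxx
        "redirect_uris": {"https://www.bookstore.com/signin-oidc"},
    },
    "BookStoreAPI": {
        "client_id": "bbbbbbbb-0000-0000-0000-00000000000b",  # stands in for yyyyyy
        "redirect_uris": set(),
    },
    "BookStoreAdminPortal": {
        "client_id": "cccccccc-0000-0000-0000-00000000000c",  # stands in for zzzzzz
        "redirect_uris": {"https://admin.bookstore.com/signin-oidc"},
    },
}


def is_registered_redirect(app_name, candidate):
    """A redirect URI is accepted only on an exact, https match against the
    registration; a prefix or host-only match would let an authorization
    code be delivered to an unregistered endpoint."""
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    return candidate in APPS[app_name]["redirect_uris"]


def validate_claims(claims, app_name, expected_nonce=None, now=None):
    """Return (ok, reason) for a decoded token presented to `app_name`.

    `aud` must be that app's own client ID: an ID token minted for
    BookStoreWebApp is not acceptable to BookStoreAPI even though both live in
    the same tenant. `nonce` ties an ID token to the sign-in request that
    started the redirect flow.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    if claims.get("tid") != TENANT_ID:
        return False, "tenant mismatch"
    if claims.get("aud") != APPS[app_name]["client_id"]:
        return False, "audience mismatch"
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False, "token expired or not yet valid"
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, "ok"


def has_scope(claims, scope):
    """Access tokens carry delegated permissions in `scp` (space-separated);
    the API checks the scope, not just the audience, before serving data."""
    return scope in claims.get("scp", "").split()


# Constructed payload of an ID token issued to the web app at t=1700000000.
SAMPLE_ID_TOKEN = {
    "iss": ISSUER,
    "tid": TENANT_ID,
    "aud": APPS["BookStoreWebApp"]["client_id"],
    "sub": "user-object-id",
    "nonce": "n-4f2c",
    "nbf": 1700000000,
    "exp": 1700003600,
}

# Constructed payload of an access token for the API with one delegated scope.
SAMPLE_ACCESS_TOKEN = {
    "iss": ISSUER,
    "tid": TENANT_ID,
    "aud": APPS["BookStoreAPI"]["client_id"],
    "scp": "Books.Read",
    "nbf": 1700000000,
    "exp": 1700003600,
}

if __name__ == "__main__":
    print(validate_claims(SAMPLE_ID_TOKEN, "BookStoreWebApp", "n-4f2c", now=1700000100))
    print(validate_claims(SAMPLE_ID_TOKEN, "BookStoreAPI", now=1700000100))
    print(is_registered_redirect("BookStoreWebApp", "https://www.bookstore.com/signin-oidc"))
```

The redirect check deliberately refuses query strings and fragments and requires an exact string match, which is the behaviour the Azure AD redirect-URI list enforces on its side; the relying party repeats it so a misconfigured or wildcarded registration is caught at the application rather than trusted blindly.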

App Services

  1. Purpose: To host the web application, API, and admin portal.

  2. Example:

    • Web Application: Hosted on Azure App Service as a Web App.

      • Domain: https://www.bookstore.com

      • Service: BookStoreWebAppService

    • API: Hosted on Azure App Service as an API App.

      • Domain: https://api.bookstore.com

      • Service: BookStoreAPIService

    • Admin Portal: Hosted on Azure App Service as a Web App.

      • Domain: https://admin.bookstore.com

      • Service: BookStoreAdminPortalService

  3. Details:

    • BookStoreWebAppService:

      • Hosting the main website.

      • Scales automatically based on traffic.

    • BookStoreAPIService:

      • Provides endpoints for mobile apps and other clients to interact with the bookstore's data.

    • BookStoreAdminPortalService:

      • Provides a secure interface for administrators to manage inventory.

Service Principals

  1. Purpose: To grant the web application, API, and automated processes access to Azure resources securely.

  2. Example:

    • Web App Service Principal: BookStoreWebAppSP

    • API Service Principal: BookStoreAPISP

    • Admin Portal Service Principal: BookStoreAdminPortalSP

  3. Details:

    • BookStoreWebAppSP:

      • Permissions: Access to Azure SQL Database for user data.

      • Role: db_reader on the SQL Database.

    • BookStoreAPISP:

      • Permissions: Read and write access to the storage account for storing book images.

      • Role: Storage Blob Data Contributor.

    • BookStoreAdminPortalSP:

      • Permissions: Full access to the inventory database.

      • Role: db_owner on the SQL Database.

Function Apps

  1. Purpose: To handle serverless computing tasks like updating book inventory based on sales data.

  2. Example:

    • Inventory Update Function App: BookStoreInventoryUpdater

  3. Details:

    • BookStoreInventoryUpdater:

      • Trigger: Timer Trigger to run every hour.

      • Function Code: Fetch sales data, calculate inventory changes, and update the database.

      • Binding: Azure SQL Database to update the inventory.
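The "fetch sales data, calculate inventory changes, and update the database" step of BookStoreInventoryUpdater, as an added example that is not the post's or Azure's own code. In Azure this body would run from a timer-triggered Function App (NCRONTAB "0 0 * * * *" for hourly) connecting to Azure SQL as the function's own identity; here an in-memory SQLite database stands in for Azure SQL, and the inventory and sales rows are constructed sample data. It goes slightly beyond the post's description by handling the two failure modes a timer trigger meets in practice: a retried or overlapping run with nothing new to process, and a sale that would drive stock negative.

```python
"""Inventory update step of the post's BookStoreInventoryUpdater.

Added example, not the post's or Azure's own code. In Azure this function
body would run from a timer-triggered Function App (NCRONTAB "0 0 * * * *"
for hourly) connecting to Azure SQL as the function's own identity; here an
in-memory SQLite database stands in for Azure SQL, and the inventory and
sales rows are constructed sample data.
"""
import sqlite3
from datetime import datetime, timezone

# Three tables are all the function's identity needs to touch. Following the
# post's least-privilege split, that identity should hold SELECT on sales,
# UPDATE on inventory and INSERT on run_log: not db_owner (the admin portal's
# role) and not the read-only role the web app uses (SQL Server's built-in
# name for that one is db_datareader).
SCHEMA = """
CREATE TABLE inventory (
    isbn     TEXT PRIMARY KEY,
    quantity INTEGER NOT NULL CHECK (quantity >= 0)
);
CREATE TABLE sales (
    sale_id INTEGER PRIMARY KEY,
    isbn    TEXT NOT NULL,
    qty     INTEGER NOT NULL CHECK (qty > 0),
    sold_at TEXT NOT NULL
);
CREATE TABLE run_log (
    run_id       INTEGER PRIMARY KEY,
    last_sale_id INTEGER NOT NULL,
    ran_at       TEXT NOT NULL
);
"""


def make_db():
    """Create the stand-in database with constructed sample rows."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO inventory VALUES (?, ?)",
                     [("978-0-00-000001-1", 10), ("978-0-00-000002-8", 3)])
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?, ?)", [
        (1, "978-0-00-000001-1", 2, "2024-05-01T10:05:00Z"),
        (2, "978-0-00-000002-8", 1, "2024-05-01T10:20:00Z"),
        (3, "978-0-00-000001-1", 1, "2024-05-01T10:41:00Z"),
    ])
    return conn


def last_processed_sale(conn):
    """High-water mark recorded by the previous run; 0 before the first run."""
    return conn.execute("SELECT COALESCE(MAX(last_sale_id), 0) FROM run_log").fetchone()[0]


def update_inventory(conn, now=None):
    """Fetch sales not yet processed, aggregate per ISBN and apply the deltas.

    Returns {isbn: new_quantity} for the rows changed. Everything happens in
    one transaction keyed on the sale_id high-water mark, so a retried or
    overlapping hourly run with no new sales changes nothing, and a sale that
    would drive stock negative rolls the whole batch back for investigation.
    """
    now = datetime.now(timezone.utc) if now is None else now
    since = last_processed_sale(conn)
    rows = conn.execute(
        "SELECT isbn, SUM(qty), MAX(sale_id) FROM sales WHERE sale_id > ? GROUP BY isbn",
        (since,),
    ).fetchall()
    if not rows:
        return {}
    changed = {}
    conn.execute("BEGIN")
    try:
        for isbn, sold, _ in rows:
            cur = conn.execute(
                "UPDATE inventory SET quantity = quantity - ? WHERE isbn = ? AND quantity >= ?",
                (sold, isbn, sold),
            )
            if cur.rowcount != 1:  # unknown ISBN or insufficient stock
                raise ValueError(f"cannot apply {sold} sold for {isbn}")
            changed[isbn] = conn.execute(
                "SELECT quantity FROM inventory WHERE isbn = ?", (isbn,)
            ).fetchone()[0]
        conn.execute("INSERT INTO run_log (last_sale_id, ran_at) VALUES (?, ?)",
                     (max(r[2] for r in rows), now.isoformat()))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return changed


if __name__ == "__main__":
    db = make_db()
    print(update_inventory(db))   # first hourly run applies sales 1-3
    print(update_inventory(db))   # nothing new to process: {}
```

All statements are parameterised, and the function never needs to read user data or touch anything outside the three inventory tables, which is what lets its Service Principal be scoped far more tightly than the admin portal's db_owner.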

Full Scenario Flow

  1. The User Authentication and Access:

    • A user navigates to https://www.bookstore.com.

    • They are redirected to Azure AD for authentication.

    • After successful login, they are redirected back to the web app (using the App Registration details).

  2. Web App Functionality:

    • When the user browses books, the web app calls BookStoreAPIService at https://api.bookstore.com to fetch data.

    • The web app uses its Service Principal BookStoreWebAppSP to read user data from the Azure SQL Database.

  3. Admin Portal:

    • An admin navigates to https://admin.bookstore.com and logs in via Azure AD.

    • The portal uses BookStoreAdminPortalSP to manage book inventory with full database access.

  4. Automated Inventory Updates:

    • The BookStoreInventoryUpdater function runs every hour.

    • It uses its Service Principal to access sales data and update the inventory in the SQL Database.

Summary

  • App Registration secures and integrates apps with Azure AD.

  • App Services hosts the web application, API, and admin portal.

  • Service Principals grant applications secure access to Azure resources.

  • Function Apps handle serverless tasks like periodic inventory updates.

This setup ensures that BookStore.com operates securely, scales automatically, and maintains an up-to-date inventory with minimal manual intervention.

Thanks for your time, and keep in touch.
