[Azure] Real Example to know different types of app concepts in Azure

We will discuss the differences between App Registration, Service Principal, App Service, and Function App.

Introduction

When I was studying Microsoft Azure penetration testing, I had to work through important concepts like App Registration, Service Principal, App Service, and Function App. It is hard to tell them apart from their formal definitions alone, so I want to walk through the meaning of each one with you using a real example. Let's get started!

Scenario

Let's walk through a real-world scenario involving a web application for an online bookstore called BookStore.com. We'll see how each Azure component—App Registration, App Services, Service Principals, and Function Apps—fits into this scenario.

BookStore.com wants to build a web application that allows users to browse and purchase books, an API for mobile apps, and an administrative portal for managing inventory. The application will also have an automated process to update book inventory based on sales data.

App Registration

  1. Purpose: To secure the application and provide authentication and authorization using Azure Active Directory (Azure AD).

  2. Example:

    • Register the web application: In Azure AD, you create an App Registration for the web application BookStoreWebApp.

    • Register the API: Another App Registration for the API BookStoreAPI.

    • Register the admin portal: An App Registration for the admin portal BookStoreAdminPortal.

  3. Details:

    • BookStoreWebApp:

      • Client ID: xxxxxx

      • Redirect URI: https://www.bookstore.com/signin-oidc

    • BookStoreAPI:

      • Client ID: yyyyyy

    • BookStoreAdminPortal:

      • Client ID: zzzzzz

      • Redirect URI: https://admin.bookstore.com/signin-oidc

  4. Functionality: Users logging into the web application or admin portal authenticate through Azure AD; the web app and the API use OAuth 2.0 to secure their communication.

App Services

  1. Purpose: To host the web application, API, and admin portal.

  2. Example:

    • Web Application: Hosted on Azure App Service as a Web App.

      • Domain: https://www.bookstore.com

      • Service: BookStoreWebAppService

    • API: Hosted on Azure App Service as an API App.

      • Domain: https://api.bookstore.com

      • Service: BookStoreAPIService

    • Admin Portal: Hosted on Azure App Service as a Web App.

      • Domain: https://admin.bookstore.com

      • Service: BookStoreAdminPortalService

  3. Details:

    • BookStoreWebAppService:

      • Hosting the main website.

      • Scales automatically based on traffic.

    • BookStoreAPIService:

      • Provides endpoints for mobile apps and other clients to interact with the bookstore's data.

    • BookStoreAdminPortalService:

      • Provides a secure interface for administrators to manage inventory.

Service Principals

  1. Purpose: To grant the web application, API, and automated processes access to Azure resources securely.

  2. Example:

    • Web App Service Principal: BookStoreWebAppSP

    • API Service Principal: BookStoreAPISP

    • Admin Portal Service Principal: BookStoreAdminPortalSP

  3. Details:

    • BookStoreWebAppSP:

      • Permissions: Access to Azure SQL Database for user data.

      • Role: db_reader on the SQL Database.

    • BookStoreAPISP:

      • Permissions: Read and write access to the storage account for storing book images.

      • Role: Storage Blob Data Contributor.

    • BookStoreAdminPortalSP:

      • Permissions: Full access to the inventory database.

      • Role: db_owner on the SQL Database.

Function Apps

  1. Purpose: To handle serverless computing tasks like updating book inventory based on sales data.

  2. Example:

    • Inventory Update Function App: BookStoreInventoryUpdater

  3. Details:

    • BookStoreInventoryUpdater:

      • Trigger: Timer Trigger to run every hour.

      • Function Code: Fetch sales data, calculate inventory changes, and update the database.

      • Binding: Azure SQL Database to update the inventory.

Full Scenario Flow

  1. The User Authentication and Access:

    • A user navigates to https://www.bookstore.com.

    • They are redirected to Azure AD for authentication.

    • After successful login, they are redirected back to the web app (using the App Registration details).

  2. Web App Functionality:

    • The user browses books, which calls the BookStoreAPIService at https://api.bookstore.com to fetch data.

    • The web app uses its Service Principal BookStoreWebAppSP to read user data from the Azure SQL Database.

  3. Admin Portal:

    • An admin navigates to https://admin.bookstore.com and logs in via Azure AD.

    • The portal uses BookStoreAdminPortalSP to manage book inventory with full database access.

  4. Automated Inventory Updates:

    • The BookStoreInventoryUpdater function runs every hour.

    • It uses its Service Principal to access sales data and update the inventory in the SQL Database.
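The scenario above translated into Azure CLI provisioning steps, as an added example that is not from the original post. It assumes an existing resource group bookstore-rg, storage accounts bookstoreimgs and bookstorefuncsa, a prior az login, and the placeholder region westeurope; the redirect-URI check reflects Azure AD's rule that web redirect URIs must use https except for localhost.

```shell
# Azure CLI sketch of the BookStore.com setup. Assumed (not from the post): resource
# group "bookstore-rg", storage accounts "bookstoreimgs"/"bookstorefuncsa", prior az login.
set -eu
RG="bookstore-rg"
LOCATION="westeurope"
# Azure AD matches redirect URIs exactly and requires https (http only for
# localhost), so an App Registration with anything else is refused up front.
check_redirect_uri() {
  case "$1" in
    https://*) return 0 ;;
    http://localhost|http://localhost:*|http://localhost/*) return 0 ;;
    *) return 1 ;;
  esac
}
# App Registration: the identity object in Azure AD; prints its appId (client ID).
create_app_registration() {   # $1 = display name, $2 = redirect URI (optional)
  if [ -n "${2:-}" ]; then
    check_redirect_uri "$2" || { echo "rejected redirect URI: $2" >&2; return 1; }
    az ad app create --display-name "$1" --sign-in-audience AzureADMyOrg \
      --web-redirect-uris "$2" --query appId -o tsv
  else
    az ad app create --display-name "$1" --sign-in-audience AzureADMyOrg \
      --query appId -o tsv
  fi
}
# Service Principal: the tenant-local instance of that registration; prints its object id.
create_service_principal() {  # $1 = appId
  az ad sp create --id "$1" --query id -o tsv
}
# Role assignment scoped to one resource, never the whole subscription.
grant_role() {                # $1 = SP object id, $2 = role name, $3 = resource id
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal --role "$2" --scope "$3" -o none
}
provision_bookstore() {
  web_app=$(create_app_registration BookStoreWebApp https://www.bookstore.com/signin-oidc)
  api_app=$(create_app_registration BookStoreAPI)
  admin_app=$(create_app_registration BookStoreAdminPortal https://admin.bookstore.com/signin-oidc)
  # Expose the API so the web app can request tokens whose audience is api://<api appId>.
  az ad app update --id "$api_app" --identifier-uris "api://$api_app"
  api_sp=$(create_service_principal "$api_app")
  storage_id=$(az storage account show -g "$RG" -n bookstoreimgs --query id -o tsv)
  grant_role "$api_sp" "Storage Blob Data Contributor" "$storage_id"
  # Function App for the hourly updater; its timer schedule is set in the function code.
  az functionapp create -g "$RG" -n BookStoreInventoryUpdater --storage-account bookstorefuncsa \
    --consumption-plan-location "$LOCATION" --os-type Linux --runtime python --functions-version 4 -o none
  # A system-assigned managed identity is itself a service principal: no secret to manage.
  az functionapp identity assign -g "$RG" -n BookStoreInventoryUpdater -o none
  echo "web=$web_app api=$api_app admin=$admin_app"
}
```

Call provision_bookstore from a shell where the Azure CLI is logged in; the db_reader and db_owner database roles in the post are granted inside the SQL database itself, not through az role assignment, so they are left out here.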

Summary

  • App Registration secures and integrates apps with Azure AD.

  • App Services hosts the web application, API, and admin portal.

  • Service Principals grant applications secure access to Azure resources.

  • Function Apps handle serverless tasks like periodic inventory updates.

This setup ensures that BookStore.com operates securely, scales automatically, and maintains an up-to-date inventory with minimal manual intervention.

Thanks for your time, and keep in touch.

Last updated 10 months ago