AZ-500 Study guide - Section 4 - Manage identity and access - Manage Microsoft Entra application access

As organizations modernize and scale their cloud environments, Microsoft Entra ID provides a robust identity platform to manage secure access to applications and resources. Whether you're preparing for an exam, a certification, or deepening your practical expertise, this guide covers essential areas around application management and identity configuration.
Manage Access to Enterprise Applications (Including OAuth Permission Grants)
Enterprise applications represent service principals for apps in your tenant. Managing access includes:
- Assigning users/groups to apps
- Configuring Single Sign-On (SSO)
- Granting OAuth permissions (delegated and application permissions)
Best Practices
| Practice | Description |
|---|---|
| Grant least privilege | Assign only the necessary permissions to applications to minimize security risks. |
| Regularly audit permissions | Use logs and reporting tools to review OAuth grants and detect anomalies. |
| Use admin consent when possible | Prevent consent fatigue by pre-approving permissions for applications. |
Use Cases
| Scenario | Details |
|---|---|
| Multi-tenant SaaS | Require admin consent for shared applications across multiple tenants. |
| HR app SSO | Assign specific groups to the application and enable Single Sign-On for seamless access. |
| API app | Grant application permissions for daemon apps that operate without user interaction. |
Configuration Steps
- Assign Users/Groups to an Application:
  - Navigate to Microsoft Entra admin center.
  - Select Enterprise applications and choose the application.
  - Under Users and groups, add the desired users or groups.
  - Assign appropriate roles as needed.
- Configure Single Sign-On (SSO):
  - In the application’s Single sign-on settings, choose the appropriate SSO method (e.g., SAML, OIDC).
  - Provide necessary configuration details such as Identifier (Entity ID) and Reply URL.
  - Test the SSO configuration to ensure proper setup.
- Grant Admin Consent for Permissions:
  - In the application’s API permissions section, review the permissions required by the application.
  - Click on Grant admin consent for to approve the permissions on behalf of all users.
For more detailed information, refer to Manage access to an application - Microsoft Entra ID.
Manage Microsoft Entra App Registrations
App registrations are how you integrate applications with Entra ID for identity and access management.
Best Practices
| Practice | Description |
|---|---|
| Use clear naming conventions | Helps in identifying the application's purpose easily. |
| Separate dev/test/prod | Register separate applications for development, testing, and production environments. |
| Automate credential rotation | Reduces the risk of expired secrets and enhances security. |
Use Cases
| Scenario | Details |
|---|---|
| SPA registration | Register as a Single-page application with appropriate redirect URIs. |
| Certificate-based auth | Use a certificate for long-lived credentials to enhance security. |
| Partner integration | Create multi-tenant app registrations for external partner access. |
Configuration Steps
- Register a New Application:
  - Navigate to Microsoft Entra admin center.
  - Select App registrations > New registration.
  - Provide a Name, select the Supported account types, and specify the Redirect URI if applicable.
  - Click Register.
- Configure Certificates & Secrets:
  - In the registered application, go to Certificates & secrets.
  - To add a certificate:
    - Click on Certificates > Upload certificate.
    - Select and upload your certificate file (.cer, .pem, .crt).
  - To add a client secret:
    - Click on Client secrets > New client secret.
    - Provide a description and set an expiration period.
    - Click Add and note the generated secret value.
- Set API Permissions:
  - Navigate to API permissions > Add a permission.
  - Choose the API and select the required permissions.
  - If necessary, grant admin consent.
For a step-by-step guide, refer to Quickstart: Register an application in Microsoft Entra ID.
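The "Automate credential rotation" practice and the "note the generated secret value" step both come down to knowing when each credential on each registration expires. The script below is an added example (not from the study guide or from Microsoft) that reviews the `passwordCredentials` and `keyCredentials` collections as Microsoft Graph returns them for an application object; the three registrations, their dates and the one-year maximum lifetime policy are constructed for the example.

```python
"""Review app registration credentials for expiry, lifetime and secret use.

Added example for the study guide; not Microsoft code. The records mirror the
passwordCredentials / keyCredentials collections of a Microsoft Graph
application object, but every value below is constructed sample data.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "today" so the review is reproducible (constructed).
DEMO_NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)

# Constructed sample: three app registrations as Graph would return them.
SAMPLE_APPS = json.dumps([
    {"displayName": "hr-sso-prod", "appId": "11111111-0000-0000-0000-000000000001",
     "passwordCredentials": [
         {"keyId": "k1", "displayName": "rotated-2024-12",
          "startDateTime": "2024-12-10T00:00:00Z", "endDateTime": "2025-02-10T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "daemon-reporting-prod", "appId": "11111111-0000-0000-0000-000000000002",
     "passwordCredentials": [],
     "keyCredentials": [
         {"keyId": "c1", "type": "AsymmetricX509Cert", "usage": "Verify",
          "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"displayName": "legacy-tool", "appId": "11111111-0000-0000-0000-000000000003",
     "passwordCredentials": [
         {"keyId": "k2", "displayName": "old",
          "startDateTime": "2022-11-01T00:00:00Z", "endDateTime": "2024-11-01T00:00:00Z"},
         {"keyId": "k3", "displayName": "new",
          "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"}],
     "keyCredentials": []},
])


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_credentials(apps_json, now, warn_within=timedelta(days=30),
                       max_lifetime=timedelta(days=365)):
    """Return issues as (app displayName, keyId or None, issue) tuples, in input order.

    max_lifetime is an assumed internal policy for the example, not an Entra default.
    """
    issues = []
    for app in json.loads(apps_json):
        name = app["displayName"]
        if app["passwordCredentials"]:
            # The guide prefers certificates for long-lived credentials: flag secrets once per app.
            issues.append((name, None, "uses-client-secret"))
        creds = ([("secret", c) for c in app["passwordCredentials"]]
                 + [("certificate", c) for c in app["keyCredentials"]])
        for kind, cred in creds:
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            if end <= now:
                issues.append((name, cred["keyId"], f"{kind}-expired"))
            elif end - now <= warn_within:
                issues.append((name, cred["keyId"], f"{kind}-expiring-soon"))
            if end - start > max_lifetime:
                issues.append((name, cred["keyId"], f"{kind}-lifetime-over-policy"))
    return issues


if __name__ == "__main__":
    for app, key_id, issue in review_credentials(SAMPLE_APPS, DEMO_NOW):
        print(f"{app}: {issue}" + (f" ({key_id})" if key_id else ""))
```

In a real tenant the input would come from a Graph query for applications with their credential collections; the review logic stays the same, and the `warn_within` window is what you would tie to a rotation pipeline so a replacement credential exists before the old one expires.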
Configure App Registration Permission Scopes
Scopes define the specific actions a user or app can perform when granted a token.
Best Practices
| Practice | Description |
|---|---|
| Define minimal scopes | Avoid over-permissioning applications by specifying only necessary scopes. |
| Use meaningful scope names | Makes it easier for administrators and users to understand the permissions. |
| Document scopes in portal | Add descriptions for better governance and clarity. |
Use Cases
| Scenario | Details |
|---|---|
| Custom API access | Define read/write scopes for an API to control access levels. |
| Role-based app access | Use scopes tied to application roles to enforce role-based access control. |
| Mobile app permissions | Create delegated scopes like user.profile for mobile applications accessing user data. |
Configuration Steps
- Expose an API:
  - In the registered application, go to Expose an API.
  - Set the Application ID URI if not already set.
- Add a Scope:
  - Click on Add a scope.
  - Provide the Scope name, Admin consent display name, and Admin consent description.
  - Specify who can consent (Admins only or Admins and users).
  - Click Add scope.
- Define App Roles (if applicable):
  - Navigate to App roles and click Create app role.
  - Provide a Display name, Value, and Description.
  - Assign the role to Users/Groups or Applications as needed.
For more information, see Scopes and permissions in the Microsoft identity platform.
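Scopes and app roles only enforce anything if the API that exposes them checks the token. The following is an added example (not from the study guide or from Microsoft) of that check for a custom API: delegated scopes arrive in the `scp` claim as a space-separated string, application permissions arrive in the `roles` claim as a list, and the audience must be the API itself. The Application ID URI `api://contoso-hr-api`, the client ID, the claim sets and the endpoint policy table are all constructed; signature, issuer and expiry validation are assumed to have been done already by a JWT library.

```python
"""Authorize a request to a custom API from the access token's scp/roles claims.

Added example, not from the study guide or Microsoft. It assumes the token has
already been validated (signature, issuer, expiry) and only decides whether
the claims permit the requested endpoint. All identifiers are constructed.
"""

API_AUDIENCE = "api://contoso-hr-api"                    # constructed Application ID URI
API_CLIENT_ID = "22222222-0000-0000-0000-000000000001"  # constructed app (client) ID

# Constructed claim sets in the shape of Microsoft identity platform access tokens.
USER_TOKEN_CLAIMS = {        # delegated: a user signed in through a mobile app
    "aud": API_AUDIENCE, "scp": "Employees.Read profile", "oid": "user-42", "idtyp": "user"}
DAEMON_TOKEN_CLAIMS = {      # application permission: daemon, no user present
    "aud": API_CLIENT_ID, "roles": ["Employees.Read.All"], "oid": "sp-daemon", "idtyp": "app"}
WRONG_AUDIENCE_CLAIMS = {    # a token issued for another API presented to ours
    "aud": "https://graph.microsoft.com", "scp": "Employees.Read", "oid": "user-7"}

# Endpoint -> (delegated scopes that allow it, app roles that allow it). Constructed policy.
ENDPOINT_POLICY = {
    "GET /employees": ({"Employees.Read", "Employees.ReadWrite"}, {"Employees.Read.All"}),
    "PUT /employees": ({"Employees.ReadWrite"}, {"Employees.ReadWrite.All"}),
}


def delegated_scopes(claims):
    """scp is a single space-separated string; absent on app-only tokens."""
    return set(claims.get("scp", "").split())


def app_roles(claims):
    """roles is a list; carries application permissions on app-only tokens."""
    return set(claims.get("roles", []))


def authorize(claims, endpoint):
    """Return (allowed, reason). Audience is checked before any permission logic."""
    # v1.0 tokens use the Application ID URI as audience, v2.0 tokens use the client ID.
    if claims.get("aud") not in (API_AUDIENCE, API_CLIENT_ID):
        return False, "audience mismatch"
    if endpoint not in ENDPOINT_POLICY:
        return False, "unknown endpoint"
    scopes_ok, roles_ok = ENDPOINT_POLICY[endpoint]
    matched_scopes = delegated_scopes(claims) & scopes_ok
    if matched_scopes:
        return True, "delegated scope " + ",".join(sorted(matched_scopes))
    matched_roles = app_roles(claims) & roles_ok
    if matched_roles:
        return True, "application role " + ",".join(sorted(matched_roles))
    return False, "insufficient permissions"


if __name__ == "__main__":
    for label, claims in [("user", USER_TOKEN_CLAIMS), ("daemon", DAEMON_TOKEN_CLAIMS),
                          ("wrong-aud", WRONG_AUDIENCE_CLAIMS)]:
        for endpoint in ENDPOINT_POLICY:
            print(label, endpoint, authorize(claims, endpoint))
```

The policy table is where "read/write scopes" and "scopes tied to application roles" from the use-case table meet: a read endpoint accepts either the delegated read scope or the application-level read role, while the write endpoint requires the write variants, so a daemon with only `Employees.Read.All` cannot modify data.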
Manage App Registration Permission Consent
Consent determines how and when users or administrators approve access for applications.
Best Practices
| Practice | Description |
|---|---|
| Use admin consent workflow | Allows oversight of permission requests and centralizes approval processes. |
| Restrict user consent | Prevents overexposure of sensitive APIs by limiting user consent capabilities. |
| Enable consent policies | Provides fine-grained control over what permissions can be approved and by whom. |
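The "Regularly audit permissions" practice in the enterprise applications section and the "Restrict user consent" practice above both need the same review: which service principals hold which permissions, and who consented. The script below is an added example (not from the study guide or from Microsoft) that reads records shaped like Microsoft Graph `oauth2PermissionGrant` objects (delegated grants, where `consentType` is `AllPrincipals` for admin consent and `Principal` for a single user's consent) and `appRoleAssignment` objects (application permissions held by a service principal), and lists the ones worth a second look. The grants, role IDs, service principal names and the high-impact permission list are constructed for the example.

```python
"""Review OAuth permission grants and app-role assignments for risky consent.

Added example for this study guide; it is not Microsoft code. The records are
shaped like Microsoft Graph oauth2PermissionGrant and appRoleAssignment objects
(consentType, principalId, scope, appRoleId, ...) but every value is constructed.
"""
import json
from dataclasses import dataclass

# Permissions treated as high impact for this example (an assumption, not an official list).
HIGH_IMPACT = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All", "Sites.ReadWrite.All",
}

# Constructed sample: delegated grants. AllPrincipals = admin consented for everyone;
# Principal = one user consented for themselves.
SAMPLE_GRANTS = json.dumps([
    {"id": "g1", "clientId": "sp-hr-app", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "sp-mail-helper", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "Mail.ReadWrite Mail.Send"},
    {"id": "g3", "clientId": "sp-notes-plugin", "consentType": "Principal",
     "principalId": "user-42", "resourceId": "sp-graph", "scope": "Files.ReadWrite.All"},
])

# Constructed sample: application permissions (app roles) held by a daemon's service principal.
SAMPLE_ROLE_ASSIGNMENTS = json.dumps([
    {"id": "a1", "principalId": "sp-daemon", "principalType": "ServicePrincipal",
     "resourceId": "sp-graph", "appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"id": "a2", "principalId": "sp-daemon", "principalType": "ServicePrincipal",
     "resourceId": "sp-graph", "appRoleId": "00000000-0000-0000-0000-000000000002"},
])

# appRoleId -> permission value, as read from the resource service principal's appRoles.
# Constructed GUIDs; the real IDs come from the tenant.
SAMPLE_ROLE_NAMES = {
    "00000000-0000-0000-0000-000000000001": "User.Read.All",
    "00000000-0000-0000-0000-000000000002": "Directory.ReadWrite.All",
}


@dataclass(frozen=True)
class Finding:
    client: str        # service principal that holds the permission
    kind: str          # tenant-wide-delegated | user-consented | application-permission
    permission: str
    consented_by: str  # "admin", "user:<id>" or "admin (app role)"


def audit(grants_json, assignments_json, role_names):
    """Return the grants an administrator should review, in input order."""
    findings = []
    for grant in json.loads(grants_json):
        for scope in grant["scope"].split():
            if scope not in HIGH_IMPACT:
                continue
            if grant["consentType"] == "AllPrincipals":
                findings.append(Finding(grant["clientId"], "tenant-wide-delegated", scope, "admin"))
            else:
                findings.append(Finding(grant["clientId"], "user-consented", scope,
                                        f"user:{grant['principalId']}"))
    for assignment in json.loads(assignments_json):
        if assignment.get("principalType") != "ServicePrincipal":
            continue  # user/group app-role assignments are app access RBAC, not API permissions
        permission = role_names.get(assignment["appRoleId"], f"unknown:{assignment['appRoleId']}")
        # Application permissions run without a signed-in user, so unresolved IDs are reviewed too.
        if permission in HIGH_IMPACT or permission.startswith("unknown:"):
            findings.append(Finding(assignment["principalId"], "application-permission",
                                    permission, "admin (app role)"))
    return findings


def format_report(findings):
    """One line per finding, grouped by client, for a review ticket or log entry."""
    ordered = sorted(findings, key=lambda f: (f.client, f.kind, f.permission))
    return [f"{f.client}: {f.kind} {f.permission} (consented by {f.consented_by})" for f in ordered]


if __name__ == "__main__":
    print("\n".join(format_report(audit(SAMPLE_GRANTS, SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_ROLE_NAMES))))
```

A `user-consented` finding for a high-impact scope is the signal that the tenant's user consent settings still allow that permission to be granted without an administrator; a `tenant-wide-delegated` finding is a past admin consent decision to re-confirm; an `application-permission` finding is a daemon that can act with no user in the loop, which is exactly the "API app" use case and the one to keep to the minimum.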
Enterprise Applications
Use Cases
| Scenario | Details |
|---|---|
| Multi-tenant SaaS Integration | Requires admin consent for applications shared across multiple tenants. Ensures secure integration with third-party cloud services. |
| HR Application SSO Implementation | Enables seamless login experience for employees accessing HR systems. Centralizes access management through group assignments. |
| API Application Backend Services | Grants application permissions for daemon apps operating without user interaction. Supports background processing and automated workflows. |
Configuration Steps
1. Assign Users/Groups to an Application:
   - Navigate to Microsoft Entra admin center
   - Select Enterprise applications and choose the application
   - Under Users and groups, add the desired users or groups
   - Assign appropriate roles as needed
2. Configure Single Sign-On (SSO):
   - In the application's Single sign-on settings, choose the appropriate SSO method (e.g., SAML, OIDC)
   - Provide necessary configuration details such as Identifier (Entity ID) and Reply URL
   - Test the SSO configuration to ensure proper setup
3. Grant Admin Consent for Permissions:
   - In the application's API permissions section, review the permissions required by the application
   - Click on "Grant admin consent for " to approve the permissions on behalf of all users
App Registrations
Use Cases
| Scenario | Details |
|---|---|
| Single-Page Application (SPA) Registration | Register client-side web applications with appropriate redirect URIs. Enables modern authentication flows for JavaScript applications. |
| Certificate-Based Authentication | Implements stronger security using certificates instead of secrets. Provides long-lived credentials with enhanced security controls. |
| Partner Integration | Creates multi-tenant app registrations for external partner access. Facilitates B2B scenarios and cross-tenant collaboration. |
Configuration Steps
1. Register a New Application:
   - Navigate to Microsoft Entra admin center
   - Select App registrations > New registration
   - Provide a Name, select the Supported account types, and specify the Redirect URI if applicable
   - Click Register
2. Configure Certificates & Secrets:
   - For certificates:
     - In the registered application, go to Certificates & secrets
     - Click on Certificates > Upload certificate
     - Select and upload your certificate file (.cer, .pem, .crt)
   - For client secrets:
     - Click on Client secrets > New client secret
     - Provide a description and set an expiration period
     - Click Add and note the generated secret value
3. Set API Permissions:
   - Navigate to API permissions > Add a permission
   - Choose the API and select the required permissions
   - If necessary, grant admin consent
Permission Scopes
Use Cases
| Scenario | Details |
|---|---|
| Custom API Access Control | Define read/write scopes for an API to control access levels. Enables granular permission management for different API operations. |
| Role-Based Application Access | Use scopes tied to application roles to enforce role-based access control. Supports separation of duties and least privilege principles. |
| Mobile App Permissions | Create delegated scopes like user.profile for mobile applications accessing user data. Ensures proper authorization for client applications. |
Configuration Steps
1. Expose an API:
   - In the registered application, go to Expose an API
   - Set the Application ID URI if not already set
2. Add a Scope:
   - Click on Add a scope
   - Provide the Scope name, Admin consent display name, and Admin consent description
   - Specify who can consent (Admins only or Admins and users)
   - Click Add scope
3. Define App Roles (if applicable):
   - Navigate to App roles and click Create app role
   - Provide a Display name, Value, and Description
   - Assign the role to Users/Groups or Applications as needed
Manage and Use Service Principals
A service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.
Best Practices
| Practice | Description |
|---|---|
| Assign roles with care | Avoid overly permissive role assignments. |
| Use managed identity when possible | Reduce complexity and improve security posture. |
| Monitor sign-in and activity | Track usage patterns and anomalies using Entra logs. |
Use Cases
| Scenario | Details |
|---|---|
| CI/CD deployment pipelines | Grant a service principal access to deploy resources using ARM templates. |
| Automation scripts | Use a service principal with certificates or secrets to authenticate in PowerShell or CLI. |
Configuration Steps
- Create a Service Principal via App Registration:
  - Register an application in Entra ID.
  - A service principal is automatically created in the tenant.
- Assign Role to Service Principal:
  - Go to the Azure portal > Resource > Access control (IAM).
  - Click Add role assignment, choose a role, and assign to the service principal.
- Authenticate with Service Principal:
  - Use CLI:

    ```shell
    az login --service-principal -u <appId> -p <password-or-cert> --tenant <tenant>
    ```
Manage Managed Identities for Azure Resources
Managed identities provide Azure services with an automatically managed identity to access other Azure resources.
Best Practices
| Practice | Description |
|---|---|
| Prefer managed identity over secrets | Avoids storing credentials in code. |
| Use system-assigned identities where possible | Ties lifecycle to the resource. |
| Monitor permissions via Entra | Ensure least privilege for managed identities. |
Use Cases
| Scenario | Details |
|---|---|
| Key Vault access | Allow a virtual machine to access secrets without credentials. |
| Azure Function integration | Enable secure access to storage or databases from serverless compute. |
Configuration Steps
- Enable Managed Identity:
  - Go to your resource (e.g., VM, App Service).
  - Select Identity, toggle System-assigned to On, and save.
- Assign Permissions:
  - Go to the target resource (e.g., Key Vault).
  - Under Access policies or IAM, assign the identity appropriate roles.
- Access from Code:
  - Use Azure SDKs or `DefaultAzureCredential` to authenticate automatically.
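The difference between the service principal login above and a managed identity is where the credential lives. The script below is an added example (not from the study guide, Microsoft, or the Azure SDK) that builds the two token requests without sending them: the client-credentials request a service principal makes to the tenant's token endpoint, and the request a VM-hosted managed identity makes to the Azure Instance Metadata Service (IMDS), which needs no secret because the platform identifies the caller. The tenant ID, client ID, secret and token response are constructed placeholders; App Service and Functions expose the managed identity endpoint through environment variables rather than the IMDS address shown here.

```python
"""Where the credential lives: client-credentials flow vs. managed identity.

Added example, not from the study guide or the Azure SDK. It builds the two
token requests without sending them and parses a constructed token response.
All tenant, client and secret values are placeholders.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

# Azure Instance Metadata Service endpoint used by managed identities on VMs.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

# Constructed token response and the time it was "received", for the parser below.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "eyJ-constructed-sample-token", "expires_in": "3599",
    "token_type": "Bearer", "resource": "https://vault.azure.net",
})
SAMPLE_RECEIVED_AT = datetime(2025, 1, 20, 9, 0, tzinfo=timezone.utc)


def client_credentials_request(tenant_id, client_id, client_secret, resource):
    """Service principal: the secret travels in the request body (v2.0 token endpoint)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" asks for the application permissions already consented to for this app.
        "scope": f"{resource}/.default",
    }
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


def managed_identity_request(resource, api_version="2018-02-01"):
    """Managed identity on a VM: no secret anywhere; IMDS identifies the calling VM."""
    query = urlencode({"api-version": api_version, "resource": resource})
    # The Metadata header is required so the request cannot be forged by a simple redirect.
    return {"method": "GET", "url": f"{IMDS_TOKEN_URL}?{query}",
            "headers": {"Metadata": "true"}, "body": ""}


def redact(request):
    """Copy of a request that is safe to log: the client secret is masked."""
    pairs = [(k, "***" if k == "client_secret" else v) for k, v in parse_qsl(request["body"])]
    return {**request, "body": urlencode(pairs)}


def parse_token_response(body, received_at):
    """Turn expires_in (seconds; a string from IMDS, an int from the token endpoint) into a deadline."""
    data = json.loads(body)
    return {"token": data["access_token"], "type": data["token_type"],
            "expires_at": received_at + timedelta(seconds=int(data["expires_in"]))}


if __name__ == "__main__":
    sp = client_credentials_request("<tenant-placeholder>", "<app-id-placeholder>",
                                    "<secret-placeholder>", "https://vault.azure.net")
    mi = managed_identity_request("https://vault.azure.net")
    print("service principal:", redact(sp))
    print("managed identity: ", mi)
    print("parsed:", parse_token_response(SAMPLE_TOKEN_RESPONSE, SAMPLE_RECEIVED_AT))
```

`DefaultAzureCredential` hides both of these behind one call, trying the managed identity endpoint when one is available, which is why the guide prefers it: the code path that needs a stored secret is never taken on a resource that has an identity of its own.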
Recommend When to Use and Configure Microsoft Entra Application Proxy
Microsoft Entra Application Proxy enables remote access to on-premises applications securely.
Best Practices
| Practice | Description |
|---|---|
| Use pre-authentication | Leverage Entra ID for identity verification before granting access. |
| Use Conditional Access | Enforce MFA, location policies, and more. |
| Monitor access logs | Track access attempts and session patterns. |
Use Cases
| Scenario | Details |
|---|---|
| Remote access to legacy apps | Provide secure external access to internal web apps. |
| Hybrid identity deployment | Bridge on-premises and cloud identity systems. |
Configuration Steps
- Install Application Proxy Connector:
  - Install on a Windows Server inside the network.
  - Register the connector with your Entra tenant.
- Publish an Application:
  - In Entra admin center, go to Enterprise Applications > + New Application > On-premises application.
  - Configure internal URL, external URL, and pre-authentication settings.
- Assign Users and Test:
  - Assign users/groups to the application.
  - Test remote access through the published external URL.
Closure
Based on the study guide, here are the most important topics and hints for managing access and applications in Microsoft Entra ID:
Service Principals
Key Points:
- Service principals are identities created for applications, services, and automation tools
- Created automatically when registering an application in Entra ID
- Essential for CI/CD pipelines and automation scripts
Hints:
- Always apply least privilege principles when assigning roles
- Use managed identities when possible instead of credentials
- Monitor service principal activity through Entra logs
- Authenticate via CLI using the `az login --service-principal` command
Managed Identities
Key Points:
- Provide Azure services with automatically managed identities
- Two types: system-assigned (tied to resource lifecycle) and user-assigned
- Eliminate need for credential storage in code
Hints:
- Prefer managed identities over storing secrets/credentials
- System-assigned identities are generally preferred when possible
- Common use cases include Key Vault access and Azure Function integration
- Use Azure SDKs or `DefaultAzureCredential` for authentication
Application Proxy
Key Points:
- Enables secure remote access to on-premises applications
- Bridges cloud and on-premises environments
- Requires connector installation on internal Windows Server
Hints:
- Always implement pre-authentication for enhanced security
- Combine with Conditional Access policies for comprehensive protection
- Monitor access logs for suspicious activity
- Ideal for legacy applications that need remote access
Best Practices Across All Areas
- Apply principle of least privilege consistently
- Leverage Conditional Access where possible
- Monitor sign-in logs and activity patterns
- Use pre-authentication mechanisms
- Regularly review permissions and role assignments
- Stay updated with Entra product updates and security recommendations
📚 Happy studying, and stay secure!
Link to main post: Updated Exam Cram for Exam AZ-500: Microsoft Azure Security Technologies
