Questions tagged [azure]

A cloud computing platform offered by Microsoft.

116 questions
2 votes, 2 answers

Migrating IIS to Azure

So basically, right now we have a fully public-facing Web server inside the local network, and it is a member of the domain. We're going to be migrating this to Azure. I have recommended that the server be in its own Azure VNET, not connected to the…
S. Walker • 123 • 3

2 votes, 2 answers

Why does an external pentester testing my Azure website ask for IP, Gateway, DNS and VPN credentials?

I have an Azure website and a client who wants to use my site but needs to perform ethical hacking on it in order to decide if it's secure enough for them. They've asked me to send them this: The network configuration to have visibility and…
TBurek • 21 • 1

2 votes, 1 answer

Is It OK If a Server Does Not Verify a Certificate?

I am currently learning a LOT about Azure, Azure Active Directory, and Azure Key Vault (AKV). To start with, please see this article: In particular, I am interested in this statement: When designing an application, keep the following points about…
Mike-E • 165 • 6

2 votes, 0 answers

Google.com serving *.portal.azure.com SSL certificate?

Just ran across this in my own browser (Chrome, Mac OS) where going to google.com would serve a *.portal.azure.com certificate. It seemed to be signed all the way to the root too. This disappeared after 60-100 seconds. What is the most likely cause…
DeepSpace101 • 2,143 • 3 • 22 • 35

2 votes, 1 answer

What reasons are there to not just send the API key as an HTTP header over HTTPS?

I've been recently struggling to use Microsoft's Azure platform (which has been an unfathomable pain in the ass). One early thing I noted was how the authentication was unexpectedly more difficult than I expected. Most web APIs I've used simply send…
Kat • 411 • 3 • 12

1 vote, 0 answers

Is it possible to allow anonymous users to access part of an Azure website which uses Active Directory

I have a website hosted in Azure that uses Active Directory to prevent anyone from accessing it except for a few test users. Now I would like to expose a single page so that anyone can access it. I've tried using an AllowAnonymous attribute on my…
Joshua Barker • 151 • 1 • 2

1 vote, 1 answer

What risk can untrusted WS-Federation metadata pose?

I'm adding support for SAML/ADFS/Azure ACS and read that untrusted metadata poses a risk. Considering that ADFS does background refreshes of the metadata, as do some RPs, can someone explain the risk, and how that relates to the automatic refresh…
makerofthings7 • 50,090 • 54 • 250 • 536

1 vote, 2 answers

Uploading pfx certificate to Azure

In order to use SSL with a custom domain in Azure Websites you must upload a pfx file with your certificate and private key to Azure. What are the ramifications of trusting Azure with the private key, especially if I want to use a wildcard…
BenV • 123 • 6

1 vote, 1 answer

Securing an OAuth / OpenID Connect identity in a cookie for easy login

I have a website that uses Azure Active Directory or Google+ for logging in. I go through an OAuth2 login flow, and the user's email along with their tokens are returned to me by their identity service. The user's email address is their identity, and…
Wesley • 113 • 3

1 vote, 1 answer

Secure Azure to Data Centre Web Service Calls via Trusted IP?

Background: The company I work for have a system with some data. This system's hosted in our private data centre. This system provides some ReST web services. We're looking to create a website, hosted in Windows Azure, which will call the above…
JohnLBevan • 197 • 6

1 vote, 0 answers

How to get list of Azure container images which are affected after security scans?

I know how to get repositories, we can use az acr repository list --name myregistry. But how do I get repositories with tags that have security/vulnerability issues after security scans, using the Azure CLI?
Python coder • 111 • 2

1 vote, 2 answers

OAuth2 - What is the advantage of using certificate over client secret credentials? (Azure)

When using OAuth2 in Azure, why are Certificates more secure than using Secrets? The Secrets have expiration and are strong, and generated automatically. The application needs to send a JWT containing an x5t header with the thumbprint of the…
danilo • 111 • 4

1 vote, 0 answers

Intercept API calls of PowerShell module

I am looking at a way to intercept the API call made by the AzureAD PowerShell module. Wireshark is not able to decrypt the TLS packets sent and I'd also like to work with the HTTP requests rather than single packets. So my question is: is there a…

1 vote, 4 answers

Ingress client certificate authentication requires CA certificate to be stored in secret?

I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, ingress requires the CA certificate to be stored in a secret. My question is: Assuming that I…
sg1993 • 113 • 2

1 vote, 0 answers

Should I consider migrating away from OAuth 2.0 Implicit Flow for an internal application relying on Azure AD?

I have recently migrated an internal application (API + SPA) security from Windows Authentication (done by IIS) to Azure A/D authentication using the implicit flow. Now, every user must enter an e-mail address, password and an authentication code…
Alexei • 2,183 • 3 • 9 • 23