Questions tagged [azure]

A cloud computing platform offered by Microsoft.

116 questions
0 votes, 0 answers

How dangerous is a leaked private key from outside the infrastructure in context of: "Azure Active Directory keyCredential property Disclosure?"

Microsoft published the Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs which describes how to check if an Azure AD is possibly affected by the private key…
0 votes, 0 answers

New rule on verifying domain for azureAD app registration

ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains We setup customers to register our application in their…
0 votes, 0 answers

Is using SSL/TLS Termination insecure in Azure with Private Endpoints

Azure documentation mentions using SSL termination at app gateways to offload app services from some overhead. This sounds like a good idea, but then traffic will be unencrypted when travelling from the gateway to the service. Even if I use private…
Ian • 153 • 7
0 votes, 0 answers

Is it possible to prevent Kerbrute from unauthenticated user enumeration Active Directory?

Currently looking for a way to prevent unauthenticated user enumeration on a Domain Controller. This is a security precaution I'd like to implement, next to the existing measures taken to prevent unauthorized DC access. Kerbrute states the following…
0 votes, 0 answers

What type of breach is occurring with Puppeteer.js on this Azure hosted webapp? (Snapshot provided)

When running the screenshot.js on https://try-puppeteer.appspot.com/, a web based Puppeteer.js I the image produced was of a gaming/gambling website, not my website at all! My site was https://puppet.azurewebsites.net/custEvntSingle.html now…
Stephan Luis • 101 • 1
0 votes, 1 answer

Does "validating" a JWT token from prove authentication with OpenId?

I have a static react app which users login via an Okta SPA app. The app receives a JWT, which it is stored in the browser, and passed to the backend API via Authentication header on every request. The API using Azure API Management. They provide…
NSjonas • 143 • 5
0 votes, 1 answer

How to mitigate risk of spoofing / Impersonating in OAuth Device flow ( device code flow ) in Azure AD?

I have developed C# application and hosted it as a windows service on a machine http://localhost:5000 . This application registered in Azure Active Directory Application is using the below details in-app configuration "ClientId":…
kudlatiger • 149 • 1 • 8
0 votes, 1 answer

Storing client keys in cloud app

I'm using Azure to store customer data. In a specific country, there are multiple partners. Each partner has his clients. The issue is they don't want us to have access to this data. In other words, the only one who can access the data is the…
0 votes, 2 answers

Requesting an SSL certificate without a CSR, can it be done?

Please excuse me if this is a dumb or obvious question, I'm self taught and have not been able to find an exact answer to my question after much Googling and reading through StacEx! I'm having issues with the process of requesting/purchasing an SSL…
Chris Butler • 103 • 3
0 votes, 1 answer

Azure Ad B2C Users access resources in other directory

I have two directories in Azure. The first one contains all the customers of our company, who are registered in Azure Ad B2C. These users must be separated from the other directory, which contains employees in our company. This second directory…
0 votes, 1 answer

Is there a current best practice for authorizing an SPA to get/post to API

I have an API and an SPA. The SPA is all anonymous but I want to ensure the caller of the API is authorized to do so. It seems that all of the OAuth best practices, e.g. PKCE, depend on a user actually logging in, which will never happen. Am I…
0 votes, 1 answer

What protocol is NPS server using to send Secondary Auth to Azure MFA?

We are using PAP to pass data between our on-prem VMware and on-prem NPS server. But our on-prem NPS Server passes data to Azure MFA in the cloud. I want to ensure a stronger protocol than PAP is being used to pass data from NPS server to Azure MFA…
Alan Inman • 11 • 3
0 votes, 0 answers

Security and distro list naming convention in AAD

Most naming convention standards for Active Directory I have come across so far have security groups starting with an underscore to allow the equivalent distribution list to be user-friendly. I am now writing a naming convention for Azure AD…
aquaman • 73 • 5
0 votes, 1 answer

Does Azure Key-Vault encrypt the values before storing?

We are using key-vault for storing the secrets, will it give any added advantage if we encrypt the values before storing it in key-vault?
smali • 143 • 1 • 7
0 votes, 0 answers

Azure AD -- How to only allow MFA configuration from a trusted network?

Hopefully someone has an idea... In Azure AD, how can we allow MFA setup by a user but only allow that configuration to occur on a trusted network? We have trusted networks defined but everything we have tried does not prevent MFA setup from outside…