Call Summary:
This month’s in-depth topic: A Zero Trust primer for developers. In this session, we begin by quickly introducing developers to the three core Zero Trust principles: verify explicitly, use least privilege access, and assume breach. We then explain why developers’ participation is critical to supporting the Zero Trust policy rollouts carried out by the IT team. We then lay out a few steps developers can take to begin their journey towards building a Zero Trust-ready app. We start by learning how to effectively use the claims provided in tokens to verify a user/subject explicitly, and then discuss recommended practices for mobile apps. The Continuous Access Evaluation (CAE) feature is discussed in detail from a developer’s perspective, and we hope it will jumpstart a developer’s journey to this absolutely critical piece of security, which is becoming a must for all cloud apps. We then discuss a few steps to enable least privilege, such as how best to publish and consume permissions for an API, and finally we cover topics that help apps recover swiftly from breaches, such as practicing solid credential hygiene and logging rich information.
Bottom line – developers play a critical role in building trustworthy applications as we transition from a culture of implicit trust to one of explicit verification. The full developer guide of practices for building a Zero Trust-ready app is available at aka.ms/ztdev.
This session was delivered by Kalyan Krishna - Sr Program Manager, Microsoft. Recorded December 16, 2021. Q&A in chat and at end of call.
Referenced in this session:
- eBook - Developer guide to Zero Trust - Zero Trust for the Microsoft identity platform developer | aka.ms/ztdev
- Demo – Continuous Access Evaluation (CAE) demo | aka.ms/caedemo
- Demo - Managed Identities with KeyVault demo | aka.ms/midemo
- Sample – An ASP.NET Core web app that signs in users with Azure AD and calls Microsoft Graph | aka.ms/identity-zerotrust-sample
- Documentation - Building Zero Trust ready apps with the Microsoft identity platform | aka.ms/zerotrustforidentitydeveloper
- Blog series - Achieving Zero Trust readiness in your apps #1: Why it matters | aka.ms/ZTRappsblog-part1
- Documentation - Code samples for developers | aka.ms/aadcodesamples
- Sample - Add app roles to your application and receive them in the token | aka.ms/approles
- Sample - Use groups & group claims in an ASP.NET Core web app that signs in users | aka.ms/groupssample
- Documentation – Token Validation | aka.ms/validatetokens
- Sample - How to manually validate a JWT access token using the Microsoft identity platform | aka.ms/extendtokenvalidation
- Documentation - Developers’ guide to Conditional Access authentication context | aka.ms/stepupauthn
- Documentation - Claims challenges, claims requests, and client capabilities | aka.ms/ClaimsChallenge
- Documentation - Sign in any Azure Active Directory user using the multi-tenant application pattern | aka.ms/multi-tenant
- Documentation - Overview of the Microsoft Authentication Library (MSAL) | aka.ms/msal
- Documentation - Microsoft identity platform documentation | aka.ms/identityplatform
Actions:
- Download and go through the developer guide available at https://aka.ms/ztdev
- Let us know how we’re doing and suggest topics for future calls, please complete this survey https://aka.ms/IDDevCommunityCallSurvey
- Join us for the next Microsoft Identity Platform community call on January 20th at 9:00am PT
Stay connected:
- Twitter https://twitter.com/microsoft365dev and @azuread
- YouTube https://aka.ms/M365DevYouTube (Developer channel) and https://aka.ms/m365pnp/videos (Community channel)
- Blogs https://aka.ms/m365pnp/community/blog
- Recurring invite https://aka.ms/IDDevCommunityCalendar
Posted at https://sl.advdat.com/3pI5Qcg