security – Securing React SPA with Azure AD B2C Tenant using MSAL

I am securing my React Apps and I want to use the wrapper function below to ensure that the app only gets rendered when there is a successful login. I am separating the Login from future MSAL token requests because I perceive Login to be a boolean in that you are logged in or you are not logged in. If a later MSAL request requires my user to “re-login” I will call this function to reload the app:

window.location.reload(true);

This code is for React Apps only. I am only securing the app not the endpoints. This code may be used in apps that only access public endpoints.

Sample Usage:

import { WrapWithMSAL } from './MSAL_Utils'

// Will handle Auth and then render App
WrapWithMSAL(() =>
  ReactDOM.render(
    <React.StrictMode>
      <App />
    </React.StrictMode>,
    document.getElementById('root'))
);

This is the Wrapper function:

    import { Configuration, UserAgentApplication, AuthenticationParameters,
      AuthResponse, Logger, LogLevel } from 'msal'

    // Hold the render callback while authenticating
    let appRender: CallableFunction = () => {}

    // Wrapper function to secure the rendering of the React App
    export const WrapWithMSAL = (callbackRtn: CallableFunction) => {
      appRender = callbackRtn;
      if (!MSALAuthAgent.getAccount())
      {
        // Set the MSAL callback specifically to the login handler
        MSALAuthAgent.handleRedirectCallback(msalLoginResultCallback);
        const msalAuthParams: AuthenticationParameters = {
          scopes: regScopes
        };
        // Redirect to the AD B2C login page
        MSALAuthAgent.loginRedirect(msalAuthParams);
      }
      else // Login was retrieved from the session cache
      {
        appRender(); // Start the app
      }
    }

    // Callbacks passed to MSAL
    /**
    * Called by MSAL when the login redirect returns to this page.
    * @param error - set when the login failed
    * @param response - the {@link AuthResponse} (account and tokens) on success
    */
    const msalLoginResultCallback = (error: any, response: any) => {
      if (error) {
        alert(error.toString());
      }
      else {
        appRender(); // Start the app
      }
    }

    // MSAL Specifications
    const configuration: Configuration = {
      auth: {
        clientId: "AZURE_APPLICATION_ID",
        authority: "AZURE_USER_FLOW",
        redirectUri: "https://myspa.mysite.com",
        validateAuthority: false,
      },
      cache: {
        cacheLocation: "sessionStorage",
        storeAuthStateInCookie: true,
      },
      system: {
        logger: new Logger((logLevel, message, containsPii) => {
          console.log("(MSAL): ", message)
        }, {
          level: LogLevel.Verbose,
          piiLoggingEnabled: false
        })
      }
    }

    // Scopes requested at login
    const regScopes: string[] = ['read.scope'];
    const MSALAuthAgent = new UserAgentApplication(configuration);
    export default MSALAuthAgent;

My question is does this approach secure my app?

Azure App Service Deployment from BitBucket not working

I am trying to connect one of the deployment slots on my Azure App Service to a BitBucket repository.

I am able to get all the way through the Deployment Center wizard. After clicking “Finish”, it says that it failed. Examining the logs shows the following error.

Repository 'UpdateSiteSourceControl' operation failed with Microsoft.Web.Hosting.SourceControls.OAuthException: Bitbucket RemoveSSHKey: (404) NotFound. 
at Microsoft.Web.Hosting.SourceControls.BitbucketV2Proxy.<RemoveSSHKey>d__15.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.Web.Hosting.SourceControls.BitbucketV2Proxy.<AddSSHKey>d__14.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.Web.Hosting.Administration.BitbucketV2SiteRepositoryProvider.<UpdateSiteSourceControl>d__3.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.Web.Hosting.Administration.WebCloudController.<>c__DisplayClass263_1.<<UpdateSiteSourceControl>b__1>d.MoveNext() 
--- End of stack trace from previous location where exception was thrown --- 
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() 
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
at Microsoft.Web.Hosting.AsyncHelper.RunSync(TResult)(Func`1 func) 
at Microsoft.Web.Hosting.Administration.WebCloudController.UpdateSiteSourceControl(String subscriptionName, String webspaceName, String name, SiteSourceControl siteSourceControl).

Another deployment slot on the same Web Application is currently connected to the same BitBucket repository.

I am an admin level user on both the Azure plan as well as the BitBucket account.

I have tried this:

  • From multiple machines
  • With a separate BitBucket (Admin) Account
  • Across multiple days

Researching the issue brings up a lot of old articles that suggest using the old portal, but that does not appear to be an option any longer.

Azure Roles – Explicit access on storage service – file share

I need to configure a custom Azure role which will give a user explicit access to a file share (with File Explorer). But the user shouldn’t have access to the other services of the Storage service like blob storage, queues or tables. Currently, with the following JSON file, the user can see all sub-services of the storage service.

{
  "Name": "Storage explicit contributor access",
  "Id": "-.......",
  "IsCustom": true,
  "Description": "",
  "Actions": [
    "Microsoft.Storage/storageAccounts/fileServices/shares/delete",
    "Microsoft.Storage/storageAccounts/fileServices/shares/read",
    "Microsoft.Storage/storageAccounts/fileServices/shares/write",
    "Microsoft.Storage/storageAccounts/fileServices/write",
    "Microsoft.Storage/storageAccounts/fileServices/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/read"
  ],
  "NotActions": [
    "*"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/....."
  ]
}

Generally, is it possible to restrict access at that level?
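To see what a definition like the one above grants, here is an added example (mine, not the poster's JSON and not an Azure SDK call) that applies the documented Azure RBAC evaluation rule to it: an operation is permitted when some `Actions` entry matches it and no `NotActions` entry matches, with `*` standing for any run of characters and case ignored. The probe operation names and the `ROLE_AS_POSTED` dictionary are constructed for the example.

```python
import re

# Constructed from the role definition in the question (array brackets normalised to JSON).
ROLE_AS_POSTED = {
    "Actions": [
        "Microsoft.Storage/storageAccounts/fileServices/shares/delete",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/write",
        "Microsoft.Storage/storageAccounts/fileServices/write",
        "Microsoft.Storage/storageAccounts/fileServices/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
    ],
    "NotActions": ["*"],
}

def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def allows(role: dict, operation: str) -> bool:
    """Effective control-plane permission: matched by Actions and not matched by NotActions."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not denied

def effective(role: dict, operations) -> dict:
    """Map each probed operation to whether the role permits it."""
    return {op: allows(role, op) for op in operations}

# Constructed probes: one file-share read, one blob read, and the key-listing action.
PROBES = [
    "Microsoft.Storage/storageAccounts/fileServices/shares/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
]

if __name__ == "__main__":
    # With NotActions ["*"] every entry in Actions is subtracted again, so nothing is granted.
    print("as posted:", effective(ROLE_AS_POSTED, PROBES))
    # Without that wildcard the role grants the file-share actions but not the blob read.
    print("without NotActions '*':", effective({**ROLE_AS_POSTED, "NotActions": []}, PROBES))
```

Note that `listKeys/action` returns the storage account keys, and an account key authorises the data plane of every service in the account (blob, queue, table and file), so any role that includes it cannot confine a key holder to file shares regardless of which control-plane actions are listed.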

Azure webapp, web.config. Don´t redirect if specific URL

Hey all, I'm having a doubt over here and not sure if it's possible with web.config.

I have a web app in Azure. Domain foo.bar.com is pointing to this webapp.

On the other hand I have a CDN as well in Azure, with a subdomain, www.foo.bar.com, pointing to this CDN.

The idea is that foo.bar.com redirects to www.foo.bar.com so as to use this CDN.

Right now the picture is:

foo.bar.com > WEBAPP > redirect > www.foo.bar.com > DNS > CDN > webapp, which is causing too many redirects and a sort of endless loop.

Is there a way with web.config to have some rule say something like:

if URL is www.foo.bar.com don't redirect, stay on the webapp. To have something like:

foo.bar.com > WEBAPP > redirect > www.foo.bar.com and that's it, stay on the webapp.

Tried something like this but it is not working:

<rule name="www" stopProcessing="true">
    <match url="https://foo.bar.com" ignoreCase="true" />
    <conditions>
        <add input="{HTTP_HOST}" pattern="https://foo.bar.com" />
    </conditions>
    <action type="Redirect" url="https://www.foo.bar.com/{R:0}" redirectType="Permanent" />
</rule>

Azure VPN P2S connectivity back to on premise failing

I have following network topology:

On-premise network: 192.168.15.0/24

Server: 192.168.15.7

Router: 192.168.15.1

Azure VNET: 10.0.0.0/16

Subnets: default 10.0.0.0/24, Gateway subnet 10.0.255.0/27

Server: 10.0.0.4

Azure VPN Gateway: 52.232.34.98

I have S2S connection between on premise and azure. I’m able to ping from azure server to on premise server and vice versa.

I have P2S connection to Azure. Address pool is 10.2.0.0/24. I’m able to ping from VPN Client (client IP 10.2.0.4) to server in Azure (10.0.0.4).
However, I’m not able to ping from VPN Client to on premise (192.168.15.7).

I followed this article: https://www.altitude365.com/2016/04/26/azure-p2s-vpn-how-to-route-between-vnets/ and then I added this to routes.txt:

ADD 192.168.15.0 MASK 255.255.255.0 default METRIC default IF default

However, I still cannot ping from VPN client to 192.168.15.7 and I’m out of ideas now.

Tracert from VPN client to azure:

Tracing route to 10.0.0.4 over a maximum of 30 hops

1 55 ms 47 ms 35 ms 10.2.0.0

2 40 ms 55 ms 46 ms 10.0.0.4

Trace complete.

Tracert from VPN client to on premise:

Tracing route to 192.168.15.7 over a maximum of 30 hops

1 47 ms 36 ms 39 ms 10.2.0.0

2 * * * Request timed out.

encryption – Wrap key operation in Azure Key Vault – symmetric keys

Could anyone explain the bolded part of the wrap key description?

Wraps a symmetric key using a specified key. The WRAP operation supports encryption of a symmetric key using a key encryption key that has previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission.

AFAIK, all the keys in Azure Key Vault are stored at rest in HSM modules. Why is key wrapping necessary for symmetric keys? What does ‘protection’ mean in this case? Using a public key to encrypt data?

If HSM are securing all the keys in Key Vault (using its built-in symmetric key), then why would encrypting a symmetric key be necessary as quoted?
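To make the quoted sentence concrete, here is an added example (mine, not the question's or Azure Key Vault's own code) that models a key-encryption key (KEK) held inside a vault: with an RSA KEK the caller can wrap a data-encryption key (DEK) locally using only the public half, while with an AES KEK the wrap itself needs the secret and so must be performed by the vault. The `VaultKek` class is a hypothetical stand-in for the vault, and the example assumes the `cryptography` package is installed.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap

# RSA-OAEP with SHA-256 for both the hash and the mask generation function.
_OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                     algorithm=hashes.SHA256(), label=None)

def wrap_with_public(public_key, dek: bytes) -> bytes:
    """Client-side wrap: needs only the public half of the KEK, so no vault call."""
    return public_key.encrypt(dek, _OAEP)

class VaultKek:
    """Hypothetical stand-in for a KEK that never leaves the vault (an HSM in the real service)."""
    def __init__(self, kind: str):
        self.kind = kind
        if kind == "RSA":
            self._private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        elif kind == "AES":
            self._secret = os.urandom(32)          # AES-256 KEK material, constructed
        else:
            raise ValueError(kind)

    def public_material(self):
        """Only an asymmetric KEK has a public part that is safe to hand to callers."""
        return self._private.public_key() if self.kind == "RSA" else None

    def wrap(self, dek: bytes) -> bytes:           # the vault-side WRAP operation
        if self.kind == "RSA":
            return wrap_with_public(self._private.public_key(), dek)
        return aes_key_wrap(self._secret, dek)     # RFC 3394: the secret KEK itself is required

    def unwrap(self, blob: bytes) -> bytes:        # the vault-side UNWRAP operation
        if self.kind == "RSA":
            return self._private.decrypt(blob, _OAEP)
        return aes_key_unwrap(self._secret, blob)

def protect_dek(kind: str):
    """Wrap a fresh 256-bit DEK under a vault KEK of the given kind and unwrap it again.
    Returns (round trip succeeded, wrap was possible outside the vault)."""
    kek = VaultKek(kind)
    dek = os.urandom(32)                           # constructed sample DEK
    pub = kek.public_material()
    # Wrap locally when public material exists; otherwise the vault has to do it.
    blob = wrap_with_public(pub, dek) if pub is not None else kek.wrap(dek)
    return kek.unwrap(blob) == dek, pub is not None
```

Unwrapping always needs the private or secret half, so it stays inside the vault for both key kinds; the asymmetry the documentation describes is only on the wrap side.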

game recommendation – Any good RP systems out there for a Azure Lane RP?

Kinda a weird question for sure, but to put small context this all began after a small joke that got way out of hand. By the end of it I was “encouraged” to put together a one-shot campaign for Azure Lane with some friends. Looking around though at the few I know such as DnD & Pathfinder, none of those really work for something like Azure Lane.

So my question is then, does anyone have some good recommendations regarding an RP system to use for an Azure Lane focused setting and mechanics?

azure – Sentiment analysis for speech in MS Teams meetings (classrooms to be more specific)

I’m looking for a solution that could be used with MS Teams for Education that could be used for sentiment analysis in real time during classroom discussions in synchronous on-line learning. I assume Azure’s Speech to Text could capture what is said but not sure what tools are available for the analysis.
Comments by individual students are not as important as gauging the overall sentiment in the classroom and ideally it would go past simply positive/negative to detecting mood, words or phrases that are being used frequently, lapses between questions and answers, etc.
Ideally the data could then be fed into Power BI for providing real-time indicators of what is happening in the class.

Any suggestions?

I am looking for a way to use email trigger in order to stop/start a virtual machine. Azure Automation?

I am looking for a way to use an email trigger in order to stop/start a virtual machine. Like when I enter some kind of a keyword in the subject or the body of an email, the runbook triggers and does the stop/start.

I have seen a way to use Microsoft Flow to push buttons which triggers the runbook in Azure Automation and the VM stops in it.

Can the email option be achieved with Azure Automation?

validity of auth token in OAuth2 in SharePoint App Registration/ Azure AD app

I have a SharePoint app registered in a site

To access the documents, I am getting the Auth Token from the below URL

https://accounts.accesscontrol.windows.net/{{realm}}/tokens/OAuth/2

What is the validity of the auth token that we get from this URL?

I am not able to find the validity of the token specified anywhere