AZ-204 Developer Associate: Securing Azure Solutions for Developers
The content here is under the Attribution 4.0 International (CC BY 4.0) license
Between 20% and 25% of the az-204 is related to security, knowing what Azure offers regarding security is one of the main goals of the exam. Here, we will go over different services, such as Active Directory (one of the most popular products from Microsoft), ADB2C, encryptions, azure key vault, Authorization, Authentication, App gateway and permissions.
Azure active directory
- Azure offers authentication and authorization
- Identity provider
- Licenses
- AD Free
- Role-based access control
- Authorization for resources under a subscription
- Groups hold control over many users
- Application objects
- uses package Azure.Identity
- ClientSecretCredentials
B2C
Integrates different login providers into Azure active directory.
Authentication-AAD Groups
Azure authentication groups use AD to allow custom authorization from the application code. Through the claims, the application can check whether a given user can or cannot access the application.
Azure key vault
- used for host secrets (encryption keys, certificates, secrets)
- Secrets Management
- Key Management
- Certificate Management
Another way of getting familiar with using the key vault is to follow the tutorial available in the Microsoft official documentation - in there, the CRUD operations for the vault are explored.
Azure CLI
- az key vault create
- az key vault secret set
- Tutorial: Create an Azure custom role using Azure CLI
Encryption keys
- The package used for the key vault in c# is Azure.Security.KeyVault.Keys
- Encrypts a text
- fetches the ClientSecretCredentials
- Fetches the encryption key through the class KeyClient
- Uses the package CryptographicClient to perform cryptographic operations
- Method CryptographicClient.Decrypt is used to decrypt
Policies vs RBAC
Managed identities
A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets (refs: Microsoft Official Documentation).
- Access token
- requests VM and gets access to a resource
- User assigned
Disk encryption
- Encryption keys
- Stored in azure
- Encrypted at rest
- By default, Azure encrypts the data using server-side encryption (Azure uses its keys, but it is possible to use custom ones)
- disk encryption set
- it is possible to enable disk encryption at rest after the VM has been created, for such, first, the VM should be stopped
-
az vmencryption enable
Authentication and authorization
- Oauth 2 standard
- getting access token to access storage account resources
Permissions type
- Delegated - logged-in users
- Application - without a signed-in user
App gateway
You need to configure the Azure Application Gateway for the web app. Which two actions should you perform? Each correct answer presents part of the solution.
- In the Azure Application Gateway’s HTTP setting, enable the Use for App service setting.
- In the Azure Application Gateway’s HTTP setting, set the value of the Override backend path option to contoso22.azurewebsites.net.
Related subjects
Table of contents
Got a question?
If you have question or feedback, don't think twice and click here to leave a comment. Just want to support me? Buy me a coffee!