AZ-204 Developer Associate: Securing Azure Solutions for Developers
The content here is under the Attribution 4.0 International (CC BY 4.0) license
Between 20% and 25% of the az-204 is related to security, knowing what Azure offers regarding security is one of the main goals of the exam. In here, we will go over different services, such as Active Directory (one of the most popular products from Microsoft), ADB2C, encryptions, azure keyvault, Authorization, Authentication, App gateway and permissions.
Azure active directory
- Azure offers authentication and authorization
- Identity provider
- AD Free
- Role based access control
- Authorization for resources under a subscription
- Groups holds control to many users
- Application objects
- uses package Azure.Identity
Integrates different login providers into azure active directory.
Azure authentication groups uses AD to allow custom authorization from the application code. Through the claims, the application can check wether a given user can or cannot access the application.
Azure key vault
- used for host secrets (encryption keys, certificates, secrets)
- Secrets Management
- Key Management
- Certificate Management
Another wayof getting familiar of using key vault for AZ-204 is to follow along the tutortial available in the Microsoft official documentation - in there the CRUD operations for the vault are explored.
- az keyvault create
- az keyvaul secret set
- Tutorial: Create an Azure custom role using Azure CLI
- Package used for key vault in c# is Azure.Security.KeyVault.Keys
- Encrypts a text
- fetches the ClientSecretCredentials
- Fetches the encryption key through the class KeyClient
- Uses the package CryptographicClient to perform cryptographic operations
- Method CryptographicClient.Decrypt is used to decrypt
Policies vs RBAC
A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets (refs: Microsoft Official Documentation).
- Access token
- makes an request to a vm and get access to a resource
- User assigned
- Encryption keys
- Stored in azure
- Encrypted at rest
- By default azure encrypts the data using server side encryption (azure uses its own keys, but it is possible to use custom ones)
- disk encryption set
- it is possible to enable disk encryption at rest after the vm has been created, for such, first, the vm should be stopped
- az vm encryption enable
Authentication and authorization
- oauth 2 standard
- getting access token to access storage account resources
- Delegated - logged in users
- Application - without a signed in user
You need to configure the Azure Application Gateway for the web app. Which two actions should you perform? Each correct answer presents part of the solution.
- In the Azure Application Gateway’s HTTP setting, enable the Use for App service setting.
- In the Azure Application Gateway’s HTTP setting, set the value of the Override backend path option to contoso22.azurewebsites.net.
Table of contents
- Azure active directory
- Azure key vault
- Azure CLI
- Encryption keys
- Policies vs RBAC
- Managed identities
- Disk encryption
- Authentication and authorization
- Permissions type
- App gateway