AZ-204 Developer Associate: Securing Azure Solutions for Developers

Last updated Jul 28, 2022 Published Jun 6, 2022

The content here is under the Attribution 4.0 International (CC BY 4.0) license

Between 20% and 25% of the az-204 is related to security, knowing what Azure offers regarding security is one of the main goals of the exam. In here, we will go over different services, such as Active Directory (one of the most popular products from Microsoft), ADB2C, encryptions, azure keyvault, Authorization, Authentication, App gateway and permissions.

Azure active directory

  • Azure offers authentication and authorization
  • Identity provider
  • Licenses
    • AD Free
  • Role based access control
    • Authorization for resources under a subscription
    • Groups holds control to many users
  • Application objects
    • uses package Azure.Identity
    • ClientSecretCredentials


Integrates different login providers into azure active directory.

Authentication-AAD Groups

Azure authentication groups uses AD to allow custom authorization from the application code. Through the claims, the application can check wether a given user can or cannot access the application.

Azure key vault

  • used for host secrets (encryption keys, certificates, secrets)
    • Secrets Management
    • Key Management
    • Certificate Management

Another wayof getting familiar of using key vault for AZ-204 is to follow along the tutortial available in the Microsoft official documentation - in there the CRUD operations for the vault are explored.

Azure CLI

Encryption keys

  • Package used for key vault in c# is Azure.Security.KeyVault.Keys
  • Encrypts a text
  • fetches the ClientSecretCredentials
  • Fetches the encryption key through the class KeyClient
  • Uses the package CryptographicClient to perform cryptographic operations
  • Method CryptographicClient.Decrypt is used to decrypt

Policies vs RBAC

Managed identities

A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets (refs: Microsoft Official Documentation).

  • Access token
    • makes an request to a vm and get access to a resource
  • User assigned

Disk encryption

  • Encryption keys
  • Stored in azure
  • Encrypted at rest
  • By default azure encrypts the data using server side encryption (azure uses its own keys, but it is possible to use custom ones)
  • disk encryption set
  • it is possible to enable disk encryption at rest after the vm has been created, for such, first, the vm should be stopped
  • az vm encryption enable

Authentication and authorization

  • oauth 2 standard
  • getting access token to access storage account resources

Permissions type


  • Delegated - logged in users
  • Application - without a signed in user

App gateway

You need to configure the Azure Application Gateway for the web app. Which two actions should you perform? Each correct answer presents part of the solution.

  1. In the Azure Application Gateway’s HTTP setting, enable the Use for App service setting.
  2. In the Azure Application Gateway’s HTTP setting, set the value of the Override backend path option to