AZ-204 - Developer associate - Implementing security solutions

Last updated Jul 28, 2022 Published Jun 6, 2022

Between 20% and 25% of the az-204 is related to security, knowing what Azure offers regarding security is one of the main goals of the exam. In here, we will go over different services, such as Active Directory (one of the most popular products from Microsoft), ADB2C, encryptions, azure keyvault, Authorization, Authentication, App gateway and permissions.

Azure active directory

  • Azure offers authentication and authorization
  • Identity provider
  • Licenses
    • AD Free
  • Role based access control
    • Authorization for resources under a subscription
    • Groups holds control to many users
  • Application objects
    • uses package Azure.Identity
    • ClientSecretCredentials

B2C

Integrates different login providers into azure active directory.

Authentication-AAD Groups

Azure authentication groups uses AD to allow custom authorization from the application code. Through the claims, the application can check wether a given user can or cannot access the application.

Azure key vault

  • used for host secrets (encryption keys, certificates, secrets)

Azure CLI

Encryption keys

  • Package used for key vault in c# is Azure.Security.KeyVault.Keys
  • Encrypts a text
  • fetches the ClientSecretCredentials
  • Fetches the encryption key through the class KeyClient
  • Uses the package CryptographicClient to perform cryptographic operations
  • Method CryptographicClient.Decrypt is used to decrypt

Policies vs RBAC

Managed identities

A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets (refs: Microsoft Official Documentation).

  • Access token
    • makes an request to a vm and get access to a resource
  • User assigned

Disk encryption

  • Encryption keys
  • Stored in azure
  • Encrypted at rest
  • By default azure encrypts the data using server side encryption (azure uses its own keys, but it is possible to use custom ones)
  • disk encryption set
  • it is possible to enable disk encryption at rest after the vm has been created, for such, first, the vm should be stopped
  • az vm encryption enable

Authentication and authorization

  • oauth 2 standard
  • getting access token to access storage account resources

Permissions type

Permissions

  • Delegated - logged in users
  • Application - without a signed in user

App gateway

You need to configure the Azure Application Gateway for the web app. Which two actions should you perform? Each correct answer presents part of the solution.

  1. In the Azure Application Gateway’s HTTP setting, enable the Use for App service setting.
  2. In the Azure Application Gateway’s HTTP setting, set the value of the Override backend path option to contoso22.azurewebsites.net.