AZ-500: Microsoft Azure Security Technologies Study Guide
The AZ-500 certification provides professionals with the skills and knowledge needed to secure Azure infrastructure, services, and data. The exam covers identity and access management, data protection, platform security, and governance in Azure. Learners can prepare for the exam with Microsoft's self-paced curriculum, instructor-led course, and documentation. The certification measures the learner’s knowledge of managing, monitoring, and implementing security for resources in Azure, multi-cloud, and hybrid environments. Azure Firewall, Key Vault, and Azure Active Directory are some of the topics covered in the exam.
Utilizing Azure Key vault with Private link in DevOps
Azure Key Vault is a cloud service that provides secure storage and access to secrets such as API keys, passwords, certificates, or cryptographic keys. To enhance security and disable public access, Azure Key Vault can be integrated with Private Endpoint powered by Azure Private Link. This private endpoint uses a private IP address from your VNet and brings the service into your VNet, effectively eliminating exposure from the public Internet by traversing traffic between your virtual network and the service over the Microsoft backbone network.Active Directory Certificate Services with Azure Key Vault Virtual HSM
Hi all (an I hope also Microsoft folk in the security and AD CS arenas), With Azure adoption etc and the GA a while ago of Azure Key Vault virtual HSM it seems to me that it would make a significant enhancement of AD CS security to use Azure Key Vault virtual HSM to host the AD CS server certificate keys. Most third party (virtual) HSMs come with instructions, agents, custom key service providers etc to enable the external hosting and access from the windows host to the certificate key. I can only find (quite old) information for SQL which adds a custom KSP to SQL seemingly rather than to the OS. Has anyone else had a go at or implemented this yet?
Access Azure Key Vault and/or Azure Storage via Site to Site VPN from local network.
The following article explains how to establish a site to site VPN with an Azure VNET (not a public IP space). https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal This article shows how to lock down Azure Key Vault to only allow access from a specific Azure VNET. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-network-security My question is why couldn’t we establish Azure Key Vault in an Azure VNET that is accessible only from a site to site VPN? If we can, it eliminates the “Public IP” access that is concerning to me for access to Credential data. Additionally, this article https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security makes me think we could do the same thing with Azure Storage. The basic approach would be: 1. Establish a Key Vault locked down to the VNET only. 2. Establish a Site to Site VPN with access to the VNET from a local subnet. 3. Update Key Vault Network Security to allow access from the local subnet IP space 4. Voila private access to Key Vault from protect local network space. Does anyone have experience with such a configuration?Virtual Machine encryption with KEK and BEK
I am trying to understand the integration between Azure key vault and Virtual Machine disk encryption. When I Use this command to encrypt the O.S drive for a VM: Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID I can see in my key vault that there is the BEK under [secrets] section inside the vault. Which makes sense, as this is the actual key used to do the symmetric disk encryption. Now, I want to use the KEK as well to wrap the symmetric key. To do that, I will go to key vault, create a KEY, which will create an RSA Asymmetric key under the [Key] section inside the key vault. Now I run this command to encrypt a drive in a VM specifying KEK. Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID -KeyEncryptionKeyUrl "https://virtualmachinekv2.vault.azure.net/keys/KEK/0894977d6da14e50b6f170d34c9e0277" -KeyEncryptionKeyVaultId $kv_id Now the disk is encrytped, but in the key vault, I cannot see any BEK generated under [secrets] section of my vault. So what just happened? where is my BEK?Unable to connect to the destination mentioned in the KeyVault URL
I am trying to use the Dynamics 365 Data export service to connect with my Azure SQL with Azure AD connection. When following this tutorial : https://www.youtube.com/watch?v=txms2Yvn6Vc and many more; i figured out how to export my D365 data export service but this tutorial is based on my SQL user. When I try to use a Azure AD user to do the authentication I keep getting the error "Unable to connect to the destination mentioned in the keyvaul URL error" What I did ATM is , used the D365 Powershell script like the tutorial mentioned to create a keyvault with the connection string and paste the keyvault url inside my D365 settings to validate. This works if i use the second connection string in the pic below But when I do the exact same thing with an Active directory connection string (second connection string in picture) This does not work !! Inside the SQL server I ensured that my Azure AD user has active directory admin roles. And the userID I use inside my connection string has all the rights inside the server and database to do the minimum for D365 Export service (create, insert table, ....) But still i got a fail inside my D365 . Tried everything ATM don't know where to look. Any body who had the same issues as me ? OR know which step I am missing ?
The connection does not contain a vault name. Please edit the connection and enter a valid key vault
Hi , I am getting error when get secret from Azure Key Vault from Power Automate. { "status": 400, "message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name.", "error": { "message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name." }, "source": "keyvault-wus.azconn-wus.p.azurewebsites.net" } I have a Power Automate which is having azure key vault connection to get secret. This Power Automate will be executed from Powerapps. When playing Power Apps, It is asking user consent to connect Azure Key Vault, but no way to provide azure key vault name. Has anyone experienced this kind of scenario and any leads on this? Regards, GaneshApp Configuration references in Spring Boot App deployed to Azure App services.
Azure App Configuration is a service that allows you to manage application settings and feature flags in one place. This is especially useful for modern programs that have many distributed components. By using App Configuration, you can avoid configuration errors during application deployment and ensure that all settings are secure and accessible in one place.
