key vault
6 Topics

Protecting Oracle Keys with Azure Key Vault
Has anyone used Azure Key Vault to protect keys for on-premises Oracle databases? From what I can see, it isn't a direct integration but rather using Oracle Key Vault for the key management and then integrating OKV with Azure Key Vault as the HSM. Has anyone done this, and is it a supported configuration?
67 Views, 0 likes, 2 Comments

Getting secrets from Key Vault in YAML pipeline
If you have ever created an Azure App Service or Azure Function App that uses app settings, then you have dealt with the problem of how you are going to get those settings secure and updated correctly in each environment. You need a secure location to store this information and then be able to access it during your deployment process. Azure Key Vault and using the Azure Key Vault task inside a deployment pipeline in Azure DevOps can solve this problem for you. If you prefer video, then have a look at this as it will walk you through the steps of getting this set up.

Active Directory Certificate Services with Azure Key Vault Virtual HSM
Hi all (and I hope also Microsoft folk in the security and AD CS arenas),

With Azure adoption etc. and the GA a while ago of Azure Key Vault virtual HSM, it seems to me that it would make a significant enhancement of AD CS security to use Azure Key Vault virtual HSM to host the AD CS server certificate keys. Most third-party (virtual) HSMs come with instructions, agents, custom key service providers etc. to enable the external hosting and access from the Windows host to the certificate key. I can only find (quite old) information for SQL which adds a custom KSP to SQL seemingly rather than to the OS. Has anyone else had a go at or implemented this yet?
4.1K Views, 0 likes, 3 Comments

Temporary-Access-on-Azure-Resources
Sometimes developers need temporary access to Azure resources for troubleshooting purposes or just for the fun 😉 but they don't always have access on Azure to proceed by themselves. That's why I thought to afford them autonomy through Azure DevOps. Of course these pipelines/scripts can be adapted to answer your own context with different Azure services like Key Vault, Storage Account, Database, ...

Azure DevOps pipelines

Of course, this access must be temporary, that's why I create:

- One pipeline to allow developers to add their public IP on Azure resources
- One pipeline to automatically remove this access each day

In our example, the target Azure resource is an App Service, and we add/remove access on Kudu portal.

Add IP to Kudu

The goal of that pipeline, based on the allow_ips.yml file, is to allow developers to add their public IP on Kudu for different environments like DEV, TST or UAT ones.

| Application | Environment | Region | Resource Group | App Service | Variable Group |
|---|---|---|---|---|---|
| MyApp | DEV | North Europe - EU | MYAPPLICATION-DEV-EU-RG01 | MyAppService1 | var-devops-app1-dev-eu |
| MyApp | TST | North Europe - EU | MYAPPLICATION-TST-EU-RG01 | MyAppService2 | var-devops-app1-tst-eu |
| MyApp | UAT | North Europe - EU | MYAPPLICATION-UAT-EU-RG01 | MyAppService3 | var-devops-app1-uat-eu |
| MyApp | UAT | East US 2 - US | MYAPPLICATION-UAT-US-RG01 | MyAppService4 | var-devops-app1-uat-us |
| MyApp | UAT | Australia East - AU | MYAPPLICATION-UAT-AU-RG01 | MyAppService5 | var-devops-app1-uat-au |

To easily manage the Azure resources in Azure DevOps, I decided to create a variable group per environment with information like:

- Environment
- ResourceGroupName
- AppServiceName

Remove IP from Kudu

As mentioned previously, this access is temporary, so we created another pipeline that will be triggered every day at a specific time to remove the IP on Kudu.

How to

Process to add your IP

1. First step is to add your public IP into the dev_team_ips.txt file combined with **/32** (the format could be different depending on the Azure services you need access to). Example: **11.22.33.44/32**
2. Launch the first pipeline by selecting your environment and the region
3. You should be able to connect on the App Service through Kudu

Process to remove your IP

Two ways to proceed:

1. Launch manually the pipeline to remove the IP
2. Wait until the configured hour that will automatically trigger the pipeline to remove the IP without any human intervention

Sources

All the content used for these pipelines is attached to this post or can be retrieved on my GitHub https://github.com/onag-fr/Temporary-Access-on-Azure-Resources/?WT.mc_id=AZ-MVP-5005062.
1.5K Views, 0 likes, 0 Comments

Connect to SharePoint Online using a Logic App and Key Vault
I'm looking for info on how to connect to SharePoint Online using a Logic App and Key Vault. Also, what authentication method should be used? Currently, we are using service accounts to connect to SPO, but the accounts require password updates every quarter and maintaining this is getting out of control.
7.9K Views, 0 likes, 2 Comments

NEW PUBLIC PREVIEW FEATURE | Integrate Key Vault with Azure Private Link
We wanted to make you aware of a new public preview feature available to try. Azure Private Link Service enables you to access Azure Services (for example, Azure Key Vault, Azure Storage, and Azure Cosmos DB) and Azure hosted customer/partner services over a Private Endpoint in your virtual network.

Now, in preview, you can integrate a key vault with your Azure Private Link. Private endpoint ensures that no customer data leaves their virtual network. It eliminates exposure to your key vault from the public internet and keeps all customer traffic on Azure.

If an organization used a public endpoint, they would have to configure a VPN or ExpressRoute connection to securely connect to key vault via the public internet. If an organization uses service endpoints, all their traffic would remain within Azure but they would have to allow their resource access to all traffic to / from the key vault service (not scoped to one particular vault). Now with private endpoint, you can give each resource access to only 1 particular key vault, which provides a higher level granularity of permissions.

Many government, healthcare, and financial institutions have tight regulations and want to plan for "worst case" scenarios in the event of a breach. This provides more redundancy and greater protections.

Prerequisites:

- A key vault
- An Azure virtual network
- A subnet in the virtual network
- Owner or contributor permissions for both the key vault and the virtual network

Your private endpoint and virtual network must be in the same region.

See https://docs.microsoft.com/en-us/azure/key-vault/private-link-service for more information on how to try this feature.
1.2K Views, 0 likes, 0 Comments