roles
16 Topics

AZ-500: Microsoft Azure Security Technologies Study Guide
The AZ-500 certification provides professionals with the skills and knowledge needed to secure Azure infrastructure, services, and data. The exam covers identity and access management, data protection, platform security, and governance in Azure. Learners can prepare for the exam with Microsoft's self-paced curriculum, instructor-led course, and documentation. The certification measures the learner's knowledge of managing, monitoring, and implementing security for resources in Azure, multi-cloud, and hybrid environments. Azure Firewall, Key Vault, and Azure Active Directory are some of the topics covered in the exam.

pg_signal_autovacuum_worker Role for Managing Autovacuum in Azure Database for PostgreSQL
Have you ever faced a situation where your database is taking longer than expected to execute a DDL command? It can be a frustrating experience when a pending command execution blocks your workflow. If you're wondering which process might be blocking your DDL command, there could be different reasons. One of the primary reasons is an autovacuum process running on the table in the background. Let me explain this with the help of an example. Consider we have a table "accounts" in our Azure Database for PostgreSQL flexible server instance database. We want to add a field and execute an ALTER statement on it. While this statement is executing, you may observe that the database has significantly slowed down or stopped responding to read/write queries for a while, resulting in a latency spike. In this scenario, the first approach would be to make sure there are no concurrent processes working on the table before executing the ALTER statement. If one of these processes is autovacuum, you will have to wait until the autovacuum process has finished on the table, which delays committing this statement. In managed services, giving system-level access to users can cause severe security and database integrity concerns, so users cannot manage critical background processes like autovacuum in a controlled manner. With the recent update, we have backported the 'pg_signal_autovacuum_worker' role from PostgreSQL version 18. With this approach it is now possible to control the autovacuum process, using the 'pg_terminate_backend' command, without giving system-level access to users, in Azure Database for PostgreSQL Flexible Server on PostgreSQL versions 15 and higher. This role helps non-superusers interact with the autovacuum process in a secure and controlled manner.
Let's learn more about the autovacuum process and how this new role 'pg_signal_autovacuum_worker' helps you manage the process more securely, with controlled access for non-superusers.

What is the autovacuum process?

PostgreSQL uses various maintenance processes to handle heavy server loads, one of them being autovacuum. Autovacuum removes obsolete versions of tuples that were created by UPDATE or DELETE statements and that are no longer visible to any outstanding transaction. The autovacuum_naptime and autovacuum_max_workers parameters are important for the autovacuum process. The launcher runs every autovacuum_naptime seconds, and an autovacuum worker is triggered for a table based on its proportion of dead tuples. You can read more about the autovacuum process and how it's triggered here.

Common Problems with autovacuum

Autovacuum is an important background process, as it handles the regular cleanup of dead tuples. However, if it conflicts with a long-running transaction, or in a write-heavy environment, the following issues can occur:

Autovacuum blocking DDL operations:
Normal autovacuum: autovacuum jobs cancel themselves after deadlock_timeout (default value is 1 second) when a user triggers DDL on the table. But in some cases, users can experience significant latency, up to the value of deadlock_timeout, while executing read/write queries on the table.
Wraparound-protection autovacuum: this type of autovacuum does not cancel itself and blocks DDL until the job is completed.

Challenges with updating parameters in ongoing autovacuum processes: autovacuum configuration can be tuned using server parameters like autovacuum_naptime, autovacuum_max_workers, autovacuum_analyze_scale_factor, etc. When you have an autovacuum process that has been running for a long time, the changed parameters are not reflected in the already running autovacuum process.
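To see the blocking described above before deciding what to do about it, here is a diagnostic query, added as an example and not taken from the original post, that lists every session waiting on a lock held by an autovacuum worker and tells the two kinds of autovacuum apart from the worker's reported query text. It uses only the standard pg_stat_activity view and pg_blocking_pids(), so it is not tied to the "accounts" table and covers any blocked DDL; the pids it returns are the ones the role described in the next section lets a non-superuser act on.

```sql
-- Added example (not part of the original post). Lists sessions that are waiting
-- on a lock and are blocked by an autovacuum worker, and classifies the worker.
-- Assumes PostgreSQL 10+ (for the backend_type column); no table names are assumed.
SELECT blocked.pid                         AS blocked_pid,
       left(blocked.query, 60)             AS blocked_query,
       av.pid                              AS autovacuum_pid,
       av.query                            AS autovacuum_query,
       now() - av.query_start              AS running_for,
       CASE
           -- the worker reports "(to prevent wraparound)" in its query text
           WHEN av.query LIKE '%(to prevent wraparound)%'
               THEN 'wraparound protection: does not cancel itself, blocks the DDL until done'
           ELSE 'normal autovacuum: cancels itself after deadlock_timeout once the DDL waits'
       END                                 AS autovacuum_kind
FROM pg_stat_activity AS blocked
-- pg_blocking_pids() returns the pids holding or queued ahead for the locks this session wants
JOIN pg_stat_activity AS av
  ON av.pid = ANY (pg_blocking_pids(blocked.pid))
WHERE blocked.wait_event_type = 'Lock'
  AND av.backend_type = 'autovacuum worker'
ORDER BY running_for DESC;
```

An empty result means no autovacuum worker is currently holding up a lock waiter, so the slowdown has another cause.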
Azure Database for PostgreSQL - Flexible Server customers have faced the challenge of not being able to terminate the process securely, with more granular control over the autovacuum process. If an autovacuum process is triggered at the same time as a business-critical DDL process and users do not have controlled access to this process, it can lead to a frustrating experience. In our latest release, we have implemented a solution that is secure, backward-compatible, and easy to integrate.

New role pg_signal_autovacuum_worker

We addressed this challenge by backporting the 'pg_signal_autovacuum_worker' role (which will be introduced in PostgreSQL 18) to all Azure Database for PostgreSQL flexible server versions 15 and higher. The 'pg_signal_autovacuum_worker' role helps you manage autovacuum tasks more effectively and allows non-superusers to terminate autovacuum processes. Users get controlled access to the autovacuum process with this new role.

Advantages of backporting the pg_signal_autovacuum_worker role

Backporting the 'pg_signal_autovacuum_worker' role has some important advantages:

Compatibility: backporting this role to previous versions ensures a seamless upgrade experience for existing PostgreSQL servers.
Security: users do not have access to this role by default. The role is granted to non-superusers without granting broader system-level access. It gives a more granular and secure way to manage autovacuum processes without compromising database integrity.

Steps to add the pg_signal_autovacuum_worker role

1. Let's create a new user using the below command:

CREATE USER john WITH PASSWORD 'Pass123';

2. Next, grant the 'pg_signal_autovacuum_worker' role to the newly created user:

GRANT pg_signal_autovacuum_worker TO john;

3. Now, confirm that the 'pg_signal_autovacuum_worker' role is assigned:

SELECT oid, rolname FROM pg_roles WHERE pg_has_role('john', oid, 'member');

  oid  |           rolname
-------+-----------------------------
  8916 | pg_signal_autovacuum_worker
 24826 | john

4. Now 'john', without being a member of 'azure_superuser', can terminate the autovacuum process:

SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE backend_type = 'autovacuum worker';

Conclusion

Managing autovacuum processes has always been tricky, especially for non-superusers, who couldn't directly control them in a managed service environment. Now, with the introduction of the 'pg_signal_autovacuum_worker' role in Azure Database for PostgreSQL flexible server, this is possible. Database users have a secure and flexible way to manage the autovacuum process without needing superuser access, making database maintenance easier and more efficient.

Co-organizer cannot unmute or share
For a recurring Teams meeting in which I am the organizer, one of my co-organizers was not permitted to unmute or share during a call where I was not present. We tested the meeting later, together, and even after I joined, the co-organizer's camera, mic and share buttons remained grayed-out, and this co-organizer was listed in my People pane as an Attendee. Here are the Meeting Option settings I have:

This person is included in the 'Choose co-organizers' list.
'Who can present' is set to 'Only organizers and co-organizers'.
'Who can bypass the lobby' is set to 'People in my org, trusted orgs, and guests'.
This person is in my organization (same company).
This person joined from their Outlook calendar.

Does anyone have any suggestions on how to fix this so that my co-organizers can conduct a meeting that I (as the organizer) cannot join? Thank you

Ensure users installing Outlook add-ins is not allowed affecting integrated apps/add-ins
I'm working on the usual chasing of Microsoft Secure Score; one recommendation we have that gives points and takes them away on a weekly basis is this one below. We don't have the three items unchecked in User Roles to accommodate this recommendation, so I figure it is a bugged recommendation.

Ensure users installing Outlook add-ins is not allowed

However, it would be nice to permanently make it so. But we have another area in M365 Admin that has integrated apps configured for a handful of third party add-ins and of course the Teams Add-In for Outlook. Would this be affected by turning on the above recommendation? Or is this just if the end user goes to add one on their own? Thank you.

RBAC Intune - Can not see devices
Hi @all :-), I have defined a custom role for our admins in different departments (see screenshot). The administrators are in a group, and the group is assigned to that role. Scope groups are assigned (users and devices in the department) and scope tags are set. But the department admin cannot access the device list (not authorized). What permission is missing? I hope someone can give me a hint. 🙂

Global Reader role to be able to view audit logs - error don't have the right permissions
I asked my Global Administrator to add my administrator account to be a Global Reader. I would like to read the audit logs. I have logged out of the web browser and it has been over an hour since I was granted this access. I have had my account for over a year. I am going to Microsoft 365 Compliance, Audit, search. Before I was given Global Reader, I could get to this area but the search button was grayed out. Now I can enter a search query. https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab I fill in the details and I get an error after I click on the search button.

Error
Looks like you don't have the right permissions to view this page or this feature isn't part of your organization's Microsoft 365 subscription. To get access, contact the person who assigns permissions or makes purchasing decisions. If you're a new user or were recently assigned permissions, try again in 15 minutes.

'Delete a user' permission needed for license removal?
We're still going through our termination process. We've got most of it mapped out but hit something strange. The people who do this have the following roles in AAD:

Help Desk Administrator
License Administrator
Password Administrator (needed for 'initiate sign out')
SharePoint Administrator (needed for OneDrive sharing)
User Administrator

In Office Admin, if they use the 'delete' on the user, it should:

Show them the licenses that will be removed (works for a global admin, doesn't work for this person)
Checkbox prompt to share the user OneDrive (works)
Delete the user (errors but expected in our case since we are synced with AD)

It's not telling them it's removing the existing license. However, if they do that step separately through the GUI, they have no problem, which is expected because they have the License Admin role. Does the delete script on a user in Office Admin need a different role to remove licenses?

Sharepoint permissions/roles
Hi, I am writing an application that has the following features: create/modify/delete sites, (un)assign user permissions, upload and deploy webparts, allow sharing sites/documents with externals (guests). This is all tested and possible with my application, but my application is using "Sharepoint Admin" permissions to accomplish this. This is way too much, and I am in search of permissions/roles that are within the above mentioned scope. I have looked into providing "site collection admin", but a site collection setup does not provide enough flexibility in assigning permissions to users to the sites, and also it is only for predefined, pre-created sites, while my application needs to be able to create several different sites. So far this is the main goal. Having said that, the second goal is to add boundaries to this permission so that it will not have permission outside certain sites. The URL of these sites will be predefined and before they are created. I have tried to accomplish this with:

AAD user with Sharepoint permissions, but could not find anything better than "Sharepoint admin", which has, as mentioned before, too many permissions.
Sharepoint Add-in, but could not find any way of setting the permissions to the above mentioned permission scope.
Azure App registration with ClientSecret or certificate, but this way the allowed permissions by Azure are inadequate. The limitations of this last point are described in the following article: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly

I hope that someone can help me find the correct way of accomplishing this, as I am certain I have overlooked something.

Intune Permissions
Hi, I am using roles within Intune and would like to grant access to the "enrollment issues" view for some HelpDesk guys. https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMonitorMenu/enrollmentFailures But I don't get which permission is responsible to enable that view. I cannot find anything in the documentation. thanks Sebastian