What are the primary security areas you need to master under the “Implement Azure Security” domain?
Key topics include:
- Implementing authentication and authorization (e.g., Microsoft Entra ID, OAuth 2.0).
- Securing data with Azure Key Vault for keys, secrets, and certificates.
- Using Managed Identities to eliminate credential management.
How can you use the Microsoft Authentication Library (MSAL) in .NET to authenticate an application with Microsoft Entra ID?
Use the PublicClientApplicationBuilder to acquire a token:
```csharp
using Microsoft.Identity.Client;
var app = PublicClientApplicationBuilder
.Create(“your_client_id”)
.WithAuthority(“https://login.microsoftonline.com/your_tenant_id”)
.Build();
var scopes = new[] { “User.Read” };
var result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
string accessToken = result.AccessToken;
```
This authenticates interactively and retrieves an access token for the specified scope.
What is the difference between delegated permissions and application permissions when authorizing with Microsoft Entra ID?
- Delegated Permissions: Used when a signed-in user is present; the app acts on behalf of the user (e.g., accessing user data with user consent).
- Application Permissions: Used for apps running without a user (e.g., daemons); the app acts as itself and requires admin consent (e.g., reading all users in a tenant).
How do you enable a system-assigned Managed Identity for an Azure App Service using the Azure CLI?
Use the az webapp identity assign command:
bash az webapp identity assign --resource-group <resource-group> --name <app-name>
This enables a system-assigned identity tied to the app’s lifecycle, allowing it to authenticate to Azure resources without managing credentials.
What are the primary features of Azure Key Vault that help secure data for applications?
Key features include:
- Secrets Management: Securely store tokens, passwords, and API keys.
- Key Management: Create and control encryption keys.
- Certificate Management: Provision, manage, and deploy SSL/TLS certificates.
All are protected with Microsoft Entra ID authentication and role-based access control (RBAC).
How can you generate a new version of a key in Azure Key Vault using the Azure CLI?
Use the az keyvault key rotate command:
bash az keyvault key rotate --vault-name mykeyvault --name mykey
This generates a new key version based on the existing key policy.
What are some recommended best practices for managing Azure Key Vault to ensure security and operational efficiency?
Best practices include:
- Use separate vaults per application per environment (e.g., dev, prod).
- Control access with Microsoft Entra ID and RBAC or Key Vault access policies.
- Enable logging and alerts for monitoring.
- Enable soft-delete and purge protection to prevent accidental data loss.
- Regularly back up vaults on key/secret/certificate updates.
How do you create and implement a shared access signature (SAS) to provide delegated access to Azure Blob Storage resources?
Use the Azure Storage SDK for .NET:
```csharp
using Azure.Storage.Blobs;
var blobServiceClient = new BlobServiceClient(“connection_string”);
var containerClient = blobServiceClient.GetBlobContainerClient(“mycontainer”);
var sasBuilder = new BlobSasBuilder
{
BlobContainerName = containerClient.Name,
Resource = “c”, // Container-level SAS
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
Protocol = SasProtocol.Https,
Permissions = BlobSasPermissions.Read | BlobSasPermissions.Write
};
var sasToken = containerClient.GenerateSasUri(sasBuilder);
Console.WriteLine($”SAS URI: {sasToken}”);
```
This generates a SAS token for read/write access to the container for one hour, secure via HTTPS.
How do you implement a solution using .NET to interact with Microsoft Graph to retrieve user profile data?
Use the Microsoft.Graph SDK with MSAL for authentication:
1. Register an app in Microsoft Entra ID and get client ID/secret.
2. Authenticate and acquire a token:
```csharp
using Microsoft.Identity.Client;
using Microsoft.Graph;
var app = PublicClientApplicationBuilder
.Create(“your_client_id”)
.WithAuthority(“https://login.microsoftonline.com/your_tenant_id”)
.Build();
var scopes = new[] { “User.Read” };
var result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
string accessToken = result.AccessToken;
var graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(
requestMessage =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue(“Bearer”, accessToken);
return Task.CompletedTask;
}));
var user = await graphClient.Me.Request().GetAsync();
Console.WriteLine($”User: {user.DisplayName}”);
```
This retrieves the current user’s profile using Microsoft Graph.
What are the primary differences between Azure AD for developers (v1.0) and the Microsoft Identity Platform (v2.0) in terms of authentication and target audiences?
- Azure AD for Developers (v1.0):
- Uses Azure AD Authentication Library (ADAL), Entra ID endpoint (v1.0), and targets work/school accounts via Active Directory Federation Services (AD FS).
- Limited to Azure AD tenants, using older protocols and libraries.
- Microsoft Identity Platform (v2.0):
- Uses Microsoft Authentication Library (MSAL), Microsoft Entra endpoint, and supports work/school accounts, personal Microsoft accounts, social accounts (Azure AD B2C), and local accounts (Entra External ID).
- Offers broader audience support, modern protocols, and unified authentication across platforms.
V2.0 is recommended for new applications due to its flexibility and broader compatibility.
How do you enable customer-managed key capability for Azure Key Vault to encrypt app configuration data?
Use the Azure CLI to enable customer-managed keys:
1. Create a key vault:
bash az keyvault create --name mykeyvault --resource-group myResourceGroup --location eastus
2. Create a key for encryption:
bash az keyvault key create --vault-name mykeyvault --name mykey --protection software
3. Enable customer-managed keys for an Azure resource (e.g., App Service):
bash az webapp identity assign --name mywebapp --resource-group myResourceGroup az keyvault set-policy --name mykeyvault --object-id <app-identity-object-id> --key-permissions get list update
This allows the app to use Key Vault keys for encryption via Managed Identity.
How do you configure an Azure application to use Azure Key Vault keys for securing app configuration data?
Configure the application to use Key Vault keys via Managed Identity:
1. Enable system-assigned identity for the app:
bash az webapp identity assign --name mywebapp --resource-group myResourceGroup
2. Grant access to Key Vault:
bash az keyvault set-policy --name mykeyvault --object-id <app-identity-object-id> --key-permissions get list
3. Use the .NET SDK to access keys:
```csharp
using Azure.Security.KeyVault.Keys;
var client = new KeyClient(new Uri(“https://mykeyvault.vault.azure.net/”), new DefaultAzureCredential());
KeyVaultKey key = await client.GetKeyAsync(“mykey”);
Console.WriteLine($”Key: {key.Name}”);
```
This secures configuration data using Key Vault keys.
How do you configure private endpoints for Azure App Configuration to secure app configuration data?
Use Azure CLI to create a private endpoint:
1. Create an App Configuration store:
bash az appconfig create --name myappconfig --resource-group myResourceGroup --location eastus
2. Create a private endpoint in a virtual network:
bash
az network private-endpoint create \
--name myprivateendpoint \
--resource-group myResourceGroup \
--vnet-name myvnet \
--subnet mySubnet \
--private-connection-resource-id /subscriptions/<sub-id>/resourceGroups/myResourceGroup/providers/Microsoft.AppConfiguration/configurationStores/myappconfig \
--group-ids configurationStores
This restricts access to the App Configuration store via a private network, enhancing security.
How do you programmatically manage certificates in Azure Key Vault using the .NET certificates client library, including create, update, list, and delete operations?
Use the Azure.Security.KeyVault.Certificates library:
```csharp
using Azure.Security.KeyVault.Certificates;
var client = new CertificateClient(new Uri(“https://mykeyvault.vault.azure.net/”), new DefaultAzureCredential());
// Create a certificate
var createParameters = new CertificateCreateParameters(“mycert”, new X509Certificate2(“path/to/cert.pfx”));
CertificateOperation operation = await client.StartCreateCertificateAsync(createParameters);
await operation.WaitForCompletionAsync();
// List certificates
AsyncPageable<CertificateWithPolicy> certificates = client.GetCertificatesAsync();
await foreach (var cert in certificates)
{
Console.WriteLine($"Certificate: {cert.Name}");
}</CertificateWithPolicy>
// Update certificate policy
var policy = await client.GetCertificatePolicyAsync(“mycert”);
policy.Subject = “CN=UpdatedSubject”;
await client.UpdateCertificatePolicyAsync(“mycert”, policy);
// Delete certificate
await client.DeleteCertificateAsync(“mycert”);
```
This manages certificates, policies, issuers, and contacts programmatically.
How do you manage keys in Azure Key Vault using the .NET keys client library, including creating, retrieving, updating, deleting, and handling RSA and EC keys?
Use the Azure.Security.KeyVault.Keys library:
```csharp
using Azure.Security.KeyVault.Keys;
var client = new KeyClient(new Uri(“https://mykeyvault.vault.azure.net/”), new DefaultAzureCredential());
// Create an RSA key
KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(“myrsakey”, new CreateRsaKeyOptions { KeySize = 2048 });
// Create an EC key
KeyVaultKey ecKey = await client.CreateEcKeyAsync(“myeckey”, new CreateEcKeyOptions { CurveName = KeyCurveName.P256 });
// Retrieve a key
KeyVaultKey retrievedKey = await client.GetKeyAsync(“myrsakey”);
Console.WriteLine($”Key: {retrievedKey.Name}”);
// Update key properties
var key = await client.GetKeyAsync(“myrsakey”);
await client.UpdateKeyPropertiesAsync(key.Properties, enabled: false);
// Delete key
await client.DeleteKeyAsync(“myrsakey”);
await client.PurgeDeletedKeyAsync(“myrsakey”);
```
This supports RSA and EC keys with full lifecycle management.
How do you manage secrets in Azure Key Vault using the .NET secrets client library, including creating, retrieving, updating, deleting, and handling versions?
Use the Azure.Security.KeyVault.Secrets library:
```csharp
using Azure.Security.KeyVault.Secrets;
var client = new SecretClient(new Uri(“https://mykeyvault.vault.azure.net/”), new DefaultAzureCredential());
// Create a secret
KeyVaultSecret secret = await client.SetSecretAsync(“mysecret”, “mysecretvalue”);
// Retrieve a secret
KeyVaultSecret retrievedSecret = await client.GetSecretAsync(“mysecret”);
Console.WriteLine($”Secret: {retrievedSecret.Value}”);
// Update a secret
await client.UpdateSecretAsync(“mysecret”, new SecretProperties { Value = “newsecretvalue” });
// Delete a secret
await client.DeleteSecretAsync(“mysecret”);
await client.PurgeDeletedSecretAsync(“mysecret”);
```
This manages secrets like tokens and passwords securely.
How do you create and enable a system-assigned managed identity for an Azure virtual machine, including the required role assignment?
Use the Azure CLI:
1. Create or update a VM with a system-assigned identity:
bash
az vm create \
--resource-group myResourceGroup \
--name myvm \
--image UbuntuLTS \
--assign-identity
2. Ensure your account has the Virtual Machine Contributor role (no additional Azure AD roles needed):
bash
az role assignment create \
--assignee <your-user-object-id> \
--role "Virtual Machine Contributor" \
--resource-group myResourceGroup
This enables the identity for Azure AD authentication.
What are the key features of Stored Access Policies in Azure Storage, and how do they enhance the management of shared access signatures (SAS) tokens?
Stored Access Policies in Azure Storage offer:
- Grouping SAS Tokens: Manage multiple SAS tokens under one policy for easier permission updates.
- Control Over Parameters: Set start time, expiry time, and permissions for SAS tokens via the policy.
- Revoking Access: Revoke SAS tokens by updating or deleting the policy, without changing account keys.
- Supported Resources: Apply to blob containers, file shares, queues, and tables.
They enhance SAS token management by providing centralized control, flexible revocation, and consistent permissions across resources.
How should you configure an Azure Function to ensure only authorized clients can invoke it in a real-time mobile tracking application that uses Azure Web PubSub for data streaming?
Implement Azure AD authentication for the Azure Function because:
- It ensures only authenticated clients can invoke the function by validating Azure AD tokens.
- Integrates seamlessly with Azure Web PubSub, which can also use Azure AD for client authentication.
- Provides enterprise-grade security with support for various authentication flows.
Other options like SAS (better for Storage), HTTP header whitelisting, or IP restrictions don’t offer the same level of secure, identity-based access control.
What configuration should you apply to an Azure App Service web app to securely access Azure Key Vault without embedding credentials?
Assign a managed identity to the App Service and configure Key Vault access policies because:
- Managed identity eliminates credential management by using Azure AD authentication.
- The App Service can obtain tokens to access Key Vault securely.
- Key Vault access policies grant specific permissions (e.g., get, list) to the identity.
Other options like service endpoints, storing secrets in settings, or Azure AD app registrations are less secure or more complex.
What three attributes should you configure in a web application using the Microsoft identity platform to enable it to request tokens for APIs?
Configure these three attributes:
- Application ID: Uniquely identifies the app in Azure AD for authentication.
- Redirect URI: Specifies where to redirect users after authentication in OAuth flows.
- Client Secret: Secures the app’s identity for token requests.
Other options like tenant ID, resource endpoint, or application name aren’t directly required for token requests.
What parameter or configuration is critical for enabling delegated access during the OAuth 2.0 flow in a web app using the Microsoft identity platform to access a user’s calendar and send meeting invites?
Use the scope parameter because:
- It defines the permissions (e.g., Calendars.ReadWrite, Mail.Send) the app requests.
- Ensures the access token includes delegated access to act on the user’s behalf.
- Aligns with least privilege by requesting only necessary permissions.
Other options like redirect URI, access_type, or grant_type don’t specify permissions.
How does the scope parameter enable delegated access in the OAuth 2.0 flow for a web app using the Microsoft identity platform?
The scope parameter in OAuth 2.0:
- Specifies permissions (e.g., Calendars.Read, Mail.Send) the app needs to act on the user’s behalf.
- Presents a consent screen to the user, granting delegated access upon approval.
- Ensures the access token includes only the requested permissions, enhancing security.
It’s essential for enabling specific actions like accessing calendars or sending invites.
Which claim should you prioritize to ensure reliable user identification across tenants in a multi-tenant Azure web app using the Microsoft identity platform?
Prioritize the tid (tenant ID) claim because:
- It uniquely identifies the Azure AD tenant the user belongs to.
- Ensures user identification across tenants, preventing conflicts in multi-tenant apps.
- Supports data isolation and security by segregating tenant-specific resources.
Other claims like oid, upn, or sid don’t provide tenant-level identification.
-
Develop Azure Compute Solutions (25-30%)111
-
Develop for Azure Storage (15-20%)82
-
Implement Azure Security (15-20%)41
-
Monitor, Troubleshoot, and Optimize Azure Solutions (10-15%)25
-
Connect to and Consume Azure Services and Third-party Services (20-25%)38
-
Case Studies32
-
Test111
-
Connect to Test38
