In this blog, I will share some quick tips, including Q&As and useful links, from Day 7 of our recently launched new batch of Microsoft Azure Solutions Architect (AZ-303/AZ-304).
In the Day 7 Live Session, we covered Azure RBAC (Role-Based Access Control), Azure Active Directory Roles, Azure Policy, Azure Blueprints, Azure Key Vault, and Managed Identities.
The previous week, in the Day 6 Live Session, we covered Azure SQL Service, Deployment Options, Azure SQL Database, Azure Resource Manager (ARM) Templates, Azure Quickstart Templates, Azure Virtual Hard Disks (VHDs), Azure Automation, and Runbooks in Azure Automation.
We also covered hands-on Lab 13 and Lab 16 out of our 25+ extensive labs (AZ-303).
So, here are some of the Q&As asked during the Live Session from Module 10: Implement and Manage Azure Governance Solutions and Module 11: Manage Security for Applications.
Azure RBAC (Role-Based Access Control)
In Azure governance, Azure RBAC (Role-Based Access Control) is the system that controls who has access to which Azure resources and what those people can do with them. A role can be described as a collection of permissions.
Azure RBAC has many built-in roles, and you can create custom roles.
Here are four fundamental built-in roles:
- Owner: Has full access to all resources, including the ability to delegate access to other users.
- Contributor: Can create and manage Azure resources.
- Reader: Can view only existing Azure resources.
- User Access Administrator: Can manage access to Azure resources.
➝ Read more about Azure RBAC.

Scope of Azure RBAC
The scope is the set of resources that access applies to. When you assign a role, it’s important to understand the scope so that you can grant a security principal just the access that it really needs. Scopes are structured in a parent-child relationship. Each level of hierarchy makes the scope more specific. You can assign roles at any of these levels of scope.

Q1: How does RBAC manage overlapping role assignments?
Ans: RBAC uses an additive model: a user's effective permissions are the union of all their role assignments. Where a user holds multiple roles, the administrator should review how those roles combine so that any overlaps between them are addressed and the user does not end up with more permissions than intended.
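To make the additive model and scope inheritance concrete, here is an added illustration (not Azure's own code) that computes whether a principal may perform an action given role assignments at different scopes. The role definitions, principal names, scope paths and deny assignment are constructed sample data; the wildcard and case-insensitive matching of operation strings follows how Azure operation names are compared.

```python
"""Effective Azure RBAC permissions for a principal (added illustration, not Azure's code).

Azure RBAC is additive: an action is allowed if ANY role assigned at the resource's
scope or at a parent scope (management group -> subscription -> resource group ->
resource) permits it. A role's NotActions are subtracted from its own Actions first,
and deny assignments override every role. All data below is constructed sample data.
"""
from fnmatch import fnmatchcase

# Constructed role definitions in the built-in style (Actions / NotActions).
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
}

def matches(pattern: str, action: str) -> bool:
    # Operation strings are compared case-insensitively; '*' is a wildcard.
    return fnmatchcase(action.lower(), pattern.lower())

def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    # An assignment at a parent scope is inherited by every child scope beneath it.
    return resource_scope == assignment_scope or resource_scope.startswith(assignment_scope + "/")

def role_allows(role: str, action: str) -> bool:
    role_def = ROLES[role]
    granted = any(matches(p, action) for p in role_def["Actions"])
    excluded = any(matches(p, action) for p in role_def["NotActions"])
    return granted and not excluded

def is_allowed(principal: str, action: str, resource_scope: str,
               assignments: list, denies: list = ()) -> bool:
    """assignments: (principal, role, scope) tuples; denies: (principal, action pattern, scope)."""
    # Deny assignments are checked first and win regardless of any role.
    for p, pattern, scope in denies:
        if p == principal and scope_covers(scope, resource_scope) and matches(pattern, action):
            return False
    # Additive model: the union of all inherited and direct role assignments.
    return any(p == principal and scope_covers(scope, resource_scope) and role_allows(role, action)
               for p, role, scope in assignments)

# Constructed example: Reader on the whole subscription, Contributor on one resource group.
ASSIGNMENTS = [
    ("alice", "Reader", "/subscriptions/sub1"),
    ("alice", "Contributor", "/subscriptions/sub1/resourceGroups/rg-app"),
]
DENIES = [("alice", "Microsoft.Compute/virtualMachines/delete", "/subscriptions/sub1")]
```

Running the checks shows that alice can read a VM anywhere in the subscription, can write only inside rg-app, and can never write role assignments there because Contributor's NotActions exclude them.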
Also Check: What is Blob Storage?
Azure Active Directory Roles
Azure AD also has its own set of roles, which apply mostly to users, passwords, and domains. These roles have different purposes.
Global Administrator: Can manage access to administrative features in Azure AD. A person in this role can grant administrator roles to other users, and they can reset a password for any user or administrator.
User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users.
Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to Azure RBAC permissions.
➝ Read more about Azure AD.

Q2: What is the difference between RBAC and Azure AD roles?
Ans: Azure AD roles are scoped at the tenant level, whereas Azure roles can be scoped at multiple levels: management group, subscription, resource group, or individual resource.
Check Out: Our blog post on Azure Blue Green Deployment.
Azure custom roles
You can create your own custom roles, just like built-in roles. You can assign custom roles to users, groups, and service principals at management group (in preview only), subscription, and resource group scopes.
Custom roles can be shared between subscriptions that trust the same Azure AD directory.

Q3: Is there any limit for Custom roles?
Ans: There is a limit of 5,000 custom roles per directory. (For Azure Germany and Azure China 21Vianet, the limit is 2,000 custom roles.)
Q4: Where are Azure custom roles stored?
Ans: Custom roles are stored in Azure Active Directory (Azure AD) and can be shared across subscriptions.
Azure Policy
Policies are sets of rules that specify what can and cannot be created in either a single resource group or a full subscription.
Azure Policy is a free Azure service that allows you to create policies, assign them to resources, and receive alerts or take action in cases of non-compliance with these policies. Azure Policy allows you to define both individual policies and groups of related policies, known as initiatives.
➝ Read more about Azure Policy.

Q5: Can I create custom policies?
Ans: Yes, Azure Policy comes with a set of built-in policies, but you can also create custom policies. A custom policy definition allows customers to define their own rules for using Azure. These rules often enforce:
- Security practices
- Cost management
- Organization-specific rules
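A custom policy definition is a JSON document pairing an "if" condition tree with a "then" effect. The following is an added illustration (not the Azure Policy engine) that evaluates such a rule against a resource description; the policy, the resource dicts and the flat field keys standing in for Azure's aliases are constructed for the example, and only the allOf / anyOf / not / equals / notEquals / exists operators are supported.

```python
"""Mini evaluator for an Azure Policy rule (added illustration, not the Azure Policy engine).

A policy definition pairs an "if" condition tree over resource fields with a "then"
effect. Here the resource is a constructed flat dict whose keys stand in for Azure's
field aliases; the real service resolves aliases against the ARM payload and
compares values as case-insensitive strings, which _norm() mirrors.
"""

# Constructed custom policy: deny storage accounts that accept plain HTTP or carry
# no "env" tag, the kind of security / organisation-specific rule described above.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"},
            {"field": "tags['env']", "exists": "false"},
        ]},
    ]},
    "then": {"effect": "deny"},
}

def _norm(value):
    # Policy compares as case-insensitive strings, so True and "true" are equal.
    return None if value is None else str(value).lower()

def _leaf(cond: dict, resource: dict) -> bool:
    """Evaluate one field condition; a field absent from the resource counts as missing."""
    value = _norm(resource.get(cond["field"]))
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(cond: dict, resource: dict) -> bool:
    """Recursively evaluate a condition tree built from allOf / anyOf / not / field."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    return _leaf(cond, resource)

def effect_for(resource: dict, rule: dict = POLICY_RULE) -> str:
    """Effect the rule would apply to the resource ('deny', 'audit', ...) or 'none'."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "none"
```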
Q6: What is the difference between RBAC and Policy?
Ans: RBAC grants users the least privilege they need to get their work done, without affecting other aspects of an instance or subscription, as set out by the governance plan.
Policies, on the other hand, play a slightly different role in governance: Azure Policy focuses on resource properties, both during deployment and for already existing resources.
Azure Blueprints
Azure Blueprints, like architectural blueprints, define Azure resources that implement an organization's standards, patterns, and requirements. By leveraging Azure Blueprints, engineers can quickly build and deploy new environments.
Azure Blueprints provides a mechanism to create, update, and version artifacts (such as policies, RBAC assignments, resource groups, and ARM templates) and assign them to environments.
➝ Read more about Azure Blueprints.

Q7: What is the difference between a blueprint and an Azure Resource Manager template?
Ans: While Resource Manager templates are used only during deployment and do not preserve relationships with deployed resources, Azure Blueprints preserve these relationships, supporting improved tracking and auditing of deployments and the ability to upgrade subscriptions governed by the same blueprint.
Azure Key Vault
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. The Key Vault service supports two types of containers: vaults and managed hardware security module (HSM) pools.
➝ Read more about Azure Key Vault.

Q8: Can I import an expired certificate to Azure Key Vault?
Ans: No, expired PFX (Personal Exchange Format) certificates can't be imported into Key Vault.
Q9: Can I import a certificate by using an ARM template?
Ans: No, it isn’t possible to perform certificate operations by using an Azure Resource Manager (ARM) template. A recommended workaround would be to use the certificate import methods in the Azure API, the Azure CLI, or PowerShell. If you have an existing certificate, you can import it as a secret.
Also Check: Our blog post on Azure Service Bus.
Managed identities
Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens.
Managed identities eliminate the need for developers to manage credentials.
There are two types of managed identities:
- System-assigned: A system-assigned managed identity is created in Azure AD and is tied to the lifecycle of that service instance, so when the resource is deleted, Azure automatically deletes the identity for you.
- User-assigned: You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.
Q10: Can User Assigned Identity be converted to System Assigned Identity?
Ans: No. You have to choose whether to use a user-assigned or a system-assigned identity; the choice depends on your requirements.
Authentication
To do any operations with Key Vault, you first need to authenticate to it. There are three ways to authenticate to Key Vault:
- Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault.
- Service principal and certificate: You can use a service principal and an associated certificate that has access to Key Vault.
- Service principal and secret: Although you can use a service principal and a secret to authenticate to Key Vault, Microsoft doesn’t recommend it.

Q11: What is the relationship between managed identity and service principal?
Ans: A managed identity is a type of service principal.
A service principal can be one of three types: application, managed identity, and legacy. The division into types is based on the circumstances of their usage. Thus their specific handling also differs based on their type.
Quiz Time (Sample Exam Questions)!
With our Microsoft Azure Solutions Architect training program, we cover 220+ [AZ-303] and 200+ [AZ-304] sample exam questions to help you prepare for the AZ-303 and AZ-304 certifications.
Note: Download the 25 Sample Exam-Questions of Microsoft Azure Solutions Architect from here.
Check out one of the questions and see if you can crack this…
Ques: Which of the following would you use to store asymmetric keys to allow for real-time I/O encryption and decryption of Azure SQL database data and log files?
A. Azure AD Privileged Identity Management
B. Azure AD Managed Service Identity
C. Azure Key Vault
D. Azure Security Center
The right answer will be revealed in my next week’s email.
Here is the answer to the question shared last week.
Ques: Which of the following best describes the format of an Azure Resource Manager template? Select one.
A. A Markdown document with a pointer table
B. A JSON document with key-value pairs
C. A TXT document with key-value pairs
D. An XML document with element-value pairs
Answer: B. A JSON document with key-value pairs
Explanation: An Azure Resource Manager template is a JSON document with key-value pairs.
Feedback
We always work on improving and being a better version of ourselves than in the previous session, so we constantly ask our attendees for feedback.
Here’s the feedback that we received from our trainees who had attended the session.

Related/References
- AZ 303/304: Microsoft Azure Solutions Architect: Step By Step Activity Guides (Hands-On Labs)
- [Recap] Day 1: Azure Active Directory [Azure Solutions Architect]
- [Recap] Day 2: Implement and Manage Hybrid Identities & Virtual Networking: [Azure Solutions Architect]
- [Recap] Day 3: Implement VMs for Windows and Linux: [Azure Solutions Architect]
- [Recap] Day 4: Load Balancing and Network Security [Azure Solutions Architect]
- [Recap] Day 5: Storage Accounts & NoSQL Databases [Azure Solutions Architect]
- [Recap] Day 6: Azure SQL Databases & Automate Deployment and Configuration of resources[Azure Solutions Architect]
- Top 10 Best Practices for Azure Security in 2021
- Tips To Prepare Exam AZ-304: Microsoft Azure Architect Design
- Exam AZ-305: Azure Solutions Architect Expert Certification
Next Task For You
Begin your journey toward Mastering Azure Cloud and landing high-paying jobs. Just click on the register now button on the below image to register for a Free Class on Mastering Azure Cloud: How to Build In-Demand Skills and Land High-Paying Jobs. This class will help you understand better, so you can choose the right career path and get a higher paying job.
