Azure Key Vault is a cloud-based service that provides secure data storage, including tokens, secrets, and certificates. Another service that works hand-in-hand with Azure Key Vault is Azure Active Directory service principals, which are used to represent specific resources that need to request data from the Key Vault. In today’s post, we are going to learn about implementing Azure Key Vault and Azure Active Directory service principals, relevant knowledge for exam PL-400 Microsoft Power Platform Developer.
Azure Key Vault
Azure Key Vault helps solve the following issues:
- Secrets Management: It helps with securely storing and strictly controlling access to tokens, passwords, certificates, API keys, and other secrets.
- Key Management: It provides secure key management to protect cryptographic keys used by cloud applications and services.
- Certificate Management: Allows you to easily create, manage, and control SSL/TLS certificates.
To get started with Azure Key Vault, you need to create a vault and secure it by setting up access policies.
Example of creating an Azure Key Vault using Azure CLI:
az keyvault create --name 'myKeyVault' --resource-group 'myResourceGroup' --location 'westus'
Azure Active Directory service principals
Service principals are the application equivalent of a user in Azure Active Directory and are used to set permissions for server-to-server authentication through Azure Active Directory (AD). Service principals have a global representation and each service principal is associated with an application.
Here are some roles service principals take:
- A security principal to allow an Azure DevOps pipeline to pull code from an Azure Repo.
- A security principal to allow AKS to pull ACR images.
- A security principal to allow an Azure Function to write data to CosmosDB.
Creating service principals can be done through Azure Portal, PowerShell, or Azure CLI.
Example of creating a service principal using Azure CLI:
az ad sp create-for-rbac --name myFirstApp
That would create a new service principal named `myFirstApp` and return the `appId`, `displayName`, `name`, `password`, and `tenant`. The `appId` and `password` can then be used as a client ID and client secret for applications.
Linking Azure Key Vault and Azure AD Service Principals
Once the Azure Key Vault and Azure AD service principals are set up, the two can be linked together.
To give the Azure AD service principal permissions to the key vault, an access policy needs to be set up. This can be done through Azure Portal, PowerShell, or Azure CLI.
Example of setting an access policy using Azure CLI:
az keyvault set-policy --name 'myKeyVault' --spn '<appId of myFirstApp>' --secret-permissions get list
This command gives the service principal identified by the `appId` returned when `myFirstApp` was created permission to `get` and `list` secrets in the key vault `myKeyVault`. Note that `--spn` expects the service principal name (the `appId`, or an identifier URI), not the display name; `<appId of myFirstApp>` is a placeholder for that value.
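The three steps above (create the vault, create the service principal, grant it an access policy) chained into one script, as an added example that is not code from the original post: it passes the `appId` to `--spn`, grants only read access, and verifies the grant from the service principal's side. `myKeyVault`, `myResourceGroup`, `myFirstApp` and the secret name `DbConnString` are assumed placeholder names.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: chain the vault, the service
# principal and the access policy, passing the appId (what --spn expects) rather
# than the display name, grant only read access, and verify the grant as the
# service principal. myKeyVault, myResourceGroup, myFirstApp and the secret
# DbConnString are assumed placeholder names.
set -eu

VAULT="myKeyVault"; RG="myResourceGroup"; LOCATION="westus"; APP="myFirstApp"

# Least privilege: this script only ever grants read-type secret permissions.
# 'list' reveals every secret name in the vault, so request it only when needed.
allowed_secret_permissions() {
  local p
  for p in "$@"; do
    case "$p" in
      get|list) ;;
      *) echo "refusing to grant secret permission '$p'" >&2; return 1 ;;
    esac
  done
}

grant_secret_read() {   # usage: grant_secret_read <appId> <permission>...
  local app_id="$1"; shift
  allowed_secret_permissions "$@"
  az keyvault set-policy --name "$VAULT" --spn "$app_id" --secret-permissions "$@" >/dev/null
}

provision() {
  # Access-policy model, as on this page; newer CLI versions default to RBAC.
  az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization false >/dev/null
  # create-for-rbac prints the password exactly once; keep it in memory only.
  local password app_id tenant cfg
  password="$(az ad sp create-for-rbac --name "$APP" --query password -o tsv)"
  app_id="$(az ad sp list --display-name "$APP" --query "[0].appId" -o tsv)"
  tenant="$(az account show --query tenantId -o tsv)"
  grant_secret_read "$app_id" get
  az keyvault secret set --vault-name "$VAULT" --name DbConnString --value 'placeholder' >/dev/null
  # Verify as the service principal in a throwaway CLI profile so the
  # operator's own login is left untouched; prints 'placeholder' on success.
  cfg="$(mktemp -d)"
  AZURE_CONFIG_DIR="$cfg" az login --service-principal -u "$app_id" -p "$password" --tenant "$tenant" >/dev/null
  AZURE_CONFIG_DIR="$cfg" az keyvault secret show --vault-name "$VAULT" --name DbConnString --query value -o tsv
  rm -rf "$cfg"
}

# Runs only when explicitly asked: ./script.sh run
if [ "${1:-}" = "run" ]; then provision; fi
```

Invoke with the `run` argument from a shell that is already logged in with rights to create the vault and register the application; the validation function rejects any secret permission beyond `get` and `list`.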
Conclusion
Understanding and implementing Azure Key Vault and Azure Active Directory service principals is a crucial aspect for any Microsoft Power Platform Developer (exam PL-400). By securely storing secrets in Azure Key Vault and controlling access using Azure AD service principals, your application can significantly enhance its security profile.
Practice Test
True/False: Azure Key Vault is used to safeguard cryptographic keys and secrets used by cloud services and applications.
- True
- False
Answer: True.
Explanation: Azure Key Vault is a cloud service that works as a secure secrets store. It simplifies the process of maintaining keys and secrets by providing a way to securely store and tightly control access to them.
You can store tokens in Azure Key Vault.
- True
- False
Answer: True.
Explanation: Azure Key Vault can securely store tokens, passwords, certificates, API keys, and other secrets.
Azure Key Vault helps to manage keys for all Azure services.
- True
- False
Answer: False.
Explanation: Azure Key Vault specifically helps manage cryptographic keys and secrets used by Azure services and software.
Azure Key Vault ensures disaster recovery for Azure resources.
- True
- False
Answer: False.
Explanation: Azure Key Vault doesn’t ensure disaster recovery. It is used for securing sensitive information, not backing up or recovering Azure resources.
Service principals in Azure Active Directory can be used to access resources that are secured by an Azure subscription.
- True
- False
Answer: True.
Explanation: An Azure service principal is an entity that’s used to enable access to Azure resources across Azure subscriptions without the requirement of human intervention.
Azure Active Directory service principals can only be created by the admin of the Azure Active Directory.
- True
- False
Answer: False.
Explanation: Any user can create a service principal as long as they have the required permissions to register an application in the Azure Active Directory.
Single select: The identities of Azure Active Directory service principals…
- A. Can be used to manage access to resources.
- B. Can only be used by Azure resources.
- C. Can be used to represent Azure services.
Answer: A. Can be used to manage access to resources.
Explanation: The identities of Azure Active Directory service principals can be managed to govern resource access.
Single select: Which of these items cannot be stored in Azure Key Vault?
- A. Encryption keys.
- B. Certificates.
- C. Tokens.
- D. Virtual machine images.
Answer: D. Virtual machine images.
Explanation: Azure Key Vault is not meant to store large data objects like VM images. It stores keys, secrets, and certificates.
Azure Key Vault works both in Azure and on-premise server.
- True
- False
Answer: False.
Explanation: Azure Key Vault is a cloud-based service. It does not work on on-premise servers.
Service principals in Active Directory are used for…
- A. Role-based access control.
- B. Cryptographic key storage.
- C. Automation of Azure resource deployment.
- D. Issuing TLS certificates.
Answer: A. Role-based access control.
Explanation: Service principals enable access to resources using role-based access control by using the identity of the service principal.
Azure Key Vault does not support versioning of secrets.
- True
- False
Answer: False.
Explanation: Azure Key Vault does support versioning of secrets as well as keys and certificates.
Which Azure service helps in storing and accessing application secrets in a centralized secured manner?
- A. Azure Active Directory.
- B. Azure Blob Storage.
- C. Azure Key Vault.
- D. Azure Logic Apps.
Answer: C. Azure Key Vault.
Explanation: Azure Key Vault is a service to securely store and selectively share keys, passwords, certificates, and other secrets.
Azure Active Directory service principals can be used to authenticate applications, services, and workflows.
- True
- False
Answer: True.
Explanation: Service principals provide applications, services, and workflows with an identity, allowing them to authenticate and access resources.
Azure Key Vault encrypts everything you store in it.
- True
- False
Answer: True.
Explanation: Azure Key Vault encrypts data using hardware security modules (HSMs). The data is encrypted at rest and during transmission.
You cannot recover a deleted Azure Key Vault.
- True
- False
Answer: False.
Explanation: Azure Key Vault can be recoverable if the soft-delete option is enabled.
Interview Questions
What is Azure Key Vault used for in a Microsoft Power Platform implementation?
Azure Key Vault is a cloud service used for managing application secrets. It’s typically used to store and control access to tokens, passwords, certificates, API keys, and other secrets, thus ensuring their security.
What is Azure Active Directory service principal?
An Azure Active Directory service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. It can be thought of as a user identity or role, but for an application.
How does Azure Key Vault protect sensitive data?
Azure Key Vault uses a system of policies and controls that grant selective access to keys, secrets, and certificates. The data is protected both at rest and in transit, ensuring that sensitive information is never exposed.
How can an Azure service principal be created?
An Azure service principal can be created through the Azure portal or using Azure CLI or PowerShell commands. You typically need to specify a name, choose whether it should be a single or multi-tenant application, and provide redirect URIs.
What is the primary function of service principals in Azure Active Directory (Azure AD)?
The primary function of service principals in Azure AD is to authenticate and authorize applications and services to access Azure resources within a specific scope.
Can you use Azure Key Vault with Power Apps?
Yes, you can use Azure Key Vault with Power Apps. You can store and securely access secrets such as connection strings, access keys, or any other pieces of sensitive information that your Power App might need.
How can you assign a role to a service principal in the Azure portal?
Assigning a role to a service principal in the Azure portal can be achieved via the ‘IAM’ (Identity and Access Management) section where you can select ‘Add Role Assignment’, choose the type of role, and then apply it to the service principal.
What types of objects can be stored in the Azure Key Vault?
The Azure Key Vault can secure keys (for encryption and decryption), secrets (like connection strings or passwords), and certificates.
Can a service principal be used to access resources in other Azure AD tenants?
Yes, a service principal can be used to access resources in other Azure AD tenants. This is because a service principal created in one tenant can be treated as a guest in another tenant.
How to configure Azure Key Vault to allow access only from specific virtual networks?
The Azure Key Vault firewall can be configured to allow access only from specific virtual networks by enabling the ‘Private Endpoints’ or ‘Virtual network service endpoints’ options in the “Firewalls and virtual networks” settings of the Key Vault.
What is the purpose of a certificate in Azure Key Vault?
Certificates in Azure Key Vault generally serve authentication purposes. They can be used for SSL/TLS for securing an application, or for client authentication to validate the identity of a user or application.
Which one is a recommended practice — assign permissions to users directly or assign permissions to a group, and then add users to the group?
A recommended practice is to assign permissions to a group, and then add users to the group. This approach greatly simplifies access management and enhances security.
Is it possible to monitor Azure Key Vault usage?
Yes, Azure Key Vault usage can be monitored. Azure Monitor and Azure Security Center provide several services that can monitor Key Vault activity and raise alerts.
How can an application use a service principal to access Azure resources?
An application can use a service principal to access Azure resources by providing the service principal’s credentials as part of its connection configuration. This will allow Azure AD to authenticate and authorize the application to use specified resources.
What types of access policies can be configured in Azure Key Vault?
Azure Key Vault supports several types of access policies, including key permissions, secret permissions, and certificate permissions. These can be configured to grant varying levels of permissions to Azure AD identities like users, groups, and service principals.