Source from repo

Azure Prepare

Prepare applications for Azure deployment by generating infrastructure code, Dockerfiles, and config files.

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

164

Skill

n/a

Size

546.7 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/security.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown272 linesFree

references/security.md

1# Security Hardening
2 
3Secure Azure resources following Zero Trust principles.
4 
5## Security Principles
6 
71. **Zero Trust** — Never trust, always verify
82. **Least Privilege** — Minimum required permissions
93. **Defense in Depth** — Multiple security layers
104. **Encryption Everywhere** — At rest and in transit
11 
12---
13 
14## Security Services
15 
16| Service | Use When | MCP Tools | CLI |
17|---------|----------|-----------|-----|
18| Key Vault | Secrets, keys, certificates | `azure__keyvault` | `az keyvault` |
19| Managed Identity | Credential-free authentication | — | `az identity` |
20| RBAC | Role-based access control | `azure__role` | `az role` |
21| Entra ID | Identity and access management | — | `az ad` |
22| Defender | Threat protection, security posture | — | `az security` |
23 
24### MCP Tools (Preferred)
25 
26When Azure MCP is enabled:
27 
28**Key Vault:**
29- `azure__keyvault` with command `keyvault_list` — List Key Vaults
30- `azure__keyvault` with command `keyvault_secret_list` — List secrets
31- `azure__keyvault` with command `keyvault_secret_get` — Get secret value
32- `azure__keyvault` with command `keyvault_key_list` — List keys
33- `azure__keyvault` with command `keyvault_certificate_list` — List certificates
34 
35**RBAC:**
36- `azure__role` with command `role_assignment_list` — List role assignments
37- `azure__role` with command `role_definition_list` — List role definitions
38 
39### CLI Quick Reference
40 
41```bash
42# Key Vault
43az keyvault list --output table
44az keyvault secret list --vault-name VAULT --output table
45 
46# RBAC
47az role assignment list --output table
48 
49# Managed Identity
50az identity list --output table
51```
52 
53---
54 
55## Identity and Access
56 
57### Checklist
58 
59- [ ] Use managed identities (no credentials in code)
60- [ ] Enable MFA for all users
61- [ ] Apply least privilege RBAC
62- [ ] Use Microsoft Entra ID for authentication
63- [ ] SQL Server: Entra-only auth — NEVER generate `administratorLogin` or `administratorLoginPassword` anywhere in Bicep, including inside conditional branches (see [sql-database/auth.md](services/sql-database/auth.md))
64- [ ] Review access regularly
65 
66### Managed Identity
67 
68```bash
69# App Service
70az webapp identity assign --name APP -g RG
71 
72# Container Apps
73az containerapp identity assign --name APP -g RG --system-assigned
74 
75# Function App
76az functionapp identity assign --name APP -g RG
77```
78 
79### Grant Access
80 
81```bash
82# Grant Key Vault access
83az role assignment create \
84  --role "Key Vault Secrets User" \
85  --assignee IDENTITY_PRINCIPAL_ID \
86  --scope /subscriptions/SUB/resourceGroups/RG/providers/Microsoft.KeyVault/vaults/VAULT
87```
88 
89### Permissions Required to Grant Roles
90 
91> ⚠️ **Important**: To assign RBAC roles to identities, you need a role with the `Microsoft.Authorization/roleAssignments/write` permission.
92 
93| Your Role | Permissions | Recommended For |
94|-----------|-------------|-----------------|
95| **User Access Administrator** | Assign roles (no data access) | ✅ Least privilege for role assignment |
96| **Owner** | Full access + assign roles | ❌ More permissions than needed |
97| **Custom Role** | Specific permissions including roleAssignments/write | ✅ Fine-grained control |
98 
99**Common Scenario**: Granting Storage Blob Data Owner to a Web App's managed identity
100 
101```bash
102# You need User Access Administrator (or Owner) on the Storage Account to run this:
103az role assignment create \
104  --role "Storage Blob Data Owner" \
105  --assignee WEBAPP_PRINCIPAL_ID \
106  --scope /subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/ACCOUNT
107```
108 
109If you encounter `AuthorizationFailed` errors when assigning roles, you likely need the User Access Administrator role at the target scope.
110 
111### RBAC Best Practices
112 
113| Role | Use When |
114|------|----------|
115| Owner | Full access + assign roles |
116| Contributor | Full access except IAM |
117| Reader | View-only access |
118| Key Vault Secrets User | Read secrets only |
119| Storage Blob Data Reader | Read blobs only |
120 
121```bash
122# Grant minimal role at resource scope
123az role assignment create \
124  --role "Storage Blob Data Reader" \
125  --assignee PRINCIPAL_ID \
126  --scope /subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/ACCOUNT
127```
128 
129---
130 
131## Network Security
132 
133### Checklist
134 
135- [ ] Use private endpoints for PaaS services
136- [ ] Configure NSGs on all subnets
137- [ ] Disable public endpoints where possible
138- [ ] Enable DDoS protection
139- [ ] Use Azure Firewall or NVA
140 
141### Private Endpoints
142 
143```bash
144# Create private endpoint for storage
145az network private-endpoint create \
146  --name myEndpoint -g RG \
147  --vnet-name VNET --subnet SUBNET \
148  --private-connection-resource-id STORAGE_ID \
149  --group-id blob \
150  --connection-name myConnection
151```
152 
153### NSG Rules
154 
155```bash
156# Deny all inbound by default, allow only required traffic
157az network nsg rule create \
158  --nsg-name NSG -g RG \
159  --name AllowHTTPS \
160  --priority 100 \
161  --destination-port-ranges 443 \
162  --access Allow
163```
164 
165### Best Practices
166 
1671. **Default deny** — Block all traffic by default, allow only required
1682. **Segment networks** — Use subnets and NSGs to isolate workloads
1693. **Private endpoints** — Use for all PaaS services in production
1704. **Service endpoints** — Alternative to private endpoints for simpler scenarios
1715. **Azure Firewall** — Centralize egress traffic control
172 
173---
174 
175## Data Protection
176 
177### Checklist
178 
179- [ ] Enable encryption at rest (default for most Azure services)
180- [ ] Use TLS 1.2+ for transit
181- [ ] Store secrets in Key Vault
182- [ ] Enable soft delete for Key Vault
183- [ ] Use customer-managed keys (CMK) for sensitive data
184 
185### Key Vault Security
186 
187```bash
188# Enable soft delete and purge protection
189az keyvault update \
190  --name VAULT -g RG \
191  --enable-soft-delete true \
192  --enable-purge-protection true
193 
194# Enable RBAC permission model
195az keyvault update \
196  --name VAULT -g RG \
197  --enable-rbac-authorization true
198```
199 
200### Best Practices
201 
2021. **Never store secrets in code** — Use Key Vault or managed identity
2032. **Rotate secrets regularly** — Set expiration dates and automate rotation
2043. **Enable soft delete** — Protect against accidental deletion
2054. **Enable purge protection** — Prevent permanent deletion during retention
2065. **Use RBAC for Key Vault** — Prefer over access policies
2076. **Customer-managed keys** — For sensitive data requiring key control
208 
209---
210 
211## Monitoring and Defender
212 
213### Checklist
214 
215- [ ] Enable Microsoft Defender for Cloud
216- [ ] Configure diagnostic logging
217- [ ] Set up security alerts
218- [ ] Enable audit logging
219 
220### Microsoft Defender for Cloud
221 
222```bash
223# Enable Defender plans
224az security pricing create \
225  --name VirtualMachines \
226  --tier Standard
227```
228 
229### Security Assessment
230 
231Use Microsoft Defender for Cloud for:
232- Security score
233- Recommendations
234- Compliance assessment
235- Threat detection
236 
237### Best Practices
238 
2391. **Enable Defender** — For all production workloads
2402. **Review security score** — Address high-priority recommendations
2413. **Configure alerts** — Set up notifications for security events
2424. **Diagnostic logs** — Enable for all resources, send to Log Analytics
2435. **Audit logging** — Track administrative actions and access
244 
245---
246 
247## Azure Identity SDK
248 
249All Azure SDKs use their language's Identity library for credential-free authentication. Use `DefaultAzureCredential` for **local development only**; in production, use `ManagedIdentityCredential` or another deterministic credential — see [auth-best-practices.md](auth-best-practices.md). Rust uses `DeveloperToolsCredential` as it doesn't have a `DefaultAzureCredential` equivalent.
250 
251| Language | Package | Install |
252|----------|---------|---------|
253| .NET | `Azure.Identity` | `dotnet add package Azure.Identity` |
254| Java | `azure-identity` | Maven: `com.azure:azure-identity` |
255| JavaScript | `@azure/identity` | `npm install @azure/identity` |
256| Python | `azure-identity` | `pip install azure-identity` |
257| Go | `azidentity` | `go get github.com/Azure/azure-sdk-for-go/sdk/azidentity` |
258| Rust | `azure_identity` | `cargo add azure_identity` |
259 
260For Key Vault SDK examples, see: [Key Vault Reference](services/key-vault/README.md)
261 
262For Storage SDK examples, see: [Storage Reference](services/storage/README.md)
263 
264---
265 
266## Further Reading
267 
268- [Key Vault documentation](https://learn.microsoft.com/azure/key-vault/general/overview)
269- [Managed identities documentation](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
270- [Azure RBAC documentation](https://learn.microsoft.com/azure/role-based-access-control/overview)
271- [Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
272

Loading source

Preparing the source view

Pulling the file list, source metadata, and syntax-aware rendering for this listing.

Marketplace

Source from repo

Azure Prepare

Prepare applications for Azure deployment by generating infrastructure code, Dockerfiles, and config files.

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

164

Skill

n/a

Size

546.7 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/security.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown272 linesFree

references/security.md

1# Security Hardening
2 
3Secure Azure resources following Zero Trust principles.
4 
5## Security Principles
6 
71. **Zero Trust** — Never trust, always verify
82. **Least Privilege** — Minimum required permissions
93. **Defense in Depth** — Multiple security layers
104. **Encryption Everywhere** — At rest and in transit
11 
12---
13 
14## Security Services
15 
16| Service | Use When | MCP Tools | CLI |
17|---------|----------|-----------|-----|
18| Key Vault | Secrets, keys, certificates | `azure__keyvault` | `az keyvault` |
19| Managed Identity | Credential-free authentication | — | `az identity` |
20| RBAC | Role-based access control | `azure__role` | `az role` |
21| Entra ID | Identity and access management | — | `az ad` |
22| Defender | Threat protection, security posture | — | `az security` |
23 
24### MCP Tools (Preferred)
25 
26When Azure MCP is enabled:
27 
28**Key Vault:**
29- `azure__keyvault` with command `keyvault_list` — List Key Vaults
30- `azure__keyvault` with command `keyvault_secret_list` — List secrets
31- `azure__keyvault` with command `keyvault_secret_get` — Get secret value
32- `azure__keyvault` with command `keyvault_key_list` — List keys
33- `azure__keyvault` with command `keyvault_certificate_list` — List certificates
34 
35**RBAC:**
36- `azure__role` with command `role_assignment_list` — List role assignments
37- `azure__role` with command `role_definition_list` — List role definitions
38 
39### CLI Quick Reference
40 
41```bash
42# Key Vault
43az keyvault list --output table
44az keyvault secret list --vault-name VAULT --output table
45 
46# RBAC
47az role assignment list --output table
48 
49# Managed Identity
50az identity list --output table
51```
52 
53---
54 
55## Identity and Access
56 
57### Checklist
58 
59- [ ] Use managed identities (no credentials in code)
60- [ ] Enable MFA for all users
61- [ ] Apply least privilege RBAC
62- [ ] Use Microsoft Entra ID for authentication
63- [ ] SQL Server: Entra-only auth — NEVER generate `administratorLogin` or `administratorLoginPassword` anywhere in Bicep, including inside conditional branches (see [sql-database/auth.md](services/sql-database/auth.md))
64- [ ] Review access regularly
65 
66### Managed Identity
67 
68```bash
69# App Service
70az webapp identity assign --name APP -g RG
71 
72# Container Apps
73az containerapp identity assign --name APP -g RG --system-assigned
74 
75# Function App
76az functionapp identity assign --name APP -g RG
77```
78 
79### Grant Access
80 
81```bash
82# Grant Key Vault access
83az role assignment create \
84  --role "Key Vault Secrets User" \
85  --assignee IDENTITY_PRINCIPAL_ID \
86  --scope /subscriptions/SUB/resourceGroups/RG/providers/Microsoft.KeyVault/vaults/VAULT
87```
88 
89### Permissions Required to Grant Roles
90 
91> ⚠️ **Important**: To assign RBAC roles to identities, you need a role with the `Microsoft.Authorization/roleAssignments/write` permission.
92 
93| Your Role | Permissions | Recommended For |
94|-----------|-------------|-----------------|
95| **User Access Administrator** | Assign roles (no data access) | ✅ Least privilege for role assignment |
96| **Owner** | Full access + assign roles | ❌ More permissions than needed |
97| **Custom Role** | Specific permissions including roleAssignments/write | ✅ Fine-grained control |
98 
99**Common Scenario**: Granting Storage Blob Data Owner to a Web App's managed identity
100 
101```bash
102# You need User Access Administrator (or Owner) on the Storage Account to run this:
103az role assignment create \
104  --role "Storage Blob Data Owner" \
105  --assignee WEBAPP_PRINCIPAL_ID \
106  --scope /subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/ACCOUNT
107```
108 
109If you encounter `AuthorizationFailed` errors when assigning roles, you likely need the User Access Administrator role at the target scope.
110 
111### RBAC Best Practices
112 
113| Role | Use When |
114|------|----------|
115| Owner | Full access + assign roles |
116| Contributor | Full access except IAM |
117| Reader | View-only access |
118| Key Vault Secrets User | Read secrets only |
119| Storage Blob Data Reader | Read blobs only |
120 
121```bash
122# Grant minimal role at resource scope
123az role assignment create \
124  --role "Storage Blob Data Reader" \
125  --assignee PRINCIPAL_ID \
126  --scope /subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/ACCOUNT
127```
128 
129---
130 
131## Network Security
132 
133### Checklist
134 
135- [ ] Use private endpoints for PaaS services
136- [ ] Configure NSGs on all subnets
137- [ ] Disable public endpoints where possible
138- [ ] Enable DDoS protection
139- [ ] Use Azure Firewall or NVA
140 
141### Private Endpoints
142 
143```bash
144# Create private endpoint for storage
145az network private-endpoint create \
146  --name myEndpoint -g RG \
147  --vnet-name VNET --subnet SUBNET \
148  --private-connection-resource-id STORAGE_ID \
149  --group-id blob \
150  --connection-name myConnection
151```
152 
153### NSG Rules
154 
155```bash
156# Deny all inbound by default, allow only required traffic
157az network nsg rule create \
158  --nsg-name NSG -g RG \
159  --name AllowHTTPS \
160  --priority 100 \
161  --destination-port-ranges 443 \
162  --access Allow
163```
164 
165### Best Practices
166 
1671. **Default deny** — Block all traffic by default, allow only required
1682. **Segment networks** — Use subnets and NSGs to isolate workloads
1693. **Private endpoints** — Use for all PaaS services in production
1704. **Service endpoints** — Alternative to private endpoints for simpler scenarios
1715. **Azure Firewall** — Centralize egress traffic control
172 
173---
174 
175## Data Protection
176 
177### Checklist
178 
179- [ ] Enable encryption at rest (default for most Azure services)
180- [ ] Use TLS 1.2+ for transit
181- [ ] Store secrets in Key Vault
182- [ ] Enable soft delete for Key Vault
183- [ ] Use customer-managed keys (CMK) for sensitive data
184 
185### Key Vault Security
186 
187```bash
188# Enable soft delete and purge protection
189az keyvault update \
190  --name VAULT -g RG \
191  --enable-soft-delete true \
192  --enable-purge-protection true
193 
194# Enable RBAC permission model
195az keyvault update \
196  --name VAULT -g RG \
197  --enable-rbac-authorization true
198```
199 
200### Best Practices
201 
2021. **Never store secrets in code** — Use Key Vault or managed identity
2032. **Rotate secrets regularly** — Set expiration dates and automate rotation
2043. **Enable soft delete** — Protect against accidental deletion
2054. **Enable purge protection** — Prevent permanent deletion during retention
2065. **Use RBAC for Key Vault** — Prefer over access policies
2076. **Customer-managed keys** — For sensitive data requiring key control
208 
209---
210 
211## Monitoring and Defender
212 
213### Checklist
214 
215- [ ] Enable Microsoft Defender for Cloud
216- [ ] Configure diagnostic logging
217- [ ] Set up security alerts
218- [ ] Enable audit logging
219 
220### Microsoft Defender for Cloud
221 
222```bash
223# Enable Defender plans
224az security pricing create \
225  --name VirtualMachines \
226  --tier Standard
227```
228 
229### Security Assessment
230 
231Use Microsoft Defender for Cloud for:
232- Security score
233- Recommendations
234- Compliance assessment
235- Threat detection
236 
237### Best Practices
238 
2391. **Enable Defender** — For all production workloads
2402. **Review security score** — Address high-priority recommendations
2413. **Configure alerts** — Set up notifications for security events
2424. **Diagnostic logs** — Enable for all resources, send to Log Analytics
2435. **Audit logging** — Track administrative actions and access
244 
245---
246 
247## Azure Identity SDK
248 
249All Azure SDKs use their language's Identity library for credential-free authentication. Use `DefaultAzureCredential` for **local development only**; in production, use `ManagedIdentityCredential` or another deterministic credential — see [auth-best-practices.md](auth-best-practices.md). Rust uses `DeveloperToolsCredential` as it doesn't have a `DefaultAzureCredential` equivalent.
250 
251| Language | Package | Install |
252|----------|---------|---------|
253| .NET | `Azure.Identity` | `dotnet add package Azure.Identity` |
254| Java | `azure-identity` | Maven: `com.azure:azure-identity` |
255| JavaScript | `@azure/identity` | `npm install @azure/identity` |
256| Python | `azure-identity` | `pip install azure-identity` |
257| Go | `azidentity` | `go get github.com/Azure/azure-sdk-for-go/sdk/azidentity` |
258| Rust | `azure_identity` | `cargo add azure_identity` |
259 
260For Key Vault SDK examples, see: [Key Vault Reference](services/key-vault/README.md)
261 
262For Storage SDK examples, see: [Storage Reference](services/storage/README.md)
263 
264---
265 
266## Further Reading
267 
268- [Key Vault documentation](https://learn.microsoft.com/azure/key-vault/general/overview)
269- [Managed identities documentation](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
270- [Azure RBAC documentation](https://learn.microsoft.com/azure/role-based-access-control/overview)
271- [Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
272