Choosing the right authorization model

Your company is migrating to Azure and needs to secure access to secrets stored in Azure Key Vault. The security team has set the following requirements:

Centralized access control across multiple Azure resources
Integration with Azure Active Directory (Azure AD)
Support for Multi-Factor Authentication (MFA) and Conditional Access
Ability to assign roles at the subscription and resource group levels
Avoid reliance on legacy or resource-specific access methods

Which authorization method best meets these requirements?

This exercise is part of the course

Implement Azure Security for Developers

View Course

Hands-on interactive exercise

Turn theory into action with one of our interactive exercises

Start Exercise

This exercise is part of the course

Implement Azure Security for Developers

IntermediateSkill Level

5.0+

4 reviews

Start Course for Free

In this chapter, you’ll first get hands-on with Microsoft Entra ID to manage users, groups, and roles in a secure, centralized way. Then, you’ll build a solid foundation in identity management, exploring how authentication, authorization, and service principals work together to control access. Finally, you’ll learn to use Shared Access Signatures to grant limited, time-bound access to storage without exposing sensitive credentials.

Exercise 1: Getting started with Azure security Exercise 2: Microsoft Entra ID overview Exercise 3: Selecting the right security tool Exercise 4: Authentication and authorization in Entra ID Exercise 5: Creating users in Entra ID Exercise 6: Secure access Exercise 7: Authentication vs. authorization Exercise 8: Microsoft identity platform Exercise 9: Application object vs service principal Exercise 10: App-only access scenarios Exercise 11: Shared Access Signatures (SAS)Exercise 12: Choosing the right SAS Exercise 13: Creating a SAS token Exercise 14: Secure vs. insecure SAS practices

In this chapter, you'll build a strong foundation in securing app settings and sensitive data using Azure App Configuration and Key Vault. You’ll explore how to manage configurations, enable feature flags, and safeguard settings using encryption, private endpoints, and managed identities. Moving into Key Vault, you’ll learn how it stores secrets, keys, and certificates, and how to apply authentication and authorization best practices. Finally, you'll examine advanced protections like Soft Delete and Purge Protection to ensure your critical data remains safe and recoverable.

Exercise 1: Azure App configuration Exercise 2: Deploying App Configuration Exercise 3: Storing settings in App Configuration Exercise 4: Classify feature management components Exercise 5: Getting started with Key vault Exercise 6: Classifying keys, secrets, and certificates Exercise 7: Retrieve Key Vault secrets in Logic App Exercise 8: Managing secrets in Key Vault Exercise 9: Advanced Key vault settings Exercise 10: Choosing the right authorization model

Current Exercise

Exercise 11: Soft delete & purge protection

In this part of the course, you’ll begin with Azure Managed Identities, seeing how they let applications access resources securely without managing credentials. You’ll then move into Microsoft Graph, where you’ll explore its unified API and practice queries in Graph Explorer. Finally, you’ll advance to techniques like pagination and batching to handle data more efficiently and build scalable integrations.

Exercise 1: Secure access with managed identities Exercise 2: Managed identities: system vs user assigned Exercise 3: Assigning UAMI for multiple resources Exercise 4: Introduction to Microsoft Graph Exercise 5: Classifying HTTP methods Exercise 6: Exploring data with Graph explorer Exercise 7: Microsoft Graph explorer's quick tour Exercise 8: Advanced usage of Microsoft Graph Exercise 9: Client-side pagination with $top Exercise 10: Match responses to requests