Posts

Showing posts from October, 2020

Application Security (part 2 of 3)

To read part 1 please click here. To read part 3 please click here. Microsoft Graph Permissions: Microsoft Graph exposes granular permissions that control the access apps have to resources such as users, groups, and mail. As a developer, you decide which permissions to request for Microsoft Graph; for apps that run without a signed-in user, permissions can be pre-consented by an administrator when the app is installed. Microsoft Graph has two types of permissions. Delegated permissions are used by apps that have a signed-in user present; some delegated permissions can be consented to by non-administrative users, but higher-privileged permissions require administrator consent. Application permissions are used by apps that run without a signed-in user present; they can only be consented to by an administrator. Effective permissions are the permissions your app will actually have when making requests to Microsoft Graph, and for delegated permissions, th

Application Security (part 1 of 3)

To read part 2 please click here. To read part 3 please click here. Microsoft Identity Platform: The Microsoft identity platform is an evolution of the Azure Active Directory (AD) developer platform that lets developers build applications that sign in users and get tokens to call APIs, such as Microsoft Graph or APIs the developers have built themselves. It supports industry-standard protocols like OAuth 2.0 and OpenID Connect. The unified Microsoft identity platform (v2.0) lets you write code once and authenticate any Microsoft identity into your application; for several platforms, the fully supported open-source Microsoft Authentication Library (MSAL) is recommended for use against the identity platform endpoints. MSAL also supports Azure Active Directory B2C, so your customers can easily use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. With the Microsoft identity platform, one can expand their reach to t

Secure Data and Applications (part 2)

To read part 1 please click here. Key Vault Keys: Cryptographic keys in Key Vault are represented as JSON Web Key (JWK) objects. There are two types of keys, depending on how they were created. Soft keys are processed in software by Key Vault but are encrypted at rest using a system key that is held in a Hardware Security Module (HSM). Hard keys are processed in an HSM and are protected in one of the Key Vault HSM Security Worlds (there is one security world per geography to maintain isolation). Key Operations: Key Vault supports many operations on key objects. Create allows a client to create a key in Key Vault; the value of the key is generated by Key Vault and stored, never released to the client. Asymmetric keys can also be created in Key Vault. Import allows a client to import an existing key into Key Vault; asymmetric keys can also be imported into Key Vault using a number of different packaging methods within a JWK construct.

Secure Data and Applications (part 1)

To read part 2 please click here. Azure Key Vault: Azure Key Vault helps you safeguard the cryptographic keys and secrets that cloud applications and services use. With it you create multiple secure containers called vaults, which reduce the chance of accidental loss of security information by centralizing application secret storage. Key vaults also control and log access to anything stored in them. Azure Key Vault helps address the following issues. Secrets management: you can use Azure Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. Key management: you can use Azure Key Vault as a key management solution, making it easier to create and control the encryption keys used to encrypt your data. Certificate management: Azure Key Vault is also a service that lets you easily provision, manage, and deploy public as well as private SSL/TLS certificates for use with Azure and internal connected resources

Container Security (part 3 of 3)

To read part 1 of 3 please click here. To read part 2 of 3 please click here. Azure Kubernetes Service (AKS): Kubernetes is a rapidly evolving platform that manages container-based applications and their associated networking and storage components, supporting both stateless and stateful applications as teams progress through the adoption of microservices-based applications. As an open platform, it also allows you to build your applications with your preferred programming language, OS, libraries, or messaging bus. AKS provides a managed Kubernetes service that reduces the complexity of deployment and core management tasks, including coordinating upgrades. AKS is built on top of the open-source Azure Kubernetes Service Engine (aks-engine), and you only pay for the AKS nodes that run your applications. Features of AKS: fully managed; public IP and FQDN (private IP option); access with RBAC or Azure AD; deployment of containers; dynamic scaling of containers; automation of rolli

Container Security (Part 2 of 3)

To read part 1 of 3 please click here. To read part 3 of 3 please click here. Azure Container Registry (ACR): A container registry is a service that stores and distributes container images while giving users direct control of their images, with integrated authentication, geo-replication supporting global distribution and reliability for network-close deployments, virtual network and firewall configuration, tag locking, and many other enhanced features. Besides Docker container images, ACR supports related content artifacts, including Open Container Initiative (OCI) image formats. Security and Access: ACR transfers container images over HTTPS and supports TLS to secure client connections. Security features of the Premium SKU include content trust for image tag signing, and firewalls and virtual networks to restrict access to the registry. Azure Security Center optionally integrates with ACR to scan images whenever an image is pushed to a registry. Reposit

Container Security (Part 1 of 3)

To read part 2 of 3 please click here. To read part 3 of 3 please click here. Containers: A container is an isolated, lightweight silo for running an application on the host operating system. Although it shares the host operating system's kernel, it does not get unfettered access to the kernel. Instead, the container gets an isolated (and in some cases virtualized) view of the system, and to persist data the container can mount persistent storage such as an Azure Disk or a file share (including Azure Files). You will need Docker in order to work with Windows Containers; it consists of the Docker Engine (dockerd.exe) and the Docker Client (docker.exe). How does it work? A container is built on top of the kernel, but the kernel does not provide all of the APIs and services an app needs to run; in fact, most of these are provided by system files (libraries) that run above the kernel in user mode. As the container is isolated from the host's user mode environment, i

Disk Encryption

Azure Disk Encryption for Windows VMs: Azure Disk Encryption helps you protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and it is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. If you use Azure Security Center, you will be alerted about non-encrypted VMs as High Severity, with a recommendation to encrypt them. Supported VMs and Operating Systems. Supported VMs: Windows VMs are available in a range of sizes. Azure Disk Encryption is not available on Basic or A-series VMs, on virtual machines with less than 2 GB of memory, on Generation 2 VMs, or on Lsv2-series VMs. However, it is available for VMs with premium storage. Supported operating systems: Windows client, Windows 8 and later; Windows Server, Windows Server 2008 R2 and later. Networking re

Remote Access Management

Azure Bastion: The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over TLS. When you connect using Azure Bastion, your virtual machines do not need a public IP address, and you can connect to the virtual machine directly from the Azure portal. Architecture: Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network. RDP and SSH are among the fundamental means through which you connect to your workloads running in Azure. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the Bastion, as well as further inside the network. This figure shows the architecture of an Azure Bastion deployment. In this diagram: The Bastion host is deployed in the virtual network. The