Storage accounts are often the security weak point in an Azure environment. You must actively harden them against insider threats, data exfiltration, and external attack vectors.

Data protection in Azure must be layered. To truly secure your data, you need a defense-in-depth strategy that covers authentication, network isolation, encryption, and recovery.

I have compiled this 11-point non-negotiable checklist to help you lock down your Azure Storage Accounts. These configurations cover the critical control plane and data plane settings you need to implement today.

Based on my experience, these are the 6 core steps that ensure your Azure network environment is not only secure today but scalable for the long term.

Read more about my essential blueprint for building enterprise-grade Azure architectures.

Designing a clear Azure structure requires deciding which taxonomy level should enforce Azure Policy, RBAC, and isolation. This article presents the hierarchy from Entra ID Tenant down to Azure Resources, explains where to apply governance, and gives practical tips you can use to build a maintainable cloud structure.

As the diagram shows, the first takeaway is that Microsoft Entra ID is the identity management branch and Azure is the resource governance branch.

When an Application Gateway reports backend health check failures, a frequent but easy-to-miss cause is a TLS negotiation mismatch between the gateway and the backend. This article shows how to diagnose the problem, align TLS settings and probes, validate the fix, and codify the correct configuration in IaC.

When working with Azure, you will encounter various types of IDs in the form of GUIDs (Globally Unique Identifiers). Understanding these IDs is crucial for managing resources, configuring access, and using the Azure CLI (az) effectively.

We’ll explore these IDs (terms in backticks match the Azure portal labels):

• Tenant ID — identifies your Microsoft Entra ID directory; used for authentication and identity management.
• Subscription ID — identifies a subscription; used for billing and scoping resource operations.
• Resource GUID — an internal GUID assigned to a resource instance; helpful for cross-referencing resources.
• Resource ID — the full ARM path showing where a resource lives; used in ARM templates and API calls.
• Application (Client) ID — the client identifier (appId) for a registered application; used in OAuth flows.
• Object ID — a tenant-scoped identifier for directory objects like users and service principals.

When working with Azure Logic Apps (Standard) and you try to use a User-Assigned Managed Identity for accessing a storage account, you might encounter the following error:

Microsoft.Azure.Workflows.Data.Edge authentication credential type for the storage account isn't valid

In my case the error was because I was using the wrong ID as value of the AzureWebJobsStorage__managedIdentityResourceId app setting.

Imagine the following scenario on Azure: You have an App Registration A which should be able to administrate another App Registration B. For that, App Registration A should be made an owner of App Registration B. However, on the Azure Portal it is only possible to add a real user as an owner and not a Service Principal (in this case, an App Registration).

In this article, we’ll use an Azure CLI command to achieve our goal. But first, let’s clarify the difference between an App Registration and its associated Enterprise Application.

Ever struggled with cryptic Azure resource URLs like myapp123.westeurope.cloudapp.azure.com or mystorageaccount.blob.core.windows.net?

While these work perfectly fine, they’re not always the most user-friendly or company-branded names for your internal teams to remember and use. That’s where Azure Private DNS zones come to the rescue, allowing you to create custom, company-friendly aliases for your Azure resources.

This guide walks you through:

• Creating a Private DNS Zone in Azure
• Linking it to a Virtual Network
• Adding custom CNAME records for internal aliasing
• Validating resolution from within the network

Imagine the following scenario on Azure. You have an App Registration A which should be able to administrate another App Registration B. For that, the A should be made owner of B. However, on the Azure Portal it is only possible to add a real user as an owner and not a Service Principal, in our case an App Registration.

We will have to use an Azure CLI command to achieve our goal and before deep diving into the solution, let us first understand what an App Registration and an Enterprise Application are, since we are going to use their IDs

When building workflows with Azure Logic Apps (Standard), a common requirement is to connect securely to Azure resources such as Blob Storage. In this article, we’ll show how to automate the creation of API Connections and Access Policies using Bicep, enabling your Logic Apps to access Blob Storage securely. We’ll cover both authentication methods: Shared Key and Managed Identity.

When integrating Azure AI Search with Cosmos DB, you might encounter the following error:

The connection to the Cosmos DB database '<the-name-of-the-database>' could not be made due to missing authorizations

This error typically means that the Managed Identity used by your Azure AI Search service does not have the necessary data plane permissions on the Cosmos DB account.

While RBAC roles are the preferred access control method for Key Vaults, there are still projects where you need to work with access policies, where a Managed Identity is given specific permissions to the Key Vault.

In the latter case, a common challenge arises when recreating a Key Vault with Bicep - you lose all existing access policies. This phenomenon is documented in this GitHub issue.

In this article, you will find a simple trick to preserve and reapply them during deployment.

When calling an Azure Function from a Logic App, you might encounter a 403 Forbidden error with the response header x-ms-forbidden-ip. This happens when the Function’s networking rules block the IP address or the subnet of the Logic App.

When working with Managed Identities in Azure you might encounter the error No user assigned or delegated managed identity found for specified clientid/resourceid/principalid.

But first of all let us see what a Managed Identity is and does.

When working with Azure, you might encounter the error message Error: The scope ... cannot perform delete operation because following scope(s) are locked: ... Please remove the lock and try again while attempting to delete a resource. This error typically occurs when a resource is locked by another operation, preventing its deletion. In our example we will try to delete a Subnet in a Virtual Network.

Reducing operational costs on the Azure cloud is a task that is often overlooked. However, the Cost analysis service is designed to provide in-depth, easy-to-access insights into your cloud expenses.

Especially when participating in projects for large companies you will not believe the amount of cash that can be saved on resources that nobody uses and forgot to delete.

In this article I would like to share with you the ten most important terms, based on my experience so far, of the Microsoft Defender for Cloud service. On Microsoft Defender, there are multiple overviews of security issues and navigating can be daunting. To make the introduction easier to grasp, I use the following screenshot to highlight the features in the UI and then explain each one in no more than three sentences. Let’s begin.

When working with Azure Pipelines, you may encounter a situation where you don’t know the repository name before the pipeline runs. In such cases, using the checkout: git://MyProject/MyRepo method won’t work, as variables can’t be used as values in that syntax.

You will get the following error from Git:

fatal: Cannot prompt because terminal prompts have been disabled.
fatal: could not read Password for 'https://[email protected]/...': terminal prompts disabled

To overcome this challenge, I came up with a solution: create a task at the beginning of your job definition that “authenticates” the pipeline against your Azure DevOps project.

Let’s see this in action.

Consider the following real-life application scenario. Your Web App (Azure App Service) accesses a CosmosDB instance to read data. Your users access the web application from its UI, and you want to ensure they cannot directly access the CosmosDB instance using its public URL.

In this article, you will learn:

• How to use a System Managed Identity and RBAC roles to access your CosmosDB instance from your Web App
• How to integrate your Web App and your CosmosDB with an Azure Virtual Network
• How to create a Service Endpoint to allow only the Virtual Network to access CosmosDB
• All the necessary az CLI commands to complete the tutorial, without using the Azure Portal UI :)

In this article, I will show you a full tutorial on how to create a .NET application using Angular for the frontend and deploy this application with Azure DevOps pipelines on multiple App Service environments.

You are going to learn:

• How to use pipeline templates to simplify the structure of our pipeline
• How to use multiple stages to split semantically different jobs
• How to use multiple Azure environments by elevating the power of a for loop in the pipeline
• How to use Bicep for setting up the needed Azure infrastructure
• How to deploy the application on an Azure App Service by using different deployment slots

You can find the code for this tutorial on my GitHub account.

Consider the following scenario in Azure:

• We want to create a new Azure Function triggered by an HTTP request containing some data.
• We want to write this data as new entities into a Storage Table.
• We want to avoid storing any connection string in your code and instead use an Entra ID Managed Identity.
• We want to avoid writing any specific code by using the SDK for accessing the Table.

The TableOutputAttribute comes to the rescue. Let us see how.

Azure Key Vault is a cloud service that provides secure storage for secrets, keys, and certificates of your applications. Integrating Key Vault with Azure DevOps pipelines enhances security by managing sensitive information efficiently.

This article will guide you through the process of accessing secrets from an Azure Key Vault using a Service Principal with a certificate within an Azure pipeline. We will start for the very first steps of creating all the needed resources in Azure, before going back to Azure DevOps. For training reasons, we will perform all the configuration steps with CLI commands, avoiding the Azure Portal UI.

When working with Docker in Visual Studio, the default behavior of the IDE is to place the Dockerfile at the project level. However, if your solution has multiple projects and you want to achieve easier integration of the Dockerfile into your Azure pipelines, then you might want to move the file to the solution level. Let us see how to achieve this task.

In this article, we’ll walk through the steps to create a User Managed Identity, and use it to authenticate between Azure Resources, create events from an .NET Azure App Service and push them into an Event Grid topic. All this will be done using only Azure CLI commands. But first of all lets see why a Managed Identity should be used in the first place.

I recently wanted to configure the CI/CD process in Azure DevOps of a new application I created and wire it with my Azure account so that the application will be deployed on an App Service. A missing user permission in the project settings was the problem. Lets see the steps to solve the error.

Bicep, a domain-specific language (DSL) for deploying Azure resources, simplifies the process of writing infrastructure as code. However, like any programming language, it has its own set of rules and syntax that must be followed. One common error that developers encounter is the BCP001 error, which occurs when Bicep encounters an unrecognized token.

An iterator in C# is a method that utilizes the yield keyword to return elements one at a time to the caller. Such methods are very useful for traversing collections, without needing to create an intermediate collection inside the method for storing results.

This article will help you understand how to use yield by using practical examples.

This error indicates that the function’s runtime is unable to operate as expected. In my case, the Azure Function App could not started at all, due to a misconfigured AzureWebJobsStorage variable. Let us investigate the issue further.

In this tutorial we are going to see how to set up your .NET code as a Nuget Package and host this package on an private Azure DevOps Feed. You can then use the Package on other .NET projects.

As it is stated in the Azure Portal Application settings are encrypted at rest and transmitted over an encrypted channel. You can choose to display them in plain text in your browser by using the controls below. Application Settings are exposed as environment variables for access by your application at runtime.

Storing sensitive data as application settings is preferred over having them in plain text in your code. In this article we are going to see how to define them in your Azure Portal, how to integrate them in your Function-code and how to give them values when you are debugging your Functions locally.

Here is a small and quick article about how to perform the update in your C# project that contains the Azure Functions of your application

If you use the Azure cloud for hosting your application, chances are that you are also using a Storage Account and you are accessing its content via the Azure Storage Explorer tool.

If you are all of the sudden get the Unable to retrieve child resources. This request is not authorized to perform this operation error, then a possible reason for that is that the IP you are using to connect to Azure is not yet white-listed

Azure Functions are compact and lightweight chunks of code hosted in Azure cloud and can be accessed via HTTP. Since these functions might access sensible data of your application, you want a safe way to call them.

When you are in the development phase, you can use the Host Keys which is a way of authenticating yourself when calling an Azure Function.

When in production, you will have to change to App Service Authentication, since the Host Keys should not be stored in the client’s machines.

When you run your application on an Azure App Service there will the case where you want some extra logging information when errors happen. A fast way to get the exact error and its stacktrace in your application is to activate the Application Logging. To activate it, you have to do the following simple steps:

In the previous article we focused on building the Continuous Integration Pipeline of our hello-world Vue app.

In Part 2 we are going to do the steps for deploying the result of the CI Pipeline to Azure. From there our static website is going to be visible to the rest of the world.

Here are the steps you will have to take:

While I have some extra free time because of the Corona virus outbreak, I decided to experiment with Vue and build a small static HTML Hello-World application for getting to know the framework better. The website contains no backend code.

The article focuses on how to automate the Build and Deploy process of our small application. I will try to clarify the steps needed till our static website is visible through an Azure URL.

In this article I will skip the Vue logic of my app and focus solely on the DevOps tasks that have to be made in Azure DevOps. Our static website will then be deployed on an Azure Storage Container. The article focuses on Windows users.

Back in 2017, I wrote an article about how to program an Azure Function in Visual Studio. With the current article I want to give the current state of creating Functions, this time in Visual Studio Code.

We are going to create a GET Function that retrieves all the rows from an Azure Storage Table and returns them the caller.

Here are the steps from scratch:

Some time ago I wrote an article with an example of an Azure Function which I used in my applications. With the current article I want to present you another real-life example of using different Azure Services and combining them together in a Logic App.

A Logic App represents a workflow of steps that are defined to be done in a sequential or in a parallel manner.

Our scenario contains a company which owns an eshop. We are going to build a workflow for getting customer orders, pushing them into a queue for almost-real-time process (A queue is a good way to balance load of large number of requests in your servers), retrieving them back, storing them in a storage table and informing the user about her order with an email. The most important thing, we are going to develop all the steps inside the Azure Portal; the use of Visual Studio is optional.

After we finish with the creation of our Logic App, we are going to have the following workflow:

When writing SQL queries to test them against your CosmosDB collections, you might encounter the following error message:

SC2001: Identifier XXX could not be resolved.

Here, XXX is the name of a property inside your collection. For example, consider the following query:

The last few days I have been experimenting with the different types of App Services that the Azure platform provides. One very interesting combination of app services is a ASP.NET MVC client (Azure Web app) or a WebAPI (Azure API app) which acts as the middleware between a JavaScript client and an internal “business” WebAPI (Azure API app). The architecture looks like this:

Today I invested some time into getting deeper to the topic of Azure Functions. Together with the new microservices architecture, new ways of doing business logic arise. Azure Functions are small chunks of code that run in a “serverless” (you do not care about allocating new hardware resources, even when the requests to the function raise) environment and each of them is meant to do one specific job.

Apart from the great examples and templates with Functions that you can find inside the Azure Portal, I tried to think of some use cases that I would use an Azure Function for a web application and I came up with the following one:

Non-relational databases are becoming more and more popular as a solution for storing your data. Cloud solutions like Microsoft Azure also get more popular with every day.

Currently Azure supports two types of “NoSQL” databases in the Azure portal. The one is DocumentDB (the NoSQL option in the main menu of the portal) and the other is the Table Storage (from the Storage accounts option in main menu). Do not confuse this Table with the tables of a relational database, they are not the same! A detailed analysis of the differences and similarities of the two technologies is beyond the purpose of this article, but we can summarize them to the following points:

With the Azure cloud solution from Microsoft we can create a new web application with Visual Studio, deploy it as a Azure Web App and “go live” in only few minutes.

I recently was faced with the “The subscription is not registered for the resource type ‘components’ in the location ‘Central US’” error when I was trying to publish my new web application to a Website (or a Web App) in Azure. Either starting from scratch with a web project and doing the mapping or by using the Publish option of an already created project, I was getting the same error. Visual Studio tried to publish the application to Windows Azure with no success.