Road To AZ-204 - Implement Secure Cloud Solutions


This article's intention is to explain the main skills measured in this sub-topic of the AZ-204 certification. Azure Key Vault, App Configuration, and Managed Identities are the main components whose fundamentals are explained here, alongside practical examples.
This certification is very extensive and this article covers only the main topics, so make sure you know those components before taking the exam. Another great tip is doing exam simulators before the official exam in order to validate your knowledge.

What is the Certification AZ-204 - Developing Solutions for Microsoft Azure?

The AZ-204 - Developing Solutions for Microsoft Azure certification measures the skills of designing, building, testing, and maintaining an application and/or service in the Microsoft Azure cloud environment. It covers, among others, the following components,
  • Azure Virtual Machines;
  • Docker;
  • Azure Containers;
  • Service Web App;
  • Azure Functions;
  • Cosmos DB;
  • Azure Storage;
  • Azure AD;
  • Azure Key Vault;
  • Azure Managed Identities;
  • Azure Redis Cache;
  • Azure Logic App;
  • Azure Event Grid;
  • Azure Event Hub;
  • Azure Notification Hub;
  • Azure Service Bus;
  • Azure Queue Storage.
Target Audience
Any IT professional willing to improve their knowledge of Microsoft Azure is encouraged to take this certification; it is a great way to measure your skills within trending technologies. But some groups of professionals are more likely to take maximum advantage of it,
  • Azure Developers, with at least 1 year of experience with Microsoft Azure;
  • Experienced Software Developers, looking for an Architect position in a hybrid environment;
  • Software Developers, working to move applications to the cloud environment.
Skills Measured
As of this writing, the skills measured in the exam are split as follows,

Benefits of Getting Certified

The main benefit here is having a worldwide recognized certification that proves that you have knowledge of this topic. Among the intrinsic and extrinsic benefits, we have,
  • Higher growth potential, as certifications are a big plus;
  • Discounts and deals in Microsoft products and partners, like PluralSight and UpWork;
  • MCP Newsletters, with trending technologies;
  • Higher exposure on LinkedIn, as recruiters usually search for specific certifications;
  • Higher salary, as you will be more valuable to your company;
  • Unique happiness when you get the result and see that you passed, knowing that all your efforts were worth it;

Main skills Measured by this Topic

What are Managed Identities?
Azure Managed Identities are identities for Azure resources that live in Azure AD; each identity has its own roles and obtains its own tokens. Managed Identities increase your security because you can grant a resource access to other resources directly, without sharing any kind of credential on the network: the resource authenticates against Azure AD, which validates whether it has enough rights to manipulate the target resource. As an example, we can make our application access Azure Key Vault in order to retrieve a secret without exposing any kind of password. Managed Identities are available in two types, as follows,
  • System-assigned identities, which are created and managed by Azure AD when we enable a managed identity on a service instance;
  • User-assigned identities, also called custom managed identities, which are created and managed manually.

What is Azure Key Vault?

Azure Key Vault is the Azure cloud service designed to store different keys, secrets, and certificates. Azure Key Vault increases your application's security and customization: it can use Azure AD security so that other applications or services access it without any confidential information being exposed in order to request information from Azure Key Vault.
Your security is increased because it avoids exposing your app secrets, such as connection strings, passwords, and certificates, when deploying your apps or storing them in a shared repository. You can store all your app secrets, keys, and certificates in Azure Key Vault and give your app internal access to retrieve this information.
Your customization is increased because you can define environment variables stored in your Azure Key Vault; those variables are securely stored and may be used by a wide range of applications. Also, you can have different environments pointing to different values.
Azure Key Vault has two different types of containers: vaults and HSM pools. Vaults support storing software and HSM-backed keys, secrets, and certificates, while HSM pools only support HSM-backed keys. In order to understand more about Key Vault, the following main terms need to be explained,
  • Key, API keys with support for multiple key types and algorithms;
  • Secret, which can be any kind of password or protected information;
  • Certificate, certificates with an auto-renewal feature;
Also, Azure provides a REST API in order to manage your Azure Key Vault, with its main functionalities as follows,
  • Create a key or secret; 
  • Import a key or secret;
  • Revoke a key or secret;
  • Delete a key or secret;
  • Authorize user or apps to access its keys or secrets;
  • Monitor and manage key usage;
Azure Key Vault's REST API supports three different types of authentication, as follows,
  • Managed Identities, using the managed identity authentication mode is recommended as a best practice;
  • Service Principal and Certificate, using a pre-configured security principal with an associated certificate;
  • Service Principal and Secret, using a pre-configured security principal with a secret;

What is Azure App Configuration?

Azure App Configuration is an Azure service that helps you centralize your application settings in a single location. Azure App Configuration is great for multi-environment and multi-geography applications, as it offers a dynamic way to change your application settings without requiring a restart; it also works together with Azure Key Vault, which is where the application secrets are stored.
Azure App Configuration's main benefits are as follows,
  • Easy and fast to set up;
  • Data encryption at rest and in transit;
  • Labels;
  • High security through access to other resources with Managed Identities;
  • A point-in-time replay of settings with the Restore functionality;
  • Data import and export;
  • Data comparison;

Practical Examples

Connecting Azure Key Vault with .Net Web API
Here we will be using .NET with Azure Key Vault and App Configuration in order to retrieve secure data. The focus is the connection to and consumption of Key Vault and App Configuration, so we will be using the following existing project,
Using Key Vault
  • Azure Key Vault previously created; 
  • Nuget Azure.Security.KeyVault.Secrets;
  • Nuget Azure.Identity;
  • Having a secret created named "sampleSecret";
The following example authenticates to Key Vault as the signed-in user and checks whether that user has the right to read this secret. This is configured in the Key Vault access policies,
Controller Code
  using Azure.Identity;
  using Azure.Security.KeyVault.Secrets;
  using Microsoft.AspNetCore.Mvc;

  private readonly string keyVaultURI = "";

  [HttpGet]
  public async Task<IActionResult> Index()
  {
      // DefaultAzureCredential picks up the signed-in developer locally (Visual Studio,
      // Azure CLI) and a managed identity when the app runs in Azure
      var client = new SecretClient(new Uri(keyVaultURI), new DefaultAzureCredential());
      // Await the call instead of blocking on .Result
      KeyVaultSecret secret = await client.GetSecretAsync("sampleSecret");
      ViewBag.Secret = secret.Value;
      return View();
  }
View Code
  @if (ViewBag.Secret != null)
  {
      <label>You have a hidden secret retrieved by Azure Key Vault: @ViewBag.Secret</label>
  }

Using Key Vault connected with an App

  • Azure Key Vault previously created;
  • Azure Application registered;
  • Nuget Azure.Security.KeyVault.Secrets;
  • Nuget Azure.Identity;
  • Having a secret created named "sampleSecret";
Add an Access Policy from your Azure Key Vault to your App. From your Azure Key Vault, go to Access Policies and then click on Add Access Policy.
Select the permissions for each type of resource and, under Select Principal, select the App you registered previously.
Controller Code
  using Microsoft.AspNetCore.Mvc;
  using Microsoft.Azure.KeyVault;
  using Microsoft.IdentityModel.Clients.ActiveDirectory;

  private readonly string keyVaultURI = "";
  private readonly string clientAppID = "";
  private readonly string clientAppSecret = "";

  [HttpGet]
  public async Task<IActionResult> Index()
  {
      // Legacy Microsoft.Azure.KeyVault + ADAL flow: the app registration's client id and
      // secret are exchanged for an access token for the Key Vault resource
      ClientCredential credential = new ClientCredential(clientAppID, clientAppSecret);
      KeyVaultClient.AuthenticationCallback authenticationCallback = new
          KeyVaultClient.AuthenticationCallback(async
          (string authenticationAuthority, string resource, string scope) =>
      {
          AuthenticationContext authenticationContext = new AuthenticationContext(authenticationAuthority);
          AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resource, credential);
          return result.AccessToken;
      });
      KeyVaultClient client = new KeyVaultClient(authenticationCallback);
      // With this client the secret is addressed by vault URI plus secret name
      var secret = await client.GetSecretAsync(keyVaultURI, "sampleSecret");
      ViewBag.Secret = secret.Value;
      return View();
  }
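The two controller samples above create a Key Vault client on every request, block on .Result in the first one, and (in the second) use the older Microsoft.Azure.KeyVault/ADAL types rather than the Azure.Identity and Azure.Security.KeyVault.Secrets packages listed in the prerequisites. The following is an added example, not code from the article, that covers both scenarios with those two packages: it picks ClientSecretCredential when an app registration is configured and DefaultAzureCredential otherwise (managed identity in Azure, the developer's sign-in locally), registers one SecretClient for the whole app, and handles the 403 you get when the identity is missing the Get permission in the vault's access policy. The configuration keys KeyVault:Uri, KeyVault:TenantId, KeyVault:ClientId and KeyVault:ClientSecret are names chosen for this example; .NET 6 minimal hosting is assumed.

```csharp
// Added example (not from the article). Assumed configuration keys: KeyVault:Uri,
// KeyVault:TenantId, KeyVault:ClientId, KeyVault:ClientSecret (names chosen here).
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Choose the credential once at startup: an app registration (client id + secret, the
// article's second sample) when one is configured, otherwise DefaultAzureCredential
// (managed identity in Azure, Visual Studio / Azure CLI sign-in on a developer machine).
TokenCredential credential =
    builder.Configuration["KeyVault:ClientSecret"] is { Length: > 0 } clientSecret
        ? new ClientSecretCredential(
            builder.Configuration["KeyVault:TenantId"],
            builder.Configuration["KeyVault:ClientId"],
            clientSecret)
        : new DefaultAzureCredential();

// One SecretClient per vault for the app's lifetime: it is thread-safe and caches the
// access token, so per-request construction only adds token round-trips.
builder.Services.AddSingleton(new SecretClient(
    new Uri(builder.Configuration["KeyVault:Uri"]!), credential));
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.MapDefaultControllerRoute();
app.Run();

public class HomeController : Controller
{
    private readonly SecretClient secretClient;

    public HomeController(SecretClient secretClient) => this.secretClient = secretClient;

    [HttpGet]
    public async Task<IActionResult> Index()
    {
        try
        {
            // Await instead of .Result: no thread-pool thread is blocked under load.
            // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
            KeyVaultSecret secret = await secretClient.GetSecretAsync("sampleSecret");
            ViewBag.Secret = secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Authentication succeeded but the identity lacks the "Get" secret permission
            // on this vault: the fix is the access policy / role assignment, not a wider catch.
            ViewBag.Secret = null;
            ViewBag.Error = "The current identity is not allowed to read secrets from this vault.";
        }
        return View();
    }
}
```

Leaving KeyVault:ClientSecret empty in Azure makes the app fall back to its managed identity, which is the mode the article recommends; the client-secret branch is only needed where no managed identity is available.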

Key Vault API Practical Examples

  • Azure Key Vault previously created; in this example the Key Vault name is azurekeyvaultsampletwo;
  • Have your Azure Key Vault authentication token configured in the request header;
Creating Keys, Secrets, and Certificates
Creating Keys,
  POST
  {
    "kty": "RSA",
    "key_size": 2048,
    "key_ops": [
      "encrypt",
      "decrypt",
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey"
    ],
    "attributes": {},
    "tags": {
      "purpose": "unit test",
      "test name ": "CreateGetDeleteKeyTest"
    }
  }
Creating/Updating Secrets,
  PUT
  {
    "value": "my secret value"
  }
Creating Certificates 
  POST
  {
    "policy": {
      "key_props": {
        "exportable": true,
        "kty": "RSA",
        "key_size": 2048,
        "reuse_key": false
      },
      "secret_props": {
        "contentType": "application/x-pkcs12"
      },
      "x509_props": {
        "subject": "CN=*",
        "sans": {
          "dns_names": [
            "",
            ""
          ]
        }
      },
      "issuer": {
        "name": "Self"
      }
    }
  }

Importing Keys and Certificates

Importing Keys
  PUT
  {
    "key": {
      "kty": "RSA",
      "n": "nKAwarTrOpzd1hhH4cQNdVTgRF-b0ubPD8ZNVf0UXjb62QuAk3Dn68ESThcF7SoDYRx2QVcfoMC9WCcuQUQDieJF-lvJTSer1TwH72NBovwKlHvrXqEI0a6_uVYY5n-soGt7qFZNbwQLdWWA6PrbqTLIkv6r01dcuhTiQQAn6OWEa0JbFvWfF1kILQIaSBBBaaQ4R7hZs7-VQTHGD7J1xGteof4gw2VTiwNdcE8p5UG5b6S9KQwAeET4yB4KFPwQ3TDdzxJQ89mwYVi_sgAIggN54hTq4oEKYJHBOMtFGIN0_HQ60ZSUnpOi87xNC-8VFqnv4rfTQ7nkK6XMvjMVfw",
      "e": "AQAB",
      "d": "GeT1_D5LAZa7qlC7WZ0DKJnOth8kcPrN0urTEFtWCbmHQWkAad_px_VUpGp0BWDDzENbXbQcu4QCCdf4crve5eXt8dVI86OSah-RpEdBq8OFsETIhg2Tmq8MbYTJexoynRcIC62xAaCmkFMmu931gQSvWnYWTEuOPgmD2oE_F-bP9TFlGRc69a6MSbtcSRyFTsd5KsUr40QS4zf2W4kZCOWejyLuxk88SXgUqcJx86Ulc1Ol1KkTBLadvReAZCyCMwKBlNRGw46BU_iK0vK7rTD9fmEd639Gjti6eLpnyQYpnVe8uGgwVU1fHBkAKyapWoEG6VMhMntcrvgukKLIsQ",
      "dp": "ZGnmWx-Nca71z9a9vvT4g02iv3S-3kSgmhl8JST09YQwK8tfiK7nXnNMtXJi2K4dLKKnLicGtCzB6W3mXdLcP2SUOWDOeStoBt8HEBT4MrI1psCKqnBum78WkHju90rBFj99amkP6UeQy5EASAzgmKQu2nUaUnRV0lYP8LHMCkE",
      "dq": "dtpke0foFs04hPS6XYLA5lc7-1MAHfZKN4CkMAofwDqPmRQzCxpDJUk0gMWGJEdU_Lqfbg22Py44cci0dczH36NW3UU5BL86T2_SPPDOuyX7kDscrIJCdowxQCGJHGRBEozM_uTL46wu6UnUIv7m7cuGgodJyZBcdwpo6ziFink",
      "qi": "Y9KD5GaHkAYmAqpOfAQUMr71QuAAaBb0APzMuUvoEYw39PD3_vJeh9HZ15QmJ8zCX10-nlzUB-bWwvK-rGcJXbK4pArilr5MiaYv7e8h5eW2zs2_itDJ6Oebi-wVbMhg7DvUTBbkCvPhhIedE4UlDQmMYP7RhzVVs7SfmkGs_DQ",
      "p": "v1jeCPnuJQM2PW2690Q9KJk0Ulok8VFGjkcHUHVi3orKdy7y_TCIWM6ZGvgFzI6abinzYbTEPKV4wFdMAwvOWmawXj5YrsoeB44_HXJ0ak_5_iP6XXR8MLGXbd0ZqsxvAZyzMj9vyle7EN2cBod6aenI2QZoRDucPvjPwZsZotk",
      "q": "0Yv-Dj6qnvx_LL70lUnKA6MgHE_bUC4drl5ZNDDsUdUUYfxIK4G1rGU45kHGtp-Qg-Uyf9s52ywLylhcVE3jfbjOgEozlSwKyhqfXkLpMLWHqOKj9fcfYd4PWKPOgpzWsqjA6fJbBUMYo0CU2G9cWCtVodO7sBJVSIZunWrAlBc"
    },
    "tags": {
      "purpose": "unit test"
    }
  }
Importing Certificates 
  POST
  {
    "value": "<base64-encoded PFX content omitted>",
    "pwd": "123",
    "policy": {
      "key_props": {
        "exportable": true,
        "kty": "RSA",
        "key_size": 2048,
        "reuse_key": false
      },
      "secret_props": {
        "contentType": "application/x-pkcs12"
      }
    }
  }

Retrieving Keys, Secrets, and Certificates

Retrieving Keys
  GET
Retrieving Secrets
  GET
Retrieving Certificates 
  GET

Deleting Keys, Secrets, and Certificates 

Deleting Keys
  DELETE
Deleting Secrets
  DELETE
Deleting Certificates 
  DELETE
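The REST samples above show only the request bodies; the prerequisites say the call must carry an authentication token in the request header. The following added example (not code from the article) shows how that header is produced and used from .NET: a token for the Key Vault resource is obtained through DefaultAzureCredential, then the "Creating/Updating Secrets" PUT and the "Retrieving Secrets" GET are sent with HttpClient. The vault name azurekeyvaultsampletwo and the secret body {"value": "my secret value"} come from the article; the endpoint form https://{vault}.vault.azure.net/secrets/{name}?api-version=7.4 and the scope https://vault.azure.net/.default are taken from the public Key Vault REST reference and are assumptions of this example, as is that the calling identity has Get and Set secret permissions on the vault.

```csharp
// Added example (not from the article): calling the Key Vault REST API with a bearer token.
// Assumed: api-version 7.4 and the endpoint shape from the public REST reference; the
// identity running this has Get/Set secret permissions on azurekeyvaultsampletwo.
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;

public static class KeyVaultRest
{
    private const string VaultUri = "https://azurekeyvaultsampletwo.vault.azure.net";
    private const string ApiVersion = "7.4";
    private static readonly HttpClient Http = new();
    // Created once: the credential caches tokens until they are close to expiry.
    private static readonly DefaultAzureCredential Credential = new();

    // The scope is the same for every vault; it identifies the Key Vault resource, not a vault.
    private static async Task<string> GetTokenAsync()
    {
        AccessToken token = await Credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), default);
        return token.Token;
    }

    private static async Task<HttpRequestMessage> NewRequestAsync(HttpMethod method, string path)
    {
        var request = new HttpRequestMessage(method, $"{VaultUri}/{path}?api-version={ApiVersion}");
        // This is the "authentication token configured in the request header" from the prerequisites.
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync());
        return request;
    }

    // PUT /secrets/{name}: creates the secret or adds a new version (article's "Creating/Updating Secrets").
    public static async Task<string> SetSecretAsync(string name, string value)
    {
        var request = await NewRequestAsync(HttpMethod.Put, $"secrets/{name}");
        request.Content = JsonContent.Create(new { value });
        using var response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        // "id" is the versioned secret identifier returned by the service.
        return doc.RootElement.GetProperty("id").GetString()!;
    }

    // GET /secrets/{name}: returns the latest version's value (article's "Retrieving Secrets").
    public static async Task<string> GetSecretAsync(string name)
    {
        var request = await NewRequestAsync(HttpMethod.Get, $"secrets/{name}");
        using var response = await Http.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.Forbidden)
        {
            // The token was accepted but the identity is missing the Get permission on this vault.
            throw new InvalidOperationException("Token is valid but lacks the Get secret permission on this vault.");
        }
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("value").GetString()!;
    }
}

public static class Program
{
    public static async Task Main()
    {
        string id = await KeyVaultRest.SetSecretAsync("sampleSecret", "my secret value");
        Console.WriteLine($"Created secret version: {id}");
        Console.WriteLine(await KeyVaultRest.GetSecretAsync("sampleSecret"));
    }
}
```

The same NewRequestAsync helper serves the key and certificate operations in the sections above by changing the method and path (keys/{name}/create for the key POST, certificates/{name}/create for the certificate POST, and DELETE on the object's own path); only the permissions the identity needs in the access policy differ.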

Azure App Configuration with Azure Key Vault in a .Net Web API using Managed Identities

  • Azure App Configuration previously created, here named appConfigurationSample;
  • Azure Key Vault previously created, here named sampleazkeyvault;
  • Have a secret in your Azure Key Vault, here named sampleSecret;
  • Nuget Azure.Identity;
  • Nuget Microsoft.Extensions.Configuration.AzureAppConfiguration;
From your Azure App Configuration, go to Configuration explorer, under Operations, click on Create and then Key Vault reference.
Point it to your existing secret in your Azure Key Vault.
Enable managed identity for your App Configuration (it could already be enabled).
Then, click on Azure role assignments.
In Scope, select Key Vault, then in Resource select your Key Vault resource, select an appropriate role for it, and click on Save. Here I will set it as Owner.
From our .NET project, update Program.cs to include the connection to your Azure App Configuration and Azure Key Vault,
  using Azure.Identity;
  using Microsoft.Extensions.Configuration;

  // Inside the Host.CreateDefaultBuilder(args) chain in Program.cs
  .ConfigureAppConfiguration((hostingContext, config) =>
  {
      // Configuration gathered so far (appsettings.json, environment variables, ...)
      var settings = config.Build();

      config.AddAzureAppConfiguration(options =>
      {
          options.Connect("your app configuration connection string goes here")
              // Key Vault references stored in App Configuration are resolved by this
              // application itself, using the credential given here
              .ConfigureKeyVault(kv =>
              {
                  kv.SetCredential(new DefaultAzureCredential());
              });
      });
  })
In your Controller, update it to receive an IConfiguration through dependency injection and retrieve your secrets.
  using Microsoft.AspNetCore.Mvc;
  using Microsoft.Extensions.Configuration;

  private readonly IConfiguration configuration;

  public HomeController(IConfiguration configuration)
  {
      this.configuration = configuration;
  }

  [HttpGet]
  public IActionResult Index()
  {
      // Reading the key resolves the Key Vault reference and returns the secret's value
      ViewBag.Secret = this.configuration["samplekeyonappconfiguration"];
      return View();
  }
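The Program.cs sample above still carries the App Configuration connection string in code, which is the one remaining secret in a setup whose whole point is managed identities. The following is an added example, not the article's code, of the same wiring in .NET 6 minimal hosting where both App Configuration and Key Vault are reached with DefaultAzureCredential and only the store's endpoint URL appears in configuration. It assumes a configuration value AppConfig:Endpoint (a name chosen here) holding the store's URL, and uses the App Configuration key samplekeyonappconfiguration and the secret sampleSecret from the article. Note that a Key Vault reference is resolved by the application with the credential passed to ConfigureKeyVault, so it is the application's identity, not the App Configuration store's, that needs Get permission for secrets on sampleazkeyvault; the identity also needs data-plane read on the store (the App Configuration Data Reader role).

```csharp
// Added example (not from the article): App Configuration + Key Vault with no connection
// string. Assumed configuration value: AppConfig:Endpoint (name chosen here), e.g.
// https://appconfigurationsample.azconfig.io
using Azure.Identity;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// One credential for both services: managed identity in Azure, developer sign-in locally.
var credential = new DefaultAzureCredential();

builder.Configuration.AddAzureAppConfiguration(options =>
{
    // Connect with endpoint + credential instead of an access-key connection string.
    options.Connect(new Uri(builder.Configuration["AppConfig:Endpoint"]!), credential)
           // Key Vault references are resolved by this app with this credential,
           // not by the App Configuration store's own managed identity.
           .ConfigureKeyVault(kv => kv.SetCredential(credential));
});

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.MapDefaultControllerRoute();
app.Run();

public class HomeController : Controller
{
    private readonly IConfiguration configuration;

    public HomeController(IConfiguration configuration) => this.configuration = configuration;

    [HttpGet]
    public IActionResult Index()
    {
        // samplekeyonappconfiguration is the Key Vault reference created in the store;
        // reading it returns the value of sampleSecret from sampleazkeyvault.
        ViewBag.Secret = configuration["samplekeyonappconfiguration"];
        return View();
    }
}
```

With this shape the only environment-specific input is the endpoint URL, and which identity is used is decided by where the app runs rather than by anything stored with the code.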
Other Managed Identities practical examples
This is a huge topic, covered in depth by my friend in his article with a .NET Web API practical example. Please check Use Azure Active Directory Managed Identities for your services.
External References