Tag: infrastructure as code

Designing Safe Azure App Registration Secret Rotation (With Guardrails)

Automating Azure App Registration secret rotation is often discussed as a best practice, but implementing it safely is where the real challenge begins.

In many Azure environments, client secrets are stored in Azure Key Vault, expiry alerts are configured, and operational processes are defined. From a governance perspective, everything appears under control.

But monitoring secret expiration is not the same as designing a safe, deterministic rotation model.

Recently, I worked with a customer who had a mature Azure environment.

They had:

  • Azure Key Vault properly configured
  • Monitoring in place for secret expiry
  • Clear ownership of application registrations
  • Good operational discipline

So this wasn’t a “wild west” environment.

The problem was different.

Continue reading “Designing Safe Azure App Registration Secret Rotation (With Guardrails)”

Why most Azure environments fail at governance

As I progressed from “keeping Azure running” to actually owning platform decisions, one thing became painfully clear:
most Azure governance failures are not caused by missing tools — they’re caused by weak technical foundations and late architectural decisions.

I’ll walk through a few very realistic situations I’ve personally encountered over the years. They’re anonymised, but the technical problems are absolutely real.

Continue reading “Why most Azure environments fail at governance”

Azure Resource Locks – The One Feature You’re Probably Not Using (But Should Be)

Accidental deletion or modification of critical resources in Azure is more common than most teams would like to admit. And unlike on-prem environments, where layers of approvals or access barriers might slow someone down, Azure’s agility can sometimes be its own worst enemy — especially when production workloads are one click away from disappearing.

Enter: Azure Resource Locks — your environment’s seatbelt.

What Are Azure Resource Locks?

Azure Resource Locks are a built-in feature that allow you to restrict operations on resources, resource groups, or subscriptions. These locks act as a last line of defense — even if someone has Contributor or Owner permissions, a lock will block unwanted actions like deletion or configuration changes.

Continue reading “Azure Resource Locks – The One Feature You’re Probably Not Using (But Should Be)”