Microsoft – Get Practical

Designing Safe Azure App Registration Secret Rotation (With Guardrails)

Automating Azure App Registration secret rotation is often discussed as a best practice, but implementing it safely is where the real challenge begins.

In many Azure environments, client secrets are stored in Azure Key Vault, expiry alerts are configured, and operational processes are defined. From a governance perspective, everything appears under control.

But monitoring secret expiration is not the same as designing a safe, deterministic rotation model.

Recently, I worked with a customer who had a mature Azure environment.

They had:

Azure Key Vault properly configured
Monitoring in place for secret expiry
Clear ownership of application registrations
Good operational discipline

So this wasn’t a “wild west” environment.

The problem was different.

Continue reading “Designing Safe Azure App Registration Secret Rotation (With Guardrails)”

Azure Health Check – A Free Script to Audit and Visualise Cloud Hygiene

Are you running Azure subscriptions and want a quick, human-friendly overview of your governance, compute, storage, network and Key Vault hygiene?
The Azure Health Check PowerShell script gives you exactly that — scanning multiple subscriptions, flagging weak spots, and producing a clean interactive HTML report (with charts!).

Why this matters

Large and growing Azure estates can easily drift into insecure or unsupported configurations: unprotected VMs, public storage blobs, missing resource locks, orphaned disks, exposed network ports — all of which can lead to security, availability or compliance issues.

Yet manually auditing each subscription is time-consuming. That’s where automation helps. With this script, you get a multi-subscription health summary, scored, visualised and exportable — ideal for periodic reviews, customer readiness checks, or even compliance audits.

Continue reading “Azure Health Check – A Free Script to Audit and Visualise Cloud Hygiene”

Azure Private Link Service Direct Connect – Simplified Private Connectivity (Public Preview)

Azure Private Link Service (PLS) has long been the go-to option for exposing your services privately to consumers across Azure — ensuring that traffic never crosses the public internet.
Until recently, this required a Standard Load Balancer to sit in front of your service. That setup worked well, but it added complexity and limited flexibility, especially in hybrid or custom routing scenarios.
Now, with Private Link Service Direct Connect, Microsoft has simplified the model. You can route traffic directly to any privately routable IP address, removing the dependency on load balancers altogether.
This new feature opens the door to several use cases — from simplifying secure hybrid connections to enabling private access to third-party SaaS and appliances.

Continue reading “Azure Private Link Service Direct Connect – Simplified Private Connectivity (Public Preview)”

Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs

On 26 August 2025, Microsoft announced the general availability (GA) of Entra ID authentication and role-based access control (RBAC) for several supplemental Azure Storage APIs. This update improves security and gives administrators more precise control over sensitive operations such as managing container, queue, and table access permissions.

What has changed

The following APIs now support Entra ID and RBAC:

GetAccountInfo
GetContainerACL / SetContainerACL
GetQueueACL / SetQueueACL
GetTableACL / SetTableACL

These APIs now support OAuth 2.0 authentication via Entra ID.
A key change is the way error responses are returned:

Before: using OAuth without the right permissions resulted in 404 (not found).
Now:
- 403 (forbidden) is returned when OAuth is used but the caller does not have the required permission (for example, Microsoft.Storage/storageAccounts/blobServices/getInfo/action for GetAccountInfo).
- 401 (unauthorised) is returned for anonymous requests.
- 404 (not found) is still possible if the resource itself does not exist.

If your application logic depends on the old 404 behaviour, you should update it to handle both 404 and 403 responses. Microsoft also recommends not relying on error codes to detect unsupported APIs but instead following the Entra ID authorization guidance.

Why this matters

Improved security – no more reliance on shared keys.
Granular access – assign only the necessary permissions.
Consistent responses – OAuth error codes now match industry standards.
Application impact – developers may need to update their code to support the new response model.

Continue reading “Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs”

Azure Resource Locks – The One Feature You’re Probably Not Using (But Should Be)

Accidental deletion or modification of critical resources in Azure is more common than most teams would like to admit. And unlike on-prem environments, where layers of approvals or access barriers might slow someone down, Azure’s agility can sometimes be its own worst enemy — especially when production workloads are one click away from disappearing.

Enter: Azure Resource Locks — your environment’s seatbelt.

What Are Azure Resource Locks?

Azure Resource Locks are a built-in feature that allow you to restrict operations on resources, resource groups, or subscriptions. These locks act as a last line of defense — even if someone has Contributor or Owner permissions, a lock will block unwanted actions like deletion or configuration changes.

Continue reading “Azure Resource Locks – The One Feature You’re Probably Not Using (But Should Be)”