Microsoft Entra – Get Practical

Designing Safe Azure App Registration Secret Rotation (With Guardrails)

Automating Azure App Registration secret rotation is often discussed as a best practice, but implementing it safely is where the real challenge begins.

In many Azure environments, client secrets are stored in Azure Key Vault, expiry alerts are configured, and operational processes are defined. From a governance perspective, everything appears under control.

But monitoring secret expiration is not the same as designing a safe, deterministic rotation model.

Recently, I worked with a customer who had a mature Azure environment.

They had:

Azure Key Vault properly configured
Monitoring in place for secret expiry
Clear ownership of application registrations
Good operational discipline

So this wasn’t a “wild west” environment.

The problem was different.

Continue reading “Designing Safe Azure App Registration Secret Rotation (With Guardrails)”

Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs

On 26 August 2025, Microsoft announced the general availability (GA) of Entra ID authentication and role-based access control (RBAC) for several supplemental Azure Storage APIs. This update improves security and gives administrators more precise control over sensitive operations such as managing container, queue, and table access permissions.

What has changed

The following APIs now support Entra ID and RBAC:

GetAccountInfo
GetContainerACL / SetContainerACL
GetQueueACL / SetQueueACL
GetTableACL / SetTableACL

These APIs now support OAuth 2.0 authentication via Entra ID.
A key change is the way error responses are returned:

Before: using OAuth without the right permissions resulted in 404 (not found).
Now:
- 403 (forbidden) is returned when OAuth is used but the caller does not have the required permission (for example, Microsoft.Storage/storageAccounts/blobServices/getInfo/action for GetAccountInfo).
- 401 (unauthorised) is returned for anonymous requests.
- 404 (not found) is still possible if the resource itself does not exist.

If your application logic depends on the old 404 behaviour, you should update it to handle both 404 and 403 responses. Microsoft also recommends not relying on error codes to detect unsupported APIs but instead following the Entra ID authorization guidance.

Why this matters

Improved security – no more reliance on shared keys.
Granular access – assign only the necessary permissions.
Consistent responses – OAuth error codes now match industry standards.
Application impact – developers may need to update their code to support the new response model.

Continue reading “Azure Storage: GA Support for Entra ID and RBAC in Supplemental APIs”

Migrating Risk Policies to Conditional Access: A Strategic Guide for Enhanced Security

Azure AD Conditional Access Best Practices

As the digital security landscape continues to evolve, organizations utilizing Microsoft Azure are encouraged to migrate their Identity Protection risk policies to Conditional Access. With Microsoft’s announcement that legacy risk policies in Microsoft Entra ID Protection will be retired on October 1, 2026, now is the crucial time to plan and execute this transition. This guide not only walks you through the migration process but also incorporates Microsoft’s recommended practices for configuring risk policies to protect your organization effectively.

Understanding the Importance of Migration

The retirement of the old risk policies necessitates a shift to a more robust and integrated system. Conditional Access provides a more dynamic framework that allows for real-time assessments and adaptive responses to identity-based threats, making it a superior choice for managing security risks in Azure.

Preparing for Migration

Begin by auditing your existing risk policies in Microsoft Entra ID Protection. Identify which configurations are active and understand their implications to ensure that all critical aspects of your security setup are transitioned without loss of coverage.

Continue reading “Migrating Risk Policies to Conditional Access: A Strategic Guide for Enhanced Security”