Microsoft Azure Security Technologies (AZ-500): Data and Application Security

Key Vault serves as a centralized storage for you to store SSL/TLS certificates, private keys, passwords (not intended for user passwords) for your Azure resources that can be accessed by privileged users at any time. Key Vault also provides key and secret rotation.

IMPORTANT! Study the diagrams below:

2. Storage Account Security

We should never share our storage account keys with external third-party applications.

If these apps need access to our data, we can use a Shared Access Signature (SAS). A SAS is a string containing a security token that is appended to a URI, and in it we specify the permissions granted and the time range of access.

For example, you can give a customer a Shared Access Signature (SAS) token to upload pictures to a file system in Blob storage.


We can use a Stored Access Policy in combination with a Shared Access Signature (SAS) to place additional restrictions on signatures. For example, a Stored Access Policy lets you change the start time, expiry time or permissions of a signature, or revoke it, after it has been issued.

Do note that creating a new policy has no effect on your existing SAS tokens; to change or revoke an issued SAS you have to modify or delete the Stored Access Policy that the SAS is associated with.

If your Blobs need to be always available for anonymous read access, you can enable anonymous public read access (read only).

For more fine-grained control, we can look into using Shared Access Signature (SAS).

When secure transfer is enabled, any requests originating from an insecure connection are rejected.

Microsoft recommends that you always require secure transfer for all of your storage accounts.
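As an added example (not part of the original post), the following Az PowerShell script applies the points above: it enforces secure transfer and disables anonymous access on the account, then issues a SAS backed by a stored access policy so the token can later be shortened or revoked without touching what the partner holds. The resource group, storage account, container and policy names are placeholders.

```powershell
# Added example, not from the original post. Placeholder names below.
$rg        = 'rg-demo'
$account   = 'stdemo001'
$container = 'uploads'
$policy    = 'partner-upload'

# Harden the account itself: reject any request over HTTP and block
# anonymous public read for every container in the account.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableHttpsTrafficOnly $true -AllowBlobPublicAccess $false

# Stored access policies and service SAS tokens are signed with the account key,
# so fetch it here instead of handing it to the third party.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key

# Stored access policy: permissions and expiry live on the container, not in the token.
# 'cw' = create + write, enough to upload pictures but not to list or read them.
New-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Permission 'cw' -StartTime (Get-Date).AddMinutes(-5) `
    -ExpiryTime (Get-Date).AddDays(7) -Context $ctx

# Issue a SAS that references the policy. Because the token only carries the
# policy identifier (si=), later edits to the policy apply to this token too.
$sas = New-AzStorageContainerSASToken -Name $container -Policy $policy `
    -Protocol HttpsOnly -Context $ctx
"https://$account.blob.core.windows.net/$container?$sas"

# Later: shorten the window without reissuing anything the partner holds ...
Set-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -ExpiryTime (Get-Date).AddHours(1) -Context $ctx

# ... or revoke outright: every SAS referencing the policy is rejected immediately.
Remove-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy -Context $ctx
```

A SAS issued with explicit permissions and expiry (no policy) cannot be revoked this way; it stays valid until it expires or the signing account key is rotated.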

3. Application Security

With the Microsoft Identity Platform, we can extend our reach to these kinds of users:

i. Work and school accounts (Azure AD provisioned accounts)

ii. Personal accounts (such as or

iii. Your customers who bring their own email or social identity (such as LinkedIn, Facebook, Google) via MSAL and Azure AD B2C

Another useful feature offered by Azure is the cloud app risk score, which lets you analyze over 16,000 cloud apps to judge whether an app is safe to deploy in your organization.

Microsoft does not recommend deploying a cloud app with a risk score lower than 8. A few categories are considered in the app reliability assessment; you can click on the risk score to check the app's compliance in each of them:

i. General — This category refers to basic facts about the company that produces the app, including its domain, founding year, and popularity.

ii. Security — The security category accounts for all standards dealing with the physical security of the data used by the discovered app. This category includes fields such as multi-factor authentication, encryption, data classification, and data ownership.

iii. Compliance — This category displays which common best-practice compliance standards are upheld by the company that produces the app. The list of specifications includes standards such as HIPAA, CSA, and PCI-DSS.

iv. Legal — This category displays which regulations and policies each app has in place to ensure data protection and privacy of the app’s users, such as GDPR, DMCA, and a data retention policy.

4. Database Security

There are a few options to set up SQL on Azure:

i. IaaS — SQL on Azure VM (on-prem migration)

ii. PaaS — Azure SQL Database / Azure SQL Managed Instance

How to secure SQL Database?

i. SQL Database Authentication

When a user attempts to connect to a database, the user needs to provide a user account and authentication information.

  • Azure Active Directory Authentication — The username and credential information are stored in Azure Active Directory.

ii. SQL Database Firewalls

  • Database-level firewall rules allow specific client IP addresses and/or all Azure services and resources.

iii. SQL Database Auditing

  • Configure policies for the server or database level.
  • A new server policy applies to all existing and newly created databases.
  • Configure audit log destination.

iv. Data Discovery and Classification

  • Scans your database and identifies columns that contain potentially sensitive data.
  • Provides classification recommendations and reports.
  • Lets you apply sensitivity-classification labels.

v. Vulnerability Assessment

  • Findings provide actionable steps to remediate the issue.
  • Set up periodic recurring scans and export reports.

vi. Advanced Threat Protection (ATP)

  • SQL injection, Data exfiltration, Unsafe action, Brute force, Anomalous client login.

vii. Dynamic Data Masking

Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics support dynamic data masking. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users.

viii. Transparent Data Encryption (TDE)

Transparent Data Encryption can help protect against malicious offline activity by encrypting data at rest.

It performs real-time encryption and decryption of the database, associated backups and transaction log files at rest without requiring changes to the application.

TDE is supported on Azure SQL Database (where it is enabled by default), SQL Managed Instance and Azure Synapse.
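As an added example, not from the original post, this Az PowerShell script applies items ii, iii, vii and viii above to one logical server and database. The resource group, server, database, table, client IP and audit storage account values are placeholders.

```powershell
# Added example, not from the original post. Placeholder names below.
$rg  = 'rg-demo'
$srv = 'sqldemo001'
$db  = 'appdb'

# ii. Firewall: allow only one known egress address at the server level.
# (Database-level rules, scoped to a single database, are created with the
#  T-SQL procedure sp_set_database_firewall_rule rather than Az cmdlets.)
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $srv `
    -FirewallRuleName 'office-egress' `
    -StartIpAddress '203.0.113.10' -EndIpAddress '203.0.113.10'
# "Allow Azure services" is a separate, far broader rule; add it only when needed:
# New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $srv -AllowAllAzureIPs

# iii. Auditing at the server level, so existing and future databases inherit it.
$auditStorageId = '/subscriptions/<sub-id>/resourceGroups/rg-demo' +
    '/providers/Microsoft.Storage/storageAccounts/<audit-account>'   # placeholder
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $srv `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $auditStorageId `
    -RetentionInDays 90

# vii. Dynamic data masking: non-privileged readers see a masked Email column.
Set-AzSqlDatabaseDataMaskingPolicy -ResourceGroupName $rg -ServerName $srv `
    -DatabaseName $db -DataMaskingState Enabled
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $srv `
    -DatabaseName $db -SchemaName 'dbo' -TableName 'Customers' `
    -ColumnName 'Email' -MaskingFunction 'Email'

# viii. TDE is on by default for Azure SQL Database; verify instead of assuming.
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg `
    -ServerName $srv -DatabaseName $db
if ($tde.State -ne 'Enabled') {
    Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg `
        -ServerName $srv -DatabaseName $db -State Enabled
}
```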





goay xuan hui

A food lover, a cyber security enthusiast, a musician and a traveller, so you will see a mix of different contents in my blog. ☺️