Azure Key Vault – Best Practices
Key Vault – A cloud service to store passwords, certificates, keys, etc. Make sure it is very secure.
Tips – Use multiple vaults to separate your key areas, back up the vault, set up logging and alerts, and use soft delete.
How to create a key vault
GUI – Key Vaults > Add
Create a Resource Group
az group create --name "labstudy2020kv" --location uksouth
Create a Key Vault in the Resource Group
az keyvault create --name "labstudy2020Vault" --resource-group "labstudy2020kv" --location uksouth
Add a secret to your key vault info
az keyvault secret set --vault-name "labstudy2020Vault" --name "ExamplePassword" --value "ReallyComplexPassword"
Next step: create a role that can access the vault. Microsoft Example Info
Give a service principal access to your key vault
az keyvault set-policy -n labstudy2020Vault --spn <clientId-of-your-service-principal> --secret-permissions list get set delete purge
To remove the example resource group:
az group delete --name labstudy2020kv
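The procedure above as one script, added here as an example (not part of the original notes), which also applies the tips from the top of the page: soft delete retention with purge protection, audit logging to Log Analytics, and a narrower secret-permission set for the application's service principal than the wide `list get set delete purge` grant. The subscription id, workspace id and client id are placeholders; set DRY_RUN=1 to print the az commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original notes): provision a Key Vault with the
# hardening the notes list as tips (soft delete retention and purge
# protection, audit logging) and grant an app only the secret permissions it
# needs. Subscription and workspace ids are placeholders you must replace.
# DRY_RUN=1 prints each az command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Resource group plus vault. Soft delete is on by default for new vaults; the
# two flags keep deleted items recoverable for 90 days and block early purge.
provision_vault() {
    rg=$1; vault=$2; location=$3
    run az group create --name "$rg" --location "$location"
    run az keyvault create --name "$vault" --resource-group "$rg" \
        --location "$location" --retention-days 90 --enable-purge-protection true
}

# Ship AuditEvent logs (every secret/key/certificate operation) to Log
# Analytics so they can drive alerts; the vault id follows the ARM convention.
enable_audit_logging() {
    sub=$1; rg=$2; vault=$3; workspace_id=$4
    vault_id="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/$vault"
    run az monitor diagnostic-settings create --name kv-audit --resource "$vault_id" \
        --workspace "$workspace_id" --logs '[{"category":"AuditEvent","enabled":true}]'
}

# Read-only secret access for an application's service principal. The notes'
# example also grants set/delete/purge; keep those for the admin identity.
grant_reader_access() {
    vault=$1; spn=$2
    run az keyvault set-policy --name "$vault" --spn "$spn" --secret-permissions get list
}

main() {
    provision_vault labstudy2020kv labstudy2020Vault uksouth
    enable_audit_logging "<subscription-id>" labstudy2020kv labstudy2020Vault "<log-analytics-workspace-id>"
    grant_reader_access labstudy2020Vault "<clientId-of-your-service-principal>"
}

# Pass "apply" to run the whole procedure: DRY_RUN=1 sh kv-setup.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```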
Additional Reference Material
Use Azure Key Vault to pass secure parameter value during deployment
- Grant access to the secrets
- Reference secrets with static ID
- Reference secrets with dynamic ID
Licenses and Limitations of Encryption and Exchange Online in your Microsoft 365 subscription.
Example: send a new message and there is an “Encrypt” button. Great feature, but is there a gotcha you need to configure or another license version you require?
Slightly frustrating that the button exists even if it is not configured, and gives your end users an error message.
“Your machine isn’t set up for Information Rights Management (IRM). To set up IRM, sign in to Office, open an existing IRM protected message or document, or contact your help desk.”
You created a new message in Outlook, clicked Options, Encrypt, and Connect to Rights Management Servers and get templates.
You received this message because RMS isn’t set up in your Microsoft 365 tenancy. Azure Information Protection is only included with certain licenses in Office 365. See the License Data Sheet.
OME stands for Office 365 Message Encryption.
OME is offered as part of “Office 365 Enterprise E3 and E5, Microsoft Enterprise E3 and E5, Microsoft 365 Business Premium, Office 365 A1, A3, and A5, and Office 365 Government G3 and G5.”
Microsoft provides this guide to choosing your activation method.
Features are available to improve security for mobile devices by requiring encryption and a password policy when connecting to Exchange Online (O365). Anyone who has been an Active Directory admin will by default expect to configure additional security; the same logic should apply to the Office 365 admin / Exchange Online admin.
How to configure: start in the Exchange Admin Center
Browse to “Mobile” and edit the “Default” policy
To apply additional security settings to mobile devices by default, I’ve highlighted some of the more restrictive settings to configure, compared to the default:
- Require Password
- Require an Alphanumeric Password
- Require Encryption
- Min Password Length
- Wipe Device on Sign-In Failures
- Sign-in time
- Password Lifetime and Recycle Count