Using Entra ID with Azure Point-to-Site VPN

In today’s post, I’m sharing the process of setting up an Azure Point-to-Site VPN connection using Entra ID for authentication. I’ve already got my Azure VPN Gateway deployed in my environment. Configure the Point-to-Site settings: under Settings, click to enable and configure the Point-to-Site VPN. We will need to allocate a subnet for the VPN client connections; for my environment, I will assign 172.20.20.0/24. Select Azure Active Directory as the Authentication type and specify the Entra ID tenant information. ...
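The same configuration done with Az.Network, as an added example that is not part of the original post. The resource group and gateway names are assumptions; the client address pool is the 172.20.20.0/24 the post uses. Entra ID authentication is only available with the OpenVPN tunnel type, so the script sets that explicitly. The audience value is the application ID of the Azure VPN Client enterprise application for your tenant; the script leaves it as a placeholder rather than hard-coding an ID.

```powershell
# Added example (not from the original post): enable Point-to-Site with Entra ID
# authentication on an existing VPN gateway. Names marked "assumption" are mine.
Connect-AzAccount

$resourceGroup = 'rg-hub'       # assumption
$gatewayName   = 'vgw-hub'      # assumption
$tenantId      = '<entra-tenant-id>'            # your tenant ID (placeholder)
$audienceId    = '<azure-vpn-client-app-id>'    # Azure VPN Client app ID from Microsoft's docs (placeholder)

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroup -Name $gatewayName

# Entra ID ("AAD") authentication requires the OpenVPN tunnel type.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool '172.20.20.0/24' `
    -VpnClientProtocol 'OpenVPN' `
    -VpnAuthenticationType 'AAD' `
    -AadTenantUri   "https://login.microsoftonline.com/$tenantId/" `
    -AadAudienceId  $audienceId `
    -AadIssuerUri   "https://sts.windows.net/$tenantId/"

# Verify what the gateway now advertises to clients.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroup -Name $gatewayName
$gw.VpnClientConfiguration

# Generate the client profile package; the SAS URL points at a zip the
# Azure VPN Client imports (it contains the tenant, audience and issuer above).
$profile = New-AzVpnClientConfiguration -ResourceGroupName $resourceGroup -Name $gatewayName -AuthenticationMethod 'EapTls'
$profile.VpnProfileSASUrl
```

Because each connection is now an Entra ID sign-in against the Azure VPN application, it can be targeted by a Conditional Access policy (for example, to require MFA or a compliant device) just like any other cloud app; that is the main security gain over certificate-based Point-to-Site.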

March 4, 2026

Configure Certificate Authority in Azure Key Vault

This post walks through how I configured a certificate authority in Azure Key Vault. Currently, it natively supports integration with DigiCert and GlobalSign, which is convenient. Public CAs have reduced certificate validity periods and are pushing towards shorter lifetimes. That means certificates expire more frequently, and manual renewal becomes a constant chore. Automating renewals in Azure Key Vault isn’t just a convenience anymore; it’s practically a necessity. In my lab environment, I have an Azure Application Gateway with multiple backend applications. Each HTTP listener on my Application Gateway consumes the public certificates hosted in my Azure Key Vault. ...
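An added example, not code from the original post, of the two pieces that make this work in Az.KeyVault: registering DigiCert as a certificate issuer, and a certificate policy that tells Key Vault to renew on its own ahead of expiry. The vault name, issuer account and organization IDs, and the DNS name are assumptions; the DigiCert API key is read interactively rather than stored in the script.

```powershell
# Added example (not from the original post): Key Vault-managed certificate issuance
# with DigiCert and automatic renewal. Values marked "assumption"/"placeholder" are mine.
$vault  = 'kv-lab'        # assumption
$issuer = 'DigiCert01'    # local name for the issuer object (assumption)

$accountId = '<digicert-account-id>'        # placeholder
$orgId     = '<digicert-organization-id>'   # placeholder
$apiKey    = Read-Host -AsSecureString -Prompt 'DigiCert API key'

# 1) Register the CA account in the vault.
$org = New-AzKeyVaultCertificateOrganizationDetails -Id $orgId
Set-AzKeyVaultCertificateIssuer -VaultName $vault -Name $issuer `
    -IssuerProvider 'DigiCert' -AccountId $accountId -ApiKey $apiKey `
    -OrganizationDetails $org

# 2) Policy: 12-month validity, renew 30 days before expiry.
#    The key is left exportable (the default) on purpose: Application Gateway
#    fetches the PKCS#12 from the certificate's secret, which needs the private key.
$policy = New-AzKeyVaultCertificatePolicy `
    -SubjectName 'CN=app1.example.com' `
    -DnsName 'app1.example.com' `
    -IssuerName $issuer `
    -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30 `
    -KeyType RSA -KeySize 2048 `
    -SecretContentType 'application/x-pkcs12'

# 3) Create the certificate; Key Vault submits the CSR to DigiCert and, later,
#    re-submits it on its own when the renewal window is reached.
Add-AzKeyVaultCertificate -VaultName $vault -Name 'app1-cert' -CertificatePolicy $policy

# Track issuance: Status moves from "inProgress" to "completed" once the CA responds.
Get-AzKeyVaultCertificateOperation -VaultName $vault -Name 'app1-cert'
```

For the renewal to be transparent, the Application Gateway listener must reference the certificate's secret identifier without a version (the "latest version" form); the gateway then polls Key Vault and picks up the renewed certificate without a redeploy.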

February 24, 2026

Protecting Azure Backups with Azure Resource Guard

Protecting backup infrastructure has become a critical part of cloud security. Attackers increasingly target backups because disabling retention, deleting vaults, or modifying policies can neutralize an organization’s recovery strategy before the ransomware itself is even launched. Azure Backup already includes safeguards like soft delete and immutable retention. But these controls still rely on the security posture of the subscription where the vault resides. If that subscription is compromised, a compromised admin account or malicious insider may still be able to perform destructive operations such as purging recovery points or stopping VM backup. Azure Resource Guard (the basis of Azure Backup’s multi-user authorization) introduces a hardened and isolated approval boundary, typically in a separate subscription or tenant, that enforces separation of duties for critical backup operations. ...

February 16, 2026

Using GPS Location for Conditional Access Policy

I was setting up a Conditional Access policy to block sign-ins from outside the country. I created a policy based on IP-based Named Locations, specifying a country as the trusted region. However, the problem is that users who travel overseas could still sign in if they connected through a VPN or proxy, which would then show their IP as being in the country. In some cases, mobile phone roaming plans would assign IP addresses from the country even when the device was physically overseas. The IP-based restriction wasn’t truly enforcing location. This reminds me of how we could get around streaming services like Netflix, where you can use a VPN to see movie catalogs from a different country. ...
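An added example (not the post's own code) using Microsoft Graph PowerShell: a country named location whose lookup method is Microsoft Authenticator GPS instead of the client IP, and a Conditional Access policy that blocks sign-ins from every other location. The country code, display names and the excluded break-glass group ID are assumptions.

```powershell
# Added example (not from the original post): GPS-based country named location
# and a blocking policy around it. Values marked "assumption"/placeholder are mine.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# countryLookupMethod is the whole point: 'authenticatorAppGps' makes Entra ID ask
# the Authenticator app for the device's GPS position instead of geolocating the IP.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Home country (GPS)'        # assumption
    countriesAndRegions               = @('US')                     # assumption
    includeUnknownCountriesAndRegions = $false   # no GPS answer = not "home", so it gets blocked
    countryLookupMethod               = 'authenticatorAppGps'
}

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block sign-in outside home country (GPS)'       # assumption
    state       = 'enabledForReportingButNotEnforced'               # report-only first
    conditions  = @{
        users        = @{
            includeUsers  = @('All')
            excludeGroups = @('<break-glass-group-id>')              # placeholder
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
```

Two practical caveats: users are prompted in Authenticator to share their location (so the app must be installed and the prompt explained), and a user who declines or is on a platform that cannot report GPS will fail the policy, which is why it starts in report-only and excludes the break-glass accounts.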

December 16, 2025

Using Phishing Resistant MFA in Entra ID

As I’ve been exploring passwordless authentication like Windows Hello for Business in my previous posts, one concept that has really captured my attention is the idea of phishing-resistant MFA. Traditional MFA methods, like SMS codes or OTP, can still be intercepted or tricked out of users through social engineering. Passkeys, however, are designed to close that gap: the credential is cryptographically bound to the origin it was registered with, so a lookalike site never receives a response it can replay. Let’s say I’m signing into my account. I type in my username and password, and the system asks for a second factor. That could either be a text message with a six‑digit code or a push notification from Microsoft Authenticator on my phone. Both feel secure at first glance. But suppose I click on a fake login page that looks identical to the real one. I enter my username and password, and the fake site instantly relays those details to the real service. The service then sends me the MFA challenge. If it’s SMS, I get the code on my phone and type it into the fake page, not realizing the attacker is capturing it in real time. If it’s Authenticator, I see a push notification and approve it, thinking it’s legitimate, but in reality I’ve just confirmed the attacker’s login attempt. ...
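The control that actually shuts the relay attack out is a Conditional Access policy that accepts only phishing-resistant methods, which in Entra ID is expressed as an authentication strength. Below is an added example (not from the post) with Microsoft Graph PowerShell that requires the built-in "Phishing-resistant MFA" strength for a pilot group. The group IDs and policy name are assumptions; the strength ID is the built-in one, and the script lists the strengths first so you can confirm it in your tenant.

```powershell
# Added example (not from the original post): require phishing-resistant MFA
# (FIDO2/passkeys, Windows Hello for Business, certificate-based auth) via
# Conditional Access. Values marked "assumption"/placeholder are mine.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Built-in strengths ship with fixed IDs; list them and check which combinations
# each one allows before relying on an ID.
Get-MgPolicyAuthenticationStrengthPolicy |
    Select-Object DisplayName, Id, AllowedCombinations

$phishingResistantId = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA"

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Require phishing-resistant MFA (pilot)'        # assumption
    state       = 'enabledForReportingButNotEnforced'             # observe sign-in logs first
    conditions  = @{
        users = @{
            includeGroups = @('<pilot-group-id>')                 # placeholder
            excludeGroups = @('<break-glass-group-id>')           # placeholder
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantId }
    }
}
```

With this in place, the attack in the paragraph above fails at the second factor: the real service demands a passkey or Windows Hello assertion, the assertion is signed over the genuine origin and challenge, and nothing the fake page can forward will satisfy it. Keep SMS and push enabled only as long as the pilot group needs a fallback, otherwise the weaker methods remain the path of least resistance for everyone outside the policy.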

December 9, 2025

Configuring Cloud Kerberos Trust

In my previous post, I explored Windows Hello for Business using the Key Trust model. This time, I’m turning my attention to configuring Windows Hello to authenticate with Cloud Kerberos Trust. For this test, I’m working on an Entra ID–joined machine and attempting to access an on‑premises Active Directory domain‑joined file server. Signing in with Windows Hello for Business against Entra ID works perfectly for cloud applications, but the moment I try to reach on‑premises resources such as file shares, printers, or legacy apps, Kerberos is required. Traditionally the device must be domain‑joined, or the user is prompted again to supply their AD credentials. ...
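An added example (not the post's own code) of the two halves of Cloud Kerberos Trust: creating the Azure AD Kerberos server object in on-premises AD with the AzureADHybridAuthenticationManagement module so Entra ID can issue partial TGTs for the domain, and turning cloud trust on for Windows Hello for Business on the Entra-joined client. The domain name is an assumption, and the registry path used for the client setting is the one the "Use cloud trust for on-premises authentication" Group Policy writes, stated here as an assumption rather than taken from the post.

```powershell
# Added example (not from the original post). Values marked "assumption" are mine.

# --- Part 1: run on a domain-joined admin workstation with AD RSAT ---
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

$domain     = 'corp.example.com'                                   # assumption
$domainCred = Get-Credential -Message 'AD Domain Admin'
$cloudCred  = Get-Credential -Message 'Entra Global / Hybrid Identity Administrator'

# Creates the AzureADKerberos computer object and the krbtgt_AzureAD account
# (an RODC-style trust account) and publishes its key to Entra ID.
Set-AzureADKerberosServer -Domain $domain -DomainCredential $domainCred -CloudCredential $cloudCred

# Check the on-prem and cloud copies agree (KeyVersion / CloudKeyVersion should match).
Get-AzureADKerberosServer -Domain $domain -DomainCredential $domainCred -CloudCredential $cloudCred

# The krbtgt_AzureAD key is a high-value secret; rotate it on the same schedule as krbtgt:
# Set-AzureADKerberosServer -Domain $domain -DomainCredential $domainCred -CloudCredential $cloudCred -RotateServerKey

# --- Part 2: run on the Entra-joined client ---
# Equivalent of the Intune CSP UseCloudTrustForOnPremAuth / the Group Policy
# "Use cloud trust for on-premises authentication" (registry path is an assumption).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
New-Item -Path $policyPath -Force | Out-Null
Set-ItemProperty -Path $policyPath -Name 'UseCloudTrustForOnPremAuth' -Value 1 -Type DWord

# After signing out and back in with Windows Hello, the partial TGT from Entra ID
# should be visible, and a ticket for the file server should be obtainable:
klist cloud_debug
klist get "cifs/fileserver.$domain"
```

The client must be able to reach a domain controller (directly or over VPN) to exchange the partial TGT for a full one, which is why the scenario in the post still needs line of sight to AD even though the user never typed a domain password.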

December 6, 2025

Replicate Secrets between Key Vaults using a Logic App

Last time, I walked through exporting secrets from one Key Vault to another using PowerShell. That script could definitely be polished up and even automated with a scheduled task or an Azure runbook. In this post, I’ll take a different approach: using an Azure Logic App to copy secrets between Key Vaults. Logic Apps bring a low-code, workflow-based way to handle automation, so you don’t need to maintain scripts or worry about infrastructure. I’ll show how to set it up using a consumption-based Azure Logic App. ...

November 25, 2025

Backup Secrets From Key Vault

Recently, I investigated the process of backing up and copying secrets between two Key Vaults. I wanted to check what happens when you need to move secrets from one key vault to another, maybe for disaster recovery or cross‑region deployments, or to copy secrets from dev to staging or production. From the Azure Portal, I can back up a secret to a file, then restore it to another key vault. But I can’t restore to a key vault in a different subscription. The backup file is encrypted and can only be restored within the same Azure subscription (and the same Azure geography). ...
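An added example, not code from either of the two Key Vault posts above, contrasting the two mechanisms they describe: the opaque backup blob, which only restores inside the same subscription and geography, and a read-and-write copy of each secret, which is what the Logic App approach does through the Key Vault REST API and is the only option across subscriptions. Vault names are assumptions.

```powershell
# Added example (not from the original posts). Vault names are assumptions.
$sourceVault = 'kv-source'
$targetVault = 'kv-target'

# 1) Same subscription and geography: encrypted backup blob -> restore.
#    Keeps all versions and attributes; fails against a vault elsewhere.
Backup-AzKeyVaultSecret -VaultName $sourceVault -Name 'db-password' -OutputFile '.\db-password.blob' -Force
Restore-AzKeyVaultSecret -VaultName $targetVault -InputFile '.\db-password.blob'

# 2) Anywhere the caller has rights: copy the current version of every enabled
#    secret, carrying over content type, validity window and tags so consumers
#    see the same metadata. Only the latest version is copied; history is not.
function Copy-KeyVaultSecrets {
    param(
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To
    )
    foreach ($meta in Get-AzKeyVaultSecret -VaultName $From) {
        if (-not $meta.Enabled) { continue }    # disabled secrets are intentionally left out

        $plain  = Get-AzKeyVaultSecret -VaultName $From -Name $meta.Name -AsPlainText
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

        $params = @{ VaultName = $To; Name = $meta.Name; SecretValue = $secure }
        if ($meta.ContentType) { $params.ContentType = $meta.ContentType }
        if ($meta.Expires)     { $params.Expires     = $meta.Expires }
        if ($meta.NotBefore)   { $params.NotBefore   = $meta.NotBefore }
        if ($meta.Tags)        { $params.Tag         = $meta.Tags }

        Set-AzKeyVaultSecret @params | Out-Null
        $plain = $null    # drop the plaintext as soon as it has been written
        [PSCustomObject]@{ Name = $meta.Name; CopiedTo = $To }
    }
}

Copy-KeyVaultSecrets -From $sourceVault -To $targetVault
```

Whatever identity runs the copy (your account here, the Logic App's managed identity in the other post) needs read on the source and write on the target only: with RBAC that is Key Vault Secrets User on the source vault and Key Vault Secrets Officer on the target, and nothing broader. The plaintext necessarily passes through the copying process, so run it from a trusted host and avoid logging the values.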

November 20, 2025

Converting Cloud-Only Accounts to Synced Accounts in Entra ID

If you run Microsoft 365 or Azure in a hybrid setup, chances are you’ve deployed Microsoft Entra Connect (formerly Azure AD Connect). This handy tool keeps your on-premises Active Directory (AD) in sync with Entra ID, so users can log in seamlessly whether they’re working on-prem or in the cloud. When you create a user in your on-prem AD, Entra Connect syncs that account up to Entra ID. In Entra ID, every account has a property called On-premises Sync Enabled. ...
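An added example (not from the post) of the step that makes a cloud-only account "take over" by an existing AD user instead of producing a duplicate: a hard match, where the cloud user's OnPremisesImmutableId is set to the base64 form of the AD source anchor before the AD object comes into sync scope. The sAMAccountName and UPN are assumptions; the script uses mS-DS-ConsistencyGuid when it is already populated (Entra Connect's default source anchor) and falls back to objectGUID otherwise.

```powershell
# Added example (not from the original post). Identities marked "assumption" are mine.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$adSam    = 'jdoe'                # assumption
$cloudUpn = 'jdoe@example.com'    # assumption

$adUser = Get-ADUser -Identity $adSam -Properties objectGUID, 'mS-DS-ConsistencyGuid', userPrincipalName

# Source anchor bytes: prefer the ConsistencyGuid if Entra Connect (or an earlier
# sync) has already written it; otherwise it will be seeded from objectGUID.
$anchorBytes = if ($adUser.'mS-DS-ConsistencyGuid') {
    [byte[]]$adUser.'mS-DS-ConsistencyGuid'
} else {
    $adUser.objectGUID.ToByteArray()
}
$immutableId = [Convert]::ToBase64String($anchorBytes)

$cloudUser = Get-MgUser -UserId $cloudUpn -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

# Guard rails: never touch an account that AD already masters, and warn on a UPN
# mismatch (the AD UPN suffix must be a verified domain for the soft/hard match to hold).
if ($cloudUser.OnPremisesSyncEnabled) {
    throw "$cloudUpn is already synced; hard matching would be rejected."
}
if ($adUser.userPrincipalName -ne $cloudUpn) {
    Write-Warning "AD UPN '$($adUser.userPrincipalName)' differs from cloud UPN '$cloudUpn'"
}

Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $immutableId

# Next: move the AD user into an OU that is in Entra Connect's sync scope and, on the
# Entra Connect server, run:   Start-ADSyncSyncCycle -PolicyType Delta
# After the cycle, OnPremisesSyncEnabled on the cloud object becomes true and
# its synced attributes are read-only in Entra ID, mastered from AD.
```

Do the match on a test account first: once the objects are joined, attributes such as display name, UPN and group membership of synced groups are overwritten by the AD values, and a wrong ImmutableId links the cloud account, and its licenses and mailbox, to the wrong person.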

November 18, 2025