Hands-on-Labs
28 Topics

Former Employer Abuse

My former employer, Albert Williams, president of American Security Force Inc., keeps adding my outlook accounts, computers and mobile devices to the company's azure cloud even though I left the company more than a year ago. What can I do to remove myself from his grip? Does Microsoft have a solution against abusive employers?

43 Views, 0 likes, 0 Comments

Creating Logic App to Identify Low Storage Devices from Intune

Hello everyone, I’m seeking some assistance with creating a Logic App. I need to identify devices in Intune that have 5GB or less of available space and receive an email with the details of these devices, including their names. Is this achievable?

515 Views, 0 likes, 3 Comments

Search for users in Azure AD with PowerShell who have a directory role assigned!

Hi Azure friends,

It was about the following customer scenario. The task was to search for users who have been assigned a directory role in Azure Active Directory. Of course this search can be done with the Azure Portal. However, I think we can agree that this might take a bit of time. Let's work together with PowerShell.

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish.

Please start with the following steps to begin the deployment (the Hashtags are comments):

    #The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE.
    Set-Location C:\
    Clear-Host

    #We need the cmdlets
    Install-Module -Name AzureAD -AllowClobber -Force -Verbose

    #Sometimes the module must be imported
    Import-Module AzureAD

    #Let's connect
    Connect-AzureAD

    #To explore the available cmdlets in the Azure AD module
    Get-Command -Module AzureAD | Measure-Object

    #Fetch list of all directory roles with object ID
    Get-AzureADDirectoryRole

    #Fetch a specific directory role by ID
    $role = Get-AzureADDirectoryRole -ObjectId "6fd5c3ac-2e62-4fca-84fe-9e32ae5282f2"

    #Fetch role membership for a role (to get an idea)
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser

    #Let's create some variables
    $roleUsers = @()
    $roles = Get-AzureADDirectoryRole

    #We use a loop
    ForEach ($role in $roles) {
        $users = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        ForEach ($user in $users) {
            Write-Host $role.DisplayName,$user.DisplayName,$user.UsageLocation
            $obj = New-Object PSCustomObject
            $obj | Add-Member -type NoteProperty -name RoleName -value ""
            $obj | Add-Member -type NoteProperty -name UserDisplayName -value ""
            $obj | Add-Member -type NoteProperty -name UsageLocation -value ""
            $obj.RoleName = $role.DisplayName
            $obj.UserDisplayName = $user.DisplayName
            $obj.UsageLocation = $user.UsageLocation
            $roleUsers += $obj
        }
    }

    #We have a result
    $roleUsers

    #A bit more readable
    $roleUsers | Sort-Object Userdisplayname | select Userdisplayname, RoleName

    #Remove the session
    Disconnect-AzureAD

Now we have a listing of users who have been given a directory role in Azure AD. I know that wasn't super fancy at all. But I really wanted to share my experience with you.

I hope this article was useful.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM, etc.) that I use can be found on github! https://github.com/tomwechsler

5.6K Views, 2 likes, 3 Comments

Dynamic user membership rules, Azure Active Directory Administrative Units and password reset!

Dear Microsoft 365 and Azure Friends,

A customer project involved the following issue. A department manager should be able to reset the passwords for his employees who are in his team. However, the department head does not want to bother with group membership.

To meet this requirement, I worked with the following functions:

- Azure Active Directory administrative units
- Dynamic user membership rules
- Password Administrator Role

Important: Azure Active Directory administrative units are only available with Azure AD Premium P1 (or higher).

In order to work with the Dynamic user membership rules feature, it is important that the profiles are maintained on the accounts. What exactly do I mean by that, for example that the attribute department is "Trading" or the city is "Bern". The more attributes are configured with a value, the more detailed you can work with the "Query Rule". Let me now explain this in detail.

Let's take a look at an Azure AD account, more specifically the profile.

Now it's time to create an Administrative Unit. Let's imagine that Jon Prime is the department manager and he gets the role "Password administrator".

The Administrative Unit is created. Now it is a matter of automatically adding the members from his team (from Jon Prime) to this Administrative Unit. Now let's configure it. The first step is to navigate into the Administrative Unit.

Now Jon Prime can go to the following URL and log in.

For Jon Prime, the Administrative Unit is now visible with the members it contains. He can now reset the password for these members.

Important: But only for these members in this Administrative Unit. Not for any other accounts in the Azure Active Directory.

I hope this article was useful. Thank you for taking the time to read the article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

9.1K Views, 2 likes, 1 Comment

Manage licenses with PowerShell in Azure Active Directory!

Hi Azure friends,

In this article, I will describe how you can use PowerShell in Azure Active Directory to quickly get information about licenses. I have summarized a few experiences and would like to share them with you.

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish.

Please start with the following steps to begin the deployment (the Hashtags are comments):

    #The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE
    Set-Location C:\Temp
    Clear-Host

    #We need the cmdlets
    Install-Module -Name AzureAD -AllowClobber -Force -Verbose

    #Sometimes the module must be imported
    Import-Module AzureAD

    #Let's connect to the Azure Active Directory
    Connect-AzureAD

    #What licenses are available?
    Get-AzureADSubscribedSku

    #More info about the license package
    Get-AzureADSubscribedSku | Select-Object -Property ObjectId, SkuPartNumber, ConsumedUnits -ExpandProperty PrepaidUnits

    #What is included in the license package
    Get-AzureADSubscribedSku `
        -ObjectId 95b14fab-6bbf-4756-94d4-99993dd27f55_05e9a617-0261-4cee-bb44-138d3ef5d965 | Select-Object -ExpandProperty ServicePlans

    #To list all licensed users (-All $true returns every user, not just the first page of results)
    Get-AzureADUser -All $true | ForEach-Object {
        $licensed = $false
        For ($i = 0; $i -lt ($_.AssignedLicenses | Measure-Object).Count; $i++) {
            If ([string]::IsNullOrEmpty($_.AssignedLicenses[$i].SkuId) -ne $true) { $licensed = $true }
        }
        If ($licensed -eq $true) { Write-Host $_.UserPrincipalName }
    }

    #To list all of the unlicensed users
    Get-AzureADUser -All $true | ForEach-Object {
        $licensed = $false
        For ($i = 0; $i -lt ($_.AssignedLicenses | Measure-Object).Count; $i++) {
            If ([string]::IsNullOrEmpty($_.AssignedLicenses[$i].SkuId) -ne $true) { $licensed = $true }
        }
        If ($licensed -eq $false) { Write-Host $_.UserPrincipalName }
    }

    #Do users have a usage location?
    Get-AzureADUser | Select DisplayName,Department,UsageLocation

    #We select a user
    $User = Get-AzureADUser -ObjectId fred.prefect@tomscloud.ch

    #The user needs a location
    Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation CH

    #We need the SKU ID
    Get-AzureADSubscribedSku | Select SkuPartNumber, SkuID

    #Create the AssignedLicense object
    $Sku = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

    #Set the SKU ID
    $Sku.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"

    #Create the AssignedLicenses Object
    $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

    #Add the SKU
    $Licenses.AddLicenses = $Sku

    #Setting a License to a User
    Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses

    #Creating a Custom License
    $User = Get-AzureADUser -ObjectId fred.prefect@tomscloud.ch

    #Create the AssignedLicense object
    $Sku = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

    #Add the SKU
    $Sku.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"

    #Show the ServicePlans
    Get-AzureADSubscribedSku -ObjectId 95b14fab-6bbf-4756-94d4-99993dd27f55_05e9a617-0261-4cee-bb44-138d3ef5d965 | Select-Object -ExpandProperty ServicePlans

    #Get the LicenseSKU and create the Disabled ServicePlans object
    $Sku.DisabledPlans = @("a23b959c-7ce8-4e57-9140-b90eb88a9e97","aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1")

    #Create the AssignedLicenses Object
    $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

    #Add the SKU
    $Licenses.AddLicenses = $Sku

    #Assign the license to the user
    Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses

Now you have successfully edited the licenses with PowerShell in Azure Active Directory! Congratulations!

I hope this article was useful.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

21K Views, 2 likes, 6 Comments

My learning path to the Microsoft Certified: Windows Server Hybrid Administrator Associate!

Dear Microsoft Azure Friends,

When I read from Microsoft Learn that there was again a Windows Server exam along with Microsoft Azure, I was excited. The new certification is called: Microsoft Certified: Windows Server Hybrid Administrator Associate! This certification consists of two exams: AZ-800 and AZ-801. If you successfully pass both exams you will receive the certification. This article is all about the AZ-801 exam.

I have described my learning path to the AZ-800 in this article!
https://techcommunity.microsoft.com/t5/azure/my-preparations-for-the-exam-az-800-administering-windows-server/m-p/3262042

After I had passed the AZ-800, I quickly asked myself, will the AZ-801 be even more difficult? For me, it is always best to read the skills measured first. This gives me a first impression of the exam.

Now let me show you how my preparation for the exam was:

1. First of all, I looked at the Exam Topics to get a first impression of the scope of topics.
   https://docs.microsoft.com/en-us/learn/certifications/exams/az-801
   Please take a close look at the skills assessed:
   https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWKPgH

2. So that I can prepare for an exam I need an Azure test environment (this is indispensable for me). You can sign up for a free trial here.
   https://azure.microsoft.com/en-us/free/
   I have also set up a small local test environment with a couple of Windows Server 2022. You can get the operating systems directly from Microsoft:
   https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022
   https://www.microsoft.com/en-us/evalcenter/evaluate-windows-11-enterprise
   https://www.microsoft.com/en-us/evalcenter/evaluate-windows-admin-center

3. Now it goes to the Microsoft Learning paths content. Work through the learning paths at your leisure. They are really super helpful to prepare for the exam. At this point, many thanks to Microsoft Learn (SandraMarin) for the great learning content:
   https://docs.microsoft.com/en-us/learn/paths/secure-windows-server-premises-hybrid-infrastructures/
   https://docs.microsoft.com/en-us/learn/paths/implement-windows-server-high-availability/
   https://docs.microsoft.com/en-us/learn/paths/implement-disaster-recovery-windows-server-premises/
   https://docs.microsoft.com/en-us/learn/paths/migrate-servers-workloads-premises-hybrid-environments/
   https://docs.microsoft.com/en-us/learn/paths/monitor-troubleshoot-windows-server-environments/

4. Register for the exam early. This creates some pressure and you stay motivated.
   https://docs.microsoft.com/en-us/learn/certifications/exams/az-801

5. Please also have a look at thomasmaurer's website, this is also very helpful!
   https://www.thomasmaurer.ch/2022/03/az-801-exam-study-guide-configuring-windows-server-hybrid-advanced-services/

6. I have created a repository on GitHub for the two exams AZ-800 and AZ-801. There are links, scripts and a lot of content in it, please have a look:
   https://github.com/tomwechsler/Microsoft_Certified_Windows_Server_Hybrid_Administrator_Associate

7. I started (in German) with a YouTube playlist (it's still early days) to become a Microsoft Certified: Windows Server Hybrid Administrator Associate
   https://www.youtube.com/playlist?list=PLi0MTIjZai_xLvMSMgOxnk-0QFSxjSEe5

8. More helpful information directly from Microsoft, divided into the functional groups (Skills measured)!

Secure Windows Server On-premises and Hybrid Infrastructures:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection
https://docs.microsoft.com/de-de/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-administrator-accounts-and-groups
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
https://docs.microsoft.com/en-us/defender-for-identity/what-is
https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference?tabs=LAA#windows-security-events-via-ama
https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-models
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

Implement and manage Windows Server high availability:
https://docs.microsoft.com/en-us/azure/virtual-machines/disks-shared
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets
https://docs.microsoft.com/en-us/windows-server/failover-clustering/create-failover-cluster
https://docs.microsoft.com/en-us/windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage
https://docs.microsoft.com/en-us/windows-server/storage/storage-replica/cluster-to-cluster-azure-cross-region
https://docs.microsoft.com/en-us/windows-server/failover-clustering/clustering-requirements
https://docs.microsoft.com/en-us/windows-server/storage/storage-replica/cluster-to-cluster-azure-cross-region
https://docs.microsoft.com/en-us/windows-server/failover-clustering/clustering-requirements
https://docs.microsoft.com/en-us/windows-server/failover-clustering/manage-cluster-quorum
https://docs.microsoft.com/en-us/windows-server/failover-clustering/failover-clustering-overview
https://docs.microsoft.com/en-us/azure-stack/hci/deploy/cluster-set
https://docs.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview
https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-cloud-witness
https://docs.microsoft.com/en-us/troubleshoot/windows-server/high-availability/cluster-information-ip-address-failover
https://docs.microsoft.com/en-us/windows-server/failover-clustering/cluster-aware-updating
https://docs.microsoft.com/en-us/azure-stack/hci/concepts/storage-spaces-direct-overview
https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/deploy-storage-spaces-direct

Implement disaster recovery:
https://docs.microsoft.com/en-us/azure/backup/backup-windows-with-mars-agent
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server
https://docs.microsoft.com/en-us/azure/backup/backup-mabs-whats-new-mabs
https://docs.microsoft.com/en-us/azure/backup/backup-azure-microsoft-azure-backup
https://docs.microsoft.com/en-us/azure/backup/backup-instant-restore-capability
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-userestapi-createorupdatepolicy
https://docs.microsoft.com/en-us/azure/backup/backup-client-automation
https://docs.microsoft.com/en-us/azure/virtual-machines/backup-and-disaster-recovery-for-azure-iaas-disks
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-manage-network-interfaces-on-premises-to-azure
https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-create-recovery-plans
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-about-networking
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-about-networking
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/set-up-hyper-v-replica

Migrate servers and workloads:
https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/cutover
https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/overview
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-migration-overview
https://docs.microsoft.com/en-us/azure/migrate/deploy-appliance-script
https://docs.microsoft.com/en-us/azure/migrate/how-to-set-up-appliance-physical
https://docs.microsoft.com/en-us/azure/migrate/how-to-migrate
https://docs.microsoft.com/en-us/iis/publish/using-web-deploy/migrate-a-web-site-from-iis-60-to-iis-7-or-above
https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/building-sample-app
https://docs.microsoft.com/en-us/windows-server/get-started/upgrade-migrate-roles-features

Monitor and troubleshoot Windows Server environments:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/performance-overview
https://docs.microsoft.com/en-us/windows-server/manage/system-insights/overview
https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-monitor
https://docs.microsoft.com/en-us/windows-server/manage/system-insights/overview
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/networking-overview
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/boot-error-troubleshoot
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/support-agent-extensions
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/reset-directory-services-restore-mode-admin-pwd
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment

More helpful links:
https://docs.microsoft.com/en-us/windows-server/failover-clustering/bitlocker-on-csv-in-ws-2022
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide
https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts
https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm
https://docs.microsoft.com/en-us/defender-for-identity/technical-faq
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview
https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-cloud-witness
https://docs.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview
https://docs.microsoft.com/en-us/azure/site-recovery/recovery-plan-overview
https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/migrate-data
https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/overview
https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
https://docs.microsoft.com/en-us/azure/migrate/tutorial-discover-physical
https://docs.microsoft.com/en-us/iis/publish/using-web-deploy/synchronize-iis

I want to emphasize it again in this article, read the questions very carefully. The difference is very often in the details. If it says you have to back up the server and all data to Azure, then that is something different than if it would only say all data. This small difference has a big impact on the subsequent solution!

One final tip: When you have learned something new, try to explain what you have learned to another person (whether or not they know your subject). If you can explain it in your own words, you understand the subject.
That is exactly how I do it, except that I do not explain it to another person, but record a video for YouTube!

I hope this information helps you and that you successfully pass the exam. I wish you success!

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

7.5K Views, 2 likes, 2 Comments

My exam preparation for Microsoft Azure Administrator Associate (AZ-104)

Hi Azure Friends,

Why should I take a certification? What does this certificate bring me? These are questions I am often asked. In all honesty, there is no exact answer to these questions. Let me explain how I would answer them.

The first question: I'm getting to know a new technology, I invest a lot of time, so why not complete this assignment with a certificate!

Question number two: For me it is just a great feeling to learn new things, to keep up with the times and to get a new certificate. It also looks great in the CV (curriculum vitae) ;-)!

So now let's look at the next steps together! My exam preparation checklist:

1. Read through the skills measured at your leisure
   https://docs.microsoft.com/en-us/learn/certifications/exams/az-104

2. Read the Study Guide by thomasmaurer. This is super helpful information!
   https://www.thomasmaurer.ch/2020/03/az-104-study-guide-azure-administrator/

3. Create a free Azure account, if you don't already have one, so that you can do all the exercises in a hands-on manner
   https://azure.microsoft.com/en-us/free/

4. Take a close look at the Microsoft learning path, even better work through it right away (the learning paths are listed a little further down on the website)
   https://docs.microsoft.com/en-us/learn/certifications/exams/az-104

5. Register for the exam early. This creates some pressure and you stay motivated
   https://docs.microsoft.com/en-us/learn/certifications/exams/az-104

6. Now it goes to the Microsoft Learn content. These learn paths (as you can see below) I have worked through completely and "mapped"/reconfigured as much as possible in my test environment.
   https://docs.microsoft.com/en-us/learn/paths/az-104-administrator-prerequisites/
   https://docs.microsoft.com/en-us/learn/paths/az-104-manage-identities-governance/
   https://docs.microsoft.com/en-us/learn/paths/az-104-manage-storage/
   https://docs.microsoft.com/en-us/learn/paths/az-104-manage-compute-resources/
   https://docs.microsoft.com/en-us/learn/paths/az-104-manage-virtual-networks/
   https://docs.microsoft.com/en-us/learn/paths/az-104-monitor-backup-resources/

7. Practice, practice, practice ... With examples from the Microsoft Azure documentation portal
   https://docs.microsoft.com/en-us/azure/?product=compute
   https://docs.microsoft.com/en-us/azure/?product=identity
   https://docs.microsoft.com/en-us/azure/?product=networking
   https://docs.microsoft.com/en-us/azure/?product=storage

Perhaps as an additional tip. If you have learned something new, try to explain it to another person (regardless of whether this person is familiar with this topic), if you succeed without effort, you have understood the newly learned super. I do this in a similar way. Not that I explain it to another person, no I create a YouTube video.

I hope this information helps you and that you successfully pass the exam. I wish you success!

Kind regards, Tom Wechsler

7.3K Views, 5 likes, 2 Comments

Issues with Microsoft Learn exercise - "Create a website hosted in Azure"

Hi, I am trying to complete a Microsoft Learn Exercise "Create a website hosted in Azure" in order to study for the AZ-900 Azure Fundamentals exam. The exercise is here: https://docs.microsoft.com/en-us/learn/modules/azure-architecture-fundamentals/exercise-create-website

The options I get when configuring the WordPress website are not the same as what appears in the exercise, and when I go to review I get an error message that the template deployment failed with multiple errors. The resources were disallowed by policies 'app-service-sku-policy' and 'Allowed resource types'.

I completed this exercise with no issues back in May, tried it again in October and I'm getting these errors. I wonder if WordPress has changed their app in the Azure Marketplace and it no longer works with the tutorial? Has anyone been able to complete this exercise recently?

The attachments show the options that I get when configuring the WordPress app as opposed to what the tutorial says I should get, and the error message I get.

Any help is really appreciated, thank you!

Janelle

Solved, 1.4K Views, 0 likes, 2 Comments

Azure Key Vault RBAC (Role Based Access Control) versus Access Policies!

Dear Microsoft Azure Friends,

With an Azure Key Vault, RBAC (Role Based Access Control) and Access Policies always lead to confusion. Let me take this opportunity to explain this with a small example.

First of all, let me show you with which account I logged into the Azure Portal. You can see this in the graphic on the top right.

Now let's examine the subscription named "MSDN Platforms" by navigating to "Access Control (IAM)". In "Check Access" we are looking for a specific person. It is Jane Ford, we see that Jane has the Contributor right on this subscription. So she can do (almost) everything except change or assign permissions. This is in short the Contributor right.

Now we search for the Azure Key Vault in "All resources", for this it is good to work with a filter. As you can see, Azure Key Vault (twkv77) is part of the "MSDN Platforms" subscription.

We check again that Jane Ford has the Contributor Role (Inherited) by navigating to "Access Control (IAM)" in the Azure Key Vault and clicking on "Role assignment".

Now we navigate to "Access Policies" in the Azure Key Vault. As you can see there is a policy for the user "Tom" but none for Jane Ford. With an Access Policy you determine who has access to the key, passwords and certificates. This means that if there is no access policy for Jane, she will not have access to keys, passwords, etc. That's exactly what we're about to check.

As you can see in the upper right corner I registered as "Jane Ford" (she gave me the authorization ;-)). If I now navigate to the keys we see immediately that Jane has no right to look at the keys. There is no access policy for Jane where for example the right "List" is included, so she can't access the keys.

With RBAC you control the so-called Management Plane and with the Access Policies the Data Plane.

Now you know the difference between RBAC and an Access Policy in an Azure Key Vault! Sure this wasn't super exciting, but I still wanted to share this information with you.

I hope this article was helpful for you. Thank you for taking the time to read this article.

Best regards, Tom Wechsler

15K Views, 6 likes, 0 Comments
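
The management-plane versus data-plane split walked through in the post above can be checked per principal by joining a vault's role assignments with its access policies. This is an added example, not code from the original post: the function name Get-VaultPlaneReport, the object IDs, the subscription placeholder and Tom's permissions are constructed for illustration, and the property names assume the object shapes returned by Get-AzKeyVault and Get-AzRoleAssignment.

```powershell
# Added example (not from the original post). Joins a vault's data-plane
# access policies with its management-plane role assignments per principal.
# Assumption: the input objects expose the properties that Get-AzKeyVault and
# Get-AzRoleAssignment return (AccessPolicies, ObjectId, RoleDefinitionName, ...).
function Get-VaultPlaneReport {
    param(
        # e.g. Get-AzKeyVault -VaultName 'twkv77'
        [Parameter(Mandatory)] $Vault,
        # e.g. Get-AzRoleAssignment -Scope $Vault.ResourceId
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $RoleAssignments
    )

    # With the Azure RBAC permission model the vault ignores access policies,
    # so this comparison only applies to the access-policy model.
    if ($Vault.EnableRbacAuthorization) {
        Write-Warning "Vault '$($Vault.VaultName)' uses the Azure RBAC permission model; access policies are not evaluated there."
        return
    }

    $policies = @($Vault.AccessPolicies)

    # Every principal that shows up on either plane
    $ids = @($policies.ObjectId) + @($RoleAssignments.ObjectId) |
        Where-Object { $_ } | Sort-Object -Unique

    foreach ($id in $ids) {
        $roles  = @($RoleAssignments | Where-Object { $_.ObjectId -eq $id })
        $policy = $policies | Where-Object { $_.ObjectId -eq $id } | Select-Object -First 1
        $name   = if ($policy) { $policy.DisplayName } else { $roles[0].DisplayName }

        [pscustomobject]@{
            Principal         = $name
            ManagementRoles   = ($roles.RoleDefinitionName | Sort-Object -Unique) -join ', '
            KeyPermissions    = @($policy.PermissionsToKeys) -join ', '
            SecretPermissions = @($policy.PermissionsToSecrets) -join ', '
            CanListKeys       = [bool]($policy -and ($policy.PermissionsToKeys -contains 'list'))
            # Role on the vault resource but no access policy: the situation Jane is in
            ManagementOnly    = [bool]($roles.Count -gt 0 -and -not $policy)
        }
    }
}

# Constructed sample mirroring the post: vault twkv77, an access policy for
# Tom, and Jane Ford holding only an inherited Contributor role.
# Object IDs, the subscription placeholder and Tom's permissions are made up.
$vault = [pscustomobject]@{
    VaultName               = 'twkv77'
    EnableRbacAuthorization = $false
    AccessPolicies          = @(
        [pscustomobject]@{
            ObjectId                  = '11111111-1111-1111-1111-111111111111'
            DisplayName               = 'Tom'
            PermissionsToKeys         = @('get', 'list')
            PermissionsToSecrets      = @('get', 'list')
            PermissionsToCertificates = @('get', 'list')
        }
    )
}
$assignments = @(
    [pscustomobject]@{
        ObjectId           = '22222222-2222-2222-2222-222222222222'
        DisplayName        = 'Jane Ford'
        RoleDefinitionName = 'Contributor'
        Scope              = '/subscriptions/<subscription-id>'
    }
)

Get-VaultPlaneReport -Vault $vault -RoleAssignments $assignments | Format-Table -AutoSize
```

Against a live tenant, pass the output of Get-AzKeyVault -VaultName and Get-AzRoleAssignment -Scope (with the vault's resource ID) instead of the sample objects. Rows with ManagementOnly set are principals who, like Jane, hold a role on the vault resource but have no access policy for its keys.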