MicrosoftDocs
diff --git a/‎learn-pr/azure/configure-and-manage-azure-key-vault/4-store-secrets-in-akv.yml‎
Lines changed: 2 additions & 2 deletions b/‎learn-pr/azure/configure-and-manage-azure-key-vault/4-store-secrets-in-akv.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎learn-pr/azure/configure-and-manage-azure-key-vault/includes/1-introduction.md‎
Lines changed: 12 additions & 12 deletions b/‎learn-pr/azure/configure-and-manage-azure-key-vault/includes/1-introduction.md‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎learn-pr/azure/configure-and-manage-azure-key-vault/includes/2-key-vault-usage.md‎
Lines changed: 89 additions & 89 deletions b/‎learn-pr/azure/configure-and-manage-azure-key-vault/includes/2-key-vault-usage.md‎
Lines changed: 89 additions & 89 deletions
diff --git a/‎learn-pr/azure/configure-and-manage-azure-key-vault/includes/3-manage-access-and-permissions-to-secrets.md‎
Lines changed: 27 additions & 27 deletions b/‎learn-pr/azure/configure-and-manage-azure-key-vault/includes/3-manage-access-and-permissions-to-secrets.md‎
Lines changed: 27 additions & 27 deletions
diff --git a/‎learn-pr/azure/configure-and-manage-azure-key-vault/includes/4-store-secrets-in-akv.md‎
Lines changed: 105 additions & 101 deletions b/‎learn-pr/azure/configure-and-manage-azure-key-vault/includes/4-store-secrets-in-akv.md‎
Lines changed: 105 additions & 101 deletions
@@ -9,8 +9,8 @@ metadata:
   ms.author: mbaldwin
   ms.topic: unit
 durationInMinutes: 8
-azureSandbox: true
-interactive: powershell
+#azureSandbox: true
+#interactive: powershell
 content: |
   [!include[](includes/4-store-secrets-in-akv.md)]
 
@@ -1,12 +1,12 @@
-PetDash is an online pet food delivery company that provides store-to-door service for all their customer's pet needs. They take online orders, store credit cards and personal details in their SQL database, and have a secure website running on Azure App Service to interact with customers. They've been in business a little over a year. Steve, one of the website admins, noticed that their website certificate for the **petdash.com** domain has expired. Steve quickly renews the certificate, gets it installed on the server, and begins to explore ways to ensure that this problem never happens again. The investigation reveals that Azure Key Vault supports certificate management. Even better, Key Vault can communicate with App Service to provide the certification _and_ renew it automatically if necessary.
-
-**Azure Key Vault** helps safeguard cryptographic keys and secrets that cloud applications and services use. Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed.
-
-## Learning objectives
-
-In this module, you will:
-
-- Explore proper usage of Azure Key Vault.
-- Manage access to an Azure Key Vault.
-- Explore certificate management with Azure Key Vault.
-- Configure a Hardware Security Module Key-generation solution.
+PetDash is an online pet food delivery company that provides store-to-door service for all their customer's pet needs. They take online orders, store credit cards and personal details in their SQL database, and have a secure website running on Azure App Service to interact with customers. They've been in business a little over a year. Steve, one of the website admins, noticed that their website certificate for the **petdash.com** domain has expired. Steve quickly renews the certificate, gets it installed on the server, and begins to explore ways to ensure that this problem never happens again. The investigation reveals that Azure Key Vault supports certificate management. Even better, Key Vault can communicate with App Service to provide the certification _and_ renew it automatically if necessary.
+
+**Azure Key Vault** helps safeguard cryptographic keys and secrets that cloud applications and services use. Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed.
+
+## Learning objectives
+
+In this module, you will:
+
+- Explore proper usage of Azure Key Vault.
+- Manage access to an Azure Key Vault.
+- Explore certificate management with Azure Key Vault.
+- Configure a Hardware Security Module Key-generation solution.
@@ -1,27 +1,27 @@
-Key Vault access has two facets: the management of the Key Vault itself, and accessing the data contained in the Key Vault. Documentation refers to these facets as the *management plane* and the *data plane*.
-
-These two areas are separated because the creation of the Key Vault is a management operation, while storing and retrieving a secret stored in the Key Vault is a different type of role. To access a key vault all users or apps must have proper *authentication* to identify the caller and *authorization* to determine the operations the caller can perform.
-
-## Authentication
-
-Azure Key Vault uses Microsoft Entra ID to authenticate users and apps that try to access a vault. Authentication is always performed by associating the request with the Microsoft Entra tenant of the subscription that the Key Vault is part of. Every user or app making a request must be known to Microsoft Entra ID. There's no support for anonymous access to a Key Vault.
-
-## Authorization
-
-Management operations (creating a new Azure Key Vault) use role-based access control (RBAC). There's a built-in role **Key Vault Contributor** that provides access to management features of key vaults, but it doesn't allow access to the key vault data. This role is the recommended role to use. There's also a **Contributor** role that includes full administration rights - including the ability to grant access to the data plane.
-
-Reading and writing data in the Key Vault uses a separate Key Vault *access policy*. A Key Vault access policy is a permission set assigned to a user or managed identity to read, write, and/or delete secrets and keys. You can create an access policy using the CLI, REST API, or Azure portal as follows.
-
-:::image type="content" source="../media/3-add-key-vault-policy.png" alt-text="Screenshot showing the Add KeyVault policy screen in the Azure portal.":::
-
-The system has a list of predefined management options that define the permissions allowed for this policy. Here we've selected **Key, Secret, & Certificate Management**, which is appropriate to manage secrets in the Key Vault. You can then customize the permissions as desired by changing the **Key permissions** entries. For example, we could adjust the permissions to only allow *read* operations:
-
-:::image type="content" source="../media/3-permissions.png" alt-text="Screenshot showing the permission list cut down to read only in the Azure portal.":::
-
-Developers only need `Get` and `List` permissions to a development-environment vault. A lead or senior developer needs full permissions to the vault to change and add secrets when necessary. Full permissions to production-environment vaults are typically reserved for senior operations staff. Apps only require `Get` permissions as they often only need to retrieve secrets.
-
-## Restrict network access
-
-Another point to consider with Azure Key Vault is what services in your network can access the vault. In most cases, the network endpoints don't need to be open to the Internet. You should determine the minimum network access required. For example, you can restrict Key Vault endpoints to specific Azure Virtual Network subnets, specific IP addresses, or trusted Microsoft services. Services include Azure SQL, Azure App Service, and various data and storage services that use encryption keys.
-
-:::image type="content" source="../media/3-network-rules.png" alt-text="Screenshot showing the network rules for a KeyVault in the Azure portal.":::
+Key Vault access has two facets: the management of the Key Vault itself, and accessing the data contained in the Key Vault. Documentation refers to these facets as the *management plane* and the *data plane*.
+
+These two areas are separated because the creation of the Key Vault is a management operation, while storing and retrieving a secret stored in the Key Vault is a different type of role. To access a key vault all users or apps must have proper *authentication* to identify the caller and *authorization* to determine the operations the caller can perform.
+
+## Authentication
+
+Azure Key Vault uses Microsoft Entra ID to authenticate users and apps that try to access a vault. Authentication is always performed by associating the request with the Microsoft Entra tenant of the subscription that the Key Vault is part of. Every user or app making a request must be known to Microsoft Entra ID. There's no support for anonymous access to a Key Vault.
+
+## Authorization
+
+Management operations (creating a new Azure Key Vault) use role-based access control (RBAC). There's a built-in role **Key Vault Contributor** that provides access to management features of key vaults, but it doesn't allow access to the key vault data. This role is the recommended role to use. There's also a **Contributor** role that includes full administration rights - including the ability to grant access to the data plane.
+
+Reading and writing data in the Key Vault uses a separate Key Vault *access policy*. A Key Vault access policy is a permission set assigned to a user or managed identity to read, write, and/or delete secrets and keys. You can create an access policy using the CLI, REST API, or Azure portal as follows.
+
+:::image type="content" source="../media/3-add-key-vault-policy.png" alt-text="Screenshot showing the Add KeyVault policy screen in the Azure portal.":::
+
+The system has a list of predefined management options that define the permissions allowed for this policy. Here we've selected **Key, Secret, & Certificate Management**, which is appropriate to manage secrets in the Key Vault. You can then customize the permissions as desired by changing the **Key permissions** entries. For example, we could adjust the permissions to only allow *read* operations:
+
+:::image type="content" source="../media/3-permissions.png" alt-text="Screenshot showing the permission list cut down to read only in the Azure portal.":::
+
+Developers only need `Get` and `List` permissions to a development-environment vault. A lead or senior developer needs full permissions to the vault to change and add secrets when necessary. Full permissions to production-environment vaults are typically reserved for senior operations staff. Apps only require `Get` permissions as they often only need to retrieve secrets.
+
+## Restrict network access
+
+Another point to consider with Azure Key Vault is what services in your network can access the vault. In most cases, the network endpoints don't need to be open to the Internet. You should determine the minimum network access required. For example, you can restrict Key Vault endpoints to specific Azure Virtual Network subnets, specific IP addresses, or trusted Microsoft services. Services include Azure SQL, Azure App Service, and various data and storage services that use encryption keys.
+
+:::image type="content" source="../media/3-network-rules.png" alt-text="Screenshot showing the network rules for a KeyVault in the Azure portal.":::
@@ -1,101 +1,105 @@
-To get some quick experience with Azure Key Vault, let's create a new Key Vault and do the most basic operation available: store a secret. Creating a vault in the Azure portal requires no initial configuration. Your signed-in user identity is automatically granted the full set of secret management permissions, and you can start adding secrets immediately. Once you have a vault, adding and managing secrets can be done from any Azure administrative interface, including the Azure portal, the Azure CLI, and Azure PowerShell.
-
-## Create a new Azure Key Vault
-
-Let's start by creating a new Key Vault in the Azure portal.
-
-1. Sign in to the [Azure portal](https://portal.azure.com?azure-portal=true) using the same credentials you used to activate the Azure Sandbox.
-
-1. Select **Create a resource**. The **Create a resource** pane appears.
-
-1. In the **Search services and marketplace**, search for and select *Key Vault* to find the Azure Key Vault service. The **Key Vault** pane appears.
-
-1. Select **Create**. The **Create key vault** pane appears.
-
-1. On the **Basics** tab, enter the following values for each setting.
-
-    | Setting | Value |
-    |---|---|
-    | **Project details** |
-    | Subscription | From the dropdown, select *Concierge Subscription*. |
-    | Resource group | From the dropdown, select <rgn>[sandbox resource group name]</rgn>. |
-    | **Instance details** |
-    | Key vault name | Enter a globally unique name for the new vault. Vault names must be 3-24 characters long and contain only alphanumeric characters and dashes. The exercise uses the example name of *VaultamortDiary* for the new vault.
-    | Region | Accept default. |
-    | Pricing tier | Accept default. |
-
-1. Select **Review + create**.
-
-1. After validation passes, select **Create** to create the Azure Key Vault.
-
-After the deployment is complete, select **Go to resource**. Your *Key vault* pane appears.
-
-## Add a secret
-
-Next, add a new secret to the vault.
-
-1. In the left menu pane, under **Objects**, select **Secrets**. The **Secrets** pane appears for your key vault.
-
-1. In the top menu bar, select **Generate/Import**. The **Create a secret** pane appears.
-
-1. Enter a name, value, and (optional) content type. An example follows.
-
-   :::image type="content" source="../media/1-create-secret.png" alt-text="Screenshot showing the Create a secret pane in the Azure portal for Azure Key Vault.":::
-
-1. Select **Create** to add the secret. The **Secrets** pane reappears.
-
-## Show the secret
-
-Finally, verify that the secret value has been set.
-
-1. Select your secret from the list. The **Versions** pane appears for your secret.
-
-1. Select the **CURRENT VERSION** of the secret. The **Secret Version** pane appears.
-
-1. Select **Show Secret Value** to see the value assigned to the secret.
-
-   :::image type="content" source="../media/1-show-secret.png" alt-text="Screenshot showing the secret value in the Azure portal.":::
-
-## Other ways to consume the secret
-
-You can create and retrieve secrets from the Azure Key Vault as long as you're authenticated with Microsoft Entra ID using the REST API, native SDKs, Azure CLI, or Azure PowerShell. For example, here's the same process using Azure PowerShell.
-
-```powershell
-Get-AzKeyVault
-```
-
-This command returns the created vault with the name **VaultamortDiary**.
-
-```output
-Vault Name          : VaultamortDiary
-Resource Group Name : Learn-4f01665a-1272-46a8-9c16-83bbf146494e
-Region              : northcentralus
-Resource ID         : /subscriptions/xyz/providers/Microsoft.KeyVault/vaults/VaultamortDiary
-```
-
-With the name of the vault and the key, you can retrieve the secret value:
-
-```powershell
-Get-AzKeyVaultSecret -VaultName 'VaultamortDiary' -Name 'HiddenLocation'
-```
-
-This command returns our set value:
-
-```output
-Vault Name   : vaultamortdiary
-Name         : VaultamortDiary
-Version      : ff4b23af35bf4ba9a5c8792227d00ff6
-Id           : https://vaultamortdiary1972.vault.azure.net:44
-               3/secrets/VaultamortDiary/ff4b23af35bf4ba9
-               a5c8792227d00ff6
-Enabled      : True
-Expires      :
-Not Before   :
-Created      : 12/17/2020 7:54:03 PM
-Updated      : 12/17/2020 7:54:03 PM
-Content Type : text
-Tags         :
-```
-
-> [!NOTE]
-> The module [Manage secrets in your server apps with Azure Key Vault](/training/modules/manage-secrets-with-azure-key-vault/) shows how to use the Azure CLI and various programming languages to create Key Vaults, set, and retrieve secrets.
+To get some quick experience with Azure Key Vault, let's create a new Key Vault and do the most basic operation available: store a secret. Creating a vault in the Azure portal requires no initial configuration. Your signed-in user identity is automatically granted the full set of secret management permissions, and you can start adding secrets immediately. Once you have a vault, adding and managing secrets can be done from any Azure administrative interface, including the Azure portal, the Azure CLI, and Azure PowerShell.
+
+[!INCLUDE[](../../../includes/azure-optional-exercise-subscription-note.md)]
+
+[!INCLUDE[](../../../includes/azure-optional-exercise-create-resource-group-note.md)]
+
+## Create a new Azure Key Vault
+
+Let's start by creating a new Key Vault in the Azure portal.
+
+1. Sign in to the [Azure portal](https://portal.azure.com?azure-portal=true) using the same credentials you used to activate the Azure Sandbox.
+
+1. Select **Create a resource**. The **Create a resource** pane appears.
+
+1. In the **Search services and marketplace**, search for and select *Key Vault* to find the Azure Key Vault service. The **Key Vault** pane appears.
+
+1. Select **Create**. The **Create key vault** pane appears.
+
+1. On the **Basics** tab, enter the following values for each setting.
+
+    | Setting | Value |
+    |---|---|
+    | **Project details** |
+    | Subscription | From the dropdown, select your subscription. |
+    | Resource group | From the dropdown, select your resource group. |
+    | **Instance details** |
+    | Key vault name | Enter a globally unique name for the new vault. Vault names must be 3-24 characters long and contain only alphanumeric characters and dashes. The exercise uses the example name of *VaultamortDiary* for the new vault.
+    | Region | Accept default. |
+    | Pricing tier | Accept default. |
+
+1. Select **Review + create**.
+
+1. After validation passes, select **Create** to create the Azure Key Vault.
+
+After the deployment is complete, select **Go to resource**. Your *Key vault* pane appears.
+
+## Add a secret
+
+Next, add a new secret to the vault.
+
+1. In the left menu pane, under **Objects**, select **Secrets**. The **Secrets** pane appears for your key vault.
+
+1. In the top menu bar, select **Generate/Import**. The **Create a secret** pane appears.
+
+1. Enter a name, value, and (optional) content type. An example follows.
+
+   :::image type="content" source="../media/1-create-secret.png" alt-text="Screenshot showing the Create a secret pane in the Azure portal for Azure Key Vault.":::
+
+1. Select **Create** to add the secret. The **Secrets** pane reappears.
+
+## Show the secret
+
+Finally, verify that the secret value has been set.
+
+1. Select your secret from the list. The **Versions** pane appears for your secret.
+
+1. Select the **CURRENT VERSION** of the secret. The **Secret Version** pane appears.
+
+1. Select **Show Secret Value** to see the value assigned to the secret.
+
+   :::image type="content" source="../media/1-show-secret.png" alt-text="Screenshot showing the secret value in the Azure portal.":::
+
+## Other ways to consume the secret
+
+You can create and retrieve secrets from the Azure Key Vault as long as you're authenticated with Microsoft Entra ID using the REST API, native SDKs, Azure CLI, or Azure PowerShell. For example, here's the same process using Azure PowerShell.
+
+```powershell
+Get-AzKeyVault
+```
+
+This command returns the created vault with the name **VaultamortDiary**.
+
+```output
+Vault Name          : VaultamortDiary
+Resource Group Name : Learn-4f01665a-1272-46a8-9c16-83bbf146494e
+Region              : northcentralus
+Resource ID         : /subscriptions/xyz/providers/Microsoft.KeyVault/vaults/VaultamortDiary
+```
+
+With the name of the vault and the key, you can retrieve the secret value:
+
+```powershell
+Get-AzKeyVaultSecret -VaultName 'VaultamortDiary' -Name 'HiddenLocation'
+```
+
+This command returns our set value:
+
+```output
+Vault Name   : vaultamortdiary
+Name         : VaultamortDiary
+Version      : ff4b23af35bf4ba9a5c8792227d00ff6
+Id           : https://vaultamortdiary1972.vault.azure.net:44
+               3/secrets/VaultamortDiary/ff4b23af35bf4ba9
+               a5c8792227d00ff6
+Enabled      : True
+Expires      :
+Not Before   :
+Created      : 12/17/2020 7:54:03 PM
+Updated      : 12/17/2020 7:54:03 PM
+Content Type : text
+Tags         :
+```
+
+> [!NOTE]
+> The module [Manage secrets in your server apps with Azure Key Vault](/training/modules/manage-secrets-with-azure-key-vault/) shows how to use the Azure CLI and various programming languages to create Key Vaults, set, and retrieve secrets.