pull base content,head:MicrosoftDocs:main,into:wwlpublishsync

Author: wwlpublish

learn-pr/advocates/intro-ai-agent-service-security-controls/includes/1-understand-azure-ai-agent-service.md

@@ -4,8 +4,8 @@ An AI Agent acts as a "smart" microservice that can be used to answer questions
 
 Because Azure AI Agent Service is a service fully managed by Microsoft, you can focus on building workflows and the agents that power them without needing to worry about scaling, security, or management of the underlying infrastructure for individual agents.
 
-As Azure AI Agent Service is a service managed by Microsoft and you don't need to worry about the underlying security of its moving parts, you should still apply standard security principals when you use the AI agent service. These principles include:
+As Azure AI Agent Service is a service managed by Microsoft and you don't need to worry about the underlying security of its moving parts, you should still apply standard security principles when you use the AI agent service. These principles include:
 
-- Restrict access to the service using role based access control. Ensure that only appropriate security principals can interact with the AI agent service.
+- Restrict access to the service using role based access control. Ensure that only appropriate security principals can interact with the AI agent service and institute the principle of least privilege.
 - Restrict the access of the AI Agent service. The AI Agent service is interacting with sensitive resources, such as organizational data. Ensure that the scope of this access is limited and that the AI Agent service and its tools only have necessary visibility of resources such as data stores.
 - Restrict network access to the AI Agent service and the network access of the AI agent service. Limit which network hosts can interact with the AI Agent service and control which network hosts the AI Agent service and it's associated tools are able to reach.

learn-pr/advocates/intro-ai-agent-service-security-controls/includes/4-agent-service-network-access.md

@@ -11,6 +11,6 @@ You have the following options when configuring network access:
 
 ![Screenshot of Azure AI Hub networking configuraiton in Azure portal.](../media/networking-configuration.png)
 
-To access your non-Azure resources located in a different virtual network or located entirely on-premises from your Azure AI Foundry's managed virtual network, you need to configure and deploy an Application Gateway. Through this Application Gateway, you can configure full end to end access to your resources. Once you configure the Application Gateway, you can create a private endpoint from the Azure AI Foundry hub's managed virtual network to the Application Gateway. With the private endpoint, the full end to end path is secured and not routed through the Internet.
+To access your non-Azure resources located in a different virtual network or located entirely on-premises from your Azure AI Foundry's managed virtual network, you need to configure and deploy an Application Gateway. Through this Application Gateway, you can configure full end to end access to your resources. Once you configure the Application Gateway, you can create a private endpoint from the Azure AI Foundry hub's managed virtual network to the Application Gateway. An Azure Private Endpoint enables private access to specific resources, such as Azure Foundry Hubs and their projects, without exposing them to the public internet, ensuring data remains isolated and secure.
 
 ![Architecture diagram of Application Gateway connection from Azure AI Foundary to external resources.](../media/ai-foundry-app-gateway.png)

learn-pr/azure/configure-and-manage-azure-key-vault/1-introduction.yml

@@ -6,7 +6,7 @@ metadata:
   prefetch-feature-rollout: true
   title: Introduction
   description: Introduction
-  ms.date: 03/24/2023
+  ms.date: 03/19/2025
   author: msmbaldwin
   ms.author: mbaldwin
   ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/2-key-vault-usage.yml

@@ -6,7 +6,7 @@ metadata:
   prefetch-feature-rollout: true
   title: Guidelines for using Azure Key Vault
   description: Guidelines for using Azure Key Vault
-  ms.date: 03/24/2023
+  ms.date: 03/19/2025
   author: msmbaldwin
   ms.author: mbaldwin
   ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/3-manage-access-and-permissions-to-secrets.yml

@@ -6,7 +6,7 @@ metadata:
   prefetch-feature-rollout: true
   title: Manage access to secrets, certificates, and keys
   description: Manage access to secrets, certificates, and keys
-  ms.date: 03/24/2023
+  ms.date: 03/19/2025
   author: msmbaldwin
   ms.author: mbaldwin
   ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/4-store-secrets-in-akv.yml

@@ -6,7 +6,7 @@ metadata:
   prefetch-feature-rollout: true
   title: Exercise - store secrets in Azure Key Vault
   description: Exercise - store secrets in Azure Key Vault
-  ms.date: 03/24/2023
+  ms.date: 03/19/2025
   author: msmbaldwin
   ms.author: mbaldwin
   ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/5-manage-certificates.yml

@@ -6,7 +6,7 @@ metadata:
   prefetch-feature-rollout: true
   title: Manage certificates
   description: Manage certificates
-  ms.date: 03/24/2023
+  ms.date: 03/19/2025
   author: msmbaldwin
   ms.author: mbaldwin
   ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/6-summary.yml

@@ -6,7 +6,7 @@ metadata:
   prefetch-feature-rollout: true
   title: Summary
   description: Summary
-  ms.date: 03/24/2023
+  ms.date: 03/19/2025
   author: msmbaldwin
   ms.author: mbaldwin
   ms.topic: unit

learn-pr/azure/configure-and-manage-azure-key-vault/includes/1-introduction.md

@@ -1,4 +1,4 @@
-PetDash is an online pet food delivery company that provides store-to-door service for all their customer's pet needs. They take online orders, store credit cards and personal details in their SQL database, and have a secure website running on Azure App Service to interact with customers. They've been in business a little over a year and Steve, one of the website admins, noticed that their website certificate for the **petdash.com** domain has expired. Steve quickly renews the certificate and gets it installed on the server, and begins to explore ways to ensure that this problem never happens again. The investigation reveals that Azure Key Vault supports certificate management. Even better, Key Vault can communicate with App Service to provide the certification _and_ renew it automatically if necessary.
+PetDash is an online pet food delivery company that provides store-to-door service for all their customer's pet needs. They take online orders, store credit cards and personal details in their SQL database, and have a secure website running on Azure App Service to interact with customers. They've been in business a little over a year. Steve, one of the website admins, noticed that their website certificate for the **petdash.com** domain has expired. Steve quickly renews the certificate, gets it installed on the server, and begins to explore ways to ensure that this problem never happens again. The investigation reveals that Azure Key Vault supports certificate management. Even better, Key Vault can communicate with App Service to provide the certification _and_ renew it automatically if necessary.
 
 **Azure Key Vault** helps safeguard cryptographic keys and secrets that cloud applications and services use. Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed.
 

learn-pr/azure/configure-and-manage-azure-key-vault/includes/2-key-vault-usage.md

@@ -24,32 +24,32 @@ New-AzKeyVault -Name <your-unique-vault-name> -ResourceGroupName <resource-group
 
 ## Keys
 
-Keys are the central actor in the Azure Key Vault service. A given key in a key vault is a cryptographic asset destined for a particular use. Examples are, the asymmetric master key of Microsoft Azure RMS, or the asymmetric keys used for SQL Server TDE (Transparent Data Encryption), CLE (Column Level Encryption) and Encrypted backup.
+Keys are the central actor in the Azure Key Vault service. A given key in a key vault is a cryptographic asset destined for a particular use. Examples are, the asymmetric master key of Microsoft Azure RMS, or the asymmetric keys used for SQL Server TDE (Transparent Data Encryption), CLE (Column Level Encryption), and Encrypted backup.
 
 Microsoft and your apps don't have access to the stored keys directly once a key is created or added to a key vault. Applications must use your keys by calling cryptography methods on the Key Vault service. The Key Vault service performs the requested operation within its hardened boundary. The application never has direct access to the keys.
 
-Keys can be single instanced (only one key exists), or be versioned. In the versioned case, a key is an object with a primary (active) key, and a collection of zero, one or more secondary (archived) keys created when keys are rolled (renewed). Key Vault supports asymmetric keys (RSA 2048). Your applications may use these keys for encryption or digital signatures.
+Keys can be single instanced (only one key exists) or be versioned. In the versioned case, a key is an object with a primary (active) key, and a collection of zero, one, or more secondary (archived) keys created when keys are rolled (renewed). Key Vault supports asymmetric keys (RSA 2048). Your applications may use these keys for encryption or digital signatures.
 
-There are two variations on keys in Key Vault: hardware-protected, and software-protected.
+There are two variations on keys in Key Vault: hardware-protected and software-protected.
 
 ### Hardware-protected keys
 
 The Key Vault service supports using hardware security modules (HSMs) that provide a hardened, tamper-resistant environment for cryptographic processing and key generation. Azure has dedicated HSMs validated to FIPS 140-2 Level 2 that Key Vault uses to generate or store keys. These HSM-backed keys are always locked to the boundary of the HSM. When you query the Key Vault service to decrypt or sign with a key, the operation is performed inside an HSM.
 
-You can import keys from your own HSMs, and transfer them to Key Vault without leaving the HSM boundary. This scenario is often referred to as _bring your own key_, or BYOK. More details about generating your own HSM-protected key and then transferring it to Azure Key Vault is available in the summary of this module. You can also use these Azure HSMs directly through the Microsoft Azure Dedicated Hardware Security Module (HSM) service if you need to migrate HSM-protected apps or maintain a high security compliance requirement.
+You can import keys from your own HSMs, and transfer them to Key Vault without leaving the HSM boundary. This scenario is often referred to as _bring your own key_ or BYOK. More details about generating your own HSM-protected key and then transferring it to Azure Key Vault is available in the summary of this module. You can also use these Azure HSMs directly through the Microsoft Azure Dedicated Hardware Security Module (HSM) service if you need to migrate HSM-protected apps or maintain a high security compliance requirement.
 
 ### Software-protected keys
 
 Key Vault can also generate and protect keys using software-based RSA and ECC algorithms. In general, software-protected keys offer most of the features as HSM-protected keys except the FIPS 140-2 Level 2 assurance:
 
-- Your key is still isolated from the application (and Microsoft) in a container that you manage
-- It's stored _at rest_ encrypted with HSMs
-- You can monitor usage using Key Vault logs
+- Your key is still isolated from the application (and Microsoft) in a container that you manage.
+- It's stored _at rest_ encrypted with HSMs.
+- You can monitor usage using Key Vault logs.
 
-The primary difference (besides price) with a software-protected key, is that cryptographic operations are performed in software using Azure compute services. With HSM-protected keys, the cryptographic operations are performed within the HSM.
+The primary difference (besides price) with a software-protected key is that cryptographic operations are performed in software using Azure compute services. With HSM-protected keys, the cryptographic operations are performed within the HSM.
 
 > [!TIP]
-> For production use, it's recommended to use HSM-protected keys and use software-protected keys in only test/pilot scenarios. There is an additional charge for HSM-backed keys per-month if the key is used in that month. The summary page has a link to the pricing details for Azure Key Vault.
+> For production use, it's recommended to use HSM-protected keys and use software-protected keys in only test/pilot scenarios. There's an additional charge for HSM-backed keys per-month if the key is used in that month. The summary page has a link to the pricing details for Azure Key Vault.
 
 You determine the key generation type when you create the key. For example, the Azure PowerShell command `Add-AzureKeyVaultKey` has a `Destination` parameter that can be set to either `Software` or `HSM`:
 
@@ -65,9 +65,9 @@ Secrets are small (less than 10K) data blobs protected by a HSM-generated key cr
 
 With these three elements, an Azure Key Vault helps address the following issues:
 
-- **Secrets management**. Azure Key Vault can securely store (with HSMs) and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
-- **Key management**. Azure Key Vault is a cloud-based key management solution, making it easier to create and control the encryption keys used to encrypt your data. Azure services such as App Service integrate directly with Azure Key Vault and can decrypt secrets without knowledge of the encryption keys.
-- **Certificate management**. Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with Azure and your internal connected resources. It can also request and renew TLS certificates through partnerships with certificate authorities, providing a robust solution for certificate lifecycle management.
+- **Secrets management:** Azure Key Vault can securely store (with HSMs) and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
+- **Key management:** Azure Key Vault is a cloud-based key management solution, making it easier to create and control the encryption keys used to encrypt your data. Azure services such as App Service integrate directly with Azure Key Vault and can decrypt secrets without knowledge of the encryption keys.
+- **Certificate management:** Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with Azure and your internal connected resources. It can also request and renew TLS certificates through partnerships with certificate authorities, providing a robust solution for certificate lifecycle management.
 
 > [!IMPORTANT]
 > **Key Vault is designed to store configuration secrets for server applications.** It's not intended for storing data belonging to your app's users, and it shouldn't be used in the client-side part of an app. This is reflected in its performance characteristics, API, and cost model.
@@ -81,7 +81,7 @@ Here are some security best practices for using Azure Key Vault.
 | Best practice | Solution |
 |---------------|----------|
 | Grant access to users, groups, and applications at a specific scope.| Use RBAC's predefined roles. For example, to grant access to a user to manage key vaults, you would assign the predefined role Key Vault Contributor to this user at a specific scope. The scope, in this case, would be a subscription, a resource group, or just a specific key vault. If the predefined roles don't fit your needs, you can define your own roles. |
-| Control what users have access to.| Access to a key vault is controlled through two separate interfaces: management plane, and data plane. The management plane and data plane access controls work independently. Use RBAC to control what users have access to. For example, if you want to grant an application the rights to use keys in a key vault, you only need to grant data plane access permissions using key vault access policies. No management plane access is needed for this application. Conversely, if you want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates. You can use RBAC to grant read access to the management plane. No access to the data plane is required. |
+| Control what users have access to.| Access to a key vault is controlled through two separate interfaces: management plane and data plane. The management plane and data plane access controls work independently. Use RBAC to control what users have access to. For example, if you want to grant an application the rights to use keys in a key vault, you only need to grant data plane access permissions using key vault access policies. No management plane access is needed for this application. Conversely, if you want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates. You can use RBAC to grant read access to the management plane. No access to the data plane is required. |
 | Store certificates in your key vault.| Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when the VMs are deployed. By setting appropriate access policies for the key vault, you also control who gets access to your certificate. Another benefit is that you manage all your certificates in one place in Azure Key Vault. |
 | Ensure that you can recover a deletion of key vaults or key vault objects.| Deletion of key vaults or key vault objects can be either inadvertent or malicious. Enable the soft delete and purge protection features of Key Vault, particularly for keys that are used to encrypt data at rest. Deletion of these keys is equivalent to data loss, so you can recover deleted vaults and vault objects if needed. Practice Key Vault recovery operations regularly. |