
AZ-104 Lab 5 — Secure Azure VM Secrets Using Key Vault & Managed Identity


Week 5 of the AZ-104 Learning Labs on jmcnairtech.com

Week 5 Goal

This week, you will learn how to secure sensitive application secrets using:

  • Azure Key Vault (Secrets Management)

  • System-Assigned Managed Identity

  • RBAC roles for Key Vault

  • PowerShell secret retrieval from inside an Azure VM

This is an important skill for Azure Administrators — it is tested on the exam and necessary on the job.

Why This Lab Matters (Real Azure Admin Scenario)

Suppose you’re supporting an application that runs on an Azure Virtual Machine.
The application needs to securely access:

  • Application passwords

  • API keys

  • Database connection strings

  • Sensitive configuration values

Storing these secrets inside the VM or code repository is insecure.

Instead, you will:

  • Store secrets in Azure Key Vault

  • Give the VM a Managed Identity

  • Assign the VM one specific role: Key Vault Secrets User

  • Retrieve secrets securely using Azure AD authentication

  • No passwords, no access keys, no service principals, no SAS

This is the modern, recommended way to secure secrets across Azure.

Lab Prerequisites

  • Active Azure Subscription

  • Basic familiarity with Azure Portal

  • Region: East US (recommended)

  • RDP access to one Windows VM (we will create it)

Step 1 — Create the Resource Group

  • In the Azure Portal search bar, type Resource groups.

    1. Click + Create.

    2. Fill in:

      • Subscription: your default

      • Resource group name: rg-week5-keyvault

      • Region: East US

    3. Click Review + create → Create.

This will hold your Key Vault, VM, and related resources.

Step 2 — Create the Azure Key Vault (2025 Portal UI)

Azure has updated the Key Vault creation wizard, so follow this carefully.

2.1 Open the Key Vault creation blade

  • In the Azure Portal search bar, type Key Vaults.

  • Click + Create.

2.2 — Basics Tab

Project Details:

  • Subscription: your subscription

  • Resource Group: rg-week5-keyvault

Instance Details:

  • Key Vault Name: kv-week5-mcnairtech (must be globally unique)

  • Region: East US

  • Pricing Tier: Standard (premium is not required)

Click Next: Access Configuration →

2.3 — Access Configuration

Choose:

Azure RBAC (NOT Vault Access Policy)
This is the modern recommended approach.

2.4 — Networking Tab

  • Public access: Enabled

  • Firewall: Allow access from all networks (for lab)

Click Review + create → Create

Wait for deployment to finish.

Your Key Vault is now deployed.

Next, you will give your user account permission to create and manage secrets inside the vault (required when using Azure RBAC).

Step 3 — Assign Yourself Key Vault Permissions & Add a Secret

Because the vault uses Azure RBAC, your user needs a Key Vault data-plane role to manage secrets.

Without this, you’ll see the error:

The operation is not allowed by RBAC…

Let’s fix that and add your first secret.

3.1 — Open Access Control (IAM)

  1. Go to your Key Vault: kv-week5-mcnairtech

  2. On the left menu → click Access control (IAM)

  3. Click + Add → Add role assignment

3.2 — Assign yourself a Key Vault role

In the Role tab, search for:

Key Vault Secrets Officer

(Recommended — lets you create & read secrets, but not keys/certificates.)

OR, if you want full permissions:

Key Vault Administrator

(Admin-level: manage everything in the vault)

Select the role → click Next

3.3 — Choose your user account

Assign access to:
User, group, or service principal

  1. Click + Select members

  2. Search for your user account (e.g., ITAdmin@yourdomain.com)

  3. Select → Next

  4. Click Review + assign

Wait 30–60 seconds for RBAC propagation.

3.4 — Add a secret to the Vault

  1. In the left menu, go to Objects → Secrets

  2. Click + Generate/Import

  3. Fill in:

  • Name: dbPassword

  • Value: SuperSecurePassword123!

  4. Click Create

Your secret is now stored securely.

Step 4 — Create a Virtual Machine with a System-Assigned Managed Identity

This VM will securely retrieve the secret you stored in Key Vault.
Instead of storing passwords locally, the VM will authenticate using its built-in Managed Identity.

4.1 — Open the VM creation wizard

  1. In the Azure Portal search bar, type Virtual machines

  2. Click + Create → Azure virtual machine
    This opens the modern 2025 VM creation UI.

4.2 — Basics tab

Instance details:

  • Virtual machine name: vm-week5-client

  • Region: East US

  • Availability options: No infrastructure redundancy required

  • Security type: Standard

  • Image:

    • Click See all images

    • Search for: Windows Server 2025 Datacenter: Azure Edition (Gen 2)

  • Architecture: x64

  • Size:

    • Recommended: Standard_B2s

    • Budget option: Standard_B1s

Administrator account:

  • Username: azureuser

  • Password: (choose a strong password)

Inbound port rules:

  • Public inbound ports: Allow selected ports

  • Select inbound ports: RDP (3389)

Click Next: Disks → and keep defaults
Click Next: Networking → and keep defaults

4.3 — Management tab (Enable Managed Identity)

Scroll to the Identity section:

  • System-assigned managed identity: On

This allows the VM to authenticate to Key Vault without keys or credentials.

Leave all other options at default.

Click Review + create → Create
Deployment takes 1–3 minutes.

Step 5 — Grant the VM Permission to Read Key Vault Secrets (RBAC)

Your VM now has a Managed Identity — but it has zero permissions until you grant them.
In this step, you’ll assign the VM the Key Vault Secrets User role.

This gives it read-only access to secrets (perfect for lab and real-world scenarios).

5.1 — Open your Key Vault’s IAM blade

  1. Open the vault: kv-week5-mcnairtech

  2. Left-hand menu → Access control (IAM)

  3. Click + Add → Add role assignment

5.2 — Select the correct role

In the Role tab:

  • Search: Key Vault Secrets User

  • Select the role

  • Click Next

This role allows your VM to read secrets, but not write or delete them.

5.3 — Assign role to the VM’s system-assigned identity

Assign access to: Managed identity

  1. Click + Select members

  2. In the scope selector:

    • Resource type: Virtual machine

    • Select: vm-week5-client

  3. Click Select → Next → Review + assign

RBAC propagation usually takes 10–60 seconds.
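The portal steps from Step 3 (your own Key Vault Secrets Officer role and the dbPassword secret) and Step 5 (Key Vault Secrets User for the VM's system-assigned identity) can also be scripted with Az PowerShell from an admin workstation. The script below is an added example, not part of the original lab: the Grant-VaultRole helper and the RBAC-mode check are additions, and it assumes you have already run Connect-AzAccount as a user who can create role assignments on the vault (Owner or User Access Administrator), and that the vault and VM from Steps 2 and 4 exist.

```powershell
# Added example (not the lab's own code): Steps 3 and 5 with Az PowerShell.
# Assumes Connect-AzAccount has been run as an admin user on a workstation.
$rg         = 'rg-week5-keyvault'
$vaultName  = 'kv-week5-mcnairtech'
$vmName     = 'vm-week5-client'
$secretName = 'dbPassword'

$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -ErrorAction Stop
$vm    = Get-AzVM       -ResourceGroupName $rg -Name $vmName          -ErrorAction Stop

# Role assignments only authorize secret operations when the vault uses Azure RBAC.
# In the older access-policy mode they have no effect on the data plane.
if (-not $vault.EnableRbacAuthorization) {
    throw "Vault '$vaultName' is not using Azure RBAC; switch the permission model first."
}

# Idempotent helper: assign a built-in role at vault scope only if it is not already there.
# Scoping to the vault (not the resource group or subscription) keeps the grant least-privilege.
function Grant-VaultRole {
    param([string]$ObjectId, [string]$Role, [string]$Scope)
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope
    if ($existing) { Write-Host "$Role already assigned at $Scope"; return }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope | Out-Null
    Write-Host "Assigned $Role at $Scope"
}

# Step 3 equivalent: the signed-in user gets Secrets Officer (create/read secrets, not keys or certs).
$me = Get-AzADUser -SignedIn
Grant-VaultRole -ObjectId $me.Id -Role 'Key Vault Secrets Officer' -Scope $vault.ResourceId

# Store the secret. Read-Host -AsSecureString means the value never sits in a plain string variable
# or in your PowerShell history.
$value = Read-Host -Prompt "Value for $secretName" -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $value | Out-Null

# Step 5 equivalent: the VM's system-assigned identity gets read-only Secrets User.
# Identity.PrincipalId is the object id of the identity's service principal in Entra ID.
$principalId = $vm.Identity.PrincipalId
if (-not $principalId) { throw "VM '$vmName' has no system-assigned identity; enable it first." }
Grant-VaultRole -ObjectId $principalId -Role 'Key Vault Secrets User' -Scope $vault.ResourceId

# Verification: everything the VM identity holds on this vault. Exactly one row,
# Key Vault Secrets User, is expected; anything more is over-privileged for this workload.
Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope
```

Get-AzADUser -SignedIn and the role cmdlets come from the Az.Resources module, which the full Az package installs. The final Get-AzRoleAssignment call doubles as the least-privilege check you would repeat in an audit: inherited assignments from the resource group or subscription also appear, so an unexpected Contributor or Key Vault Administrator row means the VM can do far more than read secrets.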

Step 6 — Connect to the VM & Retrieve the Secret Using Managed Identity

Now it’s time to test the full chain:

  • VM authenticates using its identity

  • Key Vault authorizes the VM through RBAC

  • PowerShell retrieves the secret through Azure AD

No passwords, no access keys, no SAS tokens — this is exactly how secure workloads operate in Azure.

6.1 — RDP into the VM

  1. Go to Virtual machines

  2. Click vm-week5-client

  3. Click Connect → RDP

  4. Download the RDP file and open it

  5. Sign in with:

    • Username: azureuser

    • Password: the one you created

6.2 — Open PowerShell (as Administrator)

Right-click PowerShell → Run as administrator.

6.3 — Install the Az PowerShell module (if needed)

# Install the Az modules from the PowerShell Gallery (the VM needs outbound internet access), then load them
Install-Module -Name Az -Repository PSGallery -Force
Import-Module Az

6.4 — Authenticate using the VM’s Managed Identity

Connect-AzAccount -Identity

Expected output:

  • Account: Managed Identity

  • Environment: AzureCloud

  • Tenant: your directory

  • Subscription: your Azure subscription

If you see that, authentication succeeded.

6.5 — Retrieve the Secret Object (Secure Access Validation)

Set variables for readability:

$vaultName = "kv-week5-mcnairtech"
$secretName = "dbPassword"

Retrieve the secret object:

$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -ErrorAction Stop

Now validate that the VM was able to securely access the secret:

$secret

This proves the VM successfully accessed the secret.

6.6 — Secure Handling: Keep the Secret Encrypted

Because the purpose of this lab is to learn identity-based authentication, not reveal sensitive values, we will keep the secret in its secure form.

The following confirms the secret exists and is usable — without ever exposing the plaintext value:

$secret.SecretValue

This returns a SecureString, which is the recommended format for:

  • Applications

  • Scripts

  • Automation

  • Production workloads

No plaintext exposure = best practice.

6.7 — (Optional) Use the Secure Secret in a Script

Here’s a common real-world pattern:

$securePassword = $secret.SecretValue

This is how admins securely use secrets without ever printing them.
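Steps 6.4 through 6.7 combined into one script that runs inside vm-week5-client, with the secret kept as a SecureString from retrieval to use. This is an added example, not code from the original lab: the error handling around the RBAC denial from Step 3, the type check, and the dbadmin username used to build a PSCredential are assumptions for illustration.

```powershell
# Added example (not the lab's own code): run inside the VM after Import-Module Az.
$vaultName  = 'kv-week5-mcnairtech'
$secretName = 'dbPassword'

# Sign in as the VM itself. The token comes from the instance metadata endpoint,
# so nothing credential-like is stored on disk or in the script.
$ctx = (Connect-AzAccount -Identity -ErrorAction Stop).Context
Write-Host "Authenticated as $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"

try {
    $secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -ErrorAction Stop
}
catch {
    # Usual causes: Key Vault Secrets User not assigned yet, assignment still propagating,
    # or the vault still using access policies instead of Azure RBAC.
    if ($_.Exception.Message -match 'not allowed by RBAC|Forbidden') {
        Write-Warning "Access denied for the VM identity on '$vaultName'. Check the role assignment and retry after propagation."
    }
    throw
}

# Secure-handling check: refuse to continue if the value is anything other than a SecureString.
if ($secret.SecretValue -isnot [System.Security.SecureString]) {
    throw 'Unexpected secret type; refusing to continue.'
}

# Hand the secret to downstream tooling as a credential object. 'dbadmin' is an assumed
# username for illustration; cmdlets that take -Credential never need the plaintext.
$dbCred = [System.Management.Automation.PSCredential]::new('dbadmin', $secret.SecretValue)

# Safe to log: metadata about the secret, never its value.
[pscustomobject]@{
    Secret  = $secret.Name
    Version = $secret.Version
    Enabled = $secret.Enabled
    Updated = $secret.Updated
    Length  = $secret.SecretValue.Length   # SecureString exposes only its length
}
```

The metadata object at the end is what you would write to a log or a transcript to prove the chain worked: it shows which version of dbPassword the VM read and when it was last updated, without the plaintext ever appearing in console output, transcripts, or the PowerShell history file.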

Final Summary — Week 5: Azure Key Vault + Managed Identity

In this lab, you built a complete, real-world Azure security workflow centered around identity-based access.
By combining Azure Key Vault, RBAC, and System-Assigned Managed Identity, you secured application secrets using the same model enterprises rely on today.

By the end of Week 5, you successfully:

  • ✔️ Created a new Azure Key Vault using the 2025 Portal UI

  • ✔️ Assigned yourself proper data-plane RBAC to manage secrets

  • ✔️ Added a secret (dbPassword) to the vault

  • ✔️ Created a Windows Server 2025 VM with a system-assigned Managed Identity

  • ✔️ Granted Key Vault Secrets User to the VM’s identity

  • ✔️ Connected to the VM using RDP

  • ✔️ Authenticated the VM to Azure AD using Connect-AzAccount -Identity

  • ✔️ Retrieved the Key Vault secret securely (as a SecureString)

  • ✔️ Verified identity-based access without exposing any sensitive values

Identity authentication with RBAC is the recommended design for any secure Azure workload, and it is heavily tested in the AZ-104 exam.

You now understand how to:

  • Protect secrets with Key Vault

  • Leverage Managed Identity

  • Apply least-privilege RBAC

  • Authenticate securely inside Azure resources

This is a major skill for Azure Administrators and a powerful addition to your cloud portfolio.
