Showing posts with the label Azure

KB: Understanding Microsoft-Owned APIs, SPs, and API Permissions

1. Microsoft-Owned APIs behave differently
   - The App Registration lives in Microsoft's tenant (hidden from you)
   - You only see the Service Principal (SP) in your tenant
   - The Microsoft API SP never shows API permissions
   - This is expected and correct
   - Example: Power Platform API → AppID 8578e004-a5c6-46e7-913e-12f58912df43 (Microsoft-owned)

2. API permissions are ALWAYS stored on the client application, not on the Microsoft API
   - When you grant a permission like: CopilotStudio.Copilots.Invoke
   - It gets added to the client application's SP/App Registration, e.g.: "My Application" —not— Power Platform API SP
   - So the client app will show:
     ✔ API permissions
     ✔ Delegated permissions
     ✔ Admin consent
   - The Microsoft API SP will show:
     ❌ Nothing
     ❌ No API permissions
     ❌ No scopes
     ❌ No roles

3. Why?
   Because permissions are modeled as: Client App → requests → permission → from → Resource API
   The resource API (Microsoft-owned SP) does NOT keep track of who...

KB: Azure ACA Container fails to start (no User Assigned or Delegated Managed Identity found for specified ClientId)

When deploying secure workloads using Azure Container Apps (ACA), teams often face confusion between User Assigned Managed Identities (UAMI) and App Registrations. While both entities are visible in Azure Active Directory and have similar identifiers (Application ID, Object ID), they serve very different purposes. This confusion can lead to authentication failures when accessing services like Azure App Configuration or Key Vault.

A common issue occurs when a container app is configured with a managed identity, but the environment variables or role assignments mistakenly reference an App Registration instead, causing errors like:

"No User Assigned or Delegated Managed Identity found for specified ClientId"

This article breaks down the difference between UAMI and App Registrations, explains why this issue happens, and outlines the correct approach to resolve it.

Symptoms
- Azure Container App fails to authenticate to Azure App Configuration or other services.
- Logs...

KB: MS Purview DLP

DLP is a security solution offered by Microsoft that can identify sensitive information and then help prevent unsafe or unauthorized sharing, transfer, or use of that data. With Microsoft, depending on your license level, you will have the ability to extend DLP to your on-premises file shares, to cloud-based locations like SharePoint and OneDrive, and also to a 3rd-party cloud storage provider such as Box or G-Suite by extending DLP to Microsoft Defender for Cloud Apps (more on this in the coming articles), as well as to your managed Endpoints.

Good Reads:
- https://cloudy-sec.com/2023/04/16/microsoft-purview-data-loss-prevention-part-1/
- https://www.axioworks.com/2022/08/ms-purview-one-stop-shop-for-data-governance-across-your-data-estate/#:~:text=Microsoft%20Purview%20Data%20Map%20stores,in%20a%20searchable%20knowledge%20graph.

Compliance Console Login Page