azure-security

verified

Azure Security Services including Key Vault, Managed Identity, RBAC, Entra ID, and Defender. Provides secrets management, credential-free authentication, role-based access control, and threat protection.

Marketplace: github-copilot-for-azure (microsoft/GitHub-Copilot-for-Azure)

Plugin: azure

Repository: microsoft/GitHub-Copilot-for-Azure (Verified Org, 102 stars)

plugin/skills/azure-security/SKILL.md

Last Verified: February 1, 2026

Install Skill

```bash
npx add-skill https://github.com/microsoft/GitHub-Copilot-for-Azure/blob/main/plugin/skills/azure-security/SKILL.md -a claude-code --skill azure-security
```

Installation path (Claude): `.claude/skills/azure-security/`

Instructions

# Azure Security Services

## Services

| Service | Use When | MCP Tools | CLI |
|---------|----------|-----------|-----|
| Key Vault | Secrets, keys, certificates | `azure__keyvault` | `az keyvault` |
| Managed Identity | Credential-free authentication | - | `az identity` |
| RBAC | Role-based access control | `azure__role` | `az role` |
| Entra ID | Identity and access management | - | `az ad` |
| Defender | Threat protection, security posture | - | `az security` |

## MCP Server (Preferred)

When Azure MCP is enabled:

### Key Vault
- `azure__keyvault` with command `keyvault_list` - List Key Vaults
- `azure__keyvault` with command `keyvault_secret_list` - List secrets in vault
- `azure__keyvault` with command `keyvault_secret_get` - Get secret value
- `azure__keyvault` with command `keyvault_key_list` - List keys
- `azure__keyvault` with command `keyvault_certificate_list` - List certificates

### RBAC
- `azure__role` with command `role_assignment_list` - List role assignments
- `azure__role` with command `role_definition_list` - List role definitions

**If Azure MCP is not enabled:** Run `/azure:setup` or enable via `/mcp`.

## CLI Fallback

```bash
# Key Vault
az keyvault list --output table
az keyvault secret list --vault-name VAULT --output table
az keyvault secret show --vault-name VAULT --name SECRET

# RBAC
az role assignment list --output table
az role definition list --output table

# Managed Identity
az identity list --output table
```

## Key Security Principles

1. **Use managed identities** - No credentials to manage
2. **Apply least privilege** - Minimum required permissions
3. **Enable Key Vault** - Never hardcode secrets
4. **Use private endpoints** - No public internet access
5. **Enable auditing** - Log all access
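
An added example for principle 2, not part of the skill or the project's code: it audits the JSON that `az role assignment list --all --output json` produces and flags Owner or Contributor granted at subscription scope or wider. The sample data, the principal names and the function names `scope_level` and `audit` are constructed for illustration.

```python
import json
import sys

# Roles with full access; flagged only when granted at a wide scope.
BROAD_ROLES = {"Owner", "Contributor"}
WIDE_LEVELS = {"root", "management-group", "subscription"}

def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:2] == ["providers", "microsoft.management"]:
        return "management-group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if parts[0] == "subscriptions" and len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    return "resource"

def audit(assignments):
    """Return findings for broad roles granted at subscription scope or wider."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in BROAD_ROLES and level in WIDE_LEVELS:
            findings.append({
                "principal": a.get("principalName") or a["principalId"],
                "type": a["principalType"],
                "role": a["roleDefinitionName"],
                "level": level,
            })
    return findings

# Constructed sample in the shape of the CLI's JSON output (not real data).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalId": "p1", "principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalId": "p2", "principalName": "app-identity", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
    {"principalId": "p3", "principalName": "platform-team", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalId": "p4", "principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-example"},
]

if __name__ == "__main__":
    # Pass a file saved from the CLI as the first argument, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit(data):
        print(f"{f['role']} at {f['level']} scope: {f['principal']} ({f['type']})")
```

Each finding is a candidate for a narrower scope or a narrower role, such as Key Vault Secrets User on a single vault.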

## Common RBAC Roles

| Role | Permissions |
|------|-------------|
| Owner | Full access + assign roles |
| Contributor | Full access, no role assignment |
| Reader | Read-only |
| Key Vault Secrets User | Read secrets only |
| Stora

Validation Details

Instruction Length: 2520 chars