Unexplainable behaviors with DefaultAzureCredential()

Long story, short (2 days later)

While implementing an Azure Function that is designed to fetch secrets from Azure KeyVault, I ran into a funny and odd issue. I am not able to explain why and what is going on, but I have tried every trick a google search can conjure, at least until page 30 in the search results. It was by coincidence I came across some of the parameters in the DefaultAzureCredentialOptions class that got me going, at least locally.

The idea, as far as I have understood, is that whenever you invoke the Azure.Identity.DefaultAzureCredential class, it provides a flow for attempting authentication using one of the following credentials, in listed order:

I suspect that since I have deployed my Azure Function using the Managed Identity setting to a Systems Assigned identity, like this:

System Assigned Identity

AND the fact that ManagedIdentityCredential is before VisualStudioCredential in the authentication flow, it fails, since it is unable to authenticate the managed identity – which is the main principle of the design – none other than the service can assume the identity of the service.

See more detail here: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Snip

  • System-assigned. Some Azure resources, such as virtual machines allow you to enable a managed identity directly on the resource. When you enable a system-assigned managed identity:
    • A service principal of a special type is created in Azure AD for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you.
    • By design, only that Azure resource can use this identity to request tokens from Azure AD.
    • You authorize the managed identity to have access to one or more services.
    • The name of the system-assigned service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its system-assigned identity is <app-name>/slots/<slot-name>.

Love rears its ugly head

Having granted your own account the proper permissions in Azure Key Vault, you can connect to that vault from Visual Studio using your developer credentials. A code example of that could look like this:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static string GetSecret( string keyvault, string secret )
{
   var kvUri = $"https://{keyvault}.vault.azure.net";

   // DefaultAzureCredential walks its credential chain until one of them succeeds
   var creds = new DefaultAzureCredential();

   var client = new SecretClient(new Uri(kvUri), creds);

   // the local variable must not reuse the name of the 'secret' parameter
   var secretValue = client.GetSecret(secret).Value.Value;

   return secretValue;
}

(link to NuGet: NuGet Gallery | Azure.Security.KeyVault.Secrets 4.5.0)

Usually this works, and I have no other explanation than having deployed the solution to a live running App Service is what breaks this otherwise elegant piece of code. The above listed code does not work for me.

Workaround

You can instantiate DefaultAzureCredential using a constructor that takes a DefaultAzureCredentialOptions object as a parameter, and that object has a number of properties of interest: you can remove individual credentials from the authentication chain, and you can specify the tenant id if you have access to multiple tenants.

The code that resolved the issue locally looks something like this. (I can probably just do without the ManagedIdentity exclusion, will test.)

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static string GetSecret( string keyvault, string secret )
{
   var kvUri = $"https://{keyvault}.vault.azure.net";

   // pin the tenant and strip every credential type from the chain except
   // VisualStudioCredential and InteractiveBrowserCredential
   var creds = new DefaultAzureCredential(
       new DefaultAzureCredentialOptions() {
           TenantId = "<INSERT TENANT ID HERE>",
           ExcludeAzureCliCredential = true,
           ExcludeAzurePowerShellCredential = true,
           ExcludeSharedTokenCacheCredential = true,
           ExcludeVisualStudioCodeCredential = true,
           ExcludeEnvironmentCredential = true,
           ExcludeManagedIdentityCredential = true
       });

   var client = new SecretClient(new Uri(kvUri), creds);

   // the local variable must not reuse the name of the 'secret' parameter
   var secretValue = client.GetSecret(secret).Value.Value;

   return secretValue;
}

I am not sure this will work when I deploy the solution, but I will probably create a test on the environment (local debug or running prod).
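A way to avoid the problem described above is not to let DefaultAzureCredential probe its whole chain at all, but to pick one explicit credential per environment: ManagedIdentityCredential when running on the App Service (only the resource itself can use its system-assigned identity, so nothing else is worth trying) and a tenant-pinned developer credential locally. This is an added example, not code from the original post; it assumes the IDENTITY_ENDPOINT environment variable is present when a managed identity is enabled on the Function, and the KeyVaultAccess class and its method names are made up for the illustration.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultAccess
{
    // ASSUMPTION: App Service / Functions expose IDENTITY_ENDPOINT when a
    // managed identity is enabled on the resource; absent locally.
    public static bool RunningWithManagedIdentity() =>
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT"));

    public static TokenCredential CreateCredential(string tenantId)
    {
        if (RunningWithManagedIdentity())
        {
            // In Azure: the system-assigned identity is the only thing that can
            // authenticate here, so use it directly. No fallback chain means an
            // authentication failure is reported for what it is instead of
            // surfacing as a confusing error from a later credential type.
            return new ManagedIdentityCredential();
        }

        // Locally: developer sign-in only. Pinning the tenant keeps a
        // multi-tenant account from being resolved against the wrong directory.
        return new ChainedTokenCredential(
            new VisualStudioCredential(new VisualStudioCredentialOptions { TenantId = tenantId }),
            new AzureCliCredential(new AzureCliCredentialOptions { TenantId = tenantId }));
    }

    public static async Task<string> GetSecretAsync(string keyvault, string secretName, string tenantId)
    {
        var kvUri = new Uri($"https://{keyvault}.vault.azure.net");
        var client = new SecretClient(kvUri, CreateCredential(tenantId));

        // await instead of .Result: Response<KeyVaultSecret> converts implicitly
        KeyVaultSecret secret = await client.GetSecretAsync(secretName);
        return secret.Value;
    }
}
```

Because the two branches use different credential types, a token request that fails in production can only have come from the managed identity, which makes the Key Vault access policy (or RBAC role assignment) the first thing to check.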

HTH


Are you Dino or Carl?

If you are new to IT you might not yet have become aware that the tech stack is ever changing. I’ve been around long enough to have seen my share of DOS, Windows and also SQL Server editions, but what is not immediately apparent is that this forces the people in the industry to, at some point, make a choice: become a dinosaur or adapt.

If your choice is dinosaur, you will probably be fighting to keep the workloads coming as time passes by. At best it’s a bit of a gamble, putting all your eggs into one basket so to speak. Tech changes, and so will demand for the one tech you have mastered to perfection. The upside of the gamble is that few, if any, still know the tech in question, which means you can ask a higher price for your services.

On the other hand, Carl Lewis’s accomplishments are actually a great image of how the modern IT worker has to spread their interest over more than one tech. Carl Lewis was a childhood hero of mine, and among other astonishing merits he was undefeated for a period of seven (7) years in long jump (he still holds the indoor world record), but many remember him for his incredible performances in the 100m and 200m dash. This helps build the image I am trying to convey here: modern IT people will almost certainly be specialised in more than one tech, or the particular tech they know evolves into something new.

So, which one is it? Dino or Carl?

But what’s my point with this?

On September 11th 2020 I passed the AZ-400 exam to become a Microsoft Certified: Azure DevOps Engineer Expert, and as this is an Expert level certification, Microsoft requires it to be renewed within a specified amount of time. Microsoft operates with four levels of certification.

  • Fundamentals (⭐), which cannot be renewed and do not expire
  • Associate (⭐⭐), Expert (⭐⭐⭐) and Speciality (no stars), which expire after one (1) year*

*) except if taken before June 30th 2021, in which case validity lasts two (2) years

A month from now, at the time of writing, I would no longer be allowed to flash that I am a certified Azure DevOps Engineer, unless… unless I renew the certification. Certification renewals are something fairly new to the Microsoft certification program, and I must say I welcome the opportunity given by Microsoft to update your accolades for free. Yes, for free.

Roughly 90 days (and again 30 days) in advance, Microsoft sends a notification that your certification will expire unless you renew it. The process of renewing is really simple, and it all comes down to you and how up to date your skills are on the subject. One of the smart things about renewals is that Microsoft gets to test your knowledge on features and tech added to its services since you first took the test, and this could potentially be a lot of new ground to cover. Even though Microsoft acquired GitHub back in the summer of 2018, a lot of work has gone into folding GitHub into the Microsoft stack, and much of this work has surfaced since I took the test initially, so the renewal test has a lot more questions on GitHub, which makes so much sense.

The email you receive would look similar to this one, except of course time and type of certification would be different:

All you have to do is click the link, log in with your Microsoft Learn account and off you go.

It could be that the number of questions varies, but I have had two (2) renewals lately and both consisted of about 25 questions. There have been no cases like in the real exams, just 25 individual questions on tech related to the overall topic of the certification. Also, all of my questions have been multiple choice/single answer, meaning no multiple possible answers, ranking of tasks to perform or code to complete. But I am sure they are working on getting that in there.

Once you’ve completed all questions you will be directed to either a pass or fail page (unfortunately I didn’t screen grab that when I failed the AZ-400 renewal the first time, so I am not able to show how that looks). Microsoft Learn even provides you with a collection of learning materials (from Microsoft Learn) that fits your weak areas so you can concentrate on getting those up to speed. This is very helpful!

If you pass, the resulting page looks something like this:

There is also an explanation on the various areas of the test and how you performed in those categories:

This one is from my DA-100 renewal which is now outdated and superseded by PL-300

Final thoughts

Having had to take on new certifications every other year, even in the same tech space, I really welcome the idea of certification renewals. For instance, I have SQL Server 2005, 2008 and 2016 certifications, but, at least in my mind, it makes a lot more sense to be able to communicate that I am certified in SQL Server and that the certification is up to date, for instance with the Azure SQL Server Administrator certification: no editions attached, it’s just active or not. This goes for any technology/role that manages to stick around and evolve.

Best of luck to all you out there who are either renewing or taking on new exams.


2.000 members milestone

It’s only been a couple of months since I took over the reins from co-partner Erik Svensen (t|l) for the Danish Power BI User Group. But even just a few months in, I see and appreciate all the hard work and effort Erik has put into this user group. It’s because of Erik’s relentless efforts over the past four-five years that I can now announce that the user group has 2.000 members!

Bravo Erik – Well done!


New Microsoft certifications passed

This summer my family and I spent almost three weeks driving to Germany and into Italy by car. Not just any car I might add. The old Volvo clicked in 4.000 km and handled it like a charm 🥰 even when it was super packed for the final stage of the journey from the duty free shop just across the border.

Main cities visited: Nürnberg, Venice, Bologna, Brisighella, Comacchio… and obviously I had to make a stop at the Mutti field of tomatoes, as Mutti is a client of ours 🙂

Assorted Pictures from the vacation

Just before the vacation began, I got notice that I had passed the two beta exams I attended in the middle of May. With beta exams you do not get the passing score immediately; you have to wait until the program has collected enough data on the individual questions/answers to release the final version of the test.

Microsoft Power Automate RPA Developer (PL-500)

First off, I passed the Microsoft Power Automate RPA Developer (PL-500) exam, which was quite a stretch for me, and I had even raised some concerns about the scope of the test beforehand, in the announcement below on LinkedIn:

Candidates for this exam automate time-consuming and repetitive tasks by using Microsoft Power Automate (formerly known as Flow). They review solution requirements, create process documentation, and design, develop, troubleshoot, and evaluate solutions.

Candidates work with business stakeholders to improve and automate business workflows. They collaborate with administrators to deploy solutions to production environments, and they support solutions.

Additionally, candidates should have experience with JSON, cloud flows and desktop flows, integrating solutions with REST and SOAP services, analyzing data by using Microsoft Excel, VBScript, Visual Basic for Applications (VBA), HTML, JavaScript, one or more programming languages, and the Microsoft Power Platform suite of tools (AI Builder, Power Apps, Dataverse, and Power Virtual Agents).

Important

Passing score: 700. Learn more about exam scores. (which is exactly what I scored 😁)

Part of the requirements for: Microsoft Certified: Power Automate RPA Developer Associate

The detailed skills are outlined here: Exam PL-500: Microsoft Power Automate RPA Developer – Skills Measured

Designing and Implementing Enterprise-Scale Analytics Solutions Using Microsoft Azure and Microsoft Power BI (DP-500)

Candidates for this exam should have advanced Power BI skills, including managing data repositories and data processing in the cloud and on-premises, along with using Power Query and Data Analysis Expressions (DAX). They should also be proficient in consuming data from Azure Synapse Analytics and should have experience querying relational databases, analyzing data by using Transact-SQL (T-SQL), and visualizing data.

Important

Passing score: 700. Learn more about exam scores.

Tip

Part of the requirements for: Microsoft Certified: Azure Enterprise Data Analyst Associate

Active certifications

New/Renewed 2022

Other Active Certifications


Recertified as Azure Administrator Associate!

For the second time this year, I have successfully passed a re-certification test. This time around it was the Azure Administrator Associate (AZ-104) certification, which I passed initially about two (2) years ago (August 14th 2020). I am happy and thrilled to be able to add this badge to my collection for the next year.

New Certifications/Re-Certifications this Year

Past, but still active, certifications
