Before Lab 1.3 — Least Privilege and Correct Privilege
18/05/2026About 1 min
Before Lab 1.3 — Least Privilege and Correct Privilege
In the previous labs, you found and tested an incorrect permission model.
Now you will improve it.
The goal is not to remove all access.
The goal is to give the right access.
Least privilege
Least privilege means:
Give an identity only the permissions it needs to perform its task, and nothing more.
For the backend application, ask:
What does the backend actually need to do?If the answer is:
Read a secret from Key Vaultthen the backend does not need:
Contributor on the entire resource groupLeast privilege means the permission must match the actual task. A narrow but correct permission is better than a broad (and even incorrect) permission.
| Bad model | Better model |
|---|---|
| Contributor on resource group | Key Vault Secrets User on Key Vault |
| Broad management access | Specific data access |
| Access to many resources | Access to the required resource |
| Works by accident | Works by design |
The intended change
What to verify after the fix
After changing permissions, always test both sides.
| Test | Desired result after fix |
|---|---|
| Backend modifies its own Azure resource | Should fail |
| Backend reads required Key Vault secret | Should work |
Lab focus
A good security fix reduces unnecessary access without breaking the legitimate application flow.