Before Lab 1.2 — Management Plane and Data Plane

Mitch Mommers18/05/2026About 2 min

In Lab 1.1, you discovered that the backend managed identity has broad access.

In Lab 1.2, you will test the impact of that access.

Before doing that, we need one important cloud security distinction:

management plane
versus
data plane

Management plane

The management plane is about managing the Azure resource itself.

Examples:

These actions manage the infrastructure.

The data plane is about accessing the data inside a resource.

Examples:

These actions access the content handled by the service.

An identity can have broad management-plane access and still not have the correct data-plane access.

For example:

Contributor on the resource group

can allow broad management actions on resources in that resource group.

But that does not automatically mean:

read Key Vault secret value

Reading a Key Vault secret requires a suitable Key Vault data-plane permission.

For example:

Key Vault Secrets User

In the lab, you will test two things.

Test	What it proves
Can the backend modify an Azure resource?	The identity has management-plane access
Can the backend read the Key Vault secret?	The identity has or lacks data-plane access

Key idea

Broad access is not the same as correct access.

During the lab or recap, screenshots can help show the difference between both tests.

Screenshot suggestion

Add a screenshot of the endpoint that demonstrates management-plane access.

Suggested screenshot:

Browser or API client → POST /api/impact-demo/tag-self

Show that the request succeeds.

Also add a screenshot of the Azure Portal showing that the tag was added to the App Service.

Screenshot suggestion

Add a screenshot of the Key Vault secret endpoint failure.

Suggested screenshot:

Browser or API client → GET /api/secret-demo

Show the error message or 403-style response.

Avoid showing real secret values in screenshots.