0
# Security and Identity
1

2
Azure security and identity services provide key management, secret storage, certificate management, and identity/access management capabilities. This includes Azure Key Vault for secure key and secret storage, and Graph RBAC for identity and access management operations.
3

4
## Capabilities
5

6
### Azure Key Vault
7

8
Securely stores and manages cryptographic keys, secrets, and certificates used by cloud applications and services. Provides centralized secret management with access control and audit logging.
9

10
```python { .api }
11
class KeyVaultClient:
12
    """
13
    Client for Azure Key Vault operations.
14
    
15
    Parameters:
16
    - credentials: KeyVaultAuthentication credentials
17
    """
18
    def __init__(self, credentials, **kwargs): ...
19
    
20
    # Key operations
21
    def create_key(self, vault_base_url: str, key_name: str, kty: str, **kwargs): ...
22
    def import_key(self, vault_base_url: str, key_name: str, key: object, **kwargs): ...
23
    def delete_key(self, vault_base_url: str, key_name: str, **kwargs): ...
24
    def update_key(self, vault_base_url: str, key_name: str, key_version: str, **kwargs): ...
25
    def get_key(self, vault_base_url: str, key_name: str, key_version: str, **kwargs): ...
26
    def get_keys(self, vault_base_url: str, **kwargs): ...
27
    def get_key_versions(self, vault_base_url: str, key_name: str, **kwargs): ...
28
    def backup_key(self, vault_base_url: str, key_name: str, **kwargs): ...
29
    def restore_key(self, vault_base_url: str, key_bundle_backup: str, **kwargs): ...
30
    
31
    # Secret operations  
32
    def set_secret(self, vault_base_url: str, secret_name: str, value: str, **kwargs): ...
33
    def delete_secret(self, vault_base_url: str, secret_name: str, **kwargs): ...
34
    def update_secret(self, vault_base_url: str, secret_name: str, secret_version: str, **kwargs): ...
35
    def get_secret(self, vault_base_url: str, secret_name: str, secret_version: str, **kwargs): ...
36
    def get_secrets(self, vault_base_url: str, **kwargs): ...
37
    def get_secret_versions(self, vault_base_url: str, secret_name: str, **kwargs): ...
38
    def backup_secret(self, vault_base_url: str, secret_name: str, **kwargs): ...
39
    def restore_secret(self, vault_base_url: str, secret_bundle_backup: str, **kwargs): ...
40
    
41
    # Certificate operations
42
    def create_certificate(self, vault_base_url: str, certificate_name: str, **kwargs): ...
43
    def import_certificate(self, vault_base_url: str, certificate_name: str, certificate_data: str, **kwargs): ...
44
    def delete_certificate(self, vault_base_url: str, certificate_name: str, **kwargs): ...
45
    def update_certificate(self, vault_base_url: str, certificate_name: str, certificate_version: str, **kwargs): ...
46
    def get_certificate(self, vault_base_url: str, certificate_name: str, certificate_version: str, **kwargs): ...
47
    def get_certificates(self, vault_base_url: str, **kwargs): ...
48
    def get_certificate_versions(self, vault_base_url: str, certificate_name: str, **kwargs): ...
49
    
50
    # Cryptographic operations
51
    def encrypt(self, vault_base_url: str, key_name: str, key_version: str, algorithm: str, value: str, **kwargs): ...
52
    def decrypt(self, vault_base_url: str, key_name: str, key_version: str, algorithm: str, value: str, **kwargs): ...
53
    def sign(self, vault_base_url: str, key_name: str, key_version: str, algorithm: str, value: str, **kwargs): ...
54
    def verify(self, vault_base_url: str, key_name: str, key_version: str, algorithm: str, digest: str, signature: str, **kwargs): ...
55
    def wrap_key(self, vault_base_url: str, key_name: str, key_version: str, algorithm: str, value: str, **kwargs): ...
56
    def unwrap_key(self, vault_base_url: str, key_name: str, key_version: str, algorithm: str, value: str, **kwargs): ...
57
```
58

59
### Key Vault Authentication
60

61
Provides authentication mechanisms for Key Vault operations.
62

63
```python { .api }
64
class KeyVaultAuthentication:
65
    """
66
    Authentication for Key Vault operations.
67
    
68
    Parameters:
69
    - authorization_callback: callable, function that returns access token
70
    """
71
    def __init__(self, authorization_callback: callable): ...
72
    
73
    def signed_session(self, session=None):
74
        """Create authenticated session for Key Vault requests."""
75

76
class KeyVaultAuthBase:
77
    """Base class for Key Vault authentication."""
78
    def __init__(self): ...
79

80
class AccessToken:
81
    """Represents an access token for Key Vault authentication."""
82
    def __init__(self, token: str, expires_on: int): ...
83
    
84
    token: str  # Access token string
85
    expires_on: int  # Token expiration timestamp
86
```
87

88
### Key Vault Models
89

90
Identity classes for Key Vault resources.
91

92
```python { .api }
93
class KeyVaultId:
94
    """Base class for Key Vault resource identifiers."""
95
    def __init__(self, vault: str, name: str, version: str = None): ...
96
    
97
    @property
98
    def vault(self) -> str: ...  # Vault URL
99
    
100
    @property  
101
    def name(self) -> str: ...  # Resource name
102
    
103
    @property
104
    def version(self) -> str: ...  # Resource version
105

106
class KeyId(KeyVaultId):
107
    """Identifier for Key Vault keys."""
108
    pass
109

110
class SecretId(KeyVaultId):
111
    """Identifier for Key Vault secrets."""  
112
    pass
113

114
class CertificateId(KeyVaultId):
115
    """Identifier for Key Vault certificates."""
116
    pass
117

118
class CertificateIssuerId(KeyVaultId):
119
    """Identifier for certificate issuers."""
120
    pass
121

122
class CertificateOperationId(KeyVaultId):
123
    """Identifier for certificate operations."""
124
    pass
125

126
class StorageAccountId(KeyVaultId):
127
    """Identifier for managed storage accounts."""
128
    pass
129

130
class StorageSasDefinitionId(KeyVaultId):
131
    """Identifier for storage SAS definitions."""
132
    pass
133
```
134

135
### HTTP Challenge Authentication
136

137
Low-level HTTP authentication components for Key Vault.
138

139
```python { .api }
140
class HttpBearerChallenge:
141
    """Represents an HTTP Bearer authentication challenge."""
142
    def __init__(self, request_uri: str, challenge: str): ...
143

144
class HttpChallenge:
145
    """Base HTTP authentication challenge."""
146
    def __init__(self): ...
147

148
class HttpBearerChallengeCache:
149
    """Cache for HTTP Bearer challenges."""
150
    def __init__(self): ...
151
    
152
    def get_challenge_for_url(self, url: str): ...
153
    def set_challenge_for_url(self, url: str, challenge: object): ...
154
    def clear(self): ...
155

156
def generate_pop_key() -> str:
157
    """Generate a Proof of Possession (PoP) key for authentication."""
158
```
159

160
### Graph RBAC Management
161

162
Manages Azure Active Directory identity and access control operations including applications, service principals, users, and groups.
163

164
```python { .api }
165
class GraphRbacManagementClient:
166
    """
167
    Client for Azure Active Directory Graph RBAC operations.
168
    
169
    Parameters:
170
    - credentials: Authentication credentials
171
    - tenant_id: str, Azure Active Directory tenant ID  
172
    """
173
    def __init__(self, credentials, tenant_id: str, **kwargs): ...
174
    
175
    @property
176
    def applications(self): ...  # Application operations
177
    
178
    @property
179
    def service_principals(self): ...  # Service principal operations
180
    
181
    @property
182
    def users(self): ...  # User operations
183
    
184
    @property
185
    def groups(self): ...  # Group operations
186
    
187
    @property
188
    def oauth2(self): ...  # OAuth2 operations
189
    
190
    @property
191
    def signed_in_user(self): ...  # Current user operations
192
```
193

194
#### Application Operations
195

196
Manage Azure AD applications.
197

198
```python { .api }
199
class ApplicationOperations:
200
    def create(self, parameters, **kwargs):
201
        """Create a new application."""
202
    
203
    def delete(self, application_object_id: str, **kwargs):
204
        """Delete an application."""
205
    
206
    def get(self, application_object_id: str, **kwargs):
207
        """Get an application by object ID."""
208
    
209
    def list(self, **kwargs):
210
        """List applications in the tenant."""
211
    
212
    def patch(self, application_object_id: str, parameters, **kwargs):
213
        """Update an application."""
214
    
215
    def list_owners(self, application_object_id: str, **kwargs):
216
        """Get owners of an application."""
217
    
218
    def add_owner(self, application_object_id: str, parameters, **kwargs):
219
        """Add an owner to an application."""
220
    
221
    def remove_owner(self, application_object_id: str, owner_object_id: str, **kwargs):
222
        """Remove an owner from an application."""
223
    
224
    def list_key_credentials(self, application_object_id: str, **kwargs):
225
        """Get key credentials for an application."""
226
    
227
    def update_key_credentials(self, application_object_id: str, parameters, **kwargs):
228
        """Update key credentials for an application."""
229
    
230
    def list_password_credentials(self, application_object_id: str, **kwargs):
231
        """Get password credentials for an application."""
232
    
233
    def update_password_credentials(self, application_object_id: str, parameters, **kwargs):
234
        """Update password credentials for an application."""
235
```
236

237
#### Service Principal Operations
238

239
Manage Azure AD service principals.
240

241
```python { .api }
242
class ServicePrincipalOperations:
243
    def create(self, parameters, **kwargs):
244
        """Create a new service principal."""
245
    
246
    def delete(self, object_id: str, **kwargs):
247
        """Delete a service principal."""
248
    
249
    def get(self, object_id: str, **kwargs):
250
        """Get a service principal by object ID."""
251
    
252
    def list(self, **kwargs):
253
        """List service principals in the tenant."""
254
    
255
    def patch(self, object_id: str, parameters, **kwargs):
256
        """Update a service principal."""
257
    
258
    def list_owners(self, object_id: str, **kwargs):
259
        """Get owners of a service principal."""
260
    
261
    def list_key_credentials(self, object_id: str, **kwargs):
262
        """Get key credentials for a service principal."""
263
    
264
    def update_key_credentials(self, object_id: str, parameters, **kwargs):
265
        """Update key credentials for a service principal."""
266
    
267
    def list_password_credentials(self, object_id: str, **kwargs):
268
        """Get password credentials for a service principal."""
269
    
270
    def update_password_credentials(self, object_id: str, parameters, **kwargs):
271
        """Update password credentials for a service principal."""
272
```
273

274
## Usage Examples
275

276
### Working with Key Vault Secrets
277

278
```python
279
from azure.keyvault import KeyVaultClient
280
from azure.keyvault.authentication import KeyVaultAuthentication
281

282
# Authentication callback
283
def auth_callback(server, resource, scope):
284
    # Implement your authentication logic here
285
    # This should return an access token
286
    return access_token
287

288
# Create client
289
credentials = KeyVaultAuthentication(auth_callback)
290
client = KeyVaultClient(credentials)
291

292
vault_url = "https://myvault.vault.azure.net/"
293

294
# Set a secret
295
secret = client.set_secret(vault_url, "database-password", "my-secret-value")
296
print(f"Secret ID: {secret.id}")
297

298
# Get a secret
299
retrieved_secret = client.get_secret(vault_url, "database-password", "")
300
print(f"Secret value: {retrieved_secret.value}")
301

302
# List all secrets
303
secrets = client.get_secrets(vault_url)
304
for secret in secrets:
305
    print(f"Secret: {secret.id}")
306
```
307

308
### Working with Key Vault Keys
309

310
```python
311
from azure.keyvault import KeyVaultClient
312

313
# Create a key
314
key = client.create_key(vault_url, "encryption-key", "RSA")
315
print(f"Key ID: {key.key.kid}")
316

317
# Encrypt data
318
encryption_result = client.encrypt(
319
    vault_url, 
320
    "encryption-key", 
321
    "", 
322
    "RSA-OAEP", 
323
    "Hello, World!"
324
)
325
print(f"Encrypted: {encryption_result.result}")
326

327
# Decrypt data  
328
decryption_result = client.decrypt(
329
    vault_url,
330
    "encryption-key",
331
    "",
332
    "RSA-OAEP", 
333
    encryption_result.result
334
)
335
print(f"Decrypted: {decryption_result.result}")
336
```
337

338
### Managing Azure AD Applications
339

340
```python
341
from azure.graphrbac import GraphRbacManagementClient
342
from azure.graphrbac.models import ApplicationCreateParameters
343

344
# Create Graph RBAC client
345
graph_client = GraphRbacManagementClient(credentials, tenant_id)
346

347
# Create an application
348
app_params = ApplicationCreateParameters(
349
    display_name="My Application",
350
    homepage="https://myapp.com",
351
    identifier_uris=["https://myapp.com/app"]
352
)
353

354
app = graph_client.applications.create(app_params)
355
print(f"Created application: {app.display_name} (ID: {app.object_id})")
356

357
# List applications
358
applications = graph_client.applications.list()
359
for app in applications:
360
    print(f"Application: {app.display_name}")
361

362
# Create service principal for the application
363
sp_params = ServicePrincipalCreateParameters(app_id=app.app_id)
364
service_principal = graph_client.service_principals.create(sp_params)
365
print(f"Created service principal: {service_principal.object_id}")
366
```