azure-security

Azure security services, including Key Vault, Managed Identity, RBAC, Entra ID and Defender. Provides secrets management, credential-free authentication, role-based access control and threat protection.

SKILL.md
---
name: azure-security
description: Azure Security Services including Key Vault, Managed Identity, RBAC, Entra ID, and Defender. Provides secrets management, credential-free authentication, role-based access control, and threat protection.
---

Azure Security Services

Services

| Service | Use When | MCP Tools | CLI |
|---|---|---|---|
| Key Vault | Secrets, keys, certificates | azure__keyvault | az keyvault |
| Managed Identity | Credential-free authentication | - | az identity |
| RBAC | Role-based access control | azure__role | az role |
| Entra ID | Identity and access management | - | az ad |
| Defender | Threat protection, security posture | - | az security |

MCP Server (Preferred)

When Azure MCP is enabled:

Key Vault

  • azure__keyvault with command keyvault_list - List Key Vaults
  • azure__keyvault with command keyvault_secret_list - List secrets in vault
  • azure__keyvault with command keyvault_secret_get - Get secret value
  • azure__keyvault with command keyvault_key_list - List keys
  • azure__keyvault with command keyvault_certificate_list - List certificates

RBAC

  • azure__role with command role_assignment_list - List role assignments
  • azure__role with command role_definition_list - List role definitions

If Azure MCP is not enabled: Run /azure:setup or enable via /mcp.

CLI Fallback

```bash
# Key Vault
az keyvault list --output table
az keyvault secret list --vault-name VAULT --output table
az keyvault secret show --vault-name VAULT --name SECRET

# RBAC
az role assignment list --output table
az role definition list --output table

# Managed Identity
az identity list --output table
```

Key Security Principles

  1. Use managed identities - No credentials to manage
  2. Apply least privilege - Minimum required permissions
  3. Enable Key Vault - Never hardcode secrets
  4. Use private endpoints - No public internet access
  5. Enable auditing - Log all access

Common RBAC Roles

| Role | Permissions |
|---|---|
| Owner | Full access + assign roles |
| Contributor | Full access, no role assignment |
| Reader | Read-only |
| Key Vault Secrets User | Read secrets only |
| Storage Blob Data Reader | Read blobs only |
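The "apply least privilege" principle and the role table above become checkable once you look at who holds the broad roles and at what scope. The following added example (not part of this skill or of Azure's own tooling) audits the JSON that `az role assignment list --all --output json` produces: it flags Owner, Contributor and User Access Administrator assignments at subscription or management-group scope, and privileged roles granted directly to user accounts instead of to a group or managed identity. The field names (`roleDefinitionName`, `principalType`, `principalName`, `scope`) are the ones the CLI emits; the assignment list itself is a constructed sample with placeholder subscription id and principals.

```python
"""Least-privilege audit over `az role assignment list --all -o json` output."""
import json

# Built-in roles that grant broad control; they warrant a narrow scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scope levels at which a privileged role covers far more than one workload.
BROAD_SCOPES = {"managementGroup", "subscription"}

# Constructed sample in the shape of `az role assignment list --all -o json`.
# Subscription id, principal names and resource names are placeholders.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
  {"principalName": "web-app-identity", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
  {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
  {"principalName": "auditors", "principalType": "Group",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]
""")


def scope_level(scope: str) -> str:
    """Classify an ARM scope string: managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if parts[:3] == ["providers", "Microsoft.Management", "managementGroups"]:
        return "managementGroup"
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit_assignments(assignments):
    """Return one finding string per assignment that violates least privilege."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        if role not in PRIVILEGED_ROLES:
            continue
        level = scope_level(a.get("scope", ""))
        principal = a.get("principalName") or a.get("principalId", "?")
        ptype = a.get("principalType", "")
        if level in BROAD_SCOPES:
            findings.append(f"{principal} ({ptype}) holds {role} at {level} scope")
        elif ptype == "User":
            findings.append(
                f"{principal} is a user account with {role} at {level} scope; "
                "prefer a group or managed identity"
            )
    return findings


if __name__ == "__main__":
    # Usage: az role assignment list --all -o json | python audit.py
    # (here the constructed sample is used instead of stdin)
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```

Contributor on the `ci-pipeline` service principal, scoped to one resource group, is not flagged: that is the pattern the principles list asks for (a workload identity, minimum role, narrow scope). The two user-account grants are what the audit surfaces for review.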

Service Details

For deep documentation on specific services: