Question 1. Fabrikam's code review orchestrator, security analysis agent, and style analysis agent all share one managed identity with Storage Blob Contributor permissions. Why is this a security risk, and what's the correct approach?

  A. The shared identity is a risk because any agent can modify storage that other agents depend on. Each agent should have its own identity with only the specific permissions it requires.
  B. The shared identity is acceptable as long as all agents run in the same virtual network, which provides sufficient network-layer isolation.
  C. The risk is that shared identities expire simultaneously. Rotating to individual identities with the same permissions solves the expiration coordination problem.

Question 2. Fabrikam detects that the code parsing agent—normally isolated to communicate only with the orchestrator—is attempting to reach the customer output storage agent directly. What does this traffic pattern indicate, and which control catches it?

  A. This is normal behavior—agents can route requests to any other agent for efficiency. No control is needed.
  B. This may indicate lateral movement from a compromised agent. Network policy with default-deny and explicit allow-list rules would prevent the connection, and anomaly detection on the communication graph would alert on the deviation.
  C. This is a configuration error. Update the network policy to add the parsing agent to the output storage agent's allow-list.

Question 3. Fabrikam serves EU enterprise customers and processes their proprietary source code. Under EU data privacy law, what architectural requirements apply to where and how this code is processed?

  A. EU customer source code must be processed only within EU Azure regions. Cross-region API calls that transfer code data outside the EU are prohibited, and Azure Policy should enforce allowed regions for all agent deployments.
  B. EU data privacy regulations only apply to personal data like names and email addresses. Source code is intellectual property, not personal data, so it can be processed in any region.
  C. Encryption in transit between Azure regions satisfies EU data privacy transfer requirements, so regional restrictions aren't needed.