This is a continuation of an article that describes operational considerations for hosting
solutions on Azure public cloud.
The order in which a conditional access policy is evaluated
depends on its assignments and access controls. The policy brings together signals,
uses them to make decisions and then enforces organizational policies. If
multiple conditional access policies apply, all of them must be satisfied for access to be granted.
Grant controls such as requiring MFA and requiring a compliant device are ANDed.
Policies are enforced in two phases: 1) session details are collected and 2)
policies are enforced. Phase 1 gathers session details from the
connection properties; policies in report-only mode are also evaluated here. Phase 2
prompts the user where needed and enforces all the policies.
Azure AD conditional access is frequently used to secure
cloud applications with a single policy that grants access to selected users
and groups, who are required to pass multi-factor authentication. This is
helpful when access originates from a location that is not trusted.
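The two-phase evaluation described above (signals collected first, then every applicable policy ANDed, with report-only policies logged but never enforced) as an added illustration; this is a constructed model, not Azure AD's code, and the policy names and session values are hypothetical:

```python
from dataclasses import dataclass

@dataclass
class Session:            # phase 1: signals collected from the sign-in
    user: str
    groups: set
    trusted_location: bool
    mfa_done: bool
    device_compliant: bool

@dataclass
class Policy:
    name: str
    include_groups: set          # assignment: applies if the user is in any of these
    untrusted_only: bool         # condition: skip when the location is trusted
    grant_controls: set          # e.g. {"mfa", "compliant_device"}; all are required (AND)
    report_only: bool = False    # evaluated and logged in phase 2, never enforced

def applies(p: Policy, s: Session) -> bool:
    return bool(p.include_groups & s.groups) and not (p.untrusted_only and s.trusted_location)

def satisfied(control: str, s: Session) -> bool:
    return {"mfa": s.mfa_done, "compliant_device": s.device_compliant}[control]

def evaluate(policies, s: Session) -> dict:
    """Phase 2: every applicable enforced policy must pass; report-only ones only report."""
    missing, report = set(), {}
    for p in policies:
        if not applies(p, s):
            continue
        unmet = {c for c in p.grant_controls if not satisfied(c, s)}
        if p.report_only:
            report[p.name] = "would block" if unmet else "would allow"
        else:
            missing |= unmet        # controls are ANDed across all matching policies
    return {"granted": not missing, "missing": sorted(missing), "report_only": report}

# Constructed policies (hypothetical names, not from any real tenant).
POLICIES = [
    Policy("MFA-outside-trusted-net", {"staff"}, True, {"mfa"}),
    Policy("Admins-need-compliant-device", {"admins"}, False, {"compliant_device"}),
    Policy("Pilot-everyone-MFA", {"staff", "admins"}, False, {"mfa"}, report_only=True),
]

if __name__ == "__main__":
    s = Session("alice", {"staff", "admins"}, trusted_location=False, mfa_done=True, device_compliant=False)
    print(evaluate(POLICIES, s))
```

Running it shows that alice is blocked only by the enforced compliant-device policy, while the report-only pilot policy records what it would have done without affecting the decision.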
Networking resources must belong to the same subscription,
region and resource group to set up virtual endpoints. Microsoft peering must be created to
configure an ExpressRoute circuit. The provider status is checked to ensure that
the circuit is fully provisioned by the connectivity provider.
Azure Monitor provides tremendous insight into the operation of
Azure resources. It is recommended to create multiple Application
Insights resources, usually one per environment. This results in better
separation of telemetry, alerts, work items, configurations and permissions.
Limits such as web test count, throttling and data allowance are spread across the
resources, and the split also helps with cross-resource queries.
Limits should not be configured for the prod environment,
because data is lost once a limit is breached. They apply
instead to dev and test environments.
When data does not show up in the telemetry, check
the firewall settings, the instrumentation key (ikey) configuration, and the user account under which IIS is
running and whether it has privileges to access the internet. The Flush method can
be called periodically.
The Status Monitor tool can be used when the app is instrumented
with the .NET 4.6 SDK. It collects basic information about outbound HTTP and
SQL calls. Alerts should not be configured unnecessarily; they generate a
lot of noise and make it harder to detect the ones that matter. RBAC controls must
be properly set, as with all resources.