Security

To ensure confidentiality and privacy, our application has these features:

  • All data is encrypted at rest and in transit

  • No inbound connectivity to the Managed Application

  • Outbound connectivity to customer storage only (exception: the billable user count goes to the MS Billing API)

  • Information used for billing (user object id) is salted and hashed, then stored in a Storage Account in the Managed Resource Group

  • The Managed Application uses Managed Identity to access MS Graph with read-only access

  • Azure Key Vault for secrets (Bsure personnel cannot access these secrets). It holds the connection string to the Storage Account (provided by you - ) where user data is stored.

Examples

Example showing how the billing information is salted and hashed:

Example of Bsure personnel accessing the Key Vault:

The Key Vault resides in the Managed Resource Group, but Bsure has no access to the secrets.

Bsure has the Contributor RBAC role, which is not sufficient to read secrets or to elevate permissions.

References:

Azure built-in RBAC roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Azure built-in roles for Key Vault data plane operations: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations