{
  "results": [
    {
      "id": "acr-auth-entra-service-principal-admin",
      "text": "ACR authentication options are Azure identity, Microsoft Entra service principal, or admin account; all image transfers use HTTPS with TLS.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "acr-authentication-entra-service-principal-admin",
      "text": "ACR authentication options are Azure identity, Microsoft Entra service principal, or admin account.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "acr-five-authentication-methods",
      "text": "ACR supports five authentication methods: individual Microsoft Entra identity, service principal, managed identity, admin user, and non-Microsoft Entra token-based permissions.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "acr-non-entra-tokens-basic-100-standard-500-premium-50000",
      "text": "ACR non-Entra token limits: Basic 100, Standard 500, Premium 50,000.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "acr-token-permissions-no-entra-rbac",
      "text": "ACR token-based repository permissions are not integrated with Microsoft Entra ID and do not support RBAC role assignments.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "acr-token-permissions-not-entra-rbac",
      "text": "ACR token-based repository permissions are not integrated with Microsoft Entra ID and do not support RBAC role assignments.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "appservice-new-apps-ftps-only-by-default",
      "text": "New Azure App Service apps default to FTPS-only; basic auth should be disabled in favor of Entra ID OAuth 2.0.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "appservice-new-apps-ftps-only-default",
      "text": "New Azure App Service apps default to FTPS-only; basic auth should be disabled in favor of Entra ID OAuth 2.0",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "appservice-new-apps-ftps-only-disable-basic-auth",
      "text": "New App Service apps default to FTPS-only; basic auth should be disabled in favor of Entra ID OAuth 2.0 tokens.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-data-plane-access-security-gradient",
      "text": "Azure data-plane access follows a security gradient from weakest to strongest: SAS tokens provide delegated access with varying revocability (account key SAS is least secure, user delegation SAS most secure), while the Entra identity-to-authorization chain provides full RBAC-governed access — and the gradient position is determined by how deeply a workload integrates with the identity chain, with SAS appropriate for cross-boundary sharing and Entra RBAC for intra-platform access.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-data-plane-identity-convergence",
      "text": "Azure data plane access increasingly supports Entra ID-based authentication alongside traditional key/SAS-based access, with identity-based access providing stronger auditability and more granular RBAC controls.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-disallow-shared-key-forces-entra-id",
      "text": "Disallowing Shared Key authorization on a storage account forces all requests to use Microsoft Entra ID.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-entra-identity-data-plane-lifecycle",
      "text": "Azure's identity-first data-plane convergence (managed identity as universal authentication, shared key deprecation, user delegation SAS) operates within the Entra dual-model lifecycle framework — system-assigned identities provide zero-config data-plane authentication while user-assigned identities enable cross-resource sharing, making the managed identity lifecycle tradeoff the key design decision for data-plane identity architecture across all Azure services.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-identity-convergence-reinforces-security-pillars",
      "text": "Azure's three independently enforced security pillars (identity, governance, network) are increasingly unified as data-plane access converges toward Entra-based managed identity as the universal authentication mechanism: the convergence reduces the number of independent credential types (deprecating shared keys and non-delegated SAS tokens) while the three-pillar model ensures this identity root is enforced consistently across governance (RBAC), network (Private Link), and cryptographic (Key Vault) boundaries.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-identity-drives-key-protection-scope",
      "text": "Azure identity model choices constrain cryptographic key protection scope: the Entra identity-to-authorization chain determines Key Vault data-plane access, while Key Vault's network-isolated defense-in-depth lifecycle provides tiered FIPS protection — the identity topology (system vs user-assigned MI, app registration across tenants) bounds what key protection levels are reachable.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-identity-first-data-plane-convergence",
      "text": "Azure is converging toward managed identity as the universal data-plane authentication mechanism: user-assigned identities are the recommended type for cross-resource sharing, user delegation SAS provides the most secure form of delegated access by requiring Entra credentials, and disabling shared key authorization forces all storage requests through Entra ID — creating a consistent identity-first access model that eliminates shared secrets from the data plane.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-identity-verified-end-to-end-data-plane",
      "text": "Azure achieves fully identity-verified end-to-end data-plane access — from Entra authentication through RBAC authorization to cryptographic key access — when the identity-to-authorization chain controls both Key Vault data-plane access and the data-plane security gradient across storage, messaging, and compute services.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-managed-identity-fic-limit-20",
      "text": "The limit for managed identities as Federated Identity Credentials on an Entra ID application is 20.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-monitor-observability-depends-on-identity-chain",
      "text": "Azure Monitor's compound risk surface is coupled to the identity system: Sentinel and Defender (sharing Log Analytics workspaces) consume identity events generated by Entra, while workspace access itself is governed by the same RBAC model that the Entra identity-to-authorization chain provides — monitoring integrity depends on identity integrity.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "azure-observability-depends-on-governance-and-identity",
      "text": "Effective Azure observability requires alignment across three independently configurable systems: the identity chain (Entra→RBAC) determines workspace data access and who can see what telemetry, the governance hierarchy (Policy+RBAC) determines which monitoring policies are enforced across subscriptions, and the network default-deny stack (NSG+firewall) determines whether telemetry data can flow from on-premises and multi-cloud sources to Log Analytics workspaces.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    }
  ],
  "count": 114,
  "limit": 20,
  "offset": 0
}