Author: Shahzad Khan

Software developer / Architect

Role-Based Document Protection with Sensitivity Labels in Microsoft Purview

A practical guide for enforcing secure, identity-driven access to sensitive files

Organizations handling legal, regulatory, or citizen data often face a common challenge:
How do you ensure that only authorized roles can open sensitive documents—regardless of where the file travels?

The answer lies in document-level protection, not folder permissions.

With Microsoft Purview Sensitivity Labels, you can encrypt files and enforce role-based access using identity, ensuring protection stays with the document everywhere it goes.

Why Document-Level Protection Matters

Traditional access control depends on storage location:

  • SharePoint permissions
  • Folder restrictions
  • Network access rules

But once a file is downloaded or shared, control weakens.

Sensitivity Labels solve this by:

  • Encrypting documents
  • Binding access to user identity
  • Defining explicit roles (Viewer, Editor, Co-Owner)
  • Enforcing protection across devices and locations

This model is especially valuable for:

  • Legal and court records
  • Government documentation
  • HR and personnel files
  • Financial reports
  • Investigation materials

Sensitivity Labels apply encryption and define who can access a document and what actions they can perform.

Key characteristics:

✔ Protection travels with the file
✔ Access is identity-based
✔ Unauthorized users cannot bypass encryption
✔ Enforcement works across email, downloads, and cloud sharing

Step-by-Step: Configuring Role-Based Document Access

1️⃣ Create a Security Group

Start by defining authorized users in Microsoft Entra ID.

Example:
Security Group: District_Attorney_Authorized_Users
Members: District Attorney user accounts

This group becomes the foundation for permission enforcement.

2️⃣ Create a Sensitivity Label

In Microsoft Purview:

Label Name: Sealed – Court Record
Protection Setting: Enable encryption

Define explicit permissions:

RoleAccess Level
Judge (Owner)Co-Owner
District Attorney GroupViewer or Editor
OthersNo Access

3️⃣ Apply the Label

When the document owner classifies the file:

  • The document becomes encrypted
  • Only authorized roles can decrypt
  • Unauthorized users are blocked automatically

Even if uploaded to Microsoft SharePoint or shared externally, protection remains intact.

What Unauthorized Users Experience

If someone outside the allowed roles attempts to open the file:

  • They see an access denied message
  • They cannot override encryption
  • Admin roles do not bypass document-level protection

This ensures compliance and confidentiality.

Real-World Use Cases

✔ Sealed court records
✔ Law enforcement documentation
✔ Public sector investigations
✔ Contract negotiations
✔ Executive communications

This model supports compliance frameworks requiring strict confidentiality controls.

Key Takeaway

Sensitivity Labels provide identity-driven document protection, ensuring that:

🔐 Access is role-based
📁 Protection travels with the file
🌐 Storage location becomes irrelevant
🛡 Compliance and confidentiality remain intact

For public-sector and regulated environments, this is one of the most reliable ways to protect sensitive information at scale.

Governance Is the Real Architecture of Agentic AI

In today’s hiring landscape, especially for roles involving agentic AI in regulated environments, not every question is about technology. Some are about integrity under pressure.

You might hear something like:
“Can you share agentic AI patterns you’ve seen in other sectors? Keep it concise. Focus on what’s transferable to regulated domains.”

It sounds professional. Even collaborative.
But experienced architects recognize the nuance — this is often not a request for public knowledge. It’s a test of boundaries.

Because in real regulated work, “patterns” aren’t abstract design ideas. They encode how risk was governed, how data exposure was minimized, how operational safeguards were enforced, and how failure was prevented. Those lessons were earned within specific organizational contexts, under specific compliance obligations.

An agentic AI system typically includes multiple layers: planning, memory, tool usage, orchestration, and execution. Most teams focus heavily on these. They’re visible. They’re measurable. They’re marketable.

But the layer that ultimately determines whether your work is trusted in sectors like banking, healthcare, or energy is the one rarely advertised: governance.

Governance is not documentation. It’s behavior under pressure.
It’s a refusal protocol.

It’s the ability to say:

  • I won’t share client-derived artifacts.
  • I won’t reconstruct internal workflows.
  • I won’t transfer third-party operational knowledge.
    Even when an NDA is offered — because a new agreement doesn’t nullify prior obligations.

This is the point where AI stops being just software and starts resembling staff. Staff require access. Access demands controls. Controls require ethics.

In regulated environments, professionals rarely lose opportunities because they lack capability. More often, they lose them because they refuse to compromise trust. And paradoxically, that refusal is what proves they are ready for responsibility.

When we talk about agentic AI maturity, we often ask how advanced the planning is, how persistent the memory is, or how autonomous the orchestration becomes. The more important question is simpler:

Where does your AI initiative stop?
At execution?
Or at governance?

Because in the end, intelligent systems are not judged only by what they can do — but by what they are designed to refuse.

xAI just shook up the AI video space.

xAI has released the Grok Imagine API — a new AI video generation and editing suite that jumped to the top of Artificial Analysis rankings for both text-to-video and image-to-video outputs, while undercutting competitors on price.

What stands out
• Supports text-to-video, image-to-video, and advanced editing
• Generates clips up to 15 seconds with native audio included
• Pricing: $4.20/min, well below Veo 3.1 ($12/min) and Sora 2 Pro ($30/min)
• Editing tools allow object swaps, full scene restyling, character animation, and environment changes
• Debuted at #1 on Artificial Analysis leaderboards for text and image-to-video

Why this matters
If the quality holds at scale, this could dramatically lower the barrier for creators and developers building video-first AI experiences. Aggressive pricing + competitive performance may make Grok Imagine a go-to choice for rapid prototyping and production use alike.

The bigger signal: AI video is moving from experimental to economically viable for mainstream apps.

Curious to see how teams integrate this into real products over the next few months.

https://x.ai/news/grok-imagine-api

Designing Safer Production Releases: A Practical Journey with Azure DevOps

Production systems don’t usually fail because of missing tools.
They fail because too much happens implicitly.

A merge triggers a deploy.
A fix goes live unintentionally.
Weeks later, no one is entirely sure what version is actually running.

This article documents a deliberate shift I made in how production releases are handled—moving from implicit deployment behavior to explicit, intentional releases using Git tags and infrastructure templates in Azure DevOps.

This wasn’t about adding complexity.
It was about removing ambiguity.

The Problem I Wanted to Solve

Before the change, the release model had familiar weaknesses:

  • Merges to main were tightly coupled to deployment
  • Production changes could happen without a conscious “release decision”
  • Version visibility in production was inconsistent
  • Pipelines mixed application logic and platform concerns

None of this caused daily failures—but it created latent risk.

The question I asked was simple:

How do I make production boring, predictable, and explainable?

The Guiding Principles

Instead of starting with tooling, I started with principles:

  1. Production changes must be intentional
  2. Releases must be immutable and auditable
  3. Application code and platform logic should not live together
  4. Developers should not need to understand deployment internals
  5. The system should scale from solo to enterprise without redesign

Everything else followed from these.

The Core Decision: Tag-Based Releases

The single most important change was this:

Production deployments are triggered only by Git tags.

Not by merges.
Not by branch updates.
Not by UI clicks.

A release now requires an explicit action:

git tag vX.Y.Z
git push origin vX.Y.Z

That’s the moment a human says: “This is production.”

Separating Responsibilities with Repositories

To support this model cleanly, responsibilities were split across two repositories:

Application Repository

  • Contains UI, APIs, and business logic
  • Has a single, thin pipeline entry file
  • Decides when to release (via tags)

Infrastructure Repository

  • Contains pipeline templates and deployment logic
  • Builds and deploys applications
  • Defines how releases happen

This separation ensures:

  • Platform evolution doesn’t pollute application repos
  • Multiple applications can share the same release model
  • Infrastructure changes are treated as infrastructure—not features

Pipelines as Infrastructure, Not Code

A key mindset shift was treating pipelines as platform infrastructure.

That meant:

  • Pipeline entry files are locked behind PRs
  • Changes are rare and intentional
  • Developers generally don’t touch them
  • Deployment logic lives outside the app repo

This immediately reduced accidental breakage and cognitive load.

Versioning: Moving from Build-Time to Runtime

Once releases were driven by tags, traditional assembly-based versioning stopped being useful—especially for static web applications.

Instead, version information is now injected at build time into a runtime artifact:

/version.json

Example:

{ "version": "v2.0.5" }

The application reads this file at runtime to display its version.

This approach:

  • Works cleanly with static hosting
  • Reflects exactly what was released
  • Is easy to extend with commit hashes or timestamps
  • Decouples versioning from build tooling

The Day-to-Day Experience

After the setup, daily work became simpler—not more complex.

  • Developers work in feature branches
  • Code is merged into main without fear
  • Nothing deploys automatically
  • Production changes require an explicit tag

Releases are boring.
And that’s exactly the goal.

Rollbacks and Auditability

Because releases are immutable:

  • Redeploying a version is trivial
  • Rollbacks are predictable
  • There’s always a clear answer to: “What code is running in production?”

This is especially valuable in regulated or client-facing environments.

Tradeoffs and Honest Costs

This approach isn’t free.

Costs:

  • Initial setup takes time
  • Azure DevOps YAML has sharp edges
  • Pipelines must exist before tags will trigger
  • Early experimentation may require tag resets

Benefits:

  • Zero accidental prod deploys
  • Clear ownership and accountability
  • Clean separation of concerns
  • Reusable platform foundation
  • Long-term operational confidence

For long-lived systems, the tradeoff is worth it.

When This Pattern Makes Sense

This model works best when:

  • Production stability matters
  • Systems are long-lived
  • Auditability or compliance is a concern
  • Teams want clarity over convenience

It’s less suitable for:

  • Hackathons
  • Throwaway prototypes
  • “Merge = deploy” cultures

The Leadership Lesson

The most important takeaway wasn’t technical.

Good systems make intent explicit.
Great systems remove ambiguity from critical outcomes.

Production safety doesn’t come from moving slower.
It comes from designing systems where important changes happen on purpose.

Final Thoughts

This wasn’t about Azure DevOps specifically.
The same principles apply anywhere.

If you can answer these questions clearly, you’re on the right path:

  • Who decided this went to production?
  • When did that decision happen?
  • What exactly was released?

If those answers are obvious, production becomes boring.

And boring production is a feature.

WordPress on Azure Container Apps (ACA)

Architecture, Backup, and Recovery Design

1. Overview

This document describes the production architecture for WordPress running on Azure Container Apps (ACA) with MariaDB, including backup, recovery, monitoring, and automation. The design prioritizes:

  • Low operational overhead
  • Cost efficiency
  • Clear separation of concerns
  • Fast, predictable recovery
  • No dependency on VM-based services or Backup Vault

This architecture is suitable for long-term operation (multi‑year) with minimal maintenance.

2. High-Level Architecture

Core Components

  • Azure Container Apps Environment
    • Hosts WordPress and MariaDB container apps
  • WordPress Container App (ca-wp)
    • Apache + PHP WordPress image
    • Stateless container
    • Persistent content via Azure Files
  • MariaDB Container App (ca-mariadb)
    • Dedicated container app
    • Internal-only access
    • Database for WordPress
  • Azure Files (Storage Account: st4wpaca)
    • File share: wpcontent
    • Mounted into WordPress container
    • Stores plugins, themes, uploads, logs
  • Azure Blob Storage
    • Stores MariaDB logical backups (.sql.gz)

3. Data Persistence Model

WordPress Files

  • wp-content directory is mounted to Azure Files
  • Includes:
    • Plugins
    • Themes
    • Uploads
    • Logs (debug.log)

Database

  • MariaDB runs inside its own container
  • No local persistence assumed
  • Database durability ensured via daily logical backups

4. Backup Architecture

4.1 WordPress Files Backup (Primary)

Method: Azure Files Share Snapshots

  • Daily snapshots of wpcontent file share
  • Snapshot creation automated via Azure Automation Runbook
  • Retention enforced (e.g., 14 days)

Why this works well:

  • Instant snapshot creation
  • Very fast restore
  • Extremely low cost
  • No application involvement

4.2 MariaDB Backup (Primary)

Method: Logical database dumps (mysqldump)

  • Implemented via Azure Container App Jobs
  • Backup job runs on schedule (daily)
  • Output compressed SQL file
  • Stored in Azure Blob Storage

Additional Jobs:

  • Cleanup job to enforce retention
  • Restore job for controlled database recovery

4.3 Backup Automation

Azure Automation Account (aa-wp-backup)

  • Central automation control plane
  • Uses system-assigned managed identity
  • Hosts multiple runbooks:
    • Azure Files snapshot creation
    • Snapshot retention cleanup

Key Vault Integration:

  • Secrets stored in kv-tanolis-app
    • Storage account key
    • MariaDB host
    • MariaDB user
    • MariaDB password
    • MariaDB database name
  • Automation and jobs retrieve secrets securely

5. Restore Scenarios

Scenario 1: Restore WordPress Files Only

Use case:

  • Plugin or theme deletion
  • Media loss

Steps:

  1. Select Azure Files snapshot for wpcontent
  2. Restore entire share or specific folders
  3. Restart WordPress container app

Scenario 2: Restore Database Only

Use case:

  • Content corruption
  • Bad plugin update

Steps:

  1. Download appropriate SQL backup from Blob
  2. Execute restore job or import via MariaDB container
  3. Restart WordPress container
  4. Save permalinks in WordPress admin

Scenario 3: Full Site Restore

Use case:

  • Major failure
  • Security incident
  • Rollback to known-good state

Steps:

  1. Restore Azure Files snapshot
  2. Restore matching MariaDB backup
  3. Restart WordPress container
  4. Validate site and permalinks

6. Monitoring & Alerting

Logging

  • Azure Container Apps logs
  • WordPress debug log (wp-content/debug.log)

Alerts

  • MariaDB backup job failure alert
  • Container restart alerts
  • Optional resource utilization alerts

External Monitoring

  • HTTP uptime checks for site availability

7. Security Considerations

  • No public access to MariaDB container
  • Secrets stored only in Azure Key Vault
  • Managed Identity used for automation
  • No credentials embedded in scripts
  • Optional IP restrictions for /wp-admin

8. Cost Characteristics

  • Azure Files snapshots: very low cost (delta-based)
  • Azure Blob backups: pennies/month
  • Azure Automation: within free tier for typical usage
  • No Backup Vault protected-instance fees

Overall cost remains low single-digit USD/month for backups.

9. Operational Best Practices

  • Test restore procedures quarterly
  • Keep file and DB backups aligned by date
  • Maintain at least 7–14 days retention
  • Restart WordPress container after restores
  • Document restore steps for operators

10. Summary

This architecture delivers:

  • Reliable backups without over-engineering
  • Fast and predictable recovery
  • Minimal cost
  • Clear operational boundaries
  • Long-term maintainability

It is well-suited for WordPress workloads running on Azure Container Apps and avoids VM-centric or legacy backup models.