Secure Azure Deployment - An example of the handoff you receive

Every Secure Azure Deployment engagement ends with a written production handoff: where your app lives, how access works, how to add and remove users, how backups and recovery are handled, and how to keep it running. Each handoff is tailored to the project, so yours will differ, but the anonymized example below shows the kind of artifact your team walks away with at go-live.

Secure Azure Deployment handoff · anonymized example

Northwind Bakery Orders — Production Handoff

Client: Northwind Bakery (fictional sample)
Contractor: Will Pickeral
Company: William Belle
Application: Northwind Bakery Orders — online order & pickup scheduler
Hosting provider: Azure
Region: East US 2
Handoff date: 2026-05-14

About this document. This is an anonymized example of the production handoff every client receives at the end of a deployment engagement. All names, URLs, and identifiers are fictional.


1. Summary

Northwind Bakery Orders is a web app where customers place pickup orders and staff manage the daily queue. It has been deployed to a managed Azure production environment: sign-in is handled by Microsoft Entra ID with MFA for staff, all secrets live in Azure Key Vault, the database runs on a private PostgreSQL server with 14-day backups, and application logs flow to Azure Monitor.

Item                 | Value
Production URL       | https://orders.northwindbakery.example
Go-live status       | ✅ Live since 2026-05-14
Launch prerequisites | Staff accounts provisioned; test orders cleared

2. Production access

URL: https://orders.northwindbakery.example

How staff sign in:

  1. Open the production URL.
  2. Click Sign in with Microsoft.
  3. Authenticate with the staff member's @northwindbakery.example account.
  4. Complete the MFA prompt (second factor).
  5. The app loads with the role assigned to that account (Manager or Counter Staff).

Access is HTTPS-only; HTTP is redirected to HTTPS. Customers order through the public storefront without an account; only staff sign in.


3. Resource inventory

All resources live in rg-northwind-prod, region East US 2, on Azure.

Resource                   | Name                | Tier / SKU                                | Purpose
App Service Plan           | asp-northwind-prod  | Linux S1                                  | Hosts the web app
Web App                    | app-northwind-prod  | Node 24 LTS, HTTPS-only, managed identity | The orders application
PostgreSQL Flexible Server | pg-northwind-prod   | B_Standard_B1ms, PostgreSQL 16            | Order & customer data (private VNet only)
Database                   | northwind_orders    | UTF8                                      | Application data
Key Vault                  | kv-northwind-prod   | Standard, RBAC, purge protection          | Secret storage
Log Analytics workspace    | log-northwind-prod  | 90-day retention                          | Central log store
Application Insights       | appi-northwind-prod | Node.js                                   | App telemetry & errors

Infrastructure-as-code: all infrastructure is defined in Terraform under infra/ and managed via remote state. To list live values:

cd infra/environments/production
terraform output

4. User management

Staff roles are assigned in Entra ID, not inside the app.

App role      | Entra app role
Manager       | Northwind.Manager
Counter Staff | Northwind.Staff
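Because roles are assigned in Entra ID, the app only ever sees them as values in the token's roles claim and has to map them to its own roles itself. The following is an added example, not the Northwind application's code: it maps the two app-role values from the table above to application roles, picks the higher-privilege role when an account holds both, and treats an account with no recognised assignment as having no access at all instead of falling back to a default role. It assumes the Entra ID token has already been validated elsewhere and its decoded claims are available as req.user (a hypothetical name).

```javascript
// Added example (not the Northwind app's own code): map Entra app-role claims
// to application roles, denying by default.
// Assumption: token validation happens upstream and the decoded claims are on
// req.user; the `roles` claim carries the app-role values assigned under
// Enterprise Applications (Northwind.Manager / Northwind.Staff).

const APP_ROLE_TO_ROLE = Object.freeze({
  "Northwind.Manager": "Manager",
  "Northwind.Staff": "Counter Staff",
});

// Higher number = more privilege; decides the outcome when an account
// holds more than one assignment.
const ROLE_RANK = Object.freeze({ "Counter Staff": 1, Manager: 2 });

/**
 * Returns the application role for a validated token's claims, or null when
 * the account has no recognised assignment. A null result must be treated as
 * "no access", never as a default role: an Entra account that is not assigned
 * to the enterprise application can still obtain a token unless
 * "Assignment required" is enabled on the app, so the app must not trust a
 * token merely because it was issued.
 */
function roleFromClaims(claims) {
  const roles = Array.isArray(claims?.roles) ? claims.roles : [];
  let best = null;
  for (const value of roles) {
    const role = APP_ROLE_TO_ROLE[value]; // unknown values are ignored
    if (role && (best === null || ROLE_RANK[role] > ROLE_RANK[best])) {
      best = role;
    }
  }
  return best;
}

// Express-style middleware factory: only accounts whose resolved role is in
// `allowed` reach the handler; everyone else gets a 403 with no role detail.
function requireRole(...allowed) {
  return (req, res, next) => {
    const role = roleFromClaims(req.user);
    if (role === null || !allowed.includes(role)) {
      return res.status(403).json({ error: "forbidden" });
    }
    req.role = role; // handlers read the resolved role from here
    return next();
  };
}
```

A route that only managers may use would be wired as `app.delete("/api/orders/:id", requireRole("Manager"), handler)`, while counter and manager screens use `requireRole("Manager", "Counter Staff")`. Removing the user's assignment in Entra ID (§4) makes the next token carry no matching roles value, so this check is what turns that removal into an actual denial inside the app.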

Add a user / assign a role

  1. Azure Portal → Entra ID → Enterprise Applications.
  2. Open "Northwind Bakery Orders" (set Application type to All applications if it isn't listed).
  3. Users and Groups → Add user/group.
  4. Select the staff member, assign the role (Northwind.Manager / Northwind.Staff), and confirm.

Change a user's role

Remove the existing assignment (below) and add a new one with the correct role.

Remove / offboard a user

  1. Entra ID → Enterprise Applications → Northwind Bakery Orders → Users and Groups.
  2. Select the user → Remove.

Access is revoked immediately. For full offboarding, also disable the account in Entra ID.


5. Security posture

Control                         | Status
Hosting on a reputable provider | Azure
Authentication                  | Microsoft Entra ID (staff)
MFA                             | Enforced via Conditional Access for all staff
Secrets                         | Azure Key Vault — none in code or repo
Encryption in transit           | HTTPS / TLS 1.2+
Encryption at rest              | Azure-managed
Database exposure               | Private VNet only — no public endpoint
Logging & audit                 | Azure Monitor / Log Analytics
Session / idle handling         | Entra session policy

Secrets

Key Vault: https://kv-northwind-prod.vault.azure.net/

Secret                     | Name
Database connection string | DATABASE-URL
PostgreSQL admin password  | PG-ADMIN-PASSWORD
Entra ID client secret     | ENTRA-CLIENT-SECRET

No secrets are stored in the application code or repository. The App Service reads DATABASE-URL via a Key Vault reference using its managed identity.
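One failure mode worth guarding against with Key Vault references: when App Service cannot resolve a reference (the managed identity lost its Key Vault role, the secret was disabled, or the vault firewall blocks the app), it does not fail the deployment; it hands the app the literal "@Microsoft.KeyVault(...)" text as the setting's value, and the app then fails later with a confusing connection error. The following added startup check, which is not part of the Northwind application, detects that condition before any connection is attempted. It assumes the app settings are exposed to the process as the environment variables DATABASE_URL and ENTRA_CLIENT_SECRET (hypothetical names; the handoff only names the Key Vault secrets).

```javascript
// Added example (not the Northwind app's own code): verify at startup that
// App Service actually resolved every Key Vault reference into a real value.
// Assumption: the app settings reach the process as the environment
// variables listed in REQUIRED_SETTINGS (hypothetical names).

// Both reference syntaxes App Service accepts start this way:
//   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
//   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
const KV_REFERENCE = /^@Microsoft\.KeyVault\(.*\)$/i;

// True when the value is still an unresolved Key Vault reference string
// rather than the secret it should have been replaced with.
function isUnresolvedKeyVaultReference(value) {
  return typeof value === "string" && KV_REFERENCE.test(value.trim());
}

// Checks each required setting and returns a list of problems (empty = OK).
// Messages name the setting only, never its value, so they are safe to log.
function checkSecrets(env, required) {
  const problems = [];
  for (const name of required) {
    const value = env[name];
    if (value === undefined || value === "") {
      problems.push(`${name}: missing`);
    } else if (isUnresolvedKeyVaultReference(value)) {
      problems.push(
        `${name}: Key Vault reference not resolved ` +
          `(check the managed identity's Key Vault role assignment and that the secret is enabled)`
      );
    }
  }
  return problems;
}

const REQUIRED_SETTINGS = ["DATABASE_URL", "ENTRA_CLIENT_SECRET"];

// Call before opening any connection. Exiting non-zero makes the failure
// visible in App Service (container restarts, Application Insights errors)
// instead of letting the app run half-configured.
function assertSecretsResolved(env = process.env) {
  const problems = checkSecrets(env, REQUIRED_SETTINGS);
  if (problems.length > 0) {
    console.error("Startup aborted:\n  " + problems.join("\n  "));
    process.exit(1);
  }
}
```

Run assertSecretsResolved() as the first thing in the app's entry point. The same check is a useful step after rotating a secret (§8): if the rotation also changed who may read the secret, an unresolved reference shows up here on the next restart rather than as a database authentication error in the logs.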

Audit / activity log

The app logs staff sign-ins and order status changes; platform logs flow to Log Analytics. Sample query (last hour of traces):

AppTraces
| where TimeGenerated > ago(1h)
| order by TimeGenerated desc

6. Backups & recovery

  • Automated backups: PostgreSQL Flexible Server, 14-day point-in-time retention. View at Portal → PostgreSQL server → Backups.
  • Restore procedure: point-in-time restore creates a new server from any moment in the retention window; data is validated before cutover.

Documented restore test

az postgres flexible-server restore \
  --resource-group rg-northwind-prod \
  --name pg-northwind-restore-test \
  --source-server pg-northwind-prod \
  --restore-time "2026-05-13T18:00:00Z"
# validate, then delete the test server
az postgres flexible-server delete \
  --resource-group rg-northwind-prod \
  --name pg-northwind-restore-test --yes

Restore-test record: 2026-05-13 — restored to 18:00 UTC on pg-northwind-restore-test; schema and orders verified intact; success; performed by Will Pickeral.


7. Go-live checklist

#  | Item                                          | Status
1  | Production URL confirmed working              |
2  | Resource inventory documented (§3)            |
3  | Data migration notes documented               |
4  | User add/remove/offboarding documented (§4)   |
5  | MFA confirmed                                 |
6  | Backups + restore test                        |
7  | Logging/audit confirmed                       |
8  | Secrets documented; none in code              |
9  | Test/demo data removed                        |
10 | Real staff provisioned                        |
11 | Any compliance/legal gate signed              | n/a
12 | Target launch date set                        | ✅ 2026-05-14

8. One-page maintenance guide

Restart the app: Portal → App Service app-northwind-prod → Overview → Restart.

Check logs:

  • Live stream: App Service → Log stream.
  • Searchable: Application Insights → Logs.
  • Health check: https://orders.northwindbakery.example/api/health returns { "ok": true }.
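A public health endpoint is deliberately terse: it answers { "ok": true } or { "ok": false } and nothing else, so that anyone who can reach the storefront learns nothing about the database or the network behind it. The following is an added example of such a handler, not the Northwind application's code. It assumes a caller-supplied async pingDatabase function (hypothetical) that resolves true when the database answers; the check runs under a timeout so a hung database cannot hang the probe, and any error detail goes to the log, not the response.

```javascript
// Added example (not the Northwind app's own code): a /api/health handler
// that reports only ok/not-ok. Assumption: `pingDatabase` is an async
// function (hypothetical) resolving to true when the database responds.

const HEALTH_TIMEOUT_MS = 2000;

// Races the check against a timeout. Resolves true only if the check itself
// resolves true within `ms`; a timeout rejects like any other failure.
async function withTimeout(check, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("health check timed out")), ms);
  });
  try {
    return (await Promise.race([check(), timeout])) === true;
  } finally {
    clearTimeout(timer); // never leave the timer pending once the race settles
  }
}

// Decides the HTTP status and body. Failure details (host names, ports,
// driver messages) are logged server-side and never placed in the body.
async function healthStatus(pingDatabase, log = console.error) {
  try {
    const ok = await withTimeout(pingDatabase, HEALTH_TIMEOUT_MS);
    return ok
      ? { status: 200, body: { ok: true } }
      : { status: 503, body: { ok: false } };
  } catch (err) {
    log(`health check failed: ${err.message}`);
    return { status: 503, body: { ok: false } };
  }
}

// Express-style route handler: GET /api/health
function healthHandler(pingDatabase) {
  return async (req, res) => {
    const { status, body } = await healthStatus(pingDatabase);
    // no-store keeps intermediaries from caching a stale "ok"
    res.status(status).set("Cache-Control", "no-store").json(body);
  };
}
```

Wire it with `app.get("/api/health", healthHandler(pingDatabase))`. Because a 503 carries no detail, the place to look when the endpoint reports { "ok": false } is the "health check failed" line in Application Insights → Logs, which is where the logged error message lands.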

Add a user: Entra ID → Enterprise Applications → Northwind Bakery Orders → Users and Groups → Add user → assign role. (Full steps in §4.)

Deploy an update: push to main. The pipeline builds, deploys to a staging slot, waits at a manual approval gate, then deploys to production. Database migrations run automatically on startup.

Rotate a secret: update the value in Key Vault kv-northwind-prod; the App Service picks up Key Vault references on restart.

Emergency contact: Will Pickeral — support@williambelle.co.


9. Ongoing support & future work

Ongoing maintenance, support, and development of new features fall outside this deployment engagement and would be arranged under a separate contract or milestone. This engagement is being left open so that anticipated features or changes can be scoped and added as future milestones without a new agreement.

Will Pickeral is available for:

  • Maintenance & support — platform updates, dependency patching, incident response, and operational questions.
  • New feature development — enhancements, new screens/workflows, and integrations.

To initiate support or new work, contact us and we'll scope it as a new milestone under the open engagement.


10. Contractor contact

Will Pickeral
Web: williambelle.co
Email: support@williambelle.co

Ready to get your app moving?

Tell me what you’ve built and where you’re stuck. I’ll get back to you within one business day.