AZ-500: Microsoft Azure Security Technologies

Course Navigation

Section 1: Manage Identity and Access
Section 2: Platform Protection
Section 3: Security Operations
Section 4: Secure Data and Applications
Exam Preparation

Section 1: Manage Identity and Access

Configuring Azure Active Directory for Workloads

Topics in this section include:

- AD Users
- AAD Connect
- AD Groups
- Azure AD Privileged Identity Management
- Azure Tenant Security
- Application Security: registration, permissions, scopes, and consent
- Authentication: Azure MFA, Conditional Access, password sync, pass-through authentication
- Azure Active Directory Identity Protection
Active Directory Users

A. Users: who are they, and why do we care?
B. Managing Users: what tools are available to manage users?
C. B2B: opening our doors to the outside.
Users: Who Are They? Why Do We Care?

A user account is required to access Azure resources. This includes software as a service (SaaS) applications such as Office 365, as well as custom applications written by your in-house development team.

This account is also sometimes called a work or school account.

A user account can be any one of the following types:

- A cloud-based user account (Azure Active Directory)
- A synchronized on-premises directory account (AD -> AAD)
- A guest user, also known as a B2B collaboration guest
Active Directory Users Management

Tools available to manage users:

- Azure Portal
- Azure PowerShell
- Azure CLI
Active Directory Users Management: Azure Portal
Active Directory Users Management: Azure PowerShell

New-AzADUser
    -DisplayName <String>
    -UserPrincipalName <String>
    -Password <SecureString>
    [-ImmutableId <String>]
    -MailNickname <String>
    [-ForceChangePasswordNextLogin]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

# "password" is a placeholder. -Password must be a SecureString, so a plaintext
# value has to be converted first; in real use generate the value instead of
# typing it, and pass -ForceChangePasswordNextLogin so it is replaced at first sign-in.
$SecureStringPassword = ConvertTo-SecureString -String "password" -AsPlainText -Force
New-AzADUser -DisplayName "MyDisplayName" -UserPrincipalName "myemail@domain.com" -Password $SecureStringPassword -MailNickname "MyMailNickName"
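An added example (not part of the course slides or of Microsoft's documentation) that wraps the New-AzADUser call above so that the initial password comes from a CSPRNG instead of being typed into the script, the user is forced to change it at first sign-in, and the call can be dry-run with -WhatIf before it touches the tenant. It assumes the Az.Resources module is installed and Connect-AzAccount has been run with a role permitted to create users; the display name, UPN and mail nickname are placeholders.

```powershell
# Added example, not from the original course slides.
# Assumes: Az.Resources installed, Connect-AzAccount already run.

function New-RandomPassword {
    # Builds a password from System.Security.Cryptography.RandomNumberGenerator
    # (a CSPRNG) rather than Get-Random, drawing from all four character classes
    # so it satisfies the Azure AD complexity policy. Ambiguous glyphs (0/O, 1/l/I)
    # are left out so the one-time value can be read over the phone.
    param([int]$Length = 20)
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%^&*-_=+'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # Cycle through the classes so each appears at least once; the random
        # byte picks the character (slight modulo bias is acceptable here).
        $set = $classes[$i % $classes.Count]
        $set[$bytes[$i] % $set.Count]
    }
    # Shuffle with fresh random bytes so the class order is not visible by position.
    $shuffle = New-Object byte[] $Length
    $rng.GetBytes($shuffle)
    $order = 0..($Length - 1) | Sort-Object { $shuffle[$_] }
    -join ($order | ForEach-Object { $chars[$_] })
}

function New-ManagedAzADUser {
    # Wraps New-AzADUser: generates the password, forces a change at first sign-in,
    # and honours -WhatIf/-Confirm via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$MailNickname
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $params = @{
        DisplayName                  = $DisplayName
        UserPrincipalName            = $UserPrincipalName
        MailNickname                 = $MailNickname
        Password                     = $secure
        ForceChangePasswordNextLogin = $true
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'New-AzADUser')) {
        $user = New-AzADUser @params
        # The one-time password is returned only so the caller can hand it to the
        # onboarding process out of band; do not log this object.
        [pscustomobject]@{ User = $user; InitialPassword = $plain }
    }
}

# Dry run first, then drop -WhatIf for the real call (placeholder UPN/domain).
New-ManagedAzADUser -DisplayName 'Jane Doe' -UserPrincipalName 'jane.doe@contoso.com' `
    -MailNickname 'jane.doe' -WhatIf
```

With -WhatIf the function prints the operation and target without creating anything; without it, the returned object carries the user record and the one-time password to be delivered to the new user through a separate channel.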
Active Directory Users Management: Azure CLI

az ad user create --display-name
                  --password
                  --user-principal-name
                  [--force-change-password-next-login {false, true}]
                  [--immutable-id]
                  [--mail-nickname]
                  [--subscription]

# 123456 is a placeholder; the Azure AD password policy rejects a value this weak,
# so substitute a generated password. --force-change-password-next-login true
# makes it a one-time value.
az ad user create --display-name MyDisplayName --password 123456 --user-principal-name myemail@domain.com --force-change-password-next-login true
B2B: Opening Our Doors to the Outside

Azure B2B allows you to invite and authorize users from outside of your organization to access resources you specify.

These users manage their own identities through their own identity provider (such as Azure AD) or social media accounts. This means they are responsible for keeping track of their information, including username and password changes. Therefore, there is no password-management overhead for your tenant (the guest object itself still lives in your directory and should be reviewed and removed when it is no longer needed).

You can choose to increase security for B2B user accounts by requiring multi-factor authentication.

You can also create a custom API for self-service sign-up.
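An added example (not part of the course slides or of Microsoft's documentation) of the invitation flow described above, using the Microsoft Graph PowerShell SDK: it sends a B2B invitation and then adds the resulting guest object to a specific group, so that "resources you specify" means the access that group grants and nothing else. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed and Connect-MgGraph is run with the scopes shown; the guest address, redirect URL and group ID are placeholders.

```powershell
# Added example, not from the original course slides.
# Assumes: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups installed.

# The scopes requested here are themselves a consent decision: the signed-in admin
# delegates to this session only the ability to invite and to edit group membership.
Connect-MgGraph -Scopes 'User.Invite.All', 'GroupMember.ReadWrite.All'

function Invoke-GuestInvitation {
    param(
        [Parameter(Mandatory)][string]$GuestEmail,
        [Parameter(Mandatory)][string]$RedirectUrl,   # where the guest lands after redeeming
        [Parameter(Mandatory)][string]$GroupId,       # group that grants the intended access
        [string]$DisplayName
    )
    # Reject a malformed address before anything is sent.
    if ($GuestEmail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Not a valid e-mail address: $GuestEmail"
    }

    # The guest's identity stays with their home IdP; only an invitation and a
    # guest user object (UserType = Guest) are created in this tenant.
    $invitation = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
        -InviteRedirectUrl $RedirectUrl `
        -InvitedUserDisplayName $DisplayName `
        -SendInvitationMessage:$true

    $guestId = $invitation.InvitedUser.Id

    # Scope the guest's access by putting the object into the group that carries
    # the permissions, rather than granting anything to the guest directly.
    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $guestId

    [pscustomobject]@{
        GuestObjectId = $guestId
        Status        = $invitation.Status          # PendingAcceptance until redeemed
        RedeemUrl     = $invitation.InviteRedeemUrl # what the guest must open
        GroupId       = $GroupId
    }
}

# Placeholder values; replace with the partner's address and your group's object ID.
Invoke-GuestInvitation -GuestEmail 'partner@fabrikam.example' `
    -RedirectUrl 'https://myapps.microsoft.com' `
    -GroupId '00000000-0000-0000-0000-000000000000' `
    -DisplayName 'Fabrikam Partner'
```

Requiring MFA for these guests is done separately, with a Conditional Access policy targeting guest and external users; this script only creates the identity and its group membership.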
Active Directory Groups

A. Groups: examining group and membership types.
B. Managing Groups: reviewing tools available to manage groups.
C. Tips and Tricks: providing the inside scoop.
Groups: Examining Group and Membership Types

Groups are populated with user accounts, and those groups can then be granted access to data or applications.

Types of groups:

- Security
- Office 365 (now called Microsoft 365 groups)

Membership types:

- Assigned
- Dynamic User
- Dynamic Device (security groups only)
Security Groups

Used to manage member and device access to shared resources. This way you can give a set of permissions to all the members at once instead of having to individually add permissions to each member.
Office 365 Groups

Provide collaboration by giving members access to a shared mailbox, calendar, SharePoint site, files, and more.
Assigned Membership

Static in nature. The administrator determines group membership.
Dynamic Membership

User and device membership based on attribute values.

Queries determine which attributes are used to determine group membership. If a particular user or device account matches the query, it is added to the group. If the attribute changes so that the account no longer matches, the account is removed.
Active Directory Groups Management

Tools available to manage groups:

- Azure Portal
- Azure PowerShell
- Azure CLI
Active Directory Groups Management: Azure Portal
Active Directory Groups Management: Azure PowerShell

New-AzADGroup
    -DisplayName <String>
    -MailNickname <String>
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

# Creates an assigned-membership security group; the mail nickname must be unique in the tenant.
New-AzADGroup -DisplayName "MyGroupDisplayName" -MailNickname "MyGroupNick"
Active Directory Groups Management: Azure CLI

az ad group create --display-name
                   --mail-nickname
                   [--force {false, true}]
                   [--subscription]

# Both parameters are required; --mail-nickname must be unique in the tenant.
az ad group create --display-name "TestGroup 3" --mail-nickname "TestGroup3"
Active Directory Groups: Tips and Tricks

When using dynamic user or dynamic device membership types, you can only use one or the other, not both: a single membership rule cannot reference both user and device attributes.

When creating a dynamic device membership type, attributes for the specific device are examined to determine group membership, not the attributes of the device's owner.

You also have the ability to add a security group to another security group. This is known as a nested group. There are a few rules limiting the nesting of groups (listed on the next slide), but as long as these are followed, nested groups can be a way to simplify management of group membership and of the permissions that flow from it. Note that licenses and app assignments do not flow to nested groups.
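An added example (not part of the course slides or of Microsoft's documentation) covering both the dynamic-membership slide and the tips above: it creates one dynamic user group and one dynamic device group with the Microsoft Graph PowerShell SDK, and checks before calling that a rule refers only to user.* or only to device.* attributes, since a mixed rule is not allowed. It assumes the Microsoft.Graph.Groups module is installed, Connect-MgGraph is run with Group.ReadWrite.All, and the tenant has the Azure AD Premium P1 licensing that dynamic groups require; the group names and rule values are placeholders.

```powershell
# Added example, not from the original course slides.
# Assumes: Microsoft.Graph.Groups installed; Azure AD Premium P1 in the tenant.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-DynamicSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][ValidateSet('user', 'device')][string]$ObjectType,
        [Parameter(Mandatory)][string]$Rule
    )
    # A rule may use user.* or device.* properties, never both. The service would
    # reject a mixed rule; failing here gives a clearer error.
    $expected = "$ObjectType."
    $other    = if ($ObjectType -eq 'user') { 'device.' } else { 'user.' }
    if ($Rule -notmatch [regex]::Escape($expected) -or $Rule -match [regex]::Escape($other)) {
        throw "Rule for a dynamic $ObjectType group must reference only $expected properties: $Rule"
    }

    # Security group (not mail-enabled) whose membership is computed from the rule.
    # MembershipRuleProcessingState 'On' starts evaluation immediately; 'Paused'
    # would create the group without populating it.
    New-MgGroup -DisplayName $DisplayName -MailNickname $MailNickname `
        -MailEnabled:$false -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $Rule `
        -MembershipRuleProcessingState 'On'
}

# Dynamic USER group: membership follows the department attribute and drops
# disabled accounts automatically, matching "if the attribute changes, the account is removed".
$sales = New-DynamicSecurityGroup -DisplayName 'Sales (dynamic)' -MailNickname 'sales-dyn' `
    -ObjectType user `
    -Rule '(user.department -eq "Sales") and (user.accountEnabled -eq true)'

# Dynamic DEVICE group: evaluates the device object's own attributes, not its owner's.
$corpWindows = New-DynamicSecurityGroup -DisplayName 'Corporate Windows devices' -MailNickname 'corp-win-dyn' `
    -ObjectType device `
    -Rule '(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company")'

# Membership is evaluated asynchronously; these show the rule state recorded on each group.
$sales, $corpWindows | Select-Object DisplayName, Id, MembershipRule, MembershipRuleProcessingState

# This would be rejected by the pre-check: a user rule that also names a device attribute.
try {
    New-DynamicSecurityGroup -DisplayName 'Bad rule' -MailNickname 'bad-rule' -ObjectType user `
        -Rule '(user.department -eq "Sales") and (device.deviceOSType -eq "Windows")'
} catch { Write-Warning $_.Exception.Message }
```

Because the rule, not an administrator, decides membership, a writable attribute such as department becomes part of the access-control surface: whoever can edit that attribute on a user can move them into the group.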
Nested Groups: Unsupported Scenarios

The following are not supported in regard to nested groups:

- Adding groups to a group synced with on-premises Active Directory.
- Adding security groups to Office 365 groups.
- Adding Office 365 groups to security groups or other Office 365 groups.
- Assigning apps to nested groups.
- Applying licenses to nested groups.
Securing Applications With Azure Active Directory

A. Apps and Azure AD: getting started protecting your app.
B. Scopes: what can your app do for you?
C. Permissions: making sense of the chaos.
D. Consent: allowing apps to work for you.
Scopes and Permissions Cheat Sheet
Apps and Azure AD: Getting Started Protecting Your App

Developers can build line-of-business (LOB) applications that integrate with the Microsoft identity platform to provide secure sign-in and authorization for their services.

- Users can use their existing Azure AD credentials to access these applications. No more secondary logins for LOB applications!
- The Microsoft identity platform implements the OAuth 2.0 authorization protocol (with OpenID Connect layered on it for sign-in). This allows third-party applications to access web-hosted resources on behalf of a logged-in user.
- These resources can also define a set of permissions that divide the functionality of the resource into smaller chunks. These are known as scopes.
- User and application permissions are used together with scopes to maintain fine-grained control over resource data and to limit API exposure.
Apps and Azure AD: See It in Action

[Diagram] The sequence between the app, the Microsoft identity platform and the Microsoft Graph API:

1. Sign in: the app sends the user to the Microsoft identity platform and receives an ID token.
2. AcquireToken: the app requests an access token from the Microsoft identity platform.
3. HTTP GET + access token: the app calls the Microsoft Graph API, presenting the access token.
4. HTTP response: Microsoft Graph returns the requested data.
Scopes: What Can Your App Do for You?

Scopes are permissions used to define what actions an application can perform on behalf of the user against a resource.

Scopes allow fine-grained control over a user's data and over how API functionality is exposed. A third-party app can request these permissions from users and administrators, who must approve the request before the app can access data or act on a user's behalf.

Scopes are either configured statically on the App Registration under API permissions (the only option for application permissions, also usable for delegated permissions), or requested dynamically in the scope parameter of the sign-in request (delegated permissions only).
Scope Query at User Sign-In

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &response_type=code
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &response_mode=query
    &scope=https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
    &state=12345

The scope parameter carries the delegated permissions the app is asking for (here calendars.read and mail.send on Microsoft Graph), space-separated and URL-encoded as a single value.
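An added example (not part of the course slides or of Microsoft's documentation) that builds the /authorize request shown above in code and parses it back. It goes a little beyond the slide: the state value is random rather than the literal 12345 (state is the CSRF protection for the redirect and must be unguessable), and a PKCE code_challenge is added, which the identity platform expects from public clients using the authorization code flow. The client_id and redirect URI are the slide's placeholder values; no network call is made.

```powershell
# Added example, not from the original course slides. Runs offline.
Add-Type -AssemblyName System.Web -ErrorAction SilentlyContinue

function New-Base64UrlRandom {
    # 32 random bytes, base64url-encoded -> 43 characters; used for both the
    # OAuth state value and the PKCE code verifier.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-CodeChallenge {
    # PKCE S256: base64url(SHA-256(verifier)). Only the challenge goes in the
    # authorize request; the verifier is sent later with the token request.
    param([Parameter(Mandatory)][string]$Verifier)
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
        [System.Text.Encoding]::ASCII.GetBytes($Verifier))
    [Convert]::ToBase64String($hash).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-AuthorizeUrl {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$RedirectUri,
        [Parameter(Mandatory)][string[]]$Scopes,
        [string]$Tenant = 'common'
    )
    $state     = New-Base64UrlRandom
    $verifier  = New-Base64UrlRandom
    $challenge = Get-CodeChallenge -Verifier $verifier

    # Scopes are joined with a space and the whole value is percent-encoded once,
    # which is how the slide's %3A%2F%2F...%20... string is produced.
    $query = @{
        client_id             = $ClientId
        response_type         = 'code'
        redirect_uri          = $RedirectUri
        response_mode         = 'query'
        scope                 = ($Scopes -join ' ')
        state                 = $state
        code_challenge        = $challenge
        code_challenge_method = 'S256'
    }
    $encoded = ($query.GetEnumerator() | Sort-Object Key | ForEach-Object {
        '{0}={1}' -f $_.Key, [Uri]::EscapeDataString([string]$_.Value)
    }) -join '&'

    [pscustomobject]@{
        Url          = "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize?$encoded"
        State        = $state      # keep server-side; must equal state on the redirect
        CodeVerifier = $verifier   # keep secret; send with the token request
    }
}

function Get-RequestedScopes {
    # Pulls the scope list back out of an authorize URL, e.g. when reviewing what
    # an app actually asked for in a proxy capture or sign-in log.
    param([Parameter(Mandatory)][string]$Url)
    $qs = [System.Web.HttpUtility]::ParseQueryString(([Uri]$Url).Query)
    $qs['scope'] -split ' '
}

$req = New-AuthorizeUrl -ClientId '6731de76-14a6-49ae-97bc-6eba6914391e' `
    -RedirectUri 'http://localhost/myapp/' `
    -Scopes 'https://graph.microsoft.com/calendars.read', 'https://graph.microsoft.com/mail.send'

$req.Url
Get-RequestedScopes -Url $req.Url   # -> the two Graph scopes, decoded
```

When the redirect arrives, the app compares the returned state with the stored one before exchanging the code, and includes the stored code verifier in the token request; a mismatch on either means the response was not produced by this app's request.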
Permissions: Making Sense of the Chaos

Permissions for users! Permissions for apps! So many permissions!

While scopes are technically permissions, the term is also used in other ways. Specifically, permissions define what a user or an app can directly access in Azure.

User and app permissions are defined via roles. These roles use role-based access control (RBAC) to determine privileges to resources.

A user may have privileges to write to the whole directory, but the defined scope of permissions for an application may only require read access. So what happens? The user is only allowed read access when using the application. This is due to the concept of effective permissions.

- For delegated permissions, the effective permissions of your app are the intersection of the delegated permissions granted to the app (via consent) and the privileges of the currently signed-in user; the app never gets more than the lesser of the two.
- For application permissions, the effective permissions of your app are the full level of privileges granted to the app. These are used by apps that run without a signed-in user.
Consent: Allowing Apps to Work for You

In order for an application to perform a task on your behalf, you have to agree to let it do so.

This is referred to as consent. Consent is requested at sign-in, when the scopes the app asked for are presented to the Microsoft identity platform and have not already been granted. There are two types of consent:

- Individual user consent occurs when a user signs in to the Microsoft identity platform and is asked to consent to the requested permissions for their own account.
- An administrator can grant consent for the application to act on behalf of any user in the tenant. If the administrator grants consent for the entire tenant, the organization's users won't see a consent page for the application. This is known as administrator consent. Administrator consent is also required for administrator-restricted permissions, such as the ability to read all user profiles in the directory.

Because a consented app acts with the signed-in user's privileges, restricting which permissions users may consent to themselves (and routing the rest through an admin consent request) is a standard hardening step against apps that trick users into granting access.
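An added example (not part of the course slides or of Microsoft's documentation) that turns the consent model above into a check a practitioner can run: it lists every delegated permission grant recorded in the tenant, shows whether each is an individual user consent (consentType Principal) or an administrator consent for all users (consentType AllPrincipals), and flags tenant-wide grants that include scopes this example treats as sensitive. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications modules are installed and Connect-MgGraph is run with Directory.Read.All; the list of sensitive scopes is this example's own choice, not a Microsoft classification.

```powershell
# Added example, not from the original course slides.
# Assumes: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications installed.
Connect-MgGraph -Scopes 'Directory.Read.All'

function Get-ConsentReport {
    param(
        # Scopes whose tenant-wide grant deserves review (this example's own list).
        [string[]]$Sensitive = @(
            'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All',
            'Directory.ReadWrite.All', 'User.ReadWrite.All', 'Sites.ReadWrite.All'
        )
    )
    # Each oauth2PermissionGrant is one consent record: which client service
    # principal may call which resource API, with which delegated scopes, and for
    # whom (one principal, or every principal in the tenant).
    $grants  = Get-MgOauth2PermissionGrant -All
    $spNames = @{}   # cache object ID -> display name to avoid repeated lookups

    foreach ($g in $grants) {
        foreach ($id in @($g.ClientId, $g.ResourceId)) {
            if (-not $spNames.ContainsKey($id)) {
                $spNames[$id] = (Get-MgServicePrincipal -ServicePrincipalId $id).DisplayName
            }
        }
        $scopes    = @($g.Scope -split ' ' | Where-Object { $_ })
        $tenantWide = ($g.ConsentType -eq 'AllPrincipals')   # administrator consent
        $hits      = @($scopes | Where-Object { $_ -in $Sensitive })

        [pscustomobject]@{
            Client      = $spNames[$g.ClientId]
            Resource    = $spNames[$g.ResourceId]
            ConsentType = $g.ConsentType          # AllPrincipals = admin consent, Principal = one user
            PrincipalId = $g.PrincipalId          # $null for tenant-wide grants
            Scopes      = ($scopes -join ' ')
            Flagged     = ($tenantWide -and $hits.Count -gt 0)
            FlaggedFor  = ($hits -join ' ')
        }
    }
}

$report = Get-ConsentReport

# Tenant-wide admin consents carrying sensitive scopes: review each one.
$report | Where-Object Flagged | Format-Table Client, Resource, FlaggedFor -AutoSize

# Individual user consents, grouped by app: the volume here is what a user-consent
# restriction policy would have prevented.
$report | Where-Object ConsentType -eq 'Principal' |
    Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Application permissions (the app-only ones used by daemons) are not in this list; they are recorded as app role assignments on the client's service principal and are audited separately.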
Scopes and Permissions Cheat Sheet

Scopes: privileges an app can exercise directly against APIs or on your behalf.

- Application scopes are set in the Azure Portal (API Permissions).
- Delegated scopes are queries sent with the authentication call to the Microsoft identity platform (login).

Permissions: privileges the user or app has over Azure AD and/or Azure resources.

- Azure AD: based on Directory Role.
- Azure: based on the RBAC role and scope assigned to the user or app service principal.

Scopes and permissions work together to grant access (this is known as effective permissions).

- Delegated permissions: used when a signed-in user is present.
  - Least privilege between consented app permissions and user permissions.
  - The app can never have more permission than the signed-in user.
- Application permissions: used by apps that run without a signed-in user present, for example apps that run as background services or daemons.
Azure Active Directory Connect (AAD Connect)

[Diagram] Azure Active Directory (authentication methods; users, groups, devices) at the top. On the lower left, the on-premises environment: domain controller, servers and PCs, whose users and groups are synchronized to Azure AD through AAD Connect. On the lower right, the Azure infrastructure: virtual machines, Azure SQL instances and web services, reached from on-premises over a site-to-site VPN or ExpressRoute.
What Is Azure Active Directory Connect?

Azure Active Directory (AD) Connect is the Microsoft tool used to deploy, configure, manage, and monitor hybrid identity between on-premises AD and Azure AD.

Azure AD Connect 1.x is supported on Windows Server 2012 R2 and up; Azure AD Connect 2.x requires Windows Server 2016 or later.

More information: Key Features, Prerequisites, Sync Rules Editor, Scheduler.
AAD Connect: Key Features

- Synchronization of users, groups, and other objects between on-premises AD and Azure AD.
- Provides the ability to configure and deploy the following hybrid identity solutions:
  - Password hash synchronization (PHS)
  - Pass-through authentication (PTA)
  - Federation integration, including AD Federation Services
- Health monitoring, by providing monitoring data visible within the Azure Portal.
AAD Connect: Prerequisites

- Domain prerequisites
- Server prerequisites
- SQL prerequisites
- Account prerequisites

See the Microsoft prerequisite documentation for the full list.
AAD Connect: Domain Prerequisites

- You have to be using Active Directory as your on-premises identity platform.
- Schema version and forest functional level must be at Windows Server 2003 or later.
- The on-premises domain controller used by AADC must be writable; no read-only domain controllers.
- "Dotted" NetBIOS domain names are unsupported.
- It is strongly recommended to enable the AD Recycle Bin.
- Domain name must be Internet routable!
AAD Connect: Server Prerequisites

- Windows Server 2008 R2 or later.
- This server must be domain-joined and may be a domain controller or a member server.
- If you install Azure AD Connect on Windows Server 2008 R2, the server must be fully patched.
- .NET Framework 4.5.1 or later must be installed.
- Microsoft PowerShell 3.0 or later must be installed.
- Password synchronization requires the server to be on Windows Server 2008 R2 SP1 or later.
- Group managed service accounts require the server to be on Windows Server 2012 or later.

Hardware prerequisites:

# AD Objects    CPU       Memory   HD Size
< 50,000        1.6 GHz   4 GB     70 GB
50K - 100K      1.6 GHz   16 GB    100 GB
100K - 300K     1.6 GHz   32 GB    300 GB
300K - 600K     1.6 GHz   32 GB    450 GB
> 600K          1.6 GHz   32 GB    500 GB
AAD Connect: SQL Prerequisites

- Azure AD Connect requires a SQL Server database to store identity data.
  - SQL Server 2012 Express LocalDB is installed by default.
  - SQL Server Express has a 10 GB size limit, which enables you to manage approximately 100,000 objects.
- If you need to manage a greater volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.
- All versions of Microsoft SQL Server from SQL Server 2008 R2 (with latest Service Pack) to SQL Server 2019 are supported.
- Microsoft Azure SQL Database is not supported as a database.
- You must use a case-insensitive SQL collation. These collations are identified with a _CI_ in their name.
- You can only have one sync engine per SQL instance. It is not supported to share a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync.
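The domain, server, hardware and SQL prerequisites on the preceding slides can be checked before the installer is ever run. The script below is an added example, not part of the course or of Azure AD Connect itself. It assumes the ActiveDirectory RSAT module is available on the intended AAD Connect server, that the session is elevated, and, for the SQL checks, that the SqlServer module is installed and a full SQL Server instance name is passed as -SqlInstance (the default LocalDB needs none). The "Internet-routable" test is a heuristic on common lab suffixes only; the real requirement is that the suffix is a verified domain in the tenant.

```powershell
#Requires -Version 3.0
# Added example (not from the course): pre-flight checks for the AAD Connect
# prerequisites listed on the slides. Run on the server that will host AAD Connect.
param([string]$SqlInstance)   # optional: full SQL Server instance (assumed name)

Import-Module ActiveDirectory -ErrorAction Stop
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# ---- Domain prerequisites ---------------------------------------------------
$forest = Get-ADForest
$domain = Get-ADDomain
# ADForestMode enum: Windows2000Forest=0, Windows2003InterimForest=1, Windows2003Forest=2, ...
Add-Check 'Forest functional level >= Windows Server 2003' ([int]$forest.ForestMode -ge 2) "$($forest.ForestMode)"
# Schema objectVersion 30 is the Windows Server 2003 schema; later schemas are higher.
$schemaVer = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
Add-Check 'Schema version >= Windows Server 2003 (30)' ($schemaVer -ge 30) "objectVersion=$schemaVer"
$dc = Get-ADDomainController -Discover -Writable -ErrorAction SilentlyContinue
Add-Check 'A writable domain controller is reachable' ($null -ne $dc) "$($dc.HostName)"
Add-Check 'NetBIOS domain name has no dots' ($domain.NetBIOSName -notmatch '\.') $domain.NetBIOSName
$bin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
Add-Check 'AD Recycle Bin enabled (recommended)' ($bin.EnabledScopes.Count -gt 0) "scopes=$($bin.EnabledScopes.Count)"
# Heuristic only: flags suffixes that are never Internet-routable.
Add-Check 'Domain DNS name looks Internet-routable' ($domain.DNSRoot -notmatch '\.(local|lan|internal|corp)$') $domain.DNSRoot

# ---- Server prerequisites ---------------------------------------------------
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Windows Server 2008 R2 (6.1) or later' ([version]$os.Version -ge [version]'6.1') $os.Caption
Add-Check 'Server is domain-joined' $cs.PartOfDomain $cs.Domain
# .NET Framework 4.5.1 writes Release 378675 (Server 2012 R2) or 378758 on other versions.
$rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework 4.5.1 or later' ($rel -ge 378675) "Release=$rel"
Add-Check 'PowerShell 3.0 or later' ($PSVersionTable.PSVersion.Major -ge 3) "$($PSVersionTable.PSVersion)"

# ---- Hardware sizing from the slide's table ---------------------------------
$objectCount = @(Get-ADUser -Filter *).Count + @(Get-ADGroup -Filter *).Count + @(Get-ADComputer -Filter *).Count
$tiers = @(
    @{ Max = 50000;           MemGB = 4;  DiskGB = 70  },
    @{ Max = 100000;          MemGB = 16; DiskGB = 100 },
    @{ Max = 300000;          MemGB = 32; DiskGB = 300 },
    @{ Max = 600000;          MemGB = 32; DiskGB = 450 },
    @{ Max = [int]::MaxValue; MemGB = 32; DiskGB = 500 }
)
$tier   = $tiers | Where-Object { $objectCount -lt $_.Max } | Select-Object -First 1
$memGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$cpuMHz = (Get-CimInstance Win32_Processor | Select-Object -First 1).MaxClockSpeed
$sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$freeGB = [math]::Round($sysDrive.FreeSpace / 1GB, 1)
Add-Check 'CPU >= 1.6 GHz' ($cpuMHz -ge 1600) "$cpuMHz MHz"
Add-Check "Memory >= $($tier.MemGB) GB for $objectCount objects" ($memGB -ge $tier.MemGB) "$memGB GB"
Add-Check "Free disk >= $($tier.DiskGB) GB on $env:SystemDrive" ($freeGB -ge $tier.DiskGB) "$freeGB GB free"

# ---- SQL prerequisites (only when pointing at a full SQL Server instance) ----
if ($SqlInstance) {
    Import-Module SqlServer -ErrorAction Stop
    $q = "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS Collation, " +
         "CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS Ver"
    $sql = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $q
    Add-Check 'SQL collation is case-insensitive (_CI_)' ($sql.Collation -match '_CI_') $sql.Collation
    # SQL Server 2008 R2 is version 10.50.x; SQL Server 2019 is 15.x.
    $v = [version]$sql.Ver
    Add-Check 'SQL Server 2008 R2 .. 2019' ($v -ge [version]'10.50' -and $v.Major -le 15) $sql.Ver
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit for use in automation
```

Every failed row names the slide requirement it maps to, so the output doubles as the checklist to hand to whoever owns the domain or the SQL instance. The object count only covers users, groups and computers, which is a reasonable proxy for the sizing table; the one-sync-engine-per-instance rule and the "no Azure SQL Database" rule are not things a script can verify and stay a manual check.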
AAD Connect: Account Prerequisites

- An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft Account.
- If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises Active Directory.
- If you use the custom settings installation path, either use an Enterprise Administrator account for your on-premises Active Directory or refer to the Microsoft documentation.
AAD Connect: Synchronization Scheduler

The following is a summary of some key management operations.

- By default, sync operations will operate every 30 minutes.
- The Synchronization Service Manager GUI tool supports configuration and monitoring of synchronization operations.
- To check the status of the synchronization service with PowerShell, use Get-ADSyncScheduler.
- Sync operations can be triggered with PowerShell by using Start-ADSyncSyncCycle.
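The two cmdlets named on the slide are enough to build a small operator toolkit around the scheduler. The script below is an added example, not course material or part of the ADSync module; it assumes it is run on the AAD Connect server where the ADSync module is installed. The wait loop, the maintenance pause and the property summary are this example's own logic; the cmdlets themselves do none of that for you.

```powershell
# Added example (not from the course): inspect and drive the AAD Connect scheduler.
Import-Module ADSync -ErrorAction Stop

# Summarize the scheduler state that Get-ADSyncScheduler exposes.
function Show-SyncState {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncEnabled     = $s.SyncCycleEnabled
        StagingMode     = $s.StagingModeEnabled                # a staging-mode server never exports
        Interval        = $s.CurrentlyEffectiveSyncCycleInterval   # 00:30:00 unless customized
        AllowedMinimum  = $s.AllowedSyncCycleInterval          # the service will not go below this
        NextCycleUTC    = $s.NextSyncCycleStartTimeInUTC
        NextPolicy      = $s.NextSyncCyclePolicyType           # Delta or Initial
        CycleInProgress = $s.SyncCycleInProgress
    }
}

# Pause scheduled cycles during maintenance (e.g. rule edits) and resume afterwards.
function Set-SyncPaused([bool]$Paused) {
    Set-ADSyncScheduler -SyncCycleEnabled (-not $Paused)
    Show-SyncState
}

# Trigger a delta cycle on demand and wait for it to complete.
# Start-ADSyncSyncCycle refuses to start while another cycle is running, so wait first.
function Invoke-DeltaSync([int]$TimeoutSeconds = 600) {
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "A sync cycle was still running after $TimeoutSeconds s." }
        Start-Sleep -Seconds 10
    }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 5          # give the service a moment to flag the new cycle
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "The delta cycle did not finish within $TimeoutSeconds s." }
        Start-Sleep -Seconds 10
    }
    Show-SyncState
}

# Typical use after a change in the on-premises directory:
Show-SyncState
Invoke-DeltaSync
```

Use -PolicyType Initial only when a full re-import is genuinely needed (for example after changing sync rules or filtering); it re-reads every object and can take hours in a large forest, whereas Delta only processes changes since the last run. If AllowedSyncCycleInterval is longer than the interval you configured, the service silently uses the longer value, which the summary above makes visible.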
AAD Connect: Rules Editor

- Allows for customized synchronization rules in Azure AD Connect.
- Provides in-depth LDAP attribute filtering above and beyond default AADC filtering options.
- Can be used to fix modified default rules.
- BE CAREFUL! You can overwrite the default synchronization options, which can break synchronization!
- Clone, clone, clone! Work on a cloned copy of a rule rather than editing the default rule itself.
Azure AD Authentication Methods

To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are listed below.

Choose the right authentication.

AUTHENTICATION METHODS
- Password Hash Synchronization (PHS)
- Pass-through Authentication (PTA)
- Federation
Password Hash Synchronization (PHS)

PHS synchronizes a hash of a user's on-premises password to Azure Active Directory (AD). Using Azure AD Connect, we can configure PHS so all cloud user authentication occurs in Azure AD. PHS can optionally be configured as a backup for ADFS.

Azure AD Connect express install defaults to deploying Password Hash Sync.

The main benefits:
- Synchronizes users, contacts, and group accounts between on-premises and Azure AD.
- Supports Office 365 hybrid identity.
- Enables users to sign in and access cloud services/apps using on-premises credentials.

Important considerations:
- PHS provides the fewest features.
- Multifactor authentication (MFA) with PHS is only possible using Azure AD MFA.
- Some organizations have security restrictions which prevent passwords being stored in the cloud.
[Diagram: password hash synchronization. The user's password (Password1) is stored as a hash in on-premises Active Directory; AAD Connect synchronizes the hash, not the password, to Azure AD.]
Pass-Through Authentication (PTA)

PTA provides the same seamless single sign-on experience as PHS, but offers additional security benefits.

The main benefits:
- Synchronization of users, contacts, and group accounts between on-premises and Azure AD.
- Supports Office 365 hybrid identity.
- Enables users to sign in and access cloud services and apps using on-premises credentials.
- Does not require password hashes to be stored in the cloud.
- Only requires outbound connectivity from the on-premises Authentication Agents.
- All on-premises account policies are enforced when the user signs in (e.g. expiry, login hours, etc.).

Important considerations:
- On-premises multi-factor authentication (MFA) solutions are not supported with PTA.
- PTA is not integrated with Azure AD Connect Health.
- Detection of users with leaked credentials is not available.
- Seamless Single Sign On!
Federation

Federation is a collection of domains that have established trusts. When an on-premises directory is federated with Azure Active Directory, the trust is established. This provides authentication (confirming you are who you say you are) and authorization (determining what you are allowed to access).

With federated identity, all user authentication occurs on-premises.

The main benefits:
- Supports an array of third-party and on-premises multifactor authentication solutions.
- Supports smart card authentication.
- Allows the display of password expiry notifications in the Office Portal and Windows 10 desktop.
- Supports all on-premises account policies (e.g. expiry, hours logged in, etc.) as on-premises sign-in occurs.

Important considerations:
- Requires more infrastructure.
- Is more complex to configure and maintain.
- Does not support seamless single sign-on.
[Diagram: federated sign-in. Intranet users sign in directly against on-premises Active Directory/AD FS; extranet users sign in through the Web Application Proxy in front of AD FS. In both cases the user then accesses Azure resources with the federated identity.]
Multi-Factor Authentication (MFA)

A. What is MFA? We cover the basics.
B. Types of MFA: We discuss the various types of MFA, which to use, and how to get them.
C. Best Practices: MFA can cause tremendous headaches. We provide some tips to avoid them.
D. Configuration: We talk about rolling MFA out to your organization.
Multi-Factor Authentication (MFA): What Is It?

Simply put, multi-factor authentication (MFA) is logging into Azure AD using more than one form of authentication.

- Provides additional security for user accounts by requiring a second form of authentication.
- Typically, authentication methods are:
  - Something you know: typically a password.
  - Something you have: a trusted device that is not easily duplicated, like a phone.
  - Something you are: biometrics.
- Delivers strong authentication via a range of easy-to-use authentication methods:
  - Text message
  - Phone call
  - Authentication request via app
  - Auth code via app
  - Hard tokens
- MFA can be bypassed based on the configuration of the product.
Multi-Factor Authentication (MFA): Types of MFA

There are different types of MFA available to meet organizational security requirements.

- Azure Cloud MFA
- MFA Server: used to secure on-premises resources with Azure MFA.
  - Remote Desktop, IIS Web Apps, etc.
  - Dual registration
  - Use only when necessary
- RADIUS Integration: used for integration with RDS and VPN.
- Global Administrators

How Do We Get It?
- Licenses!
  - Azure AD Premium
  - Azure AD Free or Basic
  - Office 365
  - Azure AD Global Administrators
- Microsoft MFA Licensing Information
Multi-Factor Authentication (MFA): Best Practices

MFA can be very frustrating for your users and support staff if it isn't implemented properly. Here are a few tips to avoid potential problems.

- Communication
  - Microsoft communication templates and end-user documentation make this easier.
- Conditional access
  - Exclusions for support staff
  - Named locations
- Azure Identity Protection
Multi-Factor Authentication (MFA): Configuration

Making it work!

- Licensing users
- Configuring MFA service
- Other configuration options
  - App passwords
  - Authenticator app
- Per-user vs. conditional access vs. IDP
  - We will discuss conditional access in an upcoming lesson.
  - We will discuss IDP in an upcoming lesson.
Conditional Access in Azure

A. Conditional Access Overview: Security on your terms!
B. Access Policies: The four Ws: Who, What, Where and How...
C. Best Practices: Dos and Don'ts.
D. Deployment: Start securing your environment.
Conditional Access in Azure: An Overview

Conditional access is automated access control that strengthens user sign-in and access to cloud applications.

- Not used as a first-factor authentication; passwords are still required.
- Can be used to require multi-factor authentication.
- Common scenarios:
  - Sign-in risk
    - Bad actor detection (e.g. leaked credentials)
    - Need more information
      - Require MFA
      - Block specific applications if unable to obtain proof
  - Location
    - On-premises (named locations) vs. internet
    - Countries and regions
    - MFA-trusted IPs
  - Device management
    - What device are you using?
    - Corporate-owned devices
    - BYOD
  - Client application
Conditional Access in Azure: Access Policies

Access policies are the focus of conditional access.

When This Happens / Do This

Policies are based on conditions and access controls.
- When this happens (condition)
  - Who are you?
    - User/group membership
  - What are you accessing?
    - Required: User and Application
    - Others: location, sign-in risk
- Do this (access control)
  - Grant controls
    - Used to gate access (let you in)
    - In order to gain access, you must:
      - Use MFA.
      - Use a compliant device.
      - Use a hybrid-joined device (workstation).
      - Use an approved client app.
  - Session controls
    - Limited experience within a cloud app.
Conditional Access in Azure: Best Practices

Like MFA, failure to carefully execute conditional access policies could have catastrophic consequences.

Don'ts:
- For all users/all cloud apps:
  - Block access.
  - Require compliant device.
  - Require domain join.
  - Require app protection policy.
- For all users, all cloud apps, and all device platforms:
  - Block access. This configuration blocks your entire organization, which is definitely not a good idea.

Dos:
- Have exclusions for admin personnel.
  - Being locked out of Admin Portal is bad. Trust me.
- Use the What-If tool to test policies.
- Pilot access using groups. Don't start with everyone!
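The dos and don'ts above, together with the "require MFA" grant control from the access-policies slide, can be expressed as one policy definition. The script below is an added example, not part of the course or of Microsoft's own samples. It assumes the Microsoft Graph PowerShell SDK is installed and uses its Connect-MgGraph and New-MgIdentityConditionalAccessPolicy cmdlets; the two group IDs are placeholders you must replace with your own pilot group and your admin/break-glass exclusion group.

```powershell
# Added example (not from the course): a Conditional Access policy built the
# way the slide recommends: scoped to a pilot group, excluding admin personnel,
# and created in report-only mode so nothing is enforced until it has been reviewed.
Import-Module Microsoft.Graph.Identity.SignIns -ErrorAction Stop

# Policy.ReadWrite.ConditionalAccess is needed to create policies;
# Application.Read.All lets the policy reference cloud apps.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$pilotGroupId      = '00000000-0000-0000-0000-000000000001'   # placeholder: MFA pilot group
$breakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: admin/break-glass group

$policy = @{
    displayName = 'CA-PILOT-Require MFA for all cloud apps'
    # Report-only: evaluated and written to the sign-in logs, never enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)        # pilot with a group, not "All"
            excludeGroups = @($breakGlassGroupId)   # never lock out admin personnel
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                  # grant control from the access-policies slide
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Only after the report-only results and the What-If tool agree with what you expect:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Report-only mode complements the What-If tool rather than replacing it: What-If answers "what would this policy do for this user right now", while report-only shows what it would have done for every real sign-in while it was active. The exclusion group is the safety net the slide is describing; the policy is widened from the pilot group to everyone only once both sources of evidence are clean.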
Conditional Access in Azure: Deployment

Now that we've discussed conditional access in depth, let's roll it out!

- Licensing users.
- Configuring access policies.
- Testing with client user accounts.
- Locking ourselves out (don't try this at home)!

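The Dos and Don'ts above are easy to check mechanically before a policy is switched on. The following is an added example, not code from the course or from Microsoft: it lints a Conditional Access policy written in the Microsoft Graph conditionalAccessPolicy JSON shape for the lock-out patterns listed on the slide (everyone + every app + a blocking or device-requiring control, no admin exclusion, enabled without a pilot or report-only phase). The Global Administrator role template ID is the well-known one; the pilot-group and break-glass object IDs and both policy bodies are constructed placeholders.

```python
"""Lint a Conditional Access policy (Graph conditionalAccessPolicy JSON shape)
for the lock-out patterns in the Dos and Don'ts list, before enabling it.
Constructed example: the policy bodies below are not from a real tenant."""
from typing import Dict, List

# Well-known directory role template ID for Global Administrator, used in
# excludeRoles so admins are never caught by a tenant-wide policy.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Placeholder object IDs for a pilot group and a break-glass account (constructed).
PILOT_GROUP = "00000000-0000-0000-0000-00000000aaaa"
BREAK_GLASS_USER = "00000000-0000-0000-0000-00000000bbbb"

# Grant controls that, applied to every user and every app, can lock the whole
# tenant out (block, compliant device, domain join, app protection policy).
LOCKOUT_CONTROLS = {"block", "compliantDevice", "domainJoinedDevice",
                    "approvedApplication", "compliantApplication"}


def lint_policy(policy: Dict) -> List[str]:
    """Return a list of findings; an empty list means the policy is safe to pilot."""
    findings: List[str] = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))

    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in apps.get("includeApplications", [])
    admin_excluded = (GLOBAL_ADMIN_ROLE in users.get("excludeRoles", [])
                      or bool(users.get("excludeUsers"))
                      or bool(users.get("excludeGroups")))

    risky = sorted(controls & LOCKOUT_CONTROLS)
    if all_users and all_apps and risky:
        findings.append(f"all users + all cloud apps + {risky}: "
                        "can block the entire organization, admins included")
    if all_users and not admin_excluded:
        findings.append("no admin or break-glass exclusion on an all-users policy")
    if all_users and policy.get("state") == "enabled":
        findings.append("enabled tenant-wide without a report-only or pilot-group phase")
    return findings


# Don't: the configuration the slide warns about.
BLOCK_EVERYONE = {
    "displayName": "Block all",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": [], "excludeRoles": []},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["all"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Do: scoped to a pilot group, admins and a break-glass account excluded,
# rolled out in report-only mode first.
PILOT_MFA = {
    "displayName": "Pilot: require MFA",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": [PILOT_GROUP],
                  "excludeUsers": [BREAK_GLASS_USER],
                  "excludeRoles": [GLOBAL_ADMIN_ROLE]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for p in (BLOCK_EVERYONE, PILOT_MFA):
        print(p["displayName"], lint_policy(p) or "OK")
```

Run it against the JSON you get back from GET /identity/conditionalAccess/policies (or the body you are about to POST) and treat any finding as a blocker; the lint deliberately ignores location and device conditions, so a clean result still needs the What-If tool and a pilot group.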
Azure AD Identity Protection

Topics in this section include:

A. What is AD Identity Protection: Going over the basics.
B. Identity Protection Components: Getting under the hood with AADIP.
C. Risks: Covering the risks and how AADIP helps.
D. Best Practices: Providing security without the headaches.
E. Configuration: Securing our environment using AADIP.

Azure AD Identity Protection: Automated Protection for User Identities; More Security and Less Administration

- Stolen user identities are a leading cause of security breaches. Attackers leverage phishing attacks and malware to gain access to systems.
- Even low-level user accounts can be used to gain access to a majority of network resources.
- Administrators must protect all identities, no matter the privilege level, and ensure that compromised identities do not gain access.
- This typically involves full-time awareness and monitoring of all user identities. The administrative effort is huge and, most of the time, completely reactive in nature.
- Azure AD Identity Protection removes much of this effort by providing a comprehensive solution that:
  - Proactively prevents compromised identities from accessing resources.
  - Provides recommendations to improve security by analyzing vulnerabilities, such as user and sign-in risk levels and risk events, as well as environmental factors.
  - Notifies administrators of risk events.
  - Allows administrators to create policies to automatically mitigate risk events.

Azure AD Identity Protection: Components

Diagram: Azure AD Identity Protection, showing its components: User, Risks, Machine Learning, Vulnerabilities, Policies, Notifications, Admin.

Risks: What Azure AD Identity Protection Is Designed to Mitigate

There are two types of risks:

- Sign-in risk
  - Represents the likelihood a given authentication request isn't authorized by the identity owner.
  - Two evaluations of sign-in risk:
    - Sign-in risk (real-time), calculated during the sign-in.
    - Sign-in risk (aggregate), calculated offline after the sign-in.
- User risk
  - Represents the likelihood a given identity is compromised.
  - Calculated from:
    - All risky sign-ins.
    - All risk events not linked to a sign-in.
    - The current user risk.
    - Any risk remediation or dismissal actions.

Types of risk events:
- Atypical travel
- Anonymous IP addresses
- Unfamiliar sign-in properties
- IP addresses linked to malware
- Leaked credentials

Machine Learning

Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents. These could indicate potentially compromised identities.

Using this data, Identity Protection generates reports and alerts, enabling you to evaluate the detected issues and take appropriate mitigation or remediation actions.

This data is also used when evaluating conditional access policies to determine automatic remediation of user or sign-in risks.

Vulnerabilities

Vulnerabilities are weaknesses in an environment that can be exploited by an attacker.

Azure AD Identity Protection identifies these vulnerabilities and presents them in the Overview Dashboard. Clicking on each one provides more information and recommendations on how to remediate them, strengthening the security score of the organization.

If configured, alerts from Privileged Identity Management appear here.

Policies

In order to take advantage of the risks and vulnerabilities detected by Azure AD Identity Protection, there are three policies we can configure to automate responses to these potential threats.

- Multi-factor authentication registration policy
  - Used to require registration to the Azure MFA service.
  - The Azure MFA service should be configured beforehand.
  - User communication should occur before implementing this policy.
- User risk policy
  - Automatically responds to a user risk (identity compromise).
  - Can be configured to block access to your resources or to require a password change. The password change is only a remediation if the user has already registered for MFA, which is why the registration policy comes first.
- Sign-in risk policy
  - Used to react to suspicious actions that come along with the user sign-in.
  - Can be configured to block the sign-in or require MFA.

Notifications

Azure AD Identity Protection sends two types of automated notification emails to help administrators manage user risk and risk events.

- Users at risk detected email
  - An email is sent per user-risk incident.
  - Risk levels and recipients are adjustable for these notifications.
  - The email contains a Users flagged for risk report.
  - Administrators will only receive one email when the user reaches this risk level.
  - Upon receipt, the user should immediately be investigated.
- Weekly digest email
  - Emails are sent once a week to all Global Administrators, Security Administrators, and Security Readers.
  - Contains a summary of new risk events. This includes:
    - Users at risk
    - Suspicious activities
    - Detected vulnerabilities
    - Links to the related reports in Identity Protection

Azure AD Identity Protection: Best Practices

- A high threshold reduces the number of times a policy is triggered.
  - Minimizes the impact to users.
  - Excludes sign-ins flagged at low and medium risk.
  - May not block an attacker.
- When setting the policy:
  - Exclude users who do not or cannot have multi-factor authentication.
  - Exclude users in locales where enabling the policy is not practical (e.g., no access to a helpdesk).
  - Exclude users who are likely to generate many false positives, such as developers and security analysts.
  - Every excluded account is outside the policy's protection, so monitor excluded accounts separately.
- Use a high threshold during the initial policy roll-out.
- Use a low threshold if your organization requires greater security.
  - Selecting a low threshold introduces additional user sign-in challenges, but grants increased security.
- The recommended default for most organizations is to configure a rule for a medium threshold.

Azure AD Identity Protection: Configuration Steps

- License users (Azure AD Premium P2).
- Onboard Azure AD Identity Protection.
- Configure the MFA registration policy (optional but recommended).
- Configure the user risk policy.
- Configure the sign-in risk policy.
- Test the configurations.

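The user risk and sign-in risk policies, the threshold trade-off from the best-practices slide, and the "test the configurations" step above can be worked through offline. The following is an added example, not code from the course or from Microsoft: it writes the two risk policies as risk-based Conditional Access policies in the Microsoft Graph conditionalAccessPolicy shape, then runs a simplified local evaluator over constructed sign-in events to show which grant controls each one would hit at a medium versus a high sign-in risk threshold. The evaluator is an assumption of how the service combines these conditions (it ignores device, location and application conditions), the break-glass group ID is a placeholder, and the sign-in events are made up.

```python
"""Evaluate user-risk and sign-in-risk policies against constructed sign-in
events to see what the chosen risk threshold does. Constructed example: the
policies use the Graph conditionalAccessPolicy shape, the sign-ins are made
up, and the evaluator is a local simplification of the real service (device,
location and app conditions are ignored)."""
from typing import Dict, List

RISK_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000cccc"  # placeholder group ID


def levels_at_or_above(threshold: str) -> List[str]:
    """Graph policies list each level explicitly: a 'medium' threshold is
    ["medium", "high"], a 'high' threshold is ["high"]."""
    return [lvl for lvl, rank in RISK_RANK.items()
            if rank and rank >= RISK_RANK[threshold]]


def risk_policies(user_threshold: str = "high",
                  signin_threshold: str = "medium") -> List[Dict]:
    """The user risk and sign-in risk policies from the slide, as Graph bodies."""
    scope = {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
             "applications": {"includeApplications": ["All"]}}
    return [
        {"displayName": "User risk: MFA then password change", "state": "enabled",
         "conditions": {**scope, "userRiskLevels": levels_at_or_above(user_threshold)},
         # passwordChange must be combined with mfa using the AND operator.
         "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
        {"displayName": "Sign-in risk: require MFA", "state": "enabled",
         "conditions": {**scope, "signInRiskLevels": levels_at_or_above(signin_threshold)},
         "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    ]


def evaluate(signin: Dict, policies: List[Dict]) -> List[str]:
    """Return the grant controls a sign-in would have to satisfy."""
    required = set()
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        cond = policy["conditions"]
        users = cond["users"]
        if set(users.get("excludeGroups", [])) & set(signin["groups"]):
            continue  # excluded principals are never evaluated by this policy
        if "All" not in users.get("includeUsers", []):
            continue
        if cond.get("userRiskLevels") and signin["userRiskLevel"] not in cond["userRiskLevels"]:
            continue
        if cond.get("signInRiskLevels") and signin["signInRiskLevel"] not in cond["signInRiskLevels"]:
            continue
        required.update(policy["grantControls"]["builtInControls"])
    return sorted(required)


# Constructed sign-in events carrying the risk levels Identity Protection would attach.
LEAKED_CREDENTIALS = {"user": "alice", "groups": [], "userRiskLevel": "high",
                      "signInRiskLevel": "low", "detection": "leakedCredentials"}
ANONYMOUS_IP = {"user": "bob", "groups": [], "userRiskLevel": "none",
                "signInRiskLevel": "medium", "detection": "anonymizedIPAddress"}
BREAK_GLASS = {"user": "breakglass", "groups": [BREAK_GLASS_GROUP], "userRiskLevel": "high",
               "signInRiskLevel": "high", "detection": "leakedCredentials"}

if __name__ == "__main__":
    for threshold in ("medium", "high"):
        policies = risk_policies(signin_threshold=threshold)
        for event in (LEAKED_CREDENTIALS, ANONYMOUS_IP, BREAK_GLASS):
            print(threshold, event["user"], evaluate(event, policies))
```

Two things the output makes concrete: raising the sign-in threshold from medium to high lets the anonymous-IP sign-in through with no challenge at all, which is the "may not block an attacker" caveat from the best-practices slide; and the excluded break-glass account is never challenged even with leaked credentials, so exclusions must be paired with separate alerting on those accounts.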
Azure AD Privileged Identity Management

Topics in this section include:

A. Overview and Activation: Let's talk PIM and get started!
B. Configuration, Access Requests, and Approval: Security wizard, role settings and more.
C. Reviewing Access: Auditing and access reviews.

Azure AD Privileged Identity Management, Part I: Overview and Activation

- What Is Azure PIM?
- Azure AD Resources
- PIM Licensing
- PIM Terminology
- PIM Activation Requirements
- MS PIM Documentation

Azure AD Privileged Identity Management

- Concerned about privileged access?
- Too many administrators?
- Duplicate access rights?

Azure Active Directory Privileged Identity Management (PIM) can help by providing:

- Just-in-time (as needed) privileged access to Azure AD and Azure resources.
- Time-bound (expiring) access to resources.
- Approval requirements to activate privileged roles.
- Multi-factor authentication enforcement to activate any role.
- Justification to understand why users activate.
- Notifications when privileged roles are activated.
- Access reviews to ensure users still need roles.
- Downloadable history for internal or external audit.

Azure AD Privileged Identity Management: Directory Roles

PIM allows for on-demand membership of users in elevated directory roles, such as:

- Global administrator
- Security administrator
- User administrator
- Exchange administrator
- SharePoint administrator
- Intune administrator
- Security reader
- Service administrator
- Billing administrator
- Skype for Business administrator
- And most others!

Azure AD Privileged Identity Management: Azure Resource Roles

In addition to management of Azure AD directory roles, PIM allows for on-demand management of members for Azure resource roles. These include:

- Owner
- Contributor
- User Access Administrator
- Security Admin

Subscription-level roles and Azure Management Groups can be managed with PIM.

PIM Terminology

These are the relevant terms used in PIM architecture. You should review these to better understand PIM management of Azure AD roles and Azure resources.

- Eligible: the user may activate the role when needed, but holds no privileges until activated.
- Active: the role assignment is in effect and its privileges can be used.
- Activate: the action an eligible user performs (with MFA, justification or approval, as configured) to make the role active for a limited time.
- Activated: an eligible assignment that has been activated and is currently in effect.
- Assigned: an active assignment granted directly, without activation.
- Permanent eligible: eligible with no expiry date.
- Permanent active: active with no expiry date.
- Expire eligible: eligible only until a set end date.
- Expire active: active only until a set end date.
- Just-in-time (JIT) access: privileges granted only when needed and only for as long as needed.
- Principle of least privilege access: grant only the permissions required for the task at hand.

Licensing PIM

Azure AD must have one of the following paid or trial licenses in order to use PIM:

- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
- Microsoft 365 E5

Which users must have licenses? Each administrator or user interacting with or receiving a benefit from PIM:

- Administrators with Azure AD roles managed using PIM.
- Administrators with Azure resource roles managed using PIM.
- Administrators assigned to the Privileged Role Administrator role.
- Users assigned as eligible to Azure AD roles managed using PIM.
- Users able to approve or reject requests in PIM.
- Users assigned to an Azure resource role with just-in-time or direct (time-based) assignments.
- Users assigned to an access review.
- Users who perform access reviews.
- In short... EVERYONE!

Activating PIM

To activate PIM:
- You must be a Global Administrator.
- You must use an organizational account (not a personal account).

Upon activation:
- You are automatically assigned the Security Administrator and Privileged Role Administrator roles in Azure AD.

Azure AD Privileged Identity Management, Part II: Configuration, Access Requests, and Approval

Admin: Azure AD roles
- Security Wizard
- Roles and Members
- AD Role Settings

Admin: Azure resource roles
- Discover Resources
- Roles and Members
- AD Resource Settings

PIM eligible members
- My Roles
- Approve Requests

PIM Security Wizard

- Use the Security Wizard to determine the current membership of all high-privileged AD security roles. You can then use the Wizard to reduce the number of permanently assigned role holders by converting those to eligible role assignments.
- You can choose not to act on any security assignments at the time and instead perform the changes later.
- If you choose to modify the security assignments, make sure the changes are announced to all administrators and business units ahead of time!
- At least one organizational account (not a personal account) must hold permanent Global Administrator and Privileged Role Administrator rights.
- If there is only one Privileged Role Administrator in the organization, the organization will not be able to manage PIM if that account is deleted.

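The Security Wizard's job, listing permanent holders of privileged roles and converting them to eligible while keeping a permanent organizational break-glass holder, is worth being able to reproduce from an export, both to review what the wizard will do and to re-check the tenant later. The following is an added example, not code from the course or from Microsoft: it works over a constructed, simplified assignment export (role display names in place of roleDefinitionId, `assignmentType` of "Assigned" or "Eligible", and an `endDateTime` that is `None` for permanent assignments), returns the assignments to convert, and refuses a plan that would leave no permanent Global Administrator or Privileged Role Administrator or that names a non-organizational break-glass account. The verified domain and all principals are made up.

```python
"""Find permanent holders of privileged Azure AD roles and plan their
conversion to eligible assignments, as the PIM Security Wizard does, while
refusing to remove the last permanent break-glass holders. Constructed
example: the assignment list is a made-up, simplified export."""
from typing import Dict, List, Set

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "User Administrator",
                    "Exchange Administrator", "SharePoint Administrator"}
# Roles for which at least one permanent, organizational holder must remain.
REQUIRED_PERMANENT = ("Global Administrator", "Privileged Role Administrator")
ORG_DOMAINS = {"contoso.example"}  # verified tenant domains (constructed)

# "Assigned" with no endDateTime is a permanent active assignment; a dated
# endDateTime is time-bound; "Eligible" already goes through PIM activation.
ASSIGNMENTS: List[Dict] = [
    {"principal": "breakglass@contoso.example", "role": "Global Administrator",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "breakglass@contoso.example", "role": "Privileged Role Administrator",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "alice@contoso.example", "role": "Global Administrator",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "bob@contoso.example", "role": "Exchange Administrator",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "carol@contoso.example", "role": "Security Administrator",
     "assignmentType": "Eligible", "endDateTime": None},
    {"principal": "dave@contoso.example", "role": "User Administrator",
     "assignmentType": "Assigned", "endDateTime": "2030-01-31T00:00:00Z"},
    {"principal": "erin@contoso.example", "role": "Security Reader",
     "assignmentType": "Assigned", "endDateTime": None},
]


def permanent_privileged(assignments: List[Dict]) -> List[Dict]:
    """Permanent active assignments to a high-privilege role."""
    return [a for a in assignments
            if a["role"] in PRIVILEGED_ROLES
            and a["assignmentType"] == "Assigned"
            and a["endDateTime"] is None]


def plan_conversions(assignments: List[Dict], break_glass: Set[str]) -> List[Dict]:
    """Assignments to convert from permanent to eligible. Raises if the plan
    would leave no permanent break-glass Global Administrator or Privileged
    Role Administrator, or if a break-glass account is not organizational."""
    for upn in break_glass:
        if upn.split("@", 1)[-1] not in ORG_DOMAINS:
            raise ValueError(f"{upn} is not an organizational account")
    permanent = permanent_privileged(assignments)
    keep = [a for a in permanent if a["principal"] in break_glass]
    for role in REQUIRED_PERMANENT:
        if not any(a["role"] == role for a in keep):
            raise ValueError(f"no permanent {role} would remain; assign a break-glass holder first")
    return [a for a in permanent if a["principal"] not in break_glass]


if __name__ == "__main__":
    for a in plan_conversions(ASSIGNMENTS, {"breakglass@contoso.example"}):
        print(f"convert to eligible: {a['principal']} / {a['role']}")
```

The time-bound User Administrator and the already-eligible Security Administrator are left alone, and Security Reader is not treated as privileged; adjust `PRIVILEGED_ROLES` to your own list before trusting the output, since the wizard's notion of "high-privileged" is broader than six roles.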
Azure AD Roles and Members

Roles:
Use Azure AD roles to add an eligible member to a privileged role. You can also convert the eligible assignment to permanent or vice versa.

Members:
Use Members to view assignments or add an assignment.

Azure AD Role Settings

Use Azure AD Role Settings to configure activation duration, notifications, MFA, approval, and other settings per AD role.

Settings can also be configured for alerts and access reviews for AD role elevation.

Discover Azure Resources

- When first setting up PIM for Azure resources, discover and select the resources PIM protects.
- There's no limit to the number of resources you can manage with PIM.
- Resources are discovered based on Azure subscription and management group.
- Once a management group or subscription is set to managed, it can't be unmanaged. This prevents another resource administrator from removing PIM settings.

Azure Resource Roles and Members

Roles:
Use Azure resource roles to add an eligible member to a privileged role. You can also convert the eligible assignment to permanent or vice versa.

Members:
Use Members to view assignments or add an assignment.

Azure Resource Settings

Use Azure Resource Role Settings to configure activation duration, notifications, MFA, approval, and other settings per Azure resource role.

Azure AD Privileged Identity Management: My Roles

My Roles:
Use My roles to view and activate any Azure AD or Azure resource privilege elevation.

MFA:
If the elevation requires multi-factor authentication, you will be required to verify your identity prior to activation.
Azure AD Privileged Identity Management: Approve Requests

Approve Requests:
Use Approve requests to view and approve any requests for Azure AD or Azure resource privilege elevation.

Email:
If notifications are enabled for requests, then the approver will receive a message asking them to review the request.
Azure AD Privileged Identity Management: Part III: Reviewing Access

- Access Reviews
- My Audit History
- Directory Roles Audit History
Azure AD Privileged Identity Management: Access Reviews

Since access to privileged Azure AD roles for employees changes over time, you should regularly review access to determine if elevated privileges are still necessary.

You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged Azure AD roles as well as Azure resources. You can also configure recurring access reviews that automatically occur.

Eligible members of privileged roles are notified in the Azure Portal when they are required to justify access. Email communication can also be configured to notify your users of an access review.

Azure PIM can determine the appropriate course of action based on factors such as time since elevation and more. These recommendations can be implemented for non-responders.
Azure AD Privileged Identity Management: My Audit History

Use My audit history to view all PIM activities for the signed-in user. This includes role assignments and activations within the past 30 days for all privileged roles. You can use My audit history to view assignments and activations for Azure AD and Azure resource privileged roles.
Azure AD Privileged Identity Management: Directory Roles Audit History

Use Directory roles audit history to view all events for all Azure AD roles. This includes events performed by all Privileged Role Administrators as well as PIM.
Azure Tenant Security

Topics in this section include:

A  Transferring Azure Subscriptions

This section contains some important topics that will be included on the exam but don't really fit in the other lessons.
Azure Tenant Security: Transferring an Azure Subscription

- Transferring billing ownership of an Azure subscription takes place in the Cost Management + Billing pane or in the Account Center.
- When transferring to another tenant, all users, groups, and RBAC access to resources in the source tenant are lost on the resources in the subscription. The user accepting the transfer request is the only account with access to the resources.
- Management certificates, access keys, and remote access credentials will remain intact. These should be updated if the source account no longer requires access to these resources.
- Visual Studio, MPN, and Pay-As-You-Go Dev/Test subscriptions with recurring Azure credits will not transfer between accounts. The subscription will use the credit in the destination Visual Studio account, should one exist.
- Only these subscription types are eligible for transfer.
- Transfers between countries cannot be performed in the portal. You need to contact support to initiate a cross-country transfer.
- In order to complete the transfer, the recipient must accept billing ownership and provide payment details.
- If the recipient does not have an Azure account, they must create one to accept the transfer.
Azure Tenant Security: Azure Subscriptions Eligible for Transfer

Subscription transfer in the Azure portal is available for the subscription types listed below. Currently transfer is not supported for Free Trial or Azure in Open (AIO) subscriptions.

- Microsoft Partner Network
- Visual Studio Enterprise (MPN) subscribers
- MSDN Platforms
- Pay-As-You-Go
- Pay-As-You-Go Dev/Test
- Visual Studio Enterprise
- Visual Studio Enterprise: BizSpark
- Visual Studio Professional
- Visual Studio Test Professional
- Enterprise Agreement (EA) - Through the EA Portal.
- Microsoft Azure Plan - Only supported for accounts created during signup on the Azure website.
Platform Protection

Network Security

Topics Included in This Section

- Virtual Network [Review]
- Network Security Groups [Review]
- Application Security Groups
- Azure Firewall
- Resource Firewalls
Network Security: Virtual Networks

Virtual Networks (VNets) are used to create a virtual private network within Azure where resources can be networked to one another similar to a private on-premises environment.

- The VNet has an internal address space (e.g. 10.1.0.0/16).
- Resources connect to subnets within a VNet to gain network access.
- Subnets within the VNet must exist within the same address space.
- All subnets within a virtual network can communicate with each other.
- Default routing can be modified with user-defined route tables.

VNets can be peered with one another to allow for communication between each other.

VNets can also be connected with on-premises networks (as well as other VNets) with Site-to-Site VPN or ExpressRoute connections. These require Virtual Network Gateways to be present inside the VNet.
Network Security: Network Security Groups

Network Security Groups (NSGs) are used to provide network layer security for resources within a Virtual Network (VNet). When attached to a resource, they can allow or deny traffic based on rules you configure.

Overview:

- The best practice is to block ALL traffic except required communication. This is sometimes called "default deny."
- NSGs can be applied to either a Network Interface Card (NIC), a subnet, or both.
- When NSGs are assigned to both, rules from both are evaluated.
- NSG rules are stateful, so reply traffic is automatically allowed regardless of other rules.
- NSGs contain "Default Rules" which cannot be deleted; you need higher priority rules to override them.
- Once a rule is matched, no further rules are processed.
Network Security: Application Security Groups

An Application Security Group (ASG) is a logical collection of virtual machines, specifically their network interface cards (NICs). You join virtual machines to the ASG and then use the application security group as a source or destination in NSG rules.

Think of ASGs as a way to create custom service tags for a network security group.

Diagram: Internet -> TCP Port 80 -> NSGMaster -> ASGWeb and ASGLogic (Subnet0); ASGLogic -> TCP Port 1433 -> NSGMaster -> ASGDB (Subnet1).
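The following Python model is an added example, not part of the course material, that walks through the NSG behaviour described above (priority order, first match wins, undeletable default rules that a higher-priority custom rule overrides, subnet and NIC NSGs both evaluated) using the flows from the ASG diagram. The addresses, ASG membership and rule names are constructed, and the VirtualNetwork service tag is simplified to the VNet's own address range.

```python
"""Model of Azure NSG inbound rule evaluation with ASGs as rule endpoints.

Constructed example, not Azure's implementation. Rules are evaluated in
priority order (lowest number first) and the first match decides; the
undeletable default rules (priority 65000+) catch whatever is left.
Stateful reply traffic is not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplification: the VirtualNetwork tag is just this VNet's own range (in
# Azure it also covers peered VNets and on-premises ranges via gateways).
VNET_RANGE = ip_network("10.1.0.0/16")

@dataclass
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules, 65000+ for default rules
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR/IP, service tag, or ASG name
    destination: str   # CIDR/IP, service tag, or ASG name
    dest_ports: set    # port numbers, or {"*"} for any

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int

# Default inbound rules present in every NSG. They cannot be deleted; a custom
# rule with a lower priority number overrides them.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", {"*"}),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", {"*"}),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", {"*"}),
]

# Constructed rules for the diagram's NSGMaster: Internet -> ASGWeb on TCP 80,
# ASGLogic -> ASGDB on TCP 1433, plus an explicit deny that overrides the
# AllowVNetInBound default so other VNet hosts cannot reach the DB tier.
NSG_MASTER = [
    Rule("AllowInternetToWeb80", 100, "Allow", "Tcp", "Internet", "ASGWeb", {80}),
    Rule("AllowLogicToDb1433", 110, "Allow", "Tcp", "ASGLogic", "ASGDB", {1433}),
    Rule("DenyVNetToDb", 200, "Deny", "*", "VirtualNetwork", "ASGDB", {"*"}),
]

# Constructed ASG membership (NIC private IPs): web and logic in Subnet0,
# DB in Subnet1.
ASG_MEMBERS = {"ASGWeb": {"10.1.0.4"}, "ASGLogic": {"10.1.0.5"}, "ASGDB": {"10.1.1.4"}}

def endpoint_matches(spec, ip, asg_members):
    """Match an address against a CIDR/IP, a service tag, or an ASG name."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip_address(ip) in VNET_RANGE
    if spec == "Internet":
        return ip_address(ip) not in VNET_RANGE
    if spec == "AzureLoadBalancer":
        return ip == "168.63.129.16"  # documented Azure load balancer probe address
    if spec in asg_members:  # an ASG behaves like a custom service tag
        return ip in asg_members[spec]
    return ip_address(ip) in ip_network(spec, strict=False)

def rule_matches(rule, pkt, asg_members):
    return (rule.protocol in ("*", pkt.protocol)
            and ("*" in rule.dest_ports or pkt.dst_port in rule.dest_ports)
            and endpoint_matches(rule.source, pkt.src_ip, asg_members)
            and endpoint_matches(rule.destination, pkt.dst_ip, asg_members))

def evaluate_nsg(rules, pkt, asg_members=ASG_MEMBERS):
    """Return (access, rule name) of the first matching rule by priority.
    Once a rule matches, no further rules are processed."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, pkt, asg_members):
            return rule.access, rule.name
    return "Deny", "<unreachable>"  # DenyAllInBound always matches

def evaluate_inbound(subnet_rules, nic_rules, pkt, asg_members=ASG_MEMBERS):
    """Inbound traffic passes the subnet NSG first, then the NIC NSG; both
    must allow it. Pass None where no NSG is attached at that level."""
    result = ("Allow", "<no NSG attached>")
    for rules in (subnet_rules, nic_rules):
        if rules is None:
            continue
        result = evaluate_nsg(rules, pkt, asg_members)
        if result[0] == "Deny":
            break
    return result
```

Calling evaluate_inbound(NSG_MASTER, None, Packet("10.1.0.4", "10.1.1.4", "Tcp", 1433)) shows the web tier being stopped by the custom deny at priority 200, even though the default AllowVNetInBound rule would otherwise have let VNet-internal traffic through.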
Network Security: Azure Firewall

In addition to NSGs, there are a few other network-layer Azure offerings we can implement to harden network security. Typically, these were third-party products called Network Virtual Appliances (NVAs) used to inspect all inbound and outbound network traffic to an entire virtual network.

Microsoft recently released Azure Firewall-as-a-Service, intending it to be an alternative to third-party NVAs. Microsoft designed Azure Firewall for The Cloud, specifically Azure.
Azure Firewall Benefits

Azure Firewall offers:

- A stateful firewall as a service.
- Built-in high-availability with unrestricted cloud scalability.
- FQDN filtering and tags.
- Rules for filtering network traffic.
- Outbound SNAT support.
- Inbound DNAT support (port forwarding).
- A central place to create, enforce, and log application and network connectivity policies across Azure subscriptions and VNETs.
- Full integration with Azure Monitor for logging and analytics.
Azure Firewall Configuration

The typical deployment for Azure Firewall is in a central virtual network. Other virtual networks are then peered to it in a hub-and-spoke fashion. Default routes from the peered virtual networks are pointed to the central firewall virtual network.

The firewall, subnet, VNet, and the public IP address must all be in the same resource group.

Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues across regions. For best performance, deploy one firewall per region.

The advantage of this model is the ability to centrally exert control on multiple spoke VNETs across different subscriptions.

Diagram: two Spoke VNets peered to a Hub VNet, which connects to the On-Premises Network and the Internet.
Azure Firewall Limitations

- Network filtering rules for non-TCP/UDP protocols (such as ICMP) don't work for Internet-bound traffic.
- You cannot move Azure Firewall to a different resource group or subscription.
- Limited port range.
- No custom DNS support.
- No SNAT/DNAT for private IP destinations.
- Complete list of limitations available here.
Network Security: Resource Firewalls

Individual Azure resources also maintain their own set of firewall rules. These rules can allow or deny access to Azure virtual networks, Azure services such as backup and SQL, and Internet hosts.

These access rules are configured within the Azure resources themselves. The most common resources with this additional protection are Azure Storage Accounts and Azure SQL server databases.
Azure Services that can be allowed via resource firewalls:

- Azure Backup
- Azure Data Box
- Azure DevTest Labs
- Azure Event Grid
- Azure Event Hubs
- Azure HDInsight
- Azure Monitor
- Azure Networking
- Azure Site Recovery
- Azure SQL Data Warehouse
Azure Resource Firewalls: Storage Accounts
Azure Resource Firewalls: SQL Servers
Host Security

Topics in this section include:

A  Endpoint Protection: Securing your hosts against viruses and malware.
B  Update Management: Keeping your Azure VMs up-to-date.
Host Security: VM Endpoint Security

Microsoft Antimalware for Azure is a free real-time protection service that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems.

Features include:

- Real-time protection
- Malware remediation
- Signature updates
- Antimalware engine updates
- Antimalware platform updates
- Active protection
- Samples reporting
- Exclusions
- Antimalware event collection
VM Endpoint Protection: Pros and Cons

Advantages (Pros)      Disadvantages (Cons)
Free!!                 Difficult to modify
Easy to deploy         Limited client availability
Fully featured         No centralized management
Antimalware: Single VM Deployment

Configure and deploy Microsoft Antimalware using Azure extensions. This can be performed on new VM deployments as well as existing VMs.

Exclusions and protection parameters are specified at deployment.
Antimalware: Multiple VM Deployment

Configure and deploy Microsoft Antimalware using Azure Policy or Azure Security Center.
Host Security: Update Management

Azure provides the Update Management solution to allow you to manage updates and patches for your Windows Virtual Machines. The solution requires Azure Log Analytics and an Azure Automation Account. If these are not available at deployment, they can be provisioned for you.
Securing Azure Resources

Topics in this section include:

A  Role-based Access Control (RBAC) [Review]: Managing permissions on Azure resources.
B  Managed Identities [Review]: Access to resources without credentials!
C  Azure Resource Locks: Preventing deletion of Azure resources.
D  Management Groups: Managing multiple subscriptions with ease!
E  Azure Policies: Automatically enforce compliance in Azure.
Securing Azure Resources: RBAC [Review]

While Conditional Access and Identity Protection are used to control access to Azure AD managed resources, role-based access control (RBAC) is used to provide granular access to Azure resources. These roles can be assigned at the subscription, resource group, or resource level.

- Azure includes a range of over 70 built-in roles for controlling access to Azure resources. Some examples are:
  - Owner: Includes full access to the assigned resource(s) including rights to grant access to others.
  - Contributor: Provides full access to the assigned resource(s) except for rights to change permissions.
  - Reader: Provides full view access to the assigned resource(s), but no ability to make changes.

For more information, refer to the article on built-in roles for Azure resources.

If the built-in roles are not sufficient, custom roles can be created.

- For roles to take effect, they must be assigned.
- Roles are assigned to an Azure AD user, group, or service principal.
- They must be assigned to something: a subscription, resource group, or resource.
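An added example (not from the course) that models the RBAC statements above in Python: an assignment to a user, group, or service principal at a subscription, resource group, or resource scope applies to everything beneath that scope, and a role's effective permissions are its Actions minus its NotActions. The principals, scopes and assignments are constructed, and the three role definitions are simplified forms of the built-in Owner, Contributor and Reader roles.

```python
"""Toy model of Azure RBAC authorization.

Constructed example, not Azure's authorization engine. A role assignment at
a scope applies to that scope and everything beneath it, and a role's
effective permissions are its Actions minus its NotActions. The role
definitions are simplified forms of the built-in roles (the real Contributor
role has a longer NotActions list); DataActions are ignored.
"""
from fnmatch import fnmatchcase

ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    # Contributor: everything except managing access (role assignments etc.)
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

# Constructed directory data: a group and its members (one level, no nesting).
GROUP_MEMBERS = {"grp-web-devs": {"alice@contoso.example", "bob@contoso.example"}}

# Constructed role assignments as (principal, role, scope). Principals may be
# users, groups, or service principals; scopes are a subscription, a resource
# group, or a single resource.
SUB = "/subscriptions/sub1"
ASSIGNMENTS = [
    ("carol@contoso.example", "Owner", SUB),
    ("grp-web-devs", "Contributor", SUB + "/resourceGroups/rg-web"),
    ("sp-monitoring", "Reader", SUB),
    ("bob@contoso.example", "Reader",
     SUB + "/resourceGroups/rg-db/providers/Microsoft.Sql/servers/sql1"),
]

def scope_covers(assignment_scope, target_scope):
    """True if target_scope equals assignment_scope or lies beneath it
    (comparison is case-insensitive and respects path segment boundaries)."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def matches_any(patterns, action):
    """Azure action strings are matched case-insensitively with * wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def principals_for(principal):
    """The principal itself plus every group it is a member of."""
    groups = {g for g, members in GROUP_MEMBERS.items() if principal in members}
    return {principal} | groups

def is_authorized(principal, action, scope, assignments=ASSIGNMENTS):
    """Authorized when some assignment covering `scope` is held by the
    principal (directly or via a group) and its role's Actions match the
    action while its NotActions do not."""
    identities = principals_for(principal)
    for who, role, assigned_scope in assignments:
        if who not in identities or not scope_covers(assigned_scope, scope):
            continue
        role_def = ROLE_DEFINITIONS[role]
        if (matches_any(role_def["Actions"], action)
                and not matches_any(role_def["NotActions"], action)):
            return True
    return False
```

With these assignments, alice can write VMs in rg-web through her group's Contributor assignment but cannot create role assignments there, while carol, as Owner at the subscription, can.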
Platform Protection
Securing Azure Resources: Managed Identities [Review]

Managed Identities provides a secure method for authenticating Azure resources against other Azure services without needing to include credentials. Managed Identities is a feature of Azure AD which provides an Azure resource with a managed identity (a service principal) within Azure AD.

This feature lets an Azure resource authenticate "behind the scenes." It does not grant any implicit permissions (authorization), though; those must be configured separately.

- Avoids the need for application credentials to be stored in code (e.g. client ID and secrets).
- Is fully managed by Microsoft, so credentials no longer need to be rotated by developers.
- Automates the creation and registration of an application within Azure AD, its service principal, and client ID.
- Includes built-in functionality for Azure resources to securely obtain an authentication token.
- Does not imply any authorization, since the identity must still be granted whatever permissions are desired (an RBAC role assignment or a Key Vault access policy, for example).

Related: AZ-300: Managed IDs
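The following is an added example, not code from the course or from Microsoft, showing how the "securely obtain an authentication token" step actually works for a workload on an Azure VM: it asks the Instance Metadata Service (IMDS) for a token and never holds a secret. The endpoint, the Metadata header and the query parameters are the documented ones; the fake IMDS response used when exercising the code offline is constructed, and the `fetch` parameter exists only so the network call can be swapped out.

```python
import json
import time
import urllib.parse
import urllib.request

# Added example (not from the course): how a workload on an Azure VM obtains a
# token for its managed identity from the Instance Metadata Service (IMDS).
# There is no client secret anywhere in this flow; the identity is proven by
# where the request comes from (the link-local IMDS endpoint on the VM itself).

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """URL and headers for a managed-identity token request.

    resource   the audience, e.g. https://vault.azure.net for Key Vault
    client_id  only for a user-assigned identity; omitted for system-assigned
    """
    query = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        query["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(query)
    # IMDS rejects requests without this header. A redirected request cannot
    # carry it, which blunts SSRF attempts that try to reach the endpoint.
    headers = {"Metadata": "true"}
    return url, headers


def http_get(url, headers):
    """Plain HTTP GET; IMDS is only reachable from inside the VM."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def get_managed_identity_token(resource, client_id=None, fetch=http_get):
    """Return the parsed token response after sanity-checking it."""
    url, headers = build_token_request(resource, client_id)
    body = json.loads(fetch(url, headers))
    missing = [k for k in ("access_token", "expires_on", "resource") if k not in body]
    if missing:
        raise ValueError("incomplete IMDS token response, missing " + ", ".join(missing))
    if body["resource"] != resource:
        raise ValueError("token issued for %s, requested %s" % (body["resource"], resource))
    return body


def seconds_until_expiry(token, now=None):
    """expires_on is epoch seconds as a string; refresh before it reaches zero."""
    now = time.time() if now is None else now
    return int(token["expires_on"]) - int(now)


if __name__ == "__main__":
    # Only works on an Azure VM with a managed identity assigned.
    tok = get_managed_identity_token("https://vault.azure.net")
    print("token valid for", seconds_until_expiry(tok), "seconds")
```

The token is scoped to one audience (`resource`), so a token for Key Vault cannot be replayed against the ARM API; the identity still needs an access policy or role assignment on the target before the token is worth anything, which is the "does not imply any authorization" point above.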
Platform Protection
Securing Azure Resources: Azure Resource Locks

We can use Azure resource locks to prevent other users in our organization from accidentally deleting or modifying critical resources such as subscriptions, resource groups, or individual resources.

There are two types of resource locks:

- CanNotDelete means authorized users can still read and modify a resource, but they can't delete it.
- ReadOnly means authorized users can read a resource, but they can't delete or update it. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

When a resource lock is applied at a parent scope, such as a subscription or resource group, all resources within that scope inherit the same lock. Resources added later inherit the lock from the parent. When a resource inherits multiple locks, the most restrictive lock in the inheritance takes precedence.

Unlike role-based access control, resource locks apply a restriction across all users and roles, including Owners. A lock is a guard against accidents, not a security boundary: anyone who is allowed to remove the lock can then perform the blocked operation.

We must have access to the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions to create or delete management locks. Owner and User Access Administrator are the only built-in roles granted those actions.
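An added example, not the course's code, that models the two rules above: a lock at any ancestor scope is inherited, the most restrictive inherited lock wins, and a lock only ever removes an operation that RBAC would otherwise allow. The scope ids, the lock placement and the simplified role table are constructed for illustration.

```python
# Added example (not from the course): effective Azure resource lock for a
# resource, given locks at the resource, its resource group and its subscription.

# Higher rank = more restrictive. CanNotDelete blocks delete; ReadOnly blocks
# write and delete.
LOCK_RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}
LOCK_BLOCKS = {None: set(), "CanNotDelete": {"delete"}, "ReadOnly": {"write", "delete"}}

# Operations each built-in role permits on a resource (simplified: Owner and
# Contributor differ only in managing access, which is not modelled here).
ROLE_OPERATIONS = {
    "Owner": {"read", "write", "delete"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
}


def scope_chain(resource_id):
    """The resource id followed by its resource group and subscription scopes.

    Assumes the standard ARM id layout:
    /subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>
    """
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("not an ARM resource id: " + resource_id)
    chain = [resource_id]
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))  # resource group scope
    chain.append("/" + "/".join(parts[:2]))      # subscription scope
    return chain


def effective_lock(resource_id, locks):
    """Most restrictive lock inherited by resource_id, or None.

    locks maps a scope id to the list of lock levels assigned at that scope.
    Scope comparison is case-insensitive, as ARM ids are.
    """
    by_scope = {scope.lower(): levels for scope, levels in locks.items()}
    best = None
    for scope in scope_chain(resource_id):
        for level in by_scope.get(scope.lower(), []):
            if LOCK_RANK[level] > LOCK_RANK[best]:
                best = level
    return best


def is_allowed(operation, role, resource_id, locks):
    """RBAC grants the operation first; a lock can then only take it away."""
    if operation not in ROLE_OPERATIONS[role]:
        return False
    return operation not in LOCK_BLOCKS[effective_lock(resource_id, locks)]


if __name__ == "__main__":
    vm = ("/subscriptions/sub1/resourceGroups/prod-rg/providers/"
          "Microsoft.Compute/virtualMachines/web01")
    sample_locks = {
        "/subscriptions/sub1/resourceGroups/prod-rg": ["CanNotDelete"],
        vm: ["ReadOnly"],
    }
    print(effective_lock(vm, sample_locks))              # ReadOnly beats the inherited CanNotDelete
    print(is_allowed("delete", "Owner", vm, sample_locks))  # False even for Owner
```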
Platform Protection
Securing Azure Resources: Management Groups

Azure management groups allow us to group subscriptions to manage access, policies, and compliance. Think of them as one level above subscriptions, but only for management. Billing responsibility is still handled at the subscription level.

Subscriptions within a management group inherit the access, policies, and other compliance factors applied to it. A management group may contain individual subscriptions or other management groups in a nested hierarchy.

You can create management groups and apply a policy requiring all Azure resources to be created in a particular Azure region for compliance purposes. Another management group can be used to grant access to multiple subscriptions (via RBAC), as opposed to granting access on each subscription individually.

When using management groups, the first group is called the Tenant Root Group and is used to manage all subscriptions. If you are a Global Administrator, you can elevate your access to allow you to manage access to the root group. Elevation grants the User Access Administrator role at the root scope; treat it as a break-glass action and remove it once the root-level assignments are in place.
Platform Protection
Securing Azure Resources: Azure Policies

Azure Policy is a service in Azure you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources so those resources stay compliant with your corporate, technical, or government standards.

For example, you can define a policy to allow only certain SKU sizes of virtual machines in your environment. If an Azure administrator attempts to deploy a virtual machine outside your defined SKU sizes, the deployment will fail validation and will not be deployed (the Deny effect).

Existing resources found to be non-compliant can also be remediated.

Policy definitions outline the specific criteria to be evaluated. Assignments determine where these policies are applied. They can be applied to management groups and Azure subscriptions, and optionally to child resource groups. Child resources inherit the policy settings applied to their parents.

Policy initiatives are collections of policy definitions designed to accomplish a singular goal, such as overall compliance with corporate standards. They are assigned in the same manner as individual definitions.
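The following is an added example, not Azure Policy's own engine or any course code: a small evaluator for the subset of the policy rule language (field, equals, in, notIn, allOf, anyOf, not, parameters) needed to run the slide's "allowed VM SKU" scenario, with scope inheritance and an initiative that bundles two definitions. The definitions are shaped like the built-in "Allowed virtual machine size SKUs" and "Allowed locations" policies; the resources, the assignment scope and the parameter values are constructed, and resource fields are modelled as a flat dict keyed by alias name.

```python
import re

# Added example (not from the course): a minimal Azure Policy rule evaluator.

PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")


def resolve(value, params):
    """Replace a [parameters('x')] reference with the assignment's value."""
    if isinstance(value, str):
        match = PARAM_REF.fullmatch(value)
        if match:
            return params[match.group(1)]
    return value


def condition_matches(cond, resource, params):
    """Evaluate an 'if' condition tree against one resource."""
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError("unsupported condition: %r" % (cond,))


def in_scope(resource_id, scope):
    """An assignment applies to its scope and everything beneath it."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def evaluate(resource, assignments):
    """Map each violated definition name to its effect.

    An initiative is a list of definitions assigned together, so every
    definition is evaluated with the assignment's parameters and scope.
    """
    violations = {}
    for assignment in assignments:
        if not in_scope(resource["id"], assignment["scope"]):
            continue
        params = assignment.get("parameters", {})
        for definition in assignment["definitions"]:
            rule = definition["policyRule"]
            if condition_matches(rule["if"], resource, params):
                violations[definition["name"]] = rule["then"]["effect"]
    return violations


def deployment_allowed(resource, assignments):
    """Deny fails validation; Audit only records the resource as non-compliant."""
    return "Deny" not in evaluate(resource, assignments).values()


# Constructed definitions: allowed VM SKUs (Deny) and allowed locations (Audit).
ALLOWED_VM_SKUS = {"name": "allowed-vm-skus", "policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "Deny"}}}
ALLOWED_LOCATIONS = {"name": "allowed-locations", "policyRule": {
    "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
    "then": {"effect": "Audit"}}}

# One initiative assigned at subscription scope; child resource groups inherit it.
COMPLIANCE_INITIATIVE = {
    "scope": "/subscriptions/sub1",
    "definitions": [ALLOWED_VM_SKUS, ALLOWED_LOCATIONS],
    "parameters": {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"],
                   "listOfAllowedLocations": ["eastus"]},
}


def vm(name, sku, location="eastus"):
    """Constructed VM resource in rg1 of sub1."""
    return {"id": "/subscriptions/sub1/resourceGroups/rg1/providers/"
                  "Microsoft.Compute/virtualMachines/" + name,
            "type": "Microsoft.Compute/virtualMachines", "location": location,
            "Microsoft.Compute/virtualMachines/sku.name": sku}


if __name__ == "__main__":
    print(evaluate(vm("big", "Standard_D64s_v3"), [COMPLIANCE_INITIATIVE]))
    print(deployment_allowed(vm("ok", "Standard_B2s", "westus"), [COMPLIANCE_INITIATIVE]))
```

Note the difference between the two effects: the oversized VM is rejected outright, while the VM in the wrong region deploys but is reported as non-compliant, which is what makes Audit useful for rolling a new rule out before switching it to Deny.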
Platform Protection
Container Security

Topics in this section include:

- Configure and Secure Azure Container Registry: Protecting your image repositories the Azure way!
- Container Instance Security: ACR Tasks and security considerations.
- Container Groups: Container collections working together.
- Container Vulnerability Management: Scan images for vulnerabilities.
- Azure Kubernetes Service (AKS) Security: Best practices for AKS.
Platform Protection
Container Security: Azure Container Registry

1. Creating a Container Registry
   - Azure Portal
   - Azure CLI
   - Azure PowerShell
2. ACR Authentication
   - Accessing the registry
   - Azure AD
   - Service principals
   - Admin account
3. Pushing an Image to the Registry
   - Supported image formats
   - Pushing using Azure CLI
4. Locks / VNet / Firewall
   - Locking a container image
   - Preventing deletion and update
   - VNet and firewall rules
Platform Protection
Azure Container Registry: Creating a Container Registry

Azure Portal
[The original slide shows the portal's Create container registry blade: resource group, registry name, location and SKU.]

Azure CLI

    az group create --name myResourceGroup --location eastus
    az acr create --resource-group myResourceGroup --name myContainerRegistry007 --sku Basic

Azure PowerShell

    New-AzResourceGroup -Name myResourceGroup -Location EastUS
    New-AzContainerRegistry -ResourceGroupName "myResourceGroup" -Name "myContainerRegistry007" -EnableAdminUser -Sku Basic

Note that the PowerShell example passes -EnableAdminUser, which turns on the registry's admin account (one shared username and password with full access). Leave it off unless you specifically need that account; the authentication slide that follows explains why.
Platform Protection
Azure Container Registry: Security

1. Azure AD
   - Used when working with your registry directly (az acr login signs you in with your own identity).
   - Role-based access (AcrPull, AcrPush, Owner).
2. Service Principal
   - Applications or services can use it for headless authentication.
   - Role-based access (AcrPull, AcrPush, Owner); grant AcrPull to anything that only needs to run images.
3. Admin Account
   - Designed for a single user to access the registry.
   - Full access to the registry through one shared username and password; disabled by default, and best left that way.
Platform Protection
Azure Container Registry: Pushing a Container Image

Azure CLI

Create a resource group:

    az group create --name myResourceGroup --location eastus

Create a container registry:

    az acr create --resource-group myResourceGroup --name myContainerRegistry008 --sku Basic

Log in to the registry (uses your Azure AD identity; no registry password is needed):

    az acr login --name myContainerRegistry008

Push an image to the registry (the login server name is always lowercase):

    docker pull hello-world
    docker tag hello-world mycontainerregistry008.azurecr.io/hello-world:v1
    docker push mycontainerregistry008.azurecr.io/hello-world:v1

Run the image from the registry:

    docker run mycontainerregistry008.azurecr.io/hello-world:v1
Platform Protection
Azure Container Registry: Lock / VNet / Firewall

1. Locks
   - Similar to other Azure resource locks.
   - Locks prevent deletion (CanNotDelete) or deletion and updates (ReadOnly) of the registry resource. To protect an individual image or tag from being overwritten or deleted, lock the repository or tag instead (az acr repository update ... --write-enabled false --delete-enabled false).
2. VNet / Firewall
   - Only resources in the virtual network can access the registry.
   - Firewall rules allow registry access only from specific IPs.
   - Both require the Premium SKU.
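An added example, not from the course, that checks one registry against the controls on this slide and the security slide before it: the admin account, least-privilege role assignments for service principals, a resource lock, and (on Premium) the network rule set and content trust. The inputs are constructed to look like the output of `az acr show`, `az role assignment list --scope <registry id>` and `az lock list`; the field names follow those commands, but treat them as assumptions if your CLI version renders them differently.

```python
# Added example (not from the course): audit an ACR registry configuration.

LEAST_PRIVILEGE_ROLES = {"AcrPull", "AcrPush"}


def audit_registry(registry, role_assignments, locks):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    findings = []
    sku = registry.get("sku", {}).get("name", "")

    if registry.get("adminUserEnabled"):
        findings.append(("high", "admin account enabled: one shared credential with full "
                         "access; disable it and use Azure AD identities or service principals"))

    for ra in role_assignments:
        role = ra.get("roleDefinitionName", "")
        who = "%s %s" % (ra.get("principalType", "?"), ra.get("principalName", "?"))
        if ra.get("principalType") == "ServicePrincipal" and role not in LEAST_PRIVILEGE_ROLES:
            findings.append(("medium", "%s holds %s; a headless client only needs AcrPull "
                             "or AcrPush" % (who, role)))
        elif role == "Owner":
            findings.append(("low", "%s is Owner of the registry; confirm this is an "
                             "administrator, not an application" % who))

    if sku != "Premium":
        findings.append(("info", "SKU %s: VNet/firewall rules and content trust require "
                         "Premium" % sku))
    else:
        rules = registry.get("networkRuleSet") or {}
        if rules.get("defaultAction", "Allow") != "Deny":
            findings.append(("high", "network rule set default action is Allow: the registry "
                             "is reachable from any IP"))
        trust = (registry.get("policies") or {}).get("trustPolicy") or {}
        if trust.get("status", "disabled") != "enabled":
            findings.append(("medium", "content trust disabled: clients cannot require "
                             "signed images"))

    if not any(lock.get("level") in ("CanNotDelete", "ReadOnly") for lock in locks):
        findings.append(("low", "no resource lock: the registry and every image in it can "
                         "be deleted by any Contributor"))
    return findings


# Constructed samples resembling `az acr show`, `az role assignment list` and
# `az lock list` output. The first is the registry created two slides back with
# -EnableAdminUser; the second is a hardened Premium registry.
BASIC_REGISTRY = {
    "name": "myContainerRegistry007", "sku": {"name": "Basic"},
    "adminUserEnabled": True, "networkRuleSet": None,
    "policies": {"trustPolicy": {"type": "Notary", "status": "disabled"}},
}
BASIC_ASSIGNMENTS = [
    {"principalName": "acr-service-principal", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner"},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "AcrPush"},
]
HARDENED_REGISTRY = {
    "name": "prodregistry", "sku": {"name": "Premium"}, "adminUserEnabled": False,
    "networkRuleSet": {"defaultAction": "Deny", "virtualNetworkRules": [{"id": "..."}],
                       "ipRules": []},
    "policies": {"trustPolicy": {"type": "Notary", "status": "enabled"}},
}
HARDENED_ASSIGNMENTS = [
    {"principalName": "aks-kubelet", "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPull"},
    {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPush"},
]
HARDENED_LOCKS = [{"name": "no-delete", "level": "CanNotDelete"}]


if __name__ == "__main__":
    for severity, text in audit_registry(BASIC_REGISTRY, BASIC_ASSIGNMENTS, []):
        print(severity.upper(), text)
    print(audit_registry(HARDENED_REGISTRY, HARDENED_ASSIGNMENTS, HARDENED_LOCKS))  # []
```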
Platform Protection
Azure Container Instances: Security

1. ACR Tasks
   - Automate container image builds and maintenance.
   - Tight control of images used in Container Instance deployment.
2. Security Considerations
   - Private registries.
   - Monitor and scan container images.
   - Protect credentials.
3. Creating a Container Instance
   - Authenticate with Azure Container Registry from Azure Container Instances.
4. Content Trust
   - Pushing and pulling of signed images.
Platform Protection
Azure Container Instances: ACR Tasks

ACR Tasks is a suite of features within Azure Container Registry. It provides cloud-based container image building for Linux, Windows, and ARM. It can also automate OS and framework patching for our Docker containers.

- On-demand container image builds.
- Automated builds on source code commit or when a container's base image is updated.
Platform Protection
Azure Container Instances: Security Considerations

Use private registries.
- A publicly available container image does not guarantee security!
- Docker Trusted Registry (on-premises).
- Azure Container Registry (cloud-based).

Monitor and scan container images.
- Security monitoring and scanning solutions are available through the Azure Marketplace.
- Use them to scan container images in a private registry and identify potential vulnerabilities.
- Scan before pushing!

Protect credentials.
- Inventory all credential secrets.
- Require developers to use emerging secrets-management tools that are designed for container platforms.
- Azure Key Vault.
Platform Protection
Azure Container Instances: Creating a Container Instance

Azure CLI

Create a service principal:

    #!/bin/bash
    ACR_NAME=mycontainerregistry
    SERVICE_PRINCIPAL_NAME=acr-service-principal

    # Resource id of the registry: this becomes the scope of the role assignment.
    ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

    # Create the service principal with only the AcrPull role on this registry.
    # The generated password is printed once by this command, so capture it here.
    # (The http:// prefix is the naming convention required by older Azure CLI
    # versions; newer versions accept a plain display name.)
    SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME \
        --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
    SP_APP_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)

    echo "Service principal ID: $SP_APP_ID"
    echo "Service principal password: $SP_PASSWD"

Create a container instance:

    az container create \
        --resource-group myResourceGroup \
        --name mycontainer \
        --image mycontainerregistry.azurecr.io/myimage:v1 \
        --registry-login-server mycontainerregistry.azurecr.io \
        --registry-username <service-principal-ID> \
        --registry-password <service-principal-password>

A password passed on the command line ends up in shell history and deployment logs; store it in Azure Key Vault and read it from there at deployment time rather than pasting it.
Platform Protection
Azure Container Instances: Content Trust

Azure Container Registry implements Docker's content trust model, enabling pushing and pulling of signed images.

Content trust is a feature of the Premium SKU of Azure Container Registry and is disabled by default; it must be enabled on the registry.

Content trust allows us to sign the images we push to our registry. Consumers of our images (people or systems pulling images from our registry) can configure their clients to pull only signed images. When an image consumer pulls a signed image, their Docker client verifies the integrity of the image.

Two practical checks: the identity that pushes signed images needs the AcrImageSigner role in addition to AcrPush, and a client only refuses unsigned images when DOCKER_CONTENT_TRUST=1 is set in its environment. Without that variable an unsigned tag pulls without complaint.
Platform Protection
Azure Container Instances: Container Groups

A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. It's similar in concept to a pod in Kubernetes.

A container group is useful when building an application sidecar for logging, monitoring, or any other configuration where a service needs a second attached process.

Container groups:
- Are deployed on a single VM.
- Only support Linux (multi-container groups are Linux-only).
- Can sit behind a public IP with optional exposed ports.
- Can be deployed via ARM templates or YAML.

Because the containers share localhost and volumes, a compromised sidecar can reach every port the main container listens on; treat the group, not the individual container, as the trust boundary.
Platform Protection
Azure Container Instances: Vulnerability Management

As mentioned in the Security Considerations lesson, vulnerability management is an important part of container security. Scanning container images for vulnerabilities and bad configurations is crucial to maintaining secure container instances.

Security monitoring and scanning solutions such as Twistlock and Aqua Security are available through the Azure Marketplace. These can be used to scan container images in a private registry and identify potential vulnerabilities.
Platform Protection
Azure Kubernetes Service: Security

1. Security Concepts
   - Master security.
   - Node security.
   - Kubernetes secrets.
2. Best Practices
   - Secure access to the API server and cluster nodes.
   - Upgrade the cluster.
   - Update nodes.
3. Authenticating to ACR from AKS
   - Security principals.
   - Kubernetes Secrets.
Platform Protection
Azure Kubernetes Service: Security Concepts

Master security
- In AKS, the Kubernetes master components are part of the managed service provided by Microsoft. Each AKS cluster has its own single-tenant, dedicated Kubernetes master to provide the API server, scheduler, etc.
- This master is managed and maintained by Microsoft.
- By default, the Kubernetes API server uses a public IP address with a fully qualified domain name (FQDN). We can control access to the API server using Kubernetes role-based access control and Azure Active Directory. Because that endpoint is reachable from the internet, restricting who can authenticate to it matters even more than for the nodes.

Node security
- AKS nodes are Azure virtual machines we manage and maintain.
- Linux nodes run an optimized Ubuntu distribution using the Moby container runtime.
- Windows Server nodes (in preview in AKS at the time of the course) run an optimized Windows Server 2019 release and also use the Moby container runtime.
- When an AKS cluster is created or scaled up, the nodes are automatically deployed with the latest OS security updates and configurations. Updates applied after that point may need a reboot, which is what kured (next slide) handles.

Kubernetes Secrets
- A Kubernetes Secret is used to inject sensitive data into pods, such as access credentials or keys. Secrets are base64-encoded, not encrypted, when read through the API, so limit who can read them with RBAC.
Platform Protection
Azure Kubernetes Service: Best Practices

- Secure access to the API server and cluster nodes.
- Secure container access to resources.
- Regularly update to the latest version of Kubernetes.
- Process Linux node updates and reboots using kured (the Kubernetes reboot daemon, which cordons, drains and reboots nodes that need it one at a time).
Platform Protection
Course Navigation Azu r e Ku ber n et es Ser vice:
Con t ain er Secu r it y
Au t h en t icat ion t o ACR
M an age I den t it y
an d Access Topics
Azure CLIin t h is sect ion in clu de:
Section 1
Grant AKSaccessto ACR:
#! / bi n/ bas h
Con f igu r e an dy AKSRes
AKS_RESOURCE_GROUP=m Secu r eour Azu r e oup
c eGr Con t ain er Regist r y
Plat f or m Pr ot ect ion Protecting
AKS_CLUSTER_NAM E=myour im age
y AKSCl us t errepositories the Azure way!
Section 2 ACR_RESOURCE_GROUP=my ACRRes our c eGr oup
ACR_NAME=myACRRegistry

# Get the id of the service principal configured for AKS
CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP \
  --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)

# Get the ACR registry resource id
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP \
  --query "id" --output tsv)

# Create role assignment
az role assignment create --assignee $CLIENT_ID --role acrpull --scope $ACR_ID

Access with Kubernetes Secrets:

#!/bin/bash
ACR_NAME=myacrinstance
SERVICE_PRINCIPAL_NAME=acr-service-principal

# Populate the ACR login server and resource id.
ACR_LOGIN_SERVER=$(az acr show --name $ACR_NAME --query loginServer --output tsv)
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

# Create acrpull role assignment with a scope of the ACR resource.
SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME \
  --role acrpull --scopes $ACR_REGISTRY_ID --query password --output tsv)

# Get the service principal client id.
CLIENT_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)

# Output used when creating Kubernetes secret.
echo "Service principal ID: $CLIENT_ID"
echo "Service principal password: $SP_PASSWD"
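The two echo lines at the end of the script hand the service principal's credentials to whoever creates the Kubernetes secret. The following Python is an added example, not the course's or Microsoft's code: it builds the imagePullSecret manifest in the form that kubectl create secret docker-registry produces from those three values, and decodes it again to show that anyone who can read secrets in the namespace recovers the registry password, which is why the principal is scoped to acrpull only. The secret name acr-secret, the namespace and the sample credential values are constructed.

```python
"""Build and decode the Kubernetes imagePullSecret that consumes the
output of the ACR service-principal script (added example, not part of
the course material). Secret name, namespace and credential values are
constructed."""
import base64
import json


def docker_config_json(login_server: str, client_id: str, password: str) -> str:
    # Same layout as ~/.docker/config.json: kubelet reads the "auths" map
    # and uses the base64 "auth" field (user:password) for that registry.
    auth = base64.b64encode(f"{client_id}:{password}".encode()).decode()
    return json.dumps({
        "auths": {
            login_server: {"username": client_id, "password": password, "auth": auth}
        }
    })


def image_pull_secret(name: str, namespace: str, login_server: str,
                      client_id: str, password: str) -> dict:
    # Equivalent to: kubectl create secret docker-registry <name> \
    #   --docker-server=<login_server> --docker-username=<client_id> \
    #   --docker-password=<password>
    cfg = docker_config_json(login_server, client_id, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def registry_credentials(secret: dict) -> dict:
    # Decode the secret back to {server: (username, password)}. This is
    # exactly what a principal with "get secrets" in the namespace sees,
    # so the service principal behind it must hold acrpull and nothing more.
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    out = {}
    for server, entry in cfg["auths"].items():
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        out[server] = (user, pw)
    return out


if __name__ == "__main__":
    # Constructed values standing in for ACR_LOGIN_SERVER, CLIENT_ID, SP_PASSWD.
    secret = image_pull_secret("acr-secret", "default", "myacrinstance.azurecr.io",
                               "00000000-0000-0000-0000-000000000000", "example-password")
    print(json.dumps(secret, indent=2))
    print(registry_credentials(secret))
```

The manifest can be applied with kubectl apply -f and referenced from a pod's imagePullSecrets; treat the namespace's secret read permission as equivalent to holding the registry credential.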
Security Operations
Configuring Security Services

Topics in this section include:

- Microsoft Azure Monitor [Review]: Keeping an eye on your Azure environment.
- Diagnostic Logging and Log Retention: Working with your log data.

Security Operations
Configuring Security Services: Microsoft Azure Monitor [Review]

Monitoring is the act of collecting and analyzing data to determine the performance, health, and availability of our business application and the resources it depends on.

Monitoring in Azure is primarily provided by Azure Monitor, which provides common stores for storing monitoring data, multiple data sources for collecting data from the different tiers supporting our application, and features for analyzing and responding to collected data, such as query and alert functionality.

References: Azure Monitor, Log Analytics, Log Search, AZ-300: Azure Monitor

Security Operations
Configuring Security Services: Diagnostic Logging and Retention

Diagnostic logs provide data about the operation of Azure resources. There are two different types of diagnostic logs:

- Tenant logs: Logs originating from tenant-level services such as Azure Active Directory.
- Resource logs: Logs originate from resources within an Azure subscription, such as network security groups or Storage accounts.

These do not include the Azure Activity Log or any OS-level logging.

See: Logging Options, Logging Settings, Diagnostic Logging and Retention

Security Operations
Configuring Security Services: Logging Options

We have a few options available for working with diagnostic logs:

- Save them to a Storage account for auditing or manual inspection.
- Stream them to event hubs for ingestion by a custom analytics solution such as Power BI.
- Analyze them with Azure Monitor.

Security Operations
Configuring Security Services: Logging Settings

Resource diagnostic logs are configured using resource diagnostic settings. Tenant diagnostic logs are configured using a tenant diagnostic setting. These settings determine:

- Diagnostic logs and metrics destinations.
- Log categories and metric data options.
- Retention time (Storage account only).

Security Operations
Security Policies

Topics in this section include:

- Just in Time VM Access Using Microsoft Azure Security Center: VM access only when required.
Security Operations
Security Policies: Just in Time VM Access Using Azure Security Center

Just-in-time (JIT) virtual machine (VM) access allows us to lock down access to our Azure virtual machines, allowing access only when required by our support personnel or other users.

Azure Security Center standard is required to configure this feature.

Security Center just-in-time VM access currently supports only VMs deployed through Azure Resource Manager.

To create or edit a JIT policy:
- Microsoft.Security/locations/jitNetworkAccessPolicies/write (subscription or resource group)
- Microsoft.Compute/virtualMachines/write (subscription, resource group, or VM)

To request JIT access:
- Microsoft.Security/locations/{the_location_of_the_VM}/jitNetworkAccessPolicies/initiate/action (subscription or resource group)
- Microsoft.Compute/virtualMachines/read (subscription, resource group, or VM)
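The two permission sets above are ordinary RBAC operation names, so whether a given role lets someone request JIT access without also being able to edit the policy can be checked from the role definition alone. The following Python is an added example, not Security Center's or the course's code: it applies Azure RBAC's Actions-minus-NotActions evaluation with wildcard matching to three constructed custom roles. The region name eastus stands in for the {the_location_of_the_VM} segment, and the Contributor-like role is a constructed approximation, not the built-in definition.

```python
"""Check which JIT operations an Azure RBAC role definition permits
(added example; not Security Center's or the course's own code).
Azure grants an operation when some entry in Actions matches it and no
entry in NotActions does; "*" matches any run of characters, including
"/", and operation names compare case-insensitively. The role
definitions below are constructed for the example."""
import re

# Operations required to create or edit a JIT policy (from the slide).
JIT_POLICY_EDIT = (
    "Microsoft.Security/locations/jitNetworkAccessPolicies/write",
    "Microsoft.Compute/virtualMachines/write",
)

# Operations required to request JIT access (from the slide); "eastus"
# is a constructed value for the {the_location_of_the_VM} segment.
JIT_REQUEST = (
    "Microsoft.Security/locations/eastus/jitNetworkAccessPolicies/initiate/action",
    "Microsoft.Compute/virtualMachines/read",
)


def _matches(pattern: str, operation: str) -> bool:
    # Turn an Actions/NotActions pattern into a regex: "*" becomes ".*",
    # everything else is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str) -> bool:
    allowed = any(_matches(a, operation) for a in role.get("Actions", []))
    denied = any(_matches(n, operation) for n in role.get("NotActions", []))
    return allowed and not denied


def jit_capabilities(role: dict) -> dict:
    return {
        "can_edit_policy": all(role_permits(role, op) for op in JIT_POLICY_EDIT),
        "can_request_access": all(role_permits(role, op) for op in JIT_REQUEST),
    }


# Constructed custom roles for the example.
JIT_REQUESTER = {
    "Name": "JIT Requester (constructed)",
    "Actions": [
        "Microsoft.Security/locations/*/jitNetworkAccessPolicies/initiate/action",
        "Microsoft.Compute/virtualMachines/read",
    ],
    "NotActions": [],
}

READ_ONLY_ROLE = {
    "Name": "Read-only (constructed)",
    "Actions": ["*/read"],
    "NotActions": [],
}

CONTRIBUTOR_LIKE = {
    "Name": "Contributor-like (constructed)",
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write"],
}

if __name__ == "__main__":
    for role in (JIT_REQUESTER, READ_ONLY_ROLE, CONTRIBUTOR_LIKE):
        print(role["Name"], jit_capabilities(role))
```

The JIT Requester role is the least-privilege shape for support staff: it can open a JIT window but cannot widen the policy, while a read-only role cannot request access at all because the initiate operation is an action, not a read.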
Security Operations
Security Alerts

Topics in this section include:

- Reviewing and Responding to Alerts and Recommendations
- Microsoft Azure Security Center Playbooks

Security Operations
Security Alerts: Reviewing and Responding to Alerts and Recommendations

Security Alerts:
Based on data collected by Azure Security Center, threats are detected. For each threat, an alert is generated.

A list of alerts is shown in Security Center along with the information we need to quickly investigate the problem and recommendations for how to remediate an attack.

Recommendations:
Recommendations are actions to take to secure our resources. The recommendations are based on best practices and trusted security advisories.

Each recommendation provides the following:
- A description.
- Remediation steps.
- Affected resources.
- Secure score impact.

Security Operations
Security Alerts: Microsoft Azure Security Center Playbooks

A security playbook is simply a collection of procedures. These procedures are executed when a playbook is triggered. Security alerts are the trigger that starts a playbook running.

Playbooks can help us craft and execute automated responses to security alerts, helping us manage our Azure environment with little administrative effort.

Security playbooks in Security Center are based on Azure Logic Apps.
Secure Data and Applications
Data Security

Topics in this section include:

- Data Classification Using Azure Information Protection
- Storage Analytics Data Retention Policies
- Data Sovereignty with Azure Policy

Secure Data and Applications
Data Security: Data Classification Using Azure Information Protection

Topics:
- What Is Azure Information Protection (AIP)?
- AIP Permissions
- Labelling Data in AIP

Secure Data and Applications
Data Classification Using Azure Information Protection: What Is AIP?

Azure Information Protection (AIP) is a cloud-based rights management solution that helps our organization classify and protect documents and emails.

Classification is achieved by applying labels. Labels determine the confidentiality of the data based on conditions that can be set by administrators or optionally by end users. AIP can also recommend certain labels be applied to documents and emails based on the type of data created.

Azure Active Directory Premium P1 or P2 licenses are required to use AIP. A comparison of AIP features can be found here.

[Screenshot: AIP in Microsoft Word]

Secure Data and Applications
Data Classification Using Azure Information Protection: Permissions

AIP includes several built-in permission sets for access to labeled data. These roles can be applied to members of our Azure Active Directory as well as external recipients (specified by internet domain name).

- Co-Owner
- Co-Author
- Reviewer
- Viewer
- Custom
Secure Data and Applications
Data Classification Using Azure Information Protection: Labelling

In AIP, labels determine the classification of a piece of data. Data labelled "General" is not protected and can be distributed inside and outside of an organization, whereas data labelled "Confidential" cannot. Labels can be applied manually to a piece of data or can be applied automatically based on conditions, such as the data format.

AIP contains 100 preconfigured conditions, or we can create our own based upon a regular expression.

Applying conditions to a label requires Azure Active Directory P2 licensing.

[Screenshot: AIP in Microsoft Word]
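The labelling behaviour described above, as an added Python example that is not AIP's code: documents are matched against regular-expression conditions, the first matching rule either applies its label automatically or only recommends it, and the resulting label decides whether the data may leave the organization. The label names follow the slide; the condition patterns, rule thresholds and sample documents are constructed, and the card-number condition additionally runs a Luhn checksum so that the pattern alone does not flag arbitrary 16-digit strings.

```python
"""Condition-based labelling of the kind the slide describes (added
example, not AIP's own code). Label names follow the slide; the
conditions, thresholds and sample documents are constructed."""
import re

# Constructed conditions. A real policy would choose from AIP's built-in
# conditions or supply its own regular expression, as the slide says.
CONDITIONS = {
    "card-number-like": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "us-ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(number: str) -> bool:
    # Payment-card checksum: from the right, double every second digit,
    # subtract 9 from results above 9, and require the sum to be a
    # multiple of 10. Non-digits (spaces, dashes) are ignored.
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_matches(condition: str, text: str) -> int:
    hits = CONDITIONS[condition].findall(text)
    if condition == "card-number-like":
        hits = [h for h in hits if luhn_ok(h)]
    return len(hits)


# Rules are checked from most to least sensitive; the first whose
# conditions fire decides. "mode" is "automatic" (label applied) or
# "recommended" (user is prompted and may override).
LABEL_RULES = [
    {"label": "Confidential", "protected": True, "mode": "automatic",
     "conditions": ["card-number-like"], "min_count": 1},
    {"label": "Confidential", "protected": True, "mode": "recommended",
     "conditions": ["us-ssn-like"], "min_count": 1},
    {"label": "General", "protected": False, "mode": "automatic",
     "conditions": [], "min_count": 0},
]


def classify(text: str) -> dict:
    """Return the label decision for one document."""
    for rule in LABEL_RULES:
        hits = sum(count_matches(c, text) for c in rule["conditions"])
        if hits >= rule["min_count"]:
            return {"label": rule["label"], "protected": rule["protected"],
                    "mode": rule["mode"], "matches": hits}
    return {"label": None, "protected": False, "mode": None, "matches": 0}


def may_send_externally(text: str) -> bool:
    # "General" data may leave the organization; protected data may not.
    return not classify(text)["protected"]


if __name__ == "__main__":
    # Constructed sample documents.
    for doc in ("Quarterly newsletter draft",
                "Card on file: 4111 1111 1111 1111",
                "Ref 4111 1111 1111 1112",
                "SSN 123-45-6789 on record"):
        print(classify(doc), "external ok:", may_send_externally(doc))
```

The third sample passes the regular expression but fails the checksum and therefore stays "General"; in a real deployment the recommended-mode rule is the one to use when the condition has a meaningful false-positive rate, because it keeps the user in the loop.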
Secure Data and Applications
Data Security: Storage Analytics Data Retention Policies

In our Diagnostic Logging and Retention lesson, we discussed the ability to configure the retention settings on Azure Storage Accounts. If we wish to retain our storage analytics logging data, then there are a few things we should take note of.

- By default, Storage Analytics will not delete any logging or metrics data.
- Blobs and table entities will continue to be written until the shared 20TB limit is reached.
- Once the 20TB limit is reached, Storage Analytics will stop writing new data and will not resume until free space is available.

To better manage this data, we can create a retention policy. Retention policies can be created via the REST API or in the Azure Portal.
Secure Data and Applications
Data Security: Data Sovereignty with Azure Policy

Sometimes, due to governmental or other regulations, it is necessary to ensure our organizational data resides in a particular country of origin. In Azure, we are able to create Azure resources in regions located all over the world. To enforce data sovereignty, we can use Azure Policy to enforce where Azure resources and the data contained therein are located.

Azure Policy contains many preconfigured policies to assist us with our compliance goals. One of these determines allowed locations where Azure resources can be deployed.

Reference: Azure Allowed Locations Policy
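How the allowed-locations policy mentioned above decides a deployment request, as an added Python example that is not the Azure Policy engine: a small evaluator for the policy-rule language (allOf/anyOf/not, equals/notEquals/in/notIn, parameter references) run over a definition modelled on the built-in Allowed locations policy. The allowed-location list and the sample resource requests are constructed; the exemption for the global pseudo-location is there because location-independent resources such as DNS zones report it and would otherwise be denied everywhere.

```python
"""Minimal evaluator for an Azure Policy deny rule, showing how an
allowed-locations assignment enforces data sovereignty at deployment
time. Added example; not the Azure Policy engine. The definition is
modelled on the built-in "Allowed locations" policy; the parameter value
and resource requests are constructed."""

ALLOWED_LOCATIONS_POLICY = {
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                {"field": "location", "notEquals": "global"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

PARAM_PREFIX, PARAM_SUFFIX = "[parameters('", "')]"


def _resolve(value, params):
    # Only the [parameters('name')] expression form is needed here.
    if isinstance(value, str) and value.startswith(PARAM_PREFIX) and value.endswith(PARAM_SUFFIX):
        return params[value[len(PARAM_PREFIX):-len(PARAM_SUFFIX)]]
    return value


def _norm(value):
    # Location names compare case-insensitively.
    return value.lower() if isinstance(value, str) else value


def condition_matches(cond, resource, params):
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in {_norm(v) for v in _resolve(cond["in"], params)}
    if "notIn" in cond:
        return actual not in {_norm(v) for v in _resolve(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, params, resource):
    """Return the rule's effect ("deny") when it matches the request,
    otherwise "allow" (the deployment proceeds)."""
    rule = policy["policyRule"]
    if condition_matches(rule["if"], resource, params):
        return rule["then"]["effect"]
    return "allow"


def audit(policy, params, resources):
    """Evaluate several requests; returns {resource name: effect}."""
    return {r["name"]: evaluate(policy, params, r) for r in resources}


if __name__ == "__main__":
    # Constructed assignment parameter and resource requests.
    params = {"listOfAllowedLocations": ["westeurope", "northeurope"]}
    requests = [
        {"name": "stg-eu", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope"},
        {"name": "stg-us", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
        {"name": "dns-zone", "type": "Microsoft.Network/dnsZones", "location": "global"},
    ]
    for name, effect in audit(ALLOWED_LOCATIONS_POLICY, params, requests).items():
        print(f"{name}: {effect}")
```

Assigning the policy at the subscription or management-group scope is what makes the check apply to every deployment; resources created before the assignment are reported as non-compliant rather than removed.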
Secure Data and Applications
Azure Key Vault

Topics in this section include:

- What Is Azure Key Vault?
- Managing Access to Key Vault, Secrets, Certificates, and Keys
- Managing Certificates and Secrets

Secure Data and Applications
Azure Key Vault: What Is Azure Key Vault?

Azure Key Vault helps safeguard and manage keys for cryptography and secrets used by Azure applications and services.

With Azure Key Vault, we can perform the following tasks:

- Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Create and control the encryption keys used to encrypt data.
- Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with internal connected resources.
- Azure Resource Manager templates can access secrets and keys stored in key vault during deployment of other Azure resources.

Secure Data and Applications
Azure Key Vault: Managing Access to Key Vault, Secrets, Certificates, and Keys

Because Azure Key Vault data is sensitive and business critical, we need to secure access to our key vaults by allowing only authorized applications and users.

Access to Azure Key Vault is controlled by an access policy. Access policies determine what privileges are granted for keys, secrets, and certificates stored in Key Vault.

RBAC is also used to determine access to the Key Vault resource.

Secure Data and Applications
Azure Key Vault: Managing Certificates and Secrets

We can use the Azure Portal, PowerShell, and the CLI to set and retrieve both secrets and certificates from Azure Key Vault.

[Screenshot: Key Vault in the Azure Portal]

Secure Data and Applications
Security for Data Infrastructure

Topics in this section include:

- Database Authentication and Auditing
- Azure SQL Database Threat Protection
- Managing Access Control and Keys for Storage Accounts [Review]
- Security for HDInsight
- Security for Cosmos DB
- Security for Microsoft Azure Data Lake

Secure Data and Applications
Security for Data Infrastructure: Database Authentication and Auditing

Topics:
- SQL Database Authentication with Azure AD
- SQL Database Auditing
Secure Data and Applications
Database Authentication and Auditing: SQL Database Authentication with Azure AD

By default, Azure SQL databases, managed instances, and data warehouses use local user accounts for authentication. When one of the above-mentioned resources is initially deployed, a SQL server account is created for administration (think SA account in MS SQL Server).

Azure Active Directory can be configured to simplify authentication to any of these resources. Benefits to Azure AD authentication are:

- Single user account for DB authentication.
- Password strength based on Azure AD policies.
- Support for ADFS authentication.
- Support for MFA.
- Use of SQL management tools with Azure AD authentication.

In order to integrate with Azure AD, an Azure AD administrator must be assigned to the SQL database, managed instance, or data warehouse. This can be either a user or group object. This user or group can assign other Azure AD users and groups to SQL resources.
Secure Data and Applications
Database Authentication and Auditing: SQL Database Auditing

Auditing SQL databases and data warehouses helps us maintain compliance and gain insight into the activity in these critical Azure resources.

We can use SQL auditing to retain auditing data of events pertaining to our SQL databases, create reports on database activity, and analyze these reports with Azure Monitor to discover unusual events and activities.

SQL audit logs can be configured for the SQL server as a whole or at the individual database level. If you define server-level auditing, database-level auditing will be enabled as well. If you audit both server-level and database-level components, then some audit data will be captured twice. Be careful when doing this, as you could deplete the space allocated for auditing data in your Azure storage account. See Diagnostic Logging and Retention for more information.

Auditing logs can be sent to Azure storage accounts, Log Analytics (to be used by Azure Monitor), or Event Hub (to be ingested by a third-party solution or Power BI).

Logging can be configured using the Azure Portal, PowerShell, the REST API, or ARM templates.

Secure Data and Applications
Security for Data Infrastructure: Azure SQL Database Threat Protection

Advanced Threat Protection, part of Advanced Data Security in SQL databases, can help protect your Azure SQL infrastructure by detecting and alerting on activities indicating unusual and potentially harmful attempts to access or exploit databases.

Advanced Threat Protection can identify potential SQL injections, access from an unusual location or data center, access from an unfamiliar principal or potentially harmful application, and brute force SQL credentials.

Notifications on alerts can be viewed in the Azure Portal or e-mailed.

Advanced data security is a premium service that entails additional cost. Refer to Azure pricing for more information.
Secure Data and Applications
Security for Data Infrastructure: Managing Access Control and Keys for Storage Accounts [Review]

Azure storage accounts are the repositories for data accessed by users, applications, and other Azure services. Locking down these storage accounts is a critical component of Azure security.

We can use several different methods for securing storage accounts. We can utilize access keys, which grant the user full control to the entire storage account.

We can also use shared access signatures (SAS), which grant fine-grained access to storage account services. For example, we can apply an SAS to grant read-only access to a blob container within a storage account.

References: Storage Account Security, AZ-300 Blueshift Guide
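Before issuing a SAS such as the read-only container token described above, it is worth checking the token itself for least privilege. The following Python is an added example, not the course's or the Azure SDK's code: it parses the standard SAS query parameters (sv, sp, sr/ss/srt, st, se, si, spr, sig) and reports over-broad permissions, account-wide scope, missing or excessive expiry, and a missing HTTPS restriction. The tokens in it are constructed with placeholder signatures and do not work against any account.

```python
"""Audit a shared access signature (SAS) query string for least
privilege before handing it to a client (added example; not the course's
or the Azure SDK's code). Parameter names are the standard SAS ones; the
tokens used below are constructed with placeholder signatures."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

SAS_TIME = "%Y-%m-%dT%H:%M:%SZ"
READ_ONLY = {"r", "l"}  # read and list; every other sp letter can change data


def _utc(value: str) -> datetime:
    return datetime.strptime(value, SAS_TIME).replace(tzinfo=timezone.utc)


def audit_sas(token: str, now_iso: str, max_lifetime_hours: int) -> list:
    """Return findings for one SAS; an empty list means it passes."""
    params = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    now = _utc(now_iso)
    findings = []

    # sp: granted permissions, e.g. "rl" for read+list on a container.
    extra = set(params.get("sp", "")) - READ_ONLY
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))

    # ss/srt only appear on an account SAS, which spans services and
    # resource types; a service SAS (sr) is scoped to one container/blob.
    if "srt" in params or "ss" in params:
        findings.append("account SAS: spans services and resource types; "
                        "prefer a service SAS scoped to one container or blob")

    if "se" in params:
        expiry = _utc(params["se"])
        start = _utc(params["st"]) if "st" in params else now
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - start > timedelta(hours=max_lifetime_hours):
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime_hours}h")
    elif "si" in params:
        # Expiry comes from a stored access policy on the container, which
        # also allows the token to be revoked by editing that policy.
        findings.append(f"expiry delegated to stored access policy {params['si']}; "
                        "verify it on the container")
    else:
        findings.append("no expiry (se); token never expires on its own")

    if params.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr=https missing)")

    if "sig" not in params:
        findings.append("no signature (sig); not a valid SAS")
    return findings


if __name__ == "__main__":
    # Constructed tokens; signatures are placeholders.
    good = ("sv=2020-08-04&sp=rl&sr=c&st=2024-01-01T12:00:00Z"
            "&se=2024-01-01T14:00:00Z&spr=https&sig=PLACEHOLDER")
    bad = "sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup&se=2025-01-01T00:00:00Z&sig=PLACEHOLDER"
    for t in (good, bad):
        print(audit_sas(t, "2024-01-01T12:00:00Z", 4) or ["ok"])
```

Run it against tokens found in configuration files or pipeline variables; a SAS that fails the expiry or permission checks should be reissued from a stored access policy so it can be revoked without rotating the account key.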
Secure Data and Applications
Security for Data Infrastructure: Security for HDInsight

Enterprise Security Package (ESP) clusters provide multi-user access on Azure HDInsight clusters. HDInsight clusters with ESP are connected to a domain so domain users can use their domain credentials to authenticate with the clusters and run big data jobs.

In order to create an HDInsight cluster with ESP, Azure Active Directory Domain Services (Azure AD DS) must be deployed in our Azure tenant.

Once enabled, a managed identity for the HDInsight cluster must be created and assigned the HDInsight Domain Services Contributor role in the AD DS instance.

Once these prerequisites are complete, the HDInsight cluster with ESP can be deployed in Azure.

Reference: Microsoft: HDInsight with ESP
Secure Data and Applications
Security for Data Infrastructure
Security for Cosmos DB

Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources:

- Master keys: used for administrative resources such as database accounts, databases, users, and permissions.
- Resource tokens: used for application resources such as containers, documents, attachments, stored procedures, triggers, and UDFs.

Each account consists of two master keys: a primary key and a secondary key. The purpose of dual keys is so we can regenerate or roll keys, providing continuous access to our account and data.

We can use a resource token (by creating Cosmos DB users and permissions) when we want to provide access to resources in our Cosmos DB account to a client that cannot be trusted with the master key.

Microsoft: Azure Cosmos DB
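The key roll the slide describes, as an added example that is not part of the course material: the secondary key is regenerated while clients still use the primary, clients are moved over, and only then is the primary regenerated. Resource group, account and Key Vault names are placeholders; resource tokens themselves are issued through the Cosmos DB SDK/REST API, not through these cmdlets.

```powershell
# Added example (not from the course): roll the Cosmos DB master keys without
# interrupting clients. Resource group, account and vault names are placeholders.
$rg      = "rg-data-example"
$account = "cosmos-example"
$vault   = "kv-example"

function Get-CosmosMasterKeys {
    # Returns the current primary and secondary master keys of the account.
    Get-AzCosmosDBAccountKey -ResourceGroupName $rg -Name $account -Type "Keys"
}

# 1. Every consumer is still on the PRIMARY key, so the SECONDARY key is idle
#    and can be regenerated without breaking anyone.
New-AzCosmosDBAccountKey -ResourceGroupName $rg -Name $account -KeyKind "secondary"

# 2. Hand the fresh secondary key to the applications. Here they read the key
#    from a Key Vault secret, so updating the secret is the cut-over.
$keys   = Get-CosmosMasterKeys
$secret = ConvertTo-SecureString -String $keys.SecondaryMasterKey -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name "cosmos-master-key" -SecretValue $secret | Out-Null

# 3. Once all clients have reloaded the secret, the old PRIMARY key is idle;
#    regenerate it so any leaked copy stops working.
New-AzCosmosDBAccountKey -ResourceGroupName $rg -Name $account -KeyKind "primary"

# Read-only keys roll the same way with -KeyKind "primaryReadonly" / "secondaryReadonly".
# Next roll starts from step 1 again with the roles of the two keys swapped.
```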
Security for Microsoft Azure Data Lake

Securing data in Azure Data Lake Storage uses a combination of Azure AD role-based permissions and access control lists within the Data Lake file system.

- AAD security principals control access to the Data Lake Storage Gen1 account from the portal and management operations from the portal or through APIs.
- These principals also regulate access control on the data stored in Data Lake Storage Gen1.
- We can also lock down access to the Data Lake at the network level by using a resource firewall.
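The three controls in the list above applied to one Data Lake Storage Gen1 account, as an added example that is not part of the course material: an RBAC role on the account, POSIX-style ACLs in the file system, and the resource firewall. Account name, group object ID, folder path and IP range are placeholders.

```powershell
# Added example (not from the course): RBAC + file-system ACLs + resource firewall on a
# Data Lake Storage Gen1 account. All names, IDs and addresses below are placeholders.
$rg        = "rg-data-example"
$adlsName  = "adlsexample"
$analystId = "00000000-0000-0000-0000-000000000001"   # Azure AD object ID of an analyst group

# 1. Management plane: an RBAC role on the account controls who can manage the resource.
#    Reader lets the group see the account in the portal without changing its settings.
$accountId = (Get-AzDataLakeStoreAccount -ResourceGroupName $rg -Name $adlsName).Id
New-AzRoleAssignment -ObjectId $analystId -RoleDefinitionName "Reader" -Scope $accountId

# 2. Data plane: ACLs inside the file system control who can read which data.
#    Execute on the root is needed to traverse into child folders;
#    ReadExecute on the data folder grants listing and reading.
Set-AzDataLakeStoreItemAclEntry -Account $adlsName -Path "/" -AceType Group -Id $analystId -Permissions Execute
Set-AzDataLakeStoreItemAclEntry -Account $adlsName -Path "/curated" -AceType Group -Id $analystId -Permissions ReadExecute -Recurse
# A default ACE makes files created later under /curated inherit the same entry.
Set-AzDataLakeStoreItemAclEntry -Account $adlsName -Path "/curated" -AceType Group -Id $analystId -Permissions ReadExecute -Default

# 3. Network: enable the resource firewall and allow only the corporate egress range.
Set-AzDataLakeStoreAccount -Name $adlsName -FirewallState Enabled -AllowAzureIpState Disabled
Add-AzDataLakeStoreFirewallRule -Account $adlsName -Name "corp-egress" `
    -StartIpAddress "203.0.113.0" -EndIpAddress "203.0.113.255"

# Verify the effective ACL on the data folder and the firewall rules now in force.
Get-AzDataLakeStoreItemAclEntry -Account $adlsName -Path "/curated"
Get-AzDataLakeStoreFirewallRule -Account $adlsName
```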
Encryption for Data at Rest

Topics in this section include:

- Microsoft Azure SQL Database Always Encrypted
- Database Encryption [Review]
- Storage Service Encryption
- Disk Encryption
- Backup Encryption
Microsoft Azure SQL Database Always Encrypted

Always Encrypted is a data encryption technology in Azure SQL Database and SQL Server that helps protect sensitive data at rest on the server, during movement between client and server, and while the data is in use. This ensures sensitive data never appears as plaintext inside the database system.

After we encrypt data, only client applications or app servers that have access to the keys can access plaintext data.

Always Encrypted is configured in SQL Server Management Studio using the Always Encrypted Wizard.

We can use Always Encrypted to encrypt entire databases or individual columns and rows within the database.
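The same setup the SSMS wizard performs, done with the SqlServer PowerShell module as an added example that is not part of the course material: a column master key held in Azure Key Vault (the server never sees it), a column encryption key wrapped by it, and two columns encrypted. Server, database, vault, key and table names are placeholders, and the signed-in user is assumed to hold get, wrapKey, unwrapKey, sign and verify permissions on the vault key.

```powershell
# Added example (not from the course): Always Encrypted via the SqlServer module
# with the column master key in Azure Key Vault. All names are placeholders.
Import-Module SqlServer

$serverName   = "sqlsrv-example.database.windows.net"
$databaseName = "Clinic"
$vaultName    = "kv-example"

# Connect with a SQL login that may create key metadata in the database.
$cred = Get-Credential -Message "SQL login with ALTER ANY COLUMN MASTER KEY / COLUMN ENCRYPTION KEY"
$connection = New-Object Microsoft.SqlServer.Management.Common.ServerConnection(
    $serverName, $cred.UserName, $cred.GetNetworkCredential().Password)
$connection.Connect()
$server   = New-Object Microsoft.SqlServer.Management.Smo.Server($connection)
$database = $server.Databases[$databaseName]

# The module must be able to reach Key Vault itself to wrap the column encryption key.
Add-SqlAzureAuthenticationContext -Interactive

# Column master key (CMK): an RSA key in Key Vault; only its URL is stored in the database.
$akvKey      = Add-AzKeyVaultKey -VaultName $vaultName -Name "AlwaysEncryptedCMK" -Destination Software
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyUrl $akvKey.Id
New-SqlColumnMasterKey -Name "CMK1" -InputObject $database -ColumnMasterKeySettings $cmkSettings

# Column encryption key (CEK): generated client-side, wrapped by the CMK, stored encrypted.
New-SqlColumnEncryptionKey -Name "CEK1" -InputObject $database -ColumnMasterKey "CMK1"

# Deterministic encryption allows equality lookups and joins on the column;
# randomized is stronger but the column can no longer be searched or grouped.
$ces  = @()
$ces += New-SqlColumnEncryptionSettings -ColumnName "dbo.Patients.SSN" `
            -EncryptionType Deterministic -EncryptionKey "CEK1"
$ces += New-SqlColumnEncryptionSettings -ColumnName "dbo.Patients.BirthDate" `
            -EncryptionType Randomized -EncryptionKey "CEK1"
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $ces -LogFileDirectory .
```

After this, queries that return these columns must run from a client whose connection string sets Column Encryption Setting=Enabled and which can reach the Key Vault key; any other client only ever sees ciphertext.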
Database Encryption [Review]

Database encryption is available for Azure SQL Server, SQL Database, SQL Data Warehouse, Cosmos DB, and Data Lake using various technologies.

In Linux Academy's Microsoft Azure Exam DP-200 - Implementing an Azure Data Solution course, Brian Roehm explains how encryption is achieved for each type of Azure database solution.

DP-200: Diagram - Encryption at Rest and in Motion
Storage Service Encryption

Azure Storage automatically encrypts your data with 256-bit AES encryption. Data in Azure Storage is encrypted and decrypted transparently.

Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled.

All Azure Storage account tiers and deployment models are encrypted.

Azure customers can choose to have Microsoft manage the encryption key for storage accounts, or we can provide our own key and manage it using Azure Key Vault.

Customer-managed keys can be configured using the Azure Portal, PowerShell, and the Azure CLI.
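Moving a storage account from the Microsoft-managed key to a customer-managed key in Key Vault, as an added example that is not part of the course material. Resource group, account, vault and key names are placeholders; the account is assumed to already exist.

```powershell
# Added example (not from the course): customer-managed key (CMK) for Storage Service
# Encryption. Resource group, account, vault and key names are placeholders.
$rg     = "rg-data-example"
$saName = "stexamplecmk"
$kvName = "kv-example"

# 1. A vault used for CMK needs purge protection: if the key could be purged,
#    every blob encrypted under it would become unreadable with it.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location "eastus" -EnablePurgeProtection

# 2. Give the storage account a system-assigned identity and let only that identity
#    wrap/unwrap with the key; no secret is ever copied into the storage service.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AssignIdentity
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys get,wrapkey,unwrapkey

# 3. Create the key and point the account at that key version.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name "storage-cmk" -Destination Software
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -KeyvaultEncryption `
    -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $kv.VaultUri | Out-Null

# 4. Verify the account now reports Key Vault as its key source instead of Microsoft.Storage.
function Test-StorageUsesCmk {
    param([string]$ResourceGroupName, [string]$AccountName)
    $enc = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AccountName).Encryption
    return $enc.KeySource -eq "Microsoft.Keyvault"
}
if (-not (Test-StorageUsesCmk -ResourceGroupName $rg -AccountName $saName)) {
    throw "Storage account '$saName' is still using a Microsoft-managed key."
}
```

Rotating the key later means creating a new key version and re-running step 3 with the new version; data is not re-encrypted, only the wrapped data encryption key is.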
Disk Encryption

Azure customers can choose to encrypt their Virtual Machine managed disks to protect data.

Azure uses BitLocker disk encryption for Windows managed disks and dm-crypt disk encryption for Linux managed disks.

Standard and premium disks can benefit from disk encryption.

We can use Azure Security Center to be alerted of any virtual machines not utilizing disk encryption and view instructions on how to encrypt these disks.

Azure Key Vault can be used to manage keys used to encrypt disks.

Azure Disk Encryption requires that your key vault and VMs reside in the same Azure region and subscription.
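Enabling Azure Disk Encryption on a Windows VM, as an added example that is not part of the course material; it checks the same-region, same-subscription requirement stated above before touching the VM. Resource group, VM and vault names are placeholders.

```powershell
# Added example (not from the course): Azure Disk Encryption with the co-location
# check the slide requires. Resource group, VM and vault names are placeholders.
$rg     = "rg-vm-example"
$vmName = "vm-example"
$kvName = "kv-example"

function Test-AdeColocation {
    # ADE requires the key vault and the VM to share a region and a subscription.
    param($Vm, $Vault)
    # The subscription ID is the second segment of any resource ID: /subscriptions/<id>/...
    $vmSub = ($Vm.Id -split "/")[2]
    $kvSub = ($Vault.ResourceId -split "/")[2]
    # Normalize "East US" vs "eastus" before comparing regions.
    $vmLoc = ($Vm.Location -replace "\s", "")
    $kvLoc = ($Vault.Location -replace "\s", "")
    return ($vmLoc -eq $kvLoc) -and ($vmSub -eq $kvSub)
}

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$kv = Get-AzKeyVault -VaultName $kvName
if (-not (Test-AdeColocation -Vm $vm -Vault $kv)) {
    throw "Key vault '$kvName' must be in the same region and subscription as VM '$vmName'."
}

# The vault must be enabled for disk encryption so the platform can store the
# BitLocker (Windows) or dm-crypt (Linux) volume key in it.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -EnabledForDiskEncryption

# Encrypt OS and data volumes; the VM reboots during the operation.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Per-volume status; this is the same signal Security Center uses for its
# "disk encryption should be applied" recommendation.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```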
Disk Encryption: Supported Operating Systems

Windows:

- Workstation: Windows 8 and later
- Server: Windows Server 2008 R2 and later

Linux:

- Ubuntu: 14.04.5, 16.04, 18.04
- RHEL: 6.7, 6.8, 7.2 - 7.6
- CentOS: 6.8, 7.2n, 7.3 - 7.6
- openSUSE: 42.3
- SLES: 12-SP3, SP4
Backup Encryption

Backups in Azure are encrypted with AES-256 encryption and are transmitted to the Azure Backup vault using secure HTTPS communication.

Azure backups are encrypted at rest by default. No configuration is necessary to enable this feature.

- On-premises backups use the passphrase configured when installing the Azure Backup client.
- Azure VMs are encrypted at rest using Storage Service Encryption.

If the passphrase created at client installation is lost, then the backup data is unrecoverable.

Azure Key Vault can be used to store Azure backup passphrases as secrets.
Security for Application Delivery

Topics in this section include:

- Implementing Security Validations for Application Development
- Synthetic Security Transactions to Monitor Site Availability
- SSL/TLS Certificates
- Protecting Web Apps
Implementing Security Validations for Application Development

Application development using PaaS resources allows easier deployment of web and mobile applications, as we, the end user, are no longer responsible for items such as physical infrastructure and networking.

This is not to say that security is no longer of importance when developing and deploying PaaS-based applications. Caution must be taken when securing these applications, which by design are more vulnerable than on-premises applications.

Some best practices for securing PaaS applications:

- Adopt a policy of identity as the primary security perimeter.
- Secure your keys and credentials to secure your PaaS deployment.
- Manage your PaaS resources directly whenever possible.
- Use strong authentication and authorization.
- Use a web application firewall.
- Monitor app performance.
- Perform penetration testing.
Synthetic Security Transactions to Monitor Site Availability

Azure Application Insights can be used to monitor App Service by running recurring tests to monitor availability and responsiveness.

Performance and availability issues could be a result of underlying security problems, so it is recommended to run these tests often.

There are three types of availability tests:

- URL ping test
- Multi-step web test
- Custom track availability tests
SSL/TLS Certificates

Private and public SSL certificates can be used to secure communication on Azure Web Apps. Combined with custom domains, we can give our applications a "vanity" namespace for user access.

App Service Plans in the Basic, Standard, Premium, or Isolated tiers are required to use custom SSL certificates.

Certificates can be managed with the Azure Portal, CLI, or PowerShell.
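Binding a custom certificate to a Web App with PowerShell, as an added example that is not part of the course material; it first checks the plan tier requirement stated above, then binds the certificate and turns off plaintext HTTP and old TLS versions so the certificate is actually enforced. Resource group, app, hostname and PFX path are placeholders.

```powershell
# Added example (not from the course): custom SSL/TLS certificate on an Azure Web App.
# Resource group, app name, hostname and certificate path are placeholders.
$rg       = "rg-web-example"
$appName  = "webapp-example"
$hostName = "www.example.com"
$pfxPath  = "C:\certs\www-example-com.pfx"

# Custom certificates need a Basic or higher plan; Free and Shared plans cannot bind them.
$webApp   = Get-AzWebApp -ResourceGroupName $rg -Name $appName
$planName = $webApp.ServerFarmId.Split("/")[-1]
$plan     = Get-AzAppServicePlan -ResourceGroupName $rg -Name $planName
if ($plan.Sku.Tier -in @("Free", "Shared")) {
    throw "Plan tier '$($plan.Sku.Tier)' cannot use custom SSL certificates; scale to Basic or higher."
}

# Upload the PFX and bind it to the custom hostname with SNI. The hostname must
# already be added to the app as a custom domain.
$pfxSecure = Read-Host -Prompt "PFX password" -AsSecureString
$pfxPlain  = [System.Net.NetworkCredential]::new("", $pfxSecure).Password
New-AzWebAppSSLBinding -ResourceGroupName $rg -WebAppName $appName -Name $hostName `
    -CertificateFilePath $pfxPath -CertificatePassword $pfxPlain -SslState SniEnabled

# A bound certificate protects nothing if HTTP is still answered: redirect all
# plaintext requests and refuse TLS 1.0/1.1.
Set-AzWebApp -ResourceGroupName $rg -Name $appName -HttpsOnly $true -MinTlsVersion "1.2" | Out-Null

# Read back the bindings to confirm the hostname, thumbprint and SSL state.
Get-AzWebAppSSLBinding -ResourceGroupName $rg -WebAppName $appName
```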
Protecting Web Apps

Azure Web Apps can be protected by deploying other Azure resources such as Application Gateway and Web Application Firewall in front of your web apps.

Application Gateways provide network load balancing and traffic management for Azure virtual machines, virtual machine scale-sets, and app services. With an application gateway, we can configure URL-based routing and multi-site hosting along with other features to increase the availability of web applications.

Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of our web applications from common exploits and vulnerabilities. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.0 or 2.2.9.
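Switching on the WAF with the OWASP 3.0 rule set on an existing Application Gateway, as an added example that is not part of the course material. Resource group and gateway names are placeholders, and the gateway is assumed to already front the web app.

```powershell
# Added example (not from the course): enable the Application Gateway WAF with
# OWASP core rule set 3.0. Resource group and gateway names are placeholders.
$rg     = "rg-web-example"
$gwName = "appgw-example"

$appgw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName

# The firewall only exists on the WAF SKUs; a Standard gateway has nothing to enable.
function Test-AppGwSupportsWaf {
    param($Gateway)
    return $Gateway.Sku.Tier -like "WAF*"
}
if (-not (Test-AppGwSupportsWaf -Gateway $appgw)) {
    throw "Gateway '$gwName' is tier '$($appgw.Sku.Tier)'; a WAF or WAF_v2 SKU is required."
}

# Detection mode only logs rule matches; Prevention mode blocks the request.
# Run in Detection first while tuning false positives, then switch to Prevention.
$appgw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $appgw `
    -Enabled $true -FirewallMode "Prevention" -RuleSetType "OWASP" -RuleSetVersion "3.0" `
    -RequestBodyCheck $true -MaxRequestBodySizeInKb 128

# Commit the change to the running gateway, then read back the effective configuration.
$appgw = Set-AzApplicationGateway -ApplicationGateway $appgw
Get-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $appgw
```

Use -RuleSetVersion "2.2.9" for the older rule set the slide mentions; matched and blocked requests appear in the gateway's ApplicationGatewayFirewallLog diagnostic category.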
Exam Preparation

The AZ-500 Exam

About the Exam:

- Length: 180 Minutes
- Number of Questions: ~40
- Format:
  - Case study
  - Drag and drop
  - Exhibit
  - True or false
- Cost: $165.00 USD

Register for the Exam:
https://www.microsoft.com/en-us/learning/exam-az-500.aspx

The exam can be taken at a local test center, at your home office, or at a Pearson VUE test center. If you choose at home or office, you must have the following system requirements:
https://www.microsoft.com/en-us/learning/online-exams.aspx

Preparing for the Exam:

- Watch and follow along with all the video lessons.
- Complete every hands-on lab at least twice.
- Take and pass the practice exam at least twice.
- Memorize the flashcard deck and create your own to increase memorization.
- Review the interactive diagram and understand the concepts.
- Participate in the Linux Academy community.
- Participate in a Linux Academy study group or start your own!