Manage Identity and Access (Section 1): Configuring Azure Active Directory for Workloads

Course navigation: Section 1 Manage Identity and Access | Section 2 Platform Protection | Section 3 Security Operations | Section 4 Secure Data and Applications
Section 1 topics: Active Directory Users, AAD Groups, Securing Applications With Azure Active Directory, AAD Connect, AAD Hybrid, AAD MFA, Azure AD Privileged Identity Management, Azure Tenant Security

Active Directory Users

A. Users: Who are they? Why do we care?
B. Managing Users: What tools are available to manage users?
C. B2B: Opening our doors to the outside.
A user account is required to access Azure resources. This includes software as a service (SaaS) applications such as Office 365, as well as custom applications that are written by your in-house development team. This account is also sometimes called a work or school account.

A user account can be any one of the following types:
- A cloud-based user account (Azure Active Directory)
- A synchronized on-premises directory account (AD -> AAD)
- A guest user, also known as a B2B collaboration guest
Active Directory Users Management

Users can be managed with three tools: the Azure Portal, Azure PowerShell, and the Azure CLI.

Active Directory Users Management: Azure Portal

Active Directory Users Management: Azure PowerShell
New-AzADUser
    -DisplayName <String>
    -UserPrincipalName <String>
    -Password <SecureString>
    [-ImmutableId <String>]
    -MailNickname <String>
    [-ForceChangePasswordNextLogin]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

# The literal "password" below is the slide's placeholder. In practice generate a
# strong initial password and add -ForceChangePasswordNextLogin so the user
# replaces it at first sign-in.
$SecureStringPassword = ConvertTo-SecureString -String "password" -AsPlainText -Force
New-AzADUser -DisplayName "MyDisplayName" -UserPrincipalName "myemail@domain.com" -Password $SecureStringPassword -MailNickname "MyMailNickName"

Azure PS Documentation (New-AzADUser)
Active Directory Users Management: Azure CLI

az ad user create --display-name
                  --password
                  --user-principal-name
                  [--force-change-password-next-login {false, true}]
                  [--immutable-id]
                  [--mail-nickname]
                  [--subscription]

# The password 123456 is the slide's placeholder, and a password passed on the
# command line also lands in shell history; prefer a generated value and keep
# --force-change-password-next-login true.
az ad user create --display-name MyDisplayName --password 123456 --user-principal-name myemail@domain.com --force-change-password-next-login true

Azure CLI Documentation (az ad user create)
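The slide examples above create one user with a fixed, weak password. The following is an added example, not code from the course, that creates several cloud-only users with Az PowerShell, generating a random initial password for each with a cryptographic RNG and forcing a change at first sign-in. It assumes Az.Resources 5.x or later and a prior Connect-AzAccount with a role that can create users (for example User Administrator); the domain contoso.example and the user names are constructed sample values.

```powershell
# Added example (not from the course slides): batch-create cloud-only Azure AD
# users with per-user random initial passwords. Assumes Az.Resources 5.x+ and
# an authenticated Az session. Domain and names below are constructed.

Import-Module Az.Resources

function New-RandomPassword {
    # Draws characters from a CSPRNG with rejection sampling (no modulo bias)
    # and retries until all four Azure AD complexity classes are present.
    param([int]$Length = 20)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size below 256
    $buf   = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = $sb.ToString()
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

$domain   = 'contoso.example'   # assumption: a domain verified in the tenant
$newUsers = @(
    @{ DisplayName = 'Alice Example'; Nick = 'alice' },
    @{ DisplayName = 'Bob Example';   Nick = 'bob' }
)

$created = foreach ($u in $newUsers) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-AzADUser -DisplayName $u.DisplayName `
                 -UserPrincipalName "$($u.Nick)@$domain" `
                 -MailNickname $u.Nick `
                 -Password $secure `
                 -AccountEnabled `
                 -ForceChangePasswordNextLogin | Out-Null
    # Keep the initial password in memory only, for out-of-band delivery;
    # never write it to logs or disk.
    [pscustomobject]@{ UserPrincipalName = "$($u.Nick)@$domain"; InitialPassword = $plain }
}

# Verify the objects exist as cloud users before handing out any credentials.
foreach ($c in $created) {
    $check = Get-AzADUser -UserPrincipalName $c.UserPrincipalName
    '{0} -> {1}' -f $check.UserPrincipalName, $check.DisplayName
}
```

Because the account is created with the password-change flag set, the generated value is only ever a one-time bootstrap secret; the user chooses the real password, and nothing in your automation needs to retain it.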
B2B: Opening our doors to the outside

Azure B2B allows you to invite and authorize users from outside of your organization to access resources you specify.

These users manage their own identities through their own identity provider (such as Azure AD) or social media accounts. This means they are responsible for keeping track of their information, including username and password changes. Therefore, there is no additional administrative overhead for their credentials. The guest object itself still lives in your tenant, and the access you grant it remains yours to review.

You can choose to increase security for B2B user accounts by requiring multi-factor authentication.

You can also create a custom API for self-service sign-up.
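An added example, not from the course, of the invitation the slide describes: it invites an external address as a B2B collaboration guest with the Microsoft Graph PowerShell SDK, confirms that the resulting object is of type Guest and still pending redemption, and lists the tenant's existing guests so that they can be reviewed. It assumes the Microsoft.Graph module and a signed-in caller allowed to invite guests (Guest Inviter or User Administrator); the partner address and redirect URL are constructed placeholders.

```powershell
# Added example (not from the course slides): invite a B2B guest and inspect
# the guest object. Assumes Microsoft.Graph modules and an inviter role.
# partner@fabrikam.example and the redirect URL are constructed values.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

# The invitee gets an email with a redemption link; after redeeming they land on the redirect URL.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress 'partner@fabrikam.example' `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage:$true

# The response carries the guest object that was created in *your* tenant.
$guest = Get-MgUser -UserId $invitation.InvitedUser.Id `
    -Property Id, UserPrincipalName, UserType, ExternalUserState, CreatedDateTime

[pscustomobject]@{
    UserPrincipalName = $guest.UserPrincipalName   # partner_fabrikam.example#EXT#@<tenant>.onmicrosoft.com
    UserType          = $guest.UserType            # Guest
    ExternalUserState = $guest.ExternalUserState   # PendingAcceptance until the invite is redeemed
    RedeemUrl         = $invitation.InviteRedeemUrl
}

# Guests that never redeemed, or that nobody remembers inviting, are the ones to clean up.
Get-MgUser -Filter "userType eq 'Guest'" -All -Property UserPrincipalName, ExternalUserState, CreatedDateTime |
    Sort-Object CreatedDateTime |
    Select-Object UserPrincipalName, ExternalUserState, CreatedDateTime
```

The invitation only creates the directory object; it grants no access by itself. Whatever the guest can reach comes from the group memberships, application assignments and RBAC roles you add afterwards, which is why the final listing belongs in a periodic review.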
Active Directory Groups

A. Groups: Examining group and membership types.
B. Managing Groups: Reviewing tools available to manage groups.
C. Tips and Tricks: Providing the inside scoop.
Groups are populated with user accounts and those groups can then be granted access to data or applications.

Types of groups:
- Security
- Office 365

Membership types:
- Assigned
- Dynamic User
- Dynamic Device (security groups only)
Security Groups

Used to manage member and device access to shared resources. This way you can give a set of permissions to all the members at once instead of having to individually add permissions to each member.
Office 365 Groups

Provide collaboration by giving members access to a shared mailbox, calendar, SharePoint site, files, and more.
Assigned Membership

Static in nature. The administrator determines group membership.
Dynamic Membership

User and device membership based on attribute values. Queries determine which attributes are used to determine group membership. If a particular user or device account matches the query, it is added to the group. If the attribute changes so that the account no longer matches the query, the account is removed.
Active Directory Groups Management

Groups can be managed with three tools: the Azure Portal, Azure PowerShell, and the Azure CLI.

Active Directory Groups Management: Azure Portal

Active Directory Groups Management: Azure PowerShell
New-AzADGroup
    -DisplayName <String>
    -MailNickname <String>
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Azure PS Documentation (New-AzADGroup)

Active Directory Groups Management: Azure CLI
az ad group create --display-name
                   --mail-nickname
                   [--force {false, true}]
                   [--subscription]

Azure CLI Documentation (az ad group create)
Active Directory Groups: Tips and Tricks

When using dynamic user or dynamic device membership types, you can only use one or the other, not both.

When creating a dynamic device membership type, attributes for the specific device are examined to determine group membership, not the attributes for the device's owner.

You also have the ability to add a security group to another security group. This is known as a nested group. There are a few rules limiting the nesting of groups, but as long as these are followed, nested groups can be a way to easily manage group membership and permissions for users. Note the limits listed on the next slide: application assignments and licenses do not flow through nested groups, so those still have to be applied to the groups that directly contain the users.
The following are not supported in regards to nested groups:

- Adding groups to a group synced with on-premises Active Directory.
- Adding security groups to Office 365 groups.
- Adding Office 365 groups to security groups or other Office 365 groups.
- Assigning apps to nested groups.
- Applying licenses to nested groups.
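An added example, not code from the course, that walks through the group material on the preceding slides: it creates an assigned security group and adds members with Az PowerShell (the same New-AzADGroup the slide shows), creates a dynamic user group with a membership rule using the Microsoft Graph PowerShell SDK (Az PowerShell does not expose dynamic rules), nests the assigned group inside another security group, and then shows why the nesting limits matter by comparing direct with transitive membership. It assumes Az.Resources and Microsoft.Graph.Groups are installed and that Connect-AzAccount and Connect-MgGraph have been run with rights to manage groups; the group names, UPNs and the department value are constructed.

```powershell
# Added example (not from the course slides): assigned, dynamic and nested groups.
# Assumes authenticated Az and Microsoft Graph sessions with group-management rights.
# Names, UPNs and attribute values are constructed sample data.

Import-Module Az.Resources
Import-Module Microsoft.Graph.Groups

# 1. Assigned membership: the administrator decides who is in the group.
$appUsers = New-AzADGroup -DisplayName 'App-Finance-Users' `
                          -MailNickname 'app-finance-users' `
                          -Description 'Assigned group: users of the finance app'
Add-AzADGroupMember -TargetGroupObjectId $appUsers.Id `
                    -MemberUserPrincipalName 'alice@contoso.example', 'bob@contoso.example'

# 2. Dynamic membership: a rule over user attributes decides; nobody is added by hand.
#    A dynamic group is either user-based or device-based, never both (the slide's first tip).
$dyn = New-MgGroup -DisplayName 'Dyn-Sales-Users' -MailNickname 'dyn-sales-users' `
    -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule '(user.department -eq "Sales") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'

# Rule evaluation is asynchronous, so check the processing state instead of
# expecting members to appear immediately after creation.
(Get-MgGroup -GroupId $dyn.Id -Property MembershipRule, MembershipRuleProcessingState).MembershipRuleProcessingState

# 3. Nesting: a security group inside another security group.
$allAppUsers = New-AzADGroup -DisplayName 'App-All-Users' -MailNickname 'app-all-users'
Add-AzADGroupMember -TargetGroupObjectId $allAppUsers.Id -MemberObjectId $appUsers.Id

# Direct membership shows only the nested group object, not the users inside it.
# This is the same view that app assignment and licensing use, which is why
# neither flows through nested groups.
Get-AzADGroupMember -GroupObjectId $allAppUsers.Id | Select-Object DisplayName

# Transitive membership resolves the nesting; use this when you need to know
# who effectively holds whatever the outer group has been granted.
Get-MgGroupTransitiveMember -GroupId $allAppUsers.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }
```

If an audit question is "who can reach resource X", the transitive listing is the one to answer it with; the direct listing is what the portal shows on the group's Members blade and is easy to misread as complete.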
Securing Applications With Azure Active Directory

A. Apps and Azure AD: Getting started protecting your app.
B. Scopes: What can your app do for you?
C. Permissions: Making sense of the chaos.
D. Consent: Allowing apps to work for you.
Developers can build line-of-business applications that can be integrated with the Microsoft identity platform to provide secure sign-in and authorization for their services.

- Users can use their existing Azure AD credentials to access these applications. No more secondary logins for LOB applications!
- The Microsoft identity platform is based on the OAuth 2.0 authorization protocol (with OpenID Connect layered on top for sign-in). This allows third-party applications to access web-hosted resources on behalf of a logged-in user.
Sign-in flow (diagram on the slide):
1. Sign in: the app sends the user to the Microsoft identity platform and receives an ID token.
2. AcquireToken: the app asks the Microsoft identity platform for an access token.
3. HTTP GET + access token: the app calls the Microsoft Graph API with the access token.
4. HTTP response: Microsoft Graph returns the requested data.
Scopes are permissions used to define what actions an application can perform on behalf of the user against a resource.

Scopes allow for fine-grained control over a user's data and how API functionality is exposed. A third-party app can request these permissions from users and administrators, who must approve the request before the app can access data or act on a user's behalf.
Scope query at user sign-in:

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345

The scope parameter is a space-separated (URL-encoded as %20) list of the permissions the app is asking for; here calendars.read and mail.send on Microsoft Graph. The state value 12345 is only a placeholder: a real app must generate an unguessable state per request and check that the value returned on the redirect matches, since this is what ties the authorization response to the session that started it.
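An added example, not from the course, that builds the same /authorize request as the slide programmatically: the scopes are URL-encoded by code rather than by hand, the state is a fresh random value per request, and, going one step beyond the slide, a PKCE code challenge is included, which the v2.0 endpoint supports and which current guidance requires for public clients. The client_id and redirect_uri are the slide's sample values; the function only constructs the URL and sends nothing.

```powershell
# Added example (not from the course slides): construct an OAuth 2.0 / v2.0
# authorize URL with per-request state and PKCE. Uses the slide's client_id and
# redirect_uri as sample values; nothing is sent.

function New-Base64UrlRandom {
    # Random bytes from a CSPRNG, base64url-encoded without padding.
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-AuthorizeRequest {
    param(
        [string]$ClientId,
        [string]$RedirectUri,
        [string[]]$Scopes,
        [string]$Tenant = 'common'
    )
    $state        = New-Base64UrlRandom            # unguessable; compared against ?state= on the callback
    $codeVerifier = New-Base64UrlRandom -Bytes 32  # PKCE verifier, kept client-side until the code is redeemed
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([Text.Encoding]::ASCII.GetBytes($codeVerifier))
    $codeChallenge = [Convert]::ToBase64String($hash).TrimEnd('=').Replace('+', '-').Replace('/', '_')

    $params = [ordered]@{
        client_id             = $ClientId
        response_type         = 'code'
        redirect_uri          = $RedirectUri
        response_mode         = 'query'
        scope                 = ($Scopes -join ' ')   # space-separated; encoded as %20 below
        state                 = $state
        code_challenge        = $codeChallenge
        code_challenge_method = 'S256'
    }
    $query = ($params.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f $_.Key, [Uri]::EscapeDataString($_.Value)
    }) -join '&'

    [pscustomobject]@{
        Url          = "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize?$query"
        State        = $state          # persist in the user's session; reject the callback if it differs
        CodeVerifier = $codeVerifier   # send as code_verifier in the token request
    }
}

$req = New-AuthorizeRequest -ClientId '6731de76-14a6-49ae-97bc-6eba6914391e' `
    -RedirectUri 'http://localhost/myapp/' `
    -Scopes 'https://graph.microsoft.com/calendars.read', 'https://graph.microsoft.com/mail.send'
$req.Url
```

The returned State and CodeVerifier are the two values the app has to keep until the redirect comes back: state proves the response belongs to this browser session, and the verifier proves to the token endpoint that the party redeeming the code is the one that started the request.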
Permissions for users! Permissions for apps! So many permissions!

While scopes are technically permissions, we use the term in other ways. Specifically, permissions define what a user or an app can directly access in Azure.

User and app permissions are defined via roles. These roles use role based access control, or RBAC, to determine privileges to resources.

A user may have privileges to write to the global directory, but the defined scope of permissions for an application may only require read permissions. So what happens? The user is only allowed read permissions when using the application. This is due to the concept of effective permissions.

- For delegated permissions, the effective permissions of your app are the intersection (the least privileged combination) of the delegated permissions granted to the app (via consent) and the privileges of the currently signed-in user.
- For application permissions, the effective permissions of your app are the full level of privileges granted to the app. These are used by apps that run without a signed-in user.

Scopes and Permissions Cheat Sheet
In order for an application to perform a task on your behalf, you have to agree to let it do so.

This is referred to as consent. Consent occurs at user sign-in, when a scope query has been presented to the Microsoft identity platform. There are two types of consent:

- Individual user consent occurs when a user logs in to the Microsoft identity platform and is asked to consent to these permissions.
- An administrator can grant consent for the application to act on behalf of any user in the tenant. If the administrator grants consent for the entire tenant, the organization's users won't see a consent page for the application. This is known as administrator consent. It is also required for administrator-restricted permissions, such as the ability to read all user profiles in the directory.
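Tenant-wide administrator consent is silent from the users' point of view, so it is worth being able to see what has been granted. The following is an added example, not from the course, that lists the delegated permission grants in a tenant with the Microsoft Graph PowerShell SDK, separates administrator consent (consentType AllPrincipals) from individual user consent (consentType Principal), resolves the client and resource names, and flags grants containing a few high-impact scopes. It assumes the Microsoft.Graph modules and a caller with Directory.Read.All; the list of sensitive scopes is an assumption for illustration.

```powershell
# Added example (not from the course slides): audit OAuth2 permission grants.
# Assumes Microsoft.Graph modules and Directory.Read.All. Read-only.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Directory.Read.All'

$spCache = @{}
function Get-SpName {
    # Service principal display name, cached so each app/resource is looked up once.
    param([string]$Id)
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = (Get-MgServicePrincipal -ServicePrincipalId $Id -Property DisplayName).DisplayName
    }
    return $spCache[$Id]
}

$report = foreach ($g in (Get-MgOauth2PermissionGrant -All)) {
    [pscustomobject]@{
        ConsentType = $g.ConsentType   # AllPrincipals = admin consent for every user; Principal = one user
        Client      = Get-SpName $g.ClientId
        Resource    = Get-SpName $g.ResourceId
        GrantedFor  = if ($g.PrincipalId) {
                          (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName
                      } else { '(all users)' }
        Scopes      = $g.Scope.Trim()
    }
}

# Tenant-wide grants first: no user will ever be prompted about these again.
$report | Sort-Object ConsentType, Client | Format-Table -AutoSize

# Assumed watch-list of delegated scopes that deserve a second look wherever they appear.
$sensitive = 'Directory.ReadWrite.All', 'Mail.ReadWrite', 'Files.ReadWrite.All', 'User.ReadWrite.All'
$report | Where-Object {
    $granted = $_.Scopes -split ' '
    ($granted | Where-Object { $sensitive -contains $_ }).Count -gt 0
}
```

This listing covers delegated permissions only. Application permissions (the app-only kind described on the next slides) are recorded as app role assignments on the service principal and are read with Get-MgServicePrincipalAppRoleAssignment, so a complete consent review needs both.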
Scopes and Permissions Cheat Sheet

Scopes: privileges an app can exercise directly against APIs or on your behalf.
- Application scopes are set in the Azure Portal (API Permissions) and always require administrator consent.
- Delegated scopes are queries sent with the authentication call to the Microsoft identity platform (login).

Permissions: privileges the user or app has over Azure AD and/or Azure resources.
- Azure AD: based on Directory Role.
- Azure: based on the RBAC role and scope assigned to the user or app service principal.

Scopes and permissions work together to grant access (this is known as effective permissions).
- Delegated permissions: used when a signed-in user is present.
  - Least privilege between consented app permissions and user permissions.
  - The app can never have more permission than the signed-in user.
- Application permissions: used by apps that run without a signed-in user present. For example, apps that run as background services or daemons.
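The effective-permissions slide and the cheat sheet above describe two kinds of token. The following added example, not from the course, shows how to tell them apart in practice: an Azure AD access token carries delegated scopes in the scp claim when a user is present, and application permissions in the roles claim when the app runs alone. The code decodes a token's payload and reports which case it is looking at. The two tokens it decodes are constructed locally with a dummy signature so the block runs offline; a real token would come from MSAL or the Authorization header of a request, and its signature is verified by the API that receives it, not by this inspection.

```powershell
# Added example (not from the course slides): inspect the scp/roles claims of an
# access token to see whether it conveys delegated or application permissions.
# The sample tokens are constructed here and unsigned; for demonstration only.

function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenPermissions {
    # Parses the payload of a compact JWS and classifies the permissions it carries.
    param([string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected three dot-separated parts)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $isDelegated = $null -ne $claims.scp
    [pscustomobject]@{
        Audience    = $claims.aud
        Kind        = if ($isDelegated) { 'Delegated (signed-in user present)' } else { 'Application (app-only)' }
        Permissions = if ($isDelegated) { $claims.scp -split ' ' } else { @($claims.roles) }
        Subject     = if ($isDelegated) { $claims.upn } else { $claims.appid }
        ExpiresUtc  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    }
}

function New-SampleJwt {
    # Builds an unsigned token (alg none, dummy signature) purely to feed the parser.
    param([hashtable]$Claims)
    $enc = {
        param($o)
        $json = ConvertTo-Json -InputObject $o -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    return ('{0}.{1}.sig' -f (& $enc @{ alg = 'none'; typ = 'JWT' }), (& $enc $Claims))
}

# Constructed samples: one delegated token (scp + upn), one app-only token (roles + appid).
$delegated = New-SampleJwt @{ aud = 'https://graph.microsoft.com'; upn = 'alice@contoso.example';
                              scp = 'Calendars.Read Mail.Send'; exp = 1900000000 }
$appOnly   = New-SampleJwt @{ aud = 'https://graph.microsoft.com'; appid = '6731de76-14a6-49ae-97bc-6eba6914391e';
                              roles = @('Mail.Read'); exp = 1900000000 }

Get-TokenPermissions $delegated
Get-TokenPermissions $appOnly
```

When a call to an API fails with 403 even though consent looks right, this is the first thing to check: a delegated token whose scp claim lacks the needed scope means the user (or the consent they were given) does not carry it, while an app-only token with an empty roles claim means the app role assignment was never granted.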
Azure Active Directory Connect (AAD Connect)

(Diagram on the slide: Azure Active Directory with Users, Groups and Devices, and the Authentication Methods that AAD Connect configures.)
What is Azure Active Directory Connect?

Azure Active Directory (AD) Connect is the underlying Microsoft tool used to deploy, configure, manage, and monitor hybrid identity between on-premises AD and Azure AD.
AAD Connect: Key Features

- Synchronization of users, groups, and other objects between on-premises AD and Azure AD
- Provides the ability to configure and deploy the following hybrid identity solutions:
  - Password hash synchronization (PHS)
  - Pass-through authentication (PTA)
  - Federation integration including AD Federation Services
- Health monitoring by providing monitoring data visible within the Azure Portal

(Diagram on the slide: an on-premises domain controller, servers, PCs and virtual machines connected to Azure infrastructure over a site-to-site VPN or ExpressRoute, with AAD Connect synchronizing users and groups to Azure AD.)

More information: Key Features, Prerequisites, Sync Rules, Scheduler, Editor
AAD Connect: Prerequisites

AAD Connect: Domain Prerequisites
- You have to be using Active Directory as your on-premises identity platform.
- Schema version and forest functional level must be at Windows Server 2003 or later.
- The on-premises domain controller used by AADC must be writable; no read-only domain controllers.
- "Dotted" NetBIOS domain names are unsupported.
- It is strongly recommended to enable the AD Recycle Bin.
- The domain name must be Internet routable! If the on-premises domain uses a non-routable suffix such as .local, add a routable UPN suffix that is verified in Azure AD and assign it to the users you synchronize; otherwise they sign in under the tenant's default onmicrosoft.com domain.

AAD Connect: Server Prerequisites
Identity Managem ent - Win dow s Ser ver 2008 R2 or later.
- This server m u st be dom ain -join ed and m ay be a dom ain
Azure Tenant Security
controller or a m em ber server.
- If you install Azure AD Connect on Windows Server 2008 R2,
the ser ver m u st be f u lly pat ch ed.
Plat f or m Pr ot ect ion - .NET Fr am ew or k 4.5.1 or later m ust be installed
Section 2
- M icr osof t Pow er Sh ell 3.0 or later m ust be installed.
On -Pr em ises Azu r e I n f r ast r u ct u r e
- Passw or d syn ch r on izat ion requires the server to be on
Win dow s Ser ver 2008 R2 SP1 or later.
- Gr ou p m an aged ser vice accou n t s require the server to be
Secu r it y Oper at ion s Site-to-Site VPN
on Win dow s Ser ver 2012 or later.
Hardware prerequisites:
# AD Objects    CPU      Memory   HD Size
< 50,000        1.6 GHz  4 GB     70 GB
50K - 100K      1.6 GHz  16 GB    100 GB
100K - 300K     1.6 GHz  32 GB    300 GB
300K - 600K     1.6 GHz  32 GB    450 GB
> 600K          1.6 GHz  32 GB    500 GB
AAD Connect: SQL Prerequisites
- Azure AD Connect requires a SQL Server database to store identity data.
- SQL Server 2012 Express LocalDB is installed by default.
- SQL Server Express has a 10 GB size limit, which enables you to manage approximately 100,000 objects.
- If you need to manage a greater volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.
- All versions of Microsoft SQL Server from SQL Server 2008 R2 (with latest Service Pack) to SQL Server 2019 are supported.
- Microsoft Azure SQL Database is not supported as a database.
- You must use a case-insensitive SQL collation. These collations are identified with a _CI_ in their name.
- You can only have one sync engine per SQL instance. It is not supported to share a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync.
AAD Connect: Account Prerequisites
- An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft Account.
- If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises Active Directory.
- If you use the custom settings installation path, either use an Enterprise Administrator account for your on-premises Active Directory or refer to the Microsoft documentation.
AAD Connect: Synchronization Scheduler
The following is a summary of some key management operations.
- By default, sync operations will operate every 30 minutes.
- The Synchronization Service Manager GUI tool supports configuration and monitoring of synchronization operations.
- To check the status of the synchronization service with PowerShell, use Get-ADSyncScheduler.
- Sync operations can be triggered with PowerShell by using Start-ADSyncSyncCycle.
AAD Connect: Rules Editor
- Allows for customized synchronization rules in Azure AD Connect.
- Provides in-depth LDAP attribute filtering above and beyond default AADC filtering options.
- Can be used to fix modified default rules.
- BE CAREFUL! You can overwrite the default synchronization options, which can break synchronization!
- Clone, Clone, Clone!
Azure AD Authentication Methods
To achieve hybrid identity with Azure AD, one of three authentication methods can be used depending on your scenarios. The three methods are listed below.
Password Hash Synchronization (PHS)
PHS synchronizes a hash of a user's on-premises password to Azure Active Directory (AD). Using Azure AD Connect, we can configure PHS so all cloud user authentication occurs in Azure AD. PHS can optionally be configured as a backup for ADFS.
Pass-Through Authentication (PTA)
PTA provides the same seamless single sign-on experience as PHS, but offers additional security benefits.

The main benefits:
- Synchronization of users, contacts, and group accounts between on-premises and Azure AD.
- Supports Office 365 hybrid identity.
- Enables users to sign in and access cloud services and apps using on-premises credentials.
- Does not require password hashes to be stored in the cloud.
- Only requires outbound connectivity from the on-premises Authentication Agents.
- All on-premises account policies are enforced when the user signs in (e.g. expiry, login hours, etc.)

Important considerations:
Federation
Federation is a collection of domains that have established trusts. When an on-premises directory is federated with Azure Active Directory, the trust is established. This provides authentication (confirming you are who you say you are) and authorization (determining what you are allowed access).
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA): What Is It?
Simply put, multi-factor authentication (MFA) is logging into Azure AD using more than one form of authentication.
- Provides additional security for user accounts by requiring a second form of authentication.
- Typically, authentication methods are:
  - Something you know: typically a password.
  - Something you have: a trusted device that is not easily duplicated, like a phone.
  - Something you are: biometrics.
- Delivers strong authentication via a range of easy to use authentication methods.
  - Text message
  - Phone call
  - Authentication request via app
  - Auth code via app
  - Hard tokens
- MFA can be bypassed based on the configuration of the product.
Multi-Factor Authentication (MFA): Types of MFA
There are different types of MFA available to meet organizational security requirements.
- Azure Cloud MFA
- MFA Server: used to secure on-premises resources with Azure MFA.
  - Remote Desktop, IIS Web Apps, etc.
  - Dual registration
    - Use only when necessary
- RADIUS Integration: used for integration with RDS and VPN.
- Global Administrators

How Do We Get It?
- Licenses!
  - Azure AD Premium
  - Azure AD Free or Basic
  - Office 365
  - Azure AD Global Administrators
- Microsoft MFA Licensing Information
Multi-Factor Authentication (MFA): Best Practices
MFA can be very frustrating for your users and support staff if it isn't implemented properly. Here are a few tips to avoid potential problems.
- Communication
  - Microsoft communication templates and end-user documentation make this easier.
- Conditional access
  - Exclusions for support staff
  - Named locations
- Azure Identity Protection
Multi-Factor Authentication (MFA): Configuration
Making it work!
Conditional Access in Azure
Conditional Access in Azure: An Overview
Conditional access is automated access control that strengthens user sign-in and access to cloud applications.
- Not used as a first-factor authentication; passwords are still required.
- Can be used to require multi-factor authentication.
- Common scenarios
  - Sign-in risk
    - Bad actor detection (e.g. leaked credentials)
    - Need more information
      - Require MFA
      - Block specific applications if unable to obtain proof
  - Location
    - On-premises (named locations) vs. internet
    - Countries and regions
    - MFA-trusted IPs
  - Device management
    - What device are you using?
    - Corporate-owned devices
    - BYOD
  - Client application
Conditional Access in Azure: Access Policies
Access policies are the focus of conditional access.

When This Happens -> Do This

Policies are based on conditions and access controls.
- When this happens (condition)
  - Who are you?
    - User/group membership
  - What are you accessing?
  - Required: User and Application
  - Others: location, sign-in risk
- Do this (access control)
  - Grant controls
    - Used to gate access (let you in)
    - In order to gain access, you must:
      - Use MFA.
      - Use a compliant device.
      - Use a hybrid-joined device (workstation).
      - Use an approved client app.
  - Session controls
    - Limited experience within a cloud app.
Conditional Access in Azure: Best Practices
Like MFA, failure to carefully execute conditional access policies could have catastrophic consequences.

Don'ts:
- For all users/all cloud apps:
  - Block access.
  - Require compliant device.
  - Require domain join.
  - Require app protection policy.
- For all users, all cloud apps, and all device platforms:
  - Block access. This configuration blocks your entire organization, which is definitely not a good idea.

Dos:
- Have exclusions for admin personnel.
  - Being locked out of Admin Portal is bad. Trust me.
- Use the What-If tool to test policies.
- Pilot access using groups. Don't start with everyone!
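The condition/control structure from the Access Policies slide and the dos and don'ts above can be checked mechanically. The linter below is an added example, not course material: it takes policies written in the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions plus grantControls) and reports which rules they break; the group IDs and policy names are constructed placeholders.

```python
"""Lint Conditional Access policies against the dos and don'ts above.

Added example, not course material. Policies use the shape of the Microsoft
Graph conditionalAccessPolicy resource; group IDs and names are constructed.
"""
from typing import Any, Dict, List, Tuple

Policy = Dict[str, Any]
Finding = Tuple[str, str]  # (rule id, message)

# Constructed placeholder object IDs, not real tenant groups.
ADMIN_GROUP_ID = "11111111-1111-1111-1111-111111111111"  # admin personnel
PILOT_GROUP_ID = "22222222-2222-2222-2222-222222222222"  # pilot users

# Graph builtInControls values that gate access on something a user may
# lack, labelled with the wording of the Don'ts list.
RESTRICTIVE_CONTROLS = {
    "block": "Block access",
    "compliantDevice": "Require compliant device",
    "domainJoinedDevice": "Require domain join",
    "compliantApplication": "Require app protection policy",
}


def _condition(policy: Policy, key: str) -> Dict[str, Any]:
    return policy.get("conditions", {}).get(key) or {}

def targets_all_users(policy: Policy) -> bool:
    return "All" in _condition(policy, "users").get("includeUsers", [])

def targets_all_apps(policy: Policy) -> bool:
    return "All" in _condition(policy, "applications").get("includeApplications", [])

def targets_all_platforms(policy: Policy) -> bool:
    return "all" in _condition(policy, "platforms").get("includePlatforms", [])

def excludes_admins(policy: Policy) -> bool:
    return ADMIN_GROUP_ID in _condition(policy, "users").get("excludeGroups", [])


def lint_policy(policy: Policy) -> List[Finding]:
    """Return the dos/don'ts a policy violates; an empty list means clean."""
    findings: List[Finding] = []
    name = policy.get("displayName", "<unnamed>")
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))

    # Don'ts: a restrictive control applied to all users and all cloud apps.
    if targets_all_users(policy) and targets_all_apps(policy):
        for control in sorted(controls & set(RESTRICTIVE_CONTROLS)):
            label = RESTRICTIVE_CONTROLS[control]
            if control == "block" and targets_all_platforms(policy):
                findings.append(("DONT_BLOCK_ALL", f"{name}: all users, all cloud apps, "
                                 f"all platforms: {label}. Blocks the entire organization."))
            else:
                findings.append(("DONT_RESTRICT_ALL",
                                 f"{name}: all users / all cloud apps: {label}."))

    # Do: keep an exclusion for admin personnel on any all-users policy.
    if targets_all_users(policy) and not excludes_admins(policy):
        findings.append(("DO_EXCLUDE_ADMINS", f"{name}: no exclusion for admin "
                         "personnel; you can lock yourself out of the admin portal."))

    # Do: pilot with groups instead of enabling for everyone at once.
    if policy.get("state") == "enabled" and targets_all_users(policy):
        findings.append(("DO_PILOT_WITH_GROUPS", f"{name}: enabled for all users with "
                         "no pilot; scope to a pilot group and check it with What-If first."))
    return findings


# Constructed sample policies.
BLOCK_EVERYTHING: Policy = {
    "displayName": "Block all access", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []},
                   "applications": {"includeApplications": ["All"]},
                   "platforms": {"includePlatforms": ["all"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
MFA_PILOT: Policy = {
    "displayName": "Require MFA (pilot)", "state": "enabled",
    "conditions": {"users": {"includeGroups": [PILOT_GROUP_ID],
                             "excludeGroups": [ADMIN_GROUP_ID]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
COMPLIANT_DEVICE_EVERYWHERE: Policy = {
    "displayName": "Require compliant device", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [ADMIN_GROUP_ID]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

if __name__ == "__main__":
    for sample in (BLOCK_EVERYTHING, MFA_PILOT, COMPLIANT_DEVICE_EVERYWHERE):
        for rule, message in lint_policy(sample) or [("OK", sample["displayName"])]:
            print(f"[{rule}] {message}")
```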
Conditional Access in Azure: Deployment!
Now that we've discussed conditional access in depth, let's roll it out!
Azure AD Identity Protection
Azure AD Identity Management: Automated Protection for User Identities; More Security and Less Administration
- Stolen user identities are the number one cause of security breaches. Attackers leverage phishing attacks and malware to gain access to systems.
- Even low-level user accounts can be used to gain access to a majority of network resources.
- Administrators must protect all identities, no matter the privilege level, and ensure that compromised identities do not gain access.
- This typically involves full-time awareness and monitoring of all user identities. The administrative effort is huge, and most of the time, completely reactive in nature.
- Azure AD Identity Protection removes much of this effort by providing a comprehensive security solution that:
  - Proactively prevents compromised identities from accessing resources.
  - Provides recommendations to improve security by analyzing vulnerabilities, such as user and sign-in risk levels and risk events, as well as environmental factors.
  - Notifies administrators of risk events.
  - Allows administrators to create policies to automatically mitigate risk events.
What Azure AD Identity Protection Is Designed to Mitigate

There are two types of risks:
This data is also used when evaluating conditional access policies to determine automatic remediation of user or sign-in risks.
Azure AD Identity Protection: Best Practices
- A high threshold reduces the number of times a policy is triggered.
  - Minimizes the impact to users.
  - Excludes low and medium sign-ins flagged for risk.
  - May not block an attacker.
- When setting the policy:
  - Exclude users who do not or cannot have multi-factor authentication.
  - Exclude users in locales where enabling the policy is not practical (e.g. no access to helpdesk).
  - Exclude users who are likely to generate many false-positives, such as developers and security analysts.
- Use a high threshold during initial policy roll-out.
- Use a low threshold if your organization requires greater security.
  - Selecting a low threshold introduces additional user sign-in challenges, but grants increased security.
- The recommended default for most organizations is to configure a rule for a medium threshold.
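The threshold trade-off and the exclusion advice above can be made concrete with a small simulation. This is an added example, not course material: it runs a sign-in risk policy over constructed sign-in events at each of the three thresholds, counts the MFA challenges, and shows that an excluded user's risky sign-ins are never acted on at any threshold; the user names, risk levels and exclusion list are all constructed.

```python
"""Simulate an Identity Protection sign-in risk policy at the three thresholds.

Added example, not course material; the sign-in events, user names and
exclusions below are constructed.
"""
from typing import Dict, List, Set, Tuple

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sign-in events: (user, risk level assigned by Identity Protection).
SIGN_INS: List[Tuple[str, str]] = [
    ("alice", "none"), ("alice", "low"), ("bob", "medium"), ("carol", "none"),
    ("dave", "low"), ("erin", "high"), ("frank", "medium"), ("grace", "none"),
]

# Constructed exclusion: a user who cannot register for MFA and would otherwise
# be locked out when the policy demands it.
NO_MFA_USERS: Set[str] = {"frank"}


def evaluate(events: List[Tuple[str, str]], threshold: str,
             excluded: Set[str]) -> List[Tuple[str, str, str]]:
    """Decide each sign-in: 'excluded', 'mfa' (challenge) or 'allow'."""
    if threshold not in ("low", "medium", "high"):
        raise ValueError("threshold must be low, medium or high")
    decisions = []
    for user, risk in events:
        if user in excluded:
            decisions.append((user, risk, "excluded"))  # policy never sees them
        elif RISK_ORDER[risk] >= RISK_ORDER[threshold]:
            decisions.append((user, risk, "mfa"))
        else:
            decisions.append((user, risk, "allow"))
    return decisions


def challenges_per_threshold(events: List[Tuple[str, str]],
                             excluded: Set[str]) -> Dict[str, int]:
    """How many sign-ins each threshold would challenge with MFA."""
    return {t: sum(1 for _, _, d in evaluate(events, t, excluded) if d == "mfa")
            for t in ("high", "medium", "low")}


def unprotected_risky_sign_ins(events: List[Tuple[str, str]],
                               excluded: Set[str]) -> List[Tuple[str, str]]:
    """Risky sign-ins no threshold can act on because the user is excluded."""
    return [(u, r) for u, r in events if u in excluded and RISK_ORDER[r] > 0]


if __name__ == "__main__":
    for threshold, n in challenges_per_threshold(SIGN_INS, NO_MFA_USERS).items():
        print(f"threshold={threshold:<6} MFA challenges={n}")
    print("excluded but risky:", unprotected_risky_sign_ins(SIGN_INS, NO_MFA_USERS))
```

The excluded-but-risky list is the cost of the exclusion advice: those accounts need another control, such as monitoring of their risk events.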
Azure AD Identity Protection Configuration Steps
- License users (Azure AD Premium P2).
- Onboard Azure AD Identity Protection.
- Configure MFA registration policy (optional but recommended).
- Configure user risk policy.
- Configure sign-in risk policy.
- Test the configurations.
Azure AD Privileged Identity Management
Part I: Overview and Activation
- Concerned about privileged access?
- Too many administrators?
- Duplicate access rights?
- Owner
- Contributor
- User Access Administrator
- Security Admin
PIM Terminology
Licensing PIM
Azure AD must have one of the following paid or trial licenses in order to use PIM:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
- Microsoft 365 M5

Which users must have licenses? Each administrator or user interacting with or receiving a benefit from PIM.
Activating PIM
an d Access Par t I I : Con f igu r at ion , Access Requ est s, an d Appr oval
Section 1
Configuring Azure
Con f igu r in g Azu Active
r e Act ive
Dir ect or y ffor
Directory or Wor k loads
Workloads ADM I N: AZURE AD ROLES
Azure ADPrPrivileged
Azu r e AD ivileged I den t it y
M an agemManagem
Identity en t ent
Review in g Access
C Auditing and access reviews.
My Approve
Roles Requests
Close
AAD Ten an t Secu r it y
Back t o M ain
Manage Identity and Access
Azure AD Privileged Identity Management: PIM Security Wizard

- Use the Security Wizard to determine the current membership of all high-privileged AD security roles. You can then use the wizard to reduce the number of permanently assigned role holders by converting those to eligible role assignments.
- You can choose not to act on any security assignments at the time and instead perform the changes later.
- If you choose to modify the security assignments, make sure the changes are announced to all administrators and business units ahead of time!
- At least one organizational account (not a personal account) must hold permanent Global Administrator and Privileged Role Administrator rights.
- If there is only one Privileged Role Administrator in the organization, the organization will not be able to manage PIM if that account is deleted.
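The guardrails on the Security Wizard slide, as an added example that is not course material and not Microsoft's wizard code: it inventories a constructed list of privileged role assignments, proposes converting permanent assignments to eligible ones, keeps one organizational break-glass account permanent in Global Administrator and Privileged Role Administrator, and warns when only one Privileged Role Administrator exists. The assignment record shape, the UPNs and the role names used as data are assumptions made for this example.

```python
"""Added example, not code from the course: a model of the guardrails
the Security Wizard slide describes, run over a constructed list of
privileged role assignments. The record shape (UPN, role, permanent or
eligible, organizational or not) is an assumption made for this example."""
from collections import defaultdict

# The slide: at least one organizational account must hold these two roles permanently.
BREAK_GLASS_ROLES = ("Global Administrator", "Privileged Role Administrator")

SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"upn": "breakglass@contoso.example", "role": "Global Administrator",
     "state": "permanent", "organizational": True},
    {"upn": "breakglass@contoso.example", "role": "Privileged Role Administrator",
     "state": "permanent", "organizational": True},
    {"upn": "alice@contoso.example", "role": "Global Administrator",
     "state": "permanent", "organizational": True},
    {"upn": "bob@contoso.example", "role": "Security Administrator",
     "state": "permanent", "organizational": True},
    {"upn": "carol_example.net#EXT#@contoso.example", "role": "Global Administrator",
     "state": "permanent", "organizational": False},   # personal/guest account
    {"upn": "dave@contoso.example", "role": "User Administrator",
     "state": "eligible", "organizational": True},
]


def permanent_holders(assignments, role):
    """UPNs holding `role` as a permanent (not eligible) assignment."""
    return sorted({a["upn"] for a in assignments
                   if a["role"] == role and a["state"] == "permanent"})


def break_glass_candidates(assignments):
    """Organizational accounts that hold every break-glass role permanently."""
    held = defaultdict(set)
    for a in assignments:
        if a["state"] == "permanent" and a["organizational"]:
            held[a["upn"]].add(a["role"])
    return sorted(u for u, roles in held.items() if set(BREAK_GLASS_ROLES) <= roles)


def plan_conversions(assignments):
    """Propose permanent -> eligible conversions the way the wizard reduces
    permanently assigned role holders, while keeping one organizational
    break-glass account permanent. Returns (conversions, warnings)."""
    conversions, warnings = [], []
    candidates = break_glass_candidates(assignments)
    keep = candidates[0] if candidates else None
    if keep is None:
        warnings.append("no organizational account holds permanent "
                        + " and ".join(BREAK_GLASS_ROLES) + "; assign one before converting")
    for a in assignments:
        if a["state"] != "permanent":
            continue
        if a["role"] in BREAK_GLASS_ROLES and (keep is None or a["upn"] == keep):
            continue   # retained: the break-glass holder (or all of them until one exists)
        conversions.append((a["upn"], a["role"]))
    if len(permanent_holders(assignments, "Privileged Role Administrator")) <= 1:
        warnings.append("only one Privileged Role Administrator: PIM cannot be "
                        "managed if that account is deleted")
    return conversions, warnings


def summarize(assignments):
    """Permanent holder count per role: the wizard's starting inventory."""
    counts = defaultdict(int)
    for a in assignments:
        if a["state"] == "permanent":
            counts[a["role"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_ASSIGNMENTS))
    for line in plan_conversions(SAMPLE_ASSIGNMENTS):
        print(line)
```

Run it and the guest Global Administrator and the second organizational Global Administrator are proposed for conversion while the break-glass account stays permanent; the single Privileged Role Administrator triggers the slide's warning, which is the cue to add a second one before running the real wizard.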
Azure AD Privileged Identity Management: Azure AD Roles and Members

Members: Use Members to view assignments or add an assignment.
Azure AD Privileged Identity Management: Azure AD Role Settings

Use Azure AD Role Settings to configure activation duration, notifications, MFA, approval, and other settings per AD role.
Azure AD Privileged Identity Management: PIM for Azure Resources

- When first setting up PIM for Azure resources, discover and select the resources PIM protects.
- There's no limit to the number of resources you can manage with PIM.
- Resources are discovered based on Azure subscription and management group.
- Once a management group or subscription is set to managed, it can't be unmanaged. This prevents another resource administrator from removing PIM settings.
Azure AD Privileged Identity Management: Azure Resource Roles and Members
Azure AD Privileged Identity Management: Azure Resource Settings
Azure AD Privileged Identity Management: My Roles
Azure AD Privileged Identity Management: Approve Requests

Email: If notifications are enabled for requests, then the approver will receive a message asking them to review the request.
Azure AD Privileged Identity Management, Part III: Reviewing Access
Azure AD Privileged Identity Management: Access Reviews

Since access to privileged Azure AD roles for employees changes over time, you should regularly review access to determine if elevated privileges are still necessary.

You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged Azure AD roles as well as Azure resources.
Azure AD Privileged Identity Management: My Audit History

Use My audit history to view all PIM activities for the signed-in user. This includes role assignments and activations within the past 30 days for all privileged roles. You can use My audit history to view assignments and activations for Azure AD and Azure resource privileged roles.
Azure AD Privileged Identity Management: Directory Roles Audit History

Use Directory roles audit history to view all events for all Azure AD roles. This includes events performed by all Privileged Role Administrators as well as PIM.
Azure Tenant Security

Topics in this section include:

- A: Transferring Azure Subscriptions
Azure Tenant Security: Transferring an Azure Subscription

This section contains some important topics that will be on the exam but don't really fit in the other lessons.

- Transferring billing ownership of an Azure subscription takes place in the Cost Management + Billing pane or in the Account Center.
- When transferring to another tenant, all users, groups, and RBAC access to resources in the source tenant are lost on the resources in the subscription. The user accepting the transfer request is the only account with access to the resources.
- Management certificates, access keys, and remote access credentials will remain intact. These should be updated if the source account no longer requires access to these resources.
- Visual Studio, MPN, and Pay-As-You-Go Dev/Test subscriptions with recurring Azure credits will not transfer between accounts. The subscription will use the credit in the destination Visual Studio account, should one exist.
- Only these subscription types are eligible for transfer.
- Transfers between countries cannot be performed in the portal. You need to contact support to initiate a cross-country transfer.
- In order to complete the transfer, the recipient must accept billing ownership and provide payment details.
- If the recipient does not have an Azure account, they must create one to accept the transfer.
Azure Tenant Security: Azure Subscriptions Eligible for Transfer
Platform Protection: Network Security

Topics included in this section:

- Virtual Networks (VNets) [Review]
- Network Security Groups (NSGs) [Review]
- Application Security Groups (ASGs)
- Azure Firewall
- Resource Firewalls
Network Security: Virtual Networks

Virtual Networks (VNets) are used to create a virtual private network within Azure where resources can be networked to one another, similar to a private on-premises environment.

- The VNet has an internal address space (e.g. 10.1.0.0/16).
- Resources connect to subnets within a VNet to gain network access.
- Subnets within the VNet must exist within the same address space.
- All subnets within a virtual network can communicate with each other.
- Default routing can be modified with user-defined route tables.
Network Security: Network Security Groups

Network Security Groups (NSGs) are used to provide network layer security for resources within a Virtual Network (VNet). When attached to a resource, they can allow or deny traffic based on rules you configure.

Overview:

- The best practice is to block ALL traffic except required communication. This is sometimes called "default deny."
- NSGs can be applied to either a Network Interface Card (NIC), a subnet, or both.
- When NSGs are assigned to both, rules from both are evaluated.
- NSG rules are stateful, so reply traffic is automatically allowed regardless of other rules.
- NSGs contain "Default Rules" which cannot be deleted; you need higher priority rules to override them.
- Once a rule is matched, no further rules are processed.
Network Security: Application Security Groups

An Application Security Group (ASG) is a logical collection of virtual machines, specifically their network interface cards (NICs). You join virtual machines to the ASG and then use the application security group as a source or destination in NSG rules.

Think of ASGs as a way to create custom service tags for a network security group.

(Diagram labels: NSGMaster, ASGDB, Subnet1, Remote Desktop.)
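The NSG behaviour listed two slides back and the ASG usage described here, as one added example that is not course material and not Azure's own evaluation code. It models inbound evaluation only: rules are tried in priority order and the first match ends processing, the three inbound default rules are always present and can only be overridden by a lower-numbered rule, the subnet NSG and the NIC NSG are both consulted and both must allow, and an ASG is matched by NIC membership rather than by address. The VNet address space, NIC addresses, ASG membership and rules are constructed for the example; service-tag handling is simplified to the VNet CIDR and the Azure load-balancer probe address.

```python
"""Added example, not code from the course: a simplified model of how
NSG rules are evaluated for inbound traffic, including ASGs as rule
sources and destinations. All NSG, ASG and NIC names, addresses and
rules are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    priority: int        # lower number = evaluated first; custom rules use 100-4096
    access: str          # "Allow" or "Deny"
    src: str             # CIDR, "*", a service tag, or "asg:<name>"
    dst: str             # same forms as src
    port: str            # "*" or a single destination port such as "3389"
    protocol: str = "*"  # "Tcp", "Udp" or "*"


# Azure's inbound default rules: present in every NSG and not deletable.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

VNET_CIDR = ipaddress.ip_network("10.1.0.0/16")   # constructed VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")  # source of Azure load-balancer probes
ASGS = {"asg-web": {"nic-web1", "nic-web2"}, "asg-db": {"nic-db1"}}  # ASG -> member NICs
NIC_IP = {"nic-web1": "10.1.1.4", "nic-web2": "10.1.1.5", "nic-db1": "10.1.2.4"}


@dataclass
class Nsg:
    name: str
    rules: list

    def ordered(self):
        """Custom rules merged with the defaults, lowest priority number first."""
        return sorted(self.rules + DEFAULT_INBOUND, key=lambda r: r.priority)


def _match_addr(spec, ip, nic):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET_CIDR
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB
    if spec.startswith("asg:"):          # ASG membership is by NIC, not by address
        return nic in ASGS.get(spec[4:], set())
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(nsg, src_ip, dst_nic, port, protocol="Tcp"):
    """Return (access, rule name) of the first matching rule; once a rule
    matches, no further rules are processed."""
    src = ipaddress.ip_address(src_ip)
    src_nic = next((n for n, ip in NIC_IP.items() if ip == src_ip), None)
    dst = ipaddress.ip_address(NIC_IP[dst_nic])
    for r in nsg.ordered():
        if (r.protocol in ("*", protocol)
                and (r.port == "*" or int(r.port) == port)
                and _match_addr(r.src, src, src_nic)
                and _match_addr(r.dst, dst, dst_nic)):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def inbound_allowed(subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg],
                    src_ip, dst_nic, port, protocol="Tcp"):
    """Inbound traffic is checked by the subnet NSG and then the NIC NSG;
    both must allow it. None means no NSG is attached at that level.
    Reply traffic of an allowed flow is never evaluated: NSGs are stateful."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and evaluate(nsg, src_ip, dst_nic, port, protocol)[0] != "Allow":
            return False
    return True


# Subnet NSG: RDP only from a constructed management subnet; the deny at 200
# overrides the default AllowVnetInBound (65000) for RDP from the rest of the VNet.
SUBNET_NSG = Nsg("nsg-app-subnet", [
    Rule("AllowRdpFromMgmt", 100, "Allow", "10.1.250.0/24", "*", "3389", "Tcp"),
    Rule("DenyRdpFromVnet", 200, "Deny", "VirtualNetwork", "*", "3389", "Tcp"),
])
# NIC NSG on the database VM: SQL only from members of asg-web.
DB_NIC_NSG = Nsg("nsg-db-nic", [
    Rule("AllowSqlFromWeb", 100, "Allow", "asg:asg-web", "asg:asg-db", "1433", "Tcp"),
    Rule("DenySqlFromVnet", 110, "Deny", "VirtualNetwork", "asg:asg-db", "1433", "Tcp"),
])
```

Swap the priorities of the two rules in `DB_NIC_NSG` and the web tier loses its SQL access even though the allow rule still exists, which is the first-match-wins point of the slide; remove `DenyRdpFromVnet` and every VM in the VNet can reach RDP through the default `AllowVnetInBound` rule.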
Network Security: Azure Firewall
Network Security: Azure Firewall Configuration

The typical deployment for Azure Firewall is in a central virtual network. Other virtual networks are then peered to it in a hub-and-spoke fashion. Default routes from the peered virtual networks are pointed to the central firewall virtual network.

The firewall, subnet, VNet, and the public IP address must all be in the same resource group.

Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues across regions. For best performance, deploy one firewall per region.

The advantage of this model is the ability to centrally exert control on multiple spoke VNets across different subscriptions.

(Diagram: spoke VNets peered to a hub VNet that contains the firewall, which sits between the spokes, the on-premises network, and the Internet.)
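The deployment rules on this slide turned into a check over a constructed hub-and-spoke model, as an added example that is not course material and not an Azure tool: each spoke must be peered with the hub in both directions and send its default route to the firewall's private IP, the firewall's subnet, VNet and public IP must share the firewall's resource group, and a spoke in another region with no firewall of its own is flagged as global peering. The data model, VNet and firewall names, regions, addresses and resource group names are assumptions made for this example.

```python
"""Added example, not code from the course: validation of a constructed
hub-and-spoke model against the slide's Azure Firewall deployment rules.
Names, regions, addresses and resource groups are constructed."""
from dataclasses import dataclass, field, replace
from typing import Optional, Set


@dataclass
class Vnet:
    name: str
    region: str
    peered_with: Set[str] = field(default_factory=set)  # names of peered VNets
    default_next_hop: Optional[str] = None               # next hop of the 0.0.0.0/0 route


@dataclass
class Firewall:
    name: str
    region: str
    vnet: str
    private_ip: str
    resource_group: str
    subnet_rg: str
    vnet_rg: str
    public_ip_rg: str


def validate(hub: Vnet, spokes, firewalls):
    """Return (errors, warnings) for the topology; errors break the slide's
    must-rules, warnings cover its performance recommendation."""
    errors, warnings = [], []
    fw = next((f for f in firewalls if f.vnet == hub.name), None)
    if fw is None:
        errors.append(f"hub {hub.name} has no firewall")
    else:
        rgs = {fw.resource_group, fw.subnet_rg, fw.vnet_rg, fw.public_ip_rg}
        if len(rgs) > 1:
            errors.append(f"{fw.name}: firewall, subnet, VNet and public IP span "
                          f"resource groups {sorted(rgs)}; they must share one")
    for s in spokes:
        if hub.name not in s.peered_with or s.name not in hub.peered_with:
            errors.append(f"{s.name}: not peered in both directions with {hub.name}")
        if fw is not None and s.default_next_hop != fw.private_ip:
            errors.append(f"{s.name}: default route next hop is {s.default_next_hop}, "
                          f"expected firewall {fw.private_ip}")
        if s.region != hub.region and not any(f.region == s.region for f in firewalls):
            warnings.append(f"{s.name}: global peering from {s.region} to {hub.region}; "
                            f"deploy a firewall in {s.region} for best performance")
    return errors, warnings


# Constructed topology: one hub with a firewall, three spokes with one defect each way.
FW = Firewall("fw-hub", "eastus", "vnet-hub", "10.0.1.4",
              "rg-hub", "rg-hub", "rg-hub", "rg-hub")
HUB = Vnet("vnet-hub", "eastus", {"vnet-app", "vnet-data", "vnet-eu"})
SPOKES = [
    Vnet("vnet-app", "eastus", {"vnet-hub"}, "10.0.1.4"),     # correct
    Vnet("vnet-data", "eastus", {"vnet-hub"}, None),           # no default route to the firewall
    Vnet("vnet-eu", "westeurope", {"vnet-hub"}, "10.0.1.4"),   # cross-region spoke
]
FW_SPLIT_RG = replace(FW, public_ip_rg="rg-network")  # public IP placed in another group


if __name__ == "__main__":
    for kind, items in zip(("errors", "warnings"), validate(HUB, SPOKES, [FW])):
        print(kind, items)
```

A spoke whose default route does not reach the firewall is the common real-world gap: the peering looks healthy, yet the spoke's traffic bypasses central inspection, so the route check matters as much as the peering check.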
Network Security: Resource Firewalls
Platform Protection: Host Security

Topics in this section include:

- A: Endpoint Protection: Securing your hosts against viruses and malware.
- B: Update Management: Keeping your Azure VMs up-to-date.
Host Security: VM Endpoint Security

Microsoft Antimalware for Azure is a free real-time protection service that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems.

Features include:

- Real-time protection
- Malware remediation
- Signature updates
- Antimalware engine updates
- Antimalware platform updates
- Active protection
- Samples reporting
- Exclusions
- Antimalware event collection

VM Endpoint Protection subtopics: Pros and Cons; Single VM Deployment; Multiple VM Deployment.
Host Security: VM Endpoint Protection: Pros and Cons

Advantages (Pros)    Disadvantages (Cons)
Free!!               Difficult to modify
Easy to deploy       Limited client availability
Fully featured       No centralized management
Host Security: Antimalware: Single VM Deployment

Exclusions and protection parameters are specified at deployment.
Host Security: Antimalware: Multiple VM Deployment

Configure and deploy Microsoft Antimalware using Azure Policy or Azure Security Center.
Host Security: Update Management

Azure provides the Update Management solution to allow you to manage updates and patches for your Windows virtual machines. The solution requires Azure Log Analytics and an Azure Automation account. If these are not available at deployment, they can be provisioned for you.
Platform Protection: Securing Azure Resources

Topics in this section include:

- A: Role-based Access Control (RBAC) [Review]: Managing permissions on Azure resources.
- B: Managed Identities [Review]: Access to resources without credentials!
- C: Azure Resource Locks: Preventing deletion of Azure resources.
- D: Management Groups: Managing multiple subscriptions with ease!
- E: Azure Policies: Automatically enforce compliance in Azure.
Securing Azure Resources: RBAC [Review]

While Conditional Access and Identity Protection are used to control access to Azure AD managed resources, role-based access control (RBAC) is used to provide granular access to Azure resources. These roles can be assigned at the subscription, resource group, or resource level.

- Azure includes a range of over 70 built-in roles for controlling access to Azure resources. Some examples are:
  - Owner: Includes full access to the assigned resource(s), including rights to grant access to others.
  - Contributor: Provides full access to the assigned resource(s) except for rights to change permissions.
  - Reader: Provides full view access to the assigned resource(s), but no ability to make changes.

For more information, refer to the article on built-in roles for Azure resources.

If the built-in roles are not sufficient, custom roles can be created.

- For roles to take effect, they must be assigned.
- Roles are assigned to an Azure AD user, group, or service principal.
- They must be assigned to something: a subscription, resource group, or resource.

Related: AZ-300: RBAC.
Securing Azure Resources: Managed Identities [Review]

Managed Identities provide a secure method for authenticating Azure resources against other Azure services without needing to include credentials. Managed Identities is a feature of Azure AD which specifically provides an Azure resource with a managed identity within Azure AD.

This feature provides the ability to authenticate an Azure resource "behind the scenes." This does not provide any implicit permissions (authorization), though. Those must be configured separately.

- Avoids the need for application credentials to be stored in code (e.g. client ID and secrets).
- Is fully managed by Microsoft, so credentials no longer need to be rotated by developers.
- Automates the creation and registration of an application within Azure AD, service principal, and client ID.
- Includes built-in functionality for Azure resources to securely obtain an authentication token.
- Does not imply any authorization, since the identity must still be granted whatever permissions are desired.

Related: AZ-300: Managed IDs.
Securing Azure Resources: Azure Resource Locks

We can use Azure resource locks to prevent other users in our organization from accidentally deleting or modifying critical resources such as subscriptions, resource groups, or resources.

There are two types of resource locks:

- CanNotDelete means authorized users can still read and modify a resource, but they can't delete that resource.
- ReadOnly means authorized users can read a resource, but they can't delete or update it. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

When a resource lock is used at a parent scope, such as a subscription or resource group, all resources within that scope inherit the same lock. Resources added later inherit the lock from the parent. When a resource inherits multiple locks, the most restrictive lock in the inheritance takes precedence.

Unlike role-based access control, resource locks apply a restriction across all users and roles.
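How an RBAC assignment (the RBAC slide above) and inherited resource locks (this slide) combine, as one added example that is not course material and not Azure's authorization code. Roles are reduced to the three the slides name and to four operation kinds; both role assignments and locks inherit down a scope tree, several inherited locks combine as the most restrictive, and a lock blocks every principal regardless of role, so even an Owner cannot delete a CanNotDelete-locked resource. The scope path format, the principals, the role assignments and the locks are constructed for the example.

```python
"""Added example, not code from the course: RBAC role assignments and
resource locks evaluated together over a simplified scope tree
(subscription / resource group / resource). Scope paths, principals,
assignments and locks are constructed for this example."""

# Role -> operation kinds it permits (simplified from the slide's descriptions).
ROLE_ACTIONS = {
    "Owner": {"read", "write", "delete", "grant"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
}
# What each lock type forbids; ReadOnly is the more restrictive of the two.
LOCK_BLOCKS = {"CanNotDelete": {"delete"}, "ReadOnly": {"write", "delete"}}

# Constructed data. Scopes are simplified paths: /<subscription>/<resource group>/<resource>.
ASSIGNMENTS = {
    ("alice", "/sub-prod"): ["Owner"],                     # subscription-level Owner
    ("bob", "/sub-prod/rg-web"): ["Contributor"],          # resource-group Contributor
    ("carol", "/sub-prod/rg-web/vm-web1"): ["Reader"],     # resource-level Reader
}
LOCKS = {
    "/sub-prod/rg-web": ["CanNotDelete"],                  # inherited by everything in rg-web
    "/sub-prod/rg-web/vm-web1": ["ReadOnly"],              # resource adds a stricter lock
}


def scope_chain(scope):
    """Yield the scope and then each ancestor up to the subscription."""
    parts = scope.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])


def effective_role_actions(assignments, principal, scope):
    """Union of the actions of every role assigned at the scope or an ancestor:
    RBAC assignments inherit down the hierarchy."""
    actions = set()
    for s in scope_chain(scope):
        for role in assignments.get((principal, s), ()):
            actions |= ROLE_ACTIONS[role]
    return actions


def effective_lock_blocks(locks, scope):
    """Actions blocked by locks at the scope or any ancestor. A union is the
    'most restrictive lock takes precedence' rule from the slide."""
    blocked = set()
    for s in scope_chain(scope):
        for lock in locks.get(s, ()):
            blocked |= LOCK_BLOCKS[lock]
    return blocked


def is_allowed(assignments, locks, principal, action, scope):
    """RBAC must grant the action and no lock may block it. Locks apply to
    all users and roles, so the lock check ignores the principal."""
    if action not in effective_role_actions(assignments, principal, scope):
        return False, "no role grants this action"
    if action in effective_lock_blocks(locks, scope):
        return False, "blocked by resource lock"
    return True, "allowed"


if __name__ == "__main__":
    for who, what, where in [("bob", "delete", "/sub-prod/rg-web/vm-web2"),
                             ("alice", "write", "/sub-prod/rg-web/vm-web1"),
                             ("alice", "delete", "/sub-prod/rg-db/vm-db1")]:
        print(who, what, where, is_allowed(ASSIGNMENTS, LOCKS, who, what, where))
```

The second check in `is_allowed` is the slide's closing point: `alice` is Owner of the whole subscription, yet a ReadOnly lock on `vm-web1` stops her writes just as it stops everyone else's.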
Securing Azure Resources: Management Groups

Azure management groups allow us to group subscriptions to manage access, policies, and compliance. Think of them as one level above subscriptions, but only for management. Billing responsibility is still handled on the subscription level.

When using management groups, the first group is called the Tenant Root Group and is used to manage all subscriptions. If you are a Global Administrator, you can elevate your access to allow you to manage access to the root group.
Securing Azure Resources: Azure Policies

Azure Policy is a service in Azure you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources so those resources stay compliant with your corporate, technical, or government standards.

For example, you can define the policy to allow only a certain SKU size of virtual machines in your environment. If an Azure administrator attempts to deploy a virtual machine outside one of your defined SKU sizes, the deployment will fail validation and will not be deployed.

Also, existing resources found to be non-compliant can be remediated.

Policy definitions outline the specific criteria to be evaluated. Assignments determine where these policies are applied. They can be applied to Azure subscriptions and optionally to child resource groups. Child resources inherit the policy settings applied to their parents.

Policy initiatives are collections of policy definitions designed to accomplish a singular goal, such as the overall compliance of corporate standards. They are assigned in the same manner as individual definitions.
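The slide's allowed-SKU example carried through, as an added example that is not course material and not the Azure Policy engine: a policy definition written in the Azure Policy JSON shape (a `policyRule` with an `if` condition over `field` aliases and a `then` effect, with the allowed list supplied as an assignment parameter), a small evaluator for the `allOf`/`anyOf`/`not` and `equals`/`notIn` condition forms it uses, and the scope rule that an assignment at the subscription applies to resources in its child resource groups. The subscription IDs, resource IDs and SKU names are constructed; the evaluator compares strings case-sensitively, which is a simplification.

```python
"""Added example, not code from the course: an Azure Policy definition in
the service's JSON shape plus a minimal evaluator for the condition forms
it uses. Subscription IDs, resource IDs and SKU names are constructed."""
import json

POLICY_DEFINITION = json.loads("""
{
  "properties": {
    "displayName": "Allowed virtual machine size SKUs (constructed example)",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedSKUs": {"type": "Array", "metadata": {"displayName": "Allowed Size SKUs"}}
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
          {"field": "Microsoft.Compute/virtualMachines/sku.name",
           "notIn": "[parameters('listOfAllowedSKUs')]"}
        ]
      },
      "then": {"effect": "deny"}
    }
  }
}
""")

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed subscription
ASSIGNMENT = {  # assigned at the subscription, so child resource groups inherit it
    "scope": SUB,
    "parameters": {"listOfAllowedSKUs": {"value": ["Standard_B2s", "Standard_D2s_v3"]}},
}

RESOURCES = [  # constructed resources, with the fields the policy aliases refer to
    {"id": SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web1",
     "fields": {"type": "Microsoft.Compute/virtualMachines",
                "Microsoft.Compute/virtualMachines/sku.name": "Standard_B2s"}},
    {"id": SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-big",
     "fields": {"type": "Microsoft.Compute/virtualMachines",
                "Microsoft.Compute/virtualMachines/sku.name": "Standard_E64s_v3"}},
    {"id": SUB + "/resourceGroups/rg-web/providers/Microsoft.Storage/storageAccounts/stweb",
     "fields": {"type": "Microsoft.Storage/storageAccounts"}},
    {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-x"
           "/providers/Microsoft.Compute/virtualMachines/vm-other",
     "fields": {"type": "Microsoft.Compute/virtualMachines",
                "Microsoft.Compute/virtualMachines/sku.name": "Standard_E64s_v3"}},
]


def _resolve(value, params):
    """Resolve the "[parameters('name')]" template syntax against assignment parameters."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]["value"]
    return value


def _condition_holds(cond, resource, params):
    if "allOf" in cond:
        return all(_condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition_holds(cond["not"], resource, params)
    actual = resource["fields"].get(cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != _resolve(cond["notEquals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, assignment, resource):
    """'out-of-scope', 'compliant', or the rule's effect. For a new deployment
    'deny' fails validation; for an existing resource it marks it non-compliant
    and therefore a candidate for remediation."""
    if not resource["id"].lower().startswith(assignment["scope"].lower()):
        return "out-of-scope"
    rule = definition["properties"]["policyRule"]
    if _condition_holds(rule["if"], resource, assignment["parameters"]):
        return rule["then"]["effect"].lower()
    return "compliant"


def compliance_report(definition, assignment, resources):
    """Map each resource's short name to its evaluation outcome."""
    return {r["id"].rsplit("/", 1)[-1]: evaluate(definition, assignment, r) for r in resources}


if __name__ == "__main__":
    print(compliance_report(POLICY_DEFINITION, ASSIGNMENT, RESOURCES))
```

The storage account passes because the first `allOf` clause narrows the rule to virtual machines, and `vm-other` is untouched because it lives outside the assignment scope; an initiative would simply run this evaluation once per definition it bundles.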
Platform Protection: Container Security

Topics in this section include:

- Container Instance Security: ACR Tasks and security considerations.
- Container Groups: Container collections working together.
Course Navigation
Azure Container Registry: Security

Create a resource group:

    az group create --name myResourceGroup --location eastus

Create a container registry:

    az acr create --resource-group myResourceGroup --name myContainerRegistry008 --sku Basic

Log in to the registry:

    az acr login --name myContainerRegistry008

Push an image to the registry:

    1. docker pull hello-world
    2. docker tag hello-world myContainerRegistry008.azurecr.io/hello-world:v1
    3. docker push myContainerRegistry008.azurecr.io/hello-world:v1

Run an image from the registry:

    1. docker run myContainerRegistry008.azurecr.io/hello-world:v1
Azure Container Registry: Lock / VNet / Firewall

Azure Container Instances: Security
Azure Container Instances: Creating a Container Instance (Azure CLI)

Create a service principal:

    #!/bin/bash
    ACR_NAME=mycontainerregistry
    SERVICE_PRINCIPAL_NAME=acr-service-principal

    # Get the resource id of the registry; it becomes the scope of the role assignment
    ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

    # Create the service principal with only the acrpull role on this registry
    SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)

    # Look up the application (client) id of the new principal
    SP_APP_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)

    echo "Service principal ID: $SP_APP_ID"
    echo "Service principal password: $SP_PASSWD"

Create a container instance:

    az container create \
      --resource-group myResourceGroup \
      --name mycontainer \
      --image mycontainerregistry.azurecr.io/myimage:v1 \
      --registry-login-server mycontainerregistry.azurecr.io \
      --registry-username <service-principal-ID> \
      --registry-password <service-principal-password>
Azure Container Instances: Container Groups

Azure Container Instances: Vulnerability Management (Twistlock)

Azure Kubernetes Service: Security
Azure Kubernetes Service: Security Concepts

Master security

- In AKS, the Kubernetes master components are part of the managed service provided by Microsoft. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to provide the API Server, Scheduler, etc.
- This master is managed and maintained by Microsoft.
- By default, the Kubernetes API server uses a public IP address with a fully qualified domain name (FQDN). We can control access to the API server using Kubernetes role-based access controls and Azure Active Directory.

Node security

- AKS nodes are Azure virtual machines we manage and maintain.
- Linux nodes run an optimized Ubuntu distribution using the Moby container runtime.
- Windows Server nodes (currently in preview in AKS) run an optimized Windows Server 2019 release and also use the Moby container runtime.
- When an AKS cluster is created or scaled up, the nodes are automatically deployed with the latest OS security updates and configurations.

Kubernetes Secrets

- A Kubernetes Secret is used to inject sensitive data into pods, such as access credentials or keys.
Azure Kubernetes Service: Authentication to ACR (Azure CLI)

Grant AKS access to ACR:

    #!/bin/bash
    AKS_RESOURCE_GROUP=myAKSResourceGroup
    AKS_CLUSTER_NAME=myAKSCluster
    ACR_RESOURCE_GROUP=myACRResourceGroup
    ACR_NAME=myACRRegistry

    # Get the id of the service principal configured for AKS
    CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)

    # Get the ACR registry resource id
    ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)

    # Create role assignment
    az role assignment create --assignee $CLIENT_ID --role acrpull --scope $ACR_ID

Access with Kubernetes Secrets:

    #!/bin/bash
    ACR_NAME=myacrinstance
    SERVICE_PRINCIPAL_NAME=acr-service-principal

    # Populate the ACR login server and resource id.
    ACR_LOGIN_SERVER=$(az acr show --name $ACR_NAME --query loginServer --output tsv)
    ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

    # Create acrpull role assignment with a scope of the ACR resource.
    SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --role acrpull --scopes $ACR_REGISTRY_ID --query password --output tsv)

    # Get the service principal client id.
    CLIENT_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)

    # Output used when creating Kubernetes secret.
    echo "Service principal ID: $CLIENT_ID"
    echo "Service principal password: $SP_PASSWD"
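The script above ends by echoing the service principal ID and password "used when creating Kubernetes secret". The following is an added example, written in Python for this page and not part of the course or of any Microsoft tooling: it builds the docker-registry Secret that `kubectl create secret docker-registry` would produce from those two values, the pod spec that references it through `imagePullSecrets`, and then decodes the Secret again to make the defender's point that Secret data is base64-encoded, not encrypted. The registry name, client ID and password are constructed placeholders.

```python
# Added example (not the course's own script): what the echoed service
# principal ID and password turn into on the Kubernetes side. It builds the
# docker-registry Secret that `kubectl create secret docker-registry` would
# produce, the pod spec that references it, and shows that Secret data is only
# base64-encoded. Registry name, principal and password are constructed.
import base64
import json

# Constructed stand-ins for the values the course's script echoes.
LOGIN_SERVER = "myacrinstance.azurecr.io"
SP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # constructed, not a real app id
SP_PASSWORD = "constructed-example-password"


def docker_config_json(login_server: str, username: str, password: str) -> str:
    """The .dockerconfigjson document a docker-registry Secret carries:
    one entry per registry, with the basic-auth pair also pre-joined in `auth`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps(
        {"auths": {login_server: {"username": username, "password": password, "auth": auth}}},
        separators=(",", ":"),
    )


def image_pull_secret(name: str, login_server: str, username: str, password: str) -> dict:
    """Manifest equivalent of:
    kubectl create secret docker-registry <name> --docker-server=<login_server>
        --docker-username=<sp id> --docker-password=<sp password>"""
    payload = docker_config_json(login_server, username, password).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def pod_using_secret(secret_name: str, image: str) -> dict:
    """Pod spec that pulls a private image with the Secret via imagePullSecrets."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "demo"},
        "spec": {
            "containers": [{"name": "app", "image": image}],
            "imagePullSecrets": [{"name": secret_name}],
        },
    }


def recover_credentials(secret: dict) -> dict:
    """Decode the Secret back to the plaintext pair. This is why `get secrets`
    in the namespace must be restricted with Kubernetes RBAC: base64 is
    encoding, not encryption, and the value is the acrpull principal's password."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    server, entry = next(iter(cfg["auths"].items()))
    username, password = base64.b64decode(entry["auth"]).decode().split(":", 1)
    return {"server": server, "username": username, "password": password}


def build_example() -> tuple:
    """Secret and pod for the constructed registry; returned so they can be checked."""
    secret = image_pull_secret("acr-secret", LOGIN_SERVER, SP_CLIENT_ID, SP_PASSWORD)
    pod = pod_using_secret("acr-secret", f"{LOGIN_SERVER}/hello-world:v1")
    return secret, pod


if __name__ == "__main__":
    s, p = build_example()
    print(json.dumps(s, indent=2))
    print(json.dumps(p, indent=2))
    print(recover_credentials(s))
```

The principal only holds `acrpull`, so what leaks if the Secret is read is pull access to the registry, which is the reason the course scopes the role assignment to the single registry resource rather than the subscription.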
Security Operations: Configuring Security Services

Topics in this section include:

- Security Policies
- Security Alerts

AZ-300: Azure Monitor

These do not include the Azure Activity Log or any OS-level logging.

Configuring Security Services: Logging Options

Configuring Security Services: Logging Settings
Security Operations: Security Policies

Configuring Security Policies: Just in Time VM Access Using Microsoft Azure Security Center

Just-in-time (JIT) virtual machine (VM) access allows us to lock down access to our Azure virtual machines, allowing access only when required by our support personnel or other users.

Azure Security Center standard is required to configure this feature.
Security Operations: Security Alerts

Security Alerts: Reviewing and Responding to Alerts and Recommendations

Security Alerts:

Based on data collected by Azure Security Center, threats are detected. For each threat, an alert is generated.

A list of alerts is shown in Security Center along with the information we need to quickly investigate the problem and recommendations for how to remediate an attack.

Recommendations:

Recommendations are actions to take to secure our resources. The recommendations are based on best practices and trusted security advisories.

Each recommendation provides the following:

- A description.
- Remediation steps.
- Affected resources.
- Secure score impact.
Security Alerts: Microsoft Azure Security Center Playbooks

A security playbook is simply a collection of procedures. These procedures are executed when a playbook is triggered. Security alerts are the trigger that starts a playbook running.
Secure Data and Applications: Data Security

Topics in this section include:

- Storage Analytics Data Retention Policies
- Data Sovereignty with Azure Policy
- What Is Azure Information Protection (AIP)?
- AIP Permissions
Data Classification using Azure Information Protection: What is AIP?

Azure Information Protection (AIP) is a cloud-based rights management solution that helps our organization classify and protect documents and emails.

Azure Active Directory Premium P1 or P2 licenses are required to use AIP. A comparison of AIP features can be found here.
Data Classification using Azure Information Protection: Labelling

In AIP, labels determine the classification of a piece of data. Data labelled "General" is not protected and can be distributed inside and outside of an organization, whereas data labelled "Confidential" cannot. Labels can be applied manually to a piece of data or can be applied automatically based on conditions, such as the data format.

AIP contains 100 preconfigured conditions, or we can create our own based upon a regular expression.
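To make the labelling model concrete, here is an added example in Python; it is not AIP's engine and not code from the course. It models labels with a protection flag, conditions as regular expressions that apply a label automatically, a manual label that overrides them, and a distribution check that keeps protected data inside the organization. The conditions, domain names and sample documents are constructed for the example, and AIP's 100 preconfigured conditions are not reproduced.

```python
# Added example (not AIP's own classification engine, and not code from the
# course): a toy label classifier that mirrors the behaviour described above.
# Labels carry a protection flag, conditions are regular expressions that
# apply a label automatically, a manual label overrides them, and a
# distribution check enforces that protected data stays inside the
# organization. The conditions, domains and documents are constructed.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Label:
    name: str
    protected: bool   # protected data may not leave the organization


GENERAL = Label("General", protected=False)
CONFIDENTIAL = Label("Confidential", protected=True)

# Constructed conditions: (compiled regular expression, label to apply).
# Order matters: the first match wins, so put the most sensitive first.
CONDITIONS = [
    (re.compile(r"\b\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{4}\b"), CONFIDENTIAL),   # payment-card-like number
    (re.compile(r"\bproject\s+falcon\b", re.IGNORECASE), CONFIDENTIAL),    # constructed codename
]


def classify(text: str, manual_label: Optional[Label] = None) -> Label:
    """Manual label wins; otherwise the first matching condition; otherwise General."""
    if manual_label is not None:
        return manual_label
    for pattern, label in CONDITIONS:
        if pattern.search(text):
            return label
    return GENERAL


def may_distribute(label: Label, recipient_domain: str, org_domain: str) -> bool:
    """General data can go inside or outside; protected data only inside."""
    if not label.protected:
        return True
    return recipient_domain.lower() == org_domain.lower()


def classify_documents(documents: dict, manual: Optional[dict] = None) -> dict:
    """Label a batch of {name: text}; `manual` holds per-document overrides."""
    manual = manual or {}
    return {name: classify(text, manual.get(name)).name for name, text in documents.items()}


# Constructed sample documents.
DOCUMENTS = {
    "lunch-menu.txt": "Thursday: soup and sandwiches in the cafeteria.",
    "expense-report.txt": "Corporate card 4111-1111-1111-1111 was used for travel.",
    "roadmap.txt": "Timeline for Project Falcon launch in Q3.",
    "board-notes.txt": "Nothing pattern-matched, but the author marked this confidential.",
}
MANUAL_OVERRIDES = {"board-notes.txt": CONFIDENTIAL}

if __name__ == "__main__":
    for name, label in classify_documents(DOCUMENTS, MANUAL_OVERRIDES).items():
        print(f"{name}: {label}")
```

Note that a condition only ever raises the classification here; a manual override is the only way to mark something Confidential that no pattern catches, which is why the manual path sits in front of the automatic one.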
Data Sovereignty with Azure Policy

Sometimes, due to governmental or other regulations, it is necessary to ensure our organizational data resides in a particular country of origin. In Azure, we are able to create Azure resources in regions located all over the world. To enforce data sovereignty, we can use Azure Policy to enforce where Azure resources and the data contained therein are located.

Azure Policy contains many preconfigured policies to assist us with our compliance goals. One of these determines allowed locations where Azure resources can be deployed.
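The following is an added example, not Azure Policy's engine and not code from the course, serving both the Azure Policy slide earlier in this guide (definitions, assignments, inheritance by child resources, initiatives, remediation of existing resources) and the data sovereignty slide above. It is a toy Python model: definitions check one resource property against an allowed set, an initiative bundles the allowed-VM-SKU rule with an allowed-locations rule, the initiative is assigned at the subscription scope, and resource groups beneath it inherit both rules. Scope strings follow the Azure resource id layout; the subscription id, group names, SKUs and regions are constructed.

```python
# Added example (not Azure Policy's own engine, and not code from the course):
# a toy model of the mechanics described in the Azure Policy and data
# sovereignty slides: definitions, assignments at subscription or resource
# group scope, inheritance by child resources, and an initiative bundling an
# allowed-VM-SKU rule with an allowed-locations rule. Scope strings follow the
# Azure resource id layout; subscription id, group names and SKUs are constructed.
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class PolicyDefinition:
    name: str
    field_name: str       # the resource property the rule inspects
    allowed: frozenset    # values that pass validation; anything else is denied

    def is_compliant(self, resource: dict) -> bool:
        return resource.get(self.field_name) in self.allowed


@dataclass(frozen=True)
class Initiative:
    """A collection of definitions assigned as one unit."""
    name: str
    definitions: tuple


@dataclass(frozen=True)
class Assignment:
    policy: Union[PolicyDefinition, Initiative]
    scope: str            # "/subscriptions/<id>" or ".../resourceGroups/<rg>"

    def definitions(self) -> tuple:
        return self.policy.definitions if isinstance(self.policy, Initiative) else (self.policy,)


def scope_chain(scope: str) -> list:
    """Ancestor scopes a resource inherits from, outermost first:
    '/subscriptions/S/resourceGroups/G' -> ['/subscriptions/S', '/subscriptions/S/resourceGroups/G']."""
    parts = scope.split("/")
    return ["/".join(parts[:i]) for i in range(3, len(parts) + 1, 2)]


def effective_definitions(assignments, resource_scope: str) -> list:
    """Definitions that apply at a scope: assigned there or at any parent."""
    chain = scope_chain(resource_scope)
    return [d for a in assignments if a.scope in chain for d in a.definitions()]


def validate_deployment(assignments, resource: dict) -> tuple:
    """Deployment-time check: ('denied', [failing definition names]) or ('allowed', [])."""
    failing = [d.name for d in effective_definitions(assignments, resource["scope"])
               if not d.is_compliant(resource)]
    return ("denied", failing) if failing else ("allowed", [])


def compliance_report(assignments, existing: list) -> dict:
    """Existing resources that no longer satisfy their policies, for remediation."""
    report = {}
    for r in existing:
        _, failing = validate_deployment(assignments, r)
        if failing:
            report[r["name"]] = failing
    return report


# Constructed sample: one initiative assigned at the subscription, so every
# resource group underneath inherits both rules.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ALLOWED_SKUS = PolicyDefinition("allowed-vm-skus", "sku", frozenset({"Standard_B2s", "Standard_D2s_v3"}))
ALLOWED_LOCATIONS = PolicyDefinition("allowed-locations", "location", frozenset({"westeurope", "northeurope"}))
CORPORATE_STANDARDS = Initiative("corporate-standards", (ALLOWED_SKUS, ALLOWED_LOCATIONS))
ASSIGNMENTS = [Assignment(CORPORATE_STANDARDS, SUB)]

VM_OK = {"name": "vm-ok", "scope": SUB + "/resourceGroups/rg-prod",
         "sku": "Standard_B2s", "location": "westeurope"}
VM_BAD = {"name": "vm-big-us", "scope": SUB + "/resourceGroups/rg-dev",
          "sku": "Standard_M128s", "location": "eastus"}

if __name__ == "__main__":
    print(validate_deployment(ASSIGNMENTS, VM_OK))    # ('allowed', [])
    print(validate_deployment(ASSIGNMENTS, VM_BAD))   # ('denied', ['allowed-vm-skus', 'allowed-locations'])
    print(compliance_report(ASSIGNMENTS, [VM_OK, VM_BAD]))
```

The same `validate_deployment` call serves both moments the slides describe: at deployment time its "denied" result is the failed validation, and over already-deployed resources `compliance_report` lists what needs remediation. An assignment placed on a single resource group is not visible to a sibling group, which is the inheritance rule in one direction only.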
Secure Data and Applications: Azure Key Vault

Topics in this section include:

- Managing Certificates and Secrets
Azure Key Vault: Managing Access to Key Vault, Secrets, Certificates, and Keys

Azure Key Vault helps safeguard and manage cryptographic keys and secrets used by Azure applications and services.

With Azure Key Vault, we can perform the following tasks:

- Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Create and control the encryption keys used to encrypt data.
- Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with internal connected resources.
- Azure Resource Manager templates can access secrets and keys stored in key vault during deployment of other Azure resources.

RBAC is also used to determine access to the Key Vault resource.

Azure Key Vault: Managing Certificates and Secrets

We can use the Azure Portal, PowerShell, and the CLI to set and retrieve both secrets and certificates from Azure Key Vault.
Secure Data and Applications: Security for Data Infrastructure

Topics in this section include:

- SQL Database Auditing
- Security for HDInsight
- Security for Cosmos DB
Security for Data Infrastructure: Database Authentication and Auditing

SQL Database Authentication with Azure AD

By default, Azure SQL databases, managed instances, and data warehouses use local user accounts for authentication. When one of the above-mentioned resources is initially deployed, a SQL server account is created for administration (think SA account in MS SQL Server).

Azure Active Directory can be configured to simplify authentication to any of these resources. Benefits of Azure AD authentication are:

- Single user account for DB authentication.
- Password strength based on Azure AD policies.
- Support for ADFS authentication.
- Support for MFA.
- Use of SQL management tools with Azure AD authentication.

In order to integrate with Azure AD, an Azure AD administrator must be assigned to the SQL database, managed instance, or data warehouse. This can be either a user or group object. This user or group can assign other Azure AD users and groups to SQL resources.

SQL Database Auditing

Auditing SQL databases and data warehouses helps us maintain compliance and gain insight into the activity in these critical Azure resources.
Azure SQL Database Threat Protection

Advanced Threat Protection can identify potential SQL injections, access from an unusual location or data center, access from an unfamiliar principal or potentially harmful application, and brute-force SQL credentials.

Notifications on alerts can be viewed in the Azure Portal or e-mailed.

Advanced data security is a premium service that entails additional cost. Refer to Azure pricing for more information.
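Two of the alert types listed above, brute-force SQL credentials and access from an unfamiliar principal, are easy to reason about against the audit records the previous slide says we should be collecting. The following is an added example in Python, not Advanced Threat Protection's own detection logic and not code from the course: it runs both detections over constructed audit records and shapes the result into the kind of alert a defender would want e-mailed. The record format, IP addresses (documentation ranges), account names, baseline and threshold are all constructed for the example.

```python
# Added example (not Advanced Threat Protection's own detection logic, and not
# code from the course): two simple detections over constructed SQL audit
# records that correspond to alert types listed above, brute-force credential
# attempts and access from an unfamiliar principal, plus the notification shape
# a defender would e-mail. Record format, IP addresses, names and thresholds
# are all constructed for the example.
from collections import Counter, defaultdict

# Constructed audit records: (timestamp, principal, client ip, login succeeded)
AUDIT_RECORDS = [
    ("2024-01-10T08:00:01Z", "app_reader", "10.0.0.5", True),
    ("2024-01-10T08:00:02Z", "app_writer", "10.0.0.6", True),
    ("2024-01-10T09:15:00Z", "sa", "203.0.113.7", False),
    ("2024-01-10T09:15:01Z", "admin", "203.0.113.7", False),
    ("2024-01-10T09:15:02Z", "sa", "203.0.113.7", False),
    ("2024-01-10T09:15:03Z", "dbo", "203.0.113.7", False),
    ("2024-01-10T09:15:04Z", "sa", "203.0.113.7", False),
    ("2024-01-10T09:15:05Z", "admin", "203.0.113.7", False),
    ("2024-01-10T09:20:00Z", "app_reader", "10.0.0.5", False),   # a single typo, not an attack
    ("2024-01-10T10:00:00Z", "contractor_x", "198.51.100.9", True),
]
KNOWN_PRINCIPALS = {"app_reader", "app_writer"}   # constructed baseline of principals seen before
FAIL_THRESHOLD = 5


def detect_brute_force(records, threshold=FAIL_THRESHOLD) -> dict:
    """Client IPs with at least `threshold` failed logins, with the principals tried."""
    failures = Counter()
    tried = defaultdict(set)
    for _, principal, ip, ok in records:
        if not ok:
            failures[ip] += 1
            tried[ip].add(principal)
    return {ip: {"failed": n, "principals": sorted(tried[ip])}
            for ip, n in failures.items() if n >= threshold}


def detect_unfamiliar_principals(records, known) -> list:
    """Successful logins by principals absent from the baseline, as (principal, ip)."""
    return sorted({(p, ip) for _, p, ip, ok in records if ok and p not in known})


def build_alerts(records, known=KNOWN_PRINCIPALS) -> list:
    """Alert objects in the shape the course describes: what happened, where,
    and the remediation step to take."""
    alerts = []
    for ip, info in detect_brute_force(records).items():
        alerts.append({"type": "brute_force_credentials", "source_ip": ip,
                       "failed_logins": info["failed"], "principals": info["principals"],
                       "remediation": "block the source at the server firewall and review the tried accounts"})
    for principal, ip in detect_unfamiliar_principals(records, known):
        alerts.append({"type": "unfamiliar_principal", "principal": principal, "source_ip": ip,
                       "remediation": "confirm the login with the account owner; disable if unrecognised"})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(AUDIT_RECORDS):
        print(alert)
```

The single failed login from the known application account stays below the threshold and produces nothing, which is the trade-off a threshold always makes; the service's own detection is richer than this, but the audit data it depends on is the same.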
Managing Access Control and Keys for Storage Accounts [Review]

Azure storage accounts are the repositories for data accessed by users, applications, and other Azure services. Locking down these storage accounts is a critical component of Azure security.

Azure Storage Account Security

AZ-300 Blueshift Guide
Security for HDInsight

Once these prerequisites are complete, the HDInsight cluster with ESP can be deployed in Azure.

Microsoft: HDInsight with ESP
Security for Cosmos DB

Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources:
Security for Microsoft Azure Data Lake

Securing data in Azure Data Lake Storage uses a combination of Azure AD role-based permissions and access control lists within the Data Lake file system.

- AAD security principals control access to the Data Lake Storage Gen1 account from the portal and management operations from the portal or through APIs.
- These principals also regulate access control on the data stored in Data Lake Storage Gen1.
- We can also lock down access to the Data Lake at the network level by using a resource firewall.
Secure Data and Applications: Encryption for Data at Rest

Topics in this section include:

- Disk Encryption
- Backup Encryption
Always Encrypted

Always Encrypted is configured in SQL Server Management Studio using the Always Encrypted Wizard.

We can use Always Encrypted to encrypt entire databases or individual columns and rows within the database.

DP-200: Diagram
Database Encryption [Review]: Storage Service Encryption

Azure Storage automatically encrypts your data with 256-bit AES encryption. Data in Azure Storage is encrypted and decrypted transparently.

Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled.

All Azure Storage account tiers and deployment models are encrypted.

Azure customers can choose to have Microsoft manage the encryption key for storage accounts, or we can provide our own key and manage it using Azure Key Vault.

Customer-managed keys can be configured using the Azure Portal, PowerShell, and the Azure CLI.
Back t o M ain
Disk Encryption

Azure Key Vault can be used to manage the keys used to encrypt disks.

Azure Disk Encryption requires that your key vault and VMs reside in the same Azure region and subscription.

Supported Operating Systems
Security for Application Delivery

Topics in this section include:
- Data Security
- Azure Key Vault
- Security for Data Infrastructure
- Encryption for Data at Rest
- Security for Application Delivery
Implementing Security Validations for Application Development

Application development using PaaS resources allows easier deployment of web and mobile applications, as we, the end user, are no longer responsible for items such as physical infrastructure and networking.

This is not to say that security is no longer of importance when developing and deploying PaaS-based applications. Caution must be taken when securing these applications, which by design are more vulnerable than on-premises applications.

Some best practices for securing PaaS applications:
- Adopt a policy of identity as the primary security perimeter.
- Secure your keys and credentials to secure your PaaS deployment.
- Manage your PaaS resources directly whenever possible.
- Use strong authentication and authorization.
- Use a web application firewall.
- Monitor app performance.
- Perform penetration testing.
Synthetic Security Transactions to Monitor Site Availability

Azure Application Insights can be used to monitor App Service by running recurring tests to monitor availability and responsiveness. Performance and availability issues could be a result of underlying security problems, so it is recommended to run these tests often.

There are three types of availability tests:
- URL ping test
- Multi-step web test
- Custom track availability tests
Protecting Web Apps

Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of our web applications from common exploits and vulnerabilities. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.0 or 2.2.9.
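Enabling the Application Gateway WAF with the OWASP 3.0 rule set, as an added example using the Az PowerShell module rather than anything from the course; the gateway and resource group names are placeholders, and the gateway is assumed to already use a WAF SKU:

```powershell
# Added example: apply the OWASP 3.0 core rule set on an existing
# Application Gateway WAF. Names are placeholders.
$rg     = "rg-appgw-demo"
$gwName = "appgw-demo"

$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName

# FirewallMode Detection only logs rule matches, so it is the weaker setting
# and suited to tuning; Prevention also blocks the matching request and is
# what protects the web app once false positives are understood.
$gw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration `
    -ApplicationGateway $gw `
    -Enabled $true `
    -FirewallMode Prevention `
    -RuleSetType OWASP `
    -RuleSetVersion "3.0"

# Commit the updated gateway configuration to Azure.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Verify the effective WAF settings (Enabled, mode, rule set and version).
$gw.WebApplicationFirewallConfiguration |
    Select-Object Enabled, FirewallMode, RuleSetType, RuleSetVersion
```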
Exam Preparation

The AZ-500 Exam

About the Exam:
- Length: 180 Minutes
- Number of Questions: ~40
- Format:
  - Case study
  - Drag and drop
  - Exhibit
  - True or false

The exam can be taken at a local test center, at your home office, or at a Pearson VUE test center. If you choose at home or office, you must have the following system requirements:
https://www.microsoft.com/en-us/learning/online-exams.aspx

Preparing for the Exam:
- Watch and follow along with all the video lessons.
- Complete every hands-on lab at least twice.
- Take and pass the practice exam at least twice.
- Memorize the flashcard deck and create your own to increase memorization.
- Review the interactive diagram and understand the concepts.
- Participate in the Linux Academy community.
- Participate in a Linux Academy study group or start your own!