
Section Introduction
James Lee
TRAINING ARCHITECT

SECTION BREAKDOWN: The Azure AD Identity Platform
- Why Identity Matters
- Authentication and Authorization
- Azure AD vs Azure Subscriptions
- Identities in Azure AD
- Organizing Azure AD

SECTION INTRODUCTION: THE AZURE AD IDENTITY PLATFORM

The Goal of This Section

Identity Fundamentals: We'll build fundamental knowledge relating to identity, which will be leveraged throughout this course.

Where this fits in the course:
- Securing Applications: Securing the solutions we build. Note this doesn't always require Azure AD.
- Securing the Platform: Securing Azure services. Note this doesn't always require Azure AD.
- Identity and Access Management: Securing access to resources and identity itself.
- Azure Active Directory (AD): The identity platform upon which security heavily relies.

Azure AD Authentication and Authorization

LESSON BREAKDOWN
- Traditional Security
- Modern Security
- Identity and Access Management
- Example

AZURE AD AUTHENTICATION AND AUTHORIZATION

Traditional Network Security Perimeter

The security model in traditional environments was based on the network perimeter. All resources were typically secured within the network perimeter.

[Diagram: Internet -> Firewall -> User Network and Server Network, all inside the on-premises network perimeter]

AZURE AD AUTHENTICATION AND AUTHORIZATION

What Happened?

With the advent of cloud, users are now accessing applications, services, and enterprise resources in so many different ways, both inside and outside of the traditional on-premises environment.

[Diagram: Remote Users and the On-Premises network both reach SaaS over the Internet]

AZURE AD AUTHENTICATION AND AUTHORIZATION

Modern Identity-Centric Security

Identity is now at the center of cloud security, and it is the new security perimeter.

[Diagram: Identity (Azure Active Directory) at the center, connected to Cloud Resources, Software as a Service, Cloud-Managed Devices and On-Premises Resources]

AZURE AD AUTHENTICATION AND AUTHORIZATION

Identity Security with Azure AD

Azure AD facilitates identity and access management (IAM). This helps provide security through three main components:
- Azure AD: The identity platform.
- Authentication: Are you who you say you are?
- Authorization: Are you allowed access?

AZURE AD AUTHENTICATION AND AUTHORIZATION

Identity Security with Azure AD: What It Looks Like

Let's consider a user trying to shut down a VM in the Azure portal.

1. Open portal.azure.com.
2. Provide credentials.
3. Credentials verified.
4. Request VM shutdown.
5. Permissions verified.
6. VM shutdown.

Azure AD Tenant and Azure Subscription Associations

LESSON BREAKDOWN
- The Association
- Example
- Demonstration

AZURE AD TENANT AND AZURE SUBSCRIPTION ASSOCIATIONS

What Is the Association?

If Azure AD can facilitate identity and access management for so many services, how is this established?

[Diagram: Azure Active Directory connected to Software as a Service, Microsoft Azure cloud resources, Cloud-Managed Devices and On-Premises Resources]

AZURE AD TENANT AND AZURE SUBSCRIPTION ASSOCIATIONS

Example Association

Example Azure AD Tenant and Azure Subscription association:

[Diagram: Microsoft Azure; the Azure Active Directory tenant capsecco.onmicrosoft.com is associated with two subscriptions, Production Sub 1 and Dev Sub 1]

Managing Azure AD Tenant and Azure Subscription Associations

LESSON BREAKDOWN
- Roles and Permissions
- Creating a Subscription
- Transferring Ownership
- Changing Directories

MANAGING AZURE AD TENANT AND AZURE SUBSCRIPTION ASSOCIATIONS

Roles and Permissions

How do we manage all of these resources in the different areas?

[Diagram: Microsoft Azure; the tenant capsecco.onmicrosoft.com and the subscription Production Sub 1]

Classic Subscription Admin Roles ("old" account management roles):
> Account Administrator
> Billing Administrator
> Service Administrator
> Co-Administrator

Azure AD Roles (to manage Azure AD resources)

Azure RBAC Roles (to manage Azure resources)

MANAGING AZURE AD TENANT AND AZURE SUBSCRIPTION ASSOCIATIONS

Creating a Subscription

What a new subscription looks like:

[Diagram: Microsoft Azure; an Empty Subscription with a Service Admin and a Billing / Account Admin, and its Associated Tenant capsecco.onmicrosoft.com]

MANAGING AZURE AD TENANT AND AZURE SUBSCRIPTION ASSOCIATIONS

Transferring (Billing) Ownership

What transferring (billing) ownership looks like:

[Diagram: Microsoft Azure; the tenants capsecco.onmicrosoft.com and capseccodev.onmicrosoft.com; the subscription's Service Admin, Billing / Account Admin, Associated Tenant and Empty Subscription]

MANAGING AZURE AD TENANT AND AZURE SUBSCRIPTION ASSOCIATIONS

Transferring Azure Subscriptions to Another Azure AD Tenant

What transferring tenants (changing directory) looks like:

[Diagram: the Subscription moves from the Source Tenant capsecco.onmicrosoft.com to the Target Tenant capseccodev.onmicrosoft.com; shown alongside it are the Billing / Account Admin, the Owner, the subscription's Role Assignments and its Managed Identities]

Azure AD Identities

LESSON BREAKDOWN
- Common Scenarios
- Common Identity Types
- Demonstration

AZURE AD IDENTITIES

Common Scenarios

Azure AD helps support authentication and authorization for a variety of scenarios. As an identity platform, it uses objects and metadata to represent security information about users, applications, and much more.

[Diagram: an Azure AD Tenant holding a User Account (Remote Staff via the Internet, On-Premises Staff and Resources), an Application (SaaS) and a Managed Identity (Azure)]

AZURE AD IDENTITIES

Common Identity Types

High-level overview of some of the key differences in identity types. To meet the needs of the various scenarios we discussed, the Azure AD identity platform supports different identity types.

USER
- Represents a staff member within the organization.
- Uses credentials such as username & password.
- Can be cloud users, synchronized, and guest users.

APP
- Represents an application in use within the tenant.
- Uses a secret token or certificate for authentication.
- Can include apps running in Azure, or elsewhere.

MANAGED
- Represents a service within the Azure subscription.
- Leverages the Azure platform for authentication.
- Only supports services running in Azure.

Azure AD Groups

LESSON BREAKDOWN
- Introduction
- Group Types
- Membership Types
- Demonstration

AZURE AD GROUPS

Why Do Groups Matter?

Groups help to reduce the effort required to manage security and access. They can also improve security by ensuring access controls are kept up to date.

[Diagram: groups in the Azure AD Tenant granting access to SaaS Apps and to Azure]

AZURE AD GROUPS

Group Types

There are two group types available within the Microsoft ecosystem:

SECURITY GROUPS: Similar to traditional Active Directory (AD), security groups are designed to act as a container for managing security and access control.

M365 GROUPS: Provides access to Microsoft 365 (M365) collaboration resources for a group of staff. Generally relates to a project or program of works underway.

AZURE AD GROUPS

Types of Membership

Overview of some key differences in how membership is controlled. To help ensure group membership is kept up to date and alleviate administrative burden, two membership types are available.

ASSIGNED
- Members are assigned by administrators or owners of the group.
- Members can be manually added or removed at any time.
- Requires the most administrative effort to manage and maintain.

DYNAMIC
- Members are dynamically controlled based on device/user attributes.
- Membership is managed by the platform. No manual changes allowed.
- Requires Azure AD licensing.

Azure AD Dynamic Groups

LESSON BREAKDOWN
- Introduction
- Dynamic Group Types
- Configuration
- Demonstration

AZURE AD DYNAMIC GROUPS

What's the Problem?

Why do we need more than groups with assigned membership?

[Diagram: Sarah from the Finance Team and the groups she needs: Group: Apps - Office, Group: Apps - CAPInvoice and Group: Apps - CAPAudit (auditing) for SaaS Apps, and Group: Azure - Billing for Azure]

AZURE AD DYNAMIC GROUPS

Types of Dynamic Groups

High-level overview of some of the key differences in group types. To help simplify membership management, the platform supports two types of groups.

DYNAMIC USER GROUP: Membership is based on the properties of a user account.

DYNAMIC DEVICE GROUP: Membership is based on the properties of a device.

Each leverages a rule to describe what group membership is based on (e.g., device OS type). This runs automatically.

Group types cannot be mixed. A dynamic group can either be for dynamic users or dynamic devices, but not both.

AZURE AD DYNAMIC GROUPS

Configuring a Dynamic User Group

Membership is controlled through a dynamic query, which evaluates user properties.

Example user (Sarah from the Finance Team):

Property      Value
name          Sarah
jobTitle      Accountant
department    Finance
country       Australia
companyName   Catch-a-Phish Security

[Diagram: Sarah is evaluated into the Finance Team group, which is used for Azure Billing Management]

Membership Rule:

(user.department -eq "Finance")

AZURE AD DYNAMIC GROUPS

Configuring a Dynamic Device Group

Membership is controlled through a dynamic query, which evaluates device properties.

Example device (Corporate Laptop):

Property         Value
displayName      CAPSECLAP001
deviceOSType     Windows
deviceOSVersion  10.0.19042.0
deviceModel      Surface Windows 10

[Diagram: the Corporate Laptop is evaluated into a Devices group used by Microsoft Endpoint Management]

Membership Rule:

(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10")

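The two membership rules above can be exercised offline with the following Python evaluator. It is an added example, not code from the course or from Microsoft: it implements only a subset of the Azure AD rule syntax (parentheses, and/or/not, quoted string values and the -eq, -ne, -startsWith and -contains operators), treats comparisons as case-insensitive as an assumption of its own, and uses the property tables from the two slides as constructed sample objects. It also rejects a user rule applied to a device (and vice versa), mirroring the point that the two dynamic group types cannot be mixed.

```python
import re

# Constructed sample objects mirroring the property tables on the slides.
SARAH = {"name": "Sarah", "jobTitle": "Accountant", "department": "Finance",
         "country": "Australia", "companyName": "Catch-a-Phish Security"}
LAPTOP = {"displayName": "CAPSECLAP001", "deviceOSType": "Windows",
          "deviceOSVersion": "10.0.19042.0", "deviceModel": "Surface Windows 10"}

# Subset of the rule syntax. Comparisons are case-insensitive here (an assumption of
# this toy evaluator, not a statement about the real Azure AD semantics).
OPERATORS = {
    "-eq": lambda actual, wanted: actual == wanted,
    "-ne": lambda actual, wanted: actual != wanted,
    "-startswith": lambda actual, wanted: actual.startswith(wanted),
    "-contains": lambda actual, wanted: wanted in actual,
}
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z]+(?:\.[A-Za-z0-9_]+)?)')


def tokenize(rule):
    # Slides and pasted rules often carry curly quotes; normalise them first.
    rule = rule.replace("\u201c", '"').replace("\u201d", '"').strip()
    tokens, pos = [], 0
    while pos < len(rule):
        match = TOKEN.match(rule, pos)
        if not match:
            raise ValueError(f"unexpected text at position {pos}: {rule[pos:pos + 10]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class RuleParser:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def parse(self):
        tree = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing tokens starting at {self.peek()!r}")
        return tree

    def expr(self):
        node = self.term()
        while (self.peek() or "").lower() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while (self.peek() or "").lower() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        token = self.peek()
        if token is None:
            raise ValueError("unexpected end of rule")
        if token.lower() == "not":
            self.take()
            return ("not", self.factor())
        if token == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        prop, op, value = self.take(), self.take(), self.take()
        if (not (prop and "." in prop) or op is None or op.lower() not in OPERATORS
                or value is None or not value.startswith('"')):
            raise ValueError(f"bad comparison near {prop!r}")
        return ("cmp", prop, op.lower(), value.strip('"'))


def evaluate(node, kind, obj):
    """Evaluate a parsed rule against one object of the given kind ('user' or 'device')."""
    if node[0] == "cmp":
        _, prop, op, wanted = node
        source, attribute = prop.split(".", 1)
        if source.lower() != kind:
            # Group types cannot be mixed: a user rule never applies to a device.
            raise ValueError(f"rule references {source!r} but the object is a {kind}")
        actual = obj.get(attribute)
        if actual is None:  # a missing attribute never satisfies a comparison
            return False
        return OPERATORS[op](str(actual).lower(), wanted.lower())
    if node[0] == "not":
        return not evaluate(node[1], kind, obj)
    left, right = evaluate(node[1], kind, obj), evaluate(node[2], kind, obj)
    return (left and right) if node[0] == "and" else (left or right)


def is_member(rule, kind, obj):
    """True when the object would be placed in a dynamic group with this rule."""
    return evaluate(RuleParser(tokenize(rule)).parse(), kind, obj)


if __name__ == "__main__":
    print(is_member('(user.department -eq "Finance")', "user", SARAH))
    print(is_member('(device.deviceOSType -eq “Windows”) and (device.deviceOSVersion -startsWith “10”)',
                    "device", LAPTOP))
```

Running the block prints True for both slide rules. The evaluator deliberately fails closed: an unknown operator, a rule referencing the wrong object kind, or a missing attribute never yields membership, which is the behaviour you want from anything that feeds access decisions.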
Azure AD Administrative Units

LESSON BREAKDOWN
- Introduction
- How It Works
- Demonstration

AZURE AD ADMINISTRATIVE UNITS

Why Do We Need Administrative Units?

What's missing? Why do we need administrative units, if we have groups?

[Diagram: one Azure AD Tenant serving Australia and India, with access to SaaS Apps and Azure, and Administrators for each region who need to:]
- Create users/groups
- Manage membership
- Manage settings and properties

AZURE AD ADMINISTRATIVE UNITS

How It Works

How does it work?

1. Create an administrative unit (requires Global Admin or Privileged Role Administrator).
2. Add users and groups (only supports users/groups).
3. Assign permissions (an AD role) to an administrator, scoped to the administrative unit.

Note: also requires Azure AD Premium licensing per admin.

[Diagram: an Administrative Unit within the Azure AD Tenant, with an Administrator scoped to it]

Section Conclusion

SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM

The Beginning: Azure AD

Identity Fundamentals: We'll build fundamental knowledge relating to identity, which will be leveraged throughout this course.

Where this fits in the course:
- Securing Applications: Securing the solutions we build. Note this doesn't always require Azure AD.
- Securing the Platform: Securing the Azure services. Note this doesn't always require Azure AD.
- Identity and Access Management: Securing access to resources and identity itself.
- Azure Active Directory (AD): The identity platform, upon which security heavily relies.

SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM

Modern Identity-Centric Security

Identity is now at the center of cloud security, and it is the new security perimeter.

[Diagram: Azure Active Directory at the center, connected to Cloud Resources, Software as a Service, Cloud-Managed Devices and On-Premises Resources]

SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM

Azure AD Tenant Association with Azure Subscriptions

Identity is now at the center of cloud security, and it is the new security perimeter.

[Diagram: Microsoft Azure; the Azure Active Directory tenant capsec.onmicrosoft.com is associated with Production Sub 1 and Dev Sub 1, providing Authentication and Authorization]

SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM

Identity Types

Azure AD helps support authentication and authorization for a variety of scenarios. As an identity platform, it uses objects and metadata to represent security information about users, applications, and much more.

[Diagram: an Azure AD Tenant holding a User Account (Remote Staff via the Internet, On-Premises Staff and Resources), an Application (SaaS) and a Managed Identity (Azure)]

SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM

Security Groups

Why do we need more than groups with assigned membership?

[Diagram: Jasmine from the Finance Team and the groups she needs: Group: Apps - Office, Group: Apps - CAPInvoice and Group: Apps - CAPAudit (auditing) for SaaS Apps, and Group: Azure - Billing for Azure]

SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM

Azure AD Administrative Units

How does it work?

- Simplifies the management of administrative Azure AD permissions to logical groups.
- Supports Users and Groups only.
- Creation requires Global Admin privileges within the Azure AD tenant (or Privileged Role Administrator).

Note: also requires Azure AD Premium licensing per admin.

[Diagram: an Administrative Unit within the Azure AD Tenant, with scoped permissions over its users]

SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM

Hybrid Identity with Azure AD Connect

Identity Synchronization: To support features like single sign-on, identities must be synchronized between the source and destination directories.

Authentication Management: In hybrid environments, it is important to control how and where user authentication will occur.

[Diagram: Azure AD Connect providing Synchronization and Authentication between On-Premises Active Directory and Azure Active Directory]

SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM

Hybrid Identity with Azure AD Connect

[Diagram comparing the three authentication methods. In each, Registered Apps send a Sign-In Request for a Synchronized Identity.]

PASSWORD HASH SYNC: Synchronization (Identity + PHS); authentication happens in Azure AD.

PASS-THROUGH AUTHENTICATION: Synchronization (Identity); authentication is passed to on-premises through a tunnel.

AD FEDERATION SERVICES (ADFS): Synchronization (Identity); authentication is handled on-premises by ADFS.

Section Introduction

SECTION BREAKDOWN: Hybrid Identities
- Hybrid Identities
- Collaboration with Partners
- Supporting External Identities

SECTION INTRODUCTION: HYBRID IDENTITY

The Goal of This Section

Extending Identity: With identity-centric security being so important, we need to consider the various identity sources.

Where this fits in the course:
- Securing Applications: Securing the solutions we build. Note that this doesn't always require Azure AD.
- Securing the Platform: Securing the Azure services. Note that this doesn't always require Azure AD.
- Identity and Access Management: Securing access to resources and identity itself.
- Azure Active Directory (AD): The identity platform upon which security heavily relies.

Section Introduction

SECTION BREAKDOWN: Controlling Access
- Securing Azure AD and Azure
- Azure Role-Based Access Control
- Azure AD Roles
- Custom Roles

SECTION INTRODUCTION: CONTROLLING ACCESS

The Goal of This Section

Authorization: Leveraging Azure AD, we will learn methods for controlling access to both Azure and Azure AD resources.

Where this fits in the course:
- Securing Applications: Securing the solutions we build. Note this doesn't always require Azure AD.
- Securing the Platform: Securing the Azure services. Note this doesn't always require Azure AD.
- Identity and Access Management: Securing access to resources and identity itself.
- Azure Active Directory (AD): The identity platform, upon which security heavily relies.

Azure AD Connect and Hybrid Identities

LESSON BREAKDOWN
- Introduction
- Benefits
- Azure AD Connect
- Authentication Methods

AZURE AD CONNECT AND HYBRID IDENTITIES

What Is Hybrid Identity?

Identity can exist in a number of places. With hybrid identity, the goal is to make sure identity is centralized, simplified, and users can leverage a single identity for accessing resources.

[Diagram: the Azure AD Tenant capsec.onmicrosoft.com holds Cloud Identities, Guest Accounts from Partner Identities (via Azure AD B2B) and Synchronized Accounts from On-Premises Identities (via Azure AD Connect)]

AZURE AD CONNECT AND HYBRID IDENTITIES

Benefits of Hybrid Identity

- Seamless access to cloud resources.
- Simplify the user login experience by providing (seamless) single sign-on.
- Simplify the management overhead.
- Control synchronization and authentication.
- Maintain identity as the perimeter of security.

AZURE AD CONNECT AND HYBRID IDENTITIES

Key Functions of Azure AD Connect

Identity Synchronization: To support features like single sign-on, identities must be synchronized between the source and destination directories.

Authentication Management: In hybrid environments, it is important to control how and where user authentication will occur.

[Diagram: Azure AD Connect providing Synchronization and Authentication between On-Premises Active Directory and Azure Active Directory]

AZURE AD CONNECT AND HYBRID IDENTITIES

Cloud Authentication: Password Hash Sync (PHS)

[Diagram: Registered Apps send a Sign-In Request for a Synchronized Identity; authentication happens in Azure AD; Azure AD Connect synchronizes the identity and its password hash (Identity + PHS)]

1. Lowest effort of the three Azure AD Connect authentication methods.
2. Requires the least infrastructure of the three options (synchronization only).
3. Synchronizes a hash (of a hash) of user passwords.
4. Doesn't immediately enforce changes in on-premises account states.
5. Only supports Disabled Account, but not password expiry or account lockout.

AZURE AD CONNECT AND HYBRID IDENTITIES

Cloud Authentication: Pass-through Authentication (PTA)

[Diagram: Registered Apps send a Sign-In Request for a Synchronized Identity; Azure AD Connect synchronizes the identity (Identity) and authentication is passed to on-premises through a tunnel]

1. Medium effort between the three Azure AD Connect authentication methods.
2. Requires synchronization and authentication infrastructure.
3. Uses an outbound network tunnel to support authentication from on-prem.
4. Enforces the on-premises account policies at the time of sign-in.
5. Supports additional account states (disabled, lockout, expiry, restricted).

AZURE AD CONNECT AND HYBRID IDENTITIES

Federated Authentication: Active Directory Federation Services (ADFS)

[Diagram: Registered Apps send a Sign-In Request for a Synchronized Identity; Azure AD Connect synchronizes the identity (Identity) and authentication is handled on-premises by ADFS]

1. Most complex of the three Azure AD Connect authentication methods.
2. Requires synchronization, ADFS, and web application proxy infrastructure.
3. Requires inbound network connectivity as authentication is handled on-prem.
4. Enforces all on-prem account policies as authentication occurs on-prem.
5. Supports advanced scenarios (e.g., smart card auth, third-party MFA, etc.).

Securing Azure and Azure Active Directory (AD)

LESSON BREAKDOWN
- Securing Azure Resources
- Securing Azure AD Resources

SECURING AZURE AND AZURE ACTIVE DIRECTORY (AD)

Securing Access to Azure Subscriptions

Permissions for managing resources within an Azure subscription:

[Diagram: identities within the Azure AD Tenant capsec.onmicrosoft.com are granted Azure resource permissions on resources within Production Sub 1]
- Mal: Restart all VMs
- Jenny: Full read/write access for web applications

SECURING AZURE AND AZURE ACTIVE DIRECTORY (AD)

Securing Access to Azure AD Resources

Permissions for managing resources within an Azure AD tenant:

[Diagram: identities within the Azure AD Tenant capsec.onmicrosoft.com are granted Azure AD permissions]
- Carla: Create administrative units
- Mal: Create/modify user accounts; Reset user passwords

Azure AD External Identities

LESSON BREAKDOWN
- Overview
- Azure AD B2B
- Azure AD B2C
- Demonstration

AZURE AD EXTERNAL IDENTITIES

Where It Began

External identities help to provide seamless access (single sign-on) to enterprise resources or custom applications by leveraging the Azure AD identity platform.

Azure AD B2B: Partner Identities are invited as Guest Accounts into the Azure AD Tenant (capsecco.onmicrosoft.com), alongside Cloud Accounts and Synchronized Accounts, for Enterprise Access.

Azure AD B2C: External Identities from Identity Providers are integrated into a dedicated Azure AD B2C Tenant (capseccoapp.onmicrosoft.com), alongside Local Accounts, for access to a Custom App.

AZURE AD EXTERNAL IDENTITIES

Where It's Going

External identities are a progression and combination of both Azure AD B2C and Azure AD B2B.

[Diagram: Azure AD External Identities: the Azure AD Tenant capsecco.onmicrosoft.com holds Cloud Accounts, Guest Accounts and Synchronized Accounts, with Identity Providers feeding in, for access to Enterprise Resources and Custom Apps]

AZURE AD EXTERNAL IDENTITIES

Azure AD Business-to-Business (B2B)

Guest Access: Azure AD B2B allows external users to be invited as guests, providing seamless, licensed access to resources.

External Identities: Supports several identity providers, including work/school accounts, Gmail, Facebook, SAML, and WS-Fed.

Collaboration Settings: Administrators can configure external collaboration settings for external identities within the Azure AD tenant.

[Diagram: Guest Users from External Identity Providers are invited into Azure Active Directory and granted access to Enterprise Resources]

AZURE AD EXTERNAL IDENTITIES

Azure AD Business-to-Customer (B2C)

Identity Platform for a Custom Application: Azure AD B2C provides a centralized identity platform for a customer's application (based on Azure AD).

B2C Tenant: Identity information is stored within a dedicated B2C tenant (not within the customer's existing Azure AD tenant).

External Identities: Many different social identities are available, as well as SAML and WS-Fed-based identity provider federation.

[Diagram: External Identity Providers integrate with the Azure AD B2C Tenant, which provides access to the Custom App(s)]

Azure Role-Based Access Control (RBAC)

LESSON BREAKDOWN
- Overview
- Configuration
- Demonstration
- Important Considerations

Azure Role-Based Access Control

Overview: How Does It Help?

Protecting your Azure resources.

Azure-based access control: Control the ability for users to create, modify, or delete Azure resources and permissions.

Follow the principle of least privilege: Improve security by ensuring that users only have the permissions to perform the tasks that they require.

Implement flexible security: Leverage preconfigured access controls (built-in), or create custom access controls (roles) as required.

AZURE ROLE-BASED ACCESS CONTROL (RBAC)

Example: Access Requirements

Staff member, Jenny. Needs permissions to manage VMs and one storage account.

Required Permissions:
- All VMs in the subscription.
- All storage accounts in a resource group (RG2).

[Diagram: management group MG1 containing Production Sub 1 (RG1, RG2, RG3) and Development Sub 1 (RG1). The Administrator holds Role: Owner at MG1. Jenny holds Role: VM Contributor (full VM access) on Production Sub 1 and Role: Storage Account Contributor (full storage account access) on RG2]

AZURE ROLE-BASED ACCESS CONTROL (RBAC)

Example: Configuring Permissions for Storage Access

An Azure RBAC assignment combines three parts:

1. Security Principal: Staff member, Jenny.
2. Role Definition: Requires Storage Account Contributor permissions. Built-in role examples:
   • Owner
   • Contributor
   • Reader
   • Virtual Machine Contributor
3. Scope: All storage accounts within resource group, RG2.

AZURE ROLE-BASED ACCESS CONTROL (RBAC)

Important Considerations

Some key points to remember:

Usage: Azure RBAC is for Azure resources, not Azure AD.

Permission Categories: Permissions apply to management and data operations.

Permissions Are Inherited: Permissions are inherited from the top down and evaluated continuously.

Custom Roles: You can build your own roles with your required permissions.

Built-In Roles: Various preconfigured roles exist like Owner, Contributor, etc.

Azure AD Roles

LESSON BREAKDOWN
- Overview
- Configuration
- Demonstration
- Important Considerations

Azure Active Directory Roles

Overview: How Does It Help?

Protecting your Azure AD resources.

Azure AD-based access control: Control the ability for users to create, modify, or delete Azure AD objects, permissions, and configuration.

Follow the principle of least privilege: Improve security by ensuring that users only have the permissions to perform the tasks that they require.

Implement flexible security: Leverage preconfigured access controls (built-in), or create custom access controls (roles) as required.

AZURE AD ROLES

Example: Access Requirements

Staff member, Carla. Needs permissions to manage user accounts, groups, and applications.

Required Permissions: Full access to manage all applications, but only access to manage accounts and groups in AU1.

[Diagram: the tenant contains Ungrouped Resources and the administrative units AU1 and AU2. The Admin holds Role: Global Administrator. Carla holds Role: Application Administrator across the tenant and Role: User Administrator scoped to AU1]

AZURE AD ROLES

Example: Configuring Account Administrator Permissions

An Azure AD role assignment combines three parts:

1. Security Principal: Staff member, Carla.
2. Role Definition: Requires User Administrator permissions. Built-in role examples:
   • Global Administrator
   • User Administrator
   • Application Administrator
   • License Administrator
3. Scope: Accounts and groups within administrative unit, AU1.

AZURE AD ROLES

Important Considerations

Some key points to remember:

Usage: Azure AD roles are for Azure AD resources, not Azure resources.

Default Permissions: Users in Azure AD are provided a set of default permissions.

Permissions Are Inherited: Permissions apply at the tenant level, but can be specifically scoped also.

Custom Roles: You can build your own roles with your required permissions.

Built-In Roles: Various preconfigured roles exist like Global Administrator, User Administrator, etc.

Custom Roles

LESSON BREAKDOWN
- Azure Custom Roles
- Azure AD Custom Roles
- Demonstration

CUSTOM ROLES

Example: Azure Resource Access Requirements

Junior help desk staff member, Hagrid. Needs permissions to start virtual machines, view all blob data, and manage support tickets.

Required Permissions: Applies to the Production Sub 1 subscription (but not Development Sub 1).

[Diagram: management group MG1 containing Production Sub 1 (RG1, RG2) and Development Sub 1 (RG1). Existing assignments shown: Role: Owner, Role: Contributor, Role: VM Contributor, Role: Storage Account Contributor. Hagrid needs a custom role for junior help desk staff, which also covers Microsoft Support]

CUSTOM ROLES

Azure RBAC Custom Role Properties

Metadata: Details such as the name of the custom role, ID, description, etc.

Permissions: Defines a set of both allowed and denied permissions for the given role. Can be both actions and data actions.

Assignable Scopes: Specifies which management groups, subscriptions, or resource groups the role can be assigned to.

{
    "name": "Junior Helpdesk Admins",
    "description": "Permissions for Junior Helpdesk staff",
    "permissions": [
        {
            "actions": [
                "Microsoft.Compute/*/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Support/*"
            ],
            "dataActions": [
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
            ],
            "notActions": [],
            "notDataActions": []
        }
    ],
    "assignableScopes": [
        "/subscriptions/{subscriptionId}"
    ]
}

CUSTOM ROLES

Azure RBAC Custom Role Properties

Actions and NotActions: Specifies the management operations that the role allows or excludes (e.g., creating a storage account).

DataActions and NotDataActions: Specifies the data operations that the role allows or excludes (e.g., reading blobs within a storage account).

{
    "name": "Junior Helpdesk Admins",
    "description": "Permissions for Junior Helpdesk staff",
    "permissions": [
        {
            "actions": [
                "Microsoft.Compute/*/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Support/*"
            ],
            "dataActions": [
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
            ],
            "notActions": [],
            "notDataActions": []
        }
    ],
    "assignableScopes": [
        "/subscriptions/{subscriptionId}"
    ]
}

BONUS TIP: Creating, deleting, or updating a custom role requires the permission Microsoft.Authorization/roleDefinitions/write (or just /read to view roles).

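The following Python evaluator is an added example, not code from the course or from Microsoft. It loads the Junior Helpdesk Admins definition above, adds illustrative subsets of the Virtual Machine Contributor and Storage Account Contributor roles from the earlier RBAC example (not Microsoft's full definitions), and resolves whether a principal may perform an operation on a resource: wildcard matching for actions, NotActions subtracted from Actions, the management/data category distinction, top-down scope inheritance (including the MG1 management group), and the assignableScopes check when a role is assigned. The subscription ids, resource names and assignments are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholder identifiers (not real subscriptions).
PROD_SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
DEV_SUB = "/subscriptions/00000000-0000-0000-0000-000000000002"
MG1 = "/providers/Microsoft.Management/managementGroups/MG1"
MANAGEMENT_GROUP_PARENTS = {PROD_SUB.lower(): MG1, DEV_SUB.lower(): MG1}   # MG1 holds both subscriptions

# The custom role from the slides, with the placeholder subscription id filled in.
JUNIOR_HELPDESK = json.loads("""{
  "name": "Junior Helpdesk Admins",
  "description": "Permissions for Junior Helpdesk staff",
  "permissions": [{
    "actions": ["Microsoft.Compute/*/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Support/*"],
    "notActions": [],
    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "notDataActions": []
  }],
  "assignableScopes": ["%s"]
}""" % PROD_SUB)

# Illustrative subsets of two built-in roles (assumption: not Microsoft's full definitions).
ROLES = {
    JUNIOR_HELPDESK["name"]: JUNIOR_HELPDESK,
    "Virtual Machine Contributor": {
        "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/*/read"]}],
        "assignableScopes": ["/"]},
    "Storage Account Contributor": {
        "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"]}],
        "assignableScopes": ["/"]},
}


def _matches(pattern, operation):
    # RBAC wildcards match across path segments, like fnmatch's '*'; names are case-insensitive.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role, operation, data_action=False):
    """Effective permission = allowed patterns minus the matching Not* patterns, per category."""
    allow, deny = ("dataActions", "notDataActions") if data_action else ("actions", "notActions")
    for block in role["permissions"]:
        allowed = any(_matches(p, operation) for p in block.get(allow, []))
        denied = any(_matches(p, operation) for p in block.get(deny, []))
        if allowed and not denied:
            return True
    return False


def scope_chain(scope):
    """The scope and every ancestor up to root, lower-cased: permissions inherit top-down."""
    parts = scope.strip("/").split("/")
    chain = ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    for candidate in list(chain):
        parent = MANAGEMENT_GROUP_PARENTS.get(candidate.lower())
        while parent:
            chain.append(parent)
            parent = MANAGEMENT_GROUP_PARENTS.get(parent.lower())
    chain.append("/")
    return [c.lower() for c in chain]


def can_assign(role, scope):
    """A role may only be assigned at or below one of its assignableScopes."""
    chain = scope_chain(scope)
    return any(s.lower() in chain for s in role["assignableScopes"])


def is_authorized(principal, operation, resource_scope, assignments, data_action=False):
    chain = scope_chain(resource_scope)
    return any(a["principal"] == principal and a["scope"].lower() in chain
               and role_allows(ROLES[a["role"]], operation, data_action)
               for a in assignments)


# Constructed assignments matching the slides (Jenny from the RBAC example, Hagrid from this one).
ASSIGNMENTS = [
    {"principal": "jenny", "role": "Virtual Machine Contributor", "scope": PROD_SUB},
    {"principal": "jenny", "role": "Storage Account Contributor", "scope": PROD_SUB + "/resourceGroups/RG2"},
    {"principal": "hagrid", "role": "Junior Helpdesk Admins", "scope": PROD_SUB},
]
PROD_VM = PROD_SUB + "/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/vm1"
DEV_VM = DEV_SUB + "/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/vm1"
RG2_STORAGE = PROD_SUB + "/resourceGroups/RG2/providers/Microsoft.Storage/storageAccounts/sa1"
RG3_STORAGE = PROD_SUB + "/resourceGroups/RG3/providers/Microsoft.Storage/storageAccounts/sa2"

if __name__ == "__main__":
    blob_read = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    print("hagrid start prod VM:", is_authorized("hagrid", "Microsoft.Compute/virtualMachines/start/action", PROD_VM, ASSIGNMENTS))
    print("hagrid start dev VM: ", is_authorized("hagrid", "Microsoft.Compute/virtualMachines/start/action", DEV_VM, ASSIGNMENTS))
    print("hagrid read blobs:   ", is_authorized("hagrid", blob_read, RG2_STORAGE, ASSIGNMENTS, data_action=True))
    print("assign to dev sub:   ", can_assign(JUNIOR_HELPDESK, DEV_SUB))
```

Two checks in the block catch the mistakes practitioners most often make with custom roles: a data action listed under `actions` (or vice versa) never matches, because the categories are evaluated separately, and an assignment outside `assignableScopes` is rejected before any permission is evaluated.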
CUSTOM ROLES

Azure AD Custom Roles

microsoft.directory: Azure AD custom roles are for Azure AD permissions. This is why the role is based on microsoft.directory.

Configuring Custom Roles: The Azure portal, PowerShell (with appropriate module), and Microsoft Graph API can be used for configuration.

BONUS TIP: Configuration requires Azure AD Premium P1 or P2 licensing. Managing custom roles requires Global Administrator or Privileged Role Administrator permissions.

Section Conclusion

SECTION CONCLUSION: CONTROLLING ACCESS

Controlling Access to Azure Resources

Azure Role-Based Access Control:

1. Security Principal: Staff member, Jasmine.
2. Role Definition: Requires Storage Account Contributor permissions. Built-in role examples:
   • Owner
   • Contributor
   • Reader
   • Virtual Machine Contributor
3. Scope: All storage accounts within resource group, RG2.

SECTION CONCLUSION: CONTROLLING ACCESS

Controlling Access to Azure AD Resources

Azure Active Directory Roles:

1. Security Principal: Staff member, Terry.
2. Role Definition: Requires Account Administrator permissions. Built-in role examples:
   • Global Administrator
   • User Administrator
   • Application Administrator
   • License Administrator
3. Scope: Accounts and groups within administrative unit, AU1.

SECTION CONCLUSION: CONTROLLING ACCESS

Custom Roles: Azure RBAC

Metadata: Details such as the name of the custom role, ID, description, etc.

Permissions: Defines a set of both allowed and denied permissions for the given role. Can be both actions and data actions.

Assignable Scopes: Specifies which management groups, subscriptions, or resource groups the role can be assigned to.

{
    "name": "Junior Helpdesk Admins",
    "description": "Permissions for Junior Helpdesk staff",
    "permissions": [
        {
            "actions": [
                "Microsoft.Compute/*/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Support/*"
            ],
            "dataActions": [
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
            ],
            "notActions": [],
            "notDataActions": []
        }
    ],
    "assignableScopes": [
        "/subscriptions/{subscriptionId}"
    ]
}

SECTION CONCLUSION: CONTROLLING ACCESS

Custom Roles: Azure AD

Just like RBAC, but for Azure AD...

microsoft.directory: Azure AD custom roles are for Azure AD permissions. This is why the role is based on microsoft.directory.

Configuring Custom Roles: The Azure portal, PowerShell (with appropriate module), and Microsoft Graph API can be used for configuration.

Section Introduction

SECTION BREAKDOWN: Securing Identities and Access
- Securing Privileges
- Reviewing Access
- Protecting Identities
- Conditional Access

SECTION INTRODUCTION: SECURING IDENTITIES AND ACCESS

Securing Identity and Access

[Diagram: a user's assigned roles over resources, with the questions: Needed now? Are there risks? Additional controls?]

SECTION INTRODUCTION: SECURING IDENTITIES AND ACCESS

The Goal of This Section

Intelligent IAM: Leveraging Azure AD, we will learn of advanced features and services that protect identity and access.

Where this fits in the course:
- Securing Applications: Securing the solutions we build. Note this doesn't always require Azure AD.
- Securing the Platform: Securing the Azure services. Note this doesn't always require Azure AD.
- Identity and Access Management: Securing access to resources and identity itself.
- Azure Active Directory (AD): The identity platform, upon which security heavily relies.

Azure AD Privileged Identity Management

LESSON BREAKDOWN
- Overview
- The Problem
- Protection and Audit
- Getting Started
- Demonstration

Azure AD Privileged Identity Management

Overview: How Does It Help?

Protecting privileges for Azure AD and Azure roles.

Protect: Enforce additional workflow-like tasks for users to be provided with their privileges.

Audit: Provide an audit trail with information on privileged usage and justification.

Review: Simplify and automate the ability to review whether privileges are still required by users.

AZURE AD PRIVILEGED IDENTITY MANAGEMENT

The Problem with Privileges

Tenant: capsec.onmicrosoft.com

Freddy, security engineer: has Global Administrator privileges for the Azure AD tenant.
Lauren, project engineer: has Authentication Administrator privileges for an administrative unit.

Both assignments are standing privileges: they are active at all times, including after hours when nobody is watching. If an attacker compromises either user's credentials, the attacker inherits those privileges immediately, with no approval, no time limit, and no justification recorded.
AZURE AD PRIVILEGED IDENTITY MANAGEMENT

Protect Privileges with PIM

Just-in-time access: privileges are assigned (the user is eligible) but not activated until they are required.

Time-bound access: privileges are deactivated after a set period of time, using start/end dates.

Approval: users who are assigned privileges must request approval before they will be activated.

Multi-factor authentication (MFA): enforce the use of MFA to activate any Azure AD or Azure role.
AZURE AD PRIVILEGED IDENTITY MANAGEMENT

Audit and Review Privileges with PIM

Justification: require a justification to be included in any requested activation of privileges.

Notification: receive notifications when any privileged roles are activated.

Audit history: download and access logs which detail all Privileged Identity Management activities.

Access reviews: periodically review access to ensure users only have the Azure AD or Azure roles they currently require.
AZURE AD PRIVILEGED IDENTITY MANAGEMENT

Getting Started with PIM

Key information about how to deploy and configure PIM:

STEP 1: Privileged Identity Management requires Azure AD Premium P2 or EMS E5 licensing.

STEP 2: PIM is automatically enabled for an organization when a user with a privileged role first accesses it.

STEP 3: Configure role settings for Azure and Azure AD roles (note: Azure resource roles require role discovery before they can be managed in PIM).
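The four protections above are easiest to see as one decision procedure. The model below is an added example written for this page, not Microsoft code, and it does not call the PIM API: the role names, settings, users and timestamps are constructed to mirror the Freddy/Lauren scenario. It shows that an eligible assignment grants nothing on its own, that activation is refused (and audited) when MFA, a justification or approval is missing, and that an activation is capped by the role's maximum duration and expires by itself.

```python
"""Model of how PIM turns a standing privilege into a just-in-time one.

Added example for this page (not Microsoft code, no PIM API calls). Roles,
settings and users are constructed to mirror the slides.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class RoleSettings:
    """Per-role PIM settings (constructed values, not tenant defaults)."""
    max_activation: timedelta = timedelta(hours=8)
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False


@dataclass
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str

    def is_active(self, now: datetime) -> bool:
        return self.start <= now < self.end


@dataclass
class PimTenant:
    settings: dict                                   # role name -> RoleSettings
    eligible: set = field(default_factory=set)       # (user, role) pairs
    activations: list = field(default_factory=list)
    audit: list = field(default_factory=list)        # (time, user, role, outcome, detail)

    def make_eligible(self, user: str, role: str) -> None:
        self.eligible.add((user, role))

    def request_activation(self, user, role, now, hours, justification="",
                           mfa_passed=False, approved=False) -> Activation:
        """Apply the role's settings; raise PermissionError with the reason on failure."""
        s = self.settings[role]
        checks = [
            ((user, role) not in self.eligible, "no eligible assignment"),
            (s.require_mfa and not mfa_passed, "MFA required to activate"),
            (s.require_justification and not justification.strip(), "justification required"),
            (s.require_approval and not approved, "activation pending approval"),
        ]
        for failed, reason in checks:
            if failed:
                self.audit.append((now, user, role, "denied", reason))
                raise PermissionError(reason)
        duration = min(timedelta(hours=hours), s.max_activation)   # time-bound, capped by policy
        act = Activation(user, role, now, now + duration, justification)
        self.activations.append(act)
        self.audit.append((now, user, role, "activated", justification))
        return act

    def has_privilege(self, user, role, now) -> bool:
        """Just-in-time: only a currently active activation counts, never eligibility."""
        return any(a.user == user and a.role == role and a.is_active(now)
                   for a in self.activations)


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    tenant = PimTenant(settings={
        "Global Administrator": RoleSettings(require_approval=True, max_activation=timedelta(hours=2)),
        "Authentication Administrator": RoleSettings(),
    })
    tenant.make_eligible("freddy", "Global Administrator")
    tenant.make_eligible("lauren", "Authentication Administrator")
    out = {"standing": tenant.has_privilege("freddy", "Global Administrator", t0)}
    try:   # MFA and justification present, but this role also requires approval
        tenant.request_activation("freddy", "Global Administrator", t0, 8, "change CHG-1", mfa_passed=True)
    except PermissionError as e:
        out["no_approval"] = str(e)
    act = tenant.request_activation("freddy", "Global Administrator", t0, 8, "change CHG-1",
                                    mfa_passed=True, approved=True)
    out["capped_hours"] = (act.end - act.start) / timedelta(hours=1)   # asked for 8, policy allows 2
    out["active_now"] = tenant.has_privilege("freddy", "Global Administrator", t0 + timedelta(hours=1))
    out["expired"] = tenant.has_privilege("freddy", "Global Administrator", t0 + timedelta(hours=3))
    try:   # no justification: denied and recorded, even though MFA passed
        tenant.request_activation("lauren", "Authentication Administrator", t0, 1, "", mfa_passed=True)
    except PermissionError as e:
        out["lauren"] = str(e)
    out["audit_events"] = len(tenant.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit list is the point of the "Audit" column: every refused or granted activation is recorded with its reason, which is what an access review or an incident responder later reads.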
Access Reviews

LESSON BREAKDOWN

Overview
Implementation Timeline
Important Features
Review Types
Demonstration
Access Reviews

Overview
How does it help? Removing privileges where they are no longer required.

Review
Manage and conduct access reviews for groups, apps, and roles, for staff and guests.

Schedule
Schedule reviews to be performed on a regular basis as part of good identity governance.

Automate
Automate changes (deny/approve) to access based on the outcome of a review.
ACCESS REVIEWS

What It Looks Like

Implementation Timeline
What does an Access Reviews implementation look like in the real world?

January 15: Create the Review
Specify the review type and timing (e.g., configure a monthly group review).

February 1: Start the Review
The review begins, and all configured reviewers can perform the assessment.

February 15: End the Review
Access is updated based on the results of the review (this can be automated).

March 1: Start Review #2
The monthly review automatically starts again. All reviewers are notified.

March 15: End Review #2
Access is updated based on the latest assessment.
ACCESS REVIEWS

Important Components

Getting Started
• Access Reviews require Azure AD Premium P2 licensing for reviewers.
• Azure resources must be discovered before Azure resource roles can be reviewed.

Azure Portal (create and manage reviews)
• Configure Access Reviews.
• Review/apply Access Reviews results.

Access Panel (owner and self-review)
• Separate interface for reviewers.
• Allows responses (e.g., justification for access) to be provided.
ACCESS REVIEWS

Review Types

Overview of Review Types

GROUP MEMBERSHIP
• Reviewer type: specified reviewers, group owners, self-review
• Review creation: Azure AD Access Reviews, Azure AD groups
• Reviewer experience: Access panel

APP ASSIGNMENT
• Reviewer type: specified reviewers, self-review
• Review creation: Azure AD Access Reviews, Azure AD enterprise apps
• Reviewer experience: Access panel

AZURE AD ROLE
• Reviewer type: specified reviewers, self-review
• Review creation: Azure AD PIM
• Reviewer experience: Access panel

AZURE RESOURCE ROLE
• Reviewer type: specified reviewers, self-review
• Review creation: Azure AD PIM
• Reviewer experience: Access panel
Azure AD Identity Protection

LESSON BREAKDOWN

Purpose
Configuration Overview
Sign-In Risk Policy
User Risk Policy
Demonstration
AZURE AD IDENTITY PROTECTION

The Importance of Identity Security

Theft: 81% of breaches are caused by credential theft [1]
Duplicates: 73% of passwords used are duplicates [2]
Unapproved: 50% of employees use apps that aren't approved by the enterprise [3]

[1] 2018 Verizon Data Breach report, aka.ms/dbir2018
[2] 2016 Telesign Consumer account security report, aka.ms/tcasr2016
[3] 2019 Igloo State of the Digital Workplace report, aka.ms/isdwr2019
AZURE AD IDENTITY PROTECTION

The Importance of Identity Security

"The science behind Azure Active Directory Identity Protection" -- Microsoft Ignite

9M high-risk enterprise sign-in attempts flagged in August 2020.
2M compromised accounts detected in August 2020.
5.8B attacker-driven sign-ins detected in August 2020.

[Figure: Relative impact of COVID-19 themed attacks across the world by file count (as of April 7, 2020)]
Azure AD Identity Protection

Overview
How does it help? Protecting the identities themselves from being compromised.

Detection
Automate the detection and remediation of identity-based risks.

Risk Analysis
Easy access to risk-related data and reports within the Azure portal.

Integrate
Export data and integrate with security monitoring tools.
AZURE AD IDENTITY PROTECTION

Configuration Overview

Azure AD Tenant (capsec.onmicrosoft.com)
Requires Azure AD Premium P2 licensing.

Risk Events
Risks that Identity Protection monitors for, both proactively and reactively. This includes:
• Users with leaked credentials
• Sign-ins from anonymous IP addresses
• Impossible travel to atypical locations
• Sign-ins from infected devices
• Sign-ins from IP addresses with suspicious activity
• Sign-ins from unfamiliar locations

Risk Policies
Risk policies define what action to take if risk has been found to be associated with an identity (user risk) or with an individual sign-in (sign-in risk).
AZURE AD IDENTITY PROTECTION

Sign-In Risk Policy

Real-Time Detection
Takes effect in real time. These policies can be used to block a sign-in as it occurs.

Assignment
When the policy will trigger. This includes defining the applicable users/groups and the risk level condition (e.g., HIGH risk).

Control
What to do when the policy triggers. The action can be to block or allow the sign-in, or to allow access but require MFA.
AZURE AD IDENTITY PROTECTION

User Risk Policy

Offline Detection
Takes effect offline. These policies identify user accounts that are found to be at risk, rather than individual sign-ins.

Assignment
When the policy will trigger. This includes defining the applicable users/groups and the risk level condition (e.g., HIGH risk).

Control
What to do when the policy triggers. The action can be to block future access, allow access, or force a password change.
AZURE AD IDENTITY PROTECTION

Important Considerations

MFA Registration
Policies that require MFA will block access if the user is not registered for MFA. The MFA registration policy can assist with MFA rollouts by requiring users to register.

Conditional Access
Azure AD Conditional Access supports more granular/flexible policies that can also leverage Identity Protection risk data as a condition.

Integration and Reporting
Integration with SIEM solutions (such as Azure Sentinel) and other products such as Cloud App Security can help improve reporting.
Conditional Access

LESSON BREAKDOWN

Overview
Configuration
Demonstration
Azure AD Conditional Access

Overview
How does it help? Security controls and restrictions that are tailored to different scenarios.

Flexible Security Controls
Security isn't one size fits all. Conditional Access allows us to configure different rules for different scenarios.

Leverages Various Signals
There are a variety of signals that can be checked, including a user's location, risk level, and much more.

Can Enforce Different Controls
With Conditional Access, we can require users to meet special conditions before granting access.
AZURE AD CONDITIONAL ACCESS

Conditional Access Policies

Azure AD Tenant (capsec.onmicrosoft.com)
Requires Azure AD Premium P1 licensing.

Access Policy: Assignment
The users/groups that the policy applies to, as well as the cloud app or action being accessed. It is also possible to include the conditions under which access is being requested (in the diagram: all users, accessing Office, from Windows, at low sign-in risk).

Access Policy: Access Controls
Will access be blocked? Or will it be allowed only if additional controls are used?
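The sign-in risk policy, user risk policy and Conditional Access slides describe the same mechanism from three angles: assignments decide whether a policy applies, controls decide what it demands, and the demands of every applicable policy are combined. The following is an added example for this page, not Microsoft code: the policy objects, group names, apps and sign-ins are constructed. It reproduces the combination rules the slides rely on (exclusions are honoured before inclusions, every matching policy is enforced, a block in any policy wins) and the caveat from the Identity Protection considerations slide that an MFA requirement blocks a user who has never registered an MFA method.

```python
"""Evaluate a sign-in against Conditional Access and Identity Protection risk policies.

Added example for this page; the policies and sign-ins are constructed and the
evaluation is a model of the documented behaviour, not Azure AD code.
"""
from dataclasses import dataclass, field

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    platform: str
    trusted_location: bool
    sign_in_risk: str = "none"
    user_risk: str = "none"
    mfa_registered: bool = True


@dataclass
class CAPolicy:
    name: str
    include_users: set                         # user names, group names, or "All"
    exclude_users: set = field(default_factory=set)
    apps: set = field(default_factory=lambda: {"All"})
    platforms: set = None                      # None = any platform
    locations: str = "any"                     # "any", "trusted", "untrusted"
    min_sign_in_risk: str = None               # applies at this risk level or above
    grant: set = field(default_factory=set)    # {"block"} or controls such as {"mfa"}

    def applies(self, s: SignIn) -> bool:
        subjects = {s.user} | s.groups
        if subjects & self.exclude_users:        # exclusions are evaluated first
            return False
        if "All" not in self.include_users and not (subjects & self.include_users):
            return False
        if "All" not in self.apps and s.app not in self.apps:
            return False
        if self.platforms is not None and s.platform not in self.platforms:
            return False
        if self.locations == "trusted" and not s.trusted_location:
            return False
        if self.locations == "untrusted" and s.trusted_location:
            return False
        if self.min_sign_in_risk and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[self.min_sign_in_risk]:
            return False
        return True


@dataclass
class RiskPolicy:
    kind: str        # "sign_in" (real-time) or "user" (offline)
    threshold: str   # low / medium / high
    control: str     # "block", "mfa" (sign-in risk) or "password_change" (user risk)

    def required_control(self, s: SignIn):
        level = s.sign_in_risk if self.kind == "sign_in" else s.user_risk
        return self.control if RISK_ORDER[level] >= RISK_ORDER[self.threshold] else None


def evaluate(s: SignIn, ca_policies, risk_policies):
    """Return (decision, controls, matched_policy_names); decision is 'allow' or 'block'."""
    controls, matched = set(), []
    for p in ca_policies:
        if p.applies(s):
            matched.append(p.name)
            controls |= p.grant
    for rp in risk_policies:
        c = rp.required_control(s)
        if c:
            matched.append(f"{rp.kind}-risk>={rp.threshold}")
            controls.add(c)
    if "block" in controls:                      # a block from any policy wins
        return "block", controls, matched
    if "mfa" in controls and not s.mfa_registered:
        # Slide caveat: requiring MFA blocks a user who has never registered for it.
        return "block", controls | {"mfa_not_registered"}, matched
    return "allow", controls, matched


# Constructed policies mirroring the slides' examples.
CA_POLICIES = [
    CAPolicy("Require MFA for Office from untrusted locations", include_users={"All"},
             exclude_users={"break-glass"}, apps={"Office 365"}, locations="untrusted", grant={"mfa"}),
    CAPolicy("Block legacy platforms for admins", include_users={"admins"},
             platforms={"Windows 7"}, grant={"block"}),
    CAPolicy("Compliant device for Azure portal", include_users={"All"},
             apps={"Azure portal"}, grant={"compliant_device"}),
]
RISK_POLICIES = [
    RiskPolicy("sign_in", "medium", "mfa"),
    RiskPolicy("sign_in", "high", "block"),
    RiskPolicy("user", "high", "password_change"),
]


def demo() -> dict:
    cases = {
        "office_home": SignIn("lauren", {"engineers"}, "Office 365", "Windows", trusted_location=False),
        "risky_portal": SignIn("freddy", {"admins"}, "Azure portal", "Windows", trusted_location=True,
                               sign_in_risk="high", user_risk="high"),
        "no_mfa_user": SignIn("hagrid", set(), "Office 365", "iOS", trusted_location=False,
                              mfa_registered=False),
        "breakglass": SignIn("break-glass", set(), "Office 365", "Windows", trusted_location=False),
    }
    return {name: evaluate(s, CA_POLICIES, RISK_POLICIES) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (decision, controls, matched) in demo().items():
        print(f"{name}: {decision} controls={sorted(controls)} via {matched}")
```

The break-glass case is worth noting: it is allowed with no controls only because it is excluded from the MFA policy, which is exactly why such exclusions need to be monitored and kept minimal.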


Azure AD Passwordless Authentication

LESSON BREAKDOWN

Overview
Authentication Flow
Passwordless Methods
Demonstration
AZURE AD PASSWORDLESS AUTHENTICATION

Protecting the Credentials

We've spoken about protecting identities and privileges. Let's look at how we can also protect credentials.

[Diagram: a developer's user account (username jsmith, password ********) is used to sign in to Azure AD and access an Azure subscription; the password itself is the credential at risk.]

Passwordless replaces the password with one of three methods registered to the user account:
• Microsoft Authenticator App (sign in with the app)
• Windows Hello for Business
• FIDO2 Security Keys

These are enabled and scoped in the Azure AD admin center under Authentication Methods > Policies.
AZURE AD PASSWORDLESS AUTHENTICATION

Authentication Flow: Authenticator App

What it looks like
Let's consider how this works with one method, the Authenticator App.

1. The user logs in to an app.
2. The user enters their username (in the slide: hagrid@capsecco.onmicrosoft.com, Catch-a-Phish Security Company).
3. The passwordless authentication flow begins: the registered Authenticator app receives an "Approve sign-in?" prompt.
4. The user provides the additional information: the number shown on the sign-in screen is selected from the choices in the app (12, 2, 77 in the slide), then ALLOW or DENY.
5. The user is authenticated with Azure AD.
AZURE AD PASSWORDLESS AUTHENTICATION

Passwordless Methods

APP: Microsoft Authenticator App
• Overview: Microsoft Authenticator app on iOS or Android (v6.0+).
• Experience: PIN or biometric recognition from a registered device.
• Scenarios: passwordless anywhere for apps on the web.

HELLO: Windows Hello for Business
• Overview: platform-driven sign-in for Windows 10 (v1809+).
• Experience: PIN or biometric recognition on the registered computer.
• Scenarios: passwordless experience for Windows sign-on and apps.

FIDO2: FIDO2 Security Keys
• Overview: hardware-driven sign-in from Windows 10 (v1903+).
• Experience: registered FIDO2 devices (PIN, biometrics, NFC).
• Scenarios: passwordless experience suited for unregistered PCs.
Section Conclusion

SECTION CONCLUSION: SECURING IDENTITIES AND ACCESS

Why We Need More
Assigned roles alone do not answer the questions this section set out: Is the privilege needed now? Are there risks associated with the identity? Are additional controls required?

Azure AD Privileged Identity Management
Protecting privileges for Azure AD and Azure roles. Protect: just-in-time access, time-bound access, approval, MFA. Audit: justification, notification, audit history. Review: access reviews of whether privileges are still required.

Access Reviews
Manage and conduct access reviews for groups, apps, and roles (staff and guests); schedule them on a regular basis; automate the resulting approve/deny changes. Group membership and app assignment reviews are created in Azure AD Access Reviews; Azure AD role and Azure resource role reviews are created in Azure AD PIM. Reviewers use the Access panel in all cases.

Azure AD Identity Protection
Requires Azure AD Premium P2. Detects risk events (leaked credentials, anonymous IP addresses, impossible travel, infected devices, IP addresses with suspicious activity, unfamiliar locations), exposes risk data and reports in the portal, and exports to monitoring tools. User risk and sign-in risk policies define what action to take when risk has been found.

Azure AD Conditional Access
Requires Azure AD Premium P1. Assignment: the users/groups the policy applies to, the cloud app or action being accessed, and the conditions under which access is requested (e.g., platform, location, risk level). Access controls: block, or grant only with additional controls.

Passwordless Authentication
Microsoft Authenticator app (iOS/Android v6.0+), Windows Hello for Business (Windows 10 v1809+), and FIDO2 security keys (Windows 10 v1903+): PIN or biometric on a registered device, with FIDO2 keys suited to unregistered PCs.
Section Introduction

SECTION BREAKDOWN: Securing Virtual Networks

Routing
Traffic Filtering
Policy Management
DDoS Protection

SECTION INTRODUCTION: SECURING VIRTUAL NETWORKS

The Goal of This Section

Defense in Depth
In this section, we focus on adding another layer of security to our solutions by securing the network.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., Networking, Compute, Data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform, upon which security heavily relies.
Virtual Network Routing

LESSON BREAKDOWN

Overview
Configuration
Demonstration

VIRTUAL NETWORK ROUTING

Routing and Network Security
VIRTUAL NETWORK ROUTING

Default Behavior

Default system routes (shown for vnet1 with subnet1 and subnet2) allow:

Internet Connectivity
Using the 0.0.0.0/0 prefix, there is a default route to the internet.

Virtual Network Connectivity
Traffic is automatically routed between subnets using all of the virtual network's address ranges.

Service-Specific Connectivity
Configuring some services results in additional route configuration (e.g., VNet peering or ExpressRoute).
VIRTUAL NETWORK ROUTING

Custom Routes

Custom routes allow changes to the default routing behavior. For example:

Blocking Internet Access
Using the None next hop type, we can drop traffic and so block internet access from a subnet.

Forcing Traffic via Another Address
Using various next hop types, we can force traffic elsewhere (e.g., via Azure Firewall as a virtual appliance, or via an on-premises router using forced tunneling).
VIRTUAL NETWORK ROUTING

Important Considerations

Special scenarios and configuration:

Automatic System Routes
System routes can be automatically generated (e.g., by VNet peering or service endpoints).

System Routes and BGP
It is possible to use Border Gateway Protocol (BGP) to help manage dynamic routing (e.g., with ExpressRoute or VPN connections to on-premises).

Route Priority
Azure first selects the route with the longest prefix that matches the destination. Only when multiple routes contain the same address prefix does the following priority apply:

Custom > BGP > System.
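The route-selection rule above is short to state but easy to get wrong in practice (a 0.0.0.0/0 custom route to a firewall does not capture peered-VNet traffic, because the peering's system route has a longer prefix). The following is an added example for this page, not Azure code: it implements longest-prefix-match followed by the Custom > BGP > System tie-break over a constructed route table for vnet1, including a forced-tunnel default route to an Azure Firewall private IP and a None route that black-holes one range.

```python
"""Pick the effective route for a destination the way an Azure subnet route table does.

Added example for this page (not Azure code). Routes and addresses are
constructed: vnet1 is 10.1.0.0/16, a peered VNet is 10.2.0.0/16, on-premises
192.168.0.0/16 is learned over BGP, and the custom routes force-tunnel the
internet via a firewall at 10.1.255.4 and drop 192.168.50.0/24.
"""
import ipaddress
from dataclasses import dataclass

SOURCE_PRIORITY = {"custom": 0, "bgp": 1, "system": 2}   # tie-break among equal prefixes


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # VirtualNetwork, Internet, VirtualAppliance, VirtualNetworkGateway, None
    next_hop_ip: str = ""       # only meaningful for VirtualAppliance
    source: str = "system"      # system, bgp, custom

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def effective_route(routes, destination):
    """Longest matching prefix wins; among equal prefixes, custom > BGP > system."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, SOURCE_PRIORITY[r.source]))


def describe(route):
    if route is None or route.next_hop_type == "None":
        return "dropped"
    if route.next_hop_type == "VirtualAppliance":
        return f"forwarded to {route.next_hop_ip}"
    return route.next_hop_type


SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork"),          # vnet1 address space
    Route("0.0.0.0/0", "Internet"),                  # default internet route
    Route("10.2.0.0/16", "VirtualNetwork"),          # added automatically by VNet peering
]
BGP_ROUTES = [Route("192.168.0.0/16", "VirtualNetworkGateway", source="bgp")]
CUSTOM_ROUTES = [
    Route("0.0.0.0/0", "VirtualAppliance", "10.1.255.4", "custom"),   # forced tunnel via Azure Firewall
    Route("192.168.50.0/24", "None", source="custom"),                # black-hole one on-prem range
]
ROUTE_TABLE = SYSTEM_ROUTES + BGP_ROUTES + CUSTOM_ROUTES


def demo() -> dict:
    destinations = ["10.1.0.7", "10.2.4.4", "8.8.8.8", "192.168.1.10", "192.168.50.9"]
    return {dst: describe(effective_route(ROUTE_TABLE, dst)) for dst in destinations}


if __name__ == "__main__":
    for dst, outcome in demo().items():
        print(f"{dst:>14} -> {outcome}")
```

Note the two 0.0.0.0/0 entries: the custom one wins the tie-break, so internet-bound traffic goes to the firewall, but traffic to the peered VNet never reaches either of them because the /16 peering route is more specific.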


Network Security Groups

LESSON BREAKDOWN

Overview
Configuration
Demonstration
NETWORK SECURITY GROUPS

Overview

Network Security Group (NSG): filters traffic to and from virtual networks.

Filter Traffic
Create rules to define what is and is not allowed.

Multi-Layered
Enforce traffic filtering at the subnet and NIC layers.

Prioritized Rules
Leverage priorities to define complex security rules.
NETWORK SECURITY GROUPS

Network Security Group Rules

Filter Traffic
What traffic will we allow or deny? This includes source, source port, destination, destination port, and protocol.

Default Rules
Every NSG includes several default rules, such as DenyAllInbound (priority 65500). These cannot be deleted, but they can be overridden by a custom rule with a higher priority (a lower number).

Priority
To support different scenarios, we must define priorities for rules. The lower the number, the higher the priority.
NETWORK SECURITY GROUPS

Network Security Group Assignment

Assign to a NIC
An NSG has no effect unless it is assigned. NSGs can be associated directly with a NIC on a virtual machine.

Assign to a Subnet
NSGs can also be associated with a subnet, meaning the rules apply to all resources within the subnet.

Precedence and Processing
"Follow the traffic" to see which rules will take effect: for inbound traffic, the subnet NSG is evaluated first and then the NIC NSG, so both must allow the flow. Within an NSG, once a rule is matched, no further rules are processed.

[Diagram: internet traffic to VM1 and VM2 in subnet1 of vnet1, allowed by the subnet NSG but blocked at the NIC NSG of one VM.]
NETWORK SECURITY GROUPS

Important Considerations

1. Differences with Public IPs
Without an NSG, all traffic is allowed by default if your resource has a Basic SKU public IP address. This is not the case for Standard SKU public IPs, which are secure by default: inbound traffic is blocked until an NSG explicitly allows it.

2. Rules Are Stateful
NSGs are stateful, which means that reply traffic is allowed automatically if the originating traffic has been allowed.

3. Best Practice
It is considered best practice to block all traffic except that which is required. This is commonly referred to as "default deny."
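The three NSG slides above (rules and priorities, assignment to subnet and NIC, first-match processing) can be exercised on paper, but an evaluator makes the "follow the traffic" advice concrete. The following is an added example for this page, not Azure code: the NSGs, address space and flows are constructed. Service tags are reduced to VirtualNetwork (the vnet1 address space) and Internet (any non-private address), the three default inbound rules are included so that a custom rule can be seen overriding DenyAllInBound, and inbound traffic is checked against the subnet NSG before the NIC NSG.

```python
"""'Follow the traffic' through network security groups.

Added example for this page, not Azure code. It models what the slides
describe: rules are tried in ascending priority number, the first match ends
processing, the default rules (65000-65500) sit beneath every custom rule, and
inbound traffic must pass the subnet NSG and then the NIC NSG.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.1.0.0/16")   # constructed vnet1 address space


@dataclass
class Rule:
    priority: int
    name: str
    direction: str   # Inbound / Outbound
    access: str      # Allow / Deny
    protocol: str    # Tcp / Udp / *
    source: str      # CIDR, IP, 'VirtualNetwork', 'Internet', '*'
    dest: str
    dest_port: str   # '*', '3389', '80-443'


@dataclass
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _ip_matches(spec, ip):
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return not addr.is_private
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_nsg(rules, flow):
    """Return (access, rule_name) for the first matching rule, lowest priority number first."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == flow.direction
                and r.protocol in ("*", flow.protocol)
                and _ip_matches(r.source, flow.src_ip)
                and _ip_matches(r.dest, flow.dst_ip)
                and _port_matches(r.dest_port, flow.dst_port)):
            return r.access, r.name
    return "Deny", "no-match"   # not reachable while the default rules are present


DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "Allow", "*", "168.63.129.16", "*", "*"),
    Rule(65500, "DenyAllInBound", "Inbound", "Deny", "*", "*", "*", "*"),
]


def evaluate_path(subnet_nsg, nic_nsg, flow):
    """Inbound: subnet NSG then NIC NSG; outbound: the reverse. A None NSG means none is associated."""
    layers = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if flow.direction == "Outbound":
        layers.reverse()
    trace = []
    for layer, rules in layers:
        if rules is None:
            continue
        access, name = evaluate_nsg(rules, flow)
        trace.append(f"{layer}:{name}")
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed NSGs: the subnet NSG opens HTTPS to the internet and RDP only from a
# jump-host range; VM2's NIC NSG adds a Deny for RDP that outranks its own later Allow.
SUBNET_NSG = DEFAULT_INBOUND + [
    Rule(100, "AllowHttpsFromInternet", "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule(110, "AllowRdpFromJumpHosts", "Inbound", "Allow", "Tcp", "10.1.200.0/24", "*", "3389"),
]
VM2_NIC_NSG = DEFAULT_INBOUND + [
    Rule(100, "DenyRdp", "Inbound", "Deny", "Tcp", "*", "*", "3389"),
    Rule(200, "AllowRdp", "Inbound", "Allow", "Tcp", "*", "*", "3389"),   # never reached
]
NIC_NSGS = {"10.1.1.4": None, "10.1.1.5": VM2_NIC_NSG}   # VM1 has no NIC NSG, VM2 does


def demo() -> dict:
    flows = {
        "https_from_internet": Flow("Inbound", "Tcp", "1.2.3.4", "10.1.1.4", 443),
        "rdp_from_internet": Flow("Inbound", "Tcp", "1.2.3.4", "10.1.1.4", 3389),
        "rdp_from_jumphost_to_vm1": Flow("Inbound", "Tcp", "10.1.200.5", "10.1.1.4", 3389),
        "rdp_from_jumphost_to_vm2": Flow("Inbound", "Tcp", "10.1.200.5", "10.1.1.5", 3389),
    }
    return {k: evaluate_path(SUBNET_NSG, NIC_NSGS[f.dst_ip], f) for k, f in flows.items()}


if __name__ == "__main__":
    for k, (access, trace) in demo().items():
        print(f"{k}: {access} via {' -> '.join(trace)}")
```

The last case is the one that surprises people: the subnet NSG allows the RDP session, yet it is still dropped, because the NIC NSG on VM2 is evaluated afterwards and its priority-100 Deny is matched before its priority-200 Allow.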
Augmented Security Rules

LESSON BREAKDOWN

Service Tags
Application Security Groups
Demonstration
AUGMENTED SECURITY RULES

Service Tags

Represent Microsoft Services
Service tags are a collection of IP address prefixes that correspond to a specific Azure service.

Microsoft Managed
Microsoft manages the IP addresses associated with service tags, as Azure service addresses can change regularly.

Easy to Leverage
Service tags can be used within both network security groups and Azure Firewall.
AUGMENTED SECURITY RULES

Application Security Group

Represent Customer Solutions
Application security groups (ASGs) are logical containers for the network interfaces used in your solution (in the diagram: webservers-asg and dbservers-asg, spanning Subnet 1 and Subnet 2 of one VNet).

Simplified Network Security Groups
An ASG can be used within network security group (NSG) rules to simplify the management of security rules for a solution.

Virtual Network (VNet) Limitation
All network interface cards in an ASG must exist in the same VNet. This is also true when an ASG is used in a rule for both source and destination: both ASGs must be in the same VNet.
Azure Firewall

LESSON BREAKDOWN

Overview
Key Features
Deployment
Configuration
Demonstration
AZURE FIREWALL

Overview

Azure Firewall: filtering traffic to and from virtual networks.

Traditional Firewall
Firewall capabilities more akin to an on-premises firewall.

Additional Features
Includes additional capabilities compared to NSGs.

Fully Managed
Fully managed, including high availability and scale.
AZURE FIREWALL

Key Features

Firewall as a Service
Stateful firewall, fully managed with high availability and unrestricted cloud scalability.

DNAT and SNAT
Configure inbound DNAT and outbound SNAT network address translation (NAT) rules.

Supports FQDN
Support for FQDN filtering (outbound HTTP/S), and FQDN tags for simplified management.

Threat Intelligence
Additional functionality to identify malicious IP addresses and domains.

Network Filtering
Standard firewall rules, supporting source, protocols, destination, etc.

Monitoring
Integration with Azure Monitor logging (archive, streaming, and Log Analytics).
AZURE FIREWALL

Deployment Overview

1. Configure a Virtual Network
This can be an existing virtual network (VNet), but is often a centralized hub VNet connected to your other (spoke) VNets and to on-premises.

2. Configure a Subnet
Azure Firewall must be deployed to a dedicated subnet called AzureFirewallSubnet (at least a /26). NSGs are not supported on this subnet.

3. Configure Routing
In order to have VNet resources leverage Azure Firewall, a custom route (e.g., on subnet1 of vnet1 and on spoke1-vnet and spoke2-vnet) must direct traffic to the firewall's private IP address.
AZURE FIREWALL

Configuration Overview

Network Rules
Similar to network security group rules (source, destination, destination port, protocol), applied to traffic passing through the firewall. Network rules are processed before application rules.
Example from the diagram: source *, destination 0.0.0.0/0, destination port 3389, protocol TCP, UDP.

Application Rules
Application rules allow outbound security to be defined with the use of a fully qualified domain name (FQDN).
Example from the diagram: source *, target FQDN www.microsoft.com, protocol http, https (ports 80, 443).

NAT Rules
With a NAT rule, we can configure inbound (DNAT) rules. Outbound SNAT is performed automatically using the firewall's public IP addresses.
Example from the diagram: internet RDP to destination 123.4.5.6 (the firewall's public IP) on port 3389, protocol TCP, translated to VM1 in subnet1 of vnet1 on port 3389.
Azure Firewall Manager

LESSON BREAKDOWN

Overview
Policy Management
Deployment Architectures
Demonstration
AZURE FIREWALL MANAGER

Overview

Azure Firewall Manager: centralized management interface for Azure Firewall features and resources.

Centralized Policies
Centrally manage the configuration of Azure firewalls.

Secure Virtual Networks
Manage Azure Firewall for virtual networks.

Secure Virtual Hubs
Manage Azure Firewall for Azure Virtual WAN.
AZURE FIREWALL MANAGER

Centralized Policy Management

[Diagram: a Global Security Team owns a Global Policy; regional AU Policy and US Policy inherit from it and are applied to the firewalls in Australia East Core Networking, Australia East Project 1 Networking, and West US Core Networking.]
AZURE FIREWALL MANAGER

Policy Configuration Overview

Policy
A dedicated Azure resource which houses network, application, NAT, and other Azure Firewall rules and settings. Rules are organised into rule collection groups (e.g., BaseRuleCollectionGroup1) that contain rule collections (e.g., NetworkRuleCollection1).

Parent Policy
A policy can be assigned a parent policy. Child policies inherit the parent's network, application, and threat intelligence rules and settings. In the diagram, the child policy's effective rules are:
  BaseRuleCollectionGroup1 (inherited from the parent policy)
    NetworkRuleCollection1 (inherited from the parent policy)
  ChildRuleCollectionGroup1
    ChildNetRuleCollection1
    ChildDNATRuleCollection1
    ChildAppRuleCollection1

Precedence
Parent network, application, and threat intelligence rules and settings take priority over the child's, regardless of the priority numbers the child uses. Across rule types, DNAT rules are processed first, and network rules are always processed before application rules.
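The Azure Firewall configuration slide and the policy precedence above together define a fixed processing order that is worth seeing in code. The following is an added example for this page, not Azure Firewall code: the parent and child policies, rule collections, addresses and FQDNs are constructed. It orders rule collections by type (DNAT, then network, then application), puts the parent policy's collections ahead of the child's within each type regardless of the child's priority numbers, and applies FQDN matching only to HTTP/HTTPS traffic that no network rule has already decided. Threat intelligence filtering, which runs ahead of all rule collections, is left out of the model.

```python
"""Order in which Azure Firewall rule collections are applied, with parent/child policies.

Added example for this page; a model, not Azure Firewall code. Rules below are
constructed: a parent policy denies all traffic to a restricted range, a child
policy allows DNS, HTTPS to Microsoft FQDNs and an RDP DNAT to VM1.
"""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

TYPE_ORDER = {"Dnat": 0, "Network": 1, "Application": 2}


@dataclass
class Rule:
    name: str
    sources: list            # CIDRs or '*'
    dests: list              # CIDRs/IPs for Network and Dnat rules, FQDN patterns for Application rules
    ports: list              # ints or '*'; for Application rules: 'http' / 'https'
    protocols: list = field(default_factory=lambda: ["TCP"])
    translated: str = ""     # Dnat only: 'ip:port'


@dataclass
class RuleCollection:
    name: str
    kind: str                # Dnat / Network / Application
    priority: int
    action: str              # Allow / Deny (Dnat implies Allow)
    rules: list
    group_priority: int      # priority of the rule collection group
    policy: str              # 'parent' or 'child'


@dataclass
class Packet:
    src: str
    dst: str
    port: int
    protocol: str = "TCP"
    fqdn: str = ""           # host name for HTTP/HTTPS traffic


def _cidr_match(specs, ip):
    return any(s == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(s, strict=False)
               for s in specs)


def _rule_matches(rc, rule, pkt):
    if not _cidr_match(rule.sources, pkt.src):
        return False
    if rc.kind == "Application":
        app_proto = {80: "http", 443: "https"}.get(pkt.port)
        return bool(pkt.fqdn) and app_proto in rule.ports and any(
            fnmatchcase(pkt.fqdn, pat) for pat in rule.dests)
    return (_cidr_match(rule.dests, pkt.dst)
            and ("*" in rule.ports or pkt.port in rule.ports)
            and pkt.protocol in rule.protocols)


def decide(collections, pkt):
    """Return (action, collection, rule) for the first match in Azure Firewall processing order."""
    ordered = sorted(collections, key=lambda c: (TYPE_ORDER[c.kind], c.policy != "parent",
                                                  c.group_priority, c.priority))
    for rc in ordered:
        for rule in rc.rules:
            if _rule_matches(rc, rule, pkt):
                action = "Dnat->" + rule.translated if rc.kind == "Dnat" else rc.action
                return action, rc.name, rule.name
    return "Deny", "implicit", "default-deny"   # nothing matched: the firewall denies


POLICY = [
    # Parent policy (global security team): nothing may reach the restricted range.
    RuleCollection("Global-Deny", "Network", 100, "Deny",
                   [Rule("deny-restricted", ["*"], ["10.99.0.0/16"], ["*"], ["TCP", "UDP"])],
                   group_priority=100, policy="parent"),
    # Child policy (project team): a lower priority number does not beat the parent.
    RuleCollection("Child-Allow-Restricted", "Network", 50, "Allow",
                   [Rule("allow-restricted", ["10.1.0.0/16"], ["10.99.0.0/16"], ["*"], ["TCP"])],
                   group_priority=100, policy="child"),
    RuleCollection("Allow-DNS", "Network", 200, "Allow",
                   [Rule("dns", ["10.1.0.0/16"], ["*"], [53], ["UDP"])],
                   group_priority=200, policy="child"),
    RuleCollection("Allow-Microsoft", "Application", 300, "Allow",
                   [Rule("ms-web", ["10.1.0.0/16"], ["www.microsoft.com", "*.microsoft.com"],
                         ["http", "https"])],
                   group_priority=200, policy="child"),
    RuleCollection("RDP-to-VM1", "Dnat", 100, "Allow",
                   [Rule("rdp", ["*"], ["123.4.5.6"], [3389], ["TCP"], translated="10.1.1.4:3389")],
                   group_priority=300, policy="child"),
]


def demo() -> dict:
    cases = {
        "inbound_rdp": Packet("1.2.3.4", "123.4.5.6", 3389),
        "to_restricted_range": Packet("10.1.1.4", "10.99.0.5", 443),
        "https_microsoft": Packet("10.1.1.4", "203.0.113.50", 443, fqdn="www.microsoft.com"),
        "https_unknown_site": Packet("10.1.1.4", "203.0.113.60", 443, fqdn="files.evil.example"),
        "dns_out": Packet("10.1.1.4", "8.8.8.8", 53, protocol="UDP"),
    }
    return {name: decide(POLICY, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The restricted-range case is the inheritance point: the child team's Allow collection has priority 50, lower (higher-ranking) than the parent's 100, and still loses, because parent collections are evaluated first within each rule type.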
AZURE FIREWALL MANAGER

Deployment Architectures

Hub Virtual Network (VNets)                                  Secure Virtual Hubs (Virtual WAN)

Secure Virtual Networks vs Secure Virtual Hubs

Networks (Hub Virtual Network)
• Applies to Azure virtual networks.
• You must manage routes.
• Presently only supports Azure Firewall.

Hubs (Secure Virtual Hub)
• Applies to Azure Virtual WAN.
• Routes are managed for you.
• Provides support for third-party firewalls/services.
DDoS Protection

LESSON BREAKDOWN

Overview
Features
Pricing
Configuration
Demonstration
DDOS PROTECTION

Overview

DDoS Protection: protect against distributed denial-of-service attacks.

Protect VNet Resources
Protect resources in your virtual networks across subscriptions.

Simplified Deployment
Enabled by default. Additional features are easy to deploy.

Included and Paid Options
Default protection is included, but additional features are available for a fee.
DDOS PROTECTION

Key Features

Turnkey Protection
Associate DDoS Protection with your virtual networks for simplified protection.

Native Integration
Native integration with the Azure platform. Traffic doesn't need to leave Azure.

Adaptive Tuning
Intelligently identify real traffic associated with your applications.

Detailed Analytics
Monitoring, alerts, and integration with services like Azure Sentinel and Security Center.

Cost Guarantee
Data transfer and application scale-out costs will be credited if a DDoS attack occurs.

Rapid Response
Engage the DDoS Protection Rapid Response (DRR) team for assistance with attacks.
DDOS PROTECTION

Pricing Options

Basic
• Included at no additional cost
• Protects every property in Azure
• Active traffic monitoring
• Automatic attack mitigations

Standard
• Monthly fee
• Cost protection
• Tuned to a customer's applications
• Detailed monitoring and analytics
• Includes support
DDOS PROTECTION

Configuration Overview

DDoS Protection Plan
To enable DDoS Protection Standard features, you must create a protection plan (a billed resource).

Virtual Network
Associating the DDoS protection plan with a virtual network protects all resources within that virtual network.

Across Subscriptions
A single plan can be associated with virtual networks in multiple subscriptions of the same tenant; in the diagram, one plan protects eastus-vnet and westus-vnet in Subscription 1 and auseast-vnet in Subscription 2.
Section Conclusion

SECTION CONCLUSION: SECURING VIRTUAL NETWORKS

Routing and Network Security
Routing decides where traffic goes; traffic filtering (NSGs, Azure Firewall) decides what is allowed once it gets there.

Virtual Network Routing
Default connectivity: internet and intra-VNet routes, plus system routes added for some services. Custom routes change the default behaviour using various next hop types. When multiple routes contain the same address prefix, priority is Custom > BGP > System.

Network Security Groups
Assigned to a NIC or a subnet (at the subnet level, rules apply to all resources within the subnet). Rules define port, protocol, source, destination, and a priority (lower number = higher priority). "Follow the traffic": once a rule is matched, no further rules are processed. In the diagram, rule 100 BLOCK RDP from * is matched before rule 200 ALLOW RDP from *, so RDP to VM1 and VM2 is blocked.

Augmented Security Rules
Service tags (e.g., AzureBackup) are Microsoft-managed prefix sets usable from NSGs or Azure Firewall. Application Security Groups (e.g., webservers-asg, dbservers-asg) are logical containers for the network interfaces used in your solution, all within one VNet.

Azure Firewall
A fully managed firewall that includes features such as high availability and scalability. Classic or policy-based: configuration can be managed on a per-firewall basis or through an associated Firewall Policy resource. Traffic filtering uses network, application, and NAT rules (in the diagram: a NAT rule translating 123.4.5.6 port 3389 to VM1, a network rule for TCP/UDP 3389 from any source, and an application rule allowing http/https to www.microsoft.com). Rules can be prioritized, but network rule collections are processed before application rule collections.

Azure Firewall Manager
Management interface for hierarchical policies (centrally managed, with inheritance, across multiple firewalls), hub virtual network deployments (manual routing required), and secure virtual hub deployments for Azure Virtual WAN (routing automated, third-party security supported).

DDoS Protection
To enable DDoS Protection Standard features, create a protection plan. A plan associated with a virtual network protects all resources within it, and one plan can be used for virtual networks across subscriptions (eastus-vnet and westus-vnet in Subscription 1, auseast-vnet in Subscription 2).
Section Introduction

SECTION BREAKDOWN: Securing Integrated Services and Networks

Secure Interconnectivity
Secure Hybrid Networks
Secure Traffic Delivery

SECTION INTRODUCTION: SECURING INTEGRATED SERVICES AND NETWORKS

The Goal of this Section

Defense in Depth
Securing the flow of traffic between services, solutions, and endpoints.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., Networking, Compute, Data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform, upon which security heavily relies.
Service Endpoints

LESSON BREAKDOWN

Overview
Configuration
Considerations
Demonstration
SERVICE ENDPOINTS

Overview

Service Endpoints: providing more secure, direct network access to supported services.

Private Access
Provide access to Azure services from within your private virtual network.

Backbone Routing
Traffic between configured services uses the Microsoft backbone.

Secure With Firewalls
Combined with service firewalls, service endpoints can negate the need for public access.
SERVICE ENDPOINTS

Connectivity and Configuration

Configuring Service Endpoints
Service endpoints are configured per service and per subnet (e.g., subnet1 and subnet2 of the virtual network) to provide secure connectivity to the supported service's public endpoints.

System Routes
Optimal system routes are added so that all resources within the subnet use the Microsoft backbone for the given service.

Service Network Security
Security rules can be configured on supported services to improve network security by allowing/denying traffic from specific subnets.
Important Considerations

1 Private IP Addressing
Service endpoints do not establish a private IP
address for the configured service(s).

2 Outbound Addressing
The private IP address of the source is
provided to the service being accessed.

3 Large Surface Area


There is no granular control over which
individual services can be accessed once a
service endpoint is configured.
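The three steps above (enable the endpoint on a subnet, let the platform inject the system route, then scope what the subnet can reach) as an added Azure PowerShell example; this is not code from the course. Resource group "rg-net", VNet "eastus-vnet", subnet "subnet1", NIC "vm1-nic" and storage account "capseccodata" are assumed names.

```powershell
# Added example (not from the course slides). Assumes a resource group "rg-net",
# a VNet "eastus-vnet" with subnet "subnet1", a NIC "vm1-nic" in that subnet, and a
# storage account "capseccodata" that this subnet should be able to reach.
$rg      = 'rg-net'
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'eastus-vnet'
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'capseccodata'

# 1. Service endpoint policy: without it, a Microsoft.Storage endpoint lets the
#    subnet reach ANY storage account (the "large surface area" consideration).
#    The policy pins the endpoint to the account(s) we own.
$definition = New-AzServiceEndpointPolicyDefinition -Name 'allow-capseccodata' `
    -Service 'Microsoft.Storage' -ServiceResource $storage.Id
$policy = New-AzServiceEndpointPolicy -ResourceGroupName $rg -Name 'sep-storage' `
    -Location $vnet.Location -ServiceEndpointPolicyDefinition $definition

# 2. Enable the endpoint per service and per subnet, attaching the policy.
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1' `
    -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint 'Microsoft.Storage' `
    -ServiceEndpointPolicy $policy | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 3. Check: the platform injects a system route whose next hop type is
#    VirtualNetworkServiceEndpoint for the storage prefixes of this region.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'vm1-nic' |
    Where-Object NextHopType -eq 'VirtualNetworkServiceEndpoint' |
    Select-Object Name, AddressPrefix, NextHopType | Format-Table -AutoSize

# 4. Confirm the subnet now carries the endpoint. The storage account still has
#    no private IP (consideration 1): its firewall must be configured separately.
(Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1').ServiceEndpoints |
    Select-Object Service, ProvisioningState
```

Run the route check from a NIC inside subnet1; a subnet without the endpoint shows only the default `Internet` route for the storage prefixes, which is the quickest way to tell whether traffic is actually leaving over the backbone.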
PRIVATE LINK

Lesson Breakdown: Overview, Connectivity, Architecture, Demonstration

Overview
Private Link is similar to service endpoints, but with greater accessibility and control over security.

• Private Addressing: access services over the Microsoft backbone using a private IP address from your own virtual network.
• Granular Security: more granular control over the resources that can be reached, compared to service endpoints.
• Extended Accessibility: connect to customer- or partner-owned services globally and from on-premises.

Connectivity
Secure network connectivity to a customer-owned Azure PaaS resource, e.g., a resource in US West reached from a virtual network in Australia Southeast via the private IP address 10.1.1.4.

• Private IP Address Access: private IP address access to supported Azure services and to customer/partner-managed services.
• Granular Security: granular protection against data leakage, because the private endpoint maps to one specific resource (and sub-resource), not to the whole service.
• Broad Accessibility: greater accessibility, including access from on-premises (over VPN or ExpressRoute), from peered virtual networks, and to services in other regions.

Architecture

• Private Endpoint: the network interface that connects to a supported service. It receives a private IP address from the registered subnet and is configured with DNS (typically a private DNS zone for the service) so that the service's public name resolves to the private IP inside the network.
• Connected Resource: the scoped Azure PaaS resource (e.g., a Microsoft Storage account) associated with the private endpoint.
• Private Link Service: a customer-managed solution operating behind a Standard Load Balancer, enabled for Private Link so that consumers can connect to it through their own private endpoints.
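The private endpoint, DNS and connected-resource pieces from the architecture above, as an added Azure PowerShell example rather than course code. The resource group "rg-net", VNet "eastus-vnet", subnet "subnet2" and storage account "capseccodata" are assumed names; the `privatelink.blob.core.windows.net` zone name is the documented private DNS zone for blob storage.

```powershell
# Added example (not from the course slides). Assumes resource group "rg-net",
# VNet "eastus-vnet" with subnet "subnet2", and storage account "capseccodata".
$rg      = 'rg-net'
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'eastus-vnet'
$subnet  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet2'
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'capseccodata'

# 1. Private endpoint: a NIC in subnet2 mapped to ONE sub-resource (blob) of ONE
#    storage account. The connected resource is scoped, unlike a service endpoint.
$conn = New-AzPrivateLinkServiceConnection -Name 'pls-capseccodata-blob' `
    -PrivateLinkServiceId $storage.Id -GroupId 'blob'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-capseccodata-blob' `
    -Location $vnet.Location -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. DNS: the public name must resolve to the private IP inside the VNet. Link the
#    privatelink zone to the VNet and let the endpoint register its own A record.
$zoneName = 'privatelink.blob.core.windows.net'
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name 'link-eastus-vnet' -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 3. Close the public door: with the private path in place, deny public access.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storage.StorageAccountName `
    -DefaultAction Deny -Bypass None | Out-Null

# 4. Checks: the endpoint's NIC holds a private IP from subnet2, and (from a VM in
#    the VNet) the blob hostname resolves to that IP rather than a public address.
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress
"Private endpoint IP: $privateIp"
$answer = Resolve-DnsName -Name "$($storage.StorageAccountName).blob.core.windows.net" -Type A
if ($answer.IPAddress -notcontains $privateIp) {
    Write-Warning 'Name did not resolve to the private endpoint; run this from inside the VNet and check the zone link.'
}
```

The DNS step is where most private endpoint deployments go wrong: if a client still resolves the public address, traffic silently leaves over the internet and is then rejected by the `Deny` default action in step 3, which is the symptom to look for.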
VNET PEERING

Lesson Breakdown: Purpose, Benefits, Demonstration, Considerations

Why Do We Need It?
By default, a virtual network has some connectivity to other resources (e.g., the internet and Azure services). It is otherwise fully isolated, secure, and completely independent of other virtual networks: vnet1, vnet2, and vnet3 cannot reach each other.

Key Benefits
Virtual network peering (VNet peering) allows us to establish connectivity between virtual networks.

• Fast: VNet peering provides high-bandwidth, low-latency interconnectivity between virtual networks.
• Secure: interconnectivity with VNet peering leverages the Microsoft backbone (avoiding the public internet).
• Flexible: there is support for several scenarios, providing flexible interconnectivity between VNets, wherever they are.

Key Capabilities and Limitations
Example: vnet1 (US West, 10.1.0.0/16 with a 10.1.0.0/20 subnet and a VM at 10.1.1.10), vnet2 (Australia Southeast, 10.2.0.0/16 with a VM at 10.2.1.10), and vnet3 (Central US, 10.3.0.0/16 with a VM at 10.3.1.10), spread across Subscription 1 and Subscription 2.

• Provides connectivity over private IP addresses.
• Supports cross-subscription connectivity.
• Supports cross-region connectivity (global VNet peering).
• Address spaces cannot overlap.
• Does not support transitive routing: if vnet1 is peered with vnet2 and vnet2 with vnet3, vnet1 cannot reach vnet3 through vnet2 unless vnet1 and vnet3 are peered directly (or traffic is forwarded through a network virtual appliance or gateway in vnet2).
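A cross-subscription peering with the overlap check done up front, as an added Azure PowerShell example (not course code). vnet1 (10.1.0.0/16) and vnet2 (10.2.0.0/16) come from the slide; the resource groups "rg-net-1"/"rg-net-2" and the subscription ID placeholders are assumptions, and `Test-PrefixOverlap` is a helper written for this example.

```powershell
# Added example (not from the course slides). Assumes vnet1 (rg-net-1, subscription
# $sub1) and vnet2 (rg-net-2, subscription $sub2); the signed-in identity needs
# Network Contributor on both VNets. Subscription IDs are placeholders.
$sub1 = '<subscription-1-id>'; $sub2 = '<subscription-2-id>'

function Test-PrefixOverlap {
    # True when two IPv4 CIDR prefixes share any address: compare both network
    # addresses under the shorter (less specific) of the two masks.
    param([string]$PrefixA, [string]$PrefixB)
    $toLong = {
        param($Ip)
        $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
    }
    $netA, $lenA = $PrefixA.Split('/'); $netB, $lenB = $PrefixB.Split('/')
    $len  = [Math]::Min([int]$lenA, [int]$lenB)
    $all  = [long][uint32]::MaxValue
    $mask = if ($len -eq 0) { 0 } else { ($all -shl (32 - $len)) -band $all }
    ((& $toLong $netA) -band $mask) -eq ((& $toLong $netB) -band $mask)
}

Set-AzContext -SubscriptionId $sub1 | Out-Null
$vnet1 = Get-AzVirtualNetwork -ResourceGroupName 'rg-net-1' -Name 'vnet1'
Set-AzContext -SubscriptionId $sub2 | Out-Null
$vnet2 = Get-AzVirtualNetwork -ResourceGroupName 'rg-net-2' -Name 'vnet2'

# Azure rejects a peering between overlapping address spaces, so fail early
# (10.1.0.0/16 vs 10.2.0.0/16 passes; 10.1.0.0/16 vs 10.1.0.0/20 would not).
foreach ($a in $vnet1.AddressSpace.AddressPrefixes) {
    foreach ($b in $vnet2.AddressSpace.AddressPrefixes) {
        if (Test-PrefixOverlap $a $b) { throw "Address space $a overlaps $b; peering is not possible." }
    }
}

# Peering is created on BOTH sides. The defaults keep the posture tight: no
# forwarded traffic (no transit through an NVA) and no gateway transit.
Add-AzVirtualNetworkPeering -Name 'vnet2-to-vnet1' -VirtualNetwork $vnet2 `
    -RemoteVirtualNetworkId $vnet1.Id | Out-Null
Set-AzContext -SubscriptionId $sub1 | Out-Null
Add-AzVirtualNetworkPeering -Name 'vnet1-to-vnet2' -VirtualNetwork $vnet1 `
    -RemoteVirtualNetworkId $vnet2.Id | Out-Null

# Check: the state is 'Initiated' until the other side exists, then 'Connected'.
Get-AzVirtualNetworkPeering -ResourceGroupName 'rg-net-1' -VirtualNetworkName 'vnet1' |
    Select-Object Name, PeeringState, AllowForwardedTraffic, AllowGatewayTransit
```

`AllowForwardedTraffic` and `AllowGatewayTransit` are the two switches that change the trust relationship between the networks; leave them off unless the design explicitly routes through an appliance or shares a gateway, because the non-transitive default is what keeps a compromise in vnet2 from reaching vnet3 via vnet1.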
VIRTUAL PRIVATE NETWORKS (VPN)

Lesson Breakdown: Purpose, Configuration, Demonstration, Comparison

Why Do We Need It?
Our users regularly need secure network access to the resources we configure within the Microsoft ecosystem. How do we secure this network access when it crosses the internet?

• Point-to-Site VPN: remote users establish an encrypted tunnel from their device to the virtual network.
• Site-to-Site VPN: an on-premises network establishes an encrypted tunnel to the virtual network.
• Both are encrypted network tunnels across the public internet into the Microsoft global infrastructure; Microsoft 365 is still reached over the internet as usual.

Configuration
Example: an Azure virtual network (10.1.0.0/16) connected to an on-premises network (192.168.0.0/16) behind a VPN device with public IP 1.2.3.4.

• VPN Gateway: a virtual network gateway of type VPN. It must exist in a subnet named GatewaySubnet. The VPN SKU determines features, bandwidth, etc.
• Local Network Gateway: a resource used to define the on-premises network (192.168.0.0/16) that will be reachable via the VPN, together with the public IP address (1.2.3.4) of the on-premises VPN device.
• VPN Connection: a resource used to establish the VPN connection, including authentication (pre-shared key or certificate), encryption (the IPsec/IKE policy), and the VPN endpoint.

Comparison: VNet Peering vs VPN

VNet Peering
• Designed for VNet-to-VNet connectivity.
• Supports cross-subscription, cross-region, and cross-Azure AD tenant connectivity.
• Leverages the Microsoft backbone for private IP address connectivity.
• Typically used for private, low-latency interconnectivity.

VPN
• Designed for hybrid connectivity (site-to-site, point-to-site).
• Supports similar VNet-to-VNet connectivity (cross-subscription, cross-region).
• Requires a public IP address to be used for connectivity.
• Generally used where encryption and/or transitive routing is needed.
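The three configuration resources above (VPN gateway, local network gateway, connection) wired together with an explicit IPsec/IKE policy, as an added Azure PowerShell example that is not part of the course. The 1.2.3.4 device address and 192.168.0.0/16 prefix are the slide's; the gateway name "vpn-gw", resource group "rg-net" and the Key Vault secret holding the pre-shared key are assumptions.

```powershell
# Added example (not from the course slides). Assumes a VPN gateway "vpn-gw" already
# deployed in the GatewaySubnet of the Azure VNet (10.1.0.0/16, rg-net), an on-premises
# VPN device at 1.2.3.4 fronting 192.168.0.0/16, and a pre-shared key stored in Key
# Vault "kv-capsecco" as secret "s2s-psk" (never hard-code it in the script).
$rg  = 'rg-net'
$gw  = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpn-gw'
$psk = Get-AzKeyVaultSecret -VaultName 'kv-capsecco' -Name 's2s-psk' -AsPlainText

# 1. Local network gateway: the on-premises side (device public IP + its prefixes).
$lng = New-AzLocalNetworkGateway -ResourceGroupName $rg -Name 'lng-onprem' `
    -Location $gw.Location -GatewayIpAddress '1.2.3.4' -AddressPrefix '192.168.0.0/16'

# 2. Explicit IPsec/IKE policy so both ends negotiate strong, known algorithms
#    instead of whichever proposal in the default list happens to be agreed on.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 3. The connection: authentication (PSK), encryption (policy), and the endpoint.
$conn = New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name 'cn-onprem' `
    -Location $gw.Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk -IpsecPolicies $ipsec `
    -UsePolicyBasedTrafficSelectors $false

# 4. Checks: tunnel state, traffic counters, and the policy actually in effect.
$state = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name $conn.Name
"Status: $($state.ConnectionStatus); bytes in/out: $($state.IngressBytesTransferred)/$($state.EgressBytesTransferred)"
$state.IpsecPolicies | Select-Object IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity, PfsGroup
```

The same policy must be configured on the on-premises device; a mismatch shows up as `ConnectionStatus` stuck at `Connecting`. Keeping the PSK in Key Vault rather than in the deployment script is the difference between rotating a secret and rewriting history in a repository.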
EXPRESSROUTE

Lesson Breakdown: Purpose, Configuration, Comparison

Why Do We Need It?
For some enterprises, virtual private networks over the internet may not meet all of the organization's security requirements. ExpressRoute provides a more direct, private connection from on-premises to Microsoft cloud services (both virtual networks and Microsoft 365), alongside point-to-site and site-to-site VPN for remote users and smaller sites.

Configuration

• ExpressRoute Circuit: the connectivity into the Microsoft global infrastructure, which leverages both the Microsoft edge and a connectivity partner's edge networking.
• Peering: private peering or Microsoft peering is configured on the circuit to facilitate a secure connection to virtual networks or to Microsoft 365, respectively.
• ExpressRoute Gateway: a virtual network gateway of type ExpressRoute, which links the circuit's private peering to the virtual network. It must exist in a subnet named GatewaySubnet, and the SKU determines features, bandwidth, etc.

Comparison: ExpressRoute vs VPN

ExpressRoute
• Provides secure connectivity to virtual networks and Microsoft 365.
• Does not traverse the public internet.
• Does not encrypt traffic by default; encryption can be added with MACsec at layer 2 (ExpressRoute Direct only) or with IPsec tunnels carried over the circuit.

VPN
• Provides secure connectivity to virtual networks only.
• Traverses the public internet (between the point/site and Azure).
• Traffic is encrypted by default as part of an end-to-end IPsec tunnel.
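The circuit, private peering and gateway connection from the configuration slide, as an added Azure PowerShell example (not course code). The provider, peering location, bandwidth, ASN, VLAN, link prefixes and the gateway name "er-gw" are placeholders that would come from the connectivity partner and the network design; the BGP MD5 key is assumed to be in Key Vault.

```powershell
# Added example (not from the course slides). Provider, peering location, ASN, VLAN
# and address prefixes are placeholders agreed with the connectivity partner; the
# ExpressRoute gateway "er-gw" is assumed to exist in the GatewaySubnet of rg-net.
$rg = 'rg-net'

# 1. The circuit is the Microsoft side of the connectivity; the partner provisions
#    their side once they receive the service key.
$circuit = New-AzExpressRouteCircuit -ResourceGroupName $rg -Name 'er-capsecco' -Location 'westus' `
    -SkuTier Standard -SkuFamily MeteredData -ServiceProviderName 'Equinix' `
    -PeeringLocation 'Silicon Valley' -BandwidthInMbps 200
"Service key to give the provider: $($circuit.ServiceKey)"

# 2. Nothing can be peered until the provider reports the circuit as Provisioned.
$circuit = Get-AzExpressRouteCircuit -ResourceGroupName $rg -Name 'er-capsecco'
if ($circuit.ServiceProviderProvisioningState -ne 'Provisioned') {
    throw "Provider state is $($circuit.ServiceProviderProvisioningState); wait for the partner."
}

# 3. Private peering (BGP) towards virtual networks. The MD5 shared key only
#    authenticates the BGP session; it does NOT encrypt traffic on the circuit.
$bgpKey = Get-AzKeyVaultSecret -VaultName 'kv-capsecco' -Name 'er-bgp-md5' -AsPlainText
Add-AzExpressRouteCircuitPeeringConfig -Name 'AzurePrivatePeering' -ExpressRouteCircuit $circuit `
    -PeeringType AzurePrivatePeering -PeerASN 65001 -VlanId 200 `
    -PrimaryPeerAddressPrefix '192.168.254.0/30' -SecondaryPeerAddressPrefix '192.168.254.4/30' `
    -SharedKey $bgpKey
$circuit = Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit

# 4. Connect the VNet's ExpressRoute gateway to the circuit.
$erGw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'er-gw'
New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name 'cn-er' -Location $erGw.Location `
    -VirtualNetworkGateway1 $erGw -PeerId $circuit.Id -ConnectionType ExpressRoute | Out-Null

# 5. Checks: peering enabled, and routes actually learned from on-premises.
(Get-AzExpressRouteCircuitPeeringConfig -ExpressRouteCircuit $circuit -Name 'AzurePrivatePeering').State
Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName 'er-capsecco' `
    -PeeringType AzurePrivatePeering -DevicePath Primary | Select-Object Network, NextHop, Path
```

The route table in step 5 is also the place to confirm that only the expected on-premises prefixes are advertised into Azure; an unexpected default route learned over private peering would pull VNet internet traffic back on-premises.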
SERVICE FIREWALLS

Lesson Breakdown: Purpose, Configuration, Demonstration

Why Do We Need Them?
Many Azure services are built for global accessibility and scale, and many such services are publicly accessible by default. Your organization may still wish to control traffic to these services.

• Firewalls for each service: each supported public Microsoft service (e.g., Storage, Key Vault, SQL) has its own firewall, configured on the resource.
• Control inbound traffic: the firewall controls which inbound traffic reaches the service's public endpoint.
• From VNets as well as the public internet: rules can admit traffic from private virtual networks and from the public internet (remote users or an on-premises egress address).

Configuration Overview

• Service Firewall (Default Deny): enabling a service firewall creates a default DENY ALL rule for the public endpoint of a resource. All traffic is blocked unless explicitly allowed.
• Public IP Allow Rules: firewall rules for services can include allowed public IP addresses or ranges (e.g., 1.2.3.4) of users/services you wish to permit.
• Virtual Network Allow Rules: to allow traffic from a virtual network, a service endpoint for that service must be enabled on the subnet, and the respective subnet added to the firewall. The rule matches on the source's private IP address, which the service endpoint presents to the service.
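The default-deny, public-IP rule and virtual-network rule pattern applied to a Key Vault, as an added Azure PowerShell example that is not part of the course. The vault "kv-capsecco" in "rg-sec", VNet "eastus-vnet"/subnet "subnet1" in "rg-net", and the admin egress address 1.2.3.4 (from the slide) are assumed names.

```powershell
# Added example (not from the course slides). Assumes Key Vault "kv-capsecco" in rg-sec,
# VNet "eastus-vnet"/subnet "subnet1" in rg-net, and an admin egress IP of 1.2.3.4.
$kvName = 'kv-capsecco'; $kvRg = 'rg-sec'

# 1. The subnet needs a Microsoft.KeyVault service endpoint, otherwise a VNet rule
#    never matches (the vault would see the subnet's public NAT address instead).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName 'rg-net' -Name 'eastus-vnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1'
$endpoints = @($subnet.ServiceEndpoints | ForEach-Object Service) + 'Microsoft.KeyVault' | Select-Object -Unique
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1' `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint $endpoints | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1'

# 2. Default deny on the public endpoint, then explicit allows: one public IP and
#    one subnet. Bypass=None means trusted Microsoft services are NOT exempted;
#    use AzureServices only when a platform service (e.g., disk encryption) must reach it.
Update-AzKeyVaultNetworkRuleSet -VaultName $kvName -ResourceGroupName $kvRg `
    -DefaultAction Deny -Bypass None `
    -IpAddressRange '1.2.3.4/32' -VirtualNetworkResourceId $subnet.Id

# 3. Check the effective rule set, and flag any IP rule broader than a /24.
$acl = (Get-AzKeyVault -VaultName $kvName -ResourceGroupName $kvRg).NetworkAcls
"Default action: $($acl.DefaultAction); bypass: $($acl.Bypass)"
$acl.IpAddressRanges | ForEach-Object {
    $len = if ($_ -match '/') { [int]($_ -split '/')[1] } else { 32 }
    if ($len -lt 24) { Write-Warning "IP rule $_ allows more than a /24; tighten it." } else { "IP rule: $_" }
}
$acl.VirtualNetworkResourceIds | ForEach-Object { "VNet rule: $_" }
```

The same three-part shape (default action, IP rules, virtual network rules) appears on Storage (`Update-AzStorageAccountNetworkRuleSet`) and other services; the check in step 3 is worth running periodically because "temporary" broad IP ranges tend to outlive the incident that created them.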
APPLICATION GATEWAY

Lesson Breakdown: Purpose, Features, Configuration, Demonstration

Why Do We Need It?
Using an Application Gateway, we can build secure, highly available web applications. An Application Gateway is often referred to as an application-aware (layer 7) load balancer: requests for www.capsecco.com/ can be routed to different backends depending on the path, e.g., www.capsecco.com/sec/ versus everything else (www.capsecco.com/…).

Key Features

• Public Load Balancing: provides public access (private is partially supported), with Azure Load Balancer-type functionality at layer 7.
• Autoscaling: scale the Application Gateway up or down, based on the demands of your users/services.
• URL-Based Routing: route traffic to different backend pools, depending on the URL path requested.
• Web Security: web protection features like the Web Application Firewall and HTTP header rewrite.
• Session Affinity: gateway-managed, cookie-based session affinity that keeps user sessions on the same server.
• SSL/TLS Termination: terminate SSL/TLS at the gateway, removing the encryption/decryption overhead from backend servers (traffic to the backend can still be re-encrypted where the data classification requires it).

Configuration Overview

• Frontend IP: the IP address (public and/or private, e.g., 10.1.1.10) associated with the Application Gateway.
• Listener: frontend IP address, frontend port, protocol, and (if HTTPS is enabled) the associated SSL/TLS certificate used by the Application Gateway.
• Rule (and Settings): the rule brings everything together: the listener, the backend pool, a custom health probe, and the HTTP settings (port, persistence, path-based routing, timeout period, etc.).
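The frontend IP, HTTPS listener, backend pool, probe, HTTP settings and rule from the configuration overview, built into a WAF_v2 gateway with a minimum-TLS-1.2 policy, as an added Azure PowerShell example (not course code). www.capsecco.com is the slide's hostname; the resource group "rg-web", VNet "web-vnet", subnet "appgw-subnet", backend addresses 10.1.1.4/10.1.1.5 and the PFX path are assumptions.

```powershell
# Added example (not from the course slides). Assumes resource group "rg-web", VNet
# "web-vnet" with a dedicated "appgw-subnet", two backend web servers at 10.1.1.4 and
# 10.1.1.5 listening on HTTP/80, and a PFX for www.capsecco.com at C:\certs\capsecco.pfx.
$rg = 'rg-web'
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'web-vnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'appgw-subnet'
$loc    = $vnet.Location
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'appgw-pip' -Location $loc -Sku Standard -AllocationMethod Static

# Web security: WAF policy with the OWASP CRS 3.1 managed rules in Prevention mode
# (Detection mode only logs; use it briefly while tuning, then switch back).
$ruleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType 'OWASP' -RuleSetVersion '3.1'
$managed = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $ruleSet
$wafSettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxRequestBodySizeInKb 128 -FileUploadLimitInMb 20
$waf = New-AzApplicationGatewayFirewallPolicy -ResourceGroupName $rg -Name 'waf-capsecco' -Location $loc -ManagedRule $managed -PolicySetting $wafSettings

# Frontend IP + port + certificate -> HTTPS listener (TLS terminates here).
$gwIp   = New-AzApplicationGatewayIPConfiguration -Name 'gw-ipcfg' -Subnet $subnet
$feIp   = New-AzApplicationGatewayFrontendIPConfig -Name 'fe-public' -PublicIPAddress $pip
$fePort = New-AzApplicationGatewayFrontendPort -Name 'port-443' -Port 443
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = New-AzApplicationGatewaySslCertificate -Name 'capsecco-tls' -CertificateFile 'C:\certs\capsecco.pfx' -Password $pfxPassword
$listener = New-AzApplicationGatewayHttpListener -Name 'listener-https' -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $cert -HostName 'www.capsecco.com'

# Backend pool, custom probe, and HTTP settings (plain HTTP to the backend: the
# gateway has taken the TLS overhead; cookie affinity keeps a user on one server).
$pool  = New-AzApplicationGatewayBackendAddressPool -Name 'pool-web' -BackendIPAddresses '10.1.1.4', '10.1.1.5'
$probe = New-AzApplicationGatewayProbeConfig -Name 'probe-web' -Protocol Http -HostName 'www.capsecco.com' -Path '/healthz' -Interval 30 -Timeout 30 -UnhealthyThreshold 3
$http  = New-AzApplicationGatewayBackendHttpSetting -Name 'http-80' -Port 80 -Protocol Http -CookieBasedAffinity Enabled -RequestTimeout 30 -Probe $probe

# The rule ties listener -> backend pool + settings. Priority is required on v2.
$rule = New-AzApplicationGatewayRequestRoutingRule -Name 'rule-https' -RuleType Basic -Priority 100 -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $http

# SKU, autoscaling, and a predefined TLS policy whose minimum version is TLS 1.2.
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2
$autoscale = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 2 -MaxCapacity 10
$tls = New-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S

$appgw = New-AzApplicationGateway -ResourceGroupName $rg -Name 'appgw-capsecco' -Location $loc `
    -Sku $sku -AutoscaleConfiguration $autoscale -SslPolicy $tls -FirewallPolicy $waf `
    -GatewayIPConfigurations $gwIp -FrontendIPConfigurations $feIp -FrontendPorts $fePort `
    -SslCertificates $cert -HttpListeners $listener -BackendAddressPools $pool `
    -Probes $probe -BackendHttpSettingsCollection $http -RequestRoutingRules $rule

# Checks: the TLS policy and WAF mode actually in effect on the deployed gateway.
$appgw.SslPolicy | Select-Object PolicyType, PolicyName
(Get-AzApplicationGatewayFirewallPolicy -ResourceGroupName $rg -Name 'waf-capsecco').PolicySettings | Select-Object Mode, State
```

In production the certificate belongs in Key Vault (the gateway can reference a secret ID through a user-assigned identity) rather than in a PFX on disk; the listener here uses a file only to keep the example self-contained.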
AZURE FRONT DOOR

Lesson Breakdown: Overview, How It Works, Configuration, Demonstration

Web Application Acceleration and Delivery at a Global Scale
Azure Front Door provides high availability and acceleration across the globe.

• Leverages Microsoft's global edge network.
• Designed for web applications (HTTP/S).
• Supports Azure services and on-premises (hybrid) backends.
• Supports acceleration, caching, security, and more.

How Does It Work?
Azure Front Door is a content acceleration solution that leverages Microsoft's global edge network to provide fast connectivity to your solution across the globe: the user connects to the nearest point of presence, and Front Door carries the request over the Microsoft network to the web solution.

Microsoft global network: https://azure.microsoft.com/en-us/global-infrastructure/global-network/

Configuration

• Frontend: the frontend host/domain (can be custom) where traffic will be directed to your global solution.
• Backend: the backend pool that services the solution; supports integration with many Azure services, or custom/on-premises backends.
• Routing: connects the frontend and backend. Additional features can be configured, including caching and URL path matching.
WEB APPLICATION FIREWALLS

Lesson Breakdown: Overview, Comparison, Demonstration

Protect Web Applications Against Threats and Exploits
Microsoft provides Web Application Firewall (WAF) capabilities within Azure to protect web applications:

• Protect against common threats and exploits (e.g., SQL injection and cross-site scripting).
• Managed and custom rules for controlling access.
• Supported by Application Gateway and Front Door.

Comparison: Application Gateway WAF vs Front Door WAF

Application Gateway
• Protects your solution at the virtual network in your deployed region.
• Supports Azure-managed and customer-managed rulesets.
• Based on the OWASP Core Rule Set (CRS) 2.2.9, 3.0, and 3.1.
• Supports custom geo-filtering rules; rate limiting was unavailable at the time of this course (it has since been added to WAF v2 custom rules).

Front Door
• Protects your solution outside of your virtual network, at the edge.
• Supports Azure-managed and customer-managed rulesets.
• Protects against the common top OWASP vulnerabilities by default (the Azure-managed Default Rule Set).
• Supports geo-filtering and rate-limiting rules.
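The Front Door configuration (frontend, backend pool, routing rule) from the previous lesson and the edge WAF capabilities from the comparison above, in one added Azure PowerShell example that is not part of the course: a WAF policy with the managed Default Rule Set plus a geo-filter and a rate-limit custom rule, linked to the frontend. The resource group "rg-web", Front Door name "fd-capsecco", backend host app.capsecco.com and the AU/NZ geo list are assumptions.

```powershell
# Added example (not from the course slides). Assumes resource group "rg-web" and a
# regional backend at app.capsecco.com; www.capsecco.com would later be CNAMEd to
# the Front Door host. All names are placeholders.
$rg = 'rg-web'; $fdName = 'fd-capsecco'

# WAF policy: managed Default Rule Set plus two custom rules that exploit what the
# edge WAF offers: a geo block (allow AU/NZ only) and a rate limit on the login path.
$managed = New-AzFrontDoorWafManagedRuleObject -Type DefaultRuleSet -Version '1.0'
$geo = New-AzFrontDoorWafMatchConditionObject -MatchVariable RemoteAddr `
    -OperatorProperty GeoMatch -MatchValue 'AU', 'NZ' -NegateCondition $true
$geoRule = New-AzFrontDoorWafCustomRuleObject -Name 'BlockOutsideANZ' -RuleType MatchRule `
    -MatchCondition $geo -Action Block -Priority 10
$login = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestUri `
    -OperatorProperty Contains -MatchValue '/sec/login'
$rateRule = New-AzFrontDoorWafCustomRuleObject -Name 'RateLimitLogin' -RuleType RateLimitRule `
    -MatchCondition $login -RateLimitThreshold 100 -RateLimitDurationInMinutes 1 `
    -Action Block -Priority 20
$waf = New-AzFrontDoorWafPolicy -ResourceGroupName $rg -Name 'wafcapsecco' `
    -ManagedRule $managed -Customrule $geoRule, $rateRule -EnabledState Enabled -Mode Prevention

# Frontend: the Front Door host, with the WAF policy linked to it.
$frontend = New-AzFrontDoorFrontendEndpointObject -Name 'fe-default' `
    -HostName "$fdName.azurefd.net" -WebApplicationFirewallPolicyLink $waf.Id

# Backend pool: HTTPS-only backend with a health probe and load-balancing settings.
$backend = New-AzFrontDoorBackendObject -Address 'app.capsecco.com' -HttpsPort 443 -Priority 1 -Weight 50
$probe   = New-AzFrontDoorHealthProbeSettingObject -Name 'probe-https' -Path '/healthz' -Protocol Https -IntervalInSeconds 30
$lb      = New-AzFrontDoorLoadBalancingSettingObject -Name 'lb-default' -SampleSize 4 -SuccessfulSamplesRequired 2
$pool    = New-AzFrontDoorBackendPoolObject -Name 'pool-app' -FrontDoorName $fdName -ResourceGroupName $rg `
    -Backend $backend -HealthProbeSettingsName $probe.Name -LoadBalancingSettingsName $lb.Name

# Routing: accept only HTTPS at the edge and forward to the backend over HTTPS only.
$route = New-AzFrontDoorRoutingRuleObject -Name 'route-all' -FrontDoorName $fdName -ResourceGroupName $rg `
    -FrontendEndpointName $frontend.Name -BackendPoolName $pool.Name -PatternToMatch '/*' `
    -AcceptedProtocol Https -ForwardingProtocol HttpsOnly

New-AzFrontDoor -ResourceGroupName $rg -Name $fdName -FrontendEndpoint $frontend `
    -BackendPool $pool -HealthProbeSetting $probe -LoadBalancingSetting $lb -RoutingRule $route | Out-Null

# Checks: the frontend carries the WAF link and the policy is in Prevention mode.
$fd = Get-AzFrontDoor -ResourceGroupName $rg -Name $fdName
$fd.FrontendEndpoints | Select-Object Name, HostName, WebApplicationFirewallPolicyLink
(Get-AzFrontDoorWafPolicy -ResourceGroupName $rg -Name 'wafcapsecco').PolicyMode
```

Because Front Door sits in front of the origin, the origin must also refuse traffic that did not come through Front Door (a service firewall or an NSG rule limited to the Front Door service tag); otherwise an attacker who finds app.capsecco.com directly bypasses both the geo filter and the rate limit.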
SECTION CONCLUSION: SECURING INTEGRATED NETWORKS AND SERVICES

Further Protecting Our Network Traffic
Traffic between remote users, on-premises networks, virtual networks, and Microsoft public services can be protected with the services covered in this section:

• Service Endpoints: configured per service and per subnet; optimal system routes send traffic for the service over the Microsoft backbone, and service firewall rules then allow or deny traffic from the subnet.
• Private Link: a private endpoint (a NIC with a private IP from the registered subnet, configured with DNS) connects to a scoped PaaS resource (e.g., Microsoft Storage) or to a customer-managed Private Link Service behind a Standard Load Balancer.
• VNet Peering: private IP connectivity across subscriptions and regions (vnet1 in US West, vnet2 in Australia Southeast, vnet3 in Central US); address spaces cannot overlap and routing is not transitive.
• Virtual Private Networks (VPN): encrypted point-to-site and site-to-site tunnels across the internet into virtual networks.
• ExpressRoute: secure, private network connectivity that does not traverse the internet; private peering for virtual networks and Microsoft peering for Microsoft 365.
• Service Firewalls: per-service firewalls that control inbound traffic to public Microsoft services from virtual networks as well as the public internet.
• Application Gateway: an application-aware (layer 7) load balancer, e.g., routing www.capsecco.com/app/ paths such as …/videos and …/* to different backends.
• Azure Front Door: a content acceleration solution on Microsoft's global edge network (https://azure.microsoft.com/en-us/global-infrastructure/global-network/).
• Web Application Firewalls: Application Gateway WAF (regional, in the virtual network, OWASP CRS 2.2.9/3.0/3.1, geo-filtering, no rate limiting at the time of the course) versus Front Door WAF (at the edge, top OWASP vulnerabilities by default, geo-filtering and rate limiting).
SECTION INTRODUCTION: SECURING VIRTUAL MACHINES

Section Breakdown
• Secure Remote Access
• Protect Against Vulnerabilities
• Secure Data

The Goal of This Section: Protect the VM
In this section, we discuss protecting a number of layers associated with virtual machines.

• Securing Applications: securing the solutions we build.
• Securing the Platform: securing the Azure services we use (e.g., Networking, Compute, Data).
• Identity and Access Management: securing access to resources and identity itself.
• Azure Active Directory (AD): the identity platform upon which security heavily relies.
AZURE BASTION

Lesson Breakdown: Purpose, Usage, Demonstration

Why Do We Need It?
Administration of both Windows and Linux virtual machines is often a privileged responsibility. Azure Bastion can help us secure the way in which we perform this type of management: the remote administrator connects over the internet to the Bastion host's public IP (e.g., 1.2.3.4) on port 443 (TLS) using an HTML5 web client, and Bastion brokers the RDP/SSH session to virtual machines inside the virtual network. The VMs therefore need no public IP addresses and no internet-facing RDP/SSH ports of their own.

Usage Overview

• Deploy a Bastion Host: create and deploy to a VNet. Note that a bastion must be deployed to a subnet called "AzureBastionSubnet".
• Connect to a Virtual Machine: use the Azure portal client to access VMs or VM scale set instances. This is also supported for resources in peered VNets.
• Important Considerations: connectivity requires outbound port 443 (TLS) from the client and HTML5 support in the web browser.
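Deploying the Bastion host and then closing the direct management path it replaces, as an added Azure PowerShell example (not course code). The VNet "vm-vnet", resource group "rg-vm", NSG "nsg-workload" and the 10.1.255.0/26 prefix are assumptions; the subnet name AzureBastionSubnet is the mandatory one from the slide.

```powershell
# Added example (not from the course slides). Assumes VNet "vm-vnet" in rg-vm with a
# free /26 at 10.1.255.0/26 and an NSG "nsg-workload" on the VM subnet.
$rg = 'rg-vm'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vm-vnet'

# 1. The subnet name is mandatory ("AzureBastionSubnet"); size it at least /26.
$bastionPrefix = '10.1.255.0/26'
Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $vnet -AddressPrefix $bastionPrefix | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 2. Bastion needs a Standard, static public IP; the VMs behind it need none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'bastion-pip' -Location $vnet.Location -Sku Standard -AllocationMethod Static
New-AzBastion -ResourceGroupName $rg -Name 'bastion-capsecco' -PublicIpAddress $pip -VirtualNetwork $vnet | Out-Null

# 3. Restrict RDP/SSH on the workload subnet to the Bastion subnet only, and deny
#    the internet explicitly rather than relying on the default rules.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-workload'
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'allow-mgmt-from-bastion' -Priority 100 -Direction Inbound `
    -Access Allow -Protocol Tcp -SourceAddressPrefix $bastionPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '22', '3389' | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'deny-mgmt-from-internet' -Priority 110 -Direction Inbound `
    -Access Deny -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '22', '3389' | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 4. Check: list NICs that still carry a public IP. With Bastion in place each one
#    is a direct RDP/SSH exposure and a candidate for removal.
Get-AzNetworkInterface -ResourceGroupName $rg | ForEach-Object {
    $nic = $_
    $nic.IpConfigurations | Where-Object { $_.PublicIpAddress } | ForEach-Object {
        [pscustomobject]@{
            Nic      = $nic.Name
            Subnet   = ($_.Subnet.Id -split '/')[-1]
            PublicIp = ($_.PublicIpAddress.Id -split '/')[-1]
        }
    }
}
```

Step 4 is the part people skip: Bastion only reduces exposure if the public IPs and the "allow RDP from anywhere" rules it was meant to replace are actually removed.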
JUST-IN-TIME VM ACCESS

Lesson Breakdown: Purpose, Implementation, Demonstration (Azure Security Center)

Why Do We Need It?
We've talked about time-limited access to privileges within Azure AD, but what about network access? Just-in-time (JIT) VM access blocks inbound management traffic from the internet to the virtual network, except for the times when access is needed: an attacker scanning for open RDP/SSH ports finds them closed, while a remote administrator can request a time-boxed opening.

Implementation

• Deployment: just-in-time VM access requires Azure Defender for servers, and works by managing Azure Firewall rules and network security groups (NSGs). When JIT is enabled, a deny rule for the management port is added (e.g., priority 4096 DENY RDP); an approved request temporarily inserts a higher-priority allow rule (e.g., priority 100 ALLOW RDP) for the requested source IPs, which is removed when the window expires.
• JIT Access Policies: access policies define the port, protocol, allowed source IPs, and the maximum request duration. Creating policies and requesting access both require privileges (RBAC permissions on the VM and on the JIT policy).
• Auditing: the activity log provides an audit trail to view VM access requests (remote management, e.g., RDP or SSH) and configuration information.
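Defining a JIT policy, requesting access, and reading the resulting NSG rule and audit trail, as an added Azure PowerShell example that is not part of the course. VM "vm1" in "rg-vm", the requester IP 203.0.113.10 and the one-hour maximum are assumptions; the `SecurityCenter-JITRule` rule-name prefix is what Defender for Cloud writes into the NSG.

```powershell
# Added example (not from the course slides). Assumes VM "vm1" in rg-vm, Azure Defender
# for servers enabled on the subscription, an NSG attached to the VM's NIC, and an
# admin source IP of 203.0.113.10.
$rg = 'rg-vm'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm1'
$subscriptionId = (Get-AzContext).Subscription.Id

# 1. Policy: which ports may be opened, from where, and for how long at most.
#    '*' as the allowed prefix means the REQUESTER must name a source IP; listing
#    corporate ranges here instead is tighter.
$policy = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT1H' },
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT1H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $vm.Location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($policy) | Out-Null

# 2. Request: ONE port, ONE source IP, until endTimeUtc. Defender inserts a
#    high-priority allow rule above its deny rule (e.g., 100 ALLOW over 4096 DENY).
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Security/locations/$($vm.Location)/jitNetworkAccessPolicies/default"
$request = @{
    id    = $vm.Id
    ports = @(
        @{ number = 22; endTimeUtc = (Get-Date).ToUniversalTime().AddMinutes(30).ToString('o'); allowedSourceAddressPrefix = @('203.0.113.10') }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request) | Out-Null

# 3. Check the NSG on the NIC now carries the temporary allow rule.
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nsgParts = $nic.NetworkSecurityGroup.Id -split '/'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $nsgParts[4] -Name $nsgParts[-1]
$nsg.SecurityRules | Where-Object Name -like 'SecurityCenter-JITRule*' |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange

# 4. Audit: who initiated JIT access in the last 7 days (activity log).
Get-AzLog -ResourceProvider 'Microsoft.Security' -StartTime (Get-Date).AddDays(-7) |
    Where-Object { $_.OperationName.Value -like '*jitNetworkAccessPolicies/initiate*' } |
    Select-Object EventTimestamp, Caller, Status
```

If the NSG is attached to the subnet rather than the NIC, look it up from the subnet ID instead; the rule names and the audit query are the same. A request that asks for `'*'` as its source prefix should be treated as a finding, not an access.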
VM ENDPOINT PROTECTION

Lesson Breakdown: Overview, Features, Implementation, Demonstration

Overview
Microsoft Antimalware: free protection for your Microsoft virtual machines.

• Security Center: integrated with Security Center for centralized administration.
• Supports Windows: supports Windows Server 2008 R2 and above. Does not support Linux.
• Free Protection: Microsoft Antimalware is free (whereas Microsoft Defender for Endpoint is paid).

Microsoft Antimalware: Key Features

• Real-Time Protection: monitors cloud services and virtual machines to detect and block malware execution.
• Protection and Reporting: reports metadata and samples of detected threats to Microsoft to ensure rapid response.
• Malware Remediation: automatically deletes or quarantines malicious files and registry entries.
• Exclusions: allows administrators to configure exclusions for files, processes, and drives. Each exclusion is a gap in coverage, so keep them minimal and justified.
• Automatic Updates: includes automatic updates of signatures, the engine, and the platform itself.
• Auditing: records health, suspicious activities, and remediation actions to event logs (and Azure Storage).

Implementation

• Security Center: deployment and reporting is managed through Security Center.
• VM Extension: the IaaSAntimalware VM extension is deployed to virtual machines to manage configuration and connectivity.
• Agent: supports the agent of the respective Windows operating system, and will apply configuration as appropriate.
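Deploying the extension with an explicit configuration (real-time protection, scheduled scan, a minimal exclusion list) and reading back its status, as an added Azure PowerShell example that is not part of the course. VM "vm1" in "rg-vm" and the SQL Server-style exclusions are assumptions; the publisher, extension type and the settings keys are those of the IaaSAntimalware extension.

```powershell
# Added example (not from the course slides). Assumes Windows VM "vm1" in rg-vm.
# The exclusions shown are placeholders for a SQL Server host.
$rg = 'rg-vm'; $vmName = 'vm1'
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { throw 'Microsoft Antimalware supports Windows VMs only.' }

# Public settings of the IaaSAntimalware extension: real-time protection on, a
# weekly quick scan (day 7 = Saturday, time = minutes after midnight), and a short,
# explicit exclusion list. Every exclusion is a blind spot: keep the list minimal.
$settings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{ isEnabled = $true; day = 7; time = 120; scanType = 'Quick' }
    Exclusions                = @{
        Extensions = '.mdf;.ldf'
        Paths      = 'D:\SQLData;D:\SQLLogs'
        Processes  = 'sqlservr.exe'
    }
} | ConvertTo-Json -Depth 4

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' `
    -TypeHandlerVersion '1.3' -SettingString $settings | Out-Null

# Check: provisioning succeeded and the agent reports a healthy status.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'IaaSAntimalware' -Status
"Provisioning: $($ext.ProvisioningState)"
$ext.Statuses | Select-Object Code, DisplayStatus, Message
```

Deploying through Security Center gives the same result at fleet scale; the value of scripting it is that the exclusion list is versioned and reviewable, which is where antimalware deployments most often quietly lose coverage.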
AZURE DISK ENCRYPTION

Lesson Breakdown: Purpose, Overview, Implementation, Demonstration

Why Do We Need It?
Azure VM disks are encrypted at rest by default with Azure Storage Server-Side Encryption (SSE), which protects the disk files within the Azure global infrastructure. The goal of Azure Disk Encryption (ADE) is to protect the actual volumes (OS, data, and temp) inside the operating system, so that the disk contents cannot be read if a VHD is copied or attached elsewhere without the encryption key.

Overview

• Volume Encryption: encrypts boot (OS) and data volumes to further protect your data.
• Windows and Linux: supports both Windows and Linux virtual machines.
• Extended Encryption: Azure Disk Encryption can be enabled in conjunction with SSE.

Implementation

• Virtual Machine: Azure Disk Encryption can be enabled for a virtual machine (standalone, or within a virtual machine scale set).
• Virtual Machine Extension: a VM extension configures operating system encryption. Linux uses dm-crypt, and Windows uses BitLocker.
• Key Vault: the encryption keys/secrets used as part of the encryption and decryption of data are stored within Azure Key Vault, which must be enabled for disk encryption.

Important Considerations
Some key points to be aware of:

• OS Support: supported on Windows (BitLocker) and Linux (dm-crypt + VFAT).
• VM Support: does not support Basic tier or A-series VMs, or VMs that do not meet the memory requirements.
• Disk Type Support: does not currently support Ephemeral OS Disks.
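Enabling ADE with a Key Vault key encryption key, after checking the considerations above, as an added Azure PowerShell example that is not part of the course. VM "vm1" in "rg-vm" and vault "kv-capsecco" in "rg-sec" are assumed names; the VM-size test implements the rule as the slide states it.

```powershell
# Added example (not from the course slides). Assumes VM "vm1" in rg-vm and Key Vault
# "kv-capsecco" in rg-sec, both in the same region as the VM (an ADE requirement).
$rg = 'rg-vm'; $vmName = 'vm1'; $kvName = 'kv-capsecco'; $kvRg = 'rg-sec'
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $kvRg

# 1. Pre-flight checks from the considerations above (size family, ephemeral OS disk,
#    region). The size rule follows the slide: Basic tier and A-series are out.
$size = $vm.HardwareProfile.VmSize
if ($size -like 'Basic_*' -or $size -match '^Standard_A\d') { throw "$size is not supported by Azure Disk Encryption." }
if ($vm.StorageProfile.OsDisk.DiffDiskSettings) { throw 'Ephemeral OS disks are not supported by ADE.' }
if ($kv.Location -ne $vm.Location) { throw 'Key Vault and VM must be in the same region.' }

# 2. The vault must allow the platform to store the volume encryption key (BEK).
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $kvRg -EnabledForDiskEncryption

# 3. A key encryption key (KEK) that wraps the BEK, so the BEK is never stored
#    unwrapped in the vault. Use -Destination HSM on a Premium vault.
$kek = Get-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -ErrorAction SilentlyContinue
if (-not $kek) { $kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -Destination Software }

# 4. Enable ADE for OS and data volumes (BitLocker on Windows, dm-crypt on Linux).
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 5. Check: both volume types report Encrypted.
Get-AzVmDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

Enabling encryption reboots the VM and, on Windows, BitLocker needs time to encrypt existing data before the status flips to `Encrypted`; the Key Vault access policy in step 2 is the piece that the portal wizard sets for you and a scripted deployment most often forgets.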
MANAGING VM UPDATES

Lesson Breakdown: Overview, Key Components, Workflow, Demonstration

Overview
Azure Update Management: automated and centralized update management.

• Patch Management: patch management, scheduling, and reporting.
• Windows and Linux: supports both Windows and Linux virtual machines.
• Hybrid Support: can manage updates for machines inside and outside of Azure.

Azure Update Management: Components

• Automation Account: the service that facilitates process automation and configuration management.
• Hybrid Runbook Worker: a customer-managed Windows or Linux operating system that performs the update tasks.
• Log Analytics Workspace: the repository for log information; in this scenario, update management data (assessment and deployment results).
• Log Analytics Agent: the software that routes log/metric data from the Linux or Windows operating system to the workspace.

Azure Update Management: Workflow

1. The Log Analytics agent on the operating system reports update status to the workspace (pre-update assessment).
2. In the Automation Account, configure update schedules and review update assessments and deployment statuses.
3. The Hybrid Runbook Worker checks for a maintenance window and a scheduled deployment.
4. Updates commence on the operating system: pre-steps, then the updates themselves via the Windows Update Agent or Yum/APT/Zypper, then post-steps.
5. The agent reports status (post-update) back to the workspace.
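The workflow above driven from PowerShell, as an added example that is not course code: query the pre-update assessment in the workspace, create the maintenance window, deploy only Critical and Security classifications, and read the post-update run status. The Automation Account "aa-capsecco", workspace "law-capsecco" (both in "rg-ops") and VM "vm1" in "rg-vm" are assumed names, and the KQL is written against the documented `Update` table.

```powershell
# Added example (not from the course slides). Assumes Automation Account "aa-capsecco"
# linked to Log Analytics workspace "law-capsecco" (both in rg-ops) with Update
# Management enabled, and a Windows VM "vm1" in rg-vm that is already onboarded.
$rg = 'rg-ops'; $aa = 'aa-capsecco'
$vm = Get-AzVM -ResourceGroupName 'rg-vm' -Name 'vm1'
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-capsecco'

# 1. Pre-update assessment (workflow step 1): which security updates are missing?
$query = @'
Update
| where TimeGenerated > ago(1d) and UpdateState == "Needed" and Classification == "Security Updates"
| summarize Missing = dcount(Title) by Computer
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query).Results |
    Format-Table -AutoSize

# 2. Maintenance window (step 2): weekly, Sunday 02:00 UTC, two-hour duration.
$start = (Get-Date).Date.AddDays(1).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa `
    -Name 'weekly-security-updates' -StartTime $start -WeekInterval 1 -DaysOfWeek Sunday `
    -TimeZone 'UTC' -ForUpdateConfiguration

# 3. Deployment: only Critical and Security classifications, reboot only if required
#    (steps 3 and 4 run on the worker/agent when the window opens).
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -Schedule $schedule -Windows -AzureVMResourceId @($vm.Id) `
    -IncludedUpdateClassification Critical, Security -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired | Out-Null

# 4. Post-update status (step 5): outcome of the most recent runs.
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $aa |
    Sort-Object StartTime -Descending | Select-Object -First 5 Name, Status, StartTime, EndTime
```

Restricting the classification list is a deliberate trade-off: it keeps the window short and predictable for security patches, but feature and rollup updates then need their own schedule rather than being forgotten.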
SECTION CONCLUSION: SECURING VIRTUAL MACHINES

Protect the VM: Defense in Depth
We spoke of a number of ways to protect the different layers of VM security:

• Access: management access protected with just-in-time access and Azure Bastion.
• Operating System: kept up to date and protected against malware.
• Storage: encrypted with Server-Side Encryption and Azure Disk Encryption.
• Infrastructure: managed and secured by Microsoft.

Recap

• Azure Bastion: the remote administrator uses the HTML5 web client over port 443 (TLS) to reach a Bastion host in the AzureBastionSubnet; VMs in the virtual network and in peered virtual networks are reachable without public IPs.
• Just-in-Time VM Access: requires Azure Defender for Servers and works by managing Azure Firewall and NSGs (e.g., 4096 DENY ALL on the management port, 100 ALLOW RDP while a request is active); access policies define port, protocol, and allowed source IPs; the activity log provides the audit trail for remote management (e.g., RDP or SSH).
• Microsoft Antimalware: deployment and reporting through Security Center, delivered as a VM extension that configures the Windows agent.
• Azure Disk Encryption: SSE encrypts the disks in Azure Storage; ADE encrypts the OS, data, and temp volumes inside the operating system.
• Azure Update Management: Automation Account, Hybrid Runbook Worker, Log Analytics Workspace, and Log Analytics Agent working together to assess and deploy updates.
SECTION INTRODUCTION: SECURING APPLICATIONS WITH AZURE AD

Section Breakdown
• Identities for Apps
• Managed Identities
• Secure Access to APIs
• Permissions and Consent

The Goal of This Section: Defense in Depth
Leveraging Azure AD to securely authenticate applications and access resources.

• Securing Applications: securing the solutions we build.
• Securing the Platform: securing the Azure services we use (e.g., networking, compute, data).
• Identity and Access Management: securing access to resources and identity itself.
• Azure Active Directory (AD): the identity platform upon which security heavily relies.
SERVICE PRINCIPALS

Lesson Breakdown: Overview, Authentication Methods, Demonstration

Authenticating an Application
Let's assume the role of a developer creating a web app that can access resources in an Azure subscription. The developer authenticates to Azure AD with a user account (username + password); the web app needs an identity of its own in Azure AD: a service principal.

Authentication: Client Secret
A service principal can authenticate using a client secret, which is similar to a password for a user.

Authentication: Client Certificate
Considered more secure than a client secret, an app can also authenticate with a client certificate: the app proves possession of the private key, and only the public certificate is registered in Azure AD.

Authorization: RBAC
Authorization to Azure resources works similarly to user accounts, leveraging role-based access control (RBAC): a role assignment for the service principal grants it permissions on the subscription (or, preferably, a narrower scope).
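Creating a service principal with a certificate credential (no client secret) and a narrowly scoped role assignment, then signing in as it, as an added Azure PowerShell example that is not part of the course. The display name "capsecco-webapp", resource group "rg-data" and role are assumptions; `New-SelfSignedCertificate` is a Windows cmdlet, so on other platforms the certificate would be generated with openssl instead.

```powershell
# Added example (not from the course slides). Names (capsecco-webapp, rg-data, the
# role) are placeholders. New-SelfSignedCertificate is Windows-only.
$tenantId = (Get-AzContext).Tenant.Id

# 1. Certificate credential: the private key stays in the local store (non-exportable);
#    only the public certificate is registered with Azure AD.
$cert = New-SelfSignedCertificate -Subject 'CN=capsecco-webapp' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)
$certValue = [Convert]::ToBase64String($cert.GetRawCertData())

# 2. Service principal whose only credential is the certificate (no client secret).
#    The property is AppId in Az.Resources 5+ (ApplicationId in older versions).
$sp = New-AzADServicePrincipal -DisplayName 'capsecco-webapp' -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 3. Authorization is separate from authentication: a narrow role at a narrow scope,
#    not Contributor on the subscription.
New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName 'Storage Blob Data Reader' `
    -ResourceGroupName 'rg-data' | Out-Null

# 4. Checks (as the administrator): the effective assignments are only what we
#    granted, and the credential has an expiry we must rotate before.
Get-AzRoleAssignment -ServicePrincipalName $sp.AppId | Select-Object RoleDefinitionName, Scope
"Certificate expires: $($cert.NotAfter.ToString('u'))"

# 5. The app signs in with the certificate thumbprint; nothing secret is in this script.
Connect-AzAccount -ServicePrincipal -ApplicationId $sp.AppId -TenantId $tenantId `
    -CertificateThumbprint $cert.Thumbprint | Out-Null
```

The two things to monitor afterwards are the credential expiry (a certificate that silently expires becomes an outage, one that never expires becomes a liability) and any role assignment that drifts beyond the scope in step 3.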


MANAGED IDENTITIES

Lesson Breakdown: Overview, Key Components, Demonstration

How Do They Help?
Is there a better way to authenticate with service principals? We've learnt about managing client secrets and certificates to perform authentication; these authentication credentials must be stored, rotated, and protected by the developer.

Managed identities leverage the Azure platform to perform authentication without the need for client secrets or certificates: for Azure resources such as a web app, the platform itself handles authentication to Azure AD (platform authentication) on behalf of the resource's managed identity.

Features of Managed Identities

1. Azure AD Identities for Azure Resources: the platform manages Azure AD identities for Azure resources.
2. Credential Security: avoids the need to store credentials for your application/script within code or configuration.
3. Support for Several Azure Resources: many services support managed identities, and these can authenticate to any service that supports Azure AD authentication.

Key Components

• Managed Identity: an Azure resource must be assigned a system-assigned or user-assigned managed identity (only services that support managed identities can be assigned one).
• Azure AD Service Principal: the managed identity establishes a service principal within Azure AD, to which RBAC roles and permissions can be assigned.
• Token Endpoint: Azure AD provides this as the place from which the resource retrieves an access token for a target service (via a REST call made by the resource).
• Access Token: the access token is presented to the target service, which must support Azure AD authentication; the resource never handles a secret or certificate.
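The key components above end to end, as an added example (not course code): assign a system-assigned identity to a VM and grant it a role, then, from inside the VM, obtain an access token from the token endpoint and present it to the target service. VM "vm1" in "rg-vm", Key Vault "kv-capsecco" (RBAC permission model) and secret "db-password" are assumptions; the 169.254.169.254 instance metadata endpoint and its `Metadata: true` header are the documented token endpoint for managed identities on VMs.

```powershell
# Added example (not from the course slides). Part A runs from an admin workstation;
# part B runs inside the VM. Assumes VM "vm1" in rg-vm and Key Vault "kv-capsecco"
# (RBAC permission model) holding the secret "db-password".

# --- Part A: give the VM an identity and a role. No credential is created. ---
$rg = 'rg-vm'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm1'
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
# PrincipalId is the service principal Azure AD created for the VM.
$principalId = (Get-AzVM -ResourceGroupName $rg -Name 'vm1').Identity.PrincipalId
$kv = Get-AzKeyVault -VaultName 'kv-capsecco'
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $kv.ResourceId | Out-Null

# --- Part B: inside the VM. The token endpoint is the local instance metadata
# service; the platform vouches for the VM, so no secret or certificate exists. ---
$imds     = 'http://169.254.169.254/metadata/identity/oauth2/token'
$resource = 'https://vault.azure.net'
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } `
    -Uri "$imds`?api-version=2018-02-01&resource=$([uri]::EscapeDataString($resource))"

# The token is scoped to ONE resource (its audience is vault.azure.net). Request a
# separate token for any other API instead of reusing this one.
$expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$tokenResponse.expires_on)
"Token for $($tokenResponse.resource) expires at $expires"

# Present the token to the target service (Key Vault), which validates it.
$secret = Invoke-RestMethod -Method Get `
    -Uri 'https://kv-capsecco.vault.azure.net/secrets/db-password?api-version=7.3' `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
"Secret retrieved; version $($secret.id.Split('/')[-1])"
```

With the Az module installed in the VM, `Connect-AzAccount -Identity` followed by `Get-AzAccessToken -ResourceUrl 'https://vault.azure.net'` does the same IMDS call for you; the raw request is shown here so the token endpoint and the per-resource audience are visible.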


API Access to Microsoft
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Recap of APIs

API Access to Microsoft Graph API

Securing APIs

Microsoft Authentication

James Lee
Training Architect
API ACCESS TO MICROSOFT

Why Do We Need APIs?

APIs are something you already use in your day-to-day lives. They’re just as helpful when developing solutions in
the cloud, or even traditionally.

Customer Server Chef


API ACCESS TO MICROSOFT

Why Do We Need APIs?

We’ve already been using an API extensively when working with Azure.

Azure Resource Manager

Client Tools and Apps Azure Resources


REST API
API ACCESS TO MICROSOFT

Microsoft Graph

Microsoft Graph is a gateway to volumes of information stored across Microsoft 365 services. This includes data
from Microsoft 365, Windows 10, and Enterprise Mobility + Security.

(Diagram: User > Application > Microsoft Graph API > Device, Calendar, Mail, Files, User Information)


API ACCESS TO MICROSOFT

Protecting Resource Permissions

In accordance with the OAuth 2.0 standard, access to a resource can be controlled granularly through the use of
resource permissions (also known as scopes). Example Microsoft Graph permissions:

Calendars.ReadWrite.Shared: Read and write user and shared calendars.
Calendars.ReadWrite: Have full access to user calendars.
Mail.Read: Read user mail.
User.Read.All: Read all users' full profiles.
User.ReadWrite.All: Read and write all users' full profiles.

(Diagram: Microsoft Graph API > Device, Calendar, Mail, Files, User Information)


API ACCESS TO MICROSOFT

OAuth 2.0 Authentication Flow

Let’s consider the flow of information required when a web application accesses an API on behalf of a user.

(Diagram: User > Application > Azure AD > Microsoft Graph)

1. The user opens the web app.
2. The user logs in to Azure AD and consents to the requested permissions (e.g., User.ReadWrite.All, Mail.Read).
3. Azure AD returns a token to the web app.
4. The web app uses the token to retrieve data from Microsoft Graph.

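The four-step flow above is the OAuth 2.0 authorization code flow. As an added example (not code from the course), the Python below implements the web app's side of it against the Azure AD v2.0 endpoints: step 1-2 builds the login-and-consent URL with the requested scopes, step 3 validates the redirect carrying the authorization code, and step 4 prepares the token request. Two protections the slide does not spell out are included: a per-login state value that ties the callback to the session that started it, and PKCE, so that an authorization code on its own cannot be redeemed. The tenant, client ID, redirect URI and authorization code values used are constructed placeholders.

```python
"""Authorization code flow for a web app using Azure AD v2.0 endpoints (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

V2_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 challenge: sent in step 1-2, compared by Azure AD against the verifier
    sent in step 4, so a stolen authorization code is useless without the verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def parse_query(url):
    """Flatten a URL's query string into a dict of first values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthCodeClient:
    """The web app's side of the flow. `pending` stands in for the server-side
    session store that ties a browser session to its state and verifier."""

    def __init__(self, tenant, client_id, redirect_uri):
        self.authorize_url = V2_ENDPOINT.format(tenant=tenant) + "authorize"
        self.token_url = V2_ENDPOINT.format(tenant=tenant) + "token"
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending = {}  # state -> code_verifier

    def start(self, scopes):
        """Steps 1-2: build the URL the browser is sent to for login and consent."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)  # 86 chars, within PKCE's 43-128 limit
        self.pending[state] = verifier
        params = {
            "client_id": self.client_id,
            "response_type": "code",
            "redirect_uri": self.redirect_uri,
            "response_mode": "query",
            "scope": " ".join(scopes),  # delegated permissions the user is asked to consent to
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        }
        return self.authorize_url + "?" + urlencode(params)

    def handle_redirect(self, redirect_url):
        """Step 3: Azure AD sends the browser back with code and state. Returns the
        step 4 token request only when the state matches an outstanding login;
        the state is removed so the same callback cannot be replayed."""
        q = parse_query(redirect_url)
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            raise ValueError("unknown or reused state: dropping callback")
        if "error" in q:
            raise ValueError("authorization failed: " + q["error"])
        body = {
            "client_id": self.client_id,
            "grant_type": "authorization_code",
            "code": q["code"],
            "redirect_uri": self.redirect_uri,
            "code_verifier": verifier,
            # a confidential client adds client_secret (or a certificate assertion) here
        }
        return self.token_url, body
```

The token request body is POSTed as a form to the token URL; the JSON response carries the access token used in step 4 against Microsoft Graph.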

Delegated Permissions
and Consent
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Overview
Delegated App Registration

Permissions and Managing Permissions

Consent Demonstration

James Lee
Training Architect
DELEGATED PERMISSIONS AND CONSENT

Building a Web App to Use Delegated Permissions

Let’s assume the role of a developer creating a web app that can read and write through the Microsoft Graph API.
Our focus is on security, but it helps to understand how this is set up.

(Diagram: User > Web App > Azure AD > Microsoft Graph)


Develop the Web App
We need to develop a web app to interact with the Microsoft Graph API on behalf of a user.
Register the Application in Azure AD
The application needs to be registered in Azure AD, including configuration of the authentication method (e.g., client secret).
Configure the Permissions
The application registration should be configured to include the permissions it requires of the Microsoft Graph API.
DELEGATED PERMISSIONS AND CONSENT

Managing Permissions and Consent

Users are able to consent to permissions that do not require administrator consent, but they cannot consent to
wide-ranging permissions like unrestricted read/write access to all user information.

(Diagram: User > Web App > Azure AD > Microsoft Graph)

User Consent
A Global Administrator is able to modify the default
behavior: Azure AD > Enterprise Apps >
Consent > User Settings
DELEGATED PERMISSIONS AND CONSENT

Managing Permissions and Consent

Administrators can provide tenant-wide consent for permissions.

(Diagram: Admin > Web App > Azure AD > Microsoft Graph)

Tenant-Wide Consent
Tenant-wide consent requires Global Admin, Privileged Role Admin, App Admin, or Cloud App Admin privileges.
Application Permissions
and Consent
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Overview
Application App Registration

Permissions and Managing Permissions

Consent Demonstration

James Lee
Training Architect
APPLICATION PERMISSIONS AND CONSENT

Building a Service to Use Application Permissions

Let’s assume the role of a developer creating a non-interactive service that can read and write through the
Microsoft Graph API. This application will authenticate as itself and require application permissions.

(Diagram: Service/Daemon > Azure AD > Microsoft Graph)


Develop the Application
We need to develop an application to interact with the Microsoft Graph API directly.
Register the Application in Azure AD
The application needs to be registered in Azure AD, including configuration of the authentication method (e.g., client secret).
Configure the Permissions
The application registration should be configured to include the permissions it requires of the Microsoft Graph API.
APPLICATION PERMISSIONS AND CONSENT

Managing Permissions and Consent

Administrators can provide consent for application permissions.

(Diagram: Admin > Web App > Azure AD > Microsoft Graph)

Admin Consent
Consenting to application permissions requires Global Admin or Privileged Role Admin privileges.
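The delegated-permission lesson and this application-permission lesson both end at the same place: an API receiving a token must work out which kind of permission it carries. As an added example (not code from the course), the Python below shows how the two kinds differ inside a Microsoft identity platform access token: delegated permissions arrive as a space-separated scp claim (granted through user consent), application permissions as a roles array (granted through admin consent), and a well-formed token carries one or the other. The checks also cover audience and validity window, which every API must enforce before looking at permissions. Signature verification against the tenant's published signing keys must happen before any of these claims are trusted; it needs network access to tenant metadata and is left out of this offline example, so the tokens built here carry a constructed placeholder signature. The audience and permission names are placeholders or Microsoft Graph names taken from the slides.

```python
"""Distinguish delegated (scp) from application (roles) permissions in a token (added example)."""
import base64
import json
import time


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is NOT checked here; a real API verifies it (RS256, tenant
    signing keys) before trusting anything returned by this function.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def permission_kind(claims):
    """Delegated tokens carry 'scp'; application tokens carry 'roles'.
    A token with both is malformed and is treated as carrying neither."""
    has_scp = "scp" in claims
    has_roles = bool(claims.get("roles"))
    if has_scp and has_roles:
        return "invalid"
    if has_scp:
        return "delegated"
    if has_roles:
        return "application"
    return "none"


def authorize(token, audience, scope=None, app_role=None, now=None):
    """Return (allowed, kind, reason) for an API endpoint that accepts the
    delegated permission `scope` and/or the application permission `app_role`."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    if claims.get("aud") != audience:
        return False, "none", "audience mismatch"
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False, "none", "token not yet valid or expired"
    kind = permission_kind(claims)
    if kind == "delegated":
        if scope and scope in claims["scp"].split():
            return True, kind, "scope %s granted by user consent" % scope
        return False, kind, "scope %s not in scp" % scope
    if kind == "application":
        if app_role and app_role in claims["roles"]:
            return True, kind, "app role %s granted by admin consent" % app_role
        return False, kind, "role %s not in roles" % app_role
    return False, kind, "token carries no usable permission claims"


def make_unsigned_token(claims):
    """Build a constructed token for the checks above. The third segment is a
    placeholder, not a signature, which is why decode_claims must never be the
    only validation in production code."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".CONSTRUCTED-SIGNATURE-NOT-VERIFIED"
```

A practical consequence of the split: an endpoint that only checks scp silently rejects every daemon, and one that only checks roles lets a user-consented token through only if it also happened to carry roles, which it never does. Checking the kind first, as above, makes the decision explicit.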
Section Conclusion
James Lee
TRAINING ARCHITECT
SECTION CONCLUSION: SECURING APPLICATIONS WITH AZURE AD

Service Principals

We use service principals to provide an identity for an application within Azure AD.

Authentication: CLIENT SECRET OR CLIENT CERTIFICATE
Authorization: RBAC OR APP PERMISSIONS

(Diagram: App > Client Secret / Client Certificate > Service Principal in Azure AD; Role Assignment for Service Principal in the Azure Subscription)


SECTION CONCLUSION: SECURING APPLICATIONS WITH AZURE AD

Managed Identities

Managed identities provide supported Azure resources a more secure way to authenticate against Azure AD.

Authentication: PLATFORM-MANAGED
System-Assigned: tied to the resource.
User-Assigned: managed by the user.

(Diagram: App > Platform Authentication > Service Principal in Azure AD; Azure Subscription)


SECTION CONCLUSION: SECURING APPLICATIONS WITH AZURE AD

API Access to Microsoft

Applications registered in Azure AD can be configured to access resources via an API using permissions.

(Diagram: User > App > Microsoft Graph API > Device, Calendar, Mail, Files, User Information)


SECTION CONCLUSION: SECURING APPLICATIONS WITH AZURE AD

Delegated Permissions and Consent

Applications accessing resources on behalf of a user require delegated permissions and consent.

Consent: User Settings (user consent) or Admin/Tenant Consent (e.g., for User.ReadWrite.All, Mail.Read).

(Diagram: User > App > Azure AD > Microsoft Graph API > Device, Calendar, Mail, Files, User Information)


SECTION CONCLUSION: SECURING APPLICATIONS WITH AZURE AD

Application Permissions and Consent

Applications accessing resources as themselves (without a signed-in user) require application permissions and admin consent.

Consent to App Permissions: Admin (e.g., for User.ReadWrite.All, Mail.Read).

(Diagram: App > Azure AD > Microsoft Graph API > Device, Calendar, Mail, Files, User Information)


Section Introduction
James Lee
TRAINING ARCHITECT
SECTION BREAKDOWN

Overview

Securing Data Administration

with Key Vault Backup and Recovery

James Lee
Training Architect
SECTION INTRODUCTION: SECURING DATA WITH KEY VAULT

The Goal of This Section

Securing Application Data
Key Vault is an important Azure service that helps to secure data used for applications, automation, and administration.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., networking, compute, data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform upon which security heavily relies.
Key Vault Overview
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Overview
Key Vault Access Control

Overview Demonstration

James Lee
Training Architect
KEY VAULT OVERVIEW

Overview

When securing applications, we often have to store secret information that an application needs to access
programmatically.

(Diagram: App / Compute > Key Vault APIs > Key Vault holding a Certificate, a Secret, and a Key)

Important Features

Data Types
Supports data types commonly leveraged by modern cloud apps, including secrets, keys, and certificates.

Secure Storage
Provides support for FIPS 140-2 Level 3 hardware security modules (HSM) or secure software-protected storage.

Accessible
Designed for programmatic access with centralized, secure accessibility through a REST endpoint.
KEY VAULT OVERVIEW

Important Components

Key Vault
Secure storage (software protection or hardware security modules (HSM)) accessible by a REST API.

Secret Information
Support for secrets, keys, and certificates. This also includes some additional management capabilities.

Access Control
Access to the Key Vault data plane can be controlled through either access policies or RBAC.

(Diagram: Key Vault with a Management Plane and a Data Plane; Access Control sits in front of the Data Plane)
KEY VAULT OVERVIEW

Access Control

Access Policies vs RBAC

Access Policies
• Traditional model for controlling access to the data plane.
• Key Vault approach to security leveraging Azure AD identities.
• Access policies take effect immediately.
• Applies access control to objects within the entire Key Vault.

RBAC
• Newer model for controlling access to the data plane.
• Familiar approach to security leveraging Azure AD identities.
• RBAC assignments can take some time to take effect.
• Supports granular control at an individual object level.
Key Vault Administration
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Managing Objects

Key Vault Version Control

Lifecycle Control
Administration Demonstration

James Lee
Training Architect
KEY VAULT ADMINISTRATION

Common Administrative Tasks

Managing Objects
Keys and certificates can be either generated or imported. Secrets can be created (as a binary object).

Version Control
Multiple versions of objects can exist. This helps for rotation of security objects, minimizing downtime.

Lifecycle Control
Activation and expiration dates can be configured for versions of objects. They also can be enabled/disabled.

(Diagram: Key Vault containing secret1 (v1), key1 (v1, v2) and cert1, each version with Activate: mm/dd/yyyy and Expire: mm/dd/yyyy)
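Version control and lifecycle control only minimize downtime if the consuming application chooses versions by their attributes rather than by name. As an added example (not code from the course or the Key Vault SDK), the Python below models a Key Vault object's versions with the attributes shown on the slide (enabled, an activation date and an expiration date) and answers the questions a consumer and an operator ask: which version should be used right now, which versions are close to expiry and therefore due for rotation, and whether consecutive versions overlap so that there is never a moment with no usable version. The version data is constructed; the code describes client-side selection logic and makes no claim about what the service itself enforces for a given object type.

```python
"""Version selection and rotation checks over Key Vault object attributes (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference date


def day(n):
    """Constructed timestamp helper: n days after EPOCH."""
    return EPOCH + timedelta(days=n)


@dataclass(frozen=True)
class ObjectVersion:
    """One version of a secret, key or certificate with its lifecycle attributes."""
    name: str
    version: str
    created: datetime
    enabled: bool = True
    not_before: Optional[datetime] = None  # "Activate" date on the slide
    expires: Optional[datetime] = None     # "Expire" date on the slide


def is_usable(v: ObjectVersion, now: datetime) -> bool:
    """Usable means enabled, past its activation date and before its expiry."""
    if not v.enabled:
        return False
    if v.not_before is not None and now < v.not_before:
        return False
    if v.expires is not None and now >= v.expires:
        return False
    return True


def pick_version(versions: List[ObjectVersion], now: datetime) -> Optional[ObjectVersion]:
    """Newest usable version; None means every version is disabled, pending or expired."""
    usable = [v for v in versions if is_usable(v, now)]
    return max(usable, key=lambda v: v.created) if usable else None


def expiring_within(versions, now, window_days=30):
    """Usable versions whose expiry falls inside the window: the rotation trigger."""
    window = timedelta(days=window_days)
    return [v for v in versions
            if is_usable(v, now) and v.expires is not None and v.expires - now <= window]


def rotation_gap(versions) -> Optional[Tuple[ObjectVersion, ObjectVersion]]:
    """First (old, new) pair whose validity windows do not overlap, else None.
    A successor must become active no later than its predecessor expires,
    otherwise consumers hit a window with no usable version."""
    timed = sorted((v for v in versions if v.enabled and v.expires is not None),
                   key=lambda v: v.created)
    for old, new in zip(timed, timed[1:]):
        start = new.not_before or new.created
        if start > old.expires:
            return old, new
    return None
```

In practice the expiring_within report is what an operator alerts on, and rotation_gap is the check to run when a new version is created with a future activation date.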
Key Vault Backup and
Recovery
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Soft Delete

Key Vault Backup Purge Protection

Backup and Recovery


and Recovery Demonstration

James Lee
Training Architect
KEY VAULT BACKUP AND RECOVERY

Common Backup and Recovery Tasks

Soft-Delete
Soft-delete provides recycle bin-like functionality so items can be recovered for a retention period.

Purge Protection
Purge protection ensures soft-deleted items cannot be purged until the retention period has elapsed.

Backup and Recovery
Backup is possible (but not recommended). Recovery is managed by the platform by default.

(Diagram: Key Vault holding secret1, key1 and cert1; labels: Same subscription, Region Pair)
Section Conclusion
James Lee
TRAINING ARCHITECT
SECTION CONCLUSION: SECURING DATA WITH KEY VAULT

Key Vault Overview

Key Vault
Secure storage (software protection or hardware security modules (HSM)) accessible by a REST API.

Secret Information
Support for secrets, keys, and certificates. This also includes some additional management capabilities.

Access Control
Access to the Key Vault data plane can be controlled through either access policies or RBAC.

(Diagram: Key Vault with a Management Plane and a Data Plane; Access Control sits in front of the Data Plane)
SECTION CONCLUSION: SECURING DATA WITH KEY VAULT

Common Administrative Tasks

Managing Objects
Keys and certificates can be either generated or imported. Secrets can be created (as a binary object).

Version Control
Multiple versions of objects can exist. This helps for rotation of security objects, minimizing downtime.

Lifecycle Control
Activation and expiration dates can be configured for versions of objects. They also can be enabled/disabled.

(Diagram: Key Vault containing secret1 (v1), key1 (v1, v2) and cert1, each version with Activate: mm/dd/yyyy and Expire: mm/dd/yyyy)
SECTION CONCLUSION: SECURING DATA WITH KEY VAULT

Common Backup and Recovery Tasks

Soft-Delete
Soft-delete provides recycle bin-like functionality so items can be recovered for a retention period.

Purge Protection
Purge protection ensures soft-deleted items cannot be purged until the retention period has elapsed.

Backup and Recovery
Backup is possible (but not recommended). Recovery is managed by the platform by default.

(Diagram: Key Vault holding secret1, key1 and cert1; labels: Same subscription, Region Pair)
Section Introduction
James Lee
TRAINING ARCHITECT
SECTION BREAKDOWN

Securing Apps

Isolating Apps
Securing Application Securing Containers

Hosting

James Lee
Training Architect
SECTION INTRODUCTION: SECURING APPLICATION HOSTING

The Goal of This Section

The App Host
We’ll discuss important security considerations for several of Azure’s application hosting services.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., networking, compute, data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform upon which security heavily relies.
Azure App Service
Security
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

General Considerations

Azure App Service Configuring Certificates

Using Certificates in Code


Security Demonstration

James Lee
Training Architect
AZURE APP SERVICE SECURITY

General Considerations

When securing an app running in Azure App Service, it’s important to understand how the service is operated.

(Diagram: Users > Internet > Azure App Service (App Service Plan, on Microsoft Global Infrastructure) > VNet via VNet Integration or Hybrid Connections)


AZURE APP SERVICE SECURITY

Configuring SSL/TLS Certificates

(Diagram: Users > https://www.capsecco.com / https://capseccoapp.azurewebsites.net > www Certificate)

Custom Domain
An app must be running on an App Service plan that supports custom domains (all except free pricing).

Certificate
To facilitate secure HTTPS encryption, a private certificate must be uploaded (password-protected PFX with 3DES).

Binding
To enable HTTPS access, a binding must be configured using a domain (SNI SSL) or a public IP address (IP SSL).
AZURE APP SERVICE SECURITY

Accessing Certificates with Code

App Setting
To load certificates, you must configure the app setting
WEBSITE_LOAD_CERTIFICATES = <comma-separated-certificate-thumbprints>

Certificates
Both private and public certificates can be used from within code.

Code
The app itself must leverage the certificates using the features/functions of the respective programming language.

(Diagram: Certificate > WEBSITE_LOAD_CERTIFICATES > Code > Remote Service/App/Site)
Azure Functions Security
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

General Considerations

Azure Functions Configuring SSL/TLS

Function Access Keys


Security Demonstration

James Lee
Training Architect
AZURE FUNCTIONS SECURITY

General Considerations

When securing function apps in Azure, it’s important to understand how the service is operated.

(Diagram: Users > Internet > Azure Functions (on Microsoft Global Infrastructure) > VNet via VNet Integration or Hybrid Connections)


AZURE FUNCTIONS SECURITY

Configuring SSL/TLS

(Diagram: Users > https://www.capsecco.com > Certificate > Code)

Securing Website Access
Requires a custom domain, an SSL certificate (PFX format, 3DES), and a binding. Consumption plan supported.

Leveraging Certificates with Code
To load certificates, you must configure
WEBSITE_LOAD_CERTIFICATES = <comma-separated-certificate-thumbprints>.

Enforcing HTTPS
You can redirect all HTTP requests to the HTTPS port by configuring HTTPS Only.
AZURE FUNCTIONS SECURITY

Function Access Keys

Host Keys
Can be used to access any function within the function app. A master key also exists for full administrative access.

Function Keys
Function keys provide access for a given function only. They take precedence over host keys if both are named the same.

Key Rotation
Keys can be rotated manually by creating multiple keys for app/client use and renewing key values as required.

(Diagram: Master Key and Host Key at the function app level; Function Keys per function)
App Service Environment
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

App Service Overview

Architecture

Environment Demonstration

James Lee
Training Architect
App Service Environment

Dedicated Environment
Deployed to a virtual network (and dedicated hosts).

Secure Access
Access can be configured for either internal or external use.

High Scale
Leverage greater scale-out limits for hyperscale.
APP SERVICE ENVIRONMENT

Architecture

Hosting
Normal deployment uses multi-tenant hypervisors. Dedicated hosts can be used for further isolation.

Network
An App Service Environment (ASE) is deployed to an ASE subnet within a customer’s virtual network. Apps can communicate through the VNet.

Accessibility
Can be accessed publicly (external ASE) with public DNS, or privately (internal ASE) with private DNS zones.

App Service Plan (ASP)
An app is deployed to an ASP, which is deployed to an ASE. These are used as normal (based on OS and resources).

(Diagram: Virtual Network > App Service Environment (ILB or Public IP) > App Service Plan(s))
Azure Container Registry
Security
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Recap of Containers

Access Control

Azure Container Content Trust

Registry Security General Considerations

Demonstration

James Lee
Training Architect
AZURE CONTAINER REGISTRY SECURITY

Recap of Containers

Let’s quickly recap some of the key components of a solution built with containers.

(Diagram: Dockerfile > Container Image in a Container Registry > Container run by a Container Engine)

Dockerfile:

FROM nginx:alpine
WORKDIR /usr/share/nginx/html
COPY ./index.html ./
AZURE CONTAINER REGISTRY SECURITY

Access Control

Admin Account
Disabled by default, an admin account includes two access keys that provide full unfettered access to a registry.

Azure AD (RBAC)
Azure AD identities (e.g., service principals) can be provided access to ACR (e.g., using the roles AcrPush or AcrPull).

Network Security
The Premium SKU supports security features such as dedicated endpoints, private endpoints, and network rules.

(Diagram: Service Principal > ~$ docker push image (AcrPush) / ~$ docker pull image (AcrPull) > Container Image in the Container Registry > Container Engine)
AZURE CONTAINER REGISTRY SECURITY

Content Trust

Registry Level Trust
Content trust is enabled at the Azure Container Registry level. This requires the Premium SKU.

Pushing Signed Images
Users must be assigned AcrImageSigner permissions (plus AcrPush). The first push of a signed image creates signing keys.

Pulling Signed Images
When a consumer enables content trust for their Docker client, only signed images will be available.

(Diagram: ~$ export DOCKER_CONTENT_TRUST=1 followed by ~$ docker push image, from the publisher to the Container Registry and on to the Consumer)
AZURE CONTAINER REGISTRY SECURITY

General Security Considerations

ACR Tasks
Helps to automate tasks like
image builds, OS and
framework patching, and more.

Image Scanning
Container images should be
scanned regularly for
vulnerabilities.

Credential Protection
We can use services like
managed identities and Azure
Key Vault to help secure
credentials.
Azure Container Instances
Security
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

General Guidelines

Azure Container Variables

Container Groups
Instances Security Demonstration

James Lee
Training Architect
AZURE CONTAINER INSTANCES SECURITY

General Guidelines

Let’s consider how Azure Container Instances fits within an overarching container strategy.

(Diagram: Container Image in a Container Registry > Automation > Container Group (Container, Container) in Azure Container Instances)
AZURE CONTAINER INSTANCES SECURITY

Variables

Purpose of Variables
Variables help provide dynamic information to containers (so it doesn’t have to be baked into the image).

Environment Variables
Environment variables can be configured when a container instance is created. They use key-value pairs.

Secure Values
When using secure as an environment variable type, this data is only accessible from within the container.

(Diagram: Image > Container in Azure Container Instances, with environment variables such as
value: "sqlserver1" and secureValue: "******")
AZURE CONTAINER INSTANCES SECURITY

Container Groups

Purpose
When building an application sidecar for things like logging, monitoring, or when a second attached process is needed.

Hosting
Container group containers are scheduled on the same host machine and share a lifecycle, resources, network, and storage.

Configuration
Can be deployed via ARM or YAML, but only support Linux. Can sit behind a public IP with optional exposed ports.

(Diagram: Container Group with two Containers in Container Instances)
Azure Kubernetes Service
Security
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

General Guidelines

Azure Kubernetes Legacy Azure AD Integration

AKS-Managed Azure AD Integration


Service Security Demonstration

James Lee
Training Architect
AZURE KUBERNETES SERVICE SECURITY

General Guidelines

Master Security
Microsoft manages master components. You should keep the version up to date when possible and use private clusters if needed.

Node Security
Nodes are Azure VMs that customers manage/maintain. Linux patching is scheduled nightly. Windows patching must be configured.

Kubernetes Secrets
Prevents secret information from being stored in the YAML manifest. Instead, the data is provided through the Kubernetes API to a Pod.

(Diagram: Virtual Network with a Management VM, the Control Plane, and Nodes/Node Pools running Pods; Kubernetes Secret; Administration)
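The Container Instances lesson (secure values) and the Kubernetes Secrets guideline above make the same point for two manifest formats: a credential must not appear as a plain value in the deployment definition. As an added example (not code from the course), the Python below is a small manifest check that walks both shapes, the ACI container group structure (properties.containers[].properties.environmentVariables[] with value or secureValue) and a Kubernetes Pod or workload (containers[].env[] with value or valueFrom.secretKeyRef), and reports environment variables whose name suggests a credential but whose value is given in plaintext. The name heuristic and the sample manifests are constructed; the manifest shapes follow the documented formats.

```python
"""Find plaintext credentials in ACI and Kubernetes manifests (added example)."""
import re

# Constructed heuristic: variable names that usually hold a credential.
SECRET_HINT = re.compile(r"(pass(word)?|pwd|secret|token|api[_-]?key|connection[_-]?string)", re.I)


def aci_findings(container_group):
    """ACI container group (the YAML/ARM shape used by `az container create --file`).
    Plain `value` entries are visible to anyone who can read the resource;
    `secureValue` entries are only exposed inside the container."""
    findings = []
    for c in container_group.get("properties", {}).get("containers", []):
        for ev in c.get("properties", {}).get("environmentVariables", []):
            if "value" in ev and SECRET_HINT.search(ev.get("name", "")):
                findings.append((c.get("name"), ev["name"], "plaintext 'value'; use 'secureValue'"))
    return findings


def _pod_spec(manifest):
    """Pods carry spec.containers directly; workload kinds wrap it in a template."""
    spec = manifest.get("spec", {})
    kind = manifest.get("kind")
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"):
        spec = spec.get("template", {}).get("spec", {})
    elif kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return spec


def k8s_findings(manifest):
    """Kubernetes manifests: a literal `value` lands in the manifest and in
    `kubectl describe`; `valueFrom.secretKeyRef` keeps the data in a Secret
    delivered through the API, as the slide describes."""
    findings = []
    spec = _pod_spec(manifest)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for ev in c.get("env", []):
            if "value" in ev and SECRET_HINT.search(ev.get("name", "")):
                findings.append((c.get("name"), ev["name"],
                                 "literal value in manifest; use valueFrom.secretKeyRef"))
    return findings


def scan(manifest):
    """Dispatch on shape: ACI documents have top-level properties.containers."""
    if "properties" in manifest and "containers" in manifest["properties"]:
        return aci_findings(manifest)
    return k8s_findings(manifest)
```

The dictionaries are the parsed form of the YAML or JSON file; feeding real manifests through a YAML loader first is the only change needed to run this over a repository.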


AZURE KUBERNETES SERVICE SECURITY

Legacy Azure AD Integration

AKS Cluster Identities
Identities are used to create resources and interact with others (e.g., ACR).

Kubernetes RBAC
Granular access control for the Kubernetes cluster. Can be integrated with Azure AD.

Azure AD Apps (Groups and Auth)
• An app for reading group membership.
• An app for performing authentication.
Used for Azure AD integration to facilitate the authentication of a user with Azure AD.

(Diagram: AKS Cluster with RBAC Bindings for Administrators; Managed Identity to Container Registry and Azure Resources; AKS Apps in Azure AD)
AZURE KUBERNETES SERVICE SECURITY

AKS-Managed Azure AD Integration

AKS Cluster Identities
Identities are used to create resources and interact with others (e.g., ACR).

Kubernetes RBAC
Granular access control for the Kubernetes cluster. Can be integrated with Azure AD.

AKS-Managed Azure AD
The resource provider manages all required apps for Azure AD integration.

Admin Group
Registered as an admin group on the cluster to grant cluster admin permissions.

(Diagram: AKS Cluster; Managed Identity to Container Registry and Azure Resources; Cluster Admin Group in Azure AD)
Section Conclusion
James Lee
TRAINING ARCHITECT
SECTION CONCLUSION: SECURING APPLICATION HOSTING

Azure App Service Security

When securing an app running in Azure App Service, it’s important to understand how the service is operated.

(Diagram: Users > Internet > Azure App Service (on Microsoft Global Infrastructure) > VNet via VNet Integration or Hybrid Connections)


SECTION CONCLUSION: SECURING APPLICATION HOSTING

Azure Functions Security

When securing function apps in Azure, it’s important to understand how the service is operated.

(Diagram: Users > Internet > Azure Functions (on Microsoft Global Infrastructure) > VNet via VNet Integration or Hybrid Connections)


SECTION CONCLUSION: SECURING APPLICATION HOSTING

Configuring SSL/TLS

(Diagram: Users > https://www.capsecco.com > Certificate > Code)

Securing Website Access
Requires a custom domain, an SSL certificate (PFX format, 3DES), and a binding. Consumption Plan supported.

Leveraging Certificates with Code
To load certificates, you must configure:
WEBSITE_LOAD_CERTIFICATES = <comma-separated-certificate-thumbprints>.

Enforcing HTTPS
You can redirect all HTTP requests to the HTTPS port by configuring HTTPS Only.
SECTION CONCLUSION: SECURING APPLICATION HOSTING

Function Access Keys

Host Keys
Can be used to access any function within the function app. A master key also exists for full administrative access.

Function Keys
Function keys provide access for a given function only. They take precedence over host keys if both are named the same.

Key Rotation
Keys can be rotated manually by creating multiple keys for app/client use and renewing key values as required.

(Diagram: Master Key and Host Key at the function app level; Function Keys per function)
SECTION CONCLUSION: SECURING APPLICATION HOSTING

App Service Environment

Hosting
Normal deployment uses multi-tenant hypervisors (virtual machines). Dedicated Hosts can be used for further isolation.

Network
An App Service Environment (ASE) is deployed to an ASE subnet within a customer’s virtual network. Apps can communicate through the VNet.

Accessibility
Can be accessed publicly (external ASE) with public DNS, or privately (internal ASE) with private DNS zones.

App Service Plan (ASP)
An app is deployed to an ASP, which is deployed to an ASE. These are used as normal (based on OS and resources).

(Diagram: Virtual Network > App Service Environment (ILB or Public IP) > App Service Plan(s))
SECTION CONCLUSION: SECURING APPLICATION HOSTING

Azure Container Registry Security

Admin Account
Disabled by default, an admin account includes two access keys that provide full unfettered access to a registry.

Azure AD (RBAC)
Azure AD identities (e.g., service principals) can be provided access to ACR (e.g., using the roles AcrPush or AcrPull).

Premium Features
The Premium SKU supports dedicated endpoints, private endpoints, network rules, and content trust.

(Diagram: Service Principal > ~$ docker push image (AcrPush) / ~$ docker pull image (AcrPull) > Container Image in the Container Registry > Container Engine)
SECTION CONCLUSION: SECURING APPLICATION HOSTING

Azure Container Instance Security

Container Groups
Container group containers are scheduled on the same host machine and share a lifecycle, resources, network, and storage.

Variables
Variables help provide dynamic information to containers. Secure variables ensure data is only available from within a container.

(Diagram: Container Group with two Containers in Container Instances; environment variables value: "sqlserver1" and secureValue: "******")
SECTION CONCLUSION: SECURING APPLICATION HOSTING

Azure Kubernetes Service Security

Master and Node Security
Microsoft manages master components. You should use master version and node patching, and use private clusters if required.

AD Integration
AKS-managed AD integration requires an administrator group, but it manages the group and Azure AD authentication apps for you.

Kubernetes Secrets
Prevents secret information from being stored in the YAML manifest. Instead, the data is provided through the Kubernetes API to a Pod.

(Diagram: Virtual Network with a Management VM, the Control Plane, and Nodes / Node Pools running Pods; Kubernetes Secret; Azure AD)


Section Introduction
James Lee
TRAINING ARCHITECT
SECTION BREAKDOWN

Securing Access Control

Azure AD Access Control


Storage

James Lee
Training Architect
SECTION INTRODUCTION: SECURING STORAGE

The Goal of This Section

Securing Storage
We’ll focus on the Azure Storage service, including how to use identity to secure access.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., networking, compute, data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform upon which security heavily relies.
Storage Account Access
Control
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Security Recap

Overview

Storage Account Access Keys

Access Control Shared Access Signatures

Demonstration

James Lee
Training Architect
STORAGE ACCOUNT ACCESS CONTROL

Security Overview

Let’s take a high-level look at how access can be controlled for storage accounts.

(Diagram: End Users > Internet > Storage Account. Network Access: Resource Firewall and VNet Access. Management REST API. Data Layer REST API for Blobs, Files, Tables, Queues, with Anonymous access, at the endpoints saname.blob.core.windows.net, saname.file.core.windows.net, saname.queue.core.windows.net, saname.table.core.windows.net)

STORAGE ACCOUNT ACCESS CONTROL

Security Overview: Access Keys

Access keys provide administrative access to an entire storage account. Microsoft recommends these are only
used for administrative purposes.

(Diagram: End Users > Access Keys, obtained through Microsoft.Storage/storageAccounts/listkeys/action on the Management Layer REST API > Data Layer REST API for Blobs, Files, Tables, Queues in the Storage Account)
STORAGE ACCOUNT ACCESS CONTROL

Security Overview: Shared Access Signatures

Shared access signatures (SAS) are like a token that can be used to provide granular access to resources within a
storage account. Access is provided to whoever or whatever has the token.

(Diagram: End Users > SAS (Account SAS or Service SAS) > Data Layer REST API for Blobs, Files, Tables, Queues in the Storage Account; Management Layer)
STORAGE ACCOUNT ACCESS CONTROL

Security Overview: Identity-Based

Azure Storage supports Azure AD identity-based access control through measures such as RBAC, which we will
discuss separately.

(Diagram: End Users > Azure AD > Management Layer and Data Layer REST API for Blobs, Files, Tables, Queues in the Storage Account)
STORAGE ACCOUNT ACCESS CONTROL

Access Keys

Provides Full Access
Should be used carefully, as access keys provide full access to all services within a storage account.

Used to Create a SAS
When you create a SAS, you do so using an access key (unless using Azure AD, which we will discuss later).

Key Rotation
Access keys can be regenerated, revoking all access granted by the key (including any associated SAS).
STORAGE ACCOUNT ACCESS CONTROL

Shared Access Signatures

Account SAS
Provides access to resources in one or more services within a storage account.

Service SAS
Provides access to resources within a single service (e.g., Blob or Files).

Stored Access Policies
Provide greater control over a service SAS, which is otherwise very difficult to control once it has been created.
STORAGE ACCOUNT ACCESS CONTROL

Shared Access Signatures: Stored Access Policies

Account SAS
Provides access to resources in one or more services within a storage account.

Service SAS
Provides access to resources within a single service (e.g., Blob or Files).

Stored Access Policies
Provide greater control over a service SAS, which is otherwise very difficult to control once it has been created.

(Diagram: User, App, Device, etc. > SAS > Blob; a second SAS issued through a stored Access Policy on the Blob service)
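Because a SAS grants access to whoever holds it, reviewing the ones found in configuration, logs or tickets is a routine defender task. As an added example (not code from the course), the Python below parses the query parameters of a SAS and reports the settings a reviewer looks at first: whether it is an account SAS (covering several services and resource types), a service SAS, one backed by a stored access policy (revocable by editing the policy) or a user delegation SAS (signed with an Azure AD identity rather than an access key); whether it carries write or delete permissions; how long it lives; whether it is restricted to an IP range; and whether plain HTTP is permitted. The parameter names (sv, ss, srt, sr, sp, st, se, sip, spr, si, skoid, sig) are the documented SAS parameters; the sample URLs and their signature values are constructed.

```python
"""Audit the parameters of a shared access signature (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Permissions beyond read/list: write, delete, add, create, update,
# delete version, permanent delete.
WRITE_CLASS = set("wdacuxy")


def parse_sas(url_or_query):
    """Flatten the SAS query string (from a full URL or a bare query) into a dict."""
    query = urlsplit(url_or_query).query if "://" in url_or_query else url_or_query.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query).items()}


def sas_kind(p):
    if "skoid" in p:               # signed with a user delegation key (Azure AD identity)
        return "user delegation"
    if "ss" in p and "srt" in p:   # services and resource types only appear on an account SAS
        return "account"
    if "si" in p:                  # signed identifier = stored access policy
        return "service (stored access policy)"
    return "service"


def parse_time(value):
    """SAS times are UTC and may be date-only, minute or second precision."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS time: " + value)


def audit_sas(url_or_query, now_iso, max_lifetime_days=7):
    """Return (kind, findings); each finding is a setting that deserves a second look."""
    p = parse_sas(url_or_query)
    if "sig" not in p or "sv" not in p:
        return "none", ["not a SAS: sig or sv missing"]
    now = parse_time(now_iso)
    kind = sas_kind(p)
    findings = []
    if kind == "account":
        findings.append("account SAS covers services '%s' and resource types '%s'" % (p["ss"], p["srt"]))
    if set(p.get("sp", "")) & WRITE_CLASS:
        findings.append("write/delete-class permissions sp=%s" % p["sp"])
    if "se" in p:
        expiry = parse_time(p["se"])
        if expiry <= now:
            findings.append("expired at %s" % p["se"])
        elif expiry - now > timedelta(days=max_lifetime_days):
            findings.append("lifetime longer than %d days (se=%s)" % (max_lifetime_days, p["se"]))
    elif "si" not in p:
        # With a stored access policy the expiry lives in the policy and can be changed later.
        findings.append("no expiry (se) and no stored access policy to revoke it")
    if "sip" not in p:
        findings.append("no IP restriction (sip)")
    if p.get("spr", "https,http") != "https":  # omitted spr means both protocols are allowed
        findings.append("plain HTTP permitted (spr=%s)" % p.get("spr", "absent"))
    return kind, findings
```

A clean result for a policy-backed service SAS and a long list for a broad account SAS is the expected contrast; the account key remains the only way to revoke a SAS that has neither a short expiry nor a stored access policy, which is what the key rotation slide refers to.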
Azure Storage with Azure
AD Authentication
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN

Azure Storage with Role-Based Access Control

Azure AD User Delegation SAS

Demonstration
Authentication

James Lee
Training Architect
AZURE STORAGE WITH AZURE AD AUTHENTICATION

Role-Based Access Control (RBAC)

Role-based access control (RBAC) can be used to control access to both the management and data layer.

(Diagram: End Users > Azure AD > RBAC (e.g., Storage Blob Data Owner) > Management Layer and Data Layer REST API for Blobs,
Files, Tables, Queues in the Storage Account)
AZURE STORAGE WITH AZURE AD AUTHENTICATION

User Delegation SAS

A user delegation SAS is just like a normal SAS. However, instead of being created with a storage account access
key, it is associated with an Azure AD identity.

(Diagram: Users, Resources, and Applications > Azure AD > Service SAS > Data Layer REST API for Blobs, Files, Tables, Queues in the Storage Account; Management Layer)
Azure Files with Azure AD DS Authentication

LESSON BREAKDOWN

• Recap
• Architecture
• Demonstration
Azure Files: Recap

1. Fully Managed File-Level Sharing
Provides traditional on-premises-like file sharing functionality with a true folder hierarchy.

2. Designed for SMB Connectivity
Provides connectivity over the SMB protocol. End users or applications access files over a network connection.

3. Extended by Azure File Sync
Supports synchronization between multiple Windows Server file servers and the Azure Files service.
AZURE FILES WITH AZURE AD DS AUTHENTICATION

Identity-Based Authentication and Authorization

For SMB access to Azure file shares, Azure AD identities can be used for authentication and authorization. This type of access control is for SMB access from domain-joined devices.

(Diagram: on-premises identities sync to Azure Active Directory, which backs an Azure AD DS managed domain; domain-joined Windows virtual machines and end users connect to the file share in the storage account over SMB at the data layer.)
Section Conclusion
SECTION CONCLUSION: SECURING STORAGE

Storage Access Keys

Provides Full Access


Should be used carefully, as access keys
provide full access to all services within a
storage account.

Used to Create a SAS


When you create a SAS, you do so using an
access key (unless using Azure AD).

Key Rotation
Access keys can be regenerated, revoking
all access granted by the key (including
any associated SAS).
SECTION CONCLUSION: SECURING STORAGE

Shared Access Signatures

Account SAS
Provides access to resources within one or
more services in a storage account.

Service SAS
Provides access to resources within a single
service (e.g., Blob or Files).

Stored Access Policies


Provides greater control over a SAS, which
is otherwise very difficult to control once it
has been created.
SECTION CONCLUSION: SECURING STORAGE

Role-Based Access Control (RBAC)

Role-based access control (RBAC) can be used to control access to both the management layer and the data layer.

(Diagram: end users in Azure AD, assigned the Storage Blob Data Owner role, reach Blobs, Files, Tables, and Queues in the storage account through the data-layer REST API.)
SECTION CONCLUSION: SECURING STORAGE

User Delegation SAS

A user delegation SAS is just like a normal SAS. However, instead of being created with a storage account access key, it is associated with an Azure AD identity.

(Diagram: a service SAS is created using an Azure AD identity rather than an access key; users, resources, and applications then present that SAS to the storage account's data-layer REST API.)
SECTION CONCLUSION: SECURING STORAGE

Azure Files Authentication with AAD DS

For SMB access to Azure file shares, Azure AD identities can be used for authentication and authorization. This type of access control is for SMB access from domain-joined devices.

(Diagram: on-premises identities sync to Azure Active Directory, which backs an Azure AD DS managed domain; domain-joined Windows machines and end users connect to the file share in the storage account over SMB at the data layer.)
Section Introduction

SECTION BREAKDOWN

Securing Data
• Authentication
• Data Security
• Network Security
• Auditing
SECTION INTRODUCTION: SECURING DATA

The Goal of This Section

Securing Data Platforms
We'll focus on the methods for protecting data platforms, such as Azure SQL, Synapse Analytics, etc.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., networking, compute, data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform upon which security heavily relies.
Azure SQL Authentication

LESSON BREAKDOWN

• Overview
• Azure AD Authentication: SQL Logins
• Azure AD Authentication: DB Users
• Supported Authentication Methods
• Demonstration
AZURE SQL AUTHENTICATION

Overview: SQL Authentication

Let's take a high-level look at how access can be controlled for Azure SQL.

(Diagram: end users authenticate to the database engine (sqlserver1) with a SQL login (server: sqlserver1, username: adm.sql, password), which lives in the master database; a database user in productsdb is mapped to that login.)
AZURE SQL AUTHENTICATION

Overview: Authentication with Azure AD Identities

To authenticate with Azure AD identities, we need to associate them with SQL logins or database users.

(Diagram: Azure Active Directory users and groups are associated either with a SQL login in the master database or with a DB user in productsdb; this applies to both Azure SQL Database and Azure SQL Managed Instances.)
AZURE SQL AUTHENTICATION

Azure AD Authentication: SQL Logins

SQL Login Creation
The following SQL logins are supported:
• SQL login
• Windows logins (SQL VM only)
• Azure AD logins (unsupported by Azure SQL DB)

Azure AD Admin for SQL
An Azure AD admin must be configured to enable Azure AD authentication. The admin can be either an Azure AD user or group.

Read Permissions
For managed instances, be aware that a Global Administrator must also configure read permissions to your Azure AD tenant.

--Windows Logins from SQL VM only
CREATE LOGIN <domain\loginname> FROM WINDOWS

--Azure AD Logins created using an AAD-based Login
CREATE LOGIN <AAD_Username> FROM EXTERNAL PROVIDER

(Diagram: an Azure AD admin user or group and an Azure AD user from Azure Active Directory map to SQL logins in the master database of an Azure SQL Managed Instance.)
AZURE SQL AUTHENTICATION

Azure AD Authentication: DB Users

SQL Database User Creation
Supports the following database users:
• Database user (contained, or mapped to login)
• Database user mapped to AAD-based login
• Contained database user mapped to AAD

Azure AD Admin for SQL
Must be configured to enable Azure AD authentication. The admin can be either an Azure AD user or group.

Read Permissions
For managed instances, be aware that a Global Administrator must also configure read permissions to your Azure AD tenant.

--DB User mapped to an AAD-based SQL Login (managed instance)
CREATE USER <User> FROM LOGIN <Login>

--Contained DB User authenticated by AAD
CREATE USER <AAD_Username> FROM EXTERNAL PROVIDER

(Diagram: an Azure AD admin user or group and an Azure AD user from Azure Active Directory map to DB users in the productsdb database of an Azure SQL Database.)
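The two principal models described above, as an added T-SQL example that is not from the course slides: a server-level Azure AD login on a managed instance, and contained Azure AD users on a single database. sqlserver1 and productsdb come from the slides; the principals dba@contoso.com, Sales Analysts and inventory-api and the dbo.Inventory table are hypothetical.

```sql
-- Added example (not from the course slides). Principal names are hypothetical.
-- Run each part as the Azure AD admin configured for the server.

-- ===== Azure SQL Managed Instance: server-level Azure AD login (master) =====
-- Prerequisites from the slides: an Azure AD admin is set on the instance and, for a
-- managed instance, a Global Administrator has granted it read access to the tenant.
CREATE LOGIN [dba@contoso.com] FROM EXTERNAL PROVIDER;
GO

-- In a user database on the managed instance, map a database user to that login
-- and grant only what the role needs (read access here), not db_owner.
USE productsdb;
GO
CREATE USER [dba@contoso.com] FROM LOGIN [dba@contoso.com];
ALTER ROLE db_datareader ADD MEMBER [dba@contoso.com];
GO

-- ===== Azure SQL Database: contained database users (no server-level login) =====
-- Connect directly to productsdb on sqlserver1. Azure AD users, groups and
-- applications are all created with FROM EXTERNAL PROVIDER.
CREATE USER [Sales Analysts] FROM EXTERNAL PROVIDER;   -- hypothetical Azure AD group
CREATE USER [inventory-api]  FROM EXTERNAL PROVIDER;   -- hypothetical app registration
GO

-- Least privilege: the group gets read-only, the application gets only its own table.
ALTER ROLE db_datareader ADD MEMBER [Sales Analysts];
GRANT SELECT, INSERT ON dbo.Inventory TO [inventory-api];
GO

-- Verify what exists: Azure AD principals report EXTERNAL authentication and a
-- type of EXTERNAL_USER or EXTERNAL_GROUP, which makes periodic access reviews easy.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE authentication_type_desc = 'EXTERNAL';
```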


AZURE SQL AUTHENTICATION

Supported Authentication Methods

METHOD                  OVERVIEW                                                                                              SUPPORT
AAD Password            Authentication supporting cloud identities (username and password) from local (non-domain-joined) machines   DB user, SQL login
AAD Integrated          Seamless sign-on experience when authenticating from a domain-joined machine (federated or managed)   DB user, SQL login
AAD Universal with MFA  An interactive authentication method that supports the use of MFA                                    DB user, SQL login
Application Token       Authentication using the identity of an application registered within Azure AD                      DB user
Azure SQL Database Encryption

LESSON BREAKDOWN

• Overview
• Configuration
• Demonstration
AZURE SQL DATABASE ENCRYPTION

Encryption Overview

Let's take a high-level look at how Azure SQL Database can be encrypted.

Encryption in Transit
Using Transport Layer Security (TLS).

Encryption at Rest
Using Transparent Data Encryption (TDE).

(Diagram: the paymentsdb database holds a table with columns ID, Name, CreditCard, e.g., 156 / Freddy / 764893112 and 445 / Jessica / 766713445; with TLS and TDE alone, the Database Administrator still sees the CreditCard values in plaintext.)
AZURE SQL DATABASE ENCRYPTION

Always Encrypted

Always Encrypted encrypts data within columns that we want to secure.

(Diagram: in the payments database the CreditCard column now holds ciphertext, e.g., 156 / Freddy / 0x019AE4F… and 445 / Jessica / 0x0100D1F…; the Database Administrator sees only the ciphertext, while the application and its user see the plaintext.)
AZURE SQL DATABASE ENCRYPTION

Always Encrypted Implementation

Column Encryption Types
• Randomized: less predictable encryption.
• Deterministic: generates the same encrypted value for a given text value (but supports point lookups, equality joins, grouping, and indexing).

Key Storage Options
The database engine does not store encryption keys. These must be stored elsewhere (e.g., Key Vault, or Windows Certificate Store).

Application Client
To access encrypted column data in plaintext, an application must use an Always Encrypted-enabled client driver with access to the key storage.

(Diagram: the Azure SQL Database stores ciphertext such as 0x019AE4F… for Freddy; the application client fetches the key from key storage and decrypts for the app user. With deterministic encryption, repeated values such as "Freddy" always map to the same ciphertext, e.g., 0xAE12.)
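The key hierarchy and column definition described above, as an added T-SQL example that is not from the course slides. The dbo.Payments table mirrors the slide; the Key Vault URL and the wrapped-key blob are placeholders, since the engine never handles the master key and the blob must come from a client tool.

```sql
-- Added example (not from the course slides). Key Vault URL and ENCRYPTED_VALUE are placeholders.

-- 1. Column master key (CMK): the database stores only a pointer to the key in Azure Key Vault.
CREATE COLUMN MASTER KEY CMK_Payments
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    KEY_PATH = 'https://<your-vault>.vault.azure.net/keys/<cmk-name>/<key-version>'  -- placeholder
);
GO

-- 2. Column encryption key (CEK): stored wrapped under the CMK. The engine cannot unwrap it,
--    which is why a DBA without Key Vault access never sees plaintext.
CREATE COLUMN ENCRYPTION KEY CEK_Payments
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Payments,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0000   -- placeholder: paste the blob produced by SSMS/PowerShell here
);
GO

-- 3. The table from the slide with CreditCard encrypted.
--    DETERMINISTIC supports equality lookups, joins and grouping on the ciphertext, but two rows
--    with the same card number produce the same ciphertext (a BIN2 collation is required for it).
--    RANDOMIZED hides that equality but supports none of those operations.
CREATE TABLE dbo.Payments (
    ID         INT NOT NULL PRIMARY KEY,
    Name       NVARCHAR(50) NOT NULL,
    CreditCard CHAR(16) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Payments,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);
GO

-- 4. What the Database Administrator sees from a plain connection: varbinary ciphertext only.
SELECT ID, Name, CreditCard FROM dbo.Payments;

-- 5. An application using an Always Encrypted-enabled driver (connection string option
--    "Column Encryption Setting=Enabled") with access to the Key Vault key sees plaintext.
--    Predicates must be parameterized so the driver can encrypt the value client-side:
--    SELECT Name FROM dbo.Payments WHERE CreditCard = @card;
```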
Dynamic Masking for SQL on Azure

LESSON BREAKDOWN

• Overview
• Configuration
• Demonstration
DYNAMIC MASKING FOR SQL ON AZURE

Overview

Dynamic masking helps to hide information that might be sensitive, without changing or encrypting it.

(Diagram: the payments database holds ID, Name, CreditCard rows such as 156 / Freddy / 764893112 and 445 / Jessica / 766713445; the CreditCard column is masked on its way to the application and its user.)
DYNAMIC MASKING FOR SQL ON AZURE

Dynamic Data Masking Policies

Masking Data
Masking rules specify which columns should be masked, and with what mask function (precisely how the text will be changed).

Applicable Users
SQL Database users can be excluded from having data masking applied (administrators are always excluded).

Important Note
Dynamic data masking does not change the data in a database. Through the use of SQL queries, users could potentially still discern the data.

(Diagram: a masking rule (column: CreditCard, function: Credit Card Mask) sits between the table rows 156 / Freddy / 764893112 and 445 / Jessica / 766713445 and the user.)
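The masking rule, user exclusion, and the "data is unchanged" caveat above, as an added T-SQL example that is not from the course slides. dbo.Payments and the CreditCard column follow the slide; the users support-agent and fraud-analyst are hypothetical.

```sql
-- Added example (not from the course slides). User names are hypothetical.

-- 1. Masking rule: keep only the last four digits of the card number.
--    Other built-in functions: 'default()' (full mask), 'email()', 'random(1, 100)' for numerics.
ALTER TABLE dbo.Payments
ALTER COLUMN CreditCard ADD MASKED WITH (FUNCTION = 'partial(0, "XXXX-XXXX-XXXX-", 4)');
GO

-- 2. An ordinary reader sees masked output; the stored value 764893112 is untouched.
--    Expected row for Freddy: 156  Freddy  XXXX-XXXX-XXXX-3112
CREATE USER [support-agent] WITHOUT LOGIN;
GRANT SELECT ON dbo.Payments TO [support-agent];
GO
EXECUTE AS USER = 'support-agent';
SELECT ID, Name, CreditCard FROM dbo.Payments;
REVERT;
GO

-- 3. Exclude a specific user from masking. Members of db_owner and the server
--    administrators are always excluded, so keep that group small.
CREATE USER [fraud-analyst] WITHOUT LOGIN;
GRANT SELECT ON dbo.Payments TO [fraud-analyst];
GRANT UNMASK TO [fraud-analyst];
GO

-- 4. Review which columns are masked and how (useful for a periodic policy check).
SELECT t.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
WHERE c.is_masked = 1;

-- Caveat from the slide: masking is a presentation-layer control. A user who can run
-- arbitrary SELECTs with predicates can still narrow down masked values, so data that
-- must not be inferred needs Always Encrypted or tighter grants rather than masking alone.
```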
Network Isolation for Data Solutions

LESSON BREAKDOWN

• Network Access Control
• Virtual Network Integration
• Virtual Network Isolation
NETWORK ISOLATION FOR DATA SOLUTIONS

Network Access Control

Most data platforms within Azure support network-level access control through a resource firewall.

(Diagram: an end user reaching an Azure SQL Database (database) and Cosmos DB (collection), each fronted by its own resource firewall.)
NETWORK ISOLATION FOR DATA SOLUTIONS

Virtual Network Integration

Most data platforms within Azure support network isolation from within a virtual network, leveraging features such as service endpoints and Private Link.

(Diagram: a virtual network with subnet1 and subnet2. subnet1 reaches the Azure SQL Database over a service endpoint across the Microsoft backbone; subnet2 reaches the Cosmos DB collection through a private endpoint with the private address 10.1.1.4.)
NETWORK ISOLATION FOR DATA SOLUTIONS

Virtual Network Isolation

Many data platforms in Azure are multi-tenant, but often provide some form of network isolation.

(Diagram: an end user reaching a Synapse Analytics workspace inside a managed VNet, and an Azure SQL Managed Instance database deployed into its own virtual network.)
Database Auditing

LESSON BREAKDOWN

• Overview
• Configuration
• Demonstration
DATABASE AUDITING

Overview

Database auditing helps provide a log of events that occur.

(Diagram: an administrator and an end user act on an Azure SQL Database (holding ID, Name, CreditCard rows such as 156 / Freddy / 764893112) within a resource group; auditing records those events.)
DATABASE AUDITING

Configuration

Server Auditing
Auditing configured at the server level will apply to all existing and new databases within the server (in addition to database auditing).

Database Auditing
Auditing configured on the database level can be in addition to server auditing (if both are configured, both will exist side by side).

Audit Destination
Auditing events can be recorded to the following:
• Storage
• Log Analytics
• Event Hubs

(Diagram: an Azure SQL Server containing two databases, with server-level and database-level audit settings writing to an audit log destination.)
Section Conclusion
SECTION CONCLUSION: SECURING DATA

Azure AD and SQL Authentication: SQL Logins

SQL Login Creation
The following SQL logins are supported:
• SQL login
• Windows logins (SQL VM only)
• Azure AD logins (managed instances only)

Azure AD Admin for SQL
An Azure AD admin must be configured to enable Azure AD authentication. The admin can be either an Azure AD user or group.

Read Permissions
For managed instances, be aware that a Global Administrator must also configure read permissions for your Azure AD tenant.

--Windows Logins from SQL VM only
CREATE LOGIN <domain\loginname> FROM WINDOWS

--Azure AD Logins created using an AAD-based Login
CREATE LOGIN <AAD_Username> FROM EXTERNAL PROVIDER

(Diagram: an Azure AD admin user or group and an Azure AD user from Azure Active Directory map to SQL logins in the master database of Azure SQL.)
SECTION CONCLUSION: SECURING DATA

Azure AD and SQL Authentication: DB Users

SQL Database User Creation
Supports the following database users:
• Database user (contained, or mapped to login)
• Database user mapped to AAD-based login
• Contained database user mapped to AAD

Azure AD Admin for SQL
Must be configured to enable Azure AD authentication. The admin can be either an Azure AD user or group.

Read Permissions
For managed instances, be aware that a Global Administrator must also configure read permissions to your Azure AD tenant.

--Contained DB User authenticated by AAD
CREATE USER <AAD_Username> FROM EXTERNAL PROVIDER

--DB User mapped to an AAD-based SQL Login (managed instance)
CREATE USER <User> FROM LOGIN <Login>

(Diagram: an Azure AD admin user or group and an Azure AD user from Azure Active Directory map to DB users in the productsdb database of Azure SQL.)
SECTION CONCLUSION: SECURING DATA

Always Encrypted

Column Encryption Types
• Randomized: less predictable encryption.
• Deterministic: generates the same encrypted value for a given text value (but supports point lookups, equality joins, grouping, and indexing).

Key Storage Options
The database engine does not store encryption keys. These must be stored elsewhere (e.g., Key Vault, or Windows Certificate Store).

Application Client
To access encrypted column data in plaintext, an application must use an Always Encrypted-enabled client driver with access to the key storage.

(Diagram: the Azure SQL Database stores ciphertext such as 156 / Freddy / 0x019AE4F… and 445 / Jessica / 0x0100D1F…; the application client uses the key storage to decrypt for the app user.)
SECTION CONCLUSION: SECURING DATA

Dynamic Data Masking

Masking Data
Masking rules specify which columns should be masked, and with what mask function (precisely how the text will be changed).

Applicable Users
SQL Database users can be excluded from having data masking applied (administrators are always excluded).

Important Note
Dynamic data masking does not change the data in a database. Through the use of SQL queries, users could potentially still discern the data.

(Diagram: a masking rule (column: CreditCard, function: Credit Card Mask) sits between the table rows 156 / Freddy / 764893112 and 445 / Jessica / 766713445 and the user.)
SECTION CONCLUSION: SECURING DATA

Network Isolation for Data Platforms

Many data platforms in Azure are multi-tenant, but they often provide some form of network isolation.

(Diagram: an end user reaching a Synapse Analytics workspace inside a managed VNet, and an Azure SQL Managed Instance database deployed into its own virtual network.)
SECTION CONCLUSION: SECURING DATA

Database Auditing

Server Auditing
Auditing configured at the server level will apply to all existing and new databases within the server (in addition to database auditing).

Database Auditing
Auditing configured on the database level can be in addition to server auditing (if both are configured, both will exist side by side).

Audit Destination
Auditing events can be recorded to the following:
• Storage
• Log Analytics
• Event Hubs

(Diagram: an Azure SQL Server containing two databases, with server-level and database-level audit settings writing to an audit log destination.)
Section Introduction

SECTION BREAKDOWN

Security Policies and Standards
• Policies
• Resource Protection
• Standardized Deployments
SECTION INTRODUCTION: SECURITY POLICIES AND STANDARDS

The Goal of This Section

Securing Standard Deployments
Helping to ensure solutions are deployed securely, and to company standards.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., networking, compute, data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform upon which security heavily relies.
Azure Policy

LESSON BREAKDOWN

• Overview
• Configuration
• Demonstration
AZURE POLICY

Overview

Azure Policy
A versatile service that helps organizations implement and monitor standards.

Enforce Standards
Provide supported options that adhere to company standards.

Prevent Non-Compliance
Deny operations that do not adhere to standards.

Report on Compliance
Audit and report on resources and their adherence to standards.
AZURE POLICY

Configuration

Conditions
Conditions help to define standards:
• Look at a resource property for a given value.
• Specified within a policy definition.
• E.g., does the resource location = US West?

Example conditions:
• Require a tag and value
• Deploy an agent for Windows VMs
• Allowed locations for resources
• Disk encryption required

Effects
Trigger an effect if the condition is met (e.g., block the operation (Deny), or report if an item is missing (AuditIfNotExist)).

Assignment
Policies must be assigned to a scope. This can include a resource, resource group, subscription, or management group.

(Diagram: a policy definition pairs a condition with an effect (Block, Audit, Modify) and is assigned to a scope.)
Resource Locks

LESSON BREAKDOWN

• Purpose
• Configuring Resource Locks
• Demonstration
RESOURCE LOCKS

Purpose

Let's have a quick chat about why we use resource locks.

(Diagram: an Azure subscription containing the resource groups corenet-rg, pubweb1-rg, and secapp1-rg, acted on by the Helpdesk Team, Network Engineers, and Automation.)
RESOURCE LOCKS

Configuring Resource Locks

Resource Lock: CanNotDelete
Authorized users can fully access, read, and modify resources as usual. However, they cannot delete resources.

Resource Lock: ReadOnly
Authorized users can read and access resources. However, they cannot be modified or deleted.

Scope and Inheritance
Locks can be applied to subscriptions, resource groups, and resources. Locks can be inherited, but they do not apply to data plane operations.

(Diagram: CanNotDelete and ReadOnly locks applied to the resource groups corenet-rg and pubweb1-rg within an Azure subscription.)
Azure Blueprints

LESSON BREAKDOWN

• Purpose
• Configuration
• Demonstration
AZURE BLUEPRINTS

Purpose

What problem can we solve with Azure Blueprints?

(Diagram: a Standard Office Deployment made up of the resource groups office1-net-rg and office1-itmgmt-rg, a resource lock, an Azure Policy, and role assignments for Helpdesk Engineers and Network Engineers.)
AZURE BLUEPRINTS

Implementing Blueprints

Blueprint Definition
The definition describes the solution you wish to deploy/manage. It is made up of ARM templates, policies, RBAC, and resource groups.

Publishing and Version Control
For a blueprint to be used, it must be published. Publishing supports the use of version control (e.g., v2.0).

Assignment
Deploying a solution using a blueprint creates an assignment. This provides an audit trail of how/when the solution was deployed.

(Diagram: a blueprint definition is published as a version and then assigned to a scope.)
Section Conclusion
SECTION CONCLUSION: SECURITY POLICIES AND STANDARDS

Azure Policy

Conditions
Conditions help to define standards:
• Look at a resource property for a given value.
• Specified within a policy definition.
• E.g., does the resource location = US West?

Example conditions:
• Require a tag and value
• Deploy an agent for Windows VMs
• Allowed locations for resources
• Disk encryption required

Effects
Trigger an effect if the condition is met (e.g., block the operation (Deny), or report if an item is missing (AuditIfNotExist)).

Assignment
Policies must be assigned to a scope. This can include a resource, resource group, subscription, or management group.

(Diagram: a policy definition pairs a condition with an effect (Block, Audit, Modify) and is assigned to a scope.)
SECTION CONCLUSION: SECURITY POLICIES AND STANDARDS

Resource Locks

Resource Lock: CanNotDelete
Authorized users can fully access, read, and modify resources as usual. However, they cannot delete resources.

Resource Lock: ReadOnly
Authorized users can read and access resources. However, they cannot be modified or deleted.

Scope and Inheritance
Locks can be applied to subscriptions, resource groups, and resources. Locks can be inherited, but they do not apply to data plane operations.

(Diagram: CanNotDelete and ReadOnly locks applied to the resource groups corenet-rg and pubweb1-rg within an Azure subscription.)
SECTION CONCLUSION: SECURITY POLICIES AND STANDARDS

Azure Blueprints

Blueprint Definition
The definition describes the solution you wish to deploy/manage. It is made up of ARM templates, policies, RBAC, and resource groups.

Publishing and Version Control
For a blueprint to be used, it must be published. Publishing supports the use of version control (e.g., v2.0).

Assignment
Deploying a solution using a blueprint creates an assignment. This provides an audit trail of how/when the solution was deployed.

(Diagram: a blueprint definition is published as a version and then assigned to a scope.)
Section Introduction

SECTION BREAKDOWN

Threat Protection in Azure
• Azure Security Center
• Security Policies
• Azure Defender
• Vulnerability Assessment
SECTION INTRODUCTION: THREAT PROTECTION IN AZURE

The Goal of This Section

Defending the Environment
In this section, we'll discuss ways to monitor, assess, and respond to threats within your environment.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., networking, compute, data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform upon which security heavily relies.
Azure Security Center Overview

LESSON BREAKDOWN

• Overview
• Key Features
• Azure Defender
• Demonstration
AZURE SECURITY CENTER OVERVIEW

Overview

A central management interface for understanding the security posture of your environment.

(Diagram: Azure Security Center assesses the Azure AD tenant and the Azure subscription, showing a secure score of 83% and recommendations such as "Restrict HTTPS on storage accounts", "Install endpoint protection", and "Enable MFA".)

The same view extends beyond Azure: servers in other clouds and on-premises report into Azure Security Center through the Log Analytics Agent.
AZURE SECURITY CENTER

Key Features
• Recommendations
• Compliance
• Monitoring
• Defender
AZURE SECURITY CENTER OVERVIEW

Azure Defender

Azure Defender is part of the Azure Security Center ecosystem, but it has a different focus.

Comparison

Security Center
• Free Service: basic functionality available at no extra cost.
• Broad Focus: focuses on a variety of services and resource types.
• Security Posture: reviews adherence to best practice security standards.

Defender
• Subscription-Based: enabled for additional cost on a per-service basis.
• Narrow Focus: typically focused on a specific service or product.
• Workload Protection: provides product-specific protection.
Azure Security Center Policy Management

LESSON BREAKDOWN

• Overview
• Configuring Custom Initiatives
• Demonstration
AZURE SECURITY CENTER

Key Features
• Recommendations
• Compliance Reporting
• Defender
AZURE SECURITY CENTER POLICY MANAGEMENT

How Recommendations Work

Recommendations compare your environment against standards defined in an Azure Policy initiative.

Applied to the Azure subscription (e.g., corenet-rg, pubweb1-rg):
• Security Center Default Policy (Azure Security Benchmark): view/edit
• Industry & Regulatory Standards: add
• Custom Initiatives: add/edit
AZURE SECURITY CENTER POLICY MANAGEMENT

Configuring Custom Initiatives

Configure the Policy Initiative
Create your custom initiative (containing one or more policies) in accordance with your security needs.

Add the Initiative to a Security Policy
The initiative must be assigned to a management group or subscription (within the subscription hierarchy) to take effect.

Optional: Add ASC Metadata
Custom policies can be extended to include metadata for details such as severity levels and remediation instructions:

"metadata": {
    "securityCenter": {
        "RemediationDescription": "Your description",
        "Severity": "Low"
    }
},
Azure Defender for SQL

LESSON BREAKDOWN

• Overview
• Vulnerability Assessment
• Demonstration
AZURE DEFENDER FOR SQL

Key Features

SQL Injection
Defends against potential SQL injection attacks, including when apps generate faulty SQL statements.

Anomalous Access
Detects anomalous database access and query patterns (e.g., a high number of failed login attempts).

Suspicious Activity
Identifies suspicious activity (e.g., a legitimate user accessing Azure SQL from a breached computer).

Baselines
Approves identified vulnerabilities as baseline if it is OK for your environment.

Recommendations
Offers recommendations for how to address identified vulnerabilities.

Server and Database
Vulnerabilities are identified based on best practices for both servers and databases.
AZURE DEFENDER FOR SQL

Configuring Vulnerability Assessment

Azure Defender for SQL
Enabled for the server using either:
• Defender for Azure SQL Database servers
• Defender for SQL servers on virtual machines

Vulnerability Assessment
Scans are configured at the server level, including the storage account and email address for scan reports.

Baseline
Vulnerability assessment findings can be marked as baseline if this is considered an acceptable occurrence within your environment.

(Diagram: vulnerability assessment settings on the SQL Server apply to all of its databases.)
Azure Defender for Servers

LESSON BREAKDOWN

• Overview
• Agent Configuration
• Demonstration
AZURE DEFENDER FOR SERVERS

Key Features

JIT Access
Network access control for secure management access to your virtual machines.

Vulnerability Scanning
Identification of vulnerabilities according to a variety of benchmarks and best practices.

File Integrity Monitoring
Monitoring of changes within files, operating system data, and application software.

App Controls
Adaptive application controls (AAC) for intelligent safelisting of applications.

Network Hardening
Adaptive network hardening (ANH) for monitoring traffic to identify normal patterns.

Defender for Endpoint
Integrated license for Microsoft Defender for Endpoint (not the same as Azure Defender).
AZURE DEFENDER FOR SERVERS

Agent Configuration

Azure Defender for Servers
Azure Defender for Servers can be switched on for servers at the subscription level (within Azure Security Center).

Log Analytics Agent
Installed on servers in order to gather information for vulnerability assessment. Note that auto-enrollment can be configured for VMs.

Log Analytics Workspace
Stores the information required for the vulnerability assessments (can be your own, or can be managed by Azure Security Center).

(Diagram: within an Azure subscription, Azure Security Center enables Defender for Servers; the Log Analytics Agent on each server reports to a Log Analytics workspace.)
Microsoft Threat Modeling Tool

LESSON BREAKDOWN

• Software Development Overview
• Purpose of the Tool
• Demonstration
MICROSOFT THREAT MODELING TOOL

Software Development Overview

Let's consider the design of a software solution.

(Diagram: the CAPSECCO Web App, in which a User talks to a Web App, which calls an API backed by a Data Store. Security Engineers, Project Management, and Software Developers all take part in the design.)

STRIDE threat categories:
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
MICROSOFT THREAT MODELING TOOL

Purpose of the Tool

Security by Design
Guided collaboration on security during the design phase to mitigate threats.

COMMUNICATE
Collaborate on security design for solutions.

ANALYZE
Analyze the design of solutions for security issues.

MANAGE
Suggest and manage mitigations for security issues.
Section Conclusion
SECTION CONCLUSION: THREAT PROTECTION

Azure Security Center and Azure Defender

Azure Defender is part of the Azure Security Center ecosystem, but it has a different focus.

Comparison

Security Center
• Free Service: basic functionality available at no extra cost.
• Broad Focus: focuses on a variety of services and resource types.
• Security Posture: reviews adherence to best practice security standards.

Defender
• Subscription-Based: enabled for additional cost on a per-service basis.
• Narrow Focus: typically focused on a specific service or product.
• Workload Protection: provides product-specific protection.
SECTION CONCLUSION: THREAT PROTECTION

Azure Security Center Policy Management

Recommendations compare your environment against standards defined in an Azure Policy initiative.

Applied to the Azure subscription (e.g., corenet-rg, pubweb1-rg):
• Security Center Default Policy (Azure Security Benchmark): view/edit
• Industry and Regulatory Standards: add
• Custom Initiatives: add/edit
SECTION CONCLUSION: THREAT PROTECTION

Defender for SQL

SQL Injection
Defends against potential SQL injection attacks, including when apps generate faulty SQL statements.

Anomalous Access
Detects anomalous database access and query patterns (e.g., a high number of failed login attempts).

Suspicious Activity
Identifies suspicious activity (e.g., a legitimate user accessing Azure SQL from a breached computer).

Baselines
Approves identified vulnerabilities as baseline if it is OK for your environment.

Recommendations
Offers recommendations for how to address identified vulnerabilities.

Server and Database
Vulnerabilities are identified based on best practices for both servers and databases.
SECTION CONCLUSION: THREAT PROTECTION

Defender for Servers

JIT Access
Network access control for secure management access to your virtual machines.

Vulnerability Scanning
Identification of vulnerabilities according to a variety of benchmarks and best practices.

File Integrity Monitoring
Monitoring of changes within files, operating system data, and application software.

App Controls
Adaptive application controls (AAC) for intelligent safelisting of applications.

Network Hardening
Adaptive network hardening (ANH) for monitoring traffic to identify normal patterns.

Defender for Endpoint
Integrated license for Microsoft Defender for Endpoint (not the same as Azure Defender).
SECTION CONCLUSION: THREAT PROTECTION

Microsoft Threat Modeling Tool

Security by Design
Guided collaboration on security during the design phase to mitigate threats.

COMMUNICATE
Collaborate on security design for solutions.

ANALYZE
Analyze the design of solutions for security issues.

MANAGE
Suggest and manage mitigations for security issues.
Section Introduction

SECTION BREAKDOWN

Monitoring Security with Azure Monitor
• Azure Monitor Overview
• Logging and Retention
• Azure Monitor Logs
• Azure Monitor Alerts
SECTION INTRODUCTION: MONITORING SECURITY WITH AZURE MONITOR

The Goal of This Section

Monitoring the Environment
Capabilities for monitoring actions and operations across your solutions.

Securing Applications
Securing the solutions we build.

Securing the Platform
Securing the Azure services we use (e.g., networking, compute, data).

Identity and Access Management
Securing access to resources and identity itself.

Azure Active Directory (AD)
The identity platform upon which security heavily relies.
Azure Monitor Overview

LESSON BREAKDOWN

• Overview
• Key Monitoring Capabilities
• Demonstration
AZURE MONITOR OVERVIEW

Overview

Monitoring Sources
Application, Operating System, Azure Resources, Subscription, Azure AD Tenant, Custom Sources

Monitoring Data
Metrics, Logs

Actions
Alert, Export, Visualize, Insights, Integrate

Centralized Hybrid Monitoring

Monitor Everything
Centralized management interface for monitoring workloads anywhere.

Respond
Various capabilities support acting on monitoring information in many ways.

Understand the Big Picture
Monitoring from code through to the platform provides holistic insights.
AZURE MONITOR OVERVIEW

Key Monitoring Capabilities

Metrics Explorer
View and graph small, time-based data (e.g., CPU or memory utilization).

Application Insights
Intelligent analytics of applications (both client and server side).

Azure Monitor Logs
Analyze and explore verbose logging information. Can be queried with Kusto Query Language.

Monitoring Insights
Resource-specific monitoring solutions (e.g., Azure Monitor for Containers).

Activity Logs
Logs of REST API write actions performed on Azure resources (retained for 90 days by default).

Alerts and Action Groups
Respond to monitoring data with an alert management system, including automation.
Logging and Retention
LESSON BREAKDOWN

Overview
Diagnostic Settings
Demonstration
LOGGING AND RETENTION

Overview

Let's consider how we might want to work with monitoring data.

(Diagram labels: Azure Subscription; pubweb1-rg; monitor-rg; Metrics; Logs; Monitoring Tools; Security Engineer.)
LOGGING AND RETENTION

Diagnostic Settings

Platform Monitoring
Route data for the following:
• Platform logs (resource or Activity Log)
• Platform metrics

Data Categories
Depending on the data type being collected, there may be multiple categories available for the platform item.

Destination
• Storage account (retain and analyze)
• Log Analytics workspace (powerful analytics)
• Event Hubs (stream to external systems)

(Diagram labels: Resources; Platform; Agent; Monitoring Data: Metrics, Logs (e.g., StorageRead); Diagnostic Setting; Destination.)
Azure Monitor Logs
LESSON BREAKDOWN

Overview
Architecture
Demonstration
AZURE MONITOR LOGS

Azure Monitor Logs (also known as Log Analytics)

Versatile
Handles a variety of monitoring data types and data sources. This includes Azure, on-premises, and other clouds.

Analytics
Provides powerful analytics capabilities for querying data. This is provided through the Kusto Query Language.

Solutions
Supports many different monitoring solutions, which are prepackaged sets of features for a specific system/solution.
AZURE MONITOR LOGS

Architecture

Source
Source data typically originates from either:
• Platform (via diagnostic settings)
• Log Analytics agent

Log Analytics Workspace
To house all monitoring data, a Log Analytics workspace must be created.

Analytics
Perform analysis with tools such as:
• Kusto Query Language
• Workbooks
• Solutions

(Diagram labels: Source; Log Analytics Agent; Diagnostic Settings; Workspace; Azure Monitor Logs.)

Azure Monitor Alerts
LESSON BREAKDOWN

Configuring Alerts
Demonstration
AZURE MONITOR ALERTS

Configuring Alerts

Alert Rule
Defines when an alert should occur using:
• Targeted resource (and signal) to monitor
• The criteria/logic for the alert to be triggered

Action Group
The action to take place once the alert triggers. Many actions are supported, from email alerts to automation runbooks.

Alert
When an alert triggers, an alert state will be logged within Azure Monitor. This is based on the severity configured in the alert rule.

(Diagram labels: Target Resource; Metrics; Logs; Alert Condition; Action Group; Alert.)
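The Diagnostic Settings slide and this Configuring Alerts slide expressed together as Bicep, an added example that is not part of the course material: it routes a storage account's StorageRead logs and Transaction metrics to a Log Analytics workspace, then defines an action group and a metric alert rule (target resource, signal, criteria, severity, action) on the same account. Resource names, the e-mail address and the threshold are assumed placeholders.

```bicep
// Added example, not course material. Assumes an existing storage account and
// Log Analytics workspace; the names, e-mail address and threshold are placeholders.
param storageAccountName string
param workspaceId string                  // resource ID of the Log Analytics workspace
param alertEmail string = 'soc@example.invalid'
resource stg 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}
resource blob 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' existing = {
  parent: stg
  name: 'default'
}
// Diagnostic setting: route the blob service's platform logs (category StorageRead)
// and platform metrics (category Transaction) to the workspace destination.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'blob-to-law'
  scope: blob
  properties: {
    workspaceId: workspaceId
    logs: [ { category: 'StorageRead', enabled: true } ]
    metrics: [ { category: 'Transaction', enabled: true } ]
  }
}
// Action group: the action taken when an alert fires (here, an e-mail).
resource ag 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'soc-email'
  location: 'Global'
  properties: {
    groupShortName: 'socmail'
    enabled: true
    emailReceivers: [ { name: 'soc', emailAddress: alertEmail, useCommonAlertSchema: true } ]
  }
}
// Alert rule: target resource + metric signal + criteria + severity + action group.
resource alert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'storage-transaction-spike'
  location: 'global'
  properties: {
    severity: 2                           // Sev 2 = Warning in Azure Monitor
    enabled: true
    scopes: [ stg.id ]
    evaluationFrequency: 'PT5M'           // how often the rule is evaluated
    windowSize: 'PT15M'                   // period the aggregation covers
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [ { name: 'tx', metricName: 'Transactions', operator: 'GreaterThan', threshold: 1000, timeAggregation: 'Total', criterionType: 'StaticThresholdCriterion' } ]
    }
    actions: [ { actionGroupId: ag.id } ]
  }
}
```

Deploy with `az deployment group create` into the resource group that holds the storage account; the alert state then appears under Azure Monitor alerts at the configured severity whenever the 15-minute transaction total exceeds the threshold.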
Section Conclusion
SECTION CONCLUSION: MONITORING SECURITY WITH AZURE MONITOR

The conclusion recaps the four lessons of this section: Azure Monitor Overview (key monitoring capabilities), Logging and Retention (diagnostic settings), Azure Monitor Logs (architecture), and Azure Monitor Alerts (configuring alerts).

Section Introduction
SECTION BREAKDOWN

Monitoring Security with Azure Sentinel

What Is Azure Sentinel?
Basic Configuration
Analysis and Alerts

SECTION INTRODUCTION: MONITORING SECURITY WITH AZURE SENTINEL

The Goal of This Section

Learn the basics of Azure Sentinel.
We'll walk through the fundamentals of the Azure Sentinel service, as well as collecting and actioning data.

Understanding Azure Sentinel
Understand the key pillars of the Azure Sentinel capabilities.

Gathering Data
Learn how to deploy Azure Sentinel and collect security monitoring data.

Actioning Data
Implement analysis and alerts based on specific criteria.
Azure Sentinel Overview
LESSON BREAKDOWN

Overview
Fundamental Capabilities
Key Features
AZURE SENTINEL OVERVIEW

Overview

Azure Sentinel is a security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution.

(Diagram: Azure Sentinel at the center, surrounded by COLLECT, DETECT, INVESTIGATE, and RESPOND; connected sources include Web Servers, Azure Resources, Other Cloud Providers, Microsoft 365, Defender, and On-Premises Resources.)

AZURE SENTINEL OVERVIEW

Fundamental Capabilities

Azure Sentinel (SIEM + SOAR):
• COLLECT security data across your enterprise.
• DETECT threats with intelligence.
• INVESTIGATE incidents with the help of AI.
• RESPOND rapidly with automation.
AZURE SENTINEL OVERVIEW

Key Features

Data Connectors
Connect to a variety of data sources, including Microsoft and other third-party products.

Automation/Orchestration
Automate security tasks and responses through Azure Logic Apps-based playbooks.

Analytics and Alerts
Intelligently analyze monitoring data and create alerts for suspicious activities or threats.

Hunting
Proactively hunt for security threats across monitoring data, before an alert is triggered.

Workbooks
Integrate with Azure Monitor workbooks for interactive reporting and analysis.

Notebooks
Leverage Azure Machine Learning to extend analytics through Jupyter notebooks.
Azure Sentinel Configuration
LESSON BREAKDOWN

Architecture
Demonstration
AZURE SENTINEL CONFIGURATION

Architecture

Log Analytics Workspace
To house all monitoring data, a Log Analytics workspace must be created.

Data Connectors
We use data connectors to retrieve data. These are created by a variety of providers for a variety of data types.

SIEM/SOAR
Sentinel's power is in what we do with the data (e.g., using analytics, workbooks, hunting, automation, or other capabilities).

(Diagram labels: Data Sources; Data Ingestion; Log Analytics Workspace; Azure Sentinel.)

Azure Sentinel Alerts and Incidents
LESSON BREAKDOWN

Configuring Alerts
Rule Types
Demonstration
AZURE SENTINEL ALERTS AND INCIDENTS

Configuring Alerts

Analytics Rule Templates
Microsoft provides several pre-built rule templates. These can be used (and often customized) to identify security issues.

Active Analytics Rules
Once an analytics rule has been created and enabled, it will perform the appropriate analysis to look for security issues.

Incidents
If an issue is identified by an analytics rule, an incident can be created. Azure Sentinel provides incident management capabilities.

(Diagram labels: Log Analytics Workspace; Azure Sentinel; Analytics; Alerts.)

AZURE SENTINEL ALERTS AND INCIDENTS

Rule Types

Microsoft Security
Automatically create incidents from alerts generated by other Microsoft security solutions (in real time).

Anomaly
Use SOC-ML to detect specific types of anomalous behavior. Can be fine-tuned using a duplicate in Flighting mode.

Fusion
Multi-stage attack detection using machine learning. Logic is hidden and not customizable. Only one rule allowed.

Scheduled
Leverages built-in queries written by Microsoft security experts. The rules query data on a scheduled basis.

ML Behavioral
Proprietary Microsoft machine learning-based analytics. Logic is hidden and not customizable. Only one rule allowed.
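A Scheduled analytics rule deployed with Bicep against an existing Sentinel-enabled workspace, as an added example that is not part of the course material: the KQL runs on the rule's schedule over StorageRead logs (assumed to have been routed to the workspace via diagnostic settings, which populates the StorageBlobLogs table), counts successful anonymous blob reads per caller, and creates an incident when any caller exceeds an assumed threshold.

```bicep
// Added example, not course material. Assumes an existing Log Analytics
// workspace with Azure Sentinel enabled and StorageRead diagnostic logs
// routed to it (StorageBlobLogs table). The threshold (100) is an assumed value.
param workspaceName string
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}
// Scheduled rule: the KQL runs every hour over the last hour of data and an
// incident is created whenever it returns more than zero rows.
resource rule 'Microsoft.SecurityInsights/alertRules@2022-11-01' = {
  name: guid(law.id, 'anonymous-blob-read-volume')
  scope: law
  kind: 'Scheduled'
  properties: {
    displayName: 'High volume of anonymous blob reads from one caller'
    severity: 'Medium'
    enabled: true
    query: '''
StorageBlobLogs
| where Category == "StorageRead"
| where AuthenticationType == "Anonymous"   // no SAS, key, or OAuth credential
| where StatusCode == 200                   // successful reads only
| summarize Reads = count(), Blobs = dcount(Uri),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by CallerIpAddress, AccountName
| where Reads > 100                         // assumed threshold per caller per hour
| project FirstSeen, LastSeen, AccountName, CallerIpAddress, Reads, Blobs
'''
    queryFrequency: 'PT1H'        // how often the rule runs
    queryPeriod: 'PT1H'           // lookback window the query sees
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0           // any returned row raises an alert
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    tactics: [ 'Collection' ]
    // Map the caller's IP to an entity so the incident carries it for investigation.
    entityMappings: [
      {
        entityType: 'IP'
        fieldMappings: [ { identifier: 'Address', columnName: 'CallerIpAddress' } ]
      }
    ]
    incidentConfiguration: { createIncident: true }
  }
}
```

Before enabling it, run the query by hand in Azure Monitor Logs against a few days of data and tune the threshold to the account's normal anonymous read volume, or the rule will page the SOC on legitimate public-container traffic.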
Section Conclusion
SECTION CONCLUSION: MONITORING SECURITY WITH AZURE SENTINEL

The conclusion recaps the three lessons of this section: Sentinel Overview (fundamental capabilities), Sentinel Architecture (data sources, connectors, and the workspace), and Sentinel Analytics and Alerts (rule templates, active rules, and incidents).

Preparing for the Exam
LESSON BREAKDOWN

About the Exam
Tips
Final Words

AZ-500 Microsoft Azure Security Technologies

About the Exam

Exam
Review the exam page for important details. The exam page includes important details like the exam skills outline and scheduling.

Questions
Be prepared for different question types. Microsoft exams include a variety of question types, like multi-choice and drag and drop.

Passing
The passing score for AZ-500 is 700. AZ-500 scores are reported on a scale of 1 to 1,000, and are scaled such that 700 is a pass.

Tips
• Review the documentation.
• Configure and implement.
• Review the course content.
• Set a date and schedule your exam.
• Study in whatever way you find works best for you.
• Remember to take some time to relax.

Final Words
"Success is not final, failure is not fatal; it is the courage to continue that counts." — Winston Churchill