Study Guide - AZ-500 Microsoft Azure Security Technologies
James Lee
TRAINING ARCHITECT
SECTION BREAKDOWN
• Identities in Azure AD
• Organizing Azure AD

SECTION INTRODUCTION: THE AZURE AD IDENTITY PLATFORM
Identity Fundamentals: We’ll build fundamental knowledge relating to identity, which will be leveraged throughout this course.
Securing Applications: Securing the solutions we build. Note this doesn’t always require Azure AD.
Securing the Platform: Securing Azure services. Note this doesn’t always require Azure AD.

LESSON BREAKDOWN
• Authentication and Authorization
• Example

AZURE AD AUTHENTICATION AND AUTHORIZATION
The security model in traditional environments was based on the network perimeter. All resources were typically secured within the network perimeter, behind a firewall separating the internal network from the internet.

What Happened?
With the advent of cloud, users are now accessing applications, services, and enterprise resources in so many different ways, both inside and outside of the traditional on-premises environment: SaaS applications over the internet, remote users, and on-premises resources.

Identity is now at the center of cloud security, and it is the new security perimeter.

IAM: Azure AD facilitates identity and access management (IAM). This helps provide security through three main components.
AZURE AD: The identity platform.
The three components:
• Identity
• Authentication: are you who you say you are?
• Authorization: are you allowed access?
LESSON BREAKDOWN
• The Association
• Example
• Demonstration

AZURE AD TENANT AND AZURE SUBSCRIPTION ASSOCIATIONS
If Azure AD can facilitate identity and access management for so many services, how is this established?
Example Association
An Azure Active Directory tenant (capsecco.onmicrosoft.com) is associated with Microsoft Azure: an Azure subscription trusts a single Azure AD tenant.

LESSON BREAKDOWN
• Changing Directories

MANAGING AZURE AD TENANT AND AZURE SUBSCRIPTION ASSOCIATIONS
The tenant capsecco.onmicrosoft.com is associated with the subscription Production Sub 1. Three kinds of roles are in play:
• Classic Subscription Admin Roles (“old” account management roles), e.g. Co-Administrator and Service Admin.
• Azure AD Roles.
• Azure RBAC Roles.

Creating a Subscription
A newly created (empty) subscription has a Service Admin and an associated tenant (capsecco.onmicrosoft.com).

Changing Directories
A subscription can be moved from its associated tenant (capsecco.onmicrosoft.com) to another tenant (capseccodev.onmicrosoft.com). Role assignments on the subscription (such as Owner) and managed identities are tied to the original tenant and do not carry across to the new one.

LESSON BREAKDOWN
• Demonstration

AZURE AD IDENTITIES
Common Scenarios
Azure AD helps support authentication and authorization for a variety of scenarios. As an identity platform, it uses objects and metadata to represent security information about users, applications, and much more. The scenarios include remote staff and on-premises staff and resources reaching SaaS applications over the internet and resources in Azure, represented in the Azure AD tenant by user accounts, applications, and managed identities.

Identity Types
High-level overview of some of the key differences in identity types:
USER: Represents a staff member within the organization. Can be cloud users, synchronized users, and guest users.
APP: Represents an application in use within the tenant. Can include apps running in Azure or elsewhere.
MANAGED: Represents a service within the Azure subscription. Only supports services running in Azure.
LESSON BREAKDOWN
• Introduction
• Membership Types
• Demonstration

AZURE AD GROUPS
Groups help to reduce the effort required to manage security and access. They can also improve security by ensuring access controls are kept up to date. Groups in the Azure AD tenant can govern access to SaaS apps and to Azure.

Group Types
There are two group types available within the Microsoft ecosystem:

Membership Types
Overview of some key differences in how membership is controlled:
ASSIGNED: Members are assigned by administrators or owners of the group.
DYNAMIC: Members are dynamically controlled based on device/user attributes.

LESSON BREAKDOWN
• Introduction
• Dynamic Group Types
• Configuration
• Demonstration

AZURE AD DYNAMIC GROUPS
Example: a user with the properties below is evaluated against the membership rule of groups such as “Apps - Office” (which grants the SaaS apps), “Finance Team”, and “Azure Billing Management”.

Property      Value
name          Sarah
jobTitle      Accountant
department    Finance
country       Australia
companyName   Catch-a-Phish Security

Example: a device with the properties below is evaluated against a device-based membership rule.

Property         Value
displayName      CAPSECLAP001
deviceOSType     Windows
deviceOSVersion  10.0.19042.0
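Membership rules are expressions over the attributes in these tables. The following is an added example, not code from the study guide: a small evaluator for a subset of the Azure AD rule syntax (user./device. operands, -eq, -ne, -startsWith, -contains, -and, -or, parentheses, null) run against Sarah and CAPSECLAP001. It assumes case-insensitive string comparison and that -and binds tighter than -or; the sample objects are constructed from the tables above.

```python
"""Toy evaluator for Azure AD dynamic membership rules (added example).

Not code from the study guide. Supports a subset of the rule syntax:
user.<attr> / device.<attr> operands, -eq -ne -startsWith -contains, -and -or,
parentheses and the literal null. Assumptions: string comparisons are
case-insensitive and -and binds tighter than -or.
"""
import re

# Constructed sample objects mirroring the guide's property tables.
SARAH = {"name": "Sarah", "jobTitle": "Accountant", "department": "Finance",
         "country": "Australia", "companyName": "Catch-a-Phish Security"}
LAPTOP = {"displayName": "CAPSECLAP001", "deviceOSType": "Windows",
          "deviceOSVersion": "10.0.19042.0"}

_TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z0-9_.]+)')


def tokenize(rule):
    """Split a rule into parentheses, quoted strings, -operators and operands."""
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"cannot tokenize rule near {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _literal(tok):
    if tok == "null":
        return None
    if tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1]
    raise ValueError(f"expected a quoted string or null, got {tok!r}")


def _compare(actual, op, expected):
    """One comparison; an attribute the object lacks (None) only equals null."""
    if op == "-eq":
        if actual is None or expected is None:
            return actual is None and expected is None
        return actual.lower() == expected.lower()
    if op == "-ne":
        return not _compare(actual, "-eq", expected)
    if actual is None or expected is None:
        return False
    if op == "-startsWith":
        return actual.lower().startswith(expected.lower())
    if op == "-contains":
        return expected.lower() in actual.lower()
    raise ValueError(f"unsupported operator {op!r}")


class _Parser:
    """expr := term (-or term)*; term := factor (-and factor)*; factor := (expr) | operand op value"""

    def __init__(self, tokens, kind, obj):
        self.tokens, self.kind, self.obj, self.i = tokens, kind, obj, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "-or":
            self.take()
            value = self.term() or value  # term() always runs, so no tokens are skipped
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "-and":
            self.take()
            value = self.factor() and value
        return value

    def factor(self):
        if self.peek() == "(":
            self.take()
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        operand, op, literal = self.take(), self.take(), self.take()
        prefix, _, attr = operand.partition(".")
        if prefix != self.kind or not attr:
            raise ValueError(f"operand {operand!r} must be {self.kind}.<attribute>")
        return _compare(self.obj.get(attr), op, _literal(literal))


def is_member(rule, obj, kind="user"):
    """True if the user or device attribute dict `obj` satisfies `rule`."""
    parser = _Parser(tokenize(rule), kind, obj)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result
```

A rule that tests an attribute the object does not carry (for example user.mail on Sarah) matches only against null, which is why incomplete directory data silently drops members from dynamic groups.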
LESSON BREAKDOWN
• Introduction
• Demonstration

AZURE AD ADMINISTRATIVE UNITS
Example: the Azure AD tenant is divided into administrative units for Australia and India. Within their own unit, delegated administrators can:
- Create users/groups
- Manage membership
SECTION CONCLUSION: THE AZURE AD IDENTITY PLATFORM
Identity Fundamentals: We’ll build fundamental knowledge relating to identity, which will be leveraged throughout this course.
Securing Applications: Securing the solutions we build. Note this doesn’t always require Azure AD.
Securing the Platform: Securing the Azure services. Note this doesn’t always require Azure AD.

Identity is now at the center of cloud security, and it is the new security perimeter.

Association: the Azure Active Directory tenant (capsec.onmicrosoft.com) is associated with Microsoft Azure and provides authentication and authorization for it.

Identity Types: Azure AD helps support authentication and authorization for a variety of scenarios. As an identity platform, it uses objects and metadata to represent security information about users, applications, and much more. Remote staff reach SaaS applications over the internet, represented by user accounts, applications, and managed identities.

Security Groups: for example the group “Apps - Office” in the Azure AD tenant controls access to SaaS apps.

Identity Synchronization
To support features like single sign-on, identities must be synchronized between the source and destination directories.

Authentication Management
In hybrid environments, it is important to control how and where user authentication will occur. The diagram contrasts synchronization of identity only, synchronization of identity plus password hashes (Identity + PHS), and authentication passed back through a tunnel.
SECTION INTRODUCTION: HYBRID IDENTITY

SECTION INTRODUCTION: CONTROLLING ACCESS
Authorization: Leveraging Azure AD, we will learn methods for controlling access to both Azure and Azure AD resources.
Securing Applications: Securing the solutions we build. Note this doesn’t always require Azure AD.

LESSON BREAKDOWN
• Introduction
• Azure AD Benefits
• Authentication Methods

AZURE AD CONNECT AND HYBRID IDENTITIES
Identity can exist in a number of places: cloud identities in the Azure AD tenant (capsec.onmicrosoft.com), Azure AD B2B guests, registered apps, and on-premises directories synchronized through Azure AD Connect. With hybrid identity, the goal is to make sure identity is centralized, simplified, and users can leverage a single identity for accessing resources.

Synchronization
Identities are synchronized from the on-premises directory into the Azure AD tenant. With password hash synchronization (Identity + PHS), Azure AD Connect also synchronizes a hash (of a hash) of user passwords.

Authentication Management
In hybrid environments, it is important to control how and where user authentication will occur.
SECURING AZURE AND AZURE ACTIVE DIRECTORY (AD)
Example: in the tenant capsec.onmicrosoft.com (with the subscription Production Sub 1), the delegated administrators Mal and Carla hold permissions such as creating administrative units, creating/modifying objects, and resetting user passwords.
LESSON BREAKDOWN
• Overview
• Azure AD B2C
• Demonstration

AZURE AD EXTERNAL IDENTITIES
Where It Began
External identities help to provide seamless access (single sign-on) to enterprise resources or custom applications by leveraging the Azure AD identity platform. For enterprise access, cloud accounts are invited as guests or synchronized; for custom apps, local accounts are integrated alongside external/partner identities.

External identities are a progression and combination of both Azure AD B2C and Azure AD B2B: the Azure AD tenant (capsecco.onmicrosoft.com) holds guest and synchronized cloud accounts and integrates external identity providers to give access to enterprise resources and custom apps.

Guest Access
Azure AD B2B allows external users to be invited as guests, providing seamless, licensed access to enterprise resources.

External Identities
Supports several identity providers, including work/school accounts, Gmail, Facebook, SAML, and WS-Fed.

Collaboration Settings
Administrators can configure external collaboration settings for external identities within the Azure AD tenant.

B2C Tenant
Identity information is stored within a dedicated Azure AD B2C tenant (not within the customer’s existing Azure AD tenant).

Integration
Many different social identities are available, as well as SAML and WS-Fed-based identity provider federation.
LESSON BREAKDOWN
• Overview
• Configuration
• Important Considerations

AZURE ROLE-BASED ACCESS CONTROL (RBAC)
Overview
The diagram shows an Administrator holding the Owner role (full access) at the management group MG1, while Jenny, who needs permissions to manage VMs and one storage account, is given narrower roles: Contributor on the VMs and Storage Account Contributor on the storage account.

Configuration
A role assignment brings together:
1 Security Principal
2 Role Definition, e.g.
• Owner
• Reader
3 Scope

Important Considerations
Built-In Roles: Various preconfigured roles exist like Owner, Contributor, etc.
LESSON BREAKDOWN
• Overview
• Configuration
• Demonstration

AZURE AD ROLES
Overview
The diagram shows an Admin who requires permissions over ungrouped resources as well as the administrative units AU1 and AU2.

Configuration
A role assignment brings together:
1 Security Principal
2 Role Definition, e.g.
• Global Administrator
• Application Administrator
• License Administrator
3 Scope

Important Considerations
Built-In Roles: Various preconfigured roles exist like Global Administrator, User Administrator, etc.
LESSON BREAKDOWN
• Demonstration

CUSTOM ROLES
The example role below sits under the management group MG1 and applies to the Production Sub 1 subscription (but not Development Sub 1).

{
  "name": "Junior Helpdesk Admins",
  "actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Support/*"
  ],
  "notActions": [],
  "dataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "notDataActions": [],
  "assignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}

Metadata
The name of the role (Junior Helpdesk Admins).

Permissions
Defines a set of both allowed (actions) and denied (notActions) operations.

DataActions and NotDataActions
Specifies the data operations that the role allows or excludes (e.g., reading blobs within a storage account).

Assignable Scopes
Specifies where the role can be assigned: the management groups, subscriptions, or resource groups listed in assignableScopes.

BONUS TIP
Azure AD custom roles are for Azure AD permissions. This is why the role is based on microsoft.directory.
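To see how the actions, notActions, dataActions and assignableScopes of the Junior Helpdesk Admins role combine, here is an added example (not code from the study guide) that applies the Azure RBAC evaluation the lesson describes to a list of requested operations: an operation is granted when it matches an allowed entry and no denied entry, control-plane and data-plane lists never cross over, and an assignment is valid only at or below an assignable scope. The subscription id is a constructed sample standing in for the guide's {subscriptionId} placeholder.

```python
"""Check requests against an Azure custom role definition (added example).

Not code from the study guide. Applies the RBAC evaluation the lesson
describes: a control-plane operation is granted when it matches an entry in
"actions" and none in "notActions"; data-plane operations use
"dataActions"/"notDataActions" the same way; '*' is a wildcard. A role can
only be assigned at or below one of its "assignableScopes".
"""
import re

SUBSCRIPTION = "/subscriptions/11111111-2222-3333-4444-555555555555"  # constructed sample id

# The guide's "Junior Helpdesk Admins" role, with the {subscriptionId} placeholder filled in.
JUNIOR_HELPDESK_ADMINS = {
    "name": "Junior Helpdesk Admins",
    "actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Support/*",
    ],
    "notActions": [],
    "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    ],
    "notDataActions": [],
    "assignableScopes": [SUBSCRIPTION],
}


def matches(pattern, operation):
    """Wildcard match: '*' matches any run of characters (including '/'); case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def permits(role, operation, data_action=False):
    """Return True if the role grants `operation`.

    Control-plane operations are checked against actions/notActions and
    data-plane operations against dataActions/notDataActions; the two pairs
    never cross over, so the blob read in dataActions grants no management
    operation. A matching Not* entry always wins (effective = allowed - denied).
    """
    allowed = role["dataActions"] if data_action else role["actions"]
    denied = role["notDataActions"] if data_action else role["notActions"]
    if any(matches(p, operation) for p in denied):
        return False
    return any(matches(p, operation) for p in allowed)


def scope_is_assignable(role, scope):
    """An assignment scope must equal, or sit underneath, an assignable scope."""
    scope = scope.lower().rstrip("/")
    for allowed in role["assignableScopes"]:
        allowed = allowed.lower().rstrip("/")
        if scope == allowed or scope.startswith(allowed + "/"):
            return True
    return False


def audit(role, requests):
    """Classify (operation, is_data_action) pairs into allowed and denied lists."""
    result = {"allowed": [], "denied": []}
    for operation, is_data in requests:
        key = "allowed" if permits(role, operation, is_data) else "denied"
        result[key].append(operation)
    return result


if __name__ == "__main__":
    sample = [
        ("Microsoft.Compute/virtualMachines/read", False),
        ("Microsoft.Compute/virtualMachines/start/action", False),
        ("Microsoft.Compute/virtualMachines/delete", False),
        ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", True),
    ]
    for verdict, operations in audit(JUNIOR_HELPDESK_ADMINS, sample).items():
        print(verdict, operations)
```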
SECTION CONCLUSION: CONTROLLING ACCESS
Azure RBAC: a role assignment consists of 1) a security principal, 2) a role definition (e.g. Owner, Reader), and 3) a scope.
Azure AD roles: a role assignment consists of 1) a security principal, 2) a role definition (e.g. Global Administrator, Application Administrator, License Administrator), and 3) a scope.
Custom roles: a role definition such as “Junior Helpdesk Admins” carries metadata (the name), permissions (actions, notActions, dataActions, notDataActions, defining both allowed and denied operations), and assignable scopes (the management groups, subscriptions, or resource groups where the role can be assigned).
Just like RBAC, but for Azure AD… Azure AD custom roles are for Azure AD permissions. This is why the role is based on microsoft.directory.
SECTION BREAKDOWN
• Reviewing Access
• Conditional Access

SECTION INTRODUCTION: SECURING IDENTITIES AND ACCESS
For each identity, the questions are: which resources? Are the assigned roles needed now? Are additional controls required?

Intelligent IAM: Leveraging Azure AD, we will learn of advanced features and services that protect identity and access.
Securing Applications: Securing the solutions we build. Note this doesn’t always require Azure AD.
Securing the Platform: Securing the Azure services. Note this doesn’t always require Azure AD.
Identity and Access Management: Securing access to resources and identity itself.

LESSON BREAKDOWN
• The Problem
• Getting Started
• Demonstration

AZURE AD PRIVILEGED IDENTITY MANAGEMENT
The Problem
In the tenant capsec.onmicrosoft.com, Freddy, a project engineer, has Global Administrator privileges for the Azure AD tenant, and Lauren, a security engineer, is an Authentication Administrator for an administrative unit. A hacker holding compromised credentials for either account gains those standing privileges, for example after-hours.

Privileged Identity Management
Approval: users who are assigned privileges must request approval before they will be activated.
Audit history: download and access logs which detail all Privileged Identity Management activities.
LESSON BREAKDOWN
• Overview
• Implementation Timeline
• Important Features
• Demonstration

ACCESS REVIEWS
Implementation Timeline
What does an Access Reviews implementation look like in the real world? The timeline on the slide runs from March 1 to March 15.

Important Components
Azure Portal: Configure Access Reviews; review/apply Access Reviews results.
Access Panel: Separate interface for reviewers (including owner self-review).

Review Types
Review type          Configured in                              Reviewers                         Interface
APP ASSIGNMENT       Azure AD Access Reviews, enterprise apps   Specified reviewers, self-review  Access panel
AZURE AD ROLE        Azure AD PIM                               Specified reviewers, self-review  Access panel
AZURE RESOURCE ROLE  Azure AD PIM                               Specified reviewers, self-review  Access panel
LESSON BREAKDOWN
• Purpose
• Configuration Overview

AZURE AD IDENTITY PROTECTION
Purpose
81% of breaches are caused by credential theft [1]; 73% of passwords used are duplicates [2]; 50% of employees use apps that aren’t approved by the enterprise [3]. -- Microsoft Ignite
2M compromised accounts detected in August 2020.
[Figure: Relative impact of COVID-19 themed attacks across the world by file count (as of April 7, 2020)]

Configuration Overview
Details: Identity Protection policies are defined in the Azure AD tenant (capsec.onmicrosoft.com) and apply to cloud users accessing cloud resources. Requires Azure AD Premium P2 licensing.
Assignment: When the policy will trigger. This includes defining the applicable users/groups and the risk level condition (e.g. HIGH risk).
Control: What to do when the policy triggers. The action can be to block or allow a sign-in, or allow access but require MFA.

Important Considerations
MFA Registration: Policies that require MFA will block access if the user is not registered with MFA. The MFA registration policy can assist with MFA rollouts.
Conditional Access: Azure AD Conditional Access supports more granular/flexible policies that can also leverage Identity Protection risk data.
LESSON BREAKDOWN
• Overview
• Configuration
• Demonstration

AZURE AD CONDITIONAL ACCESS
Details: Conditional Access policies are defined in the Azure AD tenant (capsec.onmicrosoft.com) for access to cloud resources.
Assignment: The users/groups that the policy applies to, as well as the cloud app or action being accessed. It is also possible to include the conditions under which access is being requested. The example access policy targets all users accessing Office from Windows devices.
LESSON BREAKDOWN
• Overview
• Authentication Flow
• Passwordless Methods
• Demonstration

AZURE AD PASSWORDLESS AUTHENTICATION
We’ve spoken about protecting identities and privileges. Let’s look at how we can also protect credentials.

Authentication Flow
A developer signs in to a user account with a username (jsmith) and a password.

Passwordless Methods
After registration, the user account can sign in with the Microsoft Authenticator App or FIDO2 Security Keys instead of a password. The methods are enabled under Azure AD Admin > Authentication Methods > Policies.
SECTION CONCLUSION: SECURING IDENTITIES AND ACCESS
For each identity, ask: which resources? Are the assigned roles needed now? Are additional controls required?

Azure AD Privileged Identity Management: a user’s privileges over Azure AD or Azure are governed through PIM, with approval and audit history.

Access Reviews
Review type          Configured in                              Reviewers                         Interface
APP ASSIGNMENT       Azure AD access reviews, enterprise apps   Specified reviewers, self-review  Access panel
AZURE AD ROLE        Azure AD PIM                               Specified reviewers, self-review  Access panel
AZURE RESOURCE ROLE  Azure AD PIM                               Specified reviewers, self-review  Access panel

Azure AD Identity Protection: risk policies for cloud users in the Azure AD tenant (capsec.onmicrosoft.com). Requires Azure AD Premium P2 licensing.

Azure AD Conditional Access: access policies for the Azure AD tenant (capsec.onmicrosoft.com), e.g. all users accessing Office. Requires Azure AD Premium P1 licensing. Assignment: the users/groups the policy applies to and the cloud resources being accessed; it is also possible to include the conditions under which access is being requested.

Passwordless Authentication

SECTION BREAKDOWN
• Routing
• Traffic Filtering
• DDoS Protection

SECTION INTRODUCTION: SECURING VIRTUAL NETWORKS

LESSON BREAKDOWN
• Configuration
• Demonstration

VIRTUAL NETWORK ROUTING
Default Behavior
Internet Connectivity: Using the 0.0.0.0/0 prefix, there is a default route to the internet.
Virtual Network Connectivity: Traffic is automatically routed between subnets (e.g. subnet1 and subnet2) using all specified address ranges.
Service-Specific Connectivity: Configuring some services results in route configuration (e.g., VNet peering or ExpressRoute).

Custom Routes
Used to change the default routing behavior, using various next hop types.

Important Considerations
Route Priority: When multiple routes contain the same address prefix, the following priority is used:

LESSON BREAKDOWN
• Configuration
• Demonstration

NETWORK SECURITY GROUPS
Overview
Network Security Group (NSG): Filters traffic to and from virtual networks.
Filter Traffic: Create rules to define what is and is not allowed.
Multi-Layered: Enforce traffic filtering at the subnet and NIC layers.
Prioritized Rules: Leverage priorities to define complex security rules.

Configuration
Filter Traffic: What traffic will we allow or deny? This includes source, source port, destination, destination port, and protocol.
Default Rules: NSGs include several default rules, such as DenyAllInbound. These cannot be deleted, but can be overridden.
Priority: To support different scenarios, we must define priorities for rules. The lower the number, the higher the priority.

Assign to a NIC: An NSG has no effect unless it is assigned. NSGs can be associated directly with a NIC on a virtual machine.
Assign to a Subnet: NSGs can also be associated with a subnet, meaning the rules apply to all resources within the subnet.

Important Considerations
1 Differences with Public IPs: Without an NSG, all traffic is allowed by default if your resource has a public IP address. This is not the case for Standard SKU public IPs.
2 Rules Are Stateful: NSGs are stateful, which means that reply traffic is allowed automatically if the sending traffic has been allowed.
3 Best Practice: It is considered best practice to block all traffic, except that which is required. This is commonly referred to as “default deny.”
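The priority, default-rule and assignment behaviour above (and the "follow the traffic, first match wins" rule restated in the section conclusion) can be traced with the following added example, which is not code from the study guide: a small simulator for inbound NSG evaluation. The default rule names and priorities are Azure's; the custom rules, the VM address 10.1.1.4 in subnet1, and the prefixes behind the service tags are constructed for the demo, and an NSG that is not attached (None) is modelled as imposing no filtering at all.

```python
"""Simulate Azure NSG inbound rule evaluation (added example).

Not code from the study guide. Models the behaviour the guide describes:
rules are evaluated in ascending priority (lower number wins) and the first
match decides; the default rules sit behind custom rules and cannot be
deleted, only overridden; an NSG only takes effect once attached to a subnet
or NIC; and when both carry an NSG, inbound traffic must be allowed by both
(subnet first, then NIC). Rules, addresses and tag prefixes are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # 100-4096 for custom rules; lower = evaluated first
    access: str           # "Allow" or "Deny"
    protocol: str = "*"   # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"     # CIDR, service tag or "*"
    destination: str = "*"
    dest_port: str = "*"  # "443", a range "1024-65535", or "*"


# Service tags stand in for Microsoft-managed prefix lists; constructed here.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.1.0.0/16"],        # the demo VNet's address space
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# Default inbound rules present in every NSG (Azure's names and priorities).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]


def _address_match(spec, address):
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(ip_address(address) in ip_network(prefix) for prefix in prefixes)


def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, flow):
    """Return (access, rule_name) for the first matching rule in priority order."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", flow["protocol"])
                and _address_match(rule.source, flow["src"])
                and _address_match(rule.destination, flow["dst"])
                and _port_match(rule.dest_port, flow["dport"])):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


def is_allowed(flow, subnet_nsg=None, nic_nsg=None):
    """Inbound: the subnet NSG is consulted first, then the NIC NSG; both must allow.
    None means no NSG is attached at that layer, so nothing is filtered there."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and evaluate(nsg, flow)[0] == "Deny":
            return False
    return True


# Constructed subnet NSG: the guide's "100 BLOCK RDP *" rule, an admin RDP
# exception that never fires because its priority number is higher, and HTTPS.
SUBNET_NSG = [
    Rule("BlockRDP", 100, "Deny", "Tcp", dest_port="3389"),
    Rule("AllowAdminRDP", 110, "Allow", "Tcp", source="203.0.113.10/32", dest_port="3389"),
    Rule("AllowHTTPS", 200, "Allow", "Tcp", dest_port="443"),
]


def flow(src, dport, protocol="Tcp", dst="10.1.1.4"):
    """Build an inbound flow towards VM1 (10.1.1.4 in subnet1, constructed)."""
    return {"src": src, "dst": dst, "protocol": protocol, "dport": dport}
```

Note that BlockRDP at priority 100 also beats the default AllowVnetInBound rule, so RDP from a peer inside the VNet is denied too; swapping the priorities of BlockRDP and AllowAdminRDP is what makes the admin exception effective.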
LESSON BREAKDOWN
• Service Tags
• Application Security Groups

AUGMENTED SECURITY RULES
Service Tags
Microsoft Managed: Microsoft manages the associated IP addresses of service tags, as Azure services can regularly change.
Easy to Leverage: Service tags can be used within both network security groups and Azure Firewall.

LESSON BREAKDOWN
• Overview
• Key Features
• Deployment
• Demonstration

AZURE FIREWALL
Overview
Azure Firewall: Filtering traffic to and from virtual networks.

Key Features
premises firewall. compared to NSGs. availability and scale.

Deployment Overview
2 Configure a Subnet: Azure Firewall must be deployed to a dedicated subnet called AzureFirewallSubnet. NSGs are disabled for this subnet.
3 Configure Routing: In order to have VNet resources (subnet1 in vnet1, or the peered spoke1-vnet and spoke2-vnet) leverage Azure Firewall, a custom route (0.0.0.0/0) must direct traffic to Azure Firewall.

Configuration Overview
Application Rules: source *, protocol http/https (ports 80, 443), target FQDN www.microsoft.com.
NAT Rules: destination 123.4.5.6 (the firewall’s public IP) on port 3389 is translated to a VM in subnet1 (VM1) on port 3389. With a NAT rule, we can configure inbound (DNAT) rules. Currently, outbound (SNAT) is managed by Microsoft using all public IPs.
LESSON BREAKDOWN
• Overview
• Deployment Architectures
• Demonstration

AZURE FIREWALL MANAGER
Overview
A Global Security Team maintains a Global Policy, from which the regional AU Policy and US Policy are derived.
Policy Entity: A dedicated Azure resource which houses network, application, NAT, and other Azure Firewall rules and settings.
Parent Policy: A policy can be assigned a parent policy. Child policies inherit network, application, and threat intelligence rules and settings.
Precedence: Parent network, application, and threat intelligence rules and settings take priority. Network rules are always processed before application rules.

Example policy with inheritance:
Name                       Inheritance
BaseRuleCollectionGroup1   Parent policy
NetworkRuleCollection1     Parent policy
ChildRuleCollectionGroup1
ChildNetRuleCollection1
ChildDNATRuleCollection1
ChildAppRuleCollection1

Deployment Architectures
Hub Virtual Networks vs Secured Virtual Hubs
• Hub virtual networks: Presently only supports Azure Firewall.
• Secured virtual hubs: Provides support for third-party firewalls/services.
LESSON BREAKDOWN
• Overview
• Features
• Pricing
• Configuration
• Demonstration

DDOS PROTECTION
Overview
DDoS Protection: Protect against distributed denial-of-service attacks.

Key Features

Pricing Options
Basic vs Standard
• Includes support

Configuration Overview
Protection Plan
Virtual Network: The DDoS protection plan will protect all resources within a virtual network (e.g. eastus-vnet, auseast-vnet, westus-vnet).
Subscription: Associating a DDoS protection plan with a subscription will protect all virtual networks within that subscription (Subscription 1, Subscription 2).
SECTION CONCLUSION: SECURING VIRTUAL NETWORKS
The key points to remember:

Routing (vnet1 with subnet1 and subnet2)
Default Connectivity: Default internet and intra-VNet connectivity. Routes can also be added by the system for some services.
Custom Routes: Used to change the default routing behavior, using various next hop types.
Route Priority: When multiple routes contain the same address prefix, the following priority is used:

Traffic Filtering (NSGs)
Assignment: Applies to NIC or subnet. Note that, at the subnet level, rules apply to all resources within a subnet.
Rule Processing: “Follow the traffic” to see which rules will take effect. Once a rule is matched, no further rules will be processed. The example rule on the slide has priority 100 and blocks RDP from any source (*) towards VM1 and VM2 in subnet1.
Service Tags: Microsoft manages several service tags (e.g. AzureBackup) to simplify working with various resources (usable from NSGs or Azure Firewall). Application security groups such as webservers-asg and dbservers-asg group VMs by their role.

Azure Firewall (Classic or Policy-Based)
Traffic Filtering: Security with network, application, and NAT rules. Rules can be prioritized, but network rule collections are processed before application rule collections. The example rules: an application rule from source * to target FQDN www.microsoft.com over http/https (ports 80, 443); network rules over TCP/UDP; and a NAT rule translating the public IP 123.4.5.6 on port 3389 to a VM in subnet1 on port 3389.

DDoS Protection
Protection Plan
Virtual Network: The DDoS protection plan will protect all resources within a virtual network (e.g. eastus-vnet, auseast-vnet, westus-vnet).
Subscription: Associating a DDoS protection plan with a subscription will protect all virtual networks within that subscription (Subscription 1, Subscription 2).
SECTION INTRODUCTION: SECURING INTEGRATED SERVICES AND NETWORKS

LESSON BREAKDOWN
• Overview
• Configuration
• Considerations
• Demonstration

SERVICE ENDPOINTS
Overview
Service Endpoints: Providing more secure, direct network access to supported services.
Configuration
System Routes: Optimal system routes are added so that all resources within a subnet use the Microsoft backbone for the given service.

Important Considerations
1 Private IP Addressing: Service endpoints do not establish a private IP address for the configured service(s).
2 Outbound Addressing: The private IP address of the source is provided to the service being accessed.

LESSON BREAKDOWN
• Connectivity
• Demonstration

PRIVATE LINK
Overview
Private Link: Private Link is similar to service endpoints, but with greater accessibility and control over security.

Connectivity
Secure Network Connectivity: Private Link connects a customer-owned virtual network (in the example, US West, through a private endpoint at 10.1.1.4) to Azure PaaS services and to customer/partner-managed services.
Granular Security: Granular protection against data leakage by supporting mapping to specific services.

Architecture
Private Endpoint: The network interface that connects to a supported service. Configured with DNS.
Connected Resource: The scoped Azure PaaS resource associated with Private Link (e.g. Microsoft Storage).
Private Link Service: A customer-managed solution exposed through Private Link.

LESSON BREAKDOWN
• Purpose
• Benefits
• Considerations

VNET PEERING
By default, a virtual network has some connectivity to other resources. However, they are otherwise fully isolated, secure, and completely independent of other virtual networks (vnet1, vnet2, vnet3).

Key Benefits
Virtual network peering (VNet peering) allows us to establish connectivity between virtual networks.
• VNet peering provides high bandwidth, low-latency interconnectivity between virtual networks.
• Interconnectivity with VNet peering leverages the Microsoft backbone (avoiding the public internet).
• There is support for several scenarios, providing flexible interconnectivity between VNets, wherever they are.

Considerations
The example peers vnet1 (US West, Subscription 1, 10.1.0.0/16 with subnet 10.1.0.0/20 and VM 10.1.1.10), vnet3 (Central US, 10.3.0.0/16, VM 10.3.1.10), and vnet2 (Australia Southeast, Subscription 2, VM 10.2.1.10).
• Provides connectivity over private IP.
• Supports cross-subscription connectivity.
• Supports cross-region connectivity.
• Address spaces cannot overlap.
LESSON BREAKDOWN
• Purpose
• Configuration
• Demonstration

VIRTUAL PRIVATE NETWORKS (VPN)
Our users regularly need secure network access to the resources we configure within the Microsoft ecosystem. How do we secure this network access? Encrypted network tunnels over the internet: a Point-to-Site VPN for remote users and a Site-to-Site VPN for on-premises networks, reaching the virtual network (and Microsoft 365 for users).

Configuration
The example connects a virtual network (10.1.0.0/16, with GatewaySubnet and Subnet1) to on-premises networks (192.168.0.0/16) behind a VPN device with public IP 1.2.3.4.
VPN Gateway: A VNet Gateway of VPN type. Must exist in a gateway subnet. VPN SKU determines features, bandwidth, etc.
VPN Connection: A resource used to establish the VPN connection, including authentication, encryption, and the VPN endpoint.

Comparison
vs
region, cross-Azure AD tenant.
(cross-subscription, cross-region).

LESSON BREAKDOWN
• Configuration
• Comparison

EXPRESSROUTE
For some enterprises, virtual private networks may not meet all of your organization’s security requirements. ExpressRoute can provide a more direct and secure connection to Microsoft cloud services, alongside the Point-to-Site VPN (remote users) and Site-to-Site VPN that cross the internet to reach Microsoft 365 and Azure.

Configuration
ExpressRoute Circuit: The connectivity into Microsoft global infrastructure, which leverages both Microsoft and partner edge networking.
Peering: Private or Microsoft peering facilitates a secure connection to virtual networks or Microsoft 365, respectively.
ExpressRoute Gateway: A VNet Gateway of ExpressRoute type. Must exist in a gateway subnet (GatewaySubnet). SKU determines features, bandwidth, etc.
The path runs from on-premises through the partner edge and the ExpressRoute circuit to the Microsoft edge.

Comparison
ExpressRoute vs VPN

LESSON BREAKDOWN
• Purpose
• Configuration
• Demonstration

SERVICE FIREWALLS
Many Azure services are built for global accessibility and scale. Many such services are publicly accessible by default. Your organization may still wish to control traffic to these services.

Purpose
Control inbound traffic, from VNets as well as the public internet (e.g. remote users).

Configuration Overview

LESSON BREAKDOWN
• Purpose
• Features
• Configuration
• Demonstration

APPLICATION GATEWAY
Using an Application Gateway, we can build secure, highly available web applications. An Application Gateway is often referred to as an application-aware (layer 7) load balancer. In the example, requests to www.capsecco.com/ and www.capsecco.com/sec/ are routed by URL path.

Key Features

Configuration Overview
Frontend IP: The IP address (public and/or private, e.g. 10.1.1.10) associated with the Application Gateway.
Listener: IP address, frontend port, protocol, and (if HTTPS is enabled) the associated SSL certificate that is used by the Application Gateway.
Rule (and Settings): The rule brings everything together, including HTTP settings (port, persistence, path-based routing, timeout period, etc.), the backend, and a custom probe.

LESSON BREAKDOWN
• Overview
• How It Works
• Configuration
• Demonstration

AZURE FRONT DOOR
Web Application
Acceleration and Delivery
at a Global Scale
User
Web Solution
Point of Presence
Azure Front Door is a content acceleration solution that leverages Microsoft’s global edge network to
provide fast connectivity to your solution across the globe.
Configuration
Frontend
Frontend host/domain (can be custom) where traffic will be directed to your global solution.
Backend
Backend pool to service the solution; supports integration with many Azure services, or custom/on-premises backends also.
Routing
Connects the frontend and backend. Additional features can be configured, including caching and URL path matching.
Web Application Firewalls
LESSON BREAKDOWN: Overview; Comparison; Demonstration
Protect Web Applications Against Threats and Exploits
Microsoft provides Web Application Firewall (WAF) capabilities within Azure to protect web applications:
Comparison: WAF on Application Gateway vs. WAF on Azure Front Door
WAF on Application Gateway:
• Supports Azure-managed and customer-managed rulesets.
• Based on OWASP Core Rule Set (CRS) 2.2.9, 3.0, and 3.1.
WAF on Azure Front Door:
• Supports Azure-managed and customer-managed rulesets.
• Protects against the common top OWASP vulnerabilities by default.
Service Endpoints
Diagram: remote users on the internet, and virtual network resources in Microsoft Azure, reaching Microsoft public services; VNet traffic uses the Microsoft backbone.
System Routes
Optimal system routes are added so that all resources within a subnet use the Microsoft backbone for the given service.
SECTION CONCLUSION: SECURING INTEGRATED NETWORKS AND SERVICES
Private Link
Private Endpoint
• The network interface that connects to a supported service.
Connected Resource
• The scoped Azure PaaS resource associated with Private Link (e.g., Microsoft Storage).
Private Link Service
• Customer-managed service operating behind a standard load balancer enabled for Private Link accessibility.
SECTION CONCLUSION: SECURING INTEGRATED NETWORKS AND SERVICES
VNet Peering
Diagram: vnet1 (US West, Subscription 1), vnet3 (Central US), vnet2 (Australia Southeast, Subscription 2); address labels shown: 10.1.1.10, 10.3.1.10, 10.2.1.10, 10.1.0.0/20, 10.1.0.0/16, 10.3.0.0/16.
• Provides connectivity over private IP.
• Supports cross-subscription connectivity.
• Supports cross-region connectivity.
• Address spaces cannot overlap.
SECTION CONCLUSION: SECURING INTEGRATED NETWORKS AND SERVICES
Our users regularly need secure network access to the resources we configure within the Microsoft ecosystem. How do we secure this network access?
Diagram: remote users reach Microsoft 365 and Azure over the internet via encrypted network tunnels (point-to-site), a site-to-site VPN, or ExpressRoute.
ExpressRoute
For some enterprises, virtual private networks may not meet all of your organization’s security requirements. ExpressRoute can provide a more direct and secure connection to Microsoft cloud services.
Diagram: ExpressRoute private peering to Microsoft, alongside internet access to Microsoft 365.
Service Firewalls
Many Azure services are built for global accessibility and scale. Many such services are publicly accessible by default. Your organization may still wish to control traffic to these services.
Diagram: the service firewall controls inbound traffic from remote users on the internet, from VNets as well as the public internet.
Application Gateways
Using an Application Gateway, we can build secure, highly available web applications. An Application Gateway is often referred to as an application-aware (layer 7) load balancer.
Diagram: path-based routing of www.capsecco.com/app/ to backends for …/* and …/videos.
SECTION CONCLUSION: SECURING INTEGRATED NETWORKS AND SERVICES
Azure Front Door
Diagram: user -> point of presence -> web solution.
Azure Front Door is a content acceleration solution that leverages Microsoft’s global edge network to provide fast connectivity to your solution across the globe.
Web Application Firewalls: WAF on Application Gateway vs. WAF on Azure Front Door
• Both support Azure-managed and customer-managed rulesets.
• Application Gateway WAF is based on OWASP Core Rule Set (CRS) 2.2.9, 3.0, and 3.1; Front Door WAF protects against the common top OWASP vulnerabilities by default.
SECTION INTRODUCTION: SECURING VIRTUAL MACHINES
Azure Bastion
LESSON BREAKDOWN: Purpose; Demonstration
AZURE BASTION
Administration of both Windows and Linux virtual machines is often a privileged responsibility. Azure Bastion can help us secure the way in which we perform this type of management.
Usage Overview
Diagram: a remote administrator connects over the internet (SSL) through a web client to Azure Bastion, deployed in the AzureBastionSubnet of a virtual network, and from there to VMs in that network or a peered network.
Important Considerations
Connectivity requires port 443 for SSL and HTML5 support in a web browser.
Just-in-Time VM Access
LESSON BREAKDOWN: Purpose; Implementation (Security Center); Demonstration
JUST-IN-TIME VM ACCESS
We’ve talked about time-limited access to privileges within Azure AD, but what about network access? Just-in-time VM access helps block traffic, except for times when access is needed.
Diagram: remote management (e.g., RDP or SSH) from the internet is blocked until access is requested.
Implementation
Auditing
The activity log provides an audit trail to view VM access requests and configuration information.
VM Endpoint Protection
LESSON BREAKDOWN: Overview; Features; Implementation; Demonstration
VM ENDPOINT PROTECTION
Overview
Antimalware
Free protection for your Microsoft virtual machines.
VM ENDPOINT PROTECTION
Implementation
Security Center
Deployment and reporting are managed through Security Center.
VM Extension
VM extensions are deployed to virtual machines to manage configuration and connectivity.
Agent
Supports the agent of the respective Windows operating system, and will apply configuration as appropriate.
Azure Disk Encryption
LESSON BREAKDOWN: Purpose; Implementation; Demonstration
AZURE DISK ENCRYPTION
Azure VM disks are encrypted at rest by default. The goal of Azure Disk Encryption is to protect the actual volumes stored within the VM disks themselves.
Diagram: OS, Data and Temp disks held in Azure Storage, protected by Server-Side Encryption (SSE) within the Azure global infrastructure.
AZURE DISK ENCRYPTION
Overview
Azure Disk Encryption (ADE)
Free protection for your Microsoft virtual machines.
AZURE DISK ENCRYPTION
Implementation
Virtual Machine
Azure Disk Encryption can be enabled for a virtual machine (standalone, or within a virtual machine scale set).
Virtual Machine Extension
A VM extension configures operating system encryption. Linux uses dm-crypt, and Windows uses BitLocker.
Key Vault
The keys/secrets used as part of the encryption and decryption of data are stored within Azure Key Vault.
Diagram: VM -> VM Extension -> encryption key in Key Vault, applied to the OS, Data and Temp disks.
AZURE DISK ENCRYPTION
Important Considerations
OS Support
Supported on Windows (BitLocker) and Linux (dm-crypt + VFAT).
VM Support
Does not support Basic, A-series VMs, or VMs that do not meet memory requirements.
Managing VM Updates
LESSON BREAKDOWN: Overview; Workflow; Demonstration
MANAGING VM UPDATES
Overview
Update Management
Automated and centralized update management.
MANAGING VM UPDATES
Workflow
Diagram: Automation (Hybrid Runbook Worker) drives the operating system update agent (Windows Update Agent, or Yum/APT/Zypper on Linux), with results reported through the Log Analytics agent.
1. Pre-steps
2. Updates (commence updates)
3. Post-steps
Section Conclusion
SECTION CONCLUSION: SECURING VIRTUAL MACHINES
Protect the VM
Storage
Encrypted with Server-Side Encryption and Azure Disk Encryption.
Infrastructure
Azure Bastion
Administration of both Windows and Linux virtual machines is often a privileged responsibility. Azure Bastion can help us secure the way we perform this type of management.
Diagram: remote administrator -> internet (SSL) -> Azure Bastion in the AzureBastionSubnet of a virtual network -> VMs in that network or a peered virtual network.
Just-in-Time VM Access
Deployment
Just-in-time VM access requires Azure Defender for Servers, and works by managing Azure Firewall and NSGs (NSG rules shown: 100 ALLOW RDP, 4096 DENY ALL).
Auditing
The activity log provides an audit trail to view VM access requests and configuration information.
Diagram: remote management (e.g., RDP or SSH).
SECTION CONCLUSION: SECURING VIRTUAL MACHINES
Microsoft Antimalware
Security Center
Deployment and reporting are managed through Security Center.
VM Extension
VM extensions are deployed to virtual machines to manage configuration and connectivity.
Agent
Supports the agent of the respective Windows operating system and will apply configuration as appropriate.
SECTION CONCLUSION: SECURING VIRTUAL MACHINES
Azure VM disks are encrypted at rest by default. The goal of Azure Disk Encryption is to protect the actual volumes stored within the VM disks themselves.
Diagram: OS, Data and Temp disks in Azure Storage, protected by Server-Side Encryption (SSE).
Automation Account
Service to facilitate process automation and configuration management, using a Hybrid Runbook Worker.
SECTION INTRODUCTION: SECURING APPLICATIONS WITH AZURE AD
Service Principals
LESSON BREAKDOWN: Overview; Demonstration
SERVICE PRINCIPALS
Authenticating an Application
Let’s assume the role of a developer creating a web app that can access resources in an Azure subscription.
Diagram (progression): Username + Password -> Client Secret -> Authorization (RBAC).
Managed Identities
LESSON BREAKDOWN: Overview; Demonstration
MANAGED IDENTITIES
MANAGED IDENTITIES
Authentication: client secret/certificate
Authentication Credentials
Managed Identities leverage the Azure platform to perform authentication without the need for client secrets or certificates.
Credential Security
Avoid the need to store credentials for your application/script within code.
Key Components
Managed Identity
An Azure resource (e.g., a web app) must be assigned a managed identity, which has an associated service principal.
Token Endpoint
A REST endpoint that Azure AD provides as a place to retrieve an access token for a resource.
Access Token
The access token can be used to access services supporting managed identities.
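The token-endpoint step described above, as an added Python example that is not part of the study guide: code on an Azure resource asks the platform's instance metadata (IMDS) token endpoint for a token and checks the result before using it. The IMDS URL, api-version, `Metadata: true` header and response fields are the documented ones; the sample response and sample JWT (and the client_id value in them) are constructed.

```python
"""Added example (not from the study guide): how code on an Azure resource
with a managed identity obtains an access token from the platform token
endpoint, so no client secret or certificate is stored with the app. The
IMDS URL, API version, 'Metadata: true' header and response fields are the
documented ones; the sample response and sample JWT are constructed."""
import base64
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Request for the token endpoint. IMDS rejects calls without the
    Metadata header, which is what stops a plain redirect or browser-driven
    request from reaching it."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:  # select a user-assigned identity if several are attached
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a JWT *without* verifying it: enough to inspect
    aud/appid/exp locally. The receiving API still validates the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def parse_token_response(body, expected_resource, now=None):
    """Validate the endpoint's JSON: the token must be for the resource we
    asked for (both the response field and the JWT audience), and we report
    how long it remains usable so callers can refresh before expiry."""
    data = json.loads(body)
    token = data["access_token"]
    if data.get("resource") != expected_resource:
        raise ValueError("token issued for a different resource")
    if jwt_claims(token).get("aud") != expected_resource:
        raise ValueError("token audience does not match requested resource")
    now = time.time() if now is None else now
    return {"access_token": token, "token_type": data["token_type"],
            "seconds_left": int(int(data["expires_on"]) - now)}


def get_token(resource, client_id=None, timeout=5):
    """Live call; only succeeds on an Azure resource with a managed identity."""
    req = build_token_request(resource, client_id)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode(), resource)


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample token and response in the documented shape (not a real
# token: the signature segment is a placeholder, not a valid RS256 signature).
RESOURCE = "https://management.azure.com/"
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000001"  # constructed
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": RESOURCE, "appid": SAMPLE_CLIENT_ID, "exp": 1700003600}),
    "placeholder-signature",
])
SAMPLE_RESPONSE = json.dumps({
    "access_token": SAMPLE_TOKEN, "expires_on": "1700003600",
    "resource": RESOURCE, "token_type": "Bearer", "client_id": SAMPLE_CLIENT_ID,
})
```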
API Access to Microsoft
LESSON BREAKDOWN: Recap of APIs; Securing APIs; Microsoft Authentication
API ACCESS TO MICROSOFT
APIs are something you already use in your day-to-day life. They’re just as helpful when developing solutions in the cloud, or even traditionally. We’ve already been using an API extensively when working with Azure.
Microsoft Graph
Microsoft Graph is a gateway to volumes of information stored across Microsoft 365 services. This includes data from Microsoft 365, Windows 10, and Enterprise Mobility + Security.
Diagram: a user's application reaching device, calendar and files data through Microsoft Graph.
In accordance with the OAuth 2.0 standard, access to a resource can be controlled granularly through the use of resource permissions (also known as scopes). Examples: Calendars.ReadWrite.Shared, Calendars.ReadWrite, Mail.Read, User.Read.All, User.ReadWrite.All.
Let’s consider the flow of information required when a web application accesses an API on behalf of a user (e.g., requesting User.ReadWrite.All and Mail.Read).
Delegated Permissions and Consent
LESSON BREAKDOWN: Overview; App Registration; Demonstration
DELEGATED PERMISSIONS AND CONSENT
Let’s assume the role of a developer creating a web app that can read and write through the Microsoft Graph API. Our focus is on security, but it helps to understand how this is set up.
User Consent
Users are able to consent to permissions that do not require administrator consent, but they cannot consent to wide-ranging permissions like unrestricted read/write access to all user information.
A Global Administrator is able to modify the default behavior: Azure AD > Enterprise Apps > Consent > User Settings.
Application Permissions and Consent
LESSON BREAKDOWN: Overview; App Registration; Demonstration
APPLICATION PERMISSIONS AND CONSENT
Let’s assume the role of a developer creating a non-interactive service that can read and write through the Microsoft Graph API. This application will authenticate as itself and require application permissions.
Admin Consent
Consenting to application permissions requires Global Admin or Privileged Role Admin privileges.
Section Conclusion
SECTION CONCLUSION: SECURING APPLICATIONS WITH AZURE AD
Service Principals
We use service principals to provide an identity for an application within Azure AD.
Diagram: authentication with a client secret or a client certificate.
Managed Identities
Managed identities provide supported Azure resources a more secure way to authenticate against Azure AD.
Diagram: platform-managed authentication; a system-assigned identity is tied to the resource, and the platform authenticates its service principal.
Applications registered in Azure AD can be configured to access resources via an API using permissions.
Diagram: a user's app reaching device, calendar and files data.
Applications accessing resources on behalf of a user require delegated permissions and consent (e.g., Mail.Read).
Diagram: consent to app permissions by a user or an admin (e.g., User.ReadWrite.All, Mail.Read) in Azure AD.
Overview
SECTION INTRODUCTION: SECURING DATA WITH KEY VAULT
Securing Application Data
Key Vault is an important Azure service that helps to secure data used for applications, automation, and administration.
Securing Applications: securing the solutions we build.
Securing the Platform: securing the Azure services we use (e.g., networking, compute, data).
Key Vault Overview
LESSON BREAKDOWN: Overview; Access Control; Demonstration
KEY VAULT OVERVIEW
Overview
When securing applications, we often have to store secret information that an application needs to access programmatically.
Diagram: apps and compute retrieve certificates, secrets and keys from Key Vault through its APIs.
Important Features
• Supports data types commonly leveraged by modern cloud apps, including secrets, keys, and certificates.
• Provides support for FIPS 140-2 Level 3 hardware security modules (HSM) or secure software-protected storage.
• Designed for programmatic access with centralized, secure accessibility through a REST endpoint.
KEY VAULT OVERVIEW
Important Components
Key Vault
Secure storage (software protection or hardware security modules (HSM)) accessible by a REST API.
Secret Information
Support for secrets, keys, and certificates. This also includes some additional management capabilities.
Access Control
Access to the Key Vault data plane can be controlled through either access policies or RBAC.
Diagram: management plane and data plane, each with its own access control.
KEY VAULT OVERVIEW
Access Control
Key Vault Administration
LESSON BREAKDOWN: Managing Objects; Lifecycle Control; Demonstration
KEY VAULT ADMINISTRATION
Managing Objects
Keys and certificates can be either generated or imported. Secrets can be created (as a binary object).
Version Control
Multiple versions of objects can exist (e.g., secret1 v1; key1 v1 and v2). This helps for rotation of security objects, minimizing downtime.
Lifecycle Control
Activation and expiration dates (Activate: mm/dd/yyyy, Expire: mm/dd/yyyy) can be configured for versions of objects (e.g., cert1). They also can be enabled/disabled.
Key Vault Backup and Recovery
LESSON BREAKDOWN: Soft Delete
KEY VAULT BACKUP AND RECOVERY
Soft-Delete
Soft-delete provides recycle bin-like functionality so items can be recovered for a retention period.
Purge Protection
Purge protection ensures soft-deleted items cannot be purged until the retention period has elapsed.
Diagram: backup and recovery within the same subscription and region pair (e.g., secret1, key1).
Section Conclusion
SECTION CONCLUSION: SECURING DATA WITH KEY VAULT
Key Vault
Secure storage (software protection or hardware security modules (HSM)) accessible by a REST API.
Secret Information
Support for secrets, keys, and certificates. This also includes some additional management capabilities.
Access Control
Access to the Key Vault data plane can be controlled through either access policies or RBAC.
Diagram: management plane and data plane, each with its own access control.
SECTION CONCLUSION: SECURING DATA WITH KEY VAULT
Managing Objects
Keys and certificates can be either generated or imported. Secrets can be created (as a binary object).
Version Control
Multiple versions of objects can exist. This helps for rotation of security objects, minimizing downtime.
Lifecycle Control
Activation and expiration dates can be configured for versions of objects. They also can be enabled/disabled.
SECTION CONCLUSION: SECURING DATA WITH KEY VAULT
Soft-Delete
Soft-delete provides recycle bin-like functionality so items can be recovered for a retention period.
Purge Protection
Purge protection ensures soft-deleted items cannot be purged until the retention period has elapsed.
Section Introduction
SECTION BREAKDOWN: Securing Apps; Isolating Apps; Securing Containers
SECTION INTRODUCTION: SECURING APPLICATION HOSTING
Azure App Service Security
LESSON BREAKDOWN: General Considerations
AZURE APP SERVICE SECURITY
General Considerations
When securing an app running in Azure App Service, it’s important to understand how the service is operated.
Diagram: users reach the App Service Plan over the internet; VNet Integration and Hybrid Connections link it to a VNet and on-premises resources.
Custom Domain (e.g., https://www.capsecco.com alongside the default https://capseccoapp.azurewebsites.net)
An app must be running on an App Service plan that supports custom domains (all except free pricing).
Certificate
To facilitate secure HTTPS encryption, a private certificate must be uploaded (password-protected PFX with 3DES).
Binding
To enable HTTPS access, a binding must be configured using a domain (SNI SSL) or a public IP address (IP SSL).
AZURE APP SERVICE SECURITY
App Setting
To load certificates, you must configure WEBSITE_LOAD_CERTIFICATES = <comma-separated-certificate-thumbprints>.
Certificates
Both private and public certificates can be used from within code.
Code
The app itself must leverage the certificates using the features/functions of the respective programming language (e.g., when calling a remote service/app/site).
Azure Functions Security
LESSON BREAKDOWN: General Considerations
AZURE FUNCTIONS SECURITY
General Considerations
When securing function apps in Azure, it’s important to understand how the service is operated.
Diagram: users reach Azure Functions over the internet; VNet and hybrid connectivity are also available.
Configuring SSL/TLS
Leveraging Certificates with Code
To load certificates, you must configure WEBSITE_LOAD_CERTIFICATES = <comma-separated-certificate-thumbprints>.
Enforcing HTTPS
You can redirect all HTTP requests to the HTTPS port by configuring HTTPS Only.
AZURE FUNCTIONS SECURITY
Host Keys
Can be used to access any function within the function app. A master key also exists for full administrative access.
Function Keys
Function keys provide access for a given function only. They take precedence over host keys if both are named the same.
Key Rotation
Keys can be rotated manually by creating multiple keys for app/client use and renewing key values as required.
App Service Environment
LESSON BREAKDOWN: Architecture; Demonstration
App Service Environment
• Deployed to a virtual network (and dedicated hosts).
• Access can be configured for either internal or external use.
• Leverage greater scale-out limits for hyperscale.
APP SERVICE ENVIRONMENT
Architecture
Hosting
Normal deployment uses multi-tenant hypervisors. Dedicated hosts can be used for further isolation.
Network
An App Service Environment (ASE) is deployed to an ASE subnet within a customer’s virtual network. Apps can communicate through the VNet.
Accessibility
Can be accessed publicly (external ASE) with public DNS, or privately (internal ASE) with private DNS zones.
App Service Plan (ASP)
An app is deployed to an ASP, which is deployed to an ASE. These are used as normal (based on OS and resources).
Diagram: App Service Plan(s) inside the App Service Environment within a virtual network, exposed via an ILB or a public IP.
Azure Container Registry Security
LESSON BREAKDOWN: Recap of Containers; Access Control; Demonstration
AZURE CONTAINER REGISTRY SECURITY
Recap of Containers
Let’s quickly recap some of the key components of a solution built with containers (a Dockerfile builds an image, which is pushed to a container registry and pulled by a container engine):
FROM nginx:alpine
WORKDIR /usr/share/nginx/html
COPY ./index.html ./
Access Control
Admin Account
Disabled by default, an admin account includes two access keys that provide full unfettered access to a registry (~$ docker push image / ~$ docker pull image).
Azure AD (RBAC)
Azure AD identities (e.g., service principals) can be provided access to ACR (e.g., using the roles AcrPush or AcrPull).
Network Security
The Premium SKU supports security features such as dedicated endpoints, private endpoints, and network rules.
AZURE CONTAINER REGISTRY SECURITY
Content Trust
Premium SKU.
ACR Tasks
Helps to automate tasks like image builds, OS and framework patching, and more.
Image Scanning
Container images should be scanned regularly for vulnerabilities.
Credential Protection
We can use services like managed identities and Azure Key Vault to help secure credentials.
Azure Container Instances Security
LESSON BREAKDOWN: General Guidelines; Container Groups; Demonstration
AZURE CONTAINER INSTANCES SECURITY
General Guidelines
Let’s consider how Azure Container Instances fits within an overarching container strategy.
Diagram: automation deploys images from a container registry into a container group on Azure Container Instances.
AZURE CONTAINER INSTANCES SECURITY
Variables
Purpose of Variables
Variables help provide dynamic information to containers (so it doesn’t have to be baked into the image).
Environment Variables
Environment variables can be configured when a container instance is created. They use key-value pairs (e.g., value: "sqlserver1").
Secure Values
When using secure as an environment variable type (secureValue: "******"), this data is only accessible from within the container.
AZURE CONTAINER INSTANCES SECURITY
Container Groups
Purpose
When building an application sidecar for things like logging, monitoring, or when a second attached process is needed.
Hosting
Container group containers are scheduled on the same host machine and share a lifecycle, resources, network, and storage.
Configuration
Can be deployed via ARM or YAML, but only support Linux. Can sit behind a public IP with optional exposed ports.
Azure Kubernetes Service Security
LESSON BREAKDOWN: General Guidelines
AZURE KUBERNETES SERVICE SECURITY
General Guidelines
Master Security
Microsoft manages master components. You should keep the version up to date when possible and use private clusters if needed.
Node Security
Nodes are Azure VMs that customers manage/maintain. Linux patching is scheduled nightly. Windows patching must be configured.
Kubernetes Secrets
Prevents secret information from being stored in the YAML manifest. Instead, the data is provided through the Kubernetes API to a Pod.
Diagram: control plane, nodes/node pools and pods within a virtual network, with a management VM.
AKS Cluster Identities
Identities are used to create resources and interact with others (e.g., ACR).
Kubernetes RBAC
Granular access control for the Kubernetes cluster. Can be integrated with Azure AD.
Managed Identity
Used for Azure AD integration to facilitate the authentication of a user with Azure AD.
Diagram: administrators and AKS apps bound through RBAC bindings to Azure AD; the cluster identity reaches the container registry and other Azure resources.
AZURE KUBERNETES SERVICE SECURITY
AKS-Managed Azure AD
The resource provider manages all required apps for Azure AD integration.
Section Conclusion
SECTION CONCLUSION: SECURING APPLICATION HOSTING
When securing an app running in Azure App Service, it’s important to understand how the service is operated (users, internet, VNet Integration, Hybrid Connections).
When securing function apps in Azure, it’s important to understand how the service is operated (users, internet, VNet Integration, Hybrid Connections).
Azure Functions
Configuring SSL/TLS
Leveraging Certificates with Code
To load certificates, you must configure: WEBSITE_LOAD_CERTIFICATES = <comma-separated-certificate-thumbprints>.
Enforcing HTTPS
You can redirect all HTTP requests to the HTTPS port by configuring HTTPS Only.
SECTION CONCLUSION: SECURING APPLICATION HOSTING
Host Keys
Can be used to access any function within the function app. A master key also exists for full administrative access.
Function Keys
Function keys provide access for a given function only. They take precedence over host keys if both are named the same.
Key Rotation
Keys can be rotated manually by creating multiple keys for app/client use and renewing key values as required.
SECTION CONCLUSION: SECURING APPLICATION HOSTING
Hosting
Normal deployment uses multi-tenant hypervisors (virtual machines). Dedicated Hosts can be used for further isolation.
Network
An App Service Environment (ASE) is deployed to an ASE subnet within a customer’s virtual network. Apps can communicate through the VNet.
Accessibility
Can be accessed publicly (external ASE) with public DNS, or privately (internal ASE) with private DNS zones.
Diagram: App Service Plan(s) inside the App Service Environment within a virtual network, exposed via an ILB or a public IP.
Admin Account
Disabled by default, an admin account includes two access keys that provide full unfettered access to a registry (~$ docker push image / ~$ docker pull image).
Azure AD (RBAC)
Azure AD identities (e.g., service principals) can be provided access to ACR (e.g., using the roles AcrPush or AcrPull).
Premium Features
The Premium SKU supports dedicated endpoints, private endpoints, network rules, and content trust.
SECTION CONCLUSION: SECURING APPLICATION HOSTING
Container Groups
Container group containers are scheduled on the same host machine and share a lifecycle, resources, network, and storage.
Variables
Variables help provide dynamic information to containers (e.g., value: "sqlserver1"). Secure variables (secureValue: "******") ensure data is only available from within a container.
SECTION CONCLUSION: SECURING APPLICATION HOSTING
AD Integration
AKS-managed AD integration requires an administrator group, but it manages the group and Azure AD authentication apps for you.
SECTION INTRODUCTION: SECURING STORAGE
Storage Account Access Control
LESSON BREAKDOWN: Security Recap; Overview; Demonstration
STORAGE ACCOUNT ACCESS CONTROL
Security Overview
Let’s take a high-level look at how access can be controlled for storage accounts.
Diagram: a storage account's Blobs, Files, Tables and Queues (e.g., saname.queue.core.windows.net) reached from the internet by end users through the storage firewall, either anonymously or with access keys.
Access keys provide administrative access to an entire storage account. Microsoft recommends these are only used for administrative purposes.
STORAGE ACCOUNT ACCESS CONTROL
Shared access signatures (SAS) are like a token that can be used to provide granular access to resources within a storage account. Access is provided to whoever or whatever has the token.
Diagram: a SAS presented to the storage account's management layer.
STORAGE ACCOUNT ACCESS CONTROL
Azure Storage supports Azure AD identity-based access control through measures such as RBAC, which we will discuss separately.
STORAGE ACCOUNT ACCESS CONTROL
Access Keys
Key Rotation
Access keys can be regenerated, revoking all access granted by the key (including any associated SAS).
STORAGE ACCOUNT ACCESS CONTROL
Account SAS
Provides access to resources in one or more services within a storage account.
Service SAS
Provides access to resources within a single service (e.g., Blob or Files).
Stored Access Policies
Provide greater control over a service SAS, which is otherwise very difficult to control once it has been created.
Diagram: users, apps, devices, etc. present an account SAS or a service SAS (the latter optionally governed by a stored access policy on the Blob service).
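The behaviour behind the SAS, key rotation and stored access policy slides above, as an added Python example that is not part of the study guide: a service SAS is an HMAC over a canonical string keyed by an account access key, so regenerating the key invalidates every SAS signed with it, while a stored access policy lets a SAS be revoked or tightened without touching the key. The string-to-sign layout follows the documented Blob service SAS format for API version 2020-12-06; the account name (taken from the slide's hostname), key values, policy and blob path are constructed sample values.

```python
"""Added example (not from the study guide): how a Blob service SAS is bound
to a storage account access key, why regenerating that key revokes every
SAS signed with it, and how a stored access policy lets a SAS be revoked
without rotating the key. The string-to-sign layout follows the documented
service SAS format for API version 2020-12-06; the account name, key
values, policy and blob path are constructed sample values."""
import base64
import hashlib
import hmac
import secrets

API_VERSION = "2020-12-06"
ACCOUNT = "saname"  # constructed; matches the slide's example hostname

# Constructed sample keys (a real key is 64 random bytes, base64-encoded).
KEY_V1 = base64.b64encode(b"sample-account-key1-not-a-real-secret").decode()
KEY_V2 = base64.b64encode(b"sample-account-key2-not-a-real-secret").decode()


def regenerate_key():
    """Models 'Regenerate key1' in the portal: a fresh random key value."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


def string_to_sign(container, blob, permissions, start, expiry, identifier=""):
    """Canonical string for a Blob service SAS. Every field is covered by the
    signature, so altering any query parameter invalidates the token."""
    fields = [
        permissions,                            # sp (empty when a policy supplies it)
        start,                                  # st
        expiry,                                 # se
        f"/blob/{ACCOUNT}/{container}/{blob}",  # canonicalized resource
        identifier,                             # si: stored access policy name
        "",                                     # sip: allowed IP range
        "https",                                # spr: protocol
        API_VERSION,                            # sv
        "b",                                    # sr: signed resource (blob)
        "",                                     # signed snapshot time
        "",                                     # signed encryption scope
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct
    ]
    return "\n".join(fields)


def sign(account_key_b64, sts):
    """HMAC-SHA256 over the string-to-sign with the base64-decoded key."""
    mac = hmac.new(base64.b64decode(account_key_b64), sts.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_sas(account_key_b64, container, blob, permissions, start, expiry):
    """Ad-hoc service SAS: permissions and lifetime travel inside the token."""
    sts = string_to_sign(container, blob, permissions, start, expiry)
    return {"sv": API_VERSION, "sr": "b", "spr": "https", "sp": permissions,
            "st": start, "se": expiry, "sig": sign(account_key_b64, sts)}


def build_policy_sas(account_key_b64, container, blob, policy_name):
    """SAS tied to a stored access policy: the token carries only the policy
    name; permissions and lifetime are read from the policy at request time."""
    sts = string_to_sign(container, blob, "", "", "", identifier=policy_name)
    return {"sv": API_VERSION, "sr": "b", "spr": "https", "si": policy_name,
            "sig": sign(account_key_b64, sts)}


def authorize(account_keys, policies, container, blob, sas, now):
    """Model of the service-side check. Returns the effective permission
    string, or None when the SAS is rejected. account_keys holds the two
    *current* key values; policies maps policy name -> {sp, st, se}."""
    if sas.get("si"):
        policy = policies.get(sas["si"])
        if policy is None:
            return None  # policy deleted: SAS revoked without any key rotation
        sts = string_to_sign(container, blob, "", "", "", identifier=sas["si"])
        perms, start, expiry = policy["sp"], policy["st"], policy["se"]
    else:
        sts = string_to_sign(container, blob, sas["sp"], sas["st"], sas["se"])
        perms, start, expiry = sas["sp"], sas["st"], sas["se"]
    if not (start <= now < expiry):  # ISO-8601 UTC strings compare lexically
        return None
    # Recompute with each current key; a SAS signed with a key that has since
    # been regenerated matches neither key and is rejected.
    if not any(hmac.compare_digest(sign(k, sts), sas["sig"])
               for k in account_keys.values()):
        return None
    return perms
```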
Azure Storage with Azure AD Authentication
LESSON BREAKDOWN: Authentication; Demonstration
AZURE STORAGE WITH AZURE AD AUTHENTICATION
Role-based access control (RBAC) can be used to control access to both the management and data layer (e.g., the Storage Blob Data Owner role for end users).
AZURE STORAGE WITH AZURE AD AUTHENTICATION
A user delegation SAS is just like a normal SAS. However, instead of being created with a storage account access key, it is associated with an Azure AD identity.
Diagram: a user delegation SAS presented to the storage account, compared with a service SAS.
Azure Files with Azure AD DS Authentication
LESSON BREAKDOWN: Recap; Architecture; Demonstration
Fully Managed File-Level Sharing
Provides traditional on-premises-like file sharing functionality with a true folder hierarchy.
For SMB access to Azure file shares, Azure AD identities can be used for authentication and authorization. This type of access control is for SMB access from domain-joined devices.
Diagram: domain-joined devices access the share over SMB; identities sync to Azure AD; the management layer handles access control.
Key Rotation
Access keys can be regenerated, revoking all access granted by the key (including any associated SAS).
SECTION CONCLUSION: SECURING STORAGE
Account SAS
Provides access to resources within one or more services in a storage account.
Service SAS
Provides access to resources within a single service (e.g., Blob or Files).
Role-based access control (RBAC) can be used to control access to both the management and data layer (e.g., the Storage Blob Data Owner role for end users).
SECTION CONCLUSION: SECURING STORAGE
A user delegation SAS is just like a normal SAS. However, instead of being created with a storage account access key, it is associated with an Azure AD identity.
SECTION CONCLUSION: SECURING STORAGE
For SMB access to Azure file shares, Azure AD identities can be used for authentication and authorization. This type of access control is for SMB access from domain-joined devices.
Diagram: domain-joined devices access the share over SMB; identities sync to Azure AD.
Authentication
Network Security
Data Auditing
James Lee
Training Architect
SECTION INTRODUCTION: SECURING DATA
Overview
Demonstration
James Lee
Training Architect
AZURE SQL AUTHENTICATION
Let’s take a high-level look at how access can be controlled for Azure SQL.
(Diagram: end users connect to the database engine on the logical server sqlserver1, here with the SQL login adm.sql.)
AZURE SQL AUTHENTICATION
To authenticate with Azure AD identities, we need to associate them with SQL logins or database users.
(Diagram: Azure Active Directory users and groups are mapped either to a SQL login in the master database or to a DB user in a specific database such as productsdb; end users then connect to Azure SQL Database or Azure SQL Managed Instance.)
AZURE SQL AUTHENTICATION
Read Permissions
For managed instances, be aware that a Global Administrator must also configure read permissions to your Azure AD tenant.
-- Windows logins
CREATE LOGIN <domain\loginname> FROM WINDOWS
-- Azure AD logins created using an AAD-based login
CREATE LOGIN <AAD_Username> FROM EXTERNAL PROVIDER
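As an added example (not from the course), the following script wires an Azure AD group up as the server administrator and then maps a second Azure AD group to a least-privilege database user with the T-SQL shown above. It assumes Az.Accounts, Az.Sql, Az.Resources and a recent SqlServer module (Invoke-Sqlcmd with -AccessToken); the resource group, group names and database are placeholders, and sqlserver1/productsdb are taken from the slides.

```powershell
# Added example, not from the course. Group names and resource group are placeholders.
$rg          = 'rg-placeholder'
$server      = 'sqlserver1'      # logical server name from the slides
$db          = 'productsdb'
$adminGroup  = 'SQL Admins'      # placeholder Azure AD group (display name)
$readerGroup = 'App Readers'     # placeholder Azure AD group (display name)

# 1. Make an Azure AD *group* the server's Azure AD administrator. Using a group
#    (rather than one person) keeps admin access reviewable and survives staff changes.
$grp = Get-AzADGroup -DisplayName $adminGroup
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $server `
    -DisplayName $adminGroup -ObjectId ([guid]$grp.Id)

# 2. Connect as a member of that admin group using an Azure AD access token.
#    No SQL password is created or stored.
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token
$instance = "$server.database.windows.net"

# 3. Create a contained database user from the external provider (Azure AD) and
#    grant only read access. For a group, the name is its display name.
$tsql = @"
CREATE USER [$readerGroup] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$readerGroup];
"@
Invoke-Sqlcmd -ServerInstance $instance -Database $db -AccessToken $token -Query $tsql

# 4. Verify: the principal should show EXTERNAL_GROUP / EXTERNAL authentication.
Invoke-Sqlcmd -ServerInstance $instance -Database $db -AccessToken $token -Query @"
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = '$readerGroup';
"@
```

For a managed instance the same T-SQL applies, but, as the slide notes, the instance's identity must first be granted read permissions on the tenant by a Global Administrator, otherwise CREATE USER ... FROM EXTERNAL PROVIDER fails to resolve the group.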
Azure SQL Database Encryption
LESSON BREAKDOWN
Overview
Configuration
Demonstration
AZURE SQL DATABASE ENCRYPTION
Encryption Overview
Let’s take a high-level look at how Azure SQL Database can be encrypted.
Encryption at Rest
The whole database (e.g., paymentsdb, including its CreditCard column) is encrypted at rest using Transparent Data Encryption (TDE). TDE is transparent to the database administrator and to applications.
Always Encrypted
Individual sensitive columns (e.g., CreditCard in the payments database) are encrypted on the client side, so the database administrator sees only ciphertext.
Application Client
To access encrypted column data in plaintext, an application must use an Always Encrypted-enabled client driver with access to the key storage.
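The following added example (not from the course) provisions Always Encrypted for the CreditCard column with the SqlServer PowerShell module, keeping the column master key in Azure Key Vault. It assumes the SqlServer module, an existing Key Vault key on which the caller has wrap/unwrap rights, a table dbo.Payments in the payments database, and that the connection string's Azure AD interactive authentication is supported by the installed SqlClient; all names and the key URL are placeholders.

```powershell
# Added example, not from the course. Server, database, table and key URL are placeholders.
Import-Module SqlServer

$serverName = 'sqlserver1.database.windows.net'
$dbName     = 'payments'
$keyUrl     = 'https://kv-placeholder.vault.azure.net/keys/cmk-payments/<version>'  # placeholder

# Let the SqlServer cmdlets reach Key Vault with an Azure AD sign-in.
Add-SqlAzureAuthenticationContext -Interactive

# Assumption: the installed SqlClient supports "Authentication=Active Directory Interactive".
$connStr  = "Server=$serverName;Database=$dbName;Authentication=Active Directory Interactive"
$database = Get-SqlDatabase -ConnectionString $connStr

# 1. Column master key (CMK): only metadata pointing at the Key Vault key is stored
#    in the database. The key material never leaves the vault.
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyUrl $keyUrl
New-SqlColumnMasterKey -Name 'CMK_Payments' -InputObject $database -ColumnMasterKeySettings $cmkSettings

# 2. Column encryption key (CEK): generated locally, wrapped by the CMK in Key Vault,
#    and stored in the database only in wrapped form.
New-SqlColumnEncryptionKey -Name 'CEK_Payments' -InputObject $database -ColumnMasterKey 'CMK_Payments'

# 3. Encrypt the column. Randomized is the stronger choice for data you never filter
#    or join on; Deterministic would allow equality lookups at the cost of leaking equality.
$settings = @(
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Payments.CreditCard' `
        -EncryptionType 'Randomized' -EncryptionKey 'CEK_Payments'
)
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $settings -LogFileDirectory .
```

After this, a client that needs plaintext must connect with Column Encryption Setting=Enabled and be able to unwrap the CEK through Key Vault; a database administrator querying the column without that setting, or without Key Vault rights, sees only ciphertext, which is the separation the slide describes.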
Dynamic Masking for SQL on Azure
LESSON BREAKDOWN
Overview
Configuration
Demonstration
DYNAMIC MASKING FOR SQL ON AZURE
Overview
Dynamic masking helps to hide information that might be sensitive, without changing or encrypting it.
Database: payments
ID   Name     CreditCard
156  Freddy   764893112
445  Jessica  766713445
(Diagram: the application user sees the CreditCard values masked; the stored data is unchanged.)
Masking Data
Masking rules specify which columns should be masked, and with what mask function (precisely how the text will be changed).
Masking Rule
Column: CreditCard
Function: Credit Card Mask
Applicable Users
SQL Database users can be excluded from having data masking applied (administrators are always excluded).
Important Note
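As an added example (not from the course), the following configures the masking rule and the applicable-users policy from this lesson with Az.Sql. It assumes a table dbo.Customers holding the ID/Name/CreditCard columns from the slide, a SQL user named fraud_analyst to exempt, and placeholder resource-group and server names.

```powershell
# Added example, not from the course. Resource group, table and user names are placeholders.
$rg = 'rg-placeholder'; $server = 'sqlserver1'; $db = 'payments'

# Masking rule 1: which column, and which mask function.
# CreditCardNumber leaves only the last four digits visible, e.g. xxxx-xxxx-xxxx-3445.
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -SchemaName 'dbo' -TableName 'Customers' -ColumnName 'CreditCard' `
    -MaskingFunction CreditCardNumber

# Masking rule 2: a custom text mask that keeps no leading and two trailing characters.
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -SchemaName 'dbo' -TableName 'Customers' -ColumnName 'Name' `
    -MaskingFunction Text -PrefixSize 0 -SuffixSize 2 -ReplacementString 'X'

# Applicable users: enable the policy and list SQL users who should see unmasked data
# (semicolon-separated). Server administrators are always exempt, so do not expect
# masking to hide anything from them.
Set-AzSqlDatabaseDataMaskingPolicy -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -DataMaskingState Enabled -PrivilegedUsers 'fraud_analyst'

# Review the rules now in force.
Get-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Select-Object SchemaName, TableName, ColumnName, MaskingFunction
```

Masking is a presentation control, not a cryptographic one: the stored values are unchanged, and a non-exempt user who can run ad-hoc queries can still narrow values down by filtering on the masked column. Pair it with least-privilege grants and use Always Encrypted where the data itself must be protected.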
NETWORK ISOLATION FOR DATA SOLUTIONS
Most data platforms within Azure support network-level access control through a resource firewall (e.g., an end user reaching an Azure SQL database or a Cosmos DB collection must first pass the service's firewall rules).
Most data platforms within Azure support network isolation from within a virtual network, leveraging features such as service endpoints and Private Link.
(Diagram: a virtual network with subnet1 and subnet2. One subnet reaches Azure SQL Database through a service endpoint over the Microsoft backbone; the other reaches a Cosmos DB collection through a private endpoint that has a private IP address, 10.1.1.4, inside the virtual network.)
Many data platforms in Azure are multi-tenant, but often provide some form of network isolation (e.g., a Synapse Analytics workspace with a managed VNet, or an Azure SQL Managed Instance deployed into a virtual network).
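The following added example (not from the course) applies the three controls described above to an Azure SQL logical server with Az.Sql and Az.Network: a resource firewall rule, a virtual network rule backed by a service endpoint, and disabling public access once a private endpoint is in place. The resource group, virtual network, subnet and IP range are placeholders.

```powershell
# Added example, not from the course. Resource group, VNet, subnet and IP range are placeholders.
$rg = 'rg-placeholder'; $server = 'sqlserver1'

# 1. Resource firewall: allow only a known office range at the server level.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
    -FirewallRuleName 'office1' -StartIpAddress '203.0.113.10' -EndIpAddress '203.0.113.20'
# Leave the "Allow Azure services" rule (the special 0.0.0.0-0.0.0.0 range) off unless
# you need it: it admits traffic from any Azure tenant, not just yours.

# 2. Service endpoint: enable Microsoft.Sql on subnet1, then trust the subnet itself
#    rather than a public IP. Traffic stays on the Microsoft backbone.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet1'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1' `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Sql' |
    Set-AzVirtualNetwork | Out-Null
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName 'subnet1-rule' -VirtualNetworkSubnetId $subnet.Id

# 3. Private Link: once a private endpoint for the server exists (created with
#    New-AzPrivateEndpoint against group id "sqlServer"), public access can be closed
#    entirely, which makes the firewall and VNet rules above irrelevant to attackers.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -PublicNetworkAccess 'Disabled'

# Check the resulting posture.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server
```

Order matters in practice: verify that application traffic arrives through the private endpoint before setting PublicNetworkAccess to Disabled, or the change becomes an outage rather than a hardening step.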
Database Auditing
LESSON BREAKDOWN
Overview
Configuration
Demonstration
DATABASE AUDITING
Overview
(Diagram: an end user and an administrator access the payments database in a resource group; auditing records the database events, e.g., access to the CreditCard data below.)
ID   Name     CreditCard
156  Freddy   764893112
445  Jessica  766713445
Configuration
Server Auditing
Auditing configured at the server level will apply to all existing and new databases within the server (in addition to database auditing).
Database Auditing
Auditing configured on the database level can be in addition to server auditing (if both are configured, both will exist side by side).
Audit Destination
Auditing events can be recorded to the following:
• Storage
• Log Analytics
• Event Hubs
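As an added example (not from the course), the following enables server-level auditing with Az.Sql to all three destinations listed above, and adds a narrower database-level audit alongside it. The resource IDs, event hub name and audit predicate are placeholders; sqlserver1 and payments are from the slides.

```powershell
# Added example, not from the course. Resource IDs and names are placeholders.
$rg = 'rg-placeholder'; $server = 'sqlserver1'
$storageId   = '/subscriptions/<sub>/resourceGroups/rg-placeholder/providers/Microsoft.Storage/storageAccounts/stgaudit'
$workspaceId = '/subscriptions/<sub>/resourceGroups/rg-placeholder/providers/Microsoft.OperationalInsights/workspaces/law-sec'
$hubRuleId   = '/subscriptions/<sub>/resourceGroups/rg-placeholder/providers/Microsoft.EventHub/namespaces/ehns-sec/authorizationRules/RootManageSharedAccessKey'

# Server auditing: applies to every existing and future database on the server.
# Storage keeps a long-term immutable-style record, Log Analytics is where you
# query and alert, Event Hubs feeds an external SIEM.
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $storageId -RetentionInDays 90 `
    -LogAnalyticsTargetState Enabled -WorkspaceResourceId $workspaceId `
    -EventHubTargetState Enabled -EventHubName 'sql-audit' -EventHubAuthorizationRuleResourceId $hubRuleId `
    -AuditActionGroup SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP

# Database auditing: runs side by side with the server audit. Use it when one
# database needs something extra, here a predicate limited to the Customers table.
Set-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $server -DatabaseName 'payments' `
    -LogAnalyticsTargetState Enabled -WorkspaceResourceId $workspaceId `
    -PredicateExpression "object_name = 'Customers'"

# Verify both levels are on.
Get-AzSqlServerAudit   -ResourceGroupName $rg -ServerName $server
Get-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $server -DatabaseName 'payments'
```

Because both audits exist side by side, the Customers events above will appear twice (once per audit); keep the database-level audit for genuinely different needs rather than duplicating the server configuration.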
SECTION CONCLUSION: SECURING DATA
Read Permissions
For managed instances, be aware that a Global Administrator must also configure read permissions for your Azure AD tenant.
-- Windows logins
CREATE LOGIN <domain\loginname> FROM WINDOWS
-- Azure AD logins created using an AAD-based login
CREATE LOGIN <AAD_Username> FROM EXTERNAL PROVIDER
Always Encrypted
Application Client
To access encrypted column data in plaintext, an application must use an Always Encrypted-enabled client driver with access to the key storage.
Masking Data
ID   Name     CreditCard
156  Freddy   764893112
445  Jessica  766713445
Masking rules specify which columns should be masked, and with what mask function (precisely how the text will be changed).
Masking Rule
Column: CreditCard
Function: Credit Card Mask
Applicable Users
SQL Database users can be excluded from having data masking applied (administrators are always excluded).
Important Note
Network Isolation
Many data platforms in Azure are multi-tenant, but they often provide some form of network isolation (e.g., a Synapse Analytics workspace with a managed VNet, or an Azure SQL Managed Instance in a virtual network).
Database Auditing
Auditing configured on the database level can be in addition to server auditing (if both are configured, both will exist side by side).
Audit Destination
Auditing events can be recorded to the following:
• Storage
• Log Analytics
• Event Hubs
SECTION INTRODUCTION: SECURITY POLICIES AND STANDARDS
Policies
Resource Protection
LESSON BREAKDOWN
Overview
Demonstration
AZURE POLICY
Overview
Azure Policy is a versatile service that helps organizations implement and monitor standards.
Configuration
Conditions
Conditions help to define standards (e.g., require a tag and value).
Effects
Trigger an effect if the condition is met (e.g., block the operation (Deny), or report if an item is missing (AuditIfNotExist)). Effect families shown: Block, Audit, Modify.
A condition paired with an effect makes up a policy definition.
Assignment
Policies must be assigned to a scope. This can include a resource, resource group, subscription, or management group.
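The following added example (not from the course) builds the condition/effect/assignment chain from this lesson end to end with Az.Resources and Az.PolicyInsights: a custom definition whose condition is "the resource has no tag named X", whose effect is parameterized between Audit and Deny, assigned at resource-group scope and then checked for compliance. The definition and assignment names and the tag name are placeholders; pubweb1-rg is from the slides.

```powershell
# Added example, not from the course. Definition/assignment names and the tag are placeholders.

# Condition + effect = policy definition. The rule is plain ARM policy JSON.
$rule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
'@
$params = @'
{
  "tagName": { "type": "String", "metadata": { "displayName": "Tag name" } },
  "effect":  { "type": "String", "allowedValues": [ "Audit", "Deny" ], "defaultValue": "Audit" }
}
'@
$def = New-AzPolicyDefinition -Name 'require-tag' -DisplayName 'Require a tag on resources' `
    -Policy $rule -Parameter $params -Mode Indexed

# Assignment to a scope (here a resource group). Start in Audit to measure the blast
# radius; switch the parameter to Deny once existing resources are compliant.
$scope = (Get-AzResourceGroup -Name 'pubweb1-rg').ResourceId
New-AzPolicyAssignment -Name 'require-env-tag' -Scope $scope -PolicyDefinition $def `
    -PolicyParameterObject @{ tagName = 'env'; effect = 'Audit' }

# Compliance data is produced by periodic evaluation; force a run, then list what the
# assignment flags as non-compliant.
Start-AzPolicyComplianceScan -ResourceGroupName 'pubweb1-rg'
Get-AzPolicyState -ResourceGroupName 'pubweb1-rg' -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyAssignmentName, ComplianceState
```

Deny only stops new or updated resources that violate the condition; it never touches what already exists, which is why the Audit-first rollout above is worth the extra step.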
Resource Locks
LESSON BREAKDOWN
Purpose
Demonstration
RESOURCE LOCKS
Purpose
(Diagram: an Azure subscription with the resource groups corenet-rg, pubweb1-rg, and secapp1-rg, worked on by the helpdesk team, network engineers, and automation; locks protect critical resources from accidental deletion or modification by any of them.)
Lock Levels
CanNotDelete
ReadOnly
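As an added example (not from the course), the following applies both lock levels with Az.Resources: CanNotDelete on the core network resource group from the slide, and ReadOnly on a single web app, whose name is a placeholder.

```powershell
# Added example, not from the course. The web app name 'pubweb1' is a placeholder.

# CanNotDelete on the whole resource group: network engineers can still change
# what is inside corenet-rg, but nothing in it can be deleted while the lock exists.
New-AzResourceLock -LockName 'no-delete' -LockLevel CanNotDelete -ResourceGroupName 'corenet-rg' `
    -LockNotes 'Core network; removal requires an approved change record' -Force

# ReadOnly on one resource: every write (scaling, config, deletion) is refused.
# Use it for freezes, since it also blocks legitimate changes.
New-AzResourceLock -LockName 'freeze' -LockLevel ReadOnly -ResourceGroupName 'pubweb1-rg' `
    -ResourceName 'pubweb1' -ResourceType 'Microsoft.Web/sites' -Force

# Locks are inherited by child resources and apply regardless of RBAC role: even an
# Owner must remove the lock first, and only roles holding Microsoft.Authorization/locks/*
# (e.g., Owner, User Access Administrator) can do that.
Get-AzResourceLock -ResourceGroupName 'corenet-rg' | Select-Object Name, Properties
```

Lock deletions are written to the activity log as Microsoft.Authorization/locks/delete operations, which makes them a useful thing to alert on.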
Azure Blueprints
LESSON BREAKDOWN
Purpose
Configuration
Demonstration
AZURE BLUEPRINTS
Purpose
(Diagram: a standard office deployment consisting of resource groups such as office1-net-rg and office1-itmgmt-rg, with access for the network engineers and the helpdesk engineers, repeated consistently for each office.)
Implementing Blueprints
Blueprint Definition
The definition describes the solution you wish to deploy/manage. It is made up of ARM templates, policies, RBAC, and resource groups.
Assignment
Deploying a solution using a blueprint creates an assignment at a scope. This provides an audit trail of how/when the solution was deployed.
SECTION CONCLUSION: SECURITY POLICIES AND STANDARDS
Azure Policy
Conditions
Conditions help to define standards (e.g., require a tag and value).
Effects
Trigger an effect if the condition is met (e.g., block the operation (Deny), or report if an item is missing (AuditIfNotExist)). Effect families shown: Block, Audit, Modify.
Assignment
Policies must be assigned to a scope. This can include a resource, resource group, subscription, or management group.
Resource Locks
CanNotDelete
ReadOnly
Azure Blueprints
Blueprint Definition
The definition describes the solution you wish to deploy/manage. It is made up of ARM templates, policies, RBAC, and resource groups.
Assignment
Deploying a solution using a blueprint creates an assignment at a scope. This provides an audit trail of how/when the solution was deployed.
SECTION INTRODUCTION: THREAT PROTECTION IN AZURE
Azure Defender
Vulnerability Assessment
Defending the Environment
Securing Applications: securing the solutions we build.
Azure Security Center Overview
LESSON BREAKDOWN
Overview
Azure Defender
Demonstration
AZURE SECURITY CENTER OVERVIEW
Overview
A central management interface for understanding the security posture of your environment.
(Diagram: a secure score of 83% with recommendations such as "Enable MFA" and findings for servers.)
Azure Defender
Comparison
Azure Defender is part of the Azure Security Center ecosystem, but it has a different focus.
Security Center: free service; basic functionality available at no extra cost.
Defender: subscription-based; enabled for additional cost on a per-service basis.
Azure Security Center Policy Management
LESSON BREAKDOWN
Management
Demonstration
AZURE SECURITY CENTER POLICY MANAGEMENT
Recommendations compare your environment against standards defined in an Azure Policy initiative.
(Diagram: within the Azure subscription, Security Center lets you view/edit the default initiative and add/edit custom initiatives that apply to resource groups such as corenet-rg and pubweb1-rg.)
Add the Initiative to a Security Policy
The initiative must be assigned to a management group or subscription (i.e., somewhere in the subscription hierarchy) to take effect.
Azure Defender for SQL
LESSON BREAKDOWN
Overview
Vulnerability Assessment
AZURE DEFENDER FOR SQL
Key Features
Vulnerability Assessment
Scans are configured at the server level (in the SQL server's vulnerability assessment settings), including the storage account and email address for scan reports.
Baseline
Vulnerability assessment findings can be marked as baseline if this is considered an acceptable occurrence within your environment.
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN
Overview
Azure Defender Agent Configuration
James Lee
Training Architect
AZURE DEFENDER FOR SERVERS
Key Features
Agent Configuration
Azure Subscription
Microsoft Threat Modeling
Tool
James Lee
TRAINING ARCHITECT
LESSON BREAKDOWN
James Lee
Training Architect
MICROSOFT THREAT MODELING TOOL
Denial of
Spoofing Tampering Repudiation
Security Service
Engineers
Project
Management
Software
Developers CAPSECCO Web App
MICROSOFT THREAT MODELING TOOL
MANAGE ANALYZE
Suggest and Analyze the design
manage mitigations of solutions for
for security issues. security issues.
SECTION CONCLUSION: THREAT PROTECTION
Comparison
Azure Defender is part of the Azure Security Center ecosystem, but it has a different focus.
Security Center: free service; basic functionality available at no extra cost.
Defender: subscription-based; enabled for additional cost on a per-service basis.
Policy Management
Recommendations compare your environment against standards defined in an Azure Policy initiative. Custom initiatives can be added/edited at the subscription and apply to resource groups such as corenet-rg and pubweb1-rg.
Threat Modeling Tool
MANAGE: Suggest and manage mitigations for security issues.
ANALYZE: Analyze the design of solutions for security issues.
SECTION INTRODUCTION: MONITORING SECURITY WITH AZURE MONITOR
Azure Monitor Overview
LESSON BREAKDOWN
Overview
Key Monitoring Capabilities
Demonstration
AZURE MONITOR OVERVIEW
Logging and Retention
LESSON BREAKDOWN
Overview
Monitoring Sources
Diagnostic Settings
Retention
Demonstration
LOGGING AND RETENTION
Overview
(Diagram: a security engineer uses monitoring tools to collect metrics and logs from resources in pubweb1-rg and monitor-rg within the Azure subscription.)
Diagnostic Settings
Platform Monitoring
Route data for the following:
• Platform metrics
• Logs
(Diagram: data flows from resources and from the agent through a diagnostic setting to its destination.)
Data Categories
Depending on the data type being collected, there may be multiple categories available for the platform item (e.g., StorageRead for a storage account).
Destination
• Storage account (retain and analyze)
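The following added example (not from the course) creates a diagnostic setting for a storage account's blob service that routes the StorageRead category from the slide, together with its siblings and the transaction metrics, to both a Log Analytics workspace and an archive storage account. It assumes Az.Monitor 2.x (Set-AzDiagnosticSetting); resource IDs and names are placeholders, and pubweb1-rg/monitor-rg are from the slides.

```powershell
# Added example, not from the course. Resource IDs and names are placeholders.
$blobService = '/subscriptions/<sub>/resourceGroups/pubweb1-rg/providers/Microsoft.Storage/storageAccounts/stgweb1/blobServices/default'
$workspaceId = '/subscriptions/<sub>/resourceGroups/monitor-rg/providers/Microsoft.OperationalInsights/workspaces/law-sec'
$archiveId   = '/subscriptions/<sub>/resourceGroups/monitor-rg/providers/Microsoft.Storage/storageAccounts/stgarchive'

# Categories are specific to the resource type. Ask the platform what this resource
# offers before guessing; for blob storage the log categories are StorageRead,
# StorageWrite and StorageDelete, and the metric category is Transaction.
Get-AzDiagnosticSettingCategory -ResourceId $blobService | Select-Object Name, CategoryType

# One setting, two destinations:
#  - the workspace is where you query and alert on the data;
#  - the archive account is for long retention (365 days here) at low cost.
Set-AzDiagnosticSetting -ResourceId $blobService -Name 'security-logs' `
    -Category StorageRead, StorageWrite, StorageDelete `
    -MetricCategory Transaction `
    -Enabled $true `
    -WorkspaceId $workspaceId `
    -StorageAccountId $archiveId `
    -RetentionEnabled $true -RetentionInDays 365

# Confirm what is routed where.
Get-AzDiagnosticSetting -ResourceId $blobService | Select-Object Name, WorkspaceId, StorageAccountId
```

Routing the read category is what makes unexpected data access visible; write and delete categories are the ones that matter for tampering and destruction, so all three are enabled together here.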
Azure Monitor Logs
LESSON BREAKDOWN
Overview
Architecture
AZURE MONITOR LOGS
Overview
Azure Monitor Logs (also known as Log Analytics):
• Handles a variety of monitoring data types and data sources. This includes Azure, on-premises, and other clouds.
• Provides powerful analytics capabilities for querying data. This is provided through the Kusto Query Language.
• Supports many different monitoring solutions, which are prepackaged sets of features for a specific system/solution.
Architecture
Source
Source data typically originates from either:
Analytics
Perform analysis with tools such as:
• Workbooks
Azure Monitor Alerts
LESSON BREAKDOWN
Configuring Alerts
Demonstration
AZURE MONITOR ALERTS
Configuring Alerts
(Diagram: a target resource feeds an alert rule; when the rule fires, an alert is raised.)
When an alert triggers, an alert state will be logged within Azure Monitor. This is based on the severity configured in the alert rule.
SECTION CONCLUSION: MONITORING SECURITY WITH AZURE MONITOR
Platform Monitoring
Route data for the following:
Destination
• Storage account (retain and analyze)
Source
Source data typically originates from either:
Analytics
Perform analysis with tools such as:
• Kusto Query Language (in the workspace)
• Workbooks
Alert Rule
Defines when an alert should occur using:
• Target (e.g., logs)
• Alert condition
Action Group
The action to take place once the alert triggers. Many actions are supported, from email alerts to automation runbooks.
Alert
When an alert triggers, an alert state will be logged within Azure Monitor. This is based on the severity configured in the alert rule.
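As an added example (not from the course) covering the alert lesson and this recap, the following creates a log alert rule whose target is a Log Analytics workspace, whose condition is a KQL query over Azure AD sign-in logs, and whose action is an existing action group. It assumes Az.Monitor 3.x or later (the New-AzScheduledQueryRule and New-AzScheduledQueryRuleConditionObject parameter names used are from that module generation; verify against your installed version), that SigninLogs are already routed to the workspace, and that the action group secops-ag exists; monitor-rg is from the slides, other names are placeholders.

```powershell
# Added example, not from the course. Workspace, action group and rule names are placeholders.
$rg          = 'monitor-rg'
$workspaceId = '/subscriptions/<sub>/resourceGroups/monitor-rg/providers/Microsoft.OperationalInsights/workspaces/law-sec'

# Action group: what happens when the alert fires (email, runbook, ITSM, ...).
# Assumed to exist already; retrieved here rather than created.
$ag = Get-AzActionGroup -ResourceGroupName $rg -Name 'secops-ag'

# Condition: KQL over the target. Fires when any single account accumulates more
# than ten failed sign-ins in the evaluation window (ResultType 0 is success).
$kql = @'
SigninLogs
| where ResultType != "0"
| summarize Failures = count() by UserPrincipalName
| where Failures > 10
'@
$condition = New-AzScheduledQueryRuleConditionObject -Query $kql `
    -TimeAggregation Count -Operator GreaterThan -Threshold 0

# Alert rule = target (workspace) + condition + action group + severity.
# Severity 2 is "Warning"; 0 is the most severe.
New-AzScheduledQueryRule -Name 'failed-signins-burst' -ResourceGroupName $rg -Location 'eastus' `
    -DisplayName 'Burst of failed sign-ins for one account' `
    -Scope $workspaceId -Severity 2 `
    -WindowSize ([TimeSpan]::FromMinutes(15)) `
    -EvaluationFrequency ([TimeSpan]::FromMinutes(5)) `
    -CriterionAllOf $condition `
    -ActionGroupResourceId $ag.Id
```

The window (15 minutes) and frequency (5 minutes) overlap deliberately so a burst is not missed at an evaluation boundary; the trade-off is that one incident can raise the alert more than once, which the alert state in Azure Monitor helps you track.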
SECTION INTRODUCTION: MONITORING SECURITY WITH AZURE SENTINEL
Basic Configuration
Analysis and Alerts
Gathering Data
Learn how to deploy Azure Sentinel and collect security monitoring data.
Azure Sentinel Overview
LESSON BREAKDOWN
Overview
Fundamental Capabilities
AZURE SENTINEL OVERVIEW
Overview
Azure Sentinel is a security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution.
Fundamental Capabilities
Azure Sentinel (SIEM + SOAR): DETECT threats, INVESTIGATE incidents, and RESPOND rapidly, with the help of AI.
Key Features
Workbooks
Integrate with Azure Monitor workbooks for interactive reporting and analysis.
Notebooks
Leverage Azure Machine Learning to extend analytics through Jupyter notebooks.
Azure Sentinel Configuration
LESSON BREAKDOWN
Architecture
Demonstration
AZURE SENTINEL CONFIGURATION
Architecture
Data Sources
Data Ingestion
Data Connectors
We use data connectors to retrieve data. These are created by a variety of providers for a variety of data types.
Azure Sentinel (SIEM/SOAR)
Sentinel’s power is in what we do with the data (e.g., using analytics, workbooks, hunting, automation, or other capabilities).
Azure Sentinel Alerts and Incidents
LESSON BREAKDOWN
Configuring Alerts
Incidents
Demonstration
AZURE SENTINEL ALERTS AND INCIDENTS
Configuring Alerts
Incidents
If an issue is identified by an analytics rule, an incident can be created. Azure Sentinel provides incident management capabilities.
Rule Types
Fusion
Multi-stage attack detection using machine learning. Logic is hidden and not customizable. Only one rule allowed.
Scheduled
Leverages built-in queries written by Microsoft security experts. The rules query data on a scheduled basis.
ML Behavioral
Proprietary Microsoft machine learning-based analytics. Logic is hidden and not customizable. Only one rule allowed.
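The following added example (not from the course) creates a scheduled analytics rule of the kind described above with the Az.SecurityInsights module: it runs a KQL query on a timer and raises an incident when the Azure activity log shows a resource lock being deleted. The cmdlet's Scheduled parameter set is assumed from that module (check the parameter names against your installed version); the workspace name is a placeholder and monitor-rg is from the slides.

```powershell
# Added example, not from the course. Workspace name is a placeholder.
$rg = 'monitor-rg'; $ws = 'law-sec'

# The detection logic: successful deletions of resource locks, with the caller and
# source address carried into the alert so the incident is actionable.
$kql = @'
AzureActivity
| where OperationNameValue =~ "Microsoft.Authorization/locks/delete"
| where ActivityStatusValue in~ ("Success", "Succeeded")
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, _ResourceId
'@

# Scheduled rule: query frequency = how often it runs, query period = how far back
# it looks. Threshold 0 with GreaterThan means "any row creates an alert".
New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws -Scheduled `
    -DisplayName 'Resource lock removed' `
    -Description 'A resource lock was deleted. Verify an approved change record exists.' `
    -Severity Medium -Enabled `
    -Query $kql `
    -QueryFrequency (New-TimeSpan -Minutes 15) `
    -QueryPeriod (New-TimeSpan -Minutes 15) `
    -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -SuppressionDuration (New-TimeSpan -Hours 1) -SuppressionEnabled:$false

# Confirm the rule is present and enabled.
Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws |
    Select-Object DisplayName, Enabled
```

Unlike Fusion and ML Behavioral rules, a scheduled rule's logic is entirely yours, which is why it is the right type for organization-specific controls such as this one.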
SECTION CONCLUSION: MONITORING SECURITY WITH AZURE SENTINEL
Sentinel Overview
Azure Sentinel (SIEM + SOAR): DETECT threats, INVESTIGATE incidents, and RESPOND rapidly, with the help of AI.
Sentinel Architecture
Data Sources
Data Ingestion
Data Connectors
We use data connectors to retrieve data. These are created by a variety of providers for a variety of data types.
Azure Sentinel (SIEM/SOAR)
Sentinel’s power is in what we do with the data. For example, by using analytics, workbooks, hunting, automation, or other capabilities.
Incidents
If an issue is identified by an analytics rule, an incident can be created. Azure Sentinel provides incident management capabilities.
Tips
AZ-500 Microsoft Azure Security Technologies
Review the exam page for important details.
The exam page includes important details like the exam skills outline and scheduling.
Be prepared for different question types.
Microsoft exams include a variety of question types, like multi-choice and drag and drop.
The passing score for AZ-500 is 700.
AZ-500 scores are reported on a scale of 1 to 1,000, and are scaled such that 700 is a pass.
Review the Documentation
Configure and Implement
Review the Course Content
Set a date and schedule your exam.
Remember to take some time to relax.