AZ-500: Azure

Security Engineer
Module 01: Manage identity and access
Module Agenda
 Configure Microsoft Azure Active Directory (Azure AD) Privileged
Identity Management
 Configure and manage Azure Key Vault
 Configure Azure AD for Azure workloads and subscriptions
 Configure security for an Azure subscription
Lesson 1: Configure Azure AD Privileged
Identity Management
Lesson 1 introduction
 Zero Trust model
 Identity Management
 Azure AD Privileged Identity Management (PIM)
 Configure PIM
 Activate a role
 Monitor the status of your requests
 Resource audit history
Zero Trust Model
 The Zero Trust model never assumes trust; every request is
validated continually, regardless of where it originates
 With most users now accessing apps and data from the internet,
most components of a transaction are no longer under organizational
control
 Trust determination components include:
 Identity provider 
 Device directory 
 Policy evaluation service 
 Access proxy 
Implementing a Zero Trust Model
Zero Trust model (cont.)
 Identity as a Service (IDaaS): the new control plane
 Identity acts as a control plane because it determines:
 Which protocols we authenticate with
 Which organizational applications we can access
 Which devices we can use to access them
Identity Management
On-premises Active Directory, Azure AD, or a hybrid combination of
the two all offer services for user and device authentication, identity
and role management, and provisioning
Credentials + privileges = digital identity
Azure AD Privileged Identity Management
Azure AD PIM is a service that enables you to manage, control, and
monitor access to important resources in your organization
 Key features of PIM allow you to:
 Provide just-in-time privileged access to Azure AD and Azure resources
 Assign time-bound access to resources by using start and end dates
 Require approval to activate privileged roles
Azure AD Privileged Identity Management (Cont.)
 Key features of PIM allow you to (continued):
 Enforce multi-factor authentication (MFA) for role activation
 Use justification to understand why users activate roles
 Get notifications when privileged roles are activated
 Conduct access reviews to ensure users still need roles
 Download audit history

To use PIM, you must have one of the following paid or trial licenses:
• Azure AD Premium P2​
• Enterprise Mobility + Security (EMS) E5
Configure PIM
 The first person to use PIM in an
instance of Azure AD is
automatically assigned the Security
Administrator and Privileged Role
Administrator roles in the directory
 Only privileged role administrators
can manage Azure AD directory role
assignments to users
 To start using PIM in your directory,
you must first enable PIM by using
the Azure portal
Activate a role
 With PIM enabled,
access to privileged
operations must be
activated when the
need to perform
privileged actions arises
 You can request
activation by using the
My roles navigation
option in PIM
Activate a role (Cont.)
 If the role does not
require approval, it is
activated and added to
the list of active roles
 After defining PIM
roles, you can start
adding users to those
roles 
Monitor the status of your requests
 You can view the status of
your pending requests to
activate a privileged role
 To manage the request
status, you should:
1. Open Azure AD
Privileged Identity
Management
2. Click My requests
3. Scroll to the right to view
the Request Status
column
Resource audit history
Resource audit allows you to view all role activity for a resource
To perform auditing, you should:
1. Open Azure AD Privileged Identity Management
2. Click Azure resources
3. Click the resource for which you want to view audit history
4. Click Resource audit
5. Filter the history by using a predefined date or custom range
6. For Audit type, select Activate (Assigned + Activated)
7. Under Action, click (activity) for a user to observe that user's
activity detail in Azure resources
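The portal steps above (activate a role, watch the request status, read the audit trail) as a script. This is an added example, not part of the AZ-500 deck; it uses the Microsoft Graph PowerShell SDK for Azure AD directory roles rather than the Azure resource roles shown in the "Resource audit" slide, and it assumes the signed-in user is already eligible for the role in PIM and can consent to the listed Graph scopes. The role name, justification text and activation window are placeholders.

```powershell
# Added example (not from the AZ-500 deck): activate an eligible Azure AD directory role through PIM,
# poll the request, and pull the audit trail, using Microsoft.Graph.Identity.Governance / Microsoft.Graph.Reports.
# Assumes the caller is already *eligible* for the role and has the scopes below.
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.ReadWrite.Directory',
                        'RoleEligibilitySchedule.Read.Directory',
                        'AuditLog.Read.All'

$me          = (Get-MgContext).Account              # UPN of the signed-in user
$principalId = (Get-MgUser -UserId $me).Id

# Resolve the role by display name (placeholder role); the Id is what the request needs.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"

# 1. Confirm the eligibility exists before requesting activation; otherwise the request is rejected.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$principalId' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) {
    throw "Not eligible for $($role.DisplayName); ask a Privileged Role Administrator for an eligible assignment."
}

# 2. Self-activate for a bounded window with a justification. PIM enforces MFA and approval
#    according to the role settings; the script does not get to bypass them.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    principalId      = $principalId
    roleDefinitionId = $role.Id
    directoryScopeId = '/'                      # tenant-wide; an administrative unit id narrows the scope
    justification    = 'INC-0042: rotate compromised service principal credential'   # placeholder
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'AfterDuration'; duration = 'PT2H' }   # ISO 8601 duration: 2 hours
    }
}

# 3. Monitor the request: 'Provisioned' means the role is active, 'PendingApproval' means an approver must act.
do {
    Start-Sleep -Seconds 15
    $status = (Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
        -UnifiedRoleAssignmentScheduleRequestId $request.Id).Status
    Write-Host "Request $($request.Id): $status"
} while ($status -in 'PendingApproval', 'PendingProvisioning')

# 4. Audit: PIM activations land in the directory audit log under the RoleManagement category.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDateTime ge $since" |
    Select-Object ActivityDateTime, ActivityDisplayName,
                  @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } }, Result |
    Sort-Object ActivityDateTime -Descending
```

The eligibility check in step 1 is the piece most scripts skip: a request for a role the principal is not eligible for fails only after the round trip, and in an incident that is time you do not have. Keep the activation window as short as the task allows; the deck's "time-bound" promise only holds if the duration is actually bounded.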
Lesson 2: Configure and Manage Azure Key
Vault
Configure and Manage Secrets in Azure Key Vault
Features of Azure Key Vault:
• Azure Key Vault helps safeguard cryptographic keys and secrets that
cloud applications and services use.
• Key Vault streamlines the key management process and enables you
to maintain control of keys that access and encrypt your data.
• Developers can create keys for development and testing in minutes,
and then migrate them to production keys.
• Security administrators can grant (and revoke) permission to keys, as
needed.
Key Vault Uses
Azure Key Vault helps address the following issues:
• Secrets management. Azure Key Vault can securely store (with
HSMs) and tightly control access to tokens, passwords, certificates,
API keys, and other secrets.
• Key management. Azure Key Vault is a cloud-based key
management solution, making it easier to create and control the
encryption keys used to encrypt your data. Azure services such as
App Service integrate directly with Azure Key Vault and can decrypt
secrets without knowledge of the encryption keys.
Key Vault Uses (Cont.)
Azure Key Vault helps address the following issues:
• Certificate management. Azure Key Vault is also a service that lets
you easily provision, manage, and deploy public and private SSL/TLS
certificates for use with Azure and your internal connected resources.
It can also request and renew TLS certificates through partnerships
with certificate authorities, providing a robust solution for certificate
lifecycle management.

Manage access and permissions to secrets, certificates,
and keys to Key Vault
You control access to a key vault through two interfaces: the
management plane and the data plane
Management plane:
 Operations: create and delete vaults, update access policies,
retrieve vault properties
 Authentication: Azure AD
 Authorization: RBAC
Data plane:
 Operations: view and manage certificates, keys, and secrets
 Authentication: Azure AD
 Authorization: Key Vault access policies (or, on vaults that use the
RBAC permission model, Azure RBAC data-plane roles such as Key Vault
Secrets User)

To access a key vault in either plane, all callers (users or


applications) must have proper authentication and authorization
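The two planes side by side, as an added example that is not part of the deck. It assumes the Az.Resources and Az.KeyVault modules, a resource group and vault name that are placeholders (the vault name must be globally unique), an operator's UPN and an application's service principal object id, both placeholders. The operator gets a management-plane role only; the application gets a minimal data-plane access policy only.

```powershell
# Added example (not from the deck): management-plane RBAC for a human, data-plane access policy for an app.
# All names and ids below are placeholders.
$rg          = 'rg-security'
$vault       = 'kv-contoso-prod'                          # must be globally unique
$operatorUpn = 'alice@contoso.com'
$appObjectId = '00000000-0000-0000-0000-000000000000'      # service principal object id

# Purge protection stops a compromised Contributor from permanently destroying keys.
$kv = New-AzKeyVault -ResourceGroupName $rg -Name $vault -Location 'westeurope' -EnablePurgeProtection
# Note: New-AzKeyVault also gives the *creating* identity a full access policy; it is reviewed below.

# Management plane: Azure RBAC on the vault resource. Reader can inspect configuration and
# diagnostics but cannot change access policies; Contributor could, and so could grant itself data access.
New-AzRoleAssignment -SignInName $operatorUpn -RoleDefinitionName 'Reader' -Scope $kv.ResourceId

# Data plane: an access policy with only what the workload needs (read secrets; nothing on keys or certs).
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $appObjectId -PermissionsToSecrets get, list

# Check: who can do what on the data plane? Expect two entries: the creator and the app.
(Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Select-Object DisplayName, ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates

# Run as the operator (Reader on the resource, no access policy) this call fails with 403 Forbidden,
# even though the operator can read the vault *resource* through ARM.
try {
    Get-AzKeyVaultSecret -VaultName $vault -Name 'db-password'
} catch {
    Write-Warning "Data-plane access denied for $operatorUpn as expected: $($_.Exception.Message)"
}

# Revoke the workload's policy when it is retired, so stale entries do not outlive the app.
Remove-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $appObjectId
```

The check in the middle is the habit worth keeping: list the access policies after every change and make sure every entry maps to a current workload. The creator's default full policy is the one most often forgotten.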
Manage certificates
Azure Key Vault–supported
x509 certificate capabilities:
 Creation of certificates:
 Support for exportable and
nonexportable private keys in
PFX or PEM format
 Autogenerating of addressable
key and secret associated with
the certificate
 Secure storage and
management without
interaction with private keys
Manage certificates (cont.)
 Policy-based lifecycle management:
 Autogenerating of a default policy following certificate import
(customers must define new policies when creating certificates)
 Support for vault-level access control
 Auditing and notifications
 Support for certificate contacts
 Automatic renewal
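A certificate created under an explicit lifecycle policy, with a non-exportable private key, automatic renewal and a notification contact. This is an added example, not from the deck; it assumes the Az.KeyVault module, and the vault name, DNS names and contact address are placeholders. The self-signed issuer is used so the example runs without a CA partnership; replacing 'Self' with a configured issuer (DigiCert or GlobalSign) is the only change for public certificates.

```powershell
# Added example (not from the deck): policy-driven certificate creation in Key Vault. Placeholder names.
$vault = 'kv-contoso-prod'
$name  = 'api-contoso-com'

# Splatting lets each policy choice carry a comment.
$policyParams = @{
    SubjectName                     = 'CN=api.contoso.com'
    DnsName                         = 'api.contoso.com', 'www.contoso.com'
    IssuerName                      = 'Self'           # 'DigiCert' / 'GlobalSign' once an issuer is configured
    KeyType                         = 'RSA'
    KeySize                         = 2048
    KeyNotExportable                = $true            # private key never leaves the vault
    ReuseKeyOnRenewal               = $false           # fresh key pair on every renewal
    SecretContentType               = 'application/x-pkcs12'
    ValidityInMonths                = 12
    RenewAtNumberOfDaysBeforeExpiry = 30               # lifetime action: renew 30 days before expiry
}
$policy = New-AzKeyVaultCertificatePolicy @policyParams

Add-AzKeyVaultCertificate -VaultName $vault -Name $name -CertificatePolicy $policy

# Creation is asynchronous: poll the operation instead of assuming success.
do {
    Start-Sleep -Seconds 5
    $op = Get-AzKeyVaultCertificateOperation -VaultName $vault -Name $name
} while ($op.Status -eq 'inProgress')
if ($op.Status -ne 'completed') {
    throw "Certificate creation failed: $($op.ErrorMessage)"
}

# Contacts receive the expiry and renewal notifications the policy triggers.
Add-AzKeyVaultCertificateContact -VaultName $vault -EmailAddress 'pki-ops@contoso.com'

# One certificate, three addressable objects: the certificate, its key, and its secret (the PFX).
# Because the key is non-exportable, reading the secret does not release the private key;
# TLS termination has to happen in a service that integrates with Key Vault directly.
$cert = Get-AzKeyVaultCertificate -VaultName $vault -Name $name
"{0} expires {1:u}`n key:    {2}`n secret: {3}" -f $cert.Thumbprint, $cert.Expires, $cert.KeyId, $cert.SecretId
```

The non-exportable setting is the decision to make deliberately. It is the right default for anything terminated inside Azure, and the wrong one for a certificate that must be installed on an on-premises appliance; change it only at creation time, since the key policy cannot be relaxed afterwards without issuing a new certificate.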
Configure an HSM key-generation solution
Primary characteristics of Azure hardware security modules:
 Comply with Federal Information Processing Standard (FIPS) 140-2
Level 2 security standard
 Host cryptographic material managed by Azure Key Vault
 Support cryptographic operations within the HSM boundaries
 Support secure transfer of existing keys in Bring Your Own Key
(BYOK) scenarios
Configure an HSM key-generation solution (Cont.)
Transferring HSM-protected keys:
 A customer generates a key in their on-premises environment
 The customer uses a target key vault to generate a nonexportable
Key Exchange Key
 The customer encrypts the key with the Key Exchange Key and
binds it to the vault by using an HSM-specific toolset
 The customer transfers the key into the key vault
Upload a secret
# Build the value as a SecureString (the cmdlet refuses plain strings),
# then write it as a new secret version. Line continuations use backticks.
$secretvalue = ConvertTo-SecureString `
    -String 'hVFkk965BuUv' `
    -AsPlainText -Force
$secret = Set-AzKeyVaultSecret `
    -VaultName 'ContosoKeyVault' `
    -Name 'ExamplePassword' `
    -SecretValue $secretvalue
Configure key rotation
 A key vault allows you to update keys and secrets without affecting
the behavior of your application, because applications reference a
key or secret by its versionless identifier and receive the latest
enabled version
 You can rotate secrets in several ways:
 As part of a manual process
 Programmatically by using the REST API or the Az PowerShell module
 Through an Azure Automation script
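Rotation carried through end to end: a new secret version, retirement of the old versions, a new key version, and the HSM-protected (BYOK) import from the previous slides. This is an added example, not from the deck. It assumes the Az.KeyVault module; the vault, secret and key names and the .byok path are placeholders, and the step that applies the new value to the consuming system (the database principal here) is left as a comment because it is specific to that system.

```powershell
# Added example (not from the deck): rotate a secret and a key without touching application config.
$vault = 'kv-contoso-prod'          # placeholder

# --- Secret rotation -------------------------------------------------------------------------
# Generate the new value from a CSPRNG, not Get-Random (which is not cryptographically secure).
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newValue = [Convert]::ToBase64String($bytes)
$secure   = ConvertTo-SecureString -String $newValue -AsPlainText -Force

# Writing a new version *is* the rotation: clients that resolve
# https://<vault>.vault.azure.net/secrets/db-password (no version) now get this one.
$new = Set-AzKeyVaultSecret -VaultName $vault -Name 'db-password' -SecretValue $secure `
    -ContentType 'text/plain' `
    -Expires (Get-Date).AddDays(90).ToUniversalTime() `
    -Tag @{ rotatedBy = 'rotation-runbook'; rotatedOn = (Get-Date -Format 'yyyy-MM-dd') }
# ... apply $newValue to the database principal here (system specific), then:

# Disable, do not delete, every older version: a leaked old value stops working,
# but the version stays auditable and recoverable if the cut-over has to be rolled back.
Get-AzKeyVaultSecret -VaultName $vault -Name 'db-password' -IncludeVersions |
    Where-Object { $_.Version -ne $new.Version -and $_.Enabled } |
    ForEach-Object {
        Update-AzKeyVaultSecret -VaultName $vault -Name $_.Name -Version $_.Version -Enable $false
    }

# --- Key rotation ----------------------------------------------------------------------------
# Adding a key under an existing name creates a new version; the versionless key id now points at it.
# Old versions remain so data encrypted (or DEKs wrapped) under them can still be unwrapped.
Add-AzKeyVaultKey -VaultName $vault -Name 'cmk-storage' -Destination 'Software' `
    -KeyType 'RSA' -Size 2048 -Expires (Get-Date).AddYears(1).ToUniversalTime()

# HSM-protected key (BYOK): a key generated on-premises, wrapped with the vault's Key Exchange Key by
# the HSM vendor toolset, arrives as a .byok package and is never present in software inside Azure.
Add-AzKeyVaultKey -VaultName $vault -Name 'cmk-hsm' -KeyFilePath 'C:\byok\cmk-hsm.byok' -Destination 'HSM'

# Check: which version will each client receive now?
"db-password -> $((Get-AzKeyVaultSecret -VaultName $vault -Name 'db-password').Version)"
"cmk-storage -> $((Get-AzKeyVaultKey    -VaultName $vault -Name 'cmk-storage').Version)"
```

The order matters: write the new version, update the consumer, and only then disable the old versions. Disabling first creates an outage window in which clients that cached the old value are rejected while clients that have not refreshed yet still present it.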
Lesson 3: Configure Azure AD for Azure
workloads and subscriptions
Lesson 3 introduction
 Multi-factor for time-bound elevation
 Configure MFA for applications
 Configure MFA for passwords
 Understand users and groups
 Install and configure Azure AD Connect
 Manage Azure AD directory roles
 Configure authentication methods 
 Manage app registration
Multi-factor for time-bound elevation
 Azure MFA is the two-step verification solution from Microsoft
 Azure MFA supplies added security for your identities by requiring
two or more elements for full authentication
 These elements fall into three categories:
 Something you know: password or answer to security question
 Something you possess: mobile app or token device
 Something you are: biometric property such as fingerprint
 Using Azure MFA increases identity security by limiting the impact of
credential exposure
Multi-factor for time-bound elevation (cont.)
Azure MFA comes as part of the following offerings:
 Azure Active Directory Premium licenses
 Azure MFA Service (cloud)
 Azure MFA Server (on-premises)
 Multi-Factor Authentication for Microsoft Office 365
 Azure Active Directory Global Administrators (MFA is included for
this role at no extra cost)
Configure MFA for applications
To configure Azure MFA to work with applications, you should:
1. Sign in to the Azure portal by using a Global Administrator account
2. Browse to Azure Active Directory, Conditional access
3. Select the New policy option
4. Name your policy
5. Select users and groups (exclude at least one break-glass account so
a faulty policy cannot lock every administrator out)
6. Select apps
7. Review the conditions
8. Enable policy (report-only first, then enforce once the sign-in logs
look right)
9. Create the policy
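The same policy created through Microsoft Graph PowerShell, as an added example that is not part of the deck. It assumes the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups and Microsoft.Graph.Users modules, a target group and a break-glass account whose names are placeholders. The policy starts in report-only mode on purpose.

```powershell
# Added example (not from the deck): Conditional Access policy requiring MFA, created report-only first.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'User.Read.All'

$targetGroup = (Get-MgGroup -Filter "displayName eq 'sg-cloud-admins'").Id                       # placeholder
$breakGlass  = (Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'").Id   # placeholder
if (-not $targetGroup -or -not $breakGlass) { throw 'Resolve the group and break-glass account before creating the policy.' }

$policy = @{
    displayName   = 'CA001: Require MFA for admins on all cloud apps'
    state         = 'enabledForReportingButNotEnforced'   # report-only: evaluated and logged, not enforced
    conditions    = @{
        users          = @{ includeGroups = @($targetGroup); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created $($created.DisplayName) ($($created.Id)) in state $($created.State)"

# Step 8 of the slide, once the report-only results in the sign-in logs are acceptable:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }

# Check: enforced policies with no user exclusions are a lock-out risk; list them for review.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and -not $_.Conditions.Users.ExcludeUsers } |
    Select-Object DisplayName, Id
```

Report-only mode is not a formality: a policy that includes "All" applications also covers the portal and Graph, so a mistake in the user scope is applied to the very session used to fix it. The break-glass exclusion is what makes that recoverable.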
Configure Azure MFA for passwords
Open the Azure Active Directory blade and perform the following
steps:
1. Click Users
2. Click Multi-Factor Authentication
3. Click service settings
4. Scroll to app passwords and select the app passwords option that
you wish to use
5. Save the settings that you configured
Understand users and groups
 In Azure AD, every user who needs access to resources needs a user
account
 Azure AD defines users in three ways:
 Cloud identities
 Directory-synchronized identities
 Guest users
 You can add cloud identities to Azure AD by using:
 Azure portal
 Azure PowerShell
Understand users and groups (cont.)
 A group helps organize users to make it easier to manage
permissions
 There are two types of groups:
 security groups
 distribution groups
 There are two ways to add members to Azure groups:
 directly assigned
 dynamically assigned
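Both membership models in practice, as an added example that is not from the deck: one security group whose membership is computed from a rule and one whose membership is assigned directly. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules and an Azure AD Premium P1 licence (required for dynamic membership); group and user names are placeholders.

```powershell
# Added example (not from the deck): dynamic versus direct group membership with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Dynamic: membership follows the rule, so guests are never left out of (or left in) the group by hand.
$guests = New-MgGroup -DisplayName 'sg-all-guests' -MailNickname 'sg-all-guests' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState 'On' `
    -Description 'All guest users; target of restrictive Conditional Access policies'

# Direct: explicit, reviewable membership for a group that carries privilege.
$operators = New-MgGroup -DisplayName 'sg-keyvault-operators' -MailNickname 'sg-keyvault-operators' `
    -MailEnabled:$false -SecurityEnabled `
    -Description 'Humans allowed to manage Key Vault configuration'
$alice = Get-MgUser -UserId 'alice@contoso.com'                  # placeholder
New-MgGroupMember -GroupId $operators.Id -DirectoryObjectId $alice.Id

# Check: dynamic evaluation is asynchronous. Confirm processing has finished before a policy relies on it,
# then compare the computed membership against the guest list the rule is supposed to match.
$state = (Get-MgGroup -GroupId $guests.Id -Property membershipRuleProcessingState).MembershipRuleProcessingState
"Rule processing: $state"
$members = Get-MgGroupMember -GroupId $guests.Id -All | Select-Object -ExpandProperty Id
$allGuests = Get-MgUser -Filter "userType eq 'Guest'" -All | Select-Object -ExpandProperty Id
$missing = $allGuests | Where-Object { $_ -notin $members }
"Guests: $($allGuests.Count)  in group: $($members.Count)  not yet evaluated: $($missing.Count)"
```

Use dynamic groups for populations that change without anyone deciding (guests, devices, departments) and direct assignment for anything that confers privilege, where every addition should be a deliberate, reviewable act.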
Understand users and groups (cont.)
Exercises
 Manage group membership
 Try the Manage group membership for users in your Azure AD tenant: this
article explains how to manage the members for a group in Azure AD 
 Create a group and add members
 Try the Create a group and add members in Azure Active Directory: this
article explains how to create and populate a new group in Azure AD, and how
you can use a group to perform management tasks such as assigning licenses
or permissions to several users or devices at once 
 Manage profile information
 Try the Add or change profile information for a user in Azure Active
Directory: this article explains how to add user profile information, such as a
profile picture or phone and email authentication information, in Azure AD 
Install and configure Azure AD Connect
 Azure AD Connect integrates your on-premises directories with Azure
Active Directory
 This integration allows you to provide a common identity for your
users for Office 365, Azure, and SaaS applications integrated with
Azure AD in a hybrid identity environment
 Azure AD Connect provides:
 Sync Services
 Health monitoring
 Active Directory Federation Services (AD FS)
 Password hash synchronization
 Pass-through authentication
Manage Azure AD directory roles
Azure provides many built-in roles to address the most common
security scenarios
 The Azure RBAC roles for managing resources include:
 Owner: has full access to all resources including the right to
delegate access to others
 Contributor: can create and manage all types of Azure resources
but can't grant access to others
 Reader: can view existing Azure resources
 These are distinct from Azure AD directory roles such as Global
Administrator or Privileged Role Administrator, which govern the
directory itself rather than Azure resources
Manage Azure AD directory roles (cont.)
Each Azure RBAC role is a set of properties defined in a JavaScript
Object Notation (JSON) document, which includes:
 Name, Id, IsCustom, and Description
 Allowed management operations (Actions) and operations subtracted
from them (NotActions)
 The data-plane equivalents (DataActions and NotDataActions)
 The scopes at which the role may be assigned (AssignableScopes)
Configure authentication methods
Microsoft highly recommends that administrators enable users to
register more than the minimum required number of authentication
methods, in case they lose access to one method.

Authentication method         Usage
Password                      MFA and SSPR
Security questions            SSPR only
Email address                 SSPR only
Microsoft Authenticator app   MFA and SSPR
OATH hardware token           MFA and SSPR
SMS                           MFA and SSPR
Voice call                    MFA and SSPR
App passwords                 MFA only in certain cases
Configure authentication methods (cont.)
You can use the following authentication methods with Azure AD:
 Password
 Security questions
 Email address
 Microsoft Authenticator app
 OATH hardware tokens
 Mobile phone
 App password
Manage app registration
 The Microsoft identity platform is an evolution of the Azure AD
identity service and developer platform
 The Microsoft identity platform has two endpoints (v1.0 and v2.0)
and two sets of client libraries to handle these endpoints
 Azure AD supports five primary application scenarios:
 Single-page application (SPA)
 Web browser to web application
 Native application to web API
 Web application to web API
 Daemon or server application to web API
Manage app registration (cont.)
 Any application that outsources authentication to Azure AD must be
registered in a directory 
 Registration involves telling Azure AD about the application, including
the URL where it’s located, the URL to send replies to after
authentication, the URI to identify your application, and more
 Azure AD represents applications following a specific model that's
designed to fulfill two main functions
 Identify the app according to the authentication protocols it
supports 
 Handle user consent during token request time and facilitate the
dynamic provisioning of apps across tenants 
Lesson 4: Configure security for an Azure
subscription
Lesson 4 introduction
 Configure custom Azure role-based access control (RBAC)
 Configure subscription and resource permissions 
 Identify external accounts that have Azure management access
 Transfer Azure subscriptions between Azure AD tenants 
 Manage API access to Azure subscriptions and resources 
Configure custom Azure RBAC
 When most organizations consider using the public cloud, they
are concerned about two things:
 Ensuring that when people leave the organization, they lose
access to resources in the cloud
 Striking the right balance between autonomy and central
governance
 Azure AD and RBAC make it simple for you to achieve these goals:
role assignments are bound to directory identities, so disabling the
account removes the access, and custom roles let you grant exactly
the operations a team needs at the scope where it needs them
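A custom role built from the JSON property model described under "Manage Azure AD directory roles" and assigned at resource-group scope, as an added example that is not from the deck. It assumes the Az.Resources module; the subscription id, resource group and group name are placeholders. The role lets a support team operate VMs without being able to create, delete, or grant anything.

```powershell
# Added example (not from the deck): define, assign and sanity-check a custom Azure RBAC role.
$subscriptionId = '11111111-2222-3333-4444-555555555555'   # placeholder
$rg             = 'rg-app-prod'                            # placeholder

# Same property model as the built-in roles: Actions allow, NotActions subtract,
# AssignableScopes bounds where the role may be assigned. Start narrow; widen only with evidence.
$roleJson = @"
{
  "Name": "Virtual Machine Operator (Contoso)",
  "IsCustom": true,
  "Description": "Start, stop and restart VMs and read their diagnostics. No create/delete, no role assignment.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$file = Join-Path $env:TEMP 'vm-operator-role.json'
Set-Content -Path $file -Value $roleJson -Encoding utf8
$role = New-AzRoleDefinition -InputFile $file

# Guard: a custom role must never be able to delegate access or carry a wildcard. Owner is dangerous
# precisely because it includes Microsoft.Authorization/*/write; that is what custom roles exist to avoid.
if (($role.Actions -like 'Microsoft.Authorization/*') -or ($role.Actions -contains '*')) {
    throw 'Role can delegate access or is a wildcard; tighten Actions before assigning it.'
}

# Assign to a group, never to individuals, at the narrowest scope that works.
$group = Get-AzADGroup -DisplayName 'sg-vm-operators'      # placeholder
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg"

# Review: every assignment visible at the resource group, including those inherited from the subscription.
Get-AzRoleAssignment -ResourceGroupName $rg |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object Scope, RoleDefinitionName
```

The guard is worth keeping in any role-provisioning pipeline: the JSON is easy to edit, and a single "Microsoft.Authorization/roleAssignments/write" added "just for one ticket" silently turns an operator role into a path to Owner.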
Configure subscription and resource permissions
 You can create additional subscriptions for your account in Azure
 To create Azure subscriptions under your organization's Enterprise
Agreement (EA), you must have the Account Owner role for your
organization
Identify external accounts that have Azure
management access
 Azure Security Center is a unified infrastructure security
management system that strengthens the security posture of your
datacenters, and provides advanced threat protection across your
hybrid workloads 
 Azure Policy is a service in Azure that you use to create, assign, and
manage policies
Identify external accounts that have Azure
management access (cont.)
Policy: [Preview]: Audit external accounts with owner permissions on a subscription
  What the policy does: External accounts with owner permissions should be
  removed from your subscription to prevent unmonitored access
Policy: [Preview]: Audit external accounts with write permissions on a subscription
  What the policy does: External accounts with write privileges should be
  removed from your subscription to prevent unmonitored access
Policy: [Preview]: Audit external accounts with read permissions on a subscription
  What the policy does: External accounts with read privileges should be
  removed from your subscription to prevent unmonitored access
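The check those policies automate, run by hand first and then handed to Azure Policy, as an added example that is not from the deck. It assumes the Az.Resources and Az.PolicyInsights modules and a signed-in context on the subscription to inspect; the property paths on policy definition objects (Properties.DisplayName) follow the Az.Resources versions contemporary with this deck, and the policies are matched by display name wildcard because preview names change.

```powershell
# Added example (not from the deck): find external (guest) principals holding role assignments, then keep
# Azure Policy watching for new ones.
$sub = (Get-AzContext).Subscription

# Guests carry UserType 'Guest' and a '#EXT#' UPN; match role assignments on either signal.
$guestIds = Get-AzADUser -Filter "userType eq 'Guest'" | Select-Object -ExpandProperty Id

$external = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" |
    Where-Object {
        $_.ObjectType -eq 'User' -and ($_.ObjectId -in $guestIds -or $_.SignInName -like '*#EXT#*')
    } |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope

$external | Sort-Object RoleDefinitionName | Format-Table -AutoSize
$external |
    Where-Object RoleDefinitionName -in 'Owner', 'Contributor', 'User Access Administrator' |
    ForEach-Object { Write-Warning "External principal $($_.SignInName) holds $($_.RoleDefinitionName) at $($_.Scope)" }

# Continuous control: assign the built-in audit definitions from the slide at subscription scope.
Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -like '*external accounts with * permissions*' } |
    ForEach-Object {
        New-AzPolicyAssignment -Name ('audit-ext-' + $_.Name.Substring(0, 8)) `
            -DisplayName $_.Properties.DisplayName `
            -PolicyDefinition $_ `
            -Scope "/subscriptions/$($sub.Id)"
    }

# From then on, read compliance state instead of re-scanning by hand.
Get-AzPolicyState -SubscriptionId $sub.Id `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyDefinitionAction eq 'audit'" |
    Select-Object ResourceId, PolicyDefinitionName
```

Note what the audit policies do not catch: external *service principals* and guests who hold access through group membership rather than a direct assignment. The Get-AzRoleAssignment pass above has the same blind spot for groups, which is a reason to keep group membership under access review.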
Transfer Azure subscriptions between Azure AD
tenants
 Typically, large organizations
assign Azure subscriptions to
various business units of the
company
 Occasionally, organizations need
to transfer the subscription
between owners and Azure AD
tenants
 Azure provides a process for
transferring the ownership of an
Azure subscription
Manage API access to Azure subscriptions and
resources
 When you publish APIs through Azure API Management, it's
common to secure access to those APIs by using subscription keys
 Client applications that need to consume the published APIs must
include a valid subscription key in HTTP requests when they make
calls to those APIs
 API Management also supports other mechanisms for securing
access to APIs, including the following examples:
 OAuth 2.0
 Client certificates
 IP filtering (allow and deny lists by source address range)
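The three mechanisms combined on one API, as an added example that is not from the deck: subscription keys stay required, and an inbound policy adds Azure AD bearer-token validation and a source-range filter. It assumes the Az.ApiManagement module; the service, resource group, API id, tenant id, audience and address range are placeholders.

```powershell
# Added example (not from the deck): layer subscription key, OAuth 2.0 token validation and IP filtering on an API.
$ctx      = New-AzApiManagementContext -ResourceGroupName 'rg-apim' -ServiceName 'apim-contoso'  # placeholders
$apiId    = 'orders-api'                                                                        # placeholder
$tenantId = '11111111-2222-3333-4444-555555555555'                                              # placeholder

# 1. Subscription key: required on the API, issued per consuming application.
Set-AzApiManagementApi -Context $ctx -ApiId $apiId -SubscriptionRequired $true
New-AzApiManagementSubscription -Context $ctx -Name 'orders-mobile-app' -Scope "/apis/$apiId" -State Active

# 2 + 3. Inbound policy: deny before doing any work. The ip-filter runs first (cheap), then the JWT check
#        against the tenant's OpenID metadata; audience and issuer pin the token to this API and this tenant,
#        and the required role claim means "valid token" alone is not enough.
$policy = @"
<policies>
  <inbound>
    <base />
    <ip-filter action="allow">
      <address-range from="203.0.113.0" to="203.0.113.255" />
    </ip-filter>
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized" require-scheme="Bearer">
      <openid-config url="https://login.microsoftonline.com/$tenantId/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://orders-api</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/$tenantId/v2.0</issuer>
      </issuers>
      <required-claims>
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
"@
Set-AzApiManagementPolicy -Context $ctx -ApiId $apiId -Policy $policy

# Check: read the effective policy back; an empty inbound section means the call was applied at the wrong scope.
Get-AzApiManagementPolicy -Context $ctx -ApiId $apiId
```

Treat the subscription key as a metering and identification mechanism, not as authentication: it is a static shared secret that ends up in client binaries. The token validation is what establishes who the caller is; the key only says which application agreement the traffic is billed against.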
Service Fabric with Azure API Management
Module 1 Labs
Connect to GitHub - http://github.com/MicrosoftLearning/AZ-500-Azure-Security
Enter the Instruction/Labs folder.
Enter the Module 1 folder.
© Copyright Microsoft Corporation. All rights reserved.
