AZ-500: Azure Security Engineer
Module 01: Manage identity and access
Module Agenda
Configure Microsoft Azure Active Directory (Azure AD) Privileged Identity Management
Configure and manage Azure Key Vault
Configure Azure AD for Azure workloads and subscriptions
Configure security for an Azure subscription
Lesson 1: Configure Azure AD Privileged Identity Management
Lesson 1 introduction
Zero Trust model
Identity Management
Azure AD Privileged Identity Management (PIM)
Configure PIM
Activate a role
Monitor the status of your requests
Resource audit history
Zero Trust Model
The Zero Trust model never assumes trust; instead, it validates trust continually
With most users now accessing apps and data from the internet, most components of a transaction are no longer under organizational control
Trust determination components include:
Identity provider
Device directory
Policy evaluation service
Access proxy
Implementing a Zero Trust Model
Zero Trust model (cont.)
Identity as a Service (IDaaS): the new control plane
Our identity is like a control plane because it controls:
What protocols we interact with
Which organizations’ programs we can access
What devices we can use to access them
Identity Management
On-premises Active Directory, Azure AD, or a hybrid combination of the two all offer services for user and device authentication, identity and role management, and provisioning
Credentials + privileges = digital identity
Azure AD Privileged Identity Management
Azure AD PIM is a service that enables you to manage, control, and monitor access to important resources in your organization
To use PIM, you must have one of the following paid or trial licenses:
• Azure AD Premium P2
• Enterprise Mobility + Security (EMS) E5
Configure PIM
The first person to use PIM in an instance of Azure AD is automatically assigned the Security Administrator and Privileged Role Administrator roles in the directory
Only privileged role administrators can manage Azure AD directory role assignments to users
To start using PIM in your directory, you must first enable PIM by using the Azure portal
Activate a role
With PIM enabled, access to privileged operations must be activated when the need to perform privileged actions arises
You can request activation by using the My roles navigation option in PIM
Activate a role (Cont.)
If the role does not require approval, it is activated and added to the list of active roles
After defining PIM roles, you can start adding users to those roles
Monitor the status of your requests
You can view the status of your pending requests to activate a privileged role
To manage the request status, you should:
1. Open Azure AD Privileged Identity Management
2. Click My requests
3. Scroll to the right to view the Request Status column
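The activation and status-check steps above are portal steps. As an added example (not part of the course material), the same flow for an eligible Azure resource role done from Azure PowerShell, which assumes the Az.Resources PIM cmdlets New-AzRoleAssignmentScheduleRequest and Get-AzRoleAssignmentScheduleRequest; the subscription id, role name and ticket text are placeholders. Azure AD directory roles are activated through the Microsoft Graph PIM API rather than these cmdlets.

```powershell
# Self-activate an eligible Azure resource role through PIM, then check the request status.
# Added example; assumes Az.Resources PIM cmdlets and uses placeholder identifiers.
$scope       = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder
$principalId = (Get-AzADUser -SignedIn).Id                              # the caller's own object id
$roleName    = 'Contributor'
$roleDefId   = "$scope/providers/Microsoft.Authorization/roleDefinitions/" +
               (Get-AzRoleDefinition -Name $roleName).Id

# Every request needs a unique name. Justification (and a ticket) is required
# whenever the role's activation settings demand it, and it lands in the audit history.
$request = New-AzRoleAssignmentScheduleRequest -Name (New-Guid).Guid -Scope $scope `
    -PrincipalId $principalId -RoleDefinitionId $roleDefId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime().ToString('o') `
    -ExpirationType AfterDuration -ExpirationDuration 'PT2H' `
    -Justification 'Ticket 1234: rotate storage account keys'           # placeholder text

# Status is Provisioned when the role activates immediately and
# PendingApproval when the role settings require an approver to act first.
$request | Select-Object Name, RequestType, Status, ScheduleInfoStartDateTime, ExpirationDuration

# Equivalent of "My requests": list only the caller's own requests and watch for approval or denial.
Get-AzRoleAssignmentScheduleRequest -Scope $scope -Filter 'asTarget()' |
    Select-Object Name, Status, CreatedOn, ExpirationDuration
```

Requesting a bounded duration (PT2H) rather than the policy maximum, and tying the request to a ticket, is what makes the later audit trail useful: each activation record then says who, why and for how long.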
Resource audit history
Resource audit allows you to view all role activity for a resource
To perform auditing, you should:
1. Open Azure AD Privileged Identity Management
2. Click Azure resources
3. Click the resource for which you want to view audit history
4. Click Resource audit
5. Filter the history by using a predefined date or custom range
6. For Audit type, select Activate (Assigned + Activated)
7. Under Action, click (activity) for a user to observe that user's activity detail in Azure resources
Lesson 2: Configure and Manage Azure Key Vault
Configure and Manage Secrets in Azure Key Vault
Features of Azure Key Vault:
• Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use.
• Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data.
• Developers can create keys for development and testing in minutes, and then migrate them to production keys.
• Security administrators can grant (and revoke) permission to keys, as needed.
Key Vault Uses
Azure Key Vault helps address the following issues:
• Secrets management. Azure Key Vault can securely store (with HSMs) and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
• Key management. Azure Key Vault is a cloud-based key management solution, making it easier to create and control the encryption keys used to encrypt your data. Azure services such as App Service integrate directly with Azure Key Vault and can decrypt secrets without knowledge of the encryption keys.
Key Vault Uses (Cont.)
• Certificate management. Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with Azure and your internal connected resources. It can also request and renew TLS certificates through partnerships with certificate authorities, providing a robust solution for certificate lifecycle management.
Manage access and permissions to secrets, certificates, and keys in Key Vault
You control access to a key vault through two interfaces: the management plane and the data plane
Management plane:
Operations: create and delete vaults, update access policies, retrieve vault properties
Authentication: Azure AD
Authorization: RBAC
Manage access and permissions to secrets, certificates, and keys in Key Vault (cont.)
Data plane:
Operations: view and manage certificates, keys, and secrets
Authentication: Azure AD
Authorization: Key vault access policies
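The two planes are easiest to see side by side. The following is an added example (not from the course) in Azure PowerShell: an RBAC assignment on the vault resource for the management plane, and an access policy for the data plane. Vault, resource group and object ids are placeholders. Key Vault now also offers an RBAC permission model for the data plane; this example follows the access-policy model the slide describes.

```powershell
# Management plane vs data plane for one key vault.
# Added example; names and object ids below are placeholders.
$vault          = 'ContosoKeyVault'
$rg             = 'ContosoRG'
$opsGroupId     = '11111111-1111-1111-1111-111111111111'   # object id of an operations group
$appObjectId    = '22222222-2222-2222-2222-222222222222'   # object id of an app's service principal

# Management plane: Azure RBAC on the vault resource.
# "Key Vault Contributor" can change the vault and its access policies but, by itself,
# cannot read a single secret, key or certificate.
$vaultId = (Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).ResourceId
New-AzRoleAssignment -ObjectId $opsGroupId -RoleDefinitionName 'Key Vault Contributor' -Scope $vaultId

# Data plane: an access policy. Grant the app only what it needs: read secrets,
# nothing on keys or certificates, and no "set" or "delete" on secrets.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $appObjectId -PermissionsToSecrets get, list

# Review who holds which data-plane permissions; this is the list to check
# when auditing a vault, because RBAC role assignments alone do not show it.
(Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Select-Object DisplayName, ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates

# Revoke the data-plane grant when the app is decommissioned.
Remove-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $appObjectId
```

The practical consequence: someone who can manage the vault (management plane) can grant themselves data-plane access by editing the policy, so changes to access policies should be watched in the activity log, and the two sets of permissions should be reviewed together.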
Upload a secret
# Wrap the plaintext value in a SecureString; -Force is required with -AsPlainText
$secretvalue = ConvertTo-SecureString `
    -String 'hVFkk965BuUv' `
    -AsPlainText -Force
# Store it in the vault; each call with the same -Name creates a new version
$secret = Set-AzKeyVaultSecret `
    -VaultName 'ContosoKeyVault' `
    -Name 'ExamplePassword' `
    -SecretValue $secretvalue
Configure key rotation
A key vault allows you to update keys and secrets without affecting the behavior of your application
You can rotate secrets in several ways:
As part of a manual process
Programmatically by using REST API
Through an Azure Automation script
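The programmatic path, as an added example that is not part of the course: rotating a secret from Azure PowerShell by writing a new version, then disabling (not deleting) the previous version so a rollback remains possible. Vault and secret names are placeholders; the same script body would run unchanged inside an Azure Automation runbook.

```powershell
# Rotate a Key Vault secret: new version in, old version disabled.
# Added example; vault and secret names are placeholders.
$vault = 'ContosoKeyVault'
$name  = 'ExamplePassword'

# Record the version that is current before rotation so it can be retired afterwards.
$old = Get-AzKeyVaultSecret -VaultName $vault -Name $name

# Generate the replacement value from a CSPRNG; never derive it from the old value.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secure = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
[Array]::Clear($bytes, 0, $bytes.Length)          # drop the plaintext bytes from memory

# Writing the same secret name creates a new version; consumers that read the
# secret by name (no version) pick it up on their next fetch.
# An expiry date makes the next rotation visible to monitoring before it is overdue.
$new = Set-AzKeyVaultSecret -VaultName $vault -Name $name -SecretValue $secure `
    -Expires (Get-Date).AddDays(90) -Tag @{ rotatedBy = 'rotation-script' }

# Disable the previous version rather than deleting it: if the rollout fails,
# it can be re-enabled instantly, and the audit trail of the old value is kept.
Update-AzKeyVaultSecret -VaultName $vault -Name $name -Version $old.Version -Enable $false

# Verify: exactly one enabled version should remain.
Get-AzKeyVaultSecret -VaultName $vault -Name $name -IncludeVersions |
    Select-Object Version, Enabled, Created, Expires
```

Two caveats a practitioner will want to keep in mind: the system that consumes the secret (a database, an API provider) must be updated to the new value before the old version is disabled, and for keys rather than secrets the equivalent operation is a new key version with the application re-encrypting under it.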
Lesson 3: Configure Azure AD for Azure workloads and subscriptions
Lesson 3 introduction
Multi-factor for time-bound elevation
Configure MFA for applications
Configure MFA for passwords
Understand users and groups
Install and configure Azure AD Connect
Manage Azure AD directory roles
Configure authentication methods
Manage app registration
Multi-factor for time-bound elevation
Azure MFA is the multi-step verification solution from Microsoft
Azure MFA supplies added security for your identities by requiring two or more elements for full authentication
These elements fall into three categories:
Something you know: password or answer to security question
Something you possess: mobile app or token device
Something you are: biometric property such as fingerprint
Using Azure MFA increases identity security by limiting the impact of credential exposure
Multi-factor for time-bound elevation (cont.)
Policy: [Preview]: Audit external accounts with owner permissions on a subscription
Description: External accounts with owner permissions should be removed from your subscription to prevent unmonitored access
Policy: [Preview]: Audit external accounts with write permissions on a subscription
Description: External accounts with write privileges should be removed from your subscription to prevent unmonitored access
Policy: [Preview]: Audit external accounts with read permissions on a subscription
Description: External accounts with read privileges should be removed from your subscription to prevent unmonitored access
Transfer Azure subscriptions between Azure AD tenants
Typically, large organizations assign Azure subscriptions to various business units of the company
Occasionally, organizations need to transfer the subscription between owners and Azure AD tenants
Azure provides a process for transferring the ownership of an Azure subscription
Manage API access to Azure subscriptions and resources
When you publish APIs through Azure API Management, it's common to secure access to those APIs by using subscription keys
Client applications that need to consume the published APIs must include a valid subscription key in HTTP requests when they make calls to those APIs
API Management also supports other mechanisms for securing access to APIs, including the following examples:
OAuth 2.0
Client certificates
IP whitelisting
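What a client call with a subscription key looks like, as an added example that is not from the course: a PowerShell client that sends the key in the Ocp-Apim-Subscription-Key request header (API Management's default header name) and distinguishes a missing or invalid key from a key that is valid but not entitled to the API. The gateway URL and API path are placeholders, and the key is read from an environment variable so it never appears in the script.

```powershell
# Call an API published through Azure API Management using a subscription key.
# Added example; gateway host and path are placeholders.
$gateway = 'https://contoso-apim.azure-api.net'   # placeholder gateway
$path    = '/echo/resource'                        # placeholder API path

# Keep the key out of source control: read it from the environment (or a Key Vault secret).
$apimKey = $env:APIM_SUBSCRIPTION_KEY
if (-not $apimKey) { throw 'APIM_SUBSCRIPTION_KEY is not set' }

# APIM accepts the key as a header or as the subscription-key query parameter.
# Use the header: query strings end up in URLs, proxy logs and browser history.
$headers = @{ 'Ocp-Apim-Subscription-Key' = $apimKey }

function Invoke-ApimCall {
    param([string]$Uri, [hashtable]$Headers)
    try {
        return Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
    }
    catch {
        $status = $_.Exception.Response.StatusCode.value__
        switch ($status) {
            401 { Write-Warning 'Access denied: subscription key missing or invalid.' }
            403 { Write-Warning 'Key accepted but not subscribed to this API/product.' }
            default { throw }
        }
        return $null
    }
}

$result = Invoke-ApimCall -Uri "$gateway$path" -Headers $headers
$result
```

A subscription key only identifies the subscriber; it is not a user identity and is sent with every request, so it should be treated like a password: scoped to a product, rotated (APIM keeps a primary and a secondary key for exactly this), and combined with one of the other mechanisms above, such as OAuth 2.0, where the API exposes sensitive data.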
Service Fabric with Azure API Management
Module 1 Labs
Connect to GitHub: http://github.com/MicrosoftLearning/AZ-500-Azure-Security