AZ-500: Azure Security Technologies

Manage identity and access (30-35%)

Manage Azure Active Directory identities

• Configure security for service principals
  • Application and service principal objects in Azure Active Directory
  • Authenticate apps to Azure services by using service principals and managed identities for Azure resources (Learn)
• Manage Azure AD directory groups
  • Access with Azure Active Directory groups
  • Manage users and groups in Azure Active Directory (Learn)
• Manage Azure AD users
  • Add or delete users using Azure Active Directory
  • Manage users and groups in Azure Active Directory (Learn)
• Configure password writeback
  • Tutorial: Enable Azure Active Directory self-service password reset writeback to an on-premises environment (Docs)
• Configure authentication methods including password hash and Pass Through Authentication (PTA), OAuth, and passwordless
  • Authentication vs authorization
  • What is password hash synchronization with Azure AD?
  • User sign-in with Azure Active Directory Pass-through Authentication
  • Passwordless authentication options for Azure Active Directory
• Transfer Azure subscriptions between Azure AD tenants
  • Manage access to an Azure subscription by using Azure role-based access control (Learn)
  • Transfer billing ownership of an Azure subscription to another account
  • Associate or add an Azure subscription to your Azure Active Directory tenant

Configure secure access by using Azure AD

• Monitor privileged access for Azure AD Privileged Identity Management (PIM)
  • Configure security alerts for Azure AD roles in Privileged Identity Management
• Configure Access Reviews
  • Create an access review of Azure AD roles in Privileged Identity Management
• Activate and configure PIM
  • Deploy Azure AD Privileged Identity Management (PIM)
• Implement Conditional Access policies including Multi-Factor Authentication
  • Secure Azure Active Directory users with Multi-Factor Authentication
  • Configure Azure Multi-Factor Authentication settings
• Configure Azure AD identity protection
  • What is Azure Active Directory Identity Protection?
  • Protect your identities with Azure AD Identity Protection (Learn)

Manage application access

• Create App Registration
  • QuickStart: Register an application with the Microsoft identity platform
• Configure App Registration permission scopes
  • Permissions and consent in the Microsoft identity platform endpoint
• Manage App Registration permission consent
  • Configure how end-users consent to applications
  • Secure your application by using OpenID Connect and Azure AD (Learn)
• Manage API access to Azure subscriptions and resources
  • Get access on behalf of a user
  • Authentication flows and application scenarios
  • Permissions and Consent Framework (Learn)

Manage access control

• Configure subscription and resource permissions
  • Elevate access to manage all Azure subscriptions and management groups
  • Add or change Azure subscription administrators
  • Lock resources to prevent unexpected changes
• Configure resource group permissions
  • What is Azure role-based access control (Azure RBAC)?
  • Secure your Azure resources with role-based access control (Learn)
• Configure custom RBAC roles
  • Create Custom Roles
  • Secure your cloud resources with access control (Learn)
  • Create custom roles for Azure resources with role-based access control (Learn)
• Identify the appropriate role
  • Azure Built-in Roles
  • Manage access to an Azure subscription by using Azure role-based access control (Learn)
• Apply principle of least privilege
  • Best practices for Azure RBAC
• Interpret permissions
  • Quickstart: View the access a user has to Azure resources
• Check access
  • List Azure role definitions
  • List Azure role assignments using the Azure portal

Implement platform protection (15-20%)

Implement advanced network security

• Secure the connectivity of virtual networks (VPN authentication, Express Route encryption)
  • VPN Gateway design
  • ExpressRoute encryption
  • About Point-to-Site VPN
  • Create a Site-to-Site connection in the Azure portal
  • Configure virtual network connectivity
  • Connect your on-premises network to the Microsoft global network by using ExpressRoute (Learn)
  • Design a hybrid network architecture on Azure (Learn)
• Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
  • Network security groups
  • Create, change, or delete a network security group
  • Tutorial: Filter network traffic with a network security group using the Azure portal
  • Application security groups
  • Manage and control traffic flow in your Azure deployment with routes (Learn)
  • Fundamentals of Network Security (Learn)
  • Secure and isolate access to Azure resources by using network security groups and service endpoints (Learn)
• Create and configure Azure Firewall
  • Tutorial: Deploy and configure Azure Firewall using the Azure portal
  • Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal
• Configure Azure Front Door service as an Application Gateway
  • Quickstart: Create a Front Door for a highly available global web application
  • Encrypt network traffic end to end with Azure Application Gateway (Learn)
• Configure a Web Application Firewall (WAF) on Azure Application Gateway
  • Azure Web Application Firewall on Azure Application Gateway
• Configure Azure Bastion
  • Quickstart: Connect to a virtual machine using a private IP address and Azure Bastion
  • How to use Azure Bastion to connect securely to your Azure VMs (Video)
• Configure a firewall on a storage account, Azure SQL, Key Vault, or App Service
  • Azure SQL Database and Azure Synapse IP firewall rules
  • Configure Azure Storage firewalls and virtual networks
  • Access Azure Key Vault behind a firewall
• Implement Service Endpoints
  • Virtual Network service endpoints
  • Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
  • Create, change, or delete service endpoint policy using the Azure portal
  • Use private endpoints for Azure Storage
  • Quickstart: Create a Private Endpoint using Azure portal
• Implement DDoS
  • Azure DDoS Protection Standard overview

Configure advanced security for compute

• Configure endpoint protection
  • Feature coverage for machines
  • Security management in Azure
  • Microsoft Antimalware for Azure Cloud Services and Virtual Machines
  • Protect your servers and VMs from brute-force and malware attacks with Azure Security Center (Learn)
• Configure and monitor system updates for VMs
  • Manage updates and patches for your Azure VMs
  • Manage updates for multiple VMs
  • Keep your virtual machines updated
  • Security best practices for IaaS workloads in Azure
• Configure authentication for Azure Container Registry
  • How to use managed identities with Azure Container Instances
  • Authenticate with an Azure container registry
  • Introduction to Docker containers (Learn)
• Configure security for different types of containers
  • Run Docker containers with Azure Container Instances (Learn)
  • Build a containerized web application with Docker (Learn)
• Implement vulnerability management
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines (Standard tier only)
• Configure isolation for AKS
  • Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
  • Best practices for cluster isolation in Azure Kubernetes Service (AKS)
  • Container Security in Azure
  • Azure Kubernetes Service Workshop (Learn)
  • Secure traffic between pods using network policies in Azure Kubernetes Service (Video)
• Configure security for container registry
  • Authenticate with an Azure container registry
  • Build and store container images with Azure Container Registry (Learn)
• Implement Azure Disk Encryption
  • Azure Disk Encryption for Windows VMs
  • Secure your Azure virtual machine disks (Learn)
• Configure authentication and security for Azure App Service
  • Security in Azure App Service
  • Authentication and authorization in Azure App Service and Azure Functions
  • OS and runtime patching in Azure App Service
• Configure SSL/TLS certs
  • Add a TLS/SSL certificate in Azure App Service
  • Secure a custom DNS name with a TLS/SSL binding in Azure App Service
• Configure authentication for Azure Kubernetes Service
  • Service principals with Azure Kubernetes Service (AKS)
  • Integrate Azure Active Directory with Azure Kubernetes Service
  • Use managed identities in Azure Kubernetes Service
• Configure automatic updates
  • Update containers in Azure Container Instances

Manage security operations (25-30%)

Monitor security by using Azure Monitor

• Create and customize alerts
  • Create, view, and manage log alerts using Azure Monitor
  • Create, view, and manage metric alerts using Azure Monitor
  • Improve incident response with alerting on Azure (Learn)
• Monitor logs by using Azure Monitor
  • Tutorial: Get started with Log Analytics queries
  • Get started with log queries in Azure Monitor
  • Analyze your Azure infrastructure by using Azure Monitor logs (Learn)
  • Monitor and report on security events in Azure AD (Learn)
• Configure diagnostic logging and log retention
  • Create diagnostic setting to collect resource logs and metrics in Azure
  • Overview of Azure platform logs

Monitor security by using Azure Security Center

• Create and customize alerts
  • Security alerts in Azure Security Center
  • Manage and respond to security alerts in Azure Security Center
• Evaluate vulnerability scans from Azure Security Center
  • Vulnerability assessments for your Azure Virtual Machines
  • Integrated vulnerability scanner for virtual machines (Standard tier only)
  • Identify security threats with Azure Security Center (Learn)
  • Resolve security threats with Azure Security Center (Learn)
• Configure Just in Time VM access by using Azure Security Center
  • Secure your management ports with just-in-time access
• Configure centralized policy management by using Azure Security Center
  • Working with security policies
  • Azure security policies monitored by Security Center
• Configure compliance policies and evaluate for compliance by using Azure Security Center
  • Tutorial: Improve your regulatory compliance

Monitor security by using Azure Sentinel

• Create and customize alerts
  • Automatically create incidents from Microsoft security alerts
  • Tutorial: Create custom analytic rules to detect suspicious threats
  • Quickstart: Get started with Azure Sentinel
• Configure data sources to Azure Sentinel
  • Connect data sources
  • Improve security with Azure Sentinel, a cloud-native SIEM and SOAR solution (Video)
• Evaluate results from Azure Sentinel
  • Tutorial: Visualize and monitor your data
  • Tutorial: Investigate incidents with Azure Sentinel
  • Use a framework to identify threats and find ways to reduce or eliminate risk (Learn)
• Configure a playbook for a security event by using Azure Sentinel
  • Tutorial: Set up automated threat responses in Azure Sentinel

Configure security policies

• Configure security settings by using Azure Policy
  • Tutorial: Create and manage policies to enforce compliance
  • Tutorial: Create a custom policy definition
  • Integrate Azure Key Vault with Azure Policy
  • Apply and monitor infrastructure standards with Azure Policy (Learn)
• Configure security settings by using Azure Blueprint
  • What is Azure Blueprints?
  • Overview of the Azure Security Benchmark blueprint sample
  • Tutorial: Create an environment from a blueprint sample

Secure data and applications (20-25%)

Configure security for storage

• Configure access control for storage accounts
  • Authorizing access to data in Azure Storage
  • Secure your Azure Storage accounts (Learn)
• Configure key management for storage accounts
  • Manage storage account access keys
  • Use the Azure portal to access blob or queue data
• Configure Azure AD authentication for Azure Storage
  • Authorize access to blobs and queues using Azure Active Directory
  • Acquire a token from Azure AD for authorizing requests from a client application
• Configure Azure AD Domain Services authentication for Azure Files
  • Overview – on-premises Active Directory Domain Services authentication over SMB for Azure file shares
  • Enable Azure Active Directory Domain Services authentication on Azure Files
  • Store and share files in your application with Azure Files (Learn)
• Create and manage Shared Access Signatures (SAS)
  • Grant limited access to Azure Storage resources using shared access signatures
  • Control access to Azure Storage with shared access signatures (Learn)
• Create a shared access policy for a blob or blob container
  • Security recommendations for Blob storage
• Configure Storage Service Encryption
  • Azure Storage encryption for data at rest
  • Configure customer-managed keys with Azure Key Vault by using the Azure portal

Configure security for databases

• Enable database authentication
  • Use Azure Active Directory authentication
  • Configure and manage Azure AD authentication with Azure SQL
  • Configure security policies to manage data (Learn)
• Enable database auditing
  • Auditing for Azure SQL Database and Azure Synapse Analytics
• Configure Azure SQL Database Advanced Threat Protection
  • Advanced Threat Protection for Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics
• Implement database encryption
  • Tutorial: Secure a database in Azure SQL Database
  • Transparent Data Encryption
• Implement Azure SQL Database Always Encrypted
  • Always Encrypted
  • Overview of key management for Always Encrypted
  • Configure Always Encrypted by using Azure Key Vault

Configure and manage Key Vault

• Manage access to Key Vault
  • Azure Key Vault security
  • Secure access to a key vault
• Manage permissions to secrets, certificates, and keys
  • Provide Key Vault authentication with a managed identity
  • Manage secrets in your server apps with Azure Key Vault (Learn)
• Configure RBAC usage in Azure Key Vault
  • Azure Policy built-in policy definitions for Key Vault
• Manage certificates
  • Tutorial: Import a certificate in Azure Key Vault
• Manage secrets
  • About Azure Key Vault secrets
  • Configure and manage secrets in Azure Key Vault (Learn)
• Configure key rotation
  • About Azure Key Vault keys
  • Set up Azure Key Vault with key rotation and auditing
  • Tutorial: Configure certificate autorotation in Key Vault
  • Automate the rotation of a secret for resources that use single-user/single-password authentication
• Backup and restore of Key Vault items
  • Azure Key Vault soft-delete overview