AZ-500: Microsoft Azure Security Technologies

Course

Intro Video

Photo of Shawn Johnson

Shawn Johnson

Azure Training Architect II in Content

Shawn Johnson - International Man of Technology. Actually, I've never been out of the United States. But hey, reputation is everything. I've been in technology for over 20 years. Yes, I'm one of the older TAs around here. But I'm immature enough to compensate for my age. I've been involved in Azure for about 5 years now. Prior to that, I was the digital Cliff Claven (Google it), implementing and supporting Exchange Server all the way back to version 5.0. In my spare time, I brew beer and cook, both indoors and out. I am married with three great kids who are too much like me. When people say they weep for our future, they're not talking about my kids, who are the greatest ever. No bias here. When I release content here at Linux Academy, rest assured that it will be informative and fun. We'll laugh, cry and learn together. So let's get to it.

Length

14:43:36

Difficulty

Intermediate

Course Details

This course is designed to help you master the requisite skills required for the Microsoft Azure AZ-500 certification exam.

The AZ-500 exam is an associate level exam which tests candidates for advanced security knowledge and experience working with various aspects of Microsoft Azure.

Throughout this course you will progressively build and expand upon both your security knowledge, and hands-on experience working with Azure technologies including, but not limited to: identity and security, hybrid cloud, monitoring, encryption, database security, and securing apps and services for the cloud.

Interactive Diagram: https://interactive.linuxacademy.com/diagrams/AZ500.html

Syllabus

Course Introduction

Welcome!

Course Introduction

00:02:39

Lesson Description:

Get ready to embark on your journey to becoming a Certified Azure Security Engineer! This course includes over 60 video lessons, ten hands-on labs and loads of other content designed to help you master the concepts and skills required to pass the AZ-500 exam. In this course, we discuss the many different ways to improve the security of your new or existing Azure resources. We spend a ton of time on identity and Azure Active Directory, looking at how you can secure your Azure environment by increasing the security of your user identities with multi-factor authentication and conditional access. We also look at granting elevated privileges only on an as-needed basis with Azure AD Privileged Identity Management. We learn about the various ways to secure your networking, VM and containerized infrastructures, from the Azure resource level all the way down to the individual components themselves. Monitoring plays a key role in this course as well, and we dive into Azure Monitor (formerly, and in some ways still, Log Analytics) as well as vulnerability scanning. And we look at securing our data using tools such as Azure Information Protection, encryption of storage accounts and databases, and Azure Key Vault. All this and much, much more awaits you in this fantastic course!

While this course is considered an associate level course, I consider AZ-500 to be an expert level exam. You should already be familiar with Azure concepts, technologies, and tools prior to taking this course. If you are new to or less experienced in Azure, we recommend taking the following courses/exams prior to proceeding:

Microsoft Azure Fundamentals - AZ-900 Exam Prep
Microsoft Azure Administrator - Exam AZ-103

Helpful Support

Reach out to me directly with any questions or concerns! I will help you be successful with Azure! Join the Linux Academy Community Slack and check out the #azure channel. The Linux Academy Community provides you with access to like-minded students and staff who can help you learn!

About the Training Architect

00:01:16

Lesson Description:

Howdy, folks! My name is Shawn Johnson, and I'll be your training architect for this course. Hopefully, you'll gain a ton of knowledge throughout our journey, and have a few laughs along the way (mostly at my expense!). I'd love to hear from you, so please do feel welcome to reach out to me in community or Twitter @ShawnLAAzure.

Using the AZ-500 Guide

00:01:33

Lesson Description:

In this brief lesson we take a look at the purpose of the AZ-500 Guide as well as how to navigate it. The AZ-500 Guide can be found here!

Managing Identity and Access

Configuring Azure Active Directory for Workloads

Azure AD Users

00:14:39

Lesson Description:

In this lesson, we look at Azure Active Directory users. We discuss why user accounts are important and discuss the ways we can manage user accounts in Azure. We also create several user accounts using the Azure Portal, Azure PowerShell and the Azure CLI. Finally, we discuss B2B guest accounts and invite a guest account into our directory to access resources.

Azure AD Groups

00:13:41

Lesson Description:

In this lesson, we dive into Azure Active Directory groups. We look at the different group types we can manage as well as the difference between assigned and dynamic membership types. We also create several security groups using the Azure Portal, Azure PowerShell, and the Azure CLI. Finally, we create a dynamic user security group and create a query to automatically populate the group with user accounts.

App Registrations, Permissions, Scopes, and Consent

00:11:23

Lesson Description:

Not only can we deploy thousands of Enterprise Applications into our Azure AD tenant using Azure Active Directory as our identity provider, we can also use Azure AD to authenticate to and access custom applications! In this lesson, we discuss Azure AD access to custom applications in terms of scopes and permissions. Delegated permissions let an application access resources on behalf of a signed-in Azure AD user; application permissions are used by services and daemons that run without an interactive user. We also touch on consent, the process by which the signed-in user (or an administrator on behalf of the tenant) grants the application the permissions it requests, limited by the privileges that user possesses in Azure AD.

Working with Azure AD Connect

00:38:24

Lesson Description:

Over the next few lessons, we discuss hybrid identity. This lesson begins with Azure Active Directory Connect, or AADC. This is a powerful tool enabling organizations to synchronize on-premises Active Directory objects to Azure Active Directory. We discuss key features and the prerequisites for installing AADC in our environment, then install and configure AADC in a test lab. We also look at two AADC tools: the Synchronization Service Manager and the Synchronization Rules Editor.

Azure AD Connect Authentication Methods Explained

00:21:51

Lesson Description:

In our last lesson, we installed and configured Azure Active Directory Connect for directory synchronization with on-premises Active Directory. Now, we take our identity journey one step further by discussing authentication methods: password hash synchronization, pass-through authentication, and federation. We discuss the pros and cons of each and implement pass-through authentication in our environment.

Multi-Factor Authentication: Part I

00:13:48

Lesson Description:

Multi-factor authentication (MFA) is a security system that requires more than one authentication method from independent credential categories to verify the user's identity to log in or for other transactions. In this part of the lesson, we discuss MFA as it relates to Azure identity security. We discuss the various types of MFA available to Azure subscribers, as well as the pros and cons of each. We touch on best practices and how to keep your support desk quiet during an MFA rollout.

Multi-Factor Authentication: Part II

00:21:37

Lesson Description:

Multi-factor authentication (MFA) is a security system requiring more than one method of authentication from independent categories of credentials to verify the user's identity to log in or for other transactions. We continue this lesson by configuring MFA in Azure, registering a user account, and testing the configuration.

Conditional Access: Part I

00:11:22

Lesson Description:

In this three-part lesson, we discuss Conditional Access. Conditional Access is a capability of Azure Active Directory. With Conditional Access, you can implement conditions which automate access control decisions for accessing your cloud apps. In this part, we discuss Conditional Access in depth. We also dive into access policies, the heart of Conditional Access. We cover best practices and wrap up with licensing users as part of our deployment.

Conditional Access: Part II

00:18:22

Lesson Description:

In this three-part lesson, we discuss Conditional Access. Conditional Access is a capability of Azure Active Directory. With Conditional Access, you can implement conditions which automate access control decisions for accessing your cloud apps. In this part of the lesson, we build and test access policies requiring us to use multi-factor authentication to access resources. We also test our policies in a Windows workstation.

Conditional Access: Part III

00:15:24

Lesson Description:

In this three-part lesson, we discuss Conditional Access. Conditional Access is a capability of Azure Active Directory. With Conditional Access, you can implement conditions which automate access control decisions for accessing your cloud apps. In this final part, we create a few more access policies and test them. We also explore named locations and how we can use them to exclude trusted networks from Conditional Access. We demonstrate how to "lock" ourselves out of PowerApps, showing that improper planning of Conditional Access policies can cause significant headaches. We finish the lesson by looking at the "What If" tool, which shows which policies would apply to a given user and sign-in scenario before you enforce them.

Azure AD Identity Protection: Part I

00:17:41

Lesson Description:

The ability to protect user identities, no matter how privileged, is of paramount importance in today's cloud-first enterprise. Azure AD Identity Protection (IDP) provides a comprehensive solution to detect and automatically respond to potentially compromised accounts. In the first part of this lesson, we discuss IDP, learn about the different components comprising the service, and discuss the different user and sign-in risks IDP can detect.

Azure AD Identity Protection: Part II

00:14:03

Lesson Description:

The ability to protect user identities, no matter how privileged, is of paramount importance in today's cloud-first enterprise. Azure AD Identity Protection (IDP) provides a comprehensive solution to detect and automatically respond to potentially compromised accounts. In the second part of this lesson, we discuss best practices for implementing IDP. We also onboard and configure IDP in our lab environment. We create several Conditional Access policies and set up alerts for risk events. We test IDP by signing in to the Azure Portal from an anonymous IP address using the Tor browser.
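The following is an added example, not part of the course material, covering the configuration described across Conditional Access Parts I to III and the Identity Protection lessons above. Using the Microsoft Graph PowerShell SDK, it creates a trusted named location, a baseline MFA policy that excludes a break-glass group, and a sign-in-risk policy that consumes Identity Protection's risk signal. The group name sg-breakglass, the IP range (a documentation range), and the policy display names are assumptions. Both policies are created in report-only state, which is the guard against the lock-out scenario the lesson demonstrates.

```powershell
# Added example (not from the course). Requires the Microsoft.Graph PowerShell SDK.
# Assumed: a security group 'sg-breakglass' holds the emergency-access accounts, and
# 203.0.113.0/24 (documentation range) is the corporate egress network.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All','Group.Read.All'

# 1. Never lock out the emergency-access accounts: exclude them from every policy.
$breakGlass = Get-MgGroup -Filter "displayName eq 'sg-breakglass'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before adding policies." }

# 2. Trusted named location for the corporate network.
$hq = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate HQ'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 3. Baseline: MFA for all users on all cloud apps, except from the trusted location.
#    Report-only first: check the What If tool and sign-in logs, then set state = 'enabled'.
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA001 - Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($hq.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 4. Identity Protection integration: medium or high sign-in risk requires MFA regardless of
#    location (an anonymous-IP sign-in, as tested in the lesson, raises sign-in risk).
$riskPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA002 - Require MFA on medium or high sign-in risk'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 5. Review what exists; move a policy to 'enabled' only after report-only results look right.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id
```

Switching a policy from report-only to enabled is a one-property change (`state = 'enabled'` via Update-MgIdentityConditionalAccessPolicy), so the safe order is: create report-only, observe, then enforce, never the other way round.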

Azure AD Privileged Identity Management

AD PIM Overview and Activation

00:12:40

Lesson Description:

We continue our identity journey by discussing privileged access. Specifically, giving our administrators and resource owners access to Azure AD and Azure resources only when they need it. We do this with Azure AD Privileged Identity Management (PIM), and we discuss what it is and how to configure it in this lesson. We go over what PIM can do for us to secure access to our key Azure resources and discuss key terminology used in PIM. We activate PIM in our environment in preparation for our next lesson.

PIM Configuration, Access Requests and Approval: Part I

00:16:37

Lesson Description:

We continue our identity journey by discussing privileged access. Specifically, giving our administrators and resource owners access to Azure AD and Azure resources only when they need it. We do this with Azure AD Privileged Identity Management, and we continue our discussion of PIM in this lesson. In this first part, we configure PIM for our environment. We run the Security Wizard to discover existing privileged access, decide on a course of action for the members of those roles, and discover Azure resources. We also configure several Azure AD roles and Azure resource roles for PIM management. In Part II, we request access to these roles with a few test user identities and approve (or deny) those requests.

PIM Configuration, Access Requests and Approval: Part II

00:10:08

Lesson Description:

We continue our identity journey by discussing privileged access. Specifically, giving our administrators and resource owners access to Azure AD and Azure resources only when they need it. We do this with Azure AD Privileged Identity Management, and we continue our discussion of PIM in this lesson. In this second part, we request access to the Azure AD roles and Azure resource roles configured in Part I using a few test user identities, then approve (or deny) those requests as the designated approver.

Reviewing Access in PIM

00:12:37

Lesson Description:

We continue our identity journey by discussing privileged access. Specifically, giving our administrators and resource owners access to Azure AD and Azure resources only when they need it. We do this with Azure AD Privileged Identity Management, and we continue our discussion of PIM in this lesson. In this lesson, we review access requests in the Azure Portal so we can determine when and how a requestor activated the roles they were assigned. We then finish up by discussing Access Reviews, where we can periodically audit our privileged access and remove membership or eligibility from these privileged roles when they are no longer required.
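As an added example for the PIM lessons above (not part of the course), the following Microsoft Graph PowerShell makes a user eligible for an Azure AD role rather than a standing member, shows the time-bound self-activation request that PIM then requires, and queries who is eligible and which activations are live, which is what the access review lesson audits. The user principal name, the justification text and the 90-day eligibility window are assumptions; the tenant needs Azure AD Premium P2.

```powershell
# Added example (not from the course). Requires the Microsoft.Graph PowerShell SDK.
# Assumed: user 'sec-admin@contoso.example' exists; the tenant is licensed for PIM.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'RoleManagement.Read.Directory','User.Read.All'

$user = Get-MgUser -UserId 'sec-admin@contoso.example'
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"

# 1. Administrator: make the user ELIGIBLE (not active) for 90 days, tenant-wide scope '/'.
$eligibility = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Security team member; eligibility reviewed quarterly via Access Reviews'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P90D' }
    }
}

# 2. Later, in the eligible user's own session: activate for four hours with a justification.
#    If the role setting requires approval, this request waits for an approver.
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    justification    = 'Ticket reference (assumed): investigate Identity Protection risk detections'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT4H' }
    }
}

# 3. Audit: who is eligible for the role, and which activations are in effect right now.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, Status, @{ n = 'EligibleUntil'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }

Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)' and assignmentType eq 'Activated'" |
    Select-Object PrincipalId, StartDateTime, EndDateTime
```

The second query is the one to run when an alert fires: an activation you cannot tie to a request with a justification is the signal that something other than the PIM workflow granted the role.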

Azure Tenant Security

Transferring Azure Subscriptions Between Tenants

00:07:03

Lesson Description:

This lesson focuses on transferring an Azure subscription to another Azure account, which can also move it into a different Azure AD tenant. We discuss the do's and don'ts (role assignments, managed identities and Key Vault access policies do not survive a tenant change) and walk through an example transfer.

Platform Protection

Network Security

Virtual Networks [Review]

00:02:32

Lesson Description:

This lesson provides a brief discussion on Virtual Networks (VNets). VNets are the foundation for the next several lessons, so we touch on them here.

Network Security Groups [Review]

00:01:40

Lesson Description:

This lesson focuses on network security groups (NSGs), which act as a basic, stateful packet filter in front of your Azure resources. Using prioritized inbound and outbound security rules, we associate NSGs with subnets and with VM network interfaces (NICs) so that only the network traffic we specify is allowed through.

Application Security Groups

00:09:57

Lesson Description:

An application security group (ASG) is a logical collection of virtual machine network interfaces (NICs). Rather than maintaining rules by IP address, you join the NICs to the application security group and then use the application security group as a source or destination in NSG rules. We discuss ASGs and see them in action!
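As an added example (not the course's own material) covering both the NSG review and the ASG lesson above, the following Az PowerShell builds a two-tier rule set whose sources and destinations are ASGs rather than IP addresses, attaches the NSG to a subnet, and creates a NIC that joins the web-tier ASG at birth. The resource group, VNet, subnet, region and NIC names are assumptions.

```powershell
# Added example (not from the course). Requires the Az PowerShell module.
# Assumed: resource group 'rg-az500-lab' and VNet 'vnet-app' with subnet 'snet-app'
# (10.0.1.0/24) already exist in East US.
$rg = 'rg-az500-lab'; $loc = 'eastus'

# 1. Application security groups: membership follows the VM's role, not its address.
$asgWeb = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-web' -Location $loc
$asgDb  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-db'  -Location $loc

# 2. Rules are evaluated from the lowest priority number upward; the first match wins.
$rules = @(
    # Internet may reach the web tier on 443 only.
    New-AzNetworkSecurityRuleConfig -Name 'allow-https-to-web' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationApplicationSecurityGroup $asgWeb -DestinationPortRange 443
    # Only web-tier NICs may reach database-tier NICs, on 1433 only.
    New-AzNetworkSecurityRuleConfig -Name 'allow-web-to-sql' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceApplicationSecurityGroup $asgWeb -SourcePortRange * `
        -DestinationApplicationSecurityGroup $asgDb -DestinationPortRange 1433
    # No management ports from the Internet; use JIT access or Bastion instead.
    New-AzNetworkSecurityRuleConfig -Name 'deny-mgmt-from-internet' -Priority 200 -Direction Inbound -Access Deny `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 22,3389
    # Explicit deny-all. Caveat: this sits ABOVE the default AllowVnetInBound (65000) and
    # AllowAzureLoadBalancerInBound (65001) rules, so anything the tier needs from inside the
    # VNet or from a load balancer health probe must be allowed explicitly above this line.
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'nsg-app' -SecurityRules $rules

# 3. Associate the NSG with the subnet: one place to audit instead of one NSG per NIC.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' -AddressPrefix '10.0.1.0/24' `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'

# 4. A new web-tier NIC joins asg-web at creation; the rules above apply to it with no rule edits.
$nicWeb = New-AzNetworkInterface -ResourceGroupName $rg -Location $loc -Name 'vm-web01-nic' `
    -Subnet $subnet -ApplicationSecurityGroup $asgWeb

# 5. Once a running VM is attached, confirm what the NIC actually gets after NIC+subnet NSGs combine:
# Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'vm-web01-nic' -ResourceGroupName $rg
```

The point of the ASG references is operational: a new database VM only needs its NIC added to asg-db, and the allow-web-to-sql rule covers it without anyone touching the NSG, which is where IP-based rule sets usually drift.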

Azure Firewall

00:16:16

Lesson Description:

Azure Firewall is a managed, cloud-based, stateful network security service that protects your Azure Virtual Network resources. It can replace third-party network virtual appliances, giving you centrally managed network and application rules across your Azure subscriptions and their virtual networks. In this lesson, we discuss Azure Firewall and its recommended deployment configurations, and demonstrate using it to restrict outbound Internet traffic from a virtual network.

Resource Firewalls

00:11:53

Lesson Description:

In addition to securing an entire virtual network with Azure Firewall, certain Azure resources have firewalls of their own. In this lesson, we look at storage account and SQL Database server firewalls, which we can use to restrict access to selected virtual networks, trusted Azure services, and specific Internet hosts. We demonstrate each of these in the lesson!
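As an added example (not from the course) for the resource firewalls lesson, the following Az PowerShell enables service endpoints on a subnet, sets a storage account to default-deny with an allow-list of that subnet and one admin IP, and configures the equivalent VNet rule and narrow IP rule on a SQL logical server. Resource names and the admin IP (a documentation address) are assumptions.

```powershell
# Added example (not from the course). Requires the Az PowerShell module.
# Assumed: resource group 'rg-az500-lab'; VNet 'vnet-app' with subnet 'snet-app' (10.0.1.0/24);
# storage account 'staz500lab01'; SQL logical server 'sql-az500-lab';
# 203.0.113.10 (documentation range) is the admin workstation's public IP.
$rg = 'rg-az500-lab'; $sa = 'staz500lab01'; $sql = 'sql-az500-lab'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'

# 1. Service endpoints let the subnet reach the resource firewalls with its VNet identity
#    instead of a NATed public address.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' -AddressPrefix '10.0.1.0/24' `
    -ServiceEndpoint 'Microsoft.Storage','Microsoft.Sql' | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'

# 2. Storage account: default-deny first, then allow the subnet and one admin IP.
#    Bypass keeps platform logging/metrics and trusted Microsoft services working.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa `
    -DefaultAction Deny -Bypass AzureServices,Logging,Metrics | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $sa -VirtualNetworkResourceId $subnet.Id | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $sa -IPAddressOrRange '203.0.113.10' | Out-Null

# 3. SQL server: a VNet rule for the app subnet and a single-address rule for the admin host.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sql `
    -VirtualNetworkRuleName 'allow-snet-app' -VirtualNetworkSubnetId $subnet.Id | Out-Null
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sql -FirewallRuleName 'admin-workstation' `
    -StartIpAddress '203.0.113.10' -EndIpAddress '203.0.113.10' | Out-Null

# Caveat: the portal's "Allow Azure services" toggle creates the 0.0.0.0-0.0.0.0 rule below,
# which admits resources from ANY Azure tenant, not just yours. Remove it if present.
$allAzure = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sql |
    Where-Object { $_.FirewallRuleName -eq 'AllowAllWindowsAzureIps' }
if ($allAzure) {
    Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sql -FirewallRuleName 'AllowAllWindowsAzureIps' -Force
}

# 4. Verify what is actually open on both resources.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa |
    Select-Object DefaultAction, @{ n = 'IpRules'; e = { $_.IpRules.IPAddressOrRange } }, @{ n = 'VnetRules'; e = { $_.VirtualNetworkRules.VirtualNetworkResourceId } }
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sql |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

Order matters in step 2: flipping DefaultAction to Deny before adding the subnet rule briefly cuts the application off, so in production add the allow rules first and set the default to Deny last.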

Hands-on Lab

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.

02:00:00

Hands-on Lab

00:30:00

Host Security

VM Endpoint Security

00:09:41

Lesson Description:

Endpoint protection, antivirus, AV: whatever you call it, it's as important today as it ever was. Fortunately, Azure can help protect your Windows virtual machines with Microsoft Antimalware, a free antimalware extension that can be deployed and configured on one or many virtual machines to protect your Azure IaaS workloads. In this lesson, we discuss the offering and show how to deploy it to multiple VMs using Azure Security Center.

VM System Updates in Azure

00:05:28

Lesson Description:

Keeping your Windows virtual machines up-to-date in Azure has never been easier, thanks to Azure Update Management available in the portal! With Log Analytics and Automation, you can create update deployments that keep your VMs up-to-date and protected from security and performance issues. In this lesson, we touch on Update Management and update one of our VMs.

Securing Azure Resources

Role-Based Access Control (RBAC) [Review]

00:03:10

Lesson Description:

Role-Based Access Control (RBAC) allows fine-grained access to Azure resources. In this lesson, we discuss RBAC at a very high level. Further information on RBAC can be obtained in Linux Academy's course: Microsoft AZ-300: Architecting Solutions for Microsoft Azure.

Managed Identities [Review]

00:02:06

Lesson Description:

Managed identities allow us to grant access to Azure resources without managing usernames, passwords, or keys in the underlying code. In this lesson, we discuss managed identities at a very high level. Further information on managed identities can be obtained in Linux Academy's course: Microsoft AZ-300: Architecting Solutions for Microsoft Azure.

Azure Resource Locks

00:08:47

Lesson Description:

Resource locks allow for protection against unintentional modification or deletion of Azure resources. We discuss them here and see each type of lock in action!

Azure Management Groups

00:06:36

Lesson Description:

Ever wanted the ability to manage multiple Azure subscriptions simultaneously? Or how about applying an Azure policy assignment once and have it affect multiple subscriptions? Have no fear, friends, management groups are here! In this lesson, we cover management groups and how they can ease our administrative life in Azure. We also look at them in action in a couple of different Azure tenants.

Azure Policies

00:11:24

Lesson Description:

Azure Policy is a service in Azure we use to create, assign, and manage policies. These policies enforce different rules and effects over our resources so those resources stay compliant with our corporate standards and service level agreements. In this lesson, we discuss the components of Azure Policy and apply a policy that limits virtual machine sizes we can deploy in our environment.

Container Security

Container Registry Security

00:11:39

Lesson Description:

In this lesson, we will discuss best practices for securing your Azure Container Registry. We will also create a container registry, pull an image from Docker Hub, and push it to our registry.

Configuring Instance Security

00:09:34

Lesson Description:

This lesson discusses securing Azure Container Instances. And while we will discuss instances, a lot of this lesson will continue to focus on container registry. We will discuss ACR tasks, which allow us to build, deploy and update our container images. We will use these tasks to create a container image in Azure. We will also discuss best practices and touch on content trust.

Container Groups

00:07:52

Lesson Description:

A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. It's similar in concept to a pod in Kubernetes. In this lesson, we will deploy a two-instance container group running WordPress and MySQL. We will look at the components of the container group.

Container Vulnerability Management

00:01:38

Lesson Description:

Vulnerability management throughout the container development lifecycle helps you identify and resolve security concerns before they become a more serious problem. Scanning for and identifying vulnerabilities is a continuous process. In this lesson, we will discuss third-party scanning options for your Azure container registry.

AKS Security

00:09:09

Lesson Description:

Azure Kubernetes Service (AKS) manages your hosted Kubernetes environment, making it quick and easy to deploy and manage containerized applications without container orchestration expertise. It also eliminates the burden of ongoing operations and maintenance by provisioning, upgrading, and scaling resources on demand, without taking your applications offline. In this lesson, we will discuss best practices for AKS security and see an AKS cluster up close.

Security Operations

Configuring Security Services

Microsoft Azure Monitor [Review]

00:02:19

Lesson Description:

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. In this lesson, we discuss Azure Monitor at a very high level. Further information on Azure Monitor can be obtained in Linux Academy's course: Microsoft AZ-300: Architecting Solutions for Microsoft Azure.

Diagnostic Logging and Log Retention

00:05:36

Lesson Description:

Diagnostic logs provide rich, frequent data about the operation of an Azure resource. Azure Monitor makes two types of diagnostic logs available:

Tenant logs: These logs come from tenant-level services that exist outside of an Azure subscription, such as Azure Active Directory sign-in and audit logs.

Resource logs: These logs come from Azure services that deploy resources within an Azure subscription, such as Network Security Groups or Storage Accounts.

In this lesson, we discuss these logs, how to manage them, and how to route them to other Azure services such as Azure Monitor (Log Analytics), storage accounts, and Event Hubs.

Security Policies

Just in Time VM Access Using Microsoft Azure Security Center

00:07:50

Lesson Description:

Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs. This reduces exposure to attacks while providing easy access to connect to VMs when needed. In this lesson, we discuss JIT access and, more importantly, see it in action!

Security Alerts

Reviewing and Responding to Alerts and Recommendations

00:05:29

Lesson Description:

This lesson focuses on using Azure Security Center to view and respond to automated security alerts affecting our Azure resources. We can then follow recommendations in the alerts to take appropriate action to strengthen our Azure security posture.

Microsoft Azure Security Center Playbooks

00:04:13

Lesson Description:

A security playbook is a collection of procedures that can be executed from Security Center when the playbook is triggered from a selected alert. Playbooks help automate and orchestrate our response to a specific security alert detected by Security Center. We create and run a playbook against our Azure resources in this lesson.

Secure Data and Applications

Managing Data

Data Classification Using Azure Information Protection

00:13:57

Lesson Description:

In this lesson, we touch on Azure Information Protection, a cloud-based rights management service that helps us classify and protect our data. We will discuss AIP policies and labels, as well as test a label to prevent us from editing and forwarding a document.

Storage Analytics Data Retention Policies

00:04:05

Lesson Description:

In our "Diagnostic Logging and Retention" lesson, we discussed the ability to configure the retention settings on Azure storage accounts. This lesson expands on that and discusses why we should be mindful of our storage analytics retention.

Data Sovereignty with Azure Policy

00:04:14

Lesson Description:

We looked at Azure policies earlier in the course. In this section, we implement a policy to determine where we can deploy Azure resources. This ensures data sovereignty, or the concept that information that has been converted and stored in binary digital form is subject to the laws of the country in which it is located.
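As an added example (not from the course) serving both the Azure Policies lesson and this data sovereignty lesson, the following Az PowerShell assigns two built-in definitions at management group scope, so every subscription beneath it inherits them: the allowed VM size list from the earlier lesson and an allowed-locations list, then reports the resources already out of compliance. The management group name, SKU list and regions are assumptions; the built-in definitions are looked up by display name, and the property path used to match them follows the Az.Resources 6.x object shape.

```powershell
# Added example (not from the course). Requires Az.Resources and Az.PolicyInsights.
# Assumed: management group 'mg-prod' exists and your account holds Resource Policy
# Contributor (or Owner) on it.
$mg = Get-AzManagementGroup -GroupName 'mg-prod'

# Built-in definitions matched by display name so no GUIDs are hard-coded.
$builtins = Get-AzPolicyDefinition -Builtin
$skuDef = $builtins | Where-Object { $_.Properties.DisplayName -eq 'Allowed virtual machine size SKUs' }
$locDef = $builtins | Where-Object { $_.Properties.DisplayName -eq 'Allowed locations' }
if (-not $skuDef -or -not $locDef) { throw 'Built-in definition not found; check module version / display names.' }

# 1. Limit VM sizes (Azure Policies lesson). One assignment at the management group
#    applies to every subscription under it; a non-allowed size fails at deployment time.
New-AzPolicyAssignment -Name 'allowed-vm-skus' -DisplayName 'Allowed VM SKUs (prod)' `
    -Scope $mg.Id -PolicyDefinition $skuDef `
    -PolicyParameterObject @{ listOfAllowedSKUs = @('Standard_B2s', 'Standard_D2s_v3', 'Standard_D4s_v3') } | Out-Null

# 2. Data sovereignty: resources may be created only in the listed (EU) regions.
New-AzPolicyAssignment -Name 'allowed-locations-eu' -DisplayName 'Allowed locations (EU only)' `
    -Scope $mg.Id -PolicyDefinition $locDef `
    -PolicyParameterObject @{ listOfAllowedLocations = @('westeurope', 'northeurope') } | Out-Null

# 3. Caveat: a Deny effect stops NEW deployments only; existing resources are neither moved
#    nor deleted. They show up as non-compliant, and this is how to find them.
Get-AzPolicyState -ManagementGroupName 'mg-prod' -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation, PolicyAssignmentName
```

Compliance evaluation after a new assignment is not instant; if step 3 returns nothing right away, trigger a scan with Start-AzPolicyComplianceScan or wait for the next scheduled evaluation before concluding that the estate is clean.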

Azure Key Vault

Working with Azure Key Vault

00:13:37

Lesson Description:

In this lesson, we will:

Discuss what Key Vault is.
Walk through working with access policies to determine who can access the vault.
Touch on keys, secrets, and certificates and how they are stored.
Show how we can read an admin password from the key vault when deploying Linux and Windows VMs without presenting it in clear text.
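As an added example (not from the course) for the Key Vault lesson, the following Az PowerShell creates a vault with purge protection, grants least-privilege access policies to an operator and a deployment identity, stores a randomly generated VM admin password as a secret, and then deploys a VM whose credential is read from the vault as a SecureString so no plaintext reaches the script, console or transcript. The vault name, principal names and VM parameters are assumptions.

```powershell
# Added example (not from the course). Requires the Az PowerShell module.
# Assumed: resource group 'rg-az500-lab' in East US; 'kv-az500-lab-01' is a globally unique
# vault name; 'kv-operator@contoso.example' is the human operator; 'deploy-sp' is the
# service principal that runs VM deployments.
$rg = 'rg-az500-lab'; $loc = 'eastus'; $kvName = 'kv-az500-lab-01'

# 1. Purge protection: a compromised admin cannot delete-and-purge secrets to destroy them.
$kv = New-AzKeyVault -ResourceGroupName $rg -Name $kvName -Location $loc -Sku Standard -EnablePurgeProtection

# 2. Access policies, least privilege: the operator may set/get/list secrets;
#    the deployment identity may only read them.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -UserPrincipalName 'kv-operator@contoso.example' `
    -PermissionsToSecrets Get,List,Set
$sp = Get-AzADServicePrincipal -DisplayName 'deploy-sp'
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sp.Id -PermissionsToSecrets Get

# 3. Operator, once: generate 32 random bytes, store them as the admin password, never echo it.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $kvName -Name 'vm-admin-password' -SecretValue $secure `
    -ContentType 'VM local administrator password' -Expires (Get-Date).AddDays(90) | Out-Null
Remove-Variable bytes, secure   # drop the only in-memory copies held by this session

# 4. Deployment, every time: read the secret as a SecureString and hand it straight to New-AzVM.
$adminPwd = (Get-AzKeyVaultSecret -VaultName $kvName -Name 'vm-admin-password').SecretValue
$cred = [System.Management.Automation.PSCredential]::new('azureadmin', $adminPwd)
New-AzVM -ResourceGroupName $rg -Location $loc -Name 'vm-web01' `
    -Image 'Win2019Datacenter' -Size 'Standard_B2s' -Credential $cred | Out-Null

# 5. Audit: secret metadata is safe to list; the value is not returned here.
Get-AzKeyVaultSecret -VaultName $kvName | Select-Object Name, Enabled, Expires, ContentType
```

The Expires attribute does not rotate anything by itself; it is the hook for a Security Center recommendation and for your own rotation job, which should write a new secret version and then reset the VM password from it, again without ever printing the value.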

Hands-on Lab

02:00:00

Security for Data Infrastructure

Database Authentication and Auditing

00:11:40

Lesson Description:

In this lesson, we will discuss the benefits of integrating Azure AD with your Azure SQL servers. We will also discuss the available auditing options for Azure SQL.

Azure SQL Database Threat Detection

00:02:02

Lesson Description:

Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Advanced Threat Protection can identify potential SQL injections, access from unusual locations or data centers, access from an unfamiliar principal or potentially harmful application, and brute-force SQL credentials. Here, we discuss how to enable and configure ATP in an Azure environment.

Managing Access Control and Keys for Storage Accounts [Review]

00:01:59

Lesson Description:

Azure storage accounts are the repositories for data accessed by users, applications, and other Azure services. Locking down these storage accounts is a critical component of Azure security. We can use several different methods for securing storage accounts, including RBAC, account access keys, and shared access signatures. Further information on securing storage accounts can be obtained in the Linux Academy course Microsoft Azure Architect Technologies – Exam AZ-300.

Security for HDInsight

00:02:28

Lesson Description:

In this lesson, we briefly touch on HDInsight clusters, specifically Enterprise Security Package (ESP) clusters that provide multi-user access on Azure HDInsight clusters. HDInsight clusters with ESP are connected to a domain so domain users can use their domain credentials to authenticate with the clusters and run big data jobs.

Security for Cosmos DB

00:04:01

Lesson Description:

Cosmos DB security is a multifaceted approach combining master keys with resource tokens for data access, and relying on Azure AD role-based access control for management permissions. We discuss all of this here in an overview of Cosmos DB security.

Security for Microsoft Azure Data Lake

00:03:10

Lesson Description:

In this lesson, we cover the various ways we can secure our Data Lake Gen1 accounts using RBAC roles and permissions, file system ACLs, and virtual network integration.

Hands-on Lab

01:30:00

Encryption for Data at Rest

Microsoft Azure SQL Database Always Encrypted

00:06:21

Lesson Description:

Always Encrypted is a data encryption technology in Azure SQL Database and SQL Server that helps protect sensitive data at rest on the server, during movement between client and server, and while the data is in use, ensuring sensitive data never appears as plaintext inside the database system. Here, we discuss Always Encrypted and see it in action as we encrypt columns in our sample SQL database.

Database Encryption

00:01:12

Lesson Description:

This lesson highlights encryption at rest on several Azure database offerings. Further information on database encryption can be obtained in the Linux Academy course Microsoft Azure Exam DP-200 - Implementing an Azure Data Solution.

Storage Service Encryption

00:02:34

Lesson Description:

In this lesson, we discuss storage service encryption in Azure and how we can configure the multitude of options regarding encryption (one!).

Disk Encryption

00:08:30

Lesson Description:

In this lesson, we cover the different types of encryption technologies for Azure virtual machines. We will also use PowerShell and the CLI to configure disk encryption on a couple VMs, as well as explore how Security Center can help us see which managed disks aren't currently encrypted.
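As an added example (not from the course) for the disk encryption lesson, the following Az PowerShell enables Azure Disk Encryption on a VM with a key-encryption key held in Key Vault, verifies the result, and then sweeps a resource group for VMs whose disks are still unencrypted, which is the gap Security Center flags. The resource group, VM and vault names are assumptions; the vault is assumed to already exist with purge protection on.

```powershell
# Added example (not from the course). Requires the Az PowerShell module.
# Assumed: VM 'vm-web01' and Key Vault 'kv-az500-lab-01' exist in 'rg-az500-lab'.
$rg = 'rg-az500-lab'; $vmName = 'vm-web01'; $kvName = 'kv-az500-lab-01'

# 1. ADE stores the BitLocker/dm-crypt secret in the vault, so the vault must permit that.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# 2. A key-encryption key (KEK) wraps the disk secret; rotating the KEK later does not
#    require re-encrypting the disks.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -Destination Software

# 3. Encrypt OS and data volumes. Caveats: Windows VMs reboot during enablement;
#    on Linux, data disks must be mounted and present in /etc/fstab to be encrypted.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 4. Verify this VM.
Get-AzVmDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted

# 5. Sweep the resource group: any VM not fully encrypted is listed.
Get-AzVM -ResourceGroupName $rg | ForEach-Object {
    $s = Get-AzVmDiskEncryptionStatus -ResourceGroupName $rg -VMName $_.Name
    [pscustomobject]@{ VM = $_.Name; OsVolume = $s.OsVolumeEncrypted; DataVolumes = $s.DataVolumesEncrypted }
} | Where-Object { $_.OsVolume -ne 'Encrypted' -or $_.DataVolumes -ne 'Encrypted' }
```

Step 5 reports NotMounted or Unknown for data volumes in some states; treat those as findings to investigate rather than as encrypted, since the sweep's purpose is to surface exactly the VMs a dashboard might gloss over.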

Backup Encryption

00:06:02

Lesson Description:

Azure backups are an easy and cost-effective way to securely back up your critical data from workloads in the cloud and on-premises. Security is important, and we will discuss how backup data is encrypted as well as how to ensure we can recover data from on-premises systems using Azure Key Vault.

Security for Application Delivery

Implementing Security Validations for Application Development

00:05:44

Lesson Description:

While we share responsibility with our cloud provider, securing our PaaS applications and application development environment still falls on us. In this lesson, we discuss best practices and Azure technologies that can help us do just that.

Synthetic Security Transactions

00:06:35

Lesson Description:

Application Insights can assist us in determining the availability and performance of our web applications. Here, we discuss the different tests we can run in Application Insights to gauge responsiveness and availability.

SSL/TLS Certificates

00:06:44

Lesson Description:

SSL/TLS certificates secure the transmission of data between clients and cloud-based applications. Here, we bind a certificate to an Azure web app with a custom hostname so that clients reach our Azure-hosted web application over HTTPS.

Protecting Web Apps

00:05:14

Lesson Description:

In our final lesson, we discuss Application Gateway and, specifically, web app firewall to protect our PaaS web applications from common exploits and vulnerabilities.

Hands-on Lab

01:30:00

Course Conclusion

Final Steps

Course Completion and How to Prepare for the Exam

00:05:17

Lesson Description:

You made it! Congratulations on completing the AZ-500: Microsoft Azure Security Technologies course here at Linux Academy! So, you're probably asking yourself, "What's next?" Most (if not all) of you should take and pass the AZ-500 exam. This video will show you what to expect from the exam and how to best prepare.