AZ-500 | Microsoft Azure Security Technologies

• Configure Azure AD and Azure AD Domain Services for security

• Create users and groups that enable secure usage of your tenant

• Use MFA to protect user's identities

• Configure passwordless security options

• Deploy Azure AD Connect

• Pick and configure that best authentication option for your security needs

• Configure password writeback

• Deploy and configure Identity Protection

• Configure MFA for users, groups, and applications

• Create Conditional Access policies to ensure your security

• Create and follow an access review process

• Describe Zero Trust and how it impacts security

• Configure and deploy roles using Privileged Identity Management (PIM)

• Evaluate the usefulness of each PIM setting as it relates to your security goals

• Explain the shared responsibility model and how it impacts your security configuration

• Create Azure policies to protect your solutions

• Configure and deploy access to services using RBAC

• Define defense in depth

• Protect your environment from denial-of-service attacks

• Secure your solutions using firewalls and VPNs

• Explore your end-to-end perimeter security configuration based on your security posture

• Deploy and configure network security groups to protect your Azure solutions

• Configure and lockdown service endpoints and private links

• Secure your applications with Application Gateway, Web App Firewall, and Front Door

• Configure ExpressRoute to help protect your network traffic

• Configure and deploy Endpoint Protection

• Deploy a privileged access strategy for devices and privileged workstations

• Secure your virtual machines and access to them

• Deploy Windows Defender

• Practice layered security by reviewing and implementing Security Center and Security Benchmarks

• Define the available security tools for containers in Azure

• Configure security settings for containers and Kubernetes services

• Lock down network, storage, and identity resources connected to your containers

• Deploy RBAC to control access to containers

• Define what a key vault is and how it protects certificates and secrets

• Deploy and configure Azure Key Vault

• Secure access and administration of your key vault

• Store keys and secrets in your key vault

• Explore key security considers like key rotation and backup / recovery

• Register an application in Azure using app registration

• Select and configure which Azure AD users can access each application

• Configure and deploy web app certificates

• Define data sovereignty and how that is achieved in Azure

• Configure Azure Storage access in a secure and managed way

• Encrypt your data while it is at rest and in transit

• Apply rules for data retention

• Configure which users and applications have access to your SQL databases

• Block access to your servers using firewalls

• Discover, classify, and audit the use of your data

• Encrypt and protect your data while is it stored in the database.

• Configure and monitor Azure Monitor

• Define metrics and logs you want to track for your Azure applications

• Connect data sources to and configure Log Analytics

• Create and monitor alerts associated with your solutions security

• Define the most common types of cyber-attacks

• Configure Azure Security Center based on your security posture

• Review Secure Score and raise it

• Lock down your solutions using Security Center and Defender

• Enable Just-in-Time access and other security features

• Explain what Azure Sentinel is and how it is used

• Deploy Azure Sentinel

• Connect data to Azure Sentinel, like Azure Logs, Azure AD, and others

• Track incidents using workbooks, playbooks, and hunting techniques

This course is for Azure Security Engineers who are planning to take the associated certification exam, or who are performing security tasks in their day-to-day job. This course would also be helpful to an engineer that wants to specialize in providing security for Azure-based digital platforms and play an integral role in protecting an organization's data.

Successful learners will have prior knowledge and understanding of:

• Security best practices and industry security requirements such as defense in depth, least privileged access, role-based access control, multi-factor authentication, shared responsibility, and zero trust model.

• Be familiar with security protocols such as Virtual Private Networks (VPN), Internet Security Protocol (IPSec), Secure Socket Layer (SSL), disk and data encryption methods.

• Have some experience deploying Azure workloads. This course does not cover the basics of Azure administration, instead the course content builds on that knowledge by adding security specific information.

• Have experience with Windows and Linux operating systems and scripting languages. Course labs may use PowerShell and the CLI.

Manage Microsoft Entra identities

• Secure Microsoft Entra users

• Secure Microsoft Entra groups

• Recommend when to use external identities

• Secure external identities

• Implement Microsoft Entra ID Protection

Manage Microsoft Entra authentication

• Implement multi-factor authentication (MFA)

• Configure Microsoft Entra Verified ID

• Implement password less authentication

• Implement password protection

• Implement single sign-on (SSO)

• Integrate single sign on (SSO) and identity providers

• Recommend and enforce modern authentication methods

Manage Microsoft Entra authorization

• Configure Azure role permissions for management groups, subscriptions, resource groups, and resources

• Assign Microsoft Entra built-in roles

• Assign Azure built-in roles

• Create and assign custom roles, including Azure roles and Microsoft Entra roles

• Implement and manage Microsoft Entra Permissions Management

• Configure Microsoft Entra Privileged Identity Management

• Configure role management and access reviews in Microsoft Entra

• Implement Conditional Access policies

Manage Microsoft Entra application access

• Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants

• Manage Microsoft Entra app registrations

• Configure app registration permission scopes

• Manage app registration permission consent

• Manage and use service principals

• Manage managed identities for Azure resources

• Recommend when to use and configure a Microsoft Entra Application Proxy, including authentication

Plan and implement security for virtual networks

• Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)

• Plan and implement user-defined routes (UDRs)

• Plan and implement Virtual Network peering or VPN gateway

• Plan and implement Virtual WAN, including secured virtual hub

• Secure VPN connectivity, including point-to-site and site-to-site

• Implement encryption over ExpressRoute

• Configure firewall settings on PaaS resources

• Monitor network security by using Network Watcher, including NSG flow logging

Plan and implement security for private access to Azure resources

• Plan and implement virtual network Service Endpoints

• Plan and implement Private Endpoints

• Plan and implement Private Link services

• Plan and implement network integration for Azure App Service and Azure Functions

• Plan and implement network security configurations for an App Service Environment (ASE)

• Plan and implement network security configurations for an Azure SQL Managed Instance

Plan and implement security for public access to Azure resources

• Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management

• Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies

• Plan and implement an Azure Application Gateway

• Plan and implement an Azure Front Door, including Content Delivery Network (CDN)

• Plan and implement a Web Application Firewall (WAF)

• Recommend when to use Azure DDoS Protection Standard

Plan and implement advanced security for compute

• Plan and implement remote access to public endpoints, including Azure

• Bastion and just-in-time (JIT) virtual machine (VM) access

• Configure network isolation for Azure Kubernetes Service (AKS)

• Secure and monitor AKS

• Configure authentication for AKS

• Configure security monitoring for Azure Container Instances (ACIs)

• Configure security monitoring for Azure Container Apps (ACAs)

• Manage access to Azure Container Registry (ACR)

• Configure disk encryption, including Azure Disk Encryption (ADE), encryption at host, and confidential disk encryption

• Recommend security configurations for Azure API Management

Plan and implement security for storage

• Configure access control for storage accounts

• Manage life cycle for storage account access keys

• Select and configure an appropriate method for access to Azure Files

• Select and configure an appropriate method for access to Azure Blob Storage

• Select and configure an appropriate method for access to Azure Tables

• Select and configure an appropriate method for access to Azure Queues

• Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage

• Configure Bring your own key (BYOK)

• Enable double encryption at the Azure Storage infrastructure level

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance

• Enable Microsoft Entra database authentication

• Enable database auditing

• Identify use cases for the Microsoft Purview governance portal

• Implement data classification of sensitive information by using the Microsoft Purview governance portal

• Plan and implement dynamic masking

• Implement Transparent Data Encryption (TDE)

• Recommend when to use Azure SQL Database Always Encrypted

Plan, implement, and manage governance for security

• Create, assign, and interpret security policies and initiatives in Azure Policy

• Configure security settings by using Azure Blueprints

• Deploy secure infrastructures by using a landing zone

• Create and configure an Azure Key Vault

• Recommend when to use a dedicated Hardware Security Module (HSM)

• Configure access to Key Vault, including vault access policies and Azure Role Based Access Control

• Manage certificates, secrets, and keys

• Configure key rotation

• Configure backup and recovery of certificates, secrets, and keys

Manage security posture by using Microsoft Defender for Cloud

• Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory

• Assess compliance against security frameworks and Microsoft Defender for Cloud

• Add industry and regulatory standards to Microsoft Defender for Cloud

• Add custom initiatives to Microsoft Defender for Cloud

• Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud

• Identify and monitor external assets by using Microsoft Defender External Attack Surface Management Configure and manage threat protection by using Microsoft Defender for Cloud

• Enable workload protection services in Microsoft Defender for Cloud, including Microsoft Defender for Storage, Databases, Containers, App Service, Key Vault, and Resource Manager

• Configure Microsoft Defender for Servers

• Configure Microsoft Defender for Azure SQL Database

• Manage and respond to security alerts in Microsoft Defender for Cloud

• Configure workflow automation by using Microsoft Defender for Cloud

• Evaluate vulnerability scans from Microsoft Defender for Server Configure and manage security monitoring and automation solutions

• Monitor security events by using Azure Monitor

• Configure data connectors in Microsoft Sentinel

• Create and customize analytics rules in Microsoft Sentinel

• Evaluate alerts and incidents in Microsoft Sentinel

• Configure automation in Microsoft Sentinel