AZ-500 A: Microsoft Azure Security Technologies

Manage identities in Microsoft Entra ID
This module focuses on effectively managing identities and enhancing security in Microsoft Entra ID, ensuring that users, groups, and external identities are protected against security threats and unauthorized access.

Lessons
•   What is Microsoft Entra ID?
•   Secure Microsoft Entra users
•   Create a new user in Microsoft Entra ID
•   Secure Microsoft Entra groups
•   Recommend when to use external identities
•   Secure external identities
•   Implement Microsoft Entra Identity protection

After completing this module, students will be able to:
•   Enhance security in Microsoft Entra ID to safeguard user identities and accounts.
•   Implement security for group management in Microsoft Entra ID for effective access control.
•   Advise on the secure management of external identities in Microsoft Entra ID.
•   Utilize Microsoft Entra ID Protection for proactive threat detection and response.

Manage authentication by using Microsoft Entra ID
This module is designed to provide administrators with the knowledge and skills needed to manage authentication effectively using Microsoft Entra ID, ensuring secure access to resources and enhancing user experience.

Lessons
•   Microsoft Entra connect
•   Microsoft Entra Cloud Sync
•   Authentication options
•   Password hash synchronization with Microsoft Entra ID
•   Microsoft Entra pass-through authentication
•   Federation with Microsoft Entra ID
•   What is Microsoft Entra authentication?
•   Implement multifactor authentication (MFA)
•   Passwordless authentication options for Microsoft Entra ID
•   Implement passwordless authentication
•   Implement password protection
•   Microsoft Entra ID single sign-on
•   Implement single sign-on (SSO)
•   Integrate single sign-on (SSO) and identity providers
•   Introduction to Microsoft Entra Verified ID
•   Configure Microsoft Entra Verified ID
•   Recommend and enforce modern authentication protocols

After completing this module, students will be able to:
•   Implement multifactor and passwordless authentication for enhanced security and convenience.
•   Enforce password protection measures and single sign-on for simplified, secure access.
•   Integrate SSO with identity providers and endorse modern authentication protocols.
•   Set up Microsoft Entra Verified ID for trusted identity verification.

Manage authorization by using Microsoft Entra ID
This module is designed to provide administrators with the knowledge and skills required to effectively manage authorization using Microsoft Entra ID, ensuring that users have the appropriate access to resources and data.

Lessons
•   Azure management groups
•   Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
•   Azure role-based access control
•   Azure built-in roles
•   Assign Azure role permissions for management groups, subscriptions, resource groups, and resources
•   Microsoft Entra built-in roles
•   Assign built-in roles in Microsoft Entra ID
•   Microsoft Entra role-based access control
•   Create and assign a custom role in Microsoft Entra ID
•   Microsoft Entra Permissions Management
•   Implement and manage Microsoft Entra Permissions Management
•   Zero Trust security
•   Microsoft Entra Privileged Identity Management
•   Configure Privileged Identity Management
•   Microsoft Entra ID Governance
•   Entitlement management
•   Access reviews
•   Identity lifecycle management
•   Lifecycle workflows
•   Delegation and roles in entitlement management
•   Configure role management and access reviews by using Microsoft Entra ID •   Governance
•   Implement Conditional Access policies

After completing this module, students will be able to:
•   Set Azure role permissions across management groups, subscriptions, and resources for access control.
•   Assign built-in roles in Microsoft Entra ID and Azure for predefined user permissions.
•   Create custom roles in Azure and Microsoft Entra ID to match organizational access needs.
•   Manage Entra Permissions, Privileged Identity Management, and Conditional Access for refined control and compliance.

Manage application access in Microsoft Entra ID
This module covers managing application access in Microsoft Entra ID, including controlling enterprise app access, managing app registrations and permissions, utilizing service principals, and configuring the Microsoft Entra Application Proxy for secure access.

Lessons
•   Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
•   Manage app registrations in Microsoft Entra ID
•   Configure app registration permission scopes
•   Manage app registration permission consent
•   Manage and use service principals
•   Manage managed identities for Azure resources
•   Recommend when to use and configure a Microsoft Entra Application Proxy, including authentication

After completing this module, students will be able to:
•   Manage enterprise application access in Microsoft Entra ID, including OAuth permission grants for access control.
•   Govern application integration with identity platforms through Microsoft Entra ID app registrations.
•   Configure app registration permission scopes for appropriate resource access levels.
•   Manage app registration consent and use service principals and managed identities for automated management and enhanced security.

Plan and implement security for virtual networks
This module is designed to provide administrators with the knowledge and skills needed to plan and implement robust security measures for Azure virtual networks, ensuring the confidentiality, integrity, and availability of network resources.

Lessons
•   What is an Azure Virtual Network
•   Plan and implement Network Security Groups (NSGs) and Application Security •   Groups (ASGs)
•   Plan and implement User-Defined Routes (UDRs)
•   Plan and implement Virtual Network peering or gateway
•   Plan and implement Virtual Wide Area Network, including secured virtual hub
•   Secure VPN connectivity, including point-to-site and site-to-site
•   Azure ExpressRoute
•   Implement encryption over ExpressRoute
•   Configure firewall settings on PaaS resources
•   Monitor network security by using Network Watcher, including network security groups

After completing this module, students will be able to:
•   Implement security measures for Azure virtual networks to safeguard data and resources.
•   Utilize NSGs and ASGs for network traffic security, and manage UDRs for optimal traffic routing.
•   Establish secure network connectivity through Virtual Network peering, VPN gateways, and Virtual WAN.
•   Enhance network security with VPN configurations, ExpressRoute encryption, PaaS firewall settings, and Network Watcher monitoring.

Plan and implement security for private access to Azure resources
This module focuses on equipping administrators with the knowledge and skills required to plan and implement robust security measures for private access to Azure resources, safeguarding sensitive data and enhancing network integrity.

Lessons
•   Plan and implement virtual network Service Endpoints
•   Plan and implement Private Endpoints
•   Plan and implement Private Link services
•   Plan and implement network integration for Azure App Service and Azure Functions
•   Plan and implement network security configurations for an App Service Environment (ASE)
•   Plan and implement network security configurations for an Azure SQL Managed Instance

After completing this module, students will be able to:
•   Develop security strategies for private access to Azure resources to protect sensitive data.
•   Utilize virtual network Service Endpoints and Private Endpoints for secure Azure service access.
•   Manage Private Link services for secure resource exposure and integrate Azure App Service and Functions with virtual networks.
•   Configure network security for App Service Environment and Azure SQL Managed Instance to safeguard web applications and databases.

Plan and implement security for public access to Azure resources
This module empowers admins to plan and implement strong security for Azure resources, ensuring app/service confidentiality, integrity, and availability.

Lessons
•   Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management
•   Plan, implement, and manage an Azure Firewall, Azure Firewall Manager and firewall policies
•   Plan and implement an Azure Application Gateway
•   Plan and implement a Web Application Firewall (WAF)
•   Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
•   Recommend when to use Azure DDoS Protection Standard

After completing this module, students will be able to:
•   Develop strategies for secure public access to Azure resources, preventing unauthorized access and breaches.
•   Implement TLS for Azure App Service and API Management to encrypt data in transit.
•   Protect network traffic with Azure Firewall and Application Gateway for optimized web application security and delivery.
•   Enhance web app performance with Azure Front Door and CDN, and deploy WAF and DDoS Protection for robust defense against attacks.

Plan and implement advanced security for compute
This module is designed to provide administrators with the knowledge and skills needed to plan and implement advanced security measures for Azure compute resources, safeguarding applications and data against evolving security threats.

Lessons
•   Plan and implement remote access to public endpoints, Azure Bastion and just-in-time (JIT) virtual machine (VM) access
•   Configure network isolation for Azure Kubernetes Service (AKS)
•   Secure and monitor Azure Kubernetes ServiceConfigure authentication for Azure Kubernetes Service
•   Configure security for Azure Container Instances (ACIs)
•   Configure security for Azure Container Apps (ACAs)
•   Manage access to Azure Container Registry (ACR)
•   Configure disk encryption, Azure Disk Encryption (ADE), encryption as host, and confidential disk encryption
•   Recommend security configurations for Azure API Management

After completing this module, students will be able to:
•   Enhance Azure compute resources’ security against vulnerabilities and attacks with advanced measures.
•   Secure remote access via Azure Bastion and JIT VM access, and implement network isolation for AKS.
•   Strengthen AKS clusters’ security, monitor Azure Container Instances and Apps, and manage access to Azure Container Registry.
•   Implement disk encryption methods like ADE and manage API access securely in Azure API Management.

Plan and implement security for storage
This module is designed to provide administrators with the knowledge and skills required to plan and implement comprehensive security measures for Azure storage resources, safeguarding data integrity, confidentiality, and availability.

Lessons
•   Azure Storage
•   Configure access control for storage accounts
•   Manage life cycle for storage account access keys
•   Select and configure an appropriate method for access to Azure Files
•   Select and configure an appropriate method for access to Azure Blobs
•   Select and configure an appropriate method for access to Azure Tables
•   Select and configure an appropriate method for access to Azure Queues
•   Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage
•   Configure Bring your own key (BYOK)
•   Enable double encryption at the Azure Storage infrastructure level

After completing this module, students will be able to:
•   Develop security strategies for Azure storage resources, ensuring data protection during rest and transit.
•   Manage storage account access with effective access control and secure key lifecycle management.
•   Tailor access methods for Azure Files, Blob Storage, Tables, and Queues to specific use cases.
•   Strengthen data security with soft delete, backups, versioning, immutable storage, BYOK, and double encryption.

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance
This module is designed to empower administrators with the knowledge and skills needed to plan and implement robust security measures for Azure SQL Database and Azure SQL Managed Instance, ensuring data protection and regulatory compliance.

Lessons
•   Azure SQL Database and SQL Managed Instance security
•   Enable database authentication by using Microsoft Entra ID
•   Enable and monitor database audit
•   Identify use cases for the Microsoft Purview governance portal
•   Implement data classification of sensitive information by using the Microsoft Purview governance portal
•   Plan and implement dynamic mask
•   Implement transparent data encryption
•   Recommend when to use Azure SQL Database Always Encrypted

After completing this module, students will be able to:
•   Implement security for Azure SQL Managed Instance to safeguard sensitive data.
•   Use Microsoft Enterprise Identity for database authentication and conduct database auditing for compliance.
•   Utilize Microsoft Purview for data governance and classification to protect sensitive information.
•   Apply dynamic masking and Transparent Database Encryption, and recommend Always Encrypted for client-side data protection.

Plan, implement, and manage governance for security
This module focuses on enabling administrators to effectively plan, implement, and manage security governance in Azure, ensuring compliance with organizational policies and best practices.

Lessons
•   Azure governance
•   Create, assign, and interpret security policies and initiatives in Azure Policy
•   Configure security settings by using Azure Blueprint
•   Deploy secure infrastructures by using a landing zone
•   Azure Key Vault
•   Azure Key Vault security
•   Azure Key Vault authentication
•   Create and configure an Azure Key Vault
•   Recommend when to use a dedicated Hardware Security Module (HSM)
•   Configure access to Key Vault, including vault access policies and Azure Role Based Access Control
•   Manage certificates, secrets, and keys
•   Configure key rotation
•   Configure backup and recovery of certificates, secrets, and keys

After completing this module, students will be able to:
•   Enforce compliance using Azure Policy to create and manage security policies.
•   Streamline secure infrastructure deployment with Azure Blueprint.
•   Utilize landing zones for consistent Azure security and manage sensitive data with Azure Key Vault.
•   Enhance key security with HSM recommendations, effective access control, and regular key rotation and backup processes.

Manage security posture by using Microsoft Defender for Cloud
This module teaches administrators to manage and improve cloud security using Microsoft Defender for Cloud, focusing on proactive risk identification and remediation.

Lessons
•   Implement Microsoft Defender for Cloud
•   Identify and remediate security risks by using the Microsoft Defender for Cloud  Secure Score and Inventory
•   Assess compliance against security frameworks and Microsoft Defender for Cloud
•   Add industry and regulatory standards to Microsoft Defender for Cloud
•   Add custom initiatives to Microsoft Defender for Cloud
•   Connect hybrid cloud and multicloud environments to Microsoft Defender for Cloud
•   Identify and monitor external assets by using Microsoft Defender External Attack Surface Management

After completing this module, students will be able to:
•   Utilize Microsoft Defender for Cloud Secure Score and Inventory to identify and mitigate security risks, enhancing overall security posture.
•   Assess and align with security frameworks using Microsoft Defender for Cloud to ensure adherence to security standards and best practices.
•   Integrate specific industry and regulatory standards into Microsoft Defender for Cloud for tailored compliance.
•   Connect hybrid and multicloud environments to Microsoft Defender for Cloud for centralized security management, and monitor external assets to safeguard against external threats.

Configure and manage threat protection by using Microsoft Defender for Cloud
This module focuses on configuring and managing security monitoring and automation solutions using Azure Monitor and Microsoft Sentinel, enabling organizations to proactively identify and respond to security incidents in their cloud environment.

Lessons
•   Enable workload protection services in Microsoft Defender for Cloud
•   Configure Microsoft Defender for Servers
•   Configure Microsoft Defender for Azure SQL Database
•   Container security in Microsoft Defender for Containers
•   Managed Kubernetes threat factors
•   Defender for Containers architecture
•   Configure Microsoft Defender for Containers components
•   Vulnerability assessments for Azure
•   Defender for Storage
•   Malware scanning in Defender for Storage
•   Detect threats to sensitive data
•   Deploy Microsoft Defender for Storage
•   Enable configure Azure built-in policy
•   Microsoft Defender for Cloud DevOps Security
•   DevOps Security support and prerequisites
•   DevOps environment security posture
•   Connect your GitHub lab environment to Microsoft Defender for Cloud
•   Configure the Microsoft Security DevOps GitHub action
•   Manage and respond to security alerts in Microsoft Defender for Cloud
•   Configure workflow automation by using Microsoft Defender for Cloud
•   Evaluate vulnerability scans from Microsoft Defender for Server

After completing this module, students will be able to:
•   Utilize Azure Monitor for comprehensive monitoring of cloud security events.
•   Aggregate diverse security data efficiently with data connectors in Microsoft Sentinel.
•   Detect threats using customized analytics rules in Microsoft Sentinel.
•   Assess and automate incident responses in Microsoft Sentinel for enhanced security management.

Configure and manage security monitoring and automation solutions
This module teaches how to set up and manage security tools with Azure Monitor and Microsoft Sentinel. It helps organizations quickly find and deal with security issues in their cloud setup.

Lessons
•   Monitor security events by using Azure Monitor
•   Configure data connectors in Microsoft Sentinel
•   Create and customize analytics rules in Microsoft Sentinel
•   Evaluate alerts and incidents from Microsoft Sentinel
•   Configure automation in Microsoft Sentinel

After completing this module, students will be able to:
•   Use Azure Monitor for effective security event monitoring in cloud environments.
•   Implement data connectors in Microsoft Sentinel for comprehensive security data collection.
•   Develop customized analytics rules in Microsoft Sentinel for targeted threat detection.
•   Assess and automate responses to security incidents in Microsoft Sentinel to enhance workflow efficiency.