Microsoft Azure Security Technologies - (AZ-500) - A Certification Guide Get qualified to secure Azure AD, Network, Compute, Storage and Data ...
Microsoft Azure Security Technologies (AZ-500) - A Certification Guide
Get qualified to secure Azure AD, Network, Compute, Storage and Data services through Security Center, Sentinel and other Azure security best practices
Jayant Sharma
www.bpbonline.com
FIRST EDITION 2022
Copyright © BPB Publications, India
ISBN: 978-93-89898-81-1
All Rights Reserved. No part of this publication may be reproduced, distributed or transmitted in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception of the program listings, which may be entered, stored and executed in a computer system but cannot be reproduced by means of publication, photocopy, recording, or any electronic or mechanical means.
LIMITS OF LIABILITY AND DISCLAIMER OF WARRANTY
The information contained in this book is true and correct to the best of the author's and publisher's knowledge. The author has made every effort to ensure the accuracy of these publications, but the publisher cannot be held responsible for any loss or damage arising from any information in this book. All trademarks referred to in the book are acknowledged as properties of their respective owners, but BPB Publications cannot guarantee the accuracy of this information.
Distributors:
BPB PUBLICATIONS, 20, Ansari Road, Darya Ganj, New Delhi-110002. Ph: 23254990/23254991
DECCAN AGENCIES, 4-3-329, Bank Street, Hyderabad-500195. Ph: 24756967/24756400
MICRO MEDIA, Shop No. 5, Mahendra Chambers, 150 DN Rd. Next to Capital Cinema, V.T. (C.S.T.) Station, MUMBAI-400 001. Ph: 22078296/22078297
BPB BOOK CENTRE, 376 Old Lajpat Rai Market, Delhi-110006. Ph: 23861747
Published by Manish Jain for BPB Publications, 20 Ansari Road, Darya Ganj, New Delhi-110002 and printed by him at Repro India Ltd, Mumbai
www.bpbonline.com
Dedicated to
My beloved Parents: Shri Vishnu Sharma and Smt. Anju Lata Sharma
& My wife Ayushi Upadhyay and My Son Shashwat Gautam
About the Author
I am Jayant Sharma. I completed a Bachelor of Technology in Electronics and Communication. I have a total of 10+ years of experience in various domains like Windows Server administration, VMware administration, cloud solution architecting for Azure and GCP, and security architecting for data, storage, virtual machines, applications and user identity and access management (IAM). I have sound experience in security compliance audits: PCI DSS, ISO 27001:2013, HIPAA, GDPR (EU), MeitY (India). I have worked with various enterprises such as Tata Consultancy Services (TCS), Hewlett Packard Enterprise (HPE), International Business Machines (IBM), Hanu Software Solutions, and Rackspace Technology. I have completed various technical certifications issued by Microsoft, VMware, and IBM. Currently I am working as an Azure Solution Architect. I am a Guinness World Record holder for participating in an app development marathon conducted by Microsoft. I am also a Microsoft Certified Trainer (2020-2021) and provide training for various Microsoft certifications and technologies.
About the Reviewers
Lalit is an Azure MVP, MCT and author of the "Azure Interview Q & A" and AZ-104 Azure Administration books. He likes to share his knowledge through his blog (https://azure4you.com/) and manages and shares his technical skills in the BITPro and Azure User Meetup groups. He has written several articles on Microsoft Azure. He has changed many lives through his articles and his hands-on training programs and workshops. He is a speaker and has delivered sessions on big platforms including MS Global Bootcamp and other events. Moreover, and to his credit, he has delivered 500+ training sessions to professionals worldwide in Microsoft Azure technologies and other technologies including SCOM and Windows Server. In addition, he provides instructor-led online training and hands-on workshops. His technical prowess and capability of exploring new frontiers of technology and imparting them to his aspiring team members are his trademark. His execution is priceless, and bringing forth his approach will help you realize your dreams, goals, and aspirations.
Arun Pachehra is a Solutions Architect with a specialisation in Microsoft Azure. He works with one of the best cloud service providers in the world. His focus areas include cloud consulting, architecture, design, and migration. He believes in continuous learning, which has led him to clear almost all the certifications related to Azure, and he is now exploring different aspects of cloud which include advanced security, cloud-native app development, and other public clouds. As an active member of the Azure community, Arun often hosts public webinars for cloud enthusiasts, writes blogs and is the host of an educational YouTube channel covering cloud services.
Tushar Kumar is an Azure certified Cloud Solutions Architect, awarded Most Valuable Professional by Alibaba Cloud, former Microsoft Student Partner, Community Lead and Microsoft recognized Azure Community Hero. He has rich experience in planning, designing, implementing, and maintaining secure applications in Azure Cloud from x86 and non-x86 environments. He is a recognized leader in migrating and creating enterprise architecture for the transition from on-premises to cloud using Azure services. He holds 7 Microsoft certifications spanning Azure Solutions Architect, Azure DevOps Expert, Azure Security Engineer, and Azure Security and Compliance Fundamentals. He holds advanced specialization in identity, security, and compliance, works extensively on large transformations of enterprises and banking, finance, and insurance institutions towards the public cloud, and is responsible for designing scalable architecture according to the respective industry standards and security compliance frameworks.
Abhijeet is an experienced Security and DevOps Cloud Consultant. He has been a part of several generations of enterprise tech transformation. Having worked in both Microsoft Azure and AWS, he has a keen sense of the services and offerings across both cloud providers. He has worked with healthcare institutions, helping them adopt the cloud where security is of utmost importance. He is currently working with SoftwareONE as a cloud consultant and helps customers adopt and manage DevOps and cloud methodologies. He currently holds Microsoft Azure Architect Expert, Microsoft Azure DevOps Expert, Microsoft Azure Administrator Associate, and Microsoft Azure Security Engineer Associate certifications and is also an active Microsoft Certified Trainer (MCT).
Acknowledgments
Microsoft Azure security services and features are a very dynamic technology. Microsoft upgrades them regularly to provide industry-best security services. I saw many upgrades to Microsoft Azure security services while writing this book and had to rewrite many topics multiple times because of these continuous upgrades. Thank you, God, for giving me the strength to write this book on such a dynamic technology, which changes almost every day.
There are a few people I want to thank for the continued and ongoing support they have given me during the writing of this book. First and foremost, I would like to thank my grandparents, parents, uncle, aunty, wife, sister, cousins, in-laws, and all family members for continuously encouraging me to write the book. I could never have completed this book without their support.
I am grateful to the course and the companies which gave me support throughout the learning process of Microsoft Azure and other technologies. Thank you for all the hidden support provided.
My gratitude also goes to the team at BPB Publications for being supportive enough to give me quite a long time to finish the book. Since Microsoft Azure security is a vast and very active area of research, it took me some time to research all the topics and services provided by Microsoft Azure for security. I had to cycle back many times to review the chapters and keep them up to date with the latest updates released by Microsoft.
Preface
This book covers many different aspects of Microsoft Azure security recommendations and their implementation. It also introduces the importance of security in the real-time Azure cloud industry and shows why cloud security matters to industries across their various technical verticals. This book gives an advanced understanding of Azure security. It takes a practical approach to analyzing the current security requirements of organizations, and covers detailed security recommendations, implementation planning and the implementation process for the compute, network, web, data, storage, and identity and access management verticals.
The book has wide theory to cover all the areas of the AZ-500 exam syllabus. Along with the theory, it has detailed hands-on guidance for implementing the security recommendations in the Azure cloud. This book covers examples for every security recommendation with clear screenshots. Security administrators can refer to this book not only to clear the exam but also for real-time decision making and implementation of security recommendations.
This book is divided into 11 chapters. They cover security recommendations, best practices, implementation planning and the implementation process for the different technical verticals of any organization. This book also includes some topics from other Microsoft Azure certifications, such as AZ-104, AZ-303, AZ-304, SC-200, SC-300, SC-500, SC-900, and MS-500, so learners can get more from a single book. The chapter-wise details are listed below.
Chapter 1 will cover, as a Microsoft Azure security engineer, how you can check whether Azure Active Directory (AD) is configured securely to serve as an identity store for your Azure-based cloud applications. I will cover some of the major topics such as administering Azure AD users and groups, configuring authentication methods in Azure AD, and configuring application registrations in Azure AD. I will also cover password writeback and passwordless authentication methods in Azure AD. Along with these major topics, we will also go through the architecture and building blocks of Azure AD.
Chapter 2 will cover how to enforce security services from Azure AD. I will cover least-privilege access, both for Azure AD and for other Azure resources. Some of the major topics that will be covered include understanding the use cases for Azure AD Privileged Identity Management (PIM), discovering the high-privilege role holders like owners or global admins in Azure AD and in your Azure subscriptions, configuring time-limited access for privileged roles, and auditing the entire process to ensure security compliance for IAM. You will also learn about setting up Azure Multi-Factor Authentication (MFA), Conditional Access, and Identity Protection.
Chapter 3 will cover how to apply security best practices to your entire subscription and resource groups. Some of the major topics that we will cover include role-based access control, resource locks, Azure Policy, and Azure Blueprints. No organization wants its resources to be deleted accidentally, or to give the highest level of access to everyone. Organizations certainly want to follow certain baselines and policies to keep their infrastructure secure and manageable. By the end of this chapter, you will be able to identify the appropriate permissions for the respective users and assign them.
Chapter 4 will cover some important networking features and services, and then we will see how they work in Azure. It starts with network security groups and creating a VPN between your on-premises data center and Microsoft Azure, and finishes with Azure Firewall, with additional services and features sprinkled in between. Some of the major topics that we will cover include planning to secure your Azure network and controlling who has access to your Azure network resources. We will look at Application Gateway with WAF, Azure Front Door, Azure DDoS Protection, and Azure Firewall. By the end of this chapter, you will have a fundamental understanding of how you can better secure your Azure networks using the features and services Azure provides.
Chapter 5 will cover some critical features and services to secure your endpoints, both on-premises and in the cloud. I will explain how to manage Update Management and endpoint protection for Azure VMs. You will also study Azure Key Vault, which stores keys, secrets, and certificates securely, and you will use this key vault to encrypt the disks of your Azure virtual machines. At the end, I will explain how to enable secure authentication on your Azure web apps and how to access them securely. By the end of this chapter, you will understand the best practices for securing your workloads both on-premises and in the cloud using the features and services provided by Microsoft.
Chapter 6 will cover how you can harden the security of your containers. We will start with a basic understanding and deployment of containers, then move to network-level hardening, and then to vulnerability identification and management for the containerized environment. Other topics covered will be isolation of containers and access control on them. By the end of this chapter, you will be able to design and provide secure containers to host your applications. Along with securing containers, you will understand the building blocks and concepts of containers.
Chapter 7 will cover the various monitoring services in Azure. Monitoring of infrastructure and applications is a very important service for taking proactive decisions that prevent unwanted breakdowns. This chapter will include setting up monitoring of Azure resources and services, capturing the different logs and diagnostic parameters, and passing these logs to the alert generator. After this chapter, you will be able to set up monitoring for your infrastructure, including both on-premises and Azure.
Chapter 8 will cover Azure Security Center in detail. Azure Security Center is a centralized service which keeps an eye on all the resources in your environment. Its surveillance is not limited to Azure: it can also scan any on-premises and third-party cloud environment. You will study the different SKUs of Security Center and their respective features. This chapter will include managing security baseline policies. After this chapter, you will be able to configure security policy management and remediation of the recommendations provided by Security Center.
Chapter 9 will cover Microsoft's native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tool, Azure Sentinel. You will study how to configure Azure Sentinel in your environment and how to on-board different Azure and non-Azure data sources into Azure Sentinel. You will see how to configure built-in and custom alerts for when Azure Sentinel detects an unusual or threat event. At the end of this chapter, I will explain how to do a detailed analysis of the events generated by Azure Sentinel and how to configure an automated workflow for event remediation.
Chapter 10 will cover security best practices related to Azure Storage. You will study the different authentication methods for an Azure Storage account, such as Azure RBAC, Azure AD, and Shared Access Signature (SAS). You will study the different encryption methods for Azure Storage accounts. You will also study how to securely access an Azure Storage account from your network. By the end of this chapter, you will be able to decide the most secure way to store your data in Azure Storage accounts.
Chapter 11 will cover security best practices for Azure SQL servers. Azure provides controls over how, and how much, you want to secure your data containers. We will cover different security best practices to secure your Azure SQL servers and data, such as the best practices to encrypt, authorize and classify the data in Azure SQL servers. Enabling auditing and encryption for Azure SQL, the different authentication processes, and data classification are some of the major topics which you will study in this chapter. By the end of this chapter, you will be able to decide the most secure way to store your data in Azure SQL servers.
Downloading the coloured images:
Please follow the link to download the coloured images of the book: https://rebrand.ly/03f4d1
Errata
We take immense pride in our work at BPB Publications and follow best practices to ensure the accuracy of our content, to provide our subscribers with an engaging reading experience. Our readers are our mirrors, and we use their inputs to reflect on and improve upon any human errors that occurred during the publishing process. To let us maintain the quality and help us reach out to any readers who might be having difficulties due to any unforeseen errors, please write to us at: errata@bpbonline.com
Your support, suggestions and feedback are highly appreciated by the BPB Publications family.
Did you know that BPB offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.bpbonline.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at business@bpbonline.com for more details.
At www.bpbonline.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on BPB books and eBooks.
BPB is searching for authors like you
If you're interested in becoming an author for BPB, please visit www.bpbonline.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
The code bundle for the book is also hosted on GitHub at https://github.com/bpbpublications/Microsoft-Azure-Security-Technologies-AZ-500---A-Certification-Guide. In case there's an update to the code, it will be updated in the existing GitHub repository. We also have other code bundles from our rich catalog of books and videos available at https://github.com/bpbpublications. Check them out!
PIRACY
If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at business@bpbonline.com with a link to the material.
If you are interested in becoming an author
If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit www.bpbonline.com.
REVIEWS
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at BPB can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about BPB, please visit www.bpbonline.com.
Table of Contents

1. Managing Azure AD Identities and Application Access ... 1
   Structure ... 2
   Objectives ... 2
   Azure AD overview ... 2
      Building blocks and objects of Azure AD ... 3
      Available versions of Azure AD ... 4
      Azure AD architecture ... 5
   Creating a new tenant in Azure AD ... 9
   Adding a custom domain to Azure AD ... 10
   Adding a company brand to Azure AD ... 13
      Customizing your Azure AD sign-in page ... 13
   Creating and adding an Azure subscription to your Azure AD ... 16
      Creating a new subscription and associating it with a directory ... 17
      Transferring a subscription between Azure AD tenants ... 18
   Managing Azure AD users and groups ... 20
      Types of user accounts ... 20
      Types of groups ... 21
      User management ... 21
      Group management in Azure AD ... 27
   Configuring authentication methods in Azure AD ... 30
      Types of authentication methods ... 31
      Choosing the authentication method ... 32
      Prerequisites for Azure AD Connect ... 33
      Installing Azure AD Connect with Password Hash Synchronization ... 35
      Installing Azure AD Connect with pass-through authentication ... 40
      Installing Azure AD Connect for federation with AD FS ... 46
      Topologies for Azure AD Connect ... 55
      Features of Azure AD Connect ... 56
   Setting up password writeback through Azure AD Connect ... 57
      Prerequisites to set up password writeback ... 57
      Enabling Self-Service Password Reset in Azure AD ... 58
      Selecting authentication and registration options ... 58
      Setting up account permissions for the Azure AD Connect account ... 60
      Configuring Azure AD Connect for password writeback ... 61
   Passwordless authentication options in Azure AD ... 62
      Enabling the combined registration experience ... 63
      Enabling a passwordless authentication method ... 63
   Creating an app registration in Azure AD ... 65
      Azure AD application account types ... 66
      Required access level for app registration ... 66
      New application registration in Azure AD through the Azure portal ... 67
      App registration permission scopes configuration ... 69
   Conclusion ... 70
   Multiple choice questions ... 70

2. Configuring Secure Access by Using Azure Active Directory ... 73
   Structure ... 73
   Objectives ... 74
   What is Azure AD Privileged Identity Management? ... 74
      Terminology used in PIM ... 75
   Planning and setting up Azure AD PIM for your organization ... 76
      Planning Azure AD PIM and other security best practices ... 77
      Configuring Azure AD PIM ... 79
      Managing Azure AD PIM for Azure AD roles ... 82
      Managing Azure AD PIM for Azure resources ... 94
      Activating Azure AD and Azure resource roles in PIM ... 98
   Azure AD multi-factor authentication (MFA) ... 100
      MFA methods ... 100
      Versions of Azure MFA ... 101
      Prerequisites to check before setting up MFA ... 101
      Steps to enable and disable Azure MFA for users ... 102
      Configuring Azure MFA settings ... 103
   Azure AD Conditional Access ... 110
      Building components of an Azure AD Conditional Access policy ... 111
      Available conditions in Azure AD Conditional Access ... 112
      Azure AD Conditional Access report-only mode ... 114
      Azure AD Conditional Access What If tool ... 115
      Service dependencies in Azure AD Conditional Access ... 116
      Set up location-based Azure AD Conditional Access ... 117
      Set up Azure AD Conditional Access to enforce MFA for administrators ... 121
      Set up Azure AD terms of use ... 123
      VPN connectivity in Azure AD Conditional Access ... 125
   Azure AD Identity Protection ... 126
      Azure AD Identity Protection dashboard or security overview ... 126
      Types of risks identified by Azure AD Identity Protection ... 128
      Azure AD Identity Protection simulated risk detection ... 130
      Azure AD Identity Protection policies ... 131
   Conclusion ... 135
   Multiple choice questions ... 135

3. Managing Azure Access Control ... 139
   Structure ... 139
   Objectives ... 140
   RBAC to configure permissions over subscriptions, resource groups, and resources ... 140
      Types of roles in Azure ... 141
      Building components and working of RBAC ... 143
      Types of RBAC roles in Azure ... 144
   Azure resource lock ... 152
      Apply and remove a lock from an Azure resource ... 152
   Azure Policy ... 154
      Assign Azure Policy from the portal ... 155
   Azure Blueprints ... 160
      Terminology of an Azure Blueprint ... 161
      Configuring security settings with an Azure Blueprint ... 162
   Conclusion ... 170
   Multiple choice questions ... 170

4. Implementing Advanced Network Security ... 173
   Structure ... 173
   Objectives ... 174
   Understand Azure Virtual Networking concepts ... 174
   Azure VNet connectivity scenarios ... 176
      Setup of an Azure VNet to Azure Virtual Network connection ... 176
      Azure VNet to on-premises network connection ... 188
   Azure Network Security Group (NSG) and Application Security Group (ASG) ... 192
      Components of a network security rule ... 192
      Azure Virtual Network service tags ... 193
      Traffic flow through Azure NSGs ... 194
      Create, configure, and manage Azure NSGs ... 197
      Azure Application Security Groups (ASG) ... 204
   Configure Application Gateway to secure an app service ... 205
      Application Gateway features ... 205
      Traffic flow through Application Gateway ... 207
      Application Gateway building blocks ... 209
      Deploy Application Gateway to host a single site ... 211
      Configure Application Gateway for an app service ... 221
      Configure Application Gateway with Web Application Firewall (WAF) ... 224
   Azure Front Door (AFD) service ... 227
      Features of the AFD service ... 227
      Building blocks and concepts of AFD ... 229
      Create Azure Front Door ... 234
   Azure Firewall ... 238
      Features of Azure Firewall ... 238
      Create, configure, and manage Azure Firewall ... 239
   Creating, configuring, and managing Azure Firewall policy ... 245
      Components of Azure Firewall policy ... 245
      Create Azure Firewall policy ... 247
      Connect Azure Firewall policy with VNets and hubs ... 248
      Manage Azure Firewall policy ... 249
   Azure Firewall Manager ... 259
      Overview of Azure Firewall Manager ... 259
      Features of Azure Firewall Manager ... 259
      Manage Azure Firewall Manager ... 260
   Shielding your Azure Virtual Network with DDoS protection ... 261
   Remote access management through Azure Bastion ... 262
      Architecture ... 263
      Features of Azure Bastion ... 263
      Configuring Azure Bastion ... 264
   Service endpoints in Azure ... 266
      Configuring a service endpoint in an Azure Virtual Network ... 266
   Azure resource firewalls ... 267
      Azure PaaS SQL ... 267
      Azure storage account ... 268
      Azure Key Vault ... 269
   Conclusion ... 270
   Multiple choice questions ... 270

5. Configuring Advanced Security for Compute ... 273
   Structure ... 274
   Objectives ... 274
   Understand Microsoft Endpoint Protection ... 274
      Features of Microsoft Endpoint Protection ... 275
      Architecture of Microsoft Endpoint Protection ... 276
      Enabling Microsoft Endpoint Protection ... 277
      Monitor Microsoft Endpoint Protection on a running virtual machine ... 281
   Configure and harden security for virtual machines ... 282
   Update Management solution for servers ... 284
      Overview of Update Management ... 285
      Supported and unsupported clients ... 286
      Configure Update Management for virtual machines ... 287
   Azure Key Vault ... 296
      Create Azure Key Vault ... 297
      Manage Azure Key Vault ... 298
      Azure Key Vault security best practices ... 306
   Azure Virtual Machine disk encryption ... 325
      Azure Disk Encryption for Azure Virtual Machines ... 325
   Detailed description of security parameters for Azure App Service ... 332
      Authentication and authorization ... 332
      Add an SSL/TLS certificate in Azure App Service ... 335
      Restricted network access on an app service ... 337
      Set up an Azure private endpoint connection in an app service ... 339
      Configure hybrid connection endpoints ... 347
   Conclusion ... 353
   Multiple choice questions ... 353

6.
Configuring Container Security .................................................................357 Structure ................................................................................................................357 Objectives ..............................................................................................................358 Overview of container instance..........................................................................358 Features and benefits of Azure Container Instances...............................358 Building blocks and concepts about Azure Container Instances..........360 Azure security best practices and recommendations for Azure Container Instances (ACI) .............................................................................361 Network security .........................................................................................361 Logging and monitoring.............................................................................361 Identity and access management ...............................................................362 Data protection ............................................................................................362 Some additional recommendations for container instances .................363 Network planning for Azure Container Instances...........................................364 Advantages of deploying Containers in Azure Network ........................364 Unsupported networking features.............................................................365 Deploying Azure Container Instance ................................................................365 Isolation modes of Azure Container Instances ................................................368 Process isolation ..........................................................................................368 Hyper-V isolation ........................................................................................368 Overview of Azure 
Container Registry .............................................................369 Features of Azure Container Registry ......................................................369 Creating container registry ........................................................................370
xx Configuring authentication for Azure Container Registry (ACR) .......372 Geo replicate container registry ................................................................374 Some best practices to use Azure Container Registry ............................377 Security best practices for container registry ..........................................377 Secure network connectivity features for container registry .................380 Securing data protection in container registry ........................................384 Configuring security for different types of containers ....................................393 Azure Kubernetes Services..................................................................................394 Configuring authentication for AKS cluster ............................................394 Cluster isolation in AKS cluster.................................................................394 Security best practices for AKS cluster .....................................................396 Conclusion ............................................................................................................399 Multiple choice questions....................................................................................399 7. 
Monitoring Security by Using Azure Monitor ...........................................401 Structure ................................................................................................................401 Objectives ..............................................................................................................402 Type of logs in Azure ...........................................................................................402 Configure diagnostic logging.....................................................................403 Log retention management .................................................................................411 Control log retention period ......................................................................411 Control log collection quantity..................................................................412 Azure Monitor ......................................................................................................414 Overview ......................................................................................................414 Monitoring data sources .............................................................................415 Insights in Azure Monitor ..........................................................................416 Azure Monitor for virtual machine...........................................................417 Alerts in Azure .....................................................................................................423 Types of alerts ..............................................................................................423 Application availability alert ......................................................................424 Metric alert rules .........................................................................................431 Creating active logs alerts in Azure Monitor ...........................................438 Create custom alerts from Azure Monitor 
...............................................440 Create custom alert from Log Analytics workspace ...............................442
xxi Conclusion ............................................................................................................443 Multiple choice questions....................................................................................443 8. Monitoring Security by Using Azure Security Center ...............................445 Structure ................................................................................................................445 Objectives ..............................................................................................................446 Azure Security Center .........................................................................................446 Overview ......................................................................................................447 Why to use Azure Security Center? ..........................................................447 Azure Security Center support for Azure resources ...............................449 Upgrade Azure Security Center to Azure Defender ...............................452 Azure Security Center features ..................................................................454 Azure Defender features in security center..............................................464 Centralized management of policies by using Azure Security Center (regulatory compliance) .........................................................................486 Add industry and regulatory compliance standards...............................488 Disable security policies in security center ..............................................489 Configure a playbook for a security event by using Azure Security Center (workflow automation) ....................................................................................490 Create logic apps ..........................................................................................490 Configure workflow in Azure Security Center ........................................493 
Conclusion ............................................................................................................498 Multiple Choice Questions .................................................................................499 9. Monitoring Security by Using Azure Sentinel............................................501 Structure ................................................................................................................501 Objective................................................................................................................502 Overview of Azure Sentinel ................................................................................502 Features of Azure Sentinel ..................................................................................503 Terminologies used in Azure Sentinel...............................................................504 Configuring data source to Azure Sentinel.......................................................505 Monitoring the data collected by connected data sources ..............................508 Azure Sentinel overview dashboard ..................................................................513 Analytics in Azure Sentinel ................................................................................515 Creating alerts from built-in scheduled analytics rules .........................516 Creating alerts from built-in Microsoft security analytics rules ...........525
xxii Detailed information of threat incidents in Azure Sentinel ...........................529 Investigating threat incidents in Azure Sentinel ..............................................532 Workflow automation in Azure Sentinel ..........................................................538 Creating Playbook for Azure Sentinel ......................................................539 Automating threat incident response in Azure Sentinel through playbook ...................................................................................................542 Automating alert response through playbook .........................................544 Threat hunting in Azure Sentinel .......................................................................545 User and entity behavior analytics in Azure Sentinel......................................546 Some preview features of Azure Sentinel ..........................................................548 Threat intelligence .......................................................................................548 Solutions in Azure Sentinel ........................................................................549 Watchlist in Azure Sentinel ........................................................................549 Conclusion ............................................................................................................550 Multiple Choice Questions .................................................................................551 10. 
Configuring Security for Azure Storage .....................................................553 Structure ................................................................................................................553 Objective................................................................................................................554 Security Recommendation for Azure Storage ..................................................554 Secure data protection recommendations ...............................................554 Identity and Access Management..............................................................555 Networking...................................................................................................556 Configuring Azure Storage service encryption ................................................557 Encryption of data at rest ...........................................................................558 Encryption of data in transit ......................................................................561 Encryption scope in Azure Storage ...........................................................563 Authorizing and Access Control in Azure Storage ..........................................569 Azure AD integration for Blobs and queues ............................................570 Manage Azure Storage account access through managed identity .......574 Manage Azure Storage account access through shared key ...................575 Grant Azure Storage account access through Shared Access Signature (SAS) ................................................................................................. 578 Anonymous access on Azure Storage containers and blobs ..................589 Azure Storage access authorize with condition .......................................592
xxiii Network Security for Azure Storage Accounts.................................................598 Control Azure Storage account access from selected network ..............598 Access Azure Storage account through private endpoint ......................601 Network Routing Preference for Azure Storage ......................................603 Enabling advance threat protection on Azure Storage ....................................605 Azure File Share Authentication with Azure AD DS ......................................607 Steps to configure Azure AD DS authentication for Azure File share .607 Conclusion ............................................................................................................611 Multiple Choice Questions .................................................................................612 11. Configuring Security for Azure SQL Databases.........................................613 Structure ................................................................................................................613 Objective................................................................................................................614 Security Layers for Azure SQL Database ..........................................................614 Network Security .........................................................................................615 Access Management ....................................................................................615 Threat Protection .........................................................................................616 Information Protection and Encryption ..................................................616 Security Management .................................................................................617 Security best practices for Azure SQL ...............................................................617 Authentication best 
practices.....................................................................617 Data protection best practices ...................................................................618 Network security best practices .................................................................618 Monitoring, logging, and auditing best practices ...................................619 Authentication Processes for Azure SQL Server..............................................619 SQL authentication method .......................................................................619 Azure Active Directory authentication for Azure SQL server ..............621 Enabling auditing on Azure SQL .......................................................................628 Enabling server level auditing....................................................................628 Audit for Microsoft support operations ...................................................629 Enabling database level auditing ...............................................................630 View audit logs.............................................................................................632 Implementing Database Encryption..................................................................635 Transparent data encryption ......................................................................635
xxiv Implement Azure SQL Database Always encryption .............................638 Enabling Azure Defender for Azure SQL Server .............................................654 Configure Vulnerability Assessment.........................................................655 Configure advance threat protection ........................................................658 Data discovery and classification .......................................................................659 Discover, classify, and label sensitive columns ........................................660 Dynamic Data Masking (DDM) ........................................................................668 Configure Dynamic Data Masking (DDM) for a Database ...................670 Conclusion ............................................................................................................671 Multiple Choice Questions .................................................................................672 Index ..................................................................................................................................673
Chapter 1
Managing Azure AD Identities and Application Access

In this chapter, you will learn how, as a Microsoft Azure security engineer, you can check whether Azure Active Directory (Azure AD) is configured securely to serve as the identity store for your Azure-based cloud applications. The major topics covered are administering Azure AD users and groups, configuring authentication methods in Azure AD, and configuring application registrations in Azure AD. Along with these, we will also go through the architecture and building blocks of Azure AD. By the end of this chapter, you will be able to improve your company's Azure AD security posture.

Let's start the journey into Azure AD application security with configuring Azure AD for Microsoft Azure workloads.

Azure AD is a cloud-based identity and access management service provided by Microsoft. It provides authentication and authorization capabilities for your users and can be used by IT administrators, application developers, Office 365 and Microsoft 365 subscribers, and many others. Azure AD is offered under several licenses, each providing a different feature set, so you can buy the license that matches your business requirements. The available licenses are Azure AD Free, Azure AD Premium P1, Azure AD Premium P2, and pay-as-you-go feature licenses.