Microsoft Azure Security Technologies (AZ-500) - A Certification Guide
US$ 19.95
Language: English
ISBN: 9789389898811
Cover Page
Title Page
Copyright Page
Dedication Page
About the Author
About the Reviewers
Acknowledgements
Preface
Errata
Table of Contents
1. Managing Azure AD Identities and Application Access
Structure
Objectives
Azure AD overview
Building blocks and objects of Azure AD
Available versions of Azure AD
Azure AD architecture
Azure AD service architecture design
Scalability
Continuous availability
Datacenters
Some key features workflow
Creating a new tenant in Azure AD
Adding a custom domain to Azure AD
Adding a company brand to Azure AD
Customizing your Azure AD sign-in page
Setting up customized branding
Creating and adding an Azure subscription to your Azure AD
Creating a new subscription and associating to a directory
Transferring a subscription between Azure AD tenants
Managing Azure AD users and groups
Types of user accounts
Types of groups
User management
User creation
User deletion
Assign licenses to users and groups
Remove licenses from users and groups
Group management in Azure AD
Assigned group creation in Azure AD
Dynamic group creation in Azure AD
Set group expiration policy
Set policy for group naming convention
Configuring authentication methods in Azure AD
Types of authentication methods
Pass-through Authentication (PTA)
Password Hash Authentication (PHA)
Active Directory Federation (AD FS)
Choose the authentication method
Prerequisites for Azure AD Connect
Installing Azure AD Connect with Password Hash Synchronization
Installing Azure AD Connect with pass-through authentication
Installing Azure AD Connect for federation with AD FS
Topologies for Azure AD Connect
Single forest, single sync server to single Azure AD tenant
Single forest, multiple sync servers to one Azure AD tenant
Multiple forests, single sync server to one Azure AD tenant
Multiple forests, multiple sync servers to one Azure AD tenant
Features of Azure AD Connect
Setting up password writeback through Azure AD Connect
Prerequisites to set up password writeback
Enabling Self Service Password Reset in Azure AD
Selecting authentication and registration options
Setting up account permission for Azure AD Connect account
Configuring Azure AD Connect for password writeback
Passwordless authentication options in Azure AD
Enabling combined registration experience
Enabling passwordless authentication method
Creating app registration in Azure AD
Application object
Service principal object
Azure AD applications account types
Required access level for app registration
New application registration in Azure AD through the Azure portal
App registration permission scopes configuration
Type of permissions
Delegated permission
Application permission
Conclusion
Multiple choice questions
2. Configuring Secure Access by Using Azure Active Directory
Structure
Objectives
What is Azure AD Privileged Identity Management?
Terminology used in PIM
Planning and setting up Azure AD PIM for your organization
Planning Azure AD PIM and other security best practices
Configuring Azure AD PIM
Manage Azure AD PIM for Azure AD roles
Manage Azure AD roles
Role assignment
Review assignments
Manage alerts
Configuring access review
Administrating Azure AD PIM for Azure AD roles
Managing Azure AD PIM for Azure resources
Administrating Azure AD PIM for Azure resources
Managing Azure resource roles
Azure resource role assignment in Azure AD PIM
Managing assignments
Managing alerts
Managing access review
Activating Azure AD and Azure resource role in PIM
Azure AD multi-factor authentication (MFA)
MFA methods
Versions of Azure MFA
Prerequisites to check before setting up MFA
Steps to enable and disable Azure MFA for users
Configuring Azure MFA settings
Azure AD conditional access
Building components of Azure AD conditional access policy
Available conditions in Azure AD conditional access
Azure AD conditional access report only mode
Azure AD Conditional Access What If tool
Service dependencies in Azure AD Conditional Access
Set up location-based Azure AD Conditional Access
Set up Azure AD Conditional Access to enforce MFA for administrators
Create the Conditional Access policy to enforce MFA for administrators
Set up Azure AD terms of use
Set up Azure terms of use
VPN connectivity in Azure AD Conditional access
Azure AD Identity Protection
Azure AD Identity Protection dashboard or security overview
Types of risks identified by Azure AD Identity Protection
Sign in risk
Real-time detection types
Offline detection types
User risk
Azure AD Identity Protection simulate risk detection
Unfamiliar sign-in properties
Atypical travel
Anonymous IP address
Azure AD Identity Protection policies
MFA registration policy
User risk policy
Sign-in risk policy
Conclusion
Multiple choice questions
3. Managing Azure Access Control
Structure
Objectives
RBAC to configure permissions over subscription, resource groups, and resources
Types of roles in Azure
Building components and working of RBAC
Types of RBAC roles in Azure
Built-in RBAC roles
Assign built-in RBAC roles
Check assigned access
Remove access from a resource
Custom RBAC role
Create custom RBAC through JSON
Azure resource lock
Apply and remove lock from the Azure resource
Azure Policy
Effects of Azure Policy
Assign Azure Policy from the portal
Azure blueprint
Terminology of an Azure Blueprint
Configuring security settings by the Azure Blueprint
Conclusion
Multiple choice questions
4. Implementing Advanced Network Security
Structure
Objectives
Understand Azure Virtual Networking concepts
Azure VNet connectivity scenarios
Setup of Azure VNet to Azure Virtual Network connection
Azure VNet peering between same and different subscription Azure VNets
Creating Azure VNet
Create Azure VNet peering between Azure VNets
Azure VNet to Azure VNet (in same Azure subscription) connectivity through IPsec/IKE tunnel
Create Azure Virtual Network gateway
Creating Azure network gateway connection
Azure VNet to on-premises network connection
Creating local network gateway
Creating Azure network gateway connection
Configuring on-premises VPN device
Azure Network Security Group (NSG) and Application Security Group (ASG)
Components of network security rule
Azure Virtual Network service tags
Traffic flow through Azure NSGs
Inbound traffic
Outbound traffic
Intra-subnet traffic
Create, configure, and manage Azure NSGs
Create Azure NSG
Configure Azure NSG
Manage Azure NSG
Modify security rules
Associate NSGs to network interfaces
Dissociate NSGs from network interface
Associate NSGs to subnets
Dissociate NSG from subnet
Azure Application Security Groups (ASG)
Configure application gateway to secure app service
Application gateway features
Traffic flow through application gateway
How an application gateway accepts a request
How an application gateway routes a request
Application gateway building blocks
Deploy application gateway to host single site
Configure application gateway for multiple sites
Configure application gateway for app service
Configure application gateway with Web Application Firewall (WAF)
Benefits of WAF on application gateway
Features of WAF on application gateway
Deploying application gateway with WAF
Azure Front Door (AFD) service
Features of AFD service
Building blocks and concepts of AFD
AFD frontend host
AFD backend pool
AFD routing rules
Create Azure Front Door
Azure Firewall
Features of Azure Firewall
Create, configure, and manage Azure Firewall
Create Azure Firewall
Create user defined route
Configuring Azure Firewall public IP
Creating, configuring, and managing Azure Firewall policy
Components of Azure Firewall policy
Create Azure Firewall policy
Connect Azure Firewall policy with VNet and hubs
Manage Azure Firewall policy
Firewall policy with Destination Network Address Translation (DNAT) rule collections
Firewall policy with network rule collection
Firewall policy with application rule collection
Enabling custom DNS and DNS proxy in Azure Firewall policy
Enabling threat intelligence in Azure Firewall policy
Enabling TLS inspection in Azure Firewall policy
Enabling IDPS mode in Azure Firewall policy
Azure Firewall Manager
Overview for Azure Firewall Manager
Features for Azure Firewall Manager
Manage Azure Firewall Manager
Shielding your Azure Virtual Network with DDoS protection
Remote access management through Azure Bastion
Architecture
Features of Azure Bastion
Configuring Azure Bastion
Service endpoint in Azure
Configuring service endpoint in Azure Virtual Network
Azure Resource Firewall
Azure PaaS SQL
Azure storage account
Azure Key Vault
Conclusion
Multiple choice questions
5. Configuring Advanced Security for Compute
Structure
Objectives
Understand Microsoft Endpoint Protection
Features of Microsoft Endpoint Protection
Architecture of Microsoft Endpoint Protection
Enabling Microsoft Endpoint Protection
Enable Microsoft Endpoint Protection while creating the virtual machine
Enabling Microsoft Endpoint Protection on a running virtual machine
Monitor Microsoft Endpoint Protection on a running virtual machine
Configure and harden security for virtual machines
Update Management solution for servers
Overview of Update Management
Supported and unsupported client
Configure Update Management for virtual machines
Log Analytics workspace
Create Log Analytics workspace
Onboard virtual machines to workspace
Automation account
Create automation account
Enable Update Management for Azure Virtual Machines
Schedule update deployment
Azure Key Vault
Create Azure Key Vault
Manage Azure Key Vault
Keys in Azure Key Vault
Generate new key in Key Vault
Import new key in Key Vault
Restore keys from backup
Manage deleted keys
Secrets in Azure Key Vault
Generate new secret in Key Vault
Check the value of secret in Key Vault
Restore secrets from backup
Manage deleted secrets
Certificates in Azure Key Vault
Generate a certificate in Azure Key Vault
Azure Key Vault security best practices
Identity and access management for Azure Key Vault
Secure network access to Azure Key Vault
Azure Key Vault monitoring
Overview
Basic Key Vault metrics to monitor
Configure alerts on your Key Vault
Azure Key Vault logging
Configure logging for Azure Key Vault
Access your logs
Interpret your Key Vault logs
Turn on recovery options
Backup
Soft delete for Azure Key Vault
Deleting a soft delete protected Key Vault
Recovering a key vault
Enable Azure Defender for Azure Key Vault
Azure Virtual Machine disk encryption
Azure Disk Encryption for Azure Virtual Machines
Unsupported scenarios
Prepare Azure Key Vault
Azure Disk Encryption for existing VM
Disk Encryption for already attached and initialized disks
Enable encryption on newly added data disk
Disable disk encryption
Detailed description of security parameters for Azure App Service
Authentication and authorization
Configuring Azure App Service to use Microsoft account as identity provider
Add SSL/TLS certificate in Azure App Service
Restricted network access on app service
Set up Azure private endpoint connection in app service
Regional virtual network integration
Gateway-required virtual network integration
Configure hybrid connection endpoints
Workflow for hybrid connection
Benefits of hybrid connections in app service
Limitations of hybrid connections in app service
Connection test from app service to target server without hybrid connection
Add and create hybrid connections in your app
Connection test after hybrid connection
Conclusion
Multiple choice questions
6. Configuring Container Security
Structure
Objectives
Overview of container instance
Features and benefits of Azure Container Instances
Building blocks and concepts about Azure Container Instances
Container group
Azure security best practices and recommendations for Azure Container Instances (ACI)
Network security
Logging and monitoring
Identity and access management
Data protection
Some additional recommendations for container instances
Network planning for Azure Container Instances
Advantages of deploying Containers in Azure Network
Unsupported networking features
Deploying Azure Container Instance
Isolation modes of Azure Container Instances
Process isolation
Hyper-V isolation
Overview of Azure Container Registry
Features of Azure Container Registry
Creating container registry
Configuring authentication for Azure Container Registry (ACR)
Individual login with Azure AD identity
Login with Azure AD service principal
Login through managed identity
Login with AKS service
Login with ACR local admin
Geo replicate container registry
Some best practices to use Azure Container Registry
Security best practices for container registry
Network security best practices
Logging and monitoring best practices
Identity and access control related best practices
Data protection best practices
Secure network connectivity features for container registry
Connect container registry through a private link
Accessing registry from selected public network
Securing data protection in container registry
Encryption of container registry
Create managed identity
Create Azure Key Vault
Creating container registry with encryption
Content trust in Azure Container Registry
Vulnerability scan for Azure Container Registry
Enabling monitoring for container registry
Creating Log Analytics workspace
Enable collection of diagnostic logs
Configuring security for different types of containers
Azure Kubernetes Services
Configuring authentication for AKS cluster
Cluster isolation in AKS cluster
Security best practices for AKS cluster
Networking best practices
Logging and monitoring best practices
Identity and access management best practices
Data protection best practices
Vulnerability management best practices
Inventory and asset management
Conclusion
Multiple choice questions
7. Monitoring Security by Using Azure Monitor
Structure
Objectives
Types of logs in Azure
Configure diagnostic logging
Choose the proper destination
Configure diagnostic settings in Azure portal
Configuring diagnostics from the Azure resource menu
Configure diagnostic logs from Azure Monitor
Log retention management
Control log retention period
Control log collection quantity
Azure Monitor
Overview
Monitoring data sources
Insights in Azure Monitor
Azure Monitor for virtual machine
Configuring Log Analytics workspace
Connect virtual machine to workspace
Configuring logs collection
Connecting Log Analytics workspace to Azure Monitor
Enable monitoring for Azure Virtual Machine
See the performance charts and mapping
Alerts in Azure
Types of alerts
Application availability alert
Create Azure Application Insights
Set up availability test
Set up alert for URL ping test failure
Metric alert rules
How do metric alerts work?
Alert rule with static condition type
Alert rule with dynamic condition type
Set up metric alert
Review and manage the alerts
Creating activity log alerts in Azure Monitor
See activity logs in Azure Monitor
Creating alert for activity logs
Create custom alerts from Azure Monitor
Create custom alert from Log Analytics workspace
Conclusion
Multiple choice questions
8. Monitoring Security by Using Azure Security Center
Structure
Objectives
Azure Security Center
Overview
Why use Azure Security Center?
Azure Security Center support for Azure resources
Azure Security Center features for Azure Virtual Machines
Azure Security Center support for Azure PaaS services
Configure Azure Security Center
Upgrade Azure Security Center to Azure Defender
Azure Security Center features
Azure Security Center overview
Pricing and Settings
Coverage
Secure Score
Recommendations
Inventory
Security solutions
Azure Defender features in security center
Adaptive application control
Adaptive network hardening
File integrity monitoring in Azure Security Center
Manage JIT access through Azure Security Center
VM vulnerability assessment through security center
Container registry image scanning
Vulnerability scan for SQL database
Network map
Azure Defender for IoT devices
Centralized management of policies by using Azure Security Center (regulatory compliance)
Overview
Enable and disable security policies in security center
Add industry and regulatory compliance standards
Disable security policies in security center
Configure a playbook for a security event by using Azure Security Center (workflow automation)
Create logic apps
Configure workflow in Azure Security Center
Investigate security center threat alerts
Conclusion
Multiple Choice Questions
9. Monitoring Security by Using Azure Sentinel
Structure
Objective
Overview of Azure Sentinel
Features of Azure Sentinel
Terminologies used in Azure Sentinel
Configuring data source to Azure Sentinel
Monitoring the data collected by connected data sources
Azure Sentinel overview dashboard
Analytics in Azure Sentinel
Creating alerts from built-in scheduled analytics rules
Creating alerts from built-in Microsoft security analytics rules
Detailed information of threat incidents in Azure Sentinel
Investigating threat incidents in Azure Sentinel
Workflow automation in Azure Sentinel
Creating Playbook for Azure Sentinel
Automating threat incident response in Azure Sentinel through playbook
Automating alert response through playbook
Threat hunting in Azure Sentinel
User and entity behavior analytics in Azure Sentinel
Some preview features of Azure Sentinel
Threat intelligence
Solutions in Azure Sentinel
Watchlist in Azure Sentinel
Conclusion
Multiple Choice Questions
10. Configuring Security for Azure Storage
Structure
Objective
Security Recommendation for Azure Storage
Secure data protection recommendations
Identity and Access Management
Networking
Configuring Azure Storage service encryption
Encryption of data at rest
Enable infrastructure encryption
Use customer-managed keys with Azure Key Vault to manage Azure Storage encryption
Encryption of data in transit
Encryption scope in Azure Storage
Authorizing and Access Control in Azure Storage
Azure AD integration for Blobs and queues
Overview
Assign Azure AD RBAC roles for access control
Manage Azure Storage account access through managed identity
Manage Azure Storage account access through shared key
View Azure Storage account access key
Manual Azure Storage account access key management
Grant Azure Storage account access through Shared Access Signature (SAS)
Types of shared access signatures
Working mechanism of shared access signature
Best practices when using SAS
Set up account shared access signature
Stored access policy in Azure Storage
Anonymous access on Azure Storage containers and blobs
Set up anonymous access on Azure Storage containers and blobs
Authorizing Azure Storage access with conditions
Add attribute based access control (ABAC) on blob
Network Security for Azure Storage Accounts
Control Azure Storage account access from selected network
Access Azure Storage account through private endpoint
Network Routing Preference for Azure Storage
Routing via Microsoft global network
Routing over Public Internet (ISP network)
Configure routing preference for Azure Storage
Enabling advanced threat protection on Azure Storage
Azure File Share Authentication with Azure AD DS
Steps to configure Azure AD DS authentication for Azure File share
Create Azure AD DS
Enable Azure AD DS identity-based authentication for Azure File share
Assign permission to an identity
Mount file share from domain joined VM
Configure NTFS permission over SMB share
Conclusion
Multiple Choice Questions
11. Configuring Security for Azure SQL Databases
Structure
Objective
Security Layers for Azure SQL Database
Network Security
Access Management
Threat Protection
Information Protection and Encryption
Security Management
Security best practices for Azure SQL
Authentication best practices
Data protection best practices
Network security best practices
Monitoring, logging, and auditing best practices
Authentication Processes for Azure SQL Server
SQL authentication method
Azure Active Directory authentication for Azure SQL server
Steps to configure Azure Active Directory authentication for Azure SQL Database and Azure SQL Managed Instance
Enabling auditing on Azure SQL
Enabling server level auditing
Audit for Microsoft support operations
Enabling database level auditing
View audit logs
View audit logs in Azure portal
View audit logs in Azure storage
Implementing Database Encryption
Transparent data encryption
Service-managed transparent data encryption
Customer-managed transparent data encryption
Enable TDE on Azure SQL Database
Implement Azure SQL Database Always Encrypted
Always Encrypted workflow
Types of encryption in Always Encrypted
Getting started with Always Encrypted
Enabling Azure Defender for Azure SQL Server
Configure Vulnerability Assessment
Configure advanced threat protection
Data discovery and classification
Discover, classify, and label sensitive columns
Dynamic Data Masking (DDM)
Configure Dynamic Data Masking (DDM) for a Database
Conclusion
Multiple Choice Questions
Index