AZ-500

Exam AZ-500: Microsoft Azure Security Technologies

Link: AZ-500 Microsoft Azure Security Technologies Study Cram – Feb 8, 2022 – John Savill

  • 9:00
  • Azure AD is a flat structure
  • ROLES and Administrators
  • Privileged Role Administrator
  • Global Administrator is the most powerful role – click it and I can assign it (Company Administrator)
  • In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as “Company Administrator”. It is “Global Administrator” in the Azure portal.
  • Assign to a user or to a GROUP (for regular GROUPS I have to enable a SETTING – only groups eligible for role assignment are displayed; if I select eligible, the setting cannot be changed later)
  • QUESTION 49/78 (GROUP deleted automatically after 180 days – only Office 365 groups)
  • 12:00
  • You do not start from scratch; you have an AD DS
  • AAD Connect runs on premises and syncs in the direction of AAD – little stuff replicates back, e.g. password writeback – Password writeback allows password changes in the cloud to be written back to an on-premises directory in real time by using either Azure AD Connect or Azure AD Connect cloud sync.
  • How does self-service password reset writeback work in Azure Active Directory
  • AD DS speaks Kerberos, LDAP, GPO, OU
  • Component: AAD Connect Health checks overall replication
  • syncs a hash of the hash to Azure
  • 16:00 AUTHENTICATION OPTIONS
  • 1. Authenticate against Azure AD
  • 2. Pass-Through Authentication (PTA) – sent for AAD auth, which checks with the DC
  • 3. Federation (redirects you)
  • SSO
  • An AD DS managed service in Azure

Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services

  • The device can be managed using Mobile Device Management (MDM) software like Microsoft Intune
  • Azure Active Directory Domain Services – I cannot extend the SCHEMA
  • B2B (like another AAD outside – authentication is in the B2B partner and auth in my AAD – Guest)
  • Users – Directory synced (No = come from AAD; Yes = come from on-premises)
  • I can have a guest … coming from Facebook
  • mail … OTP (one-time password)
  • A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. An OTP is more secure than a static password.
  • 27:00 Security … Auth Method
  • Security … MFA … Number of days users can trust devices – 14 QUESTION 50/78
  • Azure Active Directory > Users. Under Multi-Factor Authentication, select service settings, then the “remember multi-factor authentication on devices they trust” option.
  • trusted IPs
  • You can go to AAD … Security … MFA … Additional cloud-based MFA settings
  • Account lockout
  • MFA is FREE if you SELECT SECURITY DEFAULTS
  • Passwordless … user Auth Method … Add authentication method – Create a Temporary Access Pass for Maria Iulian
  • 33:00

Azure AD Conditional Access with P2

34:00 Groups

  • Dynamic
  • Licence

36:00 Roles – Tenant Level

  • Role is tenant level
  • 39:00 Administrative UNIT

40:00 Conditional Access

46:00 Identity Protection – RISK – P2

50:00 PIM – minimize the number of people who have access to secure information or resources

54:00 access reviews

56:00 Managed Identity – Example App

What is the difference between a service principal and a managed identity? A Service Principal could be looked at as similar to a service account in a more traditional on-premises application or service scenario. Managed Identities are used for “linking” a Service Principal security object to an Azure Resource like a Virtual Machine, Web App, Logic App or similar.

  • System-assigned. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD. The identity is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
  • User-assigned. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. For user-assigned managed identities, the identity is managed separately from the resources that use it.
  • QUESTION 133/235 A. From the Azure portal, modify the Managed Identity settings of VM1
  • QUESTION 21/158 C. From the Azure portal, modify the value of the Managed Service Identity option for VM1.
  • QUESTION 100/451 App1 and App2 use SAS
  • QUESTION 76/412 App1 Access Key, App2 SAS
  • 1:00 I can assign both of them to a VM
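Added example (not from the notes or from Microsoft's documentation) showing what the system-assigned/user-assigned difference looks like from inside the VM: both identities are obtained by calling the Instance Metadata Service (IMDS) token endpoint, and the only request-level difference is the optional `client_id` that selects a user-assigned identity. The endpoint, api-version and `Metadata: true` header are the documented IMDS values; the client ID and the JWT used in the demo are constructed placeholders, and `decode_jwt_claims` only inspects the token, it does not verify its signature.

```python
"""Managed-identity token request via Azure IMDS (added example, not the notes' own code).

Assumptions: IMDS endpoint, api-version and Metadata header as documented by Microsoft;
the client_id and JWT below are constructed placeholders, not real identities."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_request(resource: str, client_id: Optional[str] = None) -> Tuple[str, dict]:
    """Return (url, headers) for an IMDS token request.

    resource  - audience of the token, e.g. https://management.azure.com/
    client_id - None for the VM's system-assigned identity; the client ID of a
                user-assigned identity when one (or several) is attached to the VM.
                Without client_id, IMDS uses the system-assigned identity and the
                call fails if the VM only has user-assigned identities.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # The Metadata header is mandatory: IMDS rejects requests without it, which
    # stops redirect-based SSRF from reaching the token endpoint.
    return url, {"Metadata": "true"}


def request_token(resource: str, client_id: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Perform the IMDS call. Only works on an Azure VM/VMSS with a managed identity."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Decode (NOT verify) the payload of an access token so the caller can see which
    identity it represents: `oid` is the service principal's object ID and `aud` the
    resource the token is valid for."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Construct an unsigned JWT-shaped string for the offline demo (NOT a real token)."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "none"}).encode()).rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."


if __name__ == "__main__":
    url, hdrs = build_imds_request("https://management.azure.com/")
    print("system-assigned:", url, hdrs)
    url, hdrs = build_imds_request("https://vault.azure.net",
                                   client_id="00000000-0000-0000-0000-000000000001")  # placeholder
    print("user-assigned:  ", url)
    demo = make_sample_token({"aud": "https://management.azure.com/", "oid": "placeholder-oid"})
    print(decode_jwt_claims(demo))
```

The request only succeeds on a VM or scale set that actually has the identity attached (the portal setting the two questions above refer to), which is why the offline part of the example exercises the request builder and the claim decoder rather than the network call.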

101:00 Service Principal

  • You do not see Service Principal – YOU SEE APP REGISTRATION
  • Azure Active Directory.
  • Under Manage, select App registrations > New registration.
  • Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time and multiple app registrations can share the same name. The app registration’s automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform.
  • Specify who can use the application, sometimes called its sign-in audience.
  • Select this option if you’re building an application for use only by users (or guests) in your tenant.
  • Often called a line-of-business (LOB) application, this app is a single-tenant application in the Microsoft identity platform.
  • Don’t enter anything for Redirect URI (optional). You’ll configure a redirect URI in the next section.
  • Select Register to complete the initial app registration.
  • A redirect URI is the location where the Microsoft identity platform redirects a user’s client and sends security tokens after authentication.

1:01:25 Resource governance

115:00 PREVENT ACCIDENTAL DELETION – Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion or changing of a resource. These locks sit outside of the Role Based Access Control (RBAC) hierarchy and, when applied, place restrictions on the resource for all users.

Azure has basically two kinds of locks, known as read-only lock and delete lock.

  • Read-only lock is something similar to assigning a reader role for your users. …
  • With delete lock, authorized users will be able to read and modify the resource, but will not be allowed to delete the resource.
  • QUESTION 20/54/575 C. Remove the resource lock from VNET1 and delete all data in Vault1.
  • QUESTION 106/122/575 A. From the Recovery Service vault, stop the backup of each backup item.
  • QUESTION 47/127/575 C. Assign tags to the virtual machines
  • QUESTION 49/179/575 C. Upload a blob to storageaccount1.
  • QUESTION 106/459/575 Box 1: retained until manually deleted Box 2: deleted immediately
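Added example (not from the notes) that models how the two lock levels and lock inheritance combine. The sample locks are shaped like `az lock list` output but are constructed placeholders (subscription ID, resource group and resource names are not real). It goes slightly beyond the notes in showing that a lock set on the resource group is inherited by VNET1 and the subnets beneath it, and that the most restrictive lock in the hierarchy decides.

```python
"""Evaluator for Azure Resource Manager lock semantics (added example, not the notes' code).

Lock levels are the two documented values of Microsoft.Authorization/locks:
  ReadOnly     - read allowed; modify and delete blocked
  CanNotDelete - read and modify allowed; delete blocked
Locks apply to the scope they are set on and to everything beneath it."""
from typing import Iterable, List, Optional, Tuple

READ_ONLY = "ReadOnly"
CAN_NOT_DELETE = "CanNotDelete"

# Constructed sample, shaped like `az lock list -o json` entries (placeholder IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_LOCKS = [
    {"name": "rg-no-delete", "level": CAN_NOT_DELETE,
     "scope": SUB + "/resourceGroups/rg-prod"},
    {"name": "vnet-readonly", "level": READ_ONLY,
     "scope": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/VNET1"},
]


def locks_in_effect(locks: Iterable[dict], resource_id: str) -> List[dict]:
    """Return every lock whose scope is the resource itself or one of its ancestors.

    The trailing '/' on the scope prefix matters: without it, a lock on rg-prod
    would wrongly match a resource in rg-production."""
    rid = resource_id.lower()
    return [lk for lk in locks
            if rid == lk["scope"].lower() or rid.startswith(lk["scope"].lower() + "/")]


def is_operation_allowed(locks: Iterable[dict], resource_id: str,
                         operation: str) -> Tuple[bool, Optional[str]]:
    """operation is 'read', 'modify' or 'delete'.

    Returns (allowed, name of the lock that blocks it, or None). Any single blocking
    lock in the hierarchy is enough, which is what "most restrictive wins" means."""
    if operation not in ("read", "modify", "delete"):
        raise ValueError(f"unknown operation {operation!r}")
    for lock in locks_in_effect(locks, resource_id):
        if lock["level"] == READ_ONLY and operation in ("modify", "delete"):
            return False, lock["name"]
        if lock["level"] == CAN_NOT_DELETE and operation == "delete":
            return False, lock["name"]
    return True, None


if __name__ == "__main__":
    vnet = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/VNET1"
    vm = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/VM1"
    for target, op in [(vnet, "read"), (vnet, "modify"), (vnet, "delete"),
                       (vnet + "/subnets/default", "modify"), (vm, "modify"), (vm, "delete")]:
        allowed, blocker = is_operation_allowed(SAMPLE_LOCKS, target, op)
        print(f"{op:6} {target.rsplit('/', 1)[-1]:8} -> {'allowed' if allowed else 'blocked by ' + blocker}")
```

This is why the answer to the VNET1 question is to remove the lock first: a role assignment does not bypass a lock, and a CanNotDelete lock at the resource-group scope blocks deletion of every resource inside that group until the lock itself is removed.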