Microsoft Azure Security – Study Notes

A collection of all my study notes and lab work while working towards passing the badge Microsoft Certified Security Engineer Associate by passing the AZ-500 exam

These notes are in no order and are not focused towards any exam content other than sharing my experience of configuring and automating security within Azure in the run up to the final exam.

  1. Azure – Setup Azure Blueprints
  2. Azure – Advisor
  3. Azure – AD Identity Protection
  4. Azure – Install and Configure Antimalware On A Virtual Machine
  5. Creating Security Baselines In Microsoft Azure
  6. Azure – Log Analytics Workspace and AzureVirtual Machine Agent Install
  7. Azure – Access Control and Role Assignment
  8. Azure – Configure Management Locks – Prevent Accidental Deletion Of Core Resources
  9. AZURE – Control Storage Access by Networks
  10. Azure – Update Management
  11. Azure – Monitoring Alert On Virtual Machine CPU Usage
  12. Azure – Register An Application in AD and Generate App Password
  13. Azure – Activity Log
  14. Azure – Route Tables – How To Force Traffic Down A Specific Route
  15. Azure – Content Trust in ACR and Roles
  16. Azure – Creating Key Vaults
  17. Azure – Create Kubernetes Cluster with ACR Integration
  18. Azure – Monitor / Alerts – Create Action Group to Notify Admin/User by SMS & Email
  19. Azure – Security Center and Pricing
  20. Azure Conditional Access Policies – Greyed Out
  21. Azure – Configure Web App Custom Domain and TLS
  22. Azure – Configure Web App and Licenses
  23. AZ-500: Microsoft Azure Security Technologies – EXAM PASSED!!!

MS365 – Azure AD – Dynamic Groups and Expiration Settings

Maintain groups in Azure AD with dynamic groups and set expiration settings.

Example scenario : Controlling remote access to sub contractors working on a short term project. The project owner should remove all access for sub contractors after the project completes

How to guide :

If we combine Dynamic Groups and Expiration settings, we can automatically populate groups and then invoke regular check to maintain groups are still required. Group owners will be reminded regularly to verify groups are required. Owners will have a better understanding of who has access and this help assist with your security policies.

Dynamic Group Example

Steps: Azure Active Directory > New Group > Type : Office 365 > Name, Description, Dynamic User > Owner > Dynamic user Members

Group Name : Sub Contractors    – Set the value for department equals “Sub Contractor”

Dynamic User Members    – Add Experssion

(user.department -eq “Sub Contractor”)

Configure Group lifetime / Expiration Settings

Steps: Azure Active Directory > Groups > Expiration > Days > No Owner email > Selected > Group > Save

“Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and PowerBI.” Info from the portal Expiration settings.

AZ-500: Microsoft Azure Security Technologies – EXAM PASSED!!!

AZ-500: Microsoft Azure Security Technologies

EXAM PASSED!!!

#Azure #Security #AzureSecurity #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #MicrosoftAzure #MicrosoftCloud #Microsoft #alwaysbelearning #AZ500 #EXAM #PASSED 

Azure – Setup Azure Blueprints

Challenge: Separate subscriptions for multiple disciplines under the same Azure Active Directory Tenancy.

Required : Each subscription to have the same role assignments

Solution : Azure Blueprints to define a repeatable set of Azure resources

How ?

Azure Blueprints provides

  • Role & Policy Assignments
  • ARM templates
  • And Resource Groups

Reference guides

Getting Started Azure Blueprints (PREVIEW)

Creating Blueprint Guide – Focused on Roles

Create a blue print, if your new, start with a sample predefined Blueprint.

For this example I have selected Resource Groups with RBAC (Role-based Access Control)

Create blueprint> Enter Name, Description and Definition Location

Next : Artifacts

Click Save Draft


How to Publish Blueprint

Click Blueprints > Blueprint Definitions > Select the version to publish


Click Publish blueprint.

Enter version and change notes > Click Publish

Azure – Advisor

Sample screen shots of Azure Advisor

Recommendations : Cost , Security, High Availability, Performance, Operational Excellence

Example Recommendations report export, output as a PDF or CSV

Azure – Log Analytics Workspace and AzureVirtual Machine Agent Install

How to prepare to collect security log data from your Azure Windows virtual machines. You require two things:

  1. Log Analystics Workspace to be created
  2. The agent to be installed on the Virtual machine.

This guide shows how to setup the workspace and install the agents on the virtual machine.

Create a Log Analytics Workspace

Pricing is Pay as you go

Next you connect to the data source

Click Virtual Machines > Select Virtual Machine and click Connect.

The Agent is then automatically installed and ready to configure for the log analytics workspace

Next Configure workspace under advanced settings. See MS Doc Quick Start Guide

Windows event log collect from Windows VM

  • Click Data > Windows Event Logs.
  • Add an event log. Example type System and then select “+”.
  • In the table, check the options Error and Warning.
  • Select Save at the top of the page to save the configuration.

Azure – Configure Management Locks – Prevent Accidental Deletion Of Core Resources

Locking prevents the accidental deletion or modifying of critical resources. Example Azure Subscription, Resource Group, Network, Files, VMs.

How to configure Management locks to prevent the accidental deletion of core networks?

In this example we will put a “Delete” lock on a virtual network.

Virtual Network > Select the network > Locks > Add > Name + Set lock type to delete > Ok

Configured

To remove a lock / delete the lock

Azure – Update Management

How to maintain the patch status of your Windows and Linux machines

You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux machines in Azure, in on-premises environments, and in other cloud environments.” Microsoft

To enable on a specific virtual machine in Azure

Note – You only pay for logs stored (Log Analytics)

Enabling the option can take up to 15mins

Useful reference links

Bulk Add Azure VMs and Non Azure Machines