- Manage Identity and Access
- Implement Platform Protection
- Manage Security Operations
- Secure Data and Applications
-
Create and manage a managed identity for Azure resources
-
Manage Azure AD groups
-
A group is a collection of users. Types of groups include:
- Security Group
- Office 365 Group
-
Membership types for security groups include:
- Assigned: The administrator explicitly adds or removes members.
- Dynamic User: Membership is determined by user attribute values; a membership rule (query) specifies which attributes are evaluated to decide who belongs to the group.
- Dynamic Device (security groups only)
-
Security groups can be nested. However, there are some restrictions on nested groups. You cannot:
- Add groups to groups synced with on-premises Active Directory.
- Add security groups to Office 365 groups.
- Add Office 365 groups to other Office 365 groups or to security groups.
- Assign apps to nested groups.
- Apply licenses to nested groups.
-
Groups can be managed via:
- Azure Portal
- Azure PowerShell
- Azure CLI
-
To create a group in PowerShell:
New-AzADGroup -DisplayName "Sales" -MailNickname "Sales"
-
To create a group using the CLI:
az ad group create --display-name "Marketing" --mail-nickname "Marketing"
-
-
Manage Azure AD users
-
A user is an account required to access Azure resources. This includes Software as a Service (SaaS) applications such as Office 365, as well as custom applications written by your in-house development team.
-
A user can be one of:
- Cloud-based user account (Azure Active Directory)
- A synchronised on-premises directory account
- A guest user
-
Users can be managed via:
- Azure Portal
- Azure PowerShell
- Azure CLI
-
To create a user in PowerShell:
$SecureStringPassword = ConvertTo-SecureString -String "Password.1" -AsPlainText -Force
New-AzADUser -DisplayName "Test User2" -UserPrincipalName "testuser2@sjohnsontexansfans.onmicrosoft.com" -Password $SecureStringPassword -MailNickname testuser2
-
To create a user using the CLI:
az ad user create --display-name "Test User3" --password "Password.1" --user-principal-name testuser3@sjohnsonexansfans.onmicrosoft.com
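The group and user commands above only create objects in isolation. The following added example (not part of the original notes) ties them together in Az PowerShell: it creates a security group with assigned membership, creates a user whose initial password is read interactively rather than hard-coded, adds the user to the group, and then verifies the membership. It assumes the Az.Resources module is installed, Connect-AzAccount has already been run with an account allowed to manage users and groups, and the tenant domain is a placeholder you replace with your own.

```powershell
# Added example (not from the original notes). Assumes Az.Resources is installed
# and Connect-AzAccount has already been run with sufficient directory rights.
# Placeholder tenant domain: replace with your own.
$domain = "yourtenant.onmicrosoft.com"

# Read the initial password interactively so it never sits in the script or shell history.
$securePassword = Read-Host -Prompt "Initial password for the new user" -AsSecureString

# Security group with assigned membership (an administrator adds members explicitly).
$group = New-AzADGroup -DisplayName "Sales" -MailNickname "Sales" -Description "Sales team (assigned membership)"

# Cloud-based user account; force a password change at first sign-in.
$user = New-AzADUser -DisplayName "Test User4" `
    -UserPrincipalName "testuser4@$domain" `
    -MailNickname "testuser4" `
    -Password $securePassword `
    -ForceChangePasswordNextLogin

# Assigned membership: add the user to the group by object ID.
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id

# Verify: list the group's members and confirm the new user is present.
$members = Get-AzADGroupMember -GroupObjectId $group.Id
if ($members.Id -contains $user.Id) {
    Write-Output "$($user.UserPrincipalName) is a member of $($group.DisplayName)"
} else {
    Write-Warning "Membership not visible yet; directory changes can take a moment to propagate."
}
```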
-
-
Manage external identities by using Azure AD
-
Manage administrative units
-
Configure Azure AD Privileged Identity Management (PIM)
-
Implement Conditional Access policies, including multifactor authentication
-
Implement Azure AD Identity Protection
-
Implement passwordless authentication
-
Configure access reviews
-
Integrate single sign-on (SSO) and identity providers for authentication
-
Create an app registration
-
Configure app registration permission scopes
-
Manage app registration permission consent
-
Manage API permissions to Azure subscriptions and resources
-
Configure an authentication method for a service principal
-
Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
-
Interpret role and resource permissions
-
Assign built-in Azure AD roles
-
Create and assign custom roles, including Azure roles and Azure AD roles
-
Secure the connectivity of hybrid networks
-
Secure the connectivity of virtual networks
-
Create and configure Azure Firewall
-
Create and configure Azure Firewall Manager
-
Create and configure Azure Application Gateway
-
Create and configure Azure Front Door
-
Create and configure Web Application Firewall (WAF)
-
Create a resource firewall, including storage account, Azure SQL, Azure Key Vault, or Azure App Service
-
Configure network isolation for Web Apps and Azure Functions
-
Implement Azure Service Endpoints
-
Implement Azure Private Endpoints, including integrating with other services
-
Implement Azure Private Links
-
Implement Azure DDoS Protection
-
Configure Azure Endpoint Protection for virtual machines (VMs)
-
Implement and manage security updates for VMs
-
Configure security for container services
-
Manage access to Azure Container Registry
-
Configure security for serverless compute
-
Configure security for an Azure App Service
-
Configure encryption at rest
-
Configure encryption in transit
-
Configure a custom security policy
-
Create a policy initiative
-
Configure security settings and auditing by using Azure Policy
-
Configure Azure Defender for servers (not including Microsoft Defender for Endpoint)
-
Evaluate vulnerability scans from Azure Defender
-
Configure Azure Defender for SQL
-
Use the Microsoft Threat Modelling Tool
-
Create and customise alert rules by using Azure Monitor
-
Configure diagnostic logging and log retention by using Azure Monitor
-
Monitor security logs by using Azure Monitor
-
Create and customise alert rules in Azure Sentinel
-
Configure connections in Azure Sentinel
-
Evaluate alerts and incidents in Azure Sentinel
-
Configure access control for storage accounts
-
Configure storage account access keys
-
Configure Azure AD authentication for Azure Storage and Azure Files
-
Configure delegated access
-
Enable database authentication by using Azure AD
-
Enable database auditing
-
Configure dynamic masking on SQL workloads
-
Implement database encryption for Azure SQL Database
-
Implement network isolation for data solutions, including Azure Synapse Analytics and Azure Cosmos DB
-
Create and configure Key Vault
-
Configure access to Key Vault
-
Manage certificates, secrets, and keys
-
Configure key rotation
-
Configure backup and recovery of certificates, secrets, and keys