Microsoft Azure Security Technologies (AZ-500) - A Certification Guide
Get qualified to secure Azure AD, Network, Compute, Storage and Data services through Security Center, Sentinel and other Azure security best practices
Jayant Sharma
www.bpbonline.com
FIRST EDITION 2022
Copyright © BPB Publications, India
ISBN: 978-93-89898-81-1
All Rights Reserved. No part of this publication may be reproduced, distributed or transmitted in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception of the program listings, which may be entered, stored and executed in a computer system but cannot be reproduced by means of publication, photocopy, recording, or any electronic or mechanical means.
LIMITS OF LIABILITY AND DISCLAIMER OF WARRANTY
The information contained in this book is true and correct to the best of the author's and publisher's knowledge. The author has made every effort to ensure the accuracy of this publication, but the publisher cannot be held responsible for any loss or damage arising from any information in this book.
All trademarks referred to in the book are acknowledged as properties of their respective owners, but BPB Publications cannot guarantee the accuracy of this information.
Distributors:
BPB PUBLICATIONS, 20, Ansari Road, Darya Ganj, New Delhi-110002. Ph: 23254990/23254991
DECCAN AGENCIES, 4-3-329, Bank Street, Hyderabad-500195. Ph: 24756967/24756400
MICRO MEDIA, Shop No. 5, Mahendra Chambers, 150 DN Rd. Next to Capital Cinema, V.T. (C.S.T.) Station, MUMBAI-400 001. Ph: 22078296/22078297
BPB BOOK CENTRE, 376 Old Lajpat Rai Market, Delhi-110006. Ph: 23861747
Published by Manish Jain for BPB Publications, 20 Ansari Road, Darya Ganj, New Delhi-110002 and Printed by him at Repro India Ltd, Mumbai
www.bpbonline.com
Dedicated to
My beloved Parents:
Shri Vishnu Sharma
Smt. Anju Lata Sharma
&
My wife Ayushi Upadhyay and My Son Shashwat Gautam
About the Author
I am Jayant Sharma. I completed a Bachelor of Technology in Electronics and Communication. I have a total of 10+ years of experience in various domains such as Windows Server administration, VMware administration, cloud solution architecting for Azure and GCP, and security architecting for data, storage, virtual machines, applications and user identity and access management (IAM). I have sound experience in security compliance audits: PCI DSS, ISO 27001:2013, HIPAA, GDPR (EU), MeitY (India). I have worked with various enterprises such as Tata Consultancy Services (TCS), Hewlett Packard Enterprise (HPE), International Business Machines (IBM), Hanu Software Solutions, and Rackspace Technology. I have completed various technical certifications issued by Microsoft, VMware, and IBM. Currently I am working as an Azure Solution Architect. I am a Guinness World Record holder for participating in an app development marathon conducted by Microsoft. I am also a Microsoft Certified Trainer (2020-2021) and provide training for various Microsoft certifications and technologies.
About the Reviewer
Lalit is an Azure MVP, MCT and author of the "Azure Interview Q & A" and AZ-104 Azure Administration books. He likes to share his knowledge through his blog (https://azure4you.com/) and manages and shares his technical skills in the BITPro and Azure User Meetup groups. He has written several articles on Microsoft Azure. He has changed many lives through his articles and his hands-on training programs and workshops. He is a speaker and has delivered sessions on big platforms including MS Global Bootcamp and other events.
Moreover, and to his credit, he has delivered 500+ training sessions to professionals worldwide on Microsoft Azure technologies and other technologies including SCOM and Windows Server. In addition, he provides instructor-led online training and hands-on workshops.
His technical prowess and his capability for exploring new frontiers of technology and imparting them to his aspiring team members are his trademark. His execution is priceless, and bringing forth his approach will help you turn your dreams, goals, and aspirations into reality.
Arun Pachehra is a Solutions Architect with a specialisation in Microsoft Azure. He works with one of the best cloud service providers in the world. His focus areas include cloud consulting, architecture, design, and migration. He believes in continuous learning, which has led him to clear almost all the certifications related to Azure, and he is now exploring different aspects of the cloud, including advanced security, cloud-native app development, and other public clouds. As an active member of the Azure community, Arun often hosts public webinars for cloud enthusiasts, writes blogs and is the host of an educational YouTube channel covering cloud services.
Tushar Kumar is an Azure-certified Cloud Solutions Architect, awarded Most Valuable Professional by Alibaba Cloud, a former Microsoft Student Partner, Community Lead and Microsoft-recognized Azure Community Hero. He has rich experience in planning, designing, implementing, and maintaining secure applications in the Azure cloud from x86 and non-x86 environments, and is a recognized leader in migrating and creating enterprise architecture for the transition from on-premises to cloud using Azure services. He holds 7 Microsoft certifications spanning Azure Solutions Architect, Azure DevOps Expert, Azure Security Engineer, and Azure Security and Compliance Fundamentals.
He holds advanced specializations in identity, security, and compliance and works extensively on large transformations of enterprises and banking, finance, and insurance institutions towards the public cloud, where he is responsible for designing scalable architecture in line with the respective industry standards and security compliance frameworks.
Abhijeet is an experienced Security and DevOps Cloud Consultant. He has been a part of several generations of enterprise tech transformation. Having worked in both Microsoft Azure and AWS, he has a keen sense of the services and offerings across both cloud providers. He has worked with healthcare institutions, helping them adopt the cloud where security is of utmost importance. He is currently working with SoftwareONE as a cloud consultant and helps customers adopt and manage DevOps and cloud methodologies. He currently holds the Microsoft Azure Architect Expert, Microsoft Azure DevOps Expert, Microsoft Azure Administrator Associate, and Microsoft Azure Security Engineer Associate certifications and is also an active Microsoft Certified Trainer (MCT).
Acknowledgments
Microsoft Azure security services and features are a very dynamic technology. Microsoft upgrades them regularly to provide industry-best security services. I saw many upgrades in Microsoft Azure security services while writing this book and had to re-write many topics multiple times because of these continuous upgrades. Thank you, God, for giving me the strength to write this book on such a dynamic technology, which changes almost every day.
There are a few people I want to thank for the continued and ongoing support they have given me during the writing of this book. First and foremost, I would like to thank my grandparents, parents, uncle, aunty, wife, sister, cousins, in-laws, and all family members for continuously encouraging me to write the book — I could never have completed this book without their support.
I am grateful to the courses and the companies which supported me throughout the learning process of Microsoft Azure and other technologies. Thank you for all the hidden support provided.
My gratitude also goes to the team at BPB Publications for being supportive enough to give me quite a long time to finish the book. Since Microsoft Azure security is a vast and very active area of research, it took me some time to research all the topics and services provided by Microsoft Azure for security. I had to cycle back many times to review the chapters and keep them up to date with the latest updates released by Microsoft.
Preface
This book covers many different aspects of Microsoft Azure security recommendations and their implementation. It also introduces the importance of security in the real-world Azure cloud industry and shows why cloud security matters to organizations across their various technical verticals. This book gives an advanced understanding of Azure security.
This book takes a practical approach to analyzing the current security requirements of organizations. It covers detailed security recommendations, implementation planning and the implementation process for the compute, network, web, data, storage, and identity and access management verticals. The book has enough theory to cover all the areas of the AZ-500 exam syllabus. Along with the theory, it has detailed hands-on guidance for implementing the security recommendations in the Azure cloud, with examples and clear screenshots for every security recommendation. Security administrators can refer to this book not only to clear the exam but also for real-time decision making and implementation of security recommendations.
This book is divided into 11 chapters. They cover security recommendations, best practices, implementation planning and the implementation process for the different technical verticals of any organization. The book also includes some topics of other Microsoft Azure certifications, such as AZ-104, AZ-303, AZ-304, SC-200, SC-300, SC-500, SC-900, and MS-500, so learners can get more from a single book. The chapter-wise details are listed below.
Chapter 1 will cover, from the viewpoint of a Microsoft Azure security engineer, how you can check whether Azure Active Directory (AD) is configured securely to serve as an identity store for your Azure-based cloud applications. I will cover major topics such as administering Azure AD users and groups, configuring authentication methods in Azure AD, and configuring application registrations in Azure AD. I will also cover password writeback and passwordless authentication methods in Azure AD. Along with these major topics, we will also go through the architecture and building blocks of Azure AD.
Chapter 2 will cover how to enforce security services from Azure AD. I will cover least-privilege access, both for Azure AD and for other Azure resources. Some of the major topics that will be covered include understanding the use cases for Azure AD Privileged Identity Management (PIM), discovering the holders of high-privilege roles such as owners or global admins in Azure AD and in your Azure subscriptions, configuring time-limited access for privileged roles, and auditing the entire process to ensure security compliance for IAM. You will also learn about setting up Azure Multi-Factor Authentication (MFA), Conditional Access, and Identity Protection.
Chapter 3 will cover how to apply security best practices across your entire subscription and resource groups. Some of the major topics that we will cover include role-based access control, resource locks, Azure Policy, and Azure Blueprints. No organization wants its resources to be deleted accidentally or to grant the highest level of access to everyone. Organizations certainly want to follow certain baselines and policies to keep their infrastructure secure and manageable. By the end of this chapter, you will be able to identify the appropriate permissions for each user and assign them.
Chapter 4 will cover some important networking features and services and how they work in Azure, starting with network security groups, moving on to creating a VPN between your on-premises data center and Microsoft Azure, and finishing with Azure Firewall, with additional services and features sprinkled in between. Some of the major topics that we will cover include planning to secure your Azure network and controlling who has access to your Azure network resources. We will look at Application Gateway with WAF, Azure Front Door, Azure DDoS Protection, and Azure Firewall. By the end of this chapter, you will have a fundamental understanding of how you can better secure your Azure networks using the features and services Azure provides.
Chapter 5 will cover some critical features and services to secure your endpoints, both on-premises and in the cloud. I will explain how to manage Update Management and endpoint protection for Azure VMs. You will also study Azure Key Vault, which stores keys, secrets, and certificates securely, and use it to encrypt the disks of your Azure Virtual Machines. At the end, I will explain how to enable secure authentication on your Azure web apps and how to access them securely. By the end of this chapter, you will understand best practices to better secure your workloads both on-premises and in the cloud using the features and services provided by Microsoft.
Chapter 6 will cover how you can harden the security of your containers. We will start with a basic understanding and deployment of containers, then move to network-level hardening and on to vulnerability identification and management for the containerized environment. Other topics covered will be the isolation of containers and access control over them. By the end of this chapter, you will be able to design and provide secure containers to host your applications. Along with securing containers, you will understand the building blocks and concepts of containers.
Chapter 7 will cover the various monitoring services in Azure. Monitoring of infrastructure and applications is a very important service for taking proactive decisions to prevent unwanted breakdowns. This chapter will include setting up monitoring of Azure resources and services, capturing the different logs and diagnostic parameters, and passing these logs to an alert generator. After this chapter, you will be able to set up monitoring for your infrastructure, including on-premises and Azure.
Chapter 8 will cover Azure Security Center in detail. Azure Security Center is a centralized service which keeps an eye on all the resources in your environment. Its surveillance is not limited to Azure; it can also scan on-premises and third-party cloud environments. You will study the different SKUs of Security Center and their respective features. This chapter will include managing security baseline policies. After this chapter, you will be able to configure security policy management and remediate the recommendations provided by Security Center.
Chapter 9 will cover Microsoft's native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tool, Azure Sentinel. You will study how to configure Azure Sentinel in your environment and how to on-board different Azure and non-Azure data sources into Azure Sentinel. You will see how to configure built-in and custom alerts for when Azure Sentinel detects an unusual event or a threat. At the end of this chapter, I will explain how to do a detailed analysis of the events generated by Azure Sentinel and how to configure an automated workflow for event remediation.
Chapter 10 will cover security best practices for Azure Storage. You will study the different authentication methods for Azure Storage accounts, such as Azure RBAC, Azure AD, and Shared Access Signatures (SAS). You will study the different encryption methods for Azure Storage accounts. You will also study how to access an Azure Storage account securely from your network. By the end of this chapter, you will be able to decide the most secure way to store your data in Azure Storage accounts.
Chapter 11 will cover security best practices for Azure SQL Servers. Azure provides controls over how, and how much, you want to secure your data containers. We will cover different security best practices to secure your Azure SQL Servers and data, such as the best practices to encrypt, authorize, and classify the data in Azure SQL Servers. Enabling auditing and encryption for Azure SQL, the different authentication processes, and data classification are some of the major topics you will study in this chapter. By the end of this chapter, you will be able to decide the most secure way to store your data in Azure SQL Servers.
Downloading the coloured images:
Please follow the link to download the coloured images of the book: https://rebrand.ly/03f4d1
Errata
We take immense pride in our work at BPB Publications and follow best practices to ensure the accuracy of our content and to provide an indulging reading experience to our subscribers. Our readers are our mirrors, and we use their inputs to reflect on and improve upon any human errors that occurred during the publishing processes involved. To let us maintain the quality and help us reach out to any readers who might be having difficulties due to any unforeseen errors, please write to us at:
errata@bpbonline.com
Your support, suggestions and feedback are highly appreciated by the BPB Publications' Family.
Did you know that BPB offers eBook versions of every book published,
with PDF and ePub files available? You can upgrade to the eBook version
at www.bpbonline.com and as a print book customer, you are entitled to a
discount on the eBook copy. Get in touch with us at business@bpbonline.com
for more details.
At www.bpbonline.com, you can also read a collection of free technical
articles, sign up for a range of free newsletters, and receive exclusive
discounts and offers on BPB books and eBooks.
BPB is searching for authors like you
If you're interested in becoming an author for BPB, please visit
www.bpbonline.com and apply today. We have worked with thousands of
developers and tech professionals, just like you, to help them share their
insight with the global tech community. You can make a general application,
apply for a specific hot topic that we are recruiting an author for, or submit
your own idea.
The code bundle for the book is also hosted on GitHub at https://github.com/bpbpublications/Microsoft-Azure-Security-Technologies-AZ-500--A-Certification-Guide. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos
available at https://github.com/bpbpublications. Check them out!
PIRACY
If you come across any illegal copies of our works in any form on the internet,
we would be grateful if you would provide us with the location address or
website name. Please contact us at business@bpbonline.com with a link
to the material.
If you are interested in becoming an author
If there is a topic that you have expertise in, and you are interested in either
writing or contributing to a book, please visit www.bpbonline.com.
REVIEWS
Please leave a review. Once you have read and used this book, why not leave
a review on the site that you purchased it from? Potential readers can then
see and use your unbiased opinion to make purchase decisions, we at BPB
can understand what you think about our products, and our authors can see
your feedback on their book. Thank you!
For more information about BPB, please visit www.bpbonline.com.
Table of Contents
1. Managing Azure AD Identities and Application Access................................ 1
Structure..................................................................................................................... 2
Objectives................................................................................................................... 2
Azure AD overview................................................................................................... 2
Building blocks and objects of Azure AD..................................................... 3
Available version of Azure AD ...................................................................... 4
Azure AD architecture..................................................................................... 5
Creating a new tenant in Azure AD....................................................................... 9
Adding a custom domain to Azure AD............................................................... 10
Adding a company brand to Azure AD............................................................... 13
Customizing your Azure AD sign-in page.................................................. 13
Creating and adding an Azure subscription to your Azure AD....................... 16
Creating a new subscription and associating to a directory..................... 17
Transferring a subscription between Azure AD tenants........................... 18
Managing Azure AD users and groups................................................................ 20
Types of user accounts................................................................................... 20
Types of groups............................................................................................... 21
User management........................................................................................... 21
Group management in Azure AD................................................................ 27
Configuring authentication methods in Azure AD............................................ 30
Types of authentication methods................................................................. 31
Choose the authentication method.............................................................. 32
Prerequisites for Azure AD Connect........................................................... 33
Installing Azure AD Connect with Password Hash Synchronization..... 35
Installing Azure AD Connect with pass-through authentication............ 40
Installing Azure AD Connect for federation with AD FS......................... 46
Topologies for Azure AD Connect.............................................................. 55
Features of Azure AD Connect.................................................................... 56
Setting up password writeback through Azure AD Connect............................ 57
Prerequisites to set up password writeback................................................ 57
Enabling Self Service Password Reset in Azure AD.................................. 58
Selecting authentication and registration options..................................... 58
Setting up account permission for Azure AD Connect account.............. 60
Configuring Azure AD Connect for password writeback........................ 61
Passwordless authentication options in Azure AD............................................. 62
Enabling combined registration experience............................................... 63
Enabling passwordless authentication method.......................................... 63
Creating app registration in Azure AD................................................................ 65
Azure AD applications account types.......................................................... 66
Required access level for app registration................................................... 66
New application registration in Azure AD through the Azure portal.... 67
App registration permission scopes configuration.................................... 69
Conclusion............................................................................................................... 70
Multiple choice questions....................................................................................... 70
2. Configuring Secure Access by Using Azure Active Directory......................73
Structure................................................................................................................... 73
Objectives................................................................................................................. 74
What is Azure AD Privileged Identity Management?........................................ 74
Terminology used in PIM............................................................................. 75
Planning and setting up Azure AD PIM for your organization........................ 76
Planning Azure AD PIM and other security best practices...................... 77
Configuring Azure AD PIM......................................................................... 79
Manage Azure AD PIM for Azure AD roles............................................... 82
Managing Azure AD PIM for Azure resources.......................................... 94
Activating Azure AD and Azure resource role in PIM............................. 98
Azure AD multi-factor authentication (MFA)..................................................100
MFA methods...............................................................................................100
Versions of Azure MFA...............................................................................101
Prerequisites to check before setting up MFA..........................................101
Steps to enable and disable Azure MFA for users....................................102
Configuring Azure MFA settings...............................................................103
Azure AD conditional access...............................................................................110
Building components of Azure AD conditional access policy...............111
Available conditions in Azure AD conditional access.............................112
Azure AD conditional access report only mode......................................114
Azure AD Conditional Access What If tool.............................................115
Service dependencies in Azure AD Conditional Access.........................116
Set up location-based Azure AD Conditional Access.............................117
Set up Azure AD Conditional Access to enforce MFA for administrators....................................121
Set up Azure AD terms of use....................................................................123
VPN connectivity in Azure AD Conditional access................................125
Azure AD Identity Protection.............................................................................126
Azure AD Identity Protection dashboard or security overview.............126
Type of risks identified by Azure AD Identity Protection......................128
Azure AD Identity Protection simulate risk detection............................130
Azure AD Identity Protection policies......................................................131
Conclusion.............................................................................................................135
Multiple choice questions.....................................................................................135
3. Managing Azure Access Control.................................................................139
Structure.................................................................................................................139
Objectives...............................................................................................................140
RBAC to configure permissions over subscription, resource groups, and resources....................................140
Types of roles in Azure................................................................................141
Building components and working of RBAC...........................................143
Types of RBAC roles in Azure....................................................................144
Azure resource lock..............................................................................................152
Apply and remove lock from the Azure resource....................................152
Azure Policy...........................................................................................................154
Assign Azure Policy from the portal.........................................................155
Azure blueprint.....................................................................................................160
Terminology of an Azure Blueprint.............................................................161
Configuring security settings by the Azure Blueprint.............................162
Conclusion.............................................................................................................170
Multiple choice questions.....................................................................................170
4. Implementing Advance Network Security..................................................173
Structure.................................................................................................................173
Objectives...............................................................................................................174
Understand Azure Virtual Networking concepts.............................................174
Azure VNet connectivity scenarios....................................................................176
Setup of Azure VNet to Azure Virtual Network connection..................176
Azure VNet to on-premises network connection....................................188
Azure Network Security Group (NSG) and Application Security Group (ASG).....................................192
Components of network security rule.......................................................192
Azure Virtual Network service tags...........................................................193
Traffic flow through Azure NSGs...............................................................194
Create, configure, and manage Azure NSGs.............................................197
Azure Application Security Groups (ASG)...............................................204
Configure application gateway to secure app service.......................................205
Application gateway features......................................................................205
Traffic flow through application gateway..................................................207
Application gateway building blocks.........................................................209
Deploy application gateway to host single site.........................................211
Configure application gateway for app service.........................................221
Configure application gateway with Web Application Firewall (WAF)...... 224
Azure Front Door (AFD) service........................................................................227
Features of AFD service...............................................................................227
Building blocks and concepts of AFD.......................................................229
Create Azure Front Door.............................................................................234
Azure Firewall........................................................................................................238
Features of Azure Firewall...........................................................................238
Create, configure, and manage Azure Firewall.........................................239
Creating, configuring, and managing Azure Firewall policy..........................245
Components of Azure Firewall policy.......................................................245
Create Azure Firewall policy.......................................................................247
Connect Azure Firewall policy with VNet and hubs...............................248
Manage Azure Firewall policy....................................................................249
Azure Firewall Manager.......................................................................................259
Overview for Azure Firewall Manager......................................................259
Features for Azure Firewall Manager.........................................................259
Manage Azure Firewall Manager...............................................................260
Shielding your Azure Virtual Network with DDoS protection.......................261
Remote access management through Azure Bastion.......................................262
Architecture..................................................................................................263
Features of Azure Bastion............................................................................263
Configuring Azure Bastion.........................................................................264
Service endpoint in Azure....................................................................................266
Configuring service endpoint in Azure Virtual Network.......................266
Azure Resource Firewall......................................................................................267
Azure PaaS SQL............................................................................................267
Azure storage account..................................................................................268
Azure Key Vault............................................................................................269
Conclusion.............................................................................................................270
Multiple choice questions.....................................................................................270
5. Configuring Advance Security for Compute...............................................273
Structure.................................................................................................................274
Objectives...............................................................................................................274
Understand Microsoft Endpoint Protection......................................................274
Features of Microsoft Endpoint Protection..............................................275
Architecture of Microsoft Endpoint Protection.......................................276
Enabling Microsoft Endpoint Protection..................................................277
Monitor Microsoft Endpoint Protection on a running virtual machine.....................281
Configure and harden security for virtual machines.......................................282
Update Management solution for servers..........................................................284
Overview of Update Management.............................................................285
Supported and unsupported client.............................................................286
Configure Update Management for virtual machines.............................287
Azure Key Vault.....................................................................................................296
Create Azure Key Vault................................................................................297
Manage Azure Key Vault.............................................................................298
Azure Key Vault security best practices....................................................306
Azure Virtual Machine disk encryption............................................................325
Azure Disk Encryption for Azure Virtual Machines...............................325
Detailed description of security parameters for Azure App Service..............332
Authentication and authorization..............................................................332
Add SSL/TLS certificate in Azure App Service........................................335
Restricted network access on app service.................................................337
Setup Azure private endpoint connection in app service.......................339
Configure hybrid connection endpoints...................................................347
Conclusion.............................................................................................................353
Multiple choice questions.....................................................................................353
6. Configuring Container Security..................................................................357
Structure.................................................................................................................357
Objectives...............................................................................................................358
Overview of container instance...........................................................................358
Features and benefits of Azure Container Instances...............................358
Building blocks and concepts about Azure Container Instances...........360
Azure security best practices and recommendations for Azure Container Instances (ACI)..............................................................361
Network security..........................................................................................361
Logging and monitoring..............................................................................361
Identity and access management................................................................362
Data protection.............................................................................................362
Some additional recommendations for container instances..................363
Network planning for Azure Container Instances............................................364
Advantages of deploying Containers in Azure Network.........................364
Unsupported networking features.............................................................365
Deploying Azure Container Instance.................................................................365
Isolation modes of Azure Container Instances.................................................368
Process isolation...........................................................................................368
Hyper-V isolation.........................................................................................368
Overview of Azure Container Registry..............................................................369
Features of Azure Container Registry.......................................................369
Creating container registry.........................................................................370
Configuring authentication for Azure Container Registry (ACR)........372
Geo replicate container registry.................................................................374
Some best practices to use Azure Container Registry.............................377
Security best practices for container registry...........................................377
Secure network connectivity features for container registry..................380
Securing data protection in container registry.........................................384
Configuring security for different types of containers.....................................393
Azure Kubernetes Services..................................................................................394
Configuring authentication for AKS cluster.............................................394
Cluster isolation in AKS cluster..................................................................394
Security best practices for AKS cluster......................................................396
Conclusion.............................................................................................................399
Multiple choice questions.....................................................................................399
7. Monitoring Security by Using Azure Monitor............................................401
Structure.................................................................................................................401
Objectives...............................................................................................................402
Type of logs in Azure............................................................................................402
Configure diagnostic logging......................................................................403
Log retention management..................................................................................411
Control log retention period.......................................................................411
Control log collection quantity...................................................................412
Azure Monitor.......................................................................................................414
Overview.......................................................................................................414
Monitoring data sources..............................................................................415
Insights in Azure Monitor...........................................................................416
Azure Monitor for virtual machine............................................................417
Alerts in Azure......................................................................................................423
Types of alerts...............................................................................................423
Application availability alert.......................................................................424
Metric alert rules..........................................................................................431
Creating active logs alerts in Azure Monitor............................................438
Create custom alerts from Azure Monitor................................................440
Create custom alert from Log Analytics workspace................................442
Conclusion.............................................................................................................443
Multiple choice questions.....................................................................................443
8. Monitoring Security by Using Azure Security Center................................445
Structure.................................................................................................................445
Objectives...............................................................................................................446
Azure Security Center..........................................................................................446
Overview.......................................................................................................447
Why to use Azure Security Center?...........................................................447
Azure Security Center support for Azure resources................................449
Upgrade Azure Security Center to Azure Defender................................452
Azure Security Center features...................................................................454
Azure Defender features in security center...............................................464
Centralized management of policies by using Azure Security Center (regulatory compliance)..........................................................486
Add industry and regulatory compliance standards...............................488
Disable security policies in security center...............................................489
Configure a playbook for a security event by using Azure Security Center (workflow automation).....................................................................490
Create logic apps...........................................................................................490
Configure workflow in Azure Security Center.........................................493
Conclusion.............................................................................................................498
Multiple Choice Questions..................................................................................499
9. Monitoring Security by Using Azure Sentinel.............................................501
Structure.................................................................................................................501
Objective.................................................................................................................502
Overview of Azure Sentinel.................................................................................502
Features of Azure Sentinel...................................................................................503
Terminologies used in Azure Sentinel................................................................504
Configuring data source to Azure Sentinel.......................................................505
Monitoring the data collected by connected data sources...............................508
Azure Sentinel overview dashboard...................................................................513
Analytics in Azure Sentinel.................................................................................515
Creating alerts from built-in scheduled analytics rules..........................516
Creating alerts from built-in Microsoft security analytics rules............525
Detailed information of threat incidents in Azure Sentinel............................529
Investigating threat incidents in Azure Sentinel...............................................532
Workflow automation in Azure Sentinel...........................................................538
Creating Playbook for Azure Sentinel.......................................................539
Automating threat incident response in Azure Sentinel through playbook....................................................................................542
Automating alert response through playbook..........................................544
Threat hunting in Azure Sentinel........................................................................545
User and entity behavior analytics in Azure Sentinel.......................................546
Some preview features of Azure Sentinel...........................................................548
Threat intelligence........................................................................................548
Solutions in Azure Sentinel.........................................................................549
Watchlist in Azure Sentinel.........................................................................549
Conclusion.............................................................................................................550
Multiple Choice Questions..................................................................................551
10. Configuring Security for Azure Storage......................................................553
Structure.................................................................................................................553
Objective.................................................................................................................554
Security Recommendation for Azure Storage...................................................554
Secure data protection recommendations................................................554
Identity and Access Management...............................................................555
Networking....................................................................................................556
Configuring Azure Storage service encryption.................................................557
Encryption of data at rest............................................................................558
Encryption of data in transit.......................................................................561
Encryption scope in Azure Storage............................................................563
Authorizing and Access Control in Azure Storage...........................................569
Azure AD integration for Blobs and queues.............................................570
Manage Azure Storage account access through managed identity........574
Manage Azure Storage account access through shared key....................575
Grant Azure Storage account access through Shared Access Signature (SAS).................................................................................. 578
Anonymous access on Azure Storage containers and blobs...................589
Azure Storage access authorize with condition........................................592
Network Security for Azure Storage Accounts..................................................598
Control Azure Storage account access from selected network...............598
Access Azure Storage account through private endpoint.......................601
Network Routing Preference for Azure Storage.......................................603
Enabling advance threat protection on Azure Storage.....................................605
Azure File Share Authentication with Azure AD DS.......................................607
Steps to configure Azure AD DS authentication for Azure File share..607
Conclusion.............................................................................................................611
Multiple Choice Questions..................................................................................612
11. Configuring Security for Azure SQL Databases..........................................613
Structure.................................................................................................................613
Objective.................................................................................................................614
Security Layers for Azure SQL Database...........................................................614
Network Security..........................................................................................615
Access Management.....................................................................................615
Threat Protection..........................................................................................616
Information Protection and Encryption...................................................616
Security Management..................................................................................617
Security best practices for Azure SQL................................................................617
Authentication best practices......................................................................617
Data protection best practices....................................................................618
Network security best practices..................................................................618
Monitoring, logging, and auditing best practices....................................619
Authentication Processes for Azure SQL Server...............................................619
SQL authentication method........................................................................619
Azure Active Directory authentication for Azure SQL server...............621
Enabling auditing on Azure SQL........................................................................628
Enabling server level auditing.....................................................................628
Audit for Microsoft support operations....................................................629
Enabling database level auditing................................................................630
View audit logs..............................................................................................632
Implementing Database Encryption...................................................................635
Transparent data encryption.......................................................................635
Implement Azure SQL Database Always encryption..............................638
Enabling Azure Defender for Azure SQL Server..............................................654
Configure Vulnerability Assessment..........................................................655
Configure advance threat protection.........................................................658
Data discovery and classification........................................................................659
Discover, classify, and label sensitive columns.........................................660
Dynamic Data Masking (DDM).........................................................................668
Configure Dynamic Data Masking (DDM) for a Database....................670
Conclusion.............................................................................................................671
Multiple Choice Questions..................................................................................672
Index...................................................................................................................................673
Chapter 1
Managing Azure AD Identities and Application Access
In this chapter, you will learn how, as a Microsoft Azure security engineer, you can
check whether Azure Active Directory (Azure AD) is configured securely to serve as
the identity store for your Azure-based cloud applications. The major topics covered
are administering Azure AD users and groups, configuring authentication methods in
Azure AD, and configuring application registrations in Azure AD. By the end of this
chapter, you will be able to improve your company's Azure AD security posture. Along
the way, we will also go through the architecture and building blocks of Azure AD.
Let's start the journey into Azure AD application security by looking at how Azure AD
is configured for Microsoft Azure workloads.
Azure AD is Microsoft's cloud-based identity and access management service. It
provides authentication and authorization for your users and applications, and it is
used by IT administrators, application developers, Office 365 and Microsoft 365
subscribers, and many more. Azure AD is licensed in several editions that unlock
different features, so you buy the license that matches your business requirement.
The available editions are Azure AD Free, Azure AD Premium P1, Azure AD Premium
P2, and pay-as-you-go feature licenses.
Microsoft Azure Security Technologies (AZ-500) - A Certification Guide
Structure
In this chapter, we will learn the following topics:
• An overview of Azure AD
• Adding a custom domain in Azure AD
• Creating a new domain in Azure AD
• Adding a company brand to Azure AD
• Creating and adding an Azure subscription to your Azure AD
• Managing Azure AD users and groups
• Configuring authentication methods in Azure AD
• Setting up password writeback through Azure AD Connect
• Passwordless authentication options in Azure AD
• Creating the app registration in Azure AD
• Configuring and managing app registration permission scopes and consent
• Conclusion
• Multiple choice questions (MCQ)
Objectives
The objective of this chapter is to understand the architecture and building blocks
of Azure AD and the different editions of Azure AD. You will also go through the
process of deploying and managing an Azure AD tenant, and then creating, managing,
and moving subscriptions across tenants. You will study user and group management in
Azure AD and the available authentication methods, the different ways to synchronize
an on-premises Active Directory with Azure AD, and application registration in
Azure AD.
Azure AD overview
Azure AD is Microsoft's cloud-based identity and access management service. You can
use Azure AD for authentication and authorization across multiple clouds and
on-premises services, for both external and internal resources. External resources
include Microsoft Office 365, the Azure portal, and many SaaS applications; internal
resources include your cloud-based applications and your native on-premises
applications and services.
Building blocks and objects of Azure AD
Before working on Azure AD, it is important to know its building blocks and
components. While working on Azure AD, you will deal with these components
constantly, so you should also have some technical understanding of how they relate
to each other:
• Account: In Azure AD, an account represents an identity, and this identity has
attributes associated with it. You cannot have an account in Azure AD without
identity attributes. The attributes may include an object ID, username, application
ID, location, address, phone number, and so on.
• Azure AD account: An identity created through Azure AD or Office 365 and stored
in Azure AD. You use these identities to access your cloud services, applications,
and resources. This kind of account is also called a work or school account.
• Account administrator: A classic subscription administrator role; conceptually,
the billing owner of a subscription. The account administrator can access the Azure
Account Center and manage all subscriptions in an account.
• Azure AD global administrator: This administrator role is automatically assigned
to whoever created the Azure AD tenant. Global administrators can perform all
administrative functions in Azure AD and in any service that federates to Azure AD,
such as Exchange Online, SharePoint Online, and Skype for Business Online. Because a
global administrator can change any tenant setting, including adding further global
administrators, keep the membership of this role small and protect every member with
multi-factor authentication. Note that this role is called global administrator in
the Azure portal but company administrator in the Microsoft Graph API and Azure AD
PowerShell.
• Azure subscription: A logical collection of Azure cloud services. You need a
subscription to deploy any resource in Azure, and you can have many subscriptions.
Each subscription trusts a single Azure AD tenant for authentication and is tied to
a billing account; the pricing model can be pay-as-you-go, enterprise agreement, and
so on.
• Azure tenant: An Azure tenant represents a single organization. It is the top of
your Microsoft cloud service umbrella. A dedicated and trusted instance of Azure AD
is created automatically when your organization signs up for a Microsoft cloud
service such as Microsoft Azure, Microsoft Intune, or Office 365.
• Azure AD directory: Each Azure tenant has a dedicated and trusted Azure AD
directory. The directory holds the tenant's users, groups, and apps, and it is used
to perform identity and access management functions for tenant resources.
• Custom domain: Every new Azure AD directory comes with an initial default domain
name, domainname.onmicrosoft.com. In addition, you can add your organization's own
domain names. A custom domain name lets you create usernames that are familiar to
your users, such as xyz@mybook.com or abc@mybook.com. You must prove ownership of a
custom domain by publishing a DNS record that Azure AD issues before the domain is
verified and can be used for sign-in names.
• Identity: Anything that can be authenticated. An identity can be a user with a
username and password, and identities also include applications.
• Microsoft account: A personal account that provides access to Microsoft products
and cloud services such as Outlook, OneDrive, Xbox Live, or Office 365. Microsoft
accounts are created and stored in the Microsoft consumer identity account system
that Microsoft runs.
• Multi-tenant: Azure tenants that access other services in a shared environment,
across multiple organizations, are considered multi-tenant.
• Owner: A built-in Azure Role-Based Access Control (RBAC) role that grants full
access to manage all resources at the scope where it is assigned, including the right
to assign roles to others. This is a resource-level Azure RBAC role, not an Azure AD
directory role.
• Service administrator: A classic subscription administrator role that lets you
manage all Azure resources, including access. It has the equivalent access of a user
assigned the Owner role at the subscription scope.
• Single tenant: Azure tenants that access services in a dedicated environment are
considered single tenant.
These are some of the building components of Azure AD. You will use them very
frequently while working on Azure AD and studying the coming chapters.
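As an added example (not code from the book), the following Python script checks several of the building blocks above from Microsoft Graph output: that the tenant has exactly one initial onmicrosoft.com domain, that every custom domain is verified, and who holds the Global Administrator role. The two JSON documents are constructed to look like the responses of GET /v1.0/domains and GET /v1.0/directoryRoles/{id}/members, so the script runs offline; in a real tenant you would fetch them with an access token that carries the Directory.Read.All permission.

```python
"""Audit tenant building blocks (domains, Global Administrators) from
Microsoft Graph responses. Added example, not from the book; the JSON
below is constructed so the script runs offline."""
import json

# Well-known roleTemplateId of the Global Administrator directory role.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample of GET https://graph.microsoft.com/v1.0/domains
DOMAINS_JSON = """{"value": [
  {"id": "mybook.onmicrosoft.com", "isInitial": true, "isDefault": false,
   "isVerified": true, "authenticationType": "Managed"},
  {"id": "mybook.com", "isInitial": false, "isDefault": true,
   "isVerified": true, "authenticationType": "Managed"},
  {"id": "staging-mybook.com", "isInitial": false, "isDefault": false,
   "isVerified": false, "authenticationType": "Managed"}
]}"""

# Constructed sample of the Global Administrator role's members:
# GET /v1.0/directoryRoles?$filter=roleTemplateId eq '<template id>'
# returns the role object, GET /v1.0/directoryRoles/<id>/members returns this.
GLOBAL_ADMINS_JSON = """{"value": [
  {"@odata.type": "#microsoft.graph.user", "userType": "Member",
   "userPrincipalName": "alice@mybook.com"},
  {"@odata.type": "#microsoft.graph.user", "userType": "Member",
   "userPrincipalName": "bob@mybook.com"},
  {"@odata.type": "#microsoft.graph.user", "userType": "Guest",
   "userPrincipalName": "carol_contoso.com#EXT#@mybook.onmicrosoft.com"},
  {"@odata.type": "#microsoft.graph.servicePrincipal",
   "displayName": "legacy-automation"}
]}"""


def graph_values(body: str) -> list:
    """Unwrap the 'value' array that Graph collection responses carry."""
    return json.loads(body)["value"]


def audit_domains(domains: list) -> list:
    """Findings about the tenant's domain list."""
    findings = []
    initial = [d["id"] for d in domains if d.get("isInitial")]
    if len(initial) != 1 or not initial[0].endswith(".onmicrosoft.com"):
        findings.append("expected exactly one *.onmicrosoft.com initial domain")
    for d in domains:
        if not d.get("isVerified"):
            # Unverified domains cannot be used in user principal names.
            findings.append(f"domain {d['id']} is not verified")
    default = [d["id"] for d in domains if d.get("isDefault")]
    if default and default[0] in initial:
        findings.append("default domain is still the initial onmicrosoft.com name")
    return findings


def audit_global_admins(members: list, max_admins: int = 5) -> list:
    """Findings about who holds Global Administrator. Thresholds follow
    Microsoft's guidance: at least two (break-glass) and fewer than five
    human Global Administrators."""
    findings = []
    users = [m for m in members if m.get("@odata.type") == "#microsoft.graph.user"]
    if len(users) < 2:
        findings.append("fewer than two Global Administrators: lockout risk")
    if len(users) >= max_admins:
        findings.append(f"{len(users)} Global Administrators, guidance is fewer than {max_admins}")
    for m in members:
        if m.get("userType") == "Guest":
            findings.append(f"guest {m['userPrincipalName']} is Global Administrator")
        elif m.get("@odata.type") == "#microsoft.graph.servicePrincipal":
            findings.append(f"service principal {m.get('displayName')} is Global Administrator")
    return findings


def run_audit() -> dict:
    """Run both checks over the constructed samples."""
    return {
        "domains": audit_domains(graph_values(DOMAINS_JSON)),
        "global_admins": audit_global_admins(graph_values(GLOBAL_ADMINS_JSON)),
    }


if __name__ == "__main__":
    for area, items in run_audit().items():
        print(area)
        for finding in items:
            print("  -", finding)
```

On the constructed data the script reports the unverified staging domain, the guest account holding Global Administrator, and the service principal in the role; the two member users fall inside the recommended range, so no count finding is raised.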
Available version of Azure AD
Microsoft Online business services such as Office 365 or Microsoft Azure require
Azure AD for sign-in and to help with identity protection. If you subscribe to any
Microsoft Online business service, you automatically get Azure AD with access to all
of the free features. To enhance your Azure AD features, you can add paid
capabilities by upgrading to Azure AD Premium P1 or Premium P2 licenses. Azure AD
paid licenses are additional to the free directory:
• Azure Active Directory Free: The basic, default edition of Azure AD. It provides
the standard level of features such as user and group management, on-premises
directory synchronization, basic reports, self-service password change for cloud
users, and single sign-on across Azure, Office 365, and many popular SaaS apps.
• Azure Active Directory Premium P1: The second tier. In addition to the free
features, P1 lets your hybrid users access both on-premises and cloud resources. It
also supports advanced administration such as dynamic groups, self-service group
management, Microsoft Identity Manager (an on-premises identity and access
management suite), and cloud write-back capabilities, which allow self-service
password reset for your on-premises users.
• Azure Active Directory Premium P2: In addition to the free and P1 features, P2
offers Azure Active Directory Identity Protection, which provides risk-based
Conditional Access to your apps and critical company data, and Privileged Identity
Management, which helps you discover, restrict, and monitor administrators and their
access to resources and provides just-in-time access when needed.
• Pay-as-you-go feature licenses: You can also buy additional feature licenses such
as Azure AD Business-to-Consumer (B2C). B2C helps you provide identity and access
management for your customer-facing apps.
Choose the Azure AD edition based on your organization's requirements and the
features you need.
Azure AD architecture
Azure AD enables you to securely manage your users' access to Microsoft cloud
services and resources. It is a full suite of identity management capabilities: you
can create and manage users and groups, grant and deny permissions to enterprise
resources, and synchronize on-premises identities and their credentials. Azure AD is
Microsoft's geographically distributed identity service, with extensive monitoring,
automated rerouting, failover, and recovery capabilities.
In this section, we will cover the following elements:
• Azure AD service architecture design
• Continuous availability of Azure AD
• Scalability of Azure AD
• Datacenter arrangement for Azure AD
• Workflows of some key features of Azure AD
Azure AD service architecture design
In this section, we will look briefly at the architecture of Azure AD and how it
stores customer identities. Azure AD divides customers' identity data into
partitions, and each partition has a data tier where the data is actually stored.
The data tier provides read-write capability. The following diagram shows how the
components of a single-directory partition are delivered across geographically
distributed datacenters:
Figure 1.1: Azure AD replication process
The components of the Azure AD architecture include a primary replica and
secondary replicas:
• Primary replica: The primary replica receives all writes for the partition it
belongs to. Any write operation is immediately replicated to a secondary replica in
a different datacenter before success is returned to the caller, thus ensuring
geo-redundant durability of writes.
• Secondary replicas: Secondary replicas are stored in different physical
datacenters, located across geographies such as the US, Europe, and Asia. All
directory reads are serviced from secondary replicas. There are many secondary
replicas, as data is replicated to them asynchronously. Directory reads, such as
authentication requests, are serviced from datacenters close to the customer's
geography. The secondary replicas are responsible for read scalability.
Managing Azure AD Identities and Application Access
7
Scalability
Scalability is the ability of a service to expand to meet increasing performance
demands. Azure achieves write scalability by partitioning the data and read
scalability by replicating data from one partition to multiple secondary replicas
distributed throughout the world.
Requests from directory applications are routed to the datacenter that they are
physically closest to. Writes are transparently redirected to the primary replica to
provide read-write consistency. Secondary replicas significantly extend the scale of
partitions because the directories are typically serving reads most of the time.
Directory applications and users’ requests are routed to the nearest datacenters.
This connection improves performance and therefore, scaling out is possible. Since
a directory partition can have many secondary replicas, secondary replicas can be
placed closer to the directory clients. Only the directory service components that are
write-intensive target the active primary replica directly.
Continuous availability
Availability (or uptime) defines the ability of a system to perform uninterrupted. The
key to Azure AD’s high availability is that the services can quickly shift traffic across
multiple geographically distributed datacenters. Each datacenter is independent,
which enables de-correlated failure modes. Through this high availability design,
Azure AD requires no downtime for maintenance activities:
• Fault tolerance: Azure provides a highly fault-tolerant system by assuring high availability of its hardware, network, and software during any failures. For each partition in the directory, a highly available master primary replica exists. Only writes to the partition are performed at this replica. This replica is continuously and closely monitored, and writes can be immediately shifted to another replica (which becomes the new primary) if a failure is detected. During failover, there could be a loss of write availability, typically of one to two minutes. Read availability is not affected during this time. Read operations only go to secondary replicas. Since secondary replicas are idempotent, loss of any one replica in a partition is easily compensated by directing the reads to another replica, usually in the same datacenter.
• Data durability: A write is durably committed to at least two datacenters before it is acknowledged. This happens by first committing the write on the primary, and then immediately replicating the write to at least one other datacenter. This ensures that a potential catastrophic loss of the datacenter hosting the primary does not result in data loss.
Datacenters
Azure AD’s replicas are stored in datacenters located across the world with the
following characteristics:
• Authentication, graph, and other AD services reside behind the gateway service. The gateway manages load balancing of these services. It will fail over automatically if any unhealthy servers are detected using transactional health probes. Based on these health probes, the gateway dynamically routes traffic to healthy datacenters.
• For reads, the directory has secondary replicas and corresponding front-end services in an active-active configuration operating in multiple datacenters. In case of a failure of an entire datacenter, traffic will be automatically routed to a different datacenter. For writes, the directory will fail over the primary (master) replica to another datacenter using its failover procedures. Data durability is achieved by replicating any commit to at least two datacenters.
Some key features workflow
Following are some key features of Azure AD. Here you will understand how Azure
AD maintains data consistency and high availability.
• Data consistency: The directory model is one of eventual consistency. One typical problem with distributed, asynchronously replicating systems is that the data returned from a particular replica may not be up to date. Azure AD provides read-write consistency for applications targeting a secondary replica by routing their writes to the primary replica and synchronously pulling the writes back to the secondary replica.
Application writes using the Microsoft Graph API of Azure AD are abstracted from maintaining affinity to a directory replica for read-write consistency. The Microsoft Graph API service maintains a logical session, which has affinity to the secondary replica used for reads; the affinity is captured in a replica token that the service caches in a distributed cache in the secondary replica's datacenter. This token is then used for subsequent operations in the same logical session. To continue using the same logical session, subsequent requests must be routed to the same Azure AD datacenter. It is not possible to continue a logical session if the directory client's requests are being routed to multiple Azure AD datacenters; if this happens, the client has multiple logical sessions with independent read-write consistency.
• Backup protection: The directory implements soft deletes, instead of hard deletes, for users and tenants for easy recovery in case of accidental deletes by a customer. If your tenant administrator accidentally deletes users, they can easily undo and restore the deleted users. Azure AD implements daily backups of all data; therefore, it can authoritatively restore data in case of any logical deletions or corruptions.
• Metrics and monitors: Running a high-availability service requires very efficient monitoring capabilities. Azure AD continually analyzes and reports key service health metrics and success criteria for each of its services. If any Azure AD service is not working as expected, action is immediately taken to restore the functionality as quickly as possible. The most important metric Azure AD tracks is how quickly live site issues can be detected and mitigated for customers. Microsoft invests heavily in monitoring and alerts to minimize time to detect (TTD target: <5 minutes) and in operational readiness to minimize time to mitigate (TTM target: <30 minutes).
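To make the replication and consistency behaviour described above concrete, here is a small Python model. It is an added illustration, not code from this book or from Microsoft: one primary replica per partition takes every write and acknowledges only after a secondary in another datacenter also holds it; the other secondaries catch up asynchronously; a read without a session token is eventually consistent, while a read that carries the token of the session's last write forces the secondary to pull that write first; and failover promotes a fully caught-up secondary. The replica names, datacenters, user objects and the integer "token" are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Replica:
    name: str
    datacenter: str
    data: dict = field(default_factory=dict)   # object id -> attributes
    version: int = 0                           # highest write sequence number applied


class Partition:
    """One directory partition: a single primary replica plus geo-distributed secondaries."""

    def __init__(self, primary, secondaries):
        self.primary = primary
        self.secondaries = list(secondaries)
        self.log = []          # (seq, obj_id, attrs) in commit order
        self.seq = 0

    def _catch_up(self, replica, upto):
        """Apply every committed write newer than the replica's version, up to `upto`."""
        for seq, obj_id, attrs in self.log:
            if replica.version < seq <= upto:
                replica.data[obj_id] = dict(attrs)
                replica.version = seq

    def write(self, obj_id, attrs):
        """All writes go to the primary. The write is acknowledged only after it is also
        committed on a secondary in a different datacenter (durable in two datacenters)."""
        self.seq += 1
        self.log.append((self.seq, obj_id, dict(attrs)))
        self._catch_up(self.primary, self.seq)
        remote = next(s for s in self.secondaries
                      if s.datacenter != self.primary.datacenter)
        self._catch_up(remote, self.seq)
        return self.seq      # stands in for the replica token handed back to the session

    def replicate_async(self):
        """Background replication: bring every secondary fully up to date."""
        for s in self.secondaries:
            self._catch_up(s, self.seq)

    def read(self, secondary, obj_id, token=None):
        """Reads are served by a secondary. Without a token the read is eventually
        consistent; with the session's token the secondary first pulls the writes
        that session has already seen (read-your-writes)."""
        if token is not None and secondary.version < token:
            self._catch_up(secondary, token)
        return secondary.data.get(obj_id)

    def failover(self):
        """Promote a fully caught-up secondary when the primary is lost. Every
        acknowledged write already lives on some secondary, so nothing is lost."""
        new_primary = next(s for s in self.secondaries if s.version == self.seq)
        self.secondaries.remove(new_primary)
        self.secondaries.append(self.primary)   # old primary rejoins as a secondary
        self.primary = new_primary
        return new_primary.name


def demo():
    """Constructed scenario: three replicas in three regions, one user written and read."""
    us = Replica("us-primary", "US")
    eu = Replica("eu-secondary", "EU")
    asia = Replica("asia-secondary", "ASIA")
    part = Partition(us, [eu, asia])

    token = part.write("alice", {"department": "IT"})
    observations = {
        "sync_copy_version": eu.version,                  # EU received the write before the ack
        "stale_read": part.read(asia, "alice"),           # ASIA has not replicated yet: None
        "session_read": part.read(asia, "alice", token),  # token forces catch-up: fresh data
    }
    part.replicate_async()
    observations["new_primary"] = part.failover()         # a caught-up secondary takes over
    token2 = part.write("bob", {"department": "HR"})
    observations["read_after_failover"] = part.read(asia, "bob", token2)
    observations["old_primary_is_secondary"] = us in part.secondaries
    return observations


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The `stale_read` result is the eventual-consistency gap the text warns about: a client whose requests land on a different secondary without its session token can see the old state. The `session_read` result shows why the Microsoft Graph service pins a logical session to one replica through its replica token.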
In this section you studied about Azure AD architecture, some basic functionalities,
and features.
Creating a new tenant in Azure AD
You can create a new tenant for your organization in Azure. Your new tenant
represents your organization and helps you manage a specific instance of Microsoft
cloud services for your internal and external users. You can also create different
directories for different environments. You may not want your development team
to use the production directory for their testing; for this, you can create a
separate tenant for the development team with some test and dummy users.
Let’s follow the given steps to create a new tenant:
1. Log in to the Azure portal and click on + Create new resource.
2. Search for Azure AD and click on Manage tenants and create.
3. It will open a new window. From there you can create Azure Active Directory
tenant or Azure Active Directory (B2C) tenant.
4. Choose Azure Active Directory option and move to Configuration tab. Fill in
the details of the new tenant:
Figure 1.2: Create a new Azure AD tenant
As shown in the preceding screenshot, fill in the name of your organization and the domain.
You can choose the country or region where you want to create your directory. You
cannot change the directory location after deployment. This location will hold the
original directory and the primary replica of the directory.
To create a new tenant, you should have the global administrator or owner access on
Azure. Once the new tenant is created, the person who creates the tenant becomes
global administrator of the new tenant.
Adding a custom domain to Azure AD
Every new Azure AD tenant comes with an initial domain name, <domainname>.
onmicrosoft.com. You cannot change or delete the initial domain name, but you
can add your organization's own domain names. Adding custom domain names helps you
create usernames that are familiar to your users, such as user@mybookdemo.co.in. In the
previous section, we saw how to create a tenant with its default initial domain.
In this demo, we will see how to add your own custom domain. To add a custom
domain, you must own the domain name and it should be registered with a
domain registrar. Following are the steps to add a custom domain to Azure AD.
1. To add your custom domain, log in to the Azure portal and go to your Azure
AD.
2. Go to Custom domain names under the Manage section:
Figure 1.3: Azure AD custom domain overview page
As shown in the preceding screenshot, you can see the default domain of
your directory on the custom domain names page.
3. Click on + Add custom domain to enter your domain name:
Figure 1.4: Azure AD custom domain name
Provide a custom domain name which you own and have access to in order
to update the TXT or MX record with the domain registrar. Click on Create
to add the domain name.
4. On the custom domain name dashboard, an unverified domain name will be
added. Click on your custom domain name here to see the DNS information.
Save this information. You will need it later to create a TXT record to configure
DNS:
Figure 1.5: Azure AD custom domain verification status
The preceding screenshot shows our Unverified custom domain. To verify
this domain, you will need to update TXT or MX records to your domain
registrar.
5. Once you click on the custom domain, you will get the details of TXT or MX
records:
Figure 1.6: TXT and MX records for your custom domain
As shown in the preceding screenshot, you can copy the TXT or MX record to
update the DNS zone at your registrar.
6. After you add your custom domain name to Azure AD, you must return
to your domain registrar and add the Azure AD DNS information from
the record you copied. Creating this TXT record for your domain verifies
your ownership of the domain name. Go back to your domain registrar
and create a new TXT record for your domain based on the copied DNS
information. Set the time-to-live (TTL) to 3600 seconds (60 minutes), and
then save the record.
7. Once you update details with the domain registrar, come back to the custom
domain names under Azure AD and click on your unverified custom domain.
Now, click on Verify as shown in Figure 1.6.
Once the domain is verified, you can use it for user creation, user sync from on-premises AD, and federation, and you can use it as your brand. Because whoever controls the DNS zone at the registrar can now influence how your users authenticate, protect the registrar account as you would a privileged identity.
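Before clicking Verify, it is worth confirming that the TXT record is already visible in public DNS, since the portal check fails until the record has propagated. The following Python script is an added example, not part of the book and not Microsoft's verification logic: it builds a DNS TXT query with only the standard library, parses the reply (including compression pointers), and checks for the ownership token. The domain mybookdemo.co.in is the book's example; the token value MS=ms12345678, the second SPF record and the whole sample reply are constructed for the test, so substitute the value your portal shows; the resolver address used by `query_txt` is an assumption.

```python
import secrets
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name):
    # "mybookdemo.co.in" -> length-prefixed labels terminated by a zero byte
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_txt_query(name, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    for _ in range(128):                      # guard against pointer loops
        length = pkt[off]
        if length & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("malformed name")
    return ".".join(labels), (end if end is not None else off)


def parse_txt_records(pkt, txid=None):
    """Return the TXT strings from the answer section; raise on a bad reply."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if txid is not None and rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = _read_name(pkt, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            i, parts = 0, []
            while i < rdlen:                  # TXT rdata is a sequence of <len><chars>
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
            records.append("".join(parts))
    return records


def domain_verified(records, expected):
    """True when the exact ownership token the portal asked for is published."""
    return any(r.strip() == expected for r in records)


def query_txt(name, resolver="1.1.1.1", timeout=3.0):
    """Live lookup (needs network); returns the TXT strings at the zone apex."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), (resolver, 53))
        reply, _ = s.recvfrom(4096)
    return parse_txt_records(reply, txid)


def sample_response(txid=0x1234):
    """Constructed reply for mybookdemo.co.in carrying a made-up token and an SPF record."""
    question = encode_name("mybookdemo.co.in") + struct.pack("!HH", TYPE_TXT, CLASS_IN)

    def rr(txt):
        rdata = bytes([len(txt)]) + txt.encode()
        return (b"\xC0\x0C"                     # pointer back to the question name
                + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 3600, len(rdata)) + rdata)

    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    return header + question + rr("MS=ms12345678") + rr("v=spf1 -all")


if __name__ == "__main__":
    found = parse_txt_records(sample_response(), 0x1234)
    print(found, domain_verified(found, "MS=ms12345678"))
```

For a real check call `query_txt("yourdomain.example")` and pass the result with the token from the portal to `domain_verified`; the transaction-id and rcode checks are there so a spoofed or failed reply is not mistaken for a successful verification.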
Adding a company brand to Azure AD
When you create an Azure AD tenant, it comes with default logos and
background. You may want to put your organization's brand logo, tag lines, and
background settings in Azure AD. This provides a consistent look-and-feel on
your Azure AD sign-in pages. Your sign-in pages appear when users sign in to
your organization's apps, such as Office 365, which uses Azure AD as your identity
provider. To add custom branding, you need Azure AD Premium P1,
Premium P2, or Basic edition, or an Office 365 license.
Customizing your Azure AD sign-in page
You can customize your Azure AD sign-in page, which appears when users sign
in to your organization’s tenant-specific apps. Your custom branding will not
immediately appear when your users go to sites such as www.office.com. Instead, the
user must sign-in before your customized branding appears.
All branding elements are optional. You can choose among the
elements. For example, if you specify a banner logo with no background image,
the sign-in page will show your logo with a default background image from the
destination site.
Setting up customized branding
Let’s follow the given steps to set up your company brand with your company
background color, logo, and image:
1. Log in to the Azure portal using a global administrator account for the
directory.
2. Select Azure AD, and then select Company branding, and then
select Configure under the Manage section:
Figure 1.7: Company branding overview page in Azure AD
The preceding screenshot shows the default configuration. By default, it
does not have any custom background image, logo, or background color.
3. On the Configure company branding page, you will see multiple options
for your branding. You can provide any or all the following information. All
the custom images you add on this page have an image size (pixels), and
potentially file size (KB), restrictions. Because of these restrictions, you’ll
most-likely need to use a photo editor to create the right-sized images:
Figure 1.8: Upload the background image and logo for company branding
As shown in the preceding screenshot, upload the files with the desired
size, pixels, and format. There are various fields to fill in; following is a
description of these fields.
• Language: The language is automatically set as your default and can't be changed.
• Sign-in page background image: Select a .png or .jpg image file to appear as the background for your sign-in page. The image will be anchored to the center of the browser and will scale to the size of the viewable space. You cannot select an image larger than 1920x1080 pixels in size or one that has a file size of more than 300 KB.
• Banner logo: Select a .png or .jpg version of your logo to appear on the sign-in page after the user enters a username and on the My Apps portal page. The image can't be taller than 60 pixels or wider than 280 pixels.
• Username hint: Type the hint text that appears to users if they forget their username. This text must be Unicode, without links or code, and cannot exceed 64 characters.
• Sign-in page text and formatting: Type the text that appears at the bottom of the sign-in page. You can use this text to communicate additional information, such as the phone number of your helpdesk or a legal statement. This text must be Unicode and not exceed 1024 characters. To begin a new paragraph, use the enter key twice. You can also change text formatting to include bold, italics, an underline, or a clickable link. Use the following syntax to add formatting to the text:
  • Hyperlink: [text](link)
  • Bold: **text** or __text__
  • Italics: *text* or _text_
  • Underline: ++text++
• Sign-in page background color: Specify the hexadecimal color (for example, white is #FFFFFF) that will appear in place of your background image in low-bandwidth connection situations.
• Square logo image: Select a .png (preferred) or .jpg image of your organization's logo to appear to users during the setup process for new Windows 10 Enterprise devices. This image is only used for Windows authentication and appears only on tenants that are using Windows Autopilot for deployment or for password entry pages in other Windows 10 experiences.
• Square logo image, dark theme: This is the same as the preceding square logo image. This logo image takes the place of the square logo image when used with a dark background, such as the Windows 10 Azure AD join screens during the out-of-box experience (OOBE). If your logo looks good on white, dark blue, and black backgrounds, you don't need to add this image.
• Show option to remain signed in: You can choose this option to allow your users to remain signed in to Azure AD until they explicitly sign out. If you choose No, the option is hidden and users must sign in each time the browser is closed and reopened. Keep in mind that a persistent session on a shared or unmanaged device stays usable by whoever picks the device up next, so weigh this convenience against where your users sign in.
4. After you have finished adding your branding, select Save. Once you have
finished the setup, the custom branding overview page will look as shown
in the following screenshot:
Figure 1.9: Updated company branding overview page
The updated overview page shows the check boxes for custom setups.
In this section, you learned how to add your company logo and background for the Azure
AD sign-in page. You can edit any setting by clicking on the current configuration.
You cannot change your original configuration’s language from your
default language. However, if you need a configuration in a different
language, you can create a new configuration. For this, click on + New
language. It will open the same window as shown in Figure 1.8. Here, the
language option was the default one but now here you get a drop down to
choose the language. The rest of the options are the same as we discussed
in the previous section.
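The portal rejects assets that break the limits listed for each field, so it helps to pre-flight them before the upload. The following Python script is an added example (not from the book or from Microsoft) that checks a branding configuration against exactly those limits: background image at most 1920x1080 pixels and 300 KB, banner logo at most 280x60 pixels, username hint at most 64 characters with no links or markup, sign-in text at most 1024 characters, and a #RRGGBB background colour. Image dimensions are read directly from the PNG IHDR chunk or the JPEG SOF marker, so no imaging library is needed. The `png_header` and `jpeg_header` helpers build constructed image headers for the test; the configuration keys and the link-detection regex are my own choices.

```python
import re
import struct

MAX_BG_BYTES = 300 * 1024
MAX_BG_DIMS = (1920, 1080)
MAX_BANNER_DIMS = (280, 60)
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
LINK_RE = re.compile(r"https?://|\[[^\]]*\]\([^)]*\)|<[^>]+>", re.IGNORECASE)


def image_dimensions(data):
    """Return (width, height) for PNG or JPEG bytes; raise ValueError otherwise."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return struct.unpack("!II", data[16:24])
    if data[:2] == b"\xff\xd8":                           # JPEG: walk segments to a SOF marker
        i = 2
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                raise ValueError("corrupt JPEG segment")
            marker = data[i + 1]
            if marker == 0xFF:                            # fill byte between markers
                i += 1
                continue
            if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers carry no length
                i += 2
                continue
            if marker in SOF_MARKERS:
                if i + 9 > len(data):
                    raise ValueError("truncated SOF segment")
                height, width = struct.unpack("!HH", data[i + 5:i + 9])
                return width, height
            i += 2 + struct.unpack("!H", data[i + 2:i + 4])[0]
        raise ValueError("no SOF marker found")
    raise ValueError("only .png or .jpg images are accepted")


def check_image(data, max_dims, max_bytes=None):
    """Return a list of violations (empty means the image is acceptable)."""
    problems = []
    if max_bytes is not None and len(data) > max_bytes:
        problems.append("file is %d bytes, limit %d" % (len(data), max_bytes))
    try:
        w, h = image_dimensions(data)
    except ValueError as e:
        return problems + [str(e)]
    if w > max_dims[0] or h > max_dims[1]:
        problems.append("image is %dx%d, limit %dx%d" % (w, h, max_dims[0], max_dims[1]))
    return problems


def check_username_hint(text):
    problems = []
    if len(text) > 64:
        problems.append("username hint is %d characters, limit 64" % len(text))
    if LINK_RE.search(text):
        problems.append("username hint must not contain links or code")
    return problems


def check_signin_text(text):
    return ["sign-in text is %d characters, limit 1024" % len(text)] if len(text) > 1024 else []


def check_background_color(value):
    if re.fullmatch(r"#[0-9A-Fa-f]{6}", value):
        return []
    return ["background colour %r is not a #RRGGBB value" % value]


def validate_branding(cfg):
    """cfg keys (all optional): background_image, banner_logo (bytes),
    username_hint, signin_text, background_color. Returns {field: [problems]}."""
    checks = {
        "background_image": lambda v: check_image(v, MAX_BG_DIMS, MAX_BG_BYTES),
        "banner_logo": lambda v: check_image(v, MAX_BANNER_DIMS),
        "username_hint": check_username_hint,
        "signin_text": check_signin_text,
        "background_color": check_background_color,
    }
    result = {k: checks[k](v) for k, v in cfg.items() if k in checks}
    return {k: v for k, v in result.items() if v}


# Constructed test assets: only the headers matter for the dimension check.
def png_header(width, height):
    return (b"\x89PNG\r\n\x1a\n" + struct.pack("!I", 13) + b"IHDR"
            + struct.pack("!II", width, height) + b"\x08\x06\x00\x00\x00")


def jpeg_header(width, height):
    app0 = b"\xff\xe0" + struct.pack("!H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = (b"\xff\xc0" + struct.pack("!H", 17) + b"\x08" + struct.pack("!HH", height, width)
            + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    print(validate_branding({"background_image": png_header(1921, 1080),
                             "username_hint": "See https://intranet.example/help"}))
```

In practice read the real files with `open(path, "rb").read()` and pass the bytes in; the dimension parser only needs the first few hundred bytes, so it is safe to run over large uploads.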
Creating and adding an Azure subscription
to your Azure AD
An Azure subscription is a logical entity that provides the entitlement to deploy and
consume Azure resources. An Azure subscription has a trust relationship with Azure
AD: a subscription trusts Azure AD to authenticate users, services, and devices.
Multiple subscriptions can trust the same Azure AD directory, but each subscription
can only trust a single directory. An Azure subscription has a pricing model associated
with it, and based on the pricing model you can consume Azure services and resources.
To consume, create, or use Azure services, you need to attach a payment method
to your subscription.
If your subscription expires, you lose access to all the other resources associated
with the subscription. However, the Azure AD directory remains in Azure, and you can
associate and manage the directory using a different Azure subscription.
If you move the subscription to a different directory, users that have RBAC
roles assigned will lose their access, and any policy assigned to the
subscription is also removed from it. Record the existing role assignments before
such a move so that they can be recreated in the target directory.
Creating a new subscription and associating to
a directory
In the previous section, we saw how to create a new tenant, update your custom
domain, and customize the domain with your company logo. Now in this section,
we will see how to create a new subscription and associate it with Azure AD. To
create a new subscription, perform the following steps:
1. Log in to the Azure portal with the global administrator or owner permission.
2. Select the appropriate tenant under which you want to create the subscription.
3. Search Subscriptions in Azure Portal.
Figure 1.10: Select a tenant and create new subscription
Click on + Add to create a new subscription.
4. This option will open a new tab or window in your browser to select a
subscription type:
Figure 1.11: Select a subscription offering type
The preceding screenshot shows the different types of subscription offers.
Based on your requirement, you can select the subscription type. Each
subscription has its own pricing model and availability of Azure services.
5. Based on the subscription type, on the next page you will see different
agreements and payment mode options. Fill in the payment mode details,
accept the agreements, and click on Activate to activate the subscription and
service plan.
In this section, you studied the creation and association of an Azure subscription
with your Azure AD tenant. These are quite simple steps to create and associate an
Azure subscription.
Transferring a subscription between Azure AD
tenants
Once you create a subscription, it automatically goes under the directory which you
selected. But you can move an existing subscription to another tenant also. For this,
let’s follow the given steps:
1. Log in to the Azure portal with the subscription owner account and select
the subscription you want to use from the Subscription page. Click
on Change directory:
Figure 1.12: Move the subscription to a different tenant
2. Select the target directory from the drop down, review any warnings that
appear, and then select Change:
Figure 1.13: Select the target tenant to move the subscription
After the directory is changed for the subscription, you will get a success
message.
3. Select Switch directories on the subscription page to go to your new
directory and check the subscription transfer. This process may take a few
hours to complete.
When you change the subscription directory, it does not affect the subscription
billing ownership because it is a service-level operation. It does, however, drop the
RBAC role assignments and policies in the subscription, as noted earlier, so re-create
the required role assignments in the new directory.
Managing Azure AD users and groups
Managing users and groups has always been an important and critical task for any
administrator. Proper user management helps you to manage permissions,
licensing, roles, memberships, policies, and so on. In this section, you will learn how
to manage users and groups in your Azure AD. To manage users and groups, you
must have the User Administrator or Global Administrator role.
Let’s understand the types of users and groups and then deep dive into their
properties and operations which we can do with them.
Types of user accounts
Azure AD is a multi-tenant directory. We can have different types of users in it. In
this section, we will see the types of users that can be created or invited into Azure
AD:
• Native users: Native users are the users who have been created in your own Azure AD tenant or synced from on-premises AD. For example, if your directory domain is registered as mybookdemo.com, any user with the UPN username@mybookdemo.com is a native user.
• Guest users: Guest users are external users who are not part of your Azure AD tenant but have been invited by you. For example, if your directory domain is registered as mybookdemo.com, a user from another domain such as username@xyz.com will be a guest user for you. When you invite an external user, an invitation is sent to the email address you provide as the recipient. This message describes the invitation and contains an invitation link to join your tenant.
• Consumer account user: Azure AD B2C is a business-to-customer identity provider. This account is created in Azure AD B2C. With Azure AD B2C, a user with a third-party identity provider can access Azure applications. The user can access only an Azure AD B2C registered application but cannot access other Azure resources such as the Azure portal. The account gets created when the user logs in to the Azure AD B2C application for the first time, but you can also create it manually in Azure AD B2C. The third-party identity providers can be Google, Microsoft, Facebook, and so on.
You can create appropriate users as per your business requirement and can manage
them from the Azure AD console.
Types of groups
In the preceding section, we saw the types of users supported in Azure AD. We can
have different types of groups also in Azure AD. These groups are defined based on
their uses:
• Security: You can create this kind of group to manage access to shared Azure resources for multiple users. You can assign specific security policies, roles, and so on to a group. This makes the administrator's task easier, because permissions for many users are managed in one place instead of separately for each user.
• Office 365: These groups work with Office 365 services and tools, so if you want to collaborate with your teammates in Microsoft Project, Word, or PowerPoint, this is the group type to use.
Most organizations have both types of groups. In the upcoming sections,
we will see how to manage these groups.
User management
Let’s learn how you can create and delete single and bulk users in Azure AD. You
will also learn about license assigning to users.
User creation
Let’s understand the process of user creation. You must have a user administrator
or global administrator level of access to create users in Azure AD. We will see the
process to create native users, guest users, and consumers in Azure AD.
• New user (native user): You already know what native users are in
Azure AD. Let's follow the given steps to create a new native user:
1. Log in to the Azure portal and go to Azure AD.
2. Select Users and click on + New user:
Figure 1.14: Create a new native user in Azure AD
3. Fill in the details related to the user:
Figure 1.15: Property fields to be filled to create a new native user
Following is a description of the fields shown in the preceding screenshot:
• User name: This should be in the format username@domain.com. The domain part is already filled in, so you just need to enter the username.
• Name: Full name of the user.
• First name: First name of the user.
• Last name: Last name of the user.
• Groups: You can select the group name (if already created) to put the user under that group.
• Roles: You can assign a specific role to the user, such as User or Limited Administrator access, from the list of directory roles.
• Block sign in: You can control whether the user will be able to sign in with his/her account or not.
• Usage location: The country or region in which the user will use the services. Azure AD requires this attribute before a license can be assigned, because some services are not available in every country. It is not a sign-in location: conditional access and MFA policies that depend on where a user signs in from work with named locations and the IP address of the request, which I will take you through in the upcoming sections. If you don't specify it, licensing falls back to the location of the organization's Azure AD directory.
• Job title: Put the designation or similar to give some detail about the user; this is optional.
• Department: Put the department of the user, like IT, HR, Management, Finance, etc.
4. Azure AD generates an initial password. Copy it and share it with the user
over a trusted channel; the user is required to change it at first sign-in.
5. Click on Create.
In this section, we learned how to create a new native user in your Azure AD domain.
• New guest user: In the previous section, we learned about guest users. Let's
perform the following steps to see how you can invite a guest user into your
Azure AD:
1. Log in to the Azure portal with proper administrative access.
2. Go to Azure AD and select Users and click on + New guest user:
Figure 1.16: Invite new guest user in Azure AD
3. Now, fill in the basic details:
Figure 1.17: Property fields to be filled to invite a guest user
• Name: Full name of the user.
• Email address: Email address where the invite will be sent.
• Personal message: Type a greeting message that will be sent along with the invite.
In this section, we learned how to invite a guest user into your Azure AD
domain.
• Add consumer user: Generally, this account gets created when a user logs in to an
Azure AD B2C secured application for the first time. But you can create this
kind of user manually from the Azure portal as well. Let's perform the following
steps:
1. Log in to the Azure portal.
2. Select the Directory + subscription filter in the top menu, and then select
the directory that contains your Azure AD B2C tenant.
3. Search for Azure AD B2C in the search bar.
4. Go to Users under the Manage section.
5. Click on + New User and choose Create Azure AD B2C user:
Figure 1.18: Create Azure AD B2C user
• Sign in method: Select email or username as the sign-in method.
• Name: Name of the user.
In this section, we learned how to create a consumer user.
There is an option to create bulk new users and invite new users. You
can fill the details in CSV and upload it. The users will be created and
invited.
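The bulk-create upload is where weak habits creep in: the same initial password for every row, or user names in a domain the tenant has not verified. The following Python script is an added example (not from the book and not a Microsoft tool) that generates the CSV with a unique random initial password per user, restricts user names to the tenant's verified domains, and refuses duplicates. The `version:v1.0` first line and the column row are taken from the template downloadable from the Users > Bulk create pane; treat that as an assumption and compare it with the template from your own tenant before uploading. The verified domains, the two users and the conservative alias rule are constructed for the example.

```python
import csv
import io
import re
import secrets
import string

# Column row as found in the Bulk create template (assumption: verify against your tenant's copy).
COLUMNS = [
    "Name [displayName] Required",
    "User name [userPrincipalName] Required",
    "Initial password [passwordProfile] Required",
    "Block sign in (Yes/No) [accountEnabled] Required",
    "First name [givenName]",
    "Last name [surname]",
    "Job title [jobTitle]",
    "Department [department]",
    "Usage location [usageLocation]",
    "Street address [streetAddress]",
    "State or province [state]",
    "Country or region [country]",
    "Office [physicalDeliveryOfficeName]",
    "City [city]",
    "ZIP or postal code [postalCode]",
    "Office phone [telephoneNumber]",
    "Mobile phone [mobile]",
]

SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
ALIAS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")   # conservative local-part rule (assumption)


def password_is_complex(pwd):
    """Lower, upper, digit and symbol all present and at least 12 characters."""
    return (len(pwd) >= 12
            and any(c.islower() for c in pwd)
            and any(c.isupper() for c in pwd)
            and any(c.isdigit() for c in pwd)
            and any(c in SYMBOLS for c in pwd))


def initial_password(length=16):
    """Unique random temporary password; the user is made to change it at first sign-in."""
    while True:
        pwd = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_is_complex(pwd):
            return pwd


def build_upn(alias, domain, verified_domains):
    """Only the initial .onmicrosoft.com domain or a verified custom domain is allowed."""
    if domain.lower() not in {d.lower() for d in verified_domains}:
        raise ValueError("%s is not a verified domain of this tenant" % domain)
    if not ALIAS_RE.match(alias):
        raise ValueError("invalid alias %r" % alias)
    return "%s@%s" % (alias, domain.lower())


def bulk_create_csv(users, verified_domains):
    """users: dicts with alias, domain, first, last and optional job_title, department,
    usage_location. Returns the CSV text; raises on unverified domains, bad aliases or
    duplicate user names."""
    buf = io.StringIO()
    buf.write("version:v1.0\r\n")                 # first line of the portal template (assumption)
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(COLUMNS)
    seen = set()
    for u in users:
        upn = build_upn(u["alias"], u["domain"], verified_domains)
        if upn.lower() in seen:
            raise ValueError("duplicate user name %s" % upn)
        seen.add(upn.lower())
        values = {
            "Name [displayName] Required": "%s %s" % (u["first"], u["last"]),
            "User name [userPrincipalName] Required": upn,
            "Initial password [passwordProfile] Required": initial_password(),
            "Block sign in (Yes/No) [accountEnabled] Required": "No",
            "First name [givenName]": u["first"],
            "Last name [surname]": u["last"],
            "Job title [jobTitle]": u.get("job_title", ""),
            "Department [department]": u.get("department", ""),
            "Usage location [usageLocation]": u.get("usage_location", ""),
        }
        writer.writerow([values.get(col, "") for col in COLUMNS])
    return buf.getvalue()


# Constructed sample input: the book's demo domain with two made-up users.
VERIFIED_DOMAINS = ["mybookdemo.onmicrosoft.com", "mybookdemo.co.in"]
SAMPLE_USERS = [
    {"alias": "alice", "domain": "mybookdemo.co.in", "first": "Alice", "last": "Sharma",
     "job_title": "Engineer", "department": "IT", "usage_location": "IN"},
    {"alias": "bob", "domain": "mybookdemo.co.in", "first": "Bob", "last": "Gupta",
     "department": "HR", "usage_location": "IN"},
]

if __name__ == "__main__":
    print(bulk_create_csv(SAMPLE_USERS, VERIFIED_DOMAINS))
```

The generated file contains the initial passwords in clear text, so handle it like any other credential material: deliver each password to its user separately and delete the file once the upload has succeeded. Usage location is filled in here because, as noted above, a license cannot be assigned without it.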
Users deletion
It is as simple as user creation. To delete any user, just follow the given steps:
1. Log in to the Azure portal and go to Azure AD and users.
2. You can search for the user by the name or email, and select the user.
3. Click on Delete user.
In this section, we learned how quickly and easily we can delete users from Azure
AD.
You can delete users in bulk as well. You need to upload a CSV with
users’ information to do ‘Bulk Delete’. You can see the deleted users under
‘Deleted users’ section. By default, they will stay there for 30 days from
the day of deletion. You can also restore them or delete them permanently
before 30 days. Similar to Bulk Delete, you can ‘Bulk Restore’ also.
Assign licenses to users and groups
There are services which will require users to have a proper active license to access
them. I will tell you how you can assign a license to users or groups. Follow the given
steps to see what licenses are available with you, how many of them are already
assigned, and how many are going to expire soon:
1. Log in to the Azure portal.
2. Go to Azure AD and select Licenses under the Manage section.
3. Select All products to see the details of your available licenses:
Figure 1.19: Available licenses in Azure AD to assign users
4. Select the license you would like to assign and click on “+ Assign”.
5. A new window opens and you see a few tabs: Users and groups,
Assignment options, and Review + assign.
6. Click on “+ Add users and groups” under the Users and groups tab. It will
open a new window. Search for the users' and groups' names to assign the
licenses to, and click on Select.
7. Now move to next tab, Assignment options. The specified license may have
multiple features associated with it, you can select the required features that
you want to assign to the users. So, select the features you would like to
assign to the users from Assignment options tab.
8. Move to next tab and click on Assign.
Licenses are important things in the cloud environment. They control the access
for users over various applications and services. In this section, we learned how to
assign an appropriate license to users.
Remove licenses from users and groups
You may need to remove a license from users and groups based on the business need
or administration purpose. Let’s see how you can achieve that:
1. In Licenses, go to All products and click on the license which you want to
remove, then open Licensed users or Licensed groups depending on your
target.
2. Select the user’s name or group name from which you want to revoke the
license and click on Remove license.
In this section, we learned how to remove licenses from users.
If a user is inheriting the license from groups level, then you cannot
remove his/her license directly. You need to get that user out from the
group to remove his/her inherited license.
Group management in Azure AD
In the previous section, you learned about user management. It is easier to administer users collectively, and groups provide that ability: you group users with similar properties and then apply and manage policies, permissions and licenses for the whole group. This saves administration time and reduces manual errors. The following sections walk through creating groups and adding users to them.
28
Microsoft Azure Security Technologies (AZ-500) - A Certification Guide
Assigned group creation in Azure AD
In this section, we will study about assigned groups in Azure AD. This is the default
group type in Azure AD:
1. Log in to the Azure portal and go to Azure AD and click on Groups.
2. Click on + New Group. A new window will open. Fill in the required
information and click on Create. Select the group type correctly as per
requirement. We have already understood the use case of security and Office
365 groups:
Figure 1.20: Create a new security group in Azure AD
3. You can also choose whether Azure AD roles can be assigned to this group. This option is only available for security groups with assigned membership, must be chosen at creation time and cannot be changed later, and setting it requires the Privileged Role Administrator or Global Administrator role.
4. You can also select Owners and Members for this group while creating the group.
These were the simple steps to create Azure AD assigned groups.
Membership type: There are three kinds of membership: assigned, dynamic user and dynamic device. Assigned groups let you add specific users as members. Dynamic user groups add or remove users based on user attributes. Dynamic device groups add or remove devices based on device attributes.
Dynamic group creation in Azure AD
Adding and removing users from Office 365 groups or security groups by hand quickly becomes tedious. Azure AD can add and remove users automatically based on their account attributes, so these tasks need not be done manually. Because membership depends on account attributes, whenever a user’s attributes change, Azure AD evaluates all dynamic group rules in the tenant to see whether the user must be added to or removed from any group.
You need at least an Azure AD Premium P1 license to create a dynamic group:
1. Log in to the Azure portal and go to Azure AD.
2. Click on Groups and click on + New group.
3. Fill in the required details as you filled for an assigned group. This time
select Dynamic User under Membership type.
4. Now click on “Add dynamic query”. It will open a new window to create
Dynamic Membership rules. Here you can choose the condition or user
profile attributes based on which you want to add users to this dynamic
group.
Save the configuration of Dynamic Membership rules and click on Create.
We learned how we can create dynamic groups in Azure AD.
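The assigned-group and dynamic-group procedures above, done with Microsoft Graph PowerShell instead of the portal. This is an added example and not code from the book; the group names, the two user principal names and the department value in the membership rule are placeholders:

```powershell
# Added example (not from the book): create an assigned security group with an owner and a member,
# then a dynamic user group driven by a membership rule. Names, UPNs and "Finance" are placeholders.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$owner  = Get-MgUser -UserId "alice@contoso.example"   # placeholder
$member = Get-MgUser -UserId "bob@contoso.example"     # placeholder

# Assigned security group: the default membership type. Add -IsAssignableToRole here if Azure AD
# roles must be assignable to it; that flag cannot be set afterwards and is not allowed on dynamic groups.
$assigned = New-MgGroup -DisplayName "SG-Finance-Assigned" -MailNickname "sg-finance-assigned" `
    -MailEnabled:$false -SecurityEnabled

# Owners and members are directory-object references, as in the portal's Owners / Members pickers.
New-MgGroupOwnerByRef  -GroupId $assigned.Id -OdataId "https://graph.microsoft.com/v1.0/users/$($owner.Id)"
New-MgGroupMemberByRef -GroupId $assigned.Id -OdataId "https://graph.microsoft.com/v1.0/users/$($member.Id)"

# Dynamic user group (needs Azure AD Premium P1): nobody is added by hand, the rule decides.
# The rule string is the same syntax the portal's "Add dynamic query" editor produces.
$rule = '(user.department -eq "Finance") and (user.accountEnabled -eq true)'
$dynamic = New-MgGroup -DisplayName "SG-Finance-Dynamic" -MailNickname "sg-finance-dynamic" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Verify. The assigned group lists its member immediately; the dynamic group is populated
# asynchronously, so an empty result right after creation is expected.
Get-MgGroupMember -GroupId $assigned.Id | Select-Object -ExpandProperty Id
Get-MgGroup -GroupId $dynamic.Id -Property DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Pinning the rule to `accountEnabled -eq true` is worth the extra clause: a disabled account that still matches on department would otherwise keep whatever access the group grants.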
Set groups expiration policy
When users can create their own new groups, it becomes important to delete
unused groups to reduce unnecessary manual maintenance tasks. You can set up the
expiration policy only for Office 365 groups.
The following are the effects of an expiration policy:
• A group that is not renewed is deleted.
• Group owners are notified to renew expiring groups.
• Groups with user activity are renewed automatically.
• A group owner or Azure AD administrator can restore a deleted group within 30 days.
Go to Groups > Expiration:
Figure 1.21: Set expiration for dynamic groups
As shown in the preceding screenshot, choose the group lifetime in days, the e-mail contact for groups with no owners (that address receives the renewal notices instead), and whether all Office 365 groups or only selected ones fall under the policy.
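The same policy can be created or updated with Microsoft Graph PowerShell, and the group properties it drives can be audited so that expiring groups are found before they are deleted. This is an added example, not code from the book; the lifetime, the notification address and the 30-day window are placeholders:

```powershell
# Added example (not from the book): set the group lifetime policy and report Office 365 groups
# that expire within 30 days, with their owners. 180 days, the e-mail and the window are placeholders.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

# A tenant has at most one group lifecycle policy: create it if absent, otherwise update it.
$policy = Get-MgGroupLifecyclePolicy
if (-not $policy) {
    $policy = New-MgGroupLifecyclePolicy -GroupLifetimeInDays 180 -ManagedGroupTypes "All" `
        -AlternateNotificationEmails "groups-admin@contoso.example"
} else {
    Update-MgGroupLifecyclePolicy -GroupLifecyclePolicyId $policy.Id -GroupLifetimeInDays 180 `
        -ManagedGroupTypes "All" -AlternateNotificationEmails "groups-admin@contoso.example"
}

# "Unified" is the group type of Office 365 groups, the only type the expiration policy applies to.
$cutoff = (Get-Date).AddDays(30)
$expiring = Get-MgGroup -Filter "groupTypes/any(t:t eq 'Unified')" -All `
    -Property Id,DisplayName,ExpirationDateTime,RenewedDateTime |
    Where-Object { $_.ExpirationDateTime -and $_.ExpirationDateTime -lt $cutoff }

foreach ($g in $expiring) {
    $owners = Get-MgGroupOwner -GroupId $g.Id | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
    [pscustomobject]@{
        Group   = $g.DisplayName
        Expires = $g.ExpirationDateTime
        Renewed = $g.RenewedDateTime
        Owners  = if ($owners) { $owners -join ";" } else { "(none: notices go to the alternate e-mail)" }
    }
}
```

Ownerless groups are the ones to watch: nobody receives their renewal notice except the alternate address, so without this report they are the groups most likely to be deleted unnoticed.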
Set policy for groups naming convention
You can set up a naming policy for user-created Office 365 groups to maintain organizational standards; it also helps with other administrative tasks. Go to Groups > Naming policy:
• Blocked words: Here, you define the words that cannot be used in a group name. You upload the list as a CSV file and can download it back to review which words are being blocked.
• Group naming policy: Here, you define a prefix or suffix for group names.
Configuring authentication methods in
Azure AD
As organizations extend their on-premises infrastructure into the cloud, they move towards a hybrid environment in which users need access to both on-premises and cloud applications. Azure’s hybrid identity solutions synchronize on-premises and cloud users so that a single, common user identity is used for authentication and authorization to all resources, regardless of where they are located. This common identity is called hybrid identity.
Types of authentication methods
You can choose any one of the three available authentication methods to achieve hybrid identity, depending on your business requirements:
• Pass-through Authentication (PTA)
• Password Hash Synchronization (PHS)
• Federation with Active Directory Federation Services (AD FS)
Pass-through Authentication (PTA)
PTA allows your users to log in to both on-premises and cloud-based applications using the same password. When a user signs in to Azure AD, this feature validates the password directly against your on-premises AD. It uses an authentication agent that runs on one or more on-premises servers, so the password check happens in on-premises AD rather than in Azure AD; the agent only makes outbound connections to Azure AD, so no inbound firewall ports are needed. This method is most useful for organizations that want their on-premises AD security and password policies (account state, password expiry, logon hours) enforced at sign-in time.
Password Hash Synchronization (PHS)
In AD Domain Services, users’ passwords are stored as a hash (an unsalted MD4 digest) of the actual password, not as the password itself. Azure AD Connect extracts this password hash from on-premises AD and applies an extra layer of protection before synchronizing it to the Azure AD authentication service: it adds a per-user salt and runs the original hash through PBKDF2 with HMAC-SHA256 for 1,000 iterations, so only this derived hash of the hash ever leaves the domain, and it cannot be replayed to sign in to on-premises AD. The password hash synchronization process runs every two minutes, independently of the regular sync cycle, and its frequency cannot be changed. When a user’s password is changed in on-premises AD, the updated hash is automatically synchronized to Azure AD and overwrites the existing cloud password. A newly synchronized password does not affect a user who is currently signed in with the old password: cloud service sessions are not immediately affected, but the user must provide the new password when the cloud services require re-authentication. PHS is also a prerequisite for the leaked-credential detection in Azure AD Identity Protection.
Active Directory Federation (AD FS)
Federation is a collaboration between trusted domains. You can federate your Azure AD tenant with on-premises AD through AD FS: Azure AD redirects the user’s sign-in to your federation service, so authentication happens in on-premises AD and Azure AD receives a signed token. Azure AD Connect still synchronizes the user objects; federation only changes where the credentials are validated.
Choose the authentication method
Let’s take a look at the following table to understand the various business requirements and the authentication method that satisfies each of them. X indicates that the feature is available:

Business requirement | PHS | PTA | AD FS
Sync new user, contact, and group accounts created in my on-premises AD to the cloud automatically. | X | X | X
Set up my tenant for Office 365 hybrid scenarios. | X | X | X
Enable my users to sign in and access cloud services using their on-premises password. | X | X | X
Implement single sign-on using corporate credentials. | X | X | X
Ensure no password hashes are stored in the cloud. | | X | X
Enable cloud-based MFA solutions. | X | X | X
Enable on-premises MFA solutions. | | | X
Support smartcard authentication for my users. | | | X
Display password expiry notifications in the Office portal and on the Windows 10 desktop. | | | X

Table 1.1: Comparison of the hybrid identity authentication methods
The following decision tree will help you to choose the right authentication method
for your hybrid identity management.
Figure 1.22: Decision tree to choose the correct authentication method
Prerequisites for Azure AD Connect
Let’s discuss the resources you may need to set up Azure AD Connect. Each authentication method needs a specific environment and set of components. This section goes through the requirements for each component, divided into two categories: cloud (Azure) and on-premises.
• Azure AD: The following are the resources you need in Azure AD:
  • An Azure AD tenant.
  • A verified custom domain.
  • A global administrator account.
• On-premises AD: The following are the resources you need in on-premises AD:
  • The AD schema version and forest functional level must be Windows Server 2003 or later.
  • The domain controllers must be on Windows Server 2008 R2 or later if you want to use the password writeback feature.
  • Azure AD Connect does not support a read-only domain controller (RODC); it needs a writable domain controller.
  • You can run IdFix to identify errors such as duplicates and formatting problems in your on-premises Active Directory before you synchronize it to Azure AD.
• Azure AD Connect server: This server is the key element for AD sync. The following configurations and resources are needed to set it up:
  • Azure AD Connect can only be installed on a domain-joined Windows Server 2012 Standard or better; Windows Server Essentials 2019 is supported.
  • Installing Azure AD Connect on a domain controller is not recommended for security reasons. The server holds the credentials of the AD DS connector account and a copy of the synchronized identity data, so harden it and treat it as a Tier 0 asset in its own right.
  • If your global administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list.
  • Azure AD Connect requires a SQL Server database to store identity data. By default, a SQL Server 2012 Express LocalDB is installed.
  • Azure AD Connect supports all versions of Microsoft SQL Server from 2008 R2 (with the latest service pack) to SQL Server 2019. Azure SQL Database is not supported.
  • You will need one domain administrator account.
  • The Azure AD Connect server needs DNS resolution for both the intranet and the Internet: its DNS server must resolve names in your on-premises AD as well as the Azure AD endpoints.
  • Azure AD Connect depends on Microsoft PowerShell and .NET Framework 4.5.1 or later.
  • The minimum configuration for the Azure AD Connect server is 2 CPU cores, 4 GB RAM, and 70 GB disk space.
• SSL certificate (needed for federation with AD FS): The following are the requirements for the certificate:
  • It is recommended to use the same SSL certificate across all nodes of your AD FS farm and all Web Application Proxy servers.
  • The certificate must be an X.509 certificate.
  • For a production environment, you should get the certificate from a public CA.
  • Wildcard certificates are supported.
In this section, we studied about the prerequisites of various components to set up
Azure AD Connect.
Installing Azure AD Connect with Password
Hash Synchronization
Let’s understand the process of Azure AD Connect configuration with Password
Hash Synchronization authentication. Hope you have gone through the preceding
prerequisites before setting up this. Follow the given steps to set up Azure AD
Connect:
1. Download the Azure AD Connect software and install it on a domain-joined Windows Server 2012 R2 or later server, with a minimum configuration of 2 CPU cores, 4 GB RAM, and 70 GB disk space.
On the welcome screen of the Azure AD Connect tool, accept the license agreement and choose Customize. You can leave these boxes unchecked; Azure AD Connect installs all the required components automatically:
Figure 1.23: Select Azure AD connect installation type and required components
2. Now, select the required authentication method based on your business
requirement. In the previous sections, we understood when to choose
what. In this section, we will go through password hash synchronization,
so select Password Hash Synchronization as shown in the following
screenshot:
Figure 1.24: Select password hash sync authentication method in Azure AD Connect
3. On the next screen, the Connect to Azure AD screen, enter the username
and password of the global administrator for Azure AD. Click on Next:
Figure 1.25: Connect Azure AD connect with Azure AD
4. On the Connect your directories screen, select your active directory forest
name and click on Add Directory:
Figure 1.26: Connect Azure AD Connect with on-premises AD
A new window pops up to select the username for the sync process. You can
create a new user or can use an existing user. The latest version of Azure AD
Connect does not support the domain admin or enterprise admin accounts
as the AD DS Connector account:
Figure 1.27: Create Azure AD Connect sync user account
Click on OK and then click on Next.
5. In the next step, you will see the list of domains verified in Azure AD:
Figure 1.28: Select verified Azure AD domain
6. You have the liberty to select what domain or OU you want to sync from your
active directory forest. You can either select Sync all domains and OUs
or Sync selected domains and OUs. By default, the Sync all domains
and OUs option is selected:
Figure 1.29: Select on-premises domain and OU to be synced into Azure AD
7. A user might be represented only once in the whole Active Directory forest, but a user may also have multiple representations across the domains in your forest. You would not want the same user represented multiple times after syncing, so you choose here how such cases are handled. If each user has only one representation, the decision is easy: select the Users are represented only once across all directories option. If users have multiple representations, choose the attribute by which those representations are joined into one object and synced to Azure AD:
Figure 1.30: Select a method to identify on-premises users uniquely
8. Now, you can dive even deeper and select which groups, users, and devices
need to sync. Either you can select the Synchronize all users and devices
option or Synchronize selected as shown in the following screenshot:
Figure 1.31: Select users and devices to be synced into Azure AD
9. You can choose other features to be installed as part of this process. The Password writeback feature allows password changes that originate in Azure AD to be written back to your on-premises directory:
Figure 1.32: Select any other feature to be installed with password hash synchronization
Click on Next.
10. On the next page, you will see a summary of all your configurations. Click
on Configure and Verify.
In this section, we studied how to configure Azure AD Connect with the password
hash synchronization method. You can now use these steps to configure Azure AD
Connect in your environment.
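After the wizard reports success, it is worth confirming from the Azure AD Connect server itself that the scheduler is running, that password hash synchronization (and password writeback, which the self-service password reset section later depends on) is enabled, and then triggering a sync and checking the result from the cloud side. The following is an added example, not code from the book; it assumes the ADSync and ADSyncDiagnostics modules that the installer places on the server and Microsoft Graph PowerShell for the last step:

```powershell
# Added example (not from the book): post-install checks on the Azure AD Connect server.
# Assumes the ADSync / ADSyncDiagnostics modules installed by the wizard and Microsoft Graph PowerShell.
Import-Module ADSync

# Scheduler state. The 30-minute interval here governs directory sync only; password hash sync
# has its own fixed two-minute cycle. A server in staging mode imports but never exports.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, AllowedSyncCycleInterval,
                  CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Password hash sync is configured per on-premises (AD DS) connector; check each one.
foreach ($c in (Get-ADSyncConnector | Where-Object ConnectorTypeName -eq "AD")) {
    "AD connector: $($c.Name)"
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
}

# Tenant-level optional features; PasswordWriteBack is the one SSPR writeback needs.
Get-ADSyncAADCompanyFeature

# Trigger a delta sync instead of waiting for the scheduler.
Start-ADSyncSyncCycle -PolicyType Delta

# If the password sync state looks wrong, the built-in diagnostics explain which step is failing.
Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync

# Cross-check from the cloud side (works from any machine with Microsoft Graph PowerShell).
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Organization.Read.All"
Get-MgOrganization -Property OnPremisesSyncEnabled,OnPremisesLastSyncDateTime,OnPremisesLastPasswordSyncDateTime |
    Select-Object OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, OnPremisesLastPasswordSyncDateTime
```

`OnPremisesLastPasswordSyncDateTime` is the value to watch: if it stops advancing while `OnPremisesLastSyncDateTime` still moves, objects are syncing but password hashes are not, which is exactly the failure the two-minute cycle hides from a casual look at the portal.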
Installing Azure AD Connect with pass-through
authentication
It has similar steps as in the previous section (password hash synchronization); the
only change here is that you need to choose Pass-through authentication in the
authentication type. On successful completion, a PTA agent is installed on the same
server as Azure AD Connect and the PTA feature is enabled on your tenant. Let’s go
through the steps:
1. Download Azure AD Connect software and install it on the domain joined
Windows 2012 R2 or above OS version server, with minimum configuration
of 2 Core CPU, 4 GB RAM, and 70 GB disk space.
2. On the welcome screen of the Azure AD Connect tool, accept the license agreement and choose Customize. You will see this on the next screen. You can leave these boxes unchecked; Azure AD Connect installs all the required components automatically:
Figure 1.33: Select Azure AD Connect installation type and required components
3. Now, select the required authentication method based on your business
requirement. In the previous sections, we understood when to choose what.
In this section, we will go through pass-through authentication, so select
Pass-through authentication as shown in the following screenshot:
Figure 1.34: Select the pass-through authentication method in Azure AD Connect
4. On the next screen, the Connect to Azure AD screen, enter the username
and password of the global administrator for Azure AD. Click on Next:
Figure 1.35: Connect Azure AD Connect with Azure AD
5. On the Connect your directories screen, select your active directory forest
name and click on Add Directory:
Figure 1.36: Connect Azure AD Connect with On-premises AD
A new window pops up to select the username for the synchronization
process. You can create a new user, or you can use an existing user. The
latest version of Azure AD Connect does not support the domain admin or
enterprise admin accounts as the AD DS Connector account:
Figure 1.37: Create Azure AD Connect sync user account
Click on OK and then click on Next.
6. In the next step, you will see a list of domains verified in Azure AD:
Figure 1.38: Select the verified Azure AD domain
7. You have the liberty to select the domain or OU you want to sync from your
forest. You can either select Sync all domains and OUs or Sync selected
domains and OUs. By default, the Sync all domains and OUs option is
selected:
Figure 1.39: Select on-premises domain and OU to be synced into Azure AD
8. A user might be represented only once in the whole forest, but a user may also have multiple representations across the domains in your forest. You would not want the same user represented multiple times after syncing, so you choose here how such cases are handled. If each user has only one representation, the decision is easy: select the Users are represented only once across all directories option. If users have multiple representations, choose the attribute by which those representations are joined into one object and synced to Azure AD:
Figure 1.40: Select a method to identify on-premises users uniquely
9. Now, you can dive even deeper and select the groups, users, and devices that
need to be synced. Either you can select the Synchronize all users and
devices option or Synchronize selected:
Figure 1.41: Select users and devices to be synced into Azure AD
10. You can choose other features also to be installed with this process. The
Password writeback feature allows password changes that originate in
Azure AD to be written back to your on-premises directory:
Figure 1.42: Select users and devices to be synced into Azure AD
Click on Next.
11. On the next page, you will see a summary of all your configurations. Click
on Configure and Verify.
If you are deploying PTA in a production environment, you should install additional standalone authentication agents on servers other than the one running Azure AD Connect. This gives you high availability (not load balancing) for user sign-in requests: if the only agent is down, nobody can sign in. For production it is recommended to have at least three agents; a tenant can have at most forty.
Installing Azure AD Connect for federation
with AD FS
Now, let’s understand how to set up federation between the on-premises domain and Azure AD with AD FS. Users are still synchronized by Azure AD Connect; federation changes where they authenticate. This method requires some extra resources to be deployed:
• A Windows Server 2012 R2 or later server for the federation server, with remote management enabled.
• A Windows Server 2012 R2 or later server for the Web Application Proxy (WAP) server, with remote management enabled.
• An SSL certificate for the federation service name you intend to use.
Although we have seen the Azure AD Connect installation process in the previous sections, let’s go through it again; the following are the steps to install Azure AD Connect with AD FS.
1. Download the Azure AD Connect software and install it on a domain-joined Windows Server 2012 R2 or later server, with a minimum configuration of 2 CPU cores, 4 GB RAM, and 70 GB disk space.
2. On the Welcome screen of the Azure AD Connect tool, accept the license agreement and choose Customize. You will see this on the next screen. You can leave these boxes unchecked; Azure AD Connect installs all the required components automatically:
Figure 1.43: Select Azure AD Connect installation type and required components
3. Now, select the required authentication method based on your business
requirement. In the previous sections, we understood when to choose what.
In this section, we will go through federation with Azure AD so select
Federation with AD FS.
4. On the next screen, the Connect to Azure AD screen, enter the username
and password of the global administrator for Azure AD. Click on Next:
Figure 1.44: Connect Azure AD Connect with Azure AD
On the Connect your directories screen, select your active directory forest
name and click on Add Directory:
Figure 1.45: Connect Azure AD Connect with On-premises AD
A new window pops up to select the username for the sync process. You
can create a new user or use an existing user. The latest version of Azure AD
Connect does not support the domain admin or enterprise admin accounts
as the AD DS Connector account:
Figure 1.46: Create Azure AD Connect sync user account
Click on OK and then click on Next.
5. In the next step, you will see a list of domains verified in Azure AD:
Figure 1.47: Select verified Azure AD domain
6. You have the liberty to select what domain or OU you want to sync from your
forest. You can either select Sync all domains and OUs or Sync selected
domains and OUs. By default, the Sync all domains and OUs option is
selected:
Figure 1.48: Select on-premises domain and OU to be synced into Azure AD
7. A user might be represented only once in the whole forest, but a user may also have multiple representations across the domains in your forest. You would not want the same user represented multiple times after syncing, so you choose here how such cases are handled. If each user has only one representation, the decision is easy: select the Users are represented only once across all directories option. If users have multiple representations, choose the attribute by which those representations are joined into one object and synced to Azure AD:
Figure 1.49: Select a method to identify on-premises users uniquely
8. Now, you can dive even deeper and select the groups, users, and devices that
need to be synced. Either you can select the Synchronize all users and
devices option or Synchronize selected:
Figure 1.50: Select users and devices to be synced into Azure AD
9. You can choose other features also to be installed with this process.
Figure 1.51: Select users and devices to be synced into Azure AD
Click on Next.
10. You can use an existing AD FS farm, or you can choose to create a new AD FS
farm. If you choose to create a new one, you are required to provide the SSL
certificate. If the SSL certificate is protected by a password, you are prompted
for the password.
Choose the certificate file and upload:
Figure 1.52: Select the existing AD FS configuration or create a new AD FS setup
11. Enter the name of the server where you want to install ADFS. The ADFS
server should be domain joined:
Figure 1.53: Select the AD FS server to connect with Azure AD Connect
12. Now, enter the details of the WAP server. This server is the front end for any external request. Since the WAP server does not need to be domain joined, you must supply local administrator credentials for it:
Figure 1.54: Select the WAP server to connect with Azure AD Connect
13. Now, enter the domain administrator credentials to install the AD FS role on the server you named in Step 11:
Figure 1.55: Put the domain administrator account credentials to set up federation
14. Now, specify the account to run the AD FS service on AD FS servers. It is
recommended to have a separate domain service account to run the AD FS
service:
Figure 1.56: Select the service account to run the federation service
15. Now, select the Azure AD domain that you want to federate with the on-premises domain:
Figure 1.57: Select Azure AD which you want to federate with on-premises AD domain
16. Once you have provided the details of your Azure AD custom domain in the previous step, Azure AD Connect gives you the information required to verify the domain if it is not yet verified, and verifies the custom domain during the configuration step:
Figure 1.58: Verify the Azure AD domain which you want to federate with the on-premises domain
Set up DNS records for the AD Federation service name (for
example, mybook.com) for both the intranet (your internal DNS server)
and the extranet (public DNS through your domain registrar). For
the intranet DNS record, ensure that you use A records and not
CNAME records. This is required for Windows authentication to
work correctly from your domain joined machine.
If you are deploying more than one AD FS server or WAP server,
then ensure that you have configured your load balancer and
that the DNS records for the AD FS federation service name (for
example, mybook.com) point to the load balancer.
17. Go to the configuration page and start installation.
18. In the next step, verify the connectivity.
In this section, we learned how to configure Azure AD Connect for federation with AD FS. You can now use these steps to configure Azure AD Connect in your environment.
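The DNS and certificate requirements in the note above (an A record, not a CNAME, on the intranet; records pointing at the load balancer when there is more than one AD FS or WAP server; a certificate carrying the federation service name) are easy to get wrong and only show up as failed Windows authentication later. The following is an added pre-flight check, not code from the book; it reuses the book’s example domain as `sts.mybook.com`, and the internal DNS server address and load-balancer address are placeholders:

```powershell
# Added example (not from the book): pre-flight checks for the federation service name before the
# AD FS configuration step. Federation service name follows the book's mybook.com example; the
# internal DNS server and the load-balancer VIP are placeholders.
$fsName      = "sts.mybook.com"
$intranetDns = "10.0.0.10"    # placeholder: DNS server used by domain-joined clients
$expectedVip = "10.0.0.50"    # placeholder: load balancer in front of the AD FS farm

# Intranet record must be an A record; a CNAME breaks Windows Integrated authentication.
$answers = Resolve-DnsName -Name $fsName -Server $intranetDns -DnsOnly
if ($answers | Where-Object Type -eq "CNAME") {
    Write-Warning "$fsName resolves through a CNAME on the intranet; replace it with an A record."
}
$a = $answers | Where-Object Type -eq "A"
if (-not $a) { throw "No A record for $fsName on $intranetDns" }
if ($a.IPAddress -notcontains $expectedVip) {
    Write-Warning "Intranet A record points to $($a.IPAddress -join ',') rather than the load balancer $expectedVip"
}

# Extranet record, resolved through this machine's normal (public) resolver; should reach the WAP.
Resolve-DnsName -Name $fsName -Type A -DnsOnly | Select-Object Name, Type, IPAddress

# TLS: the certificate served on 443 must carry the federation service name (or a matching wildcard).
# The validation callback accepts everything on purpose; the certificate is inspected explicitly below.
$tcp = New-Object System.Net.Sockets.TcpClient($fsName, 443)
$cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($fsName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
$sans   = if ($sanExt) { $sanExt.Format($false) } else { "" }
[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    NotAfter    = $cert.NotAfter
    NameMatches = ($sans -match [regex]::Escape($fsName)) -or ($sans -match "\*\.mybook\.com")
}

# On an AD FS node itself, the same name and certificate can be confirmed from the farm side:
#   Get-AdfsProperties | Select-Object HostName, Identifier
#   Get-AdfsCertificate -CertificateType Service-Communications
```

Run the DNS half from a domain-joined client on the intranet and again from outside the network: the two answers are supposed to differ (farm VIP versus WAP), and a CNAME in either place is the finding to fix before continuing with the wizard.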
Topologies for Azure AD Connect
While setting up Azure AD Connect for the synchronization purpose, it is required
to know all the scenarios that are supported and what are not. In this section, you
will see various on-premises and Azure AD topologies that use Azure AD Connect
sync as the key integration solution.
Single forest, single sync server to single Azure AD
tenant
This is the most common scenario, having single on-premises forest, with one or
multiple domains, single Azure AD Connect server and a single Azure AD tenant.
This scenario is easily supported by Azure AD Connect.
Single forest, multi sync servers to one Azure AD
tenant
Multiple Azure AD Connect servers connected to the same Azure AD tenant is
not supported, except for a staging server. It’s unsupported even if these servers
are configured to synchronize with a mutually exclusive set of objects. You might
consider this topology if you can’t reach all domains in the forest from a single
server, or if you want to distribute load across several servers.
Multiple forest, single sync servers to one Azure AD
tenant
When you have multiple forests and want them to be synced by single Azure AD
Connect, all forests must be reachable by a single Azure AD Connect synchronization
server. The server must be joined to a domain. If necessary, to reach all forests, you
can place the Azure AD Connect server in a perimeter network (DMZ). This scenario
is supported.
Multiple forest, multi sync servers to one Azure AD
tenant
This scenario is not supported.
Features of Azure AD Connect
Apart from just user synchronization, Azure AD Connect has multiple other features
as well. Let’s discuss them briefly:
• Exchange hybrid deployment: This feature allows the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect synchronizes a specific set of attributes from Azure AD back into your on-premises directory.
• Exchange mail public folders: This feature allows you to synchronize mail-enabled public folder objects from your on-premises AD to Azure AD.
• Azure AD app and attribute filtering: By enabling Azure AD app and attribute filtering, the set of synchronized attributes can be tailored to the applications you actually use, so attributes that no cloud application needs never leave the domain.
• Password hash synchronization: We have learned about this in detail. If you select federation as the sign-in solution, you can additionally enable this option as a backup, so that Azure AD can fall back to it if the federation service is unavailable. If you select pass-through authentication, it can also be enabled to support legacy clients and as a backup.
• Password writeback: By enabling password writeback, password changes that originate in Azure AD are written back to your on-premises directory.
• Group writeback: If you use the Office 365 groups feature, you can have these groups represented in your on-premises AD. This option is only available if Exchange is present in your on-premises AD.
• Device writeback: This allows you to write back device objects from Azure AD to your on-premises AD for conditional access scenarios.
• Directory extension attribute synchronization: By enabling directory extension attribute synchronization, the additional attributes you specify are synced to Azure AD.
Setting up password writeback through
Azure AD Connect
In the preceding sections, we learned how to set up Azure AD Connect to sync on-premises AD users with Azure AD, and in the features section we saw that Azure AD Connect can also be used for password writeback. In this section, we use that knowledge to set up password writeback for our test environment. In a hybrid environment, it would be hard for users to maintain two passwords for two different directories (Azure AD and on-premises AD). Any of the synchronization methods from the preceding sections covers the on-premises to cloud direction; password writeback covers the other direction: a password changed or reset in Azure AD (for example through self-service password reset) is written back to on-premises AD. The writeback travels through Azure AD Connect over its existing outbound connection, so no inbound ports need to be opened on-premises.
Prerequisites to set up password writeback
The following need to be in place to set up password writeback:
• An Azure AD tenant with Azure AD Premium P1 licenses.
• An on-premises AD DS environment running Windows Server 2012 or later.
• An Azure AD user with the global administrator role.
• Self-service password reset (SSPR) enabled in Azure AD.
• An on-premises AD DS environment with the latest version of Azure AD Connect.
• Azure AD Connect configured for the user synchronization process.
In this chapter, we have already learned how to assign a license to a user and how
to assign a global administrator role to a user. We also know how to configure Azure
AD Connect on Windows Server for the user synchronization process. During this
setup, we will go through the process to enable SSPR in Azure AD and password
writeback in Azure AD Connect.
Enabling Self Service Password Reset in Azure
AD
With Azure AD SSPR, users can reset their password without reaching out to
administrators or helpdesk. Users can reset their password if they forget it or if their
account is locked. Let’s follow the given steps to enable SSPR in Azure AD:
1. Log in to the Azure portal and go to Azure AD.
2. In the left panel, you will see the Password reset option under the Manage
section. Go to the Password reset option.
3. It will open a new window. Go to Properties under the Manage section.
On the Properties page, you will get an option to enable SSPR for a group
of users or all users:
Figure 1.59: Select a group for SSPR
In the preceding screenshot, I chose the Selected option and then chose a
group of users to cover under SSPR. After selecting the group, click on Save.
You can follow the preceding steps to enable SSPR for users in your environment. In the next step, we will see how to configure the authentication and registration methods that users go through for SSPR.
Selecting authentication and registration options
When users want to reset their password or unlock their account, they will be asked for additional confirmation. This additional confirmation verifies the user’s identity. As an administrator, you can choose how many pieces of additional information users need to provide and which verification methods are available to them. To set this up, perform the following steps:
1. Log in to the Azure portal and go to Azure AD.
2. In the left panel, you will see the Password reset option under the Manage
section. Go to the Password reset option.
3. On the Password reset page, go to Authentication methods. On this page, you can set the number of methods required to do the password reset or account unlock:
Figure 1.60: Select authentication methods for SSPR
As shown in the preceding screenshot, you can require up to two methods. There is also a list of supported methods; you can choose any of these as the ways users provide the additional information. Once you make your choices, save the configuration.
4. Now, move to the Registration section. Users need to register their contact details before they can reset their password or unlock their account. This contact information is used by the authentication methods chosen in the previous step:
Figure 1.61: Enable registration for users
As shown in the preceding screenshot, click on Yes to ask users to register themselves at their next sign-in.
5. To keep the contact information up to date, you can set a duration after which users will be asked to re-verify their contact information. In the preceding screenshot, I set 180 days, so 180 days after registration, users will be asked to re-verify their contact information.
In this section, you learned about the password reset configuration for SSPR.
Setting up account permissions for the Azure AD Connect account
In the preceding sections, we configured Azure AD Connect several times. As discussed there, you need a domain administrator account to set up AD Connect between on-premises AD DS and Azure AD. Before setting up password writeback, it is important that the domain administrator account has the correct permissions and options set. Let’s follow the given steps to check and set up the correct permissions for the domain administrator account:
1. Log in to on-premises AD DS server and go to Active Directory Users
and Computers.
2. In the View menu, click on Advanced Features to turn it on.
3. In the left panel, right-click on your domain name and click on Properties > Security > Advanced.
4. It will open a new window. On the Permissions tab, click on Add.
5. In the next window, click on Select a principal. It will open a new box that takes the user account as input. Enter the name of the user account which is going to be used for AD Connect. Click on OK.
6. Keep the type set to Allow. In the Applies to drop-down, select Descendant User objects, which is at the end of the list.
7. Now, under the Permissions section, select Reset password. Under the Properties section, select Write lockoutTime and Write pwdLastSet.
8. Now, click on OK and Apply and close all open dialog boxes. It may take up to an hour for the change to be reflected on all users.
9. For password writeback to work properly, you should modify the on-premises AD DS group policy. The group policy for minimum password age must be set to 0; otherwise, the on-premises domain can reject a written-back password that arrives within the minimum age window of the previous change. This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
Once you are done with the preceding settings, you can move on to the Azure AD Connect setup.
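The same three rights can be granted and, more importantly, audited from PowerShell. The following is an added example and not code from the book: it resolves the GUIDs for the user class, the lockoutTime and pwdLastSet attributes and the Reset Password extended right from the schema, adds the three inherit-only ACEs for descendant user objects on the domain root, and then lists everything the connector account holds there so you can confirm nothing broader was granted. It assumes the ActiveDirectory (RSAT) module, a domain administrator session, and a placeholder account name.

```powershell
# Added example, not from the book: grant the Azure AD Connect account the three
# rights that password writeback needs (Reset password, Write lockoutTime,
# Write pwdLastSet on descendant user objects) and then audit what it holds.
# Assumptions: run as a domain admin on a host with the ActiveDirectory (RSAT)
# module; the account name below is a placeholder for your connector account.
Import-Module ActiveDirectory

$connectorAccount = 'CONTOSO\MSOL_connector'   # placeholder: your AD Connect service account

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve GUIDs by name from the schema and the Extended-Rights container
# instead of hardcoding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$obj.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$sid = ([System.Security.Principal.NTAccount]$connectorAccount).Translate([System.Security.Principal.SecurityIdentifier])
# "Applies to: Descendant User objects" = inherit-only ACEs scoped to the user class.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$wanted = @(
    @{ Right = 'ExtendedRight'; Guid = $resetPassword }   # Reset password
    @{ Right = 'WriteProperty'; Guid = $lockoutTime }     # Write lockoutTime (account unlock)
    @{ Right = 'WriteProperty'; Guid = $pwdLastSet }      # Write pwdLastSet
)

$acl = Get-Acl -Path "AD:\$domainDn"
foreach ($w in $wanted) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$w.Right,
        [System.Security.AccessControl.AccessControlType]::Allow, $w.Guid, $inherit, $userClass)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Audit: list every ACE the connector account holds on the domain root. Any entry
# with Expected = False (for example GenericAll, or a right not scoped to user
# objects) is more than writeback needs and should be removed.
$names = @{ $resetPassword = 'Reset password'; $lockoutTime = 'Write lockoutTime'; $pwdLastSet = 'Write pwdLastSet' }
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $connectorAccount } |
    ForEach-Object {
        $known = $names.ContainsKey($_.ObjectType)
        $target = if ($known) { $names[$_.ObjectType] } else { $_.ObjectType }
        [pscustomobject]@{
            Right     = $_.ActiveDirectoryRights
            Target    = $target
            AppliesTo = $_.InheritanceType
            Expected  = $known -and ($_.InheritedObjectType -eq $userClass)
        }
    } | Format-Table -AutoSize
```

Looking the GUIDs up from the schema keeps the script portable across forests and avoids a silent mistake from a mistyped constant; the audit at the end is the part worth re-running periodically, since the connector account is a high-value target and its rights tend to grow over time.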
Configuring Azure AD Connect for password writeback
Now, once you have completed all prerequisites, you can go to your Azure AD
Connect server to enable password writeback. You can enable this on an existing AD
Connect setup or on a new setup:
1. You can refer to the previous sections to see the steps to install Azure AD
Connect.
2. When you start the installation, in the Optional features section, select
Password writeback:
Figure 1.62: Enable password writeback in Azure AD Connect
As shown in the preceding screenshot, select the Password writeback
check box and complete the configuration.
3. Once this sync is completed, you need to complete a few steps in Azure AD SSPR. So, go back to Password reset in Azure AD. Here, it will check the status of your Azure AD Connect and give a notification: Yes, you are connected to the on-premises password writeback client.
4. Here, you can enable writing passwords back to your on-premises directory. You can also allow users to unlock their account without changing their password:
Figure 1.63: Enable on-premises integration for Password writeback
Make the configuration as shown in the preceding screenshot and save it.
In this section, we learned how to set up SSPR and password writeback in your Azure environment.
Passwordless authentication options in Azure AD
As the use of technology increases day by day, every device and application requires a password to protect authentication. With multiple apps and devices, it is very difficult to remember a different password for each of them. Microsoft came up with the concept of passwordless authentication. Here, you can use the Microsoft Authenticator app to sign in to any Azure AD-connected app and device without a password.
To use this functionality, your users should be covered under Azure MFA, the combined registration experience should be enabled on your Azure AD, and users should have the latest version of the Microsoft Authenticator app.
Enabling combined registration experience
The combined registration experience lets users register themselves only once for both Azure MFA and SSPR. It is also required for passwordless authentication. Let’s enable it by performing the following steps:
1. Log in to the Azure portal and go to Azure AD.
2. Go to Users > User settings > Manage user feature preview settings. It will open a new window:
Figure 1.64: Enable combined registration experience
As shown in the preceding screenshot, this feature is already enabled for new tenants, but if you have an older existing tenant, you can enable it from here. You can choose whether to enable it for all users or for selected users and groups. Save the changes.
Once you have enabled the combined registration experience, you can enable passwordless authentication methods.
Enabling passwordless authentication methods
As an administrator, you can choose which passwordless authentication methods users are allowed to use. Here is the list of supported passwordless authentication methods:
• FIDO2 security key
• Microsoft Authenticator
• Text message (preview)
• Temporary access pass (preview)
To configure this, let’s follow the given steps:
1. Log in to the Azure portal and go to Azure AD.
2. In Azure AD, go to Security > Authentication Methods > Policy.
3. Under Policies, you will see a list of supported passwordless authentication methods. Click on Microsoft Authenticator and choose the following options:
• ENABLE: Yes
• TARGET: All users or Select users
• Browse to ... > Configure.
4. The users and groups which you added are enabled by default to use Microsoft Authenticator in both passwordless and push notification modes. You can change the mode by clicking on the three dots at the end of the Target row and setting Authentication mode to Any, Passwordless, or Push:
Figure 1.65: Set Microsoft Authenticator as passwordless authentication method
Make the configuration as shown in the preceding screenshot.
5. Save the changes to apply the policy.
Similarly, you can enable the other passwordless authentication methods as well.
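The same Microsoft Authenticator policy can be set and verified through Microsoft Graph, which is useful when you want the pilot scope and the mode to be reviewable in code rather than in screenshots. The following is an added example and not code from the book: it targets a pilot group in passwordless (device-based push) mode and reads the policy back. It assumes the Microsoft.Graph.Authentication module, a connection made with the Policy.ReadWrite.AuthenticationMethod scope, and a placeholder group ID.

```powershell
# Added example, not from the book: scope the Microsoft Authenticator method to a
# pilot group in passwordless mode via Microsoft Graph, then read it back.
# Assumptions: Microsoft.Graph.Authentication is installed and you connected with
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'
# The group ID below is a placeholder.
Import-Module Microsoft.Graph.Authentication

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: pilot users group
$uri = 'v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'

# Portal mode names map to these Graph values:
#   Any -> any, Push -> push, Passwordless -> deviceBasedPush
$body = @{
    '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(@{
        targetType             = 'group'
        id                     = $pilotGroupId
        isRegistrationRequired = $false
        authenticationMode     = 'deviceBasedPush'
    })
}
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body | Out-Null

# Verification: confirm the method is enabled and which groups are in which mode.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri
[pscustomobject]@{ Method = 'MicrosoftAuthenticator'; State = $policy.state }
$policy.includeTargets | ForEach-Object {
    [pscustomobject]@{ Target = $_.id; Mode = $_.authenticationMode; RegistrationRequired = $_.isRegistrationRequired }
}
```

Starting with a pilot group rather than all_users matches the rollout advice given earlier in the chapter: widen the target only after the pilot users have completed combined registration.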
Creating app registration in Azure AD
The term application can be misunderstood in the context of Azure AD. Let’s understand the concepts of application and app registration with respect to Azure AD. When an application is integrated with Azure AD, it is more than a piece of software or code. In Azure AD, the term application is generally used as a concept: it is not only the software application but also a way of authentication and authorization. This application registration can also be used across multiple tenants for authentication.
There are two components created when an application gets registered in an Azure AD tenant:
• The application object (with its own object ID)
• The service principal
Application object
The Azure AD application is defined by its application object. This application object resides in the Azure AD tenant where the application is registered. But it can be used globally across multiple tenants, after consent has been granted in each tenant.
Service principal object
A service principal is the entity or representative that requires permission to access the resources in an Azure AD tenant. So, in simpler words, to access resources in an Azure tenant, you need a service principal. This service principal should have the required permissions to access the resources. It is the local representation of your application to be used in the home tenant.
The attached permissions define the level of access of the respective user or application. For example, they can have read-only access to certain resources and owner access to others. This enables authentication and authorization capabilities during sign-in and resource access, respectively.
If the application is used in other tenants (after consent), a new service principal gets created in each tenant, but the application object remains unique in the parent or home tenant. So an Azure AD application has a one-to-one relation with its application object and a one-to-many relation with its corresponding service principal objects across tenants.
Azure AD application account types
Azure AD has three types of application accounts. Let’s understand them briefly here:
• Single tenant: If the application is going to be used only by internal users, that is, by users from the same directory where the application is registered, then you need to choose the single tenant account type while registering the app in Azure AD.
• Multi-tenant: If the application is going to be used by external users, that is, by users from any tenant with any Office 365 account (work and school accounts only), then you need to choose the multi-tenant account type while registering the app in Azure AD.
• Multi-tenant with personal Microsoft accounts: The previous account type included only work or school Office 365 accounts from any tenant. But if the application is going to be used by external users with their personal Microsoft accounts, then you should select this account type. This covers the widest range of audience.
You need to assign the account type while registering the application. For a single tenant application, if you make any changes to the application object, the same will be reflected in the service principal object in the application’s home tenant only. For a multi-tenant application, the changes made to the application object will not be reflected in all service principals (across other tenants) until you remove the access from the application access panel and grant it again.
Required access level for app registration
Although the default setting allows users to register applications on their own, if the default setting has been changed, then you may need to make some changes to allow users to register apps in Azure AD.
To do so, follow the given steps:
1. Log in to the Azure portal.
2. Go to Azure AD.
3. Go to Users in the Manage section.
4. Go to User settings.
5. Set Users can register applications to Yes.
You need to set Users can register applications to No if you do not want normal users to register their own apps. Setting it to No is recommended, so that no one can register apps without the administrator’s permission.
New application registration in Azure AD through the Azure portal
After understanding the basic terminology, concepts and required access for apps and service principals, let’s start with the steps to register an app in Azure AD:
1. Log in to the Azure portal with your Microsoft account.
2. If you have access to multiple tenants, then select the correct tenant from the top-right corner. This will make your portal session specific to the selected tenant:
Figure 1.66: Select a tenant in Azure AD
3. Now, search for Azure AD in the search box at the top middle of the Azure portal.
4. On the Active Directory page, select App registrations under the Manage section.
5. Click on + New registration as shown in the following screenshot:
Figure 1.67: Create a new Azure AD application
6. Once the New app registration page opens, fill in the relevant information:
• Name: Give the app a meaningful name, which will be visible to users.
• Select the account type based on the audience. We have learned about the selection criteria for the account type.
Figure 1.68: Fill in the details about the Azure AD application
7. Once you have filled in all the values, click on Register.
In this section, we learned how to do app registration in Azure AD. This new app can be used as a service principal in your Azure environment.
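The portal steps above, and the account types described in the earlier section, can also be expressed in Az PowerShell, which makes the application-object versus service-principal distinction concrete. The following is an added example, not code from the book: it maps the three account types to the signInAudience values the platform uses, registers an app, creates its service principal, and then reports every registration in the tenant whose audience extends beyond your own directory. It assumes the Az.Resources module, an existing Connect-AzAccount session against the intended tenant, and a placeholder display name.

```powershell
# Added example, not from the book: register an application and its service
# principal with Az PowerShell, mapping the three account types to the platform's
# signInAudience values, then list registrations so multi-tenant apps stand out.
# Assumptions: Az.Resources is installed, Connect-AzAccount has been run against
# the right tenant, and the display name below is a placeholder.
Import-Module Az.Resources

$audienceByAccountType = @{
    'single-tenant'         = 'AzureADMyOrg'                        # users of this directory only
    'multi-tenant'          = 'AzureADMultipleOrgs'                 # work/school accounts from any tenant
    'multi-tenant-personal' = 'AzureADandPersonalMicrosoftAccount'  # plus personal Microsoft accounts
}

function Register-ExampleApp {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [ValidateSet('single-tenant', 'multi-tenant', 'multi-tenant-personal')]
        [string]$AccountType = 'single-tenant'   # narrowest audience by default
    )
    # The application object is created once, in the home tenant.
    $app = New-AzADApplication -DisplayName $DisplayName -SignInAudience $audienceByAccountType[$AccountType]
    # The service principal is the tenant-local representation that receives permissions.
    # Other tenants get their own service principal for the same AppId when they consent.
    $sp = New-AzADServicePrincipal -ApplicationId $app.AppId
    [pscustomobject]@{
        DisplayName         = $app.DisplayName
        AppId               = $app.AppId          # identical in every tenant that consents
        ApplicationObjectId = $app.Id             # exists only in the home tenant
        ServicePrincipalId  = $sp.Id              # one per tenant
        SignInAudience      = $app.SignInAudience
    }
}

# Review pass: any audience other than AzureADMyOrg accepts sign-ins from outside your directory.
function Get-AppRegistrationAudienceReport {
    Get-AzADApplication |
        Select-Object DisplayName, AppId, SignInAudience,
            @{ Name = 'ExternalSignIns'; Expression = { $_.SignInAudience -ne 'AzureADMyOrg' } } |
        Sort-Object ExternalSignIns -Descending
}

Register-ExampleApp -DisplayName 'contoso-example-app' -AccountType 'single-tenant'   # placeholder name
Get-AppRegistrationAudienceReport | Format-Table -AutoSize
```

Defaulting the function to the single-tenant audience means a registration only opens up to other tenants or personal accounts when someone asks for it explicitly, which is the same least-exposure choice the account type section recommends making deliberately.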
App registration permission scopes configuration
The Microsoft identity platform allows developers to build applications which can use Azure AD for authentication and authorization. It uses the OAuth 2.0 and OpenID Connect protocols for this. OAuth 2.0 is the method through which a third-party app can access web-hosted resources on behalf of a user. Any web-hosted resource that integrates with the Microsoft identity platform has a resource identifier called the application ID URI. Developers should always abide by the principle of least privilege, asking for only the permissions their applications need to function. In OAuth 2.0, permissions are called scopes. You can assign the Application administrator directory role to manage app registrations.
Types of permissions
Let’s understand the different ways of granting permissions. We will discuss the two kinds of permissions supported by the Microsoft identity platform.
Delegated permission
This kind of permission is used by apps when there is a signed-in user. The user delegates his/her permissions to the app. Any user or administrator can give consent for the permissions that the application needs. Now, the application can act as the signed-in user and has permissions equal to those of the user who consented. Normal permissions can be consented to by a non-admin user, but there are a few high-privileged permissions which require consent from an administrator only.
For delegated permissions, the effective permissions of your app will be the least
privileged intersection of the delegated permissions the app has been granted (via
consent) and the privileges of the currently signed-in user. Your app can never have
more privileges than the signed-in user.
For example, assume your app has been granted the permission to read and write the user profile for every user in your organization. If the signed-in user who is consenting is a user administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user who is consenting isn’t in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization, because the user it has permission to act on behalf of does not have those privileges.
Application permission
This kind of permission is used by apps when they run without a signed-in user present. Only an administrator can consent to this kind of permission. For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the user read and write for all permission can update the profile of every user in the organization. Since the consent does not depend on the signed-in user, the app will have all the permissions assigned to it.
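Because application permissions are not bounded by any signed-in user, a practitioner reviewing a tenant wants to see them separately from delegated grants. The following is an added example, not code from the book, covering both the Delegated permission and the Application permission passages above: it builds an inventory from Microsoft Graph in which delegated permissions come from oauth2PermissionGrants (later intersected with the signed-in user's own privileges) and application permissions come from appRoleAssignments on each service principal (applied in full). It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules and a read-only Connect-MgGraph session with the Application.Read.All and DelegatedPermissionGrant.Read.All scopes.

```powershell
# Added example, not from the book: inventory which permissions each service
# principal holds in the tenant, split into delegated grants (bounded by the
# signed-in user's privileges) and application permissions (applied in full,
# no user present, admin consent only).
# Assumptions: Microsoft.Graph modules installed and connected read-only with
#   Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All'
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

function Get-TenantPermissionInventory {
    $servicePrincipals = Get-MgServicePrincipal -All
    $byId = @{}
    foreach ($sp in $servicePrincipals) { $byId[$sp.Id] = $sp }

    $rows = New-Object System.Collections.Generic.List[object]

    # Delegated permissions: one grant per (client, resource, consent type).
    foreach ($grant in Get-MgOauth2PermissionGrant -All) {
        $client   = $byId[$grant.ClientId]
        $resource = $byId[$grant.ResourceId]
        $rows.Add([pscustomobject]@{
            Client      = if ($client) { $client.DisplayName } else { $grant.ClientId }
            Kind        = 'Delegated'
            Resource    = if ($resource) { $resource.DisplayName } else { $grant.ResourceId }
            Permissions = $grant.Scope.Trim()
            # AllPrincipals = an admin consented for everyone; Principal = one user consented for themselves
            Consent     = $grant.ConsentType
        })
    }

    # Application permissions: app role assignments held by the client's service principal.
    foreach ($sp in $servicePrincipals) {
        foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            $resource = $byId[$assignment.ResourceId]
            $role = if ($resource) { $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId } } else { $null }
            $rows.Add([pscustomobject]@{
                Client      = $sp.DisplayName
                Kind        = 'Application'
                Resource    = $assignment.ResourceDisplayName
                Permissions = if ($role) { $role.Value } else { $assignment.AppRoleId }
                Consent     = 'Admin'   # application permissions can only be admin-consented
            })
        }
    }
    $rows
}

$inventory = Get-TenantPermissionInventory

# Application permissions deserve the closest review: no signed-in user limits them.
$inventory | Where-Object Kind -eq 'Application' | Sort-Object Client | Format-Table -AutoSize

# Delegated grants consented tenant-wide by an admin are the next tier to review.
$inventory | Where-Object { $_.Kind -eq 'Delegated' -and $_.ConsentType -eq 'AllPrincipals' } | Format-Table -AutoSize
```

The two output tables line up with the two consent paths the text describes: the first is what an administrator has granted to run without a user, the second is what an administrator has consented to on behalf of every user. Both are worth exporting and diffing between reviews.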
Conclusion
In this chapter, you learned about Azure Active Directory and Azure subscriptions in detail. Now, you would be able to deploy and manage multiple Azure AD tenants. You also learned how to create new subscriptions and move them across different tenants. You can now decide what kind of subscription offering is suitable for your organization. You can create different subscriptions based on different applications, environments, and business units.
You studied the Azure AD architecture along with user and group management. You studied various methods to sync on-premises user accounts with Azure AD. So, now you can set up a hybrid identity management system by syncing on-premises AD user accounts with Azure AD.
In the next chapter, we will learn various methods for securing access by using Azure AD. We will learn about Azure MFA, Identity Protection, Azure PIM, and Conditional Access.
Multiple choice questions
1. Which of the following is not a supported authentication method in Azure AD Connect?
A. Pass-through authentication.
B. Mixed mode authentication.
C. Password hash authentication.
D. AD FS.
Answer: B
2. In the Pass-through Authentication synchronization method, the user’s password validation happens in Azure Active Directory:
A. True.
B. False.
Answer: B
3. You want to assign O365 licenses to users based on their groups. You have 16 groups and 387 users in total. Which and how many licenses will you buy?
A. 16 Office 365 licenses.
B. 16 Azure AD Basic licenses.
C. 387 Azure AD Basic licenses.
D. 387 Office 365 licenses.
Answer: D
4. Which directory role would you assign to manage the app registration?
A. Users administrator
B. Security administrator
C. Application administrator
D. Application developer
Answer: C
5. Which authentication method stores a copy of the password in Azure Active Directory?
A. Pass-through Authentication
B. Password Hash Authentication
C. Federation Authentication (AD FS)
D. Mixed mode authentication
Answer: B
6. Being a global admin of your directory, you are trying to remove a license from a user in your directory, but you are not able to do so. What could be the reason?
A. The user is inheriting a license from the group.
B. You don’t have the required permission.
C. You need to disable the user account before revoking the license.
D. The user is currently using a service where the license is required and you have to ask the user to stop using that service before revoking the license.
Answer: A
7. You have on-premises Active Directory syncing with Azure Active Directory. Which of the following will you use to enable the password writeback feature?
A. In Azure Conditional Access
B. In on-premises Active Directory
C. In Azure MFA settings
D. In Azure Active Directory Connect
Answer: D
8. Which of the following is not an Azure AD version type?
A. Azure AD Premium P1
B. Azure AD Premium P2
C. Azure AD Free
D. Azure AD Dev/Test
Answer: D
9. Azure AD primary replication is created in which of the following?
A. Different region to the master directory region
B. Same region to the master directory region
C. US Government region
D. None of the above
Answer: B
10. In the Azure AD architecture, the read requests are served by _______.
A. Primary replica
B. Secondary replica
C. Both the replicas
D. None of these
Answer: B
11. In the Azure AD architecture, the write requests are served by ________.
A. Primary replica
B. Secondary replica
C. Both the replicas
D. None of these
Answer: A
Chapter 2
Configuring Secure Access by Using Azure Active Directory
In this chapter, you will learn how to enforce security services from Azure AD. We
will cover least privilege security access, both for Azure AD and for other Azure
resources. Some of the major topics that will be covered include understanding
of use cases for Azure AD Privileged Identity Management (PIM), discovering
the high privilege role holders like owners or global admins in Azure AD and in
your Azure subscriptions, configuring time-limited access for privileged roles, and
auditing the entire process to ensure security compliance for IAM. We will also learn
about setting up Azure Multi-Factor Authentication (MFA), Conditional Access,
and Identity Protection. By the end of this chapter, you will be able to improve the
security of your organization’s identity management in Azure.
Structure
In this chapter, we will learn the following topics:
• What is Azure AD PIM?
• Planning and setting up Azure AD PIM for your organization
• Relation between MFA and PIM
• Monitoring of PIM
• Configuring and managing access review
• Azure AD MFA
• Azure AD Conditional Access
• Azure AD Identity Protection
• Conclusion
• Multiple choice questions (MCQ)
Objectives
The objective of this chapter is to understand the security features of Azure AD. After reading this chapter, you will be able to plan and configure Azure AD PIM. While configuring Azure AD PIM, you will learn about setting up access reviews to audit assigned eligible and permanent roles in Azure AD PIM. You will also learn how to plan the rollout of Azure AD PIM for production and how to manage Azure AD roles and Azure resource roles in Azure AD PIM. Along with Azure AD PIM, you will also go through other security features of Azure AD like Azure MFA, Conditional Access, and Azure Identity Protection. For Azure MFA, you will learn how to plan and enable Azure MFA for users and administrators. In Conditional Access, you will learn how to control user access based on different conditions such as trusted networks and trusted locations. Azure Identity Protection is another security feature of Azure AD, and here you will be able to review the secure score of users and their sign-ins.
What is Azure AD Privileged Identity Management?
As the name indicates, the Privileged Identity Management service provides time-bound and approval-based capabilities to manage, monitor, and control access to various resources such as Microsoft Office 365, Microsoft Azure, and so on. You would not want to provide high privileges all the time to all users. You can control who can access what, and when. You can set up a time duration for which a user can use certain resources with a certain level of permissions. By giving access for a restricted time period, also known as Just-in-Time (JIT) access, you can reduce the chances of malicious attacks.
To manage Azure AD PIM, you require the Privileged Role Administrator role and one of these licenses: Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, or Microsoft 365 M5. Anyone who is going to interact with, manage, control, or benefit from PIM will need one of these licenses. This includes:
• Administrators with Azure AD roles managed using PIM
• Administrators with Azure resource roles managed using PIM
• Administrators assigned to the Privileged Role Administrator role
• Users assigned as eligible to Azure AD roles managed using PIM
• Users able to approve/reject requests in PIM
• Users assigned to an Azure resource role with Just-In-Time or direct (time-based) assignments
• Users assigned to an access review
• Users who perform access reviews
You will not be able to manage PIM-related things if your license expires. If there is an ongoing session for a user with privileged access, the user will not lose the privileged access.
Terminology used in PIM
Let’s understand the different terms used in Azure AD PIM. These definitions will help you understand the concepts quickly. You can divide these terms or concepts broadly into three categories: type, state, and duration:
• Eligible: A role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There’s no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don’t need that access all the time.
• Active: A role assignment that does not require a user to perform any action to use the role. Users assigned as active have the privileges assigned to the role.
• Assigned: A user that has an active role assignment with privileged access.
• Activated: A user that has an eligible role assignment performs the actions to activate the role and is now active. Once activated, the user can use the role for a preconfigured period of time before they need to activate it again.
• Permanent Eligible: A role assignment where a user is always eligible to activate the role.
• Permanent Active: A role assignment where a user can always use the role without performing any actions. If PIM is not configured and enabled, then this is the default setting of a role assignment in Azure AD.
• Expire Eligible: A role assignment where a user is eligible to activate the role within a specified start and end date. After the end time, the user cannot activate the role and must request it again.
• Expire Active: A role assignment where a user can use the role without performing any actions within a specified start and end date.
• Activate: The process of performing one or more actions to use a role that a user is eligible for. Actions might include performing an MFA check, providing a business justification, or requesting approval from designated approvers.
• Just-in-time (JIT) access: A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. This is time-bound access.
• Principle of least privilege access: A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios.
You cannot manage the classic subscription Account Administrator, Service Administrator, and Co-Administrator roles through Azure AD PIM.
Except for the Exchange administrator and SharePoint administrator roles, other Exchange Online or SharePoint Online roles are not represented in Azure AD, so they cannot be managed in PIM.
Planning and setting up Azure AD PIM for your organization
You went through the preceding best practices, and now you need to apply them in your environment as per your business requirements. As I said earlier, security is a relative thing; it needs continuous improvement and needs to be maintained consistently. Before enforcing any of the best practices, you should go through a planning phase, where you understand which solutions are relevant to your business needs and which users need to be covered by which security best practice. Then, before applying the policies to production, you should test them on a set of users. In this section, I will take you through the planning phase and then the deployment phase of Azure AD PIM.
Planning Azure AD PIM and other security best practices
As a security administrator, your actions can affect multiple users. Before applying any new security policy or modifying an existing policy, you should do some planning. In this section, we will study how we can plan to roll out Azure AD PIM for your organization:
• Identify target stakeholders: You need to bring together stakeholders from different departments to understand their requirements related to identity and access management security, and to make them understand what Azure AD PIM is, how it can help them, how to use it, and how to manage it. The stakeholders will be able to communicate the relevant information to their team members. You can plan to invite stakeholders from the following groups:
• Global admins
• Line managers
• Tower heads
• Practice heads
• Security heads
• IT or helpdesk
• Privileged access pilot users
• Identify target Azure resources to be covered by Azure AD PIM: You can bring Azure resources under the umbrella of Azure AD PIM as well. We will go through this in detail in the upcoming sections. So, you can plan which resources you want to keep under PIM.
• Enforce least privilege access policy: Extract a report to see who has privileged access and whether they really require it, and see if you can cut down unwanted access for users. There could be scenarios where security admin access was assigned to someone long ago to complete some task but was never revoked after the task was completed. Ask for a justification of why they need that role. So, for all Azure AD users, review their roles and, based on their justification, decide which role suits them, and remove privileged access from those who no longer need the role.
You can set up access reviews from Azure AD PIM to automate the task of reviewing role assignments. We will go through setting up access reviews in Azure AD PIM in the upcoming sections.
You should perform access reviews for Azure subscription owners, resource group owners, and resource owners. You need to ask for justifications of why they need access to a particular resource. You can work with subscription owners or resource group owners to understand the use of any resource under their subscription or resource group and then ask for the justification for user access to the resources.
• Decide roles to be part of Azure AD PIM: Once you have cleaned up privileged role assignments, you will need to decide which roles need to be protected with PIM. It is important to prioritize protecting the Azure AD roles that have the greatest number of permissions. Here are a few of the critical roles which you should plan to cover under Azure AD PIM:
• Global administrator
• Security administrator
• User administrator
• Exchange administrator
• SharePoint administrator
• Intune administrator
• Security reader
• Service administrator
• Billing administrator
• Skype for Business administrator
Since reader roles such as Directory Reader, Message Center Reader, and Security Reader do not have write permission, they are sometimes believed to be less important compared to other roles. However, attackers who have gained access to these accounts may be able to read sensitive data such as personally identifiable information. You should take this into consideration when deciding whether reader roles in your organization need to be managed using Azure AD PIM.
• Decide permanent and eligible role assignments: Once you have decided which roles will be managed under Azure AD PIM, you must decide which users should get an eligible role and which users a permanently active role. Permanently active roles are the normal roles assigned through Azure AD, while eligible roles can only be assigned in PIM.
It is recommended to assign a permanent global admin role to break glass emergency accounts.
•
Draft Azure AD PIM setting: Before you implement your PIM solution, it
is a good practice to draft your PIM settings for every privileged role your
organization uses. For example:
Configuring Secure Access by Using Azure Active Directory
For the Global Administrator role, the settings would be:
  • MFA is required.
  • A notification is sent to the global administrators, security
    administrators, and privileged role administrators.
  • An incident or request ticket number is required to activate the role.
  • Approval from another global administrator, security administrator, or
    privileged role administrator is required to activate the role.
  • Activation duration is 2 hours.
For subscription owners:
  • MFA is required.
  • A notification is sent to the global administrators, security
    administrators, and privileged role administrators.
  • Approval from another active subscription owner is required to activate
    the role.
  • Activation duration is 2 hours.
In the same way, create a list for the other roles so that the correct
conditions are set up consistently.
Configuring Azure AD PIM
After doing all the planning, you are now ready for implementation. Follow the
given steps if you want to set up Azure AD PIM for the first time:
1. Log in to the Azure portal as a global administrator.
2. Search for Azure AD and go to Licenses under the Manage section.
3. In Licenses, click on All products under Manage.
4. Click on the + Try / Buy option to purchase a trial or paid license. For PIM,
you need the Azure AD Premium P2 or Enterprise Mobility + Security E5 license:
Figure 2.1: Select license to buy or try
5. Before assigning the license, the user should have the usage location defined
for them. To set up the usage location, go to Users in Azure AD.
6. Select the user for whom you want to set up the usage location:
Figure 2.2: Setup user’s usage location in Azure AD user profile
7. In the Profile section, edit the Settings option and choose the location from
the drop-down menu.
8. In the User section, you can assign the license to this user. Go to the Licenses
section and click on + Assignments as shown in the following figure:
Figure 2.3: Assign a license to a user
9. A new window will open, and you will see available licenses which you
purchased to assign your users. Select the Enterprise mobility + Security
E5 or Azure Active Directory Premium P2 license. Once you select the
license, you will see the available feature with that license. You can choose
the required features. Once it is selected, click on Save as shown in the
following figure:
Figure 2.4: Choose the license and license feature to assign to a user
10. Refresh the Licenses page and now you will notice that the license has been
assigned to the user:
Figure 2.5: Verify and see the status of the assigned license in a user profile
11. Once the required license (EMS E5 or Azure AD Premium P2) is assigned to the
user, or to you, you can set up Azure AD PIM for the first time.
The other prerequisite to set up Azure AD PIM is that the privileged role
administrator must be covered by MFA. The later section "Steps to Enable and
Disable Azure MFA for Users" shows how to enable Azure MFA for users; follow it
and enable Azure MFA for yourself before continuing.
Manage Azure AD PIM for Azure AD roles
In the preceding section, you performed the steps to set up Azure AD PIM for
first-time use. In this section, you will be taken through enforcing Azure AD PIM.
From the Azure AD PIM home page, you have three areas to manage: Azure AD
roles, Azure resources, and Privileged access groups. Management of Privileged
access groups was in preview at the time of writing this book.
Manage Azure AD roles
Let's understand what you can do in Azure AD role management. You need to
sign up for PIM before managing Azure AD roles; the previous section took you
through the sign-up process. Once you have signed up, you can manage role
assignments, role activations, approval requests, privileged access requests,
audit history, and more from here.
Role assignment
Here, you can select an Azure AD role and assign it to users to make them eligible
to activate the role when they need it. Before assigning roles, you should define
which conditions a user must satisfy, and which justification they must give, to
activate an eligible role. In this book, these conditions are called passing
parameters; the portal calls them role settings. Perform the given steps to set
them up:
1. In Azure AD roles, go to Settings. Here, you can configure passing parameters
for roles.
2. Under Settings, you will see all available directory roles for which you can
set up passing parameters. In this exercise, I am considering the Billing
Administrator role to be assigned as the eligible role, so let's configure the
passing parameters for Billing Administrator. When you click on the Billing
Administrator role, a new blade opens. It is divided into Activation, Assignment,
and Notification settings, and shows the current settings for the role. Click on
Edit to make changes in the role settings:
Figure 2.6: Edit settings for Azure AD PIM role
Once you click on Edit, a new page opens, and you will see three tabs:
Activation, Assignment, and Notification.
• In Activation, you set up the following configurations:
  • How long the role stays active after a user activates their eligible
    Billing Administrator assignment (the maximum activation duration).
  • Whether the user must pass MFA to activate the role.
  • Whether the user must provide a justification, a ticket number, or obtain
    approval to activate the role. Enabling ticketing lets users enter the
    ticket information when they request an activation.
  • If approval is required, which users are the approvers. Being a
    privileged role administrator, you can select an appropriate approver for
    each directory role. For example, for the Billing Administrator role, you
    can make the head of finance the approver; for the User Administrator
    role, you can make a global administrator the approver. If you do not
    select any approver, the global administrators and privileged role
    administrators become the default approvers.
Figure 2.7: Update activation settings for Azure AD PIM role
The preceding figure shows the settings available for Azure AD PIM role
activation.
• In Assignment, you can set up the following configurations:
  • Whether this role can be assigned as a permanent eligible assignment.
  • The expiration of eligible assignments, if the role cannot be assigned as
    a permanent eligible assignment.
  • Whether this role can be assigned as a permanent active assignment.
  • The expiration of active assignments, if the role cannot be assigned as a
    permanent active assignment.
  • Whether this role requires Azure MFA on active assignment.
  • Whether this role requires a justification on active assignment.
Figure 2.8: Update assignment settings for Azure AD PIM role
The preceding figure shows the settings available for Azure AD PIM role
assignment.
• In Notification, you can set up the following configurations:
  • Send a notification when a user is assigned as eligible for this role.
  • Send a notification when a user is assigned as active for this role.
  • Send a notification when an eligible user activates this role.
  • The default recipients for each type of notification; you can also add
    additional users as recipients.
Figure 2.9: Update notification settings for Azure AD PIM role
The preceding figure shows the settings available for Azure AD PIM role
notifications.
In the preceding steps, you configured passing parameters for the Billing
Administrator role. It is recommended that you configure a separate parameter
checklist for each role, depending on the criticality of the role.
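The same Activation settings can be applied without the portal, which matters once you have drafted a settings list per role as recommended earlier: a script applies the drafted list identically every time, and reading the rules back is the check that the draft and the tenant agree. The following is an added example, not code from the book, that applies the drafted Global Administrator settings (MFA, justification and ticket number on activation, approval by a named administrator, 2-hour activation) through the Microsoft Graph role management policy API using the Microsoft.Graph PowerShell module. It assumes a Privileged Role Administrator sign-in with the RoleManagementPolicy.ReadWrite.Directory permission; the approver object ID is a placeholder, and the notification settings from the draft are not covered here.

```powershell
# Added example (not from the book): apply the drafted Global Administrator settings
# (MFA, justification and ticket on activation, approval by a named admin, 2-hour
# activation) through the Microsoft Graph role management policy API. Assumes
# Microsoft.Graph PowerShell and a Privileged Role Administrator sign-in; $approverId is a placeholder.
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory' | Out-Null

$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator role template
$approverId            = '00000000-0000-0000-0000-000000000000'   # placeholder: object id of the approving admin
$base                  = 'https://graph.microsoft.com/v1.0/policies'

# Each directory role has one PIM policy at tenant scope; the policy assignment maps role -> policy id.
$filter   = [uri]::EscapeDataString("scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$globalAdminTemplateId'")
$policyId = (Invoke-MgGraphRequest -Method GET -Uri "$base/roleManagementPolicyAssignments?`$filter=$filter").value[0].policyId

# Rules whose target caller is EndUser at the Assignment level are the portal's Activation tab.
$activationTarget = @{
    '@odata.type'       = 'microsoft.graph.unifiedRoleManagementPolicyRuleTarget'
    caller              = 'EndUser'
    operations          = @('All')
    level               = 'Assignment'
    inheritableSettings = @()
    enforcedSettings    = @()
}
$rules = [ordered]@{
    'Expiration_EndUser_Assignment' = @{     # Activation maximum duration: 2 hours
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        id                   = 'Expiration_EndUser_Assignment'
        isExpirationRequired = $true
        maximumDuration      = 'PT2H'
        target               = $activationTarget
    }
    'Enablement_EndUser_Assignment' = @{     # On activation, require MFA, a justification and a ticket number
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        id            = 'Enablement_EndUser_Assignment'
        enabledRules  = @('MultiFactorAuthentication', 'Justification', 'Ticketing')
        target        = $activationTarget
    }
    'Approval_EndUser_Assignment' = @{       # Require approval from the named approver
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
        id            = 'Approval_EndUser_Assignment'
        target        = $activationTarget
        setting       = @{
            '@odata.type'                    = 'microsoft.graph.approvalSettings'
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = 'SingleStage'
            approvalStages = @(@{
                '@odata.type'                   = 'microsoft.graph.approvalStage'
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @(@{ '@odata.type' = '#microsoft.graph.singleUser'; userId = $approverId })
                escalationApprovers             = @()
            })
        }
    }
}
foreach ($ruleId in $rules.Keys) {
    Invoke-MgGraphRequest -Method PATCH -ContentType 'application/json' -Body $rules[$ruleId] `
        -Uri "$base/roleManagementPolicies/$policyId/rules/$ruleId" | Out-Null
}

# Read the rules back and check that the three settings actually took effect
$applied = (Invoke-MgGraphRequest -Method GET -Uri "$base/roleManagementPolicies/$policyId/rules").value
$exp = $applied | Where-Object { $_.id -eq 'Expiration_EndUser_Assignment' }
$ena = $applied | Where-Object { $_.id -eq 'Enablement_EndUser_Assignment' }
$apr = $applied | Where-Object { $_.id -eq 'Approval_EndUser_Assignment' }
"max activation: $($exp.maximumDuration); on activation: $($ena.enabledRules -join ', '); approval required: $($apr.setting.isApprovalRequired)"
```

The rule IDs follow a fixed pattern (`<Setting>_<Caller>_<Level>`): the `Admin` caller rules such as `Expiration_Admin_Eligibility` and `Enablement_Admin_Assignment` correspond to the Assignment tab, so the same loop can apply a drafted "no permanent eligible assignment, MFA on active assignment" list by adding those rules to the table.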
You have configured the passing parameters now so you can perform the following
steps to grant eligible roles to users:
1. Click on Roles under the Manage section. You will see a list of all available
Azure AD roles.
2. Click on the desired role. You will see the Assignments, Description, and Role
settings options. In the Description option, you will see a brief description
about the role and all the permissions users will get by assigning this role.
Here, I am considering the Billing Administrator role to be assigned as the
eligible role. The following screenshot displays what you will see when you
go to description:
Figure 2.10: See the permissions associated with the billing administrator Azure AD role
3. In Assignments, click on + Add Assignments to assign this role to a user.
A new window opens where you can select the user. Once you add the user, you
can see the role assignment type as Eligible. From here you can make the
assignment permanent, give it a start and end date, or remove it:
Figure 2.11: Assign an eligible role to a user
The Assignments option has three tabs: Eligible assignments, Active assignments,
and Expired assignments. They list the users with eligible, active, and expired
assignments respectively.
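The same eligible assignment can be created through Microsoft Graph, which is useful when many users must be onboarded at once or when the assignment should be time-bound by policy rather than by hand. The block below is an added example, not the book's code: it makes one user eligible for Billing Administrator for 180 days and then lists what the Eligible assignments tab would show. It assumes the Microsoft.Graph PowerShell module and a Privileged Role Administrator sign-in with RoleEligibilitySchedule.ReadWrite.Directory; the UPN, function name and justification text are placeholders.

```powershell
# Added example (not from the book): make one user eligible for Billing Administrator
# through PIM, time-bound to 180 days, then list the result. Assumes Microsoft.Graph
# PowerShell and a Privileged Role Administrator sign-in. The UPN is a placeholder.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory', 'User.Read.All' | Out-Null

$billingAdminTemplateId = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'   # built-in Billing Administrator template
$user = Get-MgUser -UserId 'alice@contoso.example'                  # placeholder UPN; -UserId accepts an id or a UPN

function New-PimEligibility {
    param([string]$PrincipalId, [string]$RoleDefinitionId, [string]$Duration, [string]$Justification)
    $body = @{
        action           = 'adminAssign'          # 'adminRemove' with the same ids revokes it again
        justification    = $Justification
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = '/'                    # tenant-wide; '/administrativeUnits/<id>' would scope it down
        principalId      = $PrincipalId
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = $Duration }   # ISO 8601; type 'noExpiration' = permanent eligible
        }
    }
    # PIM validates the request against the role's Assignment settings: a duration longer than the
    # role allows, or a permanent eligibility where that is disallowed, is rejected at this call.
    Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $body `
        -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests'
}

$req = New-PimEligibility -PrincipalId $user.Id -RoleDefinitionId $billingAdminTemplateId `
        -Duration 'P180D' -Justification 'placeholder: finance quarterly billing duties'
"Request $($req.id): $($req.status)"        # Provisioned once the eligibility exists

# What the Eligible assignments tab shows for this user
$filter = [uri]::EscapeDataString("principalId eq '$($user.Id)'")
$elig = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances?`$filter=$filter"
$elig.value | ForEach-Object { "{0} scope={1} until={2}" -f $_.roleDefinitionId, $_.directoryScopeId, $_.endDateTime }
```

Because the request goes through the same policy as the portal, the Assignment settings configured in the previous steps are enforced here too: if the role disallows permanent eligible assignments, a request with `noExpiration` fails rather than silently creating a permanent one.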
Review assignments
Here you can see which user holds which role, and whether the assignment is
permanent or eligible, using the same Eligible, Active, and Expired assignments
tabs. You can add a new member from here as well. The Eligible assignments tab
shows the result as in Figure 2.11, and there is an option to export the list:
Figure 2.12: See members and their assigned roles
Manage alerts
You can configure the conditions on which you would like to get alerts. In the
Alerts section, you can check the current alerts generated from those conditions.
You set the conditions up in Settings. Perform the following steps to set the
conditions and the thresholds that trigger alerts. There are pre-created
conditions for which you can modify the threshold:
1. Go to Alerts and select Settings. You will find a list of pre-created
conditions. Open the required condition and set the threshold. Once your
environment meets the threshold, an alert is generated; you can see these
alerts in Alerts under the Manage section. The following is the list of
pre-created conditions:
  • Eligible administrators aren't activating their privileged role.
  • The organization does not have Azure AD Premium P2.
  • Potential stale accounts in a privileged role.
  • Roles are being assigned outside of PIM.
  • There are too many global administrators.
  • Roles are being activated too frequently.
Figure 2.13: Set up alerts in Azure AD PIM
2. You can scan your environment by clicking on Scan to see active alerts. It
shows the alerts with their respective severity.
Configuring access review
You can set up a periodic review for Azure AD roles. A periodic review is important
to ask users for a justification to keep the assigned role. You can set up the
review for an individual role or select multiple directory roles together;
selecting multiple roles creates one review per role, so if you select four
directory roles, four access reviews are created. You can set the duration and
recurrence of the reviews. Let's perform the following steps to set up access
reviews for Azure AD roles:
1. Log in to the Azure portal and go to Azure AD roles in Azure AD PIM.
2. Click on Access reviews under Manage. You will get an option to create new
reviews. When you click on New, a new window opens, and here you can
create review rules.
3. Fill in the details as shown in the following figure:
Figure 2.14: Set up Azure AD PIM access review, fill basic details
In the preceding screenshot, a few things are self-explanatory, but let's still go
through them:
• Review name: This is the name of the review plan.
• Description: Give a brief description, such as why the review was created and
  who is covered by it.
• Start date: The date on which you want this review to start.
• Frequency: How often you want to review the access. The options are One
  time, Weekly, Monthly, Quarterly, Semi-annually, and Annually.
• Duration (in days): How long each review instance stays open, that is, how
  much time reviewers have to respond or provide a justification.
• End and End date: How this series of access reviews ends. You can choose
  Never, End on a specific date, or End after a fixed number of occurrences.
  You can also stop the review at any time by changing the End date option.
• Users scope: Every user who has the selected role assigned is the default
  selection. In our example, whoever has the Billing Administrator role
  assigned is in the review scope. The scope can also be switched from users
  to service principals, so that application identities holding the role are
  reviewed.
Figure 2.15: Set up Azure AD PIM access review, select directory roles and reviewer
• Review role membership: Select one privileged role, or several, for the access
  review.
• Assignment type: Select which kind of role assignment (Active, Eligible, or
  both) this access review covers.
• Reviewers: If you have a clear idea of who should review all users' access,
  choose Selected users. If you do not know whom to approach to review the
  access, choose Members (self); in this case, the members themselves justify
  their privileged access.
• Upon completion settings: You can set what happens after the review
  completes. If you want to automatically remove access for users who were
  denied, set Auto apply results to resource to Enable. If you want to apply
  the results manually when the review completes, set it to Disable.
• If reviewers don't respond: Specify what happens to users who are not
  reviewed within the review period. This setting does not affect users who
  were reviewed manually; if the reviewer's final decision is Deny, that
  user's access is removed. The options are:
  • No change: Leave the user's access unchanged.
  • Remove access: Remove the user's access.
  • Approve access: Approve the user's access.
  • Take recommendations: Apply the system's recommendation to deny or approve
    the user's continued access.
Figure 2.16: Set up Azure AD PIM access review, completion settings
• Advanced settings: Here you can define the following:
  • Show recommendations: Show reviewers the system's recommendations, based
    on the user's access information, such as recent use of the role.
  • Require reason on approval: Ask reviewers for a reason when they approve.
  • Mail notifications: Allow Azure AD to send email to reviewers when an
    access review starts and to administrators when a review completes.
  • Reminders: Allow Azure AD to send reminders about reviews in progress to
    reviewers who have not completed their review.
4. Once you have created the access review for the Azure AD role, it appears
shortly in the list of reviews. Click on it to open the dashboard with the
options to manage this review. If the start date is today, the review is
already in Active status; if the start date is in the future, the status is
Not started. You cannot bring the start date forward once set, but you can
change the end date at any time.
5. On the dashboard, you will see the following details. When a reviewer
approves or denies access, they are stating whether the user still needs the
role. Under self-review, users choose Approve if they want to stay in the role
or Deny if they no longer need the access. Users' access and status do not
change right away; they change when the results are applied, either
automatically or by the administrator:
Figure 2.17: Azure AD PIM access review dashboard
6. Under Results, you can see who has completed the review, what reason is
provided, and what action is applied. You can apply the action manually
also from here and see the system recommendations:
Figure 2.18: See Azure AD PIM access review result
7. You can manage reviewers under Reviewers. You can add and remove
reviewers and send a reminder to reviewers. The review should be in the
active state in order to send the reminder:
Figure 2.19: Manage Azure AD role reviewers
8. Under Settings, you can modify the settings which you made while creating
this review.
9. Audit logs give you visibility about activities that happen on this review.
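The review described in steps 1 to 9 can also be defined through Microsoft Graph, which is the practical route when the same review must exist for several roles or several tenants. The block below is an added example, not code from the book: it creates a quarterly review of the Billing Administrator role with a selected reviewer, auto-apply enabled, and non-responses treated as Remove access, and each setting is commented with the portal field it corresponds to. It assumes the Microsoft.Graph PowerShell module, a Global Administrator sign-in with AccessReview.ReadWrite.All, and the reviewer UPN and review names are placeholders.

```powershell
# Added example (not from the book): create the quarterly access review of the Billing
# Administrator role described in the steps above, with the completion settings set to
# auto-apply and to remove access from anyone the reviewer does not act on. Assumes
# Microsoft.Graph PowerShell and a Global Administrator sign-in; the reviewer UPN is a placeholder.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All', 'User.Read.All' | Out-Null

$billingAdminTemplateId = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'
$reviewer = Get-MgUser -UserId 'head.of.finance@contoso.example'   # placeholder: the "Selected users" reviewer

$definition = @{
    displayName             = 'Quarterly review: Billing Administrator (PIM)'
    descriptionForAdmins    = 'Eligible and active Billing Administrators justify why they still need the role.'
    descriptionForReviewers = 'Approve only users who still need Billing Administrator for current duties.'
    scope = @{
        # For Azure AD roles the scope pairs "who" (principals) with "what" (the role definition).
        '@odata.type'   = '#microsoft.graph.principalResourceMembershipsScope'
        principalScopes = @(@{ '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
                               query = '/users'; queryType = 'MicrosoftGraph' })
        resourceScopes  = @(@{ '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
                               query = "/roleManagement/directory/roleDefinitions/$billingAdminTemplateId"
                               queryType = 'MicrosoftGraph' })
    }
    reviewers = @(@{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' })
    settings = @{
        mailNotificationsEnabled        = $true    # Advanced settings: Mail notifications
        reminderNotificationsEnabled    = $true    # Advanced settings: Reminders
        justificationRequiredOnApproval = $true    # Advanced settings: Require reason on approval
        recommendationsEnabled          = $true    # Advanced settings: Show recommendations
        instanceDurationInDays          = 14       # Duration (in days)
        autoApplyDecisionsEnabled       = $true    # Auto apply results to resource: Enable
        defaultDecisionEnabled          = $true    # If reviewers don't respond ...
        defaultDecision                 = 'Deny'   # ... Remove access ('Approve' and 'Recommendation' are the alternatives)
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 0 }        # Frequency: Quarterly
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') } # End: Never
        }
    }
}

$review = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $definition `
    -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions'
"Review $($review.id) created, status: $($review.status)"   # NotStarted until the first instance opens

# The dashboard list: one instance per occurrence, each with its own start/end and status
$instances = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$($review.id)/instances"
$instances.value | ForEach-Object { "{0}: {1} -> {2}" -f $_.status, $_.startDateTime, $_.endDateTime }
```

The combination of `autoApplyDecisionsEnabled` and `defaultDecision = 'Deny'` is the one that actually removes stale access without a human follow-up; with either left at its default, the review only records decisions and the administrator still has to apply them from the Results page.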
In this section you learned how to define passing parameters for an Azure AD
role, how to assign an eligible Azure AD role to a user, how to set up alerts for
Azure AD PIM roles, and how to create an access review.
Administering Azure AD PIM for Azure AD roles
In the preceding sections, you learned how to set up Azure AD PIM and how to
manage PIM for Azure AD roles. In this section, you will learn how to administer,
or complete, the tasks assigned to you for Azure AD roles. You may be assigned as
a reviewer for an access review, or as an approver for an eligible role:
• My roles: Here, you can see all permanent and eligible roles that are assigned
  to you, including roles assigned to you that you have not yet activated.
• My requests: Here, you can see the status of the requests you raised to
  activate a privileged role. You can cancel any request made by you.
• Approve requests: As an approver, here you take decisions on the requests
  raised by others to activate their eligible roles.
• Review access: If you are assigned as a reviewer for an access review, here
  you can see the reviews pending with you.
In the previous version of PIM for Azure AD roles, you had only two options for
role assignment: eligible and permanent. Now, you can set a start and end time for
each type of assignment, which gives four possible states for an assignment:
• Eligible permanently
• Active permanently
• Eligible with specified start/end dates for the assignment
• Active with specified start/end dates for the assignment
Another addition: in the previous version you could only configure activation
settings per role. That is, activation settings such as the multi-factor
authentication requirement and the incident/request ticket requirement applied
to all users eligible for a given role. Now you can also configure whether an
individual user needs to perform multi-factor authentication before they can
activate a role.
Managing Azure AD PIM for Azure resources
In the previous section, you configured Azure AD PIM for Azure AD roles and
learned how to manage, configure, audit, and set alerts for Azure AD directory
roles. Azure AD PIM also lets you configure, manage, and control privileged
access over Azure resources. You can set up PIM at the management group,
subscription, resource group, or individual resource level. In this section,
let's go through what you can do in Azure AD PIM for Azure resources.
Administering Azure AD PIM for Azure resources
You will learn how to administer, or complete, the tasks assigned to you for
Azure resources. You may be assigned as a reviewer for an access review, or as an
approver for an eligible role. Here are the areas you should be aware of while
administering Azure AD PIM roles:
• My roles: Here, you can see all permanent and eligible roles that are assigned
  to you.
• My requests: Here, you can see the status of the requests you raised to
  activate a privileged role. You can cancel any request made by you.
• Approve requests: As an approver, here you take decisions on the requests
  raised by others to activate their access on Azure resources.
• Review access: If you are assigned as a reviewer for an access review, here
  you can see the reviews pending with you.
Managing Azure resource roles
You can manage built-in and custom Azure resource roles through Azure AD PIM.
Subscription owners, subscription User Access Administrators, and Azure AD global
administrators who have elevated their access to manage all Azure subscriptions
have resource administrator permissions by default. These resource administrators
can assign roles, configure role settings, and review access using Azure AD PIM
for Azure resources. A user cannot manage Azure AD PIM for a resource without
resource administrator permissions on it.
Azure resource role assignment in Azure AD PIM
Before you assign any Azure resource role through Azure AD PIM, you can configure
settings for the Azure resource roles. These settings define the passing
parameters users must satisfy to activate their role. To configure the passing
parameters for roles, perform the following steps:
1. Log in to the Azure portal with a resource administrator account (for example,
the subscription owner) and go to Azure AD PIM.
2. Select Azure resources under the Manage section. Click on Discover resources;
you can filter the resources you want to manage from the Resource filter
drop-down menu. Once you select the appropriate resource type, click on Manage
resources to manage the resources through Azure PIM:
Figure 2.20: Select the resources which you want to manage through the Azure resource role
Once you have onboarded an Azure resource into PIM for Azure resources, you
cannot offboard it. You will still be able to manage role assignments outside
PIM in the usual way, but such assignments are what the "Roles are being
assigned outside of PIM" alert reports.
3. Now click on the onboarded resource and go to Settings under Manage. A new
blade opens which shows all available resource roles for the resource selected
in step 2:
Figure 2.21: Select the resources role for which you want to modify passing parameters
4. Select any role to modify its passing parameters. The passing parameters have
the same configuration as described in the previous section "Manage Azure AD PIM
for Azure AD roles"; follow the steps under "Role assignment" to set up the
passing parameters and settings for any Azure resource role.
Once you have configured the role setting, you can do role assignments. Let’s follow
these steps to assign Azure resource roles:
1. Select Roles under the Manage section. You can see a list of resource roles.
2. Click on the desired role. A new page will open, there you can see three tabs
Eligible assignments, Active assignments, and Expired assignments. On
the same page, click on + Add Assignments to assign this role to any user.
A new window will open and there you can select users. Once you add the
user, you can see the role assignment type as Eligible.
Figure 2.22: Assign an eligible role to a user
Here I chose the Owner Azure resource role. The Eligible assignments, Active
assignments, and Expired assignments tabs list the users with eligible, active,
and expired assignments respectively.
In this section you learned how to set up passing parameters and settings for
Azure resource roles in Azure PIM, and how to assign an Azure resource role to a
user through PIM for Azure resources.
Managing assignments
Here, you can manage the members’ access. You can see who all have access on
which resource and what level of access. You can add and revoke permissions for
members to resources.
Managing alerts
Azure AD PIM generates alerts when there is suspicious or unsafe activity in your
organization. When an alert is triggered, it shows up on the Alerts page. There
are a few preconfigured alerts which trigger when their threshold is met; you can
configure the thresholds under Alerts. There are three severity levels: high,
medium, and low.
Managing access review
Here you can create access review for Azure resource role assignment. This access
review process has similar configuration as we discussed in Azure AD role access
review. Please refer to that section to understand the access review for Azure resource
roles.
Activating Azure AD and Azure resource roles in PIM
If you have been given an eligible assignment for a privileged administrative
role, you can activate that role when you need to perform privileged actions.
For example, suppose you occasionally register applications in Azure AD and
create resources in a resource group. Your organization's privileged role
administrators may not want to make you a permanent Application Administrator or
give you permanent Owner access on the resource group, since those roles affect
many users and resources respectively. So they make you eligible for the
Application Administrator Azure AD role and eligible for the Owner Azure resource
role on the resource group where you create resources. You request activation
of those roles when you need their privileges, and then you have administrator
and owner control for a predetermined time period.
In this section, you will understand how to activate your Azure AD and Azure
resource roles in Azure AD PIM. Follow these steps to activate your roles:
1. Log in to the Azure portal and go to Azure AD PIM.
2. You can manage your roles from My roles under Tasks. Click on My roles and a
new window opens.
3. Here, you will see separate lists for Azure AD roles and Azure resource roles.
4. Choose the appropriate list to activate your eligible role. You will see the
eligible roles assigned to you:
Figure 2.23: Choose the assigned eligible role to activate
5. Click on Activate. You will be asked to satisfy the role's passing parameters
as configured by the privileged role administrator under Settings for that role:
for example, complete MFA, provide a justification, enter a ticket number, or
wait for approval. You can also choose a shorter activation duration than the
maximum allowed.
6. Azure AD PIM then processes your activation request and confirms whether the
activation was successful. If approval is required, the role stays pending until
an approver acts on the request. Your existing session token does not carry the
new role, so sign out and sign in again (or refresh the portal) to start using
the newly activated role.
7. Once you activate your eligible role, you can see it under Active
assignments:
Figure 2.24: See your active role assignments
As you can see in the preceding figure, you get an option to Deactivate your
role, so you can also deactivate an active role from this tab before its
activation window expires.
In this section you learned how to activate your eligible role and how to see
your active roles.
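Activation and deactivation are requests against the same Graph endpoint the portal uses, which is how automation (a runbook, a CI job) can take a privileged role for exactly as long as a task needs. The block below is an added example, not the book's code: it checks that the signed-in user is eligible for Global Administrator, activates it for two hours with the justification and ticket number the Activation settings demand, reports whether the request is active or waiting for an approver, and deactivates it afterwards. It assumes the Microsoft.Graph PowerShell module, a session signed in as the eligible user that has already satisfied MFA, and the RoleAssignmentSchedule.ReadWrite.Directory permission; the function name, ticket number and ticket system are placeholders.

```powershell
# Added example (not from the book): activate your own eligible Global Administrator
# assignment for two hours, satisfying the justification and ticket settings, and
# deactivate it when done. Assumes Microsoft.Graph PowerShell signed in as the eligible
# user with an MFA-satisfied session (activation fails otherwise when MFA is required).
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.ReadWrite.Directory' | Out-Null

$roleTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator
$me   = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id'
$base = 'https://graph.microsoft.com/v1.0/roleManagement/directory'

# My roles > Eligible assignments: stop early if the role is not eligible for this user
$filter = [uri]::EscapeDataString("principalId eq '$($me.id)'")
$elig = Invoke-MgGraphRequest -Method GET -Uri "$base/roleEligibilityScheduleInstances?`$filter=$filter"
if (-not ($elig.value | Where-Object { $_.roleDefinitionId -eq $roleTemplateId })) {
    throw 'No eligible Global Administrator assignment for the signed-in user.'
}

function Send-PimSelfRequest {
    param([ValidateSet('selfActivate', 'selfDeactivate')][string]$Action,
          [string]$Justification, [string]$TicketNumber, [string]$Duration = 'PT2H')
    $body = @{
        action           = $Action
        principalId      = $me.id
        roleDefinitionId = $roleTemplateId
        directoryScopeId = '/'
    }
    if ($Action -eq 'selfActivate') {
        $body.justification = $Justification                                              # required when Justification is enabled
        $body.ticketInfo    = @{ ticketNumber = $TicketNumber; ticketSystem = 'ServiceNow' }  # required when Ticketing is enabled; placeholder system
        $body.scheduleInfo  = @{                                                          # may be shorter, never longer, than the role's maximum
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = $Duration }
        }
    }
    Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $body `
        -Uri "$base/roleAssignmentScheduleRequests"
}

$req = Send-PimSelfRequest -Action selfActivate -TicketNumber 'INC0000001' `
        -Justification 'placeholder: investigate tenant-wide sign-in failures (INC0000001)'
switch ($req.status) {
    'PendingApproval' { 'Waiting for an approver; the role is not active yet.' }
    'Provisioned'     { 'Active. Sign out and in (or acquire a new token) so the role is in your token.' }
    default           { "Request status: $($req.status)" }
}

# ... do the privileged work, then give the role back before the window expires
Send-PimSelfRequest -Action selfDeactivate | Out-Null
```

Two details matter in practice: the `Provisioned` status means the assignment exists in the directory, not that your current token has it, so anything already running with the old token keeps the old permissions until it re-authenticates; and the explicit `selfDeactivate` at the end is what keeps the exposure window to the length of the task rather than the full two hours.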
Azure AD multi-factor authentication (MFA)
Through MFA, you add a second layer of security to your users' authentication.
This extra layer raises the bar for an attacker who has obtained a password.
Authentication through MFA combines the user's password with a proof from
another authentication method. Azure MFA safeguards applications and data by
requiring that second proof along with the user's password, and provides
multiple options for the second method; we will see them in the upcoming
sections.
The following are some situations in which MFA is used:
• When an extra layer of security is required for sign-in.
• When a Conditional Access policy requires you to verify your identity.
• When you use self-service password reset to reset your password.
We will see some of these use cases in the upcoming sections.
MFA methods
Here are the available second-factor verification methods:
• Voice call to a registered phone.
• SMS text message containing a verification code.
• Microsoft Authenticator app: push notification approval or a time-based
  verification code.
• OATH hardware token generating a time-based code.
Note that the password itself is the first factor, not a verification method,
and app passwords are not a second factor either: they are long, randomly
generated passwords issued to legacy clients that cannot perform MFA, so each
app password is effectively an MFA bypass for that client and should be avoided
wherever modern authentication is available.
Microsoft has come up with two new features to simplify the user experience in
securing their accounts:
• Passwordless authentication
• Combined security information registration
They are explained as follows:
• Passwordless authentication is popular with users because the password is
  removed and replaced with something you have plus either something you are
  or something you know. Something you have can be a device such as a Windows 10
  PC, a phone, or a security key. Something you are is a biometric such as a
  fingerprint or face. Something you know is a PIN.
  Passwordless authentication has three methods that organizations can use
  depending on their requirement:
  • Windows Hello for Business
  • FIDO2 security keys
  • Microsoft Authenticator app
• Combined security information registration is a simplified way to register for
  MFA and self-service password reset (SSPR) in one go. Earlier, users had to
  register twice, once for MFA and once for SSPR, which was frustrating because
  the steps were nearly the same. Now, users register once and get the benefit
  of both.
Versions of Azure MFA
There are four ways in which Azure MFA is offered:
• Free option: This comes with the default security benefits (security
  defaults) for tenants on Azure AD Free. The free tier has a limit of 500,000
  directory objects.
• MFA for Azure AD administrators: Azure provides this extra layer of security
  free of cost for privileged users such as Azure AD global administrators.
• MFA for Office 365: Since this is part of the Office 365 subscription, it is
  used to protect Office 365 users and is managed from the Office 365 or
  Microsoft 365 portal.
• Azure MFA: This is the full offering, with the maximum set of features. It
  comes with the Azure AD Premium subscriptions.
You can choose the required version based on your business requirement.
Prerequisites to check before setting up MFA
Depending on your environment, check the following prerequisites before enabling Azure MFA:
• Cloud-only identity environment: Azure AD only, with users and directory objects created in the cloud. No additional setup is needed; Azure MFA works without further requirements.
• Hybrid identity environment: users are synchronized from on-premises Active Directory to Azure AD. Before enabling Azure MFA, confirm that Azure AD Connect is deployed and that the users' identities are synchronized from on-premises AD to Azure AD.
Microsoft Azure Security Technologies (AZ-500) - A Certification Guide
• On-premises legacy applications published for cloud access: confirm that Azure AD Application Proxy is deployed.
• Azure MFA with RADIUS authentication: a Network Policy Server (NPS) with the NPS extension for Azure MFA must be deployed to serve the RADIUS authentication requests.
Steps to enable and disable Azure MFA for users
In this section, we will go through the steps to enable and disable Azure MFA for your Azure AD users:
1. Log in to the Azure portal with global administrator privileges and search for Azure Active Directory in the portal search bar.
2. In Azure Active Directory, go to Users and select All users. You will see the Per-user MFA option on this page:
Figure 2.25: Select users in Azure AD
3. Clicking Per-user MFA redirects you to a separate web page where you can select the users for whom you want to enable or disable Azure MFA:
Figure 2.26: Enable Azure MFA for selected users in Azure AD
4. The MFA status can also be updated in bulk. If you do not want to select users one by one, or you need to enable MFA for some users and disable it for others in one operation, upload a CSV and Azure will apply the listed status to each user. Clicking Bulk update opens a box to upload the CSV file:
Figure 2.27: Upload CSV for bulk MFA update in Azure AD
You can download a sample file from the same box. Do not change the column names; fill in only the required values, the username and the desired status, for each user.
Every user starts in the Disabled state. When you enroll a user in Azure MFA, the state changes to Enabled: the user is prompted to register a verification method at the next sign-in. Once an enabled user signs in and completes registration, the state changes to Enforced and every sign-in requires the second factor. Per-user MFA is separate from the Conditional Access policies covered later in this chapter; avoid applying both to the same users, because a user in the Enforced state is prompted regardless of what a policy says.
Configuring Azure MFA settings
Before enabling Azure MFA, let's configure the MFA settings, so that they are already in effect for users once MFA is enabled. You will learn about the available features in Azure MFA, but not all features are available in every version, so choose the version that matches your requirements.
1. To configure Azure MFA, go to Azure Active Directory > Security > Multi-Factor Authentication and click on Additional cloud-based MFA settings:
Figure 2.28: Select the option to configure additional setting for Azure MFA
2. This opens the service settings page, where you can configure app passwords, trusted IPs, the verification options users may register, and the remember multi-factor authentication setting:
Figure 2.29: Fill the Azure MFA settings
• App passwords: Some legacy applications, such as Office 2010 and Apple Mail before iOS 11, do not support multi-factor authentication because they were not designed for it. For these applications, you can allow app passwords, which let the application authenticate without the second factor. An app password is generated automatically and is long and random, but because it bypasses MFA it should be treated as a sensitive secret and issued only where modern authentication is not available. App passwords cannot be used to authenticate to on-premises systems, because they are not known outside the work or school account.
• Trusted IPs: Administrators enable this feature to skip MFA for users who sign in from the company intranet. It works for both managed and federated users, but only when the sign-in originates from the corporate network; if a federated user signs in from outside the intranet, they must complete MFA. You can define up to 50 IP ranges. Azure AD sees the public (egress) address of the sign-in, so the ranges must be the public address ranges of your network, not internal private ranges. This feature is only available in the full version of Azure MFA.
• Verification options: You choose which verification methods are available to your users; when users register, they can pick only from the methods you allowed. The available methods are as follows:
  • Call to phone
  • Text message to phone
  • Notification through mobile app
  • Verification code from mobile app or hardware token
• Remember multi-factor authentication: This feature lets users skip subsequent MFA prompts for a specified number of days after they have successfully signed in on a device using MFA. When the user selects Don't ask again for X days, a persistent cookie is saved in the browser, and the user is not prompted for MFA again until that cookie expires. If the user opens a different browser on the same device or clears the cookie, they are prompted for MFA again.
Non-browser applications such as Outlook, Skype for Business, and Teams support modern authentication, but the Don't ask again for X days option is not shown in them. Azure AD still verifies the token in the background and skips the MFA prompt for X days.
Apart from the preceding settings, there are multiple other settings available on the
Azure MFA home page. You can opt for them based on your requirements and your
Azure MFA version. Let’s go through them one by one to understand them in detail:
• Account lockout: This feature temporarily locks a user's account after repeated failed MFA attempts, such as entering wrong verification codes or PINs. You can set the number of MFA denials that trigger the lockout, the minutes until the denial counter resets, and the minutes until the account is unblocked automatically.
• Block/unblock users: This feature stops a user from receiving MFA requests; any authentication request from a blocked user is denied automatically. By default, the account remains blocked for 90 days.
1. To block a user, go to Multi-Factor Authentication > Block/unblock users.
2. Click on + Add.
3. Enter the username of the user to block as username@domain.com and a comment in the Reason field:
Figure 2.30: Select a user to block
4. Select Add to finish the blocking process.
5. Similarly, to unblock a user, go to Multi-Factor Authentication > Block/unblock users.
6. Select Unblock in the Action column next to the user:
Figure 2.31: Select a user to unblock
7. Enter the reason for unblocking the user:
Figure 2.32: Put a reason of unblocking the user
8. Click on OK to finish the process.
• Fraud alert: This feature allows users to report a fraudulent attempt to access their account or data, for example an MFA prompt they did not initiate:
1. To enable this, go to Multi-Factor Authentication > Fraud alert.
2. Change Allow users to submit fraud alerts to On as shown in the following figure:
Figure 2.33: Enable a fraud alert in Azure MFA
3. Click on Save to save your configuration.
An administrator can review fraud reports in the sign-in logs under Azure Active Directory > Sign-ins. Two related settings are available:
  • Block user when fraud is reported: If this is set, a user who reports fraud is blocked for 90 days or until an administrator unblocks the account. An administrator can review the sign-in activity in Azure AD and take appropriate action to prevent a recurrence.
  • Code to report fraud during initial greeting: When users receive a voice call for the second verification, they normally press # to confirm the sign-in. To report fraud instead, they enter a code before pressing #. By default, this code is 0; you can customize it to any other code.
• Notifications: Here, you configure the email addresses that receive fraud alert emails. Typically, the security administrators should get these notifications:
Figure 2.34: Enable notifications in Azure MFA
• OATH tokens: These are hardware TOTP tokens supplied by vendors such as Token2 and Deepnet Security. You need to register each token against the user who holds it. You can upload a CSV describing multiple tokens at once; its columns are the UPN of the user, the serial number of the token, the secret key (seed) of the token, the time interval (30 or 60 seconds) at which the code refreshes, the manufacturer of the token, and the model of the token. After the upload, each token must be activated by entering the code it currently displays, which confirms that the seed and the clock match:
Figure 2.35: Register OATH tokens in Azure MFA
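The following is an added example (not code from the book) that prepares and checks such a CSV before upload. It assumes the column layout described above, uses constructed users and serial numbers, and includes an RFC 6238 TOTP routine so you can confirm that the seed you are about to upload produces the code the physical token displays, which is what the activation step checks.

```python
"""Build and sanity-check an OATH hardware-token CSV for Azure AD MFA.

This is an added example, not code from the book. The header
'upn,serial number,secret key,time interval,manufacturer,model' is the
column layout the OATH tokens upload expects; the users, serials and
tokens below are constructed sample data. The first seed is the RFC 6238
reference seed so the TOTP routine can be checked against a published
test vector.
"""
import base64
import binascii
import csv
import hashlib
import hmac
import io
import struct
import time

CSV_HEADER = ["upn", "serial number", "secret key", "time interval",
              "manufacturer", "model"]

# RFC 6238 reference seed "12345678901234567890" in base32.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample rows; the second row is deliberately malformed.
SAMPLE_TOKENS = [
    {"upn": "alice@contoso.example", "serial number": "1234567",
     "secret key": RFC6238_SEED, "time interval": "30",
     "manufacturer": "Contoso", "model": "HardwareKey"},
    {"upn": "bob@contoso.example", "serial number": "7654321",
     "secret key": "NOT-BASE32!", "time interval": "45",
     "manufacturer": "Contoso", "model": "HardwareKey"},
]


def decode_base32_secret(secret):
    """Decode a base32 seed, tolerating spaces and missing padding."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def validate_token_row(row):
    """Return the problems with one CSV row; an empty list means it can be uploaded."""
    problems = []
    if set(row) != set(CSV_HEADER):
        problems.append("unexpected columns")
    if "@" not in row.get("upn", ""):
        problems.append("upn is not a user principal name")
    try:
        decode_base32_secret(row.get("secret key", ""))
    except (binascii.Error, ValueError):
        problems.append("secret key is not valid base32")
    if row.get("time interval") not in ("30", "60"):
        problems.append("time interval must be 30 or 60 seconds")
    if not row.get("serial number"):
        problems.append("serial number is empty")
    return problems


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the code the token displays at unix_time."""
    key = decode_base32_secret(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def activation_code_matches(secret_b32, step, displayed_code, now=None):
    """Check the code shown on the physical token against its seed before activating it.

    One step of clock drift in either direction is tolerated, as a verifier would.
    """
    now = int(time.time()) if now is None else now
    return any(totp(secret_b32, now + d * step, step) == displayed_code
               for d in (-1, 0, 1))


def build_csv(rows):
    """Serialise only the valid rows in the upload format; invalid rows are skipped."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_HEADER, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if not validate_token_row(row):
            writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    for row in SAMPLE_TOKENS:
        print(row["upn"], validate_token_row(row) or "ok")
    print(build_csv(SAMPLE_TOKENS), end="")
```

Run the script before uploading: a row whose seed is not valid base32 or whose interval is not 30 or 60 seconds is dropped from the generated file, and `activation_code_matches` lets you check a token's displayed code against its seed, which is the same check the portal's Activate step performs.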
• Phone call settings: Here, you define settings for the voice call, such as the caller ID number, custom greetings, and the language of the greeting message:
  • MFA caller ID number: The number from which users receive the call for the second authentication. Only US numbers are allowed in this field:
Figure 2.36: Set up caller ID number in Azure MFA
  • Custom voice message: Here, you can upload custom greetings for two-step authentication. A recording must not be longer than 20 seconds or larger than 1 MB, and the supported file types are .wav and .mp3. To upload, click on + Add greeting. In the new window, choose the type of message for which you are uploading the recording and the default language in which the greeting is played.
• One-time bypass: This feature allows a user to authenticate once without performing the second-step verification. The bypass is temporary and expires after a specified number of seconds. It is useful when the mobile app or phone does not receive the notification or call; you can grant a one-time bypass so the user can still reach the resource. Because it removes the second factor, verify the user's identity out of band before granting it.
Steps to set up a one-time bypass are as follows:
1. Go to Multi-Factor Authentication > One-time bypass, and click on + Add.
2. Enter the username of the user in the format username@domain.com.
3. Enter the number of seconds for which the bypass should last and the reason for the bypass.
4. Click on OK. The timer starts immediately, and the user needs to sign in before the bypass expires:
Figure 2.37: Set up one-time bypass in Azure MFA
• Caching rules: Here, you set the duration for which re-authentication is not requested after a successful authentication. Once a user has authenticated, Azure MFA does not ask them again until the caching period ends. Caching can be set per user, per application, or per IP address. It is intended for on-premises systems such as VPNs that send several verification requests in quick succession; it is not meant for sign-ins to Azure AD itself. The steps to configure caching are as follows:
1. To enable this, go to Multi-Factor Authentication > Caching rules. Click on + Add.
2. Select the cache type from the drop-down and enter the maximum number of seconds.
3. Click on OK.
Figure 2.38: Set up caching rules in Azure MFA
In this section, we studied Azure MFA: what it is, the features it provides, and how to configure it for a user. We also saw the different versions of Azure MFA with their capabilities.
Azure AD conditional access
Conditional Access is the modern identity and access management tool used by Azure AD. It brings multiple signals together to make decisions and enforce organizational policies. Conditional Access policies are, at their simplest, if-then statements: if a user wants to access a resource, then they must complete an action or meet some requirements. For example, if a user is a global administrator in the Azure tenant, then they must go through MFA to sign in to the Azure portal.
Conditional Access policies are evaluated and enforced after first-factor authentication has completed. Conditional Access is not intended as an organization's first line of defense, for instance against denial-of-service attacks; it uses the signals from such events to make its decisions. To use this feature, you need an Azure Active Directory Premium P1 license. You need to be a global administrator, security administrator, or Conditional Access administrator to create and manage Conditional Access policies.
Building components of Azure AD conditional
access policy
As explained in the preceding section, a policy is an if-then statement. A Conditional Access policy can be divided into two parts:
• Assignments: Here, you define the target: to whom, to what, and from where. It decides for whom the policy applies, what condition is evaluated, and where the access request is coming from:
  • Users and groups: Define who is included in or excluded from the policy. The assignment can include all users, specific groups of users, directory roles, or external guest users.
  • Cloud apps or actions: Define which cloud apps and user actions are included in or excluded from the policy.
  • Conditions: Define the conditions of the policy; a policy can have multiple conditions. The different conditions are covered in the upcoming sections.
• Access controls: Here, you define the action taken when the assignments match. You can control access based on whether the conditions are met:
  • Block access: Blocks access under the specified conditions. Be careful before enforcing this; it can lock you out as well.
  • Grant access: Allows access, but enforces one or more of the following controls. As an administrator, you choose which of them to require:
    • Require MFA
    • Require a device to be marked as compliant
    • Require hybrid Azure AD joined device
    • Require an approved client app
    • Require an app protection policy
  • Session: Here, rather than blocking, you limit what the user can do within the session. For example, a user who does not meet a condition can still sign in but gets limited, read-only access to content instead of being able to modify it.
Available conditions in Azure AD conditional
access
The "when this happens" part of a policy is the condition, and the "then do this" part is the access control; the combination of the two is a Conditional Access policy. Only the conditions you configure are evaluated; conditions you have not configured do not restrict the policy. Let's see the available conditions and how you can use them:
• Users and groups: The Users and groups assignment is mandatory in a Conditional Access policy. In your policy, you can either select All users or select specific users and groups:
Figure 2.39: Set up users to be included for Azure AD conditional access
When you select All users, the policy applies to all users in the directory, including guest users.
When you select Select users and groups, you can set the following options:
  • All guest users (preview): Targets the policy at B2B guest users. This condition matches any user account that has the userType attribute set to guest. Use this setting when a policy needs to apply as soon as the account is created in an invite flow in Azure AD.
  • Directory roles (preview): Targets the policy based on a user's role assignment in Azure AD, such as security administrator, global administrator, user administrator, or password administrator.
  • Users and groups: Targets specific sets of users and/or groups. For example, you can select a group that contains all members of the accounts department when an accounting app is selected as the cloud app. A group can be any type of group in Azure AD, including dynamic or assigned security and distribution groups.
You can also exclude specific users or groups from a policy. One common use case is service accounts, if your policy enforces MFA.
• Cloud apps or actions: The Cloud apps or actions assignment is also mandatory in a Conditional Access policy. In your policy, you can either select All cloud apps or specify apps with Select apps. When you choose:
  • All cloud apps: The policy applies across the entire organization's applications. Choose this when the policy should apply to everything.
  • Select apps: The policy targets specific services. For example, you may require users to have a compliant device to access Microsoft Teams or Outlook. Such a policy also applies to other services when they access Outlook (Exchange) content.
• Sign-in risk: A user's credentials may have been compromised, and an unauthorized person may try to sign in from an unfamiliar location or device. To prevent unauthorized access, Azure AD calculates a sign-in risk from signals such as the user's usual sign-in locations, devices, and times. This calculation happens during the user's sign-in process. There are four risk levels, and you can choose among them when applying a Conditional Access policy:
  • High
  • Medium
  • Low
  • No risk
You can block access for high-risk sign-ins, or require the second factor for high and medium risk sign-ins. Azure AD Identity Protection (which requires Azure AD Premium P2) must be enabled to use this feature.
• Device platforms: You can control access based on the device's operating system, allowing some platforms and blocking others.
• Device state: You can control access based on whether the device is compliant. You would not want users to access your apps or infrastructure from an unpatched device, a device that does not meet your anti-virus requirements, or a device that is not part of your domain.
• Locations: You can define a condition on where the connection is attempted from. You can select:
  • Any location: All networks, including your intranet and extranet.
  • All trusted locations: The named locations you marked as trusted, which may be your office network IP ranges, countries, or regions.
  • Selected locations: Specific named locations, which may be your office network IP ranges or selected public IPs.
• Client apps: You can apply the policy based on the type of client application, such as browser apps, mobile apps, or desktop clients.
Azure AD conditional access report only mode
As mentioned in earlier sections, you need to be careful when applying a policy; if the conditions or the audience are wrong, it may block your own access. You do not want to end up blocking genuine, compliant users, and sometimes the target audience is not yet confirmed.
To avoid this, you want to be sure about the users, groups, and applications to which the policy will apply and what the policy should enforce. Report-only mode allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. With a policy in Report-only mode, Conditional Access does not restrict any user's access; it only records what the policy would have done. You can see these results in Azure Active Directory > Sign-ins (under the Monitoring section), on the Report-only tab of each sign-in. Report-only mode produces four kinds of result:
• Report-only: Success: All configured policy conditions and the required non-interactive grant controls were satisfied for the sign-in.
• Report-only: Failure: All configured policy conditions were satisfied, but not all of the required non-interactive grant controls (for example, a compliant device) were satisfied.
• Report-only: User action required: All configured policy conditions were satisfied, but user action (such as completing MFA) would be required to satisfy the required grant controls.
• Report-only: Not applied: Not all configured policy conditions were satisfied, so the sign-in was out of the policy's scope. For example, the user is excluded from the policy, or the policy only applies to certain trusted named locations.
Azure AD Conditional Access What If tool
Like Report-only mode, What If is a testing tool; it helps you determine the impact of specific policies on a specific user. So, as an administrator, you can find out what would happen if a certain policy were applied to you. You certainly would not want to block your own or other administrators' access by applying the wrong policy.
This tool saves you from signing in repeatedly as test users while checking the impact of a policy: it simulates the user's sign-in and produces a simulation report that lists every policy that applies to that user.
To start a simulation, first describe the scenario:
1. Go to Azure Active Directory > Security > Conditional Access and select What If on the Conditional Access home page:
Figure 2.40: Set up What-if in Azure AD conditional access
2. Fill in the fields that describe the sign-in to simulate. User is the only mandatory field, and you can select only one user per simulation; the optional fields, such as cloud app, IP address, device platform, and sign-in risk, describe the scenario. Once the evaluation is complete, you will see the report. The report lists all the policies that will apply to the user, all the policies that will not apply, and an indicator that shows whether you have any classic policies in your environment:
Figure 2.41: See the applied conditional access policies
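To make the Report-only results and the What If output concrete, here is an added example (not code from the book) that evaluates policies shaped like the Microsoft Graph conditionalAccessPolicy resource against constructed sign-in events and classifies each into the four Report-only results. The user, group and role identifiers are placeholders, not real tenant IDs, and the sign-ins are constructed.

```python
"""Simulate how Report-only mode and the What If tool evaluate Conditional
Access policies, over constructed sign-in events.

This is an added example, not code from the book. Policies follow the shape
of the Microsoft Graph conditionalAccessPolicy resource (conditions.users,
conditions.applications, grantControls, state); the policies, users, group
and role identifiers and sign-ins are constructed sample data, not a real
tenant's configuration. Result names mirror the portal's Report-only
results: Success, Failure, User action required and Not applied.
"""

# "All" is the sentinel Graph uses for all users / all cloud apps.
POLICIES = [
    {
        "displayName": "Require MFA for admins",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": ["breakglass-1"],
                      "includeGroups": [], "excludeGroups": [],
                      "includeRoles": ["global-admin-role"], "excludeRoles": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block sales from Exchange",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": [],
                      "includeGroups": ["sales"], "excludeGroups": [],
                      "includeRoles": [], "excludeRoles": []},
            "applications": {"includeApplications": ["exchange-app"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# Constructed sign-ins: who signed in, to what, and which grant controls the
# session has already satisfied (an MFA claim, a compliant device, ...).
SIGN_INS = [
    {"user": "alice", "groups": ["it"], "roles": ["global-admin-role"], "app": "teams", "satisfied": ["mfa"]},
    {"user": "bob", "groups": [], "roles": ["global-admin-role"], "app": "teams", "satisfied": []},
    {"user": "breakglass-1", "groups": [], "roles": ["global-admin-role"], "app": "portal", "satisfied": []},
    {"user": "carol", "groups": ["sales"], "roles": [], "app": "exchange-app", "satisfied": []},
]

# Controls the user can satisfy interactively during the sign-in.
INTERACTIVE_CONTROLS = {"mfa"}


def user_in_scope(users, event):
    included = (users["includeUsers"] == ["All"]
                or event["user"] in users["includeUsers"]
                or any(g in users["includeGroups"] for g in event["groups"])
                or any(r in users["includeRoles"] for r in event["roles"]))
    excluded = (event["user"] in users["excludeUsers"]
                or any(g in users["excludeGroups"] for g in event["groups"])
                or any(r in users["excludeRoles"] for r in event["roles"]))
    return included and not excluded


def app_in_scope(apps, event):
    included = apps["includeApplications"] == ["All"] or event["app"] in apps["includeApplications"]
    return included and event["app"] not in apps["excludeApplications"]


def evaluate(policy, event):
    """Report-only style result of one policy for one sign-in."""
    if (policy["state"] == "disabled"
            or not user_in_scope(policy["conditions"]["users"], event)
            or not app_in_scope(policy["conditions"]["applications"], event)):
        return "notApplied"
    controls = policy["grantControls"]["builtInControls"]
    if "block" in controls:
        return "failure"
    met = {c: c in event["satisfied"] for c in controls}
    satisfied = all(met.values()) if policy["grantControls"]["operator"] == "AND" else any(met.values())
    if satisfied:
        return "success"
    unmet = {c for c, ok in met.items() if not ok}
    # Failure means a non-interactive control (e.g. compliant device) is missing;
    # if everything missing can be satisfied by the user, it is User action required.
    return "userActionRequired" if unmet <= INTERACTIVE_CONTROLS else "failure"


def what_if(policies, event):
    """What If view: each policy and how it would evaluate for this one sign-in."""
    return {p["displayName"]: evaluate(p, event) for p in policies}


def report_only_summary(policies, events):
    """Report-only view: result counts per report-only policy over the sign-ins."""
    summary = {}
    for p in policies:
        if p["state"] != "enabledForReportingButNotEnforced":
            continue
        counts = summary.setdefault(p["displayName"], {})
        for e in events:
            r = evaluate(p, e)
            counts[r] = counts.get(r, 0) + 1
    return summary


if __name__ == "__main__":
    print(report_only_summary(POLICIES, SIGN_INS))
    for e in SIGN_INS:
        print(e["user"], what_if(POLICIES, e))
```

The two views use the same evaluation: `what_if` answers "which policies would hit this one sign-in", and `report_only_summary` aggregates the same answer across many sign-ins, which is what you read off the sign-in logs while a policy is in Report-only mode. Note how the excluded break-glass account and the non-admin user both come out as Not applied, while an admin who has not yet done MFA is User action required rather than Failure.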
Service dependencies in Azure AD Conditional
Access
Many Microsoft apps access, or depend on, other services. Let's understand this with an example. You use Microsoft Teams, but from Teams you can directly access other applications and services such as Planner, Skype for Business, SharePoint, and Exchange. Suppose you have set up a policy that requires MFA for anyone accessing Exchange. Although you are not signing in to Exchange directly, only to Teams, you still have to go through MFA, because you are subject to the Exchange MFA policy.
Policy enforcement can happen in two ways, depending on the relationship between the calling app and the downstream apps:
• Early-bound policy enforcement means a user must satisfy the dependent service's policy before accessing the calling app. For example, a user must satisfy the Exchange MFA policy before signing in to Teams.
• Late-bound policy enforcement occurs after the user signs in to the calling app. Enforcement is deferred until the calling app requests a token for the downstream service. For example, there is no need to go through MFA until you actually access Exchange content from Teams; for Teams alone you are not prompted, but when Teams requests Exchange on your behalf, you are prompted for MFA.
Set up location-based Azure AD
Conditional Access
The location condition of a Conditional Access policy lets you tie access controls to the network location of your users. The use cases for this condition are as follows:
• Allow users to sign in without MFA from specified locations.
• Block access when the connection is established from a specific country or region.
• Require MFA when the user accesses services from outside the office network.
Let's follow the given steps to set up a location-based condition:
1. Log in to the Azure portal and go to Azure Active Directory.
2. Click on Security under the Manage section.
3. Click on Conditional Access under the Protect section.
4. Click on Named locations. A new window opens with three options: Countries location, IP ranges location, and MFA trusted IPs. With Countries location, you choose countries to mark as trusted or untrusted; a sign-in's country is determined either from its IP address or from GPS coordinates. With IP ranges location, you mark trusted and untrusted locations by their public IP address ranges. With MFA trusted IPs, you enter the public (egress) IP address ranges of your office network from which MFA can be skipped; Azure AD never sees your internal private addresses, so those cannot be used here.
5. Now click on + Countries location to set up a named location based on countries.
Figure 2.42: Set named location based on countries
A new window opens where you give the new location a name and choose between IP address and GPS coordinates to determine the country. Then select the countries from the list that you want to mark as trusted or untrusted. As shown in the preceding figure, I chose the United States and the United Kingdom as trusted countries, identified by their IP addresses.
Determining location by GPS coordinates collects the location of the user's mobile device, where they run the Microsoft Authenticator app. When you choose Determine location by GPS coordinates, the user must have the Microsoft Authenticator app installed on their mobile device.
6. Click on + IP ranges location to set up a named location based on public IP addresses.
Figure 2.43: Set named location based on IP addresses
A new window opens where you enter the public IP address ranges to mark as trusted or untrusted. Here I am entering the public IP of my VPN device and checking the box Mark as trusted location to trust any network traffic coming from this address range.
7. Click on Configure MFA trusted IPs to set up the trusted IP ranges used to skip MFA.
Figure 2.44: Set trusted IP addresses in Azure MFA
This opens the MFA service settings page, where you enter the public IP address ranges of your network.
8. Once you have created the named locations, click on Policies and then + New policy.
9. Fill in the required fields as shown in the following figure:
Figure 2.45: Set up Azure AD conditional access policy based on the trusted location
• Name: Name of this Conditional Access policy.
• Users and groups: Select the users or groups to include in or exclude from this policy.
• Cloud apps or actions: Select the cloud apps to include in or exclude from this policy.
• Conditions: Select the conditions for which the policy applies. Azure AD Conditional Access supports several conditions: User risk, Sign-in risk, Device platforms, Locations, Client apps, Device state, and Filter for devices. For this policy, set Locations to include Any location and exclude All trusted locations, so that only sign-ins from outside your trusted locations are affected.
• Grant: Set the access control for the selected users and groups, either grant (for example, requiring MFA) or block.
• Session: Optionally set session controls such as a persistent browser session.
10. Click on Create.
The location-based conditional access policy is successfully created and applied to
selected users.
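As an added example (not code from the book), the following Python models named locations as CIDR ranges and evaluates the Locations condition offline, covering both the trusted IPs setting from the MFA service settings and the location-based policy built above. The ranges, addresses and policies are constructed sample data, and the checker flags the mistake of entering internal private ranges as trusted IPs, which Azure AD would never match.

```python
"""Evaluate the Locations condition of a Conditional Access policy offline.

This is an added example, not code from the book. Named locations are
modelled as the CIDR ranges you would enter under Named locations or
MFA trusted IPs. The ranges, addresses and policies below are constructed
sample data; the documentation prefixes (203.0.113.0/24 and so on) stand in
for an organisation's real public egress ranges.
"""
import ipaddress

# Address space that never reaches Azure AD as a source address: RFC 1918,
# loopback, link-local and IPv6 unique local. Trusted ranges must not be here.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128")]

MAX_TRUSTED_RANGES = 50  # limit on trusted IP ranges noted in the text

# Constructed named locations.
NAMED_LOCATIONS = {
    "HQ egress": {"ranges": ["203.0.113.0/24"], "trusted": True},
    "VPN egress": {"ranges": ["198.51.100.10/32", "2001:db8:10::/48"], "trusted": True},
    "Partner DC": {"ranges": ["192.0.2.0/24"], "trusted": False},
}

# Constructed policies in the shape of the portal's Locations condition.
MFA_OUTSIDE_OFFICE = {"include": "Any location", "exclude_trusted": True,
                      "exclude": [], "grant": "mfa"}
BLOCK_PARTNER_DC = {"include": ["Partner DC"], "exclude_trusted": False,
                    "exclude": [], "grant": "block"}


def is_internal(net):
    return any(net.subnet_of(r) for r in INTERNAL_RANGES if r.version == net.version)


def check_named_locations(locations):
    """Misconfigurations to fix before saving; an empty list means the set is sane."""
    problems = []
    trusted_count = 0
    for name, loc in locations.items():
        for cidr in loc["ranges"]:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{name}: '{cidr}' is not a valid CIDR range")
                continue
            if loc["trusted"]:
                trusted_count += 1
                if is_internal(net):
                    problems.append(f"{name}: trusted range {cidr} is internal; "
                                    "Azure AD only sees the public egress address")
    if trusted_count > MAX_TRUSTED_RANGES:
        problems.append(f"{trusted_count} trusted ranges exceed the limit of {MAX_TRUSTED_RANGES}")
    return problems


def match_location(ip, locations):
    """Name of the first named location containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, loc in locations.items():
        for cidr in loc["ranges"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == addr.version and addr in net:
                return name
    return None


def evaluate_location_policy(ip, locations, policy):
    """Return "mfa", "block" or "allow" for a sign-in from ip.

    policy["include"] is "Any location", "All trusted locations" or a list of
    named locations; "exclude_trusted" and "exclude" mirror the Exclude tab.
    """
    name = match_location(ip, locations)
    trusted = name is not None and locations[name]["trusted"]
    inc = policy["include"]
    in_scope = (inc == "Any location"
                or (inc == "All trusted locations" and trusted)
                or (isinstance(inc, list) and name in inc))
    if (policy.get("exclude_trusted") and trusted) or name in policy.get("exclude", []):
        in_scope = False
    return policy["grant"] if in_scope else "allow"


if __name__ == "__main__":
    print(check_named_locations(NAMED_LOCATIONS) or "named locations look sane")
    for ip in ("203.0.113.7", "198.51.100.11", "2001:db8:10::5", "192.0.2.9"):
        print(ip, evaluate_location_policy(ip, NAMED_LOCATIONS, MFA_OUTSIDE_OFFICE),
              evaluate_location_policy(ip, NAMED_LOCATIONS, BLOCK_PARTNER_DC))
```

`MFA_OUTSIDE_OFFICE` is the include Any location / exclude All trusted locations shape from the policy above: a sign-in from the HQ or VPN egress range is allowed without the second factor, while an address one off the VPN /32 falls outside every trusted range and gets the MFA prompt. Run `check_named_locations` on your own set before saving; a trusted entry such as 10.0.0.0/8 is reported because no sign-in ever arrives at Azure AD from that source.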
Set up Azure AD Conditional Access to
enforce MFA for administrators
Administrator accounts are highly critical entities in Azure AD and are the most frequently targeted by attackers. You can significantly reduce the risk by enforcing MFA for administrators.
You can choose which administrator roles to include based on your requirements, but it is recommended that you include at least the following roles:
• Global administrator
• SharePoint administrator
• Exchange administrator
• Conditional Access administrator
• Security administrator
• Helpdesk administrator
• Password administrator
• Billing administrator
• User administrator
It is recommended that you exclude your emergency access or break-glass accounts to prevent a tenant-wide lockout. In the unlikely event that all administrators are locked out of your tenant, the emergency-access administrative account can be used to sign in and recover access.
You will likely also want to exclude service accounts and service principals from this policy. Service accounts are not associated with any user; they run services programmatically, mostly from code and scripts, and therefore cannot respond to an MFA prompt. Azure offers managed identities for this purpose; where possible, replace service accounts that hold passwords with managed identities, which have no credential for you to manage and so need no MFA exclusion.
Create the Conditional Access policy to
enforce MFA for administrators
It is recommended that you enable MFA for highly privileged accounts such as administrators. Let's follow the given steps to enforce Azure MFA for Azure AD administrative accounts through Conditional Access:
1. Log in to the Azure portal with the required role and go to Azure Active Directory.
2. Go to Security (under the Manage section) > Conditional Access (under the Protect section).
3. Click on Policies and then + New policy.
4. Fill in the required details as shown in the following figure:
Figure 2.46: Set up Azure AD conditional access policy for administrators
• Name: Name of the Conditional Access policy.
• Users and groups: Under Include, choose Select users and groups and then Directory roles. This opens a drop-down of all available directory roles; select the required roles from the list. Then go to Exclude, select Users and groups, and choose your organization's emergency access or break-glass accounts. Click on Done.
• Cloud apps or actions: Under Include, select All cloud apps. Click on Done.
• Conditions: No condition is needed here, because the scope is already defined by the directory roles.
• Under Access controls > Grant, select Grant access and Require multi-factor authentication, then click on Select.
5. Set Enable policy to Report-only first and review the results in the sign-in logs; once you have confirmed that only the intended accounts are affected, set it to On to enforce the policy.
In this section, we saw how to enable Azure MFA for administrative directory roles
through Conditional Access.
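The policy built in the preceding steps, expressed as the JSON body Microsoft Graph accepts, with a preflight check for the break-glass exclusion and the report-only state recommended in this section. This is an added example, not code from the book; the break-glass object ID is a constructed placeholder, the three role template IDs are the published Azure AD values, and nothing is sent to the tenant.

```python
"""Build the Conditional Access policy from this section as the request body
Microsoft Graph accepts, and run the preflight checks the section's guidance
implies before enabling it.

This is an added example, not code from the book. The body has the shape of
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies; it
is only serialised here, no request is sent. The three role template IDs
are the published Azure AD role template IDs for those roles; the break-glass
object ID is a constructed placeholder.
"""
import json

# Published role template IDs for three of the roles the text recommends.
# Look up the rest with GET /directoryRoleTemplates on your tenant.
ROLE_TEMPLATE_IDS = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Conditional Access Administrator": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
}

# Constructed placeholder for the emergency-access account's object ID.
BREAK_GLASS_OBJECT_IDS = ["11111111-2222-3333-4444-555555555555"]

REPORT_ONLY = "enabledForReportingButNotEnforced"


def admin_mfa_policy(roles, break_glass_ids, state=REPORT_ONLY):
    """Policy requiring MFA for the given admin roles, excluding break-glass accounts."""
    unknown = [r for r in roles if r not in ROLE_TEMPLATE_IDS]
    if unknown:
        raise ValueError(f"no role template ID known for {unknown}")
    return {
        "displayName": "Require MFA for administrators",
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": [ROLE_TEMPLATE_IDS[r] for r in roles],
                "excludeUsers": list(break_glass_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def preflight(policy):
    """Findings that should be resolved before the policy is enabled; empty means go."""
    findings = []
    conditions = policy["conditions"]
    users = conditions["users"]
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if not users.get("excludeUsers"):
        findings.append("no break-glass account is excluded; a mistake here can lock every administrator out")
    if ("block" in controls
            and users.get("includeUsers") == ["All"]
            and conditions["applications"].get("includeApplications") == ["All"]):
        findings.append("policy blocks all users from all cloud apps")
    if not controls and not policy.get("sessionControls"):
        findings.append("policy has no grant or session controls, so it does nothing")
    if policy["state"] == "enabled":
        findings.append("state is 'enabled'; create it in report-only mode and review the sign-in logs first")
    return findings


def policy_json(policy):
    """The JSON body you would send to Graph (or pass as -BodyParameter to New-MgIdentityConditionalAccessPolicy)."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = admin_mfa_policy(list(ROLE_TEMPLATE_IDS), BREAK_GLASS_OBJECT_IDS)
    print(policy_json(policy))
    print(preflight(policy) or "preflight passed")
```

The checks are deliberately conservative: a policy with no excluded users, or one created directly in the enabled state, is reported so that the break-glass exclusion and the report-only review described above are never skipped by a script that automates policy creation.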
Set up Azure AD terms of use
You will have seen prompts that ask you to accept terms before you can proceed to a tool or web page. You can require users to accept your terms before they access your applications, and you can set this up for your organization through Azure AD Conditional Access Terms of Use. The following are a few use cases for terms of use:
• Require employees or guests to accept your terms of use before getting access.
• Require employees or guests to accept your terms of use on every device before getting access.
• Require employees or guests to accept your terms of use on a recurring schedule.
• Present general terms of use to all users in your organization.
You will need Azure Active Directory Premium P1 or P2, or EMS E3 or E5. You will need the access level of a global administrator, security administrator, or Conditional Access administrator.
Azure AD terms of use presents the content as a PDF document. For readability on mobile devices, the recommended font size is 24 points.
Set up Azure AD terms of use
Follow the given steps to set up your own terms of use:
1. Prepare a PDF document with your terms, which you want users to accept.
2. Log in to the Azure portal with proper access.
3. Go to Conditional Access and click on Terms of use.
4. Here, you have multiple options; click on + New terms.
5. Fill in the required information as shown in the following figure:
Figure 2.47: Set up terms of use in Azure AD conditional access
• Name: This is the name of the terms of use. It is used only inside the Azure portal to manage the terms.
• Display name: This name will be visible to end users when they sign in.
• Terms of use document: Upload the PDF document that contains the terms of use, which the end user must accept. You can select multiple versions of the terms of use document in different languages. The document will be shown to the end user in his or her preferred language, which is taken from the browser settings.
• Require users to expand the terms of use: Set it On if you want users to see the terms before accepting them.
• Require users to consent on every device: Set it On if you want users to accept the terms on every device from which they access the application.
• Expire consents: If you want to renew the terms periodically and set an expiry date for every version, you can set it here.
• Expire starting on: The date from which the expiry period starts.
• Frequency: The period after the Expire starting on date at which the consent expires. For example, if you set 15 April 2020 as the expiry start date and select Bi-annually as the frequency, the consent will expire on 15 October 2020.
• Duration before re-acceptance required (days): The interval at which the user must re-accept the consent. If you choose 30 days, the user must re-accept the consent every 30 days after the previous acceptance.
• Enforce with conditional access policy templates: If you want to assign these terms of use to certain users or groups, or based on another condition such as location or device type, you can define that here.
6. Click on Create.
On the Terms of use page, you can see audit logs showing how many users accepted or
declined the terms, and which users accepted or declined them.
VPN connectivity in Azure AD Conditional Access
This is a new feature in Azure AD Conditional Access. Consider a scenario where you
have a VPN device configured in your environment and users connect to the office
network through that VPN device. You can now set up a Conditional Access policy for
the users who try to connect to the VPN device to access your office network.
To configure this, you need to create a certificate in the VPN connectivity section of
Azure AD Conditional Access. This certificate is uploaded to the VPN device. Then,
while creating the Conditional Access policy, you can define that selected users who
try to connect to the VPN device are asked to go through Azure MFA.
Azure AD Identity Protection
An attack on users’ identities is one of the biggest threats and challenges for security
administrators. Azure AD Identity Protection helps organizations analyze their users’
sign-in behavior and any threat associated with it. Identity Protection correlates
sign-in signals captured from other Microsoft tools and applications, such as
Azure AD and users’ Microsoft account logins. Microsoft analyzes 6.5 trillion
signals per day to protect customers from threats. The signals generated by Identity
Protection can be fed to any SIEM tool for further investigation or can be used
to set up a Conditional Access policy.
You will require the Azure Active Directory Premium P2 license to get full
functionality of Identity Protection. You need a global administrator, global reader,
security administrator, security operator, or security reader access to work on the
identity protection feature.
Let’s deep dive to understand different components, features, and capabilities of
Identity Protection.
Azure AD Identity Protection dashboard or security overview
The dashboard gives you insight into your organization’s security posture. It
analyzes your security policies, reports how effective they are, and highlights
potential attacks. The dashboard has trend charts with wide timelines showing risky users
and sign-ins, and tiles showing the current risk level of users:
Figure 2.48: Azure AD Identity Protection dashboard
Configuring Secure Access by Using Azure Active Directory
Let’s understand how to read this dashboard:
• New risky users detected: This chart shows the number of new risky users that were detected over the chosen time period. You can filter the view of this chart by the user risk level (low, medium, high) and by time period. If you click on this chart, you will be redirected to the Risky users report.
• New risky sign-ins detected: This chart shows the number of risky sign-ins detected over the chosen time period. You can apply filters to view this chart by the sign-in risk type (real-time or aggregate) and the sign-in risk level (low, medium, high). Unprotected sign-ins are successful real-time risky sign-ins that were not MFA challenged. If you click on this chart, you will be redirected to the Risky sign-ins report.
• High risk users: This tile shows the latest count of users with a high probability of identity compromise. Investigating these users’ identities should be a top priority. If you click on the tile, you will be redirected to a filtered view of the Risky users report showing only users with a high risk level.
• Medium risk users: This tile shows the latest count of users with a medium probability of identity compromise. If you click on the Medium risk users tile, you will be redirected to a filtered view of the Risky users report showing only users with a medium risk level.
• Unprotected risky sign-ins: This tile shows the last week’s count of successful, real-time risky sign-ins. These are potentially compromised logins that were successful and were not MFA challenged by a Conditional Access policy. To protect such sign-ins in future, apply a sign-in risk policy. To set one up, click on the Unprotected risky sign-ins tile; it redirects you to the sign-in risk policy configuration blade where you can configure the sign-in risk policy.
• Legacy authentication: This tile shows the last week’s count of legacy authentications in your organization. Legacy authentication protocols do not support modern security methods such as MFA. To prevent legacy authentication, you can apply a Conditional Access policy. If you click on the Legacy authentication tile, you will be redirected to the Identity Secure Score.
• Identity Secure Score: The Identity Secure Score measures and compares your security posture to industry patterns. You can get more details about how to improve your security posture by clicking on the Identity Secure Score tile.
Types of risk identified by Azure AD Identity Protection
Azure AD Identity Protection helps organizations identify and act on any suspicious
user sign-in activity. Two types of risk are identified: sign-in risk and user risk.
Detections can run in real time or offline. Let’s understand the risk types
and their respective detections in depth.
Sign-in risk
Sign-in risk indicates the probability that a given authentication request is not coming from
the authorized user. Azure AD Identity Protection calculates the risk using Microsoft’s
intelligence sources in the customer’s environment, security teams at Microsoft, and
other trusted sources.
Real-time detection types
In this detection type, Azure scans users’ authentication requests in real time while
the action is happening:
• Anonymous IP address: The anonymous IP address risk detection type indicates sign-ins from an anonymous IP address (for example, the Tor browser or an anonymous VPN). These IP addresses are typically used by attackers who want to hide their login details, such as IP address, location, device, MAC address, and so on, for potentially malicious activities.
• Unfamiliar sign-in properties: The unfamiliar sign-in properties risk detection type considers past sign-in history (IP, location’s latitude/longitude) to look for anomalous sign-ins. The system stores information about the locations a user previously signed in from and considers them familiar locations. A risk detection is triggered when a sign-in occurs from an unfamiliar location, that is, a location that is not already in the list of familiar locations.
For a period after creation, new users are in learning mode, in which unfamiliar sign-in properties risk detections are turned off. In learning mode, the algorithms learn the user’s sign-in behavior. The learning mode duration is dynamic and depends on how much time it takes for the algorithm to gather enough information about the user’s sign-in patterns. The minimum duration of the learning mode is five days.
Offline detection types
In the offline detection type, Azure evaluates users’ sign-in behavior against their past
authentication history. Here are a few of the detections performed in the
offline detection mode:
• Atypical travel: The atypical travel risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical or unfamiliar for the user given their past behavior. Among several other factors, this learning algorithm considers the time between the two sign-ins and the time it would have taken the user to travel from the first location to the second. If the time between two sign-ins from different locations is plausible for real travel, it indicates that the same user is signing in from different locations.
• Malware linked IP address: The malware linked IP address risk detection type indicates sign-ins from IP addresses infected with malware. Such an IP is known to actively communicate with a bot server set up by Microsoft; Microsoft has deployed bot servers to detect malware activity. This detection is determined by comparing the IP addresses of the user’s device against IP addresses that were in contact with a bot server while the bot server was active.
• Admin confirmed user compromised: This detection indicates that an administrator has marked a user as confirmed compromised.
• Malicious IP address: The malicious IP address detection indicates a sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates caused by multiple invalid credentials received from that IP address.
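The two offline detections above (atypical travel and unfamiliar sign-in properties) can be understood as simple rules over a user's sign-in history. The following is an added illustration of that logic and is not Azure AD Identity Protection code: the speed threshold, the familiar-location radius, the user name, the IP addresses and the coordinates are constructed assumptions, while the five-day minimum learning mode comes from the text above.

```python
"""Offline sign-in risk detections modelled on the atypical travel and unfamiliar
sign-in properties detections described above.  Added illustration, not Azure AD
Identity Protection code: thresholds, user, IPs and coordinates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed tunables; Microsoft's real detection parameters are not public.
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # faster than an airliner: the user cannot have travelled
FAMILIAR_RADIUS_KM = 100.0           # a sign-in this close to a past location counts as familiar
LEARNING_PERIOD = timedelta(days=5)  # the page gives five days as the minimum learning mode


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def atypical_travel(previous: SignIn, current: SignIn) -> bool:
    """True when the distance between two consecutive sign-ins could not have been
    covered in the time between them (the implied travel speed is implausible)."""
    distance = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
    hours = (current.when - previous.when).total_seconds() / 3600.0
    if hours <= 0:
        return distance > FAMILIAR_RADIUS_KM  # simultaneous sign-ins from different places
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH


def unfamiliar_location(history: list, current: SignIn, first_seen: datetime) -> bool:
    """True when the sign-in is not near any previously seen location, unless the
    account is still in learning mode (no detections for at least five days)."""
    if current.when - first_seen < LEARNING_PERIOD:
        return False
    return not any(
        haversine_km(h.lat, h.lon, current.lat, current.lon) <= FAMILIAR_RADIUS_KM
        for h in history
    )


def evaluate(signins: list) -> list:
    """Run both detections over one user's sign-ins in time order.
    Returns a list of (sign-in, [detection names]) for every flagged sign-in."""
    ordered = sorted(signins, key=lambda s: s.when)
    first_seen = ordered[0].when
    findings = []
    for i in range(1, len(ordered)):
        history, current = ordered[:i], ordered[i]
        hits = []
        if atypical_travel(history[-1], current):
            hits.append("atypicalTravel")
        if unfamiliar_location(history, current, first_seen):
            hits.append("unfamiliarFeatures")
        if hits:
            findings.append((current, hits))
    return findings


# Constructed sample: ten daily sign-ins from Pune, one nearby sign-in from Mumbai
# during learning mode, then a London sign-in one hour after a Pune sign-in.
USER = "alice@contoso.example"
SAMPLE_SIGNINS = [
    SignIn(USER, datetime(2020, 4, 1, 9, 0) + timedelta(days=d), "203.0.113.10", 18.52, 73.86)
    for d in range(10)
] + [
    SignIn(USER, datetime(2020, 4, 3, 18, 0), "198.51.100.7", 19.08, 72.88),
    SignIn(USER, datetime(2020, 4, 10, 10, 0), "192.0.2.55", 51.51, -0.13),
]

if __name__ == "__main__":
    for signin, hits in evaluate(SAMPLE_SIGNINS):
        print(signin.when.isoformat(), signin.ip, ", ".join(hits))
```

Running the sample flags only the London sign-in, for both detections: Pune to London in one hour is impossible, and London is nowhere near a familiar location. The Mumbai sign-in is about 120 km from Pune but falls inside the learning period, so it generates nothing, which is the behaviour the text describes for newly created users.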
User risk
User risk indicates that a user’s account is compromised. The following are the
methods through which Azure AD identifies the risky user:
• Leaked credentials: As the name indicates, the leaked credentials risk detection type indicates that a user’s valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, they often share those credentials over various platforms. They typically share them by posting publicly on the dark web or paste sites, or by trading and selling the credentials on the black market. The Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources; these are checked against Azure AD users’ current valid credentials to find valid matches.
• Azure AD threat intelligence: The Azure AD threat intelligence risk detection type indicates user activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft’s internal and external threat intelligence sources.
Administrators cannot dismiss or remediate a risky B2B collaboration
user in their resource directory. This loss of functionality is due to
administrators in the resource directory not having access to the B2B
user’s home directory.
Azure AD Identity Protection simulate risk detection
As a security administrator, you may want to simulate the policies before rolling them
out to users. For this simulation, you need to generate test risk data. In this
section, you will learn how to set up a simulation environment and get the test
data.
You can set up the simulation environment for only a few detection types: atypical
travel, anonymous IP address, and unfamiliar sign-in properties.
Unfamiliar sign-in properties
We have already covered what this detection means. It looks at the user’s past sign-in
history, checks the device IP, location, and so on, and compares that data with the
current sign-in request. Before rolling this out to production, you can set up a
simulation environment to test how it works. Let’s go through the following steps
to set up the simulation environment.
You will require the following to complete this simulation:
• A test account that has 30 days of sign-in history.
• The test account should already have MFA enabled.
• A virtual machine to act as a new device.
• A VPN to simulate a new location.
After completing the preceding requirements:
1. Log in with your test account at https://outlook.office.com from the VPN-connected virtual machine.
2. Enter your credentials.
3. When it prompts for MFA, fail it by giving wrong responses.
You will see this sign-in in the Risky sign-ins report within 15-20 minutes.
Atypical travel
Simulating this detection type is difficult because the algorithm uses machine
learning to weed out false positives such as atypical travel from familiar devices, or
sign-ins from VPNs that are used by other users in the directory. Additionally, the
algorithm requires a 14-day sign-in history and ten logins of the user before it
begins generating risk detections:
1. Log in to https://outlook.office.com from your standard browser.
2. Enter the credentials of the test account for which you want to generate an atypical travel risk detection.
3. Now change your IP address. To get a new IP, you can log in from the VPN, a Tor add-on, or create a new virtual machine in Azure in a different data center.
4. Sign in to https://outlook.office.com again from the new VM or new IP, using the same credentials as before and within a few minutes after the previous sign-in.
The sign-in shows up in the Identity Protection dashboard within 3-4 hours.
Anonymous IP address
As in the preceding simulation, you can use the VPN, a Tor add-on, or create a new
virtual machine in Azure in a different data center to get a new IP address. You will
require a test account without MFA.
Now, log in to https://outlook.office.com from the new VM or Tor browser, and you
will see this account activity in the Risky sign-ins report within 15-20 minutes.
Azure AD Identity Protection policies
You can see three kinds of policies available in Azure Identity Protection: MFA
registration policy, sign-in risk policy, and user risk policy. In this section, you will
learn about policies and ways to configure them.
MFA registration policy
Azure MFA provides a second layer of security for user sign-ins, beyond the
username and password. You can ask all users or selected users to register for
MFA. You can enforce this easily through the Conditional Access policy.
By doing this, you make them secure from day one. In the previous sections,
we covered the various second-step authentication methods provided by Azure
MFA. This is an easy and efficient way to protect users’ identities. To set up this policy,
follow the given steps:
1. Log in to the Azure portal and search for Identity Protection in the search
bar.
2. Click on MFA registration policy under the Protect section.
3. A new blade will open; fill in the details here.
4. Under Users, choose All users or Select individuals and groups.
5. You can exclude some accounts such as service accounts.
6. Under the control section, check Require Azure MFA registration. Click on
Select.
7. Set On to enforce the policy. Click on Save:
Figure 2.49: Setup MFA registration policy in Azure AD Identity Protection
Here, we saw the process to enable Azure MFA through Azure AD Identity Protection
service.
User risk policy
Identity Protection calculates what it believes is normal sign-in behavior for a user
and uses that as the basis for decisions about their risk. User risk is the probability
that a user’s identity has been compromised. As an administrator, you can enforce
a policy based on the risk score. You can choose to block access, allow access, or
allow access but require a password change. Let’s set this up:
1. Log in to the Azure portal and search for Identity Protection.
2. Click on User risk policy, and a new blade will open.
3. Under Users, choose All users or Select individuals and groups.
4. You can exclude some accounts such as service accounts.
5. In the Conditions section, select the risk level.
6. Now, choose appropriate control. You can either block access, allow access,
or allow access after password reset.
7. Set On to enable the policy. Click on Save:
Figure 2.50: Set up the user risk policy in Azure AD Identity Protection
In this section, we saw how to force risky users to change their password before
allowing their logins.
Sign-in risk policy
Identity Protection analyzes real-time and offline signals from each sign-in and
calculates a risk score based on the probability that the sign-in was not performed by
the authorized user. Administrators can use this risk score to enforce
organizational requirements. They can choose to block access, allow
access, or allow access but require MFA. Follow the given steps to set this up:
1. Log in to the Azure portal and search for Identity Protection.
2. Click on Sign-in risk policy, and a new blade will open.
3. Under Users, choose All users or Select individuals and groups.
4. You can exclude some accounts such as service accounts.
5. In the Condition section, select the risk level.
6. Now, choose the appropriate control. You can either block access, allow
access, or allow access after MFA.
7. Set On to enable the policy. Click on Save:
Figure 2.51: Set up sign-in policy in Azure AD Identity Protection
By setting up the user risk and sign-in risk policies, you are setting up a Conditional
Access policy for the user:
• Require a password change for risky users: In the user risk policy, you are asking users to change their password if they want to log in successfully and access the resources.
• Require MFA for risky sign-ins: In the sign-in risk policy, you are asking users to complete MFA if they want to log in successfully and access the resources. For MFA to be required, MFA must be enabled for the users; you can enforce that through the MFA registration policy.
In this section, we saw how to enforce Azure MFA for risky sign-ins in Azure AD
Identity Protection.
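To make the interplay of the two policies concrete, here is an added model of the decision they produce for one sign-in. It is an example written for this text, not Azure AD Identity Protection code: the policy objects, risk levels, controls and user names are constructed, and two points are assumptions of the model rather than documented behaviour, namely that a blocking policy wins over any other outcome and that a user who never registered for Azure MFA cannot satisfy an MFA requirement (the reason the text pairs the sign-in risk policy with the MFA registration policy).

```python
"""Decision logic of the user risk and sign-in risk policies described above,
modelled as an added example (not Azure AD Identity Protection code).  Policies,
risk levels and users are constructed; the combination rules are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RiskPolicy:
    """One Identity Protection policy: who it covers, the risk level that
    triggers it ("this level and above"), and the access control it applies."""
    name: str
    enabled: bool
    threshold: Risk
    control: str                              # "block", "allow", "mfa" or "passwordChange"
    include_all_users: bool = True
    included_users: frozenset = frozenset()
    excluded_users: frozenset = frozenset()   # for example service accounts

    def applies_to(self, user: str) -> bool:
        if not self.enabled or user in self.excluded_users:
            return False
        return self.include_all_users or user in self.included_users


@dataclass
class Decision:
    outcome: str                                   # "allow" or "block"
    required_controls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def evaluate_sign_in(user: str, user_risk: Risk, sign_in_risk: Risk,
                     user_policy: RiskPolicy, sign_in_policy: RiskPolicy,
                     mfa_registered: bool) -> Decision:
    """Apply both policies to one sign-in and return the combined decision."""
    decision = Decision("allow")
    for policy, risk in ((user_policy, user_risk), (sign_in_policy, sign_in_risk)):
        if risk == Risk.NONE or not policy.applies_to(user) or risk < policy.threshold:
            continue
        decision.reasons.append(f"{policy.name}: {risk.name.lower()} risk")
        if policy.control == "block":          # assumption: block wins over everything else
            return Decision("block", [], decision.reasons)
        if policy.control != "allow":
            decision.required_controls.append(policy.control)
    # Assumption of this model: an MFA requirement cannot be met by a user who never
    # registered for Azure MFA, which is why the MFA registration policy is needed.
    if "mfa" in decision.required_controls and not mfa_registered:
        decision.outcome = "block"
        decision.reasons.append("MFA required but the user is not registered for Azure MFA")
    return decision


# Constructed policies matching the two bullets above: risky users must change
# their password, risky sign-ins must pass MFA; a service account is excluded.
SERVICE_ACCOUNTS = frozenset({"svc-backup@contoso.example"})
USER_RISK_POLICY = RiskPolicy("userRiskPolicy", True, Risk.MEDIUM, "passwordChange",
                              excluded_users=SERVICE_ACCOUNTS)
SIGN_IN_RISK_POLICY = RiskPolicy("signInRiskPolicy", True, Risk.MEDIUM, "mfa",
                                 excluded_users=SERVICE_ACCOUNTS)

if __name__ == "__main__":
    d = evaluate_sign_in("alice@contoso.example", Risk.HIGH, Risk.LOW,
                         USER_RISK_POLICY, SIGN_IN_RISK_POLICY, mfa_registered=True)
    print(d.outcome, d.required_controls, d.reasons)
```

The excluded service account is the case worth noticing: with both policies skipping it, a high-risk sign-in from that account is simply allowed, so exclusions in step 4 of each procedure should be kept to the minimum and reviewed.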
Conclusion
In this chapter, you gained in-depth knowledge of Azure AD PIM, Azure MFA,
Conditional Access, and Identity Protection. You learned how they work and how
to configure and manage them in detail. By the end of this chapter, you should be
able to decide which users and Azure resources should be covered by Azure AD PIM,
Azure MFA, Conditional Access, and Identity Protection, and identify the stakeholders
you should consult before rolling out these features. You are now able to plan,
configure, and manage these identity-based security services in your environment.
Multiple choice questions
1. What Azure AD license you require to configure and manage Azure AD
PIM?
A. Azure AD Free license.
B. Azure AD Premium P2.
C. Azure AD Premium P1.
D. Enterprise + Mobility Services E3.
Answer: B
2. What Azure AD directory role you would require to configure and manage
Azure AD PIM?
A. Privileged role administrator.
B. User administrator.
C. Security reader.
D. Password administrator.
Answer: A
3. It is not recommended to assign eligible role for _________. Choose the
correct option:
A. Privileged role administrator.
B. Home directory user.
C. Guest user.
D. Break glass account.
Answer: D
4. You want to automatically remove Azure resource roles from users who do
not need them. How would you ensure that access reviews automatically
remove Azure resource roles, even if users do not respond to email
notifications?
A. Configure access review to auto apply result to resources and set remove
access if the reviewer does not respond.
B. Create Azure logic apps and use the access review as a trigger to take
actions.
C. Configure the access review policy to disable if the user does not respond
to email notifications.
D. Set up automation account and execute a runbook.
Answer: C
5. Which Azure AD technology manages the user access risk by ensuring the
principles of least privilege access, time-bound, and limited to required
resources?
A. Azure AD Conditional Access.
B. Azure AD Identity protection.
C. Azure Security Center.
D. Azure AD Privileged Identity Management.
Answer: D
6. Can you convert an eligible role to a permanent role?
A. No.
B. Yes.
Answer: B
7. Being a privileged role administrator, you are not able to configure the Azure
resource role, what could be the reason?
A. You do not have access to the Azure resource where you want to assign
the Azure resource role.
B. You need to be a global administrator at the subscription level.
C. Azure resources cannot be covered by Azure AD PIM.
D. You are missing some license to manage the Azure resource role in Azure
AD PIM.
Answer: A
8. You want to block access for high risky users, where would you configure
such a policy?
A. Azure MFA
B. Azure Identity Protection
C. Azure App registration
D. Azure Privileged Identity Management
Answer: B
9. The minimum version of Azure AD required to configure Azure
Conditional Access:
A. Azure AD Premium P2
B. Azure AD Free
C. Azure AD Premium P1
D. Azure AD Security S2
Answer: C
10. An organization wants to restrict access for a user who is logging in
from outside India, where would you configure such settings?
A. Azure AD Conditional Access
B. Azure AD app registration
C. Azure AD Privileged Identity
D. Azure AD Identity Protection
Answer: A
Chapter 3
Managing Azure Access Control
In this chapter, we will cover how to apply security best practices across your entire
subscription and resource groups. You can set up security baselines and
policies to prevent unwanted security breaches. The major topics we will
cover include role-based access control, resource locks, Azure Policy, and Azure
Blueprints. No organization wants its resources deleted accidentally or the
highest level of access granted to everyone. Organizations want to follow
baselines and policies that keep their infrastructure secure and manageable. By the end
of this chapter, you will be able to identify appropriate permissions for respective
users and assign them. You will be able to prevent unwanted modification
and deletion of resources through resource locks. With the help of Azure Policy, you
will be able to define the baseline for your environment and keep your environment
compliant with that baseline.
There may be repetitive tasks in your environment. With the help of Azure
Blueprints, your development teams will be able to rapidly build and stand up new
environments that meet organizational compliance requirements.
Structure
In this chapter, we will learn the following topics:
• Role-based access control (RBAC) to configure subscription and resource permissions
• Security management at resource group level
• Custom RBAC
• Azure resource lock
• Configuration of Azure Policy
• Azure Blueprints
• Conclusion
• Multiple choice questions (MCQ)
Objectives
The objective of this chapter is to understand the access control features in Azure.
Azure provides various services and features to manage user access to other Azure
services. After reading this chapter, you should understand Azure role-based
access control (RBAC). You will be able to assign and manage RBAC roles for users.
You will learn how to create custom RBAC roles with custom access permissions.
You will be able to prevent accidental deletion and modification of Azure resources
through Azure resource locks. You will be able to create, apply, and manage Azure
policies to meet industry standards and internal compliance requirements. You will be able to
create and use Azure Blueprints to complete repetitive tasks quickly.
RBAC to configure permissions over subscriptions, resource groups, and resources
The principle of least privilege is the key tenet for security administrators. To
follow it, granting an appropriate level of access is always an important
task for security administrators. Different cloud platforms have their own ways to
control access. Azure uses RBAC to provide fine-grained access control. With
RBAC, you can manage who has access to Azure resources, what they can do with
those resources, and what areas they have access to.
Azure has several built-in RBAC roles to control user access. The following three
roles apply to all resource types:
• Owner: A security principal with owner access has full access to all resources, including the right to delegate access to others.
• Contributor: A security principal with contributor access can create and manage all types of Azure resources but cannot grant access to others.
• Reader: A security principal with reader access can view existing Azure resources but cannot modify anything.
Managing Azure Access Control
Apart from these listed roles, there are many built-in roles you can use to manage
other resources. If these built-in roles do not meet the specific access need of your
organization, you can create your own custom roles for Azure resources.
Types of roles in Azure
You can broadly define Azure roles in three categories: classic administrator roles,
Azure RBAC roles, and Azure Active Directory administrator roles.
• Classic subscription administrator roles: Classic subscription administrator roles are inherited from the classic version of Azure. The classic version has three administrator roles: account administrator, service administrator, and co-administrator. Among these three classic subscription roles, the account administrator and service administrator roles have full access to the Azure subscription. The account that is used to sign up for Azure automatically becomes the account administrator and service administrator. The service administrator can add additional co-administrators after getting into the subscription. The service administrator and the co-administrators have access equivalent to users who have been assigned the owner role (an Azure RBAC role) at the subscription scope:
  • Account administrator: The account administrator role does not have access to the Azure portal. It is the billing owner of the subscription. It can access the Azure Account Center (https://account.azure.com/Subscriptions), manage all subscriptions in an account, create new subscriptions, cancel subscriptions, change the billing for a subscription, and change the service administrator. You can have one account administrator per Azure account.
  • Service administrator: For a new subscription, the account administrator is also the service administrator. The service administrator role has access equivalent to a user who is assigned the owner role at the subscription scope. The service administrator role has full access to the Azure portal. It can manage services in the Azure portal, cancel the subscription, and assign users to the co-administrator role. You can have one service administrator per Azure subscription.
  • Co-administrator: The co-administrator role has access equivalent to a user who is assigned the owner role at the subscription scope. It has the same access as the service administrator but cannot change the association of subscriptions to Azure directories. It can assign users to the co-administrator role but cannot change the service administrator role. You can have 200 co-administrators per subscription.
The classic administrator roles can be assigned at the subscription level only. To
assign the role, follow the given steps:
1. Go to the Azure portal and select the subscription where you want to assign
the role.
2. In the subscription, go to Access control (IAM) and open the Classic
administrators tab:
Figure 3.1: Add classic Administrator role
3. You can click on + Add to add a new co-administrator.
4. You can see the existing service and co-administrators under the Classic
administrators tab.
• Azure RBAC roles: Azure RBAC is a fine-grained access management system built on Azure Resource Manager. Azure has over 70 built-in RBAC roles. Through RBAC, you can manage only the Azure portal and the Azure Resource Manager APIs. Users, groups, and applications that are assigned RBAC roles cannot use the Azure classic deployment model APIs. In Figure 3.1, you can make a role assignment by clicking on Add role assignment. You can see the assigned roles under Role assignments and all built-in roles under the Roles tab.
• Azure AD administrator roles: By using Azure AD administrator roles, you can manage Azure AD resources in a directory, such as creating or editing users, assigning administrative roles to others, resetting user passwords, managing user licenses, and managing domains. You can see the available Azure AD roles under Roles and administrators in the Manage section of Azure AD.
These are the broadly defined access roles in Azure. Each has many built-in
granular roles with different levels of permissions. If you feel the built-in roles do
not fulfil your business requirements for access control, you can create your own
custom RBAC roles as well. We will study them in the upcoming sections.
Azure RBAC roles control permissions to manage Azure resources, while
Azure AD administrator roles control permissions to manage Azure
Active Directory resources.
Building components and working of RBAC
Let’s understand all the parameters you need to define RBAC rules and how they
grant permissions on Azure resources. To control access to any resource, you
create a role assignment. A role assignment has three components: security
principal, role definition, and scope:
• Security principal: An object that represents the user, service principal, group, or managed identity that is requesting access to Azure resources.
• Role definition: A collection of permissions. It lists the operations that can be performed, such as read, write, and delete. There are two kinds of role definitions: built-in and custom.
You can list the role definition details by a simple PowerShell command:
Get-AzRoleDefinition <role_name>
A role definition has the following structure:
  • Name: Name of the Azure RBAC role.
  • ID: Resource ID of the Azure RBAC role.
  • IsCustom: This field shows whether this is a custom role or a built-in role.
  • Description: A brief description to understand this role.
  • Actions []: The Actions permission describes the operations that the role allows to be performed.
  • NotActions []: The NotActions permission describes the operations that are excluded from the allowed Actions.
  • DataActions []: The DataActions permission describes the data operations that the role allows to be performed on your data within that object. For example, if a user has read BLOB data access to a storage account, then they can read the BLOBs within that storage account.
  • NotDataActions []: The NotDataActions permission describes the data operations that are excluded from the allowed DataActions. The access granted by a role (effective permissions) is computed by subtracting the NotDataActions operations from the DataActions operations.
  • AssignableScopes []: The AssignableScopes property describes the scopes (management groups, subscriptions, or resource groups) in which this role definition is available. You can make the role available for assignment in only the management groups, subscriptions, or resource groups that require it. You must specify at least one management group, subscription, or resource group. Built-in roles have AssignableScopes set to the root scope (/). The root scope indicates that the role is available for assignment in all scopes.
• Scope: Scope is the set of resources to which the access applies. When you assign a role to the security principal, you can further limit the allowed actions by defining a scope.
To make a role assignment, you attach a role definition to a security principal at a particular scope for the purpose of granting access. You grant permission by creating a role assignment and revoke it by removing the role assignment. Role assignments can be made using the Azure portal, Azure CLI, Azure PowerShell, Azure SDKs, or REST APIs. Each subscription can have up to 2000 role assignments and each management group can have up to 500 role assignments. You require the Microsoft.Authorization/roleAssignments/* permission to work on role assignments. RBAC works on an additive model, so your effective permissions at a scope are the sum of your role assignments. For example, suppose a user is granted the Owner role at the subscription scope and the Reader role on a resource group. The sum of the Owner permissions and the Reader permissions is effectively the Owner role for the resource group. Therefore, in this case, the Reader role assignment has no impact.
RBAC also supports deny assignments. Like a role assignment, a deny assignment ties a set of deny actions to a security principal at a particular scope for the purpose of denying access. A role assignment specifies allowed actions, while a deny assignment specifies which actions are not allowed. Deny assignments stop users from performing the specified actions even if a role assignment grants them access, because deny assignments take precedence over role assignments.
Types of RBAC roles in Azure
There are two types of RBAC roles in Azure: built-in and custom. Azure ships with over 70 built-in RBAC roles, but they may not be enough to fulfill your access control requirements. Sometimes, you may need to add a few more Actions or NotActions items to get the permission settings you require. You can create your own RBAC role and attach it to the defined scope. Let’s discuss these roles in detail.
Managing Azure Access Control
Built-in RBAC roles
These roles have default role definitions to allow or restrict any action. In this section,
we will see how to manage built-in RBAC roles.
Assign built-in RBAC roles
Perform the following steps:
1. Log in to the Azure portal and search for the resource where you want to apply the role.
2. Go to the Access control (IAM) option; this option is available for all Azure resources.
3. A new window will open to take inputs. Click on + Add, then Add role assignment, as shown in the following figure:
Figure 3.2: Assign built-in RBAC
4. In the next blade, you can choose the required role from the drop-down list
and put the name of the user, group or any service principal to whom you
want to assign this role.
Here, we saw the process to assign built-in roles to users. You can use the same
process to assign the role to service principals and user groups also. In the next
section, we will see the process to check the status of our assigned roles.
Check assigned access
Here, you can see all the accesses a user has on an Azure resource. To know about
this, perform the following steps:
1. Log in to the Azure portal and search for the resource where you want to
check the assigned access.
2. Go to the Access control (IAM) option. This option is available for all Azure
resources.
3. Under the Check access section, put the username in the Search field and it will show all roles assigned to the user on this resource. These roles need not be assigned directly to this resource; inherited roles are shown as well:
Figure 3.3: Check access for a user
You can also see a list of all users and their respective access under the Role
assignment tab.
In this section, we saw the process to check the status of our assigned roles. This helps you monitor or scan your environment periodically. As a security administrator, you must regularly review the permissions assigned to users.
Remove access from a resource
To remove the access from the Access control (IAM) portal, perform the following
steps:
1. Log in to the Azure portal and go to the resource from which you want to remove the access.
2. Go to the Access control (IAM) option; this option is available for all Azure
resources.
3. Go to the Role assignments tab to remove the access:
Figure 3.4: Remove the access from a resource
4. Select the security principal for which you want to revoke the access and
click on Remove.
When you scan your environment for access control audit, you may find that there
are many users who do not need assigned permissions anymore. In this section, we
saw how to remove unwanted permissions from users.
You can only remove access that is assigned directly to this resource. You cannot remove inherited access from a resource; to remove inherited access, you need to remove it from the parent resource where the assignment was made.
Custom RBAC role
If the built-in RBAC roles for Azure resources do not meet the specific needs of your organization to control user access, Azure lets you create your own custom roles. Just like built-in roles, custom roles can be assigned to users, groups, and service principals at management group, subscription, and resource group scopes. Custom roles can be shared among the subscriptions that trust the same Azure AD directory. You can have a maximum of 5,000 custom roles per directory.
Create custom RBAC through JSON
There are multiple ways to create custom RBAC roles, but here, we will discuss the most suitable and easy way. You can use Azure PowerShell, Azure CLI, the Azure portal, and JSON to create custom RBAC roles. We will learn how to create a custom role using JSON. You can apply a custom RBAC role at any resource level but not at the root (/) scope. Following are the steps to create a custom RBAC role.
1. Create role definition in JSON: RBAC roles have a predefined structure for writing a role definition:
{
  "properties": {
    "roleName": "",
    "description": "",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
2. The preceding code shows the structure and components to create a custom RBAC role. You need to fill in the details in each section. We have already seen the purpose of each section.
Actions, NotActions, DataActions, and NotDataActions are the important sections. Under these sections, you define the allowed and disallowed actions. Each Azure resource type belongs to a resource provider. For example, Azure Active Directory Domain Services comes under Microsoft.AAD, while Azure virtual machines, virtual machine scale sets, and many more come under Microsoft.Compute.
3. It is important to identify the correct resource provider for the resource for which you want to create a custom role:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
You can browse the preceding link to identify the correct resource provider for your resource, and the same page will help you choose the right supported actions.
For example, suppose you want to create a custom role that allows users to create virtual machines but not delete them, and you want to apply this custom role at the subscription level, so the assignable scope will be your subscription. In this case, your sample JSON file will look like this:
{
  "properties": {
    "roleName": "Control VM creation and deletion",
    "description": "Allow users to create VM but do not allow to delete the VM",
    "assignableScopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/write"
        ],
        "notActions": [
          "Microsoft.Compute/virtualMachines/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
You can create this JSON file in any text editor. Save it with the .json extension.
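As an added example (not from the book), the following Python parses the custom role shown above, checks it against the rules stated in this chapter, and evaluates the additive model and deny assignments described under Building components and working of RBAC. The subscription id, resource paths, and the simplified Owner and Reader role bodies are constructed; Azure's real built-in roles have fuller definitions.

```python
"""Added example (not from the book): validate the chapter's custom role JSON
and evaluate effective permissions under the additive RBAC model with deny
assignments. Subscription id, scope paths and the Owner/Reader stand-ins
below are constructed for illustration."""
import fnmatch
import json

# The chapter's sample custom role, with a placeholder subscription id.
CUSTOM_ROLE_JSON = """
{
  "properties": {
    "roleName": "Control VM creation and deletion",
    "description": "Allow users to create VM but do not allow to delete the VM",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [
      {
        "actions": ["Microsoft.Compute/virtualMachines/write"],
        "notActions": ["Microsoft.Compute/virtualMachines/delete"],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
"""


def sample_role() -> dict:
    """The chapter's custom role definition, parsed."""
    return json.loads(CUSTOM_ROLE_JSON)


def validate_custom_role(definition: dict) -> list:
    """Return the problems found (empty list = passes). Rules from the chapter:
    a roleName, at least one assignable scope, no root scope (/) for custom
    roles, and all four action lists in every permissions block."""
    problems = []
    props = definition.get("properties", {})
    if not props.get("roleName"):
        problems.append("roleName is empty")
    scopes = props.get("assignableScopes", [])
    if not scopes:
        problems.append("assignableScopes must contain at least one scope")
    if "/" in scopes:
        problems.append("custom roles cannot be assignable at the root scope (/)")
    for perm in props.get("permissions", []):
        for key in ("actions", "notActions", "dataActions", "notDataActions"):
            if key not in perm:
                problems.append("permissions block is missing " + key)
    return problems


def action_matches(patterns, operation: str) -> bool:
    """Operation strings support '*' wildcards, e.g. 'Microsoft.Compute/*'."""
    return any(fnmatch.fnmatchcase(operation, p) for p in patterns)


def role_allows(definition: dict, operation: str) -> bool:
    """Effective permissions of one role = Actions minus NotActions."""
    return any(action_matches(p["actions"], operation)
               and not action_matches(p.get("notActions", []), operation)
               for p in definition["properties"]["permissions"])


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """A role assigned at a scope is inherited by every child scope."""
    return resource_scope == assignment_scope or \
        resource_scope.startswith(assignment_scope.rstrip("/") + "/")


def is_allowed(operation, resource_scope, role_assignments, deny_assignments=()):
    """Additive model: allowed if any inherited role assignment permits it;
    a matching deny assignment takes precedence over every role assignment."""
    for deny in deny_assignments:
        if scope_covers(deny["scope"], resource_scope) \
                and action_matches(deny["actions"], operation):
            return False
    return any(scope_covers(a["scope"], resource_scope)
               and role_allows(a["role"], operation) for a in role_assignments)


def demo() -> dict:
    """The chapter's scenario: Owner at the subscription plus Reader on a
    resource group, then a deny assignment on that resource group."""
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    rg = sub + "/resourceGroups/rg-prod"
    vm = rg + "/providers/Microsoft.Compute/virtualMachines/vm01"
    # Simplified stand-ins for the built-in Owner and Reader roles (constructed).
    owner = {"properties": {"permissions": [{"actions": ["*"], "notActions": []}]}}
    reader = {"properties": {"permissions": [{"actions": ["*/read"], "notActions": []}]}}
    assignments = [{"role": owner, "scope": sub}, {"role": reader, "scope": rg}]
    deny = [{"scope": rg, "actions": ["Microsoft.Compute/virtualMachines/delete"]}]
    delete = "Microsoft.Compute/virtualMachines/delete"
    read = "Microsoft.Compute/virtualMachines/read"
    return {
        "reader_on_rg_does_not_shrink_owner": is_allowed(delete, vm, assignments),
        "deny_beats_owner": is_allowed(delete, vm, assignments, deny),
        "deny_leaves_read_alone": is_allowed(read, vm, assignments, deny),
        "custom_role_write_only": is_allowed(delete, vm, [{"role": sample_role(), "scope": sub}]),
    }
```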
4. Now, to create the custom RBAC role, go to the Azure portal and go to
subscriptions.
5. In subscription, click on the Access control (IAM) option. In the window,
click on + Add. It will show you the option to Add custom role. When you
click on this option, a new window will open to take details.
6. Since you are creating a custom role through JSON, you don’t need to fill
other details. Just choose the Start from JSON option. You need to browse
the JSON file which you created in the previous section:
Figure 3.5: Create a custom RBAC role through JSON
7. Once you upload the file, all parameters will be filled as per the JSON file
code:
Figure 3.6: Upload JSON for a custom RBAC role
8. Once you upload the JSON file, you can see auto filled values in all sections.
You can review the sections by clicking on them. Under the Permission
section, you can see the defined Actions, NotActions, DataActions, and
NotDataActions:
Figure 3.7: See the permissions of a custom RBAC role
9. Under Assignable scopes, you can see the scope where you can assign this
role:
Figure 3.8: See the assignable scope for a custom RBAC role
10. Under the JSON section, you can see the JSON which you uploaded.
11. Click on Review + create to create the role.
12. Once the role creation is completed, you can assign this role to subscriptions
or resource groups. The process of a role assignment is the same as built-in
roles.
As discussed in the previous section, you can create your own custom RBAC roles to
fulfill your access control requirements. In this section, we saw the detailed process
to create a custom RBAC role.
Azure resource lock
Organizations are always afraid of manual errors, especially the errors that lead to the deletion or modification of business-critical resources. As an administrator, you have always wished for a capability to prevent accidental deletion and modification of resources. Azure provides the resource lock feature for this. In Azure, there are two lock levels you can choose from: CanNotDelete and ReadOnly. In the portal, these locks are called Delete and Read-only, respectively:
• CanNotDelete: Authorized users can still read and modify a resource, but they can’t delete the resource.
• ReadOnly: Authorized users can read a resource, but they can’t delete or update the resource.
When you apply a lock at a parent scope, all resources within that scope inherit the same lock. If you add a resource later, it also inherits the lock from the parent. Where locks are inherited, the most restrictive lock takes precedence. An Azure resource lock restricts changes to the resource itself, but operations performed through the resource aren’t restricted. For example, a ReadOnly lock on a storage account prevents you from deleting or modifying the BLOB or storage account. It doesn’t prevent you from uploading, downloading, or modifying the data in the storage account.
The Azure backup service supports a maximum of 18 restore points. When it creates a new restore point, it deletes the oldest one. So, if you lock the resource group created by the Azure backup service, then after some time the backup will start to fail due to the resource lock, because the backup service will not be able to delete the oldest restore point to accommodate new restore points.
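As an added example (not from the book), this Python models the lock rules just described: inheritance down the scope hierarchy, the most restrictive lock winning, data operations being unaffected, and inherited locks being removable only at the parent. Scope paths and lock names are constructed.

```python
"""Added example (not from the book): compute the effective Azure resource lock
on a resource from locks set on it and its parents. Scope paths and lock names
are constructed for illustration."""

# Lock levels ranked by restrictiveness; None means no lock at all.
LOCK_RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}

# Control-plane operations that each lock level blocks.
BLOCKED_BY = {"CanNotDelete": {"delete"}, "ReadOnly": {"delete", "write"}}


def scope_covers(lock_scope: str, resource_scope: str) -> bool:
    """A lock applies to the scope it sits on and to every child scope."""
    return resource_scope == lock_scope or \
        resource_scope.startswith(lock_scope.rstrip("/") + "/")


def effective_lock(resource_scope: str, locks: list):
    """Most restrictive lock level that applies to resource_scope, or None.
    Each lock is {"name": ..., "scope": ..., "level": ...}."""
    levels = [l["level"] for l in locks if scope_covers(l["scope"], resource_scope)]
    return max(levels, key=LOCK_RANK.get, default=None)


def operation_allowed(operation: str, plane: str, resource_scope: str, locks: list) -> bool:
    """operation: 'read', 'write' or 'delete'; plane: 'control' for the resource
    itself, 'data' for its contents (for example blobs in a storage account)."""
    if plane == "data":
        return True                      # locks never restrict data operations
    level = effective_lock(resource_scope, locks)
    return level is None or operation not in BLOCKED_BY[level]


def removable_here(resource_scope: str, locks: list) -> list:
    """Names of locks that can be deleted from this resource's Locks blade:
    only those created directly on it, never the inherited ones."""
    return [l["name"] for l in locks if l["scope"] == resource_scope]


def demo() -> dict:
    """A CanNotDelete lock on a resource group plus a ReadOnly lock set directly
    on a storage account inside it (both constructed)."""
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    rg = sub + "/resourceGroups/rg-data"
    sa = rg + "/providers/Microsoft.Storage/storageAccounts/stdata01"
    vm = rg + "/providers/Microsoft.Compute/virtualMachines/vm01"
    locks = [{"name": "rg-no-delete", "scope": rg, "level": "CanNotDelete"},
             {"name": "sa-readonly", "scope": sa, "level": "ReadOnly"}]
    return {
        "sa_effective": effective_lock(sa, locks),          # ReadOnly wins
        "vm_effective": effective_lock(vm, locks),          # inherited from rg
        "vm_update": operation_allowed("write", "control", vm, locks),
        "vm_delete": operation_allowed("delete", "control", vm, locks),
        "sa_update": operation_allowed("write", "control", sa, locks),
        "sa_upload_blob": operation_allowed("write", "data", sa, locks),
        "sa_removable": removable_here(sa, locks),          # not rg-no-delete
    }
```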
Apply and remove lock from the Azure resource
You can apply the resource lock through the Azure portal, Azure CLI, PowerShell, JSON template, and REST API. It is easiest from the Azure portal. Following are the steps to apply and remove a resource lock:
1. Log in to Azure portal and search for the resource where you want to apply
the lock. You can apply the lock directly on the resource, or you can apply the
lock on the parent resource. When you apply the lock on the parent resource,
all child resources inherit that lock.
2. In all resources, you will find the option Locks under the Settings section.
Click on Locks, and a new window will open to configure the lock settings:
Figure 3.9: Enable Azure resource lock
3. As shown in the preceding figure, give a name to this lock, select the lock type from the drop-down list, and give a short description of this lock.
4. Once you hit OK, the lock will be applied to this resource and all its child
resources.
5. To remove the lock from any resource, you need to go to the same place, that
is, Locks under Settings:
Figure 3.10: Remove Azure resource lock from a resource
6. In this panel, you will see the existing locks. You can click on Delete to
remove the unwanted lock.
In this section, we studied about the Azure resource lock, assignment, and removal
of resource lock in detail. Now, you should be able to apply the resource lock on
your Azure resources to prevent accidental deletion and modification to them.
You cannot delete the lock for a child resource if the lock is inherited from the parent resource. To remove the lock from the child resource, first you need to remove the lock from the parent resource.
Azure Policy
Each organization wants to be compliant with its blueprint and to follow its standards in terms of infrastructure creation and application deployment. Azure Policy is a service in Azure that you can use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy evaluates your resources against the assigned policies.
For example, you can have a policy that allows certain Azure resources only in certain geographies. Once this policy is implemented, new and existing resources are evaluated for compliance.
Effects of Azure Policy
Each Azure Policy definition has a single effect. The effect determines what happens when the policy rule’s condition is matched. The effects behave differently for a new resource, an updated resource, or an existing resource. Currently, Azure Policy supports the following effects. The list also shows the order of evaluation:
1. Disabled
2. Append
3. Modify
4. Deny
5. Audit
6. AuditIfNotExists
7. DeployIfNotExists
8. EnforceOPAConstraint
9. EnforceRegoPolicy
As of now, there is no defined order of evaluation for the EnforceOPAConstraint and EnforceRegoPolicy effects, which were in preview at the time of writing. Each effect has its own properties; based on those, it can control and manage your Azure resource deployments. Let’s understand the use of these effects:
• Disabled: The policy is not active and is in the disabled state.
• Append: It is used to add additional fields to the requested resource during creation or update. For example, all virtual machines should have NSGs connected to them.
• Modify: It is used to add, update, or remove tags on a resource during creation or update. Modify is currently used only for tags.
• Deny: It prevents the resource request if the requested resource does not meet the policy definition.
• Audit: It does not prevent the resource request but creates an activity log entry when the requested resource does not meet the policy definition.
• AuditIfNotExists: It evaluates the scope where this policy is assigned, and if the evaluation is non-compliant, it creates an activity log entry.
• DeployIfNotExists: It evaluates the scope where this policy is assigned, and if the evaluation is non-compliant, it deploys the required resources to make the scope compliant.
Here, we explained the effects available in Azure Policy. With the help of these effects, you define what Azure Policy does when a rule matches. Using the effect types, the same policy rule can be used for audit purposes only or to modify the environment.
Assign Azure Policy from the portal
Let’s practically understand Azure Policy. In this section, we will see what all options
are available on the Azure Policy page and how to manage and apply the policy
from the portal:
1. First, let’s log in to the Azure portal and search for Policy.
2. The first page is the Overview page. It shows details about the applied policies, the percentage of compliant resources, and the number of non-compliant policies, initiatives, and resources:
Figure 3.11: Azure policy overview page
3. Policy definition: Under the Definitions section, you can see the existing built-in policies. Azure provides many built-in policies. You can directly opt for a built-in policy and apply it to the required scope. But if there is no built-in policy that fulfills your business requirement, you can create a custom policy as well.
4. Under the Definitions section, you will see two options: + Initiative definition and + Policy definition. The Policy definition option leads you to create a custom policy. An initiative definition is a collection of multiple policies. To understand this, let’s take an example. You may get a requirement to apply the same policies to different resources. There is a chance that you miss a few policies on some of the resources. To avoid this, Azure provides an option to group all the required policies and then apply this group to the target resources. This grouping is called an initiative definition. In an initiative definition, you can group multiple built-in and custom policies.
5. On the Policy | Definitions page, you can see all custom and built-in policies and initiatives:
Figure 3.12: Azure policy definition page
6. When you click on + Initiative definition, a new window opens with the
details:
Figure 3.13: Create initiative definition
7. Fill in the basic details as shown in the preceding figure. In the Category field, you can either create a new category for your initiative definition or select one from the default list. The category is a logical grouping or type of definitions.
8. In the right panel, you can see the list of all available policies. You can click
on + sign to add the respective policy to your initiative definition. Azure also
provides some built-in initiative definitions; you can use them directly.
9. Once you create the initiative definition, it will be shown in the Definitions
page.
10. You can click on any initiative definition or policy definition to edit, see
properties, and assign:
Figure 3.14: Manage initiative definition in Azure policy
As shown in the preceding figure, you see options to edit, assign, and delete this initiative:
11. When you click on Assign, a new window will open to take the inputs:
Figure 3.15: Assign initiative definition over a subscription
Here, you can fill in the details as shown in the preceding figure. The Scope field defines where you want to apply this initiative. Under Exclusions, you can choose the resources which you want to exclude from this initiative. Put a brief description and click on Create.
The Assignments section also has Assign initiative and Assign policy options. You can perform the same assignment from here too, and here you can also see the list of all assignments:
Figure 3.16: Assignment overview page
As shown in the preceding screenshot, it shows the total assignments,
number of initiatives, and policy assignments.
12. Under the Compliance section, you will see all the applied policies and their respective compliance levels. It shows in detail the information that was summarized on the Overview page:
Figure 3.17: Compliance overview page
The preceding screenshot shows a list of all applied initiatives and policies. The respective columns show the name of the policy or initiative, scope, compliance status, percentage of compliant resources, number of non-compliant resources, and number of non-compliant policies.
13. The Remediation page shows only policies with the DeployIfNotExists and Modify effects. From here, you can trigger these policies to take action and make resources compliant.
RBAC focuses on user actions on resources while Azure Policy focuses
on resource properties during deployment and for already existing
resources. For example, you have the owner access on the subscription
and there is a policy not to deploy virtual machines in the subscription.
Being the owner, you will not be able to create a virtual machine in the
subscription.
Here, we saw the process to apply policies to your Azure resources. You can choose
appropriate policies to apply to your Azure resources. These policies can help you
to achieve compliance and follow the Azure baseline.
If there are multiple policy assignments on a resource, each assignment is evaluated individually. As such, there isn’t an opportunity for a resource to slip through a gap caused by differences in scope. The net result of layering or overlapping policies is cumulatively the most restrictive.
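An added example (not the book's code) that models how the effects listed under Effects of Azure Policy are applied in the stated evaluation order, and how overlapping assignments combine to the most restrictive result as the note above states. The condition format ({field, in / notIn / exists}) is a simplification of the real policyRule JSON, and every assignment and resource below is constructed.

```python
"""Added example (not from the book): a small model of Azure Policy effect
evaluation. Conditions are simplified; assignments and resources are
constructed for illustration."""

# Evaluation order given in the chapter (OPA/Rego effects have no defined order).
EVALUATION_ORDER = ["Disabled", "Append", "Modify", "Deny", "Audit",
                    "AuditIfNotExists", "DeployIfNotExists"]

# Constructed assignments: two overlapping location rules (Audit + Deny),
# an Append that fills a default field, an Audit for that same field,
# a Modify that tags VMs, and a Disabled rule that must never fire.
SAMPLE_ASSIGNMENTS = [
    {"name": "audit-vm-location", "effect": "Audit",
     "if": {"field": "location", "notIn": ["eastus", "westeurope"]}},
    {"name": "deny-vm-location", "effect": "Deny",
     "if": {"field": "location", "notIn": ["eastus", "westeurope"]}},
    {"name": "append-default-costcenter", "effect": "Append",
     "if": {"field": "costCenter", "exists": False},
     "details": {"costCenter": "unassigned"}},
    {"name": "audit-missing-costcenter", "effect": "Audit",
     "if": {"field": "costCenter", "exists": False}},
    {"name": "tag-owner", "effect": "Modify",
     "if": {"field": "type", "in": ["Microsoft.Compute/virtualMachines"]},
     "details": {"owner": "platform-team"}},
    {"name": "old-rule", "effect": "Disabled",
     "if": {"field": "type", "in": ["Microsoft.Compute/virtualMachines"]}},
]


def condition_matches(condition: dict, resource: dict) -> bool:
    """Simplified policy condition: one field tested with in, notIn or exists."""
    value = resource.get(condition["field"])
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "exists" in condition:
        return (value is not None) == condition["exists"]
    raise ValueError("unsupported condition: %r" % condition)


def evaluate(resource: dict, assignments: list) -> tuple:
    """Evaluate one resource request against every assignment, effect by
    effect in EVALUATION_ORDER. Returns (decision, resulting_resource, log)."""
    resource = dict(resource)
    log = []
    denied = False
    for effect in EVALUATION_ORDER:
        for a in assignments:
            if a["effect"] != effect or effect == "Disabled":
                continue                  # Disabled policies are never evaluated
            if not condition_matches(a["if"], resource):
                continue
            if effect == "Append":        # runs before Deny/Audit see the request
                for key, val in a["details"].items():
                    resource.setdefault(key, val)
            elif effect == "Modify":      # Modify is used only for tags
                resource["tags"] = {**resource.get("tags", {}), **a["details"]}
            elif effect == "Deny":        # any single Deny fails the request
                denied = True
                log.append("deny: " + a["name"])
            elif effect == "Audit":       # request proceeds, but is logged
                log.append("audit: " + a["name"])
            # AuditIfNotExists / DeployIfNotExists inspect related resources
            # after the request completes and are outside this model.
    return ("denied" if denied else "allowed"), resource, log


if __name__ == "__main__":
    vm_request = {"type": "Microsoft.Compute/virtualMachines", "location": "centralus"}
    print(evaluate(vm_request, SAMPLE_ASSIGNMENTS))
```

Note that the Audit for a missing costCenter never fires, because Append ran earlier in the order and filled the field; the Deny on location still fails the request even though a separate assignment only audits it.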
Azure blueprint
Engineers and architects sketch a blueprint before starting any project. The blueprint gives them an overview of the entire project. In the blueprint, they describe all tasks and their details. Blueprints also help them keep their work aligned with their organization’s compliance requirements and make repetitive tasks easier. Azure Blueprint likewise helps cloud engineers and architects meet compliance requirements and gives an easy and fast way to perform repetitive tasks. These repetitive tasks can be deployment of applications, infrastructure creation, applying policies and role assignments over the environment, and so on.
Azure Blueprint uses Azure Cosmos DB to replicate its objects into multiple Azure
regions. This multi-region replication provides high availability and low latency
to your blueprint objects. Because of this, you can deploy resources in any Azure
region from the same blueprint.
Azure Blueprint is designed to help customers with their Azure environment setup. An Azure Blueprint often consists of a set of resource groups, policies, role assignments, and ARM template deployments. Azure Blueprint is a native service of Azure, whereas an ARM template is a code document. It is not native to Azure; it is stored either locally or in source control. With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. A template is used for deployments of one or more Azure resources, but once those resources deploy, there’s no active connection or relationship to the template.
Terminology of an Azure Blueprint
It is important to know the terminology and core components of an Azure Blueprint before deploying and configuring it:
• Definition: The Azure Blueprint definition describes the capabilities of a blueprint. In the definition, you set the tasks which you want to perform through the blueprint.
• Artifacts: Artifacts are the services or resources which you need to bind to the Azure Blueprint definition. You can use one or more artifacts to create an Azure Blueprint definition, and a definition must have at least one artifact bound to it. Azure Blueprint supports four types of artifacts:
  • Azure Policy
  • Role assignment
  • ARM template
  • Resource groups
  If you choose Azure Policy as an artifact, you can assign a policy or initiative to your subscription. With the role assignment artifact, you define which user, group, or application gets which RBAC role in the environment. The ARM template artifact allows you to deploy ARM templates in your environment. The Resource groups artifact creates resource groups in your environment to place resources in.
  Based on your requirement, you can choose one or more artifacts to create the blueprint definition.
• Azure Blueprint definition location: When you create a blueprint definition, you need to define where to save it. The definition can be saved to a management group or to a subscription. If you save the definition to a management group, it can be applied to all child subscriptions under that management group.
• Parameters in Azure Blueprint: When you choose an ARM template or Azure Policy as an artifact, you may need to define parameters for the ARM template or Azure Policy. The parameter values can be passed while creating the definition or while assigning it.
• Blueprint publishing: When you start creating a blueprint, it first goes into the draft state. Before assigning this blueprint, it needs to be published. When publishing, you need to provide a version for this definition and a change note about this version.
• Blueprint assignment: After publishing the blueprint, you can assign it to a management group or subscription in your environment.
Configuring security settings by the Azure Blueprint
You can use Azure Blueprint to deploy ARM templates, role assignments, or policy assignments in your environment. In this section, we will see how to use Azure Blueprint to apply security settings in your environment. Following are the steps to configure security settings with an Azure blueprint:
1. Log in to the Azure portal and go to Azure Blueprint.
2. On the Blueprints page, go to the Blueprint definitions tab:
Figure 3.18: Blueprint definitions home page
As shown in the preceding figure, you can see the existing blueprint definition
or else you can create a new one by clicking on + Create blueprint.
3. Once you click on + Create blueprint, a new blade will open. In this window,
you can choose the option to create the blueprint. Either you can create the
blueprint definition from scratch or you can choose it from the sample. Here,
let’s start from scratch and choose Start with blank blueprint:
Figure 3.19: Choose a blueprint definition sample
As shown in the preceding figure, you can choose a blank or predefined
sample for the blueprint definition.
4. The blank blueprint option opens a new window. Here, you need to fill in the basic details about the blueprint:
• Blueprint name: Give a meaningful name to this blueprint definition.
• Blueprint description: Write a description of this definition. This can help you in future to know more about this definition.
• Definition location: Choose a location to store this definition by clicking the three dots. You can choose a management group or a subscription. If you choose a management group, you can apply this blueprint over all child subscriptions of that management group.
Click on Next to move to the Artifacts section:
Figure 3.20: Fill basic details of the blueprint definition
Fill in the details as shown in the preceding figure and as described above.
5. In the Artifacts section, you can choose artifacts from the drop down. You
can choose one or many artifacts for a definition:
Figure 3.21: Select the type of artifact for the blueprint definition
As shown in the preceding figure, click on + Add artifact… and a new blade
will open a drop-down menu. From the drop-down menu, you can select the
artifact type which you want to add to this blueprint.
For this exercise, I am selecting Policy assignment as an artifact for this definition.
6. Once you choose Policy assignment from the drop down, a new blade will
open with a list of all the available policies and initiatives present in your
subscription. I want to show you how you can configure security settings for
your environment, so I am choosing a built-in initiative NIST SP 800-171 R2:
Figure 3.22: Select the security policy from the list
7. Click on the initiative to select it and it will be added to your artifacts list.
8. After adding the artifact, you need to come back to the Artifacts dashboard.
Here, you get the option to edit existing artifacts or to add more artifacts:
Figure 3.23: Edit parameters of the policy
In the previous step, we added an Azure Policy initiative as an artifact.
Azure Policy may have some parameters. The value of these parameters can
be passed at this stage or later while assigning this definition.
9. If you want to pass the parameter value now, then click on the artifact and it
will open a new blade with all the parameters:
Figure 3.24: Pass the value of parameters
As shown in the preceding figure, uncheck the parameters whose values you want to fill in now, and leave checked those whose values you want to decide during assignment. Click on Save. It will bring you back to the Artifacts dashboard page.
10. On this page, click on Save draft. The Blueprint definition will be saved in
the draft:
Figure 3.25: Updated blueprint definition dashboard
As shown in the preceding figure, the Blueprint definitions page has an
entry now in the draft stage. It will show that your blueprint is in the Draft
stage, and it is not yet published.
11. Now, before assigning this definition to your environment, you need to publish
it. To publish it, either you can click on it or on the three dots at the end of it:
Figure 3.26: Publish the blueprint
As shown in the preceding figure, click on Publish blueprint. Now, it will
ask you the version of this publishing and a description about this change note:
Figure 3.27: Enter the details about the version and change note
As shown in the preceding figure, enter the version and change note about
this blueprint. Now, click on Publish.
12. Now, you can see these changes on the Blueprint definitions page:
Figure 3.28: Updated view of the blueprint dashboard
The preceding figure shows that your blueprint is now in the published stage and does not have any unpublished changes. It also shows the version of your blueprint.
13. Now, to assign this blueprint, you can again click on the same or you can
click on the three dots at the end of it. Now, click on Assign Blueprint, and
it will open a new blade to take some inputs:
Figure 3.29: Properties to be filled while assigning the blueprint
As shown in the preceding figure, Blueprints uses a managed identity to deploy your resources, which requires a location, so select a location for that managed identity. The managed identity can be system assigned or user assigned. You can select the version of the blueprint definition from the drop-down menu. Lock assignment gives you the facility to apply a resource lock from here:
Figure 3.30: Fill in the values of the artifacts’ parameters
Here, you can fill the value of parameters which were left in Step 9. Once you
fill the value for all parameters, you can click on Assign.
14. Now, go to the Assigned blueprints section on the Azure Blueprint home
page:
Figure 3.31: Check blueprint assignment status
As shown in the preceding figure, you will see that your blueprint is assigned
to the subscription. If you click on this assignment, you can see the details
about this blueprint.
In this section, you saw how to apply the Azure Blueprint in your environment. You
can choose multiple artifacts as per your requirement.
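The publish-and-assign sequence from steps 11 to 14 can also be scripted. The following is an added example, not code from the book; it uses the Az.Blueprint PowerShell module (an assumption about the tooling) and assumes an authenticated Az session, an existing draft definition, and placeholder values for the subscription id, blueprint name and parameter names:

```powershell
# Added example (not from the book): publish a draft blueprint definition and
# assign it to a subscription with Az.Blueprint cmdlets.
# Assumes Connect-AzAccount has already been run and that the blueprint named
# below exists in draft. Subscription id, names and parameters are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$blueprintName  = 'DemoBlueprint'                          # placeholder

# Steps 11-12: fetch the draft and publish it with a version and change note.
$draft = Get-AzBlueprint -SubscriptionId $subscriptionId -Name $blueprintName
Publish-AzBlueprint -Blueprint $draft -Version '1.0' `
    -ChangeNote 'Initial publish: resource group, policy and role assignment artifacts'

# An assignment must reference a published version, so re-read the latest one.
$published = Get-AzBlueprint -SubscriptionId $subscriptionId -Name $blueprintName -LatestPublished

# Step 13: assign. The system-assigned managed identity needs a location, and
# -Lock applies the blueprint resource lock to everything the assignment deploys.
# The hashtable keys are placeholders for the parameters left unset in step 9.
$parameters = @{
    'allowedLocations' = @('eastus', 'westeurope')   # placeholder parameter
}
New-AzBlueprintAssignment -Name 'DemoBlueprint-assignment' `
    -Blueprint $published `
    -SubscriptionId $subscriptionId `
    -Location 'eastus' `
    -SystemAssignedIdentity `
    -Lock AllResourcesDoNotDelete `
    -Parameter $parameters

# Step 14: check the assignment the same way the Assigned blueprints page does.
Get-AzBlueprintAssignment -Name 'DemoBlueprint-assignment' -SubscriptionId $subscriptionId |
    Select-Object Name, ProvisioningState
```

The lock mode chosen here, AllResourcesDoNotDelete, is the scripted equivalent of the Lock assignment option in Figure 3.29; AllResourcesReadOnly is the stricter alternative and None leaves the deployed resources unlocked.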
Conclusion
In this chapter, you learned how you can control user access to different resources
using RBAC. Now, you can plan to provide only the required access to users, instead of
providing limitless owner or contributor access. You also learned about custom
RBAC, so you can create modified RBAC roles to fulfill business requirements for
additional RBAC roles which are not present in the built-in roles list. With the help
of the Azure resource lock, you learned how to prevent accidental deletion of
your resources. You can set up a standard baseline through Azure Policy to deploy
resources in Azure. You can control the kinds of resources that are allowed, the SKUs that
are allowed or denied, the locations where you can create resources, and much more.
Now, using Azure Blueprints, you can complete repetitive tasks quickly while staying
within the organization’s compliance requirements.
In the next chapter, we will study Azure network security. We will see
the features and services Azure provides to secure your network. We will also study
different connectivity options between Azure and Azure, and between Azure and on-premises
networks.
Multiple choice questions
1. You want to restrict a user to restart a virtual machine. Which Azure service
will you use?
A. Azure resource lock.
B. Azure RBAC.
C. Azure Policy.
D. Azure NSG.
Answer: B
2. You want to restrict the deployment of Azure SQL MI in one of your
subscriptions. Which Azure service will you use?
A. Azure NSG.
B. Azure RBAC.
C. Azure resource lock.
D. Azure Policy.
Answer: D
3. You have a resource lock assigned on one of your resource groups. Even as
an owner, you are not able to remove the lock from one of the resources
under this resource group. What could be the reason for this?
A. You do not have enough privilege to remove the lock.
B. You cannot remove the lock once you have applied it.
C. You need to remove the lock from the parent resource to remove the
inherited lock from the child resource.
D. You need to delete the resource to remove the resource lock.
Answer: C
4. You do not see the required RBAC role in the list of built-in RBAC roles.
What can you do to meet your business requirement?
A. Create a custom Azure Policy.
B. Create a custom RBAC role.
C. You do not have any option and have to use built-in RBAC roles only.
D. You can apply the resource lock to fill the gap of a new RBAC requirement.
Answer: B
5. There are multiple policies assigned to a resource. How will the relative
effect be calculated?
A. The policy with the fewest restrictions will take effect.
B. The policy with the most restrictions will take effect.
C. The effect will be cumulative most restrictive.
D. The effect will be subtractive of all policies.
Answer: C
6. Which of the following is not a type of artifact supported by the Azure
Blueprint?
A. Azure Key Vault
B. Azure Policy
C. Role assignment
D. Resource groups
Answer: A
Chapter 4
Implementing Advanced Network Security
In this chapter, we will identify some important networking features and services
and see how they work in Azure. We start with network security groups, move on to
creating a VPN between your on-premises data center and Microsoft Azure, and finish
with Azure Firewall, with additional services and features covered in between. Some of
the major topics that we will cover include planning to secure your Azure network and
controlling who has access to your Azure network resources. We will look at
application gateway with WAF, Azure Front Door, Azure DDoS protection,
and Azure Firewall. By the end of this chapter, you will have a fundamental
understanding of how you can better secure your Azure networks using the features
and services Azure provides.
After this chapter, you will be able to do secure network planning for your
organization. As described in the preceding paragraph, we will see different network
security services and features, so you will learn how to create and manage them in
Azure.
Structure
In this chapter, we will learn about the following topics:
• Understand Azure Virtual Networking concepts
• Azure Virtual Network connectivity scenarios
• Azure Network Security Group (NSG) and Application Security Group (ASG)
• Configure application gateway to secure app service
• Azure Front Door (AFD) service
• Azure Firewall
• Create, configure, and manage Azure Firewall policy
• Azure Firewall manager
• Shield your Azure Virtual Network with Distributed Denial-of-Service (DDoS) protection
• Remote access management through Azure Bastion
• Service endpoint in Azure
• Azure Resource firewall
• Conclusion
• Multiple choice questions (MCQs)
Objectives
The objective of this chapter is to understand security best practices for Azure
networking. After reading this chapter, you should be able to plan secure networking
for your Azure environment. You will understand how to set up secure
connections between Azure VNets and on-premises networks. You will be able to
set up, configure, and manage Azure Firewall. You will also go through some other
features to safeguard your Azure environment with Azure standard DDoS protection.
Apart from securing infrastructure, you will also learn the methods to secure web
applications by using Azure application gateway and WAF. By the end of this
chapter, you will be able to create and manage Azure Front Door for traffic routing
and load balancing.
Understand Azure Virtual Networking concepts
Networking is a fundamental component of any IT infrastructure. Azure provides
Azure Virtual Network (VNet) to set up secure connections between many types of
resources such as virtual machines, storage, databases, and your on-premises
networks. For a network administrator, Azure VNet is easier to manage because of
its scalability, availability, and isolation. Azure VNet is itself a long and very
detailed topic that could fill several books. We will discuss networking only briefly,
enough to make you comfortable with the network security concepts, but will cover
network security in depth. Let’s discuss the basic definitions and fundamental concepts
of Azure VNet:
• Network address space range: Every Azure VNet must have a private IP
address range. You need to specify this range while creating the Azure VNet.
When you create any resource such as an Azure Virtual Machine, load balancer,
container, and so on, it requires an IP address to communicate and connect
with other resources. The required IP addresses are assigned from this
address range. For example, if you deploy a virtual machine in an Azure
VNet with the address space 192.10.10.0/24, the VM will be assigned a private
IP like 192.10.10.4.
• Network address subnet range: A subnet enables you to segment the Azure
VNet into one or more sub-networks and allocates a portion of the virtual
network’s address space range to each subnet. You can then deploy Azure
resources in a specific subnet.
• Regions or locations: An Azure VNet is scoped to a single region/location,
but Azure provides capabilities to connect multiple virtual networks from
different regions using virtual network peering. Azure VNet is a regional
resource.
• You need to ensure that there is no overlapping of address spaces. This becomes
more important when you plan to extend your on-premises network to
Azure. You need to make sure that your Azure VNet address space does not
overlap with your organization’s other network ranges.
• When you create subnets in your Azure VNet, your subnets should not
cover the entire address space of the VNet. You need to plan address spacing
ahead and reserve some address space for the future. It is better to have a
few large address space ranges than many small VNet ranges.
• By default, all the resources in an Azure VNet can communicate outbound,
and you can access them from the internet by using a public IP. So, it is best
practice to secure your network by using some kind of firewall.
• Communication ways between Azure resources: There are multiple ways
that Azure resources can communicate with each other. A few of them are:
  • Through a virtual network.
  • Through Azure VNet peering (a way to connect two or more Azure VNets).
  • Through service endpoints.
• Communication ways between Azure resources and on-premises resources:
You can set up the following connections to access Azure resources (resources
in an Azure VNet) from on-premises and vice versa. We will discuss a few of
them in the coming sections:
  • Through Azure ExpressRoute.
  • Through an Azure Point-to-Site VPN connection.
  • Through an Azure Site-to-Site VPN connection.
There are multiple ways to create an Azure VNet: through the portal, PowerShell,
and ARM templates. We will see Azure VNet creation in the coming sections.
In this section, we studied the terminology and building blocks of Azure VNet.
These points will help you to understand the coming topics and to plan networking in
your environment.
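The two planning rules above (no overlap with existing ranges, and subnets that leave room to grow) can be checked before anything is deployed. The following is an added example, not code from the book: plain PowerShell with no Az module dependency, so it runs offline. The on-premises ranges and proposed VNet ranges are constructed sample data.

```powershell
# Added example (not from the book): offline IPv4 address-space checks for VNet
# planning. Pure PowerShell; the sample ranges at the bottom are constructed.

function ConvertTo-AddressNumber {
    # Dotted-quad IPv4 -> 64-bit integer (64-bit so shifts never overflow).
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$bytes[0] -shl 24) + ([int64]$bytes[1] -shl 16) +
           ([int64]$bytes[2] -shl 8)  +  [int64]$bytes[3]
}

function Get-CidrBounds {
    # First and last address of a CIDR block as integers, e.g. 10.0.0.0/24 -> 10.0.0.0..10.0.0.255
    param([string]$Cidr)
    $ip, $prefix = $Cidr.Split('/')
    $size  = [int64]1 -shl (32 - [int]$prefix)
    $n     = ConvertTo-AddressNumber $ip
    $start = $n - ($n % $size)          # align to the block boundary
    return [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    # Two ranges overlap when each one starts before the other one ends.
    param([string]$A, [string]$B)
    $a = Get-CidrBounds $A
    $b = Get-CidrBounds $B
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

function Test-VNetPlan {
    # Returns a list of findings for a proposed VNet: overlap with ranges already
    # in use, subnets outside the VNet, and subnets that consume the whole space.
    param(
        [string]$VNetCidr,
        [string[]]$ExistingRanges,
        [string[]]$SubnetCidrs
    )
    $findings = @()
    foreach ($range in $ExistingRanges) {
        if (Test-CidrOverlap $VNetCidr $range) {
            $findings += "VNet $VNetCidr overlaps existing range $range"
        }
    }
    $vnet = Get-CidrBounds $VNetCidr
    $used = [int64]0
    foreach ($subnet in $SubnetCidrs) {
        $sb = Get-CidrBounds $subnet
        if ($sb.Start -lt $vnet.Start -or $sb.End -gt $vnet.End) {
            $findings += "Subnet $subnet lies outside $VNetCidr"
        }
        $used += ($sb.End - $sb.Start + 1)
    }
    $total = $vnet.End - $vnet.Start + 1
    if ($used -ge $total) {
        $findings += "Subnets consume all $total addresses of $VNetCidr; nothing reserved for growth"
    }
    return $findings
}

# Constructed sample: on-premises already uses these two /16 ranges.
$onPremRanges = @('10.0.0.0/16', '10.1.0.0/16')

# Case 1: a VNet carved out of 10.1.0.0/16, which on-premises already owns.
Test-VNetPlan -VNetCidr '10.1.8.0/22' -ExistingRanges $onPremRanges `
    -SubnetCidrs @('10.1.8.0/24', '10.1.9.0/24')

# Case 2: a clean /22, but two /23 subnets fill it completely.
Test-VNetPlan -VNetCidr '10.2.0.0/22' -ExistingRanges $onPremRanges `
    -SubnetCidrs @('10.2.0.0/23', '10.2.2.0/23')

# Case 3: the same /22 with two /24 subnets, leaving half the space reserved.
Test-VNetPlan -VNetCidr '10.2.0.0/22' -ExistingRanges $onPremRanges `
    -SubnetCidrs @('10.2.0.0/24', '10.2.1.0/24')
```

Feeding the function the real on-premises prefixes (the same list that later goes into the local network gateway) turns the "no overlap" rule into a repeatable check rather than a manual comparison.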
Azure VNet connectivity scenarios
We saw that there are different ways to connect an Azure VNet with another Azure
VNet and with on-premises networks. These connectivity methods give you the
capability to access resources in another Azure VNet or in on-premises networks.
We will go through a few connection methods. Since setting up some kinds of
connections, such as Azure ExpressRoute and Azure Site-to-Site, requires you to deploy
and configure physical hardware, a network tunnel, or physical cabling, you will not
be able to set up those connections in your lab. I will try to describe the steps as
clearly as I can.
Setup of Azure VNet to Azure Virtual Network connection
Now that you understand that there can be two kinds of connections from an Azure
VNet, let’s discuss the first scenario, where you will understand how to connect two
Azure VNets. These Azure VNets can be in the same region, in different regions, or in
different subscriptions. We will cover all three scenarios here, and you can also achieve
this in your test environment because it does not need any physical hardware setup.
Azure VNet peering between same and different subscription Azure VNets
In an enterprise environment, you may have multiple subscriptions, and they
may have multiple VNets. This VNet distribution may depend on your business
requirements and architecture. But still, you may want to make connections between
different VNets. So, maybe you have a hub and a spoke VNet and now you want
their resources to connect with each other. Azure provides a beautiful networking
feature for this: VNet peering. By using VNet peering, you can connect multiple Azure
VNets to each other. Once you peer two Azure VNets, resources in both virtual
networks can communicate with each other, with the same latency and bandwidth
as if the resources were in the same virtual network. In this section, we will see two
scenarios: in the first scenario, we will go through VNet peering between multiple
Azure VNets in the same subscription, and in the second scenario, we will see VNet peering
between multiple VNets from different subscriptions.
Creating Azure VNet
Let’s follow these steps to set up Azure VNet peering. In this first example, I am
going to take you through Azure VNet creation as well; you can use the same
Azure VNet creation steps wherever required in the coming sections and chapters:
1. Log in to the Azure portal with the network contributor, subscription contributor, or
subscription owner role.
2. Search for Azure VNet in the search bar and select Virtual network from the search
results.
3. To create a new Azure VNet, click on + Create. This opens a new window
to fill in the required information. Fill in the basic information as shown in the
following figure and described in the following points:
Figure 4.1: Azure VNet creation basic tab information
• Subscription: Select the subscription where you want to deploy this VNet.
• Resource Group: Either you can create a new resource group or use an
existing resource group to accommodate your Azure VNet.
• Name: Give a name to your Azure VNet. It is always advised to use some
naming convention in your environment.
• Region: Select the geographical location where you want to deploy the
Azure VNet. You should choose the geographical location wisely to reduce
latency between the Azure VNet and your on-premises network.
4. After filling the basic details, now move to next tab, IP addresses. Here you
can add multiple IP address ranges to your VNet. These IP address ranges
can be divided further into subnets. Azure VNet supports both IPv4 and
IPv6 address spaces.
Figure 4.2: Azure VNet creation IP addresses tab information
• Address space: Define a network address space in CIDR format. You
can also see the number of IP addresses you get by defining the address
range. You need to keep in mind that this address space must not overlap
with any other address space range in your organization. You can now
define an IPv6 address space as well.
• Subnet: A subnet is a further division of your Azure VNet. Here, you
segment your large network address range. Give a name to the
segment. You can create different segments to manage different kinds of
workloads such as database servers, web servers, app servers, domain
controllers, and so on. You can give any name to a subnet based on your
naming convention, but a few Azure resources, such as the Azure gateway,
need their own subnet, and in that case you have to give the subnet the name
required by the Azure resource. So, if you want to deploy an Azure
gateway, you need to name the subnet GatewaySubnet.
• Subnet Address range: You define the address space allocated to a
particular subnet or segment. You need to choose the address space based
on the number of IPs you require to accommodate your workloads. From
the portal, you can create only one subnet while creating the VNet. You can
create multiple subnets after the VNet is deployed. To do so, click on
+ Subnet in the VNet:
Figure 4.3: Create Azure subnet under Azure VNet
5. After setting up IP address ranges and subnet address ranges, you can now
move to the next tab, Security. Here you can choose some of the network
security services while creating the VNet.
• DDoS protection Standard: By default, basic DDoS protection is enabled
on the Azure side, but you can also opt for standard DDoS protection to
achieve more security based on your business requirement.
• Bastion Host: The Azure Bastion service is a platform-managed service.
It provides secure and seamless RDP/SSH connectivity to your virtual
machines directly in the Azure portal over SSL. When you connect via
Azure Bastion, your virtual machines do not need a public IP address.
• Firewall: As I said in the previous section, you should protect your
network with some kind of firewall. By enabling this option, you can
either create a new Azure Firewall or use an existing one to protect
your Azure VNet.
6. Once you have filled all details, click on Create.
Now your Azure VNet is created. You can use this VNet for connectivity and security
features demos.
Create Azure VNet peering between Azure VNets
In this section, we will see how to set up peering between two Azure VNets. To
enable Azure VNet peering, you should have two or more Azure VNets. You
can use the same preceding steps to create another Azure VNet. I created another
VNet by the name Jay-RG-VNet. Follow these steps to peer two VNets:
1. To peer them, you can choose any of the Azure VNets which you created
in the preceding steps. Here, let’s choose DemoVNet1.
2. Go to the Azure VNet, scroll down to Peerings under Settings and click on
+ Add.
3. Once you click on Add, a new window opens; fill in the details there:
Figure 4.4: Create Azure VNet peering between two virtual networks 1
• Peering link name: You need to define the peering name for the peering
from your first VNet to the second VNet.
• Traffic to remote virtual network: Select this option if you wish to allow
communication between the two virtual networks. This allows the test-rg-vnet
address space to be included as part of the Virtual_Network tag.
• Traffic forwarded from remote virtual network: This setting allows
forwarded traffic from test-rg-vnet (traffic not originating from inside
test-rg-vnet) into DemoVNet1.
• Virtual network gateway or Route Server: Allow gateway transit comes
into the picture when you have a site-to-site connection between your on-premises
network and one of your Azure VNets (let’s say DemoVNet1).
Now you can extend the site-to-site connection to another Azure VNet
(test-rg-vnet) as well, just by peering it with DemoVNet1 and enabling the
Allow gateway transit feature. Although test-rg-vnet does not have a
direct site-to-site connection with the on-premises network, its
resources will still be able to access on-premises resources through DemoVNet1.
Figure 4.5: Create Azure VNet peering between two virtual networks 2
• Peering link name: You need to define the peering name for the peering
from your second VNet to the first VNet.
• VNet deployment model: You can also create peering between Resource
Manager based and classic VNets. So here, select the deployment
model of your second VNet. If you want to peer an Azure Classic VNet,
then select the option Classic.
• Now select the target or second Azure VNet which you want to peer with
DemoVNet1. To select the target Azure VNet, you need to first select the
subscription of the target Azure VNet and then the name of the target Azure
VNet. Here you need to pay attention: by selecting the subscription, you
can peer two Azure VNets from two different subscriptions as well. If you
select a subscription other than your current subscription, you will get the
list of Azure VNets from that other subscription and you can choose any of
them to peer with your first Azure VNet. So, here we cover both of our
peering scenarios.
4. Once you fill in all these details, click on OK. You can see the peering status in
both the Azure VNets. You can create multiple peerings by clicking + Add:
Figure 4.6: Status of VNet peering
In this section, we studied VNet peering between two Azure VNets. In the same way,
you can create peering between any other two VNets.
Let’s say you have three Azure VNets: VNet A, VNet B, and VNet C. If you peer
VNet A with VNet B, and VNet B with VNet C, that means resources of VNet A and
resources of VNet B can access each other. Similarly, resources of VNet B and
resources of VNet C can access each other. But since VNet A and VNet C are not
peered with each other, resources of VNet A and VNet C cannot access each
other. You will need to set up a dedicated peering between VNet A and VNet C to
let them access each other’s resources.
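The VNet creation and peering steps above, including the cross-subscription variant and the non-transitive behaviour just described, look like this with the Az PowerShell module. This is an added example, not code from the book; it assumes an authenticated Az session, an existing resource group (the name Jay-RG, the region, and all address ranges are placeholders), and a remote subscription id that is also a placeholder.

```powershell
# Added example (not from the book): create two VNets and peer them in both
# directions with the Az module. Assumes Connect-AzAccount has been run, the
# resource group exists, and the caller holds Network Contributor on every VNet
# involved. Names, region and address ranges are placeholders.
$rg       = 'Jay-RG'     # placeholder resource group
$location = 'eastus'     # placeholder region

# First VNet: one workload subnet plus the fixed-name GatewaySubnet, which a
# later virtual network gateway requires (the name cannot be anything else).
$subnetsA = @(
    (New-AzVirtualNetworkSubnetConfig -Name 'app'           -AddressPrefix '10.10.1.0/24'),
    (New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27')
)
$vnetA = New-AzVirtualNetwork -Name 'DemoVNet1' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.10.0.0/16' -Subnet $subnetsA

# Second VNet with a non-overlapping range.
$subnetB = New-AzVirtualNetworkSubnetConfig -Name 'db' -AddressPrefix '10.20.1.0/24'
$vnetB   = New-AzVirtualNetwork -Name 'DemoVNet2' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.20.0.0/16' -Subnet $subnetB

# Peering is two one-way links: each VNet gets its own peering object that
# points at the other VNet's resource id. -AllowForwardedTraffic is the
# "Traffic forwarded from remote virtual network" option; gateway transit is
# deliberately left off here.
Add-AzVirtualNetworkPeering -Name 'DemoVNet1-to-DemoVNet2' -VirtualNetwork $vnetA `
    -RemoteVirtualNetworkId $vnetB.Id -AllowForwardedTraffic
Add-AzVirtualNetworkPeering -Name 'DemoVNet2-to-DemoVNet1' -VirtualNetwork $vnetB `
    -RemoteVirtualNetworkId $vnetA.Id -AllowForwardedTraffic

# A VNet in another subscription is peered the same way; only the remote id
# changes. The subscription id, resource group and VNet name are placeholders.
$remoteSubscription = '11111111-1111-1111-1111-111111111111'
$remoteVNetId = "/subscriptions/$remoteSubscription/resourceGroups/Other-RG" +
                "/providers/Microsoft.Network/virtualNetworks/DemoVNet3"
Add-AzVirtualNetworkPeering -Name 'DemoVNet2-to-DemoVNet3' -VirtualNetwork $vnetB `
    -RemoteVirtualNetworkId $remoteVNetId
# The matching DemoVNet3-to-DemoVNet2 link has to be created in the other
# subscription. DemoVNet1 still has no path to DemoVNet3: peering is not transitive.

# Both sides must report PeeringState = Connected. A state of Initiated means
# the reverse link has not been created yet.
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'DemoVNet1' |
    Select-Object Name, PeeringState, AllowForwardedTraffic, AllowGatewayTransit
```

Checking PeeringState on both VNets is the scripted equivalent of Figure 4.6; a peering that shows Connected on only one side is the usual sign that the second, reverse peering was never added.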
Azure VNet to Azure VNet (in same Azure subscription) connectivity through IPsec/IKE tunnel
In the previous section, we studied Azure VNet peering. There is another
way to connect two Azure VNets: through an IPsec/IKE tunnel. This kind of connection
is mostly used when you want to connect two VNets from two different tenants. In
this section, you will understand how you can connect Azure VNets by using the
VNet-to-VNet connection type. These Azure VNets can be in the same or different
regions, and from the same or different subscriptions. This type of connectivity
uses a VPN gateway to provide a secure tunnel using IPsec/IKE. In this chapter,
we will connect Azure VNets from the same subscription. If the Azure VNets are in the
same subscription, then you can connect them from the portal, but if the Azure VNets are in
different subscriptions, then you need to use Azure PowerShell.
Create Azure Virtual Network gateway
You require two Azure VNets in the same subscription. You already know the
process to create an Azure VNet. You can use the steps from the preceding section to create
new Azure VNets. I am using DemoVNet1 and DemoVNet2 for this exercise.
A VNet-to-VNet connection uses the Azure Virtual Network gateway as an edge device.
You need to have an Azure Virtual Network gateway in each Azure VNet which you
want to connect through an Azure VNet-to-VNet connection. The gateway advertises
your Azure VNet’s IP address ranges to the other Azure VNet. The virtual network
gateway needs to be deployed in a specific subnet that is called the gateway subnet.
Follow these steps to create a gateway subnet and a virtual network gateway in each VNet:
1. Once you have created Azure VNets, go to Azure VNet and click on Subnets.
2. You will see the available subnets and an option to create new subnets. To create a
gateway subnet, click on + Gateway subnet.
3. A new blade opens to fill in the details. It does not give an option to change the
subnet name. You can choose an address range for your gateway subnet. It is
recommended to have at least a /27 or /28 address range.
4. Click on OK once you have filled in the details.
5. You can use the same steps to create a gateway subnet for the other Azure VNet
as well:
Figure 4.7: Create gateway subnet under Azure Virtual Network
6. Under Subnets, you can now see the newly created gateway subnet in both
VNets.
7. Now you have the required setup to create a virtual network gateway. Search for
virtual network gateway in the Azure Marketplace. Fill in the following details:
Figure 4.8: Create Azure Virtual Network gateway 1
8. Select the Azure subscription where you have your Azure VNet.
9. The resource group will be the same as your Azure VNet’s and will be auto
populated when you select your Azure VNet in the coming fields.
10. Give a meaningful name to identify this virtual network gateway.
11. Select the Azure region where your Azure VNet has been created.
12. For a VNet-to-VNet connection, you need to select VPN as the Gateway type.
13. Select the Route-based VPN type.
14. There are different SKUs available for this gateway which support different
bandwidths. You can select the appropriate SKU based on your bandwidth
requirement.
15. Select Generation 1. There was only one generation option at the time of
writing this book:
Figure 4.9: Create Azure Virtual Network gateway 2
16. In the Virtual network field, select the VNet for which you want to set up
connection.
17. Once you select the VNet, the respective gateway subnet gets populated.
18. Virtual network gateway needs a public IP, you can either use an existing
public IP or can create a new public IP.
19. Enable active-active mode, if you want high availability with load balancing
for your virtual network gateway. This will ask you to create another public
IP.
20. You can assign tags to any Azure resource. Tags can be used for different
purposes such as billing, owners, application, and so on.
21. Click on Review and create. It will take around 45 minutes to deploy this
virtual network gateway.
Follow the same process to create a virtual network gateway for the other Azure VNet.
Once you have virtual network gateways created for the VNet-to-VNet connection, you
can move to the next step to establish a connection between these gateways.
When you are working with gateway subnets, avoid associating a network security
group (NSG) to the gateway subnet. Associating a network security group to this
subnet may cause your virtual network gateway (VPN, ExpressRoute gateway) to
stop functioning as expected.
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud
over a private connection facilitated by a connectivity provider. It provides Layer
3 connectivity between your on-premises network and the Microsoft Cloud. With
ExpressRoute, you can establish connections to Microsoft cloud services, such
as Microsoft Azure and Office 365. ExpressRoute connections do not go over the
public internet. This allows ExpressRoute connections to offer more reliability,
faster speeds, consistent latencies, and higher security than typical connections
over the internet.
Creating Azure network gateway connection
When the virtual network gateways for both DemoVNet1 and DemoVNet2 have
deployed successfully, you can create virtual network gateway connections. In this
section, you will create a connection from DemoVNet1 to DemoVNet2. These steps
work only for the VNets in the same subscription. If your VNets are in different
subscriptions, you must use PowerShell to make the connection:
1. In Azure resources, search for DemoVNet1_VNetGateway and go to the gateway:
Figure 4.10: Overview of Azure Virtual Network gateway
2. On the Overview page, you will see the details about the virtual network
gateway. Go to Connections under Settings.
3. In the Connections panel, you get an option to create a new connection; click on
+ Add.
4. Once you click on + Add to create a new connection, a new blade opens as
shown in the following figure. Fill in the details.
5. In the Name field, put the name of the connection.
6. Since this virtual network gateway can be used for other connection types
as well, select the VNet-to-VNet connection type from the drop-down.
7. First virtual network gateway is already populated.
8. In second virtual network gateway, select your second virtual network
gateway.
9. Shared key is a mixture of letters and numbers, used to establish encryption
for the connection. The same shared key must be used in both the virtual
network gateways. You can give any random string here and make sure you
provide same string when you create connection from second VNet gateway
to first VNet gateway.
10. Keep the other things default and click on OK:
Figure 4.11: Create connection between Azure Virtual Network gateways
11. When you go to DemoVNet2_VNetGateway, you will see the previous
connection already there. That is unidirectional, so you need to create another
connection from DemoVNet2_VNetGateway to DemoVNet1_VNetGateway. Follow
the same preceding steps to create the connection from DemoVNet2_VNetGateway
to DemoVNet1_VNetGateway.
12. It will take some time, but both the connections will get connected:
Figure 4.12: Status of Azure Virtual Network gateway connection
As shown in the preceding figure, after some time, when you go to either of the
virtual network gateways and then to Connections, you will find two
connections in the Connected state.
With the preceding steps, you have connected both Azure VNets. The resources
in each VNet will be able to communicate with each other. You can use the same virtual
network gateways to make connections with other VNets.
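The gateway deployment (steps 7 to 21) and the two one-way connections (steps 1 to 12) can be scripted with the Az module, which is also the route the text mentions for VNets in different subscriptions. This is an added example, not code from the book; it assumes an authenticated Az session, that DemoVNet1 and DemoVNet2 already exist in a resource group named Jay-RG (a placeholder) with a GatewaySubnet each, and that both VNets are in the same subscription.

```powershell
# Added example (not from the book): deploy a route-based VPN gateway in each
# VNet and join them with a VNet-to-VNet IPsec/IKE connection in both directions.
# Assumes Connect-AzAccount has been run and both VNets have a GatewaySubnet.
$rg       = 'Jay-RG'   # placeholder resource group
$location = 'eastus'   # placeholder region

function New-DemoVpnGateway {
    # Creates a static public IP plus a route-based VpnGw1 gateway in the VNet's
    # GatewaySubnet. Gateway deployment can take up to around 45 minutes.
    param([string]$VNetName)
    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $rg
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    $pip    = New-AzPublicIpAddress -Name "$VNetName-gw-pip" -ResourceGroupName $rg `
                -Location $location -AllocationMethod Static -Sku Standard
    $ipcfg  = New-AzVirtualNetworkGatewayIpConfig -Name "$VNetName-gw-ipcfg" `
                -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
    # Gateway type VPN and route-based VPN type, as in steps 12 and 13.
    New-AzVirtualNetworkGateway -Name "${VNetName}_VNetGateway" -ResourceGroupName $rg `
        -Location $location -IpConfigurations $ipcfg `
        -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
}

$gw1 = New-DemoVpnGateway -VNetName 'DemoVNet1'
$gw2 = New-DemoVpnGateway -VNetName 'DemoVNet2'

# One shared key, generated once and reused for both directions rather than
# typed by hand; both connections must carry exactly the same value.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$sharedKey = [Convert]::ToBase64String($keyBytes)

# A gateway connection is unidirectional, so create one from each side (step 11).
New-AzVirtualNetworkGatewayConnection -Name 'DemoVNet1-to-DemoVNet2' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw2 `
    -ConnectionType Vnet2Vnet -SharedKey $sharedKey
New-AzVirtualNetworkGatewayConnection -Name 'DemoVNet2-to-DemoVNet1' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw2 -VirtualNetworkGateway2 $gw1 `
    -ConnectionType Vnet2Vnet -SharedKey $sharedKey

# Step 12: both connections should eventually report ConnectionStatus = Connected.
'DemoVNet1-to-DemoVNet2', 'DemoVNet2-to-DemoVNet1' | ForEach-Object {
    Get-AzVirtualNetworkGatewayConnection -Name $_ -ResourceGroupName $rg |
        Select-Object Name, ConnectionType, ConnectionStatus
}
```

The shared key never needs to be displayed: it is generated in the session, passed to both connections, and discarded with the variable, which is preferable to pasting a hand-typed string into two portal blades.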
You cannot manage classic subscription account administrator, service
administrator, and co-administrator roles through Azure AD PIM. Except
Exchange administrator and SharePoint administrator roles other Exchange
Online or SharePoint Online roles are not represented in Azure AD so they cannot
be managed in PIM.
Azure VNet to on-premises network connection
In this section, you will understand how to use the Azure portal to create a site-to-site VPN gateway connection from your on-premises network to the Azure VNet. A
site-to-site VPN gateway connection is used to connect your on-premises network
to an Azure VNet over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of
connection requires a VPN device located on-premises that has an externally
facing (public) IP address assigned to it.
You need to make sure that you have a compatible public-facing VPN device in your
on-premises network. You can get the list of compatible VPN devices from the Microsoft
site. This VPN device should have a public IPv4 address. You should have someone
who can configure this VPN device to set up the connection with the Azure VNet. If you
do not have an on-premises network available, it will be difficult to test this
scenario in your lab. You require the following resources to set up a site-to-site
connection between an on-premises network and an Azure VNet:
• On-premises network.
• On-premises VPN device with an IPv4 public IP.
• Azure virtual network (IP address range should not overlap with the on-premises network IP address range).
• Azure Virtual Network gateway.
• Local network gateway.
From the preceding list, only the local network gateway will be new to you in this
section. I will be using my old Azure VNet DemoVNet1 to set up this site-to-site
connection. You can prepare your Azure environment by creating the Azure VNet and
Azure VNet gateway.
I assume that you already have your on-premises network and have also created the
Azure VNet and virtual network gateway. To set up the site-to-site connection, our next
step is to create the local network gateway.
Creating local network gateway
The local network gateway refers to your on-premises location. You give the site
a name by which Azure can refer to it. Then you specify the IP address of the on-premises
VPN device to which you will create a connection. You also specify the IP
address prefixes that will be routed through the VPN gateway to the VPN device. The
address prefixes you specify are the prefixes located on your on-premises network.
Follow these steps to create the local network gateway:
1. Log in to the Azure portal and search for local network gateway, then click on + Add.
2. Once you click on + Add, a new blade opens and there you need to fill in the
details of your on-premises network:
• Name of the on-premises site.
• Public IP of your on-premises VPN terminal device.
• Network address range of your on-premises network. You can add multiple address ranges.
• Select the subscription where you want to deploy this local network gateway.
• Resource group and location of the local network gateway:
Figure 4.13: Create local network gateway
3. Click on Create.
It will take some time to complete the deployment of local network gateway. Once
the deployment is completed, your on-premises network’s representative is ready
in Azure.
Creating Azure network gateway connection
Although you know from the previous section how to create an Azure Virtual Network
gateway connection, there is a slight change in configuration, which we will cover here.
1. Go to the Azure Virtual Network gateway, in our case DemoVNet1_VNetGateway,
and select Connections under Settings.
2. You get an option to add a new connection. A new blade opens to fill in the
details:
• Give a name to this connection.
• Select Site-to-site from the Connection type drop-down.
• The virtual network gateway is already selected.
• Choose the local network gateway which you created in the previous section.
• Give a complex shared key.
• Keep the remaining settings as default:
Figure 4.14: Create connection with local network gateway
3. Click on OK to create the connection.
Once the connection is created, it means that a tunnel setup has been initiated between
the Azure VNet and the on-premises network.
Configuring on-premises VPN device
Site-to-site connections to an on-premises network require a VPN device. In this
section, you configure your VPN device. When you are configuring your VPN
device, you need the following:
• A shared key. This is the same shared key that you specified when creating
your site-to-site VPN connection in the previous section.
• The public IP address of your virtual network gateway. You can view the
public IP address by using the Azure portal. To find the public IP address
of your virtual network gateway using the Azure portal, navigate
to Virtual network gateways, then click the name of your gateway.
• You can use the Microsoft official link to help you download VPN device
configuration scripts:
Figure 4.15: Status of connection between on-premises network and Azure
Once on-premises VPN is configured, your connection status will become connected
and you will be able access Azure resources from on-premises network and vice
versa.
Azure Network Security Group (NSG) and
Application Security Group (ASG)
Whether on-premises or in an Azure network, you need to allow and deny certain traffic. A Network Security Group (NSG) gives you the capability to allow and deny network traffic according to your requirements. NSG is one of the traffic filtering services in Azure. By using an NSG, you can allow and deny network traffic to and from Azure resources in an Azure VNet. An NSG contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. Each NSG rule is made of several components that decide whether traffic is allowed or denied. In this section, we go through the components of security rules and the creation and management of NSGs.
You can associate an NSG with a network interface card (NIC) and/or with a virtual network subnet. An NSG is a stateful filter: if an inbound flow is allowed, the reply traffic for that flow is allowed automatically, so you do not need a matching outbound rule for it.
Components of network security rule
An NSG can have multiple security rules. Each rule is built from the following components, which you need to understand in order to use them:
• Name: Name of the security rule.
• Priority: Each NSG can have multiple security rules, and each rule is assigned a priority number between 100 and 4096. Rules are processed in priority order: lower numbers are processed before higher numbers, because a lower number means a higher priority. Once traffic matches a security rule, processing stops, so a more specific rule must carry a lower number than the broad rule it is meant to override. The default rules use priorities 65000 and above, which is why any custom rule always takes precedence over them.
• Source: This defines the source of the traffic. You can set it to Any (any public or private IP address or service), an individual IP address, an IP address range in classless inter-domain routing (CIDR) format (for example, 192.0.0.0/8), a service tag, or an application security group. NSGs are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. In practice this means the destination of an inbound rule and the source of an outbound rule are always a VM's private IP address, never its public IP address. We cover service tags and application security groups in depth in the coming sections.
• Destination: This defines the destination of the traffic. It has the same options as the source: Any (any public or private IP address or service), an individual IP address, an IP address range in CIDR format (for example, 192.0.0.0/8), a service tag, or an application security group.
• Protocol: While creating a network security rule, you can also restrict traffic by protocol. You can select TCP, UDP or ICMP, or use Any as a wildcard.
• Port range: Once you have chosen the protocol, you can select the destination ports. You can specify multiple ports or ranges separated by commas (80, 443, 1443, 300-1000) or a single range (1000-5000).
• Direction: A security rule applies to one of two traffic flows, inbound or outbound. For an inbound rule, the destination is your private network, and for an outbound rule, the source is your private network.
• Action: Each rule has an action: Allow or Deny.
NSG security rules are evaluated strictly by priority. When an NSG is created, Azure adds a few default security rules in both the inbound and outbound direction. These default rules cannot be deleted, but you can override them by creating rules with a lower priority number, that is, a higher priority.
Azure Virtual Network service tags
Azure services are reached through public IP addresses that Microsoft manages and controls. Microsoft can change these public IPs as its requirements change, without informing customers, so it is difficult to keep track of them while writing a network rule that allows access to a PaaS service. Microsoft therefore came up with the concept of service tags. A service tag represents a group of IP address prefixes for a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as the addresses change.
You can use service tags in network security groups or in Azure Firewall. Instead of using specific IP addresses, it is recommended to use service tags. By specifying the service tag name in the source or destination field of a rule, you control (Allow or Deny) the traffic for the corresponding Azure service.
Service tags also save you from having to allow all internet traffic just to reach a few Azure services. You can use service tags to achieve network isolation and protect your Azure resources from the general internet. Note that a service tag covers the whole service, not just your own resources: a rule that allows outbound traffic to the Storage tag allows traffic to any storage account in that service, including accounts in other tenants. Regional tags such as Storage.WestUS narrow the range; restricting traffic to your own accounts requires private endpoints or an FQDN-aware firewall.
Traffic flow through Azure NSGs
An Azure VNet can accommodate many resources from several Azure services. As we studied in the previous section, NSGs can be associated with virtual network subnets and with network interfaces. Each subnet and each network interface can have zero or one NSG associated with it, and the same NSG can be associated with as many subnets and network interfaces as you like.
The following diagram shows different scenarios for how network security groups might be deployed to allow network traffic to and from the internet over TCP port 443:
Figure 4.16: Traffic flow through NSG
Refer to the preceding diagram, along with the following text, to understand how Azure processes inbound and outbound rules for NSGs.
Inbound traffic
For incoming traffic, Azure evaluates the subnet-level NSG rules first and then the network interface-level rules. Here we see how you should plan NSG rules to allow incoming traffic from the internet on port 443:
• VM1: VM1 has NSGs at both places, at the subnet level and at the NIC level. To access VM1 from the internet over port 443, the security rules in Subnet1_NSG are processed first, because it is associated with Subnet1 and VM1 is in Subnet1. If Subnet1_NSG does not have a rule that allows port 443 inbound, the traffic is denied by its DenyAllInbound default rule. Although VM1 has NIC1_NSG at the NIC level, NIC1_NSG is never evaluated because the traffic was already denied at the subnet level. If Subnet1_NSG does have a rule that allows port 443, the traffic is then processed by NIC1_NSG, where the same logic applies: without an explicit allow rule it is denied by DenyAllInbound. To allow incoming traffic on port 443, the virtual machine must have a rule that allows port 443 from the internet in both Subnet1_NSG and NIC1_NSG.
• VM2: VM2 does not have an NSG at the NIC level, but since VM2 also resides in Subnet1, the Subnet1_NSG rules apply to VM2. To access VM2 from the internet, only the rules in Subnet1_NSG are processed. Since VM2 has no NSG on its NIC, it receives all traffic allowed by Subnet1_NSG and is denied all traffic denied by Subnet1_NSG. When an NSG is associated with a subnet, the same rules apply to every resource in that subnet.
• VM3: VM3 resides in Subnet2 and only has an NSG at the network interface level. There is no NSG associated with Subnet2, so all incoming traffic is allowed into the subnet, and the traffic to VM3 is evaluated only by NIC1_NSG.
• VM4: VM4 resides in Subnet3. There is no NSG at either the subnet or the network interface level for VM4, so all traffic is allowed to VM4. If no NSG is associated with a subnet or a network interface, all network traffic is allowed through it.
Outbound traffic
For outbound traffic, Azure evaluates the network interface-level NSG rules first and then the subnet-level rules. We again refer to Figure 4.16 to understand NSG rule processing. Here we see how you should plan NSG rules to block outbound traffic to the internet on port 443:
• VM1: VM1 resides in Subnet1 and has NSGs at both the subnet and the network interface level. For any outbound connection, the NIC1_NSG rules are processed first. Outbound traffic to the internet is allowed by the default rule AllowInternetOutbound in both Subnet1_NSG and NIC1_NSG. To block outbound traffic on port 443, you need to create a security rule that denies port 443 outbound to the internet. If NIC1_NSG has a rule that denies port 443, the traffic is denied and never evaluated by Subnet1_NSG. To deny port 443 from the virtual machine, either one or both of the NSGs must have a rule that denies port 443 to the internet.
• VM2: VM2 also resides in Subnet1 but has no NSG at the network interface level, so all traffic goes to the subnet and is evaluated by Subnet1_NSG only. If Subnet1_NSG has a deny rule for port 443, the outbound traffic is blocked; otherwise it is allowed by the default rule AllowInternetOutbound.
• VM3: VM3 resides in Subnet2 and only has an NSG at the network interface level; there is no NSG at the subnet level. If NIC1_NSG has a security rule that denies port 443, the traffic is denied; if NIC1_NSG allows port 443, port 443 is allowed outbound to the internet.
• VM4: VM4 resides in Subnet3 and has no NSG associated with it, neither at the subnet nor at the network interface level. All network traffic is allowed from VM4 because no NSG rule applies to it.
Intra-subnet traffic
By default, resources in the same subnet can communicate with each other without any specific NSG rule, because the default rule AllowVnetInbound allows traffic whose source and destination are both in the VirtualNetwork service tag. You can restrict this communication with NSG rules. For example, if you add a rule to Subnet1_NSG that denies all inbound and outbound traffic between VirtualNetwork addresses, VM1 and VM2 can no longer communicate with each other. A rule with a lower priority number would then have to be added specifically to allow the traffic you still need.
You can easily view the aggregate rules applied to a network interface by viewing the effective security rules for that network interface. You can also use the IP flow verify capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. IP flow verify tells you whether communication is allowed or denied, and which network security rule allows or denies the traffic.
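The rule components, the Internet and VirtualNetwork service tags, and the inbound and outbound evaluation order described above can be exercised with the following simulator. It is an added example written for this guide, not code from the book or from Azure. It models the VM1..VM4 layout of Figure 4.16; the 10.0.0.0/16 address space, the VM addresses, the rule names, the internet client address and the DataASG application security group are constructed assumptions (the ASG is included so that the ASG behaviour covered later in this chapter is visible in the same evaluation logic).

```python
"""Added example (not from the book): simulates how Azure evaluates NSG rules for
the VM1..VM4 layout of Figure 4.16. Addresses, rule names and DataASG are constructed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

VNET = ip_network("10.0.0.0/16")          # constructed VNet range
ASGS = {"DataASG": {"10.0.1.5"}}          # ASG name -> member NIC private IPs (constructed)

# priority: custom rules 100-4096, Azure defaults 65000+; source/dest: "*", CIDR,
# service tag or ASG name; dest_ports: "*", "443", "80,443" or "300-1000".
Rule = namedtuple("Rule", "name priority direction access protocol source dest dest_ports",
                  defaults=("*", "*", "*", "*"))
Flow = namedtuple("Flow", "src dst protocol dst_port")

def default_rules(direction: str) -> List[Rule]:
    """Built-in rules present in every NSG; they cannot be deleted, only out-prioritised."""
    if direction == "Inbound":
        return [Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
                Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer"),
                Rule("DenyAllInBound", 65500, "Inbound", "Deny")]
    return [Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
            Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
            Rule("DenyAllOutBound", 65500, "Outbound", "Deny")]

def addr_match(token: str, ip: str) -> bool:
    """Match '*', the service tags used here, an ASG name or a CIDR prefix (simplified)."""
    addr = ip_address(ip)
    if token == "*":
        return True
    if token == "VirtualNetwork":
        return addr in VNET
    if token == "Internet":            # simplified: anything outside the VNet
        return addr not in VNET
    if token == "AzureLoadBalancer":   # the platform health-probe source address
        return ip == "168.63.129.16"
    if token in ASGS:                  # an ASG in a rule only matches member NICs
        return ip in ASGS[token]
    return addr in ip_network(token, strict=False)

def port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate_nsg(rules: Sequence[Rule], direction: str, flow: Flow) -> Tuple[str, str]:
    """First match in ascending priority wins; everything after it is ignored."""
    assert all(100 <= r.priority <= 4096 for r in rules), "custom rule priority must be 100-4096"
    ordered = sorted([r for r in rules if r.direction == direction] + default_rules(direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if ((r.protocol == "*" or r.protocol.lower() == flow.protocol.lower())
                and addr_match(r.source, flow.src) and addr_match(r.dest, flow.dst)
                and port_match(r.dest_ports, flow.dst_port)):
            return r.access, r.name
    raise RuntimeError("unreachable: a DenyAll default rule always matches")

def decide(direction: str, flow: Flow, subnet_nsg: Optional[Sequence[Rule]],
           nic_nsg: Optional[Sequence[Rule]]) -> Tuple[str, List[str]]:
    """Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG. First Deny ends it."""
    levels = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "Outbound":
        levels.reverse()
    trace = []
    for label, rules in levels:
        if rules is None:
            trace.append(f"{label}: no NSG, traffic passes")
            continue
        access, name = evaluate_nsg(rules, direction, flow)
        trace.append(f"{label}: {access} by {name}")
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace

# Constructed layout: Subnet1 holds VM1 and VM2, Subnet2 holds VM3, Subnet3 holds VM4.
SUBNET1_NSG = [Rule("Allow_HTTPS_In", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
               Rule("Allow_SQL_To_DataASG", 110, "Inbound", "Allow", "Tcp", "VirtualNetwork", "DataASG", "1433"),
               Rule("Deny_SQL_In", 120, "Inbound", "Deny", "Tcp", "VirtualNetwork", "*", "1433")]
NIC1_NSG = [Rule("Deny_HTTPS_Out", 100, "Outbound", "Deny", "Tcp", "*", "Internet", "443")]
VMS = {"VM1": ("10.0.1.4", SUBNET1_NSG, NIC1_NSG), "VM2": ("10.0.1.5", SUBNET1_NSG, None),
       "VM3": ("10.0.2.4", None, NIC1_NSG), "VM4": ("10.0.3.4", None, None)}
INTERNET_HOST = "203.0.113.10"   # constructed internet client

def internet_flow(vm: str, direction: str, port: int = 443) -> Tuple[str, List[str]]:
    """Inbound: internet host -> VM on the given port. Outbound: VM -> internet host."""
    ip, subnet_nsg, nic_nsg = VMS[vm]
    flow = Flow(INTERNET_HOST, ip, "Tcp", port) if direction == "Inbound" else Flow(ip, INTERNET_HOST, "Tcp", port)
    return decide(direction, flow, subnet_nsg, nic_nsg)

def intra_subnet(src_vm: str, dst_vm: str, port: int, extra: Sequence[Rule] = ()) -> str:
    """VM-to-VM traffic inside Subnet1, optionally with extra rules added to Subnet1_NSG."""
    flow = Flow(VMS[src_vm][0], VMS[dst_vm][0], "Tcp", port)
    return decide("Inbound", flow, list(SUBNET1_NSG) + list(extra), VMS[dst_vm][2])[0]
```

Calling internet_flow("VM1", "Inbound") returns a Deny with the trace "subnet: Allow by Allow_HTTPS_In" followed by "nic: Deny by DenyAllInBound", which is the VM1 case above: the subnet NSG allows port 443 but NIC1_NSG has no matching allow rule, so its default deny wins. VM2 gets Allow because the NIC level is skipped, VM3 gets Deny from the NIC NSG alone, and VM4 gets Allow with no NSG at all. For outbound traffic the same calls show NIC1_NSG's Deny_HTTPS_Out stopping evaluation before Subnet1_NSG is consulted. The Deny_SQL_In rule at priority 120 sits behind the ASG rule at 110, so a VM in DataASG still receives SQL traffic while its neighbour in the same subnet does not; adding a VirtualNetwork-to-VirtualNetwork deny rule through the extra parameter of intra_subnet reproduces the intra-subnet case, and because that deny carries a higher number than 110 the SQL traffic to DataASG still passes. This is the kind of ordering question IP flow verify answers for a real NIC.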
Create, configure, and manage Azure NSGs
In the preceding sections, you went through the building blocks and functionality of NSGs. In this section, you learn how to create, configure, and manage NSGs. It is recommended that you associate an NSG with a subnet or with a network interface, but not both, since the rules in an NSG associated with a subnet can conflict with the rules in an NSG associated with a network interface. This can lead to unexpected communication problems that require troubleshooting.
You need the Network Contributor built-in Azure RBAC role, or a custom role with the equivalent Microsoft.Network/networkSecurityGroups/* permissions, to work on NSGs. This is an Azure resource role, not an Azure AD directory role, and it should be granted at the narrowest scope (resource group or resource) that the job requires.
Create Azure NSG
Follow these steps to create an NSG:
1. Log in to the Azure portal, search for Network security groups and click + Add to create a new NSG.
2. A new blade opens. Fill in the details shown as follows:
• Select the subscription.
• Choose an existing resource group, or create a new resource group from here.
• Give the NSG a meaningful name, as per your naming convention.
• Select the region where you want to create this NSG. An NSG can only be associated with subnets and network interfaces in the same region, so create it in the region of your virtual network:
Figure 4.17: Create network security group
3. Once you have filled in the required details, click Create. A new NSG is created.
Configure Azure NSG
In the previous section, you created an NSG. You can find it by searching for its name or under the NSG list. A newly created NSG only has the default security rules, and it is not yet associated with any network interface or subnet. You need to create rules as per your requirements for network traffic, and you also need to associate the NSG with a subnet or a network interface before it has any effect:
Figure 4.18: Azure NSG overview
The preceding figure shows the overview of the NSG created in the previous section. It shows the default NSG rules and the various options to configure and manage the NSG. We go through those options in this section:
• Activity log: The Activity log section stores the logs of every control-plane operation on this NSG. If there is any modification to the NSG configuration, an entry is recorded in the Activity log. You can feed activity logs into Azure alerts or any other monitoring tool to get notifications and alerts. The activity log is kept for 90 days in the portal, so send it to a Log Analytics workspace or a storage account if you need longer retention, and alert on rule changes (for example, a new rule allowing inbound traffic from the internet) as part of your detection coverage:
Figure 4.19: Azure NSG activity logs
I created some inbound and outbound security rules in the NSG, and my activities were captured under Activity logs. You can see who did what and when.
• Access control (IAM): Here, you define who can control and manage the NSG. It is important to manage this access very carefully, because you do not want everyone to be able to change the rules; a user who can edit an NSG can open a path from the internet to every VM behind it:
Figure 4.20: Manage access control over Azure NSG
You can assign the required role to users by selecting the Add role assignment option.
• Inbound security rules: Here, you define what kind of incoming traffic is allowed and blocked. While creating the rules you need to provide information such as priority, name of the rule, port range, protocol name, source, destination, and action. We discussed all of these in the previous section:
Figure 4.21: Create inbound rule in Azure NSG
In the preceding figure, I allowed incoming traffic from any source to any destination on ports 80 and 443. The priority of this rule is 100 and I gave it the name Allow_Internet. In the Service field, you can select a predefined service; the respective port and protocol are then selected automatically. For example, if I had selected HTTPS from the Service drop-down, port 443 and protocol TCP would have been selected automatically. For a production rule, narrow the source to the Internet service tag or to the specific client ranges you expect, and the destination to the web-tier addresses or an application security group, rather than Any to Any.
• Outbound security rules: Here, you define what kind of outgoing traffic is allowed and blocked. While creating the rules you need to provide the same information: priority, name of the rule, port range, protocol name, source, destination, and action:
Figure 4.22: Create outbound rule in Azure NSG
In the preceding figure, I blocked outgoing HTTPS traffic from any source to any destination. Here I selected HTTPS from the Service drop-down, and you can see that the respective port (443) and protocol (TCP) were selected automatically. The priority of this rule is shown in the figure, and I gave it the name Deny_Internet_outbound. This rule prevents HTTPS access to the internet from the VM. Because its destination is Any, it also blocks HTTPS to Azure services such as Storage and Key Vault; if the VM needs those, add allow rules with lower priority numbers for the service tags you need (for example Storage or AzureKeyVault) so that they are matched before the deny.
• Network interfaces: In the previous sections, we discussed that you can attach an NSG to a subnet and/or to the network interface (NIC) of a virtual machine:
Figure 4.23: Attach Azure NSG to network interface
You can click Network interfaces to see which NICs this NSG is attached to. You can associate this NSG with other NICs by selecting the Associate option.
• Subnets: An NSG can be attached to network interfaces (NICs) and to virtual network subnets. When you apply an NSG to a subnet, its security rules apply to all Azure resources that reside inside that subnet. Decide carefully whether you want the same security rules on all VMs in that subnet.
You can click Subnets to see which subnets this NSG is associated with. You can associate this NSG with other subnets by selecting the Associate option.
The preceding points help you configure and manage NSGs in your environment and make clear what operations you can perform on an NSG.
Manage Azure NSG
You now know how to create and configure an Azure NSG. But as a security administrator, that is not the only thing you need. You need to know how to modify the security rules and how to associate and dissociate NSGs from network interfaces and subnets. You will need this whenever you get a new request to allow or deny some network traffic, because you then have to adjust the security rules of the NSG.
Modify security rules
In the previous sections, you created an NSG. This NSG has a few default rules. You may get a requirement to add a few more rules or to modify existing ones. Let's go through the steps to modify the NSG:
1. Log in to the Azure portal and go to the NSG you want to modify.
2. On the left-hand option panel of the NSG, you see the Inbound security rules and Outbound security rules options. Choose the appropriate option to create or modify rules. For this demo, I am creating a new inbound rule.
3. When you click either option, a new blade opens that shows the existing NSG rules. At the top of this blade, you see + Add to create a new rule:
Figure 4.24: Create inbound rule in Azure NSG
4. The preceding figure shows a sample of creating a new NSG rule. I am creating a new inbound rule that allows RDP from the internet. Do this only in a lab: an RDP (TCP 3389) rule open to the internet is scanned and brute-forced almost immediately. In production, restrict the source to known management addresses, or use Azure Bastion or just-in-time VM access instead.
5. Once you have entered all the details, click Add, and the new rule is added to the NSG.
6. To modify an existing rule, click the rule and the same blade opens. Change the values of the desired fields to modify the rule.
Here we saw how to add a new security rule and modify existing NSG rules. You can also delete rules you no longer need by clicking the three dots at the end of the rule.
Associate NSGs to network interfaces
Once you have created an NSG with proper rules, it is ready to be attached to the network interface card(s) of a virtual machine(s). Let's see how to attach this NSG to network interface cards:
1. On the same NSG, in the left option panel, you see a Network interfaces option.
2. A new window opens when you click the Network interfaces option. This window shows the network interfaces and virtual machines to which this NSG is already attached.
3. To attach this NSG to a new network interface, there is an Associate option at the top of this window.
4. When you click Associate, a new blade opens with a list of network interfaces. Choose the desired network interface to attach this NSG to.
Here you saw how to attach an NSG to a network interface. You can repeat these steps to associate this NSG with other interfaces.
Dissociate NSGs from network interface
You may need to dissociate an NSG from a network interface for any reason. Follow these simple steps to dissociate an NSG from a network interface:
1. On the same NSG, in the left option panel, you see a Network interfaces option.
2. A new window opens when you click the Network interfaces option. This window shows the network interfaces and virtual machines to which this NSG is already attached.
3. In the list of attached network interfaces, choose the network interface from which you want to dissociate this NSG. At the end of the network interface entry, there are three dots.
4. Click those dots and a Dissociate option appears. Click Dissociate; it asks for confirmation, and if you answer Yes, the NSG is dissociated from the network interface. After this, the network interface is no longer shown in the list of network interfaces.
5. Here you saw how to dissociate an NSG from a network interface. You can repeat these steps to dissociate this NSG from other interfaces. Remember that after dissociation the interface is filtered only by the NSG on its subnet, if there is one; with no NSG at either level, all traffic to and from the VM is allowed.
Associate NSGs to subnets
Once you have created an NSG with proper rules, it is ready to be attached to subnet(s). Let's see how to attach this NSG to subnets:
1. On the same NSG, in the left option panel, you see a Subnets option.
2. A new window opens when you click the Subnets option. This window shows the subnets to which this NSG is already attached.
3. To attach this NSG to a new subnet, there is an Associate option at the top of this window.
4. When you click Associate, a new blade opens. Choose the desired virtual network and a subnet under that virtual network to attach this NSG to.
Here, you saw how to attach an NSG to a subnet. You can repeat these steps to associate this NSG with other subnets. Remember that the rules then apply to every resource in the subnet, including NICs that already carry their own NSG.
Dissociate NSG from subnet
You may need to dissociate an NSG from a subnet for any reason. Follow these simple steps to dissociate an NSG from a subnet:
1. On the same NSG, in the left option panel, you see a Subnets option.
2. A new window opens when you click the Subnets option. This window shows the subnets to which this NSG is already attached.
3. In the list of attached subnets, choose the subnet from which you want to dissociate this NSG. At the end of the subnet entry, there are three dots.
4. Click those dots and a Dissociate option appears. Click Dissociate; it asks for confirmation, and if you answer Yes, the NSG is dissociated from the subnet. After this, the subnet is no longer shown in the list of subnets.
Here, you saw how to dissociate an NSG from a subnet. You can repeat these steps to dissociate this NSG from other subnets.
Azure Application Security Groups (ASG)
Azure Application Security Groups (ASGs) allow you to group virtual machines based on their application, role and functionality, and then define network security policies based on those groups. With ASGs, you do not need to specify the IP addresses or network ranges of servers: you specify the ASG to define the source or destination servers. A security rule that specifies an ASG as the source or destination is applied only to the network interfaces that are members of that application security group. If a network interface is not a member of the application security group, the rule is not applied to it, even though the network security group is associated with the subnet.
• In one security rule, you can only specify one application security group as the source and one as the destination.
• All network interfaces assigned to an application security group have to exist in the same virtual network as the first network interface assigned to that application security group. For example, if the first network interface assigned to an application security group named DataASG is in the virtual network named DemoVNet1, then all subsequent network interfaces assigned to DataASG must exist in DemoVNet1. You cannot add network interfaces from different virtual networks to the same ASG.
• If you specify an ASG as the source and another as the destination in a security rule, the network interfaces in both ASGs must exist in the same virtual network. For example, if DataASG contained network interfaces from DemoVNet1 and WebASG contained network interfaces from DemoVNet2, you could not use DataASG as the source and WebASG as the destination in a rule. All network interfaces for both the source and destination ASGs need to exist in the same virtual network.
ASGs exist to apply the same type of rules to multiple servers of the same application. If you have multiple servers for an application and want to apply the same NSG rules to all of them, instead of writing rules against each server's IP address, you create an ASG, add the servers' network interfaces to it and reference the ASG in the rules. This reduces manual effort and the chance of missing a rule. Since membership follows the network interface, a new server gets the right rules as soon as its NIC is added to the ASG, and the rules keep working when a VM's private IP address changes.
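The membership constraints above can be checked before a rule ever reaches Azure, and the same model makes visible which NICs in a subnet an ASG-scoped rule actually touches. The following added example is written for this guide and is not Azure's code; DataASG, WebASG, DemoVNet1 and DemoVNet2 are the names used above, while the NIC names and the second web ASG are constructed.

```python
"""Added example (not from the book): a registry that enforces the ASG constraints
described above. NIC names and WebASG2 are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Nic:
    name: str
    vnet: str


@dataclass
class Asg:
    name: str
    members: Dict[str, Nic] = field(default_factory=dict)

    @property
    def vnet(self) -> Optional[str]:
        """The VNet of the first NIC added pins the ASG; None while it is empty."""
        return next(iter(self.members.values())).vnet if self.members else None

    def add(self, nic: Nic) -> None:
        """Azure rejects a NIC from any VNet other than the one the ASG is pinned to."""
        if self.vnet is not None and nic.vnet != self.vnet:
            raise ValueError(f"{nic.name} is in {nic.vnet} but {self.name} is pinned to {self.vnet}")
        self.members[nic.name] = nic


def asg_pair_valid(source: Asg, dest: Asg) -> bool:
    """A rule with an ASG as both source and destination needs both in one VNet."""
    return source.vnet is None or dest.vnet is None or source.vnet == dest.vnet


def rule_applies_to(dest_asg: Asg, nic: Nic) -> bool:
    """A rule whose destination is an ASG is applied only to member NICs, even when
    the NSG holding the rule is associated with the subnet the NIC sits in."""
    return nic.name in dest_asg.members


def demo() -> Dict[str, bool]:
    data, web, web2 = Asg("DataASG"), Asg("WebASG"), Asg("WebASG2")
    data.add(Nic("db1-nic", "DemoVNet1"))
    web.add(Nic("web1-nic", "DemoVNet1"))
    web2.add(Nic("web2-nic", "DemoVNet2"))
    try:
        data.add(Nic("db2-nic", "DemoVNet2"))   # second VNet: must be rejected
        cross_vnet_rejected = False
    except ValueError:
        cross_vnet_rejected = True
    return {
        "cross_vnet_rejected": cross_vnet_rejected,
        "web_to_data_ok": asg_pair_valid(web, data),      # both in DemoVNet1
        "web2_to_data_ok": asg_pair_valid(web2, data),    # DemoVNet2 -> DemoVNet1
        "applies_to_member": rule_applies_to(data, Nic("db1-nic", "DemoVNet1")),
        "applies_to_neighbour": rule_applies_to(data, Nic("app1-nic", "DemoVNet1")),
    }
```

The last two entries of demo() are the point of the section: app1-nic sits in the same VNet (and, in practice, often the same subnet) as db1-nic, yet a rule whose destination is DataASG does nothing for it, so a subnet-level NSG that relies on ASG rules leaves non-member NICs governed only by the remaining rules and the defaults.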
Configure application gateway to secure
app service
Azure Application Gateway is a layer 7 web traffic load balancer. It helps you to
manage traffic across your web applications. Traditional load balancers operate at
the transport layer (OSI layer 4: TCP and UDP) and route traffic based on source IP
address and port, to a destination IP address and port.
Application gateway routes traffic based on HTTP request attributes such as the URI path or the host header. For example, you can route traffic based on the incoming URL: if /images is in the incoming URL, you can route the traffic to a specific set of backend servers configured for images, and if /video is in the URL, that traffic can be routed to another pool that is optimized for videos.
Application gateway features
In this section, let's discuss the features of application gateway in detail. These features will help you decide whether to choose application gateway for your app service:
• TLS termination (often still called SSL termination): Application gateway supports TLS termination at the gateway. After termination, traffic flows unencrypted to the backend servers inside the virtual network. Terminating TLS at the gateway relieves the web servers of the encryption and decryption overhead and lets the gateway inspect the request, which the WAF needs. But sometimes unencrypted communication to the servers is not acceptable, because of security or compliance requirements, or because the application only accepts a secure connection. To meet these requirements, application gateway also supports end-to-end TLS encryption, in which it re-encrypts traffic to the backend.
• Autoscaling: Autoscaling is supported by application gateway Standard_v2. With this feature, application gateway can scale out or in based on changing traffic load patterns.
• Zone redundancy: For better fault resiliency, application gateway Standard_v2 can span multiple availability zones.
• Static VIP: A static virtual IP (VIP) is supported by the application gateway Standard_v2 SKU.
• Web Application Firewall: The Web Application Firewall (WAF) is a service that provides centralized protection of your web applications from common exploits and vulnerabilities, using managed rule sets based on the OWASP Core Rule Set. It is difficult to prevent such attacks in application code, so a centralized WAF makes security management simpler and gives application administrators better assurance against threats or intrusions.
• Ingress controller for AKS: The Application Gateway Ingress Controller (AGIC) allows you to use application gateway as the ingress for an Azure Kubernetes Service (AKS) cluster. The ingress controller runs as a pod within the AKS cluster, consumes Kubernetes ingress resources and converts them into an application gateway configuration, which allows the gateway to load-balance traffic to the Kubernetes pods. The ingress controller only supports the application gateway Standard_v2 and WAF_v2 SKUs.
• URL-based routing: URL path-based routing allows you to route traffic to backend server pools based on the URL path of the request. One scenario is to route requests for different content types to different pools. For example, requests for http://mybook.com/video/* are routed to VideoServerPool, and http://mybook.com/images/* are routed to ImageServerPool.
• Mult<br>iple-site hosting: Multiple-site hosting enables you to configure more than one web site on the same application gateway instance. This feature allows you to configure a more efficient topology by adding up to 100 web sites to one application gateway. Each web site can be directed to its own pool. For example, application gateway can serve traffic for mybook.com and mywebapp.com from two server pools called MyBookPool and MyWebAppPool: requests for http://mybook.com are routed to MyBookPool, and requests for http://mywebapp.com are routed to MyWebAppPool.
• Session affinity: When you want to keep a user session on the same server, the cookie-based session affinity feature is very useful. By using gateway-managed cookies, the application gateway can direct subsequent traffic from a user session to the same server for processing.
• Connection draining: Connection draining helps you achieve graceful removal of backend pool members during planned service updates. This setting is enabled via the backend HTTP setting and can be applied to all members of a backend pool during rule creation. Once enabled, application gateway ensures that all deregistering instances of a backend pool do not receive any new requests while allowing existing requests to complete within a configured time limit. This applies both to backend instances that are explicitly removed from the backend pool by a user configuration change and to backend instances that the health probes report as unhealthy.
• Custom error pages: Application gateway allows you to create custom error pages instead of displaying the default error pages.
These are a few of the features supported by Azure Application Gateway.
Traffic flow through application gateway
In this section, we will see how traffic flows through application gateway. This will
help you to understand networking architecture of application gateway.
How an application gateway accepts a request
In this sub-section, we see how an application gateway accepts a request, that is, what happens when a user requests access to a web app placed behind an application gateway.
1. Before a client sends a request to an application gateway, it resolves the domain name of the application gateway. Azure manages the DNS entry because application gateways are in the azure.com domain.
2. After resolution, Azure DNS returns the frontend IP address of the application gateway to the client.
3. The application gateway accepts incoming traffic on its listeners. A listener is a logical entity that checks for connection requests. A listener is configured with a frontend IP address, protocol, and port number for connections from clients to the application gateway.
4. If the application gateway has a web application firewall (WAF) in use, it checks the request headers and the body against the WAF rules. This determines whether the request is valid or a security threat. If the request is valid, the routing rules are evaluated and the request is routed to a backend server pool. If the request is not valid and the WAF is in prevention mode, it is blocked as a security threat. If the WAF is in detection mode, the request is evaluated and logged, but still forwarded to the backend server. Detection mode is useful for tuning rules against false positives before switching to prevention mode; by itself it does not protect the application.
Azure Application Gateway can be used as an internal or an external (internet-facing) application load balancer. An external application gateway uses public IP addresses. The DNS name of an external application gateway is publicly resolvable to its public IP address. As a result, external application gateways can accept client requests from the internet.
Internal application gateways use only private IP addresses. Internal load balancers can only serve requests from clients with access to the virtual network of the application gateway.
How an application gateway routes a request
In this sub-section, we will study what happens to a request that is valid and has
not been blocked by the WAF. The application gateway evaluates the request routing
rule that is associated with the listener. This action determines which backend pool
to route the request to. Based on the request routing rule, the application gateway
determines whether to route all requests on the listener to a specific backend pool,
route requests to different backend pools based on the URL path, or redirect requests
to another port or an external site.
When the application gateway selects the backend pool, it sends the request to one
of the healthy backend servers in the pool. If the backend pool contains multiple
healthy servers, the application gateway uses a round-robin algorithm to route the
requests.
The traffic routing behavior changes based on the type of backend pool. There are
three types of backend pools:
• Backend pool with a public endpoint: If the backend pool has public endpoints,
the application gateway uses its frontend public IP to reach the server.
• Backend pool with an internally resolvable FQDN or a private IP address: If
the backend pool has private endpoints, the application gateway routes the
request to the backend server by using its instance private IP addresses.
• Backend pool with an external endpoint or an externally resolvable FQDN: If
the backend pool has an external endpoint, the application gateway routes the
request to the backend server by using its frontend public IP address. The DNS
resolution is based on a private DNS zone or custom DNS
Implementing Advance Network Security
209
server, if one is configured; otherwise it uses the default Azure-provided DNS. If
there is no frontend public IP address, one is assigned for outbound external
connectivity.
Application gateway building blocks
In the coming sections, we will deploy an application gateway and perform various
configurations. It will be helpful to understand the application gateway building
blocks before deploying and configuring it:
• Frontend IP addresses: The frontend IP address is the landing zone for any
incoming traffic; any incoming traffic first hits the frontend IP address of the
application gateway. A frontend IP address is the IP address associated with an
application gateway. An application gateway can be configured to have a public IP
address, a private IP address, or both. After it is created, a frontend IP address
is associated with a listener.
• Listeners: A listener is a logical entity in Azure Application Gateway. It
checks for incoming connection requests. A listener accepts a request if the
protocol, port, hostname, and IP address associated with the request match the
same elements in the listener configuration. There can be multiple listeners
attached to an application gateway, and they can be used for the same protocol.
After a listener detects incoming requests from clients, the application gateway
routes these requests to the members of the backend pool configured in the rule.
There are two types of listeners in application gateway, based on domain hosting:
    • Basic: This type of listener listens to a single domain site, where it has a
    single DNS mapping to the IP address of the application gateway. This listener
    configuration is required when you host a single site behind an application
    gateway.
    • Multi-site: This listener configuration is required when you configure more
    than one web application on the same application gateway instance. It allows
    you to configure a more efficient topology for your deployments. You can add
    up to 100 websites to one application gateway. Each website can be directed to
    its own backend pool. For example, three subdomains, app.mybook.com,
    image.mybook.com, and video.mybook.com, point to the IP address of the
    application gateway. You would create three multi-site listeners and configure
    each listener for the respective port and protocol setting.
• Custom error pages: In Azure Application Gateway, you can create your own
custom error pages instead of displaying the default error pages. The application
gateway displays a custom error page when a request cannot reach the backend.
• Request routing rules: A request routing rule is a key component of an
application gateway. It determines how to route traffic on the listener. The rule
binds the listener, the backend server pool, and the backend HTTP settings. When a
listener accepts a request, the request routing rule forwards the request to the
backend or redirects it elsewhere. If the request is forwarded to the backend, the
request routing rule defines which backend server pool to forward it to. One
listener can be attached to one rule.
You can classify routing rules into two types:
    • Basic: All requests on the associated listener (for example, mybook.com/*)
    are forwarded to the associated backend pool by using the associated HTTP
    setting.
    • Path-based: This routing rule lets you route the requests on the associated
    listener to a specific backend pool, based on the URL in the request. If the
    path of the URL in a request matches the path pattern in a path-based rule, the
    rule routes that request. It applies the path pattern only to the URL path, not
    to its query parameters. If the URL path on a listener request does not match
    any of the path-based rules, it routes the request to the default backend pool
    and HTTP settings.
• Redirection support: The request routing rule allows you to redirect traffic on
the application gateway. You can redirect traffic from HTTP to HTTPS; this is a
generic redirection mechanism, so you can redirect to and from any port you define
by using rules. You can choose the redirection target to be another listener or an
external site, and you can choose whether the redirection is temporary or permanent.
• Rewrite HTTP headers: By using the request routing rules, you can add, remove,
or update HTTP(S) request and response headers as the request and response packets
move between the client and backend pools through the application gateway. The
headers can be set to static values or to other headers and server variables. This
helps with important use cases, such as extracting client IP addresses, removing
sensitive information about the backend, and adding more security.
• HTTP settings: An application gateway routes traffic to the backend servers by
using the port number, protocol, and other settings detailed in this component. All
these configurations are defined in the HTTP settings. The port and protocol used in
the HTTP settings determine whether the traffic between the application gateway and
the backend servers is encrypted (providing end-to-end TLS) or unencrypted. The HTTP
settings are also used to:
    • Determine whether a user session is to be kept on the same server by using
    cookie-based session affinity.
    • Gracefully remove backend pool members by using connection draining.
    • Associate a custom probe to monitor the backend health, set the request
    timeout interval, override the host name and path in the request, and provide
    one-click ease to specify settings for an App Service backend.
• Backend pools: A backend pool routes requests to the backend servers, which serve
the request. Backend pools can contain:
    • NICs.
    • Virtual machine scale sets.
    • Public IP addresses.
    • Internal IP addresses.
    • FQDNs.
    • Multitenant backends (for example, App Service).
An application gateway can communicate with instances outside of the virtual
network that it is in. As a result, the members of the backend pools can be across
clusters, across datacenters, or outside Azure, if there is network connectivity.
An application gateway can also communicate with on-premises servers when they are
connected by Azure ExpressRoute or VPN tunnels, if traffic is allowed.
• Health probes: By default, an application gateway monitors the health of all
resources in its backend pool and automatically removes unhealthy ones. It then
keeps monitoring the unhealthy instances and adds them back to the healthy backend
pool when they become available and respond to health probes.
We will use these components in the next section while deploying and configuring
the application gateway.
Deploy application gateway to host single site
Azure Application Gateway can be configured with an internet-facing VIP or with
an internal endpoint that is not exposed to the internet. An internal endpoint uses a
private IP address for the frontend, which is also known as an internal load balancer
(ILB) endpoint.
Configuring the gateway using a frontend private IP address is useful for internal
line-of-business applications that are not exposed to the internet. It’s also useful for
services and tiers within a multi-tier application that are in a security boundary that
isn’t exposed to the internet but still require round-robin load distribution, session
stickiness, or Transport Layer Security (TLS), previously known as Secure Sockets
Layer (SSL), termination.
To deploy an application gateway, you need a virtual network with two or more
subnets. The application gateway needs its own dedicated subnet, so one subnet is
for the application gateway and the other subnets hold the backend pools and other
services. For this exercise, we need one virtual network, one subnet for the
application gateway, and one or more servers for the backend pool. You can create
these resources yourself. For the backend pool, I will deploy two VMs with IIS to
host a website:
1. Log in to the Azure portal, search for application gateway, and click + Add to
create a new application gateway.
2. A new window opens to fill in the details for the application gateway:
Figure 4.25: Fill basic details while application gateway creation
On the Basics page, you can select the subscription, resource group, region,
virtual network, and subnet where you want to deploy your application gateway.
My application gateway subnet is 10.0.2.0/24, so the application gateway's
frontend IP address will come from this range.
3. In the next step, we will configure frontend of application gateway:
Figure 4.26: Application gateway frontend details
The frontend is the entry point for traffic on the application gateway. You can
select the type of frontend address based on how your application must be reached.
I chose Both so that the same web app is reachable publicly and privately.
4. In the next step, we will set up the backend pool that will respond to incoming
requests:
Figure 4.27: Add backend pool to application gateway
As shown in the preceding figure, I included two backend servers. Please ignore
the names of the servers; both are web hosting servers for me. The server named
Databaseservervm is working as web server1 and Webserver is working as web
server2. Both servers are from the address range 10.0.0.0/24.
5. In the next step, we will configure the listener and routing rules. We already
studied the definitions of listeners and routing rules; please refer to the
previous sections to know more about these two components:
Figure 4.28: Add listener rule to application gateway
As shown in the preceding figure, you can fill in the basic details about the listener.
6. Now, on the same page, you need to associate a backend pool with this listener.
Click on Backend targets as shown in the following figure. Here, you can see the
options to route your request to different endpoints:
Figure 4.29: Add backend target details to listener
In this demo we are doing the simplest setting, so I selected Backend pool as the
Target type. Once you have filled in all these details, click on Create.
7. The creation may take some time. Once it is completed, you can configure a DNS
entry for the frontend IP address. Now browse the public URL from your browser:
Figure 4.30: Accessing web server1 through application gateway over internet
As shown in the preceding figure, we are able to access web server1 publicly
through the application gateway.
8. You can also access the same web page privately from your private network. For
that, log in to a virtual machine in the private network and browse the
application gateway over its private IP:
Figure 4.31: Accessing web server1 through application gateway over private network
As shown in the preceding figure, we are able to access web server1 over the
application gateway's private IP. You can create a DNS entry for the application
gateway's private IP in your private DNS for name resolution. I do not have DNS
configured, so I am accessing the application gateway through its IP and not
through a name.
In this section, we saw how to configure an application gateway for a single site
hosted on two virtual machines. We also saw how to use the same application gateway
to access the same site internally and externally.
To access the web app through the application gateway over the internal network,
you need to configure NSG rules so that your source machine can reach the
application gateway subnet.
Configure application gateway for multiple sites
In this section, we will set up an application gateway to reach two different
sites. As we studied in the previous sections, we can use the same application
gateway for multiple sites. For this demo, I will use two web servers, each hosting
a different website. You can clean up the previous application gateway's
configuration or deploy a fresh one. My Databaseservervm will host bookimage.com
and Webserver will host bookvideo.com. Let's jump to the configuration steps:
1. We already have the required web servers, virtual network, and subnets, so we
can jump to the application gateway creation. If you are starting from this step
or have deleted the previous resources, you will need to create one virtual
network, one subnet for the backend pool, one subnet for the application gateway,
and two web servers in the backend pool subnet.
2. Log in to the Azure portal, search for application gateway, and click + Add to
create a new application gateway.
3. The Basics and frontend configuration will be the same as in the last section.
You can refer to Figure 4.25 for the Basics and Figure 4.26 for the frontend
configuration.
4. Now we need to create two different backend pools for the two different
websites:
Figure 4.32: Add backend pool for site1 (bookimage.com)
In the preceding figure, I am creating the backend pool for the bookimage.com
website. I added the server that hosts the bookimage.com site.
Figure 4.33: Add backend pool for site2 (bookvideo.com)
5. In the preceding figure, I am creating the backend pool for the other website,
bookvideo.com. I added the web server that will host this site.
6. In the next step, we need to configure listeners and routing rules. We will
configure an individual listener and routing rule for each website:
Figure 4.34: Add listener details for site1 (bookimage.com)
In the preceding figure, I am configuring the listener for the bookimage.com
website. Since we are binding two websites to the same application gateway, we need
to select the Multi site listener type and give the name of the website as the
host name. So, when we browse bookimage.com, the incoming request is matched to
the listener with that host name and follows the respective backend pool and HTTP
settings.
After configuring the listener, we need to configure Backend targets:
Figure 4.35: Add backend target details for site1 (bookimage.com)
In Backend targets, we select the backend pool to which incoming traffic will be
routed.
7. In the same way, we need to create another combination of listener and backend
target for the bookvideo.com website. I am not showing that process here, but I
have created them in the background. You need to be careful when selecting the port
for the second website's listener: in the portal, both listeners cannot have the
same port. So, for bookimage.com I chose port 80 and for bookvideo.com I chose
port 8080. Once you are done with these configurations, click on Create:
Figure 4.36: Add backend target details for site2 (bookvideo.com)
In the preceding figure, I put a different listener port for the bookvideo.com
website.
8. Now let's test the website. Go to your browser and enter the public DNS URL of
your application gateway, http://bookwebappgw.eastus.cloudapp.azure.com. Without
any specific port, the request lands on port 80 and takes you to the bookimage.com
website:
Figure 4.37: Access site1 (bookimage.com) through application gateway
The preceding figure shows that we are able to reach bookimage.com through the
application gateway public URL over the default port 80:
Figure 4.38: Access site2 (bookvideo.com) through application gateway
The preceding figure shows that we are able to reach bookvideo.com through the
application gateway public URL over the defined port 8080.
9. After the application gateway is created with its public IP address, you can
get the DNS address and use it to create a CNAME record in your domain. You can
get the public IP of the application gateway from its Overview page. Copy the FQDN
value of the DNS settings and use it as the value of the CNAME record that you
create. Using A-records isn't recommended if you are using the V1 SKU for the
application gateway, because the Virtual IP (VIP) may change when the application
gateway is restarted in the V1 SKU.
10. Since I do not have a DNS provider, I did not register the application gateway
DNS, and because of that I had to browse the websites with the application gateway
public DNS name.
11. Since we configured both public and private IPs on the frontend, you can access
these websites over the private network as well. Similar to public accessibility,
you need to enter http://<private IP of application gateway> to browse
bookimage.com and http://<private IP of application gateway>:8080 to browse
bookvideo.com.
12. You can create a DNS record for the application gateway's private IP to browse
the websites by name.
So, in this section, we saw how to configure two different websites behind the
same application gateway. We can configure up to 100 websites behind an
application gateway. In the same way, you can configure sub-domain websites as
well; for example, image.bookdemo.com and video.bookdemo.com.
In the preceding demo, we deployed the application gateway through the portal. You
can also deploy it through PowerShell, Azure CLI, and ARM templates. When you deploy
through the command line, you can use the same listener port for multiple
multi-site listeners. In the preceding example, we had to use different ports (80
and 8080) for the different listeners, but you could use the same listener port if
you deploy the application gateway through the command line. Each site is then
distinguished by its host name, so you will be able to browse the website only after
creating a CNAME entry in DNS.
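The same two-site gateway built from the Azure CLI instead of the portal, as an added example that is not the book's own code: both multi-site listeners share frontend port 80 and are told apart by host name, and the script wires together the pool, listener, HTTP settings and rule building blocks described earlier. The resource names, backend IPs and host names are assumed values for the demo, and DRY_RUN=1 (the default) prints the az commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not the book's code): deploy the two-site gateway from the
# Azure CLI. Both multi-site listeners share frontend port 80 and are selected by
# host name; resource names, backend IPs and host names are constructed values.
set -eu

RG="${RG:-bookdemo-rg}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-bookdemo-vnet}"
AGW_SUBNET="${AGW_SUBNET:-appgw-subnet}"   # dedicated gateway subnet (10.0.2.0/24 in the book)
AGW="${AGW:-bookwebappgw}"
PIP="${PIP:-bookwebappgw-pip}"             # public IP used by the frontend
IMAGE_VM_IP="${IMAGE_VM_IP:-10.0.0.4}"     # IIS VM hosting bookimage.com (constructed)
VIDEO_VM_IP="${VIDEO_VM_IP:-10.0.0.5}"     # IIS VM hosting bookvideo.com (constructed)

# DRY_RUN=1 (default) prints each az command instead of executing it, so the
# plan can be reviewed offline; set DRY_RUN=0 after "az login" to deploy.
DRY_RUN="${DRY_RUN:-1}"
az_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'az %s\n' "$*"
    else
        az "$@"
    fi
}

# Names that "az network application-gateway create" gives to the default
# frontend IP, frontend port and HTTP settings it creates with the gateway.
FRONTEND_IP="appGatewayFrontendIP"
FRONTEND_PORT="appGatewayFrontendPort"
HTTP_SETTINGS="appGatewayBackendHttpSettings"

create_gateway() {
    # Standard_v2 gateway with a public frontend on port 80 and plain HTTP to
    # the backends. The default basic rule (rule1) gets the lowest priority
    # (highest number) so that the host-name rules added below are tried first.
    az_cmd network application-gateway create \
        --resource-group "$RG" --name "$AGW" --location "$LOCATION" \
        --sku Standard_v2 --capacity 2 \
        --vnet-name "$VNET" --subnet "$AGW_SUBNET" \
        --public-ip-address "$PIP" \
        --frontend-port 80 --http-settings-port 80 --http-settings-protocol Http \
        --priority 1000
}

add_site() {
    # $1 site label, $2 host name, $3 backend private IP, $4 rule priority.
    # Each site gets its own pool, a multi-site listener and a basic rule that
    # binds listener, pool and HTTP settings: the building blocks from above.
    site="$1"; host="$2"; backend_ip="$3"; prio="$4"
    az_cmd network application-gateway address-pool create \
        --resource-group "$RG" --gateway-name "$AGW" \
        --name "${site}-pool" --servers "$backend_ip"
    # --host-name makes this a multi-site listener. Both sites reference the
    # same frontend port object, so only the Host header tells them apart.
    az_cmd network application-gateway http-listener create \
        --resource-group "$RG" --gateway-name "$AGW" \
        --name "${site}-listener" --frontend-ip "$FRONTEND_IP" \
        --frontend-port "$FRONTEND_PORT" --host-name "$host"
    # Lower number = evaluated earlier (v2 SKU), so both site rules are
    # evaluated before the catch-all rule1 created with the gateway.
    az_cmd network application-gateway rule create \
        --resource-group "$RG" --gateway-name "$AGW" \
        --name "${site}-rule" --rule-type Basic --priority "$prio" \
        --http-listener "${site}-listener" --address-pool "${site}-pool" \
        --http-settings "$HTTP_SETTINGS"
}

deploy_multisite_gateway() {
    create_gateway
    add_site image bookimage.com "$IMAGE_VM_IP" 100
    add_site video bookvideo.com "$VIDEO_VM_IP" 110
}

deploy_multisite_gateway
```

Because both listeners sit on port 80, the public DNS name alone reaches only the default rule; a CNAME for bookimage.com and bookvideo.com pointing at the gateway's FQDN is what makes the host name match.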
Configure application gateway for app service
Azure App Service is a multi-tenant service rather than a dedicated deployment, so
it uses the host header in the incoming request to resolve the request to the
correct app service endpoint. Usually, the DNS name of the application, which in
turn is the DNS name associated with the application gateway fronting the app
service, is different from the domain name of the backend app service. Therefore,
the host header in the original request received by the application gateway is not
the same as the host name of the backend service. Because of this, unless the host
header in the request from the application gateway to the backend is changed to the
host name of the backend service, the multi-tenant backend is not able to resolve
the request to the correct endpoint.
Application gateway provides a switch called Pick host name from backend address
which overrides the host header in the request with the host name of the backend
when the request is routed from the application gateway to the backend. In this
section, we will learn how to add an app service as a backend pool and create HTTP
settings and a custom probe with the Override host name switches enabled:
1. For this demo, I assume that you already have an app service created. You can
refer to the previous sections to understand how to create an app service.
2. Log in to the Azure portal, search for application gateway, and click + Add to
create a new application gateway.
3. The Basics and frontend configuration remain the same for this exercise as well.
We need to look at the backend pool configuration:
Figure 4.39: Add Azure App Service as backend pool to application gateway
As shown in the preceding figure, this time I am selecting App Services as the
Target type. It shows the app services in a drop-down. You can only select those
app services that are in the same subscription where the application gateway
resides. If you want to add an app service from a different subscription, you can
choose the IP address or FQDN option.
4. In the next step, we will configure the listener and backend target:
Figure 4.40: Create listener rule for app service
We have done this step many times, so we are just putting the basic details here.
5. Now, in the Backend targets section, click on HTTP settings. This opens a new
blade. Here, input a name for the HTTP setting, enable or disable cookie-based
affinity as per your requirement, and choose the protocol as HTTP or HTTPS as per
your use case:
Figure 4.41: Override request host name with new host name
As shown in the preceding figure, enable Host name override for the incoming
request. This overrides the Host header of the incoming request with the host name
of the backend target.
6. Once you have made this configuration, click on Create to start the deployment.
7. As shown in the following figure, it also creates a custom health probe. The
health probe is used to test the health of the backend pool. To make any changes
to the health probe, go to Health probes under the Settings section:
Figure 4.42: Custom health probes settings in application gateway
You can also run a test of the connectivity and health of the backend before adding
a new health probe or modifying an existing probe.
8. Once the deployment is completed, you can open the application gateway URL in
the browser:
Figure 4.43: Browse app service through application gateway
As shown in the preceding figure, we are able to browse the app service through
the application gateway.
In this section, we saw how to configure an application gateway for an app service.
In this demo we used just one app service, but you can use multiple app services as
application gateway backends.
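The portal steps above as an Azure CLI script, added here and not the book's own code: an App Service backend referenced by FQDN, a custom probe and HTTP settings with both host name override switches set, and the gateway's default rule repointed at them. The resource group, gateway name and App Service host name are assumed placeholders, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not the book's code): the App Service backend from the portal
# steps above, configured from the Azure CLI. The resource group, gateway name
# and App Service host name are constructed placeholders.
set -eu

RG="${RG:-bookdemo-rg}"
AGW="${AGW:-bookwebappgw}"      # gateway already created (Basics and frontend as before)
APP_FQDN="${APP_FQDN:-bookdemo-app.azurewebsites.net}"   # constructed App Service name
DEFAULT_RULE="rule1"            # basic rule created with the gateway on port 80

# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them after az login.
DRY_RUN="${DRY_RUN:-1}"
az_cmd() {
    if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

configure_app_service_backend() {
    # 1. Backend pool by FQDN. This works for an App Service in any subscription,
    #    while the portal's "App Services" target type lists only the gateway's own.
    az_cmd network application-gateway address-pool create \
        --resource-group "$RG" --gateway-name "$AGW" \
        --name appservice-pool --servers "$APP_FQDN"

    # 2. Custom probe. --host-name-from-http-settings true sends the backend's
    #    host name in the probe too; without it the multi-tenant front end cannot
    #    route the probe and the pool is reported unhealthy.
    az_cmd network application-gateway probe create \
        --resource-group "$RG" --gateway-name "$AGW" \
        --name appservice-probe --protocol Https --path / \
        --host-name-from-http-settings true \
        --interval 30 --timeout 30 --threshold 3

    # 3. HTTP settings. --host-name-from-backend-pool true is the "Pick host name
    #    from backend address" switch: the gateway rewrites the Host header to
    #    the App Service FQDN before forwarding. HTTPS on 443 gives end-to-end TLS.
    az_cmd network application-gateway http-settings create \
        --resource-group "$RG" --gateway-name "$AGW" \
        --name appservice-https --port 443 --protocol Https \
        --cookie-based-affinity Disabled \
        --host-name-from-backend-pool true --probe appservice-probe

    # 4. Point the gateway's default port-80 rule at the new pool and settings,
    #    so the default listener keeps serving the public URL.
    az_cmd network application-gateway rule update \
        --resource-group "$RG" --gateway-name "$AGW" \
        --name "$DEFAULT_RULE" \
        --address-pool appservice-pool --http-settings appservice-https
}

configure_app_service_backend
```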
Configure application gateway with Web
Application Firewall (WAF)
In the previous sections, we studied how to configure an application gateway for a
single-domain site, a multi-domain site, and Azure App Services. In this section, we
will study application gateway with the WAF capability. Let's understand WAF in
brief before configuring it with the application gateway.
You can get centralized protection from exploits and vulnerabilities for your
application with WAF on Azure Application Gateway. With new technologies, web
applications are becoming soft targets for malicious attacks; among these attacks,
SQL injection and cross-site scripting are the most common. WAF works on Core
Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project
(OWASP). Microsoft automatically updates the WAF rules to include protection
against new vulnerabilities; no additional configuration is needed to apply these
changes. A WAF policy includes multiple features inside it, which we will see in
the coming sections. To have separate policies for each site behind an application
gateway, you can create multiple policies. These policies can be associated with an
application gateway, with individual listeners, or with path-based routing rules on
an application gateway.
Benefits of WAF on application gateway
In this section, we will see the core benefits that WAF on application gateway
provides:
• Protection
    • Protect your web applications from web vulnerabilities and attacks without
    modification to the back-end code.
    • Protect multiple web applications at the same time. An instance of
    application gateway can host up to 40 websites that are protected by a web
    application firewall.
    • Create custom WAF policies for different sites behind the same WAF.
    • Protect your web applications from malicious bots with the IP reputation
    rule set (preview).
• Monitoring
    • Monitor attacks against your web applications by using a real-time WAF log.
    The log is integrated with Azure Monitor to track WAF alerts and easily
    monitor trends.
    • The application gateway WAF is integrated with Azure Security Center.
    Security Center provides a central view of the security state of all your
    Azure resources.
• Customization
    • Customize WAF rules and rule groups to suit your application requirements
    and eliminate false positives.
    • Create custom rules to suit the needs of your application.
    • Associate a WAF policy with each site behind your WAF to allow for
    site-specific configuration.
Features of WAF on application gateway
In the previous section, we saw the benefits of WAF on application gateway. In this
section, we will study the features of WAF on application gateway:
• SQL-injection protection.
• Cross-site scripting protection.
• Protection against HTTP protocol violations.
• Protection against HTTP protocol anomalies, such as missing host, user-agent, and
accept headers.
• Protect your applications from bots with the bot mitigation ruleset (preview).
• Inspect JSON and XML in the request body.
• Protection against crawlers and scanners.
• Detection of common application misconfigurations (e.g., Apache and IIS).
• Create custom rules to suit the specific needs of your applications.
• Geo-filter traffic to allow or block certain countries/regions from gaining
access to your applications (preview).
• Configurable request size limits with lower and upper bounds.
• Exclusion lists let you omit certain request attributes from a WAF evaluation. A
common example is AD-inserted tokens that are used for authentication or password
fields.
WAF can function in two modes:
• Detection mode: In detection mode, the WAF works only as an observer; it monitors
and logs all threat alerts but does not block any incoming requests.
• Prevention mode: In prevention mode, the WAF blocks intrusions and attacks that
the rules detect. The attacker receives a 403 unauthorized access exception, and
the connection is closed. Prevention mode records such attacks in the WAF logs.
Like other firewalls, WAF works on policies and rules. Azure WAF has some
predefined rule sets to analyze incoming traffic. With WAF version V2, you can
create your own custom policies as well. When your WAF has both Microsoft-managed
and custom rules, the custom rules are processed before the Microsoft-managed
rules. A rule is made of a match condition, a priority, and an action. The
supported action types are Allow, Block, and Log. Rules within a policy are
processed in priority order.
Deploying application gateway with WAF
In the “Deploy application gateway to host single site” section, we saw how to
deploy an application gateway, so you can refer to that section for a detailed
explanation. In this section, we will just cover the step that differs:
Figure 4.44: Create application gateway with WAF feature
As shown in the preceding figure, you can select WAF or WAF V2 from the Tier
drop-down. In Firewall mode, you can select between Detection and Prevention as per
your requirement.
All the next steps are the same as we learned in the previous sections.
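A WAF policy built from the Azure CLI, as an added example rather than the book's own code: OWASP CRS 3.1 in Prevention mode, one header exclusion, one custom Block rule with priority 10 (evaluated before the managed rules), and the policy attached to a single multi-site listener instead of the whole gateway. It assumes the gateway was created with the WAF V2 tier; the names, listener, excluded header and blocked address range are assumed values, and DRY_RUN=1 (the default) prints the commands rather than running them.

```shell
#!/usr/bin/env bash
# Added example (not the book's code): build a WAF policy from the Azure CLI and
# attach it to one multi-site listener. Assumes the gateway was created with the
# WAF V2 tier (Figure 4.44); names and the blocked range are constructed values.
set -eu

RG="${RG:-bookdemo-rg}"
AGW="${AGW:-bookwebappgw}"
POLICY="${POLICY:-bookimage-waf}"
LISTENER="${LISTENER:-image-listener}"             # listener for bookimage.com
BLOCKED_RANGE="${BLOCKED_RANGE:-203.0.113.0/24}"   # constructed (TEST-NET-3 range)
EXCLUDED_HEADER="${EXCLUDED_HEADER:-x-demo-ad-token}"   # constructed header name

# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them after az login.
DRY_RUN="${DRY_RUN:-1}"
az_cmd() {
    if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

create_waf_policy() {
    az_cmd network application-gateway waf-policy create \
        --resource-group "$RG" --name "$POLICY"

    # Prevention blocks matches with a 403 and logs them; Detection only logs.
    # Run a new policy in Detection first and review the WAF log for false
    # positives before switching it to Prevention.
    az_cmd network application-gateway waf-policy policy-setting update \
        --resource-group "$RG" --policy-name "$POLICY" \
        --state Enabled --mode Prevention

    # Managed rules: OWASP Core Rule Set 3.1, kept up to date by Microsoft.
    az_cmd network application-gateway waf-policy managed-rule rule-set add \
        --resource-group "$RG" --policy-name "$POLICY" \
        --type OWASP --version 3.1

    # Exclusion list: keep one request header out of managed-rule evaluation,
    # the book's example being an AD-inserted token that trips false positives.
    az_cmd network application-gateway waf-policy managed-rule exclusion add \
        --resource-group "$RG" --policy-name "$POLICY" \
        --match-variable RequestHeaderNames \
        --selector-match-operator Equals --selector "$EXCLUDED_HEADER"

    # Custom rule: match condition + priority + action. Custom rules run before
    # the managed rules, lowest priority number first.
    az_cmd network application-gateway waf-policy custom-rule create \
        --resource-group "$RG" --policy-name "$POLICY" \
        --name block-bad-range --priority 10 --rule-type MatchRule --action Block
    az_cmd network application-gateway waf-policy custom-rule match-condition add \
        --resource-group "$RG" --policy-name "$POLICY" \
        --name block-bad-range --match-variables RemoteAddr \
        --operator IPMatch --values "$BLOCKED_RANGE"
}

attach_policy_to_listener() {
    # Per-listener association: only the bookimage.com site gets this policy;
    # other listeners keep whatever policy is set at the gateway level.
    az_cmd network application-gateway http-listener update \
        --resource-group "$RG" --gateway-name "$AGW" \
        --name "$LISTENER" --waf-policy "$POLICY"
}

create_waf_policy
attach_policy_to_listener
```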
Azure Front Door (AFD) service
Azure Front Door (AFD) service is a web traffic management service. It enables you
to define, manage, and monitor the global routing for your web traffic. It also
optimizes for the best performance and provides instant global failover for high
availability. With Azure Front Door, you can transform your multi-region consumer
and enterprise applications into robust, high-performance, personalized modern
applications, APIs, and content that reach a global audience. AFD works at Layer 7,
the HTTP/HTTPS layer.
Features of AFD service
AFD service comes with a wide range of features that provide high performance,
high availability, and multiple capabilities to monitor and manage your enterprise
applications. We will go through the AFD features in this section:
• URL-based routing: The URL-based routing mechanism allows you to route traffic
to backend pools based on the URL paths of the request. For example, requests
coming for http://www.myfrontdoor.com/users/* are routed to UserProfileWebPool,
and http://www.myfrontdoor.com/products/* are routed to ProductInventoryWebPool.
If none of the path patterns match, the traffic is routed to your default routing
rule for http://www.myfrontdoor.com/*.
• Session affinity: AFD helps you keep cookie-based session affinity. This feature
is useful when you want to keep a user session on the same application backend. By
using Front Door managed cookies, subsequent traffic from a particular user session
gets directed to the same application backend for processing. This feature is
important in cases where session state is saved locally on the backend for a user
session.
• Accelerate application performance: AFD uses the split TCP-based anycast
protocol. With this technique, Front Door ensures that your end users promptly
connect to the nearest Front Door Point of Presence (POP). AFD uses Microsoft's
global network for connecting to your application backends from Front Door POPs.
Microsoft's global network ensures higher availability and reliability while
maintaining performance.
• Higher application availability with smart health probes: High availability of
any enterprise application is a very critical aspect. Front Door provides high
availability for your business-critical applications using its smart health
probes, which monitor your backends for both latency and availability. Front Door
also provides instant automatic failover when a backend goes down, so you can run
planned maintenance or DR operations on your applications without any business
downtime. Front Door directs traffic to alternative backends while the maintenance
is in progress.
• Multiple site hosting: You can configure more than one website on the same Front
Door configuration. This feature allows you to manage fewer AFD instances for your
deployments by adding different websites to a single Front Door configuration.
Based on your application's architecture, you can configure AFD to either direct
each website to its own backend pool or have various websites directed to the same
backend pool. For example, Front Door can serve traffic for images.myfrontdoor.com
and videos.myfrontdoor.com from two backend pools called ImageWebPool and
VideoWebPool. Alternatively, you can configure both front-end hosts to direct
traffic to a single backend pool called MediaWebPool. Similarly, you can have two
different domains, www.myfrontdoor.com and www.contoso.com, configured on the same
Front Door.
Implementing Advance Network Security
•
•
•
•
•
229
• URL redirection: Most customers want to support only secure communication, so web applications are expected to redirect any HTTP traffic to HTTPS automatically. This ensures that all communication between the users and the application takes place over an encrypted path.
Traditionally, application developers met this requirement by creating a dedicated service whose sole purpose was to redirect the requests it received on HTTP to HTTPS. AFD has a built-in ability to redirect traffic from HTTP to HTTPS. This simplifies application configuration for developers, optimizes resource usage, and supports new redirection scenarios, including global and path-based redirection.
• Application layer security: You can create custom WAF rules in AFD to protect your HTTP/HTTPS workload from exploitation, with access control based on client IP addresses, country code, and HTTP parameters. The AFD platform itself is protected by Azure DDoS Protection Basic; you can enable Azure DDoS Protection Standard on your VNets for further protection. Front Door is a layer 7 reverse proxy.
• Custom domains and certificate management: When you use Front Door to deliver your content over the web, you need a custom domain if you want your own domain name to be visible in your Azure Front Door URL. A custom domain name makes it easier for your customers to verify your organization and is useful for branding. For HTTPS traffic, you need a certificate for your custom domain; you can choose Front Door managed certificates or upload your own TLS certificate.
• Secure Sockets Layer (SSL) termination: Organizations prefer communication over HTTPS, and AFD supports SSL/TLS termination at the edge. Additionally, Front Door supports both HTTP and HTTPS connectivity between the Front Door environments and your backends, so you can also set up end-to-end TLS encryption. When you choose HTTPS to the backend, Front Door checks that the backend's certificate is issued by a trusted CA and, by default, that its name matches the backend host header; self-signed backend certificates are not accepted.
The preceding points explain some of the key features of the AFD service. Based on these, you can decide whether to use AFD in your environment and, if you do, which of these features to enable.
Building blocks and concepts of AFD
In the following sections, we will discuss how to create and configure AFD for your applications. Before going to deployment, it is important that you understand the building blocks and concepts.
AFD frontend host
AFD has two major components: the frontend host and the backend host pool. The frontend host is the first point of contact for your application, which runs on the backend host pool. The default URL of your AFD is <Hostname>.azurefd.net. You can bring your own custom domain to advertise your own domain name.
AFD backend pool
A backend is an instance on which your application is deployed. You can add both Azure and non-Azure instances as backends to the AFD service. A backend pool is a group of multiple backend instances. So, an AFD backend pool is not restricted to Azure regions; it can also include your on-premises data center or an application instance in another cloud. To add an instance as a backend, the hosting instance must have a public IP or a publicly resolvable host name. Do not confuse the backend with your database tier, storage tier, and so on; the backend is the tier that serves the HTTP requests. Because backends must be publicly reachable, restrict them so that they accept traffic only from Front Door (for example, allow only the AzureFrontDoor.Backend service tag and validate the X-Azure-FDID header against your Front Door ID); otherwise an attacker can bypass the WAF and routing rules by calling the backend directly. There are multiple sub-components of your backend pool:
• Backend host type: In the Backend host type section, you define the type of backend instance. AFD supports different types of backend instances, both Azure and non-Azure services.
• Subscription and backend host name: Select the subscription from which you want to pick your backend host and select the backend host from the drop-down. For a non-Azure backend host, you do not need to select a subscription.
• Backend host header: When AFD sends a request to a backend, the request includes a Host header field. The backend uses this header to identify the target resource. When you select an Azure resource as a backend, the value for this field typically comes from the URI of the backend and contains the host name and port.
For example, a request made for www.myfrontdoor.com arrives at Front Door with the Host header www.myfrontdoor.com. If you use the Azure portal to configure your backend, the default value for this field is the host name of the backend: if your backend is myfrontdoor-eastus.azurewebsites.net, the auto-populated value for the backend host header will be myfrontdoor-eastus.azurewebsites.net. However, if you use Azure Resource Manager (ARM) templates or another deployment method such as PowerShell without explicitly setting this field, Front Door will send the incoming host name as the value of the Host header. So, if the request was made for www.myfrontdoor.com and your backend is myfrontdoor-eastus.azurewebsites.net with an empty backend host header field, Front Door will set the Host header to www.myfrontdoor.com. Multi-tenant backends such as App Service select the site by the Host header, so a wrong value typically results in a 404 from the backend.
• Priority: Here, you assign a priority to each backend host. Traffic is sent to the backends with the highest priority (the lowest number) and falls over to lower-priority backends only when the higher-priority ones are unhealthy.
• Weight: Here, you assign the weight for traffic distribution between backends of the same priority. You can distribute the traffic evenly or in a specified ratio. The default value of this field is 50.
• Backend pool: A backend pool in the AFD service refers to the set of backends that receive similar traffic for their application. A backend pool is a logical grouping of your backend instances; they receive the same traffic and respond to it. These backends can be in different regions or within the same region, and they can be Azure or non-Azure resources.
• Health probes: The health probe configuration is used to evaluate the health of each backend host. This evaluation is important to maintain high availability of your application. The AFD service sends periodic HTTP/HTTPS probe requests to each of your backends. The following settings are available for health probe configuration:
• Path: The URL path used for probe requests to all the backends in the backend pool. For example, if one of your backends is myfrontdoor-eastus.azurewebsites.net and the path is set to /probe/healthtest.aspx, then the Front Door environments, assuming the protocol is set to HTTP, will send health probe requests to http://myfrontdoor-eastus.azurewebsites.net/probe/healthtest.aspx.
• Protocol: Here, you define whether the Front Door service sends the health probe requests to your backends over HTTP or HTTPS.
• Interval (in seconds): Here, you define the frequency of health probes to your backends, that is, the interval at which each Front Door environment sends a probe. Because every Front Door environment probes every backend independently, a backend receives many probe requests per interval, so keep the probe endpoint cheap and side-effect free.
• Load balancing: In the load balancing settings for the backend pool, you define how the health probe results are evaluated. Based on this evaluation, these settings determine whether a backend is healthy or unhealthy. They also determine how traffic is load-balanced between the healthy backends in the backend pool. The following settings are available for the load balancing configuration:
• Sample size: Define the number of health probe samples to consider for the backend health evaluation.
• Successful sample size: Of the sample size defined previously, the number of successful samples needed to consider the backend healthy. For example, assume a Front Door health probe interval of 10 seconds, a sample size of 5, and a successful sample size of 3. Each time the health of the backend is evaluated, the last five samples over 50 seconds (5 × 10) are considered, and at least three successful probes are required to declare the backend healthy.
• Latency sensitivity (in milliseconds): Here, you define the latency tolerance. AFD measures the latency to each healthy backend and sends requests only to the backends whose latency is within this value of the lowest-latency backend. With a value of 0, traffic always goes to the fastest backend; with a larger value, traffic is spread by weight across the backends whose latency falls within the tolerance.
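The following is an added example, not code from the chapter or from Front Door: a model of the backend selection that the health probe and load balancing settings above describe (sample size and successful sample size, then priority, then latency sensitivity, then weight). The backend names, latencies and probe histories are constructed for illustration.

```python
"""Added example for this chapter, not Front Door's own code: a model of the
backend selection that the health probe and load balancing settings above
describe. Backend names, latencies and probe results are constructed."""
from collections import deque
import random


class Backend:
    def __init__(self, name, priority=1, weight=50, latency_ms=0):
        self.name = name
        self.priority = priority      # 1 is the highest priority and is tried first
        self.weight = weight          # portal default is 50
        self.latency_ms = latency_ms  # latency measured by the probes from one environment
        self.samples = deque()        # probe results, oldest first

    def record_probe(self, succeeded, sample_size):
        """Keep only the last `sample_size` probe results."""
        self.samples.append(bool(succeeded))
        while len(self.samples) > sample_size:
            self.samples.popleft()

    def is_healthy(self, successful_sample_size):
        """Healthy when at least `successful_sample_size` of the kept samples succeeded."""
        return sum(self.samples) >= successful_sample_size


def evaluation_window_seconds(interval_seconds, sample_size):
    """How far back one health evaluation looks: 5 samples x 10 s = 50 s in the text."""
    return interval_seconds * sample_size


def eligible_backends(backends, successful_sample_size, latency_sensitivity_ms):
    """Apply health, then priority, then latency sensitivity; weights are applied by the caller."""
    healthy = [b for b in backends if b.is_healthy(successful_sample_size)]
    if not healthy:
        return []
    best_priority = min(b.priority for b in healthy)
    same_priority = [b for b in healthy if b.priority == best_priority]
    fastest = min(b.latency_ms for b in same_priority)
    # Sensitivity 0 keeps only the fastest backend; a larger value keeps every
    # backend whose latency is within that many milliseconds of the fastest.
    return [b for b in same_priority if b.latency_ms - fastest <= latency_sensitivity_ms]


def select_backend(backends, successful_sample_size, latency_sensitivity_ms, rng=random):
    """Pick one backend, weighted, from the eligible set; None when nothing is healthy."""
    candidates = eligible_backends(backends, successful_sample_size, latency_sensitivity_ms)
    if not candidates:
        return None
    return rng.choices(candidates, weights=[b.weight for b in candidates], k=1)[0]


def selection_counts(backends, successful_sample_size, latency_sensitivity_ms, requests, seed=0):
    """Distribute `requests` picks and count them per backend name (deterministic for a seed)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(requests):
        chosen = select_backend(backends, successful_sample_size, latency_sensitivity_ms, rng)
        counts[chosen.name] = counts.get(chosen.name, 0) + 1
    return counts


def build_lab():
    """Constructed pool: two fast East US instances, one slow one, and a DR backend at priority 2."""
    pool = [
        Backend("eastus-1", priority=1, weight=50, latency_ms=20),
        Backend("eastus-2", priority=1, weight=150, latency_ms=25),
        Backend("westus-1", priority=1, weight=50, latency_ms=120),
        Backend("dr-site", priority=2, weight=50, latency_ms=300),
    ]
    # Constructed probe history (interval 10 s, sample size 5): eastus-2 failed two of five.
    history = {"eastus-1": [1, 1, 1, 1, 1], "eastus-2": [1, 0, 1, 0, 1],
               "westus-1": [1, 1, 1, 1, 1], "dr-site": [1, 1, 1, 1, 1]}
    for b in pool:
        for ok in history[b.name]:
            b.record_probe(ok, sample_size=5)
    return pool


if __name__ == "__main__":
    lab = build_lab()
    print("window:", evaluation_window_seconds(10, 5), "s")
    print("sensitivity 0 :", [b.name for b in eligible_backends(lab, 3, 0)])
    print("sensitivity 10:", selection_counts(lab, 3, 10, 1000))
```

Raising the successful sample size from 3 to 4 makes eastus-2 unhealthy in this lab, which is the trade-off the setting controls: a stricter value removes flapping backends sooner but also drops a backend that merely lost a couple of probes.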
The preceding points cover the configuration you need to make to set up AFD. They help you understand the building blocks of AFD while deploying, configuring, and managing it.
AFD routing rules
Once a connection has been established and the SSL handshake is done, the request lands on an AFD environment. AFD evaluates its configuration, determines which routing rule matches the request, and then takes the defined action. In this section, you will understand the different kinds of routing configuration.
You can consider the request match as the left-hand-side configuration and the action as the right-hand-side configuration.
The left-hand-side configuration contains the following fields:
• Accepted protocols: You define the type of incoming traffic. There are three choices: HTTP only, HTTPS only, and HTTP & HTTPS. Based on how your web site is hosted, you select the accepted incoming traffic. A route that accepts HTTP should normally only redirect to HTTPS; a route that accepts HTTP and forwards it leaves the client traffic unencrypted.
• Frontend host: You select the frontend host on which the traffic will land.
• Paths: Select all the URL path patterns that this route will accept.
The right-hand-side configuration defines the action. There are two types of action:
• Forward and serve from the cache: In this process, the request is first checked against the cache and, if the data is available, the response is served from the cache. If the required data is not in the cache, the request goes to the backend pool. You can control which protocol the request uses to reach the backend pool: HTTP, HTTPS, or the same protocol as the incoming request. Forwarding over HTTP while accepting HTTPS from clients leaves the second hop unencrypted, so prefer HTTPS to the backend:
  • URL rewrite: You can customize the forwarding URL. For example, an incoming request that matches the path /a/b/c can be rewritten so that the backend receives /d/e/f.
  • Caching: The AFD service can deliver large files without any cap on file size. Front Door uses a chunking technique: when a large file is requested, Front Door retrieves smaller pieces of the file from the backend. The AFD environment requests the file from the backend in chunks of 8 MB. After a chunk arrives at the Front Door environment, it is cached and immediately served to the user. Front Door then pre-fetches the next chunk in parallel. This pre-fetch ensures that the content stays one chunk ahead of the user, which reduces latency. The process continues until the entire file is downloaded (if requested), all byte ranges are available (if requested), or the client terminates the connection.
  • Dynamic compression: Front Door can dynamically compress content at the edge, resulting in a smaller and faster response to your clients.
• URL redirect: The AFD service can redirect traffic at multiple levels (protocol, hostname, path, query string). This simplifies application configuration, optimizes resource usage, and supports new redirection scenarios, including global and path-based redirection. There are different types of redirection:
  • 301 (Moved permanently): Indicates that the target resource has been assigned a new permanent URI and any future references to this resource ought to use one of the enclosed URIs. Use the 301 status code for HTTP to HTTPS redirection.
  • 302 (Found): Indicates that the target resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client ought to continue to use the effective request URI for future requests.
  • 307 (Temporary redirect): Indicates that the target resource resides temporarily under a different URI and the user agent MUST NOT change the request method if it performs an automatic redirection to that URI. Since the redirection can change over time, the client ought to continue using the original effective request URI for future requests.
  • 308 (Permanent redirect): Indicates that the target resource has been assigned a new permanent URI and any future references to this resource ought to use one of the enclosed URIs. Clients with link editing capabilities ought to automatically relink references to the effective request URI to one or more of the new references sent by the server, where possible. Like 307, it requires the client to keep the request method, so use 307 or 308 where a redirected POST must stay a POST.
  • Destination host: As part of configuring a redirect route, you can also change the hostname or domain of the redirected request. You can set this field to change the hostname in the redirect URL or otherwise preserve the hostname from the incoming request. Using this field, you can redirect all requests sent to https://www.mybook.com/* to https://www.myfrontdoor.com/*.
  • Destination path: Where you want to replace the path segment of a URL as part of the redirection, set this field to the new path value. Otherwise, you can choose to preserve the path as part of the redirect. Using this field, you can redirect all requests sent to https://www.myfrontdoor.com/* to https://www.myfrontdoor.com/redirectedsite.
  • Query string parameter: You can also replace the query string parameters in the redirected URL. To replace any existing query string from the incoming request URL, set this field to Replace and then set the appropriate value. Otherwise, you can retain the original set of query strings by setting the field to Preserve. For example, requests sent to https://www.myfrontdoor.com/image/office with any query string can be redirected to https://www.myfrontdoor.com/image/office carrying the query string you configure.
  • Destination fragment: The destination fragment is the portion of the URL after #, normally used by browsers to land on a specific section of a page. You can set this field to add a fragment to the redirect URL.
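The following is an added example, not Front Door's own code: it computes the redirect response (status code and Location header) that a redirect route with the fields above would produce, covering the HTTP-to-HTTPS case, host and path replacement, query string Preserve/Replace, and the fragment. The request URLs and rule values are constructed; the key names of the rule dictionary are this example's own, not Front Door's configuration schema.

```python
"""Added example for this chapter, not Front Door's own code: computes the
redirect response (status code and Location header) that a redirect routing
rule with the fields described above would produce. The request URLs and rule
values are constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit

# Redirect type -> status code, as listed above.
STATUS = {"Moved": 301, "Found": 302, "TemporaryRedirect": 307, "PermanentRedirect": 308}


def apply_redirect_rule(request_url, rule):
    """Return (status, location) for a request matched by a redirect rule.

    rule keys (this example's own names; all optional except redirect_type):
      redirect_type        Moved | Found | TemporaryRedirect | PermanentRedirect
      redirect_protocol    HttpsOnly | HttpOnly | MatchRequest (default HttpsOnly)
      destination_host     new host, or None to preserve the incoming host
      destination_path     new path, or None to preserve the incoming path
      query_string         "Replace" (uses query_value) or "Preserve" (default)
      destination_fragment fragment to add, or None to keep the incoming one
    """
    parts = urlsplit(request_url)
    protocol = rule.get("redirect_protocol", "HttpsOnly")
    scheme = {"HttpsOnly": "https", "HttpOnly": "http", "MatchRequest": parts.scheme}[protocol]
    host = rule.get("destination_host") or parts.netloc        # empty -> preserve
    path = rule.get("destination_path") or parts.path          # empty -> preserve
    if rule.get("query_string", "Preserve") == "Replace":
        query = rule.get("query_value", "")
    else:
        query = parts.query
    fragment = rule.get("destination_fragment") or parts.fragment
    return STATUS[rule["redirect_type"]], urlunsplit((scheme, host, path, query, fragment))


def method_preserved(status):
    """307 and 308 forbid the client from changing the request method (a POST stays
    a POST); 301 and 302 do not, and browsers commonly re-issue them as GET."""
    return status in (307, 308)


def http_to_https_rule():
    """The HTTP-to-HTTPS redirect described above: 301 to HTTPS with host, path and
    query string preserved."""
    return {"redirect_type": "Moved", "redirect_protocol": "HttpsOnly"}


if __name__ == "__main__":
    print(apply_redirect_rule("http://www.myfrontdoor.com/login?next=%2Fhome", http_to_https_rule()))
    print(apply_redirect_rule("https://www.mybook.com/docs/intro",
                              {"redirect_type": "PermanentRedirect",
                               "destination_host": "www.myfrontdoor.com"}))
```

Note that the HTTP-to-HTTPS rule preserves the query string: anything a client sent in the clear has already been exposed, so a redirect upgrades future requests but does not undo that, which is why sensitive parameters should not travel in URLs at all.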
In this section, we learnt about the routing mechanism in AFD. This will help you define routes during deployment and understand them while managing AFD.
Create Azure Front Door
We have gone through the basic building blocks of AFD. The preceding concepts help you make the right decisions and choose the correct options while creating AFD. In this section, we will go through the steps to deploy AFD:
1. Log in to the Azure portal and search for Front Door in the search bar.
2. Choose the subscription and resource group where you want to deploy AFD. You can also create a new resource group.
3. In the next step, click on Configuration. Here, you need to enter the details of the frontend host. Enter the host name of Front Door's frontend host; this name must be globally unique. You can choose to enable or disable session affinity and WAF. If you enable WAF, you attach a WAF policy; remember that a policy in Detection mode only logs matching requests, while Prevention mode blocks them:
Figure 4.45: Create frontend host for Azure Front Door
4. Now you need to add a Front Door backend pool. You can choose different kinds of Azure services as the backend. Click on + Add backend pool to add backend resources. Once you click on + Add backend pool, a new window opens to enter the details of the backend resource. There are different resource types which you can choose for the backend pool:
Figure 4.46: Add backend host to Azure Front Door
You can add multiple backends to the pool and assign them different priorities and weights. You can keep the default health probe and load balancing settings.
5. In the Configuration step, the next important step is to create the routing rules:
Figure 4.47: Create routing rules for Azure Front Door
Once you have chosen the required route type and other settings, you can click on Create.
In this section, you learnt how to create and configure AFD. Now you can deploy AFD in your environment and set up a proper backend pool for it. You also understood the routing process of AFD. In the next section, we will study Azure Firewall in detail: its features and the ways to configure it.
Azure Firewall
Azure Firewall is a cloud-based, managed network security service that protects your Azure Virtual Network resources. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network.
Features of Azure Firewall
Every firewall has its own features, and as a security administrator you need to select the right firewall option for your organization. In this section, let's understand the features of Azure Firewall. Based on them, you can decide whether to choose Azure Firewall for your environment:
• High availability: Azure Firewall is a fully managed PaaS service with built-in high availability, so you do not need to deploy any additional load balancers.
• Availability zones: You can deploy Azure Firewall into availability zones to increase its availability. The 99.99% uptime SLA is offered when two or more availability zones are selected at deployment time.
• Scalability: Azure Firewall scales automatically, so you do not need to plan for peak times; it scales out as needed to accommodate your network traffic.
• Application FQDN filtering: You can restrict outbound HTTP and HTTPS traffic to an allowed list of application FQDNs. In this way, you control your outbound internet exposure.
• Network traffic filtering: You can control outbound and inbound network traffic to and from specific IP addresses or ranges and ports. This is similar to what a Network Security Group (NSG) does, but it is enforced centrally at the firewall, and every allowed and denied flow can be logged.
• FQDN tags: An FQDN tag represents the group of FQDNs associated with a well-known Microsoft service (for example, Windows Update). You use it in application rules to allow that service's traffic without listing every FQDN yourself.
• Service tags: We discussed service tags in the previous section; a service tag represents a group of IP address prefixes and helps minimize the complexity of security rule creation. You cannot create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
• Threat intelligence: Azure Firewall uses threat intelligence-based filtering to alert on and deny traffic from and to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. This is a reputation check, not full intrusion detection; for IDPS you need the Premium tier described below.
• Outbound SNAT: When traffic flows out of your virtual network, its source IP address is translated to the Azure Firewall public IP (source Network Address Translation (NAT)).
• Inbound DNAT: Inbound internet traffic to your firewall's public IP address is translated (destination NAT) and filtered to the private IP addresses on your virtual networks.
• Multiple public IP addresses: You can associate multiple public IP addresses (up to 100) with your firewall.
• Compliance certifications: Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), International Organization for Standardization (ISO), and ICSA Labs compliant.
• TLS inspection: This is an Azure Firewall Premium feature. Azure Firewall Premium terminates outbound and east-west TLS connections: before sending the data to the destination, it decrypts the outbound traffic, analyzes the data, and re-encrypts it for the destination. Inbound TLS inspection is not supported.
• Support for IDPS: This is also an Azure Firewall Premium feature. It allows you to monitor your network for malicious activity, log information about this activity, and optionally block it.
• URL filtering: With this, you can be more specific about which web page to block or allow. With Azure Firewall Premium, you can filter on a full URL such as www.mybook.com/video/azurefirewall instead of blocking all of www.mybook.com. For HTTPS traffic, this requires TLS inspection, because the path is only visible after decryption.
• Traffic control based on web categories: This feature allows you to block web traffic based on its category, for example social media, music, or entertainment sites.
The preceding features will help you decide whether to choose Azure Firewall. You can decide which features to enable and use in your environment as per your business requirements.
Create, configure, and manage Azure Firewall
Control over inbound and outbound network access is an important part of the overall network security plan of any organization. For example, your organization may want to limit access to certain web sites or to limit the outbound IP addresses and ports that can be accessed. Azure Firewall provides the capability to control and monitor inbound and outbound traffic. Azure Firewall Premium adds IDPS, threat detection, TLS inspection, and DNS settings. All these features are controlled through an Azure Firewall policy. Firewall policies can be created and managed from the Azure portal or from Azure Firewall Manager. We will study these components in the coming sections.
Create Azure Firewall
To deploy Azure Firewall, you require a virtual network with a dedicated subnet for Azure Firewall named AzureFirewallSubnet. Let's follow these steps to deploy and configure Azure Firewall:
1. Log in to the Azure portal.
2. As a prerequisite, you need a virtual network and a subnet to deploy Azure Firewall. You are already aware of the process to create a virtual network and subnet; follow those steps to get them ready. The AzureFirewallSubnet must be at least a /26. The resource group of the virtual network and of Azure Firewall must be the same.
3. Once the virtual network and the subnet for Azure Firewall are ready, search for Firewall in the search bar. I created a virtual network AzHub-VNet to deploy the firewall; this virtual network has the AzureFirewallSubnet. Fill in the information as shown in the following figure:
Figure 4.48: Create Azure Firewall 1
Select the subscription, resource group name, Azure Firewall name, region to deploy in, and availability zones. If you choose availability zones, then the public IP address must also be zone-redundant or belong to the same availability zones:
Figure 4.49: Create Azure Firewall 2
Azure Firewall is also available in the Premium tier. I am selecting the Premium tier to demonstrate the maximum set of features; you can choose the tier based on your business requirements.
Azure Firewall Premium works with Azure Firewall policies. We will study Azure Firewall policies in the coming sections. Here, you can create a new firewall policy or use an existing one; we are just creating a default firewall policy. This firewall policy can be managed directly from the Azure portal or from Firewall Manager.
In the next step, you select the virtual network where you want to deploy the firewall. You can choose an existing virtual network or create a new one. Azure Firewall also requires a public IP to communicate with the public internet.
After entering the appropriate details, click on Create to start the Azure Firewall deployment. It may take some time to complete.
Create user defined route
In the preceding steps, you created Azure Firewall. This firewall is not effective until it is associated with other network resources and until it has firewall rules. For the firewall to do its job, traffic must pass through it, so you need to create appropriate routes that send the traffic through the firewall. In Azure, you use User Defined Routes (UDR) to control the flow of your traffic. Now we will see how to create a UDR.
We will create a UDR to route traffic from an Azure virtual machine residing in the web subnet of AZ-Spoke-VNet. For this, we have created AZ-Spoke-VNet, a web subnet, and a virtual machine for testing. Follow these steps to create the UDR:
1. Log in to the Azure portal and search for route table.
2. Click on + Add to create a new route table. Fill in the details as shown in the following figure: give the route table a name and select the subscription and resource group. I am creating this UDR to route traffic from the web subnet (in the spoke VNet) to Azure Firewall:
Figure 4.50: Create User Defined Route
3. After filling in the details, click on Create. In the next steps, we will see how to attach, configure, and use this UDR to route the traffic to Azure Firewall.
4. Once the UDR deployment is completed, the overview looks like this:
Figure 4.51: Azure user defined route overview
There is no route yet, and this route table is not associated with any subnet.
5. To create a route, click on Routes in the left panel; a new window opens to fill in the details:
Figure 4.52: Create routing rule in Azure user defined route
Here, I am creating a route that sends any outbound internet traffic from the web subnet (in AZ-Spoke-VNet) to Azure Firewall. I gave the route a name and the internet address prefix 0.0.0.0/0. When traffic goes to the internet, the next hop is the virtual appliance (Azure Firewall), and the private IP of our Azure Firewall is 10.2.0.4.
6. Now you have a route that sends traffic to Azure Firewall. But the route only specifies the destination; it says nothing about the source. To define the source, you associate this route table with a subnet. Click on Subnets and then + Associate. In the new blade, you select the virtual network first and then the subnet under that VNet. For this demo, I already have AZ-Spoke-VNet with the IP range 10.3.0.0/16 created and peered with Az-Hub-VNet:
Figure 4.53: Associate Azure user defined route to a subnet
I have selected the spoke VNet and the corresponding subnet for association.
7. Now you can see on the Overview page that you have a route (TrafficToInternet) that sends internet traffic through Azure Firewall and that the route table is associated with the WebSubnet. In this manner, you have covered all VMs in the web subnet as a source: whichever VM sends traffic to the internet, that traffic first passes through Azure Firewall:
Figure 4.54: Azure user defined route updated overview
As shown in the preceding figure, we now have a route for the firewall. With the help of this route, we redirect our traffic to land on Azure Firewall. Note that a UDR only steers traffic; until the firewall has rules that allow it, the redirected traffic is dropped, which is the expected default.
Now we need to configure firewall rules in Azure Firewall. Let's move on to the other components of Azure Firewall to configure it.
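The following is an added example, not Azure's own code or tooling: it checks the AzureFirewallSubnet requirements stated above (name and minimum /26), derives the firewall's private IP from the subnet, builds the default route of step 5, and refuses the one association that breaks this design, attaching the default route to the firewall's own subnet. The hub prefix 10.2.0.0/26 for AzureFirewallSubnet and the WebSubnet prefix 10.3.1.0/24 are assumptions; the text gives only the firewall IP 10.2.0.4 and the spoke range 10.3.0.0/16.

```python
"""Added example for this chapter, not Azure's own code: validates the
AzureFirewallSubnet, derives the firewall's private IP, and builds the default
route that sends a spoke subnet's internet-bound traffic through the firewall.
The subnet prefixes used here are assumptions made for the example."""
import ipaddress

FIREWALL_SUBNET = "AzureFirewallSubnet"


def validate_firewall_subnet(name, prefix):
    """Azure Firewall deploys only into a subnet named AzureFirewallSubnet of at least /26."""
    net = ipaddress.ip_network(prefix, strict=True)
    if name != FIREWALL_SUBNET:
        raise ValueError(f"firewall subnet must be named {FIREWALL_SUBNET}, got {name}")
    if net.prefixlen > 26:
        raise ValueError(f"{FIREWALL_SUBNET} must be /26 or larger, got /{net.prefixlen}")
    return net


def firewall_private_ip(firewall_net):
    """Azure reserves the first four addresses of every subnet, so the firewall takes
    the fifth: 10.2.0.0/26 -> 10.2.0.4, the address used in the chapter's lab."""
    return str(firewall_net.network_address + 4)


def internet_route(name, firewall_ip):
    """The route created in step 5: all internet-bound traffic, next hop the firewall."""
    return {"name": name, "addressPrefix": "0.0.0.0/0",
            "nextHopType": "VirtualAppliance", "nextHopIpAddress": firewall_ip}


def check_association(route, subnet_name, subnet_prefix, firewall_net):
    """Step 6 guard: the firewall's own subnet must never get a default route pointing
    back at the firewall, and the next hop must actually be the firewall's address."""
    subnet = ipaddress.ip_network(subnet_prefix, strict=True)
    hop = ipaddress.ip_address(route["nextHopIpAddress"])
    if subnet_name == FIREWALL_SUBNET or subnet.overlaps(firewall_net):
        raise ValueError("do not associate the default route with AzureFirewallSubnet")
    if hop not in firewall_net:
        raise ValueError(f"next hop {hop} is not inside {FIREWALL_SUBNET}")
    return {"subnet": subnet_name, "routeTable": route["name"], "nextHop": str(hop)}


if __name__ == "__main__":
    hub_fw = validate_firewall_subnet("AzureFirewallSubnet", "10.2.0.0/26")  # assumed prefix
    route = internet_route("TrafficToInternet", firewall_private_ip(hub_fw))
    print(route)
    print(check_association(route, "WebSubnet", "10.3.1.0/24", hub_fw))   # assumed prefix
```

The same checks apply when the route is created with a template or a script instead of the portal: the portal refuses a wrongly named or too small firewall subnet for you, but it will happily let you associate the default route with the wrong subnet.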
Configuring Azure Firewall public IP
You can attach multiple public IPs to Azure Firewall. These public IPs can be used for NAT, so you can use a firewall public IP to translate incoming traffic to a private IP in your network. This avoids direct exposure of your web server to the internet. To attach additional public IPs to your firewall, go to the Public IP configuration section in the left panel. There, click on + Add to add a new public IP. You can either use an unattached existing public IP or create a new one.
Creating, configuring, and managing Azure
Firewall policy
An Azure Firewall policy is a set of configuration and rules. It contains the NAT, application, and network rule collections. It also holds the settings for threat intelligence, TLS inspection, and IDPS. A firewall policy can be associated with one or more virtual hubs or VNets in any subscription and region.
You can create a new firewall policy or inherit from an existing policy. A child policy inherits all rule collections from the parent policy. Network and application rules inherited from the parent policy take precedence over locally created rules. NAT rules are not inherited because they are specific to the local firewall. Network rules are always processed before application rules.
The threat intelligence mode is also inherited. If it is enabled in the parent policy, it cannot be disabled in the child policy; the child can only override the parent value with a stricter one (for example, Alert only in the parent can become Alert and deny in the child).
Components of Azure Firewall policy
Let's discuss the building blocks of a firewall policy. They will help you create and manage firewall policies easily. You encounter the following components when you create a new policy or manage an existing one:
• DNS settings: DNS settings allow you to specify custom DNS servers for name resolution. If you do not specify any custom DNS server, Azure Firewall uses Azure DNS by default. Azure Firewall can have multiple DNS server entries.
• DNS proxy: Azure Firewall can also act as a DNS proxy. If you enable custom DNS settings, you should also enable the DNS proxy on Azure Firewall. This avoids mismatches in DNS resolution between the firewall and the clients and is required for FQDN filtering in network rules.
• TLS inspection: With TLS inspection, Azure Firewall Premium can terminate outbound TLS connections. Azure Firewall Premium uses an intermediate CA certificate to re-encrypt the outbound request and sends it to the original destination, so your clients must trust that CA.
• Rule collection type: Azure Firewall rules decide what happens when traffic reaches the firewall. You can take different actions based on your requirements. There are three kinds of firewall rule collections:
  • Network Address Translation (NAT) rule collections.
  • Network rule collections.
  • Application rule collections.
We will discuss these rules in detail while configuring the firewall policy.
• IDPS support in Azure Firewall: Azure Firewall Premium adds IPS/IDS functionality. This helps you monitor malicious activity on your network. When you enable this feature, you can configure Azure Firewall in alert only or alert and deny mode. In alert only mode, it detects the suspicious traffic and generates an alert. In alert and deny mode, it detects the suspicious traffic, generates an alert, and blocks the suspicious traffic.
In the IDPS bypass list, you can exempt traffic to and from the IP addresses, ranges, and subnets specified in the list from IDPS filtering.
• Threat intelligence: You can filter traffic in your Azure Firewall based on threat intelligence. This applies to both inbound and outbound traffic. You can configure Azure Firewall in alert only or alert and deny mode. In alert only mode, it detects the suspicious traffic and generates an alert. In alert and deny mode, it detects the suspicious traffic, generates an alert, and blocks the suspicious traffic. Threat intelligence gets the IP and domain information from the Microsoft Threat Intelligence feed.
If you enable threat intelligence-based filtering, the associated rules are processed before any NAT, network, and application rules. You can also add an allow list of IP addresses and FQDNs that are exempt from it.
• Parent policy: Azure Firewall policies can be arranged in a parent and child hierarchy. You can assign any policy as the parent policy of another policy. We have already learnt about the inheritance of rules in the parent and child hierarchy.
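The following is an added example, not Azure Firewall's own code: a simplified model of the processing order described above for a child policy that inherits from a parent. Threat intelligence is evaluated first (with its allow list), NAT rules come only from the local policy, and the parent's network and application rules are processed before the child's, with network rules before application rules and an implicit deny at the end. The policies, rules, addresses (TEST-NET ranges), FQDNs and the threat feed contents are constructed for the example.

```python
"""Added example for this chapter, not Azure Firewall's own code: a simplified
model of the documented rule processing order for a child policy inheriting
from a parent. Policies, rules, addresses and the feed are constructed."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Microsoft Threat Intelligence feed.
THREAT_FEED = {"ip": {"203.0.113.9"}, "fqdn": {"bad.example"}}
TI_STRICTNESS = {"Off": 0, "Alert": 1, "Deny": 2}


class FirewallPolicy:
    def __init__(self, name, parent=None, threat_intel="Alert", ti_allowlist=(),
                 nat=(), network=(), application=()):
        self.name, self.parent = name, parent
        self.threat_intel, self.ti_allowlist = threat_intel, set(ti_allowlist)
        self.nat, self.network, self.application = list(nat), list(network), list(application)

    def effective_threat_intel(self):
        """A child may only tighten the inherited mode: Off in the child does not switch
        off a parent that is set to Alert or Deny."""
        mode = self.threat_intel
        if self.parent and TI_STRICTNESS[self.parent.threat_intel] > TI_STRICTNESS[mode]:
            mode = self.parent.threat_intel
        return mode

    def chain(self):
        """Parent first, then child, for the inherited rule collections."""
        return ([self.parent] if self.parent else []) + [self]


def _match(rule, flow):
    src_ok = ip_address(flow["src"]) in ip_network(rule["src"])
    if "fqdns" in rule:  # application rule: matches on FQDN and http/https
        app = {80: "http", 443: "https"}.get(flow["port"])
        return src_ok and flow.get("fqdn") in rule["fqdns"] and app in rule["protocols"]
    dst_ok = ip_address(flow["dst"]) in ip_network(rule["dst"])
    return src_ok and dst_ok and flow["port"] in rule["ports"] and flow["proto"] in rule["protocols"]


def evaluate(policy, flow):
    """Evaluate a flow {src, dst, port, proto, fqdn?} and return verdict, reason and alerts."""
    alerts = []
    mode = policy.effective_threat_intel()
    if mode != "Off" and flow["dst"] not in policy.ti_allowlist:
        if flow["dst"] in THREAT_FEED["ip"] or flow.get("fqdn") in THREAT_FEED["fqdn"]:
            if mode == "Deny":
                return {"verdict": "Deny", "reason": "threat intelligence", "alerts": alerts}
            alerts.append("threat intelligence")
    # NAT rules are specific to the local firewall and are never inherited.
    for rule in policy.nat:
        if _match(rule, flow):
            return {"verdict": "Allow", "reason": f"nat:{rule['name']} -> {rule['translated']}",
                    "alerts": alerts}
    # Network rules before application rules; within each, parent before child.
    for collection in ("network", "application"):
        for p in policy.chain():
            for rule in getattr(p, collection):
                if _match(rule, flow):
                    return {"verdict": rule["action"],
                            "reason": f"{collection}:{p.name}/{rule['name']}", "alerts": alerts}
    return {"verdict": "Deny", "reason": "no rule matched (implicit deny)", "alerts": alerts}


def build_lab():
    """Constructed parent/child pair: the parent denies outbound SSH and allows one FQDN,
    the child tries to allow SSH anyway and holds a local DNAT rule."""
    parent = FirewallPolicy(
        "corp-parent", threat_intel="Alert",
        network=[{"name": "deny-ssh-out", "action": "Deny", "src": "10.3.0.0/16",
                  "dst": "0.0.0.0/0", "ports": [22], "protocols": ["TCP"]}],
        application=[{"name": "allow-mybook", "action": "Allow", "src": "10.0.0.0/8",
                      "fqdns": ["www.mybook.com"], "protocols": ["https"]}])
    child = FirewallPolicy(
        "spoke-policy", parent=parent, threat_intel="Off",
        nat=[{"name": "web-dnat", "src": "0.0.0.0/0", "dst": "198.51.100.10/32",
              "ports": [443], "protocols": ["TCP"], "translated": "10.3.1.4:443"}],
        network=[{"name": "allow-ssh-out", "action": "Allow", "src": "10.3.0.0/16",
                  "dst": "0.0.0.0/0", "ports": [22], "protocols": ["TCP"]}])
    return parent, child


if __name__ == "__main__":
    parent, child = build_lab()
    print(evaluate(child, {"src": "10.3.1.4", "dst": "192.0.2.7", "port": 22, "proto": "TCP"}))
    print(evaluate(child, {"src": "192.0.2.50", "dst": "198.51.100.10", "port": 443, "proto": "TCP"}))
```

The model is deliberately flat: real policies group rule collections into rule collection groups with their own priorities, but the properties worth testing before you rely on a hierarchy are the ones modelled here: a child cannot relax a parent deny, cannot turn threat intelligence off, and does not receive the parent's NAT rules.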
We will use these components in the coming sections while configuring and managing the Azure Firewall policy.
Create Azure Firewall policy
In the last section, you saw the components of an Azure Firewall policy. In this section, we will only look at the process of creating an Azure Firewall policy; the configuration part is covered in the coming section.
There are two ways to create an Azure Firewall policy:
• From the Azure portal:
  • In this option, you log in to the Azure portal and search for Firewall policy. This opens the Firewall Policies page, where you can see the existing firewall policies and create new ones.
  • Click on + Add to create a new firewall policy. This opens a new window with multiple tabs, one per feature. The tabs correspond to the firewall policy features we discussed in the last section.
  • You can fill in the details on these tabs and configure the firewall policy here as well. If you do not want to fill in all the details now, you can configure them later. We will see how to configure these tabs in the coming section.
  • Once you have filled in the details or kept the default configuration, click on Create to create the new firewall policy.
• From Azure Firewall Manager:
  • This is the second option to create a firewall policy. Go to Azure Firewall Manager in the Azure portal and open Azure Firewall Policies under the Security section. Here, you will see the existing Azure Firewall policies to manage and an option to create a new Azure Firewall policy.
  • Click on Create Azure Firewall Policy to create a new firewall policy.
  • You will see the same feature tabs as in the previous option.
  • You can fill in the details on these tabs and configure the firewall policy here as well. If you do not want to fill in all the details now, you can configure them later. We will see how to configure these tabs in the coming section.
  • Once you have filled in the details or kept the default configuration, click on Create to create the new firewall policy.
You can use either option to create an Azure Firewall policy.
Microsoft Azure Security Technologies (AZ-500) - A Certification Guide
248
Connect Azure Firewall policy with VNet and hubs
Once you have created an Azure Firewall policy, you can associate it with your Azure
VNets and hubs through Azure Firewall Manager. While creating the Azure Firewall
policy, you can either fill in the information in all the tabs or just create a firewall
policy with the default configuration and update the configuration after attaching it
to the firewall. Let’s see how you can attach a policy through Azure Firewall Manager:
1. Log in to the Azure portal and go to Azure Firewall Manager. You will see a few
options under the Deployment and Security sections in the left panel.
2. Go to Azure Firewall Policies under the Security section. Here, you will
see the existing Azure Firewall policies to manage and an option to create a new
Azure Firewall policy.
3. You can click on Create Azure Firewall Policy to create a new firewall policy.
4. Select an existing firewall policy to manage its associations:
Figure 4.55: Manage associated Azure Firewall policy
As shown in the preceding figure, I selected an existing firewall policy. This
firewall policy is associated with an Azure VNet. To manage its associations,
click on Manage associations. From here, you can associate this policy with,
or disassociate it from, VNets and hubs.
5. Similarly, if you select an unassociated firewall policy, you only get options to
associate it with VNets and hubs:
Figure 4.56: Manage unassociated Azure Firewall policy
As shown in the preceding figure, I selected an unassociated firewall policy.
When you click on Manage associations, you get options to associate it with
VNets and hubs.
In this section, we learnt the process of associating a firewall policy with an Azure
VNet or hub. When any traffic lands on Azure Firewall through user defined routes
(UDR) or from the internet, Azure Firewall checks the Azure Firewall policies. If it
finds an associated firewall policy for the source or destination VNet, it acts according
to the rules configured in that firewall policy.
So, you should configure the firewall rules very carefully, because they affect every
device in the associated VNet.
Manage Azure Firewall policy
After the last section, you know the components of Azure Firewall policy and the
process to create and associate it. Let’s use this information to manage Azure Firewall
policies for various scenarios. We will create firewall policies for the different types
of rule collection and then apply them to see how they work.
Firewall policy with Destination Network Address Translation (DNAT) rule collections
In this setup, we will see how you can configure Azure Firewall to translate and
filter inbound internet traffic to your subnets. Each DNAT rule in a DNAT rule
collection translates your firewall’s public IP and port to a private IP and port. A DNAT
rule collection is a collection of inbound rules.
To test this, I already have a VM created in the web subnet. This VM does not have a
public IP to connect to from the Internet. In this demo, we will create a DNAT rule that
translates Azure Firewall’s public IP to the VM’s private IP so that we can log in to the
VM. In this process, we will log in to the VM through Azure Firewall’s public IP. Let’s
configure the DNAT rule for this:
1. Go to the Azure Firewall policy and click on Rule Collections in the left panel.
You will see an option to create a new rule collection. Click on + Add to create
a new rule collection and select the rule collection type DNAT.
2. The fields are simple to understand. Give a name to this rule collection; a
collection can hold multiple DNAT rules. Then assign a priority to the
collection: the lowest number has the highest priority. In the next field,
you can select Allow or Deny as the rule collection action. This action defines
what happens to the traffic once you attach this policy to a subnet. Then,
in the next block, you have a few more fields to create a rule:
• Name: Name of the DNAT rule. Since I am creating an RDP rule for the web
  VM, I gave it the name RDPWebVM.
• Source type: It can be IP address or IP group.
• Source: Based on the source type, you choose the source. I chose IP
  Address, and because I want to access my web VM from any internet IP, I gave *
  as the source. * includes all IPs.
• Protocol: You can choose TCP or UDP as the protocol for the incoming traffic.
• Destination Ports: Define the port on which the incoming traffic will hit
  the firewall.
• Destination Type: This will be the public IP of your firewall.
• Destination addresses: This is the destination address the traffic reaches
  first, that is, your Azure Firewall’s public IP.
• Translated address: This is your web VM’s private IP. The firewall’s public
  IP is translated to this address.
• Translated Port: This is the port on which the incoming traffic will hit the
  VM. You can translate your Azure Firewall port to the VM’s port. Since this
  rule is for RDP, the translated port should be 3389:
Figure 4.57: Create NAT rule in Azure Firewall
3. Like this, you can create multiple rules for different VMs and network
resources.
4. Now you can RDP to this VM through the firewall’s public IP, that is,
20.185.104.120:
Figure 4.58: Login on a server with Azure Firewall public IP
The preceding figure shows the server logged in to through Azure Firewall’s public
IP. Your incoming RDP traffic now comes through Azure Firewall, and you can
access the VM through a public IP in a secure way.
Firewall policy with network rule collection
A network rule collection is a collection of outbound rules. Here you define what
kind of traffic is allowed and denied from the associated subnet. The configuration is
broadly similar to the outbound rules of an NSG. To create a network rule collection,
click on Rule Collections in the left panel of the Azure Firewall policy and then click on
+ Add. You get a new window to create the collection and its rules. Let’s follow these
steps and understand how it works:
1. Go to the Azure Firewall policy and click on Rule Collections in the left panel.
You will see an option to create a new rule collection. Click on + Add to create
a new rule collection and select the rule collection type Network.
2. The fields are simple to understand. Give a name to this rule collection; a
collection can hold multiple network rules. Then assign a priority to the
collection: the lowest number has the highest priority. Then, in the next
block, you have a few more fields to create a rule:
• Name: Name of the collection. We are creating this collection to allow
  outbound traffic from the web servers residing in the web subnet.
• Priority: It decides which collection takes precedence among multiple
  collections. The collection with the lower number takes higher priority.
• Action: You define whether the rules in this collection allow the traffic
  or block it.
• Source type: You can control the traffic for an IP address or a group of IPs.
• Source IP: To control traffic based on IP ranges, you fill in the details
  in this section. Give a name to the rule. I am creating a rule to allow SQL
  traffic from the web servers residing in the web subnet (10.3.0.0/24)
  to the SQL servers residing in the subnet 10.3.1.0/24 on SQL port
  1443. Like this, you can create other rules as well.
• Destination Ports: Here you mention the destination port your traffic should
  reach. In this example, we will be hitting port 1443 of the destination.
• Protocol: Here you select the transport protocol of the traffic to the
  destination.
• Destination Type: Here you select the type of destination. Azure Firewall
  policy supports multiple types of destination. You are already familiar with IP
  address and IP group:
  • Service Tag: You can control traffic to Azure services as well. For them,
    you do not need IP addresses, and it is also not recommended to use IP
    addresses to control access to Azure services. For Azure services, you can
    use service tags. Here we are creating another rule to allow outbound traffic
    from the web servers in the web subnet (10.3.0.0/24) to the Azure Backup
    service.
  • FQDN: Here you can put the FQDN of any public service:
Figure 4.59: Create network rule collection in Azure Firewall
3. Once you have filled in the preceding details, you can add this rule and it
comes into effect.
Firewall policy with application rule collection
In an application rule collection, you create outbound rules based on the application
URL. You define for which URLs the traffic is allowed or blocked from the
associated subnet. For this demo, we have a WebVM created, and we will create an
application rule to block www.msn.com. Let’s follow these steps to understand the
configuration and functionality:
1. Go to the Azure Firewall policy and click on Rule Collections in the left panel.
You will see an option to create a new rule collection. Click on + Add to create
a new rule collection and select the rule collection type Application.
2. The fields are simple to understand. Give a name to this rule collection; a
collection can hold multiple application rules. Then assign a priority to the
collection: the lowest number has the highest priority. Then, in the next
block, you have a few more fields to create a rule:
• Name: Name of the collection. I am creating this collection to block
  certain websites, so I gave it a name relevant to that.
• Priority: There can be multiple application rule collections; to decide
  which one takes precedence, you assign a priority to each. As with other
  resources, the lower number has the higher priority.
• Action: I chose Deny because I want to block traffic.
• Source type: You can control the traffic for an IP address or a group of IPs.
• Source IP: To control traffic based on IP ranges, you fill in the details
  in this section. Give a name to the rule. I am creating a rule to block
  Windows Update traffic from the web servers residing in the web subnet
  (10.3.0.0/24) to the WindowsUpdate tag. Like this, you can create other
  rules as well.
• TLS inspection: Check this box if you want to enable TLS inspection for
  the rule.
• Protocol: Here you select the protocol of the traffic to the destination.
• Destination Type: Here you define the type of destination. Azure
  Firewall supports various types of destination:
  • FQDN tags: FQDN tags represent a group of fully qualified domain
    names (FQDNs) associated with well-known Microsoft services.
    You can use an FQDN tag to allow or deny the required outbound
    network traffic through your firewall. For example, to manually allow
    or block Windows Update network traffic through your firewall, you
    would need to create multiple application rules. Using FQDN tags, you
    can create one application rule, include the Windows Update tag, and
    network traffic to the Microsoft Windows Update endpoints is controlled
    through your firewall. Here, I am blocking Windows Update traffic for the
    web servers residing in the web subnet (10.3.0.0/24). You can create
    multiple such rules.
  • FQDN: The next supported destination type is FQDN. Here you can
    control outbound traffic to a target FQDN or URL. I am creating a rule
    to block browsing of www.msn.com from the web servers.
  • URL: In this destination type, you can define a path of a URL. For
    example, here we are creating a rule to block www.indiatimes.com/
    video. Users will be able to browse www.indiatimes.com and any
    other child page of it, but not the /video page. URL-based destinations
    help you control page level access on a website. For URL-based
    destinations, enabling TLS inspection is mandatory.
  • Web Category: You may want to block all gambling related websites
    but not know the complete list of such websites. This destination type
    lets you define a web category that you want to allow or block, and
    Microsoft takes care of blocking all such URLs:
Figure 4.60: Create application rule collection in Azure Firewall
As shown in the preceding figure, you can create multiple rules for different
destination types.
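As an added illustration, not the book’s own code and not an Azure API, the following Python models how the rule collections built in the DNAT, network and application sections above are evaluated: threat intelligence first, then DNAT, network and application collections, lowest priority number first within each type, and an implicit deny when nothing matches. The RDP DNAT rule on 20.185.104.120, the 10.3.0.0/24 to 10.3.1.0/24 rule on port 1443 and the www.msn.com deny rule are the chapter’s; the web VM private IP 10.3.0.4, the DenyWebToSqlOther collection and the sample flows are constructed for the example, and details such as the implicit network rule Azure adds for translated DNAT traffic are not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    sources: list                 # CIDRs or single IPs; "*" means any source
    protocols: list               # DNAT/network: "TCP"/"UDP"; application: "Http"/"Https"
    dest_ports: list = field(default_factory=list)      # empty list = any port
    dest_addresses: list = field(default_factory=list)  # CIDRs/IPs; "*" = any
    target_fqdns: list = field(default_factory=list)    # application rules only
    translated_address: str = ""                        # DNAT rules only
    translated_port: int = 0                            # DNAT rules only


@dataclass
class Collection:
    name: str
    kind: str        # "DNAT", "Network" or "Application"
    priority: int    # lower number = evaluated earlier, as in the portal
    action: str      # "Allow" or "Deny" (DNAT collections translate instead)
    rules: list


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    protocol: str    # transport protocol, matched by DNAT and network rules
    fqdn: str = ""   # host the client asked for (SNI/Host), matched by application rules
    app: str = ""    # "Http" or "Https" for web traffic


def _match_addr(candidates, addr):
    return any(c == "*" or ip_address(addr) in ip_network(c, strict=False)
               for c in candidates)


def _match_fqdn(patterns, fqdn):
    # Exact match, or a wildcard such as "*.contoso.com".
    return any(p == fqdn or (p.startswith("*.") and fqdn.endswith(p[1:]))
               for p in patterns)


def _rule_matches(rule, flow, kind):
    if not _match_addr(rule.sources, flow.src):
        return False
    if kind == "Application":
        return flow.app in rule.protocols and _match_fqdn(rule.target_fqdns, flow.fqdn)
    if flow.protocol not in rule.protocols:
        return False
    if rule.dest_ports and flow.port not in rule.dest_ports:
        return False
    return _match_addr(rule.dest_addresses, flow.dst)


def evaluate(policy, flow, threat_intel_denied=frozenset()):
    """Return (verdict, reason) for one flow against a list of Collections."""
    # Threat intelligence filtering runs before any NAT, network or application rule.
    if flow.dst in threat_intel_denied or flow.fqdn in threat_intel_denied:
        return ("Deny", "threat-intelligence")
    # Rule types are processed in this order; within a type, lowest priority number first.
    for kind in ("DNAT", "Network", "Application"):
        for coll in sorted((c for c in policy if c.kind == kind), key=lambda c: c.priority):
            for rule in coll.rules:
                if _rule_matches(rule, flow, kind):
                    if kind == "DNAT":
                        return ("DNAT", f"{rule.translated_address}:{rule.translated_port}")
                    return (coll.action, f"{coll.name}/{rule.name}")
    return ("Deny", "implicit")  # nothing matched: the firewall denies by default


# The chapter's rules. 10.3.0.4 stands in for the web VM's private IP (constructed; the
# book only says it lives in the 10.3.0.0/24 web subnet). DenyWebToSqlOther is an extra
# constructed collection that shows how priority orders two network collections.
POLICY = [
    Collection("InboundRDP", "DNAT", 100, "Allow", [
        Rule("RDPWebVM", ["*"], ["TCP"], [3389], ["20.185.104.120"],
             translated_address="10.3.0.4", translated_port=3389)]),
    Collection("AllowWebToSql", "Network", 200, "Allow", [
        Rule("WebToSql", ["10.3.0.0/24"], ["TCP"], [1443], ["10.3.1.0/24"])]),
    Collection("DenyWebToSqlOther", "Network", 300, "Deny", [
        Rule("AllOther", ["10.3.0.0/24"], ["TCP", "UDP"], [], ["10.3.1.0/24"])]),
    Collection("BlockSites", "Application", 100, "Deny", [
        Rule("DenyMsn", ["10.3.0.0/24"], ["Http", "Https"], target_fqdns=["www.msn.com"])]),
]


def demo():
    """Evaluate constructed sample flows (203.0.113.x are documentation addresses)."""
    flows = {
        "rdp_from_internet": Flow("198.51.100.7", "20.185.104.120", 3389, "TCP"),
        "web_to_sql_1443": Flow("10.3.0.4", "10.3.1.4", 1443, "TCP"),
        "web_to_sql_ssh": Flow("10.3.0.4", "10.3.1.4", 22, "TCP"),
        "web_to_msn": Flow("10.3.0.4", "203.0.113.10", 443, "TCP",
                           fqdn="www.msn.com", app="Https"),
        "web_to_other_site": Flow("10.3.0.4", "203.0.113.20", 443, "TCP",
                                  fqdn="www.example.com", app="Https"),
    }
    return {name: evaluate(POLICY, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```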
Enabling custom DNS and DNS proxy in Azure Firewall policy
In the previous section, we learnt about custom DNS and DNS proxy. In this section,
let’s see the steps to configure them:
1. Go to your Azure Firewall policy and, in the left section, select DNS under
Settings.
2. A new window opens. As shown in the following figure, select the Enabled
option to enable DNS settings on this firewall.
3. Now you get the option to choose between Azure provided DNS and your own
custom DNS server. You can enter your custom DNS server address here.
4. It is recommended to use DNS proxy when you enable the DNS setting on Azure
Firewall. So, next enable DNS proxy.
5. If you enabled DNS proxy in Azure Firewall, it is recommended to enter your
Azure Firewall’s private IP in the custom DNS settings of your Azure VNet, so
that the Azure VNet routes DNS traffic to this Azure Firewall:
Figure 4.61: Enable custom DNS setting in Azure Firewall policy
As shown in the preceding figure, you can configure the DNS settings for your
Azure Firewall. I defined 10.3.1.4 as the custom DNS server in this firewall.
Enabling threat intelligence in Azure Firewall policy
In the previous section, we learnt the use of threat intelligence. In this section, let’s
see how to enable threat intelligence in Azure Firewall policy:
1. Go to your Azure Firewall policy and, in the left section, select Threat
intelligence under Settings.
2. A new window opens where you can select the mode of threat intelligence:
Off, Alert only, or Alert and deny.
3. In the Allow list addresses option, you can put an IP address, IP range, or
FQDN. Threat intelligence will not filter traffic for the listed IPs, IP ranges, and
FQDNs:
Figure 4.62: Enable threat intelligence in Azure Firewall policy
Now, it’s time to enable threat intelligence as shown in the preceding figure.
Enabling TLS inspection in Azure Firewall policy
In this section, let’s see how to enable TLS inspection in Azure Firewall policy:
1. Go to your Azure Firewall policy and, in the left section, select TLS Inspection
under Settings.
2. A new window opens; click on Enable to enable this feature in your
firewall policy.
3. As you know, TLS inspection encrypts any outbound traffic with a
predefined certificate. So, to configure TLS inspection you need a certificate.
This certificate can be placed in Azure Key Vault.
As shown in the following figure, you need to select a Key Vault and a
certificate from it.
4. To access this certificate, the Azure Firewall policy needs access to the Azure
Key Vault. This access is granted through a managed identity, so you will
require a user assigned managed identity:
Figure 4.63: Enable TLS inspection in Azure Firewall policy
I do not have a certificate, so I could not fill in valid details in these fields.
You can buy or upload your certificate in Azure Key Vault and use it
here.
In this section, we learnt how to enable TLS inspection in Azure Firewall policy. TLS
inspection is a mandatory requirement if you want to create URL-based application
rule collections.
Enabling IDPS mode in Azure Firewall policy
In the previous section, we studied the IPS/IDS detection feature of Azure
Firewall. In this section, we will see how to enable IDPS in Azure Firewall. The
procedure is as simple as for the features discussed above:
1. Go to your Azure Firewall policy and, in the left section, select IDPS under
Settings.
2. A new window opens with three options: Disabled, Alert only, and Alert
and Deny. Click on Alert only or Alert and Deny to enable this feature in
your firewall policy.
3. In the next tab, you can enter a signature ID and the corresponding action for
that signature.
4. The next tab is the Bypass list, where you define the destinations for
which you want to bypass the IDPS feature. Any traffic reaching a defined
destination is not assessed and is passed directly to the destination.
The IDPS feature was still in preview while this book was being written and will
hopefully reach general availability soon.
Azure Firewall Manager
With the Azure Firewall Premium version, you can manage firewall rules and policies
from Azure Firewall Manager. In this section, we will learn more about Azure
Firewall Manager.
Overview for Azure Firewall Manager
As I said in the previous section, Azure Firewall is now just an infrastructure component,
and all configuration and management options have moved to Azure Firewall policy
and Azure Firewall Manager. Azure Firewall Manager provides centralized security
policy and route management. It can provide security management for an Azure
managed virtual WAN hub and for an Azure Virtual Network.
An Azure virtual WAN hub is a Microsoft managed resource that helps you create a
hub and spoke network architecture. When you connect Azure Firewall with a virtual
WAN hub, it is called a secured virtual hub. On the other hand, when you have an
Azure VNet that is created and managed by you and protected with Azure Firewall,
but not connected to a virtual WAN hub, it is called a hub virtual network. This standard
virtual network can be peered with other virtual networks.
Policies from Azure Firewall Manager can be extended to any network connected
through VPN or ExpressRoute.
Features for Azure Firewall Manager
Before moving forward, let’s discuss the features of Azure Firewall Manager:
• Centralized management of Azure Firewall policy: With Azure Firewall
  Manager, you can create and manage firewall policies from one place. These
  policies can be connected with multiple virtual networks and WAN hubs.
• Hierarchical policy assignment: You can create firewall policies in a child and
  parent relationship. A child policy inherits the rules of its parent policy, and the
  parent policy rules take precedence over the child rules.
• Integrate with third party security services: Azure Firewall Manager can be
  integrated with third party security services to analyze network traffic flow.
• Regional availability of Azure Firewall policy: You can create a firewall
  policy in any region and use it in any other region. For example, you can
  create a firewall policy in Japan East and use it in Central US.
Manage Azure Firewall Manager
Azure Firewall Manager has two sections: Deployments and Security. Let’s see
what you can do under these sections:
• Virtual networks: This is part of the Deployments section. When you click on
  Virtual networks, a new window opens, where you can find all existing Azure
  VNets across the regions. Under Virtual networks, you also get an option
  to create a new secured virtual network. When you choose this option, you
  are taken to the next page, where you are asked to create a new VNet and
  Azure Firewall:
Figure 4.64: Convert Azure VNet to secure VNet with Azure Firewall policy
  As shown in the preceding figure, you can create a new secured Azure VNet by
  clicking on + Create new Secured Virtual Network. If you select an existing
  VNet, the Manage Security option becomes active. From there, you can
  deploy a new Azure Firewall in the selected network.
• Virtual hubs: The Virtual hubs section provides the same options as Virtual
  networks. From there, you can create new virtual hubs with Azure
  Firewall and create a new firewall for an existing hub.
• Azure Firewall Policies: We have already discussed this in the
  previous section. From here, you can create new firewall policies and manage
  the associations of existing policies.
• Security Partner Providers: From here, you can manage third party NVAs.
In this section, you learnt about Azure Firewall Manager and its capabilities. After this
section, you should be able to manage the firewall policies for your environment from
Azure Firewall Manager.
Shielding your Azure Virtual Network with DDoS protection
A DDoS attack is one of the largest security concerns for customers after moving
their applications to the cloud. A DDoS attacker attempts to exhaust the application’s
resources, which makes the application unavailable to legitimate users. Azure provides
two SKUs of DDoS protection: Basic and Standard. All Azure services are by default
covered by Basic protection at no extra cost.
There are various types of DDoS attacks. Azure Standard DDoS protection covers
you against the most common attacks:
• Volumetric attacks.
• Protocol attacks.
• Resource (application) layer attacks.
Standard DDoS protection can be enabled easily in your environment without
making any changes to your applications or resources. Let’s follow these steps to enable
Standard DDoS protection on your virtual network:
1. Log in to the Azure portal and search for DDoS protection plans.
2. It opens a new window. You just need to give a name to this plan and select the
subscription and location. That’s it; click on Create and the Standard DDoS plan
is created.
3. A single DDoS plan can be attached to multiple resources across the
subscriptions under your tenant.
4. To attach this plan to your resources, go to the DDoS plan and click on
Protected resources under Settings.
5. A new window opens, where you can see multiple tabs for the different Azure
services you can connect this plan to:
Figure 4.65: Attach standard DDoS plan to an existing VNet
As shown in the preceding figure, select the tab for the Azure service and click on
+ Add to attach Standard DDoS protection to it. Here, we are attaching the
Standard DDoS plan to a VNet. When you click on Add under the VNet tab, it
asks you for the details of the VNet. Click on Save.
In this section, we learnt what security Standard DDoS protection can give to your
environment and how you can enable it in your environment.
Remote access management through Azure Bastion
Securely allowing users to access your servers remotely is a big challenge for
organizations. Organizations may need to allow administrators to access servers
from home in case of a critical situation. It has always been a challenge to
establish a secure connection between an administrator’s home network and a server. For
this, either you have to set up a point to site VPN connection between the administrator’s
home network and your server’s network, or you need to assign a public IP to the
servers.
Assigning a public IP to any server is the least secure way to grant access. Microsoft
came up with a PaaS service called Azure Bastion, which helps you set up a
secure RDP/SSH connection to your servers.
The Azure Bastion service is a fully platform-managed service. You provision
it inside your virtual network. You can connect securely and seamlessly through
RDP/SSH to your virtual machines directly in the Azure portal over SSL. Your
virtual machines do not need a public IP address when you connect through Azure
Bastion.
You can protect your servers from exposure to the outside world by provisioning Azure
Bastion. It provides secure RDP and SSH connectivity to all of the VMs in the virtual
network in which it is provisioned. Azure Bastion is deployed per virtual network,
not per subscription/account or per virtual machine. Once you provision an Azure
Bastion service in your virtual network, you can RDP/SSH to all your VMs in the
same virtual network.
Architecture
Here is the high level architecture of the Azure Bastion service:
Figure 4.66: High level architecture and traffic flow diagram of Azure Bastion
This diagram shows the architecture of an Azure Bastion deployment. In this
diagram, the Bastion host is deployed in the virtual network. The user connects to
the Azure portal using any HTML5 browser and selects the virtual machine
to connect to. With a single click, the RDP/SSH session opens in the browser. Because
the server is accessed through Azure Bastion, no public IP is required.
Features of Azure Bastion
Let’s understand the features of Azure Bastion. This will help you configure and
choose Azure Bastion for your environment:
• RDP/SSH directly in Azure portal: You can connect to your servers directly
  from the Azure portal with a single-click, seamless experience.
• Remote session over SSL and firewall traversal for RDP/SSH: Azure
  Bastion uses an HTML5 based web client that is automatically streamed to
  your local device, so you get your RDP/SSH session over SSL on port
  443. You can route this traffic through your firewall.
• No public IP required on the Azure VM: Since Azure Bastion opens the
  RDP/SSH connection to your Azure Virtual Machine using the private IP of
  your VM, you do not need a public IP on your virtual machine to access
  your servers remotely.
• No hassle of managing NSGs: Azure Bastion is a fully managed PaaS service
  from Azure that is hardened internally to provide you secure RDP/SSH
  connectivity. You do not need to apply any NSGs on the Azure Bastion
  subnet. Because Azure Bastion connects to your virtual machines over
  private IP, you can configure your NSGs to allow RDP/SSH from Azure
  Bastion only.
• Protection against port scanning: Because you do not need to expose your
  virtual machines to the public internet, your VMs are protected against port
  scanning by rogue and malicious users located outside your virtual network.
• Protect against zero-day exploits. Hardening in one place only: Azure
  Bastion is a fully platform-managed PaaS service. Because it sits at the
  perimeter of your virtual network, you do not need to worry about hardening
  each of the virtual machines in your virtual network. The Azure platform
  protects against zero-day exploits by keeping Azure Bastion hardened
  and always up to date for you.
The preceding is the list of features of Azure Bastion. It should make your decision
to select Azure Bastion for remote connections easier. These features make clear that
Bastion is a secure way to access Azure Virtual Machines.
Configuring Azure Bastion
Setting up Azure Bastion in your network is a very simple task that needs only a few
clicks. To set up Azure Bastion you need an Azure Virtual Network and a subnet
named AzureBastionSubnet with a CIDR range of at least /27. Let’s follow
these steps to deploy Azure Bastion in your network:
1. Log in to the Azure portal and search for the virtual network where you want to
deploy Azure Bastion. If you do not have a virtual network already, create a VNet
first.
2. In the selected virtual network, create a subnet named AzureBastionSubnet.
You are already aware of the process to create an Azure VNet and subnet.
3. Once you have the VNet and subnet created, search for Bastion in the Azure portal
search bar.
4. Fill in the following details and click on Create:
Figure 4.67: Create Azure Bastion
5. It deploys a Bastion resource in your network.
6. Now, to connect to any virtual machine, go to the machine and click on
the Connect option. You will see an option to connect through Bastion.
7. Click on Bastion; you are prompted to enter the username and password of
the server to get into it.
By the end of this section, you should understand Azure Bastion in detail and be
able to configure Azure Bastion for your environment.
Let’s assume you have two Azure VNets, VNet A and VNet B. Each VNet has two
virtual machines: VNet A has VM1 and VM2, whereas VNet B has VM3 and VM4.
Now, if you deploy the Azure Bastion service in VNet A, you can connect to
VM1 and VM2 through Bastion, but you cannot connect to VM3 and VM4 through
the Bastion service. If you want to connect to VM3 and VM4 through Bastion,
you need to deploy the Bastion service in VNet B as well. So, you require a
dedicated Bastion service in each VNet to connect to the virtual machines in that
VNet through Azure Bastion.
Service endpoint in Azure
Azure service endpoint is an Azure networking feature. It allows you to reach
Azure PaaS services securely over the Microsoft backbone network. A service endpoint
enables your private IP addresses to reach Azure PaaS services without a public IP.
A service endpoint can only route traffic originating from an Azure VNet; it cannot be
used for traffic originating from an on-premises network.
Configuring service endpoint in Azure Virtual Network
In this section, we will see how to configure a service endpoint on an Azure subnet:
1. Log in to the Azure portal and go to the subnet in your Azure Virtual Network
where you want to enable the service endpoint.
2. Click on the subnet name and a new blade opens. There you get an option
to select Microsoft services from the drop-down:
Figure 4.68: Enable Azure service endpoints in subnet
As shown in the preceding figure, you can select the endpoints of multiple Azure
services at a time. Click on Save to add those endpoints to the subnet.
You can configure service endpoints for multiple subnets in your virtual network. This
helps you reach PaaS services securely through the Microsoft backbone network.
Azure Resource Firewall
Azure provides options to secure all your resources through some kind of firewall.
For most IaaS resources, Azure provides Azure Firewall, third party firewalls,
and NSGs. For PaaS resources too, you can control traffic through firewall
rules. We will look at some PaaS resources that you can cover under a firewall
and how you can cover them.
Azure PaaS SQL
Securing your databases against unauthorised access is very important. Although you
cannot cover Azure PaaS SQL with Azure Firewall, there are other ways by
which you can control and restrict traffic to your PaaS SQL. Let’s see what you can
control on a PaaS SQL server and how:
1. Log in to the Azure portal and search for SQL servers. You can choose any
existing PaaS SQL server or create a new one.
2. In the left panel of the SQL server, you will see the option Firewalls and
virtual networks under Security. Click on the option and a new window
opens, as shown in the following figure:
Figure 4.69: Setup firewall for Azure PaaS SQL
3. Here you can control the incoming traffic to the SQL server. You can allow
or deny access to this server from the public network, and you can also control
whether other Azure services can access this SQL server.
4. In the client IP section, you can allow an IP or a range of IPs to access this SQL
server.
5. In the next section, you can also restrict traffic to only a defined Azure network. If you wish to allow access only from an Azure network, choose this option. You can choose an existing network or create a new network from which you want to access this SQL server. If you choose the existing network option, a new window opens to take the details of the existing network. As shown in the preceding figure, you just need to choose a network from the subscription. When you set up network level access, a service endpoint is created in the subnet. The service endpoint establishes a backend connection between the PaaS SQL server and the other Azure resources in the subnet through the Microsoft backbone network.
In this section, we saw the resource firewall of the Azure PaaS SQL server. You learnt how to control inbound traffic to your Azure PaaS SQL server.
Azure storage account
Similarly, you can set up this kind of firewall for an Azure storage account as well. You need to enable the service endpoint for storage accounts on the subnet from which you want to connect to this storage. Let's follow these steps to set up the firewall on storage:
1. Login to the Azure portal and search for the storage account on which you want to apply the firewall. You can choose an existing storage account or create a new one.
2. Once you get the required storage account, select Firewalls and virtual networks in the left panel:
Figure 4.70: Setup Azure Resource Firewall for Azure storage
3. To get the options shown in the preceding figure, you need to select the Selected networks option. By default, the All networks option is selected.
4. If you just want to access the storage from a selected network, click on the Existing virtual network option. A new window will open to take the details of the network.
5. You can also grant access to this storage from a selected IP or IP range. Put the details of that in the Address range field.
6. You can add some exceptions for Microsoft services. Some trusted Microsoft services such as Azure Backup, Azure Event Grid, Azure Data Box, and so on may need to access the storage account to serve you. By ticking the first check box, you allow trusted Microsoft services to access this storage account.
In this section, we saw the resource firewall of the Azure storage account. You learnt how to control inbound traffic to your Azure storage account.
Azure Key Vault
You can set up this kind of resource firewall for Azure Key Vault as well. You need to enable the service endpoint for Azure Key Vault on the subnet from which you want to connect to this Key Vault. Let's follow these steps to set up the firewall on Key Vault:
1. Login to the Azure portal and search for the key vault on which you want to apply the firewall. You can choose an existing key vault or create a new one.
2. Once you get the required key vault, click on Networking and select Firewalls and virtual networks in the left panel:
Figure 4.71: Setup Azure Resource Firewall for Azure Key Vault
3. To get the options shown in the preceding figure, you need to select the Private endpoint and selected networks option. By default, the All networks option is selected.
4. If you just want to access the key vault from a selected network, click on the Existing virtual network option. A new window will open to take the details of the network.
5. You can also grant access to this key vault from a selected IP or IP range. Put the details of that in the Address range field.
6. You can add some exceptions for Microsoft services. Some trusted Microsoft services such as Azure Backup, Azure Event Grid, Azure Data Box, and so on may need to access the key vault to serve you. By ticking the first check box, you allow trusted Microsoft services to access this key vault.
In this section, we saw the resource firewall in Azure Key Vault. You learnt how to control inbound traffic to your Azure Key Vault from trusted networks, IPs, and Microsoft services.
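As an added example (not code from the book), here is how the Selected networks, Address range and trusted services settings used in the storage and Key Vault sections above map onto the networkAcls property that storage accounts and key vaults expose in ARM and CLI output, together with a small audit of the weak settings to avoid. The subscription, resource group, network and address range values are constructed placeholders; Azure SQL uses its own server firewall rules and virtual network rules rather than this property.

```python
"""Build and audit the networkAcls block behind 'Firewalls and virtual networks'.

Added example for this chapter; the resource names below are constructed,
not real Azure resources. The networkAcls shape (defaultAction, bypass,
virtualNetworkRules, ipRules) is the one Microsoft.Storage and
Microsoft.KeyVault resources expose.
"""
import ipaddress
import json

# Constructed placeholder for the example.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"

# IP rules in the resource firewall only take public addresses; RFC 1918
# ranges are rejected by Azure, so an audit should call them out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def subnet_resource_id(subscription: str, resource_group: str, vnet: str, subnet: str) -> str:
    """Resource ID of the subnet (with the service endpoint enabled) that the
    'Existing virtual network' dialog records in a virtual network rule."""
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}")


def build_network_acls(subnet_ids, ip_ranges, allow_trusted_services=True) -> dict:
    """'Selected networks' configuration: deny by default, then allow only the
    listed subnets and public IP ranges, optionally bypassing trusted Microsoft services."""
    for cidr in ip_ranges:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed range
    return {
        "defaultAction": "Deny",
        # "AzureServices" corresponds to the trusted Microsoft services check box
        "bypass": "AzureServices" if allow_trusted_services else "None",
        "virtualNetworkRules": [{"id": sid, "action": "Allow"} for sid in subnet_ids],
        "ipRules": [{"value": cidr, "action": "Allow"} for cidr in ip_ranges],
    }


def audit_network_acls(acls: dict) -> list:
    """Return findings for a networkAcls block; an empty list means no weak setting found."""
    findings = []
    if acls.get("defaultAction", "Allow") != "Deny":
        # This is the 'All networks' state: the resource firewall is effectively off.
        findings.append("defaultAction is not Deny: the resource accepts traffic from all networks")
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.prefixlen == 0:
            findings.append(f"ipRule {rule['value']} allows every address")
        elif net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"ipRule {rule['value']} is a private range; the firewall only matches public client addresses")
        elif net.version == 4 and net.prefixlen < 24:
            findings.append(f"ipRule {rule['value']} is broader than a /24; confirm the range is intended")
    if (acls.get("defaultAction") == "Deny"
            and not acls.get("virtualNetworkRules") and not acls.get("ipRules")):
        findings.append("no subnet or IP rules: only bypassed trusted services can reach the resource")
    return findings


if __name__ == "__main__":
    snet = subnet_resource_id(SUBSCRIPTION_ID, "rg-app", "vnet-hub", "snet-app")
    hardened = build_network_acls([snet], ["203.0.113.0/24"])
    print(json.dumps(hardened, indent=2))
    print("hardened:", audit_network_acls(hardened))
    print("all networks:", audit_network_acls({"defaultAction": "Allow", "bypass": "AzureServices"}))
```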
Conclusion
Network, storage, and firewall are the core components of any foundation infrastructure. In this chapter, you went through the security parameters related to foundation services. After this chapter, you are ready to design a security baseline for your organization and to decide when and how much you need to invest in security. You can now decide when to use Azure Front Door and when to use Azure Firewall. You can cover your public-facing applications with Azure Application Gateway with WAF and Azure Front Door, and the rest of the infrastructure with Azure Firewall.
You can now set up a secure connection between Azure and Azure and between Azure and on-premises networks. We also explored Azure service endpoints, which give you a secure connection between Azure PaaS services and IaaS services over the Microsoft backbone network. You also saw the implementation of standard DDoS protection.
In the next chapter, we will go deep into the security parameters for Azure Virtual Machines (compute resources).
Multiple choice questions
1. Which of the following services will you use to secure your environment
from IPS and IDS?
A. Azure Firewall
B. Azure Front Door
C. Azure NSG
D. Azure Service Endpoint
Answer: A
2. Among these Azure services, which service needs its own dedicated subnet?
A. Azure Baseline
B. Azure Virtual Machine
C. Azure Firewall
D. Azure NSG
Answer: C
3. You need to restrict certain URLs from some subnet. Which Azure service will you choose?
A. Azure NSG
B. Azure ASG
C. Azure Firewall
D. Azure Baseline
Answer: C
4. Which Azure service would help you to route network traffic in a manually desired direction?
A. Azure Front Door
B. Azure UDR
C. Azure Firewall
D. Azure NSG
Answer: B
5. While setting up an Azure Site-to-Site VPN connection, which network device represents your on-premises gateway device in Azure?
A. Azure Virtual Network Gateway
B. Azure ExpressRoute
C. Azure Front Door
D. Local network gateway
Answer: D
6. What Azure service provides you the ability to RDP to a Windows server directly from the Azure portal?
A. Azure Front Door
B. Azure Bastion
C. Azure Firewall
D. Azure Baseline
Answer: B
7. Which Azure service provides URL redirection capability?
A. Azure Front Door
B. Azure Firewall
C. Azure NSG
D. Azure Remote Access
Answer: A
8. Among the following, which one is not a feature of Application Gateway?
A. Auto scaling
B. SSL/TLS termination
C. DNS based global traffic routing
D. URL redirection
Answer: C
Chapter 5
Configuring Advance
Security for Compute
Endpoint security, both in the data center and on the desktop, is critical to any organization. So, what about the workloads in the cloud? Aren't they safe and secure by default because it is the cloud? Ideally, not so much. The customer bears the responsibility to configure the right services properly to better secure their resources. In Azure, Microsoft is responsible for making sure that the lights are on in their data centers and the platform is available and secure. But it is up to you to secure your hosts. No worries, Azure has plenty of resources to make your hosts secure. In this chapter, we will identify some critical features and services to secure our endpoints both on-premises as well as in the cloud. We will also study Azure Key Vault, which stores keys, secrets, and certificates securely. We will use this key vault to do disk encryption for your Azure Virtual Machine disks. At the end, we will study how to enable secure authentication on your Azure web apps and how to access them securely.
By the end of this chapter, you will understand how to better secure your workloads both on-premises and in the cloud using the features and services provided by Microsoft. You will be able to use Azure Key Vault to save keys, secrets, and certificates. You can use these keys to do disk encryption for your Azure VMs, secrets to store app passwords and connection strings, and certificates for SSL connections over secure HTTP traffic.
Structure
In this chapter, we will learn about the following topics:
• Understand Microsoft Endpoint Protection.
• Configure endpoint security within Azure Virtual Machine.
• Configure and manage Azure Virtual Machine security.
• Harden security on Azure Virtual Machine.
• Configure Update Management for Azure Virtual Machine.
• Configure security baseline for Azure Virtual Machine.
• Azure Key Vault.
• Azure Virtual Machine disk encryption.
• Detailed description of security parameters for Azure App Service.
• Conclusion.
• Multiple choice questions (MCQs).
Objectives
The objective of this chapter is to give you insights into the Azure security services that secure compute resources in the Azure environment. Some of them can cover on-premises compute resources as well. After studying this chapter, you should be able to secure Azure VMs with Microsoft Endpoint Protection. You will be able to configure Update Management to patch Azure VMs and on-premises servers. You will also go through some security baselines for Azure VMs, such as encryption, access control, network traffic control, and many more. Along with Azure VMs, you will also learn how to secure the PaaS platforms that host Azure Web Apps, such as App Service Environments and App Service Plans.
Understand Microsoft Endpoint Protection
Microsoft Endpoint Protection is Microsoft's in-house solution to secure your servers from virus attacks. It provides a real-time protection feature in Azure, and it alerts you when viruses, spyware, and other potentially unwanted software attempt to install themselves or run on your virtual machine. The alerts are categorized into High, Medium, and Low severities. You can set up automatic actions based on the alert severity. Microsoft Endpoint Protection for Azure automatically takes action to remove the malicious software and protect your virtual machine from potential further infection.
Microsoft Endpoint Protection supports three ways to protect your virtual machine from malware and other potentially unwanted software:
• Real-time protection: In the real-time protection offering, Microsoft Endpoint Protection for Azure sends an instant alert whenever malware, spyware, or potentially unwanted software attempts to install or run on your virtual machine. It also alerts you when programs attempt to change important Windows settings.
• Scanning options: Scanning is a scheduled activity. You can plan to scan your environment based on your business feasibility and choose a periodic timeline for this activity. In a scheduled scan, Microsoft Endpoint Protection for Azure scans for threats, viruses, spyware, and other potentially unwanted software that might be installed on your virtual machine. You can also define automatic actions to remove any malicious software that is detected during a scan.
• Detection/remediation: When Microsoft Endpoint Protection for Azure detects malware on your virtual machine, certain actions are automatically taken to remove the malicious software and protect your virtual machine from potential further infection.
Now let’s learn about the features and architecture of Microsoft Endpoint Protection.
In coming sections, we will also see how to deploy and configure Microsoft Endpoint
Protection in your environment.
Features of Microsoft Endpoint Protection
Microsoft Endpoint Protection for Azure is Microsoft's core in-house endpoint protection solution. It has a bundle of features. Let's understand the functionality of these features:
• History retention: Microsoft Endpoint Protection for Azure keeps the history of previous scans and remediation actions. It provides a list of all malware or suspected malware detected on your virtual machine. In the History tab, you can also see the actions that were taken when suspicious programs were detected. The History tab shows the items detected for all users, not per user.
• Automatic scanning for malware: As we saw, there are three scanning modes. In automatic scanning, you can schedule the scanning time. You can also turn scanning on or off and change the frequency and type of scanning using the Microsoft Endpoint Protection for Azure Settings tab.
• Action on malware detection: You can also choose which actions are automatically applied to software that Microsoft Endpoint Protection for Azure detects during a scheduled scan. For severe threats, certain actions are taken automatically by default to remove the malicious software and protect your virtual machine from potential further infection.
• Real time protection: This feature alerts you when any viruses, spyware, and other potentially unwanted software attempt to install themselves or run on your virtual machine.
• Shell extension: With the help of the Shell extension you can select specific files and/or folders and scan them using Microsoft Endpoint Protection for Azure.
• Signature update: It automatically installs the latest protection signatures (virus definitions) at a pre-determined frequency to ensure protection is up to date.
• Exclusion: As an administrator, you can configure exclusions for files, processes, and drives.
These are some of the features of Microsoft Endpoint Protection. There are multiple Endpoint Protection solutions available in the market. This list of features will help you choose the Endpoint Protection best suited to your environment.
Architecture of Microsoft Endpoint Protection
Microsoft Antimalware is supported on the Windows Server 2008 R2 and later operating system families. It is not supported on the Windows Server 2008 operating system and is not supported on Linux. To secure your PaaS environment, the underlying infrastructure of Azure App Service also has Microsoft Antimalware enabled on it. So, as a customer, you do not need to worry about securing the underlying infrastructure of your Azure App Service.
The Microsoft Antimalware Client and Service is installed by default in a disabled state in all supported Azure guest operating system families and services platforms. The Microsoft Antimalware Client and Service is not installed by default in on-premises infrastructure, but you can install and enable it on any on-premises or other cloud environment. This feature can be enabled through the Azure portal and the Visual Studio Virtual Machine configuration under Security Extensions.
The Microsoft Antimalware Client can be pushed through the Azure portal or PowerShell. The Azure virtual machine guest agent launches the Antimalware Extension and applies the Antimalware configuration settings supplied as input. This step enables the Antimalware service with either default or custom configuration settings. If no custom configuration is provided, the antimalware service is enabled with the default configuration settings. You can set up the Antimalware solution with a custom configuration by using an XML or JSON file. In the custom configuration, you can change these policies:
• Extensions exclusion: You can list the file extensions which you want to exclude from scanning, such as .log, .txt, .gif, and so on.
• Path exclusion: You can define the paths of files and folders which you do not want to scan. For example, D:\appdata\userinfo.
• Process exclusion: You can define the paths of processes, so any file opened by an excluded process is excluded from scanning.
• Real time protection: You can choose to enable or disable real time protection.
• Scheduled scanning setting: You can choose to enable or disable scheduled scanning. Once you enable it, you can set up the schedule as well.
• Scheduled scan setting day: You can choose the day on which you want to schedule the scanning: 0-scan daily, 1-Sunday, 2-Monday, 3-Tuesday, 4-Wednesday, 5-Thursday, 6-Friday, 7-Saturday, and 8-Disabled.
• Scheduled scan setting time: Here you choose at what hour you want to start scanning. The hour is given in minutes counted from midnight. So, 60 mins = 1 AM, 120 mins = 2 AM …. 1380 mins = 11 PM, and 1440 = 12 AM.
• Scan type: You can choose whether you want a quick scan or a full scan.
• Monitoring: You can enable or disable antimalware event collection.
• Storage account name: You need to give the name of the storage account where you want to store the monitoring logs.
A running Microsoft Antimalware Client downloads the latest protection engine
and signature definitions from the internet and loads them on the systems where it
is running. The Microsoft Antimalware service writes service-related events to the
system OS events log under the Microsoft Antimalware event source.
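As an added example (not code from the book or from Microsoft), the custom configuration policies above assembled into a settings document, using values from the policy list and the schedule the chapter sets up later (exclude .log and D:\appdata\userinfo, real-time protection on, quick scan every Sunday at 2 AM), followed by a review that flags settings which weaken the protection. The key names are those of the IaaSAntimalware extension's settings JSON, which the chapter itself does not list; the az command in the trailing comment is the Azure CLI's, not the book's.

```python
"""Build and review the settings JSON for the Microsoft Antimalware VM extension.

Added example for this chapter, not code from the book. The key names follow
the IaaSAntimalware extension's documented settings format; the schedule and
exclusion values are the ones the chapter walks through.
"""
import json

# Day codes from the 'Scheduled scan setting day' policy.
SCAN_DAY = {"daily": 0, "sunday": 1, "monday": 2, "tuesday": 3, "wednesday": 4,
            "thursday": 5, "friday": 6, "saturday": 7, "disabled": 8}

# Exclusions that would blind the scanner to the file types malware usually arrives in.
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr", ".msi"}


def scan_time_minutes(hour: int) -> int:
    """'Scheduled scan setting time' is minutes after midnight: 2 AM -> 120, 11 PM -> 1380."""
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0-23")
    return hour * 60


def build_antimalware_settings(realtime=True, scan_day="sunday", scan_hour=2, scan_type="Quick",
                               excluded_extensions=(), excluded_paths=(), excluded_processes=()) -> dict:
    """Assemble the extension settings; exclusion lists are joined with ';' as the extension expects."""
    if scan_type not in ("Quick", "Full"):
        raise ValueError("scan_type must be 'Quick' or 'Full'")
    day = SCAN_DAY[scan_day.lower()]
    return {
        "AntimalwareEnabled": True,
        "RealtimeProtectionEnabled": bool(realtime),
        "ScheduledScanSettings": {
            "isEnabled": day != SCAN_DAY["disabled"],
            "day": day,
            "time": scan_time_minutes(scan_hour),
            "scanType": scan_type,
        },
        "Exclusions": {
            "Extensions": ";".join(excluded_extensions),
            "Paths": ";".join(excluded_paths),
            "Processes": ";".join(excluded_processes),
        },
    }


def review_antimalware_settings(settings: dict) -> list:
    """Flag settings that weaken protection; an empty list means nothing to report."""
    findings = []
    if not settings.get("AntimalwareEnabled", False):
        findings.append("antimalware is disabled")
    if not settings.get("RealtimeProtectionEnabled", False):
        findings.append("real-time protection is off: threats are only caught at the next scheduled scan")
    sched = settings.get("ScheduledScanSettings", {})
    if not sched.get("isEnabled") or sched.get("day") == SCAN_DAY["disabled"]:
        findings.append("scheduled scanning is disabled")
    excl = settings.get("Exclusions", {})
    bad_ext = sorted(e for e in excl.get("Extensions", "").lower().split(";") if e in RISKY_EXTENSIONS)
    if bad_ext:
        findings.append("executable file types excluded from scanning: " + ", ".join(bad_ext))
    for path in filter(None, excl.get("Paths", "").split(";")):
        # A drive root or the Windows directory as an exclusion removes most of the disk from scanning.
        trimmed = path.rstrip("\\")
        if len(trimmed) <= 2 or trimmed.lower().endswith(":\\windows"):
            findings.append(f"exclusion '{path}' covers a drive root or the Windows directory")
    return findings


if __name__ == "__main__":
    settings = build_antimalware_settings(excluded_extensions=[".log"],
                                          excluded_paths=["D:\\appdata\\userinfo"])
    # Save this as settings.json and pass it with --settings @settings.json to
    # 'az vm extension set --publisher Microsoft.Azure.Security --name IaaSAntimalware ...'.
    print(json.dumps(settings, indent=2))
    print(review_antimalware_settings(settings))
```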
Enabling Microsoft Endpoint Protection
You can enable Microsoft Endpoint Protection on a virtual machine easily. You can attach it while creating the VM or after the VM has been created. You can do it from the Azure portal, PowerShell, JSON, or Visual Studio. Let's go through the process which you can use to enable Microsoft Endpoint Protection while creating a virtual machine or after you have created it.
Enable Microsoft Endpoint Protection while creating
the virtual machine
In this section, you will see how to enable Microsoft Endpoint Protection while creating a virtual machine:
1. Login to the Azure portal and search for virtual machines.
2. Click on + Add. On the Basic information page, fill in the required details such as subscription name, resource group name, virtual machine name, size, location, and a few others. The most important field is Image. Since Microsoft Endpoint Protection supports only Windows machines, you need to select a Windows image.
3. In the next sections, you need to choose the Disk, Networking, and Management settings. Here you decide the type of storage account, the IP and other networking configuration of this server, and some levers to manage the machine.
4. In the next section, Advanced, you see an option to add extensions to this server. Azure provides various types of extensions for your virtual machines, and you can add multiple extensions to a virtual machine. These extensions provide extra functionality and features to your virtual machines, such as desired state configuration, antivirus add-ons, and changes in OS level configuration:
Figure 5.1: Add extension to Azure Virtual Machine
5. When you click on Select an extension to install, a list of available extensions opens. You will see Microsoft Antimalware in the list only if you have chosen Windows as the OS image.
6. Click on Microsoft Antimalware to install the extension. When you choose Microsoft Antimalware, a new blade opens to fill in the configuration. I am setting up the configuration in a manner to exclude a folder location and an extension type. I also choose to have real time protection and schedule a quick scan every Sunday at 2 AM:
Figure 5.2: Configuration settings of Microsoft Antimalware Extension
7. Click on OK to add the extension.
Here we learnt how to add the Microsoft Antimalware Extension while deploying a virtual machine. In the next section, we will see how to add the Microsoft Antimalware Extension to an existing virtual machine.
Enabling Microsoft Endpoint Protection on a running
virtual machine
You can enable Microsoft Endpoint Protection even after the virtual machine is created. Let's see these simple steps to install the extension on a running virtual machine:
1. Login to the Azure portal and search for the virtual machine on which you want to install the extension.
2. On the right-side option panel, select Extensions under Settings. A new window opens, where you can see the installed extensions and add a new extension by clicking + Add:
Figure 5.3: See existing extensions attached and add new extension to running virtual machine
3. Once you click on + Add, a list of extensions opens. Choose Microsoft Antimalware from the list. You will see the following options for the configuration:
Figure 5.4: Configuration settings of Microsoft Antimalware extension
4. Click on OK to install the extension with the preceding configuration.
Here, we learnt how to add the Microsoft Antimalware extension to an existing virtual machine. In the next section, we will see how to monitor the Microsoft Antimalware extension on an existing virtual machine.
Monitor Microsoft Endpoint Protection on a
running virtual machine
When you want to follow a strict security baseline which mandates having an Antimalware solution installed on all virtual machines, you need a solution which can give you insight into this. Azure Security Center can scan the servers to identify which server has Antimalware installed and which does not. Azure Security Center can monitor the status of antimalware protection on servers and cloud services. Security Center highlights issues such as detected threats and insufficient protection.
The following are some issues which Security Center reports:
• Endpoint Protection not installed on Azure VMs: This is shown if a supported Antimalware solution is not installed on these Azure VMs.
• Endpoint Protection not installed on non-Azure computers: This is shown if a supported Antimalware solution is not installed on these non-Azure computers.
• Endpoint protection health:
  • Signature out of date: This is shown if an Antimalware solution is installed on these VMs and computers, but the solution does not have the latest Antimalware signatures.
  • No real-time protection: This is shown if an Antimalware solution is installed on these VMs and computers, but it is not configured for real-time protection.
  • Not reporting: This is shown if an Antimalware solution is installed but not reporting data.
  • Unknown: This is shown if an Antimalware solution is installed but its status is unknown or it is reporting an unknown error.
Here we saw how Azure Security Center can help you follow security best practices for your virtual machines. You also saw what Azure Security Center can detect about your Endpoint Protection service.
Configure and harden security for virtual
machines
Moving forward to secure your infrastructure, in this section we will go through other security levers to protect your virtual machines. Most of the recommendations are applicable to most organizations, but you can still pick the appropriate recommendations from the following:
• Virtual machine disk encryption: Unencrypted data is always a big risk for most organizations. It is always recommended to encrypt data at rest and in transit. Azure Disk Encryption is a capability to encrypt your Windows and Linux virtual machine disks. It uses the industry-standard BitLocker feature of Windows and the DM-crypt feature of Linux to provide volume encryption for the OS and data disks. You can control the versioning of your encryption keys and manage and store them in Azure Key Vault. It is recommended to take a snapshot or backup of the virtual machine before encrypting it.
• Network level isolation: Azure Virtual Machine is a key component of your infrastructure and is capable of running and holding multiple applications and services. This functionality requires virtual machines to communicate with other Azure and non-Azure services. These services can be part of your network or reachable over the internet. You need to take care of the traffic coming into and going out from the virtual machine. You can apply firewall or NSG policies to control inbound and outbound traffic.
• Azure Backup: Azure Backup of your virtual machines can protect your data in case of any failure on a running virtual machine. Human errors or application bugs can corrupt data on disks. With the help of the Azure Backup service, you can retrieve the complete data and even the complete virtual machine.
• Antimalware: We have discussed the features and functionality of Microsoft Antimalware in the previous sections. You can also use third-party Antimalware such as Symantec, Trend Micro, and Kaspersky.
• Windows Defender Advanced Threat Protection: You can use Windows Defender Advanced Threat Protection to prevent, detect, investigate, and respond to advanced threats. You get the following features from Windows Defender Advanced Threat Protection:
  • Attack surface reduction.
  • Next generation protection.
  • Endpoint protection and response.
  • Automated investigation and remediation.
  • Secure score.
  • Advanced hunting.
  • Management and APIs.
  • Microsoft Threat Protection.
• Azure Site Recovery service: Azure Site Recovery is a business continuity and disaster recovery (BCDR) solution. It helps you recover your business in case of planned and unplanned outages. Azure Site Recovery helps you replicate, fail over, and recover workloads and apps so that they are available from a secondary location if your primary location goes down.
• Hardware security module: You can enhance the security of your encryption keys by using a hardware security module.
• Compliance: Azure Virtual Machines is certified for industry standard compliance programs such as FISMA, FedRAMP, HIPAA, PCI DSS Level 1, and other key compliance programs.
• Monitor security policies and reporting: Monitoring current policies and infrastructure is as important as applying the security policies. Azure Security Center gives you the capability to keep an eye on applied policies and on the resources which are not covered under an appropriate security policy.
• Virtual machine access policy: It is always recommended to provide limited access for a certain time period only. You can control access to virtual machines through Azure RBAC, Azure Privileged Identity Management (PIM), and Just-in-Time (JIT) access. You should also set up a complex password and password rotation group policy in Active Directory.
• Avoid single point of failure: It is always recommended to run business critical application virtual machines in high availability. You can achieve high availability by using an availability set or availability zone.
• Patch management: It is always recommended to keep your virtual machines up to date with the latest patches. You can use the Azure native Update Manager, SCCM, or WSUS to patch your servers.
• Update the base image: Sometimes you may need to deploy virtual machines from a golden image. You need to keep this image up to date with the latest software updates, security updates, and OS updates. You should periodically redeploy your VMs to force a fresh version of the OS.
• Restrict internet exposure: You should prevent your virtual machines from being exposed to the internet. You can use Azure VPN, Network Address Translation (NAT) through Azure Firewall or a third-party firewall, Azure Bastion, or jump servers to access your virtual machines from the internet.
• Complex password policy: As a security administrator, you need to set up a complex password policy. There are multiple combinations to create a complex password policy, such as an alphanumeric 16-character password with special characters.
• Updated OS version: Use only 64-bit OS versions.
The preceding points describe some basic security best practices to secure your virtual machines. These best practices are not only applicable to your Azure Virtual Machines but can be used for any compute service on any platform.
Update Management solution for servers
For any organization, it is very important to have updated operating systems on their servers. Most organizations use Windows- and Linux-based operating systems. Microsoft and other OS providers release regular updates for their operating systems. These updates can be a break fix for an OS feature, a vulnerability resolution, a security update, or a system update. There are many Microsoft and third-party solutions to apply these updates to servers.
Update Management is a cloud-based solution to push updates and security patches to servers. Here, we will study the components required to configure Update Management, how to deploy and configure these components, and how to push and manage updates for your servers.
Azure Update Management can help you manage operating system updates for your Windows and Linux machines on any platform.
Overview of Update Management
Security patching and operating system updates are critical parts of the virtual machine security baseline. There are multiple patch management tools from Microsoft and third parties. SCCM, WSUS, and Azure Update Management are the most common and widely used solutions. In this section, we will see the use case of Azure Update Management. Update Management is a solution in Azure Automation to manage operating system updates for your Windows and Linux machines on any platform.
You can enable Update Management in three ways:
• For multiple virtual machines, from the Azure Automation account.
• For a single Azure Virtual Machine, from the settings panel of the virtual machine in the Azure portal.
• For multiple virtual machines, from the virtual machines page in the Azure portal.
We will discuss all these ways in the coming sections. To enable Update Management in Azure, you need an Automation account and a Log Analytics workspace in your subscription. You can connect VMs from multiple subscriptions in the same tenant.
After a patch package is released, Update Management takes two to three hours for the patch to show up for assessment on Linux machines and twelve to fifteen hours for assessment on Windows machines. For a Linux machine, the compliance scan is performed every hour by default, and for a Windows machine, the compliance scan runs every twelve hours by default. After a machine completes a scan for update compliance, the agent forwards the information in bulk to Azure Monitor logs.
You can create groups of multiple VMs based on your line of business, application, or any other parameter. You can set up different schedules for different groups or virtual machines. You can also choose whether or not to reboot the server after patch installation. The patch installation starts only on the scheduled date and time. Before patching, it scans again to verify whether the updates are still required.
Supported and unsupported client
Here is the list of supported and unsupported client. To plan Update Management
for your organization you need to identify that which client are supported and
which are not:
Operating system | Notes
Windows Server 2019 (Datacenter/Datacenter Core/Standard), Windows Server 2016 (Datacenter/Datacenter Core/Standard), Windows Server 2012 R2 (Datacenter/Standard), Windows Server 2012 | Update Management can assess and install patches on these OS versions without any issues. These OS versions are fully compatible with Update Management.
Windows Server 2008 R2 (RTM and SP1 Standard) | Update Management only supports performing assessments for this operating system; patching is not supported, as the Hybrid Runbook Worker is not supported on Windows Server 2008 R2.
CentOS 6 (x86/x64) and 7 (x64) | Linux agents require access to an update repository. Classification-based patching requires yum to return security data, which CentOS does not have in its RTM releases.
Red Hat Enterprise 6 (x86/x64) and 7 (x64) | Linux agents require access to an update repository.
SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64) | Linux agents require access to an update repository.
Ubuntu 14.04 LTS, 16.04 LTS, and 18.04 (x86/x64) | Linux agents require access to an update repository.
Windows client | Client operating systems (such as Windows 7 and Windows 10) are not supported.
Windows Server 2016 Nano Server | Not supported.
Azure Kubernetes Service nodes | Not supported. There is a different way to patch AKS nodes.
Table 5.1: List of supported and unsupported OS for Update Management
Windows servers require the Log Analytics agent for Windows to be installed on the
virtual machines, and Linux machines require access to an update repository. A Linux
machine must also have Python 2.x and the Log Analytics agent for Linux installed.
Configuring Advance Security for Compute
287
Configure Update Management for virtual machines
Update Management requires two Azure services: an Azure Automation account and
a Log Analytics workspace. Before enabling Update Management on virtual machines,
you need to create these two services. Let's see how to deploy them:
Log Analytics workspace
A Log Analytics workspace is a centralized location to store events, logs, performance
data, and configuration. It gives you visibility into the availability and performance
of your applications and services by delivering a comprehensive solution for collecting,
analyzing, and acting on telemetry from your cloud and on-premises environments.
Create Log Analytics workspace
Update Management requires a Log Analytics workspace to store the patching-related
telemetry of your servers. Since a Log Analytics workspace collects and stores telemetry
data in general, you can use a single workspace for multiple purposes. Follow these
simple steps to create a Log Analytics workspace:
1. Login to the Azure portal and search for Log Analytics workspaces.
2. Click on + Add and a new blade will open to collect the details:
Figure 5.5: Create Log Analytics workspace
3. Fill in the basic details as shown in the preceding figure and click on the
Create button to create the workspace.
Here we created a Log Analytics workspace for the Update Management service. We
can use this Log Analytics workspace for many more services, such as analysis of
activity logs, performance logs, service maps, and so on.
Onboard Virtual Machines to the workspace
A workspace is a collection of logs and configuration, so once you have created the
workspace, you need to attach your target virtual machines to it:
1. Login to the Azure portal and search for the workspace created in the preceding
steps.
2. Once you are in the workspace, scroll to Virtual machines under Workspace
Data Sources.
3. Here you will see the virtual machines available across all your subscriptions.
Select the target virtual machines which you want to add to this workspace:
Figure 5.6: Attach Azure Virtual Machines to workspace
4. Click on the name of the virtual machine. In the next blade, you will get the
option to connect it to this workspace. Click on Connect to connect the virtual
machine to this workspace.
5. It will take some time to connect the machines to this workspace:
Figure 5.7: Status of virtual machines in workspace
6. Once the machines are connected to this workspace, you can perform multiple
operations from the Automation account.
Here, we onboarded our Azure Virtual Machines into the Log Analytics workspace. Now
we can use multiple services of the Log Analytics workspace for our virtual machines.
Here, we will use the Update Management service of the Log Analytics workspace.
Automation account
Azure Automation delivers a cloud-based automation and configuration service that
provides consistent management across your Azure and non-Azure environments.
It consists of process automation, update management, and configuration features:
• Process automation: Azure Automation gives you the ability to automate
frequent, time-consuming, and error-prone cloud management tasks. This
automation helps you focus on work that adds business value. By reducing
errors and boosting efficiency, it also helps to lower your operational costs.
You can integrate Azure services and other public systems that are required
in deploying, configuring, and managing your end-to-end processes.
• Configuration management: Azure Automation State Configuration is a
cloud-based solution for PowerShell DSC that provides the services required
for enterprise environments. Manage your DSC resources in Azure Automation
and apply configurations to virtual or physical machines from a DSC pull server
in the Azure cloud. It provides rich reports that inform you of important events,
such as when nodes have deviated from their assigned configuration. You can
monitor and automatically update machine configuration across physical and
virtual machines, Windows or Linux, in the cloud or on-premises.
• Update management: Update Windows and Linux systems across hybrid
environments with Azure Automation. You get visibility of update compliance
across Azure, on-premises, and other clouds. You can create scheduled
deployments to orchestrate the installation of updates within a defined
maintenance window. If an update should not be installed on a machine, you
can exclude it from a deployment.
Create automation account
An Automation account is the other required building block for Update Management.
You can use an Automation account for multiple purposes, so you can use an existing
Automation account or create a new one to configure Update Management. Creating
an Automation account is as simple as creating a Log Analytics workspace:
1. Login to the Azure portal and search for Automation accounts.
2. Click on + Add to create a new account; a new blade opens:
Figure 5.8: Create Azure automation account
3. Fill in the basic details as shown in the preceding figure and click on Create.
Here we created an Automation account for the Update Management service. We can
use this Automation account for many more services, such as inventory, change
tracking, process automation, scheduling, and so on.
Enable Update Management for Azure Virtual Machines
Once you have created the Log Analytics workspace and the Automation account, you
can enable the Update Management service. Let's follow these steps to enable Update
Management:
1. Login to the Azure portal and search for the Automation account which you
created in the last step.
2. On the left panel of the Automation account page, you will see different services.
There you will see Update management; click on it and a new window will
open:
Figure 5.9: Enable Update Management
3. In the new window, fill in the details as shown in the preceding figure. The
important detail is to select the proper Log Analytics workspace. You need to
select the workspace where you added your machines in the previous section.
Select the subscription and workspace name and click on Enable. It may take
some time to enable the solution.
4. Refresh the page after some time. You will see the Update Management
dashboard:
Figure 5.10: New Update Management dashboard
5. Now you have the complete setup ready to onboard VMs to Update
Management. Click on + Add Azure VMs to add VMs.
6. In the next window, you will see the list of virtual machines. You can apply
filters on subscription name and location to find your target virtual machines.
You can only select those machines which are connected to this workspace:
Figure 5.11: Onboard Azure Virtual Machine to Update Management
7. Once you find your target machines, select them and click on Enable. It will
take some time for the machines to report to the Update Management dashboard.
8. You can enable Update Management for non-Azure servers as well. This
requires you to install the Microsoft Monitoring Agent on the on-premises
servers.
9. After some time, you will see the updated Update Management dashboard,
as shown in the following figure:
Figure 5.12: Update Management dashboard after Azure Virtual Machine onboarding
Here we enabled Update Management for our Azure Virtual Machines. In the coming
section, we will see how to schedule and plan the update deployment for our
onboarded virtual machines.
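The portal steps in the preceding sections can also be scripted. The following is an added example written for this guide with Azure PowerShell (the Az module); it is not code from the book or from Microsoft. The resource group, region, workspace, Automation account, and VM names are assumed placeholders, the resource group is assumed to exist, and the session is assumed to be signed in with Connect-AzAccount. Linux VMs take the OmsAgentForLinux extension type from the same publisher instead of MicrosoftMonitoringAgent; the workspace ID and key settings are the same.

```powershell
# Added example (not from the book): Update Management prerequisites with Azure
# PowerShell instead of the portal. All names below are assumed placeholders.
$rg       = 'rg-patching'        # assumed resource group (must already exist)
$location = 'eastus'             # assumed region
$wsName   = 'law-patching-01'    # assumed Log Analytics workspace name
$aaName   = 'aa-patching-01'     # assumed Automation account name
$vmName   = 'vm-app-prod-01'     # assumed target Windows VM in the same resource group

# 1. Log Analytics workspace: the store for the assessment data each agent
#    uploads after its hourly (Linux) or 12-hourly (Windows) compliance scan.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
    -Location $location -Sku 'PerGB2018'

# 2. Automation account, then link it to the workspace. The link is what lets the
#    account schedule deployments against machines reporting to this workspace.
$aa = New-AzAutomationAccount -ResourceGroupName $rg -Name $aaName -Location $location
Set-AzOperationalInsightsLinkedService -ResourceGroupName $rg -WorkspaceName $wsName `
    -LinkedServiceName 'Automation' -WriteAccessResourceId $aa.ResourceId

# 3. Turn on the Updates solution in the workspace (the portal's Enable button).
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName `
    -IntelligencePackName 'Updates' -Enabled $true

# 4. Connect the VM to the workspace by installing the Log Analytics agent
#    extension. The workspace key is a credential: it belongs in ProtectedSettings,
#    which Azure encrypts and does not return when the extension is read back.
$keys = Get-OperationalInsightsKeysSafe $rg $wsName
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName `
    -Name 'MicrosoftMonitoringAgent' `
    -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
    -ExtensionType 'MicrosoftMonitoringAgent' `
    -TypeHandlerVersion '1.0' `
    -Settings @{ workspaceId = $ws.CustomerId.ToString() } `
    -ProtectedSettings @{ workspaceKey = $keys.PrimarySharedKey }

# 5. Verify the machine is actually reporting before building a deployment
#    schedule: a heartbeat in the last hour means the agent is connected.
$kql = "Heartbeat | where Computer =~ '$vmName' | where TimeGenerated > ago(1h) | count"
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId.ToString() -Query $kql).Results

# Helper used in step 4 (assumed name): fetch the shared keys without echoing
# them to the console, so the secret does not land in transcript logs.
function Get-OperationalInsightsKeysSafe([string]$ResourceGroup, [string]$Workspace) {
    $k = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup -Name $Workspace
    return $k
}
```

PowerShell resolves functions at call time, so the helper must be defined before step 4 runs when this is pasted into a session; in a saved script, move the function block to the top. Run the step 5 query again after twenty minutes or so if the first result is zero; the agent takes a few minutes to start sending heartbeats.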
Schedule update deployment
After onboarding the servers to Update Management, you can now schedule an update
deployment. To manage the patching, you can configure multiple settings such as
scheduling, patch inclusion and exclusion, type of patches, and so on. We will see the
available configuration options in this section:
1. To schedule patch installation, click on Schedule update deployment. A
new blade will open to fill in the configuration.
2. The first field asks you to give a name to this schedule. For example, you can
create a schedule to install critical updates on all production servers for an
application. In this way you can create multiple schedules. You have multiple
ways to apply patches to machines: you can either choose individual servers
or create a group.
3. Group Azure VMs: In the Items to update section you have the option to create
groups for your machines. You can plan this grouping based on environment,
application, type of updates, and so on. Click on Groups to update; in the next
window you will get the option to select Azure and non-Azure machines. When
you select Azure as your target machines for update installation, it gives you
the option to select the virtual machines. Select the appropriate subscription
and it will show the respective attached virtual machines:
Figure 5.13: Create Azure Virtual Machines group in Update Management
Select the subscription and click on Add. You can see the available machines
when you click on Preview.
4. Select individual machines: Here you can select individual machines among
all connected machines. Click on Machines to update and it will show the
list of all connected machines. You can click on a machine name to select
it for update:
Figure 5.14: Select individual Azure Virtual Machine in Update Management
5. Update classification: Here you can select what kind of updates you want to
push to clients. You can select all required update types:
Figure 5.15: Types of updates in Update Management
6. Include/exclude updates: The updates released by Microsoft have a KB
number assigned to them. In this section, you can define whether you want
any additional updates to be included or any particular update to be
excluded. You just put the KB numbers of such updates in the respective
include or exclude section. I am not putting any KB here because I just want
to go with the default:
Figure 5.16: Include or Exclude specific KB in Update Management
7. Schedule the update: Once you have decided the client machines, the types of
updates, and the inclusion and exclusion of specific updates, you can now
plan the date and time to push the updates to the clients. In the schedule
settings, I am selecting the start date and time to push the updates. I am also
making it recur on the fourth Saturday of every month:
Figure 5.17: Schedule update push in Update Management
8. Pre and post scripts: You may need to perform certain tasks before and
after the Update Management activity, such as stopping and starting services.
In this section you can define the tasks that are automatically executed
before or after an update deployment run. These tasks are automated
through a pre-script and a post-script. You can configure up to one pre-script
and one post-script per deployment.
9. Maintenance window: An update deployment requires a maintenance window
to finish the installation and reboot of the server. You can set a maintenance
window of at least 30 minutes and less than 6 hours. The last 20 minutes of the
maintenance window are dedicated to the machine restart; any remaining
updates will not be started once this interval is reached, but in-progress
updates will finish being applied.
10. Reboot options: Here, you can choose what happens once the updates are
installed, because most Microsoft updates require a reboot of the client to
take effect.
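The deployment configured through the portal in steps 1 to 10 can be expressed in one Azure PowerShell script. The following is an added example written for this guide, not code from the book or from Microsoft: the schedule recurs on the fourth Saturday of every month as in the text, targets Critical and Security updates, and keeps the maintenance window inside the allowed range. The resource group, Automation account name, and VM resource ID are assumed placeholders, and the Automation account, linked workspace, and VM onboarding from the earlier sections are assumed to be in place.

```powershell
# Added example (not from the book): a scheduled update deployment built with
# Azure PowerShell. Names and the VM resource ID are assumed placeholders.
$rg     = 'rg-patching'
$aaName = 'aa-patching-01'
# Assumed resource IDs of already onboarded VMs; in practice use (Get-AzVM -Name ...).Id
$vmIds  = @(
    '/subscriptions/<subscription-id>/resourceGroups/rg-patching/providers/Microsoft.Compute/virtualMachines/vm-app-prod-01'
)

# 1. Maintenance window. The check mirrors the rule from step 9: at least
#    30 minutes and less than 6 hours, with the last 20 minutes reserved for the restart.
$window = New-TimeSpan -Hours 3
if ($window.TotalMinutes -lt 30 -or $window.TotalHours -ge 6) {
    throw 'Maintenance window must be at least 30 minutes and less than 6 hours.'
}

# 2. Schedule: monthly, fourth Saturday, 02:00 UTC. The first start time has to lie
#    in the future; -ForUpdateConfiguration marks the schedule as usable by deployments.
$start = (Get-Date -Hour 2 -Minute 0 -Second 0).AddDays(7)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aaName `
    -Name 'prod-critical-fourth-saturday' `
    -StartTime $start -TimeZone 'UTC' `
    -MonthInterval 1 -DayOfWeek Saturday -DayOfWeekOccurrence Fourth `
    -ForUpdateConfiguration

# 3. Deployment: Windows targets, Critical and Security classifications only,
#    the window from step 1, and a reboot only when an update asks for one.
$deployment = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg `
    -AutomationAccountName $aaName `
    -Schedule $schedule `
    -Windows `
    -AzureVMResourceId $vmIds `
    -IncludedUpdateClassification Critical, Security `
    -Duration $window `
    -RebootSetting IfRequired

# 4. Read the configuration back to confirm it was accepted.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg `
    -AutomationAccountName $aaName -Name $deployment.Name |
    Select-Object Name, ProvisioningState
```

The include and exclude lists from step 6 map to the -IncludedKbNumber and -ExcludedKbNumber parameters, the pre- and post-scripts from step 8 to -PreTaskRunbookName and -PostTaskRunbookName (the runbooks must exist in the same Automation account), and Linux targets use -Linux with -IncludedPackageClassification in place of -Windows and -IncludedUpdateClassification.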
After this section, you should be able to set up Update Management in your Azure
environment. We learnt about all the components of Update Management in detail
and the process to configure them. Now you can have a reliable patch management
setup for your environment. You can also onboard your on-premises servers to the
Log Analytics workspace and connect them to Update Management.
Azure Key Vault
In the coming chapters, we will see the use of Azure Key Vault for Transparent Data
Encryption in Azure SQL Database, customer-managed Azure Storage account
encryption, and disk encryption of Azure Virtual Machines. Azure Key Vault provides
a secure way to store keys, secrets, and certificates. Secure management of these
resources has always been a challenge for organizations. With Azure Key Vault, you
can easily and securely manage keys, secrets, and certificates. In the coming sections,
we will see how you can use keys from Azure Key Vault for data encryption, secrets to
store passwords and connection strings, and certificates for secure HTTPS connections.
Azure Key Vault helps you with:
• Secrets management: With Azure Key Vault, you can securely store and
tightly control access to tokens, passwords, connection strings, API keys,
and other secrets.
• Key management: With Azure Key Vault, you can easily create and control
the encryption keys used to encrypt your data.
• Certificate management: Azure Key Vault also lets you easily provision,
manage, and deploy public and private Transport Layer Security/Secure
Sockets Layer (TLS/SSL) certificates for use with Azure and your internal
connected resources.
• Store secrets backed by hardware security modules: In Azure Key Vault,
you can protect secrets and keys either by software or by FIPS 140-2 Level 2
validated HSMs.
With Azure Key Vault, you can store and use several types of secret/key data:
• Cryptographic keys: Supports multiple key types and algorithms and
enables the use of Hardware Security Modules (HSMs) for high value keys.
• Secrets: Provides secure storage of secrets, such as passwords and database
connection strings.
• Certificates: Supports certificates, which are built on top of keys and secrets
and add an automated renewal feature.
• Azure storage: Can manage keys of an Azure storage account for you.
Internally, Key Vault can list (sync) keys with an Azure storage account, and
regenerate (rotate) the keys periodically.
Create Azure Key Vault
Let's have a look at how to create an Azure Key Vault in your environment. It takes
a few simple steps to deploy:
1. Login to the Azure portal, search for Key vaults, and click on + Create.
2. It will open a new window where you need to fill in some basic details such as
subscription, location, name, and SKU.
3. Azure Key Vault has two SKUs: Standard and Premium. The Premium SKU
supports HSM-backed keys. These configurations are simple and straightforward.
You can leave the rest of the settings at their defaults for retention days and
purge protection; we will study them in the coming sections.
4. In the next tab, you get the option to control access to the Key Vault through
access policies. If you want to configure it here, refer to the Identity and access
management for Azure Key Vault section of this chapter; otherwise you can leave it
blank and configure it later.
5. The next section is for networking; here you control the resource-level firewall.
It helps you to allow and block traffic from defined networks and IPs. We
have already seen this configuration in Chapter 4, Implementing Advance
Network Security.
6. Click on Review + create to start the deployment.
These were the simple steps to deploy Key Vault in your environment. In the coming
sections, we will see how to create keys, secrets, and certificates in this Key Vault.
Manage Azure Key Vault
In the last section, we studied how to deploy Azure Key Vault. In this section,
we will see how to create keys, secrets, and certificates in Key Vault.
Keys in Azure Key Vault
A key in Azure Key Vault is a cryptographic key. It can be used for encryption on
various types of Azure resources. In Key Vault, you can create a new key, restore one
from backup, or import an existing key. Let's see the processes for these operations.
Generate new key in Key Vault
1. To generate a new key in Key Vault, go to the Key Vault in your Azure
subscription.
2. Click on Keys under the Settings section. It will open a new window. Here
you can see any existing keys or create a new key.
3. Click on the + Generate/Import option to create a new key:
Figure 5.18: Generate key in Azure Key Vault
As shown in the preceding figure, select Generate from the Options drop-down, give
a name to this key, and select the type of key and the encryption level (key size).
You can also set activation and expiration dates for this key. If you do not select
any date, it activates right after generation and remains activated. You can also
enable and disable this key; the default setting is enabled.
Once you have filled in all these values, click on Create. A new key with the given
configuration will be created.
Import new key in Key Vault
In the last section, you saw how to generate a new key in your Key Vault. You can
also import your existing key into Key Vault; this is called bring your own key
(BYOK). The supported file formats for this option are .pfx, .pem, and .byok.
To import a key, you need to select Import from the Options drop-down:
Figure 5.19: Import key in Azure Key Vault
As shown in the preceding figure, you can upload a key file. RSA is the only supported
key type. The rest of the features are the same as in the previous section. Click on
Create to bring the key into Key Vault.
Restore keys from backup
Azure gives you the ability to restore backed-up keys. This helps you to recover an old
version or an old key. Let's see how to back up a key and then how to restore it:
1. Login to the Azure portal and go to the Key Vault where you want to perform
the backup and restore.
2. In the Key Vault, click on Keys in the left panel. You will see the existing keys there.
3. Click on the key; it will open a new window. There you get the option to
Download backup. Click on it to back up your key. You can keep the
downloaded key at any secure location.
4. Now, to restore the key, you just need to go back to Keys under the Settings
section and click on Restore backup. It will ask you to browse to the location of
the backed-up key.
5. Select the proper backed-up file and it will restore the key.
You can follow the preceding steps to restore a backed-up key.
Manage deleted keys
In this section, we will see how to recover a deleted key. To restore a deleted key,
purge protection should be enabled on the Key Vault. It cannot be disabled once
it is enabled. You can enable purge protection while creating the Key Vault or later
from the Properties section. Let's follow these steps to restore a deleted key from a
purge-protected Key Vault:
1. Login to the Azure portal and go to the Key Vault where you want to recover the
deleted key.
2. In the Key Vault, click on Keys in the left panel. You will see the existing keys
there and also a Manage deleted keys option.
3. Click on Manage deleted keys; it will open a new window. There you will
see all deleted keys which are within the retention period.
4. Select the appropriate key which you want to restore and click on Recover.
The preceding steps will recover your deleted key during the retention period. The
retention period can be set only while creating the Key Vault. You cannot modify the
retention period once you have created the Key Vault. You cannot recover the key
with this method if you have deleted the complete Key Vault. To recover a key from
a deleted Key Vault, first you will need to recover the Key Vault and then you will need
to recover the key. Key Vault recovery is not supported from the Azure portal at this
time. You need to use Azure PowerShell or CLI to restore the Key Vault and the deleted
keys under it. We will see this scenario in a coming section.
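The vault creation from the Create Azure Key Vault section and the key operations from this section (generate, import, back up, restore, and recover) map to Az.KeyVault cmdlets, which also cover the vault-level recovery that the portal does not offer. The following is an added example written for this guide, not code from the book or from Microsoft. The resource group, region, vault name, key name, and the .pfx path are assumed placeholders; the resource group is assumed to exist and the session to be signed in with Connect-AzAccount. Destructive steps (deleting the vault) and steps that need external files are left commented so the script can be run top to bottom.

```powershell
# Added example (not from the book): Key Vault creation and key lifecycle with
# Azure PowerShell. All names are assumed placeholders.
$rg        = 'rg-security'        # assumed resource group (must already exist)
$location  = 'eastus'             # assumed region
$vaultName = 'kv-example-0001'    # assumed; vault names are globally unique
$keyName   = 'tde-key'            # assumed key name

# 1. Create the vault. The soft-delete retention window is fixed at creation
#    time, and purge protection cannot be switched off once enabled.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -Sku 'Standard' -SoftDeleteRetentionInDays 90 -EnablePurgeProtection

# 2. Generate a software-protected RSA 2048 key with a one-year expiry
#    (use -Destination 'HSM' on the Premium SKU for an HSM-backed key).
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName `
    -Destination 'Software' -KeyType 'RSA' -Size 2048 -Expires (Get-Date).AddYears(1)
"Created $($key.Id)"

# 3. Import an existing RSA key from a .pfx file (the BYOK path in the text).
#    Path and password are placeholders; uncomment when you have a file.
# $pfxPassword = Read-Host -AsSecureString 'PFX password'
# Add-AzKeyVaultKey -VaultName $vaultName -Name 'imported-key' `
#     -KeyFilePath '.\my-key.pfx' -KeyFilePassword $pfxPassword -Destination 'Software'

# 4. Back up the key. The backup blob is encrypted by the service and can only be
#    restored into a vault in the same subscription and Azure geography.
$backupFile = Join-Path $env:TEMP "$keyName.blob"
Backup-AzKeyVaultKey -VaultName $vaultName -Name $keyName -OutputFile $backupFile -Force
# Restore-AzKeyVaultKey -VaultName $vaultName -InputFile $backupFile   # only if the key is absent

# 5. Delete the key, list what is soft-deleted, then recover it inside the window.
Remove-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Force
Get-AzKeyVaultKey -VaultName $vaultName -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate
Undo-AzKeyVaultKeyRemoval -VaultName $vaultName -Name $keyName

# 6. Vault-level recovery (the scenario the portal does not support): recover the
#    vault first, then its keys as in step 5.
# Remove-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -Force
Get-AzKeyVault -InRemovedState | Select-Object VaultName, DeletionDate, ScheduledPurgeDate
# Undo-AzKeyVaultRemoval -VaultName $vaultName -ResourceGroupName $rg -Location $location
```

Because the vault in step 1 is purge protected, neither the key nor the vault can be permanently removed before ScheduledPurgeDate, which is exactly what makes the recover calls in steps 5 and 6 reliable; the cost is that a vault name stays reserved until the retention period ends.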
Secrets in Azure Key Vault
With Azure Key Vault secrets, you can store your passwords and connection strings
securely. These passwords and connection strings can be fetched by an application
through the secret URI, so you no longer need to embed passwords and connection
strings in your code. The secret values are encrypted in Key Vault.
Generate new secret in Key Vault
1. Login to the Azure portal and go to the Key Vault where you want to create the
secret.
2. Click on Secrets under the Settings section. It will open a new blade where
you can see the existing secrets and can also create new secrets.
3. Click on Generate to create a new secret:
Figure 5.20: Generate secret in Key Vault
As shown in the preceding figure, select Manual from the Upload options
drop-down, give a name to this secret, and type the value of this secret. You
can also type a hint or context for this secret to identify it later. The function
of the activation and expiration dates is the same as for keys.
4. Click on Create once you have filled in these details. Your secret will be
generated in the Key Vault.
Check the value of secret in Key Vault
1. Go back to the Secrets section in your Key Vault to see the value of your
secrets.
2. You will see multiple versions of your secret. Select the current version
and a new window will open.
3. Click on Show Secret Value and it will show the secret value:
Figure 5.21: Show the value of secret in key vault
4. You can copy this value and click on Hide Secret Value to hide it again.
In this section, we studied how to see the value of a secret.
Restore secrets from backup
Secret backup and restore is as simple as key backup and restore. This helps you to
recover an old version or an old secret. Let's see how to back up a secret and then
how to restore it:
1. Login to the Azure portal and go to the Key Vault where you want to perform
the backup and restore.
2. In the Key Vault, click on Secrets in the left panel. You will see the existing
secrets there.
3. Click on the secret; it will open a new window. There you get the option to
Download backup. Click on it to back up your secret. You can keep the
downloaded secret at any secure location.
4. Now, to restore the secret, you just need to go back to Secrets under the
Settings section and click on Restore backup. It will ask you to browse to the
location of the backed-up secret.
5. Select the proper backed-up file and it will restore the secret.
You can follow the preceding steps to restore a backed-up secret.
Manage deleted secrets
In the last section, we studied how to restore a backed-up secret. In this section, we
will see how to recover a deleted secret. To restore a deleted secret, purge protection
should be enabled on the Key Vault. Let's follow these steps to restore a deleted secret
from a purge-protected Key Vault:
1. Login to the Azure portal and go to the Key Vault where you want to recover
the deleted secret.
2. In the Key Vault, click on Secrets in the left panel. You will see the existing
secrets there and also a Manage deleted secrets option.
3. Click on Manage deleted secrets; it will open a new window. There you will
see all deleted secrets which are within the retention period.
4. Select the appropriate secret which you want to restore and click on Recover.
5. The preceding steps will recover your deleted secret during the retention
period.
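The secret operations from the last three sections, and the point that an application references a secret by its URI rather than carrying the value, look like this in Azure PowerShell. This is an added example written for this guide, not code from the book or from Microsoft; the vault name, secret name, and the connection string are assumed placeholders, the vault is assumed to exist, and the signed-in identity is assumed to hold get, list, set, delete, backup, restore, and recover permissions on secrets.

```powershell
# Added example (not from the book): secret lifecycle with Azure PowerShell.
# Vault and secret names, and the connection string, are assumed placeholders.
$vaultName  = 'kv-example-0001'
$secretName = 'sql-connection-string'

# 1. Store the value. The plaintext exists only in this session's memory; the
#    connection string below is a constructed placeholder, not a real credential.
$value  = ConvertTo-SecureString 'Server=tcp:<server>.database.windows.net;User ID=<user>;Password=<password>' `
    -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $value `
    -ContentType 'connection-string' -Expires (Get-Date).AddMonths(6)

# 2. This URI is what an application configuration points at instead of the value:
#    https://<vault>.vault.azure.net/secrets/<name>/<version>
"Secret URI: $($secret.Id)"

# 3. Read the value back. -AsPlainText is for scripts; without it you get a
#    SecureString, which is the safer default for interactive use.
$plain = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
"Fetched $($plain.Length) characters from $secretName"

# 4. Every Set creates a new version; older ones stay until disabled or deleted.
#    This is the list the portal shows as "multiple versions of your secret".
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -IncludeVersions |
    Select-Object Version, Enabled, Created, Expires

# 5. Back up, delete, inspect the soft-deleted entry, and recover it, mirroring
#    the key workflow. The backup is the portal's "Download backup" file.
$backupFile = Join-Path $env:TEMP "$secretName.blob"
Backup-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -OutputFile $backupFile -Force
Remove-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -Force
Get-AzKeyVaultSecret -VaultName $vaultName -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate
Undo-AzKeyVaultSecretRemoval -VaultName $vaultName -Name $secretName
# Restore-AzKeyVaultSecret -VaultName $vaultName -InputFile $backupFile   # alternative to Undo, when the secret is absent
```

The -Expires value in step 1 is what the portal's expiration date sets; a secret past that date is still stored but Key Vault refuses to return it, so rotation jobs should set a new version before the old one expires rather than after.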
Certificates in Azure Key Vault
You require certificates to set up a secure connection between your web app and its
clients. You need to set up an SSL connection for this. You can store and create SSL
certificates in Azure Key Vault. You can create a self-signed certificate, a certificate
issued by a non-integrated certificate authority, or a certificate issued by an integrated
certificate authority. Integrated certificate authorities are managed by Key Vault; the
currently supported certificate authorities are DigiCert and GlobalSign.
You should have a registered account with the integrated certificate authority to
generate certificates from it. Let's follow these steps to register your certificate
authority with Azure Key Vault:
1. Login to the Azure portal and go to the Key Vault where you want to register the
certificate authority.
2. In the Key Vault, click on Certificates in the left panel. You will see the existing
certificates there and also a Certificate Authorities option.
3. Click on Certificate Authorities; it will open a new blade asking for the details
of your registration:
Figure 5.22: Register certificate authority with your key vault
As shown in the preceding figure, you can give a name to this registration and
select the certificate provider from the drop-down. Account ID, account
password, and organization ID are the unique details registered with your
certificate provider.
4. Once you enter these details, your certificate authority account gets connected
with your Azure Key Vault. Now you can use this CA to issue certificates, and
those certificates can be stored in the Key Vault.
The Certificates page also has a Certificate contacts option. Here you can put the
email addresses of those who should get notifications about certificate expiration. In
the next section, let's see how to generate certificates in Key Vault.
Generate a certificate in Azure Key Vault
Let's see how to generate a certificate in Azure Key Vault:
1. Login to the Azure portal and go to the Key Vault where you want to generate
the certificate.
2. Click on Certificates in the left panel; it will open a new window. There you
can see any existing certificates and can also create new certificates.
3. Click on Generate/Import to generate a new certificate. In this exercise, we
will generate a self-signed certificate:
Figure 5.23: Generate self-signed certificate in key vault
4. As shown in the preceding figure, select Generate from the drop-down, give
a name to this certificate, and select Self-signed certificate from the Type of
Certificate Authority (CA) drop-down. This option supports:
• Self-signed certificate
• Certificate issued by integrated CA
• Certificate issued by non-integrated CA
In the Subject field, you need to give the name of the domain for which
you want to generate the certificate. Validity Period (in months) sets the
validity of this certificate. In Lifetime Action Type, you can select what
happens when the certificate is about to expire. This action type has the
following options:
• Automatically renew at a given percentage lifetime
• Email all contacts at a given percentage lifetime
• Automatically renew at a given number of days before expiry
• Email all contacts at a given number of days before expiry
The next field is about lifetime expiry. Based on the preceding selection in the
drop-down, this field takes a percentage or a number of days.
5. Fill in the details as shown and described in the preceding points and click on
Create. In the Certificates section, you will see the new certificate.
Certificates can be managed in the same way as keys and secrets. They can also be
backed up and restored, and you can recover a deleted certificate in a purge-protected
Key Vault. The steps are the same as those we followed for keys and secrets to restore
from backup and to recover from deleted items.
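The certificate settings described in the preceding sections (subject, validity, lifetime action, certificate contacts, and an integrated CA registration) can be set with Azure PowerShell, where the lifetime action lives in a certificate policy object. The following is an added example written for this guide, not code from the book or from Microsoft. The vault name, certificate name, domain, contact address, and CA account details are assumed placeholders, the vault is assumed to exist, and the signed-in identity is assumed to hold certificate permissions; the CA registration step is commented because it needs real provider credentials.

```powershell
# Added example (not from the book): a self-signed certificate with an automatic
# renewal action, expiry contacts, and an optional integrated CA registration.
$vaultName = 'kv-example-0001'     # assumed vault
$certName  = 'www-contoso-tls'     # assumed certificate name

# 1. Expiry notifications go to these addresses (the portal's Certificate contacts).
Add-AzKeyVaultCertificateContact -VaultName $vaultName -EmailAddress 'pki-team@example.com'

# 2. Policy: 12-month validity, renew automatically at 80% of lifetime, a fresh
#    key pair on each renewal, and PKCS#12 content so the full chain is retrievable.
$policy = New-AzKeyVaultCertificatePolicy `
    -SubjectName 'CN=www.contoso.com' `
    -DnsName 'www.contoso.com', 'contoso.com' `
    -IssuerName 'Self' `
    -ValidityInMonths 12 `
    -RenewAtPercentageLifetime 80 `
    -SecretContentType 'application/x-pkcs12' `
    -KeyType 'RSA' -KeySize 2048 -ReuseKeyOnRenewal:$false

# 3. Create the certificate. Creation is asynchronous, so poll the operation
#    until it leaves the inProgress state before reading the certificate.
Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy
do {
    Start-Sleep -Seconds 5
    $op = Get-AzKeyVaultCertificateOperation -VaultName $vaultName -Name $certName
} while ($op.Status -eq 'inProgress')
if ($op.Status -ne 'completed') { throw "Certificate operation ended with status $($op.Status)" }

$cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
$cert | Select-Object Name, Enabled, NotBefore, Expires, Thumbprint

# 4. Integrated CA instead of self-signed: register the provider account once,
#    then use -IssuerName 'digicert-prod' in the policy above. Values are placeholders.
# $apiKey = Read-Host -AsSecureString 'CA account password / API key'
# Set-AzKeyVaultCertificateIssuer -VaultName $vaultName -Name 'digicert-prod' `
#     -IssuerProvider 'DigiCert' -AccountId '<account-id>' -ApiKey $apiKey `
#     -OrganizationDetails (New-AzKeyVaultCertificateOrganizationDetail -Id '<org-id>')
```

Swapping -RenewAtPercentageLifetime for -EmailAtPercentageLifetime, -RenewAtNumberOfDaysBeforeExpiry, or -EmailAtNumberOfDaysBeforeExpiry selects the other three lifetime action types listed in step 4; only one action is set per policy.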
Azure Key Vault security best practices
In Azure Key Vault, you can protect encryption keys and secrets such as certificates,
connection strings, and passwords in the cloud. Since you are storing sensitive and
business-critical data, you need to take steps to maximize the security of your vaults
and the data stored in them. In this section we will see some of the security settings
that secure Azure Key Vault.
Identity and access management for Azure Key Vault
When you create a Key Vault in an Azure subscription, it is automatically associated
with the Azure AD tenant of the subscription. Anyone trying to manage or retrieve
content from a vault must be authenticated by Azure AD:
• Access model overview: Access to vaults takes place through two planes, the
management plane and the data plane:
    • The management plane is where you manage Key Vault itself; it is the
    interface used to create and delete vaults. You can also read Key Vault
    properties and manage access policies.
    • The data plane allows you to work with the data stored in a Key Vault. You
    can add, delete, and modify keys, secrets, and certificates.
To access a Key Vault in either plane, all users or applications must be
authenticated and authorized. Both planes use Azure AD for authentication.
For authorization, the management plane uses role-based access control
(RBAC) and the data plane uses a Key Vault access policy.
• Controlling access to Key Vault data: Key Vault access policies grant
permissions separately to keys, secrets, or certificates. You can grant a user
access only to keys and not to secrets. Access permissions for keys, secrets,
and certificates are managed at the vault level.
Key Vault access policies do not support granular, object-level permissions for
a specific key, secret, or certificate. When a user is granted permission to
create and delete keys, they can perform those operations on all keys in that
Key Vault. You can set up management plane access through RBAC. Let's
follow these steps to set up a data plane access policy:
1. Login to the Azure portal and go to the Key Vault.
2. Select Access policies under Settings. On this page you will see the default
access policy. Azure Key Vault supports two kinds of access policy, Vault
access policy and Azure RBAC:
Figure 5.24: Default access policy in Key Vault
3. You see three options for using this Key Vault. You can use this Key Vault for
multiple things, but for certain tasks you need to explicitly enable the Key
Vault. For example:
a. If you want this Key Vault to be used for disk encryption, then you need
to select the Azure Disk Encryption for volume encryption check box
from the list.
b. If you want ARM templates to retrieve secrets from this Key Vault during
deployment, then you need to select the Azure Resource Manager for
template deployment check box from the list.
c. If you want Azure Virtual Machines to retrieve certificates from this Key
Vault, then you need to select the Azure Virtual Machines for deployment
check box from the list. These check boxes enable this Key Vault to be
used by different Azure services.
4. Now if any user or application wants to access keys, secrets, or certificates,
you need to grant them appropriate access. This access on keys, secrets, and
certificates is called an access policy. An access policy defines the actions
that can be performed by the user.
5. Different services and tasks require different combinations of permissions.
Click on + Add Access Policy to define a new access policy. It will open a new
blade where you can see six fields, as shown in the following figure. Let's
understand them one by one:
Figure 5.25: Access policy permissions
• Key permissions: This drop-down has the list of actions which can be
performed on keys.
• Secret permissions: This drop-down has the list of actions which can be
performed on secrets.
• Certificate permissions: This drop-down has the list of actions which can
be performed on certificates.
• Select principal: Here you can select the user ID from Azure AD to whom
you want to assign the permissions on keys, secrets, and certificates.
• Authorized application: Here you can select the Azure application ID from
Azure AD to which you want to assign the permissions on keys, secrets,
and certificates.
• Configure from template (optional): As I mentioned earlier, each
operation needs a different combination of permissions. Azure provides
some built-in combinations as templates for certain tasks. You can select
those tasks from the drop-down and the respective permissions combination
will be applied. For example, if you want Azure Backup to access this
Key Vault then you will need to grant certain permissions on keys and
secrets. For this, you would otherwise need to work out the appropriate
permissions combination. Azure makes it easy for you: when you select
Azure Backup from the drop-down, the pre-defined template automatically
chooses the appropriate permissions on keys, secrets, and certificates:
Figure 5.26: Access policy for backup
Figure 5.26: Access policy for backup
6. As shown in the preceding figure, required permissions on key and secret
are granted to Azure backup. Click on Add and Save. Now Azure backup
can access this Key Vault.
7. Now if you want any user or application to access and manage key, secret,
and certificate, you can select user or application ID and choose appropriate
permissions from the drop-down:
Figure 5.27: Updated access policy dashboard
8. In the preceding figure, you can see that the Backup Management application and the
jayantsharma2202 user have permissions on key, secret, and certificate in
this Key Vault.
After assigning these permissions, the applications or users can create, update, delete,
and access the key, secret, and certificate as per their permissions.
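The same steps can be scripted. The following is an added example, not code from the book, using Set-AzKeyVaultAccessPolicy; the vault name, resource group, UPN and application display name are placeholders you replace with your own.

```powershell
# Added example (not from the book): script the access policy steps above with
# Set-AzKeyVaultAccessPolicy. Vault, resource group, UPN and app name are placeholders.
$VaultName = 'tdekeyvaultdemo3'   # placeholder vault name
$RgName    = 'jay-demo-rg'        # placeholder resource group

# Step 3: the three check boxes. Each switch is one check box; omit those you do not need.
#   -EnabledForDiskEncryption     -> Azure Disk Encryption for volume encryption
#   -EnabledForTemplateDeployment -> Azure Resource Manager for template deployment
#   -EnabledForDeployment         -> Azure Virtual Machines for deployment
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RgName `
    -EnabledForDiskEncryption -EnabledForTemplateDeployment -EnabledForDeployment

# Steps 4-7: a policy for a user. Grant only what the task needs; someone who
# reads secrets gets get/list, not set, delete or purge.
$User = Get-AzADUser -UserPrincipalName 'jayantsharma2202@contoso.com'   # placeholder UPN
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RgName `
    -ObjectId $User.Id `
    -PermissionsToKeys get, list `
    -PermissionsToSecrets get, list `
    -PermissionsToCertificates get, list

# A policy for an application (service principal) that only reads secrets at run time.
$App = Get-AzADServicePrincipal -DisplayName 'backup-management-app'     # placeholder name
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RgName `
    -ObjectId $App.Id -PermissionsToSecrets get

# Review: one entry per principal with its permissions, the same view as Figure 5.27.
(Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RgName).AccessPolicies |
    Select-Object DisplayName, ObjectId, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates

# Revoke a policy when it is no longer needed.
Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RgName -ObjectId $App.Id
```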
Secure network access to Azure Key Vault
You can specify the IP addresses from which you want users to access the Key Vault. This
helps to reduce the exposure of your vaults. The virtual network service endpoint
for Azure Key Vault allows you to restrict access to a specified virtual network. The
endpoints also allow you to restrict access to a list of IPv4 address ranges. Any user
connecting to your Key Vault from outside those sources is denied access.
After firewall rules are in effect, users can only read data from Key Vault when their
requests originate from allowed virtual networks. Although users can browse to a key
vault from the Azure portal, they might not be able to list keys, secrets, or certificates
if their client machine is not in the allowed list. We have already seen this in Chapter 4,
Implementing Advance Network Security, in the Azure resource firewall section.
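The firewall and virtual network rules described above can be applied with Az.KeyVault cmdlets. This is an added example, not code from the book; the VNet, subnet, vault and address ranges are placeholders.

```powershell
# Added example (not from the book): lock the vault down to one subnet and a
# small IP list with Update-AzKeyVaultNetworkRuleSet. VNet, subnet, vault and
# address ranges are placeholders.
$VaultName = 'tdekeyvaultdemo3'   # placeholder vault name
$RgName    = 'jay-demo-rg'        # placeholder resource group

# The subnet must carry the Microsoft.KeyVault service endpoint or the VNet rule
# has no effect; enable it on the subnet first (placeholder VNet and subnet names).
$Vnet   = Get-AzVirtualNetwork -Name 'demo-vnet' -ResourceGroupName $RgName
$Prefix = ($Vnet.Subnets | Where-Object Name -eq 'app-subnet').AddressPrefix
$Vnet   = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $Vnet -Name 'app-subnet' `
              -AddressPrefix $Prefix -ServiceEndpoint 'Microsoft.KeyVault' |
          Set-AzVirtualNetwork
$Subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $Vnet -Name 'app-subnet'

# DefaultAction Deny refuses everything not listed. Bypass AzureServices keeps
# trusted Microsoft services such as Azure Disk Encryption and Azure Backup working.
Update-AzKeyVaultNetworkRuleSet -VaultName $VaultName -ResourceGroupName $RgName `
    -DefaultAction Deny `
    -Bypass AzureServices `
    -IpAddressRange '203.0.113.0/24' `
    -VirtualNetworkResourceId $Subnet.Id

# Add a single admin workstation later without rewriting the whole rule set.
Add-AzKeyVaultNetworkRule -VaultName $VaultName -ResourceGroupName $RgName `
    -IpAddressRange '198.51.100.7/32'

# Verify: DefaultAction should read Deny and the two lists should hold only what
# you expect. The portal still opens the vault blade, but listing keys or secrets
# from a client outside these ranges fails, as described above.
(Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RgName).NetworkAcls
```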
Azure Key Vault monitoring
To see who is accessing your Key Vault, you need to enable logging on your Key
Vault. Logging saves information about the activities performed on your vault. Key
Vault logs:
• Operations on the key vault itself. These operations include creation, deletion,
setting access policies, and updating key vault attributes such as tags.
• Operations on keys and secrets in the Key Vault, such as creating, modifying,
or deleting these keys or secrets. Signing, verifying, encrypting, decrypting,
wrapping, and unwrapping keys, getting secrets, and listing keys and secrets
(and their versions).
• Unauthenticated requests that result in a 401 response. Examples are requests
that do not have a bearer token, that are malformed or expired, or that have
an invalid token.
You can access logging information within 10 minutes after the key vault operation.
You can also manage your logs in your storage account.
Overview
It is important to monitor the health of your Key Vault to make sure your service
operates as intended. As you start to scale your services, the number of requests
sent to your Key Vault will rise. This has the potential to increase the latency of your
requests and, in extreme cases, cause your requests to be throttled, which will impact
the performance of your service. You also need to be alerted if your Key Vault is
sending an unusual number of error codes, so you can be quickly notified of any
access policy or firewall configuration issues. In this section, we will cover:
• Basic Key Vault metrics to monitor.
• How to configure metrics and create a dashboard.
• How to create alerts at specified thresholds.
Basic Key Vault metrics to monitor
There are multiple built-in and custom metrics which you can monitor, but a few
are more critical and you should monitor them frequently. The following is the list of
important metrics for which you should set up monitoring and alerts:
• Vault availability: This metric should always be at 100%. This is an important
metric to monitor since it can quickly show you if your Key Vault experienced
an outage.
• Vault saturation: The number of requests per second that a Key Vault can serve
is based on the type of operation being performed. Some vault operations
have a lower requests-per-second threshold. This metric aggregates the
total usage of your Key Vault across all operation types to come up with a
percentage value that indicates your current Key Vault usage.
• Service API latency: This metric shows the average latency of a call to
Key Vault. Although your Key Vault may be within service limits, a high
utilization of Key Vault could introduce latency that causes applications
downstream to fail.
• Total API hits: This metric shows all the calls made to your Key Vault. This
will help you identify which applications are calling your Key Vault.
• Error codes: This metric will show you if your key vault is experiencing an
unusual number of errors.
How to configure metrics and create a dashboard
In this section, we will see how to configure metrics in Azure Key Vault and how to
pin them to dashboard. Let’s follow these steps:
1. Login to Azure portal and search for Azure Key Vault.
2. Go to Metrics under Monitoring. On this page, you will see options and
filters to select required metrics:
Figure 5.28: Performance metrics of Key Vault
As you can see in the preceding figure, there are multiple options to configure
metrics. With default configurations, you can select the required metric from the
Metric drop-down. In the preceding figure, I selected the Total Service Api
Hits metric and aggregation Count. This metric shows the count of all the
calls made to your key vault.
You can add more filters from the Add filter option. You can also change the
time range. I chose a time range of Last 48 hours and time granularity of 6 hours.
3. You can add other metrics from the Add metric option. Click on Pin to
dashboard to attach this metric to a dashboard. You get two options, either
Pin to current dashboard or Select another dashboard.
In this section, we saw how to configure diagnostic metrics and read the information
from them. By using diagnostic metrics, you can monitor the performance of your Key Vault.
Configure alerts on your Key Vault
In this section, we will see how to configure alerts on your Key Vault so you can act
immediately if your Key Vault is in an unhealthy state. You can configure alerts that
send an email, preferably to a team DL, fire an event grid notification, or call or text
a phone number. You can choose static or dynamic value-based alerts. Let’s follow
these steps to set up alerts:
1. Login to Azure portal and go to the Key Vault for which you want to set up
alert.
2. Go to Alerts under the Monitoring section. Here you can see any existing
alerts or can create new alerts:
3. Click on + New alert rule if you want to create new alert. It will open a new
window to configure new alert condition, action group, and alert description:
Figure 5.29: Select alert condition
As shown in the preceding figure, the current Key Vault is selected as Scope
for this alert. Click on Select condition to set condition and threshold for
alert triggering.
4. Once you click to select the condition, a new blade will open to choose signal
types. There are two categories of signal types: Metric and Activity Log:
Figure 5.30: Select alert logic
Metric based alerts work on the values in the respective metrics. An alert triggers
when the metric value crosses the threshold value. Activity log based alerts work
when they see a particular kind of activity happening on the Key Vault.
5. You can select the required signal based on your business need. I am selecting
the Total Service Api Hits signal.
6. It will open a new blade. On the next page, fill in these values in the Alert
logic section; you can change them as per your requirement:
• Set the Threshold to Static.
• Set the Aggregation Type to Count.
• Set the Operator to Greater than.
• Set the Threshold Value to 100.
• Set Aggregation Period to 5 minutes.
• Set the Evaluation Frequency to 1 minute.
• Select Done.
7. Now you need to configure an Action group. An action group is the user or group
who gets a notification based on the event. Click on Select action group. It will
open a new window. Here you can choose any existing action group or can
create a new one:
Figure 5.31: Select existing action group
You can select the listed action group(s) if you want to choose an existing
action group. You have another option to create a new action group.
8. Click on + Create action group. It will open a new blade. Fill in the details as
shown in the following figure. You can select the action type from the dropdown.
In this example, we will create an email alert:
Figure 5.32: Create new action group
9. Select Email/SMS message/Push/Voice to trigger an email alert:
Figure 5.33: Enter email address of alert receiver
Check the box for Email and give the email address of alert receiver. You can
add multiple receivers by separating email address with comma. Click on OK.
10. Now back on the Create alert rule page, you can find the condition and
action group which we selected in the preceding steps:
Figure 5.34: Set alert rule severity and description
As shown in the preceding figure, give a name and description to this alert.
Set severity. Check the box if you want to enable this alert now. Click on
Create alert rule.
Here we saw how to set up alerts for Azure Key Vault activities. You can follow the
preceding steps to set up other alerts also. You can choose different signal types and
thresholds for different alerts. In the preceding example, we chose a static value alert,
but you can create dynamic value alerts also.
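The alert rule from the preceding steps (ServiceApiHit, Count greater than 100 over a 5 minute window, evaluated every minute, e-mail action group), plus a second rule on the availability metric from the metrics list, can be created with Az.Monitor. This is an added example, not code from the book; names and the e-mail address are placeholders.

```powershell
# Added example (not from the book): the alert rule built in steps 4 to 10
# (ServiceApiHit, Count greater than 100 over 5 minutes, checked every minute,
# e-mail action group) created with Az.Monitor. Names and the address are placeholders.
$VaultName = 'tdekeyvaultdemo3'   # placeholder vault name
$RgName    = 'jay-demo-rg'        # placeholder resource group
$Vault     = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RgName

# Action group: who gets notified. A team distribution list beats a personal mailbox.
$Email       = New-AzActionGroupReceiver -Name 'kv-team-email' `
                   -EmailReceiver -EmailAddress 'keyvault-alerts@contoso.com'   # placeholder DL
$ActionGroup = Set-AzActionGroup -Name 'kv-alerts-ag' -ResourceGroupName $RgName `
                   -ShortName 'kvalerts' -Receiver $Email

# Alert logic from Figure 5.30: static threshold, Count aggregation, Greater than 100.
$ApiHits = New-AzMetricAlertRuleV2Criteria -MetricName 'ServiceApiHit' `
               -MetricNamespace 'Microsoft.KeyVault/vaults' `
               -TimeAggregation Count -Operator GreaterThan -Threshold 100

# Aggregation period 5 minutes, evaluation frequency 1 minute.
Add-AzMetricAlertRuleV2 -Name 'kv-api-hits-over-100' -ResourceGroupName $RgName `
    -TargetResourceId $Vault.ResourceId `
    -Condition $ApiHits `
    -WindowSize (New-TimeSpan -Minutes 5) `
    -Frequency  (New-TimeSpan -Minutes 1) `
    -ActionGroupId $ActionGroup.Id `
    -Severity 2 `
    -Description 'Unusual request volume; check for new callers or access policy and firewall changes.'

# Same pattern for the availability metric listed earlier: it should stay at 100%,
# so alert as soon as the 5-minute average drops below it.
$Availability = New-AzMetricAlertRuleV2Criteria -MetricName 'Availability' `
                    -MetricNamespace 'Microsoft.KeyVault/vaults' `
                    -TimeAggregation Average -Operator LessThan -Threshold 100
Add-AzMetricAlertRuleV2 -Name 'kv-availability-drop' -ResourceGroupName $RgName `
    -TargetResourceId $Vault.ResourceId -Condition $Availability `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 1) `
    -ActionGroupId $ActionGroup.Id -Severity 1 -Description 'Key Vault availability below 100%.'

# Read back what was created.
Get-AzMetricAlertRuleV2 -ResourceGroupName $RgName | Select-Object Name, Severity, Enabled
```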
Azure Key Vault logging
Azure Key Vault stores sensitive and confidential information of your organization, so
you will want to monitor how and when your Key Vaults are accessed, and by whom.
You can do this by enabling logging for Azure Key Vault, which saves information
in an Azure storage account that you provide. A new container named
insights-logs-auditevent is automatically created in your specified storage account. You
can collect logs from multiple Key Vaults in the same storage account.
Configure logging for Azure Key Vault
For setting up logging I assume you already have an Azure storage account and a
Key Vault. Let’s follow these steps to set up logging for Azure Key Vault:
1. Login to Azure portal and go to the Key Vault for which you want to enable
logging.
2. In the Key Vault, select Diagnostic settings under the Monitoring section. It
will show the current logging settings. By default, this setting is not enabled:
Figure 5.35: Default configuration of diagnostic settings
3. Click on + Add diagnostic setting to enable it:
Figure 5.36: Archive Key Vault logs to a storage account
Fill in the details as shown in the preceding figure. Give a name to this log
setting. You can choose what kind of logs you want to store in the storage
account. This could be audit events and all metrics. You can also set how long
you want to keep logs in the storage account. There are multiple destinations
where you can send logs. But in this example, we are sending logs to Azure
storage. When you select the Archive to a storage account option, you need
to select an existing storage account where you want to store the logs.
4. After making all these arrangements, save the changes. You can see the logs
in the storage account in 10 minutes.
In this section, we saw how to archive logs from Azure Key Vault to an Azure storage
account. Azure itself stores only 90 days of logs, and you may need to see older logs
for business reasons, so archiving helps you refer to the logs in future.
The following is the list of information which you can get from Azure Key Vault’s logs:
• All authenticated REST API requests, including failed requests as a result of
access permissions, system errors, or bad requests.
• Operations on the Key Vault itself, including creation, deletion, setting Key
Vault access policies, and updating Key Vault attributes such as tags.
• Operations on keys and secrets in the Key Vault, including creating,
modifying, or deleting these keys or secrets.
• Operations on keys and secrets in the Key Vault, including signing, verifying,
encrypting, decrypting, wrapping, and unwrapping keys, getting secrets,
and listing keys and secrets (and their versions).
• Unauthenticated requests that result in a 401 response. Examples are requests
that do not have a bearer token, that are malformed or expired, or that have
an invalid token.
Access your logs
Key Vault audit logs are stored in insights-logs-auditevent and metric performance
logs are stored in insights-metrics-pt1m container in the storage account that you
provided in the preceding step. To view the logs, you will need to download BLOBs:
1. Login to Azure portal and go to the storage account where you are collecting
the logs.
2. In storage account, go to Containers. You will see containers with name
insights-logs-auditevent and insights-metrics-pt1m:
Figure 5.37: See key vault logs in storage account
Follow the hierarchical path and open all subfolders till you find the Key
Vault log files. The log file will be with name PT1H.JSON:
Figure 5.38: Download key vault audit log file
3. You can store logs of multiple key vaults in same storage account. Go to
required Key Vault folder and download this log file.
In this section, you learnt how you can retrieve the archived logs from Azure storage.
You can use these logs for the investigation of any issue.
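Both of the preceding procedures, creating the diagnostic setting and fetching the PT1H.json blob, can be done from Azure PowerShell. The following is an added example, not the book's code; it assumes the Az.Monitor Set-AzDiagnosticSetting cmdlet, and the vault, resource group and storage account names are placeholders.

```powershell
# Added example (not from the book): create the diagnostic setting from Figure 5.36
# and fetch the newest PT1H.json from the insights-logs-auditevent container.
# Assumes the Az.Monitor Set-AzDiagnosticSetting cmdlet (newer module versions
# offer New-AzDiagnosticSetting instead). Names are placeholders.
$VaultName   = 'tdekeyvaultdemo3'   # placeholder vault name
$RgName      = 'jay-demo-rg'        # placeholder resource group (vault and storage)
$StorageName = 'kvlogsdemo'         # placeholder storage account

$Vault   = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RgName
$Storage = Get-AzStorageAccount -ResourceGroupName $RgName -Name $StorageName

# Archive AuditEvent logs and AllMetrics to the storage account and keep them for
# 365 days, longer than the 90 days the platform holds on its own.
Set-AzDiagnosticSetting -Name 'kv-audit-to-storage' `
    -ResourceId $Vault.ResourceId `
    -StorageAccountId $Storage.Id `
    -Category AuditEvent `
    -MetricCategory AllMetrics `
    -Enabled $true `
    -RetentionEnabled $true -RetentionInDays 365 | Out-Null

# Confirm which categories are enabled (logs land in the container within about 10 minutes).
Get-AzDiagnosticSetting -ResourceId $Vault.ResourceId |
    Select-Object Name, StorageAccountId, `
        @{ n = 'Logs';    e = { ($_.Logs    | Where-Object Enabled).Category -join ',' } }, `
        @{ n = 'Metrics'; e = { ($_.Metrics | Where-Object Enabled).Category -join ',' } }

# Download the latest hourly audit blob for this vault. Blob names embed the
# upper-cased resource id plus y=/m=/d=/h= folders and end in PT1H.json.
$Dest = Join-Path ([IO.Path]::GetTempPath()) 'kvlogs'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
Get-AzStorageBlob -Container 'insights-logs-auditevent' -Context $Storage.Context |
    Where-Object { $_.Name -like "*/VAULTS/$($VaultName.ToUpper())/*PT1H.json" } |
    Sort-Object LastModified -Descending |
    Select-Object -First 1 |
    Get-AzStorageBlobContent -Destination $Dest -Force
```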
Interpret your Key Vault logs
The log file is formatted as a JSON BLOB. You can open it in any text editor. Let’s
look at an example log entry:
{
  "count": 2,
  "total": 2,
  "minimum": 1,
  "maximum": 1,
  "average": 1,
  "resourceId": "/SUBSCRIPTIONS/XXXXXXX-XX51-4330-949F-226E6CC8XXXX/RESOURCEGROUPS/JAY-DEMO-RG/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/TDEKEYVAULTDEMO3",
  "time": "2020-06-22T03:15:00.0000000Z",
  "metricName": "ServiceApiHit",
  "timeGrain": "PT1M"
}
The preceding code shows a sample performance log result from the
insights-metrics-pt1m container. It shows a log entry for the ServiceApiHit metric:
a count of 2 hits in that one-minute (PT1M) grain.
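An audit log entry from insights-logs-auditevent carries more detail than the metric record above (caller identity, source IP, HTTP status), so a small parser is useful when you investigate. The following is an added example, not code from the book; the four records it reads are constructed, and the field names follow the documented AuditEvent schema.

```powershell
# Added example (not from the book): read a downloaded PT1H.json audit log and
# summarise who called the vault, from where, and which requests were rejected.
# The records below are constructed for the example; field names follow the
# AuditEvent schema (operationName, resultSignature, callerIpAddress,
# identity.claim, properties.httpStatusCode).

function Read-KeyVaultAuditLog {
    # PT1H.json holds either a {"records":[...]} document or one JSON record per line.
    param([Parameter(Mandatory)][string]$Path)
    $raw = Get-Content -Path $Path -Raw
    try {
        $doc = $raw | ConvertFrom-Json -ErrorAction Stop
        if ($doc.PSObject.Properties['records']) { return $doc.records }
        return @($doc)
    } catch {
        # Not a single document: parse line by line.
        return Get-Content -Path $Path | Where-Object { $_.Trim() } |
            ForEach-Object { $_ | ConvertFrom-Json }
    }
}

function Get-KeyVaultCaller {
    # Human-readable principal: UPN for a user, appid for an application.
    param($Record)
    $claims = $Record.identity.claim
    if ($null -eq $claims) { return '<unauthenticated>' }
    $upn = $claims.'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    if ($upn) { return $upn }
    if ($claims.appid) { return "app:$($claims.appid)" }
    return '<unknown>'
}

function Get-KeyVaultAuditSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    $audit = @($Records | Where-Object category -eq 'AuditEvent')
    [pscustomobject]@{
        Requests        = $audit.Count
        ByOperation     = $audit | Group-Object operationName | Sort-Object Count -Descending |
                          Select-Object Name, Count
        ByCaller        = $audit | Group-Object { Get-KeyVaultCaller $_ } | Select-Object Name, Count
        ByCallerIp      = $audit | Group-Object callerIpAddress | Select-Object Name, Count
        # 401: no token or a bad token (the "Unauthenticated requests" bullet above).
        Unauthenticated = @($audit | Where-Object { $_.properties.httpStatusCode -eq 401 })
        # 403: authenticated but refused, i.e. an access policy or firewall problem.
        Forbidden       = @($audit | Where-Object { $_.properties.httpStatusCode -eq 403 })
    }
}

# Constructed sample, one record per line, written to a temporary PT1H.json.
$Sample = @'
{"time":"2020-06-22T03:15:01Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","resultSignature":"OK","callerIpAddress":"203.0.113.10","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"jayantsharma2202@contoso.com"}},"properties":{"httpStatusCode":200}}
{"time":"2020-06-22T03:16:12Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","resultSignature":"OK","callerIpAddress":"10.0.1.4","identity":{"claim":{"appid":"00000000-0000-0000-0000-000000000001"}},"properties":{"httpStatusCode":200}}
{"time":"2020-06-22T03:17:45Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Failed","resultSignature":"Forbidden","callerIpAddress":"198.51.100.7","identity":{"claim":{"appid":"00000000-0000-0000-0000-000000000001"}},"properties":{"httpStatusCode":403}}
{"time":"2020-06-22T03:18:03Z","category":"AuditEvent","operationName":"Authentication","resultType":"Failed","resultSignature":"Unauthorized","callerIpAddress":"192.0.2.55","properties":{"httpStatusCode":401}}
'@
$Path = Join-Path ([IO.Path]::GetTempPath()) 'PT1H.json'
Set-Content -Path $Path -Value $Sample

$Summary = Get-KeyVaultAuditSummary -Records (Read-KeyVaultAuditLog -Path $Path)
$Summary.ByOperation | Format-Table -AutoSize
$Summary.ByCaller    | Format-Table -AutoSize
# The Forbidden record (a known app calling from an IP it normally does not use)
# is the kind of entry worth a closer look; the 401 is noise unless it repeats.
$Summary.Forbidden       | Select-Object time, operationName, callerIpAddress, @{ n = 'Caller'; e = { Get-KeyVaultCaller $_ } }
$Summary.Unauthenticated | Select-Object time, operationName, callerIpAddress
```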
Turn on recovery options
You can turn on soft delete and purge protection if you want to guard against force
deletion of the secret / vault even after soft delete is turned on.
Backup
Make sure you take regular backups of your vault on update/delete/create of objects
within a vault. There is no built-in backup process for Key Vault, but you can back up
Key Vault items. Let’s follow these steps to back up Key Vault items:
1. Login to Azure portal and go to the Key Vault.
2. In Key Vault, go to the key, secret, or certificate to back it up:
Figure 5.39: Backup key vault’s key
In the preceding figure, I am taking a backup of a key in Key Vault. Go to the key
in Key Vault and click on Download Backup. It will download a text file for the Key
Vault backup. You can open this text file but cannot retrieve the key information.
The key can be read only by Azure Key Vault when you upload this text file.
Soft delete for Azure Key Vault
You can enable soft delete to recover a deleted Key Vault, or objects stored in a
Key Vault. Enabling soft delete on a Key Vault is an irreversible action. Once the soft
delete property has been set to true, it cannot be changed or removed.
Enable soft delete and purge protection for existing key vault
You can enable soft delete after creation if you did not enable it while
creating the Key Vault. The following are the steps to enable soft delete on an existing Key Vault:
1. Login to Azure portal and go to the Key Vault.
2. In Key Vault, go to Properties under the Settings section. There you will see
the Soft delete option is in the disabled state. Switch this option to Enable to enable
soft delete. In the next field, the retention period is asked for. You can choose a
retention period from 7 days to 90 days:
Figure 5.40: Enable soft delete for Key Vault
3. Purge protection is an optional feature of Azure Key Vault which is disabled
by default. Purge protection can only be enabled once soft delete is enabled
for the Key Vault. When purge protection is on, a vault or an object in the
deleted state cannot be purged until the retention period has passed. By
default, Purge protection is also disabled. You can also enable it. Save
the changes.
You cannot disable soft delete and purge protection once they are enabled. Once you
have saved the changes, you can come back to the Key Vault properties to verify that soft
delete protection is enabled. The purge protection retention policy uses the same
interval. Once set, the retention policy interval cannot be changed.
Deleting a soft delete protected Key Vault
If you delete a Key Vault which does not have soft delete protection enabled, it will
delete the Key Vault and its content permanently. But if you delete a Key Vault
which has soft delete enabled, then you get options to recover it after deletion.
When soft delete is enabled:
• A deleted Key Vault is removed from its resource group and placed in a
reserved namespace, associated with the location where it was created.
• Deleted objects such as keys, secrets, and certificates, are inaccessible as long
as their containing Key Vault is in the deleted state.
• The DNS name for a deleted Key Vault is reserved, preventing a new Key
Vault with the same name from being created.
You may view deleted state Key Vaults, associated with your subscription, using the
following PowerShell command:
Get-AzKeyVault -InRemovedState
The preceding command will show you the list of deleted Key Vaults present in your
subscription.
Recovering a key vault
Now Azure provides an option to recover deleted Key Vault directly from Azure
Portal also. You can also use PowerShell or Azure CLI commands to recover a Key
Vault.
1. Log in to Azure portal and search for Key Vault.
2. On Key vaults page, you will find an option Manage deleted vaults. Click
on it and it will open a new window.
3. In new window you can select the subscription in which you want to recover
the key vault. It will show a list of all deleted and not purged key vaults.
4. Click on the key vault name and click on Recover. It will recover the deleted
key vault in the original resource group. If the original resource group is also
not present, the recovery process will also create a new resource group with the
original resource group name.
5. Just like Key Vaults, a deleted key, secret, or certificate remains in the deleted
state for up to 90 days, unless you recover it or purge it. The maximum
retention period is 90 days. You cannot recover a key vault which has
passed its retention period.
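The backup, soft delete, purge protection and recovery steps from the preceding sections can also be driven from Azure PowerShell. This is an added example, not code from the book; vault, resource group, region, key and secret names are placeholders.

```powershell
# Added example (not from the book): the recovery controls from the Backup,
# Soft delete and Recovering a key vault sections, scripted with Az.KeyVault.
# Names, region and paths are placeholders.
$VaultName = 'tdekeyvaultdemo3'   # placeholder vault name
$RgName    = 'jay-demo-rg'        # placeholder resource group
$Location  = 'eastus'             # placeholder; must match the vault's original region

# Backup: the file is encrypted and can only be restored into a vault in the same
# subscription and geography, so keep it somewhere access-controlled.
$BackupFile = Join-Path $HOME 'tde-key.blob'                                   # placeholder path
Backup-AzKeyVaultKey -VaultName $VaultName -Name 'tde-key' -OutputFile $BackupFile -Force
# Restore-AzKeyVaultKey -VaultName $VaultName -InputFile $BackupFile           # into the same or a new vault

# Soft delete and purge protection are one-way switches; check the state before flipping.
$Vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RgName
"Soft delete: $($Vault.EnableSoftDelete)  Retention: $($Vault.SoftDeleteRetentionInDays) days  Purge protection: $($Vault.EnablePurgeProtection)"
if (-not $Vault.EnablePurgeProtection) {
    Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $RgName -EnablePurgeProtection | Out-Null
}

# Soft-deleted vaults in this subscription (the book's Get-AzKeyVault -InRemovedState)
# and soft-deleted secrets inside a live vault, with their scheduled purge dates.
Get-AzKeyVault -InRemovedState |
    Select-Object VaultName, Location, DeletionDate, ScheduledPurgeDate
Get-AzKeyVaultSecret -VaultName $VaultName -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate

# Recover a deleted vault (same name, original resource group and region) ...
Undo-AzKeyVaultRemoval -VaultName $VaultName -ResourceGroupName $RgName -Location $Location
# ... or a single deleted secret inside a live vault (placeholder secret name).
Undo-AzKeyVaultSecretRemoval -VaultName $VaultName -Name 'db-connection-string'
```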
Enable Azure Defender for Azure Key Vault
Azure Key Vault provides you a secure way to store your keys, secrets, and
certificates. It is important to safeguard your Key Vault from unusual and potentially
harmful attacks. Azure Defender provides an extra layer of security to safeguard
your Key Vault from harmful attacks. Azure Defender sends alerts and notifications
if it sees any unusual activities on your Key Vault.
Azure Defender for Key Vault can be enabled from Azure Security Center. For this,
Azure Security Center should be on the Azure Defender version:
1. Login to Azure portal and go to Azure Security Center to enable the Azure
Defender version.
2. Go to Pricing & settings in left panel. Click on the subscription on which
you want to enable Azure Defender. It will open a new window.
3. Select Azure Defender plan from left side settings panel.
4. Click on Azure Defender On to enable Azure Defender plan in your security
center for selected subscription.
5. Scroll down and you will see a list of Azure resources on which you can
enable Azure Defender:
Figure 5.41: Enable Azure Defender for Key Vault in security center
As shown in the preceding figure, you can toggle between On and Off to
enable Azure Defender for Azure services. I kept On for Key Vault and Off
for the rest of the services.
In this way, you can enable Azure Defender for any Azure service.
Azure Virtual Machine disk encryption
Azure Disk Encryption protects and safeguards your data to meet your security and
compliance commitments. It uses the BitLocker feature of Windows and DM-Crypt
feature of Linux to provide volume encryption for the OS and data disks of Azure
Virtual Machines (VMs) and is integrated with Azure Key Vault to help you control
and manage the disk encryption keys and secrets.
Azure Disk Encryption for Azure Virtual Machines
Azure Disk Encryption for Windows VMs uses the BitLocker feature of Windows and
DM-Crypt to provide full disk encryption of the OS disk and data disk. Additionally,
it provides encryption of the temporary disk when the VolumeType parameter is All.
Unsupported scenarios
Let’s understand the unsupported scenarios of Azure Disk Encryption for VMs.
Azure Disk Encryption does not work for the following scenarios, features, and
technologies (this list may change over time):
• Encrypting basic tier VMs or VMs created through the classic VM creation
method.
• Encrypting VMs configured with software-based RAID systems.
• Encrypting VMs configured with Storage Spaces Direct (S2D), or Windows
Server versions before 2016 configured with Windows storage spaces.
• Integration with an on-premises key management system.
• Azure files (shared file system).
• Network File System (NFS).
• Dynamic volumes.
• Windows Server containers, which create dynamic volumes for each
container.
• Ephemeral OS disks.
• Encryption of shared/distributed file systems like (but not limited to) DFS,
GFS, DRDB, and CephFS.
• Moving an encrypted VM to another subscription or region.
• Creating an image or snapshot of an encrypted VM and using it to deploy
additional VMs.
• Gen2 VMs.
• Lsv2 series VMs.
• M-series VMs with write accelerator disks.
• Unendorsed Linux versions are not supported for ADE.
Prepare Azure Key Vault
Azure Disk Encryption uses Azure Key Vault to store encryption keys. You need to
create a Key Vault and enable that to be used for encryption purpose. In the previous
sections, we have seen how to create Azure Key Vault and keys in it. In this section,
we will see how to configure Key Vault for encryption. I assume you already have a
Key Vault and a key created for this exercise:
1. Login to Azure portal and go to the Key Vault which you want to use for disk
encryption.
2. Go to Access policies under the Settings section:
Figure 5.42: Enable key vault for volume encryption
As shown in the preceding figure, you can see three access options. To
enable the disk encryption capability, you need to select the third option. It specifies
whether Azure Disk Encryption is permitted to retrieve secrets from the
vault and unwrap keys.
Save the changes to enable the Key Vault to be used for disk encryption. This process is
required for both Windows and Linux OS.
Azure Disk Encryption for existing VM
In this section, we will see how to prepare for Windows VM disk encryption. We will
go through the steps to achieve all prerequisites and then the process of encryption.
Disk Encryption for already attached and initialized disks
In this section, we will go through the disk encryption steps for existing Windows
servers:
1. Login to Azure portal and go to the virtual machine which you want to
encrypt.
2. For disk encryption the VM should be in the running state.
3. Go to Disks under the Settings section. It will open a new blade; here you
can see the attached disks and their encryption status. By default, all disks
are only encrypted with the Platform Managed Key (PMK):
Figure 5.43: See attached disks to a virtual machine
As shown in the preceding figure, only one disk (the OS disk) is attached
to this VM.
4. Go to the Additional settings option and a new page will open. There select the
required disks for encryption in the Encryption settings option. You can select
OS disk if you just want to encrypt the OS disk. You can select OS and data
disks if you want to encrypt all disks.
5. Once you select the required disk type, a few new options appear to select
the Azure Key Vault and key for encryption:
Figure 5.44: Select disk type for encryption
As shown in the preceding figure, you can select any existing key vault and key
or create a new key vault and key for encryption. Now select the Key vault,
Key, and Version for disk encryption:
Figure 5.45: Select key vault, key, and key version for encryption
Click on Save to confirm the selection.
6. Save the configuration. It will notify you that encryption process may restart
the virtual machine.
7. Once you go back to the Disks page, you can see the disk is now encrypted with
Azure Disk Encryption as well as PMK:
Figure 5.46: Updated disk encryption for existing disk
In the preceding figure, you can see the encryption state has changed and
Azure Disk Encryption (ADE) is also added.
In this section, we saw how to encrypt disks of an existing VM. In the next section,
we will look at the process to encrypt a newly added data disk.
Enable encryption on newly added data disk
In some cases, you may need to add a new disk to an encrypted virtual machine. By
default, the new data disk is encrypted only with PMK. But to match your
security compliance, you may need to encrypt this new data disk with Azure Disk
Encryption. For this, I am assuming you have already attached a data disk from the
portal and initialized it in the VM through Disk Management. Now follow these steps
to encrypt the new data disk. The steps are almost the same as in the last section:
1. Login to Azure portal and go to the virtual machine which you want to
encrypt.
2. For disk encryption the VM should be in the running state.
3. Go to Disks under the Settings section. It will open a new blade; here you
can see the attached disks and their encryption status. By default, all new
data disks are only encrypted with PMK:
Figure 5.47: Attached new data disk and encryption state of this disk
In the preceding figure, you can see the newly added data disk is encrypted
with just PMK.
4. Login to the virtual machine and go to Disk Management to initialize the disks.
Now deallocate (Stop) the Azure VM. For an individual disk’s encryption the
disk should be unattached from the VM or the VM should be in the deallocated
state.
5. Now go to the Disks section of the Azure VM in the Azure portal. You cannot
encrypt the new data disk from the portal. You will need to use Azure PowerShell
or Azure CLI to encrypt the new data disk. Here we will see how to encrypt a new
data disk through Azure PowerShell:
# Replace these four values with the names from your environment
$KVRGname = 'KeyVaultResourceGroupName'
$VMRGName = 'VirtualMachineResourceGroupName'
$vmName = 'VMName'
$KeyVaultName = 'AzureKeyVaultName'
# Resolve the Key Vault that will hold the disk encryption secret
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
# A fresh SequenceVersion makes the extension run again on a VM that is already encrypted
$sequenceVersion = [Guid]::NewGuid()
# VolumeType "Data" encrypts only the data disks, leaving the OS disk as it is
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $KeyVaultResourceId `
    -VolumeType "Data" -SequenceVersion $sequenceVersion
6. Fill in the preceding script with your environment values and run it in Azure
PowerShell:
Figure 5.48: Output of encryption script
Sample PowerShell command output can look as shown in the preceding
figure:
Figure 5.49: Updated encryption state of newly added disk
The preceding figure shows the updated encryption status of the newly added
data disk. After running the preceding commands, the data disk is now
encrypted with Azure Disk Encryption. There are other ways also to encrypt
newly added disks.
You can also follow the steps described in the section “Disk Encryption for
already attached and initialized disks” to encrypt a newly added disk. But
remember to initialize the newly added disks from inside the VM before
starting the encryption process.
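Before running the encryption extension, it helps to check the Key Vault prerequisites from the Prepare Azure Key Vault section and, afterwards, to read the encryption state back rather than relying on the portal blade. This is an added example, not code from the book, using the same placeholder variable values as the script above.

```powershell
# Added example (not from the book): a pre-flight check before running the disk
# encryption steps above, plus a status read-back with Get-AzVMDiskEncryptionStatus.
# Variable values are the same placeholders as in the book's script.
$KVRGname     = 'KeyVaultResourceGroupName'
$VMRGName     = 'VirtualMachineResourceGroupName'
$vmName       = 'VMName'
$KeyVaultName = 'AzureKeyVaultName'

function Test-AdePrerequisites {
    param($KeyVaultName, $KVRGname, $vmName, $VMRGName)
    $problems = @()
    $kv = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
    # The third check box on the Access policies page (Figure 5.42) must be set.
    if (-not $kv.EnabledForDiskEncryption) {
        $problems += "Key Vault $KeyVaultName is not enabled for disk encryption"
    }
    # Soft delete and purge protection guard the secret the encrypted disks depend on.
    if (-not $kv.EnableSoftDelete)      { $problems += "Key Vault $KeyVaultName has soft delete off" }
    if (-not $kv.EnablePurgeProtection) { $problems += "Key Vault $KeyVaultName has purge protection off" }
    # Power state is reported, not judged: the steps above ask for a running VM in
    # the portal flow and a deallocated VM for a detached data disk.
    $vm    = Get-AzVM -ResourceGroupName $VMRGName -Name $vmName -Status
    $power = ($vm.Statuses | Where-Object Code -like 'PowerState/*').Code
    # Disk initialisation inside the guest cannot be verified from outside.
    [pscustomobject]@{ Vault = $KeyVaultName; VM = $vmName; PowerState = $power; Problems = $problems }
}

function Get-AdeStatus {
    param($vmName, $VMRGName)
    $s = Get-AzVMDiskEncryptionStatus -ResourceGroupName $VMRGName -VMName $vmName
    [pscustomobject]@{
        OsVolume    = $s.OsVolumeEncrypted      # Encrypted, NotEncrypted or Unknown
        DataVolumes = $s.DataVolumesEncrypted
        Progress    = $s.ProgressMessage
        KeyVault    = $s.OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault.Id
    }
}

$check = Test-AdePrerequisites -KeyVaultName $KeyVaultName -KVRGname $KVRGname -vmName $vmName -VMRGName $VMRGName
$check
if ($check.Problems.Count -eq 0) {
    # Safe to run the Set-AzVMDiskEncryptionExtension command shown above; then read back:
    Get-AdeStatus -vmName $vmName -VMRGName $VMRGName
}
```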
In this section, we saw how to encrypt a newly added data disk. In the next section, let’s see
how to disable disk encryption.
Disable disk encryption
You can disable encryption using Azure PowerShell, the Azure CLI, or with a
Resource Manager template. Disabling data disk encryption on Windows VM when
both OS and data disks have been encrypted does not work as expected. Disable
encryption on all disks instead.
Replace the variable values with those of your environment:
Disable-AzVMDiskEncryption -ResourceGroupName 'VirtualMachineResourceGroupName' -VMName 'VMName' -VolumeType "All"
Figure 5.50: Output of encryption disabling script
The preceding figure shows the output of disabling disk encryption:
Figure 5.51: Updated state after disabling encryption
The preceding figure shows the result of disabling disk encryption. Encryption status
is back to the default, PMK.
Detailed description of security parameters for Azure App Service
In this section, we will see how to deploy security parameters for Azure App Service
which we discussed in the previous section.
Authentication and authorization
Azure App Service provides built-in authentication and authorization support, so
you can sign in users and access data by writing minimal or no code in your web
app, RESTful API, and mobile back end, and Azure functions. In this section, we will
see how app service helps simplify authentication and authorization for your app.
App service uses federated identity, in which a third-party identity provider manages
the user identities and authentication flow for you. For now, five identity providers
are available by default:
• Azure AD
• Microsoft account
• Facebook
• Google
• Twitter
You can use any of these identity providers for authentication. In this chapter, we
will see how to integrate your app with Microsoft account for authentication.
Configuring Azure App Service to use Microsoft account as identity provider
This section shows you how to configure Azure App Service or Azure functions to
use Microsoft account as an authentication provider:
1. Login to Azure portal and search for your app service.
2. In app service, click on Authentication under the Settings section.
3. On that page, you will see the default settings. The app service authentication
is in Off state. Click on Add identity provider to see other authentication
options.
4. It will open a new window with two tabs. In Basic tab, you can select the
identity provider from the dropdown:
Figure 5.52: Select Authentication providers for app service
The preceding figure shows a dropdown for the Identity provider field; you can
select Microsoft account, Facebook, Google, or Twitter for authentication
from this dropdown. When you set this functionality, your app requires all
requests to be authenticated. It also redirects all access requests to Microsoft
for authentication.
5. As shown in the preceding figure, you will need to do an app registration in Azure
AD for setting up the authentication process based on a third party identity
provider.
6. Now set the configuration of authentication after selecting the identity
provider. You can still bypass the authentication process and choose
anonymous access by selecting the Allow unauthenticated access option in the
Authentication field. But here we are not bypassing the authentication, so we
chose the Require authentication option:
Figure 5.53: Express settings for Azure AD authentication for app service
As shown in the preceding figure, you can also choose the error code for
unauthorized access. Once you fill in this information, click on Add.
7. Now browse to your app service. It will ask for Microsoft account credentials to
login:
Figure 5.54: Enter your Azure AD credentials to access your app service
As shown in the