Index
A
access control, 77
configuring for storage accounts, 234–237
VMs (virtual machines) and, 159
access keys
regenerating, 246
access reviews, 45
account SAS (Shared Access Signatures), 255–257
ACR (Azure Container Registry), 163–165
activity log
Add-AzVirtualNetworkPeering cmdlet, 102
adding
administrative units, 21
group members, 9
ADE (Azure Data Encryption), 174–175
administrative units, 21
adding, 21
roles, 23
AKS (Azure Kubernetes), 166–167
logical isolation, 166
Microsoft Defender for Cloud and, 168–169
nodes, 168
physical isolation, 166
alerts
Microsoft Defender for Storage, 242–243
rules, 210
Always Encrypted, 266
deterministic encryption, 266–267
randomized encryption, 267
API management policies, 76
application gateways, 44. See also Azure Application Gateway
application objects, 2
applications
registering with Azure AD, 2
apps
configuring registration permission scopes, 73–74
managing access, 70
managing registration permission consent, 74–75
architecture
Contoso network diagram, 92
ASGs (application security groups), 117–118
associating with the VM, 119–120
assigning
Azure AD roles
permissions to service principals, 3–5
assigning, RBAC roles to storage accounts, 234–237
authentication
Azure AD, 247
domain services for Azure files, 247–248
share-level permissions, configuring, 250–251
Federation Services, 61
multifactor
account lockout, 37
fraud alert settings, 38
implementing, 30
performing a bulk reset, 35–36
phone call settings, 39
utilization reports, 40
pass-through, 61
SAS (Shared Access Signatures), configuring, 253–254
az ad group create command, 9
az storage account update command, 256
AzNetworkSecurityRuleConfig cmdlet, 117
Azure AD (Active Directory), 14, 247, 250
adding and removing members, 9
administrative units, 21
application object, 2
apps
managing access, 70
managing registration permission consent, 74–75
file and folder permissions, configuring, 251
share-level permissions, configuring, 250–251
B2B (business-to-business) accounts, creating, 14–17
configuring domain services authentication for Azure files, 247–248
External Collaboration settings, 20–21
Federation Services, 61
guest accounts, creating, 17–19
identities, 1
MFA (multifactor authentication)
account lockout, 37
fraud alert settings, 38
performing a bulk reset, 35–36
phone call settings, 39
utilization reports, 40
pass-through authentication, 61
password synchronization, 60–61
PIM (Privileged Identity Management, 23–26
monitoring privileged access for, 47–49
RBAC (role-based access control), 78
delegating admin rights, 79–80
interpreting role and resource permissions, 81
resource group permissions, 80
registering applications with, 2
resource audit history, viewing, 48–49
self-service password reset, 61–63, 67
assigning permissions through roles, 3–5
certificate-based authentication, 77
creating, 3
user accounts
administration tasks, 13
user principals, 2
pass-through authentication, 61
password synchronization, 60–61
requirements, 50
deployment accounts, 52
SQL server, 51
advantages and limitations, 170–171
CDS (Common Data Service), 173
encryption
ADE (Azure Data Encryption), 174–175
identity providers, 173
security recommendations, 171
Azure Application Gateway
modes, 140
WAF (web application firewall) and, 139–140
Azure Bastion, 93
Azure CLI
commands for backup and recovery, 298
commands for management Key Vault certifications, 287–288
commands for managing Key Vault secrets, 290–291
configuring access policies, 277
creating user delegation SAS, 255
key management commands, 293–294
Azure DDoS protection, 151
basic versus standard tiers, 151
DoS attack mitigation report, 153–154
Azure Defender for Servers, 159
Azure ExpressRoute, 94
encryption, 109
Microsoft Defender for Storage, 242–243
Premium tier, 122
rules, 121
network, 126
Azure Firewall Manager, 129–130
Firewall policy, 130
hub virtual network deployment, 131
policies, 130
Azure Front Door, 131
capabilities, 132
Azure Key Vault, 243, 278. See also encryption
certificate policies, 281
certificate-issuance providers, 282
cmdlets for managing certifications, 286
configuring access to, 275
configuring firewalls and virtual networks, 64
creating, 274
cmdlets, 293
manage permissions to secrets, certificates, and keys, 275–277
network access rules, 279
cmdlets, 290
viewing, 289
X509 certificates, managing, 281
Azure Monitor, 201
alerts
rules, 210
logs
metrics, 203
resources and, 203
Azure portal, creating administrative units, 21
Azure Private Link, isolating data solutions, 270
Azure SQL
Always Encrypted, 266
deterministic encryption, 266–267
randomized encryption, 267
database authentication, 258–259
masking functions, 263
Microsoft Defender for SQL, configuring, 271–272
vulnerability assessment, 198–199
Azure Storage. See also storage accounts
access keys, 243
Azure AD authentication, 247
key management, 239
B
B2B (business-to-business) accounts
backup and recovery, Key Vault items, 296–299
blobs
authorizing access to data, 247
Azure Storage encryption, 237–239
Microsoft Defender for Storage, 242–243
user delegation SAS, 254
BYOK (‘Bring Your Own Key’), 264
C
CDS (Common Data Service), 173
centralized policy management, 181
certificate-based authentication, 66–67, 77
certificates
cmdlets, 286
X509, 281
cloud computing, shared responsibility model, 91
cmdlets, 299. See also PowerShell
Add-AzVirtualNetworkPeering, 102
AzNetworkSecurityRuleConfig, 117
Debug-AzStorage AccountAuth, 250
Get-AzureADTrustedCertificateAuthority, 67
Get-AzureKeyVaultSecret, 289
for group management, 7
key management, 293
for managing Azure Key Vault certificates, 286
New-AzRoleAssignment, 5
New-AzureADMSAdministrativeUnit PowerShell, 21
New-AzureADTrustedCertificateAuthority, 67
New-AzVirtualNetwork, 97
Set-AzKeyVaultAccessPolicy, 276–277
Set-AzStorageAccount, 256
Set-AzVmDiskEncryptionExtension, 175
commands
az ad group create, 9
az storage account update, 256
for backup and recovery of Key Vault items, 298
certificate-management, 287–288
for managing Key Vault secrets, 290–291
Revoke-AzStorageAccountUserDelegationKeys, 254
conditional access policies, 26–29
access to Azure Key Vault, 275
API management policies, 76
app registration permission scopes, 73–74
Azure DDoS protection, 152–153
firewalls
Azure SQL, 145
MFA (multifactor authentication), 30–34
account lockout, 37
fraud alert settings, 38
phone call settings, 39
utilization reports, 40
Microsoft Defender for SQL, 200–201, 271–272
NSGs (network security groups), 114–117
SAS (Shared Access Signatures), 253–254
share-level permissions, 250–251
storage accounts, access control, 234–237
VNets (virtual networks), 94–96, 99–102
VPNs (virtual private networks), authentication, 107–108
connectivity, Azure AD Connect, requirements, 50–51
connectors, Microsoft Sentinel, 217–221
containers. See also storage accounts
ACR (Azure Container Registry), 163–165
storage accounts
access keys, 243
assigning RBAC roles to, 234–237
configuring access control, 234–237
encryption key management, 239
infrastructure encryption, 239–240
manually rotating access keys, 245–246
Microsoft Defender for Storage, 242–243
creating
administrative units, 21
ASGs (application security groups), 118–119
Azure Key Vault, 274
B2B (business-to-business) accounts, 14–17
conditional access policies, 27–29
keys, 292
network rules, 126
NSGs (network security groups), 114–117
service principals, 3
VNets (virtual networks), 97
custom
routes, creating, 99
D
data solutions, isolating, 269
using IP firewall rules, 270
using service endpoints, 269
database(s). See also Azure SQL
isolating, using Azure Private Link, 270
Debug-AzStorage AccountAuth cmdlet, 250
E
encryption
Azure ExpressRoute, 109
key management, 239
BYOK (‘Bring Your Own Key’), 264–266
IPSec, 109
MACsec, 109
randomized, 267
VMs (virtual machines), 159
endpoint
service, isolating data solutions, 269
external identities
F
Federation Services, 61
FIDO2 security key, 43
file shares
Azure AD DS authentication, configuring, 247–248
file and folder permissions, configuring, 251
share-level permissions, configuring, 250–251
Firewall policy, 130
firewalls. See also Azure Firewall
WAF (web application firewall), 121, 138–140
folder permissions, configuring, 251
G
Get-AzureADTrustedCertificateAuthority cmdlet, 67
Get-AzureKeyVaultSecret cmdlet, 289
adding and removing members, 9
H
hub virtual network, Azure Firewall Manager deployment, 130–131
hybrid networks, VPNs (virtual private networks), 106–107
types of, 107
I
IaaS (Infrastructure as a Service), 91
identities, 1. See also external identities
PIM (Privileged Identity Management, 23–26
monitoring privileged access for, 47–49
implementing, MFA (multifactor authentication), 30
importing, certificates, 285–286
inbound rules, NSGs (network security groups), 113
incidents
infrastructure, Azure Storage encryption, 239–240
installing, Azure AD Connect, 52–59
IP addressing, NAT (network address translation), 102–103
IP firewall rules, isolating data solutions, 270
IPSec, 109
isolating data solutions, 269
using Azure Private Link, 270
using IP firewall rules, 270
using service endpoints, 269
J-K
Kerberos, creating a storage account key, 248–249
key management
Azure Key Vault, 276
Azure Storage encryption, 239
BYOK (‘Bring Your Own Key’), 264–266
cmdlets, 293
L
licensing, PIM (Privileged Identity Management, 25–26
Linux
Microsoft Defender for Servers, 191–192
VMs, ADE (Azure Data Encryption) and, 175
logs
M
MACsec, 109
managing
access to apps, 70
groups, 7
manually rotating access keys, 245–246
members, adding and removing from groups, 9
MFA (multifactor authentication), 107
account lockout, 37
fraud alert settings, 38
implementing, 30
performing a bulk reset, 35–36
phone call settings, 39
utilization reports, 40
Microsoft 365
external sharing, 19
Microsoft Authenticator app, 44
Microsoft Defender for Cloud and, 168–169
Microsoft Defender for Servers, 190–191
vulnerability assessment, 195–197
for Windows, 191
Microsoft Defender for SQL
vulnerability assessment, 198–199
Microsoft Defender for Storage, 242–243
Microsoft Sentinel, 201
incidents
Log Analytics workspace, 228
scheduled query rule, creating, 222–226
Microsoft Threat Intelligence, 121
mobile devices
apps
configuring registration permission scopes, 73–74
managing access, 70
managing registration permission consent, 74–75
MFA (multifactor authentication) and, 30
N
NAT (network address translation), 102–105
network rules, 126
network segmentation, 94
New-AzRoleAssignment cmdlet, 5
New-AzureADMSAdministrativeUnit PowerShell cmdlet, 21
New-AzureADTrustedCertificateAuthority cmdlet, 67
New-AzVirtualNetwork cmdlet, 97
nodes, AKS (Azure Kubernetes), 168
NSGs (network security groups), 93, 111–112
inbound rules, 113
O
OATH tokens, MFA (multifactor authentication), 38–39
OneDrive, external sharing, 19
P
PaaS (Platform as a Service), 91
pass-through authentication, 61
passwordless authentication, 43–45
password(s)
writeback, 67
assigning to service principals, 3–5
Azure Key Vault, 276
file and folder, configuring, 251
resource group, 80
share-level, configuring, 250–251
PIM (Privileged Identity Management, 23–26
monitoring privileged access for, 47–49
point-to-site VPNs, 110
advantages and limitations, 110
policy(ies), 158, 181–182, 186
API management, 76
certificate, 281
definition, 185
dynamic masking, 263
Firewall, 130
initiatives, creating, 182–185
stored access, 257
PowerShell
cmdlets
Add-AzVirtualNetworkPeering, 102
AzNetworkSecurityRuleConfig, 117
for backup and recovery of Key Vault items, 299
Debug-AzStorage AccountAuth, 250
Get-AzureADTrustedCertificateAuthority, 67
Get-AzureKeyVaultSecret, 289
for group management, 7
key management, 293
for managing Azure Key Vault certificates, 286
for managing Key Vault secrets, 290
New-AzRoleAssignment, 5
New-AzureADMSAdministrativeUnit PowerShell, 21
New-AzureADTrustedCertificateAuthority, 67
New-AzVirtualNetwork, 97
Set-AzStorageAccount, 256
Set-AzVmDiskEncryptionExtension, 175
creating user delegation SAS, 254–255
regenerating storage account access keys, 246
on-premises Active Directory. See also Azure AD (Active Directory)
pass-through authentication, 61
password synchronization, 60–61
pricing, ACR (Azure Container Registry), 163
Private Link service, 151
Q-R
RADIUS, 108
randomized encryption, 267
RBAC (role-based access control), 77–78
administrative units and, 23
assigning roles to storage accounts, 234–237
configuring in Azure Key Vault, 277–278
delegating admin rights, 79–80
interpreting role and resource permissions, 81
resource group permissions, 80
scopes, 78
regenerating access keys, 246
removing, group members, 9
requirements, Azure AD Connect, 50
deployment accounts, 52
SQL server, 51
resources, 203
API management policies, 76
permissions, 81
updating tags, 187
restoring Key Vault items, PowerShell cmdlets, 299
Revoke-AzStorageAccountUserDelegationKeys command, 254
revoking, user delegation SAS, 254
roles, 78
administrative units and, 23
assigning to applications, 3–4
for passwordless authentication, 44
permissions, 81
PIM (Privileged Identity Management, 23–26
verifying, 5
creating custom routes, 99
resource audit history, viewing, 48–49
rules
alert, 210
Azure Firewall, 121
network, 126
S
SAS (Shared Access Signatures)
stored access policies, 257
token parameters, 256
scheduled query rule, creating, 222–226
secrets
cmdlets for managing, 290
viewing, 289
Security Alert dashboard, 192–195
Security Center, 155, 159, 160
security groups, 6. See also groups
adding and removing members, 9
security updates
segmentation, 94
self-service password reset, 61–63, 67
serverless compute, AKS (Azure Kubernetes), 166–167
logical isolation, 166
Microsoft Defender for Cloud and, 168–169
nodes, 168
physical isolation, 166
service endpoints, isolating data solutions, 269
service principal, 2
assigning permissions through roles, 3–5
certificate-based authentication, 77
creating, 3
roles, verifying, 5
Set-AzKeyVaultAccessPolicy cmdlet, 276–277
Set-AzStorageAccount cmdlet, 256
Set-AzVmDiskEncryptionExtension cmdlet, 175
shared responsibility model, 91
share-level permissions, configuring, 250–251
SharePoint Online, external sharing, 19–21
sign-in risk policies, 41
site-to-site VPNs, 111
SQL, Azure AD Connect requirements, 51. See also Azure SQL
storage accounts
access keys, 243
regenerating, 246
authentication, SAS (Shared Access Signatures), 253–254
Azure-supported, 234
configuring access control, 234–237
key management, 239
Microsoft Defender for Storage, 242–243
stored access policies, 257
subnetting, NSGs (network security groups), 93
subscriptions, API management policies, 76
T
TDE (transparent data encryption), 264–266
threat
for Windows, 191
protection, 190
TLS (Transport Layer Security), 140
token parameters, SAS (Shared Access Signatures), 256
U
user accounts. See also permissions
Azure AD (Active Directory)
administration tasks, 13
fraud alert settings, 38
PIM (Privileged Identity Management, 23–26
requirements for Azure AD Connect deployment, 52
user delegation SAS
revoking, 254
user principals, 2
user-risk policies, 41
utilization reports, MFA (multifactor authentication), 40
V
verifying, service principal roles, 5
viewing
guest accounts, 18
secrets, 289
virtual hubs, Azure Firewall Manager deployment, 130
virtual network gateway, 93
VMs (virtual machines), 93
access control, 159
ADE (Azure Data Encryption), 174–175
ASGs (application security groups), 117–118
associating with the VM, 119–120
disk encryption, 159
threat detection, 159
vulnerability assessment, 195–197
VNets (virtual networks), 92–93
creating, 97
NAT (network address translation), 102–105
NSGs (network security groups), 111–112
inbound rules, 113
segmentation, 94
service endpoints, isolating data solutions, 269
VPNs (virtual private networks), 106
point-to-site, 110
site-to-site, 111
types of, 107
vulnerability assessment
W
WAF (web application firewall), 121, 138–140
Windows
Hello for Business, 43
Microsoft Defender for Servers, 191
X-Y-Z
X509 certificates
managing, 281