Azure 500 the TL;DR study guide

Photo by Sajad Nori on Unsplash

Azure 500 the TL;DR study guide

Following is a set of questions on the Cloud Guru AZ-500 guide

Which Azure AD External Identities feature lets you invite guest users to collaborate with your organization?

  • Azure AD B2B

What are the Azure AD Connect hybrid identity authentication solutions?

  • Federation

  • Pass-through authentication

  • Password hash sync

How can you allow external users to sign up for specific applications themselves?

  • Configure user flows.

  • Enable guest self-service sign-up via user flows.

Which Azure Active Directory authentication options can enforce on-premises account policies at sign-in?

  • Pass-through authentication

  • Federation

What can be used to synchronize on-premises Active Directory users to Azure Active Directory?

  • Azure AD Connect

Which Azure AD feature can be used to provide access for consumers using their preferred social, enterprise, or local account identities?

  • Azure AD B2C

Which Azure AD External Identities feature lets you invite guest users to collaborate with your organization?

  • Azure AD B2B

Contributor vs Owner

Contributor cannot modify permissions

Which of the following are examples of Azure AD permissions?

  • Create a security group

  • Create an administrative unit

Azure RBAC custom role definitions can include which types of permissions?

  • notActions define what actions cannot be performed at the management layer in a custom role.'

  • 'notDataActions define what actions cannot be performed at the data layer in a custom role.'

  • 'actions define what actions can be performed at the management layer in a custom role.'

  • 'dataActions define what actions can be performed at the data layer in a custom role.'

What is the difference between Owner and Contributor Azure roles?

  • The Contributor role has full access to a resource but cannot modify permissions.

  • An Owner role has full access to a resource and can modify permissions.

Custom roles are defined in which format?

  • JSON

Which components make up an Azure RBAC assignment?

  • Security principal

  • Scope

  • Role definition

What is a valid requirement to create an Azure AD custom role?

  • The Global Administrator role

  • The Privileged Role Administrator role

  • An Azure AD Premium P1 or P2 license

Note: The User Access Administrator role does not permit the creation of Azure AD custom roles. It is an Azure RBAC role, not an Azure AD Role.

Azure RBAC permission assignments can be scoped to which Azure management scopes?

  • Management groups

  • Subscriptions

  • Resource groups

  • Resources

Scope for a role assignment

What is the principle of least privilege?

  • When a user is given the minimum levels of access required to perform their job functions.

Which of the following are an example of an Azure permission (sometimes referred to as Azure RBAC)?

  • Create a virtual machine

  • Modify an Azure web app

Azure AD RBAC role assignments can be scoped to _____?

  • A tenant

  • Azure AD resources (e.g., applications)

  • Administrative units

There are four fundamental Azure roles:

Differences between Azure roles and Azure AD roles

Azure roles control permissions to manage Azure resources, while Azure AD roles control permissions to manage Azure Active Directory resources



The intention is to provide long term knowledge beyond of an exam which one day may expire and may become irrelevant. I'll write about the fundamentals that won't change over the longterm.

Thanks for reading Cloud Fabric! Subscribe for free to receive new posts and support my work.

Azure AD identities

Application Object:

Service principal: Think of it as a service account in Windows Active Directory

Difference between Azure AD and On-premise Active Directory

Azure AD Groups, 2 types

Security Groups: Are used to give group members access to applications, resources and assign licenses. Group members can be users, devices, service principals, and other groups.

Microsoft 365 groups: Used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.

Note no membership: Assigned or Dynamic - this last one requires at least a P1 license.

Multi-factor Authentication states

Disabled→Enabled→Enforced. Only administrators may move users between states

Disabled. User not enrolled for MFA

Enabled. User is enrolled in Azure AD Multi-Factor Authentication, but can still use their password for legacy authentication.

Enforced. The user is enrolled for MFA. Users who complete registration while in the Enabled state are automatically moved to the Enforced state.

Authentication Alternatives

  • Do you need on-premises Active Directory integration? No? then you would use Cloud-Only authentication.

  • If you do need on-premises Active Directory integration, then you would use Password Hash Sync + Seamless SSO.

  • If you do need on-premises Active Directory integration, but you do not need to use cloud authentication, password protection, and your authentication requirements are natively supported by Azure AD, then you would use Pass-through Authentication Seamless SSO.

  • If you do need on-premises Active Directory integration, but you do not need to use cloud authentication, password protection, and your authentication requirements are natively supported by Azure AD, then you would use Pass-through Authentication Seamless SSO.

Password Hash Sync

Users and devices are shown connecting to the on-premises AD, Azure AD, Microsoft 365, and SaaS Apps. Password1 is being used to connect.

It is important to understand that this is same sign-in, not single sign-on. The user still authenticates against two separate directory services, albeit with the same user name and password.

Pass-through Authentication

  • Pass-through authentication (PTA) is a feature of Azure AD Connect.

  • The password need not be present in Azure AD (in any form)

  • The agent connects outbound to Azure AD and listens for authentication requests, so it only requires outbound ports to be open.

Federation with Azure AD

Diagram showing an internal user going to on-premises AD and Azure. External users are using the web application proxy.

This sign-in method ensures that all user authentication occurs on-premise

Authentication Decision tree

Authentication decision tree described in the text.

Important authentication considerations:

  1. Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.

  2. Azure AD can hand off user sign-in to a trusted authentication provider such as ADFS.

  3. Security policies such as account expired, disabled account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises components.

  4. Sign-in features not natively supported by Azure AD:

    1. Sign-in using smartcards or certificates.

    2. Sign-in using on-premises MFA Server.

    3. Sign-in using third-party authentication solution

    4. Multi-site on-premises authentication solution.

    5. Organizations can fail over to Password Hash Sync if their primary sign-in method fails and it was configured before the failure event.

Azure AD identity protection

Identity Protection is a tool that allows organizations to accomplish three key tasks:

  • Automate the detection and remediation of identity-based risks.

  • Investigate risks using data in the portal.

  • Export risk detection data to third-party utilities for further analysis.

Multifactor authentication in Azure

The security of MFA two-step verification lies in its layered approach.Authentication methods include:

  • Something you know (typically a password)

  • Something you have (a trusted device that is not easily duplicated, like a phone)

  • Something you are (biometrics)


The Trusted IPs bypass works only from inside of the company intranet.

Enable multifactor authentication

  • Remember you can only enable MFA for organizational accounts stored in Active Directory. These are also called work or school accounts.

  • All users start out Disabled.

  • When you enroll users in Azure AD Multi-Factor Authentication, their state changes to Enabled.

  • When enabled users sign in and complete the registration process, their state changes to Enforced.

Conditional access conditions

With access controls, you can either Block Access altogether or Grant Access with more requirements by selecting the desired control:

  • Require MFA from Azure AD or an on-premises MFA (combined with AD FS).

  • Grant access to only trusted devices.

  • Require a domain-joined device.

  • Require mobile devices to use Intune app protection policies.

Image showing a Condition to test a user's access. The Condition will allow enforce MFA, or block the user's access.

In this example always require MFA for Teams for a specific user.

Who can reset passwords? See table below:

Zero Trust

  1. Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network.

  2. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to never trust, always verify.

  3. Every access request is fully authenticated, authorized, and encrypted before granting access.

  4. No longer is trust assumed based on the location inside an organization's perimeter.

A Zero Trust model requires:

  1. Signals to inform decisions

  2. Policies to make access decisions

  3. Enforcement capabilities to implement those decisions effectively.

Note: Identity is the control plane. If you can’t determine who the user is, you can’t establish a trust relationship for other transactions.

Guiding principles of Zero Trust

  • Verify explicitly. Always authenticate and authorize based on all available data points.

  • Use least privileged access. Limit user access with Just In Time and Just Enough Access (JIT/JEA).

  • Assume breach.

  • Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses

The National Institute of Standards and Technology has a Zero Trust Architecture, NIST 800-207, publication. Click to download, it's a free PDF.

Some key tenets of the Zero Trust Architecture:

  • The entire enterprise private network is not considered an implicit trust zone.

  • No resource is inherently trusted.

  • All communication is secured regardless of network location.

  • Trust in the requester is evaluated before the access is granted.

  • Access should also be granted with the least privileges needed to complete the task

Tenets of Zero Trust

  1. All data sources and computing services are considered resources.

  2. All communication is secured regardless of network location.

  3. Access to individual enterprise resources is granted on a per-session basis.

  4. Access to resources is determined by a dynamic policy.

  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.

  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.

  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

Zero Trust view of Networks

  1. The enterprise network is not considered an implicit trust zone.

  2. Devices on the network may not be owned or configurable by the enterprise.

  3. No resource is inherently trusted.

  4. Not all enterprise resources are on enterprise-owned infrastructure.

Migrating to a Zero Trust Architecture

It is unlikely that any significant enterprise can migrate to zero trust in a single technology refresh cycle. There may be an indefinite period when ZTA workflows coexist with non-ZTA workflows in an enterprise.

Migration to a ZTA approach to the enterprise may take place one business process at a time. Migrating an existing workflow to a ZTA will likely require (at least) a partial redesign.

Key PIM features, Privileged Identity Management

  • Providing just-in-time privileged access to Azure AD and Azure resources

  • PIM allows you to set an end time for the role.

  • Requiring approval to activate privileged roles.

  • Enforcing Azure Multi-Factor Authentication (MFA) to activate any role.Using justification to understand why users activate.

  • Getting notifications. Conducting access reviews. Downloading an audit history.

Shared responsibility model

Diagram that depicts the responsibility zones, which indicate who handles each responsibility scope.

Regardless of the deployment type, you always retain responsibility for the following:

  • Data

  • Endpoints

  • Accounts

  • Access management

Azure hierarchy of systems

Azure Resource Manager is the deployment and management service for Azure.

Azure Resource Manager authenticates and handles requests for backend services.


Azure provides four levels of scope:

  • Management groups

  • Subscriptions

  • Resource groups

  • Resources

Lower levels inherit settings from higher levels.

Resource Groups

  • All the resources in your group should share the same lifecycle. You deploy, update, and delete them together. If one resource, such as a database server, needs to exist on a different deployment cycle it should be in another resource group.

Azure role-based access control (RBAC)

RBAC is:

Control the ability for users to create, modify, or delete Azure resources and permissions.

  • RBAC is an authorization system built on Resource Manager that provides fine-grained access management of Azure resources.

  • You can use RBAC to let one employee manage virtual machines in a subscription while another manages SQL databases within the same subscription.

  • Each Azure subscription is associated with one Azure AD directory.

RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resource, examples:

  • Allowing a user, the ability to only manage virtual machines in a subscription and not the ability to manage virtual networks

  • Allowing a user, the ability to manage all resources, such as virtual machines, websites, and subnets, within a specified resource group

  • Allowing an app, to access all resources in a resource group

  • Allowing a DBA group, to manage SQL databases in a subscription

Defense in depth

Firewalls, DMZ, VNets, are no longer enough.

Network Micro-Segmentation

A best practice recommendation is to adopt a Zero Trust strategy based on user, device, and application identities. Zero Trust enforces and validates access control at “access time:

  • Azure Network Security Groups can be used for basic layer 3 & 4 access controls between Azure Virtual Networks, their subnets, and the Internet.

  • Application Security Groups enable you to define fine-grained network security policies based on workloads, centralized on applications, instead of explicit IP addresses.

IP addresses

  • Private - A private IP address is dynamically or statically allocated to a VM from the defined scope of IP addresses in the virtual network. VMs use these addresses to communicate with other VMs in the same or connected virtual networks which conforms to RFC 1918.

  • Public - Public IP addresses, which allow Azure resources to communicate with external clients

Network adapters

A VM can have more than one network adapter for different network configurations.

Distributed Denial of Service (DDoS) Protection

  • If the attack originates from one location, it is called a DoS.

  • f the attack originates from multiple networks and systems, it is called distributed denial of service (DDoS). A DDoS generally involves many systems sending traffic to targets as part of a botnet.

    • botnets are also made up of Internet of Things (IoT) devices

Designing and building for DDoS resiliency:

Best practice 1

  • Ensure that security is a priority throughout the entire lifecycle of an application

Best practice 2

Design your applications to scale horizontally to meet the demands of an amplified load—specifically, in the event of a DDoS.

Best practice 3

Implement security-enhanced designs for your applications by using the built-in capabilities of the platform.

How Azure denial-of-service protection works

DDoS Protection blocks attack traffic and forwards the remaining traffic to its intended destination. Within a few minutes of attack detection, you’ll be notified with Azure Monitor metrics.

DDoS Protection Standard can mitigate the following types of attacks:

  • Volumetric attacks: The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.

  • Protocol attacks: Exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes, SYN flood attacks, reflection attacks, and other protocol attacks.

DDOS pricing as of 02/08/2022:

DDoS Protection Standard protects resources in:

  • virtual network including public IP addresses associated with virtual machines,

  • load balancers

  • application gateways.

Azure Firewall

  • Built-in high availability - Because high availability is built in, no additional load balancers are required and there’s nothing you need to configure.

  • Unrestricted cloud scalability

  • Network traffic filtering rules

  • Outbound Source Network Address Translation (OSNAT) support

  • Inbound Destination Network Address Translation (DNAT) support

  • Azure Monitor logging

Azure Firewall has three rule types:

  • NAT rules

  • Network rules, Applied first

  • Application rules, Applied second

Azure Firewall Pricing as of 03/08/22

Standard size

Premium Size

Configure VPN forced tunneling

You configure forced tunneling in Azure via virtual network User Defined Routes (UDR).

User Defined Routes and Network Virtual Appliances

A User Defined Routes (UDR) is a custom route in Azure that overrides Azure's default system routes or adds routes to a subnet's route table.

Network Virtual Appliances

The following figure shows a high-availability architecture that implements an ingress perimeter network behind an internet-facing load balancer. This architecture is designed to provide connectivity to Azure workloads for layer 7 traffic, such as HTTP or HTTPS traffic. To make an NVA highly available, deploy more than one NVA into an availability set.

High availability is provided by two NVAs in an availability set.

  • The benefit of this architecture is that all NVAs are active, and if one fails, the load balancer directs network traffic to the other NVA.

  • Both NVAs route traffic to the internal load balancer, so if one NVA is active, traffic will continue to flow.

  • The NVAs are required to terminate SSL traffic intended for the web tier VMs.

  • UDRs and NSGs help provide layer 3 and layer 4 (of the OSI model) security. NVAs help provide layer 7, application layer, security.

Deploy a Network Security Group

  • An individual subnet can have zero, or one, associated NSG.

  • An individual network interface can also have zero, or one, associated NSG.

  • You can effectively have dual traffic restriction for a virtual machine by associating an NSG first to a subnet, and then another NSG to the VM's network interface.

Network traffic flow is controlled by NSGs.

In this example, for inbound traffic:

  • The Subnet NSG is evaluated first.

  • Any traffic allowed through Subnet NSG is then evaluated by VM NSG.

  • The reverse is applicable for outbound traffic

  • with VM NSG being evaluated first.

  • Any traffic allowed through VM NSG is then evaluated by Subnet NSG.

How traffic is evaluated

You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine.

Inbound traffic

NSGs control network traffic to and from the internet .

  • VM1: To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.

  • VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet3, or the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

Traffic outbound is evaluated in the reverse order, Network Card NSG 1st then Vnet NSG.

Unless you have a specific reason to, we recommended that you associate a network security group to a subnet, or a network interface, but not both.

Why use a service endpoint?

  • Improved security for your Azure service resources

  • Optimal routing for Azure service traffic from your virtual network

  • Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network.

  • Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network.

  • With service endpoints, the source IP addresses of the virtual machines in the subnet for service traffic switches from using public IPv4 addresses to using private IPv4 addresses

Azure application gateway

Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers. For example, you can route traffic based on the incoming URL. So if /images is in the incoming URL.

An application gateway uses rules to access the backend pool.


  • Secure Sockets Layer (SSL/TLS) termination

  • Autoscaling

  • URL-based routing

  • Multiple-site hosting

  • Redirection

  • Session affinity

  • Custom error pages

  • Rewrite HTTP headers

Azure front door

Front Door works at Layer 7 or HTTP/HTTPS layer and uses split TCP-based anycast protocol. Front Door ensures that your end users promptly connect to the nearest Front Door POP (Point of Presence).

Diagram showing tcp traffic being re-routed using Azure Front Door


  • Accelerate application performance - Using split TCP-based anycast protocol

  • Increase application availability with smart health probes

  • URL-based routing

  • Multiple-site hosting

  • Session affinity

  • TLS termination

  • Custom domains and certificate management

  • Application layer security

  • URL redirection

  • URL rewrite


ExpressRoute is a direct, private connection from your WAN (not over the public Internet) to Microsoft Services, including Azure.

ExpressRoute Encryption

Azure Virtual WAN uses an Internet Protocol Security (IPsec) Internet Key Exchange (IKE) VPN connection from your on-premises network to Azure over the private peering of an Azure ExpressRoute circuit.

A network within the on-premises network connected to the Azure hub VPN gateway over ExpressRoute private peering.

Endpoint protection

  • First step: Install antimalware to help identify and remove viruses, spyware, and other malicious software

  • Second Step: Monitor the status of the antimalware. Integrate your antimalware solution with Microsoft Defender for Cloud to monitor the status of the antimalware protection.

Privileged access

Process flow diagram that shows that hardware is most secure, when purchased from a trusted OEM that uses Autopilot to provision the device before delivery, then stong security polices are enforced throughout its usage

Zero Trust, means that you don't purchase from generic retailers but only supply hardware from an authorized OEM that support Autopilot.

Hardware root-of-trust

To have a secured workstation you need to make sure the following security technologies are included on the device:

  • Trusted Platform Module (TPM) 2.0

  • BitLocker Drive Encryption

  • UEFI Secure Boot

  • Drivers and Firmware Distributed through Windows Update

  • Virtualization and HVCI Enabled

  • Drivers and Apps HVCI-Ready

  • Windows Hello

  • DMA I/O Protection

  • System Guard

  • Modern Standby

Virtual machine templates

How you define templates and resource groups is entirely up to you and how you want to manage your solution. For example, you can deploy your three tier application through a single template to a single resource group.

A single template is used to deploy different resoureces.

You don't have to define your entire infrastructure in a single template. Often, it makes sense to divide your deployment requirements into a set of targeted, purpose-specific templates. When you deploy a template, Resource Manager converts the template into REST API operations.

Multiple templates are used to deploy resources.

Azure Bastion

  • The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network.

  • It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over TLS.

  • When you connect using Azure Bastion, your virtual machines do not need a public IP address.

  • Azure Bastion is deployed to a virtual network and supports virtual network peering. Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.

Architecture of a bastion host.

  • The Bastion host is deployed in the virtual network.

  • The user connects to the Azure portal using any HTML5 browser.

  • The user selects the virtual machine to connect to.

  • With a single click, the RDP/SSH session opens in the browser.

  • No public IP is required on the Azure VM.

Disk encryption

Supported operating systems

  • Windows client: Windows 8 and later.

  • Windows Server: Windows Server 2008 R2 and later.

  • Windows 10 Enterprise multi-session.

Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. For domain joined VMs, don't push any group policies that enforce TPM protectors.

Features of Containers

  • Isolation

  • Operating System,Runs the user mode portion of an operating system.

  • Deployment

  • Persistent storage

  • Fault tolerance

  • Networking

Azure Container Instances

A container builds on top of the kernel, but the kernel doesn't provide all of the APIs and services an app needs to run–most of these are provided by system files (libraries) that run above the kernel in user mode.

Because a container is isolated from the host's user mode environment, the container needs its own copy of these user mode system files, which are packaged into something known as a base image.

Because containers require far fewer resources (for example, they don't need a full OS), they're easy to deploy and they start fast. This allows you to have higher density, meaning that it allows you to run more services on the same hardware unit, thereby reducing costs.

Diagram of the Docker architecture

Containers are built from images that are stored in one or more repositories. These repositories can belong to a public registry, like Docker Hub, or to a private registry.

Azure Container Instances (ACI), is a PaaS service for scenario that can operate in isolated containers:

  • Including simple applications, task automation, and build jobs

  • For full container orchestration, including service discovery across multiple containers, automatic scaling, and coordinated application upgrades, best to use the Azure Kubernetes Service

Features of ACI

  • Deploy containers from DockerHub or Azure Container Registry.

  • Azure Container Instances enables exposing your container groups directly to the internet with an IP address and a fully qualified domain name (FQDN).

  • Azure Container Instances guarantees your application is as isolated in a container as it would be in a VM.

  • Custom sizes

  • Persistent storage

  • Flexible billing, Supports per-GB, per-CPU, and per-second billing.

  • Linux and Windows containers

A container registry

is a service that stores and distributes container images. Docker Hub is a public container registry that supports the open source community and serves as a general catalog of images.

Monitor container

The container monitoring solution in Log Analytics can help you view and manage your Docker and Windows container hosts in a single location:

  • View detailed audit information that shows commands used with containers.

  • Troubleshoot containers by viewing and searching centralized logs without having to remotely view Docker or Windows hosts.

  • Find containers that may be noisy and consuming excess resources on a host.

  • View centralized CPU, memory, storage, and network usage and performance information for containers.

Azure Container Registry authentication

  • Individual login with Azure AD

  • Service principal

  • Admin account

Azure Kubernetes Service (AKS)

  • Kubernetes is a platform that manages container-based applications and their associated networking and storage components.

  • The focus is on the application workloads, not the underlying infrastructure components.

Kubernetes cluster architecture

A Kubernetes cluster is divided into two components:

  • Control plane nodes provide the core Kubernetes services and orchestration of application workloads.

  • Nodes run your application workloads.

kubernetes cluster architecture

Azure Kubernetes Service architecture


Cluster master

  • kube-apiserver

  • etcd

  • kube-scheduler

  • kube-controller-manager

Nodes and node pools

To run your applications and supporting services, you need a Kubernetes node. An AKS cluster has one or more nodes, which is an Azure virtual machine (VM) that runs the Kubernetes node components and container runtime:

A VM kubelet connects to a container through the container runtime. The container access disks and files. The kube-proxy access virtual networking.

AKS Terminology

  • Pools,Group of nodes with identical configuration

  • Node, Individual VM running containerized applications

  • Pods, Single instance of an application. A pod can contain multiple containers

  • Deployment, One or more identical pods managed by Kubernetes

  • Manifest, YAML file describing a deployment

Azure Kubernetes Service networking

  • Cluster IP - Creates an internal IP address for use within the AKS cluster.

  • NodePort - Creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.

  • LoadBalancer - Creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool.

  • ExternalName - Creates a specific DNS entry for easier application access.

Internal traffic uses Cluster IP to access the pod. Incoming direct traffic uses NodePort. Incoming non-direct traffic uses the load balancer.

Authentication to Azure Kubernetes Service with Active Directory

The security of AKS clusters can be enhanced with the integration of Azure Active Directory (AD).

A user is authenticated on first connection. The Cluster Master verifies credentials against Azure AD.

Azure AD authentication in AKS clusters uses OpenID Connect, an identity layer built on top of the OAuth 2.0 protocol.

Azure Monitor

You can analyze log data that Azure Monitor collects by using queries to quickly retrieve, consolidate, and analyze the collected data.

Diagram that shows an overview of Azure Monitor.

On the left side of the figure are the sources of monitoring data that populate these data stores.

Processed events that Microsoft Defender for Cloud produces are published to the Azure activity log, one of the log types available through Azure Monitor.


  • Provides SIEM & SOAR

SIEM: Security information and event management

SOAR: Security orchestration, automation, and response (SOAR)

  • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.

  • Detect previously undetected threats

  • Investigate threats with artificial intelligence

  • Respond to incidents

Defender for Cloud

Defender for Cloud is a unified infrastructure security management system, addresses the three most urgent security challenges:

  • Changing workloads

  • Increasingly sophisticated attacks

  • Security skills are in short supply

Security Center provides the tools to:

  • Strengthen security posture

  • Protect against threats

  • Get secure faster

Security Center (Note: called simply Security in Azure) protects non-Azure servers and virtual machines in the cloud or on-premise.

Security Center

Enables you to detect and prevent threats at the Infrastructure as a Service (IaaS) layer, non-Azure servers as well as for Platforms as a Service (PaaS) in Azure. Security Center's supported kill chain intents are based on the MITRE ATT&CK™ framework.

MITRE ATT&CK®: is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

Illustration of the Cyber Kill Chain, the 9 steps used to infiltrate and damage an organization.

Security center policies

Azure Security Benchmark is the foundation for Security Center’s recommendations and has been fully integrated as the default policy initiative.

Security Center automatically creates a default security policy for each of your Azure subscriptions.

Azure policy:

  • A policy is a rule.

  • An initiative is a collection of policies.

  • An assignment is the application of an initiative or a policy to a specific scope (management group, subscription, or resource group).

In practice, it works like this:

  1. Azure Security Benchmark is an initiative that contains requirements.

    For example, Azure Storage accounts must restrict network access to reduce their attack surface.

  2. The initiative includes multiple policies, ex: "Storage accounts should restrict network access using virtual network rules".

  3. Microsoft Defender for Cloud continually assesses your connected subscriptions. If it finds a resource that doesn't satisfy a policy, it displays a recommendation to fix that situation and harden the security of resources that aren't meeting your security requirements.

Screenshot of Microsoft Defender for Cloud Security Recommendations.

Microsoft Defender for Cloud has two main goals:

  • understand your current security situation

  • improve your security score

Security Center continually assesses your resources, subscriptions, and organization for security issues.

It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level

Improving your secure score

To improve your secure score, remediate security recommendations from your recommendations list.

Defender for Cloud

Offered in two modes:

  • Without enhanced security features (Free) - Defender for Cloud is enabled for free on all your Azure subscriptions.

  • Defender for Cloud with all enhanced security features- not Free

    • Microsoft Defender for Endpoint - Microsoft Defender for Servers

    • Vulnerability assessment for virtual machines, container registries, and SQL resources

    • Multi-cloud security

    • Hybrid security

    • Threat protection alerts

    • Track compliance with a range of standards

    • Access and application controls

    • Container security features

    • Breadth threat protection for resources connected to Azure

Log Analytics

Log Analytics helps you monitors cloud and on-premises environments to maintain availability and performance. Log Analytics is the primary tool in the Azure portal for writing log queries and interactively analyzing their results.

Connected sourses illustration moving data to Azure Monitor

Data destinations

The Log Analytics agent sends data to a Log Analytics workspace in Azure Monitor. The Windows agent can be multihomed to send data to multiple workspaces and System Center Operations Manager management groups. The Linux agent can send to only a single destination.


  • Alerts in Azure Monitor notify you of critical conditions and potentially attempt to take corrective action.

  • Alert rules based on metrics provide near real time alerting based on numeric values

  • Rules based on logs allow for complex logic across data from multiple sources.

An alert rule has a target and condition.

Azure Monitor makes two types of diagnostic logs available:

  • Tenant logs. These logs come from tenant-level services that exist outside an Azure subscription, such as Azure Active Directory

  • Resource logs. These logs come from Azure services that deploy resources within an Azure subscription, such as Network Security Groups

Uses for diagnostic logs

Diagnostic logs are exported to Event hubs, storage, and Monitor.

Microsoft identity platform

Is an evolution of the Azure Active Directory (Azure AD) developer platform, It consists of

  • an authentication service

  • open-source libraries

  • application registration, and configuration (through a developer portal and application API),

  • full developer documentation

  • quickstart samples

  • code samples,

  • tutorials,

  • how-to guides

The Microsoft identity platform supports industry-standard protocols such as OAuth 2.0 and OpenID Connect.

Microsoft Authentication Library (MSAL) is recommended for use against the identity platform endpoints. MSAL supports Azure Active Directory B2C

Microsoft identity platform for developers

Microsoft identity platform has two endpoints (v1.0 and v2.0), always aim for v2.0. V2.0 endpoint is the unification of Microsoft personal accounts and works accounts into a single authentication system

Azure AD represents applications following a specific model:

  • Identify the app according to the authentication protocols it supports:

    • This involves enumerating all the identifiers

    • URLs

    • Secrets, and related information

    • Holds all the data needed to support authentication at run time

    • Holds all the data for deciding which resources an app might need to access

  • Handle user consent during token request time and facilitate the dynamic provisioning of apps across tenants:

    • Enables users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.

    • Enables administrators to ultimately decide what apps are allowed to do, which users can use specific apps, and how directory resources are accessed.

An application object describes an application as an abstract entity. Azure AD uses a specific application object as a blueprint to create a service principal. It's the service principal that defines what the app can do in a specific target directory, who can use it, what resources it has access to.

Provisioning steps described in the text.

Register an application with App Registration

  • Before an app can get a token from the Microsoft identity platform, it must be registered in the Azure portal.

  • Registration integrates the app (yours) with the Microsoft identity platform and establishes the information that it uses to get tokens, including:

    1. Application ID: A unique identifier assigned by the Microsoft identity platform.

    2. Redirect URI/URL: One or more endpoints at which your app will receive responses from the Microsoft identity platform.

    3. Application Secret: A password or a public/private key pair that your app uses to authenticate with the Microsoft identity platform. (Not needed for native or mobile apps.)

Microsoft Graph two types of permissions

  • Delegated permissions are used by apps that have a signed-in user present

  • Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.

Your app can never have more privileges than the signed-in user.

For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the User.ReadWrite.All application permission can update the profile of every user in the organization.

Graph API

  • Graph Security API is an intermediary service (or broker) that provides a single programmatic interface to connect multiple Microsoft Graph Security providers (also called security providers or providers).

  • Graph Security API federates requests to all providers in the Microsoft Graph Security ecosystem.

Managed identities

Challenge: how to manage the credentials in your code for authenticating to cloud services.


Managed Identities = Client ID + Principal ID + Azure Instance Metadata Service (IMDS)

Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to authenticate to Key Vault to retrieve them.

Two types of managed identities:

  • A system-assigned managed identity is enabled directly on an Azure service instance.

  • A user-assigned managed identity

Data sovereignty

Data sovereignty is the concept that information, which has been converted and stored in binary digital form, is subject to the laws of the country or region in which it is located.

In Azure, customer data might be replicated within a selected geographic area for enhanced data durability during a major data center disaster, and in some cases will not be replicated outside it.

Paired regions

Each Azure region is paired with another region within the same geography, forming a regional pair.

A Geography box contains a regional pair box, which in turn contains two region boxes, each with a box in it labeled datacenter.

Benefits of Azure paired regions

  • Physical isolation

  • Platform-provided replication

  • Region recovery order.

    • If a broad outage occurs, recovery of one region is prioritized out of every pair.
  • Sequential updates

  • Data residency - To meet data residency requirements for tax and law enforcement jurisdiction purposes, a region resides within the same geography as its pair

Options for authorizing requests to Azure Storage include:

  • Azure AD provides superior security and ease of use over other authorization options

    • can use role-based access control (RBAC)

    • can grant permissions that are scoped to the level of an individual container or queue.

    • Azure AD

  • Azure Active Directory Domain Services (Azure AD DS) authorization for Azure Files

  • Shared Key. encrypted signature string that is passed on via the request in the Authorization header.

  • Shared Access Signatures - A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources.

  • Anonymous access to containers and blobs

Azure AD, you avoid having to store your account access key with your code, as you do with Shared Key authorization.

Shared access signatures

  • As a best practice, you shouldn't share storage account keys with external third-party applications.

  • For untrusted clients, use a shared access signature (SAS).

Azure AD storage authentication

You can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.

A Storage Blob Data Contributor and Reader are accessing storage.

With Azure AD, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Queue service and used by the service to authorize access to the specified resource.

You can assign a role to a user, group, service principal, or managed identity. This is also called a security principal.

Security principal for a role assignment

  • Service principal - A security identity used by applications or services to access specific Azure resources

  • Managed identity - An identity in Azure Active Directory that is automatically managed by Azure

Storage service encryption

  • All data (including metadata) written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).

  • Azure AD integration is supported for blob and queue data operations.

  • Data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0

  • OS and data disks used by Azure virtual machines can be encrypted using Azure Disk Encryption.

  • Delegated access to the data objects in Azure Storage can be granted using a shared access signature.

All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted.

Azure files authentication

  • Azure Files enforces authorization on user access to both the share and the directory/file levels

  • Share-level permission assignment can be performed on Azure Active Directory (Azure AD) users or groups managed through the role-based access control (RBAC) model

  • With RBAC, the credentials you use for file access should be available or synced to Azure AD.

  • You can assign built-in RBAC roles like Storage File Data SMB Share Reader to users or groups in Azure AD to grant read access to an Azure file share.

  • At the directory/file level, Azure Files supports preserving, inheriting, and enforcing Windows DACLs just like any Windows file servers.

Identity-based authentication for Azure Files offers several benefits over using Shared Key authentication:

  • Azure Files supports using both on-premises AD DS or Azure AD DS credentials to access Azure file shares over SMB from either on-premises AD DS or Azure AD DS domain-joined VMs.

  • Enforce granular access control on Azure file shares.

  • Back up Windows ACLs (also known as NTFS) along with your data

Diagram of how identity-based authentication works or Azure files.

  1. Before you can enable authentication on Azure file shares, you must first set up your domain environment.

  2. For Azure AD DS authentication, you should enable Azure AD Domain Services and domain join the VMs you plan to access file data from.

  3. Your domain-joined VM must reside in the same virtual network (VNET) as your Azure AD DS.

  4. Similarly, for on-premises AD DS authentication, you need to set up your domain controller and domain join your machines or VMs.

  • Azure file shares supports Kerberos authentication for integration with either Azure AD DS or on-premises AD DS.

Before you can enable authentication on Azure file shares, you must first set up your domain environment

  • Azure Files supports preserving directory or file level ACLs when copying data to Azure file shares.

  • You can copy ACLs on a directory or file to Azure file shares using either Azure File Sync or common file movement toolsets. For example, you can use robocopy

Azure Storage doesn't support HTTPS for custom domain names, this option is not applied when you're using a custom domain name.

SQL database authentication

Data authentication flow for AAD and SQL server. An Azure AD database adminstrator and SQL database administrator are shown.

Use Azure Active Directory authentication to centrally manage identities of database users and as an alternative to SQL Server authentication.

Initially, all access to your Azure SQL Database is blocked by the SQL Database firewall. To access a database server, you must specify one or more server-level IP firewall rules that enable access to your Azure SQL Database.

A diagram has two clouds that both point to database-level firewall rules. After the database-level rules are evaluated the server-level rules are applied.

database auditing

You can use SQL database auditing to:

  • Retain an audit trail of selected events. You can define categories of database actions to be audited.

  • Report on database activity. You can use pre-configured reports and a dashboard to get started quickly with activity and event reporting.

  • Analyze reports. You can find suspicious events, unusual activity, and trends.

Key Vault

  • You can use Key Vault to create multiple secure containers, called vaults.

  • Vaults help reduce the chances of accidental loss of security information by centralizing application secrets storage.

  • Key vaults also control and log the access to anything stored in them.

Azure Key Vault helps address the following issues:

  • Secrets management.

  • Key management

  • Certificate management

  • Store secrets backed by hardware security modules (HSMs)

Azure Key Vault is designed to support application keys and secrets. Key Vault is not intended as storage for user passwords.

Key Vault access

Access to a key vault is controlled through two interfaces: the management plane, and the data plane:

  • The management plane is where you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key Vault properties, and updating access policies.

  • The data plane is where you work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates from here.

Authentication establishes the identity of the caller. Authorization determines which operations the caller can execute.

Users and apps authenticate and then are authorized to the management or data plane.

key rotation

A key is updated using event grid and function apps.

  1. Thirty days before the expiration date of a secret, Key Vault publishes the "near expiry" event to Event Grid.

  2. Event Grid checks the event subscriptions and uses HTTP POST to call the function app endpoint subscribed to the event.

  3. The function app receives the secret information, generates a new random password, and creates a new version for the secret with the new password in Key Vault.

  4. The function app updates SQL Server with the new password.


Thanks for reading Cloud Fabric! Subscribe for free to receive new posts and support my work.