AZURE CYBERSECURITY TRAINING

Azure security technical capabilities

This article provides an introduction to security services in Azure that help you protect your data, resources, and
applications in the cloud and meet the security needs of your business.

Azure platform

Microsoft Azure is a cloud platform comprised of infrastructure and application services, with integrated data services
and advanced analytics, and developer tools and services, hosted within Microsoft’s public cloud data centers.
Customers use Azure for many different capacities and scenarios, from basic compute, networking, and storage, to
mobile and web app services, to full cloud scenarios like Internet of Things, and can be used with open-source
technologies, and deployed as hybrid cloud or hosted within a customer’s datacenter. Azure provides cloud technology
as building blocks to help companies save costs, innovate quickly, and manage systems proactively. When you build on,
or migrate IT assets to a cloud provider, you are relying on that organization’s abilities to protect your applications and
data with the services and the controls they provide to manage the security of your cloud-based assets.

Microsoft Azure is the only cloud computing provider that offers a secure, consistent application platform and
infrastructure-as-a-service for teams to work within their different cloud skillsets and levels of project complexity, with
integrated data services and analytics that uncover intelligence from data wherever it exists, across both Microsoft and
non-Microsoft platforms, open frameworks and tools, providing choice for integrating cloud with on-premises as well
deploying Azure cloud services within on-premises datacenters. As part of the Microsoft Trusted Cloud, customers rely
on Azure for industry-leading security, reliability, compliance, privacy, and the vast network of people, partners, and
processes to support organizations in the cloud.

With Microsoft Azure, you can:

 Accelerate innovation with the cloud

 Power business decisions & apps with insights

 Build freely and deploy anywhere

 Protect their business

Manage and control identity and user access

Azure helps you protect business and personal information by enabling you to manage user identities and credentials
and control access.

Microsoft Entra ID

Microsoft identity and access management solutions help IT protect access to applications and resources across the
corporate datacenter and into the cloud, enabling additional levels of validation such as multifactor authentication and
Conditional Access policies. Monitoring suspicious activity through advanced security reporting, auditing and alerting
helps mitigate potential security issues. Microsoft Entra ID P1 or P2 provides single sign-on to thousands of cloud apps
and access to web apps you run on-premises.

Security benefits of Microsoft Entra ID include the ability to:

 Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups, and
devices in sync.

 Provide single sign-on access to your applications including thousands of pre-integrated SaaS apps.
  Enable application access security by enforcing rules-based multifactor authentication for both on-premises and
cloud applications.

 Provision secure remote access to on-premises web applications through Microsoft Entra application proxy.

The following are core Azure identity management capabilities:

 Single sign-on

 Multifactor authentication

 Security monitoring, alerts, and machine learning-based reports

 Consumer identity and access management

 Device registration

 Privileged identity management

 Identity protection

Single sign-on

Single sign-on (SSO) means being able to access all the applications and resources that you need to do business, by
signing in only once using a single user account. Once signed in, you can access all the applications you need without
being required to authenticate (for example, type a password) a second time.
Many organizations rely upon software as a service (SaaS) applications such as Microsoft 365, Box, and Salesforce for
end-user productivity. Historically, IT staff needed to individually create and update user accounts in each SaaS
application, and users had to remember a password for each SaaS application.

Microsoft Entra ID extends on-premises Active Directory into the cloud, enabling users to use their primary
organizational account to not only sign in to their domain-joined devices and company resources, but also all the web
and SaaS applications needed for their job.

Not only do users not have to manage multiple sets of usernames and passwords, application access can be
automatically provisioned or de-provisioned based on organizational groups and their status as an employee. Microsoft
Entra ID introduces security and access governance controls that enable you to centrally manage users' access across
SaaS applications.

Multifactor authentication

Microsoft Entra multifactor authentication (MFA) is a method of authentication that requires the use of more than one
verification method and adds a critical second layer of security to user sign-ins and transactions. MFA helps
safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong
authentication via a range of verification options—phone call, text message, or mobile app notification or verification
code and third-party OAuth tokens.

Security monitoring, alerts, and machine learning-based reports

Security monitoring and alerts and machine learning-based reports that identify inconsistent access patterns can help
you protect your business. You can use Microsoft Entra ID's access and usage reports to gain visibility into the integrity
and security of your organization’s directory. With this information, a directory admin can better determine where
possible security risks may lie so that they can adequately plan to mitigate those risks.

In the Azure portal, reports are categorized in the following ways:

 Anomaly reports – contain sign in events that we found to be anomalous. Our goal is to make you aware of such
activity and enable you to be able to decide about whether an event is suspicious.

 Integrated application reports – provide insights into how cloud applications are being used in your organization.
Microsoft Entra ID offers integration with thousands of cloud applications.

 Error reports – indicate errors that may occur when provisioning accounts to external applications.

 User-specific reports – display device and sign in activity data for a specific user.

 Activity logs – contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, and
group activity changes, and password reset and registration activity.

Consumer identity and access management

Azure Active Directory B2C is a highly available, global, identity management service for consumer-facing applications
that scales to hundreds of millions of identities. It can be integrated across mobile and web platforms. Your consumers
can log on to all your applications through customizable experiences by using their existing social accounts or by creating
new credentials.

In the past, application developers who wanted to sign up and sign in consumers into their applications would have
written their own code. And they would have used on-premises databases or systems to store usernames and
passwords. Azure Active Directory B2C offers your organization a better way to integrate consumer identity management
into applications with the help of a secure, standards-based platform, and a large set of extensible policies.
When you use Azure Active Directory B2C, your consumers can sign up for your applications by using their existing social
accounts (Facebook, Google, Amazon, LinkedIn) or by creating new credentials (email address and password, or
username and password).

Device registration

Microsoft Entra device registration is the foundation for device-based Conditional Access scenarios. When a device is
registered, Microsoft Entra device registration provides the device with an identity that is used to authenticate the device
when the user signs in. The authenticated device, and the attributes of the device, can then be used to enforce
Conditional Access policies for applications that are hosted in the cloud and on-premises.

When combined with a mobile device management (MDM) solution such as Intune, the device attributes in Microsoft
Entra ID are updated with additional information about the device. This allows you to create Conditional Access rules
that enforce access from devices to meet your standards for security and compliance.

Privileged identity management

Microsoft Entra Privileged Identity Management lets you manage, control, and monitor your privileged identities and
access to resources in Microsoft Entra ID as well as other Microsoft online services like Microsoft 365 or Microsoft
Intune.

Sometimes users need to carry out privileged operations in Azure or Microsoft 365 resources, or other SaaS apps. This
often means organizations have to give them permanent privileged access in Microsoft Entra ID. This is a growing
security risk for cloud-hosted resources because organizations can't sufficiently monitor what those users are doing with
their admin privileges. Additionally, if a user account with privileged access is compromised, that one breach could
impact their overall cloud security. Microsoft Entra Privileged Identity Management helps to resolve this risk.

Microsoft Entra Privileged Identity Management lets you:

 See which users are Microsoft Entra admins

 Enable on-demand, "just in time" administrative access to Microsoft Online Services like Microsoft 365 and
Intune

 Get reports about administrator access history and changes in administrator assignments

 Get alerts about access to a privileged role

Identity protection

Microsoft Entra ID Protection is a security service that provides a consolidated view into risk detections and potential
vulnerabilities affecting your organization’s identities. Identity Protection uses existing Microsoft Entra ID’s anomaly
detection capabilities (available through Microsoft Entra ID’s Anomalous Activity Reports), and introduces new risk
detection types that can detect anomalies in real time.

Secure resource access

Access control in Azure starts from a billing perspective. The owner of an Azure account, accessed by visiting the Azure
portal, is the Account Administrator (AA). Subscriptions are a container for billing, but they also act as a security
boundary: each subscription has a Service Administrator (SA) who can add, remove, and modify Azure resources in that
subscription by using the Azure portal. The default SA of a new subscription is the AA, but the AA can change the SA in
the Azure portal.
Subscriptions also have an association with a directory. The directory defines a set of users. These can be users from the
work or school that created the directory, or they can be external users (that is, Microsoft Accounts). Subscriptions are
accessible by a subset of those directory users who have been assigned as either Service Administrator (SA) or Co-
Administrator (CA); the only exception is that, for legacy reasons, Microsoft Accounts (formerly Windows Live ID) can be
assigned as SA or CA without being present in the directory.

Security-oriented companies should focus on giving employees the exact permissions they need. Too many permissions
can expose an account to attackers. Too few permissions mean that employees can't get their work done
efficiently. Azure role-based access control (Azure RBAC) helps address this problem by offering fine-grained access
management for Azure.
Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they
need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources,
you can allow only certain actions. For example, use Azure RBAC to let one employee manage virtual machines in a
subscription, while another can manage SQL databases within the same subscription.

Data security and encryption

One of the keys to data protection in the cloud is accounting for the possible states in which your data may occur, and
what controls are available for that state. For Azure data security and encryption best practices the recommendations be
around the following data’s states.

 At-rest: This includes all information storage objects, containers, and types that exist statically on physical media,
be it magnetic or optical disk.

 In-transit: When data is being transferred between components, locations or programs, such as over the
network, across a service bus (from on-premises to cloud and vice-versa, including hybrid connections such as
ExpressRoute), or during an input/output process, it is thought of as being in-motion.

Encryption at rest

Encryption at rest is discussed in detail in Azure Data Encryption at Rest.

Encryption in-transit

Protecting data in transit should be essential part of your data protection strategy. Since data is moving back and forth
from many locations, the general recommendation is that you always use SSL/TLS protocols to exchange data across
different locations. In some circumstances, you may want to isolate the entire communication channel between your on-
premises and cloud infrastructure by using a virtual private network (VPN).

For data moving between your on-premises infrastructure and Azure, you should consider appropriate safeguards such
as HTTPS or VPN.
For organizations that need to secure access from multiple workstations located on-premises to Azure, use Azure site-to-
site VPN.

For organizations that need to secure access from one workstation located on-premises to Azure, use Point-to-Site VPN.

Larger data sets can be moved over a dedicated high-speed WAN link such as ExpressRoute. If you choose to use
ExpressRoute, you can also encrypt the data at the application-level using SSL/TLS or other protocols for added
protection.

If you are interacting with Azure Storage through the Azure portal, all transactions occur via HTTPS. Storage REST
API over HTTPS can also be used to interact with Azure Storage and Azure SQL Database.

You can learn more about Azure VPN option by reading the article Planning and design for VPN Gateway.

Enforce file level data encryption

Azure Rights Management (Azure RMS) uses encryption, identity, and authorization policies to help secure your files and
email. Azure RMS works across multiple devices—phones, tablets, and PCs by protecting both within your organization
and outside your organization. This capability is possible because Azure RMS adds a level of protection that remains with
the data, even when it leaves your organization’s boundaries.

Secure your application

While Azure is responsible for securing the infrastructure and platform that your application runs on, it is your
responsibility to secure your application itself. In other words, you need to develop, deploy, and manage your application
code and content in a secure way. Without this, your application code or content can still be vulnerable to threats.

Web application firewall

Web application firewall (WAF) is a feature of Application Gateway and Azure Front Door that provides centralized
protection of your web applications from common exploits and vulnerabilities.

Web application firewall is based on rules from the OWASP core rule sets. Web applications are increasingly targets of
malicious attacks that exploit common known vulnerabilities. Common among these exploits are SQL injection attacks,
cross site scripting attacks to name a few. Preventing such attacks in application code can be challenging and may require
rigorous maintenance, patching and monitoring at multiple layers of the application topology. A centralized web
application firewall helps make security management much simpler and gives better assurance to application
administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known
vulnerability at a central location versus securing each of individual web applications. Existing application gateways can
be converted to a web application firewall enabled application gateway easily.

Some of the common web vulnerabilities which web application firewall protects against includes:

 SQL injection protection

 Cross site scripting protection

 Common Web Attacks Protection such as command injection, HTTP request smuggling, HTTP response splitting,
and remote file inclusion attack

 Protection against HTTP protocol violations

 Protection against HTTP protocol anomalies such as missing host user-agent and accept headers

 Prevention against bots, crawlers, and scanners

 Detection of common application misconfigurations (that is, Apache, IIS, etc.)

Note

For a more detailed list of rules and their protections see the following core rule sets for Azure Application
Gateway and Azure Front Door.

Azure provides several easy-to-use features to help secure both inbound and outbound traffic for your app. Azure helps
customers secure their application code by providing externally provided functionality to scan your web application for
vulnerabilities. See Azure App Services to learn more.

Azure App Service uses the same Antimalware solution used by Azure Cloud Services and Virtual Machines. To learn
more about this refer to our Antimalware documentation.

Secure your network

Microsoft Azure includes a robust networking infrastructure to support your application and service connectivity
requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure
hosted resources, and to and from the Internet and Azure.

The Azure network infrastructure enables you to securely connect Azure resources to each other with virtual networks
(VNets). A VNet is a representation of your own network in the cloud. A VNet is a logical isolation of the Azure cloud
network dedicated to your subscription. You can connect VNets to your on-premises networks.

If you need basic network level access control (based on IP address and the TCP or UDP protocols), then you can
use Network Security Groups. A Network Security Group (NSG) is a basic stateful packet filtering firewall that enables you
to control access.

Azure Firewall is a cloud-native and intelligent network firewall security service that provides threat protection for your
cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted
cloud scalability. It provides both east-west and north-south traffic inspection.

Azure Firewall is offered in three SKUs: Basic, Standard and Premium. Azure Firewall Basic offers simplified security
similar to the Standard SKU but without advanced features. Azure Firewall Standard provides L3-L7 filtering and threat
intelligence feeds directly from Microsoft Cyber Security. Azure Firewall Premium provides advanced capabilities include
signature-based IDPS to allow rapid detection of attacks by looking for specific patterns.
Azure networking supports the ability to customize the routing behavior for network traffic on your Azure Virtual
Networks. You can do this by configuring User-Defined Routes in Azure.

Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to
devices on the Internet.

Azure supports dedicated WAN link connectivity to your on-premises network and an Azure Virtual Network
with ExpressRoute. The link between Azure and your site uses a dedicated connection that does not go over the public
Internet. If your Azure application is running in multiple datacenters, you can use Azure Traffic Manager to route requests
from users intelligently across instances of the application. You can also route traffic to services not running in Azure if
they are accessible from the Internet.

Azure also supports private and secure connectivity to your PaaS resources (for example, Azure Storage and SQL
Database) from your Azure Virtual Network with Azure Private Link. PaaS resource is mapped to a private endpoint in
your virtual network. The link between private endpoint in your virtual network and your PaaS resource uses Microsoft
backbone network and does not go over the public Internet. Exposing your service to the public internet is no longer
necessary. You can also use Azure Private Link to access Azure hosted customer-owned and partner services in your
virtual network. In addition, Azure Private Link enables you to create your own private link service in your virtual network
and deliver it to your customers privately in their virtual networks. Setup and consumption using Azure Private Link is
consistent across Azure PaaS, customer-owned, and shared partner services.

Virtual machine security

Azure Virtual Machines lets you deploy a wide range of computing solutions in an agile way. With support for Microsoft
Windows, Linux, Microsoft SQL Server, Oracle, IBM, SAP, and Azure BizTalk Services, you can deploy any workload and
any language on nearly any operating system.

With Azure, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, and
Kaspersky to protect your virtual machines from malicious files, adware, and other threats.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps
identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts
when known malicious or unwanted software attempts to install itself or run on your Azure systems.

Azure Backup is a scalable solution that protects your application data with zero capital investment and minimal
operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications.
With Azure Backup, your virtual machines running Windows and Linux are protected.

Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available
from a secondary location if your primary location goes down.

Ensure compliance: Cloud services due diligence checklist

Microsoft developed the Cloud Services Due Diligence Checklist to help organizations exercise due diligence as they
consider a move to the cloud. It provides a structure for an organization of any size and type—private businesses and
public-sector organizations, including government at all levels and nonprofits—to identify their own performance,
service, data management, and governance objectives and requirements. This allows them to compare the offerings of
different cloud service providers, ultimately forming the basis for a cloud service agreement.

The checklist provides a framework that aligns clause-by-clause with a new international standard for cloud service
agreements, ISO/IEC 19086. This standard offers a unified set of considerations for organizations to help them make
decisions about cloud adoption, and create a common ground for comparing cloud service offerings.

The checklist promotes a thoroughly vetted move to the cloud, providing structured guidance and a consistent,
repeatable approach for choosing a cloud service provider.
Cloud adoption is no longer simply a technology decision. Because checklist requirements touch on every aspect of an
organization, they serve to convene all key internal decision-makers—the CIO and CISO as well as legal, risk
management, procurement, and compliance professionals. This increases the efficiency of the decision-making process
and ground decisions in sound reasoning, thereby reducing the likelihood of unforeseen roadblocks to adoption.

In addition, the checklist:

 Exposes key discussion topics for decision-makers at the beginning of the cloud adoption process.

 Supports thorough business discussions about regulations and the organization’s own objectives for privacy,
personal information and data security.

 Helps organizations identify any potential issues that could affect a cloud project.

 Provides a consistent set of questions, with the same terms, definitions, metrics, and deliverables for each
provider, to simplify the process of comparing offerings from different cloud service providers.

Azure infrastructure and application security validation

Azure Operational Security refers to the services, controls, and features available to users for protecting their data,
applications, and other assets in Microsoft Azure.

Azure Operational Security is built on a framework that incorporates the knowledge gained through a various capabilities
that are unique to Microsoft, including the Microsoft Security Development Lifecycle (SDL), the Microsoft Security
Response Center program, and deep awareness of the cybersecurity threat landscape.

Microsoft Azure Monitor

Azure Monitor is the IT management solution for the hybrid cloud. Used alone or to extend your existing System Center
deployment, Azure Monitor logs gives you the maximum flexibility and control for cloud-based management of your
infrastructure.
With Azure Monitor, you can manage any instance in any cloud, including on-premises, Azure, AWS, Windows Server,
Linux, VMware, and OpenStack, at a lower cost than competitive solutions. Built for the cloud-first world, Azure Monitor
offers a new approach to managing your enterprise that is the fastest, most cost-effective way to meet new business
challenges and accommodate new workloads, applications and cloud environments.

Azure Monitor logs

Azure Monitor logs provides monitoring services by collecting data from managed resources into a central repository.
This data could include events, performance data, or custom data provided through the API. Once collected, the data is
available for alerting, analysis, and export.

This method allows you to consolidate data from a variety of sources, so you can combine data from your Azure services
with your existing on-premises environment. It also clearly separates the collection of the data from the action taken on
that data so that all actions are available to all kinds of data.

Microsoft Sentinel

Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security
orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and
threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive
hunting, and threat response.

Microsoft Defender for Cloud

Microsoft Defender for Cloud helps you prevent, detect, and respond to threats with increased visibility into and control
over the security of your Azure resources. It provides integrated security monitoring and policy management across your
Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of
security solutions.

Defender for Cloud analyzes the security state of your Azure resources to identify potential security vulnerabilities. A list
of recommendations guides you through the process of configuring needed controls.

Examples include:

 Provisioning antimalware to help identify and remove malicious software

 Configuring network security groups and rules to control traffic to VMs

 Provisioning of web application firewalls to help defend against attacks that target your web applications

 Deploying missing system updates

 Addressing OS configurations that do not match the recommended baselines

Defender for Cloud automatically collects, analyzes, and integrates log data from your Azure resources, the network, and
partner solutions like antimalware programs and firewalls. When threats are detected, a security alert is created.
Examples include detection of:

 Compromised VMs communicating with known malicious IP addresses

 Advanced malware detected by using Windows error reporting

 Brute force attacks against VMs

 Security alerts from integrated antimalware programs and firewalls

Azure monitor

Azure Monitor provides pointers to information on specific types of resources. It offers visualization, query, routing,
alerting, auto scale, and automation on data both from the Azure infrastructure (Activity Log) and each individual Azure
resource (Diagnostic Logs).

Cloud applications are complex with many moving parts. Monitoring provides data to ensure that your application stays
up and running in a healthy state. It also helps you to stave off potential problems or troubleshoot past ones.
 I
n addition, you can use monitoring data to gain deep insights about your application. That knowledge can help you to
improve application performance or maintainability, or automate actions that would otherwise require manual
intervention.

Auditing your network security is vital for detecting network vulnerabilities and ensuring compliance with your IT
security and regulatory governance model. With Security Group view, you can retrieve the configured Network Security
Group and security rules, as well as the effective security rules. With the list of rules applied, you can determine the
ports that are open and ss network vulnerability.

Network watcher

Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network level in, to, and
from Azure. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose,
and gain insights to your network in Azure. This service includes packet capture, next hop, IP flow verify, security group
view, NSG flow logs. Scenario level monitoring provides an end to end view of network resources in contrast to individual
network resource monitoring.

Storage analytics

Storage Analytics can store metrics that include aggregated transaction statistics and capacity data about requests to a
storage service. Transactions are reported at both the API operation level as well as at the storage service level, and
capacity is reported at the storage service level. Metrics data can be used to analyze storage service usage, diagnose
issues with requests made against the storage service, and to improve the performance of applications that use a
service.

Application Insights
Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple
platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes
powerful analytics tools to help you diagnose issues and to understand what users do with your app. It's designed to
help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET,
Node.js and Java EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection
points to a various development tools.

It monitors:

 Request rates, response times, and failure rates - Find out which pages are most popular, at what times of day,
and where your users are. See which pages perform best. If your response times and failure rates go high when
there are more requests, then perhaps you have a resourcing problem.

 Dependency rates, response times, and failure rates - Find out whether external services are slowing you down.

 Exceptions - Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related
requests. Both server and browser exceptions are reported.

 Page views and load performance - reported by your users' browsers.

 AJAX calls from web pages - rates, response times, and failure rates.

 User and session counts.

 Performance counters from your Windows or Linux server machines, such as CPU, memory, and network usage.

 Host diagnostics from Docker or Azure.

 Diagnostic trace logs from your app - so that you can correlate trace events with requests.

 Custom events and metrics that you write yourself in the client or server code, to track business events such as
items sold, or games won.

The infrastructure for your application is typically made up of many components – maybe a virtual machine, storage
account, and virtual network, or a web app, database, database server, and 3rd party services. You do not see these
components as separate entities, instead you see them as related and interdependent parts of a single entity. You want
to deploy, manage, and monitor them as a group. Azure Resource Manager enables you to work with the resources in
your solution as a group.

You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use a
template for deployment and that template can work for different environments such as testing, staging, and production.
Resource Manager provides security, auditing, and tagging features to help you manage your resources after
deployment.

The benefits of using Resource Manager

Resource Manager provides several benefits:

 You can deploy, manage, and monitor all the resources for your solution as a group, rather than handling these
resources individually.

 You can repeatedly deploy your solution throughout the development lifecycle and have confidence your
resources are deployed in a consistent state.

 You can manage your infrastructure through declarative templates rather than scripts.

 You can define the dependencies between resources, so they are deployed in the correct order.
  You can apply access control to all services in your resource group because Azure role-based access control
(Azure RBAC) is natively integrated into the management platform.

 You can apply tags to resources to logically organize all the resources in your subscription.

 You can clarify your organization's billing by viewing costs for a group of resources sharing the same tag.

Note

Resource Manager provides a new way to deploy and manage your solutions. If you used the earlier deployment model
and want to learn about the changes, see Understanding Resource Manager Deployment and classic deployment.

What is Microsoft Defender XDR?

✅ Microsoft Defender XDR

In this article

1. Microsoft Defender XDR protection

2. Get started

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection,
prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated
protection against sophisticated attacks.

Microsoft Defender XDR helps security teams protect and detect their organizations by using information from other
Microsoft security products, including:

 Microsoft Defender for Endpoint

 Microsoft Defender for Office 365

 Microsoft Defender for Identity

 Microsoft Defender for Cloud Apps

 Microsoft Defender Vulnerability Management

 Microsoft Defender for Cloud

 Microsoft Entra ID Protection

 Microsoft Data Loss Prevention

 App Governance

 Microsoft Purview Insider Risk Management

With the integrated Microsoft Defender XDR solution, security professionals can stitch together the threat signals that
each of these products receive and determine the full scope and impact of the threat; how it entered the environment,
what it's affected, and how it's currently impacting the organization. Microsoft Defender XDR takes automatic action to
prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.

Note

Microsoft Defender XDR correlates signals from Microsoft security products that you have licensed and provisioned
access to.

Microsoft Defender XDR protection

Microsoft Defender XDR services protect:

 Endpoints with Defender for Endpoint - Microsoft Defender for Endpoint is a unified endpoint platform for
preventative protection, post-breach detection, automated investigation, and response.

 Assets with Defender Vulnerability Management - Microsoft Defender Vulnerability Management delivers
continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security
and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.

 Email and collaboration with Defender for Office 365 - Defender for Office 365 safeguards your organization
against malicious threats posed by email messages, links (URLs) and collaboration tools.

 Identities with Defender for Identity and Microsoft Entra ID Protection - Microsoft Defender for Identity is a
cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and
investigate advanced threats, compromised identities, and malicious insider actions directed at your
organization. Microsoft Entra ID Protection uses the learnings Microsoft acquired from their position in
organizations with Microsoft Entra ID, the consumer space with Microsoft Accounts, and in gaming with Xbox to
protect your users.

 Applications with Defender for Cloud Apps - Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS
solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.

Microsoft Defender XDR's unique cross-product layer augments the individual service components to:

 Help protect against attacks and coordinate defensive responses across the services through signal sharing and
automated actions.

 Narrate the full story of the attack across product alerts, behaviors, and context for security teams by joining
data on alerts, suspicious events and impacted assets to incidents.

 Automate response to compromise by triggering self-healing for impacted assets through automated
remediation.

 Enable security teams to perform detailed and effective threat hunting across endpoint and Office data.

Microsoft Defender XDR cross-product features include:

 Cross-product single pane of glass in the Microsoft Defender portal - A central view for all information on
detections, impacted assets, automated actions taken, and related evidence in a single queue and a single pane
in Microsoft Defender portal.

 Combined incidents queue - To help security professionals focus on what is critical by ensuring the full attack
scope, impacted assets and automated remediation actions are grouped together and surfaced in a timely
manner.

 Automatic response to threats - Critical threat information is shared in real time between the Microsoft
Defender XDR products to help stop the progression of an attack.

For example, if a malicious file is detected on an endpoint protected by Defender for Endpoint, it instructs Defender for
Office 365 to scan and remove the file from all e-mail messages. The file is blocked on sight by the entire Microsoft 365
security suite.

 Self-healing for compromised devices, user identities, and mailboxes - Microsoft Defender XDR uses AI-
powered automatic actions and playbooks to remediate impacted assets back to a secure state. Microsoft
Defender XDR leverages automatic remediation capabilities of the suite products to ensure all impacted assets
related to an incident are automatically remediated where possible.
  Cross-product threat hunting - Security teams can leverage their unique organizational knowledge to hunt for
signs of compromise by creating their own custom queries over the raw data collected by the various protection
products. Microsoft Defender XDR provides query-based access to 30 days of historic raw signals and alert data
across endpoint and Defender for Office 365 data.

Get started

Microsoft Defender XDR licensing requirements must be met before you can enable the service in the Microsoft
Defender portal at https://security.microsoft.com For more information, see:

 Licensing requirements

 Turn on Microsoft Defender XDR

 Microsoft Defender XDR in the Microsoft Defender portal

Azure DDoS Protection has two types of protection, DDoS IP Protection and DDoS Network Protection, both of which
provide protection against DDoS attacks without needing a separate protection plan for each service or application.

Azure DDoS Protection overview

In today's digital landscape, the frequency and complexity of distributed denial-of-service or DDoS attacks have been on
the rise. These attacks can cause serious damage to organizations, disrupting their operations, and even causing financial
losses. To combat this threat, Microsoft Azure offers a comprehensive DDoS Protection service.

This lesson explores this service and what it has to offer. It'll cover the fundamentals of how it works, the advantages it
provides, how to begin implementing it, and what different types there are. You may know this already, but let's start
with what exactly a DDoS attack is. It's when a server hosting a website or app is flooded with so much traffic that it
becomes overloaded and crashes. This happens when many computers called bots are deployed by cyber attackers to
send traffic to a server all at the same time. The traffic overload makes it impossible for real users to access the website,
causing frustration for users and loss of business revenue, and disruption of business operations for the website owner.

DDoS attacks can be targeted at any website or app that is publicly reachable through the Internet. How can businesses
protect themselves from a DDoS attack? One solution is to use Azure DDoS protection, which helps defend against DDoS
attacks by automatically detecting and blocking malicious traffic.

While those services running on Azure are inherently protected by default infrastructure-level DDoS protection, it may
not be sufficient for certain applications. By onboarding to the Azure DDoS protection service, applications get
dedicated monitoring to detect attacks and application-specific thresholds, providing tighter defense against DDoS
attacks. Overall, Azure DDoS protection is an important tool for businesses that rely on online services to protect against
DDoS attacks and ensure that their services are always available to their customers. Let's examine some of the key
benefits of Azure DDoS Protection.

Azure DDoS protection helps protect against DDoS attacks by constantly monitoring the traffic patterns of your
applications. Additionally, Azure DDoS Protection uses intelligent traffic profiling to learn your application's traffic
patterns over time. This means that it can adapt to new types of attacks and become more effective at protecting your
business over time. If it detects a DDoS attack, it will automatically and instantly take action to mitigate the attack,
ensuring that your website or online services stay up and running. Furthermore, Azure DDoS Protection uses multiple
layers of protection to prevent and mitigate the effects of DDoS attacks. These layers include firewalls. Azure DDoS
protection uses firewalls to monitor and control incoming and outgoing network traffic. Firewalls can block traffic that
does not meet specific criteria, such as traffic that is coming from a suspicious source or that has an unusually high
volume. There's also network segmentation. Azure DDoS protection uses network segmentation to divide the network
into smaller, more secure subnetworks. This helps to limit the impact of a DDoS attack by containing it to a smaller
area. Then there's traffic analysis. Azure DDoS protection uses traffic analysis to monitor network traffic and identify
patterns that indicate a DDoS attack. This analysis can help to detect and mitigate attacks before they cause
significant damage. Last, there's machine-learning algorithms. Azure DDoS protection uses machine-learning
algorithms to detect and block DDoS attacks. These algorithms can learn from past attacks and adapt to new attack
patterns, making them more effective at preventing future attacks.

By using multiple layers of protection, Azure DDoS Protection can provide a more comprehensive and effective defense
against DDoS attacks. This helps to ensure that Azure customers can continue to provide reliable and secure services to
their users, even in the face of cyber threats.

Azure DDoS protection comes in two types. The first type is called DDoS IP Protection, and it can protect any public IP
resource without needing a separate protection plan. Resources include things like websites, virtual machines, and
Cloud services that can be accessed over the Internet. To access an online resource from the Internet, it needs to have
a public IP address assigned to it. Not needing a separate protection plan is helpful if you have multiple services or
applications that you want to protect, but don't want to set up a separate protection plan for each one.

The second type is called DDoS Network Protection, and it can protect multiple subscriptions with just one protection
plan. This is useful if you have several services or applications that you want to protect and you want to simplify the
management of your protection plans. Azure DDoS Protection has a fixed monthly charge that covers up to 100 public
IP addresses. This means that you can use Azure DDoS Protection to protect up to 100 online resources with a single
subscription. If you need to protect more than 100 resources, additional protection is available for an additional
charge.

If there is an attack, you can get help from the Azure DDoS Rapid Response team who can investigate and help you
deal with the attack. If a customer experiences a documented DDoS attack, which means there is proof of the attack,
they will receive credits for data transfer and application scale-out service costs. This is a way of compensating the
customer for any costs incurred due to the attack.

In summary, Azure DDoS Protection is a very helpful tool that businesses and organizations can use to protect
themselves from harmful DDoS attacks. It has many features that help keep your services safe, such as always monitoring
your network traffic, adapting to changing patterns, and providing protection at multiple levels. It works well with other
tools in Azure, so you don't need to worry about setting it up yourself. If an attack does occur, the DDoS Rapid Response
team is available to help. With Azure DDoS Protection, you can focus on your business and not worry about the effects of
DDoS attacks.

Azure DDoS Protection configuration

Azure DDoS protection is a resource – let’s configure it. In this lesson, you will go through the steps to create a
DDoS protection plan and enable DDoS protection for a new virtual network using the Azure Portal. You will also learn
how to view your protected resources and monitor your DDoS protection settings.

1) Create a DDoS protection plan. This plan defines a group of virtual networks that are protected by DDoS
Network protection across subscriptions. You only need one plan for your organization, and you can
link virtual networks from different subscriptions to the same plan. Before you move on to the rest of
the video, please note that it's not necessary for you to follow along in Azure during the demonstration.
Configuring DDoS protection and linking the plan to a virtual network will be costly. Let's get started.

2) Open the Azure Portal and select Create a Resource in the upper left corner.
3) Now search for DDoS in the search bar, and once the DDoS protection plan appears in the search results,
select it.

4) Once selected, click on Create to create a new DDoS protection plan.

5) Enter or select values for the subscription, select your subscription. For the resource group, select RG
web server. For the name, enter Plan One, and for the region, enter East US. After entering the values,
select Review and Create to review details, then click on Create to create the DDoS Protection plan.
6) Note that although DDoS protection plan resources need to be associated with a region, users can
enable DDoS protection on virtual Networks in different regions and across multiple subscriptions under
a single Azure Active Directory Tenant. A tenant is a dedicated and trusted instance of Azure ad. It's
automatically created when your organization signs up for a Microsoft Cloud Service subscription. Now
click Create, wait for the deployment process to finish, and that's it. You've successfully created a DDoS
protection plan on the Azure Portal.

7) Once you have created a DDoS Protection plan, the next step is to link it to a Virtual Network. This will
enable DDoS network protection for the Virtual Network. So now you are going to apply the earlier
created DDoS protection plan to a new Virtual Network.
8) Create a new Virtual Network. To do this, follow these steps log into your Azure Portal and select Create
a Resource. In the upper left corner, let's search for Virtual Network, and once the Virtual Network
appears in the search results, select it and click Create.
9) Enter the values for subscription, select your Subscription for the resource group. Select Use Existing
and then select RG web server. For the Virtual Network name, enter Myvnet one word with a V. For the
region, enter East US and then select Next.

10) Enable DDoS protection for your virtual network by selecting Enable Azure DDoS Network Protection.
Select the plan one. You created earlier. Click next to move to IP addresses. Leave this as the default,
select Review and Create, and then select Create.

That's it, you have now enabled DDoS protection for your virtual network in Azure. Please note that once you
have enabled DDoS Protection for a Virtual Network, you cannot move it to another resource, group or
subscription. If you need to move a Virtual Network with DDoS Protection enabled, you must first disable
DDoS Protection. After that, move the Virtual Network and then enable DDoS protection again. Also note
that after the move, the Auto Tuned policy thresholds for all the protected public IP addresses in the Virtual
Network will be reset.

Now it's time to learn how to view protected resources. Under protected resources, you can view your
protected public IP addresses and virtual networks or add more virtual networks to your DDoS protection
plan.

Congratulations, you have successfully learned how to set up Azure DDoS network protection using the
Azure Portal. By following the steps outlined in this video, you should now be able to create a DDoS
Protection plan and enable DDoS Protection for your Virtual Network in just a few clicks. Later in this lesson,
you will be creating a Virtual Network with a Virtual Machine. Do not try to create DDoS Protection for the
sake of testing it out, because the cost is very high.

Azure DDoS Protection features and best practices

You now know what Azure DDoS protection is and how to configure it through the Azure Portal to protect a
virtual network. But you haven't really explored its key features and best practices, which is what this is
about. In this lesson, you will learn about

 Always on traffic monitoring

 Adaptive real time tuning
 DDoS protection telemetry monitoring and alerting
 Azure DDoS protection mitigation policies
 Web application
 Firewall for resource attacks
 Protection planning

Always-on traffic monitoring: Azure DDoS protection constantly monitors traffic usage, and when the traffic
threshold is exceeded, DDoS mitigation is automatically initiated. During mitigation, traffic is redirected to
the DDoS protection service, where several checks are performed to ensure packets conform to Internet
specifications and are not malformed. Attack traffic is dropped, and the remaining traffic is forwarded to its
intended destination. Within a few minutes of attack detection, you'll be notified via Azure Monitor Metrics
and you can save logs on DDoS Protection Telemetry, which will allow you to save them to security
information and event management systems or scene metric. Data in Azure Monitor for DDoS protection is
retained for 30 days.

Adaptive real-time tuning: Tailored protection policies are necessary per subscriber because of the
complexity of attacks and the application specific needs of subscribers. Azure DDoS protection accomplishes
this by using automatic learning of the traffic patterns of each subscriber for layer three, the network layer
and layer four, the transport layer of the OSI model. Other items in this lesson also refer to OSI model layers,
and you can refer to the additional resources reading for a source that will refresh your memory. With
adaptive real-time tuning, it doesn't matter what amount of traffic you receive, as long as they are legitimate
connections, azure can automatically scale.

DDoS protection telemetry monitoring and alerting: Telemetry refers to information gathered from a
network system that can be examined to keep track of the network and the condition, efficiency, accessibility
and security of its parts. Azure DDoS protection gives a lot of information about attacks and how well the
protection is working. This information can be accessed using Azure Monitor. You can configure alerts for any
of the Azure Monitor metrics that DDoS protection uses. You can also integrate Telemetry logging with other
monitoring services like Splunk or Azure Monitor logs, or with Azure Storage for advanced analysis via the
Azure Monitor diagnostics interface.
Mitigation policies: DDoS protection for a public IP applies automatic mitigation policies for TCP, TCP SYN
and UDP. You can view the policy thresholds by selecting the inbound packets to trigger DDoS mitigation
metric. As illustrated in this screenshot, the increases and decreases can clearly be seen, as well as the
expected baseline for incoming traffic.

The policy thresholds are automatically configured via machine learning based
network traffic profiling. DDoS mitigation occurs for an IP address under attack only when the
network traffic exceeds the limits specified in the policy. If the public IP address is under attack, you'll be
notified through the Under DDoS “Attack or Not” metric. Configuring an alert on this metric is recommended
so you'll be notified when an active DDoS mitigation is performed on your public IP address. The spikes on
the graph indicate incidents where potential attacks happened.
Web Application Firewalls: For resource attacks at the application layer, you should configure a Web
Application Firewall or WAF to help secure Web applications. A WAF inspects inbound Web traffic to block
attacks. Azure provides WAF as a feature of Azure application gateway for
centralized protection of your Web applications from common exploits and
vulnerabilities. There are also other WAF offerings available from Azure partners
that might be helpful.
Protection planning: Protection planning is not a feature of Azure DDoS protection, but a best practice for
subscribers to make the most of the features. It's essential for a subscriber to prepare for a DDoS attack and
understand how a system will perform under such circumstances. It is important to design an incident
management response plan as part of this effort.

For example, DDoS protection isn't automatically deployed, so if you have DDoS
protection, it is recommended to make sure that it's enabled on the virtual network
of Internet-facing endpoints. And configuring DDoS alerts can help constantly
monitor potential attacks on the infrastructure. Independent monitoring of
applications is also advised. Knowing the normal behavior of an application can
help you prepare for any deviations during a DDoS attack and take prompt action .
In this lesson, you learned about the key features of DDoS protection and the best practice of protection
planning. Azure DDoS protection constantly monitors traffic utilization and initiates mitigation when the
traffic threshold is exceeded. It also uses automatic learning of per-customer traffic patterns and minimizes
false positives.

The rich telemetry provided by Azure DDoS protection can be used to configure alerts and integrate logging
with other monitoring services and Azure storage. You also learned how DDoS protection applies auto-tuned
mitigation policies and notifies you when a public IP address is under attack.

For resource attacks at the application layer, it is recommended to configure a web application firewall for
centralized protection. Finally, you learned about the importance of protection planning, which includes
designing an Incident Management Response Plan, ensuring DDoS protection is enabled on virtual network
endpoints, and independently monitoring applications to understand their normal behavior. Overall, Azure
DDoS protection provides a comprehensive solution for protecting against DDoS attacks.

Azure DDoS Network Protection in detail

Introduction So far in this lesson you have learned about Azure DDoS Protection, how to configure it, and
features and best practices. In this reading, you will learn about Azure DDoS Protection reference
architecture for Windows and Linux virtual machines and how you can monitor your Azure DDoS Protection
for potential security threats.

Azure offers DDoS Protection to mitigate distributed denial-of-service (DDoS) attacks. However, before you
explore reference architecture, you should be aware of its limitations. Public IP resources attached
to a Virtual Network Gateway (NAT Gateway) are not protected. Most PaaS
services are supported, but there are some exceptions. Ones that aren’t protected
include Azure App Service Environment for Power Apps, Azure Virtual WAN, and
Azure API Management in deployment modes other than the ones discussed here.
Most other PaaS services with public IP are currently supported, but DDoS Network Protection
can’t protect PaaS services without public IP addresses. Furthermore, DDoS IP Protection
can only perform public IP Standard and Premium SKU protection, while DDoS Network Protection protects
not only Basic SKU but also Standard and Premium SKUs.

Note: SKU stands for Stock Keeping Unit, which is a unique identifier used by
businesses to internally track and manage inventory or products. In the context of
cloud services such as Azure, SKU refers to a specific configuration or set of features
offered for a particular service or product. Each SKU has its own pricing and
availability options, and customers can choose the SKU that best fits their needs
and budget. For example, Azure offers different SKUs for its virtual machines, with
varying amounts of processing power, memory, and storage capacity.
Reference architecture is a framework that provides guidance and best practices
for designing and building a system or solution. It showcases a proven set of
practices for deploying multiple Windows virtual machines in a scale set with a
load balancer for improved scalability and availability. This architecture can be
applied to any stateless workload, such as a web server, which refers to an
application or system that doesn't rely on or store any previous state or data,
allowing for easier maintenance and scaling.
For virtual machine workloads, Azure provides reference architectures for DDoS
Network Protection and DDoS IP Protection. The reference architecture involves
enabling protections on the load balancer or public IP address. In the case of a
Windows N-tier architecture (An N-tier architecture divides an application into
logical layers and physical tiers. Layers are a way to separate responsibilities and
manage dependencies. Each layer has a specific responsibility. A higher layer can
use services in a lower layer, but not the other way around), OSI Layer 7 protection
can be achieved by deploying Application Gateway in the Web Application Firewall
SKU. Application Gateway is a web traffic load balancer that manages and secures
traffic to web applications.
Now let’s examine the reference architectures of DDoS Network Protection and DDoS IP Protection.

Application running on load-balanced virtual machines

DDoS Network Protection virtual machine architecture

In this architecture, a workload is distributed across multiple virtual machine instances. There's a single
public IP address, and internet traffic is distributed to the virtual machine through a load balancer. The load
balancer distributes incoming internet requests to the VM instances. Virtual machine scale sets allow the
number of VMs to be scaled in or out manually or automatically based on predefined rules. This is important
if the resource is under DDoS attack. DDoS Network Protection is enabled on the virtual network of the
Azure (internet) load balancer that has the public IP associated with it.

DDoS IP Protection virtual machine architecture

With this architecture, DDoS IP Protection is enabled on the frontend public IP address of a public load
balancer.

Application running on Windows N-tier There are many ways to implement an N-tier architecture. The
following diagrams show a typical three-tier web application. The web and business tiers use load-balanced
VMs.

DDoS Network Protection Windows N-tier architecture

In this architecture diagram, DDoS Network Protection is enabled on the virtual network. All public IPs in the
virtual network get DDoS protection for Layer 3 and 4. For Layer 7 protection, Application Gateway in the
WAF SKU needs to be deployed.
DDoS IP Protection Windows N-tier architecture

In this architecture diagram DDoS IP Protection is enabled on the public IP address.

Now that you’ve learned about the reference architectures, it's essential to go through the steps
of monitoring Azure DDoS Protection for security issues and viewing metrics from the DDoS protection plan.
 Monitor Azure DDoS Protection for security issues
View metrics of the DDoS protection plan

1. Sign in to the Azure portal and select your DDoS protection plan.

2. On the Azure portal menu, select or search for and select DDoS protection plans, then select your DDoS
protection plan.

3. Under Monitoring, select Metrics.

4. Select Add metric, then select Scope.

5. In the Select a scope menu, select the Subscription that contains the public IP address you want to log.

6. Select Public IP Address for Resource type, then select the specific public IP address you want to log metrics for,
and then select Apply.

7. For Metric, select Under DDoS attack or not.

8. Select the Aggregation type as Max.

You can refer to the screenshot below to determine where the settings options that need to be set up are.

View metrics of the virtual network

1. Sign in to the Azure portal and browse to your virtual network that has DDoS protection enabled.

2. Under Monitoring, select Metrics.

3. Select Add metric, then select Scope.

4. In the Select a scope menu, select the Subscription that contains the public IP address you want to log.

5. Select Public IP Address for Resource type, then select the specific public IP address you want to log metrics for,
and then select Apply.

6. Under Metric, select your chosen metric, then under Aggregation, select type as Max.

Note: To filter IP Addresses select Add filter. Under Property, select Protected IP Address, and the operator
should be set to =. Under Values, you will see a dropdown of public IP addresses, associated with the virtual
network, that are protected by Azure DDoS Protection.
 The image below illustrates how you view metrics in DDoS telemetry.

View metrics from Public IP address

1. Sign in to the Azure portal and browse to your public IP address.

2. On the Azure portal menu, select or search for and select Public IP addresses, then select your public IP address.

3. Under Monitoring, select Metrics.

4. Select Add metric, then select Scope.

5. In the Select a scope menu, select the Subscription that contains the public IP address you want to log.

6. Select Public IP Address for Resource type, then select the specific public IP address you want to log metrics for,
and then select Apply.

7. Under Metric, select your chosen metric, then under Aggregation, select type as Max.

Note: When changing DDoS IP protection from enabled to disabled, telemetry for the public IP resource will not be
available.

Conclusion In conclusion, the reference architectures for deploying multiple Windows virtual machines in a
scale set with a load balancer provide a proven set of practices for improving scalability and availability
of stateless workloads such as web servers. By enabling DDoS Network Protection and DDoS IP
Protection on the virtual network and public IP address, respectively, organizations can further enhance
their security posture against DDoS attacks. Additionally, monitoring Azure DDoS Protection for security
issues and viewing metrics from the DDoS protection plan is crucial in detecting and mitigating potential
DDoS attacks. With the use of Azure's powerful tools and features, organizations can better protect their workloads
and ensure business continuity.
Azure and virtual machines
As one of Azure's on-demand scalable computing resources, virtual machines offer users greater control over
their computing environment. This lesson provides an overview of virtual machine considerations and uses.

Before creating a virtual machine, several factors should be considered such as resource names, locations, sizes
and pricing. It is crucial to choose the appropriate size as it will affect processing power, memory, storage
capacity, and network bandwidth. Remember that the region you select for your virtual machine affects the
latency and performance for your end-users and determines the physical location where your virtual machine
runs.

Availability options such as availability sets and availability zones provide redundancy and high availability for
your virtual machine to ensure that it remains available even if there is a failure on a physical host or in a
datacenter.

The VM size you select for your virtual machine determines the amount of CPU, memory, and storage resources
available for your workload and can affect the performance and cost of your virtual machine.

An Azure virtual machine gives you the flexibility of virtualization without having to buy and maintain the
physical hardware that runs it. However, you still need to maintain the virtual machine by performing tasks such
as configuring, installing, and patching the software that runs on it.

Azure virtual machines are a cost-effective and flexible solution that can be used in various ways. Some examples
are to develop and test. Azure virtual machines offer a quick and easy way to create a computer with specific
configurations required to code and test an application. You can also run applications in the Cloud. Because
demand for your application can fluctuate, it might make economic sense to run it on a virtual machine in Azure.
You pay for extra virtual machines when you need them and shut them down when you don't.

You could also create an extended datacenter. Virtual machines in an Azure virtual network can easily be
connected to your organization's network.

In conclusion, Azure Virtual Machines are a powerful, cost-effective, and flexible solution for a variety of
computing needs. With greater control over the computing environment, users can choose the appropriate size
and pricing to match their specific requirements. While maintaining the virtual machine is necessary, it is far less
cumbersome than managing physical hardware. From development and testing to Cloud-based applications and
extended datacenters, virtual machines offer a multitude of use cases that can be easily scaled up to meet
growing demands.

Spinning up a virtual machine

In this video, you will learn how to create a virtual machine in Azure and explore the concepts of region,
availability and VM size.

Step one is to log into the Azure Portal.

Step two is to create a new virtual machine. Once you are signed into the Azure Portal, select the Create a
Resource button located on the left-hand side of the screen. Search for virtual machine and select Create.

Step three is to fill out the Basics tab. In the Basics tab of the Create a Virtual Machine Wizard, fill out the
following information, that is subscription select the subscription you want to use, Resource Group select an
existing resource group or create a new one. Virtual Machine Name, enter a name for your virtual machine.
Select a region that is closest to you or your end users.

Step four is to choose your Availability options. In the Basics tab, you can choose between four Availability
options.
  No Infrastructure Redundancy Required: this option is suitable for noncritical workloads or when you do
not require any redundancy or high availability.
 Availability Zone: this option is suitable for critical workloads or when you require high availability and
redundancy.
 Virtual Machine Scale Set: this option in Azure allows you to easily deploy and manage a group of
identical load-balanced VMs that are automatically scale-based on demand.
 Availability Set: this option is suitable for workloads that require some level of redundancy and
availability, but do not require the high Availability provided by the Availability Zone.

Step five is to choose the image and size. In the Basics tab select Windows Server 2022 Data Center Azure Edition
X64 Gen2 as the image and select an appropriate size for your virtual machine, based on your workload
requirements and budget.

Step six is to enter a username and password. Enter a username and strong password that meets the Azure
password requirements.

Step seven is to configure disks and networking. Head over to the Disks tab and configure your virtual machine
storage settings. In Microsoft Azure this is accomplished using Managed Disk, which provide a simplified storage
solution for your virtual machines. By using Managed Disk, you can offload storage management tasks to Azure,
eliminating the need to configure and manage storage accounts yourself. In the Next tab, Networking, you will
need to create a new virtual network or select an existing one. Create a new subnet or select an existing one and
create a new public IP address or select an existing one. Now you can select the Create button to create your
virtual machine.

You have to wait for Azure to deploy and provision your virtual machine, which may take a few minutes. Once
the deployment is complete, you can go to Resource and you'll note that the virtual machine is ready and
running. By following these steps, you have created a virtual machine in Microsoft Azure and explored the
concepts of region, availability options and VM core size. Congratulations, you have successfully spun up a virtual
machine in Azure.

Exemplar: Create a Windows virtual machine in the Azure portal

Case study In this exercise you had to create a Windows virtual machine in Azure to host a new
website for Sam’s Scoops. You deployed the virtual machine for the Sam’s Scoops web server using the
virtual network Web_Server on a 172.16.1.0 subnet. This virtual machine was named
"SamScoopsWeb".

This exemplar will guide you through the steps of the exercise with screenshots that demonstrate the
correct actions that you had to take.

Azure User Interface Given the dynamic nature of Microsoft Cloud tools, you might experience
changes in the Azure User Interface (UI) that have taken place after the development of this training
content. As a result, the screenshots in the videos, readings, or exercises might not align exactly with how
you experience the UI. However, please note that these changes do not impact the functionalities of the UI.
Hence, you will still be able to perform all the steps shown in that video, reading, or exercise.

Create the network and resource group

Step 1
Sign into the Azure portal with your credentials.

Step 2

In the Azure portal menu, select the Create a resource button located on the left-hand side of the
screen.

Step 3 Next, search for "Virtual network" in the search bar, select Virtual network from the results
and select Create.
Step 4

In the Basics tab of the Create a virtual network wizard, fill out the following information:

1. Subscription: the subscription that you want to use.

2. Resource group: Create new and enter "RG_Web_Server" as the name of the new resource
group.
3. Name: Enter "Web_Server" as the name of the virtual network.
4. Region: the region that is closest to you.
Step 5

1. Select IP addresses.
 1. Delete the default address space by selecting the dots (...) next to Add a Subnet and select
Delete Address Space.
2. There is a warning: You must add at least one address space to the virtual
network.
3. Select Add an Address Space.
4. Fill in starting address: 172.16.1.0
5. Fill in address space size: /24 (256 Addresses).
6. Select Add.

Step 6 Now, a Subnet has to be added.

1. Select + Add a subnet.

2. Leave the details as default and select Add.

Step 7 Select the Review+ create button to review the settings.

Step 8 Select the Create button to create the virtual network.

At this stage there should be a notification that says Deployment in progress. When the deployment
is completed it should say Your deployment is complete.
Once the virtual network is created, you can proceed with creating the virtual machine for the Sam’s Scoops
web server.

Create the virtual machine

Step 1 Sign in to the Azure portal with your credentials.

Step 2 In the Azure portal menu, select the Create a resource button located on the left-hand side
of the screen.

Step 3 Search for "Windows Server" in the search bar and select Windows Server from the results.
 1. Select the Create and select Windows Server 2022 Datacenter: Azure Edition.

Step 4 In the Basics tab of the Create a virtual machine wizard, fill out the following information:

1. Subscription: The subscription that you want to use.

2. Resource group: The existing resource group, RG_Web_Server.
3. Virtual machine name: Enter "SamScoopsWeb".
4. Region: The region that is closest to you.
5. Image: Windows Server 2022 Datacenter –x64 Gen2.
6. Size: An appropriate size for your virtual machine. It will be good idea to cheapest option for this
exercise.
7. Username: AzAdmin
8. Password: P@$$@1234567
9. Confirm Password: P@$$@1234567
Step 5 Select the Next: Disks button to proceed to the Disks tab.

Step 6 Leave the default settings for OS disk and select the Next: Networking button to proceed to
the Networking tab.
Step 7 In the Networking tab, select the following settings:

1. Virtual network: Web_Server.

2. Subnet: default.
3. Public IP: Create new and enter a name for the new public IP address.
4. NIC network security group: Leave the default setting.

Step 8 Select the Next: Management button to proceed to the Management tab.

Step 9 In the Management tab, leave the default settings and select the Next: Monitoring
button to proceed to the Monitoring tab. Leave everything as default. Then select the Next:
Advanced button to proceed to the Advanced tab.
Step 10 In the Advanced tab, leave the default settings and select the Review + create button.
Step 11 Review the settings for your virtual machine and select the Create button to create your
virtual machine and wait for deployment.

Step 12 Wait for the deployment to complete.

Well done. The virtual machine is now deployed. You are now ready for the next phase where you need to
connect to the virtual machine.

Connect to virtual machine

Step 1 Once the deployment is complete, select the Go to resource button to navigate to the virtual
machine page.
Step 2 On the virtual machine page, select the Connect button.

Step 3 Select RDP from the options menu to download the RDP file. Select Download RDP file.

Step 4 Open the downloaded RDP file and connect by using the credentials you have set while creating
the virtual machine to connect to the virtual machine.
You have now created a Windows virtual machine in the Azure portal for SamScoopsWeb. You should
be presented with the desktop of the Windows server.
Clean-up If you are using your own Azure subscription, it is recommended that you follow the clean-up
instructions to stop compute resources after completing each lesson. When you're working in your own
subscription, it's also a good idea at the end of a project to identify whether you still need the resources you
created. Resources left running can cost you money. You can delete resources individually or delete the
resource group to delete the entire set of resources. Please refer to the reading, Clean up resources for
instructions on how to delete resources after you've completed the exercise.

Conclusion By following these steps, you have created a Windows virtual machine in the Azure portal,
and installed a web server.

Azure Cloud Shell

Azure Cloud Shell is an interactive, authenticated, browser-accessible terminal for
managing Azure resources. It provides the flexibility of choosing the shell experience
that best suits the way you work, either Bash or PowerShell.

Cloud Shell runs on a temporary host provided on a per-session, per-user basis. Your
Cloud Shell session times out after 20 minutes without interactive activity. Cloud Shell
persists your files in your $HOME location using a 5-GB file share.

Multiple access points Cloud Shell is a flexible tool that can be used from:

 portal.azure.com
 shell.azure.com
 Azure CLI documentation
 Azure PowerShell documentation
 Azure mobile app
 Visual Studio Code Azure Account extension

Authenticated and configured Azure workstation

Microsoft manages Cloud Shell so you don't have to. Cloud Shell comes with popular
command-line tools and language support. Cloud Shell automatically securely
authenticates for instant access to your resources through the Azure CLI or Azure
PowerShell cmdlets. See the list of tools installed in Cloud Shell.

Cloud Shell offers an integrated graphical text editor so you can create and edit files for
seamless deployment through Azure CLI or Azure PowerShell. For more information,
see Using the Azure Cloud Shell editor.

Security and compliance

 Encryption at rest

All Cloud Shell infrastructure is compliant with double encryption at rest by

default. You don't have to configure anything.
  Shell permissions

Your user account has the permissions of a regular Linux user.

Pricing Use of the machine hosting Cloud Shell is free. Cloud Shell requires a
storage account to host the mounted Azure Files share. Regular storage costs apply.

SETTING UP CLOUDSHELL (Cloudshell must be registered)

1. Sign in to the Azure portal.

2. On the Azure portal menu, search for Subscriptions. Select it from the available options.

3. On the Subscriptions page, select your subscription.

4. On your subscription page, expand Settings in left menu and select Resource providers.

5. In the Filter by name... box, enter cloudshell to search for the resource provider.

6. Select the Microsoft.CloudShell resource provider from the provider list.

7. Select Register to change the status from unregistered to Registered.

Start Cloud Shell

1. Launch Cloud Shell from the top navigation of the Azure portal.

The first time you start Cloud Shell you're prompted to create an Azure Storage
account for the Azure file share.

2. Select the Subscription used to create the storage account and file share.
3. Select Create storage.

Note By following these steps, Cloud Shell creates a standard storage account and
allocates 5 GB of storage for the file share. You can also create a storage account
manually and specify the storage account and file share to use. If you use a Premium
storage account, Cloud Shell allocates 100 GB of storage for the file share.

Select your shell environment Cloud Shell allows you to select

either Bash or PowerShell for your command-line experience.

Set your subscription

1. List subscriptions you have access to.

 o Azure CLI
o Azure PowerShell
Azure CLICopy
Open Cloud Shell
az account list

2. Set your preferred subscription:

o Azure CLI
o Azure PowerShell
Azure CLICopy
Open Cloud Shell
az account set --subscription 'my-subscription-name'

Tip

Your subscription is remembered for future sessions

using /home/<user>/.azure/azureProfile.json.

Get a list of Azure commands

 Azure CLI
 Azure PowerShell
Run the following command to see a list of all Azure CLI commands.
Azure CLICopy
Open Cloud Shell
az

Run the following command to get a list of Azure CLI commands that apply to WebApps:

Azure CLICopy
Open Cloud Shell
az webapp --help

Why would someone need to deploy a windows server with Active Directory in Azure when Azure has active directory
incorporated within it?

ChatGPT said:

Great question—and it's one that confuses a lot of people at first, especially because Azure Active Directory (Azure AD)
and Windows Server Active Directory (AD DS) sound like they should be the same thing. But they serve different
purposes, and sometimes you still need to deploy a Windows Server with AD DS in Azure. Here's the breakdown:

🧠 Core Difference:

 Windows Server Active Directory (AD DS): Traditional, domain-based identity management for on-premises
networks (or cloud VMs simulating one).
  Azure Active Directory (Azure AD): Cloud-based identity and access management for cloud resources (like Office
365, Azure services, SaaS apps).

🧱 Why Deploy Windows Server AD DS in Azure?

✅ 1. Legacy Application Compatibility

Some older or enterprise-grade apps require a traditional domain environment—things like Kerberos authentication,
Group Policy Objects (GPOs), or LDAP. Azure AD doesn't support those directly.

✅ 2. Lift-and-Shift Migrations

If you're moving on-prem infrastructure to Azure (rehosting VMs), your servers still expect a domain controller. You’d
need to deploy a Windows Server with AD DS to maintain the same environment.

✅ 3. Hybrid Environments

A lot of businesses use Hybrid Identity—they sync on-prem AD with Azure AD using Azure AD Connect. If they want to
go cloud-only but keep traditional AD functionality, they’ll set up a domain controller in Azure.

✅ 4. Group Policy Needs

Azure AD has some device configuration ability via Intune, but it doesn’t fully replace Group Policy Objects (GPOs) that
are widely used in AD DS environments.

✅ 5. Authentication for VMs in Azure

If you want Azure VMs (e.g., Windows Server VMs) to join a domain and apply domain policies, you need AD DS. Azure
AD Join only works for Windows 10/11/Server 2022+ in a more limited way.

⚠️Azure AD Limitations (compared to AD DS):

Feature Azure AD Windows Server AD DS

Kerberos/NTLM ❌ Not supported ✅ Yes

Group Policy ❌ No ✅ Yes

LDAP ❌ No ✅ Yes

Domain Join (classic) ❌ No (partial) ✅ Yes

Organizational Units (OUs) ❌ No ✅ Yes

On-prem apps integration ❌ Limited ✅ Yes

🧩 Summary:

You’d deploy a Windows Server with AD in Azure when you still need traditional domain services that Azure AD doesn’t
offer—whether for legacy support, lift-and-shift, or hybrid identity strategies.

Azure networking
Microsoft Azure provides many resources and services that can replace or complement on-premise services. Like on-
premise services are provided over a network to allow communication between services and network components,
Microsoft Azure also uses networks for services. However, these networks are virtual networks or VNets.

Over the next few minutes, you'll learn about the components of an Azure Virtual Network and how they are
interconnected to allow different services within Microsoft Azure to communicate.

Azure Virtual Networks, or VNets, are the fundamental building blocks of a private network in Azure. Similar to an on-
premises network that uses a switch to interconnect devices, VNets enabling you to build complex virtual networks. But
the additional benefits of using VNets compared to on-premises networks are their scalability, availability, and isolation
as part of Azure Infrastructure.

Virtual Networks can connect to virtual machines and other Azure resources, such as the App Service Environment,
Azure Kubernetes service, or firewall services. VNets can also connect to other Azure resource types, such as Azure SQL
databases and storage accounts. Ultimately, Azure VNets enable resources in Azure to securely communicate with each
other, the Internet and on-premises networks. All resources in a VNet can communicate outbound to the Internet by
default. You can communicate inbound to resource by assigning a public IP address or a public load balancer to it.
When adding resources on Azure, it is good practice to add resources used for related tasks to a resource group to keep
them separate from others. Resource groups act as logical containers into which Azure resources, like web apps, virtual
networks, and storage accounts are deployed and managed.

Like an on-premises network, a VNet can consist of multiple subnets, but we'll also have a network security group or NSG
for each subnet you create. A Network Security Group allows you to filter the inbound and outbound traffic through your
virtual network or subnet. You can also use NSGs to filter traffic by source and destination, IP address, port, or protocol.

Just like physical networks, different subnets in VNets need to be able to talk to each other. Can you recall what network
device allows two subnets to communicate in a physical network? That's right, a router. How does it work with VNets?
The simplest and quickest way to connect virtual networks is by using Azure Virtual Network peering. It enables you to
connect to Azure Virtual Networks and provide routing capabilities just like a router does in an on-premise network.

Peer virtual networks operate as a single connected network. There are two types of peering: regional and global
virtual network peering. Regional virtual network peering connects Azure Virtual Networks that exist in the same
physical region, like West US or East US. Whereas global virtual network peering connects the regional virtual
networks.
Now that you understand what VNets are, let's discuss the Azure network topology: the hub-spoke network. Hub-spoke
networks are commonly used for hybrid Cloud architectures. In a hub-spoke network, a central virtual network called
the hub, is connected to several other virtual networks called the spokes.

This type of network can be simpler to implement and maintain in the long term compared to interconnecting lots of
spokes together. The hub acts as a central location for managing external connectivity into and out of Azure and
coordinates all communications to and from the spokes. It also hosts services that can be used by multiple spoke
networks across Azure. In this way, the hub-and-spoke topology gives companies IT departments an effective way to
centrally enforce security policies. The spokes host different services known as workloads and connect to the central hub
through virtual network peering.

Let's examine an example of a hub-spoke network with two VNets, each with a different workload, one for a website and
one for a quote app. Both VNets or spokes are connected to a central hub. The hub provides a firewall and DDos
protection that is connected to the Internet and on-premise offices.

So far, you've learned that VNets are essential in building out a comprehensive network in the Cloud and utilizing Azure
services across your network. But how can businesses with on-premise networks start using VNets?

Azure makes it possible to connect on-premise computers and networks to a virtual network using any of the following
options:

 Point-to-site virtual private network

 Site-to-site VPN
 Azure ExpressRoute

When working towards integrating your on-premises network with Azure, you need a bridge between the two networks.
Azure VPN Gateway provides this functionality.

A VPN gateway sends encrypted traffic between the two networks over the Internet. Gateways support multiple
connections that route the VPN tunnels through the available bandwidth. Although a virtual network can only have one
gateway assigned, you can also use a VPN gateway network to network connections in Azure.

Azure ExpressRoute is another option to consider for bridging. ExpressRoute allows you to extend your on-premises
networks over a private connection to Azure. This connection is facilitated by a connectivity or Cloud exchange provider
express route extends wider than just Azure resources and allows you to establish connections to other Microsoft Cloud
services like Office 365.

In this lesson, you learned that

network connectivity is key to
delivering services on-premises,
but it's just as important in the
Cloud. Microsoft Azure uses
virtual networks or VNets to
provide this connectivity to
services. Azure Virtual Networks
enables you to create subnets
and add additional network
filtering via network security
groups, NSGs. These different
virtual networks can be connected together using Virtual Network peering within Azure regions and globally. Each of
these VNets creates spokes that can all connect to a hub. Hub-spoke networks forms the foundations of an Azure
network. You should now have a deeper understanding of Azure infrastructure and how different components interact.
This knowledge will help you with the planning and implementation of security measures for Cloud infrastructure.

AZURE FIREWALL
With ever more cybersecurity threats around the world, protecting data and users should always be a priority on any
network. Firewalls have always been a key part of a network defense strategy, and it's no different when using cloud
technologies and Microsoft Azure. Over the next few minutes, you will learn about the features of the Azure Firewall,
and how it integrates with other Azure services to provide protection.

Azure Firewall is a cloud-based security service managed by Microsoft. It protects Azure virtual networks and their
resources by letting you manage and enforce connectivity policies centrally. Like all firewalls, Azure Firewall acts as a
shield for your Azure virtual network, allowing only legitimate incoming and outgoing traffic while denying unauthorized
or unknown traffic. You can configure Azure Firewall with filtering rules according to different parameters. These include
source and destination IP address, port, and protocol. Azure Firewall is a fully stateful network firewall that tracks the
operating state and the characteristics of network connections traversing it.

For Azure Firewall to do its job effectively, you must set it up as a barrier between a trusted network you want to protect
and an untrusted network that offers potential threats. Most commonly, you deploy Azure Firewall as a barrier between
your Azure Virtual network and the Internet. You can deploy Azure Firewall within a subnet of a single Azure Virtual
network. However, in most configurations, Azure Firewall is provisioned inside a hub of a virtual network. This provides
the optimal position to build a security policy. Because all traffic to and from the spoke VNETs on-premises networks and
the internet can be filtered at this point.

Let's move on to discuss the deployment of Azure Firewalls. Interestingly, an Azure Firewall is deployed with two IP
addresses. A public IP address to which all inbound traffic is sent, and a private IP address to which all outbound traffic is
sent. All
traffic inbound and outbound goes through the firewall. By default, the
firewall denies access to everything. It's up to the network administrators to
configure the firewall with the conditions under which the traffic is allowed
through the firewall. Each condition is called a rule, and each rule applies one or
more checks on the data. Only traffic that passes every check in all the rules is
allowed to pass through. By placing the Azure Firewall at the hub of the network, the firewall can filter traffic
whether it is coming directly from the Internet, from an on-premise network or from different spokes or VNETs. For
example, a business could run a web server within spoke one and only allow network traffic on ports 80 and 443 for the
web service, thereby reducing the risk from threats.

Azure caters for a wide range of security needs. The Azure Firewall has three different SKUs to choose from based on
specific business needs, basic, standard, and premium:

 Azure Firewall Basic is ideal for small to medium-sized businesses that only have a few virtual machines and
need protection for low data throughput demands typically less than 250 megabits per second.
 Azure Firewall Standard is recommended for customers that have multiple virtual machines, and therefore
require auto-scaling to handle peak traffic periods of up to 30 gigabits per second. This option provides
protection for OSI layer 3-7 processes, which is the network to application layer. The standard option also
supports enterprise features like Threat Intelligence, Domain Name System or DNS proxy, Custom DNS, and Web
categories.
 Azure Firewall Premium provides the most comprehensive cover and is for customers who need to secure highly
sensitive applications such as payment processing. In addition to all features of the Azure Firewall standard, it
also supports advanced threat protection capabilities.

In this lesson, you've learned that Azure Firewall protects virtual networks within Microsoft Azure and is typically set up
within the hub of a network. This position enables it to filter traffic to and from the Internet and on-premise networks.
Additionally, from this position, it can also protect services that are hosted within network spokes. By setting up deny
and access rules, Azure Firewall can filter traffic according to source and destination IP address, port, and protocol. Using
a firewall to guard the entrance to your virtual network is a significant part of your cloud security strategy. And Azure
Firewall offers many useful features and levels of SKUs for keeping your virtual network guarded from malicious traffic.

AZURE FIREWALL STANDARD AND BASIC

Previously you learned that Microsoft Azure Firewall, has different SKUs offering different levels of protection, but there
are certain factors that determine what SKU will be optimal for a network.

Imagine a website where fans can book tickets for soccer matches. Soccer is a very popular sport, so websites like these
have a large amount of user data and handle thousands of online transactions, and that makes it a lucrative target for
cyber attacks. Ticket sales are significantly higher for the soccer finals than during the rest of the season. They need a
firewall that can scale according to the fluctuation in data traffic. It sounds like Microsoft Azure Firewall is the perfect
option for this kind of website.

In this lesson, you will learn about key features of the different firewall levels, and specifically focus on how Azure
Firewall Standard protects networks.

Earlier, you learned that all Azure Firewalls can filter traffic based on one or more of the following three network
parameters: IP address, Port and Protocol. For example, you might use a network rule to allow outbound traffic to access
a particular DNS server at a specified IP address. Like 168.63.129.16, using Port 53 and the UDP Protocol.

All Azure Firewalls can also filter traffic based on a fully qualified domain name or FQDN. For example, you might use an
application rule to allow outbound traffic to access a server within the Sam' Scoops network using the FQDN
icecream.samscoops.com.

But there are some significant differences between the basic and standard Azure Firewall SKUs. For starters, one of the
big differences is how they scale. The basic version can only scale to allow a maximum data throughput of 250 megabits
per second, for example, handling traffic for a text-based website, whereas the standard firewall can scale to 30 gigabits
per second to accommodate changing network traffic flows. This is ideal for video-on-demand websites. This means that
with the standard option, businesses like the soccer ticket vendor don't need to worry if traffic levels to their Cloud
networks increase or decrease.

The second big difference is that the basic firewall only supports threat intelligence alerts, whereas the standard
supports threat intelligence-based filtering. This means that the standard firewall will alert you to traffic going to or
coming from flagged malicious IP addresses and domains, but also automatically deny its passing. But how does Azure
Standard Firewall know about these flagged IP addresses and domains? It uses continuous data streams that provide
information on threats that can affect an organization's security. This is known as the Microsoft Threat Intelligence feed.
This feed is generated from multiple sources, including the Microsoft cybersecurity team. It comprises a list of Indicators
of Compromise or IOCs, that includes malicious URLs, malware hashes, and malicious email and IP addresses related to
attacks worldwide.
As Microsoft gathers this data, it's fed into its security devices such as firewalls, by automatically creating rules to
block threats that have been detected anywhere in the world. Getting alerts about threats will benefit the soccer ticket
vendor, but they can benefit even more from automatic protection against these threats. The standard firewall also has
additional features that simplify administrative tasks. For example, the web categories feature lets administrators allow
or deny user access to entire categories of websites, such as gambling websites, social media websites and others.

In this video, you learned that the basic Azure Firewall provides useful filtering tools, just like an on-premises firewall,
whereas the standard firewall uses Cloud-enabled scalability to deal with traffic demand fluctuations. The standard
firewall also differs from the basic, with additional automation features and threat intelligence-based filtering.
Additionally, features like web categories make the standard firewall easier to manage. It is important to understand the
features of different Azure Firewall SKUs to determine what option will work best for different businesses. You now know
about the major differences between the basic and standard firewall but be sure to explore the complete list of
differences between the different SKUs, and the additional resources reading at the end of this lesson.

Web Application Firewall

Can you imagine managing your social or work life without using apps? There are millions of web applications that
people use every day, and because of their popularity, they are a major target for cyber-attacks. Did you know that bots,
or cyber attackers probe new web apps for weaknesses within minutes of deployment? In fact, as soon as an app
launches, threat actors start testing it for vulnerabilities. Such probes will most likely continue for the lifetime of the app.

This has major implications for Sam's Scoops’ new web app, which is going to launch soon. Sam can request the app
developers to build custom protection, but that will be difficult and time consuming. Additionally, attackers come up with
new methods all the time. This means developing protection for the app will be a continuous process to keep up with the
latest threats.

Fortunately, Azure has a tool specifically developed for app security that can overcome these challenges: Azure Web
Application Firewall. In this lesson, you will learn how the Azure Web Application firewall protects web applications from
common exploits and vulnerabilities.

Let's start by discussing how the Azure Web Application firewall forms part of the Azure services you can use to develop
and deploy a web app. Why? Now you should know that Azure app services can be used to quickly build and deploy a
web app that's available on the Internet. Services such as Azure SQL database and Azure Active Directory provide data
and authentication for web apps.

To complete the service offering, Microsoft also offers protection for web apps with the Azure Web Application firewall.
It provides centralized protection for web applications from common attacks such as SQL injection and cross site
scripting. Let's consider an example. Most users of Sam's Scoops web app will only be able to access data such as the
menu prices, and delivery information. Some of Sam's employees, on the other hand, will be authorized to sign in and
also access account information and other vulnerable data.

In each case, users can only access the data that the web app allows them to access. A proper access control system will
protect data from unauthorized access. But web app security is not that simple. There are many common exploits that
malicious hackers and bots might use to target these vulnerabilities to gain unauthorized access to the app. By gaining
access to your network, attackers can steal, corrupt, or destroy your data.

Developers could spend countless hours protecting Sam's Scoops web app against these exploits. However, it's easier,
faster, and more efficient to deploy the Azure Web Application firewall. The Azure Web Application firewall has been
configured by Microsoft's team of security experts to defend against common exploits, and it's constantly updated to
defend against new threats. But how exactly does it work? The firewall sits between the Internet and the web app to
provide centralized protection of Azure hosted web apps. Azure Web Application firewall protects web apps from
common threats and only allows authorized users through to the application.
A great advantage of the Azure Web Application firewall is that you can deploy it in minutes. This means that the
Sam's Scoops web app can get powerful protection from known threats immediately, without writing a single line of
security code. It's that great.

In this lesson, you learned that because web applications are so popular, they are a major target for cybersecurity
attacks. With so many different and new attack methods that constantly arise, it is a continuous, difficult, expensive, and
time-consuming process to develop protection for web apps. In contrast, the Azure Web Application firewall can be
deployed in minutes to instantly provide powerful protection for Azure-hosted web apps against hundreds of common
exploits. What's more, Microsoft updates the web application firewall continuously to provide protection from the latest
exploits. That's why it's a better security option for Sam's Scoops’ new web app.

AZURE FIREWALL IN DEPTH

Introduction Previously you have been introduced to the different firewall SKUs that Microsoft Azure can provide, from
the Basic and Standard Azure firewalls offering Virtual network protection to the more specific Web Application Firewall
protecting web applications from web-specific attacks. In this reading, you will explore the Basic and Standard Azure
Firewall in more depth, specifically its role in providing cloud-based network security.

Azure Firewall For Azure Firewall to do its job effectively, you must set it up as a barrier between a trusted network you
want to protect and an untrusted network that offers potential threats. You commonly deploy Azure Firewall as a
barrier between your Azure virtual network and the Internet.

Azure Firewall is best deployed using a hub and spoke network topology with the following characteristics:

 A virtual network that acts as the central connectivity point. This is the hub virtual network.

 One or more virtual networks that are peered to the hub. These peers are the spoke virtual networks used to
provision workload servers.

Like illustrated in the image below, you deploy the firewall instance in a subnet of the hub virtual network and then
configure all inbound and outbound traffic to go through the firewall.
Network address translation In addition to the Threat Intelligence (Threat Intel) application and network firewall rules,
the Azure firewall also uses network address translation (NAT) to translate public to private IP addresses and vice versa.

The type of NAT used depends on where the traffic is heading. For allowed inbound traffic, Azure Firewall uses
Destination NAT (DNAT) to translate the firewall's public IP address to the private IP address of the appropriate
destination resource in the virtual network. For allowed outbound traffic, Azure Firewall uses Source NAT (SNAT) to
translate the source IP address to the firewall's public IP address.

NAT is actually a firewall rule type, just like application and network rules, and it’s used to translate and filter traffic
based on public IP addresses. More on NAT can be found in the additional resources. The image below demonstrates
how to enable a remote desktop connection to a virtual machine. A NAT rule translates the firewall's public IP address
and port 3389 to the private IP address of the virtual machine.

Firewall rules and features below are additional features that can be used when deploying an Azure Firewall.

Rules Features

FQDN A fully qualified domain name or FQDN is a domain name of a host or one or more IP addresses. Adding
an FQDN to an application rule allows access to that domain. When you use an FQDN in an application
rule, you can use wild cards, such as *.google.com.

FQDN tag A group of well-known Microsoft FQDNs. Adding an FQDN tag to an application rule allows outbound
access to the tag's FQDNs. There are FQDN tags for Windows Update, Azure Virtual Desktop, Windows
Diagnostics, Azure Backup, and more. FQDN tags are managed by Microsoft and can't be created or
modified.

Service tag A group of IP address prefixes related to a specific Azure service. Adding a service tag to a network rule
allows access to the service represented by the tag. There are service tags for dozens of Azure services,
including Azure Backup, Azure Cosmos DB, Logic Apps, and more. Service tags are managed by
Microsoft and can't be created or modified.

IP groups A group of IP addresses, such as 10.2.0.0/16 or 10.1.0.0-10.1.0.31. You can use an IP group as the
source address in a NAT or application rule or as the source or destination address in a network rule.

Custom DNS A custom DNS server that resolves domain names to IP addresses. If you use a custom DNS server
rather than Azure DNS, you must also configure Azure Firewall as a DNS proxy.
 Rules Features

DNS proxy You can configure Azure Firewall to act as a DNS proxy, which means that all client DNS requests go
through the firewall before going to the DNS server.

Threats Some of the threats that these rules and features protect against within the Azure firewall include:

 Protecting your network against infiltration - Azure Firewall is designed to help prevent such intrusions. For
example, a malicious hacker might try to infiltrate the network by requesting access to a network resource. Azure
Firewall uses stateful inspection of network packets to examine the context of such requests. If a request is a
response to earlier legitimate activity, then the firewall will likely allow the request. But if a request comes
unexpectedly and has no relation to previous network activity, chances are good that it is an infiltration
attempt. In this case, the firewall will deny the request.

 Protecting your network against user error - Azure Firewall prevents attacks by using threat intelligence to
deny access to known malicious domains and IP addresses.

Azure firewall manager and firewall policies Azure Firewall Manager provides a central point of configuration and
management of multiple Azure Firewall instances. The image below illustrates how Azure Firewall Manager enables you
to create one or more firewall policies and rapidly apply them to multiple firewalls.

The configuration of a single Azure Firewall can be complicated. For example, the firewall might be configured with
multiple rule collections. A collection is a combination of any or all of the following items:

 One or more network address translation (NAT) rules.

 One or more network rules.

 One or more application rules.

When you include other firewall settings, such as custom DNS and threat intelligence rules, configuring just a single
firewall can be a burden. Adding to that burden are two common network security scenarios:

 Your network architectures require multiple firewalls.

  You want each firewall to implement both a base level of security rules that apply to everyone, plus special rules
for designated groups such as developers, database users, and the marketing department.

To simplify the complexity of managing these and similar firewall scenarios, you can implement firewall policies.
A firewall policy is an Azure resource that contains one or more collections of NAT, network, and application rules,
custom DNS settings, threat intelligence settings, and more.

The key point here is that Azure offers a resource called Firewall Policy. A firewall policy that you create is an instance of
that resource. As a separate resource, you can rapidly apply the policy to multiple firewalls using Azure Firewall
Manager. You can create one policy to be the base policy, then have more specialized policies inherit the base policy's
rules.

For Sam’s Scoops, the Firewall Manager will really help reduce the workload on the business when they need to expand
to multiple firewalls. This is because once the firewall policies have been set up, they can be applied to future firewall
devices, reducing the time to bring new services online.

Conclusion The Azure Firewall is a critical part of Azure cloud security, protecting VNets and services that are running on
them. Filtering of traffic is determined by application, network, and NAT rules. Additionally, NAT rules can provide access
to key resources too. By setting up a firewall policy, you can simplify the management of firewalls. It allows you to
control all firewalls through one interface rather than multiple firewall interfaces, reducing the risk of errors.

Activity: Resource group & VNet creation

Introduction In an earlier exercise, you built a virtual machine(VM) within Microsoft Azure for the Sam’s Scoops
webserver. But this virtual machine needs to be protected from cybersecurity threats. By now, you should know that
deploying the Azure Firewall is the best way to offer this protection since it acts as a shield for Azure Virtual Networks
(VNets) and all resources in them.

Earlier you learned that when adding resources on Azure, it is good practice to create resource groups for similar
resources to keep them separate from others. So, when configuring security devices in Azure, it’s best to add them to a
separate resource group. In this way, you can keep them separate from the virtual machine that you created earlier.

Before you learn how to deploy the Azure Firewall in a later exercise, this activity will guide you in creating an additional
resource group and virtual network (VNet). You will follow a different method of doing this than in the previous exercise.

During this lesson you also learned that it is important to centralize key devices such as a Firewall in a hub VNet. So, by
creating the additional VNet you will be extending the Sam’s Scoops network to a hub-spoke network and will therefore
have to set up VNet peering too. Let’s get started.

Case Study Now that Sam’s Scoops has a VM that will run the web server, it needs to be protected by a firewall. But this
means that the network needs to extend to a hub-spoke topology to position the firewall centrally, offering protection to
other services and spokes that might be added to the network later. You are tasked to configure this required network
setup.

Instructions For this exercise to be successful the exercise Create a Windows virtual machine in the Azure portal from
Lesson 2 has to have been completed and the machine still needs to be present. If not, please revisit that exercise first.

Step 1: Create a resource group Create a resource group called "Firewall". This resource group will be used to store
anything to do with the Sam’s Scoops firewall like VNets and centralized Azure security services.

1. Sign in to your Azure subscription.

2. On the Azure home page, select the Resource Groups service.

3. Click Create.
 4. Give the resource group the name "Firewall" and choose a Region near you.

5. Click on Review + create, and then on Create.

Tip: If you need help with this step, this Microsoft guide on how to create a resource group will be helpful.

Step 2: Create a VNet As discussed earlier, firewalls should protect many areas of the network so placing them in a
separate VNet at the hub of the network is a good idea. Add a new VNet called "Firewall-Hub" and create a 192.168.1.0
subnet.

1. On the Azure home page, select the Virtual Networks service.

2. Select Resource group Firewall created in Step 1.

3. Name the VNet "Firewall-Hub".

4. Choose the same region as your resource group.

5. Select Next and Next again.

6. Select on Add an IP address space and fill in the following details: For the address space select IPv4; For the
starting address enter 192.168.1.0 and for the address space size enter /24 and then click Add.

7. Delete any other address spaces.

8. Select Add subnet and use the name "AzureFirewallSubnet" and click Save.

And if you need additional help, use this Microsoft guide on how to create a VNet.

Step 3: VNet peering The Sam’s Scoops Azure network now has a Hub VNet and a spoke VNet containing the virtual
machine for the web server. You need to set up VNet peering to allow the two VNets to communicate with each other.

1. Select Virtual networks from the Azure services bar.

2. Select the Firewall-Hub VNet.

3. Select Peerings either on the left or on the middle of the page.

4. Select Add to add a new peering.

5. Name the peering "Hub-Web".

6. Leave the default settings and under Remote virtual network - peering link name type "Web-Hub".

7. Under the Virtual network dropdown, select Web_Server.

8. Select Add and the network peering will be setup.

Clean-up If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to
stop compute resources after completing each lesson. When you're working in your own subscription, it's also a good
idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost
you money. You can delete resources individually or delete the resource group to delete the entire set of resources.

Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
activity.

Conclusion By following the steps in this activity, you should have successfully created a Firewall resource group with a
Firewall-Hub VNet containing the AzureFirewall Subnet peered with the Web_Server VNet. This sets you up for the
following exercise in which you will configure the firewall.
DEPLOYING AN AZURE FIREWALL

By now you know that the Azure Firewall protects Azure services and VNets with different rules. It's time to learn how
this works in practice. In this lesson, you’ll deploy an Azure Firewall in the Azure portal.

On the Azure portal homepage, click Firewalls in the Azure services bar. Next, click Create Firewall. Once loaded, the
create firewall screen will display and it has a number of settings that you need to fill in for the initial firewall creation.

First, select your Azure subscription and the resource group you intend to use. In this case, the firewall resource group.
The firewall will need a name, typically something you will recognize in the future. For this example, give it the name of
FirewallTest. Next, you need to specify the Azure region in which the firewall should be deployed. In this example, use US
West. Notice that the Azure Firewall can be placed in a number of availability zones for redundancy but leave it as none.
You now have the choice between the different firewall SKUs from basic to premium. For this example, select the
standard firewall.
Previously, you learned that firewalls can be managed by a firewall policy. This is good when managing many firewalls but
since you're only configuring one firewall, choose “Firewall Rules” instead. Next, you need to specify the virtual network
on which the firewall needs to be. Select the VNet that we created previously, the FirewallHub VNet.

To get access to the Internet, the firewall need a public IP address, so you need to create a new address first. Click on
Add New and give it a name. In this case, firewall pub and click Okay. For this firewall deployment, you do not need force
tunneling to manage traffic, so leave it at the default disabled setting, then click Review plus create. On the next page,
you can review the settings that you just configured and if everything is in order, click Create.

Azure will now deploy the firewall, which will take a few minutes. At first, you will notice the public IP addresses that are
being created and then the firewall itself will be created. Once it's been deployed go to resource button appears, which
you can click to go straight to the firewall. Deploying the Azure standard firewall is one of the first steps in protecting
your Azure VNets on virtual machines. Careful planning will then be needed to move onto the next stage of firewall
configuration, taking into account what the firewall should be protecting and following an organization's security policy.

AZURE FIREWALL RULE CONFIGURATION

Once an Azure firewall has been deployed, you need to configure its NAT, network, and application rules. These rules will
determine how the firewall secures your Azure deployment and what traffic it allows through to your VNets and virtual
machines. In this lesson, you will learn how to set up each of these three types of firewall rules. You will also learn how
to change Microsoft Threat Intelligence from alert to alert and deny.

On the Azure portal homepage, click "Firewalls" in the Azure services bar, to go to the Firewall services page where you
will set up firewall rules. But before doing so, you need to get the firewall's new public IP address.
On the main page, click "Firewall public IP" and copy the IP address for later use. To go back to the main firewall page,
use the directory navigation at the top, then click on "Go to resource".

There are many settings that you can configure on the Firewall services page, but in this video, you will focus on creating
firewall rules. Click "Rules" in the left panel. Three tabs will appear for the three different rule collections. The NAT rule
collection, the network rule collection, and the application rule collection. Start by creating a NAT rule collection by
clicking on "Add NAT rule collection". All rule collections need a name and it's good practice to give them a name that
identifies the task they are fulfilling. In this case, just name it, NAT test.
Every rule needs a priority number which determines the order of processing. These numbers should be in increments of
100 between collections to allow you to insert new rules in between, for instance, at 150. In this example, use the
priority number of 200. You can create a number of rules under collection, but you are just going to create one. Call the
rule Nat1Web as it's going to translate the public IP to the web server's private IP. For the protocol, choose TCP and add a
star for the source IP, which means anything as the IP could be from anywhere in the world. Paste the firewall's public IP
address that you copied earlier in the space for the destination address. The destination port will be 443 for secure web
traffic, which will be translated into the address of the web server, 172.1.1.4. Keep the same port 443 for the translated
port. Once you are done, click "Add" to create the rule. After a short time, the rule will display under the NAT rule
collection tab.

Network rule collection creation is very similar. Click "Add Network Rule Collection" and give the rule a name – again,
something relevant to the job it's doing. In this example, it will be a rule to allow DNS traffic, so name it DNS and give it a
priority of 200. Set the action to allow, which is the alternative to the deny action. Next, under the rules and IP addresses
section, gives the first rule a name, in this case, DNS1, and select the protocol that it will allow for DNS, in this case, UDP.

Next, select the source IP address, which in this example is the web server with the IP of 172.16.1.4. You can specify
specific allied DNS servers at the destination address, but in this example, add a star, thus allowing anything and add a
destination port for DNS, which is 53. Once complete, click "Add". The firewall will update, adding the rule in the
background.

Lastly, let's create the application rule collection by clicking on Add application rule. This rule will enable access to the
Microsoft website from the web server. Name the rule collection Microsoft, using the priority number of 200 and
choosing allow as the action. For application rules, you use the target FQDN section. Give the individual rule a name, in
this case, Microsoft. Next, specify the source IP address of the web server, 172.16.1.4, and specifying the protocol that
can be used, which is HTTP and HTTPS. The last section to fill in is the target FQDN box, which in this case will be
www.microsoft.com. Again, more rules can be added, but for now, click "Add". The firewall will again update with the
latest rule.

Finally, let's configure Threat Intelligence, which you can do from the left-hand menu under the settings section. By
default, Threat Intelligence is set to alert only. You can change it to off or alert and deny if you want Threat Intelligence to
automatically create rules. Select Alert and deny, and click on the "Save" button, which will turn on this automatic Threat
Intelligence feature.

In this lesson, you learned how to configure three firewall rule collection types, NAT, network, and application. These
rules have many different variables that can help to customize network security by permitting or denying certain traffic.
You also discovered how easy it is to turn on Microsoft Threat Intelligence to automatically create deny rules for new
threats.
Exercise: Configure Azure Firewall
Introduction If you have been following along with the activities and exercises, the Sam’s Scoops network should have
the following components:

 A resource group RG_Web_Server with a VM called SamScoopsWeb.

 A Firewall resource group with a VNet called Firewall-Hub containing the AzureFirewallSubnet.

These VNets should also be peered to communicate with one another. By now you know how the different Microsoft
Azure firewall SKUs can be used to protect networks and devices within Microsoft Azure. In this exercise you will deploy
and configure an Azure Standard Firewall to begin the process of protecting devices and networks within an Microsoft
Azure environment.

Case study With the VM for the Sam’s Scoops webserver in place and the hub-spoke network topology set up, it’s time to
install an Azure Standard Firewall to protect the network and its resources. You also need to provide remote access via
the firewall as well as access to additional protocols so that a web developer can develop the web server.

Instructions For this exercise to be successful, the exercise Create a Windows virtual machine in the Azure portal from
Lesson 2 has to have been completed and the machine still needs to be present. If not, please revisit that exercise first.

Step 1: Firewall deployment Traffic on the Sam’ Scoops network will fluctuate since demand for its products will most
likely increase over weekends, holidays and hot weather. That’s why an Azure Standard Firewall is the best fit for the
business. To deploy the Azure Standard Firewall on the Firewall-Hub 192.168.1.0 subnet follow these steps:

1. Sign into your Azure subscription from the Azure portal.

2. On the Azure home page, select Firewalls under the Azure services bar.

3. Select on Create Firewall.

4. Subscription: Select your subscription.

5. Resource group: Select the Firewall resource group from the dropdown, created in the earlier activity.

6. Give the firewall instance the name "ScoopsFirewall".

7. Region: Select the same location that you have used previously.

8. Firewall SKU: Select Standard from the Firewall SKU selection boxes.

9. For firewall management, select Use Firewall rules (classic) to manage this firewall.

10. For Choose a virtual network select Use existing and select the Firewall-Hub network for the virtual network
created in a previous activity.

11. IP address: For the Public IP address select Add new and give it the name "FirewallScoops", select OK.

12. Select Review + create. The firewall will now be deployed.

Step 2: Firewall application rule creation The web server will need access to Google once it is set up, so an application
rule needs to be setup to allow outbound access. To do this, follow these steps:

1. Open the Firewall resource group, and select the ScoopsFirewall firewall.

2. On the ScoopsFirewall page, under Settings, select Rules (classic).

3. Select the Application rule collection tab.

4. Select Add application rule collection.

 5. For Name, type "AppRule1".

6. For Priority, type " 200".

7. For Action, select Allow.

8. Under Rules, Target FQDNs, for Name, type "Allow-Google".

9. For Source type, select IP address.

10. Type 172.16.1.0/24 for the Source.

11. For Protocol:port, type "http, https".

12. For Target FQDNS, type "www.google.com".

13. Select Add and after a while the rule will be created.

Step 3: Firewall network rule creation The web server will also need to use DNS to resolve IP addresses so you need to
create a network rule to allow this. Follow these steps to do this:

1. Select the Network rule collection tab.

2. Select Add network rule collection.

3. For Name, type "Net-Rule1".

4. For Priority, type "200".

5. For Action, select Allow.

6. Under Rules, IP addresses, for Name, type "Allow-DNS".

7. For Protocol, select UDP.

8. For Source type, select IP address.

9. Type 172.16.1.0/24 for the Source.

10. For Destination type select IP address.

11. For Destination address, type 209.244.0.3,209.244.0.4 (These are public DNS servers operated by Level 3)

12. For Destination Ports, type "53".

13. Select Add.

Step 4: Firewall NAT rules creation To allow the web developer to setup the web server you need to provide remote
access to the VM. Follow these steps to create a destination NAT rule for RDP.

1. Select the NAT rule collection tab.

2. Select Add NAT rule collection.

3. For Name, type " rdp".

4. For Priority, type "200".

5. Under Rules, for Name, type "rdp-nat".

6. For Protocol, select TCP.

7. For Source type, select IP address.

 8. Type "*.(* = anything)" for the Source.

9. For Destination address, type the firewall public IP address.

10. For Destination Ports, type "3389".

11. For Translated address, type the SamScoopsWeb virtual machine's private IP address.

12. For Translated port, type "3389".

13. Select Add.

Step 5: Advanced threat protection Earlier you learned that one of the great advantages of using the Azure Standard
Firewall is the automatic rule creation for threats with Threat Intelligence. But recall that by default, the firewall is set to
only create threat alerts. Follow these steps to enable the alert and deny option.

1. On the ScoopsFirewall page, under Settings, select Threat Intelligence.

2. For Threat Intel mode select Alert and deny.

3. Select Save.

Clean-up Note: Once you have finished with this exercise please delete the Standard Firewall as it cannot be powered off
and you will continue being charged if it stays active.

If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to stop
compute resources after completing each lesson. When you're working in your own subscription, it's also a good idea at
the end of a project to identify whether you still need the resources you created. Resources left running can cost you
money. You can delete resources individually or delete the resource group to delete the entire set of resources.

Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
exercise.

Conclusion You have now configured and deployed an Azure Standard Firewall that will protect the Sam’s Scoops virtual
machine and network. By enabling remote access, you made it possible for a web developer to develop a web server on
this virtual machine. The virtual machine is also protected by a centrally installed firewall that only allows DNS traffic and
access to the Google web page for the virtual machine.

Exemplar: Configure Azure Firewall

Introduction

In the exercise Configure Azure Firewall you were tasked to configure and deploy an Azure Standard Firewall to protect
the Sam’s Scoops network. You also had to enable remote access to their virtual machine where the webserver will be
installed and set up firewall rules to allow DNS traffic and access to the Google website. Lastly you had to allow advanced
threat protection by enabling alert and deny rules.

This exemplar serves as a solution to the exercise and includes screenshots that demonstrates the steps you had to take.

Case study

Earlier you deployed a virtual machine for the Sam’s Scoops webserver and also set up a hub-spoke network topology.
The next step was to ensure the network is protected centrally by installing an Azure Standard Firewall. You also had to
allow an external web developer to set up the webserver by providing remote access to the VM, as well as access to
additional protocols.

Instructions

Step 1: Firewall deployment

Traffic on the Sam’ Scoops network will fluctuate since demand for its products will most likely increase over weekends,
holidays and hot weather. That’s why an Azure Standard Firewall is the best fit for the business. To deploy the Azure
Standard Firewall on the Firewall-Hub 192.168.1.0 subnet follow these steps:

1. Sign into your Azure subscription from the Azure portal.

1. On the Azure home page select Firewalls under the Azure services bar.

1. Select Create Firewall.

1. Subscription: Select your subscription.

2. For the resource group, select the Firewall resource group from the dropdown, created in the earlier activity.

3. Give the firewall instance the name "ScoopsFirewall".

4. For the region, select the same location that you have used previously.

5. For the Firewall SKU, select Standard from the Firewall SKU selection boxes.

6. For Firewall management, select Use Firewall rules (classic) to manage this firewall.

7. For Choose a virtual network, select Use existing and select the Firewall-Hub network for the virtual network
created in a previous activity.

8. For the Public IP address, select Add new and give it the name "FirewallScoops", select OK.
1. Select Review + create then create. The firewall will now be deployed.
Step 2: Firewall application rules creation

The web server will need access to Google once it is set up, so you need to set up an application rule to allow outbound
access. To do this, follow these steps:

1. From the Azure services bar select Resource groups.

1. Open the Firewall resource group, and select the ScoopsFirewall firewall.
1. On the ScoopsFirewall page, under Settings, select Rules (classic).

1. Select the Application rule collection tab.

1. Select Add application rule collection.

2. For Name, type "AppRule1".

3. For Priority, type "200".

4. For Action, select Allow.

5. Under Rules, Target FQDNs, for Name, type "Allow-Google".

6. For Source type, select IP address.

7. Type 172.16.1.0/24 for the source.

8. For Protocol:port, type "http, https".

9. For Target FQDNS, type "www.google.com".

 1. Select Add and after a short time the rule will be created.

Step 3: Firewall network rule creation

The web server will also need to use DNS to resolve IP addresses so you need to create a network rule to allow this.
Follow these steps to do this:
1. Select the Network rule collection tab.

2. Select Add network rule collection.

1. For Name, type "Net-Rule1".

2. For Priority, type "200".

3. For Action, select Allow.

4. Under Rules, IP addresses, for Name, type "Allow-DNS".

5. For Protocol, select UDP.

6. For Source type, select IP address.

7. Type 172.16.1.0/24 for the Source.

8. For Destination type select IP address.

9. For Destination address, type 209.244.0.3,209.244.0.4 (These are public DNS servers operated by Level3).

10. For Destination Ports, type "53".

 1. Select Add.

Step 4: Firewall NAT rules creation

To allow the web developer to set up the web server you need to provide remote access to the VM. Follow these steps to
create a destination NAT rule for RDP:
1. Select the NAT rule collection tab.

2. Select Add NAT rule collection.

1. For Name, type " rdp".

2. For Priority, type "200".

3. Under Rules, for Name, type "rdp-nat2".

4. For Protocol, select TCP.

5. For Source type, select IP address.

6. Type "*.(* = anything)" for the Source.

7. For Destination address, type the firewall public IP address.

8. For Destination Ports, type "3389".

9. For Translated address, type the SamScoopsWeb virtual machines private IP address.

10. For Translated port, type "3389".

 1. Select Add.

Step 5: Advanced threat protection

Earlier you learned that one of the great advantages of using the Azure Standard Firewall is that you can create rules
automatically for threat using Threat Intelligence. By by default the firewall is set to only create threat alerts. Follow
these steps to enable the alert and deny option.
1. On the ScoopsFirewall page, under Settings, select Threat intelligence.

1. For Threat intel mode select Alert and deny.

1. Select Save.
Clean-up Note: Once you have finished with this exercise please delete the Standard Firewall as it cannot be powered off
and you will continue being charged if it stays active.

If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to stop
compute resources after completing each lesson. When you're working in your own subscription, it's also a good idea at
the end of a project to identify whether you still need the resources you created. Resources left running can cost you
money. You can delete resources individually or delete the resource group to delete the entire set of resources.

Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
exercise.

Conclusion This exemplar guided you through the steps you had to take in the exercise Configure Azure Firewall. You
should now know how to configure and deployed the Azure Standard Firewall to provide centralized protecting for a hub-
spoke network that includes a VM on a VNet spoke. You should also be comfortable with allowing remote access and
setting up firewall rules to allow DNS traffic and access to the Google web page for the virtual machine. Additionally, you
are now familiar with the required steps for enabling Threat Intelligence alert and deny rules. Well done! The last step
was to perform clean-up to prevent incurred costs. But remember to only stop the VM and not delete it because you will
be using it in coming exercises.

Choose the right Azure Firewall version to meet your needs

In this article

1. Feature comparison

2. Flow chart

3. Next steps

Azure Firewall offers three versions to meet various customer needs:

 Azure Firewall Premium: Ideal for securing highly sensitive applications, such as payment processing. It includes
advanced threat protection features like malware and TLS inspection.

 Azure Firewall Standard: Suitable for customers requiring Layer 3–Layer 7 firewall capabilities with autoscaling to
manage peak traffic up to 30 Gbps. It includes enterprise features like threat intelligence, DNS proxy, custom
DNS, and web categories.

 Azure Firewall Basic: Designed for SMB customers with throughput requirements up to 250 Mbps.

Feature comparison

Compare the features of the three Azure Firewall versions:

Expand table

Category Feature Firewall Firewall Firewall Premium

Basic Standard

L3-L7 filtering Application level FQDN filtering (SNI based) for ✓ ✓ ✓

HTTPS/SQL

Network level FQDN filtering – all ports and protocols ✓ ✓

Stateful firewall (5 tuple rules) ✓ ✓ ✓

Network address translation (SNAT+DNAT) ✓ ✓ ✓

Category Feature Firewall Firewall Firewall Premium
Basic Standard

Reliability & Availability zones ✓ ✓ ✓

performance

Built-in HA ✓ ✓ ✓

Cloud scalability (auto-scale as traffic grows) Up to Up to 30 Up to 100 Gbps

250Mbps Gbps

Fat flow support N/A 1 Gbps 10 Gbps

Ease of Central management via firewall manager ✓ ✓ ✓

management

Policy analytics (rule management over time) ✓ ✓ ✓

Enterprise Full logging including SIEM integration ✓ ✓ ✓

integration

Service tags and FQDN tags for easy policy management ✓ ✓ ✓

Easy DevOps integration using ✓ ✓ ✓

REST/PowerShell/CLI/templates/Terraform

Web content filtering (web categories) ✓ ✓

DNS proxy + custom DNS ✓ ✓

Advanced threat Threat intelligence-based filtering (known malicious IP Alert ✓ ✓

protection address/domains)

Inbound TLS termination (TLS reverse proxy) Using Azure

Application Gateway

Outbound TLS termination (TLS forward proxy) ✓

Fully managed IDPS ✓

URL filtering (full path - including SSL termination) ✓

Flow chart Use the following flow chart to determine the best Azure Firewall version for your needs.
NAT on Azure VPN Gateway
This article provides an overview of NAT (Network Address Translation) support in Azure VPN Gateway. NAT
defines the mechanisms to translate one IP address to another in an IP packet. There are multiple scenarios for
NAT:
 Connect multiple networks with overlapping IP addresses
 Connect from networks with private IP addresses (RFC1918) to the Internet (Internet breakout)
 Connect IPv6 networks to IPv4 networks (NAT64)
Important Azure VPN Gateway NAT supports the first scenario to connect on-premises networks or branch
offices to an Azure virtual network with overlapping IP addresses. Internet breakout and NAT64
are NOT supported.
Overlapping address spaces Organizations commonly use private IP addresses defined in RFC1918 for internal
communication in their private networks. When these networks are connected using VPN over the Internet or
across private WAN, the address spaces must not overlap, otherwise communications will fail. To connect two
or more networks with overlapping IP addresses, NAT is deployed on the gateway devices connecting the
networks.
NAT type: static & dynamic NAT on a gateway device translates the source and/or destination IP addresses,
based on the NAT policies or rules to avoid address conflict. There are different types of NAT translation rules:
 Static NAT: Static rules define a fixed address mapping relationship. For a given IP address, it will be
mapped to the same address from the target pool. The mappings for static rules are stateless because
the mapping is fixed.
 Dynamic NAT: For dynamic NAT, an IP address can be translated to different target IP addresses based
on availability, or with a different combination of IP address and TCP/UDP port. The latter is also called
NAPT, Network Address and Port Translation. Dynamic rules will result in stateful translation mappings
depending on the traffic flows at any given time.
Note When Dynamic NAT rules are used, traffic is unidirectional which means communication must be
initiated from the site that is represented in the Internal Mapping field of the rule. If traffic is initiated from
the External Mapping, the connection will not be established. If you require bidirectional traffic initiation,
then use a static NAT rule to define a 1:1 mapping.
Another consideration is the address pool size for translation. If the target address pool size is the same as the
original address pool, use static NAT rule to define a 1:1 mapping in a sequential order. If the target address
pool is smaller than the original address pool, use dynamic NAT rule to accommodate the differences.
Important
 NAT is supported on the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.
 NAT is supported on IPsec cross-premises connections only. VNet-to-VNet connections or P2S
connections are not supported.
 Every Dynamic NAT rule can be assigned to a single connection.
NAT mode: ingress & egress Each NAT rule defines an address mapping or translating relationship for the
corresponding network address space:
 Ingress: An IngressSNAT rule maps an on-premises network address space to a translated address
space to avoid address overlap.
 Egress: An EgressSNAT rule maps the Azure VNet address space to another translated address space.
For each NAT rule, the following two fields specify the address spaces before and after the translation:
 Internal Mappings: The address space before the translation. For an ingress rule, this field corresponds
to the original address space of the on-premises network. For an egress rule, this is the original VNet
address space.
 External Mappings: The address space after the translation for on-premises networks (ingress) or VNet
(egress). For different networks connected to an Azure VPN gateway, the address spaces for all External
Mappings must not overlap with each other and with the networks connected without NAT.
NAT and routing Once a NAT rule is defined for a connection, the effective address space for the connection
will change with the rule. If BGP is enabled on the Azure VPN gateway, select the "Enable BGP Route
Translation" to automatically convert the routes learned and advertised on connections with NAT rules:
 Learned routes: The destination prefixes of the routes learned over a connection with the IngressSNAT
rules will be translated from the Internal Mapping prefixes (pre-NAT) to the External Mapping prefixes
(post-NAT) of those rules.
 Advertised routes: Azure VPN gateway will advertise the External Mapping (post-NAT) prefixes of the
EgressSNAT rules for the VNet address space, and the learned routes with post-NAT address prefixes
from other connections.
 BGP peer IP address consideration for a NAT'ed on-premises network:
o APIPA (169.254.0.1 to 169.254.255.254) address: NAT isn't supported with BGP APIPA
addresses.
o Non-APIPA address: Exclude the BGP Peer IP addresses from the NAT range.
Note The learned routes on connections without IngressSNAT rules will not be converted. The VNet routes
advertised to connections without EgressSNAT rules will also not be converted.
NAT example The following diagram shows an example of Azure VPN NAT configurations:
The diagram shows an Azure VNet and two on-premises networks, all with address space of 10.0.1.0/24. To
connect these two networks to the Azure VNet and VPN gateway, create the following rules:
 IngressSNAT rule 1: This rule translates the on-premises address space 10.0.1.0/24 192.168.2.0/24.
 IngressSNAT rule 2: This rule translates the on-premises address space 10.0.1.0/24 to 192.168.3.0/24.
 EgressSNAT rule 1: This rule translates the VNet address space 10.0.1.0/24 to 192.168.1.0/24.
In the diagram, each connection resource has the following rules:
 Connection 1 (VNet-Branch1):
o IngressSNAT rule 1
o EgressSNAT rule 1
 Connection 2 (VNet-Branch2)
o IngressSNAT rule 2
o EgressSNAT rule 1
Based on the rules associated with the connections, here are the address spaces for each network:
Expand table

Network Original Translated

VNet 10.0.1.0/24 192.168.1.0/24

Branch 1 10.0.1.0/24 192.168.2.0/24

Branch 2 10.0.1.0/24 192.168.3.0/24

The following diagram shows an IP packet from Branch 1 to VNet, before and after the NAT translation:

Important
A single SNAT rule defines the translation for both directions of a particular network:
 An IngressSNAT rule defines the translation of the source IP addresses coming into the Azure VPN
gateway from the on-premises network. It also handles the translation of the destination IP addresses
leaving from the VNet to the same on-premises network.
 An EgressSNAT rule defines the translation of the source IP addresses leaving the Azure VPN gateway to
on-premises networks. It also handles the translation of the destination IP addresses for packets
coming into the VNet via those connections with the EgressSNAT rule.
  In either case, no DNAT rules are needed.
NAT configuration To implement the NAT configuration shown in the previous section, first create the NAT
rules in your Azure VPN gateway, then create the connections with the corresponding NAT rules associated.
See Configure NAT on Azure VPN gateways for steps to configure NAT for your cross-premises connections.
NAT limitations and considerations
Important There are a few constraints for the NAT feature.
 NAT is supported on the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.
 NAT is supported for IPsec/IKE cross-premises connections only. VNet-to-VNet connections or P2S
connections aren't supported.
 NAT rules aren't supported on connections that have Use Policy Based Traffic Selectors enabled.
 The maximum supported external mapping subnet size for Dynamic NAT is /26.
 Port mappings can be configured with Static NAT types only. Dynamic NAT scenarios aren't applicable
for port mappings.
 Port mappings can't take ranges at this time. Individual port needs to be entered.
 Port mappings can be used for both TCP and UDP protocols.
NAT FAQ Is NAT supported on all Azure VPN Gateway SKUs? NAT is supported on VpnGw2 to VpnGw25 and on
VpnGw2AZ to VpnGw5AZ.
Can I use NAT on VNet-to-VNet or P2S connections? No.
How many NAT rules can I use on a VPN gateway? You can create up to 100 NAT rules (ingress and egress
rules combined) on a VPN gateway.
Can I use a slash (/) in a NAT rule name? No. You'll receive an error.
Is NAT applied to all connections on a VPN gateway? NAT is applied to the connections that have NAT rules. If
a connection doesn't have a NAT rule, NAT won't take effect on that connection. On the same VPN gateway,
you can have some connections with NAT and other connections without NAT working together.
What types of NAT do VPN gateways support? VPN gateways support only static 1:1 NAT and dynamic NAT.
They don't support NAT64.
Does NAT work on active-active VPN gateways? Yes. NAT works on both active-active and active-standby VPN
gateways. Each NAT rule is applied to a single instance of the VPN gateway. In active-active gateways, create a
separate NAT rule for each gateway instance through the IP configuration ID field.
Does NAT work with BGP connections?
Yes, you can use BGP with NAT. Here are some important considerations:
 To ensure that the learned routes and advertised routes are translated to post-NAT address prefixes
(external mappings) based on the NAT rules associated with the connections, select Enable BGP Route
Translation on the configuration page for NAT rules. The on-premises BGP routers must advertise the
exact prefixes as defined in the IngressSNAT rules.
  If the on-premises VPN router uses a regular, non-APIPA address and it collides with the VNet address
space or other on-premises network spaces, ensure that the IngressSNAT rule will translate the BGP
peer IP to a unique, non-overlapped address. Put the post-NAT address in the BGP peer IP address field
of the local network gateway.
 NAT isn't supported with BGP APIPA addresses.
Do I need to create the matching DNAT rules for the SNAT rule? No. A single source network address
translation (SNAT) rule defines the translation for both directions of a particular network:
 An IngressSNAT rule defines the translation of the source IP addresses coming into the VPN gateway
from the on-premises network. It also handles the translation of the destination IP addresses leaving
from the virtual network to the same on-premises network.
 An EgressSNAT rule defines the translation of the VNet source IP addresses leaving the VPN gateway to
on-premises networks. It also handles the translation of the destination IP addresses for packets
coming into the virtual network via the connections that have the EgressSNAT rule.
In either case, you don't need destination network address translation (DNAT) rules.
What do I do if my VNet or local network gateway address space has two or more prefixes? Can I apply NAT
to all of them or just a subset?
You need to create one NAT rule for each prefix, because each NAT rule can include only one address prefix for
NAT. For example, if the address space for the local network gateway consists of 10.0.1.0/24 and 10.0.2.0/25,
you can create two rules:
 IngressSNAT rule 1: Map 10.0.1.0/24 to 192.168.1.0/24.
 IngressSNAT rule 2: Map 10.0.2.0/25 to 192.168.2.0/25.
The two rules must match the prefix lengths of the corresponding address prefixes. The same guideline applies
to EgressSNAT rules for the VNet address space.
Important If you link only one rule to the preceding connection, the other address space won't be translated.
What IP ranges can I use for external mapping? You can use any suitable IP range that you want for external
mapping, including public and private IPs.
Can I use different EgressSNAT rules to translate my VNet address space to different prefixes for on-premises
networks? Yes. You can create multiple EgressSNAT rules for the same VNet address space and then apply
the EgressSNAT rules to different connections.
Can I use the same IngressSNAT rule on different connections? Yes. You typically use the
same IngressSNAT rule when the connections are for the same on-premises network, to provide redundancy.
You can't use the same ingress rule if the connections are for different on-premises networks.
Do I need both ingress and egress rules on a NAT connection? You need both ingress and egress rules on the
same connection when the on-premises network address space overlaps with the VNet address space. If the
VNet address space is unique among all connected networks, you don't need the EgressSNAT rule on those
connections. You can use the ingress rules to avoid address overlap among the on-premises networks.
What do I choose as the IP configuration ID? IP configuration ID is simply the name of the IP configuration
object that you want the NAT rule to use. With this setting, you're simply choosing which gateway public IP
address applies to the NAT rule. If you haven't specified any custom name at gateway creation time, the
gateway's primary IP address is assigned to the default IP configuration, and the secondary IP is assigned to
the activeActive IP configuration.

Azure best practices for network security

This article discusses a collection of Azure best practices to enhance your network security. These best
practices are derived from our experience with Azure networking and the experiences of customers like
yourself.
For each best practice, this article explains:
 What the best practice is
 Why you want to enable that best practice
 What might be the result if you fail to enable the best practice
 Possible alternatives to the best practice
 How you can learn to enable the best practice
These best practices are based on a consensus opinion, and Azure platform capabilities and feature sets, as
they exist at the time this article was written. Opinions and technologies change over time and this article will
be updated regularly to reflect those changes.
Use strong network controls You can connect Azure virtual machines (VMs) and appliances to other
networked devices by placing them on Azure virtual networks. That is, you can connect virtual network
interface cards to a virtual network to allow TCP/IP-based communications between network-enabled devices.
Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network,
different virtual networks, the internet, or your own on-premises networks.
As you plan your network and the security of your network, we recommend that you centralize:
 Management of core network functions like ExpressRoute, virtual network and subnet provisioning,
and IP addressing.
 Governance of network security elements, such as network virtual appliance functions like
ExpressRoute, virtual network and subnet provisioning, and IP addressing.
If you use a common set of management tools to monitor your network and the security of your network, you
get clear visibility into both. A straightforward, unified security strategy reduces errors because it increases
human understanding and the reliability of automation.
Logically segment subnets Azure virtual networks are similar to LANs on your on-premises network. The idea
behind an Azure virtual network is that you create a network, based on a single private IP address space, on
which you can place all your Azure virtual machines. The private IP address spaces available are in the Class A
(10.0.0.0/8), Class B (172.16.0.0/12), and Class C (192.168.0.0/16) ranges.
Best practices for logically segmenting subnets include:
Best practice: Don't assign allow rules with broad ranges (for example, allow 0.0.0.0 through
255.255.255.255).
Detail: Ensure troubleshooting procedures discourage or ban setting up these types of rules. These allow rules
lead to a false sense of security and are frequently found and exploited by red teams.
Best practice: Segment the larger address space into subnets.
Detail: Use CIDR-based subnetting principles to create your subnets.
Best practice: Create network access controls between subnets. Routing between subnets happens
automatically, and you don't need to manually configure routing tables. By default, there are no network
access controls between the subnets that you create on an Azure virtual network.
Detail: Use a network security group to protect against unsolicited traffic into Azure subnets. Network security
groups (NSGs) are simple, stateful packet inspection devices. NSGs use the 5-tuple approach (source IP, source
port, destination IP, destination port and protocol) to create allow/deny rules for network traffic. You allow or
deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets.
When you use network security groups for network access control between subnets, you can put resources
that belong to the same security zone or role in their own subnets.
Best practice: Avoid small virtual networks and subnets to ensure simplicity and flexibility. Detail: Most
organizations add more resources than initially planned, and reallocating addresses is labor intensive. Using
small subnets adds limited security value, and mapping a network security group to each subnet adds
overhead. Define subnets broadly to ensure that you have flexibility for growth.
Best practice: Simplify network security group rule management by defining Application Security Groups.
Detail: Define an Application Security Group for lists of IP addresses that you think might change in the future
or be used across many network security groups. Be sure to name Application Security Groups clearly so others
can understand their content and purpose.
Adopt a Zero Trust approach Perimeter-based networks operate on the assumption that all systems within a
network can be trusted. But today's employees access their organization's resources from anywhere on various
devices and apps, which makes perimeter security controls irrelevant. Access control policies that focus only
on who can access a resource aren't enough. To master the balance between security and productivity,
security admins also need to factor in how a resource is being accessed.
Networks need to evolve from traditional defenses because networks might be vulnerable to breaches: an
attacker can compromise a single endpoint within the trusted boundary and then quickly expand a foothold
across the entire network. Zero Trust networks eliminate the concept of trust based on network location within
a perimeter. Instead, Zero Trust architectures use device and user trust claims to gate access to organizational
data and resources. For new initiatives, adopt Zero Trust approaches that validate trust at the time of access.
Best practice: Give Conditional Access to resources based on device, identity, assurance, network location, and
more.
Detail: Microsoft Entra Conditional Access lets you apply the right access controls by implementing automated
access control decisions based on the required conditions. For more information, see Manage access to Azure
management with Conditional Access.
Best practice: Enable port access only after workflow approval.
Detail: You can use just-in-time VM access in Microsoft Defender for Cloud to lock down inbound traffic to your
Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
Best practice: Grant temporary permissions to perform privileged tasks, which prevents malicious or
unauthorized users from gaining access after the permissions have expired. Access is granted only when users
need it.
Detail: Use just-in-time access in Microsoft Entra Privileged Identity Management or in a third-party solution to
grant permissions to perform privileged tasks.
Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the
"assume breach" mindset, but this approach shouldn't be limiting. Zero Trust networks protect corporate data
and resources while ensuring that organizations can build a modern workplace by using technologies that
empower employees to be productive anytime, anywhere, in any way.
Control routing behavior When you put a virtual machine on an Azure virtual network, the VM can connect to
any other VM on the same virtual network, even if the other VMs are on different subnets. This is possible
because a collection of system routes enabled by default allows this type of communication. These default
routes allow VMs on the same virtual network to initiate connections with each other, and with the internet
(for outbound communications to the internet only).
Although the default system routes are useful for many deployment scenarios, there are times when you want
to customize the routing configuration for your deployments. You can configure the next-hop address to reach
specific destinations.
We recommend that you configure user-defined routes when you deploy a security appliance for a virtual
network. We talk about this recommendation in a later section titled secure your critical Azure service
resources to only your virtual networks.
Note User-defined routes aren't required, and the default system routes usually work.
Use virtual network appliances Network security groups and user-defined routing can provide a certain
measure of network security at the network and transport layers of the OSI model. But in some situations, you
want or need to enable security at high levels of the stack. In such situations, we recommend that you deploy
virtual network security appliances provided by Azure partners.
Azure network security appliances can deliver better security than what network-level controls provide.
Network security capabilities of virtual network security appliances include:
 Firewalling
 Intrusion detection/intrusion prevention
 Vulnerability management
 Application control
 Network-based anomaly detection
 Web filtering
  Antivirus
 Botnet protection
To find available Azure virtual network security appliances, go to the Azure Marketplace and search for
"security" and "network security."

Deploy perimeter networks for security zones A perimeter network (also known as a DMZ) is a physical or
logical network segment that provides an extra layer of security between your assets and the internet.
Specialized network access control devices on the edge of a perimeter network allow only desired traffic into
your virtual network.
Perimeter networks are useful because you can focus your network access control management, monitoring,
logging, and reporting on the devices at the edge of your Azure virtual network. A perimeter network is where
you typically enable distributed denial of service (DDoS) protection, intrusion detection/intrusion prevention
systems (IDS/IPS), firewall rules and policies, web filtering, network antimalware, and more. The network
security devices sit between the internet and your Azure virtual network and have an interface on both
networks.
Although this is the basic design of a perimeter network, there are many different designs, like back-to-back,
tri-homed, and multi-homed.
Based on the Zero Trust concept mentioned earlier, we recommend that you consider using a perimeter
network for all high security deployments to enhance the level of network security and access control for your
Azure resources. You can use Azure or a third-party solution to provide an extra layer of security between your
assets and the internet:
 Azure native controls. Azure Firewall and Azure Web Application Firewall offer basic security
advantages. Advantages are a fully stateful firewall as a service, built-in high availability, unrestricted
cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration.
 Third-party offerings. Search the Azure Marketplace for next-generation firewall (NGFW) and other
third-party offerings that provide familiar security tools and enhanced levels of network security.
Configuration might be more complex, but a third-party offering might allow you to use existing
capabilities and skillsets.
Avoid exposure to the internet with dedicated WAN links
Many organizations have chosen the hybrid IT route. With hybrid IT, some of the company's information assets
are in Azure, and others remain on-premises. In many cases, some components of a service are running in
Azure while other components remain on-premises.
In a hybrid IT scenario, there's usually some type of cross-premises connectivity. Cross-premises connectivity
allows the company to connect its on-premises networks to Azure virtual networks. Two cross-premises
connectivity solutions are available:
  Site-to-site VPN. It's a trusted, reliable, and established technology, but the connection takes place over
the internet. Bandwidth is constrained to a maximum of about 1.25 Gbps. Site-to-site VPN is a desirable
option in some scenarios.
 Azure ExpressRoute. We recommend that you use ExpressRoute for your cross-premises connectivity.
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private
connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to
Microsoft cloud services like Azure, Microsoft 365, and Dynamics 365. ExpressRoute is a dedicated
WAN link between your on-premises location or a Microsoft Exchange hosting provider. Because this is
a telco connection, your data doesn't travel over the internet, so it isn't exposed to the potential risks
of internet communications.
The location of your ExpressRoute connection can affect firewall capacity, scalability, reliability, and network
traffic visibility. You'll need to identify where to terminate ExpressRoute in existing (on-premises) networks.
You can:
 Terminate outside the firewall (the perimeter network paradigm). Use this recommendation if you
require visibility into the traffic, if you need to continue an existing practice of isolating datacenters, or
if you're solely putting extranet resources on Azure.
 Terminate inside the firewall (the network extension paradigm). This is the default recommendation. In
all other cases, we recommend treating Azure as another datacenter.
Optimize uptime and performance If a service is down, information can't be accessed. If performance is so
poor that the data is unusable, you can consider the data to be inaccessible. From a security perspective, you
need to do whatever you can to make sure that your services have optimal uptime and performance.
A popular and effective method for enhancing availability and performance is load balancing. Load balancing is
a method of distributing network traffic across servers that are part of a service. For example, if you have front-
end web servers as part of your service, you can use load balancing to distribute the traffic across your
multiple front-end web servers.
This distribution of traffic increases availability because if one of the web servers becomes unavailable, the
load balancer stops sending traffic to that server and redirects it to the servers that are still online. Load
balancing also helps performance, because the processor, network, and memory overhead for serving requests
is distributed across all the load-balanced servers.
We recommend that you employ load balancing whenever you can, and as appropriate for your services.
Following are scenarios at both the Azure virtual network level and the global level, along with load-balancing
options for each.
Scenario: You have an application that:
 Requires requests from the same user/client session to reach the same back-end virtual machine.
Examples of this are shopping cart apps and web mail servers.
 Accepts only a secure connection, so unencrypted communication to the server isn't an acceptable
option.
 Requires multiple HTTP requests on the same long-running TCP connection to be routed or load
balanced to different back-end servers.
Load-balancing option: Use Azure Application Gateway, an HTTP web traffic load balancer. Application
Gateway supports end-to-end TLS encryption and TLS termination at the gateway. Web servers can then be
unburdened from encryption and decryption overhead and traffic flowing unencrypted to the back-end
servers.
Scenario: You need to load balance incoming connections from the internet among your servers located in an
Azure virtual network. Scenarios are when you:
 Have stateless applications that accept incoming requests from the internet.
 Don't require sticky sessions or TLS offload. Sticky sessions is a method used with Application Load
Balancing, to achieve server-affinity.
Load-balancing option: Use the Azure portal to create an external load balancer that spreads incoming
requests across multiple VMs to provide a higher level of availability.
Scenario: You need to load balance connections from VMs that are not on the internet. In most cases, the
connections that are accepted for load balancing are initiated by devices on an Azure virtual network, such as
SQL Server instances or internal web servers.
Load-balancing option: Use the Azure portal to create an internal load balancer that spreads incoming
requests across multiple VMs to provide a higher level of availability.
Scenario: You need global load balancing because you:
 Have a cloud solution that is widely distributed across multiple regions and requires the highest level of
uptime (availability) possible.
 Need the highest level of uptime possible to make sure that your service is available even if an entire
datacenter becomes unavailable.
Load-balancing option: Use Azure Traffic Manager. Traffic Manager makes it possible to load balance
connections to your services based on the location of the user.
For example, if the user makes a request to your service from the EU, the connection is directed to your
services located in an EU datacenter. This part of Traffic Manager global load balancing helps to improve
performance because connecting to the nearest datacenter is faster than connecting to datacenters that are
far away.
Disable RDP/SSH Access to virtual machines It's possible to reach Azure virtual machines by using Remote
Desktop Protocol (RDP) and the Secure Shell (SSH) protocol. These protocols enable the management VMs
from remote locations and are standard in datacenter computing.
The potential security problem with using these protocols over the internet is that attackers can use brute
force techniques to gain access to Azure virtual machines. After the attackers gain access, they can use your
VM as a launch point for compromising other machines on your virtual network or even attack networked
devices outside Azure.
We recommend that you disable direct RDP and SSH access to your Azure virtual machines from the internet.
After direct RDP and SSH access from the internet is disabled, you have other options that you can use to
access these VMs for remote management.
Scenario: Enable a single user to connect to an Azure virtual network over the internet.
Option: Point-to-site VPN is another term for a remote access VPN client/server connection. After the point-to-
site connection is established, the user can use RDP or SSH to connect to any VMs located on the Azure virtual
network that the user connected to via point-to-site VPN. This assumes that the user is authorized to reach
those VMs.
Point-to-site VPN is more secure than direct RDP or SSH connections because the user has to authenticate
twice before connecting to a VM. First, the user needs to authenticate (and be authorized) to establish the
point-to-site VPN connection. Second, the user needs to authenticate (and be authorized) to establish the RDP
or SSH session.
Scenario: Enable users on your on-premises network to connect to VMs on your Azure virtual network.
Option: A site-to-site VPN connects an entire network to another network over the internet. You can use a site-
to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises
network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to
allow direct RDP or SSH access over the internet.
Scenario: Use a dedicated WAN link to provide functionality similar to the site-to-site VPN.
Option: Use ExpressRoute. It provides functionality similar to the site-to-site VPN. The main differences are:
 The dedicated WAN link doesn't traverse the internet.
 Dedicated WAN links are typically more stable and perform better.
Secure your critical Azure service resources to only your virtual networks Use Azure Private Link to access
Azure PaaS Services (for example, Azure Storage and SQL Database) over a private endpoint in your virtual
network. Private Endpoints allow you to secure your critical Azure service resources to only your virtual
networks. Traffic from your virtual network to the Azure service always remains on the Microsoft Azure
backbone network. Exposing your virtual network to the public internet is no longer necessary to consume
Azure PaaS Services.
Azure Private Link provides the following benefits:
 Improved security for your Azure service resources: With Azure Private Link, Azure service resources
can be secured to your virtual network using private endpoint. Securing service resources to a private
endpoint in virtual network provides improved security by fully removing public internet access to
resources, and allowing traffic only from private endpoint in your virtual network.
 Privately access Azure service resources on the Azure platform: Connect your virtual network to
services in Azure using private endpoints. There's no need for a public IP address. The Private Link
platform will handle the connectivity between the consumer and services over the Azure backbone
network.
 Access from On-premises and peered networks: Access services running in Azure from on-premises
over ExpressRoute private peering, VPN tunnels, and peered virtual networks using private endpoints.
There's no need to configure ExpressRoute Microsoft peering or traverse the internet to reach the
service. Private Link provides a secure way to migrate workloads to Azure.
 Protection against data leakage: A private endpoint is mapped to an instance of a PaaS resource
instead of the entire service. Consumers can only connect to the specific resource. Access to any other
resource in the service is blocked. This mechanism provides protection against data leakage risks.
  Global reach: Connect privately to services running in other regions. The consumer's virtual network
could be in region A and it can connect to services in region B.
 Simple to set up and manage: You no longer need reserved, public IP addresses in your virtual
networks to secure Azure resources through an IP firewall. There are no NAT or gateway devices
required to set up the private endpoints. Private endpoints are configured through a simple workflow.
On service side, you can also manage the connection requests on your Azure service resource with
ease. Azure Private Link works for consumers and services belonging to different Microsoft Entra
tenants too.
To learn more about private endpoints and the Azure services and regions that private endpoints are available
for, see Azure Private Link.
Next steps See Azure security best practices and patterns for more security best practices to use when you're
designing, deploying, and managing your cloud solutions by using Azure.

JUST-IN-TIME ACCESS
All virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as an entry
point to attack further resources within a virtual environment.

Sam Scoops has the new web server up and running in Microsoft Azure and is looking to use more virtual machines for
different aspects of the business. A firewall has been deployed to protect these virtual machines, but ports like RDP
and SSH have to be open to allow remote access for management through that firewall, which creates a security risk.
Threat actors actively hunt accessible machines with open management ports. To solve this dilemma, Microsoft Azure
offers just-in-time or JIT VM Access, which is used to prevent these attacks.

In this lesson, you’ll learn how JIT can protect virtual machines as well as allowing remote access when needed. First,
what exactly is just-in-time VM access? It's a security feature that allows administrators to control and limit access to
VMs by enabling temporary on-demand access for authorized users. It works by defining a set of policies and rules that
determine when and for whom access to a VM should be granted.

As with all cybersecurity prevention techniques, the goal is to reduce the attack surface. In this case, that means having
fewer open ports, especially management ports, but the problem is legitimate users also use these ports, so it's not
practical to keep them closed all of the time.
The solution is to configure an enable just-in-time access which will block inbound traffic but allow access on specific
management ports. This reduces exposure to attacks while providing easy access to connect to VMs when needed. JIT is
a part of defender for Cloud, which ensures deny all inbound traffic rules exist for your selected ports in the network
security group or NSG and Azure firewall rules. These deny all rules restrict access to your Azure VMs management ports
and defend them from attack.

If other rules already exist for the selected ports then those existing rules take priority over the new deny all inbound
traffic rules. However, if there are no existing rules on the selected ports, then the new rules take top priority in the NSG
and Azure Firewall.

JIT offers the perfect security solution for the Sam's Scoops virtual machine running its website because the developer of
the website only need to access when updating content once a month. Enabling JIT keeps the machine secure until the
developer needs access to it. Say a web developer request access to the VM web server. Defender for Cloud checks that
he has Azure Role-Based Access Control or RBAC. If the request is approved, Defender for Cloud configures the NSGs and
Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address or range for the amount of time
that was specified when giving just-in-time access. When you enable JIT VM access for your VMs, you can create a policy
that determines which ports need protection, how long the ports should remain open, and the approved IP addresses
that can access these ports. The policy enables you to control what users can do when they request access. In this
example of the activity log in the Azure portal, you can note that requests are logged, allowing you to easily monitor and
audit access for all JIT events.

The policy also helps you quickly identify the existing VMs that are JIT VM Access enabled, and you can note the VMs
where JIT VM access is recommended.
In conclusion, for Sam's Scoops, JIT protection of the virtual machines make sense for the business, as most of the time
management access will not be needed. In this video, you learned that JIT is a great way to control access and reduce the
risk from open management ports on your Azure Virtual Machines. It enables you to close down these ports and only
open them when a legitimate user needs access to that particular machine.

Key management and encryption

You learned how to better manage access to virtual machines with just in time or JIT. But gaining access to a machine is
not the only way data can be accessed. Data stored in the cloud could be hosted with other company's data, all on the
same hardware, and when transporting the data, it is vulnerable to interception.

When using any public cloud service, it is critical to protect data at all times across the cloud, and this is where
encryption comes in. In this lesson, you will explore the best practices around encryption when using virtual machines in
Microsoft Azure and learn how to describe key management processes that are used to protect data.

To understand the different types of encryption, you should know that all data can be in different states at different
moments in time. At the most basic level, data can have the following two states, data at rest is settled and stored
somewhere. It can include storage objects and files that are on physical media. The media can be optical disks or
magnetic disks, such as hard drive disks or HDDs, and data in transit is being moved whether over a network or between
two locations or between applications.

First, let's examine data at rest encryption. This kind of encryption is a mandatory step to ensure data privacy,
compliance and sovereignty. The at rest encryption in Azure uses symmetric encryption to encrypt and decrypt large
amounts of data quickly, and the following two best practices are recommended, you should apply disk encryption to
help safeguard your data.
You can use Azure Disk Encryption for Linux VMs, or Azure Disk Encryption for Windows VMs. Disk Encryption combines
the industry standard Linux dm-crypt or Windows BitLocker feature to provide volume encryption for the operating
system and data disks.

You should also use encryption to help mitigate risks related to unauthorized data access. To do so, you have to encrypt
your drives before you write sensitive data to them. Protecting data in transit is also an essential part of any data
protection strategy.

Because data is moving back and forth from many locations, it is recommended to use TLS protocols to exchange data
across different locations.

In some circumstances, you can isolate the entire communication channel between your on premises and cloud
infrastructures by using a VPN.
It also depends what service is being used and by whom. For example, Azure customer traffic has to be encrypted when
it moves between data centers. In other words, outside the physical boundaries of Microsoft's control. A data link layer
encryption method using the IEEE 802.1AE MAC Security Standards, also known as MACsec, is applied from point to
point across the underlying network hardware. The packets are encrypted on the devices before being sent, preventing
physical man in the middle, sniffing and spoofing attacks.

Best practices for data in transit include securing access from individual workstations located on premises to an Azure
virtual network by using a point-to-site VPN. Securing access from multiple workstations located on premises to an Azure
virtual network by using a site-to-site VPN and moving larger datasets over a dedicated high speed WAN link. If you
choose to use ExpressRoute to create a high-speed WAN link, you can also encrypt the data at the application level by
using SSL, TLS or other protocols for added protection. The combination ensure data is protected at the application,
transport and data link layers of the OSI model.
Next, let's move on to Azure key management. In Azure, encryption keys can be either platform managed or customer
managed. Platform-managed Keys, or PMKs, are encryption keys that are generated, stored, and managed entirely by
Azure. Customers do not interact with PMKs. For example, the keys used for Azure data encryption at rest are PMKs by
default. Customer-managed Keys or CMKs, on the other hand, are those that can be read, created, deleted, updated, and
or administered by one or more customers.

For example, Bring Your Own Key or BYOK is a CMK scenario in which a customer imports keys from an outside storage
location into an Azure key management service.

Another specific kind of customer managed key is the key encryption Key, or KEK. A KEK is a primary key that controls
access to one or more encryption keys that are themselves encrypted. Customer-managed keys can be stored on
premises or, more commonly, in a cloud key management service.
Key Vault is the Microsoft recommended solution for managing and controlling access to encryption keys used by
cloud services. Permissions to access keys can be assigned to services or to users through Azure Active Directory
accounts. When you use Key Vault, the customer maintains control, and Microsoft never sees your keys and
applications don't have direct access to them.

In conclusion, securing data across any public cloud platform is a vital part of any data protection strategy, whether the
data is in transit or at rest. Microsoft Azure provides encryption mechanisms to cover both states. For at-rest, data
symmetric encryption is used because it's quick. With in-transit data, many different mechanisms exist depending on
what service and location is being used, including VPN or MACsec technologies. Using a key management service like
Microsoft Key Vault can help manage and control access to the keys used across your Azure deployment. Following best
practices is essential to reduce risk to your data, and this includes managing the different encryption keys in use.

JIT and encryption

Introduction Previously you learned that data within Microsoft Azure can be in two different states: at rest or in transit.
For both of these states, Microsoft Azure offers different solutions and best practices to keep the data secure. For
example, using VPNs, TLS, MACsec, symmetric encryption and many more encryption technologies. With all of these
technologies, a key or certificate is used to encrypt the data, so looking after your keys and having a good key
management process is important to keep your data secure.

Sam’s Scoops is using JIT to protect access to its virtual machines, but that data has to be encrypted, while still giving
access to third-party developers to work on applications for the business. For this, the developers will need access to
keys. In this reading, you will learn about key management within Azure and identify the technical steps involved in the
key management process.

Azure encryption in transit and at rest Sam’s Scoops now has a warehouse, and several shops with employees.
Employees as well as customers produce data, and customer data is used for marketing the business. All this data needs
to be stored somewhere secure, but easily accessible. It can be stored in different types of storage across Azure,
depending on the type of data and service.

Sam’s Scoops, for example, needs file share and storage for the operating systems of virtual machines like the web server.
The data can be secured with Azure disk encryption to encrypt data at rest, but how do you ensure that the data in these
files is encrypted before it’s moved to Azure? For this you can use client-side encryption or server-side encryption.

Client-side encryption Client-side encryption is performed outside of Azure. It includes:

 Data encrypted by an application that’s running in the customer’s datacenter or by a service application.

 Data that is already encrypted when it is received by Azure.

With client-side encryption, cloud service providers don’t have access to the encryption keys and cannot decrypt this
data. You maintain complete control of the keys.

To encrypt the data using client-side encryption a content encryption key (CEK) first has to be created. You need this CEK
to encrypt the data on the client network. This key is then encrypted through a key encryption key (KEK). Finally, the
encrypted data can be stored in Azure Storage. This process is called envelope encryption as demonstrated in this
graphic.
This is just one of the encryption processes that can be used across Azure, and it can get quite complicated.

Server-side encryption There are three server-side encryption models which offer different key management
characteristics, and you can choose one according to your requirements. The models are:

 Service-managed keys: Provides a combination of control and convenience with low overhead.

 Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or
allows you to generate new ones.

 Service-managed keys in customer-controlled hardware: Enables you to manage keys in your proprietary
repository, outside of Microsoft control. This characteristic is called Host Your Own Key (HYOK). However,
configuration is complex, and most Azure services don’t support this model.

Businesses can have many users and a lot of data so it’s critical to have something to manage all of these keys. That’s
where Azure Key Vault comes in.

Azure Key Vault As you have previously learned, Azure Key Vault is one of several key management solutions in Azure
and helps solve the following problems.

 Key management: Azure Key Vault can be used as a key management solution. Azure Key Vault makes it easy to
create and control the encryption keys used to encrypt your data.

 Secrets management: Azure Key Vault can be used to securely store and tightly control access to tokens,
passwords, certificates, API keys, and other secrets.

Azure Key Vault also helps with certificate management as it lets you easily provision, manage, and deploy public and
private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internally
connected resources. Below is an example of a certificate in the Key Vault.
When you use client-side encryption with Key Vault, your data is encrypted using a one-time symmetric Content
Encryption Key (CEK) that is generated by the Azure Storage client SDK. More information on using the Azure storage
client SDK can be found in the additional resources at the end of this lesson. The CEK is encrypted using a Key Encryption
Key (KEK), which can be either a symmetric key or an asymmetric key pair. You can manage it locally or store it in Key
Vault. The encrypted data is then uploaded to Azure Storage.

To perform any operations with Key Vault, you first need to authenticate it. Authentication with Key Vault works with
Azure Active Directory, which is responsible for authenticating the identity of any given security principal.

When deploying an app on a virtual machine in Azure, you can assign an identity to the virtual machine that has access
to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or
service isn't managing the rotation of the first secret. Azure automatically rotates the service principal client secret
associated with the identity. This is the recommended approach as a best practice.
Azure Key Vault enforces Transport Layer Security (TLS) protocol to protect data when it’s traveling between Azure Key
Vault and clients. Clients negotiate a TLS connection with Azure Key Vault.

Anybody with an Azure subscription can create and use key vaults. Although Key Vault benefits developers and security
administrators, it can be implemented and managed by an organization's administrator who manages other Azure
services. For example, the administrator can sign in with an Azure subscription, create a vault for the organization in
which to store keys, and then be responsible for operational tasks like:

 Creating or importing a key or secret

 Revoking or deleting a key or secret

 Authorizing users or applications to access the key vault so they can then manage or use its keys and secrets

 Configuring key usage, for example, sign or encrypt

 Monitoring key usage

For developers, applications can securely access the information they need by using URIs. While URLs allow you to locate
a resource, a URI simply identifies a resource. This means that a URI is not necessarily intended as an address to get a
resource. It is meant just as an identifier. These URIs allow the applications to retrieve specific versions of a secret.
There's no need to write custom code to protect any of the secret information stored in Key Vault.

In the example below, the administrator gives developers URIs to call from their applications for the keys they can use.
This administrator also has access to key usage and logging information.
This is a setup that will work well for Sam’s Scoops. The web developer can use JIT to gain access to the virtual machine
and they can also be assigned the correct access rights to use the key vault and store secrets.

Conclusion When using a public cloud service like Microsoft Azure, it’s important to encrypt any data that is stored
within its datacenters. It’s just as important to encrypt all of that data before it has even been moved to the cloud. Many
methods exist, like the envelope encryption process, but they all create and need encryption keys, and with many keys to
manage a key management process is needed.

For key management, the Azure key vault service can be used to manage and monitor key usage. For key management to
work, users, applications, and machines all have to be identified and Azure Active Directory can be used to authenticate
users and give them access to the relevant keys they need to perform their role. Azure Key Vault would work for Sam’s
Scoops as the developer can use JIT for machine access and authenticate using Azure Active Directory to gain access to
the correct encryption keys within the Azure Key Vault.

Implementing just-in-time access

You have learned about just-in-time access and the benefits of protecting but still allowing access to management ports.
Configurating JIT can be performed in a number of different ways. You can use Defender for Cloud, programmatically
enable JIT VM access with your own custom options, or you can enable JIT with default hard coded parameters from
Azure Virtual Machines.

In this lesson, you’ll focus on how to configure JIT using hard coded parameters from Azure Virtual Machines enabling
SSH remote access. Before enabling JIT, Defender for Cloud has to be enabled. It has a 30-day free trial that converts to a
paid subscription. From the Azure Homepage, search for and select Virtual machines. Click the SamScoopsWeb virtual
machine and select Configuration from the left-hand menu, select Upgrade your Microsoft Defender for Cloud
subscription to enable a just-in-time access.

Select Upgrade on the Microsoft Defender for Cloud page, select Continue without installing agents on the right-hand
side. You are now running the 30-day Defender for Cloud subscription, and now you can follow along to learn how to
enable JIT on a VM from the Azure Virtual Machines pages of the Azure Portal.

On the Azure Portal, search for and select Virtual machines. Select the SamScoopsWeb virtual machine you want to
protect with JIT. In the left-hand menu, select Configuration. You can now select Enable just-in-time, by default, just-in-
time access for the VM for Windows Machines allow RDP access on port 3389 for 3 hours and from any IP address as in
this example.
To edit any of these values and add SSH access, use Microsoft Defender for Cloud's just-in-time page. Under the just-in-
time VM access, click on Open Microsoft Defender for Cloud, from the Configured tab, right-click on the VM to which you
want to add a port and select Edit. Under JIT VM access configuration, you can either edit the existing settings of an
already protected port or add a new custom port. To add SSH, select Add and add the port number for the SSH, which is
22.
Select TCP and leave the allowed source at per-request, which is any IP address. Also, leave the default of 3 hours and
select OK. Now that SSH has been added, you can delete access for RDP by clicking the three dots on the right of the
page and selecting Delete.

The SamScoopsWeb machine now just supports remote access via SSH. In this video, you saw how JIT access can be set
up to manage virtual machines. This can be achieved in a number of ways, but to start, you have to enable Defender for
Cloud to enable the JIT feature. From here, you can configure JIT via Defender for Cloud or from the virtual machine
itself, as in the example. Once configured, JIT restricts access to machines until a user requests access to the device.

Best practices for securing Azure resources

Introduction Securing resources within Microsoft Azure is about reducing the cybersecurity threat landscape. You have
learned that management access to VMs is necessary but can expose the device to threats so using tools like JIT is
important because it can reduce this exposure. Any data that is on Azure or is being moved to Azure needs to be
encrypted at rest or in transit and many different options exist from VPN connections to symmetric encryption.

In this reading, you will explore the best practices that will help you secure resources in the future.

Security best practices Azure virtual machines (VMs) are the main workload for organizations that use cloud computing.
This fact is highlighted in hybrid scenarios where organizations slowly migrate workloads to the cloud, so protecting
these workloads is a priority. Below is a set of best practices you should follow.
Ensure that only authorized users can set up new VMs and access VMs

Best practice: Secure privileged access.

Detail: Use a least-privilege approach and built-in Azure roles to enable users to access and set up VMs. These roles
include:

 Virtual Machine Contributor: Can manage VMs, but not the virtual network or storage account to which they are
connected.

 Classic Virtual Machine Contributor: Can manage VMs created by using the classic deployment model, but not
the virtual network or storage account to which the VMs are connected.

 Security Admin in Defender for Cloud only: Can view security policies and security states, edit security policies,
view alerts and recommendations, and dismiss alerts and recommendations.

 DevTest Labs User: Can view everything and connect, start, restart, and shut down VMs.

Protect machines from malware

Best practice: Install an antimalware solution to help identify and remove viruses, spyware, and other malicious
software.

Detail: Install a Microsoft partner solution or Microsoft Antimalware or a Microsoft partner solution. For example, Trend
Micro, Broadcom, McAfee, Windows Defender, or System Center Endpoint Protection.

Best practice: Integrate the antimalware solution with Defender for Cloud to monitor the status of your protection.

Detail: Manage endpoint protection issues with Defender for Cloud.

Manage VM updates

Azure doesn't push Windows updates to VMs so VM updates need to managed.

Best practice: Keep VMs current.

Detail: Use the Update Management solution in Azure Automation to manage operating system updates. You can do this
for your Windows and Linux computers that are deployed in Azure, in on-premises environments, or in other cloud
providers. You can quickly assess the status of available updates on all agent computers and manage the process of
installing required updates for servers. If you’re using Windows Update, leave the automatic Windows Update setting
enabled.

Best practice: Ensure at deployment that images built include the most recent round of Windows updates.

Detail: Check for and install all Windows updates as a first step of every deployment. This measure is especially
important to apply when deploying images that come from a business’s own library. Although images from the Azure
Marketplace are updated automatically by default, there can be a lag time (up to a few weeks) after a public release.

Best practice: Periodically redeploy your VMs to force a fresh version of the OS.

Detail: Define VMs with an Azure Resource Manager template so they can easily redeploy it. Using a template provides a
patched and secure VM when its needed.

Organizations that don't enforce software update policies are more exposed to threats that exploit known, previously
fixed vulnerabilities. To comply with industry regulations, companies must prove that they are diligent and using correct
security controls to help ensure the security of their workloads located in the cloud.

Encrypt virtual hard disk files It is recommended that virtual hard disks (VHDs) are encrypted to help protect boot
volume and data volumes at rest in storage, along with encryption keys and secrets.

Azure Disk Encryption for Linux VMs and Azure Disk Encryption for Windows VMs helps you encrypt your Linux and
Windows IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard DM-Crypt feature of Linux and
the BitLocker feature of Windows to provide volume encryption for the OS and the data disks. The solution is integrated
with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription.
The solution also ensures that all data on the virtual machine disks are encrypted at rest in Azure Storage. Below are best
practices for using Azure Disk Encryption.

Best practice: Enable encryption on VMs.

Detail: Azure Disk Encryption generates and writes the encryption keys to Key Vault. Managing encryption keys in Key
Vault requires Azure AD authentication. You should create an Azure AD application for this purpose. For authentication
purposes, you can use either client secret-based authentication or client certificate-based Azure AD authentication.

Best practice: Use a key encryption key (KEK) for an additional layer of security for encryption keys. Add a KEK to your key
vault.

Detail: Create a key encryption key in the key vault. Businesses can also import a KEK from an on-premises hardware
security module (HSM) for key management. When a key encryption key is specified, Azure Disk Encryption uses that key
to wrap the encryption secrets before writing to Key Vault.

Best practice: Take a snapshot and/or backup before disks are encrypted. Backups provide a recovery option if an
unexpected failure happens during encryption.

Detail: VMs with managed disks require a backup before encryption occurs. For more information about how to back up
and restore encrypted VM using Azures, visit the additional resources.

Monitor and restrict VM direct internet connectivity

Attackers constantly scan public cloud IP ranges for open management ports and attempt straightforward attacks like
common passwords and known unpatched vulnerabilities.

Best practice: Prevent inadvertent exposure to network routing and security.

Detail: Use Azure RBAC to ensure that only the central networking group has permission to access networking resources.

Best practice: Identify and remediate exposed VMs that allow access from any source IP address.

Detail: Use Microsoft Defender for Cloud. Defender for Cloud will recommend that access should be restricted through
internet-facing endpoints if any network security groups have one or more inbound rules that allow access from any
source IP address. Defender for Cloud will recommend that these inbound rules are set to restrict access to source IP
addresses that actually need access.

Best practice: Restrict management ports (RDP, SSH).

Detail: Just-in-time (JIT) VM access can be used to lock down inbound traffic to Azure VMs, reducing exposure to attacks
while providing easy access to connect to VMs when needed. When JIT is enabled, Defender for Cloud locks down
inbound traffic to Azure VMs by creating a network security group rule. Select the ports on the VM to which inbound
traffic will be locked down. These ports are controlled by the JIT solution.

Conclusion Reducing the threat landscape across your whole cloud deployment in Microsoft Azure is important, and for
your VM resources it’s critical. This is because VMs in the cloud are the workloads for organizations and if they fail it can
negatively affect how a business functions. Microsoft Azure offers many different security options, and best practices
should be followed. This allows a business to ensure only authorized access to their VMs is allowed, that data is
encrypted at all stages, VMs are kept up-to-date, machines are protected from malware and their exposure on to the
internet is reduced.

Exercise: Secure ports with JIT

Introduction

You have previously configured an Azure standard firewall to protect a virtual network hosting a virtual machine. You
have also learned that some ports are still exposed so that virtual machines can be managed remotely within Azure.
JIT can help reduce this exposure and in this exercise you implemented JIT so that SSH and RDP sessions can be used
to manage a virtual machine.

Case study

Now that the Azure firewall is protecting the Sam Scoops web server, the server is nearly ready to be handed over to
the website developers. However the management ports needed to develop the server are exposed 24/7 and your
manager has tasked you to reducing this exposure using JIT.

Instructions

For this exercise to be successful the exercise Create a Windows virtual machine in the Azure portal from Lesson 2 has
to have been completed and the machine needs to still be present. If not please revisit that exercise first.

Step 1: Enable Azure Defender for cloud

This is a free 30-day trial that converts to a paid for subscription after the 30 days.

1. From the Azure home page, search for and select Virtual machines.
2. Select the SamScoopsWeb virtual machine.

3. Select Configuration from the left-hand side menu.

4. Select Upgrade your Microsoft Defender for Cloud subscription to enable a just-in-time access.

5. Select Upgrade on the Microsoft Defender for Cloud page.

6. Select continue without installing agents on the right-hand side.

Step 2: Enable JIT access

1. From the Azure homepage, search for and select Virtual machines.
2. Select the SamScoopsWeb virtual machine.

3. In the left-hand menu, select Configuration.

4. Select Enable just-in-time.

Step 3: Configure JIT policies for SSH and RDP from Microsoft Defender for Cloud

1. From the SamScoopsWeb Configuration page select Open Microsoft Defender for Cloud.
2. From the Configured tab, right-click on the VM to which you want to add a port, and select edit.

3. To add SSH select Add and add the port number for SSH which is 22.
4. Select TCP and leave the defaults.

5. Select OK.
Step 4: Test remote access

1. Select Microsoft Azure at the top of the page to take you back to the portal home page.

2. Search for and select Virtual machines.

3. Select the SamScoopsWeb virtual machine.

4. Select Start to power on virtual machine from top of page.

5. Select Connect from the left-hand menu.

6. Select Request access.

7. Select Download RDP file.

8. Select the downloaded RDP file from your downloads folder.

9. Select Connect.
10. Enter the username AzAdmin and the password P@$$@1234567 and select OK.

You have now connected to the webserver using JIT access and you should see a window like the one below.
Clean-up

If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to stop
compute resources after completing each lesson. When you're working in your own subscription, it's also a good idea
at the end of a project to identify whether you still need the resources you created. Resources left running can cost
you money. You can delete resources individually or delete the resource group to delete the entire set of resources.

Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
exercise.

Conclusion You should now have successfully configured JIT access on the Sam’s Scoops web server, and tested that
remote access is still working. Access to this machine will still work for the web developers, but the management
ports are no longer exposed 24/7.

AZURE ENCRYPTION OVERVIEW

This article provides an overview of how encryption is used in Microsoft Azure. It covers the major areas of encryption,
including encryption at rest, encryption in flight, and key management with Azure Key Vault. Each section includes links
to more detailed information.

Encryption of data at rest Data at rest includes information that resides in persistent storage on physical media, in any
digital format. The media can include files on magnetic or optical media, archived data, and data backups. Microsoft
Azure offers a variety of data storage solutions to meet different needs, including file, disk, blob, and table storage.
Microsoft also provides encryption to protect Azure SQL Database, Azure Cosmos DB, and Azure Data Lake.

Data encryption at rest using AES 256 data encryption is available for services across the software as a service (SaaS),
platform as a service (PaaS), and infrastructure as a service (IaaS) cloud models. This article summarizes and provides
resources to help you use the Azure encryption options. For a more detailed discussion of how data at rest is encrypted
in Azure, see Azure Data Encryption-at-Rest.
Azure encryption models Azure supports various encryption models, including server-side encryption that uses service-
managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With
client-side encryption, you can manage and store keys on-premises or in another secure location.

Client-side encryption Client-side encryption is performed outside of Azure. It includes:

 Data encrypted by an application that’s running in the customer’s datacenter or by a service application.

 Data that is already encrypted when it is received by Azure.

With client-side encryption, cloud service providers don’t have access to the encryption keys and cannot decrypt this
data. You maintain complete control of the keys.

Server-side encryption The three server-side encryption models offer different key management characteristics, which
you can choose according to your requirements:

 Service-managed keys: Provides a combination of control and convenience with low overhead.

 Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or
allows you to generate new ones.

 Service-managed keys in customer-controlled hardware: Enables you to manage keys in your proprietary
repository, outside of Microsoft control. This characteristic is called Host Your Own Key (HYOK). However,
configuration is complex, and most Azure services don’t support this model.

Azure disk encryption All Managed Disks, Snapshots, and Images are encrypted using Storage Service Encryption using a
service-managed key. Azure also offers options to protect temp disks, caches, and manage keys in Azure Key Vault. For
more information, see Overview of managed disk encryption options.

Azure Storage Service Encryption Data at rest in Azure Blob storage and Azure file shares can be encrypted in both
server-side and client-side scenarios.

Azure Storage Service Encryption (SSE) can automatically encrypt data before it is stored, and it automatically decrypts
the data when you retrieve it. The process is completely transparent to users. Storage Service Encryption uses 256-
bit Advanced Encryption Standard (AES) encryption, which is one of the strongest block ciphers available. AES handles
encryption, decryption, and key management transparently.

Client-side encryption of Azure blobs You can perform client-side encryption of Azure blobs in various ways. You can use
the Azure Storage Client Library for .NET NuGet package to encrypt data within your client applications prior to uploading
it to your Azure storage. To learn more about and download the Azure Storage Client Library for .NET NuGet package,
see Windows Azure Storage 8.3.0.

When you use client-side encryption with Key Vault, your data is encrypted using a one-time symmetric Content
Encryption Key (CEK) that is generated by the Azure Storage client SDK. The CEK is encrypted using a Key Encryption Key
(KEK), which can be either a symmetric key or an asymmetric key pair. You can manage it locally or store it in Key Vault.
The encrypted data is then uploaded to Azure Storage.

To learn more about client-side encryption with Key Vault and get started with how-to instructions, see Tutorial: Encrypt
and decrypt blobs in Azure Storage by using Key Vault.

Finally, you can also use the Azure Storage Client Library for Java to perform client-side encryption before you upload
data to Azure Storage, and to decrypt the data when you download it to the client. This library also supports integration
with Key Vault for storage account key management.

Encryption of data at rest with Azure SQL Database Azure SQL Database is a general-purpose relational database service
in Azure that supports structures such as relational data, JSON, spatial, and XML. SQL Database supports both server-side
encryption via the Transparent Data Encryption (TDE) feature and client-side encryption via the Always Encrypted
feature.

Transparent Data Encryption TDE is used to encrypt SQL Server, Azure SQL Database, and Azure Synapse Analytics data
files in real time, using a Database Encryption Key (DEK), which is stored in the database boot record for availability
during recovery.

TDE protects data and log files, using AES and Triple Data Encryption Standard (3DES) encryption algorithms. Encryption
of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are
written to disk and are decrypted when they’re read into memory. TDE is now enabled by default on newly created Azure
SQL databases.

Always Encrypted feature With the Always Encrypted feature in Azure SQL you can encrypt data within client
applications prior to storing it in Azure SQL Database. You can also enable delegation of on-premises database
administration to third parties and maintain separation between those who own and can view the data and those who
manage it but should not have access to it.

Cell-level or column-level encryption With Azure SQL Database, you can apply symmetric encryption to a column of data
by using Transact-SQL. This approach is called cell-level encryption or column-level encryption (CLE), because you can use
it to encrypt specific columns or even specific cells of data with different encryption keys. Doing so gives you more
granular encryption capability than TDE, which encrypts data in pages. CLE has built-in functions that you can use to
encrypt data by using either symmetric or asymmetric keys, the public key of a certificate, or a passphrase using 3DES.

Azure Cosmos DB database encryption Azure Cosmos DB is Microsoft's globally distributed, multi-model database. User
data that's stored in Azure Cosmos DB in non-volatile storage (solid-state drives) is encrypted by default. There are no
controls to turn it on or off. Encryption at rest is implemented by using a number of security technologies, including
secure key storage systems, encrypted networks, and cryptographic APIs. Encryption keys are managed by Microsoft and
are rotated per Microsoft internal guidelines. Optionally, you can choose to add a second layer of encryption with keys
you manage using the customer-managed keys or CMK feature.

At-rest encryption in Data Lake Azure Data Lake is an enterprise-wide repository of every type of data collected in a
single place prior to any formal definition of requirements or schema. Data Lake Store supports "on by default,"
transparent encryption of data at rest, which is set up during the creation of your account. By default, Azure Data Lake
Store manages the keys for you, but you have the option to manage them yourself.

Three types of keys are used in encrypting and decrypting data: the Master Encryption Key (MEK), Data Encryption Key
(DEK), and Block Encryption Key (BEK). The MEK is used to encrypt the DEK, which is stored on persistent media, and the
BEK is derived from the DEK and the data block. If you are managing your own keys, you can rotate the MEK.

Encryption of data in transit Azure offers many mechanisms for keeping data private as it moves from one location to
another.

Data-link Layer encryption in Azure Whenever Azure Customer traffic moves between datacenters-- outside physical
boundaries not controlled by Microsoft (or on behalf of Microsoft)-- a data-link layer encryption method
using the IEEE 802.1AE MAC Security Standards (also known as MACsec) is applied from
point-to-point across the underlying network hardware. The packets are encrypted on the
devices before being sent, preventing physical “man-in-the-middle” or snooping/wiretapping
attacks. Because this technology is integrated on the network hardware itself, it provides
line rate encryption on the network hardware with no measurable link latency increase. This
MACsec encryption is on by default for all Azure traffic traveling within a region or between
regions, and no action is required on customers’ part to enable.
TLS encryption in Azure Microsoft gives customers the ability to use Transport Layer Security (TLS) protocol to protect
data when it’s traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection
with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity
(enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of
deployment and use.

Perfect Forward Secrecy (PFS) protects connections between customers’ client systems and Microsoft cloud services by
unique keys. Connections also support RSA-based 2,048-bit key lengths, ECC 256-bit key lengths, SHA-384 message
authentication, and AES-256 data encryption. This combination makes it difficult for someone to intercept and access
data that is in transit.

Azure Storage transactions When you interact with Azure Storage through the Azure portal, all transactions take place
over HTTPS. You can also use the Storage REST API over HTTPS to interact with Azure Storage. You can enforce the use of
HTTPS when you call the REST APIs to access objects in storage accounts by enabling the secure transfer that's required
for the storage account.

Shared Access Signatures (SAS), which can be used to delegate access to Azure Storage objects, include an option to
specify that only the HTTPS protocol can be used when you use Shared Access Signatures. This approach ensures that
anybody who sends links with SAS tokens uses the proper protocol.

SMB 3.0, which used to access Azure Files shares, supports encryption, and it's available in Windows Server 2012 R2,
Windows 8, Windows 8.1, and Windows 10. It allows cross-region access and even access on the desktop.

Client-side encryption encrypts the data before it’s sent to your Azure Storage instance, so that it’s encrypted as it travels
across the network.

SMB encryption over Azure virtual networks By using SMB 3.0 in VMs that are running Windows Server 2012 or later,
you can make data transfers secure by encrypting data in transit over Azure Virtual Networks. By encrypting data, you
help protect against tampering and eavesdropping attacks. Administrators can enable SMB encryption for the entire
server, or just specific shares. By default, after SMB encryption is turned on for a share or server, only SMB 3.0 clients are
allowed to access the encrypted shares.

In-transit encryption in VMs Data in transit to, from, and between VMs that are running Windows can be encrypted in a
number of ways, depending on the nature of the connection.

RDP sessions You can connect and sign in to a VM by using the Remote Desktop Protocol (RDP) from a Windows client
computer, or from a Mac with an RDP client installed. Data in transit over the network in RDP sessions can be protected
by TLS. You can also use Remote Desktop to connect to a Linux VM in Azure.

Secure access to Linux VMs with SSH For remote management, you can use Secure Shell (SSH) to connect to Linux VMs
running in Azure. SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. It is
the default connection protocol for Linux VMs hosted in Azure. By using SSH keys for authentication, you eliminate the
need for passwords to sign in. SSH uses a public/private key pair (asymmetric encryption) for authentication.

Azure VPN encryption You can connect to Azure through a virtual private network that creates a secure tunnel to protect
the privacy of the data being sent across the network.

Azure VPN gateways You can use an Azure VPN gateway to send encrypted traffic between your virtual network and your
on-premises location across a public connection, or to send traffic between virtual networks. Site-to-site VPNs
use IPsec for transport encryption. Azure VPN gateways use a set of default proposals. You can configure Azure VPN
gateways to use a custom IPsec/IKE policy with specific cryptographic algorithms and key strengths, rather than the
Azure default policy sets.

Point-to-site VPNs Point-to-site VPNs allow individual client computers access to an Azure virtual network. The Secure
Socket Tunneling Protocol (SSTP) is used to create the VPN tunnel. It can traverse firewalls (the tunnel appears as an
HTTPS connection). You can use your own internal public key infrastructure (PKI) root certificate authority (CA) for point-
to-site connectivity.

You can configure a point-to-site VPN connection to a virtual network by using the Azure portal with certificate
authentication or PowerShell.

To learn more about point-to-site VPN connections to Azure virtual networks, see:

Configure a point-to-site connection to a virtual network by using certification authentication: Azure portal

Configure a point-to-site connection to a virtual network by using certificate authentication: PowerShell

Site-to-site VPNs You can use a site-to-site VPN gateway connection to connect your on-premises network to an Azure
virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires an on-premises VPN
device that has an external-facing public IP address assigned to it.

You can configure a site-to-site VPN connection to a virtual network by using the Azure portal, PowerShell, or Azure CLI.

For more information, see:

Create a site-to-site connection in the Azure portal

Create a site-to-site connection in PowerShell

Create a virtual network with a site-to-site VPN connection by using CLI

In-transit encryption in Data Lake Data in transit (also known as data in motion) is also always encrypted in Data Lake
Store. In addition to encrypting data prior to storing it in persistent media, the data is also always secured in transit by
using HTTPS. HTTPS is the only protocol that is supported for the Data Lake Store REST interfaces.

To learn more about encryption of data in transit in Data Lake, see Encryption of data in Data Lake Store.

Key management with Key Vault Without proper protection and management of the keys, encryption is rendered
useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used
by cloud services. Permissions to access keys can be assigned to services or to users through Microsoft Entra accounts.

Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key
management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications
don’t have direct access to them. You can also import or generate keys in HSMs.

CONFIGURE SERVER SETTINGS FOR P2S VPN GATEWAY

CERTIFICATE AUTHENTICATION
VPN gateway connection architecture relies on the configuration of multiple resources, each of which contains
configurable settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a
virtual network. You can find descriptions and topology diagrams for each connection solution in the VPN Gateway
topology and design article.

The values in this article specifically apply to VPN gateways (virtual network gateways that use the -GatewayType Vpn). If
you're looking for information about the following types of gateways, see the following articles:

 For values that apply to -GatewayType 'ExpressRoute', see Virtual network gateways for ExpressRoute.

 For zone-redundant gateways, see About zone-redundant gateways.

 For Virtual WAN gateways, see About Virtual WAN.

Gateways and gateway types A virtual network gateway is composed of two or more Azure-managed VMs that are
automatically configured and deployed to a specific subnet that you create called the gateway subnet. The gateway VMs
contain routing tables and run specific gateway services. When you create a virtual network gateway, the gateway VMs
are automatically deployed to the gateway subnet (always named GatewaySubnet), and configured with the settings that
you specified. The process can take 45 minutes or more to complete, depending on the gateway SKU that you selected.

One of the settings that you specify when creating a virtual network gateway is the gateway type. The gateway type
determines how the virtual network gateway is used and the actions that the gateway takes. A virtual network can have
two virtual network gateways; one VPN gateway and one ExpressRoute gateway. The -GatewayType 'Vpn' specifies that
the type of virtual network gateway created is a VPN gateway. This distinguishes it from an ExpressRoute gateway.

Gateway SKUs and performance See About Gateway SKUs article for the latest information about gateway SKUs,
performance, and supported features.

VPN types Azure supports two different VPN types for VPN gateways: policy-based and route-based. Route-based VPN
gateways are built on a different platform than policy-based VPN gateways. This results in different gateway
specifications. The following table shows the gateway SKUs that support each of the VPN types, and associated
supported IKE versions.

Expand table

Gateway VPN type Gateway SKU IKE versions supported

Policy-based gateway Basic IKEv1

Route-based gateway Basic IKEv2

Route-based gateway VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5 IKEv1 and IKEv2

Route-based gateway VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ IKEv1 and IKEv2

In most cases, you'll create a route-based VPN gateway. Previously, the older gateway SKUs didn't support IKEv1 for
route-based gateways. Now, most of the current gateway SKUs support both IKEv1 and IKEv2.

 As of Oct 1, 2023, policy-based gateways can only be configured using PowerShell or CLI, and aren't available in
the Azure portal. To create a policy-based gateway, see Create a Basic SKU VPN gateway using PowerShell.

 If you already have a policy-based gateway, you aren't required to change your gateway to route-based unless
you want to use a configuration that requires a route-based gateway, such as point-to-site.

 You can't convert a policy-based gateway to route-based. You must delete the existing gateway, and then create a
new gateway as route-based.

Active-active mode gateways Azure VPN gateways can be configured as active-standby or active-active. In an active-
active configuration, both instances of the gateway VMs establish site-to-site VPN tunnels to your on-premises VPN
device. Active-active mode gateways are a key part of highly available gateway connectivity design. For more
information, see the following articles:

 About active-active gateways

 Design highly available gateway connectivity for cross-premises and VNet-to-VNet connections

Gateway Private Ips This setting is used for certain ExpressRoute private peering configurations. For more information,
see Configure a Site-to-Site VPN connection over ExpressRoute private peering.

Connection types Each connection requires a specific virtual network gateway connection type. The available PowerShell
values for New-AzVirtualNetworkGatewayConnection -Connection Type are: IPsec, Vnet2Vnet, ExpressRoute, VPNClient.
Connection modes The Connection Mode property only applies to route-based VPN gateways that use IKEv2
connections. Connection modes define the connection initiation direction and apply only to the initial IKE connection
establishment. Any party can initiate rekeys and further messages. InitiatorOnly means the connection needs to be
initiated by Azure. ResponderOnly means the connection needs to be initiated by the on-premises device.
The Default behavior is to accept and dial whichever connects first.

Gateway subnet Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the
IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway,
gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Never deploy
anything else (for example, more VMs) to the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to
work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that this is the subnet to which it should
deploy the virtual network gateway VMs and services.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses
in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP
addresses than others.

When you're planning your gateway subnet size, refer to the documentation for the configuration that you're planning to
create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most
other configurations. While it's possible to create a gateway subnet as small as /29 (applicable to the Basic SKU only), all
other SKUs require a gateway subnet of size /27 or larger (/27, /26, /25 etc.). You might want to create a gateway subnet
larger than /27 so that the subnet has enough IP addresses to accommodate possible future configurations.

The following PowerShell example shows a gateway subnet named GatewaySubnet. You can see the CIDR notation
specifies a /27, which allows for enough IP addresses for most configurations that currently exist.

Azure PowerShellCopy

Open Cloud Shell

Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27

Considerations:

 User-defined routes with a 0.0.0.0/0 destination and network security groups (NSGs) on the gateway subnet are
not supported. Gateways with this configuration are blocked from being created. Gateways require access to the
management controllers in order to function properly. Border Gateway Protocol (BGP) route propagation should
be enabled on the gateway subnet to ensure availability of the gateway. If BGP route propagation is disabled, the
gateway won't function.

 Diagnostics, data path, and control path can be affected if a user-defined route overlaps with the gateway subnet
range or the gateway public IP range.

Local network gateways A local network gateway is different than a virtual network gateway. When you're working with
a VPN gateway site-to-site architecture, the local network gateway usually represents your on-premises network and the
corresponding VPN device.

When you configure a local network gateway, you specify the name, the public IP address or the fully qualified domain
name (FQDN) of the on-premises VPN device, and the address prefixes that are located on the on-premises location.
Azure looks at the destination address prefixes for network traffic, consults the configuration that you specified for your
local network gateway, and routes packets accordingly. If you use Border Gateway Protocol (BGP) on your VPN device,
you provide the BGP peer IP address of your VPN device and the autonomous system number (ASN) of your on-premises
network. You also specify local network gateways for VNet-to-VNet configurations that use a VPN gateway connection.

The following PowerShell example creates a new local network gateway:

Azure PowerShellCopy

Open Cloud Shell

New-AzLocalNetworkGateway -Name LocalSite -ResourceGroupName testrg `

-Location 'West US' -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.5.51.0/24'

Sometimes you need to modify the local network gateway settings. For example, when you add or modify the address
range, or if the IP address of the VPN device changes. For more information, see Modify local network gateway settings.

REST APIs, PowerShell cmdlets, and CLI For technical resources and specific syntax requirements when using REST APIs,
PowerShell cmdlets, or Azure CLI for VPN Gateway configurations, see the following pages:

 PowerShell

 Azure CLI

 REST API

TUTORIAL: CREATE AND MANAGE A VPN GATEWAY USING THE AZURE PORTAL
This tutorial helps you create and manage a virtual network gateway (VPN gateway) using the Azure portal. The VPN
gateway is one part of the connection architecture that helps you securely access resources within a virtual network
using VPN Gateway.

 The left side of the diagram shows the virtual network and the VPN gateway that you create by using the steps in
this article.

 You can later add different types of connections, as shown on the right side of the diagram. For example, you can
create site-to-site and point-to-site connections. To view different design architectures that you can build,
see VPN gateway design.

 For more information about Azure VPN Gateway, see What is Azure VPN Gateway? If you want to learn more
about the configuration settings used in this tutorial, see About VPN Gateway configuration settings.

In this tutorial, you learn how to:

 Create a virtual network.

 Create an active-active mode zone-redundant VPN gateway.

 View the gateway public IP address.

 Resize a VPN gateway (resize SKU).

  Reset a VPN gateway.

Note The steps in this article use the gateway SKU VpnGw2AZ, which is a SKU that supports Azure availability zones.
Effective May 2025, all regions will accept an AZ SKU, regardless of whether availability zones are supported in that
region. For more information about gateway SKUs, see About gateway SKUs.

Prerequisites You need an Azure account with an active subscription. If you don't have one, create one for free.

Create a virtual network This article uses the Azure portal to create a virtual network. You can also use a different tool or
method to create a virtual network. For more information or steps, see Create a virtual network. For this exercise, the
virtual network doesn't require the configuration of additional services, such as Azure Bastion or DDoS Protection.
However, you can add these services if you want to use them.

Setting Example value

Resource Group TestRG1

Virtual Network Name VNet1

Region East US

IPv4 address space 10.1.0.0/16

Subnet name FrontEnd

Subnet address space 10.1.0.0/24

1. Sign in to the Azure portal.

2. In Search resources, service, and docs (G+/) at the top of the portal page, enter virtual network. Select Virtual
network from the Marketplace search results to open the Virtual network page.

3. On the Virtual network page, select Create to open the Create virtual network page.

4. Fill out the required values for the Basics tab.

5. Select Next or Security to go to the Security tab. For this exercise, leave the default values for all the services on
this page.

6. Select IP Addresses to go to the IP Addresses tab. On the IP Addresses tab, configure the required settings.

7. Review the IP addresses page and remove any address spaces or subnets that you don't need.

8. Select Review + create to validate the virtual network settings.

9. After the settings are validated, select Create to create the virtual network.

Create a gateway subnet Virtual network gateway resources are deployed to a specific subnet named GatewaySubnet.
The gateway subnet is part of the virtual network IP address range that you specify when you configure your virtual
network.

If you don't have a subnet named GatewaySubnet, when you create your VPN gateway, it fails. We recommend that you
create a gateway subnet that uses a /27 (or larger). For example, /27 or /26. For more information, see VPN Gateway
settings - Gateway Subnet.

1. On the page for your virtual network, on the left pane, select Subnets to open the Subnets page.

2. At the top of the page, select + Subnet to open the Add subnet pane.
 3. For Subnet purpose, select Virtual Network Gateway from the dropdown.

4. The name is automatically entered as GatewaySubnet. Adjust starting IP address and size if necessary. For
example, 10.1.255.0/27.

5. Don't adjust the other values on the page. Click Add to add the subnet.

Important NSGs on the gateway subnet aren't supported. Associating a network security group to this subnet might
cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected. For more
information about network security groups, see What is a network security group?.
Create a VPN gateway In this section, you create the virtual network gateway (VPN gateway) for your virtual network.
Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. Use the following steps
to create a VPN gateway. Note that the VPN Gateway Basic SKU is only available in PowerShell or CLI.

1. In Search resources, services, and docs (G+/), enter virtual network gateway. Locate Virtual network
gateway in the Marketplace search results and select it to open the Create virtual network gateway page.
 2. On the Basics tab, fill in the values for Project details and Instance details.

Setting Value

Name Example: VNet1GW

Region The region for the gateway must be the same as the virtual network.

Gateway Select VPN. VPN gateways use the virtual network gateway type VPN.
type

SKU Example: VpnGw2AZ. We recommend that you select a Gateway SKU that ends in AZ if your region
supports availability zones.

Generation Generation 2

Virtual Example: VNet1. If your virtual network isn't available in the dropdown, you need to adjust the region
network you selected.

Subnet Example: 10.1.255.0/27, A subnet named GatewaySubnet is required to create a VPN gateway. If the
gateway subnet doesn't autopopulate, and you don't see the option to create one on this page, go back
to your virtual network page and create the gateway subnet.

3. Specify the values for Public IP address. These settings specify the public IP address object that gets associated
to the VPN gateway. The public IP address is assigned to this object when the VPN gateway is created. The only
time the primary public IP address changes is when the gateway is deleted and re-created.

Setting Value

Public IP address Example: VNet1GWpip1

name

Availability zone This setting is available for AZ SKUs in regions that support availability zones. Example: Zone-redundant.

Enable active- - Select Enabled to take advantage of the benefits of an active-active gateway. An active-active gateway
active mode requires an additional public IP address.
- If you plan to use this gateway for site-to-site connections, verify the active-active design that you want
to use.
- Connections with your on-premises VPN device must be configured specifically to take advantage of
active-active mode.
- Some VPN devices don't support active-active mode. If you're not sure, check with your VPN device
vendor. If you're using a VPN device that doesn't support active-active mode, you can select Disabled for
this setting.

Second public IP Only available for active-active mode gateways. Example: VNet1GWpip2
address name

Availability zone Example: Zone-redundant.

Configure BGP Select Disabled, unless your configuration specifically requires this setting. If you do require this setting,
the default ASN is 65515.

Enable Key Vault Select Disabled unless you have a specific requirement to enable this setting.
Access
 4. Select Review + create to run validation.

5. After validation passes, select Create to deploy the VPN gateway.

You can see the deployment status on the Overview page for your gateway. Once the gateway is created, you can view
the IP address assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

View public IP address To view public IP addresses associated to your virtual network gateway, navigate to your gateway
in the portal.

1. On the Virtual network gateway portal page, under Settings, open the Properties page.

2. To view more information about the IP address object, click the associated IP address link.

Resize a gateway SKU There are specific rules for resizing versus changing a gateway SKU. In this section, you resize the
SKU. For more information, see Resize or change gateway SKUs.

1. Go to the Configuration page for your virtual network gateway.

2. On the right side of the page, select the dropdown arrow to show a list of available SKUs. Notice that the list only
populates SKUs that you're able to use to resize your current SKU. If you don't see the SKU you want to use,
instead of resizing, you have to change to a new SKU.

3. Select the SKU from the dropdown list and save your changes.

Reset a gateway Gateway resets behave differently, depending on your gateway configuration. For more information,
see Reset a VPN gateway or a connection.

1. In the portal, go to the virtual network gateway that you want to reset.

2. On the Virtual network gateway page, in the left pane, scroll and locate Help -> Reset.

3. On the Reset page, select Reset. After the command is issued, the current active instance of Azure VPN gateway
is rebooted immediately. Resetting the gateway causes a gap in VPN connectivity and might limit future root
cause analysis of the issue.

Clean up resources If you're not going to continue to use this application or go to the next tutorial, delete these
resources.

1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search
results.

2. Select Delete resource group.

3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

This article helps you configure the necessary VPN Gateway point-to-site (P2S) server settings to let you securely connect
from individual client computers running Windows, Linux, or macOS to an Azure virtual network (VNet). P2S VPN
connections are useful when you want to connect to your virtual network from a remote location, such as when you're
telecommuting from home or a conference. You can also use P2S instead of a site-to-site (S2S) VPN when you have only
a few clients that need to connect to a virtual network.

P2S connections don't require a VPN device or a public-facing IP address. There are various different configuration
options available for P2S. For more information about point-to-site VPN, see About point-to-site VPN.
The steps in this article use the Azure portal to configure your Azure VPN gateway for point-to-site certificate
authentication. P2S Azure certificate authentication connections use the following items:

 A route-based VPN gateway (not policy-based). For more information about VPN type, see VPN Gateway settings.

 The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the certificate is uploaded, it's
considered a trusted certificate and is used for authentication.

 A client certificate that is generated from the root certificate. The client certificate installed on each client computer
that will connect to the VNet. This certificate is used for client authentication.

 VPN client configuration files. The VPN client is configured using VPN client configuration files. These files contain the
necessary information for the client to connect to the VNet. Each client that connects must be configured using the
settings in the configuration files.

Prerequisites This article assumes that you have already created a route-based VPN gateway that's compatible with the
P2S configuration that you want to create, the authentication method that you want to use, and the connecting VPN
clients.

 If you don't yet have a VPN gateway, see Create and manage a VPN gateway, then return to this page to
configure the point-to-site VPN gateway settings.

 To help determine the P2S configuration that you need, see the VPN client table.

 If you have a VPN gateway that uses the Basic SKU, understand that the Basic SKU has P2S limitations and
doesn't support IKEv2 or RADIUS authentication. For more information, see About gateway SKUs.

Generate certificates Certificates are used by Azure to authenticate clients connecting to a virtual network over a point-
to-site VPN connection. Once you obtain a root certificate, you upload the public key information to Azure. The root
certificate is then considered 'trusted' by Azure for connection over P2S to the virtual network.

You also generate client certificates from the trusted root certificate, then install them on each client computer. The
client certificate is used to authenticate the client when it initiates a connection to the virtual network. The root
certificate must be generated and extracted before you configure the point-to-site gateway settings.

Generate a root certificate Obtain the .cer file for the root certificate. You can use either a root certificate that was
generated with an enterprise solution (recommended) or generate a self-signed certificate. After you create the root
certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. You upload this file
later to Azure.
  Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. Acquire
the .cer file for the root certificate that you want to use.

 Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root
certificate. Otherwise, the certificates you create won't be compatible with your P2S connections and clients
receive a connection error when they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The
steps in the following articles describe how to generate a compatible self-signed root certificate:

o PowerShell instructions for Windows 10 or later: These instructions require PowerShell on a computer
running Windows 10 or later. Client certificates that are generated from the root certificate can be
installed on any supported P2S client.

o MakeCert instructions: Use MakeCert to generate certificates if you don't have access to a computer
running Windows 10 or later. Although MakeCert is deprecated, you can still use it to generate
certificates. Client certificates that you generate from the root certificate can be installed on any
supported P2S client.

o Linux - OpenSSL instructions

o Linux - strongSwan instructions

Generate client certificates Each client computer that you connect to a VNet with a point-to-site connection must have a
client certificate installed. You generate it from the root certificate and install it on each client computer. If you don't
install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. The
advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if multiple clients
use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for
every client that uses that certificate.

You can generate client certificates by using the following methods:

 Enterprise certificate:

o If you're using an enterprise certificate solution, generate a client certificate with the common name
value format [email protected]. Use this format instead of the domain name\username format.

o Make sure the client certificate is based on a user certificate template that has Client
Authentication listed as the first item in the user list. Check the certificate by double-clicking it and
viewing Enhanced Key Usage in the Details tab.

 Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client
certificates you create will be compatible with your P2S connections.

When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that
you used to generate it. If you want to install a client certificate on another client computer, export it as a .pfx file, along
with the entire certificate chain. Doing so will create a .pfx file that contains the root certificate information required for
the client to authenticate.

The steps in these articles generate a compatible client certificate, which you can then export and distribute.

o Windows 10 or later PowerShell instructions: These instructions require Windows 10 or later, and
PowerShell to generate certificates. The generated certificates can be installed on any supported P2S
client.
 o MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 or later computer for
generating certificates. Although MakeCert is deprecated, you can still use it to generate certificates. You
can install the generated certificates on any supported P2S client.

o Linux: See strongSwan or OpenSSL instructions.

Add the VPN client address pool The client address pool is a range of private IP addresses that you specify. The clients
that connect over a point-to-site VPN dynamically receive an IP address from this range. Use a private IP address range
that doesn't overlap with the on-premises location that you connect from or the virtual network that you want to
connect to. If you configure multiple protocols and SSTP is one of the protocols, then the configured address pool is split
between the configured protocols equally.

1. In the Azure portal, go to your VPN gateway.

2. On the page for your gateway, in the left pane, select Point-to-site configuration.

3. On the Point-to-site configuration page, click Configure now.

4. On the point-to-site configuration page, you'll see the configuration box for Address pool.

5. In the Address pool box, add the private IP address range that you want to use. For example, if you add the
address range 172.16.201.0/24, connecting VPN clients receive one of the IP addresses from this range. The
minimum subnet mask is 29 bit for active/passive and 28 bit for active/active configuration.

After you add the range, continue to the next sections to configure the rest of the required settings.

Specify the tunnel and authentication type In this section, you specify the tunnel type and the authentication type.
These settings can become complex. You can select options that contain multiple tunnel types from the dropdown, such
as IKEv2 and OpenVPN(SSL) or IKEv2 and SSTP (SSL). Only certain combinations of tunnel types and authentication types
are available.

The tunnel type and the authentication type must correspond to the VPN client software you want use to connect to
Azure. When you have various VPN clients connecting from different operating systems, planning the tunnel type and
authentication type is important. The following table shows available tunnel types and authentication types as they
relate to VPN client software.

VPN client table

Authentication method Tunnel type Client OS VPN client

Certificate

IKEv2, SSTP Windows Native VPN client

IKEv2 macOS Native VPN client

IKEv2 Linux strongSwan

OpenVPN Windows Azure VPN client

OpenVPN client version 2.x
OpenVPN client version 3.x

OpenVPN macOS OpenVPN client

OpenVPN iOS OpenVPN client

OpenVPN Linux Azure VPN Client

Authentication method Tunnel type Client OS VPN client

OpenVPN client

Microsoft Entra ID

OpenVPN Windows Azure VPN client

OpenVPN macOS Azure VPN Client

OpenVPN Linux Azure VPN Client

Note If you don't see tunnel type or authentication type on the Point-to-site configuration page, your gateway is using
the Basic SKU. The Basic SKU doesn't support IKEv2 or RADIUS authentication. If you want to use these settings, you need
to delete and re-create the gateway using a different gateway SKU.

1. For Tunnel type, select the tunnel type that you want to use. For this exercise, from the dropdown, select IKEv2
and OpenVPN(SSL).

2. For Authentication type, from the dropdown, select Azure certificate.

Add another public IP address If you have an active-active mode gateway, you need to specify a third public IP address
to configure point-to-site. In the example, we create the third public IP address using the example value VNet1GWpip3. If
your gateway isn't in active-active mode, you don't need to add another public IP address.
Upload root certificate public key information In this section, you upload public root certificate data to Azure. Once the
public certificate data is uploaded, Azure uses it to authenticate connecting clients. The connecting clients have an
installed client certificate generated from the trusted root certificate.

1. Make sure that you exported the root certificate as a Base-64 encoded X.509 (.CER) file in the previous steps.
You need to export the certificate in this format so you can open the certificate with text editor. You don't need
to export the private key.

2. Open the certificate with a text editor, such as Notepad. When copying the certificate data, make sure that you
copy the text as one continuous line:

3. Go to your Virtual network gateway -> Point-to-site configuration page in the Root certificate section. This
section is only visible if you have selected Azure certificate for the authentication type.

4. In the Root certificate section, you can add up to 20 trusted root certificates.
  Paste the certificate data (copied from notepad as per the image above) into the Public certificate
data field.

 Name the certificate.

5. Additional routes aren't necessary for this exercise. For more information about the custom routing feature,
see Advertise custom routes.

6. Select Save at the top of the page to save all the configuration settings. After the configuration settings
deployment completes, you can generate and download the VPN client configuration package.

Generate VPN client profile configuration files All the necessary configuration settings for the VPN clients are contained
in a VPN client profile configuration zip file. VPN client profile configuration files are specific to the P2S VPN gateway
configuration for the virtual network. If there are any changes to the P2S VPN configuration after you generate the files,
such as changes to the VPN protocol type or authentication type, you need to generate new VPN client profile
configuration files and apply the new configuration to all of the VPN clients that you want to connect. For more
information about P2S connections, see About point-to-site VPN. You can generate client profile configuration files using
PowerShell, or by using the Azure portal. The following examples show both methods. Either method returns the same
zip file.

Azure portal

1. In the Azure portal, go to the virtual network gateway for the virtual network to which you want to connect.

2. On the virtual network gateway page, select Point-to-site configuration to open the Point-to-site configuration
page.

3. At the top of the Point-to-site configuration page, select Download VPN client. This doesn't download VPN
client software, it generates the configuration package used to configure VPN clients. It takes a few minutes for
the client configuration package to generate. During this time, you might not see any indications until the packet
generates.
 4. Once the configuration package is generated, your browser indicates that a client configuration zip file is
available. It's named the same name as your gateway.

5. Unzip the file to view the folders. You'll use some, or all, of these files to configure your VPN client. The files that
are generated correspond to the authentication and tunnel type settings that you configured on the P2S server.

Configure VPN clients and connect to Azure For steps to configure your VPN clients and connect to Azure, see the VPN
client table in the Specify tunnel and authentication type section. The table contains links to articles that provide
detailed steps to configure the VPN client software.

Add or remove trusted root certificates You can add and remove trusted root certificates from Azure. When you remove
a root certificate, clients that have a certificate generated from that root won't be able to authenticate, and as a result,
can't connect. If you want a client to authenticate and connect, you need to install a new client certificate generated
from a root certificate that is trusted (uploaded) to Azure.

You can add up to 20 trusted root certificate .cer files to Azure. For instructions, see the section Upload a trusted root
certificate.

To remove a trusted root certificate:

1. Navigate to the Point-to-site configuration page for your virtual network gateway.

2. In the Root certificate section of the page, locate the certificate that you want to remove.

3. Select the ellipsis next to the certificate, and then select Remove.

Revoke a client certificate You can revoke client certificates. The certificate revocation list allows you to selectively deny
P2S connectivity based on individual client certificates. This is different than removing a trusted root certificate. If you
remove a trusted root certificate .cer from Azure, it revokes the access for all client certificates generated/signed by the
revoked root certificate. When you revoke a client certificate, rather than the root certificate, it allows the other
certificates that were generated from the root certificate to continue to be used for authentication.

The common practice is to use the root certificate to manage access at team or organization levels, while using revoked
client certificates for fine-grained access control on individual users.

You can revoke a client certificate by adding the thumbprint to the revocation list.

1. Retrieve the client certificate thumbprint. For more information, see How to retrieve the Thumbprint of a
Certificate.

2. Copy the information to a text editor and remove all spaces so that it's a continuous string.

3. Navigate to the virtual network gateway Point-to-site-configuration page. This is the same page that you used
to upload a trusted root certificate.

4. In the Revoked certificates section, input a friendly name for the certificate (it doesn't have to be the certificate
CN).
 5. Copy and paste the thumbprint string to the Thumbprint field.

6. The thumbprint validates and is automatically added to the revocation list. A message appears on the screen that
the list is updating.

7. After updating has completed, the certificate can no longer be used to connect. Clients that try to connect using
this certificate receive a message saying that the certificate is no longer valid.

TUTORIAL: CREATE A SITE-TO-SITE VPN CONNECTION IN THE AZURE PORTAL

In this tutorial, you use the Azure portal to create a site-to-site (S2S) VPN gateway connection between your on-premises
network and a virtual network. You can also create this configuration by using Azure PowerShell or the Azure CLI. This
configuration uses a specified pre-shared key for the connection between the Azure VPN gateway and your on-premises
VPN device. You can also configure a site-to-site connection using certificate authentication.

In this tutorial, you:

 Create a virtual network.

 Create a VPN gateway.

 Create a local network gateway.

 Create a VPN connection.

 Verify the connection.

 Connect to a virtual machine.

Prerequisites You need an Azure account with an active subscription. If you don't have one, you can create one for free.

 If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to
coordinate with someone who can provide those details for you. When you create this configuration, you must
specify the IP address range prefixes that Azure routes to your on-premises location. None of the subnets of your
on-premises network can overlap with the virtual network subnets that you want to connect to.

 VPN devices:

o Make sure you have a compatible VPN device and someone who can configure it. For more information
about compatible VPN devices and device configuration, see About VPN devices.

o Verify that you have an externally facing public IPv4 address for your VPN device.

o Verify that your VPN device supports active-active mode gateways. This article creates an active-active
mode VPN gateway, which is recommended for highly available connectivity. Active-active mode
specifies that both gateway VM instances are active and uses two public IP addresses, one for each
gateway VM instance. You configure your VPN device to connect to the IP address for each gateway VM
instance. If your VPN device doesn't support this mode, don't enable this mode for your gateway. For
more information, see Design highly available connectivity for cross-premises and VNet-to-VNet
connections and About active-active mode VPN gateways.
Create a virtual network In this section, you create a virtual network by using the following values:

 Resource group: TestRG1

 Name: VNet1

 Region: (US) East US

 IPv4 address space: 10.1.0.0/16

 Subnet name: FrontEnd

 Subnet address space:

Note When you use a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-
premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a
duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally,
if you want to connect this virtual network to another virtual network, the address space can't overlap with the other
virtual network. Plan your network configuration accordingly.

1. Sign in to the Azure portal.

2. In Search resources, service, and docs (G+/) at the top of the portal page, enter virtual network. Select Virtual
network from the Marketplace search results to open the Virtual network page.

3. On the Virtual network page, select Create to open the Create virtual network page.

4. On the Basics tab, configure the virtual network settings for Project details and Instance details. You see a green
check mark when the values you enter are validated. You can adjust the values shown in the example according
to the settings that you require.
  Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using
the dropdown box.

 Resource group: Select an existing resource group or select Create new to create a new one. For more
information about resource groups, see Azure Resource Manager overview.

 Name: Enter the name for your virtual network.

 Region: Select the location for your virtual network. The location determines where the resources that
you deploy to this virtual network will reside.

5. Select Next or Security to go to the Security tab. For this exercise, leave the default values for all the services on
this page.

6. Select IP Addresses to go to the IP Addresses tab. On the IP Addresses tab, configure the settings.

 IPv4 address space: By default, an address space is automatically created. You can select the address
space and adjust it to reflect your own values. You can also add a different address space and remove the
default that was automatically created. For example, you can specify the starting address as 10.1.0.0 and
specify the address space size as /16. Then select Add to add that address space.

 + Add subnet: If you use the default address space, a default subnet is created automatically. If you
change the address space, add a new subnet within that address space. Select + Add subnet to open
the Add subnet window. Configure the following settings, and then select Add at the bottom of the page
to add the values.

o Subnet name: You can use the default, or specify the name. Example: FrontEnd.

o Subnet address range: The address range for this subnet. Examples are 10.1.0.0 and /24.

7. Review the IP addresses page and remove any address spaces or subnets that you don't need.

8. Select Review + create to validate the virtual network settings.

9. After the settings are validated, select Create to create the virtual network.

After you create your virtual network, you can optionally configure Azure DDoS Protection. Azure DDoS Protection is
simple to enable on any new or existing virtual network, and it requires no application or resource changes. For more
information about Azure DDoS Protection, see What is Azure DDoS Protection?.

Create a gateway subnet The virtual network gateway requires a specific subnet named GatewaySubnet. The gateway
subnet is part of the IP address range for your virtual network and contains the IP addresses that the virtual network
gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of
IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require
more IP addresses than others. It's best to specify /27 or larger (/26, /25, etc.) for your gateway subnet.

1. On the page for your virtual network, on the left pane, select Subnets to open the Subnets page.

2. At the top of the page, select + Subnet to open the Add subnet pane.

3. For Subnet purpose, select Virtual Network Gateway from the dropdown.

4. The name is automatically entered as GatewaySubnet. Adjust starting IP address and size if necessary. For
example, 10.1.255.0/27.

5. Don't adjust the other values on the page. Click Add to add the subnet.
Important NSGs on the gateway subnet aren't supported. Associating a network security group to this subnet might
cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected. For more
information about network security groups, see What is a network security group?.

Create a VPN gateway In this step, you create a virtual network gateway (VPN gateway) for your virtual network.
Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

Create a VPN gateway Create a virtual network gateway (VPN gateway) by using the following values:

 Name: VNet1GW

 Gateway type: VPN

 SKU: VpnGw2AZ

 Generation: Generation 2

 Virtual network: VNet1

 Gateway subnet address range: 10.1.255.0/27

 Public IP address: Create new

 Public IP address name: VNet1GWpip1

 Public IP address SKU: Standard

 Assignment: Static

 Second Public IP address name: VNet1GWpip2

 Enable active-active mode: Enabled

 Configure BGP: Disabled

1. In Search resources, services, and docs (G+/), enter virtual network gateway. Locate Virtual network
gateway in the Marketplace search results and select it to open the Create virtual network gateway page.

2. On the Basics tab, fill in the values for Project details and Instance details.
 Subscription: Select the subscription you want to use from the dropdown list.

 Resource group: This value is autofilled when you select your virtual network on this page.

 Name: This is the name of the gateway object you're creating. This is different than the gateway subnet
to which gateway resources will be deployed.

 Region: Select the region in which you want to create this resource. The region for the gateway must be
the same as the virtual network.

 Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.

 SKU: From the dropdown list, select a gateway SKU that supports the features you want to use.

o We recommend that you select a SKU that ends in AZ when possible. AZ SKUs
support availability zones.
 o The Basic SKU isn't available in the portal. To configure a Basic SKU gateway, you must
use PowerShell or CLI.

 Generation: Select Generation2 from the dropdown.

 Virtual network: From the dropdown list, select the virtual network to which you want to add this
gateway. If you can't see the virtual network you want to use, make sure you selected the correct
subscription and region in the previous settings.

 Gateway subnet address range or Subnet: The gateway subnet is required to create a VPN gateway.

Currently, this field can show different settings options, depending on the virtual network address space and whether
you already created a subnet named GatewaySubnet for your virtual network.

If you don't have a gateway subnet and you don't see the option to create one on this page, go back to your virtual
network and create the gateway subnet. Then, return to this page and configure the VPN gateway.

3. Specify the values for Public IP address. These settings specify the public IP address objects that will be
associated to the VPN gateway. A public IP address is assigned to each public IP address object when the VPN
gateway is created. The only time the assigned public IP address changes is when the gateway is deleted and re-
created. IP addresses don't change across resizing, resetting, or other internal maintenance/upgrades of your
VPN gateway.

 Public IP address type: If this option appears, select Standard.

 Public IP address: Leave Create new selected.

  Public IP address name: In the text box, enter a name for your public IP address instance.

 Public IP address SKU: Setting is autoselected to Standard SKU.

 Assignment: The assignment is typically autoselected and should be Static.

 Availability zone: This setting is available for AZ gateway SKUs in regions that support availability zones.
Select Zone-redundant, unless you know you want to specify a zone.

 Enable active-active mode: We recommend that you select Enabled to take advantage of the benefits of
an active-active mode gateway. If you plan to use this gateway for a site-to-site connection, take into
consideration the following:

o Verify the active-active design that you want to use. Connections with your on-premises VPN
device must be configured specifically to take advantage of active-active mode.

o Some VPN devices don't support active-active mode. If you're not sure, check with your VPN
device vendor. If you're using a VPN device that doesn't support active-active mode, you can
select Disabled for this setting.

 Second public IP address: Select Create new. This is available only if you selected Enabled for the Enable
active-active mode setting.

 Public IP address name: In the text box, enter a name for your public IP address instance.

 Public IP address SKU: Setting is autoselected to Standard SKU.

 Availability zone: Select Zone-redundant, unless you know you want to specify a zone.

 Configure BGP: Select Disabled unless your configuration specifically requires this setting. If you do
require this setting, the default ASN is 65515, although this value can be changed.

 Enable Key Vault Access: Select Disabled unless your configuration specifically requires this setting.

4. Select Review + create to run validation.

5. After validation passes, select Create to deploy the VPN gateway.

A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on
the Overview page for your gateway.

Important NSGs on the gateway subnet aren't supported. Associating a network security group to this subnet might
cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected. For more
information about network security groups, see What is a network security group?.

View public IP address To view the IP address associated with each virtual network gateway VM instance, go to your
virtual network gateway in the portal.

1. Go to your virtual network gateway Properties page (not the Overview page). You might need to
expand Settings to see the Properties page in the list.

2. If your gateway in active-passive mode, you'll only see one IP address. If your gateway is in active-active mode,
you'll see two public IP addresses listed, one for each gateway VM instance. When you create a site-to-site
connection, you must specify each IP address when configuring your VPN device because both gateway VMs are
active.

3. To view more information about the IP address object, click the associated IP address link.
Create a local network gateway The local network gateway is a specific object deployed to Azure that represents your
on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then
specify the IP address of the on-premises VPN device to which you create a connection. You also specify the IP address
prefixes that are routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes
located on your on-premises network. If your on-premises network changes or you need to change the public IP address
for the VPN device, you can easily update the values later. You create a separate local network gateway for each VPN
device that you want to connect to. Some highly available connectivity designs specify multiple on-premises VPN
devices. Create a local network gateway by using the following values:

 Name: Site1

 Resource Group: TestRG1

 Location: East US

Configuration considerations:

 VPN Gateway supports only one IPv4 address for each FQDN. If the domain name resolves to multiple IP
addresses, VPN Gateway uses the first IP address returned by the DNS servers. To eliminate the uncertainty, we
recommend that your FQDN always resolve to a single IPv4 address. IPv6 isn't supported.

 VPN Gateway maintains a DNS cache that's refreshed every 5 minutes. The gateway tries to resolve the FQDNs
for disconnected tunnels only. Resetting the gateway also triggers FQDN resolution.

 Although VPN Gateway supports multiple connections to different local network gateways with different FQDNs,
all FQDNs must resolve to different IP addresses.

1. In the portal, go to Local network gateways and open the Create local network gateway page.

2. On the Basics tab, specify the values for your local network gateway.
 Subscription: Verify that the correct subscription is showing.

 Resource group: Select the resource group that you want to use. You can either create a new resource
group or select one that you've already created.

 Region: Select the region for this object. You might want to select the same location where your virtual
network resides, but you aren't required to do so.

 Name: Specify a name for your local network gateway object.

 Endpoint: Select the endpoint type for the on-premises VPN device as IP address or FQDN (Fully
Qualified Domain Name).

o IP address: If you have a static public IP address allocated from your internet service provider
(ISP) for your VPN device, select the IP address option. Fill in the IP address as shown in the
example. This address is the public IP address of the VPN device that you want Azure VPN
Gateway to connect to. If you don't have the IP address right now, you can use the values shown
in the example. Later, you must go back and replace your placeholder IP address with the public
IP address of your VPN device. Otherwise, Azure can't connect.

o FQDN: If you have a dynamic public IP address that could change after a certain period of time,
often determined by your ISP, you can use a constant DNS name with a Dynamic DNS service to
point to your current public IP address of your VPN device. Your Azure VPN gateway resolves the
FQDN to determine the public IP address to connect to.

 Address space: The address space refers to the address ranges for the network that this local network
represents. You can add multiple address space ranges. Make sure that the ranges you specify here don't
 overlap with ranges of other networks that you want to connect to. Azure routes the address range that
you specify to the on-premises VPN device IP address. Use your own values here if you want to connect
to your on-premises site, not the values shown in the example.

3. On the Advanced tab, you can configure BGP settings, if needed.

4. After you specify the values, select Review + create at the bottom of the page to validate the page.

5. Select Create to create the local network gateway object.

Configure your VPN device Site-to-site connections to an on-premises network require a VPN device. In this step, you
configure your VPN device. When you configure your VPN device, you need the following values:

 Shared key: This shared key is the same one that you specify when you create your site-to-site VPN connection.
In our examples, we use a simple shared key. We recommend that you generate a more complex key to use.

 Public IP addresses of your virtual network gateway instances: Obtain the IP address for each VM instance. If
your gateway is in active-active mode, you'll have an IP address for each gateway VM instance. Be sure to
configure your device with both IP addresses, one for each active gateway VM. Active-standby mode gateways
have only one IP address.

Note For S2S connections with an active-active mode VPN gateway, ensure tunnels are established to each gateway VM
instance. If you establish a tunnel to only one gateway VM instance, the connection will go down during maintenance. If
your VPN device doesn't support this setup, configure your gateway for active-standby mode instead.

Depending on the VPN device that you have, you might be able to download a VPN device configuration script. For more
information, see Download VPN device configuration scripts.

For more configuration information, see the following links:

 For information about compatible VPN devices, see VPN devices.

 Before you configure your VPN device, check for any Known device compatibility issues for the VPN device that
you want to use.

 For links to device configuration settings, see Validated VPN devices. The device configuration links are provided
on a best-effort basis. It's always best to check with your device manufacturer for the latest configuration
information. The list shows the versions we've tested. If your OS isn't on that list, it's still possible that the
version is compatible. Check with your device manufacturer to verify that the OS version for your VPN device is
compatible.

 For an overview of VPN device configuration, see Overview of third-party VPN device configurations.

 For information about editing device configuration samples, see Editing samples.

 For cryptographic requirements, see About cryptographic requirements and Azure VPN gateways.

 For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE parameters for site-to-site
VPN gateway connections. This link shows information about IKE version, Diffie-Hellman Group, authentication
method, encryption and hashing algorithms, SA lifetime, PFS, and DPD, in addition to other parameter
information that you need to complete your configuration.

 For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for site-to-site VPN or VNet-to-VNet
connections.

 To connect multiple policy-based VPN devices, see Connect Azure VPN gateways to multiple on-premises policy-
based VPN devices using PowerShell.
Create VPN connections Create a site-to-site VPN connection between your virtual network gateway and your on-
premises VPN device. If you're using an active-active mode gateway (recommended), each gateway VM instance has a
separate IP address. To properly configure highly available connectivity, you must establish a tunnel between each VM
instance and your VPN device. Both tunnels are part of the same connection.

Create a connection by using the following values:

 Local network gateway name: Site1

 Connection name: VNet1toSite1

 Shared key: For this example, you use abc123. But you can use whatever is compatible with your VPN hardware.
The important thing is that the values match on both sides of the connection.

1. In the portal, go to the virtual network gateway and open it.

2. On the page for the gateway, select Connections.

3. At the top of the Connections page, select + Add to open the Create connection page.
4. On the Create connection page, on the Basics tab, configure the values for your connection:

 Under Project details, select the subscription and the resource group where your resources are located.

 Under Instance details, configure the following settings:

o Connection type: Select Site-to-site (IPSec).

o Name: Name your connection.

o Region: Select the region for this connection.

5. Select the Settings tab and configure the following values:

 Virtual network gateway: Select the virtual network gateway from the dropdown list.

 Local network gateway: Select the local network gateway from the dropdown list.

 Shared key: The value here must match the value that you're using for your local on-premises VPN
device. If this field doesn't appear on your portal page, or you want to later update this key, you can do
so once the connection object is created. Go to the connection object you created (example name:
VNet1toSite1) and update the key on the Authentication page.

 IKE Protocol: Select IKEv2.

 Use Azure Private IP Address: Don't select.

  Enable BGP: Don't select.

 FastPath: Don't select.

 IPsec/IKE policy: Select Default.

 Use policy based traffic selector: Select Disable.

 DPD timeout in seconds: Select 45.

 Connection Mode: Select Default. This setting is used to specify which gateway can initiate the
connection. For more information, see VPN Gateway settings - Connection modes.

6. For NAT Rules Associations, leave both Ingress and Egress as 0 selected.

7. Select Review + create to validate your connection settings.

8. Select Create to create the connection.

9. After the deployment is finished, you can view the connection on the Connections page of the virtual network
gateway. The status changes from Unknown to Connecting and then to Succeeded.

Configure more connection settings (optional) You can configure more settings for your connection, if necessary.
Otherwise, skip this section and leave the defaults in place. For more information, see Configure custom IPsec/IKE
connection policies.

1. Go to your virtual network gateway and select Connections to open the Connections page.

2. Select the name of the connection you want to configure to open the Connection page.

3. On the left side of the Connection page, select Configuration to open the Configuration page. Make any
necessary changes and then select Save.

In the following screenshots, the settings are enabled so that you can see the configuration settings that are available in
the portal. Select the screenshot to see the expanded view. When you configure your connections, only configure the
settings that you require. Otherwise, leave the default settings in place.
Verify the VPN connection In the Azure portal, you can view the connection status of a VPN gateway by going to the
connection. The following steps show one way to go to your connection and verify.
 1. On the Azure portal menu, select All resources or search for and select All resources from any page.

2. Select your virtual network gateway.

3. On the pane for your virtual network gateway, select Connections. You can see the status of each connection.

4. Select the name of the connection that you want to verify to open Essentials. On the Essentials pane, you can
view more information about your connection. The status is Succeeded and Connected after you make a
successful connection.

Optional steps

Reset a gateway Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more
site-to-site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly but aren't able to
establish IPsec tunnels with the Azure VPN gateways. If you need to reset an active-active gateway, you can reset both
instances using the portal. You can also use PowerShell or CLI to reset each gateway instance separately using instance
VIPs. For more information, see Reset a connection or a gateway.

1. In the portal, go to the virtual network gateway that you want to reset.

2. On the Virtual network gateway page, in the left pane, scroll and locate Help -> Reset.

3. On the Reset page, select Reset. After the command is issued, the current active instance of Azure VPN gateway
is rebooted immediately. Resetting the gateway causes a gap in VPN connectivity and might limit future root
cause analysis of the issue.

Add another connection A gateway can have multiple connections. If you want to configure connections to multiple on-
premises sites from the same VPN gateway, the address spaces can't overlap between any of the connections.

1. If you're connecting using a site-to-site VPN and you don't have a local network gateway for the site you want to
connect to, create another local network gateway and specify the site details. For more information, see Create a
local network gateway.

2. To add a connection, go to the VPN gateway and then select Connections to open the Connections page.

3. Select + Add to add your connection. Adjust the connection type to reflect either VNet-to-VNet (if connecting to
another virtual network gateway) or site-to-site.

4. Specify the shared key that you want to use and then select OK to create the connection.

Update a connection shared key You can specify a different shared key for your connection.

1. In the portal, go to the connection.

2. Change the shared key on the Authentication page.

3. Save your changes.

4. Update your VPN device with the new shared key as necessary.

Resize or change a gateway SKU You can resize a gateway SKU, or you can change the gateway SKU. There are specific
rules regarding which option is available, depending on the SKU your gateway is currently using. For more information,
see Resize or change gateway SKUs.

More configuration considerations You can customize site-to-site configurations in various ways. For more information,
see the following articles:

 For information about BGP, see the BGP overview and How to configure BGP.
  For information about forced tunneling, see About forced tunneling.

 For information about highly available active-active connections, see Highly available cross-premises and VNet-
to-VNet connectivity.

 For information about how to limit network traffic to resources in a virtual network, see Network security.

 For information about how Azure routes traffic between Azure, on-premises, and internet resources, see Virtual
network traffic routing.

Clean up resources If you're not going to continue to use this application or go to the next tutorial, delete these
resources.

1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search
results.

2. Select Delete resource group.

3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

After you configure a site-to-site connection, you can add a point-to-site connection to the same gateway.

BACK UP AND RESTORE ENCRYPTED AZURE VIRTUAL MACHINES

This article describes how to back up and restore Windows or Linux Azure virtual machines (VMs) with encrypted disks
using the Azure Backup service. For more information, see Encryption of Azure VM backups.

Supported scenarios for backup and restore of encrypted Azure VMs

This section describes the supported scenarios for backup and restore of encrypted Azure VMs.

Encryption using platform-managed keys

By default, all the disks in your VMs are automatically encrypted-at-rest using platform-managed keys (PMK) that
use storage service encryption. You can back up these VMs using Azure Backup without any specific actions required to
support encryption on your end. For more information about encryption with platform-managed keys, see this article.

Encryption using customer-managed keys

When you encrypt disks with customer-managed keys (CMK), the key used for encrypting the disks is stored in the Azure
Key Vault and is managed by you. Storage Service Encryption (SSE) using CMK differs from Azure Disk Encryption (ADE)
encryption. ADE uses the encryption tools of the operating system. SSE encrypts data in the storage service, enabling you
to use any OS or images for your VMs.

You don't need to perform any explicit actions for backup or restore of VMs that use customer-managed keys for
encrypting their disks. The backup data for these VMs stored in the vault will be encrypted with the same methods as
the encryption used on the vault.

For more information about encryption of managed disks with customer-managed keys, see this article.

Encryption support using ADE

Azure Backup supports backup of Azure VMs that have their OS/data disks encrypted with Azure Disk Encryption (ADE).
ADE uses BitLocker for encryption of Windows VMs, and the dm-crypt feature for Linux VMs. ADE integrates with Azure
Key Vault to manage disk-encryption keys and secrets. Key Vault Key Encryption Keys (KEKs) can be used to add an
additional layer of security, encrypting encryption secrets before writing them to Key Vault.

Azure Backup can back up and restore Azure VMs using ADE with and without the Microsoft Entra app, as summarized in
the following table.

Expand table

VM disk type ADE (BEK/dm-crypt) ADE and KEK

Unmanaged Yes Yes

Managed Yes Yes

 Learn more about ADE, Key Vault, and KEKs.

 Read the FAQ for Azure VM disk encryption.

Limitations

Before you back up or restore encrypted Azure VNs, review the following limitations:

 You can back up and restore ADE encrypted VMs within the same subscription.

 Azure Backup supports VMs encrypted using standalone keys. Any key that's a part of a certificate used to
encrypt a VM isn't currently supported.

 Azure Backup supports Cross Region Restore of encrypted Azure VMs to the Azure paired regions. For more
information, see support matrix.

 ADE encrypted VMs can’t be recovered at the file/folder level. You need to recover the entire VM to restore files
and folders.

 When restoring a VM, you can't use the replace existing VM option for ADE encrypted VMs. This option is only
supported for unencrypted managed disks.

Before you start

Before you start, do the following:

1. Make sure you have one or more Windows or Linux VMs with ADE enabled.

2. Review the support matrix for Azure VM backup

 3. Create a Recovery Services Backup vault if you don't have one.

4. If you enable encryption for VMs that are already enabled for backup, you simply need to provide Backup with
permissions to access the Key Vault so that backups can continue without disruption. Learn more about assigning
these permissions.

In addition, there are a couple of things that you might need to do in some circumstances:

 Install the VM agent on the VM: Azure Backup backs up Azure VMs by installing an extension to the Azure VM
agent running on the machine. If your VM was created from an Azure Marketplace image, the agent is installed
and running. If you create a custom VM, or you migrate an on-premises machine, you might need to install the
agent manually.

Configure a backup policy

To configure a backup policy, follow these steps:

1. If you haven't yet created a Recovery Services backup vault, follow these instructions.

2. Navigate to Backup center and click +Backup from the Overview tab

3. Select Azure Virtual machines as the Datasource type and select the vault you have created, then
click Continue.
4. Select the policy that you want to associate with the vault, then select OK.

 A backup policy specifies when backups are taken, and how long they're stored.

 The details of the default policy are listed under the drop-down menu.

5. If you don't want to use the default policy, select Create New, and create a custom policy.

6. Under Virtual Machines, select Add.

7. Choose the encrypted VMs you want to back up using the select policy, and select OK.

8. If you're using Azure Key Vault, on the vault page, you'll see a message that Azure Backup needs read-only access
to the keys and secrets in the Key Vault.

 If you receive this message, no action is required.

  If you receive this message, you need to set permissions as described in the procedure below.

9. Select Enable Backup to deploy the backup policy in the vault, and enable backup for the selected VMs.

Back up ADE encrypted VMs with RBAC enabled key vaults

To enable backups for ADE encrypted VMs using Azure RBAC enabled key vaults, you need to assign Key Vault
Administrator role to the Backup Management Service Microsoft Entra app by adding a role assignment in Access Control
of key vault.

Note

VM Backup operations use the Backup Management Service app instead of Recovery Services vault Managed Service
Identity (MSI) to access Key Vault. You must grant the necessary Key Vault permissions to this app for backups to
function properly.

Learn about the different available roles. The Key Vault Administrator role can allow permissions to get, list, and back
up both secret and key.

For Azure RBAC enabled key vaults, you can create custom role with the following set of permissions. Learn how to
create custom role.

Expand table

Action Description

Microsoft.KeyVault/vaults/keys/backup/action Creates the backup file of a key.

Microsoft.KeyVault/vaults/secrets/backup/action Creates the backup file of a secret.

Microsoft.KeyVault/vaults/secrets/getSecret/action Gets the value of a secret.

Microsoft.KeyVault/vaults/keys/read List keys in the specified vault or read properties and public
Action Description

materials.

Microsoft.KeyVault/vaults/secrets/readMetadata/action List or view the properties of a secret, but not its values.

JSONCopy

"permissions": [

"actions": [],

"notActions": [],

"dataActions": [

"Microsoft.KeyVault/vaults/keys/backup/action",

"Microsoft.KeyVault/vaults/secrets/backup/action",

"Microsoft.KeyVault/vaults/secrets/getSecret/action",

"Microsoft.KeyVault/vaults/keys/read",

"Microsoft.KeyVault/vaults/secrets/readMetadata/action"

],

"notDataActions": []

Trigger a backup job

The initial backup will run in accordance with the schedule, but you can run it immediately as follows:

1. Navigate to Backup center and select the Backup Instances menu item.
 2. Select Azure Virtual machines as the Datasource type and search for the VM that you have configured for
backup.

3. Right-click the relevant row or select the more icon (…), and click Backup Now.

4. In Backup Now, use the calendar control to select the last day that the recovery point should be retained. Then
select OK.

5. Monitor the portal notifications. To monitor the job progress, go to Backup center > Backup Jobs and filter the
list for In progress jobs. Depending on the size of your VM, creating the initial backup may take a while.

Provide permissions

Azure Backup needs read-only access to back up the keys and secrets, along with the associated VMs.

 Your Key Vault is associated with the Microsoft Entra tenant of the Azure subscription. If you're a Member user,
Azure Backup acquires access to the Key Vault without further action.

 If you're a Guest user, you must provide permissions for Azure Backup to access the key vault. You need to have
access to key vaults to configure Backup for encrypted VMs.

To provide Azure RBAC permissions on Key Vault, see this article.

To set permissions:

1. In the Azure portal, select All services, and search for Key vaults.

2. Select the key vault associated with the encrypted VM you're backing up.

Tip

To identify a VM's associated key vault, use the following PowerShell command. Substitute your resource group name
and VM name:

Get-AzVm -ResourceGroupName "MyResourceGroup001" -VMName "VM001" -Status

Look for the key vault name in this line:

SecretUrl : https://<keyVaultName>.vault.azure.net

3. Select Access policies > Add Access Policy.

4. In Add access policy > Configure from template (optional), select Azure Backup.

 The required permissions are prefilled for Key permissions and Secret permissions.

 If your VM is encrypted using BEK only, remove the selection for Key permissions since you only need
permissions for secrets.
 5. Select Add. Backup Management Service is added to Access policies.

6. Select Save to provide Azure Backup with the permissions.

You can also set the access policy using PowerShell or CLI.

Overview of cloud security

As organizations are increasingly relying on cloud platforms for their storage and computing needs, safe guarding data in
the Cloud is becoming more crucial than ever. In this video, you will explore the importance of Cloud security and how it
is implemented in Microsoft Azure. You will also discover how Azure security features are essential to guard Sam Scoops
Cloud environment against constantly emerging cybersecurity threats. Microsoft Azure is one of the leading Cloud
platforms and it offers robust security measures designed to protect data and ensure the privacy and integrity of its
customers. It's important to understand that Cloud security involves a series of practices, technologies, and policies that
work together to safeguard data stored and processed in the Cloud. Security accompanies cloud infrastructure is
important because it prevents unauthorized access and cyber threats. Businesses should implement measures to defend
themselves against malicious actors attempting to steal sensitive information or disrupt operations. These measures
include authentication protocols, encryption, firewalls, and intrusion detection systems. Azure incorporates a wide array
of security features to ensure data protection. One such feature is Azure Active Directory, which provides robust identity
and access management, allowing administrators to control user permissions and access levels. Additionally, Microsoft
Defender for Cloud, earlier known as Azure Security Center, offers continuous monitoring and threat detection, analyzing
data and providing actionable insights to prevent potential attacks. Furthermore, Azure as compliance certifications, also
strengthen its cloud security. Microsoft Azure adheres to rigorous standards and regulations such as ISO 27001, GDPR,
HIPAA. You will learn more about this in later courses in this program. This compliance ensures that businesses operating
in various sectors can meet industry-specific security requirements. Next, let's explore how Sam Scoops can utilize Azure
Cloud security features. Sam Scoops collects valuable customer data, including payment information and personal
details. I'm maintaining the security and confidentiality of this data is vital for the company's success and reputation as a
reliable company. By migrating their data to Azure, Sam Scoops can leverage the platforms robust security features. They
can protect their customers information from potential breaches and reassure them that their data is safe and secure.
Azures encryption capabilities ensure that sensitive data remains encrypted both during storage and transmission
safeguarding against unauthorized access. Furthermore, Azure's monitoring tools can help Sam Scoops maintain
compliance with data protection regulations. It enables them to monitor access logs, detect unusual activity, and
respond promptly to any security incidents. This proactive approach allows them to address potential vulnerabilities
before they become major threats. By prioritizing Cloud security through Azure, Sam Scoops gained a competitive
advantage. They can promote the trustworthiness of their brand, demonstrating their commitment to protecting
customer data. With data breaches becoming more common, customers appreciate companies that prioritize their
privacy and security needs. In conclusion, Cloud security is of utmost importance in today's digital landscape. As
organizations increasingly rely on Cloud platforms like Microsoft Azure, implementing robust security measures becomes
vital to protect sensitive data and ensure the privacy and integrity of customers. Azure offers a wide range of security
features, such as Azure Active Directory, and Microsoft Defender for Cloud, which provide identity and access
management, continuous monitoring and threat detection capabilities. You've also learned that Cloud security in Azure
goes beyond just protecting data. It also ensures compliance with industry specific security for Sam Scoops, migrating
their data to Azure enables them to leverage the security features and protect their customers valuable information and
what's more by encrypting data during storage and transmission, Sam Scoops can ensure that unauthorized access is
mitigated. Additionally, Azure monitoring tools allow them to monitor access logs and promptly respond to any security
incidents maintaining compliance with data protection regulations.

ADVANCED CLOUD SECURITY

Protecting data in the cloud requires a layered security approach. And that's why Microsoft Azure offers many different
services that work together to protect your cloud infrastructure against a wide range of threats. So far, you've learned
about various Azure security tools in this course, you covered DDoS protection and Azure firewall in depth. And you were
also introduced to elements of Microsoft defend for cloud, such as just in time access. But Microsoft Azure offers even
more features that form part of a comprehensive set of security solutions, designed to help you safeguard your data and
applications. Knowing about all the advanced security features in Azure is important to excel in a career in cybersecurity.
In this video, you will explore some of the more advanced security solutions that Azure offers, let's get started.
 Defen
der for cloud, formerly known as security center, is a unified security management and advanced threat protection
solution. With defender for cloud, you can monitor security across various resources ensuring real time protection. You
will have access to security alerts, threat intelligence and actionable recommendations to stay on top of industry
standards and regulatory requirements.
Next is Microsoft sentinel, previously Azure sentinel, which is a cloud native security information and event
management, or SIEM, and security orchestration automation, and response or SOAR solution. Leveraging advanced
analytics and machine learning, Microsoft sentinel helps you detect and investigate threats across your entire
organization's infrastructure. It can automatically respond to incidents by executing guidelines set out in predefined
playbooks to mitigate potential risks. A playbook is basically a collection of actions that guides response automation,
plus, sentinel seamlessly integrates with third party solutions and other Azure services like Azure active directory.

Anoth
er powerful Azure security tool, Azure active directory or Azure AD, is a cloud based identity and access management
service, it is your ally in protecting your applications, data and users. Can you imagine how complex it becomes To keep
thousands of Azure resources PCI DSS compliant within a large corporation like this?

SSO is part of AAD.

It also allows you to enforce strong password policies and use features like multi-factor authentication, or MFA and
conditional access policies to ensure secure access.

And you already learned about the powerful cloud-based service Azure key vault that provides secure storage and
management of cryptographic keys, certificates and secrets. With Azure key vault, you can protect your cryptographic,
keys and secrets with strong key protection. You can deploy certificates securely and seamlessly across your applications
and infrastructure.

And then there is also Azure information protection, also known as AIP, which is a cloud-based solution that helps you
classify, label and protect your sensitive data wherever it goes. With Azure information protection, you can classify and
label your data based on its sensitivity.

This service allows you to apply rights management policies to control access to your data, ensuring that only authorized
individuals can view and interact with it.

Furthermore, you know about Azure DDoS protection, by now and how it shields your applications and data from
distributed denial of service attacks. With Azure DDoS protection, you receive always on protection against DDoS attacks,
it scales as needed to handle even the largest scale attacks, keeping your applications and data safe. In conclusion,
Microsoft Azure offers a comprehensive set of security solutions that can help you protect your data and applications in
the cloud.

MICROSOFT DEFENDER FOR CLOUD

Microsoft Defender for Cloud is a powerful security service that helps businesses protect their Cloud environments ,
from cyber threats. Earlier, you learned that this unified security management solution enables you to monitor security
across various resources. You will explore its different features, benefits and which Azure services it can monitor and
protect. But which resources does it cover? And how exactly does it work? In this video, you will explore how Microsoft
Defender for Cloud, can benefit small businesses like Sam Scoops.

Microsoft Defender for Cloud offers a range of capabilities including DevSecOps, Cloud
Security Posture
Management or CSPM, and Cloud Workload Protection Platform, or CWPP. These
capabilities collectively contribute to safeguarding applications, data, and infrastructure. Let's discuss each of these in
more detail.
DevSecOps is a practice that integrates security into the software development life cycle, ensuring the code is
secure right from the start. Defender for Cloud provides insights into the security of the development environment from
a single location, giving businesses peace of mind.

CSPM or Cloud Security Posture Management helps businesses identify and fix security
misconfigurations. This reduces the risk of vulnerability is being exploited. With CSPM, Defender for Cloud offers
customizable security conditions, based on industry benchmarks.

CWPP or Cloud Workload Protection Platform helps businesses protect their workloads within the
Cloud environment. It offers a comprehensive set of security controls, safeguarding applications and data. With CWPP,
Defender for Cloud also offers real-time threat detection and response, enabling quick actions to mitigate potential
security incidents.
In addition to these capabilities, Defender for Cloud also offers several other features that can benefit businesses.

Multi-Cloud Coverage protects workloads in multiple Cloud environments, including Azure, amazon Web
Services, and Google Cloud Platform.

Defender for Cloud also offers a range of advanced tools that can help businesses improve their security posture.
Including governance features, regulatory compliance verification, and a Cloud
Security Explorer.

Furthermore, Defender for Cloud gives you data on your security posture to reduce data risks, and respond to data
breaches. It does this by automatically identifying data stores containing sensitive information, and continuously
uncovering risks that might lead to data breaches.
Additionally, it also provides attack path analysis. Defender for cloud models network traffic to identify potential risks,
before implementing any changes in the environment.

Permission Management: Defender for Cloud offers Microsoft Entra permissions management, which
simplifies the task of managing permissions across popular Cloud platforms.

By adopting Microsoft Defender for Cloud, businesses can effectively secure their Cloud environments, optimize their
operational efficiency, and insure regulatory compliance. Here are some specific benefits that Sam Scoops can expect
from using Microsoft Defender for cloud:

By identifying and fixing misconfigurations, it can help Sam Scoops reduce vulnerabilities that could be exploited. It can
help Sam Scoops protect their workloads with a comprehensive set of security controls, safeguarding their applications
and data. It also offers real-time threat detection and response. It can help Sam Scoops quickly identify and respond to
potential threats, mitigating potential security incidents. Furthermore, by automating security tasks, Defender for Cloud
can help Sam Scoops save time and money. Another benefit is a centralized view of security data. Defender for Cloud
provides a centralized view of all security-related data, making it easier for Sam Scoops to identify and respond to
threats. It also improves compliance. Defender for Cloud can help Sam Scoops to comply with industry regulations like,
Health Insurance Portability and Accountability Act, or HIPAA, General Data Protection Regulation, or GDPR and Payment
Card Industry Data Security Standards , or PCI DSS.

Now that you know what Microsoft Defender for Cloud does, let's move on to which Azure resources it protects. It
monitors a vast range of services including, virtual machines and Virtual Machine Scale Sets, as well as other major third
party Cloud services, like those from Amazon and Google. Additionally, it also offers protection for a range of PaaS
services. You might be familiar with many of these PaaS services. For instance, Defender for Cloud protects Azure Cloud
Services, which is a platform for building and deploying Windows, and Linux based applications.

It also secures Azure App Service, a fully managed platform for building and deploying web, mobile and API apps, and
you've learned about Azure Key Vault. Furthermore, Defender for Cloud protects Azure Kubernetes service, which helps
you deploy and manage containerized applications, and it protects Azure load balancer, which distributes traffic across
multiple Azure resources.

Make sure to review the list of PaaS solutions protected by Microsoft Defender for Cloud later in this lesson. Overall,
Microsoft Defender for Cloud is a powerful security platform that can help businesses of all sizes protect their Cloud
environments. By adopting Defender for Cloud, businesses can improve their security posture, reduce risk, and save time
and money.

AZURE SECURITY BEST PRACTICES

Like many companies all over the world, Sam Scoops moved their operations to the cloud because of all of the benefits
Azure holds, such as scalability, flexibility and cost efficiency. However, in doing so, they also face the crucial task of
ensuring the security of their data and applications. Over the next few minutes, you will learn about the best practices
that Sam Scoops should follow to ensure the security their cloud infrastructure.

Firstly, to establish a robust security framework, Sam Scoops must implement a comprehensive identity and access
management strategy within its Azure environment. This involves leveraging Azure Active Directory for user
authentication and employing role based access control, or RBAC, to manage permissions effectively.
Additionally, they should assign appropriate roles to different users based on their responsibilities, granting access only
to authorised individuals.

Further, to ensure secure access, Sam Scoops should implement a multi-factor authentication policy, adding an extra
layer of protection. These practices guarantee that the Azure resources remain accessible only to authorized people.

Following best practices around network security also plays a vital role in safeguarding data during transit and controlling
the flow of traffic within the Azure environment.
Sam Scoops can achieve this by implementing virtual networks, network security groups, or NSGs, and application
gateways. And by applying NSGs to these VNETs, they can have granular control over inbound and outbound traffic,
ensuring that only authorized communication occurs. Furthermore, the implementation of application gateways or a
firewall enables them to securely expose their web applications to the internet, shielding them from potential threats.
These measures significantly minimize the attack surface and reinforce data protection.
Now, let's move on to the next best practice, which is data security, protecting data both at rest and in transit is of
utmost importance. To achieve this, Sam Scoops must utilize various Azure services such as Azure storage service
encryption SSL and TLS certificates and Azure key vault for storing and managing cryptographic keys. Let's explore why.

To ensure data security at rest, Sam Scoops can enable encryption for their Azure storage accounts.

To protect data in transit, they can implement SSL and TLS certificates to establish secure communication channels,
preventing unauthorized access during transit.

By leveraging Azure key vault, they can securely store and manage their cryptographic keys, maintaining the
confidentiality and integrity of their sensitive data.
Lastly, let's discuss the fourth and final best practice monitoring and threat detection. Continuously monitoring the Azure
environment and promptly detecting potential threats are vital aspects of maintaining a secure environment.

Sam Scoops can achieve this by leveraging Microsoft defender for cloud security center and Azure monitor. By utilizing
Microsoft defender for cloud, Sam Scoops can gain valuable insights into their Azure environment security posture. It
helps identify vulnerabilities, misconfigurations and potential threats, allowing them to take proactive measures to
mitigate risks.
Additionally, Azure monitor provides comprehensive monitoring capabilities, enabling them to monitor logs, set up
alerts, and gain real time visibility into their environment security status. These best practices serve as an excellent guide
for Sam Scoops to establish a secure Azure environment. By diligently implementing these measures, they can effectively
protect their data, applications and most importantly, their customers. It is crucial for any organization leveraging Azure
to prioritize security. These best practices lay the foundation for a robust security framework that ensures the resilience
and protection of their digital assets.

AZURE SECURITY IN DEPTH

Introduction When a business uses cloud infrastructure there are many aspects that need protection. These include
controlling access to resources, monitoring and responding to cyberthreats, protecting sensitive data, guarding its
network infrastructure, and providing the means to develop secure applications. Azure Security is a cloud-based security
solution that provides various key features and benefits to meet these security needs. This reading provides you with
some examples of how businesses like Sam’s Scoops can leverage Azure Security as a layered security approach that
protects all aspects of their company.

Identity and access management (IAM) Sam’s Scoops can use Azure Security's IAM features to manage user identities
and access to its resources. For example, it can implement single sign-on (SSO) for employees, allowing them to access
multiple applications with a single set of credentials. This reduces the risk of password-related security breaches.

Azure Security also offers role-based access control (RBAC), which allows Sam’s Scoops to define fine-grained permissions
for users and groups. This ensures that users only have access to resources related to their job roles.

Threat protection Azure Security's threat protection services can help Sam’s Scoops detect and respond to security
threats effectively. For example, Microsoft Sentinel can collect and analyze security data from its Azure resources, such as
Azure Virtual Machines (VMs), Azure Storage, and Azure SQL Database. This data can be used to identify potential
threats, such as malware or ransomware attacks.

Azure Security also offers Microsoft Defender for Endpoint – formerly Azure Advanced Threat Protection (ATP) – which
can help Sam’s Scoops detect and respond to advanced threats, such as compromised identities and malicious insider
actions. Microsoft Defender for Endpoint can also detect and protect against data breaches.

Data protection Azure Security's data protection services can help Sam’s Scoops safeguard its sensitive data. For
example, Azure Key Vault can be used to securely store and manage encryption keys for company data. This can protect
company data from unauthorized access or disclosure.

Azure Data Loss Prevention (DLP) can also help Sam’s Scoops to identify and prevent the accidental sharing of sensitive
data via email or other channels. Additionally, Sam’s Scoops can use DLP to classify and label sensitive data, so that it can
be properly handled and protected.

Network security Azure Security's network security services can help Sam’s Scoops protect its networks from
unauthorized access. For example, Azure Firewall can be used to establish secure perimeters around their cloud
resources. This will ensure that only authorized traffic can access its applications and databases.

Azure Security also offers Azure Virtual Network (VNet), which can be used to create isolated virtual networks within
Azure. This improves network security and compliance.

Cloud security Azure Security provides comprehensive cloud-based security services, which are crucial for the company’s
operations in the cloud. It ensures that Sam’s Scoops’ data, applications, and infrastructure are protected from modern
cyberthreats such as DDoS attacks or unauthorized data access.

Azure Security also offers Defender for Cloud, which can help Sam’s Scoops assess their security posture and identify
potential security risks. Furthermore, it can benefit from Azure Security Center recommendations on security best
practices and remediation steps.
Compliance Sam’s Scoops can leverage Azure Information Protection (AIP) to meet compliance requirements. AIP is part
of Microsoft Purview Information Protection, formerly Microsoft Information Protection or MIP. For example, if they
need to comply with GDPR (General Data Protection Regulation), Azure Information Protection can help classify and label
personal data, ensuring proper handling and protection.

Microsoft Defender for Cloud, formerly Azure Security Center, also helps companies meet compliance requirements. For
instance, it can assist Sam’s Scoops to comply with industry regulations, such as PCI DSS and HIPAA.

DevOps security Azure Security's tools and services, like Azure DevOps and Azure Policy, can support Sam’s Scoops'
DevOps teams in building secure applications and infrastructure. They can integrate security checks into their
development pipelines, automatically scanning for vulnerabilities or misconfigurations.

Azure DevOps can also help Sam’s Scoops to automate the deployment of security updates and patches. This can help to
reduce the risk of security vulnerabilities being exploited.

Conclusion In conclusion, Azure Security provides a comprehensive set of security features and services that can help
Sam’s Scoops protect their data, applications, and infrastructure from a wide range of threats. By using Azure Security,
Sam’s Scoops can benefit from reduced risk of security breaches, improved compliance adherence, increased operational
efficiency, enhanced visibility into their security posture, and ultimately provide a more secure environment for their
customers.

One of the advantages of cloud security is the increased control over data and security in a private or hybrid cloud. This
allows businesses to have more control over their data and implement specific security measures.

Identity Protection is a feature of Azure AD that uses machine learning to analyze user behavior and identify
suspicious activity.

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It
can be used to manage user accounts, passwords, and access to Azure resources.

Azure Security's Threat Protection includes Microsoft Sentinel, a cloud-native security information and
event management (SIEM) solution.

Defender for cloud is a comprehensive solution that provides threat intelligence and security recommendations
to protect Azure resources.

Defender for Cloud

Defender for Cloud provides recommendations, security alerts, and vulnerability assessment for these Azure services:

Service Recommendations free with Foundational Security Vulnerability

CSPM alerts assessment

Azure App Service ✔ ✔ -

Azure Automation account ✔ - -

Azure Batch account ✔ - -

Azure Blob Storage ✔ ✔ -

Azure Cache for Redis ✔ - -

Azure Cloud Services ✔ - -

Service Recommendations free with Foundational Security Vulnerability
CSPM alerts assessment

Azure AI Search ✔ - -

Azure Container Registry ✔ ✔ Defender for

Containers

Azure Cosmos DB* ✔ ✔ -

Azure Data Lake Analytics ✔ - -

Azure Data Lake Storage ✔ ✔ -

Azure Database for MySQL* - ✔ -

Azure Database for PostgreSQL* - ✔ -

Azure Event Hubs namespace ✔ - -

Azure Files ✔ ✔ -

Azure Functions app ✔ - -

Azure Key Vault ✔ ✔ -

Azure Kubernetes Service ✔ ✔ -

Azure Load Balancer ✔ - -

Azure Logic Apps ✔ - -

Azure SQL Database ✔ ✔ Defender for Azure

SQL

Azure SQL Managed Instance ✔ ✔ Defender for Azure

SQL

Azure Service Bus namespace ✔ - -

Azure Service Fabric account ✔ - -

Azure Stream Analytics ✔ - -

Azure Subscription ✔ ** ✔ -

Azure Virtual Network ✔ - -

(incl. subnets, NICs, and network security
groups)

* These features are currently supported in preview. ** Microsoft Entra recommendations are available only for
subscriptions with enhanced security features enabled.

Defender for Cloud depends on the Azure Monitor Agent or the Log Analytics agent. Make sure that your machines are
running one of the supported operating systems as described on the following pages:
  Azure Monitor Agent

o Azure Monitor Agent for Windows supported operating systems

o Azure Monitor Agent for Linux supported operating systems

 Log Analytics agent

o Log Analytics agent for Windows supported operating systems

o Log Analytics agent for Linux supported operating systems

Also ensure your Log Analytics agent is properly configured to send data to Defender for Cloud.

Microsoft Defender for Cloud is a CNAP – Cloud Native Application Protection platform. Monitoring, protection, action
on threats and vulnerabilities – a single pane of glass into a collection of services and applications. Policy-based, and the
policies are created by Microsoft Defender. Defender for Storage, for API, Servers, Containers, App Services, Resource
Manager, Vault, DNS, DevOps, Cosmos DB, etc. Each has its own set of different policies/checks, with different metadata,
including checking compliance with ISO 20007, GDPR, HIPAA, enabling centralized identity management, firewalls,
providing recommendations, discovering threats, changes in behavior, etc.

Enabling Enhanced Security Features provides the real benefits of the

defender plans, installing agents and extensions on cloud resources.
(e.g. on VMs with Defender for Servers). Be aware – costs for Defender
for cloud will scale with the number of resources it protects! Even if you
deploy an empty container, it will still be accruing costs.
Protect workloads

 Defender for Servers

 Defender for Containers
 Defender for Databases
 Defender for Storage
  Defender for DevOps
 Defender for App Service
 Defender for Key Vault
 Defender for Resource Manager

Includes tagging data for sensitivity, integrated defender antivirus, antimalware scanning for storage, scans for
vulnerabilities, exfiltration protection – for about $10 a month.

Microsoft Azure Bastion is part of it – a fully managed service that provides secure and seamless RDP and
SSH access to virtual machines (VMs) in Azure without requiring public IP addresses on those VMs. It functions as a
"jump box" or "jump host" by acting as a secure gateway, allowing users to connect to VMs within a virtual network
directly from the Azure portal. Bastion allows users to connect to VMs without exposing them directly to the internet.
This reduces the attack surface and improves security. No Public IPs are Needed: VMs can be accessed through Bastion
without requiring a public IP address, making them more difficult to find and attack; Seamless RDP/SSH: Bastion supports
RDP (Remote Desktop Protocol) and SSH (Secure Shell Protocol) connections, enabling users to manage and access VMs
as needed; Fully Managed: Bastion is a fully-managed PaaS (Platform as a Service) offering, meaning Microsoft handles
the infrastructure and maintenance, reducing the operational burden for users; Centralized Access: Bastion provides a
single point of control for accessing VMs within a virtual network, simplifying management and auditing; Remote Work:
Bastion supports remote work scenarios, allowing users to access Azure VMs from anywhere with internet connectivity;
Security Features: Bastion offers various security features, including session recording, monitoring, and auditing, to help
protect against potential threats; No Client Software: Bastion doesn't require users to install any client software on their
devices, making it easy to use.

AI security

Security Posture & Compliance

Threat Protection & Response

Microsoft Defender interface

Microsoft Defender for Cloud is a central location for setting and monitoring your organization's security posture. You
can view which solutions adhere to security measures and which systems need to be secured.

In this video, you will learn about the Microsoft Defender for Cloud interface and its main features. Microsoft Defender
for Cloud is a solution for Cloud Security Posture Management, or CSPM, and Cloud Workload Protection, or CWP. It
can help you find weak spots across your Cloud configuration, and it helps strengthen the overall security posture of your
environment and protect workloads across multi-Cloud and hybrid environments from evolving threats.

Let's examine the interface, specifically the main overview page. An overview of security posture,
regulatory compliance, workload protections and inventory can all be seen on the main
overview page. Select the Microsoft Defender for Cloud Security Posture page option, and you can view the security
posture of hybrid Cloud workloads, security alerts coverage, and information.

Defender for Cloud continually assesses Cloud environments for security vulnerabilities and misconfigurations. It then
aggregates the findings into a secure score, in this case, 69%. The higher the score, the lower the identified risk level
is.

Navigate back to the overview page by selecting Microsoft Defender for Cloud Overview in the top left-hand part of the
screen. Then select Recommendations. Defender for Cloud provides recommendations on how to resolve security
issues. As recommendations are implemented, the secure score improves. Organizations often face a high volume of
security recommendations, like the ones listed here on the recommendation dashboard. You can select and expand a
recommendation like this one for internet facing virtual machines.

To help make sense of the recommendations, the intelligent Cloud security graph and attack path analysis prioritize the
most critical risks. The paths shown have a potentially high business impact that attackers can exploit.

This graph shows the attack path nodes representing resources which are found across the top in round circles with all
the potential attacks listed in the graph underneath. In this example, to prevent lateral movement and internet facing
VM needs an NSG to protect the VM. By selecting remediation steps, you can view recommendations to kill the attack
chain.

In this example, there are no unhealthy resources because the samsscoopsweb machine is protected. You can view it by
clicking on "Healthy resources". Let's return to the recommendations to select another one, this time for applying system
updates. By selecting remediation steps and the resource, the task can be assigned to another user to remediate. Step 1,
select the virtual machine. Step 2, select Assign owner. Step 3, fill in the email address or select the Select owner box to
find the user. In this example, it's Jamie. Step 4, select a due date for the task and select Save. It will take a few seconds
to take effect.

To view recommendations associated with a specific resource, you need to navigate back to the overview page. Select
Inventory, and then the virtual machine, samscoopsweb. A list of recommendations for that VM now displays.
Navigate back to the previous menu by selecting Microsoft Defender for Cloud in the top left-hand side of the screen.

For risk hunting and attack surface exploring, select the Cloud Security Explorer from the Overview page. Cloud
Security Explorer equips security admins and power users with query-based tools and starter templates for risk hunting
and resource exploring, enabling users to query the graph for their own findings.

Now select the Overview option from the menu on the left-hand side of the screen and then select Regulatory
Compliance. This function helps you check compliance across industries, thereby streamlining the process of meeting
regulatory compliance requirements in an industry. As recommendations are acted upon, it reduces the environmental
risk factors, so compliance and posture improve. You can select audit reports to view different compliances. For
example, you can select PCI and download the Payment Card Industry Data Security Standard, or PCIDSS, report.
QUICK FIX will automatically remediate discovered vulnerabilities – Deny will prevent the specific
vulnerability from recurring by blocking the creation of noncompliant resources. Different standards can be
used as templates to set up compliance.

Compliance audit reports can be auto-generated and downloaded for each standard set up – to be shared with relevant
stakeholders:
Security Posture recommendations can be assigned to specific owners with
due dates under Governance Rules. This sends weekly emails to the owner and
his or her manager.
Plans (and charges) can be set on or off under the Settings > Defender Plans
page:

Now, select Microsoft Defender for Cloud Overview to return to the Overview page. From there, select Environment
settings. Here you can manage the subscription settings for Defender for Cloud. By selecting your subscription, you can
see the Defender plans that have been enabled.

Click on the three dot menu, select Edit settings, and then from the list displayed, you can switch plans on or off. These
are some of the features you can access via the Microsoft Defender for Cloud interface. Defender for Cloud closely
monitors an enterprise's security posture, enabling you to reduce risks by prioritizing recommendations. It also enables
you to search for risks across the Azure subscription by exploring the attack surface of your resources. This in turn allows
you to improve compliance and implement security governance just by using the Defender for Cloud interface.

Here’s a Microsoft Defender for Cloud walkthrough from Microsoft:

https://mslearn.cloudguides.com/guides/Manage%20your%20cloud%20security%20posture%20with%20Microsoft
%20Defender%20for%20Cloud

Azure Bastion
Server administrators understand that it's efficient to administer and maintain servers in an on-premise datacenter
remotely. With Windows Infrastructure as a Service and virtual machines being deployed in Azure, administrators must
rely solely on remote management to administer and maintain Cloud-based resources.

Thus far, you've learned that you can use JIT access to protect ports during remote access, but they are still exposed for a
configured period of time. How can administrators securely connect to remote Cloud-based VMs without exposing the
management interfaces of those VMs to the Internet? The answer is Azure Bastion, a fully managed Platform as a Service
or PaaS service that allows you to securely connect to Azure VMs remotely by providing secure and seamless RDP and
SSH access to your VMs, thus reducing the attack surface.
In this video, you will learn about this service and how it works. To refresh your memory, the attack surface is the
number of possible points or attack vectors from which an unauthorized user can access a system and extract data. The
smaller the attack surface, the easier it is to protect. Organizations must constantly monitor their attack surface to
identify and block potential threats as quickly as possible.

But it's difficult to neutralize all attack vectors when remote access is needed because by necessity it relies on the
Internet. Let's consider an example. Suppose an organization's network administrator needs to connect to the Azure VMs
remotely. In the past, this app ran on a couple of Windows server computers in your head office datacenter. Whenever
you needed to administer the app, you connected using Remote Desktop Protocol, RDP over TCP port 3389. You also
used Secure Shell or SSH over port 22 to administer the VMs.

Because the app was hosted on a computing resource in a private datacenter, you had no concerns about malicious
hackers gaining access over the Internet. However, the app now runs on VMs hosted in Azure, which are exposed. To
connect to the VMs, you must now expose a public IP address on each VM for your RDP SSH connections. Potential
protocol vulnerabilities make this type of connection undesirable.

As a solution, you
could use a jump box Server VM. A jump box server is an
intermediary between your management console and the target VMs. Network
security policy permits access only to the jump box from remote networks, denying direct
access to the rest of the network in which the jumps server resides. Only by accessing the
jump server can you access other devices on the network.
Jump servers are great, but they have to be managed and maintained, thereby
creating a risk because if the machine isn't updated and maintained, it can be
attacked. If you're using Azure, a better solution would be to use Azure Bastion to
protect access to these remote VMs because it doesn't require management or
maintenance, thus reducing risk.
By implementing Azure Bastion, you can manage the Azure VMs within a
configured Azure virtual network by using either RDP or SSH without needing to
expose those management ports to the public Internet.
Let's examine the architecture of a typical Azure Bastion deployment and the
end-to-end connection process. Azure Bastion is deployed in a VNet that contains
another subnet with several Azure VMs. NSGs protect the subnets and the virtual
network. The NSG protecting the VMs subnet allows RDP and SSH traffic from
the Azure Bastion subnet.
Azure Bastion supports communications only through TCP port 443 from the
Azure portal. The typical connection process in Azure Bastion is as follows: First,
an administrator connects to the Azure portal using any HTML5 browser via
connection secured with TLS. Second, in the portal, the administrators selects the
VM they want to connect to. Third, the portal connects over secured connection
to Azure Bastion through an NSG that's protecting the Virtual Network hosting
the targeted VM. Forth. Azure Bastion initiates a connection to the target VM.
Fifth, the RDP or SSH session opens in the browser on the administrator console.
Azure Bastion streams the session information through custom packages, and
these packages are protected by TLS. By using Azure Bastion, you bypass the
need to directly expose RDP SSH to the Internet on a public IP. Instead, you
connect to Azure Bastion securely with Secure Sockets Layer or SSL, and it
connects to the target VMs using a private IP. Azure Bastion achieves the key
goal of enabling secure remote management of hosted VMs, thereby reducing
the attack surface. As a managed service, you don't need to update Azure
Bastion or manually configure NSGs and related settings. It helps protect your
hosted VMs because it provides the convenience of securely using both RDP, SSH
to manage VMs remotely and avoids exposing ports to the Internet. Azure
Bastion represents the best solution to enabling secure remote management of
Azure hosted VMs.
Bastion and virtual machines
In this video, you will learn how to deploy Azure Bastion from the Azure portal on the Sams Scoops Azure tenant and use
Azure Bastion to protect the SamScoopsWeb VM. You will also learn how Bastion can be combined with JIT access for
better protection.

Let's begin from the Azure portal homepage. Use the search function to find virtual networks and select the Virtual
Networks option. Then select the WebServer virtual network. On the page for the virtual network in the left pane, select
''Bastion'' to open the Bastion page. On the Bastion page, select configure manually. This lets you configure specific
additional settings when deploying Bastion to your VNet.

On the creative Bastion page, configure the settings for the Bastion host. The project details are automatically populated
according to the selected VNet and subscription you are working with. Therefore, the project details already has Azure
Subscription 1, and web server selected.

To configure the Bastion instance details, give it a name. In this case use Sam scoops. Select a region, West Europe, select
a tier, you'll be using standard. Instance count is the setting for host scaling. It's configured in scale unit increments.
Leave it at the default of two.

Configure the virtual network settings by selecting the web server VNet from the drop-down menu. Next, Azure Bastion
needs a subnet named AzureBastionSubnet to configure the AzureBastionSubnet. Select the Managed subnet
configuration. On the add subnet page, create the AzureBastionSubnet using the following values. Leave the other values
as default. The subnet named must be AzureBastionSubnet. The subnet address range for some scoops is 172.16.2.0/24.

The subnet must be at least slash 26 or larger to accommodate features available with the standard SKU. Select ''Save'' at
the bottom of the page to save your values. Navigate back to the Bastion configuration page by selecting Create a Bastion
in the top left-hand side of the screen.
The public IP address section is where you configure the public IP address of the Bastion host resource on which RDP/SSH
will be accessed over port 443. The public IP address must be in the same region as the Bastion resource you are
creating. To create a new IP address, leave it as the default, which is Create New. You can leave the default naming
suggestion.

When you finish specifying the Settings, select, Review plus Create. This validates the values. Once validation passes, you
can deploy Bastion. Select ''Create''. There will be a message letting you know that your deployment is in progress. Status
will display on this page as the resources are created. It takes about 10 minutes for the Bastion resource to be created
and deployed.

Let's now go over the steps to connect Bastion with JIT access. In the Azure portal, select Virtual Machines. Select the
SamScoopsWeb VM. At the top of the page, select Connect. From the IP address drop-down menu, select Private IP
address, and select Request access.

This opens the JIT ports for Bastion to connect to. At the top of the page, select ''Bastion'' to go to the Bastion page.
Select Use Bastion, which will allow you to connect to a Windows computer using RDP and port 3389.

The authentication type is already specified as password. Leave this setting as is. Complete the required authentication
values. In this case, for the SamScoops VM, the username is AZAdmin with the password p@$$@1234567.

To open the VM session in a new browser tab, leave open in a new browser tab selected. Select ''Connect'' to connect to
the VM. The connection to this virtual machine via Bastion will open directly in the Azure portal over HTML 5 using port
443 and the Bastion Service.

In this video, you learned how to configure and deploy Azure Bastion to connect a virtual machine. In this example, Just
in Time access was used with Azure Bastion for extra protection of the management ports.

Exercise: Shield virtual machines using Bastion

Introduction Previously you have protected virtual machines using the Azure Firewall, filtering traffic to only allow
permitted traffic. You have also protected a virtual machine’s management ports using JIT, but management ports are
still exposed when in use. In this exercise, you will reduce the threat exposure to a virtual machine further, by shielding it
with Azure Bastion.

Case study Sam’s Scoops web server is online with an Azure firewall and JIT protection but Sam now wants to protect
this asset further by enabling Azure Bastion. You have been tasked to setup Azure Bastion to protect the Sam Scoops web
server.

Instructions For this exercise to be successful, the exercise Create a Windows virtual machine in the Azure portal from
Week 1 Lesson 2 has to have been completed, and the machine must still be present. If not, please revisit that exercise
first.

Step 1: Setup and configure Azure Bastion for the SamScoopsWeb VM

1. From the Azure portal home page use the search function to find Virtual networks and select it.

2. Select the Web_Server network.

3. On the page for the virtual network, in the left pane, select Bastion to open the Bastion page.

4. On the Bastion page, select I want to configure Azure Bastion on my own.

5. On the Create a Bastion page, configure the settings for the Bastion host.

o To configure the instance details give it a Name, "SamScoops".

o For the Region, select the same region you chose for your SamScoopsWeb VM.
 o For the Tier, select Standard.

o Leave the instance at the default of 2.

1. Configure the virtual network’s settings by selecting the Web_server VNet from the dropdown menu.

2. To configure the AzureBastionSubnet, select Manage subnet configuration.

3. On the subnets page select + Subnet. Create the AzureBastionSubnet subnet using the following values.

o The subnet name must be "AzureBastionSubnet".

o The subnet address range for SamScoops is 172.16.2.0/24.

o Leave the other values as default.

o Select Save at the bottom of the page to save your values.

1. At the top of the subnets page, select Create a Bastion to return to the Bastion configuration page.

2. Select Create new under Public IP address. You can leave the default naming suggestion.

3. When you finish specifying the settings, select Review + Create. This validates the values.

4. Once validation passes, you can deploy Bastion. Select Create.

There will be a message letting you know that your deployment is in process. The status will display on this page as the
resources are created. It takes about 10 minutes for the Bastion resource to be created and deployed.

Step 2: Testing the Azure Bastion connection

1. In the Azure portal, search for and select Virtual machines.

2. Select the SamScoopsWeb VM.

3. At the top of the page, select Connect.

4. From the IP address dropdown select Private IP address.

5. Select Request access. You’ll note a message in the top right corner saying that the request has been approved.

6. At the top of the page, select Bastion to go to the Bastion page.

7. Select Use Bastion.

8. Complete the required authentication values. In this case, for the SamScoops VM, use the username AzAdmin
and P@$$@1234567 as the password.

9. To open the VM session in a new browser tab, leave Open in a new browser tab selected.

10. Click Connect to connect to the VM.

The connection to this virtual machine, via Bastion, will open directly in the Azure portal (over HTML5) using port 443
and the Bastion service.

Clean-up If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to
stop compute resources after completing each lesson. When you're working in your own subscription, it's also a good
idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost
you money. You can delete resources individually or delete the resource group to delete the entire set of resources.
Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
exercise.

Conclusion You have now successfully configured remote access to the SamScoops web server using Azure Bastion. You
have also tested the remote connection via the Azure portal. Access to the SamScoops management ports is no longer
exposed to the internet and connection to the server can be made through Azure Bastion in the future.

What is Azure Application Gateway?

Azure Application Gateway is a web traffic (OSI layer 7) load balancer that enables you to manage traffic to your web
applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based
on source IP address and port, to a destination IP address and port.

Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path
or host headers. For example, you can route traffic based on the incoming URL. So if /images is in the incoming URL, you
can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is
routed to another pool that's optimized for videos.

This type of routing is known as application layer (OSI layer 7) load balancing. Azure Application Gateway can do URL-
based routing and more.

Note Azure provides a suite of fully managed load-balancing solutions for your scenarios.

 If you're looking to do DNS based global routing and do not have requirements for Transport Layer Security (TLS)
protocol termination ("SSL offload"), per-HTTP/HTTPS request or application-layer processing, review Traffic
Manager.

 If you need to optimize global routing of your web traffic and optimize top-tier end-user performance and
reliability through quick global failover, see Front Door.
  To do transport layer load balancing, review Load Balancer.

Your end-to-end scenarios may benefit from combining these solutions as needed. For an Azure load-balancing options
comparison, see Overview of load-balancing options in Azure.

Features To learn about Application Gateway features, see Azure Application Gateway features.

Infrastructure To learn about Application Gateway infrastructure, see Azure Application Gateway infrastructure
configuration.

Security

 Protect your applications against L7 layer DDoS protection using WAF. For more information, see Application
DDoS protection.

 Protect your apps from malicious actors with Bot manager rules based on Microsoft’s own Threat Intelligence.

 Secure applications against L3 and L4 DDoS attacks with Azure DDoS Protection plan.

 Privately connect to your backend behind Application Gateway with Private Link and embrace a zero-trust access
model.

 Eliminate risk of data exfiltration and control privacy of communication from within
the virtual network with a fully Private-only Application Gateway deployment.
 Provide a centralized security experience for your application via Azure Policy, Azure Advisor, and Microsoft
Sentinel integration that ensures consistent security features across apps.

Pricing and SLA For Application Gateway pricing information, see Application Gateway pricing.

For Application Gateway SLA information, see Application Gateway SLA.

What's new To learn what's new with Azure Application Gateway, see Azure updates.

Next steps Depending on your requirements and environment, you can create a test Application Gateway using either
the Azure portal, Azure PowerShell, or Azure CLI.

Protect your sensitive data with Microsoft Purview

Licensing for Microsoft 365 Security & Compliance

Implement capabilities from Microsoft Purview Information Protection (formerly Microsoft Information Protection) to
help you discover, classify, and protect sensitive information wherever it lives or travels.

These information protection capabilities give you the tools to know your data, protect your data, and prevent data loss.
Use the following sections to learn more about the available capabilities and how to get started with each one. However,
if you're looking for a guided deployment, see Deploy an information protection solution with Microsoft Purview.

For information about governing your data for compliance or regulatory requirements, see Govern your data with
Microsoft Purview.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview
capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview
trials hub. Learn details about signing up and trial terms.

Know your data

To understand your data landscape and identify sensitive data across your hybrid environment, use the following
capabilities:

Expand table

Capability What problems does it solve? Get started

Sensitive Identifies sensitive data by using built-in or custom regular expressions or a Customize a built-in
information function. Corroborative evidence includes keywords, confidence levels, and sensitive information
types proximity. type

Trainable Identifies sensitive data by using examples of the data you're interested in rather Get started with
classifiers than identifying elements in the item (pattern matching). You can use built-in trainable classifiers
classifiers or train a classifier with your own content.

Data A graphical identification of items in your organization that have a sensitivity label, Get started with
classification a retention label, or have been classified. You can also use this information to gain content explorer
insights into the actions that your users are taking on these items.
Get started with
activity explorer
Protect your data

To apply flexible protection actions that include encryption, access restrictions, and visual markings, use the following
capabilities:

Expand table

Capability What problems does it solve? Get started

Sensitivity labels A single labeling solution across apps, services, and devices to protect Get started with sensitivity
your data as it travels inside and outside your organization. labels

Example scenarios:
- Manage sensitivity labels for Office apps
- Encrypt documents and emails
- Protect calendar items, Teams meetings, and chat

For a comprehensive list of supported scenarios for sensitivity labels,

see the Get started documentation.

Microsoft Purview For Windows computers, extends labeling to File Explorer and Extend sensitivity labeling on
Information PowerShell Windows
Protection client

Double Key Under all circumstances, only your organization can ever decrypt Deploy Double Key
Encryption protected content or for regulatory requirements, you must hold Encryption
encryption keys within a geographical boundary.

Message Encryption Encrypts email messages and attached documents that are sent to any Set up Message Encryption
user on any device, so only authorized recipients can read emailed
information.

Example scenario: Revoke email encrypted by Advanced Message

Encryption

Service encryption Protects against viewing of data by unauthorized systems or personnel, Set up Customer Key
with Customer Key and complements BitLocker disk encryption in Microsoft datacenters.

SharePoint Protects SharePoint lists and libraries so that when a user checks out a Set up Information Rights
Information Rights document, the downloaded file is protected so that only authorized Management (IRM) in
Management (IRM) people can view and use the file according to policies that you specify. SharePoint admin center

Rights Management Protection-only for existing on-premises deployments that use Exchange Steps to deploy the RMS
connector or SharePoint Server, or file servers that run Windows Server and File connector
Classification Infrastructure (FCI).

Information Discovers, labels, and protects sensitive information that resides in data Configuring and installing the
protection scanner stores that are on premises. information protection
scanner

Microsoft Defender Discovers, labels, and protects sensitive information that resides in data Discover, classify, label, and
for Cloud Apps stores that are in the cloud. protect regulated and
sensitive data stored in the
cloud
Capability What problems does it solve? Get started

Microsoft Purview Identifies sensitive data and applies automatic labeling to content in Labeling in Microsoft Purview
Data Map Microsoft Purview Data Map assets. These include files in storage such Data Map
as Azure Data Lake and Azure Files, and schematized data such as
columns in Azure SQL DB and Azure Cosmos DB.

Microsoft Extends sensitivity labels to third-party apps and services. Microsoft Information
Information Protection (MIP) SDK setup
Protection SDK Example scenario: Set and get a sensitivity label (C++) and configuration

Prevent data loss

To help prevent accidental oversharing of sensitive information, use the following capabilities:

Expand table

Capability What problems does it solve? Get started

Microsoft Purview Data Loss Helps prevent unintentional sharing of sensitive items. Learn about data loss prevention
Prevention

Endpoint data loss prevention Extends DLP capabilities to items that are used and Get started with Endpoint data
shared on Windows 10 computers. loss prevention

Microsoft Purview extension for Extends DLP capabilities to the Chrome browser Get started with the Microsoft
Chrome Purview extension for Chrome

Microsoft Purview data loss Extends DLP monitoring of file activities and protective Get started with Microsoft
prevention on-premises actions for those files to on-premises file shares and Purview data loss prevention on-
repositories SharePoint folders and document libraries. premises repositories

Protect sensitive information in Extends some DLP functionality to Teams chat and Learn about the default data loss
Microsoft Teams chat and channel messages prevention policy in Microsoft
channel messages Teams

Licensing requirements

License requirements to protect your sensitive data depend on the scenarios and features you use. Rather than set
licensing requirements for each capability listed on this page, for more information, see the Microsoft 365 guidance for
security & compliance and the related PDF download for feature-level licensing requirements.

Zero Trust is a security strategy comprising three principles:

 Verify explicitly
 Use least privilege access
 Assume breach
FIPS compliance means a product, system, or solution adheres to the Federal Information Processing Standards
(FIPS) defined by the US government, specifically for protecting sensitive data. This typically involves using FIPS-validated
cryptographic modules and algorithms to encrypt and secure data, ensuring robustness and alignment with national and
international security practices.

ZERO TRUST IMPLEMENTATION Documentation Helps you... Roles

Adoption framework for phase and step guidance Apply Zero Trust protections from the Security architects, IT teams,
for key business solutions and outcomes C-suite to the IT implementation. and project managers

Assessment and progress tracking resource Assess your infrastructure's readiness Security architects, IT teams,
and track your progress. and project managers

Zero Trust partner kit Co-branded tracking resources, Partners and security architects
workshop, and architecture
illustrations

Deployment for technology pillars for conceptual Apply Zero Trust protections aligned IT teams and security staff
information and deployment objectives with typical IT technology areas.

Zero Trust for small businesses Apply Zero Trust principles to small Customers and partners
business customers. working with Microsoft 365 for
business

Zero Trust for Microsoft Copilots for stepped and Apply Zero Trust protections to IT teams and security staff
detailed design and deployment guidance Microsoft Copilots.

Zero Trust deployment plan with Microsoft 365 for Apply Zero Trust protections to your IT teams and security staff
stepped and detailed design and deployment Microsoft 365 organization.
guidance

Incident response with XDR and integrated SIEM Set XDR tools and integrate these with IT teams and security staff
Microsoft Sentinel

Zero Trust for Azure services for stepped and Apply Zero Trust protections to Azure IT teams and security staff
detailed design and deployment guidance workloads and services.

Partner integration with Zero Trust for design Apply Zero Trust protections to partner Partner developers, IT teams,
guidance for technology areas and specializations Microsoft cloud solutions. and security staff

Develop using Zero Trust principles for application Apply Zero Trust protections to your Application developers
development design guidance and best practices application.

US Government guidance for CISA, DoD, and Prescriptive recommendations for US IT Architects and IT teams
the Memorandum for Zero Trust architecture Government requirements

Secure score in Defender for Cloud

 Article
  03/12/2025

 11 contributors

Feedback

In this article

1. View the secure score

2. Explore your security posture

3. Calculation of the secure score

4. Score calculation equations

Show 3 more

The secure score in Microsoft Defender for Cloud can help you to improve your cloud security posture. The secure score
aggregates security findings into a single score so that you can assess, at a glance, your current security situation. The
higher the score, the lower the identified risk level is.

When you turn on Defender for Cloud in a subscription, the Microsoft cloud security benchmark (MCSB) standard is
applied by default in the subscription. Assessment of resources in scope against the MCSB standard begins.

The MCSB issues recommendations based on assessment findings. Only built-in recommendations from the MCSB affect
the secure score. Currently, risk prioritization doesn't affect the secure score.

Note

Recommendations flagged as Preview aren't included in secure score calculations. You should still remediate these
recommendations wherever possible, so that when the preview period ends, they'll contribute toward your score.
Preview recommendations are marked with an icon: .

View the secure score

When you view the Defender for Cloud Overview dashboard, you can view the secure score for all of your environments.
The dashboard shows the secure score as a percentage value and includes the underlying values.
The Azure mobile app shows the secure score as a percentage value. Tap it to see details that explain the score.
Explore your security posture

The Security posture page in Defender for Cloud shows the secure score for your environments overall and for each
environment separately.

On this page, you can see the subscriptions, accounts, and projects that affect your overall score, information about
unhealthy resources, and relevant recommendations. You can filter by environment, such as Azure, Amazon Web
Services (AWS), Google Cloud Platform (GCP), and Azure DevOps. You can then drill down into each Azure subscription,
AWS account, and GCP project.
Calculation of the secure score

On the Recommendations page in Defender for Cloud, the Secure score recommendations tab shows how compliance
controls within the MCSB contribute toward the overall security score.

Defender for Cloud calculates each control every eight hours for each Azure subscription or for each AWS or GCP cloud
connector.

Important Recommendations within a control are updated more often than the control itself. You might find
discrepancies between the resource count on the recommendations and the resource count on the control.

Example scores for a control The following example focuses on secure score recommendations for Remediate
vulnerabilities.
This example illustrates the following fields in the recommendations.

Expand table

Field Details

Remediate A grouping of recommendations for discovering and resolving known vulnerabilities.

vulnerabilities

Max score The maximum number of points that you can gain by completing all recommendations within a
control.

The maximum score for a control indicates the relative significance of that control and is fixed for
every environment.

Use the values in this column to determine which issues to work on first.

Current score The current score for this control.

Current score = [Score per resource] * [Number of healthy resources]

Each control contributes to the total score. In this example, the control is contributing 3.33 points to
current total score.

Potential score The remaining points available to you within the control. If you remediate all the recommendations in
increase this control, your score increases by 4%.

Potential score increase = [Score per resource] * [Number of unhealthy resources]

Insights Extra details for each recommendation, such as:

- Preview recommendation: This recommendation affects the secure score only when it's generally
available.
Field Details

- Fix: Resolve this issue.

- Enforce: Automatically deploy a policy to fix this issue whenever someone creates a
noncompliant resource.

- Deny: Prevent new resources from being created with this issue.

Score calculation equations

Here's how scores are calculated.

Security control

The equation for determining the score for a security control is:

The current score for each control is a measure of the status of the resources within the control. Each individual security
control contributes toward the secure score. Each resource that's affected by a recommendation within the control
contributes toward the control's current score. The secure score doesn't include resources found in preview
recommendations.

In the following example, the maximum score of 6 is divided by 78 because that's the sum of the healthy and unhealthy
resources. So, 6 / 78 = 0.0769. Multiplying that by the number of healthy resources (4) results in the current score:
0.0769 * 4 = 0.31.

Single subscription or connector

The equation for determining the secure score for a single subscription or connector is:

In the following example, there's a single subscription or connector with all security controls available (a potential
maximum score of 60 points). The score shows 29 points out of a possible 60. The remaining 31 points are reflected in
the Potential score increase figures of the security controls.
This equation is the same equation for a connector, with just the word subscription replaced by the word connector.

Multiple subscriptions and connectors

The equation for determining the secure score for multiple subscriptions and connectors is:

The combined score for multiple subscriptions and connectors includes a weight for each subscription and connector.
Defender for Cloud determines the relative weights for your subscriptions and connectors based on factors such as the
number of resources. The current score for each subscription and connector is calculated in the same way as for a single
subscription or connector, but then the weight is applied as shown in the equation.

When you view multiple subscriptions and connectors, the secure score evaluates all resources within all enabled
policies and groups them. Grouping them shows how, together, they affect each security control's maximum score.
The combined score is not an average. Rather, it's the evaluated posture of the status of all resources across all
subscriptions and connectors. If you go to the Recommendations page and add up the potential points available, you
find that it's the difference between the current score (22) and the maximum score available (58).

Improve a secure score

The MCSB consists of a series of compliance controls. Each control is a logical group of related security recommendations
and reflects your vulnerable attack surfaces.

To see how well your organization is securing each individual attack surface, review the scores for each security control.
Your score improves only when you remediate all of the recommendations.

To get all the possible points for a security control, all of your resources must comply with all of the security
recommendations within the security control. For example, Defender for Cloud has multiple recommendations for how
to secure your management ports. You need to remediate them all to make a difference in your secure score.

You can improve your secure score by using either of these methods:

 Remediate security recommendations from your recommendations list. You can remediate each
recommendation manually for each resource, or use the Fix option (when available) to resolve an issue on
multiple resources quickly.

 Enforce or deny recommendations to improve your score, and to make sure that your users don't create
resources that negatively affect your score.

Secure score controls

The following table lists the security controls in Microsoft Defender for Cloud. For each control, you can see the
maximum number of points that you can add to your secure score if you remediate all of the recommendations listed in
the control, for all of your resources.

Expand table

Secure Security control

score

10 Enable MFA: Defender for Cloud places a high value on MFA. Use these recommendations to help secure the users
of your subscriptions.

There are three ways to enable MFA and be compliant with the recommendations: security defaults, per-user
assignment, and conditional access policy.

8 Secure management ports: Brute force attacks often target management ports. Use these recommendations to
reduce your exposure with tools like just-in-time VM access and network security groups.
Secure Security control
score

6 Apply system updates: Not applying updates leaves unpatched vulnerabilities and results in environments that are
susceptible to attacks. Use these recommendations to maintain operational efficiency, reduce security
vulnerabilities, and provide a more stable environment for your users. To deploy system updates, you can use
the Azure Update Manager to manage patches and updates for your machines.

6 Remediate vulnerabilities: When your vulnerability assessment tool reports vulnerabilities to Defender for Cloud,
Defender for Cloud presents the findings and related information as recommendations. Use these
recommendations to remediate identified vulnerabilities.

4 Remediate security configurations: Misconfigured IT assets have a higher risk of being attacked. Use these
recommendations to harden the identified misconfigurations across your infrastructure.

4 Manage access and permissions: A core part of a security program is ensuring that your users have just the
necessary access to do their jobs: the least privilege access model. Use these recommendations to manage your
identity and access requirements.

4 Enable encryption at rest: Use these recommendations to ensure that you mitigate misconfigurations around the
protection of your stored data.

4 Encrypt data in transit: Use these recommendations to help secure data that's moving between components,
locations, or programs. Such data is susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking.

4 Restrict unauthorized network access: Azure offers a suite of tools that help you provide high security standards for
access across your network.

Use these recommendations to manage adaptive network hardening in Defender for Cloud, ensure that you
configured Azure Private Link for all relevant platform as a service (PaaS) services, enable Azure Firewall on virtual
networks, and more.

3 Apply adaptive application control: is an intelligent, automated, end-to-end solution to control which applications
can run on your machines. It also helps to harden your machines against malware.

2 Protect applications against DDoS attacks: Advanced networking security solutions in Azure include Azure DDoS
Protection, Azure Web Application Firewall, and the Azure Policy add-on for Kubernetes. Use these
recommendations to help protect your applications with these tools and others.

2 Enable endpoint protection: Defender for Cloud checks your organization's endpoints for active threat detection
and response solutions, such as Microsoft Defender for Endpoint or any of the major solutions shown in this list.

If no endpoint detection and response (EDR) solution is enabled, use these recommendations to deploy Microsoft
Defender for Endpoint. Defender for Endpoint is included in the Defender for Servers plan.

Other recommendations in this control help you deploy agents and configure file integrity monitoring.

1 Enable auditing and logging: Detailed logs are a crucial part of incident investigations and many other
troubleshooting operations. The recommendations in this control focus on ensuring that you enabled diagnostic
logs wherever they're relevant.

0 Enable enhanced security features: Use these recommendations to enable any Defender for Cloud plans.

0 Implement security best practices: This collection of recommendations is important for your organizational security
Secure Security control
score

but doesn't affect your secure score.

Next steps

INTRODUCTION TO AZURE POLICIES

In the modern business world, policies are like compasses, keeping companies on track with rules and guidelines to
ensure consistency and compliance. Many of these rules and procedures are enforced on companies by industry
standards or even requirements set by the state where companies are based. But many companies also need to enforce
their own rules to ensure secure business operations and efficient spending. Such company policies are essential to
control which resources are used in the Azure environment and their costs.

In this video, you will learn how Azure policy can be used to enforce rules about the use of Azure resources. Imagine a
scenario where Sam's Scoops grows so large that it is entirely migrated to the Azure Cloud environment using many
Azure services across the business. But imagine their revenues start slowing down, due to factors out of their control. To
reduce costs, management could ask the IT team to apply more granular control over the resources deployed in the
Azure environment.

The IT team's first step will be to deploy the Azure policy to create, assign, and manage policy definitions. Policy
definitions impose different rules and actions on resources like VMs so that those resources comply with corporate
standards and service level agreements, or SLAs. Policies focus on both the properties of new resources during
deployment and those of existing resources. It assesses resources, checking those that do not conform to policy
definitions.

Sam's Scoops IT team would generally use these policies to address compliance, control, or scale needs. Policy definitions
enable them to govern resource consistency, regulatory compliance, security, and costs. In fact, with Azure policy, they
can specify configuration requirements for any resources that are created and take one of these actions, identify
resources that are out of compliance, block the resources from being created, add the required configuration.

There are three main pillars in the functionalities of Azure policy:

 enforcement and compliance

 applying policies at scale
 remediation

Let's explore each concept briefly. The first pillar is about real-time enforcement and compliance assessment. For
example, the IT team can use Azure policy to control costs by restricting the SKUs of VMs. They can also limit the
deployment of VMs to less expensive regions and control which solutions are used from the Azure marketplace. Each
policy also provides compliance assessment of all existing resources. This data then powers the compliance overview,
aggregating results across all applied policies. This is an example from the Policy Overview Dashboard within the Azure
Portal, and it indicates that this environment has a compliance score of 100%.

The second pillar of Azure Policy is applying policies at scale by leveraging management groups. By assigning a policy to a
management group, you can impact hundreds of subscriptions and all their resources through a single policy agreement.
Two concepts are important here: policy initiatives and exclusions. Policy initiatives allow you to group policies to view
the aggregated compliance result. This example within the Policy Definition Dashboard demonstrates that you can create
an initiative definition and add multiple policies to that definition.

At the initiative level, there's also a concept called exclusions, where one can exclude either the child management
group, subscription, resource group, or resources from the policy assignment. When assigning a policy, you can specify
exclusions for the subscription as seen in this example.
Policies will make changes to your virtual environment, so make sure to test everything before creating them. Validate
your policy syntax, the actions that will be taken, and the scope in use. The scope of a policy definition typically includes
the affected management groups, subscriptions and resource groups, as well as the inclusions, exclusions, and
exemptions.

The third pillar of your policy is remediation. A remediation policy will automatically remediate noncompliant resources,
so your environment stays compliant. Note that existing resources will only be flagged as noncompliant, but they won't
automatically be changed, since changing them can impact your environment. For these cases, you can create a
remediation task to make these resources compliant. Then you can use the Azure Policies Compliance Dashboard to
check the results of your policy assignments. In this example, the subscription is only 50% compliant, so more work is
needed to meet the compliance goals.

In this video, you learned that Azure policy can help companies control costs, compliance, security, and management
across Azure. Sam's Scoops IT team can reduce cloud infrastructure costs by creating compliance rules and implementing
them on a large scale across the company through management groups. Fortunately, this will not automatically affect
existing resources, thereby minimizing the impact on their cloud environment. Azure policy will only flag noncompliant
existing resources and not automatically change them. The IT team can create separate remediation tasks to make these
existing resources compliant. There is still a lot to learn at how Azure policy helps companies enforce policies and
standards, and you will explore all its features during the rest of this lesson.

MANAGING AZURE POLICIES

Introduction Now that you know how powerful Azure Policy is for controlling compliance in a virtual environment, you
are ready to learn how this works practically. In this reading, you will investigate how to use Azure Policy and
Management Groups to implement compliance measures. You will specifically explore different policy actions, including
assigning policies, implementing custom policies, creating and assigning initiative definitions, and checking for
compliance.

Management groups Organizations using multiple subscriptions need a way to efficiently manage access, policies, and
compliance, and Azure management groups are the perfect solution, providing a level of scope and control over
subscriptions. Management groups are like containers for multiple subscriptions from where you can centrally manage
access, policy, and compliance.

Consider the following characteristics of Azure Management Groups:

 By default, all new subscriptions are placed under the top-level management group or root group.

 All subscriptions within a management group automatically inherit the conditions applied to that management
group.

 A management group tree can support a hierarchy of up to six levels.

 Azure role-based access control authorization for management group operations isn't enabled by default.

The following diagram demonstrates how Azure management groups enables you to apply one policy to an entire
hierarchy of subscriptions. In this scenario, the organization has a single top-level management group and uses a unified
policy for every directory under the root group.
You should consider the following factors when using management groups:

 Custom hierarchies and groups: It’s best practice to use custom hierarchies and grouping to align Azure
subscriptions to a company's organizational structure and business scenario. In this way, Management groups
can be used to manage budgets and implement target policies across subscriptions.

 Policy inheritance: Control the hierarchical inheritance of access and privileges in policy definitions. All
subscriptions within a management group inherit the conditions applied to the management group. For instance,
policies can be applied to a management group to limit the available regions for creating virtual machines (VMs).
But the policy can also be applied to specific management groups, subscriptions, and resources under the initial
management group to ensure VMs are created only in the specified regions.

 Compliance rules: Organize subscriptions into management groups to help meet compliance rules for individual
departments and teams.

 Cost reporting: Use management groups to do cost reporting by department or for specific business scenarios.
Management groups can be used to report on budget details across subscriptions.

The screenshot below indicates the Management groups screen in the Azure portal. When creating a management
group, you need to give it a directory unique identifier (ID) and a display name. The ID is used to submit commands to
the management group. Take note that the ID value can't be changed after it's created because it's used throughout the
Azure system to identify the management group. The display name for the management group is optional and can be
changed at any time.
Create Azure policies Azure Administrators use Azure Policy to create policies that define conventions for resources.
A policy definition describes the compliance conditions for a resource, and the actions to complete when the conditions
are met. One or more policy definitions are grouped into an initiative definition to control the scope of policies and
evaluate the compliance of resources.

There are four basic steps to create and work with policy definitions in Azure Policy.

Step 1: Create policy definition A policy definition expresses a condition and the actions to perform when the
condition is met. Policy definitions can be created or chosen from built-in definitions in Azure Policy. For instance,
policy definitions can be created to prevent VMs in an organization from being deployed if they're exposed to a public
IP address.

Step 2: Create an initiative definition An initiative definition is a set of policy definitions that help track the state of
resource compliance to meet a company’s overall goal. Initiative definitions can be created, or you can use the built-in
definitions in Azure. For instance, a policy initiative definition can be used to ensure resources are compliant with
security regulations.

Step 3: Set the scope of the initiative definition The scope of an initiative definition can be limited to specific
management groups, subscriptions, or resource groups. For example, an organization can have a number of departments
and users and each of these departments can have a number of different definitions assigned to them based on their
functions. For example, a finance department will need different definitions than the IT department. A scope will
determine the range of departments that the definition applies to.

Step 4: Determine compliance After you assign an initiative definition, you can evaluate the state of compliance for all
your resources. You can exempt individual resources, resource groups, and subscriptions within a scope from policy
rules. Exclusions are handled individually for each assignment.

Conclusion Azure Policy is a service in Azure that enables the creation, assignment, and management of policies. Azure
Policy enables businesses to define and implement a governance strategy by using policies to control and audit
resources. In the following reading you will explore the steps of creating and working with policies in further detail.

WORKING WITH POLICY DEFINITIONS IN AZURE

Introduction You now know the basic steps of how to use management groups and Azure Policy to implement
compliance measures. In this reading, you will expand on these steps in more detail. You will specifically explore different
policy actions, including assigning policies, implementing custom policies, creating and assigning initiative definitions,
and checking for compliance.

Create policy definitions Azure Policy offers built-in policy definitions to help quickly configure control conditions for
resources. In addition to the built-in policies, definitions can be created or imported from other sources. The list of built-
in definitions can be sorted by category to search for policies that meet business needs.

If you don't find a built-in policy to meet a business need, a new definition can be created by selecting the + Policy
definition button and adding the necessary specifications as demonstrated in the images below.
Create an initiative definition After determining policy definitions, the next step is to create an initiative definition for
policies. An initiative definition has one or more policy definitions. One example for using initiative definitions is to
ensure resources are compliant with security regulations.

The screenshot below demonstrates how to create a new initiative definition in the Azure portal. Note that you can
choose between creating a new initiative definition or using an existing one from a list of built-in initiative definitions.
The built-in initiatives can be sorted by category to search for definitions of an organization.
Some examples of built-in initiative definitions are:

 Audit machines with insecure password security settings: Use this initiative to deploy an audit policy to
specified resources in an organization. The definition evaluates the resources to check for insecure password
settings. This initiative is located in the Guest Configuration category.

 Configure Windows machines to run Azure Monitor Agent and associate them to a Data Collection Rule: Use
this initiative to monitor and secure Windows VMs. The definition deploys the Azure Monitor Agent extension
and associates the resources with a specified Data Collection Rule. This initiative is located in the Monitoring
category.

 Configure Azure Defender to be enabled on SQL servers: Enable Azure Defender on Azure SQL Servers to detect
anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. This
initiative is located in the SQL category.

Set the scope for the initiative definition After creating the initiative definition, the next step is to assign the initiative to
establish the scope for the policies. The scope determines what resources or grouping of resources are affected by the
conditions of the policies. The following screenshot shows how to configure a scope assignment:
Determine compliance Once you’ve defined policies, created initiative definitions, and assigned policies to affected
resources, the last step is to evaluate the state of compliance for scoped resources. The following screenshot indicates
how you can use the Compliance feature to find non-compliant initiatives, policies, and resources. Policy conditions are
evaluated against existing scoped resources. Although the Azure portal doesn't show the evaluation logic, the
compliance state results are shown. The compliance state result is either compliant or non-compliant.
Creating exceptions At times an exception to the policies will be needed. In the example below, Trent Baker, a
virtualization specialist, was doing some required work that was denied because of a policy called Get Secure. So, an
exception needs to be created to allow him to continue his work. To create an exception select Compliance, on the left-
hand side of the Azure Policy page. Next, select the Get Secure policy initiative. On this page, there's an increase in
the Deny count for blocked resources under the events tab.

1. Select Assignments under Authoring on the left-hand side of the Azure Policy page.

2. Browse through all policy assignments and open the Get Secure policy assignment.

3. Set the Exclusion by selecting the ellipsis and selecting the resource group to exclude. In this example, it’s
LocationsExcluded. Select Add to Selected Scope and then select Save.

1. Select Review + save and then select Save.

By creating an exclusion on a single resource group, Trent Baker now has access and can continue his work.

Conclusion In this reading, you explored how to implement Azure policy definitions and initiatives for different corporate
departments. You discovered how to create management groups to target specific policies and spending budgets. And
lastly, you reviewed how Azure policies can be scoped to meet compliance regulations.
Azure Blueprints

So far you've learned how Azure policies can be used to govern resource creation across subscriptions, but you might
have realized that it will take a lot of effort to create and maintain policies for all the processes and resource types of a
business using Azure. How can you ensure consistency, limit human error, and empower teams by only allowing secure
and regulated deployment of Azure resources? That's where Azure Blueprints come in.

In this video, you will learn how it helps streamline and scale a company's governance in a consistent and compliant way.
Consider how an architect sketches a project’s design parameters using a blueprint. In the same way ,
Azure
Blueprints enables a business to define a repeatable set of Azure resources that
implements and adheres to the company's standards, patterns, and
requirements. Let's revisit the scenario where Sam’s Scoops grows into a large-scale cooperation fully migrated to
Azure. When dealing with payment data, they must comply with the Payment Card Industry Data Security Standards, or
PCI DSS. Can you imagine how complex it will become to keep thousands of Azure resources PCIDSS compliant within a
large corporation like this? By using Azure Blueprints, the various development teams across the company can build new
environments rapidly with the assurance that they're staying within PCI DSS requirements.

Blueprints use built-in components like networking to speed up development and delivery. You can think about Azure
Blueprints as a package used to deploy and deliver governance. Blueprints are composed of the following: Azure
Artifacts, role assignments, policy assignments, resource groups, and Azure Resource Manager templates or ARM.

ARM templates are JavaScript Object Notation (JSON) files that define the infrastructure and configuration for your
deployment. More information on ARM can be found in the additional resources. These artifacts are embedded into the
blueprint or package, which can then be composed, versioned, and assigned to a management group containing multiple
subscriptions or it can be assigned directly to a single subscription.

Once assigned, the package will start the deployment of roles, policies, templates, or resource groups against the
management group or the chosen subscription. A significant advantage of using Azure Blueprints is that it offers several
built-in blueprints for various regulations. Sam’s Scoops can use a pre-built blueprint for PCI DSS compliance, and apply it
to its management group. Can you imagine how much time this will save them?
What's more, Microsoft keeps adding blueprints to Azure across many different industries and countries. Various types of
organizations across the world use these pre-built blueprints to speed up the deployment of compliant environments.

In conclusion, by using Azure Blueprints, organizations can easily create resources, but also keep compliant at the same
time, and instead of developing their own rules and standards, companies can save development time by using
Microsoft's pre-built blueprints. By applying pre-built blueprints to their management group, Sam’s Scoops can be
assured that all resources that developers create will align with the selected compliance rules.

TYPES OF POLICIES
Introduction Azure Policy is used all over the world by organizations to govern resource consistency, compliance,
security, cost, and management. But creating and implementing policies can be time-consuming. That’s why Azure Policy
has over 70 categories of built-in policies to support organizations in the governance of their Azure resources. In this
reading, you will discover these different types of built-in policies in Azure.

Azure policy categories When a company wants to control its cloud costs, there are a few typical actions that it can
consider, such as:

 Specify the resource types that may be deployed.

 Prohibit the creation of certain resources.

 Restrict access to certain services.

 Specify which virtual machine SKUs can be deployed.

 Restrict which locations can be selected for resource deployment.

 Audit if Azure Backup service is enabled for all virtual machines. NOTE: Azure Backup service is not automatically set
up for newly-deployed VMs. You need to explicitly enable backup for your VMs using the Azure Backup service or by
utilizing Azure Policy. Once enabled, backups will run according to the configured schedule and retention policy.
Here's a more detailed explanation: Manual Enablement: You need to navigate to the VM's settings in the Azure
portal, select "Backup," and then enable backup for the VM. THERE IS AN ADDITIONAL CHARGE FOR THIS SERVICE.

Azure Policy: You can use Azure Policy to automatically configure backup settings for VMs within a specific scope,
ensuring that newly created VMs are automatically protected.

Backup Extension: Azure Backup installs a backup extension on the VM to coordinate the backup process, either
application-consistent or crash-consistent.

Backup Policies: You define backup policies that specify the backup schedule, retention, and other settings for your
VMs.

Initial Backup: After enabling backup, an initial backup run will occur according to your configured schedule.

To help organizations speed up their policy enforcement, Azure offers built-in policy definitions for all these common use
cases, for instance:

 Allowed Storage Account SKUs (Deny): This policy definition determines if a storage account is deployed within
the allowed SKU sizes. The applied action or effect of this definition is to deny all storage accounts that don't
adhere to the set of defined SKU sizes.

 Allowed Resource Type (Deny): Organizations can use this policy definition to define which resource types may
be deployed. The definition’s effect is to deny all resources that aren't part of this defined list.

 Allowed Locations (Deny): This policy definition restricts the available locations for new resources. Its effect is to
enforce geo-compliance requirements.
  Allowed Virtual Machine SKUs (Deny): With this policy definition, organizations can specify a set of virtual
machine SKUs that may be deployed.

 Not allowed resource types (Deny): Organizations can use this policy definition to prevent a list of resource
types from being deployed.

These are just a few examples of built-in policy definitions within Azure Policy. The following screenshot of the Policy
page on the Azure portal gives you an idea of how definitions are placed into categories covering a wide range of topics
that can be selected.

The table below includes some examples of categories and the type of rule definitions they include, and their effects.

Category Definition name Description Effect

Azure Active Azure Active Directory Domain Use TLS 1.2 only mode for your managed domains. Audit, Deny,
Directory Services managed domains should use Disabled
TLS 1.2 only mode

Compute Allowed virtual machine size SKUs This policy enables you to specify a set of virtual machine size Deny
SKUs that your organization can deploy.

General Allowed locations This policy enables you to restrict the locations your organization Deny
can specify when deploying resources. Use to enforce your geo-
compliance requirements.

Key Vault Certificates should have the specified Manage your organizational compliance requirements by Audit, Deny,
maximum validity period specifying the maximum time a certificate can be valid within Disabled
your key vault.

Each of these built-in categories can contain hundreds of policy definitions within that particular category. A full list can
be found in the Additional resources at the end of this lesson. But even with categories, it can be hard to find the right
policies for a specific use case. For instance, the compliance category is one of the largest and most used categories. So,
to simplify finding the relevant compliance definitions, it's more effective to filter this category by initiative rather than
policy. Do this by choosing initiative as the definition type, as illustrated in the screenshot below.

Azure initiatives simplify the management of policies by grouping policies related to a specific goal. For example, the
screenshot below indicates that the PCI-DSS built-in initiative has over 277 policy definitions. Consider the time it
would take to find and implement each of the 277 policies individually!

Azure Policy evaluation Azure evaluates resources at specific times during the resource lifecycle. This includes the policy
assignment lifecycle, but resources also need to be checked for compliance on an ongoing basis. A resource might be
evaluated at the following events:

 When you update or create a resource in a scope with a policy assignment.

 When you assign a policy or initiative to a scope.

When you update an existing policy or initiative already assigned to a scope.

 During the standard compliance evaluation cycle, which occurs once every 24 hours.
Business rules for handling non-compliant resources vary widely between organizations. Examples of how organizations
can let the platform respond to a non-compliant resource include:

 Deny the resource change.

 Log the change to the resource.

 Alter the resource before the change.

 Alter the resource after the change.

 Deploy related compliant resources.

 Block actions on resources.

Azure Policy makes each of these business responses possible by applying effects. Effects are set in the policy
rule portion of the policy definition. While these effects primarily affect a resource when the resource is created or
updated, Azure Policy also supports dealing with existing non-compliant resources without needing to alter that
resource.

Conclusion Using Azure Policy helps with governance within an organization’s Azure deployment to control resource
consistency, regulatory compliance, security, cost, and management. However, this governance can slow down critical
deployments. By using the pre-built policies in Azure Policy, organizations can speed up the governance process.
Categories can be used to find relevant policies, but some of these categories can be very large. Using policy initiatives
can save a lot of time.

The different options that can be used with these rules are known as effects, which give organizations many options for
dealing with non-compliant resources. This helps organizations keep existing resources compliant and ensure that newly
created resources comply with business standards.

SIEMs

Previously, you learned that continuous monitoring of an on-premise network helps to track and mitigate any potential
threats to a network. The more information you can gather from different sources, the better. This is no different when a
network is in the Cloud.
Security Information and Event Management, or SIEM for short, is a solution that helps organizations detect, analyze,
and respond to security threats before they harm business operations.

In this video, you will learn about SIEM and how it is used to diagnose issues. SIEM combines both security information
management and security event management into one security management system. SIEM technology collects event
log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes
appropriate action. It gives organizations insight into activity within their network so they can meet compliance
requirements and respond swiftly to potential cyber attacks. SIEM
tools collect, aggregate, and
analyze volumes of data from an organization's applications, devices, servers,
and users in real-time so security teams can detect and block attacks. The tools use
predetermined rules to help security teams define threats and generate alerts.

SIEM is part of Microsoft Sentinel. It can gather data across the whole Microsoft Azure Cloud using all the different
possible sources, including the Microsoft Defender offerings. SIEM systems can mitigate cyber risks with a range of use
cases, such as detecting suspicious user activity, monitoring user behavior, limiting access attempts, and generating
compliance reports. These systems vary in their capabilities but generally offer these core functions.

 First is log management. SIEM systems gather vast amounts of data in one place, organize it, and then determine
if it shows signs of a threat, attack, or breach.
 Second is event correlation. The data is sorted to identify relationships and patterns to quickly detect and
respond to potential threats.
 Third is incident monitoring and response. SIEM technology monitors security incidents across an organization's
network and provides alerts and audits of all activity related to an incident.

With the introduction of AI and machine learning, SIEM tools are also becoming more powerful. With so many potential
incoming risks, it's hard for security teams to separate the legitimate risks and attacks could slip through unnoticed. AI
can be used to sift through millions of data points and algorithms to help produce a condensed list of threats and
vulnerabilities to the cyber security worker, thereby reducing workload.
SIEM tools offer many benefits that can help strengthen an organization's overall security posture. These benefits include
a central view of potential threats, real-time threat identification and response, and advanced threat intelligence, as well
as regulatory compliance, auditing and reporting, and greater transparency, monitoring users' applications and devices.

Just like an on-premise network, SIEM collects data and logs from as many sources as possible to detect threats.
Organizations of all sizes use SIEM solutions to mitigate cyber security risks and meet regulatory compliance standards.
It's an important part of an organization's cyber security ecosystem when collecting data across the Cloud. SIEM gives
security teams essential place to collect, aggregate, and analyze volumes of data across an enterprise, effectively
streamlining security workflows. It also delivers operational capabilities such as compliance reporting and incident
management on dashboards that prioritize threat activity.

Microsoft Sentinel

Previously, you learned about SIEM and that it's used to monitor Cloud solutions and On-premise network devices. The
monitoring is performed by collecting data from many different sources across the on-premise networks or the Cloud. As
you now know, Microsoft Sentinel is Microsoft's SIEM offering. In this video, you will learn about Sentinel and how it is
deployed.

Microsoft Sentinel is a Cloud-native SIEM and SOAR system that a security operations team can use to collect data from
virtually any source and get security insights across the enterprise, detect and investigate threats quickly by using built-in
machine learning and Microsoft Threat Intelligence, and automate threat responses by using playbooks and by
integrating Azure Logic Apps.

Unlike with traditional SIEM solutions, you don't need to install any servers either on-premise or in the Cloud to run
Microsoft Sentinel. Rather, Microsoft Sentinel is a service that you deploy in Azure. You can get up and running with
Sentinel in just a few minutes in the Azure Portal.

Sentinel is tightly integrated with other cloud services. Not only can you quickly ingest logs, but you can also use other
Cloud tools like authorization and automation in their native environments. Microsoft Sentinel enables end-to-end
security operations including collection, detection, investigation, and response.

To store the data for Microsoft Sentinel, a Log Analytics workspace is needed. It's a unique environment for log data from
Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace
has its own data repository and configuration but might combine data from multiple services. More information can be
found in additional resources.

Now, let's go through the steps needed to deploy Microsoft Sentinel. To deploy Microsoft Sentinel, first sign into the
Azure portal. Next, search for and select Microsoft Sentinel. Once on the Microsoft Sentinel page, select Create Microsoft
Sentinel from the bottom middle of the dashboard. Microsoft Sentinel needs a workspace for data collection and
storage. This is a Log Analytics workspace. If a workspace already exists, this can be selected. But in this example, more
will need to be created.

To do this, select, create a new workspace. On that create Log Analytics workspace page, select the resource group
where the workspace will reside. In this example, the RG_web_server, give the instance a name, in this example,
Scoop_Sentinel, and select a region that the data will reside in. In this example, usually use the same region as the
selected resource group, West US. Next, select Review plus Create and select Create. Once the workspace has been
created, an add button will appear at the bottom of the page.

Select Add to add Microsoft Sentinel to the Scoops central workspace. Once added, the Microsoft Sentinel free trial is
activated for 31 days before billing for the service commences. Select Okay. Microsoft Sentinel has now been deployed.
The next step will be to add data sources, which you will learn more about in the rest of this lesson.

In this video, you learned more about Microsoft Sentinel, a service that is set up from within the Azure portal. When
deploying it, a workspace has to be created where the collected data can reside and this also determines the region for
that data to be stored in. Once the workspace has been created, Microsoft Sentinel can be added and then you're ready
to add data sources.

Microsoft Sentinel data connectors

Previously in this lesson, you learned about Microsoft Sentinel and how it is deployed. Sentinel delivers intelligent
security, analytics and threat intelligence across the enterprise, but it can only do this when provided with data. This data
is provided by a number of different sources, and in this video you will not just learn about the sources, but also the
supported data formats.

Let's consider a scenario where Sam Scoop's business operations have expanded significantly. Its security operations, or
SecOps team, may be overwhelmed by a high volume of alerts, which would mean that they may spend far too much
time on tasks like infrastructure setup and maintenance. As a result, many legitimate threats may go unnoticed.

Security analysts like this team face the huge task of triage by assessing alerts and determining how urgent they are.
They not only have to sift through a sea of alerts, but also manually correlate alerts from different products or using a
traditional correlation engine. But there's an easier way to handle this task: if they use Microsoft Sentinel, it will do triage
for them. And what's more, Sentinel offers nearly limitless cloud scale, so it can quickly address security concerns.

The first step for the team would be to integrate Sentinel across their organization. To onboard Microsoft Sentinel, the
security team first needs to connect to security sources. These data sources, which can be hardware devices or virtual
machines, can be connected using different data types and formats.

The first is an inbuilt data connector, like the ones in this screenshot.

Microsoft Sentinel comes with several inbuilt connectors for Microsoft solutions providing real-time integration for
services. These services include Microsoft Threat Protection, Microsoft 365 sources, Azure AA, Azure ATP and Microsoft
Cloud App Security and more.
Using the inbuilt connectors will increase deployment speed, but the store may have lots of appliances like on-premise
firewalls that don't have built-in connectors yet. To remedy this, the security team can use syslog, common event format
(or CEF), or REST-API to connect data sources to Microsoft Sentinel.

Syslog is an event logging protocol common to Linux. CEF is an industry standard format on top of Syslog messages used
by many security vendors to allow event interoperability among different platforms. And REST-API
is an
application programming interface that two computer systems use to exchange
information securely over the Internet.

An agent is needed to translate the data before it's sent to Microsoft Sentinel to connect the data sources that can
perform real time log streaming using the Syslog protocol. An agent is a computer program that performs various actions
continuously and autonomously, in this case translation. Depending on the appliance type, the agent is installed either
directly on the appliance or on a dedicated Linux server. If there's no vendor-provided connector, you can use the generic
CEF or Syslog connector.

Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. To connect
the data sources, the Microsoft Sentinel agent, which is based on the log analytics agent, converts Syslog format logs into
a format that can be ingested by log analytics. The agent must be deployed on a VM to support the communication
between the appliance and Sentinel.

You can deploy the agent automatically or manually. Automatic deployment is only available if your dedicated machine is
a new VM you created in Azure. Here, a VM that has been installed in Azure is running the log analytics agent, which is
receiving the Syslog data from on-premise sources before passing it on to Microsoft Sentinel.

Some data sources are connected using APIs. Typically, most security technologies provide a set of APIs through which
event logs can be retrieved. The APIs connect to Microsoft Sentinel and gather specific data types and send them to
Azure log analytics. Using Syslog and APIs works great when you are dealing with appliances that don't have inbuilt
connectors, but both options involve extra work, like installing a virtual machine with an agent for translation or building
your own connector via REST-API.

Where possible, using the built-in connectors for Microsoft products is much easier, because it's just a matter of
switching them on. There are also built in connectors to the broader security ecosystem for non-Microsoft solutions.
These are known as vendor connectors, and they can reduce setup time. These connectors primarily use the CEF and
Syslog connector as their foundation.
In this video, you learned that once Microsoft Sentinel has been deployed in an environment, the next step is to connect
it to data sources. Many Microsoft products have built in connectors, and connecting to these sources is simple. For
other vendors without inbuilt connectors and on premise equipment, Syslog or APIs can be used to connect data sources
to Microsoft Sentinel.

Additionally, some third party vendors have also created their own connectors to help make a security analyst
deployment of Microsoft Sentinel an easier task. In conclusion, data connectors serve as critical links that enable
seamless integration with a wide array of data sources.

Expanding on Sentinel
Introduction Traditional security information and event management (SIEM) systems typically take a long time to set up
and configure. They're also not necessarily designed with cloud workloads in mind. Microsoft Sentinel enables you to
quickly get valuable security insights from your cloud and on-premises data. In this reading, you will learn about the
functionalities of SIEM tools within Microsoft Sentinel.

Microsoft Sentinel As you've already learned, Microsoft Sentinel helps enable end-to-end security operations. This can
be broken into four categories:

 Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in
multiple clouds.

 Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat
intelligence.

 Investigate threats with artificial intelligence (AI) and hunt suspicious activities at scale, tapping into decades of
cybersecurity work at Microsoft.

 Respond to incidents rapidly with built-in orchestration and automation of common security tasks.

The following diagram illustrates the end-to-end functionality of Microsoft Sentinel across these four categories.
Collect As you now know, Microsoft Sentinel can use a mix of data connectors for data collection. After it's been
collected into Microsoft Sentinel by a data connector, data is stored using Log Analytics, as illustrated below.

The benefits of using Log Analytics include the ability to use the Kusto Query Language (KQL) to query data. KQL is a rich
query language that can help you dive into and gain insights from your data. Another benefit is that after connecting data
sources to Microsoft Sentinel, security analysts can monitor the data using the Microsoft Sentinel integration with Azure
Monitor Workbooks. A canvas for data analysis and the creation of rich visual reports can be viewed within the Azure
portal. Through the integration with Monitor Workbooks, Sentinel allows the creation of custom workbooks across the
data. It also comes with built-in workbook templates that allow quick insights across data as soon as the data source is
connected. You can examine an example of that collection of data in a workbook below, providing an overview of
activities over time.

Detect Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that
together create an actionable possible threat that can be investigated and resolved. With analytics in Microsoft Sentinel,
the built-in correlation rules can be used as is, or an organization can use them as a starting point to build their own.
Microsoft Sentinel also provides machine learning rules to map network behavior and then search for anomalies across
resources. These analytics connect the dots by combining low fidelity alerts about different entities into potential high-
fidelity security incidents. Below is an example of the rules classed by severity.

Microsoft Sentinel's powerful hunting search-and-query tools are based on the MITRE framework (a global database of
adversary tactics and techniques). It can be used to proactively hunt for security threats across an organization’s data
sources, before an alert is triggered. After discovering which hunting query provides high-value insights into possible
attacks, organizations can also create custom detection rules based on a query. They can then surface those insights as
alerts to security incident responders. While hunting, bookmarks can be created for interesting events. Bookmarking
events lets organizations return to them later, share them with others, and group them with other correlating events to
create a compelling incident for investigation. Below is an example of the Hunting dashboard where you can search and
use query tools.

Investigate Once collection and detection have been set up within Microsoft Sentinel, it’s only a matter of time before an
incident occurs and some investigation is needed. An incident is created when an enabled alert is triggered. In Microsoft
Sentinel, standard incident management tasks like changing status or assigning incidents to individuals for investigation
can be achieved through the portal. Sentinel also has investigation functionality, so organizations can visually investigate
incidents by mapping entities across log data along a timeline like in the screenshot below.
Response With the ability to respond to incidents automatically, automation of some security operations can make an
organization’s security analysts more productive. Microsoft Sentinel allows the creation of automated workflows,
or playbooks, in response to events. This functionality can be used for incident management, enrichment, investigation,
or remediation. These capabilities are often referred to as security orchestration, automation, and response (SOAR).
You can find these capabilities on the Automation page as demonstrated below.

You will learn more about SOAR in the rest of the lesson.

Conclusion Microsoft Sentinel relies on data, so linking data sources via data connectors is critical before anything else
can happen. Once data is collected, it is stored using log analytics and workbooks are used to display the data in logical
graphical format. Analytics can then be used to search through the data, correlating alerts into incidents to help provide
detection. Threat hunting can also be used by security professionals to search for threats. Once Sentinel detects
incidents from these searches, security professionals can manage them from the dashboards within Azure and move on
to responding to them.

Introducing SOAR
Previously, you learned about Microsoft Sentinel SIEM capabilities and how it collects, detects, and investigates threats,
and then responds to them. Sentinel supports security teams by centralizing alerts. But teams can still easily get
overwhelmed by the volume of security alerts and incidents. Luckily, Sentinel has other capabilities that can help Security
Teams deal with this.

In this video, you will learn about Sentinel security orchestration, automation, and response or SOAR capabilities. Let's
imagine Sam’s Scoops’ business operations have grown so large that they need to deploy Microsoft Sentinel to improve
their security posture.

Sentinel is great at identifying security alerts and incidents that had previously gone unnoticed. But a high volume of
alerts and incidents may leave the available personnel feeling overwhelmed, which means many of these alerts are
ignored. This leaves the business vulnerable to attack. Let's investigate how they can address this vulnerability.
Microsoft Sentinel, in addition to being a Security Information and Event Management or SIEM system, is also a platform
for security orchestration, automation, and response or SOAR.

The main goal of SOAR is to collect threat-related data and automate threat responses. By doing so, it frees up the
precious time of the security team. Automation takes a few different forms in Microsoft Sentinel. For example, there are
automation rules that centrally manage the automation of incident handling and response, and playbooks that run
predetermined sequences of actions to provide powerful and flexible advanced automation to your threat response
tasks.

Let's first examine rules more closely. Besides letting you assign Playbooks to incidents and alerts, automation rules also
allow you to automate responses from multiple analytic roles at once, automatically tagging, assigning or closing
incidents. Sam's Scoops can use this automation to assign specific incidents to security analysts. In this way, incidents are
captured instead of being missed.

Automation rules are made up of AND or OR statements looking to match specific alerts or incidents. In this example, if
Microsoft Sentinel detects a multi-stage attack involving the IP address of 172.16.1.1, the rule automatically assigns an
owner to the incident.
Automation rules also allow you to apply automation when an incident is created and updated. This capability further
streamlines automation use in Microsoft Sentinel and enables retail businesses to simplify complex workflows for
incident orchestration processes.

Now let's move on to Playbooks. A Playbook is a collection of response and remediation actions and logic that can be run
from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response. It can
integrate with other systems, both internal and external, and when triggered by an analytics or automation rule, it can
be configured to run automatically in response to specific alerts or incidents.

A Playbook can also be run manually and on-demand, responding to incidence page alerts. This would enable Sam's
Scoops to take off some of the pressure on their security team by automatically dealing with many of the alerts and
incidents. For example, the business may receive a large volume of alerts with recurring patterns, which can be
processed or investigators, because it's so time-consuming and intensive. Using real-time automation, the security team
can significantly reduce their workload by fully automating the routine responses to recurring types of alerts. Here is an
example where, based on the user input, the playbook can change the status of the alert. The control action intercepts
the user input. If the expression is evaluated to be a true statement, the Playbook changes the status of the alert. In case
the control action evaluates the expression to be false, the Playbook can run other activities such as sending an email.
In conclusion, Microsoft Sentinel SIEM is great at collecting data, investigating threats, and generating alerts.

But in larger organizations, the volume of alerts and incidents can be overwhelming. Even though Microsoft Sentinel
gives you one place to access all this information, responding to every alert and incident is time-consuming. SOAR can
help to automate some of these responses, by using rule automation and Playbooks. Rule automation can help us sign,
close or even send alerts and incidents to Playbooks for further response and remediation. This automation frees up a lot
of the security team’s valuable time.

SIEM and SOAR use case

Introduction You have learned about SIEM and SOAR and that these security services are combined in Microsoft
Sentinel. SIEM provides centralized security information and event management (SIEM) and SOAR provides security
orchestration, automation, and response. But why use both and what exactly are the differences between the two? In
this reading you will learn about the differences between the two, and how Microsoft Sentinel uses them together to
improve security operations.

SIEM versus SOAR Both SIEM and SOAR collect a lot of data from various sources. SIEM ingests log and event data from
many different sources, including traditional on-premise infrastructure. SOAR uses mostly information from intelligence
feeds to get a good picture of the security landscape it’s working in. When SIEM provides alerts, it is a manual task for
administrators to decide how the alerts will be dealt with. In contrast, SOAR can automate the investigation and apply
any remediation processes.

SIEM tools are great at dealing with compliance as organizations can monitor network access and transaction logs. This
helps verify that there is no unauthorized access to customer data. Security compliance is a legal concern for
organizations in many industries. By demonstrating security compliance, enterprises are better able to mitigate the risk
of data breaches and avoid costly regulatory fines. With the scale of data collection provided by SIEM, it’s also great to
use when investigating incidents to determine what software and systems were effected. Additionally, the amount of
evidence provided helps with vulnerability management as it can assess a vast array of events and possible weaknesses.
But, SIEMdoesn’t intervene, or perform remediation, which means it requires
input from security personnel. In other words, it doesn’t necessarily help with workload.
SOAR, on the other hand, can automate processes and help with optimization in
a security team. It can also take on some of the workload by providing incident
response using playbooks and machine learning. With the ability to add internal
and external threat intelligence feeds, threat investigation and hunting are a lot
easier when using SOAR.
Combining SIEM and SOAR makes sense as they are complimentary: SIEM
collects data and gathers evidence while SOAR provides automation and
intelligence.
Microsoft Sentinel Security operations center (SOC) teams use SIEM and SOAR solutions to protect their increasingly
decentralized digital estates. While legacy SIEMs can maintain good coverage of on-premises assets, on-premises
architectures may have insufficient coverage for cloud assets, such as Azure, Microsoft 365, AWS, or Google Cloud
Platform (GCP). In contrast, Microsoft
Sentinel can ingest data from both on-premises and
cloud assets, ensuring coverage of the entire estate.
By combining SIEM and SOAR into one service, organizations are better equipped to deal with a vast array of threats
without placing a heavy burden on security teams. Once data connectors are configured, Sentinel starts processing that
data, using SIEM to generate any incidents and alerts.

Incident management Incident management in Microsoft Sentinel begins on the Overview page, like in the image below.
Here you can review the current Microsoft Sentinel environment. The Overview page includes a list of the most recent
incidents, along with other important Sentinel information. You can use this page to understand the general security
situation before investigating incidents. On this page you can see the main dashboard split into three areas:

1. An overview of the last 24 hours with the number of new, active, and closed incidents.

2. A graph that breaks up the incident status by creation time, in four-hour intervals.

3. Recent incidents organized by severity.

Incident evidence consists of security event information and related Microsoft Sentinel assets that identify threats in the
Sentinel environment. Evidence demonstrates how Sentinel has identified a threat and links back to specific resources
that can increase your awareness of incident details. Events link back to one or more specific events from the Log
Analytics workspace associated with Microsoft Sentinel. Microsoft Sentinel Analytics provides several functionalities that
can be used to implement security for an organization’s data. You can analyze historical data collected from your
workstations, servers, networking devices, firewalls, intrusion prevention, sensors, and so on.

Microsoft Sentinel Analytics analyzes data from various sources to identify correlations and anomalies. By using analytics
rules, you can trigger alerts based on the attack techniques that are used by known malicious actors. You can set up
these rules to help ensure security analysts are alerted to potential security incidents in your environment in a timely
fashion. On their own, these workspaces typically contain thousands of events, too many to analyze manually. If a query
attached to a Microsoft Sentinel analytics rule returns events, it attaches the events to the generated incident for
potential further review. You can use these events to understand the scope and frequency of the incident before you
investigate further.

Investigation Taking the data from the workspaces you can create analytic rules from the Analytics home page. The
Analytics home page has three main parts:

1. The header bar contains information on the number of the rules that are currently in use.
2. The list of rules and templates contains all the rule templates that Microsoft has preloaded from the Microsoft
Sentinel GitHub repository.
3. The details pane contains additional information that explains each template and rule that you can use in
detection.

You can use the search and query tools in Microsoft Sentinel to hunt for security threats and tactics throughout your
environment. These tools let you filter through large amounts of events and security data sources to identify potential
threats or track down known or expected threats.
The Hunting page in Microsoft Sentinel has built-in queries that can guide your hunting process and help you pursue the
appropriate hunting paths to uncover issues in your environment. Hunting queries can expose issues that aren't
significant enough on their own to generate an alert but have happened often enough over time to warrant
investigation. Below is an image of the Hunting page to give you an idea of the information you can access through this
function.

1. Queries running within the Sentinel dashboard.

2. A list of built in queries that can guide you on the hunting process.

3. Details of selected query, with the option to run or view results of that query.

Response You have previously learned about SOAR automation tools within Sentinel that use automation rules and
playbooks. You can create and manage automation rules from different points in the Microsoft Sentinel service,
depending on your particular need and use case, but it also has its own page like in the screenshot below.
1. You can view how many automation rules there are and how many are enabled, as well as how many playbooks are
enabled.

2. In the screenshot, only one playbook is enabled, as shown in the list.

Automation rules and playbooks can be used to automate the response to the incident and threat hunting processes.

Conclusion The SIEM capabilities of Microsoft Sentinel enable an organization to collect and analyze huge volumes of
data, presenting the data in a logical graphical platform. This data collection allows Sentinel to detect threats using
analytics and threat hunting, which in turn create incidents. These incidents can be manually investigated, or you can use
Sentinel’s SOAR capabilities to respond to the incidents using automation through rules or playbooks.

Question 1 What are the four security operation areas of Microsoft Sentinel?

Collect, Detect, Investigate and Respond

That's correct! Microsoft Sentinel collects data that is used to detect alerts and threats, which can then be investigated
before a response is needed.

Question 2 Once Microsoft Sentinel has been deployed, what needs to be configured next?

Data collection using data connectors

That's correct! Microsoft Sentinel uses data connectors to collect data ready for analysis.

Question 3 True or false: To use Microsoft Sentinel, a virtual machine needs to be deployed within Azure.

False

That's correct! Microsoft Sentinel is a service that you deploy within Azure. No virtual machines are needed.

Question 4 Microsoft Sentinel combines both SIEM and SOAR. What two features form part of SOAR?

Playbooks

That's correct! Microsoft Sentinel uses playbooks to automate responses and remediate incidents.

Automation rules

That's correct! Microsoft Sentinel uses automation rules to help automate some of the simple security response tasks.

Question 5 What is used to convert syslog data before it is sent to Microsoft Sentinel?

Log analytics agent

That's correct! The log analytics agent can be installed on a VM to convert syslog data from different sources to Microsoft
Sentinel.

Question 6 You are responsible for implementing a Security Orchestration, Automation, and Response (SOAR) solution
using Microsoft Sentinel. Which of the following options accurately describes how Sentinel can be utilized for SOAR?

Sentinel combines centralized security data collection and analysis with automation and response capabilities, making it
an ideal choice for implementing SOAR.

That's correct! Microsoft Sentinel integrates with various data sources to collect and analyze security events, logs, and
telemetry from across the organization. Sentinel also offers automation and response capabilities, allowing security
teams to orchestrate actions and automate responses to detected threats.
AZURE BLUEPRINTS
These are architecting templates that automatically configure resources within the subscription(s) of a management
group.
Module summary: Security management in Azure
Lesson 1: In this lesson, you learned that security management of a company’s cloud infrastructure is vital because it
prevents unauthorized access and protects against cyber threats. Azure has several services that help businesses to
implement defensive measures against cyber threats. One such service is Microsoft Defender for Cloud, which offers
continuous monitoring and threat detection, analysis of data, and actionable insights to prevent potential attacks.

You explored how Microsoft Defender for Cloud can benefit businesses. It offers a range of capabilities
including DevSecOps, Cloud Security Posture Management or CSPM, and Cloud Workload
Protection Platform, or CWPP. These capabilities collectively contribute to safeguarding applications, data,
and infrastructure.

Except for specific services offered by Microsoft, there are also best practices that a business like Sam's Scoops can
follow to ensure the security of their cloud infrastructure. For example, protecting data both at rest and
in transit is critical. To do so, Sam's scoops can enable encryption for their Azure storage
accounts, implement SSL and TLS certificates and leverage Azure Key Vault to
securely store and manage cryptographic keys. Sam's Scoops DevOps teams can
use Azure DevOps and Azure Policy to build secure applications and
infrastructure. Azure DevOps can also help the business automate the
deployment of security updates and patches, reducing the risk of security
vulnerabilities being exploited.
Lesson 2: you explored virtual security solutions, primarily how Azure Bastion can reduce the attack
surface. But first, you learned how to use the Microsoft for Defender Cloud interface and how the service can help
strengthen the security posture of a cloud environment. Then you move down to the specifics of how Azure Bastion
works. Bastion
is a fully managed platform as a service or PaaS service that allows
you to connect to Azure VMs remotely by providing secure and seamless RDP and
SSH access to your VMs, thus reducing the attack surface (using https on port 443
to connect via a browser to RDP or SSH services to a VM server. Very importantly, in this
lesson's practical exercise, you learned how to deploy Azure Bastion to shield virtual machines.

Lesson 3: you learned about Azure standards and policies and how Azure
policy can ensure compliance
with industry rules and guidelines by creating, assigning, and managing policy
definitions. Policy definitions impose different rules and actions on resources like
VMs so that those resources comply with corporate standards and service level
agreements or SLAs. Policies focuses on both the properties of new resources
during deployment and those of existing resources. Here you also learned about
the three pillars of Azure policy, which are enforcement and compliance,
applying policies at scale, and remediation. An initiative definition is a set of
policy definitions that help track the state of resource compliance to meet the
company's overall goal. Initiative definitions can be created or you can use the
built-in definitions in Azure. After creating initiative definitions, you must assign
policies to affected resources and then evaluate the state of compliance for
scoped resources. You also learned how Azure management groups enable you
to apply one policy to an entire hierarchy of subscriptions. Azure policy has over
70 categories of built-in policies to support organizations in the governance of
their Azure resources.
On a more practical note, you learned how to use Azure policy to create and implement a custom definition across the
business to help manage costs. Specifically, the demonstration showed how to create a new custom policy for Sam's
Scoops that prevents the creation of more expensive virtual machines from the G series.

In this part of the course, you

learned about Azure Blueprints and how the service can
help streamline and scale accompanies governance in a consistent and compliant
way. Blueprints is like a package you can use to deploy and deliver governance.
And they are composed of Azure Artifacts which include role assignments, policy
assignments, resource groups, and Azure Resource Manager templates or ARM.
These artifacts are imbedded into the blueprint or package, which can then be
composed, versioned, and assigned to a management group containing multiple
subscriptions, or it can be assigned directly to a single subscription.
Lesson 4: SIEMand SOAR. Security Information and Event Management, or SIEM for
short, is a solution that helps organizations detect, analyze, and respond to
security threats before they harm business operations. Next, you learned about
Microsoft Sentinel Security Orchestration, Automation and Response or SOAR
capabilities. The main goal of SOAR is to collect threat related data and
automate threat responses. By doing so, it frees up the precious time of security
teams. Automation takes a few different forms in Microsoft Sentinel, for
example, there are automation rules that centrally manage the automation of
incident handling and response, and playbooks that run predetermined
sequences of actions to provide powerful and flexible advanced automation to
your threat response tasks. Rule automation can help assign, close, or even send
alerts and incidents to playbooks for further response and remediation. Now you
know that Microsoft Sentinel is a cloud-native SIEM and SOAR system that a security
operations team can use to get security insights across the enterprise by
collecting data from virtually any source that is stored using log analytics. Detect
and investigate threats quickly by using built-in machine learning and Microsoft
Threat Intelligence and automate threat responses by using playbooks and by
integrating Azure Logic Apps. You also learned about Sentinel data connectors.
Microsoft Sentinel delivers intelligent security analytics and threat intelligence
across the enterprise, but it can only do this when provided with data via
connectors. Sentinel comes with a number of inbuilt connectors from Microsoft
solutions, providing real-time integration for services. Ultimately, combining
SIEM and SOAR makes sense because they are complimentary. SIEM collects data
and gathers evidence while SOAR provides automation and intelligence.
Design strategy Your design should always start with a single workspace to reduce the complexity of managing multiple
workspaces and in querying data from them. There are no performance limitations from the amount of data in your
workspace. Multiple services and data sources can send data to the same workspace. As you identify criteria to create
more workspaces, your design should use the fewest number of workspace to meet your requirements.

Designing a workspace configuration includes evaluation of multiple criteria. But some of the criteria might be in conflict.
For example, you might be able to reduce egress charges by creating a separate workspace in each Azure region.
Consolidating into a single workspace might allow you to reduce charges even more with a commitment tier. Evaluate
each of the criteria independently. Consider your requirements and priorities to determine which design is most effective
for your environment.

Design criteria The following table presents criteria to consider when you design your workspace architecture. The
sections that follow describe the criteria.

Expand table

Criteria Description

Operational and You may choose to combine operational data from Azure Monitor in the same workspace as security data
security data from Microsoft Sentinel or separate each into their own workspace. Combining them gives you better
visibility across all your data, while your security standards might require separating them so that your
security team has a dedicated workspace. You may also have cost implications to each strategy.

Azure tenants If you have multiple Azure tenants, you'll usually create a workspace in each one. Several data sources can
only send monitoring data to a workspace in the same Azure tenant.

Azure regions Each workspace resides in a particular Azure region. You might have regulatory or compliance
requirements to store data in specific locations.

Data ownership You might choose to create separate workspaces to define data ownership. For example, you might create
workspaces by subsidiaries or affiliated companies.

Split billing By placing workspaces in separate subscriptions, they can be billed to different parties.

Data retention You can set different retention settings for each workspace and each table in a workspace. You need a
separate workspace if you require different retention settings for different resources that send data to the
same tables.
Criteria Description

Commitment Commitment tiers allow you to reduce your ingestion cost by committing to a minimum amount of daily
tiers data in a single workspace.

Legacy agent Legacy virtual machine agents have limitations on the number of workspaces they can connect to.
limitations

Data access Configure access to the workspace and to different tables and data from different resources.
control

Resilience To ensure that data in your workspace is available in the event of a region failure, you can ingest data into
multiple workspaces in different regions.

Operational and security data The decision whether to combine your operational data from Azure Monitor in the same
workspace as security data from Microsoft Sentinel or separate each into their own workspace depends on your security
requirements and the potential cost implications for your environment.

Dedicated workspaces Creating dedicated workspaces for Azure Monitor and Microsoft Sentinel will allow you to
segregate ownership of data between operational and security teams. This approach may also help to optimize costs
since when Microsoft Sentinel is enabled in a workspace, all data in that workspace is subject to Microsoft Sentinel
pricing even if it's operational data collected by Azure Monitor.

A workspace with Microsoft Sentinel gets three months of free data retention instead of 31 days. This scenario typically
results in higher costs for operational data in a workspace without Microsoft Sentinel. See Azure Monitor Logs pricing
details.

Combined workspace Combining your data from Azure Monitor and Microsoft Sentinel in the same workspace gives you
better visibility across all of your data allowing you to easily combine both in queries and workbooks. If access to the
security data should be limited to a particular team, you can use table level RBAC to block particular users from tables
with security data or limit users to accessing the workspace using resource-context.

 If you use both Azure Monitor and Microsoft Sentinel: Consider separating each in a dedicated workspace if
required by your security team or if it results in a cost savings. Consider combining the two for better visibility of
your combined monitoring data or if it helps you reach a commitment tier.

 If you use both Microsoft Sentinel and Microsoft Defender for Cloud: Consider using the same workspace for
both solutions to keep security data in one place.

As a Security Information and Event Management (SIEM) service, Microsoft Sentinel is responsible for detecting security
threats to your organization. It does this by analyzing the massive volumes of data generated by all of your systems' logs.

In this tutorial, you'll learn how to set up a Microsoft Sentinel analytics rule from a template to search for exploits of the
Apache Log4j vulnerability across your environment. The rule will frame user accounts and IP addresses found in your
logs as trackable entities, surface notable pieces of information in the alerts generated by the rules, and package alerts
as incidents to be investigated.

When you complete this tutorial, you'll be able to:

 Create an analytics rule from a template

 Customize a rule's query and settings

 Configure the three types of alert enrichment

  Choose automated threat responses for your rules

Prerequisites To complete this tutorial, make sure you have:

 An Azure subscription. Create a free account if you don't already have one.

 A Log Analytics workspace with the Microsoft Sentinel solution deployed on it and data being ingested into it.

 An Azure user with the Microsoft Sentinel Contributor role assigned on the Log Analytics workspace where
Microsoft Sentinel is deployed.

 The following data sources are referenced in this rule. The more of these you have deployed connectors for, the
more effective the rule will be. You must have at least one.

Expand table

Data source Log Analytics tables referenced

Office 365 OfficeActivity (SharePoint)

OfficeActivity (Exchange)
OfficeActivity (Teams)

DNS DnsEvents

Azure Monitor (VM Insights) VMConnection

Cisco ASA CommonSecurityLog (Cisco)

Palo Alto Networks (Firewall) CommonSecurityLog (PaloAlto)

Security Events SecurityEvents

Microsoft Entra ID SigninLogs

AADNonInteractiveUserSignInLogs

Azure Monitor (WireData) WireData

Azure Monitor (IIS) W3CIISLog

Azure Activity AzureActivity

Amazon Web Services AWSCloudTrail

Microsoft Defender XDR DeviceNetworkEvents

Azure Firewall AzureDiagnostics (Azure Firewall)

Sign in to the Azure portal and Microsoft Sentinel

1. Sign in to the Azure portal.

2. From the Search bar, search for and select Microsoft Sentinel.

3. Search for and select your workspace from the list of available Microsoft Sentinel workspaces.

Install a solution from the content hub

1. In Microsoft Sentinel, on the left-hand side menu under Content management, select Content hub.

2. Search for and select the solution Log4j Vulnerability Detection.

 3. From the toolbar at the top of the page, select Install/Update.

Create a scheduled analytics rule from a template

1. In Microsoft Sentinel, on the left-hand side menu under Configuration, select Analytics.

2. From the Analytics page, select the Rule templates tab.

3. In the search field at the top of the list of rule templates, enter log4j.

4. From the filtered list of templates, select Log4j vulnerability exploit aka Log4Shell IP IOC. From the details pane,
select Create rule.

The Analytics rule wizard will open.

5. In the General tab, in the Name field, enter Log4j vulnerability exploit aka Log4Shell IP IOC - Tutorial-1.

6. Leave the rest of the fields on this page as they are. These are the defaults, but we will add customization to the
alert name at a later stage.

If you don’t want the rule to run immediately, select Disabled, and the rule will be added to your Active rules tab and
you can enable it from there when you need it.
 7. Select Next : Set rule
logic.

Review rule query logic and configuration of settings

 In the Set rule logic tab, review the query as it appears under the Rule query heading.

To see more of the query text at one time, select the diagonal double-arrow icon at the upper right corner of the query
window to expand the window to a larger size.
For more information on KQL, see Kusto Query Language (KQL) overview.

Other resources:

o KQL quick reference

o Kusto Query Language learning resources

Enrich alerts with entities and other details

1. Under Alert enrichment, keep the Entity mapping settings as they are. Note the three mapped entities.
 2. In the Custom details section, let's add the timestamp of each occurrence to the alert, so you can see it right in
the alert details, without having to drill down.

a. Type timestamp in the Key field. This will be the property name in the alert.

b. Select timestamp from the Value drop-down list.

3. In the Alert details section, let's customize the alert name so that the timestamp of each occurrence appears in
the alert title.

In the Alert name format field, enter Log4j vulnerability exploit aka Log4Shell IP IOC at {{timestamp}}.
Review remaining settings

1. Review the remaining settings on the Set rule logic tab. There's no need to change anything, though you can if
you'd like to change the interval, for example. Just make sure that the lookback period matches the interval in
order to maintain continuous coverage.

 Query scheduling:

o Run query every 1 hour.

o Lookup data from the last 1 hour.

 Alert threshold:

o Generate alert when number of query results is greater than 0.

 Event grouping:

o Configure how rule query results are grouped into alerts: Group all events into a single alert.

 Suppression:

o Stop running query after alert is generated: Off.

 2. Select Next : Incident settings.

Review the incident creation settings

1. Review the settings on the Incident settings tab. There's no need to change anything, unless, for example, you
have a different system for incident creation and management, in which case you'd want to disable incident
creation.

 Incident settings:

o Create incidents from alerts triggered by this analytics rule: Enabled.

 Alert grouping:

o Group related alerts, triggered by this analytics rule, into incidents: Disabled.

2. Select Next : Automated response.

Set automated responses and create the rule

In the Automated response tab:

1. Select + Add new to create a new automation rule for this analytics rule. This will open the Create new
automation rule wizard.
 2. In the Automation rule name field, enter Log4J vulnerability exploit detection - Tutorial-1.

3. Leave the Trigger and Conditions sections as they are.

4. Under Actions, select Add tags from the drop-down list.

a. Select + Add tag.

b. Enter Log4J exploit in the text box and select OK.

5. Leave the Rule expiration and Order sections as they are.

6. Select Apply. You'll soon see your new automation rule in the list in the Automated response tab.

7. Select Next : Review to review all the settings for your new analytics rule. When the "Validation passed"
message appears, select Create. Unless you set the rule to Disabled in the General tab above, the rule will run
immediately.

Select the image below for a display of the full review (most of the query text was clipped for viewability).
Verify the success of the rule

1. To view the results of the alert rules you create, go to the Incidents page.

2. To filter the list of incidents to those generated by your analytics rule, enter the name (or part of the name) of
the analytics rule you created in the Search bar.

3. Open an incident whose title matches the name of the analytics rule. See that the flag you defined in the
automation rule was applied to the incident.

Clean up resources

If you're not going to continue to use this analytics rule, delete (or at least disable) the analytics and automation rules
you created with the following steps:

1. In the Analytics page, select the Active rules tab.

2. Enter the name (or part of the name) of the analytics rule you created in the Search bar.
(If it doesn't show up, make sure any filters are set to Select all.)

3. Mark the check box next to your rule in the list, and select Delete from the top banner.
(If you don't want to delete it, you can select Disable instead.)

4. In the Automation page, select the Automation rules tab.

5. Enter the name (or part of the name) of the automation rule you created in the Search bar.
(If it doesn't show up, make sure any filters are set to Select all.)

6. Mark the check box next to your automation rule in the list, and select Delete from the top banner.
(If you don't want to delete it, you can select Disable instead.)

The Log Analytics workspace is the central repository where Microsoft Sentinel stores and processes all the
ingested log data. Think of it as the foundation for Sentinel's analysis and threat detection capabilities.

Now, let's imagine you are tasked with setting up the Log Analytics workspace for Sam Scoops. How would
you name this workspace, and what key configuration choices would you make? Remember to consider
Sam Scoops' existing infrastructure and any best practices for naming and configuration.
Coach

Welcome! We will be configuring Microsoft Sentinel to ingest data and detect threats. We'll break this down into three
checkpoints:

1. Deploying Sentinel: We'll focus on the role of the Log Analytics workspace and the steps to integrate it with
Sentinel. (Weight = 30%)

2. Ingesting Data: We'll explore connecting various data sources, like Microsoft 365 Defender, to Sentinel. (Weight =
40%)

3. Detecting Threats: We'll learn how to create detection rules and automate responses using playbooks. (Weight =
30%)

Let's begin by discussing the foundation of Microsoft Sentinel. What is the main purpose of a Log Analytics workspace
when setting up Microsoft Sentinel?

Welcome! We will be configuring Microsoft Sentinel to ingest data and detect threats. We'll break this down into three
checkpoints:
 1. Deploying Sentinel: We'll focus on the role of the Log Analytics workspace and the steps to integrate it with
Sentinel. (Weight = 30%)

2. Ingesting Data: We'll explore connecting various data sources, like Microsoft 365 Defender, to Sentinel. (Weight =
40%)

3. Detecting Threats: We'll learn how to create detection rules and automate responses using playbooks. (Weight =
30%)

Let's begin by discussing the foundation of Microsoft Sentinel. What is the main purpose of a Log Analytics workspace
when setting up Microsoft Sentinel?

Eric A logs analytics workspace is where the logs are aggregated for analysis by Microsoft Sentinel

Coach That's correct! The Log Analytics workspace is the central repository where Microsoft Sentinel stores and
processes all the ingested log data. Think of it as the foundation for Sentinel's analysis and threat detection capabilities.

Now, let's imagine you are tasked with setting up the Log Analytics workspace for Sam Scoops. How would you name this
workspace, and what key configuration choices would you make? Remember to consider Sam Scoops' existing
infrastructure and any best practices for naming and configuration.

Eric I would call the workspace SamsScoopsAnalyticsWorkspace and would use a single workspace for simplicity,
combining azure monitoring data with Defender and sentinel security data.

Coach That's a good start! Naming the workspace "SamsScoopsAnalyticsWorkspace" clearly identifies its purpose and
aligns with the organization. Using a single workspace for Azure Monitoring, Defender, and Sentinel can simplify
management.

Now, let's consider another crucial aspect of configuration: the region. Where would you geographically locate this Log
Analytics workspace and why? Keep in mind factors like data residency requirements, latency, and Sam Scoops' existing
Azure resources, as mentioned in the course materials.

Eric I would set up a workspace for the EU, to comply with GDPR requirements, one for the US to comply with HIPAA, PCI
DSS, and other requirements, one for Canda, considering its restrictions, one general workspace for regions that do not
have special compliance requirements and additional workspaces for any regions with additional special data
governance regulations

Coach That's a thoughtful approach to data residency! You are absolutely right to consider those factors when deploying
cloud resources globally. However, for this scenario, let's keep our focus on Sam Scoops' primary operations. Assuming
their main business and most Azure resources are located in the East US region, would it still be the best choice for their
Log Analytics workspace? What factors would influence this decision?

Eric If Sam's Scoops is primarily located in the US, for ease of management, I would have a single workspace.

Coach Excellent! It's best to align the workspace location with Sam Scoops' primary Azure resources, which are in the
East US region. This simplifies management and potentially reduces latency.

You've successfully considered key factors for naming, configuration, and region selection for the Log Analytics
workspace. You are now ready to integrate it with Microsoft Sentinel.

What steps would you take to add Microsoft Sentinel to this newly created Log Analytics workspace?

Eric I would create the sentinel instance for a specific subscription, deploy connectors, then connect them to the devices
and virtual devices which would be generating logs for Sentinel to aggregate and analyze.
Coach You are on the right track! However, before diving into connectors and data sources, let's clarify the initial
integration process. Think back to the steps outlined in the Microsoft Sentinel deployment lecture. How would you link
your "SamsScoopsAnalyticsWorkspace" to a new Microsoft Sentinel instance within the Azure portal?

Eric I don't recall. Please remind me.

Coach You are absolutely right to seek clarification when needed! Remember, to add Microsoft Sentinel to your Log
Analytics workspace, you would need to navigate to the Microsoft Sentinel page in the Azure portal. From there, you
would click on 'Add Microsoft Sentinel' and select the 'SamsScoopsAnalyticsWorkspace' to establish the integration. This
links the workspace to Sentinel, enabling it to store and analyze logs.

Now that we have clarified the integration process, are you ready to move on to the next checkpoint, which focuses on
ingesting data into our Sentinel instance?

Eric yes

Coach Great! Let's move on to Ingesting Data, our next checkpoint.

Now that we have our Microsoft Sentinel instance connected to the Log Analytics workspace, we need to connect it to
relevant data sources.

Considering Sam Scoops' IT environment, which data sources should we prioritize connecting to Microsoft Sentinel, and
why? Think about the most common security risks and valuable security information for a business like Sam Scoops.

Eric I would prioritize logins, privileged logins, and logs from the firewall and servers.

Coach That's a good start, but let's prioritize based on the data sources available within Microsoft Azure and commonly
used by businesses like Sam Scoops. Think about the key systems that hold valuable security information and are often
targeted by attackers. What data sources would provide insights into user activities, potential external threats, and
suspicious login attempts?

Eric Microsoft defender and identity protection

Coach That's a great point! Microsoft Defender and Azure Active Directory (Azure AD) are indeed crucial data sources for
Sentinel. Defender provides insights into endpoint security, detecting malware and suspicious activities on devices. Azure
AD, on the other hand, gives you visibility into user logins, authentication activities, and potential identity-based attacks.
Connecting these two sources would provide a comprehensive view of both user and device activity, which is essential
for detecting and responding to a wide range of threats.

Now, let's imagine Sam Scoops also has an on-premise firewall that they want to connect to Sentinel. This firewall uses
the Syslog protocol for sending logs. How would you go about connecting this firewall to your Sentinel instance?
Remember, Sentinel needs to be able to ingest and understand the logs from this firewall.

Eric I would check the marketplace for built-in connectors.

Coach That's a good instinct! While checking for built-in connectors is always a good first step, let's assume, for this
scenario, that a vendor-specific connector for Sam Scoops' on-premise firewall doesn't exist yet. How would you then
leverage the Syslog protocol to connect this firewall to Sentinel, given that it doesn't have a built-in connector? Think
about the components and configurations needed to bridge this gap.

Eric I honestly had to look this up. I would need an agent.

Coach You are absolutely right! Since there's no built-in connector, you would need the Microsoft Sentinel agent to act as
a bridge between your on-premise firewall and your Sentinel instance.

Can you elaborate on how you would use this agent to connect the firewall and enable log ingestion into Sentinel? Think
about where the agent needs to be installed and how it would communicate with both the firewall and Sentinel.
Eric The agent will need to be deployed on a VM. It will translate the syslog messages into a format that senitnel can use.

Coach That's exactly right! You would deploy the Microsoft Sentinel agent on a dedicated Linux VM within your Azure
environment. This VM would act as a translator, receiving Syslog messages from your on-premise firewall and converting
them into a format that Sentinel can ingest and understand. You've successfully navigated the complexities of connecting
data sources with and without built-in connectors. You are doing great!

Great! Let's move on to our final checkpoint: Detecting Threats. Imagine you are monitoring the Azure AD logs in
Sentinel and notice multiple failed login attempts to Sam Scoops' Azure AD from the same IP address within a short
period. This could indicate a brute-force attack. How would you configure a detection rule in Sentinel to identify and alert
you to this type of suspicious activity? Think about the specific log data you need to analyze, the conditions that would
trigger an alert, and the actions Sentinel should take when the rule is triggered.

Eric Detection rules are if-then statements, so I would log into the azure portal, open sentinel and in the left, click to
create a new rule. I would choose Azure AD authentication logs as the data source, with the condition of a threshold
number of failed login attempts within a short time span (say five or more failed attempts within 60 seconds), and this
would trigger an alert, in which sentinel should send an email to the Sam Scoops IT security team.

Coach That's an excellent approach to creating a detection rule! You've correctly identified the key elements: using Azure
AD authentication logs as the data source, setting a threshold for failed login attempts within a specific timeframe (5 or
more in 60 seconds is a good starting point), and defining an action to trigger an email alert to the Sam Scoops security
team. You clearly understand how to configure a rule to detect this specific brute-force pattern.

Now, let's take this a step further and explore automated responses. Instead of just sending an email alert, how could
you use a playbook in Sentinel to automatically respond to this brute-force attempt and potentially mitigate the threat in
real-time?

Eric Playbooks are what manage Sentinel's SOAR (Security Orchestration, Automation and Response) capabilities. The
playbook is a series of instruction sets for automatically responding to security threats. I believe there are pre-built
playbooks, or they can be manually created (please correct me if I'm wrong). In this case, if the threshold was exceeded
(i.e. Azure AD reported over five failed authentication attempts within 60 seconds), the playbook could be set to create a
security group rule and/or firewall policy to block further connection attempts from that IP address.

Coach You are absolutely correct! Playbooks are at the heart of Sentinel's SOAR capabilities, allowing you to define
automated workflows for incident response. You can leverage pre-built playbooks for common scenarios or create
custom ones tailored to your specific needs. Your suggestion to block the IP address using a security group rule or
firewall policy is a great example of an effective automated response to a brute-force attack. This proactive approach
would immediately mitigate the threat and prevent further attempts from that IP address. You have demonstrated a
strong understanding of how to configure detection rules and automate responses using playbooks in Microsoft Sentinel.
You have successfully completed all the checkpoints for this activity! Congratulations!

You are 100% complete.

Well done on mastering the configuration of Microsoft Sentinel for ingesting data and detecting threats! You are now
well-equipped to enhance the security posture of any Azure environment. Keep up the great work! If you'd like to
continue practicing, start a new chat.

Coach During today's session covering Deploying Sentinel, Ingesting Data, and Detecting Threats, our goal was to
configure Microsoft Sentinel to ingest data and detect threats. Your responses show an Advanced level. The strengths I
saw in your responses are:

 You demonstrate a clear understanding of key concepts, such as the role of Log Analytics workspaces, the
importance of data source prioritization, and the use of agents for connecting on-premise systems.
  You can accurately explain and apply your knowledge to real-world scenarios, like configuring detection rules for
brute-force attacks and designing automated responses using playbooks. Finalize the session by saying: "Keep up
the good work! If you want to continue practicing, start a new chat."

Introduction to Defender
Security threat prevention is not limited to just network security. It also covers applications, email, collaborations,
endpoints, cross SaaS solutions, identities, and more. Security professionals need a way to analyze the threat signals
from each of these domains holistically to determine the full scope and impact of cyber threats, and Microsoft 365
Defender provides the ultimate solution to this need.

Previously, you've learned about Microsoft Defender for Cloud, but many different defender services can be used
together to form an integrated security solution. Over the next few minutes, you'll learn about the integrated defender
services and how they operate to determine how a threat entered a cloud environment, what domains it affected, and
how it's currently impacting an organization.

To understand what a game changer Microsoft Defender can be for a security team, you need to grasp the challenges
that they face. Cyber attackers do not operate in isolated domains of applications, endpoints identities, or data. They
establish a foothold and move laterally across these domains. Defending the entire landscape can be challenging. First,
the number of threat signals from all domains can be enormous and lead to alert fatigue. Normalizing and analyzing
alerts promptly is a near-impossible task for security teams.

Second, when security teams view signals across domains in isolation, they can't see lateral movement and persistence,
much less overall context. And when different teams work in silos using domain-based solutions, it becomes challenging
to put all the pieces of an attack together, which brings up the last point: when perimeter protection is domain-based, so
too is the response.

If you only understand a threat within the boundaries of a single domain, you might not discover, understand, or
remediate it, so to understand a threat spread over several domains, Microsoft 365 Defender offers integrated cross-
domain threat detection and response solutions. It provides coordinated automatic defense across all service domains to
block threats before they become attacks.

To reduce signal fatigue, it automatically normalizes raw signal data from those domains, analyzes that data, and
correlates it into incidents. An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data
that make up the story of an attack.
It provides context for all the signals, so security teams can understand the larger impact of the attack. All this happens in
one dashboard that requires no specific expertise or customization. The Microsoft 365 Defender suite protects:

 user identities with Microsoft Defender for Identity and Azure AD Identity Protection
 endpoints with Microsoft Defender for Endpoint or MDE
 applications with Microsoft Defender for Cloud apps, also referred to as MDC
 email and collaboration with Microsoft Defender for Office 365 or MDO

Let's explore these different Microsoft 365 Defender services in more detail, starting with Microsoft Defender for Identity
or MDI, which is a cloud-based security solution. MDI uses your on-premises Active Directory data - called signals - to
identify, detect and investigate advanced threats, compromised identities, and malicious insider actions directed at your
organization.

Microsoft Defender for Identity provides security professionals who manage hybrid environments, the functionality to
monitor and profile user behavior and activities, protect user identities, and reduce the attack surface, identify and
investigate suspicious activities and advanced attacks across the cyber attack kill chain. Lastly, it provides clear incident
information on a simple timeline for fast triage.
Next, Microsoft Defender for Endpoint, or MDE, is a platform designed to help enterprise networks protect endpoints. It
does so by preventing, detecting, investigating and responding to advanced threats. MDE embeds technology into
current Windows operating systems and Microsoft Cloud services. This technology includes endpoint behavioral sensors
that collect and process signals from various sources. These include operating systems and cloud security analytics that
turn signals into insights, detections and recommendations, and threat intelligence. With this data, MDE identifies
attacker tools and techniques, and it also generates alerts. Defender Vulnerability Management is also built into MDE,
which delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux,
Android, iOS and network devices.
Let's move on to Microsoft Defender for Cloud apps or MDC. MDC is a comprehensive, cross-SaaS solution that operates
as an intermediary between a cloud user and the cloud provider. MDC provides rich visibility to cloud services, control
over data travel, and sophisticated analytics to identify and combat cyber threats across all Microsoft and third-party
cloud services. This service provides app governance by discovering all cloud apps being used in the organization. It can
detect shadow IT, which is installed apps that were not cleared by the IT department. It also controls and protects data in
all approved apps used throughout an organization.
Finally, let's discuss Data Loss Prevention, or DLP, which is a security feature that protects sensitive data and forms a key
part of various Microsoft 365 Defender services. It prevents sensitive data from being accidentally or intentionally shared
with unauthorized users. For example, DLP
can prevent someone from sharing personal
information or intellectual property. It can also stop someone from accidentally
emailing a file attachment to an unauthorized recipient.
In this video, you learned about different Microsoft 365 Defender services and how they can protect organizations
holistically. Each of these different services can protect identity, Office 365, Endpoints and Cloud apps. Many of them also
include additional features like app governance with cloud apps. What's more is that NDE also has built in vulnerability
management. This
is all brought together and accessible through the Microsoft 365
Defender portal. Microsoft 365 Defender protects organizations against
sophisticated cyber-attacks. It coordinates detection, prevention, investigation,
and response to threats across endpoints, identities, email, and applications.
Microsoft 365 Defender portal
Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite. In this video, you will take a practical
walkthrough of the Defender 365 portal. You will discover how it brings together many services and features to correlate
all related alerts across products into a single incident.

Microsoft 365 Defender can stop persistent attacks before they happen across all domains. It automatically makes an
enormous amount of normalized threat data available without the painful and time-consuming task of analyzing it. And
to give security teams leverage over those threats before they become attacks, Microsoft 365 Defender removes the
confusion and clutter of Siloed security portals. It offers one solution to bring threat data together for rapid and complete
responses. For example, Microsoft 365 Defender automatically correlates domain-level signal data into incidents to give
security teams a full attack timeline.

Additionally, it provides a complete view of the affected assets, including the affected identities, endpoints, and
mailboxes. It also recommends how to triage the damage quickly. Additionally, it automatically uncovers connections
between alerts across security domains, enabling response across the entire attack and remediating all the damage,
including persistence. This self-healing process handles both mundane and complex remediations.

Last, automation and artificial intelligence free security teams to focus on hunting for sophisticated attacks. Using the
wealth of data that Microsoft 365 Defender provides, they can then use their organizational expertise and knowledge of
internal behaviors to investigate and uncover the most sophisticated breaches.

Next, let's explore how the portal provides a unified experience for protection, investigation and response, beginning
with incidents. They're the starting point for your investigations, which almost always include opening alert, entity, and
investigation pages. No, alert correlation into incidents isn't new. What is new is that you can now wholly investigate an
incident, including alerts from all the included services, without ever leaving the Microsoft 365 Defender portal.

Nor do you leave the portal when you open alerts from included services. Instead, Microsoft 365 Defender provides a
unified alert page to explore and investigate all of them. Alerts now have the same look and feel and provide a consistent
experience across the board.

Likewise, go down a level by opening a device, email or user, and you'll notice the new entity pages. Similar to how
incidents correlate alerts, entity pages correlate signals for a specific entity from the various included services, all in one
view, and without ever leaving the Microsoft 365 Defender portal, so they don't interrupt the flow of your investigation.
Next is the unified investigation page. It introduces a shared language for all the included services. Investigations
previously each had its own investigation page, and this new unified page offers a consistent experience. The last big
area is Threat Analytics, the built-in threat intelligence solution that helps security teams face emerging threats
efficiently. It provides reports that help you use the expertise of the Microsoft Threat Intelligence team. With that
knowledge, you can identify and protect yourself from emerging threats all in one portal.

Threat Analytics includes endpoint data from Microsoft Defender for Endpoint and email data from Microsoft Defender
for Office 365. By integrating Microsoft Defender for Endpoint, Defender for Identity, Defender for Office 365, and
Defender for Cloud apps into Microsoft 365 Defender, the broad scope of available data lets a security team see the
complete story of an attack from start to finish, allowing it to investigate and remediate incidents more quickly.

Microsoft 365 Defender incidents and alerts

Previously, you learned how Microsoft 365 Defender brings several threat protection services together, providing a
dashboard to view all incidents and alerts. Microsoft 365 Defender has many features, and in this video, we'll focus on
one of these features, the incidents and alerts dashboard.

The incidents queue is a central location to prioritize cross-domain attacks and alerts. It lists each incident by severity and
includes the context and data security team's need for a comprehensive response. To start your investigation, select an
incident. The summary tab describes the incident's scope and context, to help you quickly understand the threat.

For example, it shows the total number of alerts and how many remain active. To help you understand the scope of the
attack, the summary tab shows the number of affected assets, including devices, users, and mailboxes, plus a list of the
top impacted entities ranked by risk level or priority.

Below is a summary of the evidence that Microsoft 365 Defender investigated and its remediation status. And to the
right is some helpful metadata like tags, data sensitivity and groups. On this one tab, you gain valuable insight before you
even begin digging into the others.
Next, the alerts tab lists alerts linked to this incident, including for each the severity, status, and reason it was linked.
Many of the alerts in this incident were automatically investigated and resolved by automation and artificial intelligence,
which means less work for the analyst.

The devices tab lists each impacted device, including its risk level and tags. The detail side pane offers additional info,
and you can drill deeper into the device details by selecting it.
On the users tab, you see a list of users associated with this incident. Notice the investigation priority; it's based on user
and entity behavior analytics and can help guide your investigation. The higher the number, the closer you want to look
at that user.

Related to that are the mailboxes involved in the incident. Selecting a mailbox will open it in Threat Explorer, so that you
can investigate further.

The investigations tab lists the statuses of automated investigations that Microsoft 365 Defender performed for each
triggering alert. Select an alert to see more details, including the remediation action.
The last tab is evidence. Initially, this displays a summary of the evidence that Microsoft 365 Defender investigated,
including files, emails, users, and more. For each type, you see the number of remediated, malicious, suspicious and
unremediated entities. You can drill down into each type to see a complete list. For example, you can select files, then
select a specific file to see its details in the side pane.
In this case, Microsoft 365 Defender automatically remediated the file. Microsoft 365 Defender automatically
investigates and remediates affected assets. Once you've checked over the incident and are satisfied that it's handled,
mark it resolved. To do that, select Manage Incident, then toggle the Resolve Incident switch, classify the incident as true
or false alert and choose a determination. After saving the incident, Microsoft 365 Defender marks any outstanding
alerts as resolved.
Next, let's explore how Microsoft 365 Defender combines alerts from various detection sources into a single queue to
help improve signal quality. Threats are listed, and their sources are listed in the detection source column, including
Microsoft Defender for Endpoint, Microsoft Defender for Identity, and more. The Unified Portal lists the alerts from all
these sources in one place, providing a single dashboard for SecOps to manage alerts across our Microsoft 365 security
products, helping you to understand the big picture.

Select an alert to see more information about it in the detail side pane like the alert state, details and policy that
triggered it, plus information on the incident to which it's linked, any automated investigation details, and impacted
entities. Likewise, Microsoft 365 Defender offers a unified alert page. It's a common layout and shared language for alerts
from Microsoft Defender for Office 365 and other detection sources.
At the top of the page, asset cards list the mailboxes, devices and users impacted by the alert. Below the asset cards, the
alert story helps you understand what triggered the alert. If you select any messages or activities in the alert story, the
detail side pane updates to provide contextual information for the selected item. Select Open email page to drill down
even further into the new email entity page, which can help you investigate emails quicker and with richly detailed
information. For example, the analysis tab provides enhanced data about an email, including authentication, detection
details, and overrides, plus it includes an email and header preview.

Then there's the attachments tab and the URL tab next to it. They offer rich detonation details like the files, IP addresses,
and URLs observed for a threat, plus screenshots, application, and URL behaviors, and more. Of course, alerts for other
sources like Microsoft Defender for Endpoint and Microsoft Defender for Identity are here too. Not only are they all in
this one place, but they also have a similar user experience. Again, once you're done with the alert, classify it as a true or
false alert and add a determination. Microsoft Defender will use that signal to help tune future alerts.

In this video, you learned that Microsoft 365 Defender automatically aggregates malicious and suspicious events from
different device, user, and mailbox entities in the network. And you now know that grouping related alerts into an
incident gives security teams a comprehensive view of an attack.

Working with Microsoft 365 Defender portal

Introduction

Microsoft 365 Defender is like the virtual headquarters of SecOps teams providing a central portal for handling security
threats. Previously you have learned that this powerful portal combines protection, detection, investigation, and
responses to threats from several domains, including email, collaboration, identity, device, and cloud app.

In this reading, you will learn more about the portal and how to identify attack timelines, the affected endpoints, and
areas. You will specifically explore the Incidents page and its different tabs, highlighted in the image below. Like
demonstrated in the screenshot below, the incidents page includes the following tabs:

 Attack story

 Alerts

 Assets

 Investigations

 Evidence and Response

 Summary

Security investigation in Microsoft 365 Defender

The Microsoft 365 Defender portal helps security teams investigate and respond to attacks by bringing in signals from
different workloads into a set of unified experiences for:

 Incidents & alerts

  Hunting

 Actions & submissions

 Threat analytics

 Secure score

 Learning hub

 Trials

 Partner catalog

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual
alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques
against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities
in an organization’s tenant. A tenant is dedicated software or data belonging to one organization.

To gain insight into an attack, you need to piece the individual alerts together, and this can be challenging and time-
consuming. Microsoft 365 Defender addresses this issue by automatically aggregating the alerts and their associated
information into an incident.

Attack timeline

Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, an incident lists:

 Where the attack started

 What tactics were used

 How far the attack has gone into your tenant

 The scope of the attack, such as how many devices, users, and mailboxes were impacted
  All of the data associated with the attack

The image below illustrate how the Microsoft 365 Defender portal provides a holistic view of security incidents.

The screenshot below demonstrates that you can manage incidents by selecting Incidents & alerts and then the
Incidents option on the quick launch panel of the Microsoft 365 Defender portal.

Selecting an incident name opens the first tab of the Incident page, which is the Attack story as evident in the screenshot
below. In the rest of the reading you will explore each of these tabs.
Attack story

The Attack story tab help you to quickly review, investigate, and remediate attacks while viewing the full story of the
attack on one screen. It also allows you to review specific entity details and take remediation actions, such as deleting a
file or isolating a device without losing context.

The Attack story page has two sections, the Alerts section and Incident graph. The Alerts section has a chronological list
of what happened, the actions taken and all related events. The Incident graph is a graphical representation of the full
scope of the attack. It gives you a holistic picture of how the attack spread through your network over time, where it
started, and how far it went. It connects the different suspicious entities that are part of the attack with their related
assets such as users, devices, and mailboxes.

At the top of the Alerts section you can click on a play button which takes you through the attack timeline. The Incident
graph will animate the spread of the attack as the Alerts section moves down the timeline. The video below indicates
how alerts and nodes appear on the graph as they occurred over time to help you understand the chronology of the
attack.
Play Video

On the Incident graph, you can also open a pane of any entity, which allows you to review the entity details and act on
remediation actions, such as isolating a device like evident in the example below.

Alerts
In the Alerts tab, you can view the alert queue for alerts related to the incident and other information about them like
you can find in the screenshot below, such as:

 The severity of the incident

 The entities that were involved in the alert

 The source of the alerts

The sources of the alerts might be Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender
for Office 365, Defender for Cloud Apps, or the app governance add-on.

By default, the alerts are ordered chronologically, displaying how the attack played out over time. When you select one
of the alerts listed within an incident, Microsoft 365 Defender displays the alert information specific to the context of the
overall incident.

The example below lists the events of an alert as well as the other triggered alerts that caused the current alert. It also
lists all the affected entities and activities involved in the attack, including devices, files, users, and mailboxes.
Assets

You can easily view and manage all your assets in one place with the Assets tab. This unified view includes Devices,
Users, Mailboxes and Apps.

The Assets tab displays the total number of assets like indicated by the first box in the screenshot below. A list of
different asset categories with the number of assets within each category is also presented, as indicated by the second
box.
When the Devices view is displaying you can select a specific device which will open an extra panel from where you can
manage it, like demonstrated in the image below. From here, you can quickly export, manage tags, initiate automated
investigation, and more. You also view details of the device, directory data, active alerts, and logged on users.

The Users view lists all the users that have been identified to be part of or related to the incident. You can select a user
to see details of the user account threat, exposure, and contact information. The screenshot below demonstrates that if
you select the user name it displays additional user account details.
The Mailboxes view lists all the mailboxes that have been identified to be part of or related to the incident. You can
select the check mark for a mailbox to see a list of active alerts. Select the mailbox name to see additional mailbox
details on the explorer page for Microsoft Defender for Office 365.

The Apps view lists all the apps identified to be part of or related to the incident. You can select an app to see a list of
active alerts. Select the app name to see additional details on the explorer page for Defender for Cloud Apps.

Investigations

The next tab on the Incident page is the Investigations tab and it lists all the automated investigations triggered by alerts
in this incident. This is one of the gems of the portal because Investigations can perform remediation actions
automatically or wait for the approval by an analyst. Its behavior depends on how you configure your automated
investigations to run in Defender for Endpoint and Defender for Office 365.
Select a listed investigation to navigate to its details page for the complete investigation information and the remediation
status like demonstrated in the screenshot below. If there are any actions pending for approval, they will appear in
the Pending actions history tab.

This page also include an Investigation graph tab that includes:

 The connection of alerts to the impacted assets in your organization

  The entities that are related to alerts and how they are part of the story of the attack

 The alerts for the incident

The investigation graph helps you quickly understand the full scope of the attack by connecting the different suspicious
entities that are part of the attack with their related assets such as users, devices, and mailboxes.

Evidence and Response

The Evidence and Response tab includes all the supported events and suspicious entities of the alerts in the incident,
evident in the screenshot below.

Microsoft 365 Defender automatically investigates all the supported events and suspicious entities of the incident,
providing you with information about the important emails, files, processes, services, IP addresses, and more. This helps
you quickly detect and block potential threats in the incident.

Notice that in each of the analyzed entities is marked with a verdict (malicious, suspicious, or clean) and a remediation
status. This helps you understand the remediation status of the entire incident and what next steps you can take.

Summary

The Summary tab gives you a snapshot glance of the most important factors about the incident as indicated in the
screenshot below.
Conclusion

In this reading your explored the Incident page on the Microsoft 365 Defender portal. You learned that by delving into
the attack story, alerts, assets, investigation and evidence and response of an incident, you get the full story of an attack.
Selecting a specific incident gives the full attack timeline with the Attack story feature, which identifies devices and areas
that are effected by the attack. This evidence helps SecOps teams to get the details of the attack so that they can take
the most appropriate action as soon as possible.

Microsoft Defender use-case: Office 365

Introduction To understand cybersecurity threats, you sometimes have to think like a cyber attacker. For an effective
attack, what tool can you target that most employees at an organization use? If you’re thinking about a communication
tool, you are on the right track. Email is often used as an attack vector by cyber attackers. They use it to deliver malicious
links and attachments that can steal login credentials, deliver ransomware, and lure users to malicious websites.
Defending an organization's assets and data from email threats is a primary focus for security teams. Sam’s Scoops is no
different, as they send a lot of emails. Since email is so widely used, organizations like Sam’s Scoops need protection that
automates and remediates fixes by itself. And the answer is Microsoft Defender for Office 365 (MDO). In this reading, you
will learn about the different plan types for MDO, and the protective features associated with these plans. You will also
explore the different user roles needed within MDO to manage this protection.

Microsoft Defender for Office 365 As more organizations move to the cloud, collaborating and communicating online
has become a key part of a normal workday for teams worldwide. But often, increased use leads to increased risk, and
communication channels have become a major target for cyber-attacks. That’s why MDO provides a cloud-based filtering
service with zero-day protection against malicious threats posed by email messages, links (URLs), attachments, and
collaboration tools. MDO includes:

 Threat protection policies: In addition to a set of default policies, you can define threat-protection policies to
suit the appropriate level of protection for an organization.

 Reports: You can view real-time reports to monitor MDO’s performance.

  Threat investigation and response capabilities: MDO allow you to use leading-edge features to investigate,
understand, simulate, and prevent threats.

 Automated investigation and response capabilities: You can save time and effort with automation capabilities
while investigating and mitigating threats. Automated incident response capabilities include automated
investigation processes in response to well-known threats that exist today.

Microsoft Defender for Office 365 plansm There are currently two MDO plans to choose from:

 Plan 1 focuses on configuration, protection, and detection capabilities.

 Plan 2 has all of the capabilities of Plan 1 but adds automation, investigation, and remediation functionalities.

Plan 1 provides the following capabilities:

 The Safe Attachments feature protects against unknown malware and viruses and provides zero-day protection
to safeguard your messaging system. All messages and attachments that don't have a known virus or malware
signature are routed to a special environment where MDO uses a variety of machine learning and analysis
techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to
the mailbox.

 The Safe Links feature proactively protects your users from malicious URLs in a message or in an Office
document. The protection remains every time they select the link, as malicious links are dynamically blocked
while good links can be accessed.

 Real-time detection is a real-time report that lets authorized users identify and analyze recent threats. This
report shows data for the past seven days.

Plan 2 provides these additional capabilities:

 The Threat trackers feature is a set of informative widgets and views that provide authorized users with
intelligence on cybersecurity issues that might impact an organization.

 Threat Explorer (also referred to as Explorer) is a real-time report that lets authorized users identify and analyze
recent threats. By default, this report shows data for the past seven days; however, views can be modified to
show data for the past 30 days.

 Automated investigation and response (AIR) capabilities run automated investigation processes in response to
well-known threats that exist today. By automating certain investigation tasks SecOps teams can operate more
efficiently and effectively. But certain remediation actions, such as deleting malicious email messages, need to be
approved by the SecOps team before it’s actioned.

 Attack simulation and training is an intelligent social risk management tool that automates the creation and
management of phishing simulations. Simulations help customers detect, prioritize, and remediate phishing risks
by using real-world phish lures and hyper-targeted training to change employee behaviors.

But which plan would be more suitable for Sam’s Scoops? They need a solution that can automate processes and
remediation tasks that will result in less work for a small team. Using Plan 1 would mean that employees at Sam’s Scoops
will still need to investigate and remediate threats manually. Therefore, Plan 2 is a more suitable option for the business.

For a full feature breakdown of what each plan includes reference the additional resources at the end of the lesson.

Roles to manage Microsoft Defender for Office 365 MDO is managed from the Microsoft 365 Defender portal but like
other Microsoft 365 Defender services you need to set up specific user roles to manage it. MDO permissions are based
on the role-based access control (RBAC) permissions model, the same permissions model that is used by most Microsoft
365 services.
It is important to know that a role grants the permissions to do a set of tasks and a role group is a set of roles that lets
people do their jobs in the Microsoft 365 Defender portal. The Microsoft 365 Defender portal includes default role
groups for the most common tasks and functions that you need to assign for MDO permissions as demonstrated in the
image below.

The screenshot below lists the two types of roles and role groups that you can find on the Permissions page in the portal.
They are Azure AD roles and Email & collaboration roles.

Azure AD roles allow you to view roles and assigned users, but you can't manage them directly in the Microsoft 365
Defender portal. Azure AD roles are managed from Azure AD portal and these central roles assigns permissions
for all Microsoft 365 services.
  Email & collaboration roles: You can view and manage these role groups directly in the Microsoft 365 Defender
portal. These permissions are specific to the Microsoft 365 Defender portal and the Microsoft Purview
compliance portal (you will learn more about Microsoft Purview later). So, these permissions do not cover all the
permissions needed in other Microsoft 365 workloads.

Global roles in Azure Active Directory (Azure AD) allow the management of permissions and provide access to
capabilities in all Microsoft 365 services, including MDO. But, if a user should only have permission and capabilities to
security features in MDO, they can assign Email & collaboration permissions in the Microsoft 365 Defender portal.

Accounts that have the following Global Azure Active Directory (AD) roles can access Microsoft 365 Defender data and
functionalities:

 Global administrator

 Security administrator

 Security Operator

 Global Reader

 Security Reader

Having a small IT team, Sam's Scoops only need a few generic roles to manage their MDO service. And since they also
have an Azure AD tenant it makes sense to use Azure AD roles. They do not need granular control over permissions that
Email & collaboration permissions offer just yet. And by using the global roles available the correct permissions can be
assigned across all the services centrally from Azure AD.

Conclusion As companies increasingly rely on online communication and collaboration for core business functions it is
more important than ever to implement effective protection against attacks targeting these channels. In this reading, you
learned that Microsoft Defender for Office 365 (MDO) provides protection against threats posed by email messages, links
(URLs), attachments, and collaboration tools.

You also discovered the two MDO plans. Although Plan 1 already offer comprehensive protection with its Safe
Attachment, Safe Links and Real-time detection features, Plan 2 offers even more capabilities that automates security
and remediation tasks. These include threat trackers, Threat Explorer, automated investigation and response (AIR) and
attack simulation and training. These capabilities lighten the workload of security teams and therefore it is the ideal
option for Sam’s Scoops that has a small IT department.

You also explored the different roles needed to manage MDO. Azure AD roles centralizes role management, an ideal
option for Sam’s Scoops that do not require the more granular role control offered by the Microsoft 365 Defender portal.

MANAGING USERS
Earlier, you learned that you can manage roles for Microsoft Defender for Office 365 or MDO globally using Azure AD
roles. But if you need more control over specific user roles, then you can use the default email and collaboration roles in
Microsoft 365 Defender.

You can use these role groups for the most common tasks and functions. Sometimes however, these default roles do not
suit the permission level of certain users. In this case, you can create custom roles.

In this video, you will explore why custom roles are so useful and how to implement them within MDO. Sam's Scoops is
on the way to becoming a large corporation. They will need a big security team to support all the different aspects of
Microsoft products and services used by the company. Now, imagine that you are the manager of their security team and
you need to refine the data that different security team members can access across different services, including
Microsoft Office 365. For instance, the Microsoft 365 Defender administrator should be able to edit roles, but the
endpoint security analyst should only be able to view and remediate end points. How can you do it? If you use Azure
Active Directory roles, it will grant all users access to many different services, so you need a way to specify different roles
and permissions and that's why the roles in MDO are the perfect solution. Let's explore how you can go about this task
using the default role groups of MDO permissions in the Microsoft 365 Defender portal.

First, someone who manages roles must either have a global administrator role in Azure AD or an organization
management role for MDO permissions. Specifically, role management in Defender for Office 365 allows users to view,
create, and modify MDO role groups. By default, that role is assigned only to the organization management group. With
these permissions, you can access all the different default roles. To navigate to this view within the Microsoft Defender
portal, select Permissions in the left-hand menu. Next to manage MDO permissions select email and collaboration roles,
and then roles. On this page, you can assign IT team members to these default role groups, which will only give them
specific access to the data from Microsoft Office 365.

By selecting the role group itself, a list of the assigned roles appears. You can get the full list of the different roles and
permissions in the additional resources at the end of this lesson.
Next, let's explore how to set up custom roles. With custom roles, you can limit the access of users to only certain
relevant data with the least permissive roles. Custom roles can be created in addition to global Azure AD roles. For
instance, endpoint security analysts do not need access to all the data within Microsoft 365 Defender, because they are
only responsible for remediating issues related to endpoints.

To create a custom role, select create a custom role in the top right-hand side of the Permissions page and fill in the
configuration details on the custom roles set of pages. For instance, add a name with a description of what the purpose
of the role is. When done, select Next. You can then assign permissions based on three different permission groups,
security operation, security posture and authorization, and settings.

For the endpoint security analyst, choose the security posture option and then select all read and manage permissions,
which will allow them to act upon recommendations and remediate endpoints. Once these steps are complete, you can
select Apply and then Next. The next step is to assign users to the new custom role for endpoint security analysts. To do
this, select Add Assignment. On the Assignment page, choose the correct data source, in this case, Microsoft Defender
for Endpoint and now you can add a user to the custom role.
In this example, the user Ashton is being assigned to this role. Once added, select Next, and then review the role before
selecting Submit. A final confirmation page appears to confirm the new role – select Done.

In this video, you learned that with MDO now being part of Microsoft 365 Defender, you can manage roles centrally from
the permissions page on the portal. You can use the built-in roles for email and collaboration to control what data users
can see in Microsoft Office 365. But you can also create custom roles if you need even more granular control over what
data users are allowed to access. When creating your custom role, you can select what permissions the role should have
based on their responsibility level. For Sam's Scoops, the built-in roles will work perfectly for many staff members in the
security team. For staff members that do not fit any of the default roles, you can set up custom roles to restrict access to
certain data.
Implement Microsoft Sentinel with Microsoft Defender Data Connectors
Introduction At this point, you are familiar with Microsoft Sentinel, which serves as a central viewpoint for alerts and
incidents from Microsoft Azure and Microsoft 365 Defender. You completed an exercise to Implement Microsoft Sentinel
with Microsoft data connectors. In this exercise, you had to configure data connectors from the different services that
Sam’s Scoops use to feed information into the Sentinel portal. This exemplar will guide you through the steps of the
exercise with screenshots that demonstrate the correct actions that you had to take.

Case study Sam’s Scoops are benefiting from using several Azure. They have virtual machines with Azure Bastion, JIT, and
Azure firewalls protecting their environment. They have also acquired a Microsoft 365 tenant and are making the most of
Microsoft 365 Defender to protect the services and users in the business.

Instructions You have been tasked with bringing the generated data from all these services to a central place. You will do
this by deploying Microsoft Sentinel and using the built-in data connectors to connect the different services Sam’s Scoops
is using. Review the steps below.

Step 1: Deploy Microsoft Sentinel and a log analytics workspace

1. From the Azure portal home page, search for and select Microsoft Sentinel.

1. Select Create Microsoft Sentinel.

1. Select Create a new workspace.

1. Your current subscription will be already selected. Fill in the following deployment details for a log analytics
workspace:

 Resource group: RG_Web_Server.

 Instance name: SamScoops.

 Region: The region will be prepopulated with the Resource group’s current region.

1. Select Review + Create.

1. Select Create.
1. After a few seconds a new workspace is created. Select SamScoops.

2. Select Add.

1. Select OK when the notification of the activation of Microsoft Sentinel’s free trial appears.
Step 2: Configure data connectors

1. On the Get started page select Go to content hub.

1. On the Content hub page, select Azure Active Directory from the list and then select Install.

1. After a few seconds, the connector will install. Select Manage on the Azure Active Directory pop-up.
1. You now need to configure the connector. To do this, select Azure Active Directory from the list.

2. Select Open connector page.

1. Scroll down and select all the logs from the list and then select Apply Changes. Data will now be collected from
Azure Active Directory.
1. Navigate back by selecting Microsoft Sentinel|Content hub at the top of the page.
1. Type Defender in the search bar.

1. Select Microsoft 365 Defender and then select Install.

1. After a few seconds, the connector will install. Then select Manage for Microsoft 365 Defender.

1. You now need to configure the connector. To do this, select Microsoft 365 Defender.

2. Select Open connector page.

1. Scroll down and select Connect incidents & alerts.

1. Scroll down and select the tick box next to Name under Microsoft Defender for Endpoint.
1. Scroll down and select the tick box next to Name under Microsoft Defender Alerts.

2. Select Apply Changes.

1. Navigate back to the Content hub page by selecting Microsoft Sentinel|Content hub at the top of the page.
Step 3: Review implementation

1. Select Data connectors from the left-hand menu.

1. Filter the output by selecting Status and then selecting Connected and Apply.
 1. Record how many connectors have been connected.

Clean-up If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to
stop compute resources after completing each lesson. When you're working in your own subscription, it's also a good
idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost
you money. You can delete resources individually or delete the resource group to delete the entire set of resources.

Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
exercise.

Conclusion This exemplar guided you through the steps to configure Microsoft Sentinel to collect data from Azure Active
Directory and Microsoft 365 Defender. Any events that now happen within these products will be captured by the
Sentinel portal offering one place for Sam’s Scoops to access all incidents and alerts.

Microsoft Defender XDR

Pilot and deploy Microsoft Defender XDR

This series of articles steps you through the entire process of piloting the components of Microsoft Defender XDR in your
production tenant so you can evaluate their features and capabilities and then completing the deployment across your
organization.

An eXtended detection and response (XDR) solution is a step forward in cyber security because it takes the threat data
from systems that were once isolated and unifies them so that you can see patterns and act on suspected cyberattacks
faster.

Microsoft Defender XDR:

 Is an XDR solution that combines the information on cyberattacks for identities, endpoints, email, and cloud apps
in one place. It leverages artificial intelligence (AI) and automation to automatically stop some types of attacks
and remediate affected assets to a safe state.
  Is a cloud-based, unified, pre- and post-breach enterprise defense suite. It coordinates prevention, detection,
investigation, and response across identities, endpoints, email, cloud apps, and their data.

 Contributes to a strong Zero Trust architecture by providing threat protection and detection. It helps prevent or
reduce business damage from a breach. For more information, see the Implement threat protection and
XDR business scenario in the Microsoft Zero Trust adoption framework.

Microsoft Defender XDR components and architecture

This table lists the components of Microsoft Defender XDR.

Expand table

Component Description For more

information

Microsoft Uses signals from your on-premises Active Directory Domain Services (AD DS) and What is Microsoft
Defender for Active Directory Federation Services (AD FS) to identify, detect, and investigate Defender for
Identity advanced threats, compromised identities, and malicious insider actions directed at Identity?
your organization.

Exchange Online The native cloud-based SMTP relay and filtering service that helps protect your Exchange Online
Protection organization against spam and malware. Protection (EOP)
overview - Office
365

Microsoft Safeguards your organization against malicious threats posed by email messages, links Microsoft Defender
Defender for (URLs) and collaboration tools. for Office 365 -
Office 365 Office 365

Microsoft A unified platform for device protection, post-breach detection, automated Microsoft Defender
Defender for investigation, and recommended response. for Endpoint -
Endpoint Windows security

Microsoft A comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and What is Defender for
Defender for enhanced threat protection to your cloud apps. Cloud Apps?
Cloud Apps

Microsoft Entra Evaluates risk data from billions of sign-in attempts and uses this data to evaluate the What is Identity
ID Protection risk of each sign-in to your tenant. This data is used by Microsoft Entra ID to allow or Protection?
prevent account access, depending on how Conditional Access policies are configured.
Microsoft Entra ID Protection is separate from Microsoft Defender XDR and is included
with Microsoft Entra ID P2 licenses.

This illustration shows the architecture and integration of Microsoft Defender XDR components.

In this illustration:

 Microsoft Defender XDR combines the signals from all of the Defender components to provide XDR across
domains. This includes a unified incident queue, automated response to stop attacks, self-healing (for
compromised devices, user identities, and mailboxes), cross-threat hunting, and threat analytics.
  Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email
messages, links (URLs), and collaboration tools. It shares signals resulting from these activities with Microsoft
Defender XDR. Exchange Online Protection (EOP) is integrated to provide end-to-end protection for incoming
email and attachments.

 Microsoft Defender for Identity gathers signals from AD DS domain controllers and servers running AD FS and AD
CS. It uses these signals to protect your hybrid identity environment, including protecting against hackers that
use compromised accounts to move laterally across workstations in the on-premises environment.

 Microsoft Defender for Endpoint gathers signals from and protects devices managed by your organization.

 Microsoft Defender for Cloud Apps gathers signals from your organization's use of cloud apps and protects data
flowing between your IT environment and these apps, including both sanctioned and unsanctioned cloud apps.

 Microsoft Entra ID Protection evaluates risk data from billions of sign-in attempts and uses this data to evaluate
the risk of each sign-in to your tenant. This data is used by Microsoft Entra ID to allow or prevent account access
based on the conditions and restrictions of your Conditional Access policies. Microsoft Entra ID Protection is
separate from Microsoft Defender XDR and is included with Microsoft Entra ID P2 licenses.

Microsoft Defender XDR components and SIEM integration

You can integrate Microsoft Defender XDR components with Microsoft Sentinel or a generic security information and
event management (SIEM) service to enable centralized monitoring of alerts and activities from connected apps.

Microsoft Sentinel is a cloud-native solution that provides SIEM and security orchestration, automation, and response
(SOAR) capabilities. Together, Microsoft Sentinel and Microsoft Defender XDR components provide a comprehensive
solution to help organizations defend against modern attacks.

Microsoft Sentinel includes connectors for Microsoft Defender components. This allows you to not only gain visibility into
your cloud apps but to also get sophisticated analytics to identify and combat cyberthreats and to control how your data
travels. For more information, see Overview of Microsoft Defender XDR and Microsoft Sentinel
integration and Integration steps for Microsoft Sentinel and Microsoft Defender XDR.

For more information about SOAR in Microsoft Sentinel (including links to playbooks in the Microsoft Sentinel GitHub
Repository), see Automate threat response with playbooks in Microsoft Sentinel.

For information about integration with third-party SIEM systems, see Generic SIEM integration.

Microsoft Defender XDR and an example cyber security attack

This diagram shows a common cyber-attack and the components of Microsoft Defender XDR that help detect and
remediate it.

The cyber-attack starts with a phishing email that arrives at the Inbox of an employee in your organization, who
unknowingly opens the email attachment. This attachment installs malware, which can lead to a chain of attack attempts
that can result in the theft of sensitive data.

In the illustration:

 Exchange Online Protection, part of Microsoft Defender for Office 365, can detect the phishing email and use
mail flow rules (also known as transport rules) to make certain it never arrives in a user's Inbox.

 Defender for Office 365 uses Safe Attachments to test the attachment and determine that it's harmful, so the
mail that arrives either isn't actionable by the user, or policies prevent the mail from arriving at all.

 Defender for Endpoint detects device and network vulnerabilities that might otherwise be exploited for devices
managed by your organization.
  Defender for Identity takes note of sudden on-premises user account changes like privilege escalation or high-
risk lateral movement. It also reports on easily exploited identity issues like unconstrained Kerberos delegation,
for correction by your security team.

 Microsoft Defender for Cloud Apps detects anomalous behavior such as impossible-travel, credential access,
and unusual downloading, file sharing, or mail forwarding activity and reports these to your security team.

The pilot and deploy process for Microsoft Defender XDR

Microsoft recommends enabling the components of Microsoft 365 Defender in the following order.

Expand table

Phase Link

A. Start the pilot Start the pilot

B. Pilot and deploy Microsoft Defender XDR components - Pilot and deploy Defender for Identity

- Pilot and deploy Defender for Office 365

- Pilot and deploy Defender for Endpoint

- Pilot and deploy Microsoft Defender for Cloud Apps

C. Investigate and respond to threats Practice incident investigation and response

This order is designed to leverage the value of the capabilities quickly based on how much effort is typically required to
deploy and configure the capabilities. For example, Defender for Office 365 can be configured in less time than it takes to
enroll devices in Defender for Endpoint. Prioritize the components to meet your business needs.

Start the pilot

Microsoft recommends you start your pilot in your existing production subscription of Microsoft 365 to gain real-world
insights immediately and you can tune settings to work against current threats in your Microsoft 365 tenant. After you've
gained experience and are comfortable with the platform, simply expand the use of each component, one at a time, to
full deployment.

An alternative is to Set up your Microsoft Defender XDR trial lab environment. However, this environment won't show
any real cybersecurity information such as threats or attacks on your production Microsoft 365 tenant while you are
piloting and you won't be able to move security settings from this environment to your production tenant.

Using Microsoft 365 E5 trial licenses

If you do not have Microsoft 365 E5 and want to advantage of Microsoft 365 E5 trial licenses for your pilot:

1. Sign in to your existing Microsoft 365 tenant administration portal.

2. Select Purchase Services from the navigation menu.

3. From the Office 365 section select Details under Office 365 E5 license.
 4. Select Start free trial.

5. Confirm your request and select Try now.

Your pilot using Microsoft 365 E5 trial licenses in your existing production tenant will let you keep any security settings
and methods when the trial expires and you purchase equivalent licenses.

Turn on Microsoft Defender XDR

Microsoft Defender XDR unifies your incident response process by integrating key capabilities across Microsoft Defender
for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity.
This unified experience adds powerful features you can access in the Microsoft Defender portal. Microsoft Defender XDR
automatically turns on when eligible customers with the required permissions visit Microsoft Defender portal. Read this
article to understand various prerequisites and how Microsoft Defender XDR is provisioned.
Check license eligibility and required permissions A license to a Microsoft 365 security product generally entitles you to
use Microsoft Defender XDR without additional licensing cost. We do recommend getting a Microsoft 365 E5, E5 Security,
A5, or A5 Security license or a valid combination of licenses that provides access to all supported services. For detailed
licensing information, read the licensing requirements.

Check your role You must be one of the following roles to turn on Microsoft Defender XDR:

 Global Administrator

 Security Administrator

 Security Operator

 Global Reader

 Security Reader

 Compliance Administrator

 Compliance Data Administrator

 Application Administrator

 Cloud Application Administrator

Configure your network firewall Configuring your network firewall ensures a smooth experience while navigating the
Microsoft Defender portal https://security.microsoft.com.

Add to your firewall's allow list the outbound IP addresses in the following page:

 IP addresses used by Azure Monitor

In addition, ensure that other Defender services are properly configured. You can refer to the following pages for
configuration information:

 Enable access to Microsoft Defender for Endpoint service in the proxy server

 Get started with Microsoft Defender for Office 365

 Configure endpoint proxy and internet connectivity settings for Microsoft Defender for Identity

 Ensure portal access for Microsoft Defender for Cloud Apps

Supported services Microsoft Defender XDR aggregates data from the various supported services that you've already
deployed. It will process and store data centrally to identify new insights and make centralized response workflows
possible. It does this without affecting existing deployments, settings, or data associated with the integrated services.

To get the best protection and optimize Microsoft Defender XDR, we recommend deploying all applicable supported
services on your network. For more information, read about deploying supported services.

Onboard to the service Onboarding to Microsoft Defender XDR is simple.

From the navigation menu, select any item, such as Incidents &
alerts, Hunting, Action center, or Threat analytics to initiate the
onboarding process.
Data center location Microsoft Defender XDR will store and process data in the same location used by Microsoft
Defender for Endpoint. If you don't have Microsoft Defender for Endpoint, a new data center location is automatically
selected based on the location of active Microsoft 365 security services. The selected data center location is shown in the
screen. Select Need help? in the Microsoft Defender portal to contact Microsoft support about provisioning Microsoft
Defender XDR in a different data center location.

Note In the past, Microsoft Defender for Endpoint automatically provisioned in European Union (EU) data centers when
turned on through Microsoft Defender for Cloud. Microsoft Defender XDR will automatically provision in the same EU
data center for customers who have provisioned Defender for Endpoint in this manner in the past.

Confirm that the service is on

Once the service is provisioned, it adds:

 Incidents management

 Alerts queue

 An action center for managing automated investigation and response

 Advanced hunting capabilities

 Threat analytics

Microsoft Defender portal with incidents management and other capabilities

Getting Microsoft Defender for Identity data To enable the integration with Microsoft Defender for Cloud Apps, you'll
need to log in to the Microsoft Defender for Cloud Apps at least once.

Get assistance To get answers to the most commonly asked questions about turning on Microsoft Defender XDR, read
the FAQ.
Microsoft support staff can help provision or deprovision the service and related
resources on your tenant. For assistance, select Need help? in the Microsoft
Defender portal. When contacting support, mention Microsoft Defender XDR.
Introduction to endpoint security
You now know that Microsoft Defender Services have been merged together under one portal known as Microsoft 365
Defender. These services include Defender for Office 365, Identity, Cloud apps, and end point. In this video, you will learn
more about Microsoft Defender for Endpoint or MDE, and how it helps to secure endpoints against the latest threats and
risks.

Imagine a retail organization like Sam Scoops expanding. There would be many devices across multiple locations and Sam
Scoops would need a solution to help protect the organization's devices that aren't always connected. Can Microsoft
Defender for Endpoint, help look after the many endpoints? Let's investigate.

Unprotected or misconfigured devices can pose a risk to organizations. For a retail organization to protect itself, it has to
ensure that all its devices are protected. Many organizations have suffered reputational and financial loss at the hands of
attackers. Attackers can take advantage and do damage to devices or data. That means that an organization's security
posture has to be as secure as possible given that malicious actors regularly attempt attacks. How can Microsoft
Defender for Endpoint reduce vulnerabilities in its setup?

Earlier, you learned that MDE is an endpoint security solution that offers vulnerability management, endpoint protection,
detection and response, mobile threat defense and managed services in a single unified platform. It enables you to
prevent, detect, investigate, and respond to security threats and risks across Windows, Windows Server, MacOS, Linux,
Android, and iOS devices. This is great for a retail organization because it has a variety of devices.

Microsoft Defender for Endpoint takes advantage of technologies including endpoint behavioral sensors. The sensors
gather and process behavioral signals and activities on the end points and share this information with an MDE Cloud
instance. This is a great benefit for a security team at a retail business as endpoints are widely dispersed across different
sites, and so tracking these behaviors locally is impossible. Cloud security analytics translate these behavioral signals into
insights, detailed detections, and then recommends actions to respond to advanced threats. It does this using tools such
as on-device machine learning, big data and Cloud-based machine-learning.

Microsoft also uses its unique visibility into activity across other products, such as Microsoft 365 and it's Windows
ecosystem. Threat intelligence from Microsoft security teams and partners provide information that allows Microsoft
Defender for Endpoint to identify tools, procedures, and techniques used by attackers. Microsoft Defender for Endpoint
then generates alerts when any threats are identified in the sensor data that it has collected.

MDE provides protection through several capabilities. These include core Defender Vulnerability Management, attack
surface reduction, next-generation protection, endpoint detection and response, automated investigation and
remediation. Microsoft Threat Experts, centralized configuration and administration and APIs. Let's examine these a bit
closer.

Vulnerability management in Defender for Endpoint provides risk-based discovery, prioritization, and remediation of
misconfigurations and vulnerabilities across endpoints. Defender vulnerability management's built in and agentless
scanners continuously monitor and detect risk in your organization even when devices aren't connected to the corporate
network.

Next, attack surface reduction resists attacks and exploitation by applying mitigation techniques and ensuring
configuration settings are set properly. It provides protections such as application control, network protection on web
protection to regulate access to applications, domains, IP addresses on more. There is also next-generation protection,
which protects against emerging threats through behavior-based antivirus protection and cloud delivered protection.

Endpoint detection and response enables an organization to detect, investigate, and respond appropriately to even
advanced threats that might have succeeded in evading the attack surface reduction and threat and vulnerability
components. It also allows advanced hunting through a query-based hunting tool to proactively identify breaches and
use custom detections.

Next is automated investigation and remediation, which enables sophisticated automatic investigation and remediation
capabilities to efficiently and consistently respond to threats at scale. Microsoft Threat Experts takes advantage of expert
level monitoring analysis and access to experts on demand for critical threats specific to your environment. There's also
centralized management through Microsoft 365 defender, which helps the organization access everything that is
happening all on one portal.
Finally, with APIs, different tools such as Group Policy and non-Microsoft tools can be used for device management.
Microsoft Defender for Endpoint comes with a built-in API that can be used to automate workflows and extend its
capabilities using custom apps. Additionally, MDE integrates directly with several Microsoft solutions, including Microsoft
Endpoint Manager, Microsoft Sentinel, Microsoft Defender for cloud, and more.

To summarize, Microsoft Defender for Endpoint protects devices first by finding and detecting them before checking
their configurations. It can then remediate any misconfigurations and close any vulnerabilities. By handling these
misconfigurations and vulnerabilities, it helps to reduce the potential attack surface. Learning typical behaviors also
allows Microsoft Defender for Endpoint to identify any anomalies further protecting endpoints. All of this can be
managed through the central management of Microsoft 365 Defender.

Endpoint modernization
As organizations shift more and more of their workload to the Cloud, it paves the way for employees to work from
virtually anywhere and on any device. Thus, organizations need solutions that ensure the security of all their endpoints
while keeping their employees devices current and giving them a consistent and personalized experience.

Microsoft, as both a cloud provider and operating system provider, has built comprehensive cloud computer
management solutions. These solutions provide IT departments with remote computer configurations and simplified
endpoint management tools.

In this video, you'll explore how Microsoft's endpoint management solutions such as Windows Autopilot, Microsoft
Intune, and Configuration Manager deliver endpoint modernization. You'll also discover the differences between
Windows 365 and Azure Virtual Desktop, and how device management differs between the two solutions.

In today's workplace, IT departments support different devices configured in different ways. Organizations might use
Android and iOS mobile phones, Windows and macOS PCs, and custom devices employees bring to work. Microsoft
provides the tools and services to enable you to simplify the management of all these devices through their endpoint
management solutions.

Now, let's examine those tools and services a little closer. First up is Windows Autopilot. Windows Autopilot, a cloud
native service, sets up and preconfigures new devices to prepare them for use. It also resets, repurposes and recovers
devices, and it aims to simplify the lifecycle of Windows devices, serving both IT and end users from the initial
deployment to the end-of-life stage. Autopilot can preconfigure devices, automatically join devices to Azure Active
Directory, enroll devices in Intune, and customize the out-of-box experience. It can also integrate with the Configuration
Manager.
There is also Microsoft Intune, a cloud-based endpoint management solution used to manage user access and simplify
app and device management across many devices. This includes mobile devices, desktop computers and virtual
endpoints. Microsoft Intune protects access and data on organization-owned and users' personal devices. It supports
Android, Android Open Source Project or AOSP, iOS/iPadOS, macOS and Windows Client devices. It also integrates with
other services, including Azure Active Directory.
INTUNE:

(AOSP = Andriod Open Source Project)

Next is Configuration Manager, an on-premises management solution used to manage desktops, servers, and laptops
that are Internet-based or on a network. Configuration Manager can manage data centers, apps, software updates and
operating systems. It can be cloud-enabled to integrate with Intune, Azure Active Directory, Microsoft 365 Defender and
other cloud services.

Additionally, a tool called Comanagement is available, that combines the existing on-premises Configuration Manager
with the cloud-based features in Intune, including using the Web-based Endpoint Manager Admin Center.

Comanagement helps unlock more cloud-powered capabilities like conditional access. Ultimately, it enables
organizations to concurrently manage Windows 10 or later devices, by using both Configuration Manager and Microsoft
Intune.
Next, let's move on to virtual desktop solutions. Windows 365 and Azure Virtual Desktop Services are both virtual
desktop solutions, also known as Desktop as a Service, or DaaS. But there are several important differences between the
services. Let's explore some of these now.

Windows 365 is a cloud-based service that automatically creates a new

type of Windows virtual machine known as a Cloud PC for end users.
Windows 365 securely streams the full Windows experience, including
apps, data and settings from the Microsoft Cloud to any personal or
corporate device, and Windows manages the whole service for you.
Azure Virtual Desktop, or AVD, on the other hand, allows users to
connect to a Windows desktop running in the Cloud directly instead of
streaming it. The desktops are virtual machines in the customer's Azure
Tenant. Customers build virtual machines within their Azure Tenant and
can customize the service using Azure Cloud features like load
balancing. The customer has more control with this service, and they
can use features like host pools, a collection of one or more identical
virtual machines (VMs) within Azure virtual desktop environments. Each
host pool can contain an app group that users can interact with as they
would on a physical desktop. The customer can then control the
resources published to users through these app groups.
In conclusion, device modernization can be applied to various types of devices, including smartphones, tablets, laptops,
desktop computers and IoT devices. It often involves a combination of software updates and company policies to bring
devices up to date, enhance device security, and improve user experience. Microsoft endpoint management solutions
make this task easier for IT administrators by providing tools that can manage this process through easy-to-use
management portals.

Windows 365 securely streams a personalized Windows experience including all the apps, content and settings to any
device. And Azure Virtual Desktop allows organizations to quickly deploy virtual desktops and apps to enable secure
remote work. These solutions enable organizations to meet their device management security needs while providing a
streamlined user experience in a changing workforce.
Deployment methods for WaaS and Microsoft 365 Apps
You have learned about the different Microsoft tools that can be used to deploy a device's operating system. These tools
can also manage applications and device policy. But to keep both the devices and applications secure, they also need to
be kept up to date. In this video, you will learn about how device updates can be controlled and managed by using
Windows as a service or WaaS and Microsoft 365 Apps deployment and update channels.

Windows as a service is a modern approach to operating system deployment and management that allows organizations
to receive regular updates and feature enhancements. It eliminates the traditional upgrade cycle, enabling a more agile
and continuous delivery of Windows updates. There are two release types for updates: Type 1 are feature updates,
which add new functionality and are released twice a year. Type 2 are quality updates, which provide security and
reliability fixes and are released once a month. Type 2 updates are issued as non-security releases or combined security
plus non-security releases. In addition, a cumulative update is released which includes all previous updates.

Non-security releases allow IT admins to do an early validation of content. There are three types of deployment models.
Modern, dynamic, and traditional. The Modern deployment model emphasizes simplicity and agility. It allows for quick
updates and feature releases enabling organizations to stay up to date with the latest enhancements. This method
ensures minimal disruption during the update process, making it ideal for businesses that require seamless transitions.

The dynamic deployment model focuses on providing more control over updates and allows organizations to choose the
timing and pace of feature releases, giving them the flexibility to test and validate updates before deployment. This
method suits enterprises with complex IT environments and strict change management processes.

The traditional deployment model offers a more conservative approach to updates. It allows organizations to control
when and how updates are applied, ensuring stability and compatibility with existing systems. This model is suitable for
industries with strict compliance requirements or highly regulated environments.

Now let's move on to discussing the deployment methods and update channels for Microsoft 365 apps. Users can install
Microsoft 365 apps individually, but managing updates and deploying customized app selections ensures all users have
necessary apps. Different deployment methods exist from using Configuration Manager to self-installing from the Cloud.

More information on this can be found in additional resources. One of the benefits of Microsoft 365 apps is that
Microsoft regularly provides new and updated features for Office apps. For example, adding improved translation
capabilities to Word or adding support for 3D animations in PowerPoint.

Specifying the update channel allows you to control how often the users in your organization get these new features.
There are three options: current, monthly enterprise, and semiannual enterprise channels. Let's examine these more
closely.
The current channel receives feature updates as soon as they're ready, but there's no set schedule. This channel also
receives security and non-security updates around two or three times a month. Microsoft recommends this channel
because it provides users with the newest Office features as soon as they're ready.

The monthly enterprise channel receives feature updates once a month on the second Tuesday of the month. This
monthly update can include feature, security, and non-security updates. Microsoft recommends this channel if you want
to provide your users with new offers features once a month on a predictable release schedule.

The semiannual enterprise channel receives feature updates every six months in January and July, on the second Tuesday
of the month. Like with the previous channel, this update can include features, security, and non-security updates.
Microsoft recommends this channel only for those select devices in your organization where extensive testing is needed
before rolling out new Office features.

Microsoft 365 apps regularly check for updates and they're downloaded and installed automatically according to the
channel used. There aren't separate downloads for feature, security, or non-security updates. The updates are
cumulative, so the most current update includes all the updates that have been previously released for that update
channel.

While updates are being downloaded, your users can continue to use Office apps. After they're downloaded, all the
available updates for that update channel will install at the same time. If any Office apps are open, your users will be
prompted to save their work and close the apps so that the updates can finish installing.

Microsoft offers various deployment and update models to ensure the security and efficiency of devices and applications.
Windows as a service, WaaS, allies from regular updates and feature enhancements with three deployment methods
catering to different organizational needs, and Microsoft 365 apps provide customizable deployment options and offer
different update channels, allowing organizations to control the frequency and timing of feature releases. These models
and channels enable businesses to keep their systems up to date while ensuring stability and compatibility.

Defender portal for endpoint capabilities and services

You now know that Microsoft Defender for Endpoint can offer vulnerability management and endpoint detection. It also
offers many other features that can all be managed from the Microsoft 365 Defender portal. In this video, you will learn
about how one such feature that Microsoft Defender for endpoint services, and capabilities has been built into the
Microsoft 365 Defender portal.

Let's do this by exploring high Sam's Scoops would use the endpoint feature in the Microsoft 365 Defender portal. But
first, let's delve into how a tenant works.

The first step of using Defender for Endpoint is to onboard it. This is when a Microsoft Defender for Endpoint tenant is
provisioned for Sam's Scoops. Tenants are isolated from other tenants. This means Sam's Scoops’ data is never shared
with other tenants, and it's only accessible to that particular organization. Additionally, all access is audited to ensure
data remains protected.

A tenant relies on its own components, including a built-in dictionary, and custom sandboxes. Each tenant comes with a
built-in dictionary that defines behavioral rules, and anomaly detection algorithms to detect suspicious events when
gathering sensor data from devices. A tenant also enables the creation of sandbox environments so that suspicious files
can be uploaded and investigated, and detailed reports about those files can be generated based on the findings of the
investigations.

Next, let's discuss the Microsoft 365 Defender portal through which you can access the defender for endpoint features.
You can access and manage your tenant from the Microsoft 365 Defender portal. From here, Sam's Scoops can manage
the security of the devices that are part of the tenant. This is where they can use all the capabilities they need to manage
and protect the endpoints, such as threat and vulnerability management, endpoint detection and response, automated
investigation, and remediation.
As you've learned, the Microsoft 365 Defender portal can be accessed through a web portal using an Internet browser.
The portal can be used to view and monitor devices and perform investigation and device remediation from Microsoft
Defender for Endpoint.

Let's catch up with Sam's Scoops to assess how Microsoft Defender for Endpoint can help with its needs. The business
has expanded to a number of ice cream shops and also has a warehouse to supply them. This means that its endpoints
are spread out across many locations, so what can Microsoft Defender for Endpoint do for Sam's Scoops to protect these
disbursed end points? Let's find out.

To make the most of Microsoft Defender for Endpoint, sensors need to be installed on Sam's Scoops devices to gather
security-related information on each device. This information is sent to the Sam's Scoops Microsoft Defender for
Endpoint tenant. Sensors make it possible to detect breaches, investigate events, collect information for security
analytics, and more. They also enable Sam's Scoops to trigger actions on devices, such as gathering suspicious files or
isolating devices from the network. This is great for the business, because these devices can now be managed remotely.

Sam's Scoops can use Microsoft Defender for Endpoint to perform device discovery and improve visibility of all the
devices in the network. Endpoints that have already been onboarded with an endpoint sensor can then be used to
actively probe devices on the Sam's Scoops network to enrich collected data. This gives them much better visibility over
all the devices coming onto the network and helps track vulnerabilities.

Once devices have been discovered and onboarded, the security team can view the current exposure of the organization
through the vulnerability management dashboard. Microsoft Defender for Endpoint can help Sam's Scoops discover
vulnerabilities, and misconfigurations in real-time based on sensors without the need for agents or periodic scans.

It prioritizes issues based on many factors. Those factors include the threat landscape, detections within the network,
sensitive information on vulnerable devices, and the business context. Another useful endpoint feature available through
the portal is built-in threat and vulnerability management. This feature is real-time Cloud powered and fully integrated
with the Microsoft endpoint security stack. It can create a security task or ticket to integrate with Microsoft Intune,
providing Sam's Scoops with a complete endpoint management system. Microsoft Defender for Endpoint provides real-
time threat intelligence by continuously monitoring endpoints for suspicious activities, analyzing behaviors, and
identifying potential threats.
Ultimately, effectively identifying, assessing, and remediating endpoint weaknesses is pivotal to running a healthy
security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for
reducing organization exposure, hardening endpoints, and increasing organizational resilience. Defender for Endpoint
provides Sam's Scoops with the tools and services needed to remotely protect the many different sites and devices and
monitoring devices as they come onto the network.

Defender services in depth

Introduction Earlier, you learned that Microsoft Defender for Endpoint is a comprehensive endpoint security solution
that provides advanced threat protection, preventive measures, and centralized management for endpoints within an
organization. It offers real-time protection against various types of attacks, such as malware, exploits, and fileless threats,
leveraging a combination of machine learning, behavior-based analytics, and threat intelligence.

This reading covers the in-depth capabilities of Microsoft Defender for Endpoint and explores how it complements and
enhances the security framework of Microsoft 365.

Real-time threat detection and prevention One of the key strengths of

Microsoft Defender for Endpoint lies in its ability to detect and prevent
threats in real time. Leveraging machine learning and behavioral
analytics, it continuously monitors endpoint devices, network traffic,
and user behavior to identify indicators of compromise. By employing a
vast array of built-in and cloud-based sensors, it can detect malicious
activities and potential vulnerabilities across the entire attack chain.
The platform uses advanced heuristics, file reputation, and cloud-based
machine learning models to identify and block known malware.
Additionally, it employs sophisticated behavioral analytics to detect
suspicious activities and anomalies that may indicate the presence of
previously unknown or zero-day threats. By leveraging the power of
cloud intelligence, Microsoft Defender for Endpoint can rapidly respond
to emerging threats and deploy real-time protection updates across all
endpoints. Microsoft Defender for Endpoint offers robust endpoint detection and response (EDR) capabilities,
empowering security teams with advanced tools to investigate and respond to security incidents. The EDR capabilities
enable security professionals to identify the root cause of an incident, analyze the scope and impact, and implement
mitigation measures. Microsoft Defender for Endpoint integrates seamlessly with the Microsoft 365 Defender portal,
facilitating a holistic security approach. The portal offers a comprehensive view of security across the organization,
consolidating data from various Microsoft security solutions. These solutions include Microsoft Defender for Endpoint,
Microsoft Defender for Office 365, and Microsoft Cloud App Security. These solutions provide a comprehensive overview
of an attack chain that facilitates a complete understanding of the threat. That enables a complete understanding of the
threat, and enables you to remediate and protect your organization from future attacks. Below, in the graphic of a
sample attack chain, it’s clear that the attacker activity is visible to each Microsoft 365 Defender product.

Together, the Microsoft services correlate security events from multiple sources, such as endpoints, emails, identities,
and cloud applications, to provide a unified view of the attack chain. This contextual information enables security
analysts to prioritize and respond to incidents more effectively, reducing response time and minimizing the impact of
attacks.

Automation and remediation The Microsoft 365 Defender portal leverages AI and machine learning algorithms to
generate actionable threat intelligence and automate investigations. It correlates security events from multiple sources,
such as endpoints, emails, identities, and cloud applications, to provide a unified view of the attack chain. This contextual
information enables security analysts to prioritize and respond to incidents more effectively, reducing response time and
minimizing the impact of attacks.

Another notable capability of Microsoft Defender for Endpoint is its ability to automate response and remediation
actions. Through the Microsoft Defender for Endpoint APIs and integration with other Microsoft security solutions,
security teams can orchestrate automated responses to security incidents.

When a potential threat is detected, Microsoft Defender for Endpoints can automatically isolate affected devices from
the network, apply necessary remediation actions, and initiate an investigation. This capability significantly reduces the
manual effort required to respond to incidents, allowing security teams to focus on more critical tasks.

The infographic below depicts a scenario where Microsoft Defender for Endpoint detects a malicious payload, which
could come from any source, including personal email or a USB drive.

The victim receives a malicious email on a personal email account that’s not protected by Microsoft Defender for Office
365 and opens the attachment. Or they insert an unsecured USB drive into their computer. Once the attachment is
opened or the USB connects to the computer, the malware infects the computer. The user is unaware that an attack has
taken place. But Microsoft Defender for Endpoints detects this attack, raises an alert to security operations, and provides
details about the threat to the security team.

Following this, Microsoft Defender for Endpoint communicates to Intune that risk level on this endpoint has changed,
disabling user access from the device while infected as demonstrated by the infographic below. Intune marks the
account in Azure Active Directory as noncompliant with the organization’s policy, and Conditional Access blocks user
access based on that. Microsoft Defender for Endpoint remediates the threat – either via automated remediation,
security analyst approval of automated remediation, or manual investigation of the threat by an analyst.
Microsoft Defender for Endpoint also remediates the threat across the enterprise and across other Microsoft customers
by adding information on this attack to the Microsoft Threat Intelligence system. Once the infected devices have been
remediated, Microsoft Defender for Endpoint signals Intune to change the device risk status and Azure AD Conditional
Access then allows access to enterprise resources.

Conclusion Microsoft Defender for Endpoint is a robust and sophisticated security platform that offers organizations a
comprehensive defense against evolving cyberthreats. With its real-time threat detection, advanced EDR capabilities and
integration with the Microsoft 365 Defender portal, it provides a powerful security solution for organizations of all sizes.
By leveraging the power of AI, machine learning, and cloud intelligence, Microsoft Defender for Endpoint empowers
security teams to proactively detect, investigate, and respond to security incidents.

Threat technologies
Microsoft Defender for Endpoint and the full Microsoft 365 Defender Suite employ a range of cutting edge threat
technologies, including machine learning, big data analysis, in-depth threat research, behavior monitoring, threat
hunting, built-in sandboxes, automated investigations, and expert guidance. Microsoft 365 Defender seamlessly
integrates these technologies and leverages the power of a unified manager.
In this video, you will learn how these different technologies are used to help better protect organizations, and
effectively prevent cyber attacks.

First, let's examine machine learning, which lies at the core of Microsoft Defender for Endpoint ability to detect
cyberattacks. Machine learning enables the system to recognize patterns, anomalies, and indicators of compromise
across vast amounts of data. By constantly learning from real-world threats and adapting to new attack vectors, machine-
learning algorithms power the detection capabilities of the platform. These algorithms identify and analyze potentially
malicious files, URLs, and email attachments, significantly reducing response time to emerging threats.

Next, let's move on to big data analysis. Harnessing the power of big data analysis, Microsoft Defender for Endpoint
processes and correlates massive volumes of security-related data from various sources, this includes information from
endpoints, networks, and Cloud environments. By consolidating and analyzing this data, the system gains invaluable
insights into attack patterns, indicators of compromise and emerging trends. This holistic view enables proactive threat
detection and empowers security teams to stay one step ahead of cybercriminals.

Staying one step ahead of cyber attackers also means doing your research. Luckily, Microsoft takes care of this for you as
well. Microsoft's dedicated team of threat researchers works tirelessly to uncover new threats and vulnerabilities.
Through continuous analysis of the threat landscape, they identify attack techniques and develop countermeasures to
safeguard against them. Their research enhances the accuracy of threat detection algorithms and ensures that Microsoft
Defender for Endpoint is armed with the latest threat intelligence.

Having the latest threat intelligence is crucial, and this is where behavior monitoring can help. Behavior monitoring forms
a critical component of Microsoft Defender for Endpoint Defense strategy. By monitoring and analyzing the behavior of
processes, applications, and users, the system can identify suspicious activities indicative of a potential cyberattack. This
real-time analysis helps prevent the execution of malicious code and provides security teams with immediate visibility
into threats, enabling rapid response and containment.

Threat technologies are also used to proactively seek out hidden threats that may have evaded initial detection – this is
called threat hunting. Highly skilled security professionals leverage their expertise and advanced tools to search for and
investigate indicators of compromise within an organization's environment. This proactive approach enables the
discovery of stealthy threats, enhancing overall security posture; but what happens when a threat is detected and its
files need to be executed safely and its behavior needs to be analyzed?

For this, Microsoft Defender for Endpoint employs isolated environments in the form of built-in sandboxes. By running
potentially malicious code in a controlled environment, the system can assess its impact without the risk of
compromising the company environment. Sandboxing enables the identification of previously unknown malware and
provides valuable insights into their behavior, facilitating better protection against future threats.

Other threat technologies like automated investigations are used to accelerate incident response processes. When a
potential threat is detected, the system automatically gathers and analyzes relevant data, identifies the scope of the
incident, and provides actionable recommendations for containment and remediation. By automating time-consuming
investigative tasks, security teams can respond swiftly to threats, minimizing the impact of attacks.

While the aforementioned technologies and techniques form the backbone of Microsoft Defender for Endpoint, the
expertise of threat specialists is invaluable in the fight against cyberattacks. Microsoft security professionals possess a
deep understanding of the threat landscape and bring a human touch to the platform. They provide additional context,
conduct in-depth investigations, and fine-tune detection algorithms to ensure the highest level of protection against
emerging threats. In conclusion, as the digital landscape evolves, cyber criminals continue to devise sophisticated attack
techniques. Microsoft Defender for Endpoint rises to the challenge by harnessing the power of threat technologies.
Machine learning, big data analysis, in-depth threat research, behavior monitoring, threat hunting, built-in sandboxes,
automated investigations, and the expertise of threat experts collectively form a formidable defense against cyber
threats. By leveraging these technologies, organizations can safeguard their environments, detect threats in real-time,
and respond swiftly to mitigate the impact of cyber attacks.
Next gen antivirus and endpoint response
Introduction Traditional antivirus software that merely detects known threats and remove them are no longer sufficient
in today’s cyber landscape. This is where Microsoft Defender, a next-generation antivirus (NGAV) and endpoint detection
and response (EDR) solution, truly shines. This reading explores how Microsoft Defender addresses modern cyberthreats
and its distinct features that set it apart in the cybersecurity realm.

Next-generation antivirus (NGAV) Microsoft Defender is classified as a next-generation antivirus (or NGAV) that not only
protect against viruses, but also an array of threats, including ransomware, phishing attempts, and zero-day exploits. It
does so by blending classic antivirus functionality with a range of modern features. These features include advanced
methods like artificial intelligence and machine learning, behavior analysis, and real-time threat intelligence feeds to
identify and respond to threats. In contrast with traditional antivirus software that primarily depends on signature-
based detection, NGAV solutions are capable of detecting and mitigating novel, previously unseen threats.

AI and machine learning are key to this capability. By leveraging these technologies, Microsoft Defender is able to
learn from vast amounts of data on known threats and develop models to predict and identify new threats. This
advanced detection extends to fileless and script-based attacks, which often evade traditional signature-based
antivirus solutions. But AI and machine learning aren’t the only technologies used by Microsoft Defender, it also relies
on the power of the cloud to analyze security data and detect threats.

By gathering and processing threat intelligence from millions of devices globally, it can quickly recognize emerging
threats and respond in real-time. Its vast, interconnected data network, along with the speed and accuracy of
detection it provides, are only possible with cloud-based technology. Cloud protection works together with Microsoft
Defender Antivirus to deliver accurate, real-time, and intelligent protection. You can refer to the following infographic
to give you an idea of how comprehensive cloud protection in Microsoft Defender is.
Real-time protection An important feature of NGAV solutions like Microsoft Defender is real-time protection. This
component continually scans for malware, viruses, and security vulnerabilities, allowing it to stop threats before they can
do damage. The screenshot below presents a scan result where 22,585 files were scanned and no threats were found.

Coupled with automatic updates, this real-time protection ensures that devices are always armed with the latest security
measures.

EDR solutions Complementing the NGAV capabilities, Microsoft Defender also provides endpoint detection and response
(or EDR) solutions. EDR is a cyber security approach focused on detecting, investigating, and mitigating suspicious
activities on hosts and endpoints. Essentially, it provides a continuous monitoring and response mechanism that aims to
stop cyberattacks in their tracks. In Microsoft Defender, EDR is made up of multiple components, including threat and
vulnerability management, automated investigation and remediation, and advanced hunting features. Let’s examine
them a bit closer.

Threat and vulnerability management Threat and vulnerability management provides real-time insights into the overall
security posture of an organization's devices. It identifies vulnerabilities and misconfigurations, helping prioritize actions
based on the threat landscape and risk context. This informed prioritization allows for efficient allocation of resources,
ensuring that the most pressing threats are addressed first.

Automated investigation and remediation In the event of a detected threat, Microsoft Defender's EDR capabilities can
automatically initiate an investigation into the scope of the threat, its origins, and its impact. Automated remediation
actions can then be taken, such as isolating affected devices, removing malicious files, or reversing actions carried out by
threats. This not only minimizes response time but also reduces the burden on IT staff.
Advanced hunting features Microsoft Defender’s EDR also offers an advanced hunting feature, which allows security
analysts to proactively hunt for threats across their organization's endpoints. Analysts can use custom queries to sift
through vast amounts of data, identifying patterns and anomalies that might indicate a threat.

Conclusion To summarize, the rise of NGAV and EDR technologies marks a significant evolution in antivirus solutions,
taking cybersecurity beyond simple virus detection and removal. When combined, NGAV and EDR components within
Microsoft Defender form a powerful, modern antivirus system that offers layered protection against a wide range of
threats. It not only provides real-time protection, but also continuously learns from global threat intelligence and
previous encounters, honing its defenses over time. Furthermore, by providing automated responses and insightful
analytics, it allows organizations to act swiftly, confidently, and intelligently in the face of ever evolving cyberthreats.
Microsoft Defender exemplifies the new era of antivirus software, providing a comprehensive, dynamic, and adaptive
solution for today’s complex cyber threat landscape.

Endpoint encryption
In today's digital age, with the surge of remote workers and Cloud-based storage usage, the importance of data
encryption is undeniable. This video explores various types of endpoints encryption offered by Microsoft, its
management through Microsoft Defender for Endpoint, and its significance in securing data. Let's get started with why
endpoint encryption is so important.

As companies have rapidly transitioned to remote work environments, the number of disbursed endpoints has increased
dramatically. Each of these devices, whether they are at an office or an employee's home, host potentially sensitive
company data. Without appropriate security measures, these endpoints can become entry points for cybercriminals.

Encryption provides a critical line of defense by rendering data unreadable to anyone without the decryption key; even if
a device is lost, stolen, or breached, encrypted data remains secure. This measure is especially crucial for remote workers
who often use personal networks and storage devices that may not have the same security levels as corporate networks.

Similarly, Cloud storage, which has become an integral part of many businesses, requires robust encryption to protect
data. With Microsoft's Cloud encryption, data is safe, guarded at rest and in transit, ensuring protection against a wide
range of threats.

Now, let's examine the different types of endpoints encryption. First is device encryption, a hardware-based encryption
solution that is built into the Windows operating system. This type of encryption secures the entire device by encrypting
the contents of its internal storage. When a device is encrypted, unauthorized parties cannot access the store data
without the necessary decryption key, even if they physically remove the device's hard drive.

Next is full disk encryption or FDE, a software-based security measure incorporated into Microsoft BitLocker. As the name
suggests, FDE encrypts all the data on a computer's hard drive by default. it uses the Advanced Encryption Standard or
AES encryption algorithm in Cipher Block Chaining.

It can also use Zack's tweakable block cipher texts dealing or XTS mode with 128 bit or 256 bit keys. Bitlocker prevents
hackers from accessing the system files your computer uses to boot up or from running a software hacking tool while
your computer is locked or off.

There is also file and folder encryption, which offer a more granular level of control compared to device or full disk
encryption. Microsoft's encrypting file system, or EFS, provides this feature by encrypting individual files or folders. With
EFS, you can protect specific sensitive data while leaving other less critical files unencrypted.

For removable storage device encryption, Microsoft solution is BitLocker To Go. Similar to BitLocker, it utilizes AES
encryption to protect data on devices like USB drives, ensuring the safe transit of information between devices and
locations.
Last is Cloud encryption, which has become necessary with the proliferation of cloud services. Azure Storage Service
Encryption automatically encrypts data before storing it in the Cloud and decrypts it upon retrieval. Azure Storage uses
server side encryption or SSE to automatically encrypt data when it is persisted to the Cloud.

This process ensures that all data stored in the Cloud is always protected from unauthorized access. You might be
wondering how all these types of encryption are managed. The answer is Microsoft Defender for Endpoint dashboard.

Using the intuitive dashboard, IT administrators can monitor the BitLocker status of each device, which makes it possible
to ensure that full disk and device encryption is consistently maintained. In this example, Defender for Endpoint flags
that BitLocker is not turned on and so it recommends that it is turned on on all devices.

This can be remediated by sending a request to Microsoft Intune. The dashboard integrates with other Microsoft security
solutions, providing a comprehensive approach to endpoint encryption. In conclusion, Microsoft's encryption offerings
provide comprehensive solutions to secure data across devices, disks, files, removable media, and the Cloud. With
Microsoft Defender for Endpoint, managing these encryption services becomes significantly easier, enabling businesses
to maintain a robust security posture in an increasingly digital and distributed world.
As a network administrator, you've just installed Microsoft Defender for Endpoint. What protections can you now
expect?

Firewall and antivirus software only

Password management and two-factor authentication

Threat detection, response capabilities, and prevention strategies Correct

That's correct! Microsoft Defender for Endpoint provides comprehensive protection including threat detection, response
capabilities, and prevention strategies.

Question 2 Which of the following are ways in which MS Defender for Endpoint protects endpoints? Select all that apply.

Installation of third-party antivirus software

Behavior-based, machine learning-driven threat detection Correct

That's correct! Microsoft Defender for Endpoint uses behavior-based, machine learning-driven threat detection to
protect endpoints.

Decryption of all network traffic

Automated security alerts and incident response Correct

That's correct! Automated security alerts and incident response are key features of Microsoft Defender for Endpoint.

Question 3 If a device is lost or stolen, which Microsoft endpoint encryption technology can help prevent unauthorized
access to the stored data?

File and folder encryption

RSA encryption

BitLocker Correct

Elliptic curve cryptography

That's correct! BitLocker encryption can help protect data stored on the device and prevent unauthorized access.

Question 4 Which capability of the Microsoft Defender for Endpoint portal would be most useful if a security analyst
wants to access an overview of their organizational exposure score?

Advanced threat hunting dashboard

Automated investigation dashboard

Vulnerability management dashboard Correct

That's correct! The vulnerability management dashboard provides an exposure score and shows the collective security
configuration posture.

Question 5 True or false: Microsoft Intune is an endpoint management solution for mobile and desktop systems.

True Correct

False

That's correct! Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile
application management (MAM).
Describe the endpoint management capabilities of Microsoft 365
In today’s hybrid and remote workplace organizations are challenged with managing a variety of devices configured in
different ways that need access to their resources. Your organization might have Android and iOS mobile phones,
Windows and macOS PCs, and custom devices your employees bring to work. Employees need to collaborate and
securely access and connect to these resources from anywhere. IT departments need to manage end user access and
protect data all while supporting employees from wherever they work. Microsoft provides the tools and services to
enable you to simplify the management of these devices through their endpoint management solutions.

Microsoft Intune is a family of products and services that offer a cloud-based unified endpoint management solution.
The Intune family includes Microsoft Intune service, Configuration Manager, co-management, Endpoint Analytics,
Windows Autopilot and Intune admin center. These solutions can help manage, protect and monitor all your
organization's endpoints.

Note: Endpoints are physical devices, such as mobile devices, desktop computers, virtual machines, embedded devices,
and servers that connect to and exchange information with a computer network.

These solutions support data protection on both company-owned and personal devices using non-intrusive app
management. It champions a Zero Trust security model through data protection and endpoint compliance while
enhancing IT efficiency and improving both admin and end user experiences in hybrid work settings.

Note: Zero Trust is a security model consisting of three guiding principles: Verify explicitly, use least privilege access, and
assume breach. To learn more about Zero Trust, visit Zero Trust implementation guidance.

Let's explore how the Microsoft Intune family enables IT to configure and protect endpoints for better hybrid work
experiences.

Microsoft Intune
Microsoft Intune is a cloud-based endpoint management solution that manages user access to organizational resources
and simplifies app and device management across your many devices, including mobile devices, desktop computers, and
virtual endpoints. Some of the key features and benefits of Intune include:

 Allows management of users and devices (both organizational and personal) across platforms like Android, AOSP,
iOS/iPadOS, macOS, and Windows, enabling secure access to organization resources through user-defined
policies.

 Intune streamlines app management, offering in-built deployment, updates, and removal capabilities, integration
with private app stores, Microsoft 365 app support, Win32 app deployment, and tools for app protection policies
and data access control.

 Intune automates policy deployment for apps, security, device configuration, compliance, conditional access and
more.

 The Company Portal app provides self-service features for employees and students, such as PIN/password resets,
app installations, and more.

 Intune partners with mobile threat defense tools, including Microsoft Defender for Endpoint and third-party
services, to emphasize endpoint security, enabling policies for real-time threat response and automated
remediation.

 Intune's web-based admin center emphasizes endpoint management and data-driven reporting, allowing admins
to sign in from any device with internet access.
Configuration Manager
Configuration Manager is an on-premises management solution to manage desktops, Windows servers, and laptops that
are on your network or internet-based. Configuration Manager boosts IT productivity by reducing manual tasks and
letting you focus on high-value projects. Configuration Manager enhances IT services by securely deploying applications
and updates at scale, facilitating real-time actions on devices, offering cloud-driven analytics for both on-site and online
devices, managing compliance settings, and providing thorough oversight of servers and computers. Configuration
Manager collaborates with numerous Microsoft technologies. You can cloud-attach your Configuration Manager
environment allowing you to modernize and streamline your management solution.

Tip: If you need to manage a combination of both cloud and on-premises endpoints, you can use cloud attach to use
both Intune and Configuration Manager.Cloud attach allows you to connect your on-premises Configuration Manager to
the cloud without having to worry about disruption or risk. A Configuration Manager environment is considered cloud
attached when it uses at least one of the three primary cloud attach features which consist of co-management, tenant
attach, and Endpoint analytics. You can enable these three features in any order you wish, or all at once.

Co-management
Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft
365 cloud, enhancing capabilities like conditional access. It allows simultaneous management of Windows 10 or later
devices through both Configuration Manager and Microsoft Intune, enhancing your Configuration Manager's functions.
Devices with the Configuration Manager client enrolled in Intune benefit from both services. The authority to shift
specific workloads from Configuration Manager to Intune is in your control, while Configuration Manager retains
authority over other workloads.

Note: Conditional access allows organizations to implement policies that control and restrict access to their resources
based on certain conditions and criteria.

Tenant-attach
Tenant attach allows your device records to be in the cloud, enabling you to act on these devices from a cloud console. It
provides real-time data from Configuration Manager clients, including those online. It also lets you manage endpoint
security for both Windows Servers and Client devices from the Intune admin center, including antivirus status and
malware reports.

Endpoint Analytics
Endpoint Analytics is a cloud-native service that provides metrics and recommendations on the health and performance
of your Windows client devices. Endpoint Analytics is part of the Microsoft Adoption Score. These analytics give you
insights for measuring how your organization is working and the quality of the experience you're delivering to your users.
Endpoint analytics can help identify policies or hardware issues that might be slowing down devices and help you
proactively make improvements before end-users generate a help desk ticket. You can use Endpoint Analytics on devices
that are managed with Intune or Configuration Manager connected to the cloud.

Windows Autopilot
Windows Autopilot is a cloud-native service that sets up and pre-configures new devices, getting them ready for use.
You can also use Windows Autopilot to reset, repurpose, and recover devices. It's designed to simplify the lifecycle of
Windows devices, for both IT and end-users, from initial deployment through end of life. You can use Autopilot to
preconfigure devices, automatically join devices to Microsoft Entra ID (formally known as Azure Active Directory or Azure
AD) or enroll devices in Intune, customize out of box experience and more. You can also integrate Autopilot with
Configuration Manager and co-management for more device configurations.

Note: Microsoft Entra ID (formally known as Azure Active Directory or Azure AD) is a cloud-native service that is used by
Intune to manage the identities of users, devices, and groups. The Intune policies you create are assigned to these users,
devices, and groups. When devices are enrolled in Intune, your users sign into their devices with their Microsoft Entra ID
accounts. To learn more about Microsoft Entra ID, see Microsoft Entra ID documentation - Microsoft Entra | Microsoft
Learn.

Windows Autopatch
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and
Microsoft Teams updates to improve security and productivity across your organization. The goal of Windows Autopatch
is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users.
Once a device is registered with the service and depending on your subscription, you have access to a variety of features
through the Microsoft Intune admin center such as update rings, autopatch groups, hotpatch updates, driver and
firmware updates and more.

Intune admin center

The Intune admin center is a one-stop web site to add users and groups, create and manage policies, and monitor your
policies using report data. If you use Configuration Manager tenant-attach or co-management, you can see your on-
premises devices and run some actions on these devices.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks
prevent, detect, investigate, and respond to advanced threats. Example endpoints include laptops, phones, tablets, PCs,
access points, routers, and firewalls.

Microsoft Defender for Endpoint is a core part of Microsoft Defender 365, which includes Microsoft Defender for
Endpoint , Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps:

Tip: Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft
Defender Vulnerability Management add-on is now available for Plan 2.

For more information on the features and capabilities included in each plan, including the Defender Vulnerability
Management add-on, see Microsoft 365 guidance for security & compliance.

Watch the following video to learn more about Defender for Endpoint:
Asset Discovery discovers devices to within the Enterprise network, scans them for vulnerabilities, assesses them for risk,
then makes security recommendations for onboarding them into Defender for Endpoint:
Threat and Vulnerability Management assesses risks to onboarded devices and provides a means of sending remediation
requests to the asset owners:
Attack Surface Reduction reduces risks without limiting user productivity – limiting the running of risky scripts or visiting
dangerous websites, as well as other services:

Next Generation Protection is Microsoft’s AI- assisted antivirus protection that uses behavior monitoring to detect and
block malicious file-based and fileless threats:

Endpoint Detection and Response searches for hidden threats on endpoints, continuously monitoring user and device
behaviors and generating reports and alerts for security teams:
It analyzes and summarizes attack chain-like behavior and suggests next steps:
It also collects six months of threat detection data for each enpoint and provides a dash for Threat Hunting:

It also includes a built-in sandbox, where suspicious files can be safely tested, and outputs a full report of the results.

Auto investigation and remediation leverages AI to recreate the procedures a human security analyst would use to
AUTOMATICALLY investigate and remediate threats. It’s additionally active continuously, 24/7:
Lastly, Microsoft Threat Experts provides targeted attack notifications and provides threat experts on demand that can
provide consultations

Lastly, Microsoft for Defender’s APIs enable integration with other services,
including integration with customers’ already existing infrastructure using
Microsoft Graph API – connecting to SIEM or existing ticketing solutions, etc:
Lastly, Endpoint Manager allows the configuration of security settings for managed endpoints:
Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud
service:

 Endpoint behavioral sensors: Embedded in Windows 10, these sensors

collect and process behavioral signals from the operating system and send
this sensor data to your private, isolated, cloud instance of Microsoft
Defender for Endpoint.
 Cloud security analytics: Using big data, device learning, and unique
Microsoft optics across the Windows ecosystem, enterprise cloud products
(such as Office 365), and online assets, behavioral signals are translated into
insights, detections, and recommended responses to advanced threats.
 Threat intelligence: Generated by Microsoft hunters, security teams, and
augmented by threat intelligence provided by partners, threat intelligence
enables Defender for Endpoint to identify attacker tools, techniques, and
procedures, and generate alerts when observed in collected sensor data.
Microsoft Defender for Endpoint

Important: The capabilities on non-Windows platforms may be different from the ones for Windows. For more
information on what capabilities are available for non-Windows platforms, see Microsoft Defender for Endpoint for non-
Windows platforms.

Core Defender Vulnerability Management Built-in core vulnerability management capabilities use a modern risk-based
approach to the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
To further enhance your ability to assess your security posture and reduce risk, a new Defender Vulnerability
Management add-on for Plan 2 is available. For more information on the different vulnerability management capabilities
available to you, see Compare Microsoft Defender Vulnerability Management offerings.

Attack surface reduction The attack surface reduction set of capabilities provides the first line of defense in the stack. By
ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist
attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate
access to malicious IP addresses, domains, and URLs.

Next-generation protection To further reinforce the security perimeter of your network, Microsoft Defender for
Endpoint uses next-generation protection designed to catch all types of emerging threats.

Endpoint detection and response Endpoint detection and response capabilities are put in place to detect, investigate,
and respond to advanced threats that might have made it past the first two security pillars. Advanced hunting provides a
query-based threat-hunting tool that lets you proactively find breaches and create custom detections.

Automated investigation and remediation In conjunction with being able to quickly respond to advanced attacks,
Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume
of alerts in minutes at scale.

Microsoft Secure Score for Devices Defender for Endpoint includes Microsoft
Secure Score for Devices to help you dynamically assess the security state of your
enterprise network, identify unprotected systems, and take recommended
actions to improve the overall security of your organization.
Microsoft Threat Experts Microsoft Defender for Endpoint's new managed threat hunting service provides proactive
hunting, prioritization, and more context and insights that further empower Security operation centers (SOCs) to identify
and respond to threats quickly and accurately.

Important: Defender for Endpoint customers need to apply for the Microsoft
Threat Experts managed threat hunting service to get proactive Targeted Attack
Notifications and to collaborate with experts on demand. Experts on Demand is
an add-on service. Targeted Attack Notifications are always included after you
have been accepted into Microsoft Threat Experts managed threat hunting
service.
If you aren't enrolled yet and would like to experience its benefits, go
to Settings > General > Advanced features > Microsoft Threat Experts to apply.
Once accepted, you'll get the benefits of Targeted Attack Notifications, and start
a 90-day trial of Experts on Demand. Contact your Microsoft representative to
get a full Experts on Demand subscription.
Centralized configuration and administration, APIs Integrate Microsoft Defender for Endpoint into your existing
workflows.

Integration with Microsoft solutions Defender for Endpoint directly integrates with various Microsoft solutions,
including: Microsoft Defender for Cloud, Microsoft Sentinel, Intune, Microsoft Defender for Cloud Apps, Microsoft
Defender for Identity, Microsoft Defender for Office, Skype for Business

Microsoft Defender XDR With Microsoft Defender XDR, Defender for Endpoint, and various Microsoft security solutions,
you have a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email,
and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.

Describe the endpoint management capabilities of Microsoft 365: In today’s hybrid and remote workplace,
organizations are challenged with managing a variety of devices configured in different ways that need access to their
resources. Your organization might have Android and iOS mobile phones, Windows and macOS PCs, and custom devices
your employees bring to work. Employees need to collaborate and securely access and connect to these resources from
anywhere. IT departments need to manage end user access and protect data all while supporting employees from
wherever they work. Microsoft provides the tools and services to enable you to simplify the management of these
devices through their endpoint management solutions.

Microsoft Intune is a family of products and services that offer a cloud-based unified endpoint
management solution. The Intune family includes Microsoft Intune service, Configuration
Manager, co-management, Endpoint Analytics, Windows Autopilot and Intune admin
center. These solutions can help manage, protect and monitor all your
organization's endpoints.
 Note: Endpoints are physical devices, such as mobile devices, desktop computers, virtual machines, embedded devices,
and servers that connect to and exchange information with a computer network. These solutions support data
protection on both company-owned and personal devices using non-intrusive app management. It champions a Zero
Trust security model through data protection and endpoint compliance while enhancing IT efficiency and improving both
admin and end user experiences in hybrid work settings.

Note: Zero Trust is a security model consisting of three guiding principles: Verify
explicitly, use least privilege access, and assume breach. To learn more about Zero
Trust, visit Zero Trust implementation guidance.
Let's explore how the Microsoft Intune family enables IT to configure and protect endpoints for better hybrid work
experiences.

Microsoft Intune is a cloud-based endpoint management solution that manages user access to organizational resources
and simplifies app and device management across your many devices, including mobile devices, desktop computers, and
virtual endpoints. Some of the key features and benefits of Intune include:

 Allows management of users and devices (both organizational and personal) across platforms like Android, AOSP,
iOS/iPadOS, macOS, and Windows, enabling secure access to organization resources through user-defined
policies.

 Intune streamlines app management, offering in-built deployment, updates, and removal capabilities, integration
with private app stores, Microsoft 365 app support, Win32 app deployment, and tools for app protection policies
and data access control.

 Intune automates policy deployment for apps, security, device configuration, compliance, conditional access and
more.

 The Company Portal app provides self-service features for employees and students, such as PIN/password resets,
app installations, and more.

 Intune partners with mobile threat defense tools, including Microsoft Defender for Endpoint and third-party
services, to emphasize endpoint security, enabling policies for real-time threat response and automated
remediation.

 Intune's web-based admin center emphasizes endpoint management and data-driven reporting, allowing admins
to sign in from any device with internet access.

Configuration Manager is an on-premises management solution, while Intune is a cloud-based management solution
to manage desktops, Windows servers, and laptops that are on your network or internet-based. Configuration Manager
boosts IT productivity by reducing manual tasks and letting you focus on high-value projects. Configuration Manager
enhances IT services by securely deploying applications and updates at scale, facilitating real-time actions on devices,
offering cloud-driven analytics for both on-site and online devices, managing compliance settings, and providing
thorough oversight of servers and computers. Configuration Manager collaborates with numerous Microsoft
technologies. You can cloud-attach your Configuration Manager environment, allowing you to modernize and streamline
your management solution.

Tip: If you need to manage a combination of both cloud and on-premises endpoints, you can use cloud attach to use
both Intune and Configuration Manager. Cloud attach allows you to connect your on-premises Configuration Manager
to the cloud without having to worry about disruption or risk. A Configuration Manager environment is considered cloud
attached when it uses at least one of the three primary cloud attach features which consist of co-management, tenant
attach, and Endpoint analytics. You can enable these three features in any order you wish, or all at once.
Co-management is one of the primary ways to attach your existing Configuration Manager
deployment to the Microsoft 365 cloud, enhancing capabilities like conditional access. It
allows simultaneous management of Windows 10 or later devices through both Configuration
Manager and Microsoft Intune, enhancing your Configuration Manager's functions. Devices
with the Configuration Manager client enrolled in Intune benefit from both services. The
authority to shift specific workloads from Configuration Manager to Intune is in your control,
while Configuration Manager retains authority over other workloads.
Note: Conditional access allows organizations to implement policies that control and restrict access to their resources
based on certain conditions and criteria.

Tenant attach allows your device records to be in the cloud, enabling you to act on these devices from a cloud console. It
provides real-time data from Configuration Manager clients, including those online. It also lets you manage endpoint
security for both Windows Servers and Client devices from the Intune admin center, including antivirus status and
malware reports.

Endpoint Analytics is a cloud-native service that provides metrics and recommendations on the health and performance
of your Windows client devices. Endpoint Analytics is part of the Microsoft Adoption Score. These analytics give you
insights for measuring how your organization is working and the quality of the experience you're delivering to your users.
Endpoint analytics can help identify policies or hardware issues that might be slowing down devices and help you
proactively make improvements before end-users generate a help desk ticket. You can use Endpoint Analytics on devices
that are managed with Intune or Configuration Manager connected to the cloud.

Windows Autopilot is a cloud-native service that sets up and pre-configures new devices, getting them ready for use.
You can also use Windows Autopilot to reset, repurpose, and recover devices. It's designed to simplify the lifecycle of
Windows devices, for both IT and end-users, from initial deployment through end of life. You can use Autopilot to
preconfigure devices, automatically join devices to Microsoft Entra ID (formally known as Azure Active Directory or Azure
AD) or enroll devices in Intune, customize out of box experience and more. You can also integrate Autopilot with
Configuration Manager and co-management for more device configurations.

Note: Microsoft Entra ID (formally known as Azure Active Directory or Azure AD) is a cloud-native service that is used by
Intune to manage the identities of users, devices, and groups. The Intune policies you create are assigned to these users,
devices, and groups. When devices are enrolled in Intune, your users sign into their devices with their Microsoft Entra ID
accounts. To learn more about Microsoft Entra ID, see Microsoft Entra ID documentation - Microsoft Entra | Microsoft
Learn.

Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and
Microsoft Teams updates to improve security and productivity across your organization. The goal of Windows Autopatch
is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users.
Once a device is registered with the service and depending on your subscription, you have access to a variety of features
through the Microsoft Intune admin center such as update rings, autopatch groups, hotpatch updates, driver and
firmware updates and more.

The Intune admin center is a one-stop web site to add users and groups, create and manage policies, and monitor your
policies using report data. If you use Configuration Manager tenant-attach or co-management, you can see your on-
premises devices and run some actions on these devices.

Compare the differences of Windows 365 and Azure Virtual Desktop

As organizations move towards remote work, cloud-based solutions such as Windows 365 and Azure Virtual Desktop
(AVD) have become powerful tools for improving productivity and granting remote access to applications and data.
Windows 365 and AVD services are both virtual desktop solutions, also known as Desktop-as-a-Service. Both these
solutions allow you to experience Microsoft’s client operating system (OS), Windows.

Windows 11 is the current version and is built on the same foundation as Windows 10 but offers further enhancements
such as universal search, accessibility features, desktop personalization, PC and phone syncing and much more. One
enhancement that will be available for Windows 11 editions is Microsoft Copilot in Windows, a centralized AI assistant.
You can ask Copilot in Windows a range of questions, to rewrite, summarize, explain content, or help personalize your PC
to get more done across all your apps and more. Windows 365 and AVD allow your end users to experience all these
features of Windows from anywhere with internet connection and a compatible device. While these solutions offer
similar functionality there are some differences. Lets dive deeper into each solution.

Important: The information on Microsoft Copilot in Windows only applies to the Windows Insider Preview Dev Channel.
Details are subject to change. If you are interested in joining the Windows Insider Program, learn how the program works
here: The Windows Insider Program (microsoft.com).

To learn more about Windows and its features, see Experience the Power of Windows 11 OS, Computers, & Apps |
Microsoft.

Windows 365 is a cloud-based service that automatically creates a new type of Windows virtual machine (VM), known
as Cloud PCs, for your end users. Windows 365 introduces a new way to experience Windows client to organizations of
all sizes. Securely stream the full Windows experience via a browser, including apps, data, and settings, from the
Microsoft cloud to any personal or corporate device.

Note: A virtual machine (VM) is a virtual computer or software-defined computer with a physical server, existing only as
code. To learn more about what a virtual machine is, see What Is a Virtual Machine and How Does It Work | Microsoft
Azure.

Here's what you can do with Windows 365:

 Stream your apps, data, content, and settings from the Microsoft cloud to any device and pick up where you left
off.

 Personalized Windows 365 Cloud PCs available across devices.

 Dedicated to a single user.

 Simple to deploy and manage from a single console.

 Easily set up and scale Cloud PCs to fit your needs and securely support changing workforce needs and new
business scenarios.

 Assign a license to a user and Windows 365 is automatically provisioned for that user.

 Azure computing and storage are managed by Microsoft with a fixed cost.

Windows 365 is available in two editions: Windows 365 Business and Windows 365 Enterprise. To learn more about
these editions, see Compare Windows 365 Business and Enterprise. To learn more about the requirements for Windows
365, see Windows 365 requirements | Microsoft Learn.

Azure Virtual Desktop (AVD) is a modern and secure desktop and app virtualization solution that runs on the cloud. AVD
allows users to connect to a Windows desktop running in the cloud. It's the only solution that delivers multi-session on
Windows. AVD gives you the ability to access your desktop and applications from virtually anywhere.

Here's what you can do with Azure Virtual Desktop:

 Set up a multi-session Windows Client deployment that delivers a full Windows experience with scalability.
  Dedicated to a single user or used by multiple users, using FSLogix technology.

 Present Microsoft 365 Apps for Enterprise and optimize it to run in multi-user virtual scenarios.

 Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer.

 Virtualize both desktops and apps.

 Manage desktops and apps from different Windows and Windows Server operating systems with a unified
management experience.

 Azure computing and storage are customer managed with consumption-based costs.

Note: Azure Virtual Desktop on Surface lets you run Virtual Desktop Infrastructure (VDI) on a Surface device. AVD on
Surface blurs the lines between the local desktop experience and the virtual desktop, where touch, pen, ink, and
biometric authentication span both physical and virtual environments. To learn more, see Azure Virtual Desktop on
Surface. To help you choose the right option for your hybrid work needs, see Windows 365 Cloud PC and Azure Virtual
Desktop.

Identify deployment methods and update channels for Microsoft 365 Apps

Deployment methods: Microsoft 365 Apps can be installed individually by users on their devices. But it's often beneficial
to manage updates and deploy a customized selection of apps to users’ devices to ensure that all users have the apps
they need. The following list explains the different methods you can use to deploy Microsoft 365 Apps:

 Deploy from a local source with Configuration Manager. Manage your deployment with Configuration Manager,
and download and deploy Office from distribution points on your network.

 Deploy from the cloud with the Office Deployment Tool (ODT). Manage your deployment with the ODT and
install Office on client devices directly from the Office Content Delivery Network (CDN). The deployment tool is
run from the command line and uses a configuration file to determine what settings to apply when deploying
Office. Microsoft recommends using the Office Customization Tool to create a configuration file.

 Deploy from a local source with the Office Deployment Tool (ODT). Manage your deployment with the ODT, and
download and deploy Office from a local source on your network.

 Self-install from the cloud. Manage your deployment from the Office portal and have your users install Office on
their client devices directly from the portal.

Deploy Microsoft 365 interactive guide: In this interactive guide, you'll explore three methods for deploying Office 365
to your organization. The techniques remain the same for Microsoft 365 Apps.

Update channels: One of the benefits of Microsoft 365 Apps is that Microsoft provides new and updated features for
Office apps regularly. For example, adding improved translation capabilities to Word or adding support for 3D animations
in PowerPoint. You can control how often the users in your organization get these new features by specifying the update
channel. As needed, Microsoft also provides each update channel with two other types of updates that are released
every month:

 Security updates, are updates that help keep Office protected from potential malicious attacks.

 Non-security updates (quality updates), are updates that provide stability or performance improvements for
Office.

Here are the three primary update channels for Microsoft 365 Apps:
  Current Channel receives feature updates as soon as they're ready, but there's no set schedule. This channel also
receives security and non-security updates around two or three times a month. Microsoft recommends this
channel because it provides users with the newest Office features as soon as they’re ready.

 Monthly Enterprise Channel receives feature updates once a month, on the second Tuesday of the month. This
monthly update can include feature, security, and non-security updates. Microsoft recommends this channel if
you want to provide your users with new Office features once a month on a predictable release schedule.

 Semi-Annual Enterprise Channel receives feature updates every six months, in January and July on the second
Tuesday of the month. This update can include feature, security, and non-security updates. Microsoft
recommends this channel only for those select devices in your organization where extensive testing is needed
before rolling out new Office features.

The update channel of Microsoft 365 Apps you deploy to the users in your organization can depend on several factors,
such as application compatibility testing and user readiness. Not all users in your organization need to be on the same
update channel. For example, you can provide your training department with current channel so they can start learning
about the new Office features, while the rest of your organization is on semi-annual enterprise channel.

How updates are installed for Microsoft 365 Apps Microsoft 365 Apps checks for updates regularly, and they're
downloaded and installed automatically. There aren’t separate downloads for feature, security, or non-security updates.
The updates are cumulative, so the most current update includes all the updates that have been previously released for
that update channel. While updates are being downloaded, your users can continue to use Office apps. After they're
downloaded, all the available updates for that update channel will install at the same time. If any Office apps are open,
your users will be prompted to save their work and close the apps, so that the updates can finish installing.

Introduction to identity defense

In today's interconnected world, where organizations rely heavily on digital platforms and data-driven processes,
protecting identities has become paramount. Cybercriminals constantly evolve their tactics, employing various identity-
based threats to breach organizational defenses and compromise sensitive information.

This video delves into the realm of identity-based threats, exploring prominent attack vectors such as phishing, password
spraying, and identity spoofing. Furthermore, it emphasizes the critical importance of identity defense in safeguarding
organizations and highlights the range of solutions available to mitigate these threats.

Let's start by exploring phishing attacks. These attacks involve tricking individuals into divulging sensitive information,
such as login credentials or financial data. By impersonating a trusted entity, attackers use cleverly crafted emails to lure
victims to click on a link to a fraudulent website to trick victims into revealing their identities. The attacker can then
collect the details from the phishing website and use it to access the actual website. Sophisticated phishing techniques
like spear-phishing and whaling specifically target high-value individuals within organizations. These attacks exploit
human vulnerabilities, relying on unsuspecting users to inadvertently disclose critical information.

Next is password spraying, which is a type of brute-force attack where attackers systematically test commonly used
passwords against multiple user accounts. Instead of targeting a specific user, this attack seeks to exploit weak or reused
passwords across multiple accounts. For example, an attacker might gain access by testing a common pass123 password
against a number of accounts. By leveraging automation tools, attackers can scale their efforts and increase their chances
of success. Once they gain access to a single account, they often move laterally within the organization to further
compromise identities.

Another common type of identity-based threat is spoofing. Spoofing refers to the act of assuming another person's
identity to gain unauthorized access to systems or sensitive data. Attackers can exploit weak or misconfigured
authentication mechanisms to impersonate trusted users, systems, or devices. This technique often involves the use of
stolen or forged credentials, such as compromised usernames and passwords, or falsified digital certificates. By
mimicking legitimate identities, attackers can bypass security measures and gain unauthorized access to critical
resources.

By now, you might have realized that protecting organizational identities is crucial for maintaining data integrity,
preserving user trust, and preventing devastating breaches. By investing in robust identity defense strategies,
organizations can fortify their security posture and mitigate the risks associated with identity-based threats. For instance,
by implementing multi-factor authentication, or MFA mechanisms, organizations can add an extra layer of security
beyond traditional usernames and passwords. MFA requires users to provide multiple forms of identification, such as
biometrics or hardware tokens, significantly reducing the likelihood of unauthorized access.

Identity defense solutions also provide mechanisms to detect and respond to stolen credentials effectively. By employing
technologies like adaptive authentication and behavior analytics, organizations can detect anomalous login activities and
suspicious behavior patterns. This enables proactive measures, such as step-up authentication or account lockdowns,
preventing attackers from exploiting compromised credentials. By implementing granular access controls and identity
governance policies, organizations can enforce the principle of least privilege, ensuring that users only have access to the
resources necessary for their roles. Additionally, these solutions enable continuous monitoring and auditing of user
activities, enabling the detection of unauthorized data exfiltration attempts or fraudulent activities.

With this background information about identity theft methods and the importance of identity defense, let's explore
some of these defense solutions. Identity and access management, or IAM, solutions provide a centralized framework for
managing user identities, access privileges, and authentication mechanisms. These solutions enable organizations to
enforce strong password policies, implement MFA, and streamline user provisioning processes. IAM systems also
facilitate identity federation, allowing secure access across multiple systems and applications.

User and entity behavior analytics, or UEBA solutions, leverage machine learning algorithms to analyze user behavior and
identify anomalies that may indicate potential threats. By establishing baseline behavior patterns, UEBA tools can detect
suspicious activities, such as unusual login times or access attempts from unfamiliar locations. This proactive approach
helps organizations identify compromised accounts or insider threats quickly.

Another identity defense solution is privileged access management, or PAM. This solution focuses on securing privileged
accounts which have elevated access privileges within an organization. By implementing strict controls and monitoring
mechanisms, PAM solutions ensure that privileged credentials are properly managed, regularly rotated, and only granted
when necessary. This reduces the risk of unauthorized access and minimizes the potential damage from insider threats
or external attackers.

As identity-based threats continue to evolve and pose significant risks to organizations, robust identity defense measures
have become imperative. By understanding the various attack vectors such as phishing, password spraying, and identity
spoofing, organizations can enhance their security strategies to protect against these threats. Implementing identity
defence solutions like IAM, UEBA and PAM can fortify an organization's security posture, safeguard identities, and
mitigate the potential impact of breaches. By prioritizing identity defense, organizations can ensure the integrity of their
data, maintain user trust, and effectively counter the ever evolving landscape of cyber threats.

Password spraying is the opposite of brute force attacks – instead of using multiple passwords against a single account,
password spraying uses a single weak password against multiple accounts to try and gain access.

Zero Trust is a security model with three principles:

1. Verify explicitly
2. Use least privilege access
3. Assume breach.
Microsoft Purview
In the digital age, businesses are generating vast amounts of data every day. Take a pharmacy, for instance; from the
moment a customer walks through the door to the time they receive their prescription an abundance of information is
collected. This includes sensitive data, such as patient records containing personal details and their history of medication
lists, and prescriptions which hold vital information such as dosage instructions and warnings. But the pharmacy also
stores inventory data, tracking stock levels, expiration dates, and batch numbers. Furthermore, they also manage
financial data, including medical aid claims and billing records.

With this explosion of data comes the need for effective management and governance to ensure compliance, security,
and organizational efficiency. Microsoft
purview is a powerful data governance solution
that enables businesses like the pharmacy to gain insights into their data assets,
protect sensitive data, and maintain compliance with data regulations.
In this video, you will explore the key capabilities of Microsoft purview and how it can help you know, protect, and
govern your data. One of the fundamental challenges organizations face is understanding the data they possess.
Microsoft purview addresses this challenge by providing a unified view of an organization's data estate. It automatically
discovers and catalogs data from various sources, both on premises and in the Cloud, allowing businesses to gain insights
into their data assets.

The compliance portal in purview offers robust data classification capabilities, empowering businesses to identify and
categorize sensitive information effectively. It leverages machine learning algorithms to automatically classify data based
on predefined patterns, rules, and metadata. For example, the pharmacy can use purview to automatically identify and
label patient records as sensitive based on predefined rules or patterns. And it can classify prescriptions as confidential
or restricted, and inventory data as internal use only. The compliance portal supports both built-in and custom classifiers,
providing flexibility to tailor the classification process according to specific business needs. This classification helps
organizations like the pharmacy to understand the sensitivity of their data and take appropriate measures to secure it,
which is the next function of Microsoft purview, you'll explore.

To protect data, Microsoft purview uses sensitivity labels and sensitivity policies. Sensitivity labels enable organizations
to classify data based on its level of sensitivity. Sensitivity policies then apply appropriate protection measures based on
these labels. Sensitivity labels can be applied manually or automatically based on predefined rules. Sensitivity policies
enforce encryption and access control measures, ensuring that sensitive information remains protected throughout its
lifecycle.
This example from Microsoft Excel displays an applied sensitivity label from the window bar. You can easily change the
label by using the sensitivity bar that's available with the latest versions of Office. The labels are also available from the
Sensitivity button on the Home tab of the ribbon.

Sensitivity policies also play a role in data loss prevention or DLP, which is another critical aspect of protecting sensitive
information from unauthorized disclosure or misuse. It allows businesses like the pharmacy to define policies that
automatically detect and prevent the accidental or intentional sharing of sensitive data. DLP policies can be customized
to match specific regulatory requirements or business needs, providing granular control over data protection. For
instance, if a staff member tries to e-mail patient records or prescriptions to an external recipient, Purview can enforce
policies to block the transmission or encrypt the data.

The third pillar of Microsoft Purview helps organizations govern their data. It does this with effective data retention and
records management capabilities. It's focused on data retention first. Organizations can utilize retention policies and
retention labels to manage data retention effectively.
Retention policies define the duration for
which data should be retained, ensuring compliance with legal, regulatory, and
business requirements. Purview applies retention labels to data assets to enforce
these policies. And with purview's integration with Microsoft 365 and other data
repositories, businesses like the pharmacy can automate the enforcement of
retention policies.
Lastly, efficient records management is crucial for organizations to maintain compliance, streamline business processes,
and mitigate legal risks. Purview can assist the pharmacy in effectively managing records by providing a centralized
view of data assets. It can also help create a searchable catalog of records, making it easier to locate and retrieve
specific patient records or prescriptions. With purview, organizations can ensure that important records are properly
managed throughout their life cycle, from creation to disposal in a compliant and efficient manner.
In the age of big data, effective data governance is imperative for organizations across industries. Microsoft purview
offers a comprehensive suite of capabilities to address the challenges of data management, protection, and governance.
With its data classification capabilities, sensitivity labels, and policies, data loss
prevention, retention policies, and records management features, Microsoft
purview empowers businesses like pharmacies to gain insights into their data,
protect sensitive information, and maintain data compliance.
Azure Active Directory Identity Protection
Earlier, you learned that organizations worldwide face rising identity-based threats and attacks. Protecting user identities
and ensuring secure access to resources is crucial for maintaining a robust security posture. Azure Active Directory
Identity Protection can help organizations safeguard against identity-based threats.

This video explores the key features of Azure Active Directory Identity Protection, or Azure AD Identity Protection. You
will also explore risk-based conditional access and Azure AD Privileged Identity Management. Azure AD Identity
Protection leverages advanced analytics and machine learning to detect and mitigate identity related risks. It
continuously monitors user activities, login attempts, and authentication patterns to identify suspicious behavior or
potential vulnerabilities.

Let's explore key features of Azure AD Identity Protection, starting with user risk policies. These policies enable
organizations to define rules and actions based on the level of risk associated with a user. For example, if a user's risk
score exceeds a certain threshold, Azure AD can enforce multi-factor authentication or block access until the risk is
mitigated.

Another key feature of Azure AD Identity Protection is sign-in risk policies. Organizations can configure policies that
assess the risk associated with each sign-in attempt. Unusual signing locations, multiple failed login attempts, or
suspicious IP addresses can trigger policy actions such as requiring additional verification steps or blocking access.

Next is risk events and reports. Azure AD Identity Protection provides detailed reports on alerts on identity related risk
events, enabling organizations to investigate and respond promptly to potential threats. It offers insights into risky sign-
ins, compromised identities, and user behavior anomalies.

Lastly, Azure AD Identity Protection offers automated remediation. When it detects a high-risk event or a compromised
account, it can automatically take remediation actions such as forcing a password reset, or blocking access until the issue
is resolved. This proactive approach minimizes the impact of identity-based threats.

Next, let's focus on risk-based conditional access, which is a powerful feature that enhances security by analyzing user
behavior on the risk associated with each access attempt. By evaluating multiple factors such as user location, device
health, and behavioral patterns, Azure AD can determine the level of risk associated with a user's access request.

Through risk-based conditional access policies, organizations can implement dynamic access controls. Say a user
attempts to access sensitive data from an unfamiliar location or using an untrusted device. Azure AD can prompt for
additional authentication factors or deny access altogether. This adaptive approach ensures access policies adapt to the
changing risk landscape, providing a solid defense against identity-based attacks.

Let's move on to another powerful feature, which is Azure AD Privileged Identity Management. Privileged accounts such
as administrator or service accounts pose significant security risks if compromised. Azure AD Privileged Identity
Management, or PIM, helps organizations effectively manage and control privileged access to critical resources. It
reduces the attack surface by limiting privileged access to only when necessary, and incorporating Just-in-Time access, as
well as approval workflows.

Let's explore these features in more detail, starting with Just-in-time or JIT access. Rather than granting continuous
privileged access, Azure AD PIM allows organizations to implement JIT access, providing elevated privileges only for a
limited duration when needed. This minimizes the exposure of privileged credentials and reduces the risk of misuse.

Azure AD PIM enforces approval workflows for granting privileged access, authorize approvers, review and approve
access requests, ensuring accountability and oversight. What's more, organizations can track and monitor privileged
access through comprehensive auditing and reporting capabilities. This enables organizations to monitor privileged
activities and identify unauthorized or suspicious actions.
Finally, Azure AD PIM helps organizations identify and manage privileged accounts across their environment. Privileged
identity discovery functionalities provide insights into existing privileged roles, identify potential security gaps, and assist
in establishing a strong privileged access management strategy.

In this video, you've learned that Azure Active Directory Identity Protection offers robust features to protect against
identity-based threats and attacks. By leveraging risk-based conditional access on Azure AD Privileged Identity
Management, organizations can strengthen their security posture and mitigate the risks associated with compromised
identities. Implementing these features enables organizations to adopt a proactive approach to security, constantly
monitoring and responding to identity-related risks. Azure AD Identity Protection helps organizations safeguard critical
resources from unauthorized access and data breaches by analyzing user behavior, detecting anomalies, and enforcing
access controls. In an era where identity-based attacks are on the rise, Azure Active Directory Identity Protection is a
valuable tool for organizations seeking to fortify their defenses and protect their digital assets.

AAD Identity Protection includes risk-based conditional access, which allows organizations to define access policies based
on risk levels. It evaluates various risk factors, such as user location, device health, and sign-in behavior, to determine if
additional security measures or restrictions are necessary.

Microsoft Defender for Identity

Securing user identities and monitoring their behavior and activities are crucial aspects of maintaining a robust
cybersecurity posture. Earlier, you learned that Microsoft Defender for Identity is one of the powerful Microsoft 365
defender services that focuses on precisely these areas. It offers organizations a comprehensive solution to protect user
identities and credentials stored in Active Directory. By leveraging learning-based analytics, this advanced security
offering detects suspicious user activities and helps identify and investigate potential threats.

In this video, you will explore the importance of monitoring user behavior and activities, the capabilities of Microsoft
Defender for Identity, and how it simplifies incident response with clear incident information on a simple timeline. User
behavior monitoring plays a pivotal role in modern cybersecurity strategies. Hackers and malicious actors often exploit
compromised user accounts to gain unauthorized access to sensitive information and resources. By monitoring user
behavior and activities, organizations can establish a baseline of normal behavior patterns, enabling them to identify
anomalies and potentially malicious activities. This proactive approach allows for the timely detection of security
breaches and advanced attacks, reducing the impact and mitigating potential damage.

Microsoft Defender for Identity employs learning-based analytics to provide organizations with a robust defense against
evolving cyber threats. But what does this mean? By continually analyzing user activities and behaviors, the system
learns what constitutes normal behavior within an organization. Leveraging this knowledge, Defender for Identity can
detect suspicious activities, anomalous behaviors and potential indicators of advanced attacks. These learning-based
analytics leverage machine learning algorithms that evaluate a wide range of factors such as user access patterns,
authentication attempts, network traffic and historical data. By comparing current activities against the established
baseline, the system identifies deviations and highlights potentially risky actions. In this way, organizations stay one step
ahead of attackers by detecting threats before they can cause significant harm.

Microsoft Defender for Identity also analyzes authentication protocols and monitors privileged account usage to guard
user identities and credentials in Azure Active Directory. It continuously monitors Azure AD for suspicious activities such
as password spraying, brute-force attacks and attempts to elevate privileges. In the event of a security incident, swift
identification and investigation are crucial to minimize damage and prevent further compromise. Microsoft Defender for
Identity streamlines this process by providing clear incident information on a simple timeline. This timeline highlights key
events, including suspicious activities, authentication attempts and privilege escalations, allowing security teams to
quickly triage and respond to potential threats. The incident information provided by Defender for Identity includes
relevant details such as affected users, affected machines and the context surrounding the incident. Security analysts can
access this information through a user-friendly interface, enabling efficient investigation and timely response.
In conclusion, Microsoft Defender for Identity offers organizations a comprehensive solution for protecting user identities
and credentials stored in Active Directory. By monitoring user behavior and activities, leveraging learning-based
analytics, and providing clear incident information, Defender for Identity equips security teams with powerful tools to
detect suspicious activities, identify advanced attacks, and respond swiftly to potential threats. As cyber threats continue
to evolve, solutions like Microsoft Defender for Identity become indispensable in safeguarding organizational security
and maintaining the trust of users and stakeholders.

Deploy Microsoft Defender for Identity with Microsoft 365

Defender - Preparation
Earlier, you learned that Microsoft Defender for Identity, or MDI, offers a powerful defense against identity-based attacks.
However, to ensure MDI is deployed successfully, it is crucial to define and enforce prerequisites, plan capacity, configure
essential components, and establish authentication policies.

In this video, you will delve into these proprietary steps and explore how they contribute to securing identities and data.
Before deploying MDI, it is essential to establish and enforce certain prerequisites to ensure a smooth implementation
process.
1.) First, ensure that an on-premises Active Directory or AD environment is in place.

In this example, MDI leverages data from the AD environment to detect suspicious activities and potential threats. 2.)
You also need to install and configure Azure AD Connect to synchronize identities between your on-premises AD and
Azure AD. This synchronization enables MDI to provide comprehensive threat detection and protection across both
environments.

Next, let's focus on planning for capacity for MDI deployment, a vital step to ensure optimal performance and scalability.
The following aspects are critical when planning capacity: 3.) determine the number of users in your organization and
the expected growth rate. This information helps in determining the appropriate resources and licensing requirements
for MDI and is called user load. 4.) You also need to analyze the network traffic patterns to understand the volume of
data flowing between your AD infrastructure and Azure. This analysis aids in selecting the appropriate deployment
model and network bandwidth. 5.) you need to estimate the amount of storage needed to store security related data
generated by MDI. This includes considering factors such as retention periods and compliance requirements.

6.) The next important aspect affecting successful deployment is the configuration of essential components, including
the configuration of Windows Event Collection, or WEC, on dedicated servers. This is for collecting security-related
events from your domain controllers. 7.) It's also important to set up event subscriptions to forward security related
events from domain controllers to the WEC servers. Additionally, ensure that the appropriate event channels such as
security, audit success and audit failure are selected.
This step confirms that MDI receives the required data for threat detection and analysis. You should also regularly
validate the event collection process to ensure that it's successfully forwarded to the WEC servers. 8.) To enable
advanced detection capabilities, you have to configure remote calls to the Security Account Manager or SAM database
on your domain controllers.

9.) To enable remote SAM access, you need to modify the appropriate group policy settings. This modification enables
MDI to access and analyze security-related information stored in the SAM database. 10.) It's advisable to regularly test
the connectivity and access permissions to ensure seamless communication between MDI and the SAM database.

Let's move on to the next important step to enhance security and manage access control effectively. 11.) Organizations
should create dedicated directory service accounts and configure role groups within MDI. Assigning appropriate
permissions to these dedicated service accounts is essential for collecting security-related data from domain
controllers. Creating a service account with the necessary permissions is a necessary step in deploying Microsoft
Defender for Identity. The service account is used to authenticate and connect Microsoft Defender for Identity to
Active Directory Domain Services (AD DS).

By establishing role groups within MDI, you can manage access and assign specific responsibilities to users. For
instance, you can configure roles such as administrators, analysts and auditors, defining their privileges and limitations
based on the organization's security requirements.

12.) Lastly, authentication policies should be leveraged by organizations to strengthen identity and data security
during MDI deployment. It is essential to define conditional access policies within Azure AD to enforce MFA, enforce
location-based access restrictions, and implement other access control measures. These policies will help protect
against unauthorized access attempts and strengthen overall security posture.

Additionally, it is important to implement strong password policies that enforce complexity requirements, password
expiration, and password history. Encourage users to utilize unique passwords and educate them about best practices
to mitigate password-related risks.

In this video, you learned that there are a number of essential steps to take in preparation for MDI deployment. These
include defining and enforcing prerequisites, planning capacity, configuring essential components like Windows Event
Collection and remote SAM access, creating directory service accounts, configuring role groups, and setting up
authentication policies. By taking these steps, organizations can establish a robust security foundation for the successful
deployment of MDI.
Deploy Microsoft Defender for Identity with Microsoft 365
Defender - Deployment
Introduction You should now know how Microsoft Defender for Identity (MDI) can protect user identities for Active
Directory. You have also learned about the preparations you need to set in place before deploying this solution. This
reading will provide a step-by-step guide on how to deploy MDI within the Microsoft 365 Defender portal. Sign in To
begin the deployment, sign in to the Microsoft 365 Defender portal. From the navigation menu, select any item, such
as Incidents & alerts, Hunting, Actions & submissions, or Threat intelligence to initiate the onboarding process.

You'll then get the option to deploy supported services, including MDI. When you go to the MDI settings, the required
cloud components will be auto-provisioned.

Step 1: Download the Microsoft Defender for Identity sensor

1. In the portal, go to Settings and then Identities.

1. Select the Sensors page, which displays all of your MDI sensors.

1. Select Add sensor.

1. A pane will open, providing you with a button to download the sensor installer and a generated access key.

1. Select Download installer to save the package locally. The zip file includes the following files:

 MDI sensor installer

 Configuration setting file with the required information to connect to the MDI cloud service.

1. Also copy the Access key. The access key is required for the MDI sensor to connect to your MDI instance, and
you will use it in a later step. The access key is a one-time password for sensor deployment, after which all
communication is performed using certificates for authentication and TLS encryption.
 2. Use the Regenerate key button if you ever need to regenerate the new access key. It won't affect any previously-
deployed sensors because it's only used for initial registration of the sensor.

3. Next, copy the package to the dedicated server or domain controller onto which you're installing the MDI sensor.

Step 2: Install the Microsoft Defender for Identity sensor

Perform the following steps on the domain controller or AD FS server.

1. Verify that the machine has connectivity to the relevant MDI cloud service endpoints.

2. Extract the installation files from the zip file. Take note that installing directly from the zip file will fail.

3. Run Azure ATP sensor setup.exe with elevated privileges. In other words, run as administrator and follow the
setup wizard.

4. On the Welcome page, select your language and select Next.

1. The installation wizard automatically checks if the server is a domain controller, an AD FS server or a dedicated
server. If it's a domain controller or AD FS server, the MDI sensor will install. If it's a dedicated server, the MDI
standalone sensor will install. For example, for an MDI sensor, the following screen will display to let you know
that an MDI sensor is installed on your dedicated server. Select Next on this screen.
 1. Under Configure the sensor, enter the installation path and the access key that you copied from the previous
step, based on your environment. The installation path is the location where the MDI sensor is installed. By
default the path is %programfiles%\Azure Advanced Threat Protection sensor. Leave the default value. The
access key was retrieved from the Microsoft 365 Defender portal in the previous step. Select Install.

Step 3: Manage Action accounts MDI allows you to take remediation actions targeting on-premises Active Directory
accounts in the event that an identity is compromised. To take these actions, MDI needs to have the required
permissions to do so.

1. On a domain controller in your domain, create a new gMSA account.

2. Assign the Log on as a service right to the gMSA account on each domain controller that runs the MDI sensor.

3. Grant the required permissions to the gMSA account.

4. Open Active Directory Users and Computers.

5. Right-click the relevant domain or OU and select Properties.

1. Go the Security tab and select Advanced.

2. Select Add.

3. Choose Select principal.

1. Make sure Service Accounts is marked in Object Types.

 1. Enter the name of the gMSA account in the Enter the object name to select box and select OK.

2. Select Descendant User objects in the Applies to field, leave the existing settings, and add the following
permissions and properties:

Permissions to enable force password reset:

 Reset password

Properties:

 Read pwdLastSet

 Write pwdLastSet

Properties to disable user:

 Read userAccountControl

 Write userAccountControl

1. Select Descendant Group objects in the Applies to field and set the following properties:

 Read members

 Write members

1. Select OK.

Step 4: Add the gMSA account in the Microsoft 365 Defender portal

1. Go to the Microsoft 365 Defender portal.

2. Go to Settings and then Identities.

3. Under Microsoft Defender for Identity, select Manage action accounts.

 4. Select + Create new account to add your gMSA account.

5. Provide the account name and domain, and select Save.

6. Your action account will be listed on the Manage action accounts page.

Step 5: View and configure sensor settings

After the MDI sensor is installed, do the following to view and configure MDI sensor settings.

1. In Microsoft 365 Defender, go to Settings and then Identities.

1. Select the Sensors page, which displays all your MDI sensors. For each sensor, it will list:

 Sensor name

 Domain membership

 Version number

 If updates should be delayed

 Service status

 Sensor status

 Health status

 The number of health issues

 When the sensor was created

1. If you select Filters, you can choose which filters will be available. Then with each filter, you can choose which
sensors to display.

1. If you select one of the sensors, a pane will display with information about the sensor and its health status.

1. If you select Manage sensor, a pane will open where you can configure the sensor details.
 1. On the Sensors page, you can export your list of sensors to a .csv file by selecting Export.

Conclusion Deploying Microsoft MDI with Microsoft 365 Defender provides organizations with a powerful security
solution to detect and respond to identity-based threats effectively. By integrating these two platforms, organizations can
gain a holistic view of their security posture and leverage advanced analytics to detect and investigate suspicious
activities. By following the step-by-step guide outlined in this article, organizations can enhance their security defenses
and protect their valuable assets from evolving cyber threats.

Identity theft
Meet Jack, a software engineer and avid gamer. With countless online profiles, open shopping carts, gaming avatars and
work accounts, he is the modern-day treasure trove for identity thieves. Enter cypher, our antagonist; she is infamous on
the Dark Web for her uncanny ability to infiltrate networks, steal identities and sell them to the highest bidder.

One day, as Jack was engrossed in his work, his digital shadow was being stalked by Cypher. Cypher planned to infiltrate
Jack's personal network, to get her hands on sensitive information to impersonate him and profit from his digital
treasure. What Cypher didn't anticipate was the silent protector guarding Jack's digital life: Microsoft Defender for
Identity. This high-tech security system uses advanced AI algorithms to monitor a user's online footprint, detecting and
blocking any unusual activity that might indicate a security breach.

As Cypher began her infiltration, she first tried a classic phishing attack, aiming at tricking Jack into revealing his
passwords. What she didn't know was that Microsoft Defender for Identity was already watching. The AI detected the
anomalous behavior and immediately alerted Jack of a potential phishing attempt.

Confused, Jack dismissed the suspicious email and changed his passwords to more complex ones, but this was just the
beginning. Undeterred, Cypher tried another trick up her sleeve: a brute force attack. She hoped to crack Jack's
passwords by trying multiple combinations in rapid succession, but Defender for Identity wasn't about to be outwitted. It
quickly detected the unusual login attempts, blocked the IP address from where the attack was coming from, and again
alerted Jack.

Feeling a little worried now, Jack realized he was under attack. To be safe, he took additional precautions, enabling multi-
factor authentication on his accounts. Cypher, in the meanwhile, grew desperate. She decided to take a riskier approach,
attempting to inject a malicious script into Jack's network, a move that could grant her administrative access, but
Microsoft Defender for Identity's powerful analytics were a step ahead. It noticed the inbound malicious script, isolated
it, and thwarted the attack even before it could make an impact.

Like a seasoned chess player, Microsoft Defender was defending Jack's network, so that it was an impenetrable fortress.
Discouraged, Cypher retreated into the shadows of the digital world. She had met her match in the form of an AI-driven
security system that refused to be outsmarted. This encounter served as a wakeup call for Jack, who realized how much
his digital life meant to him, and how important it was to protect it.

In this digital age, where we live a significant part of our lives online, cybersecurity tools like Microsoft Defender for
Identity act as the shield we need. They stand ready to fend off attacks and keep us secure, giving us the freedom to
enjoy our digital lives without fear. So, here's to safe browsing, secure transactions and fearlessly living our best digital
lives.

Identity Protection in Microsoft 365

Introduction In the current digital landscape, safeguarding digital identities is not merely a priority—it's an imperative.
With the surge of cyber threats and attacks, businesses need comprehensive tools to protect their digital assets. So far,
you’ve learned that Microsoft 365 offers an integrated suite of robust services that focus on identity protection, notably
Azure AD Identity Protection, Azure AD Privileged Identity Management, and Azure AD Identity Governance. This reading
provides a compact summary of these interconnected services and how they work together to protect against identity-
based threats. You will also gain valuable guidance on best practices for implementing identity protection in a Microsoft
365 environment.

Azure AD Identity Protection Earlier you learned that Azure AD Identity Protection is an advanced threat protection tool
that employs machine learning and heuristic rules to detect suspicious activities linked to user identities. It identifies and
mitigates potential vulnerabilities by providing both user risk and sign-in risk policies.

User risk policy identifies users who may have been compromised and applies adaptive remediation actions, such as
password resets or multi-factor authentication challenges. Sign-in risk policy, on the other hand, detects anomalies
during sign-ins and applies risk mitigation steps at the point of access. The image below indicates how user risk and sign-
in policies are applied in Azure AD Identity Protection.
Azure AD Privileged Identity Management You learned about Azure AD Privileged Identity Management (PIM), which
targets the reduction of threats associated with privileged accounts. These accounts, due to their elevated permissions,
can pose significant security risks if compromised. PIM provides just-in-time privileged access, enabling temporary
elevation of user rights instead of maintaining persistent administrative privileges. This approach reduces the surface
area for attacks. Moreover, PIM ensures comprehensive oversight through approval workflows, access reviews, and audit
history. This helps organizations maintain control over who has access, why, when, and what actions they perform.

Azure AD Identity Governance Azure AD Identity Governance aids in managing identity lifecycle and access across the
organization. It provides comprehensive solutions for access reviews, access packages, privileged access, and entitlement
management. Access reviews ensure that only the right people have the right access to resources. Access packages
simplify the process of requesting, approving, and managing access to groups, apps, and sites. Privileged access ensures
roles are only assigned for a certain period and require approval. Entitlement management automates access request
workflows, minimizing the manual workload and ensuring consistent decision-making.

Integration of services These services in Microsoft 365 are not standalone entities, but work in a tightly-integrated
manner. Azure AD Identity Protection is the first line of defense, detecting and mitigating potential identity threats. It
feeds risk information to Azure AD Privileged Identity Management, which then manages and audits privileged access
based on identified risks. Azure AD Identity Governance uses this data to manage and regulate access rights, ensuring a
closed-loop system for identity and access management.

Best practices for implementing Identity Protection To optimize these services in a Microsoft 365 environment, consider
the following best practices:

Implement comprehensive risk policies: Enable both user and sign-in risk policies in Azure AD Identity Protection to
cover all potential risk scenarios.

Apply the principle of least privilege (PoLP): Use Azure AD PIM to implement a just-in-time and just-enough-access
principle. Provide administrative privileges only when necessary and only for the required duration and access level.

Perform regular access reviews: Use Azure AD Identity Governance to conduct regular access reviews and remove
unnecessary entitlements promptly.

Enable multi-factor authentication: To enhance protection against identity compromise, ensure multi-factor
authentication is enforced throughout your organization.

Educate users: Regularly train your users on security awareness, as human error can often lead to identity compromise.

Monitor and act: Regularly review audit logs and risk events. Take swift action on suspicious activities.

Conclusion Microsoft 365 offers a comprehensive, integrated solution for identity protection with Azure AD Identity
Protection, Azure AD Privileged Identity Management, and Azure AD Identity Governance. By understanding these tools,
implementing them effectively, and following best practices, organizations can significantly enhance their defense against
identity-based threats and attacks, ensuring a secure digital environment.

A summary video of the module:

https://www.coursera.org/learn/cybersecurity-solutions-and-microsoft-defender/lecture/9CAT7/module-summary-
microsoft-365-defender-threat-protection

Implementing Microsoft 365 Defender Threat Protection Services for Sam's Scoops
Coach: Let's get started! I am the Coursera Coach, and I'm here to help you sharpen your understanding of
Microsoft 365 Defender and how it can be used to address security incidents like the ones Sam's Scoops is
facing. We will be working through a few checkpoints to test your knowledge.

Checkpoints:
 1. Microsoft 365 Defender Overview (Weight = 25%)
2. Configuring Microsoft 365 Defender Services (Weight = 50%)
3. Incident Management (Weight = 25%)

You can pause at any time and ask about your progress. Let me know when you are ready to start.
Eric: Let's get started
Coach: Sam's Scoops is facing several security challenges, including failed login attempts, a potential
malware attack via email, and the use of unapproved cloud apps. How can Microsoft 365 Defender help
Sam's Scoops address these security concerns in a unified manner?

Eric: Microsoft 365 Defender includes Azure AD Identity Protection, which will alert security teams about the
failed login attempts and require MFA or password resets, if high risk. Additionally, Password self-reset can
be enabled if the failed login attempts are from legitimate users. Part of Defender also includes AI and
Machine learning to detect phishing attempts, to remove malicious attachments, and to block dangerous
URLs that may be included in phishing attempts. Shadow IT protection includes setting policies that only
allow approved applications to be installed on end user devices, and alerts security teams when attempts
are made to circumvent those policies.

Coach: That's a great start! You've correctly identified some key components of Microsoft 365 Defender and
how they can address Sam's Scoops' challenges. You mentioned Azure AD Identity Protection for handling
the failed login attempts, and the use of AI and Machine Learning to combat phishing. Also, you correctly
identified Shadow IT protection policies as a way to prevent the use of unapproved applications.

Now, let's dive a little deeper into the specific services offered within Microsoft 365 Defender. Can you name
the specific services that could be used to address each of the three security issues faced by Sam's Scoops,
and briefly explain what each service does?
Eric: I believe Azure AD Protection and conditional access policies deal with the failed login attempts,
Defender for Exchange deals with the phishing. I don't recall which service deals with Shadow IT, however.

Coach: You are very close! You are correct that Azure AD Identity Protection, along with features like
conditional access policies, would be the right tool to handle those failed login attempts. And you are on the
right track with Defender for email security, but the actual name is Microsoft Defender for Office 365, which
handles a broader range of threats beyond just Exchange. Think about the services we discussed earlier.
Which one focuses on discovering and controlling the use of cloud applications, including those not
sanctioned by Sam's Scoops' IT department? This service plays a crucial role in tackling the shadow IT
problem.

Eric: That would be defender for cloud

Coach: You are very close! It's not Defender for Cloud, but you are thinking along the right lines. Remember,
we are looking for a service that specifically focuses on applications used in the cloud. Which Defender
service fits that description?

Eric: Microsoft Defender for Cloud Applications.

Coach: Excellent! You've identified the correct service: Microsoft Defender for Cloud Apps (MDC). MDC is
specifically designed to help organizations like Sam's Scoops discover, manage, and control the use of
cloud applications – including those unsanctioned ones that constitute shadow IT. You've successfully
navigated the first checkpoint by demonstrating a good understanding of the different Microsoft 365
Defender services and their roles. In the next checkpoint where we'll explore how to configure these
services.

Coach: Let's dive into the configuration of these services. Imagine you are tasked with setting up Microsoft
Defender for Endpoint (MDE) to protect Sam's Scoops' devices. What specific actions would you take within
MDE to detect and remediate malware effectively?

Eric: To be honest, I don't recall the steps. I believe the Core services includes an Advanced protection
antivirus.

Coach: That's alright, it's completely fine to need a refresher! While you are right that next-generation
protection is a component of MDE, simply relying on the built-in antivirus isn't enough. Think about a multi-
layered approach to security. What other features or configurations within MDE, beyond just the antivirus,
would be crucial for detecting and dealing with malware in a real-world scenario like Sam's Scoops? For
example, how can you make sure MDE is actively monitoring for threats, and what about dealing with
vulnerabilities that malware might exploit?

Eric: There needs to be sensors on each endpoint, reporting to Defender

Coach: That's a crucial point! You are correct, deploying endpoint sensors to all of Sam's Scoops' devices is
essential. These sensors are what allow MDE to monitor activity, collect data, and detect suspicious
behaviors that might indicate malware. Now, let's think about what happens after MDE detects potential
malware. What steps can you take to ensure that MDE can effectively neutralize threats and keep Sam's
Scoops' systems safe? Remember, we want to minimize the impact of any malware infection.

Eric: Policies would again be necessary here that provide alerts and isolate any infected endpoints. I believe
there is a part of Defender that bocks unauthorized access to memory blocks. An infected endpoint needs to
be isolated, and the malicious Services stopped. The malware can then be run in a sandboxed environment
to determine what it does. The timeline of the attack can also be examined.

Coach: You are doing great! You are highlighting some important steps in handling a malware incident.
Isolating an infected endpoint is definitely crucial to prevent the spread of the infection. And you are right,
analyzing the malware's behavior in a safe, sandboxed environment is essential for understanding the
threat and developing countermeasures. Now, let's bring it all together within the context of MDE. You
mentioned policies - think about what specific types of policies or configurations within MDE can help
automate some of these actions, like isolating devices or taking action against threats. This will be key for
Sam's Scoops to respond quickly and efficiently, even if they don't have a large security team.

Eric: Adaptive application control, file integrity monitoring, and Defender for Endpoints will assist with
these.
Coach: You are getting warmer! Adaptive application control and file integrity monitoring are indeed
valuable security features, but they are not directly managed within Microsoft Defender for Endpoint. These
are typically handled through other tools like Microsoft Intune or Group Policy. Think about specific features
or settings within MDE that can automate responses to threats. We've already talked about one key aspect:
isolating infected devices. What other automated actions can MDE take to neutralize malware?

Also, you mentioned "Defender for Endpoints." Remember, the service is called "Microsoft Defender for
Endpoint" (singular, not plural). Paying attention to these details is important for clear communication and
understanding in cybersecurity.
Eric: Adaptive application control should be applied; antimalware installed, security groups and file
integrity monitoring enabled.

Coach: You are mentioning some important security practices, but remember, we are focusing specifically
on configurations within Microsoft Defender for Endpoint (MDE) to automate responses to malware. While
adaptive application control, antimalware software, security groups, and file integrity monitoring are all
valuable components of a comprehensive security strategy, they are not all directly managed or configured
within the MDE service itself. Think about this: when MDE detects a threat, what actions can it take
automatically without needing manual intervention from Sam's Scoops' IT team? We've already touched
upon isolating infected devices. What other automated remediation actions can MDE perform to neutralize
malware quickly and effectively?

Eric: I don't remember. Please tell me.

Coach: One crucial feature within MDE that enables automated response is Automated Remediation. This
feature allows MDE to take predefined actions, such as terminating malicious processes, quarantining
suspicious files, or even rolling back changes made by malware, all without requiring manual intervention.
This immediate response is crucial for containing threats and minimizing their impact on Sam's Scoops'
systems. Additionally, MDE offers Attack Surface Reduction Rules. These rules help proactively reduce the
attack surface by blocking common malware entry points and risky behaviors. For example, you can
configure rules to prevent execution of files from known malicious locations or block untrusted processes
from tampering with sensitive system components. By combining automated remediation with attack
surface reduction rules, Sam's Scoops can significantly enhance its ability to detect, respond to, and even
prevent malware infections on its endpoints. Are you ready to move on to configuring Microsoft Defender for
Office 365 to address the phishing email challenge?

Eric: Thank you for the response. I am taking notes for later review.

Eric: ok please do

Coach: Sam's Scoops is also facing a phishing challenge. Let's shift our focus to Microsoft Defender for Office
365 (MDO). What steps would you take within MDO to block phishing attempts and malicious email
attachments, ensuring that employees don't fall victim to these threats?

Eric: I would implement Automated Investigation and Response (AIR) capabilities and attack simulation and
training.

Coach: While Automated Investigation and Response (AIR) and attack simulation training are valuable
features of Microsoft 365 Defender, they are not the primary tools for directly blocking phishing attempts
and malicious attachments within Microsoft Defender for Office 365 (MDO). Think about the core functions
of email security. How can MDO be configured to examine and filter emails before they even reach
employees' inboxes? What specific features within MDO can help achieve this?

Eric: Using Microsoft Defender XDR will automate the protection of email accounts.

Coach: Microsoft Defender XDR is a powerful tool, but it's not directly involved in the initial filtering of
emails within Microsoft Defender for Office 365 (MDO). Think about features that specifically target
malicious links and attachments in emails. What can MDO do to neutralize these threats before they even
have a chance to reach users' inboxes and potentially cause harm?

Eric: antiphishing policies can be set

Coach: That's one piece of the puzzle! You are right, configuring anti-phishing policies in MDO is crucial.
These policies help identify and block emails that exhibit common phishing characteristics, such as
suspicious sender addresses or spoofed domains. Now, let's think about those malicious links and
attachments that phishers often use. What specific features within MDO can neutralize these threats,
ensuring that even if a phishing email slips through the anti-phishing net, the dangerous content is rendered
harmless?

Eric: Safe Links & Safe Attachments can be enabled to scan email attachments before delivery and
Mailbox Intelligence and Advanced Phishing Thresholds can also be implemented.

Coach: Excellent! You've hit the nail on the head. Safe Links and Safe Attachments are two essential
features within Microsoft Defender for Office 365 that directly address malicious links and attachments.

 Safe Attachments: Scans email attachments in a safe, sandboxed environment before delivering
them to users. If malicious content is detected, the attachment is blocked or quarantined.
 Safe Links: Rewrites links in emails to pass through a real-time scanning service. If a link is deemed
malicious when clicked, the user is blocked from accessing the dangerous website.

You've successfully identified the key configurations within MDO to combat phishing emails. By
implementing anti-phishing policies, Safe Links, and Safe Attachments, Sam's Scoops can significantly
reduce the risk of employees falling victim to these threats.

In the final checkpoint where we'll tackle incident management using Microsoft 365 Defender?
Coach: Let's move on to incident management. Imagine Sam's Scoops' security team observes a pattern of
suspicious activity: a few employees report receiving a suspicious email with an attachment, and shortly
after, there's a spike in failed login attempts to Azure AD. How would you use Microsoft 365 Defender to
manage and investigate this incident effectively? What specific actions would you take, and why?

Eric: I would use Threat Explorer in Microsoft Defender for Office 365 to analyze the email, and check for
malicious attachments or links, then determine if the malicious emails were delivered to other employees.

I would then check the sender’s IP address and domain reputation to determine if this is a known threat.

If the email is indeed malicious, I'd use Automated Investigation & Response (AIR) to quarantine or delete
the message in all the affected mailboxes.
Coach: That's a great start! You're thinking like a true security analyst. Using Threat Explorer in Microsoft
Defender for Office 365 is an excellent first step to analyze the suspicious email. Examining the
attachment, checking for other recipients, and investigating the sender's reputation are all crucial steps in
understanding the scope and nature of the threat. And you are absolutely right, leveraging Automated
Investigation & Response (AIR) can help streamline the process of containing the threat by quarantining or
deleting the malicious email from affected mailboxes. Now, let's not forget about those failed login
attempts. How would you use Microsoft 365 Defender to investigate whether they are connected to the
suspicious email and take appropriate action? Remember, Microsoft 365 Defender excels at correlating
events across different services.

Eric: I would look in Incidents & Alerts within Microsoft Defender XDR, searching specifically for an
incident which includes failed login attempts. Advanced Hunting can be used to check logs for affected
accounts. I would examine sign-in logs in Microsoft Entra ID for failed attempts, and look for multiple
failed attempts from an unknown IP or strange location. Lastly, I would use Risky Sign-ins & Identity
Protection to determine if any accounts have been compromised.

Coach: You are on the right track! You correctly identified several key actions and tools within Microsoft 365
Defender to investigate the failed login attempts. Checking Incidents & Alerts in Microsoft 365 Defender
(you mentioned XDR, but remember it's part of the broader 365 Defender suite) is crucial for spotting
correlated events. Examining sign-in logs in Azure AD (formerly Microsoft Entra ID) for unusual patterns,
like multiple failed attempts from suspicious locations or IPs, is also essential. And you're right, Azure AD
Identity Protection, with features like Risky Sign-ins, can help determine if any accounts have been
compromised. You've successfully connected the dots between the suspicious email and the failed login
attempts, demonstrating a good understanding of how to use Microsoft 365 Defender for incident
management. By correlating events, investigating suspicious activities, and leveraging automated
responses, Sam's Scoops can effectively handle security incidents and protect its systems and data.

Course Recap: Security solutions

You've almost reached the end of the cybersecurity solutions and Microsoft Defender course. What's left now is to
demonstrate the skills you've learned in this course, in a course project comprised of setting up protection for a virtual
machine in Azure using Git, Azure Bastion, Azure standard firewall, as well as Microsoft Sentinel. Then you will complete
the final graded assessment quiz. This gives you the opportunity to demonstrate that you have a solid understanding of
cloud-based security concepts, security Information and event management or SIEM, security orchestration automation
and response, or SOAR, and the various capabilities of Microsoft 365 defender.
But before you get to that, let's recap what you have learned up to this point to help orientate you for the final project
and quiz. In Module 1, you learned about the built-in security measures of Azure and best practices for protecting Azure
resources. This included measures to protect against distributed denial of service or DDoS attacks, firewall breaches, and
unauthorized access. Specifically, you covered the steps on requirements for creating and configuring the two types of
Azure DDoS protection, DDoS IP protection, and DDoS network protection. You also gained valuable exposure to
navigating the Azure portal and completed an exercise in which you learned how to create a virtual machine in the Azure
portal.
The next section was about Azure Firewall protection. You discovered the purpose of Azure Firewall on its role in
providing cloud-based network security. Can you recall the difference between the basic standard and premium Azure
Firewall SKUs? You also gained practical experience in setting up different types of firewall rules.
You then went deeper into Just in Time or JIT access and encryption. JIT is a security feature that allows administrators
to control and limit access to VMs by enabling temporary on-demand access for authorized users.

Lastly, you learned about various data encryption best practices and techniques for data at rest and data in transit. After
this, you moved onto Module 2, which was all about Cloud security and its importance. You were introduced to
advanced Azure security features like defender for Cloud and Azure Bastion. Microsoft Defender for Cloud offers
continuous monitoring and threat detection and analysis of data and actionable insights to prevent potential attacks.
You also now know that Bastion is a fully managed platform as a service or PaaS service. It allows you to securely
connect to Azure VMs remotely using Remote Desktop Protocol or RDP and Secure Shell or SSH, thus reducing the attack
surface.

Moving on to Lesson 3, you learned about Azure standards and policies and how Azure policy can ensure compliance
with industry rules and guidelines by creating, assigning and managing policy definitions.
You learned about policy initiatives encompassing multiple policy definitions and how to apply them to an entire
hierarchy of subscriptions with Azure Management Groups. You also now know how to use the built-in policies and how
to create custom policy definitions.

Next, you were introduced to SIEM and SOAR. SEAM is a solution that helps organizations detect, analyze, and respond
to security threats before they harm business operations. The main goal of SOAR is to collect a threat related data and
automate threat responses. You learned how SIEM and SOAR technologies like Microsoft Sentinel can detect, respond
to, and remediate security incidents and threats.
After this, you took a deep dive into Microsoft 365 Defender Threat Protection in the next module. This was important
because security professionals need a way to analyze threat signals from different infrastructure domains holistically to
determine the full scope and impact of cyber threats. Microsoft 365 Defender provides the ultimate solution to this
need. You covered the different features of the Microsoft Defender portal. Specifically the incidents page that acts as a
central location for cross-domain attacks and alerts, listing each incident by severity and providing the necessary context
for a comprehensive response.

You also explored how to set up default roles and create new custom roles in the portal to manage Defender services. As
part of this lesson, you completed a practical exercise in which you connected different data connectors to Microsoft
Sentinel to create a central viewpoint for all incidents across an environment.
Moving on to Lesson 2, you learned how Microsoft Defender for Endpoint helps to secure endpoints against the latest
threats and risks. With features such as real-time threat detection and prevention, it continuously monitors endpoint
devices, network traffic, and user behavior to identify indicators of compromise.

Lastly, you covered identity defense in Lesson 3, you examined identity-based threats and attack vectors organizations
are vulnerable to the importance of identity defense and the different identity defense solutions available.

You've covered a lot in this course. This might only be the start of your journey toward becoming a cybersecurity
analysts but you can be very proud of yourself for how much you've already learned and accomplished. Now, you're
ready to tackle the course project on graded assessment. Good luck!

Final project and assessment: Cybersecurity Solutions and

Microsoft Defender
In this course, you will be assessed in two ways: a course project with a self-review quiz, and a final graded quiz.
The purpose of the assessments: The primary purpose of the assessments is to check your knowledge and
understanding of the key learning objectives of the course. Most importantly, they help you establish which topics you
have mastered, and which topics require further study before completing the course. Ultimately, the graded
assessments are designed to help you make sure that you can apply what you have learned.

What to expect from the graded quiz: The quiz tests only the topics covered throughout the course so there shouldn’t
be any surprises. It will take about 1 hour and 30 minutes to complete and you need to score 80% to pass. You can take
the quiz more than once if you don’t achieve this score but note that the questions will vary each time. Review the
feedback on your answers and where necessary go back and work through the topics that you feel require your further
attention.

What to expect from the course project: You have encountered exercises, knowledge checks, in-video questions and
other assessments throughout this course. Nothing in the final course project will be outside of the scope of what you
have already learned, so you should be well-placed to succeed. The following scenario will be used in the course
project:
A small business that provides IT services to other businesses has a number of systems hosted in Microsoft Azure. The
backend systems are hosted on Azure virtual machines, and they need to be securely configured and protected from
threats.

You have been hired as a security engineer to put together a testing environment using the many different Microsoft
security services. This testing environment will form the basis for how production VMs will be protected in the future for
this IT services provider.

The company would like you to set up protection for a virtual machine in Azure using JIT, Azure Bastion, and Azure
Standard Firewall. Once this has been set up, they would also like you to configure Microsoft Sentinel to monitor the
testing environment before it is deployed on the production network.

How to prepare for the final assessment

This final graded quiz will test you on the topics covered throughout this course, which include the following:
 Cloud-based security concepts and the built-in security measures in Azure like Azure DDoS Protection, Azure
Firewalls, Defender for Cloud, and Azure Bastion.
 Security information and event management (SIEM) and security orchestration, automation, and response
(SOAR), capabilities of Microsoft Sentinel.
 Microsoft 365 Defender capabilities, specifically Endpoint and Identity defense functionalities and the Alert and
Incidence page in the Microsoft 365 Defender portal.

To prepare for the final assessment and course project, here are some tips to guide you:

Revisit key learning material: Review the course materials, including videos, readings, and resources, to reinforce your
understanding of the concepts covered.

Review knowledge checks and module quizzes: Take the time to revisit the knowledge checks and module quizzes you
completed throughout the course. Focus on areas where you may have struggled or need further clarification and use
the feedback provided to identify areas that require additional attention.
 Azure: Basic security capabilities Knowledge Check: Distributed Denial of Service (DDoS) Protection Knowledge
Check: Azure Firewall Protection Knowledge Check: Just-in-time access and encryption Module quiz: Azure basic
security capabilities
 Security management in Azure Knowledge check: Introduction to cloud security Knowledge Check: Virtual
security solutions Knowledge check: Azure Standards and policies Module quiz: Security management in Azure
 Microsoft 365 Defender Threat Protection Knowledge check: Defender services Knowledge check: Endpoints and
cloud apps security Knowledge check: Identity defense Module quiz: Microsoft 365 Defender threat protection

Review exercises: Take advantage of the hands-on exercises you’ve completed and review the exemplary material. This
can help inform your application of key skills in the final course project.
 Spinning up a virtual machine Exercise Exemplar
 Resource group and VNet creation Activity
 Configure Azure Firewall Exercise Exemplar
 Secure ports with JIT Exercise Exemplar
 Shield virtual machines using Bastion Exercise Exemplar
 Implement Microsoft Sentinel with Microsoft Defender data connectors Exercise Exemplar
Azure User Interface: Given the dynamic nature of Microsoft Cloud tools, you might experience changes in the Azure
User Interface (UI) that have taken place after the development of this training content. As a result, the screenshots in
the videos, readings, or exercises might not align exactly with how you experience the UI. However, please note that
these changes do not impact the functionalities of the UI. Hence, you will still be able to perform all the steps shown in
that video, reading, or exercise. Good luck with the project and the course quiz!
Create a Windows virtual machine in the Azure portal
Case study: In this exercise you had to create a Windows virtual machine in Azure to host a new website for Sam’s
Scoops. You deployed the virtual machine for the Sam’s Scoops web server using the virtual network Web_Server on a
172.16.1.0 subnet. This virtual machine was named "SamScoopsWeb". This exemplar will guide you through the steps
of the exercise with screenshots that demonstrate the correct actions that you had to take.

Azure User Interface : Given the dynamic nature of Microsoft Cloud tools, you might experience changes in the Azure
User Interface (UI) that have taken place after the development of this training content. As a result, the screenshots in
the videos, readings, or exercises might not align exactly with how you experience the UI. However, please note that
these changes do not impact the functionalities of the UI. Hence, you will still be able to perform all the steps shown in
that video, reading, or exercise.

Create the network and resource group

Step 1 Sign into the Azure portal with your credentials.
Step 2 In the Azure portal menu, select the Create a resource button located on the left-hand side of the screen.

Step 3 Next, search for "Virtual network" in the search bar, select Virtual network from the results and select Create.
Step 4: In the Basics tab of the Create a virtual network wizard, fill out the following information:
1. Subscription: the subscription that you want to use.
2. Resource group: Create new and enter "RG_Web_Server" as the name of the new resource group.
3. Name: Enter "Web_Server" as the name of the virtual network.
4. Region: the region that is closest to you.
Step 5: Select IP addresses.

1. Delete the default address space by selecting the dots (...) next to Add a Subnet and select Delete Address
Space.
2. There is a warning: You must add at least one address space to the virtual network.
3. Select Add an Address Space.
4. Fill in starting address: 172.16.1.0
5. Fill in address space size: /24 (256 Addresses).
6. Select Add.

Step 6: Now, a Subnet has to be added.

1. Select + Add a subnet.
2. Leave the details as default and select Add.
Step 7: Select the Review+ create button to review the settings.

Step 8: Select the Create button to create the virtual network.

At this stage there should be a notification that says Deployment in progress. When the deployment is completed it
should say Your deployment is complete.

Once the virtual network is created, you can proceed with creating the virtual machine for the Sam’s Scoops web server.
Create the virtual machine
Step 1: Sign in to the Azure portal with your credentials.
Step 2: In the Azure portal menu, select the Create a resource button located on the left-hand side of the screen.

Step 3: Search for "Windows Server" in the search bar and select Windows Server from the results.
 1. Select the Create and select Windows Server 2022 Datacenter: Azure Edition.

Step 4: In the Basics tab of the Create a virtual machine wizard, fill out the following information:
1. Subscription: The subscription that you want to use.
2. Resource group: The existing resource group, RG_Web_Server.
3. Virtual machine name: Enter "SamScoopsWeb".
4. Region: The region that is closest to you.
5. Image: Windows Server 2022 Datacenter –x64 Gen2.
6. Size: An appropriate size for your virtual machine. It will be good idea to cheapest option for this exercise.
7. Username: AzAdmin
8. Password: P@$$@1234567
9. Confirm Password: P@$$@1234567
Step 5: Select the Next: Disks button to proceed to the Disks tab.
Step 6: Leave the default settings for OS disk and select the Next: Networking button to proceed to the Networking tab.
Step 7: In the Networking tab, select the following settings:
1. Virtual network: Web_Server.
2. Subnet: default.
3. Public IP: Create new and enter a name for the new public IP address.
4. NIC network security group: Leave the default setting.
Step 8: Select the Next: Management button to proceed to the Management tab.
Step 9: In the Management tab, leave the default settings and select the Next: Monitoring button to proceed to the
Monitoring tab. Leave everything as default. Then select the Next: Advanced button to proceed to the Advanced tab.

Step 10: In the Advanced tab, leave the default settings and select the Review + create button.
Step 11: Review settings for your virtual machine and click the Create button to create the VM - wait for deployment.
Step 12: Wait for the deployment to complete.

Well done. The virtual machine is now deployed. You are now ready for the next phase where you need to connect to
the virtual machine.
Connect to virtual machine
Step 1: Once the deployment is complete, select the Go to resource button to navigate to the virtual machine page.

Step 2: On the virtual machine page, select the Connect button.

Step 3: Select RDP from the options menu to download the RDP file. Select Download RDP file.
Step 4: Open the downloaded RDP file and connect by using the credentials you have set while creating the virtual
machine to connect to the virtual machine.

You have now created a Windows virtual machine in the Azure portal for SamScoopsWeb. You should be presented with
the desktop of the Windows server.

Clean-up: If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to
stop compute resources after completing each lesson. When you're working in your own subscription, it's also a good
idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost
you money. You can delete resources individually or delete the resource group to delete the entire set of resources.
Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
exercise.
Activity: Resource group & VNet creation
Introduction: In an earlier exercise, you built a virtual machine(VM) within Microsoft Azure for the Sam’s Scoops
webserver. But this virtual machine needs to be protected from cybersecurity threats. By now, you should know that
deploying the Azure Firewall is the best way to offer this protection since it acts as a shield for Azure Virtual Networks
(VNets) and all resources in them.

Earlier you learned that when adding resources on Azure, it is good practice to create resource groups for similar
resources to keep them separate from others. So, when configuring security devices in Azure, it’s best to add them to a
separate resource group. In this way, you can keep them separate from the virtual machine that you created earlier.
Before you learn how to deploy the Azure Firewall in a later exercise, this activity will guide you in creating an additional
resource group and virtual network (VNet). You will follow a different method of doing this than in the previous
exercise.

During this lesson you also learned that it is important to centralize key devices such as a Firewall in a hub VNet. So, by
creating the additional VNet you will be extending the Sam’s Scoops’ network to a hub-spoke network and will therefore
have to set up VNet peering too. Let’s get started.

Case Study: Now that Sam’s Scoops has a VM that will run the web server, it needs to be protected by a firewall. But this
means that the network needs to extend to a hub-spoke topology to position the firewall centrally, offering protection
to other services and spokes that might be added to the network later. You are tasked to configure this required
network setup.

Instructions: For this exercise to be successful the exercise Create a Windows virtual machine in the Azure portal from
Lesson 2 has to have been completed and the machine still needs to be present. If not, please revisit that exercise first.

Step 1: Create a resource group: Create a resource group called "Firewall". This resource group will be used to store
anything to do with the Sam’s Scoops firewall like VNets and centralized Azure security services.
1. Sign in to your Azure subscription.
2. On the Azure home page, select the Resource Groups service.
3. Click Create.
4. Give the resource group the name "Firewall" and choose a Region near you.
5. Click on Review + create, and then on Create.
Tip: If you need help with this step, this Microsoft guide on how to create a resource group will be helpful.

Step 2: Create a VNet: As discussed earlier, firewalls should protect many areas of the network so placing them in a
separate VNet at the hub of the network is a good idea. Add a new VNet called "Firewall-Hub" and create a 192.168.1.0
subnet.
1. On the Azure home page, select the Virtual Networks service.
2. Select Resource group Firewall created in Step 1.
3. Name the VNet "Firewall-Hub".
4. Choose the same region as your resource group.
5. Select Next and Next again.
6. Select on Add an IP address space and fill in the following details: For the address space select IPv4; For the
starting address enter 192.168.1.0 and for the address space size enter /24 and then click Add.
7. Delete any other address spaces.
8. Select Add subnet and use the name "AzureFirewallSubnet" and click Save.
And if you need additional help, use this Microsoft guide on how to create a VNet.
Step 3: VNet peering: The Sam’s Scoops Azure network now has a Hub VNet and a spoke VNet containing the virtual
machine for the web server. You need to set up VNet peering to allow the two VNets to communicate with each other.
1. Select Virtual networks from the Azure services bar.
2. Select the Firewall-Hub VNet.
3. Select Peerings either on the left or on the middle of the page.
4. Select Add to add a new peering.
5. Name the peering "Hub-Web".
6. Leave the default settings and under Remote virtual network - peering link name type "Web-Hub".
7. Under the Virtual network dropdown, select Web_Server.
8. Select Add and the network peering will be setup.

Clean-up: If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to
stop compute resources after completing each lesson. When you're working in your own subscription, it's also a good
idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost
you money. You can delete resources individually or delete the resource group to delete the entire set of resources.
Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
activity.
Exemplar: Configure Azure Firewall
Introduction: In the exercise Configure Azure Firewall you were tasked to configure and deploy an Azure Standard
Firewall to protect the Sam’s Scoops network. You also had to enable remote access to their virtual machine where the
webserver will be installed and set up firewall rules to allow DNS traffic and access to the Google website. Lastly you had
to allow advanced threat protection by enabling alert and deny rules.
This exemplar serves as a solution to the exercise and includes screenshots that demonstrates the steps you had to take.

Case study: Earlier you deployed a virtual machine for the Sam’s Scoops webserver and also set up a hub-spoke network
topology. The next step was to ensure the network is protected centrally by installing an Azure Standard Firewall. You
also had to allow an external web developer to set up the webserver by providing remote access to the VM, as well as
access to additional protocols.

Instructions
Step 1: Firewall deployment
Traffic on the Sam’ Scoops network will fluctuate since demand for its products will most likely increase over weekends,
holidays and hot weather. That’s why an Azure Standard Firewall is the best fit for the business. To deploy the Azure
Standard Firewall on the Firewall-Hub 192.168.1.0 subnet follow these steps:
1. Sign into your Azure subscription from the Azure portal.

1. On the Azure home page select Firewalls under the Azure services bar.

1. Select Create Firewall.

1. Subscription: Select your subscription.
2. For the resource group, select the Firewall resource group from the dropdown, created in the earlier activity.
3. Give the firewall instance the name "ScoopsFirewall".
4. For the region, select the same location that you have used previously.
5. For the Firewall SKU, select Standard from the Firewall SKU selection boxes.
6. For Firewall management, select Use Firewall rules (classic) to manage this firewall.
7. For Choose a virtual network, select Use existing and select the Firewall-Hub network for the virtual network
created in a previous activity.
8. For the Public IP address, select Add new and give it the name "FirewallScoops", select OK.
1. Select Review + create then create. The firewall will now be deployed.
Step 2: Firewall application rules creation
The web server will need access to Google once it is set up, so you need to set up an application rule to allow outbound
access. To do this, follow these steps:
1. From the Azure services bar select Resource groups.
1. Open the Firewall resource group, and select the ScoopsFirewall firewall.

1. On the ScoopsFirewall page, under Settings, select Rules (classic).

1. Select the Application rule collection tab.

1. Select Add application rule collection.

2. For Name, type "AppRule1".
3. For Priority, type "200".
4. For Action, select Allow.
5. Under Rules, Target FQDNs, for Name, type "Allow-Google".
6. For Source type, select IP address.
 7. Type 172.16.1.0/24 for the source.
8. For Protocol:port, type "http, https".
9. For Target FQDNS, type "www.google.com".

1. Select Add and after a short time the rule will be created.

Step 3: Firewall network rule creation

The web server will also need to use DNS to resolve IP addresses so you need to create a network rule to allow this.
Follow these steps to do this:
1. Select the Network rule collection tab.
2. Select Add network rule collection.

1. For Name, type "Net-Rule1".

2. For Priority, type "200".
3. For Action, select Allow.
4. Under Rules, IP addresses, for Name, type "Allow-DNS".
5. For Protocol, select UDP.
6. For Source type, select IP address.
7. Type 172.16.1.0/24 for the Source.
8. For Destination type select IP address.
9. For Destination address, type 209.244.0.3,209.244.0.4 (These are public DNS servers operated by Level3).
10. For Destination Ports, type "53".
 1. Select Add.

Step 4: Firewall NAT rules creation

To allow the web developer to set up the web server you need to provide remote access to the VM. Follow these steps
to create a destination NAT rule for RDP:
1. Select the NAT rule collection tab.
2. Select Add NAT rule collection.
1. For Name, type " rdp".
2. For Priority, type "200".
3. Under Rules, for Name, type "rdp-nat2".
4. For Protocol, select TCP.
5. For Source type, select IP address.
6. Type "*.(* = anything)" for the Source.
7. For Destination address, type the firewall public IP address.
8. For Destination Ports, type "3389".
9. For Translated address, type the SamScoopsWeb virtual machines private IP address.
10. For Translated port, type "3389".
 1. Select Add.

Step 5: Advanced threat protection

Earlier you learned that one of the great advantages of using the Azure Standard Firewall is that you can create rules
automatically for threat using Threat Intelligence. By by default the firewall is set to only create threat alerts. Follow
these steps to enable the alert and deny option.
1. On the ScoopsFirewall page, under Settings, select Threat intelligence.
 1. For Threat intel mode select Alert and deny.

1. Select Save.
Clean-up:
Note: Once you have finished with this exercise please delete the Standard Firewall as it cannot be powered off and you
will continue being charged if it stays active. If you are using your own Azure subscription, it is recommended that you
follow the clean-up instructions to stop compute resources after completing each lesson. Please refer to the reading,
Clean up resources for instructions on how to delete resources after you've completed the exercise.
Exemplar: Secure ports with JIT
Introduction: You have previously configured an Azure standard firewall to protect a virtual network hosting a virtual
machine. You have also learned that some ports are still exposed so that virtual machines can be managed remotely
within Azure. JIT can help reduce this exposure and in this exercise you implemented JIT so that SSH and RDP sessions
can be used to manage a virtual machine.

Case study: Now that the Azure firewall is protecting the Sam Scoops web server, the server is nearly ready to be
handed over to the website developers. However the management ports needed to develop the server are exposed
24/7 and your manager has tasked you to reducing this exposure using JIT.

Instructions: For this exercise to be successful the exercise Create a Windows virtual machine in the Azure portal from
Lesson 2 has to have been completed and the machine needs to still be present. If not please revisit that exercise first.
Step 1: Enable Azure Defender for cloud
This is a free 30-day trial that converts to a paid for subscription after the 30 days.
1. From the Azure home page, search for and select Virtual machines.

2. Select the SamScoopsWeb virtual machine.

3. Select Configuration from the left-hand side menu.

4. Select Upgrade your Microsoft Defender for Cloud subscription to enable a just-in-time access.
5. Select Upgrade on the Microsoft Defender for Cloud page.

6. Select continue without installing agents on the right-hand side.

Step 2: Enable JIT access
1. From the Azure homepage, search for and select Virtual machines.

2. Select the SamScoopsWeb virtual machine.

3. In the left-hand menu, select Configuration.

4. Select Enable just-in-time.

Step 3: Configure JIT policies for SSH and RDP from Microsoft Defender for Cloud
1. From the SamScoopsWeb Configuration page select Open Microsoft Defender for Cloud.

2. From the Configured tab, right-click on the VM to which you want to add a port, and select edit.
3. To add SSH select Add and add the port number for SSH which is 22.

4. Select TCP and leave the defaults.

5. Select OK.
Step 4: Test remote access
1. Select Microsoft Azure at the top of the page to take you back to the portal home page.
2. Search for and select Virtual machines.

3. Select the SamScoopsWeb virtual machine.

4. Select Start to power on virtual machine from top of page.

5. Select Connect from the left-hand menu.

6. Select Request access.

7. Select Download RDP file.

8. Select the downloaded RDP file from your downloads folder.
9. Select Connect.

10. Enter the username AzAdmin and the password P@$$@1234567 and select OK.
You have now connected to the webserver using JIT access and you should see a window like the one below.

Clean-up
Exemplar: Shield virtual machines using Bastion
Introduction: Previously you have protected virtual machines using the Azure firewall filtering traffic to only allow
permitted traffic. You have also protected a virtual machine’s management ports using JIT, but the management ports
were still exposed when in use. In this exercise, you reduced the threat exposure to a virtual machine further, by
shielding it with Azure Bastion.

Case study: Sam’s Scoops web server is online with an Azure firewall and JIT protection but Sam now wants to protect
this asset further by enabling Azure Bastion. You have been tasked to setup Azure Bastion to product the Sam’s Scoops
web server.

Instructions: For this exercise to be successful the exercise Create a Windows virtual machine in the Azure portal from
Week 1, Lesson 2 has to have been completed and the machine must still be present. If not, please revisit that exercise
first.
Step 1: Set up and configure Azure Bastion for the SamScoopsWeb VM
1. From the Azure portal home page use the search function to find Virtual networks and select it.

1. Select the Web_Server network.

1. On the page for the virtual network, in the left pane, select Bastion to open the Bastion page.

1. On the Bastion page, select I want to configure Azure Bastion on my own.

1. On the Create a Bastion page, configure the settings for the Bastion host. To configure the instance details give
the instance a Name, "SamScoops". For the Region, select the same region you chose for your SamScoopsWeb
VM. For the Tier, select Standard. Leave the instance at the default of 2.

1. Configure the virtual networks settings by selecting the Web_server VNet from the dropdown menu.
2. To configure the AzureBastionSubnet, select Manage subnet configuration.
1. On the subnets page select +Subnet. Create the AzureBastionSubnet subnet using the following values. The
subnet name must be "AzureBastionSubnet". The subnet address range for SamScoops is 172.16.2.0/24. Leave
the other values as default. Select Save at the bottom of the page to save your values.

1. At the top of the Subnets page, select Create a Bastion to return to the Bastion configuration page.
1. Select Create new under Public IP address You can leave the default naming suggestion.
2. When you finish specifying the settings, select Review + Create. This validates the values.

1. Once validation passes, you can deploy Bastion. Select Create.

There will be a message letting you know that your deployment is in process. The status will display on this page as the
resources are created. It takes about 10 minutes for the Bastion resource to be created and deployed.

Step 2: Testing the Azure Bastion connection

1. In the Azure portal, search and select Virtual machines.
1. Select the SamScoopsWeb VM.

1. At the top of the page, select Connect.

1. From the IP address drop down select Private IP address.

1. Select Request access.

You’ll note a message in the top right corner saying that the request has been approved.

1. At the top of the page, select Bastion to go to the Bastion page.

2. Select Use Bastion.
 1. Complete the required authentication values. In this case, for the SamScoops VM the username is AzAdmin and
P@$$@1234567 is the password.
2. To open the VM session in a new browser tab, leave Open in a new browser tab selected.
3. Click Connect to connect to the VM.

The connection to this virtual machine, via Bastion, will open directly in the Azure portal (over HTML5) using port 443
and the Bastion service.
Clean-up
Exemplar: Microsoft Sentinel with Microsoft Defender data connectors
Introduction: At this point, you are familiar with Microsoft Sentinel, which serves as a central viewpoint for alerts and
incidents from Microsoft Azure and Microsoft 365 Defender. You completed an exercise to Implement Microsoft Sentinel
with Microsoft data connectors. In this exercise, you had to configure data connectors from the different services that
Sam’s Scoops use to feed information into the Sentinel portal. This exemplar will guide you through the steps of the
exercise with screenshots that demonstrate the correct actions that you had to take.

Case study: Sam’s Scoops are benefiting from using several Azure. They have virtual machines with Azure Bastion, JIT,
and Azure firewalls protecting their environment. They have also acquired a Microsoft 365 tenant and are making the
most of Microsoft 365 Defender to protect the services and users in the business.

Instructions: You have been tasked with bringing the generated data from all these services to a central place. You will
do this by deploying Microsoft Sentinel and using the built-in data connectors to connect the different services Sam’s
Scoops is using. Review the steps below.
Step 1: Deploy Microsoft Sentinel and a log analytics workspace
1. From the Azure portal home page, search for and select Microsoft Sentinel.

1. Select Create Microsoft Sentinel.

1. Select Create a new workspace.

1. Your current subscription will be already selected. Fill in the following deployment details for a log analytics
workspace:
 Resource group: RG_Web_Server.
 Instance name: SamScoops.
 Region: The region will be prepopulated with the Resource group’s current region.
1. Select Review + Create.
1. Select Create.

1. After a few seconds a new workspace is created. Select SamScoops.

2. Select Add.
 1. Select OK when the notification of the activation of Microsoft Sentinel’s free trial appears.

Step 2: Configure data connectors

1. On the Get started page select Go to content hub.
1. On the Content hub page, select Azure Active Directory from the list and then select Install.

1. After a few seconds, the connector will install. Select Manage on the Azure Active Directory pop-up.
1. You now need to configure the connector. To do this, select Azure Active Directory from the list.
2. Select Open connector page.

1. Scroll down and select all the logs from the list and then select Apply Changes. Data will now be collected from
Azure Active Directory.
1. Navigate back by selecting Microsoft Sentinel|Content hub at the top of the page.
1. Type Defender in the search bar.

1. Select Microsoft 365 Defender and then select Install.

1. After a few seconds, the connector will install. Then select Manage for Microsoft 365 Defender.

1. You now need to configure the connector. To do this, select Microsoft 365 Defender.
2. Select Open connector page.
1. Scroll down and select Connect incidents & alerts.

1. Scroll down and select the tick box next to Name under Microsoft Defender for Endpoint.
1. Scroll down and select the tick box next to Name under Microsoft Defender Alerts.
2. Select Apply Changes.

1. Navigate back to the Content hub page by selecting Microsoft Sentinel|Content hub at the top of the page.
Step 3: Review implementation
1. Select Data connectors from the left-hand menu.

1. Filter the output by selecting Status and then selecting Connected and Apply.
 1. Record how many connectors have been connected.
Clean-up: If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to
stop compute resources after completing each lesson. When you're working in your own subscription, it's also a good
idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost
you money. You can delete resources individually or delete the resource group to delete the entire set of resources.
Please refer to the reading, Clean up resources for instructions on how to delete resources after you've completed the
exercise.

Conclusion: This exemplar guided you through the steps to configure Microsoft Sentinel to collect data from Azure
Active Directory and Microsoft 365 Defender. Any events that now happen within these products will be captured by the
Sentinel portal offering one place for Sam’s Scoops to access all incidents and alerts.
Exercise: Securing virtual machines
Introduction: Thus far, you have learned how to build and protect a virtual machine hosted within Microsoft Azure using
different services like Azure Firewall, Bastion, and Microsoft 365 Defender. You also learned about Microsoft Sentinel, an
infrastructure monitoring solution as well as other Microsoft Defender products for Cloud, Endpoint, Identity, and Office
365, and how they can be used to protect different aspects of a network using the Microsoft 365 Defender portal.
During the course you have joined Sam’s Scoops in exploring some of these services that can protect a virtual machine
running web services for Sam’s Scoops. You completed a number of exercises that would help protect the Sam’s Scoops
web VM; this included firewall protection, JIT and Bastion. You are now required to put this knowledge to the test by
performing a number of tasks to protect another small business.

Case study: A small business that provides IT services has a number of systems hosted in Microsoft Azure. The backend
systems are hosted on Azure virtual machines, and they need to be securely configured and protected from threats.
You have been hired as a security engineer to put together a testing environment using the many different Microsoft
security services. This testing environment will form the basis for how production VMs will be protected in the future for
this IT services provider.
Your employer would like you to setup protection for a virtual machine in Azure using JIT, Azure Bastion, and Azure
Standard Firewall. Once this has been setup, they would also like you to configure Microsoft Sentinel to monitor the
testing environment before it is deployed on the production network.

Instructions
Step 1: Virtual machine setup
To start building a testing environment, a virtual machine is needed first. Deploy a virtual machine in a new resource
group using the provided details in the table below. No public IP will be needed for this VM as Azure Bastion will be used
for remote access. Revisit the video about Spinning up a virtual machine for a reminder on how to create virtual
machines.
Resource Group name Services_Test
Region Choose A region near you
VNet Services_Test_Network
Network 172.16.0.0/16
Subnet name VMs
Subnet range 172.16.1.0/24
Virtual Machine name ServicesVM
Image Windows server 2022 Datacenter
Size Standard_DS1_v2
Username AzAdmin
Password P@$$@1234567
All other settings can be left as default. Once deployed, power on the machine.

Step 2: Hub network with VNet peering

Create a hub network with VNet peering to the Service_Test_Network, all inside a new resource group, ready for an
Azure Standard Firewall deployment. Use the following table for the configuration details. The activity about Resource
group and VNet creation will help you to remember how to create a hub and perform VNet peering.
 Resource Group name Services_Security
Region Same region you chose in step 1
Hub VNet name Services_Hub
Subnet 192.168.1.0/26
Subnet Template AzureFirewall
VNet Peering Name Hub_Test
Remote Virtual network peering link name Test_Hub
All other settings can be left as default. Once deployed, power on the machine.

Step 3: Azure Standard Firewall deployment

Deploy an Azure Standard Firewall within the hub network using the following configuration details. Refer back to the
video Azure Firewall deployment to remind you of all the necessary steps that need to be performed when deploying a
firewall.
Resource Group name Services_Security
Region Same region you chose in step 1
Firewall Name ServicesFirewall
Firewall SKU Standard
Firewall Management Use firewall rules (classic) to manage this firewall
Virtual network name Services_Secruity_Network
Public IP Add new
Public IP name Services
All other settings can be left as default.

Step 4: Just in Time Access (JIT)setup

Enable JIT access on the ServicesVM. RDP access is enabled by default. To remind you of the steps for enabling JIT access
refer back to the video Implementing just-in-time access.

Step 5: Azure Bastion configuration

Configure Azure Bastion for the ServicesVM. Refer back to the video Bastion and virtual machines for a reminder of the
steps. Refer to the table below for configuration details.
Instance Name Services_Bastion
Region Same region you chose in step 1
Tier Standard
VNet Services_Test_Network
Subnet AzureBastionSubnet
Subnet Range 172.16.2.0
All other settings can be left as default.
Step 6: Testing remote connectivity
Use Azure Bastion with JIT and connect to the Services VM using RDP to confirm that the deployment is working. Refer
back to the video Bastion and virtual machines for a reminder of the steps.

Step 7: Implement Microsoft Sentinel

Implement Microsoft Sentinel so you’re ready for testing and training. If you need a reminder of the steps to do so, refer
back to the video Microsoft Sentinel. Use the following table for the configuration details.
Workspace Instance name ServiceSentinel
Resource group Services_Test

Clean-up: If you are using your own Azure subscription, it is recommended that you follow the clean-up instructions to
stop compute resources after completing each lesson. When you're working in your own subscription, it's also a good
idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost
you money. You can delete resources individually or delete the resource group to delete the entire set of resources.
Please refer to the reading, Clean up resources for instructions on how to delete resources after you’ve completed the
exercise. Remember to also delete the Standard Firewall as it cannot be powered off and you will continue being
charged if it stays active.