Microsoft Entra ID Security
Entra ID (formerly Azure Active Directory) is the identity foundation for AZ-500. Privileged Identity Management (PIM): just-in-time privileged access — eligible assignments require activation (MFA, justification, approval), time-limited role assignments, access reviews audit who still needs elevated roles. Conditional Access: policy engine that evaluates sign-in signals (identity, location, device, application, risk level) and enforces access requirements (block, allow, require MFA, require compliant device). Named locations allow/block sign-ins from specific IP ranges or countries. Risk-based Conditional Access: uses Entra ID Protection risk detections (anonymous IP, atypical travel, password spray, leaked credentials) to trigger step-up authentication or block access automatically. Identity Protection generates user risk scores and sign-in risk scores — policies automatically remediate risky sign-ins. Passwordless authentication: Windows Hello for Business (biometric), FIDO2 security keys, Microsoft Authenticator app (phone sign-in) — eliminates password spray and phishing risk.
Azure Network Security
AZ-500 network security starts with segmentation. Network Security Groups (NSGs): stateful firewall rules attached to subnets or NICs — rules are priority-ordered and the lowest number wins; the built-in default rules deny all inbound traffic and allow all outbound traffic. Application Security Groups (ASGs): group VMs by workload role (web tier, app tier, DB tier) and reference the group in NSG rules — no more rule sprawl from managing individual IPs. Azure Firewall: managed stateful firewall service with capabilities an NSG lacks (FQDN filtering, threat intelligence feeds). Azure Firewall Premium adds IDPS (Intrusion Detection and Prevention System), TLS inspection (TLS termination), URL filtering, and web categories. Azure DDoS Protection Standard: automatic mitigation of volumetric and protocol attacks, access to the DDoS rapid response team, attack analytics and mitigation reports. Azure Bastion: managed jump host deployed in your VNet — RDP/SSH to VMs over HTTPS from the Azure portal, with no public IPs required on the target VMs. Just-in-time (JIT) VM access: keeps management ports (22, 3389) closed until access is explicitly requested — the opening is time-limited and IP-restricted.
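An added example, not from the original page, that models NSG inbound evaluation in Python to make the priority semantics concrete: the lowest number wins and the first match stops evaluation, ASGs substitute workload membership for IP lists, and Azure's default rules (AllowVnetInBound at 65000, DenyAllInBound at 65500) decide only when nothing explicit matches. The VNet range, ASG membership and rule set are constructed assumptions, and only two of the default inbound rules are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of NSG inbound evaluation: rules are tried in ascending
# priority and the first match decides, so an Allow at 100 beats a Deny at 110.
@dataclass
class Rule:
    name: str
    priority: int
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, service tag, ASG name or "*"
    dest: str
    dest_port: str   # "443", "1000-2000" or "*"

VNET = ["10.0.0.0/16"]                                                  # assumed VNet space
ASGS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-app": {"10.0.2.4"}}  # assumed ASG members
DEFAULT_INBOUND = [  # two of the default rules Azure attaches to every NSG
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]
RULES = [  # constructed custom rules for a web/app subnet
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "asg-web", "443"),
    Rule("DenyInternetInBound", 110, "Deny", "*", "Internet", "*", "*"),
    Rule("AllowAppFromWeb", 200, "Allow", "Tcp", "asg-web", "asg-app", "8080"),
]

def addr_match(spec: str, ip: str) -> bool:
    if spec in ASGS:                       # ASG: match on workload membership, not IP lists
        return ip in ASGS[spec]
    if spec == "VirtualNetwork":
        return any(ip_address(ip) in ip_network(n) for n in VNET)
    if spec == "Internet":                 # simplified: anything outside the VNet
        return not addr_match("VirtualNetwork", ip)
    return spec == "*" or ip_address(ip) in ip_network(spec)

def port_match(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def evaluate(rules, proto, src, dst, port):
    """Return (access, rule name) of the first rule matching an inbound flow."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x.priority):
        if (r.protocol in ("*", proto) and addr_match(r.source, src)
                and addr_match(r.dest, dst) and port_match(r.dest_port, port)):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches every inbound flow")
```

Note that intra-VNet traffic on port 22 between the two tiers is still allowed by the default AllowVnetInBound rule; segmentation between tiers needs an explicit deny at a lower priority number.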
Azure Key Vault and Data Encryption
Key Vault is central to AZ-500 data security. Store secrets (connection strings, passwords, API keys), keys (RSA/EC for encryption and signing — software- or HSM-protected), and certificates (X.509 certificates with auto-renewal from integrated CAs). Access policies vs Azure RBAC: the modern approach is Azure RBAC roles (Key Vault Administrator, Key Vault Secrets Officer, Key Vault Reader), which grant individual permissions to secrets, keys, or certificates. Soft delete and purge protection: soft delete retains deleted objects for 7-90 days, and purge protection prevents permanent deletion during the retention period — required for CMK compliance. Azure Disk Encryption: encrypts OS and data disks using BitLocker (Windows) or dm-crypt (Linux) with keys stored in Key Vault. Storage Service Encryption: AES-256 encryption at rest for Azure Storage — always on, cannot be disabled. Customer-Managed Keys (CMK): you control the encryption key — if you rotate or revoke the key, the data becomes inaccessible. Double encryption: infrastructure encryption (Azure-managed key) layered with CMK for maximum compliance.
Microsoft Defender for Cloud
Defender for Cloud (formerly Azure Security Center + Azure Defender) provides unified security management and threat protection. Secure Score: quantified measure of your security posture — each recommendation has a score impact, addressing high-impact recommendations raises the score fastest. Security recommendations categorised by MCSB (Microsoft Cloud Security Benchmark): the standard Azure aligns to for security posture. Defender plans: Defender for Servers (vulnerability assessment, EDR integration with Defender for Endpoint, file integrity monitoring, JIT VM access), Defender for SQL (advanced threat protection, vulnerability assessment for Azure SQL and SQL on VMs), Defender for Storage (detect suspicious access patterns, malware scanning for blob uploads), Defender for Containers (GKE and EKS support, image scanning, Kubernetes threat detection), Defender for App Service (detects web app attacks). CSPM (Cloud Security Posture Management): Foundational CSPM is free (basic recommendations), Defender CSPM adds governance rules, attack path analysis, and agentless scanning.
Microsoft Sentinel and Security Operations
Microsoft Sentinel is Azure's cloud-native SIEM and SOAR platform. Data connectors ingest signals from Microsoft 365, Azure, Entra ID, Defender products, and 200+ third-party sources. Analytics rules: scheduled query rules (KQL queries run on a schedule, create incidents when conditions are met), near-real-time rules (high-frequency alerting), Microsoft Security rules (promote alerts from Defender products to Sentinel incidents). KQL (Kusto Query Language) is the query language for Sentinel — AZ-500 expects basic KQL for writing and interpreting analytics rules. Workbooks: Sentinel dashboards for visualising security data — built-in templates for Common Events, Azure Activity, and Defender products. Incidents: aggregated alerts with entity mapping (user, host, IP, URL) — analysts triage, investigate, and close incidents. Automation rules: trigger on incident creation/update, assign, tag, run playbooks. Playbooks: Logic Apps workflows triggered by Sentinel — automate response (block IP in firewall, disable user account, send Teams notification). UEBA (User and Entity Behaviour Analytics): Sentinel builds behavioural baselines and surfaces anomalies.
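An added example, not part of the original page, of the logic a scheduled analytics rule expresses for password-spray detection: one source IP failing against many distinct accounts inside the lookback window, which is the signal Entra ID Protection and a KQL rule both key on. The Python mirrors the KQL in the comment and runs over constructed SigninLogs-style rows; the threshold, window and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SigninLogs-style rows (TimeGenerated, UserPrincipalName, IPAddress,
# ResultType); constructed sample data, not real telemetry. ResultType "0" is a
# successful sign-in and "50126" is Entra ID's invalid username/password error.
SAMPLE_SIGNINS = [
    ("2024-05-01T09:01:00Z", "alice@contoso.example", "198.51.100.9", "50126"),
    ("2024-05-01T09:01:05Z", "bob@contoso.example",   "198.51.100.9", "50126"),
    ("2024-05-01T09:01:11Z", "carol@contoso.example", "198.51.100.9", "50126"),
    ("2024-05-01T09:01:17Z", "dave@contoso.example",  "198.51.100.9", "50126"),
    ("2024-05-01T09:01:22Z", "erin@contoso.example",  "198.51.100.9", "50126"),
    ("2024-05-01T09:01:30Z", "frank@contoso.example", "198.51.100.9", "0"),
    ("2024-05-01T09:20:00Z", "grace@contoso.example", "203.0.113.5",  "50126"),
    ("2024-05-01T09:20:03Z", "grace@contoso.example", "203.0.113.5",  "50126"),
    ("2024-05-01T09:20:07Z", "grace@contoso.example", "203.0.113.5",  "50126"),
    ("2024-05-01T06:30:00Z", "heidi@contoso.example", "192.0.2.44",   "50126"),
    ("2024-05-01T09:45:00Z", "alice@contoso.example", "10.0.0.12",    "0"),
]

# The same logic as a Sentinel scheduled analytics rule in KQL (run hourly, lookback 1h):
#   SigninLogs
#   | where TimeGenerated > ago(1h) and ResultType == "50126"
#   | summarize DistinctUsers = dcount(UserPrincipalName), Attempts = count() by IPAddress
#   | where DistinctUsers >= 5
# Map IPAddress to the IP entity so the incident can drive a block-IP playbook.

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, now, window=timedelta(hours=1), min_users=5):
    """Return {ip: finding} for source IPs that failed against at least `min_users`
    distinct accounts in the lookback window (many failures on one account is brute
    force, not spray). Accounts that signed in successfully from that IP are listed."""
    cutoff = now - window
    failed_users, attempts, succeeded = defaultdict(set), defaultdict(int), defaultdict(set)
    for ts, upn, ip, result in events:
        if parse_ts(ts) < cutoff:          # outside the rule's lookback
            continue
        if result == "50126":
            failed_users[ip].add(upn)
            attempts[ip] += 1
        elif result == "0":
            succeeded[ip].add(upn)
    return {
        ip: {"distinct_users": len(users), "attempts": attempts[ip],
             "succeeded_from_ip": sorted(succeeded[ip])}
        for ip, users in failed_users.items() if len(users) >= min_users
    }
```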