AZ-500 Azure Security Technologies Study Guide
--
I passed my AZ-500 exam in January 2020. The exam consisted of around 50 MCQs and 1 case study, and had a time limit of 3 hours. You can find my Azure Security Engineer Badge here:
What follows is the study guide I created based on the exam skills outline to help me prepare. Hope this helps you too. Cheers!
Manage identity and access (30–35%)
Manage Azure Active Directory identities
Configure security for service principals
Manage Azure AD directory groups | Manage Azure AD users
- https://docs.microsoft.com/en-us/learn/modules/manage-users-and-groups-in-aad/
- https://docs.microsoft.com/en-us/learn/modules/create-users-and-groups-in-azure-active-directory/
Configure password writeback
Configure authentication methods including password hash and Pass Through Authentication (PTA), OAuth, and passwordless
- https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
- https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
- https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start
- https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
- https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
- https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless
Transfer Azure subscriptions between Azure AD tenants
Configure secure access by using Azure AD
Monitor privileged access for Azure AD Privileged Identity Management (PIM)
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user?tabs=new
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts?tabs=new
Configure Access Reviews
Activate and configure PIM
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Implement Conditional Access policies including Multi-Factor Authentication (MFA)
- https://docs.microsoft.com/en-us/learn/modules/secure-aad-users-with-mfa/
- https://docs.microsoft.com/en-us/learn/modules/allow-users-reset-their-password/
Configure Azure AD identity protection
- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
Manage application access
Create App Registration
Configure App Registration permission scopes
- https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis
- https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
Manage App Registration permission consent
- https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal
- https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests
- https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
- https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-app-consent-policies
- https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-application-permissions
Manage API access to Azure subscriptions and resources
Manage access control
Configure subscription and resource permissions | Configure resource group permissions
- https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/
- https://docs.microsoft.com/en-us/learn/modules/secure-azure-resources-with-rbac/
- https://docs.microsoft.com/en-us/learn/modules/manage-subscription-access-azure-rbac/
Configure custom RBAC roles
Identify the appropriate role | Apply principle of least privilege | Interpret permissions
- https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions
- https://docs.microsoft.com/en-us/azure/role-based-access-control/scope-overview
- https://docs.microsoft.com/en-us/azure/role-based-access-control/best-practices
Check access
Implement platform protection (15–20%)
Implement advanced network security
Secure the connectivity of virtual networks (VPN authentication, Express Route encryption)
Configure Network Security Groups (NSGs) and Application Security Groups (ASGs) | Implement Service Endpoints
Create and configure Azure Firewall
Implement Azure Firewall Manager
- https://docs.microsoft.com/en-us/azure/firewall-manager/overview
- https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview
- https://docs.microsoft.com/en-us/azure/firewall-manager/deployment-overview
Configure Azure Front Door service as an Application Gateway
- https://docs.microsoft.com/en-us/azure/frontdoor/front-door-overview
- https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door
Configure a Web Application Firewall (WAF) on Azure Application Gateway | Configure Azure Bastion
- https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal
- https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
- https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
Configure a firewall on a storage account, Azure SQL, KeyVault, or App Service
- https://docs.microsoft.com/en-us/azure/key-vault/general/network-security
- https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
- https://docs.microsoft.com/en-us/azure/azure-sql/database/secure-database-tutorial
Implement DDoS protection
Configure advanced security for compute
Configure endpoint protection
Configure and monitor system updates for VMs
Configure authentication for Azure Container Registry
Configure security for different types of containers
Implement vulnerability management
Configure isolation for AKS
- https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-kubernetes-service/
- https://docs.microsoft.com/en-us/azure/aks/concepts-security
Configure security for container registry
Implement Azure Disk Encryption
Configure authentication and security for Azure App Service
Configure SSL/TLS certs
- https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate
- https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings
Configure authentication for Azure Kubernetes Service
Configure automatic updates
Manage security operations (25–30%)
Monitor security by using Azure Monitor
Create and customize alerts
- https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview
- https://docs.microsoft.com/en-us/learn/modules/incident-response-with-alerting-on-azure/
Monitor security logs by using Azure Monitor
Configure diagnostic logging and log retention
Monitor security by using Azure Security Center
Evaluate vulnerability scans from Azure Security Center
Configure Just in Time VM access by using Azure Security Center
Configure centralized policy management by using Azure Security Center
Configure compliance policies and evaluate for compliance by using Azure Security Center
Monitor security by using Azure Sentinel
Create and customize alerts | Configure data sources to Azure Sentinel | Evaluate results from Azure Sentinel
- https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-sentinel/
- https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources
- https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom
Configure workflow automation by using Azure Sentinel
Configure security policies
Configure security settings by using Azure Policy
Configure security settings by using Azure Blueprint
Configure a playbook by using Azure Sentinel
Secure data and applications (20–25%)
Configure security for storage
Configure access control for storage accounts
- https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal
- https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal?toc=/azure/storage/blobs/toc.json
Configure key management for storage accounts
Configure Azure AD authentication for Azure Storage
Configure Azure AD Domain Services authentication for Azure Files
Create and manage Shared Access Signatures (SAS)
Create a shared access policy for a blob or blob container
Configure Storage Service Encryption
Configure Azure Defender for Storage
Configure security for databases
Enable database authentication
Enable database auditing
Configure Azure Defender for SQL
Configure Azure SQL Database Advanced Threat Protection
Implement database encryption
Implement Azure SQL Database Always Encrypted
Configure and manage Key Vault
Manage access to Key Vault
Manage permissions to secrets, certificates, and keys | Manage certificates | Manage secrets
Configure RBAC usage in Azure Key Vault
Configure key rotation
Backup and restore of Key Vault items
- https://docs.microsoft.com/en-us/azure/key-vault/general/backup
- https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-portal
Configure Azure Defender for Key Vault