In the MCA Microsoft Certified Associate Azure Security Engineer Study Guide: Exam AZ-500, cybersecurity veteran Shimon Brathwaite walks you through every step you need to take to prepare for the MCA Azure Security Engineer certification exam and a career in Azure cybersecurity. You’ll find coverage of every domain competency tested by the exam, including identity management and access, platform protection implementation, security operations management, and data and application security.
You’ll learn to maintain the security posture of an Azure environment, implement threat protection, and respond to security incident escalations. Readers will also find: - Efficient and accurate coverage of every topic necessary to succeed on the MCA Azure Security Engineer exam - Robust discussions of all the skills you need to hit the ground running at your first - or next - Azure cybersecurity job - Complementary access to online study tools, including hundreds of bonus practice exam questions, electronic flashcards, and a searchable glossary
The MCA Azure Security Engineer AZ-500 exam is a challenging barrier to certification. But you can prepare confidently and quickly with this latest expert resource from Sybex. It’s ideal for anyone preparing for the AZ-500 exam or seeking to step into their next role as an Azure security engineer.
Table of Contents
Introduction xix
Assessment Test xxv
Chapter 1 Introduction to Microsoft Azure 1
What Is Microsoft Azure? 3
Cloud Environment Security Objectives 4
Confidentiality 4
Integrity 4
Availability 5
Nonrepudiation 5
Common Security Issues 5
Principle of Least Privilege 5
Zero- Trust Model 6
Defense in Depth 6
Avoid Security through Obscurity 9
The AAAs of Access Management 9
Encryption 10
End- to- End Encryption 11
Symmetric Key Encryption 11
Asymmetric Key Encryption 11
Network Segmentation 13
Basic Network Configuration 13
Unsegmented Network Example 14
Internal and External Compliance 15
Cybersecurity Considerations for the Cloud Environment 16
Configuration Management 17
Unauthorized Access 17
Insecure Interfaces/APIs 17
Hijacking of Accounts 17
Compliance 18
Lack of Visibility 18
Accurate Logging 18
Cloud Storage 18
Vendor Contracts 19
Link Sharing 19
Major Cybersecurity Threats 19
DDoS 19
Social Engineering 20
Password Attacks 21
Malware 21
Summary 24
Exam Essentials 24
Review Questions 26
Chapter 2 Managing Identity and Access in Microsoft Azure 29
Identity and Access Management 31
Identifying Individuals in a System 31
Identifying and Assigning Roles in a System and to an Individual 32
Assigning Access Levels to Individuals or Groups 33
Adding, Removing, and Updating Individuals and Their Roles in a System 33
Protecting a System’s Sensitive Data and Securing the System 33
Enforcing Accountability 34
IAM in the Microsoft Azure Platform 34
Creating and Managing Azure AD Identities 34
Managing Azure AD Groups 37
Managing Azure Users 39
Adding Users to Your Azure AD 39
Managing External Identities Using Azure AD 40
Managing Secure Access Using Azure Active Directory 42
Implementing Conditional Access Policies, Including MFA 44
Implementing Azure AD Identity Protection 45
Enabling the Policies 47
Implement Passwordless Authentication 50
Configuring an Access Review 52
Managing Application Access 57
Integrating Single Sign- On and Identity Providers for Authentication 57
Creating an App Registration 58
Configuring App Registration Permission Scopes 58
Managing App Registration Permission Consent 59
Managing API Permission to Azure Subscriptions 60
Configuring an Authentication Method for a Service Principal 61
Managing Access Control 62
Interpret Role and Resource Permissions 62
Configuring Azure Role Permissions for Management Groups, Subscriptions, Resource Groups, and Resources 63
Assigning Built- In Azure AD Roles 64
Creating and Assigning Custom Roles, Including Azure Roles and Azure AD Roles 65
Summary 66
Exam Essentials 67
Review Questions 70
Chapter 3 Implementing Platform Protections 73
Implementing Advanced Network Security 75
Securing Connectivity of Hybrid Networks 75
Securing Connectivity of Virtual Networks 77
Creating and Configuring Azure Firewalls 78
Azure Firewall Premium 79
Creating and Configuring Azure Firewall Manager 82
Creating and Configuring Azure Application Gateway 82
Creating and Configuring Azure Front Door 87
Creating and Configuring a Web Application Firewall 91
Configuring Network Isolation for Web Apps and Azure Functions 93
Implementing Azure Service Endpoints 94
Implementing Azure Private Endpoints, Including Integrating with Other Services 97
Implementing Azure Private Link 98
Implementing Azure DDoS Protection 101
Configuring Enhanced Security for Compute 102
Configuring Azure Endpoint Protection for VMs 102
Enabling Update Management in Azure Portal 104
Configuring Security for Container Services 108
Managing Access to the Azure Container Registry 109
Configuring Security for Serverless Compute 109
Microsoft Recommendations 111
Configuring Security for an Azure App Service 112
Exam Essentials 118
Review Questions 122
Chapter 4 Managing Security Operations 125
Configure Centralized Policy Management 126
Configure a Custom Security Policy 126
Create Custom Security Policies 127
Creating a Policy Initiative 128
Configuring Security Settings and Auditing by Using Azure Policy 129
Configuring and Managing Threat Protection 130
Configuring Microsoft Defender for Cloud for Servers (Not Including Microsoft Defender for Endpoint) 131
Configuring Microsoft Defender for SQL 134
Using the Microsoft Threat Modeling Tool 139
Azure Monitor 147
Visualizations in Azure Monitor 148
Configuring and Managing Security Monitoring Solutions 149
Creating and Customizing Alert Rules by Using Azure Monitor 149
Configuring Diagnostic Logging and Retention Using Azure Monitor 157
Monitoring Security Logs Using Azure Monitor 159
Microsoft Sentinel 167
Configuring Connectors in Microsoft Sentinel 170
Evaluating Alerts and Incidents in Microsoft Sentinel 175
Summary 176
Exam Essentials 177
Review Questions 179
Chapter 5 Securing Data and Applications 183
Configuring Security for Storage in Azure 184
Storage Account Access Keys 185
Configuring Access Control for Storage Accounts 185
Configuring Storage Account Access Keys 189
Configuring Azure AD Authentication for Azure Storage and Azure Files 191
Configuring Delegated Access for Storage Accounts 202
Configuring Security for Databases 220
Summary 254
Exam Essentials 255
Review Questions 257
Appendix A An Azure Security Tools Overview 261
Chapter 2, “Managing Identity and Access on Microsoft Azure” 262
Azure Active Directory (AD) 262
Microsoft Authenticator App 265
Azure API Management 265
Chapter 3, “Implementing Platform Protections” 266
Azure Firewall 266
Azure Firewall Manager 267
Azure Application Gateway 269
Azure Front Door 273
Web Application Firewall 273
Azure Service Endpoints 274
Azure Private Links 274
Azure DDoS Protection 275
Microsoft Defender for Cloud 276
Azure Container Registry 277
Azure App Service 278
Chapter 4, “Managing Security Operations” 279
Azure Policy 279
Microsoft Threat Modeling Tool 281
Microsoft Sentinel 287
How Does Microsoft Sentinel Work? 289
Automation 290
Chapter 5, “Securing Data and Applications” 290
Azure Key Vault 299
Appendix B Answers to Review Questions 301
Chapter 1: Introduction to Microsoft Azure 302
Chapter 2: Managing Identity and Access in Microsoft Azure 303
Chapter 3: Implementing Platform Protections 304
Chapter 4: Managing Security Operations 305
Chapter 5: Securing Data and Applications 306
Index 309