Training: Secure cloud resources with Microsoft security technologies (AZ-500)

Ref. AZ-500T00

Download PDF

Duration:

4

days

Exam:

Optionnel

Level:

Intermediate

Funding:

Eligible

Home > Trainings > IT Pro > Audit and Cybersecurity > Secure cloud resources with Microsoft security technologies (AZ-500)

Secure cloud resources with Microsoft security technologies training (AZ-500)

Cloud environment security represents a major strategic challenge for organizations today. With constantly evolving cyber threats, IT professionals must master the most advanced protection technologies. This training enables you to acquire the essential skills to effectively secure your Azure resources.

Protect your cloud infrastructure with Microsoft

Designed for security engineers and IT security professionals, this program covers all critical dimensions. You’ll learn to manage identity and access, protect virtual networks, and secure sensitive data. Each module combines theory and practice for direct application in your professional environments.

Participant Profiles

Azure security engineers
Engineers looking to specialize in security delivery for Azure-based digital platforms
Security engineers and administrators
Cloud infrastructure managers
Azure solution architects
Systems and network administrators
IT professionals transitioning to the cloud
Cybersecurity consultants

Objectives

Manage security controls for identity and access in Microsoft Entra ID
Configure secure access to enterprise applications and manage permissions
Protect public access with Azure Firewall and Application Gateway
Secure compute resources and containerized environments
Configure encryption and access controls for Azure Storage
Implement cloud governance policies with Azure Policy and Key Vault
Manage threat detection with Microsoft Defender for Cloud

Prerequisites

Having followed the course Microsoft Azure Administrator (AZ-104) or equivalent experience

Course Content

Module 1: Manage security controls for identity and access

Microsoft Cloud Security Benchmark: Identity management and privileged access
What is Microsoft Entra ID?
Secure Microsoft Entra users
Create a user in Microsoft Entra ID
Secure Microsoft Entra groups
Recommend when to use external identities
Secure external identities
Implement Microsoft Entra Identity Protection
Microsoft Entra Connect
Microsoft Entra Cloud Sync
Authentication options
Password hash synchronization with Microsoft Entra ID
Microsoft Entra pass-through authentication
Federation with Microsoft Entra ID
What is Microsoft Entra authentication?
Implement multi-factor authentication (MFA)
Kerberos authentication
New Technology LAN Manager (NTLM)
Passwordless authentication options for Microsoft Entra ID
Implement passwordless authentication
Implement password protection
Microsoft Entra ID single sign-on
Implement single sign-on (SSO)
Integrate single sign-on (SSO) and identity providers
Introduction to Microsoft Entra Verified ID
Configure Microsoft Entra Verified ID
Recommend and enforce modern authentication protocols
Azure management groups
Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
Azure role-based access control
Azure built-in roles
Assign Azure role permissions for management groups, subscriptions, resource groups, and resources
Microsoft Entra built-in roles
Assign built-in roles in Microsoft Entra ID
Microsoft Entra role-based access control
Create and assign a custom role in Microsoft Entra ID
Zero Trust security
Microsoft Entra Privileged Identity Management
Configure Privileged Identity Management
Microsoft Entra ID Governance
Identity lifecycle management
Lifecycle workflows
Entitlement management
Delegation and roles in entitlement management
Access reviews
Configure role management and access reviews using Microsoft Entra ID Governance
Implement Conditional Access policies for cloud resources in Azure
Azure Lighthouse overview

Module 2: Manage access to Microsoft Entra applications

Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
Manage application registrations in Microsoft Entra ID
Configure permission scopes for application registration
Manage application registration permission consent
Manage and use service principals
Manage managed identities for Azure resources
Recommend when to use and configure a Microsoft Entra application proxy, including authentication

Module 3: Plan and implement security for virtual networks

Microsoft Cloud Security Benchmark: Data protection, logging and threat detection, and network security
What is an Azure virtual network?
Azure Virtual Network Manager
Plan and implement network security groups (NSG) and application security groups (ASG)
Plan and implement User-Defined Routes (UDR)
Plan and implement virtual network peering or a virtual network gateway
Plan and implement a virtual wide area network, including a secure virtual hub
Secure VPN connectivity, including point-to-site and site-to-site
Azure encryption
What is Azure virtual network encryption?
Azure ExpressRoute
Implement encryption over ExpressRoute
Configure firewall settings on Azure resources
Monitor network security using Network Watcher

Module 4: Plan and implement security for private access to Azure resources

Plan and implement virtual network service endpoints
Plan and implement private endpoints
Plan and implement Private Link services
Plan and implement network integration for Azure App Service and Azure Functions
Plan and implement network security configurations for App Service Environment (ASE)
Plan and implement network security configurations for an Azure SQL Managed Instance

Module 5: Plan and implement security for public access to Azure resources

Plan and implement Transport Layer Security (TLS) protocol for applications, including Azure App Service and API Management
Plan, implement, and manage Azure Firewall, Azure Firewall Manager, and firewall policies
Plan and implement an Azure Application Gateway
Plan and implement a web application firewall
Plan and implement Azure Front Door, including content delivery network (CDN)
Recommend when to use Azure DDoS Protection Standard

Module 6: Plan and implement advanced security for compute

Plan and implement remote access to public endpoints, Azure Bastion, and just-in-time (JIT) access to virtual machines
What is Azure Kubernetes Service?
Configure network isolation for Azure Kubernetes Service (AKS)
Secure and monitor Azure Kubernetes Service
Configure authentication for Azure Kubernetes Service
Configure security for Azure Container Instances (ACI)
Configure security for Azure Container Apps (ACA)
Manage access to Azure Container Registry (ACR)
Configure disk encryption, Azure Disk Encryption (ADE), encryption at host, and confidential disk encryption
Recommend security configurations for Azure API Management

Module 7: Plan and implement security for storage

Azure Storage
Configure access control for storage accounts
Manage lifecycle for storage account access keys
Select and configure an appropriate method for access to Azure Files
Select and configure an appropriate method for access to Azure Blobs
Select and configure an appropriate method for access to Azure Tables
Select and configure an appropriate method for access to Azure Queues
Select and configure appropriate methods for protection against data security threats, including soft delete, backups, versioning, and immutable storage
Configure Bring Your Own Key (BYOK)
Enable double encryption at the Azure Storage infrastructure level

Module 8: Plan and implement security for Azure SQL Database and Azure SQL Managed Instance

Security for Azure SQL Database and SQL Managed Instance
Enable Microsoft Entra database authentication
Enable and monitor database auditing
Identify use cases for the Microsoft Purview governance portal
Implement sensitive data classification using the Microsoft Purview governance portal
Plan and implement dynamic masking
Implement transparent data encryption
Recommend when to use Azure SQL Database Always Encrypted
Implement an Azure SQL Database firewall

Module 9: Implement and manage enforcement of cloud governance policies

Microsoft Cloud Security Benchmark: access, data, identity, network, endpoint, governance, recovery, incident, and vulnerability management
Azure governance
Create, assign, and interpret security policies and initiatives in Azure Policy
Deploy secure infrastructures using a landing zone
Azure Key Vault
Azure Key Vault security
Azure Key Vault authentication
Create and configure an Azure key vault
Recommend when to use a dedicated hardware security module (HSM)
Configure access to Key Vault, including vault access policies and Azure role-based access control
Manage certificates, secrets, and keys
Configure key rotation
Configure backup and recovery of certificates, secrets, and keys
Implement security controls to protect backups
Implement security controls for resource management

Module 10: Manage security posture using Microsoft Defender for Cloud

Implement Microsoft Defender for Cloud
Identify and remediate security risks using Microsoft Defender for Cloud’s secure score and inventory
Assess compliance with security frameworks and Microsoft Defender for Cloud
Add industry and regulatory standards to Microsoft Defender for Cloud
Add custom initiatives to Microsoft Defender for Cloud
Connect hybrid and multicloud environments to Microsoft Defender for Cloud
Implement and use Microsoft Defender External Attack Surface Management

Module 11: Configure and manage threat protection using Microsoft Defender for Cloud

Enable workload protection services in Microsoft Defender for Cloud
Defender for Servers
Defender for Storage
Malware scanning in Defender for Storage
Detect threats to sensitive data
Deploy Microsoft Defender for Storage
Enable configuration of an Azure built-in policy
Configure Microsoft Defender plans for servers, databases, and storage
Implement and manage Microsoft Defender Vulnerability Management
Log Analytics workspace
Manage data retention in a Log Analytics workspace
Deploy the Azure Monitor agent
Collect data with the Azure Monitor agent
Data Collection Rules (DCR) in Azure Monitor
Transformations in Data Collection Rules (DCR)
Monitor network security events and performance data by configuring Data Collection Rules (DCR) in Azure Monitor
Connect your Azure subscriptions
Just-in-time VM access
Enable just-in-time access
Container security in Microsoft Defender for Containers
Managed Kubernetes threat actors
Defender for Containers architecture
Configure Microsoft Defender for Containers components
Microsoft Defender for Cloud DevOps Security
DevOps security support and prerequisites
DevOps environment security posture
Connect your GitHub lab environment to Microsoft Defender for Cloud
Configure the Microsoft Security DevOps GitHub action
AI threat protection in Defender for Cloud
Enable threat protection for AI workloads in Defender for Cloud
Get application and end-user context for AI alerts

Module 12: Configure and manage security monitoring and automation solutions

Manage and respond to security alerts in Microsoft Defender for Cloud
Configure workflow automation using Microsoft Defender for Cloud
Log retention plans in Microsoft Sentinel
Alerts and incidents generated by Microsoft Sentinel
Configure data connectors in Microsoft Sentinel
Enable analytics rules in Microsoft Sentinel
Configure automation in Microsoft Sentinel
Threat response automation with Microsoft Sentinel

Documentation

Accès à Microsoft Learn, la plateforme d’apprentissage en ligne Microsoft, offrant des ressources interactives et des contenus pédagogiques pour approfondir vos connaissances et développer vos compétences techniques.

Lab / Exercises

This course provides you with exclusive access to the official Microsoft lab, enabling you to practice your skills in a professional environment.

Exam

This course prepares you to the AZ-500: Azure Security Engineer Associate

Complementary Courses

Eligible Funding

ITTA is a partner of a continuing education fund dedicated to temporary workers. This fund can subsidize your training, provided that you are subject to the “Service Provision” collective labor agreement (CCT) and meet certain conditions, including having worked at least 88 hours in the past 12 months.

Additional Information

The evolution of threats in cloud environments

The cyberthreat landscape is undergoing a profound transformation with the massive adoption of cloud computing. Attackers now exploit more sophisticated intrusion vectors. They target misconfigurations, compromised identities, and poorly controlled access. This reality demands a rethought Microsoft security approach adapted to distributed infrastructures.

Data breaches cost companies several million dollars on average. A large portion of these incidents stems from preventable configuration errors. Azure security therefore requires an in-depth understanding of services and their settings. Each deployed resource must adhere to the principle of defense in depth.

The Zero Trust model has become the reference standard in protecting digital assets. It relies on systematic verification of every access, with no implicit trust. This philosophy radically transforms how organizations design their cloud security. Strong authentication becomes the norm, never the exception.

Multi-layered security architecture for Azure

Building a resilient infrastructure requires a strategy organized into distinct layers. The first layer concerns identity as the primary security perimeter. Microsoft Entra ID centralizes authentication and authorization for all services. Enabling privileged identity management drastically limits the risks of abuse.

Network segmentation constitutes the second critical line of defense. Virtual networks isolate workloads according to their sensitivity. Network security groups act as distributed virtual firewalls. This granularity enables precise control of traffic between resources.

Data protection represents the core of any effective security strategy. Encryption is applied systematically, both at rest and in transit. Azure offers native mechanisms to automate these protections. Cryptographic keys are managed centrally through dedicated and secured vaults.

Automation and continuous threat monitoring

Early anomaly detection distinguishes prepared organizations from potential victims. Behavioral analysis tools identify suspicious patterns in real time. Microsoft Defender for Cloud continuously monitors the entire Azure infrastructure. Alerts enable rapid response to security incidents.

Automation significantly reduces threat response times. Playbooks execute corrective actions without human intervention. This orchestration becomes essential given the growing volume of alerts. Teams can thus focus on truly critical threats.

Vulnerability management requires a structured and recurring process. Regular scans reveal weaknesses before malicious exploitation. Azure provides integrated tools to assess overall security posture. Prioritized recommendations guide remediation efforts.

Regulatory compliance and access governance

Legal requirements for data protection are multiplying internationally. GDPR in Europe imposes strict constraints on personal information processing. Other sector-specific regulations add their own obligations. Azure security must integrate these dimensions from the design phase.

Azure Policy transforms compliance requirements into automatically applied technical rules. These policies prevent the deployment of non-compliant resources. Continuous auditing ensures maintenance of defined standards. Compliance reports facilitate demonstrations to auditors.

Action traceability constitutes a pillar of effective governance. Every operation on Azure resources generates detailed logs. These traces enable reconstruction of the timeline of events during investigations. Appropriate log retention satisfies legal archiving obligations.

Hybrid identity management and federation

Most enterprises operate in complex hybrid environments. Identities must be synchronized between on-premises systems and the cloud. Microsoft Entra Connect facilitates this bidirectional integration. Security policy consistency thus extends across the entire infrastructure.

Single sign-on significantly improves user experience while strengthening security. Employees access all their applications with a single authentication. This simplification reduces fatigue associated with multiple passwords. Compromise risks decrease proportionally.

Identity federation enables secure collaboration with external partners. Users retain their original identities while accessing shared resources. This approach avoids account proliferation and simplifies management. Trust relationships are configured according to recognized standard protocols.

Securing modern workloads

Microservices and containerized architectures dominate current developments. Kubernetes has become the reference orchestration platform for these environments. Azure Kubernetes Service integrates essential native security features. Container isolation prevents lateral propagation of compromises.

APIs now constitute the primary attack surface for many applications. Their direct exposure on the internet multiplies exploitation risks. Azure API Management offers centralized and consistent security controls. Access policies limit requests according to multiple criteria.

DevSecOps integrates security from the earliest development phases. This approach detects vulnerabilities before their deployment to production. Continuous integration pipelines include automated security analyses. The cost of fixing flaws decreases drastically with this anticipation.

FAQ

What certification do you obtain after this training?

This training prepares you for the Microsoft certification exam for Azure security engineers. It covers all the skills assessed during the official exam. Participants develop expertise recognized in the market. The certification formally validates knowledge in Microsoft security.

How do you prioritize security actions in an existing Azure environment?

The security score provided by Microsoft Defender establishes an objective baseline. Recommendations appear ranked according to their potential impact on overall protection. You should start by securing high-privilege identities. Network segmentation and sensitive data encryption logically follow.

What are the differences between Azure security and traditional infrastructure security?

The cloud introduces a shared responsibility model between the provider and the client. Microsoft secures the physical infrastructure while organizations protect their data and applications. This distribution requires a clear understanding of respective perimeters. Cloud security tools offer visibility and automation impossible locally.

How do you effectively manage secrets and keys in cloud applications?

Azure Key Vault centralizes secure storage of all sensitive elements. Applications retrieve secrets dynamically without hardcoding them. This approach facilitates regular rotation of cryptographic keys. Complete access auditing strengthens traceability and compliance.

What is the importance of the principle of least privilege in Azure?

This principle limits each identity to the permissions strictly necessary for its functions. Rigorous application significantly reduces the potential impact of a compromise. Role-based access control facilitates granular implementation. Periodic reviews ensure ongoing adequacy of assigned rights.