Training: Secure cloud resources with Microsoft security technologies (AZ-500)

Ref. AZ-500T00

Download PDF

Duration:

jours

Exam:

Optionnel

Level:

Intermédiaire

Funding:

Eligible

Home > Trainings > IT Pro > Audit and Cybersecurity > Secure cloud resources with Microsoft security technologies (AZ-500)

Secure cloud resources with Microsoft security technologies Training (AZ-500)

The AZ-500 training enables you to master Microsoft Azure security technologies in four days. This official Microsoft course covers identity security with Microsoft Entra ID and conditional access policies, virtual network protection with Azure Firewall and NSGs, data encryption with Azure Key Vault, security posture management with Microsoft Defender for Cloud, and advanced threat detection with Microsoft Sentinel. You acquire the skills to protect your organization’s cloud resources against current cyber threats.

Delivered in Geneva and Lausanne by MCT certified trainers, this AZ-500 training relies on intensive hands-on labs in Microsoft cloud environments. You configure risk-based conditional access policies, deploy Azure Firewall with application rules, manage secrets and certificates in Key Vault, activate Defender protection plans, and create analytics rules in Sentinel. The Azure Security Engineer Associate certification is included and validates your cloud security skills with employers in French-speaking Switzerland.

Participant Profiles

Azure security engineers
Engineers looking to specialize in security delivery for Azure-based digital platforms
Security engineers and administrators
Cloud infrastructure managers
Azure solution architects
Systems and network administrators
IT professionals transitioning to the cloud
Cybersecurity consultants

Objectives

Manage identity and access in Azure using Azure AD and Conditional Access
Implement platform protection including network security and host security
Manage security operations using Microsoft Defender for Cloud and Sentinel
Secure data and applications using encryption, Key Vault, and application security
Configure and manage security policies and compliance with Azure Policy
Implement advanced threat protection for Azure workloads
Investigate and respond to security incidents using Azure security tools

Prerequisites

Having followed the course Microsoft Azure Administrator (AZ-104) or equivalent experience

Course Content

Module 1: Manage security controls for identity and access

Microsoft cloud security benchmark: Identity management and privileged access
What is Microsoft Entra ID?
Secure Microsoft Entra users
Create a new user in Microsoft Entra ID
Secure Microsoft Entra groups
Recommend when to use external identities
Secure external identities
Implement Microsoft Entra Identity Protection
Microsoft Entra Connect
Microsoft Entra Cloud Sync
Authentication options
Password hash synchronization with Microsoft Entra ID
Microsoft Entra pass-through authentication
Federation with Microsoft Entra ID
What is Microsoft Entra authentication?
Implement multifactor authentication (MFA)
Kerberos authentication
New Technology Local Area Network Manager (NTLM)
Passwordless authentication options for Microsoft Entra ID
Implement passwordless authentication
Implement password protection
Microsoft Entra ID single sign-on
Implement single sign-on (SSO)
Integrate single sign-on (SSO) and identity providers
Configure Microsoft Entra Verified ID
Recommend and enforce modern authentication protocols
Azure management groups
Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
Azure role-based access control
Azure built-in roles
Assign Azure role permissions for management groups, subscriptions, resource groups, and resources
Microsoft Entra built-in roles
Assign built-in roles in Microsoft Entra ID
Microsoft Entra role-based access control
Create and assign a custom role in Microsoft Entra ID
Zero Trust security
Microsoft Entra Privileged Identity Management
Configure Privileged Identity Management
Microsoft Entra ID governance
Identity lifecycle management
Lifecycle workflows
Entitlement management
Delegation and roles in entitlement management
Access reviews
Configure role management and access reviews by using Microsoft Entra ID governance
Implement Conditional Access policies for Cloud Resources in Azure
Azure lighthouse overview

Module 2: Manage Microsoft Entra application access

Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
Manage app registrations in Microsoft Entra ID
Configure app registration permission scopes
Manage app registration permission consent
Manage and use service principals
Manage managed identities for Azure resources
Recommend when to use and configure a Microsoft Entra Application Proxy, including authentication

Module 3: Plan and implement security for virtual networks

Microsoft Cloud Security Benchmark: Data Protection, Logging and Threat Detection, and Network Security
What is an Azure Virtual Network
Azure Virtual Network Manager
Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
Plan and implement User-Defined Routes (UDRs)
Plan and implement Virtual Network peering or gateway
Plan and implement Virtual Wide Area Network, including secured virtual hub
Secure VPN connectivity, including point-to-site and site-to-site
Azure encryption
What is Azure Virtual Network encryption
Azure ExpressRoute
Implement encryption over ExpressRoute
Configure firewall settings on Azure resources
Monitor network security by using Network Watcher

Module 4: Plan and implement security for private access to Azure resources

Plan and implement virtual network Service Endpoints
Plan and implement Private Endpoints
Plan and implement Private Link services
Plan and implement network integration for Azure App Service and Azure Functions
Plan and implement network security configurations for an App Service Environment (ASE)
Plan and implement network security configurations for an Azure SQL Managed Instance

Module 5: Plan and implement security for public access to Azure resources

Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management
Plan, implement, and manage an Azure Firewall, Azure Firewall Manager and firewall policies
Plan and implement an Azure Application Gateway
Plan and implement a Web Application Firewall (WAF)
Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
Recommend when to use Azure DDoS Protection Standard

Module 6: Plan and implement advanced security for compute

Plan and implement remote access to public endpoints, Azure Bastion and just-in-time (JIT) virtual machine (VM) access
What is Azure Kubernetes Service?
Configure network isolation for Azure Kubernetes Service (AKS)
Secure and monitor Azure Kubernetes Service
Configure authentication for Azure Kubernetes Service
Configure security for Azure Container Instances (ACIs)
Configure security for Azure Container Apps (ACAs)
Manage access to Azure Container Registry (ACR)
Configure disk encryption, Azure Disk Encryption (ADE), encryption as host, and confidential disk encryption
Recommend security configurations for Azure API Management

Module 7: Plan and implement security for storage

Azure Storage
Configure access control for storage accounts
Manage life cycle for storage account access keys
Select and configure an appropriate method for access to Azure Files
Select and configure an appropriate method for access to Azure Blobs
Select and configure an appropriate method for access to Azure Tables
Select and configure an appropriate method for access to Azure Queues
Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage
Configure Bring your own key (BYOK)
Enable double encryption at the Azure Storage infrastructure level

Module 8: Plan and implement security for Azure SQL Database and Azure SQL Managed Instance

Azure SQL Database and SQL Managed Instance security
Enable Microsoft Entra database authentication
Enable and monitor database audit
Identify use cases for the Microsoft Purview governance portal
Implement data classification of sensitive information by using the Microsoft Purview governance portal
Plan and implement dynamic mask
Implement transparent data encryption
Recommend when to use Azure SQL Database Always Encrypted
Implement an Azure SQL Database firewall

Module 9: Implement and manage enforcement of cloud governance policies

Microsoft cloud security benchmark: Access, Data, Identity, Network, Endpoint, Governance, Recovery, Incident, and Vulnerability Management
Azure governance
Create, assign, and interpret security policies and initiatives in Azure Policy
Deploy secure infrastructures by using a landing zone
Azure Key Vault
Azure Key Vault security
Azure Key Vault authentication
Create and configure an Azure Key Vault
Recommend when to use a dedicated Hardware Security Module (HSM)
Configure access to Key Vault, including vault access policies and Azure role-based access control
Manage certificates, secrets, and keys
Configure key rotation
Configure backup and recovery of certificates, secrets, and keys
Implement security controls to protect backups
Implement security controls for asset management

Module 10: Manage security posture by using Microsoft Defender for Cloud

Implement Microsoft Defender for Cloud
Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory
Assess compliance against security frameworks and Microsoft Defender for Cloud
Add industry and regulatory standards to Microsoft Defender for Cloud
Add custom initiatives to Microsoft Defender for Cloud
Connect hybrid cloud and multicloud environments to Microsoft Defender for Cloud
Implement and use Microsoft Defender External Attack Surface Management

Module 11: Configure and manage threat protection by using Microsoft Defender for Cloud

Enable workload protection services in Microsoft Defender for Cloud
Defender for Servers
Defender for Storage
Malware scanning in Defender for Storage
Detect threats to sensitive data
Deploy Microsoft Defender for Storage
Enable configure Azure built-in policy
Configure Microsoft Defender plans for Servers, Databases, and Storage
Implement and manage Microsoft Defender Vulnerability Management
Log Analytics workspace
Manage data retention in a Log Analytics workspace
Deploy the Azure Monitor Agent
Collect data with Azure Monitor Agent
Data collection rules (DCRs) in Azure Monitor
Transformations in data collection rules (DCRs)
Monitor network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor
Connect your Azure subscriptions
Just-in-time machine access
Enable just-in-time access
Container security in Microsoft Defender for Containers
Managed Kubernetes threat factors
Defender for Containers architecture
Configure Microsoft Defender for Containers components
Microsoft Defender for Cloud DevOps Security
DevOps Security support and prerequisites
DevOps environment security posture
Connect your GitHub lab environment to Microsoft Defender for Cloud
Configure the Microsoft Security DevOps GitHub action
Defender for Cloud AI threat protection
Enable threat protection for AI workloads in Defender for Cloud
Gain application and end-user context for AI alerts

Module 12: Configure and manage security monitoring and automation solutions

Manage and respond to security alerts in Microsoft Defender for Cloud
Configure workflow automation by using Microsoft Defender for Cloud
Log retention plans in Microsoft Sentinel
Alerts and Incidents from Microsoft Sentinel
Configure data connectors in Microsoft Sentinel
Enable analytics rules in Microsoft Sentinel
Configure automation in Microsoft Sentinel
Automating Threat Response with Microsoft Sentinel

Documentation

Accès à Microsoft Learn, la plateforme d’apprentissage en ligne Microsoft, offrant des ressources interactives et des contenus pédagogiques pour approfondir vos connaissances et développer vos compétences techniques.

Lab / Exercises

This course provides you with exclusive access to the official Microsoft lab, enabling you to practice your skills in a professional environment.

Exam

This course prepares you to the AZ-500: Azure Security Engineer Associate exam.

Complementary Courses

Eligible Funding

ITTA is a partner of a continuing education fund dedicated to temporary workers. This fund can subsidize your training, provided that you are subject to the “Service Provision” collective labor agreement (CCT) and meet certain conditions, including having worked at least 88 hours in the past 12 months.

Additional Information

AZ-500 Training: Secure Cloud Resources with Microsoft Technologies

Cloud security has become the absolute priority for companies migrating to Azure. Cyber threats constantly evolve, hybrid architectures multiply attack surfaces, and Swiss regulatory requirements impose strict controls on data protection. Azure offers a comprehensive arsenal of security services that, when properly configured, provide enterprise-grade protection.

The AZ-500 training gives you the skills to secure identities, networks, data, and applications on Microsoft Azure in four days in Geneva or Lausanne. This official Microsoft course (MOC AZ-500) is designed for security engineers and Azure administrators who want to specialize in cloud environment protection.

Identity Security with Microsoft Entra ID and the Zero Trust Model

Microsoft Entra ID constitutes the first line of defense in Azure. The AZ-500 training covers in depth the configuration of multi-factor authentication (MFA), risk-based conditional access policies, identity protection with Identity Protection, and privileged identity management with PIM (Privileged Identity Management). You learn to implement the Zero Trust model that continuously validates every access.

Workload identity management (managed identities, service principals) secures communication between Azure services without storing secrets in code. Entra ID Governance automates the identity lifecycle, access reviews, and entitlement management. These mechanisms are essential for organizations in French-speaking Switzerland that must balance agility and compliance.

Network Security and Sensitive Data Protection

Azure network security relies on a defense-in-depth architecture. Network security groups (NSGs) filter traffic at the subnet and interface levels. Azure Firewall inspects and controls outbound and east-west traffic. Azure DDoS Protection defends against volumetric attacks. Private Link and private endpoints isolate PaaS service access from the public network.

Data protection relies on Azure Key Vault for centralized management of secrets, certificates, and encryption keys. Encryption at rest (Storage Service Encryption, Transparent Data Encryption) and in transit (TLS) protects data at every stage. Data Loss Prevention (DLP) policies and Azure Information Protection classify and protect sensitive information according to their confidentiality level.

Microsoft Defender for Cloud and Security Operations with Sentinel

Microsoft Defender for Cloud provides a unified view of the security posture of your Azure, hybrid, and multi-cloud resources. The training covers activating protection plans (Defender for Servers, Defender for Storage, Defender for SQL), analyzing Secure Score, remediating recommendations, and configuring compliance policies aligned with ISO 27001, SOC 2, and Swiss regulations.

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) that collects, correlates, and analyzes security logs from all your sources. You learn to configure data connectors, create analytics rules to detect suspicious behavior, automate incident response with playbooks (Logic Apps), and investigate threats using hunting queries in KQL. This combination of Defender and Sentinel forms a comprehensive Security Operations Center (SOC) accessible to companies of all sizes.

Azure Security Engineer Associate Certification: AZ-500 Exam

The AZ-500 exam (Microsoft Azure Security Technologies) validates the Azure Security Engineer Associate title. It contains between 40 and 60 questions (multiple choice, scenarios, case studies, and labs) and lasts approximately 120 minutes. The passing score is 700 out of 1000. The certification is valid for one year and can be renewed free of charge via Microsoft Learn.

In Switzerland, where data protection and compliance are strategic priorities, this certification is highly sought after. Targeted roles include Azure security engineer, cloud security analyst, information security architect, and cybersecurity consultant. The financial, healthcare, and international organization sectors in Geneva and Lausanne particularly value this profile.

At ITTA, a Microsoft Learning Partner in Switzerland MCT certified trainers guide you through hands-on labs on real Microsoft cloud environments and official course materials (MOC). Sessions are held in-person in Geneva and Lausanne or via virtual classroom.

FAQ

What are the prerequisites for the AZ-500 training?

Experience in Azure administration (AZ-104 level) is recommended. You should be familiar with virtual networks, storage, identity management, and Azure governance concepts. Basic knowledge of cybersecurity is a plus but not mandatory.

Is this training suitable for system administrators without a security background?

Yes, provided you have Azure administration experience. The course progressively builds security skills from fundamental concepts to advanced configurations. Many administrators take this training to add a security specialization to their profile.

Does the training cover Microsoft Sentinel in detail?

Yes. You learn to configure data connectors, create analytics rules, automate incident response with playbooks, and use KQL hunting queries. The labs provide a complete practical experience of Sentinel.

Is the certification recognized for cybersecurity positions in Switzerland?

Yes. The Azure Security Engineer Associate certification is recognized and valued in Switzerland for cloud security, SecOps, and compliance positions. It complements certifications like CompTIA Security+ and CISSP with Azure-specific expertise.

Is the training available as a virtual classroom?

Yes. ITTA offers the AZ-500 training in-person in Geneva and Lausanne as well as via virtual classroom with the same content, the same labs, and the same MCT trainer.

What is the difference between AZ-500 and SC-200?

AZ-500 covers Azure security broadly (identities, networks, data, platforms). SC-200 focuses specifically on security operations with Microsoft Defender and Sentinel. The two certifications are complementary for security professionals.

Does the training cover compliance with Swiss regulations?

The training covers compliance tools (Azure Policy, Regulatory Compliance in Defender for Cloud) applicable to Swiss requirements. Specific Swiss regulations (FINMA, LPD/nLPD) are discussed in the context of Azure compliance policies.