Overview
These notes follow the MS Learn learning path and its labs. https://learn.microsoft.com/en-us/training/paths/manage-identity-access/?source=docs
https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-500
Labs
https://microsoftlearning.github.io/AZ500-AzureSecurityTechnologies/
Module 1: Manage Identity and Access
Secure Azure Solutions with Entra ID
https://learn.microsoft.com/en-us/training/modules/azure-active-directory/
Active Directory Based Solutions
- Entra ID (cloud identity)
- Active Directory Domain Services (AD DS), on-premises, synchronised to Entra ID through Microsoft Entra Connect (formerly Azure AD Connect)
- Entra Domain Services (managed AD DS in Azure: LDAP, Kerberos/NTLM, Group Policy, without running your own DCs)
Roles
- Entra ID-specific roles - User Administrator, Application Administrator
- Service-specific roles - SharePoint Administrator
- Cross-service roles - Global Administrator
Reference Table:
Deployment
An Entra Domain Services managed domain is deployed as a replica set of managed domain controllers. You can add replica sets in other Azure regions for geo-redundant high availability.
Built in Roles: https://learn.microsoft.com/en-us/training/modules/azure-active-directory/7-azure-active-directory-built-in-roles
Developer E5 acct might be useful. https://developer.microsoft.com/en-us/microsoft-365/dev-program
Built-in roles are labelled at two levels: privileged and not privileged. The privileged ones are the targets to protect (PIM, MFA, review).
Built in roles such as Global Admin, Security Admin, Billing Admin, Global Reader.
450 different Role Assignments
Constrained vs non-constrained - look this up.
Azure AD domain services:
Users: B2B is business-to-business collaboration (inviting external guest users). You need to be a User Administrator or Global Administrator (or Guest Inviter, depending on tenant settings) to invite them.
Administrative units: close to OUs but not OUs. They scope a role assignment to a subset of users, groups or devices; they carry no Group Policy.
Implement Hybrid Identity
https://learn.microsoft.com/en-us/training/modules/hybrid-identity/
Azure AD Connect
Look up the difference between Microsoft Entra Connect Sync and Cloud Sync: Cloud Sync uses a lightweight provisioning agent configured from the Entra admin center (works with multiple disconnected forests), whereas Connect Sync is a full server install with its own local configuration.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/cloud-sync/what-is-cloud-sync
Federation
Risky Events
Lab 04
Conditional Access
If these conditions are met (user, app, location, device, sign-in risk), then apply this control (require MFA, require compliant device, block). Exclusions always win over inclusions, and a new policy should go in report-only mode first.
MFA
AAA: Authentication, Authorization, Audit (also called Accounting).
Exclude the break-glass (emergency access) accounts from Conditional Access MFA policies so an MFA outage or a misconfigured policy cannot lock the whole tenant out. Protect them instead with strong credentials (Microsoft recommends phishing-resistant methods such as FIDO2 keys) and alert on every sign-in by those accounts.
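To make the "if condition then control" rule and the break-glass exclusion concrete, here is an added example (not from the MS Learn module or the lab): it builds a policy in the shape of the Microsoft Graph conditionalAccessPolicy resource, then evaluates constructed sign-ins against it with a simplified model of the CA engine. The break-glass object IDs, the sign-in records and the evaluator are assumptions for illustration; only the JSON shape matches the real API.

```python
"""Added example: model a Conditional Access policy in the Microsoft Graph
conditionalAccessPolicy JSON shape and evaluate constructed sign-ins against it.
Not code from the MS Learn page; the engine model is simplified."""
from dataclasses import dataclass

# Hypothetical object IDs of the two emergency-access (break-glass) accounts.
BREAK_GLASS_IDS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
]


def build_policy(break_glass_ids, state="enabledForReportingButNotEnforced"):
    """Return a policy body in the Graph conditionalAccessPolicy shape:
    all users and apps, except break-glass accounts and trusted locations,
    must satisfy MFA. Defaults to report-only, which is how a new policy
    should be rolled out before it is enforced."""
    return {
        "displayName": "CA001: Require MFA for all users",
        "state": state,  # "enabled" | "disabled" | "enabledForReportingButNotEnforced"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


@dataclass
class SignIn:
    """Constructed sign-in record (a subset of what the sign-in logs carry)."""
    user_id: str
    app_id: str
    trusted_location: bool
    mfa_satisfied: bool


def evaluate(policy, s):
    """Simplified CA evaluation. Returns one of:
    "not_in_scope" (no condition matched, or an exclusion matched),
    "allow", "require_mfa", or "report_only" (would have required MFA)."""
    if policy["state"] == "disabled":
        return "not_in_scope"
    cond = policy["conditions"]
    users = cond["users"]
    # Exclusions are checked first: an excluded user is never in scope.
    if s.user_id in users["excludeUsers"]:
        return "not_in_scope"
    if "All" not in users["includeUsers"] and s.user_id not in users["includeUsers"]:
        return "not_in_scope"
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and s.app_id not in apps:
        return "not_in_scope"
    if s.trusted_location and "AllTrusted" in cond["locations"]["excludeLocations"]:
        return "not_in_scope"
    # Every condition matched: apply the grant controls.
    needs_mfa = "mfa" in policy["grantControls"]["builtInControls"]
    if needs_mfa and not s.mfa_satisfied:
        if policy["state"] == "enabledForReportingButNotEnforced":
            return "report_only"
        return "require_mfa"
    return "allow"


def break_glass_signins(signins, break_glass_ids):
    """Compensating control: the excluded accounts must be alerted on instead."""
    return [s for s in signins if s.user_id in break_glass_ids]


def run_demo():
    """Evaluate a handful of constructed sign-ins; returns a list of outcomes."""
    enforced = build_policy(BREAK_GLASS_IDS, state="enabled")
    report_only = build_policy(BREAK_GLASS_IDS)
    signins = [
        SignIn("alice", "portal", trusted_location=False, mfa_satisfied=False),
        SignIn("alice", "portal", trusted_location=True, mfa_satisfied=False),
        SignIn("bob", "portal", trusted_location=False, mfa_satisfied=True),
        SignIn(BREAK_GLASS_IDS[0], "portal", trusted_location=False, mfa_satisfied=False),
    ]
    outcomes = [evaluate(enforced, s) for s in signins]
    outcomes.append(evaluate(report_only, signins[0]))
    alerts = [s.user_id for s in break_glass_signins(signins, BREAK_GLASS_IDS)]
    return outcomes, alerts


if __name__ == "__main__":
    print(run_demo())
```

The order of checks mirrors what matters in practice: the exclusion list is consulted before anything else, so a break-glass account is never evaluated against the grant controls, and the `state` field is what separates a safe report-only rollout from enforcement.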
Access Reviews
Configuring Microsoft Entra Privileged Identity Management
https://learn.microsoft.com/en-us/training/modules/azure-ad-privileged-identity-management/
Zero Trust Model
Explore the zero trust model - https://learn.microsoft.com/en-us/training/modules/azure-ad-privileged-identity-management/2-microsofts-zero-trust-model/?source=docs&ns-enrollment-type=learningpath&ns-enrollment-id=learn.wwl.manage-identity-access
Identity Management Evolution
PIM
Microsoft Purview might be a good place for auditing.
Lab 05
Microsoft Graph
I have always thought of Graph as the nervous system of Azure. It links it all together and lets everything intercommunicate.
Implement Perimeter Security
https://learn.microsoft.com/en-us/training/modules/perimeter-security/
Azure Bastion is used instead of opening ports: it provides RDP/SSH to VMs through the portal over TLS (443), so the VMs need no public IP and no inbound 3389/22 rule in the NSG.