AZ-500 | Microsoft Azure Security Technologies

Certification Overview:

The Microsoft Azure AZ-500 exam is for the people who want to demonstrate or check their knowledge in deploying, installing, administering, and managing Azure cloud from security standpoint. You will be thoroughly tested for your knowledge and technical skills. It will take quite an effort and time to cover all the required domains of the course outline.

Exam Prerequisites:

If you are planning to attempt the Azure Security Engineer (AZ-500) exam, be sure to complete one of the following exams beforehand, as it will give you enough exposure to Azure services and offerings:

• Azure Fundamentals
• Azure Administrator Associate
• Azure Security Engineer Guide

Official Learning Path:

AZ-500 : Azure Security Engineer Associate

Skills Measured: This exam test you on the following topics:

Domain 1: Manage Identity and Access (30-35%)

1.1 Manage Azure Active Directory (Azure AD) identities

• Create and manage a managed identity for Azure resources (Microsoft Documentation: managed identities for Azure resources)
• manage Azure AD groups (Microsoft Documentation: Manage app & resource access using groups – Azure AD)
• manage Azure AD users (Microsoft Documentation: Quickstart: Add guest users in the Azure portal – Azure AD)
• Manage external identities by using Azure AD (Microsoft Documentation: External Identities in Azure Active Directory)
• manage administrative units (Microsoft Documentation: Administrative units in Azure Active Directory)

1.2 Manage secure access by using Azure AD

• monitor Azure AD Privileged Identity Management (PIM) (Microsoft Documentation: Privileged Identity Management)
• implement Conditional Access policies including Multi-Factor Authentication (MFA) (Microsoft Documentation: Conditional Access – Require MFA for all users – Azure Active Directory)
• configure Azure AD identity protection (Microsoft Documentation: Azure AD Identity Protection)
• Implement passwordless authentication Enable passwordless phone sign-in authentication methods)
• Configure Access Reviews (Microsoft Documentation: Create Access and Review)

1.3 Manage application access

• Integrate single sign-on (SSO) and identity providers for authentication (Microsoft Documentation: single sign-on in Azure Active Directory)
• create App Registration (Microsoft Documentation: Register your app with the Azure AD)
• configure App Registration permission scopes (Microsoft Documentation: Quickstart: Configure an app to access a web API – Microsoft identity platform)
• manage App Registration permission consent (Microsoft Documentation: Managing consent to applications and evaluating consent requests in Azure Active Directory)
• manage API access to Azure subscriptions and resources (Microsoft Documentation: Elevate access to manage all Azure subscriptions and management groups)
• Configure an authentication method for a service principal (Microsoft Documentation: Azure authentication with service principal)

1.4 Manage access control

• Configure Azure role permissions for management groups, subscriptions, resource groups, and resources (Microsoft Documentation: Organize subscriptions into management groups and assign roles to users)
• Interpret role and resource permissions (Microsoft Documentation: Azure role-based access control (Azure RBAC))
• Assign built-in Azure AD roles (Microsoft Documentation: Azure AD built-in roles, Assign Azure AD roles to users)
• Create and assign custom roles, including Azure roles and Azure AD roles (Microsoft Documentation: Create and assign a custom role in Azure Active Directory)

Domain 2: Implement platform protection (15-20%)

2.1 Implement advanced network security

• Secure the connectivity of hybrid networks (Microsoft Documentation: Implement a secure hybrid network)
• Secure the connectivity of virtual networks (Microsoft Documentation: Azure Virtual Network)
• Create and configure Azure Firewall (Microsoft Documentation: Deploy and configure Azure Firewall using the Azure portal)
• Create and configure Azure Firewall Manager (Microsoft Documentation: Azure Firewall Manager deployment overview)
• Create and configure Azure Application Gateway (Microsoft Documentation: Direct web traffic with Azure Application Gateway)
• Create and configure Azure Front Door (Microsoft Documentation: Create a Front Door for a highly available global web application)
• Create and configure Web Application Firewall (WAF) (Microsoft Documentation: Create an application gateway with a Web Application Firewall)
• Configure a resource firewall, including a storage account, Azure SQL, Azure Key Vault, or Azure App Service (Microsoft Documentation: Configure Azure Key Vault firewalls and virtual networks, Virtual network service endpoints for Azure Key Vault)
• Configure network isolation for Web Apps and Azure Functions (Microsoft Documentation: Azure Functions networking options)
• implement Service Endpoints (Microsoft Documentation: Azure virtual network service endpoints)
• Implement Azure Private Endpoints, including integrating with other services (Microsoft Documentation: private endpoint)
• Implement Azure Private Links (Microsoft Documentation: Create a Private Link service by using the Azure portal)
• implement Azure DDoS protection (Microsoft Documentation: Azure DDoS Protection Standard Overview)

2.2 Configure advanced security for compute

• To begin with, configure endpoint protection for virtual machines (Vms) (Microsoft Documentation:(Microsoft Documentation: Install Endpoint Protection)
• Then, configure and monitor system updates for VMs  (Microsoft Documentation: Azure Security Fundamentals, Automation Update Management)
• Configure security for container services (Microsoft Documentation: Security considerations for Azure Container Instances)
• Manage access to Azure Container Registry (Microsoft Documentation: Azure Container Registry roles and permissions)
• Configure security for serverless compute (Microsoft Documentation: Serverless Functions security)
• Configure security for an Azure App Service (Microsoft Documentation: Security in Azure App Service)
• Configure encryption at rest (Microsoft Documentation: Azure Data Encryption at rest)
• Configure encryption in transit (Microsoft Documentation: Azure encryption overview)

Domain 3: Manage Security Operations (25-30%)

3.1 Configure centralized policy management

• Configure a custom security policy (Microsoft Documentation: Create custom security initiatives and policies)
• Create a policy initiative (Microsoft Documentation: Create and manage policies to enforce compliance)
• Configure security settings and auditing by using Azure Policy (Microsoft Documentation: Manage security policies)

3.2 Configure and manage threat protection

• Configure Microsoft Defender for Servers (not including Microsoft Defender for Endpoint) (Microsoft Documentation: Onboard Windows servers to the Microsoft Defender for Endpoint service)
• Evaluate vulnerability scans from Microsoft Defender for Cloud (Microsoft Documentation: Defender for Cloud’s integrated Qualys vulnerability scanner for Azure and hybrid machines)
• Configure Microsoft Defender for SQL (Microsoft Documentation: Microsoft Defender for SQL)
• Use the Microsoft Threat Modeling Tool (Microsoft Documentation: Microsoft Threat Modeling Tool)

3.3 Configure and manage security monitoring solutions

• Create and customize alert rules by using Azure Monitor (Microsoft Documentation: Create a new alert rule)
• Configure diagnostic logging and log retention by using Azure Monitor (Microsoft Documentation: Diagnostic settings in Azure Monitor)
• Monitor security logs by using Azure Monitor (Microsoft Documentation: Azure Monitor Logs overview)
• Create and customize alert rules in Microsoft Sentinel (Microsoft Documentation: Create custom analytics rules to detect threats)
• Configure connectors in Microsoft Sentinel (Microsoft Documentation: Microsoft Sentinel data connectors)
• Evaluate alerts and incidents in Microsoft Sentinel (Microsoft Documentation: Investigate incidents with Microsoft Sentinel)

Domain 4: Secure Data and Applications (25-30%)

4.1 Configure security for storage

• To begin with, configure access control for storage accounts (Microsoft Documentation: Azure Storage Authentication)
• Configure storage account access keys (Microsoft Documentation: Manage storage account access keys)
• Also, configure Azure AD authentication for Azure Storage and Azure Files (Microsoft Documentation: Create a profile container with Azure Files and Azure Active Directory)
• Configure delegated access

4.2 Configure security for databases

• Enable database authentication by using Azure AD (Microsoft Documentation: Configure and manage Azure AD authentication with Azure SQL)
• Enable database auditing (Microsoft Documentation: SQL Database Auditing)
• Configure dynamic masking on SQL workloads (Microsoft Documentation: Dynamic data masking)
• Implement database encryption for Azure SQL Database (Microsoft Documentation: Transparent data encryption for SQL Database)
• Implement network isolation for data solutions, including Azure Synapse Analytics and Azure Cosmos DB (Microsoft Documentation: Azure Synapse Link for Azure Cosmos DB)

4.3 Configure and manage Key Vault

• Create and configure Key Vault (Microsoft Documentation: Create a key vault using the Azure portal)
• Configure access to Key Vault (Microsoft Documentation: Assign a Key Vault access policy)
• Manage certificates, secrets, and keys (Microsoft Documentation: Azure Key Vault keys, secrets and certificates overview)
• Configure key rotation (Microsoft Documentation: Configure cryptographic key auto-rotation in Azure Key Vault)
• Configure backup and recovery of certificates, secrets, and keys (Microsoft Documentation: Azure Key Vault backup and restore)

Recommendations:

I would recommend a very good knowledge and hands on experience on the Azure cloud especially from the IAM perspective. It will help you a lot in understanding the requirements and needs asked in the exam questions.

Practice, Practice, Practice!! This will save you.

Take it easy, read the question slowly (2-3 times, if required) and understand the specific need.

This exam is not that easy when it is compared with other Azure exams, but you will sail through it; if you are focused and pay enough attention towards the requirements in the exam questions. 

I hope this will be helpful and encouraging!!

Best of luck!!

AZ-700 Designing and Implementing Microsoft Azure Networking Solutions

 Certification Overview:

Azure Network Engineer (AZ-700) is an associate-level exam that validates the skills and expertise of subject matter experts working with networking, security, and infrastructure access controls in Azure Cloud.

Exam Prerequisites:

If you are planning to attempt the Azure Network Engineer exam, be sure to complete one of the following exams beforehand, as it will give you enough exposure to Azure services and offerings:

• Azure Administrator Associate
• Azure Developer Associate
• Azure Security Engineer Guide

Official Learning Path:

AZ-700 : Official Learning Path

Skills Measured: This exam test you on the following topics:

Design, Implement, and Manage Hybrid Networking (10–15%)

Design, implement, and manage a site-to-site VPN connection

·         Design a site-to-site VPN connection for high availability

·         Highly Available cross-premises and VNet-to-VNet connectivity

·         VPN Gateway design

·         About zone-redundant virtual network gateways in Azure Availability Zones

·         Select an appropriate virtual network (VNet) gateway SKU

·         What is VPN Gateway?

·         Identify when to use policy-based VPN versus route-based VPN

·         VPN Gateway FAQ

·         Create and configure a local network gateway

·         Tutorial: Create a Site-to-Site connection in the Azure portal

·         Create and configure an IPsec/IKE policy

·         Configure IPsec/IKE policy for site-to-site VPN connections

·         Create and configure a virtual network gateway

·         Tutorial: Create and manage a VPN gateway using Azure portal

·         Diagnose and resolve VPN gateway connectivity issues

·         Troubleshoot VPN Gateway

·         Troubleshoot Azure VPN Gateway using diagnostic logs

Design, implement, and manage a point-to-site VPN connection

·         Select an appropriate virtual network gateway SKU

·         What is VPN Gateway?

·         Plan and configure RADIUS authentication

·         Configure a Point-to-Site connection to a VNet using RADIUS authentication: PowerShell

·         Plan and configure certificate-based authentication

·         Configure a Point-to-Site VPN connection using Azure certificate authentication: Azure portal

·         Plan and configure OpenVPN authentication

·         Configure OpenVPN for Point-to-Site VPN gateways

·         OpenVPN support in Azure VPN gateways

·         Plan and configure Azure Active Directory (Azure AD) authentication

·         Create an Azure Active Directory tenant for P2S OpenVPN protocol connections

·         Configure a Point-to-Site VPN connection to a VNet using multiple authentication types: Azure portal

·         Implement a VPN client configuration file

·         Create and install VPN client configuration files for P2S RADIUS authentication

·         Diagnose and resolve client-side and authentication issues

·         Troubleshoot an Azure AD authentication VPN client

Design, implement, and manage Azure ExpressRoute

·         Choose between provider and direct model (ExpressRoute Direct)

·         What is Azure ExpressRoute?

·         About ExpressRoute Direct

·         Azure Hybrid Architectures

·         Design and implement Azure cross-region connectivity between multiple ExpressRoute locations

·         Cross-network connectivity

·         Designing for disaster recovery with ExpressRoute private peering

·         Select an appropriate ExpressRoute SKU and tier

·         About ExpressRoute virtual network gateways

·         Design and implement ExpressRoute Global Reach

·         Configure ExpressRoute Global Reach

·         Design and implement ExpressRoute FastPath

·         About ExpressRoute FastPath

·         Choose between private peering only, Microsoft peering only, or both

·         ExpressRoute circuits and peering

·         Configure private peering

·         Tutorial: Create and modify peering for an ExpressRoute circuit using the Azure portal

·         Configure Microsoft peering

·         Tutorial: Configure route filters for Microsoft peering using the Azure portal

·         Create and configure an ExpressRoute gateway

·         Tutorial: Configure a virtual network gateway for ExpressRoute using the Azure portal

·         Connect a virtual network to an ExpressRoute circuit

·         Tutorial: Connect a virtual network to an ExpressRoute circuit using the portal

·         Recommend a route advertisement configuration

·         ExpressRoute routing requirements

·         Configure encryption over ExpressRoute

·         ExpressRoute encryption: IPsec over ExpressRoute for Virtual WAN

·         Implement Bidirectional Forwarding Detection

·         Configure BFD over ExpressRoute

·         Diagnose and resolve ExpressRoute connection issues

·         Verifying ExpressRoute connectivity

·         Troubleshooting network performance

·         Reset a failed ExpressRoute circuit

Design and Implement Core Networking Infrastructure (20–25%)

Design and implement private IP addressing for VNets

·         Create a VNet

·         Quickstart: Create a virtual network using the Azure portal

·         Plan and configure subnetting for services, including VNet gateways, private endpoints, firewalls, application gateways, and VNet-integrated platform services

·         Azure networking services overview

·         Azure Networking architecture documentation

·         Azure for network engineers

·         Choosing between Azure VNet Peering and VNet Gateways

·         What is VPN Gateway?

·         What is Azure Private Endpoint?

·         Add, change, or delete a virtual network subnet

·         Plan and configure subnet delegation

·         Add or remove a subnet delegation

Design and implement name resolution

·         Design public DNS zones

·         What is Azure DNS?

·         Quickstart: Create an Azure DNS zone and record using the Azure portal

·         Design private DNS zones

·         What is Azure Private DNS?

·         Quickstart: Create an Azure private DNS zone using the Azure portal

·         Design name resolution inside a VNet

·         Name resolution for resources in Azure virtual networks

·         Configure a public or private DNS zone

·         Quickstart: Create an Azure DNS zone and record using the Azure portal

·         Quickstart: Create an Azure private DNS zone using the Azure portal

·         Link a private DNS zone to a VNet

·         What is a virtual network link?

Design and implement cross-VNet connectivity

·         Design service chaining, including gateway transit

·         Configure VPN gateway transit for virtual network peering

·         Design VPN connectivity between VNets

·         Configure a VNet-to-VNet VPN gateway connection by using the Azure portal

·         Implement VNet peering

·         Virtual network peering

·         Create, change, or delete a virtual network peering

Design and implement an Azure Virtual WAN architecture

·         Design an Azure Virtual WAN architecture, including selecting SKUs and services

·         What is Azure Virtual WAN?

·         Connect a VNet gateway to Azure Virtual WAN

·         Connect a VPN Gateway (virtual network gateway) to Virtual WAN

·         Create a hub in Virtual WAN

·         Tutorial: Create a Site-to-Site connection using Azure Virtual WAN

·         Create a network virtual appliance (NVA) in a virtual hub

·         How to create a Network Virtual Appliance in an Azure Virtual WAN hub

·         Configure virtual hub routing

·         How to configure virtual hub routing

·         Create a connection unit

·         Virtual WAN FAQ

Design and Implement Routing (25–30%)

Design, implement, and manage VNet routing

·         Design and implement user-defined routes (UDRs)

·         Virtual network traffic routing

·         Tutorial: Route network traffic with a route table using the Azure portal

·         Associate a route table with a subnet

·         Create, change, or delete a route table

·         Configure forced tunneling

·         Configure forced tunneling

·         Diagnose and resolve routing issues

·         Diagnose a virtual machine routing problem

·         Troubleshoot VPN Gateway

Design and implement an Azure Load Balancer

·         Choose an Azure Load Balancer SKU (Basic versus Standard)

·         Azure Load Balancer SKUs

·         Choose between public and internal

·         What is Azure Load Balancer?

·         Create and configure an Azure Load Balancer (including cross-region)

·         Quickstart: Create a public load balancer to load balance VMs using the Azure portal

·         Tutorial: Create a cross-region Azure Load Balancer using the Azure portal

·         Implement a load balancing rule

·         Outbound rules Azure Load Balancer

·         Create and configure inbound NAT rules

·         Tutorial: Configure port forwarding in Azure Load Balancer using the portal

·         Create explicit outbound rules for a load balancer

·         Outbound-only load balancer configuration

Design and implement Azure Application Gateway

·         Recommend Azure Application Gateway deployment options

·         Application Gateway configuration overview

·         Azure Application Gateway features

·         Choose between manual and autoscale

·         Autoscaling and Zone-redundant Application Gateway v2

·         Create a back-end pool

·         Application gateway components

·         Configure health probes

·         Application Gateway health monitoring overview

·         Configure listeners

·         Application Gateway listener configuration

·         Configure routing rules

·         Application Gateway request routing rules

·         Configure HTTP settings

·         Application Gateway HTTP settings configuration

·         Configure Transport Layer Security (TLS)

·         Overview of TLS termination and end to end TLS with Application Gateway

·         Configure rewrite policies

·         Rewrite HTTP headers and URL with Application Gateway

Implement Azure Front Door

·         Choose an Azure Front Door SKU

·         Overview of Azure Front Door Standard/Premium SKU (Preview)

·         Configure health probes, including customization of HTTP response codes

·         Azure Front Door Standard/Premium (Preview) Health probe monitoring

·         Configure SSL termination and end-to-end SSL encryption

·         Frequently asked questions for Azure Front Door

·         Configure multisite listeners

·         Application Gateway listener configuration

·         Configure back-end targets

·         Backends and backend pools in Azure Front Door

·         Configure routing rules, including redirection rules

·         URL redirect and URL rewrite with Azure Front Door Standard/Premium (Preview)

Implement an Azure Traffic Manager profile

·         Configure a routing method (mode)

·         Traffic Manager routing methods

·         Configure endpoints

·         Add, disable, enable, or delete endpoints

·         Create HTTP settings

·         Verify Traffic Manager settings

Design and implement an Azure Virtual Network NAT

·         Choose when to use a Virtual Network NAT

·         What is Virtual Network NAT?

·         Allocate public IP or public IP prefixes for a NAT gateway

·         Designing virtual networks with NAT gateway resources

·         Associate a Virtual Network NAT with a subnet

·         Tutorial: Create a NAT gateway using the Azure portal

Secure and Monitor Networks (15–20%)

Design, implement, and manage an Azure Firewall deployment

·         Design an Azure Firewall deployment

·         What is Azure Firewall?

·         Azure Firewall features

·         Azure Firewall Premium Preview features

·         Create and implement an Azure Firewall deployment

·         Deploy and configure Azure Firewall using Azure PowerShell

·         Tutorial: Deploy and configure Azure Firewall and policy using the Azure portal

·         Configure Azure Firewall rules

·         Use FQDN filtering in network rules

·         Configure Azure Firewall application rules with SQL FQDNs

·         Create and implement Azure Firewall Manager policies

·         Azure Firewall Manager policy overview

·         Tutorial: Secure your virtual hub using Azure Firewall Manager

·         Create a secure hub by deploying Azure Firewall inside an Azure Virtual WAN hub

·         Tutorial: Secure your virtual hub using Azure Firewall Manager

·         Integrate an Azure Virtual WAN hub with a third-party NVA

·         About Network Virtual Appliance in an Azure Virtual WAN hub

Implement and manage network security groups (NSGs)

·         Create an NSG

·         Create, change, or delete a network security group

·         Associate an NSG to a resource

·         Create, change, or delete a network security group

·         Create an application security group (ASG)

·         Application security groups

·         Associate an ASG to a NIC

·         Application security groups

·         Create and configure NSG rules

·         Network security groups

·         Interpret NSG flow logs

·         Tutorial: Log network traffic to and from a virtual machine using the Azure portal

·         Validate NSG flow rules

·         Introduction to flow logging for network security groups

·         Verify IP flow

·         Introduction to flow logging for network security groups

Implement a Web Application Firewall (WAF) deployment

·         Configure detection or prevention mode

·         What is Azure Web Application Firewall on Azure Application Gateway?

·         Create Web Application Firewall policies for Application Gateway

·         Configure rule sets for Azure Front Door, including Microsoft managed and user defined

·         Azure Web Application Firewall on Azure Front Door

·         Configure a Web Application Firewall policy using Azure PowerShell

·         Configure rule sets for Application Gateway, including Microsoft managed and user defined

·         Custom rules for Web Application Firewall v2 on Azure Application Gateway

·         Implement a WAF policy

·         Create Web Application Firewall policies for Application Gateway

·         Associate a WAF policy

·         Create Web Application Firewall policies for Application Gateway

Monitor networks

·         Configure network health alerts and logging by using Azure Monitor

·         Azure Monitor Network Insights

·         Create and configure a Connection Monitor instance

·         Create a monitor in Connection Monitor by using the Azure portal

·         Configure and use Traffic Analytics

·         Traffic Analytics

·         Configure NSG flow logs

·         Introduction to flow logging for network security groups

·         Enable and configure diagnostic logging

·         Resource logging for a network security group

·         Configure Azure Network Watcher

·         What is Azure Network Watcher?

·         Create an Azure Network Watcher instance

Design and Implement Private Access to Azure Services (10–15%)

Design and implement Azure Private Link service and Azure Private Endpoint

·         Create a Private Link service

·         What is Azure Private Link service?

·         Plan private endpoints

·         What is Azure Private Endpoint?

·         Create private endpoints

·         Manage a Private Endpoint connection

·         Configure access to private endpoints

·         Using private endpoints for Azure App Configuration

·         Integrate Private Link with DNS

·         Private Link and DNS integration at scale

·         Azure Private Endpoint DNS configuration

·         Integrate a Private Link service with on-premises clients

·         What is Azure Private Link service?

Design and implement service endpoints

·         Create service endpoints

·         Create, change, or delete service endpoint policy using the Azure portal

·         Configure service endpoint policies

·         Create, change, or delete service endpoint policy using the Azure portal

·         Configure service tags

·         Virtual network service tags

·         Configure access to service endpoints

·         Virtual Network service endpoints

Configure VNet integration for dedicated platform as a service (PaaS) services

·         Configure App Service for regional VNet integration

·         Integrate your app with an Azure virtual network

·         Configure Azure Kubernetes Service (AKS) for regional VNet integration

·         Create a private Azure Kubernetes Service cluster

·         Configure clients to access App Service Environment

·         Configuring an App Service Environment v1

·         Network Architecture Overview of App Service Environments

Final Words:

I would recommend a very good knowledge and hands on experience on the Azure cloud of at least AZ-104 level before appearing for the AZ-700 exam. It will help you a lot in understanding the requirements and needs asked in the exam questions.

Take it easy, read the question slowly (2-3 times, if required) and understand the specific need.

This exam is not that easy when it is compared with other Azure exams, but you will sail through it; if you are focused and pay enough attention towards the requirements in the exam questions.

 

I hope this will be helpful and encouraging!!

Best of luck!!