Preparation guide to Microsoft exam AZ-500 🙂
Even if you don’t plan to take the exam, all of this content is worth reading if you want to discover and improve your knowledge of security on Azure.
Before you start studying, make sure you know what this certification covers and what its prerequisites are.
The exam covers the following topics:
Manage identity and access (20-25%)
Implement platform protection (35-40%)
Manage security operations (15-20%)
Secure data and applications (30-35%)
More details:
https://www.microsoft.com/en-us/learning/exam-az-500.aspx
Manage identity and access (20-25%)
— Configure Microsoft Azure Active Directory for workloads —
How to: Use the portal to create an Azure AD application and service principal that can access resources https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Permissions and consent in the Azure Active Directory v2.0 endpoint https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
Configure Multi-Factor Authentication settings https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
Enterprise user management documentation – Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/
Manage Microsoft Azure AD directory groups – Create a basic group and add members using Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal
What is guest user access in Azure Active Directory B2B? https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b
— Configure Microsoft Azure AD Privileged Identity Management —
Configure Microsoft Azure AD identity protection
What is Azure Active Directory Identity Protection? https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
Vulnerabilities detected by Azure Active Directory Identity Protection https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/vulnerabilities
Configure Microsoft Azure AD Privileged Identity Management – Monitor privileged access, configure Access Reviews, activate Privileged Identity Management https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan
— Configure Microsoft Azure tenant security —
Transfer Microsoft Azure subscriptions between Microsoft Azure AD tenants, manage API access to Microsoft Azure subscriptions and resources
Transfer ownership of an Azure subscription to another account https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-aad https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-api-authentication https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api
Implement platform protection (35-40%)
— Implement network security —
What is Azure Virtual Network? https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
Security Group https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Configure Network Security Groups (NSGs) https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
Understanding Application Security Groups in the Azure Portal https://www.petri.com/understanding-application-security-groups-in-the-azure-portal
Create and configure application security groups https://azure.microsoft.com/en-gb/blog/applicationsecuritygroups/
Service tags https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
What is Azure Firewall? https://docs.microsoft.com/en-us/azure/firewall/overview
Tutorial: Deploy and configure Azure Firewall using the Azure portal https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
Configure remote access management – Security management in Azure https://docs.microsoft.com/en-us/azure/security/azure-security-management
Configure baseline – Protect your network resources in Azure Security Center https://docs.microsoft.com/en-us/azure/security-center/security-center-network-recommendations
Configure Azure Storage firewalls and virtual networks https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
Azure SQL Database and SQL Data Warehouse IP firewall rules https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
— Implement host security —
Configure VM security – Security best practices for IaaS workloads in Azure https://docs.microsoft.com/en-us/azure/security/azure-security-iaas
Manage endpoint protection issues with Azure Security Center https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection
Manage virtual machine access using just-in-time https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
Manage Windows updates by using Azure Automation https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management
Automate resources in your datacenter or cloud by using Hybrid Runbook Worker https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker
Configure Baseline – Customize OS security configurations in Azure Security Center https://docs.microsoft.com/en-us/azure/security-center/security-center-customize-os-security-config
— Configure container security —
Container Security in Azure https://azure.microsoft.com/mediahandler/files/resourcefiles/container-security-in-microsoft-azure/Open%20Container%20Security%20in%20Microsoft%20Azure.pdf
Configure network – Enable containers to use Azure Virtual Network capabilities https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview
Configure authentication – Service principals with Azure Kubernetes Service (AKS) https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal
Secure traffic between pods using network policies in Azure Kubernetes Service (AKS) https://docs.microsoft.com/en-us/azure/aks/use-network-policies
Configure AKS security – Security concepts for applications and clusters in Azure Kubernetes Service (AKS) https://docs.microsoft.com/en-us/azure/aks/concepts-security
Configure container registry https://docs.microsoft.com/en-us/azure/container-registry/
Best practices for Azure Container Registry https://docs.microsoft.com/en-us/azure/container-registry/container-registry-best-practices
Configure container instance security https://docs.microsoft.com/en-us/azure/container-instances/
Implement vulnerability management https://www.aquasec.com/solutions/azure-container-security/
— Implement Microsoft Azure Resource management security —
Create Microsoft Azure resource locks https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
Manage resource group security with Azure RBAC https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Built-in roles for Azure resources https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Configure custom RBAC roles https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
Configure Microsoft Azure policies https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
Configure subscription and resource permissions https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
Manage security operations (15-20%)
— Configure Security Services —
Configure Microsoft Azure Monitor – Azure Monitor overview https://docs.microsoft.com/en-us/azure/azure-monitor/overview
Configure Azure Log Analytics for data security https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-security
Configure Azure diagnostic logs https://docs.microsoft.com/en-us/azure/security/azure-log-audit#azure-diagnostics-logs
Configure Microsoft Azure Log Analytics https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access
Configure diagnostic logging and log retention https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-logs-overview
Configure vulnerability scanning https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations
— Configure Security Policies —
Working with security policies https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy
Azure security policies monitored by Security Center https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions
Configure centralized policy management by using Microsoft Azure Security Center https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy
Configure Just in Time VM access by using Microsoft Azure Security Center https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
— Manage Security Alerts —
Create and customize alerts – Custom Alert Rules in Azure Security Center (Preview) https://docs.microsoft.com/en-us/azure/security-center/security-center-custom-alert
Review and respond to alerts and recommendations https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations
Configure a playbook for a security event by using Microsoft Azure Security Center https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks
Investigate escalated security incidents https://docs.microsoft.com/en-us/azure/security-center/security-center-investigation
Secure Data and Applications (30-35%)
— Configure security policies to manage data —
Achieving Compliant Data Residency and Security with Azure https://azure.microsoft.com/mediahandler/files/resourcefiles/achieving-compliant-data-residency-and-security-with-azure/Achieving_Compliant_Data_Residency_and_Security_with_Azure.pdf
Configure data sovereignty using Azure Policy https://docs.microsoft.com/en-us/azure/governance/policy/samples/allowed-locations
Configure Data Retention https://www.microsoft.com/en-us/trustcenter/privacy/data-management
Configure data retention (Storage Analytics) https://docs.microsoft.com/en-us/rest/api/storageservices/setting-a-storage-analytics-data-retention-policy
Azure Data Explorer (Retention) https://docs.microsoft.com/en-us/azure/kusto/management/retention-policy https://docs.microsoft.com/en-us/azure/kusto/concepts/retentionpolicy
Configure data classification https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-settings-tutorial
— Configure security for data infrastructure —
Enable database authentication https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication
Configure and manage Azure Active Directory authentication with SQL https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure
Get started with SQL database auditing https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing
Azure SQL Database threat detection for single or pooled databases https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection
Azure Storage security guide https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
Configure key management for storage accounts https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys
Create and manage Shared Access Signatures (SAS) https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1
An introduction to Apache Hadoop security with Enterprise Security Package https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-introduction
Configure security for HDInsight https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds
Security in Azure Cosmos DB – overview https://docs.microsoft.com/en-us/azure/cosmos-db/database-security
Secure access to data in Azure Cosmos DB https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data
Data encryption in Azure Cosmos DB https://docs.microsoft.com/en-us/azure/cosmos-db/database-encryption-at-rest
High availability with Azure Cosmos DB https://docs.microsoft.com/en-us/azure/cosmos-db/high-availability
Online backup and on-demand data restore in Azure Cosmos DB https://docs.microsoft.com/en-us/azure/cosmos-db/online-backup-and-restore
Configure security for Microsoft Azure Data Lake https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-network-security https://docs.microsoft.com/en-us/azure/storage/common/storage-data-lake-storage-security-guide
— Configure encryption for data at rest —
Implement Microsoft Azure SQL Database Always Encrypted https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted-azure-key-vault
Implement database encryption https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017
Transparent data encryption for SQL Database and Data Warehouse https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql?view=sql-server-2017
Azure SQL Transparent Data Encryption with customer-managed keys in Azure Key Vault: Bring Your Own Key support https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql?view=sql-server-2017
How to use Key Vault soft-delete with PowerShell https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-powershell
Azure Storage Service Encryption for data at rest https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
Storage Service Encryption using customer-managed keys in Azure Key Vault https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys
Azure Disk Encryption for IaaS VMs https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview
Implement backup encryption https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq#encryption
— Implement security for application delivery —
Securing PaaS deployments https://docs.microsoft.com/en-us/azure/security/security-paas-deployments
Monitor availability and responsiveness of any web site https://docs.microsoft.com/en-us/azure/azure-monitor/app/monitor-web-app-availability
— Configure application security —
App Service and Functions hosted apps can now update TLS versions! https://blogs.msdn.microsoft.com/appserviceteam/2018/04/17/app-service-and-functions-hosted-apps-can-now-update-tls-versions/
Configure SSL/TLS certs https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl
Tutorial: Bind an existing custom SSL certificate to Azure App Service https://docs.microsoft.com/fr-fr/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-1112
Configure Microsoft Azure services to protect web apps https://docs.microsoft.com/en-us/azure/application-gateway/create-web-app
Create an application security baseline https://docs.microsoft.com/en-us/azure/security/security-paas-deployments
— Configure and manage Key Vault —
About keys, secrets, and certificates https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates
Secure access to a key vault https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
Manage certificates, manage secrets, configure key rotation https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring
Azure Storage account key management https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#azure-storage-account-key-management
Azure Key Vault managed storage account – CLI https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys
Azure Storage Account Keys Automatic Rotation http://www.wahidsaleemi.com/2017/08/azure-storage-account-keys-automatic-rotation/
Don’t forget to spend time on http://microsoft.com/learn, where you can find additional materials to prepare for your certification.