SC-900 Microsoft Security, Compliance, and Identity Fundamentals Study Cram (Jun 08, 2021)
Hello everyone. In this video I really want to provide some hints and tips and a crash study session for the new SC-900 exam. This is a fundamentals exam. Currently it's in beta only; I took it last week. It's a fundamentals test, and essentially what you're going to get with this is 60 minutes, so it's a short test, and it had 50 questions. The actual time it took me to finish was 11 minutes. The questions are one-liners, and it really comes down to: do you know what feature to use, or what functionality this feature provides?

You don't need to know how to set it up. You don't need to know any kind of depth about these things. It's "what does this function do?" or "I need to do this, which function should I use?", and you'll get a list of functions to select from. So it's very, very high level, but it's very broad, because the title is Microsoft. What that really implies is we're thinking, well, yeah, it's kind of Azure AD for the identity side, yeah, it's Azure for some of the services, but it's also Microsoft 365, so it's this kind of broad coverage of all of those different things.
Also, there are questions about general principles of compliance and principles around transparency and trust, so we need to know all those different things, but again at a very high level. Now the best place to start is the Microsoft site for SC-900. If you go there, you're going to get this fundamentals security, compliance and identity certification. Let's check the site and then we can think about it. It's beta. It's going to tell you the skills measured, and it talks about the basics of security, compliance and identity, then the Microsoft identity and access management solution (so Azure AD), and then the security and compliance capabilities as they address Azure and Microsoft 365. We can download the skills outline, where it goes into more detail about all the different goals, the skill goals, the functional groups and the individual skills we need to know about. What you want to do is go to this site, look at this list and make sure you can dial it into your brain: yes, I know what these are. The key word in all of them is "describe".

I don't have to implement, I don't have to design, I just have to know what the thing does, or know what thing I need to accomplish a certain task. In terms of preparation they have a free learning path, and honestly my recommendation would be to go through that learning path; I think that will put you in a good position to pass the exam. Again, it's a super simple exam, it's really fast, you can give yourself a minute per question, and they're not big questions. It's literally one line and then it's "hey, what component do I use?" or "is this the component that does this?" That's really all it's going to be. Now I mentioned there are some general principles across all of them, and what I want to do here is go over those, like a kind of full study.
A lot of people use these videos as something you watch right before the exam, maybe at the beginning, to tie it all together as a little review. So the first thing we really want to think about is this idea of defense in depth. The point here is that I don't want to depend on one thing. Think of an onion: we have all these different layers. I want multiple layers of protection, so that if something goes wrong there is something else to back it up and protect it. So we think about what I want to protect: things like data. Here we think about encryption; we think about encryption at rest, i.e. encrypting the data in storage, and we think about encryption in transit, where it's going over the wire between where it is and what wants to use the data. Then I can think of the app that is using that data: I want to make sure the app is well written and there are no vulnerabilities. We also think about compute, so obviously there's some compute service; it could be a virtual machine, it could be a container. We'll make sure it has protection built in: maybe limiting what ports are open, maybe a firewall configuration, maybe anti-malware.

We update all of those things to make sure it's as healthy as possible. Then there's the network, and in terms of the network we think about segmenting the network; you'll hear things like network security groups and other solutions there, and we think about limiting the types of traffic. We think about the network perimeter, and one key thing here is distributed denial of service protection. This is where a bad actor has various things target your public-facing service, just trying to flood it and take it down. Azure, for example, has protection against this (there are different levels of that), and for Microsoft services, well, that's their responsibility; they have protection against that. Then a huge one is identity. In the old days the network was the big security perimeter; as we move to the cloud, the network is no longer ours, so identity really becomes the key security perimeter for us. Then we start thinking about the full force of that identity: a big focus is always MFA and things that can drive that stronger authentication when we're going to access things. And then there's physical security. In the cloud that's not our responsibility; that's Microsoft's, securing the physical data centers. But I want all of these things, and if I'm responsible for a certain layer (we'll talk later about how this changes, who is responsible for what), I want to do as much as I can. Sometimes you'll see that even if you're responsible, it doesn't mean you're on your own. I could be responsible for user accounts, for example, but there are tools to help me make them as secure as possible. Now when you think about all this security, all this defense in depth, I've got all these layers so that in case one fails there's another layer to protect it. Sometimes you'll see this thing called CIA, and what CIA really comes down to is confidentiality, so I'm thinking about sensitive data, my encryption; I'm thinking about

integrity, so I'm making sure my data isn't tampered with, making sure that it's really what was intended, what was there originally, that someone hasn't changed it in some way. And then we think about availability, making sure that you can actually access my service, that it's available to those who need it. These are very important things to keep in mind when I'm planning my environment, because there's a saying that goes "secure and out of business". I have worked with some companies that have so much bureaucracy that it makes it so hard to do anything; they are secure, but they are not innovative, they cannot adopt new features, they cannot deliver great features to their business units and really differentiate themselves from the competition, because they're just stuck in the dark ages, or they focus too much on this little thing that doesn't really improve their overall security posture; they just get stuck in it. So there's always this delicate balance between being secure and being able to do business; you want to find that good balance between them. So I want to think about those three things: the confidentiality, the integrity and the availability of my data. Now when we think about security we often think about threats, things that can cause damage to our environment. What are we thinking about here? What are those types of threats?
Now I can think of a data breach, and this is usually the worst: the idea of a data breach, data has been stolen. That can destroy a business. Maybe it's my company's data, my intellectual property; maybe my clients' data is taken with their personally identifiable information. That's also a big problem. So we can think of a threat where someone takes our data. This is where encryption and those strong network defenses come into play, and the identity defenses, to make sure that when someone breaches an identity, okay, then they'll probably go and circumvent whatever other protection you have; they could change it and go get the data. So it's not just "encrypt the data"; I want a strong network, I want a strong identity, to make sure there isn't a weak link in the chain. Then we think about things like a dictionary attack. If I think about what it's really about, this data breach is, well, I'm trying to get data, and I'm going through various checks to get the data; it's trying to get to the identity. A dictionary attack is: hey, there's a list of common passwords, I just go to a certain account and go through that list of passwords, and I could substitute an i with a 1 or an o with a 0, those very simple and easy things. It's kind of a brute force attack; I don't really have any intelligence behind it, I'm just hammering away at this thing trying to attack it. And there are things like Azure AD

Smart Lockout, which gives me protection against that. Hey, it would stop those attempts. It's going to alert, it's going to say: hey, there's a risk, I can see that this attack is happening. There are things we can do, because they could also be trying to actually disable the account by doing all these bad authentications, and again, that Smart Lockout would protect my Azure AD account. Now I can also think of a phishing attack. It's like social engineering, but it's still trying to get to the identity: hey, click this link, I need you to do this authentication. They're normally pretty poorly written, obviously bad, but people click the link and type the password, and now your identity is compromised. You might also see a spear phishing attack. So everyone is trying to get the identity, let's be clear about that, and spear phishing is different from a regular phishing attack in that it is targeted. A little more effort has been put in; they have built a database on the users, they understand who their manager is, what kind of things they do, and now it's a targeted attack. This email will get to them, it looks like it came from their manager, it looks like it's legit, so it really increases the chance that they'll click on that link and you take the credentials. So there's more effort for the attacker there, but then you'll give me access to your identity, and again if I get the identity I can do many other types of things. Now I can also think of things like ransomware; we always hear about things like WannaCry. These are attacks that get into the network and then encrypt the data: hey, you pay me this money or I won't decrypt your data. It disrupts business. And then there are other types of disruptive attacks; for example it could be some sort of distributed denial of service attack. I'm not really getting anything other than preventing the company from doing business. So there are all these different types of things that are threats to me, and there are others as well, but these are the main kinds, and this last one is about the ability to do business.
So availability. Understand these types of threats and what they mean, but again, if my identity is compromised, then I can really do a lot of bad things, because if I have someone's identity I can probably go in there and change other things and modify everything else. So with these threats, what can we do against some of those things? One big thing that you're going to see is this idea of zero trust. That's really a big push today, and really the whole idea is just assuming you don't trust your network to be secure; you assume, even if I'm behind a firewall, that my network is compromised. I don't trust anything, so what I want to do is verify everything. If I don't trust anything then I want to verify everything, and I want to verify explicitly. So if there are communications between different devices, what I want to do is authentication, AuthN, and then authorization, AuthZ, and we'll talk more about the difference between those in a moment. I want to think about least privilege, so I think about just-in-time. Just-in-time means I only get the permissions I need at the time I need them, for a limited window, not holding a privilege all the time. When I have to do things I would go and raise my permissions.

I do the task that requires that elevated permission and then I lose it, so if I'm compromised, they usually won't get anything meaningful they can do with my compromised account. And then we think about just-enough admin, and that means don't make me a global admin, don't give me more privileges than I need to do the job; give me enough to do the task. So I figure out what permissions are required to do the task and I get a role that only has that ability, and I combine them to get a role that gives me enough to do the job, and I only get that role when I really need to do it. So we verify everything, we use least privilege, and in reality we're just assuming breach. If we're assuming breach, we're going to segment the network, segment in as many places as we can. I don't have this kind of broad communication.
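The just-in-time and just-enough-admin ideas above, worked as an added example (not from the video and not Azure AD PIM code): a principal holds a standing low-privilege role plus roles it is merely eligible for; an eligible role is activated for a bounded window, and the smallest role that covers a task is chosen rather than Global Administrator. The role names, permissions and timestamp are constructed for illustration.

```python
"""Added example: just-in-time elevation and just-enough-admin role selection.
Roles, permissions and the T0 timestamp are constructed values."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed roles and the permissions each carries (illustrative names only).
ROLE_PERMISSIONS = {
    "Reader": {"read"},
    "Key Vault Secrets Officer": {"read", "secrets.write"},
    "Global Administrator": {"read", "secrets.write", "users.write", "roles.write", "billing.write"},
}
T0 = datetime(2021, 6, 8, 9, 0)        # constructed "now" for the demo


@dataclass
class Activation:
    role: str
    expires_at: datetime


@dataclass
class Principal:
    name: str
    standing_roles: set = field(default_factory=set)   # held all the time
    eligible_roles: set = field(default_factory=set)   # may be activated just-in-time
    activations: list = field(default_factory=list)


def smallest_role_for(task_permissions: set) -> str:
    """Just-enough admin: the role with the fewest permissions that still covers the task."""
    candidates = [r for r, perms in ROLE_PERMISSIONS.items() if task_permissions <= perms]
    if not candidates:
        raise LookupError(f"no role covers {sorted(task_permissions)}")
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]))


def activate(principal: Principal, role: str, now: datetime, minutes: int = 60) -> Activation:
    """Just-in-time elevation: an eligible role becomes active for a bounded window only."""
    if role not in principal.eligible_roles:
        raise PermissionError(f"{principal.name} is not eligible for {role}")
    activation = Activation(role, now + timedelta(minutes=minutes))
    principal.activations.append(activation)
    return activation


def effective_permissions(principal: Principal, now: datetime) -> set:
    """Standing roles plus any activation whose window has not yet closed."""
    roles = set(principal.standing_roles)
    roles.update(a.role for a in principal.activations if a.expires_at > now)
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def demo():
    """Rotate a secret under a 30-minute activation, then look at what an attacker
    who took over the account afterwards would actually hold."""
    alice = Principal("ops-alice", standing_roles={"Reader"},
                      eligible_roles={"Key Vault Secrets Officer", "Global Administrator"})
    role = smallest_role_for({"secrets.write"})      # not Global Administrator
    activate(alice, role, T0, minutes=30)
    during = effective_permissions(alice, T0 + timedelta(minutes=10))
    after = effective_permissions(alice, T0 + timedelta(minutes=31))   # window closed
    return role, during, after


if __name__ == "__main__":
    print(demo())
```

The point of the expiry check in effective_permissions is the one the talk makes: an account compromised after the window closes carries only the standing Reader permission, not the secrets or admin rights that were briefly active.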
I'm going to segment, I'm going to encrypt in case there's some bad agent, something bad on my network. I want to be able to detect different types of threats, so I'm going to have solutions running that look at the logs, look at the types of interaction, use machine learning, and generate results from that, being able to see different types of threats. So what we'll see is that when we think about these things, we focus on a number of key types of objects to do this and achieve all these different things. We focus on identity, and I can think of an identity as a user, an app, a service, a device; the devices we use have identities. I think about device monitoring; I need to be looking at these things so I can detect if something goes wrong. I want to understand the applications being used. I want to think about data classification, because ultimately we do all these different things, but most of what we care about is the data. I want to make sure my data is okay, the important data. It's all fine, everything is encrypted, but I also have things like data loss prevention; I want to make sure that it can't be used in a bad way. And then obviously we think about the infrastructure, the networks, etc. So there are all these different types of items that I have to think about and protect.

Now there are some key concepts to go through, and again we're going pretty fast because this is a super broad exam; we just need to understand the basics. I've mentioned encryption a bunch of times, and one of the things that's important to understand is what the types of encryption are that we're going to use. You can actually think there are really two types of encryption. So if I think about encryption, you'll hear about symmetric, so I think about symmetric encryption, and then you'll hear about asymmetric. So you'll see these two types of encryption, and really the point is, with symmetric I can think of, hey look, I have my data, I run it through an algorithm that uses a particular key, and then I get this encrypted data on the other end. Now to decrypt it I use the same key. So the key that goes into the algorithm to create the encrypted version is exactly the same key I also use again to turn the ciphertext back into the data, so it's symmetric. This is very efficient for large-scale encryption of data. Asymmetric is different. Now there are two keys; you'll often hear the idea of a public key and a private key, and, as the name suggests, these are paired: there is an equivalent public key for the private key. The private key I keep to myself; the public key everyone can know. The idea of this is that if I had this data and I wanted to send it to someone encrypted, I would encrypt it with their public key, because everyone knows that. So I would encrypt it with the public key to get this gibberish, which can only be decrypted with the private key that only they have, so they'll get it back again. So if I want to send something to someone encrypted, I don't actually need a nice way to exchange the key, which is the problem with symmetric: how do I exchange the key?

There's a challenge there. So with asymmetric there's a public and private key, so if I want to send something to someone that only they can read, I encrypt it with their public key that everyone knows, but the public key can't be used to decrypt something that was encrypted with the public key. Now integrity: I want to make sure that no one has messed with the data, I want to make sure that it actually arrives as it was sent. If I think about that, it's a little bit on the technology side of protecting the data. The other thing that I often want to do is, hey, I want to send a little bit of data and make sure that the person who sees it knows that no one has changed it. So now I have a piece of data, and what we can do is generate a hash. A hash is really a data digest; it's a value I get. Then what I do is encrypt the hash with my private key; remember, only I have my private key. So I can send the person the data and that hash value encrypted with the private key.

So they get the data and run it through the exact same hash algorithm to get a hash value. Then, because it was encrypted with the private key, they can decrypt this value with the public key and can make sure they match. They hash the data, and if the results are equal then I know the data was not changed, and I can guarantee data integrity, because remember the public key can decrypt something encrypted with the private key. So on the one hand, if I want to protect data for someone by encrypting it, I encrypt it with their public key; if I want to send something to someone that only they can read, I encrypt it with their public key so only they can decrypt it with their private key. If I want to send something and ensure the integrity of it, that no one has messed with it, I would create a message digest, a hash value, encrypt it with my private key, and then send the data and that encrypted hash value. So now they get the data, they run it through the same hash algorithm to get the hash value, and make sure it matches the hash value that only I could have encrypted, because only I have the private key. So it means it's guaranteed not to have been changed in transit. This is how I can think of using the encryption types: symmetric to encrypt bulk data, asymmetric to send small amounts of data and to check message integrity. What you will often see is that they get mixed: if I want to have ongoing large-scale encryption I could use the asymmetric to share a symmetric key; this is how I can securely share that key, and then I'm good to move on. So that's encryption.

Now the next thing I want to talk about is that I brought up the idea of responsibility, and we have this idea that there are shared responsibilities. If I think about there being a lot of layers, I always draw this kind of layered thing, but when I start thinking about responsibility from this perspective there are actually more layers than I would normally talk about. So I can think, well, there is a physical data
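The three uses of keys described above (symmetric bulk encryption, public-key encryption of a small secret, and encrypting a hash with the private key to prove integrity), combined the way the talk describes for sharing a symmetric key, worked as an added runnable example that is not part of the video. The RSA here is unpadded "textbook" RSA on small Mersenne primes and the symmetric cipher is an HMAC-SHA256 keystream; both are constructed for illustration, not for production use, and the message and names are constructed.

```python
"""Added example: symmetric vs. asymmetric encryption and a signed hash for
integrity. Toy RSA on small Mersenne primes; HMAC-SHA256 keystream for the
symmetric part. Constructed values throughout; not production cryptography."""
import hashlib
import hmac
import math
import os

# Toy moduli: products of two Mersenne primes (constructed, far too small for real use).
ALICE_PRIMES = (2**31 - 1, 2**61 - 1)
BOB_PRIMES = (2**61 - 1, 2**89 - 1)


def make_rsa_keypair(primes, e=65537):
    """Return (public, private) as ((n, e), (n, d)) for two distinct primes."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    return (n, e), (n, pow(e, -1, phi))   # modular inverse; needs Python 3.8+


def rsa_encrypt_small(public, secret: bytes) -> int:
    """Encrypt a short secret with the recipient's PUBLIC key (anyone can do this)."""
    n, e = public
    m = int.from_bytes(secret, "big")
    assert m < n, "toy modulus only fits secrets shorter than n"
    return pow(m, e, n)


def rsa_decrypt_small(private, ciphertext: int, length: int) -> bytes:
    """Recover the secret; only the holder of the PRIVATE key can do this."""
    n, d = private
    return pow(ciphertext, d, n).to_bytes(length, "big")


def _digest_mod_n(data: bytes, n: int) -> int:
    # Toy: fold the SHA-256 digest into the small modulus so it can be signed.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    """Hash the data and encrypt the digest with the sender's PRIVATE key."""
    n, d = private
    return pow(_digest_mod_n(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """Decrypt the signed digest with the PUBLIC key and compare to a fresh hash."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(data, n)


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher: XOR with an HMAC-SHA256(key, counter) keystream.
    The same key, applied twice, returns the original data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def hybrid_send(recipient_public, sender_private, message: bytes) -> dict:
    """Asymmetric wraps a fresh symmetric key, symmetric carries the bulk data,
    and the sender's private key signs the message digest for integrity."""
    session_key = os.urandom(8)   # 64-bit toy key so it fits under the toy modulus
    return {
        "wrapped_key": rsa_encrypt_small(recipient_public, session_key),
        "ciphertext": symmetric_xor(session_key, message),
        "signature": sign(sender_private, message),
    }


def hybrid_receive(recipient_private, sender_public, envelope: dict):
    """Unwrap the session key, decrypt the bulk data, then check integrity."""
    session_key = rsa_decrypt_small(recipient_private, envelope["wrapped_key"], 8)
    message = symmetric_xor(session_key, envelope["ciphertext"])
    return message, verify(sender_public, message, envelope["signature"])


def demo():
    """Alice sends Bob a message; a copy altered in transit fails the integrity check."""
    alice_pub, alice_priv = make_rsa_keypair(ALICE_PRIMES)
    bob_pub, bob_priv = make_rsa_keypair(BOB_PRIMES)
    envelope = hybrid_send(bob_pub, alice_priv, b"Q3 revenue figures: constructed sample")
    message, intact = hybrid_receive(bob_priv, alice_pub, envelope)

    tampered = dict(envelope)
    body = bytearray(envelope["ciphertext"])
    body[0] ^= 0x01                      # flip one bit in transit
    tampered["ciphertext"] = bytes(body)
    _, tampered_intact = hybrid_receive(bob_priv, alice_pub, tampered)
    return message, intact, tampered_intact


if __name__ == "__main__":
    print(demo())   # (b'Q3 revenue figures: constructed sample', True, False)
```

Note which key does what in each step: Bob's public key wraps the session key, Bob's private key unwraps it, Alice's private key signs the digest, and Alice's public key checks it. Real deployments use full-size moduli with padding (for example RSA-OAEP and RSA-PSS, or elliptic-curve equivalents) and an authenticated cipher such as AES-GCM in place of the toy pieces here.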
center. I can think that in that physical data center there is a physical network, and then there are physical hosts, so these are all real-world objects. And then I can think, okay, well, now I run an operating system, I might have network controls (my NSGs; I'm going to talk about those), I have my applications, and then there might be some kind of directory and identity infrastructure. So let's talk about directory and identity infrastructure. And then on top of that there are accounts and identities, there are devices, and then there's information and data. Now if I look at that, if I think on-premises, then obviously all these things are customer-owned, because it's on-premises; there's no cloud involved in this. When we start talking about the cloud there are different types of services. We think of infrastructure as a service, i.e. a virtual machine in the cloud, and as soon as you get into any type of "as a service", this bottom part always becomes the responsibility of the cloud provider.

In this case Microsoft: you never have access to a physical data center, a physical host, or a physical network; that will always be them. Now if you think about the responsibilities, then in a VM world you control the operating system, you control the network, it's in your virtual network, so in this case it's now the customer's responsibility. Again, it doesn't mean you're alone; there are solutions in Azure to help you patch the OS, back up the OS, replicate the operating system, there's anti-malware, network security groups, Azure Firewall; there's everything to help you do it, but fundamentally you're responsible for it. Then you start moving to other solutions, so PaaS, platform as a service, and there are many different types, which gets a bit more confusing at this point. Now one of the things that doesn't change is that these are always the customer: the accounts, the devices, the information and data. It's always your responsibility to protect that; again, there are tools to help you, but that will always be the customer throughout. But in the PaaS world, there's a change now. I can think, well, the operating system in this world

becomes the cloud's. On top of all that physical stuff, this top part is always the customer's, and this middle now becomes sort of a joint responsibility: there are aspects that are the customer's responsibility, there are aspects that are somewhat shared. So here this now becomes a shared responsibility; there are things that the vendor is responsible for, there are things that you are responsible for. And finally there is software as a service. In a software as a service world (and I guess I'll pick another color) the line now goes up more layers: you're not responsible for the application or the network, but again the directory and identity infrastructure for the SaaS, now it's all kind of cloud, and it's always you for the top part, but now this little piece here is shared, the idea of identity and directory infrastructure; there's kind of a shared model. But again, the customer is always responsible for this top part. When I think about what to be doing, whether it's SaaS, PaaS or IaaS, the data, the devices, the accounts, that's your responsibility; there are services to help you, but ultimately you own that. It's important to understand how they change. Essentially, as I move from IaaS to PaaS to SaaS, I'm responsible for less and less. As soon as I get out of IaaS I don't care anymore about patching the OS or antivirus on the OS or any of that stuff, and as I move from PaaS to SaaS I don't care anymore about the application or the network controls; it's really about how I use that commercial service, and there are things like the applications, the data, the identity that I'm responsible for. I need to make sure
I'm using the right tools, the right license maybe, to protect it to the best of my ability. Okay, so that's kind of general responsibility. We've got these different threats and trust; now we start moving towards more about service principles, service specifications and trust. For all these things, for all Microsoft services, at a very high level there are some key principles that really drive this, and you'll see Microsoft talk about these six key privacy principles. You need to know these. So there are these six privacy principles. The first one is about control: putting the customer in control of their privacy, making sure you have the various dials, you can use the tools to make decisions about what data you want to make available to others, maybe how you want it to be used. Then it should be transparent: it shouldn't be confusing, you shouldn't have to go and search to find out what data is being collected, so you can make the right choice. Where there is data, protect it: use strong encryption, strong security, to make sure that if you are entrusting data to Microsoft, they are good custodians of that data. You will hear about strong legal protection; obviously this is an interesting point, and you'll see it in court cases, where you hear that somebody goes to a cloud provider and says "give us customer data", so it comes down to respecting the local laws of the country and fighting for the privacy of us as humans, this fundamental right that we have, the right to privacy. Do not use the data for targeting: if you have our emails, if you have our chat files, do not use any personal content to drive advertising for some other service. And make sure there is benefit to you, i.e. we are collecting this data to benefit you as a customer, to improve your experience. So those are the six key Microsoft privacy principles, and again, know what they are.
Now if we think about that, then we really come to this idea of trust; it boils down to that. So how do we get an idea of the various aspects surrounding all of those things? The biggest one that you're going to start with is the Service Trust Portal. This is really the place to go, and I'm actually going to open this and take a look at it. If I jump here, it's just servicetrust.microsoft.com, and right away you can see where it talks about audit reports: SOC, FedRAMP, ISO 27001, PCI DSS, and there are a bunch of these. If I click on this link I go to audit reports, and I can see a list of documents on all the different types of audit reports, FedRAMP and GRC and PCI and ISO, and you can download massive amounts of documentation on these various things. So this Service Trust Portal is kind of a starting point where you'll want to go. So we have all these different types of audit reports. Now we also have Compliance Manager, and this allows us to measure and manage our compliance against various kinds of standards, and I can go in here and distinguish between the things that I'm responsible for as a customer and the things that Microsoft is responsible for.

You can see I'm at 75, so it looks like it's going great, until I see how the points were achieved: I'm 90 out of 4008, while Microsoft is 12093 out of 12093, so Microsoft is doing significantly better than me. But it gives me the things that I can work on to really improve my compliance. Then it breaks it down by categories, and there are various types of reviews, and I can see the improvement actions; it's giving me that data. So this is a real key place where I can go and manage these things, so I can really track what I can assign. It really helps me get details. There are different kinds of solutions through here; I can see what I need to do, I could select this for example, I could assign the action to someone, I could track when I want it done. It really is a complete management tool for this. Plus we can see, look, there's all kinds of trust documents, there's the audit reports, there's data protection, other things. It's broken down by industry, so there are particular industries I care about, or regions.
There's documentation about penetration testing, and the Compliance Manager, regional and industry compliance, the services, the Security and Compliance Center, and the Trust Center is really huge to go and track all those different compliance setups. So I find a lot here in this Trust Center, because this is where you can really go and start to find out, for compliance, for example, what all the different compliance offerings available in Azure are by the different solutions. For Microsoft Azure, for example, here I can see all the different compliance offerings, so if I select that, here we go, these are all the different compliance offerings out there, and I could click on them and go and get all the different details. If I'm trying to figure out, hey, does Azure or Microsoft 365 or Dynamics have this, I would start at the Service Trust Portal, then I go to the Trust Center, and then I can look at the ones for Azure and really dive into this. If there are documents that I really care about I can save them, so if I come back here I can have my library, with things that I really care about. Notice here it's saying "save to the library", and then it will always be available to me, very easy to access. So that's already a lot of things, and it's really just the most generic stuff, but it's important that you know all those different main things.

Now once we get to those and understand them, then it really breaks down into three main areas. I can think, well, there's Azure AD, because remember the identity and the health of that identity is key, and after Azure AD we have things like Azure and we have Microsoft 365. See, they both use an Azure AD instance for their identity, so that's the next kind of drill down. It's a deep foundation that we have to think about, so if we start thinking about Azure AD now, for Azure AD, as with any identity solution, there are really four key pillars that I have to think about. I can think about the administration pillar, that is management; I can think about authentication, sometimes written AuthN; I can think about authorization, AuthZ; and then I can think about auditing. So it's four key things that we have to think about. Again, if I think about the admin, well, that's administration; authentication is proving who I am; authorization is what I can do; and then auditing is what I've done. So they're all key pillars of that kind of complete solution, and I want to dive into them.

So if I think about management, one of the key things you're going to see constantly is modern authentication. Modern authentication has to do with the idea that we have a centralized identity provider, and I want to be able to use it for multiple services. We want to move away from this kind of legacy authentication, where I have this credential just for this service; with modern auth I have a token, and that token I can use in a variety of services. We think about consent: I'm going to say, hey, this service can go and do this on my behalf. You'll also hear about OAuth; you might have seen it in some kind of Facebook app where it says "Hey, you're going to access this app", and you log into your Facebook and it says "Hey, I want to do this on behalf of your Facebook data, we'll post on your page", and you agree that it can work on your behalf. But also as part of this modern authentication, we have the idea of strong auditing policies, so I think about policy auditing, and really the whole idea is to detect risk and to drive strong modern authentication.
Now, what is my world of authentication? Now we're used to the idea and again you need to know the basics about this but we're very used to the idea that we have active directory so this is kind of our on-premises active directory domain services and we just have sort of users groups and devices and then we have the idea of azure ad tenant we have an azure ad instance this is not a cloud active directory domain services instance it might look like that w ay its not for nothing all of this is centered around a kind of modern authentication um open id connect our dock 2 um ws feed saml you listen to this modern authentication and what we do is enable a sync of our accounts so now we have this thing called azure ad connect or azure ad cloud sync is the new one, but we'll focus on azure id connect which syncs accounts. i'm accessing services for example that trust a.d or if i'm accessing some cloud service here that trusts azure ad for me it's a very smooth experience and this azure id is really behind the idea of that auth modern, it's a cloud- Idp based identity provider Speak cloud Speak again Open id Connect Speak oauth2 Speak saml Speak all that cloud stuff Now as part of these synchronizations we send the user objects We send the objects from group we can send thin gs as a hash of the user's password hash, so maybe you can improve protection by looking for compromised accounts because the hash of the password hash is up there.
I can find out if something bad has happened. Now, in that Azure AD there are various types of objects. Obviously we have users; these could be synced users, or they could be accounts I create directly in Azure AD. They can be invited as well, so a guest. That's also sort of B2B, which means business to business, and it's someone I collaborate with, someone in another organization. It could be someone in a different Azure AD, it could be a Microsoft account, it could be a Gmail, it could be just someone else. They could use federation, they could use a one-time passcode, but essentially I can make them a known entity to my Azure AD, they authenticate to their home account, and then I can authorize them to do something. So I can have native users.
I can have guests. You might also have things like service principals, so if I register an application, when I register it I get an enterprise application, and you get a service principal that represents that application. So when you register applications you will get a service principal. Then there's something like a managed identity. Managed identity is really the idea that I have things that trust this Azure AD, and one of them might be Azure, and within my subscription that trusts that particular Azure AD instance I create some resource, and the resource can automatically get an identity that only that resource can act as. So I have a particular managed identity; it saves me from having to store a password or something else, it's only available to that resource. So I'll have managed identities. I can have groups. Now, groups can be assigned, so assigned means I manually say all these users are in this group, or they can be dynamic. Dynamic, as the name suggests, means I can basically have a query based on the attributes of the user: hey, you're now a member of this group, so if my department matches this, I'm in it.
If my description matches this, I'm in this group. These are very powerful, because from the groups I can do things like assign apps, assign licenses, even roles. So in terms of lifecycle or governance, groups are very, very powerful. You could use a dynamic group to add people as they change roles, based on maybe their title or their department, and that would automatically give them certain apps and licenses and roles, and obviously if they move out of the group they would lose those things. So one big thing we'd like to do is give permissions to groups instead of individual users. Then of course I have devices. When I think of devices, obviously we've had this idea of AD and then Azure AD, so if I think about Azure AD there's really three different models I can have. I can have joined. If it's joined, this is kind of Windows 10; I'm going to authenticate with an Azure AD account, and it will probably be a corporate device, so if I'm going to join it's probably some kind of corporate device. I can have registered, so that's probably personal; that's my device. That can be a whole range of different types of devices: from a registered perspective that could be Windows 10, iOS, Android, I think macOS. They're known to Azure AD, and I'm going to sign in with a personal account. I can also do hybrid. Hybrid is when the device is known to both Azure AD and Active Directory Domain Services, and when I authenticate I basically get tokens for both things. Again it will be a corporate account; if I'm using Windows 7 plus or Windows Server 2008 plus I can use that hybrid model. So Azure AD is that identity provider, and I can think of all these different types of objects that I can have there. One key thing is things like guests, when I want to collaborate; the point of a guest is people I want to collaborate with at work. Now, completely separate from that, I can have customers, and that's a separate Azure AD tenant.
This tenant is called B2C, so it's Azure AD B2C, business to consumer. So now these people are my customers, and they actually have those things here, but now I can also have things like Facebook, Twitter, Weibo, there's a whole list of these. Users can bring their social identity to authenticate against Azure AD B2C, and then I write my app which relies on Azure AD B2C for authentication. This is how I can think of putting all that together. Now, Azure AD: there are a bunch of different versions, and you don't need to know the details of them. If I quickly pop onto the page it really breaks down into these SKUs: there's free, then there's if you have Microsoft 365 licenses, and then there's premium. So what we can see is with free, hey, I can do a lot of things. I have my device registration, I can even do things like MFA, but it's very basic MFA, with the free basic reports. Then with Microsoft 365 licenses I can do a custom-branded self-service password reset for cloud accounts. But it's really when I go to premium that we get all these more advanced things like Conditional Access. You'll hear me talk about Conditional Access; I need premium, P1 or P2, and they come with other licenses like some of the Microsoft 365 E3 and E5, but you'll see you get all these enhanced features when you get those premium licenses. Then with P2 that's where you get things like Identity Protection, Privileged Identity Management, just-in-time, access reviews and entitlement management. OK, that really builds on that core. All of that was really about the administration type and what we can do. So the next thing: OK, if that's the administration side, what about authentication? Remember that authentication is the first thing that happens, authentication, AuthN, so this is the first thing after someone has created the account.
If I go to the Azure portal, the first thing I have to do is authenticate: who do I say I am? Now, how do we do that test? Remember, this is all about who I am. We can have a password, and in general we don't like just a password on its own; it's very unpopular today. We want to move to MFA. Remember that the goal of MFA, multi-factor authentication, is something I know, something I have, something I am. Something I know: hey, a PIN, a password. Something I have could be my laptop, could be a phone, a token. Something I am is a biometric, a 3D face scan, my fingerprint, one of those things. So MFA is obviously a lot stronger because it's multiple factors; a password would be one factor, it's something I know, so I want to move to MFA. I can really think there are different types of MFA. One of the things I could do is an SMS message, or it could be a call to my phone, so that's one aspect I could do with MFA, and that's better than nothing, but it's not very popular.
People always worry about hijacking a SIM or something, so we can go beyond that and start thinking about things like the Authenticator app, and from there we can display a code or display a notification. We have some kind of software one-time passcode tokens or hardware one-time passcode tokens, so it's MFA. Even better is if you move to the idea that there is no password. You'll hear Hello for Business, and the general idea of Hello for Business is that you use the TPM on your laptop to create a private/public key pair. Remember the encryption from earlier: the private key is in that TPM, that trusted platform module, which is kind of tamper-proof, you can't brute-force attack it, and now I use that to authenticate. Now I might say OK, that's just the laptop, which is a form of authentication, something I have, but I still have to use a PIN to unlock it, so that's something I know, or a biometric to unlock the machine. Then I have something I have, because this Hello for Business is unique to that particular machine. So it's two things: something I know to unlock, and then something I have, because I'm unlocking that particular device. So this no-password is really the utopia we want to try and get to. There are things like Hello for Business, there are things like the Authenticator app; once again with the Authenticator app I have to unlock the app and I have to have my phone, so it's still strong authentication, it's two-factor. There are also things like hardware FIDO2 keys. So this is just authentication, just the idea that I'm trying to improve the strength of my general authentication. We don't like just a password; if we were here we'd draw a very, very sad face for this. The call or SMS is better than nothing, we're kind of neutral, but when we get to these we're happy. No password is the best, but if we do MFA with one of these it's still a great thing. The password on its own gets a big frowny face. MFA will be the answer to almost any question you see about needing to have strong authentication.
If you see MFA written in there, that's going to be your answer, pretty much guaranteed. Now, very, very quickly we can see this. If I jump into my Azure Active Directory and go to Security, from here we can see MFA. There are a few options. There are things like fraud alert, so I can turn this on, so if a user gets an alert to say hello, please confirm your authentication, and they didn't ask for an authentication, they can actually report that. Then I have the option to say, hey, if this user reports it, automatically block users who report fraud, so we can go and dig into it, we can go and do other things, but it will definitely increase the risk of that user's session.
You'll know those things. Now, plus, if I actually go back here to the cloud-based MFA settings, you'll notice that I can choose the verification options: call to phone, text message, notification through mobile app, verification code from mobile app. You'll also see the idea that for users I can do things like enable them, I can disable them, I can enforce; this is per-user MFA, and generally we're not going to do that. That's not the preferred way I want to do MFA. For all these things I want to use something called Conditional Access. These are policies, and one of the results, the requirements, could be to do MFA. This is how I want to handle these things; I don't want people to have to do MFA constantly, they'll gain muscle memory to accept it all the time. The time I should drive MFA is if I'm doing a privileged action or if any major risk is detected; that's the best practice. Now remember, this is a P1/P2 capability, so I can do that if I have P1/P2. If I don't have P1/P2 then I can't use Conditional Access, so the other option, if I had something like Microsoft 365, it gives you MFA and then I can do the per-user configuration. I can go in and say it's enabled, so they'll register, and once they've registered then they'll go to enforced. So that's where I'd look at those kind of ideas: hey, I'll enable them, and once they're registered they'll move to enforced. Now, if I'm free, really what you have is something called security defaults, and with security defaults I can't choose anything. So again, for premium P1/P2 I can control the sign-in, and if I'm P2 I can go further.
In fact, with P2 I can use Identity Protection to control the registration. If I'm only M365, yes, I can do that kind of thing per user. In the free version there are security defaults. If we go and look quickly, basically what it's going to say is hey look, everyone has to register. If I go back to my Azure AD and go to Properties, everyone has to register; you can see it here at the bottom, manage security defaults. If I set it to yes, which I won't, because I have Conditional Access, which is much better.
With security defaults on, administrators would have to use MFA, and users would have to do MFA if it's a new device, a new app, or some kind of privileged task. I don't have anything else; hey, I can do that. Now, plus you'll see things like self-service password reset, so coming back here, if I click Password reset, what I can do here is hey, if passwords are forgotten, users forget their password, I can set different methods they can use to reset their password. They can use an app code, an email, a mobile phone, an office phone, security questions. There are integrated security questions, and I can add my own security questions; you can choose the ones you want here. So now, instead of the user having to call the help desk, they can just go in and do this self-service password reset. Also, if I'm P1 or P2 it can actually write that back to your regular Active Directory, so this is about changing passwords, resetting passwords, unlocking accounts too. While we're here, we got the idea of blocking simple passwords, so password protection. Once again, if we jump into Security, what we can see here with the Security option is we have these authentication methods and I have this password protection. I can automatically ban dumb, easy-to-guess passwords like "password" and whatnot, but I can also add custom banned passwords for your business. Maybe if you're in Texas, no people can use the word "cowboy" in their password, or in my case "savill", so I would prevent people from using them. I can even extend this so they can't be used on-premises either, so I have the ability to have this kind of relay agent installed on-premises where the Active Directory domain controllers would also connect, so you can have this protection against very simple passwords. OK, that's all about authentication; remember, it's about proving who I am.
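The banned-password idea above, as an added Python example that is not Microsoft's code: a simplified reimplementation of how a global list plus a custom list can be checked after normalizing common character substitutions. The substitution table and the five-point scoring rule follow Microsoft's public description of how Azure AD password protection evaluates passwords; the word lists, the candidate passwords and the omission of fuzzy matching are my own simplifications.

```python
"""Added example: simplified banned-password scoring in the style of Azure AD
password protection. The substitutions and the five-point rule follow Microsoft's
public description; the code is an approximation, not the product, and omits the
service's fuzzy (edit-distance) matching."""
from typing import Dict, List, Optional

# Substitutions the normalization step undoes before matching.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed stand-in for the global banned list, plus the custom list an admin
# would add for their business (the "cowboy" / "savill" idea from the talk).
GLOBAL_BANNED = ["password", "contoso", "blank", "qwerty", "letmein"]
CUSTOM_BANNED = ["cowboy", "savill", "texas"]
MIN_SCORE = 5  # passwords scoring below this are rejected


def normalize(password: str) -> str:
    """Lower-case and undo common leet substitutions so 'C0wb0y' matches 'cowboy'."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str, custom_banned: Optional[List[str]] = None,
                   global_banned: Optional[List[str]] = None) -> Dict[str, object]:
    """Each banned term found in the normalized password earns one point and is
    removed; every character left over earns one point. Longer terms are matched
    first so a long banned word is not consumed by a shorter one inside it."""
    banned = sorted(set((global_banned or GLOBAL_BANNED) + (custom_banned or CUSTOM_BANNED)),
                    key=len, reverse=True)
    remaining = normalize(password)
    matched: List[str] = []
    for term in banned:
        while term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "", 1)
    score = len(matched) + len(remaining)
    return {"normalized": normalize(password), "matched": matched,
            "score": score, "accepted": score >= MIN_SCORE}


if __name__ == "__main__":
    # Constructed candidates: two leet-obfuscated banned words, the documented
    # "C0ntos0Blank12" style case, and a long password that merely contains a term.
    for candidate in ("C0wb0y1", "Savill@1", "C0ntos0Blank12", "Texas-Longhorn-77"):
        print(candidate, score_password(candidate))
```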
Having proven who I am using that strong auth, then it comes down to authorization, so think AuthZ: what can I do? There are really two layers to this. I can think of role-based access control, so this is what roles I have, and there are roles both in Azure and roles in Azure AD; things like Microsoft 365 use these Azure AD roles. There are built-in roles for all of these and I can also add custom roles for both, so if the built-in roles don't meet my requirements I can add a custom role. We always think of giving someone the role that is enough to do what they need, not giving them more than they need. So it's about what they can do. Then we think about Conditional Access, and this is really talking about when they're trying to access a certain application or do a certain thing.
The session controls could do things like make them sign in at a certain interval. Hey, if it's from grandma's machine they can read stuff, but it's limited: they can't save a form, they can't write. I can really control what they can do, so Conditional Access is all about controlling those various things once I have done the authentication and now I really want to go and do something. So once the authorization passes we have the idea of audit and governance. Obviously these are very critical things. Now, Azure AD, in terms of an all-up identity lifecycle governance, doesn't really have it natively. What you can do is integrate with HR systems, so for example if you had an HR system, you can integrate that to Azure AD and there's a provisioning service, and even if I'm using Active Directory, when I go and do those HR requests there's a special component in Azure AD Connect or Azure AD Cloud Sync that would actually allow them to land on-premises and then replicate back up to Azure AD. So if I had an existing HR system I can take advantage of that. But a big thing that you'll be doing is things like groups, so remember the idea about those dynamic groups. I can build a dynamic group based on user attributes, and then out of those groups come the applications, the roles, the licenses, so I'm going to focus on that. I can use things like Privileged Identity Management, so PIM gives me the ability to elevate myself to a given role for a finite amount of time, but I can also use it to say, "hey, you have this role, but you've only got it for three months", so PIM can review the role to make sure it doesn't get left behind.
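The Conditional Access behaviour described above (MFA only for privileged or risky sign-ins, block on high risk, a limited read-only session from an unmanaged device), as an added Python example that is not Microsoft's engine or policy schema. The policies, role names and sign-ins are constructed; the combination rule (block wins, otherwise every matching policy's grant control must be satisfied and session controls accumulate) mirrors how Conditional Access combines multiple matching policies.

```python
"""Added example: a toy evaluator for Conditional Access-style policies.
Policies, roles and sign-ins are constructed; this is not Microsoft's engine or
policy schema, only the combination logic: block wins, otherwise every matching
policy's grant control must be satisfied and session controls accumulate."""
from dataclasses import dataclass, field
from typing import Callable, List, Set

PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator"}  # constructed subset


@dataclass
class SignIn:
    user: str
    roles: Set[str]
    app: str
    device_managed: bool
    sign_in_risk: str  # "none" | "low" | "medium" | "high"


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # assignment conditions (users, apps, risk, device)
    grant: str                          # "block" | "mfa" | "allow"
    session: Set[str] = field(default_factory=set)  # session controls to apply


@dataclass
class Decision:
    outcome: str        # "block" | "mfa" | "allow"
    session: Set[str]
    policies: List[str]


# Constructed policy set reflecting the talk: no blanket per-user MFA, MFA on
# privilege or risk, block on high risk, limited access from unmanaged devices.
POLICIES = [
    Policy("Block high sign-in risk", lambda s: s.sign_in_risk == "high", "block"),
    Policy("MFA on medium sign-in risk", lambda s: s.sign_in_risk == "medium", "mfa"),
    Policy("MFA for privileged roles", lambda s: bool(s.roles & PRIVILEGED_ROLES), "mfa"),
    Policy("Portal sign-in frequency", lambda s: s.app == "Azure portal", "allow",
           {"sign_in_frequency:8h"}),
    Policy("Limited access from unmanaged devices",
           lambda s: s.app == "SharePoint Online" and not s.device_managed, "allow",
           {"app_enforced_restrictions:read_only"}),
]


def evaluate(policies: List[Policy], sign_in: SignIn) -> Decision:
    """Apply every matching policy: any block wins; otherwise MFA is required if
    any matching policy requires it; session controls are the union of all."""
    matched = [p for p in policies if p.applies(sign_in)]
    session = set().union(*(p.session for p in matched))
    if any(p.grant == "block" for p in matched):
        outcome = "block"
    elif any(p.grant == "mfa" for p in matched):
        outcome = "mfa"
    else:
        outcome = "allow"
    return Decision(outcome, session, [p.name for p in matched])


# Constructed sign-ins covering the cases the talk calls out.
def everyday_user() -> Decision:
    # Ordinary user, managed device, no risk: no MFA prompt, no muscle-memory fatigue.
    return evaluate(POLICIES, SignIn("alice", set(), "Outlook", True, "none"))


def admin_in_portal() -> Decision:
    return evaluate(POLICIES, SignIn("bob", {"Global Administrator"}, "Azure portal", True, "none"))


def grandma_machine() -> Decision:
    # Unmanaged device reaching SharePoint: allowed, but read-only session.
    return evaluate(POLICIES, SignIn("alice", set(), "SharePoint Online", False, "low"))


def risky_admin() -> Decision:
    # Block wins even though the MFA and session policies also match.
    return evaluate(POLICIES, SignIn("bob", {"Global Administrator"}, "Azure portal", True, "high"))


if __name__ == "__main__":
    for fn in (everyday_user, admin_in_portal, grandma_machine, risky_admin):
        print(fn.__name__, fn())
```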
It's not affecting those behaviors; this is to make sure that you don't do things on the admin plane. So I've got all this cool stuff, and the way we really like to deploy resources is to use an Azure Resource Manager template. I can define this JSON template that defines all the resources we have in a very declarative way, and then I apply that. I can version-control that thing, so we're going to create things that are immutable; I can re-run it, and because it's declarative I say what I want it to look like and it just makes sure it matches that description. That's how we want to deploy things. What you'll hear often is the idea that look, I want to deploy a subscription in a very standard way, I want to deploy these resources, so what you'll actually hear is something called a blueprint, and a blueprint is really a collection of things.
I can define resource groups, I can define role-based access control, I can assign policies and templates, and with that, when I do that deployment, it has its own set of locks. It doesn't use the regular locks, it uses its own special type of locks; they're basically based on deny assignments. I can say don't lock: I'm deploying these sets of things and they can do what they want with them afterwards, they can delete them, do what they want. I can say do not delete: they can change the settings, but they can't get rid of it. Or I can say read only: I'm stamping this configuration, but you can't change anything about it. So if I had the idea that I want to be able to set up subscriptions with a standard set of configuration, blueprints will be the answer, because I can create the resource groups where the resources are created, I can assign roles, I can assign a policy to set the guardrails around it, then I can deploy the resources with an ARM template. You can really think of that in terms of an Azure resource. If you ever see the idea that hey, I want to define the guardrails, that's policy, so I can think hey, you can only use these regions, I can only create this type of account, I must have this tag set; that will always be a policy. I can use that in various ways: I can use it to enforce, i.e. it has to match that, or I can use it just to track compliance, so maybe it won't block it, but I'll know if it's not in that state. So I have all these different options, and of course the role-based access control is these various permissions. Now, you can go and create all these things yourself, but what you'll find is that Microsoft has this big push right now about this Cloud Adoption Framework, and what this Cloud Adoption Framework is, is a set of documentation and guidance and best practices and tools that basically set up this type of best-practice configuration for you.
You'll see there are several phases to this. If we really go and break this down quickly on their site, it explains what these key phases are. First there's strategy; once you've done the strategy then there's planning, and then it's ready, to really get this stuff up and running, and then you're going to adopt, and adopt includes migration and innovation. If I click on a different link you can see this in a nicer picture: you can see the lifecycle idea, define the strategy, plan, ready, and then adopt, and of course all these things are governed and managed, and that will help drive all those different kinds of things through this Cloud Adoption Framework. OK, so it's got all that kind of tooling as part of it. Now, when I'm thinking about security and compliance, we think about network, data, all of these different things. There are a number of key constructs in Azure. If I'm thinking about network and data, the first thing is obviously we define this virtual network, so we have the idea of a virtual network, and the way we control access, the way we segment, is we have the concept of a network security group. A network security group is based on IP addresses, ports and protocol, so destination and source IP, destination and source port, and TCP/UDP protocol. I define these rules and then say allow or deny, create a set of these rules and apply it to a subnet. I can also apply it to a NIC, which is not usually done. So I create these rules and it helps me segment. If you think of a virtual network that has various subnets carving up the IP space, but also things going in and out of the virtual network, maybe going to other virtual networks that are peered, maybe networks that are connected via an ExpressRoute or site-to-site VPN, this helps me lock it down. You might also see something called application security groups.
Application security groups are actually a label on the network interface that I can use instead of the IP address, so it's kind of an IP address or a label that's also built in. Then what I might think about when I have public IP addresses is that I might have distributed denial of service protection, and there's kind of basic and standard. Basic gives everyone this real-time mitigation of common attacks; with standard I can fine-tune it more through monitoring traffic, through machine learning, and I can have custom policies. Also I can have stuff like Azure Firewall. Now, Azure Firewall is a device that lives inside my virtual network, and with Azure Firewall I can do filtering.
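The network security group rules described above, as an added Python example (constructed rules and flows, not Microsoft's code): an evaluator that walks rules in priority order, first match wins, with Azure's built-in default rules underneath. It also shows an application security group label used in place of an address, and the caveat that the default AllowVnetInBound rule permits traffic between subnets unless you add an explicit deny. The VNet address space and the service-tag derivation are simplifications of my own.

```python
"""Added example: first-match-by-priority evaluation of Azure NSG-style rules.
Constructed rule set and flows, not exported from a real NSG; the default rules
and their priorities mirror Azure's documented defaults, while the VNet range
and the Internet/VirtualNetwork tag derivation are simplifications."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

VNET = ip_network("10.0.0.0/16")  # constructed address space of our virtual network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules 100-4096, platform defaults 65000+
    direction: str      # "Inbound" | "Outbound"
    access: str         # "Allow" | "Deny"
    protocol: str       # "Tcp" | "Udp" | "Icmp" | "*"
    source: str         # "*", CIDR, service tag or ASG label
    source_port: str    # "*", "443", "1024-65535"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_labels: FrozenSet[str] = frozenset()   # ASG labels on the source NIC, if any
    dst_labels: FrozenSet[str] = frozenset()


# Azure's built-in default rules, evaluated after any custom rule.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def service_tags(ip: str) -> FrozenSet[str]:
    """Simplified tag derivation: inside our VNet, otherwise the Internet."""
    return frozenset({"VirtualNetwork"} if ip_address(ip) in VNET else {"Internet"})


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def address_matches(spec: str, ip: str, labels: FrozenSet[str]) -> bool:
    if spec == "*" or spec in labels or spec in service_tags(ip):
        return True
    try:
        return ip_address(ip) in ip_network(spec, strict=False)
    except ValueError:      # spec is a tag or ASG label that does not apply here
        return False


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and address_matches(rule.source, flow.src_ip, flow.src_labels)
            and port_matches(rule.source_port, flow.src_port)
            and address_matches(rule.destination, flow.dst_ip, flow.dst_labels)
            and port_matches(rule.destination_port, flow.dst_port))


def evaluate(custom_rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule by ascending priority."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    raise RuntimeError("the DenyAll default rules always match")


# Constructed custom rules: HTTPS in from the Internet to NICs labelled "web",
# and an explicit deny of RDP from anywhere, including other subnets in the VNet.
CUSTOM_RULES = [
    Rule("allow-https-to-web", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "web", "443"),
    Rule("deny-rdp-inbound", 200, "Inbound", "Deny", "Tcp", "*", "*", "*", "3389"),
]


def https_from_internet() -> Tuple[str, str]:
    return evaluate(CUSTOM_RULES, Flow("Inbound", "Tcp", "203.0.113.5", 51000, "10.0.1.4", 443,
                                       dst_labels=frozenset({"web"})))


def rdp_from_vnet() -> Tuple[str, str]:
    # Without the explicit deny at 200, AllowVnetInBound (65000) would permit this.
    return evaluate(CUSTOM_RULES, Flow("Inbound", "Tcp", "10.0.2.7", 52000, "10.0.1.4", 3389))


def ssh_from_vnet() -> Tuple[str, str]:
    # No custom rule mentions SSH, so the default intra-VNet allow applies.
    return evaluate(CUSTOM_RULES, Flow("Inbound", "Tcp", "10.0.2.7", 52001, "10.0.1.4", 22))


def ssh_from_internet() -> Tuple[str, str]:
    return evaluate(CUSTOM_RULES, Flow("Inbound", "Tcp", "198.51.100.9", 40000, "10.0.1.4", 22))


if __name__ == "__main__":
    for fn in (https_from_internet, rdp_from_vnet, ssh_from_vnet, ssh_from_internet):
        print(fn.__name__, "->", fn())
```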
It is a managed network virtual appliance. It will automatically scale based on the amount of traffic, and it has native high availability. It can filter on things like the IP address, but also the fully qualified domain name, so the names of the services it's trying to communicate with. If I have services that I offer on the internet, I'm often going to have resources, and if it's HTTP/HTTPS based, or maybe I'm using Azure Front Door, you'll see things like web application firewall. Web application firewall provides protection against common vulnerabilities; there's a set of basic rules that give me protection. Things like Application Gateway, the content delivery network, Azure Front Door can connect to this web application firewall, so something like a SQL injection attack, it's going to give me protection against those things. Now maybe I want to get to resources inside the virtual network, and again the point of this is just a high level, to know what these things do. Maybe I have some kind of virtual machine I want to get to, maybe it's RDP if it's Windows or SSH if it's Linux. I want to get there safely, so there's a service called Azure Bastion, and the Azure Bastion service allows me, from the Azure portal, so I'm in the portal, I can see my virtual machine.
I can press Connect, select Bastion, and it goes through the Bastion to give me an RDP or SSH connection to my virtual machine. I don't have to worry about opening firewall ports or configuration or any of those. It gives me access to resources inside my virtual network, or virtual networks that are connected. So let's think network side: to protect, network security groups, or I can have Azure Firewall, where I can do more advanced filtering and FQDNs. If I offer internet services: distributed denial of service protection, web application firewall on things like Application Gateway, content delivery network, Front Door. If I want to be able to access resources, hey, Bastion gives me a great way to do it. Now, on the data side we often have things like storage accounts, and storage accounts can have blobs and queues and tables and files. We think about encryption at rest, so we're going to encrypt it, and it could be a platform-managed key, where Microsoft stores the key and takes care of the key and rotates it, or it could be a customer-managed key, so here we use things like Key Vault and I have a customer-managed key that is used to protect the data encryption key. Also, if it was a virtual machine there are things like Azure Disk Encryption, which uses things like BitLocker or dm-crypt within the OS running within the VM to do that encryption. Also things like SQL have transparent data encryption. This Key Vault is a super powerful construct: I can have secrets, which is a piece of data that I can write and extract, maybe a password or a token; I can have keys, which means I generate there or import there but I can't get it back out, but I can do crypto operations inside the Key Vault using that key; and then there are certificates, which are really just wrapped keys, but you can manage the whole kind of lifecycle around that. Now, within my Azure world there are all these different components, and in terms of security there are different solutions here.
But really the most important one is going to be Azure Security Center. Azure Security Center is this cloud security posture management, a CSPM. It's about knowing my environment and what I want to improve. So ASC has a number of core things. It has a secure score, so it's built using things like Azure Policy to go and get a compliance state of a number of built-in things that really matter to you, and it lets me know what I should be really targeting. So if we jump in and look at an environment, let's close some of these things; if I just go and look in my Security Center, front and center you'll see my secure score.
I have things like different compliance things that I can care about, so I can manage the compliance policies that I care about, and I can, hey, I'll choose my development subscription. Look, hey, there's all these other ones: I have Azure Security Benchmark, PCI DSS, but I can add more than they have natively. But I also have that basic secure score, and this is basically giving me stuff that I should care about. It's going to sort them in terms of priority as well: enable MFA, that's the biggest improvement it could have on my score, so it gives me places to start to really help improve my overall security posture. So it gives me the security baseline, I can have alerting, it has things like a network map to know what's going on in my environment, so I can see everything there, I can see different security alerts I have in my environment. Then we have things like Defender. Defender has deep and broad protection, and we can see here that there are different types of Defender available, but in my subscription I can turn on Azure Defender, and then it shows me the difference between hey, when it's off and I just have the basic Azure Security Center, and when I turn it on I get just-in-time VM access, adaptive application controls, regulatory compliance, all this other stuff, and then I have these deep and broad protections, so I can turn on protection for SQL, storage, Kubernetes, App Service, and then there are broad protections on stuff like DNS and Resource Manager. So I can choose and activate these things, but obviously there is a price I pay for this. I can have things like continuous export to other solutions, maybe another SIEM tool, to have these capabilities. But that just-in-time, the JIT, is where usually the ports are closed to the VM, but it will open them when I need it. So it adds these various components so I can protect all my Azure services.
Through these various solutions. Now, the next solution that you'll commonly see: yes, we think about Azure Security Center, and Azure Security Center is about what is my compliance state, so it will tell me what is my compliance status, tell me things like hey, I want to do my protection here. Then you'll hear something called Sentinel, and Sentinel is based on a Log Analytics workspace. So under Sentinel we have a Log Analytics workspace, which essentially has connectors. Those connectors can be for a lot of different things: that could be for Azure AD, for Microsoft 365; again, Azure resources can send to this thing. What Sentinel then adds on top of that, because getting the logs for things on its own is pretty useless.
I'm going to get a deluge of different data, so Azure Sentinel adds things like, yeah, it has the logs, it adds all these different types of connectors, and then adds things like machine learning on top of the logs to really give me analysis. So it's kind of a SIEM solution, a security incident and event management solution. I can also orchestrate an automated response, so a SOAR solution, and so what it will give me is the ability to really respond and recover. If you think about this, it's raising alerts and it can send them here, so Sentinel can build on that. If I jump back super fast and if I now search for Sentinel, we can see I have a basic Sentinel workspace, and it really gives me the ability to go hunting: I can run queries for various types of things to find various types of attacks based on the logs in that Log Analytics workspace. I can see the different incidents, I can see a general kind of health status of my environment, any malicious events that are occurring. So it's looking at the logs and then drawing good conclusions from them. We have these data connectors and we have this ability to connect to all these different types of systems, including Azure AD, Azure AD Identity Protection, but also things like hey look, Microsoft 365, Defender for Office 365. So we can take all of that and build it to allow Sentinel to really give us protection for all those different types of things. And so when we talk about Microsoft 365, let's move on to that, so that last piece is kind of Microsoft 365.
Now, the biggest starting piece that we think of for protection is Defender, and there are actually four different parts of Defender. You will see that there is Defender for Identity. It was kind of Azure Advanced Threat Protection, Azure ATP, and now it's Defender for Identity. So what you're seeing is essentially my on-premises Active Directory domain controllers: getting signals from them, which they send to the cloud, and then it detects attacks and threats on my on-premises domain controllers. So this kind of thing would sit alongside things like Identity Protection looking at my Azure AD health. OK, at that point all my config got locked; I guess you're telling me to hurry up.
I'm taking too long to record this, so anyway, after the identity piece, which is actually about local domain controllers, the next piece is Defender for Endpoint. Now, if we think about it, there's kind of Defender already, just regular anti-malware protection, so what this does is add additional detection and prevention by looking at things like what is the entry point for an attack and what happened, it got from this user to that user; it gives me all of that forensic capability. This used to be Defender ATP, but it's really about getting that full trace, and that's for Windows, Android, Linux, macOS. Then there's kind of Cloud App Security.
What applications are being talked to from my corporation? It helps me track things like shadow IT, where people are using apps that I as a company may not have authorized, so this can be about discovery. Also, if I do things like integration with Conditional Access, for example, if I have proxies, I can control how they can use those various services, as well as if I suddenly see someone copying a bunch of documents, like data exfiltration, I can stop them. Then there's Defender for Office 365, and you may have seen the idea of where you get Safe Attachments, Safe Links; it gives me
anti-phishing protection, and for collaboration like OneDrive and SharePoint and Teams. There are different levels of functionality, but it's really about giving me that ability to protect my users who are using Office 365, again with those detonation chambers: when you get an attachment it can go and put it in this isolated chamber, run it to make sure it's not doing something wrong, tracing all those links. Now, we always think about layers, that defense in depth, so you can think from a layers perspective. Obviously there's identity, there's the device and there's the data. Obviously the identity we're talking about with Azure AD or elements of that, so now I want to focus on the data type behind my Office, my Microsoft 365, my Office 365, and then the device. Now, we saw the idea that within Azure there is a Security Center; for Microsoft 365 there is also a security center, and just like with Azure it has a number of different elements. It has its own type of secure score, which again gives me the points on what I should focus on to have the biggest impact, so to speak, where I should prioritize, but there are all kinds of reports and incidents and so much more. So if we jump in, let's take a look at this. This is our new starting point for Microsoft 365, and we can see it walks us through this wizard that we could go through, but it shows me things like hey look, here is my secure score, 35.6, which is obviously terrible, but I can see it historically, I can see what has changed around that secure score. Actually I might see things like how can I improve my score, and notice again it's showing me hey, what's the score impact, and again MFA. You'll see some common things in both Azure and Microsoft 365.
Obviously use Azure Ad, so the identity stuff will be common, but then it'll branch out into Azure. We'll talk about things like networks and devices. they can do cloud app security client lockbox other kinds of things so i can see this to get a really quick idea of what i care about then also from this kind of microsoft 365 security center i can see hey see if there is any incident in particular and that maybe I care through my environment. I can see if there are alerts and again we can turn on Microsoft 365 defender. We have kind of threat analysis lookup hubs and then you'll see a lot of other things like auditing the status of reports. several different aspects that we'll come back to in a moment, but before we really dive into that level of detail, I want to quickly go back to the device area now in a local world that we had Active Directory we have a group policy we may have a system center configuration manager there's patches and apps and inventory in a modern workplace environment we think azure ad ok there's no group policy so what we get out of it e is we have intune now intune does a number of different things that i can think of ok i have a policy i can get health status i can push a lot of other aspects of this now this is across a lot of different platforms i can think of ok windows is a one obvious but i also have things like ok mac os i can think of um android and ios type and hide the ipad os so it really comes down to the end customer device est o it's not for servers it's about the end client device and there's really two kinds of ways that intune uh can work now there's a lot more aspects but as far as we're concerned I have these devices and I can think of m d m and the key point here is the device if I can spell mobile device management then this means Basically I'm enrolling the device which means what Intune can do is anything about the whole device.
I can think of doing device configuration. I can do device policy. I can send certificates to the device. the device so this will typically be for the type of corporate assets where it's okay as a business to be doing that full management so the other is mam and the key point here is the app so I'm not enrolling the device on this is just particular apps and usually based on them going and talking to a corporate source then I can push just one app policy so now I'm thinking about app policy I can't enforce the device level stuff but when they launch the app connecting to a corporate data source thinking like the outlook client talking to the online exchange then i can tell it's talking to a corporate mailbox then you should have this policy i might have to pin when i actually type business apps are in their own little sandbox so this is my device or, not my corporation's device as a corporation I can wipe company managed apps but I can't wipe the entire device which I might do in this kind of mdm world so there's sort of an important im distinction between the mobile device management mobile app management new corporate device probably my personal device we talk about these policies and these policies may have things like requirements and maybe not jailbroken if it's antivirus versions of a mobile device various other types of things that i can have security baselines if it's a windows 10 device so think of intune as the policy engine you'll typically go with azure active directory there's no group policy that's how too i can push things like both custom and marketplace type apps i can do those things so i wanted to make that kind of point o important now, if we talk about the security center, well, then we think about, okay, that's security, then we start to worry about compliance and so on. 
Just as you'd expect, there's also a compliance center, so if we jump in here one more time, we can see that there's a Compliance Manager solution.
This is an all-in-one solution that allows me to track my overall compliance for Microsoft 365. You can see, once again, that there's a compliance score. I can see where I get the various points about the things I care about. I can go and assign and keep track of the dates it needs to be done by and who should do it. I have complete control of all those different things. Also, if we do a "show all", there are a lot of different types of solutions: audit, content search, data loss prevention, data subject requests, eDiscovery, and I'm going to talk about these various aspects. But one key point of this compliance center: you can see the admin view, the Compliance Manager looks at the catalog to start identifying the risk, and again if I go into Compliance Manager it will show me that, hey, for the things that I'm responsible for, I'm doing a terrible job, and for the things that Microsoft is doing, they're doing a good job.
They have done everything just to make me look bad, and it shows the things that I should really try to focus on to be successful. Now if you come here, we have audit. I can search for various types of things; I can see all these different types of activities that are available to me. I could narrow it to certain users and certain date and time ranges and actually perform that search. Now there are also audit retention policies, to be able to create a policy based on a duration, actually up to 10 years, and for what types of data, so I have controls over exactly what matters to me. Now, when I do a search for this audit, it's important to note that not everything will show up right away. Some things take 30 minutes, some things can take up to a day. We can break it down, and we can see in the documentation that it distinguishes things that take 30 minutes and things that take 24 hours. We can see that here, so if you're interested, review the documentation: depending on the source, how long will it really take before it's searchable?
That's just the regular audit I can do from this. There's also advanced audit, which is what I can do for forensics and compliance investigations, and again we get a year for Exchange, SharePoint and Azure AD, but it goes to 10 years with some additional licenses. Now the next part is the data. So remember we talked about this: that's general compliance, great, we have a solution there; the device is Intune; the identity we know is all that Azure AD stuff. Okay, so now we have the data. There are many different aspects to this, but often we may not know what data we have, so there is often the idea that we have to classify the data, and then once we classify the data we can protect it. Now protect can mean many different things: protect can mean things like encryption, it can be things like data loss prevention, which could prevent me from synchronizing it, it might be a watermark. But I can build on those classifications, I can push certain types of policies, and again all of this is coming from that compliance page. So if we come back here, notice we have the solutions; if I actually go to home for a second, we have data classification. Now there are different types of classification. I can think of classification in terms of types of sensitive information, so PII: credit card numbers, social security numbers, driver's licenses. There is a whole number of those built in, so that's one way to classify data as sensitive, because a lot of these are based on looking for certain words, looking for certain combinations of characters. Then classifiers can be trained, so once again there are multiple of them built in, things like I'm looking for resumes, looking for source code, looking for harassment, looking for profanity, looking for threats, or I can create my own. I can create trainable classifiers based on what matters to me. Now with these sensitivity labels I can assign a label to documents, and then once I've done those sorts of classifications, well, I can do things to protect it. You'll see things like data loss prevention, so I can do things around encryption, I can do things around rights management, that data loss protection, so I can have things like restrict sharing, I can have things like add a watermark. Plus there's also the aspect that, look, there's the classification that drives protection, but it could also drive retention.
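To make the "classification drives protection" idea concrete, here is an added illustration in Python; it is not from the video and not Microsoft's classification engine. It finds two built-in-style sensitive information types by pattern plus checksum (a credit card number with a Luhn check, so a random 16-digit tracking id is not flagged, and a U.S. SSN), derives a sensitivity label from what was found, and lets that label decide the DLP action; the sample documents, the patterns and the policy table are all constructed.

```python
"""Toy classification -> sensitivity label -> DLP action pipeline.

Added illustration, not Microsoft's engine: sensitive information types are
found by pattern matching plus a checksum, the strongest finding sets the
document's label, and the label decides what DLP is allowed to do.
"""
import re

# Constructed sample documents. 4111 1111 1111 1111 is a well-known test
# card number; the SSN is made up; the parcel number is not a card number.
SAMPLE_DOCS = {
    "expense.txt": "Charge it to card 4111 1111 1111 1111 (test number) and file by Friday.",
    "hr.txt": "Update the record for SSN 123-45-6789 before payroll runs.",
    "menu.txt": "Tuesday tacos, Wednesday pizza. Order by 10am.",
    "tracking.txt": "Parcel 1234 5678 9012 3456 left the depot at 09:00.",
}

# Two built-in-style sensitive information types (assumed patterns).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical policy table: what protection each label drives.
POLICY = {
    "Highly Confidential": {"encrypt": True, "watermark": True, "block_external_sharing": True},
    "General": {"encrypt": False, "watermark": False, "block_external_sharing": False},
}


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum, so 'looks like a card number' alone is not a match."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                         # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # and fold two-digit results
        total += d
    return total % 10 == 0


def find_sensitive_types(text: str) -> set:
    """Return the names of the sensitive information types present in the text."""
    found = set()
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        found.add("Credit Card Number")
    if SSN_RE.search(text):
        found.add("U.S. Social Security Number")
    return found


def classify(text: str) -> str:
    """Classification drives the label: any sensitive type -> Highly Confidential."""
    return "Highly Confidential" if find_sensitive_types(text) else "General"


def dlp_decision(text: str, share_externally: bool) -> dict:
    """Protection follows the label: block an external share only where policy says so."""
    label = classify(text)
    rules = POLICY[label]
    return {
        "label": label,
        "types": sorted(find_sensitive_types(text)),
        "encrypt": rules["encrypt"],
        "watermark": rules["watermark"],
        "blocked": share_externally and rules["block_external_sharing"],
    }


def scan(docs: dict) -> dict:
    """Evaluate every document as a pre-sharing DLP scan would."""
    return {name: dlp_decision(text, share_externally=True) for name, text in docs.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_DOCS).items():
        print(f"{name:14} {verdict['label']:20} {verdict['types']} blocked={verdict['blocked']}")
```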
I need to keep my data, so here I could have things like: okay, do not delete. Or maybe it's the opposite, maybe it's delete, get rid of this after a certain period of time. Sometimes those can be just as important to the overall solution. Now a lot of these actions will be based on the idea that I have eDiscovery cases: okay, look, I need to find the content, and then I'll do something with that, maybe I'm exporting it, maybe I'm investigating, but there's some kind of action out of that eDiscovery. There are actually three different solutions that we have as part of Microsoft 365. There's very basic content search, then there's the more advanced core eDiscovery. Now core eDiscovery is based on the idea that I can create a case, and then from the case I can do things like put a hold on the data to make sure someone doesn't delete it, then I can search and I can export. Then there's advanced eDiscovery, and that really builds on the idea: so if core is about, hey, I have a case, and from the case I can do a search, a hold and an export, advanced builds on that and adds things like data custodians and much richer review sets. So if we jump back and look at content search, you'll see that this is just the ability to do a basic search, where I can type in criteria and go and find stuff. But then we have the eDiscovery down here, which is this richer set of capabilities. So we have core eDiscovery: we build the case, and then once we build the case I can go and hold data, search it, and optionally export. Or we have advanced, so in advanced eDiscovery, one more time, I would go and create a case, but then I would go and add these data custodians, for example persons of interest: maybe they have a mailbox, maybe they have a SharePoint site. I can say I want to hold the data, collect the data, pre-process the data, review it, then export. Now when I add custodians to this, it's actually going to try to find the data that they own, so it will go and find their mailboxes and it'll find their OneDrive, or I can add additional things like SharePoint sites and Microsoft Teams, etc. So we've got these three main tools really available to us, and for all of these things it can actually take up to 24 hours, so if I think about all these holds, it can take 24 hours to kick in. There are various roles, like eDiscovery administrators, to manage and create cases, and there are PowerShell scripts for more advanced searches. So there are all these different things, and this is all around the data. So again: identity, that's Azure AD; the device, that's Intune, and I can use things like Conditional Access and I can check device health; the data, classify it to know what I have (most companies don't know what they have), so I can protect it, whether that's encryption or DLP, and maybe there are retention-related things, and I want to be able to find the data that I'm interested in.

Then finally, from a compliance perspective and more, there are other things that matter to us, so I want to think about insider risk management. Within insider risk management there is a solution that really deals with malicious people internally.
I want to be able to detect risk. I want to be able to act on those risky, malicious actions, for example if they are trying to share data or get a lot of data. So I can have policies based on a template, and when they trigger, based on the things that I have defined, it will create an alert. Based on the conditions it generates an alert, and then that can be analyzed: I have alerts that need to be reviewed, then I can investigate and then take some action; it could be a notification, it could be more. So that's about it. Again, you need to know the solution and what's there: insider risk management is about helping to detect and prevent malicious actions by insiders. Then I can think about communication compliance, so it's all about the idea that I have acceptable communication policies in my company, maybe in Teams, for example, or in email. So this is about communication compliance: look, I'm going to put policies in place, maybe it's about profanity, how we treat each other, and now if people violate those policies, it could tag the message and it could notify us.
I can monitor overall compliance, so it's really about ongoing communications. I have standards for my company on how my employees should treat each other; I can detect that, label the messages, notify users. Then there are information barriers, so the name really suggests this: it's the idea that I have different groups of users in my company and they shouldn't talk. For example, in Teams they shouldn't chat with those people or share files with those people, so I can really think about this across things like SharePoint, OneDrive and Teams. With this solution I can say: look at these groups of people, maybe for legal compliance reasons, whatever, I don't want them to communicate directly. So if I see a question, hey, you need to prevent these groups in the company from being able to communicate in Teams or share documents, okay, that will be the information barriers solution. Now I mentioned PIM for Azure AD, Privileged Identity Management. Microsoft 365 has PAM, privileged access management. So if you think about PIM, it's all about giving me a role for a certain amount of time, just enough; PAM is actually a lower level, it's a task. So PAM is about giving me a certain task in a certain scope when I request it, and there's full ability to have permissions and authorization as part of that, but it allows me to get just this smaller set of capabilities, so as a user I can request, hey, I need this particular task, and it can be given to me. So it's really one level lower than PIM. And then there's Customer Lockbox, and this is really about a Microsoft support engineer type person. So I make a call with Microsoft, they need to access my service to help, they send me a request, the manager at Microsoft has to approve it, then it's up to you as a customer to approve to allow them to access your service. There's a whole flow around this; if I actually open the site we can see it, hey, in Office 365.
So obviously this is your data, you care about this. Talk about the flow: so, look, you're having problems with your mailbox, you open a ticket, the support engineer wants to see it, hey, I want to access this, their manager has to approve it, and then you as a customer log in and then you approve it, and then the engineer can go and do that work. And you can track it: remember all actions are in the audit logs, so you can actually go and review exactly what they did. So this gives you full visibility as a customer of what they're doing within your subscription. What we covered, I mean, a lot of things, obviously. The key point here is that you don't need to know the details of any of these things. You need to understand, hey, look, what are the key concepts about defense in depth, what are the key types of threats: they attack data, they attack identity, and they attack our ability to do business. What is zero trust, what does it mean? What are the kind of shared responsibilities we have over the types of service we focus on? What is the type of encryption? Look, if I want to send someone a protected message, what do I need? Well, I need their public key. Hey, if I want to digitally sign a message, then I need my private key, and then they would need my public key. So they can get to the key point: your private key never leaves you, in no scenario do you give that to someone else. Symmetric and asymmetric.
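As an added illustration (not from the video), a toy textbook-RSA script in Python that shows which key does which job: encrypt to someone with their public key, sign as yourself with your own private key, verify with the signer's public key, while each private key stays where it was generated. The Mersenne primes, the exponent and the sample message are assumptions, and the absence of padding makes this unfit for real use; it is here only to make the key roles concrete.

```python
"""Toy textbook RSA showing which key is used for which job.

Added illustration, not from the video: encrypt *to* someone with their
public key, sign *as* yourself with your private key, verify with the
signer's public key. Private keys are created locally and never handed over.
Textbook RSA with no padding is not secure; it only makes the roles concrete.
"""
import hashlib

# Mersenne primes 2^p - 1 used as toy RSA primes (public knowledge, not secret).
M31, M61, M89, M107 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1
E = 65537  # common public exponent; coprime to every phi used below


def keygen(p: int, q: int) -> tuple:
    """Return ((n, e) public, (n, d) private). Needs Python 3.8+ for pow(e, -1, m)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def encrypt(recipient_pub: tuple, message: bytes) -> int:
    """Protecting a message for someone needs only *their* public key."""
    n, e = recipient_pub
    m = int.from_bytes(message, "big")  # message must not start with a zero byte
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(own_priv: tuple, ciphertext: int) -> bytes:
    """Only the recipient's own private key reverses it."""
    n, d = own_priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(own_priv: tuple, message: bytes) -> int:
    """Signing uses the signer's *private* key, so only they can produce it."""
    n, d = own_priv
    return pow(_digest(message, n), d, n)


def verify(signer_pub: tuple, message: bytes, signature: int) -> bool:
    """Anyone holding the signer's public key can check the signature."""
    n, e = signer_pub
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    alice_pub, alice_priv = keygen(M31, M61)   # alice_priv stays with Alice
    bob_pub, bob_priv = keygen(M89, M107)      # bob_priv stays with Bob
    msg = b"Q3 numbers: revenue up"            # constructed sample message
    c = encrypt(bob_pub, msg)                  # Alice uses Bob's public key
    s = sign(alice_priv, msg)                  # ...and her own private key
    print(decrypt(bob_priv, c) == msg)         # Bob uses his private key: True
    print(verify(alice_pub, msg, s))           # ...and Alice's public key: True
    print(verify(alice_pub, msg + b"!", s))    # tampered text fails: False
```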
What are the six privacy principles? You need to understand what they are. For all the trust topics, the Service Trust Portal will be your go-to place, and from there we can access all the different types of documents, so go ahead and look around. Azure AD is used by Azure and Microsoft 365. We think AAA: authentication always comes first, who am I, proving that; authorization, what can I do; audit, well, what did you do, keeping track of those things. We think modern authentication, and really MFA is all about giving me solid authentication, that's what we want to do. So I think, hey, MFA: I can do a phone call, a text, I can use things that are better and stronger like tokens and an app, or I could go passwordless. It's completely important to understand the types of objects we have in Azure AD. If someone I'm collaborating with, hey, as a company I want to collaborate with this person, they're going to be a guest in B2B. If I'm writing a consumer app, I'm going to use B2C. If I have an app, it will have a service principal. If it's an Azure resource that I want to be able to use to access other things, I can have a managed identity assigned. Dynamic groups are very powerful; they help me do a lot of lifecycle, because based on group membership I can assign apps and licenses and roles. My devices can join or register or be hybrid, so there are a lot of different things. We talk about authorization: it's things like role-based access control, there are roles in Azure and Azure AD. Then we have Conditional Access on the identity side, things like Privileged Identity Management to give just-in-time access to a role, access reviews to track what you have: do you still need that app, that group membership, or can that role be taken away? Those reviews could be delegated to someone.

Identity Protection detects risk to drive things like requiring MFA at sign-in, and I can use Identity Protection as part of Conditional Access to detect risky sign-ins or risky users. Then move on to actual general governance in Azure, those different levels we have: Policy, budgets, RBAC, Blueprints that can lock configurations in place, the Cloud Adoption Framework, which is this pre-packaged guidance that has several phases; the network, the different layers of protection; Sentinel; Security Center; network encryption; and then the Microsoft 365 Defender products. What I do with the device I manage with Intune, whether that involves MDM for the device or just MAM for the app. Classify the data, for which we have those trainable classifiers, whether it's sensitive data or other types of data we want to know about; once we classify it I can encrypt it, I can do data loss prevention on it, I can use retention rules, I can use eDiscovery in different modes to go and find things, and various compliance solutions. So we covered a lot. Again, it's just breadth; you don't need to know the details of any of these things, but you should know, um, remember, it's multiple choice: they'll give you a list of solutions and you only have to know which is the correct solution, or they'll tell you a solution and you have to know what it does. There's nothing complicated in the names; if you just look at compliance, they are not trying to trick you, no one at Microsoft wants you to be stuck on "what does this do?" because of illogical names. If I see a question, hey, I want to restrict communication between these groups of people, okay, it sounds like a barrier, so pick the one that sounds the closest. Remember things like the Service Trust Portal: where do I go to find audit reports and all that other stuff. So think about it logically, always try every question, there is no such thing as losing points for getting it wrong. Often some of the answers are, so to speak, made of cheese, and it's definitely not cheese, so you can eliminate some obviously wrong answers, but do your best. And again, don't freak out about things; it's just an exam. If you don't pass the first time, you'll get a score report which will tell you where you are weakest, then you can go and redouble your efforts, focus on that, and you will get it next time. So that was it. I really hope this was helpful. Again, please subscribe, comment and share, and good luck.