
SC-900 Microsoft Security, Compliance, and Identity Fundamentals Study Cram

Jun 08, 2021
Hello everyone, in this video I really want to provide some tips and advice and an intensive study session for the new SC-900. This is the Microsoft Security, Compliance, and Identity Fundamentals exam. It is currently in beta. I took it last week. It's a fundamentals exam, so essentially what you're going to get is this: it's 60 minutes, so it's a short exam, and it had 50 questions. The actual time it took me to finish was 11 minutes. The questions are one line and are really about knowing which feature to use or what functionality a feature provides. You don't need to know how to set it up; you don't need to know any kind of depth about these things.
It's super, super broad and the questions are really quick. Hey, this feature, what does it do? Or, I need to do this, what feature should I use? You just get a list of features to select from. Hence it's very, very high level, but it's super broad because the title is Microsoft. So really what that implies is that, yes, it's kind of Azure AD for the identity side; yes, it's Azure for some of the services; but it's also Microsoft 365. So it's this kind of broad coverage of all those different things.

Additionally, they have questions about general compliance principles and principles related to transparency and trust. So we need to know all those different things, but again, at a very, very high level. Now, the best place to start is the Microsoft SC-900 site. Again, if you pass this, you'll get the Security, Compliance, and Identity Fundamentals certification. If we go and look at the site, we can schedule the exam, since it's currently in beta, and it will tell you the skills measured. It's all about the basics of security, compliance, identity, and then the Microsoft identity and access management solution.
A lot around Azure AD, and then that kind of security and compliance when they address Azure and Microsoft 365. We can download the skills outline, where they detail what the different objectives are: the skill objectives, the functional groups and the individual skills we need to know. So what you want to do is go to this site, look at this list, and make sure you can check it off in your brain: yes, I know what these are. The key word here is describe, for everything. I don't have to implement, I don't have to design. I just have to know what the thing does, or know what I need to accomplish a certain task.
And as for preparation, they have a free learning path. And honestly, my recommendation would be to follow that learning path. I think that will put you in a very good position to pass the exam; again, it's a super simple exam. It really is. It's rapid fire. You can give yourself one minute per question, and they are not lengthy questions. It's literally a line. And then it's, hey, what component do I use? Or, this is the component, what does it do? That's really all it will be. Now, I mentioned that there were some general principles across all of them.
And what I want to do here is go over them as a kind of intensive study. A lot of people use my type of videos right before the exam, maybe at the beginning to tie everything together, like a little review. So the first thing we really want to think about is this whole idea of defense in depth. Now the point here is that I don't want to depend on just one thing; it's something like an onion. We have all these different layers. I want multiple layers of protection in case something goes wrong, so there is something else behind that supports it and protects it.
Then we think about what I want to protect, things like data. So here we think about good encryption, and we think about encryption at rest, that is, in place, encrypting the data in storage, and encryption in transit, as it passes over the wire between where you are and the service using the data. Then I can think about the application that uses that data. I want to make sure the application is well written and there are no vulnerabilities. We think about compute. So obviously there's some compute service; it could be a virtual machine, it could be a container; making sure it has built-in protection.
Maybe you're limiting what ports are open, maybe you have a firewall set up, your anti-malware is up to date, all those things to make sure it's as healthy as possible. Then we think about the network, and in terms of the network, we think about maybe segmenting the network. You'll hear things like network security groups and other solutions there. We think about limiting the types of traffic. We think about the perimeter of the network. So one key thing here that you might think about is distributed denial of service protection. This is where a bad actor has multiple things firing at your public service, simply trying to drag it down and take it offline.
And Azure, for example, has protection against this. There are different tiers of that. And for Microsoft services, well, that's handled for you; they have protection against that. And then a huge one is identity. Back in the day, the network was the great security perimeter. As we move towards the cloud, the network is no longer ours. So identity really becomes the key security perimeter for us. And then we start to think about the strength of that identity. A big focus is always MFA and things that can drive stronger authentication when we access things. And then there's physical security.
Now in the cloud, that is not your responsibility; that is Microsoft protecting the physical data centers. But I want all of these things, and if I'm responsible for a certain layer, and we'll talk later about this kind of shift in who's responsible for what, I want to do everything I can. Sometimes you'll see that even if you are responsible, it doesn't mean you're alone. Sure, I could be responsible for user accounts, for example, but there are tools to help me make those as secure as possible. Now, when you think about all this security, all this defense in depth, I have all these layers.
In case one fails, there is another layer to protect it. Sometimes you will see this thing called CIA. And what CIA really boils down to is this. Confidentiality: so I'm thinking about sensitive data, my encryption. Integrity: making sure that my data is not manipulated, making sure it's actually what was intended, what was there originally, and that someone hasn't changed it somehow. And then availability: making sure I can actually get to my service, that it is available to those who need it. And these are very important things to consider when I plan my environment, because there is a saying that you can be secure and go out of business.
I've worked with some companies that have so much bureaucracy that it makes it so difficult to do anything that, yes, they are secure. But they are not innovative. They can't adopt new features, they can't deliver great features to their business units and really differentiate themselves from the competition, because they're just stuck in the Dark Ages. Or I'm going to focus a lot on this one little thing that doesn't really improve your overall security posture, but you're just stuck on it. So there's always this delicate balance between being secure and being able to do business. You want to find that good balance between them.
So I want to think about those three things: the confidentiality, the integrity and the availability of my data. Now, when we think about security, you often think about threats, things that can harm our environment. And what are those types of threats? I can think of a data breach, and this is usually the worst. The idea of a data breach is that our data has been stolen. That can destroy a company. Maybe it's my company's data, my intellectual property. If that is taken by someone else, it's a big problem.
Maybe I have my clients' data with their personally identifiable information. That's a big problem too. So we can think of a threat: someone takes our data. This is where encryption comes in, and those strong network defenses and identity defenses, because if there's an identity breach, well, then they probably bypass any other protections you have; they could just go and get the data. So it's not just about encrypting the data. It's, hey, I want a strong network, I want strong identity, to make sure there's no weak link in the chain. Then we think about things like a dictionary attack.
So if I think about what this is about, really, this data breach is, hey, I'm trying to get data, and I'm going through several checks to get to the data. It's about trying to get the identity. And so a dictionary attack is, hey, there's a list of common passwords, I just go to a certain account and go through that list of passwords, and I could substitute an O for a zero, those very simple and easy things. We'd call that a kind of brute force attack. I don't really have any intelligence behind this. I'm just hitting this thing trying to attack it, and there are things like Azure AD smart lockout that give me protection against that.
Hey, it would stop those attempts and alert. It'll say, "Hey, there's a risk." I can see this attack occurring. There are other things that could be done too: trying to disable the account by doing all these wrong authentications, and again that smart lockout would protect my AD account. Now I can also consider here a phishing attack. Now, a phishing attack is when an email reaches the user. It's almost like social engineering, but it's still trying to get to the identity. Hey, click this link, I need you to do this real authentication. They are usually quite poorly written; they are obviously bad.
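The smart lockout behaviour described above, counting failed sign-ins per account, refusing further attempts once a threshold is reached within a window, and raising an alert, can be modelled as a small replay over sign-in events. This is an added example written for this page in Go; it is a constructed model of that behaviour, not Azure AD's actual lockout algorithm or its default thresholds, and the account names, timestamps and the policy values are assumptions made here.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// SignIn is one authentication attempt as a sign-in log would record it.
// Constructed data model for this example, not the Azure AD sign-in log schema.
type SignIn struct {
	Account string
	At      time.Time
	Success bool
}

// Outcome is the decision for one attempt: "allow", "deny", or "lockout"
// (the attempt that tripped the threshold and started a lockout).
type Outcome struct {
	Account string
	At      time.Time
	Action  string
}

// Policy holds the knobs of this illustrative lockout model.
type Policy struct {
	Threshold int           // failures inside Window that trigger a lockout
	Window    time.Duration // sliding window over which failures are counted
	LockFor   time.Duration // how long the account stays locked
}

// DemoPolicy is a constructed example policy (assumption), not Azure AD's defaults.
var DemoPolicy = Policy{Threshold: 5, Window: 2 * time.Minute, LockFor: 10 * time.Minute}

// Evaluate replays attempts in time order with a per-account sliding window of
// failures. It returns the action for each attempt plus one alert per lockout.
func Evaluate(p Policy, attempts []SignIn) ([]Outcome, []string) {
	sorted := append([]SignIn{}, attempts...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })

	failures := map[string][]time.Time{}  // recent failure timestamps per account
	lockedUntil := map[string]time.Time{} // active lockouts
	var outcomes []Outcome
	var alerts []string

	for _, a := range sorted {
		// While locked, every attempt is refused, even one with the right password:
		// the guessing loop gets no signal about which guess was correct.
		if until, ok := lockedUntil[a.Account]; ok && a.At.Before(until) {
			outcomes = append(outcomes, Outcome{a.Account, a.At, "deny"})
			continue
		}
		if a.Success {
			delete(failures, a.Account) // a good sign-in resets the counter
			outcomes = append(outcomes, Outcome{a.Account, a.At, "allow"})
			continue
		}
		// Drop failures that have aged out of the window, then add this one.
		recent := failures[a.Account][:0]
		for _, t := range failures[a.Account] {
			if a.At.Sub(t) <= p.Window {
				recent = append(recent, t)
			}
		}
		recent = append(recent, a.At)
		failures[a.Account] = recent

		if len(recent) >= p.Threshold {
			lockedUntil[a.Account] = a.At.Add(p.LockFor)
			delete(failures, a.Account)
			alerts = append(alerts, fmt.Sprintf("%s: %d failed sign-ins within %s, locked until %s",
				a.Account, len(recent), p.Window, lockedUntil[a.Account].Format(time.RFC3339)))
			outcomes = append(outcomes, Outcome{a.Account, a.At, "lockout"})
			continue
		}
		outcomes = append(outcomes, Outcome{a.Account, a.At, "deny"})
	}
	return outcomes, alerts
}

// SampleAttempts is a constructed sign-in sequence: a burst of wrong passwords
// against alice, her correct password during the lockout, then a sign-in after
// the lockout has expired, while bob signs in normally in between.
func SampleAttempts() []SignIn {
	base := time.Date(2021, 6, 8, 9, 0, 0, 0, time.UTC)
	at := func(d time.Duration) time.Time { return base.Add(d) }
	return []SignIn{
		{"alice@contoso.example", at(0), false},
		{"alice@contoso.example", at(5 * time.Second), false},
		{"alice@contoso.example", at(10 * time.Second), false},
		{"bob@contoso.example", at(12 * time.Second), true},
		{"alice@contoso.example", at(15 * time.Second), false},
		{"alice@contoso.example", at(20 * time.Second), false},
		{"alice@contoso.example", at(30 * time.Second), true},
		{"alice@contoso.example", at(20 * time.Minute), true},
	}
}

func main() {
	outcomes, alerts := Evaluate(DemoPolicy, SampleAttempts())
	for _, o := range outcomes {
		fmt.Printf("%s %-22s %s\n", o.At.Format("15:04:05"), o.Account, o.Action)
	}
	for _, a := range alerts {
		fmt.Println("ALERT:", a)
	}
}
```

With the constructed sequence, alice's fifth failure inside the two-minute window starts a lockout and produces the alert, her correct password ten seconds later is still refused, and her sign-in twenty minutes later succeeds; bob is never affected because the window and the lock are tracked per account.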
But people click on the link and type in the password, and now their identity is compromised. You may also see a spear phishing attack. Now all of these are trying to get the identity. Let's clarify that a little. Spear phishing differs from normal phishing attacks in that it is targeted. A little more effort has been made. They've gathered information on the users; maybe they understand who their manager is, what kind of things they do, and now it's a focused attack. This email will come to you, and it looks like it came from your manager.
It looks like it's legit. So it really increases the chance that they will click on that link and the attacker will get the credential. So the attacker has to put more effort in there, but then it will give them access to the identity. And again, if I get the identity I can do many, many other types of things. Now I can also think of things like ransomware. That's why we always hear about things like WannaCry. These are attacks that get into the network and then encrypt the data, and, hey, pay me this money or I won't decrypt your data.
It disrupts business. And then there are other types of disruptive attacks. For example, it could be some kind of distributed denial of service attack. I don't really get anything out of it other than preventing that company from doing business. So there are all these different types of things that are threats to me, and there are others as well. But these are everywhere, and this is about the ability to do business, that is, availability. So understand these types of threats and what they're going for, but again, if my identity is compromised, then an attacker can really do a lot of bad things, because if I have someone's identity,
I can probably go in and change other things and modify everything else. So there are the threats. What can we do against some of those things? A very important thing that you're going to see is zero trust. That's a really big push nowadays, and really the idea is to just assume compromise. You don't trust your network to be secure. You assume that even if I'm behind a firewall, my network is compromised. I don't trust anything, so what I want to do is verify everything. If I don't trust anything, then I want to verify everything, and I want to verify explicitly.
Then I think about whether there are communications between different devices. Well, what I want to do is authenticate on one end and then authorize, AuthN and AuthZ, and we'll talk more about the difference between them in a moment. I want to think about least privilege. So I think about just in time. Just in time means that I only get the permissions I need at the time I need them, for a limited period. I don't have a privilege all the time. I only get it when I have to do something. Then I would go and raise my permissions, do the task that requires that elevated permission, and then I lose it.
So if I was compromised, they usually won't get anything significant they can do with my compromised account. And then we think about just enough administration. And that means don't make me a global administrator, don't give me more privileges than I need to do the job, give me just enough to do the task. So I find out what permissions are needed to perform the task, get a role that only has that ability, and I combine them. So I get a role that gives me enough to do the job, and I only get that role when I really need it
to do it. So we verify everything, use least privilege, and really just assume breach. So, if we assume breach, we'll go and segment the network, segment everywhere we can. I don't have this type of extensive communication; I'm going to segment. I'm going to encrypt in case there's some bad agent, something bad on my network, and I want to be able to detect different types of threats, so I'm going to have solutions running that look at logs and look at interaction types using machine learning, and actually generate results from that, being able to see different types of threats.
So what we'll see when we think about these things is that we focus on a number of key types of objects. To accomplish all these different things, we need to step back for a second and ask what we really focus on. We focus on identity, and I can think of identity as a user, an application, a service, a device; the devices we use have identities. I think about device monitoring; I need to observe these things so I can detect if something is wrong. I want to understand the applications that are used.
I want to think about data classification, because ultimately we do all these different things, but what matters most to us is the data. I want to make sure that my data, well, important data, I mean, really everything, is encrypted. But I also have things like data loss prevention. I want to make sure it can't be used in a bad way. And then obviously we think about the infrastructure, the networks, etc. So there are all these different types of elements that I have to think about and protect. Now, there are a few key concepts, and again, we're going pretty quickly because this is the exam.
Super broad. We just need to understand these basic concepts. Now, I've mentioned encryption many times, and one of the things that's important to understand is, well, what are the types of encryption that we're going to use? And you can really think that there are two types of encryption: symmetric and asymmetric. And really the point is that with symmetric, look, I have my data.
I run it through an algorithm that uses a particular key, and then I get encrypted data on the other end. Now, to decrypt it I use the same key. So the key goes into the algorithm to create the encrypted version, and that exact same key is used again to go from encrypted back to data, so it's symmetric. This is very efficient for encrypting and decrypting data at scale. Asymmetric is different. Now there are two keys.
You'll often hear of a public key and a private key. And as the name suggests, they come as a pair: there is a public key that corresponds to the private key. The private key I keep for myself. The public key everyone can know. And the idea is, if I have this data again and I want to send it to someone, encrypted, I would encrypt it with their public key, because everyone knows it. Once I encrypt it with the public key it becomes mumbo-jumbo, and it can only be decrypted with the private key, which only they have, and then they recover it.
So if I want to send something to someone encrypted and I don't really have a good way to exchange the key, which is the problem with symmetric, how do I exchange the key? There is a challenge there. So with asymmetric there is a public key and a private key, so if I want to send something to someone that only they can read, I encrypt it with their public key, which everyone knows. But the public key cannot be used to decrypt something that was encrypted with the public key. I have to use the corresponding key, the private one, which only they have. That's the encryption of data.
Sometimes I want integrity; I want to make sure no one has tampered with the data. I want to make sure it actually arrives as it was sent. So if I think about it, integrity is a kind of security that protects the data. The other thing you'll often do is, hey, I want to send a little bit of data and make sure the person receiving it knows that no one has changed it. Now I have a piece of data, and what we can do is generate a hash. So a hash is really a digest of the data; it's a value that I get, and then what I do is encrypt that hash
with my private key. Remember, only I have my private key. Then I can send the person that data and that hash value encrypted with the private key. They then get the data and run it through the exact same hashing algorithm to get a hash value. Then, because it was encrypted with the private key, they can decrypt this value with the public key, and they can make sure they match. Hey, that matches the hash. If they are the same, then I know that the data was not modified. I can guarantee the integrity of the data.
Because remember, the public key can decrypt something encrypted with the private key, and vice versa. So if I want to send something to someone so that only they can read it, I encrypt it with their public key, so only they can decrypt it with their private key. If I want to send something and guarantee its integrity so that no one modifies it, then I would create a digest of the message, a hash value, and encrypt it with my private key.
And then send the data and that encrypted hash value. So now they get the data, run it through the same hash algorithm to get the hash value, and make sure it matches the hash value that only I could have encrypted, because only I have the private key, which means it's guaranteed that the data was like that when I sent it; it didn't change in transit. This is how you could really think about using symmetric encryption to encrypt massive data, and asymmetric to send small amounts of data and to verify the integrity of the message. What you'll often see is the combination.
If I want to have large-scale continuous encryption, I could use asymmetric to share a symmetric key. That's how I can share that key securely and then move on. So that's a kind of encryption. Now, the next thing I want to talk about is this idea of responsibility. We have the idea that there are shared responsibilities. Now, if I think there are a lot of layers, I always draw these kinds of things with layers. But when I start thinking about responsibility from this perspective, there are actually more layers than I would normally talk about.
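The three operations walked through above, symmetric bulk encryption, public-key wrapping of the symmetric key so it can be shared, and a private-key signature over a hash to guarantee integrity, put together in one round trip. This is an added example written for this page in Go using only the standard library; it is not code from the video. The party names, the sample message and the specific algorithm choices (AES-256-GCM, RSA-OAEP, RSA-PSS with SHA-256) are assumptions made here to show the pattern concretely.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newGCM builds an AES-GCM cipher from a raw key (16, 24 or 32 bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Symmetric: the same key encrypts and decrypts. Fast, so it carries the bulk data.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce is prepended to the ciphertext
}

func symmetricDecrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Asymmetric: wrap the symmetric key with the recipient's PUBLIC key (RSA-OAEP);
// only the matching PRIVATE key can unwrap it. This is the key-exchange step.
func wrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Integrity: hash the message and sign the digest with the sender's PRIVATE key
// (RSA-PSS); anyone holding the PUBLIC key can check that the data was not changed.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// HybridRoundTrip: the sender encrypts the data symmetrically, wraps the data key for
// the recipient and signs the whole envelope; the recipient verifies, unwraps, decrypts.
// It returns the recovered plaintext, whether the signature verified, and whether a
// copy with one ciphertext bit flipped "in transit" was rejected.
func HybridRoundTrip(sender, recipient *rsa.PrivateKey, plaintext []byte) ([]byte, bool, bool, error) {
	dataKey := make([]byte, 32) // fresh AES-256 key for this one message
	if _, err := rand.Read(dataKey); err != nil { return nil, false, false, err }
	sealed, err := symmetricEncrypt(dataKey, plaintext)
	if err != nil { return nil, false, false, err }
	wrapped, err := wrapKey(&recipient.PublicKey, dataKey)
	if err != nil { return nil, false, false, err }
	envelope := append(append([]byte{}, wrapped...), sealed...)
	sig, err := sign(sender, envelope)
	if err != nil { return nil, false, false, err }

	// Recipient side: check integrity first, then unwrap the key and decrypt.
	sigOK := verify(&sender.PublicKey, envelope, sig)
	if !sigOK { return nil, false, false, fmt.Errorf("signature did not verify") }
	key, err := unwrapKey(recipient, wrapped)
	if err != nil { return nil, sigOK, false, err }
	recovered, err := symmetricDecrypt(key, sealed)
	if err != nil { return nil, sigOK, false, err }

	// Tampering: flip one bit of the envelope; the digest no longer matches the signature.
	tampered := append([]byte{}, envelope...)
	tampered[len(tampered)-1] ^= 0x01
	tamperDetected := !verify(&sender.PublicKey, tampered, sig)
	return recovered, sigOK, tamperDetected, nil
}

// Demo generates a key pair for each party and runs the round trip on constructed data.
func Demo() (recovered, signatureOK, tamperDetected bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	plaintext := []byte("constructed sample: quarterly payroll export") // constructed data
	got, signatureOK, tamperDetected, err := HybridRoundTrip(sender, recipient, plaintext)
	if err != nil { return }
	return bytes.Equal(got, plaintext), signatureOK, tamperDetected, nil
}

func main() {
	fmt.Println(Demo()) // expected: true true true <nil>
}
```

Note which key does which job: the recipient's public key wraps the data key (only their private key can unwrap it), while the sender's private key signs the digest (anyone with the sender's public key can verify). The bulk data never touches RSA at all, which is the efficiency point made above.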
Then I can think about, well, there is some kind of physical data center. I can think that in that physical data center there is a physical network. And then there are the physical hosts, so these are all real-world objects. And then I can think, well, now I'm running an operating system. It might have some kind of network controls, my NSGs, and we'll talk about that. I have my applications. And then there could be some sort of identity and directory infrastructure. So I talk about identity and directory infrastructure. And then we get into this idea that there are also things like accounts
and identities. I can think that there are devices. And then there is information and data. Now I look at that. If I think about on-premises, obviously all these things are the customer's, because it's on-prem; there is no cloud involved in this. When we start talking about the cloud, there are different types of service. We think of infrastructure as a service, that is, a virtual machine in the cloud. So as soon as you enter any type of Azure service, these physical layers always become the responsibility of the cloud provider, in this case Microsoft. I never have access to a physical data center or physical hosts or a physical network.
That will always be them. Now, if you think about it, what kind of responsibilities? In a VM world, you control the operating system, you control the network; it's on your virtual network, so in this case this is now the customer. Now, this is your responsibility again, but it doesn't mean you are alone. There are solutions in Azure to help you patch the OS, back up the OS, replicate the OS, have anti-malware, network security groups, Azure Firewall. There are many things that will help you do this, but fundamentally you are responsible for it. Then you start moving to PaaS solutions. PaaS is platform as a service, and there are many different types, so it gets a little more confusing at this point.
Now, one of the things I can highlight is that, essentially, these are always the customer. So it will always be the customer: the accounts, the devices, the information and data. It's your responsibility to protect that. Again, there are tools to help you, but that will always be the customer. In the PaaS world, though, there's a kind of shift. Now I can think about the operating system. In this world that becomes the cloud provider's, plus all that physical stuff. This part is always the customer. And this part now becomes a kind of joint responsibility. There are aspects that are the responsibility of the customer,
there are aspects that are somewhat shared. So here this now becomes a kind of shared responsibility. There are aspects for which the provider is responsible. There are aspects for which, hey, you are responsible. And finally there is software as a service. So in the world of software as a service, I guess I'll choose another color. Actually the line now goes up some more layers. You are not responsible for the application or the network controls; what's left is the identity and directory infrastructure for SaaS. Well, that's now all cloud. And then? That's always you. But now this little bit here
is shared. The identity and directory infrastructure is a kind of shared model. But I repeat, the customer is always responsible on this side; whatever you're doing, SaaS, PaaS, IaaS, the information and data, the devices, the accounts, that is your responsibility. There are services to help you, but ultimately, that's up to you. It is important to understand how they change. Basically I go from IaaS to PaaS and then to SaaS, and I am responsible for less and less. So leaving IaaS, I no longer care about patching the OS, or the antivirus in the OS, or any of that stuff.
And as I move from PaaS to SaaS, I no longer care about application or network controls. Really, the question is how do I use that business-driving service? And there are things like applications and data and identity for which I am responsible. We need to make sure I'm using the right tools, the right license maybe, to protect it as best I can. OK. So that's general responsibility and that kind of thing. We have these different threats, and then we start to move towards the principles, trust in the service and the details of the service.
Now, let's look at all these things for all Microsoft services; they're 100% the key principles that really drive what you're seeing Microsoft talk about. There are six key privacy principles. You need to know them. So the first one has to do with control: giving the customer control of their privacy, making sure they have the different dials, that they can use the tools to choose what data they want to be available to others, and perhaps how they want it to be used.
And then it should be transparent. It shouldn't be confusing. You shouldn't have to search and analyze what data is collected in order to make the right decision. Then data is protected: use strong encryption and strong security to ensure that if you entrust data to Microsoft, they are good custodians of that data. And you will hear about strong legal protection. Now, obviously this is an interesting point, and we're thinking of the court case where someone goes to a cloud provider and tells them to give us customer data. So it's about respecting the local laws of the country and fighting for our privacy as human beings, this fundamental right to privacy to which we are entitled.
No content-based targeting, that is, if you have our emails, if you have our chat files, don't use any personal content to generate advertising for some other service. And make sure there are benefits to you: if we collect this data, it is a benefit to you as a customer to improve your experience. Those are Microsoft's six key privacy principles. And again, know what they are. You may receive a question about this. So know what the key principles are. Hopefully that makes some sense. Why? Now if we think about that, we really get to this idea of trust.
I mean, it all comes down to that. So how can we understand the various aspects surrounding all those things? And the most important one that you will start with is the Service Trust Portal. This is really your go-to place. In fact, I'm going to open this and take a look. So if I jump here, it's just servicetrust.microsoft.com. And right away you can see where they talk about audit reports, for example, SOC, FedRAMP, ISO 27001, PCI DSS, and there are a lot of these if I click on this link. Then I go to audit reports and I can see a list of documents about the different types of audit reports, FedRAMP and GRC and PCI and ISO, and you can download these massive amounts of documentation
about these various things. So this Service Trust Portal is the kind of starting point where you'll want to go. So we have all these different types of audit reports. Now we also have Compliance Manager. This allows us to actually go and measure and manage our compliance against various types of standards. And I can come in here and distinguish between the things that I'm responsible for as a customer and the things that Microsoft is responsible for. As you can see, I got 75%, so it seems to be going very well, until you realize how the points were achieved.
So I have 90 out of 4008, while Microsoft has 12,093 out of 12,093. So Microsoft is doing significantly better than me, but it gives me the things I can work on to improve my compliance. It gives me them broken down by category, and there are several types of assessments, and I can see the improvement actions, but it is giving me that data. So this is a really key place where I can go and manage these things. So I can actually track, I can map. It really helps me get details. There are different types of solutions in this regard. Here I can see what I should do.
I could select this, for example; I could assign the action to someone; I could keep track of when I want them to do it. It really is a complete management tool for this. Now, in addition, we can see, hey, look, there are all kinds of trust documents, there are those audit reports, there is data protection and other things. It is broken down by industry. If there are industries or regions that particularly interest me, I can see that here. Here we talk about documents, penetration testing, Compliance Manager, industry compliance services, regional security and compliance, and the Trust Center. And that Trust Center is really huge if we go in and track all of those different compliance settings.
So I find myself here a lot, in this Trust Center, because this is where you can really go and start to find out, well, compliance, for example: what are all the different compliance offerings available in Azure, for the different solutions? So you could say OK, Microsoft Azure, for example, over here. I can see the different compliance offerings. So if I select that, and here we go, these are all the different compliance offerings that exist, and I could click on them and go get all the different details if I'm trying to work out, hey, does Azure, Microsoft 365 or Dynamics have this?
I would start at the Service Trust Portal, then I go to the Trust Center, and then I can look at the Azure ones and really dive into this, and if there are documents that I'm really interested in, I can save them. So if we come back here, I can have my library. So the things that really matter to me, I can go and notice that here it says save to library, and then it will always be available to me, very easy to access. So that's already a lot of things, and it's really just the most generic things.
But it's important that you know all those different types of principles. Now, once we get to those and understand them, then it really breaks down into 3 core areas that I can think of. Well, there is Azure AD. Because remember, the identity and the state of that identity are key and then from Azure AD we have things like Azure. And we have Microsoft 365. Obviously they both use an Azure AD instance for their identity, so that's the next guy. Going deeper into the deep dive we have to think about it. If we start thinking about Azure AD. Now for Azure AD.
Like any identity, there are actually four key pillars I have to think about. I can think of the pillar of administration. As for management, I can think of authentication. Sometimes I type AuthN. I can think about authorization. AuthZ and then I can think about the audit. And there are the four key things we have to think about. Again, if I think about administration, well, there's management. Authentication is proving who I am. Authorization. It's what I can do. And then this is like, well, what have I done? Therefore, all of them are key pillars for that type of complete solution.
And I want to dig into that, if I think about management, one of the key things that you're going to see constantly is modern authentication. And modern authentication is now based on the idea that we have a centralized identity provider. And I want to be able to use it in multiple services. We want to move away from this kind of legacy type authentication where I have this credential just for this service. I think now of this modern author. I have a token and that token I can use in a variety of services. We think about consent.
I'm going to say: hey, this service, you can go and act on my behalf. You'll hear about OAuth 2; you may have seen it in some sort of Facebook app, where it says this application will access your Facebook, you log in to Facebook, and it says: we want to do this on behalf of your Facebook data, maybe post to your page, and you agree that it can work on your behalf. But also as part of this modern authentication, we have the idea of strong policies and auditing. So I think about policy. Audit. And really, the whole idea of detecting risk drives strong, modern authentication.
Now. What does my authentication world look like now? We are used to the idea, and again, you will need to have the basics about this, but we are very used to the idea that we have an Active Directory. These are our on-premises Active Directory Domain Services, and we have users, groups and devices. And then we have the idea of the Azure AD tenant, we have an Azure AD instance. This is not an instance of Active Directory Domain Services in the cloud. It might seem like it. It is not at all. All of this is centered around a kind of modern authentication.
OpenID Connect, OAuth 2, WS-Fed, SAML: you hear these with modern authentication. And what we do is enable the synchronization of our accounts. Now we have something called Azure AD Connect, or Azure AD Cloud Sync is the new one, but we'll focus on Azure AD Connect, which syncs accounts. What it does is give us this single sign-on, this seamless sign-on. So I have an account, and whether I access services that rely on AD, or whether I access some cloud service here that relies on Azure AD, for me it's a seamless experience. And this Azure AD is really behind the idea of that modern authentication.
It is a cloud-based IDP, an identity provider. It talks cloud, it talks OpenID Connect again, it talks OAuth 2, it talks SAML. It talks all that cloud stuff. Now, as part of this sync, we send the user objects, we send the group objects, we can send things like a hash of the user's password hash. Then maybe it can do some enhanced protection looking for compromised accounts. Because the password hash is up there, it can find out if something bad has happened. Now, in that Azure AD, there are several types of objects. In this Azure AD, we obviously have users.
Now these could be synchronized users, and there could be accounts that you create directly in Azure AD. Now they can also be invited. So a guest, this is also known as B2B, business to business. It's someone I collaborate with. It's someone from another organization. It could be someone in a different Azure AD, it could be a Microsoft account, or it could be Gmail. It could be someone completely different. I could use federation, I could use a one-time passcode, but essentially I can make them a known entity to my Azure AD. And then I can have them authenticate with their home
account, and then I can authorize them to do something. So I can have native users, I can have guests. I can also have things like service principals. So if I register an app, so I have an app, when I register it, it becomes an enterprise app. It gets a service principal that represents that application. So when I register applications, you will get a service principal. I have things like a managed identity. So managed identity is really the idea that I have things that trust this Azure AD. In fact, one of them could be
Azure. And within my subscription that trusts that particular Azure AD instance, I create some resource. That resource can automatically obtain an identity that only that resource can act as, so it uniquely has a particular managed identity. It saves me trying to store a password or something else. It is simply available for it. So I'm going to have managed identities. I can have groups. Groups can now be assigned. So assigned means that I manually say all these users are in this group, or it can be dynamic. Dynamic, as the name suggests, means I can basically make a query based on the user's attributes.
Hey, you're now a member of this group, so if my department matches this one, I'm in it. If my description matches this, I am in this group. And these are very powerful because from groups I can do things like assign applications. I can assign licenses to them. Even roles. So in terms of lifecycle governance, groups are very, very powerful. So you could use a dynamic group to add people as they change roles based on their title, their department, and that would automatically give them certain applications, licenses, and roles. And obviously if they leave the group they will lose those things.
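As an added example (not code from the video, and not Microsoft's implementation), here is a small Python evaluator for the kind of attribute-based rule a dynamic group uses; the accounts and rules are constructed, and it supports only a subset of the real rule syntax.

```python
"""Offline evaluator for a subset of Azure AD dynamic group membership rules.
Added example, not Microsoft code. String comparisons are case-insensitive here,
which is this example's own choice, not a claim about the real service."""
import re

# Token: quoted string, -operator (-eq, -and, ...), user.<attr> property, or ( )
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|-\w+|user\.\w+|[()]')

def tokenize(rule):
    leftover = TOKEN_RE.sub("", rule).strip()  # anything unrecognised is a syntax error
    if leftover:
        raise ValueError(f"unrecognised syntax in rule: {leftover!r}")
    return TOKEN_RE.findall(rule)

def _norm(value):  # a missing attribute (None) compares as the empty string
    return "" if value is None else str(value).casefold()

COMPARISONS = {
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-contains": lambda a, b: _norm(b) in _norm(a),
    "-startsWith": lambda a, b: _norm(a).startswith(_norm(b)),
}

class Parser:
    """expr := term (-or term)*;  term := factor (-and factor)*
    factor := -not factor | ( expr ) | user.<attr> OPERATOR quoted-string"""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse_expr(self):
        node = self.parse_term()
        while self.peek() == "-or":
            self.take()
            node = ("or", node, self.parse_term())
        return node
    def parse_term(self):
        node = self.parse_factor()
        while self.peek() == "-and":
            self.take()
            node = ("and", node, self.parse_factor())
        return node
    def parse_factor(self):
        if self.peek() == "-not":
            self.take()
            return ("not", self.parse_factor())
        if self.peek() == "(":
            self.take()
            node = self.parse_expr()
            self.take(")")
            return node
        return self.parse_comparison()
    def parse_comparison(self):
        prop = self.take()
        if not prop.startswith("user."):
            raise ValueError(f"expected user.<attribute>, got {prop!r}")
        op = self.take()
        if op not in COMPARISONS:
            raise ValueError(f"unsupported operator {op!r}")
        literal = self.take()
        if not literal.startswith('"'):
            raise ValueError(f"expected a quoted string, got {literal!r}")
        return ("cmp", prop[len("user."):], op, literal[1:-1].replace('\\"', '"'))

def evaluate(node, user):
    kind = node[0]
    if kind == "cmp":
        _, attr, op, value = node
        return COMPARISONS[op](user.get(attr), value)
    if kind == "not":
        return not evaluate(node[1], user)
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    return evaluate(node[1], user) or evaluate(node[2], user)

def members(rule, users):
    """Return the UPNs of the users the rule would place in the group, in input order."""
    parser = Parser(tokenize(rule))
    tree = parser.parse_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected trailing token {parser.peek()!r}")
    return [u["userPrincipalName"] for u in users if evaluate(tree, u)]

# Constructed sample directory, not real accounts.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Sales", "jobTitle": "Account Executive"},
    {"userPrincipalName": "bob@contoso.example", "department": "Engineering", "jobTitle": "Senior Engineer"},
    {"userPrincipalName": "carol@contoso.example", "department": "Sales", "jobTitle": "Sales Engineer"},
    {"userPrincipalName": "dave@contoso.example", "department": "Finance", "jobTitle": None},
]
```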
The most important thing we would like to do is grant permissions to groups instead of individual users. And then, of course, I have devices. Now when I think about devices, obviously we've had this idea of AD. And then Azure AD. So I can think that for Azure AD, there are actually three different models for devices. So in a joined world, this is kind of Windows 10. If it's joined, I'll authenticate with an Azure AD account. It will probably be a corporate device. So if it's going to be joined, it's probably some kind of corporate device.
Then I may have registered. So that's probably going to be a personal thing. So that's my device. This can be a wide range of different types of devices. From a registered perspective, it could be Windows 10, iOS, Android, I think macOS. It's registered and known to Azure AD. And I'm going to log in with a personal account. And I can also do hybrid. So hybrid is when the device is known to both Active Directory Domain Services and Azure AD, because it was synchronized. Basically, I get tokens for both things. And again, it will be a corporate account.
I am using Windows 7 plus, Windows Server 2008 plus; I can use that hybrid model. So Azure AD is that identity provider. And I can think of all these different types of objects that I can have there, but the key is things like guests when I want to collaborate. That's really the key point of a guest. They are people I want to collaborate with. Now, completely apart from that, you may have customers. And here's sort of a separate Azure AD tenant. This is called B2C, so it's Azure AD B2C, business to consumer. Now these people are my customers.
And really, you have those things here, but now I can also have things like Facebook, Twitter, Weibo; there's a full list of these, but now users can bring their social identity to authenticate against Azure AD B2C, and then I write my application that relies on Azure AD B2C for authentication. That's how I can think about putting all of that together. Now Azure AD, there are a ton of different versions. You don't need to know the details about them, but if I quickly pull up the page, it's really divided into Premium P1 and P2, and there's free, and then if you have Microsoft 365 licenses.
So what we can see is the free. Hey, I can do a lot of things for free. I have my device registration, I can even do things like MFA, but it's very basic MFA. Basic reports. And then with Microsoft 365 licenses, I can do custom branding, self-service password reset for cloud accounts. But actually, when I go into the premium version, we get all these more advanced things, like conditional access. You'll hear me talk about conditional access. I need Premium P1 or P2, and they come with other licenses such as some from Microsoft 365, E3 and E5.
But you'll see that you get all of these enhanced features when you get those premium licenses. And then with P2, that's where you get things like Identity Protection. There is Privileged Identity Management. I have just-in-time access, access reviews and entitlement management. OK. So that's really built around that core, just thinking about, hey, that was really all about the type of management and what we can do. So the next thing we start thinking about is, well, if that's the administrative side, what about authentication? So I'll come here. So remember that authentication is the first thing that happens, and again we say it's AuthN.
This is the first thing after someone has created the account. If I go to the Azure portal, the first thing I have to do is authenticate. I have to prove that I am who I say I am. Now how do we do that proof? So remember this is what it's all about: who am I? Now we can have a password. And, in general, we don't like that very much, just a password by itself. Very unpopular nowadays. We want to move on to MFA, so remember the goal of MFA. It is multi-factor authentication. That is to say, it is:
Something I know. Something I have. Something I am. So something I know, hey, a password. Something I have could be my laptop. It could be a telephone. A tablet. Something I am is a biometric: a 3D face scan, my fingerprint, iris. One of those things. So MFA is obviously much stronger because it's about multiple factors. The password would be a factor. It's something I know. So I want to move on to MFA. So I can think of different types of MFA, so one of the things you could do is it could be like an SMS message.
Or it could be a call to my phone. That's one aspect, that could be the second factor with MFA, and it's better than nothing. But it is not very popular. People always worry about a SIM being hijacked or something like that. So we can go beyond that and start thinking about things like, well, we have the Authenticator app. And from there it can display a code. We can show a notification, and we have some kind of software one-time passcode token or hardware one-time passcode token. So that's MFA. Even then you would go even better, as you move on to the idea that there is no password.
You may have heard of Windows Hello for Business. And the idea of Hello for Business is that you use the TPM on your laptop. It creates a private/public key pair. Remember that crypto earlier? The private key is in that TPM, that trusted platform module. It's tamper resistant. You can't attack it with brute force. And now you use it to authenticate yourself. Now you might say, "Okay, that's just the laptop, that's one form of authentication, something I have, but I still have to use a PIN to unlock it." So it's something I know, or a biometric, to unlock the machine.
And I think of it that way because this Hello for Business is unique to that particular machine. So it's two things. Something I know or am to unlock it, and something I have because I'm unlocking that particular device. So this, the absence of a password, is really the utopia we want to try to reach. So yeah, it's things like Hello for Business; again, now there are things like the Authenticator app. And once again with the Authenticator app I have to unlock the app, and I have to have my phone, so it's still strong authentication. There are two factors. And then there are things like FIDO2 hardware keys.
So this is just authentication. This is just the idea that I'm trying to improve my overall authentication, the strength; we don't like just the password. So if we were here, we would draw a very, very sad face about this. The SMS or call is better than nothing. We are somewhat neutral. But then when we get to these, we're kind of happy. No password is best, but if we do MFA with one of these, it's still great. Beyond that, it's great. MFA will be the answer to virtually any question you see where you need to have stronger authentication.
If you see MFA written there, that will be your answer, practically guaranteed. Now, very, very quickly, we can see this. So if I jump to my Azure Active Directory, and I go to my Security, and from here we can see MFA, there are some options and things like fraud alert. So I can turn this on, so if a user gets some kind of alert to say "hello, please confirm your authentication" and they didn't ask for an authentication, they can actually report that. And then I have the option to say, hey, if the user reports fraud, we automatically block those who report fraud so we can investigate it; we can go and do other things, but it will definitely increase the risk of that user's session.
You'll need to know those things. Now, also, if I actually come back here, there are these cloud-based MFA settings, and you'll notice that I can choose the verification options. These are call to phone, text message to phone, notification through mobile app, verification code from mobile app. You'll see that too. The idea is that per user, I can do things like enable them, disable them, enforce them. I can enforce this per user for MFA. And in general, we're not going to do that. That's not the preferred approach for the way I want to handle MFA. So for all of these things I want to use something called conditional access.
Conditional access. These are policies, and one of the results, one of the requirements, could be: do MFA. That's how I want to drive these things. I don't want people doing MFA constantly. They will gain muscle memory to accept it all the time. I should require MFA if I am taking a privileged action, if any higher risk is detected. That is the best practice. Now remember this is kind of a P1/P2 capability, to be able to do that. If I don't have P1/P2, I can't use conditional access. So the other option is, if I have Microsoft 365, it gives you MFA, and then
I perform configuration per user. So I could go in and say "hey, you're enabled," and that will get them to register. Once they register, they will move into enforced. That's where I'll look at those kinds of ideas that, hey, I'll enable them, and then once they're registered, they'll proceed to enforced. Now if I'm only free, then really what you have is something called security defaults. Now, with the security defaults, you can't really choose anything. Again, with Premium P1/P2 I can drive registration. If I am P2, I can use Identity Protection to drive registration.
If I'm just M365, yes, I can do that kind of thing per user. If I'm free, it will be the security defaults. So security defaults, if we go and look quickly, basically what that's going to say is, hey, look, everyone has to register. I'll go back to my Azure AD, I'll go to my properties. Everyone has to register. You can see here below, manage security defaults. If I set it to Yes, which I won't because I have conditional access, which is much better, admins would have to use MFA. Users would have to do MFA if it's a new device, a new app, or some kind of privileged task.
So if I'm just running free and I don't have anything else, hey, I can do that. Now, in addition, you'll see things like self-service password reset. So I come back here, to password reset. What I can do here is, if users forget passwords, I can set up different methods that they can use to reset their password. So they can use an app code, an email, a mobile phone, an office phone, or security questions. There are built-in security questions, and I can add my own security questions. You can choose the ones you want here.
So now, instead of the user having to call support, they can just log in and do this self-service password reset. So if I'm P1 or P2, it can write it back to their regular Active Directory. Then it's about changing the password, resetting passwords, account unlocking, things like that. While we are here, we have the idea of something like simple password banning, so password protection. Once again, if we move on to Security, what can we see here? With the Security option, we have these authentication methods. And I have this password protection.
So I can automatically ban dumb passwords that are easily guessed, like "password" and whatnot, but I can also add custom banned passwords. So for your business you may have certain passwords; maybe if you're in Texas you don't want people using the word cowboy in their password, or in my case Savill. So now it would stop people from using them. And I can even extend this so that they cannot be used in on-premises AD either. So I have the ability to have some type of agent installed on premises so that the Active Directory domain controllers would also have this protection against these very simple passwords.
Well, that's all about authentication. Remember that by proving who I am I have that strong authentication. Now, after I have proven who I am, it all comes down to authorization. So we've done authentication; now, what can I do? And there are actually two layers to this. I can think of role-based access control. These are the roles I have, and there are roles in Azure, and there are roles in Azure AD, and things like Microsoft 365 use these Azure AD roles. Now built-in roles have been created for all of these, and I can also add custom roles if the built-in roles don't meet my requirements.
I can add a custom role. And we always think about giving someone the role they need to do what they have to do. Don't give them more than they need. So that's what they can do, and then we think about conditional access. And this really refers to, hey, you're trying to access a certain app or do a certain thing. I'll look at this type of request, and then maybe you have certain requirements. Now, a detailed understanding of conditional access goes far beyond what you need. But if we looked at it super fast. Once again, I can go to my Security.
We have conditional access. Now, there are things I can do here, like terms of use. The terms of use is just a PDF document, and as part of my conditional access, I can choose one of these documents and have them accept it. So here I can have different language versions, I can see the actual document. And here it is. Then they would have to accept this. It is very detailed and very strong wording, obviously, before it is allowed to be used. So I can define these terms of use. I may have a location, so a location could be based on particular public IP addresses, perhaps like the device that faces the Internet for my company and does network address translation.
Or it could be based on certain geographic locations, so you can choose it based on certain countries, things like that. So I can define named locations. And then what we have is the policy itself. If I go to my policies, I'll choose a very simple one. Here we can assign it to particular users, particular groups, we can exclude certain people. We could also choose it based on whether you have a certain role in the directory, you could choose it based on whether it's a guest, and it could target particular applications. I can even target actions like, hey, I'm registering my security information.
So I'm doing the initial security registration of my phone numbers, my MFA, my self-service password reset. When I get a user to do that, maybe I want a more secure environment. Maybe they have to be on a hybrid-joined machine, maybe they have to be on a corporate network. Or I can target particular applications, so these are all known applications in my Azure Active Directory. And then I can think about having conditions, so user risk, sign-in risk. This comes from Identity Protection; I need a P2 license. I can target particular platforms, Android, iOS, Windows Phone, and then exclude certain platforms.
I could go ahead, and if I have defined locations, I can use them here. It could target certain client apps, that's why I have mobile browser apps. You could use things like device state. Again, this can come from things like Intune. And then I have the controls. So now that I'm here I can have things like, hey, grant controls. I could block access on the one hand, or I can grant access but force them to do MFA. Stronger authentication? Maybe Intune should mark it as compliant? Maybe it needs to be hybrid Azure AD joined?
It's an approved app, I need app protection policies. I make them change their password. Again, I can use things like, hey, maybe I've detected higher risk via Identity Protection, I'm going to force them to do MFA, or if I require a password change, they'll do MFA first. Anyway, have them agree to a certain terms of use document, and there are things like session controls; session controls could do things like make them sign in at a certain interval. You could have things like, hey, if I access SharePoint and it's from grandma's machine, they can read things but it's limited.
They can't save, they can't write. I really can just control what they can do. So conditional access is about controlling those various things. Once I've done the authentication, I now want to go and do something. So once you move beyond authorization, we get into the idea of, well, auditing, governance. Obviously, these are very critical. Now, with Azure AD, in terms of full identity lifecycle governance, it doesn't really have it natively. Now what you can do is integrate with some type of HR system. So for example, if I add a Workday system, there's an example that it can do things like integrate with Azure AD.
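To make the assignment, condition and control logic of conditional access concrete, here is an added Python simulation; it is not Microsoft's policy engine and not code from the video, and the users, named-location IP ranges and policies are all constructed for the example.

```python
"""Simulate how Azure AD conditional access combines policies for one sign-in.
Added example, not Microsoft's engine: each policy targets users/groups/roles
and apps, is filtered by conditions, then blocks or requires controls. All
names, IP ranges and policies below are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
NAMED_LOCATIONS = {"Corp HQ": [ip_network("203.0.113.0/24")]}  # public IPs of the corporate NAT device


@dataclass
class SignIn:
    user: str
    app: str
    platform: str
    ip: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    sign_in_risk: str = "none"        # as reported by Identity Protection (P2)
    device_compliant: bool = False    # as reported by Intune
    hybrid_joined: bool = False


@dataclass
class Policy:
    name: str
    include_users: set = field(default_factory=set)   # {"All"} or UPNs
    exclude_users: set = field(default_factory=set)   # exclusions always win
    include_groups: set = field(default_factory=set)
    include_roles: set = field(default_factory=set)
    apps: set = field(default_factory=lambda: {"All"})
    min_sign_in_risk: str = None      # apply only at this risk level or higher
    platforms: set = None             # None = any device platform
    exclude_locations: set = None     # named locations that exempt the sign-in
    block: bool = False
    require: set = field(default_factory=set)  # "mfa", "compliantDevice", "hybridJoined"


def in_location(ip, name):
    return any(ip_address(ip) in net for net in NAMED_LOCATIONS.get(name, []))


def applies(p, s):
    """Assignments (who and what) plus conditions decide whether a policy is in scope."""
    if s.user in p.exclude_users:
        return False
    targeted = ("All" in p.include_users or s.user in p.include_users
                or bool(p.include_groups & s.groups) or bool(p.include_roles & s.roles))
    if not targeted or ("All" not in p.apps and s.app not in p.apps):
        return False
    if p.min_sign_in_risk and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[p.min_sign_in_risk]:
        return False
    if p.platforms is not None and s.platform not in p.platforms:
        return False
    if p.exclude_locations and any(in_location(s.ip, n) for n in p.exclude_locations):
        return False
    return True


def evaluate(policies, s):
    """Return ("block", [policy names]) or ("grant", [controls the user must still satisfy])."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.block for p in matched):          # any block wins over any grant
        return "block", [p.name for p in matched if p.block]
    satisfied = {c for c, ok in (("compliantDevice", s.device_compliant),
                                 ("hybridJoined", s.hybrid_joined)) if ok}
    required = set().union(*(p.require for p in matched))   # union of all matched grants
    return "grant", sorted(required - satisfied)            # "mfa" is always an interactive prompt


POLICIES = [
    Policy("Require MFA for admins", include_roles={"Global Administrator"}, require={"mfa"}),
    Policy("Require MFA off the corporate network", include_users={"All"},
           exclude_users={"breakglass@contoso.example"}, exclude_locations={"Corp HQ"},
           require={"mfa"}),
    Policy("Block legacy mobile platform", include_users={"All"},
           platforms={"Windows Phone"}, block=True),
    Policy("High risk: MFA on a compliant device", include_users={"All"},
           min_sign_in_risk="high", require={"mfa", "compliantDevice"}),
]


def scenarios():
    """Constructed sign-ins run through POLICIES; returns {scenario name: decision}."""
    cases = {
        "alice-at-hq": SignIn("alice@contoso.example", "Office 365", "Windows", "203.0.113.10"),
        "bob-admin-remote": SignIn("bob@contoso.example", "Azure portal", "Windows",
                                   "198.51.100.7", roles={"Global Administrator"}),
        "carol-old-phone": SignIn("carol@contoso.example", "Office 365", "Windows Phone",
                                  "203.0.113.10"),
        "dave-risky-compliant": SignIn("dave@contoso.example", "SharePoint", "iOS",
                                       "198.51.100.9", sign_in_risk="high", device_compliant=True),
        "breakglass-remote": SignIn("breakglass@contoso.example", "Azure portal", "Windows",
                                    "198.51.100.7"),
    }
    return {name: evaluate(POLICIES, s) for name, s in cases.items()}
```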
There's a provisioning service, and even if I'm using Active Directory, when I go and make those HR requests, there is a special component in Azure AD Connect / Azure AD Cloud Sync that would actually allow them to be written to on-premises AD and then replicate back up to Azure AD, so you can use it as part of that. If you had an existing HR system, you could take advantage of it. But one big thing you'll do is things like groups. Remember the idea of those dynamic groups? I'll use that. I can create a dynamic group based on user attributes, and then from those groups, remember, those groups give the applications, roles and licenses.
So I'm going to focus on that. I can use things like Privileged Identity Management. So PIM gives me the ability to elevate into a given role for a finite period of time. But I can also use it to say, hey, you have this role, but you only have it for three months. Again, PIM can time-limit the role to ensure it is not left behind; I don't keep things I really shouldn't have. We have things like access reviews. So an access review is a feature that allows me to say, hey, based on maybe this app assignment, this role, or this group membership,
we will review this periodically, and it may have an administrator do the review. It could be someone delegated to do the review. It could be a self-review. I have to go and check, hey, do I still need this? And these are all P2 type features. Remember those terms of use? I can use them through conditional access. And there's Azure AD Identity Protection, to really boost the overall health and protection of the user. But those things can really help govern. Now, all of these, remember, are P2: Privileged Identity Management, access reviews, Azure AD Identity Protection. There are also the access packages of entitlement management.
They let me say, for example, "Hey, this SharePoint site and this group membership, I can go and request a certain access package," and that's also a P2 feature. But we have to bring all those things together. Of course, there are logs. I have all those capabilities. But for the sake of time, OK. So that's really the Azure AD part, the identity part. Well, then we can think of something outside of Azure AD. Then we have Azure. One of the things I'm passionate about. And obviously we think about the governance side of Azure, and that's huge. So we can think from a governance perspective.
That's the first thing we should do. Now at the root of Azure AD and Azure there is an Azure AD tenant. Azure subscriptions trust a certain Azure AD tenant. And then I can build a sort of management group hierarchy under this. There will be a root management group once you enable them. And then I can have a hierarchy of management groups. And then ultimately what I'll get are subscriptions where I create things, so I'll get some subscription. And then within the subscription, I create resource groups. And I can have multiple resource groups, I have many subscriptions, and then I create resources, and this is really key to the idea
of that governance around my environment. Because for all these things, all these levels, I can have things like role-based access control. So depending on what role you have, I can apply things like policies, what you can do, and I can have budgets of what you can spend. So they drive a lot of the behavior. Now also one of the most important things I can do is lock resources. And you will see that there are different types of locks, so there is something called CanNotDelete. And then there is also ReadOnly. Now, obviously, as the name suggests, with CanNotDelete I can change the resource,
but I can't delete it. If it is ReadOnly, I can't even change it. So I'm locking it exactly in place. And it inherits, so if I put a lock on a resource group or subscription, it applies to everything inside it. An important point about these is that they are at the management plane, Azure Resource Manager. They don't affect the data plane, so if this was a storage account and I put a ReadOnly lock on it, I can still change the data in there. It's not impacting those behaviors. This is making sure I don't do things at an administrative level.
So I have these locks. And the way we really like to deploy resources, again a matter of good governance, is that we use an Azure Resource Manager template, so I can define this JSON template that defines all the resources we have in a very declarative way. And then I apply it, so I can have change control, version control, that kind of thing. So that creates things. It's idempotent, I can run it again, and since it's declarative, I say I want it to look like this; just make sure it matches that description. This is how we want to deploy things.
And what you'll often hear is the idea that, hey, look, I want to deploy a subscription in a very standard way. I want to deploy these resources. So what you'll actually hear is what's called a blueprint. And a blueprint is actually a collection of things. I can define resource groups. I can define role-based access control or permissions, I can assign policies, and I can assign ARM templates. And with that, when I do that deployment, it has its own set of locks. It doesn't use these locks, it uses its own special types of locks. They are basically based on deny assignments.
But I can say, well, don't lock. I'm deploying these sets of things. They can do whatever they want with them. They can delete them, do whatever they want. I can say do not delete. Again, they can change the settings, they can't get rid of it. Or I can say read only. I'm deploying this set of things, but you can't change anything about it. So if I had the idea that I want to be able to set up subscriptions with a standard set of configuration, the answer would be blueprints. Because I can create the resource groups where resources are created, I can assign roles, I can assign policies to set the guardrails around them.
Then I can deploy the resources with an ARM template. And you can really think of that in terms of an Azure resource. If you ever see the idea that I want to define guardrails, that's policy. So I can think about: you can only use these regions. I can only create this type of account. I must have this tag configured. That will always be a policy, and I can use it in multiple ways. In fact, I can use it to enforce, it has to match that, or I can use it just to track compliance.
So maybe I'm not going to block it, but I'll know if it's not in that state. So I have all those different options, and of course role-based access control, where I have multiple permissions. Now you can create all these things yourself. But what you will find is that Microsoft has a lot of momentum right now regarding this Cloud Adoption Framework. And what this Cloud Adoption Framework is, is a set of documentation, guidance, best practices, and tools that basically configure these types of best practice configurations for you. And you'll see that there are several phases to this, if we actually go and look at this quickly on the site.
It really explains what these key phases are, so you'll see. First of all, there is strategy. Once you've strategized, you'll have some planning. Then you'll be ready to put these things to work. Then you are going to adopt. And adopt includes migration and innovation. And if you actually click on a different link, you'll be able to see it in a prettier image. Here we go. As you can see, the idea of the life cycle is all about defining the strategy, plan, ready, and then you adopt, and of course all of these things have governance and management around them.
And they will help drive all those kinds of different things through this Cloud Adoption Framework. OK. So that has all those kinds of tools as part of it. Now what I'm thinking about is kind of security and compliance; we think about network, data, all those different things. There are several types of key constructs in Azure. So if I'm thinking about the network, and data. The first thing is that obviously we define this virtual network, so we have the idea of a virtual network, and the way we control access, we segment it, that is, we have the concept of
a network security group, and the network security group is based on IP addresses, ports and protocol. So, the destination and source IP, the destination and source port, and the protocol, TCP, UDP. So I define these rules, and then I say allow or deny, and I create a set of these rules and apply it to a subnet. I can also apply it to a NIC. Normally that is not done. So I create these rules and they help me segment. If you think about a virtual network, there are multiple subnets, parts of the IP space, but also things that go in and out of the virtual network, maybe going to other virtual networks that are peered, maybe networks that are connected via ExpressRoute or a site-to-site VPN.
That helps me lock it down. You might see something called application security groups. That's really a label on the network interface that I can use instead of the IP address. So instead of an IP address, a tag. There are also built-in tags. And then you might think about, when you have public IP addresses, it could have distributed denial of service protection. And this is available as standard and basic. Basic offers everyone this real-time mitigation of common attacks. With standard I can fine-tune it further by monitoring traffic. Through machine learning I can have custom policies.
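As an added example (not from the video), a Python model of how NSG rules are evaluated, with application security group names used in place of IP addresses as described above; the address space, ASG membership and rules are constructed, and the "Internet" tag is simplified to "anything outside the VNet".

```python
"""Evaluate Azure-style network security group rules for one flow.
Added example, not Azure's data plane: rules are matched lowest priority number
first, first match wins, and the three default inbound rules sit at the end.
Address space, ASG membership and rules are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = [ip_network("10.0.0.0/16")]       # constructed virtual network address space
ASGS = {                                 # application security groups: labels on NICs
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules; the lower number wins
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR, "*", service tag or ASG name
    source_port: str       # "*", "443", "1024-65535" or a comma-separated list
    destination: str
    destination_port: str


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]


def address_matches(spec, ip):
    addr = ip_address(ip)
    in_vnet = any(addr in net for net in VNET)
    if spec == "*":
        return True
    if spec in ASGS:                      # ASG: membership by NIC, not by address range
        return ip in ASGS[spec]
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":                # simplification: anything outside the VNet
        return not in_vnet
    if spec == "AzureLoadBalancer":       # Azure's health-probe source address
        return ip == "168.63.129.16"
    return addr in ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule name) from the first matching rule in priority order."""
    for r in sorted((x for x in rules if x.direction == direction), key=lambda x: x.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (address_matches(r.source, src_ip) and port_matches(r.source_port, src_port)
                and address_matches(r.destination, dst_ip)
                and port_matches(r.destination_port, dst_port)):
            return r.access, r.name
    return "Deny", "<no rule matched>"


# Constructed custom rules: only HTTPS from the Internet to the web tier,
# only SQL from the web tier to the database tier, and RDP denied from anywhere.
NSG = [
    Rule("AllowHttpsInternetToWeb", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "asg-web", "443"),
    Rule("AllowSqlWebToDb", 110, "Inbound", "Allow", "Tcp", "asg-web", "*", "asg-db", "1433"),
    Rule("DenyRdpFromAnywhere", 120, "Inbound", "Deny", "Tcp", "*", "*", "*", "3389"),
] + DEFAULT_INBOUND
```

Note that a VM inside the VNet but outside asg-web still reaches the database port through the default AllowVnetInBound rule, so segmenting between subnets needs an explicit higher-priority Deny rather than relying on the defaults.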
I can also have things like Azure Firewall. Now Azure Firewall is an appliance that lives inside my virtual network, and with Azure Firewall, it is a managed network virtual appliance. It will automatically scale based on the amount of traffic, and it has native high availability. I can filter on things like the IP address but also the fully qualified domain name, so the names of the services you're trying to communicate with. It can do outbound source network address translation, so hide the internals, and do things like DNAT, with threat intelligence. Then if I have services that I offer to the Internet,
well, many times those are HTTP/HTTPS based, or maybe I'm using Application Gateway, and you'll see things like web application firewall. Therefore, the web application firewall provides protection against common vulnerabilities. There is a set of core rules that this protects me against, but things like App Gateway, Content Delivery Network, and Azure Gateway can connect to this web application firewall. For something like a SQL injection attack, it's going to give me protection against those things. Now you may want to access resources within the virtual network. And again, the point of this is that at a high level you know what these things do.
So maybe I have some kind of virtual machine I want to get to, maybe it's RDP if it's Windows or SSH if it's Linux, in a secure way. Then we have a service called Azure Bastion. And the Azure Bastion service lets me, from the Azure portal, so I'm in the portal, I can see my VM, I can press connect, select Bastion, and it goes through the bastion to give me an RDP or SSH connection to my virtual machine. I don't have to worry about opening firewall ports or configuration or any of that stuff. It gives me access to resources within my virtual network or to virtual networks connected to it.
So that seems right on the network side and protecting the network: network security groups; then Azure Firewall, where again I can do more advanced filtering and fully qualified domain names; for services that I offer to the Internet, distributed denial of service protection; web application firewalls, like App Gateway, the Content Delivery Network; and if I want to be able to access resources, Bastion offers me a great way to do this. Now on the data side, we often have things like storage accounts. And storage accounts can have blobs, queues, tables, and files. Well, we think about encryption at rest.
So let's encrypt that. And it could be a platform-managed key, where Microsoft stores the key, takes care of it, and rotates it, or it could be things like a customer-managed key. Here we use things like Key Vault, and I have a customer-managed key that is used for that type of data encryption key protection. Also, if it was a virtual machine, there are things like Azure Disk Encryption that uses things like BitLocker or dm-crypt within the OS running inside the VM to do that encryption as well. Things like SQL have Transparent Data Encryption, and Key Vault is a super powerful construct.
I may have secrets, which are data that I can write and read, perhaps like a password or token. I can have keys, which I generate in it or import into it, but I can't get them out again. But I can perform cryptographic operations within Key Vault using that key. And then certificates, which are really just packaged keys, but it can manage the whole kind of life cycle around that. Now, within my Azure world, there are all these different components. And in terms of security, there are different solutions here, but really the most important one will be Azure
Security Center. So Azure Security Center is this cloud security posture management, a CSPM. It's about knowing my environment and what I want to improve. Therefore, ASC has a series of fundamental things. It has a secure score. This is built by using things like Azure Policy to get compliance status for a series of built-in things. It really cares about and lets me know what I should really be aiming for, if we jump in and look at an environment, if I really get as close as possible to these things. If I just go and look at the front and center of my Security Center, we'll see my secure score.
I have things like different regulatory compliance, things that I might be interested in, so I can manage the compliance policies that I'm interested in, and I can, hey, choose my developer subscription. In fact, I can see that there are all these other ones that I have, like Azure Security Benchmark, PCI DSS, but I can add more than they have natively. But also, I have that basic secure score, and this basically gives me things that I should be interested in. It will then order them in terms of priority. So enabling MFA is the biggest improvement I could have on my score.
So it gives me starting points to really help improve my overall security posture. So it is giving me the basics of security. I can receive alerts. It has things like a network map to know what's going on in my environment. So I can see everything there. I can see different security alerts that I have in my environment. And then we have things like Defender. So Defender has deep protection and broad protection. We can see here that there are different types of Defender available, but in my subscription I can actually activate Azure Defender. And then it shows me the difference between, hey, when it's off and I just have the basic Azure Security Center, and then when I turn it on, it shows up, hey, just-in-time VM access, application controls, compliance, all these other things.
And then I have these broad and deep protections, so I can turn on protection for App Service, SQL, storage, Kubernetes, and then these broad protections on things like Resource Manager and DNS. So I can pick and turn on these things, but obviously there's a price I pay for them. But I can have continuous export to other solutions and maybe another SIEM tool. So I have these capabilities, but things like just-in-time protection are where normally the ports are closed to the virtual machine, but it will open them when you need it. So it adds these various components from all my Azure services.
I can send data through these various solutions. Now, the next solution you'll commonly see: yes, we think about Azure Security Center and Azure security. It's all about, hey, what's my kind of compliance? So it'll tell me, hey, what's my compliance status? It'll tell me things like, hey, I want to protect myself here. And then you'll hear about something called Sentinel. And Sentinel is based on a Log Analytics workspace, so in the background Sentinel sits on top of a Log Analytics workspace that essentially has connectors. Now, these connectors can be used for many different things. They could be from Azure AD to Microsoft 365.
Again, Azure resources can be sent to this thing, and Sentinel is then added on top of that. Getting the logs of things on its own is pretty useless; I'm going to receive an avalanche of different data. So Azure Sentinel adds things like, yeah, you have the logs, you add all these different types of connectors, and then you add things like machine learning on top of the logs to give me analytics. It is a kind of SIEM solution, a security incident and event management solution. I can also orchestrate an automated response, a SOAR solution, and what that will give me is the ability to actually respond
and recover. And if you think about this, it is generating alerts. Or you can send them here so Sentinel can build on top of that. If I jump again, super fast, and if now I search Sentinel... Because I have a basic Sentinel workspace, and it really gives me the ability to go hunting. I can query various types of things to find various types of attacks. Based on the logs in that Log Analytics workspace, I can look at the different incidents. I can see kind of the overall health of my environment and any malicious events that are happening.
So it's about looking at the logs and then drawing good conclusions from them. Then we have these types of data connectors. And we have this ability to connect to all these different types of systems, including Azure AD, Azure AD Identity Protection, but we'll also look at things like Microsoft 365 Defender, Office 365. So we can take all of that and integrate it to allow Sentinel to really give us protection for all of those different types of things. And when we talk about Microsoft 365, let's move on to that. So that's the last piece, which is Microsoft 365. Now, the most important initial piece that we think about of that protection is Defender.
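The hunting and analytics idea just described, rules running over the sign-in logs that the connectors feed into the workspace, shown as an added illustration that is not from the video and not Sentinel's own code: two small detection rules in Python over constructed sign-in records. The record layout, the thresholds, and every user and IP address are assumptions made up for the example; in Sentinel the same logic would be a KQL analytics rule over the SigninLogs table.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real telemetry): UTC time, UPN, source IP, result.
# Real Azure AD sign-in logs carry many more columns; these four are enough for the rules below.
SIGNIN_LOG = [
    "2021-06-01T09:00:10Z,alice@contoso.example,203.0.113.10,Failure",
    "2021-06-01T09:01:05Z,alice@contoso.example,203.0.113.10,Failure",
    "2021-06-01T09:01:50Z,alice@contoso.example,203.0.113.10,Failure",
    "2021-06-01T09:02:30Z,alice@contoso.example,203.0.113.10,Failure",
    "2021-06-01T09:03:15Z,alice@contoso.example,203.0.113.10,Failure",
    "2021-06-01T09:04:00Z,alice@contoso.example,203.0.113.10,Failure",
    "2021-06-01T09:05:20Z,alice@contoso.example,203.0.113.10,Success",
    "2021-06-01T09:10:00Z,bob@contoso.example,192.0.2.44,Failure",
    "2021-06-01T09:10:30Z,bob@contoso.example,192.0.2.44,Failure",
    "2021-06-01T09:11:00Z,bob@contoso.example,192.0.2.44,Success",
    "2021-06-01T10:00:00Z,carol@contoso.example,198.51.100.7,Failure",
    "2021-06-01T10:00:20Z,dave@contoso.example,198.51.100.7,Failure",
    "2021-06-01T10:00:40Z,erin@contoso.example,198.51.100.7,Failure",
    "2021-06-01T10:01:00Z,frank@contoso.example,198.51.100.7,Failure",
]


def parse_signins(lines):
    """Turn the CSV-style records into dicts with a real datetime for windowing."""
    events = []
    for line in lines:
        ts, user, ip, result = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "result": result,
        })
    return events


def detect_bruteforce(events, window_minutes=10, threshold=5):
    """Rule 1: a success for (user, ip) preceded by >= threshold failures inside the window.
    A plain failure burst is noise; failures followed by a success is the signal worth an alert."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["ip"])].append(e)
    findings = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        recent_failures = []  # timestamps of failures still inside the sliding window
        for e in evs:
            recent_failures = [t for t in recent_failures if e["time"] - t <= window]
            if e["result"] == "Failure":
                recent_failures.append(e["time"])
            elif e["result"] == "Success" and len(recent_failures) >= threshold:
                findings.append({
                    "rule": "BruteForceThenSuccess",
                    "user": user,
                    "ip": ip,
                    "failures": len(recent_failures),
                    "success_at": e["time"].isoformat(),
                })
                recent_failures = []
    return findings


def detect_password_spray(events, window_minutes=10, threshold=3):
    """Rule 2: one source IP failing against >= threshold distinct accounts inside the window.
    Each account sees only one or two failures, so per-user lockout never fires; grouping by IP does."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failure":
            by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(users) >= threshold:
                findings.append({
                    "rule": "PasswordSpray",
                    "ip": ip,
                    "distinct_users": len(users),
                    "window_start": start["time"].isoformat(),
                })
                break  # one alert per IP is enough for triage
    return findings


def run_rules(lines):
    events = parse_signins(lines)
    return detect_bruteforce(events) + detect_password_spray(events)


if __name__ == "__main__":
    for finding in run_rules(SIGNIN_LOG):
        print(finding)
```

Both rules deliberately key on different dimensions: the first groups by account and IP, the second by IP alone, which is why a spray that stays under any per-account lockout still surfaces.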
And there are actually four different parts of Defender. You will see that there is Defender for Identity. Now, this really takes what was kind of Azure Advanced Threat Protection, Azure ATP. And now it is this Defender for Identity. So what this looks at is essentially my local Active Directory domain controllers. It receives signals from them, sends them to the cloud, and then detects attacks and threats on my on-prem domain controllers. So these kinds of things would go alongside things like Identity Protection. That's looking at my Azure AD health status. Well, at that point my entire setup failed.
I guess it's telling me to hurry up. Taking too much time, we'll call it that anyway. So after the identity part, which actually has to do with local domain controllers, the next part is Endpoint. Now, if we think about the fact that there is already a kind of Defender, just normal anti-malware protection. So what this does is add additional detection and prevention. It analyzes things like what the entry point of an attack was and what happened: it went from this user to that user, and gives me all that forensic analysis capability. This used to be Defender ATP, but it's really about getting that full tracking, and that's for Windows, Android, Linux, and Mac OS.
Then there's sort of Cloud App Security. This is a cloud access security broker, a CASB, solution. This allows me to actually keep track of which apps are being talked to from my corporation. It helps me track things like bring-your-own IT, where people are using applications that I, as a company, may not have authorized. So this may have to do with discovery, and also whether I do things like... I manage. Integration with Conditional Access, for example, so I can control how you can use those various services, as well as if you suddenly saw someone
copying a large number of documents, such as data leaks, I can stop them. And then there's this kind of Defender for Office 365. And you may have seen the idea that you get Safe Attachments, Safe Links; it gives me anti-phishing protection for collaboration like OneDrive and SharePoint and Teams. There are different levels of functionality, but it's really about giving me that ability to protect my users who use Office 365. Again, for the detonation chambers: how to get an attachment? You can go and put it in this isolated chamber, run it, make sure it's not doing something wrong, by crawling all those links.
Now, we always think of layers that maintain defense in depth. So I can think from a layer's perspective: obviously there is some kind of identity. I can think of: there is the device. And there is the data. Obviously the identity, we talk about Azure AD or the elements of that. So I really want to focus on the data behind my Office, my Microsoft 365, my Office 365. And then the device. Now we saw the idea, inside Azure there is a Security Center. So for Microsoft 365 there is also a Security Center. And like Azure, it has several different elements.
It has its own type of secure score, which again gives me the points that I need to focus on to have the biggest impact, the biggest payoff, if you will, where I need to prioritize. But there are all kinds of reporting and incidents and much more. So if we jump in, let's take a look at this. So this is our new starting point for Microsoft 365, and we can see that it guides us. We have this whole wizard that we could go through. But it showed me things like, hey look, here's my secure score: 35.6, which is obviously terrible, but I can see it historically.
I can see well what has changed around that secure score. In fact, I can see things well: how can I improve my score, and notice again that it shows me, hey, what's the impact on the score? And again MFA. You will see some common things; both Azure and Microsoft 365 obviously use Azure AD, so the identity things will be common, but then they will be forked. In Azure we'll talk about things like networks and devices; in Office we'll talk about, hey, look, I can do cloud app security, Customer Lockbox, and other types of things. So I can look at this to quickly get an idea of what I care about.
Good. Then also from this kind of Microsoft 365 Security Center I can see if there are any particular incidents that I might be interested in in my environment. I can see, hey, if there are alerts, and again we can turn on Microsoft 365 Defender. We have sort of threat analytics and hunting centers, and then you'll see a bunch of other things like auditing, reporting and health. Several different aspects that we will return to in a moment. But before we really dive into that level of detail, I want to quickly go back to the device area. Now, in an on-premises world, we had Active Directory, we have Group Policy, we might have System Center Configuration Manager for patches, applications, and inventory.
In a modern work environment, we think about joining Azure AD; well, there is no Group Policy. So what we get from here is that we have Intune. Now, Intune does several different things that I can think of. Well, I have policies. I can get the health status. I can handle many other aspects of this. Now I can think about this on many, many different platforms. Well, Windows is obvious, but I also have things like Mac OS. I can think of Android. And something like iOS and iPadOS. In reality it is the end client device.
This is not for servers, this is for the client end device. And there are actually two types of ways that Intune can work. Now there are many more aspects, but for all we care, I have these devices and I can think about MDM. And the key point here is the device. MDM, mobile device management, means I'm basically enrolling the device. So does that mean what Intune can do is something about that whole device? I can think about configuring the device, I can do device policies, I can send certificates to the device, VPN configurations; I'm enrolling the device.
So this will be typical for the type of corporate assets, where it is good that as a company you do that complete management. And then the other, it's MAM. And the key point here is the application. So I won't enroll the device in this. It's just particular applications, and usually based on how they go and talk to a corporate source I can push just an application policy. Now I'm thinking about application policy: I can't apply things at the entire device level. But when they start the application that connects to a corporate data source, being like the Outlook client talking to Exchange Online, then I can say, hey, you're talking to a corporate mailbox and then you have to have this policy.
I might have to have a PIN. In fact, I can wipe. Enterprise apps are in their own little sandbox, so this is my device, not my company's. As a corporation, I can wipe corporate-managed apps, but I can't wipe the entire device, which I could do in this kind of MDM world. So there's kind of an important distinction between mobile device management, mobile app management, and again the corporate device and my personal device. We talked about these policies, and these policies can have things like requirements, and maybe no jailbreak if it's a mobile device, antivirus versions and various other types of things.
I can have security baselines if it's a Windows 10 device. So think of Intune as a policy engine. Typically Azure Active Directory will be used. There is no Group Policy. This is how I can also push things like applications, both custom and from a kind of store. I can do those things. So I wanted to touch on that kind of important point. Now, if we talk about the Security Center, then we think, okay, great, that's security. Then we start to worry about compliance. And just as you'd expect, there's also a Compliance Center of sorts. So if we jump up to here.
Now, once again, we can see that this type of compliance management solution exists. This is a comprehensive solution that allows me to track my overall Microsoft 365 compliance state. You can see again that there is a compliance score of sorts. I can see where I get different points about the things that matter to me. Again, I can go and assign and keep track of the dates when it should be done and who should do it. I have kind of complete control of all those different things. Also, we have something like show all. There are a ton of different solutions: audit, content search, data loss prevention, data subject requests, eDiscovery, and I'm going to talk about that.
And these various aspects, but the key point of the kind of Compliance Center you can see: look at Compliance Manager, look at the catalog to start identifying the risk, and again, if I go into that Compliance Manager, it will show me things that I am responsible for and that I am doing a terrible job of. And the thing is that Microsoft, with their good management work, have done everything possible to make me look bad. And the things that I should really try to focus on to be successful. Now, you're seeing here we have kind of an audit.
Now, the point here is that in this audit I can go in and look for various types of things. I can see that all these different types of activities are available to me. I could pick certain users at certain data start and end times and actually perform that search. There are now audit retention policies as well. So I could create a policy based on, well, a duration, meaning actually up to 10 years, and for what types of data. So I have controls over exactly what I care about. Now, when I search this audit, it's important to note that not everything will appear right away.
Some take 30 minutes. Some can take up to a day to be able to dig deeper. And we can see in the documentation that it distinguishes, hey, things that take 30 minutes and things that take 24 hours. We can see that here. So if you're interested, the documentation reviews, hey, depending on the source, how long will it really take to be able to perform the search? So that's just the regular audit that I can do from this. Again, there's also this advanced audit that I can do for forensic compliance investigations. And again, we get one year for Exchange, SharePoint, Azure AD, but it will be 10 years with some additional licenses.
Now the next part is the data. So remember what we talked about: overall compliance is great, we have a solution there, and we had this whole idea of data. So Intune does the device; the identity, we know it's all those Azure AD types of things. Well then we have the data. Now the data. There are many different aspects to this, but often we may not know what data we have, so there is often the idea that we have to classify the data. And then once we classify the data, we can protect it. Now protecting can mean many different things.
Protecting can mean things like encrypting. It can be things like data loss prevention. This might prevent me from doing anything with it; I might put a watermark on it. But I can do it based on those classifications: I can push certain types of policies. And again, this all comes from that compliance page. So if we come back here. Notice we have below the solutions. Actually, go home for a second. We have data classification. Now there are different types of classification. I can think of classification in terms of sensitive information types. So PII, credit card numbers, Social Security numbers, driver's licenses: there are a large number of them built in.
That's one way to classify data: sensitive information types. There are a huge number. These are based on searching for certain words, searching for certain combinations of characters. Then there are trainable classifiers, so once again there are several of them built in. Things like, I'm looking for resumes, looking for source code, looking for harassment, looking for profanity, looking for threats. Or I can create my own. I can create trainable classifiers based on what matters to me. Now, with these sensitivity labels, I can assign a label to the documents, and then once I've done those types of classifications,
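The sensitive information type idea above (a character pattern plus a checksum, then a label that drives protection), shown as an added example that is neither from the video nor Microsoft's own classifier definitions: a small Python classifier run over a constructed document. The two patterns, the Luhn check, the label names and the suggested actions are all assumptions made for the illustration; the built-in Microsoft 365 types use their own definitions and confidence levels.

```python
import re

# Constructed sample document (made-up values; 4111 1111 1111 1111 is a well-known test card number).
SAMPLE_DOC = """Quarterly notes (constructed sample, not real data).
Customer card on file: 4111 1111 1111 1111, expires 12/25.
Order reference 1234 5678 9012 3456 is not a payment card.
Employee record: SSN 123-45-6789. Placeholder value: 000-12-3456."""

# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN shape: area not 000/666/9xx, group not 00, serial not 0000.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum: the extra check that turns 'looks like a card number' into a real match."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Pattern match first, then keep only candidates whose checksum is valid."""
    found = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text):
    return [m.group(0) for m in SSN_PATTERN.finditer(text)]


# Assumed label and policy mapping for the example; a real tenant defines its own.
LABEL_ACTIONS = {
    "Highly Confidential": ["encrypt", "block external sharing", "watermark"],
    "General": [],
}


def classify(text):
    """Return the detected sensitive information types, the label they imply, and the actions
    a DLP or sensitivity policy would apply for that label."""
    hits = {
        "CreditCardNumber": find_card_numbers(text),
        "SSN": find_ssns(text),
    }
    label = "Highly Confidential" if any(hits.values()) else "General"
    return {"sensitive_types": hits, "label": label, "actions": LABEL_ACTIONS[label]}


if __name__ == "__main__":
    result = classify(SAMPLE_DOC)
    print(result["sensitive_types"])
    print(result["label"], result["actions"])
```

The order reference in the sample matches the card pattern but fails Luhn, which is exactly why the built-in types combine a pattern with a checksum or supporting keywords rather than matching on shape alone.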
well, I can do things to protect it. You'll see things like data loss prevention, so you can do things related to encryption. I can do things related to rights management and data loss protection, so I can have things like restricting the ability to share. I can have things like adding a watermark. Furthermore, there is also the aspect that can be managed. There's classification that drives protection, but it could also be retention. Do I need to keep my data? So here you could have things like don't delete. I have to keep it for a certain amount of time, or maybe it's just the opposite.
Maybe it's delete: get rid of this after a certain period of time. Sometimes they can be equally important to the overall solution. Now, a lot of these can be built around the idea that I have this type of eDiscovery, mixing cases in there. Where it looks, I need to find it, so I have to find the content. And then I'm doing something with it. Maybe you're exporting it, maybe you're doing research on it, but then there's some kind of action from that eDiscovery, and there are actually three different solutions that we have as part of Microsoft 365.
There's a very basic content search. Then there is a more advanced Core eDiscovery. Now, Core eDiscovery is based on the idea of, well, I can create a case, and then from the case I can do things like retain the data to make sure no one deletes it. Then I can search and export. Then there is Advanced eDiscovery. And that's really based on the idea... So if this is about, hey, I have a case, and from the case I can do a search, a hold, and there may be an export, this builds on that and adds things like much richer review, data custodians.
So if we jump again. If we go and look at the content search, you will see, in fact, if we dive in, well, this is just the ability to do this kind of basic search. I can type data and I can search things, but then we have this eDiscovery down here, which is this richer set of capabilities. Then we have Core eDiscovery, so we create the case. And then once we create the case, I can hold the data, search here, and optionally export. We also have Advanced eDiscovery, so if I were to use Advanced eDiscovery, again I would now go and create a case.
But then I would go and add these data custodians. For example, the persons of interest: maybe they have a mailbox, maybe they own a SharePoint site, that they can then... they want to preserve the data, collect it, process it, review it, and then export it. Now when I add custodians to this, it will try to find their property data. Then it'll go find their mailboxes and it'll find their OneDrive. Or I can add additional things like SharePoint and Microsoft Teams sites, etc. So we have this kind of three main tools available to us.
And for all of these things, it can actually take up to 24 hours. So if I think about all these holds, that hold can take 24 hours to take effect, and there are several roles such as eDiscovery administrators to manage and create cases. There are PowerShell scripts for more advanced searches. So there are all these different things. So this refers to all the data. Again, identity: Azure AD; device: Intune, and I can use things like Conditional Access to verify that health; data: I classify it, so I know what I have. Most companies don't know what they have. So you could protect it, which is encryption, you could do DLP, maybe there are things around retention.
I want to be able to find the data that interests me. And finally, perhaps from a compliance perspective and more, there are other things that we care about. So I want to think about, hmm, Insider Risk Management. So within risk management there is a solution that really deals with malicious people internally. I want to be able to detect risk. I want to be able to act on those risky malicious actions. For example, they are trying to share data or obtain a large amount of data, so we can have policies based on a template that I may have activated.
And when they trigger, based on the things I've defined, an alert will be created. It is based on conditions, generates an alert and could then be triaged. They alert me that there is a need to review, and then I can investigate and then take some action. It could be a notification, it could be more. So it's about... So again, you need to know the solution and what it's for; within risk management, it's to help detect and prevent malicious actions from insiders. Then I can think, well, Communication Compliance. So it comes down to the idea that I have acceptable communication policies in my company.
Maybe on Teams, for example, or in an email. So this is all about Communication Compliance, saying look, I'm going to implement policies, maybe no bad language, about how we treat each other. And now, if people violate those policies, I can label the message, I can notify users, and I can monitor overall compliance. So this is really about ongoing communications. I have standards for my company for how my employees should treat each other. I can detect that, so label messages, notify users, and stop those types of communications. Then we have Information Barriers. So it's a name that really suggests that this could be the idea that I have different groups of users in my company.
And they shouldn't talk, for example, in Teams. They should not chat with those people or share files with those people. So I can really think about this. This can occur on things like Teams, SharePoint, hmm, what about OneDrive? So if I can say, this solution, look at these groups of people; maybe for legal reasons, whatever it is, I don't want them to communicate directly. So if I see a question, it is necessary to prevent these groups within the company from being able to communicate in Teams or share documents; well, that will be the solution: Information Barriers.
Now I mentioned PIM for Azure AD, Privileged Identity Management. So Microsoft 365 has PAM, Privileged Access Management. So if you think about PIM, it's about giving me a role for a certain period of time, just long enough. PAM is actually a level down. It's a task. So PAM is about giving me a certain task in a certain scope, as I request. There is a full ability to have permissions and authorization as part of that, but it allows me to get just this smaller set of capabilities. So as a user, I can request to say, hello, I need this particular task, and you can grant it to me.
So it's really a level lower than PIM. And then there is a kind of Customer Lockbox. And this is all really about a Microsoft help desk engineer type person. So I make a call to Microsoft. They need to access my service to help me. They submit a request to Microsoft management for approval. You, as the customer, will then need to approve it to allow them access to your service. And there is a whole flow around this. In fact, we have opened the site. In fact, we can see, hey, in Office 365. So, obviously, this is your data, you care about this, it talks about the flow.
Hey, look, you're having trouble with your mailbox, you open a ticket, the support engineer wants to see it, so he raises it through the Customer Lockbox. Hey, I want to access this. Their manager has to approve it. And then you as a customer log in and then approve it. And then they, the engineer, can go and do that work, and you can track it; remember all the actions are in the audit logs. In fact, you can go and check out exactly what they did. So this gives you as a customer full access to what they are doing within my subscription.
What did we cover? I mean a huge number of things. Obviously, the key point here is that you don't need to know details about any of this. You need to understand, hey, look, what are the key concepts about defense in depth? What are the key types of threats? Are they attacking data? Are they attacking identity and our ability to do business? Zero trust means what? What are the kind of shared responsibilities we have for types of service? What do we focus on? What is the type of encryption? Hey look, if I want to send someone a protected message, what do I need?
Well, you would need their public key. Hey, if I want to digitally sign a message, then I need my private key, and then they would need my public key to be able to verify it. The point is that your private key never leaves you. There is no scenario where you give that to someone else. Symmetric and asymmetric. What are the six privacy principles? You need to understand what they are. The Service Trust Portal will be your reference place, and from there we will be able to access all the different types of data.
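The public-key and private-key rule stated above, worked through as an added example that is not from the video: a textbook RSA toy in Python with deliberately tiny primes, showing that encrypting to someone uses their public key, signing uses the signer's own private key, and verifying uses the signer's public key. The prime values, the per-byte encryption and the hash-then-sign layout are assumptions made for the illustration; real systems use large keys and padding, which this toy omits, so it must never be used for actual protection.

```python
import hashlib


def _egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = _egcd(b, a % b)
    return g, y, x - (a // b) * y


def _modinv(a, m):
    g, x, _ = _egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def keygen(p, q, e=17):
    """Toy RSA key pair from two (assumed, tiny) primes.
    Returns (public_key, private_key); only the public half is ever shared."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = _modinv(e, phi)
    return (n, e), (n, d)


def encrypt(plaintext, public_key):
    """Sender side: the recipient's PUBLIC key turns each byte into a ciphertext value.
    No padding and one byte per block, which is fine for a demo and unsafe for anything else."""
    n, e = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(ciphertext, private_key):
    """Recipient side: only the holder of the PRIVATE key can reverse the operation."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def _digest_mod_n(message, n):
    # Hash first, then reduce into the key's range; real schemes pad the hash instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Signer uses its own PRIVATE key; the key never has to leave the signer."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone holding the signer's PUBLIC key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    # Constructed demo: Alice and Bob each generate a pair; they exchange only public halves.
    alice_pub, alice_priv = keygen(61, 53)
    bob_pub, bob_priv = keygen(71, 67)

    # Alice wants to send Bob a protected message: she needs Bob's public key.
    sealed = encrypt(b"hello bob", bob_pub)
    print("bob reads:", decrypt(sealed, bob_priv))

    # Alice signs with her private key; Bob verifies with Alice's public key.
    sig = sign(b"pay 10", alice_priv)
    print("valid:", verify(b"pay 10", sig, alice_pub))
    print("forged:", verify(b"pay 10", (sig + 1) % alice_pub[0], alice_pub))
```

The two flows are mirror images: confidentiality uses the other party's public key and your own private key never appears, while integrity and origin use your private key and the other party only ever touches your public key.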
So come and look around. Azure and Microsoft 365 use Azure AD. We think about administration, authentication: authentication always happens first, who I am, I'm demonstrating that. Authorization: what I can do. Audit: what you did; I keep track of those things. We believe that modern authentication and really MFA is about giving me strong authentication. That's what we want to do. So I think about MFA: I can do a phone call or a text, or I can use better, more powerful things like tokens and the app, or go passwordless completely. It is important to understand the types of objects we have in Azure AD.
If someone I'm collaborating with, as a company, I want to collaborate with this person, it will be a guest in B2B. If I'm writing a consumer app, I'll use B2C. If I have an app, it will have a service principal. If it's an Azure resource that I want to be able to use for other things, I can have a managed identity. Assigned and dynamic groups: very powerful. It helps me do a lot of the lifecycle, because based on group membership I can assign apps, licenses, and roles. My devices can join, register or be hybrid, so I have a lot of different things there.
Hey, we talked about authorization, that is, things like role-based access control. There are roles in Azure and Azure AD, and then we have Conditional Access. On the identity side, things like just-in-time Privileged Identity Management, access to a role; access reviews to keep track of what you have. Do you still need that app or that group membership or that role? It can be yourself, it can be delegated to someone. Identity Protection to detect risks, to drive things like MFA registration, and I can use Identity Protection as part of Conditional Access to detect risky sign-ins or users. And then you move on.
For current overall Azure governance, these different levels. We have Policy, budgets, RBAC, Blueprints that can deploy configurations. The Cloud Adoption Framework is a kind of pre-package that has several phases. Network: different layers of protection. Network, data, Security Center, encryption, Sentinel, and then Microsoft 365: the types of Defender. I do the device; I achieve this with Intune to enroll the device with MDM or simply with the MAM app. Classify the data; we have those trainable things for if it's sensitive data. Other types of data we want to know. Once we classify them, I can encrypt it, I can prevent data loss, I can use retention rules, I can use eDiscovery in different modes to look for things.
And various compliance solutions. So we covered a huge amount. Again, it's just fundamentals; you don't need to detail any of this stuff, but you should know, hey, remember it's multiple choice. They will give you a list of solutions; you just have to know what the right solution is. We are going to tell you a solution; you have to know what it does. There is nothing complicated in the exam. If you just look at the compliance, they are not trying to trick you. There's no one at Microsoft who wants you to fail. What does this? The logical names?
If I see a question, hey, I want to restrict communication between these groups of people, well, that sounds like a barrier. So choose the one that best fits. Remember things like the Service Trust Portal; that's where I'll go to find out about audit reports and all that other stuff. So think about it logically. Always try each question. There is no such thing as losing points for getting it wrong. Often some of the answers are, is it made of cheese? And that's why it's definitely not cheese. You can eliminate some obviously incorrect answers, but do your best. And again, don't panic about things.
It's just an exam. If you don't pass it the first time, you will receive a score report that will tell you where you are weakest. Then you can go and redouble your efforts, focus on those, and you'll get it next time. So that was it. I really hope this was helpful. Again, like, subscribe, comment and share. And good luck.