Table of Contents
- Module 1: Designing Identity for Azure Solutions
- Module 2: Designing Governance for Azure Solutions
- 2.1 Governing Azure Workloads
- 2.2 Demo: Azure Policy — Enforcing Data Residency
- 2.3 Using Policy Initiatives to Comply with Industry Standards
- 2.4 Demo: Azure Policy Initiative — PCI-DSS Compliance
- 2.5 Balancing Compliance and Agility
- 2.6 Demo: Balancing Compliance and Agility with Scopes and Exemptions
- Module 3: Designing Incident Response and Monitoring for Azure Solutions
- 3.1 Monitoring Azure Resources
- 3.2 Monitoring Azure Infrastructure Using Log Analytics Workspace
- 3.3 Demo: Log Analytics Workspace
- 3.4 Demo: Monitoring Applications with Application Insights
- 3.5 Demo: Alerts and Action Groups
- 3.6 Integrate Governance and Monitoring with Compliance and Incident Response
- Appendix: Custom Role Definition — GloboReader
- Appendix: KQL Queries for Storage Blob Logs
- Reference Links
Module 1: Designing Identity for Azure Solutions
1.1 Authentication Using Microsoft Entra ID Identities
Overview
Microsoft Entra ID is a cloud-based Identity and Access Management (IAM) service. It was formerly called Azure Active Directory (Azure AD). When studying for AZ-305 or working with Azure, keep in mind that Azure Active Directory is now called Microsoft Entra ID — they are the same service.
You can use Microsoft Entra ID identities to authenticate users and workloads.
Authentication vs. Authorization
When a user or workload needs to access an Azure resource, two sequential steps must occur:
- Authentication — Verifies who a user or workload is (proves identity).
- Authorization — Determines what the authenticated identity is allowed to do (e.g., read-only vs. read/write access).
sequenceDiagram
participant User
participant EntraID as Microsoft Entra ID
participant Resource as Azure Resource
User->>EntraID: Provide credentials
EntraID-->>User: Identity verified (Authentication)
User->>Resource: Request access
Resource->>EntraID: Check RBAC assignment
EntraID-->>Resource: Authorization decision
Resource-->>User: Access granted or denied
Credential-Based vs. Identity-Based Access Control
Azure resources support two access control options:
| Approach | Description | Examples |
|---|---|---|
| Credential-based | Use a password, key, or token to access a resource | Storage account access key, SAS token, Cosmos DB access key |
| Identity-based | Grant access to an Entra ID identity (user, group, or managed identity) | App registration, managed identity + RBAC role assignment |
Credential-based examples:
- Azure SQL: Username and password combination to access a SQL database.
- Storage Account access key: Grants full access to the storage account.
- Storage Account SAS token: Grants scoped/limited access to a storage data service.
- Cosmos DB access key: Read and write into a Cosmos DB database.
- Azure Event Hubs access key: Send or receive events from Event Hubs.
- Azure IoT Hub Shared Access Policy: Send IoT Hub telemetry to the IoT Hub.
Identity-based examples (using Entra ID):
- Entra ID app registration or enterprise applications.
- User-assigned or system-assigned managed identities.
- Assign an RBAC role to the identity to authorize it to use the Azure resource.
Microsoft’s recommendation: Use identity-based access control whenever possible. This eliminates the need to safekeep storage account keys, database passwords, and tokens — all you need is an identity, which is more secure.
Types of Entra ID Identities
| Identity Type | Use Case |
|---|---|
| Users | Human accounts, e.g., employees logging into Azure resources |
| Groups | Collections of users; enables scalable permission management |
| App Registrations | Manually created service principal for a workload/application |
| Enterprise Applications | Federated or third-party SaaS apps integrated with Entra ID |
| Managed Identities | Automatically managed service principal for Azure workloads (recommended) |
When to use which identity type:
- Granting access to humans: Use Entra ID users and groups.
- Granting access to workloads (e.g., an Azure Function App reading from Cosmos DB): Use service principals — specifically app registrations, enterprise apps, or managed identities.
Managed Identities
Managed identities eliminate the manual overhead of creating and maintaining app registrations. There are two types:
| Type | Description |
|---|---|
| System-assigned | Tied to the lifecycle of a specific Azure resource. When the resource is deleted, the identity is automatically deleted. |
| User-assigned | An independent identity resource. Can be assigned to multiple Azure resources, making it ideal when multiple resources need the same permissions. |
graph TD
A[Azure App Service] -->|system-assigned identity| B[Entra ID]
B -->|RBAC: Storage Blob Data Contributor| C[Azure Storage Account]
D[User-assigned Managed Identity] -->|assigned to multiple resources| E[Azure Function App]
D -->|assigned to multiple resources| F[Azure VM]
D -->|RBAC role assignment| C
1.2 Demo: Creating Identities in Microsoft Entra ID
This section walks through creating users, groups, app registrations, and managed identities in the Azure portal.
Creating a User
- In the Azure portal, navigate to All services → search for Entra → click Microsoft Entra ID.
- Under Manage, click Users.
- Click + New user → fill in the display name (e.g., Peter Smith).
- Allow Entra ID to auto-generate a password.
- The account is enabled by default; you can enable or disable it as needed.
- Click Review + create → Create.
Creating a Group
- In Entra ID, under Manage, click Groups → All groups.
- Click + New group.
- Set Group type to Security (this type allows permission assignment to Azure resources — Microsoft 365 groups are for collaboration like Teams, email, and SharePoint).
- Enter a group name (e.g., Developers) and optional description.
- Set an owner and optionally add members.
- Click Create.
To add a member (e.g., Peter Smith) to the Developers group: Click Developers → Manage → Members → Add member → search for the user → Select.
Creating an App Registration (Service Principal)
- In Entra ID, under Manage, click App registrations.
- Click + New registration → enter a name (e.g., PhotoAlbumApp) → click Register.
- Note the following important values:
- Application (client) ID
- Directory (tenant) ID
- Client secret or certificate
- To create a client secret: click Certificates & secrets → + New client secret → provide a description → choose an expiry date → Add.
Important: Copy the secret value immediately after creation — it will not be shown again. Choose a short expiry date for production resources to reduce risk.
Enabling Managed Identity for an Azure Resource
App registrations require manual management. The recommended approach is managed identities.
Example: Enable managed identity for an App Service so it can access a Storage Account.
- In the Azure portal, navigate to your App Service.
- Under Settings, click Identity.
- Under the System assigned tab, toggle the status to On → Save.
- The App Service now has a system-assigned managed identity that can be given RBAC role assignments.
User-assigned managed identity benefit: Create one identity, grant it permissions, then assign it to multiple resources — no need to configure each resource separately.
1.3 Authorization with RBAC
What is RBAC?
Role-Based Access Control (RBAC) is the authorization system in Microsoft Azure. It enables you to grant fine-grained access to Azure resources.
Authorization answers two questions:
- Which resources does the identity have access to? (e.g., a Blob Storage account or the whole subscription)
- What actions can the identity perform? (e.g., read, write, delete)
RBAC Examples
| Identity | Role | Scope |
|---|---|---|
| User (Reza) | Reader | Customer subscription |
| Web server VM (workload) | Contributor | Photo blob store |
| API Function App | IoT Hub Data Reader | IoT Hub |
| User (John) | Owner | Photo album web app |
RBAC Role Assignment Components
To configure authorization, you create an RBAC role assignment consisting of three elements:
graph LR
A[Assignee<br/>Who: user, group, managed identity] --> D[Role Assignment]
B[Role<br/>What: Reader, Contributor, custom role] --> D
C[Scope<br/>Where: management group, subscription, resource group, resource] --> D
Built-in RBAC Roles
Microsoft provides many built-in roles. Key ones include:
General roles:
| Role | Description |
|---|---|
| Owner | Full access to all resources, including the ability to delegate access to others |
| Contributor | Can create and manage resources but cannot grant access to others |
| Reader | Can view existing resources but cannot make changes |
| User Access Administrator | Can manage user access to Azure resources |
Resource-specific roles (examples):
| Role | Description |
|---|---|
| Storage Blob Data Owner | Full access to Azure Blob storage containers and data |
| Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs |
| IoT Hub Data Reader | Provides full access to IoT Hub data-plane read operations |
Best practice: Use resource-specific RBAC roles whenever possible rather than general roles.
RBAC Scope Hierarchy
RBAC assignments follow a hierarchy. Permissions granted at a higher scope are inherited by child scopes:
graph TD
MG[Management Group<br/>broadest scope] --> SUB[Subscription]
SUB --> RG[Resource Group]
RG --> R[Individual Resource<br/>narrowest scope]
Best practice: Assign access at the lowest scope possible — this is the principle of least privilege.
Custom RBAC Roles
If built-in roles do not satisfy your requirements, you can create a custom RBAC role. You can clone an existing built-in role and modify the permissions.
A custom role definition contains:
- actions: Management operations the role can perform (e.g.,
*/read). - notActions: Management operations excluded from the allowed actions.
- dataActions: Data operations within a resource (e.g., reading blob data).
- notDataActions: Data operations excluded from the allowed data actions.
- assignableScopes: Subscriptions or management groups where this role can be assigned.
1.4 Demo: Authorization with RBAC
Assigning a Role to a User (Subscription Scope)
Goal: Give user Peter Smith Reader access to the entire subscription.
- In the Azure portal, navigate to Subscriptions → click your subscription.
- Click Access control (IAM) → + Add → Add role assignment.
- Under the Role tab, select Reader → click Next.
- Under the Members tab, click + Select members → search for Peter → click Select.
- Click Review + assign → Assign.
- Confirm under Role assignments that Peter has the Reader role.
Peter can now log in and view all resources in the subscription.
Assigning a Role to a Group (Resource Scope)
Goal: Give the Developers group Contributor access to a specific App Service (not the whole resource group).
- Navigate to the App Service → Access control (IAM) → + Add → Add role assignment.
- Select the Contributor role → click Next.
- Click + Select members → search for Developers (the group) → click Select.
- Click Review + assign.
Now all members of the Developers group (including Peter) have Contributor access to that specific web application.
Assigning a Role to a Managed Identity (Workload Authorization)
Goal: Allow an App Service (with managed identity enabled) to read and write blobs in a Storage Account.
Why not use a storage access key? If someone compromises the access key, they have full access to the storage account. Identity-based access is more secure.
- Navigate to the Storage Account → Access control (IAM) → + Add → Add role assignment.
- Search for and select Storage Blob Data Contributor (resource-specific role).
- Click Next → + Select members → search for the App Service name (it appears because managed identity is enabled) → Select.
- Click Review + assign.
The App Service now has secure, identity-based access to the Storage Account without using access keys or SAS tokens.
1.5 Demo: Custom RBAC Roles
Scenario: Create a custom role called GloboReader that has Reader permissions across all resources but also has read/write access to Blob Storage data.
Steps to Create a Custom Role
- Navigate to Subscriptions → your subscription → Access control (IAM) → Roles tab.
- Find the Reader built-in role → click on it → Clone to start from the Reader definition.
- Name the new role (e.g., GloboReader).
- Click Next → Edit to modify the JSON definition.
- Add the necessary
actionsanddataActionsfrom the Storage Blob Data Contributor role. - Click Save → Review + create → Create.
The new custom role now appears in the roles list and can be assigned to users, groups, or managed identities.
Custom Role JSON Definition Example
The following is the complete JSON definition for a GloboReader custom role — it combines Reader permissions with Blob Storage read/write data access:
{
"id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id>",
"properties": {
"roleName": "GloboReader",
"description": "this role has Reader permissions plus blob read/write data",
"assignableScopes": [
"/subscriptions/<subscription-id>"
],
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
]
}
}
Key fields explained:
actions: Management plane permissions.*/readgrants read access to all Azure resource types.notActions: Exclusions from theactionslist.dataActions: Data plane permissions — grants the ability to read, write, delete, and move blob objects inside containers.notDataActions: Exclusions from thedataActionslist.assignableScopes: Limits where this role definition can be assigned (here: a specific subscription).
1.6 Identity Best Practices
As a Cloud Architect, you are responsible for designing and implementing identity best practices for Azure resources.
Authentication Best Practices
| Best Practice | Details |
|---|---|
| Do not use user accounts for workloads | Always create a service principal (app registration or managed identity) for workloads such as VMs or function apps |
| Use groups instead of individual users | Makes future permission management far more scalable |
| Enforce passwordless sign-ins | Where supported, eliminate the need for username/password combinations |
| Use Conditional Access policies | Protect resources based on contextual conditions |
| Use Privileged Identity Management (PIM) | Enforce just-in-time access for elevated roles |
| Enforce Multi-Factor Authentication (MFA) | Use MFA and identity protection to guard user accounts |
Microsoft Entra Conditional Access
Conditional Access is a premium feature of Microsoft Entra ID (requires a premium license). Policies are enforced after the user has completed the first-factor authentication (e.g., entered their username and password).
Conditional Access policies allow you to allow or block access based on conditions:
| Example Condition | Action |
|---|---|
| User logging in from an iOS device | Require multi-factor authentication |
| User connecting from outside the United States | Block access |
| Administrator logging in | Require a compliant device |
flowchart TD
A[User enters username and password] --> B{First-factor auth successful?}
B -- No --> Z[Access Denied]
B -- Yes --> C{Conditional Access Policy Check}
C -- Compliant --> D[Access Granted]
C -- Non-compliant --> E{Policy Action}
E -- Require MFA --> F[MFA Challenge]
F -- Pass --> D
F -- Fail --> Z
E -- Block --> Z
Privileged Identity Management (PIM)
PIM is a premium Entra ID feature that provides just-in-time (JIT) access to RBAC roles. The access is removed after an expiry date.
Example workflow:
- Reza is configured as eligible for the Contributor role on the subscription.
- When Reza needs the Contributor role, he requests activation.
- An administrator reviews and approves Reza’s request.
- Reza receives the assignment and becomes a Contributor.
- The role assignment expires after 4 hours (this time is configurable).
Why PIM matters: If someone compromises Reza’s account on a weekend, they cannot use the Contributor permission because the role is not permanently assigned — it must be actively requested and approved.
PIM Capabilities:
| Capability | Description |
|---|---|
| Time-bound RBAC role assignment | Roles expire after a configured period |
| Admin approval required | Activation of sensitive roles requires a human reviewer |
| MFA enforcement | MFA can be required before activating a role |
| Justification required | Users must provide a reason for activating a role (useful for audits) |
| Notification emails | Alerts sent when a role is activated |
| Activation history download | Full audit trail for compliance reviews |
sequenceDiagram
participant User as Reza (Eligible)
participant PIM as PIM / Entra ID
participant Admin as Administrator
User->>PIM: Request role activation (Contributor)
PIM->>Admin: Approval notification
Admin->>PIM: Approve request
PIM-->>User: Role activated (e.g., 4-hour window)
Note over User,PIM: Role expires automatically after 4 hours
Authorization Best Practices
| Best Practice | Details |
|---|---|
| Principle of least privilege | Grant minimum required access at the lowest possible scope |
| Prefer resource-specific RBAC roles | Use Storage Blob Data Contributor instead of Contributor where possible |
| Use custom roles only when necessary | Custom roles increase maintenance overhead |
| Perform regular access reviews | Remove unused access from accounts that no longer need it or have left the company |
| Prefer identity-based access over credential-based | Avoid embedding keys and tokens in code or configuration |
| Use resource locks | Protect critical resources from accidental deletion or modification |
1.7 Demo: Identity Best Practice Tools in the Azure Portal
Identity Governance Features
In the Azure portal, navigate to Entra ID → Manage → Identity Governance to access:
- Access Reviews: Set up automatic, scheduled access reviews for users with elevated permissions. Example: If Peter is an administrator, schedule a review every 6 months — if the reviewer confirms Peter no longer needs access, it is automatically revoked.
- Privileged Identity Management (PIM): Configure time-limited role assignments with approval workflows.
- Conditional Access: Define security policies to allow or block user access based on compliance with conditions.
Microsoft Entra Admin Center
The Microsoft Entra Admin Center (entra.microsoft.com) provides centralized access to all aspects of Entra ID, including:
- Enterprise apps → Conditional Access policy definitions
- Users and Groups → PIM and access review configuration
- App registrations → Manage service principal identities
- Roles and administrators → Manage role assignments
- Authentication methods → Configure MFA, SMS authentication, Microsoft Authenticator
- Monitoring and health → Sign-in logs, audit logs, and other investigation logs
Licensing note: Conditional Access and PIM are premium Entra ID features. You need Microsoft Entra ID Premium P1 (for Conditional Access) or Premium P2 (for PIM and access reviews) licenses to use these features.
Module 2: Designing Governance for Azure Solutions
2.1 Governing Azure Workloads
Why Governance Matters
Azure governance enables you to control how resources are created and managed. This helps you comply with government, industry, and security standards.
Industry and Government Standards
| Standard / Regulation | Applicability |
|---|---|
| HITRUST | US healthcare organizations handling patient information |
| PCI DSS | Organizations handling financial/payment card information |
| SOC (Service Organization Control) | Security, disaster recovery, and availability best practices |
| GDPR | Applications targeting European Union citizens — ensures personal data stays within EU borders |
| FedRAMP | US government applications — security and monitoring best practices |
Azure Well-Architected Framework
Microsoft Azure bundles best practices and recommendations into the Azure Well-Architected Framework, which has 5 pillars:
graph TD
WAF[Azure Well-Architected Framework] --> R[Reliability<br/>Ensure solution is accessible and reliable]
WAF --> S[Security<br/>Ensure solution is secure]
WAF --> CO[Cost Optimization<br/>Optimize spending]
WAF --> OE[Operational Excellence<br/>Follow operational best practices]
WAF --> PE[Performance Efficiency<br/>Scale efficiently to meet demand]
Azure Policy
Azure Policy is the enforcement tool for Azure governance. At scale — with tens, hundreds, or thousands of resources — you can govern all resources with a few clicks.
Azure Policy Definition Examples:
| Policy | Description |
|---|---|
| Block public network access on storage accounts | Ensures only valid users from valid networks can access storage |
| Require Azure Key Vault service firewall to be enabled | Prevents unauthorized network access to Key Vault |
| Allow resources only in specified regions | Enforces data residency requirements |
| Block GPU virtual machine SKUs | Prevents expensive GPU VMs from being created, saving costs |
Policy Components
graph LR
D[Policy Definition<br/>What rule to enforce] --> PA[Policy Assignment]
S[Scope<br/>Where to enforce] --> PA
P[Parameters<br/>Configuration values] --> PA
E[Effect<br/>What action to take] --> PA
Policy Definition: The rule itself. Microsoft provides hundreds of built-in definitions. You can also create custom ones.
Scope: The resources the policy governs:
- Management group (governs all child subscriptions and their resources)
- Subscription (governs all child resource groups and resources)
- Resource group
- You can create exclusions/exemptions for a subset of resources within a scope.
Policy Effects:
| Effect | Description |
|---|---|
| Audit | Creates a warning and reduces the compliance score. Does not block deployment or enforce the policy. |
| Deny | Blocks the resource deployment if it violates the policy rule. |
| Modify | Adds, updates, or removes properties on resource deployments to bring non-compliant resources into compliance. |
Not all effects are supported by every policy — check each policy definition for its supported effects.
Important: A policy assignment only affects deployments made after the policy is assigned. Existing non-compliant resources continue to exist but will reduce your overall compliance score.
2.2 Demo: Azure Policy — Enforcing Data Residency
Scenario: Globomantics company needs all Azure resources deployed within Canada (Canada Central and Canada East). Resources outside Canada are not allowed.
Steps
- In the Azure portal, navigate to Policy (search “policy” in All services).
- Click Authoring → Definitions to browse available built-in and custom policies.
- Search for “location” → select Allowed locations.
- Click Assign.
- Set the Scope to the entire subscription (or limit to a resource group if needed).
- Click Next → Under Parameters, select the allowed locations: Canada Central and Canada East.
- Click Next → Review + create → Create.
Testing the Policy
- Navigate to Storage accounts → + Create.
- Select a region outside Canada (e.g., Japan East).
- The portal immediately shows a policy violation: Allowed locations — the resource deployment is blocked.
This works because the Allowed locations policy uses the Deny effect.
Key Takeaway
The policy does not delete resources that were deployed before the policy was assigned. Those resources remain but reduce the overall compliance score. Only new deployments are blocked.
2.3 Using Policy Initiatives to Comply with Industry Standards
What is a Policy Initiative?
A policy initiative (also called a policy set) is a bundle of multiple policy definitions grouped together for easier assignment. Rather than assigning tens or hundreds of individual policies, you assign one initiative.
Pre-Built Initiatives
Microsoft provides pre-built initiatives for common compliance standards:
| Initiative | Standard |
|---|---|
| HITRUST/HIPAA | Healthcare data protection |
| PCI DSS (v3.2, v4.0.1) | Payment card industry data security |
| SOC 2 | Security, availability, and confidentiality |
| GDPR | EU personal data protection |
| FedRAMP | US government security requirements |
If no built-in initiative matches your need, you can create a custom initiative.
Initiative Scope
Initiative scopes follow the same hierarchy as policy scopes:
- Management group (recommended for organization-wide standards)
- Subscription
- Resource group
In practice, you typically assign initiatives to a subscription or parent management group to ensure all resources are covered.
The Compliance Requirement
Critical point: Assigning an initiative is not enough to claim compliance. After assigning the initiative:
- Wait for Azure Policy to evaluate all resources (typically up to 24 hours).
- Navigate to the compliance dashboard.
- You must achieve a 100% compliance score before claiming compliance to that standard.
flowchart LR
A[Assign Initiative] --> B[Wait for Policy Evaluation]
B --> C{Compliance Score?}
C -- Less than 100% --> D[Fix non-compliant resources]
D --> B
C -- 100% --> E[Compliance Claimed]
E --> F[Present to Auditors for Certification]
2.4 Demo: Azure Policy Initiative — PCI-DSS Compliance
Scenario: Globomantics is handling customer financial information (credit card numbers, bank account information) and must become PCI DSS compliant.
Steps
- In the Azure portal, navigate to Policy → Authoring → Definitions.
- Search for “PCI” — three options appear: PCI DSS v4, v4.0.1, and v3.2.
- Select PCI DSS v4.0.1 → click Assign.
- Set the Scope to the subscription.
- Click Next → Review and fill in required parameters (varies by initiative type).
- Optionally set a custom non-compliance message.
- Click Create.
Reviewing Compliance
- Navigate to Policy → Compliance.
- Find PCI DSS v4 in the list.
- The compliance score shows the percentage of compliant resources.
- Click the initiative to see:
- Which resources are non-compliant.
- The reason for non-compliance.
- Remediation suggestions.
Example: The PCI DSS v4.0.1 initiative consists of 213 individual policies covering resources such as Cosmos DB, Azure AI Services, Storage Accounts, and more. If a service is not present in the subscription, that policy is skipped.
Disclaimer: A 100% compliance score on the initiative does not automatically mean you are PCI certified. You still need to engage auditors, present the initiative and compliance score, and go through the official certification process.
2.5 Balancing Compliance and Agility
As a Cloud Architect, you must find the right balance between compliance and development agility.
The Trade-off
graph LR
A[Strong Enforcement<br/>More policies, stricter rules] -->|Results in| B[Higher Compliance Score]
A -->|Results in| C[Lower Development Agility<br/>More guardrails for developers]
D[Weak Enforcement<br/>Fewer policies, loose rules] -->|Results in| E[Lower Compliance Score]
D -->|Results in| F[Higher Development Agility<br/>Developers move faster]
| Environment | Recommended Approach |
|---|---|
| Production (real customer data) | High compliance enforcement — failing to comply with GDPR, PCI DSS, or HIPAA can result in heavy fines, data loss, and customer attrition |
| Pre-production | Moderate enforcement |
| Test | Lower enforcement, more agility |
| Development | Minimal restrictive policies — let the team set up quickly |
Recommendations for Balancing Compliance and Agility
- Create separate subscriptions or resource groups for each environment (dev, test, pre-prod, prod). This lets you assign different policies per environment.
- Minimize restrictive policies in early development phases so the team can quickly set up the project.
- Use policy exemptions to ease guardrails for development environments or edge cases — but ensure exemptions have expiry dates where applicable.
2.6 Demo: Balancing Compliance and Agility with Scopes and Exemptions
Scenario: A policy requiring a createdBy tag on all resources is assigned to the subscription. The dev resource group is exempted so developers can work freely without tagging every resource.
Assigning a Tag Policy
- Navigate to Policy → Authoring → Definitions.
- Search for “Require a tag on resources” → select it (effect: Deny).
- Click Assign → set Scope to the subscription.
- Under Parameters, enter the tag name:
createdBy. - Click Review + create → Create.
Creating a Policy Exemption for the Dev Resource Group
- Navigate to Policy → Assignments → find the tag policy assignment.
- Click Create exemption.
- Under Exemption scope, select the dev resource group → click Select.
- Enter a descriptive name (e.g., Do not require a tag on dev resources).
- Set the Exemption category:
- Waiver: Accepting the risk.
- Mitigated: You have already addressed the risk through other means.
- Optionally set an expiration date for the exemption.
- Click Create.
Result
- Production resource group: Creating a storage account without a
createdBytag is blocked by the policy. - Dev resource group: Creating a storage account without a
createdBytag is allowed — the exemption bypasses the policy effect.
Architect’s note: The decision on which policies to exempt in which environments is yours to make based on your project, organization, and jurisdiction. The goal is to enable development speed while protecting production data.
Module 3: Designing Incident Response and Monitoring for Azure Solutions
3.1 Monitoring Azure Resources
Why Monitor?
Effective monitoring of Azure resources provides:
- Early detection of anomalies and issues, often before end users notice them.
- Faster issue resolution thanks to detailed, high-quality logs.
- Proactive optimization by detecting misconfigurations before they become problems.
- Visibility into system performance, security posture, and cost.
Azure Monitor Overview
Azure Monitor is a comprehensive group of services for collecting monitoring data from Azure and on-premises environments. Using Azure Monitor services, you can collect:
- Metrics — Numerical time-series data (e.g., CPU percentage, request count)
- Logs — Structured records of events
- Diagnostics — Detailed resource diagnostic information
- Activity logs — Who did what, when, on which Azure resource
- Telemetry — Application-level data from applications and operating systems
graph TD
R1[Azure Resources] --> AM[Azure Monitor]
R2[Applications] --> AM
R3[Operating Systems] --> AM
R4[On-premises Resources] --> AM
AM --> LAW[Log Analytics Workspace<br/>Query and analyze]
AM --> SA[Storage Account<br/>Long-term retention / archival]
AM --> EH[Event Hubs<br/>Real-time event processing]
Log Destinations
You configure where logs are sent using Diagnostic Settings — a per-resource configuration that defines what logs and metrics are sent to which destination(s).
| Destination | Use Case |
|---|---|
| Log Analytics Workspace | Query and analyze logs using KQL; near-real-time investigation |
| Storage Account | Long-term retention (years) at lower cost using cool/cold/archive tiers |
| Event Hubs | Trigger automated responses via Azure Functions, Logic Apps, or event processors |
A single resource can be configured to send logs to multiple destinations simultaneously.
3.2 Monitoring Azure Infrastructure Using Log Analytics Workspace
What is Log Analytics Workspace?
Azure Log Analytics Workspace is the most common destination for Azure Monitor logs. Think of it as a database for logs. Multiple Azure resources across a subscription can send their logs to a single workspace.
graph TD
WA[Web Application] -->|Diagnostic Settings| LAW[Log Analytics Workspace]
VM[Virtual Machine] -->|Diagnostic Settings| LAW
SA[Storage Account] -->|Diagnostic Settings| LAW
CDB[Cosmos DB] -->|Diagnostic Settings| LAW
LAW --> T1[Table: AppTraces]
LAW --> T2[Table: StorageBlobLogs]
LAW --> T3[Table: AzureMetrics]
LAW --> T4[Table: AzureActivity]
Key points:
- Multiple resources can send logs to a single Log Analytics Workspace.
- Logs from different resources may go into the same or different tables within the workspace.
- Consult resource documentation to find which tables contain the logs you need.
Architecture Best Practices for Log Analytics
| Best Practice | Details |
|---|---|
| Separate workspaces per environment | Create dedicated workspaces for DEV, TEST, and PROD to segregate logs |
| Use KQL for investigation | Kusto Query Language is the powerful query language for Log Analytics |
| Adjust data retention | Set retention periods appropriate to your needs — logs are deleted after the retention period |
| Use Storage Account for long-term archival | Send logs to a Storage Account for retention beyond Log Analytics pricing tiers |
| Set daily ingestion caps for non-production | Limit costs by capping log ingestion in dev/test; do NOT cap production |
Cost Considerations
Log Analytics Workspace is not free. Costs are incurred for:
- Data ingestion — the volume of logs ingested per day.
- Data retention — how long logs are stored.
Cost optimization strategies:
- Set a daily cap for non-production workspaces (e.g., 1 GB/day).
- Adjust retention periods — default is 30 days; logs are auto-deleted afterward.
- Export logs to Azure Storage Account (cool/cold/archive tiers) for long-term, cheaper storage.
- Configure retention at the table level for granular control.
3.3 Demo: Log Analytics Workspace
Creating a Log Analytics Workspace
- In the Azure portal, navigate to All services → search for “log analytics” → click Log Analytics Workspace.
- Click + Create.
- Select a resource group, enter a name, choose a region.
- Click Review + create → Create.
Configuring Diagnostic Settings on a Storage Account
- Navigate to Storage accounts → select a storage account.
- Under Monitoring, click Diagnostic settings.
- Click on the blob service diagnostic settings.
- Click + Add diagnostic setting.
- Select the logs you want to send (e.g., StorageLogs, Transaction logs).
- Check Send to Log Analytics workspace → select your workspace.
- Click Save.
You can create multiple diagnostic settings on a single resource to send different logs to different destinations (e.g., one to Log Analytics for querying, another to a storage account for archival).
Querying Logs with KQL
Navigate to your Log Analytics Workspace → Logs to run KQL queries.
Query 1: List distinct operations performed on the Storage Account
StorageBlobLogs
| distinct OperationName
Sample results: ListContainers, ListBlobs, PutBlob, GetBlob
Query 2: List all new blob uploads in the last 24 hours
StorageBlobLogs
| where OperationName == 'PutBlob'
Query 3: Get details for blob uploads (IP, file name, auth type)
StorageBlobLogs
| project CallerIpAddress, ObjectKey, AuthenticationType, Category, _ResourceId, OperationName
| where OperationName == 'PutBlob'
Query 4: Find the most common errors in the last 3 days
// Most common errors
// List 10 most common errors over the last 3 days.
StorageBlobLogs
| where TimeGenerated > ago(3d) and StatusText !contains "Success"
| summarize count() by StatusText
| top 10 by count_ desc
Workspace scope vs. resource scope: Running a query directly from a storage account shows logs only for that resource. Running the same query from the Log Analytics Workspace shows logs from all resources sending data to that workspace.
Managing Costs in Log Analytics
- In your Log Analytics Workspace, click Usage and estimated costs.
- Set a daily cap: Click Daily cap → configure a maximum ingestion limit (e.g., 1 GB/day). Logs beyond the cap for that day will not be ingested. Do not use this for production workspaces.
- Change retention period: Click Data Retention → modify the global retention (default: 30 days).
- Table-level retention: Under Tables, configure retention independently per table.
3.4 Demo: Monitoring Applications with Application Insights
What is Application Insights?
Application Insights is a member of the Azure Monitor Insights family. It uses Azure Monitor Logs plus custom telemetry from your application to monitor the availability, performance, and usage of cloud or on-premises applications.
Other members of the Azure Monitor Insights family:
- Azure VM Insights
- Azure Container Insights
- Network Insights
- Storage Insights
- Cosmos DB Insights
- Key Vault Insights
- Data Explorer Insights
graph TD
AM[Azure Monitor] --> Insights[Azure Monitor Insights]
Insights --> AI[Application Insights<br/>App availability, perf, usage]
Insights --> VMI[VM Insights<br/>VM performance and health]
Insights --> CI[Container Insights<br/>AKS and containers]
Insights --> NI[Network Insights<br/>Network performance]
Insights --> SI[Storage Insights]
Insights --> KVI[Key Vault Insights]
Application Insights Capabilities
| Capability | Description |
|---|---|
| Uptime monitoring | Track application availability |
| Response time tracking | Measure server response latency |
| Error and failure rate tracking | Identify failing requests |
| End-to-end transaction tracking | Trace individual requests through the entire call chain |
| Code-level issue identification | Pinpoint performance problems at the code level |
| User and session analytics | Understand how end users interact with the application |
| Live metrics stream | Real-time view of incoming/outgoing requests and application health |
Supported frameworks and platforms:
- .NET / ASP.NET Core
- Java
- Python
- Node.js
- Azure Kubernetes Service (AKS)
- API Management
Cost Optimization for Application Insights
Similar to Log Analytics Workspace, Application Insights charges for data ingestion and storage. Strategies to reduce cost:
- Enable data sampling: Reduces the volume of telemetry sent from the Application Insights SDK to the service (statistically representative subset rather than all events).
- Set data volume caps: Limit ingestion for non-production environments.
Using Application Insights in the Azure Portal
- Navigate to your App Service → under Monitoring, click Application Insights.
- Enable the integration — this creates a new Application Insights resource linked to the web app.
- Click the Application Insights resource to access the dashboard.
Dashboard overview:
- Failed requests — count of HTTP 5xx/4xx errors.
- Server response time — average latency.
- Server requests — total request volume.
- Application availability — uptime percentage from availability tests.
Investigation features:
| Feature | Purpose |
|---|---|
| Live Metrics | Real-time stream of incoming requests, outgoing requests, and failures |
| Transaction search | Browse all request and response transactions over a time window; drill into specific transactions |
| Availability | Create HTTP tests to monitor uptime — Application Insights pings a URL at a set interval from multiple global locations |
| Failures | Drill into failed requests and exceptions |
| Performance | Analyze latency; identify slow operations and dependencies |
| Users and Sessions | Understand individual user sessions and event funnels |
3.5 Demo: Alerts and Action Groups
What are Azure Monitor Alerts?
Alerts are triggered when something goes wrong with your Azure resources or hosted applications. Alerts enable you to detect and respond to issues proactively.
You can create alert rules for:
- Metrics — e.g., if average CPU on an App Service in the last 5 minutes exceeds 65%.
- Logs — e.g., if a KQL query returns at least one row (indicating an anomaly).
Action Groups
When an alert triggers, you can respond using an Action Group — a collection of actions to perform. Common action types:
| Action Type | Examples |
|---|---|
| Notification | Send email, SMS, push notification, or voice call to an administrator |
| Webhook | Call an external web service or REST API |
| ITSM integration | Create a ticket in an external ticketing tool (e.g., ServiceNow) |
| Azure Function | Invoke a serverless function to perform custom logic |
| Logic App | Trigger an automated workflow |
| Automation Runbook | Run an Azure Automation runbook |
| Event Hub | Post an event to Event Hubs for downstream processing |
Example automated response: If a CPU high alert fires for your cluster, a Logic App can automatically add a new instance to scale out.
Alert fatigue warning: Receiving tens or hundreds of alerts per day causes operators to ignore them. Tune your alert rules carefully to reduce noise and focus on meaningful events.
flowchart TD
R[Azure Resource / Application] -->|Metric or Log event| AR[Alert Rule]
AR -->|Condition met| A[Alert Triggered]
A --> AG[Action Group]
AG --> E[Email/SMS to Admin]
AG --> WH[Webhook call]
AG --> FA[Azure Function<br/>Custom automation]
AG --> LA[Logic App<br/>Orchestrated workflow]
AG --> RB[Automation Runbook]
AG --> IT[ITSM Ticket]
Creating an Alert Rule for HTTP Server Errors
Goal: Receive an email whenever an App Service reports an HTTP 500 server error.
- Navigate to your App Service → under Monitoring, click Metrics.
- Select the metric HTTP Server Errors.
- Click New alert rule.
- Configure the condition:
- Aggregation type: Total
- Operator: Greater than or equal to
- Threshold value: 1
- Check every: 5 minutes
- Lookback period: 5 minutes
- Click Actions → + Create action group.
- Enter the action group name (e.g., email-admin) and select the resource group.
- Under Notifications tab: select Email/SMS message/Push/Voice → enter the administrator’s email address.
- Optionally configure Actions (Azure Function, Runbook, ITSM ticket, etc.).
- Click Create for the action group.
- Back in the alert rule, set the Severity (e.g., Error = Sev 2).
- Click Review + create → Create.
From this point on, every time the App Service throws an HTTP 500 error, the administrator receives an email alert within ~5 minutes.
3.6 Integrate Governance and Monitoring with Compliance and Incident Response
Monitoring Best Practices
| Best Practice | Details |
|---|---|
| Enable monitoring for all resources | Especially production resources — use Azure Policies to enforce monitoring |
| Use Logic Apps and Functions in action groups | Automate alert responses to improve mean time to recovery (MTTR) |
| Create alerts and action groups | Get notified of issues proactively (e.g., email when CPU is high) |
| Periodically review alerts and policies | Remove stale alerts, update thresholds, ensure policies remain relevant |
| Integrate with Microsoft Sentinel | For advanced threat detection and automated response |
Microsoft Sentinel
Microsoft Sentinel is an Azure-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. It uses AI to provide threat detection, investigation, and automated response.
Microsoft has integrated Microsoft Sentinel with Microsoft Defender XDR. Sentinel features are accessible through the Microsoft Defender portal.
graph TD
subgraph DataSources [Data Sources]
M365[Microsoft 365]
EID[Entra ID]
ASC[Azure Security Center]
MDF[Microsoft Defender]
SAAS[SaaS Apps: SAP, Okta, ServiceNow]
WL[Windows / Linux Machines]
FW[Firewalls: Palo Alto, Cisco, Fortinet, CheckPoint]
AWS[AWS / Google Cloud]
API[Custom: REST APIs, syslog]
end
LAW[Log Analytics Workspace] --> Sentinel[Microsoft Sentinel]
DataSources --> Sentinel
Sentinel --> SIEM[SIEM: Centralized log analytics<br/>Threat detection]
Sentinel --> SOAR[SOAR: Automated threat response]
Sentinel --> Hunt[Threat Hunting:<br/>KQL, Workbooks, Jupyter Notebooks]
Sentinel --> AI[AI-Powered Threat Intelligence:<br/>Anomaly detection, advanced threats]
Microsoft Sentinel Capabilities:
| Capability | Description |
|---|---|
| SIEM | Centralizes log collection and analytics to detect threats |
| SOAR | Automates responses to detected threats using playbooks |
| AI-powered threat intelligence | Detects anomalies and advanced threats using machine learning |
| Investigation and hunting | Built-in KQL queries, workbooks, and Jupyter Notebooks for threat hunting |
| Data connectors | Ingests logs from Azure, Microsoft 365, third-party SaaS, firewalls, on-premises, and multi-cloud |
Sentinel Data Sources:
| Category | Examples |
|---|---|
| Microsoft services | Microsoft 365, Entra ID, Azure Security Center, Microsoft Defender |
| SaaS applications | SAP, Okta, ServiceNow |
| Operating systems | Windows and Linux machines |
| Custom sources | RESTful APIs, syslog agents |
| Firewalls | Palo Alto, Cisco, Fortinet, Check Point |
| Multi-cloud | AWS, Google Cloud |
Architecture note: Microsoft Sentinel sits on top of Log Analytics Workspace to access Azure platform logs, and extends ingestion further through data connectors for non-Azure sources.
graph TD
AzureResources[Azure Resources] -->|Diagnostic Settings| LAW[Log Analytics Workspace]
ExternalSources[External Sources<br/>M365, Firewalls, SaaS, AWS] -->|Data Connectors| Sentinel[Microsoft Sentinel]
LAW -->|Foundation| Sentinel
Sentinel -->|Threat Detected| Playbook[Automated Playbook / SOAR]
Playbook --> Block[Block IP / Disable Account]
Playbook --> Notify[Notify Security Team]
Playbook --> Ticket[Create Incident Ticket]
Appendix: Custom Role Definition — GloboReader
The following is the complete custom RBAC role JSON definition used in the demos. This role grants Reader access across all resources plus read/write/delete access to Azure Blob Storage data:
{
"id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id>",
"properties": {
"roleName": "GloboReader",
"description": "this role has Reader permissions plus blob read/write data",
"assignableScopes": [
"/subscriptions/<subscription-id>"
],
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
]
}
}
How to apply this role definition using Azure CLI:
az role definition create --role-definition @GloboReader.json
How to assign this custom role to a user:
az role assignment create \
--role "GloboReader" \
--assignee "peter@yourtenant.onmicrosoft.com" \
--scope "/subscriptions/<subscription-id>"
Appendix: KQL Queries for Storage Blob Logs
The following KQL (Kusto Query Language) queries can be used in Log Analytics Workspace to investigate Azure Blob Storage activity.
List all distinct operation names on the storage account:
StorageBlobLogs
| distinct OperationName
List all blob upload (PutBlob) operations:
StorageBlobLogs
| where OperationName == 'PutBlob'
Get details for blob uploads (IP address, file name, authentication type):
StorageBlobLogs
| project CallerIpAddress, ObjectKey, AuthenticationType, Category, _ResourceId, OperationName
| where OperationName == 'PutBlob'
Find the 10 most common errors in the last 3 days:
// Most common errors
// List 10 most common errors over the last 3 days.
StorageBlobLogs
| where TimeGenerated > ago(3d) and StatusText !contains "Success"
| summarize count() by StatusText
| top 10 by count_ desc
Reference Links
Identity and Access Management
| Topic | URL |
|---|---|
| Microsoft Entra ID Governance licensing fundamentals | https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals |
| What is Microsoft Entra? | https://learn.microsoft.com/en-us/entra/fundamentals/what-is-entra |
| What is managed identities for Azure resources? | https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview |
| Azure services supporting managed identities | https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status |
| What is Azure role-based access control (Azure RBAC)? | https://learn.microsoft.com/en-us/azure/role-based-access-control/overview |
| Azure built-in roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles |
| Azure custom roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles |
Governance
| Topic | URL |
|---|---|
| Azure Management Groups — Govern | https://learn.microsoft.com/en-us/azure/governance/management-groups/azure-management#govern |
| What is Azure Policy? | https://learn.microsoft.com/en-us/azure/governance/policy/overview |
| Azure Policy definitions effect basics | https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-basics |
| Azure Policy built-in policy definitions | https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies |
| Azure Policy built-in initiative definitions | https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-initiatives |
| Azure Policy initiative definition structure | https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure |
Monitoring and Incident Response
Search Terms
az-305 · identity · governance · monitoring · azure · architect · microsoft · policy · rbac · compliance · log · role · analytics · application · authorization · custom · entra · insights · assigning · identities · scope · workspace · access · agility