Intermediate

Azure Security Fundamentals

Defender for Cloud, encryption, Sentinel, Key Vault, DDoS protection and the shared-responsibility model.

Module 1 – Microsoft Defender for Cloud

Definition

  • CNAPP (Cloud Native Application Protection Platform): unified platform for cloud security.
  • Covers Azure, AWS, and GCP (multi-cloud).
  • Two main functions:
    • CSPM (Cloud Security Posture Management): assess and improve security posture.
    • CWP (Cloud Workload Protection): protect workloads (VMs, containers, databases).

Secure Score

  • Score from 0 to 100% representing the security posture.
  • Based on implemented recommendations.
  • Each recommendation has a potential impact (points).
Secure Score: 62/100
  Recommendations:
  ├── [High]   Enable MFA for admin accounts (+15 points)
  ├── [Medium] Encrypt VM disks (+8 points)
  └── [Low]    Enable boot diagnostics (+3 points)

Defender Plan Levels

PlanDescription
Free (Foundational CSPM)Basic recommendations, Secure Score, some policies
Defender CSPMDeep analysis, Attack Path Analysis, Cloud Security Explorer
Workload PlansSpecific protection per service (Servers, Storage, SQL, etc.)

Module 2 – Encryption in Azure

Encryption at Rest

Key concepts:

Data → encrypted with DEK (Data Encryption Key)
DEK  → encrypted with KEK (Key Encryption Key)
KEK  → stored in Azure Key Vault

Key management types:

TypeWho controls the KEKFlexibility
Platform-managed keysMicrosoftNone, automatic
Customer-managed keys (CMK)You (in Key Vault)Rotation, revocation, audit
Customer-provided keysYou (provided at encryption time)Maximum, but complex

Algorithm: AES-256 (industry standard).

Azure Portal → Storage Account → Encryption → Key type
  → Microsoft-managed keys (default)
  → Customer-managed keys → Key Vault + selected Key

Encryption in Transit

TLS/HTTPS:

  • All Azure communications are encrypted via TLS 1.2+.
  • Azure services exposed on HTTPS only (App Service, Functions, etc.).
  • Minimum TLS version: configurable (enforce 1.2 at minimum).

Data link layer encryption:

  • Between Microsoft datacenters: automatic encryption of physical traffic.
  • Protection against physical interception on cables.

Module 3 – Microsoft Sentinel

Definition

  • Cloud-native SIEM (Security Information and Event Management).
  • Collects, analyzes, and responds to security incidents.

Architecture

Data sources                    Microsoft Sentinel
  ├── Microsoft Defender     →  Data Connectors
  ├── Azure Active Directory  →  Log Analytics Workspace
  ├── Office 365             →  Analytics Rules
  ├── AWS/GCP Events         →  Incidents
  └── Third-party (Cisco, Palo) → SOAR (Playbooks → Logic Apps)

Key Components

ComponentDescription
Data ConnectorsPre-built integrations (Microsoft Defender, Azure AD, AWS, etc.)
Analytics RulesRules for detecting threats (anomalies, known patterns)
IncidentsGrouping of correlated alerts into a single incident
HuntingProactive search in logs via KQL
Playbooks (Logic Apps)Automation of incident responses (SOAR)

Playbook Example

Incident "Suspicious Sign-In"
  → Logic App triggered
    ├── Notify security team (email/Teams)
    ├── Block user in Entra ID
    └── Create a ServiceNow ticket

Module 4 – Regulatory Compliance

Azure Policy

  • Azure service to enforce rules and standards on resources.
  • Continuous evaluation → non-compliant resources identified.
  • Can block non-compliant deployments (Deny effect).
Azure Policy → Assign Policy
  Scope: Subscription or Resource Group
  Policy: "Storage accounts should use encryption"
  Effect: Deny (prevents creating unencrypted accounts)

Regulatory Compliance Dashboard

Microsoft Defender for Cloud → Regulatory Compliance
  ├── Microsoft Cloud Security Benchmark (MCSB)
  ├── PCI-DSS 3.2.1
  ├── HIPAA/HITRUST
  ├── NIST SP 800-53
  └── ISO 27001
  • Each standard divided into controls.
  • Each control linked to assessments (compliant or non-compliant resources).
  • Compliance score per standard.

Compliance Manager (Purview)

  • Cross-Microsoft tool (Azure + Microsoft 365 + Dynamics).
  • Compliance actions assignable to individuals.
  • Overall compliance score for the organization.

Summary

ConceptKey Point
Defender for CloudUnified CNAPP, Secure Score, multi-cloud
Secure ScoreMeasure of security posture (0-100%)
Encryption at restDEK encrypted by KEK (CMK for more control)
Encryption in transitTLS 1.2+, HTTPS, inter-datacenter encryption
Microsoft SentinelCloud-native SIEM, detection, hunting, playbooks
Azure PolicyAutomatic compliance, Deny non-compliant
Regulatory complianceMCSB, NIST, HIPAA, PCI-DSS integrated in Defender


Extended Sections – Azure Security Deep Dive


Section A – Microsoft Defender for Cloud (Deep Dive)

Security Posture and Secure Score

The Secure Score is the central measure of security posture in Defender for Cloud. It reflects the percentage of applied recommendations out of the total weighted available.

Secure Score = (Points earned / Maximum possible points) × 100

Example:
  Max points    : 241
  Points earned : 149
  Secure Score  : 61%

Each recommendation belongs to a Security Control. Implementing all recommendations in a control grants that control’s points.

Security ControlMax PointsExample Recommendation
Enable MFA10MFA required for all owners
Secure management configurations8Disable open management ports
Apply system updates6Missing OS updates on VMs
Encrypt data in transit4Mandatory HTTPS on App Services
Restrict unauthorized network access4NSG on subnets

CSPM vs CWPP

flowchart LR
    subgraph CSPM["CSPM – Posture Management"]
        A[Configuration assessment] --> B[Recommendations]
        B --> C[Secure Score]
        C --> D[Attack Path Analysis]
    end
    subgraph CWPP["CWPP – Workload Protection"]
        E[Defender for Servers] --> F[Runtime alerts]
        G[Defender for Containers] --> F
        H[Defender for SQL] --> F
        F --> I[Incidents]
    end
    CSPM --> J[Microsoft Defender for Cloud]
    CWPP --> J
DimensionCSPMCWPP
ObjectivePrevent misconfigurationsDetect and respond to active threats
When does it act?Continuously (static assessment)In real-time (runtime)
OutputRecommendations, Secure ScoreSecurity alerts, incidents
TierFree (basic) + Defender CSPM (paid)Paid workload plans

Defender Workload Plans

PlanWhat it protectsKey capabilities
Defender for Servers P1Azure VMs, Arc, AWS, GCPIntegrated MDE, Server Secure Score
Defender for Servers P2Same as P1 + advanced functionsVulnerability assessment, JIT access, File Integrity
Defender for ContainersAKS, registries, nodesImage scanning, K8s runtime detection
Defender for SQLAzure SQL, SQL Server on ArcSQL injection detection, abnormal access
Defender for StorageBlob, Files, ADLS Gen2Malware detection, suspicious access
Defender for App ServiceApp Service PlansWeb attack detection, C2 callbacks
Defender for Key VaultAzure Key VaultSuspicious access, secret extraction
Defender for DNSAzure DNS resolutionDNS tunneling, exfiltration

Alert Suppression and Workflow Automation

Alert suppression: rules to hide known false positives to reduce noise.

Defender for Cloud → Security Alerts
  → Create suppression rule:
    ├── Rule name    : "Test-VM-Pentest"
    ├── Reason       : Planned test/maintenance
    ├── Scope        : Subscription / Resource group
    ├── Target alert : "Suspicious PowerShell cmdlets"
    └── Duration     : 7 days

Workflow automation: integration with Logic Apps to automatically respond to alerts or recommendations.

Trigger: "High" severity alert created
  → Logic App triggered:
    ├── Send email to SOC team
    ├── Post a Teams message
    ├── Create an incident in ServiceNow
    └── Launch an Azure Automation runbook (auto-remediation)

Regulatory Compliance Dashboard

Compliance in Defender for Cloud is assessed continuously. Each standard is broken down into controls, which are in turn linked to resource assessments.

Standard: PCI-DSS 3.2.1
  ├── Control 1.1 – Firewall standards
  │     ├── Assessment: NSG configured ✓
  │     └── Assessment: Unnecessary ports closed ✗
  ├── Control 3.4 – Cardholder data encryption
  │     └── Assessment: SQL encrypted ✓
  └── Control score: 67%

Section B – Microsoft Sentinel (Deep Dive)

Complete SIEM + SOAR Architecture

flowchart TD
    subgraph Sources["Data Sources"]
        A1[Microsoft Defender XDR]
        A2[Microsoft Entra ID]
        A3[Office 365 / M365]
        A4[Azure Activity Log]
        A5[AWS / GCP via connectors]
        A6[Network devices – Cisco, Palo Alto]
        A7[Endpoints – Syslog, CEF]
    end

    subgraph Sentinel["Microsoft Sentinel"]
        B1[Data Connectors]
        B2[Log Analytics Workspace]
        B3[Analytics Rules]
        B4[Incidents & Alerts]
        B5[Workbooks]
        B6[Threat Hunting KQL]
        B7[UEBA]
        B8[Playbooks – Logic Apps]
    end

    Sources --> B1 --> B2
    B2 --> B3 --> B4
    B2 --> B5
    B2 --> B6
    B2 --> B7
    B4 --> B8

Data Connectors

Data connectors ingest logs from various sources using different mechanisms:

MechanismExample Sources
Native Microsoft APIsMicrosoft Defender XDR, Entra ID, Office 365
Azure Monitor Agent (AMA)Windows/Linux VMs, on-prem servers via Arc
Syslog / CEFNetwork devices, firewalls (Cisco ASA, Palo Alto, Fortinet)
REST API / WebhookThird-party sources, business applications
Amazon S3AWS CloudTrail logs, VPC Flow Logs

Analytics Rules – Types

Rule TypeDescriptionUse Case
Microsoft SecurityCreates incidents from Defender alertsQuick Defender → Sentinel integration
ScheduledKQL executed at regular intervalsCustom pattern detection
NRT (Near Real-Time)Near-instant (latency ~1 min)Real-time critical alerts
Anomaly (ML)ML-based anomaly detectionUnusual behaviors
FusionAutomatic multi-source correlationAPTs, multi-stage attacks
Threat IntelligenceComparison with IOCs (IPs, domains)Known compromise indicators

KQL Rule Example – Suspicious Sign-ins

SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"  // Sign-in failures
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 5m)
| where FailedAttempts > 10
| project TimeGenerated, UserPrincipalName, IPAddress, FailedAttempts
| order by FailedAttempts desc

Incidents and Severity

Incident: "Multiple failed sign-ins followed by successful login"
  ├── Severity    : High
  ├── Status      : Active
  ├── Alerts      : 3 correlated alerts
  ├── Entities    : User: j.doe@contoso.com, IP: 192.168.x.x
  ├── Tasks       : Review post-login activities
  └── Assigned to : SOC Analyst Tier 2

UEBA – User and Entity Behavior Analytics

The UEBA module builds behavior profiles for each user and entity (machine, application). It detects abnormal deviations.

  • Analyzes sign-in logs, Azure AD activities, resource access.
  • Assigns an investigation priority score to each user.
  • Identifies compromised accounts, malicious insiders, lateral movements.
User: alice@contoso.com
  Investigation Priority Score: 87/100 (High)
  Detected anomalies:
    ├── Login from unusual country (Russia)
    ├── Abnormal download volume (+500% vs baseline)
    └── Access to sensitive resources never accessed before

Workbooks

Sentinel workbooks are interactive dashboards built on Azure Monitor Workbooks. They allow visualizing:

  • Incident trends over time
  • Geolocation of sign-ins
  • Data connector status
  • Threat hunting results

Threat Hunting

Threat hunting is a proactive approach: the analyst formulates a hypothesis and searches logs for evidence of compromise before an alert is triggered.

Hypothesis: "An attacker is exfiltrating data via DNS"
  KQL Query:
    DnsEvents
    | where Name endswith ".ru" or Name endswith ".xyz"
    | summarize count() by Name, ClientIP
    | where count_ > 100
    | order by count_ desc

Playbooks (Logic Apps)

Playbooks automate responses (SOAR). They are triggered on alerts or incidents.

Playbook: "Auto-Block-Suspicious-IP"
  Trigger  : Sentinel incident created (severity ≥ Medium)
  Actions  :
    1. Extract the IP from the incriminated entity
    2. Call Azure Firewall API → add blocking rule
    3. Send Teams notification to SOC
    4. Add comment to Sentinel incident
    5. Change incident status → "In Progress"

Section C – Azure Key Vault (Deep Dive)

Types of Managed Objects

flowchart LR
    KV[Azure Key Vault] --> S[Secrets]
    KV --> K[Keys]
    KV --> C[Certificates]

    S --> S1[DB connection strings]
    S --> S2[Passwords, API keys]
    S --> S3[OAuth tokens]

    K --> K1[RSA 2048/3072/4096]
    K --> K2[EC P-256/P-384]
    K --> K3[AES symmetric keys]

    C --> C1[X.509 Certificates]
    C --> C2[DigiCert / GlobalSign integration]
    C --> C3[Automatic renewal]
TypeDescriptionExample Usage
SecretsArbitrary sensitive data (string)Connection strings, passwords, API keys
KeysCryptographic keys (RSA, EC)CMK encryption, digital signatures
CertificatesFull X.509 certificatesTLS/SSL for App Service, API Management

Access Policies vs RBAC

Two access control models for Key Vault:

DimensionAccess Policies (legacy model)Azure RBAC (recommended)
GranularityPer entire vaultPer individual object (secret/key/cert)
Inherits scopeNoYes (MG → Sub → RG → Vault → Object)
AuditLimitedComplete via Azure Activity Log
Role separationDifficultDedicated built-in roles (Key Vault Officer, Reader…)
Recommended by MicrosoftNo (progressively deprecated)Yes

Key Vault Built-in RBAC Roles:

RoleCan read secrets?Can manage policies?
Key Vault AdministratorYesYes
Key Vault Secrets OfficerYesNo
Key Vault Secrets UserYes (value only)No
Key Vault ReaderMetadata onlyNo
Key Vault Crypto OfficerKeys onlyNo

Soft Delete and Purge Protection

  • Soft Delete: logical deletion — objects are retained 7 to 90 days (default: 90 days) before permanent deletion. Enabled by default since 2021.
  • Purge Protection: prevents permanent purging during the retention period. Critical for CMK (if the key is purged, data is unrecoverable).
az keyvault update \
  --name myVault \
  --enable-soft-delete true \
  --enable-purge-protection true \
  --retention-days 90

Managed HSM

Azure Managed HSM is a fully managed, single-tenant (dedicated), FIPS 140-2 Level 3 compliant service for high-security use cases.

DimensionKey Vault Standard/PremiumManaged HSM
Multi-tenantYesNo (dedicated)
FIPS 140-2Level 1/2 (Premium = Level 2)Level 3
HSM controlMicrosoftShared customer/Microsoft
PriceLess expensiveMore expensive
Use caseMajority of workloadsStrict regulations, finance, healthcare

Key Vault References in App Service and Functions

Key Vault References allow applications to access secrets without storing the value in the application configuration.

# Application Setting in App Service
ConnectionString = @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/DBConn/version)

# Or with the current version (no fixed version)
ConnectionString = @Microsoft.KeyVault(VaultName=myvault;SecretName=DBConn)

The application must have a Managed Identity with the Key Vault Secrets User role.

Private Endpoints for Key Vault

By default, Key Vault is accessible via the Internet (with authentication). For strictly private access:

Key Vault → Networking → Private endpoint connections
  → Create a private endpoint
    ├── VNet: production-vnet
    ├── Subnet: private-endpoints-subnet
    └── DNS integration: privatelink.vaultcore.azure.net

Then: Key Vault → Networking → Firewalls
  → "Allow trusted Microsoft services": Yes
  → "Public network access": Disabled

Section D – Azure DDoS Protection

Basic vs Standard

DimensionDDoS Protection Basic (free)DDoS Protection Standard
ActivationAutomatic for any Azure public IPManual, at VNet level
Protection againstCommon volumetric attacksVolumetric + protocol + application layer attacks
Adaptive tuningNoYes – baselines per public IP
AlertsNoYes – Azure Monitor metrics
Attack reportsNoYes – post-attack analytics
Attack simulationNoYes – via approved partners
SLA / Cost guaranteeNoYes – credit if unnecessary scale-out
DDoS rapid response supportNoYes

Adaptive Tuning

Adaptive tuning automatically builds normal traffic profiles for each protected public IP. Mitigation thresholds are dynamically adjusted.

Public IP: 52.x.x.x (Application Gateway)
  Normal baseline:
    ├── Packets/s  : ~50,000 pps
    ├── Bps       : ~200 Mbps
    └── Connections: ~5,000 CPS

  During a DDoS attack:
    ├── Detected traffic: 2,000,000 pps (× 40 baseline)
    ├── Mitigation automatically activated
    └── Legitimate traffic: uninterrupted pass-through

DDoS Metrics and Alerts

Azure Monitor → Metrics → Public IP address
  Available metrics under DDoS Protection Standard:
    ├── Under DDoS attack or not          (0/1 – critical alert)
    ├── Inbound packets dropped DDoS      (blocked packets)
    ├── Inbound packets forwarded DDoS    (legitimate traffic passed)
    ├── Inbound bytes DDoS                (total volume)
    └── TCP bytes dropped DDoS

Protected Attack Layers

flowchart TD
    A[Incoming DDoS attack] --> B{OSI Layer}
    B --> C[L3/L4 – Volumetric\nEx: UDP flood, ICMP flood]
    B --> D[L4 – Protocol\nEx: SYN flood, Smurf attack]
    B --> E[L7 – Application\nEx: HTTP flood, Slowloris]

    C --> F[DDoS Standard – Automatic protection]
    D --> F
    E --> G[DDoS Standard + WAF\nAzure Application Gateway / Front Door]

DDoS Attack Simulation

Microsoft allows DDoS testing via approved partners (BreakingPoint Cloud, Red Button). The request must be submitted before the test.

Microsoft-approved partners for DDoS testing:
  ├── BreakingPoint Cloud – https://breakingpoint.cloud
  └── Red Button          – https://red-button.net

Process:
  1. Contact the partner
  2. Define the target IP and attack type
  3. Test → observe Azure Monitor metrics
  4. Analyze the post-test attack report

Section E – Microsoft Entra ID (Azure Active Directory)

Fundamental Concepts

flowchart TD
    T[Entra ID Tenant\ncontoso.onmicrosoft.com] --> U[Users]
    T --> G[Groups]
    T --> A[App Registrations]
    T --> SP[Service Principals]
    T --> MI[Managed Identities]

    U --> U1[Members – internal]
    U --> U2[Guests – B2B]

    G --> G1[Security]
    G --> G2[Microsoft 365]
    G --> G3[Dynamic – auto rules]

    A --> SP
    MI --> MI1[System-assigned identity]
    MI --> MI2[User-assigned identity]

Users and Groups

TypeDescriptionUse Case
MemberInternal account to the organizationEmployees, service accounts
Guest (B2B)User from another organizationPartners, external consultants
Security groupGrouping to assign permissionsAzure RBAC, policies, licenses
M365 groupIncludes mailbox, Teams, SharePointCollaboration
Dynamic groupMembers added via attribute ruleAutomation based on title, dept.

App Registrations and Service Principals

  • App Registration: the application’s registration in Entra ID. Defines the app’s identity (client ID, API permissions).
  • Service Principal: the instance of the application in a specific tenant. This is the object that receives RBAC permissions.
App Registration: "MyApp"
  Client ID  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  Permissions: Microsoft Graph – User.Read

  → Service Principal automatically created in the tenant
    → Can receive Azure RBAC roles (e.g.: Contributor on a RG)

Managed Identities

Managed Identities allow an Azure resource to authenticate with other services without storing credentials in code.

TypeDescriptionManagement
System-assignedTied to the resource lifecycleDeleted if the resource is deleted
User-assignedStandalone reusable resourceCan be assigned to multiple resources
# Example: VM accessing Key Vault without a password
  1. Enable Managed Identity on the VM (system-assigned)
  2. Grant the "Key Vault Secrets User" role to the identity
  3. In the VM's code:
     credential = ManagedIdentityCredential()
     client = SecretClient(vault_url, credential)
     secret = client.get_secret("DBPassword")
  → No credentials stored in code or config

Conditional Access

Conditional Access is Entra ID’s access decision engine. It evaluates signals to grant or block access.

flowchart LR
    Signals[Input signals] --> CA[Conditional Access Engine]
    CA --> Decision{Decision}
    Decision --> Allow[Allow]
    Decision --> MFA[Require MFA]
    Decision --> Block[Block]
    Decision --> Compliant[Require compliant device]

    Signals --> S1[User / Group]
    Signals --> S2[Location / IP]
    Signals --> S3[Platform / Device]
    Signals --> S4[Target application]
    Signals --> S5[Entra ID Protection risk score]

Conditional Access policy examples:

PolicyConditionAction
MFA for adminsUser in “Global Admins” groupRequire MFA
Block high-risk countriesLocation: blocked countries listBlock
Require compliant deviceAccess to Office 365Intune-compliant device required
MFA outside corporate networkIP outside enterprise rangesRequire MFA
Block legacy authPOP3, IMAP, SMTP auth protocolsBlock

MFA – Multi-Factor Authentication

MFA adds an authentication layer beyond the password.

MFA MethodSecurityUX
Authenticator App (push)HighExcellent
FIDO2 / PasskeyVery high (phishing-resistant)Excellent
Windows HelloVery highBuilt into Windows
SMS / Voice callLow (SIM swapping)Average
TOTP (6-digit code)MediumGood

Privileged Identity Management (PIM)

PIM enables Just-In-Time (JIT) access: administrators only have elevated rights when they need them, for a limited duration.

Without PIM:
  alice@contoso.com → "Global Administrator" role (permanent)

With PIM:
  alice@contoso.com → "Global Administrator" role (eligible)
    → JIT Activation:
        ├── Max duration: 4 hours
        ├── Required justification: "Planned maintenance"
        ├── Approval required: manager
        └── MFA required at activation

Section F – Identity and Access – Core Principles

Least Privilege

The principle of least privilege states that a user, service, or system should only have the permissions strictly necessary to accomplish their task.

❌ Bad practice:
  Developer → "Owner" role on the subscription

✓ Good practice:
  Developer → "Contributor" role on their Resource Group only
  CI/CD pipeline → "Contributor" role on the target RG only
  App Service → Managed Identity with "Key Vault Secrets User" only

Zero Trust – Zero Trust Model

Zero Trust is based on the principle: “Never trust, always verify”.

PrincipleDescriptionAzure Mechanisms
Verify explicitlyAlways authenticate and authorize, on all available signalsMFA, Conditional Access, Continuous Access Evaluation
Least privilege accessLimit user access via JIT, JEA, risk-based policiesPIM, RBAC, Conditional Access
Assume breachMinimize blast radius, segment access, encrypt everythingNetwork: NSG/Firewall, Encryption, Sentinel

Identity Governance

FeatureDescription
Access ReviewsPeriodic review of access (who still needs access?)
Entitlement ManagementAccess packages with approval, duration, access policy
Lifecycle WorkflowsOnboarding/offboarding automation (joiners, movers, leavers)
Terms of UseTerms to accept before accessing resources
Access Review:
  Resource  : "Finance-Admins" group
  Frequency : Quarterly
  Reviewers : Members' managers
  If no response: access automatically revoked

Section G – Encryption in Azure (Deep Dive)

Encryption at Rest – Key Hierarchy

flowchart TD
    Data[Data\nBlob, Disk, SQL...] -->|Encrypted with| DEK[DEK\nData Encryption Key\nAES-256]
    DEK -->|Encrypted with| KEK[KEK\nKey Encryption Key\nRSA-2048+]
    KEK -->|Stored in| KV[Azure Key Vault\nor Managed HSM]
    KV -->|Controlled by| Customer[Customer\nCMK]
    KV -.->|Alternative| Microsoft[Microsoft\nPMK]

Storage Service Encryption (SSE) is enabled by default on all Azure storage accounts. AES-256, transparent, no performance impact.

Azure Disk Encryption (ADE) encrypts the OS and data disks of VMs.

  • Windows: uses BitLocker.
  • Linux: uses DM-Crypt.
  • Keys stored in Azure Key Vault.
az vm encryption enable \
  --resource-group myRG \
  --name myVM \
  --disk-encryption-keyvault myVault \
  --volume-type All

Encryption in Transit – Protocols and Standards

flowchart LR
    Client[Client Browser\nMobile App] -->|TLS 1.2 / 1.3\nHTTPS| AppGW[Application Gateway\nFront Door]
    AppGW -->|TLS backend\nHTTPS| AppSvc[App Service\nAKS\nVMs]
    AppSvc -->|TLS 1.2+\nSMB 3.x| Storage[Azure Storage\nAzure SQL\nKey Vault]
    DC1[Azure Datacenter A] -->|Data Link Encryption\nMACsec| DC2[Azure Datacenter B]
ProtocolUse CaseStandard
TLS 1.2 / 1.3HTTPS, API calls, SQL TDSIndustry standard
SMB 3.xAzure Files (file shares)End-to-end SMB encryption
SSHLinux VM admin accessRSA/Ed25519 keys
RDP with TLSWindows VM admin accessNLA + TLS
MACsec / Data LinkInter-datacenter physical trafficIEEE 802.1AE

Minimum TLS configuration on App Service:

Azure Portal → App Service → TLS/SSL settings
  → Minimum TLS Version : 1.2 (recommended)
  → HTTPS Only          : On (HTTP → HTTPS redirect)
  → Client Certificate  : Optional / Required (mTLS)

Azure Confidential Computing

Confidential Computing protects data in use, meaning during processing in memory. Uses hardware Trusted Execution Environments (TEE).

DimensionAt RestIn TransitIn Use
MechanismSSE / ADE / CMKTLS / MACsecConfidential Computing (SGX/SEV)
Protects againstDisk / backup theftNetwork interceptionMalicious memory access (even cloud operator)

Section H – Azure RBAC (Deep Dive)

Scope Hierarchy

flowchart TD
    MG[Management Group] --> Sub[Subscription]
    Sub --> RG[Resource Group]
    RG --> R[Individual Resource]

    MG -.->|Role assigned here\ninherited in cascade| Sub
    Sub -.->|Inheritance| RG
    RG -.->|Inheritance| R

Role assignments propagate downward in the hierarchy. A role assigned at the Management Group level applies to all subscriptions, resource groups, and resources below.

Main Built-in Roles

RoleReadCreate/ModifyDeleteManage access
Owner
Contributor
Reader
User Access Administrator

Common specialized roles:

RoleTypical ScopeUsage
Virtual Machine ContributorRG / SubManage VMs without network/storage access
Storage Blob Data ContributorStorage AccountRead/write blobs (data plane)
Key Vault Secrets UserKey VaultRead secrets (data plane)
AcrPullContainer RegistryPull images (CI/CD, AKS)
Monitoring ReaderSub / RGView metrics and logs
Network ContributorRGManage network resources

Custom Roles

When built-in roles are too broad, create a custom role with exactly the needed permissions.

{
  "Name": "VM Start/Stop Operator",
  "Description": "Can start and stop VMs only",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}

Control Plane vs Data Plane Difference

DimensionControl PlaneData Plane
ConcernsResource management (ARM)Access to contained data
Storage exampleCreate/delete a storage accountRead/write blobs
Key Vault exampleCreate/delete the vaultRead secrets
RBAC roleContributor, ReaderStorage Blob Data Contributor, KV Secrets User

Section I – Azure Policy (Deep Dive)

Azure Policy Components

flowchart TD
    PD[Policy Definition\nSingle JSON rule] --> I[Initiative\nInitiative Definition\nGrouping of Policy Definitions]
    I --> A[Assignment\nAssignment to a scope]
    A --> E[Evaluation\nResource assessment]
    E --> CR[Compliance Report]
    E --> RT[Remediation Task\nAutomatic remediation]

Policy Effects

EffectWhen it actsDescription
DenyAt creation/modificationBlocks non-compliant resources
AuditContinuouslyMarks as non-compliant but doesn’t block
AuditIfNotExistsContinuouslyAudit if a child resource doesn’t exist
DeployIfNotExistsAt creationDeploys a missing resource
AppendAt creation/modificationAdds fields to the request
ModifyAt creation/modificationAdds/modifies/removes tags or properties
DisabledNeverTemporarily disables the policy

Common Policy Examples

Policy: "Storage accounts should use TLS 1.2"
  Type  : Built-in
  Effect: Deny
  Scope : Subscription
  Action: Blocks creating a storage account with TLS < 1.2

Policy: "Deploy Log Analytics agent for VMs"
  Type  : Built-in
  Effect: DeployIfNotExists
  Action: Automatically deploys the agent if missing

Policy: "Allowed locations"
  Type     : Built-in
  Effect   : Deny
  Parameter: ["eastus", "westeurope", "canadacentral"]
  Action   : Blocks deployment outside authorized regions

Initiatives (Policy Sets)

An initiative groups multiple policy definitions to achieve a common goal.

InitiativeNumber of policiesObjective
Azure Security Benchmark~200+Microsoft global security benchmark
NIST SP 800-53 R5~700+Federal NIST compliance
PCI DSS 3.2.1~400+Payment compliance
HIPAA HITRUST~600+Healthcare compliance
CIS Microsoft Azure Foundations~100+CIS best practices

Remediation Tasks

Some policies with DeployIfNotExists or Modify effects can trigger remediation tasks on existing non-compliant resources.

Azure Portal → Policy → Remediation
  → Create a remediation task:
    ├── Policy     : "Deploy Defender for SQL on SQL VMs"
    ├── Scope      : Subscription
    ├── Locations  : All
    └── Re-evaluate compliance: Yes

  → Result:
    ├── Resources evaluated : 47
    ├── Resources remediated : 12
    └── Resources failed     : 2 (permission error)

Section J – Shared Responsibility Model

Responsibility Matrix

Responsibility LayerOn-PremisesIaaSPaaSSaaS
Data & accessCustomerCustomerCustomerCustomer
ApplicationsCustomerCustomerCustomerMicrosoft
RuntimeCustomerCustomerMicrosoftMicrosoft
MiddlewareCustomerCustomerMicrosoftMicrosoft
OSCustomerCustomerMicrosoftMicrosoft
VirtualizationCustomerMicrosoftMicrosoftMicrosoft
Servers (hardware)CustomerMicrosoftMicrosoftMicrosoft
Physical storageCustomerMicrosoftMicrosoftMicrosoft
Physical networkCustomerMicrosoftMicrosoftMicrosoft
DatacenterCustomerMicrosoftMicrosoftMicrosoft

Reading the table:

  • IaaS (e.g.: Azure VM): Microsoft manages hardware and virtualization. The customer manages the OS, runtime, application, and data.
  • PaaS (e.g.: App Service, Azure SQL): Microsoft manages up to the OS and runtime. The customer focuses on application and data.
  • SaaS (e.g.: Microsoft 365, Dynamics): Microsoft manages everything except customer data and user access management.

Practical Implications

Scenario: SQL database exposed on the Internet
  Microsoft layer: Secure network infrastructure ✓
  Customer layer : SQL firewall not configured ✗
                   Default admin password ✗
  → Breach = CUSTOMER responsibility

Scenario: CMK encryption key accidentally deleted
  Microsoft layer: Key Vault available ✓
  Customer layer : Purge protection not enabled ✗
                   Data unrecoverable
  → Data loss = CUSTOMER responsibility

Section K – Zero Trust Architecture

Core Principles

Zero Trust does not trust any network or user by default, even inside the enterprise perimeter.

flowchart TD
    subgraph ZeroTrust["Zero Trust – Three Pillars"]
        V[Verify Explicitly]
        LP[Least Privilege Access]
        AB[Assume Breach]
    end

    subgraph Signals["Evaluation Signals"]
        U[User identity\nEntra ID + MFA]
        D[Device health\nIntune Compliance]
        L[Location\nIP / Country]
        A[Target application\nData classification]
        R[Risk Score\nEntra ID Protection]
    end

    subgraph Controls["Applied Controls"]
        CA[Conditional Access]
        PIM2[PIM – JIT Access]
        NSG2[Network segmentation\nNSG / Firewall]
        ENC[End-to-end encryption]
        MON[Continuous monitoring\nSentinel + Defender]
    end

    Signals --> ZeroTrust
    ZeroTrust --> Controls

Traditional Model vs Zero Trust

DimensionPerimeter Model (Castle & Moat)Zero Trust
Internal network trustImplicitNon-existent
AuthenticationOnce at VPN connectionContinuous, at each access
AuthorizationNetwork-basedIdentity + context-based
Lateral movementEasy if perimeter breachedDifficult – microsegmentation
Internal encryptionOptionalMandatory
VisibilityLimited to perimeterContinuous across all layers

Zero Trust Implementation in Azure

Identity Layer:
  ├── Entra ID + MFA (phishing-resistant FIDO2)
  ├── Conditional Access – all applications
  └── PIM – privileged access JIT only

Network Layer:
  ├── Microsegmentation – NSG per subnet
  ├── Azure Firewall – inbound/outbound traffic inspection
  └── Private Endpoints – PaaS services on private network

Application Layer:
  ├── WAF (Application Gateway / Front Door)
  ├── API Management – authentication, rate limiting
  └── Managed Identities – no credentials in code

Data Layer:
  ├── Encryption at rest – CMK for sensitive data
  ├── Encryption in transit – TLS 1.2+ everywhere
  └── Purview – data classification and protection

Monitoring Layer:
  ├── Microsoft Defender for Cloud – posture + alerts
  ├── Microsoft Sentinel – SIEM/SOAR
  └── Azure Monitor + Log Analytics – centralized logs

Section L – Review Questions

Multiple Choice Questions

Question 1: Which score measures overall security posture in Microsoft Defender for Cloud?

  • A) Compliance Score
  • B) Security Index
  • C) Secure Score
  • D) Risk Score

Question 2: What is the main difference between CSPM and CWPP in Defender for Cloud?

  • A) CSPM protects workloads, CWPP assesses posture
  • B) CSPM assesses and improves security posture, CWPP protects workloads in real time
  • C) They are two names for the same service
  • D) CSPM is free, CWPP is always paid

Question 3: In Azure Key Vault, which feature prevents the permanent deletion of a key during the retention period?

  • A) Soft Delete only
  • B) Purge Protection
  • C) Private Endpoint
  • D) RBAC

Question 4: An App Service application needs to access a Key Vault secret without storing credentials in the code. What is the best approach?

  • A) Store the secret in environment variables
  • B) Use an App Registration with a client certificate
  • C) Enable a Managed Identity and use a Key Vault Reference
  • D) Base64-encode the secret in the code

Question 5: What encryption mechanism is used between Microsoft datacenters for physical network traffic?

  • A) TLS 1.3
  • B) IPSec VPN
  • C) Data Link Layer Encryption (MACsec)
  • D) SMB 3.0

Question 6: In the shared responsibility model, who is responsible for configuring the firewall of an Azure VM (IaaS)?

  • A) Microsoft
  • B) The customer
  • C) Both share this responsibility
  • D) Nobody – it’s automatic

Question 7: Which Microsoft Sentinel feature detects abnormal user behaviors based on their historical habits?

  • A) KQL Analytics Rules
  • B) UEBA (User and Entity Behavior Analytics)
  • C) Data Connectors
  • D) Workbooks

Question 8: What is the difference between DDoS Protection Basic and Standard?

  • A) Basic is paid, Standard is free
  • B) Basic only protects VMs
  • C) Standard offers adaptive tuning, alerts, attack reports, and an SLA; Basic is automatic and limited
  • D) There is no functional difference

Question 9: In PIM (Privileged Identity Management), what does “eligible” access mean?

  • A) The user has the role permanently
  • B) The user can temporarily activate the role via a JIT request
  • C) The user is awaiting permanent approval
  • D) The role is disabled

Question 10: Which Azure Policy effect automatically deploys a missing resource when a parent resource is created?

  • A) Audit
  • B) Deny
  • C) DeployIfNotExists
  • D) Append

Question 11: An Azure Key Vault secret was accidentally deleted. Soft Delete is enabled with 90 days retention. What happens?

  • A) The secret is permanently lost
  • B) The secret is recoverable only if Purge Protection is enabled
  • C) The secret is in a “soft-deleted” state and can be restored for 90 days
  • D) The secret is automatically restored after 24 hours

Question 12: In the Zero Trust model, which principle corresponds to “minimize the blast radius by assuming an attack may occur”?

  • A) Verify explicitly
  • B) Least privilege
  • C) Assume Breach
  • D) Defense in depth

General Summary – Azure Security Synthesis Table

Service / ConceptPrimary ObjectiveTier / CostKey Use Case
Defender for Cloud – FreeSecure Score, basic recommendationsFreeAll subscriptions
Defender CSPMAttack Path Analysis, advanced DSPMPaidComplex multi-cloud environments
Defender for Servers P2VM protection + vulnerability scanPaid / VMAll production VMs
Microsoft SentinelCloud-native SIEM + SOARPaid (per GB ingested)SOC, incident detection
Azure Key VaultSecrets, keys, certificatesPaid (operations)Any application with sensitive data
Managed HSMDedicated FIPS 140-2 L3 HSMPaid (hour)Finance, healthcare, strict regulations
DDoS StandardAdvanced DDoS protectionPaid (per VNet)Critical public services
Entra ID P1Conditional Access, PIM, SSPRPaid / userEnterprises
Entra ID P2PIM, Identity Protection, Access ReviewsPaid / userSensitive environments
Azure PolicyAutomatic compliance and governanceFree (policies)Any organization
Azure RBACFine-grained access control to resourcesFreeRequired everywhere
Confidential ComputingIn-memory data protection (TEE)Paid (DCsv3 VMs)Ultra-sensitive data

Advanced Section – Review Questions and Glossary

Review Questions – Azure Security


Question 1 What is the difference between Microsoft Defender for Cloud (Free) and Microsoft Defender CSPM (paid)?

  • A) The Free version does not monitor VMs; CSPM monitors them
  • B) The Free version provides Secure Score and basic recommendations; CSPM adds Attack Path Analysis, DSPM, and advanced multi-cloud connectors
  • C) CSPM is for Azure only; the Free version is multi-cloud
  • D) There is no functional difference

Answer: B — The Free version offers Secure Score and basic security recommendations. Defender CSPM (paid) adds attack path analysis, data security posture management (DSPM), and advanced AWS/GCP connectors.


Question 2 Your SOC team needs to correlate security alerts from multiple Azure services, detect threats, and automate responses. Which Azure service is designed for this use case?

  • A) Microsoft Defender for Cloud
  • B) Azure Policy
  • C) Microsoft Sentinel
  • D) Azure Key Vault

Answer: CMicrosoft Sentinel is the Azure cloud-native SIEM + SOAR. It ingests logs from multiple sources, correlates alerts, detects threats with ML, and can automate responses via Logic Apps playbooks.


Question 3 You need to store a database connection secret used by an Azure Function. What is the best practice?

  • A) Hardcode the secret in the Function code
  • B) Put the secret in an unencrypted environment variable
  • C) Store the secret in Azure Key Vault, access via Managed Identity
  • D) Put the secret in a configuration file in Azure Blob Storage

Answer: C — The best practice is to store secrets in Azure Key Vault and use a Managed Identity to access it with no hardcoded credentials. This follows the Zero Trust principle and eliminates manual secret rotation.


Question 4 Which Azure Key Vault feature allows encrypting Azure SQL Database data with a key that only your organization controls, and whose revocation makes the database immediately inaccessible?

  • A) Transparent Data Encryption (TDE) with Microsoft-managed key
  • B) TDE with Customer-Managed Key (CMK) via Azure Key Vault
  • C) Always Encrypted
  • D) Dynamic Data Masking

Answer: BTDE with CMK (BYOK - Bring Your Own Key) allows your organization to fully control the encryption key in Key Vault. If you revoke access to the key, the SQL database becomes immediately inaccessible.


Question 5 An attacker launches a volumetric DDoS attack on your Azure public web application. What is the minimal native DDoS protection provided for free by Azure?

  • A) No protection — you must buy DDoS Standard
  • B) Azure DDoS Protection Basic — protection for shared Azure infrastructure
  • C) Azure Firewall DDoS mode
  • D) Network Security Groups with anti-DDoS rules

Answer: BAzure DDoS Protection Basic is included free for all Azure customers. It protects Azure’s shared infrastructure against common volumetric attacks. For dedicated protection with financial SLA and advanced telemetry, DDoS Standard (paid per VNet) is available.


Question 6 In the Zero Trust model, what is the difference from the traditional perimeter security model?

  • A) Zero Trust doesn’t use firewalls; the traditional model does
  • B) In the traditional model, internal resources are implicitly trusted; Zero Trust never trusts by default and explicitly verifies each access regardless of location
  • C) Zero Trust is exclusively for cloud; the traditional model for on-premises
  • D) There is no conceptual difference

Answer: B — The traditional perimeter model trusts everything “behind the firewall” (intranet = trusted). Zero Trust assumes compromise is possible everywhere: “Never trust, always verify” — every access is authenticated, authorized, and audited.


Question 7 You need to ensure that TLS certificates for your Azure web applications are automatically renewed before expiration. Which Azure service manages the certificate lifecycle?

  • A) Azure Policy
  • B) Microsoft Defender for Cloud
  • C) Azure Key Vault (with Let’s Encrypt or DigiCert integration)
  • D) Azure App Service (without Key Vault)

Answer: CAzure Key Vault supports the full certificate lifecycle: issuance, secure storage, automatic renewal (via integration with Let’s Encrypt, DigiCert, GlobalSign), and expiration notification.


Glossary – Azure Security

TermDefinition
Zero TrustSecurity model: never trust, always verify
Defense in depthLayered security controls (Physical → Identity → Perimeter → Network → Compute → App → Data)
Defender for CloudCSPM + CWP for Azure, multicloud, and on-premises
Secure Score0-100% score representing security posture in Defender for Cloud
CSPMCloud Security Posture Management — cloud security posture management
CWPCloud Workload Protection — protection of workloads (VMs, containers, etc.)
Microsoft SentinelAzure cloud-native SIEM + SOAR
SIEMSecurity Information and Event Management — security event correlation
SOARSecurity Orchestration Automated Response — response automation
KQLKusto Query Language — query language for Log Analytics and Sentinel
Azure Key VaultVault for secrets, cryptographic keys, and certificates
Managed HSMDedicated FIPS 140-2 Level 3 Hardware Security Module
CMKCustomer-Managed Key — encryption key controlled by the customer
BYOKBring Your Own Key — bring your own key into Key Vault
Managed IdentityAzure AD identity for Azure services, without stored credentials
TDETransparent Data Encryption — encryption of database files at rest
Always EncryptedClient-side SQL Server encryption — server never sees data in plaintext
DDMDynamic Data Masking — mask sensitive data in query results
DDoSDistributed Denial of Service — volumetric attack to saturate a service
DDoS BasicAzure infrastructure DDoS protection, included free
DDoS StandardDedicated DDoS protection per VNet, with financial SLA and telemetry
Attack Path AnalysisCSPM feature: visualize possible attack paths in the infrastructure
PIMPrivileged Identity Management — Just-in-Time access to privileged roles
Conditional AccessRisk-based access policies (Entra ID P1)
Identity ProtectionML-based sign-in risk detection (Entra ID P2)
MFAMulti-Factor Authentication
FIDO2Passwordless authentication standard (physical security keys)
Confidential ComputingProtection of data being processed in a TEE (Trusted Execution Environment)
NSGNetwork Security Group — Azure stateless firewall at subnet/NIC level
Azure FirewallManaged stateful firewall, Layer 3/4/7, with Threat Intelligence
Private EndpointPrivate connection via VNet to access PaaS services without going through the Internet
JIT VM AccessJust-in-Time Access — open SSH/RDP ports only on demand
Vulnerability AssessmentVulnerability scanning on VMs via Defender for Servers
PlaybookIncident response automation via Logic Apps in Sentinel
Data ConnectorConnector to ingest logs from external sources into Sentinel
WorkspaceLog Analytics Workspace — storage and query space for logs

Search Terms

azure · security · fundamentals · core · infrastructure · microsoft · deep · dive · encryption · policy · compliance · defender · questions · trust · zero · access · architecture · ddos · identity · managed · model · regulatory · vault · analytics

Interested in this course?

Contact us to book it or get a custom training plan for your team.