Microsoft Azure Security Technologies Certification and Beyond
Gain practical skills to secure your Azure environment and pass the AZ-500 exam
David Okeyode
BIRMINGHAM—MUMBAI
Microsoft Azure Security Technologies
Certification and Beyond
Copyright © 2021 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Wilson Dsouza
Publishing Product Manager: Vijin Boricha
Senior Editor: Athikho Sapuni Rishana
Content Development Editor: Sayali Pingale
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Nilesh Mohite
First published: September 2021
Production reference: 1070921
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
978-1-80056-265-3
www.packt.com
I am grateful to many people who have helped and supported me through the process of writing this book. To my wife and best friend, Brenda Tao. To my parents, who taught me everything I know (Jacob and Hope Okeyode). And to the three best sisters and encouragers in the world (Pemi, Elizabeth, and Esther). I love you all.
– David Okeyode
Contributors
About the author
David Okeyode is a cloud security architect at the Prisma cloud speedboat at Palo Alto Networks. Before that, he was an independent consultant helping companies secure their cloud environments through private expert-level training and assessments. He holds 15 professional certifications across the Azure and AWS platforms, including the Azure Security Engineer, Azure DevOps, and AWS Security Specialist certifications. He has also authored two cloud computing courses for the popular cybersecurity training platform Cybrary.
David has over a decade of experience in cybersecurity (consultancy, design, and implementation) and over 6 years of experience as a trainer. He has worked with organizations of different sizes, from start-ups to major enterprises to government organizations.
David has developed multiple vulnerable-by-design automation templates that can be used to practice cloud penetration testing techniques. He regularly speaks about cloud security at major industry events, such as Microsoft Future Decoded and the European Information Security Summit.
David is married to a lovely girl who makes the best banana cake in the world. They love traveling the world together and intend to do missions in Asia very soon!
About the reviewers
Dharam Chhatbar is a seasoned information security professional who has more than 11 years of experience in various verticals of InfoSec, delivering impactful and high-quality risk-reduction work. He has helped secure many banks and retail firms and is currently working at a top Fortune 500 company. He holds a master's degree, is a fervent learner, and has earned several global certifications, such as CISSP, GSLC (GIAC), CCSP, CSSLP, GMOB, and some related to the cloud, such as Azure (AZ500), GCP (PCSE), and AWS (SAA). His key competencies include vulnerability management, application security, cloud security, VA/PT, and managing teams/vendors. He has also reviewed the book CISSP (ISC)² Certification Practice Exams and Tests by Ted Jordan.
I would like to thank my parents, Bina and Jagdish; my wife, Chaital; and my sister, Hina, for their continued support and encouragement with everything that I do and for motivating me to always achieve my ambitions.
Rod Trent is a security CSA for Microsoft and an Azure Sentinel global SME helping customers migrate from existing SIEMs to Azure Sentinel to achieve the promise of better security through improved efficiency without compromise.
Rod is a husband, dad, and recently a first-time grandfather. He spends his spare time (if such a thing does truly exist) simultaneously watching episodes of The Six Million Dollar Man and writing KQL queries.
Table of Contents
Preface
Section 1: Implement Identity and Access Security for Azure
1
Introduction to Azure Security
Technical requirements 4
Shared responsibility model 4
Setting up a practice environment 6
Create a free trial Azure subscription 7
Summary 11
Questions 12
Further reading 12
2
Understanding Azure AD
What Azure AD is not (what is Azure AD?) 14
Azure AD versus on-premises AD 14
Azure AD – an identity provider for Microsoft cloud services 14
Azure AD – an identity provider for modern applications 16
Modern authentication protocols 17
Hands-on exercise – review your Azure AD tenant 18
Hands-on exercise – add a custom domain to Azure AD (optional) 21
Azure AD editions 24
Hands-on exercise – sign up for an Azure AD Premium P2 trial 25
Azure AD object management 28
Azure AD users 28
Azure AD groups 29
Azure AD and Azure RBAC roles 30
Service principals 31
Hands-on exercise – Azure AD user creation and group management 31
Hands-on exercise – Azure AD role assignment 39
Summary 44
Questions 44
Further reading 45
3
Azure AD Hybrid Identity
Technical requirements 48
Implementing Azure AD hybrid identity 48
Azure AD Connect 48
Preparing for Azure AD Connect installation 49
Hands-on exercise – deploying an Azure VM hosting an AD domain controller 50
Hands-on exercise – preparing for Azure AD Connect deployment 59
Selecting a hybrid identity authentication method 65
Federation 67
Pass-Through Authentication (PTA) 69
Azure AD Connect deployment options 70
Hands-on exercise – deploying Azure AD Connect PHS 71
Implementing password writeback 85
Summary 86
Questions 86
Further reading 87
4
Azure AD Identity Security
Technical requirements 90
Implementing Azure AD Password Protection 90
Hands-on exercise – Configuring the custom banned password list feature of Azure AD Password Protection 93
Securing Azure AD users with multi-factor authentication (MFA) 101
Hands-on exercise – Enabling MFA by changing user state 102
Implementing conditional access policies 108
Conditional access – How policies are evaluated 111
Conditional access best practices 112
Hands-on exercise – Implementing conditional access 113
Protecting identities with Azure AD Identity Protection 122
Identity protection – risk categories 122
Identity protection – detection types 125
Identity protection – risk levels 125
Identity protection – policies 126
Exercise – Implementing Azure AD Identity Protection 128
Summary 137
Question 137
Further reading 137
5
Azure AD Identity Governance
Technical requirements 140
Protecting privileged access using Azure AD Privileged Identity Management (PIM) 140
What is Azure AD PIM? 140
How does Azure AD PIM work? 141
Exercise – Azure AD Privileged Identity Management 142
Configuring PIM access reviews 154
Exercise – Create an access review and review PIM auditing features 155
Summary 162
Questions 163
Further reading 163
Section 2: Implement Azure Platform Protection
6
Implementing Perimeter Security
Technical requirements 168
Securing the Azure virtual network perimeter 168
Implementing Azure Distributed Denial of Service (DDoS) Protection 169
Hands-on exercise – provisioning resources for the exercises in Chapters 6 and 7 171
Hands-on exercise – implementing the Azure DDoS protection Standard 178
Implementing Azure Firewall 183
Hands-on exercise – implementing Azure Firewall 184
Implementing a Web Application Firewall (WAF) in Azure 200
Application Gateway WAF 200
Front Door WAF 201
Hands-on exercise – configuring a WAF on Azure Application Gateway 202
Summary 214
Questions 214
Further reading 215