Microsoft Azure Security Technologies Certification and Beyond: Gain practical skills to secure your Azure environment and pass the AZ-500 exam PDF

526 Pages·2021·21.28 MB·english

Microsoft Azure Security Technologies Certification and Beyond

Gain practical skills to secure your Azure environment and pass the AZ-500 exam

David Okeyode

BIRMINGHAM—MUMBAI

Microsoft Azure Security Technologies Certification and Beyond

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson Dsouza
Publishing Product Manager: Vijin Boricha
Senior Editor: Athikho Sapuni Rishana
Content Development Editor: Sayali Pingale
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Nilesh Mohite

First published: September 2021

Production reference: 1070921

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

978-1-80056-265-3

www.packt.com

I am grateful to many people who have helped and supported me through the process of writing this book. To my wife and best friend, Brenda Tao. To my parents, who taught me everything I know (Jacob and Hope Okeyode). And to the three best sisters and encouragers in the world (Pemi, Elizabeth, and Esther). I love you all.

– David Okeyode

Contributors

About the author

David Okeyode is a cloud security architect at the Prisma cloud speedboat at Palo Alto Networks. Before that, he was an independent consultant helping companies secure their cloud environments through private expert-level training and assessments. He holds 15 professional certifications across the Azure and AWS platforms, including the Azure Security Engineer, Azure DevOps, and AWS Security Specialist certifications. He has also authored two cloud computing courses for the popular cybersecurity training platform Cybrary.

David has over a decade of experience in cybersecurity (consultancy, design, and implementation) and over 6 years of experience as a trainer. He has worked with organizations of different sizes, from start-ups to major enterprises to government organizations.

David has developed multiple vulnerable-by-design automation templates that can be used to practice cloud penetration testing techniques. He regularly speaks about cloud security at major industry events, such as Microsoft Future Decoded and the European Information Security Summit.

David is married to a lovely girl who makes the best banana cake in the world. They love traveling the world together and intend to do missions in Asia very soon!

About the reviewers

Dharam Chhatbar is a seasoned information security professional who has more than 11 years of experience in various verticals of InfoSec, delivering impactful and high-quality risk-reduction work. He has helped secure many banks and retail firms and is currently working at a top Fortune 500 company. He holds a master's degree, is a fervent learner, and has earned several global certifications, such as CISSP, GSLC (GIAC), CCSP, CSSLP, GMOB, and some related to the cloud, such as Azure (AZ500), GCP (PCSE), and AWS (SAA). His key competencies include vulnerability management, application security, cloud security, VA/PT, and managing teams/vendors. He has also reviewed the book CISSP (ISC)² Certification Practice Exams and Tests by Ted Jordan.

I would like to thank my parents, Bina and Jagdish; my wife, Chaital; and my sister, Hina, for their continued support and encouragement with everything that I do and for motivating me to always achieve my ambitions.

Rod Trent is a security CSA for Microsoft and an Azure Sentinel global SME helping customers migrate from existing SIEMs to Azure Sentinel to achieve the promise of better security through improved efficiency without compromise. Rod is a husband, dad, and recently a first-time grandfather. He spends his spare time (if such a thing does truly exist) simultaneously watching episodes of The Six Million Dollar Man and writing KQL queries.

Table of Contents

Preface

Section 1: Implement Identity and Access Security for Azure

1 Introduction to Azure Security
- Technical requirements
- Shared responsibility model
- Setting up a practice environment
- Create a free trial Azure subscription
- Summary
- Questions
- Further reading

2 Understanding Azure AD
- What Azure AD is not (what is Azure AD?)
- Azure AD versus on-premises AD
- Azure AD – an identity provider for Microsoft cloud services
- Azure AD – an identity provider for modern applications
- Modern authentication protocols
- Hands-on exercise – review your Azure AD tenant
- Hands-on exercise – add a custom domain to Azure AD (optional)
- Azure AD editions
- Hands-on exercise – sign up for an Azure AD Premium P2 trial
- Azure AD object management
- Azure AD users
- Azure AD groups
- Azure AD and Azure RBAC roles
- Service principals
- Hands-on exercise – Azure AD user creation and group management
- Hands-on exercise – Azure AD role assignment
- Summary
- Questions
- Further reading

3 Azure AD Hybrid Identity
- Technical requirements
- Implementing Azure AD hybrid identity
- Azure AD Connect
- Preparing for Azure AD Connect installation
- Hands-on exercise – deploying an Azure VM hosting an AD domain controller
- Hands-on exercise – preparing for Azure AD Connect deployment
- Selecting a hybrid identity authentication method
- Federation
- Pass-Through Authentication (PTA)
- Azure AD Connect deployment options
- Hands-on exercise – deploying Azure AD Connect PHS
- Implementing password writeback
- Summary
- Questions
- Further reading

4 Azure AD Identity Security
- Technical requirements
- Implementing Azure AD Password Protection
- Hands-on exercise – Configuring the custom banned password list feature of Azure AD Password Protection
- Securing Azure AD users with multi-factor authentication (MFA)
- Hands-on exercise – Enabling MFA by changing user state
- Implementing conditional access policies
- Conditional access – How policies are evaluated
- Conditional access best practices
- Hands-on exercise – Implementing conditional access
- Protecting identities with Azure AD Identity Protection
- Identity protection – risk categories
- Identity protection – detection types
- Identity protection – risk levels
- Identity protection – policies
- Exercise – Implementing Azure AD Identity Protection
- Summary
- Question
- Further reading

5 Azure AD Identity Governance
- Technical requirements
- Protecting privileged access using Azure AD Privileged Identity Management (PIM)
- What is Azure AD PIM?
- How does Azure AD PIM work?
- Exercise – Azure AD Privileged Identity Management
- Configuring PIM access reviews
- Exercise – Create an access review and review PIM auditing features
- Summary
- Questions
- Further reading

Section 2: Implement Azure Platform Protection

6 Implementing Perimeter Security
- Technical requirements
- Securing the Azure virtual network perimeter
- Implementing Azure Distributed Denial of Service (DDoS) Protection
- Hands-on exercise – provisioning resources for the exercises in Chapters 6 and 7
- Hands-on exercise – implementing the Azure DDoS protection Standard
- Implementing Azure Firewall
- Hands-on exercise – implementing Azure Firewall
- Implementing a Web Application Firewall (WAF) in Azure
- Application Gateway WAF
- Front Door WAF
- Hands-on exercise – configuring a WAF on Azure Application Gateway
- Summary
- Questions
- Further reading
