Pass Your Microsoft Azure Security AZ-500 Exam Easy!

Microsoft AZ-500 Microsoft Azure Security Technologies exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Microsoft AZ-500 Microsoft Azure Security Technologies exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Microsoft Azure Security AZ-500 certification exam dumps & Microsoft Azure Security AZ-500 practice test questions in vce format.

Azure Active Directory for Workloads

10. Lecture: Service Principals

One of the major difficulties with any IT organisation is how we control access, particularly when we have services that want to access Azure and do things. We might have developers that need certain rights. One of the answers to that is the service principle. A service principle is analogous to historically and legacy Active Directory. You had service accounts for SQL, etc. And it had the authority to do various things. And the way it works in Azure is a little bit different. Essentially, first of all, we have to have a user with permissions in Azure AD that can create an application. So first of all, they create an Azure AD application registration, first of all.So it could be for my particular webapplication; I'll create an app registration for that. Then I'll create a key for that application that I'm ultimately going to use later on to authenticate against Azure AD. And I'll also sign that application for a job. And this is really the concept behind a service principle. And you'll see that in the upcoming demo. After I've created the application, I create a service principle that allows that application to access Azure Active Directory. Then what I can do is use that service. I can take that service principle, and the service might be something like Octopus Deploy Visual Studio TeamServices, and I can now allow it to login as the application using that service principle. And now it can execute tasks. Deploy VMs, for example, could deploy entire Arm templates that I've created, which deploy a slew of infrastructure and where we go. But all of this can be done within the context of the service principle context.I don't have to sort of give a user's permission to the application every single time. The application can authenticate itself.

11. Demo: Create a Service Principal

The first thing we need to do is register the new application, for which we use the new Azure RM ad application command. But before we can do that, we do need to store a password, which we use for that. So we'll put in a dollar password. Obviously, I'm just going to use something basic here, which I'm going to remove. So, skylines p one.And now I'm going to go about creating my new application. I'm going to store it as a variable right away. So, dollar app equals PowerShell command new app. Azure RMAD application. Now I need to give the application a display name. So we'll call the skyline Zap. It asks for a home page as well. So we'll define that, followed by an identifier URI. So we'll use the same URI for that. And finally, we need to pass in our password, and that will go off now and register that application. If we type in our variable, we can see there it is: Skyline Zap," and we have an application ID there associated with it. And now we need that because we need to create our service principle. So our service principle will be stored in the variable SPN. This is essentially our service account now. And we use another PowerShell command: new AzureRMAD service principle followed by the application ID. So we always register these against an application. And in my case, I've already stored the variable "Dolarapp." So I'll use the Dollarapp Application ID and hit Enter, and we can check that it was created successfully. That's our service principle. Now, it's not any good yet because we haven't assigned it a role. So we can choose from the various roles, and you'll hear about custom roles and the built-in roles in an upcoming lesson. but for now, let's go ahead and do a new role assignment. So you would create a new Azure RM role assignment, followed by the role definition name. And I'm just going to use the built-in contributor role, followed by our service principle name, because this is the account we want to assign the role to. And we use the Dollarapp application. ID again. It takes a second, it's complete, and now our Skylines application has the contributor role assigned to it. So.

12. Demo: App Registration

In the previous lecture, you learned about service principles, but in this case, I'm now going to show you what an application registration looks like from the Azure Active Directory point of view. One thing to keep in mind is that the service principle is instantiated when an application needs permission to do something. You can have an application registration and a service principal in one directory, and then perhaps another directory needs to use that application registration, in which case an SPN or service principle will be created or instantiated at that time. And Microsoft does have some documentation on it, which is linked in the study guides. I highly recommend you just take a look at that and understand the difference. But I'm going to show it to you from a Portal perspective now so you can understand what application registrations look like. So in the Azure Portal, the first thing you need to do is go over to Azure Active Directory. So, if we click Azure Active Directory or search for it from all services, and I go in here and scroll down, you'll see I have app registrations. Now, if you followed on with the previous demo, where we did it all in PowerShell and created what's called an SPN, you would basically see your app registration created as part of that process. But in my case, I'm going to create a brand new one in this demo just from the portal. So you can see what an app registration looks like. So I begin by clicking "New Registration." And this is where I define my application. So I'm going to give it a name. I'm going to call this Azapp registration. And you can see here who can use this application or access this API. And I can say that accounts are only in this organisational directory only.only an easy exam only.This is a single tenant. Or I can choose multi-tenant options along with the option to include personal accounts as well. But in my case, I'm just going to choose this directory by clicking Register. As you can see, I've registered for a new AZ app. I'm actually in there. Now if I go back a tab here, you can see I've got two app registrations: a Skylines test, one I created earlier, and an AZ app registration. So if I go into this registration, which you can see, it has a unique client ID. So if I click this one here, and you can also see that client ID right here, this is the application ID. This is my directory ID, the tenant I'm in, and then I've got an object ID as well. Scrolling down on the left side, we can see that certificates and secrets have been updated. And I can go in here and upload a certificate. So certificates can be used as secrets to prove the application's identity, or I can give it a client secret like a password that I can use. I have the option of certificate authentication and secrets as an authentication mechanism there as well. The other thing to look at are the API permissions here. So if we scroll in here, you can see I can add permissions, I can click this, and basically these are application authorizations to call APIs when they are granted permissions by user admins as part of the consent process. So if we go down to the bottom here, this is where I grant admin consent for the AZ Exam. We'll do that in a second. But first, I'm going to add a permission, and by default, you can see it's got the user read permission for Microsoft Graph, but I can click Add a Permission and you'll see a whole bunch of Microsoft services here. Microsoft Graph is obviously the main service there, where everything from an organisational standpoint comes in. So all the Azure ads microsoft graph. But I can go in here. I've got Azure, DevOps, keyVault, Service, Management, etc. for all the way down to additional APIs that I can give it access to. So if I go into, say, management, go backup to Azure Service Management, we can choose User Impersonation and add that permission, and then that basically adds that permission change right there. So I can say that User Impersonation is prohibited, and you can see that Admin Consent is required. No admin consent displayed Name Description: user display name, user consent description, and if I want to remove that permission, I can just remove it from the top there. But let's scroll down because you can see "grant consent." Again, as an administrator, you can grant consent on behalf of all users in the directory. And granting admin consent for all users means that end users will not be shown a consent screen when they want to use this application. so I can grant admin consent. Do you want to grant consent for the requested permissions for all accounts in the AC Exam? This will update existing admin consent records. This application already has to match what is listed below, I can choose yes, and I've successfully granted consent. And you can see here on the right, it isgranted for AZ Exam and granted for AZ Exam. It has permission to basically do these things, and it can be impersonated on behalf of a user. Now, some things to keep in mind. One, you must once again ensure that you have configured all of the permissions that this application requires in order to function properly. When the application wants to do something, it's available to do it there. Going back to the concept of SPN and role-based access control to resources, I can still go over to say my subscription and say I want to give that application access, say full rights or read/write access to the subscription itself. I can go in here and just like in-role-based access controls, which, again, if you haven't learned about them yet, you will later on. I can select IAM and assign a role here. And if I click roll assignment, I can click Add to add a role assignment. And if I type in here for the role I want to give it, I want to give it read access to this subscription; that's "reader," and again, I can assign access to an ad, a user group, or a service principal. So if I type in a Zap, I should see that registration, and I can then give that app registration reader permissions to the subscription itself.

13. Lecture: Identity Protection

First of all, the majority of attacks takeplace when a user account is compromised. You probably heard me say this over and over, but this is the new attack plane that everybody is going after. It is essential to protect all identities, regardless of the access level. So that means even basic user accounts—accounts that are global admins—should be protected. The goal is to prevent compromised identities from being abused. Now, ultimately, identity protection generates reports and alerts based on adaptive machine learning algorithms. So Microsoft is looking at identities and seeing how they behave normally. Do they normally log in at this time? Are they usually logging in from another country? Or did somebody just go on vacation and log in from there? Those are the kind of things that identity protection is really focused on. and ultimately they divide it into three main capabilities. One: detect vulnerabilities and risky accounts. So this is about providing custom recommendations to improve your overall security posture, calculating what's called sign-in risk levels, and calculating user risk levels based on behavior. Again, you can use identity protection to investigate risk events in the accounts. This is about sending notifications for risk events and investigating risk events using contextual information. It's kind of piecing together the puzzle for you. And it also has things like workflows and remediation actions that you can use as well. And last but not least, we have risk-based conditional access policies. So you'll see more about conditional access in one of the demos we do, but this is around setting policy to mitigate risky signing. So you can sort of say, "Hey, you can access this, providing your account isn't at a certain risk level, or you can elevate your permissions, provided that you authenticate again using multifactor authentication." So it's all about time, risk, and the identity protection capabilities we have to create policies around what you can do based on how risky you are at any given time. Now, before we sort of jump into the demo, one thing you need to know is the different identity protection roles that exist. So, for starters, a global administrator has full access to identity protection and canonboard people to it. There's also the role of security administrator in Azure AD. They have full access to identity protection. So again, for somebody that's in the security department, this is a good thing for them to be aware of as part of operations as well. And what they cannot do is those onboard identity protections, so that's still the Azure AD; global admins can do that, and they cannot reset passwords for Azure just because they're in this role. You also then have a security reader, and this is somebody who has read-only access to identity protection. So they cannot onboard, they cannot remediate users, they cannot configure policies, or they cannot reset passwords. Then we're somebody that just needs to be able to have visibility into what's going on with identity protection. So these are the key roles that exist out of the box. And we'll take a look at how to configure this in the upcoming demo. Bye.

14. Demo: Configure Identity Protection

Now we have a good understanding of what identity protection is. Let's go to the Azure Portal to get it configured. So I'm in the portal here, I'm logged in as one of my accounts, and I'm going to go ahead and create a new resource from the Marketplace and then search for Identity Entity Protection. Once that pops up, I can go ahead and click Create, and it will bring up the blade, and you can see that it will choose a directory. I've got Skylines Academy here, and if you didn't have a P2 licence already there, you would get a warning. So you do need to have an Azure AdP Two Premium licence for this to work. If you don't, you can get an AED or temporarily pay for one. Just make sure the licences are assigned from Azure AD. So I'll go ahead and click Create Here, and that will start creating that for us. And if we go over to Azure Active Directory in the meanwhile, I'm just going to show you the licenses. So if I scroll down and select licenses, you can see that I have all products and that I have that Azure Active Directory Premium PTwo license, which I've assigned. I have 99 available 99.I'm basically using the trial here right now. But with that, let's go to All Services and go ahead and type in Identity Protection. Click "Azure ad identity protection." And this will bring up the Azure identity protection overview. and you can see how it's configured here. We've got our general section with an overview. So this is about users flagged for risk and any risky events. This will pop up again. It's learning about your users by seeing what they're doing. And then you've got your "Investigate" section. So users flagged risk events and vulnerabilities, and you can see I have an example of a risk event right now that is already closed out. It was earlier in June. If I click Risk Events, I can see that event. It was a medium-sized sign from an unfamiliar location. And then I can basically click in here, see more details about the user and what they did, and take some action or potentially block them temporarily. What I do is ultimately up to me. I can configure things like MFA registration directly from here as well. So I can say, like, all users have control; select the control here; and require Azure MFA registration. So that's multi-factor authentication. just to recap on that and choose to enforce the policy there. The alternative, though, is that I can do a lot of this from Azure ActiveDirectory through what's called Conditional Access. So I'm going to go over there, click Azure ActiveDirectory, and this is where I can set policy. Microsoft provides some baseline policies in preview. Now we'll talk about those in a second. But on the left hand side, you can see our named locations, custom controls, which are in preview right now, terms of use, VPN connectivity, and some classic policies. The first two I'd like to highlight are named locations. So this is about me defining locations that I know are good places for people to log in from. So maybe my remote offices, maybe people's homes, things like that. I can name them and define them so that they don't get flagged incorrectly as much. And then the Terms of Use are all about putting a document together. So for clicking on new terms, I can go into Microsoft Word, and I could have my legal department type up a document around what the conditions are for accessing the system. I save that document as a PDF, and then I can choose to require users to expand the Terms of Use Consent. Every time they log in on a new device, that's basically around saying, "Okay, I'm logging in; accept the terms, and then you can log into the system." So as a condition of you accessingour system, you're accepting our terms. So that's what those are all about. But let me go back again because I do want to show you what the policies are all about. So if I click policies here, let's just look at the baseline policy that's included as an example, which we have enabled because it's common sense. And this is basically saying that multifactor authentication is required for the following directory roles. Think about all the user admins, theglobal admins, obviously exchange admins, security admins. We're saying, "Hey, these people have rights that are particularly powerful, so we want to make sure that they are who they are when they authenticate in." So we're saying OK, you're required to have multifactor authentication configured before you can log into the system. And that's one of the default policies a lot of people enable. Now, if you want to see what happens if I go in here, type in someone's name, choose a user, Nick@skylinesacademy.com, click select, and basically see what happens if I just click it right here? I can do other configuration and say, "Hey, I'm logging in from this IP; what's going to happen?" et cetera. But you can see at the bottom, it will just tell me: "These are the policies that will apply," and "These are the policies that will not apply." But if I want to go ahead and create my own policies again, I'll go back out here and click New Policy. This is where I can get really specific. So I can choose to assign specific user policies, and I can choose specific cloud apps or actions as well. I can name all cloud apps or user actions that take effect, and then I can choose the conditions that basically apply here. So, as you can see, this is where I really wanted to get back to the identity protection side. Hey, if you're Nick Calia and your sign-in risk is "hi," then require or deny access based on these things. If you're coming in from a location, choose this one, and I will configure the location. Choose yes. So all trusted locations are probably okay. I'm going to say, "Okay, if you're coming in from all trusted locations and go back to that sign-in risk and I say yes, your sign-in risk is low, then I'm okay granting you access to the controls." At this point, I'm fine with granting access and possibly requiring multifactor authentication. So it's all about determining the conditions under which access will be granted and utilising a combination of identity protection. So, back to that sign-in risk piece we just had. In fact, I'm going to come out of retirement. Yeah, I'm going to go back to the conditions here. Not all of these pieces are available. So if I choose sign-in risk, you'll see where it says that you acquire that Azure Ad Premium P-2 license. That's because it's using identity protection to determine your sign-in risk. And that's why I'm allowed to use it as a condition here. So, again, go back to policies. Try to keep this simple here. Conditional access is all around policy of what arethe conditions that you need to meet to beallowed access and what are you allowed to access. And I can also simulate here. I can name locations that I know are good. I can put terms of use in there that people need to accept. And at the same time as allowing access based on identity protection, I can go into identity protection that we looked at earlier and look at all my events and get that machine learning intelligence that Microsoft is putting behind identity to determine: are any users at risk? Are there risky events going on in my environment?

Go to testing centre with ease on our mind when you use Microsoft Azure Security AZ-500 vce exam dumps, practice test questions and answers. Microsoft AZ-500 Microsoft Azure Security Technologies certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Microsoft Azure Security AZ-500 exam dumps & practice test questions and answers vce from ExamCollection.