Module 2: Azure Architecture and Services

Azure Security Features

Master Multi-Factor Authentication, Microsoft Defender for Cloud, Zero Trust security model, and advanced threat protection capabilities essential for securing your Azure environment.

Learning Objectives

After completing this session, you'll be ready for Quiz 18 and able to:

Understand MFA factors and implementation methods
Configure Microsoft Defender for Cloud security features
Implement Zero Trust security principles
Deploy conditional access and identity protection
Secure network resources with Azure security services
Manage secrets and keys with Azure Key Vault
Implement advanced threat detection and response
Understand compliance and governance security aspects

Multi-Factor Authentication (MFA) - The Security Foundation

Multi-Factor Authentication is your first line of defense against identity-based attacks. It requires users to provide multiple forms of verification, dramatically improving security beyond just passwords.

🔐 The Three Authentication Factors

🧠 Something You Know

Password, PIN, Security Questions, Passphrase

Knowledge Factor

📱 Something You Have

Phone, Hardware Token, Smart Card, Authenticator App

Possession Factor

👤 Something You Are

Fingerprint, Face Recognition, Voice, Retina Scan

Inherence Factor

MFA Requirement: At least 2 of these 3 factors for enhanced security!

🔑 Azure AD Authentication Methods (Critical for Quiz!)

Traditional MFA Methods
Password + SMS

Less secure, vulnerable to SIM swapping and interception

Microsoft Authenticator App

Time-based one-time passwords (TOTP) and push notifications

Voice Calls

Automated voice calls with verification codes

Passwordless Methods (Most Secure)
Windows Hello for Business

Biometric or PIN-based, device-bound authentication

FIDO2 Security Keys

Hardware-based, phishing-resistant authentication

Phone Sign-in

Microsoft Authenticator passwordless phone sign-in

🎯 Quiz Focus: Security Ranking
Most Secure: Passwordless (FIDO2, Windows Hello, Biometrics) → More Secure: Password + Authenticator App → Less Secure: Password + SMS

🚦 Conditional Access + MFA = Smart Security

Smart MFA Enforcement
  • Require MFA for administrators
  • Enforce MFA from untrusted locations
  • Skip MFA for trusted devices
  • Risk-based MFA requirements
  • Application-specific MFA policies

Configuration Examples
IF user is admin THEN require MFA always
IF sign-in from new location THEN require MFA
IF accessing sensitive app THEN require MFA + compliant device
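
The three rules above, written as a small policy evaluator. This is an added example, not part of the original course material and not the Entra ID policy engine; the policy names, the SignIn fields and the sample sign-ins are constructed for illustration. It shows that every matching policy contributes its controls and that a missing device-compliance control cannot be fixed by an MFA prompt.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    is_admin: bool
    new_location: bool       # sign-in from a location not seen before
    sensitive_app: bool      # target app is tagged sensitive
    mfa_done: bool           # user already completed MFA in this session
    device_compliant: bool   # device reports as compliant

# (hypothetical policy name, condition, controls required when it matches)
POLICIES = [
    ("admin-always-mfa", lambda s: s.is_admin, {"mfa"}),
    ("new-location-mfa", lambda s: s.new_location, {"mfa"}),
    ("sensitive-app", lambda s: s.sensitive_app, {"mfa", "compliant_device"}),
]

def evaluate(signin):
    """Return (decision, matched policy names, missing controls)."""
    matched, required = [], set()
    for name, condition, controls in POLICIES:
        if condition(signin):
            matched.append(name)
            required |= controls      # every matching policy must be satisfied
    satisfied = set()
    if signin.mfa_done:
        satisfied.add("mfa")
    if signin.device_compliant:
        satisfied.add("compliant_device")
    missing = required - satisfied
    if not missing:
        return "allow", matched, missing
    if missing == {"mfa"}:
        return "challenge_mfa", matched, missing  # user can satisfy this interactively
    return "block", matched, missing              # a prompt cannot fix a non-compliant device

# Constructed sample sign-ins
ADMIN_AT_OFFICE = SignIn(True, False, False, False, True)
USER_AT_OFFICE = SignIn(False, False, False, False, False)
USER_PAYROLL_BYOD = SignIn(False, True, True, True, False)

if __name__ == "__main__":
    for s in (ADMIN_AT_OFFICE, USER_AT_OFFICE, USER_PAYROLL_BYOD):
        print(evaluate(s))
```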

Microsoft Defender for Cloud - Unified Security Management

Microsoft Defender for Cloud (formerly Azure Security Center) provides unified security management and advanced threat protection across your hybrid cloud workloads.

🛡️ Core Security Capabilities

Security Posture Management

  • Continuous security assessment
  • Security recommendations
  • Secure Score tracking
  • Compliance dashboard
  • Security baseline comparison

Advanced Threat Protection

  • Real-time threat detection
  • Behavioral analytics
  • Machine learning-based detection
  • Incident response automation
  • Threat intelligence integration

📊 Defender for Cloud Plans (Quiz Essential!)

Defender for Cloud Free
Included Features:
  • Continuous assessment
  • Secure score
  • Security recommendations
  • Basic policy assessments
  • Asset inventory

Defender for Cloud Premium
Enhanced Features:
  • Advanced threat protection
  • Just-in-time VM access
  • File integrity monitoring
  • Adaptive network hardening
  • Security alerts and incidents

🎯 Quiz Key Points
Free: Basic security posture and recommendations • Premium: Advanced threat protection and response capabilities

⏰ Just-in-Time (JIT) VM Access

The Problem
  • RDP/SSH ports always open
  • Increased attack surface
  • Brute force attacks
  • Difficult to audit access

JIT Solution
  • Ports closed by default
  • Time-limited access
  • Source IP restrictions
  • Approval workflows

Benefits
  • Reduced attack surface
  • Audit trail of access
  • Controlled admin access
  • Automated NSG rules

Zero Trust Security Model - Never Trust, Always Verify

Zero Trust is a security framework that assumes no implicit trust and continuously validates every transaction. It's based on the principle "Never trust, always verify."

🔒 Zero Trust Core Principles

✅ Verify Explicitly

Authenticate and authorize based on all available data points

User, location, device, service, workload, data classification

🔐 Use Least Privilege Access

Limit user access with Just-In-Time and Just-Enough-Access

Risk-based adaptive policies, data protection

💥 Assume Breach

Minimize blast radius and segment access

Verify end-to-end encryption, analytics for visibility

🏗️ Zero Trust Architecture Components

Identities (Users & Devices)
↓ Verify and secure
Endpoints & Devices
↓ Assess and protect
Applications & Data
↓ Classify and secure
Network Infrastructure

Implementation Technologies
  • Multi-Factor Authentication
  • Conditional Access policies
  • Privileged Identity Management
  • Microsoft Defender for Identity
  • Intune device management

Azure Zero Trust Services
  • Azure AD (Microsoft Entra ID)
  • Microsoft Defender for Cloud
  • Azure Firewall & Network Security
  • Azure Sentinel (SIEM)
  • Azure Information Protection

⚖️ Zero Trust vs Traditional Security

❌ Traditional "Castle & Moat"
  • Trust internal network
  • Perimeter-based security
  • Static security policies
  • Limited visibility inside network
  • Assumption: internal = safe
Problem: Once inside, attackers have free rein

✅ Zero Trust Model
  • Never trust, always verify
  • Identity-centric security
  • Dynamic, risk-based policies
  • Comprehensive monitoring
  • Assume breach mentality
Benefit: Continuous verification limits damage

Advanced Threat Protection Services

Azure Sentinel

SIEM & SOAR

Cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution.

Collect data at cloud scale
AI-powered threat detection
Automated incident response
Built-in orchestration & automation

Microsoft Defender for Identity

Identity Protection

Cloud-based security solution that identifies, detects, and investigates advanced threats and compromised identities.

Monitor user behavior
Detect suspicious activities
Provide investigation tools
Clear remediation guidance

🛡️ Network Security Services

🔥 Azure Firewall

Managed, cloud-based network security service

  • Stateful inspection
  • Application & network rules
  • Threat intelligence
  • High availability

🛡️ Azure DDoS Protection

Protection against distributed denial of service attacks

  • Basic (free) protection
  • Standard (enhanced) features
  • Attack analytics
  • Cost protection

🚫 Network Security Groups

Network access control using security rules

  • Subnet-level filtering
  • VM network interface control
  • Allow/deny rules
  • Priority-based evaluation
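
Priority-based NSG evaluation and the Just-in-Time access flow described earlier, combined in one simplified model. This is an added example, not part of the original course material and not Azure's implementation; the rule names, priorities and the `expires` field are assumptions (a real NSG rule has no expiry, the JIT service removes the rule when the window ends), and the addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Rule:
    name: str
    priority: int                       # lower number is evaluated first
    action: str                         # "Allow" or "Deny"
    port: int
    source: str                         # CIDR range the rule matches
    expires: Optional[datetime] = None  # only JIT rules carry an expiry in this model

def evaluate(rules, src_ip, port, now):
    """First matching rule in priority order decides; no match means deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.expires is not None and now >= rule.expires:
            continue                    # expired JIT rule counts as already removed
        if rule.port == port and ip in ipaddress.ip_network(rule.source):
            return rule.action, rule.name
    return "Deny", "implicit-deny"

def grant_jit(rules, requester_ip, port, hours, now, max_hours=3):
    """Add a time-limited allow rule for one source IP, just above the port's deny rule."""
    if not 0 < hours <= max_hours:
        raise ValueError(f"requested {hours}h, policy allows at most {max_hours}h")
    deny_priority = min(r.priority for r in rules if r.action == "Deny" and r.port == port)
    rule = Rule(f"jit-{port}-{requester_ip}", deny_priority - 1, "Allow", port,
                str(ipaddress.ip_network(requester_ip)), now + timedelta(hours=hours))
    rules.append(rule)
    return rule

def baseline_rules():
    # Constructed baseline: management ports closed to everyone, HTTPS open.
    return [Rule("deny-ssh", 1000, "Deny", 22, "0.0.0.0/0"),
            Rule("deny-rdp", 1001, "Deny", 3389, "0.0.0.0/0"),
            Rule("allow-https", 1100, "Allow", 443, "0.0.0.0/0")]

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    rules = baseline_rules()
    print(evaluate(rules, "203.0.113.7", 22, now))
    grant_jit(rules, "203.0.113.7", 22, hours=1, now=now)
    print(evaluate(rules, "203.0.113.7", 22, now + timedelta(minutes=30)))
    print(evaluate(rules, "203.0.113.7", 22, now + timedelta(hours=2)))
```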

🔐 Secure Access Solutions

Azure Bastion

Secure RDP/SSH access to VMs without exposing public IP addresses.

  • Browser-based access
  • No public IPs on VMs
  • SSL/TLS encrypted
  • Integrated with Azure RBAC
Quiz Tip: Provides secure access without public IPs

Azure Key Vault

Centralized cloud service for storing and accessing secrets, keys, and certificates.

  • Hardware Security Modules (HSM)
  • API keys & connection strings
  • SSL/TLS certificates
  • Cryptographic key management
Quiz Tip: Safeguard cryptographic keys and secrets

Data Protection & Compliance

📄 Azure Information Protection - Classify & Protect

Classification
  • Automatic classification
  • Manual labeling
  • Custom sensitivity labels
  • Policy-based labeling

Protection
  • Encryption at rest & in transit
  • Rights management
  • Access restrictions
  • Usage tracking

Monitoring
  • Document access tracking
  • Data loss prevention
  • Audit logs
  • Compliance reporting

Quiz Focus: Azure Information Protection helps classify and protect documents and emails across on-premises, cloud, and mobile environments

📊 Compliance & Governance Services

Azure Policy

  • Enforce organizational standards
  • Built-in security policies
  • Compliance assessment
  • Automatic remediation

Microsoft Purview

  • Compliance manager
  • Risk assessments
  • Regulatory templates
  • Compliance score

Data Loss Prevention

  • Detect sensitive data
  • Prevent data exfiltration
  • Policy enforcement
  • Incident reporting

🔒 Encryption & Security Defaults

Azure Storage Encryption
  • Default: AES-256 encryption at rest
  • Key Management: Microsoft or customer-managed
  • In Transit: HTTPS/TLS encryption
  • Integration: Azure Key Vault for keys
Quiz Key: Encryption enabled by default for all Azure Storage

Security Defaults
  • MFA: Required for all users
  • Legacy Auth: Blocked by default
  • Admin Protection: Enhanced for privileged users
  • Risk Detection: Basic protection enabled
Quiz Key: Provides basic security protection for new tenants

Managed Identity & Advanced Security Features

🤖 Azure Managed Identity - Eliminate Credentials in Code

The Problem
  • Hard-coded credentials in applications
  • Secret management complexity
  • Credential rotation challenges
  • Security risks from exposed secrets

Managed Identity Solution
  • Azure automatically manages identity
  • No credentials in code
  • Automatic token acquisition
  • Azure RBAC integration

Types of Managed Identity

System-assigned
  • Tied to Azure resource lifecycle
  • 1:1 relationship with resource
  • Deleted when resource is deleted

User-assigned
  • Standalone Azure resource
  • Can be shared across resources
  • Independent lifecycle

Quiz Tip: Managed Identity eliminates need to manage credentials in application code
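
What "no credentials in code" and "automatic token acquisition" look like from inside an Azure VM, as an added example that is not part of the original course material: the workload asks the Instance Metadata Service for a token and sends no secret. The `ManagedIdentityToken` class, its refresh margin and the `fake_imds` stand-in (constructed so the example runs off Azure) are assumptions for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# Azure Instance Metadata Service token endpoint, reachable only from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def build_token_request(resource, client_id=None):
    """Build the IMDS request; note that it carries no secret of any kind."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:                       # selects a user-assigned identity
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"})

def fetch_from_imds(resource, client_id=None):
    with urllib.request.urlopen(build_token_request(resource, client_id), timeout=5) as resp:
        return json.load(resp)

class ManagedIdentityToken:
    """Hypothetical helper: caches the token and refreshes it shortly before expiry."""
    def __init__(self, resource, fetch=fetch_from_imds, clock=time.time, skew=300):
        self.resource, self.fetch, self.clock, self.skew = resource, fetch, clock, skew
        self._token, self._expires_on = None, 0

    def get(self):
        if self._token is None or self.clock() >= self._expires_on - self.skew:
            body = self.fetch(self.resource)
            self._token = body["access_token"]
            self._expires_on = int(body["expires_on"])   # Unix time, sent as a string
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}

def fake_imds(issued_at, lifetime=3600):
    """Constructed stand-in for IMDS so the example runs off Azure."""
    calls = []
    def fetch(resource):
        calls.append(resource)
        return {"access_token": f"constructed-token-{len(calls)}",
                "expires_on": str(issued_at() + lifetime), "token_type": "Bearer"}
    return fetch, calls
```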

Microsoft Defender for Office 365

Email Security

Protects against email threats, unsafe attachments, and malicious links in Office 365 applications.

Safe Attachments scanning
Safe Links protection
Anti-phishing policies
Real-time threat intelligence

Azure AD Seamless SSO

Single Sign-On

Automatically signs in users when they're on their corporate devices connected to the corporate network.

Domain-joined device auto sign-in
No additional components needed
Works with modern authentication
Improves user experience

🧠 Get Ready for Quiz 18 - Sample Questions

Here are example questions similar to what you'll see in Quiz 18. Master these security concepts for AZ-900 success!

Sample Question 1:

"Which authentication method is considered the most secure for Azure AD?"

  • A) Password + SMS
  • B) Password + Authenticator app
  • C) Passwordless authentication ✅
  • D) Password only

Sample Question 2:

"What is the Zero Trust security model based on?"

  • A) Trust but verify
  • B) Never trust, always verify ✅
  • C) Trust internal users
  • D) Trust based on location

📝 Quiz 18 Topics: MFA factors, Defender for Cloud, Zero Trust, conditional access, Key Vault, threat protection, compliance, managed identity


Session 18 Summary

🎯 Key Takeaways - Everything You Need for Quiz 18

🔐 Multi-Factor Authentication:

  • Three Factors: Something you know/have/are
  • Methods: SMS < Authenticator App < Passwordless
  • Most Secure: Windows Hello, FIDO2, Biometrics

🛡️ Microsoft Defender for Cloud:

  • Free: Security posture & recommendations
  • Premium: Advanced threat protection & JIT access
  • JIT Access: Time-limited VM access for security

🔒 Zero Trust & Advanced Security:

  • Zero Trust: Never trust, always verify
  • Azure Sentinel: Cloud SIEM & SOAR solution
  • Azure Bastion: Secure RDP/SSH without public IPs

🔑 Data Protection & Compliance:

  • Key Vault: Secure key & secret management
  • Encryption: AES-256 by default for storage
  • Managed Identity: No credentials in code

🎉 Azure Security Expert!

You now understand comprehensive Azure security including Multi-Factor Authentication, Microsoft Defender for Cloud, Zero Trust principles, and advanced threat protection. You're ready to secure any Azure environment!

MFA Implementation ✓ Defender for Cloud ✓ Zero Trust Model ✓ Threat Protection ✓ Data Security ✓ Compliance ✓

🚀 Ready for Quiz 18?

Perfect! You've mastered Azure security features from multi-factor authentication to advanced threat protection. Now test your knowledge with Quiz 18, covering all the essential security topics for AZ-900 certification.