Course Summary

This course provides IT Security Professionals with the knowledge and skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities. This course includes security for identity and access, platform protection, data and applications, and security operations.

Manage identity and access (25–30%)
Manage Microsoft Entra identities
Secure Microsoft Entra users

Secure Microsoft Entra groups

Recommend when to use external identities

Secure external identities

Implement Microsoft Entra ID Protection

Manage Microsoft Entra authentication
Configure Microsoft Entra Verified ID

Implement multi-factor authentication (MFA)

Implement passwordless authentication

Implement password protection

Implement single sign-on (SSO)

Integrate single sign on (SSO) and identity providers

Recommend and enforce modern authentication protocols

Manage Microsoft Entra authorization
Configure Azure role permissions for management groups, subscriptions, resource groups, and resources

Assign Microsoft Entra built-in roles

Assign Azure built-in roles

Create and assign custom roles, including Azure roles and Microsoft Entra roles

Implement and manage Microsoft Entra Permissions Management

Configure Microsoft Entra Privileged Identity Management

Configure role management and access reviews in Microsoft Entra

Implement Conditional Access policies

Manage Microsoft Entra application access
Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants

Manage Microsoft Entra app registrations

Configure app registration permission scopes

Manage app registration permission consent

Manage and use service principals

Manage managed identities for Azure resources

Recommend when to use and configure an Microsoft Entra Application Proxy, including authentication

Secure networking (20–25%)
Plan and implement security for virtual networks
Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)

Plan and implement user-defined routes (UDRs)

Plan and implement Virtual Network peering or VPN gateway

Plan and implement Virtual WAN, including secured virtual hub

Secure VPN connectivity, including point-to-site and site-to-site

Implement encryption over ExpressRoute

Configure firewall settings on PaaS resources

Monitor network security by using Network Watcher, including NSG flow logging

Plan and implement security for private access to Azure resources
Plan and implement virtual network Service Endpoints

Plan and implement Private Endpoints

Plan and implement Private Link services

Plan and implement network integration for Azure App Service and Azure Functions

Plan and implement network security configurations for an App Service Environment (ASE)

Plan and implement network security configurations for an Azure SQL Managed Instance

Plan and implement security for public access to Azure resources
Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management

Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies

Plan and implement an Azure Application Gateway

Plan and implement an Azure Front Door, including Content Delivery Network (CDN)

Plan and implement a Web Application Firewall (WAF)

Recommend when to use Azure DDoS Protection Standard

Secure compute, storage, and databases (20–25%)
Plan and implement advanced security for compute
Plan and implement remote access to public endpoints, including Azure Bastion and just-in-time (JIT) virtual machine (VM) access

Configure network isolation for Azure Kubernetes Service (AKS)

Secure and monitor AKS

Configure authentication for AKS

Configure security monitoring for Azure Container Instances (ACIs)

Configure security monitoring for Azure Container Apps (ACAs)

Manage access to Azure Container Registry (ACR)

Configure disk encryption, including Azure Disk Encryption (ADE), encryption as host, and confidential disk encryption

Recommend security configurations for Azure API Management

Plan and implement security for storage
Configure access control for storage accounts

Manage life cycle for storage account access keys

Select and configure an appropriate method for access to Azure Files

Select and configure an appropriate method for access to Azure Blob Storage

Select and configure an appropriate method for access to Azure Tables

Select and configure an appropriate method for access to Azure Queues

Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage

Configure Bring your own key (BYOK)

Enable double encryption at the Azure Storage infrastructure level

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance
Enable Microsoft Entra database authentication

Enable database auditing

Identify use cases for the Microsoft Purview governance portal

Implement data classification of sensitive information by using the Microsoft Purview governance portal

Plan and implement dynamic masking

Implement Transparent Database Encryption (TDE)

Recommend when to use Azure SQL Database Always Encrypted

Manage security operations (25–30%)
Plan, implement, and manage governance for security
Create, assign, and interpret security policies and initiatives in Azure Policy

Configure security settings by using Azure Blueprints

Deploy secure infrastructures by using a landing zone

Create and configure an Azure Key Vault

Recommend when to use a dedicated Hardware Security Module (HSM)

Configure access to Key Vault, including vault access policies and Azure Role Based Access Control

Manage certificates, secrets, and keys

Configure key rotation

Configure backup and recovery of certificates, secrets, and keys

Manage security posture by using Microsoft Defender for Cloud
Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory

Assess compliance against security frameworks and Microsoft Defender for Cloud

Add industry and regulatory standards to Microsoft Defender for Cloud

Add custom initiatives to Microsoft Defender for Cloud

Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud

Identify and monitor external assets by using Microsoft Defender External Attack Surface Management

Configure and manage threat protection by using Microsoft Defender for Cloud
Enable workload protection services in Microsoft Defender for Cloud, including Microsoft Defender for Storage, Databases, Containers, App Service, Key Vault, Resource Manager, and DNS

Configure Microsoft Defender for Servers

Configure Microsoft Defender for Azure SQL Database

Manage and respond to security alerts in Microsoft Defender for Cloud

Configure workflow automation by using Microsoft Defender for Cloud

Evaluate vulnerability scans from Microsoft Defender for Server

Configure and manage security monitoring and automation solutions
Monitor security events by using Azure Monitor

Configure data connectors in Microsoft Sentinel

Create and customize analytics rules in Microsoft Sentinel

Evaluate alerts and incidents in Microsoft Sentinel

Configure automation in Microsoft Sentinel

Successful learners will have prior knowledge and understanding of: Security best practices and industry security requirements such as defense in depth, least privileged access, role-based access control, multi-factor authentication, shared responsibility, and zero trust model. Be familiar with security protocols such as Virtual Private Networks (VPN), Internet Security Protocol (IPSec), Secure Socket Layer (SSL), disk and data encryption methods. Have some experience deploying Azure workloads. This course does not cover the basics of Azure administration, instead the course content builds on that knowledge by adding security specific information. Have experience with Windows and Linux operating systems and scripting languages. Course labs may use PowerShell and the CLI.

Manage identity and access (25–30%) Secure networking (20–25%) Secure compute, storage, and databases (20–25%) Manage security operations (25–30%)

Following your booking, a confirmation message will be sent to all participants, ensuring you're well-informed of your successful enrollment. Calendar placeholders will also be dispatched to assist you in scheduling your commitments around the course. Rest assured, all course materials and access to necessary labs or platforms will be provided no later than one week before the course begins, allowing you ample time to prepare and engage fully with the learning experience ahead.

Our comprehensive training package includes all the necessary materials and resources to facilitate a full learning experience. Enrollees will be provided with detailed course content, encompassing a wide array of topics to ensure a thorough understanding of the subject matter. Additionally, participants will receive a certificate of completion to recognize their dedication and hard work. It's important to note that while the course fee covers all training materials and experiences, the examination fee for certification is not included but can be purchased separately.

Questions About This Course?