COVERS FULL EXAM! SC-900 EXAM CRAM
Updated and expanded 7/26/21!

Exam DOMAINS for SC-900
01 Describe the Concepts of Security, Compliance, and Identity
02 Describe the capabilities of Microsoft Identity and Access Management Solutions
03 Describe the capabilities of Microsoft Security Solutions
04 Describe the Capabilities of Microsoft Compliance Solutions

For more exam prep and Azure tutorials, follow us on Youtube at https://bit.ly/azurevideos
What is an “evergreen” edition?
As updates are released for the exam, we will continuously update with short videos to cover “what’s new” in the latest update. Links to these short video updates will be added to this video’s Description.
Important note!
This list is not definitive or exhaustive.

What can you expect on the Microsoft SC-900 Exam?
It’s a FUNDAMENTALS exam! Single line, multiple choice questions, not deeply technical.
A pdf copy of the presentation is available in the video description!
FREE SC-900 practice quiz NOW AVAILABLE!!! (link in the video description)
Domain 01: Describe the Concepts of Security, Compliance, and Identity
1. Describe security methodologies
2. Describe security concepts
3. Describe Microsoft Security and compliance principles
Zero Trust
- Addresses the limitations of the legacy network perimeter-based security model.
- Treats user identity as the control plane.
- Assumes compromise / breach in verifying every request; no entity is trusted by default.
Pillars: VERIFY IDENTITY, MANAGE DEVICES, MANAGE APPS, PROTECT DATA
shared responsibility model
Stack layers (bottom to top): Networking, Storage, Servers, Virtualization, OS, Middleware, Runtime, Data, Applications
Who is responsible, by service model:
- On-premises: 100% YOURS (the customer owns every layer)
- IaaS: CSP owns Networking, Storage, Servers, Virtualization; customer owns OS, Middleware, Runtime, Data, Applications
- PaaS: CSP owns everything up through Runtime; customer owns Data and Applications
- SaaS: CSP owns the whole stack; the customer just configures features

CLOUD MODELS & SERVICES - IAAS
- CSP provides building blocks, like networking, storage and compute
- CSP manages staff, HW, and datacenter
- Examples: Azure Virtual Machines, Amazon EC2, GCP Compute Engine

CLOUD MODELS & SERVICES - PAAS
- Customer is responsible for deployment and management of apps
- CSP manages provisioning, configuration, hardware, and OS
- Examples: Azure SQL Database, API Management, Azure App Service

CLOUD MODELS & SERVICES - SAAS
- Customer just configures features.
- CSP is responsible for management, operation, and service availability.
Shared responsibility model (2021 edition) [image courtesy of Microsoft; columns: On-premises, IaaS, PaaS, SaaS]
- Responsibility always retained by customer
- Responsibility varies by service type
- Responsibility transfers to cloud provider
Better security in the cloud? Unique business value.
Defense in-Depth
A layered (defense in depth) approach that does not rely on one method to completely protect your environment.
Common threats
Data breach: when data is stolen, including personal data (PII).
Dictionary attack: these are programs with built-in dictionaries. They use all dictionary words to attempt to find the correct password, in the hope that a user has used a standard dictionary word.
Brute-force attack: this type of attack attempts to break the password by trying all possible key combinations and variations. Password complexity and the attacker’s tools and compute determine effectiveness.
MOST COMMON ATTACKS - WHAT IS RANSOMWARE?
Ransomware infects a target machine and then uses encryption technology to encrypt documents, spreadsheets, and other files stored on the system with a key known only to the malware creator. The user is then unable to access their files and receives an ominous pop-up message warning that the files will be permanently deleted unless a ransom is paid within a short period of time.
Ransomware is a trojan variant.
ransomware countermeasures & prevention
There are a number of countermeasures and prevention techniques:
Countermeasures (cloud-hosted email and file storage ease this process!)
- Back up your computer
- Store backups separately
- User awareness training
Controlled Folders protects against ransomware!
Prevention (AI-driven cloud services offer help with these)
- Update and patch computers
- Use caution with web links
- Use caution with email attachments
- Verify email senders
- Preventative software programs
Common threats: denial of service
Denial of service (DoS) is a class of attacks: a resource consumption attack intended to prevent legitimate activity on a victimized system.
Distributed denial of service (DDoS): a DoS attack utilizing multiple compromised computer systems as sources of attack traffic.
Mitigations: firewalls, routers, intrusion detection (IDS), disable broadcast packets entering/leaving, disable echo replies, patching.
Web application vulnerabilities
Used to compromise web front-ends and backend databases.
SQL injection attacks use unexpected input to a web application to gain unauthorized access to an underlying database. They are NOT new and can be prevented through good code practices: input validation, prepared statements, and limiting account privileges.
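The three code-level controls the slide lists (input validation, prepared statements, limited account privileges), shown side by side with the vulnerable pattern they replace. This is an added example, not from the deck or from Microsoft; it uses Python’s built-in sqlite3 module with a constructed in-memory users table, and the usernames and hash values are made up. SQLite has no user accounts, so `PRAGMA query_only` stands in for a low-privilege database login.

```python
"""SQL injection: vulnerable lookup beside its hardened form (added example)."""
import re
import sqlite3

# Allow-list for usernames: lowercase letters, digits, underscore, 1-32 chars (assumption).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data; password_hash values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", 0), ("bob", "hash-b", 1)])
    return conn


def lookup_vulnerable(conn, username: str):
    """VULNERABLE: user input is spliced into the SQL text, so the input can
    rewrite the query's logic instead of being treated as a value."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username: str):
    """HARDENED: prepared statement; the driver binds the input as data only."""
    return [row[0] for row in
            conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


def validate_username(username: str) -> bool:
    """Input validation: reject anything outside the allow-list before querying."""
    return USERNAME_RE.fullmatch(username) is not None


def read_only(conn) -> sqlite3.Connection:
    """Limit account privileges: the lookup path gets a connection that cannot write."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def can_write(conn) -> bool:
    """True if the connection is still able to modify the table."""
    try:
        conn.execute("INSERT INTO users VALUES ('mallory', 'x', 1)")
        return True
    except sqlite3.OperationalError:   # "attempt to write a readonly database"
        return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # textbook unexpected input: valid SQL, not a username
    print("vulnerable:", lookup_vulnerable(db, tautology))   # every row comes back
    print("safe:      ", lookup_safe(db, tautology))         # no row matches
    print("validated: ", validate_username(tautology))       # rejected up front
    print("writable:  ", can_write(read_only(db)))           # False
```

The vulnerable query becomes `... WHERE username = '' OR '1'='1'`, which is true for every row; the parameterized version compares against the literal string and returns nothing, and validation stops the request before any SQL runs at all.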
Common threats: attacks attackers use to exploit poorly written software.
Rootkit (escalation of privilege): freely available on the internet; exploits known vulnerabilities in various operating systems, enabling attackers to elevate privilege. Defense: keep security patches up-to-date, use anti-malware software.
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware uses to get onto your device (vulnerability = weakness). Malware exploits these vulnerabilities to bypass your computer's security safeguards and infect your device.
TYPES OF VIRUSES - WHAT IS A TROJAN?
A trojan is a software program that appears good and harmless but carries a malicious, hidden payload that has the potential to wreak havoc on a system or network.
Good defense? 1) Only allow software from trusted sources. 2) Don’t let users install software.
TYPES OF VIRUSES - WHAT IS A WORM?
A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. Spreads thru e-mail, text msg, file sharing, social networking.
ADDITIONAL ATTACKS AND CONCEPTS - ZERO-DAY
A zero-day attack uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people. Basic security practices can often prevent it! Today, AI-driven antivirus and EDR/XDR solutions are common.
Describe encryption: FUNDAMENTAL CONCEPTS
CONCEPT: Symmetric vs Asymmetric
Symmetric (example - AES): sender and recipient use a single shared key.
Asymmetric (example – SHA-2): each party has a public and (unshared) private key.

example: asymmetric cryptography
1. Franco sends a message to Maria, requesting her public key.
2. Maria sends her public key to Franco.
3. Franco uses Maria’s public key to encrypt the message and sends it to her.
4. Maria uses her private key to decrypt the message.

asymmetric key types
Public keys are shared among communicating parties. Private keys are kept secret.
- To encrypt a message: use the recipient’s public key.
- To decrypt a message: use your own private key.
- To sign a message: use your own private key.
- To validate a signature: use the sender’s public key.
Each party has both a private key and a public key!

digital signatures
A mathematical algorithm routinely used to validate the authenticity and integrity of a message. “Message” could mean an email, a credit card transaction, or a digital document.
- Creates a virtual fingerprint that is unique to a person or entity
- Relies on asymmetric (public key) cryptography and hash functions

hashing vs encryption
Encryption is a two-way function; what is encrypted can be decrypted with the proper key.
Hashing is a one-way function that scrambles plain text to produce a unique message digest; there is no way to reverse it if properly designed.

common uses
Symmetric: typically used for bulk encryption / encrypting large amounts of data.
Asymmetric: distribution of symmetric bulk encryption keys (shared key); identity authentication via digital signatures and certificates; non-repudiation services and key agreement.
Hash functions: verification of digital signatures; generation of pseudo-random numbers; integrity services (data integrity and authenticity).
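A single walk-through of the Franco/Maria exchange, the four key-usage rules, and the hashing-vs-encryption distinction above, as an added example that is not part of the deck. The asymmetric part is textbook RSA with deliberately tiny primes so every step is visible; the digest is SHA-256 (a SHA-2 hash) from Python’s standard library. The primes, the names and the message are assumptions; real deployments use 2048-bit keys with OAEP/PSS padding, and a signature is always computed over the hash rather than the raw message.

```python
"""Textbook RSA + SHA-256: encrypt/decrypt, sign/verify, one-way hashing (added example)."""
import hashlib
from math import gcd


def make_textbook_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) = ((e, n), (d, n)) for small primes p, q. Demo only, NOT secure."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, public_key) -> int:
    """Encrypt with the RECIPIENT's public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("textbook RSA: message must be smaller than n")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Decrypt with your OWN private key (two-way: the key reverses it)."""
    d, n = private_key
    return pow(c, d, n)


def sha256_hex(data: bytes) -> str:
    """One-way digest: same input -> same digest, but no key can recover the input."""
    return hashlib.sha256(data).hexdigest()


def _digest_mod_n(data: bytes, n: int) -> int:
    # Real schemes pad the digest (PSS); here the 256-bit digest is reduced
    # mod n so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    """Sign with your OWN private key; the signature covers the hash, not the data."""
    d, n = private_key
    return pow(_digest_mod_n(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Validate with the SENDER's public key: proves integrity and authenticity."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(data, n)


def demo_exchange() -> dict:
    """Franco -> Maria as on the slide: Maria shares her public key, Franco
    encrypts with it, Maria decrypts with her private key. Franco also signs
    the message with his own private key so Maria can check who sent it."""
    maria_pub, maria_priv = make_textbook_keypair(61, 53)     # constructed keys
    franco_pub, franco_priv = make_textbook_keypair(47, 59)
    secret_number = 42                                        # the "message" (must be < n)
    note = b"pay 42"
    ciphertext = encrypt(secret_number, maria_pub)
    signature = sign(note, franco_priv)
    return {
        "ciphertext": ciphertext,
        "decrypted": decrypt(ciphertext, maria_priv),
        "signature_ok": verify(note, signature, franco_pub),
        "tampered_ok": verify(b"pay 43", signature, franco_pub),  # altered message fails
    }


if __name__ == "__main__":
    print(demo_exchange())
    print(sha256_hex(b"hello"))
```

Note what each key does in `demo_exchange`: Maria’s public key encrypts and only her private key decrypts, while Franco’s private key signs and anyone holding his public key verifies. Changing a single byte of the note changes its SHA-256 digest, so the old signature no longer matches.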
Microsoft’s PRIVACY principles (ETHICAL)
1 Control: enabling you to determine what data is collected and with whom it’s shared.
2 Transparency: being transparent about data collection and use so that everyone can easily make informed decisions.
3 Security: protecting the data that's entrusted to Microsoft by using strong security and encryption.
4 Strong legal protections: respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right.
5 No content-based targeting: not using email, chat, files, or other personal content to target advertising.
6 Benefits to you: when Microsoft does collect data, it's used to benefit you, the customer, and to make your experiences better.
Microsoft Security and compliance principles: Service Trust Portal
Provides a variety of content, tools, and other resources about Microsoft security, privacy, and compliance practices (key word is “resources”):
- Audit reports from ISO, NIST, SOC, FedRAMP, GDPR and more
- Data protection resources, like whitepapers, FAQs, risk assessment tools, and compliance guides
- Azure security and compliance blueprints (guidance for several industry verticals)
https://aka.ms/STP
Domain 02: Describe the capabilities of Microsoft Identity and Access Management Solutions
1. Define identity principles/concepts
2. Describe the basic identity services and identity types of Azure AD
3. Describe the authentication capabilities of Azure AD
4. Describe access management capabilities of Azure AD
5. Describe the identity protection & governance capabilities of Azure AD
Traditional Architecture vs Zero Trust Architecture [figure]
- Traditional: a network security perimeter surrounds the organization; inside is trusted, while cloud services and the mobile workforce (WFH, BYOD) sit outside, untrusted.
- Zero Trust security model: security is based on identity, not on the network perimeter. Identity sits at the center of apps & data, remote employees, hybrid cloud, personal devices, mobile devices, and vendors & contractors.
Trust must be earned; compliance must be proven.
identify core azure identity services: Identity
Authentication (AuthN) is the process of proving that you are who you say you are.
Authorization (AuthZ) is the act of granting an authenticated party permission to do something.
AuthN and AuthZ together control Access.
identity providers
An identity provider creates, maintains, and manages identity information while providing authentication services to applications. When sharing apps and resources with external users, Azure AD is the default identity provider.

Active Directory
A set of directory services developed by Microsoft as part of Windows 2000 for on-premises domain-based networks. Gives organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user. Does not natively support mobile devices, SaaS or LOB apps that require modern authentication.
Key terms: Forest, domain, LDAP, Kerberos, replication
describe the concept of Federated services
Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. Often includes a number of organizations that have established trust for shared access to a set of resources.
You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises. Allows administrators to implement more rigorous levels of access control (certificate authentication, key fob, card token).

identity federation (example) [figure; identity providers may be cloud or on-premises, e.g. Twitter, Azure AD]
- idP-A trusts idP-B
- The user authenticates with idP-B
- The website (app or services) authenticates with idP-B
- Result: shared access between user and website
Trust is not always bi-directional.
describe common identity attacks
Dictionary attack: these are programs with built-in dictionaries. They use all dictionary words to attempt to find the correct password, in the hope that a user has used a standard dictionary word.
Brute-force attack: this type of attack attempts to break the password by trying all possible key combinations and variations.
Password spray: attempts to match a username against a list of weak passwords. Defense: the Azure AD global banned password list.
PHISHING ATTACKS
Commonly used to try to trick users into giving up personal information (such as user accounts and passwords), clicking a malicious link, or opening a malicious attachment.
- Spear phishing targets specific groups of users.
- Whaling targets high-level executives.
- Vishing uses VoIP technologies.
Best defenses are user education and Defender for O365!
identify core azure identity services: Azure AD
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources like:
- Internal resources, such as apps on your corporate network or custom cloud apps
- External resources, such as Microsoft 365, the Azure portal, and many SaaS apps
Describe azure ad identities
User: a representation of something that's managed by Azure AD. Employees and guests are represented as users in Azure AD.
Service Principal: a security identity used by applications or services to access specific Azure resources.
Managed Identity: an identity automatically managed in Azure AD.
- System-assigned: created for and tied to a specific resource.
- User-assigned: a standalone Azure resource with its own lifecycle.
System-assigned (where supported) is recommended.
Device: a piece of hardware, such as mobile devices, laptops, servers, or printers. Can be set up in different ways in Azure AD, including:
- Azure AD registered: often personal / BYOD devices; devices can be Windows 10, iOS, Android, or macOS devices.
- Azure AD joined: devices exist only in the cloud. Azure AD joined devices are owned by an organization and signed in with their account.
- Hybrid Azure AD joined: can exist on-prem or in the cloud; devices can be Windows 7, 8.1, or 10, or Windows Server 2008, or newer. Owned by an organization and signed in with an Active Directory Domain Services account.
Describe Hybrid identity [figure]
Azure AD Connect performs identity sync (users, groups, contacts) from on-premises Active Directory to Azure AD, which in turn serves Office 365 and apps for users & devices.
Get familiar with Azure AD Connect cloud sync.
external identity types
Two types of external identities:
Work (Azure AD) accounts: allows you to share your org’s applications and services with guest users from other orgs, while maintaining control over your own data. Uses an invitation and redemption process, allowing external users to access your resources with their credentials.
Social (personal) identities: Azure AD B2C is a customer identity access management solution. Allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on to your applications.
core azure identity services
Single Sign-on (SSO), MFA, Conditional Access
Azure RBAC helps you manage who has access to Azure resources, what they can do with those resources, and which resources/areas they have access to. Built on Azure Resource Manager and provides fine-grained access management of Azure resources. One element of implementing “least privilege”.
Describe Self-service password reset (Azure AD SSPR)
A feature of Azure AD that allows users to change or reset their password, without administrator or help desk involvement.
- Password change: when a user knows their password but wants to change it to something new.
- Password reset: when a user can't sign in, such as when they forget the password, and want to reset it.
- Password unlock: when a user can't sign in because their account is locked out.
Saves time and money, improves productivity and security.
AZURE AD PASSWORD PROTECTION & MANAGEMENT
Reduces the risk of users setting weak passwords by detecting and blocking known weak passwords and their variants.
- Global banned password list: a list of known weak passwords that is automatically updated and enforced by Microsoft (maintained by the Azure AD Identity Protection team).
- Custom banned password lists: prohibit passwords such as the organization name or location; should be focused on org-specific terms.
- Protects against password spray: blocks all known weak passwords likely to be used in password spray attacks, based on real-world security telemetry data from Azure AD.
- Provides hybrid security: can integrate Azure AD Password Protection with an on-premises ADDS environment.
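What “known weak passwords and their variants” means in practice, as an added example that is not Microsoft’s code: a simplified banned-password evaluator modelled on the documented behaviour of Azure AD Password Protection (normalize common character substitutions, match banned terms, then score). The substitution table, the banned terms and the threshold of five points are assumptions for illustration; the real service maintains its own lists and normalization rules.

```python
"""Simplified banned-password check in the style of Azure AD Password Protection (added example)."""

# Substitutions users and attackers both rely on; the real service applies its own
# normalization table (assumption: this subset).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed lists: a few global-style weak terms plus org-specific terms
# (organization name and location, as the slide recommends for the custom list).
GLOBAL_BANNED = frozenset({"password", "qwerty", "letmein"})
CUSTOM_BANNED = frozenset({"contoso", "redmond"})
ALL_BANNED = GLOBAL_BANNED | CUSTOM_BANNED


def normalize(password: str) -> str:
    """Lower-case and undo the usual substitutions so variants collapse to one form."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned=ALL_BANNED):
    """Score as the documented algorithm does: each banned term found counts as
    ONE point no matter how long it is; every remaining character counts one point.
    Returns (score, list of banned terms that were found)."""
    remaining = normalize(password)
    hits = []
    for term in sorted(banned, key=len, reverse=True):   # longest terms first
        while term in remaining:
            hits.append(term)
            remaining = remaining.replace(term, "", 1)
    return len(hits) + len(remaining), hits


def is_allowed(password: str, banned=ALL_BANNED, threshold: int = 5) -> bool:
    """Accept only when the score reaches the threshold (assumption: 5 points)."""
    score, _ = score_password(password, banned)
    return score >= threshold


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Contoso1!", "Redmond-Contoso!", "Contoso-Spring2021"]:
        score, hits = score_password(candidate)
        print(f"{candidate:22} normalized={normalize(candidate):22} "
              f"score={score:2} banned_terms={hits} allowed={is_allowed(candidate)}")
```

The scoring is what makes this more than a substring check: "P@ssw0rd" normalizes to "password" and scores a single point, and stacking two banned terms ("Redmond-Contoso!") still scores only four, whereas a long password that merely contains the org name can pass. That last case is why the slide pairs the banned list with MFA and user education rather than treating it as the whole defense.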
identify core azure identity services: Single Sign-on (SSO)
Single sign-on means a user doesn't have to sign into every application they use. The user logs in once and that credential is used for multiple apps. Single sign-on based authentication systems are often called "modern authentication".

identify core azure identity services: MFA
Azure AD MFA works by requiring two or more of the following authentication methods:
- Something you know (pin or password)
- Something you have (trusted device)
- Something you are (biometric)
Methods: Authenticator app, Voice call, SMS (text msg), OATH HW token
Describe windows hello for business
An authentication feature built into Windows 10 that replaces passwords with strong two-factor authentication on PCs and mobile devices. Allows users to authenticate to:
– A Microsoft account
– An Active Directory account
– An Azure Active Directory account
– Identity Provider Services OR Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication
Windows Hello is for personal devices and uses a pin or biometric gesture; Windows Hello for Business always uses key-based or certificate-based authentication.
identify core azure identity services: Conditional Access
Used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Improves security by enforcing conditions of access.
azure ad conditional access [image credit: Microsoft]
Benefits of azure ad roles
- Control permissions to manage Azure AD resources
- Supports built-in and custom roles
- Enable enforcement of least privilege
Custom roles require an Azure AD Premium P1 or P2 license.

What is identity governance? It addresses 4 key questions:
- Which users should have access to which resources?
- What are those users doing with that access?
- Are there effective organizational controls for managing access?
- Can auditors verify that the controls are working?
Describe Entitlement management
An identity governance feature that enables organizations to manage identity and access lifecycle at scale. Automates access request workflows, access assignments, reviews, and expiration.
Add resources, like groups, teams, apps, and SharePoint sites to an access package. Then, specify permissions for each resource by selecting a role from the drop-down list. Related resources and access packages are stored in a “catalog”.

Describe access reviews IN AZURE AD
- Ensure that only the right people have access to resources.
- Eliminate excessive rights due to changes in job roles, project status, etc.
- Create access reviews for teams or group membership, as well as application access.
Do not confuse this with access reviews in PIM.
Describe PRIVILEGED IDENTITY MANAGEMENT
What is Privileged Identity Management (PIM)?
A service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor role access. Includes resources in Azure AD, Azure, and other Microsoft online services such as Microsoft 365 or Microsoft Intune. Mitigates the risks of excessive, unnecessary, or misused access permissions by requiring justification of role activation.
Privileged Identity Management requires Azure AD Premium P2.
What functionality does PIM provide?
- Just in time access, providing access through privileged roles only when needed, and not before.
- Time-bound access, by assigning start and end dates that indicate when a user can access resources.
- Approval-based access, requiring specific approval to activate privileges.
- Visible, sending notifications when privileged roles are activated.
- Auditable, allowing a full access history to be downloaded.
Describe azure ad identity protection
A tool that allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks
- Investigate risks using data in the portal
- Export risk detection data to third-party utilities for further analysis
Enables consideration of risk in Azure AD Conditional Access.
Uses the following signals to calculate risk:
– Atypical travel
– Anonymous IP address
– Unfamiliar sign-in properties
– Sign-in from malware linked IP
– Leaked credentials
– Password spray
– Azure AD threat intelligence
Requires Azure AD Premium P2.
Azure AD Identity Protection with conditional access [image credit: Microsoft]
Domain 03: Describe the capabilities of Microsoft Security Solutions
1. Describe basic security capabilities in Azure
2. Describe security management capabilities of Azure
3. Describe security capabilities of Azure Sentinel
4. Describe threat protection with Microsoft 365 Defender (formerly Microsoft Threat Protection)
5. Describe security management capabilities of Microsoft 365
6. Describe endpoint security with Microsoft Intune
Describe azure network security: Network Security Group (NSG)
Contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination port and protocol. Can be applied to a subnet or a network adapter (NIC).
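How NSG rules decide a packet’s fate, as an added example that is not from the deck or from Azure itself: a small evaluator that models the rule fields the slide names (direction, protocol, source, destination port, allow/deny) plus the ordering rule that trips people up in practice, namely that rules are processed in ascending priority number and the first match wins, so a Deny at priority 4000 cannot override an Allow at priority 100. The rule set is constructed; only the `DenyAllInBound` default is modelled (the real defaults also allow VirtualNetwork and AzureLoadBalancer traffic via service tags, which this code does not implement).

```python
"""Toy NSG rule evaluator: ascending priority, first match wins (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # lower number is evaluated first; custom rules use 100-4096
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR or "*"  (service tags are not modelled here)
    dest_port: str       # "443", "1000-2000" or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: Iterable[NsgRule], direction: str, protocol: str,
             source_ip: str, port: int) -> Tuple[str, str]:
    """Return (access, rule name) for the first rule that matches, in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_matches(rule.source, source_ip):
            continue
        if not _port_matches(rule.dest_port, port):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule matched>"   # unreachable while a DenyAll default is present


# Constructed rule set: a web server that admins reach over SSH only from one subnet.
EXAMPLE_RULES = [
    NsgRule("allow-https",          100,   "Inbound", "Allow", "Tcp", "*",           "443"),
    NsgRule("allow-ssh-from-admin", 110,   "Inbound", "Allow", "Tcp", "10.0.0.0/24", "22"),
    NsgRule("deny-ssh",             200,   "Inbound", "Deny",  "Tcp", "*",           "22"),
    NsgRule("deny-web-late",        4000,  "Inbound", "Deny",  "Tcp", "*",           "443"),  # never wins
    NsgRule("DenyAllInBound",       65500, "Inbound", "Deny",  "*",   "*",           "*"),    # Azure default
]


def decide(protocol: str, source_ip: str, port: int) -> Tuple[str, str]:
    """Convenience wrapper for inbound checks against EXAMPLE_RULES."""
    return evaluate(EXAMPLE_RULES, "Inbound", protocol, source_ip, port)


if __name__ == "__main__":
    for proto, ip, port in [("Tcp", "203.0.113.5", 443), ("Tcp", "10.0.0.7", 22),
                            ("Tcp", "203.0.113.5", 22), ("Udp", "203.0.113.5", 443)]:
        print(proto, ip, port, "->", decide(proto, ip, port))
```

Reading the output against the rule table shows the two things worth remembering for the exam and for real reviews: a matching rule with a lower priority number stops evaluation (the priority-4000 deny is dead), and anything no custom rule mentions falls through to the default `DenyAllInBound`.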
Describe azure network security: Azure DDoS
Standard tier provides enhanced DDoS mitigation features to defend against DDoS attacks. Also includes logging, alerting, and telemetry not included in the free Basic tier present by default.

Describe azure firewall
A managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Azure Firewall Manager enables central management of multiple Azure Firewall instances, across Azure regions and subscriptions.
Describe azure Bastion
A fully managed PaaS service that provides seamless RDP and SSH access to your VMs directly through the Azure Portal. It requires no public IP and no RDP client.
Describe azure web application firewall (WAF)
Provides centralized protection of your web applications from common exploits and vulnerabilities. WAF on Application Gateway is based on Core Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project (OWASP). The WAF automatically updates to include protection against new vulnerabilities, with no additional configuration needed.
Protects against common attacks like SQL injection and cross-site scripting.
Describe the ways azure encrypts data
How does Azure encrypt different types of data?
- Azure Storage Service Encryption (encrypted by default): helps protect data at rest by automatically encrypting it before persisting it to Azure-managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage.
- Azure Disk Encryption: helps you encrypt Windows and Linux IaaS VM disks, using BitLocker (Windows) and the dm-crypt feature of Linux to encrypt OS and data disks.
- Transparent data encryption (TDE): helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity with real-time encryption and decryption of the database, backups, and transaction log files at rest, without requiring app changes.
Describe the ways azure encrypts data
Key Vault
A cloud service for centralized secure storage and access for application secrets.
A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys.
Describe azure security features
Azure Security Center
A unified infrastructure security management system that strengthens the security posture of your data centers (cloud and on-premises).
Provides security guidance for compute, data, network, storage, app, and other services.
Describe azure secure score
Secure Score
Analytics tool that answers the question “how secure is my workload?”
Main goals of Secure Score:
- Visualization of the security posture
- Fast triage and suggestions to provide meaningful action to increase security posture
- Measurement of the workload security over time
Focused on cloud infrastructure (shown in Security Center).
Security Center constantly reviews your active recommendations and calculates your secure score based on them.
The score of a recommendation is derived from its severity and security best practices.
The score is calculated based on the ratio between your healthy resources and your total resources.
To improve your secure score, implement recommendations!
security baselines for azure
A baseline is the implementation of the benchmark on the individual Azure service.
Developed by Microsoft's cybersecurity group and the Center for Internet Security (CIS).
Focuses on cloud-centric control areas including: network security, identity management, posture and vulnerability management, and endpoint security.
Appears under ‘Regulatory compliance’ in Azure Security Center.
security baselines for azure
Control: a high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation.
A control is expressed as a Benchmark: contains security recommendations for a specific technology, such as Azure.
A benchmark is implemented through a Baseline: the implementation of the benchmark on the individual Azure service.
azure defender
Two pillars of Azure Security Center functionality:
- Cloud security posture management (CSPM), Free tier: includes CSPM features such as secure score, detection of security misconfigurations in your Azure workloads, and asset inventory.
- Cloud workload protection platform (CWPP), Standard tier: brings a range of security features for advanced, intelligent protection of your Azure and hybrid resources and workloads.
azure defender (CWPP) Standard tier functionality
Protects the following Azure workloads:
- Servers
- App Service
- Storage
- SQL
- Kubernetes
- ACR
- Key Vault
- Resource Manager
- DNS
- Open-source Azure DB
You can also add regulatory standards, like NIST, Azure CIS, and others, for a more customized view of your compliance.
SIEM and SOAR use AI, ML, and threat intelligence
Security Information and Event Management (SIEM)
A system that collects data from many other sources within the network.
Provides real-time monitoring, analysis, correlation & notification of potential attacks.
Security Orchestration, Automation, & Response (SOAR)
Centralized alert and response automation with threat-specific playbooks.
Response may be fully automated or single-click.
Microsoft delivers these capabilities together in Azure Sentinel.
Extended detection and response leverages AI, ML, and threat intelligence
eXtended Detection and Response (XDR)
Integrates security visibility across an organization's entire infrastructure.
Provides visibility into endpoints, cloud infrastructure, mobile devices, apps, etc.
Supports proactive threat hunting and can also respond automatically to identified threats.
EDR is focused on protecting the endpoint, providing in-depth visibility and threat prevention for a particular device.
XDR takes a wider view, integrating security across endpoints, cloud computing, email, and other solutions.
Extended detection and response leverages AI, ML, and threat intelligence
XDR refers to the scope and context of investigation and hunting across Identity, Endpoints, Apps, Infrastructure, and Data.
Provides visibility into endpoints, cloud infrastructure, mobile devices, apps, etc.
Microsoft 365 Defender and Azure Defender provide integrated threat protection.
SIEM and SOAR
Azure Sentinel
Provides visibility and context across silos, including applications, identities, endpoints, and data.
Provides greater context into the scope of the security incident.
Describe Microsoft 365 defender services
- Identity: MS Defender for Identity
- Apps: MS Cloud App Security
- Endpoints: MS Defender for Endpoint
- Email/Collab: MS Defender for Office 365
Describe Microsoft defender for identity
MS Defender for Identity (Identity)
Formerly Azure Advanced Threat Protection (ATP).
A cloud-based security solution that leverages your on-premises Active Directory signals.
Identifies, detects, and investigates advanced threats, compromised identities, and malicious insider actions.
Requires on-premises Active Directory!
Describe Microsoft defender for office 365
MS Defender for Office 365 (Email/Collab)
Formerly Office 365 Advanced Threat Protection.
Safeguards your org against malicious threats in email, links (URLs), and collaboration tools.
Includes Safe Links and Safe Attachments for detonation of potentially malicious email content.
Anti-phishing protection and attack simulation.
Describe Microsoft defender for endpoint
MS Defender for Endpoint (Endpoints)
Formerly Microsoft Defender Advanced Threat Protection (MDATP).
An enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Includes EDR, attack surface reduction, automated investigations, and advanced hunting.
The sensor is built in to Windows 10.
Describe Microsoft 365 defender services
MS Cloud App Security (Apps)
A Cloud Access Security Broker (CASB) designed to detect and stop shadow IT.
Provides visibility over data travel and analytics to identify threats over MS and 3rd party cloud services.
Natively integrates with multiple other Microsoft services and solutions.
Describe Microsoft 365 security center
It is the new home for monitoring and managing security across your Microsoft identities, data, devices, and apps.
You can view the security health of your organization.
New Experience
The new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and MCAS data into the Microsoft 365 security center.
https://security.microsoft.com
How to use Microsoft secure score
Secure Score
Purpose is to help orgs improve security posture for Microsoft 365 services.
Focuses on three distinct categories:
- Identity (Azure AD accounts and roles)
- Devices (MS Defender for Endpoint)
- Apps (email and cloud apps, including Office 365 and MCAS)
Recommendations are sorted by potential impact to your score.
security reports and dashboards
Reports and Dashboards
The Reports section shows cards with these categories:
- Identities: user accounts and credentials
- Data: email and document contents
- Devices: computers, mobile phones, and other devices
- Apps: programs and attached online services
incident management in m365 security center
Incident management capabilities in Microsoft 365
Incidents
Incidents are a collection of correlated alerts created when a suspicious event is found.
Alerts are generated from different device, user, and mailbox entities, and can come from many different domains.
Provides a comprehensive view and context of an attack.
Incident management
You can manage incidents on devices, user accounts, and mailboxes from the incident queue.
Incidents are auto-assigned and named but can be updated.
what is Microsoft intune?
Microsoft Intune
A cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).
Manage iOS/iPadOS, Android, Windows, and macOS devices securely.
MAM policies enable app-centric protection on personal devices in BYOD scenarios.
endpoint security with intune
Endpoint Security
- Manage devices
- Manage security baselines
- Use endpoint security policies
- Use device compliance policy
- Device and app-based Conditional Access
- Defender for Endpoint integration
Microsoft endpoint manager admin center
MEM Admin Center
Combines services, including Microsoft Intune, Configuration Manager, Desktop Analytics, co-management, and Windows Autopilot.
Essentially the same user experience, but with all functionality in a single portal.
https://endpoint.microsoft.com
Exam DOMAINS for SC-900
04 Describe the Capabilities of Microsoft Compliance Solutions
1. Describe the compliance management capabilities in Microsoft 365
2. Describe information protection and governance capabilities of Microsoft 365
3. Describe insider risk capabilities in Microsoft 365
4. Describe the eDiscovery capabilities of Microsoft 365
5. Describe the audit capabilities in Microsoft 365
6. Describe resource governance capabilities in Azure
Compliance Center
Integrated solutions for information protection, information governance, insider risk management, discovery, and more.
https://compliance.microsoft.com
Compliance manager
Compliance Manager
Measures your progress in completing actions that help reduce risks around data protection and regulatory standards.
Includes hundreds of baselines for regulatory standards called “assessment templates”: GDPR, HIPAA, FINRA, NIST 800-53, and more.
https://compliance.microsoft.com/compliancemanager
Compliance score
Compliance Score
Provides a rollup of compliance based on the assessment items within the template.
The score shows org versus Microsoft responsibilities (MSFT defaults help).
Improvement actions are categorized as technical and operational items.
Assessments include hundreds of items, so remediation may take many weeks or months.
data classification
Data Classification
Admins can identify and protect sensitive information types.
Dozens of built-in sensitive information types based on patterns defined in a regular expression (regex) or a function.
Trainable classifiers use artificial intelligence and machine learning to intelligently classify your data.
Used with forms, like contracts and invoices.
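Added example, not from this deck and not Microsoft's built-in catalogue: a minimal model of a sensitive information type (SIT) made of a regex pattern, an optional validation function (a Luhn checksum stands in for the "function" part), and supporting keywords that raise the confidence level when found near a match. The SIT definitions and sample documents are constructed.

```python
"""Constructed model of a sensitive information type (SIT): regex pattern,
optional validation function, supporting keywords within a proximity window.
Study model only; the definitions below are not Microsoft's built-in SITs."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class SensitiveInfoType:
    name: str
    pattern: "re.Pattern[str]"
    validate: Optional[Callable[[str], bool]] = None  # the "function" part
    keywords: List[str] = field(default_factory=list)  # supporting elements
    proximity: int = 300  # characters around the match searched for keywords


# Constructed SIT definitions (assumptions for this example)
CARD_NUMBER = SensitiveInfoType(
    name="Credit Card Number",
    pattern=re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
    validate=luhn_ok,
    keywords=["card", "visa", "mastercard", "expires", "cvv"],
)
SSN_LIKE = SensitiveInfoType(
    name="SSN-like",
    pattern=re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    keywords=["ssn", "social security"],
)


def classify(text: str, sits: List[SensitiveInfoType]) -> List[Tuple[str, str, str]]:
    """Return (SIT name, matched value, confidence) for each validated match."""
    found = []
    for sit in sits:
        for m in sit.pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if sit.validate and not sit.validate(digits):
                continue  # pattern matched but checksum failed: not a true positive
            window = text[max(0, m.start() - sit.proximity): m.end() + sit.proximity].lower()
            confidence = "high" if any(k in window for k in sit.keywords) else "medium"
            found.append((sit.name, m.group(), confidence))
    return found


# Constructed sample documents
SAMPLE_DOCS = {
    "order_email": "Charge my Visa card 4111 1111 1111 1111, it expires 12/27.",
    "shipping_note": "Tracking 1234567890123456 is on its way, ref 5555555555554444.",
    "hr_form": "Employee SSN 123-45-6789 is on file.",
}


def demo() -> Dict[str, List[Tuple[str, str, str]]]:
    return {name: classify(doc, [CARD_NUMBER, SSN_LIKE]) for name, doc in SAMPLE_DOCS.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The shipping note shows both halves of the model: the tracking number matches the regex but fails the checksum and is dropped, while the second number passes the checksum but has no supporting keyword nearby, so it is reported at medium confidence only.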
content explorer & activity explorer
Content explorer shows a current snapshot of items that have a sensitivity or retention label or have been classified as a sensitive information type.
What has been labeled / classified?
Activity explorer allows you to monitor what's being done with your labeled content through a historical view of activities on your labeled content.
What is being done with labeled content?
Both appear under ‘Data classification’ in Microsoft 365 Compliance.
sensitivity labels
Data Classification
Enable the labeling and protection of content, without affecting productivity and collaboration.
Organizations can decide on labels to apply to content such as emails and documents.
Sensitivity labels are much like different stamps you can apply to physical documents.
Sensitivity labels implement data classification. Label policies apply protection to documents with specific labels.
Retention Policies and Retention Labels
Retention policies are used to assign the same retention settings to content at a site level or mailbox level.
A single policy can be applied to multiple locations, or to specific locations or users.
Retention labels are used to assign retention settings at an item level, such as a folder, document, or email.
An email or document can have only a single retention label assigned to it at a time.
Retention labels and policies help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted.
Records Management (often tied to a regulatory requirement)
What is a record? (record characteristics)
Records are often considered synonymous with documents, but they include one important characteristic that makes them unique:
Records include evidence of a particular business activity, requiring them to be stored and retained over an extended period.
This means specifying a retention period AND a disposition.
Records management in Microsoft 365 supports disposition reviews, notifications and reminders, so you can confirm deletion is appropriate.
describe Data Loss Prevention (DLP)
Data Loss Prevention
DLP is a way to protect sensitive information and prevent its inadvertent disclosure.
It can identify, monitor, and automatically protect sensitive information across Microsoft 365.
DLP reports show content that matches the organization's DLP policies.
Policies can be applied to Exchange, SharePoint, OneDrive, etc.
How DLP policy evaluation works
1. Content is created or changed.
2. Search crawls the new or changed content.
3. The search index is updated.
4. DLP policies query the search index.
5. DLP policies take action on any results.
Changes may result in a temporary difference between AIP and DLP.
Compliance in Microsoft 365
Insider Risk Management
Communication Compliance
Information Barrier
Privileged Access Management (PAM)
Customer Lockbox
insider risk management solution
A solution in Microsoft 365 that helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities.
Can help detect illegal, inappropriate, unauthorized, or unethical behavior and actions within an org.
Helps organizations to identify, investigate, and address internal risks.
Insider risk case: Policies → Alerts → Triage → Investigate → Action
Collaboration: Compliance, HR, Legal, Security
describe communication compliance
Communication Compliance
Helps minimize communication risks by enabling organizations to detect, capture, and take remediation actions for inappropriate messages.
Ensures employees are treating one another properly.
describe information barriers
Information Barriers
Enables administrators to define policies to allow or prevent communications between groups of users within the org.
Teams, SharePoint Online, and OneDrive for Business support information barriers.
Helpful in restricting communications that may result in a conflict of interest or regulatory breach.
describe privileged access management
Privileged Access Management
Allows granular access control over privileged admin tasks in Microsoft 365.
Prevents breaches that use existing privileged admin accounts with standing access to sensitive data and settings.
Implemented through a ‘privileged access policy’.
PIM vs PAM
Privileged Identity Management (PIM): focuses on privileged roles in Azure and Azure AD.
Privileged Access Management (PAM): focuses on privileged admin tasks in Microsoft 365.
Both provide time-limited elevation and just-in-time access.
What is Office 365 Customer Lockbox?
Customer Lockbox Flow
1. Customer creates a support ticket.
2. Microsoft engineer creates a support ticket.
3. Lockbox system receives the approval request.
4. Microsoft manager approves the request.
5. Customer approves the request.
6. Microsoft engineer (access granted).
The customer grants access to content!
Customer Lockbox Data Access Flow
Access is granted for a limited duration.
All access and activities are logged.
Purpose of e-discovery
The process of identifying and delivering electronic information that can be used as evidence in legal cases.
Content search: consists of searches and exports, but not holds.
Core eDiscovery: you can add sources, create holds and queries, export case results, and manage the life cycle of your case.
Advanced eDiscovery: add custodians, automate notifications, view jobs, additional settings.
describe content search tool
Content Search Tool
Search for in-place content such as email, documents, and instant messaging conversations in your organization.
Use it to search for content in Exchange Online, SharePoint, OneDrive, Teams, M365 groups, and Yammer groups.
You’ll also see mentions of ‘Content search eDiscovery tool’.
core eDiscovery workflow
After you create an eDiscovery case…
1. Create eDiscovery holds
2. Search for content
3. Export and download search results
Advanced eDiscovery workflow
1. Create an eDiscovery case
2. Add custodians to a case
3. Search custodial data sources
4. Add data to review set
5. Review and analyze data in review set
6. Export and download case data
Data governance
Azure Purview
A unified data governance service that helps you manage and govern on-premises, multi-cloud, and software-as-a-service (SaaS) data.
Create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.
Data lineage: data origin, what happens to it, and where it moves over time.
describe the core audit capabilities of M365
Core Audit Capabilities
Allows organizations to view user and admin activity through a unified audit log.
Supports the search of many user and/or admin activities across Microsoft 365 services.
Supports Dynamics 365, Microsoft Power Apps, Microsoft Power Automate, Power BI, Azure Active Directory, and more.
describe value of Advanced Auditing
Advanced Auditing
Use it to conduct forensic and compliance investigations by increasing audit log retention.
Increasing log retention provides access to crucial events that help determine the scope of compromise.
Also provides faster access to the Office 365 Management Activity API.
Advanced audit capabilities require a Microsoft 365 E5 license.
Describe azure resource governance capabilities
Resource Governance
Governance provides mechanisms and processes to maintain control over your resources in Azure.
For the exam, know the capabilities of Azure resource locks, Azure Blueprints, and Azure Policy.
Just to be safe, we will discuss initiatives, tags, and management groups as well!
Describe azure resource governance capabilities
Resource Locks
Prevent other users in your organization from accidentally deleting or modifying critical resources.
The lock overrides any permissions the user might have.
Cloud Adoption Framework
Guidance designed to help you create and implement the business and technology strategies to succeed in Azure.
Define Strategy → Plan → Ready → Adopt (Migrate, Innovate): design and implementation
Govern, Manage: enforce standards, ongoing admin
cloud governance
Policy, Initiative, Blueprint
Policy: the definition of the conditions which you want to control/govern.
Initiative: a collection of Azure policy definitions that are grouped together towards a specific goal.
Blueprint: a container for composing sets of standards, patterns, and requirements for implementation of Azure cloud services, security, and design. Often used in the same sentence as the phrase “new environments”.
describe azure governance features
Tags
A name and a value pair used to logically organize Azure resources, resource groups, and subscriptions into a logical taxonomy.
Tags can be the basis for applying business policies or tracking costs.
You can also enforce tagging rules with Azure policies.
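Added example (not from this deck, and not the Azure Policy engine) that ties together the policy and initiative definitions from the cloud governance slide and the tag-enforcement point above: a small evaluator for a subset of the Azure Policy rule language, run over a constructed initiative and constructed resources. The policy JSON is simplified to name plus policyRule; the initiative is assumed to be assigned at a scope that contains all three resources.

```python
"""Constructed model of Azure Policy evaluation: a policy is an if/then rule,
an initiative is a list of policies grouped toward one goal. Supports only
field conditions equals/notEquals/exists/in/notIn, logical allOf/anyOf/not and
the deny/audit effects. Study model, not the Azure Policy engine."""
from typing import Any, Dict, List, Tuple

Json = Dict[str, Any]


def _field(resource: Json, name: str) -> Any:
    """Resolve a policy 'field' alias: type, location, name, tags['key'] or tags.key."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    if name.startswith("tags."):
        return resource.get("tags", {}).get(name[5:])
    return resource.get(name)


def matches(cond: Json, resource: Json) -> bool:
    """Evaluate the 'if' block of a policy rule against one resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "exists" in cond:  # Azure Policy writes "exists": "false" as a string
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(initiative: List[Json], resource: Json) -> List[Tuple[str, str]]:
    """Return (policy name, effect) for every policy in the initiative whose rule fires."""
    hits = []
    for policy in initiative:
        rule = policy["policyRule"]
        if matches(rule["if"], resource):
            hits.append((policy["name"], rule["then"]["effect"].lower()))
    return hits


# Constructed initiative: three policy definitions grouped toward one goal
GOVERNANCE_INITIATIVE = [
    {"name": "require-costCenter-tag",
     "policyRule": {"if": {"field": "tags['costCenter']", "exists": "false"},
                    "then": {"effect": "deny"}}},
    {"name": "allowed-locations",
     "policyRule": {"if": {"not": {"field": "location", "in": ["eastus", "westus"]}},
                    "then": {"effect": "deny"}}},
    {"name": "audit-public-ip",
     "policyRule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
                                     {"field": "tags.environment", "notEquals": "lab"}]},
                    "then": {"effect": "audit"}}},
]

# Constructed resources as seen at the assignment scope
SAMPLE_RESOURCES = {
    "vm-web-01": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
                  "tags": {"costCenter": "CC100", "environment": "prod"}},
    "pip-web-01": {"type": "Microsoft.Network/publicIPAddresses", "location": "westus",
                   "tags": {"environment": "prod"}},
    "st-lab-01": {"type": "Microsoft.Storage/storageAccounts", "location": "northeurope",
                  "tags": {"costCenter": "CC200", "environment": "lab"}},
}


def demo() -> Dict[str, List[Tuple[str, str]]]:
    return {name: evaluate(GOVERNANCE_INITIATIVE, res) for name, res in SAMPLE_RESOURCES.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        denied = any(effect == "deny" for _, effect in hits)
        print(f"{name}: {'DENIED' if denied else 'allowed'} {hits}")
```

A deny effect blocks the create or update request, while audit only records a non-compliance entry, which is why the untagged public IP is rejected and merely noted for being public, and the lab storage account is rejected for its region alone.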
Describe core architecture components
Scope of governance and RBAC configuration: Management Groups > Subscriptions > Resource Groups > Resources
Management Groups
Management groups provide a level of scope above subscriptions.
Each directory is given a single top-level management group called the "Root".
Can be used to aggregate policy and initiative assignments via Azure Policy.
Can contain multiple subscriptions.
All new subscriptions will be placed under the root management group by default.
Subscriptions
A subscription is a logical container used to provision resources in Azure.
Subscriptions are a unit of management, billing, and scale within Azure.
They serve as a management boundary for assigning Azure policies, governance, and isolation.
Why would I create multiple subscriptions?
✓ when subscription limits are reached
✓ to use different payment methods
✓ to isolate resources between departments, projects, etc.
Resource Groups
A container that holds related resources for an Azure solution.
Used to group resources that share a common resource lifecycle.
Resources
An entity managed by Azure, like a virtual machine, virtual network, or storage account.
INSIDE CLOUD
THANKS FOR WATCHING!