In early 2019, Microsoft created the AZ-900 Microsoft Azure Fundamentals certification. This certification is for all individuals, with an IT or non-IT background, who want to further their careers and learn how to navigate the Azure cloud platform.
Learn about AZ-900 exam concepts and how to prepare and pass the exam
10. RESPONSIBILITY OF SERVICES
IaaS (Infrastructure as a Service):
• Azure creates virtual machines (VMs) and virtual networks.
PaaS (Platform as a Service):
• Azure is taking care of the operating system and of most
foundational software like database management systems.
SaaS (Software as a Service):
• Organization outsources almost everything.
11. DEFENSE IN DEPTH
Defense in depth is a strategy that employs a
series of mechanisms to slow the advance of an
attack aimed at acquiring unauthorized access
to information.
12. DATA
In almost all cases, attackers are after data:
• Stored in a database
• Stored on disk inside virtual machines
• Stored on a SaaS application such as
Office 365
• Stored in cloud storage
13. APPLICATION
Integrating security into the application development life cycle
will help reduce the number of vulnerabilities introduced in
code.
• Ensure applications are secure and free of vulnerabilities.
• Store sensitive application secrets in a secure storage
medium.
• Make security a design requirement for all application
development.
14. COMPUTE
The focus in this layer is on making sure compute
resources are secure, and that the proper controls are
in place to minimize security issues.
• Secure access to virtual machines.
• Implement endpoint protection and keep systems
patched and current.
15. NETWORKING
The focus is on limiting the network connectivity across all
resources to allow only what is required.
• Limit communication between resources.
• Deny by default.
• Restrict inbound internet access and limit outbound, where
appropriate.
• Implement secure connectivity to on-premises networks.
16. PERIMETER
At the network perimeter, it's about protecting from network-based
attacks against resources.
• Use distributed denial of service (DDoS) protection to
filter large-scale attacks before they can cause a denial of
service for end users.
• Use perimeter firewalls to identify and alert on malicious
attacks against your network.
18. IDENTITY AND ACCESS
The identity and access layer is all about ensuring identities are secure, access
granted is only what is needed, and changes are logged.
Two fundamental concepts when talking about identity and access control:
1. Authentication:
establishing the identity of a person or service looking to access a
resource.
establishes if they are who they say they are.
2. Authorization:
establishing what level of access an authenticated person or service has.
specifies what data they're allowed to access and what they can do with
it.
19. PHYSICAL SECURITY
Physical building security and controlling access to computing
hardware within the data center is the first line of defense.
• The intent is to provide physical safeguards against access to
assets. These safeguards ensure that other layers can't be
bypassed and that loss or theft is handled appropriately.
21. AZURE ACTIVE DIRECTORY
Azure Active Directory (Azure AD)
• Cloud-based identity service
• Backbone/core of identity
management in Azure, with built-in
support for synchronizing with
your existing on-premises Active
Directory, or can be used stand-alone
• All applications (on-premises,
cloud (including Office 365), or
mobile) can share the same
credentials
22. AZURE ACTIVE DIRECTORY SERVICES
Authentication - verifying identity to access applications and resources, and
providing functionality such as self-service password reset, multi-factor
authentication (MFA), a custom banned password list, and smart lockout
services.
• Self-service password reset: According to Forrester Research, the average
password reset costs $70, and the Gartner Group states 20 to 50 percent of
all Help Desk calls are for password resets.
• Multi-factor: Detecting logins from locations that are
physically impossible to reach within a certain time frame.
23. AZURE ACTIVE DIRECTORY SERVICES CONTINUED
• Single-Sign-On (SSO) - enables users to remember only one ID and one password to
access multiple applications.
• Application management - manage cloud and on-premises apps using Azure AD
Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS
apps.
• Business to business (B2B) identity services - manage guest users and external
partners while maintaining control over your own corporate data.
• Business-to-Customer (B2C) identity services.
• Device Management - Manage how your cloud or on-premises devices access your
corporate data.
24. ENCRYPTION
What is encryption?
Encryption is the process of making data unreadable and unusable to unauthorized viewers.
To use or read the encrypted data, it must be decrypted, which requires the use of a secret
key.
Two top-level types of encryption: symmetric and asymmetric.
• Symmetric encryption uses the same key to encrypt and decrypt the data.
• Asymmetric encryption uses a public key and private key pair. Either key can encrypt
but a single key can't decrypt its own encrypted data. To decrypt, you need the paired
key.
25. ENCRYPTION AT REST
Encryption of data at rest ensures that the stored data is unreadable without the
keys and secrets needed to decrypt it.
26. ENCRYPTION IN TRANSIT
Encrypting data in transit protects the data from
outside observers and provides a mechanism to
transmit data while limiting risk of exposure.
Data in transit is the data actively moving from one
location to another, such as across the internet or
through a private network.
27. AZURE ENCRYPTION ACROSS SERVICES
Azure Storage Service Encryption for data at rest helps protect data to meet
organizational security and compliance commitments. Raw storage encryption.
Azure Disk Encryption is a capability that helps encrypt Windows and Linux IaaS
virtual machine disks.
Transparent data encryption (TDE) helps protect Azure SQL Database and
Azure Data Warehouse against the threat of malicious activity. Database
encryption.
Encrypt secrets
Azure Key Vault is a centralized cloud service for storing your application secrets.
28. HOW TO PROTECT YOUR NETWORK
Azure has a layered approach to network security.
• Reduces risk of exposure through network-based attacks.
• Combine multiple Azure networking and security services to manage network security and
provide increased layered protection.
29. NETWORK SECURITY GROUPS
Contains security rules that allow or deny inbound network traffic to, or outbound network traffic from,
several types of Azure resources.
For each rule, you can specify:
Source
Destination
Port
Protocol
31. PROTECT YOUR SHARED DOCUMENTS
Microsoft Azure Information Protection (sometimes referred to as AIP) is a
cloud-based solution that helps organizations classify and optionally protect
documents and emails by applying labels.
32. AZURE ATP
Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies,
detects, and helps you investigate advanced threats, compromised identities, and malicious insider
actions directed at your organization.
Components include:
• Azure ATP portal
o Monitor and respond to suspicious activity.
• Azure ATP sensor
o Monitors domain controller traffic without requiring a dedicated server or configuring port
mirroring.
• Azure ATP cloud service
o Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United
States, Europe, and Asia.
33. MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL)
• Define security requirements
• Define metrics and compliance reporting
• Perform threat modeling
• Establish design requirements
• Define and use cryptography standards
• Manage security risks from using third-party components
• Use approved tools
• Perform Static Analysis Security Testing
• Perform Dynamic Analysis Security
Testing
• Perform penetration testing
• Establish a standard incident response
process
The Microsoft Security Development Lifecycle (SDL) introduces security and privacy considerations,
guidance, best practices, tools, and processes throughout all phases of the development process and helps
developers build highly secure software, address security compliance requirements, and reduce
development costs.
34. SECURITY SUMMARY
Azure Security Center centralizes much of the help Azure has to offer.
• Provides a single dashboard, with a view into many of your services, and helps make
sure organizations are following best practices.
• Continuously updated machine learning algorithms help identify whether the latest
threats are aimed at users' resources and helps mitigate threats.
37. AZURE MANAGEMENT GROUPS
Azure Management groups are containers for managing access, policies, and compliance across
multiple Azure subscriptions.
38. GOVERNANCE FOR THE CLOUD
• Management Group (Hierarchy): Define organizational hierarchy
• Policy (Control): Real-time enforcement, compliance assessment and remediation
• Cost Management (Consumption): Monitor cloud spend and optimize resources
• Blueprints (Environment): Deploy and update cloud environments in a repeatable manner using composable artifacts
• Resource Graph (Visibility): Query, explore & analyze cloud resources at scale
39. WHAT IS AZURE POLICY?
Azure Policy is a service you can use to create, assign, and manage policies.
• Policies apply and enforce rules that your resources need to follow.
• Policies can enforce these rules when resources are created, and can be evaluated against
existing resources to give visibility into compliance.
Policies can enforce things such as only allowing specific types of resources to be created, or
only allowing resources in specific Azure regions.
• Enforce naming conventions across your Azure environment.
• Enforce that specific tags are applied to resources.
40. AZURE SUBSCRIPTIONS
Azure subscription provides you with authenticated and authorized access to Azure products
and services and allows you to provision resources on Azure.
It is a logical unit of Azure services that links to an Azure account.
41. WHAT IS A RESOURCE GROUP?
A resource group is a container that
holds related resources for an Azure
solution.
Each resource in Azure must
belong to a resource group.
42. RESOURCE GROUP BEST PRACTICES
Logical grouping
• Resource groups exist to help manage and organize your Azure resources. By placing resources of
similar usage, type, or location, you can provide some order and organization to resources you create
in Azure.
Life cycle
• If you delete a resource group, all resources contained within are also deleted. Resource groups make
it easy to remove a set of resources at once.
Authorization
• Resource groups are also a scope for applying role-based access control (RBAC) permissions. By
applying RBAC permissions to a resource group, you can ease administration and limit access to
allow only what is needed.
43. WHAT ARE TAGS?
Tags allow organizations to associate custom details about their resource, in addition to the standard Azure
properties a resource has:
• Department (like finance, marketing, and more)
• Environment (prod, test, dev),
• Cost center
• Life cycle and automation (like shutdown and startup of virtual machines)
Tags are name/value pairs of text data that you can apply to resources and resource groups.
• Can have up to 50 tags.
• Name is limited to 512 characters for all types of resources except storage accounts, which have a
limit of 128 characters.
• Value is limited to 256 characters for all types of resources.
44. RESOURCES
A manageable item that is available through Azure.
Examples:
Virtual machines
Storage accounts
Web apps
Databases
Virtual networks
Resource groups, subscriptions, management groups, and tags
45. HOW DO WE PROTECT THOSE RESOURCES ONCE THEY ARE
DEPLOYED?
Answer:
Role-based access control (core service and is included with all subscription levels at no
cost)
Allow one user to manage VMs in a subscription, and another user to manage
virtual networks.
Allow a database administrator (DBA) group to manage SQL databases in a
subscription.
Allow a user to manage all resources in a resource group, such as VMs, websites,
and virtual subnets.
Allow an application to access all resources in a resource group.
46. WHAT ARE RESOURCE LOCKS?
Resource locks are a setting that can be applied to any resource to block modification or
deletion.
Resource locks can be set to either Delete or Read-only:
• Delete will allow all operations against the resource but block the ability to delete it.
• Read-only will only allow read activities to be performed against it, blocking any
modification or deletion of the resource.
Resource locks can be applied to subscriptions, resource groups, and to individual
resources, and are inherited when applied at higher levels.
We have a lot to cover and may not get to live questions at the end. Please send your questions to Sami, and I will get back to you after the webinar. My contact information is provided; reach out any time. I do provide half-day and full-day workshops for this course. The workshops are more hands-on and we do more live demos within the product. Something to note if interested.
Once again, here is the exam layout. In part three of our three-part series, we will be focusing on understanding security, privacy, compliance, and trust, which is 25-30% of the exam.
As mentioned in part 1, I used 2 resources and spent around $16 combined for those resources. The exam itself is $99.
This is the same study plan I used for the AZ-900 exam:
Microsoft Learn Platform
Whizlabs
If you want to learn more about these and how I leveraged them for the exam, request part 1 of the webinar series from Sami.
Every system, architecture, and application needs to be designed with security in mind. Before we begin better understanding Azure Security, let’s look back at some of the biggest data breaches of the 21st century.
From 2014-2018, a data breach impacted over 500 million Marriott customers. The breach actually occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.
From 2013 to 2014, 3 billion user Yahoo accounts were breached. In September 2016, while in negotiations to sell itself to Verizon, it announced it had been the victim of the biggest data breach in history, likely by “a state-sponsored actor,” in 2014. The attack compromised the real names, email addresses, dates of birth and telephone numbers of 3 billion users.
The breaches knocked an estimated $350 million off Yahoo’s sale price. Verizon eventually paid $4.48 billion for Yahoo’s core Internet business.
Let’s first discuss how we secure our data center.
Physical security – who can access the building and touch server racks.
Microsoft invests heavily in protecting Azure’s infrastructure with walls and security cameras, security personnel, and strict procedures for employees.
It should be noted that Microsoft has the most cloud certifications from outside vendors among all cloud vendors to date.
Digital Security – who can connect to your systems and data over the network
Azure is a network of large data centers throughout the world.
There are real security threats when companies deploy compute resources like VMs that run company applications and services in the cloud as well as data stored in the cloud and data traveling outside of Azure and across the public internet.
There are security threats at each endpoint, for example user devices or computers, that consume data or services.
It is very important to note, Microsoft provides the tools that help mitigate the threats, but the user must use these tools to protect the resources they use.
To assist with security, Microsoft provides two-factor authentication and role-based access control to authorized users. Data encryption is available, which provides a second layer of security in case of a breach.
Users can monitor login failures, login attempts from suspicious locations, etc.
Microsoft provides automatic denial of service protection, real-time telemetry to see where requests are coming from, firewalls to block malicious traffic.
As previously mentioned, Azure has over 90 compliance offerings and some are displayed here. Now you do not need to know all these, but there will be a few exam questions around compliance offerings. For example, I had four matching questions where I needed to properly match NIST, ISO, GDPR, and SOC to their appropriate groupings.
Let’s start with:
ISO - The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations
NIST - The National Institute of Standards and Technology is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce.
GDPR - The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
I found this image very impactful. The important thing to note here is the shift in commodity responsibilities to the provider. The question becomes, how will you allocate your employees, time, resources to other challenges now that the commodity responsibilities have been shifted to the provider?
Before we begin responsibility of services, you should note that regardless of the deployment type, you always retain responsibility for the following items:
Data
Endpoints
Accounts
Access management
IaaS (Infrastructure as a Service):
Organization responsibility to patch and secure operating systems and software, as well as configure network to be secure.
Security advantage of having outsourced concern over protecting the physical parts of the network.
PaaS (Platform as a Service):
Azure is taking care of the operating system and of most foundational software like database management systems.
Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls.
“Point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed.
SaaS (Software as a Service):
Organization outsources almost everything.
The code is controlled by Microsoft Azure but configured to be used by the organization.
Well I am a visual learner, what does this look like: Show chart.
Let's discuss defending our information.
Defense in Depth:
If one layer is breached, a subsequent layer is already in place to prevent further exposure.
Microsoft applies a layered approach to security, both in physical data centers and across Azure services.
The objective is to protect and prevent information from being stolen by individuals who are not authorized to access it.
Now we will discuss these layers in more detail.
It's the responsibility of those storing and controlling access to data to ensure that it's properly secured.
Before bullets: Malware, unpatched systems, and improperly secured systems open the environment to attacks, so you want to secure access to virtual machines.
Implement endpoint protection and keep systems patched and current.
Before bullets: By limiting this communication, the organization reduces the risk of lateral movement throughout the network.
Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound, where appropriate.
Implement secure connectivity to on-premises networks.
Before bullets: Identifying these attacks, eliminating their impact, and alerting the org when they happen are important ways to keep the organization's network secure.
Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
Use perimeter firewalls to identify and alert on malicious attacks against your network.
If you remember from Part 2 of our Azure series, a distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers,” it generally means it has become a victim of a DDoS attack. In short, this means that hackers have attempted to make a website or computer unavailable by flooding or crashing the website with too much traffic.
There are motion sensors, 24x7 protected access, biometric access systems, video surveillance, security breach alarms, and I am sure some other pretty formidable things unknown to most.
Identity management provides authentication, privileges, authorization, and roles of the enterprise boundaries. The main purpose is to upgrade security and productivity by decreasing the total cost, repetitive tasks, and system downtime.
If you have O365, you have Azure AD.
Administrators and developers can control access to internal and external data and applications using centralized rules and policies.
The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.
Multi-factor example:
You have a user who logs in from Los Angeles. 20 minutes later that same user logs in from Tokyo. Using this method, the second login attempt would be forced to provide a secondary means of authentication.
Something you know
Something you possess
Something you are
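The Los Angeles and Tokyo sign-in scenario above, worked through as detection logic. This is an added example, not part of the original presentation or of Azure AD; the sign-in records are constructed, and the 1000 km/h speed limit and 100 km minimum distance are assumed thresholds.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sign-in records: (user, ISO timestamp, city, latitude, longitude)
SAMPLE_SIGNINS = [
    ("alice", "2019-06-01T09:00:00", "Los Angeles", 34.05, -118.24),
    ("bob",   "2019-06-01T09:00:00", "Los Angeles", 34.05, -118.24),
    ("alice", "2019-06-01T09:20:00", "Tokyo", 35.68, 139.69),
    ("bob",   "2019-06-01T12:00:00", "San Diego", 32.72, -117.16),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = phi2 - phi1
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(signins, max_kmh=1000.0, min_km=100.0):
    """Flag consecutive sign-ins by one user that imply travel faster than max_kmh.

    max_kmh and min_km are assumed thresholds: roughly airliner speed, and a
    floor that ignores small location jitter between nearby sign-ins.
    """
    findings = []
    last_seen = {}  # user -> (time, city, lat, lon) of the previous sign-in
    for user, ts, city, lat, lon in sorted(signins, key=lambda s: s[1]):
        when = datetime.fromisoformat(ts)
        previous = last_seen.get(user)
        last_seen[user] = (when, city, lat, lon)
        if previous is None:
            continue
        prev_when, prev_city, prev_lat, prev_lon = previous
        km = haversine_km(prev_lat, prev_lon, lat, lon)
        if km < min_km:
            continue
        hours = (when - prev_when).total_seconds() / 3600
        # Two distant sign-ins with the same timestamp count as infinitely fast.
        speed = km / hours if hours > 0 else math.inf
        if speed > max_kmh:
            findings.append({
                "user": user,
                "from": prev_city,
                "to": city,
                "km": round(km),
                "kmh": speed,
                "action": "require_mfa",  # challenge the second sign-in
            })
    return findings


if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_SIGNINS):
        print(finding)
```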
Application Management: Access Panel is a web based portal that allows users to reset their own passwords, and it provides a list of all the groups users can join within the organization.
B2B identity services: Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
Symmetric Example: Consider a desktop password manager application. You enter your passwords and they are encrypted with your own personal key (your key is often derived from your master password). When the data needs to be retrieved, the same key is used, and the data is decrypted.
Asymmetric Example: Used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.
Both symmetric and asymmetric encryption play a role in properly securing data, and encryption is typically approached in two ways: encryption at rest and encryption in transit. Let's discuss those a little more.
The actual data that is encrypted could vary in its content, usage, and importance to the organization.
2. Data at rest is the data that has been stored on a physical medium, stored on the disk of a server, data stored in a database, or data stored in a storage account.
Encryption of Data Example: If an attacker was to obtain a hard drive with encrypted data and did not have access to the encryption keys, the attacker would not compromise the data without great difficulty.
In the Graphic: This financial information could be critical to the business, intellectual property that has been developed by the business, personal data about customers or employees that the business stores, and even the keys and secrets used for the encryption of the data itself.
Encrypting the Data Example: HTTPS = application layer in transit encryption.
In the graphic, Customer data is encrypted as it's sent over the network. Only the receiver has the secret key that can decrypt the data to a usable form.
Key Vault helps control applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
Azure has a layered approach to network security.
Reduces risk of exposure through network-based attacks.
Several available services and capabilities to secure your internet-facing resource, internal resources, and communication between on-premises networks.
Combine multiple Azure networking and security services to manage network security and provide increased layered protection.
Example: use Azure Firewall to protect inbound and outbound traffic to the Internet, and Network Security Groups to limit traffic to resources inside virtual networks.
Azure creates the following default rules in each network security group that you create:
You cannot remove the default rules, but you can override them by creating rules with higher priorities.
Name:
A unique name within the network security group.
Priority:
A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops.
Source or destination:
Any, or an individual IP address, (CIDR) block (10.0.0.0/24, for example), service tag, or application security group.
If you specify an address for an Azure resource, specify the private IP address assigned to the resource.
Protocol:
TCP, UDP, ICMP or Any.
Direction:
Whether the rule applies to inbound, or outbound traffic.
Port range:
You can specify an individual or range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules.
Action:
Allow or deny
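The rule properties and priority ordering described above, as a small evaluator. This is an added example, not code from the presentation or from Azure; the rule names and addresses are constructed, and the model keeps only the catch-all default deny rules, leaving out service tags and application security groups.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = higher priority
    direction: str     # "Inbound" or "Outbound"
    source: str        # "Any" or a CIDR block such as "10.0.0.0/24"
    destination: str   # "Any" or a CIDR block
    protocol: str      # "TCP", "UDP", "ICMP" or "Any"
    ports: str         # "Any", "80" or a range such as "10000-10005"
    action: str        # "Allow" or "Deny"


# Simplified defaults: only the catch-all deny rules. Real NSGs also get default
# allow rules that rely on service tags, which this model leaves out.
DEFAULT_RULES = [
    Rule("DenyAllInBound", 65500, "Inbound", "Any", "Any", "Any", "Any", "Deny"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Any", "Any", "Any", "Any", "Deny"),
]


def _addr_ok(spec, ip):
    return spec == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _port_ok(spec, port):
    if spec == "Any":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


class NetworkSecurityGroup:
    def __init__(self):
        self.rules = list(DEFAULT_RULES)

    def add(self, rule):
        # User-defined rules must use a priority between 100 and 4096
        # and a name that is unique within the group.
        if not 100 <= rule.priority <= 4096:
            raise ValueError("priority must be between 100 and 4096")
        if any(r.name == rule.name for r in self.rules):
            raise ValueError("rule name must be unique within the group")
        self.rules.append(rule)

    def evaluate(self, direction, src_ip, dst_ip, protocol, port):
        """Return (action, rule name) for the first rule that matches."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if (rule.direction == direction
                    and _addr_ok(rule.source, src_ip)
                    and _addr_ok(rule.destination, dst_ip)
                    and rule.protocol in ("Any", protocol)
                    and _port_ok(rule.ports, port)):
                return rule.action, rule.name  # processing stops at first match
        raise AssertionError("unreachable: the default deny rules match everything")


def build_sample_nsg():
    """Constructed rule set: public HTTPS, admin ports open to one partner range."""
    nsg = NetworkSecurityGroup()
    nsg.add(Rule("allow-https", 100, "Inbound", "Any", "10.0.0.0/24",
                 "TCP", "443", "Allow"))
    nsg.add(Rule("deny-admin-ports", 200, "Inbound", "Any", "10.0.0.0/24",
                 "TCP", "10000-10005", "Deny"))
    # Priority 150 is evaluated before 200, so the partner range gets through.
    nsg.add(Rule("allow-partner-admin", 150, "Inbound", "203.0.113.0/24",
                 "10.0.0.0/24", "TCP", "10000-10005", "Allow"))
    return nsg


if __name__ == "__main__":
    nsg = build_sample_nsg()
    for src, port in [("203.0.113.7", 10001), ("198.51.100.9", 10001),
                      ("198.51.100.9", 443), ("198.51.100.9", 80)]:
        print(src, port, nsg.evaluate("Inbound", src, "10.0.0.4", "TCP", port))
```

Port 80 has no matching user rule in this sample, so it falls through to the default deny, which is the "deny by default" behavior the networking layer calls for.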
Highlighting port further, you will likely see port 80 or port 443 on the exam within examples. A little background information, port 80 was chosen as the default HTTP port and 443 as the default HTTPS port.
HTTPS (443) is HTTP with encryption. The only difference between the two protocols is that HTTPS (443) uses TLS (SSL) to encrypt normal HTTP (80) requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has http:// in its URL, while a website that uses HTTPS has https://
Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
Labels can be applied automatically based on rules and conditions.
Labels can also be applied manually.
Guide users to choose recommended labels with a combination of automatic and manual steps.
Here is an example of AIP in action on a user's computer. The administrator has configured a label with rules that detect sensitive data. When a user saves a Microsoft Word document containing a credit card number, a custom tooltip is displayed. This label is configured by the administrator. Using this label classifies the document and protects it.
Analyze data flows to gain insight into your business
Detect risky behaviors and take corrective measures
Track access to documents
Prevent data leakage or misuse of confidential information
Last image: Installed directly on your domain controllers, the Azure ATP sensor accesses the event logs it requires directly from the domain controller. After the logs and network traffic are parsed by the sensor, Azure ATP sends only the parsed information to the Azure ATP cloud service (only a percentage of the logs are sent).
The Microsoft SDL became an integral part of the software development process at Microsoft in 2004. The development, implementation, and constant improvement of the SDL represents a strategic investment to the security effort. This is an evolution in the way that software is designed, developed, and tested, and has now matured into a well-defined methodology.
Now, over a decade later, the Microsoft SDL continues to be fundamental to how Microsoft develops products and services. With the rise of mobile, cloud computing, Internet of Things, artificial intelligence, and other new technologies, Microsoft continues to evolve the practices.
Note: This is highly introductory. Security is a deep and complex topic, so whatever your cloud approach, an ongoing security education is necessary.
The Azure Resource Manager service is designed for resiliency and continuous availability.
Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.
We are going to drill down into these further.
Graphic: When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request. It authenticates and authorizes the request. Resource Manager sends the request to the Azure service, which takes the requested action.
Because all requests are handled through the same API, you see consistent results and capabilities in all the different tools.
The following image shows the role Azure Resource Manager plays in handling Azure requests.
Graphic:
You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied to the resource group and all its resources. However, another resource group doesn't have that policy assignment.
Let's discuss these levels in more detail.
In the early days, subscriptions had limits and those limits helped decide whether your subscriptions needed to sprawl. This was mostly based on whether or not you were supporting customers or breaking up your subscriptions across different departments. The biggest issue with this sprawl was how to manage it, both from a security and policies standpoint. Then Azure management groups entered the picture. When I say sprawl or Data sprawl, it refers to the overwhelming amount and variety of data produced by enterprises every day. With the growing number of operating systems, data warehouses, various BYOD (Bring Your Own Device) devices, and enterprise and mobile applications, it’s no wonder that the proliferation of data is becoming a problem.
Azure management groups provide a way for an organization to control and manage access, compliance, and policies for their subscription within their tenant.
Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification beyond subscriptions.
Azure governance consists of 5 capabilities (Policy, Blueprints, Resource Graph, Management Group, Cost Management) to ensure you will have the right tools for your applications or workload teams, so they can use cloud resources in an accountable & responsible fashion.
It serves as a single billing unit for Azure resources in that services used in Azure are billed to a subscription.
An Azure subscription is linked to a single account, the one that was used to create the subscription and is used for billing purposes. ... Free Azure accounts can be converted to pay-as-you-go accounts.
Azure offers free and paid subscription options to suit different needs and requirements. An account can have one subscription or multiple subscriptions that have different billing models, and to which you apply different access-management policies.
The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.
The resource group stores metadata about the resources. Therefore, when you specify a location for the resource group, you are specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data is stored in a particular region.
Resource groups are a logical container for resources deployed on Azure and are anything created in an Azure subscription like Virtual machines, Application Gateways, CosmosDB.
And here is what the tags look like in the portal.
RBAC provides fine-grained access management for Azure resources, enabling organizations to grant users the specific rights they need to perform their jobs.
Using RBAC, you can:
Further protection, how can we protect or how can administrators protect themselves from doing something they may not have intended to do.
And important to note, even if you are an owner of the resource, you must still remove the lock before you'll actually be able to perform the blocked activity.
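How an inherited lock interacts with a role that would otherwise permit the action, as a small model of the scope hierarchy. This is an added example, not code from the presentation or from Azure; the scope paths and resource names are hypothetical, and scopes are simplified to /subscription/resource-group/resource.

```python
# Lock levels as named on the slide. When several locks are inherited,
# the most restrictive one applies.
RESTRICTIVENESS = {"Delete": 1, "Read-only": 2}
BLOCKED_OPS = {
    "Delete": {"delete"},              # everything allowed except deletion
    "Read-only": {"write", "delete"},  # only reads allowed
}

# Constructed lock assignments: scope path -> lock level.
SAMPLE_LOCKS = {
    "/sub-a/rg-prod": "Delete",
    "/sub-a/rg-prod/sql-orders": "Read-only",
}


def scope_chain(scope):
    """Return the scope and all of its ancestors, highest level first."""
    parts = [p for p in scope.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_lock(locks, scope):
    """Return (level, scope where it is set) for the strictest lock in effect."""
    best = None
    for ancestor in scope_chain(scope):
        level = locks.get(ancestor)
        if level and (best is None
                      or RESTRICTIVENESS[level] > RESTRICTIVENESS[best[0]]):
            best = (level, ancestor)
    return best


def check_operation(locks, scope, operation, rbac_allows=True):
    """Decide whether 'read', 'write' or 'delete' may proceed on a scope.

    rbac_allows is the outcome of the role check. A lock is evaluated on top
    of it, so even an owner is blocked until the lock is removed.
    """
    if not rbac_allows:
        return False, "denied by RBAC"
    lock = effective_lock(locks, scope)
    if lock and operation in BLOCKED_OPS[lock[0]]:
        return False, f"blocked by {lock[0]} lock at {lock[1]}"
    return True, "allowed"


if __name__ == "__main__":
    for scope, op in [("/sub-a/rg-prod/vm-web01", "delete"),
                      ("/sub-a/rg-prod/vm-web01", "write"),
                      ("/sub-a/rg-prod/sql-orders", "write"),
                      ("/sub-a/rg-dev/vm-test", "delete")]:
        print(op, scope, check_operation(SAMPLE_LOCKS, scope, op))
```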
A. User Defined Routes. You can create custom, or user defined routes in Azure to override Azure's default system routes or add additional routes to a subnet's route table.
A. Yes. Authentication methods of both multi factor and self service password reset are the usage, SMS (short message service) is the authentication method.
B. No. Support also for components like Azure SQL and Storage services.
A. Azure key vault. You can import or generate keys.
That concludes part three of our three-part series. Thank you to all those who attended today's session and the previous sessions. I wish you the best of luck on your pursuit of AZ-900 and other Azure certs. Over to Sami.