Azure Security

Secure identity and access (15–20%)

Manage security controls for identity and access

• Manage Azure built-in role assignments
• Manage custom roles, including Azure roles and Microsoft Entra roles
• Plan and manage Azure resources in Microsoft Entra Privileged Identity Management, including settings and assignments
• Implement multi-factor authentication (MFA) for access to Azure resources
• Implement Conditional Access policies for cloud resources in Azure

Manage Microsoft Entra application access

• Manage access to enterprise applications in Microsoft Entra ID, including OAuth permission grants
• Manage Microsoft Entra app registrations
• Configure app registration permission scopes
• Manage app registration permission consent
• Manage and use service principals
• Manage managed identities

Secure networking (20–25%)

Plan and implement security for virtual networks

• Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
• Manage virtual networks by using Azure Virtual Network Manager
• Plan and implement user-defined routes (UDRs)
• Plan and implement Virtual Network peering or VPN gateway
• Plan and implement Virtual WAN, including secured virtual hub
• Secure VPN connectivity, including point-to-site and site-to-site
• Implement encryption over ExpressRoute
• Configure firewall settings on Azure resources
• Monitor network security by using Network Watcher

Plan and implement security for private access to Azure resources

• Plan and implement virtual network Service Endpoints
• Plan and implement Private Endpoints
• Plan and implement Private Link services
• Plan and implement network integration for Azure App Service and Azure Functions
• Plan and implement network security configurations for an App Service Environment (ASE)
• Plan and implement network security configurations for an Azure SQL Managed Instance

Plan and implement security for public access to Azure resources

• Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management
• Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies
• Plan and implement an Azure Application Gateway
• Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
• Plan and implement a Web Application Firewall (WAF)
• Recommend when to use Azure DDoS Protection Standard

Secure compute, storage, and databases (20–25%))

Plan and implement advanced security for compute

• Plan and implement remote access to virtual machines, including Azure Bastion and just-in-time (JIT)
• Configure network isolation for Azure Kubernetes Service (AKS)
• Secure and monitor AKS
• Configure authentication for AKS
• Configure security monitoring for Azure Container Instances (ACIs)
• Configure security monitoring for Azure Container Apps (ACAs)
• Manage access to Azure Container Registry (ACR)
• Configure disk encryption, including Azure Disk Encryption (ADE), encryption at host, and confidential disk encryption
• Recommend security configurations for Azure API Management

Plan and implement security for storage

• Configure access control for storage accounts
• Manage storage account access keys
• Select and configure an appropriate method for access to Azure Files
• Select and configure an appropriate method for access to Azure Blob Storage
• Select and configure appropriate methods for protecting against data security threats, including soft delete, backups, versioning, and immutable storage
• Configure Bring your own key (BYOK)
• Enable double encryption at the Azure Storage infrastructure level

Plan and implement security for Azure SQL Database and Azure SQL Managed Instance

• Enable Microsoft Entra database authentication
• Enable database auditing
• Plan and implement dynamic masking
• Implement Transparent Data Encryption (TDE)
• Recommend when to use Azure SQL Database Always Encrypted

Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel (30–35%)

Implement and manage enforcement of cloud governance policies

• Create, assign, and interpret policies and initiatives in Azure Policy
• Configure Azure Key Vault network settings
• Configure access to Key Vault, including vault access policies and Azure Role Based Access Control
• Manage certificates, secrets, and keys
• Configure key rotation
• Perform backup and recovery of certificates, secrets, and keys
• Implement security controls to protect backups
• Implement security controls for asset management

Manage security posture by using Microsoft Defender for Cloud

• Identify and remediate security risks by using the Microsoft Defender for Cloud Secure Score and Inventory
• Assess compliance against security frameworks by using Microsoft Defender for Cloud
• Manage compliance standards in Microsoft Defender for Cloud
• Add custom standards to Microsoft Defender for Cloud
• Connect hybrid cloud and multi-cloud environments to Microsoft Defender for Cloud, including Amazon Web Services (AWS) and Google Cloud Platform (GCP)
• Implement and use Microsoft Defender External Attack Surface Management (EASM)

Configure and manage threat protection by using Microsoft Defender for Cloud

• Enable workload protection services in Microsoft Defender for Cloud
• Configure Microsoft Defender for Servers, Microsoft Defender for Databases, and Microsoft Defender for Storage
• Implement and manage agentless scanning for virtual machines in Microsoft Defender for Servers
• Implement and manage Microsoft Defender Vulnerability Management for Azure virtual machines
• Connect to and configure settings in Microsoft Defender for Cloud Devops Security, including GitHub, Azure DevOps, and GitLab

Configure and manage security monitoring and automation solutions

• Manage and respond to security alerts in Microsoft Defender for Cloud
• Configure workflow automation by using Microsoft Defender for Cloud
• Monitor network security events and performance data by configuring data collection rules (DCRs) in Azure Monitor
• Configure data connectors in Microsoft Sentinel
• Enable analytics rules in Microsoft Sentinel
• Configure automation in Microsoft Sentinel