Section 5 Module 1

The document discusses the importance of identity as the primary security boundary in modern IT environments, particularly with the rise of BYOD and cloud services. It highlights Azure Active Directory's (AAD) role in authentication and authorization, providing services like single sign-on and multi-factor authentication to enhance security. Additionally, it covers governance strategies in Azure, including role-based access control, resource management, and the use of Azure Policy and Blueprints to maintain compliance and control over cloud resources.

Section 5 Module 1

Identity is the new primary security boundary with the advent of BYOD (bring your own device), mobile
apps, cloud services, and access from outside a company's physical network.

- The identity layer is more often the target of attack than the network is

Example: Tailwind Traders uses Active Directory to secure its on-premises network. How can Azure
Active Directory help it consistently secure all of its applications, whether they are accessed from the
intranet or from public networks?

Two fundamental concepts when talking about Identity

- Authentication (AuthN)
- Authorization (AuthZ)

Authentication – the process of establishing the identity of a person or service attempting to access a
resource. It challenges for legitimate credentials and provides the basis for creating the security principal
used for access control. It establishes whether the user is who they claim to be.

Authorization – the process of establishing what level of access an authenticated person or service has.
It specifies what data they can access and what they are allowed to do with it.

Azure Active Directory (AAD) provides services to enable sign-in (AuthN) and access to cloud applications
(AuthZ). AAD supports single sign-on (SSO).

- Microsoft's cloud-based identity and access management service
- Controls identity accounts and ensures they are available globally
- Helps detect suspicious sign-in attempts, such as from unexpected locations or devices

AAD is for:

- IT Admins
- App devs
- Users
- Online service subscribers
o A tenant is a representation of an organization. It is typically separated from other tenants
and has its own identity. Examples of services that use tenants: Microsoft 365, Office 365, Azure,
Microsoft Dynamics CRM Online

AAD provides:

- Authentication
- SSO
- Application management (manages both on-premises apps and cloud apps)
- Device management – registration of devices; access attempts can be restricted to known
devices only

AAD can be connected directly to on-premises Active Directory for a consistent identity experience for
users, most commonly with Azure AD Connect

- Syncs user identities between on-premises and the cloud
o Enables SSO, multi-factor authentication and self-service password reset for both systems

Multi-factor authentication – a process where a user is prompted during sign-in for an additional form of
identification (such as a code sent by text message to their phone)

- Increases security by limiting the impact of credential exposure: a stolen password alone is not
enough to sign in

AAD multi-factor authentication – lets users choose their verification method

Services that provide AAD multi-factor authentication capabilities:

- AAD
- Multi-factor authentication for Office 365

(The free tier of AAD allows multi-factor authentication for admins and allows enabling multi-factor
authentication via the Microsoft Authenticator app)

Conditional Access – used to allow or deny access to resources based on identity signals. Signals include
who the user is, where the user is, and what device the user is requesting access from

Conditional Access helps IT admins:

- Allow users to be productive wherever and whenever they work
- Protect the organization's assets

Conditional Access provides a more granular level of multi-factor authentication, such as not asking for a
second factor if the user is at a known location or on a known device.

Conditional Access is great for:

- Requiring multi-factor authentication for a specific application
- Requiring access to services only through approved client apps
- Requiring users to access your application only through managed devices
- Blocking access from untrusted sources

Conditional Access comes with a What If tool that helps to plan and troubleshoot Conditional Access
policies by showing which policies would apply to a given sign-in

Conditional Access is available with an AAD Premium P1 or P2 license or a Microsoft 365 Business
Premium license
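The following is an added example, not code from the notes or from Microsoft: a toy evaluator that shows how the signals above (user, group, app, location, device, client app) select policies, how a block always beats a grant, and how a "known location or device" exclusion skips the second factor. The users, groups, app names and the trusted IP range are constructed for the example, and "known device" is modelled as a simple exclusion rather than the grant-control form real Conditional Access uses.

```python
"""Toy Conditional Access evaluator (added example, not Microsoft's code).

A sign-in carries signals; each policy selects sign-ins by those signals and
either blocks or requires MFA. A block from any applicable policy wins,
otherwise MFA is required if any applicable policy asks for it. what_if()
lists the policies a sign-in would hit, which is what the portal's What If
tool does. All users, groups, apps and IP ranges are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed "named location": the corporate egress range counts as trusted.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    ip: str
    client_app: str          # "browser", "mobile_app" or "legacy" (basic auth)
    device_compliant: bool   # device is managed and reported compliant


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                                   # "block" or "mfa"
    targets: Optional[FrozenSet[str]] = None      # user/group names; None = everyone
    apps: Optional[FrozenSet[str]] = None         # None = all cloud apps
    client_apps: Optional[FrozenSet[str]] = None  # None = any client app
    exclude_trusted_ips: bool = False             # skip when from a trusted location
    exclude_compliant_device: bool = False        # skip when the device is compliant


def from_trusted_location(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def applies(policy: Policy, s: SignIn) -> bool:
    """True when every condition of the policy selects this sign-in."""
    principals = {s.user} | set(s.groups)
    if policy.targets is not None and not (policy.targets & principals):
        return False
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.client_apps is not None and s.client_app not in policy.client_apps:
        return False
    if policy.exclude_trusted_ips and from_trusted_location(s.ip):
        return False
    if policy.exclude_compliant_device and s.device_compliant:
        return False
    return True


def what_if(policies, s: SignIn):
    return [p.name for p in policies if applies(p, s)]


def evaluate(policies, s: SignIn) -> str:
    matched = [p for p in policies if applies(p, s)]
    if any(p.effect == "block" for p in matched):
        return "block"                  # block always wins over grant controls
    if any(p.effect == "mfa" for p in matched):
        return "mfa"
    return "grant"


# Constructed policy set covering the scenarios listed in the notes.
POLICIES = [
    Policy("Block legacy authentication", "block", client_apps=frozenset({"legacy"})),
    Policy("Require MFA for finance-portal", "mfa", apps=frozenset({"finance-portal"}),
           exclude_trusted_ips=True, exclude_compliant_device=True),
    Policy("Require MFA for admins", "mfa", targets=frozenset({"Global Admins"})),
    Policy("hr-app only from trusted network", "block", apps=frozenset({"hr-app"}),
           exclude_trusted_ips=True),
]


def demo():
    staff, admins = frozenset({"Staff"}), frozenset({"Global Admins"})
    cases = {
        "finance_offsite": SignIn("alice", staff, "finance-portal", "198.51.100.7", "browser", False),
        "finance_onsite":  SignIn("alice", staff, "finance-portal", "203.0.113.5", "browser", False),
        "finance_managed": SignIn("alice", staff, "finance-portal", "198.51.100.7", "mobile_app", True),
        "legacy_mail":     SignIn("alice", staff, "mail", "203.0.113.5", "legacy", True),
        "admin_onsite":    SignIn("bob", admins, "mail", "203.0.113.5", "browser", True),
        "hr_offsite":      SignIn("alice", staff, "hr-app", "198.51.100.7", "browser", True),
    }
    return {name: evaluate(POLICIES, s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

Note that the admin policy has no exclusions, so admins are prompted for MFA even on the trusted network, while ordinary users reaching the finance app from a trusted address or a compliant device are not. The order matters: a block from the legacy-auth policy is reported before any MFA requirement is considered.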
Section 5 Module 2
Governance – the general process of establishing rules and policies and enforcing them

A good governance strategy helps you maintain control over the applications and resources that you
manage in the cloud. Maintaining control ensures compliance with:

- Industry standards like PCI DSS
- Corporate or organizational standards, such as ensuring the encryption of network data

Governance is beneficial when you have:

- Multiple engineering teams working in Azure
- Multiple subscriptions to manage
- Regulatory requirements that must be enforced
- Standards that must be followed on cloud resources

Note: it is good security practice (least privilege) to grant users only the rights they need to perform
their job, and only on the relevant resources

Azure enables you to control access through Azure role-based access control (Azure RBAC)

Azure has built-in roles for cloud resources; you can also define your own custom roles. When you assign
individuals or groups to one or more roles, they receive all of the associated access permissions

RBAC is applied at a scope, which is a resource or set of resources that the access applies to.

Scopes include:

- Management group (a collection of multiple subscriptions)
- Single subscription
- Resource group
- Single resource

Granting access at a parent scope means the permissions are inherited by all child scopes

RBAC is enforced on any action initiated against an Azure resource that passes through Azure Resource
Manager (which provides a way to organize and secure cloud resources)

RBAC doesn't enforce permissions at the application or data level; security inside an application or its
data must be handled by the application itself.

Along with using RBAC for users and groups, you can use it for service principals and managed identities

RBAC is managed through the Access control (IAM) pane in the Azure portal

A resource lock prevents resources from being accidentally deleted or changed

- Managed from the Azure portal, PowerShell, Azure CLI, or an Azure Resource Manager template.
- Lock levels are CanNotDelete (authorized users can modify but not delete) and ReadOnly (authorized
users can read but not modify or delete)
- A lock applied at a parent scope (such as a resource group) also applies to the resources inside it

Resource locks apply regardless of RBAC permissions: even if you are the owner of a resource, you must
remove the lock before you can perform the blocked activity

You can even protect against accidentally removed resource locks with Azure Blueprints, which let you
define the set of standard Azure resources that your organization requires. Blueprints can automatically
replace a lock if one is removed
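The RBAC scope model and the lock behaviour from the two passages above, as an added example that is not part of the notes or of Azure itself: a toy evaluator where role definitions use Azure-style action strings and wildcards, assignments at a management group or subscription are inherited by everything below, and locks are checked after RBAC so that even an Owner is stopped by a CanNotDelete or ReadOnly lock. Role lists are simplified versions of the built-ins; every subscription, resource group, resource and principal name is constructed.

```python
"""Toy Azure RBAC + resource-lock evaluator (added example, not Azure's code).

A role is a list of allowed actions ('*' wildcards as in Azure) minus
NotActions; an assignment binds a principal to a role at a scope; parent-scope
assignments and locks are inherited by every child scope. Scope strings follow
the shape of Azure resource IDs, and all names below are constructed.
"""
from fnmatch import fnmatchcase

# Role definitions modelled on the Azure built-ins (simplified action lists).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
}

MG = "/providers/Microsoft.Management/managementGroups/mg-corp"
SUB = "/subscriptions/sub-prod"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stlogs"

MG_PARENT = {SUB: MG}    # which management group each subscription sits in

ASSIGNMENTS = [          # (principal, role, scope)
    ("alice", "Reader", MG),       # inherited by every subscription under mg-corp
    ("bob", "Contributor", SUB),   # inherited by rg-app and everything in it
    ("carol", "Owner", RG),
]

LOCKS = {RG: "CanNotDelete", STORAGE: "ReadOnly"}   # scope -> lock level


def scope_chain(scope):
    """The scope itself followed by each ancestor up to the management group."""
    chain = [scope]
    parts = scope.strip("/").split("/")
    if parts[0] == "subscriptions":
        if len(parts) > 4:                    # a resource: add its resource group
            chain.append("/" + "/".join(parts[:4]))
        if len(parts) > 2:                    # add the subscription
            chain.append("/" + "/".join(parts[:2]))
        mg = MG_PARENT.get("/" + "/".join(parts[:2]))
        if mg:
            chain.append(mg)
    return chain


def _matches(pattern, action):
    # Azure action matching is case-insensitive and '*' spans '/' separators.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role, action):
    spec = ROLES[role]
    return (any(_matches(p, action) for p in spec["actions"])
            and not any(_matches(p, action) for p in spec["not_actions"]))


def rbac_allows(principal, action, scope, assignments=ASSIGNMENTS):
    ancestors = scope_chain(scope)
    return any(p == principal and s in ancestors and role_permits(r, action)
               for p, r, s in assignments)


def blocking_lock(action, scope, locks=LOCKS):
    """Name of the lock that stops this action at this scope, or None."""
    if action.lower().startswith("microsoft.authorization/locks/"):
        return None      # managing the locks themselves is governed by RBAC only
    kind = action.rsplit("/", 1)[-1].lower()    # read / write / delete / action
    for s in scope_chain(scope):
        level = locks.get(s)
        if level == "ReadOnly" and kind != "read":
            return f"ReadOnly@{s}"
        if level == "CanNotDelete" and kind == "delete":
            return f"CanNotDelete@{s}"
    return None


def evaluate(principal, action, scope):
    """Decision string: RBAC first (as Resource Manager does), then locks."""
    if not rbac_allows(principal, action, scope):
        return "denied: no role assignment grants this action"
    lock = blocking_lock(action, scope)
    if lock:
        return f"blocked by lock {lock}"
    return "allowed"


if __name__ == "__main__":
    for who, action, scope in [
        ("alice", "Microsoft.Compute/virtualMachines/read", VM),
        ("alice", "Microsoft.Compute/virtualMachines/write", VM),
        ("bob", "Microsoft.Authorization/roleAssignments/write", RG),
        ("carol", "Microsoft.Compute/virtualMachines/delete", VM),
        ("carol", "Microsoft.Storage/storageAccounts/write", STORAGE),
        ("bob", "Microsoft.Authorization/locks/delete", RG),
    ]:
        print(f"{who:6s} {action:48s} {evaluate(who, action, scope)}")
```

Two details worth checking in the output: carol is Owner of the resource group yet cannot delete the VM until the CanNotDelete lock is removed, and bob (Contributor) cannot remove that lock because `Microsoft.Authorization/*/Delete` is in Contributor's NotActions, so only an Owner or User Access Administrator can clear it.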

Organize related Azure resources using tags, an alternative to organizing them by subscription or resource group

- Tags provide extra information (metadata) about your resources. Useful for:
o Resource management – locate and act on resources associated with different areas of
your business (workloads, environments, business units, owners)
o Cost management and optimization – report on costs and allocate cost centers, track
budgets, forecast cost.
o Operations management – manage SLAs and organize by criticality
o Security – data security level
o Governance and regulatory compliance – resources that align with governance and
compliance
o Workload optimization and automation – visualize resources that are part of complex
deployments

You can manage tags in the usual ways (portal, PowerShell, Azure CLI, Resource Manager templates) or
through Azure Policy, which can make a resource inherit the tags of its parent resource group and can
enforce tagging rules and conventions

Azure Policy – allows you to define individual policies and groups of related policies known as initiatives.
It evaluates your resources and highlights those that aren't compliant with the policies you have created.
It can even prevent non-compliant resources from being created.

Azure Policy comes with built-in policy definitions for Storage, Networking, Compute, Security Center,
and Monitoring.

Creating a policy involves three tasks:

- Create a policy definition
- Assign the definition to resources
- Review the evaluation results

Azure Policy initiatives – an initiative definition contains a set of policy definitions, which helps track
compliance state against a larger goal
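The tag-inheritance and policy/initiative passages above, as one added example that is not the notes' or Azure's own code: a toy evaluator that keeps the if/then shape of real Azure Policy JSON for a subset of its condition operators, groups policies into an initiative, and applies three effects (deny, audit, modify). The modify effect copies a tag from the parent resource group, which is a simplification of the built-in "inherit a tag" policy's template expression; the policy names, resources and resource groups are constructed.

```python
"""Toy Azure Policy evaluator (added example, not Azure's code).

Supports allOf/anyOf/not, equals/notEquals/in/notIn/exists, and the effects
deny (stop creation), audit (flag) and modify (here: copy a tag from the
resource group). An initiative is a named list of policy definitions.
"""
import copy
import re

_TAG_FIELD = re.compile(r"^tags\['(.+)'\]$")
_RG_TAG_FIELD = re.compile(r"^resourceGroup\.tags\['(.+)'\]$")   # toy extension


def get_field(resource, field, rgs):
    """Resolve a policy field: tags['x'], resourceGroup.tags['x'], a top-level
    property, or a type alias such as
    Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly."""
    m = _TAG_FIELD.match(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    m = _RG_TAG_FIELD.match(field)
    if m:
        return rgs.get(resource["resourceGroup"], {}).get(m.group(1))
    if field in ("type", "location", "name"):
        return resource.get(field)
    prefix = resource["type"] + "/"
    if field.startswith(prefix):                  # alias applies only to this type
        return resource.get("properties", {}).get(field[len(prefix):])
    return None                                   # alias of another resource type


def _norm(v):
    return None if v is None else str(v).lower()  # Azure compares strings case-insensitively


def condition_holds(cond, resource, rgs):
    if "allOf" in cond:
        return all(condition_holds(c, resource, rgs) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, rgs) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, rgs)
    value = get_field(resource, cond["field"], rgs)
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in {_norm(v) for v in cond["in"]}
    if "notIn" in cond:
        return _norm(value) not in {_norm(v) for v in cond["notIn"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(initiative, resource, rgs):
    """Run every policy of the initiative against one resource request.
    A policy whose 'if' does not hold is compliant and contributes nothing."""
    resource = copy.deepcopy(resource)
    out = {"denied_by": [], "audited_by": [], "modified_by": [], "resource": resource}
    for pol in initiative["policies"]:
        if not condition_holds(pol["if"], resource, rgs):
            continue
        effect = pol["then"]["effect"].lower()
        if effect == "deny":
            out["denied_by"].append(pol["name"])
        elif effect == "audit":
            out["audited_by"].append(pol["name"])
        elif effect == "modify":                  # only addOrReplace on a tag is modelled
            for op in pol["then"]["details"]["operations"]:
                tag = _TAG_FIELD.match(op["field"]).group(1)
                resource.setdefault("tags", {})[tag] = get_field(resource, op["value"], rgs)
            out["modified_by"].append(pol["name"])
    return out


# Constructed initiative; the type check in storage-https-only is essential,
# otherwise the alias resolves to None on non-storage resources and 'notEquals'
# would flag every VM and network as non-compliant.
INITIATIVE = {"name": "corp-baseline", "policies": [
    {"name": "allowed-locations",
     "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
     "then": {"effect": "deny"}},
    {"name": "storage-https-only",
     "if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                      {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                       "notEquals": "true"}]},
     "then": {"effect": "deny"}},
    {"name": "require-env-tag",
     "if": {"field": "tags['env']", "exists": "false"}, "then": {"effect": "audit"}},
    {"name": "inherit-costcenter-tag",
     "if": {"allOf": [{"field": "tags['costcenter']", "exists": "false"},
                      {"field": "resourceGroup.tags['costcenter']", "exists": "true"}]},
     "then": {"effect": "modify", "details": {"operations": [
         {"operation": "addOrReplace", "field": "tags['costcenter']",
          "value": "resourceGroup.tags['costcenter']"}]}}},
]}

RESOURCE_GROUPS = {"rg-app": {"costcenter": "CC-100"}, "rg-sandbox": {}}   # rg name -> tags


def demo():
    storage = "Microsoft.Storage/storageAccounts"
    requests = {
        "bad_storage": {"name": "stlogs", "type": storage, "location": "westeurope",
                        "resourceGroup": "rg-app", "tags": {},
                        "properties": {"supportsHttpsTrafficOnly": False}},
        "vm_wrong_region": {"name": "vm1", "type": "Microsoft.Compute/virtualMachines",
                            "location": "eastus", "resourceGroup": "rg-sandbox",
                            "tags": {"env": "dev"}, "properties": {}},
        "good_storage": {"name": "stdata", "type": storage, "location": "northeurope",
                         "resourceGroup": "rg-app", "tags": {"env": "prod", "costcenter": "CC-200"},
                         "properties": {"supportsHttpsTrafficOnly": True}},
    }
    return {k: evaluate(INITIATIVE, r, RESOURCE_GROUPS) for k, r in requests.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, {k: v for k, v in result.items() if k != "resource"},
              result["resource"]["tags"])
```

The first request is denied outright (HTTP allowed on a storage account), is also flagged by the audit policy for the missing env tag, and would have had costcenter copied in from rg-app: all three effects report independently, which is how the compliance view of an initiative shows several findings for one resource.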

Azure Blueprints – define a repeatable set of governance tools and standard Azure resources that your
organization requires. Development teams can then rapidly build and deploy new environments, knowing
they're building within compliance.

An Azure blueprint orchestrates the deployment of various resource templates and other artifacts, such as:

- Role assignments
- Policy assignments
- Azure Resource Manager templates
- Resource groups

Implementation involves three steps:

- Create an Azure blueprint
- Assign the blueprint
- Track the blueprint assignments

The relationship between the blueprint definition (what should be deployed) and the blueprint assignment
(what was deployed) is preserved. Azure creates a record that associates a resource with the blueprint
that defines it; you can use this connection to track and audit deployments.

Blueprints are also versioned to track changes

Each component in the blueprint definition is known as an artifact. It's possible for artifacts to have no
additional parameters.

Cloud Adoption Framework

Provides proven guidance to help you on a cloud adoption journey. It helps create and implement the
business and technology strategies needed to succeed in the cloud. It consists of tools, documentation,
and proven practices, and includes these stages:

- Define your strategy
- Make a plan
- Ready your organization
- Adopt the cloud
- Govern and manage your cloud environments
You can refer back to the Cloud Adoption Framework for recommended guidance as you build your
cloud governance strategy.

To help build a strategy, it breaks each stage out into further exercises and steps

Define Your Strategy:

- Define and document your motivations
- Document business outcomes
- Evaluate financial considerations
- Understand technical considerations

Make a Plan

- Digital estate (an inventory of the digital assets and workloads to migrate)
- Initial organization alignment (ensure the right people are involved)
- Skills readiness plan (upskill individuals for cloud operation)
- Cloud adoption plan (a comprehensive plan for the deployment, operations, and business
teams)

Ready your organization

- Azure setup guide
- Azure landing zone (build the subscriptions to support the major areas of business)
- Expand the landing zone (refine the landing zone to meet operational, governance, and security
needs)
- Best practices

Adopt the cloud

- Migrate your first workload
- Migration scenarios
- Best practices
- Process improvements (scale the migration while requiring less effort)

Innovate

- Business value consensus
- Azure innovation guide (build a minimum viable product, MVP)
- Best practices
- Feedback loops (verify you're building what is needed)

Govern and manage your cloud

- Methodology (consider the end state and define how to get there)
- Benchmark (assess the current state and the future state)
- Initial governance foundation (an MVP for governance)
- Improve the governance foundation

Manage

- Establish a management baseline (the minimum commitment for operations management)
- Define business commitments
- Expand the management baseline
- Advanced operations and design principles

Subscription Governance Strategy

There are three main aspects to consider when creating and managing subscriptions:

- Billing
- Access control
- Subscription limits