SC-900 Microsoft Security, Compliance, and Identity Fundamentals Study Cram

Reddit Comments
šŸ‘ļøŽ︎ 2 šŸ‘¤ļøŽ︎ u/OperationWarm5215 šŸ“…ļøŽ︎ Mar 28 2021 šŸ—«︎ replies

Ace! Thank you.

I've booked the SC-300 for a couple of weeks time, so been re-watching some of your videos and I will add this to the list.

šŸ‘ļøŽ︎ 2 šŸ‘¤ļøŽ︎ u/D_an1981 šŸ“…ļøŽ︎ Feb 16 2021 šŸ—«︎ replies

Been watching quite a few of your videos. A fair bit of it goes over my head (I'm studying for az900) but they sure help!

Thanks.

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/Samyewlski šŸ“…ļøŽ︎ Feb 16 2021 šŸ—«︎ replies

I sat this exam. It wasn't too bad, pretty sure I passed. Working on the SC-200, MS-500, and AZ-500 next

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/Quantum_Helix šŸ“…ļøŽ︎ Feb 17 2021 šŸ—«︎ replies

This is priceless, thanks a million John :)

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/ShreemBreeze šŸ“…ļøŽ︎ Feb 17 2021 šŸ—«︎ replies

Great stuff John!

I've used all of your videos for the Azure Fundamental certs as a last hour cram lol.

So far so good, as I get some Azure certs under my belt while working on the AWS associate ones.

Will likely take this one Monday.

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/TorchBeak šŸ“…ļøŽ︎ Feb 20 2021 šŸ—«︎ replies

So I'm currently working my way in the IT industry from the ground up. I'm scheduled to take the Comptia A+ and Network+ in short order. I'm also working on an AAS in computer information technology, cyber security. I plan on going into the security industry and working with Microsoft is a goal of mine. I currently have a BS in communication and journalism and an MA in digital media production and while I enjoy producing video content, the IT realm is where I'm meant to be.

Taking all that into consideration, do you think taking the SC-900 and eventually the SC-200 and AZ-500 would be beneficial towards my goal of working in cyber security? Thank you, I appreciate any insight you provide.

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/GolferAg22 šŸ“…ļøŽ︎ Feb 26 2021 šŸ—«︎ replies

Is this exam worth taking if you already have AZ-500?

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/mworwell šŸ“…ļøŽ︎ Feb 16 2021 šŸ—«︎ replies
šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/SnooMuffins8992 šŸ“…ļøŽ︎ Jun 10 2021 šŸ—«︎ replies
Captions
hey everyone in this video i really want to provide kind of a hints and tips and a study cram session for the new s c 900 exam this is the microsoft security compliance and identity fundamentals exam uh currently at this time it's in beta i just took it last week it's a fundamentals exam essentially what you're going to get with this it's 60 minutes so it's a short exam and i had 50 questions now the actual time it took me to finish was 11 minutes the questions are one line things and it's really about do you know what feature to use or what functionality this feature provides you don't know how to configure it you don't need to know any kind of depth around these things it's super super broad and the questions are really just rapid fire hey this feature what does it do or i need to do this what feature should i use you'll just get a list of features to select so it is very very high level but it is super broad because the title is microsoft so really what that entails is we are thinking about well yes it's kind of azure ad for the identity side yes it's azure for some of the services but it's also microsoft 365 as well so it's this broad kind of coverage across all of those different things additionally there are questions about just general principles of compliance and principles around transparency and trust so we kind of need to know all of those different things but again at a very very high level now the best place to start is if we actually go to the microsoft sc 900 site and again if you pass this then you're going to kind of get this security compliance identity fundamental certification and what you want to do is if we go and look at this so go through the site and then we can think about it tells you hey i can schedule it for currently it's the beta it's going to tell you the skills measured and it's talking about well hey yeah the core concepts of kind of security compliance identity and then the microsoft identity access management solution so blood 
around azure ad and then kind of those security and compliance as they broach azure and microsoft 365. we can download the skills outline where then goes into more detail about what are all the different objectives the skills objectives the functional groups and the individual skills we need to know about so what you want to do is kind of go to this site look at this list and make sure you can kind of tick off in your brain yeah i i know what those are and the key word here is everything is describe i don't have to implement i don't have to architect i just have to know what the thing does or know what thing i need to achieve a certain task and in terms of preparation they have a free learning path and honestly my recommendation would be to go through that learning path and i think that will kind of put you in really kind of good stead and to pass the exam again it's a super simple exam it really is it's rapid fire you can kind of give yourself a minute per question and they're not big questions it's literally a line and then it's either hey what component do i use or it's this is the component what does it do that's really all it's going to be now i mentioned there are some kind of general principles across all of them and what i want to do kind of here is to go through those as kind of that study cram a lot of people use my kind of um these videos they'll watch it just before the exam maybe at the start to kind of bring everything together a bit of a revision so the first thing we really want to think about is this whole kind of defense in depth now the whole point here is i don't want to rely on one thing kind of like an onion we have all these different layers i want multiple layers of protection in case one thing fails well then there's something else to kind of back that up and protect it so we think about what i want to protect things like the data so here we think about world kind of encryption and we think about encryption at rest i.e in place encrypting 
the data on the storage we think about in transit it's going over the wire between where it is and what wants to use the data then i can think about the application that's using that data i want to make sure the application is well written there's no vulnerabilities we think about the compute so obviously there's some compute service could be a virtual machine could be a container we'll make sure i've got protection built into that maybe it's uh limiting what ports are open maybe it's having a firewall config anti-malware is up to date all those things to make sure that's healthy as possible then we think about well there's kind of the network and in terms of the network we think about maybe segmenting the network you'll hear things like network security groups other solutions there and we think about limiting the types of traffic we think about the perimeter of the network so a key thing here you might think about like distributed denial of service protection this is where some bad actor has multiple things firing at your public-facing service just trying to swamp it and take it down and azure for example has protection against this there's different levels of that and the microsoft services well that's their responsibility they have protection against that and then a huge one is the identity so in in the old days the the network was the big security perimeter as we move to the cloud the network is is not ours anymore so this really becomes the key security perimeter for us and so then we start thinking about all the strength of that identity a big focus is always mfa and things that can drive that stronger authentication when we're going to access things and then there's just kind of physical security now in the cloud that's not your responsibility that's kind of microsoft to secure the physical data centers but i want all of these things and if i am responsible for a certain layer and we'll talk later on about kind of these shifting who is responsible for what i 
want to do everything i can now sometimes you'll see even though you're responsible doesn't mean you're on your own sure i might be responsible for user accounts for example but there are tools there to help me make that as secure as possible now when you think about this whole security all these defense in depth i've got all these layers in case one fails there's another layer to kind of protect it you'll sometimes see this kind of cia and what that cia really boils down to is kind of confidentiality so i'm thinking about sensitive data my encryption i'm thinking about integrity so making sure my data isn't tampered with making sure that that really is what was intended what was there originally someone hasn't changed that in some way and then we think about availability making sure i can actually get to my service it's available to those that need it and these are super important things to consider when i'm planning out my environment because there's a saying it's kind of you can be secure and out of business i've worked with some companies that have so much bureaucracy they make it so hard to do anything that yes they're secure but they're not innovative they can't embrace new features they can't offer great features to their business units and really differentiate themselves from the competition because they're just stuck in the middle ages or i'm going to super focus on this tiny thing that really doesn't improve their overall security posture they just get stuck on it and so there's always this fine balance between being secure and being able to do business you want to find kind of that that good balance between them so i want to think about those kind of three things the confidentiality and the integrity and the availability of my data now when we think about security we're often thinking about well threats things that can do bad things to our environment and what are we thinking about here what are those kind of threats now i can think about kind of a data 
breach and this is often kind of the worst one the idea of a data breach ir data has been stolen that can destroy a company if i have maybe it's data for my company my intellectual property if that's taken by someone else that's a huge problem maybe i have my customers data with their personally identifiable information is taken that's a huge problem as well so we can think about hey a threat if someone takes our data this is where encryption comes into play and those strong network defenses the identity defenses to make sure when someone breaches an identity well then they probably go and bypass any other protections i have they could change it and go and get the data so it's not just hey encrypt the data it's hey i want strong network i want strong identity to make sure there's no weak link in the chain then we think about things around sort of a dictionary attack so if i think about what this is about really this data breach is hey i'm trying to get data i'm going through various controls to get at the data this is about trying to get to the identity and so a dictionary attack is hey there's a list of common passwords i just go at a certain account going through that list of passwords and i might do substitute in like an o for a zero those very simple easy things um we're going to do that it's kind of a brute force type attack i don't really have any intelligence behind it i'm just hammering this thing trying to attack it and there are things like azure ad smart lockout then give me protection from that hey it would stop those those attempts coming in i'm just gonna alert it's gonna say hey there's a risk i can see this attack happening there are things we can do that also might be trying to actually disable the account by doing all these bad authentications to it and again that smart lockout would protect my ad account now i can also think about um under here like a phishing attack now a phishing attack is where it's an email coming to the user so it's almost 
like a social engineering but it's still trying to get at the identity hey um click this link um i need you to do this real authentication normally they're pretty badly written they're kind of obviously bad but people click the link and hey type in the password and now their identity is compromised you might also see kind of a spear phishing attack now so all of these are around trying to get the identity let's just clear that up a bit and the spear fishing is different from the regular fishing attack in that it's targeted there's a bit more effort has been made they've built a database about the users if they understand who their manager is um what they type of things they do and it's now a focused attack this email will come to them it looks like hey it came from their manager it looks like it's legitimate so it really increases the chance that they're going to click that link and you take the credentials so there's more effort for the attacker there but then it's going to get me access to their identity and again if i get the identity i can pretty much do many many other types of things now i can also think there's things like ransomware so we always hear about things like wannacry these are attacks that get into the network and then they encrypt the data and they hey you pay me this money or i won't unencrypt your data it disrupts the business and then there are other just types of disruptive attack for example it could be kind of a distributed denial of service attack i'm not really getting anything out of it other than stopping that company being able to do business so there's all these different types of things that are threats to me and there are others as well but these are all around kind of and this is kind of the ability to do business so availability so understand these types of threats and what they get to but again if my identity is compromised then hey i can really do a lot of bad things because if i've got someone's identity i can probably go in 
and change other things and modify everything else so they're the threats what can we do against some of those things so a big thing you're going to see is this kind of zero trust that's really kind of a big push today and really the whole idea is just to assume compromise you don't trust that your network is secure you assume that even if i'm behind a firewall my network is compromised um i don't trust anything so what i want to do is verify everything if i trust nothing then i want to verify everything and i want to verify explicitly so i think about if there's communications between different devices well what i want to do is kind of an authentication something about an auth n and then an authorization an author z and we'll talk more about the difference between those in a little bit i want to think about least privilege so i think about just in time so just in time means i only get the permissions i need at the time i need it for a limited window i don't have a privilege all the time i only get it when i have to do things i would go and elevate up my permissions i do the task that requires that elevate permission and then i lose it so if i was compromised ordinarily they won't get anything significant they can do with my compromised account and then we think about just enough kind of administration and that means don't make me a global administrator don't give me more privileges than i need to do the job give me just enough to do the task so i work out what are the permissions required to do the task and i get a role that only has that ability and i combine them so i get a role that gives me just enough to do the job and i only get that role when i actually need to do it so we verify everything we use these least privilege and and really we just assume breach so if we kind of assume breach we're gonna segment the network so we segment everywhere we can i don't have just kind of this broad communication i'm going to segment i'm going to encrypt in case there's 
some bad agent some bad thing on my network i want to be able to detect different types of threats so i'm going to have solutions running that are looking at the logs looking at the types of interaction using machine learning and actually generating results from that being able to actually see different types of threats so what we'll see is when we think about these things we focus on a number of key types of objects so to do this to accomplish all of these different things actually come out for a second what we really focus to accomplish this we focus on the identity and i can think about the identity is kind of a user an application a service the device the devices we use have identities i think about device monitoring i need to be looking at these things so i can detect hey if something's going wrong i want to understand the applications being used i want to think about data classification because ultimately we do all these different things but most of what we care about is the data i want to make sure for my data well the important data i mean really funny everything is encrypted but then also i have things like data loss prevention i want to make sure it can't be used in bad ways and then obviously we do think about kind of the infrastructure the networks etc so there's all these kind of different elements that i have to think about and protect now there are some key kind of concepts and again we're going pretty rapid because this is the exam super bowled we just need to understand these core concepts now i've mentioned encryption a bunch of times and one of the things that is important to understand is well what are the types of encryption we're going to use and you can really think there's there's really two types of encryption so if i think about encryption you're going to hear about symmetric so i think about a symmetric encryption and then you'll hear about asymmetric so you're going to see these two types of encryption and really the point of it is with 
symmetric i can think about hey look i have my data i run it through an algorithm that uses a particular key and then i get kind of this encrypted data on the other end it's been encrypted now to decrypt it i use the same key so i actually think about if the key is going for the algorithm to create the encrypted version it's exactly that was key one i also use exactly the same key key one again to go from the encrypted back to the data so that's symmetric this is very efficient for large scale and kind of encrypt decryptive data asymmetric is different there's now two keys you'll often hear the idea of kind of a public key and a private key and as the name kind of suggests and these are paired together there's an equivalent public key for the private key private key i keep to myself public key everyone can know and the idea about this is if i had kind of this data again if i want to send it to someone encrypted i would encrypt it with their public key because everyone knows it so i would encrypt it with the public key to get kind of this gobbledygook whatever it can only be decrypted with the private key which only they have so then they get it back again so if i want to send sync to someone encrypted oh and i don't really have a good way to exchange the key which is what symmetric how do i exchange the key there's a challenge there so with asymmetric there's a public and private key so if i want to send something to someone that only they can read i encrypt it with their public key that everyone knows but the public key can't be used to decrypt something that was encrypted with the public key i have to use the corresponding key either private which only i have so that would be encryption of the data now sometimes i want integrity i want to make sure no one has messed with the data i want to make sure it really arrives as it was sent so if i think about that is kind of the security in tech security side protecting the data the other thing you'll often do is hey i 
want to send a bit of data and make sure the person that sees it knows no one has changed it so now i have a piece of data and what we can do is we can generate a hash so a hash is really a digest of the data it's some value that i get and then what i do is i encrypt the data that hash with my private key remember only i have my private key so then i can send to the person kind of that data and that hash value encrypted with the private key so then they get the data and they run it through exactly the same hashing algorithm to get a hash value they then because it was encrypted with the private key they can then decrypt this value with the public key and they can make sure they match so hey that results in hash if they're equal then i know the data was not modified and i can guarantee the integrity of the data because remember the public key can decrypt something encrypted with the private key so with the other so if i want to protect encrypt data to someone i encrypt it with their prior with their public key if i want to send sync to someone only they can read encrypt it with their public key so only they can decrypt it with their private key if i want to send something out and guarantee the integrity of it that no one's messed with it then i would create a message digest a hash value encrypt it with my private key and then send the data and that encrypted hash value so now they get the data they run it through the same hash algorithm to get hash value and make sure it matches the hash value that only i could have encrypted because only i have the private key so it means it's guaranteed it wasn't changed in transit so that's how i can really think about using the types of encryption that symmetric to encrypt bulk data asymmetric to send small amounts of data and to verify message integrity and what you'll often see is them mixed together if i want to have an ongoing large scale encryption i might use the asymmetric to share a symmetric key that's how i can 
securely share that key and then i'm good going forwards so that's kind of encryption now the next thing i want to talk about is i mentioned kind of this idea of responsibility and we do get this idea that there's shared responsibilities now if i think about there's a huge number of layers now i always draw these kind of number of layers things but when i start to think about responsibility from this perspective there's actually more layers than i would normally talk about so i can think about well there's kind of the physical data center i can think about in that physical data center there is a physical network and then there are physical hosts so these are all kind of real world objects and then i can think about okay well now i run an operating system i might have kind of network controls my nsgs i'm gonna talk about those um i have my applications and then there might be kind of uh an identity and directory infrastructure so let's talk about id and directory infrastructure and then we get into this idea well on top of that there's like accounts and identities i can think there's devices and then there's information and data now if i look at that if i think about on premises then obviously all of these things are the customer because it's on-prem there isn't there's no cloud involved in this so when we start talking about the cloud there are different types of service we think about like infrastructure as a service i.e kind of a vm in the cloud so as soon as you get into any kind of as a service this always becomes the responsibility of the cloud provider i in this case microsoft you never have access to a physical data center or physical host or physical network that's always going to be us now if you think about kind of the responsibilities then in a vm world you control the os you control the network it's on your virtual network so in this case this is now the customer now this is responsibility again doesn't mean you're on your own there are solutions in 
azure to help you patch the operating system back up the operating system replicate the operating system have anti-malware network security groups um azure firewall there's all things to help you do it but fundamentally you own the responsibility of it then you start moving into past solutions so pads like a platform as a service and there's many many different types so it becomes a bit more muddled at this point now one of the things i can kind of flip on this is essentially these are always the customer so this is always going to be the customers the accounts the devices the information data it's always your responsibility to protect that again there's toolings to help you that's always going to be the customer across those but in the past world there kind of becomes a shift now i can think about the os in this world well that becomes the cloud in addition to all that physical stuff this is always the customer this now becomes kind of a joint responsibility there are aspects that is the customer's responsibility there are aspects that are kind of shared so here this now becomes some kind of shared responsibility there are aspects that hey the vendor is responsible for there are aspects that hey you are responsible for and then finally there's software as a service so in a software as a service world and i guess i'll pick another color really the line now goes other layers up you're not responsible for the app or the network but again the identity of the directory infrastructure for the sas well that's now all kind of the cloud and then that is always you but now this little piece here is shared the idea of kind of the identity directory infrastructure there's kind of a shared model but again the customer is always responsible for this part when i think about no matter what i'm doing sas pas is the infrastructure and data the devices the accounts that's your responsibility there are services to help you you ultimately own that it's important to kind of understand 
how they shift essentially as i move from is to pass to sas i'm responsible for less and less as soon as i get out of ios i don't care about patching the os anymore or antivirus on the os or any of those things and as i move from paz to sas i don't care about the application or network controls anymore it's really just how do i use that business driving service and there's things like the apps um the data the identity that i'm responsible i need to make sure i'm using the right tooling um the right licensing maybe to protect it as best i can okay so that's kind of the general responsibility and those types of things we've got these different threats the trust then we start to move on into more about principles service trust and service specifics now for all of these things for all of the microsoft services let's go to 100 there were kind of these key principles that they really drive behind and you'll see microsoft talk about kind of these six key privacy principles you need to know these so there are these six privacy you have these principles so the first one is about control so putting the customer in control of your privacy making sure you have the various dials you can use the tools to make choices about what data you want to be made available to others maybe how you want it to be used and then it should be transparent it should not be confusing you shouldn't have to go and dig around to work out what data is collected so you can make the right decision where there is data protect it use strong encryption uh strong security to make sure if you're entrusting data to microsoft they're good custodians of that data and you'll hear about kind of strong legal protection now obviously this is kind of an interesting point and you'll see in the court case that hey someone goes to a cloud provider and says give us the customers data so it's about respecting the local laws of the country and fighting for the privacy of us as humans this fundamental right that we're 
entitled to privacy don't use the data for targeting i if it has our emails um if it's got our chat files don't use any personal content to drive advertising for some other service and make sure there are benefits to you i.e we're collecting this data is to benefit you as the customer to enhance your experience so those are kind of the six key privacy principles of microsoft and again know what they are um you might get a question about that so know which ones are key principles hopefully that makes kind of sense um why now if we think about that then we really come down to this idea of trust i mean it boils down to that so how do we get insight into the various aspects that surround all of those things and the biggest one you're going to start with is the service trust portal this is really your go-to place and i'm actually going to open this up i'm going to take a look at this so if i jump over here so it's just service trust.microsoft.com and straight away you can kind of see where it talks about audit reports so sock fedramp iso 2701 pci dss and there's a whole bunch of these if i click this link i go to kind of the audit reports and i can see a list of documents about all the different types of audit reports across fedramp and grc and pci iso and you can download these massive amounts of documentation about these various things so this service trust portal is kind of this starting place where you're going to kind of want to go so we have all these different types of audio ports now we also have kind of compliance manager so this enables us to actually go and measure and manage our compliance against various types of standard and i can kind of go into here and it distinguishes between things i'm responsible for as the customer and things microsoft is responsible for so you can see i've got 75 so that seems like it's going really well until you know is how the points were achieved so i have 90 out of 4008 whereas microsoft has 12 093 out of 12 093 so microsoft's 
doing significantly better than me but it gives me the things that i can work on to actually improve my compliance it gives me then broken down by categories and there's various types of kind of assessments and i can view the improvement actions but it's giving me that data so this is kind of a real key place where i can actually go and manage these things so it actually i can track i can allocate it really helps me get details there are different types of solutions across this here i can see what i should do i could select this for example i could assign the action to someone i could track when i want it done by it really is a complete management tool of this now additionally we can see hey look there's all kind of trust documents there's those audit reports there's data protection other things it's broken down by industry so there's particularly industries i care about or regions i can see that here here we kind of talked about documents penetration tests and the compliance manager industry compliance services regional the security and compliance center and that that trust center really is a huge one for going and tracking kind of all those different compliance settings so i find myself a lot here in this trust center because this is where you can actually go and start finding out so okay well compliance for example what are all the different compliance offerings available in azure by the different solutions so i could see okay microsoft azure for example over here i can see all the different compliance offerings so if i select that and here we go so these are all the different compliance offerings that exist and i could click into these and go and get all the different details if i'm trying to work out hey does azure or microsoft 365 or dynamics have this i would start in the service trust portal then i go to the trust center and then i can see hey ones for azure and really dive into this and if there's documents that i really care about i can kind of save them 
So if I go back to here, I can have a My Library, so the things that I really care about I can go and, notice here it's saying save to library, and then it will always be available to me, very easy to access. So that's a lot of stuff already, and really that's just the more generic things, but it's important you do know all of those different principal things.

Now once we hit those and we understand those, then it really does break down into three core areas I can think about. Well, there's Azure AD, because remember identity and the health of that identity is key, and then from the Azure AD we have things like Azure, and we have Microsoft 365. So see, both of these use an Azure AD instance for their identity. So that's the next drill down, deep dive we have to think about.

So if we start thinking about Azure AD now, for Azure AD, like any identity, there are really four key pillars that I have to think about. I can think about the pillar of administration, i.e. the management. I can think about the authentication, sometimes written AuthN. I can think about the authorization, AuthZ. And then I can think about the audit. And they're the four key things that we have to think about. So again, if I think about administration, well, that's the management; authentication is proving who I am; authorization is what I can do; and then this is, well, what have I done. And so they're all key pillars to that complete solution, and I want to just dive into those.

So if I think about administration, one of the key things you're constantly going to see is modern authentication, and modern authentication is all now about the idea that we have a centralized identity provider, and I want to be able to use that by multiple services. We want to move away from this legacy type authentication where I have this credential just for this one service. I now think about, with this modern auth, I have a token, and that token I
can use across a range of services. We think about consent: I'm going to say, hey, this service, you can go and perform this on my behalf for me. You'll hear about OAuth 2. You might have seen it on a Facebook app where it says, hey, you're going to access this app, and you sign into your Facebook and it says, hey, want to do this on behalf of your Facebook data, we'll post to your page; you're consenting that that can work on your behalf. But also as part of this modern auth, then we do have the idea around strong policies of auditing. So I think about policy, audit, and really the whole idea of detecting risk. They drive a strong modern authentication.

Now, what is my authentication world? Now we're used to the idea, and again you need to know the basics around this, but we're very much used to the idea that we have an Active Directory, so this is our Active Directory Domain Services on-premises, and we have just users and groups and devices. And then we have the idea of an Azure AD tenant, we have an instance of Azure AD. This is not an instance of Active Directory Domain Services in the cloud. It might seem that way; it's not at all. This is all focused around modern authentication: OpenID Connect, OAuth 2, WS-Fed, SAML. You hear these modern authentication protocols. And what we do is we enable a synchronization of our accounts, so now we have this thing called Azure AD Connect, or Azure AD Cloud Sync is the new one, but we'll focus on Azure AD Connect. That synchronizes the accounts. What this does is it gives us this single sign-on, this seamless sign-on, so I have one account, and whether or not I'm accessing services, for example, that trust AD, or if I'm accessing some cloud service up here that trusts Azure AD, for me it's very much a seamless experience. And this Azure AD is really behind the idea of that modern authentication. It is a cloud-based IdP, an identity provider. It speaks cloud. It speaks, again, OpenID Connect, it speaks OAuth 2, it speaks SAML, it
speaks all of those cloud things. Now as part of these synchronizations we send up the user objects, we send up the group objects, we can send up things like a hash of the user's password hash, so I can maybe do some enhanced protection looking for compromised accounts, because the hash of the password hash is up there, I can find out if something bad has happened.

Now in that Azure AD there's various types of objects. In this Azure AD, obviously we have users. Now these could be synchronized users, and they could be accounts I create directly in Azure AD. Now they can also be a guest. So a guest is also this B2B, and that means business to business, and it's someone that I collaborate with, it's someone in another organization. This could be someone in a different Azure AD, it could be a Microsoft account, it could be a Gmail, it could be just someone else entirely. I could use federation, I could use a one-time passcode, but essentially I can make them a known entity to my Azure AD so that they authenticate against their home account, and then I can authorize them to actually do something. So I can have native users, I can have guests. I can also have things like service principals. So if I register an application, so I have some app, when I register it I make it an enterprise app, it gets a service principal that represents that app. So when I register applications it's going to get a service principal. Then there's things like a managed identity. So a managed identity is really the idea that, hey, I have things that trust this Azure AD; one of them could actually be Azure, and inside my subscription that trusts that particular Azure AD instance I create some resource. That resource can automatically get an identity that only that resource can act as, so it uniquely has a particular managed identity. It saves me trying to store a password or something else; it's just available to it. So I'm going to have managed identities. I can have groups. Now groups can be assigned, so assigned means I
manually say all these users are in this group, or it can be dynamic. So dynamic, as the name suggests, I can have basically a query based on attributes of the user: hey, you are now a member of this group. So if my department matches this, I'm in it; if my description matches this, I'm in this group. And these are very powerful, because from groups I can do things like assign applications, I can assign them licenses, even roles. So in terms of a life cycle or governance, groups are very, very powerful. So I might use a dynamic group to add people as they change roles, based on maybe their title, their department, and that automatically would give them certain apps and licenses and roles, and obviously if they move out of the group they would lose those things. So a big thing we'd like to do is grant permissions to groups rather than individual users.

And then of course I have devices. Now when I think about devices, obviously we've had this idea up here of AD and then Azure AD. So I can think about, from Azure AD, there are really three different models I can have. I can have joined. So in a joined world, this is Windows 10.
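To make the dynamic-group idea concrete, here is an added example in Python; it is not code from the video or from Microsoft. It is a small evaluator for a subset of the Azure AD dynamic membership rule syntax (user.<attribute> with -eq, -ne, -contains, -notContains and -startsWith, combined with -and, -or, -not and parentheses). The tenant, the users, the group names and the apps, licenses and roles each group grants are all constructed, and the case-insensitive string matching is a simplification of the real service. What it shows is the governance point made above: because access is granted to the group and never to the user, changing a user's department or title moves them in or out of the group and their apps, licenses and roles follow automatically.

```python
"""Toy evaluator for Azure AD dynamic-group membership rules (added illustration,
not Microsoft code). Supports user.<attribute> with -eq, -ne, -contains,
-notContains and -startsWith, combined with -and, -or, -not and parentheses.
String matching is case-insensitive here, a simplification of the real service."""
import re
from typing import Callable, Optional

Predicate = Callable[[dict], bool]

# Tokens: parentheses, -operators, property paths like user.department, "strings".
_TOKEN_RE = re.compile(r'\(|\)|-[A-Za-z]+|[A-Za-z_][\w.]*|"(?:[^"\\]|\\.)*"')
_STRING_OPS: dict[str, Callable[[str, str], bool]] = {
    "-eq": lambda a, b: a == b,
    "-ne": lambda a, b: a != b,
    "-contains": lambda a, b: b in a,
    "-notcontains": lambda a, b: b not in a,
    "-startswith": lambda a, b: a.startswith(b),
}


def tokenize(rule: str) -> list[str]:
    tokens = _TOKEN_RE.findall(rule)
    # Fail closed: any character the tokenizer skipped is a syntax error.
    if re.sub(r"\s+", "", "".join(tokens)) != re.sub(r"\s+", "", rule):
        raise ValueError(f"cannot tokenize rule: {rule!r}")
    return tokens


class _Parser:
    # Recursive descent: or_expr > and_expr > factor (-not | parentheses | comparison).
    def __init__(self, tokens: list[str]):
        self.tokens, self.i = tokens, 0

    def peek(self) -> Optional[str]:
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self) -> str:
        if self.peek() is None:
            raise ValueError("unexpected end of rule")
        self.i += 1
        return self.tokens[self.i - 1]

    def or_expr(self) -> Predicate:
        left = self.and_expr()
        while (self.peek() or "").lower() == "-or":
            self.take()
            left = _combine(left, self.and_expr(), any)
        return left

    def and_expr(self) -> Predicate:
        left = self.factor()
        while (self.peek() or "").lower() == "-and":
            self.take()
            left = _combine(left, self.factor(), all)
        return left

    def factor(self) -> Predicate:
        tok = self.take()
        if tok.lower() == "-not":
            inner = self.factor()
            return lambda user: not inner(user)
        if tok == "(":
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        return self.comparison(tok)

    def comparison(self, prop: str) -> Predicate:
        if not prop.lower().startswith("user."):
            raise ValueError(f"expected user.<attribute>, got {prop!r}")
        attr, op, lit = prop[5:], self.take().lower(), self.take()
        if op not in _STRING_OPS or len(lit) < 2 or lit[0] != '"' or lit[-1] != '"':
            raise ValueError(f"bad comparison: {prop} {op} {lit}")
        value, test = lit[1:-1].lower(), _STRING_OPS[op]
        # A missing attribute compares as the empty string.
        return lambda user: test(str(user.get(attr) or "").lower(), value)


def _combine(a: Predicate, b: Predicate, how) -> Predicate:
    # `how` is any (for -or) or all (for -and); both short-circuit on the generator.
    return lambda user: how(p(user) for p in (a, b))


def compile_rule(rule: str) -> Predicate:
    parser = _Parser(tokenize(rule))
    node = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return node


# Constructed sample tenant: each dynamic group's rule and what membership grants.
GROUPS = {
    "sales-staff": {"rule": '(user.department -eq "Sales") -and -not (user.jobTitle -contains "Intern")',
                    "grants": {"app:CRM", "license:M365-E3", "role:Sales-Reader"}},
    "engineering": {"rule": 'user.department -eq "Engineering" -or user.jobTitle -startsWith "Dev"',
                    "grants": {"app:GitHub", "license:M365-E5"}},
}


def effective_access(user: dict) -> set[str]:
    """Everything the user gets through dynamic groups; nothing is assigned directly."""
    granted: set[str] = set()
    for group in GROUPS.values():
        if compile_rule(group["rule"])(user):
            granted |= group["grants"]
    return granted
```

Re-running effective_access on the same user record after an HR attribute change is the whole life-cycle story in one call: an account manager moved to Engineering loses the CRM app and the Sales-Reader role and picks up the engineering grants, and an intern never gets the sales grants at all. The tokenizer deliberately rejects anything it cannot parse (an unquoted literal, an unknown operator) rather than silently evaluating a partial rule, because a membership rule that quietly matches more users than intended is an over-grant.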
If it's joined, I'm going to authenticate with an Azure AD account. That's probably going to be a corporate device, so if I'm going to be joined that's probably a corp device. Then I can have registered. So that's probably going to be personal, that's my device. Now that can be a whole range of different types of devices; from a registered perspective that could be Windows 10, iOS, Android, I think macOS. They're known to Azure AD, and I'm going to sign in with a personal account. And I can also do a hybrid. So hybrid is when the device is known to both Azure AD and Active Directory Domain Services, and when I authenticate I'm essentially getting tokens for both of those things. Again, that's going to be a corporate account. If I'm using Windows 7 plus, Windows Server 2008 plus, I can use that hybrid model.

So Azure AD is that identity provider, and I can think about all these different types of objects that I can have within there. But a key thing is things like guests, when I want to collaborate. So that really is the key point of a guest: they're people I want to collaborate with. Now, completely separate from that, I may have customers, and so here there's a separate Azure AD tenant. This is called B2C, so it's Azure AD B2C, business to consumer. So now these people are my customers, and really you've got those things over here, but now I can also have things like Facebook, Twitter, Weibo; there's a whole list of these. But now users can bring their social identity to authenticate against the Azure AD B2C, and then I write my app that trusts that Azure AD B2C for the authentication. So that's how I can think about bringing all of that together.

Now Azure AD, there's a whole bunch of different versions. You don't need to know the details of them. If I quickly show the page, really it breaks down into these premium SKUs, and there's free, and then there's if you have Microsoft 365 licenses. So what we can see is the free, hey, I can do a lot
of things with the free. I've got my device registration, I can even do things like MFA, but it's very basic MFA with the free, basic reports. And then with Microsoft 365 licenses I can do custom branding, self-service password reset for cloud accounts. But it's really when I get into the premium that we get all these more advanced things like Conditional Access. You'll hear me talk about Conditional Access; I need premium, I have a P1 or P2, and they come with other licenses like some of the Microsoft 365 E3 and E5. But you'll see you get all these enhanced features when you get those premium licenses, and then with P2 that's where you get things like Identity Protection, Privileged Identity Management, i.e. just-in-time, access reviews, and entitlement management. Okay, so that's really built around that core. All of that was really around the management and what we can do.

So the next thing we start thinking about is, okay, well, if that's the administration side, what about the authentication? So I'll come over here. So remember, authentication is the first thing that happens, and again we say AuthN, authentication. So this is first: after someone has created the account, if I go to the Azure portal, the first thing I have to do is authenticate. I have to prove I am who I say I am. Now how do we do that proof? So remember this is all about who I am. Now we can have a password, and generally we don't like that very much. Just a password on its own is very unpopular today. We want to move into MFA. So remember the whole point of MFA is multi-factor authentication, i.e. it's something I know, something I have, something I am. So something I know: hey, a PIN, a password. Something I have could be my laptop, could be a phone, a token. Something I am is a biometric: a 3D facial scan, my thumbprint, iris, one of those things. So MFA is obviously much stronger because it's multiple factors. A password would be a factor; it's something I know. So what I want to move to is MFA. So I can think about, really,
there's different types of MFA. So one of the things I could do is it could be like an SMS message, or it could be a call to my phone. So that's one aspect I could do with MFA, and that's better than nothing, but it's not super popular; people always worry about hijacking a SIM or something like that. So we can move beyond that, and we start thinking about things like, well, we have the Authenticator app, and from there we can show a code, we can show a notification, and we have software one-time passcode tokens or hardware one-time passcode tokens. So that's MFA.

You'll even then shift on to, even better, the idea that there is no password. You might hear of Hello for Business, and the whole idea of Hello for Business is it uses the TPM in your laptop. It creates a private/public key, remember that encryption earlier; the private key is in that TPM, that Trusted Platform Module. It's tamper-proof, you can't brute-force attack it, and now it uses that to authenticate. Now you might say, okay, that's just the laptop, that's one form of authentication, something I have, but I still have to use a PIN to unlock it, so it's something I know, or a biometric, to unlock the machine. Then it's something I have, because this Hello for Business is unique to that particular machine. So it's two things: something I know or that I am to unlock it, and then something I have, because I'm unlocking that particular device. So this, the no password, is really the utopia, what we want to try and get to. So yes, there's things like Hello for Business. Again, there are things like the Authenticator app now, and once again with the Authenticator app I have to unlock the app and I have to have my phone, so it's still strong authentication, it's two factors. And also there's things like hardware FIDO2 keys. So this is just authentication. This is just the idea that, hey, I'm trying to improve my overall authentication, the strength. We don't like just password. So if we were over here, we'd draw a very,
very sad face for this. The SMS, call, it's better than nothing, we're neutral. But then when we get to these ones we're happy. No password is the best, but if we do an MFA with one of these that's still a great thing. But password on its own, big frowny face. MFA is going to be the answer to pretty much any question you see about you need to have strong authentication. If you see MFA written there, that's going to be your answer, pretty much guaranteed.

Now just really, really quickly, we can see these. So if I jump over to my Azure Active Directory and I go to my Security, and from here we can see MFA, there are some options. There's things like fraud alert, so I can turn this on, so if a user gets an alert to say, hey, please confirm your authentication, and they didn't request an authentication, they can actually signal that, and then I have the choice to say, hey, if this user signals that, automatically block users who report fraud. So we can go and dig into it, we can go and do other things, but it will definitely enhance the risk of that user's session; it will know those things. Now additionally, if I actually go back over here to these cloud-based MFA settings, you'll notice I can pick the verification options. So these are: I can call to phone, text message, notification through mobile app, verification code from mobile app. You'll also see the idea that, hey, for users I can do things like enable them, I can disable, I can enforce. This is per-user MFA, and generally we are not going to do that. That is not the preferred approach. The way I want to drive MFA, so for all of these things, I want to use something called Conditional Access. So these are policies, and one of the outputs, the requirements, could be do an MFA. That's how I want to drive these things. I don't want to make people MFA constantly; they'll get muscle memory to just accept it all the time. I should drive MFA if I'm doing a privileged action, if there's some higher risk
detected. That's the best practice. Now remember, this is a P1/P2 capability to be able to do that. If I don't have P1/P2, then I can't use Conditional Access, so then the other option is, if I was like Microsoft 365, it gives you MFA, and then I can do the per-user configuration. So I could go in and say, hey, you're enabled, so it'll make them register; once they register they will then go to enforced. So that's where I'll see those ideas that, hey, I'll enable them, and then once they register they will move to enforced. Now if I'm just free, really what you have is something called security defaults. Now security defaults, you really don't get to pick anything. So again, for premium P1/P2 I can drive the registration; if I'm P2 I can actually do Identity Protection to drive the registration; if I'm just M365, yes, I can do that per-user thing; if I'm the free, there is security defaults. So security defaults, if we go and look quickly, basically what that's going to say is, hey look, everyone has to register. If I go back to my Azure AD, go to my Properties, everyone has to register. You can see here down the bottom, manage security defaults. If I set it to yes, which I'm not going to do because I have Conditional Access, which is much better, admins would have to use MFA, users would have to do MFA if it's a new device, a new app, or some kind of privileged task. So that's if I'm just running the free, I don't have anything else, and hey, I can do that.

Now additionally you'll see things like self-service password reset. So back over here, if I do Password reset, what I can do here is, hey, if users forget their password, I can set different methods they can use to reset their password. So they can do an app code, an email, a mobile phone, an office phone, security questions. There are built-in security questions, I can add my own security questions, you can pick the ones you want over here. So now rather than the user having to call the help desk, they can just go in and
do this self-service password reset. Also, if I'm P1 or P2, they can actually write that back to their regular Active Directory. So this is all about changing passwords, resetting passwords, unlocking the account. Also, while we're here, we have the idea of blocking simple passwords, so password protection. So once again, if we jump over to Security, what we can actually see within here with the Security option is we have these authentication methods, and I have this password protection. So I can automatically ban silly, easily guessed passwords like "password" and other stuff, but I can also add custom passwords. So for your company you may have certain passwords; maybe if you're in Texas, hey, don't let people use the word "cowboy" in their password, or in my case "Savill". So that would stop people using these, and I can even extend this so they can't be used on-premises AD either. So I have this ability to have this relay agent installed on-premises that the Active Directory domain controllers would then hook into as well, so I can have this protection from these very simple passwords.

Okay, so that's all about the authentication. Remember, proving who I am, having that strong authentication. Now after I have proved who I am, then it gets down to authorization. So you think about the AuthZ: so what can I do? And there's really two layers to this. I can think about this role-based access control, so this is what roles do I have, and there are roles in both Azure and there are roles in Azure AD, and things like Microsoft 365 use these Azure AD roles. Now there are built-in roles for all of these, and I can also add, for both of these, custom roles. So if the built-in roles don't meet my requirements, I can add a custom role. And we always think about giving someone the role that is just enough to do what they want to; don't give them more than what they need. So that's about, hey, what they can do. And then we think about this Conditional Access, and this is really talking about, hey,
you're trying to access a certain app or do a certain thing. I'm going to look at the surroundings of this request and then maybe have certain requirements. Now a detailed knowledge of Conditional Access is way beyond what you need, but if we just looked at it super fast, again I can go over to my Security, we have Conditional Access. Now there are things I can do in here, like terms of use. A terms of use is just a PDF document, and as part of my Conditional Access I can pick one of these documents and make them accept it. So here I can have different language versions, I can see the actual document, and here it is. So they would have to accept this; it's very detailed and very strong wording, obviously, before they'd be allowed to use it. So I can define these terms of use. I can have locations. So a location could be based on particular public IP addresses, maybe like the device that faces the internet for my company that does the network address translation, or it could be based on certain geographic locations, so I can actually pick it based on certain countries, things like that. So I can define these certain locations.

And then what we have is the policy itself. If I just go to my policies, and I'll pick a very simple one here, we can assign it to particular users, particular groups, we can exclude certain people. We could also pick it based on if you have a certain directory role. I could pick it based on if it's a guest. I could target particular applications. I can even target actions, like, hey, I'm registering my security information. So I'm going through that initial security registration of my phone numbers, my MFA, my self-service password reset. When I get a user to do that, maybe I want a more secure environment; maybe they have to be on a hybrid joined machine, maybe they have to be on a corporate network. Or I can target particular applications; these are all of the applications known to my Azure Active Directory. And then I can think about
having conditions. So the user risk, the sign-in risk, this comes from Identity Protection, I need a P2 license. I can target particular platforms: Android, iOS, Windows Phone, and then exclude certain platforms. If I've defined locations, I can use those here. I could target certain client apps, so I've got browser, mobile apps. I could use things like device state; again, this can come from things like Intune. And then I have the controls. So notice here I can have things like, hey, I could block access, for one thing, or I can grant access but make them do an MFA, a stronger authentication. Maybe it has to be marked as compliant by Intune, maybe it has to be hybrid Azure AD joined, it's an approved app, I need app protection policies, I make them change their password. Again, I can use things like, hey, maybe I've detected higher risk from Identity Protection, I'm going to make them do an MFA, or if I require a password change it will make them do an MFA first anyway. Make them accept a certain terms of use document. And there are things like session controls. Session controls could do things like make them sign in at a certain interval. I could have things like, hey, if I'm accessing SharePoint and it's from grandma's machine, they can read stuff, but it's limited: they can't save, they can't write. I can really just control what they can do. So Conditional Access is all about actually controlling those various things once I've done the authentication; now I actually want to go and do something.

So once you move past the authorization, then we get into the idea of, well, the auditing, the governance. These are obviously very critical things that I have to do. Now Azure AD, in terms of an all-up identity lifecycle governance, does not really have that natively. Now what it can do is it can integrate with HR systems. So for example, if I had a Workday system as an example, it can do things like integrate to Azure AD; there's a provisioning service. And even if I'm using Active Directory, when I go and
make those HR requests, there's a special component in Azure AD Connect or Azure AD Cloud Sync that would actually enable those to bounce back onto on-prem and then replicate back up to Azure AD. So I can use that as part of, if I had an existing HR system, I can leverage that. But a big thing you'll do is things like groups. So remember the idea about those dynamic groups; I'll use that. I can build a dynamic group based off the attributes of the user, and then from those groups, those groups have, remember, the apps, the roles, the licenses. So I'm going to focus on that. I can use things like Privileged Identity Management. So PIM gives me the ability to elevate up to a certain role for a finite amount of time, but I can also use it to say, hey, you have this role, but you only have it for three months. So again, PIM can drive the role to make sure it's not left behind; I don't keep things that I really shouldn't have. We have things like access reviews. So an access review is a feature that lets me say, hey, based on maybe this app assignment or this role or this group membership, we're going to review this periodically, and that could be an administrator does the review, it could be someone's delegated to do the review, it could be a self-review: I have to go and check, hey, do I still need this thing. And all of these are P2 features. Remember those terms of use; I can use those for Conditional Access. There's Azure AD Identity Protection to really drive the overall health and protection of the user. But those things can really help govern. Now all of these, remember, are P2: Privileged Identity Management, access reviews, Azure AD Identity Protection. There's also entitlement packages. They let me say, for example, hey, this SharePoint site and this group membership, I can go and request a certain entitlement package, and that's also a P2 feature. We've got to bring all of those various things together. Of course there's logging; I have all of those capabilities. In the interest of time, okay, so that's
really the Azure AD part, the identity part. Well, then we can think about, well, outside of Azure AD, then we have Azure, one of the things I'm super passionate about, and obviously let's think about the governance side of Azure, and that's huge. So we can think about, from a governance perspective, that's the first thing we ever need to do. Now at the root of Azure, there's an Azure AD tenant. Azure subscriptions trust a certain Azure AD tenant, and then I can build a management group hierarchy under this. There's going to be a root management group once I enable them. Now I can have a hierarchy of management groups, and then ultimately what I'll get is subscriptions where I create things. So I'm going to get some subscription, and then inside the subscription I create resource groups, and I can have multiple resource groups, I have lots of subscriptions, and then I actually create resources. And this is really key to the idea of the governance around my environment, because at all of these things, all of these levels, I can have things like role-based access control, so a certain role you have; I can apply things like policy, what you can do; and I can have budgets, what you can spend. So they drive a lot of the behavior.

Now also one of the big things I can do is I can do locking on resources, and you'll see there's different types of lock. So there's something called CanNotDelete, and then there's also a ReadOnly. Now obviously, as the name suggests, if I do a CanNotDelete I can change it, I could change the resource, but I can't delete it. If it's ReadOnly I can't even change it, so I'm locking things exactly in place. And it does inherit, so if I put a lock on a resource group or a sub, it does everything inside it. An important point of these: this is at the management plane, i.e. Azure Resource Manager. It does not impact the data plane. So if this was a storage account, if I did a ReadOnly, I can still change the data
inside there; it's not impacting those behaviors. This is making sure I don't do things on the management plane. So I have all of these great things, and the way we really like to deploy resources, again a good governance thing, is we use an Azure Resource Manager template. So I can define this JSON template that defines all of the resources we have in a very declarative fashion, and then I apply it. So I can change control, version control that thing. So we're going to create things that's immutable; I can rerun it, and because it's declarative, I say what I want it to look like, it just makes sure it matches that description. So that's how we want to deploy things.

And what you'll often hear about is the idea that, hey look, I want to deploy to a subscription in a very standard way, I want to deploy these resources. So what you'll actually hear about is something called a blueprint, and a blueprint is really a collection of things. I can define resource groups, I can define role-based access control, i.e. permissions, I can assign policy, and I can assign ARM templates. And with that, when I do that deployment, it has its own set of locks. It does not use these locks; it uses its own special types of locks. They're basically based on deny assignments. But I can say, well, don't lock; I'm deploying these sets of things, they can do what they want with it afterwards, they can delete them, do anything they want. I can say do not delete; again, they can change the config, they can't get rid of it. Or I can say read only: I'm stamping down this configuration, but you can't change anything about it. So if I had the idea that, hey, I want to be able to lay down to subscriptions a standard set of config, blueprints is going to be the answer, because I can create the resource groups where resources are created, I can assign roles, I can assign policy to set the guardrails around it, then I can actually deploy the resources with an ARM template. And you can really think about that in terms of an Azure resource. If you
ever see the idea that, hey, I want to define guardrails, that's policy. So I can think about, hey, you can only use these regions, I'm only allowed to create this type of account, I must have this tag configured: that's always going to be policy. And I can use that in multiple ways. I can actually use that for both enforcement, i.e. it has to match that, or I can actually use it just for tracking compliance, so I'm not maybe going to lock it down, but I'll know if it's not in that state. So I have all of those different options. And of course role-based access control is this: I have these various permissions.

Now you can absolutely go and create all of these things yourself, but what you'll find is Microsoft has this big push right now about this Cloud Adoption Framework, and what this Cloud Adoption Framework is, it's a set of documentation and guidance and best practices and tools that basically set up these best practice configurations, things for you. And you'll see there's various phases to this. If we actually go and look at this quickly on their site, it really walks through what these key phases are. So you'll see firstly there's a strategy; once you've done the strategy, then you'll have some planning; then you're ready to actually get these things up and running; then you're going to adopt, and adopt includes migration and innovation. And if I actually click on a different link you can see this in a nicer picture. Here we go. So you can see the idea of the life cycle is all about define the strategy, plan, you're ready, and then you adopt, and of course all of these things is the governance and the management, and they're going to help drive all of those different things through this Cloud Adoption Framework. Okay, so that has all of those tooling things as part of it.

Now when I'm thinking about the security and the compliance, we think about the network, the data, all of those different things. There are a number of
key constructs in Azure. So if I'm thinking about network and data, the first thing is obviously we define this virtual network. So we have the idea of a virtual network, and the way we control access, we segment that, is we have the concept of a network security group. A network security group is based around the IP addresses, the ports, and the protocol: so the destination and source IP, the destination and source port, and the protocol, TCP, UDP. So I define these rules, and then say allow or deny, and I create a set of these rules and I apply it to a subnet. I can apply it to a NIC as well; that's not typically done. So I create these rules and it helps me segment. If you think about it, a virtual network has multiple subnets, portions of the IP space, but also things coming in and out of the virtual network, maybe going to other virtual networks that are peered, maybe networks that are connected via ExpressRoute or site-to-site VPN. So that helps me lock it down. You might see something called application security groups. That's really a tag on the network interface that I can use in place of the IP address, so it's an IP address or a tag; there's built-in ones as well.

And then around that I might think about, when I have public IP addresses, I might have distributed denial of service protection, and there's both a Basic and a Standard. Basic gives everyone this real-time mitigation of common attacks; with the Standard I can tune it more through traffic monitoring, through machine learning, I can have custom policies. I can also have things like Azure Firewall. Now Azure Firewall is an appliance that lives inside my virtual network. It's a managed network virtual appliance; it's going to auto-scale based on the amount of traffic, but it has native high availability. I can filter on things like IP address but also fully qualified domain name, so the names of services it's trying to talk to. It can do outbound
source network address translation and so kind of hide the eye internal and do things like dna with fret intelligence if i'm have services i'm offering out to the internet well often i'm gonna have resources and if it's like http https based um or maybe i'm using azure front door you'll see this things like web application firewall so web application firewall provides protection from common exploits there's a core rule set that this is giving me protection from but things like app gateway the content delivery network the azure front door can all hook into this web application firewall it's like a sql injection attack it's going to give me protection from those things now maybe i want to get to resources inside the virtual network and again the point of this is just a high level know what these things do so maybe i've got kind of a virtual machine i want to get to maybe it's rdp if it's windows or ssh it's linux i want to securely get to it send me after a service called the azure bastion and the azure bastian service lets me from the azure portal so i'm in the portal i can see my vm i can hit connect select bastion and it goes by the bastion to give me an rdp or ssh connection to my virtual machine i don't have to worry about opening up firewall ports or configuration or any of those things it gives me access to the resources inside my virtual network or now connected virtual networks so let's think about on the network side and protecting the network network security groups or must have azure firewall again i can do more advanced filtering and fully qualified domain names um offering services out to the internet distributed denial of service protection web application firewalls on things like the app gateway content delivery network front door if i want to be able to get to resources hey bastian gives me a great way to do that now on the data side often we have things like storage accounts and the storage accounts can have blobs and queues and tables and files 
well we think about encryption at rest so we're going to encrypt that and it could be a platform managed key where microsoft store the key and take care of the key and rotate the key or it can be things like a customer managed key so here we use things like key vault and i have a customer managed key that is used for that kind of to protect the data encryption key um also if it was a virtual machine there's things like azure disk encryption that uses things like bitlocker or dm crypt inside the os running inside the vm to do that encryption as well things like sql have transparent data encryption and this kevol is a super powerful construct i can have secrets which is a piece of data that i can write to an extract back out maybe like a password or a token i can have keys so that's saying i generate in there import in there but i can't get it back out but i can perform cryptographic operations inside the key vault using that key and then search certificates which are really just wrapped keys but it can manage the whole kind of life cycle around that now within my azure world there's all these different components and in terms of the security that there's different solutions here but really the big one is going to be kind of this azure security center so the azure security center is this cloud security posture management a cspm it's about knowing about my environment and what i want to improve and so the asc has a number of core things it has a secure score so this is built up by using things like azure policy to go and get compliant state of a number of built-in things it really cares about and lets me know what what should i really be targeting so if we jump over and look at an environment if i actually go let's close some of this stuff down if i just go and look at my security center front and center will see my secure score i have things like different regulatory compliance things i can care about so i can actually manage the compliance policies that i care about 
and i can hey i'll pick my dev subscription i can actually see hey there is all these other ones that i've got azure security benchmark pci dss but i can add more from ones that they have natively but also i just have that basic secure score and this is basically giving me things i should care about so it's going to order them in terms of priority so like enable mfa that's the biggest improvement i could have to my score so it gives me places to start to really help improve my overall security posture so it's giving me the security baseline i can have alerting it has things like a network map to know what's going on in my environment so i can see everything there i can see different security alerts that i have going on in my environment and then we have things like defender so defender has both deep protection and broad protection and we can see right here is there's different types of defender available but on my subscription i can actually turn on azure defender and then it shows me the difference between hey when it's off and i just have the basic azure security center and then when i turn it on i get paid just in time vm access app controls regulatory compliance all these other things and then i have these deep and broad protections so i can turn on protection for app service sql storage kubernetes and then there's broad protections about things like resource manager and dns so i can pick and turn these things on but obviously there's a price i pay for these but i can have things like continuous export out to other solutions and maybe another sim tool so i have these capabilities but because i adjust in time protection is where hey normally the ports are closed to the virtual machine but it's going to turn on when i need it so it adds these various components so for all of my azure services i can send data through these various solutions now the next solution you'll commonly see is yes we think about azure security center and azure security center is all about 
hey what is my kind of compliance so it's going to tell me hey what is my compliance state it's going to tell me things like hey i want to do my protection within here and then you'll hear about something called sentinel and sentinel is built on a log analytics workspace so we underneath sentinels log analytics workspace that essentially has connectors now those connectors can be to a whole number of different things they could be to azure ad to microsoft 365 again azure resources can send into this thing and what sentinel then adds on top of that is getting the logs from things on its own is pretty useless i'm going to get a deluge of different data so what azure central adds is things like yes it's got the logging it adds all these different types of connectors then it adds things like machine learning on top of the logs to actually give me analysis so it's kind of a sim solution a security incident and event management solution i can also orchestrate an automated response to a source solution and so what that's going to give me is the ability to actually respond and recover and if you think about this is generating alerts or it can send them into here so then sentinel can build on that so if i jump over again super quickly and if i now search for sentinel we can see i've got a basic central workspace and and really it gives me the ability to go and hunt i can run queries for various types of things to find various types of attack based on the logs in that log analytics workspace i can look at the different incidents um i can see an overall kind of health status of my environment any malicious events that are happening so it's looking at the logs and then drawing like good conclusions out of them then we have these kind of data connectors and we have this ability to connect to all these different types of systems including azure id azure d identity protection but also we'll see things like hey look microsoft 365. um defender office 365. 
so we can take all of those and build it in to let sentinel actually give us protection for all those different types of things and so when we talk about microsoft 365 so let's move on to that so that's kind of that last piece is kind of the microsoft 365. now the biggest initial piece we think about from the protection is defender and there's really four different parts of defender you'll see there's defender for identity now this is really taking what was kind of the azure advanced threat protection the azure atp and now it's this defender for identity so what this is looking at is essentially my on-premises active directory domain controllers is getting signals from those sending them up to the cloud and then detecting attacks and threats on my on-prem domain controllers so this kind of would sit side by side with things like identity protection as looking at my azure aed health state okay so just then my whole setup crashed i guess you're telling me to hurry up you're taking too long recording this uh so anyway so after the identity piece which is really all about the on-premises domain controllers um the next piece of that is the end point now if we think about there's already kind of defender just regular anti-malware protection so what this does is this adds additional detection and prevention looking at things like what's the entry point for an attack and what happened it went from this user to that user gives me that whole forensic analysis capability of that this used to be defender atp but it's really about getting that complete tracking and that's for windows android linux mac os then there's kind of uh cloud app security this is a casper cloud app security broker solution this enables me to really track what are the applications being spoken to from my corporation it helps me track things like kind of bring your own i.t department where people are using applications that i as a company have maybe not authorized so this can be all about discovery and 
also if i do things like i manage the integration with conditional access for example if i have proxies i can then actually control how they can use those various services as well like if i suddenly see someone copying a whole bunch of documents like data exfiltration i can actually stop them and then there's kind of the defender for office 365. and you may have seen the idea where you get kind of the the safe attachments that the safe links gives me anti-phishing protection and for collaboration like onedrive and sharepoint and teams there's different levels of functionality but it's really all about giving me that ability to protect my users that are using office 365 again for those detonation chambers how get an attachment you can go and put it in this isolated chamber run it make sure it's not doing something bad tracking all those links now we do always think about layers that hold defense in depth so i can think about from a layer perspective obviously there's kind of the identity i can think about there's the device and there's the data obviously the identity we talked about with the azure id or the elements of that so i already want to focus on kind of the data behind my office my microsoft 365 my office 365 and then the device now we saw the idea within azure there is security center so for microsoft 365 there is also a security center and just like with azure it has a number of different elements it has its own kind of secure score which again gives me the points where things i should focus on to have the most impact the most bang for the buck so to speak where i should prioritize but there's all kind of reporting and incidents and kind of much more so if we jump over let's take a look at this so here kind of this is our new starting point for the the microsoft 365. 
and we can see it guides us through we have this whole wizard we could walk through but it showed me things like hey look here's my secure score uh 35.6 which is obviously terrible but i can see it historically i can see well what's changed around that secure score i could actually look at things well how can i improve my score and notice again it's showing me hey what's the score impact and again mfa you'll see some common things both azure and microsoft 365 obviously use azure ad so the identity things will be common but then they'll branch off azure we'll talk about things like networks and appliances office we'll talk about hey look i can do cloud app security customer lock box other types of things so i can look at this to very quickly get an idea of what do i care about then also from this kind of microsoft 365 security center i can see hey look are there any particular incidents and that maybe i i care about through my environment i can see hey if there's alerts and again we can turn on the microsoft 365 defender we have kind of threat analytics search centers and then you'll see a whole bunch of other things like auditing reporting health uh various different aspects which we'll actually come back to in a little bit but before we really dive into that level of detail i do want to pivot back quickly to kind of the device area now on an on-premises world we had active directory we have group policy we might have system center configuration manager there's patching and app and inventory in a modern work place environment we think about azure ad joined well there's no group policy so what we kind of come off of from here is we have intune now intune does a number of different things i can think about well i have policy i can get health status i can drive many other aspects of this now this is across many many different platforms i can think about well windows is an obvious one but i also have things like well mac os i can think about um android and kind of ios 
and stash the ipad os so really it's about the end client device this is not for servers this is about the client end device and there's really two kind of modes in which intune uh can work now there's many more aspects to it but from what we care about i have these devices and i can think about m d m and the key point here is device if i can spell so mobile device management so this means i'm basically enrolling the device so that means what intune can do is anything about that whole device i can think about doing configuration of the device i can do policy of the device i can push certificates to the device vpn configurations i am enrolling the device so this is going to be typically for kind of corporate assets where it's okay that as a company i'm doing that complete management then the other one is mam and the key point here is application so i'm not enrolling the device in this this is just particular apps and typically based on hey they go and talk to a corporate source i can then push just an app policy so now i'm thinking app policy i can't enforce things at the entire device level but when they launch the app that connects to a corporate data source thinking like the outlook client talking to exchange online then i can say hey you're talking to a corporate mailbox then you have to have this policy maybe i have to do a pin when i actually type in the enterprise apps are in their own little sandbox so this is kind of my device not my corporation's device as a corporation i can wipe the corporate managed applications but i can't wipe the entire device which i could do in this kind of mdm world so there's kind of an important distinction between those mobile device management mobile application management again corporate device probably my personal device we talked about these policies and these policies can have things like requirements and like maybe they're not jailbroken if it's a mobile device anti-virus versions various other types of things i can have 
security baselines if it's a windows 10 device so think about intune as the policy engine that's typically going to go with azure active directory there is no group policy this is how i can also push things like applications both custom and from kind of the marketplace i can do those things so i did want to just kind of touch on that kind of important point now if we talk about the security center well then we kind of think about okay great that's security then we start caring about compliance and so just as you would expect there is a sort of compliance center as well so if we jump over to here now once again we can see there's well we have this kind of compliance manager solution this is a end to end solution to actually let me track my overall compliance for microsoft 365. you can see once again there's kind of a compliance score i can see where i'm getting the various points about things that i care about once again i can go and assign and track dates to where it should be done by who should be doing it i have kind of that complete control of all those different things in addition we do have kind of if we do a show all there's a whole bunch of kind of different solutions auditing content search data loss prevention data subject e-discovery and i'm going to kind of talk through these various aspects but a key point of kind of this compliance center you can see hey look at the compliance manager look at the catalog to start identifying risk and again if i go into that compliance manager it's going to show me that hey things i'm responsible for which i'm doing a terrible job and the things microsoft are managing good job on them they've done everything just making me look bad and the things i should really try and focus around to be successful now you're seeing here we have kind of auditing now the whole point here is in this auditing i can go in and actually search for various types of things i can see all these different types of activities that are available to 
me i could ping for certain users on certain data start end times and actually perform that search now there's also kind of audit retention policies so i could create a policy based around well a duration so actually up to 10 years and for what types of data so i do have controls around exactly what i care about now when i perform a search of this audit it is important to note not everything is going to show up straight away some things take 30 minutes some things can take up to a day we can actually drill down and we can see in the documentation it does distinguish hey things that take 30 minutes and things that take 24 hours we can kind of see that here so if you are interested the documentation does go through hey based on the source how long will it actually take to be able to actually search so that's kind of just the the regular auditing i can do from this again there's this advanced auditing as well that i can do for forensic for compliance investigations and again we kind of get one year for the exchange sharepoint azure id but it is going to 10 years with some additional licensing now the next part is that the data so remember we talked about so that's overall compliance that's kind of great we have a solution there and we had this whole idea of the data so in tune does the device the identity we kind of know that's all those kind of azure ad things well then we have the data now for the data there's many different aspects to this but often we we may not know what data we have so there's often this idea of well we have to classify the data and then once we classify the data we can kind of protect now protect can mean many different things protect can mean things like encrypt it can be things like data loss prevention this could be stopping me doing sync with it it could be watermarking it but i can based on those encryptions i can drive certain types of policy and again this all comes from kind of that compliance page so if we go back over here notice we 
have under the solutions if i actually just go home for a second we have data classification now there's different types of classification i can think about classification in terms of sensitive information types so pii credit card numbers social security numbers driving licenses there's a whole number of those built in so that's one way to classify data is sensitive information because there's a huge number these are built on looking for certain words looking for certain combinations of characters then there are trainable classifiers so once again there's a number of them built in things like i'm looking for resumes looking for source code looking for harassment looking for profanity looking for threats or i can create my own i can create trainable classifiers based on what i care about now with these sensitive labels i can assign a label to documents and then once i have those kind of classifications done well i can do things about protecting it you'll see things like data loss prevention so i can do things around encryption i can do things around rights management that data loss protection so i can have things like restricting ability to share i can have things like adding a watermark additionally there is also the aspect maybe hey look as there's the classification that drives protection but i might also drive retention i need to keep my data so here i might have things like well do not delete i have to keep it for a certain amount of time or maybe it's the opposite maybe it is delete get rid of this after a certain amount of time sometimes they can be um equally important to the overall solution now a lot of these can actually be built around the idea of i have this kind of e-discovery mixing cases there well hey look i need to find so i have to find the content and then i i'm doing something with it um maybe it's exporting it out maybe it's doing an investigation around it but then there's some kind of action from that e-discovery and there's actually three 
different solutions that we have as part of microsoft 365 says very basic content search then there's a more advanced core e-discovery now the core e discovery is built around the idea of well i can create a case and then from the case i can do things like a hold on the data to make sure someone doesn't delete it then i can search and i can export then there's an advanced ediscovery and that really builds on the idea so if this one is all about hey i have a case and from the case i can do a search hold and there may be an export this builds on that and adds things like data custodians much richer sets of investigation so if we jump back over if we go and look at content search you'll see we actually dive into well hey this is just the ability to do this this kind of basic search i can type in data and i can go and find stuff but then we have this e discovery down here which is this richer set of capability so we have the quarry discovery so we create the case and then once we create the case then i can actually go and hold data search here and optionally export or we have the advanced so if the advanced ediscovery once again i would now go and create a case but then i would actually go and add to this data custodians for example they're the people of interest maybe they own a mailbox maybe they own a sharepoint site i can then say i want to preserve the data collect the data pre-pro press pre process the data a review then export now when i add custodians to this it will actually try and find data they own so we'll go and find their mailboxes and it will find their one drive or i can add additional things like sharepoint sites and microsoft teams etc so we have these kind of three core tools um actually available to us and for all of these things uh it can actually take up to 24 hours so if i think about all of these holds that hold can take 24 hours to actually take effect and there's various roles as like e-discovery managers to manage and create cases there's 
powershell scripts for more advanced searches so there's all these various different things so this is all around the the data so again identity azure id the device in tune and i can use that things like conditional access can check on that health data classify it so i know what i have most companies don't know what they have then i could protect it which is encryption i might do dlp maybe there's things around retention i want to be able to find the data i care about and then finally from a maybe a compliance perspective and more there's other things we care about so i want to think about insider risk management so inside of risk management is a solution that's really all about malicious people internally i want to be able to detect the risk i want to be able to act on those risky malicious actions for example they're trying to share data or get a whole bunch of data so i can have policies based on a template that i can have triggered and when they trigger based on those things i've defined it will create an alert it's based on the conditions it generates an alert and then that could be triarched i alerts that have to be reviewed then i can investigate and then perform some action it could be a notification it could be more so this is about so again you have to know the solution and what it's there for insider risk management is about helping detect and prevent malicious actions for insider people then i can think about well communication compliance so this is all about the idea that i have acceptable communication policies in my company um maybe on teams for example on email so this is all about communication compliance is saying look i'm going to put in policies maybe no profanity how we treat each other and so now if people go around those policies i could tag the message i could notify users i can monitor the overall compliance so this is really about hey the communications going on i have standards for my company about how my employees should treat each other 
i can detect that so tag the messages notify users actually halt those types of communications then we have information barrier so as the name really suggests that this could be the idea that i have different groups of users in my company and they shouldn't talk for example on teams they shouldn't chat with those people or share files with those people so i can really think about this this can be across things like teams sharepoint um and onedrive so with this solution i can say look these groups of people maybe for legal reasons compliance whatever that might be i don't want them to communicate directly so if i see a question hey you need to stop these groups in the company being able to communicate on teams or share documents well that's going to be the information barrier solution now i mentioned pim for azure id produced identity management so microsoft 365 has pam so privileged access management so if you think about pim is all about giving me a role for a certain amount of time just enough pam is actually a lower level it's a task so pam is about giving me a certain task at a certain scope as i request it and there's a full ability to have permissions and authorization as part of that but it lets me get just this smaller set of capabilities so as a user i can request say hey i need this particular task and it can be granted to me so it's really a lower level than pim and then there's kind of customer lock box and this is all about really a microsoft help desk engineer type person so i raise a call with microsoft they need to access my service to help me they put in a request the manager at microsoft has to approve it then it goes to you as the customer to approve to let them get access to your service there's a whole flow around this if i actually open up the site we can actually see hey in office 365. 
so obviously this is your data you care about this it talks about the flow so hey look you've got issues with your mailbox you open up a ticket the sport engineer wants to see it so they raised by a customer lock box hey i want to access this their manager has to approve it and then you as the customer sign in and then you approve it and then they the engineer can go and do that work and you can actually track remember all actions are in the audit logs you can actually go and review exactly what they did so this is giving you kind of full access as the customer what are they doing within my subscription what do we cover i mean a massive amount of stuff obviously the key point here is you do not need to know details about any of this stuff you need to understand hey look what are kind of the key concepts about defense in depth what are the key types of threat are they attacking data they are attacking the identity and they are attacking our ability to do business what does zero trust mean what are the kind of shared responsibilities we have over the types of service do we focus on what is the type of encryption hey look if i want to send someone a protected message what do i need well i would need their public key hey if i want to digitally sign a message well then i need my private key and then they would need my public key to be able to the key point is your private key never leaves you there's no scenario you give that to someone else symmetric and asymmetric what are the six privacy principles you need to understand what they are the whole trust that service trust portal is going to be your go-to place and from there we can get to all different types of data so go and look around that azure id is used by azure and microsoft 365. 
we think about the administration the authentication authentication always happens first who i am proving that authorization what i can do audit well what did you do i track those things we think modern authentication and really mfa is all about giving me a strong authentication that's what we want to do so i think about hey mfa i can do a phone call a text message i can use stronger better things like tokens and the app or i could password this completely important to understand the types of objects we have in azure id if someone i'm collaborating with hey as a company i want to collaborate with this person it's going to be a guest at b2b if i'm writing an app for consumers i'm going to use b2c if i have an application it's going to have a service principle if it's an azure resource that i want to be able to use other things i can have a managed identity assigned in dynamic groups very powerful it helps me do a lot of life cycle because based on the group membership i can assign apps and licenses and roles my devices can join or be registered or be hybrid so lots of different things there um we talk about authorization is things like role-based access control there are roles in azure and azure ad and then we have conditional access on the identity side things like produce identity management for just in time access to a role access reviews to track what you have do you still need that app for that group membership or that role can be self someone could be delegated identity protection to detect risk to drive things like mfa registration and i can use identity protection as part of conditional access to detect risky sign-ins or risky users and then you kind of move on to the actual then azure overall governance these different levels we have policy budgets are back blueprints can stamp down configurations cloud adoption framework is kind of this pre package which has various phases to it the network different layers of protection the network encryption of the data 
security center sentinel and then microsoft 365 the types of defender what i do with the device i manage that with intune involve the device mdm or just the app mam classify the data we have those trainable things to if it's sensitive data um other types of data we want to know once we classify it i can encrypt it i can do data loss prevention on it i can use retention rules i can use e-discovery in different modes to go and find things and various compliance solutions so we covered a huge amount again it's just breadth you don't need to know the detail of any of these things but you should just know um hey remember it's multiple choice they're going to give you a list of solutions you just have to know which one is the right solution or they're going to tell you a solution you have to know what it does there's nothing complicated about the naming if you just look at like compliance they're not trying to trick you there's no one at microsoft that wants you to have some what does this do the logical names if i see a question hey i want to restrict communication between these groups of people well it sounds like a barrier so pick the one that sounds most like it i remember things like service trust that's where i'm going to go to find out about audit reports all those other things so just think of it logically always attempt every question there's no such thing as losing points for getting it wrong often some of the answers it says is it made of cheese and is that why it's definitely not cheese you can eliminate some obviously wrong questions but just give it your best and again don't panic over things it's just an exam if you don't pass the first time you'll get a score report that will kind of tell you where you're weaker you can then go and redouble your efforts focus on those and you'll get it next time um so that was it i really hope this was useful again please like subscribe comment and share and good luck you
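The transcript describes network security groups as prioritized allow/deny rules over source, destination port and protocol, applied to a subnet and optionally a NIC. The following is an added example for this page, not code from the video or from Microsoft: a small Python model of that inbound evaluation, including Azure's three default inbound rules, so the ordering behaviour can be checked offline. It assumes 10.0.0.0/16 as the VirtualNetwork address space, treats any address outside it as the Internet tag, and uses "asg:<name>" to stand for an application security group on the sending NIC; all rule names and flows are constructed.

```python
"""Simplified model of inbound NSG rule evaluation (added example, not the
video's or Microsoft's code).

Rules match on source, destination port and protocol, are evaluated lowest
priority number first, first match wins, and the subnet NSG and NIC NSG must
both allow a flow.  Assumptions: 10.0.0.0/16 stands in for the VirtualNetwork
service tag, anything outside it for the Internet tag, and "asg:<name>" marks
an application security group attached to the source NIC.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")          # assumed VNet address space
AZURE_LB = ip_address("168.63.129.16")    # Azure load balancer probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules 100-4096; lower number is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, "*", "Internet", "VirtualNetwork", "AzureLoadBalancer" or "asg:<name>"
    dest_ports: str   # "*", "3389", "80-443" or a comma-separated list


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    protocol: str
    src_asgs: frozenset = frozenset()   # ASG tags on the sending NIC, if any


# Azure's default inbound rules: same names and priorities as the platform's.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _source_matches(spec: str, flow: Flow) -> bool:
    ip = ip_address(flow.src_ip)
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return spec[4:] in flow.src_asgs
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB
    if spec == "Internet":
        return ip not in VNET and ip != AZURE_LB   # assumption, see module docstring
    return ip in ip_network(spec, strict=False)


def evaluate_inbound(rules, flow: Flow):
    """Return (access, rule_name) for the first matching rule, defaults included."""
    for rule in sorted((*rules, *DEFAULT_INBOUND), key=lambda r: r.priority):
        if rule.protocol not in ("*", flow.protocol):
            continue
        if not _source_matches(rule.source, flow) or not _port_matches(rule.dest_ports, flow.dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "DenyAllInBound"   # unreachable: DenyAllInBound matches everything


def allowed_inbound(subnet_rules, nic_rules, flow: Flow) -> bool:
    """A flow must pass the subnet NSG and then the NIC NSG, when one is attached."""
    if evaluate_inbound(subnet_rules, flow)[0] != "Allow":
        return False
    return nic_rules is None or evaluate_inbound(nic_rules, flow)[0] == "Allow"


# Constructed rule set for a web subnet.
WEB_SUBNET_RULES = [
    Rule("Deny-RDP-From-Internet", 100, "Deny", "Tcp", "Internet", "3389"),
    Rule("Allow-Web-From-Internet", 200, "Allow", "Tcp", "Internet", "80,443"),
    Rule("Allow-SSH-From-Jumphosts", 300, "Allow", "Tcp", "asg:jumphosts", "22"),
    # Shadowed for Internet sources by the priority-100 deny: the number decides, not list position.
    Rule("Allow-RDP-Anywhere", 500, "Allow", "Tcp", "*", "3389"),
]

if __name__ == "__main__":
    for flow in (Flow("203.0.113.5", 3389, "Tcp"), Flow("203.0.113.5", 443, "Tcp"),
                 Flow("10.0.2.9", 22, "Tcp"), Flow("10.0.1.4", 22, "Tcp", frozenset({"jumphosts"}))):
        print(flow.src_ip, flow.dst_port, flow.protocol, "->", evaluate_inbound(WEB_SUBNET_RULES, flow))
```

Two things the model makes visible that are easy to miss when reading rules in the portal: a deny at a lower number silently shadows a broader allow at a higher number, and the default AllowVnetInBound rule means any VNet-internal source reaches any port unless you add an explicit deny above priority 65000.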
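The transcript says Sentinel's value is hunting across the logs in the Log Analytics workspace and drawing conclusions from them, with Azure AD sign-ins as one connector. The following is an added example for this page, not code from the video or from Microsoft: the logic of one common hunt, a password spray from a single IP that ends in a successful sign-in, written in plain Python over constructed records so it runs offline. It assumes the Azure AD SigninLogs field names TimeGenerated, UserPrincipalName, IPAddress and ResultType, with ResultType "0" meaning success and "50126" meaning a bad username or password; the records, addresses and user names are constructed, not real telemetry.

```python
"""Hunting over sign-in logs: password spray followed by a successful sign-in
(added example, not the video's or Microsoft's code).

Does in plain Python what a Sentinel hunting query over the Azure AD
SigninLogs table would do.  Assumptions: records carry the SigninLogs fields
TimeGenerated, UserPrincipalName, IPAddress and ResultType, where "0" is a
successful sign-in and "50126" is a bad username/password.  The sample
records are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, user, ip, result):
    return {"TimeGenerated": ts, "UserPrincipalName": user, "IPAddress": ip, "ResultType": result}


SAMPLE_SIGNIN_LOGS = [
    # 203.0.113.7 tries six accounts, then gets into frank's: the pattern we hunt for.
    _rec("2021-02-16T08:00:05Z", "alice@contoso.example", "203.0.113.7", "50126"),
    _rec("2021-02-16T08:00:21Z", "bob@contoso.example", "203.0.113.7", "50126"),
    _rec("2021-02-16T08:00:40Z", "carol@contoso.example", "203.0.113.7", "50126"),
    _rec("2021-02-16T08:01:02Z", "dave@contoso.example", "203.0.113.7", "50126"),
    _rec("2021-02-16T08:01:19Z", "erin@contoso.example", "203.0.113.7", "50126"),
    _rec("2021-02-16T08:01:35Z", "frank@contoso.example", "203.0.113.7", "50126"),
    _rec("2021-02-16T08:02:10Z", "frank@contoso.example", "203.0.113.7", "0"),
    # Same IP hours later: the earlier failures fall outside the window, so no finding.
    _rec("2021-02-16T12:30:00Z", "grace@contoso.example", "203.0.113.7", "0"),
    # 198.51.100.4: one typo then success, the normal case.
    _rec("2021-02-16T08:05:00Z", "alice@contoso.example", "198.51.100.4", "50126"),
    _rec("2021-02-16T08:05:30Z", "alice@contoso.example", "198.51.100.4", "0"),
    # 192.0.2.77: a spray that never succeeds; a separate, lower-severity hunt.
    _rec("2021-02-16T09:00:00Z", "alice@contoso.example", "192.0.2.77", "50126"),
    _rec("2021-02-16T09:00:10Z", "bob@contoso.example", "192.0.2.77", "50126"),
    _rec("2021-02-16T09:00:20Z", "carol@contoso.example", "192.0.2.77", "50126"),
    _rec("2021-02-16T09:00:30Z", "dave@contoso.example", "192.0.2.77", "50126"),
    _rec("2021-02-16T09:00:40Z", "erin@contoso.example", "192.0.2.77", "50126"),
]


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_spray_then_success(records, window=timedelta(hours=1), min_failures=5, min_users=3):
    """Flag each successful sign-in whose source IP produced at least
    `min_failures` failures against at least `min_users` distinct accounts
    in the preceding `window`.  Returns a list of finding dicts."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["IPAddress"]].append(
            (_parse_time(r["TimeGenerated"]), r["UserPrincipalName"], r["ResultType"]))
    findings = []
    for ip, events in by_ip.items():
        events.sort()   # chronological; the tuple's datetime is the primary key
        for i, (t_ok, user, result) in enumerate(events):
            if result != "0":
                continue
            failures = [(t, u) for t, u, res in events[:i] if res != "0" and t_ok - t <= window]
            targeted = {u for _, u in failures}
            if len(failures) >= min_failures and len(targeted) >= min_users:
                findings.append({
                    "IPAddress": ip,
                    "CompromisedUser": user,
                    "SuccessAt": t_ok.isoformat(),
                    "Failures": len(failures),
                    "TargetedUsers": len(targeted),
                })
    return findings


if __name__ == "__main__":
    for finding in find_spray_then_success(SAMPLE_SIGNIN_LOGS):
        print(finding)
```

The thresholds are the tuning knobs a hunt query exposes: raising `min_failures` above what the spraying IP produced makes the finding disappear, which is exactly the trade-off between noise and missed detections the transcript alludes to when it says raw logs alone are a deluge. In a real workspace the same grouping-by-IP, window and threshold logic is expressed in KQL against SigninLogs rather than in Python.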
Info
Channel: John Savill's Technical Training
Views: 55,229
Keywords: azure, azure cloud, sc-900, microsoft security, compliance, fundamentals, study, SC900, microsoft 365, azure ad, azure security center, study guide, exam cram
Id: Bz-8jM3jg-8
Length: 124min 36sec (7476 seconds)
Published: Tue Feb 16 2021