Welcome to
AZ-500: Microsoft Azure Security Technologies
Cloud Week Day 1
© Copyright Microsoft Corporation. All rights reserved.
AZ-500: Microsoft Azure Security Technologies Cloud Week Day 1 Agenda
Module No. 1 (Day 1): Manage Identity and Access
Lessons:
• Manage identities in Microsoft Entra ID
• Manage authentication by using Microsoft Entra ID
• Manage authorization by using Microsoft Entra ID
• Manage application access in Microsoft Entra ID
• Azure AD Privileged Identity Management
• Hybrid Identity
Lab: Role-Based Access Control
Lab: Azure Policy
Lab: Resource Manager Locks
AZ-500T00A:
Microsoft Azure Security
Technologies
Learning Path: Manage identity and access
       Manage identities in Microsoft Entra ID
       Manage authentication by using Microsoft Entra ID
       Manage authorization by using Microsoft Entra ID
       Manage application access in Microsoft Entra ID
       Module Lab
Learning Objectives
After completing this learning path, you will be able to:
1  Effectively manage identities using Microsoft Entra ID to ensure secure access and identity governance.
2  Manage authentication processes effectively using Microsoft Entra ID to secure user access and verify identities.
3  Implement and manage authorization settings using Microsoft Entra ID to control access rights and permissions securely.
4  Manage and secure application access effectively using Microsoft Entra ID to ensure proper authorization and user authentication.
Manage identities in Microsoft
Entra ID
    Microsoft Entra ID
•   Microsoft Entra ID enables access to both
    external (e.g., Microsoft 365, Azure) and
    internal resources, offering role-based
    benefits for IT admins and app
    developers.
•   Offers free and paid licenses (P1, P2)
    that enhance security and access
    management and support hybrid user
    access with advanced administration features.
•   Supports a wide range of features
    including application management,
    authentication, B2B/B2C interactions,
    Conditional Access, and identity
    protection.
    Microsoft Entra ID – users
•   Microsoft Entra ID supports creating
    internal members, internal guests,
    external members, and external guests,
    each with specific access levels.
•   Authentication methods differ:
    internal users manage passwords
    within the tenant, while external users
    rely on their home tenant or self-
    setup.
•   External member access is
    authenticated via federation, and
    password management is handled by
    their home tenant's administrators.
 Microsoft Entra ID – Types of users
Type               Definition
Internal member    These users are most likely full-time employees in your organization.
Internal guest     These users have an account in your tenant but have guest-level privileges. It's possible they were created within your tenant prior to the availability of B2B collaboration.
External member    These users authenticate using an external account but have member access to your tenant. Note: These types of users are common in multitenant organizations.
External guest     These users are true guests of your tenant who authenticate using an external method and who have guest-level privileges.
Microsoft Entra ID – Create a new user
                  Sign in to the Microsoft Entra admin center as at least a User Administrator.
   Microsoft Entra ID groups
• Microsoft Entra ID manages
  access with groups for
  applications, data, and tasks.
• Groups cater to both internal
  and external resources, with
  various management options.
• Access assignment includes
  direct, group, and rule-based
  methods, plus dynamic
  memberships.
 How access management in Microsoft Entra ID works
• Microsoft Entra ID facilitates
  access rights assignment to
  individual users or entire groups.
• Groups allow for bulk
  permission assignments
  by resource or directory
  owners.
• Management rights can be
  delegated for adding or
  removing group members.
  Ways to assign access rights
• Direct assignment allows
  resource owners to assign
  users individually to resources.
• Group assignment grants
  access to all members of a
  Microsoft Entra group, with
  managed membership.
• Rule-based and external
  authority assignments utilize
  user attributes and external
  sources for access control.
  Microsoft Entra External ID
• Entra External ID allows secure
  interactions with external
  identities for resource access.
• Includes B2B
  collaboration/direct
  connect, Azure AD B2C,
  and cross-tenant sync.
• Managed in Azure, supports
  self-sign-up, and customizable
  access/collaboration settings.
Recommend when to use external identities
• Microsoft Entra ID B2B collaboration users are
  added as guest users to the directory, and
  guest permissions in the directory are
  restricted by default.
• Your business may need some guest users to
  fill higher-privilege roles in your organization.
• To support defining higher-privilege roles,
  guest users can be added to any roles you
  desire, based on your organization's needs.
Secure external identities
Implement Microsoft Entra ID identity protection
• Automate the detection and remediation of identity-based risks
• Investigate risks using data in the portal
• Export risk detection data to third-party utilities for further analysis
Manage authentication by
using Microsoft Entra ID
  Microsoft Entra connect
• Microsoft Entra Connect: On-
  premises application for hybrid
  identity goals; consider cloud-
  managed solution Microsoft
  Entra Cloud Sync.
• Features: Password hash
  sync, pass-through auth,
  federation integration,
  synchronization, health
  monitoring.
• Microsoft Entra Connect Health:
  Robust monitoring for on-premises
  identity infrastructure, ensuring
  reliability for accessing Microsoft
  365 and Online Services.
  Microsoft Entra cloud sync
• Microsoft Entra Cloud Sync: Hybrid
  identity solution, synchronizes
  users, groups, and contacts to
  Microsoft Entra ID.
• Benefits: Supports multi-forest
  environments, simplified
  installation, multiple agents for
  high availability.
• Different from Entra Connect
  Sync: Orchestration in Online
  Services, lightweight agent
  deployment, configuration
  stored in Entra ID.
    Authentication options
•   Password Hash Synchronization:
     • Minimal effort, seamless sign-in.
     • Ensures business continuity.
     • Considerations for on-premises
        account states.
•   Pass-through Authentication:
     • Lightweight agent deployment.
     • Enhanced user experience, enforced
         policies.
     • Backup authentication method
         recommended.
•   Federated Authentication:
      • Requires external system, complex.
      • Flexible user experience, advanced
        scenarios.
      • High investment, single identity
        provider.
  Password hash synchronization with Microsoft Entra ID
• Password hash synchronization
  simplifies sign-in for hybrid
  identity.
• Benefits include improved
  productivity, reduced
  helpdesk costs, and leaked
  credential detection.
• It requires setup with
  Microsoft Entra Connect
  and configuration of
  directory synchronization.
    Pass-through authentication
•   Password hash synchronization: Hybrid identity sign-in method.
•   Reduces passwords, boosts productivity, cuts helpdesk costs.
•   Enables leaked credential detection, integrates with AD FS.
  Federation with Microsoft Entra ID
• Federation: Trust between
  domains for authentication
  and authorization, vital for
  shared resource access
  across organizations.
• Federate on-premises with
  Microsoft Entra ID for robust
  access control, ensuring all
  authentication happens locally.
• Microsoft Entra Connect
  facilitates federation setup with
  AD FS, allowing seamless sign-in
  to Entra ID services without
  password re-entry.
    Microsoft Entra authentication
•   Microsoft Entra ID enhances security through
    multifactor authentication, passwordless sign-
    in, and self-service password reset.
•   Hybrid integration ensures password
    changes and protection policies are
    applied both on-premises and in the cloud.
•   Aims to reduce help desk calls and improve
    user experience by enabling users to
    manage their credentials independently.
Implement multi-factor authentication (MFA)
Perform the following tasks to implement MFA:
    Passwordless authentication options for Microsoft Entra ID
•   MFA enhances security; passwordless options reduce user frustration.
•   Microsoft Azure offers four passwordless methods: Hello, Authenticator, FIDO2 keys, Certificate-based authentication.
•   Each method provides seamless, secure access without traditional passwords.
 Implement passwordless authentication
• Microsoft offers passwordless
  options: Authenticator, Hello,
  FIDO2 keys, Certificate-based
  authentication.
• Passwordless methods
  enhance security, mitigate
  password attack risks.
• Deployment includes
  planning, pilot, user
  registration, and managing
  through Microsoft Entra
  admin center.
Implement password protection
The on-premises Microsoft Entra ID Password Protection components work as follows:
    Single sign-on
•   SSO allows one set of credentials
    for multiple systems, simplifying
    user access across applications.
•   Options for SSO include
    federation protocols, password-
    based, linked-based, or disabling
    SSO based on application needs.
•   Planning SSO deployment is
    crucial, considering application
    hosting and access requirements
    for seamless integration.
  Implement single sign-on (SSO)
Implementing single sign-on (SSO) in Microsoft Entra ID entails:
Integrate single sign-on and identity providers
Introduction to Microsoft Entra Verified ID
Microsoft Entra Verified ID is a part of the Entra suite of identity and access management
solutions. It's focused on establishing and managing decentralized identities.
Configure Microsoft Entra Verified ID verifier
Complete the following steps to present and verify your Microsoft Entra Verified ID for a sample
application:
Recommend and enforce modern authentication protocols
Microsoft recommends the following passwordless authentication protocols.
Method                         Security   Usability   Availability   Primary authentication   Secondary authentication
Windows Hello for Business     High       High        High           Yes                      MFA*
Microsoft Authenticator app    High       High        High           Yes                      MFA and SSPR
FIDO2 security key             High       High        High           Yes                      MFA
* Windows Hello for Business can serve as a step-up MFA credential by being used in FIDO2 authentication.
Manage authorization by
using Microsoft Entra ID
 Azure management groups
• Management groups organize Azure subscriptions for scalable governance and policy compliance.
• Policies applied at management group level cascade to all subscriptions and resources within.
• Supports up to 10,000 groups, six levels deep hierarchy, ensuring centralized access and policy management.
  Configure Azure role permissions for management groups,
  subscriptions, resource groups, and resources
To configure Azure role permissions, you have the following options:
• Azure management groups organize subscriptions for centralized governance and automatic policy inheritance.
• Management groups can be renamed or deleted via portal, PowerShell, or Azure CLI with specific permissions.
• Subscriptions inherit access and policies when moved to a management group; audit with Azure Activity Log.
Azure role-based access control
• Azure RBAC controls access to resources
  through role assignments based on security
  principal, role definition, and scope.
• Supports fine-grained access
  management, allowing specific
  permissions for users, groups, service
  principals, or managed identities.
• Role assignments and deny
  assignments determine access,
  globally stored to ensure resource
  accessibility regardless of region.
    Azure built-in roles
General
Built-in role                              Description
Contributor                                Grants full access to manage all resources but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Owner                                      Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Reader                                     View all resources but does not allow you to make any changes.
Role Based Access Control Administrator    Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.
User Access Administrator                  Enables you to manage user access to Azure resources.
•   Azure RBAC provides built-in roles for users, groups, and identities.
•   Role assignments manage access to Azure resources.
•   Custom roles cater to specific organizational requirements if built-in roles are insufficient.
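The RBAC slides above describe access as the product of security principal, role definition and scope, with deny assignments overriding grants. The following Python model is an added example, not course material or Azure's own code; it simplifies evaluation to direct principals and string-prefix scope inheritance (group membership and the management-group hierarchy are not modelled), the Contributor definition is abbreviated, and all names and the subscription ID are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Abbreviated copies of three built-in role definitions. Contributor's
# NotActions are what stop it from assigning roles, as the table states.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # scope at which the role was assigned


@dataclass(frozen=True)
class DenyAssignment:
    principal: str
    actions: tuple  # action patterns that are blocked
    scope: str


def _matches(action, patterns):
    """Case-insensitive wildcard match of one action against patterns."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _in_scope(assigned_scope, target_scope):
    """An assignment applies at its own scope and at every child scope."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_allowed(principal, action, scope, role_assignments, deny_assignments=()):
    """Return True if the principal may perform the action at the scope."""
    # A matching deny assignment blocks access regardless of any role.
    for deny in deny_assignments:
        if (deny.principal == principal
                and _in_scope(deny.scope, scope)
                and _matches(action, deny.actions)):
            return False
    # Otherwise any one applicable role assignment is enough to grant access.
    for ra in role_assignments:
        if ra.principal != principal or not _in_scope(ra.scope, scope):
            continue
        role = ROLE_DEFINITIONS[ra.role]
        if _matches(action, role["actions"]) and not _matches(action, role["not_actions"]):
            return True
    return False


# Constructed sample data (hypothetical principals and subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1"

ASSIGNMENTS = [
    RoleAssignment("alice", "Contributor", RG_APP),
    RoleAssignment("bob", "Reader", SUB),
    RoleAssignment("carol", "Owner", SUB),
]
DENIES = [
    DenyAssignment("carol", ("Microsoft.Compute/virtualMachines/delete",), RG_APP),
]

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM),
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG_APP),
        ("alice", "Microsoft.Compute/virtualMachines/write", RG_DATA),
        ("bob", "Microsoft.Compute/virtualMachines/read", VM),
        ("carol", "Microsoft.Compute/virtualMachines/delete", VM),
    ]
    for who, action, scope in checks:
        verdict = is_allowed(who, action, scope, ASSIGNMENTS, DENIES)
        print(f"{who:6} {action:50} {'ALLOW' if verdict else 'DENY'}")
```
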
   Assign Azure role permissions for management groups,
   subscriptions, resource groups, and resources
To assign Azure roles, complete the following high-level steps:
• Identify who needs access: user, group, service principal, or managed identity.
• Select appropriate role; built-in or custom, based on specific actions required.
• Assign role at determined scope via Azure portal, PowerShell, CLI, SDKs, or REST APIs.
    Microsoft Entra built-in roles
Built-in role                          Description
Application Administrator              Privileged role allows application registration, consent, and owner status for assigned users.
Attribute Assignment Administrator     Role allows assigning custom security attributes to Microsoft Entra objects; not included in default admin roles.
Attribute Log Administrator            Attribute Log Reader role: access audit logs for custom security attributes; not granted in default admin roles.
Authentication Administrator           Authentication Administrator role: manage authentication methods, reset passwords, and perform sensitive actions; limitations apply.
Authentication Policy Administrator    Authentication Policy Administrator: configure policies, manage credentials, tickets; limitations apply.
•   Assign Microsoft Entra roles for resource management.
•   Roles grant permissions like user management.
•   Permissions include password resets and license management.
  Create and assign custom roles, including Azure roles and
  Microsoft Entra ID roles
• Access Azure's RBAC settings
  via Azure portal or Azure CLI.
• Assign appropriate roles (e.g.,
  Owner, Contributor, Reader) to
  management groups, subscriptions,
  and resource groups.
• Fine-tune permissions for specific
  resources within resource groups as
  required, ensuring comprehensive
  access control across the Azure
  environment.
    Microsoft Entra permissions management
•   Entra permissions management
    enhances cloud security across
    Azure, AWS, GCP with visibility
    and control.
•   Automates permission right-
    sizing, addresses over-privileged
    identities, supports Zero Trust
    with least privilege access.
•   Offers discovery, remediation,
    monitoring phases to manage
    permissions, reduce attack surface,
    ensure compliance.
Implement and manage Microsoft Entra Permissions Management
Enable Microsoft Entra Permissions Management on Microsoft Entra ID tenant
• In your browser, go to Entra services and sign in to Microsoft Entra ID.
• In the Microsoft Entra ID portal, select Permissions Management, and then purchase a license or begin a trial.
• Permissions Management launches with the Data Collectors dashboard.
Configure data collection settings
• Use the Data Collectors dashboard in Permissions Management to configure data collection settings for your authorization system.
• Select the authorization system: Amazon Web Services (AWS), Azure, or Google Cloud Platform (GCP).
Zero Trust security
 Microsoft Entra Privileged Identity Management
• PIM manages, controls, and
  monitors access to key resources
  across Microsoft services, requiring
  licenses.
• Enables just-in-time privileged
  access and oversight for user
  operations in Azure and Microsoft
  services.
• Offers role management,
  activation, and approval
  processes, with email
  notifications for assignment
  changes.
Configure Microsoft Entra Privileged Identity Management (PIM)
Time-based and approval-based role activation for privileged users
• Just-in-time privileged access to Azure
• Time-bound access to resources
• Approval to activate privileged roles
• Multi-factor authentication to activate any role
• Justification to understand why users activate
• Notifications when privileged roles are activated
• Access reviews to ensure users still need roles
• Audit history for internal or external audit
    Microsoft Entra ID governance
•   Boosts productivity, security, and compliance
    with automated identity/access management
    and governance.
•   Addresses critical access questions,
    automates identity/access lifecycle, and
    secures privileged administration.
•   Automates provisioning from HR
    sources, manages identity changes,
    and controls guest access.
•   Enforces policies, integrates applications, and
    ensures continuous access review and
    privileged access governance.
    Entitlement management
•   Automates management of
    identity/access across organizations,
    improving efficiency and security.
•   Eases access for internal/external
    users, addressing dynamic
    requirements and collaboration
    challenges.
•   Offers control via access
    packages, multi-stage approvals,
    and automatic role assignments
    based on user properties.
•   Facilitates delegated management,
    enabling non-admins to create
    access packages and policies for
    resource access.
    Access reviews
•   Manage group memberships, app access,
    and roles with Microsoft Entra ID; ensure
    only authorized access.
•   Review access for internal/external users,
    adjusting for role changes or
    departures to maintain security.
•   Use access reviews for over-privileged
    roles, automation limits, new group
    purposes, and critical data access
    compliance.
•   Create reviews in access reviews, Microsoft
    Entra apps, PIM, or entitlement
    management, depending on the resource.
Access reviews (continued)
•    Create access reviews in access reviews, Microsoft Entra, PIM, or entitlement management based on review needs
Access rights of users                          Reviewers can be                                   Review created in                                  Reviewer experience
Security group members, Office group members    Specified reviewers, Group owners, Self-review     access reviews, Microsoft Entra groups             Access panel
Assigned to a connected app                     Specified reviewers, Self-review                   access reviews, Microsoft Entra enterprise apps    Access panel
Microsoft Entra role                            Specified reviewers, Self-review                   Privileged Identity Management                     Microsoft Entra Admin Center
Azure resource role                             Specified reviewers, Self-review                   Privileged Identity Management                     Microsoft Entra Admin Center
Access package assignments                      Specified reviewers, Group members, Self-review    entitlement management                             Access panel
Configure role management and access reviews by using
Microsoft Entra ID Governance
Enable organizations to re-certify group memberships, application access, and privileged role assignments.
• Included with Microsoft cloud subscriptions (Azure, 365)
• Entra ID P1 available standalone or with 365 E3/Business Premium
• Entra ID P2 available standalone or with 365 E5
• Entra ID Governance enhances P1/P2 with advanced identity governance
    Microsoft Entra conditional access
•   Security now includes
    user/device identity; Microsoft
    Entra integrates signals for
    access control.
•   Conditional Access enforces
    policies based on user,
    device, application signals
    for resource access.
•   Aims: empower productivity,
    protect assets, using
    multifactor authentication
    and specific access controls.
Implement Conditional Access policies
• Exclude emergency access and service accounts from MFA to prevent lockouts and ensure access.
• Administrators can exclude certain applications from MFA policies based on security needs.
• Option to deploy MFA policies via direct steps or Conditional Access templates for flexibility.
Manage application access
in Microsoft Entra ID
Manage access to enterprise applications in Microsoft Entra
ID, including OAuth permission grants
Manage app registrations in Microsoft Entra ID
 Creating a Microsoft Entra application and service principal that can access resources entails
 the following steps:
 Configure app registration permission scopes
• Microsoft identity platform
  manages access for registered
  apps only, including web/mobile
  apps and web APIs.
• Registration creates a one-way
  trust where your app trusts
  the platform, not vice versa.
• Once registered, the application
  object is fixed to its tenant and
  cannot be moved.
    Manage and use service principals
•    Registering an app with Microsoft Entra ID
     creates an identity configuration, enabling
     integration and choosing between single or
     multi-tenant setups.
•    Completed registrations yield a unique app
     instance and ID, allowing for secrets,
     certificates, scopes, and customized
     branding.
•    Registration automatically generates an
     application object and a service principal in
     your home tenant, with service principal
     creation being separate when using
     Microsoft Graph APIs.
Relationship between application objects and service principals
•    The application object is a global template for
     an app across all tenants, while service
     principals are its tenant-specific instances.
•    Service principals are needed in each tenant
     for app sign-in/access, with single-tenant
     apps having one, and multi-tenant apps
     having multiple.
•    Modifying or deleting the application object
     affects its service principal in the home
     tenant; deletion is permanent without
     restoring service principal.
   Managed identities for Azure resources – system assigned
• Managed identities simplify
  authentication by eliminating code-
  based credentials, using Microsoft Entra
  tokens for Azure resource access.
• Azure automatically manages these
  identities, freeing users from manual
  identity management tasks.
• Two variants are available: system-
  assigned identities, linked to resource
  lifecycles, and user-assigned identities,
  adaptable across multiple resources.
                                                             Example: Creating a system-assigned managed identity for a virtual machine.
    Managed identities for Azure resources – user assigned
• User-assigned managed identities are
  standalone Azure resources assignable
  to multiple Azure resources.
• A special type of service principal is
  created in Microsoft Entra ID, managed
  separately from its associated resources.
• These identities enable authorization
  for access to one or more services,
  enhancing flexibility and security.
                                                              Example: Creating a user-assigned managed identity resource.
Learning Path Recap
In this learning path:
• We have mastered managing identities, ensuring optimal user and group control within Microsoft Entra ID.
• We now skillfully navigate through Microsoft Entra ID, employing advanced authentication and authorization methods to reinforce security.
• We have acquired expertise in managing application access, enabling streamlined and secure user interactions within Microsoft Entra ID applications.
                            HOMEWORK Day 1
                    (Module: Manage Identity and access)
1   Lab : MFA, Conditional Access and AAD Identity Protection
2   Lab : Azure AD Privileged Identity Management
3   Lab : Implement Directory Synchronization
End of presentation
Knowledge check
1  Your organization is considering multifactor authentication in Azure. Your manager asks about secondary verification methods. Which of the following options could serve as a secondary verification method?
   ☐ Automated phone call.
   ☐ Emailed link to verification website.
   ☐ Microsoft account verification code.
2  Your organization has implemented multifactor authentication in Azure. Your goal is to provide a status report by user account. Which of the following values could be used to provide a valid MFA status?
   ☐ Enrolled
   ☐ Enforced
   ☐ Required
3  Which of the following options can be used when configuring multifactor authentication in Azure?
   ☐ Block a user if stolen password is suspected.
   ☐ Configure IP addresses outside the company intranet that should be blocked.
   ☐ Configure a one-time bypass to allow a user to authenticate a single time without performing MFA.