activating/configuring PIM, 43-45
administering MFA users, 54-60
account lockout settings, 57
blocking/unblocking users, 58
fraud alert settings, 58
OATH tokens, 59
phone call settings, 59
reporting utilization, 60
API management policies, 73
registering applications, 64-66
best practices, 81
conditional access policies, 46-54
configuring identity protection, 60-63
identifying roles, 81
interpreting permissions, 84
monitoring privileged access, 38-40
principle of least privilege, 81
RBAC roles
levels of, 244
list of, 245
resource group permissions, 79-80
subscription and resource permissions, 74-79
viewing user resource permissions, 84-85
for VMs (virtual machines), 155
accessing
Azure Activity Log, 182
Azure AD administrative console, 6
access keys for storage accounts, 247
account lockout settings for MFA, 57
ACR (Azure Container Registry)
security configuration, 167-168
vulnerability management, 164-165
action groups for Azure Monitor alerts, 185-186
Active Directory Federation Services (AD FS) in Azure AD Connect, 28
activity logs in Azure Monitor, 180
accessing, 182
Add-AzKeyVaultCertificate cmdlet, 293
Add-AzKeyVaultCertificateContact cmdlet, 293
Add-AzKeyVaultKey cmdlet, 300
Add-AzRouteConfig cmdlet, 97
Add-AzureADDirectoryRoleMember cmdlet, 79
Add-AzureADGroupMember cmdlet, 8
Add-AzureADGroupOwner cmdlet, 8
Add-AzVirtualNetworkPeering cmdlet, 99
adding
certificates to Azure Key Vault, 289-293
compliance standards to Regulatory Compliance dashboard, 210-211
group members, 10
ADE (Azure Disk Encryption), 168-169
ad hoc SAS, 251
administrative console (Azure AD), accessing, 6
ADS (Advanced Data Security), 199
Advanced Threat Protection (ATP) for Azure Storage, 267-268
AKS (Azure Kubernetes Service)
isolation configuration, 166-167
security configuration, 161-164
alerts
in Azure Monitor
viewing/changing, 188
in Azure Sentinel, creating/customizing, 217-224
analytics in Azure Sentinel, 213
API management policies, 73
registering applications, 64-66
Application Administrator role, 75
Application Developer role, 75
application gateways
capabilities, 126
topology, 127
WAF (Web Application Firewall) configuration, 133-135
application objects, 2
application permissions, 71
application rules, creating, 120-122
applications
application security groups (ASGs), 114-117
app passwords, 32
AcrDelete ACR role, 167
AcrImageSigner ACR role, 167
AcrPull ACR role, 167
AcrPush ACR role, 167
ASGs (application security groups), 114-117
assigning
permissions to service principals, 3-6
ATP (Advanced Threat Protection) for Azure Storage, 267-268
in Azure App Service, configuring, 174-176
file and folder permissions, 260
share-level permissions, 259
certificate-based, 33
MFA (multifactor authentication), 49, 54
Authentication Administrator role, 75
authorization in Azure App Service, configuring, 174-176
Azure Active Directory (Azure AD)
activating/configuring PIM, 43-45
administering MFA users, 54-60
best practices, 81
conditional access policies, 46-54
configuring identity protection, 60-63
identifying roles, 81
interpreting permissions, 84
monitoring privileged access, 38-40
principle of least privilege, 81
resource group permissions, 79-80
subscription and resource permissions, 74-79
viewing user resource permissions, 84-85
administrative console, accessing, 6
API management policies, 73
registering applications, 64-66
applications, registering, 2
certificate-based, 33
container authentication, 159-161
identities
configuring identity protection, 60-63
types of, 1
enabling self-service password reset, 28-30
installing/configuring Azure AD Connect, 15-28
transferring subscriptions, 36-37
Azure Active Directory Connect, 15-28
connectivity requirements, 16
deployment account requirements, 17
SQL Server requirements, 16-17
UPN suffixes and nonroutable domains, 25-27
Azure Active Directory Domain Services (Azure AD DS), authentication for Azure Files, 256-261
file and folder permissions, 260
share-level permissions, 259
Azure Active Directory logs in Azure Monitor, 181
Azure Activity Log, accessing, 182
Azure App Service
security configuration, 170-176
software updates, 176
Azure Application Gateway
as load balancer, 126
WAF (Web Application Firewall) configuration, 133-135
Azure Automation Update Management, 156-159
Azure Blueprint security settings, configuring, 236-240
Azure Container Registry (ACR)
security configuration, 167-168
vulnerability management, 164-165
Azure Disk Encryption (ADE), 168-169
Azure Files authentication, 256-261
file and folder permissions, 260
share-level permissions, 259
Azure Firewall
capabilities, 126
topology, 127
WAF (Web Application Firewall) integration, 133
Azure Key Vault
with ADE (Azure Disk Encryption), 168
certificate management, 288-296
permissions management, 285-287
storage account encryption keys, 264
Azure Kubernetes Service (AKS)
isolation configuration, 166-167
security configuration, 161-164
Azure Logic Apps playbooks, configuring, 224-228
activity logs, 180
alerts
viewing/changing, 188
Azure Active Directory logs, 181
enabling, 179
log collecting
searching events in Log Analytics workspace, 195-196
Security and Audit solution, 194-195
resource (diagnostic) logs, 180
resources in, 181
Azure Policy
centralized policy management in Azure Security Center, 206-209
security settings, configuring, 232-236
Azure Resources layer (Azure Monitor), 180
Azure Security Center, 196-211
for AKS (Azure Kubernetes Service), 163-164
Azure App Service security recommendations in, 171-172
centralized policy management, 206-209
JIT (Just In Time) VM access, 201-205
Regulatory Compliance dashboard, 209-211
viewing endpoint protection, 151-154
vulnerability assessment, 196-200
vulnerability management, 164-165
alerts, creating/customizing, 217-224
data connectors, configuring, 213-217
playbooks, configuring, 224-228
Azure SQL Database Advanced Threat Protection, 273-276
Azure SQL databases. See databases
Azure Storage. See storage accounts
Azure Subscription layer (Azure Monitor), 180
Azure Tenant layer (Azure Monitor), 181
backing up Azure Key Vault items, 303-307
Backup-AzKeyVaultCertificate cmdlet, 293
Backup-AzKeyVaultKey cmdlet, 300
Backup-AzKeyVaultSecret cmdlet, 297
Backup-AzureKeyVaultCertificate cmdlet, 306
Backup-AzureKeyVaultKey cmdlet, 306
Backup-AzureKeyVaultSecret cmdlet, 306
best practices
access control, 81
for SAS (Shared Access Signatures), 251-252
Billing Administrator role, 75
blobs
encryption, viewing status, 262-263
stored access policies, 255
BlobStorage accounts, 244
BlockBlobStorage accounts, 244
blocking MFA users, 58
BYOK (Bring Your Own Key), 276
cases in Azure Sentinel, 212
CDS (Common Data Service), 176
centralized policy management in Azure Security Center, 206-209
certificate authorities for Azure Key Vault, 289-292
certificate policies, elements of, 288-289
certificate-based authentication, 33
certificates
in Azure Key Vault
permissions, 286
contacts information, 289
changing Azure Monitor alerts, 188
Cloud Application Administrator role, 75
Cloud Device Administrator role, 75
Common Data Service (CDS), 176
Community page in Azure Sentinel, 213
Compliance Administrator role, 75
compliance policies in Azure Security Center, 209-211
compute security
for ACR (Azure Container Registry), 167-168
authentication for containers, 159-161
for Azure App Service, 170-176
system updates for VMs, 156-159
vulnerability management, 164-165
Conditional Access Administrator role, 75
conditional access policies, 46-54
Connect-AzAccount cmdlet, 95
connectivity requirements for Azure AD Connect, 16
connectors. See data connectors
containers
isolation configuration, 166-167
security configuration, 161-164
Contributor ACR role, 167
Contributor role, 77
Customer Lockbox access approver role, 75
custom routes, creating, 97
dashboards in Azure Sentinel, 212
databases
Azure SQL Database Advanced Threat Protection, 273-276
encryption
TDE (transparent data encryption), 276-279
data connectors in Azure Sentinel, 213-217
data plane for Key Vault access control, 282
data plane logs, 192
DDoS (distributed denial of service) protection, 147-151
Debug-AzStorageAccountAuth cmdlet, 259
delegated permissions, 71
deleting
group members, 10
nested groups, 12
users, 14
deployment account requirements for Azure AD Connect, 17
Destination Network Address Translation (DNAT), 118
detection mode (WAF on Application Gateway), 134
deterministic encryption, 279
Device Administrators role, 75
diagnostic logs in Azure Monitor, 180
Directory Readers role, 75
Directory Synchronization Accounts role, 75
Directory Writers role, 75
distributed denial of service (DDoS) protection, 147-151
DNAT (Destination Network Address Translation), 118
dynamic group membership, 7
Dynamics 365 Administrator/CRM Administrator role, 75
email addresses for authentication, 32
email scope (application access), 71
enabling
Azure AD DS authentication, 260-261
Azure Monitor, 179
database authentication, 268-269
MFA (multifactor authentication), 50-54
passwordless authentication, 34-35
self-service password reset, 28-30
encryption
of databases
TDE (transparent data encryption), 276-279
infrastructure encryption, 264
for VMs (virtual machines), 156
endpoint security within VMs, 151-156
evaluating results in Azure Sentinel, 228-232
events, searching in Log Analytics workspace (Azure Monitor), 195-196
Exchange Administrator role, 76
external connectors in Azure Sentinel, 214
FIDO2 Security keys, 34
file and folder permissions, 260
FileStorage accounts, 244
firewalls
Azure Firewall
in Azure SQL databases, 140-142
WAF (Web Application Firewall)
Azure Front Door integration, 133
configuring on Azure Application Gateway, 133-135
inbound HTTP/S protection, 118, 122
fraud alert settings for MFA, 58
Front Door. See Azure Front Door
General-Purpose V2 accounts, 244
Get-ADOrganizationalUnit cmdlet, 258
Get-AdUser cmdlet, 257
Get-AzAdServicePrincipal cmdlet, 3
Get-AzKeyVaultCertificate cmdlet, 293
Get-AzKeyVaultCertificateContact cmdlet, 293
Get-AzKeyVaultCertificateIssuer cmdlet, 293
Get-AzKeyVaultCertificateOperation cmdlet, 293
Get-AzKeyVaultCertificatePolicy cmdlet, 293
Get-AzKeyVaultKey cmdlet, 300
Get-AzKeyVaultSecret cmdlet, 297
Get-AzRouteTable cmdlet, 97
Get-AzureADDirectoryRole cmdlet, 78
Get-AzureADDirectoryRoleMember cmdlet, 78
Get-AzureADGroup cmdlet, 8
Get-AzureKeyVaultSecret cmdlet, 296
Get-AzVirtualNetworkGatewayConnectionSharedKey cmdlet, 105
Get-AzVmDiskEncryptionStatus cmdlet, 169
Global Administrator/Company Administrator role, 76
adding/removing members, 10
assigning application access, 67-70
assigning roles to, 244
dynamic membership, 7
naming, 9
Guest Inviter role, 76
HSM (hardware security module) key protection, 299
hunting in Azure Sentinel, 212, 231-232
IaaS (Infrastructure as a Service) VM security logs, collecting with Azure Monitor, 192-194
identities
configuring identity protection, 60-63
adding/removing members, 10
dynamic membership, 7
naming, 9
components of, 3
creating, 3
viewing list of, 3
types of, 1
deleting, 14
recovering, 14
identity providers for Azure App Service, 176
Import-AzKeyVaultCertificate cmdlet, 293
importing certificates to Azure Key Vault, 289-293
inbound rules for NSGs (network security groups), 110
incidents in Azure Sentinel, 230-231
Information Protection Administrator role, 76
Infrastructure as a Service (IaaS) VM security logs, collecting with Azure Monitor, 192-194
infrastructure encryption, 264
installing Azure AD Connect, 17-25
Intune Administrator role, 76
IPSec encryption, 107
JIT (Just In Time) VM access, 201-205
key management for storage accounts, 247. See also Azure Key Vault
Key Vault. See Azure Key Vault
Key Vault Administrator role, 288
Key Vault Certificates Officer role, 288
Key Vault Contributor role, 288
Key Vault Crypto Officer role, 288
Key Vault Crypto Service Encryption role, 288
Key Vault Crypto User role, 288
Key Vault Reader role, 288
Key Vault Secrets Officer role, 288
Key Vault Secrets User role, 288
keys in Azure Key Vault
permissions, 286
KQL (Kusto Query Language), 125
Kubernetes. See AKS (Azure Kubernetes Service)
layers in Azure Monitor, 180-181
least privilege, principle of, 81, 155, 166
License Administrator role, 76
license requirements, PIM (Privileged Identity Management), 45
load balancers, Azure Application Gateway as, 126
locks in Azure Blueprint, 240
Log Analytics workspace (Azure Monitor), searching events, 195-196
Log Analytics workspace (Azure Sentinel), 228-229
log collecting with Azure Monitor
searching events in Log Analytics workspace, 195-196
Security and Audit solution, 194-195
log retention in Azure Monitor, configuring, 189-192
logging in Azure Firewall, 123-125
logical isolation, 166
Logic Apps. See Azure Logic Apps
management plane for Key Vault access control, 282
Message Center Reader role, 76
metrics in Azure Monitor, 181-183
creating alerts from, 184
MFA (multifactor authentication), 49-60
account lockout settings, 57
blocking/unblocking users, 58
fraud alert settings, 58
OATH tokens, 59
phone call settings, 59
reporting utilization, 60
for VPN gateways, 105
Microsoft Authenticator app, 32-34
Microsoft incident creation rules in Azure Sentinel, 217, 223-224
Microsoft Threat Intelligence, 119
mobile phone numbers for authentication, 32
Monitor. See Azure Monitor
monitoring privileged access, 38-40
multifactor authentication. See MFA (multifactor authentication)
multi-site VPNs, 104
naming groups, 9
NAT (network address translation), 100-103
NAT Gateway
billing, 101
network access for Azure Key Vault, 282-285
NAT (network address translation), 100-103
subnets, 91
virtual network gateways, 91
VNets (virtual networks), configuring, 90-95
network rules, creating, 122-123
network security
ASGs (application security groups), 114-117
DDoS (distributed denial of service) protection, 147-151
NSGs (network security groups), 91, 109-114, 201
ExpressRoute encryption, 106-107
site-to-site (S2S), 108
types of, 104
WAF (Web Application Firewall), 133-135
network security groups (NSGs), 91, 109-114, 201
New-AzADServicePrincipal cmdlet, 3
New-AzFirewallApplicationRule cmdlet, 122
New-AzFirewall cmdlet, 120
New-AzFirewallNetworkRule cmdlet, 123
New-AzKeyVaultCertificateOrganizationDetail cmdlet, 294
New-AzKeyVaultCertificatePolicy cmdlet, 294
New-AzNatGateway cmdlet, 104
New-AzNetworkSecurityGroup cmdlet, 112
New-AzNetworkSecurityRuleConfig cmdlet, 114
New-AzRoleAssignment cmdlet, 5
New-AzRouteTable cmdlet, 97
New-AzureADGroup cmdlet, 8
New-AzKeyVaultCertificateAdministratorDetail cmdlet, 294
New-AzVirtualNetwork cmdlet, 95
New-AzVM cmdlet, 95
nonroutable domains, UPN suffixes and, 25-27
notebooks in Azure Sentinel, 213
OATH tokens, 32
for MFA users, 59
OAuth, 32
offline access scope (application access), 71
open scope (application access), 71
operating systems supported on VMs, 197
outbound rules for NSGs (network security groups), 111
Owner ACR role, 167
Owner role, 77
P2S (point-to-site) VPNs, 104, 107-108
pass-through authentication in Azure AD Connect, 27-28
Password Administrator/Helpdesk Administrator role, 76
password authentication, 31
passwordless authentication, 33-36
password synchronization in Azure AD Connect, 27
connectivity requirements, 16
deployment account requirements, 17
SQL Server requirements, 16-17
UPN suffixes and nonroutable domains, 25-27
enabling self-service password reset, 28-30
peering virtual networks, 97-100
permission consent for application access, 71-73
permission scopes for application access, 70-71
assigning to service principals, 3-6
file and folder, 260
identifying roles, 81
interpreting, 84
principle of least privilege, 81
resource group permissions, 79-80
share-level, 259
subscription and resource permissions, 74-79
viewing user resource permissions, 84-85
phone call settings for MFA, 59
physical isolation, 167
PIM (Privileged Identity Management)
license requirements, 45
viewing resource audit history, 38-40
playbooks in Azure Sentinel, 213
point-to-site (P2S) VPNs, 104, 107-108
policies
blueprints versus, 236
centralized policy management in Azure Security Center, 206-209
policy definitions, 206
policy effect, 206
policy enforcement, configuring
Power BI Administrator role, 76
prevention mode (WAF on Application Gateway), 135
pricing tiers, ACR (Azure Container Registry), 167
principle of least privilege, 81, 155, 166
private endpoint connections for Azure Key Vault, 284
privileged access, monitoring, 38-40
Privileged Identity Management (PIM)
license requirements, 45
viewing resource audit history, 38-40
Privileged Role Administrator role, 76
profile scope (application access), 71
protocols for P2S (point-to-site) VPNs, 108
queue storage authentication, 255-256
randomized encryption, 279
RBAC (role-based access control)
configuring, 77
container authentication, 159-161
identifying roles, 81
interpreting permissions, 84
principle of least privilege, 81
resource group permissions, 79-80
roles
for blob and queue storage, 256
levels of, 244
list of, 245
subscription and resource permissions, 74-79
viewing user resource permissions, 84-85
Reader ACR role, 167
Reader role, 77
recovering users, 14
registering applications, 2, 64-66
Regulatory Compliance dashboard (Azure Security Center), 209-211
Remove-AzKeyVaultCertificate cmdlet, 294
Remove-AzKeyVaultCertificateContact cmdlet, 294
Remove-AzKeyVaultCertificateIssuer cmdlet, 294
Remove-AzKeyVaultCertificateOperation cmdlet, 294
Remove-AzKeyVaultKey cmdlet, 300
Remove-AzKeyVaultSecret cmdlet, 297
Remove-AzureADDirectoryRoleMember cmdlet, 79
Remove-AzureADGroup cmdlet, 8
Remove-AzureADGroupMember cmdlet, 8
Remove-AzureADGroupOwner cmdlet, 8
Remove-AzureKeyVaultSecret cmdlet, 296
removing
group members, 10
nested groups, 12
users, 14
reports, MFA utilization, 60
Reports Reader role, 76
requirements
Azure AD Connect
connectivity requirements, 16
deployment account requirements, 17
SQL Server requirements, 16-17
certificate-based authentication, 33
PIM (Privileged Identity Management), license requirements, 45
resource audit history, viewing, 38-40
in Azure SQL databases, 140-142
resource group permissions, 79-80
resource logs in Azure Monitor, 180
resources in Azure Monitor, 181
Restore-AzKeyVaultCertificate cmdlet, 294
Restore-AzKeyVaultKey cmdlet, 300
Restore-AzKeyVaultSecret cmdlet, 297
Restore-AzureKeyVaultCertificate cmdlet, 306
Restore-AzureKeyVaultKey cmdlet, 306
Restore-AzureKeyVaultSecret cmdlet, 306
restoring Azure Key Vault items, 303-307
results, evaluating in Azure Sentinel, 228-232
revoking user delegation SAS, 252-253
role-based access control. See RBAC (role-based access control)
roles
assigning
defined, 74
identifying, 81
RBAC
for blob and queue storage, 256
levels of, 244
list of, 245
rotating
keys in Azure Key Vault, 298-303
secrets in Azure Key Vault, 302-303
storage account access keys, 247-250
rule of least privilege, 244
rules, creating
S2S (site-to-site) VPNs, 104, 108
SAS (Shared Access Signatures), 251-254
types of, 251
scheduled query rules in Azure Sentinel, 217-223
scope
for permissions, 74
for storage account encryption, 264-267
searching events in Log Analytics workspace (Azure Monitor), 195-196
secrets in Azure Key Vault
permissions, 286
security
compute security
for ACR (Azure Container Registry), 167-168
authentication for containers, 159-161
for Azure App Service, 170-176
system updates for VMs, 156-159
vulnerability management, 164-165
network security
ASGs (application security groups), 114-117
DDoS (distributed denial of service) protection, 147-151
NSGs (network security groups), 91, 109-114, 201
WAF (Web Application Firewall), 133-135
Security Administrator role, 76
Security and Audit solution (Azure Monitor), 194-195
Security Center. See Azure Security Center
Security Information and Event Management (SIEM), 212
security key sign-in, 34
Security Orchestration, Automation, and Response (SOAR), 212
Security Reader role, 76
security services configuration. See Azure Monitor
security settings, configuring
self-service password reset (SSPR), 15
service principal objects, 2
components of, 3
creating, 3
viewing list of, 3
service SAS, 251
Service Support Administrator role, 76
Set-ACL cmdlet, 260
Set-AzDiagnosticSetting cmdlet, 125
Set-AzKeyVaultAccessPolicy cmdlet, 286
Set-AzKeyVaultCertificateIssuer cmdlet, 294
Set-AzKeyVaultCertificatePolicy cmdlet, 294
Set-AzKeyVaultSecret cmdlet, 296, 298
Set-AzRouteTable cmdlet, 97
Set-AzStorageAccount cmdlet, 261
Set-AzureADGroup cmdlet, 8
Set-AzVirtualNetwork cmdlet, 97
Set-AzVirtualNetworkGatewayConnectionSharedKey cmdlet, 105
Set-AzVirtualNetworkSubnetConfig cmdlet, 97
Set-AzVmDiskEncryptionExtensions cmdlet, 169
Shared Access Signatures (SAS), 251-254
types of, 251
shared responsibility model, 89
share-level permissions, 259
SharePoint Administrator role, 76
SIEM (Security Information and Event Management), 212
sign-in options in Azure AD Connect, 27-28
single sign-on, 15
site-to-site (S2S) VPNs, 104, 108
Skype for Business/Lync Administrator role, 76
SOAR (Security Orchestration, Automation, and Response), 212
software-protected keys, 299
software updates in Azure App Service, 176
SQL databases. See databases
SQL Server requirements, Azure AD Connect, 16-17
SQL Servers, vulnerability assessment, 199-200
SSL/TLS certificates, configuring, 172-174
SSPR (self-service password reset), 15
Stop-AzKeyVaultCertificateOperation cmdlet, 294
Storage account Contributor role, 245
Storage account Key Operator Service Role, 245
storage accounts
ATP (Advanced Threat Protection) for Azure Storage, 267-268
authentication with Azure AD, 255-256
Azure Files authentication, 256-261
infrastructure encryption, 264
key management, 247
RBAC roles
levels of, 244
list of, 245
SAS (Shared Access Signatures), 251-254
types of, 251
stored access policies, 255
types of, 244
Storage Blob Data Contributor role, 245, 256
Storage Blob Data Owner role, 245, 256
Storage Blob Data Reader role, 245, 256
Storage Blob Delegator role, 245, 256
Storage File Data SMB Share Contributor role, 259
Storage File Data SMB Share Elevated Contributor role, 245, 259
Storage File Data SMB Share Reader role, 245, 259
Storage File SMB Share Contributor role, 245
Storage Queue Data Contributor role, 245, 256
Storage Queue Data Message Processor role, 245, 256
Storage Queue Data Message Sender role, 245, 256
Storage Queue Data Reader role, 245, 256
stored access policies
for blob containers, 255
with service SAS, 251
subnets, 91
subscription permissions, 74-79
subscriptions (Azure), transferring, 36-37
TDE (transparent data encryption), 276-279
Teams Administrator role, 76
Teams Communications Administrator role, 76
Teams Communications Support Engineer role, 76
Teams Communications Support Specialist role, 76
templates for scheduled query rules in Azure Sentinel, 222-223
tenants (Azure), transferring subscriptions, 36-37
threat detection for VMs (virtual machines), 155-156
threat hunting in Azure Sentinel, 231-232
threat protection for SQL, 199
traffic interruptions, 91
transferring subscriptions (Azure), 36-37
transparent data encryption (TDE), 276-279
troubleshooting JIT (Just In Time) VM access, 205
unblocking MFA users, 58
Undo-AzKeyVaultCertificateRemoval cmdlet, 294
Undo-AzKeyVaultKeyRemoval cmdlet, 300
Undo-AzKeyVaultSecretRemoval cmdlet, 298
Update-AzKeyVaultCertificate cmdlet, 294
Update-AzKeyVaultKey cmdlet, 300
Update-AzKeyVaultSecret cmdlet, 298
Update-AzStorageAccountADObjectPassword cmdlet, 259
Update-AzStorageAccountNetworkRuleSet cmdlet, 140
Update-AzureKeyVaultSecret cmdlet, 296
Update Management (in Azure Automation), 156-159
updates
software updates in Azure App Service, 176
system updates for VMs, 156-159
UPN suffixes, nonroutable domains and, 25-27
User Access Administrator role, 77
User Account Administrator role, 76
user principal objects, 2
user resource permissions, viewing, 84-85
assigning application access, 67-70
deleting, 14
recovering, 14
viewing
Azure Monitor alerts, 188
blob encryption status, 262-263
service principal list, 3
storage account access keys, 248-249
user resource permissions, 84-85
virtual network gateways, 91, 104-108
ExpressRoute encryption, 106-107
site-to-site (S2S), 108
types of, 104
VMs (virtual machines)
VNets (virtual networks)
NAT (network address translation), 100-103
VNet-to-VNet VPNs, 104
ExpressRoute encryption, 106-107
site-to-site (S2S), 108
types of, 104
vulnerability assessment with Azure Security Center, 196-200
WAF (Web Application Firewall)
Azure Front Door integration, 133
configuring on Azure Application Gateway, 133-135
inbound HTTP/S protection, 118, 122
Windows Hello for Business, 34
workbooks in Azure Sentinel, 229-230
workspaces in Azure Sentinel, 213