Lesson 1. Top 5 Azure Policy definitions/initiatives to enforce (detailed list and rationale)
Examine five key Azure Policy definitions and initiatives that should be enforced in most environments, understand the rationale behind each, and learn how to tailor them to your organization's risk posture and compliance requirements.
- Baseline security initiative selection
- Key identity and access policies
- Data protection and encryption policies
- Network and exposure control policies
- Monitoring and logging requirements

Lesson 2. Policy 2: enforce encryption with customer-managed keys where required — assignment and exemptions
Configure policies that enforce encryption with customer-managed keys (CMK) where required, select the appropriate scopes, and define exemptions for services or environments where CMK is not feasible or not needed.
- Services that support customer-managed keys
- Key Vault configuration and key rotation
- Policies requiring CMK for resources
- Handling exemptions and legacy systems
- Monitoring CMK usage and failures

Lesson 3. Policy 5: enforce audit logs and resource locks for production SQL and storage — assignment and remediation steps
Configure policies that enforce audit logging and resource locks for production SQL and storage accounts, define what counts as production scope, and plan remediation steps that avoid outages while improving recoverability and auditability.
- Identifying production SQL and storage
- Policies for deploying audit settings
- Requiring resource locks on critical data
- Automated rollout of logging configurations
- Validating logs and lock behavior

Lesson 4. Microsoft Defender for Cloud: plan selection, pricing tiers, and when to enable workload protections
Understand Defender for Cloud plans and pricing tiers, how to select protections per workload type, and when to enable advanced plans to balance security coverage, cost optimization, and compliance or business requirements.
- Overview of Defender for Cloud plans
- Free vs paid tier capabilities
- Enabling plans per subscription or workspace
- Cost estimation and chargeback approaches
- Onboarding new workloads safely

Lesson 5. Policy 4: enforce NSG and subnet restrictions for workloads and deny public IPs on specific resource types
Build policies that require NSGs and subnet restrictions and that deny public IPs on sensitive resource types. Learn to set network guardrails that reduce exposure while still allowing required connectivity.
- Policies requiring NSGs on subnets
- Restricting traffic with NSG rules
- Denying public IPs on protected resources
- Allowing approved public endpoints only
- Auditing network posture regularly

Lesson 6. Automated remediation: deployIfNotExists and managed identities for remediation tasks
Use deployIfNotExists and managed identities to automatically remediate non-compliant resources, design safe remediation logic, and verify that changes are applied consistently across environments.
- How deployIfNotExists works in detail
- Creating remediation tasks and scopes
- Using managed identities for changes
- Testing remediation in lower environments
- Monitoring remediation job results

Lesson 7. Managing policy exemptions: exemption process, temporary exemptions, justifications, and tracking
Define and manage Azure Policy exemptions, including approval workflows, time-limited exemptions, and justification requirements, while maintaining traceability and reducing the long-term risk from accepted deviations.
- Exemption types and supported scopes
- Documenting business justifications
- Time-limited and renewable exemptions
- Review and approval workflows
- Reporting on active exemptions

Lesson 8. Defender for Cloud configuration across management groups and subscriptions: workspace integration and centralized monitoring
Plan the Defender for Cloud rollout across management groups and subscriptions, integrate with Log Analytics workspaces, and centralize monitoring to support cross-tenant visibility and security operations.
- Choosing the management group hierarchy
- Linking subscriptions to workspaces
- Centralizing Defender monitoring
- Multi-tenant and hybrid considerations
- Access control for security teams

Lesson 9. Policy assignment strategy: management group vs subscription vs resource group, and inheritance effects
Learn how to choose the right Azure Policy assignment scope among management groups, subscriptions, and resource groups, understand inheritance behavior, and design a scalable structure that supports least privilege and clear ownership.
- When to assign at management group scope
- Subscription-level assignment trade-offs
- Resource group scoping for exceptions
- Policy inheritance and evaluation order
- Handling overlapping and conflicting policies

Lesson 10. Integration with Microsoft Sentinel and Defender alert-forwarding best practices
Learn how to forward Defender for Cloud alerts to Microsoft Sentinel, configure analytics rules, and apply best practices for alert normalization, deduplication, and incident handling across multiple environments.
- Connecting Defender to Sentinel workspaces
- Configuring alert-forwarding rules
- Normalizing and enriching security alerts
- Building Sentinel analytics rules
- Incident triage and response workflows

Lesson 11. Recommended Defender plans: App Service, Storage, SQL, Key Vault, and Virtual Machines – rationale and protection policies
Identify the recommended Defender for Cloud plans for App Service, Storage, SQL, Key Vault, and Virtual Machines, and understand the protections each plan provides to detect threats and harden configurations.
- Defender for App Service protections
- Defender for Storage threat detection
- Defender for SQL and SQL servers
- Defender for Key Vault access monitoring
- Defender for Servers and VMs

Lesson 12. Operationalizing posture: risk-based prioritization, alert tuning, and feeding posture findings into the sprint backlog
Turn posture findings into actionable work by prioritizing risks, tuning noisy alerts, and integrating remediation tasks into agile sprints, ensuring continuous improvement and measurable risk reduction.
- Risk-based prioritization of findings
- Tuning policies and alert thresholds
- Creating remediation backlogs for teams
- Integrating posture tasks into sprints
- Metrics and KPIs for posture improvement

Lesson 13. Policy 3: restrict resource deployment to approved regions — management group vs subscription assignment
Build policies that restrict deployments to approved regions, compare management group and subscription assignment, and align the region strategy with data residency, latency, and compliance requirements.
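A worked example for this lesson that also covers Lesson 9 (assignment scope and inheritance) and Lesson 7 (time-limited exemptions), added by the editor and not part of the course material. It is a PowerShell script using the Az.Resources module: it defines an allowed-regions deny policy at management group scope, assigns it once there so every child subscription inherits it, confirms the inheritance from a subscription's point of view, and then creates a narrowly scoped, expiring exemption for one documented exception. The management group, subscription and resource group names are placeholders, and the object property paths (Properties.Scope, Properties.ExpiresOn) follow the Az.Resources 6.x output shape, so check them against your module version.

```powershell
# Added example (not the course's own code): allowed-regions deny policy at
# management group scope, inheritance check, and a time-limited exemption.
# Assumptions: Az.Resources is installed, you are signed in with Owner or
# Resource Policy Contributor at the management group, and the management
# group, subscription and resource group names below are placeholders.
$mgName  = 'mg-platform'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# The rule mirrors the shape of the built-in "Allowed locations" policy: deny
# anything whose location is outside the list, but never block 'global'
# (region-less services such as DNS zones or Traffic Manager) and never block
# B2C directories, which report a location that is not an Azure region.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" },
      { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

$params = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'allowed-regions' `
  -DisplayName 'Restrict deployments to approved regions (example)' `
  -Mode 'Indexed' -Policy $rule -Parameter $params -ManagementGroupName $mgName

# Assign once at the management group. Start in DoNotEnforce: the compliance
# view then shows what WOULD have been denied without blocking anyone, which
# is how you find region-less or legacy workloads before switching to Default.
$assignment = New-AzPolicyAssignment -Name 'allowed-regions-eu' `
  -DisplayName 'Approved regions: EU only' -Scope $mgScope `
  -PolicyDefinition $definition `
  -PolicyParameterObject @{ allowedLocations = @('westeurope', 'northeurope') } `
  -EnforcementMode 'DoNotEnforce'

# Inheritance check: the assignments listed for a subscription include those
# made on ancestor management groups, so this confirms the policy reaches it.
$subId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription
Get-AzPolicyAssignment -Scope "/subscriptions/$subId" |
  Select-Object Name, @{ n = 'AssignedAt'; e = { $_.Properties.Scope } }

# Exception for one resource group that must run in a non-approved region.
# The exemption is scoped as narrowly as possible (resource group, not
# subscription), carries the business justification, and expires, so the
# deviation has to be re-approved instead of being forgotten.
$rgScope = "/subscriptions/$subId/resourceGroups/rg-legacy-us"
New-AzPolicyExemption -Name 'allowed-regions-rg-legacy-us' `
  -DisplayName 'Legacy US-only workload (change ticket reference here)' `
  -Scope $rgScope -PolicyAssignment $assignment `
  -ExemptionCategory 'Waiver' `
  -ExpiresOn (Get-Date).AddDays(90).ToUniversalTime() `
  -Description 'Vendor appliance is only offered in eastus; risk accepted by the data owner.'

# Reporting: exemptions at this scope that expire within two weeks, which is
# the list the review workflow has to renew or let lapse.
Get-AzPolicyExemption -Scope $rgScope |
  Where-Object { $_.Properties.ExpiresOn -and $_.Properties.ExpiresOn -lt (Get-Date).AddDays(14) } |
  Select-Object Name, @{ n = 'ExpiresOn'; e = { $_.Properties.ExpiresOn } }
```

Note that the definition itself lives at the management group, so a subscription owner cannot edit it, while the exemption can be granted at resource group scope by someone with rights only there; that split is what keeps ownership clear and the blast radius of an exception small.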
- Defining the list of allowed regions
- Assigning region policies at the right level of the hierarchy
- Handling global and region-less services
- Managing exemptions for special cases
- Auditing region usage over time

Lesson 14. Policy 1: enforce HTTPS-only on App Service and storage static websites — assignment scope and remediation mode
Learn to enforce HTTPS-only for App Service apps and static websites using Azure Policy, choose the right assignment scope, and configure remediation tasks to auto-remediate non-compliant resources at scale.
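A worked example for this lesson and for Lesson 6 (automated remediation with managed identities), added by the editor and not part of the course material. It is a PowerShell script using the Az.Resources and Az.PolicyInsights modules that defines an HTTPS-only policy for App Service apps with a remediating effect, assigns it at management group scope with a system-assigned managed identity, grants that identity the role the definition declares, and runs a remediation task for the apps that already exist. It uses the modify effect rather than deployIfNotExists because httpsOnly is a top-level property of the app, which is the case modify exists for; deployIfNotExists is the right effect when a child resource such as a diagnostic setting or lock has to be created. The management group name, location and assignment names are placeholders; the Contributor role ID is used for brevity and should be replaced by the narrowest role that can write the app; and the object property names (Identity.PrincipalId, PolicyAssignmentId) follow the Az.Resources 6.x output shape.

```powershell
# Added example (not the course's own code): define, assign and remediate an
# HTTPS-only policy for App Service apps, with the managed identity that the
# remediation runs as. Assumptions: Az.Resources and Az.PolicyInsights are
# installed, you are signed in (Connect-AzAccount) with rights to create policy
# definitions and role assignments at the management group, and the management
# group name below is a placeholder.
$mgName  = 'mg-platform'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# Rule: an App Service app whose httpsOnly property is not true is
# non-compliant. roleDefinitionIds lists the roles the assignment's managed
# identity needs to perform the operation; Contributor is shown for brevity,
# production should use the narrowest role that can write Microsoft.Web/sites.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Web/sites" },
      { "field": "Microsoft.Web/sites/httpsOnly", "notEquals": true }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24f"
      ],
      "operations": [
        { "operation": "addOrReplace", "field": "Microsoft.Web/sites/httpsOnly", "value": true }
      ]
    }
  }
}
'@

# A parameterised effect lets one definition be switched off per assignment;
# testing in lower environments is done with EnforcementMode DoNotEnforce.
$policyParams = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "modify", "disabled" ],
    "defaultValue": "modify",
    "metadata": { "displayName": "Effect" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'enforce-appservice-https-only' `
  -DisplayName 'App Service apps must be HTTPS only (example)' `
  -Mode 'Indexed' -Policy $policyRule -Parameter $policyParams `
  -ManagementGroupName $mgName

# Assign at the management group with a system-assigned managed identity.
# -Location is required whenever an identity is created. Use
# -EnforcementMode 'DoNotEnforce' in dev/test to see evaluation results
# without the modify operation being applied.
$assignment = New-AzPolicyAssignment -Name 'https-only-prod' `
  -DisplayName 'HTTPS only - production' -Scope $mgScope `
  -PolicyDefinition $definition `
  -PolicyParameterObject @{ effect = 'modify' } `
  -IdentityType 'SystemAssigned' -Location 'westeurope' `
  -EnforcementMode 'Default'

# Creating the identity grants it nothing. Assign the same role(s) that
# roleDefinitionIds declares, at the assignment scope; without this, every
# remediation deployment fails on authorization. Role assignments can take a
# minute or two to propagate before the first remediation succeeds.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
  -RoleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24f' -Scope $mgScope

# Modify only acts on new or updated resources; apps that already exist are
# fixed by a remediation task. ReEvaluateCompliance re-scans the scope first
# so the task does not rely on a stale compliance snapshot.
$task = Start-AzPolicyRemediation -Name 'https-only-prod-initial' -Scope $mgScope `
  -PolicyAssignmentId $assignment.PolicyAssignmentId `
  -ResourceDiscoveryMode 'ReEvaluateCompliance'

# Poll until the task finishes; the deployment summary (total / succeeded /
# failed) is what you review before widening the scope to more subscriptions.
do {
  Start-Sleep -Seconds 30
  $task = Get-AzPolicyRemediation -Name 'https-only-prod-initial' -Scope $mgScope
} while ($task.ProvisioningState -in 'Accepted', 'Running', 'Evaluating')
$task.DeploymentSummary | Format-List
```

The storage side of this policy uses the sibling alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly in a separate definition of the same shape; keeping the two definitions separate, and grouping them in an initiative, is simpler than one rule with type-dependent operations.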
- Built-in policies for HTTPS-only enforcement
- Scoping policies to web apps and storage accounts
- Using deployIfNotExists for HTTPS settings
- Handling legacy HTTP-only apps
- Testing and validating HTTPS enforcement

Lesson 15. Continuous compliance monitoring: using the Azure Policy compliance view, scheduled scans, and alerting
Explore how to use Azure Policy compliance views, scheduled evaluations, and alerting to maintain continuous compliance, detect drift quickly, and provide evidence for audits and compliance reporting across environments.
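A worked example for this lesson, added by the editor and not part of the course material: a PowerShell script using the Az.PolicyInsights module that triggers an on-demand compliance evaluation, reads the compliance summary, pulls every non-compliant resource for one assignment with the policy and action that flagged it, and writes a dated CSV as audit evidence. The subscription ID and assignment name are placeholders, and the property names follow the Az.PolicyInsights 1.x output shape.

```powershell
# Added example (not the course's own code): on-demand compliance scan,
# non-compliance query for one assignment, and CSV export for audit evidence.
# Assumptions: Az.PolicyInsights is installed, you are signed in with Reader
# (and Resource Policy Contributor to trigger the scan) on the subscription,
# and the subscription ID and assignment name below are placeholders.
$subId = '00000000-0000-0000-0000-000000000000'
$assignmentName = 'https-only-prod'

# Evaluation normally runs on a schedule (the standard cycle is once every
# 24 hours) and on resource writes; an explicit scan is what you trigger after
# a new assignment or a remediation so the compliance view reflects the
# current state. The scan is asynchronous; -AsJob returns a job to wait on.
Set-AzContext -SubscriptionId $subId | Out-Null
$scan = Start-AzPolicyComplianceScan -AsJob
$scan | Wait-Job | Out-Null

# Summary first: the counts reported to management and tracked over time.
$summary = Get-AzPolicyStateSummary
$summary.Results | Format-List NonCompliantResources, NonCompliantPolicies

# Then the detail: every non-compliant resource for the one assignment. The
# -Filter syntax is OData; ComplianceState and PolicyAssignmentName are
# queryable properties. -All pages through the full result set.
$states = Get-AzPolicyState -All `
  -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq '$assignmentName'"

$report = $states | Select-Object Timestamp, ResourceId, ResourceType,
  PolicyDefinitionName, PolicyDefinitionAction, ComplianceState

# Evidence for the auditor: a dated CSV per run. Diffing two runs gives the
# drift (resources that became non-compliant) and the remediation progress
# (resources that dropped off the list).
$outFile = "policy-noncompliance-$assignmentName-$(Get-Date -Format 'yyyyMMdd').csv"
$report | Export-Csv -Path $outFile -NoTypeInformation

# Operational alert: surface any non-compliance under a production assignment.
# In practice this runs from an Automation runbook or a pipeline step that
# fails the build or posts to the on-call channel.
$count = ($states | Measure-Object).Count
if ($count -gt 0) {
  Write-Warning "$count non-compliant resource(s) under '$assignmentName'; see $outFile"
}
```

A deny policy never produces non-compliant resources for writes it blocked (those were rejected), so what shows up here under a deny assignment is either resources that existed before the assignment or resources covered by an exemption; both are worth a look during the audit.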
- Using the Azure Policy compliance view
- Configuring and triggering policy scans
- Setting up compliance alerts and email notifications
- Exporting compliance data for audits
- Tracking drift and remediation progress