Lesson 1: Top 5 Azure Policy definitions/initiatives to enforce (detailed list and rationale)
Review five key Azure Policy definitions and initiatives that should be enforced in most environments, understand their rationale, and learn how to adapt them to your organization's risk profile and compliance needs.
- Baseline security initiative selection
- Critical identity and access policies
- Data protection and encryption policies
- Network and exposure control policies
- Monitoring and logging requirements

Lesson 2: Policy 2: require encryption with customer-managed keys where mandated — assignment and exclusions
Configure policies that require encryption with customer-managed keys where mandated, choose appropriate scopes, and design exclusions for services or environments where CMK is not feasible or necessary.
- Services supporting customer-managed keys
- Key Vault design and key rotation
- Policies requiring CMK for resources
- Handling exclusions and legacy systems
- Monitoring CMK usage and failures

Lesson 3: Policy 5: require diagnostic logs and resource locks for production SQL and storage — assignment and remedial actions
Configure policies that require diagnostic logging and resource locks for production SQL and storage, define production scopes, and design remediation steps that avoid outages while improving recoverability and auditability.
- Identifying production SQL and storage
- Policies for enabling diagnostic settings
- Requiring resource locks on critical data
- Automated deployment of logging configurations
- Reviewing logs and lock effectiveness

Lesson 4: Microsoft Defender for Cloud: plan selection, pricing tiers, and when to enable workload protections
Understand Defender for Cloud plans and pricing tiers, how to select protections per workload type, and when to enable advanced plans to balance security coverage, cost optimization, and regulatory or business requirements.
- Overview of Defender for Cloud plans
- Free vs paid tier capabilities
- Enabling plans per subscription or workspace
- Cost estimation and chargeback models
- Onboarding new workloads securely

Lesson 5: Policy 4: enforce NSG and subnet restrictions for workloads and deny public IPs on certain resource types
Implement policies that enforce NSGs, subnet restrictions, and deny public IPs on sensitive resource types. Learn to design network guardrails that reduce exposure while allowing necessary connectivity patterns.
- Policies requiring NSGs on subnets
- Restricting traffic with NSG rules
- Denying public IPs on protected resources
- Allowing approved public endpoints only
- Validating network posture regularly

Lesson 6: Automated remediation: deployIfNotExists and managed identities for remediation tasks
Use deployIfNotExists and managed identities to automate remediation of noncompliant resources, design safe remediation logic, and validate that changes are applied consistently across environments.
- How deployIfNotExists works in detail
- Creating remediation tasks and scopes
- Using managed identities for changes
- Testing remediation in lower tiers
- Monitoring remediation job results

Lesson 7: Handling policy exceptions: exemption process, temporary exemptions, justifications, and tracking
Define and manage Azure Policy exemptions, including approval workflows, time-bound exceptions, and justification requirements, while maintaining traceability and minimizing long-term risk from accepted deviations.
- Exemption types and supported scopes
- Documenting business justifications
- Time-bound and renewable exemptions
- Review and approval workflows
- Reporting on active exemptions

Lesson 8: Defender for Cloud setup across management groups and subscriptions: workspace integration and central telemetry
Plan Defender for Cloud deployment across management groups and subscriptions, integrate with Log Analytics workspaces, and centralize telemetry to support cross-tenant visibility and security operations.
- Choosing a management group hierarchy
- Connecting subscriptions to workspaces
- Centralizing Defender telemetry
- Multi-tenant and hybrid considerations
- Access control for security teams

Lesson 9: Policy assignment strategy: management group vs subscription vs resource group and inheritance implications
Learn how to choose the right Azure Policy assignment scope using management groups, subscriptions, and resource groups, understand inheritance behaviour, and design a scalable structure that supports least privilege and clear ownership.
- When to assign at management group scope
- Subscription-level assignment trade-offs
- Resource group scoping for exceptions
- Policy inheritance and evaluation order
- Handling overlapping and conflicting policies

Lesson 10: Integration with Microsoft Sentinel and Defender alert forwarding best practices
Learn how to forward Defender for Cloud alerts to Microsoft Sentinel, design analytic rules, and apply best practices for alert normalization, deduplication, and incident handling across multiple environments.
- Connecting Defender to Sentinel workspaces
- Configuring alert forwarding rules
- Normalizing and enriching security alerts
- Creating Sentinel analytic rules
- Incident triage and response workflows

Lesson 11: Recommended Defender plans: App Service, Storage, SQL, Key Vault, and Virtual Machines – rationale and protective controls
Identify recommended Defender for Cloud plans for App Service, Storage, SQL, Key Vault, and Virtual Machines, and understand the protective controls each provides to detect threats and harden configurations.
- Defender for App Service protections
- Defender for Storage threat detection
- Defender for SQL and SQL servers
- Defender for Key Vault access monitoring
- Defender for Servers and VMs

Lesson 12: Operationalizing posture: risk-based prioritization, alert tuning, and integrating posture findings into the sprint backlog
Translate posture findings into operational processes by prioritizing risks, tuning noisy alerts, and integrating remediation tasks into agile sprints, ensuring continuous improvement and measurable risk reduction.
- Risk-based prioritization of findings
- Tuning policies and alert thresholds
- Creating remediation backlogs for teams
- Embedding posture tasks into sprints
- Metrics and KPIs for posture maturity

Lesson 13: Policy 3: restrict resource deployment to approved regions — management group vs subscription assignment
Implement policies that restrict deployments to approved regions, compare management group versus subscription assignment, and align region strategy with data residency, latency, and regulatory requirements.
- Defining the list of allowed regions
- Assigning region policies across the hierarchy
- Handling global and regionless services
- Managing exceptions for special cases
- Auditing region usage over time

Lesson 14: Policy 1: enforce HTTPS-only on App Service and storage static websites — assignment scope and remediation mode
Learn to enforce HTTPS-only for App Service and static websites using Azure Policy, choose the correct assignment scope, and configure remediation tasks to automatically fix noncompliant resources at scale.
- Built-in policies for HTTPS-only enforcement
- Scoping policies to web apps and storage
- Using deployIfNotExists for HTTPS settings
- Handling legacy HTTP-only applications
- Testing and validating HTTPS enforcement

Lesson 15: Continuous compliance monitoring: using the Azure Policy compliance dashboard, scheduled scans, and alerting
Explore how to use Azure Policy compliance views, scheduled evaluations, and alerting to maintain continuous compliance, detect drift quickly, and provide evidence for audits and regulatory reporting across environments.
- Using the Azure Policy compliance dashboard
- Scheduling and triggering policy scans
- Configuring compliance alerts and emails
- Exporting compliance data for audits
- Tracking drift and remediation progress