Lesson 1: Top 5 Azure Policy definitions/initiatives to enforce (detailed list and rationale)
Review five key Azure Policy definitions and initiatives that should be enforced in most environments, understand the rationale for each, and learn how to adapt them to your organization's risk profile and compliance requirements.
- Baseline security initiative selection
- Key identity and access policies
- Data protection and encryption policies
- Network and exposure control policies
- Monitoring and logging requirements

Lesson 2: Policy 2: require encryption with customer-managed keys where required (assignment and exemptions)
Configure policies that require encryption with customer-managed keys where required, choose the right scopes, and plan exemptions for services or environments where CMK is not possible or not needed.
- Services supporting customer-managed keys
- Key Vault design and key rotation
- Policies requiring CMK for resources
- Handling exemptions and legacy systems
- Monitoring CMK usage and failures

Lesson 3: Policy 5: require audit logs and resource locks for production SQL and storage (assignment and remediation steps)
Configure policies that require audit logging and resource locks for production SQL and storage, define production scopes, and plan remediation steps that avoid disruption while improving recoverability and auditability.
- Identifying production SQL and storage
- Policies for enabling audit settings
- Requiring resource locks on critical data
- Automated deployment of logging configurations
- Verifying logs and lock effectiveness

Lesson 4: Microsoft Defender for Cloud: plan selection, pricing tiers, and when to enable workload protections
Understand Defender for Cloud plans and pricing tiers, how to select protections per workload type, and when to enable advanced plans to balance security coverage, cost optimization, and compliance or business requirements.
- Overview of Defender for Cloud plans
- Free vs. paid tier capabilities
- Enabling plans per subscription or workspace
- Cost estimation and chargeback approaches
- Secure onboarding of new workloads

Lesson 5: Policy 4: enforce NSG and subnet restrictions for workloads and deny public IPs on certain resource types
Create policies that enforce NSGs and subnet restrictions and deny public IPs on sensitive resource types. Learn to design network guardrails that reduce exposure while allowing required connectivity paths.
- Policies requiring NSGs on subnets
- Restricting traffic with NSG rules
- Denying public IPs on protected resources
- Allowing approved public endpoints only
- Periodic review of network posture

Lesson 6: Automatic remediation: deployIfNotExists and managed identities for remediation tasks
Use deployIfNotExists and managed identities to automatically remediate non-compliant resources, design safe remediation logic, and verify that changes are applied consistently across environments.
- How deployIfNotExists works in detail
- Creating remediation tasks and scopes
- Using managed identities for changes
- Testing remediation in lower environments
- Monitoring remediation job results

Lesson 7: Managing policy exemptions: exemption process, temporary exemptions, justifications, and tracking
Define and manage Azure Policy exemptions, including approval workflows, time-limited exemptions, and justification requirements, while maintaining traceability and reducing long-term risk from approved deviations.
- Exemption types and supported scopes
- Documenting business justifications
- Time-limited and renewable exemptions
- Review and approval workflows
- Reporting on active exemptions

Lesson 8: Defender for Cloud deployment across management groups and subscriptions: workspace integration and centralized metrics
Plan Defender for Cloud deployment across management groups and subscriptions, integrate with Log Analytics workspaces, and centralize metrics to support cross-tenant visibility and security operations.
- Choosing the management group hierarchy
- Connecting subscriptions to workspaces
- Centralizing Defender metrics
- Multi-tenant and hybrid considerations
- Access control for security teams

Lesson 9: Policy assignment strategy: management group vs. subscription vs. resource group and inheritance effects
Learn how to choose the right Azure Policy assignment scope using management groups, subscriptions, and resource groups, understand inheritance behavior, and design a scalable structure that supports least privilege and clear ownership.
- When to assign at management group scope
- Subscription-level assignment pros and cons
- Resource group scope for exemptions
- Policy inheritance and evaluation order
- Handling overlapping and conflicting policies

Lesson 10: Integration with Microsoft Sentinel and best practices for forwarding Defender alerts
Learn how to send Defender for Cloud alerts to Microsoft Sentinel, design analytics rules, and apply best practices for alert normalization, deduplication, and incident handling across multiple environments.
- Connecting Defender to Sentinel workspaces
- Configuring alert forwarding rules
- Normalizing and enriching security alerts
- Creating Sentinel analytics rules
- Incident triage and response steps

Lesson 11: Recommended Defender plans: App Service, Storage, SQL, Key Vault, and Virtual Machines (rationale and protective controls)
Identify the recommended Defender for Cloud plans for App Service, Storage, SQL, Key Vault, and Virtual Machines, and understand the protective controls each provides to detect threats and harden configurations.
- Defender for App Service protections
- Defender for Storage threat detection
- Defender for SQL and SQL servers
- Defender for Key Vault access monitoring
- Defender for Servers and VMs

Lesson 12: Operationalizing posture: risk-based prioritization, alert tuning, and linking posture findings to the sprint backlog
Turn posture findings into actionable steps by prioritizing risks, tuning noisy alerts, and linking remediation tasks to agile sprints, ensuring continuous improvement and measurable risk reduction.
- Risk-based prioritization of findings
- Tuning policies and alert thresholds
- Creating remediation backlogs for teams
- Integrating posture tasks into sprints
- Metrics and KPIs for posture maturity

Lesson 13: Policy 3: restrict resource deployment to approved regions (management group vs. subscription assignment)
Create policies that restrict deployments to approved regions, compare management group vs. subscription assignment, and align your region strategy with data residency, latency, and compliance requirements.
- Defining the list of allowed regions
- Assigning region policies in the hierarchy
- Handling global and non-regional services
- Managing exemptions for special cases
- Auditing region usage over time

Lesson 14: Policy 1: enforce HTTPS-only on App Service and storage static sites (assignment scope and remediation mode)
Learn to enforce HTTPS-only for App Service and static sites using Azure Policy, choose the right assignment scope, and configure remediation tasks to automatically correct non-compliant resources at scale.
- Built-in policies for HTTPS-only enforcement
- Scoping policies to web apps and storage
- Using deployIfNotExists for HTTPS settings
- Handling legacy HTTP-only apps
- Testing and validating HTTPS enforcement

Lesson 15: Continuous compliance monitoring: using the Azure Policy compliance dashboard, scheduled scans, and alerting
Explore how to use Azure Policy compliance views, scheduled evaluations, and alerting to maintain continuous compliance, detect drift quickly, and provide evidence for audits and compliance reports across environments.
- Using the Azure Policy compliance dashboard
- Scheduling and triggering policy scans
- Configuring compliance alerts and emails
- Exporting compliance data for audits
- Tracking drift and remediation progress