Lesson 1: Top 5 Azure Policy definitions/initiatives to enforce (detailed list and rationale)
Review five key Azure Policy definitions and initiatives that should be enforced in most environments, understand the rationale for each, and learn to adapt them to your organization's risk posture and regulatory needs.
Topics: Baseline security initiative selection; Key identity and access policies; Data protection and encryption policies; Network and exposure control policies; Monitoring and logging requirements

Lesson 2: Policy 2: enforce encryption with customer-managed keys where required — assignment and exemptions
Configure policies that enforce encryption with customer-managed keys (CMK) where required, choose appropriate scopes, and define exemptions for services or environments where CMK is not possible or not needed.
Topics: Services supporting customer-managed keys; Key Vault setup and key rotation; Policies requiring CMK for resources; Handling exemptions and legacy systems; Monitoring CMK usage and failures

Lesson 3: Policy 5: enforce audit logs and resource locks for production SQL and storage — assignment and remediation actions
Configure policies that enforce audit logging and resource locks for production SQL and storage, define production scopes, and set remediation steps that avoid outages while improving recoverability and auditability.
Topics: Identifying production SQL and storage; Policies for enabling audit settings; Requiring resource locks on critical data; Automated deployment of logging configurations; Verifying that logs and locks work

Lesson 4: Microsoft Defender for Cloud: plan selection, pricing tiers, and when to enable workload protections
Understand Defender for Cloud plans and pricing tiers, how to choose protections per workload type, and when to enable advanced plans to balance security coverage, cost savings, and regulatory or business needs.
Topics: Overview of Defender for Cloud plans; Free vs. paid tier capabilities; Enabling plans per subscription or workspace; Cost estimation and chargeback models; Onboarding new workloads safely

Lesson 5: Policy 4: enforce NSG and subnet restrictions for workloads and deny public IPs on certain resource types
Configure policies that enforce NSGs and subnet restrictions and deny public IPs on sensitive resource types. Learn to set network guardrails that reduce exposure while allowing the required connectivity paths.
Topics: Policies requiring NSGs on subnets; Restricting traffic with NSG rules; Denying public IPs on protected resources; Allowing approved public endpoints only; Reviewing network posture regularly

Lesson 6: Automated remediation: deployIfNotExists and managed identities for remediation tasks
Use deployIfNotExists and managed identities to automatically remediate non-compliant resources, design safe remediation logic, and verify that changes are applied consistently across environments.
Topics: How deployIfNotExists works in detail; Creating remediation tasks and scopes; Using managed identities for changes; Testing remediation in lower environments; Monitoring remediation job results

Lesson 7: Handling policy exemptions: exemption process, temporary exemptions, justifications, and tracking
Define and manage Azure Policy exemptions, including approval workflows, time-bound exemptions, and justification requirements, while maintaining traceability and reducing long-term risk from accepted deviations.
Topics: Exemption types and supported scopes; Documenting business justifications; Time-bound and renewable exemptions; Review and approval workflows; Reporting on active exemptions

Lesson 8: Defender for Cloud deployment across management groups and subscriptions: workspace integration and centralized monitoring
Plan Defender for Cloud deployment across management groups and subscriptions, integrate with Log Analytics workspaces, and centralize monitoring to support cross-tenant visibility and security operations.
Topics: Choosing a management group hierarchy; Connecting subscriptions to workspaces; Centralizing Defender monitoring; Multi-tenant and hybrid considerations; Access control for security teams

Lesson 9: Policy assignment strategy: management group vs. subscription vs. resource group and inheritance effects
Learn how to choose the right Azure Policy assignment scope using management groups, subscriptions, and resource groups, understand how inheritance works, and design a scalable structure that supports least privilege and clear ownership.
Topics: When to assign at management group scope; Subscription-level assignment trade-offs; Resource group scope for exemptions; Policy inheritance and evaluation order; Handling overlapping and conflicting policies

Lesson 10: Integration with Microsoft Sentinel and best practices for forwarding Defender alerts
Learn how to forward Defender for Cloud alerts to Microsoft Sentinel, configure analytics rules, and apply best practices for alert normalization, deduplication, and incident handling across multiple environments.
Topics: Connecting Defender to Sentinel workspaces; Configuring alert forwarding rules; Normalizing and enriching security alerts; Creating Sentinel analytics rules; Incident triage and response workflows

Lesson 11: Recommended Defender plans: App Service, Storage, SQL, Key Vault, and Virtual Machines – rationale and protective controls
Identify the recommended Defender for Cloud plans for App Service, Storage, SQL, Key Vault, and Virtual Machines, and understand the protective controls each provides to detect threats and harden configurations.
Topics: Defender for App Service protections; Defender for Storage threat detection; Defender for SQL and SQL servers; Defender for Key Vault access monitoring; Defender for Servers and VMs

Lesson 12: Operationalizing posture: risk-based prioritization, alert tuning, and integrating posture findings into the sprint backlog
Turn posture findings into operational processes by prioritizing risks, tuning noisy alerts, and integrating remediation tasks into agile sprints, ensuring continuous improvement and measurable risk reduction.
Topics: Risk-based prioritization of findings; Tuning policies and alert thresholds; Creating remediation backlogs for teams; Incorporating posture tasks into sprints; Metrics and KPIs for posture maturity

Lesson 13: Policy 3: restrict resource deployment to approved regions — management group vs. subscription assignment
Configure policies that restrict deployments to approved regions, compare management group versus subscription assignment, and align region strategy with data residency, latency, and regulatory needs.
Topics: Defining the list of allowed regions; Assigning region policies in the hierarchy; Handling global and regionless services; Managing exemptions for special cases; Reviewing region usage over time

Lesson 14: Policy 1: enforce HTTPS-only on App Service and storage static sites — assignment scope and remediation mode
Learn to enforce HTTPS-only for App Service and static sites using Azure Policy, choose the right assignment scope, and configure remediation tasks to automatically fix non-compliant resources at scale.
Topics: Built-in policies for HTTPS-only enforcement; Scoping policies to web apps and storage; Using deployIfNotExists for HTTPS settings; Handling legacy HTTP-only apps; Testing and validating HTTPS enforcement

Lesson 15: Continuous compliance monitoring: using the Azure Policy compliance dashboard, scheduled scans, and alerting
Explore how to use Azure Policy compliance views, scheduled checks, and alerting to maintain continuous compliance, detect drift quickly, and provide evidence for audits and regulatory reports across environments.
Topics: Using the Azure Policy compliance dashboard; Scheduling and triggering policy scans; Configuring compliance alerts and emails; Exporting compliance data for audits; Tracking drift and remediation progress