Lesson 1. Top 5 Azure Policy definitions/initiatives to enforce (detailed list and rationale)

Go through five key Azure Policy definitions and initiatives that should be enforced in most environments, understand why they matter, and learn how to adjust them to your organisation's risk profile and compliance needs.
Topics:
- Baseline security initiative selection
- Critical identity and access policies
- Data protection and encryption policies
- Network and exposure control policies
- Monitoring and logging requirements

Lesson 2. Policy 2: require encryption with customer-managed keys where mandated — assignment and exclusions

Set up policies that require encryption with customer-managed keys where it is mandated, choose appropriate assignment scopes, and plan exclusions for services or environments where CMK is not practical or required.
Topics:
- Services supporting customer-managed keys
- Key Vault design and key rotation
- Policies requiring CMK for resources
- Handling exclusions and legacy systems
- Monitoring CMK usage and failures

Lesson 3. Policy 5: require diagnostic logs and resource locks for production SQL and storage — assignment and remedial actions

Set up policies that require diagnostic logging and resource locks for production SQL and storage, define what counts as a production scope, and plan remediation steps that avoid disruption while improving recoverability and auditability.
Topics:
- Identifying production SQL and storage
- Policies for diagnostic settings enablement
- Requiring resource locks on critical data
- Automated deployment of logging configurations
- Reviewing log and lock effectiveness

Lesson 4. Microsoft Defender for Cloud: plan selection, pricing tiers, and when to enable workload protections

Understand Defender for Cloud plans and pricing tiers, how to pick protections per workload type, and when to turn on advanced plans to balance security coverage, cost, and regulatory or business requirements.
Topics:
- Overview of Defender for Cloud plans
- Free vs paid tier capabilities
- Enabling plans per subscription or workspace
- Cost estimation and chargeback models
- Onboarding new workloads securely

Lesson 5. Policy 4: enforce NSG and subnet restrictions for workloads and deny public IPs on certain resource types

Put in place policies that enforce NSGs and subnet restrictions and block public IPs on sensitive resource types. Learn to design network guardrails that cut exposure while allowing the connectivity patterns workloads need.
Topics:
- Policies requiring NSGs on subnets
- Restricting traffic with NSG rules
- Denying public IPs on protected resources
- Allowing approved public endpoints only
- Validating network posture regularly

Lesson 6. Automated remediation: deployIfNotExists and managed identities for remediation tasks

Use deployIfNotExists and managed identities to fix noncompliant resources automatically, design safe remediation logic, and confirm that changes are applied consistently across environments.
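The existence check and remediation flow that this lesson and Policy 5 (Lesson 3) describe, as an added example that is not course material or Microsoft code: a Python model of what a deployIfNotExists policy for diagnostic settings and CanNotDelete locks evaluates for each production SQL database and blob service, and what a remediation task would then deploy through the assignment's managed identity. The workspace, resource IDs, the env=prod tag convention and the subset of log categories are constructed for the example.

```python
"""deployIfNotExists as a local model (added example; not the Azure Policy engine).
For each production SQL database and blob service it runs the existence checks a
DINE policy for diagnostic settings and for resource locks would run, then emits
the deployments a remediation task would hand to the assignment's managed identity.
Resource IDs, tags, the workspace and the log-category subset are constructed."""

WORKSPACE_ID = ("/subscriptions/sub-prod/resourceGroups/rg-logs/providers/"
                "Microsoft.OperationalInsights/workspaces/law-prod")
REQUIRED_LOGS = {  # constructed subset of the real diagnostic categories per type
    "Microsoft.Sql/servers/databases": {"Errors", "Timeouts", "Deadlocks"},
    "Microsoft.Storage/storageAccounts/blobServices": {"StorageRead", "StorageWrite", "StorageDelete"},
}
# Permission the remediation identity needs for each deployment. Contributor cannot
# write locks (Microsoft.Authorization/*/Write is in its NotActions), so a lock DINE
# needs Owner, User Access Administrator or a custom role on the remediation identity.
WRITE_ACTION = {"Microsoft.Insights/diagnosticSettings": "Microsoft.Insights/diagnosticSettings/write",
                "Microsoft.Authorization/locks": "Microsoft.Authorization/locks/write"}

def diagnostics_present(resource, settings, workspace_id=WORKSPACE_ID):
    """existenceCondition: a diagnostic setting on this resource sends every required
    category, enabled, to the central workspace."""
    for s in settings:
        if s["resource"].lower() != resource["id"].lower():
            continue
        if s.get("workspaceId", "").lower() != workspace_id.lower():
            continue
        enabled = {l["category"] for l in s.get("logs", []) if l.get("enabled")}
        if REQUIRED_LOGS[resource["type"]] <= enabled:
            return True
    return False

def lock_present(resource, locks):
    """existenceCondition with existenceScope=resourceGroup: a CanNotDelete lock on the
    resource or on its resource group (locks are inherited by child resources)."""
    rg = resource["id"].split("/providers/")[0].lower()
    return any(l["level"] == "CanNotDelete" and l["scope"].lower() in (resource["id"].lower(), rg)
               for l in locks)

def plan_remediation(resources, settings, locks):
    """Non-compliant production resources -> the deployments a remediation task would run."""
    plan = []
    for r in resources:
        if r.get("tags", {}).get("env") != "prod":  # the policy's if-block: tags['env'] equals prod
            continue
        if not diagnostics_present(r, settings):
            plan.append({"resource": r["id"], "deploy": "Microsoft.Insights/diagnosticSettings",
                         "parameters": {"workspaceId": WORKSPACE_ID,
                                        "logs": sorted(REQUIRED_LOGS[r["type"]])}})
        if not lock_present(r, locks):
            plan.append({"resource": r["id"], "deploy": "Microsoft.Authorization/locks",
                         "parameters": {"level": "CanNotDelete"}})
    for step in plan:
        step["identityNeeds"] = WRITE_ACTION[step["deploy"]]
    return plan

# Constructed inventory as a compliance scan would see it.
SQL_ORDERS = "/subscriptions/sub-prod/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql-prod/databases/orders"
BLOB_STATIC = "/subscriptions/sub-prod/resourceGroups/rg-static/providers/Microsoft.Storage/storageAccounts/ststatic/blobServices/default"
SQL_DEV = "/subscriptions/sub-dev/resourceGroups/rg-dev/providers/Microsoft.Sql/servers/sql-dev/databases/scratch"
RESOURCES = [
    {"id": SQL_ORDERS, "type": "Microsoft.Sql/servers/databases", "tags": {"env": "prod"}},
    {"id": BLOB_STATIC, "type": "Microsoft.Storage/storageAccounts/blobServices", "tags": {"env": "prod"}},
    {"id": SQL_DEV, "type": "Microsoft.Sql/servers/databases", "tags": {"env": "dev"}},
]
SETTINGS = [  # orders: one category disabled; static site: sends to the wrong workspace
    {"resource": SQL_ORDERS, "workspaceId": WORKSPACE_ID,
     "logs": [{"category": "Errors", "enabled": True}, {"category": "Timeouts", "enabled": False},
              {"category": "Deadlocks", "enabled": True}]},
    {"resource": BLOB_STATIC, "workspaceId": WORKSPACE_ID.replace("law-prod", "law-old"),
     "logs": [{"category": c, "enabled": True} for c in ("StorageRead", "StorageWrite", "StorageDelete")]},
]
LOCKS = [{"scope": "/subscriptions/sub-prod/resourceGroups/rg-data", "level": "CanNotDelete"}]
```

Two points this surfaces that are easy to miss when testing in a lower environment: a half-configured diagnostic setting (one category disabled, or the right categories to the wrong workspace) is non-compliant and gets redeployed, and the lock remediation fails at deployment time if the assignment's identity only holds Contributor, even though the existence check itself evaluated correctly.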
Topics:
- How deployIfNotExists works in detail
- Creating remediation tasks and scopes
- Using managed identities for changes
- Testing remediation in lower environments
- Monitoring remediation job results

Lesson 7. Handling policy exceptions: exemption process, temporary exemptions, justifications, and tracking

Define and manage Azure Policy exemptions, including approval workflows, time-bound exceptions, and justification requirements, while tracking them and minimising the long-term risk from accepted deviations.
Topics:
- Exemption types and supported scopes
- Documenting business justifications
- Time-bound and renewable exemptions
- Review and approval workflows
- Reporting on active exemptions

Lesson 8. Defender for Cloud setup across management groups and subscriptions: workspace integration and central telemetry

Plan Defender for Cloud deployment across management groups and subscriptions, connect it to Log Analytics workspaces, and centralise telemetry to give security operations cross-subscription (and, where needed, cross-tenant) visibility.
Topics:
- Choosing the management group hierarchy
- Connecting subscriptions to workspaces
- Centralizing Defender telemetry
- Multi-tenant and hybrid considerations
- Access control for security teams

Lesson 9. Policy assignment strategy: management group vs subscription vs resource group and inheritance implications

Learn how to choose the right Azure Policy assignment scope across management groups, subscriptions, and resource groups, understand inheritance behaviour, and design a scalable structure that supports least privilege and clear ownership.
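The inheritance rules this lesson describes, together with the exemption process from Lesson 7, as an added example that is not part of the course: a Python model of which assignments reach a resource through the management group, subscription and resource group chain, how notScopes and exemptions take it back out, how an exemption stops working on its expiry date, and what DoNotEnforce changes. Scope IDs follow the real ARM formats; the hierarchy, assignment names, exemption and dates are constructed.

```python
"""Which Azure Policy assignments reach a resource, and which exemptions lift them.
Added example of scope inheritance, notScopes and exemptions; a local model, not the
service. Scope IDs use the real ARM formats; the hierarchy and data are constructed."""
from datetime import date

MG = "/providers/Microsoft.Management/managementGroups/"
# Constructed hierarchy: child scope -> parent scope. Resource -> resource group ->
# subscription is implied by the ID format, so only subscriptions and MGs need entries.
PARENTS = {
    MG + "landing-zones": MG + "contoso",
    MG + "sandbox": MG + "contoso",
    "/subscriptions/sub-prod": MG + "landing-zones",
    "/subscriptions/sub-sandbox": MG + "sandbox",
}
# Constructed assignments. A deny inherited from a management group cannot be loosened
# by an assignment lower down; only notScopes or an exemption take a resource out of it.
ASSIGNMENTS = [
    {"name": "allowed-locations", "scope": MG + "contoso", "effect": "Deny"},
    {"name": "deny-public-ip", "scope": MG + "landing-zones", "effect": "Deny",
     "notScopes": ["/subscriptions/sub-prod/resourceGroups/rg-bastion"]},
    {"name": "https-only", "scope": "/subscriptions/sub-prod", "effect": "Deny",
     "enforcementMode": "DoNotEnforce"},
]
EXEMPTIONS = [  # constructed; Waiver and Mitigated are the two exemption categories
    {"assignment": "allowed-locations", "category": "Waiver",
     "scope": "/subscriptions/sub-prod/resourceGroups/rg-dr", "expiresOn": date(2025, 12, 31),
     "justification": "DR pair sits outside the approved regions; renewal reviewed quarterly"},
]

def ancestors(scope, parents=PARENTS):
    """Scope chain from a resource, RG, subscription or MG ID up to the root management group."""
    chain = [scope]
    if scope.startswith("/subscriptions/") and "/providers/" in scope:
        scope = scope.split("/providers/")[0]       # resource -> its resource group
        chain.append(scope)
    if "/resourceGroups/" in scope:
        scope = scope.split("/resourceGroups/")[0]  # resource group -> subscription
        chain.append(scope)
    while scope in parents:                         # subscription -> MG -> ... -> root
        scope = parents[scope]
        chain.append(scope)
    return chain

def assignment_status(resource_id, today, assignments=ASSIGNMENTS, exemptions=EXEMPTIONS,
                      parents=PARENTS):
    """For each assignment, why it does or does not act on the resource on the given day."""
    chain = {s.lower() for s in ancestors(resource_id, parents)}
    status = {}
    for a in assignments:
        if a["scope"].lower() not in chain:
            status[a["name"]] = "out of scope"
        elif any(ns.lower() in chain for ns in a.get("notScopes", [])):
            status[a["name"]] = "excluded by notScopes"
        elif (ex := next((e for e in exemptions if e["assignment"] == a["name"]
                          and e["scope"].lower() in chain
                          and (e.get("expiresOn") is None or e["expiresOn"] >= today)), None)):
            status[a["name"]] = f"exempt ({ex['category']}, expires {ex.get('expiresOn') or 'never'})"
        elif a.get("enforcementMode", "Default") == "DoNotEnforce":
            status[a["name"]] = "evaluated only (DoNotEnforce: no deny, no remediation)"
        else:
            status[a["name"]] = f"applies ({a['effect']})"
    return status

def denies_in_force(resource_id, today, **kw):
    """Deny assignments that would block a non-compliant write to this resource today."""
    return sorted(n for n, s in assignment_status(resource_id, today, **kw).items()
                  if s == "applies (Deny)")
```

The order of the checks is the point: scope first, then notScopes, then a live exemption, then enforcement mode. An expired exemption simply drops out of the third check, so the resource becomes non-compliant again on the day after expiresOn without anyone deleting the exemption, which is why a renewal review needs to run before that date rather than after.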
Topics:
- When to assign at management group scope
- Subscription-level assignment trade-offs
- Resource group scoping for exceptions
- Policy inheritance and evaluation order
- Handling overlapping and conflicting policies

Lesson 10. Integration with Microsoft Sentinel and Defender alert forwarding best practices

Learn how to forward Defender for Cloud alerts to Microsoft Sentinel, design analytic rules, and apply best practices for alert normalisation, deduplication, and incident handling across multiple environments.
Topics:
- Connecting Defender to Sentinel workspaces
- Configuring alert forwarding rules
- Normalizing and enriching security alerts
- Creating Sentinel analytic rules
- Incident triage and response workflows

Lesson 11. Recommended Defender plans: App Service, Storage, SQL, Key Vault, and Virtual Machines – rationale and protective controls

Identify the recommended Defender for Cloud plans for App Service, Storage, SQL, Key Vault, and Virtual Machines, and understand the protective controls each provides to detect threats and harden configuration.
Topics:
- Defender for App Service protections
- Defender for Storage threat detection
- Defender for SQL and SQL servers
- Defender for Key Vault access monitoring
- Defender for Servers and VMs

Lesson 12. Operationalizing posture: risk-based prioritization, alert tuning, and integrating posture findings into the sprint backlog

Turn posture findings into operational processes by prioritising risks, tuning noisy alerts, and integrating remediation tasks into agile sprints, so that improvement is continuous and risk reduction is measurable.
Topics:
- Risk-based prioritization of findings
- Tuning policies and alert thresholds
- Creating remediation backlogs for teams
- Embedding posture tasks into sprints
- Metrics and KPIs for posture maturity

Lesson 13. Policy 3: restrict resource deployment to approved regions — management group vs subscription assignment

Implement policies that restrict deployments to approved regions, compare management group versus subscription assignment, and align the region strategy with data residency, latency, and regulatory requirements.
Topics:
- Defining the list of allowed regions
- Assigning region policies in the hierarchy
- Handling global and regionless services
- Managing exceptions for special cases
- Auditing region usage over time

Lesson 14. Policy 1: enforce HTTPS-only on App Service and storage static websites — assignment scope and remediation mode

Learn to enforce HTTPS-only for App Service apps and storage static websites with Azure Policy, choose the correct assignment scope, and configure remediation tasks that fix noncompliant resources automatically at scale.
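The rule bodies behind this lesson's Policy 1, together with Policy 3 (allowed regions, Lesson 13) and the public-IP deny from Policy 4 (Lesson 5), as an added example that is not part of the course and not Microsoft's built-in definitions: the policyRule JSON is written as Python dicts in the real Azure Policy schema, and a small local evaluator resolves each rule against constructed resource bodies so the outcome of every condition can be checked offline before anything is assigned. Policy names, parameter values and the sample resources are constructed; the evaluator models only the operators these rules use.

```python
"""Local evaluation of Azure Policy rules (added example; not the Azure Policy engine).
The policyRule bodies use the real schema and could be pasted into definitions; the
sample resources and assignment parameter values are constructed."""
import re
# Policy 3, allowed regions: "global" is excluded so regionless services pass.
ALLOWED_LOCATIONS = {
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {"if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"}]},
        "then": {"effect": "deny"}}}
# Policy 1, HTTPS-only on App Service; the effect is an assignment parameter.
APPSERVICE_HTTPS_ONLY = {
    "parameters": {"effect": {"type": "String", "defaultValue": "Audit"}},
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Web/sites"},
        {"field": "Microsoft.Web/sites/httpsOnly", "notEquals": "true"}]},
        "then": {"effect": "[parameters('effect')]"}}}
# Policy 1 for storage, secure transfer; the anyOf also catches a missing property.
STORAGE_SECURE_TRANSFER = {
    "parameters": {"effect": {"type": "String", "defaultValue": "Audit"}},
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"}]}]},
        "then": {"effect": "[parameters('effect')]"}}}
# Policy 4, no standalone public IP resources anywhere in the assigned scope.
DENY_PUBLIC_IP = {"policyRule": {"if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
                                 "then": {"effect": "deny"}}}
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, params):  # [parameters('name')] -> the assignment's value
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def norm(value):  # Azure compares field values as case-insensitive strings
    return None if value is None else str(value).lower()

def field_value(resource, field):
    """Resolve a field or '<type>/<property.path>' alias; None when absent. An alias
    applies only to its own type, which is why rules guard it with 'type equals'."""
    if field in ("type", "location", "name", "kind"):
        return resource.get(field)
    rtype = resource.get("type", "")
    if not field.lower().startswith(rtype.lower() + "/"):
        return None
    node = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def evaluate(cond, resource, params):
    """Evaluate an allOf / anyOf / field-operator condition to True or False."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    actual = norm(field_value(resource, cond["field"]))
    (op,) = [k for k in cond if k != "field"]
    expected = resolve(cond[op], params)
    if op == "exists":
        return (actual is not None) == (norm(expected) == "true")
    if op in ("equals", "notEquals"):
        return (actual == norm(expected)) == (op == "equals")
    if op in ("in", "notIn"):
        return (actual in {norm(v) for v in expected}) == (op == "in")
    raise ValueError(f"operator not modelled here: {op}")

def evaluate_policy(definition, resource, assignment_params=None):
    """Return the effect that would apply (lower-case) or 'compliant'."""
    params = dict(assignment_params or {})
    for name, spec in definition.get("parameters", {}).items():
        params.setdefault(name, spec.get("defaultValue"))
    rule = definition["policyRule"]
    if evaluate(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params).lower()
    return "compliant"

POLICIES = {"allowed-locations": ALLOWED_LOCATIONS, "appservice-https-only": APPSERVICE_HTTPS_ONLY,
            "storage-secure-transfer": STORAGE_SECURE_TRANSFER, "deny-public-ip": DENY_PUBLIC_IP}
ASSIGNMENT_PARAMS = {  # constructed values the assignments would carry
    "allowed-locations": {"listOfAllowedLocations": ["westeurope", "northeurope"]},
    "appservice-https-only": {"effect": "Deny"}}
SAMPLE_RESOURCES = [  # constructed request bodies as the engine would see them
    {"name": "web-prod", "type": "Microsoft.Web/sites", "location": "westeurope",
     "properties": {"httpsOnly": False}},
    {"name": "stprod", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "pip-bastion", "type": "Microsoft.Network/publicIPAddresses", "location": "westeurope"},
    {"name": "cdn-global", "type": "Microsoft.Cdn/profiles", "location": "global"}]

def assess(resources, policies=POLICIES, assignment_params=ASSIGNMENT_PARAMS):
    """Map each resource name to the (policy, effect) pairs that fire against it."""
    return {r["name"]: [(p, e) for p, d in policies.items()
                        if (e := evaluate_policy(d, r, assignment_params.get(p))) != "compliant"]
            for r in resources}
```

Two details worth noticing. The storage rule uses anyOf with exists:false, so an account whose request body omits supportsHttpsTrafficOnly is still flagged, whereas the App Service rule relies on httpsOnly always being present. And the effect that flips these properties during remediation is modify, not deployIfNotExists: the latter deploys a separate resource next to the evaluated one and cannot change a property of the resource itself.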
Topics:
- Built-in policies for HTTPS-only enforcement
- Scoping policies to web apps and storage accounts
- Using the modify effect to set httpsOnly and secure transfer (deployIfNotExists deploys a related resource; it does not change a property of the resource itself)
- Handling legacy HTTP-only applications
- Testing and validating HTTPS enforcement

Lesson 15. Continuous compliance monitoring: using the Azure Policy compliance dashboard, scheduled scans, and alerting

Explore how to use Azure Policy compliance views, scheduled evaluations, and alerting to maintain continuous compliance, detect drift quickly, and provide evidence for audits and regulatory reporting across environments.
Topics:
- Using the Azure Policy compliance dashboard
- Scheduling and triggering policy scans
- Configuring compliance alerts and emails
- Exporting compliance data for audits
- Tracking drift and remediation progress