Lesson 1
Top 5 Azure Policy definitions/initiatives to enforce (detailed list and rationale)
Review five essential Azure Policy definitions and initiatives to enforce in most setups, understand the rationale for each, and adapt them to your organisation's risk profile and compliance needs in Namibia.
Baseline security initiative selection
Critical identity and access policies
Data protection and encryption policies
Network and exposure control policies
Monitoring and logging requirements

Lesson 2
Policy 2: require encryption with customer-managed keys where mandated — assignment and exclusions
Set up policies requiring encryption with customer-managed keys (CMK) where needed, select scopes, and plan exclusions for services or environments where CMK is not practical or required in Namibian contexts.
Services supporting customer-managed keys
Key vault design and key rotation
Policies requiring CMK for resources
Handling exclusions and legacy systems
Monitoring CMK usage and failures

Lesson 3
Policy 5: require diagnostic logs and resource locks for production SQL and storage — assignment and remedial actions
Set up policies requiring diagnostic logging and resource locks for production SQL and storage, define production scopes, and plan remediation steps that avoid outages while improving recoverability and auditability in Namibia.
Identifying production SQL and storage
Policies for diagnostic settings enablement
Requiring resource locks on critical data
Automated deployment of logging configs
Reviewing logs and lock effectiveness

Lesson 4
Microsoft Defender for Cloud: plan selection, pricing tiers, and when to enable workload protections
Understand Defender for Cloud plans and pricing tiers, select protections per workload, and enable advanced plans to balance security, cost, and regulatory or business needs for Namibian deployments.
Overview of Defender for Cloud plans
Free vs paid tier capabilities
Enabling plans per subscription or workspace
Cost estimation and chargeback models
Onboarding new workloads securely

Lesson 5
Policy 4: enforce NSG and subnet restrictions for workloads and deny public IPs on certain resource types
Apply policies that enforce NSGs and subnet limits and deny public IPs on sensitive resources. Plan network guardrails that reduce exposure while permitting necessary connectivity in Namibian network setups.
Policies requiring NSGs on subnets
Restricting traffic with NSG rules
Denying public IPs on protected resources
Allowing approved public endpoints only
Validating network posture regularly

Lesson 6
Automated remediation: deployIfNotExists and managed identities for remediation tasks
Use deployIfNotExists and managed identities to automate fixes for noncompliant resources, plan safe remediation logic, and validate that changes are applied consistently across environments in Namibia.
How deployIfNotExists works in detail
Creating remediation tasks and scopes
Using managed identities for changes
Testing remediation in lower tiers
Monitoring remediation job results

Lesson 7
Handling policy exceptions: exemption process, temporary exemptions, justifications, and tracking
Define and manage Azure Policy exemptions, including approval workflows, time-bound exceptions, and justification requirements, while keeping traceability and minimising long-term risk from deviations in Namibian policies.
Exemption types and supported scopes
Documenting business justifications
Time-bound and renewable exemptions
Review and approval workflows
Reporting on active exemptions

Lesson 8
Defender for Cloud setup across management groups and subscriptions: workspace integration and central telemetry
Plan Defender for Cloud deployment across management groups and subscriptions, integrate with Log Analytics workspaces, and centralise telemetry for cross-tenant visibility and security operations in Namibia.
Choosing management group hierarchy
Connecting subscriptions to workspaces
Centralizing Defender telemetry
Multi-tenant and hybrid considerations
Access control for security teams

Lesson 9
Policy assignment strategy: management group vs subscription vs resource group and inheritance implications
Learn to choose the right Azure Policy assignment scope using management groups, subscriptions, and resource groups, understand inheritance, and design a scalable structure supporting least privilege and ownership in Namibian hierarchies.
When to assign at management group scope
Subscription-level assignment trade-offs
Resource group scoping for exceptions
Policy inheritance and evaluation order
Handling overlapping and conflicting policies

Lesson 10
Integration with Microsoft Sentinel and Defender alerts forwarding best practices
Learn to forward Defender for Cloud alerts to Microsoft Sentinel, plan analytic rules, and apply best practices for alert normalisation, deduplication, and incident handling across environments in Namibian SOCs.
Connecting Defender to Sentinel workspaces
Configuring alert forwarding rules
Normalizing and enriching security alerts
Creating Sentinel analytic rules
Incident triage and response workflows

Lesson 11
Recommended Defender plans: App Service, Storage, SQL, Key Vault, and Virtual Machines – rationale and protective controls
Identify recommended Defender for Cloud plans for App Service, Storage, SQL, Key Vault, and Virtual Machines, and understand the protective controls that detect threats and harden configurations for Namibian workloads.
Defender for App Service protections
Defender for Storage threat detection
Defender for SQL and SQL servers
Defender for Key Vault access monitoring
Defender for Servers and VMs

Lesson 12
Operationalizing posture: risk-based prioritization, alert tuning, and integrating posture findings into sprint backlog
Turn posture findings into operational processes by prioritising risks, tuning noisy alerts, and integrating remediation into agile sprints, ensuring continuous improvement and risk reduction in Namibian teams.
Risk-based prioritization of findings
Tuning policies and alert thresholds
Creating remediation backlogs for teams
Embedding posture tasks into sprints
Metrics and KPIs for posture maturity

Lesson 13
Policy 3: restrict resource deployment to approved regions — management group vs subscription assignment
Apply policies restricting deployments to approved regions, compare management group vs subscription assignment, and align region strategy with data residency, latency, and regulatory needs in Namibia.
Defining the list of allowed regions
Assigning region policies at hierarchy
Handling global and regionless services
Managing exceptions for special cases
Auditing region usage over time

Lesson 14
Policy 1: enforce HTTPS-only on App Service and storage static websites — assignment scope and remediation mode
Learn to enforce HTTPS-only for App Service and static websites using Azure Policy, choose the assignment scope, and configure remediation to fix noncompliant resources at scale in Namibian web apps.
Built-in policies for HTTPS-only enforcement
Scoping policies to web apps and storage
Using deployIfNotExists for HTTPS settings
Handling legacy HTTP-only applications
Testing and validating HTTPS enforcement

Lesson 15
Continuous compliance monitoring: using Azure Policy compliance dashboard, scheduled scans, and alerting
Explore using Azure Policy compliance views, scheduled evaluations, and alerting to maintain continuous compliance, detect drift, and provide audit evidence across environments in Namibian compliance efforts.
Using the Azure Policy compliance dashboard
Scheduling and triggering policy scans
Configuring compliance alerts and emails
Exporting compliance data for audits
Tracking drift and remediation progress