Lesson 1: Top 5 Azure Policy definitions/initiatives to enforce (detailed list and rationale)
Review the five core Azure Policy definitions and initiatives worth enforcing in most environments, understand the rationale behind each, and learn to adapt them to your organization's risk profile and compliance requirements.
- Baseline security initiative selection
- Critical identity and access policies
- Data protection and encryption policies
- Network and exposure control policies
- Monitoring and logging requirements

Lesson 2: Policy 2: require encryption with customer-managed keys where mandated — assignment and exclusions
Configure policies that require encryption with customer-managed keys where it is mandated, choose the right scopes, and plan exclusions for services or environments where CMK is not supported or not needed.
- Services supporting customer-managed keys
- Key vault design and key rotation
- Policies requiring CMK for resources
- Handling exclusions and legacy systems
- Monitoring CMK usage and failures

Lesson 3: Policy 5: require diagnostic logs and resource locks for production SQL and storage — assignment and remedial actions
Configure policies that require diagnostic logging and resource locks for production SQL and storage, define production scopes, and plan remediation steps that avoid outages while improving recoverability and auditability.
- Identifying production SQL and storage
- Policies for diagnostic settings enablement
- Requiring resource locks on critical data
- Automated deployment of logging configs
- Reviewing logs and lock effectiveness

Lesson 4: Microsoft Defender for Cloud: plan selection, pricing tiers, and when to enable workload protections
Understand Defender for Cloud plans and pricing tiers, how to choose protections per workload type, and when to enable advanced plans to balance security coverage, cost savings, and regulatory or business requirements.
- Overview of Defender for Cloud plans
- Free vs paid tier capabilities
- Enabling plans per subscription or workspace
- Cost estimation and chargeback models
- Onboarding new workloads securely

Lesson 5: Policy 4: enforce NSG and subnet restrictions for workloads and deny public IPs on certain resource types
Implement policies that enforce NSGs and subnet restrictions and deny public IPs on sensitive resource types. Learn to design network guardrails that reduce exposure while allowing required connectivity patterns.
- Policies requiring NSGs on subnets
- Restricting traffic with NSG rules
- Denying public IPs on protected resources
- Allowing approved public endpoints only
- Validating network posture regularly

Lesson 6: Automated remediation: deployIfNotExists and managed identities for remediation tasks
Use deployIfNotExists and managed identities to automate remediation of non-compliant resources, design safe remediation logic, and verify that changes are applied consistently across environments.
- How deployIfNotExists works in detail
- Creating remediation tasks and scopes
- Using managed identities for changes
- Testing remediation in lower tiers
- Monitoring remediation job results

Lesson 7: Handling policy exceptions: exemption process, temporary exemptions, justifications, and tracking
Define and manage Azure Policy exemptions, including approval steps, time-limited exemptions, and justification requirements, while maintaining tracking and reducing the long-term risk from accepted deviations.
- Exemption types and supported scopes
- Documenting business justifications
- Time-bound and renewable exemptions
- Review and approval workflows
- Reporting on active exemptions

Lesson 8: Defender for Cloud setup across management groups and subscriptions: workspace integration and central telemetry
Plan the Defender for Cloud rollout across management groups and subscriptions, integrate with Log Analytics workspaces, and centralize telemetry to support cross-tenant visibility and security operations.
- Choosing management group hierarchy
- Connecting subscriptions to workspaces
- Centralizing Defender telemetry
- Multi-tenant and hybrid considerations
- Access control for security teams

Lesson 9: Policy assignment strategy: management group vs subscription vs resource group and inheritance implications
Learn to choose the right Azure Policy assignment scope across management groups, subscriptions, and resource groups, understand how inheritance works, and design a scalable structure that supports least privilege and clear ownership.
- When to assign at management group scope
- Subscription-level assignment trade-offs
- Resource group scoping for exceptions
- Policy inheritance and evaluation order
- Handling overlapping and conflicting policies

Lesson 10: Integration with Microsoft Sentinel and Defender alerts forwarding best practices
Learn to forward Defender for Cloud alerts to Microsoft Sentinel, design analytic rules, and apply best practices for alert normalization, deduplication, and incident handling across multiple environments.
- Connecting Defender to Sentinel workspaces
- Configuring alert forwarding rules
- Normalizing and enriching security alerts
- Creating Sentinel analytic rules
- Incident triage and response workflows

Lesson 11: Recommended Defender plans: App Service, Storage, SQL, Key Vault, and Virtual Machines – rationale and protective controls
Select the recommended Defender for Cloud plans for App Service, Storage, SQL, Key Vault, and Virtual Machines, and understand the protective controls each provides to detect threats and harden environments.
- Defender for App Service protections
- Defender for Storage threat detection
- Defender for SQL and SQL servers
- Defender for Key Vault access monitoring
- Defender for Servers and VMs

Lesson 12: Operationalizing posture: risk-based prioritization, alert tuning, and integrating posture findings into sprint backlog
Turn posture findings into operational work by prioritizing risks, tuning noisy alerts, and linking remediation tasks to agile sprints, ensuring continuous improvement and measurable risk reduction.
- Risk-based prioritization of findings
- Tuning policies and alert thresholds
- Creating remediation backlogs for teams
- Embedding posture tasks into sprints
- Metrics and KPIs for posture maturity

Lesson 13: Policy 3: restrict resource deployment to approved regions — management group vs subscription assignment
Implement policies that restrict deployments to approved regions, compare management group and subscription assignment, and align the region strategy with data residency, latency, and compliance requirements.
- Defining the list of allowed regions
- Assigning region policies at hierarchy
- Handling global and regionless services
- Managing exceptions for special cases
- Auditing region usage over time

Lesson 14: Policy 1: enforce HTTPS-only on App Service and storage static websites — assignment scope and remediation mode
Learn to enforce HTTPS-only on App Service and static websites using Azure Policy, choose the right assignment scope, and configure remediation tasks to auto-correct non-compliant resources at scale.
- Built-in policies for HTTPS-only enforcement
- Scoping policies to web apps and storage
- Using deployIfNotExists for HTTPS settings
- Handling legacy HTTP-only applications
- Testing and validating HTTPS enforcement

Lesson 15: Continuous compliance monitoring: using Azure Policy compliance dashboard, scheduled scans, and alerting
Learn to use the Azure Policy compliance dashboard, scheduled scans, and alerting to maintain continuous compliance, detect drift quickly, and provide evidence for audits and regulatory reporting across environments.
- Using the Azure Policy compliance dashboard
- Scheduling and triggering policy scans
- Configuring compliance alerts and emails
- Exporting compliance data for audits
- Tracking drift and remediation progress