Introduction to basic governance in Azure
Peter Selch Dahl – Azure MVP – I’m ALL Cloud First 
- Taking back control of your Azure Subscription with light-weight governance and logging
Microsoft MCSA: Cloud Platform - Certified 2018,
Microsoft MCSA: Office 365 - Certified 2018,
Microsoft MCSE: Cloud Platform and Infrastructure - Certified 2018
Microsoft MCSA: 2016 Windows Server 2016,
Microsoft MCSA: 2012 Windows Server 2012,
Microsoft MCITP: 2008 Server and Enterprise Administrator,
Microsoft MCSA: 2008 Windows Server 2008,
Microsoft MCSA/MCSE : 2003 Security,
Microsoft MCSA/MCSE : 2000 Security,
VMWare Certified Professional VI3/VI4/VI5,
CompTIA A+, Network+,
EC-Council: Certified Ethical Hacker (CEH v7),
And more
Peter Selch Dahl
Cloud Architect, Azure MVP
Twitter: @PeterSelchDahl
www: www.peterdahl.net
Blog : http://blog.peterdahl.net
Mail : psd@apento.com
• Azure AD PIM
• Azure Locks
• Azure AD Access Review
• And more 
Got Hacked! Not Fake News :O
https://azure.microsoft.com/da-dk/blog/managing-azure-secrets-on-github-repositories/
https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-1.8.0
[Diagram: Azure AD conditional access – Conditions (user, group, app sensitivity, device state, location, risk) → Actions (allow or block access, enforce MFA per user/per app). Cloud-powered protection: MFA, Identity Protection, Privileged Identity Management, Cloud App Discovery, with notifications, analysis, remediation and risk-based policies]
Azure AD Privileged Identity Management (PIM)
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that
enables you to manage, control, and monitor access to important resources in your
organization. This includes access to resources in Azure AD, Azure resources, and other
Microsoft Online Services like Office 365 or Microsoft Intune.
• Provide just-in-time privileged access to Azure AD and Azure resources
• Assign time-bound access to resources using start and end dates
• Require approval to activate privileged roles
• Enforce multi-factor authentication to activate any role
• Use justification to understand why users activate
• Get notifications when privileged roles are activated
• Conduct access reviews to ensure users still need roles
• Download audit history for internal or external audit
Azure Active Directory – Access Review
Azure Subscription – Access Review
Managed identities for Azure resources
Protect your keys and secrets!
• In-code passwords – BAD
• Azure KeyVault – Better
• MSI – BEST
Managed identities for Azure resources
• Automatically managed service principals in Azure Active Directory, exclusively dedicated to Azure service instances.
• They enable Azure workloads to authenticate to cloud services*, without needing credentials in code.
Analogy
• Keys: SAS keys, username and password, etc.
• Built-in garage door opener: System assigned managed identity (one resource)
• Hand-held garage door opener: User assigned managed identity (shared between multiple resources)
Workloads such as Virtual Machines, App Services, Functions, etc. use these to reach Azure Storage, Key Vault, Resource Manager, etc.
The bigger picture…
[Diagram: an application or script running on an Azure VM, App Service, Function, etc. calls the MSI endpoint ("Get token"); the MSI endpoint obtains the token from Azure Active Directory for the identity object]
The bigger picture…
Managed identity provisioning (example using a VM)
1. Azure Resource Manager is the orchestrator. Supported via: Portal, PowerShell, CLI, Template, REST and Azure SDKs.
2. A Service Principal gets created in Azure AD. These are treated as special service principals, which belong to a Managed Identity.
3. The Service Principal details are given to the Compute Resource Provider. The resource is created/updated with the identity details.
4. The Managed Identity (service principal) can be granted permissions via RBAC.
5. Code running inside the VM can request tokens via IMDS.
6. The Managed Identity sub-system requests the actual token from Azure AD.
The bigger picture…
Access patterns using managed identities
1. Services that support Azure AD authentication
• Azure Resource Manager
• Azure Key Vault
• Azure Data Lake
• Azure SQL
• Azure Event Hubs
• Azure Service Bus
• Azure Storage
• Azure AD Graph API
2. Services that depend on Access Keys for authentication
• Access keys stored in: Azure Key Vault or Azure Resource Manager
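The three slides above (BAD/Better/BEST, the provisioning steps, and the access patterns) describe the managed identity token flow in words. The following is an added example written for this page, not code from the deck or from the author's GitHub repository. It puts the "in-code password" anti-pattern next to the "MSI" pattern: the workload asks the Azure Instance Metadata Service (IMDS) for a token (`http://169.254.169.254/metadata/identity/oauth2/token`, `api-version=2018-02-01`, header `Metadata: true`, `resource=` set to the target service), then inspects the returned JWT's claims the way the jwt.ms decoder referenced in the notes does. The IMDS call only works inside an Azure VM that has a managed identity; the sample token is constructed and unsigned so the claim inspection can be run offline. The `HARDCODED_SAS_KEY` value and the GUIDs are placeholders.

```python
"""Managed identity token flow: request via IMDS, then inspect the JWT claims.

Added example, not from the deck. The IMDS request runs for real only inside an
Azure VM with a managed identity; the constructed sample token lets the claim
inspection run offline.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# BAD (slide: "In-code passwords"): a credential baked into the source ends up in
# git history and in every copy of the artifact. Placeholder value, not a real key.
HARDCODED_SAS_KEY = "REPLACE-ME-sample-storage-key"  # anti-pattern, shown for contrast

# BEST (slide: "MSI"): the platform hands the workload a short-lived token instead.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Resource identifiers (token audiences) for services that accept Azure AD tokens.
RESOURCES = {
    "arm": "https://management.azure.com/",
    "keyvault": "https://vault.azure.net",
    "storage": "https://storage.azure.com/",
}


def build_imds_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    """Build the IMDS token request; no network traffic happens here."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:  # user assigned identity: choose which identity to use
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    # IMDS rejects requests without the Metadata header.
    return urllib.request.Request(url, headers={"Metadata": "true"})


def get_managed_identity_token(resource: str, client_id: Optional[str] = None) -> dict:
    """Fetch a token from IMDS (only works on an Azure VM with an identity)."""
    with urllib.request.urlopen(build_imds_request(resource, client_id), timeout=5) as resp:
        return json.loads(resp.read().decode())  # access_token, expires_on, resource, ...


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature (what
    jwt.ms shows). For inspection only; a relying party must verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_usable_for(claims: dict, resource: str, now: Optional[float] = None, skew: int = 300) -> bool:
    """Check audience and expiry before presenting the token to a service."""
    now = time.time() if now is None else now
    aud_ok = claims.get("aud", "").rstrip("/") == resource.rstrip("/")
    exp_ok = claims.get("exp", 0) - skew > now
    return aud_ok and exp_ok


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only. Real
    Azure AD tokens are RS256-signed; this one would be rejected by any service."""
    return f"{_b64url_encode({'typ': 'JWT', 'alg': 'none'})}.{_b64url_encode(claims)}."


SAMPLE_CLAIMS = {  # constructed values, shaped like an ARM token payload
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "exp": 1_700_003_600,
    "appid": "11111111-1111-1111-1111-111111111111",
}
SAMPLE_TOKEN = build_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    print("audience:", claims["aud"])
    print("usable for ARM:", token_usable_for(claims, RESOURCES["arm"], now=1_700_000_000))
```

On a VM you would call `get_managed_identity_token(RESOURCES["keyvault"])` and use `access_token` as a bearer token against Key Vault; nothing about the identity ever appears in the repository, which is the whole point of the BEST column.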
Azure Locks
• CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
• ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Azure Locks
https://github.com/apento/PowerShell/tree/master/Azure%20Subscription/Governance
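The two lock levels above are the whole model; what a governance review needs on top is to know which resources actually end up covered. The following is an added example, not code from the deck or from the author's PowerShell repository. It evaluates lock coverage from lock records shaped like the ones the Azure Resource Manager `Microsoft.Authorization/locks` API returns (`id`, `name`, `properties.level` of `CanNotDelete` or `ReadOnly`), applying the rule that a lock set on a subscription or resource group also covers every resource beneath it. The subscription id, resource ids and lock records are constructed sample data.

```python
"""Evaluate Azure resource lock coverage across scopes.

Added example, not the deck's code. Lock records are shaped like ARM
Microsoft.Authorization/locks records; the sample data is constructed.
A lock applies to the scope it is set on and to everything beneath it.
"""
from typing import List, Optional

# Restrictiveness: ReadOnly blocks update and delete, CanNotDelete blocks delete only.
LEVEL_RANK = {"CanNotDelete": 1, "ReadOnly": 2}


def scope_chain(resource_id: str) -> List[str]:
    """Scopes whose locks apply to resource_id, from the subscription down:
    /subscriptions/S/resourceGroups/RG/providers/P/T/N ->
      ['/subscriptions/S', '/subscriptions/S/resourceGroups/RG', <full id>]"""
    parts = resource_id.strip("/").split("/")
    chain = []
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        chain.append("/" + "/".join(parts[:2]))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
    if len(parts) > 4:
        chain.append("/" + "/".join(parts))
    return chain


def effective_lock(resource_id: str, locks: List[dict]) -> Optional[str]:
    """Most restrictive lock level the resource inherits, or None if unlocked."""
    applicable = {s.lower() for s in scope_chain(resource_id)}
    best = None
    for lock in locks:
        # A lock id is '<scope>/providers/Microsoft.Authorization/locks/<name>'.
        scope = lock["id"].split("/providers/Microsoft.Authorization/locks/")[0].lower()
        if scope in applicable:
            level = lock["properties"]["level"]
            if best is None or LEVEL_RANK[level] > LEVEL_RANK[best]:
                best = level
    return best


def allowed_operations(level: Optional[str]) -> set:
    """What an authorized user (e.g. Contributor) can still do under a lock level."""
    if level == "ReadOnly":
        return {"read"}  # everyone is effectively limited to Reader-role permissions
    if level == "CanNotDelete":
        return {"read", "update"}
    return {"read", "update", "delete"}


def unprotected_resources(resource_ids: List[str], locks: List[dict]) -> List[str]:
    """Resources that anyone with delete rights could still remove: no lock at any scope."""
    return [rid for rid in resource_ids if effective_lock(rid, locks) is None]


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_RESOURCES = [  # constructed resource ids
    f"{SUB}/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv",
    f"{SUB}/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/prodlogs",
    f"{SUB}/resourceGroups/dev-rg/providers/Microsoft.Compute/virtualMachines/dev-vm1",
]
SAMPLE_LOCKS = [  # constructed, shaped like Microsoft.Authorization/locks records
    {"id": f"{SUB}/resourceGroups/prod-rg/providers/Microsoft.Authorization/locks/no-delete",
     "name": "no-delete",
     "properties": {"level": "CanNotDelete", "notes": "governance baseline"}},
    {"id": f"{SUB}/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv"
           "/providers/Microsoft.Authorization/locks/frozen",
     "name": "frozen",
     "properties": {"level": "ReadOnly", "notes": "audit period"}},
]

if __name__ == "__main__":
    for rid in SAMPLE_RESOURCES:
        level = effective_lock(rid, SAMPLE_LOCKS)
        print(rid.rsplit("/", 1)[1], "->", level, sorted(allowed_operations(level)))
    print("unprotected:", unprotected_resources(SAMPLE_RESOURCES, SAMPLE_LOCKS))
```

With the sample data the vault ends up ReadOnly (its own lock outranks the inherited CanNotDelete), the storage account inherits CanNotDelete from the resource group, and the dev VM is reported as unprotected. Feeding the function the real lock list exported from a subscription gives the same report for an actual environment.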
Azure Sentinel - Video: https://azure.microsoft.com/da-dk/resources/videos/introducing-microsoft-azure-sentinel/
Azure Sentinel
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security
orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and
threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive
hunting, and threat response.
Azure Active Directory Activity logs in Azure Log Analytics
Microsoft provides some great tools for auditing and
insights into the data that have been logged. Most of
these tools depend on extra configuration and licensing
to give you the insight that is needed.
How would you look up data that is older than 100 days?
• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention
• https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance#before-you-begin
T: +45 82 32 32 32
F: +45 82 32 32 22
M: info@proactive.dk
W: www.proactive.dk
Azure Customer Story: From Hybrid to Native Cloud
https://www.youtube.com/watch?v=TVcdYNmUkfQ&t=16s
A shift in IT focus…..
[Diagram, repeated from earlier: Azure AD conditional access – Conditions (user, group, app sensitivity, device state, location, risk) → Actions (allow or block access, enforce MFA per user/per app). Cloud-powered protection: MFA, Identity Protection, Privileged Identity Management, Cloud App Discovery, with notifications, analysis, remediation and risk-based policies]

Introduction to basic governance in Azure - #GABDK


Editor's Notes

  • #8 https://azure.microsoft.com/en-us/blog/managing-azure-secrets-on-github-repositories/
  • #9 https://azure.microsoft.com/en-us/blog/managing-azure-secrets-on-github-repositories/
  • #13 Back in our global administrators portal, we can track the changes in privileged role assignments and role activation history. CLICK STEP(S) On the Manage privileged roles blade, click Audit history.
  • #14 Point out: the business justification entered above, which is displayed in the Reasoning column. The admin can see Isaiah requested access as a Global Administrator and the reasoning given. This information can be critical for auditing and forensic investigations.
    Closing remarks: With Azure Active Directory Privileged Identity Management, you can manage, control, and monitor access within your organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune. Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious user getting that access. However, users still need to carry out privileged operations in Azure, Office 365, or SaaS apps. Organizations give users privileged access in Azure AD without monitoring what those users are doing with their admin privileges. Azure AD Privileged Identity Management helps to resolve this risk. Azure AD Privileged Identity Management helps you:
    • See which users are Azure AD administrators
    • Enable on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and Intune
    • Get reports about administrator access history and changes in administrator assignments
    • Get alerts about access to a privileged role
    CLICK STEP(S) Click anywhere on the slide to end the presentation.
  • #20 https://azure.microsoft.com/en-us/blog/managing-azure-secrets-on-github-repositories/
  • #21 https://azure.microsoft.com/en-us/blog/managing-azure-secrets-on-github-repositories/
  • #23 https://jwt.ms/
  • #24 https://jwt.ms/
  • #25 https://jwt.ms/
  • #26 https://jwt.ms/
  • #27 https://jwt.ms/
  • #28 https://jwt.ms/
  • #30 https://azure.microsoft.com/da-dk/resources/videos/introducing-microsoft-azure-sentinel/
  • #31 https://azure.microsoft.com/da-dk/resources/videos/introducing-microsoft-azure-sentinel/
  • #33 https://azure.microsoft.com/da-dk/resources/videos/introducing-microsoft-azure-sentinel/
  • #34 https://azure.microsoft.com/da-dk/resources/videos/introducing-microsoft-azure-sentinel/
  • #38 Adoption of new features each quarter of the year….. continuous adoption