Study Guide for AZ-305: Part 2 – Design Authentication and Authorization Solutions

Hi Cloud Marathoners!

This is the continuation (Part 2/12) of the blog post series to help you get ready for the latest AZ-305 exam. As the title says, our focus will be on understanding and designing Authentication and Authorization Solutions in Microsoft Azure.

Feel free to check the previous post (Part 1/12) if you did not look into it yet 🙂

Table of content (blog series)

What is the Authentication and Authorization?

To put it in plain English, authentication is the process of verifying who someone is, whereas authorization is the process of verifying which specific applications, files, and data a user has access to.

To relate these concepts to a real-world scenario, think about your airport access and boarding experience. When you go through security at an airport, you are required to show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant so they can authorize you to board your flight and allow access to your assigned seat.

Image: Authentication vs. Authorization (by Frank D'Amico, Medium)

WHAT YOU CAN DO WITH Authentication and Authorization?

The authentication and authorization services are part of the Microsoft identity platform.

Authentication is sometimes shortened to ‘AuthN’. The Microsoft identity platform uses the OpenID Connect protocol for handling authentication. On the other hand, authorization is sometimes shortened to ‘AuthZ’. The Microsoft identity platform uses the OAuth 2.0 protocol for handling authorization.

In Microsoft Azure, authentication and authorization are delegated to Azure Active Directory (Azure AD). By using this centralized identity provider you can enable the following secure workflows for your business:

  • Conditional Access policies that, for example, require a user to be in a specific location.
  • The use of multi-factor authentication, which is sometimes called two-factor authentication or 2FA.
  • Enabling a user to sign in once and then be automatically signed in to all of the web apps that share the same centralized directory. This capability is called single sign-on (SSO).
Image: From AD to Azure AD – Your Hybrid Identity Journey (New Signature)

Part 2: Designing Authentication and Authorization solutions

The references below are taken from official Microsoft docs and focused on designing Azure Authentication and Authorization solutions. You may also find it helpful to check the Microsoft docs and learning paths marked with [Tutorial] below 🙂

This collection of links is gathered with a focus on the exam objectives of the AZ-305 certification exam.

Azure identity management security overview
Azure Identity Management and access control security best practices
Five steps to securing your identity infrastructure
What is Azure Active Directory?
Compare Active Directory to Azure Active Directory
Azure Active Directory B2B best practices
Overview: Cross-tenant access with Azure AD External Identities (Preview)
Identity Providers for External Identities
Authentication and Conditional Access for External Identities
What is Azure Active Directory B2C?
Technical and feature overview of Azure Active Directory B2C
What is Conditional Access?
Plan a Conditional Access deployment

[Tutorial]: Secure user sign-in events with Azure AD Multi-Factor Authentication
[Tutorial]: Enable users to unlock their account or reset passwords using Azure AD self-service password reset (SSPR)
[Tutorial]: Enable Azure Active Directory self-service password reset writeback to an on-premises environment

What is Identity Protection?
What is risk?
Azure Active Directory Identity Protection – Security overview
Identity Protection policies
What are Azure AD access reviews?
What are managed identities for Azure resources?
What is identity lifecycle management?

Microsoft Azure Well-Architected Framework – Security
Authenticate apps to Azure services by using service principals and managed identities for Azure resources
Application and service principal objects in Azure AD
Azure Key Vault basic concepts

Best practices for using Azure Key Vault
Azure Key Vault logging
Virtual network service endpoints for Azure Key Vault
Monitoring Key Vault with Azure Event Grid

SUMMARY

Thank you for visiting the AZ-305 Study Guide and checking Part 2 – Designing Authentication and Authorization Solutions.

The next blog will cover Part 3: Design a solution to log and monitor Azure resources.

Study Guide for AZ-305: Part 1 – Design a Governance Solution

Hello friends,

As you might already know, the new AZ-305 exam for Azure Architects was officially released a few days ago!!!

I would like to take this opportunity and help all my students and followers with preparation for this important exam.

My plan is to create a blog post series that covers official and community learning materials in addition to the Microsoft Learn self-paced learning modules.

Table of content (blog series)

This exam is focused on designing cloud and hybrid solutions on Microsoft #Azure, and was made with #architects in mind 😏


A list of helpful reference materials that will complement your four Microsoft Learn AZ-305: XXX learning paths on the official learning site is screenshotted below for your reference 🙂

What is Cloud Governance?

Cloud governance is a framework that guides how end users make use of cloud services by defining and creating policies to control costs, minimize security risks, improve efficiency and accelerate deployment. It’s imperative to have good cloud governance because it’s a foundational element of your cloud practice that provides the ability to scale and be successful.

In short, governance in Azure is one aspect of Azure management. This includes the tasks and processes required to maintain your business applications and the resources that support them. Azure has many services and tools that work together to provide complete management.

What you can do with Azure Governance?

  • Enforce and audit your policies for any Azure service
  • Create compliant environments using Azure Blueprints, including resources, policies, and role-access controls
  • Ensure that you’re compliant with external regulations by using built-in compliance controls
  • Monitor spend and encourage accountability across your entire organization

The references below are taken from official Microsoft docs and focused on designing Azure governance solutions.

Build Enterprise Agile Azure Governance Foundation

Part 1: Design a governance solution

The references below are taken from official Microsoft docs and focused on designing Governance solutions in Azure. You may also find it helpful to check the Microsoft docs and learning paths marked with [Tutorial] below 🙂

This collection of links is gathered with a focus on the exam objectives of the AZ-305 certification exam.

How to protect your resource hierarchy
Cloud governance guides
What are Azure management groups
Azure subscription and service limits, quotas, and constraints
What is Azure Resource Manager
Lock resources to prevent unexpected changes
Use tags to organize your Azure resources and management hierarchy

Azure Policy
What is Azure Policy?
Azure Policy built-in policy definitions
Azure Policy built-in initiative definitions
What is Azure role-based access control (Azure RBAC)?
Organize and manage multiple Azure subscriptions
Recommended policies for Azure services
What are Azure management groups?
[Tutorial] Describe core Azure architectural components
[Tutorial] Microsoft Cloud Adoption Framework for Azure
Governance in the Microsoft Cloud Adoption Framework for Azure
Define your tagging strategy

Summary

Thank you for visiting the AZ-305 Study Guide and checking Part 1 – Design a Governance solution.

The next one will be Part 2: Design Authentication and Authorization Solutions.

What is MCAS and why would you need it?

Hello cloud marathoners,

MCAS (Microsoft Cloud App Security) 🛡️ helps to identify and combat cyberthreats across all your cloud services. It is a cloud access security broker (CASB) that provides multifunction visibility, control over data travel, and sophisticated analytics.

Here is a high-level architecture diagram from the Microsoft docs.

What are the main benefits of this cloud service?

Here are the three main benefits it brings along:
✔️ Discover & manage your apps
✔️ Govern access to apps and resources
✔️ Check compliance on your cloud apps

Check out this detailed-level architecture of #appsecurity in Microsoft Azure ™ 👍

MCAS – Microsoft Cloud App Security.


What are the main use cases for your business?

βœ”οΈ Shadow IT Discovery & Control
βœ”οΈ Secure Access
βœ”οΈ Security Poster Management
βœ”οΈ Threat Protection
βœ”οΈ Information Protection
βœ”οΈ User & Entity Behavioral Analytics

Another beauty of the above architecture lies in the fact that you can easily integrate this model with third-party SaaS apps, all listed on the diagram.

Thank you Matt Soseman for bringing this diagram #SharingIsCaring ❤️

Follow me 🎯 and become a #cloudmarathoner ⛅🏃‍♂️🏃‍♀️ – LET’S CONNECT 👍

#microsoftazure
#MCAS #securitymanagement
#OAuth #secureaccess #appsec
#threatprotection
#securityengineering
#bestpractices
#continuouslearning

What are the Microsoft Azure’s Multi-Cloud and Cross-Platform Capabilities?

Hello cloud marathoners,

There are many security and multi-cloud capability services under the Microsoft Azure umbrella of services. In this post, I will reference the Microsoft documentation to clarify those capabilities at a high level.
I hope this post will clarify the intent and purpose of these capabilities for you.

Important: Please zoom into the infographic, as it is of high quality and can be very informative in understanding this article.

Microsoft’s cross-platform and cloud security starts with endpoint and cloud visibility and controls: namely Endpoint Management and Cloud Security Posture Management (CSPM), which provides insight across your multi-cloud and on-premises datacenter estate, as well as Cloud Workload Protection capabilities.

Next is the SIEM and XDR strategy, where Microsoft provides integrated capabilities for Security Operations (SOC) to get the broad and deep visibility needed to rapidly detect, hunt for, respond to and recover from threats across clouds and platforms.

The following capability on the infographic is Infrastructure Extended Detection and Response (XDR). These capabilities are provided through a set of services, namely Azure Defender, Azure Arc and Microsoft 365 Defender, with a number of features combined under this suite of services.

The next set of capabilities is Identity Enablement and Security, where Azure Active Directory provides comprehensive solutions, including Zero Trust access control that explicitly verifies the trustworthiness of devices (via XDR) and of users (via native UEBA, threat intelligence and analytics).

And finally, Information Protection capabilities utilize the Microsoft Information Protection and Azure Purview services, which provide a full lifecycle approach to discovering, classifying, protecting, and monitoring structured and unstructured data as your organization generates and leverages more data. These capabilities provide insights to drive mission completion and competitive advantage.

What would be your approach?
Please, share in the comments section 👍
#SharingIsCaring ❤️

#microsoftazure
#multicloud
#crossplatform
#endpointmanagement
#SOC
#securityengineering
#identityaccessmanagement

Get started with data transformation services in Azure – Global Azure 2021

Azure Global 2021 event in mid-April 2021

Hello friends,
I am back again, this time with another follow-up announcement of a second Global Azure 2021 session in the Azure Data focus area, for ALL of you!

I am truly excited to present the following session on April 17th, live from my broadcasting studio on the East Coast :)

This session will be a deep dive into different data movement scenarios using first-class tooling in the Azure data ecosystem and Azure Data Factory (ADF). We will learn about handy new features and data connectors while copying and transforming datasets from Data Lake and SQL relational database storage. So tune in to learn about the latest developments in Microsoft Azure data transformation services.

In my second session, I will share the following journey with you:

Abstract of the upcoming session provided below 😉

We will learn what ETL and ELT stand for in the data world, and how the Azure Data Factory (ADF) service can help you. Along the way, we will look into the inner workings and fundamentals of a cloud-based ETL and data integration service that lets you create data-driven workflows for orchestrating data movement and transforming data at scale.

Finally, we will conclude the session with an ADF demo and Q&A.

TheCloudMarathoner 🙂

Please let me know, what topics are you interested in?

What is a good service to perform data transformation in Azure? 🤔

Hello friends and data marathoners!


I am excited to announce my next Cloud Lunch and Learn tech meetup session with you.

During the previous session, you learned how to up-skill existing data and SQL skills with the new data engineering mindset 👌👍

Updated: Check out the recorded event session on YouTube: https://youtu.be/h3AaL9AhuXI

I am glad to invite you all to learn how to get started with Data Transformation services in Microsoft Azure ™


Thank you 🙏 Cloud Lunch and Learn for organizing this session.

Event detail: 24 March @ 18:00 UTC
Open registration 👉 https://lnkd.in/dNb5vUr #SharingIsCaring ❤️

Follow me 🎯 and start your cloud ☁ journey – LET’S CONNECT 👍
#microsoftazure #CloudLunchLearn #azuredata #upskilling #cloud #dataengineering #datatransformation #gettingstarted #continuouslearning

Why is the “Start small and expand” approach good for your company’s business?

As the cloud ☁️ journey matures, each company 🏨 knows that service requirements and needs will change. As cloud providers add new features and products, new market opportunities and possibilities will arise.

There are several reasons why you would want to pursue cloud landing zones. Using the start small and expand landing zone, you can get started with cloud adoption at a low-risk pace, and build up the security, governance, and regulatory policies over time.

As a benefit, with “start small and expand” you can use Azure Resource Manager templates and Azure Policy to create CI/CD pipelines for subscriptions with Azure Blueprints.

As an ongoing improvement effort, you could expand and improve the landing zone with the Cloud Adoption Framework enterprise-scale design guidelines from Microsoft Azure ™

Get started by learning “What is an Azure landing zone?” 👉 https://lnkd.in/eD7xtWV #SharingIsCaring ❤️

Follow 🎯 the #cloudmarathoner ⛅🏃‍♂️🏃‍♀️ on LinkedIn and LET’S CONNECT 👍

Journey 2 RE-certification: AZURE SOLUTIONS ARCHITECT EXPERT

Over the weekend, I had a scheduled proctored exam, AZ-301 Microsoft Azure Architect Design. Passing it would re-certify my credentials as Microsoft Certified: Azure Solutions Architect Expert, but more importantly, up-skill my knowledge of recent changes in Microsoft Azure.

Actually, the first pre-requisite Expert Architect Technologies exam, which I had earlier in May, was not easy at all. The content of the exam is quite BIG, in comparison to what it used to be 2 years ago. It turned out to be a true underestimate on my part, when I failed my first attempt. The good or bad thing about this failed exam was the score – 679. I missed it by just one correct answer. Ah…

Anyway, repetition is the mother of perfection. If there is true perfection, it’s about getting ready, and doing something over and over again. Well, on the second attempt I was able to pass AZ-300 Microsoft Azure Architect Technologies much more easily… If you are curious about the score, it was in the upper 900s (where the max is 1000).

Overall, Microsoft Expert exams are much harder to prepare for (probably 3 times) than the Associate ones. Thus, I was pretty excited and nervous while going for the next exam, Architect Design 🙂 It turned out well this time, as I use those skills in my day-to-day work, so no surprises there…

By the way, Microsoft also announced new exams (AZ-303 and AZ-304) for the Azure Solutions Architect certification. They are all in beta for now and there is no online training material yet. You can check these exams in the official Microsoft post.

Earning the Azure Solutions Architect Expert certification demonstrates skills and knowledge to advise stakeholders and translate business requirements into secure, scalable, and reliable solutions. Candidates have advanced experience and knowledge across various aspects of IT operations, including networking, virtualization, identity, security, business continuity, disaster recovery, data management, budgeting, and governance – managing how decisions in each area affect an overall solution.

Microsoft Learn

There is an informative blog post by Chris Pietschmann about the state of the current Microsoft Expert exams and how they are structured; if you are new to the Microsoft role-based certifications, I would recommend having a look.

Turning attention back to the current Azure Architect exams, with a small detour: there are multiple overlapping topics between those two Expert exams. Completing one of them greatly helps with the second one, as they share certain exam objectives.

Now, the list of my study guides consisted of the following:

Congrats to everyone who already got the Azure Solutions Architect Expert badge and certification! This is a good thing to accomplish.

For those who are planning to go down the Azure Architect path, I wish you good luck in preparing and getting it done. It is going to be an interesting journey: a lot to learn, and much more to practice and up-skill yourself to be better prepared for your next challenge!

Hopefully, my journey will be a tiny encouragement wave to start your own.

  • Feel free to comment: what exam preparation approach do you follow?
  • What challenges are you facing or have already overcome?
  • What helped and what did not in setting yourself up for the journey?

Thank you and May The 4TH Be With You!