Azure Security Overview | V S Varma Rudra Raju | Skillshare

Lessons in This Class

15 Lessons (3h 20m)
    • 1. Introduction to Azure Security building blocks

    • 2. Introduction to Azure Active Directory and its capabilities

    • 3. Lab demo - Walkthrough of the key capabilities of Azure Active Directory

    • 4. Introduction to Azure Role Based Access Control

    • 5. Lab demo - Walkthrough of roles, Custom role creation and assignment

    • 6. Lab demo - Creation of Dynamic group and role assignment

    • 7. Introduction to Conditional Access in AAD

    • 8. Lab demo - Location based conditional access policy

    • 9. Introduction to Azure policies, Initiatives and locks

    • 10. Lab demo - Implement Azure policies and initiatives

    • 11. Introduction to Azure Security Center (ASC)

    • 12. Lab demo - Walkthrough of Azure security centre capabilities using Azure portal

    • 13. Introduction to Azure Key Vault

    • 14. Lab demo - Walkthrough of Azure Key Vault capabilities

    • 15. Lab demo - Retrieve the secret in Azure Key vault from Web app

About This Class

The objective of this class is to introduce you to the security tools in Azure that you can use to harden your Azure workloads. This class includes the following lectures and lab demonstrations.

  • Introduction to Azure security related services

  • Introduction to Azure Active Directory and configuring user settings.

  • Introduction to Role Based Access Control.

  • Creation of custom roles and dynamic groups.

  • Introduction to conditional access policies and implementation of a location-based conditional access policy.

  • Introduction to Azure policies and how to implement them.

  • Introduction to Security Centre and how to implement preventive measures.

  • Introduction to Azure Key Vault and how to access a secret securely from an Azure web app.

By the end of this class, you should be able to implement security controls in Azure.

Meet Your Teacher


V S Varma Rudra Raju

TOGAF Certified Enterprise Architect



1. Introduction to Azure Security building blocks: Hi. Welcome to this lecture. In this lecture, I'm going to provide you a 10,000-foot view of the security-related services that are available in Azure. When you think of security, generally the first thing that comes into your mind is identity and access management. So I will start with identity and access management, and thereafter I will take you through each security-related area and the services you can use to implement security controls in that particular area.

OK, so let's start with identity and access management. In identity and access management, Azure Resource Manager plays a very, very important role. Any access request, whether it is from the portal, PowerShell, CLI, etc., all of them will come to Azure Resource Manager, and Azure Resource Manager will trust Azure Active Directory to authenticate the user. Once the authentication is completed, then Azure Resource Manager will pass on the request to the appropriate resource provider. So it is extremely important for you to understand the mechanism behind access management through Azure Resource Manager. In the next lecture, I'm going to take you through in detail how that works, OK?

And the next thing is Azure Active Directory. It is a multi-tenanted cloud directory where you create and manage identities. Not only that, there are a number of capabilities associated with Azure Active Directory. The first one is role-based access control. Using role-based access control in Azure Active Directory, you can assign roles to users, applications, service principals, managed identities and so on, and each role will define what type of permissions are given to that identity. OK, and generally in any company, there will be some third-party providers who provide support in terms of creating and managing resources in Azure on behalf of the customer.
In that case, you can use Azure AD B2B and invite these support users as guest users in your Azure AD, and once the guest user is created, you can provide access to different Azure resources to this guest user to manage those resources.

OK, and the next thing is conditional access. This is really, really important these days, because earlier most of the users in a business tended to be located in the office. But these days it's all changed. Users can be located in the office, can be working from home, and you have support users from remote places, all those things. So it is extremely important for you to control access for the users based on a number of things. It can be location, it can be a device, it can be the risk associated with the sign-in, and so on. Using conditional access, you can implement all these conditions before access is given to the user.

OK. And the next thing is identity protection. Basically, when you enable identity protection, Microsoft will use machine learning and AI algorithms to calculate a risk score against a sign-in and also against the user, and using that risk associated with the user or sign-in, you can implement conditional access. So, for example, if the sign-in risk is high, then you can force the user to go through multi-factor authentication. OK, I will explain this to you in detail in the upcoming lectures and labs.

And the next thing is Privileged Identity Management. Using PIM, you can carry out access reviews, you can protect AD roles and resource roles, and you can even implement just-in-time access. We have a dedicated section in this course where I'm going to show you how to implement them. And the next thing is AD Connect. Using AD Connect you can synchronise the identities in your on-premises directory into Azure Active Directory, and there are a number of topologies that are supported, which I will discuss later. And the next thing is application management.
In Azure Active Directory, you will be able to register applications and enable Azure Active Directory authentication for those applications. There are lots of things that you can do, which I will discuss in detail in the respective lectures. And finally, in case you have an application, particularly a B2C application, where you need to manage millions of customer identities, then you can use Azure AD B2C. OK, so these are all the services that are available in identity and access management.

And the next security area is governance. In governance, we make sure all the deployments that are happening in Azure, and also the changes that are happening in Azure, are consistent and aligned with your organizational policies. OK, so the first tool that you can use in governance is Azure Policy. Using Azure policies, you can define a deployment policy and apply that policy at the management group level, subscription level, or resource group level. Basically, you can deploy a policy in such a way that any resource deployment happening in a particular subscription should happen in a particular location, for example North Europe. Similarly, when you are using Security Center, you have security policies and also guest configuration. This is particularly used to monitor and also gain consistency in deploying the right settings at the OS level. OK, and to avoid accidental deletions or modifications, you can apply locks. OK, so these are all the tools that are available in Azure in terms of governance.

Now let's go to each area, such as network, storage, databases, and go through what tools are available in order to implement security controls in those areas. The first one is network security. In network security you have DDoS protection. The DDoS Basic tier is automatically enabled for you, but if you want some enhanced logging and access to the information behind the attacks, then you can go for the DDoS Standard tier.
OK, and you can use Azure Firewall in order to centrally manage firewall rules. And also Azure Firewall has lots of capabilities. You can create network firewall rules, application firewall rules, DNAT rules, SNAT rules, and so on, which I will take you through in detail in the respective lecture. And the next tool that you can use is NSG, which stands for Network Security Group, and also you can use application security groups, OK.

And in order to protect the traffic between your IaaS services, such as the virtual machines and so on, and your PaaS services, such as storage accounts, applications and so on: if you want to protect traffic between these two types of services, i.e. PaaS and IaaS services, you can use service endpoints and policies. Using service endpoints and policies, basically the traffic will be rerouted via the Azure backbone, so that the traffic never leaves the Azure periphery. OK. And finally, in terms of network security, one of the very, very important things is remote access management. I will show you in the upcoming lectures and lab demonstrations how many ways you can provide remote access to Azure virtual machines and similar services.

OK, and the next security area is storage. In storage security you have the storage firewall, using which you can control from which IP addresses and virtual networks you want to accept connections to your storage accounts. And also you can use access keys and SAS keys to control access to the data within the storage account. And recently the data plane security within the storage account has been integrated with Azure Active Directory, whereby there are some operational roles that got introduced, which I will discuss in detail in the upcoming lectures. And finally, Storage Service Encryption is available, and it is automatically enabled for all storage accounts. OK, and the next area is host security.
You can implement endpoint protection using Microsoft Antimalware, but also you can implement some third-party endpoint protection such as Symantec and so on. And there is something called the Update Management solution, using which you can make sure all the critical patches or updates are happening on all IaaS VMs. OK, I will show you in the upcoming labs and lectures how you can implement the Update Management solution. And finally, you can use Azure Disk Encryption in conjunction with Azure Key Vault to encrypt the disks associated with Azure virtual machines.

And the next key security area is data security. With respect to data security, for Azure SQL databases there is something called Advanced Data Security, which you can enable. If you enable that, you get lots of capabilities such as data classification, vulnerability assessment, Advanced Threat Protection and so on. OK, I will show you how to implement all these things in the database security section of this course. OK, and you can implement Azure SQL Database Always Encrypted, and you can configure encryption in transit and at rest. And in terms of Cosmos DB, Data Lake Store and HDInsight security, there are lots of features available; it is simply not possible to list them all on a single slide.

And finally, if you want to protect your encryption keys, connection strings and any highly confidential information, you can use Key Vault in Azure. This is basically a cloud-based HSM store where you can use either software-based HSMs or hardware-based HSMs. OK, we have a dedicated section on Azure Key Vault where I'm going to explain further about this.

And the next topic is application security. As you can imagine, you can upload SSL or TLS certificates, and also you can integrate your application with third-party identity providers.
They can be Facebook, Google, Twitter, or you can integrate with Azure Active Directory. The beauty of this is you don't need to change anything in your application, because App Service authentication happens before the request goes to your application anyway. Don't worry if you don't understand; I will explain it to you in detail in the respective lecture. And also, it is not only about securing your application that is hosted in Azure. It is also about securing the deployments that are happening in Azure, particularly with respect to code deployment. I will show you in this course how you can securely deploy code into Azure App Service using Azure DevOps. OK, earlier it used to be called VSTS, but now it is called Azure DevOps.

OK. And finally, we need to monitor all these things, and for that purpose Azure provides two key monitoring tools. One is Azure Monitor, which includes metrics, activity logs, Azure Monitor logs, etc. And you have Security Center, which is a dedicated, centralized monitoring tool where you can configure the data collection and also coverage and what type of security policies need to be applied, and it generates lots of recommendations based on the security policies, which you can view, and implement those recommendations. In addition to all these things, Security Center also provides security alerts, which will alert you when any abnormal behaviour is identified by Microsoft in your resources. We have a dedicated lecture on Security Center where I'm going to take you through it in detail, because it is such an important tool. I have never seen an Azure deployment without a strong emphasis on Security Center, because that is where you will get a snapshot of the security posture of your solution. OK, so that's it. These are all the services that are available in Azure
in order to implement security controls to protect your workloads in Azure. In the subsequent lectures and labs, I will pick each one of these tools, I will explain the concepts, and I will show you how to implement those tools in order to improve the security posture of your solution. OK? It's going to be very, very exciting, I think. So join me in this journey of learning Microsoft Azure security.

2. Introduction to Azure Active Directory and its capabilities: Hi. Welcome to this lecture. In this lecture, I'm going to provide you an overview of Azure Active Directory and its key capabilities. Azure Active Directory is a leading provider of cloud-based identity as a service and provides a broad range of capabilities for enterprise organizations. To put it in a nutshell, Azure Active Directory is a cloud version of Windows Active Directory and comes with lots of capabilities. So let me take you through some of these capabilities now.

The first capability is managing user accounts. You can register users and provide access to those users for different applications that are located on-premises, in the cloud, third-party applications, and applications located within Azure. Also, you can group these users into groups and provide authorization at a group level rather than at the individual user level. Generally, in a real-world scenario, you define lots of groups within Azure Active Directory, put users into those groups, and provide access to the applications at a group level. OK, in addition to all those things, with Azure Active Directory you can have a My Apps panel, so basically the user can log into the panel and be able to view all the applications for which their admin granted access. So, for example, if you log into Office 365, then you can see lots of apps there; you can see OneDrive, Power BI, Planner and so on.
Similar to that, when a user logs into the My Apps panel, they can see all the apps to which they have been given access. OK, and the second capability is multi-factor authentication. These days, if you're logging into your banking portal, it will ask for user and password, and also it will send a code to you. Either they can send the code as an SMS to your mobile, or to email, or as a phone call, and sometimes they have their own authenticator apps, basically, which will generate the code, and you use the combination of user and password and the code in order to log into your respective application. So to achieve that capability, Azure Active Directory has multi-factor authentication, which you can use to enable two-factor authentication.

And the next thing is conditional access. Using this, you can define a number of rules. One rule can be that access to that application should be coming from a specific network location, and access to that application should be from a managed device, and so on. So you can define those rules in Azure Active Directory and apply them to a group of users. By the way, conditional access is not a first-line defence; the user will still be able to log in. But once they log in, Azure Active Directory will check what rules are configured and apply those rules. So, for example, if you're logged in from the Internet, not from the location you have configured, then a message will be displayed to the user that you are not permitted to access the application from this network location. OK, and finally identity protection. Using this, you can detect potential vulnerabilities and also automate some actions when a risk is identified. OK.
In addition to managing user accounts, you can manage devices also in Azure Active Directory. Because Azure Active Directory is very closely integrated with Intune, you can register the devices within Azure Active Directory and also manage different properties associated with the devices. It is very easy to manage Windows 10 devices, because the moment you AD-join with Azure Active Directory, the device will get automatically registered within Azure Active Directory. And also you can manage iOS and Android device identities also. OK, and with the combination of conditional access and these device capabilities, you can implement conditional access based on the device also. So, for example, you want your users to be logging into OneDrive or Office 365 apps only from those devices that are managed by you. You can implement that particular conditional access also, using the combination of devices and conditional access.

And the next thing is on-premises identities. In 99% of the cases, you might have only user accounts existing in your Windows Active Directory, and when you are trying to migrate into the cloud, you can synchronise the identities existing in Windows Active Directory into Azure Active Directory using AD Connect. By doing that, your users can use the same user ID and password to log into different applications situated either in Azure, or third-party cloud applications, or your on-premises applications. So that's the beauty of it. Once you synchronize your identities in on-premises Windows Active Directory into Azure, the user can use the same user ID and password, so they don't need to use two different logins. OK, and there is one more capability called App Proxy. This basically enables you to expose your on-premises applications to users outside your network securely.
I'm going to explain App Proxy in a bit more detail in the subsequent slides. And in terms of managing the identities of your third-party service providers, you can use Azure AD B2B. So, for example, your IT landscape might be supported by two or three service providers like Accenture, IBM and so on. In that case, you can use Azure AD B2B in order to provide access to Azure resources to the support users without actually creating a proper identity; you'll invite them as guest users and start providing access to those guest users to different resources within Azure. And also guest users will have controls in place. They can't do certain things that normal users can do; they are very restricted. In that way, you can secure your resources also. OK.

And the next capability is Azure AD B2C. In case you are developing an application like Facebook, or, you know, Salesforce, something like that, you need to manage the identities of millions of users. In that case, you can use Azure AD B2C in order to manage those identities.

Now, in a real-world scenario, your applications might exist in different places. Some of the applications might be in an on-premises data center. Some of them might be a SaaS application like Office 365 or Dynamics 365. Some of the applications might be hosted in Azure App Service, and some of them might be hosted on Azure virtual machines also. OK. The good thing about Azure Active Directory is it has pre-integration with Intune, Office 365, Dynamics, Salesforce and thousands of other SaaS applications, so you have prebuilt integration with many of the SaaS applications, so you don't need to worry about integrating from scratch. And also Azure Active Directory can be integrated with Azure PaaS services such as web applications, API apps, mobile back-end services, etc. You don't need to change any code in those applications for integrating Azure Active Directory. OK?
And finally, Azure Active Directory can be integrated with applications on Azure virtual machines also, and more importantly, you can use the domain services of Azure Active Directory in order to domain-join virtual machines also, so you don't need to install domain controllers for this. You can use Azure AD Domain Services to domain-join VMs and for all other related capabilities. OK, so this is all about Azure Active Directory and its key capabilities.

Now let me take you through user accounts, AD Connect and App Proxy in more detail. Firstly, Azure Active Directory can have different types of identities. Generally, when you think of Active Directory, you might think of users and managing the users. But an identity is not simply a user. It can be a user, it can be a managed identity, it can be devices, and it can be a group of users also. So let me go through them. Firstly, user: a user can be any individual who can be given access to apps and resources based on your requirements. So everybody knows about this, OK?

And the next thing is managed identity. There are two types of managed identities that you can create. One is system-assigned managed identity and the second one is user-assigned managed identity. So what is this managed identity all about? It's basically the creation of an identity for a resource within Azure. So, for example, you can create an identity for a virtual machine and provide access to that identity to different Azure resources. So, for example, you have a virtual machine within Azure; for that virtual machine you can create an identity and provide access to Azure Key Vault to that particular identity. So any application running on that virtual machine need not have a user ID and password. It can use this identity in order to access Azure Key Vault, like connection strings and secrets and so on. So the beauty of this is you don't need to store any credentials in your system configuration, web.config or config files. OK.
And there are two types of identities. Either you can create the identity when you're creating that resource itself; that means that identity is tied to the resource. When the resource is deleted, that system-assigned managed identity will get deleted. Or you can create a standalone identity and provide access to that identity to different resources. So, for example, if you want to use a system user in order to perform some admin actions on different applications, for that purpose you can use this user-assigned managed identity. OK.

And the next thing is devices. Devices are also an identity within Azure AD, and using these device identities you can configure device-based conditional access. So, for example, you can restrict the user to log into your applications from the devices that adhere to a certain configuration. So if the configuration compliance is not there, then the user will not be able to access the application. OK?

Now, the final one is group. A group is basically a group of users, and you can assign access to the group, which will be inherited by each user within that group. OK, let me take you through these groups in a bit more detail, because it is really important. 99.99% of the time you will always use groups within Azure Active Directory. Azure AD helps you give access to organization resources by providing access to an entire Azure AD group. Using a group lets the resource owner assign a set of permissions to all members of the group instead of having to provide rights one by one. OK, so there are four ways you can assign resource access rights to your users. The first one is you can assign individually. That means you are directly assigning access to the user. Secondly, you can do it at group level. So you basically define a static group, that means a fixed number of users within that group, and provide access to group members at a group level for a specific application.
OK, the third one is rule-based assignment. Basically, in this case, the resource owner creates a group and uses a rule to define which users are assigned a specific resource, and the rule is based on attributes that are assigned to individual users. So, basically, let's say for all managers I want to create a group, and for all managers I want to assign access to an application. However, as part of the hire-to-retire process, there are many managers that will be going out of the company and there are many managers that are coming into the company. Instead of managing them individually, you can define a rule in such a way that any user with the job title of manager will be included in that specific group. OK, so that is rule-based assignment. And finally, external authority assignment. Basically, you will define the group, but the access comes from an external source such as an on-premises directory or a SaaS app. So if you are having your own identity management solution separate from Azure Active Directory, then the access to Azure resources you can define in the identity management solution and cascade into Azure Active Directory using external authority assignment.

OK, now we have talked about AD identities and groups. There is some other thing called hybrid identity which is very important for you to understand. So let me take you through that in a bit more detail. A hybrid identity is a common identity for authentication and authorization to all resources regardless of location. So, basically, you have an identity already existing in your Windows Active Directory within your on-premises data center; that identity you can synchronize using AD Connect into Azure Active Directory. Essentially, you are creating a hybrid identity, and that hybrid identity can access resources either in Azure, or a third-party application, or applications existing within your on-premises data center. They can use the same user and password across the board. OK, and Azure AD Connect
can be configured in a number of ways. You can do password hash synchronization or you can do pass-through authentication. Both of them will achieve the same outcome. Basically, the user will be able to use the same user and password to log into all applications. But the difference between pass-through authentication and password hash synchronization is: in pass-through authentication, the user's login credentials will be authenticated against the Windows Active Directory that is residing on-premises. OK, but whereas with password hash synchronization, you're actually synchronizing the hash of the hash of the password. So in that case Azure Active Directory itself authenticates the user; it doesn't need to go to Windows Active Directory. OK, in pass-through authentication you are not synchronizing the password hash; any login attempt made by the user will internally go to the on-premises AD in the case of pass-through authentication. And in addition to those two, you can use Azure AD FS and do federation integration. And the fourth capability of AD Connect is basically synchronizing all these accounts. And finally, you can also monitor the synchronization status, how it is getting on, and any issues you face, you can resolve them. OK, so this is all about hybrid identities and Azure AD Connect.

And finally, App Proxy. This is one way using which you can expose your on-premises applications to remote clients securely. So Application Proxy is a feature of Azure AD that enables users to access on-premises applications from a remote client. Application Proxy includes both the Application Proxy service, which runs in the cloud, and the Application Proxy connector, which runs on an on-premises server. Basically, the way it works is the user will access the application through an endpoint, and the endpoint redirects the user to
the Azure AD sign-in page. Once the user successfully signs in, Azure Active Directory will return a token back to the end-user client, and that client sends the token to the Application Proxy service, which retrieves the user principal name and security principal name from the token and sends the request to the Application Proxy connector, and from that Application Proxy connector the request will be forwarded to the application. Ah, if you configure single sign-on, then the connector will perform any additional authentication required on behalf of the user and then send the request to the on-premises application. And in the end, the response is sent to the connector and through the Application Proxy service back to the user. OK, the big advantages of this are: your users can be spread across, and you don't need to have network connectivity with them, because network connectivity itself is a big task. And secondly, you don't need to open any inbound firewall rules. So the request and response will work in an outbound fashion. So in this way, you're not punching holes in your internal firewall. OK, so this is all about App Proxy.

So that's it for this lecture. In this lecture, I have taken you through Azure Active Directory and its key capabilities. I have also taken you through what kinds of identities exist in Azure Active Directory, how you can do assignment of access levels to users using groups, and also about hybrid identity. And finally, I have taken you through the App Proxy. The next lecture is a lab where I'm going to show you how to add users into Azure Active Directory, and also go through some of the key settings, like the password reset policy and also default user settings, the difference between users and guest users, etc. So if you have some time, join me in the next lab.

3. Lab demo - Walkthrough of the key capabilities of Azure Active Directory: Hi. Welcome to this lab. In this lab,
I'm going to show you how to manage user accounts, configure user settings and password reset policies in Azure Active Directory using the Azure portal. In order to launch Azure Active Directory, you click on Azure Active Directory here, or type in Azure Active Directory. Once you launch it, you'll be shown this page. This is basically the central window of Azure Active Directory. Now, in order to manage users, you use Users here. Here you can add two types of users: your normal internal users, and guest users, who are also called external users. Generally you'll use guest users in order to invite your service providers' users to manage your Azure resources. That's the common scenario that I have seen where I work on cloud implementations. Basically, your company will have a number of service providers who are providing IT services to you, and you want to invite users from them in order to manage your Azure resources. In that case, you will grant guest user access. So the big difference is that you're not maintaining the actual user information; you are basically only inviting them to access your Azure resources. And also, by default, any user added into your Azure Active Directory will have a higher access level compared to guest users.

So first of all, let me add a new user here. For the user name I'm going to give something; this is not a real email ID, by the way. In the profile here you can give some personal information and work information. Properties, I'm not so sure about this, why it is used; maybe Azure Active Directory is using it internally. The next thing is groups. This is very important. You can assign an individual user to a particular group and provide access to different applications at a group level. So instead of managing access for individual users, you are managing access for a group of users; in 99.99% of the cases this is how you do it in a real-world scenario. The next thing is directory role.
You have three roles. The first one is User, which is basically a normal user to whom you can provide access to different applications. But you can have Global administrator also. Basically, by giving Global administrator access you are giving full control of all directory resources. Be very careful when you are providing this access, because normally you should have only one or two individuals who hold Global administrator access. Then you have a number of limited administrators based on the requirement. For example, if somebody wants to manage the costs of Azure resources, they can be given Billing administrator; if somebody wants to manage identities such as users, then you can give Authentication administrator; for device management you can give Cloud device administrator; and so on. In this case, I'm going to leave it as User. You can see here that a password is also automatically generated. So let's click on Create in order to create this user. See, a user got added.

Now let's invite a guest user. Here you're not creating the user, you're inviting the user. That means you are not providing any personal information like job title, first name, last name; all that stuff you don't need to provide. And you can invite any user; however, you can control from which domains you want to invite users, so you can restrict people from inviting users from a particular domain, or you can allow users from a particular domain only. So, for example, if your service providers are Accenture, IBM, TCS, Infosys and Wipro, then you can whitelist those domains in terms of external user invite access and only invite users from those service providers. Let's say I want to invite my personal ID into this Active Directory in order to provide access to one of the folders in my OneDrive. Let's say that is the use case scenario. This is to invite access to a OneDrive folder. Let's click on Invite.
This will send an email to my personal email ID. Now let me go into my personal email. Here you go, and you can see here: you are invited to the Drop Products and Services LTD organization. Click on it, and you can see here that this is to invite access to OneDrive folders. You click on Get started and you need to provide your credentials now. So you need to accept. Let's click on Accept, and this will generally launch my access panel. It's taking some time. See, in case you provided access to a number of applications to this particular user, they can see them here. Now, let's say I want to provide access to one of my OneDrive folders to this particular user. Let me go into OneDrive, and let's say I want to share this folder with that particular external user. In that case, click on Share, then change this to specific people, apply, and type in the address. That's it, click on Send. Now you should be able to see an email here. You can see here, click on it and you can open it. That is how you can provide access to your folder in OneDrive, and in the same way you can provide access to a number of applications.

Now let's go back to the Azure portal. The next thing is password reset policies. Here you can define a password reset policy. Using this policy, you can enable self-service password reset either for all the members of your organization or only for selected members of the organization. So once you select a group, only the members of that group will be able to do self-service password reset. And in order to do that password reset, you can define the authentication methods also, like which authentication a user needs to follow. Sometimes you can have two authentication methods, sometimes you can have only one. So, for example, if you want to do a password reset, you'll request a password reset and an email will be sent to your email ID; you need to click on that link to reset the password.
Similarly, you can use a mobile phone also. If you go to Registration here and select Yes here, that means your users are able to select the authentication method, whether they want email or mobile phone; they can select what should happen in order to do their password reset. If you come down here to Notifications, here you can define whether users need to be notified about password resets or not, and also, from an admin's perspective, when one admin does a password reset, whether you want to notify all the admins or not, you can define here. You can do further customization here: instead of just displaying the message "contact your administrator", you can replace the link with a custom help desk link. The next thing is on-premises integration. Here you can define whether you want to write back passwords to your on-premises AD or not, and you can define whether users are able to unlock the account without a mandatory password reset. So, for example, if I forgot my password, I want to reset it; but if by mistake I typed the password wrongly, I want to keep the same password. You can enable them to unlock the account rather than resetting the password itself. So these are all the settings related to password reset policies.

Let's close this. Another important thing is User settings. These are the settings that you can use in order to influence the default access levels. So, for example, here is app registrations: whether users can by default register applications or not, you can define here. By default you should put it to No, because I don't think in any circumstances you want users to register applications. Similarly, administration portal: you can restrict access to the Azure AD administration portal for your users. But bear in mind, this will not restrict them from doing Azure administration via PowerShell. This is only restricting access to the
Azure AD administration portal. And here also, in terms of enterprise application settings, you can configure some of them here, but they're very straightforward. You can see some of the settings: users can consent to apps accessing company data on their behalf. So, basically, just like I have given access to my personal email account in this Azure Active Directory, if you want to allow users like that, then you can select Yes here; basically that will allow applications to access user data like first name, last name, email ID and so on. But in most circumstances, you might select No. Then, in the access panel, whether users can add gallery apps or not, you can define here. And also, generally users tend to have two kinds of access panels: one is Office 365 with all those Office 365 apps, and the second access panel is all the other applications, like Salesforce, Dynamics 365 and so on, if you have given access. If you want to club everything into one portal, then you define No here; that means the user will be able to see both Office 365 apps and also normal apps within a single portal. But if you want to restrict Office 365 apps to the Office 365 portal only for your users, then you select Yes here. So let's close this.

And finally, one other important thing is external users. You do not want external users to do certain things, and also you do not want everybody to invite external users at will. So using these configuration settings here, you can define whether your guest user permissions are limited or not. I would say always select Yes for that. "Admins and users in the guest inviter role can invite": Yes, as long as the role is assigned properly to a user, then only those users should be able to invite guest users. And for the next setting I selected No, because I don't want my users inviting any guests.
And also, I don't want any guests to invite further guests; I don't want them to do that. Also, if you want to restrict access further, you can use this feature. And if you come down here, here is where you can restrict the domains from which your admins will be able to invite users. So if you want to deny, for example, Hotmail and Gmail, you can configure that here. Or if you want to allow invitations only from Accenture, IBM or, you know, some specific service providers, so that you want to invite users from those domains only, you can configure that here. These are all the external collaboration related settings. You need to make sure you select rightly here; otherwise you'll very quickly lose control of your Azure Active Directory in terms of external users' access. Make it as restrictive as possible to start with, and slowly relax it in case it is required. So, for example, if some service provider has won a contract, in that case you can invite users from their domain by configuring it here. So let's close this.

And finally, access panel. Let's click on it here. Here, within your access panel, you'll be able to allow the users to register for self-service password reset and all that stuff. So if you select All, that means everybody can do that. But if you want to restrict it to only a few people, then you can select a group here. And one more thing: when you select Selected or All here, the user will be able to not only register for self-service password reset, they can also register for multi-factor authentication. So these are all the user settings that you need to configure properly before you start creating accounts in this directory and also start managing identities. So that's it for this lab. In this lab
I have shown you how to add a user into Azure Active Directory and also how to add a guest user, and taken you through some of the configuration that you can do in terms of password reset policies and also default user settings. I hope you find this lab useful.

4. Introduction to Azure Role Based Access Control

Hi, welcome to this lecture. In this lecture, I'm going to provide you an introduction to role based access control. Role based access control is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. So if you are attempting to understand role based access control, you need to understand three dimensions of it, and it is the perfect alignment of all these three dimensions that delivers role based access control. So let me take you through these three dimensions. The first dimension is security principal. You can call this identity also, but in Azure it's called a security principal. A security principal is an object that represents a user, group, service principal or managed identity to which access to resources is assigned. A user is basically an individual; a group is basically a group of individuals, or of service principals or managed identities also. You will use a service principal whenever you want access to resources from an application. In that case, you'll create a service principal and you will get a client ID and client secret, and using that your application will start accessing Azure resources. The last one is managed identity. When you are creating Azure resources, for example, let's say a virtual machine, you can create a managed identity automatically when you're creating the virtual machine.
And once the managed identity is created, you can provide access to different Azure resources to that managed identity, and any application that is running on the particular virtual machine with which this managed identity is associated can access Azure resources without having a username and password. I will explain managed identity in a bit more detail in the subsequent lab demos. The second dimension of role based access control is scope. The scope is the set of resources that access applies to. So when you assign a role, you can further limit the actions allowed by defining the scope. Basically, scope is what resources you're providing access to for the security principal. And the third dimension is role definition. A role definition is a collection of permissions. It's sometimes just called a role. It basically lists the operations that can be performed, and it also lists the operations that cannot be performed. So role based access control is basically the alignment of all these three dimensions: you define to whom you want to provide access, you define to what you need to provide access, and finally you define at what level you want to provide access. So let me take you through these three dimensions in a bit more detail, because it is extremely important that you understand them. The first one is security principal. A security principal can be a user. A user is basically an individual who has a profile in Azure Active Directory, and you can assign roles to users in other tenants also; I have shown you in the previous labs and lectures how you can add guest users. Guest users are possible because of the B2B capability of Azure Active Directory. The next one is group. A group is basically a set of users created in Azure Active Directory. When you assign a role to a group, all the users within that group will have that role.
And by the way, I just want to stress one point: when I say a set of users, it can be a set of service principals also, it can be a set of managed identities also; it need not be users only. The next thing is service principal. A service principal is basically a security identity used by applications or services to access specific Azure resources. So you can think of it like a user identity, because even a service principal will have a client ID and client secret, which is basically equivalent to a username and password, and you can have a certificate also. And finally managed identity. It is an identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services. As I explained earlier, the best example is a virtual machine. When you are creating a virtual machine in Azure, you can specify during the creation itself that you would like to create a managed identity. In that way, Azure will automatically create a managed identity for that virtual machine, and to that managed identity you can provide access to different Azure resources. Don't worry if you don't understand it; in one of the lab demos I'm going to show you how to create this managed identity, provide access to it and also access Azure resources using this managed identity. And the next thing is role definition. A role definition lists the operations that can be performed, such as read, write and delete. It can also list the operations that cannot be performed, and also operations related to the underlying data. So basically a role definition will contain two things. The first thing is management operations: what you can do and cannot do at a management level. And the second thing is data operations: basically, what you can do and cannot do with respect to the data within that Azure resource. By the way, this data part is very new.
It is currently in preview, but I thought it would be useful for you to understand that you can put DataActions and NotDataActions also in the role definition. So what constitutes management operations and data operations? Let me take the example of a storage account. With a storage account, you can manage the storage account and containers using management Actions and NotActions. But with respect to the data operations, you can control what users can do with the data in the blob by defining a proper role. The next thing I would like to take you through is role types. There are two role types. The first one is Azure RBAC roles. Azure RBAC includes 70 built-in roles. However, there are four key ones that you need to understand: the first one is Owner, the second one is Contributor and the third one is Reader. The difference between Owner and Contributor is that if you get assigned Owner, you can assign roles to other users also, but with Contributor you can only manage that resource; you can't delegate access to somebody or assign access to somebody else. With Reader, you get only read-only access. Finally, there's something called User Access Administrator. Using this, you can build custom roles also. In order to build custom roles, a particular user should be assigned either of two roles: one is Owner and the second one is User Access Administrator. Remember that; that might be an exam tip. The second type is Azure AD administrator roles. Azure AD administrator roles are used to manage Azure AD resources in a directory, such as create or delete users, assign administrator roles to other users, reset passwords, manage user licences and manage domains, etc. So there are a lot of administrator roles; for example, Billing administrator, using which you can update payment information for a subscription, and so on.
I will take you through, in the next lab, where you can set this Azure AD administrator role for a particular user. The final dimension of role based access control is scope. A scope is the set of resources that access applies to, and when you assign a role, you can further limit the actions allowed by defining a scope. So basically a scope is a set of Azure resources, and by assigning the role you can limit what a user can do and cannot do on a particular set of resources. In Azure, you can specify a scope at a number of levels. You can assign a role to a particular user at the management group level, the subscription level, the resource group level or the resource level, and all scopes are structured in a parent-child relationship. That means when you provide access to a particular user by assigning a role at a management group, then all the resources under that management group, in other words all the subscriptions, resource groups and resources under that management group, will inherit that access. So, for example, let's say I have provided Contributor access on a subscription to a particular user. Then that particular user will have Contributor access to all the resource groups and resources within that subscription. Don't worry if you don't understand that; I'm going to show it to you in the next lab demonstration and everything will become clear to you. And finally, all these three dimensions, the first one being security principal, the second one scope and the third one role definition, should come together to assign access to a resource for a particular user at a particular level; that is called a role assignment. A role assignment is basically the convergence of all these three dimensions. So, by definition, a role assignment is the process of attaching a role definition to a user,
group, service principal or managed identity at a particular scope for the purpose of granting access. So you'll always provide access to Azure resources by creating a role assignment, and you can revoke access by deleting that role assignment. I hope you've got a good understanding of role based access control. So that's it for this lecture. The next lecture is a lab where I'm going to take you through the different roles that you can assign in Azure. I'm also going to assign a role to a particular user at the subscription level and show you how that access is inherited by all the resource groups and resources within that subscription. And finally, I'm going to show you how to create a custom role and apply that custom role on one of the resources for a particular user. So it's going to be an interesting lab. If you have some time, join me in the next lab.

5. Lab demo - Walkthrough of roles, Custom role creation and assignment

Hi, welcome to this lab. In this lab I'm going to show you a number of things. Firstly, I'll give a walkthrough of the built-in roles available in Azure Active Directory. Secondly, I'm going to show you how to do a role assignment at the subscription level, and I'll also show you how it gets inherited by the resource groups and resources within that subscription. And finally, I'm going to create a custom role, assign that custom role to one of the users and validate that custom role. So firstly, let me take you through the built-in roles. In order to do that, let's go to the Azure portal and click on Azure Active Directory. If you click on Users and select one of the users, let's say this one, and then go into Directory role, this is where you can assign a directory role. So if you click on Add role here, then you can see the different directory roles that are available. Most of them are limited administrator roles, but you can assign the User role,
the Global administrator role or a limited administrator role. When I say limited administrator, basically that role will contain a defined set of activities related to a particular purpose. So, for example, Billing administrator can update payment information related to the subscription. Similarly, you have other administrator roles. And you don't need to assign it here; when you are creating a new user, you can assign a directory role. So here you can see User and Global administrator, and if you select Limited administrator, you can see the different roles. These are one type of role. The second type: if you go to a resource group, click on the resource group and go to Access control. By the way, this Access control will be there for every Azure resource. So generally you see Access control here for every Azure resource, and if you click on Access control, here you can see Roles. Some of these roles are common to all resources. So, for example, Owner, Contributor and Reader are common to every resource in Azure. However, the other roles you see here are specific to the resource. So for a resource group you can see these kinds of roles, but if you go to a storage account within that resource group, click on it, click on Access control and then click on Roles, you can see different types of roles. So, for example, Storage Account Contributor. Sorry, you can't see it properly; let me drag this up and come down. You can see Storage Account Contributor. This is basically a specific role for storage accounts.

Now I want to add a role assignment, not for this; I want to go into Subscriptions, click on Subscriptions, go into Azure Trainings, click on Access control and then Add role assignment here, because I want to show you how this role assignment gets inherited by all child resources within this subscription. So let's say I want to assign the Contributor role, and
I want to assign it to the new user that we created earlier. You can click on Save here. By the way, when you are carrying out a role assignment, the role assignment need not be to a user; it can be to a group of users, and it can be to a service principal also. So click on Save. Now the role assignment has been successfully added. So if you click on Role assignments here, now you can see two principals got access: one is a service principal and the other one is a user. Now, if you go to Resource groups under this subscription, click on it, click on the resource group, go to Access control, click on Role assignments, and you can see this user that we added at the subscription level. Because we added this role assignment at the subscription level, it got inherited by the resource group within that subscription. And if you want to view a resource, let's click on it here and click on the storage account. This is a resource within that resource group, which belongs to the subscription to which we have assigned the role. So if you click on Access control, Role assignments, even the resource also inherited this particular role assignment from the subscription. I wanted to show you this.

Now it's time to create a custom role and assign that custom role to a particular user. If you want to create a custom role you have to use Azure PowerShell or Azure CLI; it is not yet available in the Azure portal. So let me go into my Windows 10 device, then let me close this and launch Windows PowerShell. I'm going to launch it as administrator; you don't need to do that, but I just want to do it. Now we need to connect to our Azure account before we start creating the custom role. So let me type in the command and provide my username and password. Now I have successfully logged on, and when you're planning to create a custom role,
generally the approach is to download the role definition of an in-built role, modify it and create a custom role. So rather than working from scratch, use the existing roles and modify them according to your requirement. In this case, I'm going to use the Storage Account Contributor role and modify it in such a way that I block access to delete the storage account. So basically the storage account can be managed, but I don't want my users to delete the storage account. That kind of privilege I don't want to give, so let's create a custom role with that kind of access control. In order to do this, first of all I need to get the role definition of Storage Account Contributor. So let's get that, and I'm going to put the content of the role definition into a JSON file so that we can edit it and create the new custom role. I am basically outputting this JSON file into the Documents folder. So let's see whether this command will work or not. It successfully worked. So let's go into the Documents folder, and this is the JSON file. Right-click on it and open it with Notepad. Here you can see what actions that user can do and cannot do. So you can do a lot of actions, and from the storage account perspective he or she can do everything. But my requirement is that I want my user to do everything related to storage accounts from the management perspective, but I want to block the deletion of the storage account. So let me copy this and paste it here, and I'm going to say delete here. Basically this is NotActions, and I'm putting delete there. By doing that, I'm basically blocking the user from deleting the storage account. And before you start creating the custom role, you need to delete this Id here, and also the name. This is a custom role, so I'm going to put "Custom" here and "except deletion" here, and IsCustom is true actually, so I'm going to change this. So that's it, we have changed everything.
But in case you want this custom role to be in a particular subscription, you can assign a scope here, so you can make this role visible only in a particular subscription. In this case, I want this role to be created in my Azure Trainings subscription. So let me get the ID of the Azure Trainings subscription. Click on it here and type in the command Get-AzSubscription. Sorry, it's a spelling mistake. I have two subscriptions; now I'm going to copy the ID of Azure Trainings, then go into the JSON file here, type in /subscriptions/ and paste the ID of the Azure Trainings subscription. So that's it. We made the changes: we have changed the name and also the IsCustom flag, we made it true; we changed the description; and we have added a NotAction, sorry, not an action but a NotAction, in order to restrict the user from deleting storage accounts. And finally we assigned the scope of this role to a particular subscription. Hopefully it should work; otherwise I'll resolve it here. So now I'm going to type in the command in order to create the custom role. Sorry, let me type it in rather than copying. So that's it; let me just wait a little bit. Let's scroll down. Now our custom role, which is Custom Storage Account Contributor, has been successfully created. So let's go back to the Azure portal and see whether it is reflected in the Azure portal or not. Let's close this, click on the storage account here, click on Access control and check Roles. My gut feeling is it might not be reflected yet, but you know what, it's reflected, so that's great. So if you look at this a little bit, you can see it here, and you can also see the difference between a standard role and a custom role in terms of the icon. Now I want to assign this custom role to one of the users and validate that role. Basically, that role should not allow the user to delete the storage account. So click on Add role assignment and type in custom.
And I want to assign this role to the user we created earlier, and click on Save. Now I have added the role assignment, and if you click on Role assignments, I have three now: I have the same user with the Contributor role and with the Custom Storage Account Contributor role, and also the service principal with the Contributor role. Now, in order to test this Custom Storage Account Contributor role, I need to delete the Contributor role assignment. So click on it and click on Delete. Oh, inherited. This is a good thing actually: inherited role assignments cannot be removed here. Let me go into Subscriptions, click on it, click on the subscription, go to Access control, then click on it here and delete it. Now, if you go to the storage account, you should see only one role assignment from the perspective of the user. Still not reflected; I think now it is reflected. Now the user has only one role, which is the custom role. Now I'm going to log off and sign in with that user and see whether our custom role is working properly or not. Let me zoom in a bit. Click on All resources. You might not see the resource groups because this user doesn't have access at the resource group level. So click on Storage accounts. You can see the storage account here; click on it and let's try to delete it. Once the user tries to delete, if the custom role is working properly, then he or she should get an error. So let's click on Delete. See, it's getting an error because the authorization is not there to perform the action. So that's it for this lab. In this lab, I have shown you where you can see directory roles and also RBAC roles, I have shown you how to do a role assignment at the subscription level and how that role assignment is inherited by the resource groups and resources within that subscription, and finally I have shown you how to create a custom role, assign it for the storage account and also test that role.
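The custom-role procedure from this lab as an Azure PowerShell script, added here as an example; it is not the course's own script. It assumes the Az PowerShell module is installed, and the subscription name, sign-in name and resource group name are placeholders to replace. It follows the same approach as the lab: start from the built-in Storage Account Contributor definition, subtract the delete operation with a NotAction, scope the role to one subscription, assign it, and then confirm that an assignment made at subscription scope shows up at a resource group below it.

```powershell
# Added example, not the course's own script. Assumes the Az module; the three
# values below are placeholders.
Connect-AzAccount

$subscriptionName = 'Azure Trainings'        # placeholder: subscription to scope the role to
$userSignIn       = 'user@contoso.example'   # placeholder: user who receives the role
$resourceGroup    = 'rg-storage-demo'        # placeholder: a resource group in that subscription

$sub = Get-AzSubscription -SubscriptionName $subscriptionName
Set-AzContext -SubscriptionId $sub.Id | Out-Null
$subScope = "/subscriptions/$($sub.Id)"

# 1. Start from the built-in role and turn it into a custom definition.
#    Id must be cleared so Azure allocates a new GUID; IsCustom must be true.
$role = Get-AzRoleDefinition -Name 'Storage Account Contributor'
$role.Id          = $null
$role.Name        = 'Custom Storage Account Contributor'
$role.Description = 'Storage Account Contributor, except deletion of storage accounts'
$role.IsCustom    = $true

# Actions keeps the full Storage Account Contributor management surface;
# NotActions subtracts the one operation we want to withhold.
$role.NotActions.Add('Microsoft.Storage/storageAccounts/delete')

# Make the role visible only inside this subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($subScope)

$custom = New-AzRoleDefinition -Role $role
"Created role '$($custom.Name)' with NotActions: $($custom.NotActions -join ', ')"

# 2. Assign the custom role at subscription scope (the lab does this in the portal).
New-AzRoleAssignment -SignInName $userSignIn `
                     -RoleDefinitionName $custom.Name `
                     -Scope $subScope | Out-Null

# 3. Inheritance check: listing the user's assignments at the resource group
#    shows the subscription-scoped assignment, with Scope pointing at the parent.
Get-AzRoleAssignment -SignInName $userSignIn -ResourceGroupName $resourceGroup |
    Select-Object RoleDefinitionName, Scope
```

To validate the role the way the lab does, sign in as the assigned user and attempt a storage account deletion (for example with Remove-AzStorageAccount); it should fail with an authorization error while management operations such as listing keys or changing the SKU still succeed. Note that NotActions only subtracts from what this role grants; it does not deny an operation that another assignment on the same principal grants, which is why the lab has to remove the inherited Contributor assignment before testing.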
OK, I hope you find this lab very useful.

6. Lab demo - Creation of Dynamic group and role assignment:

Hi, welcome to this lab. In this lab I'm going to show you how to create a dynamic group and provide access for that dynamic group to one of the storage accounts. I'll also take this opportunity to take you through some of the group-related settings. To kick things off, let's go to the Azure portal, click on Azure Active Directory and click on Groups. Let's select one group in order to go through some of the settings. Here you can see Members: members are the members of the group, and they can be users or service principals. Owners are the people who can manage this group, so an administrator can add some owners here, and those owners can start managing the members in the group, adding members or deleting members. If you click on Group memberships you can specify which groups you want this group to be part of, so you can create nested groups: a bunch of groups can be part of another group. The next thing is Applications. Here you can see the applications to which the members get access; in this case I have one application, which is the application proxy sample, and that application can be accessed by any member of this group. Here you can see Licenses, and you can assign licenses at the group level. Generally, when you're working in a corporate environment, you manage licenses at the group level, and as soon as you put a member into that group the license gets applied. The next thing is Azure resources: here you can see all the resources to which this group's members have access. In terms of monitoring, you can view access reviews and you can also see the audit logs. So these are all the settings related to the group.
Now the next thing I want to show you is how to create a dynamic group. In order to do that, first let me go into Users and search for one of the users. Basically, to create the dynamic group I'm going to change the job title of one of the users and use that as a rule within the dynamic group; you'll get to know in a minute why I'm doing this. So click on the user, go to Profile, come down, and I'm going to change the job title to Storage Administrator and save. Let me copy this. Now let's start creating the dynamic group. Click on Groups, click on New group, the group type is going to be Security, the name is Storage Administrators, and the membership type is Dynamic User. You can create a dynamic device group also, but in this case I'm using Dynamic User, and you can add a dynamic query. A query contains rules, and based on the rules and conditions you specify within those rules, whether a user becomes a member of this group is determined. In this case the rule I'm going to specify is: if the job title is equal to Storage Administrator, we want that particular user to be part of this group. So: user.jobTitle equals Storage Administrator. Very simple. Either you can specify it like this, or you can click on Advanced rule and specify it in text format. Add the query and create. Now our group has been created successfully, so let's go into the group, click on Storage Administrators, and here you can see the membership status. See, the processing status is not yet updated, and membership last updated is also not yet updated, so you need to give it a minute or two to complete. I'm going to pause this video and come back once this membership evaluation is completed. Now the membership evaluation has been completed and you can see one member, the user whose job title I changed.
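The following is an added example, not code from the course: a small evaluator for the dynamic membership rule syntax used above (user.property -eq "value", combinable with -and, -or, -not and parentheses), run against a constructed set of user records. It makes visible what the lab relies on: group membership, and with it every role assigned to the group in the next step, follows whatever is written into a profile attribute, so anyone who can edit jobTitle can put an account into Storage Administrators. The user records, UPNs and the case-insensitive string comparison are assumptions of this model.

```python
"""Added example, not the course's code: a local evaluator for the Azure AD dynamic
membership rule syntax shown in the lab (user.<property> -eq "value", combined
with -and / -or / -not and parentheses). The user records are constructed test
data. Membership, and therefore every role assigned to the group, follows whatever
is written into the profile attribute the rule inspects."""
import re

# Quoted strings stay whole; parentheses are always their own tokens.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def literal(tok):
    """Turn a token into a value: "text", true/false, null, or a bare word."""
    if tok.startswith('"'):
        return tok[1:-1]
    low = tok.lower()
    if low in ("true", "false"):
        return low == "true"
    return None if low == "null" else tok


class RuleParser:
    """Recursive descent: or-expr > and-expr > not-expr > atom. -and binds tighter."""
    def __init__(self, rule):
        self.tokens, self.pos = TOKEN.findall(rule), 0
    def peek(self):
        return self.tokens[self.pos].lower() if self.pos < len(self.tokens) else None
    def take(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.take()!r}")
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "-or":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "-and":
            self.take()
            node = ("and", node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() == "-not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()
    def parse_atom(self):
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        prop, op, value = self.take(), self.take().lower(), self.take()
        if not prop.lower().startswith("user."):
            raise ValueError(f"only user.* properties are supported, got {prop}")
        return ("cmp", prop[5:], op, literal(value))


def compare(actual, op, expected):
    """String comparisons are case-insensitive here (modelling assumption);
    a missing attribute (None) never startsWith/contains/matches anything."""
    norm = lambda v: v.lower() if isinstance(v, str) else v
    if op == "-eq":
        return norm(actual) == norm(expected)
    if op == "-ne":
        return norm(actual) != norm(expected)
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if op == "-startswith":
        return a.startswith(e)
    if op == "-contains":
        return e in a
    if op == "-match":
        return re.search(str(expected), str(actual), re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator {op}")


def evaluate(node, user):
    kind = node[0]
    if kind == "cmp":
        return compare(user.get(node[1]), node[2], node[3])
    if kind == "not":
        return not evaluate(node[1], user)
    left, right = evaluate(node[1], user), evaluate(node[2], user)
    return (left and right) if kind == "and" else (left or right)


def members(rule, users):
    """Return the sorted UPNs the rule would place in the group."""
    tree = RuleParser(rule).parse()
    return sorted(u["userPrincipalName"] for u in users if evaluate(tree, u))


# Constructed directory data (not real accounts).
USERS = [
    {"userPrincipalName": "alice@contoso.example", "jobTitle": "Storage Administrator", "accountEnabled": True},
    {"userPrincipalName": "bob@contoso.example", "jobTitle": "storage administrator", "accountEnabled": False},
    {"userPrincipalName": "carol@contoso.example", "jobTitle": "Network Engineer", "accountEnabled": True},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True},  # jobTitle never set
]
LAB_RULE = 'user.jobTitle -eq "Storage Administrator"'
# Tighter variant: a disabled account should not keep the group's role assignment.
HARDENED_RULE = '(user.jobTitle -eq "Storage Administrator") -and (user.accountEnabled -eq true)'

if __name__ == "__main__":
    print("lab rule      :", members(LAB_RULE, USERS))
    print("hardened rule :", members(HARDENED_RULE, USERS))
```

The hardened variant shows the kind of extra clause worth adding when a dynamic group carries a role assignment: the lab rule alone keeps a disabled account in the group for as long as its job title says Storage Administrator.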
Now I'm going to show you how to provide access for this particular group to a storage account. So let's go to Storage accounts, click on the account, click on Access control (IAM) and then Add role assignment. Select the Contributor role and search for the particular group we created; it starts with storage. If you come down here you can see Storage Administrators; select it and save. Now we're going to test this assignment to check whether a user in that particular group is able to access this storage account or not. So let me log off and log back in with that particular user. Now go to Storage accounts, and the user should be able to see it; you can click on it and the user will be able to see all the management options here. So that's it for this lab. In this lab I have shown you how to create a dynamic group, provide a role assignment for the dynamic group on one of the storage accounts, and finally validate the access. I hope you find this lab useful.

7. Introduction to Conditional Access in AAD:

Hi, welcome to this lecture. In this lecture I'm going to provide you an introduction to conditional access. If you are implementing an identity and access management solution using Azure Active Directory, it is really important for you to understand this in detail. Conditional access is a capability of Azure Active Directory with which you can implement automated access control decisions for accessing your cloud apps, based on conditions. In a real-world scenario a user can access information in a number of ways. Firstly, in terms of devices, they can use different types of devices, for example phone, laptop, desktop and so on. Secondly, the user can use different types of client apps also; if you take the example of OneDrive, you can access information in OneDrive using a browser,
a mobile app or a desktop app. And currently the information can be accessed by the user from different locations: it can be the office, home or the Internet. So basically the cloud is providing massive flexibility to users in terms of accessing the information. However, it poses a significant risk in terms of the confidentiality or the safety of the information. For example, if you have sensitive documents stored in OneDrive, the user can download those documents from anywhere, isn't it? So how can you restrict a user accessing certain applications based on devices, client apps and locations? If you want to implement a solution to restrict users from accessing applications from certain devices, certain types of client apps or certain types of locations, then you can use the conditional access capability. Basically you define a conditional access policy, which includes six key things. Firstly, you need to define the scope of the conditional access policy, i.e. to which group of users you want to apply the policy and also to which applications you want to apply the policy. That's the first thing: you define which users you want to apply the policy to and which cloud applications you want to apply the policy to. After that you define from which devices you want to restrict access; for example, you want to restrict access to the information from an unmanaged device, let's say the user's personal laptop. You want to restrict access from that personal laptop into your OneDrive. Another policy condition you can define is based on location; for example, you don't want people to access the Azure portal from home, you want them to access it only from the office. And you can use the client application also; for example, you don't want users accessing OneDrive from a browser, you want them to access information only from the mobile app or the desktop app.
That's one example, and finally sign-in risk. If you are using Azure AD Identity Protection, it will continuously monitor the sign-ins, detect and identify problematic sign-ins, and give them a score like low, medium or high. Based on the sign-in risk score you can define the access control in such a way as either to block access or to go for further authentication, for example enforcing multi-factor authentication. So in summary, firstly you define the scope of your conditional access policy, that is the users to which you want to apply it and also the cloud applications to which you want to apply it. Those are the two that define the scope of the conditional access policy, and we have four conditions that define why you want to restrict access: devices, locations, client applications and sign-in risk. Once you define the conditions, then you need to define the access controls. If any user satisfies the conditions, you can either allow access, block access, or ask for further authentication, i.e. ask users to use multi-factor authentication. For example, let's say you want to allow users to access OneDrive from their homes also, but you want to have another layer of authentication, which is basically two-factor authentication; in that way also you can do it. So there are a lot of ways you can implement conditional access. However, you need to be extremely careful when you are defining these conditional access policies, because there is a danger that you can block the entire organization by defining one policy, including yourself. Basically, you can block yourself from accessing the Azure portal also. Once you have defined a wrong policy that blocks everybody, there is no way you can revert it unless you contact Microsoft support, raise a support request and relax the policy.
So whoever has access to define and modify these conditional access policies needs to be extremely careful, and you should be very careful about giving permissions to configure this. Let me take you through some of the key points related to conditional access. You need to understand how conditional access policies are applied. Basically all policies are enforced in two phases. In the first phase all policies are evaluated, and all access controls that are not satisfied are collected. One thing you need to remember is that a particular group of users can fall into multiple policies: you can define multiple conditional access policies, and the same user can fall into the scope of different conditional access policies. So what Azure Active Directory does is evaluate, at the same time, all the policies applicable to that particular user, and collect all the access controls that are not satisfied. In the second phase you're prompted to satisfy the requirements you haven't met, because you can request users to go through further authentication; in that way you can prompt the user, for example, to do multi-factor authentication. If any one of the policies blocks access, then the user will be blocked and not prompted to satisfy the other policy controls. For example, you have three policies: in one policy the user is allowed access, in another policy, based on the sign-in risk, you block access, and in the third policy the user in scope is asked for further authentication. If you logically consider all three policies together, because a block-access condition is satisfied, the user will not be allowed access at all. According to the other policies access is allowed, or allowed after enforcing multi-factor authentication, but because one of the policies where the user falls into scope is blocking access, the user will ultimately be blocked.
As I said earlier, you need to be very careful about configuring conditional access policies, because if you, let's say, implement one conditional access policy that applies to all users and all cloud apps, and you put an access control such as block access, or require compliant device, or require hybrid Azure AD joined device, in that case you are actually blocking the entire organization with block access, or you are blocking the user before the user even gets the device. Generally, when users join an organisation, first the user account gets created and later they are given a laptop. But if you require a compliant device, the user will not be able to log in to any of the registration portals where he or she needs to provide personal information and also payroll information such as address, etc. So basically you need to be very, very careful when you are configuring conditional access policies, because it is so important. You need to plan the deployment of conditional access policies carefully, so let me take you through a few points related to that. In planning your conditional access deployment, the first thing is to draft policies; do not do it directly in Azure Active Directory. Take an Excel sheet and start defining what your response to an access condition should be. So if somebody is logging in to OneDrive from a personal laptop or from home, then what should the response be? In that way you define every conditional access policy you want to implement using this planning model. The next thing is what outcomes you want to achieve: you can either block access, or you can prompt the user to go through further authentication, or you can require a managed device or require approved client apps, in other words you can access only from the browser, the mobile app or the desktop app. And finally, test policies. Once you have defined a policy in an Excel sheet,
start configuring the conditional access policy within Azure Active Directory, but in terms of the user scope, provide the scope to a few users only and verify how it behaves. Never implement the conditional access policy for all groups straight away; it will block the entire organization if you do anything wrong. So first, when configuring the conditional access policy, apply the policy to a small set of users and then slowly propagate the policy to the other users. One more final thing I want to discuss is the What If tool. You can use the What If tool to evaluate your conditional access policies without actually implementing them and testing them in a real-world scenario on real users; you can use the What If tool to understand how your conditional access policy will affect a group of users. So that's it for this lecture. In this lecture I have taken you through the conditional access capability of Azure Active Directory, the different types of conditions you can define in a conditional access policy, and also the different types of access controls you can define in a conditional access policy. The next lecture is a lab where I'm going to show you how to configure conditional access policies in Azure Active Directory. Initially we will do a conditional access policy based on network location, and once I complete the device management lecture I will also show you how to implement a conditional access policy based on device state. So it's going to be very interesting; if you have some time, join me in the next lab.

8. Lab demo - Location based conditional access policy:

Hi, welcome to this lab. In this lab I'm going to show you how to implement a location-based conditional access policy. Before we start, I want you to remember one very important point: a conditional access policy is not the first line of defense.
The first line of defense is the user authenticating with Azure Active Directory. Once that is passed successfully, then Azure Active Directory will identify all the conditional access policies applicable to the user and evaluate them, and if the outcome of any conditional access policy is blocking access for the user, then the user will be presented with an access denied page. So first of all users will be able to successfully log in to Azure Active Directory; only then are conditional access policies applied. So it is very important for you to remember that a conditional access policy is not the first line of defense. Now let me go into the Azure portal in order to configure this location-based conditional access policy. In the Azure portal go to Azure Active Directory and come down here; you can see Conditional Access, click on it. Before I start creating a policy, I want to create a named location, because we are going to create a location-based conditional access policy and we can use this named location in the policy. So click on New location; I'm going to call this Home-based location. There are two types of locations you can configure: one is IP address ranges, and you can also define from which countries you want to block access. In this case I'm going to use IP ranges, and I'm going to paste my home IP and click on Create. The second thing you can do within named locations is configure MFA trusted IPs. For example, you don't want your users to go through multi-factor authentication when they are accessing a particular app from the intranet; basically, if they are located in a secure location within your office, why would you want to take them through multi-factor authentication? In that case you can click here and then configure the IP ranges here. Let me close this. Now let's define a policy: click on Policies and click on New policy.
I'm going to call this Location based policy. Now we need to define the scope of this conditional access policy. The scope can be defined in terms of which users and groups you want to apply the policy to, and also which application access you want to apply the policy to. So let me select the users. You can either include users in the policy or you can exclude them also. But there can be a lot of confusion when you are using this; you have to be extremely careful when you're defining it, and make sure you completely understand it. One very good thing you can do is apply it to a very small group of users and see how it goes, and I would also advise to always use Include to start with. So select Users and groups, click on Select; in this case I'm going to select an individual user, but you can select a group also. Select the user and click Done. So we have defined a specific user; now we need to define which app we want to apply this conditional access policy to. Click on Cloud apps and select an app. Again, you can exclude or include here also, but I would say always use Include, because it is clearer when you're using it. If you use Exclude, that means it will be applied to all the other apps, so I would not suggest using Exclude. I'm going to apply this conditional access policy to Microsoft Planner, so let's select that and click Done. Now you need to define the conditions. You can have several types of conditions: it can be device based, location based, client app based, or sign-in risk based. Click on Conditions and you can see Sign-in risk; in order to use sign-in risk you need to have Azure AD Identity Protection, which I don't have at this moment, so I'm not going to configure that. You can use Device platforms, whether it is iOS, Android,
and so on; you can use location-based configuration; you can use Client apps, whether it is a mobile app or a browser; and you can use Device state, whether it is Azure AD joined or a compliant device or not, etc. Click on each of them and view what kind of configuration you can do. But in this case I'm going to configure a location-based conditional policy. So yes, I want to configure it, Include, and then I'm going to select my home IP. So basically what I'm going to do is restrict my own access to the Planner application from my home IP. Click Done, and I'm not going to configure any of the rest, but in a subsequent lab I'm going to show you how to configure a conditional access policy using device state, because in a real-world scenario most probably you will be using location based and device based. Click Done. Now, what I want to do in terms of access control is deny access, because my access is from my home. So in this case I'm going to block access. But you can grant access subject to some conditions also; for example, grant access but require multi-factor authentication every time, or require the device to be marked as compliant, and so on. In this case I'm going to block access, so click on Select. For session controls, don't worry about them at this moment, because there are only two applications that support session controls, so leave it as it is. Before I start applying the policy, I just want to show you that I can access Planner now. Let me go into Office, click on Planner; see, now I can access Planner. But once I apply the conditional access policy I will not be able to access Planner, because I'm logging in from my home, using my home IP address. So let me go into the Azure portal and enable that policy. Click on Create; the policy has been created and enabled successfully.
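As an added example, not code from the course, the following Python models the evaluation described in the previous lecture and the location-based policy just configured: a named location backed by IP ranges, policy scope by included and excluded users and apps, conditions (location, client app, sign-in risk), and the two-phase decision in which the controls of every applicable policy are collected and a single block wins over any grant control. It also encodes the lecture's lockout warning as a check. The users, groups, app names, the 203.0.113.0/24 range standing in for the instructor's home IP, and the office address are all constructed placeholders.

```python
"""Added example, not the course's code: a local model of how Azure AD evaluates
conditional access, covering the two-phase rule from the lecture (collect the
controls of every applicable policy, then a single block wins over any grant
control) and the location-based policy built in this lab (a named location
defined by IP ranges). IP ranges, users, groups and app names are constructed
placeholders; 203.0.113.0/24 stands in for the instructor's home IP."""
import ipaddress
from dataclasses import dataclass, field

NAMED_LOCATIONS = {"Home-based location": ["203.0.113.0/24"]}


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    ip: str
    client_app: str = "browser"
    device_compliant: bool = False
    sign_in_risk: str = "none"          # none / low / medium / high


@dataclass
class Policy:
    name: str
    include_users: set = field(default_factory=set)   # users or groups, or {"All"}
    exclude_users: set = field(default_factory=set)
    include_apps: set = field(default_factory=set)    # app names, or {"All"}
    locations: set = field(default_factory=set)       # named locations; empty = any
    client_apps: set = field(default_factory=set)     # empty = any
    risk_levels: set = field(default_factory=set)     # empty = any
    grant: set = field(default_factory=set)           # {"block"} or controls, e.g. {"mfa"}
    enabled: bool = True


def in_named_location(ip, names):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for name in names for cidr in NAMED_LOCATIONS.get(name, []))


def in_scope(policy, s):
    """Assignments: include by user/group, then honour exclusions, then apps."""
    principals = {s.user} | s.groups
    if "All" not in policy.include_users and not (principals & policy.include_users):
        return False
    if principals & policy.exclude_users:
        return False
    return "All" in policy.include_apps or s.app in policy.include_apps


def conditions_match(policy, s):
    """Every configured condition must hold; unconfigured conditions always hold."""
    if policy.locations and not in_named_location(s.ip, policy.locations):
        return False
    if policy.client_apps and s.client_app not in policy.client_apps:
        return False
    return not policy.risk_levels or s.sign_in_risk in policy.risk_levels


def evaluate(s, policies):
    applicable = [p for p in policies
                  if p.enabled and in_scope(p, s) and conditions_match(p, s)]
    # Phase 1: gather the controls of every applicable policy.
    blocking = [p.name for p in applicable if "block" in p.grant]
    required = set().union(*(p.grant for p in applicable))
    # Phase 2: one block ends it; otherwise prompt for whatever is not yet satisfied.
    if blocking:
        return {"decision": "block", "by": blocking}
    if s.device_compliant:
        required.discard("compliantDevice")
    return {"decision": "grant", "prompt_for": sorted(required),
            "policies": [p.name for p in applicable]}


def lockout_risks(policies):
    """The lecture's warning as a check: a block on All users and All apps with no
    narrowing condition and no exclusions locks out the whole tenant, admins included."""
    return [p.name for p in policies
            if p.enabled and "block" in p.grant
            and "All" in p.include_users and "All" in p.include_apps
            and not (p.exclude_users or p.locations or p.client_apps or p.risk_levels)]


LAB_POLICY = Policy("Location based policy", include_users={"alice"},
                    include_apps={"Microsoft Planner"},
                    locations={"Home-based location"}, grant={"block"})
MFA_POLICY = Policy("Require MFA for Planner", include_users={"All"},
                    include_apps={"Microsoft Planner"}, grant={"mfa"})
RISK_POLICY = Policy("Block high-risk sign-ins", include_users={"All"},
                     include_apps={"All"}, risk_levels={"high"}, grant={"block"})
POLICIES = [LAB_POLICY, MFA_POLICY, RISK_POLICY]

FROM_HOME = SignIn("alice", {"Storage Administrators"}, "Microsoft Planner", "203.0.113.7")
FROM_OFFICE = SignIn("alice", {"Storage Administrators"}, "Microsoft Planner", "198.51.100.20")

if __name__ == "__main__":
    print("alice from home  :", evaluate(FROM_HOME, POLICIES))
    print("alice from office:", evaluate(FROM_OFFICE, POLICIES))
    print("lockout risks    :", lockout_risks(POLICIES))
```

Run from the home range, the sign-in is blocked by the lab policy even though the MFA policy also applies and would otherwise have granted access after a prompt; from the office address only the MFA prompt remains. `lockout_risks` is the kind of pre-flight check worth running before a policy is switched from a pilot group to everyone.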
Now let me log off from this, and also from Planner, and I'm going to use a fresh browser session to launch Planner, to avoid caching and all that stuff. So now go to office.com and then Planner; it is asking for the password, let me give that. See: you can't access this right now, because of the location, because the conditional access policy I just defined is blocking access. So that's it for this lab. In this lab I have shown you how to define a location-based conditional access policy and deny access to Microsoft Planner if the user accesses Planner from a particular location.

9. Introduction to Azure policies, Initiatives and locks:

Hi, welcome to this lecture. In this lecture I'm going to provide you an introduction to Azure Policy. If your client is requesting you to implement corporate governance on top of Azure, then the first thing that should come into your mind is Azure Policy, because Azure Policy is one of the fundamental governance tools available in Azure. There are other governance tools also, such as Blueprints, but they are currently in preview. So what is Azure Policy all about? Let me take you through that. Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so that those resources stay compliant with your corporate standards and service level agreements. So what you can do using Azure Policy is implement certain rules and effects on existing resources or on any new resource deployments. For example, let's say your company has a business unit located in Europe, and that particular business unit has a number of subscriptions, but because of EU regulations you want all the resource deployments within those subscriptions to be located in Europe. To enforce that rule or standard, you can define an Azure policy with that rule.
So basically any resource deployments happening in that subscription should happen in Europe only. That kind of rule you can enforce on resource deployments, and you assign that policy at the subscription level, the management group level or the resource group level. Once you have assigned this policy, when you are trying to deploy new resources, as part of the validation these rules will be checked and the appropriate effect takes place. The effect can be denying the creation of the resource, or it can be append also; I'll take you through these rules and effects in a bit more detail in the next slide. In terms of the comparison between role-based access control and Azure Policy: role-based access control controls user actions at different scopes, i.e. what users can do or cannot do with respect to a resource, for example start and stop a virtual machine. But when it comes to policies, it's a blanket rule; I mean to say it's not applicable on a per-user basis, it will be enforced throughout the scope irrespective of the user logging in. And also, once you have assigned a policy, it will enforce the rules on the resource properties during deployment and for existing resources. So basically these rules will check and inspect the resource properties: if the resource location is so and so, deny creation of the resource; for example, if the resource doesn't have the tags that you enforce as a rule, then either you can deny the deployment or you can append to the resource in such a way that it includes the new tag. So it's really important that you understand the difference between role-based access control and Azure Policy: role-based access control is more related to identity and access management, whereas Azure Policy is a governance tool at the corporate level. Now, when you are trying to implement Azure policies, you generally follow a four-step process.
Let me take you through those steps. The first thing you need to do when you are trying to implement Azure policies is create a policy definition. Basically a policy definition has conditions under which it is enforced, and it also has a defined effect that takes place if the conditions are met. For example, if the resource location is equal to so and so, then deny creation of that resource; that's one effect. There can be other effects also, but I'll take you through those effects in the subsequent slides. Once you have defined the policy, you assign that policy at a particular scope. It can be a management group, a subscription or a resource group also, and when you assign a policy at the management group level, all the subscriptions and resource groups will inherit that policy assignment. The third thing is evaluation. Evaluation of assigned policies and initiatives happens as a result of various events, so evaluation can happen at different points based on the event: it can happen when a resource is being deployed, and if you are assigning a policy to an existing resource group or subscription which contains resources, then it will be evaluated whenever you assign the policy, and I think there is a periodic evaluation also. Evaluation is basically checking those conditions against the resource properties, and if the standard is not met, taking an action; that action is basically the effect. Each policy definition in Azure Policy has a single effect, and that effect determines what happens when the policy rule is evaluated to match. The effect can be a number of things; I have a dedicated slide for that purpose, so I'm going to take you through those effects in detail in the subsequent slides. So when you are trying to implement policies, you need to remember four steps: first of all you need to create a policy definition.
Secondly, assign that policy definition at a scope, which can be a management group, a subscription or a resource group. As soon as you assign a policy, generally within 30 minutes the evaluation will happen, and the evaluation can also happen when you are trying to deploy a resource. Finally, you configure an effect; the effect can be deny, audit, append and so on. Now let me take you through the policy definition in a bit more detail: what exactly is contained within a policy definition? Basically you use JSON to create a policy definition, and a policy definition contains the following JSON elements. The first one is mode. Mode determines which resource types will be evaluated for the policy. Currently the mode can be All or Indexed. Generally you'll set All, because you want to apply it to all resource types, but there are instances where you might want to apply it only to particular resource types, for example databases; in that case you would change the mode. The second thing is parameters. Parameters help simplify your policy management by reducing the number of policy definitions. For example, if you are implementing a location-based policy, you want to implement a policy for all subscriptions located in Europe to make sure all the resource deployments under those subscriptions happen in Europe only; similarly, you might want to create another policy for all the subscriptions in the US, in such a way that all the resource deployments in US subscriptions happen in the US only. In that case you don't need to create two policy definitions; you create only one policy definition, and when you assign the policy definition to the scope, at that time you pass on the parameter, i.e. the location value. In that way the number of policies you need to write gets reduced, and subsequently your policy management becomes simplified. The next things are display name and description.
They're very self explanatory. The next thing is the policy rule. The policy rule is where you put the conditions and effects. The condition is basically the matching condition: for example, if the resource location is not equal to something, then deny access; or if the resource doesn't have a particular tag, deny creation of the resource, something like that. And finally the effect. The effect is a very critical thing when you are defining policies; it basically defines what you would like to do when a condition is matched. So let me take you through these effects in a bit more detail. There are currently six effects that are supported in a policy definition, i.e. what kind of effect should happen when a condition is met. The first one is append. Append is used to add additional fields to the requested resource during creation or update, so using the append effect you can achieve some sort of automation also. For example, instead of your users manually adding tags to each and every resource, you can define a policy and make sure all the resources deployed have a cost centre tag, let's say. So basically you're not denying the resource deployment; while the resource is getting deployed, you are appending a resource property, i.e. the tag. That is the first one. The second one is audit. Audit is used to create a warning event in the activity log when evaluating a non-compliant resource, but it doesn't stop the request. So when a user tries to create a resource in Azure, if the resource being deployed is non-compliant with one of the policies, you will still allow the resource to get deployed, but you will get a warning event in the activity log. And what you can do is define an alert on the activity log to shoot off an email to, for example, an architect.
The third one is AuditIfNotExists. AuditIfNotExists enables auditing on the resources that match the condition but don't have the components specified in the details of the then condition. So basically it goes to the next level: you can look into the properties of the resource, and if that particular resource doesn't have the associated property, then you can create the warning event. For example, if a SQL server is deployed with an older version, you still want it to get deployed, but because the version number is not up to the mark according to the policy, you create a warning event in the activity log. So that's one. The fourth is deny. Deny is used to prevent a resource request that doesn't match the defined standards through a policy definition, and fails the request. I'm going to show you in the next lab how a resource deployment gets validated and fails because of a policy we implement based on location. And finally DeployIfNotExists. Similar to AuditIfNotExists, DeployIfNotExists executes a template deployment when the condition is met. For example, according to your corporate standards, a virtual machine you deploy in Azure should have a specific extension. If that extension is not there, you want to deploy it straight away; for that purpose you can use this. Basically, when the resource is getting deployed, you can define a rule in the policy in such a way that you deploy all the extensions if they are not installed on that particular virtual machine. So you can achieve some sort of automation also using policies, at the same time implementing your corporate standards. And finally you have disabled: in case you want to disable a policy for any reason, you can put that. So these are the effects that are supported by a policy definition.
Now, one final thing I would like to take you through is initiatives. An initiative definition is a collection of policy definitions that are tailored towards achieving a single overarching goal. Initiative definitions simplify managing and assigning policy definitions. So basically, using initiatives you can have a hierarchy: an initiative can contain multiple policies related to a particular standard. For example, you have multiple business units in your company, each business unit has multiple management groups and subscriptions, and each business unit might want to create an initiative and put all the policy definitions related to that business unit under it. That's one way of doing it; there are other ways as well. If you want to put all the data-governance-related policies in one initiative, you can do that; similarly for compute. There are a number of permutations and combinations you can use to create initiatives. And just like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope. Initiative assignments reduce the need to make several initiative definitions for each scope. So it is similar to policies but at a higher level: an initiative can contain multiple policies, an initiative has a definition, and you assign the initiative at a particular scope, whether that is a management group, a subscription or a resource group. So that's it for this lecture. In this lecture I have given you an introduction to Azure policies, the four steps involved in implementing Azure policies, what a policy definition contains, and what kind of effects you can implement. And finally I have taken you through initiatives at a very high level.
Okay, the next lecture is a lab where I'm going to show you how to create multiple policies, put those policies under an initiative, assign that initiative to one of my subscriptions, and show you how the creation of a resource gets denied when one of the conditions in one of the policies is met. It's going to be an interesting lab. If you have some time, join me in the next lab.

10. Lab demo - Implement Azure policies and initiatives

Hi, welcome to this lab. In the previous labs and lectures I have shown you how to implement AAD authentication, how to implement location-based and device-based conditional access policies, and also how to implement role-based access control. In this lab I'm going to show you how to implement Azure policies. In order to do that, let's go into the Azure portal, type "policy" here and click on Policy. In the Overview screen you can see overall resource compliance, and also non-compliant initiatives, non-compliant policies, non-compliant resources, etc. This is the overall compliance, but if you want to see compliance for a specific subscription, you can click here and select Azure Trainings, or select all subscriptions; and if you want to go deeper, to a particular resource group, you can select that here. Basically, by selecting the scope, you can see the compliance percentage at that scope level. Okay, cancel this. The next thing I want to show you is how to create a policy definition. Click on Definitions and then on Policy definition, and you can define where this definition should be located. For example, if it is located in a particular subscription, you can assign this policy only within that subscription and its resource groups. So click here, choose the subscription Azure Trainings and select it. Now I'm going to call this definition "Rudra tags policy".
That's because I want to make sure every resource deployed into my subscription has a cost centre tag, let's say. For Category, you can create your own category or select an existing one; this is basically to group and manage policies in a better way. I was going to use an existing one, but if you come down here, the custom one I created doesn't exist, so let me create a new one: "Rudra custom policies". Now I want to implement a policy definition that checks every resource within that subscription to make sure it has a cost centre tag. I got a policy definition from the Microsoft documentation, so let me show it to you here. This first policy definition is for validating tags. Basically, I'm applying a rule to all resource types: the resource should have a tag. We pass the tag name as a parameter, and if the tag does not exist, I append to that resource in order to include the tag and the tag value. That's what I'm doing, and I'm putting some metadata for the parameters that I'm including in this policy definition. I hope you understand this; it's basically a very simple policy definition: if a resource deployed into that particular scope doesn't have a tag with the cost centre name, then the tag is appended to that resource. Both the tag name and the tag value are passed as parameters at the policy assignment level when you assign the policy. So let me copy this and paste it here. That's it; we have created one policy definition. Now if you want to view the policy, go here and select Custom; then you can see it here. Otherwise you can type the name, if you have too many policies. Now I'm going to create another policy definition, also at the Azure Trainings level, and the name is going to be "Rudra locations policy".
In this case I'm defining a policy to make sure every resource my users create in that subscription is created in North Europe only. So come down here, use an existing category, and you can see "Rudra custom policies" selected, and then I'm going to replace this with the definition I already have. Actually, there is a built-in policy for allowed locations that you could use instead, but anyway, let's copy and paste it here. So here the mode is also Indexed, and the policy rule is: if the field location is not in the allowed locations, then the creation is denied; the effect is deny here. But if you look at the effect in the earlier policy definition I created, the effect there is append, not deny. Keep a note of that. Let's save this. Now I have created two policy definitions, and it's time to create an initiative definition and include these two policies under that initiative. So click here and I'm going to give it the name "Rudra initiative". Come down here, select the category, and now we need to group policies into this initiative. I'm going to type "Rudra" here and include "Rudra tags policy" and "Rudra locations policy". Now you can see that I need to provide a value for the tag name. You don't actually need to do that here; you can have parameters at the initiative level as well, but in this case I'm going to type the tag name as CostCentre and the tag value as Training, because I'm going to apply this at the Azure Trainings subscription scope. That's it. Now for the Rudra locations policy, let me show you how you can pass a parameter at the initiative level: here, instead of "set value", select "use initiative parameter", click on it, and you can see the list of allowed locations. Now I'm going to add North Europe to the allowed locations and click Save.
So basically this saves the initiative definition, and the next thing is to assign the initiative at the Azure Trainings subscription level. I hope you understood everything related to parameters and passing values to the parameters; it's quite easy actually. So that's it, we have created an initiative. Now it's time to assign this initiative at a particular scope. Click on Assignments and then on Assign initiative. The scope is Azure Trainings; I'm going to leave that as it is, but if you want to apply it at the resource group level, you can do that by selecting it here. Exclusions: in case you want selected resources to be excluded from this policy assignment, you can select them here; you can select a resource group or a resource. For the initiative definition, let's select the one we created. Allowed locations: North Europe only. And I'm not going to create a managed identity. That is mainly needed if you are using the deployIfNotExists effect, because you want to deploy something when it is missing, and in that case you need an identity to deploy that resource; for that purpose an identity is created in Azure Active Directory and given the appropriate permissions. So now I'm going to click Assign. Now it's assigned; however, it might take up to 30 minutes for the policy to be applied and evaluated against existing resources. So if you go to Compliance you can see two of them; you can see Rudra initiative here, click on it, and it's not yet started. Just wait for 30 minutes and you will see the evaluation happen, and you might see non-compliant resources.
Once you have assigned a policy, it applies immediately to new deployments, but not to existing resources; it applies to any new resource deployment. So let me create a resource to show you how the deployment gets validated against the policy. I'm going to create a storage account: select Storage account, then Create. For the subscription I'm going to select Azure Trainings and the resource group I've been using, and provide a name like "rudratest". In terms of location, I'm not going to select North Europe; I'm going to select, let's say, UK West. The only allowed location is North Europe but I'm selecting UK West, which means this deployment should fail at the validation stage. Policies are validated at the Azure Resource Manager level, not at the resource provider level. However, some policies do get evaluated at the resource provider level, because it all depends on the effect of the policy: deny and append are evaluated by Resource Manager before the request reaches the provider, whereas auditIfNotExists and deployIfNotExists are evaluated after the resource provider has handled the request. So based on the effect type, your policy is evaluated either at the ARM level or at the Azure resource provider level. So next, next, next... the validation passed? I'm a bit surprised, actually. I think I might be wrong; maybe it will take some time for this policy to be applied at the Azure Trainings subscription level. So I'm going to pause this video for a few minutes, then come back and try to create this resource once again. Now I have waited for five minutes, so let me start creating the storage account again and see whether validation fails or not. Storage account, Create; I'm going to leave the subscription and resource group as they are, because it is at that subscription level that we assigned the initiative. I'm going to provide a storage account name like "rudratest123", something like that, and then the location.
The only location we are allowing is North Europe, but I want to select something else so that I can show you how the validation fails. So let me select West Central US, leave everything else as it is, and click Create. This is where the validation should fail... and it has failed. If you click on "view details", there is a policy restricting creation of the storage account in any location other than North Europe. So this deployment failed because of one of the policy definitions in our initiative. There is another policy definition in the initiative, related to tags, and in that policy definition the effect is not deny but append. I want to show you that example as well, so close this, go back to the previous step, and select the right location this time, which is North Europe. Next; I'm not providing any tags here, because the effect of that policy definition is append, so a tag will be added to this storage account automatically. So let's create this and I'll show you. Now our resource has been deployed successfully. Let's go to the resource, and if you click on Tags, we should be able to see a tag, CostCentre: Training. So this tag was added automatically. I really like this, because there is an element of automation as well as an element of governance within Azure policies. So that's it for this lab. In this lab I have shown you how to create two policy definitions, the first one for allowed locations and the second one for tags; I have shown you how to group these policy definitions under one initiative, and finally assigned that initiative to one of the subscriptions and shown you how a resource deployment request gets denied, because the only allowed location is North Europe and anything other than that is denied.
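To make the effects from the previous lecture and the two definitions from this lab concrete, here is an added example (not code from the course, and not the Microsoft policy JSON the lab pastes in): a small Python simulation of how Resource Manager evaluates an initiative against a create request. The policy shapes follow the Azure Policy rule language, but the tag name CostCentre, the tag value Training, the allowed location northeurope, the resource names and the log messages are assumptions made for this example. It also shows two things the portal walkthrough does not make visible: Azure evaluates effects in a fixed order (disabled, then append, then deny, then audit) regardless of the order of policies in the initiative, and string comparisons such as location are case-insensitive.

```python
import re
from copy import deepcopy

# Constructed policy definitions modelled on the lab's "Rudra tags policy"
# (effect append) and "Rudra locations policy" (effect deny). Parameter values
# below are assumptions for this example.
TAGS_POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
        "then": {"effect": "append",
                 "details": [{"field": "[concat('tags[', parameters('tagName'), ']')]",
                              "value": "[parameters('tagValue')]"}]},
    },
}
LOCATIONS_POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
        "then": {"effect": "deny"},
    },
}
# The initiative as assigned to the subscription: each policy with the
# parameter values chosen at assignment time (deny listed first on purpose).
RUDRA_INITIATIVE = [
    (LOCATIONS_POLICY, {"allowedLocations": ["northeurope"]}),
    (TAGS_POLICY, {"tagName": "CostCentre", "tagValue": "Training"}),
]

_PARAM = re.compile(r"parameters\('([^']+)'\)")
_ARG = re.compile(r"'([^']*)'|parameters\('([^']+)'\)")
_TAG_FIELD = re.compile(r"tags\['?([^'\]]+)'?\]")
# Azure's evaluation order for effects, independent of initiative order.
_EFFECT_ORDER = {"disabled": 0, "append": 1, "deny": 2, "audit": 3}


def resolve(expr, params):
    """Resolve the subset of ARM expressions these rules use:
    [parameters('x')] and [concat('literal', parameters('x'), ...)]."""
    if not (isinstance(expr, str) and expr.startswith("[") and expr.endswith("]")):
        return expr
    body = expr[1:-1]
    m = _PARAM.fullmatch(body)
    if m:
        return params[m.group(1)]
    if body.startswith("concat(") and body.endswith(")"):
        return "".join(params[p] if p else lit for lit, p in _ARG.findall(body[7:-1]))
    raise ValueError(f"unsupported expression: {expr}")


def _ci(v):
    """Policy string comparisons are case-insensitive (westcentralus == WestCentralUS)."""
    return v.lower() if isinstance(v, str) else v


def get_field(resource, field):
    """Read a policy field alias ('location', 'type', "tags['Name']") from the request."""
    m = _TAG_FIELD.fullmatch(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(field)


def matches(cond, resource, params):
    """Evaluate a policy 'if' condition (field, allOf, anyOf, not) against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    value = get_field(resource, resolve(cond["field"], params))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _ci(value) == _ci(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return _ci(value) != _ci(resolve(cond["notEquals"], params))
    if "in" in cond:
        return _ci(value) in [_ci(x) for x in resolve(cond["in"], params)]
    if "notIn" in cond:
        return _ci(value) not in [_ci(x) for x in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_request(resource, initiative):
    """Simulate Resource Manager handling a create/update request under an initiative
    assignment. Returns (allowed, resource_as_it_would_be_stored, activity_log_events)."""
    resource = deepcopy(resource)
    events = []
    ordered = sorted(initiative,
                     key=lambda p: _EFFECT_ORDER.get(p[0]["policyRule"]["then"]["effect"].lower(), 9))
    for policy, params in ordered:
        rule = policy["policyRule"]
        effect = rule["then"]["effect"].lower()
        if effect == "disabled" or not matches(rule["if"], resource, params):
            continue
        if effect == "append":  # mutate the request, never reject it
            for detail in rule["then"]["details"]:
                field = resolve(detail["field"], params)
                tag = _TAG_FIELD.fullmatch(field)
                if tag:
                    if resource.get("tags") is None:
                        resource["tags"] = {}
                    resource["tags"][tag.group(1)] = resolve(detail["value"], params)
                else:
                    resource[field] = resolve(detail["value"], params)
                events.append(f"append: set {field} on {resource['name']}")
        elif effect == "deny":  # request fails validation, nothing is stored
            events.append(f"deny: request for {resource['name']} rejected by policy")
            return False, None, events
        elif effect == "audit":  # warning only, request goes through
            events.append(f"audit: {resource['name']} non-compliant, request allowed")
        else:  # auditIfNotExists / deployIfNotExists run after deployment
            raise ValueError(f"{effect} is evaluated post-deployment and is not simulated here")
    return True, resource, events


if __name__ == "__main__":
    request = {"type": "Microsoft.Storage/storageAccounts", "name": "rudratest123",
               "location": "westcentralus"}
    print(evaluate_request(request, RUDRA_INITIATIVE))
    print(evaluate_request({**request, "location": "northeurope"}, RUDRA_INITIATIVE))
```

Running it reproduces the lab: the West Central US request gets the CostCentre tag appended and is then denied by the locations policy, while the North Europe request is stored with CostCentre set to Training even though no tag was supplied. A request that already carries a CostCentre tag is left untouched, because append only fires when the if condition (tag does not exist) matches.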
And I have also shown you how you can automatically include a tag in every resource deployed in a particular subscription, using a policy definition with the append effect. I hope you found this lab very useful.

11. Introduction to Azure Security Center (ASC)

Hi, welcome to this lecture. In this lecture I'm going to give you an introduction to Azure Security Center and its capabilities. Azure Security Center is a very, very important tool when it comes to security management, so it is important for you to understand its capabilities in detail. Let me take you through them. Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centres and provides advanced threat protection across your hybrid workloads, in the cloud as well as on premises. So using Azure Security Center you can view the security posture of your data centres in a single pane of glass, and it doesn't matter where the workloads are located: they can be on premises, in Azure, or at any other cloud provider. Azure Security Center comes with a lot of features, but let me take you through some of the important ones. The first important feature is managing security policy and compliance. Basically, a security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. What this means is that Azure Security Center has a lot of built-in security policies; your workloads are evaluated against those policies, and based on the evaluation results a set of recommendations is generated. You can then implement those recommendations as preventive measures. The next important feature is continuous assessment. Generally, in any big company,
most of the time there are a number of projects going on, and as part of those projects people add new resources into Azure on a monthly basis. Whenever a new resource is added, the beauty of Security Center is that it automatically discovers those new resources and assesses whether they are configured according to security best practices or not. So you don't need to manually add every new Azure resource into Security Center; it automatically detects any new resource added in the subscriptions under the scope of Security Center. You just need to make sure you have added the subscription to Security Center coverage. The next important feature, which I like the most, is recommendations. Based on the evaluation of the security policy against your workloads, Security Center creates recommendations. For example, for a storage account, secure transfer is required; if somebody disabled secure transfer for a storage account by mistake, a recommendation is generated automatically, based on the security policy. Of course, sometimes you might want to disable a security policy and avoid some recommendations being generated. You can do that as well, which I will show you in the next lab. The next feature is secure score, which is also a very good thing. Based on the security posture of your solution, a secure score is calculated. Basically what happens is that your workloads are evaluated against the security policy, a set of recommendations is generated, and each recommendation has a score associated with it; the secure score is basically the amalgamation of all those recommendation scores. I will show that to you practically; you will understand it better when I show it in the Azure portal. When you look at these features, most of them are preventive measures.
You are doing something to avoid a security incident, but you can't avoid security incidents altogether. It doesn't matter how secure you make things; some security breaches will happen, and you want to be alerted when a breach occurs in your solution or your workload. That's exactly what Security Center does for you: it continuously monitors your workloads, and if it thinks a breach has happened, a security alert is raised immediately. You can configure it so that an email with the security alert information is sent to the security administrator. And if you are getting security alerts on a particular resource that, taken together, look like an attempt to achieve a particular outcome, then a security incident is raised. So basically a security incident is created only when the alerts for a resource align with kill chain patterns; in other words, if the attack is happening in a particular order to achieve a particular outcome, that gets converted into a security incident. If you want to understand more about these kill chain patterns and how an incident gets created from the alerts raised, I will provide a link in the resources section of this lecture; please click on it and go through it. On top of these features, there are some advanced features that come with the Security Center standard tier. I've picked two of them which are very critical, so let me take you through those two. The first one is just-in-time VM access. Using the Security Center standard tier, you can use just-in-time VM access to lock down inbound traffic to your Azure VMs while still providing easy access to connect to the VMs when needed. Basically, in general, when you want to connect to a virtual machine you have an inbound port open in order to allow RDP connections, and most of the time that port remains open.
Although you might have secured the connectivity via a jump box or your firewall, the port is still open; that means there is an inherent risk that an attack can happen on that port. Instead of keeping a port continuously open, you can use Security Center just-in-time access, which creates an NSG rule to deny all inbound traffic; then when a user wants to access a particular VM, they submit a request and specify how much time they need access for. For that time only, Security Center creates a rule allowing access, and as soon as the time is over it blocks the port again by creating an NSG rule. To put it simply: the port is open only during the time the user requested, and by the end of that time the port is closed. That's what just-in-time access is all about. The second advanced feature is adaptive application controls. Adaptive application control is an intelligent, automated, end-to-end application whitelisting solution from Azure Security Center. For example, you have an application that runs continuously on your workload; you know that application is running and you don't want unnecessary security alerts to be raised whenever it is triggered. In that case you can whitelist some of the processes or applications running on that particular virtual machine, so whenever people trigger that process or application, Security Center will not raise a security alert, because you have specifically whitelisted those applications using adaptive application controls. So these are the key features of Azure Security Center. There are other features as well, but I picked these because they are more critical than the others, in my view. Okay, so now you know all these features, but where do you start?
Once you start using Security Center, at what point do you need to start, and what is the process for using Security Center to implement preventive measures? Let me take you through the process of preventive monitoring and remediation using Azure Security Center. When you start using Security Center for the first time, the first thing you need to do is bring the subscriptions and management groups under the coverage of Security Center. You can either partially cover them, which means using the Security Center free tier, or fully cover them using the Security Center standard tier, and you can also price it by resource type, because once you enable the standard tier the pricing depends on the nodes, and also on storage accounts and other parameters. So you can drill down to the resource type level and either enable the additional controls or not. Don't worry if you don't follow this; in the next lab I'll show you how to cherry-pick the things you want when applying the standard tier. Once you bring the subscriptions under the scope of Security Center, the second thing is policies and configuration. Security Center comes with built-in policies, and it automatically assigns those policies to each subscription that is onboarded. And there is a choice: you might want to disable some of the security policies because your organisation's security doesn't need them; in that case you can go to Azure Policy and disable those specific policies. I'm going to show you how to do that in the next lab. In addition to policies and configuration, you can also implement advanced workload defences.
For example, as I said earlier, you can use just-in-time access and adaptive application controls, etc.; these come with the standard tier only. The next step is implementing the recommendations. The moment you bring the subscriptions under the scope of Azure Security Center, Security Center starts evaluating your workloads against the security policies and comes up with recommendations. So what you need to do is go through each recommendation and see whether it is a valid recommendation for you or not, because some of the recommendations might incur some cost for you. But a lot of the recommendations are security best practices which are really valid, and you can use them to harden the security posture of your solution. And the main goal of all of this is to improve the overall secure score: by implementing each of these recommendations you are actually contributing to the secure score, and you should make sure your secure score is as high as possible. So these are the steps you need to follow for preventive monitoring and remediation using Azure Security Center. However, it doesn't matter how many preventive measures you put in place; there will be some reactive work that you need to plan for. Let's see what you can do for reactive monitoring and remediation using Azure Security Center. In terms of reactive monitoring and remediation, what Security Center does is, firstly, monitor the traffic between the workloads, particularly within Azure, and secondly, collect all the logs for analysis and analyse the data in those logs. For example, take the Windows security event log: it analyses the information and tries to identify any breaches or threats, and as soon as a threat is identified, a security alert is raised. Using that security alert you can automate some things as well; for example, as soon as a security alert is raised, you can run a playbook.
A playbook is nothing but a Logic App. By triggering that Logic App you can create an incident or case within ServiceNow, let's say. And based on the series of security alerts on a particular resource, if they follow a certain pattern, then an incident is raised by Azure Security Center. There are also a lot of reports for viewing these security alerts and incidents. So these are the things that Security Center does, and what you can configure in Security Center, with respect to reactive monitoring and remediation. So that's it for this lecture. In this lecture I have taken you through the Security Center features in detail, the process you should follow to carry out preventive monitoring and remediation, what Azure Security Center does in reactive monitoring, and what you can configure in the remediation process. The next lecture is a lab where I'm going to show you how to carry out preventive monitoring and remediation using Azure Security Center. It's going to be a very interesting lab, so if you have some time, join me in the next lab.

12. Lab demo - Walkthrough of Azure security centre capabilities using Azure portal

Hi, welcome to this lab. In this lab I'm going to show you how to carry out preventive monitoring and remediation using Azure Security Center. Basically, I'm going to show you three activities: firstly, bringing subscriptions and management groups under the coverage of Security Center; secondly, configuring some of the settings related to policies and configuration; and thirdly, implementing remediations, thereby improving the overall secure score. So let's go into the Azure portal to kick-start everything. If you come down here, click on Security Center. The first thing is bringing the subscriptions under the coverage of Security Center, so click on Coverage. Here you can see all the subscriptions that are under Security Center.
However, if you have set the subscription filter in the portal, you will not be able to see the subscriptions that are excluded by that filter. So if you click here, I have another subscription, but I haven't selected it, hence I can't see it in Coverage. Secondly, you might have noticed that the Azure Trainings subscription is partially covered. If you want to fully cover it, click on Edit plan and select Standard; then it will be fully covered. But at this moment I don't need Standard. One more thing: if you come down here, you can select the pricing tier by resource type as well, so you can deselect or disable it for virtual machines or, let's say, SQL servers and so on. So you can drill down to the resource type level. Let's close this. The next thing is configuring some of the security-policy-related settings. To do that, click on Security policy and then on the subscription you want to configure. In terms of data collection, you can specify whether the MMA (Microsoft Monitoring Agent) should be installed automatically on all VMs in your subscription. If you select Off, it won't be provisioned automatically, but why would you want to do that? Secondly, Security Center will use its own workspace, but if you want to force Security Center to use another workspace, you can choose "use another workspace" and select it. I want to use the default workspace only. If you come down here, in case you have the standard tier, you can configure the level at which Windows security events are collected and stored. The next thing is threat detection: you can integrate Security Center with other Microsoft services such as Windows Defender Advanced Threat Protection and Microsoft Cloud App Security. And the next one is email notifications.
When a security alert is raised, you can configure here whom the notification should be sent to; you can configure multiple email addresses, and if you also want emails about alerts to be sent to the subscription owners, you can switch that on here. The next thing is the pricing tier: if you want to upgrade from Free to Standard, you can do that here as well. And finally, edit security configurations. From a security policy perspective, there are two things in Security Center: one is security policies at the Azure level, and the other is security configuration at the guest OS level. Basically, you can define the OS configuration that Security Center should assess and upload that configuration here, and based on this security configuration, recommendations are generated for OS-level configuration as well. It is a very good concept, but bear in mind that this is being migrated to Azure Policy by the end of July. So if you want to configure these, you will need to configure guest configuration policies within Azure Policy. This setting is related to security configuration, but you might want to disable some of the security policies, let's say. For that you actually need to go to Policy: click on Policy and then on Assignments, and you should be able to see "ASC Default", basically the Azure Security Center default assignment. This assignment is made by Security Center to apply all the built-in policies that come with Security Center. Here you can see the scope, which is the subscription, and also the different policies that are in scope in this assignment. You can see lots of policies here, and if you want to disable some of these policies because your organisation doesn't want recommendations from that particular area, let's say,
then you can disable them here, so that the recommendations are not generated, because that particular policy is no longer evaluated against your Azure workloads. So this is where you configure security policies. If you want to configure security configurations, at this moment you can do that from Security Center, but after July you will need to come here and look at the policies. For example, you can see the ones starting with "Guest"; those are guest OS configuration policies, and you can use them to apply configuration to virtual machines. Let's go back to Security Center. Now we have covered coverage and the security-policy-related settings; the third thing is recommendations. Recommendations are generated after evaluating your workloads against the security policies, and you need to go through all the recommendations and resolve them as far as possible in order to improve the overall secure score. You can view the recommendations holistically by going here and clicking on Recommendations, and if you want the recommendations for compute and apps only, you can click on that and see just those; similarly for identity and access, networking, storage and so on. But in this case let's click on Recommendations and look at some of the recommendations we have. The first one is "Enable Network Security Groups on subnets". Basically, I have a virtual machine and I don't have an NSG on a particular subnet. That is the recommendation: if I enable an NSG on the subnet, my secure score goes up by 20 points. Similarly, if I remediate vulnerabilities in security configuration, that increases my secure score by 30. But that is a very, very tedious task, because it is at the guest OS configuration level; you need to go and update it. So I'm going to pick the easy ones: network security groups on subnets, and also "Secure transfer required"
to storage accounts. In order to implement these recommendations, you can simply click on it, then come down here, click on the subnet, the unhealthy resource, then click on the network security group, select an NSG and save; it's as simple as that for some of the recommendations. Some of them are easy, some of them are tough. Okay, close this one. So basically I have resolved one recommendation, but it will take a lot of time to get reflected in Security Center; I think it is 24 hours before the security policies get evaluated again and the new score gets calculated. At that time you will see a difference in your secure score. So this is one remediation we have done, and the next one is "Require secure transfer to storage account". Let's click on it and come down here; you should be able to see the unhealthy resource. Let's click on it, go to Configuration, set "Secure transfer required" to Enabled and save. Then close it down. I am pretty sure nothing will change at this moment in time, because it is going to take up to 24 hours for the remediations to be reflected and the new secure score to be calculated. Okay, so go back to ASC; I think it will still show one. Anyway, we need to wait for 24 hours. But this is how you can implement the recommendations suggested by Security Center. So that's it for this lab. In this lab I have shown you how to carry out three activities within Azure Security Center: first, coverage; second, security policy related configuration; and third, implementing recommendations, thereby improving your secure score.

13. Introduction to Azure Key Vault: Hi. Welcome to this lecture. In this lecture I'm going to take you through Azure Key Vault and its capabilities. In the earlier labs and lectures I slightly touched upon Azure Key Vault when I was explaining managed identities, Azure Disk Encryption, etcetera.
But I have never taken you through Azure Key Vault in detail, hence I will take you through that now. Azure Key Vault is a service for securely managing keys, secrets, certificates and any other critical confidential information. In earlier days, when you needed to store some confidential information, for example if your application needed to access a SQL database, the credentials or connection strings related to the SQL database used to be stored in the web.config file, the application config file and so on, isn't it? But those days are gone. Now we can keep that credential-related information in a service like Azure Key Vault, and we can configure things in such a way that your application comes to Azure Key Vault at run time, fetches the connection string and uses that information in order to connect to the SQL database. In that way you are putting very tight control on the credential information that is stored in Azure Key Vault. There are four capabilities of Azure Key Vault. Firstly, secret management: you can securely store and tightly control access to tokens, passwords, certificates, API keys and any other secrets. As long as it is text information, such as XML or JSON, you can store it securely within Azure Key Vault. The second thing is key management. Using key management, you can create and control the encryption keys that encrypt your data. So if you have BYOK, in other words bring your own key, you can put that key into Azure Key Vault and use that key in order to encrypt your disks within Azure.
So instead of using Microsoft-managed keys, you can use your own keys, put them into Key Vault and configure things in such a way that Azure at run time will use these keys either to encrypt or to decrypt the data. And the other important capability is certificate management. Using this, you can provision, manage and deploy public and private SSL or TLS certificates for use not only within Azure but also with Internet-connected resources. The beauty of Azure Key Vault is that you are able to procure certificates from DigiCert or GlobalSign, those kinds of certificate authorities; you can directly procure the certificate and load it into Azure Key Vault. When I say this, your certificate never leaves Azure Key Vault. In other words, what generally used to happen in the past in terms of procurement of certificates is that we submit a request to a certificate authority like GlobalSign in their portal, pay the cost for the certificate, they do all the checks and provide the certificate, either via email or by providing a secure area. And then once we got that certificate, we needed to store it somewhere and upload it to the application as well. So if you carefully observe, a certificate is very, very critical information, and you are exchanging that information using email and also putting it somewhere else and so on. All these activities have an inherent risk associated with them. But with Azure Key Vault you can directly procure the certificate from Key Vault itself. Then when you get the certificate, it will be placed in your Key Vault directly. That's the beauty of Key Vault; I hope you understand this. And the final thing is that you can use either software or FIPS 140-2 Level 2 validated HSMs to protect secrets and keys.
Generally, when you are working with government agencies like, you know, police or military, they generally have their own hardware security modules, and in order to maintain those HSMs they generally spend a lot of money, because HSM infrastructure is a very costly infrastructure. But with Azure you are able to store secrets and keys backed by HSMs. There is a pricing difference between the software and hardware (HSM) options, so you need to keep that in mind; but compared with your own HSMs, the cost of Azure Key Vault HSMs is very, very low in my view. So these are the four modules, you can say, that are available in Azure in order to manage your secrets, keys and certificates securely. So what's the approach in using Azure Key Vault? Let me take you through that. Firstly, your administrator, who can be a global administrator or a subscription owner, will create an Azure Key Vault, and they will place the certificates, keys and secrets into that Azure Key Vault. Whenever you upload this confidential information, each key or secret will have an associated URI, and you can provide that URL to your application. Of course, whether it is an application or a user, first of all they need to authenticate with Azure Active Directory, and they should have proper authorization in place in order to access that particular key or secret using the associated URI. Finally, in terms of monitoring, you are able to see usage logging for keys in Azure; basically, you can integrate Key Vault logging into Log Analytics and view the usage of keys and secrets in the logs. However, you might be thinking: the application or developer first of all needs to authenticate with Azure Active Directory, isn't it? So you might be thinking that means I need to store a username and password, or a service principal's user ID and password, within the application's web.config file
or application config file, isn't it? That also poses some risk. To overcome that, we can use managed identities in conjunction with Key Vault. I already explained what managed identities are, but let me provide a quick summary in terms of using Azure Key Vault: the best practice is using managed identities. So in using managed identities, generally what you do is enable managed identity on a particular resource. That means a service principal representing that particular resource will be created in Azure Active Directory. That particular resource can be Azure App Service, a virtual machine or another supported service. So the first step is enabling managed identity on the supported resource, and that creates a service principal in Azure Active Directory. Once the service principal is created, you need to give that service principal access to the keys stored in Azure Key Vault; they can be keys, they can be secrets. And when you are running the code on Azure App Service or an Azure virtual machine, that code, using a specific URI, can authenticate itself with Azure Active Directory without any credentials. As long as the code is running within the context of your virtual machine, your App Service or any other supported service, the code doesn't require any credentials; it just needs to use a particular URI in order to authenticate itself with Azure Active Directory, get a token back and use the token to access the keys or secrets stored in Key Vault. For example, let's say the secret is a SQL connection string: get the connection string from Azure Key Vault and use it to access the data in Azure SQL. I hope you understand this. This is how you can totally secure your solution on Azure using managed identities and Azure Key Vault. And finally, how can we secure Azure Key Vault itself?
You need to know how to secure who can access Azure Key Vault, how they will access the data residing in Azure Key Vault, and so on. So let me take you through that. First of all, management plane security. You can use Azure Active Directory and create role assignments on Azure Key Vault to administer the Key Vault. Basically, the user will be able to create key vaults, delete vaults, read vault properties, manage access policies and so on; so basically the administrative level. The second thing you can control with respect to Azure Key Vault security is access to its data. In order to control access to data, you use Key Vault access policies. Basically, you define a policy, grant permissions to keys, secrets or certificates using that policy, and assign that policy to a security principal. That security principal can be a user, a group of users, a service principal or a managed identity. Don't worry if you don't understand this; in the next lab I'm going to show it to you, and it's better to see the information to understand it than to listen to an explanation about it. The third control that you can have on Key Vault security is network access. You can reduce the exposure of your vault by specifying which IP addresses have access to it. So basically you can specify IP address ranges and also virtual network service endpoints. And finally, anything that is happening on Azure Key Vault in terms of changing the access policies, changing some of the properties or accessing the keys (you know, how many times a particular key has been accessed, who is accessing it), all this information will get logged, and you will have complete logging information at your disposal in order to analyze the usage patterns and also raise some security alerts. So that's it for this lecture. In this lecture I have taken you through the key capabilities of Azure Key Vault, how to use it,
and also what the best practice is in terms of using Azure Key Vault, and finally how you can secure Azure Key Vault at the administrative level, data level and network level. The next lecture is a lab where I'm going to show you how to create an Azure Key Vault, and I'll also show you how to create keys and secrets and how you can create and manage access policies. It's going to be an interesting lab, so if you have some time, join me in the next lab.

14. Lab demo - Walkthrough of Azure Key Vault capabilities: Hi. Welcome to this lab. In this lab I'm going to show you how to create and manage Key Vault using the Azure portal, and then I am taking you through secrets in Azure Key Vault. I'm going to create a secret to hold a SQL database connection string, and I will show you in the next lab how you can customize your application to access the connection string stored in Key Vault securely. So first of all, let me create an Azure Key Vault. In order to do that, let's go to the Azure portal, click on Create a resource, type in "Key Vault" and click on Create. Let's give it a name and a subscription; I'm going to leave the defaults. For the resource group, I already created one. Let's select the location; I'm going to leave that as it is. And there are two pricing tiers available: one is Standard and the other one is Premium. Premium basically provides HSM-backed keys; basically, you can store keys in such a way that they never leave the HSM. So if you click here, then you can select Premium, but please note there is a cost associated with it. And access policies: using access policies you can control who can access the data within Azure Key Vault, and to what level as well. So for example, you can provide read-only access, list access and so on, which I will take you through in a minute anyway. And the next thing is virtual network access.
While creating an Azure Key Vault, you can control from which virtual networks you want to accept connections to your Key Vault. Okay, so click on Create. Generally it is pretty quick, so I'm going to wait for its creation to complete. Now our Azure Key Vault has been successfully created, so let's go to the resource. In terms of control at the management plane security level, you can use Access control (IAM). I'm not going to take you through that now, because I'm pretty sure you already know it and I have taken you through it many, many times. The second thing is Keys. Here you are able to generate keys or import keys. Generally, you'll use this module in order to create or import encryption keys. So if you click on Generate/Import here, you can generate, you can import, or you can restore a backup. Let me create a key; I'm going to call this "encryption key for SQL", let's say. For the key type, you can create either RSA type or EC type, and you can also select the key size. You can set an activation date, from which date this key will be valid, and also an expiration date, by which time it will have expired. Click on Create. Now our key has been successfully created. Let's click on it, and click on the version. Here you can see the endpoint that your application can use in order to retrieve the value of this key. So when you are providing access to somebody else or some application, basically you will provide this URI. In case you want to change the activation date or expiration date later, you can do that; you can add tags as well, and most importantly, you are able to control the permitted operations. So for example, you can untick this, say "Verify", and save, and nobody will be able to do the verify operation. Okay, so let's close this. And the next thing I want to show you is Secrets. Again, you can generate or import, and you might be seeing this "Restore Backup".
When you click on it, you are able to export these keys, and at a later point in time you are able to import them. But you need to be very careful when you're doing that: the whole point of Key Vault is that encryption keys, secrets and certificates never leave Key Vault; that's the whole idea of it, isn't it? Click on Generate/Import. Again, you have a manual option to create the secret manually, or if it is a certificate, then you can upload the certificate as well. So if you select Certificate, then you can upload a certificate, but I want to create a secret manually. I'm going to call this "SQL connection string". And I'm going to open another tab and try to locate the SQL server that I created earlier; go to the SQL database, go to Connection strings, copy this and then go back here and paste it. That's the value. And content type: in case you are storing some JSON string or XML string, then you can specify that here. And also, if you want to specify an activation date and expiration date, you can specify them here. So let's click on Create. Now my secret got created. Let's click on it, click on this version; again, you can create a new version as well, but I will let you explore that stuff. Again, if your application or your developer needs to access that secret value, they need to use this particular endpoint. And if you come down here, you are able to view the secret value, change the content type and so on. But I'm not going to do that now, so let's close this. Another important thing, which I like the most, is Certificates. The beauty of using Azure Key Vault is that you are able to procure the certificate from Key Vault itself. So select Generate rather than Import, and select the integrated CA. There are only two integrated CAs at the moment; I think they are DigiCert and GlobalSign. Let me select it and see that here. Click on Certificate Authority and the provider.
If you see, DigiCert and GlobalSign. Once you have added the certificate authority here, from that moment onwards you can generate the certificate from here itself. That means your certificate is never leaving the territory of Azure Key Vault. That's what I like the most, because generally, when you procure certificates, some senior person like a security officer will receive that certificate over email or store it in a secure place and so on, and all of those have an inherent risk associated with them. But with Azure Key Vault, because the certificate is never leaving the territory of Azure Key Vault, it is much more secure than procuring the certificate outside and trying to upload it into Key Vault. I'm not going to purchase one, but if you want to procure a certificate, this is how you can do that. And the next thing is Access policies. This is where you control who has access to the data in your Key Vault, and also at what level. So, for example, let's click on Add new here. You can select a security principal; the security principal can be a user, a group, a service principal or a managed identity. And also, to make matters easy for you, there are some templates available: in case you want to create an access policy for Azure Backup, then you can use that template; you can use SQL Server Connector, Certificate Management, and so on. None of these is mandatory, but if it makes your life easy, try to use a template. Basically, once you select a template, some permissions get auto-selected; that's the idea of the template. But I don't want a template here. Sorry, it got stuck; it seems to be reloading everything. Let me do it again. Click on Add new, and then you can select a security principal, be it a user, a service principal and so on. But I'm going to select myself. Let's see.
And then let's say I want to give permission to get keys and list keys. And in terms of secrets, I want to give get, set and list, let's say. I don't want to provide any certificate permissions, so I'm going to leave that as it is. And one more thing I want to tell you is, if you select the principal as a user, then you can also select an authorized application. In case you register your application in Azure Active Directory, then you can specify an application that can access these keys and secrets on behalf of the user. Generally, this might happen in mobile applications, because in mobile applications, or even web applications, there is quite a bit of functionality that runs under the user's context. In that case your application generally accesses different Azure services on behalf of the user, and one of those Azure services can be Azure Key Vault. To be able to achieve that, you have to configure an access policy and specify the application that can access your keys and secrets in Key Vault on behalf of the user. So I'm going to select OK. That said, another thing I want to tell you about is the advanced access policies: in case you are using Azure Disk Encryption, then you need to tick this one; let's say in Azure Resource Manager deployment templates you want to securely access some information from Azure Key Vault and use it in the templates, then you need to tick this one; similarly this one as well. I already showed you disk encryption; at that time I enabled this access, and if you refer to that lab then you'll understand what I'm telling you. So I'm going to leave those settings as they are. Click on Save. And the next thing is Firewalls and virtual networks. Here you can define from which IP addresses you want to accept connections to your Key Vault, and also from which virtual networks you want to accept connections. This is pretty common these days.
For most of the Azure resources there is a Firewalls and virtual networks blade. Okay, so that's it for this lab. In this lab I have shown you how to create an Azure Key Vault, and I have also shown you how to create and manage secrets, keys, certificates, access policies and firewalls and virtual networks. In the next lab I'm going to show you how to access the secret value that we created in this lab. So if you go to Secrets, we created one secret, "SQL connection string", and we provided the value; if you see, that's the value. I'm going to show you in the next lab how you can customize your application in order to retrieve this connection string and connect to the SQL database at run time. So if you have some time, join me in the next lab.

15. Lab demo - Retrieve the secret in Azure Key vault from Web app: Hi. Welcome to this lab. In this lab I'm going to show you how to access the secret that I created in the previous lab in Azure Key Vault from an Azure Web App. In order to achieve this, I'm going to follow the Microsoft recommended best practice, which is using managed identities. So basically, I'm going to create an Azure Web App and enable managed identity for it, provide access for that managed identity to the Azure Key Vault secrets, and finally create an application with a particular snippet of code to access the secret in Key Vault using the URI of that particular secret. I know you might be getting confused, but follow my steps very carefully, and in the end everything will become clear. So let's go to the Azure portal, click on Create a resource and type in "Web App". Click on Create, select the resource group as the existing one, and give it an instance name. For the runtime stack, I'm going to select .NET Core 2.2; for the location, North Europe; and for the pricing plan,
I'm going to change the size to Free. Click on Review and create, then click on Create. This is going to take a minute, so I'm going to pause this video until this Web App is successfully created. Now the Web App has been successfully created, so let's go to the resource. The next thing I'm going to do is enable managed identity: click on Identity, switch it on here and click on Save. Now we have completed two steps. The next step is to provide access for this identity to the Azure Key Vault secrets. In order to do that, go to the dashboard, where I pinned the Key Vault, go to Access policies, and we need to create an access policy. For the principal, we're going to select the Web App; this is the one, click on Select. In terms of permissions, I am going to give this Web App identity permissions on the secrets of this Azure Key Vault; so we only select one operation, that is Get, that's it. Click on OK and click on Save. All done from the configuration perspective. Now we need to publish an application with a snippet of code to access the secret from the Azure Web App. So let's do that. Go to Visual Studio, click on File, New Project; it's a bit slow, actually. Click on File, New Project, ASP.NET Core Web Application, and I'm not changing the name; you can leave that as it is. Click on Web Application and click on OK. Now our web application has been successfully created. The next thing I'm going to do is add a snippet of code in one of the pages. In this case I'm going to choose About.cshtml, and I'm going to click on the code-behind. In this function, generally the message displayed on this particular page is "Your application description page". I'm going to change this to the secret value. I have already written a snippet of code; it's very simple, actually.
The first thing is, you need to create an instance of AzureServiceTokenProvider; that's the first one. By creating this instance of AzureServiceTokenProvider, you are basically validating the managed identity with Azure Active Directory. Once it is successfully validated, you can create a KeyVaultClient by passing the Key Vault token callback, and finally use that KeyVaultClient to get the secret value. So this is the URL that you are going to use, and you can get that URL from your Key Vault: go to Secrets, click on the secret, click on the version, and here you can see the endpoint. Copy this and paste it here in case you are trying to do this lab for practice. So first of all, let me copy this code and paste it here. I know I'm going to get some errors because we haven't imported the NuGet packages. Click on Manage NuGet Packages, click on Browse. The first thing we need to import is Key Vault; sorry, let me give a space here. Let's select this and install, click on I Accept. All done. The next thing we need to import is AppAuthentication; click on it and click Install. Now this one is also completed. So let's go back and see whether the errors have disappeared. No, because we haven't included the namespaces. Let me include them, and the next one we need to include is AppAuthentication. That's it. And the last one: because we have an await, we need to make this function async. Sorry, not this one, this is a variable; this one. So let me type in async Task, and here await. Okay, that's it; the build is completed. Now, before I publish this, I just want to take you through the code again. Sorry, the system is being very slow today. Anyway, so the first thing is I am creating an instance of AzureServiceTokenProvider. By creating it, you are authenticating the managed identity of the Azure Web App with Azure Active Directory, and then you are creating your instance of KeyVaultClient
and passing the AzureServiceTokenProvider token callback to this KeyVaultClient; using the token and also the URI of the particular secret, you are fetching the secret value. One thing, if you carefully observe: we haven't provided any user ID, password or anything like that in the configuration file, and we are not fetching anything from the configuration. That's the beauty of managed identities, because you are not mentioning this credential information anywhere, and your security attack surface is reduced tremendously. However, in case you want to debug this locally, it won't work, because this particular code will work only on that particular Azure Web App, as it is using the managed identity of that Web App. So the only thing you can do is debug remotely, not locally. So let's publish this to the Web App: select the Web App and Publish. Sorry, let me do that again, and click on OK. This is going to publish this application to the Azure Web App, so I'm going to pause this video for a few minutes and come back once the publish has successfully completed. Now the publish has been successfully completed, and the application has also been launched. Note that this web application is currently running on that particular Azure Web App; it is not launched locally, it is launched on the Azure Web App itself. You need to keep that in mind. Click on About; now we should be able to see the secret value. See, this is the secret value. Generally, if you come down here, it is displayed as "Your application description page"; that's the message generally displayed here, but we changed the code a bit to display the secret value. I hope you got a complete understanding. One reason I like this the most is that we are not providing any credential information within the web application.
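The About page code-behind that the lab builds, written out here as an added example rather than the class's own snippet. It targets the ASP.NET Core 2.2 Razor Pages template (default project name WebApplication1) with the Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication NuGet packages installed; the configuration key KeyVault:SecretId and the vault, secret and version names in the placeholder URL are my assumptions.

```csharp
// Pages/About.cshtml.cs (ASP.NET Core 2.2 Razor Pages template).
// NuGet packages: Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;

namespace WebApplication1.Pages
{
    public class AboutModel : PageModel
    {
        private readonly IConfiguration _config;

        public string Message { get; set; }

        public AboutModel(IConfiguration config)
        {
            _config = config;
        }

        // The template's OnGet() becomes async because GetSecretAsync is awaited.
        public async Task OnGetAsync()
        {
            // Secret identifier: the endpoint shown on the secret's version blade.
            // Read from the assumed configuration key "KeyVault:SecretId"; the
            // fallback below is a placeholder, not a real vault. Only the URI of the
            // secret lives in configuration, never the secret value itself.
            string secretId = _config["KeyVault:SecretId"]
                ?? "https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>";

            // The token provider contacts the web app's managed identity endpoint and
            // obtains an Azure AD token for it; no client secret or password exists in
            // this application or its config files.
            var tokenProvider = new AzureServiceTokenProvider();
            var keyVaultClient = new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

            try
            {
                // Key Vault checks the access policy of the managed identity: in the lab
                // it was granted only the 'Get' permission on secrets.
                SecretBundle secret = await keyVaultClient.GetSecretAsync(secretId);

                // The lab renders the value to prove retrieval works; a real application
                // would pass it to the SQL client instead of displaying it.
                Message = secret.Value;
            }
            catch (AzureServiceTokenProviderException ex)
            {
                // No managed identity is available, e.g. the code is not running on the
                // Azure Web App, which is why the lab says local debugging does not work.
                Message = "Managed identity token could not be obtained: " + ex.Message;
            }
            catch (KeyVaultErrorException ex)
            {
                // The identity authenticated, but the vault refused the call: typically
                // a missing 'Get' secret permission or a wrong secret identifier.
                Message = "Key Vault request failed: " + ex.Message;
            }
        }
    }
}
```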
We are storing them securely in Azure Key Vault, and we are using the managed identity feature of the Azure Web App in order to retrieve Key Vault secrets. So that's it for this lab. In this lab I have shown you how to create a Web App and enable managed identity for that Web App; secondly, how to provide access for the managed identity to the Azure Key Vault secrets; and thirdly, how to develop a simple application that accesses the Azure Key Vault secret value from the application code. I hope you find this lab very useful.