A phishing scam is an example of an identity attack.

Common identity attacks

Some of the most common types of security threats that organizations face today are identity attacks. These attacks are designed to steal the credentials used to validate or authenticate that someone or something is who they claim to be. The result is identity theft.

Password-based attacks

Password-based attacks include password spray attacks and brute force attacks. A password spray attack attempts to match a username against a list of weak passwords.

Brute force attacks try many passwords against one or more accounts, sometimes using dictionaries of commonly used passwords. When a user has assigned a weak password to their account, the hacker will find a match, and access that account.

Phishing

A phishing attack is when a hacker sends an email that appears to come from a reputable source. The email contains a credible story, such as a security breach, instructing the user to sign in and change their password. Instead of going to a legitimate website, the user is directed to the scammer’s website where they enter their username and password. The hacker has now captured the user’s identity, and their password.

Although many phishing scam emails are badly written and easy to identify, when users are busy or tired, they make mistakes and are more easily deceived. As hackers become more sophisticated, their phishing emails become more difficult to identify.

Spear phishing

A spear phishing scam is a variant on phishing. Hackers build databases of information about users, which can be used to create highly credible emails. The email may appear to come from someone in your organization who is requesting information. Although careful scrutiny might uncover the fraud, users may not read it carefully enough and send the requested information or login to the website before they realize the fraud. This practice is called spear phishing because it's highly targeted.

To protect against all types of identity attacks, robust identity security and monitoring is needed. Risk detections in Azure AD Identity Protection include any identified suspicious actions related to user accounts.

There are two types of risk: user risk and sign-in risk. User risk represents the probability that a given identity or account is compromised. Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.

https://www.microsoft.com/security/blog/2020/07/15/prevent-identity-attacks-azure-active-directory/

Yes - You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Network security groups

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Security rules

A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:

Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. You may not create two security rules with the same priority and direction. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.

Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.

There are limits to the number of security rules you can create in a network security group.

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Cloud Security Posture Management

Cloud-based systems are continually evolving and changing as companies move away from on-premises to the cloud. This move makes it difficult for any IT department to know if your data, assets, and resources are as fully protected as they used to be. Even a small misconfiguration of a new feature can increase the attack surface available for cybercriminals to exploit.

Cloud security posture management (CSPM) is a relatively new class of tools designed to improve your cloud security management. It assesses your systems and automatically alerts security staff in your IT department when a vulnerability is found. CSPM uses tools and services in your cloud environment to monitor and prioritize security enhancements and features.

CSPM uses a combination of tools and services:

• Zero Trust-based access control: Considers the active threat level during access control decisions.

• Real-time risk scoring: To provide visibility into top risks.

• Threat and vulnerability management (TVM): Establishes a holistic view of the organization's attack surface and risk and integrates it into operations and engineering decision-making.

• Discover sharing risks: To understand the data exposure of enterprise intellectual property, on sanctioned and unsanctioned cloud services.

• Technical policy: Apply guardrails to audit and enforce the organization's standards and policies to technical systems.

• Threat modelling systems and architectures: Used alongside other specific applications.

The main goal for a cloud security team working on posture management is to continuously report on and improve the organization's security posture by focusing on disrupting a potential attacker's return on investment (ROI).

The function of CSPM in your organization might be spread across multiple teams, or there may be a dedicated team. CSPM can be useful to many teams in your organization:

• Threat intelligence team

• Information technology

• Compliance and risk management teams

• Business leaders and SMEs

• Security architecture and operations

• Audit team

Use CSPM to improve your cloud security management by assessing the environment, and automatically alerting security staff for vulnerabilities.

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-posture-management

No - Evaluations of assigned policies and initiatives happen as the result of various events

https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data

Azure Policy

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

All Azure Policy data and objects are encrypted at rest. For more information, see Azure data encryption at rest.

Overview

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the Resource Manager scope of that assignment. Subscopes can be excluded, if necessary. For more information, see Scope in Azure Policy.

Azure Policy uses a JSON format to form the logic the evaluation uses to determine whether a resource is compliant or not. Definitions include metadata and the policy rule. The defined rule can use functions, parameters, logical operators, conditions, and property aliases to match exactly the scenario you want. The policy rule determines which resources in the scope of the assignment get evaluated.

Understand evaluation outcomes

Resources are evaluated at specific times during the resource lifecycle, the policy assignment lifecycle, and for regular ongoing compliance evaluation. The following are the times or events that cause a resource to be evaluated:

• A resource is created, updated, or deleted in a scope with a policy assignment.

• A policy or initiative is newly assigned to a scope.

• A policy or initiative already assigned to a scope is updated.

• During the standard compliance evaluation cycle, which occurs once every 24 hours.

For detailed information about when and how policy evaluation happens, see Evaluation triggers.

Control the response to an evaluation

Business rules for handling non-compliant resources vary widely between organizations. Examples of how an organization wants the platform to respond to a non-compliant resource include:

• Deny the resource change

• Log the change to the resource

• Alter the resource before the change

• Alter the resource after the change

• Deploy related compliant resources

Azure Policy makes each of these business responses possible through the application of effects. Effects are set in the policy rule portion of the policy definition.

Remediate non-compliant resources

While these effects primarily affect a resource when the resource is created or updated, Azure Policy also supports dealing with existing non-compliant resources without needing to alter that resource.

https://youtu.be/dxMaYF2GB7o

https://docs.microsoft.com/en-us/azure/governance/policy/overview

Capabilities like retention policies, retention labels, and records management enable organizations to govern their data.

Know your data, protect your data, and govern your data

Microsoft Information Protection (MIP) discovers, classifies, and protects sensitive and business-critical content throughout its lifecycle across your organization. It provides the tools to know your data, protect your data, and prevent data loss.

Microsoft Information Governance (MIG) manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you don't. It gives organizations the capabilities to govern their data, for compliance or regulatory requirements. Microsoft Information Protection and Microsoft Information Governance work together to classify, protect, and keep your data where it lives, and wherever it goes.

• Know your data: Organizations can understand their data landscape and identify important data across on-premises, cloud, and hybrid environments. Capabilities and tools such as trainable classifiers, activity explorer, and content explorer allow organizations to know their data.

• Protect your data: Organizations can apply flexible protection actions including encryption, access restrictions, and visual markings.

• Prevent data loss: Organizations can detect risky behaviour and prevent accidental oversharing of sensitive information. Capabilities such as data loss prevention policies and endpoint data loss prevention enable organizations to avoid data loss.

• Govern your data: Organizations can automatically keep, delete, and store data and records in a compliant manner. Capabilities like retention policies, retention labels, and records management enable organizations to govern their data.

The following units in this module will describe the capabilities in more detail.

https://docs.microsoft.com/en-us/cloud-app-security/tutorial-dlp

Members of this role group can create and manage Core eDiscovery cases. They can also add and remove members, place an eDiscovery hold on users, create and edit searches, and export content from a Core eDiscovery case.

The purpose of eDiscovery

Sometimes a company may become involved in litigation and need to find electronic information to be used as evidence.

Electronic discovery or eDiscovery tools, can be used to search for content in Exchange Online mailboxes, Microsoft 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, Skype for Business conversations, and Yammer teams. You can search across mailboxes and sites in a single eDiscovery search by using the Content Search tool. And you can use Core eDiscovery cases to identify, hold, and export content found in mailboxes and sites.

If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage custodians and analyze content by using the Advanced eDiscovery solution in Microsoft 365. Microsoft 365 provides the following eDiscovery tools:

• Content Search

• Core eDiscovery

• Advanced eDiscovery

Capabilities of the content search tool

The Content Search eDiscovery tool, accessible from the compliance centre in Office 365 or Microsoft 365, enables search for in-place items such as email, documents, and instant messaging conversations in your organization. Search for items is supported in the following services:

• Exchange Online mailboxes and public folders

• SharePoint Online sites and OneDrive for Business accounts

• Skype for Business conversations

• Microsoft Teams

• Microsoft 365 Groups

• Yammer Groups

To have access to the content search page to run searches and preview and export results, an administrator, compliance officer, or eDiscovery manager must be a member of the eDiscovery Manager role group in the Security and Compliance Centre. For more information, visit Assign eDiscovery permissions.

Run a search

To start using the Content Search tool, you must choose content locations to search and configure a keyword query to find specific items. Or the user can just leave the query blank and return all items in the target locations. Examples of some of the capabilities for running a search include:

• Build search queries and use conditions to narrow your search.

• Configure search permissions filtering so that an eDiscovery manager can only search for a subset of mailboxes or sites in your organization.

• Run an ID list search to search for specific mailbox email messages and other mailbox items using a list of Exchange IDs.

• Search for Teams chat data across on-premises users.

• View keyword statistics for the results of a search and then refine the query if necessary.

• Search for third-party data that your organization has imported to Microsoft 365.

• Preserve Bcc recipients to follow regulatory compliance and eDiscovery requirements that may require organizations to preserve mailbox content, including the ability to search for and reproduce details about all recipients of a message, not just those on the "to" and "cc" list.

Complete actions on content

After you run a search and refine it as necessary, the next step is to do something with the results returned by the search. You can export and download the results to your local computer or, if there is an email-based attack, you can delete the results of a search from user mailboxes. You can also use scripts for advanced scenarios. Sometimes you have to do more advanced, complex, and repetitive content search tasks. To help make this easier, Microsoft has created a number of Security and Compliance Centre PowerShell scripts to help complete complex content search-related tasks. Some of these scripts include:

• Search-specific mailbox and site folders (called a targeted collection) when you're confident that items responsive to a case are located in that folder.

• Search the mailbox and OneDrive location for a list of users.

• Create, report on, and delete multiple searches to quickly and efficiently identify, and cull search data.

• Clone a content search and quickly compare the results of different keyword search queries run on the same content locations; or use the script to save time by not having to reenter a large number of content locations when you create a new search.

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-content

Azure AD identity types

Azure AD manages different types of identities: users, service principals, managed identities, and devices.

User

A user identity is a representation of something that's managed by Azure AD. Employees and guests are represented as users in Azure AD. If you have several users with the same access needs, you can create a group. You use groups to give access permissions to all members of the group, instead of having to assign access rights individually.

Azure AD business-to-business (B2B) collaboration, a feature within External Identities, includes the capability to add guest users. With B2B collaboration, an organization can securely share applications and services with guest users from another organization.

Interactive guide

In the following interactive guide, you'll add a new user to Azure Active Directory.

https://edxinteractivepage.blob.core.windows.net/edxpages/Security%20fundamentals/LP02M02%20-%20Create%20a%20New%20User%20in%20Azure%20Active%20Directory/index.html

Service principal

A service principal is a security identity used by applications or services to access specific Azure resources. You can think of it as an identity for an application.

For an application to delegate its identity and access functions to Azure AD, the application must first be registered with Azure AD. The process of registering creates a globally unique app object that's stored in your home tenant or directory. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal defines what the app does in the tenant, such as who accesses the app, and what resources the app can access.

Managed identity

A managed identity is automatically managed in Azure AD. Managed identities are typically used to manage the credentials for authenticating a cloud application with an Azure service.

There are several benefits to using managed identities, including:

• Application developers can authenticate to services that support managed identities for Azure resources. For a complete list of services, refer to Azure Services that support managed identities.

• Any Azure service that supports Azure AD authentication can use managed identities to authenticate to another Azure service; for example, accessing Azure Key Vault.

• Managed identities can be used without any extra cost.

There are two types of managed identities: system-assigned and user-assigned.

System-assigned. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD that's tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

User-assigned. You may also create a managed identity as a standalone Azure resource. A user-assigned managed identity is assigned to one or more instances of an Azure service. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. With user-assigned managed identities, the identity is managed separately from the resources that use it.

The following table summarizes the differences between system-assigned and user-assigned managed identities:

Device

A device is a piece of hardware, such as mobile devices, laptops, servers, or printer. Device identities can be set up in different ways in Azure AD, to determine properties such as who owns the device. Managing devices in Azure AD allows an organization to protect its assets by using tools such as Microsoft Intune to ensure standards for security and compliance. Azure AD also enables single sign-on to devices, apps, and services from anywhere through these devices.

There are multiple options for getting devices into Azure AD:

• Azure AD registered devices can be Windows 10, iOS, Android, or macOS devices. Devices that are Azure AD registered are typically owned personally, rather than by the organization. They're signed in with a personal Microsoft account or another local account.

• Azure AD joined devices exist only in the cloud. Azure AD joined devices are owned by an organization and signed in with their account. Users sign in to their devices with their Azure AD or synced Active Directory work or school accounts. You can configure Azure AD joined devices for all Windows 10 devices (except Windows 10 Home).

• Hybrid Azure AD joined devices can be Windows 7, 8.1, or 10, or Windows Server 2008, or newer. Devices that are hybrid Azure AD joined are owned by an organization and signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises.

IT admins can use tools like Microsoft Intune, a mobile device management (MDM) solution, to manage devices.

https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune

No - Access to Windows Server VMs by Azure Bastion does not require an RDS CAL when used solely for administrative purposes.

Azure Bastion

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

Yes - Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, your storage, and more

Azure Defender

Azure Security Centre's features cover the two broad pillars of cloud security:

• Cloud security posture management (CSPM) - Security Centre is available for free to all Azure users. The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more. Use these CSPM features to strengthen your hybrid cloud posture and track compliance with the built-in policies.

• Cloud workload protection (CWP) - Security Centre's integrated cloud workload protection platform (CWPP), Azure Defender, brings advanced, intelligent, protection of your Azure and hybrid resources and workloads. Enabling Azure Defender brings a range of additional security features as described on this page. In addition to the built-in policies, when you've enabled any Azure Defender plan, you can add custom policies and initiatives. You can add regulatory standards - such as NIST and Azure CIS - as well as the Azure Security Benchmark for a truly customized view of your compliance.

The Azure Defender dashboard in Security Centre provides visibility and control of the CWP features for your environment:

What resource types can Azure Defender secure?

Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more.

When you enable Azure Defender from the Pricing and settings area of Azure Security Centre, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:

• Azure Defender for servers

• Azure Defender for App Service

• Azure Defender for Storage

• Azure Defender for SQL

• Azure Defender for Kubernetes

• Azure Defender for container registries

• Azure Defender for Key Vault

• Azure Defender for Resource Manager

• Azure Defender for DNS

• Azure Defender for open-source relational databases

Each of these plans is explained separately in the Security Centre documentation.

https://docs.microsoft.com/en-us/azure/security-center/azure-defender

Yes – It is feasible to use Azure Firewall to protect the organizations virtual networks. Azure Firewall is a managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers.

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers. You can deploy Azure Firewall on any virtual network, but the best approach is to use it on a centralized virtual network. All your other virtual and on-premises networks will then route through it. The advantage of this model is the ability to centrally exert control of network traffic for all your VNets across different subscriptions.

With Azure Firewall, you can scale up the usage to accommodate changing network traffic flows, so you don't need to budget for peak traffic. Network traffic is subjected to the configured firewall rules when you route it to the firewall as the subnet default gateway.

Key features of Azure Firewall

Azure Firewall comes with many features, including but not limited to:

• Built-in high availability and availability zones: High availability is built in so there's nothing to configure. Also, Azure Firewall can be configured to span multiple availability zones for increased availability.

• Network and application level filtering: Use IP address, port, and protocol to support fully qualified domain name filtering for outbound HTTP(s) traffic and network filtering controls.

• Outbound SNAT and inbound DNAT to communicate with internet resources: Translates the private IP address of network resources to an Azure public IP address (source network address translation) to identify and allow traffic originating from the virtual network to internet destinations. Similarly, inbound internet traffic to the firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses of resources on the virtual network.

• Multiple public IP addresses: These addresses can be associated with Azure Firewall.

• Threat intelligence: Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains.

• Integration with Azure Monitor: Integrated with Azure Monitor to enable collecting, analyzing, and acting on telemetry from Azure Firewall logs.

Use Azure Firewall to help protect the Azure resources you've connected to Azure Virtual Networks.

https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/4-describe-what-azure-firewall