Microsoft Security 虛擬培訓日筆記


Lession 1

Zero-trust methodology

Defense in depth

Defense in depth uses a layered approach to security

  • Physical
  • Identity and access
  • Perimeter
  • Network
  • Compute
  • Application
  • Data

The shared responsibility model

The responsibilities vary based on where the workload is hosted:

  • Software as a Service
  • Platform as a Service
  • Infrastructure as a Service
  • On-premises datacenter (On-prem)

Confidentiality, Integrity, Availablity (CIA)

CIA – A way to think about security trade-offs.

  • Confidentiality refers to the need to keep confidential sensitive data such as customer information, passwords, or financial data.
  • Integrity
  • Availability

Common threats

  • Data breach
    • Phishing
    • Spear phishing
    • Tech support scams
    • SQL injection
    • Malware designed to steal passwords or bank details
  • Dictionary attack
  • Ransomeware
  • Disruptive attacks


Encrption is the process of making data unreadable and unusable to unauthorized viewers.

Two top-level types of enctryption:

  • Symmetric
  • Asymmetric


Hashing uses an algorithm to cobert the original text to a unique fixed-lenghth hash value.

Microsoft Cloud Adoption Framework

Consisits of documentation,implementation guidance, & best practices that support increases security and compliance

Lession 2

Common identity attacks

Types of security threats

  • Password-based attacks
  • Phishing
  • Spear phishing

Identity as the primary security perimeter

Identity has become the new security perimeter that enables organizations to secure their assets.

An identtity is how someone or so,ething can be verified and authenticated and may be associated with:

  • User
  • Application
  • Device
  • Other

Four pillars of identity:

  • Administration
  • Authentication
  • Authorization
  • Auditing

Modern authentication and the role of the identity provider

Modern authentication is an umbrella term for authentication and authorization methods between a client and a server.

  • identity provider (IdP)

The concept of Federated Services


  1. The website uses the authentication services of IdP-A
  2. The user authenticates with IdP-B

The concept of directory services and Active Directory

  • A directory is a hierarchical structure that stores information about objects on the network
  • A directory service stores directory data and makes it available to network users, administrators
  • The best-known service of this kind is Active Directory Domain Service (AD DS), a central component

Module Summary

  • Learned about some important security concepts and methodologies.
  • Learned about some import identity concepts


由 Micosoft 365 專家進行問答

What is authorization and authentication with example?

舉個簡單的例子,當你刷badge進入辦公室 確認你的身分的過程就是驗證authentication,當你的公司人資可以造訪你的每月薪資條,就是一種授權他可以閱讀員工薪資條的過程也就是authorization,兩者的差異主要是這樣喔

Azure Active Directory

Azure AD is Microsoft’s cloud-based identity and access management service. Capabilities of Azure AD

Azure AD identity types

  • User
  • Service principal
  • Managed identity
  • Device

Authentication methods of Azure AD


  • something you know
  • something you have
  • something you are

Multi-factor authentication (MFA) in Azure AD

Different authentication methods that can be used with MFA

  • Passwords
  • Password & additional verification
    • Phone (voice or SMS)
    • Microsoft Authenticator
    • Open Authentication (OATH) with software or hardware tokens

Windows Hello for Business

Self-service password reset (SSPR) in Azure AD

  • Benefits of Self-service password reset
  • Self-service password reset works in the following scenarious
  • Authentication method of SSPR

Lession 3

Conditional Access

Conditional Access signals

  • User or group membership
  • Named location information
  • Device
  • Application
  • Real-time sign-in risk detection
  • Cloud apps or actions
  • User risk

Access controls

  • Block access
  • Grant access
  • Require one or more conditions to be met before granting access

Azure AD role-based access control (RBAC)

  • Built-in roles
  • Custom roles
  • Azure AD role-based access control
  • Only grant the access users need


Identity governance in Azure AD

The tasks of Azure AD identity governance

  • Govern the identity llifecycle
  • Govern access lifecycle
  • Secure privileged access for administration

Identity lifecycle

  • Join: A new digital identity is created
  • Move: Update access authorizations
  • Leave: Access may need to be removed

Entitlement management and access reviews

  • Entitlement management
  • Access reviews
  • Terms of use

Privileged Identity Management (PIM)

PIM enables toy to manage, control, and monitor access to important resources in your organization.

Azure Network Security groups

Network securrity groups (NSG) let you allow or deny network traffic to and from Azure resources that exist in your Azure Virtual Network.

Azure Resource Manager locks

Azure Resource Manager locks

  • Prevent resources from being accidentally deleted or changed.

Azure Policy

Azure Defender

Scope of Azure Defender

  • Servers
  • Kubernetes
  • App Service
  • Container registries
  • Storage
  • Key Bault SQL



collect data from accrss the whole estate

Sentinel provides integrated threat protection

  • Collect
  • Detect
  • Investigate
  • Respond

Back To Top
error: 內容被保護 !!