
Master Azure security technologies for the AZ-500 exam by building practical experience in identity and access management, platform protection, security operations, and data security across cloud and hybrid environments.
Learn how to create and manage a new Azure AD tenant, switch between tenants, assign global administrator roles, choose a domain and region, and understand subscription requirements for resources.
Explore how Azure Active Directory differentiates service principals from system-assigned managed identities, and learn when to use application credentials versus Azure-managed identities to grant access to resources.
Create Azure AD users as members or external guests, using the tenant's default domain or a verified custom domain, and provision them in bulk from a CSV file or through Azure AD Connect synchronization.
Create and manage Azure AD groups to organize large numbers of users (for example, separate groups for teachers and students), add members and owners, and assign licenses and application access in bulk through group-based assignment.
Configure administrative units to scope administrative roles, such as a helpdesk role, to specific sets of users or groups like teachers or students; note that scoped role assignments require Azure AD Premium licensing.
Discover Azure AD Privileged Identity Management, which provides just-in-time, time-bound role activation with approval workflows, notifications, and an audit history; manage active and eligible assignments and run access reviews on privileged roles.
Create and tune Azure AD conditional access policies to evaluate user risk and sign-in risk, enforce MFA, and restrict access across apps and locations.
Use the what-if feature to test conditional access policies. Verify that student logins trigger the expected policies under different risk levels, devices, and MFA requirements.
Explore Azure AD Identity Protection, including the user risk, sign-in risk, and MFA registration policies. Learn how risk-based controls, reporting, and alerts block high-risk sign-ins and require MFA or a password change when risk is detected.
Explore access reviews within identity governance to automate permission management in large directories. Use self-review, manager review, and approval workflows to reconfirm access on a recurring cadence, balancing security with usability.
Learn how single sign-on combines on-premises Active Directory with Azure AD Connect so that users sign in to cloud applications with the same credentials, using a synchronized password hash.
Install and configure Azure AD Connect to synchronize the on-premises Active Directory instructors group to the cloud using password hash synchronization, including domain selection and health checks.
Register an application in Azure AD so that Azure AD acts as its identity provider, obtain a client ID and client secret (treat the secret like a password and prefer certificates where possible), configure a redirect URI, and distinguish app registrations from enterprise applications.
Create and assign custom roles in Azure by cloning a built-in reader role, adding storage account permissions, and applying at the subscription level for fine-grained access control.
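As an added example (not code from the course), the custom-role procedure above in Az PowerShell: clone the built-in Reader role, add one storage control-plane action, restrict the assignable scope to a single subscription, assign it, and read back the effective action list. The subscription ID, the principal object ID, and the role name are placeholders.

```powershell
# Added example (not from the course): clone the built-in Reader role, add a
# storage control-plane permission, and scope the new role to one subscription.
# Assumptions: Az.Resources module installed and Connect-AzAccount already run.
# The subscription ID and principal object ID below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder: user or group object ID
$scope          = "/subscriptions/$subscriptionId"

# Start from Reader so the new role inherits "*/read" and nothing else.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id          = $null          # a null Id makes New-AzRoleDefinition create a new role
$role.IsCustom    = $true
$role.Name        = "Reader plus Storage Account Writer"   # placeholder; must be unique in the tenant
$role.Description = "Reader access plus the ability to change storage account settings"

# Add the control-plane action. Deliberately not adding
# Microsoft.Storage/storageAccounts/listKeys/action: listing the account keys
# is effectively full data-plane access to everything in the account.
$role.Actions.Add("Microsoft.Storage/storageAccounts/write")

# Limit where the role can be assigned to this one subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

$newRole = New-AzRoleDefinition -Role $role

# Assign it at subscription scope and confirm the effective permission set.
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $newRole.Name -Scope $scope
Get-AzRoleDefinition -Name $newRole.Name | Select-Object -ExpandProperty Actions
```

Because Reader already contains `*/read`, the only new capability is the single `write` action; the final `Get-AzRoleDefinition` call is the check that nothing broader slipped in. A new definition can take a few minutes to propagate before it appears in the portal's role picker.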
Design a secure hybrid network in Azure by linking on-premises with site-to-site VPN or ExpressRoute, using a DMZ, Azure Bastion, and an Azure Firewall to control access.
Demonstrate deploying a secure hybrid network with on-premises and Azure virtual networks in a hub-and-spoke model, using site-to-site connectivity, gateways, and Bastion for secure access.
Azure Bastion provides browser-based RDP and SSH access to virtual machines over TLS from a dedicated AzureBastionSubnet with its own public IP, so the VMs themselves need no public IP and no inbound RDP (3389) or SSH (22) port exposed to the internet.
Learn how Azure Firewall Manager centralizes policy management across virtual networks and secured virtual hubs, letting you reuse parent and child firewall policies across multiple firewalls, with application, network, and NAT rule collections.
Enable TLS inspection and intrusion detection and prevention (IDPS) in Azure Firewall Premium, with threat-intelligence filtering, URL filtering, and a signature set of more than 58,000 rules that receives roughly 20–40 new rules per day.
Azure Application Gateway delivers layer 7 load balancing with path-based routing and TLS termination, routing HTTP(S) requests to back-end pools with health probes, in line with the Well-Architected Framework.
Azure Front Door is a fast global front end that exposes a single anycast endpoint with CDN caching and a web application firewall, routing traffic to multi-region back ends.
Discover Azure App Service Environment v3, a dedicated, isolated hosting environment that runs inside your own virtual network and supports web apps, containers, Functions, and Logic Apps, with enhanced scale and performance.
Turn off public access and create a private endpoint for a storage account to enable private connectivity. Learn about private link, private DNS zones, and subnet selection for secure access.
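The storage private-endpoint procedure above, as an added example in Az PowerShell (not code from the course): disable public network access, create a private endpoint for the blob sub-resource in an existing subnet, and attach the `privatelink.blob.core.windows.net` zone so the account name resolves to the private IP from inside the VNet. Resource group, region, storage account, VNet, and subnet names are placeholders; a recent Az.Storage module (one whose `Set-AzStorageAccount` has `-PublicNetworkAccess`) is assumed.

```powershell
# Added example (not from the course): lock a storage account to private connectivity.
# Assumptions: Az.Storage, Az.Network and Az.PrivateDns installed, Connect-AzAccount
# already run, and the VNet/subnet already exist. All names below are placeholders.
$rg          = "rg-security-lab"          # placeholder
$location    = "westeurope"               # placeholder
$storageName = "stseclab01"               # placeholder, must be globally unique
$vnetName    = "vnet-hub"                 # placeholder
$subnetName  = "snet-private-endpoints"   # placeholder

# 1. Stop accepting traffic from public IPs. From now on only private endpoints
#    (and any trusted services you explicitly allow) can reach the account.
$storage = Set-AzStorageAccount -ResourceGroupName $rg -Name $storageName -PublicNetworkAccess Disabled

# 2. Create the private endpoint in the chosen subnet, targeting the blob sub-resource.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }

$connection = New-AzPrivateLinkServiceConnection -Name "$storageName-blob" `
    -PrivateLinkServiceId $storage.Id -GroupId "blob"

$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$storageName-blob" `
    -Location $location -Subnet $subnet -PrivateLinkServiceConnection $connection

# 3. Private DNS. The public name CNAMEs to <name>.privatelink.blob.core.windows.net,
#    so a privatelink zone linked to the VNet overrides resolution to the private IP.
$zoneName = "privatelink.blob.core.windows.net"
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
        -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
}

# A DNS zone group makes Azure keep the A record in sync with the endpoint's IP.
$zoneConfig = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name "default" -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 4. Verify: the endpoint's NIC holds the private IP that the zone group registered.
(Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id).IpConfigurations[0].PrivateIpAddress
```

The check a practitioner wants after this: from a VM in the linked VNet, `Resolve-DnsName stseclab01.blob.core.windows.net` should return the private IP printed in step 4, while from the internet the name still resolves to a public address but requests are rejected because public network access is disabled. If the private IP does not come back inside the VNet, the zone is usually not linked to the VNet the client actually uses, or the client is using a custom DNS server that does not forward to Azure DNS.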
Explore how Azure Private Link service exposes a back-end service behind a standard load balancer to consumers through private endpoints. Control who can discover and connect to it using RBAC-only visibility, alias-based access restricted to listed subscriptions, and auto-approval lists.
Create a private endpoint in the database subnet to connect to the private link service behind a standard load balancer, enabling secure, subnet-level connectivity across virtual networks.
Compare the always-on basic DDoS infrastructure protection with the opt-in DDoS Protection Standard, which adds telemetry and logging, a protection plan, adaptive tuning based on traffic profiling, and optional rapid-response support for attack investigation.
Enable endpoint protection on a virtual machine by turning on an antivirus engine such as Microsoft Defender Antivirus and using Microsoft Defender for Cloud to protect the VM and its surrounding resources.
Set up Update Management for an Azure VM by creating an Automation account and a Log Analytics workspace, then schedule update deployments and avoid conflicts by disabling the VM's built-in automatic updates so that Update Management controls patching.
Discover how data at rest in Azure Storage, SQL Database, and Cosmos DB is encrypted by default with service-managed keys, how to switch to customer-managed keys held in Azure Key Vault, and when to enable the infrastructure (double) encryption option.
Explore data in transit security, including TLS and HTTPS, how to require secure transfer for storage accounts and HTTPS-only for App Service, VPN encryption, and the nuance that ExpressRoute traffic is not encrypted by default.
Explore Azure Policy for centralized security management, auditing or enforcing rules across management groups, subscriptions, and resource groups. Enforce policies such as requiring Defender for Cloud and a minimum TLS version, with remediation tasks and compliance reporting.
Protect physical and virtual servers with Defender for Servers, with automatic onboarding of Azure VMs and coverage of AWS, Google Cloud, and on-premises machines through Azure Arc, for threat protection.
Enable vulnerability assessment on your virtual machines with the integrated Qualys scanner in Microsoft Defender for Servers, review findings in the portal, prioritize and patch the reported CVEs, and understand the bring-your-own-license option for an existing scanner.
Enable Microsoft Defender for SQL to audit activity, detect anomalous access, and remediate vulnerability assessment findings, with guidance for Azure SQL Database, SQL Server on VMs, and other relational databases.
Diagram your environment, including users, web apps, and databases, with the Microsoft threat modeling tool, identify threats using the STRIDE model, and apply mitigations like multi-factor authentication.
Learn to configure security monitoring with Azure Monitor and Log Analytics, set up alert rules to trigger actions via action groups when events like a SQL database deletion occur.
Enable diagnostic settings on Azure resources and send logs to a Log Analytics workspace. Use Azure Monitor workbook templates and Kusto Query Language (KQL) to analyze CPU, deadlocks, and timeouts, and create alerts from those queries.
Explore how Microsoft Sentinel combines SIEM and SOAR to collect data from log analytics, detect threats, and automate responses using Azure Active Directory logs and threat intelligence.
Configure Microsoft Sentinel data connectors, focusing on the Microsoft first-party connectors and network security group (NSG) diagnostics: enable diagnostic settings via policy or manually, query the AzureDiagnostics table, and set up analytics rules that alert on the results.
Application and data security is one of the biggest challenges most companies face. If you become proficient in Microsoft Azure security controls, this is a skill that will help you in your career. Whether you are the company security expert, or you are in operations, development, or administration, understanding Microsoft Azure's security options is a powerful tool to have in your toolbox.
This course helps you study for and pass the AZ-500 exam, Microsoft Azure Security Technologies. Passing this exam qualifies you for the certification Microsoft Certified: Azure Security Engineer Associate. You can proudly show this certification on your resume or LinkedIn profile or mention it during job interviews. It means that you have successfully demonstrated your skills in Azure Security.
In this course, I go through the requirements of the AZ-500 exam from start to finish. We cover the following areas:
Manage identity and access (30-35%)
Implement platform protection (15-20%)
Manage security operations (25-30%)
Secure data and applications (25-30%)
Course includes a free practice test.
Responsibilities for an Azure security engineer include managing the security posture, identifying and remediating vulnerabilities, performing threat modeling, implementing threat protection, and responding to security incident escalations.
Azure security engineers often serve as part of a larger team to plan and implement cloud-based management and security.