Azure Security – Service Endpoints and Securing Storage

Scenario
You have been asked to create a proof of concept to demonstrate securing Azure file shares. Specifically, you want to:

  • Create a storage endpoint so traffic destined to Azure Storage always stays within the Azure backbone network.
  • Configure the storage endpoint so only resources from a specific subnet can access the storage.
  • Confirm that resources outside of the specific subnet cannot access the storage.

Exercise 1: Service endpoints and securing storage
Task 1: Create a virtual network

1. Sign in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual networks and press the Enter key.

3. On the Virtual Networks blade, click + New.

4. On the Basics tab of the Create virtual network blade, specify the following settings (leave others with their default values) and click Next: IP Addresses:

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | click Create new and type the name AZ500LAB12
Name | myVirtualNetwork
Region | (US) East US

5. On the IP addresses tab of the Create virtual network blade, set the IPv4 address space to 10.0.0.0/16, in the Subnet name column, click default and, on the Edit subnet blade, specify the following settings and click Save:

Setting | Value
Subnet name | Public
Subnet address range | 10.0.0.0/24

6. Back on the IP addresses tab of the Create virtual network blade, click Review + create.

7. On the Review + create tab of the Create virtual network blade, click Create.

Task 2: Add a subnet to the virtual network and configure a storage endpoint
1. In the Azure portal, navigate back to the Virtual Networks blade.

2. On the Virtual networks blade, click the myVirtualNetwork entry.

3. On the myVirtualNetwork blade, in the Settings section, click Subnets.

4. On the myVirtualNetwork | Subnets blade, click + Subnet.

5. On the Add subnet blade, specify the following settings (leave others with their default values):

Setting | Value
Subnet name | Private
Subnet address range | 10.0.1.0/24
Service endpoints | Microsoft.Storage

6. On the Add subnet blade, click Save to add the new subnet.
Note: The virtual network now has two subnets: Public and Private.

Task 3: Configure a network security group to restrict access to the subnet
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Network security groups and press the Enter key.

2. On the Network security groups blade, click + Add.

3. On the Basics tab of the Create network security group blade, specify the following settings:

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | AZ500LAB12
Name | myNsgPrivate
Region | East US

4. Click Review + create and then click Create.
Note: In the next steps, you will create an outbound security rule that allows communication to the Azure Storage service.

5. In the Azure portal, navigate back to the Network security groups blade and click the myNsgPrivate entry.

6. On the myNsgPrivate blade, in the Settings section, click Outbound security rules.

7. On the myNsgPrivate | Outbound security rules blade, click + Add.

8. On the Add outbound security rule blade, specify the following settings to explicitly allow outbound traffic to Azure Storage (leave all other values with their default settings):

Setting | Value
Source | VirtualNetwork
Source port ranges | *
Destination | in the drop-down list, select Service Tag and then click Storage
Destination port ranges | *
Protocol | Any
Action | Allow
Priority | 1000
Name | Allow-Storage-All

9. On the Add outbound security rule blade, click Add to create the new outbound rule.

10. On the myNsgPrivate blade, in the Settings section, click Outbound security rules, and then click + Add.

11. On the Add outbound security rule blade, specify the following settings to explicitly deny outbound traffic to Internet (leave all other values with their default settings):

Setting | Value
Source | VirtualNetwork
Source port ranges | *
Destination | in the drop-down list, select Service Tag and then click Internet
Destination port ranges | *
Protocol | Any
Action | Deny
Priority | 1100
Name | Deny-Internet-All

12. On the Add outbound security rule blade, click Add to create the new outbound rule.
Note:
– This rule overrides a default rule in all network security groups that allows outbound internet communication.
– In the next steps, you will create an inbound security rule that allows Remote Desktop Protocol (RDP) traffic to the subnet. The rule overrides a default security rule that denies all inbound traffic from the internet. Remote Desktop connections are allowed to the subnet so that connectivity can be tested in a later step.

13. On the myNsgPrivate | Outbound security rules blade, in the Settings section, click Inbound security rules and then click + Add.

14. On the Add inbound security rule blade, specify the following settings (leave all other values with their default values):

Setting | Value
Source | Any
Source port ranges | *
Destination | VirtualNetwork
Destination port ranges | 3389
Protocol | TCP
Action | Allow
Priority | 1200
Name | Allow-RDP-All

15. On the Add inbound security rule blade, click Add to create the new inbound rule.
Note: Now you will associate the network security group with the Private subnet.

16. On the Subnets blade, select + Associate and specify the following settings in the Associate subnet section and then click OK:

Setting | Value
Virtual network | myVirtualNetwork
Subnet | Private

Task 4: Create a storage account with a file share
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Storage accounts and press the Enter key.

2. On the Storage accounts blade, click + New.

3. On the Basics tab of the Create storage account blade, specify the following settings (leave others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | AZ500LAB12
Storage account name | any globally unique name between 3 and 24 characters in length consisting of letters and digits
Location | (US) East US
Performance | Standard
Account kind | StorageV2 (general purpose v2)
Replication | Locally redundant storage (LRS)

4. On the Basics tab of the Create storage account blade, click Review + Create, wait for the validation process to complete, and click Create.
Note: Wait for the Storage account to be created. This should take about 2 minutes.

5. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.

6. On the Resource groups blade, in the list of resource group, click the AZ500LAB12 entry.

7. On the AZ500LAB12 resource group blade, in the list of resources, click the entry representing the newly created storage account.

8. On the storage account blade, in the File service section, click File shares and then click + File Share.

9. On the New file share blade, specify the following settings:

Setting | Value
Name | my-file-share
Quota | 10

10. On the New file share blade, click Create.
Note: Now, retrieve and record the PowerShell script that creates a drive mapping to the Azure file share.

11. On the storage account blade, in the list of file shares, click my-file-share.

12. On the my-file-share blade, click Connect.

13. On the Connect blade, on the Windows tab, copy the PowerShell script that creates a Z drive mapping to the file share.
Note: Record this script. You will need it later in this lab in order to map the file share from the Azure virtual machine on the Private subnet.

14. Navigate back to the storage account blade, then in the Settings section, click Networking.

15. Select the Selected networks option and click the + Add existing virtual network link.

16. On the Add networks blade, specify the following settings:

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Virtual networks | myVirtualNetwork
Subnets | Private

17. On the Add networks blade, click Enable and then click Add.

18. Back on the storage account blade, click Save.
Note: At this point in the lab you have configured a virtual network, a network security group, and a storage account with a file share.
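The same virtual network, NSG, service endpoint and storage firewall configuration as Tasks 1 through 4, built from Cloud Shell with Az PowerShell and then checked. This is an added example, not part of the lab; it assumes you are signed in, that the AZ500LAB12 resource group name and East US region are used as in the lab, and the storage account name it constructs is free.

```powershell
# Added example (not part of the lab): Tasks 1-4 as Az PowerShell, followed by a check of the result.
$rg       = 'AZ500LAB12'
$location = 'eastus'
$saName   = 'az500lab12sa' + (Get-Random -Maximum 99999)   # constructed, globally unique, lowercase
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# --- Task 3: NSG for the Private subnet ---
# Priority order matters: 1000 (allow the Storage service tag) is evaluated before 1100 (deny the
# Internet service tag), so SMB to Azure Storage keeps working after Internet egress is blocked.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name 'Allow-Storage-All' -Direction Outbound `
    -Access Allow -Priority 1000 -Protocol '*' -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix Storage -DestinationPortRange '*'
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Direction Outbound `
    -Access Deny -Priority 1100 -Protocol '*' -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix Internet -DestinationPortRange '*'
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Direction Inbound `
    -Access Allow -Priority 1200 -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'myNsgPrivate' `
    -SecurityRules $allowStorage, $denyInternet, $allowRdp

# --- Tasks 1-2: virtual network with a Public subnet and a Private subnet that carries the
# Microsoft.Storage service endpoint and the NSG above ---
$public  = New-AzVirtualNetworkSubnetConfig -Name 'Public' -AddressPrefix '10.0.0.0/24'
$private = New-AzVirtualNetworkSubnetConfig -Name 'Private' -AddressPrefix '10.0.1.0/24' `
    -ServiceEndpoint 'Microsoft.Storage' -NetworkSecurityGroup $nsg
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name 'myVirtualNetwork' `
    -AddressPrefix '10.0.0.0/16' -Subnet $public, $private

# --- Task 4: storage account, file share and network rules ---
New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
    -SkuName Standard_LRS -Kind StorageV2 | Out-Null
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $saName -Name 'my-file-share' -QuotaGiB 10 | Out-Null

$privateId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Private').Id
# Add the allowed subnet first and flip the default action afterwards; the other order briefly
# leaves the account denying everything with no allowed network at all.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -VirtualNetworkResourceId $privateId | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny | Out-Null

# --- Check: default action Deny, and exactly one allowed network, the Private subnet ---
$rules   = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName
$allowed = @($rules.VirtualNetworkRules | ForEach-Object { $_.VirtualNetworkResourceId })
if ($rules.DefaultAction -ne 'Deny')  { throw "Default action is $($rules.DefaultAction), expected Deny" }
if ($allowed -notcontains $privateId) { throw 'The Private subnet is not in the allowed networks' }
if ($allowed.Count -ne 1)             { throw "Unexpected extra network rules: $($allowed -join ', ')" }
Write-Output "Storage account $saName denies by default and allows only the Private subnet"
```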

Task 5: Deploy virtual machines into the designated subnets
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual machines and press the Enter key.

2. On the Virtual machines blade, click + Add and, in the dropdown list, click + Virtual machine.

3. On the Basics tab of the Create a virtual machine blade, specify the following settings (leave others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you will be using in this lab
Resource group | AZ500LAB12
Virtual machine name | myVmPrivate
Region | (US) East US
Image | Windows Server 2019 Datacenter Gen 1
Username | localadmin
Password | Pa55w.rd1234
Public inbound ports | None
Already have a Windows Server license | No

Note: For public inbound ports, we will rely on the precreated NSG.

4. Click Next: Disks > and, on the Disks tab of the Create a virtual machine blade, set the OS disk type to Standard HDD and click Next: Networking >.

5. Click Next: Networking >, on the Networking tab of the Create a virtual machine blade, specify the following settings (leave others with their default values):

Setting | Value
Virtual network | myVirtualNetwork
Subnet | Private (10.0.1.0/24)
Public IP | (new) myVmPrivate-ip
NIC network security group | None

6. Click Next: Management >, on the Management tab of the Create a virtual machine blade, accept the default settings and click Review + create.

7. Click Review + create, on the Review + create blade, ensure that validation was successful and click Create.
Note: The second virtual machine will be connected to the Public subnet.

8. On the Virtual machines blade, click + Add and, in the dropdown list, click + Virtual machine.

9. On the Basics tab of the Create a virtual machine blade, specify the following settings (leave others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you will be using in this lab
Resource group | AZ500LAB12
Virtual machine name | myVmPublic
Region | (US) East US
Image | Windows Server 2019 Datacenter Gen 1
Username | localadmin
Password | Pa55w.rd1234
Public inbound ports | None
Already have a Windows Server license | No

Note: For public inbound ports, we will rely on the precreated NSG.

10. Click Next: Disks > and, on the Disks tab of the Create a virtual machine blade, set the OS disk type to Standard HDD and click Next: Networking >.

11. Click Next: Networking >, on the Networking tab of the Create a virtual machine blade, specify the following settings (leave others with their default values):

Setting | Value
Virtual network | myVirtualNetwork
Subnet | Public (10.0.0.0/24)
Public IP | (new) myVmPublic-ip
NIC network security group | None

12. Click Next: Management >, on the Management tab of the Create a virtual machine blade, accept the default settings and click Review + create.

13. Click Review + create, on the Review + create blade, ensure that validation was successful and click Create.
Note: You can continue to the next task once the deployment of the myVMPrivate Azure VM is completed.

Task 6: Test the storage connection from the private subnet to confirm that access is allowed
1. Navigate back to the Virtual machines blade.

2. On the Virtual machines blade, click the myVMPrivate entry.

3. On the myVMPrivate blade, click Connect and, in the drop down menu, click RDP.

4. Click Download RDP File and use it to connect to the myVMPrivate Azure VM via Remote Desktop. When prompted to authenticate, provide the following credentials:

Setting | Value
User name | localadmin
Password | Pa55w.rd1234

Note:
– Wait for the Remote Desktop session to open and Server Manager to load.
– You will now map drive Z to an Azure File share within the Remote Desktop session to a Windows Server 2019 computer.

5. Within the Remote Desktop session to myVMPrivate, click Start and then click Windows PowerShell ISE.

6. Within the Windows PowerShell ISE window, open the Script pane, then paste and run the PowerShell script that you recorded earlier in this lab. The script has the following format:

$connectTestResult = Test-NetConnection -ComputerName <storage_account_name>.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
   # Save the password so the drive will persist on reboot
   cmd.exe /C "cmdkey /add:`"<storage_account_name>.file.core.windows.net`" /user:`"Azure\<storage_account_name>`"  /pass:`"<storage_account_key>`""
   # Mount the drive
   New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage_account_name>.file.core.windows.net\my-file-share" -Persist
} else {
   Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}

Note: The <storage_account_name> placeholder represents the name of the storage account hosting the file share and <storage_account_key> its primary key.

7. Start File Explorer and verify that the Z: drive mapping has been successfully created.

8. Next, from the console pane of the Windows PowerShell ISE console, run the following to verify that the virtual machine has no outbound connectivity to the internet:

Test-NetConnection -ComputerName www.bing.com -Port 80

Note: The test will fail because the network security group associated with the Private subnet does not allow outbound access to the internet.

9. Terminate the Remote Desktop session to the myVMPrivate Azure VM.
Note: At this point, you have confirmed that the virtual machine in the Private subnet can access the storage account.

Task 7: Test the storage connection from the public subnet to confirm that access is denied
1. Navigate back to the Virtual machines blade.

2. On the Virtual machines blade, click the myVMPublic entry.

3. On the myVMPublic blade, click Connect and, in the drop down menu, click RDP.

4. Click Download RDP File and use it to connect to the myVMPublic Azure VM via Remote Desktop. When prompted to authenticate, provide the following credentials:

Setting | Value
User name | localadmin
Password | Pa55w.rd1234

Note:
– Wait for the Remote Desktop session to open and Server Manager to load.
– You will now map drive Z to an Azure File share within the Remote Desktop session to a Windows Server 2019 computer.

5. Within the Remote Desktop session to myVMPublic, click Start and then click Windows PowerShell ISE.

6. Within the Windows PowerShell ISE window, open the Script pane, then paste and run the same PowerShell script that you ran within the Remote Desktop session to the myVMPrivate Azure VM.
Note:
– This time, you will receive the New-PSDrive : Access is denied error.
– Access is denied because the myVmPublic virtual machine is deployed in the Public subnet. The Public subnet does not have a service endpoint enabled for the Azure Storage. The storage account only allows network access from the Private subnet.

7. Next, from the console pane of the Windows PowerShell ISE console, run the following to verify that the virtual machine has outbound connectivity to the internet:

Test-NetConnection -ComputerName www.bing.com -Port 80

8. Terminate the Remote Desktop session to the myVMPublic Azure VM.
Note: At this point, you have confirmed that the virtual machine in the Public subnet cannot access the storage account, but has access to the internet.

Clean up resources
1. Open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, select PowerShell and Create storage.

2. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB12" -Force -AsJob

4. Close the Cloud Shell pane.

Azure Security – Securing Azure SQL Database

Scenario
You have been asked to review security features for Azure SQL database. Specifically, you are interested in:
– Protection against attacks such as SQL injection and data exfiltration.
– Ability to discover and classify database information into categories such as Confidential.
– Ability to audit database server and database queries and log events.

Exercise 1: Implement SQL Database security features
Task 1: Deploy an Azure SQL Database

1. Sign in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Deploy a custom template and press the Enter key.

3. On the Custom deployment blade, click the Build your own template in the editor option.

4. On the Edit template blade, click Load file, locate the \Allfiles\Labs\11\azuredeploy.json file and click Open.
Note: Review the content of the template and note that it deploys an Azure SQL database.

5. On the Edit template blade, click Save.

6. On the Custom deployment blade, ensure that the following settings are configured (leave any others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you will be using in this lab
Resource group | click Create new and type the name AZ500LAB11
Location | (US) East US

7. Click Review + Create and then click Create.
Note: Wait for the deployment to complete.

Task 2: Configure Advanced Data Protection
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.

2. On the Resource groups blade, in the list of resource group, click the AZ500LAB11 entry.

3. On the AZ500LAB11 blade, click the entry representing the newly created SQL Server.

4. On the server blade, in the Security section, click Security Center.

5. Set the AZURE DEFENDER FOR SQL switch to ON.
Note: Wait until enabling Azure Defender for SQL takes effect.

6. In the Azure Defender for SQL: Enabled at the server-level (Configure) parameter, click (configure).

7. On the Server Settings blade, review the information about pricing and the trial period, VULNERABILITY ASSESSMENT SETTINGS and ADVANCED THREAT PROTECTION SETTINGS.

8. Back on the Security Center blade, review Recommendations and Security incidents and alerts.
Note: It may take 10-15 minutes for recommendations to appear on the Security Center blade. Rather than waiting, proceed to the next task but consider returning to this blade once you complete all the remaining tasks.

Task 3: Configure Data Classification
1. On the server blade, in the Settings section, click SQL Databases.

2. In the list of databases, select the AZ500LabDb entry.

3. On the AZ500LabDb SQL database blade, in the Security section, click Data Discovery & Classification.

4. On the Data Discovery & Classification blade, click the Classification tab.
Note: The classification engine scans your database for columns containing potentially sensitive data and provides a list of recommended column classifications.

5. Click the text message We have found 15 columns with classification recommendations displayed on blue bar at the top of the blade.

6. Review the listed columns and the recommended sensitivity label.

7. Enable the Select all checkbox and then click Accept Selected Recommendations.
Note:
– Alternatively, you could select only certain columns and dismiss others.
– You have the option to change the information type and sensitivity label.

8. Once you have completed your review click Save.
Note: This will complete the classification and persistently label the database columns with the new classification metadata.

9. Back on the Data Discovery & Classification blade, note that it has been updated to account for the latest classification information.

Task 4: Configure auditing
1. In the Azure portal, navigate back to the SQL Server blade.

2. On the SQL Server blade, in the Security section, click Auditing.
Note: This is server level auditing. The default auditing settings include all the queries and stored procedures executed against the database, as well as successful and failed logins.

3. Set the Auditing switch to ON to enable auditing.

4. Select the Storage checkbox and click Configure.

5. On the Storage settings blade, click Storage account.

6. On the Create storage account blade, in the Name box, type a globally unique name consisting of between 3 and 24 lower case letters and digits, and click OK.

7. Back on the Storage settings blade, set Retention (days) to 5 and click OK.

8. Back on the Auditing blade, click Save to save the auditing settings.
Note: If you receive an error message regarding an invalid storage container path, the storage account may not have been provisioned yet. Wait a few minutes, click Storage account, on the Choose storage account blade, select the newly created storage account and, back on the Auditing blade, click Save.

9. On the server blade, in the Settings section, click SQL Databases.

10. In the list of databases, select the AZ500LabDb entry.

11. On the AZ500LabDb SQL database blade, in the Security section, click Auditing.
Note:
– This is database level auditing. Server-level auditing is already enabled.
– Audits can be written to an Azure storage account, to a Log Analytics workspace, or to an Event Hub. You can configure any combination of these options.
– If storage-based auditing is enabled on the server, it will always apply to the database, regardless of the database settings.

12. Click View Audit Logs.

13. On the Audit records blade, note that you can switch between Server audit and Database audit.
Note: Since this SQL server and database were created recently, it is unlikely that any events will be available at this point.
Results: You have created a SQL server and database, and configured data classification and auditing.
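The Task 2 to Task 4 settings applied from Cloud Shell with the Az.Sql module and then verified. This is an added example, not part of the lab; it assumes the Task 1 template has finished deploying the server and the AZ500LabDb database into AZ500LAB11, that you are signed in, and the audit storage account name it constructs is free. Enable-AzSqlServerAdvancedDataSecurity is the cmdlet behind the Azure Defender for SQL switch of this lab's portal version.

```powershell
# Added example (not part of the lab): Defender for SQL, server auditing and data classification via Az.Sql.
$rg      = 'AZ500LAB11'
$sql     = Get-AzSqlServer -ResourceGroupName $rg            # the lab template deploys a single server
$server  = $sql.ServerName
$dbName  = 'AZ500LabDb'
$auditSa = 'az500lab11audit' + (Get-Random -Maximum 99999)  # constructed: 3-24 lowercase letters and digits

# Task 2: Azure Defender for SQL at the server level (threat protection plus vulnerability assessment)
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $rg -ServerName $server | Out-Null

# Task 4: server-level auditing to blob storage with 5-day retention. Server auditing applies to
# every database on the server regardless of the per-database setting.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $auditSa -Location $sql.Location `
    -SkuName Standard_LRS -Kind StorageV2
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server -BlobStorageTargetState Enabled `
    -StorageAccountResourceId $sa.Id -RetentionInDays 5

# Task 3: accept every column classification the recommendation engine produced for AZ500LabDb
# (the portal's "Accept Selected Recommendations" with Select all).
Get-AzSqlDatabaseSensitivityRecommendation -ResourceGroupName $rg -ServerName $server -DatabaseName $dbName |
    Set-AzSqlDatabaseSensitivityClassification

# --- Check the result ---
$audit = Get-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server
if ($audit.BlobStorageTargetState -ne 'Enabled') { throw 'Server auditing is not writing to storage' }
if ($audit.RetentionInDays -ne 5) { throw "Retention is $($audit.RetentionInDays) days, expected 5" }

$labels = (Get-AzSqlDatabaseSensitivityClassification -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $dbName).SensitivityLabels
if (-not $labels) { throw 'No columns in AZ500LabDb carry a sensitivity classification' }
# One row per classified column: schema, table, column, information type and label
$labels | Select-Object SchemaName, TableName, ColumnName, InformationType, SensitivityLabel | Format-Table
```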

Clean up resources
1. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click PowerShell and Create storage.

2. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB11" -Force -AsJob

4. Close the Cloud Shell pane.

Azure Security – Key Vault (Implementing Secure Data by setting up Always Encrypted)

Scenario
You have been asked to create a proof of concept application that makes use of the Azure SQL Database support for Always Encrypted functionality. All of the secrets and keys used in this scenario should be stored in Key Vault. The application should be registered in Azure Active Directory (Azure AD) in order to enhance its security posture. To accomplish these objectives, the proof of concept should include:
– Creating an Azure Key Vault and storing keys and secrets in the vault.
– Creating a SQL Database and encrypting the content of columns in database tables by using Always Encrypted.
To keep the focus on the security aspects of Azure related to building this proof of concept, you will start from an automated ARM template deployment that sets up a virtual machine with Visual Studio 2019 and SQL Server Management Studio 2018.

Exercise 1: Deploy the base infrastructure from an ARM template
Task 1: Deploy an Azure VM and an Azure SQL database

1. Sign in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Deploy a custom template and press the Enter key.

3. On the Custom deployment blade, click the Build your own template in the editor option.

4. On the Edit template blade, click Load file, locate the \Allfiles\Labs\10\az-500-10_azuredeploy.json file and click Open.

5. On the Edit template blade, click Save.

6. On the Custom deployment blade, under Deployment Scope ensure that the following settings are configured (leave any others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you will be using in this lab
Resource group | click Create new and type the name AZ500LAB10
Location | (US) East US
Admin Username | Student
Admin Password | Pa55w.rd1234

Note:
– While you can change the administrative credentials used for logging on to the Virtual Machine, you don’t have to.
– To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-us/regions/offers/

7. Click the Review and Create button, and confirm the deployment by clicking the Create button.
Note:
– This initiates the deployment of the Azure VM and Azure SQL Database required for this lab.
– Do not wait for the ARM template deployment to be completed, but instead continue to the next exercise. The deployment might take 20-25 minutes.

Exercise 2: Configure the Key Vault resource with a key and a secret
Task 1: Create and configure a Key Vault

1. Open the Cloud Shell by clicking the first icon (next to the search bar) at the top right of the Azure portal. If prompted, select PowerShell and Create storage.

2. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

3. In the PowerShell session within the Cloud Shell pane, run the following to create an Azure Key Vault in the resource group AZ500LAB10. (If you chose another name for this lab's resource group in Task 1 of Exercise 1, use that name for this task as well.) The Key Vault name must be unique. Remember the name you have chosen; you will need it throughout this lab.

$kvName = 'az500kv' + $(Get-Random)

$location = (Get-AzResourceGroup -ResourceGroupName 'AZ500LAB10').Location

New-AzKeyVault -VaultName $kvName -ResourceGroupName 'AZ500LAB10' -Location $location

Note: The output of the last command will display the vault name and the vault URI. The vault URI is in the format https://<vault_name>.vault.azure.net/

4. Close the Cloud Shell pane.

5. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.

6. On the Resource groups blade, in the list of resource group, click the AZ500LAB10 (or other name you chose earlier for the resource group) entry.

7. On the Resource Group blade, click the entry representing the newly created Key Vault.

8. On the Key Vault blade, in the Settings section, click Access Policies and then click + Add Access Policy.

9. On the Add access policy blade, specify the following settings (leave all others with their default values):

Setting | Value
Configure from template (optional) | Key, Secret, & Certificate Management
Key permissions | click Select all resulting in 16 selected permissions
Secret permissions | click Select all resulting in total of 8 selected permissions
Certificate permissions | click Select all resulting in total of 16 selected permissions
Select principal | click None selected, on the Principal blade, select your user account, and click Select

10. Back on the Add access policy blade, click Add to add the access policy and, back on the Access policies blade of the Key Vault, click Save to save your changes.

Task 2: Add a key to Key Vault
1. In the Azure portal, open a PowerShell session in the Cloud Shell pane.

2. Ensure PowerShell is selected in the upper-left drop-down menu of the Cloud Shell pane.

3. In the PowerShell session within the Cloud Shell pane, run the following to add a software-protected key to the Key Vault:

$kv = Get-AzKeyVault -ResourceGroupName 'AZ500LAB10'

$key = Add-AzKeyVaultKey -VaultName $kv.VaultName -Name 'MyLabKey' -Destination 'Software'

Note: The name of the key is MyLabKey

4. In the PowerShell session within the Cloud Shell pane, run the following to verify the key was created:

Get-AzKeyVaultKey -VaultName $kv.VaultName

5. In the PowerShell session within the Cloud Shell pane, run the following to display the key identifier:

$key.key.kid

6. Minimize the Cloud Shell pane.

7. Back in the Azure portal, on the Key Vault blade, in the Settings section, click Keys.

8. In the list of keys, click the MyLabKey entry and then, on the MyLabKey blade, click the entry representing the current version of the key.
Note:
– Examine the information about the key you created.
– You can reference any key by using the key identifier. To get the most current version, reference https://<key_vault_name>.vault.azure.net/keys/MyLabKey or get the specific version with: https://<key_vault_name>.vault.azure.net/keys/MyLabKey/<key_version>

Task 3: Add a Secret to Key Vault
1. Switch back to the Cloud Shell pane.

2. In the PowerShell session within the Cloud Shell pane, run the following to create a variable with a secure string value:

$secretvalue = ConvertTo-SecureString 'Pa55w.rd1234' -AsPlainText -Force

3. In the PowerShell session within the Cloud Shell pane, run the following to add the secret to the vault:

$secret = Set-AzKeyVaultSecret -VaultName $kv.VaultName -Name 'SQLPassword' -SecretValue $secretvalue

Note: The name of the secret is SQLPassword.

4. In the PowerShell session within the Cloud Shell pane, run the following to verify the secret was created.

Get-AzKeyVaultSecret -VaultName $kv.VaultName

5. Minimize the Cloud Shell pane.

6. In the Azure portal, navigate back to the Key Vault blade, in the Settings section, click Secrets.

7. In the list of secrets, click the SQLPassword entry and then, on the SQLPassword blade, click the entry representing the current version of the secret.
Note:
– Examine the information about the secret you created.
– To get the most current version of a secret, reference https://<key_vault_name>.vault.azure.net/secrets/<secret_name>; to get a specific version, reference https://<key_vault_name>.vault.azure.net/secrets/<secret_name>/<secret_version>

Exercise 3: Configure an Azure SQL database and a data-driven application
Task 1: Enable a client application to access the Azure SQL Database service.

1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type App Registrations and press the Enter key.

2. On the App Registrations blade, click + New registration.

3. On the Register an application blade, specify the following settings (leave all others with their default values):

Setting | Value
Name | sqlApp
Redirect URI (optional) | Web and https://sqlapp

4. On the Register an application blade, click Register.
Note: Once the registration is completed, the browser will automatically redirect you to sqlApp blade.

5. On the sqlApp blade, identify the value of Application (client) ID.
Note: Record this value. You will need it in the next task.

6. On the sqlApp blade, in the Manage section, click Certificates & secrets.

7. On the sqlApp | Certificates & secrets blade, in the Client secrets section, click + New client secret.

8. In the Add a client secret pane, specify the following settings:

Setting | Value
Description | Key1
Expires | in 1 year

9. Click Add to update the application credentials.

10. On the sqlApp | Certificates & secrets blade, identify the value of Key1.
Note:
– Record this value. You will need it in the next task.
– Make sure to copy the value before you navigate away from the blade. Once you do, it is no longer possible to retrieve its clear text value.

Task 2: Create a policy allowing the application access to the Key Vault.
1. In the Azure portal, open a PowerShell session in the Cloud Shell pane.

2. Ensure PowerShell is selected in the upper-left drop-down menu of the Cloud Shell pane.

3. In the PowerShell session within the Cloud Shell pane, run the following to create a variable storing the Application (client) ID you recorded in the previous task (replace the <Azure_AD_Application_ID> placeholder with the value of the Application (client) ID):

$applicationId = '<Azure_AD_Application_ID>'

4. In the PowerShell session within the Cloud Shell pane, run the following to create a variable storing the Key Vault name.

$kvName = (Get-AzKeyVault -ResourceGroupName 'AZ500LAB10').VaultName

$kvName

5. In the PowerShell session within the Cloud Shell pane, run the following to grant permissions on the Key Vault to the application you registered in the previous task:

Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName AZ500LAB10 -ServicePrincipalName $applicationId -PermissionsToKeys get,wrapKey,unwrapKey,sign,verify,list

6. Close the Cloud Shell pane.
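An added example, not one of the lab's own commands: it narrows the access policy from step 5 to the key permissions a running Always Encrypted client actually needs and reads the result back. It assumes the lab's AZ500LAB10 resource group and the $applicationId value from step 3.

```powershell
# Added example, not the lab's own command. Grants the registered app only the
# key permissions a running Always Encrypted client needs, then reads the
# policy back. Assumes resource group AZ500LAB10 and the Application (client)
# ID recorded in the previous task.
$applicationId    = '<Azure_AD_Application_ID>'   # lab placeholder; replace as in step 3
$vault            = Get-AzKeyVault -ResourceGroupName 'AZ500LAB10'
$servicePrincipal = Get-AzADServicePrincipal -ApplicationId $applicationId

# The lab grants get, wrapKey, unwrapKey, sign, verify and list. Decrypting a
# column encryption key needs only get, unwrapKey and verify; wrapKey and sign
# are provisioning-time rights (creating a CEK and signing CMK metadata, which
# the SSMS wizard does under your own account), and list lets the app
# enumerate every key in the vault.
Set-AzKeyVaultAccessPolicy -VaultName $vault.VaultName `
    -ObjectId $servicePrincipal.Id `
    -PermissionsToKeys get,unwrapKey,verify

# Read back the effective policy for this principal and fail if anything wider
# than the three expected permissions was granted.
$expected   = @('get', 'unwrapKey', 'verify')
$policy     = (Get-AzKeyVault -VaultName $vault.VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $servicePrincipal.Id }
$unexpected = @($policy.PermissionsToKeys | Where-Object { $_ -notin $expected })
if ($unexpected.Count -gt 0) {
    throw "Access policy is wider than intended: $($unexpected -join ', ')"
}
$policy.PermissionsToKeys
```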

Task 3: Retrieve SQL Azure database ADO.NET Connection String
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type SQL databases and press the Enter key.

2. In the list of SQL databases, click the medical entry.
Note: If the database cannot be found, this likely means the deployment you initiated in Exercise 1 has not completed yet. You can validate this by browsing to the Azure Resource Group “AZ500LAB10” (or the name you chose), and selecting Deployments from the Settings pane.

3. On the SQL database blade, in the Settings section, click Connection strings.
Note: The interface includes connection strings for ADO.NET, JDBC, ODBC, PHP, and Go.

4. Record the ADO.NET Connection String. You will need it later.
Note: When you use the connection string, make sure to replace the {your_password} placeholder with Pa55w.rd1234.

Task 4: Log on to the Azure VM running Visual Studio 2019 and SQL Management Studio 2018
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type virtual machines and press the Enter key.

2. In the list of Virtual Machines shown, select the az500-10-vm1 entry. On the az500-10-vm1 blade, on the Essentials pane, take note of the Public IP address. You will use this later.

Task 5: Create a table in the SQL Database and select data columns for encryption
1. In the Azure portal, navigate to the blade of the medical SQL database, in the Essentials section, identify the server name, and then, in the toolbar, click Set server firewall.
Note: Record the server name. You will need the server name later in this task.

2. On the Firewall settings blade, scroll down to Rule Name, and specify the following settings:

Setting | Value
Rule Name | Allow Mgmt VM
Start IP | the Public IP Address of the az500-10-vm1
End IP | the Public IP Address of the az500-10-vm1

3. Click Save and OK to save the change and close the confirmation pane.
Note: This modifies the server firewall settings, allowing connections to the medical database from the Azure VM’s public IP address you deployed in this lab.

4. Navigate back to the az500-10-vm1 blade, click Overview, next click Connect and, in the drop-down menu, click RDP.

5. Click Download RDP File and use it to connect to the az500-10-vm1 Azure VM via Remote Desktop. When prompted to authenticate, provide the following credentials:

Setting | Value
User name | Student
Password | Pa55w.rd1234

Note:
– Wait for the Remote Desktop session and Server Manager to load. Close Server Manager.
– The remaining steps in this lab are performed within the Remote Desktop session to the az500-10-vm1 Azure VM.

6. Click Start, in the Start menu, expand the Microsoft SQL Server Tools 18 folder, and click the Microsoft SQL Server Management Studio menu item.

7. In the Connect to Server dialog box, specify the following settings:

Setting | Value
Server Type | Database Engine
Server Name | the server name you identified earlier in this task
Authentication | SQL Server Authentication
Login | Student
Password | Pa55w.rd1234

8. In the Connect to Server dialog box, click Connect.

9. Within the SQL Server Management Studio console, in the Object Explorer pane, expand the Databases folder.

10. In the Object Explorer pane, right-click the medical database and click New Query.

11. Paste the following code into the query window and click Execute. This will create a Patients table.

CREATE TABLE [dbo].[Patients](
    [PatientId] [int] IDENTITY(1,1),
    [SSN] [char](11) NOT NULL,          -- encrypted later (deterministic, so equality lookups still work)
    [FirstName] [nvarchar](50) NULL,
    [LastName] [nvarchar](50) NULL,
    [MiddleName] [nvarchar](50) NULL,
    [StreetAddress] [nvarchar](50) NULL,
    [City] [nvarchar](50) NULL,
    [ZipCode] [char](5) NULL,
    [State] [char](2) NULL,
    [BirthDate] [date] NOT NULL,        -- encrypted later (randomized, no lookups on this column)
    PRIMARY KEY CLUSTERED ([PatientId] ASC) ON [PRIMARY]
);

12. After the table is created successfully, in the Object Explorer pane, expand the medical database node, then the Tables node, right-click the dbo.Patients node, and click Encrypt Columns.
Note: This will initiate the Always Encrypted wizard.

13. On the Introduction page, click Next.

14. On the Column Selection page, select the SSN and BirthDate columns, set the Encryption Type of the SSN column to Deterministic and of the BirthDate column to Randomized, and click Next.

15. On the Master Key Configuration page, select Azure Key Vault, click Sign in, when prompted, authenticate by using the same user account you used to provision the Azure Key Vault instance earlier in this lab, ensure that the Key Vault appears in the Select an Azure Key Vault drop-down list, and click Next.

16. On the Run Settings page, click Next.

17. On the Summary page, click Finish to proceed with the encryption. When prompted, sign in again by using the same user account you used to provision the Azure Key Vault instance earlier in this lab.

18. Once the encryption process is complete, on the Results page, click Close.

19. In the SQL Server Management Studio console, in the Object Explorer pane, under the medical node, expand the Security and Always Encrypted Keys subnodes.
Note: The Always Encrypted Keys subnode contains the Column Master Keys and Column Encryption Keys subfolders.

Exercise 4: Demonstrate the use of Azure Key Vault in encrypting the Azure SQL database
Task 1: Run a data-driven application to demonstrate the use of Azure Key Vault in encrypting the Azure SQL database
1. From the RDP session to the az500-10-vm1, launch Visual Studio 2019 from the Start menu.

2. Switch to the window displaying the Visual Studio 2019 welcome message, click the Sign in button and, when prompted, provide the credentials you used to authenticate to the Azure subscription you are using in this lab.

3. On the Get started page, click Create a new project.

4. In the list of project templates, search for Console App (.NET Framework), in the list of results, click Console App (.NET Framework) for C#, and click Next.

5. On the Configure your new project page, specify the following settings (leave other settings with their default values):

Setting | Value
Project name | OpsEncrypt
Solution name | OpsEncrypt
Framework | .NET Framework 4.7.2

6. In the Visual Studio console, click the Tools menu, in the drop-down menu, click NuGet Package Manager, and, in the cascading menu, click Package Manager Console.

7. In the Package Manager Console pane, run the following to install the first required NuGet package:

Install-Package Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider

8. In the Package Manager Console pane, run the following to install the second required NuGet package:

Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory

9. Navigate to \Allfiles\Labs\10\program.cs, open it in Notepad, and copy its content to the Clipboard.

10. Switch to the Visual Studio console, in the Solution Explorer window, click Program.cs and replace its content with the code you copied to the Clipboard.

11. In the Visual Studio window, in the Program.cs pane, in line 15, replace the <connection string noted earlier> placeholder with the Azure SQL database ADO.NET connection string you recorded earlier in the lab. In the connection string, replace the {your_password} placeholder with Pa55w.rd1234.

12. In the Visual Studio window, in the Program.cs pane, in line 16, replace the <client id noted earlier> placeholder with the value of Application (client) ID of the registered app you recorded earlier in the lab.

13. In the Visual Studio window, in the Program.cs pane, in line 17, replace the <key value noted earlier> placeholder with the value of Key1 of the registered app you recorded earlier in the lab.

14. In the Visual Studio console, click the Start button to initiate the build of the console application and start it.

15. The application will start a Command Prompt window. When prompted for password, type Pa55w.rd1234 to connect to Azure SQL Database.

16. Leave the console app running and switch to the SQL Management Studio console.

17. In the Object Explorer pane, right-click the medical database and, in the right-click menu, click New Query.

18. From the query window, run the following query to verify that the data loaded into the database from the console app is stored encrypted.

SELECT FirstName, LastName, SSN, BirthDate FROM Patients;

19. Switch back to the console application where you are prompted to enter a valid SSN. This will query the encrypted column for the data. At the Command Prompt, type the following and press the Enter key:

999-99-0003

Note: Verify that the data returned by the query is not encrypted.

20. To terminate the console app, press the Enter key.

Clean up resources

1. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure portal.

2. In the upper-left drop-down menu of the Cloud Shell pane, select PowerShell and, when prompted, click Confirm.

3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource groups you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB10" -Force -AsJob

4. Close the Cloud Shell pane.

Azure Security – Configuring and Securing ACR and AKS

Scenario
You have been asked to deploy a proof of concept with Azure Container Registry and Azure Kubernetes Service. Specifically, the proof of concept should demonstrate:
– Using Dockerfile to build an image.
– Using Azure Container Registry to store images.
– Configuring an Azure Kubernetes Service.
– Securing and accessing container applications both internally and externally.
NOTE: For all the resources in this lab, we are using the East US region.

Exercise 1: Configuring and Securing ACR and AKS
Task 1: Create an Azure Container Registry

1. Sign-in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click Bash and Create storage.

3. Ensure Bash is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

4. In the Bash session within the Cloud Shell pane, run the following to create a new resource group for this lab:

az group create --name AZ500LAB09 --location eastus

5. In the Bash session within the Cloud Shell pane, run the following to verify the resource group was created:

az group list --query "[?name=='AZ500LAB09']" -o table

6. In the Bash session within the Cloud Shell pane, run the following to create a new Azure Container Registry (ACR) instance (The name of the ACR must be globally unique):

az acr create --resource-group AZ500LAB09 --name az500$RANDOM$RANDOM --sku Basic

7. In the Bash session within the Cloud Shell pane, run the following to confirm that the new ACR was created:

az acr list --resource-group AZ500LAB09

Task 2: Create a Dockerfile, build a container and push it to Azure Container Registry
1. In the Bash session within the Cloud Shell pane, run the following to create a Dockerfile to create an Nginx-based image:

echo FROM nginx > Dockerfile

2. In the Bash session within the Cloud Shell pane, run the following to build an image from the Dockerfile and push the image to the new ACR.
NOTE: The trailing period at the end of the command line is required. It designates the current directory as the location of the Dockerfile.

ACRNAME=$(az acr list --resource-group AZ500LAB09 --query '[].{Name:name}' --output tsv)

az acr build --image sample/nginx:v1 --registry $ACRNAME --file Dockerfile .

NOTE: Wait for the command to successfully complete. This might take about 2 minutes.

3. Close the Cloud Shell pane.

4. In the Azure portal, navigate to the AZ500LAB09 resource group and, in the list of resources, click the entry representing the Azure Container Registry instance you provisioned in the previous task.

5. On the Container registry blade, in the Services section, click Repositories.

6. Verify that the list of repositories includes the new container image named sample/nginx.

7. Click the sample/nginx entry and verify presence of the v1 tag that identifies the image version.

8. Click the v1 entry to view the image manifest.
NOTE: The manifest includes the sha256 digest, manifest creation date, and platform entries.

Task 3: Create an Azure Kubernetes Service cluster
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Kubernetes services and press the Enter key.

2. On the Kubernetes services blade, click + Add and, in the drop-down menu, click + Add Kubernetes cluster.

3. On the Basics tab of the Create Kubernetes cluster blade, specify the following settings (leave others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | AZ500LAB09
Kubernetes cluster name | MyKubernetesCluster
Region | (US) East US
Availability zones | None
Node count | 1

4. Click Next: Node Pools > and, on the Node Pools tab of the Create Kubernetes cluster blade, specify the following settings (leave others with their default values):

Setting | Value
Enable virtual nodes | cleared checkbox
VM scale sets | cleared checkbox

5. Click Next: Authentication >, on the Authentication tab of the Create Kubernetes cluster blade, accept the defaults, and click Next: Networking >.

6. On the Networking tab of the Create Kubernetes cluster blade, specify the following settings (leave others with their default values):

Setting | Value
Network configuration | Azure CNI
DNS name prefix | any valid, globally unique DNS host name

NOTE: AKS can be configured as a private cluster. This assigns a private IP to the API server to ensure network traffic between your API server and your node pools remains on the private network only. For more information, visit Create a private Azure Kubernetes Service cluster page.

7. Click Next: Integrations > and, on the Integrations tab of the Create Kubernetes cluster blade, set Container monitoring to Disabled.
NOTE: In production scenarios, you would want to enable monitoring. Monitoring is disabled in this case since it is not covered in the lab.

8. Click Review + Create and then click Create.
NOTE: Wait for the deployment to complete. This might take about 10 minutes.

9. Once the deployment completes, in the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.

10. On the Resource groups blade, in the listing of resource groups, note a new resource group named MC_AZ500LAB09_MyKubernetesCluster_eastus that holds components of the AKS Nodes. Review resources in this resource group.

11. Navigate back to the Resource groups blade and click the AZ500LAB09 entry.
NOTE: In the list of resources, note the AKS Cluster and the corresponding virtual network.

12. In the Azure portal, open a Bash session in the Cloud Shell.
NOTE: Ensure Bash is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

13. In the Bash session within the Cloud Shell pane, run the following to connect to the Kubernetes cluster:

az aks get-credentials --resource-group AZ500LAB09 --name MyKubernetesCluster

14. In the Bash session within the Cloud Shell pane, run the following to list nodes of the Kubernetes cluster:

kubectl get nodes

NOTE: Verify that the Status of the cluster node is listed as Ready.

Task 4: Grant the AKS cluster permissions to access the ACR and manage its virtual network
1. In the Bash session within the Cloud Shell pane, run the following to configure the AKS cluster to use the Azure Container Registry instance you created earlier in this lab.

ACRNAME=$(az acr list --resource-group AZ500LAB09 --query '[].{Name:name}' --output tsv)

az aks update -n MyKubernetesCluster -g AZ500LAB09 --attach-acr $ACRNAME

NOTE:
– This command grants the cluster's identity the ‘acrpull’ role assignment on the ACR.
– It may take a few minutes for this command to complete.

2. In the Bash session within the Cloud Shell pane, run the following to grant the AKS cluster the Contributor role to its virtual network.

RG_AKS=AZ500LAB09

AKS_VNET_NAME=AZ500LAB09-vnet

AKS_CLUSTER_NAME=MyKubernetesCluster

AKS_VNET_ID=$(az network vnet show --name $AKS_VNET_NAME --resource-group $RG_AKS --query id -o tsv)

AKS_MANAGED_ID=$(az aks show --name $AKS_CLUSTER_NAME --resource-group $RG_AKS --query identity.principalId -o tsv)

az role assignment create --assignee $AKS_MANAGED_ID --role "Contributor" --scope $AKS_VNET_ID
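An added example, not one of the lab's own commands: the same two grants made with Az PowerShell, with the virtual network grant narrowed to Network Contributor. It assumes the lab's names (AZ500LAB09, MyKubernetesCluster, AZ500LAB09-vnet) and that the cluster object exposes its kubelet identity under IdentityProfile['kubeletidentity'].

```powershell
# Added example, not the lab's own commands. Same grants as Task 4 with Az
# PowerShell, with the virtual network grant narrowed to Network Contributor.
# Assumes the lab names AZ500LAB09, MyKubernetesCluster and AZ500LAB09-vnet.
$rg   = 'AZ500LAB09'
$aks  = Get-AzAksCluster -ResourceGroupName $rg -Name 'MyKubernetesCluster'
$acr  = Get-AzContainerRegistry -ResourceGroupName $rg | Select-Object -First 1
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'AZ500LAB09-vnet'

# Images are pulled by the kubelet (node pool) identity, so AcrPull goes to
# that identity, scoped to this one registry. The IdentityProfile property
# path is an assumption of this example, not something the lab states.
$kubeletObjectId = $aks.IdentityProfile['kubeletidentity'].ObjectId
New-AzRoleAssignment -ObjectId $kubeletObjectId -RoleDefinitionName 'AcrPull' -Scope $acr.Id | Out-Null

# The control-plane identity manages subnets, load balancers and public IPs in
# the VNet. Network Contributor is the role the AKS documentation recommends
# for a bring-your-own VNet; the lab's Contributor grant is broader than that.
$controlPlaneId = $aks.Identity.PrincipalId
New-AzRoleAssignment -ObjectId $controlPlaneId -RoleDefinitionName 'Network Contributor' -Scope $vnet.Id | Out-Null

# Review what each identity now holds at the two scopes.
Get-AzRoleAssignment -Scope $acr.Id  | Where-Object ObjectId -eq $kubeletObjectId | Select-Object RoleDefinitionName, Scope
Get-AzRoleAssignment -Scope $vnet.Id | Where-Object ObjectId -eq $controlPlaneId  | Select-Object RoleDefinitionName, Scope
```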

Task 5: Deploy an external service to AKS
1. In the Bash session within the Cloud Shell pane, click the Upload/Download files icon, in the drop-down menu, click Upload, in the Open dialog box, navigate to the location where you downloaded the lab files, select \Allfiles\Labs\09\nginxexternal.yaml and click Open. Next, select \Allfiles\Labs\09\nginxinternal.yaml and click Open.

2. In the Bash session within the Cloud Shell pane, run the following to identify the name of the Azure Container Registry instance:

echo $ACRNAME

NOTE: Record the Azure Container Registry instance name. You will need it later in this task.

3. In the Bash session within the Cloud Shell pane, run the following to open the nginxexternal.yaml file, so you can edit its content.

code ./nginxexternal.yaml

NOTE: This is the external yaml file.

4. In the editor pane, scroll down to line 24 and replace the <ACRUniquename> placeholder with the ACR name.

5. In the editor pane, in the upper right corner, click the ellipses icon, click Save and then click Close editor.

6. In the Bash session within the Cloud Shell pane, run the following to apply the change to the cluster:

kubectl apply -f nginxexternal.yaml

7. In the Bash session within the Cloud Shell pane, review the output of the command you ran in the previous step to verify that the deployment and the corresponding service have been created:

deployment.apps/nginxexternal created
service/nginxexternal created

Task 6: Verify that you can access an external AKS-hosted service
1. In the Bash session within the Cloud Shell pane, run the following to retrieve information about the nginxexternal service including name, type, IP addresses, and ports.

kubectl get service nginxexternal

2. In the Bash session within the Cloud Shell pane, review the output and record the value in the External-IP column. You will need it in the next step.

3. Open Internet Explorer and browse to the IP address you identified in the previous step.

4. Ensure the Welcome to nginx! page displays.

Task 7: Deploy an internal service to AKS
1. In the Bash session within the Cloud Shell pane, run the following to open the nginxinternal.yaml file, so you can edit its content.

code ./nginxinternal.yaml

NOTE: This is the internal yaml file.

2. In the editor pane, scroll down to the line containing the reference to the container image and replace the <ACRUniquename> placeholder with the ACR name.

3. In the editor pane, in the upper right corner, click the ellipses icon, click Save and then click Close editor.

4. In the Bash session within the Cloud Shell pane, run the following to apply the change to the cluster:

kubectl apply -f nginxinternal.yaml

5. In the Bash session within the Cloud Shell pane, review the output to verify your deployment and the service have been created:

deployment.apps/nginxinternal created
service/nginxinternal created

6. In the Bash session within the Cloud Shell pane, run the following to retrieve information about the nginxinternal service including name, type, IP addresses, and ports.

kubectl get service nginxinternal

7. In the Bash session within the Cloud Shell pane, review the output. The External-IP is, in this case, a private IP address.
NOTE:
– Record this IP address. You will need it in the next task.
– To access the internal service endpoint, you will connect interactively to one of the pods running in the cluster.
– Alternatively you could use the CLUSTER-IP address.

Task 8: Verify that you can access an internal AKS-hosted service
1. In the Bash session within the Cloud Shell pane, run the following to list the pods in the default namespace on the AKS cluster:

kubectl get pods

2. In the listing of the pods, copy the first entry in the NAME column.
NOTE: This is the pod you will use in the subsequent steps.

3. In the Bash session within the Cloud Shell pane, run the following to connect interactively to the first pod (replace the <pod_name> placeholder with the name you copied in the previous step):

kubectl exec -it <pod_name> -- /bin/bash

4. In the Bash session within the Cloud Shell pane, run the following to verify that the nginx web site is available via the private IP address of the service (replace the <internal_IP> placeholder with the IP address you recorded in the previous task):

curl http://<internal_IP>

5. Close the Cloud Shell pane.
RESULT: You have configured and secured ACR and AKS.

Clean up resources
1. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal.

2. In the upper-left drop-down menu of the Cloud Shell pane, select PowerShell and, when prompted, click Confirm.

3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource groups you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB09" -Force -AsJob

4. Close the Cloud Shell pane.

Azure Security – Azure Firewall

Scenario
You have been asked to install Azure Firewall. This will help your organization control inbound and outbound network access, which is an important part of an overall network security plan. Specifically, you would like to create and test the following infrastructure components:
– A virtual network with a workload subnet and a jump host subnet.
– A virtual machine in each subnet.
– A custom route that ensures all outbound workload traffic from the workload subnet must use the firewall.
– Firewall Application rules that only allow outbound traffic to www.bing.com.
– Firewall Network rules that allow external DNS server lookups.

Exercise 1: Deploy and test an Azure Firewall
Task 1: Use a template to deploy the lab environment.

1. Sign-in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Deploy a custom template and press the Enter key.

3. On the Custom deployment blade, click the Build your own template in the editor option.

4. On the Edit template blade, click Load file, locate the \Allfiles\Labs\08\template.json file and click Open.
NOTE: Review the content of the template and note that it deploys an Azure VM hosting Windows Server 2019 Datacenter.

5. On the Edit template blade, click Save.

6. On the Custom deployment blade, ensure that the following settings are configured (leave any others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you will be using in this lab
Resource group | click Create new and type the name AZ500LAB08
Location | (US) East US

NOTE: To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-us/regions/offers/

7. Click Review + create, and then click Create.
NOTE: Wait for the deployment to complete. This should take about 2 minutes.

Task 2: Deploy the Azure firewall
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Firewalls and press the Enter key.

2. On the Firewalls blade, click + Add.

3. On the Basics tab of the Create a firewall blade, specify the following settings (leave others with their default values):

Setting | Value
Resource group | AZ500LAB08
Name | Test-FW01
Region | (US) East US
Firewall management | Use Firewall rules (classic) to manage this firewall
Choose a virtual network | click the Use existing option and, in the drop-down list, select Test-FW-VN
Public IP address | click Add new, type the name TEST-FW-PIP, and click OK

4. Click Review + create and then click Create.
NOTE: Wait for the deployment to complete. This should take about 5 minutes.

5. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.

6. On the Resource groups blade, in the list of resource groups, click the AZ500LAB08 entry.
NOTE: On the AZ500LAB08 resource group blade, review the list of resources. You can sort by Type.

7. In the list of resources, click the entry representing the Test-FW01 firewall.

8. On the Test-FW01 blade, identify the Private IP address that was assigned to the firewall.
NOTE: You will need this information in the next task.

Task 3: Create a default route
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Route tables and press the Enter key.

2. On the Route tables blade, click + Add.

3. On the Create route table blade, specify the following settings:

Setting | Value
Name | Firewall-route
Resource group | AZ500LAB08
Region | East US

4. Click Review + create, then click Create, and wait for the provisioning to complete.

5. On the Route tables blade, click Refresh, and, in the list of route tables, click the Firewall-route entry.

6. On the Firewall-route blade, in the Settings section, click Subnets and then, on the Firewall-route | Subnets blade, click + Associate.

7. On the Associate subnet blade, specify the following settings:

Setting | Value
Virtual network | Test-FW-VN
Subnet | Workload-SN

NOTE: Ensure the Workload-SN subnet is selected for this route, otherwise the firewall won’t work correctly.

8. Click OK to associate the firewall to the virtual network subnet.

9. Back on the Firewall-route blade, in the Settings section, click Routes and then click + Add.

10. On the Add route blade, specify the following settings:

Setting | Value
Route name | FW-DG
Address prefix | 0.0.0.0/0
Next hop type | Virtual appliance
Next hop address | the private IP address of the firewall that you identified in the previous task

NOTE: Azure Firewall is a managed service rather than a VM you operate, but Virtual appliance is the next hop type to use for it in this situation.

11. Click OK to add the route.

Task 4: Configure an application rule
1. In the Azure portal, navigate back to the Test-FW01 firewall.

2. On the Test-FW01 blade, in the Settings section, click Rules.

3. On the Test-FW01 | Rules blade, click the Application rule collection tab, and then click + Add application rule collection.

4. On the Add application rule collection blade, specify the following settings (leave others with their default values):

Setting | Value
Name | App-Coll01
Priority | 200
Action | Allow

5. On the Add application rule collection blade, create a new entry in the Target FQDNs section with the following settings (leave others with their default values):

Setting | Value
Name | AllowGH
Source type | IP Address
Source | 10.0.2.0/24
Protocol port | http:80, https:443
Target FQDNs | www.bing.com

6. Click Add to add the Target FQDNs-based application rule.
NOTE: Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can’t be used for other purposes.

Task 5: Configure a network rule
1. In the Azure portal, navigate back to the Test-FW01 | Rules blade.

2. On the Test-FW01 | Rules blade, click the Network rule collection tab and then click + Add network rule collection.

3. On the Add network rule collection blade, specify the following settings (leave others with their default values):

Setting | Value
Name | Net-Coll01
Priority | 200
Action | Allow

4. On the Add network rule collection blade, create a new entry in the IP Addresses section with the following settings (leave others with their default values):

Setting | Value
Name | AllowDNS
Protocol | UDP
Source type | IP address
Source Addresses | 10.0.2.0/24
Destination type | IP address
Destination Address | 209.244.0.3,209.244.0.4
Destination Ports | 53

5. Click Add to add the network rule.
NOTE: The destination addresses used in this case are known public DNS servers.

Task 6: Configure the virtual machine DNS servers
1. In the Azure portal, navigate back to the AZ500LAB08 resource group.

2. On the AZ500LAB08 blade, in the list of resources, click the Srv-Work virtual machine.

3. On the Srv-Work blade, in the Settings section, click Networking.

4. On the Srv-Work | Networking blade, click the link next to the Network interface entry.

5. On the network interface blade, in the Settings section, click DNS servers, select the Custom option, add the two DNS servers referenced in the network rule: 209.244.0.3 and 209.244.0.4, and click Save to save the change.

6. Return to the Srv-Work virtual machine page.
NOTE:
– Wait for the update to complete.
– Updating the DNS servers for a network interface will automatically restart the virtual machine to which that interface is attached, and if applicable, any other virtual machines in the same availability set.
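The firewall configuration of Tasks 2 to 6 as one Az PowerShell script, added here as an example rather than taken from the lab, so the egress policy (default route through the firewall, one allowed FQDN, one allowed DNS destination) can be reviewed and re-applied as code. It assumes the Task 1 template deployed Test-FW-VN with an AzureFirewallSubnet and a Workload-SN subnet, plus the Srv-Work VM, into resource group AZ500LAB08.

```powershell
# Added example, not the lab's own script: Tasks 2 to 6 as Az PowerShell, so the
# egress policy can be reviewed and re-applied as code. Assumes the Task 1
# template deployed Test-FW-VN (with AzureFirewallSubnet and Workload-SN) and
# the Srv-Work VM into resource group AZ500LAB08.
$rg       = 'AZ500LAB08'
$location = 'eastus'
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'Test-FW-VN'

# Task 2: the firewall needs a Standard static public IP and is placed in the
# VNet's AzureFirewallSubnet by New-AzFirewall.
$pip = New-AzPublicIpAddress -Name 'TEST-FW-PIP' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
New-AzFirewall -Name 'Test-FW01' -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip | Out-Null
$fw          = Get-AzFirewall -Name 'Test-FW01' -ResourceGroupName $rg
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# Task 3: 0.0.0.0/0 -> firewall, associated with Workload-SN only. Without this
# route the rule collections below never see the workload's traffic.
$rt = New-AzRouteTable -Name 'Firewall-route' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name 'FW-DG' -RouteTable $rt -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable | Out-Null
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'Test-FW-VN'   # refresh after the firewall deployment
$workload = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload-SN'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload-SN' `
    -AddressPrefix $workload.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# Task 4: application rule collection - HTTP/HTTPS from the workload subnet to
# www.bing.com only; anything not matched is denied by the firewall's default action.
$appRule = New-AzFirewallApplicationRule -Name 'AllowGH' -SourceAddress '10.0.2.0/24' `
    -TargetFqdn 'www.bing.com' -Protocol 'http:80','https:443'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'App-Coll01' -Priority 200 `
    -ActionType Allow -Rule $appRule

# Task 5: network rule collection - UDP/53 to the two resolvers only.
$netRule = New-AzFirewallNetworkRule -Name 'AllowDNS' -Protocol UDP -SourceAddress '10.0.2.0/24' `
    -DestinationAddress '209.244.0.3','209.244.0.4' -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name 'Net-Coll01' -Priority 200 `
    -ActionType Allow -Rule $netRule

$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Task 6: point Srv-Work at the resolvers the network rule permits. The NIC is
# located through its attached VM because the template, not this script, named it.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.VirtualMachine -and $_.VirtualMachine.Id -like '*/Srv-Work' }
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add('209.244.0.3')
$nic.DnsSettings.DnsServers.Add('209.244.0.4')
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Review the applied policy: each collection, its priority and its action.
$fw = Get-AzFirewall -Name 'Test-FW01' -ResourceGroupName $rg
$fw.ApplicationRuleCollections | Select-Object Name, Priority, @{n='Action'; e={$_.Action.Type}}
$fw.NetworkRuleCollections     | Select-Object Name, Priority, @{n='Action'; e={$_.Action.Type}}
```

Changing the NIC's DNS servers restarts Srv-Work, as the note above states, so run the last section when a reboot is acceptable.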

Task 7: Test the firewall
1. In the Azure portal, navigate back to the AZ500LAB08 resource group.

2. On the AZ500LAB08 blade, in the list of resources, click the Srv-Jump virtual machine.

3. On the Srv-Jump blade, click Connect and, in the drop down menu, click RDP.

4. Click Download RDP File and use it to connect to the Srv-Jump Azure VM via Remote Desktop. When prompted to authenticate, provide the following credentials:

Setting | Value
User name | localadmin
Password | Pa55w.rd1234

NOTE:
– The following steps are performed in the Remote Desktop session to the Srv-Jump Azure VM.
– You will connect to the Srv-Work virtual machine. This is being done so we can test the ability to access the bing.com website.

5. Within the Remote Desktop session to Srv-Jump, right-click Start, in the right-click menu, click Run, and, from the Run dialog box, run the following to connect to Srv-Work.

mstsc /v:Srv-Work

6. When prompted to authenticate, provide the following credentials:

Setting | Value
User name | localadmin
Password | Pa55w.rd1234

NOTE: Wait for the Remote Desktop session to be established and the Server Manager interface to load.

7. Within the Remote Desktop session to Srv-Work, in Server Manager, click Local Server and then click IE Enhanced Security Configuration.

8. In the Internet Explorer Enhanced Security Configuration dialog box, set both options to Off and click OK.

9. Within the Remote Desktop session to Srv-Work, start Internet Explorer and browse to https://www.bing.com.
NOTE: The website should successfully display. The firewall allows you access.

10. Browse to http://www.microsoft.com/
NOTE: Within the browser page, you should receive a message with text resembling the following: HTTP request from 10.0.2.4:xxxxx to microsoft.com:80. Action: Deny. No rule matched. Proceeding with default action. This is expected, since the firewall blocks access to this website.

11. Terminate both Remote Desktop sessions.
RESULT: You have successfully configured and tested the Azure Firewall.

Clean up resources
1. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click PowerShell and Create storage.

2. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB08" -Force -AsJob

4. Close the Cloud Shell pane.

Azure Security – Network Security Groups and Application Security Groups

Scenario
You have been asked to implement your organization’s virtual networking infrastructure and test to ensure it is working correctly. In particular:
– The organization has two groups of servers: Web Servers and Management Servers.
– Each group of servers should be in its own Application Security Group.
– You should be able to RDP into the Management Servers, but not the Web Servers.
– The Web Servers should display the IIS web page when accessed from the internet.
– Network security group rules should be used to control network access.

Exercise 1: Create the virtual networking infrastructure
Task 1: Create a virtual network
1. Sign-in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual networks and press the Enter key.

3. On the Virtual networks blade, click + Add.

4. On the Basics tab of the Create virtual network blade, specify the following settings (leave others with their default values) and click Next: IP Addresses:

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | click Create new and type the name AZ500LAB07
Name | myVirtualNetwork
Region | East US

5. On the IP addresses tab of the Create virtual network blade, set the IPv4 address space to 10.0.0.0/16 and, if needed, in the Subnet name column, click default and, on the Edit subnet blade, specify the following settings and click Save:

Setting | Value
Subnet name | default
Subnet address range | 10.0.0.0/24

6. Back on the IP addresses tab of the Create virtual network blade, click Review + create.

7. On the Review + create tab of the Create virtual network blade, click Create.

Task 2: Create application security groups
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Application security groups and press the Enter key.

2. On the Application security groups blade, click + Add.

3. On the Basics tab of the Create an application security group blade, specify the following settings:

Setting | Value
Resource group | AZ500LAB07
Name | myAsgWebServers
Region | East US

4. Click Review + create and then click Create.

5. Navigate back to the Application security groups blade and click + Add.

6. On the Basics tab of the Create an application security group blade, specify the following settings:

Setting | Value
Resource group | AZ500LAB07
Name | myAsgMgmtServers
Region | East US

7. Click Review + create and then click Create.

Task 3: Create a network security group and associate the NSG to the subnet
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Network security groups and press the Enter key.

2. On the Network security groups blade, click + Add.

3. On the Basics tab of the Create network security group blade, specify the following settings:

Setting | Value
Subscription | the name of the Azure subscription you are using in this lab
Resource group | AZ500LAB07
Name | myNsg
Region | East US

4. Click Review + create and then click Create.

5. In the Azure portal, navigate back to the Network security groups blade and click the myNsg entry.

6. On the myNsg blade, in the Settings section, click Subnets and then click + Associate.

7. On the Associate subnet blade, specify the following settings and click OK:

Setting | Value
Virtual network | myVirtualNetwork
Subnet | default

Task 4: Create inbound NSG security rules to allow web traffic to the web servers and RDP to the management servers.
1. On the myNsg blade, in the Settings section, click Inbound security rules.

2. Review the default inbound security rules and then click + Add.

3. On the Add inbound security rule blade, specify the following settings to allow TCP ports 80 and 443 to the myAsgWebServers application security group (leave all other values with their default values):

Setting | Value
Destination | in the drop-down list, select Application security group and then click myAsgWebServers
Destination port ranges | 80,443
Protocol | TCP
Priority | 100
Name | Allow-Web-All

4. On the Add inbound security rule blade, click Add to create the new inbound rule.

5. On the myNsg blade, in the Settings section, click Inbound security rules, and then click + Add.

6. On the Add inbound security rule blade, specify the following settings to allow the RDP port (TCP 3389) to the myAsgMgmtServers application security group (leave all other values with their default values):

Setting | Value
Destination | in the drop-down list, select Application security group and then click myAsgMgmtServers
Destination port ranges | 3389
Protocol | TCP
Priority | 110
Name | Allow-RDP-All

7. On the Add inbound security rule blade, click Add to create the new inbound rule.
RESULT: You have deployed a virtual network, a network security group with inbound security rules, and two application security groups.

Exercise 2: Deploy virtual machines and test network filters
Task 1: Create a virtual machine to use as a web server.

1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual machines and press the Enter key.

2. On the Virtual machines blade, click + Add and, in the dropdown list, click + Virtual machine.

3. On the Basics tab of the Create a virtual machine blade, specify the following settings (leave others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you will be using in this lab
Resource group | AZ500LAB07
Virtual machine name | myVmWeb
Region | (US) East US
Image | Windows Server 2019 Datacenter Gen 1
Size | Standard D2s v3
Username | Student
Password | Pa55w.rd1234
Public inbound ports | None
Already have a Windows Server license | No

NOTE: For public inbound ports, we will rely on the precreated NSG.

4. Click Next: Disks > and, on the Disks tab of the Create a virtual machine blade, set the OS disk type to Standard HDD and click Next: Networking >.

5. On the Networking tab of the Create a virtual machine blade, select the previously created network myVirtualNetwork.

6. Under NIC network security group select None.

7. Click Next: Management > and, on the Management tab of the Create a virtual machine blade, specify the following settings:

Setting | Value
Boot diagnostics | Enabled with managed storage account (recommended)
Diagnostics storage account | the default value

8. Click Review + create, on the Review + create blade, ensure that validation was successful and click Create.

Task 2: Create a virtual machine to use as a management server.
1. In the Azure portal, navigate back to the Virtual machines blade, click + Add, and, in the dropdown list, click + Virtual machine.

2. On the Basics tab of the Create a virtual machine blade, specify the following settings (leave others with their default values):

Setting | Value
Subscription | the name of the Azure subscription you will be using in this lab
Resource group | AZ500LAB07
Virtual machine name | myVMMgmt
Region | (US) East US
Image | Windows Server 2019 Datacenter Gen 1
Size | Standard D2s v3
Username | Student
Password | Pa55w.rd1234
Public inbound ports | None
Already have a Windows Server license | No

NOTE: For public inbound ports, we will rely on the precreated NSG.

3. Click Next: Disks > and, on the Disks tab of the Create a virtual machine blade, set the OS disk type to Standard HDD and click Next: Networking >.

4. On the Networking tab of the Create a virtual machine blade, select the previously created network myVirtualNetwork.

5. Under NIC network security group select None.

6. Click Next: Management > and, on the Management tab of the Create a virtual machine blade, specify the following settings:

Setting | Value
Boot diagnostics | Enabled with managed storage account (recommended)
Diagnostics storage account | the default value

7. Click Review + create, on the Review + create blade, ensure that validation was successful and click Create.
NOTE: Wait for both virtual machines to be provisioned before continuing.

Task 3: Associate each virtual machine's network interface with its application security group.
1. In the Azure portal, navigate back to the Virtual machines blade and verify that both virtual machines are listed with the Running status.

2. In the list of virtual machines, click the myVMWeb entry.

3. On the myVMWeb blade, in the Settings section, click Networking and then, on the myVMWeb | Networking blade, click the Application security groups tab.

4. Click Configure the application security groups, in the Application security group drop-down list, select myAsgWebServers, and then click Save.

5. Navigate back to the Virtual machines blade and, in the list of virtual machines, click the myVMMgmt entry.

6. On the myVMMgmt blade, in the Settings section, click Networking and then, on the myVMMgmt | Networking blade, click the Application security groups tab.

7. Click Configure the application security groups, in the Application security group drop-down list, select myAsgMgmtServers, and then click Save.

Task 4: Test the network traffic filtering
1. Navigate back to the myVMMgmt virtual machine blade.

2. On the myVMMgmt blade, click Connect and, in the drop down menu, click RDP.

3. Click Download RDP File and use it to connect to the myVMMgmt Azure VM via Remote Desktop. When prompted to authenticate, provide the following credentials:

Setting | Value
User name | Student
Password | Pa55w.rd1234

NOTE: Verify that the Remote Desktop connection was successful. At this point you have confirmed you can connect via Remote Desktop to myVMMgmt.

4. In the Azure portal, navigate to the myVMWeb virtual machine blade.

5. On the myVMWeb blade, in the Operations section, click Run command and then click RunPowerShellScript.

6. On the Run Command Script pane, run the following to install the Web server role on myVmWeb:

Install-WindowsFeature -name Web-Server -IncludeManagementTools

NOTE: Wait for the installation to complete. This might take a couple of minutes. At that point, you can verify that myVMWeb can be accessed via HTTP/HTTPS.

7. In the Azure portal, navigate back to the myVMWeb blade.

8. On the myVMWeb blade, identify the Public IP address of the myVmWeb Azure VM.

9. Open another browser tab and navigate to IP address you identified in the previous step.
NOTE: The browser page should display the default IIS welcome page because the Allow-Web-All inbound rule of myNsg allows port 80 from the internet to the myAsgWebServers application security group, and the network interface of the myVMWeb Azure VM is associated with that application security group.
RESULT: You have validated that the NSG and ASG configuration is working and traffic is being correctly managed.
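The same NSG and ASG configuration expressed in Az PowerShell, as an added example that is not part of the original lab. It assumes you are signed in with Connect-AzAccount, that the AZ500LAB07 resource group, myVirtualNetwork with its default subnet, and the myVmWeb and myVMMgmt virtual machines already exist; the Add-NicToAsg helper is the example's own, and 'eastus' is the region name assumed for East US.

```powershell
# Added example: Exercise 1 (ASGs, NSG, rules, subnet association) and
# Exercise 2 Task 3 (NIC-to-ASG association) done with Az PowerShell.
# Assumes Connect-AzAccount has been run and that the resource group,
# the virtual network and the two VMs from the lab already exist.
$rg       = 'AZ500LAB07'
$location = 'eastus'   # assumed region name for East US

# Application security groups, one per server role (Exercise 1, Task 2)
$asgWeb  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'myAsgWebServers'  -Location $location
$asgMgmt = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'myAsgMgmtServers' -Location $location

# Inbound rules are scoped to the ASGs rather than to IP addresses, so the
# rule keeps working when servers are added to or removed from a group.
# Source stays '*' (any) and the priorities match the lab values (Exercise 1, Task 4).
$ruleWeb = New-AzNetworkSecurityRuleConfig -Name 'Allow-Web-All' -Direction Inbound -Access Allow `
    -Protocol Tcp -Priority 100 -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $asgWeb.Id -DestinationPortRange 80,443

$ruleRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Direction Inbound -Access Allow `
    -Protocol Tcp -Priority 110 -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $asgMgmt.Id -DestinationPortRange 3389

# Network security group carrying both rules (Exercise 1, Tasks 3 and 4)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'myNsg' -Location $location `
    -SecurityRules $ruleWeb, $ruleRdp

# Associate the NSG with the default subnet (Exercise 1, Task 3, steps 6 and 7)
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVirtualNetwork'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'default' `
    -AddressPrefix '10.0.0.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Attach each VM's primary NIC to its ASG (Exercise 2, Task 3). The NIC is
# looked up from the VM object, so the portal-generated NIC name does not matter.
function Add-NicToAsg {
    param([string]$VmName, $Asg)
    $vm  = Get-AzVM -ResourceGroupName $rg -Name $VmName
    $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $nic.IpConfigurations[0].ApplicationSecurityGroups = @($Asg)
    $nic | Set-AzNetworkInterface | Out-Null
    return $nic.Name
}
$webNicName  = Add-NicToAsg -VmName 'myVmWeb'  -Asg $asgWeb
$mgmtNicName = Add-NicToAsg -VmName 'myVMMgmt' -Asg $asgMgmt

# Check: list the security rules actually in effect on each NIC (the VM must be
# running). This is what to inspect when the RDP or HTTP test in Task 4 fails.
foreach ($nicName in @($webNicName, $mgmtNicName)) {
    "--- effective rules on $nicName ---"
    (Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg).EffectiveSecurityRules |
        Where-Object { $_.Name -like '*Allow-*' } |
        Select-Object Name, Direction, Access, Priority, DestinationPortRange
}
```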

Clean up resources
1. Open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, select PowerShell and Create storage.

2. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB07" -Force -AsJob

4. Close the Cloud Shell pane.

Setup Linux VM in Azure Portal

Setting up Linux VM in Azure
1. Go to Azure portal > click on Create a resource > Under the Categories select Compute > select Ubuntu Server 20.04 LTS

2. Fill in your Project details and Instance details such as Subscription, Resource group, Virtual machine name, Region, Image and Size.

3. Fill in Administrator account such as Username, Password and Confirm password, and select Authentication type as Password.

4. For Inbound port rules, select Allow selected ports for Public inbound ports and HTTP(80) and SSH(22) for inbound ports.

5. Go to Management to set up Auto-shutdown time.

6. Click on Review + create button and click on Create button.

7. After the deployment finishes, go to Connect and select SSH.

8. Go to Cloud Shell in the top bar in Azure and select PowerShell.

9. Type the following command with your VM IP address and enter your VM password.

10. Install Ubuntu desktop in the VM and select Y when running the second command.

11. Create a Downloads folder under your home directory, and go to the Downloads folder.

12. Install RDP support by installing the xrdp project on the VM.

13. Install azure-cli with the following command and select Y.

14. Log in to Azure with the following command, click on the URL provided for device login and paste the code to authenticate.

15. Type the following command to create a new inbound security rule that opens port 3389.

16. Download the RDP file from Step 7 and connect to your VM. Enter the username and password that you created in Step 3 and click OK.

17. You will see the Ubuntu Desktop in your VM.

Azure Security – Implement Directory Synchronization

Scenario
You have been asked to create a proof of concept demonstrating how to integrate on-premises Active Directory Domain Services (AD DS) environment with an Azure Active Directory (Azure AD) tenant. Specifically, you want to:
– Implement a single-domain AD DS forest by deploying an Azure VM hosting an AD DS domain controller
– Create and configure an Azure AD tenant
– Synchronize the AD DS forest with the Azure AD tenant

Exercise 1: Deploy an Azure VM hosting an Active Directory domain controller
Task 1: Identify an available DNS name for an Azure VM deployment

1. Sign-in to the Azure portal https://portal.azure.com/.

2. Open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click PowerShell and Create storage.

3. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

4. In the PowerShell session within the Cloud Shell pane, run the following to identify an available DNS name you can use for an Azure VM deployment in the next task of this exercise:

Test-AzDnsAvailability -DomainNameLabel <custom-label> -Location '<location>'

NOTE:
– Replace the <custom-label> placeholder with a valid DNS name that is likely to be globally unique. Replace the <location> placeholder with the name of the region into which you want to deploy the Azure VM that will host the Active Directory domain controller you will use in this lab.

– To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-us/regions/offers/

5. Verify that the command returned True. If not, rerun the same command with a different value of the <custom-label> until the command returns True.

6. Record the value of the <custom-label> that resulted in the successful outcome. You will need it in the next task.

7. Close the Cloud Shell.

Task 2: Use an ARM template to deploy an Azure VM hosting an Active Directory domain controller
1. Open another browser tab in the same browser window and navigate to the https://github.com/Azure/azure-quickstart-templates/tree/master/active-directory-new-domain.

2. On the Create a new Windows VM and create a new AD Forest, Domain and DC page, click Deploy to Azure. This will automatically redirect the browser to the Create an Azure VM with a new AD Forest blade in the Azure portal.

3. On the Create an Azure VM with a new AD Forest blade, click Edit parameters.

4. On the Edit parameters blade, click Load file, in the Open dialog box, click \\AllFiles\Labs\06\active-directory-new-domain\azuredeploy.parameters.json, click Open, and then click Save.

5. On the Create an Azure VM with a new AD Forest blade, specify the following settings (leave others with their existing values):

Setting | Value
Subscription | the name of your Azure subscription
Resource group | click Create new and type the name AZ500LAB06
Region | the Azure region you identified in the previous task
Admin Username | Student
Admin Password | Pa55w.rd1234
Domain Name | adatum.com
Dns Prefix | the DNS hostname you identified in the previous task
VM Size | Standard_D2s_v3

6. On the Create an Azure VM with a new AD Forest blade, click Review + create, and then click Create.
NOTE: Do not wait for the deployment to complete but instead proceed to the next exercise. The deployment might take about 15 minutes. You will use the virtual machine deployed in this task in the third exercise of this lab.
RESULT: After you completed this exercise, you have initiated the deployment of an Azure VM that will host an Active Directory domain controller by using an Azure Resource Manager template.

Exercise 2: Create and configure an Azure Active Directory tenant
Task 1: Create an Azure Active Directory (AD) tenant
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure Active Directory and press the Enter key.

2. On the blade displaying Overview of your current Azure AD tenant, click + Create a tenant.

3. On the Basics tab of the Create a directory blade, ensure that the option Azure Active Directory is selected and click Next: Configuration >.

4. On the Configuration tab of the Create a directory blade, specify the following settings:

Setting | Value
Organization name | AdatumSync
Initial domain name | a unique name consisting of a combination of letters and digits
Country or region | United States

NOTE:
– Record the initial domain name. You will need it later in this lab.
– The green check mark in the Initial domain name text box indicates whether the domain name you typed is valid and unique.

5. Click Review + create and then click Create.
NOTE: Wait for the new tenant to be created. Use the Notification icon to monitor the deployment status.

Task 2: Add a custom DNS name to the new Azure AD tenant
1. In the Azure portal, in the toolbar, click the Directory + subscription icon, located to the right of the Cloud Shell icon.

2. In the Directory + subscription blade, click the newly created tenant, AdatumSync.
NOTE: You may need to refresh the browser window if the AdatumSync entry does not appear in the Directory + subscription filter list.

3. On the AdatumSync blade, in the Manage section, click Custom domain names.

4. On the AdatumSync | Custom domain names blade, click + Add custom domain.

5. On the Custom domain name blade, in the Custom domain name text box, type adatum.com and click Add Domain.

6. On the adatum.com blade, review the information necessary to perform verification of the Azure AD domain name.
NOTE: You will not be able to complete the validation process because you do not own the adatum.com DNS domain name. This will not prevent you from synchronizing the adatum.com AD DS domain with the Azure AD tenant. You will use for this purpose the initial DNS name of the Azure AD tenant (the name ending with the onmicrosoft.com suffix), which you identified in the previous task. However, keep in mind that, as a result, the DNS domain name of the AD DS domain and the DNS name of the Azure AD tenant will differ. This means that Adatum users will need to use different names when signing in to the AD DS domain and when signing in to Azure AD tenant.

Task 3: Create an Azure AD user with the Global Administrator role
1. On the AdatumSync Azure AD tenant blade, in the Manage section, click Users.

2. On the Users | All users blade, click + New User.

3. On the New user blade, ensure that the Create user option is selected, specify the following settings (leave all others with their default values) and click Create:

Setting | Value
User name | syncadmin
Name | syncadmin
Password | ensure that the option Auto-generate password is selected and click Show Password
Groups | 0 groups selected
Roles | click User, then click Global administrator, and click Select
Usage Location | United States

NOTE:
– Record the full user name. You can copy its value by clicking the Copy to clipboard button on the right hand side of the drop-down list displaying the domain name.
– Record the user’s password. You will need this later in this lab.
– An Azure AD user with the Global Administrator role is required in order to implement Azure AD Connect.

4. Open an InPrivate browser window.

5. Navigate to the Azure portal and sign in using the syncadmin user account. When prompted, change the password you recorded earlier in this task to Pa55w.rd1234.
NOTE: To sign in you will need to provide the fully qualified name of the syncadmin user account, including the Azure AD tenant DNS domain name, which you recorded earlier in this task. This user name is in the format syncadmin@<your_tenant_name>.onmicrosoft.com, where <your_tenant_name> is the placeholder representing your unique Azure AD tenant name.

6. Sign out as syncadmin and close the InPrivate browser window.
RESULT: After you completed this exercise, you have created an Azure AD tenant, added a custom DNS name to the new Azure AD tenant, and created an Azure AD user with the Global Administrator role.

Exercise 3: Synchronize Active Directory forest with an Azure Active Directory tenant
Task 1: Prepare AD DS for directory synchronization

1. In the Azure portal, set the Directory + subscription filter to the Azure AD tenant associated with the Azure subscription into which you deployed the Azure VM in the first exercise of this lab.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual machines and press the Enter key.

3. On the Virtual machines blade, click the adVM entry.

4. On the adVM blade, click Connect and, in the drop down menu, click RDP.

5. In the IP address parameter, select Load balancer public IP address, then click Download RDP File and use it to connect to the adVM Azure VM via Remote Desktop. When prompted to authenticate, provide the following credentials:

Setting | Value
User name | Student
Password | Pa55w.rd1234

NOTE:
– Wait for the Remote Desktop session and Server Manager to load.
– The following steps are performed in the Remote Desktop session to the adVM Azure VM.

6. In Server Manager, click Local Server and then click IE Enhanced Security Configuration.

7. In the Internet Explorer Enhanced Security Configuration dialog box, set both options to Off and click OK.

8. In Server Manager, click Tools and, in the drop-down menu, click Active Directory Administrative Center.

9. In Active Directory Administrative Center, click adatum (local), in the Tasks pane, click New, and, in the cascading menu, click Organizational Unit.

10. In the Create Organizational Unit window, in the Name text box, type ToSync and click OK.

11. Double-click the newly created ToSync organizational unit such that its content appears in the details pane of the Active Directory Administrative Center console.

12. In the Tasks pane, within the ToSync section, click New, and, in the cascading menu, click User.

13. In the Create User window, create a new user account with the following settings (leave others with their existing values) and click OK:

Setting | Value
Full Name | aduser1
User UPN logon | aduser1
User SamAccountName logon | aduser1
Password | Pa55w.rd1234
Other password options | Password never expires

Task 2: Install Azure AD Connect
1. Within the Remote Desktop session to adVM, start Internet Explorer, navigate to the Azure portal, and sign in by using the syncadmin user account you created in the previous exercise. When prompted, specify the full user name you recorded and the Pa55w.rd1234 password.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure Active Directory and press the Enter key.

3. In the Azure portal, on the AdatumSync | Overview blade, click Azure AD Connect.

4. On the AdatumSync | Azure AD Connect blade, click the Download Azure AD Connect link. You will be redirected to the Microsoft Azure Active Directory Connect download page.

5. On the Microsoft Azure Active Directory Connect download page, click Download.

6. When prompted, click Run to start the Microsoft Azure Active Directory Connect wizard.

7. On the Welcome to Azure AD Connect page of the Microsoft Azure Active Directory Connect wizard, click the checkbox I agree to the license terms and privacy notice and click Continue.

8. On the Express Settings page of the Microsoft Azure Active Directory Connect wizard, click the Customize option.

9. On the Install required components page, leave all optional configuration options deselected and click Install.

10. On the User sign-in page, ensure that only the Password Hash Synchronization is enabled and click Next.

11. On the Connect to Azure AD page, authenticate by using the credentials of the syncadmin user account you created in the previous exercise and click Next.

12. On the Connect your directories page, click the Add Directory button to the right of the adatum.com forest entry.

13. In the AD forest account window, ensure that the option to Create new AD account is selected, specify the following credentials, and click OK:

Setting | Value
User Name | ADATUM\Student
Password | Pa55w.rd1234

14. Back on the Connect your directories page, ensure that the adatum.com entry appears as a configured directory and click Next.

15. On the Azure AD sign-in configuration page, note the warning stating Users will not be able to sign-in to Azure AD with on-premises credentials if the UPN suffix does not match a verified domain name, enable the checkbox Continue without matching all UPN suffixes to verified domain, and click Next.
NOTE: As explained earlier, this is expected, since you could not verify the custom Azure AD DNS domain adatum.com.

16. On the Domain and OU filtering page, click the option Sync selected domains and OUs, clear all checkboxes, click only the checkbox next to the ToSync OU, and click Next.

17. On the Uniquely identifying your users page, accept the default settings, and click Next.

18. On the Filter users and devices page, accept the default settings, and click Next.

19. On the Optional features page, accept the default settings, and click Next.

20. On the Ready to configure page, ensure that the Start the synchronization process when configuration completes checkbox is selected and click Install.
NOTE: Installation should take about 2 minutes.

21. Review the information on the Configuration complete page and click Exit to close the Microsoft Azure Active Directory Connect window.

Task 3: Verify directory synchronization
1. Within the Remote Desktop session to adVM, in the Internet Explorer window displaying the Azure portal, navigate to the Users – All users blade of the Adatum Lab Azure AD tenant.

2. On the Users | All users blade, note that the list of user objects includes the aduser1 account.

3. Select the aduser1 account and, in the Profile > Identity section, note that the Source attribute is set to Windows Server AD.
NOTE: You might have to wait a few minutes and select Refresh for the aduser1 user account to appear.

4. On the Users | All users blade, select the aduser1 entry.

5. On the aduser1 | Profile blade, in the Job info section, note that the Department attribute is not set.

6. Within the Remote Desktop session to adVM, switch to Active Directory Administrative Center, select the aduser1 entry in the list of objects in the ToSync OU, and, in the Tasks pane, in the ToSync section, select Properties.

7. In the aduser1 window, in the Organization section, in the Department text box, type Sales, and select OK.

8. Within the Remote Desktop session to adVM, start Windows PowerShell.

9. From the Windows PowerShell console, run the following to load the Azure AD Connect module and initiate a delta synchronization:

Import-Module -Name 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'

Start-ADSyncSyncCycle -PolicyType Delta

10. Switch to the Internet Explorer window displaying the aduser1 | Profile blade, refresh the page and note that the Department property is set to Sales.
NOTE: You might need to wait for another minute and refresh the page again if the Department attribute remains not set.
RESULT: After you completed this exercise, you have prepared AD DS for directory synchronization, installed Azure AD Connect, and verified directory synchronization.

Clean up resources
1. Within the Remote Desktop session to adVM, start Windows PowerShell as Administrator.

2. From the Windows PowerShell console, install the MsOnline PowerShell module by running the following (when prompted, in the NuGet provider is required to continue dialog box, type Yes and hit Enter.):

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module MsOnline -Force

3. From the Windows PowerShell console, connect to the AdatumSync Azure AD tenant by running the following (when prompted, sign in with the syncadmin credentials):

Connect-MsolService

4. From the Windows PowerShell console, disable the Azure AD Connect synchronization by running the following:

Set-MsolDirSyncEnabled -EnableDirSync $false -Force

5. From the Windows PowerShell console, verify that the operation was successful by running the following:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

NOTE:
– The result should be False. If that is not the case, wait a minute and re-run the command
– Next, remove the Azure resources

6. In the Azure portal, set the Directory + subscription filter to the Azure AD tenant associated with the Azure subscription into which you deployed the adVM Azure VM.

7. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal.

8. In the drop-down menu in the upper-left corner of the Cloud Shell pane, select PowerShell, and, when prompted, click Confirm.

9. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB06" -Force -AsJob

10. Close the Cloud Shell pane.
NOTE: Finally, remove the Azure AD tenant

11. Back in the Azure portal, use the Directory + subscription filter to switch to the AdatumSync Azure Active Directory tenant.

12. In the Azure portal, navigate to the Users – All users blade, click the entry representing the syncadmin user account, on the syncadmin – Profile blade click Delete, and, when prompted to confirm, click OK.

13. Repeat the same sequence of steps to delete the aduser1 user account.

14. Navigate to the AdatumSync – Overview blade of the Azure AD tenant, click Delete tenant, on the Delete directory ‘AdatumSync’ blade, click the Get permission to delete Azure resources link, on the Properties blade of Azure Active Directory, set Access management for Azure resources to Yes and click Save.

15. Sign out from the Azure portal and sign in back.

16. Navigate back to the Delete directory ‘AdatumSync’ blade and click Delete.

Get Artifact from other project

Scenario
I have Project A and Project B. I would like to get an artifact from Project A and use it in the Project B release pipeline.

Solution
1. Go to Project Settings of the Project A

2. Go to Pipelines > Settings.

3. In General, just disable Limit job authorization scope to current project for non-release pipelines and Limit job authorization scope to current project for release pipelines

4. Go to General > Permissions > Build Administrators

5. Go to Members > Add > Search your Project B Build Service (organization name) > Save, then you will see the Project C Build Service team in Members.

Azure Security – Azure AD Privileged Identity Management

Scenario
You have been asked to create a proof of concept that uses Azure Privileged Identity Management (PIM) to enable just-in-time administration and control the number of users who can perform privileged operations. The specific requirements are:
– Create a permanent assignment of the aaduser2 Azure AD user to the Security Administrator role.
– Configure the aaduser2 Azure AD user to be eligible for the Billing Administrator and Global Reader roles.
– Configure the Global Reader role activation to require an approval of the aaduser3 Azure AD user
– Configure an access review of the Global Reader role and review auditing capabilities.

Exercise 1 – Configure PIM users and roles
Task 1: Make a user eligible for a role

1. Sign-in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure AD Privileged Identity Management and press the Enter key.

3. On the Azure AD Privileged Identity Management blade, in the Manage section, click Azure AD roles.

4. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Roles.

5. On the AdatumLab500-04 | Roles blade, click + Add assignments.

6. On the Add assignments blade, in the Select a role drop-down, select Billing Administrator.

7. Click the No member selected link, on the Select a member blade, click aaduser2, and then click Select.

8. Back on the Add assignments blade, click Next.

9. Ensure the Assignment type is set to Eligible and click Assign.

10. Back on the AdatumLab500-04 | Roles blade, in the Manage section, click Assignments.

11. Back on the AdatumLab500-04 | Assignments blade, note the tabs for Eligible assignments, Active assignments, and Expired assignments.

12. Verify on the Eligible assignments tab that aaduser2 is shown as a Billing administrator.

Task 2: Configure a role to require approval to activate and add an eligible member
1. In the Azure Portal, navigate back to the Azure AD Privileged Identity Management blade and click Azure AD roles.

2. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Roles.

3. On the AdatumLab500-04 | Roles blade, click the Global reader role entry.

4. On the Global Reader | Assignments blade, click the Settings icon in the toolbar of the blade and review the configuration settings for the role, including the Azure Multi-Factor Authentication requirements.

5. Click Edit.

6. On the Activation tab, enable the Require approval to activate check box.

7. Click Select approver(s), on the Select a member blade, click aaduser3, and then click Select.

8. Click Next: Assignment.

9. Clear the Allow permanent eligible assignment check box, leaving all other settings with their default values.

10. Click Next: Notification.

11. On the Edit role setting – Global Reader blade, review the settings and click Update.
NOTE: Anyone trying to use the Global Reader role will now need approval from aaduser3.

12. On the Global Reader | Assignments blade, click + Add assignments.

13. On the Add assignments blade, click No member selected, on the Select a member blade, click aaduser2, and then click Select.

14. Click Next.

15. Ensure the Assignment type is Eligible and review the eligible duration settings.

16. Click Assign.
NOTE: User aaduser2 is eligible for the Global Reader role.

Task 3: Give a user permanent assignment to a role.
1. In the Azure Portal, navigate back to the Azure AD Privileged Identity Management blade and click Azure AD roles.

2. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Roles.

3. On the AdatumLab500-04 | Roles blade, click + Add assignments.

4. On the Add assignments blade, in the Select role drop-down, select Security Administrator.

5. On the Add assignments blade, click the No member selected link, on the Select a member blade, click aaduser2, and then click Select.

6. Click Next.

7. Review the Assignment type settings and click Assign.
NOTE: User aaduser2 is now permanently assigned the Security Administrator role.
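The three configurations above (eligible assignments for Billing Administrator and Global Reader, an approval requirement on Global Reader with aaduser3 as approver, and a permanent Security Administrator assignment) can also be applied with the Microsoft Graph PowerShell SDK. The following is an added example and not part of the lab guide; it assumes the Microsoft.Graph modules are installed, that the signed-in account is a Privileged Role Administrator of the lab tenant, and it uses the lab's aaduser2 and aaduser3 accounts with the tenant name left as the same <your_tenant_name> placeholder the lab uses.

```powershell
# Added example (not part of the lab): PIM role assignments and the Global Reader
# approval rule via Microsoft Graph PowerShell. Assumes Microsoft.Graph is installed
# and the caller is a Privileged Role Administrator in the lab tenant.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "User.Read.All"

$tenant   = "<your_tenant_name>.onmicrosoft.com"   # placeholder, as in the lab text
$aaduser2 = Get-MgUser -Filter "userPrincipalName eq 'aaduser2@$tenant'"
$aaduser3 = Get-MgUser -Filter "userPrincipalName eq 'aaduser3@$tenant'"

# Resolve role definition ids by display name rather than hard-coding template ids.
function Get-RoleId([string]$DisplayName) {
    (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'").Id
}

# Task 1 and Task 2 (steps 12-16): make aaduser2 eligible, time-bound to one year,
# which matches the portal's default eligible duration.
foreach ($role in "Billing Administrator", "Global Reader") {
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action           = "adminAssign"
        justification    = "AZ500 lab: make aaduser2 eligible for $role"
        roleDefinitionId = Get-RoleId $role
        directoryScopeId = "/"
        principalId      = $aaduser2.Id
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = "afterDuration"; duration = "P365D" }
        }
    }
}

# Task 3: permanent (no expiration) active assignment of Security Administrator.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "AZ500 lab: permanent Security Administrator for aaduser2"
    roleDefinitionId = Get-RoleId "Security Administrator"
    directoryScopeId = "/"
    principalId      = $aaduser2.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "noExpiration" }
    }
}

# Task 2 (steps 4-11): require aaduser3's approval to activate Global Reader.
# PIM role settings are a role management policy bound to the role; the
# end-user activation approval rule has the fixed id Approval_EndUser_Assignment.
$globalReaderId = Get-RoleId "Global Reader"
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$globalReaderId'").PolicyId

Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" `
    -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id      = "Approval_EndUser_Assignment"
        target  = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
                     inheritableSettings = @(); enforcedSettings = @() }
        setting = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers   = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $aaduser3.Id })
                escalationApprovers = @()
            })
        }
    }

# Step 12 of Task 1: confirm the eligible assignments now exist for aaduser2.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($aaduser2.Id)'" `
    -ExpandProperty roleDefinition |
    Select-Object @{n = 'Role'; e = { $_.RoleDefinition.DisplayName }}, MemberType, Status
```

Scripting this is worth knowing even for a proof of concept: the schedule requests are the same objects the portal creates, so the eligibility and approval configuration becomes reviewable and repeatable, and the final listing is the check that the intended users (and only those) are eligible.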

Exercise 2 – Activate PIM roles with and without approval
Task 1: Activate a role that does not require approval.

1. Open an InPrivate browser window.

2. In the InPrivate browser window, navigate to the Azure portal and sign in using the aaduser2 user account.
NOTE: To sign in you will need to provide a fully qualified name of the aaduser2 user account, including the Azure AD tenant DNS domain name, which you recorded earlier in this lab. This user name is in the format aaduser2@<your_tenant_name>.onmicrosoft.com, where <your_tenant_name> is the placeholder representing your unique Azure AD tenant name.

3. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure AD Privileged Identity Management and press the Enter key.

4. On the Azure AD Privileged Identity Management blade, in the Tasks section, click My roles.

5. You should see three Eligible roles for aaduser2: Global Reader, Security Administrator, and Billing Administrator.

6. In the row displaying the Billing Administrator role entry, click Activate.

7. If needed, click the warning Additional verification required. Click to continue and follow the instructions to verify your identity.

8. On the Activate – Billing Administrator blade, in the Reason text box, type text providing justification for the activation, and then click Activate.
NOTE:
– When you activate a role in PIM, it can take up to 10 minutes for the activation to take effect.
– This role does not require approval, so you will be able to sign out and log back in to begin using the activated role.

9. Sign out and sign back into the Azure portal by using the aaduser2 user account.

10. Navigate back to the Azure AD Privileged Identity Management blade and, in the Tasks section, click My roles.

11. On the My roles | Azure AD roles blade, switch to the Active assignments tab. Notice the Billing Administrator role is Activated.
NOTE:
– Once a role has been activated, it automatically deactivates when its time limit under End time (eligible duration) is reached.
– If you complete your administrator tasks early, you can deactivate a role manually.

12. In the list of Active Assignments, in the row representing the Billing Administrator role, click the Deactivate link.

13. On the Deactivate – Billing Administrator blade, click Deactivate again to confirm your intent.

Task 2: Activate a role that requires approval.
1. In the InPrivate browser window, in the Azure portal, while signed in as the aaduser2 user, navigate back to the Privileged Identity Management | Quick start blade.

2. On the Privileged Identity Management | Quick start blade, in the Tasks section, click My roles.

3. On the My roles | Azure AD roles blade, in the list of Eligible assignments, in the row displaying the Global Reader role, click Activate.

4. On the Activate – Global Reader blade, in the Reason text box, type text providing justification for the activation, and then click Activate.

5. Click the Notifications icon in the toolbar of the Azure portal and view the notification informing that your request is pending approval.
NOTE: As the Privileged role administrator you can review and cancel requests at any time.

6. On the My roles | Azure AD roles blade, locate the Security Administrator role, and click Activate.

7. Click the warning Additional verification required. Click to continue.

8. Follow the instructions to verify your identity.
NOTE: You only have to authenticate once per session.

9. Once you are back in the Azure Portal interface, on the Activate – Security Administrator blade, in the Reason text box, type text providing justification for the activation, and then click Activate.
NOTE: The auto approval process should complete.

10. Back on the My roles | Azure AD roles blade, click the Active assignments tab and notice that the listing of active assignments includes Security Administrator but not the Global Reader role.
NOTE: You will now approve the Global Reader role.

11. Sign out of the Azure portal as aaduser2.

12. Sign into the Azure portal as aaduser3.
NOTE: If you run into problems with authenticating by using any of the user accounts, you can sign in to the Azure AD tenant by using your user account to reset their passwords or reconfigure their sign-in options.

13. In the Azure portal, navigate to Azure AD Privileged Identity Management.

14. On the Privileged Identity Management | Quick start blade, in the Tasks section, click Approve requests.

15. On the Approve requests | Azure AD roles blade, in the Requests for role activations section, select the checkbox for the entry representing the role activation request to the Global Reader role by aaduser2.

16. Click Approve. On the Approve Request blade, in the Justification text box, type a reason for activation, note the start and end times, and then click Confirm.
NOTE: You also have the option of denying requests.

17. Sign out of the Azure portal as aaduser3.

18. Sign into the Azure portal as aaduser2.

19. In the Azure portal, navigate to Azure AD Privileged Identity Management.

20. On the Privileged Identity Management | Quick start blade, in the Tasks section, click My roles.

21. On the My roles | Azure AD roles blade, click the Active Assignments tab and verify that the Global Reader role is now active.
NOTE: You might have to refresh the page to view the updated list of active assignments.

22. Sign out and close the InPrivate browser window.
RESULT: You have practiced activating PIM roles with and without approval.

Exercise 3: Create an Access Review and review PIM auditing features
Task 1: Configure security alerts for Azure AD directory roles in PIM

1. Sign-in to the Azure portal https://portal.azure.com/ using your account.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure AD Privileged Identity Management and press the Enter key.

3. Navigate to the Azure AD Privileged Identity Management blade.

4. On the Privileged Identity Management | Quick start blade, in the Manage section, click Azure AD Roles.

5. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Access reviews.

6. On the AdatumLab500-04 | Access reviews blade, click New.

7. On the Create an access review blade, specify the following settings (leave others with their default values):

Setting                   Value
Review name               Global Reader Review
Start Date                today's date
Frequency                 One time
End Date                  end of the current month
Review role membership    Global Reader
Reviewers                 Selected users
Select reviewers          your account

8. On the Create an access review blade, click Start.
NOTE: It will take about a minute for the review to deploy and appear on the AdatumLab500-04 | Access reviews blade. You might have to refresh the web page. The review status will be Active.

9. On the AdatumLab500-04 | Access reviews blade, under the Global Admin Review header, click the Global Reader entry.

10. On the Global Reader Review blade, examine the Overview page and note that the Progress chart shows a single user in the Not reviewed category.

11. On the Global Reader Review blade, in the Manage section, click Results. Note that aaduser2 is listed as having access to this role.

12. Click aaduser2 to view a detailed audit log with entries representing PIM activities that involve that user.

13. Navigate back to the AdatumLab500-04 | Access reviews blade.

14. On the AdatumLab500-04 | Access reviews blade, in the Tasks section, click Review access and then click the Global Reader Review entry.

15. On the Global Reader Review blade, click the aaduser2 entry.

16. In the Reason text box, type a rationale for approval and then click either Approve to maintain the current role membership or Deny to revoke it.

17. Navigate back to the Azure AD Privileged Identity Management blade and, in the Manage section, click Azure AD roles.

18. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Access reviews.

19. Select the entry representing the Global Reader review. Note that the Progress chart has been updated to show your review.

Task 2: Review PIM alerts, summary information, and detailed audit information.
1. Navigate back to the Azure AD Privileged Identity Management blade and, in the Manage section, click Azure AD roles.

2. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Alerts, and then click Setting.

3. On the Alert settings blade, review the preconfigured alerts and risk levels. Click on any of them for more detailed information.

4. Return to the AdatumLab500-04 | Quick start blade and click Overview.

5. On the AdatumLab500-04 | Overview blade, review summary information about role activations, PIM activities, alerts, and role assignments.

6. On the AdatumLab500-04 | Overview blade, in the Activity section, click Resource audit.
NOTE: Audit history is available for all privileged role assignments and activations within the past 30 days.

7. Notice you can retrieve detailed information, including Time, Requestor, Action, Resource name, Scope, and Subject.
RESULT: You have configured an access review and reviewed audit information.
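The review and audit information that Exercise 3 reads from the portal (who is eligible for or actively holds Global Reader, and the RoleManagement audit trail of the last 30 days) can be pulled with the Microsoft Graph PowerShell SDK as well, which is the form you would use to feed it into a SIEM or a scheduled check. This is an added example, not part of the lab; it assumes the Microsoft.Graph modules are installed and that the signed-in account can read role management data and directory audit logs in the lab tenant.

```powershell
# Added example (not part of the lab): review PIM state and RoleManagement audit
# entries via Microsoft Graph PowerShell. Assumes Microsoft.Graph is installed and
# the caller may read role management data and directory audit logs.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All", "Directory.Read.All"

$globalReader = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"

# Eligible holders of Global Reader (the population an access review decides on).
Write-Host "Eligible for Global Reader:"
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$($globalReader.Id)'" -ExpandProperty principal |
    Select-Object @{n = 'Principal'; e = { $_.Principal.AdditionalProperties['userPrincipalName'] }},
                  MemberType, Status

# Assignments that are active right now, with AssignmentType showing whether the
# role was permanently Assigned or Activated through a PIM request.
Write-Host "Currently active Global Reader assignments:"
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($globalReader.Id)'" -ExpandProperty principal |
    Select-Object @{n = 'Principal'; e = { $_.Principal.AdditionalProperties['userPrincipalName'] }},
                  AssignmentType, StartDateTime, EndDateTime

# Directory audit entries in the RoleManagement category for the last 30 days,
# the same window the portal's Resource audit view covers. Each row carries the
# time, requestor, action, target resources and result the portal shows.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("o")
Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'RoleManagement' and activityDateTime ge $since" |
    Sort-Object ActivityDateTime |
    Select-Object ActivityDateTime,
                  ActivityDisplayName,
                  @{n = 'Requestor'; e = { $_.InitiatedBy.User.UserPrincipalName }},
                  @{n = 'Targets';   e = { ($_.TargetResources | ForEach-Object {
                                            "$($_.Type): $($_.DisplayName)$($_.UserPrincipalName)" }) -join ', ' }},
                  Result |
    Format-Table -AutoSize
```

Running the first two queries before and after the access review is the quickest way to confirm that a Deny decision actually removed the eligibility, and the audit query is what a detection rule would be built on: an activation of a privileged role without a matching approval entry, or outside the expected eligible duration, is the kind of event worth alerting on.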

Clean up resources
1. In the Azure portal, set the Directory + subscription filter to the Azure AD tenant associated with the Azure subscription into which you deployed the az500-04-vm1 Azure VM.

2. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click PowerShell and Create storage.

3. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

4. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB04" -Force -AsJob

5. Close the Cloud Shell pane.

6. Back in the Azure portal, use the Directory + subscription filter to switch to the AdatumLab500-04 Azure Active Directory tenant.

7. Navigate to the Azure Active Directory Premium P2 – Licensed users blade, select the user accounts to which you assigned licenses, click Remove license, and, when prompted to confirm, click OK.

8. In the Azure portal, navigate to the Users – All users blade, click the entry representing the aaduser1 user account, on the aaduser1 – Profile blade click Delete, and, when prompted to confirm, select Yes.

9. Repeat the same sequence of steps to delete the remaining user accounts you created.

10. Navigate to the AdatumLab500-04 – Overview blade of the Azure AD tenant, click Delete tenant, on the Delete directory ‘AdatumLab500-04’ blade, click the Get permission to delete Azure resources link, on the Properties blade of Azure Active Directory, set Access management for Azure resources to Yes and click Save.

11. Sign out from the Azure portal and sign in back.

12. Navigate back to the Delete directory ‘AdatumLab500-04’ blade and click Delete.