AZ-900 Exam Prep
This short course covers some additional topics you should review before taking the Microsoft AZ-900 exam.
Congratulations on making it all the way through this learning path. If you’re preparing to write the Microsoft AZ-900 exam, bear in mind that although we’ve covered all of the major topics in the exam guide, there are a few details that weren’t covered. I’ll go over them briefly here.
Even though Azure virtual networks already had a firewall-like feature called network security groups, Microsoft released a new service called Azure Firewall. The advantage of using Azure Firewall is that it’s more feature-rich. For example, you can tell it to allow outbound traffic only to certain domain names. NSGs can’t do that. They only allow you to specify IP addresses, not entire domains. An Azure Firewall is centralized, so it works across virtual networks and even across subscriptions.
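To make the difference concrete, here is an added example (not from the course) that puts an NSG outbound rule next to an Azure Firewall application rule collection, using the property names from their ARM template schemas. The wrapper keys `nsgOutboundRule` and `firewallApplicationRuleCollection`, the rule names, the addresses, and the domain `*.example.com` are all constructed for illustration.

```json
{
  "nsgOutboundRule": {
    "name": "allow-https-to-one-ip",
    "properties": {
      "direction": "Outbound",
      "access": "Allow",
      "priority": 200,
      "protocol": "Tcp",
      "sourceAddressPrefix": "10.0.1.0/24",
      "sourcePortRange": "*",
      "destinationAddressPrefix": "203.0.113.10",
      "destinationPortRange": "443"
    }
  },
  "firewallApplicationRuleCollection": {
    "name": "allow-outbound-by-domain",
    "properties": {
      "priority": 200,
      "action": { "type": "Allow" },
      "rules": [
        {
          "name": "allow-https-to-example-domain",
          "sourceAddresses": ["10.0.1.0/24"],
          "protocols": [{ "protocolType": "Https", "port": 443 }],
          "targetFqdns": ["*.example.com"]
        }
      ]
    }
  }
}
```

The NSG rule can only name a destination by address, so it has to be updated whenever the service behind it changes IP. The firewall rule names the destination by domain in `targetFqdns`.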
Sometimes firewalls aren’t enough, such as when your application gets hit by a distributed denial of service, or DDoS, attack. This is when a large number of computers send requests to your servers simultaneously with the intention of taking down your application. To help combat these attacks, Microsoft offers Azure DDoS Protection in two tiers. The Basic tier is enabled automatically. It mitigates common DDoS attacks using the same technology that protects Microsoft’s own online services. The Standard tier provides protection against additional types of DDoS attacks, but there is a monthly charge for it.
Unlike DDoS attacks, most hacker attacks are intended to get inside your systems rather than take them down. One service you can use to help deal with these attacks is Azure Advanced Threat Protection or ATP. Azure ATP monitors user activities and looks for anomalies. For example, if an attacker seizes control of a user account, they’ll probably try to gain access to internal resources or other accounts. This sort of activity can often be spotted by ATP, which will send an alert to your administrators. It can also inform administrators of potential weaknesses in your account security before you’re compromised by an attacker.
Even if you do a good job of protecting your systems from attackers, your legitimate users might accidentally reveal confidential information. Azure Information Protection, or AIP, can help with that. AIP lets you label information as confidential, either manually or using rules you create. This, alone, will help keep people from inadvertently sending confidential information outside of the organization, but you can also configure AIP to actually prevent it from happening. For example, if someone attaches a confidential document to an email and then tries to send that email to a person outside of the company, AIP can stop the email from being sent.
To enforce a wide variety of governance policies, you can use the Azure Policy service. For example, suppose your company has a European division that is legally required to store its data only in European data centers. You could create a policy that only allows SQL Database instances to be created in European regions and assign that policy to the resource group for that division of the company. You’d also need to create similar policies for other data storage services, such as SQL Data Warehouse and Data Lake Storage.
Now suppose you need to assign the same policies to a number of different resource groups or subscriptions. To make it easier, you can group related policies into what’s called an initiative and then assign that initiative to various subscriptions, resource groups, and management groups.
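The European-regions scenario above, written out as an added example (not from the course): a custom policy definition that denies SQL databases outside an allowed list of regions, and an initiative that groups it with the matching policies for the other data services. The wrapper keys `policyDefinition` and `initiativeDefinition`, the display names, the choice of `northeurope` and `westeurope`, and the `<...>` placeholders in the policy IDs are assumptions for illustration.

```json
{
  "policyDefinition": {
    "properties": {
      "displayName": "Example: SQL Database in European regions only",
      "policyType": "Custom",
      "mode": "Indexed",
      "parameters": {
        "allowedLocations": {
          "type": "Array",
          "metadata": { "strongType": "location" },
          "defaultValue": ["northeurope", "westeurope"]
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Sql/servers/databases" },
            { "field": "location", "notIn": "[parameters('allowedLocations')]" }
          ]
        },
        "then": { "effect": "deny" }
      }
    }
  },
  "initiativeDefinition": {
    "properties": {
      "displayName": "Example: European data residency",
      "policyType": "Custom",
      "parameters": {
        "allowedLocations": { "type": "Array", "defaultValue": ["northeurope", "westeurope"] }
      },
      "policyDefinitions": [
        {
          "policyDefinitionId": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyDefinitions/<sql-database-policy>",
          "parameters": { "allowedLocations": { "value": "[parameters('allowedLocations')]" } }
        },
        {
          "policyDefinitionId": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyDefinitions/<sql-data-warehouse-policy>",
          "parameters": { "allowedLocations": { "value": "[parameters('allowedLocations')]" } }
        },
        {
          "policyDefinitionId": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyDefinitions/<data-lake-storage-policy>",
          "parameters": { "allowedLocations": { "value": "[parameters('allowedLocations')]" } }
        }
      ]
    }
  }
}
```

Because the initiative passes its own `allowedLocations` parameter down to every member policy, the region list is set once at assignment time and applies to all three services.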
Since security, privacy, compliance, and trust are responsibilities that your organization shares with its service providers, Microsoft provides lots of resources to help you understand how they take care of their side of the arrangement.
The Microsoft Privacy Statement “explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.” This actually applies to all of Microsoft’s services, not just Azure. To save you some typing, I put all of the links from this video in the transcript below.
The Trust Center contains a collection of links to resources about how Microsoft handles security, privacy, compliance, and transparency.
The Service Trust Portal is focused specifically on compliance. For example, it has links to Azure audit reports for regulatory standards like SOC, FedRAMP, and ISO 27001. These will be helpful if your organization is going through these compliance audits. There’s also a link to a site called “Compliance Manager”.
This is a great tool that helps you achieve compliance. It creates assessments for different Microsoft services. It shows how compliant your organization is and how compliant Microsoft is for a particular area. For example, here’s a GDPR assessment for Office 365. You’ll notice that Microsoft Managed Actions is at 100%, which is always the case. In this example, Customer Managed Actions is at 0%. To find out how to move your organization into compliance, you can click on the assessment, and it will bring up a list of steps to complete. In most cases, you’ll need to upload evidence of your compliance. The main value of the Compliance Manager is that it helps you organize and track your compliance efforts.
If you’re involved in cloud solutions for the US government, then be aware that Microsoft provides Azure Government services that are in physically isolated data centers and networks. Azure Government is available to US government agencies at the federal, state, and local levels, as well as to their partners. To use these services, your organization has to meet eligibility requirements.
That’s it for additional topics for the AZ-900 exam. If you have any questions or comments, please let us know.
Thanks and good luck on the exam!
Microsoft Privacy Statement: https://privacy.microsoft.com/privacystatement
Microsoft Trust Center: https://www.microsoft.com/trust-center
Microsoft Service Trust Portal: https://servicetrust.microsoft.com/
Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).