Compliance & Security Scanning
1h 21m

Microsoft Azure is a robust, feature-rich cloud platform used by a growing number of technology companies. With its vast array of services, a key challenge to administering an Azure environment is security. How can we ensure that our Azure infrastructure meets strict security standards? This course offers the answer.

In three concise units, the student will learn all about compliance and cloud security. The course delves into several key Azure components, including Azure DevOps, Azure Security Center, Desired State Configuration, and Azure Pipelines. After completing the lessons and watching the video demonstrations, the student will be equipped with the knowledge to automate critical security tasks to ensure a thoroughly hardened cloud architecture.

This skill set will serve infrastructure developers working with live environments or seeking to pass certification exams. Most importantly, it will help students understand cloud security in a comprehensive and thorough way.

For feedback, queries, or suggestions relating to this course, please contact us at

Learning Objectives

  • Scan infrastructure using Azure tools to prevent drift leading to compliance violations
  • Automate configuration using Azure Automation and Desired State Configuration
  • Create secure and compliant software pipelines in Azure

Intended Audience

This course is intended for:

  • Those looking to learn more about the security and compliance features in Azure
  • People studying for Microsoft's AZ-400 exam


To get the most from this course, you should already have a basic understanding of Microsoft Azure as well as some knowledge of programming and cloud infrastructure. 


Compliance and security are two critical concepts in the world of cloud software systems. They reinforce each other in important ways, so I would like to start by making sure you understand the distinction early and clearly. Security refers specifically to how well protected our system is from threats. And by threats we might mean external agents and bad actors like hackers, and also how well protected we are from internal actors like careless employees, or any other thing that might compromise our systems. So that's security. Compliance refers to the degree to which our architecture conforms to a specific standard. So we may have defined an amazing security standard to protect against everything. However, our system is not really safe unless it is also compliant with that standard. So by the same token, being compliant is not helpful if our standard is too weak.

I'm going to reiterate this for emphasis 'cause it's important. The state of having a secure software environment comes from both having a solid security standard and ensuring that your system is compliant with that standard. In practice, it's very difficult to ensure security without thinking about compliance. Security just on its own is very abstract and nebulous: am I secure or not? Compliance gives us a framework for defining threats and prioritizing solutions for hardening our systems.

In this first lesson as part of section one, we're going to demonstrate how we can define security standards in Azure and gain confidence that we are compliant with those standards.

So let's start by talking about Azure Security Center and policies. So Azure Security Center, or ASC as we can call it, is Azure's comprehensive platform-wide infrastructure security tool set. ASC is deeply integrated with all Azure services and does not require any additional deployment. It can be used with other clouds or on-prem solutions; it is at its most intuitive, though, in an Azure environment. ASC includes scanning tools for general vulnerability assessment. There's a VM scanning tool for checking Azure instances as well as a newer container image scanner that will identify known vulnerabilities within containers, software containers, in your Azure Registry. Scans occur automatically when containers are uploaded and run continuously on a schedule. Note that these features are part of the standard tier price, not the free tier. So you do have to enable that in your subscription.

A basic construct of Azure Security Center is the policy. ASC policies are what define the security standards used for measuring compliance. ASC includes dozens of pre-defined industry standards such as SOC TSP, ISO 27001, PCI. These standards are widely used and exhaustively studied and audited. They cover things like access control, incident response, encryption, and a host of other security concerns. Some will apply to specific Azure services. ASC also has support for defining custom policies if you have needs specific to your organization.

The ASC dashboard lets us see all of our policies in one place and map them to specific resource groups and subscriptions. Of particular use is the Regulatory Compliance dashboard, which lets us see precisely how compliant our system is with industry and org-specific standards. What's more, ASC also gives an overall security score with severity rankings. Thanks to this, in practice you really don't need to spend a lot of time actually creating original policies from scratch and updating them. With the built-in industry security standards, the compliance dashboard, and the security score, you have all the tools you need to lock down your environment just by following Security Center's lead.

Compliance with ASC security policies is tracked automatically over time in the dashboard. We can easily see which subscriptions are covered by specific ASC policies and which resources are compliant. This is all just extremely helpful for auditing purposes, particularly for businesses that are in industries with very strict regulations regarding data security. The dashboard will give us an audit trail should something go wrong and should there be a need for forensic investigation.

So that's basically it for ASC. We will go deeper into the actual dashboard in the demo. In the next lesson, we're gonna talk about drift, which is a phenomenon of systems that may be compliant but they don't always stay compliant. So we'll see ya there, thanks for listening.


Course Introduction - Security Center Demo - Preventing Drift - ARM, Activity Log & Track Changes Demo - Desired State Configuration (DSC) - Azure Desired State Configuration Demo - Azure Automation State Configuration - VM Agents & Extensions - VM Agents & Extensions Demo - Security & Compliance Pipelines - Azure Pipelines & Gates Demo - Course Summary

About the Author

Jonathan Bethune is a senior technical consultant working with several companies including TopTal, BCG, and Instaclustr. He is an experienced devops specialist, data engineer, and software developer. Jonathan has spent years mastering the art of system automation with a variety of different cloud providers and tools. Before he became an engineer, Jonathan was a musician and teacher in New York City. Jonathan is based in Tokyo where he continues to work in technology and write for various publications in his free time.