Preventing Drift
1h 21m

Microsoft Azure is a robust, feature-rich cloud platform used by a growing number of technology companies. With its vast array of services, a key challenge to administering an Azure environment is security. How can we ensure that our Azure infrastructure meets strict security standards? This course offers the answer.

In three concise units, the student will learn all about compliance and cloud security. The course delves into several key Azure components, including Azure DevOps, Azure Security Center, Desired State Configuration, and Azure Pipelines. After completing the lessons and watching the video demonstrations, the student will be equipped with the knowledge to automate critical security tasks to ensure a thoroughly hardened cloud architecture.

This skill set will serve infrastructure developers working with live environments or seeking to pass certification exams. Most importantly, it will help students understand cloud security in a comprehensive and thorough way.

For feedback, queries, or suggestions relating to this course, please contact us at

Learning Objectives

  • Scan infrastructure using Azure tools to prevent drift leading to compliance violations
  • Automate configuration using Azure Automation and Desired State Configuration
  • Create secure and compliant software pipelines in Azure

Intended Audience

This course is intended for:

  • Those looking to learn more about the security and compliance features in Azure
  • People studying for Microsoft's AZ-400 exam


To get the most from this course, you should already have a basic understanding of Microsoft Azure as well as some knowledge of programming and cloud infrastructure. 


Now that you are grounded in Azure's toolset for getting your systems compliant, we are going to learn how to keep them that way. Drift is the bane of many a systems engineer. By drift we mean configuration drift, not the racing technique: the reality that over time software systems tend to become less compliant and more chaotic. This happens in a thousand different ways. A hotfix gets deployed that updates a YAML file, but the change never makes it into version control. A firewall is opened up during a maintenance window, but the port and protocol rules are not returned to their strict settings afterward. A server gets rebooted, blowing away some critical in-memory credential. The older our infrastructure is, the more lore, history and drift build up, making it less stable and less secure. Configuration drift is a very serious security threat: every undocumented change is one that your security review never saw.

Fortunately Azure gives us some helpful tools for detecting drift in our configuration. Your first line of defense is Azure Resource Manager, or ARM. This is the deployment and management layer for resources in Azure, which groups them into resource groups, and it's frankly one of the most helpful features when compared to other cloud providers. ARM deployment templates allow you to define a discrete set of resources, together with their configuration, in one place that is easy to monitor and update. These templates can be treated as infrastructure as code and checked into version control. Infrastructure as code is a really important concept.

If you've ever worked with Terraform or CloudFormation, you may be familiar with the concept already. The basic idea of infrastructure as code is that you don't make ad hoc changes to your environment by clicking around in the web console or manually running scripts. As systems engineers, we're often tempted to just SSH to a server, edit some file, restart the service and be on our way. It fixes the problem, right? Wrong: it creates technical debt, and a system whose real configuration no longer matches the one that was reviewed. We absolutely must avoid this type of approach. Using Resource Manager and ARM templates, every change can be version controlled, visible, transparent, and easily undone by redeploying the last known-good template.
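Because the template in version control is the source of truth, ARM can also tell you when the live environment has wandered away from it. The following script is an added example (not code from the course): it runs `az deployment group what-if --no-pretty-print`, which prints a JSON report comparing a template with the resources that exist, and fails a pipeline step if any Create, Delete or Modify entry appears. When the Azure CLI is not installed it falls back to a constructed sample report in the same shape; the subscription, resource group and resource names in that sample are hypothetical.

```python
"""Gate a deployment on ARM template drift (added example, not course code).

`az deployment group what-if --no-pretty-print` compares a template with the
resources that actually exist and prints a JSON report of the differences.
In the report, "before" is the live state and "after" is what the template
says. Treating the template in version control as the source of truth, every
Create, Delete or Modify entry is drift: something changed outside the
template. This script turns that report into a pass/fail gate.
"""
import json
import shutil
import subprocess
import sys

# Change types meaning the live state and the template disagree.
# (NoChange and Ignore are fine; Deploy/Unsupported are nested or opaque.)
DRIFT_CHANGE_TYPES = {"Create", "Delete", "Modify"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers"

# Constructed sample in the shape of a Complete-mode what-if report, not
# captured from a real subscription. Someone opened an NSG rule to the world
# during a maintenance window and left a temporary VM behind.
SAMPLE_WHATIF = {
    "status": "Succeeded",
    "error": None,
    "changes": [
        {
            "resourceId": SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg",
            "changeType": "Modify",
            "delta": [
                {
                    "path": "properties.securityRules[0].properties.sourceAddressPrefix",
                    "propertyChangeType": "Modify",
                    "before": "*",            # live: open to any source
                    "after": "10.0.0.0/8",    # template: internal only
                },
            ],
        },
        {
            "resourceId": SUB + "/Microsoft.Storage/storageAccounts/prodlogs",
            "changeType": "NoChange",
            "delta": [],
        },
        {
            # Exists in Azure but not in the template; Complete mode would delete it.
            "resourceId": SUB + "/Microsoft.Compute/virtualMachines/jumpbox-tmp",
            "changeType": "Delete",
            "delta": None,
        },
    ],
}


def drift_findings(report):
    """Flatten a what-if report into (resourceId, changeType, path, live, template)
    tuples: one per changed property, or one per resource when there is no delta."""
    findings = []
    for change in report.get("changes", []):
        ctype = change.get("changeType")
        if ctype not in DRIFT_CHANGE_TYPES:
            continue
        rid = change["resourceId"]
        deltas = change.get("delta") or []
        if not deltas:
            findings.append((rid, ctype, None, None, None))
        for d in deltas:
            findings.append((rid, ctype, d.get("path"), d.get("before"), d.get("after")))
    return findings


def run_whatif(resource_group, template_file, mode="Complete"):
    """Run the Azure CLI and parse its JSON. Assumes `az login` has been done."""
    cmd = ["az", "deployment", "group", "what-if",
           "--resource-group", resource_group, "--template-file", template_file,
           "--mode", mode, "--no-pretty-print"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def main(argv):
    if len(argv) == 3 and shutil.which("az"):
        report = run_whatif(argv[1], argv[2])
    else:
        print("usage: drift_gate.py <resource-group> <template.json>; "
              "az not found or no arguments, using the constructed sample")
        report = SAMPLE_WHATIF
    findings = drift_findings(report)
    for rid, ctype, path, live, tmpl in findings:
        name = rid.rsplit("/", 1)[-1]
        print(f"{ctype:7} {name:12} {path or '(whole resource)'} live={live!r} template={tmpl!r}")
    if findings:
        print(f"{len(findings)} drift finding(s): failing the gate")
        return 1
    print("no drift: live state matches the template")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a scheduled job against production, not only before deployments: a what-if that reports changes when nobody has touched the template is exactly the out-of-band change this lecture is warning about. Complete mode is what surfaces resources that exist but were never defined in the template.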

The second line of defense is the activity log. This is your one-stop shop in Azure for seeing changes to Azure resources. It won't catch everything: if you SSH to a server and edit a file, that is a change inside the VM, not to the Azure resource, and the activity log only records control-plane operations. But most changes to Azure resources themselves, whether made with a CLI tool, a script or the console, should be reflected in the activity log. It's a good idea to back up these logs and to audit them regularly; the activity log is retained for only 90 days by default, so export it to a Log Analytics workspace or a storage account if you need a longer history.
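Auditing the activity log is only useful if you know what you are looking for. One concrete check, shown here as an added example that is not part of the course: assume every legitimate change goes through a pipeline that authenticates as one service principal, then flag every successful write, delete or action on a resource made by any other identity. The records below are constructed in the Activity Log JSON schema (`operationName.value`, `caller`, `status.value`, `category.value`, `correlationId`, `resourceId`); the service principal ID, user names and resource names are hypothetical, and the JSON-lines loader assumes the one-record-per-line layout of a storage-account export.

```python
"""Audit Azure Activity Log records for out-of-band changes (added example).

Assumption: every legitimate change to the production resource group goes
through a pipeline that authenticates as one service principal. Any other
identity that successfully writes, deletes or triggers an action on a
resource made a change outside the pipeline, and that is where drift starts.
"""
import json
from collections import defaultdict

# Object ID of the pipeline's service principal. Constructed value; in a real
# tenant take it from the app registration.
PIPELINE_CALLERS = {"11111111-2222-3333-4444-555555555555"}

# Operations that change state. Reads are not written to the Activity Log.
CHANGE_SUFFIXES = ("/write", "/delete", "/action")

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers"

# Constructed records in the Activity Log JSON schema (not a real export).
SAMPLE_RECORDS = [
    {"eventTimestamp": "2020-03-02T09:14:05Z", "correlationId": "c-1",
     "caller": "11111111-2222-3333-4444-555555555555",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Resources/deployments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": RG + "/Microsoft.Resources/deployments/web-20200302"},
    # A human opens an NSG rule by hand: a Started and a Succeeded event
    # share one correlationId.
    {"eventTimestamp": "2020-03-03T22:41:10Z", "correlationId": "c-2",
     "caller": "alice@contoso.example",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Started"},
     "resourceId": RG + "/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-rdp"},
    {"eventTimestamp": "2020-03-03T22:41:12Z", "correlationId": "c-2",
     "caller": "alice@contoso.example",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Succeeded"},
     "resourceId": RG + "/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-rdp"},
    # A failed attempt changes nothing, so it is not drift.
    {"eventTimestamp": "2020-03-04T08:02:33Z", "correlationId": "c-3",
     "caller": "alice@contoso.example",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.KeyVault/vaults/accessPolicies/write"},
     "status": {"value": "Failed"},
     "resourceId": RG + "/Microsoft.KeyVault/vaults/prod-kv/accessPolicies/add"},
    # A restart is an action, not a write, but it still changes the running system.
    {"eventTimestamp": "2020-03-04T13:15:00Z", "correlationId": "c-4",
     "caller": "bob@contoso.example",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/restart/action"},
     "status": {"value": "Succeeded"},
     "resourceId": RG + "/Microsoft.Compute/virtualMachines/web-01"},
    # Platform events have other categories and no human caller.
    {"eventTimestamp": "2020-03-04T14:00:00Z", "correlationId": "c-5",
     "category": {"value": "ServiceHealth"},
     "operationName": {"value": "Microsoft.ServiceHealth/incident/action"},
     "status": {"value": "Active"},
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"},
]


def out_of_band_changes(records, pipeline_callers=PIPELINE_CALLERS):
    """Return one finding per successful state-changing operation whose caller
    is not a known pipeline identity. Duplicate copies of the same event
    (same correlationId, operation and resource) are collapsed."""
    seen = set()
    findings = []
    for r in records:
        if r.get("category", {}).get("value") != "Administrative":
            continue
        if r.get("status", {}).get("value") != "Succeeded":
            continue
        op = r.get("operationName", {}).get("value", "")
        if not op.endswith(CHANGE_SUFFIXES):
            continue
        caller = r.get("caller") or "<unknown>"
        if caller in pipeline_callers:
            continue
        key = (r.get("correlationId"), op, r.get("resourceId"))
        if key in seen:
            continue
        seen.add(key)
        findings.append({"time": r["eventTimestamp"], "caller": caller,
                         "operation": op, "resource": r.get("resourceId", "")})
    return findings


def load_records(path):
    """Load an export: a JSON array, or one JSON object per line (assumed
    layout of a storage-account archive; adjust for your export)."""
    with open(path, encoding="utf-8") as f:
        text = f.read().strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    import sys
    records = load_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    by_caller = defaultdict(list)
    for f in out_of_band_changes(records):
        by_caller[f["caller"]].append(f)
    for caller, items in sorted(by_caller.items()):
        print(f"{caller}: {len(items)} out-of-band change(s)")
        for f in items:
            print(f"  {f['time']}  {f['operation']}  {f['resource'].rsplit('/', 1)[-1]}")
```

Note what the check deliberately ignores: failed operations (nothing changed, though repeated failures deserve their own alert) and non-Administrative categories. Run it on the exported log rather than the portal view so the 90-day retention limit does not silently cut your audit short.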

Your third line of defense is at the virtual machine level, and it's a nifty little tool called Change Tracking. This is a slightly newer feature. It works with Windows hosts and many Linux distributions, but not all; see the documentation link for the full list of supported Linux distros.

You enable this feature by turning on Inventory and Change Tracking from your Azure Automation account, or from the virtual machine's page in the portal. The video demo will show you how to do it. Once it's enabled, Azure will identify changes to installed software and to running software such as Linux daemons and Windows services. And what's really cool is that there's also a built-in File Integrity Monitoring (FIM) capability: it lets you define specific files that you want to track for changes, and optionally the content of those files as well (content tracking needs a linked storage account). So you can see if some config file or credential has been changed, and you can even see a diff of those changes.
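To make concrete what file tracking is doing for you, here is a minimal file integrity monitor as an added example (illustrative code, not the Azure agent or any course material): it hashes a watched set of files into a baseline, rescans, and reports added, removed and modified files, with a unified diff when the content was small enough to keep. The `demo()` scenario is constructed: it writes a fake `sshd_config` and `hosts.allow` into a temporary directory and then applies the kind of hand-made hotfix the lecture describes.

```python
"""A minimal file integrity monitor: baseline, rescan, diff (added example).

This mirrors what Change Tracking's file tracking does on a VM: hash the files
you care about, keep a baseline, and on each scan report what was added,
removed or modified, with a line diff when the content was small enough to
keep. It is illustrative code, not the Azure agent.
"""
import difflib
import hashlib
import os
import tempfile

MAX_CONTENT_BYTES = 64 * 1024   # keep content (for diffs) only for small text files


def snapshot(paths):
    """Return {path: {"sha256": hex, "mode": perm bits, "content": text or None}}
    for every watched path that currently exists."""
    snap = {}
    for p in paths:
        if not os.path.isfile(p):
            continue
        with open(p, "rb") as f:
            data = f.read()
        content = None
        if len(data) <= MAX_CONTENT_BYTES:
            try:
                content = data.decode("utf-8")
            except UnicodeDecodeError:
                pass  # binary file: hash only, no diff
        snap[p] = {"sha256": hashlib.sha256(data).hexdigest(),
                   "mode": os.stat(p).st_mode & 0o777,
                   "content": content}
    return snap


def compare(baseline, current):
    """Diff two snapshots. Modified entries carry a unified diff when both
    sides had text content, so a changed credential or config line is visible."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "modified": {}}
    for p in sorted(baseline.keys() & current.keys()):
        b, c = baseline[p], current[p]
        if b["sha256"] == c["sha256"] and b["mode"] == c["mode"]:
            continue
        diff = ""
        if b["content"] is not None and c["content"] is not None:
            diff = "".join(difflib.unified_diff(
                b["content"].splitlines(True), c["content"].splitlines(True),
                fromfile=p + " (baseline)", tofile=p + " (current)"))
        report["modified"][p] = {"mode_before": b["mode"], "mode_after": c["mode"],
                                 "diff": diff}
    return report


def demo():
    """Constructed scenario: after the baseline, a hotfix by hand re-enables
    password auth in sshd_config and deletes hosts.allow."""
    d = tempfile.mkdtemp()
    sshd = os.path.join(d, "sshd_config")
    hosts = os.path.join(d, "hosts.allow")
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(hosts, "w") as f:
        f.write("sshd: 10.0.0.0/8\n")
    watched = [sshd, hosts]
    baseline = snapshot(watched)
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication yes\n")
    os.remove(hosts)
    return compare(baseline, snapshot(watched))


if __name__ == "__main__":
    report = demo()
    for p in report["added"]:
        print("added:   ", p)
    for p in report["removed"]:
        print("removed: ", p)
    for p, info in report["modified"].items():
        print("modified:", p, f"(mode {info['mode_before']:o} -> {info['mode_after']:o})")
        print(info["diff"], end="")
```

Two design points carry over to the real service: the baseline must live somewhere the monitored host cannot rewrite (in Azure it is held in the Automation account and Log Analytics, not on the VM), and content should only be captured for files whose contents are not themselves secrets you would rather not copy into a log store.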

So our goal in this section was detecting drift in order to maintain compliance with security policies. I hope you've got some good ideas. We went through our three main lines of defense: ARM templates, the activity log and Change Tracking. In section two we'll go one better and learn how to prevent drift using a really cool service known as Desired State Configuration, or DSC. Be sure to check out the video demos to lock in your understanding of compliance and Azure Security Center (ASC) before moving on to the next section, where we will learn how to automate much of that cumbersome compliance and security policy work. See you there!


Course Outline

  • Course Introduction
  • Compliance & Security Scanning
  • Security Center Demo
  • ARM, Activity Log & Track Changes Demo
  • Desired State Configuration (DSC)
  • Azure Desired State Configuration Demo
  • Azure Automation State Configuration
  • VM Agents & Extensions
  • VM Agents & Extensions Demo
  • Security & Compliance Pipelines
  • Azure Pipelines & Gates Demo
  • Course Summary

About the Author

Jonathan Bethune is a senior technical consultant working with several companies including TopTal, BCG, and Instaclustr. He is an experienced devops specialist, data engineer, and software developer. Jonathan has spent years mastering the art of system automation with a variety of different cloud providers and tools. Before he became an engineer, Jonathan was a musician and teacher in New York City. Jonathan is based in Tokyo where he continues to work in technology and write for various publications in his free time.