Azure Security Engineer — Complete Learning Package
Beginner Labs (1–15)
- Enable MFA for all users
- Conditional Access: require MFA
- PIM setup for Security Admin
- Create break-glass accounts
- Key Vault with RBAC + secret access
- Enable soft delete + purge protection
- Private Endpoint for Key Vault
- NSG: deny all inbound, allow specific
- Deploy Azure Firewall
- Enable Defender for Cloud
- Configure JIT VM access
- WAF in Prevention mode
- Diagnostic logs to Log Analytics
- Policy: deny public endpoints
- SQL firewall VNet-only access
Intermediate Labs (16–35)
- Conditional Access policies (MFA, geo, device)
- Identity Protection policies
- PIM for all privileged roles
- Access Reviews setup
- Azure Firewall Premium (TLS + IDPS)
- Firewall DNS proxy
- WAF custom rules
- Zero-trust network with Private Endpoints
- DDoS Protection Standard
- Microsoft Sentinel setup
- Sentinel playbooks (block IP, disable user)
- Customer-managed keys (CMK)
- SQL Always Encrypted
- Dynamic Data Masking
- Policy initiative for security baseline
- Defender alerts + email notifications
- Secure Score improvement plan
- Policy enforcement (encryption, tags, endpoints)
- Lighthouse cross-tenant security
Advanced Labs (36–50)
- Full zero-trust architecture
- Complete SOC with Sentinel
- Identity governance system
- HIPAA compliance architecture
- Confidential computing deployment
- Threat hunting with MITRE mapping
- Automated incident response
- Privileged Access Workstations (PAW)
- Azure Managed HSM deployment
- Security baseline automation
- Multi-cloud security posture
- Data Loss Prevention (Purview)
- Security architecture review process
- Security metrics dashboard
- Full security transformation
Major Projects
Core Security Architecture
- Zero-trust implementation
- Azure Firewall Premium deployment
- WAF across applications
- DDoS protection architecture
- Private Link architecture
Identity & Governance
- PIM + Access Reviews + Entitlement Management
- Conditional Access framework
- Break-glass account system
- Service principal governance
- Certificate lifecycle management
Compliance & Monitoring
- HIPAA / PCI DSS / SOC2 / ISO 27001
- Security monitoring dashboard
- Sentinel SOC implementation
- Threat hunting program
- Compliance automation
Gotchas & Common Mistakes
- Conditional Access report-only ≠ enforcement
- PIM eligible ≠ active role
- RBAC preferred over Key Vault access policies
- Private Endpoint DNS is critical
- WAF needs tuning to avoid false positives
- Confusion between Defender for Cloud free and paid plans
- JIT requires Defender for Servers
- Sentinel costs depend on ingestion
- CMK rotation doesn’t re-encrypt old data
- Managed Identity cannot cross tenants
- Azure Policy is not retroactive for existing resources
- SQL that depends on Key Vault keys breaks if Key Vault is unavailable
- Security defaults are all-or-nothing
- Sentinel retention >90 days costs extra
- Security is continuous, not one-time
Security Incident Response Process
- Detect: Alerts from Defender/Sentinel
- Triage: Assess severity and impact
- Contain: Block access, isolate systems
- Investigate: Analyze logs and activity
- Remediate: Fix vulnerabilities
- Recover: Restore services
- Post-Incident: RCA + improvements
Monthly Security Review Checklist
- Secure Score improvement
- PIM assignment review
- Access review completion
- Secret & certificate expiry check
- Sentinel rule tuning
- WAF log review
- Policy compliance check
- Defender alerts review
Conditional Access Rollout Plan
- Enable security defaults
- Create report-only policies
- Review impact
- Block legacy authentication
- Enable MFA for all users
- Enable MFA for Azure management
- Geo and device-based policies
- Enable Identity Protection policies