Mastering Identity, Governance, Privacy, and Compliance in Microsoft Azure: The AZ-900 Guide from the Trenches

Introduction & Learning Objectives

Cloud conversations in today’s businesses quickly shift from “What can Azure do?” to “How do I secure, govern, and prove compliance in Azure?”—and with good reason. After all these years digging deep into the world of cloud security, I’ve come to realize one thing: nailing identity, governance, privacy, and compliance is make-or-break for your cloud journey. Picture this stuff as your cloud's roadmap—do it right, and it's smooth sailing; skip it, and you're bound to hit some big bumps and probably get a bit lost. These aren’t just buzzwords; they’re foundational pillars—essential for both the AZ-900 Microsoft Azure Fundamentals exam and real-world deployments.

By the end of this guide, you’ll not only understand but be able to implement and troubleshoot Azure’s identity, governance, and compliance features. Here's what you're gonna get really good at:

  • You'll get a solid grip on Azure identity services, diving into Microsoft Entra ID (which you might know as Azure AD), MFA, Conditional Access, and some of the fancier features.
  • You'll discover how tools like RBAC, policies, resource locks, and the management hierarchy do a fantastic job of keeping things secure, budget-smart, and compliant, no matter the size of your operation.
  • We'll break down the essentials of privacy and compliance, connecting the dots from legal regulations to getting hands-on with Compliance Manager.
  • You’ll find out how Azure’s security features, along with its ace squad—Defender for Cloud, Monitor, and Sentinel—team up to offer you top-notch visibility and quick-fire responses.
  • We’re gonna explore best practices, tackle some troubleshooting brainteasers, and get down to business with practical labs and scenarios, prepping you for the exam and any Azure hurdle you might face.

Let's jump into these topics, wipe out any confusion, and set you up for exam success and real-world victories with some sharp tips and no-nonsense guidance.

Exam Objective Mapping:

  • Let's dive deeper into Azure's identity, governance, privacy, and compliance offerings, hitting on what's covered in AZ-900 Domain 2.
  • We'll break down the essentials of Azure management and governance, as covered in AZ-900 Domain 3.

Azure Identity Services and Access Management

Identity is the cornerstone of cloud security. In Azure, it all pretty much boils down to knowing who can do what and where they can do it—everything from access and monitoring to billing rides on this. Microsoft’s identity platform has evolved significantly, and as of late 2023, Azure Active Directory (Azure AD) has been rebranded as Microsoft Entra ID. You'll spot both names in Microsoft docs and exams, so I'll use both to keep everything crystal clear.

Note: Azure AD is now called Microsoft Entra ID. Documentation and exams may still reference Azure AD, but be aware of this change for future-proofing your knowledge.

Core Concepts: Entra ID (Azure AD) Architecture

Entra ID (Azure AD) is Microsoft’s cloud-based Identity and Access Management (IAM) service. It’s the authentication and authorization backbone for Azure, Microsoft 365, Dynamics, and thousands of SaaS applications.

  • Tenant: Your organization’s dedicated identity instance in Azure
  • Users & Groups: Identities for people, service accounts, and logical groupings for access management
  • Applications & Service Principals: Represent apps, APIs, or automation—allowing fine-grained permissions
  • Managed Identities: Special, managed service principals for Azure resources, simplifying secure service-to-service authentication
  • Devices: Registered endpoints (PCs, phones) that can be used for access decisions

In the Azure AD portal, you’ve got a neat overview of Users, Groups, Applications, and Devices—kind of like a control tower for managing identities and access all in one spot.

Cloud-Only, Hybrid, and Federated Identity Models

Azure supports multiple identity models to fit your organization’s needs:

  • Cloud-Only: All accounts are native to Entra ID; users authenticate directly to the cloud
  • Hybrid: On-premises Active Directory is synchronized with Entra ID using Azure AD Connect. This setup gives users the sweet convenience of Single Sign-On (SSO), whether they're at the office or chilling at home. You've got options like password hash sync and pass-through authentication at your disposal.
  • Federated: External identity providers (like AD FS, Okta, or Ping) vouch for users; Entra ID trusts their tokens. This setup shines for tricky SSO scenarios or when you’ve got compliance hurdles to jump over.

You'll often find these identity models in diagrams, mapping out the authentication journeys between your on-prem directories, cloud setups, and those external providers—illustrating how the user authentication paths vary.

Lab: Setting up Hybrid Identity

  1. Deploy a Windows Server VM and install the Azure AD Connect tool
  2. Choose Password Hash Sync or Pass-through Authentication during setup
  3. Monitor the sync status in Entra ID (Azure AD) portal under Azure AD Connect Health
  4. Troubleshoot sync errors by reviewing event logs and using the IdFix tool for directory remediation

Authentication vs. Authorization

Authentication = “Who are you?” (verifying identity)
Authorization = “What can you do?” (granting access to resources)

Entra ID covers both—but always remember: being authenticated does not mean being authorized to perform every action!

Multi-Factor Authentication (MFA) and Current Enforcement Strategy

MFA adds a crucial security layer by requiring a second proof (e.g., OTP, authenticator app, biometrics) before granting access. Microsoft now recommends enforcing MFA via Conditional Access policies rather than legacy per-user MFA settings.

  1. In the Azure portal, go to Microsoft Entra ID > Security > Conditional Access
  2. Create a new policy: Users: All users; Cloud apps: All; Conditions: Locations, Devices, etc.
  3. Grant: Require multi-factor authentication
  4. Exclude break-glass admin accounts as needed
  5. Enable and monitor the policy in Sign-in logs

A typical Conditional Access policy interface allows you to select users, applications, and conditions, and then enforce MFA as a requirement for access.

Exam Tip: Per-user MFA settings are legacy. Use Conditional Access for granular, scalable enforcement.

Lab: Block Legacy Authentication

  1. Create a Conditional Access policy targeting legacy authentication clients
  2. Set Grant: Block access
  3. Test with an IMAP/POP client—verify access is blocked

Conditional Access: Granular Access Policies

Conditional Access (CA) lets you enforce access rules based on:

  • User/group membership
  • Device compliance (Intune registered, Hybrid Azure AD joined, etc.)
  • Location (named locations, e.g., corporate IPs)
  • Sign-in risk (user risk, sign-in risk via Entra ID Identity Protection)
  • Client app, application, or session controls

Example: Require MFA for all users signing in from outside the corporate network, but allow password-only sign-in on-premises.

Figuring out Conditional Access Policies can sometimes feel like you're piecing together a tricky puzzle:

  • Use the What If tool to simulate sign-ins and policy effects before enforcing
  • Review Sign-in logs to analyze why access was granted or denied
  • Make sure that device compliance is being reported correctly if you’re working with conditions based on devices.
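To make the "most restrictive policy wins" behaviour concrete before you reach for the What If tool, here is a small Python simulator added for this guide (it is not Microsoft code and not the real What If tool). It models the two policies built in the labs above: require MFA when the sign-in comes from outside a named corporate location, with a break-glass exclusion, and block legacy client apps. The corporate IP range, user names and policy set are assumptions; the client app labels follow the names Entra uses, but treat them as illustrative.

```python
"""A tiny Conditional Access "What If" simulator (added example, not Microsoft code).

It models the behaviour the section describes: every enabled policy whose
assignments and conditions match a sign-in contributes its grant control, and the
most restrictive outcome wins (block > require MFA > allow). The corporate IP range,
user names and policy set below are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed "Corporate IPs" named location (TEST-NET-3 range, not a real network).
CORP_NETS = [ip_network("203.0.113.0/24")]

# Client app types use the Entra/Graph names; "exchangeActiveSync" and "other" are the legacy ones.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}


@dataclass(frozen=True)
class SignIn:
    user: str
    client_app: str   # "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"
    ip: str


@dataclass
class Policy:
    name: str
    grant: str                                          # "mfa" or "block"
    include_users: set = field(default_factory=lambda: {"All"})
    exclude_users: set = field(default_factory=set)     # break-glass accounts go here
    client_apps: Optional[set] = None                   # None = any client app
    location: str = "any"                               # "any" or "outside_corp"
    enabled: bool = True


def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def policy_applies(policy: Policy, signin: SignIn) -> bool:
    """Assignment and condition matching; an explicit exclusion always wins."""
    if signin.user in policy.exclude_users:
        return False
    if "All" not in policy.include_users and signin.user not in policy.include_users:
        return False
    if policy.client_apps is not None and signin.client_app not in policy.client_apps:
        return False
    if policy.location == "outside_corp" and is_corporate(signin.ip):
        return False
    return True


SEVERITY = {"allow": 0, "mfa": 1, "block": 2}


def evaluate(policies, signin):
    """Return (outcome, names of the policies that applied), like the What If report."""
    matched = [p for p in policies if p.enabled and policy_applies(p, signin)]
    outcome = "allow"
    for p in matched:
        if SEVERITY[p.grant] > SEVERITY[outcome]:
            outcome = p.grant
    return outcome, [p.name for p in matched]


# The two policies from the labs above, with the break-glass exclusion the MFA lab calls for.
POLICIES = [
    Policy("Require MFA outside corp", grant="mfa", location="outside_corp",
           exclude_users={"breakglass@contoso.example"}),
    Policy("Block legacy authentication", grant="block", client_apps=LEGACY_CLIENT_APPS),
]

if __name__ == "__main__":
    for s in [SignIn("alice@contoso.example", "browser", "198.51.100.7"),
              SignIn("alice@contoso.example", "browser", "203.0.113.10"),
              SignIn("alice@contoso.example", "other", "203.0.113.10"),   # IMAP/POP-style client
              SignIn("breakglass@contoso.example", "browser", "198.51.100.7")]:
        print(s.user, s.client_app, s.ip, "->", evaluate(POLICIES, s))
```

Note that the break-glass account is excluded only from the MFA policy; a legacy-protocol sign-in from it is still blocked, which is exactly the behaviour you want to confirm in the Sign-in logs after enabling the policy.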

Privileged Identity Management (PIM): Just-In-Time Access

Microsoft Entra Privileged Identity Management (PIM) helps you manage, control, and monitor privileged accounts by providing:

  • Just-in-time (JIT) activation for roles like Global Admin or Owner, so folks don't keep constant access they don't need.
  • Approval workflows for elevated access
  • Time-bound access assignments with automatic expiration
  • Audit and alerting for privileged operations

Lab: Enable PIM for Azure Subscription Owners

  1. Navigate to Microsoft Entra ID > Privileged Identity Management
  2. Select Azure resources > Manage resource access
  3. Assign eligible roles and configure approval settings
  4. Test role activation and review audit logs

Real-World Tip: Limit permanently assigned admin roles. Use PIM for all break-glass and high-privilege accounts.

Managed Identities and Service Principals

Managed identities provide secure, automated identity for Azure services (VMs, Functions, Logic Apps) to access other Azure resources (like Key Vault, Storage) without managing credentials.

Service principals are identities used by apps, automation, or external integrations. They're quite flexible, but you do need to keep an eye on them for key or certificate rotation and regular access reviews.

Comparison Table:

  Feature                | Managed Identity                      | Service Principal
  Credential Management  | Automatic (Azure-managed)             | Manual (rotate keys/certs)
  Scope                  | Azure resources                       | Apps/scripts, 3rd party tools
  Lifecycle              | Tied to resource                      | Manual; must be cleaned up
  Use Case               | VM to Key Vault, Function to Storage  | CI/CD pipelines, external apps

Lab: Enable Managed Identity for a VM

  1. Go to Virtual Machines > [Your VM] > Identity
  2. Enable System assigned managed identity
  3. To let your VM tap into a Key Vault, you’ll wanna give it access, which you can manage using Access Policies or RBAC.
  4. Try using Azure CLI or PowerShell to check if the resource access is doing what it should.

Access Management Protocols: OAuth2, SAML, OpenID Connect

Azure supports several authentication/authorization protocols:

  Protocol               | Use Case                 | Strengths                           | Limitations
  OAuth 2.0              | APIs, delegated access   | Modern, flexible, widely supported  | No built-in user authentication
  OpenID Connect (OIDC)  | Web/mobile SSO           | OAuth2 + user authentication        | Newer, not always supported by legacy apps
  SAML 2.0               | SSO for enterprise SaaS  | Legacy/enterprise compatibility     | XML-based, less flexible

Lab: Integrate Salesforce with Azure AD (SAML SSO)

  1. In Azure portal, go to Enterprise Applications > New application > Salesforce
  2. Follow the Salesforce guide to set up the SAML settings—stuff like the Identifier and Reply URL.
  3. Assign the users or groups, take the SSO for a test spin, and if it all goes sideways, dive into the SAML trace logs to sort it out.

Troubleshooting SSO: Common issues include mismatched claims, clock skew, or incorrect Reply URLs. Use Azure’s SSO error reports for diagnostics.
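The three failure causes above (mismatched claims, clock skew, wrong Reply URL) all show up as attribute mismatches inside the SAML response, so they are easy to check offline once you have a SAML trace. The Python below is an example added for this guide, not Azure's SSO diagnostics: it parses a constructed, unsigned SAML response and reports each mismatch against the SP settings from the lab (Identifier, Reply URL, required claims). The Salesforce-style URLs, tenant id and attribute names are placeholders, and signature verification is left out on purpose since in a real integration it happens before any of these checks.

```python
"""SAML response sanity checks for the SSO failures the section lists (added example,
not Azure's SSO diagnostics). It parses a constructed, unsigned SAML response and reports
the classic mismatches: wrong Reply URL (Destination/Recipient), wrong Identifier (Audience),
clock skew against the Conditions window, and missing claims. The Salesforce-style URLs,
tenant id and attribute names are placeholders.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def saml_time(value):
    """SAML instants are UTC with a trailing Z, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad SAML timestamp {value!r}")


def check_saml_response(xml_text, expected_acs, expected_audience, required_claims,
                        now, skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means the response matches the SP configuration."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected_acs:
        findings.append(f"Reply URL mismatch: Destination={root.get('Destination')!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion (missing or encrypted)"]
    conds = assertion.find("saml:Conditions", NS)
    not_before, not_on_or_after = saml_time(conds.get("NotBefore")), saml_time(conds.get("NotOnOrAfter"))
    if now < not_before - skew:        # SP clock behind the IdP by more than the tolerated skew
        findings.append(f"clock skew: assertion not valid before {not_before.isoformat()}, SP clock says {now.isoformat()}")
    if now >= not_on_or_after + skew:
        findings.append(f"assertion expired at {not_on_or_after.isoformat()}")
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Identifier mismatch: Audience={audiences}, expected {expected_audience!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") != expected_acs:
        findings.append(f"Reply URL mismatch: Recipient={scd.get('Recipient')!r}")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    findings += [f"missing claim {c}" for c in required_claims if c not in present]
    return findings


ACS = "https://contoso-dev-ed.example.my.salesforce.com/saml/acs"   # placeholder Reply URL
AUDIENCE = "https://saml.salesforce.example"                         # placeholder Identifier (Entity ID)
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ISSUED = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)            # IssueInstant used in the sample

# Constructed, unsigned response in the shape Entra ID emits; not a captured trace.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{ACS}">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z" Recipient="{ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo(offset_seconds=30, acs=ACS, audience=AUDIENCE, claims=(EMAIL_CLAIM,)):
    """Check the sample as the SP would, with its clock offset_seconds after IssueInstant."""
    return check_saml_response(SAMPLE_RESPONSE, acs, audience, list(claims),
                               ISSUED + timedelta(seconds=offset_seconds))


if __name__ == "__main__":
    print("healthy:", demo())
    print("SP clock 20 minutes behind:", demo(offset_seconds=-20 * 60))
    print("wrong Reply URL configured:", demo(acs="https://wrong.example/acs"))
```

The five-minute skew tolerance is a common SP default; if your traces show a sign-in failing only on some hosts, compare the NotBefore value against the failing host's clock before touching the Entra configuration.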

Identity Protection and B2B/B2C Scenarios

Microsoft Entra ID Identity Protection enables risk-based Conditional Access—automatically requiring MFA or blocking access when suspicious activity is detected.
B2B (Business-to-Business): Invite external users with their own identity (e.g., Gmail, Microsoft account) and manage their access via Entra ID.
B2C (Business-to-Consumer): Support sign-in for external customers to your apps, using social or local accounts.

Lab: Configure B2B Guest Access

  1. Go to Microsoft Entra ID > Users > New guest user
  2. Send invitation, assign RBAC role or group access
  3. Monitor guest access via Sign-in logs

Azure Governance Framework

Identity tells you who; governance tells you what, where, and how. Azure’s governance tools let you sort out your resources, control who gets in, keep rules enforced, and steer clear of any accidental or sneaky changes.

Management Hierarchy: Management Groups, Subscriptions, Resource Groups, Resources

Azure uses a hierarchical model for organizing and controlling resources:

  • Management Groups: Highest level, used for organizational units or departments
  • Subscriptions: Containers for billing, quotas, and access boundaries
  • Resource Groups: Logical groupings of resources for lifecycle management
  • Resources: Actual services—VMs, databases, storage, etc.

Think of the Azure governance hierarchy as a tree: top-level management groups hold the subscriptions, which hold the resource groups, and those nestle the resources. This whole setup lets policies and access controls trickle down the hierarchy, making things way easier to manage.

Quick Reference: Policies, RBAC, and management settings flow “down” the hierarchy. Scoping is critical!

Flowchart: Where Should I Apply Controls?

  • Organization-wide policy? Management Group
  • Project or cost center? Subscription
  • App lifecycle? Resource Group
  • Individual resource? Resource

Lab: Organize Resources with Management Groups

  1. Go to Management Groups in Azure portal
  2. Create a hierarchy (e.g., “Corp” → “Production” / “DevTest”)
  3. Assign subscriptions to groups and apply a policy at the group level

Role-Based Access Control (RBAC): Built-In and Custom Roles

RBAC enables fine-grained permission management. Assign built-in roles (Reader, Contributor, Owner) or custom roles (defined via JSON) to users, groups, managed identities, or service principals at any scope.

Classic administrators (Service Administrator, Co-Administrator) still exist for backward compatibility but should be phased out in favor of RBAC.

Lab: Create and Assign a Custom RBAC Role

  1. Go to Subscriptions > Access control (IAM) > Roles > + Add custom role
  2. Define allowed actions (e.g., "Microsoft.Storage/*/read")
  3. Assign to a group or managed identity at the resource group level

Troubleshooting: If access fails, check role assignment scope and inherited permissions. Use Access Review and Effective Permissions tools for diagnostics.

Exam Tip: The wider the scope (e.g., subscription), the more power the user gets—always apply least privilege!

Practice Question: If a user is assigned the Owner role at the Resource Group level, can they delete that group? Yes. Can they delete resources in other groups? No.

Azure Policy: Effects and Real-World Examples

Azure Policy enforces organizational standards and compliance by evaluating resources for compliance and taking action. Policy effects include:

  • Deny: Block non-compliant resources
  • Audit: Flag but allow non-compliant resources
  • Append: Add extra settings/tags to resources
  • Modify: Alter resource properties during deployment
  • DeployIfNotExists: Automatically deploy required resources (e.g., a monitoring agent)

Example: Require a Specific Tag

  {
    "if": {
      "field": "tags['environment']",
      "exists": "false"
    },
    "then": {
      "effect": "deny"
    }
  }

Note: For production, use Microsoft’s policy definitions from the official documentation, which provides sample policies for enforcing tags and other requirements.

Lab: Enforce Allowed Locations via Policy

  1. Go to Azure Policy > Definitions > + Policy definition
  2. Use the “Allowed locations” built-in policy
  3. Assign at subscription or management group level and test resource creation in different regions

Troubleshooting: If resources are not compliant, check assignment scope and policy evaluation status. Use the Compliance blade to see which resources are out of policy.
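The effects list reads differently once you see the same request run through Deny, Audit and Append side by side. The Python below is an evaluator added for this guide, not Azure's policy engine: it interprets the subset of the policy language used on this page (field conditions, allOf/anyOf/not, and the deny, audit and append effects), runs the tag rule shown above, and adds a simplified stand-in for the "Allowed locations" built-in with the parameter inlined and the b2c exception dropped. The sample resources are constructed.

```python
"""Minimal Azure Policy rule evaluator (added example, not Azure's policy engine).

It interprets the subset of the policy language this page uses: field conditions
(exists, equals, notEquals, in, notIn), allOf/anyOf/not, and the deny, audit and
append effects. The tag rule is the one shown above; the allowed-locations rule is a
simplified stand-in for the built-in; the sample resources are constructed.
"""
import copy
import re

TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")   # the alias form tags['name']


def read_field(resource, path):
    """Resolve a policy field alias against a resource dict -> (exists, value)."""
    m = TAG_FIELD.match(path)
    if m:
        tags = resource.get("tags") or {}
        return m.group(1) in tags, tags.get(m.group(1))
    return path in resource, resource.get(path)


def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    exists, value = read_field(resource, cond["field"])
    if "exists" in cond:                 # Azure accepts "false"/"true" strings as well as booleans
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def apply_policy(policy, resource):
    """Outcome of one policy for a create/update request -> (effect, resulting resource)."""
    if not matches(policy["if"], resource):
        return "compliant", resource
    effect = policy["then"]["effect"].lower()
    if effect == "deny":
        return "denied", None
    if effect == "audit":
        return "audited", resource          # request goes through, resource is marked non-compliant
    if effect == "append":
        patched = copy.deepcopy(resource)
        for d in policy["then"]["details"]:
            m = TAG_FIELD.match(d["field"])
            if m:
                patched.setdefault("tags", {})[m.group(1)] = d["value"]
            else:
                patched[d["field"]] = d["value"]
        return "appended", patched
    raise ValueError(f"unsupported effect: {effect}")


# Azure evaluates append/modify before deny, and deny before audit, so an appended
# tag can satisfy a later deny rule. Modeled here with a simple ordering.
ORDER = {"append": 0, "deny": 1, "audit": 2}


def evaluate_request(policies, resource):
    """Run every assigned policy against one request -> (decision, final resource, per-policy effects)."""
    outcomes, current = [], resource
    for pol in sorted(policies, key=lambda p: ORDER[p["then"]["effect"].lower()]):
        effect, current = apply_policy(pol, current)
        outcomes.append(effect)
        if effect == "denied":
            return "denied", None, outcomes
    return "allowed", current, outcomes


REQUIRE_ENV_TAG = {"if": {"field": "tags['environment']", "exists": "false"},
                   "then": {"effect": "deny"}}
AUDIT_ENV_TAG = {"if": {"field": "tags['environment']", "exists": "false"},
                 "then": {"effect": "audit"}}
APPEND_OWNER_TAG = {"if": {"field": "tags['owner']", "exists": "false"},
                    "then": {"effect": "append",
                             "details": [{"field": "tags['owner']", "value": "unassigned"}]}}
ALLOWED_LOCATIONS = {"if": {"allOf": [{"field": "location", "notIn": ["westeurope", "northeurope"]},
                                       {"field": "location", "notEquals": "global"}]},
                     "then": {"effect": "deny"}}

if __name__ == "__main__":
    vm = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
          "tags": {"environment": "prod"}}
    print(evaluate_request([REQUIRE_ENV_TAG, APPEND_OWNER_TAG, ALLOWED_LOCATIONS], vm))
    print(evaluate_request([REQUIRE_ENV_TAG], {"type": "Microsoft.Storage/storageAccounts",
                                                "location": "westeurope"}))
```

Swapping REQUIRE_ENV_TAG for AUDIT_ENV_TAG is the difference the exam likes to test: the same untagged resource is created either way, but only the Audit version leaves it visible as non-compliant in the Compliance blade.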

Azure Blueprints: Deprecated Feature Notice

Azure Blueprints allowed bundling of policies, role assignments, and ARM templates for rapid, compliant environment creation. But, as of 2023, Blueprints is being deprecated. Microsoft recommends using Azure Policy, Template Specs, and Infrastructure as Code (ARM, Bicep, Terraform) for standardized deployments going forward.

Migration Guidance: Review your use of Blueprints and plan to transition to policy-driven and IaC approaches. Microsoft's official documentation provides details on the Blueprints deprecation and guidance for migration.

Resource Locks: Your guardrails against accidental changes.

Resource Locks (CanNotDelete, ReadOnly) safeguard critical resources from accidental deletion or modification—even if the user is an Owner.

Lab: Apply a Delete Lock

  1. Go to Resource Groups > [Your RG] > Locks
  2. Add a CanNotDelete lock
  3. Attempt to delete the resource group—Azure will block the action

Troubleshooting: If you can’t delete or modify a resource, check for active locks in the portal.
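The RBAC section, its practice question (Owner at resource-group scope can delete that group but nothing in other groups) and the lock lab above all come down to one evaluation order: find the role assignments inherited down the hierarchy, check the action against Actions and NotActions, then apply locks. The Python below is an example added for this guide, not Azure's authorization service; it walks that order over a constructed Corp management group, one subscription, two resource groups and a storage account, with trimmed built-in role definitions plus the lab's custom read-only storage role.

```python
"""RBAC scope inheritance plus resource-lock check (added example, not Azure's authorization service).

Scopes follow the page's hierarchy (management group > subscription > resource group > resource);
a role assignment applies at its scope and everything beneath it. An action is allowed when some
inherited role lists it under Actions (Azure-style '*' wildcards) and no NotActions entry removes it.
Locks are checked afterwards, which is why CanNotDelete and ReadOnly stop even an Owner.
Role definitions are trimmed built-ins plus the lab's custom role; scopes and principals are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified role definitions (the real Contributor has a longer NotActions list).
ROLES = {
    "Owner":           {"actions": ["*"], "notActions": []},
    "Contributor":     {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write",
                                                       "Microsoft.Authorization/*/Delete"]},
    "Reader":          {"actions": ["*/read"], "notActions": []},
    "Storage Auditor": {"actions": ["Microsoft.Storage/*/read"], "notActions": []},  # custom role from the lab
}

MG_CORP = "/providers/Microsoft.Management/managementGroups/Corp"
SUB = "/subscriptions/sub-1"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_SHARED = SUB + "/resourceGroups/rg-shared"
ST_APP = RG_APP + "/providers/Microsoft.Storage/storageAccounts/stapp01"

# Child -> parent; this is the tree the section draws.
PARENT = {SUB: MG_CORP, RG_APP: SUB, RG_SHARED: SUB, ST_APP: RG_APP}


def scope_chain(scope):
    """The scope itself followed by each ancestor up to the root management group."""
    while scope:
        yield scope
        scope = PARENT.get(scope)


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def _match(pattern, action):
    return fnmatchcase(action.lower(), pattern.lower())   # RBAC action strings are case-insensitive


def role_permits(role_name, action):
    role = ROLES[role_name]
    return (any(_match(p, action) for p in role["actions"])
            and not any(_match(p, action) for p in role["notActions"]))


def effective_roles(principal, scope, assignments):
    chain = set(scope_chain(scope))
    return [a.role for a in assignments if a.principal == principal and a.scope in chain]


def is_authorized(principal, action, scope, assignments, locks=()):
    """(allowed, reason) for a control-plane action. locks: iterable of (scope, 'CanNotDelete'|'ReadOnly')."""
    roles = effective_roles(principal, scope, assignments)
    if not any(role_permits(r, action) for r in roles):
        return False, f"no role assignment at {scope} or above grants {action}"
    lowered = action.lower()
    for lock_scope, level in locks:
        if lock_scope not in scope_chain(scope):
            continue                       # locks inherit downward too
        if level == "ReadOnly" and not lowered.endswith("/read"):
            return False, f"ReadOnly lock at {lock_scope}"
        if level == "CanNotDelete" and lowered.endswith("/delete"):
            return False, f"CanNotDelete lock at {lock_scope}"
    return True, "granted via " + ", ".join(sorted(set(roles)))


ASSIGNMENTS = [
    Assignment("alice@contoso.example", "Owner", RG_APP),
    Assignment("bob@contoso.example", "Storage Auditor", SUB),
    Assignment("carol@contoso.example", "Reader", MG_CORP),
]
DELETE_RG = "Microsoft.Resources/subscriptions/resourceGroups/delete"

if __name__ == "__main__":
    print(is_authorized("alice@contoso.example", DELETE_RG, RG_APP, ASSIGNMENTS))
    print(is_authorized("alice@contoso.example", DELETE_RG, RG_SHARED, ASSIGNMENTS))
    print(is_authorized("alice@contoso.example", DELETE_RG, RG_APP, ASSIGNMENTS,
                        locks=[(RG_APP, "CanNotDelete")]))
```

The reason string is the part to keep in mind when troubleshooting: a denial with "no role assignment" points you at scope and inheritance, while a denial naming a lock means RBAC was fine and someone has to remove the lock first.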

Azure Lighthouse: Cross-Tenant Management

Azure Lighthouse allows service providers and large organizations to manage resources across multiple tenants securely, with delegated access and governance controls.

Use Case: Managed Service Providers (MSPs) can administer customer environments without creating shadow admin accounts.

Cost Management, Billing, and Privacy

Azure’s Cost Management + Billing integrates with RBAC and policy to manage spending and control access to billing data. Only authorized users (e.g., Billing Reader, Cost Management Contributor) can access sensitive billing information, supporting privacy and compliance requirements.

Privacy Note: Billing data may contain identifiable information. Configure access thoughtfully to avoid exposure.

Privacy and Compliance in Azure

Regulatory compliance isn’t just about passing audits—it’s about protecting data, enabling trust, and mapping cloud controls to legal requirements. Azure provides deep, auditable privacy and compliance features.

Shared Responsibility Model

Security and compliance in the cloud are a shared responsibility:

  • Microsoft: Physical security, hypervisor, core services, platform patching
  • Customer: Data classification, access control, encryption configuration, application security

  Layer  | Microsoft Responsibility                 | Customer Responsibility
  IaaS   | Physical, host OS, storage, networking   | VM OS, applications, data, access
  PaaS   | Platform, managed runtime, scaling       | App code, data, user access
  SaaS   | Everything (infrastructure, app)         | User data, identity, device

Case Study: For an IaaS workload (VMs), Microsoft secures the hypervisor, but you must patch the guest OS and configure encryption.

Microsoft Trust Center and Compliance Manager

The Microsoft Trust Center is your hub for security, privacy, and compliance documentation, including audit reports and data privacy statements.

Compliance Manager in Microsoft Purview provides:

  • Compliance Score: Your alignment with frameworks (GDPR, HIPAA, ISO 27001)
  • Assessment management: Map controls to Azure resources, track progress
  • Detailed implementation guidance: Remediation steps, documentation links

A Compliance Manager dashboard typically displays compliance score, recommended actions, and assessment progress, helping organizations track and improve their regulatory posture.

Lab: GDPR Assessment Walkthrough

  1. Go to Microsoft Purview > Compliance Manager
  2. Select GDPR assessment
  3. Review pending actions (e.g., enable encryption, configure DSR process)
  4. Mark controls as implemented, attach evidence, export compliance reports for auditors

Troubleshooting: If compliance score drops, review failed controls, check for missing resource assignments, and verify Azure Policy deployment.

Data Residency, Sovereignty, and Privacy Controls

Azure lets you choose data residency (selecting the region where data is stored) and provides transparency on data sovereignty (who can access your data and under what circumstances).

  • Example: For GDPR, keep EU customer data in EU regions.
  • Privacy Notices: Available for every Azure service in the Trust Center.

Data Subject Requests (DSR) and Regulatory Response

Azure services enable you to respond to Data Subject Requests (right to access, erase, or correct data) under regulations like GDPR.

  • Use Azure Portal, PowerShell, or REST APIs to export, delete, or update user data
  • Microsoft's official documentation provides service-specific instructions for GDPR DSR processes.

Security Baselines and CIS Benchmarks

Azure offers Security Baselines and supports CIS Benchmarks—predefined sets of controls mapped to regulatory frameworks and best practices.

  • Baseline policies are available as Azure Policy initiative definitions
  • Monitor compliance with baselines via Defender for Cloud and Compliance Manager

Data Protection: Encryption and DLP

Encryption: Azure encrypts data at rest and in transit for most core services by default. For sensitive workloads, enable customer-managed keys (CMK) using Azure Key Vault and configure double encryption where required.
Note: Some legacy or niche Azure services require explicit configuration for encryption at rest—always verify service documentation.

Lab: Enable Customer-Managed Key Encryption for Azure SQL

  1. Create an Azure Key Vault and generate a key
  2. Assign proper access policy to your SQL Server’s managed identity
  3. Configure Transparent Data Encryption (TDE) with the CMK in the Azure SQL settings
  4. Validate encryption status and key rotation process

Data Loss Prevention (DLP): For Azure data sources, DLP is primarily managed through Microsoft Purview (formerly Azure Information Protection). Create DLP policies to monitor, classify, and prevent leakage of sensitive info (e.g., credit cards, PHI) across Azure Storage, SQL, and 365 workloads.

Exporting and Auditing Compliance Reports

Use Compliance Manager to export evidence of compliance for auditors. Azure Activity Logs and Diagnostic Logs provide auditable records of user and system activity.

Lab: Export Audit Logs

  1. Go to Azure Monitor > Activity Log
  2. Filter by timeframe, user, or resource
  3. Download logs in CSV or send to Log Analytics for further analysis
  4. Automate log export to SIEM tools like Microsoft Sentinel for centralized compliance monitoring
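Once Activity Log records are flowing to Log Analytics or a CSV export, the governance events worth watching are the ones the Finance case study later in this guide describes: privileged role assignments appearing at broad scope, and the root elevate-access operation. The Python below is a triage example added for this guide, not a Microsoft or Sentinel rule; the records are constructed to follow the Activity Log JSON shape (operationName, caller, status, resourceId, properties.requestbody), so verify the field names against your own export before reusing it. The role definition GUIDs are the well-known built-in IDs; the subscription id, callers and assignment ids are placeholders.

```python
"""Triage of exported Activity Log records (added example; the records below are
constructed to follow the Activity Log JSON shape, not taken from a real export).

Flags two governance events: privileged role assignments created at subscription or
management-group scope by a caller outside an approved automation list, and any use
of the root elevate-access operation. Role definition GUIDs are the well-known
built-in IDs; the subscription id, callers and assignment ids are placeholders.
"""
import json
import re

PRIVILEGED_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
APPROVED_AUTOMATION = {"sp-iac-pipeline@contoso.example"}      # constructed allow list
BROAD_SCOPE = re.compile(r"^(/providers/Microsoft\.Management/managementGroups/[^/]+|/subscriptions/[^/]+)$", re.I)
ROLE_ASSIGNMENT_SUFFIX = re.compile(r"/providers/Microsoft\.Authorization/roleAssignments/[^/]+$", re.I)


def role_id_from_request(record):
    """The PUT body travels as a JSON string in properties.requestbody; pull the role definition GUID."""
    body = record.get("properties", {}).get("requestbody")
    if not body:
        return None
    try:
        props = json.loads(body).get("Properties") or {}
    except (json.JSONDecodeError, AttributeError):
        return None
    return props.get("RoleDefinitionId", "").rsplit("/", 1)[-1].lower() or None


def assignment_scope(resource_id):
    """A role assignment's resourceId is <scope>/providers/Microsoft.Authorization/roleAssignments/<id>."""
    return ROLE_ASSIGNMENT_SUFFIX.sub("", resource_id)


def triage(records):
    alerts = []
    for r in records:
        if r.get("status", {}).get("value") != "Succeeded":
            continue                 # only effective changes here; failed attempts deserve a separate hunt
        op = r["operationName"]["value"].lower()
        if op == "microsoft.authorization/elevateaccess/action":
            alerts.append({"severity": "critical", "caller": r["caller"],
                           "time": r["eventTimestamp"], "reason": "root-scope elevate access used"})
            continue
        if op != "microsoft.authorization/roleassignments/write":
            continue
        role = PRIVILEGED_ROLE_IDS.get(role_id_from_request(r))
        scope = assignment_scope(r["resourceId"])
        if role and BROAD_SCOPE.match(scope) and r["caller"] not in APPROVED_AUTOMATION:
            alerts.append({"severity": "high", "caller": r["caller"], "time": r["eventTimestamp"],
                           "reason": f"{role} assigned at broad scope {scope}"})
    return alerts


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"          # placeholder subscription id


def _assignment(caller, role_id, scope, status="Succeeded", ts="2024-05-01T10:00:00Z"):
    """Build one constructed roleAssignments/write record."""
    return {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
            "caller": caller, "status": {"value": status}, "eventTimestamp": ts,
            "resourceId": f"{scope}/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
            "properties": {"requestbody": json.dumps({"Properties": {
                "RoleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
                "PrincipalId": "22222222-2222-2222-2222-222222222222"}})}}


SAMPLE_RECORDS = [
    _assignment("alice@contoso.example", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB),             # flagged
    _assignment("sp-iac-pipeline@contoso.example", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB),   # approved
    _assignment("bob@contoso.example", "acdd72a7-3385-48ef-bd42-f606fba81ae7", SUB + "/resourceGroups/rg-app"),   # Reader
    _assignment("dave@contoso.example", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB + "/resourceGroups/rg-app"),  # narrow scope
    _assignment("eve@contoso.example", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB, status="Failed"),
    {"operationName": {"value": "Microsoft.Authorization/elevateAccess/action"}, "caller": "carol@contoso.example",
     "status": {"value": "Succeeded"}, "eventTimestamp": "2024-05-01T10:05:00Z", "resourceId": "/"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```

The allow list is what keeps this rule quiet in an environment where a pipeline legitimately assigns roles; if you adopt PIM for Owner as the guide recommends, any high-severity hit from a human caller is by definition a bypass worth an incident ticket.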

Security Features and Monitoring Tools

Security in Azure is more than passwords and firewalls—it’s about visibility, proactive defense, and orchestration of response.

Microsoft Defender for Cloud (formerly Security Center)

Defender for Cloud provides:

  • Cloud Security Posture Management (CSPM): surface misconfigurations and recommend fixes
  • Threat Protection: real-time detection of attacks (e.g., brute-force, malware, suspicious activity)
  • Security recommendations and benchmarks (e.g., CIS, PCI DSS, Azure Baseline)
  • Integration with automation (Logic Apps) for rapid response
  • Support for Azure, AWS, GCP, and on-premises workloads

Plans: Free (basic recommendations and CSPM) vs. Standard (threat protection, advanced integrations, regulatory compliance management)

Lab: Responding to a Security Alert

  1. Go to Defender for Cloud > Security alerts
  2. Select an alert (e.g., “VM with exposed RDP port”)
  3. Review alert details, severity, and recommended actions
  4. Remediate (close port with NSG, patch OS, update policies)
  5. Document actions for compliance/audit purposes

A Defender for Cloud alert detail typically displays the affected resource, risk level, and recommended remediation steps, providing actionable insights for security teams.

Exam Tip: Defender for Cloud integrates with Azure Policy and RBAC. Only permitted users can dismiss alerts or trigger automation.

Azure Monitor: Logging, Alerts, and SIEM Integration

Azure Monitor is the core platform for:

  • Activity Logs: All management-plane events (who changed what, when)
  • Diagnostic Logs: Resource-specific logs (e.g., network traffic, authentication attempts)
  • Metrics and Alerts: Proactive notification of suspicious or non-compliant activity
  • Integration with Microsoft Sentinel (SIEM) or third-party SIEMs (Splunk, QRadar) via Event Hubs, Logic Apps, or REST APIs

Lab: Forward Activity Logs to Sentinel

  1. Go to Azure Monitor > Diagnostic settings
  2. Select target logs and send to a Log Analytics workspace
  3. Connect Log Analytics to Microsoft Sentinel for advanced correlation rules and incident response workflows

Network Security: NSGs, Firewalls, and VNet Security

Network Security Groups (NSGs) control inbound/outbound traffic at the subnet or NIC level.
Azure Firewall and Web Application Firewall (WAF) provide centralized, managed protection for complex workloads. Always combine identity controls with strong perimeter security!

Lab: Apply NSG Rules for Best Practice Security

  1. Go to Virtual Networks > Subnets > NSG
  2. Add rules to allow traffic only from trusted IPs for admin ports (e.g., RDP, SSH)
  3. Verify traffic flow with Azure Network Watcher

Best Practices, Troubleshooting, and Real-World Scenarios

Experience teaches that most incidents stem from weak governance or identity shortcuts (“just give temp access” or “skip policy for now”). Here are proven strategies, troubleshooting guides, and case studies.

Principle of Least Privilege and Access Reviews

Always assign the minimum required permissions. Use RBAC with groups, and regularly perform Access Reviews to remove stale access.

Lab: Perform an Access Review

  1. Go to Microsoft Entra ID > Identity Governance > Access reviews
  2. Create a new review for a sensitive role/group
  3. Review results and remediate as needed

Governance at Scale: Automation and Policy as Code

For large environments, automate RBAC assignments using Azure AD groups and automate policy deployment via Azure DevOps/GitHub Actions (Policy as Code).

Optimization Tips:

  • Use dynamic groups for automatic access assignment/removal
  • Version and review policies in source control
  • Automate compliance checks with Logic Apps and Azure Monitor Alerts

Case Studies and Scenarios

  • Healthcare (HIPAA): Used policy initiatives to require encryption, logging, and RBAC. Compliance Manager tracked controls, Defender for Cloud flagged open ports. Auditor review was streamlined via exported reports and policy compliance evidence.
  • Finance (SOX): Implemented PIM for privileged users, blocked legacy authentication, and enforced tagging for cost tracking. Detected and remediated an unauthorized role escalation using Activity Log and Sentinel integration.
  • Troubleshooting Scenario: User cannot access a storage account. Steps: (1) Check RBAC on resource group; (2) Verify Azure Policy isn’t denying the request; (3) Look for resource locks; (4) Review Activity Log for recent changes.

Troubleshooting Checklists

  • Conditional Access: Use the “What If” tool, check policy assignments, verify user/device state, check sign-in logs.
  • Policy Compliance: Confirm assignment scope, wait for evaluation, check for “Audit” vs. “Deny” effects, review remediation tasks.
  • Managed Identities: Ensure identity is enabled, correct RBAC assigned, and resource can reach target service.
  • SIEM Integration: Validate log pipeline (Diagnostic Settings → Log Analytics → Sentinel/Splunk), check for dropped events.

Performance & Optimization Tips

  • Use nested Azure AD groups for scalable RBAC
  • Policy initiatives group related policies together for simplified assignment and compliance tracking
  • Audit role assignments and resource locks regularly to avoid privilege creep

Exam Quick Review & Memory Aids

  • Hierarchy: Management Group > Subscription > Resource Group > Resource (MSGR mnemonic)
  • Authentication vs. Authorization: Prove who you are vs. what you can do
  • Conditional Access: Always use for MFA and legacy auth blocking
  • PIM: Just-in-time admin access, never assign permanent Global Admin
  • Resource Locks: CanNotDelete and ReadOnly safeguard critical assets

Practice Question: What Azure tool do you use to automate security posture management and threat detection across multi-cloud resources?
Answer: Microsoft Defender for Cloud

Summary & Next Steps

You’ve now covered the essential topics for Azure identity, governance, privacy, and compliance, mapped directly to the AZ-900 exam domains—and you’re ready for hands-on implementation in production.

  • Identity: Entra ID (Azure AD), MFA, Conditional Access, PIM, managed identities, service principals
  • Governance: RBAC, Policy (with effects), management hierarchy, resource locks, Lighthouse, Blueprints (deprecated)
  • Privacy & Compliance: Shared responsibility, Trust Center, Compliance Manager, DSR, security baselines
  • Security: Defender for Cloud, Monitor, Sentinel, NSGs, firewalls, DLP (via Purview), encryption

Continue your journey by:

  • Exploring the Azure portal and configuring policies in a sandbox environment
  • Assigning (and removing) RBAC roles, testing Conditional Access, and simulating security incidents
  • Exporting compliance and activity logs for review
  • Practicing case studies and troubleshooting scenarios
  • Reviewing Microsoft docs for the latest updates (especially on Entra ID and Blueprints deprecation)

Remember—cloud security and compliance are living processes. Stay curious, experiment, and don’t be afraid to ask questions or engage the Azure community. Best of luck on your AZ-900 exam and your real-world Azure adventure!

Appendix: Practice Questions and Exam Preparation

  1. Which Azure identity security feature enables just-in-time admin access?
    a) Conditional Access
    b) Privileged Identity Management (PIM)
    c) Resource Locks
    d) Azure Policy
    Answer: b) Privileged Identity Management (PIM)
  2. What is the recommended method for enforcing MFA in Azure?
    a) Per-user MFA settings
    b) Conditional Access policy
    c) Enabling MFA through PowerShell only
    d) Using Azure Blueprints
    Answer: b) Conditional Access policy
  3. How can you prevent accidental deletion of a critical resource group?
    a) Assign Reader role
    b) Apply a CanNotDelete resource lock
    c) Use Azure Policy with Audit effect
    d) Remove all role assignments
    Answer: b) Apply a CanNotDelete resource lock
  4. Which Azure tool provides regulatory compliance scorecards and control mappings?
    a) Azure Monitor
    b) Microsoft Defender for Cloud
    c) Compliance Manager
    d) Azure Policy
    Answer: c) Compliance Manager
  5. Which protocol is best for modern web SSO with Azure AD?
    a) SAML
    b) OAuth 2.0
    c) OpenID Connect
    d) LDAP
    Answer: c) OpenID Connect

Exam Day Tips:

  • Read each question carefully—watch for scope (user, group, resource) and effect (Deny vs. Audit)
  • Remember recent terminology changes (Azure AD → Entra ID, Security Center → Defender for Cloud)
  • If in doubt, choose the option that aligns with least privilege and automation