2.13 Azure Security Services
Key Takeaways
- Microsoft Defender for Cloud delivers Cloud Security Posture Management (Secure Score, recommendations, compliance) and Cloud Workload Protection across Azure, on-premises, AWS, and GCP.
- Azure Firewall is a managed, stateful, Layer 3-7 network firewall (FQDN filtering, threat intelligence) with a 99.95% SLA; NSGs are free Layer 3/4 packet filters at the subnet or NIC level.
- Azure DDoS Protection (Network Protection and IP Protection tiers) provides always-on monitoring and automatic mitigation of volumetric attacks.
- Azure Key Vault centralizes secrets, keys, and certificates; the Premium tier and Managed HSM use FIPS 140-3 Level 3 validated hardware security modules.
- Microsoft Sentinel is a cloud-native SIEM + SOAR that collects, detects, investigates, and automates response with playbooks built on Logic Apps.
Quick Answer: Match the service to the job: Defender for Cloud = posture + threat protection (Secure Score). Azure Firewall = managed Layer 3-7 network firewall. NSG = free Layer 3/4 packet filter. DDoS Protection = anti-DDoS. Key Vault = secrets, keys, certificates. Microsoft Sentinel = SIEM + SOAR.
AZ-900 rarely asks for deep configuration; it asks which service solves this scenario. The skill below is pattern-matching keywords to services.
Microsoft Defender for Cloud
Microsoft Defender for Cloud is the central security-management service and does two distinct jobs:
1. Cloud Security Posture Management (CSPM) — foundational CSPM, free for every subscription
- Secure Score — a single percentage (0-100%) summarizing how securely your environment is configured; higher is better.
- Security recommendations — prioritized, actionable fixes (e.g., "enable disk encryption").
- Regulatory compliance — a dashboard that maps your resources to standards. The free tier ships with the Microsoft cloud security benchmark; PCI DSS, HIPAA, ISO 27001 and other standards are added once a paid Defender plan is enabled.
- Multicloud — assesses Azure, AWS, and GCP from one console.
2. Cloud Workload Protection (CWP) — paid Defender plans
- Threat detection alerts for VMs, containers, SQL, storage, and Key Vault.
- Vulnerability assessment scanning.
- Just-in-time (JIT) VM access — keeps management ports (RDP 3389, SSH 22) closed in the NSG or Azure Firewall and opens them only for an approved requester's source IP, for a limited time, after which the rule is removed again.
On the Exam: "A single number showing overall security posture" = Secure Score in Defender for Cloud.
Azure Firewall vs. Network Security Groups
Both filter traffic, but they operate very differently — a heavily tested comparison:
| Feature | Network Security Group (NSG) | Azure Firewall |
|---|---|---|
| OSI layers | 3/4 (network/transport) | 3/4/7 (adds application) |
| Scope | Subnet or NIC | Central: deployed in its own AzureFirewallSubnet (usually in a hub VNet), with spoke traffic routed to it via user-defined routes |
| FQDN filtering | No | Yes (e.g., allow only *.microsoft.com) |
| Threat intelligence | No | Yes (block known-malicious IPs/domains) |
| State | Stateful (basic 5-tuple rules) | Fully stateful, with DNAT/SNAT |
| Cost | Free | Hourly + data-processing charges |
| SLA | n/a | 99.95% (99.99% when deployed across two or more availability zones) with built-in high availability |
On the Exam: If the scenario needs FQDN filtering, threat intelligence, or centralized VNet-wide control, choose Azure Firewall. For simple, free, per-subnet IP/port rules, choose an NSG.
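The table above and the JIT bullet in the Defender for Cloud section describe the same mechanism from two sides: an NSG only ever sees the 5-tuple of a flow, while an Azure Firewall application rule sees the requested hostname. The following Python model, added here as an illustration and not Microsoft code, reproduces the documented NSG evaluation order (custom rules 100-4096 by ascending priority, first match wins, then the default inbound rules), shows JIT as a time-bound Allow rule for one /32, and contrasts it with FQDN matching. The `Rule` shape, helper names, the two-entry service-tag table and the `DEMO_NOW` clock are this example's own simplifications.

```python
"""NSG flow evaluation, a JIT rule with an expiry, and an FQDN application rule.

Added illustration, not Microsoft code: rule shapes, service-tag contents and
helper names are simplified assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    priority: int                        # lower number wins; 65000+ are platform defaults
    access: str                          # "Allow" or "Deny"
    protocol: str = "*"                  # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"                    # CIDR, "*" (any) or a service-tag name
    dest_port: str = "*"                 # "443", "3000-3999" or "*"
    expires: Optional[datetime] = None   # only JIT rules carry an expiry


# Constructed stand-ins for service tags; the real tags are long, changing IP lists.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# The default inbound rules every NSG carries; they cannot be deleted, only overridden.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", source="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]

# Constructed clock so the JIT window is reproducible.
DEMO_NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(hours=3)


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    nets = SERVICE_TAGS.get(rule_source, [rule_source])
    return any(ip_address(src_ip) in ip_network(n) for n in nets)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate_inbound(rules, src_ip, dst_port, proto="Tcp", now=None):
    """Return (access, rule_name) for an inbound flow, NSG-style.

    Only the 5-tuple is visible: an NSG never sees a hostname, which is why it
    cannot express "allow only *.microsoft.com".
    """
    now = now or datetime.now(timezone.utc)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.expires is not None and now >= r.expires:
            continue                      # JIT window closed: the rule is gone
        if r.protocol not in ("*", proto):
            continue
        if not _source_matches(r.source, src_ip):
            continue
        if not _port_matches(r.dest_port, dst_port):
            continue
        return r.access, r.name
    return "Deny", "DenyAllInBound"       # not reached: DenyAllInBound matches everything


def jit_request(rules, requester_ip, port, hours, now):
    """What JIT VM access does under the hood: insert a high-priority Allow for
    the approved requester's /32 only, with an expiry after which the port is
    closed again. Returns a new rule list; the original is left untouched."""
    rule = Rule(f"JIT-{port}-{requester_ip}", 100, "Allow", "Tcp",
                f"{requester_ip}/32", str(port), expires=now + timedelta(hours=hours))
    return rules + [rule]


def firewall_app_rule_allows(allowed_fqdns, requested_fqdn):
    """Azure Firewall application rule: matched on the name the client asked for
    (HTTP Host header or TLS SNI), not on whatever IP it resolves to today."""
    name = requested_fqdn.lower().rstrip(".")
    return any(fnmatch(name, pattern.lower()) for pattern in allowed_fqdns)


if __name__ == "__main__":
    custom = [Rule("AllowHTTPS", 200, "Allow", "Tcp", "*", "443")]
    print(evaluate_inbound(custom, "203.0.113.5", 443))                    # ('Allow', 'AllowHTTPS')
    print(evaluate_inbound(custom, "203.0.113.5", 3389))                   # ('Deny', 'DenyAllInBound')
    opened = jit_request(custom, "203.0.113.5", 3389, 3, DEMO_NOW)
    print(evaluate_inbound(opened, "203.0.113.5", 3389, now=DEMO_NOW))     # ('Allow', 'JIT-3389-203.0.113.5')
    print(evaluate_inbound(opened, "203.0.113.5", 3389, now=DEMO_LATER))   # ('Deny', 'DenyAllInBound')
    print(firewall_app_rule_allows(["*.microsoft.com"], "learn.microsoft.com"))  # True
```

Two things to notice: the JIT rule is nothing exotic, just an ordinary Allow with a short life and a single-address source, which is why JIT needs an NSG or Azure Firewall in front of the VM; and the FQDN check has no IP in it at all, which is the capability an NSG structurally lacks.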
Azure DDoS Protection
Azure DDoS Protection defends against volumetric Distributed Denial of Service attacks. Platform-level infrastructure protection (formerly called DDoS Protection Basic) is always on for every Azure public IP at no cost; the paid tiers add tuning, telemetry, and support:
| Tier | What it adds | Pricing model |
|---|---|---|
| DDoS Network Protection | Adaptive tuning, attack metrics/alerts, cost-protection credits, DDoS rapid-response team, WAF discount | Monthly fee per protection plan; a plan covers up to 100 public IP resources across subscriptions in the same tenant |
| DDoS IP Protection | Same core mitigation and telemetry, scoped to individual public IPs; no rapid-response team or cost-protection credits | Per-protected-IP fee |
Capabilities: always-on monitoring, automatic mitigation (attack traffic is scrubbed before reaching your app), adaptive tuning to your normal traffic baseline, and detailed attack analytics.
Azure Key Vault
Azure Key Vault centralizes three kinds of secret material so they never live in code or config files:
| Object | Examples |
|---|---|
| Secrets | Connection strings, API keys, passwords |
| Keys | RSA/EC keys for encrypt/decrypt/sign/verify; the key material stays inside the vault and the operation is performed there |
| Certificates | TLS/SSL certificates with auto-renewal |
Tiers and hardware backing:
| Tier | HSM backing |
|---|---|
| Standard | Software-protected keys |
| Premium | Hardware Security Module (HSM) keys; the current HSM platform is FIPS 140-3 Level 3 validated (older platform was FIPS 140-2 Level 2) |
| Managed HSM | Single-tenant, fully managed FIPS 140-3 Level 3 HSM pool |
Access is governed by Azure RBAC (or legacy access policies), and every data-plane operation is recorded for auditing once diagnostic logging is turned on. Key Vault integrates with App Service, Functions, VMs, and managed identities so apps authenticate with their identity and fetch secrets at runtime instead of storing them.
On the Exam: "Store and centrally manage secrets, encryption keys, or certificates securely" = Azure Key Vault. Never hardcode secrets in source code.
Microsoft Sentinel
Microsoft Sentinel is the cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) service. Its four-step lifecycle:
| Step | What it does |
|---|---|
| Collect | Ingests logs from Azure, on-premises, other clouds, and Microsoft 365 |
| Detect | Surfaces threats using analytics rules, AI, and Microsoft threat intelligence |
| Investigate | Correlates alerts into incidents and supports threat hunting |
| Respond | Runs automated playbooks (built on Azure Logic Apps) to remediate |
Because it is cloud-native, there are no servers to deploy — a contrast the exam likes versus legacy on-premises SIEMs.
On the Exam: "Collect security data org-wide, detect threats with AI, and automate response" = Microsoft Sentinel (SIEM + SOAR).
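The Detect and Respond steps above are easiest to picture as a concrete rule. The following Python, added here as an illustration and not Microsoft code or a shipped Sentinel rule, runs a brute-force sign-in detection of the kind a scheduled analytics rule expresses over constructed events, groups the hits into an incident with its entities, and maps the incident severity to playbook actions the way an automation rule would. The event records are made up and only loosely follow SigninLogs column names; the threshold, window, severity and action choices are this example's own.

```python
"""Brute-force sign-in detection in the shape of a Sentinel scheduled rule,
followed by the playbook mapping a SOAR automation rule would apply.

Added illustration, not Microsoft code. Events, thresholds and actions are
constructed assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events (not real data). "result" mirrors
# SigninLogs.ResultType, where "0" is success and anything else a failure.
EVENTS = [
    {"t": "2024-05-01T10:00:05Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "result": "50126"},
    {"t": "2024-05-01T10:00:20Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "result": "50126"},
    {"t": "2024-05-01T10:00:41Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "result": "50126"},
    {"t": "2024-05-01T10:01:03Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "result": "50126"},
    {"t": "2024-05-01T10:01:30Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "result": "50126"},
    {"t": "2024-05-01T10:02:00Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "result": "0"},
    {"t": "2024-05-01T10:02:30Z", "user": "bob@contoso.example",   "ip": "203.0.113.9",  "result": "50126"},
    {"t": "2024-05-01T10:02:45Z", "user": "bob@contoso.example",   "ip": "203.0.113.9",  "result": "0"},
    {"t": "2024-05-01T11:30:00Z", "user": "alice@contoso.example", "ip": "192.0.2.44",   "result": "50126"},
]

# Roughly the KQL a scheduled rule would run over SigninLogs (illustrative, not a shipped rule):
#   SigninLogs
#   | where ResultType != "0"
#   | summarize Failures = count(), FirstSeen = min(TimeGenerated),
#               LastSeen = max(TimeGenerated) by UserPrincipalName, IPAddress
#   | where Failures >= 5


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_bruteforce(events, threshold=5, window_minutes=10):
    """Return one incident per (account, IP) pair that logged `threshold` or
    more failures inside a sliding window; a later success from the same IP
    raises the severity, since that is a likely compromise, not just noise."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["ip"])].append((parse_ts(e["t"]), e["result"] == "0"))

    incidents = []
    for (user, ip), rows in groups.items():
        rows.sort()
        failures = [t for t, ok in rows if not ok]
        for i, start in enumerate(failures):
            burst = [t for t in failures[i:] if (t - start).total_seconds() <= window_minutes * 60]
            if len(burst) < threshold:
                continue
            followed_by_success = any(ok and t > burst[-1] for t, ok in rows)
            incidents.append({
                "title": f"Brute force against {user} from {ip}",
                "severity": "High" if followed_by_success else "Medium",
                "entities": {"Account": user, "IP": ip},   # entities drive investigation graphs
                "failures": len(burst),
                "first_seen": start.isoformat(),
                "last_seen": burst[-1].isoformat(),
            })
            break  # one incident per pair, like alert-to-incident grouping
    return incidents


def playbook_actions(incident):
    """The Respond step: what an automation rule would hand to a Logic Apps
    playbook. Action names are this example's own labels."""
    actions = ["notify-soc"]
    if incident["severity"] == "High":
        actions += ["block-ip-on-firewall", "revoke-sessions-and-reset-password"]
    return actions


if __name__ == "__main__":
    for inc in detect_bruteforce(EVENTS):
        print(inc["title"], inc["severity"], playbook_actions(inc))
```

Note what the sliding window buys: Alice's later single failure from 192.0.2.44 and Bob's one typo never reach the threshold, so the rule produces exactly one incident rather than an alert per failed attempt.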
Service-Matching Cheat Sheet
Because AZ-900 tests recognition rather than configuration, train yourself on the keyword-to-service mapping below. Most security questions in the exam can be answered in seconds once these triggers are memorized:
| Scenario keyword | Correct service |
|---|---|
| Secure Score, posture, recommendations, compliance | Microsoft Defender for Cloud |
| FQDN filtering, central VNet firewall, threat intelligence | Azure Firewall |
| Free Layer 3/4 subnet/NIC traffic rules | Network Security Group (NSG) |
| Mitigate volumetric flood attacks | Azure DDoS Protection |
| Store secrets, keys, certificates | Azure Key Vault |
| Org-wide SIEM + SOAR, playbook automation | Microsoft Sentinel |
| Open VM ports only on demand | JIT VM access (Defender for Cloud) |
Common Traps
- NSG vs. Azure Firewall: an NSG is free and per-subnet; Azure Firewall is a billed, centralized, application-aware service. Picking the NSG for an FQDN-filtering requirement is the classic wrong answer.
- Defender for Cloud vs. Sentinel: Defender measures and improves posture (Secure Score) and protects workloads; Sentinel is the SIEM/SOAR that aggregates and correlates events org-wide. They complement each other.
- Key Vault is not a firewall and not a SIEM — it only safeguards secret material; don't pick it for network or detection scenarios.
Why It Matters for AZ-900
These services anchor the security portion of the AZ-900 exam (about 40-60 questions, 700/1000 to pass, a 45-minute answering window, around USD 99). You will not configure firewall rules or write Sentinel queries; you will identify the right service for a described need. Lock in the cheat-sheet mappings above and the security questions become near-automatic.
Quick Recall Checklist
- Defender for Cloud = Secure Score + threat protection (CSPM + CWP).
- Azure Firewall = managed Layer 3-7, FQDN + threat intel, 99.95% SLA.
- NSG = free Layer 3/4 filtering at subnet/NIC.
- Key Vault Premium / Managed HSM = FIPS 140-3 Level 3 HSM-backed.
- Sentinel = cloud-native SIEM + SOAR with Logic Apps playbooks.
Practice Questions
Which Azure service provides Secure Score, a single percentage summarizing your overall security posture, plus prioritized hardening recommendations?
A solution must filter outbound traffic by fully qualified domain name (such as allowing only *.microsoft.com) and block known-malicious IPs using threat intelligence. Which service should you choose?
Where should an application store database connection strings, API keys, and TLS certificates in Azure?
What category of solution is Microsoft Sentinel?