
Azure Fundamentals Security: Complete Study Guide


Azure Fundamentals security is essential for the AZ-900 certification exam. It covers identity and access management, data protection, network security, and compliance frameworks that protect cloud infrastructure.

This topic matters because security is foundational for anyone working in cloud environments. Mastering these concepts helps you design and maintain secure Azure deployments.

Flashcards work perfectly for security topics. You need to memorize specific tools, services, and their functions. Active recall practice strengthens retention and builds exam confidence.

Whether you're studying for certification or building cloud knowledge, understanding Azure security ensures you can deploy solutions confidently.


Core Azure Security Services and Tools

Azure offers a comprehensive security suite protecting cloud infrastructure across multiple layers. These services work together to create a strong defense-in-depth strategy.

Azure Defender and Security Center

Azure Defender is a unified security management platform that detects and responds to threats. It covers virtual machines, databases, containers, and IoT devices across Azure, on-premises systems, and multi-cloud environments.

Azure Security Center serves as your central hub for security management. It provides vulnerability assessments, compliance monitoring, and actionable recommendations for improving your security posture.

Key Security Services

Azure provides specialized tools for different security needs:

  • Azure Key Vault manages cryptographic keys and secrets centrally
  • Azure Firewall provides network-level protection with threat intelligence
  • Azure DDoS Protection defends against distributed denial-of-service attacks
  • Network Security Groups (NSGs) act as virtual firewalls controlling traffic

Defense-in-Depth Strategy

Each service addresses specific security domains: perimeter security, application security, data protection, and threat detection. Understanding how they integrate creates comprehensive protection.

For the AZ-900 exam, focus on what each service does and when to use it. Deep technical implementation details are less important than understanding overall security contributions.

Identity and Access Management in Azure

Strong identity management is the foundation of cloud security. Azure provides multiple tools to verify who users are and what they can access.

Azure Active Directory (Azure AD)

Azure AD is the foundational identity service managing user access and authentication. It enables single sign-on (SSO), allowing users to access multiple applications with one set of credentials.

Azure AD connects users to applications securely and enables organizations to manage access from any location or device.

Role-Based Access Control (RBAC)

RBAC is the authorization mechanism determining what authenticated users can do. It uses three key components:

  1. Security principals (users, groups, service principals) request access
  2. Role definitions (collections of permissions) specify what actions are allowed
  3. Scope (subscription, resource group, or resource) determines where permissions apply

RBAC supports the principle of least privilege: grant each user only the minimum permissions they need, at the narrowest scope that works.

Authentication vs. Authorization

Authentication verifies who you are. Authorization determines what you can access. Multi-Factor Authentication (MFA) adds security layers beyond passwords. Conditional Access policies enforce requirements based on location, device health, or risk assessment.

These concepts form the backbone of secure identity management in Azure environments.

Data Protection and Encryption Strategies

Data protection operates across three states: at rest (stored), in transit (moving between systems), and in use (being processed). Azure encrypts data automatically in most services.

Encryption at Rest

Azure Storage Service Encryption automatically encrypts data using 256-bit AES encryption before writing to disk. Transparent Data Encryption (TDE) for Azure SQL Database encrypts database files without requiring code changes.

Azure Disk Encryption uses BitLocker technology to encrypt virtual machine disks. This protects data if disks are stolen or unauthorized access is attempted.

Encryption in Transit

Azure uses industry-standard TLS/SSL protocols to encrypt communication between clients and services. Data moving between Azure services is also encrypted automatically.

Key Management

Azure Key Vault centralizes encryption key and secret management. It supports:

  • Automatic key rotation policies
  • Access logging for audit trails
  • Hardware security module (HSM) support for premium protection

Additional Protection

Data Loss Prevention (DLP) policies identify and protect sensitive information like credit card numbers or personally identifiable information. Azure provides built-in compliance with HIPAA, GDPR, and SOC 2 through encryption and access controls.

Study the layered approach to data protection. Encryption is automatic in many services, reducing your implementation burden.

Network Security and Perimeter Defense

Network security involves multiple protection layers working together to create a secure perimeter around cloud resources. These tools prevent unauthorized traffic from entering your infrastructure.

Azure Firewall

Azure Firewall is a managed, cloud-native firewall protecting Azure Virtual Network resources. It supports both Layer 3-4 and Layer 7 filtering, letting organizations allow or deny traffic based on:

  • IP protocols and ports
  • Fully qualified domain names (FQDNs)
  • Application-layer protocols

Network Security Groups (NSGs)

NSGs function as distributed firewalls applied at the subnet and network interface level. They use inbound and outbound security rules to filter traffic granularly, providing lightweight protection close to the resources themselves.

Additional Network Defenses

Virtual Network (VNet) segmentation divides network resources into logical subnets. This limits lateral movement if a breach occurs and implements zero-trust security principles.

DDoS Protection Standard provides automated attack detection and mitigation against distributed denial-of-service attacks. Azure Web Application Firewall (WAF) protects web applications from attacks like SQL injection and cross-site scripting.

VPN Gateway creates encrypted connections between on-premises networks and Azure. ExpressRoute provides dedicated private connections with more consistent performance.

For AZ-900, understand how Network Security Groups and Azure Firewall work together. Recognize that network security is one layer of comprehensive Azure security architecture.

Compliance, Governance, and Monitoring

Organizations must meet regulatory requirements while maintaining consistent security policies across cloud environments. Azure provides frameworks and tools supporting compliance and governance.

Policy Enforcement

Azure Policy allows administrators to create rules enforcing organizational standards. Examples include requiring encryption on storage accounts or restricting resource locations to specific regions.

Policies can automatically remediate non-compliant resources or prevent non-compliant deployments entirely.
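To make the deny-versus-audit distinction concrete, here is an added model of how an Azure Policy definition's `policyRule` (an `if` condition on resource fields plus a `then` effect) is evaluated against a resource. It is written for this study guide and is not the Azure Policy engine; the two rules mirror the page's examples, and the resource records are constructed.

```python
"""Added model of how an Azure Policy definition's policyRule is evaluated: the
"if" block is tested against a resource's fields and the "then" effect applies
(deny blocks the deployment, audit only records non-compliance). Standalone
illustration for this study guide, not the Azure Policy engine; resources constructed."""

# Two definitions in the real policyRule shape, mirroring the page's examples:
# restrict locations (deny) and require secure transfer on storage accounts (audit).
POLICIES = {
    "allowed-locations": {
        "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
        "then": {"effect": "deny"},
    },
    "storage-https-only": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": True},
        ]},
        "then": {"effect": "audit"},
    },
}

def condition_matches(cond: dict, resource: dict) -> bool:
    """Evaluate a field condition or an allOf group against the resource
    (resource fields are a flat dict keyed by the policy alias, a simplification)."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource: dict, policies: dict = POLICIES) -> dict:
    """Map each violated policy name to its effect (the 'if' condition matched)."""
    return {name: p["then"]["effect"] for name, p in policies.items()
            if condition_matches(p["if"], resource)}

def deployment_allowed(resource: dict) -> bool:
    """A deployment is blocked only by a deny effect; audit lets it through."""
    return "deny" not in evaluate(resource).values()

# Constructed resources as Resource Manager would present them to Policy.
STORAGE_OK = {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
              "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True}
STORAGE_HTTP = {**STORAGE_OK, "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False}
VM_EASTUS = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus"}
```

Running `evaluate` over the three records shows the compliant storage account passing, the HTTP-enabled one flagged but still deployable under audit, and the out-of-region VM denied outright.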

Standards and Assessments

Azure Blueprints enable organizations to define repeatable sets of Azure resources that comply with standards. This accelerates deployment of secure, compliant environments.

Azure Compliance Manager (now part of Microsoft 365) provides assessments against global regulations:

  • HIPAA (healthcare)
  • GDPR (data privacy)
  • ISO 27001 (information security)
  • FedRAMP (government compliance)

Monitoring and Response

Azure Monitor collects telemetry from Azure resources and sends it to Log Analytics. This enables detailed analysis of security events and system performance.

Azure Sentinel is a Security Information and Event Management (SIEM) solution that correlates security events across the enterprise. It detects threats through machine learning and orchestrates automated responses.

Resource Manager Activity Logs track all administrative activities, creating audit trails essential for compliance verification.

Shared Responsibility

The shared responsibility model means Azure secures the infrastructure while customers secure their data, configurations, and access controls. Understanding compliance requirements and knowing which Azure services support them is crucial for AZ-900 success.

Master Azure Fundamentals Security with Flashcards

Flashcards are ideal for Azure security because they enable active recall practice of services, tools, and security concepts. Our flashcard system reinforces memory through spaced repetition, helping you retain security principles, acronyms, and distinctions between services like RBAC vs. ABAC, or NSGs vs. Azure Firewall. Create custom decks targeting weak areas, track your progress toward AZ-900 readiness, and study efficiently on any device.


Frequently Asked Questions

What is the difference between Azure Security Center and Azure Defender?

Azure Security Center is the central hub for security management and recommendations. Azure Defender is the cloud workload protection platform component focused on threat protection.

In current terminology, these are integrated under the Security Center umbrella. Security Center provides vulnerability assessments, compliance monitoring, and recommendations for improving your security posture.

Azure Defender extends this with advanced threat protection, detecting suspicious activities and enabling incident response. Think of Security Center as your security dashboard and assessment tool. Defender focuses on threat detection and response.

Both components are essential parts of comprehensive Azure security management.

How does Role-Based Access Control (RBAC) work in Azure?

RBAC determines what authenticated users can do with Azure resources through a three-component system.

First, a security principal (user, group, or service principal) requests access. Second, a role definition specifies a set of permissions showing what actions are allowed. Third, a scope defines where those permissions apply: resource, resource group, or subscription level.

Example: You assign the 'Virtual Machine Contributor' role to a user at the resource group level. This allows them to create, modify, and delete VMs in that group but not other resources.

Azure includes built-in roles like Owner, Contributor, and Reader, plus custom roles for specific needs. RBAC follows the principle of least privilege by granting only necessary permissions. This granular access control is fundamental to cloud security.
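The three RBAC components described above (and in the Identity and Access Management section) can be modelled in a few lines. The following is an added illustration written for this study guide, not Azure's own authorization code: the role action patterns are simplified, and the subscription and resource IDs are constructed placeholders. It reproduces the page's scenario of a Virtual Machine Contributor assigned at resource group scope, plus a subscription-wide Reader to show how assignments inherit down the scope hierarchy.

```python
"""Added model of Azure RBAC's three components (security principal, role
definition, scope) and scope inheritance. Standalone illustration for this
study guide, not Azure's own code; role patterns are simplified, IDs constructed."""
from collections import namedtuple

# Role definitions: name -> allowed action patterns (Azure's built-in roles use
# the same kind of wildcard strings, e.g. "Microsoft.Compute/virtualMachines/*").
ROLES = {
    "Reader": {"*/read"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*"},
}
# An assignment binds a security principal to a role at exactly one scope.
Assignment = namedtuple("Assignment", "principal role scope")

def action_matches(pattern: str, action: str) -> bool:
    """Leading/trailing '*' wildcard matching (simplified from Azure's rules)."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return action.startswith(pattern[:-1])
    if pattern.startswith("*/"):
        return action.endswith(pattern[1:])
    return pattern == action

def is_allowed(assignments, principal, action, resource_id) -> bool:
    """True if an assignment for the principal grants the action at a scope that
    contains resource_id; grants inherit down from subscription to resource."""
    for a in assignments:
        if a.principal != principal:
            continue
        if resource_id != a.scope and not resource_id.startswith(a.scope + "/"):
            continue  # assignment scope does not contain this resource
        if any(action_matches(p, action) for p in ROLES[a.role]):
            return True
    return False  # least privilege: no matching grant means deny

# Constructed scope hierarchy: subscription -> resource groups -> resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
VM = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1"
STORAGE = RG_APP + "/providers/Microsoft.Storage/storageAccounts/stapp"
OTHER_VM = SUB + "/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm2"

# The page's scenario: Virtual Machine Contributor at resource-group scope, plus
# a subscription-wide Reader whose read access inherits into every resource.
ASSIGNMENTS = [
    Assignment("alice", "Virtual Machine Contributor", RG_APP),
    Assignment("bob", "Reader", SUB),
]
```

With these assignments, alice can delete vm1 but not touch the storage account beside it or a VM in another resource group, while bob can read either VM but write to neither.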

Why should I use Azure Key Vault instead of storing secrets in code or configuration files?

Storing secrets in code or configuration files creates massive security risks. They become visible in version control systems, backups, and to anyone with file access.

Azure Key Vault centralizes secret management with strong protections:

  • Encryption of all stored secrets
  • Access logging showing who accessed what and when
  • Automated secret rotation policies
  • Hardware security module (HSM) support for enhanced protection
  • Seamless integration with Azure services for automatic authentication

You can revoke access instantly without code changes. Applications retrieve secrets dynamically only when needed. You can grant different permissions to different services and users.

This approach is essential for production security and regulatory compliance.

What is the shared responsibility model in Azure security?

The shared responsibility model clarifies that security is jointly managed between Microsoft (Azure provider) and the customer.

Microsoft secures:

  • Physical data centers
  • Network infrastructure
  • Hypervisors
  • Foundational cloud services

Customers are responsible for:

  • Securing their data
  • Access controls and authentication
  • Operating systems
  • Applications and configurations they deploy

The division varies by service type. For infrastructure-as-a-service (IaaS), customers manage more components like OS security. For platform-as-a-service (PaaS), Microsoft manages more underlying infrastructure. For software-as-a-service (SaaS), Microsoft manages most components.

Understanding this model prevents security gaps where both parties assume the other is handling something. This is critical for AZ-900 because many questions test whether you understand where responsibilities lie.

How do Network Security Groups differ from Azure Firewall?

Both control traffic but operate at different levels and with different capabilities.

Network Security Groups (NSGs) are stateful firewalls operating at Layer 3-4 (IP/Transport layers). They filter traffic based on source/destination IP, ports, and protocols. NSGs are implemented at the subnet and network interface level, providing distributed protection across your virtual network.

Azure Firewall is a centralized, managed firewall service that can inspect traffic up to Layer 7 (Application layer). It can filter on fully qualified domain names (FQDNs) and application protocols. Azure Firewall is typically deployed in hub-and-spoke network architectures for centralized traffic control.

NSGs are more granular and lightweight, while Azure Firewall provides stronger threat protection and easier centralized policy management. Organizations typically use both: NSGs for internal network segmentation and Azure Firewall for perimeter defense.