Microsoft Certified Cybersecurity Architect Expert (1科混合雲保安) 國際認可證書課程
課程簡稱：Microsoft Cybersecurity Training Course

Microsoft 已更改產品 “Azure AD” 的名稱至新的名稱 “Entra ID” 以統一旗下產品的稱號。“Azure AD” 現有的理論、功能、角色、使用方法、應用程式開發介面 (API) 及指令集 (PowerShell cmdlets) 等等，將於新名稱 “Entra ID” 下保持不變。您於本課程學習 “Azure AD” 技術，將可以繼續於 “Entra ID” 下全數使用於日常工作並應考本課程相關的考試。Microsoft 亦有提及如果您的機構內已部署及正在使用 “Azure AD”，就算產品名稱被改成 “Entra ID”，您亦不需要採取任何行動，您的 I.T. 系統將會繼續運作，並會照樣地獲得與 “Azure AD” 相同的服務水準 (SLA，Service Level Agreement)。

資料來源:
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-is-becoming-microsoft-entra-id/ba-p/2520436

本中心是 Microsoft 認可的合作夥伴 (Microsoft Certified Partner)。

Preface

The Microsoft Cybersecurity Architect proactively secures Microsoft 365, Microsoft Azure Cloud and Hybrid on-premises enterprise environments, responds to threats, performs investigations, and enforces data governance.

The Microsoft Cybersecurity Architect has subject matter expertise in designing and evolving the cybersecurity strategy to protect an organization's mission and business processes across all aspects of the enterprise architecture.

Microsoft's cybersecurity capabilities

The Cybersecurity Architect designs a Zero Trust strategy and architecture, including security strategies for data, applications, access management, identity, and infrastructure.

The Cybersecurity Architect also evaluates Governance Risk Compliance (GRC) technical strategies and security operations strategies.

The Cybersecurity Architect continuously collaborates with leaders and practitioners in IT security, privacy, and other roles across an organization to plan and implement a cybersecurity strategy that meets the business needs of an organization.

About Microsoft 365's Security services and certification

Microsoft 365 provides the following Security Capabilities which would be mentioned throughout our Cloud-focused Cybersecurity Architect Expert-level training course:

• Azure AD authentication and Hybrid Active Directory deployment
• Azure AD Multi-Factor Authentication (MFA) and Windows Hello
• Conditional Access and Role Based Access Control
• Privileged Identity Management (PIM) & Azure AD Identity Protection
• Microsoft Defender for Identity and Microsoft Defender for Endpoint
• Microsoft Defender Application Guard and Application Control
• Microsoft Defender and Attack Simulator
• Windows and Non-Windows Device Encryption
• Azure Sentinel
• Sensitivity Labels and Policies
• Data Loss Prevention (DLP)
• Microsoft Cloud App Security
• Governance and Compliance features in Microsoft 365
• Microsoft Endpoint Manager Admin Center and Microsoft Defender for Endpoint
• Microsoft 365 Security Center
• eDiscovery, investigation tools and Auditing
• Data privacy regulation compliance with GDPR

About Microsoft Azure's Security services and certification

Microsoft Azure Cloud provides the following Security Capabilities which would be mentioned throughout our Cloud-focused Cybersecurity Architect Expert-level training course:

• Advanced Threat Detection and AnalyticsAzure Logging and AuditingAzure Network Security including NSG (Network Security Group) and Firewall virtual appliancesAzure Serverless Platform SecurityAzure AKS (Azure Kubernetes Services) and Container SecurityOperational Security, Microsoft Defender for Cloud and AdvisorAzure Tenant Level Isolation and Role Based Access Control
• Secure Hybrid Networking

Microsoft Certified Cybersecurity Architect Expert

"Microsoft Certified Cybersecurity Architect Expert" is a top-up certification, it complements the relevant associate-level certification.

About the course

Our training course will guide you through carefully selected examination topics, along with real-life examples, practical demonstration and business cases of implementing, verifying and maintaining various Microsoft 365, Microsoft Azure Cloud and Hybrid environment Security features with the latest operating systems.

Evaluations, Pros and Cons and may be comparisons of different Microsoft Security products would be verbally provided throughout the training course.

As Microsoft has been partnering with multiple third party vendors and built Cybersecurity ecosystems, it is inevitable that a small portion of the course time would be spent on briefly discussing popular partner security solutions and integrating them into Microsoft's cloud environments.

As visibility into risks and ability to address third party risks are becoming more and more important, impactful, and influential to the world of connected businesses, multiple Governance and Risk Compliance (GRC) standards and technical strategies will be discussed throughout the course, this enables you and your organization to reliably achieve security objectives, address uncertainties and act with integrity.

Our senior instructor Mr. Larry Chan would give you advise, tricks and tips on various cloud security-related products.

本中心為Microsoft指定的考試試場。報考時請致電本中心，登記欲報考之科目考試編號、考試日期及時間 (最快可即日報考)。臨考試前要出示身份證及繳付每科HK$943之考試費。

考試題目由澳洲考試中心傳送到你要應考的電腦，考試時以電腦作答。所有考試題目均為英文，而大多數的考試題目為單項及多項選擇題，其餘則為實戰題。

考試合格後會收到來自Microsoft的作實電郵，並進入該電郵內的連結，登入 Microsoft Credentials Dashboard 下載您的證書。

考試不合格便可重新報考，不限次數。欲知道作答時間、題目總數、合格分數等詳細考試資料，可瀏覽本中心網頁 "各科考試分數資料"。

1. Design a Zero Trust strategy and architecture
1.1 What is a Cybersecurity Architect
1.2 An Overview to Zero Trust
1.2.1 Guiding principles of Zero Trust
1.2.2 Technology pillars of Zero Trust
1.3 Develop Integration points in an architecture
1.3.1 Using the MCRA
1.4 Develop security requirements based on business goals
1.4.1 Cloud Adoption Framework overview
1.4.2 Define your strategy
1.4.3 Make a plan
1.4.4 Ready your organization
1.4.5 Secure
1.5 Translate security requirements into technical capabilities
1.5.1 Security design principles
1.5.2 Plan resources and how to harden them
1.5.3 Automate and use least privilege
1.5.4 Classify and encrypt data
1.5.5 Monitor system security, plan incident response
1.5.6 Identify and protect endpoints
1.5.7 Protect against code-level vulnerabilities
1.5.8 Model and test against potential threats
1.6 Design security for a resiliency strategy
1.7 Design a security strategy for hybrid and multi-tenant environments
1.7.1 Implement a secure hybrid identity environment
1.7.2 Implement a secure hybrid network
1.7.3 Architecting for multitenant scenarios
1.7.4 Tenancy models
1.7.5 Tenant isolation
1.7.6 Manage hybrid environments at scale with Azure Arc
1.7.7 Onboarding Azure ARC Enabled Servers
1.7.8 Generate installation script
1.7.9 Install the agent using the script
1.7.10 Onboarding ARC Enabled Servers at Scale
1.8 Manage hybrid environments at scale with Azure Policy
1.8.1 Design technical and governance strategies for traffic filtering and segmentation
1.8.2 Logically segment subnets
1.8.3 Azure Micro-Segmentation Application Security Groups (ASGs)
1.8.4 Filtering East-West traffic
1.8.5 Filtering north-south traffic
1.8.6 Deploy perimeter networks for security zones
1.8.7 Implementing Azure Firewall
1.8.8 Creating Subnets for Azure Firewall deployment
1.8.9 Create two more Subnets within the increased address space 10.0.0.0/16
1.8.10 Creating the Jump Virtual machine
1.8.11 Deploying Azure Firewall
1.8.12 Creating a NVA-based default route to redirect traffic
1.8.13 Creating a network rule
1.8.14 Change the primary and secondary DNS address for the Workload’s network interface
1.8.15 Testing the Azure Firewall
1.8.16 Using FQDN Tags in Azure Firewall Rule
1.8.17 Avoid exposure to the internet with dedicated WAN links
1.8.18 Use virtual network appliances

2. Design a security operations strategy
2.1 Security Operations strategy overview
2.2 Understand security operations frameworks, processes, and procedures
2.2.1 Security operations functions
2.2.2 Interactions between SecOps and business leadership
2.2.3 People and process
2.2.4 Metrics
2.2.5 SecOps modernization
2.2.6 The MITRE ATT&CK framework
2.3 Design a logging and auditing security strategy
2.3.1 Recommendations
2.3.2 Review the cyber kill chain
2.3.3 Types of logs in Azure
2.3.4 Logging and auditing issues with common cloud services
2.4 Develop security operations for hybrid and multi-cloud environments
2.4.1 Unified operations
2.4.2 Common governance processes
2.4.3 Common operations management processes (tasks)
2.4.4 Azure Security Operation services
2.4.5 Azure management services
2.4.6 Example security architecture for hybrid and multi-cloud
2.4.7 Components and workflow
2.5 Design a strategy for Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR)
2.5.1 Visibility, automation, and orchestration Zero Trust deployment objectives
2.5.2 Establish visibility
2.5.3 Enable automation
2.5.4 Link Microsoft Purview Data Connectors and relevant third-party products to Microsoft Sentinel
2.5.5 Link threat intelligence data to Microsoft Sentinel
2.5.6 Enable additional protection and detection controls
2.5.7 Security operations best practices for SIEM and SOAR
2.5.8 Prevent, detect, and respond to threats
2.5.9 Monitor end-to-end scenario-based network monitoring
2.5.10 Monitor Azure AD risk reports
2.6 Evaluate security workflows
2.6.1 General incident response workflow
2.6.2 Incident response best practices
2.6.3 Recovery best practices
2.7 Review security strategies for incident management
2.7.1 Responding to security incidents
2.7.2 Incident management process
2.7.3 Preparation
2.7.4 Detection and analysis
2.7.5 Containment, eradication, and recovery
2.7.6 Post-Incident Activity
2.7.7 Continuous Improvement
2.8 Evaluate security operations for technical threat intelligence
2.8.1 Microsoft's threat intelligence strategy
2.8.2 The state of cybercrime
2.8.3 Nation state threats
2.8.4 Actionable Insights
2.9 Monitor sources for insights on threats and mitigations
2.9.1 Threat Intelligence in Microsoft Sentinel
2.9.2 Threat Intelligence in Defender for Endpoint
2.9.3 Alert definitions
2.9.4 Indicators of compromise (IOC)
2.9.5 Relationship between alert definitions and IOCs
2.9.6 Threat Intelligence in Defender for IoT
2.9.7 Threat Intelligence in Defender for Cloud
2.9.8 Threat Intelligence in Microsoft 365 Defender

3. Design an identity security strategy
3.1 Overview
3.2 Secure access to cloud resources
3.2.1 Identity Zero Trust deployment objectives
3.2.2 Identity Zero Trust deployment guide
3.2.3 Conditional Access policies gate access and provide remediation activities
3.2.4 Analytics improve visibility
3.2.5 Identities and access privileges are managed with identity governance
3.2.6 User, device, location, and behavior are analyzed in real time to determine risk and deliver ongoing protection
3.2.7 Integrate threat signals from other security solutions to improve detection, protection, and response
3.3 Recommend an identity store for security
3.3.1 Azure Active Directory
3.3.2 Enable single sign-on and publisher verification
3.3.3 Integrate user provisioning
3.3.4 Azure Active Directory B2C
3.3.5 Integrate with RESTful endpoints
3.4 Recommend secure authentication and security authorization strategies
3.4.1 Secure Authentication methods
3.4.2 Azure AD password hash synchronization
3.4.3 Azure AD Pass-through Authentication
3.4.4 Federated authentication
3.4.5 Architecture diagrams
3.4.6 Comparing Authentication Methods
3.4.7 Secure Authorization Methods
3.4.8 Authorization Methods
3.5 Secure conditional access
3.5.1 Requirements
3.5.2 Conditional Access as a Zero Trust policy engine
3.5.3 Conditional access Zero Trust architecture
3.5.4 Design conditional access personas
3.5.5 Suggested conditional access personas from Microsoft
3.5.6 Access template cards
3.5.7 Conditional access framework and policies
3.6 Design a strategy for role assignment and delegation
3.6.1 Why assign roles to groups?
3.6.2 Use PIM to make a group eligible for a role assignment
3.6.3 Manage to least privilege
3.6.4 Use Privileged Identity Management to grant just-in-time access
3.6.5 Turn on multifactor authentication (MFA) for all administrator accounts
3.6.6 Configure recurring access reviews to revoke unneeded permissions over time
3.6.7 Limit the number of global administrators to less than five
3.6.8 Use groups for Azure AD role assignments and delegate the role assignment
3.6.9 Activate multiple roles at once using privileged access groups
3.6.10 Use cloud native accounts for Azure AD roles
3.6.11 Why enforce delegation?
3.7 Define Identity governance for access reviews and entitlement management
3.7.1 Create and perform an access review for users
3.7.2 Manage guest access with Azure AD access reviews
3.7.3 Create and perform an access review for guests
3.7.4 Manage entitlement
3.8 Design a security strategy for privileged role access to infrastructure
3.8.1 Securing privileged access
3.8.2 Develop a roadmap
3.9 Design a security strategy for privileged activities
3.9.1 Privileged Access should be the top security priority
3.9.2 Building your privileged access strategy
3.9.3 Building the recommended strategy
3.9.4 Lay foundations for successful privileged identity strategy
3.9.5 Security rapid modernization plan
3.9.6 Execute critical strategic initiatives for privileged activity management

4. Evaluate Governance Risk Compliance (GRC) technical strategies and security operations strategies
4.1 Interpret compliance requirements and their technical capabilities
4.1.1 Establish a compliance strategy
4.1.2 Compliance considerations
4.2 Evaluate infrastructure compliance by using Microsoft Defender for Cloud
4.3 Interpret compliance scores and recommend actions to resolve issues or improve security
4.3.1 Resolve compliance recommendations
4.4 Design and validate implementation of Azure Policy
4.4.1 Set guardrails
4.4.2 Control Costs
4.4.3 Azure Policy and Azure Resources
4.4.4 Validating New Policy
4.4.5 Tightly define your policy
4.4.6 Audit existing resources
4.4.7 Audit new or updated resources
4.4.8 Deploy your policy to resources
4.4.9 Monitor your policy and compliance
4.5 Design for data residency requirements
4.5.1 Data Sovereignty
4.5.2 Personal Data
4.5.3 Consider Azure Policy
4.5.4 Consider Azure Blueprints
4.6 Translate privacy requirements into requirements for security solutions
4.6.1 Leverage Azure Policy
4.6.2 Azure's secure foundation
4.6.3 State of the data
4.6.4 Azure resource providers encryption model support
4.6.5 Data classification
4.6.6 Identity protection

5. Evaluate security posture and recommend technical strategies to manage risk
5.1 Evaluate security postures by using benchmarks
5.1.1 Posture management and the Security operating model
5.1.2 Evaluating security posture in Azure workloads
5.2 Evaluate security postures by using Microsoft Defender for Cloud
5.3 Evaluate security hygiene of cloud workloads
5.4 Design security for an Azure Landing Zone
5.4.1 Design security review
5.4.2 Security design considerations
5.4.3 Security in the Azure landing zone accelerator
5.4.4 Interpret technical threat intelligence and recommend risk mitigations
5.4.5 Identify technical threat intelligence
5.4.6 Risk mitigations
5.5 Evaluate security postures by using secure scores
5.6 Recommend security capabilities or controls to mitigate identified risks

6. Design a strategy for securing server and client endpoints
6.1 Specify security baselines for server and client endpoints
6.1.1 What are security baselines?
6.1.2 Baselines principles
6.1.3 Selecting the appropriate baseline
6.2 Specify security requirements for servers
6.2.1 Analyze security configuration
6.2.2 Secure Servers (Domain Members)
6.2.3 Azure Security Benchmark
6.3 Specify security requirements for mobile devices and clients
6.3.1 App isolation and control
6.3.2 Device settings
6.3.3 Client requirements
6.4 Specify requirements for securing Active Directory Domain Services
6.4.1 General introduction
6.4.2 Securing Domain Controllers Against Attack
6.4.3 Microsoft Defender for Identity
6.5 Design a strategy to manage secrets, keys, and certificates
6.5.1 Manage access to secrets, certificates, and keys
6.5.2 Authentication
6.5.3 Authorization
6.5.4 Restrict network access
6.5.5 Manage certificate
6.6 Design a strategy for secure remote access

7. Design a strategy for securing PaaS, IaaS, and SaaS services
7.1 Specify security baselines for PaaS services
7.2 Specify security baselines for IaaS services
7.2.1 Exercise on Implementing Azure Disk Encryption: Key Vault Access Policy
7.2.2 Enable encryption on existing or running IaaS Windows VMs
7.3 Specify security baselines for SaaS services
7.4 Specify security requirements for IoT workloads
7.5 Specify security requirements for data workloads
7.5.1 Security posture management for data
7.5.2 Databases
7.6 Specify security requirements for web workloads
7.6.1 Security posture management for App Service
7.7 Specify security requirements for storage workloads
7.7.1 Security posture management for storage
7.8 Specify security requirements for containers
7.9 Specify security requirements for container orchestration

8. Design a strategy for data and applications
8.1 Understand application threat modeling
8.1.1 Gather information about the basic security controls
8.1.2 Evaluate the application design progressively
8.1.3 Mitigate the identified threats
8.1.4 Microsoft Threat Modeling Tool mitigations
8.2 Specify priorities for mitigating threats to applications
8.2.1 Identify and classify applications
8.3 Specify a security standard for onboarding a new application
8.3.1 Specify a security strategy for applications and APIs
8.3.2 Deploy the DevOps and the application lifecycle
8.3.3 Enforcing Security for DevOps
8.4 DevSecOps tools
8.4.1 Secure your code and software supply chain
8.4.2 Strengthen CI/CD delivery of container images
8.4.3 Perform container-image scanning
8.4.4 Run apps more securely on Azure Kubernetes Service (AKS)
8.4.5 Manage your keys and secrets
8.4.6 Govern user authentication throughout your application
8.4.7 Collect live telemetry data and monitor your systems
8.4.8 DevSecOps infrastructure in Azure
8.5 Specify a security strategy for applications and APIs
8.5.1 Onboarding New Applications
8.5.2 Security Standards for Onboarding applications

9. Network-based threats and mitigations
9.1 Describe the different types of networks
9.1.1 Connect to your network
9.1.2 The client-server topology
9.2 Describe how data moves around a network
9.2.1 The datagram or packet
9.2.2 IP addresses
9.2.3 DNS
9.2.4 Routing
9.3 Describe threats to network security
9.3.1 Common network attacks
9.3.2 Common DNS attack
9.3.3 Common wireless attacks
9.3.4 Bluetooth attack
9.4 Protect your network
9.4.1 How a firewall protects your network
9.4.2 Maintaining a healthy network using antivirus
9.4.3 Improve authentication using network access control
9.4.4 Split your network into parts
9.4.5 Secure connections using a virtual private network
9.4.6 Encrypt your wireless network
9.5 Protecting DNS traffic
9.5.1 Create the zone “fabrikam.com”
9.5.2 Configure the cache DNS server WS2
9.5.3 Reconfigure DNS Client to use Cache DNS Server
9.6 Configuring and testing DNSSEC
9.6.1 Query unsigned zones without DNSSEC validation requirement
9.6.2 Signing a zone by DNSSEC
9.6.3 To distribute Trust Anchor Manually
9.6.4 Querying a Signed-Zone without Validation requirement
9.6.5 Configuring DNS Client to perform DNSSEC validation
9.6.6 Querying a Signed-zone with Validation required
9.6.7 Situation when Validation Failed
9.6.8 Situation when the attacker uses a Fake signature
9.7 More about using DNSSEC for Public Internet Domains

10. Customer Case – a Local Insurance Company
10.1 The environment and problem statement
10.1.1 Existing Environment
10.1.2 Compliance Environment and Problem Statement
10.1.3 Development, Deployment, Security and Multi-cloud requirements
10.2 The Solutions
10.2.1 Dynamic Data Masking in Azure SQL
10.2.2 Azure Virtual Desktop as a Jump Host
10.2.3 Custom RBAC Roles
10.2.4 Defender for Servers and Microsoft Sentinel in a Multi-cloud environment
10.2.5 Enforcing HIPAA HITRUST Compliance via Blueprint with Azure Policy
10.2.6 Scanning Application Code with GitHub Enterprise plan
10.2.7 Deploy Vulnerability Assessment via Defender for Endpoint in a Multi-cloud environment

11. Customer Case – a Global Financial Services company
11.1 The Hybrid environment and Requirement statement
11.2 Solutions to its changes and requirements
11.2.1 Azure Web App Virtual Network Integration and Private Endpoint
11.2.2 ExpressRoute
11.2.3 Defender for Cloud Apps and Azure AD Conditional Access
11.2.4 Securing Identities
11.2.5 Azure Lighthouse
11.2.6 Delegated Management of Azure AD with Administrative Units
11.2.7 Forced Tunneling with Azure Firewall