AZ‐500 Microsoft Azure Security Technologies Study Guide_31 - itnett/FTD02H-N GitHub Wiki

Here's a set of important Azure CLI commands that are essential to know, particularly for the AZ-500 certification. Each command is accompanied by an explanation of what it does and how it fits into managing Azure resources. These commands will help you manage security, users, groups, resources, and much more.


💻 Essential Azure CLI Commands for AZ-500

1. Login and Setup

Command:

az login

What it does:

This command logs you into your Azure account via the CLI. If you haven't authenticated, it will open a browser window to complete the login process. It’s the first step before managing any Azure resources.


2. Manage Users

Create a New Azure AD User:

az ad user create --display-name "John Doe" --password "P@ssw0rd123!" --user-principal-name <userPrincipalName>

What it does:

Creates a new Azure Active Directory user with the specified name, password, and user principal name (UPN).

List All Azure AD Users:

az ad user list --output table

What it does:

This command lists all Azure AD users in table format, making it easier to view the users in your organization.

Delete an Azure AD User:

az ad user delete --id <userPrincipalName>

What it does:

Deletes an Azure AD user by specifying their user principal name or object ID.


3. Manage Groups

Create a New Group:

az ad group create --display-name "Admins" --mail-nickname "Admins"

What it does:

Creates a new security group in Azure Active Directory.

Add a User to a Group:

az ad group member add --group "Admins" --member-id <userObjectID>

What it does:

Adds a user (specified by their object ID) to the specified group.

List Group Members:

az ad group member list --group "Admins" --output table

What it does:

Displays all the members of a group in table format for easy viewing.


4. Role-Based Access Control (RBAC)

Assign a Role to a User or Group:

az role assignment create --assignee <userPrincipalName> --role "Contributor" --scope /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>

What it does:

Assigns a role (e.g., Contributor) to a user or group for a specific resource group or subscription. This command is critical for managing access control to Azure resources.

List Role Assignments:

az role assignment list --output table

What it does:

Lists all role assignments across your Azure subscription, showing which users and groups have access to specific resources.
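The listing above is the raw material for an access review. The following is an added example, not code from the wiki, that reads the JSON form of that output (`az role assignment list --output json`) and flags the assignments a reviewer would look at first: privileged roles granted at subscription or management-group scope, and those granted directly to a user instead of a group. The assignments in the block are constructed to mirror the fields Azure returns; the set of roles treated as privileged is an assumption you can adjust.

```python
"""Audit the JSON output of `az role assignment list` for broad, high-privilege
grants. Added example; the sample assignments below are constructed, not real."""
import json

# Roles that grant write or access-management rights (assumed review list)
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample shaped like `az role assignment list --all --output json`
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "alice@example.test", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "Admins", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup"},
  {"principalName": "bob@example.test", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/providers/Microsoft.Management/managementGroups/root"}
]
"""


def scope_level(scope):
    """Classify an ARM scope string by how much of the tenant it covers."""
    parts = [p for p in scope.split("/") if p]
    # Management groups also contain 'providers', so test them first
    if len(parts) >= 2 and parts[0] == "providers" and parts[1] == "Microsoft.Management":
        return "managementGroup"
    if "providers" in parts:
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    if parts and parts[0] == "subscriptions":
        return "subscription"
    return "unknown"


def find_risky_assignments(assignments, privileged_roles=PRIVILEGED_ROLES):
    """Return one finding per assignment that is both privileged and broad."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        level = scope_level(a.get("scope", ""))
        if role not in privileged_roles or level not in ("subscription", "managementGroup"):
            continue
        reasons = [f"{role} at {level} scope"]
        if a.get("principalType") == "User":
            reasons.append("granted directly to a user rather than a group")
        findings.append({"principal": a.get("principalName"), "role": role,
                         "scope": a.get("scope"), "reasons": reasons})
    return findings


def audit_json(text):
    """Convenience wrapper: parse the CLI's JSON and audit it."""
    return find_risky_assignments(json.loads(text))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_ASSIGNMENTS_JSON):
        print(f"{f['principal']}: {'; '.join(f['reasons'])}")
```

Run it against real output with `az role assignment list --all --output json > assignments.json` and pass the file contents to `audit_json`. Group-scoped grants at resource-group level (the `Admins` entry) are deliberately left out of the findings; narrow that filter if your review needs them.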


5. Manage Resources

Create a Resource Group:

az group create --name MyResourceGroup --location "East US"

What it does:

Creates a new resource group in the specified location. Resource groups are logical containers for managing multiple Azure resources.

Delete a Resource Group:

az group delete --name MyResourceGroup --yes --no-wait

What it does:

Deletes the specified resource group and all its resources. The --no-wait flag ensures the command returns immediately, while the deletion happens asynchronously.


6. Virtual Machines

Create a Virtual Machine:

az vm create --resource-group MyResourceGroup --name MyVM --image UbuntuLTS --admin-username azureuser --generate-ssh-keys

What it does:

Creates a new virtual machine in Azure using the specified resource group and image (in this case, Ubuntu LTS). The SSH keys will be auto-generated for secure access.

Start a Virtual Machine:

az vm start --name MyVM --resource-group MyResourceGroup

What it does:

Starts a stopped virtual machine, bringing it back online.

Stop a Virtual Machine:

az vm stop --name MyVM --resource-group MyResourceGroup

What it does:

Stops a running virtual machine, but it remains allocated (you’ll still be billed for storage).

Delete a Virtual Machine:

az vm delete --resource-group MyResourceGroup --name MyVM --yes

What it does:

Deletes the specified virtual machine and associated resources like disks and network interfaces.


7. Network Security Groups (NSG)

Create a Network Security Group:

az network nsg create --resource-group MyResourceGroup --name MyNSG

What it does:

Creates a new Network Security Group (NSG) to manage inbound and outbound traffic for Azure resources like VMs.

Add an Inbound Security Rule to an NSG:

az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNSG --name MyNSGRule --priority 100 --protocol Tcp --destination-port-ranges 22 --access Allow

What it does:

Adds a rule to allow SSH traffic (port 22) through the NSG. Rules are evaluated in priority order and the first match wins, so lower numbers take precedence over higher ones.

List NSG Rules:

az network nsg rule list --resource-group MyResourceGroup --nsg-name MyNSG --output table

What it does:

Displays all the rules for a specified NSG in a table format.
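To make the priority rule concrete, here is an added example (not from the wiki) that evaluates a list of NSG rules the way the platform does: sort by priority, first match decides, and the built-in `DenyAllInBound` rule at priority 65500 catches everything else. The rules are constructed in the shape of `az network nsg rule list --output json`; the first one mirrors `MyNSGRule` from the page, which, because the create command above sets no source, takes the CLI default source of `*`. The second function flags exactly that pattern: an allow rule from any or Internet source to a management port.

```python
"""Evaluate NSG rules in priority order and flag Internet-exposed management
ports. Added example; the rule list is constructed, not real CLI output."""
import ipaddress

# Constructed rules mirroring `az network nsg rule list --output json`
SAMPLE_RULES = [
    {"name": "MyNSGRule", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "DenyInternetRdp", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowCorpRdp", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/16", "destinationPortRange": "3389"},
]

# The default inbound deny every NSG carries (VNet/load-balancer defaults omitted)
DEFAULT_DENY = {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
                "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
                "destinationPortRange": "*"}

MANAGEMENT_PORTS = {22, 3389}


def port_matches(port_range, port):
    """Match '*', a single port, or a 'lo-hi' range against a port number."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-"))
        return lo <= port <= hi
    return int(port_range) == port


def source_matches(prefix, source_ip):
    """Match '*', the Internet service tag, or a CIDR against a source address."""
    ip = ipaddress.ip_address(source_ip)
    if prefix == "*":
        return True
    if prefix == "Internet":  # service tag: any publicly routable address
        return ip.is_global
    return ip in ipaddress.ip_network(prefix, strict=False)


def evaluate(rules, direction, protocol, dest_port, source_ip):
    """Return (access, rule_name) for the first rule that matches the flow."""
    for r in sorted(rules + [DEFAULT_DENY], key=lambda r: r["priority"]):
        if r["direction"] != direction:
            continue
        if r["protocol"] != "*" and r["protocol"].lower() != protocol.lower():
            continue
        if not port_matches(r["destinationPortRange"], dest_port):
            continue
        if not source_matches(r["sourceAddressPrefix"], source_ip):
            continue
        return r["access"], r["name"]
    return "Deny", "no-match"  # not reached: DEFAULT_DENY matches every inbound flow


def internet_exposed_management_rules(rules):
    """Names of allow rules that let any/Internet source reach SSH or RDP."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in ("*", "Internet")
            and any(port_matches(r["destinationPortRange"], p) for p in MANAGEMENT_PORTS)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "Inbound", "Tcp", 22, "1.2.3.4"))
    print(evaluate(SAMPLE_RULES, "Inbound", "Tcp", 3389, "1.2.3.4"))
    print("exposed:", internet_exposed_management_rules(SAMPLE_RULES))
```

The two RDP rules show why ordering matters: the deny at 110 is evaluated before the corporate allow at 120, so an Internet source is refused while `10.0.0.0/16` still gets through. Swapping those priorities would silently open RDP to the Internet.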


8. Azure Key Vault

Create a Key Vault:

az keyvault create --name MyKeyVault --resource-group MyResourceGroup --location "East US"

What it does:

Creates a new Azure Key Vault for storing secrets, certificates, and encryption keys securely.

Store a Secret in Key Vault:

az keyvault secret set --vault-name MyKeyVault --name "MySecret" --value "P@ssw0rd!"

What it does:

Stores a new secret in the Key Vault, which can be retrieved securely by applications or services.

Retrieve a Secret from Key Vault:

az keyvault secret show --name "MySecret" --vault-name MyKeyVault

What it does:

Retrieves the value of a stored secret from the Key Vault.


9. Azure Storage

Create a Storage Account:

az storage account create --name mystorageaccount --resource-group MyResourceGroup --location "East US" --sku Standard_LRS

What it does:

Creates a new Azure storage account with locally redundant storage (LRS) in the specified region.

Generate a Shared Access Signature (SAS):

az storage account generate-sas --account-name mystorageaccount --permissions rwdlac --expiry 2023-12-31T00:00:00Z --services b --resource-types sco

What it does:

Generates a shared access signature (SAS) token for the storage account, allowing controlled access to blobs with read, write, delete, list, add, and create permissions.
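A SAS token is a bearer credential, so it is worth reviewing what one grants before it leaves your hands. The following added example (not from the wiki) parses the query-string form of an account SAS using the parameter names Azure emits (`sp`, `ss`, `srt`, `se`, `spr`, `sip`, `sv`, `sig`) and lists the concerns a defender would raise: long lifetime, mutating permissions, plain HTTP allowed, no source-IP restriction. The token in the block is constructed with a fake signature and the same permissions and expiry as the command above; the seven-day lifetime limit is an assumed policy value.

```python
"""Review an account SAS token before handing it out. Added example; the token
is constructed (fake signature) and the 7-day limit is an assumed policy."""
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed token shaped like `az storage account generate-sas` output
SAMPLE_SAS = ("sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2023-12-31T00:00:00Z"
              "&spr=https,http&sig=FAKESIGNATURE")

# Account SAS permission letters (subset relevant here)
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list",
                    "a": "add", "c": "create", "u": "update", "p": "process"}

MUTATING = {"write", "delete", "add", "create", "update"}


def parse_sas(token):
    """Decode the SAS query string into a readable summary."""
    fields = {k: v[0] for k, v in parse_qs(token).items()}
    expiry = datetime.strptime(fields["se"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "permissions": [PERMISSION_NAMES.get(ch, ch) for ch in fields.get("sp", "")],
        "services": fields.get("ss", ""),
        "resource_types": fields.get("srt", ""),
        "expiry": expiry.replace(tzinfo=timezone.utc),
        # When spr is omitted the storage service accepts both protocols
        "protocols": fields.get("spr", "https,http").split(","),
        "ip_range": fields.get("sip"),
    }


def review_sas(token, now, max_days=7):
    """Return the list of concerns about this token as of `now` (UTC)."""
    info = parse_sas(token)
    concerns = []
    lifetime_days = (info["expiry"] - now).total_seconds() / 86400
    if lifetime_days <= 0:
        concerns.append("already expired")
    elif lifetime_days > max_days:
        concerns.append(f"lives {lifetime_days:.0f} days, over the {max_days}-day limit")
    granted = MUTATING & set(info["permissions"])
    if granted:
        concerns.append("grants mutating permissions: " + ", ".join(sorted(granted)))
    if "http" in info["protocols"]:
        concerns.append("allows plain HTTP (spr includes http)")
    if not info["ip_range"]:
        concerns.append("no source IP restriction (sip absent)")
    return concerns


if __name__ == "__main__":
    for c in review_sas(SAMPLE_SAS, datetime.now(timezone.utc)):
        print("-", c)
```

To tighten the token from the command above, narrow `--permissions` to what the consumer needs (often `rl`), bring `--expiry` down to hours, and add `--https-only` and `--ip` so the `spr` and `sip` checks pass.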

List Storage Containers:

az storage container list --account-name mystorageaccount --output table

What it does:

Lists all storage containers within the specified storage account in a table format.


10. Monitoring and Alerts

Create an Activity Log Alert:

az monitor activity-log alert create --name "HighCPUAlert" --resource-group MyResourceGroup --scope /subscriptions/<subscription-id> --condition "category=Administrative" --description "Alert on high CPU usage"

What it does:

Creates an activity log alert based on a condition, such as administrative actions or high CPU usage. This is useful for monitoring Azure resources and setting up automatic responses.


🏁 Conclusion

Mastering these Azure CLI commands will significantly improve your ability to manage Azure resources, users, and security configurations. These commands form the backbone of automation and efficient resource management, which is critical for Azure security and operations.

For the AZ-500 exam, it’s important to not only know these commands but also understand the scenarios where they apply, such as setting up RBAC, managing users, securing resources, and monitoring activities.



🖥️ Azure CLI Commands for AZ-500 (Continued)

This page continues with more advanced and security-focused Azure CLI commands. These commands cover various aspects like configuring identity protection, managing security policies, configuring virtual networks, and more.

🔑 11. Identity Protection and Conditional Access

Create a Conditional Access Policy:

az ad conditionalaccess policy create --display-name "Require MFA for Admins" \
  --conditions "{'users':{'includeUsers':['all'],'includeGroups':['AdminGroup']}}" \
  --grant-controls "{'builtInControls':['mfa']}"

What it does:

This command creates a Conditional Access Policy that enforces Multi-Factor Authentication (MFA) for all members of the specified group (e.g., AdminGroup). Conditional Access is crucial for securing Azure environments.

List Conditional Access Policies:

az ad conditionalaccess policy list --output table

What it does:

Lists all Conditional Access policies in your Azure Active Directory tenant, showing key details like policy names, user conditions, and access controls.


🔐 12. Security Policies and Compliance

Create a Security Policy with Azure Policy:

az policy assignment create --name "EnforceTagging" --policy "/providers/Microsoft.Authorization/policyDefinitions/Tagging" \
  --scope "/subscriptions/<subscription-id>"

What it does:

This command assigns an existing Azure policy that enforces resource tagging across the specified subscription. Azure Policy ensures compliance with organizational standards by auditing or denying non-compliant resources.

List Policy Definitions:

az policy definition list --output table

What it does:

Displays all policy definitions available in Azure, including built-in and custom policies that help manage and enforce security and compliance across your resources.


🌐 13. Virtual Network Management

Create a Virtual Network (VNet):

az network vnet create --resource-group MyResourceGroup --name MyVnet --address-prefix 10.0.0.0/16 --subnet-name MySubnet --subnet-prefix 10.0.1.0/24

What it does:

Creates a new virtual network (VNet) with a specified address space and a subnet. VNets are crucial for networking Azure resources like virtual machines and databases.

Create a Virtual Network Peering:

az network vnet peering create --name Vnet1ToVnet2 --resource-group MyResourceGroup --vnet-name Vnet1 --remote-vnet /subscriptions/<sub-id>/resourceGroups/OtherResourceGroup/providers/Microsoft.Network/virtualNetworks/Vnet2 --allow-vnet-access

What it does:

Creates peering between two virtual networks (VNet1 and VNet2), allowing them to communicate with each other securely. This is commonly used to connect resources across different VNets.

List Virtual Networks:

az network vnet list --output table

What it does:

Lists all virtual networks within the specified resource group or subscription in a table format for easy viewing.


🔐 14. Azure Firewall and Network Security

Create an Azure Firewall:

az network firewall create --name MyFirewall --resource-group MyResourceGroup --location "East US"

What it does:

Creates an Azure Firewall, a managed cloud-based network security service that protects Azure Virtual Network resources.

Configure a Firewall Rule:

az network firewall rule create --firewall-name MyFirewall --resource-group MyResourceGroup --collection-name "AllowSSH" --rule-name "AllowSSH" --priority 100 \
  --rule-type NetworkRule --action Allow --protocols "TCP" --source-addresses "*" --destination-addresses "10.0.1.0/24" --destination-ports 22

What it does:

Creates a network rule in the Azure Firewall to allow SSH traffic (port 22) to a specific subnet (10.0.1.0/24). Network rules in Azure Firewall are used to control inbound and outbound traffic.

List Firewall Rules:

az network firewall rule list --firewall-name MyFirewall --resource-group MyResourceGroup --output table

What it does:

Lists all firewall rules configured for the specified Azure Firewall.


🔍 15. Security Monitoring with Azure Sentinel

Onboard Azure Sentinel:

az sentinel workspace create --resource-group MyResourceGroup --name MySentinelWorkspace --location "East US"

What it does:

Creates an Azure Sentinel workspace for security event monitoring. Sentinel integrates with various data sources to provide a centralized view of security operations.

Connect a Data Source to Azure Sentinel:

az sentinel data-connector create --workspace-name MySentinelWorkspace --resource-group MyResourceGroup --kind AzureActiveDirectory --name "AADConnector"

What it does:

Adds a data connector (such as Azure Active Directory) to Azure Sentinel, allowing it to collect security-related logs and events for monitoring.

Create an Alert Rule in Sentinel:

az sentinel alert-rule create --resource-group MyResourceGroup --workspace-name MySentinelWorkspace --name "HighCPUAlert" --query "SearchQuery" --severity "High" --enabled true

What it does:

Creates a custom alert rule in Azure Sentinel that triggers when specific conditions (e.g., high CPU usage) are met. This allows automated monitoring and alerting.


🔒 16. Azure Security Center

Enable Azure Security Center Standard Tier:

az security pricing create --name default --tier Standard

What it does:

Enables the Standard tier of Azure Security Center, which provides advanced threat detection, vulnerability assessments, and just-in-time VM access.

List Security Recommendations:

az security assessment list --output table

What it does:

Lists all security recommendations provided by Azure Security Center, such as enabling multi-factor authentication (MFA) or updating outdated configurations.

Configure Just-in-Time (JIT) VM Access:

az security jit-policy create --resource-group MyResourceGroup --name MyVM --ports '[{"number":22,"protocol":"*","allowedSourceAddressPrefix":"*","maxRequestAccessDuration":"PT3H"}]'

What it does:

Configures Just-in-Time access for an Azure VM. In this example, it allows SSH (port 22) access for a maximum of 3 hours.
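The `--ports` argument is a small JSON policy, and its two security-relevant fields are the access window (an ISO 8601 duration such as `PT3H`) and the allowed source prefix. The following added example (not from the wiki) parses that JSON, converts the duration to a `timedelta`, and reports ports whose window exceeds a limit or whose source is left at `*`. The input is the exact ports JSON from the command above; the 24-hour ceiling is an assumed organizational limit, not a platform constant.

```python
"""Review a JIT VM-access port definition before applying it. Added example;
the ports JSON is copied from the page's command and the 24-hour ceiling is
an assumed organizational limit."""
import json
import re
from datetime import timedelta

# The ports JSON from the `az security jit-policy create` command above
PORTS_JSON = ('[{"number":22,"protocol":"*","allowedSourceAddressPrefix":"*",'
              '"maxRequestAccessDuration":"PT3H"}]')

# Days plus the time components used by JIT policies (weeks/months not needed)
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_iso_duration(text):
    """Convert an ISO 8601 duration like PT3H or P1DT12H into a timedelta."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported ISO 8601 duration: {text}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def review_jit_ports(ports_json, max_duration=timedelta(hours=24)):
    """Return findings for each port entry that is too open or too long-lived."""
    findings = []
    for p in json.loads(ports_json):
        window = parse_iso_duration(p["maxRequestAccessDuration"])
        label = f"port {p['number']}/{p['protocol']}"
        if window > max_duration:
            findings.append(f"{label}: window {window} exceeds {max_duration}")
        if p.get("allowedSourceAddressPrefix") == "*":
            findings.append(f"{label}: any source address may request access; "
                            "pin allowedSourceAddressPrefix to known ranges")
    return findings


if __name__ == "__main__":
    for f in review_jit_ports(PORTS_JSON):
        print("-", f)
```

With the page's policy the only finding is the unrestricted source prefix; lowering `max_duration` to an hour also surfaces the three-hour window, which is how you would encode a stricter internal standard.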


💾 17. Backup and Restore

Enable Backup for a Virtual Machine:

az backup protection enable-for-vm --resource-group MyResourceGroup --vault-name MyRecoveryVault --vm MyVM

What it does:

Enables Azure Backup for a specified virtual machine, automatically backing up its state for future recovery.

Trigger a Backup Job:

az backup protection backup-now --resource-group MyResourceGroup --vault-name MyRecoveryVault --container-name MyVM --item-name MyVMItem --retain-until 2023-12-31

What it does:

Manually triggers a backup job for the specified VM, with the backup retention set until the specified date.

Restore a Virtual Machine from Backup:

az backup restore restore-disks --resource-group MyResourceGroup --vault-name MyRecoveryVault --container-name MyVM --item-name MyVMItem --restore-to-staging-storage-account MyStorageAccount

What it does:

Restores a VM from an existing backup, placing the restored VM disks into a specified storage account for recovery.


🛡️ 18. Azure DDoS Protection

Enable DDoS Protection for a VNet:

az network vnet update --name MyVNet --resource-group MyResourceGroup --ddos-protection true --ddos-protection-plan /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/ddosProtectionPlans/<plan-name>

What it does:

Enables DDoS Protection for a virtual network, safeguarding it against Distributed Denial of Service attacks.

List DDoS Protection Plans:

az network ddos-protection list --output table

What it does:

Lists all DDoS Protection plans configured in the Azure environment.


🏁 Conclusion

This extended set of Azure CLI commands is critical for managing security, resources, and identity in Azure environments. As you study for the AZ-500 certification, mastering these commands will help you manage your infrastructure efficiently and securely.

Feel free to continue practicing with these commands in a lab environment to gain the practical experience needed for the exam!


This next page expands your Azure CLI toolkit with more advanced, security-focused commands, ideal for mastering the skills needed for the AZ-500 exam.
