Implement End‑to‑End Security Controls for Cloud and AI Workloads – Intensive Training (SC-500)
digicode: SC500
Course facts
- Strengthening identity security by enforcing multifactor and passwordless authentication and using Privileged Identity Management (PIM) to remove standing access
- Adopting defense-in-depth across cloud assets, including Key Vault, storage, and SQL databases, to secure data and manage secrets
- Enforcing governance and compliance using policies and resource locks to prevent non-compliant deployments across hybrid environments
- Implementing layered network controls by segmenting workloads and replacing VPNs with Zero Trust application-level access
- Securing AI workloads by addressing specific attack surfaces with dedicated identity management and real-time runtime protection
- Hardening infrastructure by applying security baselines to virtual machines and containers, using encryption and vulnerability scanning
- Maintaining a comprehensive security posture via Microsoft Defender for Cloud to ensure unified visibility and effective risk remediation
- Building automated response architectures by centralizing data in Microsoft Sentinel and leveraging Security Copilot for incident management
1 Secure access to resources by using Microsoft Entra
Controlling who can access what, and under what conditions, is one of the most consequential responsibilities in cloud security. A misconfigured authentication policy, an overprivileged account left unreviewed, or a poorly secured AI agent can each become the foothold an attacker needs to move laterally through your environment.
In this module, you build the skills to close those gaps. You start by designing and deploying secure authentication in Microsoft Entra ID, including configuring multifactor authentication. Next, you configure Conditional Access policies, passwordless options, and self-service password reset for hybrid environments. You then move into privileged access, where you implement Just-in-Time access for Microsoft Entra roles and Azure resources using Privileged Identity Management (PIM). Just-in-Time access eliminates standing permissions that create unnecessary risk. Finally, you apply these identity and access principles to a modern challenge: securing AI-powered applications and declarative agents that use API plugins to act on behalf of users.
By the end of this module, you have a practical, defense-in-depth approach to access security, spanning credential hardening, privileged access governance, and identity-aware AI application design.
2 Secure Azure Key Vault with defense in depth for the cloud and AI workloads
Implement a defense-in-depth security strategy for Azure Key Vault. In this module, you apply security-hardened vault configuration, enforce least-privilege access with just-in-time activation, manage the full lifecycle of keys, secrets, and certificates, and use Microsoft Defender for Cloud to detect exposed credentials and malicious access patterns targeting your vaults.
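As an added example (not part of the course material), the following Bicep template shows the hardened vault configuration this module describes: Azure RBAC instead of access policies (so data-plane roles can be granted just in time through PIM), soft delete with purge protection, public network access disabled, a private endpoint, and audit logging to a Log Analytics workspace for Defender for Cloud and Sentinel to consume. The vault name, the subnet and workspace resource IDs, and the API versions are assumptions chosen for illustration.

```bicep
// Added example, not course code. Resource-group scope.
param location string = resourceGroup().location
param kvName string                      // assumed: globally unique vault name
param subnetId string                    // assumed: existing subnet resource ID for the private endpoint
param logAnalyticsWorkspaceId string     // assumed: existing Log Analytics workspace resource ID

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    // Azure RBAC for the data plane; vault access policies are disabled.
    enableRbacAuthorization: true
    // Soft delete plus purge protection: deleted keys/secrets can be recovered,
    // and nobody can purge them before the retention period ends.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true          // cannot be turned off once enabled
    // No public endpoint; traffic must arrive through the private endpoint below.
    publicNetworkAccess: 'Disabled'
    networkAcls: { bypass: 'AzureServices', defaultAction: 'Deny' }
  }
}

// Private endpoint so clients reach the vault over the VNet only.
resource kvPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${kvName}-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'vault'
        properties: {
          privateLinkServiceId: kv.id
          groupIds: [ 'vault' ]
        }
      }
    ]
  }
}

// AuditEvent logs record every data-plane operation (who read which secret, from where).
resource kvDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit-to-log-analytics'
  scope: kv
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { category: 'AuditEvent', enabled: true } ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file keyvault.bicep --parameters kvName=<name> subnetId=<id> logAnalyticsWorkspaceId=<id>`. Note that a private DNS zone (`privatelink.vaultcore.azure.net`) linked to the VNet is still needed for name resolution; it is omitted here for brevity.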
3 Enforce security governance and regulatory compliance
Enforce security governance and regulatory compliance across Azure environments. Configure Azure Policy and resource locks to block noncompliant deployments. Then manage security standards and remediate recommendations in Defender for Cloud, evaluate regulatory compliance posture, govern RBAC role assignments at scale, protect backup data against ransomware and deletion, and embed security controls into Bicep pipelines before resources reach production.
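The following subscription-scope Bicep template is an added example (not course material) of the two preventive controls named above: a custom Azure Policy definition with a deny effect that blocks storage accounts accepting plain HTTP, assigned to the subscription, and a CanNotDelete resource lock on a resource group. The policy name, resource group name and location are assumptions chosen for illustration.

```bicep
// Added example, not course code. Deploy at subscription scope.
targetScope = 'subscription'

param location string = 'eastus'            // assumed
param rgName string = 'rg-keyvault-prod'    // assumed resource group name

// Custom policy: deny any storage account whose supportsHttpsTrafficOnly is false.
// (A built-in definition with the same rule exists; a custom one is shown so the
// rule itself is visible and no definition ID has to be looked up.)
resource denyHttpStorage 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-storage-http'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Deny storage accounts that allow HTTP'
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          { field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly', equals: 'false' }
        ]
      }
      then: { effect: 'deny' }
    }
  }
}

// Assign the definition to the whole subscription. Deployments that violate it
// fail at the ARM layer, regardless of who submits them.
resource denyHttpStorageAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-storage-http'
  properties: {
    displayName: 'Deny storage accounts that allow HTTP'
    policyDefinitionId: denyHttpStorage.id
    enforcementMode: 'Default'   // 'DoNotEnforce' would only audit
  }
}

resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
  name: rgName
  location: location
}

// CanNotDelete lock: nothing in the group can be deleted until the lock is removed,
// which requires Owner or User Access Administrator rights (Microsoft.Authorization/locks/delete).
resource rgLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-no-delete'
  scope: rg
  properties: {
    level: 'CanNotDelete'
    notes: 'Remove the lock before an intentional deletion; do not grant lock rights broadly.'
  }
}
```

Deploy with `az deployment sub create --location eastus --template-file governance.bicep`. A lock is not a substitute for RBAC: anyone who can delete the lock can delete the resources, so the lock's value comes from keeping `Microsoft.Authorization/locks/*` out of day-to-day roles.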
4 Implement security for Azure Storage for the cloud and AI security engineer
Implement a defense-in-depth security strategy for Azure Storage. In this module, you harden storage accounts against common attack vectors, and govern access with Microsoft Entra ID managed identities and stored access policies. Next you configure network perimeter controls using firewall rules and private endpoints, and enable Microsoft Defender for Storage to detect threats including malicious file uploads and compromised AI agent credentials.
5 Implement security for Azure SQL databases
Implement end-to-end security for Azure SQL Database and SQL Managed Instance. Configure Microsoft Entra ID authentication with managed identity access, deploy private endpoints, and apply encryption and access controls to protect sensitive financial data. Establish compliant audit trails and enable Microsoft Defender for Databases to detect SQL injection, anomalous access, and vulnerability exposures.
6 Implement network security controls in Azure
Implement defense-in-depth network security controls in Azure. Segment workloads and enforce least-privilege access using NSGs, ASGs, and Azure Virtual Network Manager. Inspect and control traffic centrally with Azure Firewall. Harden remote and hybrid connectivity and replace broad VPN access with Zero Trust application-level access using Microsoft Entra Private Access. Eliminate public exposure of PaaS and AI services using private endpoints and Azure Private Link.
7 Implement security for AI
AI workloads introduce new attack surfaces across identity, data, and runtime layers that traditional security controls don't fully address. In this module, you implement layered AI security controls across the Microsoft security platform.
You start by discovering and assessing AI data risks using Microsoft Purview Data Security Posture Management (DSPM). Next you secure agent identities using Microsoft Entra Agent ID and Conditional Access, and analyze AI identity blast radius and attack paths in Microsoft Defender XDR. From there, you configure real-time runtime protection for Copilot Studio agents using Microsoft Defender for Cloud Apps, and secure AI model traffic using AI Gateway in Microsoft Foundry. Finally, you configure guardrails in Microsoft Foundry, protect AI workloads using Microsoft Defender for Cloud, and govern deployed agents using Microsoft Agent 365.
8 Implement security for servers and virtual machines
Implement layered security controls across Azure virtual machines and Arc-enabled hybrid servers. Configure disk encryption options, including encryption at host with customer-managed keys and confidential disk encryption. Enable Trusted Launch security features (Secure Boot, vTPM, and integrity monitoring) to protect against boot-level threats. Eliminate public RDP and SSH exposure with Azure Bastion. Extend Azure security governance to on-premises and multicloud servers using Azure Arc. Deploy Microsoft Defender for Servers for vulnerability scanning, endpoint detection, agentless machine scanning, and File Integrity Monitoring. Enforce just-in-time VM access to eliminate permanently open management ports. Apply Azure Machine Configuration to audit and enforce OS security baselines across your entire server estate.
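As an added example (not course material), this Bicep template provisions a Linux VM with the boot and disk protections this module covers: Trusted Launch with Secure Boot and vTPM, encryption at host, no public IP (management access is expected through Azure Bastion), and SSH keys only. The VM name, size, image, admin user name and the subnet ID parameter are assumptions chosen for illustration.

```bicep
// Added example, not course code. Resource-group scope.
param location string = resourceGroup().location
param vmName string = 'vm-web-01'          // assumed
param subnetId string                      // assumed: existing subnet resource ID
param adminUsername string = 'azureadmin'  // assumed
param sshPublicKey string                  // assumed: supplied at deploy time

resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: '${vmName}-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          privateIPAllocationMethod: 'Dynamic'
          // No publicIPAddress property: RDP/SSH reach the VM via Azure Bastion only.
        }
      }
    ]
  }
}

resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: vmName
  location: location
  properties: {
    // Size must support both Trusted Launch and encryption at host.
    hardwareProfile: { vmSize: 'Standard_D2s_v5' }
    securityProfile: {
      securityType: 'TrustedLaunch'
      uefiSettings: {
        secureBootEnabled: true   // rejects unsigned/tampered boot loaders
        vTpmEnabled: true         // measured boot; attestation data for integrity monitoring
      }
      // Encrypts OS/data disk caches and temp disk on the host; requires the
      // Microsoft.Compute/EncryptionAtHost feature to be registered on the subscription.
      encryptionAtHost: true
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'     // Trusted Launch requires a Generation 2 image
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: { storageAccountType: 'Premium_LRS' }
      }
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      linuxConfiguration: {
        disablePasswordAuthentication: true   // keys only; no password brute force surface
        ssh: {
          publicKeys: [
            { path: '/home/${adminUsername}/.ssh/authorized_keys', keyData: sshPublicKey }
          ]
        }
      }
    }
    networkProfile: {
      networkInterfaces: [ { id: nic.id } ]
    }
  }
}
```

Register the host-encryption feature once per subscription with `az feature register --namespace Microsoft.Compute --name EncryptionAtHost` before deploying. Two items from the module are intentionally left out here: customer-managed keys (which add a disk encryption set referenced from `managedDisk.diskEncryptionSet.id`) and integrity monitoring, which is enabled separately through the Guest Attestation VM extension rather than a property on the VM resource.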
9 Secure Azure application platform services for the cloud and AI security engineer
Implement security controls across Azure application platform services, from container workloads to the API layer. Configure Microsoft Defender for Containers to detect risks in AKS and ACR, enforce AKS security baselines, and harden container registries and runtime environments. Then apply authentication, network access, and policy controls across Azure Functions, Logic Apps, App Service, Web Application Firewall, and Azure API Management.
10 Manage security posture by using Microsoft Defender for Cloud
Learn to build and maintain a strong security posture across your hybrid and multicloud estate using Microsoft Defender for Cloud. You start by connecting on-premises, AWS, and GCP environments to establish unified visibility. You then identify and prioritize security risks using Cloud Security Posture Management (CSPM), including Secure Score, attack path analysis, and Cloud Security Explorer. You extend that posture view outside-in with Microsoft Defender External Attack Surface Management (EASM) to discover unknown internet-facing assets and surface exploitable exposure. You assess your organization's compliance posture against regulatory frameworks and generate audit-ready reports. Finally, you enable Cloud Workload Protection Platform (CWPP) plans to defend servers, storage, databases, and AI workloads against active threats, and configure Microsoft Defender Vulnerability Management to scan and remediate vulnerabilities on Azure VMs.
11 Implement activity and event collection in Microsoft Sentinel
Build a complete event collection and response architecture in Microsoft Sentinel. In this module, you set up and secure a Microsoft Sentinel workspace, deploy Content Hub solutions, and connect Azure resource data. Then you collect Linux and Windows security events with data collection rules, and implement automated response workflows with Logic Apps playbooks. The final stage is to manage data retention and audit log access to meet compliance requirements.
12 Deploy and operate Microsoft Security Copilot
In this final module, you build a working foundation with Microsoft Security Copilot and advance to enterprise-grade deployment and day-to-day operations. You start by exploring core concepts, how Security Copilot processes natural language prompts, the elements of an effective prompt, and the steps to enable the solution for your organization. You then plan and configure workspaces with the right Security Compute Units, data residency settings, and role assignments to support enterprise segmentation requirements. Finally, you govern plugin access and manage the full lifecycle of both Microsoft-built and partner-built agents to keep your deployment running smoothly and securely.
As a candidate for this course, you’re a security engineer who protects organizational systems and data across cloud and hybrid environments by implementing comprehensive security controls that prevent unauthorized access and mitigate risks proactively. This role spans multiple security domains, including identity, network, application, data, and compute. It also ensures that the platforms, data, identities, and infrastructure used by AI workloads are securely implemented and monitored. You work closely with architects, administrators, engineers, analysts, and developers responsible for Azure, Microsoft 365, identity and access, information protection, security operations, DevOps, application development, database platforms, and networks. You should have practical experience administering Microsoft Azure and hybrid environments, including compute, network, and storage, strong familiarity with Microsoft Entra ID, and familiarity with Microsoft 365 administration. Your responsibilities for this role include:
- Securing access to resources by using Microsoft Entra ID and Azure Key Vault
- Enforcing security and regulatory compliance
- Securing storage, databases, and networking
- Securing compute
- Securing AI solutions
- Managing and monitoring security posture
Prerequisites for this course:
- Familiarity with Microsoft Entra ID concepts, including users, groups, and directory roles
- Understanding of Azure role-based access control (RBAC), including role assignments and the Azure scope hierarchy (management group, subscription, resource group, resource)
- Basic experience navigating the Azure portal and the Microsoft Entra admin center
- Familiarity with Zero Trust security principles, including least privilege and assume breach
- Awareness of Microsoft Entra ID P2 or Microsoft Entra ID Governance licensing requirements
This intensive training prepares you for: