
Microsoft Security, Compliance, and Identity Fundamentals
SC-900

Concepts

Pascal Sauliere, CSA

https://aka.ms/sc900academy
Agenda
 Save the date
 Introduction
 Security and compliance concepts & methodologies
 Identity concepts
 Resources
Save the date

Date                        Topic
23 January 2023 (12:00)     Concepts
25 January 2023 (12:00)     Identity and access management
27 January 2023 (12:00)     Microsoft 365 security solutions
30 January 2023 (12:00)     Azure security solutions
1 February 2023 (12:00)     Compliance solutions
3 February 2023 (12:00)     Dry run and Q&A
Overview of Microsoft Certified: Security, Compliance, and Identity Fundamentals
Get started at aka.ms/SecurityCerts_Fundamentals

Who is this certification for?
This certification is aimed at those looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across Microsoft cloud-based and related services. This is a broad audience that may include business stakeholders, new or existing IT professionals, or students who have an interest in Microsoft security, compliance, and identity solutions.

Exam details
SC-900: Microsoft Security, Compliance, and Identity Fundamentals
Skills measured:
• Concepts of Security, Compliance, and Identity
• Capabilities of Microsoft Identity and Access Management Solutions
• Capabilities of Microsoft Security Solutions
• Capabilities of Microsoft Compliance Solutions
Knowledge and experience: candidates should be familiar with Microsoft Azure and Microsoft 365 and understand how Microsoft security, compliance, and identity solutions can span across these solution areas to provide a holistic and end-to-end solution.

Certification
Pass certification exam SC-900 to earn this certification: Microsoft Certified: Security, Compliance, and Identity Fundamentals.

Products featured
• Azure Active Directory
• Azure Sentinel
• Azure Secure Score
• Microsoft 365 Defender
• Microsoft Security Score
• Microsoft Compliance Manager
• Microsoft Intune
• And more…

© 2021 Microsoft Corporation. All rights reserved.
 Find a Learning Partner
The journey to Microsoft Certified: Security, Compliance, and Identity Fundamentals
Get started at aka.ms/SecurityCerts_Fundamentals

Start here: decide if this is the right certification for you
This certification is targeted to those looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services.
First, make sure your skills are up to date. Need to update your skills in security, compliance, and identity? Take the Security, Compliance, and Identity Fundamentals training on Microsoft Learn.

Upskill with recommended training and experience
• Skills outline guide: SC-900
• Self-paced online learning: Microsoft Learn
• Additional resources: Microsoft Docs

Pass the required exam to earn your certification
Exam SC-900, Microsoft Security, Compliance, and Identity Fundamentals, earns Microsoft Certified: Security, Compliance, and Identity Fundamentals.
Learning path for Microsoft Certified: Security, Compliance, and Identity Fundamentals

This certification is targeted to those looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services. This is a broad audience that may include business stakeholders, new or existing IT professionals, or students who have an interest in Microsoft security, compliance, and identity solutions.

Self-paced online training on Microsoft Learn:
• Describe the concepts of security, compliance, and identity (2 modules)
• Describe the capabilities of Microsoft identity and access management solutions (4 modules)
• Describe the capabilities of Microsoft security solutions (6 modules)
• Describe the capabilities of Microsoft compliance solutions (5 modules)

Exam SC-900, Microsoft Security, Compliance, and Identity Fundamentals: pass certification exam SC-900 to earn the certification Microsoft Certified: Security, Compliance, and Identity Fundamentals.
The SC-900 exam
 Microsoft Security, Compliance, and Identity Fundamentals
 60 minutes, about 50 very general questions

 Topics:
 Describe the concepts of security, compliance, and identity (10-15%)
 Describe the capabilities of Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra (25-30%)
 Describe the capabilities of Microsoft security solutions (25-30%)
 Describe the capabilities of Microsoft compliance solutions (25-30%)

https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900
Describe the Concepts of Security, Compliance, and Identity (10-15%)

 Describe security and compliance concepts & methodologies
  Describe the shared responsibility model
  Describe defense in depth
  Describe the Zero-Trust model
  Describe encryption and hashing
  Describe compliance concepts

 Define identity concepts
  Define identity as the primary security perimeter
  Define authentication
  Define authorization
  Describe identity providers
  Describe Active Directory
  Describe the concept of Federation

Learning path: https://docs.microsoft.com/en-us/learn/paths/describe-concepts-of-security-compliance-identity/


Defense in depth
 Physical security such as limiting access to a datacenter to only
authorized personnel.
 Identity and access security controlling access to infrastructure and
change control.
 Perimeter security including distributed denial of service (DDoS)
protection to filter large-scale attacks before they can cause a denial
of service for users.
 Network security can limit communication between resources using
segmentation and access controls.
 The compute layer can secure access to virtual machines either on-
premises or in the cloud by closing certain ports.
 Application layer security ensures that applications are secure and
free of security vulnerabilities.
 Data layer security controls access to business and customer data,
and encryption to protect data.
Confidentiality, Integrity, Availability (CIA)
 Confidentiality refers to the need to keep sensitive data, such as customer
information, passwords, or financial data, confidential. You can encrypt data to
keep it confidential, but then you also need to keep the encryption keys
confidential. Confidentiality is the most visible part of security: the need for
sensitive data, keys, passwords, and other secrets to be kept confidential is
clear.
 Integrity refers to keeping data or messages correct. When you send an email
message, you want to be sure that the message received is the same as the
message you sent. When you store data in a database, you want to be sure that
the data you retrieve is the same as the data you stored. Encrypting data keeps
it confidential, but you must then be able to decrypt it so that it's the same as
before it was encrypted. Integrity is about having confidence that data hasn't
been tampered with or altered.
 Availability refers to making data available to those who need it. It's important
to the organization to keep customer data secure, but at the same time it must
also be available to employees who deal with customers. While it might be
more secure to store the data in an encrypted format, employees need access
to decrypted data.
Traditional Model
Users, devices, apps, and data protected behind a DMZ/firewall on the corporate network.

Today's Model
The identity perimeter complements the network perimeter: employees, partners, and customers reach the corporate network, cloud services, and SaaS apps from home offices, mobile devices, personal devices, and IoT devices.
How the world changed
 94% of organizations using cloud [2]
 7B internet-connected devices in use worldwide [1]
 5.2 mobile business apps accessed daily by employees [3]
 60% of organizations currently have a formal BYOD program in place [3]
Old World vs. New World

Old world                         New world
Users are employees               Employees, partners, customers, bots
Corporate managed devices         Bring your own devices and IoT
On-premises apps                  Explosion of cloud apps
Monolithic apps                   Composite apps & public RESTful APIs
Corp network and firewall         Expanding perimeters
Local packet tracking and logs    Explosion of signal

A new reality needs new principles
 Verify explicitly
 Use least privilege access
 Assume breach

Microsoft Zero Trust
An integrated approach to securing access with adaptive controls and continuous verification across your entire digital estate. Secure access at the resource.
Zero Trust across the digital estate

Identity Devices Apps Infrastructure Networking Data


Zero Trust Architecture (diagram)
 Signals feeding the Zero Trust policy engine (request evaluation, enhancement, enforcement): Identities (human and non-human; strong authentication), Endpoints (corporate and personal devices; device compliance, risk assessment), and policy optimization (governance, compliance, security posture assessment, productivity optimization).
 Resources the policy gates: Data (emails & documents, structured data; classify, label, encrypt), Apps (SaaS and on-premises apps; adaptive access), Infrastructure (containers, serverless, internal sites, PaaS, IaaS; runtime control, JIT and version control), Network (traffic filtering & segmentation).
 Threat protection: continuous assessment, threat intelligence, forensics, response automation, driven by telemetry/analytics/assessment.
Encryption, hashing, signing
 Symmetric encryption
 same key to encrypt and decrypt
 good performance, can encrypt big volumes, but the key itself must be shared secretly

 Asymmetric encryption
 key pair: private key, public key
 what one key encrypts, only the other can decrypt
 not efficient for big volumes; used to encrypt a symmetric key (key wrapping) or to sign a hash (digital signature)

 Encryption at rest: confidentiality at rest
 Encryption in transit: confidentiality in transit
 Hashing: integrity (a fixed-size digest that changes if any bit of the input changes)
 Signing: integrity + authentication + non-repudiation
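The three mechanisms above combine naturally: bulk data is encrypted symmetrically, the symmetric key is wrapped with the recipient's public key, and the result is signed so the recipient can check integrity and origin. The following is an added example written for this page in Go (standard library only), not code from the deck or from a Microsoft product; the Envelope layout, the function names, and the choice of AES-256-GCM, RSA-OAEP and Ed25519 are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the wire format assumed here: wrapped AES key, nonce||AES-GCM ciphertext, signature.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
	Signature  []byte
}

// newParties generates the recipient's RSA key pair and the sender's Ed25519 key pair.
func newParties() (*rsa.PrivateKey, ed25519.PublicKey, ed25519.PrivateKey) {
	rk, _ := rsa.GenerateKey(rand.Reader, 2048)
	sp, sk, _ := ed25519.GenerateKey(rand.Reader)
	return rk, sp, sk
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key => AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSymmetric: one key both encrypts and decrypts; fast enough for bulk data.
func encryptSymmetric(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func decryptSymmetric(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil) // also verifies the GCM tag
}

// Seal: symmetric encryption of the bulk data, asymmetric encryption (RSA-OAEP) of the
// 32-byte key only, and an Ed25519 signature over the ciphertext.
func Seal(plaintext []byte, recipient *rsa.PublicKey, signer ed25519.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ct, err := encryptSymmetric(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct, Signature: ed25519.Sign(signer, ct)}, nil
}

// Open verifies the signature before touching any key material, unwraps the key, then decrypts.
func Open(env *Envelope, recipient *rsa.PrivateKey, signerPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(signerPub, env.Ciphertext, env.Signature) {
		return nil, errors.New("signature check failed: wrong sender or modified in transit")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return decryptSymmetric(key, env.Ciphertext)
}

// Fingerprint is hashing alone: a fixed-size digest that changes with any change to the input.
func Fingerprint(data []byte) [32]byte { return sha256.Sum256(data) }

func main() {
	recipientKey, senderPub, senderPriv := newParties()
	env, _ := Seal([]byte("Q3 payroll export (constructed sample)"), &recipientKey.PublicKey, senderPriv)
	got, err := Open(env, recipientKey, senderPub)
	fmt.Printf("roundtrip: %q err=%v sha256=%x\n", got, err, Fingerprint(got))
	env.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Open(env, recipientKey, senderPub)
	fmt.Println("after tampering:", err)
}
```

Note the order in Open: the signature is checked first, so a forged or modified envelope is rejected before the private key is ever used, and the GCM tag gives a second integrity check on the ciphertext itself. Hashing alone (Fingerprint) detects accidental change but not a deliberate one, since the attacker can recompute the digest; only the signature ties the data to a key the attacker does not hold.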
Compliance concepts
 Data residency
 physical locations where data may be stored
 international transfers, processing, and access

 Data sovereignty
 laws that apply depending on the country where data is collected, stored, or processed

 Data privacy
 collection, processing, use, and sharing of personal data
Knowledge check
Common identity attacks
 Password-based attacks
 Password spray
 Brute force

 Phishing
 Spear phishing
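The two password-based attacks listed above leave different traces in a sign-in log: brute force hammers one account with many passwords, while a password spray tries one or two common passwords against many accounts so that no single account reaches its lockout threshold. The following is an added example written for this page in Go, not code from the deck or from any Microsoft product; the log layout, the sign-in rows, the thresholds, and the function names are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SignIn is one row of the constructed sign-in log below.
type SignIn struct {
	Time, User, SourceIP string
	Failed               bool
}

// Finding is one detection, keyed by the source address.
type Finding struct {
	SourceIP, Kind  string // Kind: "brute force" or "password spray"
	Users, Failures int    // distinct accounts targeted, total failed sign-ins
}

// sampleLog is constructed for this example; the space-separated layout
// (timestamp user source-ip result) is an assumption, not a real product format.
const sampleLog = `
2023-01-23T12:00:01Z alice 10.0.0.5 FAIL
2023-01-23T12:00:02Z alice 10.0.0.5 FAIL
2023-01-23T12:00:03Z alice 10.0.0.5 FAIL
2023-01-23T12:00:04Z alice 10.0.0.5 FAIL
2023-01-23T12:00:05Z alice 10.0.0.5 FAIL
2023-01-23T12:01:00Z bob 203.0.113.9 FAIL
2023-01-23T12:01:30Z carol 203.0.113.9 FAIL
2023-01-23T12:02:00Z dave 203.0.113.9 FAIL
2023-01-23T12:02:30Z erin 203.0.113.9 FAIL
2023-01-23T12:03:00Z frank 203.0.113.9 FAIL
2023-01-23T12:05:00Z alice 192.0.2.4 FAIL
2023-01-23T12:05:20Z alice 192.0.2.4 SUCCESS
`

func ParseSignIns(log string) []SignIn {
	var out []SignIn
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue // skip malformed lines rather than abort the whole batch
		}
		out = append(out, SignIn{Time: f[0], User: f[1], SourceIP: f[2], Failed: f[3] == "FAIL"})
	}
	return out
}

// Detect groups failures by source address. Brute force piles many attempts on
// one or two accounts; a spray tries one or two common passwords across many
// accounts, so each account sees only a couple of failures and per-account
// lockout never fires. The thresholds are example values, not product defaults.
func Detect(events []SignIn, minFailures, sprayMinUsers int) []Finding {
	type agg struct {
		failures int
		perUser  map[string]int
	}
	byIP := map[string]*agg{}
	for _, e := range events {
		if !e.Failed {
			continue
		}
		a := byIP[e.SourceIP]
		if a == nil {
			a = &agg{perUser: map[string]int{}}
			byIP[e.SourceIP] = a
		}
		a.failures++
		a.perUser[e.User]++
	}
	var out []Finding
	for ip, a := range byIP {
		if a.failures < minFailures {
			continue // a few typos are not an attack
		}
		maxPerUser := 0
		for _, n := range a.perUser {
			if n > maxPerUser {
				maxPerUser = n
			}
		}
		switch {
		case len(a.perUser) >= sprayMinUsers && maxPerUser <= 2:
			out = append(out, Finding{ip, "password spray", len(a.perUser), a.failures})
		case len(a.perUser) <= 2:
			out = append(out, Finding{ip, "brute force", len(a.perUser), a.failures})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].SourceIP < out[j].SourceIP })
	return out
}

func main() {
	for _, f := range Detect(ParseSignIns(sampleLog), 5, 5) {
		fmt.Printf("%-12s %-15s accounts=%d failures=%d\n", f.SourceIP, f.Kind, f.Users, f.Failures)
	}
}
```

The point of keying on the source address rather than on the account is that a spray is invisible per account (one failure each) and only shows up when failures are aggregated across accounts; a real attacker spreads the spray across many addresses and over hours, so production detections also bucket by time and by user-agent, which this example leaves out.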
Identity as the primary security perimeter
 Four pillars of identity
 Administration: creation and management
of identities for users, devices, and
services
 Authentication (AuthN)
 Authorization (AuthZ)
 Auditing: tracking who does what, when,
where, and how
Modern authentication and the identity provider

 The client authenticates to the identity provider (IdP) with its credentials (name, password)
 The IdP returns a token
 The client presents the token to the server (the resource), which validates it
 The token carries claims such as sub, nbf, exp, aud...
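What the server actually does with the token is the security-relevant part: it checks the signature, the validity window (nbf/exp) and the audience (aud) before trusting sub. The following is an added example written for this page in Go (standard library only), not code from the deck or from any Microsoft product. It uses a JWT signed with HS256 and a secret shared between IdP and server to stay self-contained; a real IdP such as Azure AD signs with an asymmetric key and publishes the public key, and the claim values, the secret and the function names here are all constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the token: the registered names from the slide (sub, nbf,
// exp, aud) plus iss. Times are Unix seconds, as in a JWT.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

func sign(signingInput string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// IssueToken is the identity provider's side, run only after the user's
// credentials have been verified: encode header and claims, then sign (HS256).
func IssueToken(c Claims, secret []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(sign(input, secret)), nil
}

// ValidateToken is the resource server's side. Order matters: the alg is pinned
// (so a token rewritten with alg "none" is rejected), the signature is checked
// before any claim is trusted, then the time window, then the audience, so a
// token minted for one API cannot be replayed against another.
func ValidateToken(token string, secret []byte, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1], secret)) {
		return nil, errors.New("signature check failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	t := now.Unix()
	if t < c.Nbf {
		return nil, errors.New("token not yet valid (nbf)")
	}
	if t >= c.Exp {
		return nil, errors.New("token expired (exp)")
	}
	if c.Aud != expectedAud {
		return nil, fmt.Errorf("token is for audience %q, not %q", c.Aud, expectedAud)
	}
	return &c, nil
}

func main() {
	secret := []byte("constructed-shared-secret") // IdP and resource server share this in HS256
	now := time.Now()
	tok, _ := IssueToken(Claims{Iss: "https://idp.example", Sub: "alice", Aud: "api://orders",
		Nbf: now.Unix() - 60, Exp: now.Unix() + 300}, secret)
	c, err := ValidateToken(tok, secret, "api://orders", now)
	fmt.Printf("orders API: claims=%+v err=%v\n", c, err)
	_, err = ValidateToken(tok, secret, "api://billing", now)
	fmt.Println("billing API:", err)
}
```

The audience check is the one most often skipped in practice: without it, any valid token issued by the same IdP for any other application is accepted, which turns every low-value app in the tenant into a stepping stone to the high-value one. hmac.Equal is used rather than a plain byte comparison so that the signature check does not leak timing information.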
Federated services
Directory services and Active Directory
 AD (AD DS): directory service, developed for Windows 2000
 Directory (LDAP): users, devices, groups
 Authentication (Kerberos)
 Management (OU, GPO)
 On-premises
 No support for mobile devices, SaaS applications, modern authentication

 Azure AD is the next evolution of identity and access management solutions
Resources

Acronyms: https://aka.ms/MSAcronyms

Virtual Instructor Trainings: https://partner.microsoft.com/en-us/training/assets/collection/microsoft-security-compliance-and-identity-fundamentals-sc-900#/

John Savill SC-900 Study Cram: https://www.youtube.com/watch?v=Bz-8jM3jg-8

Exam registration: https://learn.microsoft.com/en-us/certifications/exams/sc-900/

© Copyright Microsoft Corporation. All rights reserved.