Module 4: Lab 14: Azure Security Center - UI Change

Ex 1 Task 1 Step 10: "Use another workspace" should be "Connect Azure VMs to a different workspace"
Ex 1 Task 1 Step 11: at end add "and when prompted, select Existing and new VMs, and then select Apply again"

Module 1: Lab 2: Azure Policy

Ex 1 Task 1 Step 2: Cloudshell storage may already exist from previous lab. Continue.
Ex 1 Task 2 Step 9: Resource group has already been set by the Scope setting above.
Ex 1 Task 3 Step 5 and 6 should be one step.
Ex 1 Task 3 Step 8: If the Create Virtual Network blade is no longer open, repeat the steps at the beginning of the task, changing the Region to (Europe) UK South, and then continue.
 

Module 1: Lab 5 - Azure AD Privileged Identity Management

Ex 1 Task 3 Step 7: Permanently eligible option not available. Default is 1 year. Continue.
Ex 3 Task 2 Step 4: May have to select Azure AD Roles to see the Overview page.

Module: AZ500

Lab: 12

Task: 5

Step: 9

Description of issue

For the creation of myVmPublic, you specify : Public inbound ports : None

So there is no way to RDP into it at a later stage.

either let the default option or create an appropriate nsg

Repro steps:

Module: 00

Lab/Demo: 04

Task: 01

Step: 09-10

Description of issue: All of the current participants of the AZ500 microsoft led training could not deploy the template+parameters file as they are in this repository as they do not pass validation.

The solution is to edit the template az-500-04_azuredeploy.json file and modify the vmSize block to

"vmSize": {
    "type": "string",
    "defaultValue": "Standard_D2s_v3",
    "metadata": {
        "description": "Virtual machine size"
    }
},

Repro steps:

1. Follow steps in task 1 of lab 04 error will appear in steps 9-10.

Lab: 09

Exercise: 01

Task: 07

Step: 2

In the editor pane, scroll down to line 21 and replace the placeholder with the ACR name.

Solution: The line number should be 24 (not 21 as mentioned above).

There is a huge demand for:

• Azure security engineer expert skillsets
• Azure security architect expert skillsets

How to reach Microsoft to propose creating the above two Azure security expert-level certifications?

Module: 01

Lab/Demo: 04

Exercise: 4

Task: 4

Step: 00

Description of issue
The note at the beginning of task 4 references "Exercise 0" but there is no exercise 0. It's meant to refer to "Exercise 1"

Before you start this task, ensure that the template deployment you started in Exercise 0 has completed. The deployment includes an Azure VM named az500-04-vm1.

Module: 02

Lab/Demo: 09

Task: 05

Step: 07

Mod 2 Lab 9 Task 5 step 7
Description of issue

The following code is presented and appears to be expected output from the previous steps. Students are trying to execute the code from the command line and it produces an error (see attached file).

deployment.apps/nginxexternal created
service/nginxexternal created

The text should indicate more clearly the contents in the command box are not to be executed but observed from the previous instruction.

Repro steps:

1. Execute the commands above in the Bash Cloudshell
   

Module 4: Lab 13: Azure Monitor

Ex 1 Task 5 Step 4: The default is to show the Resource Type : Log Analytics. Click the X to show all the resource types on the left, then scroll down, and then select Virtual machine to show example queries for that resource type.

Lab: 10

Exercise: 1

Task: 1

Step: 10

Following line needs to be modified:
"Click the I agree to the terms and conditions stated above checkbox, and click Purchase."

Modified line should be:
"Click Review + Create and then click Create."

The structure of the labs in this repo compared to the previous one is a lot different. Each lab was in it's own module folder, this makes things a lot cleaner and easier to navigate in my opinion. Is this going to be changed?

Ex 4 Task 2 Step 4: Assign access to: should be "user, group, or service principal"

Module: AZ-500

Lab/Demo: Lab-06

Task: Task 2: Use an ARM template to deploy an Azure VM hosting an Active Directory domain controller

Step: 05

Description of issue

Populating 'DNS Prefix', that is a mandatory parameter, seems to be missing in the instructions

Repro steps:

Lab 4
Exercise 0
Task 1
Step 10

Following line needs to be modified:
"Click the I agree to the terms and conditions stated above checkbox, and click Purchase."

Modified line should be:
"Click Review + Create and then click Create."

May I ask about when will update the Lab Demo Recording for AZ-500?

https://github.com/MicrosoftLearning/Lab-Demo-Recordings/blob/master/AZ-500.md

Thank you

Module: 09

Exercise: 01

Task: 08

Step: 04

This line should be modified:
"replace the <internal_IP> placeholder with the name you identified in the previous task"
modified line is:
"replace the <internal_IP> placeholder with the private IP address you identified in the previous task"

Step: 05
"Close the Cloud Shell pane."
Should be modified with the following due to use of curl in earlier step showing a Nginx html file:

"Type exit and then close the Cloud Shell pane".

Lab: 09

Task: 07

Step: 07

Description of issue
The external IP stays pending. This is caused with the lack of Contributor role for AKS Managed ID to access the VNET.
Additional step would be required to resolve this issue.

Error message when creating internal loadbalancer(stucking with status)

sodo@Azure:~$ kubectl describe svc/nginxinternal
Name:                     nginxinternal
Namespace:                default
Labels:                   <none>
Annotations:              service.beta.kubernetes.io/azure-load-balancer-internal: true
Selector:                 app=nginxinternal
Type:                     LoadBalancer
IP Families:              <none>
IP:                       10.0.246.225
IPs:                      <none>
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  30775/TCP
Endpoints:                10.240.0.6:80
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type     Reason                  Age              From                Message
  ----     ------                  ----             ----                -------
  Normal   EnsuringLoadBalancer    3s (x2 over 9s)  service-controller  Ensuring load balancer
  Warning  SyncLoadBalancerFailed  3s (x2 over 8s)  service-controller  Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: Retriable: false, RetryAfter: 0s, HTTPS
tatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client 'ae6fff2d-3a9d-4910-97ad-c60ddcd7497d' with object id 'ae6fff2d-3a9d-4910-97ad-c60ddcd7497d' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/b066c990-6d46-403b-9543-26a9d8a8841e/resourceGroups/AZ500LAB09/providers/Microsoft.Network/virtualNetworks/AZ500LAB09vnet332/subnets/default' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Proposed steps to solve this issue:

1. After Task04, we need to execute additional steps to add a Contributor role for AKS Managed ID.

RG_AKS=AZ500LAB09
AKS_VNET_NAME=AZ500LAB09-vnet
AKS_CLUSTER_NAME=MyKubernetesCluster
AKS_VNET_ID=$(az network vnet show --name $AKS_VNET_NAME --resource-group $RG_AKS --query id -o tsv)
AKS_MANAGED_ID=$(az aks show --name $AKS_CLUSTER_NAME --resource-group $RG_AKS --query identity.principalId -o tsv)
az role assignment create --assignee $AKS_MANAGED_ID --role "Contributor" --scope $AKS_VNET_ID

This is confirmed in the VNET/IAM screen by the proper AKS ManagedID to be shown.
And with these commands we can create internal loadbalancer without any errors.

Your review would be appreciated.
Thank you.

Tetsuya

Module: 07

Exercise: 01

Task: 01

Step: 08

Step 8 is repeated (same as step 7). Kindly remove it.

Lab: 11

Exercise: 1

Task: 01

Step: 08

This line needs to be modified:
"Click the I agree to the terms and conditions stated above checkbox, and click Purchase."

Modified line should be:
"Click Review + Create and then click Create."

Lab: 11

Exercise: 1

Task: 01

Step: 06

Following line should be removed as there is no parameters file uploaded so there is no "Edit parameters" option to save.

"On the Edit parameters blade, click Save."

Module 04 - Manage security operations
Lab/Demo: LAB_13_Azure Monitor
Task 5: View and query collected data
Step: 4 On the Example queries pane, click Virtual machine

Description of issue
After clicking the get started button, the predefined queries are displayed directly and there is no virtual machine icon displayed.

Module 4: Lab 15: Azure Sentinel

Ex 1 Task 1 Step 4: "click Add Azure Sentinel." should be "click Add.". May take a while to register.
Ex 1 Task 2 Step 3: May have to scroll right to see the Configure Azure Activity logs link.
Ex 1 Task 2 Step 7: May have to wait for data received to display. Try refresh of browser.
Ex 1 Task 3 Step 3: May have to scroll right and scroll down to see the Create rule option.
Ex 1 Task 4 Step 6: Select Review+create and then select Create.

Module: 01

Lab/Demo: 05

Task: 03

Step: 07

By default, Assignment type is eligible. --> Review the Assignment type and select Active as an assignment type and click Assign.

Add also a justification for an active assignment.

Or do you mean to give a permanten eligible role in this step?

Lab/Demo: 13

Task: 4

Step: 4-8

The steps no longer match what is in Azure. You now have to go to Agents Configuration on the left menu of your workspace and select the appropriate data option.

Module 1: Lab 6 - Implement Directory Synchronization

Ex 1 Task 1 Step 2: Cloudshell storage may already exist from previous lab. Continue.
Ex 2 Task 3 Step 3: Need to click Create to create user.

Module: 06

Exercise: 01

Task: 02

Step: 06

This line needs to be modified:
"On the Create an Azure VM with a new AD Forest blade, click the checkbox I agree to the terms and conditions above and click Purchase."

Modified line should be:
"On Create an Azure VM with a new AD Forest blade, click Create + Review and then click Create."

Module: 3

Lab: 10

Exercise 3

Task: 5

Step: 2

Description of issue
The lab is not clear that the public address needs to be added into the firewall rule. If we follow the instructions it informs us that we need to create a firewall rule without a start and end IP address. Can you please indicate which IP address to enter for the start IP and end IP in the rule.

Repro steps:

Hi Team,

The Lab Demo Recording video for AZ-500 still does not updated since 2 months ago.

AZ-500 Lab Demo Recording

any ideas when will release the Lab Demo Recording videos?

Thank you.

Module 4: Lab 14: Azure Security Center

Ex 1 Task 1 Step 4: "On the Security Center | Getting started blade, click Pricing & settings." should be "On the Security Center resource menu, select Pricing & settings."
Ex 1 Task 1 Step 7: "On the Settings blade, click Data Collection." should be "On the Settings blade, click Auto Provisioning."
Ex 1 Task 1 Step 8: "On the Settings | Data Collection blade, set Auto provisioning to On." should be "On the Settings | Auto provisioning blade, set Log Analytics agent for Azure VMs to On and then select Edit Configuration."
Ex 1 Task 1 Step 9: "Use another workspace" should be "Connect Azure VMs to a different workspace"
Ex 1 Task 1 Step 9: at end add "then select Apply, and when prompted, select Existing and new VMs, and then select Apply again"
Ex 1 Task 1 Step 10: "On the Settings | Data Collection blade, click Save." should be "On the Settings | Auto provisioning blade, click Save."
Ex 1 Task 2 Step 2: "On the Security Center | Overview blade, in the POLICY & COMPLIANCE section, click Secure Score." should be "On the Security Center resource menu, in the Cloud security section, click Secure Score."
Ex 1 Task 2 Step 3: "On the Cloud Security | Secure Score blade, click on your subscription." should be "On the Secure Score blade, scroll down and click on your subscription."
Ex 1 Task 2 Step 5: May have to wait for myVM to appear in the list. Try refresh of browser.
Ex 1 Task 3 Step 2: May have to wait for myVM to appear in the list. Try refresh of browser.

Module: AZ500-AzureSecurityTechnologies

Lab/Demo: LAB_05_PIM.md

Excercise 2: Activate PIM roles with and without approval

Task:Task 1: Activate a role that does not require approval.

Step: 7 to 11

Description of issue
Steps 7 to 11 seems to be redundant as I was able to see my activated role in assigned role without having to address any warning or to refresh the logged in session.

Lab: 14

Exercise: 1

Task: 02

Following line needs to be modified:
"Task 2: Implement the Security Center recommendation to install guest configuration extension"

Modified line should be:
"Task 2: Implement Security Center recommendation to install end point protection solution."

Lab: 09

Task: 7

Step: 7

The external IP stays pending. Is this supposed to happen? Are we supposed to use the internal IP instead?

Module 3: Lab 12: Service Endpoints and Securing Storage

Ex 1 Task 3 Step 11: Need to click Add to add the second OutBound Rule.
Ex 1 Task 5 Step 2: "On the Virtual machines blade, click + Add." should be "On the Virtual machines blade, click + Add, and then select Virtual machine
Ex 1 Task 5 Step 3: "Windows Server 2019 Datacenter" should be " Windows Server 2019 Datacenter - Gen 1"
Ex 1 Task 5 Step 6: Boot diagnostics set to "Enable with managed storage account (Recommended)"
Ex 1 Task 5 Step 8: "On the Virtual machines blade, click + Add." should be "On the Virtual machines blade, click + Add, and then select Virtual machine
Ex 1 Task 5 Step 9: "Windows Server 2019 Datacenter" should be " Windows Server 2019 Datacenter - Gen 1"
Ex 1 Task 5 Step 12: Boot diagnostics set to "Enable with managed storage account (Recommended)"

Module: AZ500-AzureSecurityTechnologies
Lab/Demo: LAB_10_KeyVaultImplementingSecureDatabysettingupAlwaysEncrypted
Exercise 2: Create an application to demonstrate using the key vault for encryption
Task 4: Create a table in the SQL Database and select data columns for encryption
Step 2: On the Firewall settings blade, click + Add client IP, next click Save and then click OK.

Description of issue
Better to request the user to login to the azure portal using the VM which is created for SSMS and Visual Studio components as the SQL DB connection is required for these components. The workaround for configuring the correct Client IP becomes cumbersome if it is not configured correctly in the initial step.

I'm at Lab 04 MFA, Conditional Access and AAD Identity Protection
Exercise 2: Implement Azure MFA
Task 4: Assign Azure AD Premium P2 licenses to Azure AD users
Step 5.
https://github.com/MicrosoftLearning/AZ500-AzureSecurityTechnologies/blob/master/Instructions/Labs/LAB_04_MFAConditionalAccessandAADIdentityProtection.md

The instructions says "select the Azure Active Directory Premium P2 checkbox, and click + Assign.
But I don't see that in the blade.

Module: 08

Exercise: 01

Task: 01

Step: 07

Following line needs to be modified as follows:

7. Click Review + Create and then Create.

Module: AZ500-AzureSecurityTechnologies

Lab/Demo: LAB_06_ImplementDirectorySynchronization

Task: Exercise 3, Task 3

Step: 02

Description of issue
On the Users | All users blade, note that the list of user objects includes the aduser1 account, with the Windows Server AD appearing in the Source column.

It should be
On the Users | All users blade, note that the list of user objects includes the aduser1 account, Click on the aduser1 account under the Profile --> Identity , note the Source attribute is Windows Server AD.

Module 1: Lab 3: Resource Manager Locks

Ex 1 Task 1 Step 2: Cloudshell storage may already exist from previous lab. Continue.
Ex 1 Task 5 Step 4 and 5: Error message now displayed by Azure portal before proceeding.

Module 2: Lab 8: Azure Firewall

Ex 1 Task 3 Step 4: "Create" should be "Review+create, then click Create"

Module 2: Lab 7: Network Security Groups and Application Security Groups

Ex 2 Task 1 Step 2: "On the Virtual machines blade, click + Add." should be "On the Virtual machines blade, click + Add, and then select Virtual machine.
Ex 2 Task 1 Step 3: " Windows Server 2019 Datacenter" should be " Windows Server 2019 Datacenter Gen 1"
Ex 2 Task 2 Step 1: "On the Virtual machines blade, click + Add." should be "On the Virtual machines blade, click + Add, and then select Virtual machine.
Ex 2 Task 2 Step 2: " Windows Server 2019 Datacenter" should be " Windows Server 2019 Datacenter Gen 1"

Module 1: Lab 4: MFA, Conditional Access and AAD Identity Protection

Ex 2 Task 3 Step 3: Need to click Create to create user.
Ex 2 Task 3 Step 5: Need to click Create to create user.
Ex 2 Task 4 Step 3: the new users may be set to United States already.
Ex 2 Task 4 Step 6: "Users and Groups" should be "Users"
Ex 2 Task 5 Step 8: "Enforced" should be "Enforce"
Ex 2 Task 6 Step 4: May have to click "I want to setup a different method" and then select Phone and then Confirm.
Ex 2 Task 6 Step 7: May have to restart the Azure portal in the InPrivate browser window first and then login again as aaduser1
Ex 4 Task 5: aaduser3 only appears under Risk detections report

Lab: 11

Exercise: 01

Task: 01

Step: 04

This line needs to be modified:
"Note: Review the content of the template and note that it deploys an Azure VM hosting Windows Server 2019 Datacenter."

Modified line should be:
"Note: Review the content of the template and note that it deploys Microsoft SQL Server."

Module: 00

Lab/Demo: 00

Task: 00

Step: 00

Description of issue
am unable to load this json file for creation of azure key vault on this step
https://github.com/MicrosoftLearning/AZ500-AzureSecurityTechnologies/blob/master/Instructions/Labs/LAB_10_KeyVaultImplementingSecureDatabysettingupAlwaysEncrypted.md

"On the Edit template blade, click Load file, locate the \Allfiles\Labs\10\az-500-10_azuredeploy.json file and click Open."
this gave me , an error while cliked on the save button :
"

Error parsing template. Please ensure template is valid JSON. Invalid symbol at position 5. Invalid symbol at position 15. Invalid symbol at position 21. Invalid symbol at position 27. Invalid symbol at position 36. Invalid symbol at position 40. Invalid symbol at position 51. Invalid symbol at position 57. End of file expected at position 65.
"

below is the first section of the json file:

this is the json file, i wanna upload and save it. This gave me an error.
please help, how to resolve this and proceed with creating a azure key vault

Repro steps:

Lab 14
Exercise 1
tAsk 2
Step 5

Following line mentions a recommendation. This mentioned recommendation is NOT listed so I can't pick it..

5. "On the myvm blade, in the Recommendations list section, on the Recommendations tab, review the recommendations and click the Guest configuration extension should be installed on Windows virtual machines entry."

Solution: I used another recommendation from list to do the lab.

Module: AZ500-AzureSecurityTechnologies

Lab/Demo: LAB_05_PIM.md

Task: 01

Step: 11

Description of issue
Step 11 is redundant as the as aaduser2 is already visible in the assignments blade after completion of Step 10.

Repro steps:

1. Sign-in to the Azure portal https://portal.azure.com/.

Note: Ensure that you are signed-in to the AdatumLab500-04 Azure AD tenant. You can use the Directory + subscription filter to switch between Azure AD tenants. Ensure you are signed in as a user with the Global Administrator role.

2.In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure AD Privileged Identity Management and press the Enter key.

3.On the Azure AD Privileged Identity Management blade, in the Manage section, click Azure AD roles.

4.On the AdatumLab500-04 | Quick start blade, in the Manage section, click Roles.

5.On the AdatumLab500-04 | Roles blade, click + Add assignments.

6.On the Add assignments blade, in the Select a role drop-down, select Billing Administrator.

7. Click the No member selected link, on the Select a member blade, click aaduser2, and then click Select.

8. Back on the Add assignments blade, click Next.

9. Ensure the Assignment type is set to Eligible, review the eligible duration settings, and click Assign.

10. Back on the AdatumLab500-04 | Roles blade, in the Manage section, click Assignments.

11. On the AdatumLab500-04 | Assignments blade, click Member filter, on the Select a member blade, click aaduser2, and click Select.

Back on the AdatumLab500-04 | Assignments blade, note the tabs for Eligible assignments, Active assignments, and Expired assignments.

Verify on the Eligible assignments tab that aaduser2 is shown as a Billing administrator.

Module 2: Lab 9: Configuring and Securing ACR and AKS

Ex 1 Task 5 Step 1: Make sure both files are uploaded. May have to do two separate uploads.

Hello 😀

I have an issue the TrainerHandbook VS the slides
The slides are not updated on the book
Thanks

Module 3: Lab 12: Service Endpoints and Securing Storage - UI change

Ex 1 Task 4 Step 14: "click Firewalls and virtual networks" should be "click Networking"

Module: Module 01 - Manage Identity and Access

Lab/Demo: LAB_06_ImplementDirectorySynchronization

Task: Clean up resources

Step: 14

Description of issue
14. Navigate to the AdatumSync - Overview blade of the Azure AD tenant, click Delete tenant, on the Delete directory 'AdatumSync' blade, click the Get permission to delete Azure resources link, on the Properties blade of Azure Active Directory, set Access management for Azure resources to Yes and click Save

In the above step the property 'Access Management for Azure resources' never gets set to Yes , even the change is made and saved successfully on relogin the property value is set to No and this is inturn stopping the directory dle