SC-300 - Lab 16 - 20
Security-focused Cloud & Automation Engineer with a Master’s in Computer Science and 6+ years of experience automating and supporting enterprise IT environments across multi-site corporate and operational infrastructures. Proficient in Python scripting, Azure infrastructure, Windows Server, and identity management. Skilled in integrating third-party platforms, securing configurations, and streamlining operations. Currently pursuing the Cybersecurity Architect Expert certification with a strong focus on cloud security and automation.
I’m Amir Rouhanipoor, an IT Consultant specializing in Azure and cloud solutions. I help organizations streamline their IT and drive growth through secure, efficient cloud technologies.
Lab 16 - Using Azure Key Vault for Managed Identities
Lab 17 - Defender for Cloud Apps application discovery and enforcing restrictions
Microsoft Defender for Cloud Apps uses network traffic logs to identify which applications users are accessing. Logs from on-premises firewalls provide a snapshot of the most commonly used applications and the users interacting with them. Traffic from managed devices is also sent to the Defender for Cloud Apps Discovery Overview Dashboard, offering centralized visibility into app usage.
For Defender for Cloud Apps discovery, sign in to security.microsoft.com with a Global Administrator account > Cloud Apps > Cloud App Catalog > under Browse by category select Cloud Storage > in the list of apps, note the Risk score next to the app name.
Open Dropbox in another browser and confirm that it opens.
Return to the Defender for Cloud Apps screen, select the three-dot menu to the right of Dropbox, choose Unsanctioned, and then click Next.
After about 5 minutes, try to open Dropbox again; it can no longer be opened.


This block only applies to client devices that are onboarded to Microsoft Defender for Endpoint (MDE) and integrated with Microsoft Defender for Cloud Apps.
Questions that remained unanswered for this lab
How to check whether we have MDE licenses in Azure (what are the options)
How to enable MDE licenses
Lab 18 - Defender for Cloud Apps Access and Session Policies
Login type = Microsoft 365 admin
Exercise 1 - Create and test the Conditional Access App Control policy
- First ask the user to sign in to forms.microsoft.com; the user should have unconditional access to Forms. Then configure Entra ID to work with Defender for Cloud Apps.

Navigate to Entra ID > Identity > Protection > Conditional Access > Create new policy > enter the policy name: “Monitor the user using Forms” > select the user > add Microsoft Forms under Target resources > under Access controls select Session, select Use Conditional Access App Control, leave the default Monitor only selected, and then enable the policy.

Ask the user to sign in to forms.microsoft.com again; the user will get a pop-up message: “Your company is monitoring the usage of this application.”

Exercise 2 - Setup alerts in Microsoft Defender for Cloud Apps
Task 1 - Access Microsoft Defender for Cloud Apps (security.microsoft.com) and create a Conditional Access App Control policy
Registering your application creates a trust relationship with the Microsoft identity platform. This trust is one-way—your app trusts the Microsoft identity platform, but not vice versa.
Navigate to Microsoft Defender for Cloud Apps via https://security.microsoft.com using a Global Administrator account.
Go to Cloud Apps > Policies > Policy Management > + Create policy > select Access policy. Enter policy name: “Monitor Microsoft Forms access” and leave Category as Access control.
Under Activities matching all of the following, open the filter for Intune compliant, Microsoft Entra Hybrid joined, and unselect Microsoft Entra Hybrid joined. Also choose Select apps > choose Microsoft Forms. Leave Actions set to Test.
Under Alerts, leave Create an alert… checked and select Send alert as email. Enter the lab admin email address, then press Enter. Click Create to finalize the access policy.

- Now if the user signs in to forms.microsoft.com again, they will get this message:
Your company is monitoring the usage of this application.
- Return to the browser running Defender for Cloud Apps and refresh the page then navigate to Investigate > Activity log and use the App filter to select Microsoft Forms. Review the sign-in records of the user.

Lab 19 - Register an application
Login type = Microsoft 365 admin
Exercise 1 - Register an application
Task 1 - App registration:
- Entra ID > Identity > Applications > App registrations > + New registration.
Enter the application name: Demo app. Leave all other fields as default (Redirect URI not required).
Click Register.

Task 2 - Configure platform settings
Settings for each application type, including redirect URIs, are configured in Platform configurations in the Azure portal. Some platforms, like Web and Single-page applications, require you to manually specify a redirect URI. For other platforms, like mobile and desktop, you can select from redirect URIs generated for you when you configure their other settings.
- Entra ID > Identity > Applications > App registrations > Select your application > Manage > select Authentication > Platform configurations > + Add a platform > Select Web as the platform > In Redirect URI, enter: https://localhost > Click Configure to save the platform settings.

| Platform | Configuration settings |
|---|---|
| Web | Enter a Redirect URI for your app, the location where Microsoft identity platform redirects a user's client and sends security tokens after authentication. Select this platform for standard web applications that run on a server. |
| Single-page application | Enter a Redirect URI for your app, the location where Microsoft identity platform redirects a user's client and sends security tokens after authentication. Select this platform if you're building a client-side web app in JavaScript or with a framework like Angular, Vue.js, React.js, or Blazor WebAssembly. |
| iOS/macOS | Enter the app Bundle ID, found in Xcode in Info.plist or Build Settings. A redirect URI is generated for you when you specify a Bundle ID. |
| Android | Enter the app Package name, which you can find in the AndroidManifest.xml file, and generate and enter the Signature hash. A redirect URI is generated for you when you specify these settings. |
| Mobile and desktop applications | Select one of the Suggested redirect URIs or specify a Custom redirect URI. For desktop applications, we recommend: https://login.microsoftonline.com/common/oauth2/nativeclient. Select this platform for mobile applications that aren't using the latest Microsoft Authentication Library (MSAL) or are not using a broker. Also select this platform for desktop applications. |
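The redirect URI registered in Task 2 is the one place the identity platform is willing to send an authorization code or token for this app, so the authorization server compares the `redirect_uri` in each request against the registered list by exact match. The following Python is an added illustration of that check, not part of the lab or of Microsoft's code; it assumes the usual registration rule (absolute URI, `https` only, with `localhost` exempt) and uses a constructed list that contains the lab's `https://localhost` plus a hypothetical production URI.

```python
from urllib.parse import urlsplit

# Constructed registered list: https://localhost is the value the lab enters
# under Platform configurations; the second entry is hypothetical.
REGISTERED_REDIRECT_URIS = [
    "https://localhost",
    "https://contoso.example/signin-oidc",
]


def is_acceptable_registration(uri: str) -> bool:
    """Rule applied when a URI is *added* to the registration (assumed here):
    absolute, no fragment, https only, except that http://localhost is allowed
    for local development."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname == "localhost"


def _normalise(uri: str) -> str:
    # Scheme and host are case-insensitive; path and query are not.
    parts = urlsplit(uri)
    return parts._replace(scheme=parts.scheme.lower(),
                          netloc=parts.netloc.lower()).geturl()


def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Check performed on each authorization request: the redirect_uri the
    client sends must equal a registered value after case-normalising scheme
    and host. No prefix, wildcard, subpath or lookalike-host matching, so a
    code or token can only ever be delivered to a location the app owner
    registered."""
    target = _normalise(requested)
    return any(_normalise(r) == target for r in registered)


if __name__ == "__main__":
    for candidate in ("https://localhost",
                      "https://localhost/extra",
                      "https://contoso.example.lookalike.test/signin-oidc"):
        print(candidate, "->", redirect_uri_allowed(candidate))
```

Because the comparison is exact, a URI that merely shares a prefix or a registrable domain with a registered value is refused, which is why the lab's `https://localhost` entry only ever satisfies a request for exactly `https://localhost`.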

Task 3 - Add credentials, certificate and client secret
Credentials are used by confidential client applications that access a web API. Examples of confidential clients include web apps, other web APIs, and service-type and daemon-type applications. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime.
You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
Note: Sometimes called a public key, certificates are the recommended credential type because they provide a higher level of assurance than a client secret. When using a trusted public certificate, you can add the certificate using the Certificates & secrets feature. Your certificate must be one of the following file types: .cer, .pem, .crt.
Note: The client secret, also known as an application password, is a string value your app can use in place of a certificate to identify itself. It's the easier of the two credential types to use. It's often used during development, but is considered less secure than a certificate. You should use certificates in your applications running in production.
- Azure portal > App registrations > Select your application > Select Certificates & secrets > Click + New client secret > Enter description: SC300 lab secret > Set duration: 90 days (3 months) > Click Add > Save the secret's value in Notepad for use in your client application code. The Certificates & secrets page will display the new secret value. It's important you copy this value as it's only shown this one time; if you refresh your page and come back, it will only show as a masked value.


With your web app registered, you're ready to add the scopes that your API's code can use to grant granular permissions to consumers of your API.
Task 5 - Add a scope
The code in a client application requests permission to perform operations defined by your web API by passing an access token along with its requests to the protected resource (the web API). Your web API then performs the requested operation only if the access token it receives contains the scopes (also known as application permissions) required for the operation.
First, follow these steps to create an example scope named Employees.Read.All:

Applications > App registrations > Select your API’s app registration.
Select Expose an API > Click + Add a scope > Set the Application ID URI to: api://DemoAppAPI > Click Save and continue > In Add a scope, fill in the scope details (use the “Value” column in the table below) > Set State to Enabled > Click Add scope.

| Field | Description | Value |
|---|---|---|
| Scope name | The name of your scope. A common scope naming convention is resource.operation.constraint. | Employees.Read.All |
| Who can consent | Whether this scope can be consented to by users or if admin consent is required. Select Admins only for higher-privileged permissions. | Admins and users |
| Admin consent display name | A short description of the scope's purpose that only admins will see. | Read-only access to employee records |
| Admin consent description | A more detailed description of the permission granted by the scope that only admins will see. | Allow the application to have read-only access to all employee data. |
| User consent display name | A short description of the scope's purpose. Shown to users only if you set Who can consent to Admins and users. | Read-only access to your employee records |
| User consent description | A more detailed description of the permission granted by the scope. Shown to users only if you set Who can consent to Admins and users. | Allow the application to have read-only access to your employee data. |


Note - The App ID URI acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api.
(Optional) To suppress prompting for consent by users of your app to the scopes you've defined, you can pre-authorize the client application to access your web API. Pre-authorize only those client applications you trust since your users won't have the opportunity to decline consent.
Under Expose an API > Authorized client applications > click Add a client application > Enter the Application (client) ID of the trusted client app (you can find the app ID on the Overview tab) > Select the authorized scopes checkmark > Click Add application.


If you followed this optional step, the client app is now a pre-authorized client app (PCA), and users won't be prompted for their consent when signing into it.
Task 6 - Add a scope requiring admin consent
Next, add another example scope named Employees.Write.All that only admins can consent to. Scopes that require admin consent are typically used for providing access to higher-privileged operations, often by client applications that run as backend services or daemons that don't sign in a user interactively.
- Follow the above steps to add a new scope named Employees.Write.All, enable it, and click Add scope to save.

| Field | Example value |
|---|---|
| Scope name | Employees.Write.All |
| Who can consent | Admins only |
| Admin consent display name | Write access to employee records |
| Admin consent description | Allow the application to have write access to all employee data. |
| User consent display name | None (leave empty) |
| User consent description | None (leave empty) |

As shown in the image, a scope's full string is the concatenation of your web API's Application ID URI and the scope's Scope name.
Note: For example, if your web API's application ID URI is https://contoso.com/api and the scope name is Employees.Read.All, the full scope is: https://contoso.com/api/Employees.Read.All
Note: Next, you will configure a client app's registration with access to your web API and the scopes you defined by following the steps above. Once a client app registration is granted permission to access your web API, the client can be issued an OAuth 2.0 access token by the Microsoft identity platform. When the client calls the web API, it presents an access token whose scope (scp) claim is set to the permissions you've specified in the client's app registration. You can expose additional scopes later as necessary. Consider that your web API can expose multiple scopes associated with several operations. Your resource can control access to the web API at runtime by evaluating the scope (scp) claim(s) in the OAuth 2.0 access token it receives.
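The two notes above describe both halves of the scope mechanism: the client requests the full scope string (App ID URI plus scope name), and the web API decides at runtime by inspecting the scp claim of the access token it receives. The Python below is an added worked example of that runtime decision, not code from the lab or from Microsoft. To stay offline it mints and verifies tokens with a constructed HMAC key; real Microsoft identity platform access tokens are RS256-signed and must be validated against the tenant's published signing keys, but the order of checks (signature, audience, expiry, then scope) is the same. It assumes, as is standard for these tokens, that delegated permissions arrive in `scp` as a space-separated list of scope names without the App ID URI prefix, and application permissions in `roles`; the `mint_demo_token`, `verify_and_get_claims`, `has_scope` and `authorize` helpers are this example's own names.

```python
import base64
import hashlib
import hmac
import json
import time

APP_ID_URI = "api://DemoAppAPI"          # Application ID URI set in Task 5

# Constructed demo key so the example runs offline. A real API never holds a
# shared secret for Microsoft tokens: it verifies RS256 signatures with the
# tenant's JWKS keys instead.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def full_scope(app_id_uri: str, scope_name: str) -> str:
    """The string a client puts in its token request: App ID URI + '/' + name."""
    return f"{app_id_uri}/{scope_name}"


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the identity platform: build a compact JWT over `claims`."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_and_get_claims(token: str, key: bytes = DEMO_KEY, now=None):
    """Return the claims only if the token is authentic, for this API and unexpired.
    The algorithm is fixed by the verifier, never taken from the token header."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None                       # tampered or not signed for us
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != APP_ID_URI:
        return None                       # token issued for a different API
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None                       # expired
    return claims


def has_scope(claims: dict, required: str) -> bool:
    """Delegated permissions: scp (space-separated names). Application
    permissions (admin-only scopes used by daemons): roles (list)."""
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    return required in granted


def authorize(token: str, required_scope: str, key: bytes = DEMO_KEY, now=None) -> str:
    """Decision the web API makes before performing the operation."""
    claims = verify_and_get_claims(token, key, now)
    if claims is None:
        return "401 invalid token"
    if not has_scope(claims, required_scope):
        return "403 insufficient scope"
    return "200 ok"


if __name__ == "__main__":
    issued_at = int(time.time())
    token = mint_demo_token({"aud": APP_ID_URI, "scp": "Employees.Read.All",
                             "exp": issued_at + 3600})
    print("client requests:", full_scope(APP_ID_URI, "Employees.Read.All"))
    print("read  ->", authorize(token, "Employees.Read.All"))
    print("write ->", authorize(token, "Employees.Write.All"))
```

The point the lab's note makes is visible in the two return values at the end: a token carrying only Employees.Read.All is accepted for the read operation and refused for the write operation, and the scope check is only reached once signature, audience and expiry have passed, so an unverified scp value is never trusted.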
Exercise 2 - Manage app registration with a custom role
Task 1 - Create a new custom role to grant access to manage app registrations
- Entra ID > Identity > Roles and admins > + New custom role > Basics tab > enter the role name: My custom app role > Click Next > Permissions tab > search for credentials > Select Manage permissions from the results > Click Next twice > Review the settings and click Create.

- microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials - Manage password single sign-on credentials on service principals.
- microsoft.directory/servicePrincipals/synchronizationCredentials/manage - Manage application provisioning secrets and credentials.

Why pick those two - For application provisioning, these two items are the bare minimum permissions needed to enable and enforce single sign-on for the application or service principal being created, and to be able to assign the enterprise application to a set of users or groups. Other permissions could also be granted. You can get a full list of available permissions at https://docs.microsoft.com/azure/active-directory/roles/custom-enterprise-app-permissions.
Lab 20 - Implement access management for apps
Login type = Microsoft 365 admin
Your organization requires that only specific users or groups have access to enterprise applications. You must assign a user to a specific application.
Task 1 - Add an app to your Microsoft Entra tenant
Identity > Applications > Enterprise applications > + New application > Browse Microsoft Entra Gallery page > search for GitHub > Select GitHub Enterprise Cloud – Enterprise Account from the results > Review the settings and click Create.
(Once created, you’ll be redirected to the GitHub Enterprise Cloud – Enterprise Account page.)

Task 2 - Assign users to an app
On the GitHub Enterprise Cloud – Enterprise Account page, go to Overview > Getting Started > 1. Assign users and groups (or go to Manage > Users and groups in the left menu) > Click + Add user/group.
In the Add Assignment page, click None selected under Users and groups.
Select Adele Vance and your MOD administrator account > Click Select > Select Assign


