Application Security on Microsoft Azure

Authors: Troy Hunt, Sahil Malik, Peter Mosmans, Reza Salehi, John Savill

Security has become “everyone’s responsibility” and as a developer you are responsible for creating secure applications in the cloud. This path will introduce you to the ways in... Read more


The courses in this section will teach you the fundamentals for implementing authentication, including writing integration code to Azure Active Directory, tokens and certificates, and multi-factor authentication. These topics are the perfect foundation for you to move to the intermediate level.

Microsoft Azure Authentication Scenarios for Developers

by Sahil Malik

Sep 13, 2018 / 2h 52m

2h 52m

Start Course

The importance of Azure AD in Azure Authentication scenarios cannot be overstated. In this course, Microsoft Azure Authentication Scenarios for Developers, you will learn basic application scenarios, as well as MFA, B2C, certificate-based authentication, and SQL Server authentication. First, you will explore Azure Active Directory, and learn how to perform forms-based authentication. Next, you will learn about business to consumer authentication, and Azure Active Directory authentication for an SQL database. Finally, you will discover how to set up multi-factor authentication using Azure Active Directory, as well as setting up a certificate-based authentication. When you are finished with this course, you will have a good understanding of the various authentication scenarios Azure supports and you will feel confident in making the right architectural choices for your applications.

Table of contents
  1. Course Overview1m
  2. Azure Authentication and Azure Active Directory18m
  3. Performing Forms-based Authentication with Azure Active Directory48m
  4. Azure Active Directory Business to Consumer Authentication32m
  5. Azure Active Directory Authentication for SQL Database20m
  6. Multi-factor Authentication Using Azure Active Directory18m
  7. Azure Active Directory Certificate-based Authentication31m


This intermediate courses will introduce you to how to implement access control on Microsoft Azure, including RBAC, and CBAC authorization. Once you fully comprehend the topics in this area, you’ll be ready to move on to the advanced courses.

Managing Azure AD

by John Savill

Apr 28, 2016 / 2h 54m

2h 54m

Start Course

Nearly every organization utilizes cloud services today and Azure AD provides an intuitive way to leverage a single identity to interact with those cloud services. In Managing Azure AD, you'll examine key management activities related to Azure AD to ensure an optimal experience for the organization and its users. First you'll learn user and group management, management using PowerShell and REST, and advanced federation configuration and deployment. Next, you'll learn how to protect privileged accounts. Finally, you'll learn how to use Azure AD with machines and non-Azure AD aware services. When you're finished with this course, you will have the skills and knowledge of managing Azure AD needed to get the most out of your cloud investment.

Table of contents
  1. Course Overview1m
  2. User and Group Management Using the Azure Portal37m
  3. PowerShell and Graph API Management29m
  4. Using Custom Roles and Role Based Access Control20m
  5. Azure AD Privileged Identity Management20m
  6. Advanced Federation Concepts46m
  7. Leveraging Azure AD Join and Azure AD Domain Services19m


In this section, you’ll get the opportunity to explore how to secure your data, how to meet OWASP standards, and how to make sure you are producing secure code that can hold up to threats.

Microsoft Azure Developer: Securing Data

by Reza Salehi

Sep 7, 2018 / 2h 8m

2h 8m

Start Course

At the core of developing applications for Microsoft Azure is a thorough knowledge of securing data. In this course, Microsoft Azure Developer: Securing Data, you’ll learn how to protect your application configuration and data from unauthorized access. First, you’ll learn how to secure your application configuration settings such as database connection strings using Azure Key Vault and Managed Service Identity (MSI). Next, you’ll explore Azure Storage Service encryption for data at rest (SSE), Azure Disk Encryption (ADE) and Azure SQL Database Always Encrypted, to protect data against disk theft, or to comply with security standards. Finally, you’ll discover how to secure client-server communications using SSL/TLS encryption. When you’re finished with this course, you’ll have the necessary knowledge of securing data to help you in leveraging Microsoft Azure's out-of-the-box offerings to develop more secure applications.

Table of contents
  1. Course Overview1m
  2. Getting Started15m
  3. Protecting Application Keys and Secrets with Azure Key Vault and MSI40m
  4. Encrypting and Decrypting Data at Rest29m
  5. Encrypting Data with Always Encrypted27m
  6. Implementing SSL/TLS Communications15m

Hack Yourself First: How to go on the Cyber-Offense

by Troy Hunt

Aug 30, 2013 / 9h 25m

9h 25m

Start Course

The prevalence of online attacks against websites has accelerated quickly in recent years and the same risks continue to be readily exploited. However, these are very often easily identified directly within the browser; it's just a matter of understanding the vulnerable patterns to look for. This course comes at security from the view of the attacker in that their entry point is typically the browser. They have a website they want to probe for security risks – this is how they go about it. This approach is more reflective of the real online threat than reviewing source code is and it empowers developers to begin immediately assessing their applications even when they're running in a live environment without access to the source. After all, that's what online attackers are doing.

Table of contents
  1. Introduction25m
  2. Transport Layer Protection1h 8m
  3. Cross Site Scripting (XSS)57m
  4. Cookies45m
  5. Internal Implementation Disclosure1h 9m
  6. Parameter Tampering1h 31m
  7. SQL Injection1h 16m
  8. Cross Site Attacks1h 0m
  9. Account Management1h 10m

Web Security and the OWASP Top 10: The Big Picture

by Troy Hunt

Mar 18, 2014 / 2h 3m

2h 3m

Start Course

Security on the web is becoming an increasingly important topic for organisations to grasp. Recent years have seen the emergence of the hacktivist movement, the increasing sophistication of online career criminals and now the very real threat posed by nation states compromising personal and corporate security. The Open Web Application Security Project gives us the OWASP Top 10 to help guide the secure development of online applications and defend against these threats. This course takes you through a very well-structured, evidence-based prioritisation of risks and most importantly, how organisations building software for the web can protect against them.

Table of contents
  1. Introduction7m
  2. Injection14m
  3. Broken Authentication and Session Management14m
  4. Cross-Site Scripting (XSS)12m
  5. Insecure Direct Object References11m
  6. Security Misconfiguration9m
  7. Sensitive Data Exposure12m
  8. Missing Function Level Access Control11m
  9. Cross-Site Request Forgery (CSRF)11m
  10. Using Components with Known Vulnerabilities9m
  11. Unvalidated Redirects and Forwards9m

Secure Coding: Preventing Insecure Deserialization

by Peter Mosmans

Mar 21, 2018 / 1h 2m

1h 2m

Start Course

As a developer, it is important to be familiar with common vulnerabilities that are often encountered in web application. Insecure deserialization is one of those vulnerabilities, ranking 8th in the OWASP Top 10 2017. In this course, Secure Coding: Preventing Insecure Deserialization, you will learn how to properly defend yourself against that particular vulnerability First, you will learn about the basics of serialization and deserialization, and about the various serialization file formats. Next, you will discover what insecure deserialization actually is, and how it can be exploited: In order to fix the problem, you need to know what can go wrong. Finally you will explore how to properly prevent insecure deserialization in any development language or framework. By the end of this course, you will have the secure coding skills and knowledge needed to prevent insecure deserialization vulnerabilities from creeping into your application.

Table of contents
  1. Course Overview1m
  2. What Is Serialization and Deserialization?23m
  3. Deserialization: How It Can Be Exploited8m
  4. Insecure Patterns for Deserialization 13m
  5. How to Securely Implement Deserialization15m

Secure Coding: Preventing Insufficient Logging and Monitoring

by Peter Mosmans

Jul 25, 2018 / 1h 23m

1h 23m

Start Course

It is extremely important for the security of your company to know what's currently happening to your application. This can be achieved by proper application logging and monitoring. In this course, Secure Coding: Preventing Insufficient Logging & Monitoring, you will learn what to think of when setting up logging and monitoring for applications. First, You will learn what is meant with the risk of insufficient logging and monitoring. Next, you'll explore what your application should and shouldn't log. Finally, you'll discover how to ensure and improve the quality of log files. When you're finished with this course, you'll have all the application logging and monitoring skills and knowledge needed to detect (future) security incidents on time.

Table of contents
  1. Course Overview1m
  2. Understanding Insufficient Logging and Monitoring24m
  3. Determining What Applications Should and Should Not Log22m
  4. Improving and Ensuring the Quality of Logfiles18m
  5. Applying an Effective Monitoring Strategy16m

What you will learn

  • How to implement authentication
  • How to implement access control
  • How to secure your application data
  • How to write code that meets OWASP standards


This path is intended for beginners, and no prerequisites are required for this path.