icon icon

Windows Server Hybrid Core Infrastructure + Azure Local Course (scope aligned with Microsoft AZ-800)

icon

Training process

Training needs analysis

If you have specific requirements regarding the training programme, we will carry out a training needs analysis for you. This will guide us on which aspects of the programme should receive greater emphasis, so that the training programme meets your specific needs.

What will you gain?

icon

Register apps the right way - You will learn how to create App Registrations in Entra ID, choose between single-tenant and multi-tenant models, and configure redirect URIs, tokens, and the app manifest correctly.

icon

Expose APIs securely - You will learn how to define scopes, roles, and api:// identifiers so you can publish APIs in a structured way, reduce excessive permissions, and keep client access under control.

icon

Choose the right auth flow - You will clearly distinguish Authorization Code with PKCE, Client Credentials, OBO, and Device Code Flow, so you can match a secure authentication model to each app scenario.

icon

Protect API endpoints - You will practice validating issuer, audience, scopes, roles, and azp or appid claims, then apply implementation patterns that enforce permissions at the level of individual endpoints.

icon

Remove secrets from apps - You will see how to use Managed Identity in App Service, Functions, AKS, and virtual machines to replace client secrets, simplify Azure access, and lower the risk of credential exposure.

icon

Manage user access efficiently - You will learn how to configure Enterprise Applications, assign users, groups, and roles, and implement SCIM provisioning to organize access and automate account handling across systems.

icon

Build modern customer sign-in - You will explore Microsoft External ID and user flows for sign-up, sign-in, and self-service, so you can design a secure and consistent experience for external users and customers.

icon

Plan governance and monitoring - You will learn how to run Access Reviews, read audit logs, and monitor consent grants across multi-service architectures, giving you stronger control over permissions and compliance.

Training programme

1. App Registration – registration and configuration of the application

  • creating App Registration in Azure Entra ID:
    • application and tenant structure,
    • single-tenant vs multi-tenant,
  • application manifest configuration:
    • editing properties and usage scenarios,
  • Redirect URIs:
    • configuration for SPA, web apps, mobile,
  • certificates vs secrets:
    • differences and application,
    • rotation of secrets and certificates,
    • security best practices,
  • token configuration:
    • token versions (v1 vs v2),
    • optional claims,
    • token lifetime,
  • Expose an API:
    • defining scope’s,
    • api:// identifiers,
  • API Permissions:
    • delegated vs application permissions,
    • the least privilege principle,
    • usage scenarios.

2. Enterprise Application – access management

  • creation and configuration of Enterprise Applications,
  • assigning users and groups:
    • User assignment required,
  • App Roles:
    • defining roles in the manifest,
    • assigning roles to users and groups,
  • API access control:
    • access per role and group,
    • a scenario of multiple applications consuming the API,
  • User provisioning (SCIM):
    • automatic synchronization of users,
    • integration with external systems.

3. Authentication flows

  • Authorization Code + PKCE:
    • application for SPA and mobile applications,
  • Client Credentials:
    • service-to-service communication,
    • daemon-type applications,
  • On-Behalf-Of (OBO):
    • identity propagation between services,
  • Device Code Flow:
    • CLI and IoT scenarios,
  • selection of the appropriate flow:
    • decision matrix,
    • most common errors,
    • security threats.

4. Managed Identity

  • Managed Identity types:
    • system-assigned,
    • user-assigned,
  • configuration in Azure:
    • App Service,
    • Azure Functions,
    • AKS,
    • Virtual Machines,
  • granting permissions to resources:
    • Key Vault,
    • Storage,
    • SQL,
    • Microsoft Graph,
  • elimination of secrets:
    • migration from client secret to Managed Identity,
  • limitations and fallback:
    • no cross-tenant,
    • no on-prem support,
    • DefaultAzureCredential.

5. Securing API endpoints

  • token validation:
    • issuer,
    • audience,
    • scopes,
    • roles,
    • azp / appid,
  • Delegated vs Application permissions in API:
    • scp vs roles,
    • access control at the endpoint level,
  • security threats:
    • over-permissioning,
    • lack of scope validation,
    • consent phishing,
  • implementation patterns:
    • validating middleware,
    • [RequiredScope],
    • [Authorize(Roles=...)],
  • Best practices:
    • separate frontend/backend registrations,
    • minimum permission scope,
    • admin consent workflow.

6. Microsoft External ID (CIAM)

  • differences compared to standard Entra ID:
  • User flows:
    • registration,
    • sign-in,
    • self-service,
  • Custom authentication extensions,
  • branding and customization of the user experience.

7. Multi-service access architecture

  • API Publisher / API Consumer model,
  • Central API:
    • definition of scopes and roles,
  • integration of multiple applications (Enterprise Apps):
    • assignment of groups and roles,
  • access management:
    • who has access to what (role/scope),
  • Governance and monitoring:
    • Access Reviews,
    • audit logs,
    • monitoring of consent grants.

What are the prerequisites for participating in the training?

icon

Azure and Entra ID basics - You should be familiar with core Azure and Entra ID concepts such as tenant, subscription, user, group, and application so you can navigate the service configuration with ease.

icon

Authentication fundamentals - You should understand the basics of application sign-in and token handling so concepts like scopes, roles, redirect URIs, and user consent will be easier to work with in practice.

icon

Administrative experience - You should have hands-on experience with the Azure portal or Microsoft 365 administration so you can perform configuration tasks independently and review security settings.

icon

API basics - You should know the fundamentals of web applications and APIs so you can understand service-to-service communication, application permissions, and endpoint protection scenarios.