MicrosoftDocs
diff --git a/‎learn-pr/wwl-azure/describe-azure-identity-access-security/10-knowledge-check.yml‎
Lines changed: 63 additions & 52 deletions b/‎learn-pr/wwl-azure/describe-azure-identity-access-security/10-knowledge-check.yml‎
Lines changed: 63 additions & 52 deletions
diff --git a/‎learn-pr/wwl-azure/describe-azure-identity-access-security/9a-describe-encryption-key-management.yml‎
Lines changed: 15 additions & 0 deletions b/‎learn-pr/wwl-azure/describe-azure-identity-access-security/9a-describe-encryption-key-management.yml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎learn-pr/wwl-azure/describe-azure-identity-access-security/includes/1-introduction.md‎
Lines changed: 2 additions & 1 deletion b/‎learn-pr/wwl-azure/describe-azure-identity-access-security/includes/1-introduction.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎learn-pr/wwl-azure/describe-azure-identity-access-security/includes/11-summary.md‎
Lines changed: 13 additions & 1 deletion b/‎learn-pr/wwl-azure/describe-azure-identity-access-security/includes/11-summary.md‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎learn-pr/wwl-azure/describe-azure-identity-access-security/includes/2-directory-services.md‎
Lines changed: 17 additions & 14 deletions b/‎learn-pr/wwl-azure/describe-azure-identity-access-security/includes/2-directory-services.md‎
Lines changed: 17 additions & 14 deletions
@@ -1,52 +1,63 @@
-### YamlMime:ModuleUnit
-uid: learn.wwl.describe-azure-identity-access-security.knowledge-check
-title: Module assessment
-metadata:
-  title: Module assessment
-  description: "Knowledge check"
-  ms.date: 10/03/2024
-  author: wwlpublish
-  ms.author: robbarefoot
-  ms.topic: unit
-  ms.custom:
-  - N/A
-  module_assessment: true
-durationInMinutes: 4
-content: |
-  [!include[](includes/10-knowledge-check.md)]
-quiz:
-  title: "Check your knowledge"
-  questions:
-  - content: "Which Microsoft Entra tool can vary the credentials needed to log in based on signals, such as where the user is located?"
-    choices:
-    - content: "Conditional Access"
-      isCorrect: true
-      explanation: "Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals. Conditional Access might challenge you for a second authentication factor if your sign-in signals are unusual or from an unexpected location."
-    - content: "Guest access"
-      isCorrect: false
-      explanation: "Guest access is an access method that helps enable collaboration across organizational boundaries, but isn’t an authentication method or a tool to help with authentication."
-    - content: "Passwordless"
-      isCorrect: false
-      explanation: "Passwordless is an authentication method that relies on something you have; plus something you are or something you know. For example, Windows Hello is a passwordless authentication method."
-  - content: "Which security model assumes the worst-case security scenario, and protects resources accordingly?"
-    choices:
-    - content: "Zero Trust"
-      isCorrect: true
-      explanation: "Zero Trust is a security model that assumes the worst case scenario and protects resources with that expectation."
-    - content: "Defense-in-depth"
-      isCorrect: false
-      explanation: "Defense-in-depth is focused on setting up a system that prevents access to information by unauthorized parties. It’s a proactive model and builds layer upon layer to protect information."
-    - content: "Role-based access control"
-      isCorrect: false
-      explanation: "Role-based access control provides the ability to grant or deny access based on a user or services assigned role."
-  - content: "A user is simultaneously assigned multiple roles that use role-based access control. What are their actual permissions? The role permissions are: Role 1 - read || Role 2 - write || Role 3 - read and write."
-    choices:
-    - content: "Read only"
-      isCorrect: false
-      explanation: "Role-based access control works on an allow model, so they wouldn’t be limited to the permissions of only one role."
-    - content: "Write only"
-      isCorrect: false
-      explanation: "Role-based access control works on an allow model, so they wouldn’t be limited to the permissions of only one role."
-    - content: "Read and write"
-      isCorrect: true
-      explanation: "Role-based access control, using an allow model, grants all of the permissions assigned in all of the assigned roles."
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-identity-access-security.knowledge-check
+title: Module assessment
+metadata:
+  title: Module assessment
+  description: "Knowledge check"
+  ms.date: 10/03/2024
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+  module_assessment: true
+durationInMinutes: 4
+content: |
+  [!include[](includes/10-knowledge-check.md)]
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "Which Microsoft Entra tool can vary the credentials needed to log in based on signals, such as where the user is located?"
+    choices:
+    - content: "Conditional Access"
+      isCorrect: true
+      explanation: "Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals. Conditional Access might challenge you for a second authentication factor if your sign-in signals are unusual or from an unexpected location."
+    - content: "Guest access"
+      isCorrect: false
+      explanation: "Guest access is an access method that helps enable collaboration across organizational boundaries, but isn’t an authentication method or a tool to help with authentication."
+    - content: "Passwordless"
+      isCorrect: false
+      explanation: "Passwordless is an authentication method that relies on something you have; plus something you are or something you know. For example, Windows Hello is a passwordless authentication method."
+  - content: "Which security model assumes the worst-case security scenario, and protects resources accordingly?"
+    choices:
+    - content: "Zero Trust"
+      isCorrect: true
+      explanation: "Zero Trust is a security model that assumes the worst case scenario and protects resources with that expectation."
+    - content: "Defense-in-depth"
+      isCorrect: false
+      explanation: "Defense-in-depth is focused on setting up a system that prevents access to information by unauthorized parties. It’s a proactive model and builds layer upon layer to protect information."
+    - content: "Role-based access control"
+      isCorrect: false
+      explanation: "Role-based access control provides the ability to grant or deny access based on a user or services assigned role."
+  - content: "A user is simultaneously assigned multiple roles that use role-based access control. What are their actual permissions? The role permissions are: Role 1 - read || Role 2 - write || Role 3 - read and write."
+    choices:
+    - content: "Read only"
+      isCorrect: false
+      explanation: "Role-based access control works on an allow model, so they wouldn’t be limited to the permissions of only one role."
+    - content: "Write only"
+      isCorrect: false
+      explanation: "Role-based access control works on an allow model, so they wouldn’t be limited to the permissions of only one role."
+    - content: "Read and write"
+      isCorrect: true
+      explanation: "Role-based access control, using an allow model, grants all of the permissions assigned in all of the assigned roles."
+  - content: "Which Azure service is designed to securely store secrets, certificates, and encryption keys for your applications?"
+    choices:
+    - content: "Azure Key Vault"
+      isCorrect: true
+      explanation: "Azure Key Vault is used to securely store and manage secrets, certificates, and keys."
+    - content: "Azure Policy"
+      isCorrect: false
+      explanation: "Azure Policy helps enforce governance rules, but it doesn't store application secrets or encryption keys."
+    - content: "Azure Monitor"
+      isCorrect: false
+      explanation: "Azure Monitor provides telemetry and observability, not key and secret storage."
@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.describe-azure-identity-access-security.describe-encryption-key-management
+title: Describe encryption and key management in Azure
+metadata:
+  title: Describe encryption and key management in Azure
+  description: "Describe encryption and key management in Azure"
+  ms.date: 03/06/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 4
+content: |
+  [!include[](includes/9a-describe-encryption-key-management.md)]
@@ -1,4 +1,4 @@
-In this module, you’ll be introduced to the Azure identity, access, and security services and tools. You’ll learn about directory services in Azure, authentication methods, and access control. You’ll also cover things like Zero Trust and defense in depth, and how they keep your cloud safer. You’ll wrap up with an introduction to Microsoft Defender for Cloud.
+In this module, you'll be introduced to the Azure identity, access, and security services and tools. You'll learn about directory services in Azure, authentication methods, and access control. You'll also cover Zero Trust, defense in depth, and how they keep your cloud safer. Finally, you'll review encryption concepts, key management with Azure Key Vault, and Microsoft Defender for Cloud.
 
 ## Learning objectives
 
@@ -11,4 +11,5 @@ After completing this module, you’ll be able to:
  -  Describe Azure Role Based Access Control (RBAC).
  -  Describe the concept of Zero Trust.
  -  Describe the purpose of the defense in depth model.
+ -  Describe encryption concepts and key management options in Azure.
  -  Describe the purpose of Microsoft Defender for Cloud.
@@ -1,4 +1,4 @@
-In this module, you learned about Azure identity, access, and security services and tools. You covered authentication methods, including which ones are more secure. You learned about restricting access based on a role to help create a more secure environment. And, you learned about the Defense In Depth and Zero Trust models.
+In this module, you learned about Azure identity, access, and security services and tools. You covered authentication methods, including which ones are more secure. You learned about restricting access based on a role to help create a more secure environment. You also reviewed encryption concepts and key management options in Azure. And, you learned about the Defense In Depth and Zero Trust models.
 
 ## Learning objectives
 
@@ -11,8 +11,20 @@ You should now be able to:
  -  Describe Azure Role Based Access Control (RBAC).
  -  Describe the concept of Zero Trust.
  -  Describe the purpose of the defense in depth model.
+ -  Describe encryption concepts and key management options in Azure.
  -  Describe the purpose of Microsoft Defender for Cloud.
 
 ## Additional resources
 
 The following resources provide more information on topics in this module or related to this module.<br>[Microsoft Certified: Security, Compliance, and Identity Fundamentals](/learn/certifications/security-compliance-and-identity-fundamentals/) is an entire certification, with associated training, dedicated to helping you better understand and manage Security, Compliance, and identity.
+
+## Explore with Copilot
+
+> [!TIP]
+> Try one of these prompts in Copilot Chat:
+>
+> - "Use one end-to-end scenario to show how SSO, MFA, Conditional Access, and RBAC work together in a Zero Trust design."
+> - "Explain the difference between Microsoft Entra ID, Microsoft Entra Domain Services, and external identities with practical examples."
+> - "Simulate a security incident and show how encryption, key management, defense in depth, and Microsoft Defender for Cloud reduce risk."
+
+
@@ -1,14 +1,14 @@
-Microsoft Entra ID is a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop. Microsoft Entra ID can also help you maintain your on-premises Active Directory deployment.
+Microsoft Entra ID is Microsoft's cloud-based identity and access management service. It lets you sign in and access both Microsoft cloud applications and cloud applications that you develop.
 
-For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that's managed by your organization. Microsoft Entra ID is Microsoft's cloud-based identity and access management service. With Microsoft Entra ID, you control the identity accounts, but Microsoft ensures that the service is available globally. If you've worked with Active Directory, Microsoft Entra ID will be familiar to you.
+If you've worked with on-premises Active Directory, Microsoft Entra ID will feel familiar. The key difference is that you control the identity accounts while Microsoft ensures the service is available globally.
 
-When you secure identities on-premises with Active Directory, Microsoft doesn't monitor sign-in attempts. When you connect Active Directory with Microsoft Entra ID, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. For example, Microsoft Entra ID can detect sign-in attempts from unexpected locations or unknown devices.
+Connecting the two unlocks extra protection. On its own, on-premises Active Directory doesn't monitor sign-in behavior. Once connected to Microsoft Entra ID, Microsoft can detect suspicious sign-in attempts at no extra cost — for example, sign-ins from unexpected locations or unknown devices.
 
 ## Who uses Microsoft Entra ID?
 
 Microsoft Entra ID is for:
 
- -  **IT administrators**. Administrators can use Microsoft Entra ID to control access to applications and resources based on their business requirements.
+ -  **IT administrators**. Administrators can use Microsoft Entra ID to control access to applications and resources based on workload and security requirements.
  -  **App developers**. Developers can use Microsoft Entra ID to provide a standards-based approach for adding functionality to applications that they build, such as adding SSO functionality to an app or enabling an app to work with a user's existing credentials.
  -  **Users**. Users can manage their identities and take maintenance actions like self-service password reset.
  -  **Online service subscribers**. Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM Online subscribers are already using Microsoft Entra ID to authenticate into their account.
@@ -17,24 +17,26 @@ Microsoft Entra ID is for:
 
 Microsoft Entra ID provides services such as:
 
- -  **Authentication**: This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.
- -  **Single sign-on**: Single sign-on (SSO) enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.
- -  **Application management**: You can manage your cloud and on-premises apps by using Microsoft Entra ID. Features like Application Proxy, SaaS apps, the My Apps portal, and single sign-on provide a better user experience.
- -  **Device management**: Along with accounts for individual people, Microsoft Entra ID supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based Conditional Access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.
+ -  **Authentication** — Verifies identity before granting access. Includes self-service password reset, multifactor authentication, banned password lists, and smart lockout.
+ -  **Single sign-on (SSO)** — Lets one identity access multiple applications. SSO benefits and behavior are covered in the authentication methods unit.
+ -  **Application management** — Manages cloud and on-premises apps through features like Application Proxy, SaaS app integration, and the My Apps portal.
+ -  **Device management** — Supports device registration and management through tools like Microsoft Intune. Enables device-based Conditional Access policies that restrict access to known devices.
+
+:::image type="content" source="../media/directory-services-option-entra-capabilities-hub.png" alt-text="Diagram showing Microsoft Entra ID at the center with spokes connecting to Authentication, Single Sign-On, App Management, and Device Management capabilities.":::
 
 ## Can I connect my on-premises AD with Microsoft Entra ID?
 
-If you had an on-premises environment running Active Directory and a cloud deployment using Microsoft Entra ID, you would need to maintain two identity sets. However, you can connect Active Directory with Microsoft Entra ID, enabling a consistent identity experience between cloud and on-premises.
+Without a connection, an on-premises Active Directory deployment and a cloud Microsoft Entra ID deployment require you to maintain two separate identity sets. Microsoft Entra Connect bridges that gap.
 
-One method of connecting Microsoft Entra ID with your on-premises AD is using Microsoft Entra Connect. Microsoft Entra Connect synchronizes user identities between on-premises Active Directory and Microsoft Entra ID. Microsoft Entra Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.
+Microsoft Entra Connect synchronizes user identities between on-premises Active Directory and Microsoft Entra ID. Because changes flow between both systems, users get a consistent experience — including SSO, multifactor authentication, and self-service password reset — whether they're accessing on-premises or cloud resources.
 
 ## What is Microsoft Entra Domain Services?
 
-Microsoft Entra Domain Services is a service that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. Just like Microsoft Entra ID lets you use directory services without having to maintain the infrastructure supporting it, with Microsoft Entra Domain Services, you get the benefit of domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
+Microsoft Entra Domain Services provides managed domain services — domain join, group policy, LDAP, and Kerberos/NTLM authentication — without requiring you to deploy or maintain domain controllers in the cloud.
 
-A Microsoft Entra Domain Services managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.
+This is especially useful for legacy applications that can't use modern authentication. You can lift and shift those applications from on-premises into a managed domain without managing an AD DS environment in the cloud.
 
-Microsoft Entra Domain Services integrates with your existing Microsoft Entra tenant. This integration lets users sign into services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.
+Because Microsoft Entra Domain Services integrates with your existing Microsoft Entra tenant, users can sign in to the managed domain with their existing credentials. Existing groups and user accounts also carry over, providing a smoother migration path.
 
 ### How does Microsoft Entra Domain Services work?
 
@@ -46,7 +48,8 @@ You don't need to manage, configure, or update these DCs. The Azure platform han
 
 A managed domain is configured to perform a one-way synchronization from Microsoft Entra ID to Microsoft Entra Domain Services. You can create resources directly in the managed domain, but they aren't synchronized back to Microsoft Entra ID. In a hybrid environment with an on-premises AD DS environment, Microsoft Entra Connect synchronizes identity information with Microsoft Entra ID, which is then synchronized to the managed domain.
 
-:::image type="content" source="../media/azure-active-directory-sync-topology-7359f2b8-427db2d4.png" alt-text="Diagram of Microsoft Entra Connect Sync synchronizing information back to the Microsoft Entra tenant from on-premises AD.":::
+:::image type="content" source="../media/directory-services-option-sync-architecture.png" alt-text="Diagram showing the identity sync flow from on-premises Active Directory through Microsoft Entra Connect to Microsoft Entra ID and Domain Services.":::
 
 
 Applications, services, and VMs in Azure that connect to the managed domain can then use common Microsoft Entra Domain Services features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication.
+