Glossary
Search Azure terms
Open a clear definition, then continue into exam context, architecture, commands, operational examples, common mistakes, and related concepts.
Search all
Commands
Learning guides
Concept graph
Compare
Search-first Azure knowledge base
Term results
Search for a term or click a category. Results render only after you ask for them, so the glossary does not dump every available term on first load. Each result includes Quick peek and Open full term page actions.
Start with a search or a category.
Try managed identity , resource group , az group , private endpoint , or click Databases to load all database-related terms.
Showing 26 security terms.
Security
premium
Analytic rule
An analytic rule is a Microsoft Sentinel detection rule that turns scheduled, near-real-time, Microsoft security, machine learning, or threat intelligence logic into alerts and incidents.
Microsoft Sentinel
intermediate
3 commands
Aliases: No aliases yet
Quick peek
Open full term page
Security
premium
Application Gateway WAF policy
An Application Gateway WAF policy stores Web Application Firewall configuration for Application Gateway v2. It includes managed rules, custom rules, exclusions, and policy settings, and can be associated globally, with a listener, or with a path-based rule for targeted web request inspection.
Web application firewall
intermediate
4 commands
Aliases: Application Gateway WAF policy, WAF policy for Application Gateway, Azure WAF policy, regional WAF policy
Quick peek
Open full term page
Security
premium
Certificate
A certificate is an X.509 object used for TLS, authentication, or cryptographic operations.
Secrets and keys
fundamentals
2 commands
Aliases: No aliases yet
Quick peek
Open full term page
Security
premium
Customer-managed key rotation
Customer-managed key rotation is the planned creation and adoption of new versions of a customer-managed encryption key while Azure services keep accessing protected data safely.
Key management
advanced
4 commands
Aliases: Customer-managed key rotation
Quick peek
Open full term page
Security
premium
Data classification tag
A tag or catalog label that marks the sensitivity, owner, regulatory handling, or business classification of an Azure resource or dataset.
Data protection and governance
Intermediate
4 commands
Aliases: classification tag, sensitivity tag, data sensitivity tag, confidentiality tag
Quick peek
Open full term page
Security
premium
Data exfiltration control
A set of Azure controls that restrict, inspect, or approve where sensitive data can leave a workload, workspace, network, or tenant boundary.
Network and data protection
Intermediate
4 commands
Aliases: egress control, data exfiltration protection, approved outbound data boundary
Quick peek
Open full term page
Security
premium
Incident
Incident is a security or operational case that groups alerts, entities, evidence, investigation notes, and response actions around a potential issue.
SIEM and SOAR
fundamentals
5 commands
Aliases: Incident, incident
Quick peek
Open full term page
Security
premium
Just-in-time VM access
Just-in-time VM access is the Microsoft Defender for Cloud control that locks down VM management ports and opens approved inbound access only for a limited time.
Defender for Cloud
intermediate
5 commands
Aliases: JIT VM access, Defender for Cloud JIT, just in time access, JIT network access policy
Quick peek
Open full term page
Security
premium
Key
Key controls how protected workloads use cryptographic material for encryption, signing, key wrapping, customer-managed keys, and regulated data protection. Teams see it in key vault keys, managed hsm keys. It is not a password, secret value, certificate, storage account key, shared access signature, or application configuration setting; confusing them can create failed encryption operations, accidental key deletion. Use the term when reviewing access, monitoring, cost, recovery, or performance. It keeps architects, operators, security reviewers, and support teams focused on the same setting, resource, or behavior.
Secrets and cryptography
Fundamentals
5 commands
Aliases: Azure Key Vault key, cryptographic key, key object, encryption key
Quick peek
Open full term page
Security
premium
Key Vault
Azure Key Vault is a cloud service for storing and controlling access to secrets, keys, and certificates. It helps applications, administrators, and automation protect sensitive values with encryption, access control, logging, purge protection, private networking, and managed integration across Azure workloads.
Secrets and keys
Fundamentals
5 commands
Aliases: Key Vault, Azure Key Vault, vault, secrets store, certificate vault, secure secrets store, key vault resource
Quick peek
Open full term page
Security
premium
Key Vault access policy
Key Vault access policy controls which identities can read, write, list, delete, recover, sign, unwrap, or manage Key Vault objects when the vault uses policy-based access. Teams see it in key vault access policies blade, secret permissions. It is not Azure RBAC for Key Vault, a network firewall rule, a secret value, a certificate policy, or an application setting; confusing them can create overprivileged identities, broken secret retrieval. Use the term when reviewing access, monitoring, cost, recovery, or performance. It keeps architects, operators, security reviewers, and support teams focused on the same setting, resource, or behavior.
Secrets and keys
Intermediate
5 commands
Aliases: access policy, vault access policy, Key Vault policy permissions, data-plane access policy
Quick peek
Open full term page
Security
premium
Managed identity for data access
Managed identity for data access is the pattern of using a managed identity to let a workload read or write data without embedded secrets. Teams use it when pipelines, applications, jobs, or analytics services need secure access to storage, databases, or other data services. In plain English, it gives operators a named control for least-privilege data access, reduced secret exposure, and cleaner audit trails instead of leaving the decision hidden in a portal setting, script, or deployment file. Treat it as production-ready only when the owner, dependencies, permission boundary, monitoring signal, and rollback evidence are clear.
Data access security
intermediate
3 commands
Aliases: Managed identity for data access, Microsoft Entra ID, Data access security
Quick peek
Open full term page
Security
premium
Secret
A secret is sensitive data that Azure Key Vault stores and controls, such as a password, API key, token, or connection string. Secrets have names, values, versions, metadata, and access controls, and Key Vault encrypts them at rest through audited operations.
Secrets and keys
fundamentals
5 commands
Aliases: Azure secret, Key Vault secret, secret value, application secret, stored credential
Quick peek
Open full term page
Security
premium
Secure Score
Secure Score in Microsoft Defender for Cloud is a risk-based measurement of cloud security posture. It summarizes progress against security recommendations and controls so teams can prioritize remediation, track improvement, and communicate posture across Azure and multicloud environments over time.
Cloud security posture
fundamentals
5 commands
Aliases: secure score, Defender for Cloud secure score, cloud secure score, security posture score, Microsoft Defender secure score
Quick peek
Open full term page
Security
field-manual-complete
Infrastructure encryption
Infrastructure encryption controls whether supported Azure services apply an extra platform encryption layer for workloads that require stronger data-at-rest protection. Teams see it in storage accounts, encryption scopes. It is not customer-managed keys, transparent data encryption, transport encryption, or a backup retention policy; confusing them can create noncompliant storage designs, irreversible creation-time gaps. Use the term when reviewing access, monitoring, cost, recovery, or performance. It keeps architects, operators, security reviewers, and support teams focused on the same setting, resource, or behavior.
Data Protection
Intermediate
5 commands
Aliases: double encryption, platform infrastructure encryption, second encryption layer, infrastructure-level encryption
Quick peek
Open full term page
Security
field-manual-complete
Least privilege
Least privilege means granting identities only the permissions required to perform their tasks, and no broader access than necessary. Microsoft Learn guidance applies this principle across Azure RBAC, data-plane permissions, privileged access, managed identities, and operational reviews to reduce attack surface and limit blast radius.
Security architecture
fundamentals
2 commands
Aliases: No aliases yet
Quick peek
Open full term page
Security
field-manual-complete
Least privilege data access
Microsoft Learn describes least privilege as granting users and applications only the data and operations required to do their jobs. In Azure data access, that means scoped roles, managed identities, limited secrets, network controls, and reviewable permissions instead of broad owner-style access.
Data operations
intermediate
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Security
field-manual-complete
Private Link for data services
Private Link for data services means your applications connect to databases, storage, and analytics services through private endpoints instead of public endpoints.
Data operations
intermediate
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Security
verified
Purge protection
Purge protection is a safety lock for Azure Key Vault.
Secrets and keys
fundamentals
5 commands
Aliases: No aliases yet
Quick peek
Open full term page
Security
verified
Regulatory compliance
Regulatory compliance is the view that translates cloud security findings into standards, controls, and audit language. Instead of only saying “this storage account is misconfigured,” Defender for Cloud can show how that issue affects a benchmark or regulatory framework. For operators, it
Compliance
fundamentals
5 commands
Aliases: Defender for Cloud regulatory compliance, compliance dashboard, compliance standards, regulatory compliance standards
Quick peek
Open full term page
Security
field-manual-complete
Security recommendation
A security recommendation is a prioritized instruction from Microsoft Defender for Cloud that says, in effect, this resource has a security problem worth reviewing.
Cloud security posture
fundamentals
4 commands
Aliases: Defender for Cloud recommendation, cloud security recommendation, security assessment
Quick peek
Open full term page
Security
verified
Watchlist
A Microsoft Sentinel watchlist is a named set of reference data, usually uploaded from CSV or storage, that analysts use in KQL queries, analytics rules, hunting, workbooks, notebooks, and investigations to enrich, filter, correlate, or prioritize security events at scale.
SIEM and SOAR
fundamentals
5 commands
Aliases: Microsoft Sentinel watchlist, Sentinel reference data list, watchlist alias, KQL watchlist lookup
Quick peek
Open full term page
Security
verified
Zero Trust
Zero Trust is a security strategy that assumes breach, verifies every access request explicitly, and uses least privilege to reduce blast radius. In Azure, it is implemented through identity, device, network, data, application, monitoring, governance, and threat-detection controls across environments.
Security architecture
fundamentals
5 commands
Aliases: Zero Trust architecture, Never trust always verify, Assume breach, Verify explicitly
Quick peek
Open full term page
Security
complete
Defender for Cloud
Microsoft Defender for Cloud is a cloud-native application protection platform that provides security posture management, recommendations, regulatory insights, and workload protection across Azure, multicloud, and DevOps environments.
Cloud security posture
beginner
4 commands
Aliases: Microsoft Defender for Cloud, Azure Defender for Cloud, MDC
Quick peek
Open full term page
Security
premium field-manual
Managed HSM
Managed HSM is a fully managed, single-tenant hardware security module service for storing and using cryptographic keys. Teams use it when regulated workloads require hardware-backed keys, strong isolation, controlled key operations, and auditable administration. In plain English, it gives operators a named control for stronger key governance, compliance evidence, and separation of duties for cryptographic operations instead of leaving the decision hidden in a portal setting, script, or deployment file. Treat it as production-ready only when the owner, dependencies, permission boundary, monitoring signal, and rollback evidence are clear.
Key management
intermediate
3 commands
Aliases: Managed HSM, Azure Key Vault Managed HSM, Key management
Quick peek
Open full term page
Security
top-250-pre130-priority-upgraded
Microsoft Sentinel
Microsoft Sentinel means Microsoft cloud SIEM and SOAR service for collecting security signals, detecting threats, investigating incidents, and automating response. Teams should manage it with clear ownership, monitoring, rollback evidence, and production change discipline.
SIEM and SOAR
fundamentals
4 commands
Aliases: Sentinel, Azure Sentinel, Microsoft Sentinel SIEM
Quick peek
Open full term page
No glossary terms matched that search.
Try a service name, acronym, command group, or category such as RBAC , az group , App Service , Application Insights , Databases , or Azure AI Search .
Clear filters and show matches
Reset search