AZ-120 Study Guide

Domain 1: Migrate SAP Workloads to Azure

  • SAP on Azure: The Big Picture Free
  • Assessing SAP Workloads for Migration Free
  • Migration Strategies: The Decision Framework Free
  • RISE with SAP on Azure Free
  • Migration Execution: DMO, Classical, and Beyond Free
  • HANA System Replication for Migration Free
  • Post-Migration: Validation, Health, and HLI Migration Free

Domain 2: Design and Implement an Infrastructure to Support SAP Workloads

  • SAP-Certified Virtual Machines on Azure
  • Storage Architecture for SAP on Azure
  • Networking for SAP on Azure
  • HANA Architecture on Azure
  • SAP Application Tier on Azure
  • Proximity Placement and Availability Options
  • Azure Center for SAP Solutions (ACSS)
  • SAP Deployment Automation Framework (SDAF)

Domain 3: Design and Implement High Availability and Disaster Recovery

  • High Availability Concepts for SAP
  • High Availability for ASCS/SCS
  • HANA System Replication for HA
  • Shared Storage and Load Balancer Deep Dive
  • Disaster Recovery Strategy for SAP
  • Disaster Recovery Implementation

Domain 4: Maintain SAP Workloads on Azure

  • Azure Monitor for SAP Solutions
  • Backup for SAP HANA
  • Backup for SAP Application Servers
  • Security and Encryption for SAP
  • Microsoft Sentinel for SAP
  • Cost Optimization for SAP on Azure
  • SAP Operations and Lifecycle Management


Domain 4: Maintain SAP Workloads on Azure (~12 min read)

Security and Encryption for SAP

Secure SAP on Azure with network controls (NSGs, Azure Firewall, Bastion), encryption at rest and in transit (ADE, SSE, CMK, HANA TDE, TLS), identity with Entra ID SSO, RBAC, Azure Policy compliance, and OS patching with Update Manager.

Defense in depth for SAP

🔧 Aisha reviews the security checklist. “SAP contains the most sensitive data in any organization — financial records, employee data, supplier contracts, manufacturing formulas. At TradeCorp, Carlos says security is job one. We need defense in depth: network controls, encryption, identity management, and continuous compliance.”

Carlos emphasizes. “Our industry regulators can audit us at any time. We need to prove that SAP data is protected in transit, at rest, and from unauthorized access.”

☕ Simple explanation

Think of it like securing a bank vault.

Network security is the outer walls and guards (who gets in the building). Encryption at rest is the vault door (data is scrambled even if someone breaks in). Encryption in transit is the armored truck (data is protected while moving). Identity management is the key card system (only authorized people access specific areas). Compliance is the auditor who checks that all locks work. You need all layers — no single layer is enough.

Security for SAP on Azure follows the defense-in-depth model: network segmentation and filtering (NSGs, Azure Firewall, Private Endpoints, Bastion), encryption at rest (Azure Disk Encryption, Server-Side Encryption with customer-managed keys, HANA Transparent Data Encryption), encryption in transit (TLS for all communication), identity and access management (Entra ID SSO via SAML, RBAC for Azure resources), and governance (Azure Policy for compliance enforcement, Update Manager for OS patching). Each layer mitigates different threat vectors.

Network security

NSGs, Azure Firewall, and Private Endpoints

Reviewed in the networking module, now applied as a security discipline:

  • NSGs — allow only the SAP listener ports (32NN dispatcher for SAP GUI, 33NN gateway for RFC, 36NN message server, 3NN13/3NN15 HANA SQL for SystemDB/tenant, where NN is the instance number) from trusted source ranges, and let the default DenyAllInbound rule catch everything else
  • Azure Firewall — centralized egress filtering in the hub VNet. Block SAP VMs from reaching the internet directly; allow only the required destinations (SAP support, OS update repositories, Azure service endpoints)
  • Private endpoints — reach Azure PaaS services (Storage, Key Vault, Backup) over private IPs, so SAP VMs never traverse the public internet to use them
  • Azure Bastion — RDP/SSH to SAP VMs without public IPs or exposed management ports on the VMs. Replaces jump boxes with public IPs
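
The NSG and Bastion bullets above, as an added example script (not from the study guide or from Microsoft): it derives the listener ports from the SAP instance number, builds an allow-list rule set with the Azure CLI, and opens SSH through Bastion. The resource group, NSG, Bastion and address ranges are assumptions; NN is the two-digit instance number.

```bash
#!/usr/bin/env bash
# Added example (not from the study guide): allow-list NSG rules for an SAP application
# subnet, plus SSH through Azure Bastion. Every name and address range below is an
# assumption for illustration; NN is the two-digit SAP instance number.
set -eu

RG="${RG:-rg-sap-prd}"                               # assumed SAP resource group
NSG="${NSG:-nsg-sap-app}"                             # assumed NSG on the SAP app subnet
TRUSTED="${TRUSTED:-10.10.0.0/16}"                    # assumed corporate range (SAP GUI/RFC sources)
BASTION_SUBNET="${BASTION_SUBNET:-10.20.255.0/26}"    # assumed AzureBastionSubnet range

# sap_ports NN: print the NetWeaver/HANA listener ports for instance NN, one per line.
#   32NN dispatcher (SAP GUI/DIAG), 33NN gateway (RFC), 36NN message server,
#   3NN13 HANA SystemDB SQL, 3NN15 HANA tenant SQL.
sap_ports() {
  local nn="$1"
  case "$nn" in
    [0-9][0-9]) ;;
    *) echo "instance number must be two digits (00-99), got '$nn'" >&2; return 1 ;;
  esac
  printf '%s\n' "32$nn" "33$nn" "36$nn" "3${nn}13" "3${nn}15"
}

# create_sap_nsg_rules NN: SAP ports only from the trusted range, SSH/RDP only from the
# Bastion subnet, and an explicit deny for the Internet service tag. Rules are evaluated by
# priority, so the narrow allows (100, 110) must sit above the broad deny (4000).
create_sap_nsg_rules() {
  # shellcheck disable=SC2046  # word-splitting is intended: one argument per port
  az network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowSapFromTrusted \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$TRUSTED" --destination-port-ranges $(sap_ports "$1")
  az network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowMgmtFromBastion \
    --priority 110 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$BASTION_SUBNET" --destination-port-ranges 22 3389
  az network nsg rule create -g "$RG" --nsg-name "$NSG" -n DenyInboundInternet \
    --priority 4000 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes Internet --destination-port-ranges '*'
}

# bastion_ssh VMNAME: SSH to an SAP VM through Bastion with the native client (needs the
# Bastion Standard SKU with native client support); the VM keeps no public IP at all.
bastion_ssh() {
  local vm_id
  vm_id="$(az vm show -g "$RG" -n "$1" --query id -o tsv)"
  az network bastion ssh --name "${BASTION:-bas-hub}" --resource-group "${HUB_RG:-rg-hub}" \
    --target-resource-id "$vm_id" --auth-type ssh-key \
    --username "${ADMIN_USER:-sapadmin}" --ssh-key "${SSH_KEY:-$HOME/.ssh/id_ed25519}"
}

# The port helper runs offline; Azure is only touched when explicitly asked for.
if [ "${SAP_APPLY:-0}" = "1" ]; then
  create_sap_nsg_rules "${SAP_NN:-00}"
fi
```

Run it with SAP_APPLY=1 SAP_NN=00 after az login. The explicit DenyInboundInternet rule duplicates what the default DenyAllInbound already does; it is there so that intent stays visible, and still holds, when somebody later adds a broader allow rule at a lower priority number than 4000 but forgets the source restriction.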

💡 Exam tip: Bastion for management access

If the exam asks how to securely access SAP VMs for administration, Azure Bastion is the answer. It provides browser-based RDP/SSH through the Azure portal without public IPs on the SAP VMs. Jump boxes with public IPs are the legacy approach and not recommended.

Encryption at rest

Encryption at rest options for SAP

SSE (Server-Side Encryption)
  What it encrypts: Azure managed disks; everything written to the disk
  Key management: platform-managed keys by default, or customer-managed keys (CMK) through a disk encryption set
  SAP awareness: transparent to SAP; no configuration needed

ADE (Azure Disk Encryption)
  What it encrypts: OS and data disks inside the guest, using BitLocker (Windows) or dm-crypt (Linux)
  Key management: keys (and optional key-encryption key) stored in Azure Key Vault
  SAP awareness: transparent to SAP; operates at the OS level. Cannot be combined with SSE+CMK or encryption at host on the same disk

HANA TDE
  What it encrypts: HANA data and log volumes within the database (backup encryption is a separate switch)
  Key management: HANA's own root keys in the instance secure store (SSFS), which must be backed up separately
  SAP awareness: SAP-specific; encrypts database persistence independently of disk encryption

Customer-managed keys (CMK)
  What it encrypts: not a separate layer; the key option for SSE (via a disk encryption set) or for ADE (key-encryption key)
  Key management: Azure Key Vault with customer-controlled rotation and revocation
  SAP awareness: transparent to SAP; a key-management layer only

🔧 Aisha explains. “We use SSE with customer-managed keys as the baseline — every disk is encrypted by default. On top of that, HANA TDE encrypts the database content inside HANA. Belt and suspenders.”

When to use which

  • SSE (default) — always on with platform-managed keys. No configuration needed, no key custody on your side.
  • SSE + CMK — when compliance requires customer-controlled keys with your own rotation and revocation. Needs a Key Vault with purge protection: if the key is lost, the disks are unreadable
  • ADE — when you need encryption visible inside the guest OS (some compliance frameworks require it). Cannot be combined with SSE + CMK on the same disk
  • HANA TDE — when you need database-level encryption independent of the infrastructure layer. It covers the data and log volumes on disk (and backups, if backup encryption is enabled), not data in memory, and it does not replace disk encryption for the OS, /hana/shared or backup storage
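
The table and the "when to use which" list above, as an added example (not from the study guide, Microsoft or SAP): create the Key Vault, key and disk encryption set for SSE + CMK, move a VM's disks onto it, audit which disks are still on platform keys, and enable HANA TDE on the database side. Resource names, region, the hdbuserstore key SAPTDE and the sample resource IDs are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the study guide or Microsoft): customer-managed keys for SAP
# managed disks, an audit of which disks still use platform keys, and enabling HANA TDE.
# Resource names, region, the hdbuserstore key SAPTDE and all sample IDs are assumptions.
set -eu

RG="${RG:-rg-sap-prd}"; LOC="${LOC:-westeurope}"
KV="${KV:-kv-sap-prd-001}"; KEY="${KEY:-sap-disk-key}"; DES="${DES:-des-sap-prd}"

# One-time setup. Purge protection is mandatory on a vault backing a disk encryption set:
# if the key were purged, every disk wrapped with it would become unreadable.
setup_cmk() {
  local key_url des_principal
  az keyvault create -g "$RG" -n "$KV" -l "$LOC" --enable-purge-protection true
  az keyvault key create --vault-name "$KV" -n "$KEY" --kty RSA --size 3072
  key_url="$(az keyvault key show --vault-name "$KV" -n "$KEY" --query key.kid -o tsv)"
  az disk-encryption-set create -g "$RG" -n "$DES" -l "$LOC" \
    --key-url "$key_url" --source-vault "$KV" --enable-auto-key-rotation true
  # The DES's managed identity must be able to wrap/unwrap with the key (access-policy
  # model shown; on an RBAC-enabled vault assign Key Vault Crypto Service Encryption User).
  des_principal="$(az disk-encryption-set show -g "$RG" -n "$DES" --query identity.principalId -o tsv)"
  az keyvault set-policy -n "$KV" --object-id "$des_principal" --key-permissions get wrapKey unwrapKey
}

# encrypt_vm_disks VMNAME: move the OS and data disks of a VM to the DES (VM deallocated).
# SSE+CMK cannot be combined with ADE on the same disk, so choose one of the two per disk.
encrypt_vm_disks() {
  local vm="$1" d
  az vm deallocate -g "$RG" -n "$vm"
  for d in $(az vm show -g "$RG" -n "$vm" \
      --query "[storageProfile.osDisk.name, storageProfile.dataDisks[].name][]" -o tsv); do
    az disk update -g "$RG" -n "$d" --disk-encryption-set "$DES" \
      --encryption-type EncryptionAtRestWithCustomerKey
  done
  az vm start -g "$RG" -n "$vm"
}

# audit_disk_encryption DES_ID: read "name<TAB>encryptionType<TAB>desId" lines on stdin, the
# shape of  az disk list --query "[].[name,encryption.type,encryption.diskEncryptionSetId]" -o tsv,
# and print each disk not encrypted with the expected DES. Returns 1 if any were printed.
audit_disk_encryption() {
  local expected bad=0 name etype des
  expected="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  while IFS="$(printf '\t')" read -r name etype des; do
    [ -n "$name" ] || continue
    des="$(printf '%s' "$des" | tr 'A-Z' 'a-z')"   # resource IDs compare case-insensitively
    case "$etype" in
      EncryptionAtRestWithCustomerKey|EncryptionAtRestWithPlatformAndCustomerKeys)
        if [ "$des" != "$expected" ]; then
          echo "NONCOMPLIANT $name: encrypted with $des"; bad=1
        fi ;;
      *) echo "NONCOMPLIANT $name: $etype (platform-managed key)"; bad=1 ;;
    esac
  done
  return "$bad"
}

# enable_hana_tde NN DB: data-volume, log and backup encryption for one HANA database.
# Run once per tenant on a multi-tenant system. Root keys live in HANA's secure store
# (SSFS), not in Azure Key Vault: back them up, or encrypted persistence is unrecoverable.
enable_hana_tde() {
  local nn="$1" db="$2" stmt
  for stmt in "ALTER SYSTEM PERSISTENCE ENCRYPTION ON" \
              "ALTER SYSTEM LOG ENCRYPTION ON" \
              "ALTER SYSTEM BACKUP ENCRYPTION ON"; do
    hdbsql -i "$nn" -d "$db" -U SAPTDE "$stmt"
  done
  hdbsql -i "$nn" -d "$db" -U SAPTDE "SELECT SCOPE, IS_ENCRYPTION_ACTIVE FROM M_ENCRYPTION_OVERVIEW"
}

# Constructed sample in the az output shape above (fake subscription and IDs), for the audit.
DES_ID="/subscriptions/0000/resourceGroups/rg-sap-prd/providers/Microsoft.Compute/diskEncryptionSets/des-sap-prd"
OLD_DES_ID="/subscriptions/0000/resourceGroups/rg-sap-prd/providers/Microsoft.Compute/diskEncryptionSets/des-old"
SAMPLE_DISKS="$(printf 'hana-prd-os\tEncryptionAtRestWithCustomerKey\t%s\nhana-prd-data1\tEncryptionAtRestWithPlatformKey\tNone\napp-prd-os\tEncryptionAtRestWithCustomerKey\t%s\n' "$DES_ID" "$OLD_DES_ID")"

printf '%s\n' "$SAMPLE_DISKS" | audit_disk_encryption "$DES_ID" || true   # lists the two non-compliant disks

if [ "${SAP_APPLY:-0}" = "1" ]; then
  setup_cmk
  encrypt_vm_disks "${SAP_VM:-vm-hana-prd}"
  az disk list -g "$RG" --query "[].[name,encryption.type,encryption.diskEncryptionSetId]" -o tsv \
    | audit_disk_encryption "$(az disk-encryption-set show -g "$RG" -n "$DES" --query id -o tsv)"
fi
```

The audit is the part worth keeping in a pipeline: a disk attached later from a snapshot or by a deployment template silently falls back to platform keys, and that is exactly the gap an auditor asking for "customer-controlled keys on all SAP disks" will probe. The HANA statements use an hdbuserstore key rather than a password on the command line, which would otherwise end up in shell history and process listings.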

Encryption in transit

All SAP communication should be encrypted in transit. Different SAP protocols use different encryption mechanisms:

  • HANA internal and system replication traffic (data and log shipping) — HANA's built-in TLS, switched on in global.ini (enable_ssl for system replication, ssl=systemPKI for inter-host traffic)
  • SAP GUI connections — SNC (Secure Network Communications) for the proprietary DIAG protocol. SNC is not TLS; it is SAP's own cryptographic layer for non-HTTP protocols, provided by a library such as CommonCryptoLib with Kerberos or X.509 credentials
  • Web Dispatcher to Fiori — HTTPS with TLS certificates (standard web encryption)
  • RFC connections between SAP systems — SNC, the same mechanism as for SAP GUI
  • HANA client connections — TLS on the HANA SQL port; set sslenforce so that cleartext clients are refused rather than merely discouraged
  • Azure Load Balancer passes encryption through — it works at layer 4 and does not terminate TLS or SNC for SAP
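
The HANA side of the list above, as an added example (not from the study guide or SAP): a check of a HANA global.ini for the three TLS settings that cover SQL clients, inter-host traffic and system replication, run against a constructed weak file and a constructed hardened one, followed by the hdbsql statements that set the hardened values. The instance number and the hdbuserstore key SAPTDE are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the study guide or SAP): audit a HANA global.ini for the TLS
# settings that cover client SQL connections, inter-host traffic and system replication,
# shown on a constructed weak and hardened file, then apply the hardened values with hdbsql.
# The instance number and the hdbuserstore key SAPTDE are assumptions.
set -eu

# hana_tls_audit: read global.ini on stdin; print "MISSING section.key=value" for every
# required setting that is absent or has another value; return 0 only if all are present.
#   [communication] sslenforce=true       clients must use TLS on the SQL port (3NN13/3NN15)
#   [communication] ssl=systemPKI         TLS for internal host-to-host communication
#   [system_replication_communication] enable_ssl=on   TLS for HSR data/log shipping
hana_tls_audit() {
  local flat want rc=0
  flat="$(awk '
    /^[ \t]*\[/ { gsub(/\[|\]|[ \t]/, ""); section = tolower($0); next }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      print section "." tolower(key) "=" tolower(val)
    }')"
  for want in communication.sslenforce=true \
              communication.ssl=systempki \
              system_replication_communication.enable_ssl=on; do
    if ! printf '%s\n' "$flat" | grep -qx "$want"; then
      echo "MISSING $want"; rc=1
    fi
  done
  return "$rc"
}

# hana_enforce_tls NN: set the hardened values. sslenforce makes HANA refuse cleartext SQL
# clients, so switch application servers, hdbuserstore entries and monitoring agents to
# encrypted connections first and set it last; plan a restart for the ssl=systemPKI change.
hana_enforce_tls() {
  local nn="$1" stmt
  for stmt in \
    "ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') SET ('communication','ssl') = 'systemPKI' WITH RECONFIGURE" \
    "ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') SET ('system_replication_communication','enable_ssl') = 'on' WITH RECONFIGURE" \
    "ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') SET ('communication','sslenforce') = 'true' WITH RECONFIGURE"; do
    hdbsql -i "$nn" -d SYSTEMDB -U SAPTDE -e "$stmt"   # -e: this connection itself uses TLS
  done
}

# tls_on_port HOST PORT: external check that a listener actually negotiates TLS.
tls_on_port() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Constructed samples (not from a real system): what a default install can look like, and
# the form the audit expects.
WEAK_INI='[communication]
sslenforce = false
[system_replication_communication]
enable_ssl = off'

HARDENED_INI='[communication]
sslenforce = true
ssl = systemPKI
sslcryptoprovider = commoncrypto
[system_replication_communication]
enable_ssl = on'

echo "weak global.ini:";     printf '%s\n' "$WEAK_INI"     | hana_tls_audit || true
echo "hardened global.ini:"; printf '%s\n' "$HARDENED_INI" | hana_tls_audit && echo "  all TLS settings present"

if [ "${SAP_APPLY:-0}" = "1" ]; then hana_enforce_tls "${SAP_NN:-00}"; fi
```

Against the weak file the audit prints three MISSING lines; against the hardened file it prints nothing and returns 0, which is what a CI job or a Sentinel playbook would key on. The ordering inside hana_enforce_tls is deliberate: enabling sslenforce before the clients are ready is a self-inflicted outage, not a security win.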

Identity and access management

Entra ID SSO for SAP

Microsoft Entra ID (formerly Azure AD) provides single sign-on for SAP applications using SAML:

  • Users authenticate once in Entra ID and access SAP without re-entering credentials
  • Configure SAP as a SAML enterprise application in Entra ID
  • Map Entra ID attributes to SAP user attributes
  • Supports conditional access policies (MFA, device compliance, location-based access)
  • Works with SAP Fiori, SAP GUI for HTML, and SAP Business Technology Platform. SAP GUI for Windows does not speak SAML; it authenticates through SNC (Kerberos or X.509), so that path is planned separately

RBAC for Azure resources

Azure RBAC controls who can manage SAP infrastructure:

  • SAP Basis admins get Contributor on the SAP resource groups only (manage VMs, disks, networking), not at subscription scope
  • Security team gets Reader plus security-specific roles (for example Security Reader, Key Vault Reader)
  • Developers get access to dev/test resource groups only
  • Use custom roles to remove dangerous operations (for example VM or disk deletion), and add resource locks as well: NotActions only narrow one role and do not stop a principal who also holds Contributor through another assignment
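
A custom role of the kind the last bullet describes, as an added example (not from the study guide or Microsoft): Basis operators can run, resize and patch SAP VMs but not delete them, and a CanNotDelete lock backs the role up. The subscription ID, resource group and Entra ID group name are assumptions.

```bash
#!/usr/bin/env bash
# Added example: a custom Azure role for SAP Basis operators that cannot delete VMs or disks,
# plus a resource lock because RBAC NotActions alone cannot forbid an action.
# Subscription ID, resource-group and group names are assumptions.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-sap-prd}"
BASIS_GROUP="${BASIS_GROUP:-sap-basis-admins}"   # assumed Entra ID security group

# sap_basis_role_json: the role definition. NotActions subtract from this role's Actions
# only; a principal that also holds Contributor elsewhere can still delete.
sap_basis_role_json() {
  cat <<EOF
{
  "Name": "SAP Basis Operator",
  "IsCustom": true,
  "Description": "Operate SAP VMs and disks without the ability to delete them",
  "Actions": [
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/availabilitySets/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Insights/alertRules/*"
  ],
  "NotActions": [
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/disks/delete"
  ],
  "AssignableScopes": [ "/subscriptions/$SUB/resourceGroups/$RG" ]
}
EOF
}

# role_denies ROLE_JSON ACTION: 0 if ACTION is listed in the role's NotActions block.
role_denies() {
  printf '%s\n' "$1" | sed -n '/"NotActions"/,/]/p' | grep -q "\"$2\""
}

apply_role() {
  local tmp
  tmp="$(mktemp)"
  sap_basis_role_json > "$tmp"
  az role definition create --role-definition "@$tmp"
  az role assignment create --role "SAP Basis Operator" \
    --assignee-object-id "$(az ad group show -g "$BASIS_GROUP" --query id -o tsv)" \
    --assignee-principal-type Group \
    --scope "/subscriptions/$SUB/resourceGroups/$RG"
  # Hard stop for deletion regardless of who holds which role. Removing the lock is a
  # separate, auditable action (Microsoft.Authorization/locks/delete) the role does not grant.
  az lock create --name no-delete-sap-prd --lock-type CanNotDelete --resource-group "$RG"
  rm -f "$tmp"
}

if [ "${SAP_APPLY:-0}" = "1" ]; then apply_role; fi
```

Assign the role at resource-group scope, never at the subscription, and keep the lock: a role that cannot delete is a least-privilege statement, while the lock is the control that still holds when somebody is granted Contributor for an incident and forgets to remove it.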

SAP BTP integration

SAP Business Technology Platform (BTP) can integrate with Azure services:

  • Principal propagation from Entra ID to SAP BTP for unified identity
  • Azure Private Link for secure connectivity between Azure and BTP
  • Not heavily tested on AZ-120 but know it exists as an integration point

Compliance with Azure Policy

Azure Policy enforces organizational standards on SAP resources:

  • Require encryption on all managed disks
  • Enforce specific VM sizes (only SAP-certified SKUs)
  • Require NSGs on all subnets
  • Deny public IP addresses on SAP VMs
  • Require tags on all resources (cost center, environment, SID)
  • Audit compliance status for security reviews
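
Two of the controls listed above (deny public IPs on SAP VMs, allow only SAP-certified sizes) as custom policy definitions, plus the assignment and the non-compliance query, as an added example (not from the study guide or Microsoft). The subscription ID, resource group and the allowed-size list are assumptions; the aliases are the ones the corresponding built-in definitions use.

```bash
#!/usr/bin/env bash
# Added example: two custom policy definitions for SAP resource groups (deny NICs with public
# IPs, deny VM sizes outside an allowed list), their assignment, and a compliance query.
# Subscription ID, resource group and the allowed-size list are assumptions.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-sap-prd}"
SCOPE="/subscriptions/$SUB/resourceGroups/$RG"

# Deny any network interface that gets an ipconfiguration with a public IP attached.
deny_public_ip_rule() {
  cat <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Network/networkInterfaces" },
      { "not": {
          "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
          "notLike": "*"
      } }
    ]
  },
  "then": { "effect": "deny" }
}
EOF
}

# Deny VM creation unless the size is in the assignment's allowedSizes parameter.
allowed_vm_size_rule() {
  cat <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name", "in": "[parameters('allowedSizes')]" } }
    ]
  },
  "then": { "effect": "deny" }
}
EOF
}

allowed_vm_size_params() {
  cat <<'EOF'
{ "allowedSizes": { "type": "Array", "metadata": { "displayName": "SAP-certified VM sizes" } } }
EOF
}

# rule_effect JSON: extract the effect from a rule without depending on jq.
rule_effect() {
  printf '%s' "$1" | tr -d ' \n' | sed -n 's/.*"effect":"\([a-zA-Z]*\)".*/\1/p'
}

apply_policies() {
  az policy definition create --name sap-deny-public-ip --display-name "SAP: deny public IPs on NICs" \
    --mode All --rules "$(deny_public_ip_rule)"
  az policy definition create --name sap-allowed-vm-sizes --display-name "SAP: allowed VM sizes" \
    --mode All --rules "$(allowed_vm_size_rule)" --params "$(allowed_vm_size_params)"
  az policy assignment create --name sap-deny-public-ip --policy sap-deny-public-ip --scope "$SCOPE"
  # Example size list only; take the real one from the current SAP-certified SKU list.
  az policy assignment create --name sap-allowed-vm-sizes --policy sap-allowed-vm-sizes --scope "$SCOPE" \
    --params '{ "allowedSizes": { "value": ["Standard_E32ds_v5", "Standard_M128s", "Standard_M416ms_v2"] } }'
  # What an auditor asks for: everything in scope that currently violates an assignment.
  az policy state list --resource-group "$RG" --filter "complianceState eq 'NonCompliant'" \
    --query "[].{resource:resourceId, policy:policyDefinitionName}" -o table
}

if [ "${SAP_APPLY:-0}" = "1" ]; then apply_policies; fi
```

Deny effects stop new violations at deployment time; existing resources are only reported, so run the compliance query (or look at the assignment's compliance blade) after assigning, and remediate what was already there.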

OS patching with Update Manager

Azure Update Manager (the successor to Azure Automation Update Management) automates OS patching:

  • Schedule maintenance windows for SAP VMs
  • Coordinate patching with SAP maintenance calendar
  • Patch non-production first, then production after validation
  • Supports both Linux (SLES, RHEL) and Windows
  • Pre/post events (delivered through Event Grid to Azure Automation runbooks or Functions) to stop SAP before and start it after patching
  • For Pacemaker clusters, patch one node at a time with the cluster in maintenance mode, so a stopped instance is not failed over in the middle of the patch window
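
The pre/post hooks the last two bullets describe, as an added example (not from the study guide, Microsoft or SAP): stop SAP and put the cluster into maintenance mode before the patch, start it afterwards, and fail the run unless every process reports GREEN. It parses the output of sapcontrol GetProcessList (constructed samples below) instead of trusting its exit code, because that call returns 3 rather than 0 when all processes are running. The instance number, SID and cluster commands are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre/post scripts for an Update Manager maintenance run on an SAP VM, and a
# parser for sapcontrol GetProcessList that decides whether SAP came back healthy.
# Instance number, SID and the Pacemaker commands are assumptions for illustration.
set -eu

NN="${SAP_NN:-00}"    # assumed instance number of the ASCS/app server on this VM
SID="${SAP_SID:-PRD}"

# sap_all_green: read `sapcontrol -nr NN -function GetProcessList` output on stdin; return 0
# only if at least one process is listed and every one reports dispstatus GREEN.
# Timestamp, "GetProcessList", "OK" and header lines are skipped by field count / first field.
sap_all_green() {
  awk -F', *' '
    NF >= 4 && $1 != "name" { total++; if ($3 == "GREEN") green++ }
    END { exit (total > 0 && total == green) ? 0 : 1 }'
}

# sap_not_green: list the processes that are not GREEN, "name: status", for the log.
sap_not_green() {
  awk -F', *' 'NF >= 4 && $1 != "name" && $3 != "GREEN" { print $1 ": " $3 }'
}

# pre_patch: stop SAP cleanly and, on a Pacemaker node, keep the cluster from reacting to
# the stopped instance while the OS is patched. Patch one cluster node at a time.
pre_patch() {
  if command -v crm >/dev/null 2>&1; then crm configure property maintenance-mode=true; fi  # SLES
  if command -v pcs >/dev/null 2>&1; then pcs property set maintenance-mode=true; fi        # RHEL
  sapcontrol -nr "$NN" -function StopSystem ALL
  sapcontrol -nr "$NN" -function WaitforStopped 600 2   # exit 2 on timeout aborts under set -e
}

# post_patch: start SAP, wait, and fail the maintenance run if any process is not GREEN.
post_patch() {
  sapcontrol -nr "$NN" -function StartSystem ALL
  sapcontrol -nr "$NN" -function WaitforStarted 600 2
  if ! sapcontrol -nr "$NN" -function GetProcessList | sap_all_green; then
    echo "SAP $SID instance $NN is not healthy after patching:" >&2
    sapcontrol -nr "$NN" -function GetProcessList | sap_not_green >&2
    return 1
  fi
  if command -v crm >/dev/null 2>&1; then crm configure property maintenance-mode=false; fi
  if command -v pcs >/dev/null 2>&1; then pcs property set maintenance-mode=false; fi
}

# Constructed sapcontrol output (not from a real system) in the GetProcessList format.
SAMPLE_OK='01.06.2025 02:10:00
GetProcessList
OK
name, description, dispstatus, textstatus, starttime, elapsedtime, pid
msg_server, MessageServer, GREEN, Running, 2025 06 01 02:05:11, 0:04:49, 4021
enq_server, Enqueue Server 2, GREEN, Running, 2025 06 01 02:05:11, 0:04:49, 4022
gwrd, Gateway, GREEN, Running, 2025 06 01 02:05:12, 0:04:48, 4023'

SAMPLE_BAD="$SAMPLE_OK
enq_replicator, Enqueue Replicator 2, YELLOW, Initializing, 2025 06 01 02:05:13, 0:04:47, 4024"

printf '%s\n' "$SAMPLE_BAD" | sap_not_green    # prints: enq_replicator: YELLOW

case "${PATCH_PHASE:-}" in
  pre)  pre_patch ;;
  post) post_patch ;;
esac
```

Wire pre_patch and post_patch to the maintenance configuration's pre and post events (PATCH_PHASE=pre / PATCH_PHASE=post), run the script as the sidadm user so sapcontrol can reach the instance, and let a non-zero exit from post_patch stop the rollout before the next system is touched.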

Question

What is the difference between SSE and ADE for SAP disk encryption?

Answer

SSE (Server-Side Encryption) encrypts managed disks at the storage service level — transparent, always on. ADE (Azure Disk Encryption) encrypts at the OS level using BitLocker or dm-crypt — visible in the guest OS. Both protect data at rest. SSE is the default. ADE adds guest-visible encryption for specific compliance requirements.

Question

How does Entra ID SSO work with SAP?

Answer

Entra ID acts as the identity provider using SAML. SAP applications are configured as SAML enterprise applications. Users authenticate in Entra ID and receive a SAML token that SAP accepts — no separate SAP login needed. Conditional access policies (MFA, device compliance) apply to SAP access through Entra ID.

Question

What is HANA TDE and how does it differ from disk encryption?

Answer

HANA Transparent Data Encryption encrypts data and log files within the HANA database itself. Even if someone accesses the raw disk (bypassing Azure encryption), the HANA data is still encrypted. Disk encryption (SSE/ADE) protects the storage layer. TDE protects the database layer. Both can be used together for defense in depth.

Question

How does Azure Bastion secure SAP VM access?

Answer

Azure Bastion provides browser-based RDP/SSH through the Azure portal without public IPs on SAP VMs. Management traffic goes through Bastion (which is in a dedicated subnet), eliminating exposure of RDP/SSH ports to the internet. No jump boxes with public IPs needed.

Question

What does Azure Update Manager do for SAP?

Answer

Update Manager automates OS patching for SAP VMs. It schedules maintenance windows, coordinates with the SAP calendar, supports Linux (SLES, RHEL) and Windows, and integrates with Azure Automation for pre/post scripts (stop/start SAP before/after patching). Patch non-production first, then production.

Knowledge check

  • TradeCorp's compliance team requires customer-controlled encryption keys for all SAP disks. What should Aisha configure?
  • Carlos needs to provide SAP Fiori users with single sign-on using their corporate credentials. What should Aisha configure?
  • Aisha needs to securely access SAP VMs for troubleshooting without exposing RDP/SSH ports to the internet. What should she use?

Summary

You now understand the complete security stack for SAP on Azure: network controls (NSGs, Firewall, Private Endpoints, Bastion), encryption at rest (SSE, ADE, CMK, HANA TDE) and in transit (TLS for HTTP/HTTPS, SNC for SAP GUI/RFC, HANA internal encryption), identity (Entra ID SSO with SAML, RBAC), compliance (Azure Policy), and patching (Update Manager). Defense in depth means no single layer is trusted alone.

Next, we add a security layer specifically designed for SAP: Microsoft Sentinel for SAP threat detection.




© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.