
Getting prepared for the Microsoft Azure Administrator certification exam
Exam AZ-103

Rick Vanover,
Senior Director, Product Strategy Veeam Software; MVP

© 2019 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners.

Introduction and foreword

By reading this content, you are taking a number of very impactful steps in your technical and professional
career. A Microsoft Azure certification is a strategic decision in your future, and at Veeam®, we are happy
to help you prepare for this important step. In this introduction, I will share a few perspectives on this content
and its impact on the emerging technical professional of the future.

As a former Microsoft MVP, I realize the strategic importance of Microsoft Azure. I would go so far as to say
there are few things more important in the industry today. The aggregated amount of spend in the hyperscale
public cloud market is staggering. To give you some perspective, Azure is a hypergrowth market
with billions of USD of spend per quarter worldwide [1]. There is effectively nothing more strategic to invest your
career in at the moment.

I don’t need to convince you further that Azure is a safe and strong bet for your career; however, I do encourage
Azure professionals to take a holistic look at the platform. Specifically, there are over 100 Azure
services. I talk to customers of all sizes in my role here at Veeam, and effectively all of those conversations have
at least one angle around the cloud. Azure is frequently part of those conversations, but I see many organizations
approaching Azure as a like-for-like equivalent of their on-premises operation. This means that few
services beyond Azure VMs, Azure Disk Storage or Azure File Storage are being used. Those are good and
likely mainstay services in many scenarios, but there are many more services in Azure that can power
next-generation applications, including Azure-based technologies for mobile apps, IoT solutions
and multimedia solutions.

The saying “the sky’s the limit” applies nowhere more fittingly than to the Azure cloud.

This Azure certification journey will positively impact your technical acumen, your career potential and more.

At Veeam, we realize the strategic importance of Azure as a top-tier cloud player. We have been incorporating
Azure features for over three years. Whether it is restoring any workload to an Azure VM, leveraging Blob Storage
or even providing free secure file transfer to and from Azure VMs, Veeam has invested in this platform for years
and will continue to do so. This is shown in our most recent product announcement for backing up Azure VMs.

Good luck on your Azure certification journey. We at Veeam hope this resource will aid you in your study
and provide you perspective to achieve the certification.

Best regards and highest Availability,

Rick Vanover
Senior Director, Product Strategy Veeam Software

[1] Source: VentureBeat, June 2019: https://venturebeat.com/2019/06/18/microsoft-beats-amazon-and-google-to-opens-its-first-cloud-region-in-the-middle-east/

Table of Contents
Introduction and foreword (p. 2)
Getting prepared for the Microsoft Azure Administrator certification exam (p. 5)
  Manage Azure subscriptions and resources (p. 5)
    Azure subscription management (p. 5)
    Azure resource group management (p. 6)
    Azure resource locks (p. 6)
    Tagging resource groups (p. 7)
    Moving resources across resource groups (p. 7)
    Monitoring and alerts (p. 7)
    Azure Cost Management (p. 7)
    Managed role-based access control (RBAC) (p. 8)
  Implement and manage virtual machines (p. 9)
    Create and configure a VM for Windows and Linux (p. 9)
      Availability Sets (p. 9)
      Availability Zones (p. 9)
      VM scale sets (p. 9)
    Azure VM management (p. 10)
      VM configuration changes (p. 10)
      VM extensions (p. 10)
      Azure Backup (p. 10)
      Azure Site Recovery (p. 10)
    Automated deployment of VMs (p. 11)
  Configure and manage virtual networks (p. 12)
    Create connectivity between virtual networks (p. 12)
    Assigning public and private IPs (p. 12)
    User-defined routes (p. 13)
    Name resolution in Azure (p. 14)
    Network security groups (NSGs) for traffic filtering (p. 14)
    Connectivity for hybrid architecture (p. 15)
      VPN gateway (p. 15)
      Point-to-Site (P2S) VPN (p. 15)
      Site-to-Site (S2S) VPN (p. 15)
      Multi-site VPN (p. 15)
      ExpressRoute (p. 16)
  Implement and manage storage (p. 16)
    Azure Blob Storage (p. 16)
    Azure Files (p. 16)
    Azure Queue Storage (p. 16)
    Azure Table storage (p. 17)
    Import and export data to Azure (p. 17)
      Azure Import/Export service (p. 17)
      Azure Data Box (p. 17)
      Azure File Sync (p. 18)
  Manage identities (p. 19)
    Custom domains (p. 20)
    Self-Service Password Reset (SSPR) (p. 20)
    Hybrid identities (p. 20)
    Password hash synchronization (p. 20)
    Pass-through authentication (p. 21)
    Integration with ADFS (p. 21)
    Password writeback (p. 21)
    Azure Multi-Factor Authentication (MFA) (p. 21)
Summary (p. 22)
About Veeam Software (p. 23)

Getting prepared for the Microsoft Azure Administrator certification exam
The AZ-103: Microsoft Azure Administrator certification exam measures your skill set in provisioning
and managing an Azure environment with a focus on Azure subscription management, compute, storage,
networking and identity. The AZ-103 exam replaces the AZ-100 and AZ-101 exams, thereby simplifying
your journey to become a certified Azure Administrator Associate.

This study guide is intended to help you understand the Azure Administrator skills measured in AZ-103,
as well as some of the important topics that will be covered under each of the exam’s study areas.

The five study areas and their relative weights are listed below. You can expect more questions from areas
with higher weights.

AZ-103 study areas                          Weights
Manage Azure subscriptions and resources    15-20%
Implement and manage storage                15-20%
Deploy and manage virtual machines          15-20%
Configure and manage virtual networks       30-35%
Manage identities                           15-20%

Manage Azure subscriptions and resources

Azure subscription management
There are three main roles in Azure subscription management: account administrator, service administrator
and co-administrator.
• Account administrator: This role is responsible for subscription billing and has access to the Azure Account
Center. This account also can perform subscription-level activities like create/cancel subscriptions and
change the billing details or the service administrator of subscriptions.
• Service administrator: This role has the same function as the account administrator when the subscription
is initially created. The service administrator can access the Azure portal and manage all resources in it. The
account also has permission to add or remove the co-administrator.
• Co-administrator: This role has permission for all resources in the Azure subscription but cannot remove the
service administrator from the Azure Management Portal.

Exam tips:
• A user with only account administrator rights cannot access the Azure Management Portal. He/she should
also have service administrator rights assigned to access the portal.
• Only the service administrator can change the association of a subscription with Azure Active Directory.
• The account administrator account can only be changed by contacting Azure Support.


Azure resource group management

The Azure Resource Manager (ARM) model offers a consistent layer of management that helps logically group
your Azure resources in Azure resource groups. Multiple interdependent entities, such as virtual machines,
storage accounts, networks, web apps and SQL Servers that make up an environment, can be provisioned
in an Azure resource group so that you can deploy, update or delete them as a single entity.

Exam tips:
• A resource can be moved across resource groups, but it can exist in only one resource group at any given time.
• You can assign permissions at the resource group level that will be inherited by all resources in the resource group.
• A resource group is created in an Azure location where it stores the metadata of all the resources in it.
However, it can include many types of resources deployed in multiple Azure regions.
• Once created, resource groups cannot be renamed.
• When a resource group is deleted, all the resources in that group are also deleted.

Azure resource locks

You should implement Azure resource locks to protect your resources from accidental deletion. Resource
locks can be applied at the subscription, resource group or individual resource level. It is advisable to apply
locks at the resource group level as they will be inherited by all resources in the group. There are two types
of locks: read-only and delete. While read-only locks prevent any changes to resources, delete locks prevent
the deletion of resources.

Here is a snippet that shows how you can apply a resource lock from Azure CLI:

testuser@Azure:~$ az lock create --name donotdelete --resource-group az103 --lock-type CanNotDelete

Once executed successfully, the results will be displayed as follows:

{
  "id": "/subscriptions/0ca9bf5b-ye7c-4de0-a0e4-8ab711bd369c/resourceGroups/az103/providers/Microsoft.Authorization/locks/donotdelete",
  "level": "CanNotDelete",
  "name": "donotdelete",
  "notes": null,
  "owners": null,
  "resourceGroup": "az103",
  "type": "Microsoft.Authorization/locks"
}

Exam tip:
Applying a read-only lock is similar to limiting the permission of all authorized users to the reader role
at the assigned scope.
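
As an added example (not code from the guide), the following Python audits the JSON that `az lock list` returns and reports which resource groups still lack a lock that blocks deletion at the resource-group scope; the sample output and the subscription id in it are constructed.

```python
import json

# Constructed sample of `az lock list` output (placeholder subscription id).
# Lock 1 is a CanNotDelete lock on resource group "az103" (as in the guide).
# Lock 2 is a ReadOnly lock, but only on one storage account inside "shared",
# so the resource group "shared" itself is still deletable.
SAMPLE_LOCKS_JSON = """
[
  {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/az103/providers/Microsoft.Authorization/locks/donotdelete",
    "level": "CanNotDelete",
    "name": "donotdelete",
    "notes": null,
    "resourceGroup": "az103",
    "type": "Microsoft.Authorization/locks"
  },
  {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/shared/providers/Microsoft.Storage/storageAccounts/sharedlogs/providers/Microsoft.Authorization/locks/freeze",
    "level": "ReadOnly",
    "name": "freeze",
    "notes": null,
    "resourceGroup": "shared",
    "type": "Microsoft.Authorization/locks"
  }
]
"""

LOCK_MARKER = "/providers/Microsoft.Authorization/locks/"


def lock_scope(lock_id):
    """Return the scope a lock applies to: the part of its id before the
    '/providers/Microsoft.Authorization/locks/<name>' suffix."""
    idx = lock_id.find(LOCK_MARKER)
    return lock_id[:idx] if idx != -1 else lock_id


def is_resource_group_scope(scope):
    """True only if the scope is exactly a resource group, i.e.
    /subscriptions/<id>/resourceGroups/<name> with nothing after it."""
    parts = scope.strip("/").split("/")
    return len(parts) == 4 and parts[0] == "subscriptions" and parts[2] == "resourceGroups"


def resource_groups_missing_delete_protection(locks_json, expected_groups):
    """Return the expected resource groups that have no CanNotDelete lock at the
    resource-group scope. A ReadOnly lock at that scope also counts as protected,
    because it blocks deletion as well as writes; locks on a single resource
    inside the group do not protect the group itself."""
    protected = set()
    for lock in json.loads(locks_json):
        scope = lock_scope(lock["id"])
        if lock["level"] in ("CanNotDelete", "ReadOnly") and is_resource_group_scope(scope):
            protected.add(scope.strip("/").split("/")[3].lower())
    return sorted(g for g in expected_groups if g.lower() not in protected)


def locks_by_level(locks_json):
    """Count locks per level, a quick summary for an audit report."""
    counts = {}
    for lock in json.loads(locks_json):
        counts[lock["level"]] = counts.get(lock["level"], 0) + 1
    return counts


if __name__ == "__main__":
    groups = ["az103", "shared"]
    print("lock levels:", locks_by_level(SAMPLE_LOCKS_JSON))
    print("unprotected resource groups:",
          resource_groups_missing_delete_protection(SAMPLE_LOCKS_JSON, groups))
```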


Tagging resource groups

Azure tags consist of name-value pairs that help you logically organize resources deployed in multiple
resource groups. This is helpful from a billing perspective, as the tags are reflected in the usage CSV
that customers can download from the account center.

Exam tip:
In scenario-based questions where the objective is to find the cost incurred for chargeback by different
departments in an organization, look for options that involve tagging.

Moving resources across resource groups

You can move Azure resources to a new resource group directly from the Azure portal or by using Azure CLI
without any downtime. During the move, the resources are locked so that no delete or write operations can
happen, but they remain available. In certain cases, you also need to migrate dependent
resources while moving the parent resource. For example, you should move your virtual network gateways
while migrating virtual networks.

Exam tip:
Review Microsoft’s list of services that can and cannot be moved. Also make note of limitations for the resources
that can be moved.

Monitoring and alerts

Azure Monitor helps collect diagnostics information from multiple sources to keep track of the performance, health
and Availability of your Azure environment. Data is collected from applications, operating systems, Azure resources,
subscriptions, tenants and other sources. The Log Analytics platform can be used for a comprehensive analysis
of data collected from these sources to provide valuable business insights using built-in and custom queries.

Alerts can be created based on metrics from individual resources or from the query results in Log Analytics.
Action groups created in the Azure portal define the notification preferences when an alert is generated. You
can configure action groups to send an SMS or email, call a webhook or invoke an automation runbook, logical
app, function app, etc. when an alert is triggered.

Azure Cost Management

Azure Cost Management helps you keep a tab on the costs incurred by your Azure resources. You can filter
the resources based on resource group, resource name, tag, service name, service tier and other specifications
to view the accumulated cost. Azure Advisor provides recommendations on reducing Azure spend by resizing
or shutting down VMs or by deleting unused virtual network gateways, unprovisioned ExpressRoute circuits,
unused public IPs, etc.

Exam tips:
• For scenario-based questions on finding the unused Azure resources listed above, check for Azure Monitor
in the answer options.
• One action group can be used for multiple alerts. You will see confusing options in questions related
to action groups, so be thorough when learning about their relationship with alerts.


Managed role-based access control (RBAC)

Role-based access control in Azure provides fine-grained access control to resources in Azure. Azure has four
main roles and many built-in roles with predefined permissions.

The four main roles are:

• Owner: Has full rights over the assigned scope and can also assign permissions to other users
• Contributor: Has the same rights as the owner in terms of resources but cannot grant rights to other
users
• Reader: Has only view permission at the assigned scope
• User Access Administrator: Allows you to manage user access permissions to Azure resources

Customers can also create custom roles for implementing additional restrictions if they are not provided
by any existing built-in roles. Below is a sample JSON definition file for a custom role:

{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/11111111-1111-1111-1111-111111111111",
    "/subscriptions/33333333-3333-3333-3333-333333333333"
  ]
}
Exam tips:
• In questions related to custom roles, make sure that the IsCustom value is set to true and that
AssignableScopes is set to the correct subscription.
• RBAC uses the approach of least privilege, so if the requirement mentioned in the question is to assign
user permissions, select User Access Administrator role. Owner role permissions would be overkill.
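
The following added Python example (not part of the guide) re-types the Virtual Machine Operator role above as a dictionary, evaluates effective permissions the way Azure does (Actions minus NotActions, with `*` wildcards), and checks the two points from the exam tips, IsCustom and AssignableScopes; the subscription ids are the placeholder values from the JSON above.

```python
import fnmatch

# The custom role definition from the guide, as a Python dict.
VM_OPERATOR_ROLE = {
    "Name": "Virtual Machine Operator",
    "IsCustom": True,
    "Description": "Can monitor and restart virtual machines.",
    "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/11111111-1111-1111-1111-111111111111",
        "/subscriptions/33333333-3333-3333-3333-333333333333",
    ],
}


def _matches(pattern, operation):
    """Azure action patterns: '*' matches any run of characters, '/' included.
    Operation names are compared case-insensitively."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role, operation):
    """Effective permission for a control-plane operation is Actions minus
    NotActions. NotActions only subtracts from Actions; it never denies
    something another role assignment grants."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def with_not_actions(role, not_actions):
    """Shallow copy of a role with a replaced NotActions list, for what-if checks."""
    clone = dict(role)
    clone["NotActions"] = list(not_actions)
    return clone


def validate_custom_role(role, subscription_id):
    """Findings an exam-style review would raise for a custom role that is meant
    to be assigned somewhere inside `subscription_id`; an empty list passes.
    Management-group scopes are not handled here (assumption of this example)."""
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    scopes = role.get("AssignableScopes", [])
    wanted = f"/subscriptions/{subscription_id}".lower()
    if not scopes:
        findings.append("AssignableScopes is empty")
    elif not any(s == "/" or s.lower() == wanted or s.lower().startswith(wanted + "/")
                 for s in scopes):
        findings.append(f"no AssignableScopes entry covers subscription {subscription_id}")
    if "*" in role.get("Actions", []):
        findings.append("Actions contains '*', which grants Owner-level rights")
    return findings


if __name__ == "__main__":
    for op in ("Microsoft.Compute/virtualMachines/restart/action",
               "Microsoft.Compute/virtualMachines/delete"):
        print(op, "->", "allowed" if role_allows(VM_OPERATOR_ROLE, op) else "denied")
    print(validate_custom_role(VM_OPERATOR_ROLE, "11111111-1111-1111-1111-111111111111"))
```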


Implement and manage virtual machines

Create and configure a VM for Windows and Linux
Virtual machines can be created through Azure portal, Azure CLI, ARM templates, PowerShell and other
automation tools like Terraform. Some of the important aspects to consider when planning for a VM are its
location, VM SKU, network, disk types and operating system. For High Availability, the VMs should be deployed
in either Availability Sets or Availability Zones.

Availability Sets
VMs are automatically placed in fault domains and update domains within the same data center to protect
them from Availability issues. VMs in different fault domains are protected from a single point of failure
in terms of network and power. During planned maintenance, updates are applied in one update domain
at a time in order to ensure that at least one update domain is always available. When two VMs are placed
in an Availability Set, Azure offers 99.95% assured SLA.

Availability Zones
Availability Zones are different physical locations in an Azure region. VMs can be placed in up to three
Availability Zones. Each Availability Zone represents a combination of a fault domain and an update domain.
As the VMs are placed in different data centers, they are also protected from data center failures. When two
VMs are placed in an Availability Zone, Azure offers 99.99% assured SLA.

VM scale sets
VM scale sets allow automated horizontal scaling of VMs based on usage patterns. Multiple VMs are created
using the same image and configuration, and additional VMs are added to the scale set based on metrics
or specified schedules. This helps keep Azure costs lower since additional VMs are added only when required
and are removed when not in use. VM scale sets are automatically integrated with Azure Load Balancer
or Azure Application Gateway for traffic management and distribution to backend VMs.

Exam tips:
• The maximum supported size of an OS disk is 2,048 GB.
• The maximum supported size of a data disk is 32,767 GB.
• The VM SKUs decide the number of data disks that can be attached to the VM.
• For workloads with high performance requirements, select unmanaged premium SSD disks
to be used as data disks.
• For VMs with GPU requirements like graphics rendering, video editing, etc., deploy N-series VMs.
• Not all VM SKUs are available in all Azure regions. Check the availability of the VM SKU in the target region
when planning for the deployment.
• VMs support both managed and unmanaged disks. In managed disks, the underlying storage is managed
by the customer. However, in unmanaged disks, it is managed by the Azure platform.
• Wherever possible, use managed disks in VMs.
• If you are asked to configure for the highest possible SLA, choose Availability Zones.
• VM scale sets support the use of custom VM images, but the maximum number of VMs in a scale set will
be limited to 300. When using Azure Marketplace images, VM scale sets support up to 1,000 Instances.


Azure VM management

VM configuration changes
You can make changes to the VM post-deployment based on your application demands. For example, you can
attach additional data disks and NICs to the VM. However, the maximum number of disks, NICs, IOPS throughput,
etc. is dependent on the Azure VM SKU. You can always do a vertical scaling (i.e., change the size of the VM
to a higher SKU if you need additional capacity).

Note that the new SKU should be available in the Azure region, and the scaling could cause a small downtime
to the VM. Hence, the application Availability should be managed through Availability Sets or Availability Zones,
along with load balancers and application gateways.

VM extensions
VM extensions are useful in handling the post-deployment configuration of VMs. You can use VM extensions
to deploy anti-virus, backup, Puppet, Chef or any other extensions available in the Azure Marketplace. In addition
to third-party, vendor-specific VM extensions, you can also use first-party VM extensions like custom script
extension, PowerShell DSC, Microsoft Monitoring Agent and NVIDIA GPU driver extension. VM extensions can
be included in the ARM templates so that they get deployed automatically during VM provisioning.

Azure Backup
Azure Backup is a cloud-based backup service that you can leverage to take machine-level backups of your VMs.
The step-by-step process for implementing a backup solution for VMs using Azure Backup is listed below:

1. Create a Recovery Services vault in the same region as the VMs. By default, the vault is created using
geo-redundant storage, where six copies of data will always be available for the purpose of redundancy.
To reduce storage costs, this can be changed to locally redundant storage from properties of the vault
after provisioning and before initiating any backups.

2. Select Azure as the backup source for initiating the VM backup and configure the backup policy for daily,
weekly, monthly and yearly backups. You can configure one scheduled backup a day using the backup policy.

3. Select the VM and initiate the backup. A VM backup extension gets installed in the VM, which transfers
the backup data to the storage associated with the backup vault. Note that this agent will already be present
in VMs provisioned from Azure Marketplace but will need to be installed on VMs created using custom images.

The Azure Backup Instant Restore capability is a recent addition to Azure Backup. With this capability, a default
of two snapshots of the disks are made available in a local storage account for faster restore. This eliminates
the wait time for transferring data from the vault for recovery. The default value of two can be increased
to up to five during backup policy configuration.

Azure Site Recovery

Azure Site Recovery helps implement real-time replication and DR protection for your workloads on premises,
as well as in Azure. You can enable replication of VMs through Azure Site Recovery for Azure VMs, physical
servers, Azure Stack VMs and VMs hosted in Hyper-V or VMware. For replicating Hyper-V VMs to Azure,
install the Azure Site Recovery provider in the host machines or VM. It can be downloaded from Azure portal.
For VMware replication, download the OVF file from Azure portal and deploy the configuration server
in your VMware environment.


Exam tips:
• If VM extension installation fails, check for network-level restrictions that are preventing the VM from
downloading the script from the Azure Storage extension repository. Make sure that there are no NSGs
or VM guest firewall configurations preventing access to 168.63.129.16.
• In lab questions that require you to add additional capacity to VMs, select the VM size that supports
the required number of data disks.
• Review the support matrix for Hyper-V/VMware to Azure replication as you can expect scenario-based
questions about supported and unsupported features.

Automated deployment of VMs

Azure Resource Manager (ARM) templates let you automate the deployment of VMs and their dependent resources
from a declarative JSON template. ARM templates can be deployed from the Azure portal, PowerShell or Azure CLI,
or through an Azure DevOps pipeline; Microsoft publishes reference templates for VM deployment in its documentation.
You can also export a template from an existing resource group so that the same configuration can be deployed
consistently across multiple environments.

Exam tip:
You can expect questions about the different configuration sections of an ARM template (such as the storage profile).
The storage profile section of a virtual machine resource defines the image used for the VM deployment, the OS disk
and any data disks to be attached, together with their sizes. A sample profile that creates a Windows Server 2016
Datacenter VM with one empty 2 TB data disk is shown below. Note that "version": "latest" resolves to whatever image
version is current at deployment time; pin an explicit version when you need reproducible builds.

"storageProfile": {
  "imageReference": {
    "publisher": "MicrosoftWindowsServer",
    "offer": "WindowsServer",
    "sku": "2016-Datacenter",
    "version": "latest"
  },
  "osDisk": {
    "createOption": "FromImage"
  },
  "dataDisks": [
    {
      "diskSizeGB": 2048,
      "lun": 0,
      "createOption": "Empty"
    }
  ]
}


Configure and manage virtual networks


Create connectivity between virtual networks
Virtual network peering connects two Azure virtual networks through the Azure backbone network without using
a VPN gateway, so that resources in either VNet can communicate using private IP addresses. Peering can be done
between VNets in the same region or in different regions (Global VNet Peering).

Below are some of the features of VNet peering:


• VNet peering provides a low-latency, high-bandwidth connection without incurring the additional charges
of a VPN gateway.
• VNet peering is commonly used in hub and spoke architectures, where the hub VNet hosts shared services
(gateways, firewalls, DNS) and each spoke VNet is peered to it.
• In a hub and spoke topology, spokes can reach on-premises networks through the hub's gateway by enabling
"Allow gateway transit" on the hub side of the peering and "Use remote gateways" on the spoke side.
• VNet peering is non-transitive. By default, two spokes peered to the same hub cannot communicate with each other;
to allow it, deploy a network virtual appliance (NVA) in the hub and add a user-defined route (UDR) in each spoke
that sends traffic for the other spoke to the NVA.
• VNet peering can be established between networks in different subscriptions associated with the same
or different Azure AD tenants.

Exam tips:
• You can expect questions about communication between VMs in peered VNets. Remember that the relationship
is not transitive unless an NVA with the corresponding UDRs is implemented in the hub.
• Check for overlapping IP address ranges in questions related to VNet peering. Peering cannot be established
between two VNets whose address spaces overlap; the solution is to change the address range (which requires
removing the conflicting subnets first) and then establish the peering.
• A peering is not established unless it is configured in both participating VNets.
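The three peering rules above (no overlapping address spaces, both sides must be configured, no transitivity without an NVA plus UDRs in the hub) can be checked offline before you touch a subscription. The following is an added example written for this guide, not code from the original document or from Microsoft; the VNet names, address spaces and peering entries are constructed sample data, and the "NVA in hub" flag stands in for the NVA-plus-UDR configuration the text describes.

```python
"""Peering checks for a hub-and-spoke design: address-space overlap, both-sides
configuration and non-transitivity. Offline model of the documented behaviour;
it does not call Azure. VNet names, prefixes and peerings are constructed data."""
from ipaddress import ip_network

# Constructed sample topology (assumed names and address spaces).
VNETS = {
    "hub":    ["10.0.0.0/16"],
    "spoke1": ["10.1.0.0/16"],
    "spoke2": ["10.2.0.0/16"],
    "legacy": ["10.1.128.0/17"],   # overlaps spoke1, so it can never peer with it
}

# Peering is configured per VNet; Azure reports "Connected" only when both
# sides exist. The hub->legacy entry has no matching legacy->hub entry.
PEERINGS = {
    ("hub", "spoke1"), ("spoke1", "hub"),
    ("hub", "spoke2"), ("spoke2", "hub"),
    ("hub", "legacy"),
}


def overlaps(prefixes_a, prefixes_b):
    """True if any prefix of A overlaps any prefix of B."""
    return any(ip_network(a).overlaps(ip_network(b))
               for a in prefixes_a for b in prefixes_b)


def can_peer(vnet_a, vnet_b):
    """Azure refuses a peering between VNets whose address spaces overlap."""
    return not overlaps(VNETS[vnet_a], VNETS[vnet_b])


def established_peerings(peerings=PEERINGS):
    """Return the set of {a, b} pairs configured on both sides that do not overlap."""
    pairs = set()
    for local, remote in peerings:
        if (remote, local) in peerings and can_peer(local, remote):
            pairs.add(frozenset((local, remote)))
    return pairs


def reachable(src, dst, nva_in_hub=False):
    """Peering is not transitive: spoke-to-spoke traffic needs an NVA in the hub
    plus a UDR in each spoke pointing at it (modelled here by nva_in_hub=True)."""
    peers = established_peerings()
    if src == dst or frozenset((src, dst)) in peers:
        return True
    if nva_in_hub:
        return frozenset((src, "hub")) in peers and frozenset(("hub", dst)) in peers
    return False


if __name__ == "__main__":
    for pair in (("spoke1", "spoke2"), ("hub", "legacy")):
        print(pair, "direct:", reachable(*pair), "via NVA:", reachable(*pair, nva_in_hub=True))
```

Running the block shows spoke1 and spoke2 unreachable until the NVA path is enabled, and hub and legacy never connected because only one side of that peering exists.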

Assigning public and private IPs


Private IP addresses are used for communication within a virtual network and with on-premises networks connected
through VPN or ExpressRoute. They can be associated with virtual machines (through their network interfaces),
internal load balancers and application gateways. A private IP is either allocated dynamically from the subnet's
address range or configured as static. A dynamic address can change when the VM is stopped (deallocated) and started
again or when the network interface is deleted. A static address stays bound to the network interface even while
the VM is deallocated and is released only when the NIC itself is deleted.

Public IP addresses allow external communication from Azure networks and can be assigned to internet-facing
interfaces of virtual machines, load balancers, VPN gateways and application gateways. There are two SKUs
of public IP addresses: basic and standard. The major differences between them are shown below.


Basic SKU:
• Can be allocated statically or dynamically
• Network security groups are not mandatory; inbound connections are open by default
• Not supported with Standard load balancers (Basic load balancers only)
• Does not support Availability Zones

Standard SKU:
• Static allocation only
• Network security groups are mandatory; inbound traffic is denied until an NSG rule explicitly allows it
• Supported with Standard load balancers
• Supports Availability Zones; zone-redundant by default, or can be deployed as zonal


Exam tips:
• Azure supports both IPv6 and IPv4 addresses. IPv6 can only be assigned through dynamic allocation.
• Azure recommends standard load balancers for all new deployments because they offer the highest
redundancy and only standard SKU IPs are supported in them. You can expect scenario-based questions
asking you to select the right SKU for load balancers/public IPs.

User-defined routes
When a virtual network is created, all devices connected to the subnets in the virtual network can communicate
with each other by default. This is accomplished through system routes automatically assigned to the subnets
of VNets. Although system routes cannot be modified, you can create custom routes or user-defined routes
(UDR) to override them. UDR can be used to set the next hop type of traffic as virtual network gateway, virtual
network, internet or virtual appliance. If the next hop type is set as none for a network, the traffic to that
network or IP will be dropped.

User-defined routes are helpful in the following scenarios:


• Redirect traffic to network virtual appliances (NVAs) in hub and spoke topologies.
• Send traffic to devices hosted on premises when networks are connected to Azure through VPN, for example
for packet inspection or to use a single proxy for internet access.
• Drop traffic to specific destination addresses or to the internet (next hop type None).
• Route traffic to Azure services and keep it within the Azure backbone network.

Exam tips:
• UDR cannot be used to route traffic to/from ExpressRoute gateways. This should be done through BGP.
• Azure uses the longest prefix match algorithm to select the route for the traffic. If there are multiple routes
to the destination, first priority is given to user-defined routes, followed by BGP routes and then system routes.
• UDRs do not accept VNet peering or virtual network service endpoints as next hop type.
• Traffic that matches no more specific route falls through to the system default route, which Azure creates
with the address prefix 0.0.0.0/0 and next hop type Internet.
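The selection rule in the tips above (longest prefix match first, then user-defined route over BGP route over system route when the prefixes are equal) is what you read in a subnet's effective routes. The following added example, written for this guide and not taken from the original document or from any Azure tooling, simulates that selection on a constructed effective route table for a spoke subnet. The prefixes, next hop addresses and route sources are assumed sample values; it does not model routes added by peering or service endpoints.

```python
"""Effective-route selection as Azure documents it: longest prefix match first,
then route source precedence (user-defined > BGP > system) when the prefix
lengths tie. Offline simulation on a constructed route table; it does not call Azure."""
from ipaddress import ip_address, ip_network

# Tie-break order between routes with the same prefix length ("Default" = system route).
SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}

# Constructed effective routes for a spoke subnet: (source, prefix, next hop type, next hop IP).
ROUTES = [
    ("Default", "10.1.0.0/16",    "VirtualNetwork",        None),
    ("Default", "0.0.0.0/0",      "Internet",              None),
    ("BGP",     "192.168.0.0/16", "VirtualNetworkGateway", None),        # learned from on-premises
    ("User",    "0.0.0.0/0",      "VirtualAppliance",      "10.0.1.4"),  # force all internet traffic via hub NVA
    ("User",    "10.2.0.0/16",    "VirtualAppliance",      "10.0.1.4"),  # spoke-to-spoke through the NVA
    ("User",    "192.168.0.0/16", "VirtualAppliance",      "10.0.1.4"),  # same prefix as the BGP route: UDR wins
    ("User",    "203.0.113.0/24", "None",                  None),        # black-hole this range
]


def select_route(dst, routes=ROUTES):
    """Return the winning (source, prefix, next_hop_type, next_hop_ip) for a destination, or None."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in ip_network(r[1])]
    if not candidates:
        return None
    # Longest prefix wins; on equal length the lower SOURCE_RANK wins.
    return max(candidates, key=lambda r: (ip_network(r[1]).prefixlen, -SOURCE_RANK[r[0]]))


def next_hop(dst, routes=ROUTES):
    """Just the next hop type; "None" means Azure drops the traffic."""
    chosen = select_route(dst, routes)
    return chosen[2] if chosen else "NoRoute"


if __name__ == "__main__":
    for dst in ("10.1.5.6", "10.2.9.9", "192.168.3.4", "8.8.8.8", "203.0.113.7"):
        print(dst, "->", select_route(dst))
```

Note how 8.8.8.8 goes to the NVA rather than straight to the internet: the user-defined 0.0.0.0/0 route has the same prefix length as the system default route and therefore wins on source precedence, which is exactly how forced tunnelling through a hub firewall is implemented.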


Name resolution in Azure


There are different options for setting up name resolution for services hosted in Azure networks:
• For VMs in the same virtual network, Azure-provided DNS resolves host names automatically. However, you cannot
manually register DNS records or change the DNS suffix.
• The DNS servers of a VNet can be set to the IP of a virtual machine within the network (for example, a Windows Server
running the DNS or Active Directory Domain Services role). Such a custom DNS server should forward queries it cannot
answer to Azure's recursive resolver at 168.63.129.16 so that Azure-provided names continue to resolve.
• Azure App Services like web apps, functions, bots, etc. can be configured to use your own DNS servers through
the virtual network integration feature.
• Azure Private DNS, in public preview at the time of writing, allows customers to create private DNS zones
with custom domain names and link them to a VNet.
• With auto-registration, virtual machines in the registration VNet are automatically registered in the private zone.
• Additional VNets can be linked to the same private zone as resolution virtual networks, so that names in the zone
resolve across multiple VNets.
• The Azure DNS service hosts customer-owned public DNS domains in Azure and answers queries from Azure's global
network of name servers.

Exam tips:
• To delegate a customer-owned public DNS domain to Azure DNS, update the NS records at the domain registrar
to the Azure DNS name servers assigned to the zone (shown on the zone's overview page in the portal).
• You cannot purchase DNS domains through Azure DNS; the domain is bought from a registrar and then delegated.
• Sample PowerShell (AzureRM module) to create a private DNS zone and set its registration virtual network is given below.
In the newer Az module the equivalent is New-AzPrivateDnsZone followed by New-AzPrivateDnsVirtualNetworkLink
with the -EnableRegistration switch.

$vnet = Get-AzureRmVirtualNetwork -Name "<VNetname>" -ResourceGroupName "<resourcegroupname>"
New-AzureRmDnsZone -Name "<zonename>.com" -ResourceGroupName "<resourcegroupname>" `
    -ZoneType Private -RegistrationVirtualNetworkId @($vnet.Id)

Network security groups (NSGs) for traffic filtering


Network security groups allow traffic filtering through inbound/outbound rules using 5-tuple information
about source, source port, destination, destination port and protocol.

Below are some important facts about network security groups:


• Each rule is assigned a priority number between 100 and 4096; a lower number means higher priority, and rules
are evaluated in priority order with the first match deciding the outcome.
• The source or destination can be an address block (CIDR), a specific IP address, a service tag or an application
security group (ASG).
• Network security groups are stateful. For example, if you have a rule that allows an inbound connection to an
application on port 8080, no outbound rule is required for the return traffic of that same connection.
• Service tags represent groups of Azure address ranges such as VirtualNetwork, AzureCloud (Azure data center IPs),
Storage, Sql, AzureCosmosDB and Internet. They let you refer to a service instead of maintaining lists of IP
addresses, which keeps NSG rules simpler and stable as Microsoft's address ranges change.
• An ASG groups the network interfaces of virtual machines by application role, which removes the need to list explicit
IP addresses in NSG rules. The ASG is used as the source or destination of inbound/outbound rules instead.


Exam tips:
• For VMs, an NSG can be associated with the subnet, with the NIC, or with both. When both are present, traffic must
be allowed by both: for inbound traffic the subnet NSG is evaluated first and then the NIC NSG, for outbound traffic
the NIC NSG first and then the subnet NSG. A Deny at either level blocks the flow.
• For lab and scenario-based questions, check for requirements to restrict traffic to multiple virtual machines. In that
case, it is advisable to apply the rules at the subnet level.
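Whether a given flow gets through a pair of NSGs is a question you can answer offline before deploying, and that is also what you will be asked to reason about in the exam. The following is an added example written for this guide, not code from the original document or an Azure API: it models the documented inbound evaluation (priority order, first match wins, service tags and ASGs as source or destination, default rules, subnet NSG then NIC NSG). The VNet address space, ASG membership, rules and flows are constructed sample data, and the Internet tag is approximated as "any address outside the VNet"; AllowAzureLoadBalancerInBound is left out for brevity.

```python
"""Offline model of NSG inbound evaluation: priority order, 5-tuple match,
service tags and ASGs as source/destination, and subnet-then-NIC chaining.
Not an Azure API: VNet prefixes, ASG membership, rules and flows are constructed
sample data, and the Internet tag is approximated as "not in the VNet"."""
from ipaddress import ip_address, ip_network

VNET_PREFIXES = ["10.1.0.0/16"]                       # assumed VNet address space
ASG_MEMBERS = {"asg-web": ["10.1.1.4", "10.1.1.5"],   # assumed ASG membership (NIC private IPs)
               "asg-db": ["10.1.2.4"]}


def _addr_matches(token, ip):
    """Resolve a rule's source/destination token against a concrete address."""
    a = ip_address(ip)
    if token == "*":
        return True
    if token == "VirtualNetwork":
        return any(a in ip_network(p) for p in VNET_PREFIXES)
    if token == "Internet":                            # approximation, see module docstring
        return not any(a in ip_network(p) for p in VNET_PREFIXES)
    if token in ASG_MEMBERS:
        return ip in ASG_MEMBERS[token]
    return a in ip_network(token, strict=False)        # CIDR block or single address


def _port_matches(token, port):
    """'*', a single port, or a 'lo-hi' range."""
    if token == "*":
        return True
    lo, _, hi = token.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(nsg, f):
    """Lowest priority number is checked first; the first matching rule decides."""
    for r in sorted(nsg, key=lambda x: x["priority"]):
        if r["protocol"] not in ("*", f["protocol"]):
            continue
        if (_addr_matches(r["src"], f["src_ip"]) and _port_matches(r["src_port"], f["src_port"])
                and _addr_matches(r["dst"], f["dst_ip"]) and _port_matches(r["dst_port"], f["dst_port"])):
            return r["access"], r["name"]
    return "Deny", "implicit"                          # unreachable while DenyAllInBound is present


def rule(name, priority, access, src, dst, dst_port, protocol="Tcp", src_port="*"):
    return {"name": name, "priority": priority, "access": access, "protocol": protocol,
            "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port}


# Azure's default inbound rules (AllowAzureLoadBalancerInBound omitted for brevity).
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*", protocol="*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", protocol="*"),
]

SUBNET_NSG = [
    rule("allow-https-in", 100, "Allow", "Internet", "asg-web", "443"),
    rule("allow-ssh-from-mgmt", 110, "Allow", "203.0.113.0/24", "VirtualNetwork", "22"),
] + DEFAULT_INBOUND

NIC_NSG_DB = [
    rule("allow-sql-from-web", 100, "Allow", "asg-web", "asg-db", "1433"),
    rule("deny-vnet-in", 200, "Deny", "VirtualNetwork", "*", "*", protocol="*"),   # tighter than the default
] + DEFAULT_INBOUND


def flow(src_ip, dst_ip, dst_port, protocol="Tcp", src_port=51000):
    """A constructed inbound 5-tuple (ephemeral source port assumed)."""
    return {"src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port, "protocol": protocol, "src_port": src_port}


def inbound_allowed(f, subnet_nsg, nic_nsg=None):
    """Inbound: subnet NSG first, then NIC NSG; a Deny at either level blocks the flow."""
    return all(evaluate(nsg, f)[0] == "Allow" for nsg in (subnet_nsg, nic_nsg) if nsg is not None)


if __name__ == "__main__":
    for f in (flow("198.51.100.7", "10.1.1.4", 443), flow("10.1.1.9", "10.1.2.4", 1433)):
        print(f["src_ip"], "->", f["dst_ip"], f["dst_port"], inbound_allowed(f, SUBNET_NSG, NIC_NSG_DB))
```

The last sample flow is the instructive one: the subnet NSG allows it through AllowVnetInBound, yet the NIC NSG on the database VM denies it because 10.1.1.9 is not a member of asg-web. That is the "both must allow" behaviour the tip describes, and it is also why a permissive subnet NSG does not undo a tight NIC NSG.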

Connectivity for hybrid architecture


Connectivity from an Azure network to on premises can be established either through VPN or ExpressRoute
connections. While VPN enables an encrypted tunnel over the internet, ExpressRoute is a dedicated connection
from an Azure data center to an on-premises network that does not traverse through the internet.

VPN gateway
A VPN gateway is a virtual network gateway deployed into a dedicated gateway subnet that sends encrypted traffic
between an Azure virtual network and an on-premises location (or another VNet). It is the basic prerequisite for any
kind of VPN connectivity to Azure. Gateways are either route-based or policy-based, depending on the architecture
to be implemented and the capabilities of the on-premises device. A policy-based gateway encrypts and directs traffic
according to IPsec policies defined as combinations of on-premises and Azure address prefixes (traffic selectors);
a route-based gateway uses any-to-any (wildcard) traffic selectors and relies on routes to steer traffic into the tunnel.
Policy-based gateways are chosen mainly when the on-premises device supports only IKEv1; they are limited to the Basic
gateway SKU and a single Site-to-Site tunnel and cannot be used for Point-to-Site or VNet-to-VNet connections.
In all other scenarios, use a route-based VPN gateway.

Point-to-Site (P2S) VPN


This VPN configuration is used when mobile users or telecommuters need to connect to resources hosted in Azure
from a public network through a secure channel. Point-to-Site and Site-to-Site connections can co-exist on the same
gateway, provided it is route-based. P2S supports three protocols: OpenVPN, Secure Socket Tunneling Protocol (SSTP)
and IKEv2. VPN clients are available for Windows, Linux and macOS. P2S supports Azure certificate-based authentication
(a root certificate is uploaded to the gateway and each client presents a certificate issued from it) as well as
RADIUS authentication, which can be integrated with an on-premises Active Directory.

Site-to-Site (S2S) VPN


This VPN configuration extends your on-premises network to Azure by connecting the Azure VPN gateway to an on-premises
VPN device over IPsec/IKE (IKEv1 or IKEv2). Unlike a P2S connection, it requires a VPN device with a public IPv4 address
that is not behind NAT. The gateway subnet into which the VPN gateway is deployed should be created as /27 or larger
where possible (/28 also works). You also need a local network gateway object that specifies the public IP of the
on-premises VPN device and the on-premises address prefixes that should be reachable through the tunnel. A pre-shared
key (shared secret) authenticates the IKE negotiation that establishes the tunnel; the same value must be configured
on the Azure connection and on the on-premises device, and it should be a long random value handled like any other
credential.

Multi-site VPN
When connectivity should be established from an Azure network to multiple on-premises data centers, these
connections can be terminated on the same virtual network gateway. This configuration is possible only if the VPN
gateway is route-based. You need to add separate local network gateways for each site with shared keys used
by the gateways while configuring the connections. Multi-site VPNs can be configured for networks that already
have an existing P2S, S2S or VNet-to-VNet connection.


ExpressRoute
ExpressRoute provides private Layer 3 connectivity to Azure through a connectivity provider, without traversing
the public internet; a virtual network gateway of type ExpressRoute connects a VNet to the circuit. Note that
ExpressRoute traffic is private but not encrypted by default; if encryption is required, run a site-to-site IPsec VPN
over the ExpressRoute circuit. Each circuit is redundant by design: two connections are established from the provider's
edge device to a pair of Microsoft Enterprise Edge (MSEE) routers. An ExpressRoute connection at one peering location
enables connectivity to all Azure regions in the same geopolitical region; to connect across geopolitical regions,
enable the ExpressRoute Premium add-on.

There are two main routing domains, private peering and Microsoft peering, that are associated with an ExpressRoute
circuit. Private peering allows direct connectivity to services deployed in Azure virtual networks (virtual machines,
storage, app services, etc.) over private IPs. Microsoft services like Office 365, Dynamics 365 and other PaaS services
that do not have a private IP address can be accessed through a secure channel over Microsoft peering. Public
peering is the legacy peering option used previously for PaaS services like Azure SQL and Storage. It was available
only over public IPs. Now this connectivity is also routed through Microsoft peering.

Exam tips:
• For lab questions where you are required to create a gateway subnet, create it with a CIDR of /27. A /27 or larger
is the recommended size and leaves room for additional gateway configurations.
• In scenario-based questions where both ExpressRoute and VPN are given as options, select VPN for connectivity
over the internet and ExpressRoute when a dedicated connection is required.
• VPN can also be created between two VNets, but select this option only when VNet peering cannot be configured.
VNet peering is the preferred approach for connecting two VNets as it does not involve VPN gateway charges
and the traffic remains within Azure backbone.

Implement and manage storage


The following data services are included in Azure Storage:

Azure Blob Storage


This is object storage in the cloud for large amounts of unstructured data. It is commonly used for archival data,
large audio and video files, big data sets for analysis and more. Objects in Blob Storage are accessed over HTTP/HTTPS
through REST API calls, via Azure PowerShell or the Azure CLI, or through the storage client libraries available for all
leading development platforms, including .NET, Java, Node.js and Ruby.

Azure Files
This is a fully managed cloud-based file share service that can be accessed like a traditional file share by any
client that supports the SMB protocol. Azure file shares can be mounted by machines in Azure as well as on premises,
provided outbound TCP port 445 is open (many ISPs block it) and the client supports SMB 3.0 with encryption, which is
required for connections from outside the Azure region. Authentication to a file share uses shared access signature
(SAS) tokens or the access keys of the storage account in which the share was created; treat those keys as privileged
credentials. An Azure file share can be mounted simultaneously by many VMs for read/write access.

Azure Queue Storage


This service is used by applications for storing and exchanging messages, as well as asynchronous processing of data
or exchanging messages between different services in an application. The maximum size of the message in a queue
is 64 KB, and a queue storage can hold millions of such messages.


Azure Table storage


This service provides a key-attribute-based schemaless store for NoSQL data and can be used to store TBs
of structured non-relational data. As the table does not enforce a schema, it can contain data with different
properties or name-value attributes.

There are different types of storage accounts available in Azure. General-purpose v2 accounts can be used to create
blobs, queues, tables and files. The legacy version General-purpose v1 accounts also support all storage types.
However, v2 accounts are recommended for new deployments as they are most economical and efficient. Block Blob
Storage accounts and Blob Storage accounts as their names indicate, are used for storing blobs. General-purpose
v2 storage accounts are recommended in place of Blob Storage accounts for most use cases. Block Blob Storage
accounts should be used when high transaction, low latency, premium storage is required.

Import and export data to Azure

Azure Import/Export service


Azure Import/Export service should be used in cases where large amounts of data need to be transferred to Azure
Storage and the customer has an unreliable or restrictive network bandwidth. Customers can transfer the data to disk
drives and ship them to Azure data centers, where the data will be imported to Azure Blob or Azure Files.

The two main components are the Azure Import/Export service (available in the Azure portal) and the WAImportExport
tool, which prepares the disks and copies the data onto them. There are two versions of the WAImportExport tool:
version 1 is used for transferring data to Azure Blob Storage, while version 2 is used for Azure Files. You also need
the disk drives (SSD or HDD) that will be shipped to the Azure data center.

High-level steps needed to import/export data include:


• Copy data to the disk drive using the WAImportExport tool and encrypt it using BitLocker.
• In Azure portal, create the import job and upload the drive journal files.
• Ship the disks to the Azure data center.
• Update the delivery tracking number in the import job.
• Data is then uploaded to Azure Storage/Files, and disks are shipped back to the return address.

Azure Data Box


Azure Data Box is a family of physical transfer devices for importing data from on-premises data centers into Azure.
The option described here is Data Box Disk: you order up to five encrypted 8 TB SSDs per order (about 35 TB of usable
capacity), which are shipped to you for copying the data. The larger Data Box appliance serves transfers beyond that.

The workflow for using Azure Data Box is as follows:


• Order the Azure Data Box device from Azure portal. You will be asked to provide shipping information and storage
account details.
• Encrypted disks will be shipped to the provided address.
• Once you receive them, unlock the disks and copy over the data.
• Ship the disks back to the Azure data center.


Azure File Sync


Azure File Sync is used together with Azure file shares. It synchronizes an Azure file share with a folder on
an on-premises Windows Server, so users keep accessing the data locally through the protocols that server exposes
(SMB, NFS or FTPS). Azure File Sync preserves NTFS access control lists (ACLs) on the local copy of the data, although
at the time of writing Azure Files itself does not enforce them over SMB. If the server holding the local copy fails,
another server can be registered and added to the sync group, and the data is synchronized back and made available
to users from the new server.

High-level steps for deploying Azure File Sync include:


• Create a Storage Sync Service in the Azure portal. Each on-premises server can be synced to only one Storage Sync Service.
• Install the File Sync agent on the target server.
• Register the server with Storage Sync Services using Azure credentials to establish a trust relationship.
• Create a sync group that establishes a link between one cloud endpoint (Azure File share) and a server endpoint
(registered server).
• Add a server endpoint to the newly created sync group by selecting the registered server and the path of the server
to which the data will be synchronized.

Exam tips:
• You can expect drag-and-drop questions about the correct order of setting up Import/Export and Azure File Sync.
• Import/Export supports only Azure Storage and File Share as target locations.
• In closed networks, the SMB port (445) should be open in the firewall to allow on-premises users to map Azure File shares.
• In lab questions that require you to create storage, use General-purpose v2 accounts wherever possible as this
is the recommended storage type for new deployments.


Manage identities
Azure AD is the Identity as a Service (IDaaS) offering from Azure that provides identity and access management for
internal corporate resources as well as cloud resources like Office 365, Dynamics CRM or other IaaS/SaaS/PaaS
applications. Azure AD comes with built-in advanced capabilities like multi-factor authentication, privileged identity
management, auditing, application usage monitoring and alerting.

An Azure AD tenant is automatically provisioned when an organization signs up for Microsoft Azure, Intune, Office 365
or other Microsoft cloud services. The tenant represents the organization and is a dedicated instance of Azure AD that
holds its users, groups and apps. An application that serves identities from only one tenant is called single-tenant;
an application that accepts identities from other organizations' tenants as well is called multi-tenant.

The features available in Azure AD are dependent on the licenses associated with the AD Instance.

Azure AD license and features:

Azure Active Directory Free
• User and app management
• Synchronization with on-premises AD
• Single sign-on
• Azure AD device join
• Limited to 500,000 objects per instance
• Azure AD B2B collaboration
• Basic usage reports

Azure Active Directory Basic (all features of Free, plus)
• Cloud-centric application access
• Group-based access provisioning and management
• Self-service password reset
• Company branding for log-on pages and access panel
• Azure AD Application Proxy
• No limit on the number of objects

Azure Active Directory Premium P1 (all features of Free and Basic, plus)
• Dynamic groups
• Self-service group management
• Microsoft Identity Manager (MIM)
• Self-service password reset for on-premises users through password write-back
• Device write-back for two-way device synchronization
• Conditional access based on device, group and location
• Cloud App Security integration

Azure Active Directory Premium P2 (all features of Free, Basic and Premium P1, plus)
• Azure AD Identity Protection
• Privileged Identity Management (PIM)


Custom domains
When provisioned, an Azure AD tenant receives a default domain name in the form <domainname>.onmicrosoft.com.
A custom domain owned by the organization can be added and verified later.

High-level steps for creating a custom domain for Azure AD include:


• Sign in to the Azure portal with an account that holds the Global Administrator role in the Azure AD tenant.
• In the Azure AD “Custom domain names” setting, add a new custom domain.
• Create a TXT or MX record in your domain registrar using the information from the custom domain creation page.
• Verify the domain after creating the TXT/MX record.

Self-Service Password Reset (SSPR)


Azure AD's SSPR feature allows users to reset their passwords or unlock their accounts without assistance from
an administrator. The feature can be enabled only by a Global Administrator. SSPR can be enabled for all users or
scoped to a single Azure AD group; users who should be able to reset their own password must be members of that group.

The methods of password reset currently available are:


• Mobile app notification (preview)
• Mobile app code (preview)
• Email
• Mobile phone
• Office phone
• Security questions

Hybrid identities
Azure allows integration of identities with on-premises identity management solutions so that customers can access
both corporate and cloud resources using the same credentials. Azure AD Connect is used for this integration. This
tool synchronizes the identities from your on-premises Active Directory to Azure AD. The users, groups and password
hashes (if enabled) are synchronized from on-premises Windows Active Directory to Azure so that the details
are available in the cloud.

Azure AD Connect offers multiple features to enable hybrid identity. Some of the key features that can be enabled
through Azure AD Connect are listed below:

Password hash synchronization


This method allows users to use their on-premises AD password to log in to cloud services like Office 365 so that
they do not have to remember multiple passwords. A hash of users’ passwords is synchronized from the on-premises
Active Directory to Azure AD, and authentication is done by Azure AD using this hash.


Pass-through authentication
This feature also allows users to use their on-premises AD password in the cloud, but does not require them
to synchronize the password hash to Azure AD. Rather, the authentication requests are forwarded for authentication
to the on-premises AD. This works using a method similar to AD federation, but without the need for deploying
AD Federation Services infrastructure. The method requires an additional pass-through agent installation on the server
where AD Connect is installed.

Integration with ADFS


If customers have an existing ADFS installation on premises, Azure AD Connect can establish a trust between
the ADFS farm and Azure AD so that the authentication is handled by the on-premises AD. You can use an existing
ADFS farm, or deploy a new one, to enable this configuration.

Password writeback
This Azure AD Connect feature writes password changes made in Azure AD back to the on-premises AD in real time.
It can be used in environments configured for ADFS, password hash synchronization or pass-through authentication,
and requires an Azure AD Premium license. No additional inbound firewall rules are needed, as all communication is
outbound over port 443 from the AD Connect server. Because the change is written to on-premises AD, the on-premises
password policies (age, complexity, history, etc.) are enforced when the user changes the password.

Azure Multi-Factor Authentication (MFA)


Azure Multi-Factor Authentication adds a second layer of security on top of password-based authentication for
cloud-based and hybrid applications. MFA is typically enforced through a Conditional Access policy (which requires
Azure AD Premium P1) that demands the second factor when a set of defined conditions is met; per-user MFA enablement
is also available.

These conditions include:


• All users, guests, specific users and users part of a group or assigned a role
• Device-specific information like platform, state of the device or compliance
• Network location from which the login is attempted
• IP address of devices
• Client applications
• Sign-in risk configuration when used along with Azure Identity Protection
• Hybrid Azure AD domain-joined device

Administrators can enable one of several methods (see below) for additional authentication while using MFA.
It is recommended to configure more than one authentication method in case the primary authentication fails.

Possible authentication methods include:


• A push notification sent to the Microsoft Authenticator app, which should be approved by the user
• Entering the verification code from Microsoft Authenticator
• A voice call to the user’s phone, which the user should answer and press the # key to complete the authentication
• A verification code sent as a text message to the user’s phone, which the user should enter into a sign-in interface


Exam tips:
• Expect multiple-choice questions comparing the options available for MFA and SSPR.
• Custom domain verification can be done using either a TXT or an MX record.
• To restrict access to critical business resources to approved networks, use a Conditional Access policy with named
locations (trusted IPs), for example requiring MFA or blocking sign-ins from outside those locations.
• To switch between Azure AD tenants after signing in, use "Switch directory" in the Azure portal.

Summary
This guide covers the major study areas for the AZ-103 Microsoft Azure Administrator Certification exam,
but candidates should review Azure documentation for a more in-depth understanding. Time management
is important during the exam, so make sure you spend time judiciously on lab sessions. It is also recommended
to review the exam’s official practice test and/or any other online practice tests as this will help you understand
the exam model, evaluate your knowledge level and improve weak areas.

Happy learning and best of luck!


About the Author


Rick Vanover (MVP, vExpert, Cisco Champion) is the director of Technical
Product Marketing & Evangelism for Veeam Software based in Columbus,
Ohio. Rick’s IT experience includes system administration and IT management;
with virtualization being the central theme of his career recently.

Follow Rick on Twitter @RickVanover or @Veeam.

About Veeam Software


Veeam® is the global leader in Cloud Data Management. Veeam Availability Platform™ is the most complete
solution to help customers on the journey to automating data management and ensuring the Availability
of data. With more than 330,000 customers worldwide, including 82 percent of the Fortune 500 and
58 percent of the Global 2000, Veeam’s customer satisfaction scores, at 3.5X the industry average, are
the highest in the industry. The Veeam global ecosystem includes thousands of active channel partners,
and Cisco, HPE, Lenovo and NetApp as exclusive resellers, as well as 21,700 cloud and service providers.
Headquartered in Baar, Switzerland, Veeam has offices in more than 30 countries. To learn more, visit
https://www.veeam.com​ or follow Veeam on Twitter @veeam.​

