Getting Prepared For The Microsoft Azure Administrator Certification Exam
Rick Vanover,
Senior Director, Product Strategy Veeam Software; MVP
© 2019 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners.
As a former Microsoft MVP, I realize the strategic importance of Microsoft Azure. I would go so far as to say
there are fewer things more important in the industry today. The aggregated amount of spend in the hyperscale
public cloud market is staggering. To give you some perspective, Azure revenue is a hypergrowth market
with billions of USD spend per quarter worldwide [1]. There is effectively nothing more strategic to invest your
career in at the moment.
I don’t need to convince you further that Azure is a safe and strong bet in your career; however, I do encourage
Azure professionals to take a holistic look at the new platform. Specifically, there are over 100 Azure
services. I talk to customers of all sizes in my role here at Veeam, and effectively all of the conversations have
at least one angle around the cloud. Azure is frequently in those conversations, but I see many organizations
approaching Azure as a like equivalent to the on-premises operation. This means that not very many more
services are being used besides Azure VMs, Azure Disk Storage or Azure File Storage. Those are good and
likely mainstay services in many scenarios, but there are so many new services in Azure that can power
next-generation applications. This can include Azure-based technologies around mobile apps, IoT solutions
and multimedia solutions.
When I say the sky’s the limit here, it applies no more fittingly than in the Azure cloud.
This Azure certification journey will positively impact your technical acumen, your career potential and more.
At Veeam, we realize the strategic importance of Azure as a top-tier cloud player. We have been incorporating
Azure features for over three years. Whether it is restoring any workload to an Azure VM, leveraging Blob Storage
or even providing free secure file transfer to and from Azure VMs, Veeam has invested in this platform for years
and will continue to do so. This is shown in our most recent product announcement for backing up Azure VMs.
Good luck on your Azure certification journey. We at Veeam hope this resource will aid you in your study
and provide you perspective to achieve the certification.
Rick Vanover
Senior Director, Product Strategy Veeam Software
cloud-region-in-the-middle-east/
Table of Contents
Introduction and foreword
Availability Sets
Availability Zones
VM scale sets
Azure VM management
VM configuration changes
VM extensions
Azure Backup
User-defined routes
VPN gateway
Multi-site VPN
ExpressRoute
Azure Files
Manage identities
Custom domains
Hybrid identities
Pass-through authentication
Password writeback
Summary
This study guide is intended to help you understand the Azure Administrator skills measured in AZ-103,
as well as some of the important topics that will be covered under each of the exam’s study areas.
The five study areas and their relative weights are listed below. You can expect more questions from areas
with higher weights.
Exam tips:
• A user with only account administrator rights cannot access the Azure Management Portal. He/she should
also have service administrator rights assigned to access the portal.
• Only the service administrator can change the association of a subscription with Azure Active Directory.
• The account administrator account can only be changed by contacting Azure Support.
Exam tips:
• A resource can be moved across resource groups, but it can exist in only one resource group at any given time.
• You can assign permissions at the resource group level that will be inherited by all resources in the resource group.
• A resource group is created in an Azure location where it stores the metadata of all the resources in it.
However, it can include many types of resources deployed in multiple Azure regions.
• Once created, resource groups cannot be renamed.
• When a resource group is deleted, all the resources in that group are also deleted.
Here is a snippet that shows how you can apply a resource lock from Azure CLI:
{
  "id": "/subscriptions/0ca9bf5b-ye7c-4de0-a0e4-8ab711bd369c/resourceGroups/az103/providers/Microsoft.Authorization/locks/donotdelete",
  "level": "CanNotDelete",
  "name": "donotdelete",
  "notes": null,
  "owners": null,
  "resourceGroup": "az103",
  "type": "Microsoft.Authorization/locks"
}
Exam tip:
Applying a read-only lock is similar to limiting the permission of all authorized users to the reader role
at the assigned scope.
Exam tip:
In scenario-based questions where the objective is to find the cost incurred for chargeback by different
departments in an organization, look for options that involve tagging.
Exam tip:
Review Microsoft’s list of services that can and cannot be moved. Also make note of limitations for the resources
that can be moved.
Alerts can be created based on metrics from individual resources or from the query results in Log Analytics.
Action groups created in the Azure portal define the notification preferences when an alert is generated. You
can configure action groups to send an SMS or email, call a webhook or invoke an automation runbook, Logic
App, function app, etc. when an alert is triggered.
Exam tips:
• For scenario-based questions on finding the unused Azure resources listed above, check for Azure Monitor
in the answer options.
• One action group can be used for multiple alerts. You will see confusing options in questions related
to action groups, so be thorough when learning about their relationship with alerts.
Customers can also create custom roles for implementing additional restrictions if they are not provided
by any existing built-in roles. Below is a sample JSON definition file for a custom role:
{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/11111111-1111-1111-1111-111111111111",
    "/subscriptions/33333333-3333-3333-3333-333333333333"
  ]
}
Exam tips:
• In questions related to custom roles, make sure that the IsCustom value is set to true and that
AssignableScopes is set to the correct subscription.
• RBAC uses the approach of least privilege, so if the requirement mentioned in the question is to assign
user permissions, select User Access Administrator role. Owner role permissions would be overkill.
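The following added example (not part of the original guide, and not Azure's own implementation) evaluates the sample role above the way RBAC does: an operation is permitted when it matches an entry in Actions and no entry in NotActions. It also runs the two checks from the exam tip and flags trailing wildcards for a least-privilege review. The function names and the finding strings are assumptions made for this illustration.

```python
import re

# Role definition copied from the guide's sample JSON above.
VM_OPERATOR = {
    "Name": "Virtual Machine Operator",
    "IsCustom": True,
    "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/11111111-1111-1111-1111-111111111111",
        "/subscriptions/33333333-3333-3333-3333-333333333333",
    ],
}


def _matches(pattern, operation):
    """True if a role pattern covers the operation; '*' spans any text."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role, operation):
    """Effective permission: matched by Actions and not matched by NotActions."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def lint_custom_role(role, subscription_id):
    """Return review findings for a custom role intended for one subscription."""
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom is not true")
    target = f"/subscriptions/{subscription_id}".lower()
    scopes = [s.lower().rstrip("/") for s in role.get("AssignableScopes", [])]
    # The role is assignable if a scope is the subscription or lies inside it.
    if not any(s == target or s.startswith(target + "/") for s in scopes):
        findings.append(f"AssignableScopes does not include {target}")
    for action in role.get("Actions", []):
        if action.endswith("*"):
            # A trailing wildcard grants write, delete and action operations too.
            findings.append(f"broad grant: {action} covers every operation under that prefix")
    return findings


if __name__ == "__main__":
    for op in ("Microsoft.Compute/virtualMachines/restart/action",
               "Microsoft.Compute/virtualMachines/delete"):
        print(op, "->", "allowed" if is_allowed(VM_OPERATOR, op) else "denied")
    for finding in lint_custom_role(VM_OPERATOR, "11111111-1111-1111-1111-111111111111"):
        print(finding)
```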
Availability Sets
VMs are automatically placed in fault domains and update domains within the same data center to protect
them from Availability issues. VMs in different fault domains are protected from a single point of failure
in terms of network and power. During planned maintenance, updates are applied in one update domain
at a time in order to ensure that at least one update domain is always available. When two VMs are placed
in an Availability Set, Azure offers 99.95% assured SLA.
Availability Zones
Availability Zones are different physical locations in an Azure region. VMs can be placed in up to three
Availability Zones. Each Availability Zone represents a combination of a fault domain and an update domain.
As the VMs are placed in different data centers, they are also protected from data center failures. When two
VMs are placed in an Availability Zone, Azure offers 99.99% assured SLA.
VM scale sets
VM scale sets allow automated horizontal scaling of VMs based on usage patterns. Multiple VMs are created
using the same image and configuration, and additional VMs are added to the scale set based on metrics
or specified schedules. This helps keep Azure costs lower since additional VMs are added only when required
and are removed when not in use. VM scale sets are automatically integrated with Azure Load Balancer
or Azure Application Gateway for traffic management and distribution to backend VMs.
Exam tips:
• The maximum supported size of an OS disk is 2,048 GB.
• The maximum supported size of a data disk is 32,767 GB.
• The VM SKUs decide the number of data disks that can be attached to the VM.
• For workloads with high performance requirements, select unmanaged premium SSD disks
to be used as data disks.
• For VMs with GPU requirements like graphics rendering, video editing, etc., deploy N-series VMs.
• Not all VMs are available in all Azure regions. Check the availability of the VM SKU in the target region
when planning for the deployment.
• VMs support both managed and unmanaged disks. In managed disks, the underlying storage is managed
by the customer. However, in unmanaged disks, it is managed by the Azure platform.
• Wherever possible, use managed disks in VMs.
• If you are asked to configure for the highest possible SLA, choose Availability Zones.
• VM scale sets support the use of custom VM images, but the maximum number of VMs in a scale set will
be limited to 300. When using Azure Marketplace images, VM scale sets support up to 1,000 instances.
Azure VM management
VM configuration changes
You can make changes to the VM post-deployment based on your application demands. For example, you can
attach additional data disks and NICs to the VM. However, the maximum number of disks, NICs, IOPS throughput,
etc. is dependent on the Azure VM SKU. You can always scale vertically (i.e., change the size of the VM
to a higher SKU) if you need additional capacity.
Note that the new SKU should be available in the Azure region, and the scaling could cause a small downtime
to the VM. Hence, the application Availability should be managed through Availability Sets or Availability Zones,
along with load balancers and application gateways.
VM extensions
VM extensions are useful in handling the post-deployment configuration of VMs. You can use VM extensions
to deploy anti-virus, backup, Puppet, Chef or any other extensions available in the Azure Marketplace. In addition
to third-party, vendor-specific VM extensions, you can also use first-party VM extensions like custom script
extension, PowerShell DSC, Microsoft Monitoring Agent and NVIDIA GPU driver extension. VM extensions can
be included in the ARM templates so that they get deployed automatically during VM provisioning.
Azure Backup
Azure Backup is a cloud-based backup service that you can leverage to take machine-level backups of your VMs.
The step-by-step process for implementing a backup solution for VMs using Azure Backup is listed below:
1. Create a Recovery Services vault in the same region as the VMs. By default, the vault is created using
geo-redundant storage, where six copies of data will always be available for the purpose of redundancy.
To reduce storage costs, this can be changed to locally redundant storage from properties of the vault
after provisioning and before initiating any backups.
2. Select Azure as the backup source for initiating the VM backup and configure the backup policy for daily,
weekly, monthly and yearly backups. You can configure one scheduled backup a day using the backup policy.
3. Select the VM and initiate the backup. A VM backup extension gets installed in the VM, which transfers
the backup data to the storage associated with the backup vault. Note that this agent will already be present
in VMs provisioned from Azure Marketplace but will need to be installed on VMs created using custom images.
The Azure Backup Instant Restore capability is a recent addition to Azure Backup. With this capability, a default
of two snapshots of the disks are made available in a local storage account for faster restore. This eliminates
the wait time for transferring data from the vault for recovery. The default value of two can be increased
to up to five during backup policy configuration.
Exam tips:
• If VM extension installation fails, check for network-level restrictions that are preventing the VM from
downloading the script from the Azure Storage extension repository. Make sure that there are no NSGs
or VM guest firewall configurations preventing access to 168.63.129.16.
• In lab questions that require you to add additional capacity to VMs, select the VM size that supports
the required number of data disks.
• Review the support matrix for Hyper-V/VMware to Azure replication as you can expect scenario-based
questions about supported and unsupported features.
Exam tip:
You can expect questions about the different configuration sections of ARM template (such as storage profile).
The storage profile section in the template defines the image that will be used for the VM deployment.
A sample profile that creates a Windows Server 2016 Datacenter VM is shown below. You can also define
additional data disks to be attached and specify their size in the storage profile.
"storageProfile": {
  "imageReference": {
    "publisher": "MicrosoftWindowsServer",
    "offer": "WindowsServer",
    "sku": "2016-Datacenter",
    "version": "latest"
  },
  "osDisk": {
    "createOption": "FromImage"
  },
  "dataDisks": [
    {
      "diskSizeGB": 2048,
      "lun": 0,
      "createOption": "Empty"
    }
  ]
}
Exam tips:
• You can expect questions about communication between VMs in peered VNets. Note that the relationship is
not transitive unless an NVA is implemented in the hub.
• Check for overlapping IP address ranges in questions related to VNet peering. Peering cannot be established
between two VNets that have an overlapping IP range. The solution is to modify the IP range and then
establish the peering.
• Peering is not established unless it is configured in both of the participating VNets.
Public IP addresses allow external communication from Azure networks and can be assigned to internet-facing
interfaces of virtual machines, load balancers, VPN gateways and application gateways. There are two SKUs
of public IP addresses: basic and standard. The major differences between them are shown below.
Basic SKU: Network security groups are not mandatory, and the connections are open by default.
Standard SKU: Network security groups are mandatory as the connections are closed by default for inbound traffic.
Exam tips:
• Azure supports both IPv6 and IPv4 addresses. IPv6 can only be assigned through dynamic allocation.
• Azure recommends standard load balancers for all new deployments because they offer the highest
redundancy and only standard SKU IPs are supported in them. You can expect scenario-based questions
asking you to select the right SKU for load balancers/public IPs.
User-defined routes
When a virtual network is created, all devices connected to the subnets in the virtual network can communicate
with each other by default. This is accomplished through system routes automatically assigned to the subnets
of VNets. Although system routes cannot be modified, you can create custom routes or user-defined routes
(UDR) to override them. UDR can be used to set the next hop type of traffic as virtual network gateway, virtual
network, internet or virtual appliance. If the next hop type is set as none for a network, the traffic to that
network or IP will be dropped.
Exam tips:
• UDR cannot be used to route traffic to/from ExpressRoute gateways. This should be done through BGP.
• Azure uses the longest prefix match algorithm to select the route for the traffic. If there are multiple routes
to the destination, first priority is given to user-defined routes, followed by BGP routes and then system routes.
• UDRs do not accept VNet peering or virtual network service endpoints as next hop type.
• Traffic to destinations that are not covered by any other route in the route tables is sent to the internet
using the default route created by Azure with the 0.0.0.0/0 address prefix and next hop type as internet.
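The route selection rules described above, worked through as an added example (not part of the original guide, and not Azure's own code): longest prefix match first, then user-defined over BGP over system routes for equal prefixes, with next hop type none dropping the traffic. The route table and addresses are constructed for illustration, and the names Route, select_route and next_hop are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Tie-break order from the exam tip: user-defined, then BGP, then system routes.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                       # destination address prefix in CIDR form
    source: str                       # "User", "BGP" or "System"
    next_hop_type: str                # e.g. "VnetLocal", "Internet", "None"
    next_hop_ip: Optional[str] = None  # only set for a virtual appliance


# Constructed effective route table for one subnet (illustrative values).
ROUTES = [
    Route("10.0.0.0/16", "System", "VnetLocal"),
    Route("0.0.0.0/0", "System", "Internet"),
    Route("0.0.0.0/0", "BGP", "VirtualNetworkGateway"),
    Route("192.168.0.0/16", "BGP", "VirtualNetworkGateway"),
    Route("0.0.0.0/0", "User", "VirtualAppliance", "10.0.2.4"),
    Route("10.0.3.0/24", "User", "None"),
]


def select_route(routes, destination):
    """Pick the route Azure would use for one destination IP, or None."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix wins; the route source only breaks ties between equal prefixes.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                       SOURCE_PRIORITY[r.source]),
    )


def next_hop(routes, destination):
    """Return where the packet goes, or 'dropped' for next hop type None."""
    route = select_route(routes, destination)
    if route is None or route.next_hop_type == "None":
        return "dropped"
    return route.next_hop_ip or route.next_hop_type


if __name__ == "__main__":
    for dest in ("10.0.1.5", "10.0.3.7", "203.0.113.10", "192.168.1.1"):
        print(dest, "->", next_hop(ROUTES, dest))
```

Removing the two user-defined routes from the table shows the fallback order: internet-bound traffic then follows the BGP default route, and 10.0.3.0/24 is reachable again through the system route for the virtual network.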
Exam tips:
• To delegate the management of customer-owned public DNS domains to Azure DNS, update the NS records
in the domain registrar’s DNS management page to use Azure DNS servers.
• You cannot purchase DNS domains through Azure DNS.
• Sample PowerShell command to create a private DNS zone and set the registration virtual network given below:
Exam tips:
• For VMs, NSGs can be applied at the subnet or NIC card level. When rules are applied to both the subnet and NIC
card, the least permissive permissions prevail.
• For lab and scenario-based questions, check for requirements to restrict traffic to multiple virtual machines. In that
case, it is advisable to apply rules at the subnet level.
VPN gateway
A VPN gateway is a virtual network gateway connected to a gateway subnet that allows encrypted traffic to be sent
between Azure Virtual Network and an on-premises location. It is the basic prerequisite for establishing any kind
of VPN connectivity to Azure. Gateways can be route-based or policy-based, depending on the type of architecture
to be implemented and the configuration of the on-premises device. While a policy-based VPN gateway selects
traffic for encryption based on network prefixes, a route-based VPN uses wildcard traffic selectors for encryption
and traffic routing. Policy-based VPN gateways are commonly used when on-premises devices support only IKEv1.
In all other scenarios, it is recommended to use route-based VPN gateways.
Multi-site VPN
When connectivity should be established from an Azure network to multiple on-premises data centers, these
connections can be terminated on the same virtual network gateway. This configuration is possible only if the VPN
gateway is route-based. You need to add separate local network gateways for each site with shared keys used
by the gateways while configuring the connections. Multi-site VPNs can be configured for networks that already
have an existing P2S, S2S or VNet-to-VNet connection.
ExpressRoute
ExpressRoute offers the most secure Layer 3 connectivity to Azure through a private connection to an Azure data
center via a third-party service provider. The ExpressRoute gateway type is used here to initiate the connection.
ExpressRoute connections are redundant: two connections are established to Microsoft Enterprise
edge routers from the network connectivity service provider edge device. An ExpressRoute connection to one
of the peering locations enables connectivity to all regions in that geopolitical region. To establish connectivity
across geopolitical regions, enable the ExpressRoute premium add-on.
There are two main routing domains, private peering and Microsoft peering, that are associated with an ExpressRoute
circuit. Private peering allows direct connectivity to services deployed in Azure virtual networks (virtual machines,
storage, app services, etc.) over private IPs. Microsoft services like Office 365, Dynamics 365 and other PaaS services
that do not have a private IP address can be accessed through a secure channel over Microsoft peering. Public
peering is the legacy peering option used previously for PaaS services like Azure SQL and Storage. It was available
only over public IPs. Now this connectivity is also routed through Microsoft peering.
Exam tips:
• For lab questions where you are required to create a gateway subnet, create the subnet with a CIDR of /27.
This is considered the most optimal option.
• In scenario-based questions where both ExpressRoute and VPN are given as options, select VPN for connectivity
over the internet and ExpressRoute when a dedicated connection is required.
• VPN can also be created between two VNets, but select this option only when VNet peering cannot be configured.
VNet peering is the preferred approach for connecting two VNets as it does not involve VPN gateway charges
and the traffic remains within the Azure backbone.
Azure Files
This is a fully managed cloud-based file share service that can be accessed like traditional file shares by clients
supporting SMB protocol. Unlike on-premises file shares, Azure Files can be accessed by machines hosted on premises,
as well as in the cloud, provided the SMB port is open. Authentication to file shares is done using shared access
signature (SAS) tokens or through the access keys of the storage account where the file shares are created. Azure File shares can
be simultaneously accessed by many VMs for read/write access.
There are different types of storage accounts available in Azure. General-purpose v2 accounts can be used to create
blobs, queues, tables and files. The legacy version General-purpose v1 accounts also support all storage types.
However, v2 accounts are recommended for new deployments as they are most economical and efficient. Block Blob
Storage accounts and Blob Storage accounts, as their names indicate, are used for storing blobs. General-purpose
v2 storage accounts are recommended in place of Blob Storage accounts for most use cases. Block Blob Storage
accounts should be used when high transaction, low latency, premium storage is required.
The two main components used for this are the Azure Import/Export service (available in Azure portal) and
the WAImportExport tool, which helps prepare the disks and copy over the data to them. There are two versions
of the WAImportExport tool available: version 1 and version 2. Version 1 should be used for transferring data to Azure
Blob Storage, while version 2 should be used for Azure Files. You also need disk drives (SSD or HDD) that should
be shipped to an Azure data center.
Exam tips:
• You can expect drag-and-drop questions about the correct order of setting up Import/Export and Azure File Sync.
• Import/Export supports only Azure Storage and File Share as target locations.
• In closed networks, the SMB port (445) should be open in the firewall to allow on-premises users to map Azure File shares.
• In lab questions that require you to create storage, use General-purpose v2 accounts wherever possible as this
is the recommended storage type for new deployments.
Manage identities
Azure AD is an Identity as a Service (IDaaS) offering from Azure that allows identity and access management to internal
corporate resources, as well as to cloud resources like Office 365, Dynamics CRM or other IaaS/SaaS/PaaS applications.
Azure AD comes with built-in advanced capabilities like multi-factor authentication, privileged identity management,
auditing, application usage monitoring and alerting.
An Azure AD tenant is automatically provisioned when an organization purchases Microsoft Azure cloud, Intune,
Office 365 or other services. This AD tenant represents the organization. When services in only one tenant are used
by the organization, it is called single tenant. If services from other organizations are being accessed, it is called
multi-tenant. Each tenant will have a dedicated Azure AD assigned to it to handle the management of objects like
users, groups and apps.
The features available in Azure AD are dependent on the licenses associated with the AD instance.
Azure Active Directory Premium P1: All features of Free and Basic versions, plus:
• Dynamic groups
• Self-service group management
• Microsoft Identity Manager (MIM)
• Self-service password reset for on-premises users
through cloud write-back
• Device write-back for two-way device synchronization
• Conditional access based on device, group and location
• Cloud App Security integration
Azure Active Directory Premium P2: All features of Free, Basic and Premium 1 versions, plus:
• Azure AD Identity Protection
• Privileged Identity Management Protection
Custom domains
When provisioned, an Azure AD has a default directory assigned to it in a <domainname>.onmicrosoft.com
format. This can be updated later to a custom domain owned by the organization.
Hybrid identities
Azure allows integration of identities with on-premises identity management solutions so that customers can access
both corporate and cloud resources using the same credentials. Azure AD Connect is used for this integration. This
tool synchronizes the identities from your on-premises Active Directory to Azure AD. The users, groups and password
hashes (if enabled) are synchronized from on-premises Windows Active Directory to Azure so that the details
are available in the cloud.
Azure AD Connect offers multiple features to enable hybrid identity. Some of the key features that can be enabled
through Azure AD Connect are listed below:
Pass-through authentication
This feature also allows users to use their on-premises AD password in the cloud, but does not require them
to synchronize the password hash to Azure AD. Rather, the authentication requests are forwarded for authentication
to the on-premises AD. This works using a method similar to AD federation, but without the need for deploying
AD Federation Services infrastructure. The method requires an additional pass-through agent installation on the server
where AD Connect is installed.
Password writeback
This feature in Azure AD Connect enables all password changes in Azure AD to be written back to an on-premises
AD in real time. It can be used in environments configured for ADFS, password hash synchronization and pass-through
authentication. This feature does not require any additional firewall rules to be configured as all communications
are outbound over port 443. It can be used to enforce Active Directory password filtering policies, such as age,
complexity, history, etc. when the user changes their password.
Administrators can enable one of several methods (see below) for additional authentication while using MFA.
It is recommended to configure more than one authentication method in case the primary authentication fails.
Exam tips:
• Expect multiple choice questions comparing the options available for MFA and SSPR.
• The custom domain verification can be done using both MX and TXT records.
• To restrict access to critical business resources from approved networks, configure MFA.
• To switch between Azure AD tenants during login, change the directory from the Azure portal.
Summary
This guide covers the major study areas for the AZ-103 Microsoft Azure Administrator Certification exam,
but candidates should review Azure documentation for a more in-depth understanding. Time management
is important during the exam, so make sure you spend time judiciously on lab sessions. It is also recommended
to review the exam’s official practice test and/or any other online practice tests as this will help you understand
the exam model, evaluate your knowledge level and improve weak areas.