Cheat sheets, Practice Exams and Flash cards www.exampro.co/az-204

Introduction to Storage Accounts

Storage account types, with the services, performance tiers, access tiers, replication options and deployment model each supports:

+ General-purpose V2: Blob, File, Queue, Table, Disk; Standard or Premium performance; Hot, Cool, Archive access tiers; LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS replication; Resource Manager deployment
+ General-purpose V1: Blob, File, Queue, Table, Disk; Standard or Premium performance; no access tiers (N/A); LRS, GRS, RA-GRS replication; Resource Manager deployment
+ BlockBlobStorage: Blob (block, append); Premium performance; no access tiers (N/A); LRS, ZRS replication; Resource Manager deployment
+ FileStorage: File; Premium performance; no access tiers (N/A); LRS, ZRS replication; Resource Manager deployment
+ BlobStorage: Blob (block, append); Standard performance; Hot, Cool, Archive access tiers; LRS, GRS, RA-GRS replication; Resource Manager deployment

Core Storage Services

Azure has 5 core storage services:
+ Azure Blob: a massively scalable object store for text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.
+ Azure Files: managed file shares for cloud or on-premises deployments.
+ Azure Queues: a messaging store for reliable messaging between application components.
+ Azure Tables: a NoSQL store for schemaless storage of structured data.
+ Azure Disks: block-level storage volumes for Azure VMs.

Performance Tiers (Blob Storage)

There are 2 types of performance tiers for storage accounts: Standard and Premium.

IOPS stands for Input/Output Operations Per Second. The higher the IOPS, the faster a drive can read and write.

Premium Performance
+ Stored on Solid State Drives (SSDs)
+ Optimized for low latency
+ Higher throughput
+ Use cases: interactive workloads, analytics, AI or ML, data transformation

Standard Performance
+ Stored on Hard Disk Drives (HDDs)
+ Varied performance based on access tier (Hot, Cool, Archive)
+ Use cases: backup and disaster recovery, media content, bulk data processing

An HDD has moving parts: an arm that needs to read and write data sequentially to a disk. It is very good at writing or reading large amounts of data that is stored close together. An SSD has no moving parts and data is distributed randomly, which is why it can read and write so fast.

Access Tiers (Blob Storage)

There are 3 types of access tiers for Standard storage: Hot, Cool and Archive.

+ Hot: data that's accessed frequently. Highest storage cost, lowest access cost.
  Use cases: data that's in active use or expected to be accessed frequently; data that's staged for processing and eventual migration to the cool access tier.
+ Cool: data that's infrequently accessed and stored for at least 30 days. Lower storage cost, higher access cost.
  Use cases: short-term backup and disaster recovery datasets; older media content not viewed frequently anymore but expected to be available immediately when accessed; large data sets that need to be stored cost effectively while more data is being gathered for future processing.
+ Archive: data that's rarely accessed and stored for at least 180 days. Lowest storage cost, highest access cost.
  Use cases: long-term backup, secondary backup, and archival datasets; original (raw) data that must be preserved even after it has been processed into its final usable form; compliance and archival data that needs to be stored for a long time and is hardly ever accessed.

Account Level Tiering: any blob that doesn't have an explicitly assigned tier infers the tier from the Storage Account access tier setting.

Blob-Level Tiering: you can upload a blob to the tier of your choice. Changing tiers happens instantly, with the exception of moving out of archive.

Rehydrating a Blob: when moving a blob out of archive into another tier it can take several hours. This is known as "rehydrating".

Blob Lifecycle Management: you can create rule-based policies to transition data to different tiers, e.g. after 30 days move to cool storage. A rule can move blobs to cool storage, move them to archive storage, or delete them.

Billing on tier changes: when a blob is uploaded or moved to another tier, it's charged at the new tier's rate immediately upon tier change.
+ When moving from a cooler tier to a hotter tier, the operation is billed as a write to the destination tier, where the write operation (per 10,000) and data write (per GB) charges of the destination tier apply.
+ When moving from a hotter tier to a cooler tier, the operation is billed as a read from the source tier, where the read operation (per 10,000) and data retrieval (per GB) charges of the source tier apply.
+ Early deletion charges for any blob moved out of the cool or archive tier may apply as well.

Cool and archive early deletion: any blob that is moved into the cool tier (GPv2 accounts only) is subject to a cool early deletion period of 30 days. Any blob that is moved into the archive tier is subject to an archive early deletion period of 180 days. This charge is prorated.

AZCopy

AZCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
1. It's an executable file you download.
2. You will need the right level of authorization via attached roles. To download: Storage Blob Data Reader. To upload: Storage Blob Data Contributor or Storage Blob Data Owner.
3. You gain access either via Azure Active Directory (AD) or a Shared Access Signature (SAS).
4. Use the copy command to upload and download.

Lifecycle Management

Azure Blob Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle. With the lifecycle management policy, you can:
+ Transition blobs from cool to hot immediately when they are accessed, to optimize for performance.
+ Transition blobs, blob versions, and blob snapshots to a cooler storage tier if the objects have not been accessed or modified for a period of time, to optimize for cost.
+ Delete blobs, blob versions, and blob snapshots at the end of their lifecycles.
+ Define rules to be run once per day at the storage account level.
+ Apply rules to containers or to a subset of blobs, using name prefixes or blob index tags as filters.

To manage the lifecycle of blobs inside containers, a lifecycle management rule must be created. From the Azure Storage Account go to Lifecycle Management, under Blob Service, and click Add a rule. You may apply the rule to all blobs in the storage account or filter the blobs the rule applies to. You then specify after how many days without modification those blobs will be moved to other access tiers.
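The following is a worked example added to this cheat sheet (it is not ExamPro's code): it builds the lifecycle policy document that the "Add a rule" steps above produce, then dry-runs it against a few constructed blob records to show which action the daily policy run would take and whether moving a blob would fall inside the cool (30 days) or archive (180 days) early-deletion period. The policy dictionary follows the lifecycle-management JSON schema (rules / definition / actions.baseBlob / filters); the blob names, tiers and dates are constructed sample data, and the early-deletion helper reports unpaid days only, not the prorated charge itself.

```python
"""Added example, not from the ExamPro cheat sheet: build an Azure Blob
lifecycle management policy and dry-run it against constructed blob
records to see the action the daily policy run would take and whether
an early-deletion charge would apply. The policy dict follows the
documented lifecycle-management JSON schema (rules / definition /
actions.baseBlob / filters); blob records and dates are constructed."""
import json
from datetime import date

# Minimum days a blob must stay in a tier before moving it out of that tier
# incurs a (prorated) early-deletion charge: cool 30 days, archive 180 days.
EARLY_DELETION_DAYS = {"cool": 30, "archive": 180}
TIER_RANK = {"hot": 0, "cool": 1, "archive": 2}


def build_policy(prefix, cool_after, archive_after, delete_after, name="age-out"):
    """Return a policy that tiers block blobs under `prefix` to cool, then
    archive, then deletes them, N days after their last modification."""
    if not cool_after < archive_after < delete_after:
        raise ValueError("thresholds must increase: cool < archive < delete")
    return {"rules": [{
        "enabled": True,
        "name": name,
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": cool_after},
                "tierToArchive": {"daysAfterModificationGreaterThan": archive_after},
                "delete": {"daysAfterModificationGreaterThan": delete_after},
            }},
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
        },
    }]}


def policy_json(policy):
    """The document you would hand to the management-policy API or CLI."""
    return json.dumps(policy, indent=2)


def evaluate(policy, blob, today):
    """Action the policy run would take on one blob: 'delete', 'archive',
    'cool' or None. Lifecycle rules only move blobs to colder tiers, and
    delete wins over tiering. blob = {name, tier, last_modified, tier_changed}."""
    rule = policy["rules"][0]
    defn = rule["definition"]
    if not rule["enabled"]:
        return None
    if not any(blob["name"].startswith(p) for p in defn["filters"]["prefixMatch"]):
        return None
    age = (today - blob["last_modified"]).days
    acts = defn["actions"]["baseBlob"]
    rank = TIER_RANK[blob["tier"]]
    if age > acts["delete"]["daysAfterModificationGreaterThan"]:
        return "delete"
    if age > acts["tierToArchive"]["daysAfterModificationGreaterThan"] and rank < 2:
        return "archive"
    if age > acts["tierToCool"]["daysAfterModificationGreaterThan"] and rank < 1:
        return "cool"
    return None


def early_deletion_days(blob, today):
    """Unpaid days of the tier's minimum retention if the blob left its
    current tier today; 0 means no early-deletion charge applies."""
    minimum = EARLY_DELETION_DAYS.get(blob["tier"], 0)
    held = (today - blob["tier_changed"]).days
    return max(minimum - held, 0)


def plan(policy, blobs, today):
    """Map blob name -> (action, unpaid early-deletion days) for every blob."""
    result = {}
    for blob in blobs:
        action = evaluate(policy, blob, today)
        result[blob["name"]] = (action, early_deletion_days(blob, today) if action else 0)
    return result


# Constructed sample data: one policy for the "logs/" prefix and five blobs.
TODAY = date(2024, 6, 1)
POLICY = build_policy("logs/", cool_after=30, archive_after=90, delete_after=365)
SAMPLE_BLOBS = [
    {"name": "logs/2023-01.txt", "tier": "hot", "last_modified": date(2023, 1, 15), "tier_changed": date(2023, 1, 15)},
    {"name": "logs/2024-01.txt", "tier": "hot", "last_modified": date(2024, 1, 31), "tier_changed": date(2024, 1, 31)},
    # Moved to cool only 17 days ago: tiering it to archive now leaves 13 cool days unpaid.
    {"name": "logs/2024-02.txt", "tier": "cool", "last_modified": date(2024, 2, 20), "tier_changed": date(2024, 5, 15)},
    {"name": "logs/2024-05.txt", "tier": "hot", "last_modified": date(2024, 5, 20), "tier_changed": date(2024, 5, 20)},
    {"name": "images/cat.png", "tier": "hot", "last_modified": date(2023, 1, 1), "tier_changed": date(2023, 1, 1)},
]

if __name__ == "__main__":
    print(policy_json(POLICY))
    for name, (action, unpaid) in plan(POLICY, SAMPLE_BLOBS, TODAY).items():
        print(f"{name}: {action}, unpaid early-deletion days = {unpaid}")
```

The dry run is where the value is: it makes visible that a rule which archives blobs 90 days after modification can still hit a blob that only entered the cool tier recently, so an archive threshold should normally sit at least 30 days beyond the cool threshold.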
Setting and Retrieving Properties and Metadata

Getting container properties:

    az storage container show --account-name $storageAccountName --name $containerName --account-key $accountKey

Setting and getting container metadata. Note that the update command overwrites the existing container metadata:

    1. az storage container metadata update --account-name $storageAccountName --name $containerName --metadata creationType=AzureCli --auth-mode key --account-key $accountKey
    2. az storage container metadata show --account-name $storageAccountName --name $containerName --auth-mode key --account-key $accountKey

Setting and getting blob metadata. Again, the update command overwrites the existing blob metadata:

    1. az storage blob metadata update --name "TestImage1.png" --account-name $storageAccountName --container-name $containerName --metadata creationType=azurecli --auth-mode key --account-key $accountKey
    2. az storage blob metadata show --name "TestImage1.png" --account-name $storageAccountName --container-name $containerName --auth-mode key --account-key $accountKey

Azure Active Directory (AD)

A cloud-based identity and access management service. Manage users, sign-ins and access to AD-related resources.

Introduction to Azure AD

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources:
+ External resources: Microsoft Office 365, the Azure Portal, SaaS applications
+ Internal resources: applications within your internal network, access to workstations on-premise

Use Azure AD to implement Single Sign-On (SSO).

Azure Active Directory comes in four editions:
1. Free: MFA, SSO, Basic Security and Usage Reports, User Management
2. Office 365 Apps: Company Branding, SLA, Two-way Sync between On-Premise and Cloud
3. Premium 1 (P1): Hybrid Architecture, Advanced Group Access, Conditional Access
4. Premium 2 (P2): Identity Protection, Identity Governance

Azure AD - Use Case

Azure AD can provide identity and access to multiple sources:
+ To your on-premise AD
+ To your web application (via App Registrations)
+ Allow users to log in with their IdP, e.g. Facebook or Google (via External Identities)
+ To Office 365 or Azure

Active Directory vs Azure Active Directory

Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.
Azure AD takes this approach to the next level by providing organizations with an Identity as a Service (IDaaS) solution for all their apps. Both versions are still used today: Active Directory is the on-premise version, Azure AD is the cloud version.

Active Directory Terminology

+ Domain: an area of a network organized by a single authentication database. An Active Directory domain is a logical grouping of AD objects on a network.
+ Domain Controller (DC): a server that authenticates user identities and authorizes their access to resources.
+ Domain Computer: a computer that is registered with a central authentication database. A domain computer would be an AD Object.
+ AD Object: the basic element of Active Directory, such as users, groups, printers, computers, shared folders.
+ Group Policy Object (GPO): a virtual collection of policy settings. It controls what AD Objects have access to.
+ Organizational Unit (OU): a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units.
+ Directory Service: a directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. A directory service runs on a Domain Controller.

Azure AD - Tenant

A tenant represents an organization in Azure Active Directory. A tenant is a dedicated Azure AD service instance. A tenant is automatically created when you sign up for either Microsoft Azure, Microsoft Intune, or Microsoft 365 (Azure AD for Office 365). Each Azure AD tenant is distinct and separate from other Azure AD tenants.

Azure Active Directory Domain Services (AD DS)

In some cases you'll need to set up your own domain controller(s). When doing a lift-and-shift from on-premise to Microsoft Azure and migrating Active Directory, Azure AD does not support some domain services. Azure Active Directory Domain Services (AD DS) provides managed domain services such as:
+ Domain joins
+ Group policies
+ Lightweight Directory Access Protocol (LDAP)
+ Kerberos / NTLM authentication

You can use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

Azure AD Connect

Azure AD Connect is a hybrid service to connect your on-premise Active Directory to your Azure account. Azure AD Connect allows for seamless Single Sign-On from your on-premise workstation to Microsoft Azure. Azure AD Connect has the following features:
+ Password hash synchronization: a sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD.
+ Pass-through authentication: a sign-in method that allows users to use the same password on-premises and in the cloud.
+ Federation integration: a hybrid environment using an on-premises AD FS infrastructure, including certificate renewal.
+ Synchronization: responsible for creating users, groups, and other objects; ensures on-prem and cloud data matches.
+ Health Monitoring (Azure AD Connect Health): robust monitoring, with a central location in the Azure portal to view this activity.

Active Directory - Users

Users represent an identity for a person or employee in your domain. A user has login credentials and can use them to log into the Azure Portal.
+ You can assign roles and administrative roles to users.
+ You can add users to groups.
+ You can enforce authentication methods such as Multi-Factor Authentication (MFA).
+ You can track user sign-ins.
+ You can track the devices users log in from and allow or deny devices.
+ You can assign Microsoft licenses.

Azure AD has two kinds of users:
+ Users: a user belongs to your organization.
+ Guest Users: a guest user belongs to another organization.

We'll cover Azure AD roles in the roles section of the course.

Azure AD - Groups

Groups let the resource owner (or Azure AD directory owner) assign a set of access permissions to all the members of the group, instead of having to provide the rights one by one.

Groups contain:
+ Owners: have permission to add and remove members.
+ Members: have permission to do things.

Assignment:
+ You can assign roles directly to a group.
+ You can assign applications directly to a group.

Request to Join Groups: the group owner can let users find their own groups to join, instead of assigning them. The owner can also set up the group to automatically accept all users that join, or to require approval.

Azure AD - Assign Access Rights

There are four ways to assign access rights to your users:
+ Direct assignment: the resource owner directly assigns the user to the resource.
+ Group assignment: the resource owner assigns an Azure AD group to the resource, which automatically gives all of the group members access to the resource.
+ Rule-based assignment: the resource owner creates a group and uses a rule to define which users are assigned to a specific resource.
+ External authority assignment: access comes from an external source, such as an on-premises directory or a SaaS app.

Azure AD - External Identities

External Identities in Azure AD allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer (logins from Google and Facebook are supported). Your partners, distributors, suppliers, vendors, and other guest users can:
+ Share apps with external users (B2B collaboration).
+ Develop apps intended for other Azure AD tenants (single-tenant or multi-tenant).
+ Develop white-labeled apps for consumers and customers (Azure AD B2C).

Types of Azure Roles

Roles can be confusing because Azure has three types of roles that can serve the same purpose:
1. Classic subscription administrator roles: the original role system.
2. Azure roles: an authorization system known as Role-Based Access Control (RBAC), built on top of Azure Resource Manager.
3. Azure Active Directory (Azure AD) roles: used to manage Azure AD resources in a directory.

Access Controls (IAM)

Identity Access Management (IAM) allows you to create and assign roles to users.

Azure Roles (RBAC system): roles restrict access to resource actions (also known as operations). There are two types of roles:
1. BuiltInRole: Microsoft-managed, read-only, pre-created roles for you to use.
2. CustomRole: a role created by you with your own custom logic.

Role Assignment is when you apply a role to a user, group, or service principal.

Deny Assignments block users from performing specific actions even if a role assignment grants them access. The only way to apply deny assignments is through Azure Blueprints.

Classic Administrators

Classic Administrators is the original role system. You should use the new RBAC system when possible. Classic Administrators have three types of roles:
1. Account Administrator: the billing owner of the subscription. Has no access to the Azure portal.
2. Service Administrator: the same access as a user assigned the Owner role at subscription scope. Full access to the Azure portal.
3. Co-Administrator: the same access as a user who is assigned the Owner role at the subscription scope.

Azure Role-Based Access Control (RBAC)

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Role Assignments are the way you control access to resources. A Role Assignment consists of three elements:
1. Security principal
2. Role definition
3. Scope

There are four fundamental Azure roles (Owner, Contributor, Reader, User Access Administrator); Azure RBAC includes over 70 built-in roles.

A Security Principal represents an identity requesting access to an Azure resource, such as:
+ User: an individual who has a profile in Azure Active Directory.
+ Group: a set of users created in Azure Active Directory.
+ Service principal: a security identity used by applications or services to access specific Azure resources.
+ Managed identity: an identity in Azure Active Directory that is automatically managed by Azure.

Scope is the set of resources that the Role Assignment's access applies to. Scope access controls at the Management Group, Subscription or Resource Group level.

A Role Definition is a collection of permissions. A role definition lists the operations that can be performed. Roles can be high-level, like Owner, or specific, like Virtual Machine Reader. Azure has built-in roles and you can define custom roles. The four fundamental built-in roles are Owner, Contributor, Reader and User Access Administrator.

Azure AD Roles

Azure AD roles are used to manage Azure AD resources in a directory, such as:
+ Create or edit users
+ Assign administrative roles to others
+ Reset user passwords
+ Manage user licenses
+ Manage domains

A few important built-in Azure AD roles you should know:
+ Global Administrator: full access to everything.
+ User Administrator: full access to create and manage users.
+ Billing Administrator: make purchases, manage subscriptions and support tickets.

You can create custom roles, but you need to purchase either Azure AD Premium P1 or P2.

Anatomy of an Azure Role

In an Azure role document, the syntax of the property names changes depending on whether you use Azure PowerShell or Azure CLI (PowerShell name first, CLI name in parentheses):
+ Name (roleName): the display name of the custom role.
+ Id (name): the unique ID of the custom role. This is autogenerated for you.
+ IsCustom (roleType): indicates whether this is a custom role (true or false).
+ Description (description): the description of the custom role.
+ Actions (actions): an array of strings that specifies the management operations that the role allows to be performed.
+ NotActions (notActions): an array of strings that specifies the management operations that are excluded from the allowed Actions.
+ DataActions (dataActions): an array of strings that specifies the data operations the role is allowed to perform on your data within that object.
+ NotDataActions (notDataActions): an array of strings that specifies the data operations that are excluded from the allowed DataActions.
+ AssignableScopes (assignableScopes): an array of strings that specifies the scopes that the custom role is available for assignment. You can only define one management group in the AssignableScopes of a custom role.

Wildcard permissions: Actions, NotActions, DataActions, and NotDataActions support wildcards (*). A wildcard matches every operation in the position where it appears.

Azure Policies vs Azure Roles (RBAC)

Azure Policies:
+ Used to ensure the state of resources.
+ Evaluate state by examining properties on resources that are represented in Resource Manager and properties of some resource providers.
+ Do not restrict actions (also called operations).
+ Ensure that resource state is compliant with your business rules, without concern for who made the change or who has permission to make a change.
+ Even if an individual has access to perform an action, if the result is a non-compliant resource, Azure Policy still blocks the create or update.

Azure Roles:
+ Used to manage access to Azure resources.
+ Focus on managing user actions at different scopes.

Azure AD Roles vs Azure Roles (RBAC)

Azure AD Roles are used to control access to AD resources, such as users, groups, billing, licensing, application registrations, etc. Azure Roles are used to control access to Azure resources, such as virtual machines, databases, cloud storage, cloud networking, etc.
+ By default, Azure roles and Azure AD roles do not span Azure and Azure AD.
+ By default, the Global Administrator doesn't have access to Azure resources.
+ A Global Administrator can gain access to Azure resources if granted the User Access Administrator role (an Azure role).
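To make the role anatomy concrete, here is a small evaluator added to this cheat sheet (not ExamPro's code and not Azure's implementation). It applies Actions minus NotActions with Azure-style "*" wildcards, checks that an assignment sits inside the role's AssignableScopes, inherits assignments down the scope hierarchy (management group, subscription, resource group, resource) and lets a deny assignment override any allow. The role definitions, principal names, placeholder subscription id and resource names are constructed samples; the operation strings are standard Azure resource-provider operation names.

```python
"""Added example, not from the ExamPro cheat sheet: evaluate whether an
Azure RBAC role assignment permits an operation. Models Actions/NotActions
wildcards, AssignableScopes, scope inheritance and deny assignments. All
principals, scopes and role documents below are constructed samples."""
from fnmatch import fnmatchcase


def matches(pattern, operation):
    """Azure operation names are case-insensitive and '*' spans any text,
    including '/', which is also how fnmatchcase treats '*'."""
    return fnmatchcase(operation.lower(), pattern.lower())


def in_scope(assigned_at, resource_scope):
    """An assignment made at a scope covers that scope and everything under it."""
    a = assigned_at.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def role_allows(role, operation):
    """Effective permissions = Actions minus NotActions (an exclusion, not a deny)."""
    allowed = any(matches(p, operation) for p in role.get("Actions", []))
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not excluded


def can_perform(principal, operation, resource_scope, assignments, denies=()):
    """True when a valid assignment grants the operation at resource_scope and
    no deny assignment blocks it. Deny is checked first because it wins."""
    for deny in denies:
        if principal in deny["principals"] and in_scope(deny["scope"], resource_scope) \
                and any(matches(p, operation) for p in deny["actions"]):
            return False
    for a in assignments:
        if a["principal"] != principal or not in_scope(a["scope"], resource_scope):
            continue
        # A custom role may only be assigned at or below one of its AssignableScopes.
        if not any(in_scope(s, a["scope"]) for s in a["role"]["AssignableScopes"]):
            continue
        if role_allows(a["role"], operation):
            return True
    return False


# Constructed scopes (the subscription id is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm2"
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"

# A Contributor-style built-in role: everything except managing access.
CONTRIBUTOR = {
    "Name": "Contributor", "IsCustom": False,
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/elevateAccess/Action"],
    "AssignableScopes": ["/"],
}
# A custom role that can only read, start and restart VMs, assignable in one subscription.
VM_OPERATOR = {
    "Name": "VM Operator", "IsCustom": True,
    "Actions": ["Microsoft.Compute/virtualMachines/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Compute/virtualMachines/restart/action"],
    "NotActions": [],
    "AssignableScopes": [SUB],
}
ASSIGNMENTS = [
    {"principal": "alice", "role": VM_OPERATOR, "scope": RG_PROD},
    {"principal": "bob", "role": CONTRIBUTOR, "scope": SUB},
    # Invalid: the custom role is not assignable above its subscription.
    {"principal": "carol", "role": VM_OPERATOR, "scope": MG_ROOT},
]
# Deny assignments (applied through Azure Blueprints) override role assignments.
DENIES = [{"principals": ["bob"], "scope": RG_PROD,
           "actions": ["Microsoft.Compute/virtualMachines/delete"]}]

if __name__ == "__main__":
    start = "Microsoft.Compute/virtualMachines/start/action"
    delete = "Microsoft.Compute/virtualMachines/delete"
    print("alice start vm1:", can_perform("alice", start, VM_PROD, ASSIGNMENTS, DENIES))
    print("bob delete vm1 (denied):", can_perform("bob", delete, VM_PROD, ASSIGNMENTS, DENIES))
    print("bob delete vm2:", can_perform("bob", delete, VM_DEV, ASSIGNMENTS, DENIES))
```

Two points worth noticing when reading the results: NotActions on Contributor only subtract from that role, so a second assignment could still grant those operations, whereas a deny assignment blocks the operation regardless of how many role assignments allow it; and the "carol" assignment is silently ineffective because it was made outside the custom role's AssignableScopes.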
Azure Active Directory (Azure AD) roles Azure AD roles are used to manage Azure AD resources in a directory Identity Access Management (1AM) allows you to create and assign Azure (RBAC system) roles to users Roles restrict access to resource actions (also known as operations). There are 2 types of roles: 1. BuiltinRole- Managed Microsoft roles are read only pre-created roles for you to use 2. CustomRole ~ A role created by you with your own custom logic Role assignment is when you apply a role to user. A role assignment is composed of a a Security Principle, Role Definition and Scope. Azure's 4 builtin roles are: Owner, Contributor, Reader, User Access Administrator Classic Administrators have three types of rol 1, Account Administrator The billing owner of the subscription. Has no access to the Azure portal 2. Service Administrator same access of a user assigned the Owner role at subscription scope. Full access to the Azure portal. 3. Co-Administrator same access of a user who is assigned the Owner role at the subscription scope Important Azure AD Roles + Global Administrator Full access to everything + User Administrator Full access to create and manage users + Billing Administrator Make purchases, manage subscriptions and support tickets You can create custom Azure AD Roles roles but you need to purchase either: Azure AD Premium Pl or P2 Introduction to Azure Key Vault Cheat sheets, Practice Exams and Flash cards af ww.exampro.co/az-206 @® Azure Key Vault helps you Safeguard cryptographic keys and other secrets used by cloud apps and services. Azure Key Vault focuses on three things 1. sate Management easily provision, manage, and deploy public and private SSL certificates for use with Azure and internal connected resources. 2. 
Key Management create and control the eneryption keys used to encrypt your data 3, Secrets Management store and tightly control access to tokens, passwords, certificates, API keys, and other secrets Certificates contain key pair (key and secret), not to be confused with Key Management and Secrets Management HSM and FIPS Practice Exams and Flash cards if www.exampro.co/a2-204 ———— Se An HSM is a Hardware Security Module. Its a piece of hardware designed to store encryption keys. Federal Information Processing Standard (FIPS) US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. HSM's that are multi-tenant are IBS: Leela CORBI (multiple customers virtually isolated on an HSM) HSM’s that are single-tenant are (single customer on a dedicated HSM) Azure Key Vault — Vault Cheat sheets, Practice Exams and Flash cards a wwww.exampro.co/a2-204 ‘A Vault stores secrets and keys can be protected either by software or FIPS 140-2 Level 2 validated HSMs Azure Key Vaults provides two types of containers: + Vaults — supports, software and HSM backed keys + HSM pools — only supports HSM backed keys * Toactivate your HSM, you will need: * provide a minimum of three RSA key-pairs (up to a maximum of 10) * specify the minimum number of keys required to decrypt the security domain (called a quorum) ‘You do not choose the container on creation, you just choose between Standard and Premium. ‘When you choose Premium and create enough RSA key pairs you will begin to use HSM pools. pg allowing you to perform operations such as: Azure Key Vault — Key Vault API Cheat sheets, Practice Exams and Flash cards i www.exampro.co/az-204 ‘apy. 
Azure Key Vault Rest APIs used for programmatically miafaging Azure KEV VaUIEFESOUFCES, —— Anveey aut @) + Create a key or secret aaa + Import a key or secret + Revoke a key or secret + Delete a key or secret Authorize user or apps to access its keys or secrets Monitor and manage key usage ‘Azure Key Vault Rest API supports three different types of authentication: ‘+ Managed Identities — Identity managed by Azure AD (recommended as best practice) + Service Principal and Certificate — uses a certificate + Service Principal and Secret — user and secret key Azure Key Vault — Recovery Options Cheat sheets, Practice Exams and Flash cards a www.exampro.co/a2-204 Soft Delete allows you to recover or permanently delete a key vault and secrets for the duration of the retention period. (its enabled by default on creation) Sof-dlte bles ancatory vated plod and SS reins prevents the permanent deletion of | Fuvesrotecion © (© vate purge protection tw ky vat and objets tobe purged ring ‘meno peta) key vaults or secrets prior to the tenbinpurpcacon ec mdr ton poder etd retention period elapsing ® . ‘ vs and vat object) Purge protection when enabled, prevents secrets to be purged by users or by Microsoft. Cheat she Azure has two pricing tiers: 3 pring ter* + Standard + Premium + Allows for both software and HSM-protected keys RSA 2048-bit keys Advanced key type eg. RSA 3072-bit RSA 4096-bit Elliptic-Curve Cryptography (ECC) keys Azure Key Vault — Pricing Practice Exams and Flash cards df wwwexampro.co/s3-204 Standard Standard Premium (includes support for HSM backed keys) Software-protected keys HSM-protected keys $0.03/10,000 transactions $1 per key per month + $0.03/10,000 transactions per key per month: + $5 —First 250 keys From + $2.50 — 251-1500 keys + $0.90 —1501 - 4000 keys + $0.40 — 4001+ keys + $0.15/10,000 transactions $0.15/10,000 transactions Secrets operations — $0.03/10,000 transactions Certificate Renewal— $3 per renewal request. 
Additional charges:
+ Managed Azure Storage account key rotation: $1 per renewal
+ Managed HSM pools: $3.20 per hour

Azure Key Vault — Keys

When creating a key there are three options:
+ Generate: Azure generates the key material inside the vault (or HSM); the private part never leaves Key Vault
+ Import: import an existing RSA key
+ Restore Backup: restore a key from a backup

For keys generated by Azure you can use either RSA or EC:
+ RSA (Rivest-Shamir-Adleman): 2048, 3072 or 4096 bits
+ EC (Elliptic-curve cryptography): curves P-256, P-384, P-521 and P-256K

You can set an activation date (not before) and an expiration date on a key; cryptographic operations outside that window are refused. You can create new versions of a key, set a rotation policy so that Key Vault creates new versions automatically, and download backups of keys. Backups are encrypted blobs that can only be restored within the same Azure subscription and Azure geography, and only into Azure Key Vault.

Azure Key Vault — Keys (Premium)

With a Premium vault you get two more key options for HSM-protected keys:
+ generate an RSA or EC key inside the HSM (key types RSA-HSM and EC-HSM)
+ import an RSA key into the HSM (bring your own key)

Azure Key Vault — Keys (MMK vs CMK)

Microsoft-managed keys (MMK) are keys managed by Microsoft. They do not appear in your vault and in most cases are used by default for encryption at rest in Azure services.

Customer-managed keys (CMK) are keys you create in, or import into, Azure Key Vault. To use them with a service you select a key from a vault (or enter the key URI). Sometimes "customer managed" only means that the customer has supplied the cryptographic material; generated and imported keys are both considered CMK in Azure.
In order to use a customer-managed key, an Azure service needs an identity within Azure AD (a system-assigned or user-assigned managed identity) that has been granted permission on the vault to get, wrap and unwrap the key.

Storage Accounts — Infrastructure Encryption

By default, Azure encrypts storage account data at rest. Infrastructure encryption adds a second, independent layer of encryption to your storage account's data; it is an option you enable when creating the account.

Azure Disks — Double Encryption

For managed disks the encryption type options are:
+ encryption at rest with a platform-managed key
+ encryption at rest with a customer-managed key
+ double encryption with platform-managed and customer-managed keys

Double encryption is where two or more independent layers of encryption, with different keys and implementations, protect the same data, so that the compromise of any one layer (a leaked key, a broken algorithm or an implementation flaw) does not expose the plaintext.

Azure Key Vault — Double Encryption

Microsoft has a two-layered approach each for data at rest and data in transit:

Data at rest
1. Disk encryption using customer-managed keys
2. Infrastructure encryption using platform-managed keys

Data in transit
1. Transit encryption using Transport Layer Security (TLS) 1.2
2. An additional layer of encryption provided at the infrastructure (network) layer

Azure Key Vault — Secrets

Azure Key Vault Secrets provides secure storage of generic secrets, such as passwords and database connection strings.
+ Key Vault APIs accept and return secret values as strings
+ Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each
+ The Key Vault service doesn't provide semantics for secrets: it accepts the data, encrypts it, stores it, and returns a secret identifier ("id")
+ For highly sensitive data, clients should consider additional layers of protection, for example encrypting the data with a separate protection key before storing it in Key Vault
+ Key Vault also supports a contentType field for secrets: clients may specify the content type to assist in interpreting the secret data when it is retrieved (maximum length 255 characters)

Azure Key Vault — Secrets (encryption at rest)

All secrets in your Key Vault are stored encrypted. Key Vault encrypts secrets at rest with a hierarchy of encryption keys:
+ all keys in that hierarchy are protected by modules that are FIPS 140-2 compliant
+ the encryption leaf key of the hierarchy is unique to each key vault
+ the encryption root key of the hierarchy is unique to the security world
+ the protection level varies between regions, e.g. China uses FIPS 140-2 Level 1 and all other regions use Level 2 or higher

Secret attributes:
+ exp: expiration time, after which the secret data should not be retrieved
+ nbf: not before (default value is now), the time before which the secret data should not be retrieved
+ enabled: whether the secret data can be retrieved (default true)
There are also read-only attributes for created and updated.

To access secrets from your application code you can use the Azure SDK client libraries (for example SecretClient in the azure-keyvault-secrets package) or call the REST API directly using the secret's URI, which has the form https://{vault-name}.vault.azure.net/secrets/{secret-name}/{version}. Either way the caller authenticates to Azure AD, ideally with a managed identity.

X.509 Certificates

What is Public key infrastructure (PKI)?
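The following is an added example for the Secrets section above; it is my code, not the cheat sheet's and not Microsoft's SDK. It parses a secret identifier safely, enforces the 25k-byte and 255-character limits before calling the API, applies the exp / nbf / enabled attribute semantics, and shows the SDK call with DefaultAzureCredential (managed identity in Azure). The vault name, secret name and version are invented, and only get_secret_value() needs the azure-identity and azure-keyvault-secrets packages and network access, so it imports them lazily.

```python
"""Key Vault secret identifiers, limits and attributes from application code.

Added example, not code from the original cheat sheet. The vault name
"contoso-vault", the secret name "DbPassword" and the version are made up;
get_secret_value() is the only function that talks to Azure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MAX_SECRET_BYTES = 25 * 1024     # Key Vault stores a secret as at most 25k octets
MAX_CONTENT_TYPE_LEN = 255       # contentType is limited to 255 characters

# Secret identifier: https://{vault}.vault.azure.net/secrets/{name}[/{version}]
# Vault names are 3-24 alphanumerics/hyphens, secret names 1-127, versions 32 hex chars.
_SECRET_ID = re.compile(
    r"^https://(?P<vault>[A-Za-z0-9-]{3,24})\.vault\.azure\.net/secrets/"
    r"(?P<name>[A-Za-z0-9-]{1,127})(?:/(?P<version>[0-9a-f]{32}))?/?$"
)


@dataclass(frozen=True)
class SecretId:
    vault: str
    name: str
    version: Optional[str]   # None means "latest version"

    @property
    def vault_url(self) -> str:
        return f"https://{self.vault}.vault.azure.net"


def parse_secret_id(identifier: str) -> SecretId:
    """Validate and split a secret identifier; refuse anything that is not a
    *.vault.azure.net URL so a tampered configuration value cannot redirect
    the client to an attacker-controlled host."""
    match = _SECRET_ID.match(identifier)
    if match is None:
        raise ValueError(f"not a Key Vault secret identifier: {identifier!r}")
    return SecretId(match["vault"], match["name"], match["version"])


def check_secret_payload(value: str, content_type: Optional[str] = None) -> bytes:
    """Encode a value the way Key Vault stores it (a sequence of octets) and
    enforce the documented limits locally instead of waiting for a 400."""
    data = value.encode("utf-8")
    if len(data) > MAX_SECRET_BYTES:
        raise ValueError(f"secret is {len(data)} bytes; Key Vault allows {MAX_SECRET_BYTES}")
    if content_type is not None and len(content_type) > MAX_CONTENT_TYPE_LEN:
        raise ValueError("contentType must be at most 255 characters")
    return data


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp (Key Vault attributes are Unix times in UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def secret_is_retrievable(enabled: bool, nbf: Optional[datetime],
                          exp: Optional[datetime], now: datetime) -> bool:
    """Apply the exp / nbf / enabled semantics: a secret should not be used
    before nbf, at or after exp, or when disabled. Treat this as a client-side check."""
    if not enabled:
        return False
    if nbf is not None and now < nbf:
        return False
    if exp is not None and now >= exp:
        return False
    return True


def get_secret_value(identifier: str) -> str:
    """Read the secret through the SDK. DefaultAzureCredential uses the managed
    identity when running in Azure and developer credentials locally, so no
    stored secret is needed to fetch secrets. Network call; not exercised offline."""
    from azure.identity import DefaultAzureCredential          # lazy: optional deps
    from azure.keyvault.secrets import SecretClient

    sid = parse_secret_id(identifier)
    client = SecretClient(vault_url=sid.vault_url, credential=DefaultAzureCredential())
    secret = client.get_secret(sid.name, version=sid.version)
    props = secret.properties
    if not secret_is_retrievable(props.enabled, props.not_before, props.expires_on,
                                 datetime.now(timezone.utc)):
        raise RuntimeError(f"secret {sid.name} is disabled or outside its validity window")
    return secret.value
```

Pinning the version in the identifier is what you want for reproducible deployments; omitting it always returns the latest version, which is what rotation relies on.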
PKI is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and to manage public-key encryption.

What is an X.509 certificate?

X.509 is the standard format for public-key certificates. X.509 certificates are used in many Internet protocols:
+ SSL/TLS and HTTPS
+ signed and encrypted email (S/MIME)
+ code signing and document signing

A certificate binds:
+ an identity: hostname, organization or individual
+ to a public key: RSA, DSA, ECDSA etc.
and carries the signature of the party that vouches for that binding.

What is a Certificate Authority (CA)?

A CA is an entity that issues digital certificates. A CA acts as a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.

X.509 Certificates — Chain of Trust

A certificate authority can issue multiple certificates in the form of a tree structure (a chain of trust):

Root Certificate Authority (Root CA)
+ holds a self-signed certificate; its private key is used to sign other certificates
+ it is important that the private key of the root is protected (typically kept offline), because anything it signs is trusted by every party that trusts the root

Intermediate Certificate Authority (ICA)
+ intermediate certificates are signed by the root private key and act as entities that can issue certificates
+ they protect the root because the root does not have to sign every issued certificate; if an intermediate is compromised it can be revoked without replacing the root

End Entity Certificate
+ a certificate issued by the ICA and used by the end entity; for a website this is the SSL/TLS server certificate
+ an end-entity certificate is not allowed to sign further certificates (the CA flag in its Basic Constraints extension is false)

X.509 Certificates — Certificate Format

A certificate contains metadata about:
+ Version Number: the version of the X.509 standard (v3 is the version in use today and the one that supports extensions)
+ Serial Number: a unique serial number assigned to the certificate by the CA
+ Signature Algorithm ID: the algorithm used to sign the certificate, e.g.
RSA or DSA (in practice sha256WithRSAEncryption or ecdsa-with-SHA256)
+ Issuer: name of the Certificate Authority that issued this certificate
+ Validity Period: start and end date-time between which the certificate is valid
+ Subject: the identifier for the individual or organisation the certificate was issued to
+ Subject Public Key: the public key that is meant to be authenticated by this certificate; this field (Subject Public Key Info) also names the algorithm the key is for
+ Issuer Unique Identifier: optional; disambiguates an issuer name that has been reused over time (rarely used in practice)
+ Subject Unique Identifier: optional; likewise disambiguates a reused subject name
+ Extensions: allow a CA to associate additional attributes with a certificate, e.g. Subject Alternative Name, Key Usage and Basic Constraints (whether the holder is a CA)

All of the metadata is publicly readable (anyone can view it); a certificate contains no secrets.

X.509 Certificates — Certificate Format (signing)

All of the certificate's public metadata (the "to be signed" part: version number, serial number, signature algorithm ID, issuer, validity period, subject, subject public key, issuer and subject unique identifiers, extensions) is hashed. The hash is signed by the issuing CA's private key, producing a signature. The data, the signature and the subject's public key are what make up a certificate; a relying party re-hashes the data and verifies the signature with the issuer's public key.

X.509 Certificates — CER vs PFX vs PEM

A digital certificate file can end with a variety of extensions, e.g. .crt, .cer, .pem, .der.

Privacy Enhanced Mail (PEM)
+ Base64 ASCII encoding, wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
+ the most common format for X.509 certificates, CSRs,
and cryptographic keys
+ PEM files normally have the extensions .crt, .pem, .cer and .key (for private keys)

Distinguished Encoding Rules (DER)
+ binary encoding
+ used for both X.509 certificates and private keys
+ DER files normally have the extensions .der and .cer

Certificate File (CER/CRT)
+ .cer and .crt are interchangeable, generic extensions for a certificate; the content may be PEM or DER encoded
+ a .cer/.crt file holds a public certificate, not a private key

Personal Information Exchange (PFX)
+ Microsoft's certificate format; bundles the certificate, its chain and the private key in one password-protected file
+ PKCS #12 is the successor to PFX
+ PFX will normally use the extension .pfx
+ PKCS #12 will use either .p12 or .pfx

Certificate extensions and formats are generally confusing due to the lack of standardized use of extensions: look at the content (PEM text or binary), not the extension.

X.509 Certificates — Certificate Signing Request

A Certificate Signing Request (CSR) is a message sent from an applicant to a registration (certificate) authority of a PKI in order to apply for a digital identity certificate. When you want an SSL/TLS certificate for your website you need to submit a CSR to a CA.

A CSR contains:
+ the public key
+ the applicant's information, e.g. the Fully Qualified Domain Name (FQDN) such as www.exampro.co
+ a signature made with the matching private key, proving the applicant holds it; the private key itself never leaves the applicant

Flow: Application (CSR with application information and public key) -> Request certificate -> CA -> Issue certificate -> Certificate

Azure Key Vault — Certificates

Azure Key Vault allows you to create, import and manage X.509 certificates. Methods of certificate creation: generate or import.
+ Key Vault partners with certificate issuer providers for TLS/SSL certificates: DigiCert and GlobalSign
+ Type of Certificate Authority (CA): self-signed certificate, certificate issued by an integrated CA, or certificate issued by a non-integrated CA
+ You can generate self-signed certificates or request them through a certificate authority
+ No need to manage the security of the private key: Key Vault takes care of it for you
+ Allows a certificate owner to create a policy that directs Key Vault to manage the life-cycle of a certificate
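As an added example for the chain-of-trust, certificate-format and CSR sections above (my code, not the cheat sheet's; it needs the cryptography Python package, and the names Demo Root CA, Demo Intermediate CA and www.exampro.co are made up), the block below builds a self-signed root, an intermediate signed by the root, a CSR, and an end-entity certificate signed by the intermediate, then verifies the chain the way a relying party does: validity window, issuer/subject linkage, the issuer's CA flag and the signature over the to-be-signed bytes. forge_leaf() shows why the name in the issuer field is not what matters: a certificate that claims the intermediate as issuer but was signed by another key is rejected.

```python
"""Chain of trust: root -> intermediate -> end entity, built and verified.
Added example, not from the cheat sheet; requires the `cryptography` package.
All names are made up and the keys are generated on the fly."""
from __future__ import annotations

import datetime as dt
from typing import Iterable, Sequence

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DEMO_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)   # fixed clock for the demo


def shift_days(when: dt.datetime, days: int) -> dt.datetime:
    return when + dt.timedelta(days=days)


def _name(common_name: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue(subject: x509.Name, public_key, issuer: x509.Name, issuer_key,
          *, is_ca: bool, days: int, now: dt.datetime) -> x509.Certificate:
    """Assemble the metadata (version, serial, issuer, validity, subject, public
    key, extensions) and sign its hash with the issuer's private key."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())      # unique, CA-assigned
        .not_valid_before(now)
        .not_valid_after(shift_days(now, days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())    # ECDSA over SHA-256 of the TBS bytes


def build_demo_chain(now: dt.datetime = DEMO_NOW):
    root_key, ica_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue(_name("Demo Root CA"), root_key.public_key(), _name("Demo Root CA"),
                 root_key, is_ca=True, days=3650, now=now)          # self-signed
    ica = issue(_name("Demo Intermediate CA"), ica_key.public_key(), root.subject,
                root_key, is_ca=True, days=1825, now=now)
    # The applicant builds a CSR: its identity, its public key and a signature made
    # with its private key, which never leaves the applicant.
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(_name("www.exampro.co"))
           .sign(leaf_key, hashes.SHA256()))
    if not csr.is_signature_valid:
        raise ValueError("CSR does not prove possession of the private key")
    leaf = issue(csr.subject, csr.public_key(), ica.subject, ica_key,
                 is_ca=False, days=397, now=now)
    return root, ica, leaf


def forge_leaf(ica: x509.Certificate, now: dt.datetime = DEMO_NOW) -> x509.Certificate:
    """An attacker copies the intermediate's name into the issuer field but can
    only sign with their own key; verify_chain must reject this."""
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    return issue(_name("www.exampro.co"), rogue_key.public_key(), ica.subject,
                 rogue_key, is_ca=False, days=397, now=now)


def _validity(cert: x509.Certificate):
    # cryptography >= 42 exposes aware datetimes; older versions give naive UTC.
    before = getattr(cert, "not_valid_before_utc", None)
    if before is not None:
        return before, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))


def verify_chain(leaf: x509.Certificate, intermediates: Sequence[x509.Certificate],
                 trusted_roots: Iterable[x509.Certificate], now: dt.datetime) -> bool:
    """Walk from the end entity up to a trusted root, checking at each step the
    validity window, issuer/subject linkage, the issuer's CA flag and the signature."""
    roots = list(trusted_roots)
    path = [leaf, *intermediates]
    for i, cert in enumerate(path):
        not_before, not_after = _validity(cert)
        if not (not_before <= now <= not_after):
            return False
        if i + 1 < len(path):
            issuer = path[i + 1]
        else:   # last link: the issuer must be one of our trust anchors
            issuer = next((r for r in roots if r.subject == cert.issuer), None)
        if issuer is None or issuer.subject != cert.issuer:
            return False
        try:
            constraints = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            return False
        if not constraints.ca:
            return False            # a leaf cannot vouch for another certificate
        try:   # all keys here are EC; an RSA issuer would verify with padding.PKCS1v15
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return True
```

Real validators also check revocation (CRL/OCSP), name constraints, key usage and that the hostname matches a subject alternative name; those are left out here to keep the chain logic visible.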
+ Allows certificate owners to provide contact info for notification about life-cycle events such as the expiration and renewal of a certificate
+ Supports automatic renewal with selected issuers: the Key Vault partner X.509 certificate providers / certificate authorities

Azure Key Vault — Composition of a Certificate

When you create a certificate within Key Vault the following is created:
+ a Key Vault key, which allows key operations (sign, decrypt) with the certificate's private key
+ a Key Vault secret, which allows retrieval of the certificate value, including the private key, as a secret
+ certificate metadata: the public X.509 certificate data

A certificate can be downloaded in either:
+ CER format: the DER-encoded (binary) public certificate only, with no private key
+ PFX/PEM format: the certificate plus its private key, in the content type you chose when you generated the certificate (PKCS #12 gives a .pfx, PEM gives a .pem)

Remember that a .cer extension can hold PEM content too, so the "CER format" name is confusing; here it means DER.

Azure Key Vault — Certificate Policy

A certificate policy allows you to set and see:
+ the content type (PKCS #12 or PEM)
+ the lifetime of the certificate and its renewal action (auto-renew or e-mail the contacts) at a given percentage of that lifetime
+ the key type (RSA or EC) and whether it is HSM-protected
+ the key size
+ other options such as the subject, DNS names (subject alternative names), key usage and whether the private key is exportable

Issuance policies only affect certificates that will be issued in the future. Modifying an issuance policy will not affect any existing certificates.

Azure App Configuration

Azure App Configuration is an Azure service that allows you to centralize all your app settings in one location. It is ideal for multi-environment and multi-geography applications because it provides a dynamic way to change application settings without having to restart them.
It also integrates with Azure Key Vault, which stores application secrets: App Configuration holds a reference to the secret, not the secret value itself.

Azure App Configuration main benefits:
+ A fully managed service that can be set up in minutes
+ Flexible key representations and mappings
+ Tagging with labels
+ Point-in-time replay of settings
+ Dedicated UI for feature flag management
+ Comparison of two sets of configurations on custom-defined dimensions
+ Enhanced security through Azure-managed identities
+ Encryption of sensitive information at rest and in transit
+ Native integration with popular frameworks

Popular frameworks with native integration:
+ .NET Core and ASP.NET Core
+ .NET Framework and ASP.NET
+ Java Spring
+ JavaScript/Node.js
+ Python
+ Azure Functions (.NET Core)
+ Other

Azure App Configuration — Tiers

Free tier:
+ Resources per subscription: 1
+ Storage per resource: 10 MB
+ Revision history: 7 days
+ Requests quota: 1,000 per day
+ SLA: none
+ Security functionality: encryption with Microsoft-managed keys, HMAC or AAD authentication, RBAC support, managed identity, service tags
+ Cost: free
+ Soft delete is not supported for stores in the free pricing tier
Standard tier:
+ Resources per subscription: unlimited
+ Storage per resource: 1 GB
+ Revision history: 30 days
+ Requests quota: 30,000 per hour
+ SLA: 99.99% availability
+ Security functionality: all Free tier functionality plus encryption with customer-managed keys and Private Link support
+ Cost: $1.20 per resource per day, with 200,000 requests included in the daily charge, plus $0.06 per 10,000 additional requests

Azure App Configuration — Configuration Explorer

The Configuration Explorer lets you see what data is stored in your App Configuration store: each entry is listed with its key, value, label, last modified time and content type, and you can filter by date, key and label. The explorer authenticates with access keys or with Azure AD; prefer Azure AD, since access keys are shared secrets that grant full access to the store.

You can create either a:
+ Key-value: add a key/value pair
+ Key Vault reference: reference a secret stored within a vault; App Configuration stores only the secret's URI, and your application resolves it from Key Vault with its own identity

Azure App Configuration — Feature Manager

What is a Feature Flag? A feature flag provides an alternative to maintaining multiple feature branches in source code. A condition within the code enables or disables a feature at runtime. This makes it easier to roll back or to do A/B testing for new functionality.

Azure App Configuration Feature Manager allows you to add feature flags, which can then be accessed via code.

Feature filters allow advanced filtering of features: a feature filter consistently evaluates the state of a feature flag for a given request or user. A feature flag supports three types of built-in filters:
1. Targeting: enable for named users, for groups (each with its own rollout percentage) and for a default percentage of everyone else
2. Time window: enable between a start and an end date-time
3. Percentage: enable for a percentage of evaluations
Custom filters can also be created based on different factors, such as the device used, its type, geographic location, etc.
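The block below is an added example for the Feature Manager section (my code, not the cheat sheet's and not Microsoft's feature-management library). It evaluates a feature flag offline using the JSON shape App Configuration stores under a ".appconfig.featureflag/<name>" key with the feature-flag content type, implementing the three built-in filters and the requirement type (Any/All). SAMPLE_FLAG is a constructed value. One deliberate deviation: the rollout bucket is a SHA-256 hash of the user and the flag or group name, so a user gets the same answer on every evaluation, whereas the official Percentage filter draws a random number per evaluation.

```python
"""Offline evaluation of an App Configuration feature flag.
Added example, not from the cheat sheet or the Microsoft libraries."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Iterable, Optional

FLAG_KEY_PREFIX = ".appconfig.featureflag/"
FLAG_CONTENT_TYPE = "application/vnd.microsoft.appconfig.ff+json;charset=utf-8"

SAMPLE_FLAG = json.dumps({      # constructed sample: Beta is on during May 2024 only,
    "id": "Beta",               # for alice and for everyone in the Ring0 group
    "description": "Beta features",
    "enabled": True,
    "conditions": {
        "requirement_type": "All",   # every filter must pass; the default is "Any"
        "client_filters": [
            {"name": "Microsoft.TimeWindow", "parameters": {
                "Start": "Wed, 01 May 2024 00:00:00 GMT",
                "End": "Sat, 01 Jun 2024 00:00:00 GMT"}},
            {"name": "Microsoft.Targeting", "parameters": {"Audience": {
                "Users": ["alice@contoso.com"],
                "Groups": [{"Name": "Ring0", "RolloutPercentage": 100}],
                "DefaultRolloutPercentage": 0}}},
        ],
    },
})


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def flag_id_from_setting(key: str, content_type: str) -> str:
    """Only treat a setting as a feature flag when both the key prefix and the
    content type say so; a plain key-value that happens to be JSON is not a flag."""
    if not key.startswith(FLAG_KEY_PREFIX) or content_type != FLAG_CONTENT_TYPE:
        raise ValueError(f"{key!r} is not a feature flag setting")
    return key[len(FLAG_KEY_PREFIX):]


def _bucket(*parts: str) -> float:
    """Stable number in [0, 100) derived from the evaluation context."""
    digest = hashlib.sha256("\n".join(parts).encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") / 2 ** 32 * 100


def _time_window(params: dict, now: datetime) -> bool:
    start, end = params.get("Start"), params.get("End")
    if start and now < parsedate_to_datetime(start):
        return False
    if end and now >= parsedate_to_datetime(end):
        return False
    return True


def _percentage(params: dict, flag_id: str, user: str) -> bool:
    return _bucket(user, flag_id) < float(params.get("Value", 0))


def _targeting(params: dict, flag_id: str, user: str, groups: set) -> bool:
    audience = params.get("Audience", {})
    if user and user in audience.get("Users", []):
        return True
    for group in audience.get("Groups", []):
        if group.get("Name") in groups and \
                _bucket(user, group["Name"]) < float(group.get("RolloutPercentage", 0)):
            return True
    return _bucket(user, flag_id) < float(audience.get("DefaultRolloutPercentage", 0))


def is_enabled(flag_json: str, *, user: Optional[str] = None,
               groups: Iterable[str] = (), now: Optional[datetime] = None) -> bool:
    """Decide whether the feature is on for this user/request."""
    flag = json.loads(flag_json)
    if not flag.get("enabled", False):
        return False                      # the kill switch beats every filter
    conditions = flag.get("conditions") or {}
    filters = conditions.get("client_filters") or []
    if not filters:
        return True                       # enabled with no filters: on for everyone
    now = now or datetime.now(timezone.utc)
    user, groups = user or "", set(groups)
    results = []
    for f in filters:
        name, params = f.get("name"), f.get("parameters") or {}
        if name == "Microsoft.TimeWindow":
            results.append(_time_window(params, now))
        elif name == "Microsoft.Percentage":
            results.append(_percentage(params, flag["id"], user))
        elif name == "Microsoft.Targeting":
            results.append(_targeting(params, flag["id"], user, groups))
        else:
            results.append(False)         # unknown (custom) filter: fail closed
    if conditions.get("requirement_type", "Any") == "All":
        return all(results)
    return any(results)
```

Failing closed on an unrecognised filter name is the safe default: a typo in a filter name should hide the feature, not expose it to everyone.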
Microsoft Graph API

Microsoft Graph API exposes REST APIs and SDKs to access data for the following Microsoft cloud services:

Microsoft 365 core services:
+ Bookings
+ Calendar
+ Delve
+ Excel
+ Microsoft 365 compliance eDiscovery
+ Microsoft Search
+ OneDrive
+ OneNote
+ Outlook/Exchange
+ People
+ Planner
+ SharePoint
+ Teams
+ To Do
+ Workplace Analytics

Enterprise Mobility and Security services:
+ Advanced Threat Analytics
+ Advanced Threat Protection
+ Azure Active Directory
+ Identity Manager
+ Intune

Dynamics 365 Business Central

Windows 10 services:
+ Activities
+ Devices
+ Notifications
+ Universal Print

Supported SDKs: Android, iOS, Angular, ASP.NET, Go, JavaScript, Node.js, Java, PHP, PowerShell, Python, Ruby.

This data is accessible via the unified endpoint: https://graph.microsoft.com
