Administrator AZ-104
Manage Azure Identities and Governance
Learning Objectives
After obtaining the subscription, you need to decide who can access
what types of resources in Azure, so you need to devise an
authentication strategy for Azure.
Once your access is set, then you need to decide how to manage the
infrastructure with the variety of tools available.
Manage Subscriptions and Governance
Use the Azure Portal
The Azure portal lets the user build, manage, and monitor everything from simple
web apps to complex cloud applications in a single, unified console.
• Manage resources
• Receive notifications
Duration: 10 min.
Problem Statement:
You’ve been tasked with creating an Azure free account and taking a quick tour of
the Azure portal.
Assisted Practice: Guidelines
1. Go to https://azure.microsoft.com/free
2. Select ‘start free’
3. Sign in with a Microsoft or GitHub account
Use Azure Cloud Shell
• Is an interactive, browser-accessible shell
• Offers either Bash or PowerShell
• Authenticates automatically
Source: https://portal.azure.com/#home
Use Azure PowerShell
Features
New-AzVm `
-ResourceGroupName "myResourceGroup" `
-Name "myVM" `
-Image "UbuntuLTS" `
...
Configure Azure PowerShell
Duration: 10 min.
Problem Statement:
You’ve been assigned the task to install the Azure PowerShell module and create
resources using it.
Assisted Practice: Guidelines
Azure CLI
Duration: 10 min.
Problem Statement:
You’ve been assigned the task to install Azure CLI and create resources using it.
Assisted Practice: Guidelines
Source: https://portal.azure.com/#home
Azure Tags
Source: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
Obtain a Subscription
• Enterprise Agreement: Customers pay upfront and consume services throughout the year
• Resellers: Users can buy Azure through an open licensing program which provides a simple, flexible
way to purchase cloud services
• Partners: Users can design and implement their Azure cloud solution
Subscription Usage
• Free: Includes a $200 credit for the first 30 days, free limited access for 12 months
Cost management displays organizational cost and usage patterns with advanced analytics.
Source: https://docs.microsoft.com/en-us/azure/?product=popular
Resource Manager
Azure Resource Manager is Azure’s deployment and management service. It enables the user to create,
update, and delete resources in their Azure account.
Benefits
Source: https://docs.microsoft.com/en-us/azure/?product=popular
Azure Resource Terminology
• Resource: It is a single service instance in Azure, such as Azure Virtual Machines, virtual
networks, and storage accounts.
• Resource group: It is a logical container that the user uses to group related resources in a
subscription. Each resource can exist in only one resource group.
• Management groups: Logical containers used to organize one or more subscriptions.
• Azure account: The email address that the user provides when they create an Azure
subscription is the Azure account for the subscription.
Azure Resource Terminology
• Azure Active Directory (Azure AD): It is a Microsoft cloud-based identity and access
management service. Azure AD allows a user’s employees to sign in and access resources.
• Azure AD tenant: It is a dedicated and trusted instance of Azure AD. An Azure AD tenant is
automatically created when an organization signs up for a Microsoft cloud service
subscription. It represents a single organization.
• Azure AD directory: Each Azure AD tenant has a single, dedicated, and trusted directory.
The directory includes the tenant's users, groups, and applications.
Resource Groups
A resource group is a container that holds related resources for an Azure solution.
Features
Source: https://docs.microsoft.com/en-us/azure/?product=popular
Reorganize Azure Resources
• When moving resources, the source group and the target group are locked.
• The services that cannot be moved are Azure AD Domain Services, ExpressRoute, and Site
Recovery.
Source: https://docs.microsoft.com/en-us/azure/?product=popular
Determine Resource Limits
• This is helpful to track current usage and plan for future use.
Source: https://portal.azure.com/#home
Determine Resource Limits
Source: https://portal.azure.com/#home
Remove Resources and Resource Groups
• Remove Azure resources that are no longer used, to ensure no unexpected charges
An Azure Resource Manager (ARM) template defines all the Resource Manager resources in a deployment.
An ARM Template:
• Improves consistency
• Promotes reuse
Source: https://docs.microsoft.com/en-us/azure/?product=popular
ARM Template Schema
Azure Resource Manager template schema presents the different sections of a template:
Parameters specify which values are configurable when the template runs. The example below has two parameters:
• For a VM’s username (adminUsername)
• For its password (adminPassword)
"parameters": {
  "adminUsername": {
    "type": "string",
    "metadata": {
      "description": "Username for the VM."
    }
  },
  "adminPassword": {
    "type": "securestring",
    "metadata": {
      "description": "Password for the VM."
    }
  }
}
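Added example (not code from the page or from Microsoft): a small Python check over the parameters section described above, flagging secret-like parameters that are not declared with a secure type or that ship a defaultValue. The template text is constructed; the third parameter is deliberately weak so the check has something to report.

```python
import json

# Constructed template: the two parameters described above plus a deliberately
# weak third one (plain string with a baked-in default) for the check to catch.
TEMPLATE_JSON = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {"type": "string",
                      "metadata": {"description": "Username for the VM."}},
    "adminPassword": {"type": "securestring",
                      "metadata": {"description": "Password for the VM."}},
    "dbPassword": {"type": "string", "defaultValue": "constructed-weak-default"}
  },
  "resources": []
}"""

SECRET_HINTS = ("password", "secret", "token")
# securestring / secureobject values are not written to deployment history or logs.
SECURE_TYPES = ("securestring", "secureobject")


def check_parameters(template: dict) -> list:
    """Return (parameter, finding) pairs for secret-like parameters that are
    not declared with a secure type or that carry a defaultValue."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        if not any(hint in name.lower() for hint in SECRET_HINTS):
            continue  # only parameters whose name suggests a secret are checked
        ptype = spec.get("type", "").lower()
        if ptype not in SECURE_TYPES:
            findings.append((name, f"typed '{ptype}'; declare it as securestring"))
        if "defaultValue" in spec:
            findings.append((name, "has a defaultValue; supply secrets at deploy time"))
    return findings


def check_template_text(text: str) -> list:
    """Parse a template given as JSON text and run the parameter check."""
    return check_parameters(json.loads(text))
```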
Quick Start Templates
• https://azure.microsoft.com/en-us/resources/templates/
Source: https://azure.microsoft.com/en-in/resources/templates/
Configure Resources with ARM Templates
Duration: 10 min.
Problem Statement:
You’ve been tasked to create various Azure Resources using the ARM Templates.
Assisted Practice: Guidelines
• Azure Hybrid Benefits: Employ Windows server and SQL server on-premises licenses with
software assurance
• Azure Credits: Monthly credit benefit that allows one to experiment with, develop, and test new
solutions on Azure
• Pricing Calculator: Provides estimates in all areas of Azure including compute, networking,
storage, web, and databases
Manage Role-Based Access Control (RBAC)
Create Management Groups
• Help target policies and spending budgets across subscriptions, with inheritance
down the hierarchy
Source: https://docs.microsoft.com/en-us/azure/governance/azure-management
Create Management Groups
Source: https://docs.microsoft.com/en-us/azure/governance/azure-management
Implement Azure Policies
Azure Policy is a service to create, assign, and manage policies that evaluate and
scan for non-compliant resources.
Features
• Allowed locations
• Determine compliance
Source: https://portal.azure.com/#home
1. Create Policy Definitions
There are many built-in policy definitions. The user can ‘Sort by Category’ to choose any.
Source: https://portal.azure.com/#home
2. Create Initiative Definitions
Once the user determines which Policy Definitions they need, they can create an initiative definition.
• Require Planning
Source: https://portal.azure.com/#home
3. Scope the Initiative Definitions
Once the Initiative Definition is created, the user can assign the definition
to a scope
• The user can select the subscription and optionally the resource group.
Source: https://portal.azure.com/#home
4. Determine Compliance
Source: https://portal.azure.com/#home
Implementing Azure Policy
Duration: 20 min.
Problem Statement:
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained
access management of Azure resources.
• Allows one user to manage virtual machines in a subscription and another user to
manage virtual networks
• Allows a user to manage all resources in a resource group, for example, virtual
machines, websites, and subnets
Concepts
• Security principal: Object that represents something that is requesting access to resources
• Role definition: Collection of permissions that lists the operations that can be performed
Source: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Create a Role Definition
Contributor
{
  "actions": [
    "*"
  ],
  "notActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action"
  ],
  "dataActions": [],
  "notDataActions": []
}
Source: https://docs.microsoft.com/en-us/azure/?product=popular
Create a Role Assignment
Role assignment is the process of binding a role definition to a user, group, or service principal at a
scope for the purpose of granting access. The example below depicts the creation of a role assignment.
{
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Auth/*/Delete",
    "Auth/*/Write",
    "Auth/elevate"
  ]
}
Source: https://docs.microsoft.com/en-us/azure/?product=popular
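As an added illustration (not code from the page or from Microsoft), the Python below models how the two ideas in this and the previous section combine: a role definition's Actions/NotActions are matched with wildcards, and a role assignment at a scope applies to everything beneath that scope. Role names, principals and scopes are constructed sample values, and Azure deny assignments are not modelled.

```python
import fnmatch
from typing import Dict, List

# Constructed role definitions. Contributor mirrors the actions/notActions shown
# above; Reader is a simplified stand-in for the built-in role.
ROLE_DEFINITIONS: Dict[str, dict] = {
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
}


def _matches(pattern: str, operation: str) -> bool:
    # Operation strings use '*' wildcards and are compared case-insensitively.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role: dict, operation: str) -> bool:
    # NotActions only subtract from this role's own Actions; they are not a deny
    # and cannot block a permission granted by a second role assignment.
    allowed = any(_matches(p, operation) for p in role["actions"])
    excluded = any(_matches(p, operation) for p in role["notActions"])
    return allowed and not excluded


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    # An assignment applies at its scope and is inherited by every child scope.
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_allowed(principal: str, operation: str, resource_scope: str,
               assignments: List[dict]) -> bool:
    # Effective access is the union of every applicable assignment.
    return any(
        asg["principal"] == principal
        and scope_covers(asg["scope"], resource_scope)
        and role_permits(ROLE_DEFINITIONS[asg["role"]], operation)
        for asg in assignments
    )


# Constructed sample assignments: alice is Contributor on one resource group,
# bob is Reader on the whole subscription.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor",
     "scope": "/subscriptions/sub1/resourceGroups/rg-web"},
    {"principal": "bob", "role": "Reader", "scope": "/subscriptions/sub1"},
]
```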
Compare Azure RBAC Roles to Azure AD Roles
Azure RBAC roles: Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, and the REST API.
Azure AD roles: Role information can be found in the Azure portal, Microsoft 365 admin portal, Microsoft Graph, and Azure Active Directory PowerShell for Graph.
Apply RBAC Authentication
Illustration to show the differences in roles between Azure AD Admin and Azure RBAC:
Source: https://portal.azure.com/#home
Create and Assign Roles
Duration: 20 min.
Problem Statement:
User Access Administrator: Manages user access to Azure resources. This applies to managing access, rather than to managing resources.
Resource Manager Locks
Features of locks:
Types of locks:
Source: https://docs.microsoft.com/en-us/azure/?product=popular
Create Locks on resources
Duration: 10 min.
Problem Statement:
1. Go to Azure portal
2. Create a Resource group
3. From the Settings blade, select and add locks
Administer Identity
Azure Active Directory
• Azure Active Directory is a cloud-based suite of identity management capabilities that lets users
securely manage access to Azure services and resources.
Source: https://docs.microsoft.com/en-us/azure/?product=popular
Azure AD Concepts
Concept: Description
Azure AD account: An identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Azure AD and accessible to your organization's cloud service subscriptions. This account is also sometimes called a Work or school account.
Azure AD tenant or directory: An identity created through Azure AD or another Microsoft cloud service
• It can be queried using the REST API over HTTP and HTTPS instead of LDAP.
• Azure AD uses HTTP and HTTPS protocols, such as SAML, WS-Federation, and OpenID Connect,
for authentication (and OAuth for authorization) instead of Kerberos.
• Azure AD users and groups are created in a flat structure; there are no Organizational
Units (OUs) or Group Policy Objects (GPOs).
Compare AD DS to Azure Active Directory
The table below depicts the differences between Azure AD and AD DS:
Azure AD: Queried over HTTP and HTTPS protocol. AD DS: Queried over LDAP protocol.
Azure AD: Includes federation and third-party services (like Twitter, LinkedIn). AD DS: Does not include any federated or third-party providers.
Directory Objects: 500,000 objects | No object limit | No object limit | No object limit
Source: https://portal.azure.com/#home
Implement Self-Service Password Reset
• Choose the number of authentication methods required and the methods available
(email, phone, questions)
Source: https://portal.azure.com/#home
Implement Self-Service Password Reset
Source: https://portal.azure.com/#home
Create User Accounts
Highlights:
Source: https://portal.azure.com/#home
Manage User Accounts
Source: https://portal.azure.com/#home
Create Bulk User Accounts
• Azure AD supports bulk user create and delete operations and downloading lists
Source: https://portal.azure.com/#home
Create Group Accounts
Azure AD lets you define two types of groups (listed on the left) and the ways to assign
access rights (on the right)
Source: https://portal.azure.com/#home
Create Users and Groups Account
Duration: 10 min.
Problem Statement:
You have to create users and group accounts in Azure so that a newly added
member in an organization can have access to the resources. Assigning them to a
group will mean assigning them specific permissions.
Assisted Practice: Guidelines
Duration: 10 min.
Problem Statement:
You have to add guest users to Azure Active Directory to collaborate with some
external vendors for as long as those vendors are working with the organization.
Assisted Practice: Guidelines
Source: https://portal.azure.com/#home
Create Administrative Unit
Duration: 05 min.
Problem Statement:
You’ve been tasked to create an Administrative Unit in Azure that would let you
divide your organization into many sub-organizations. Then, you can manage
permissions specific to that sub-unit.
Assisted Practice: Guidelines
Azure Active Directory is being used to manage all the users and
group creations.
Implementing Azure Active Directory and Assigning Permissions
Description: You have been given a project to create Azure AD users in the
subscriptions. Once the users have been created, you need to assign
permissions to these users.