
Microsoft Certified Associate: Azure Administrator AZ-104

Manage Azure Identities and Governance
Learning Objectives

By the end of this lesson, you will be able to:

Manage subscriptions and Azure Resources

Configure Role-Based Access Control (RBAC)

Apply and audit resources with Azure Policy

Configure Azure Active Directory and Administer Identity


A Day in the Life of an Azure Administrator

You are working for an organization as an Azure Administrator, and as your company plans to
migrate to Azure, you need to decide how to obtain the subscription and how to effectively
manage the cost of using the Azure services.

After obtaining the subscription, you need to decide who can access
what types of resources in Azure, so you need to devise an
authentication strategy for Azure.

Once your access is set, then you need to decide how to manage the
infrastructure with the variety of tools available.
Manage Subscriptions and Governance
Use the Azure Portal

The Azure portal lets the user build, manage, and monitor everything from simple
web apps to complex cloud applications in a single, unified console.

The user can:

• Manage resources

• Create customized dashboards and reports

• Access Cloud Shell

• Receive notifications

• Search resources, services, and documentation
Source: https://portal.azure.com/#home
Creating Azure Free Account

Duration: 10 min.

Problem Statement:

You’ve been tasked with creating an Azure free account and taking a quick tour of
the Azure portal.
Assisted Practice: Guidelines

Steps to create an Azure free account:

1. Go to https://azure.microsoft.com/free
2. Select ‘start free’
3. Sign in with a Microsoft or GitHub account
Use Azure Cloud Shell

Azure Cloud Shell is an interactive, browser-accessible shell to manage Azure resources. It
provides the flexibility of choosing the shell experience that best suits the way one works.

Azure Cloud Shell:

• Is an interactive, browser-accessible shell

• Offers either Bash or PowerShell

• Authenticates automatically
Source: https://portal.azure.com/#home
Use Azure PowerShell

Features

• Helps to connect to one’s Azure subscription and manage resources

• Adds the Azure-specific commands

• Is available inside a browser via the Azure Cloud Shell

• Is available as a local installation on Linux, macOS, or Windows

New-AzVm `
-ResourceGroupName "myResourceGroup" `
-Name "myVM" `
-Image "UbuntuLTS" `
...
Configure Azure Powershell

Duration: 10 min.

Problem Statement:

You’ve been assigned the task to install the Azure PowerShell module and create
resources using it.
Assisted Practice: Guidelines

Steps to configure Azure PowerShell:

1. Install PowerShell Az module


2. Trust the repository
3. Connect to Azure and view your subscription information
4. Create resources
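The four steps above as one Azure PowerShell script, added here as an example (not part of the course material); the subscription name, region, resource group name and tag values are assumed.

```powershell
# Added example: install the Az module, trust the gallery, sign in, inspect the
# subscription, and create a tagged resource group. Assumed values: subscription
# "Contoso-Dev", region "eastus", resource group "rg-az104-lab".
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 1. Install the Az module for the current user only (no admin rights needed)
if (-not (Get-Module -ListAvailable -Name Az.Accounts)) {
    Install-Module -Name Az -Repository PSGallery -Scope CurrentUser -Force
}

# 2. Trust the PSGallery repository so later installs do not prompt
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# 3. Sign in interactively and select the subscription to work in
Connect-AzAccount | Out-Null
Get-AzSubscription | Format-Table Name, Id, State
Set-AzContext -Subscription 'Contoso-Dev' | Out-Null     # assumed subscription name

# 4. Create a resource group; the tags are metadata used later for billing and policy
$rgName = 'rg-az104-lab'
$tags   = @{ environment = 'lab'; owner = 'azadmin'; costCenter = 'CC-1234' }   # constructed
$rg = New-AzResourceGroup -Name $rgName -Location 'eastus' -Tag $tags
Write-Host "Created $($rg.ResourceGroupName) in $($rg.Location)"

# Verify the active context and the new group
(Get-AzContext).Subscription.Name
Get-AzResourceGroup -Name $rgName | Select-Object ResourceGroupName, Location, ProvisioningState
```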
Use Azure CLI

Azure CLI is a command-line interface to connect to Azure and execute administrative
commands on Azure resources and services.

az vm restart -g MyResourceGroup -n MyVm

Azure CLI

• Is a cross-platform command-line program

• Runs on Linux, macOS, and Windows

• Can be used interactively or through scripts


Configure Azure CLI

Duration: 10 min.

Problem Statement:

You’ve been assigned the task to install Azure CLI and create resources using it.
Assisted Practice: Guidelines

Steps to configure Azure CLI:

1. Install Azure CLI


2. Verify the CLI installation
3. Login to Azure
4. Create a resource group
5. Create resources
Azure Tags

Tags consist of a name-value pair. Applying tags to the Azure resources:

• Provides metadata for the Azure resources

• Logically organizes resources into a taxonomy

• Is very useful to group billing data

Source: https://portal.azure.com/#home
Azure Tags

Some points to remember for Azure Tags are:

• Tags applied to the resource group are not inherited by the resources in that
resource group.

• Each resource or resource group can have a maximum of 50 tag name/value pairs.
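Because resource-group tags are not inherited, billing reports that group on a tag miss any resource that lacks it. The script below, added as an example (not from the course material), copies the group's required tags down to each resource that is missing them and respects the 50-tag limit; the resource group name and tag names are assumed.

```powershell
# Added example: push a resource group's required tags down to its resources.
# Assumed: signed in (Connect-AzAccount); resource group "rg-az104-lab" exists.
$rgName       = 'rg-az104-lab'
$requiredTags = @('costCenter', 'owner')      # tag names your billing reports group on

$rg = Get-AzResourceGroup -Name $rgName
foreach ($resource in Get-AzResource -ResourceGroupName $rgName) {
    $existing = $resource.Tags
    if ($null -eq $existing) { $existing = @{} }

    # Which required tags is this resource missing? Take the group's value for each.
    $missing = @{}
    foreach ($name in $requiredTags) {
        if (-not $existing.ContainsKey($name) -and $rg.Tags -and $rg.Tags.ContainsKey($name)) {
            $missing[$name] = $rg.Tags[$name]
        }
    }
    if ($missing.Count -eq 0) { continue }

    # A resource may carry at most 50 name/value pairs
    if (($existing.Count + $missing.Count) -gt 50) {
        Write-Warning "$($resource.Name): adding $($missing.Count) tag(s) would exceed the 50-tag limit"
        continue
    }

    # Merge keeps the resource's own tags and only adds the missing ones
    Update-AzTag -ResourceId $resource.ResourceId -Tag $missing -Operation Merge | Out-Null
    Write-Host "$($resource.Name): added tags $($missing.Keys -join ', ')"
}
```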
Implement Azure Subscriptions

• An Azure subscription is a unit of Azure services that are linked to an Azure account.

• Billing for Azure services is done on a per-subscription basis.

Source: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
Obtain a Subscription

The ways to get an Azure subscription are:

• Enterprise Agreement: Customers pay upfront and consume services throughout the year

• Resellers: Users can buy Azure through an open licensing program which provides a simple, flexible
way to purchase cloud services

• Partners: Users can design and implement their Azure cloud solution

• Personal free account: Users can start right away

[Image: Enterprise, Resellers, Partners, Personal]

Image Source : https://docs.microsoft.com/en-us/azure/?product=popular


Identify Subscription Usage

The table below depicts the different subscriptions and their usage:

Subscription  | Usage
Free          | Includes a $200 credit for the first 30 days, free limited access for 12 months
Pay-As-You-Go | Charges monthly
CSP           | Agreement with possible discounts through a Microsoft Cloud Solutions Provider partner, usually for small to medium businesses
Enterprise    | A single agreement, with discounts for new licenses and Software Assurance; targeted at enterprise-scale organizations
Student       | Includes $100 for 12 months; must verify student access


Implement Cost Management

Cost Management displays organizational cost and usage patterns with advanced analytics.

Cost Management helps to:

• Conduct cost analysis to explore and analyze organizational costs

• Create a budget that helps to prevent cost thresholds or limits from being surpassed

• Review recommendations to identify idle and underutilized resources

• Export the data used by external systems to access or review cost management data

Source: https://docs.microsoft.com/en-us/azure/?product=popular
Resource Manager

Azure Resource Manager is Azure’s deployment and management service. It enables the user to create,
update, and delete resources in their Azure account.

Benefits

• Provides a consistent management layer

• Enables the user to work with the resources in a solution as a group

• Allows the user to deploy, update, or delete in a single, coordinated operation

• Provides security, auditing, and tagging features

Source: https://docs.microsoft.com/en-us/azure/?product=popular
Azure Resource Terminology

Below are the Azure resource terminologies:

• Resource: It is a single service instance in Azure, such as Azure Virtual Machines, virtual
networks, and storage accounts.

• Subscription: It is a logical container for one’s resources. Each Azure resource is
associated with only one subscription.

• Resource group: It is a logical container that the user uses to group related resources in a
subscription. Each resource can exist in only one resource group.

• Management groups: It refers to the Logical containers that one uses for one or more
subscriptions.

• Azure account: The email address that the user provides when they create an Azure
subscription is the Azure account for the subscription.
Azure Resource Terminology

Below are the Azure resource terminologies:

• Region: It is a set of Azure datacenters deployed inside a latency-defined perimeter. The
datacenters are connected through a dedicated, regional, low-latency network.

• Azure Active Directory (Azure AD): It is a Microsoft cloud-based identity and access
management service. Azure AD allows a user’s employees to sign in and access resources.

• Azure AD tenant: It is a dedicated and trusted instance of Azure AD. An Azure AD tenant is
automatically created when an organization signs up for a Microsoft cloud service
subscription. It represents a single organization.

• Azure AD directory: Each Azure AD tenant has a single, dedicated, and trusted directory.
The directory includes the tenant's users, groups, and applications.
Resource Groups

A resource group is a container that holds related resources for an Azure solution.

Features

• Resources can only exist in one resource group.

• Groups can have resources of many different types (services) and from many different
regions.

• Groups cannot be renamed.

• Groups cannot be nested.

Source: https://docs.microsoft.com/en-us/azure/?product=popular
Reorganize Azure Resources

• When moving resources, the source group and the target group are locked.

• The services that cannot be moved are Azure AD Domain Services, ExpressRoute, and Site
Recovery.

Source: https://docs.microsoft.com/en-us/azure/?product=popular
Determine Resource Limits

Azure lets the user view resource usage against limits.

About Resource Limits:

• Resources have a default limit or quota.

• This is helpful to track current usage and plan for future use.

• A free support case increases limits to published maximums.

Source: https://portal.azure.com/#home
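One way to track usage against the default quotas from Azure PowerShell, added here as an example (not part of the course material): it reads the compute quotas for a region and flags those near their limit so a support case can be raised before a deployment fails. The region and warning threshold are assumed.

```powershell
# Added example: report compute quotas in a region that are close to their limit.
# Assumed: signed in; region "eastus"; warning threshold 80 %.
$location  = 'eastus'
$threshold = 80

# Get-AzVMUsage returns one row per quota with CurrentValue and Limit
$report = Get-AzVMUsage -Location $location | ForEach-Object {
    $pct = if ($_.Limit -gt 0) { [math]::Round(100 * $_.CurrentValue / $_.Limit, 1) } else { 0 }
    [pscustomobject]@{
        Quota   = $_.Name.LocalizedValue
        Used    = $_.CurrentValue
        Limit   = $_.Limit
        Percent = $pct
    }
}
$report | Sort-Object Percent -Descending | Format-Table -AutoSize

# Quotas at or above the threshold are candidates for a (free) limit-increase support case
$hot = $report | Where-Object { $_.Percent -ge $threshold }
if ($hot) {
    Write-Warning "Quotas at or above $threshold% in ${location}: $($hot.Quota -join ', ')"
}
```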
Determine Resource Limits

Below image depicts the way of determining resource limits:

Source: https://portal.azure.com/#home
Remove Resources and Resource Groups

• Remove Azure resources that are no longer used, to ensure no unexpected charges

• Remove individual resources or the resource group

Use caution when deleting a resource group.

Image Source : https://portal.azure.com/#home


ARM Templates

An Azure Resource Manager (ARM) template defines all the Resource Manager resources in a deployment.

An ARM Template:

• Improves consistency

• Expresses complex deployments

• Reduces manual, error-prone tasks

• Expresses requirements through code

• Promotes reuse

• Is modular and can be linked

Source: https://docs.microsoft.com/en-us/azure/?product=popular
ARM Template Schema

Azure Resource Manager template schema presents the different sections of a template.

An ARM template defines all the Resource Manager resources in a deployment, and:

• Is written in JSON

• Is a collection of key-value pairs

• Each key is a string

• Each value can be a string, number, Boolean expression, list of values, or object

{
  "$schema": "http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [],
  "outputs": {}
}
ARM Template Parameters

Parameters specify which values are configurable when the template runs.

The example below has two parameters:

• For a VM’s username (adminUsername)

• For its password (adminPassword)

"parameters": {
  "adminUsername": {
    "type": "string",
    "metadata": {
      "description": "Username for the VM."
    }
  },
  "adminPassword": {
    "type": "securestring",
    "metadata": {
      "description": "Password for the VM."
    }
  }
}
Quick Start Templates

• The Azure community provides the Resource Manager templates.

• These templates provide everything required to deploy a solution, or serve as a
starting point for the template.

• https://azure.microsoft.com/en-us/resources/templates/

Source: https://azure.microsoft.com/en-in/resources/templates/
Configure Resources with ARM Templates

Duration: 10 min.

Problem Statement:

You’ve been tasked to create various Azure Resources using the ARM Templates.
Assisted Practice: Guidelines

Create a storage account using the ARM template

1. Go to quick-start templates gallery


2. Search for storage account ARM template
3. Deploy the template into the resource group
4. Verify the template deployed
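The procedure above as an Azure PowerShell script, added here as an example (not from the course material or the quick-start gallery): a minimal template with the schema sections and a parameter, validated with Test-AzResourceGroupDeployment before it is deployed. The resource group name and storage prefix are assumed.

```powershell
# Added example: deploy a storage account from an inline ARM template.
# Assumed: signed in; resource group "rg-az104-lab" exists; prefix "stlab".
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storagePrefix": {
      "type": "string",
      "minLength": 3,
      "maxLength": 11,
      "metadata": { "description": "Prefix for the globally unique storage account name." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "storageName": "[toLower(concat(parameters('storagePrefix'), uniqueString(resourceGroup().id)))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[variables('storageName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false
      }
    }
  ],
  "outputs": {
    "storageAccountName": { "type": "string", "value": "[variables('storageName')]" }
  }
}
'@
$templateFile = Join-Path $env:TEMP 'storage.json'
Set-Content -Path $templateFile -Value $template

$rgName = 'rg-az104-lab'
$params = @{ storagePrefix = 'stlab' }

# Validate first: catches schema errors and bad parameter values without creating anything
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $rgName `
    -TemplateFile $templateFile -TemplateParameterObject $params
if ($problems) { $problems | ForEach-Object { Write-Error $_.Message }; return }

# Deploy, then read the output to verify what was created
$deployment = New-AzResourceGroupDeployment -Name "storage-$(Get-Date -Format yyyyMMddHHmm)" `
    -ResourceGroupName $rgName -TemplateFile $templateFile -TemplateParameterObject $params
$deployment.ProvisioningState
$deployment.Outputs['storageAccountName'].Value
```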
Azure Cost Savings

Methods of Cost Saving:

• Azure Reservations: Help users save money by pre-paying for services

• Azure Hybrid Benefits: Employ Windows server and SQL server on-premises licenses with
software assurance

• Azure Credits: Monthly credit benefit that allows one to experiment with, develop, and test new
solutions on Azure

• Regions: Choose low-cost locations and regions

• Budgets: Help plan for and drive organizational accountability

• Pricing Calculator: Provides estimates in all areas of Azure including compute, networking,
storage, web, and databases
Manage Role-Based Access Control (RBAC)
Create Management Groups

If the user has several subscriptions, Azure management groups:

• Provide a level of scope above subscriptions

• Help target policies and spending budgets across subscriptions, with inheritance
down the hierarchy

• Provide compliance and cost reporting by the organization (business/teams)

Source: https://docs.microsoft.com/en-us/azure/governance/azure-management
Create Management Groups

The steps for creating a governance hierarchy are as follows:

Source: https://docs.microsoft.com/en-us/azure/governance/azure-management
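A small governance hierarchy built from Azure PowerShell, added as an example (not from the course material): a root group, a child group, the current subscription placed under the child, and the resulting tree printed. Group names are assumed.

```powershell
# Added example: create a two-level management-group hierarchy and place a subscription in it.
# Assumed: signed in; group names "mg-contoso" and "mg-platform".
$subId     = (Get-AzContext).Subscription.Id
$rootName  = 'mg-contoso'
$childName = 'mg-platform'

# Root of the organization's hierarchy (sits under the tenant root group)
if (-not (Get-AzManagementGroup -GroupName $rootName -ErrorAction SilentlyContinue)) {
    New-AzManagementGroup -GroupName $rootName -DisplayName 'Contoso' | Out-Null
}

# Child group: policies and budgets assigned here are inherited by its subscriptions
$parentId = "/providers/Microsoft.Management/managementGroups/$rootName"
if (-not (Get-AzManagementGroup -GroupName $childName -ErrorAction SilentlyContinue)) {
    New-AzManagementGroup -GroupName $childName -DisplayName 'Platform' -ParentId $parentId | Out-Null
}

# Move the subscription under the child group (a subscription belongs to exactly one group)
New-AzManagementGroupSubscription -GroupName $childName -SubscriptionId $subId

# Print the resulting tree
function Show-Tree($node, $depth = 0) {
    '{0}{1} ({2})' -f ('  ' * $depth), $node.DisplayName, $node.Type
    foreach ($child in $node.Children) { Show-Tree $child ($depth + 1) }
}
Show-Tree (Get-AzManagementGroup -GroupName $rootName -Expand -Recurse)
```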
Implement Azure Policies

Azure Policy is a service to create, assign, and manage policies that evaluate and
scan for non-compliant resources.

Features

• Enforcement and compliance

• Application of policies at scale

• Remediation
Implement Azure Policies

These are the use cases for implementing Azure policies:

• Allowed resource types

• Allowed virtual machine SKUs

• Allowed locations

• Required tag and its value

• Allowed Backup for virtual machines


Implement Azure Policies

To implement Azure Policies, follow these steps:

• Create policy definitions

• Create initiative definitions

• Scope the initiative definition

• Determine compliance

Source: https://portal.azure.com/#home
1. Create Policy Definitions

There are many built-in policy definitions. The user can ‘Sort by Category’ to choose any.

The highlights are:

• Many policy definitions are available

• Users can import policies from GitHub

• Policy definitions have a specific JSON format

• Users can create custom policy definitions

Source: https://portal.azure.com/#home
2. Create Initiative Definitions

Once the user determines which Policy Definitions they need, they can create an initiative definition.

Group policy definitions:

• Include one or more policies

• Require Planning

Source: https://portal.azure.com/#home
3. Scope the Initiative Definitions

Once the Initiative Definition is created, the user can assign the definition
to a scope

• The scope enforces the policy.

• The user can select the subscription and optionally the resource group.

Source: https://portal.azure.com/#home
4. Determine Compliance

Use the Compliance blade to review:


• Non-compliant initiatives
• Non-compliant policies
• Non-compliant resources

Source: https://portal.azure.com/#home
Implementing Azure Policy

Duration: 20 min.

Problem Statement:

You’ve been tasked to create and assign Azure Policy.


Assisted Practice: Guidelines

Steps to create and assign Azure Policy:

1. Sign in to Azure Portal


2. Select Policy, create a policy
3. Assign a Policy
4. Create and assign an initiative definition
5. Check for compliance
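Steps 2, 3 and 5 above in Azure PowerShell, added here as an example (not from the course material): a custom policy definition in the JSON format described earlier, assigned directly at resource-group scope (the initiative step is left out), followed by a compliance query. The resource group and tag name are assumed.

```powershell
# Added example: define, assign and check a "required tag" policy.
# Assumed: signed in; resource group "rg-az104-lab"; required tag "costCenter".
$rgName  = 'rg-az104-lab'
$rgScope = (Get-AzResourceGroup -Name $rgName).ResourceId

# 1. Policy rule: "if" describes the condition, "then" the effect. Deny blocks
#    any new or updated resource that does not carry the tag.
$rule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": { "effect": "deny" }
}
'@
$parameters = @'
{
  "tagName": {
    "type": "String",
    "metadata": { "displayName": "Tag name", "description": "Tag that every resource must carry" }
  }
}
'@
$definition = New-AzPolicyDefinition -Name 'require-tag-custom' -DisplayName 'Require a tag on resources' `
    -Mode Indexed -Policy $rule -Parameter $parameters

# 2. Assign at resource-group scope, supplying the parameter value
New-AzPolicyAssignment -Name 'require-costCenter' -Scope $rgScope `
    -PolicyDefinition $definition -PolicyParameterObject @{ tagName = 'costCenter' } | Out-Null

# 3. Evaluate and list non-compliant resources. Existing resources are only reported:
#    a deny effect stops new violations, it does not fix resources created earlier.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName
Get-AzPolicyState -ResourceGroupName $rgName -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState |
    Format-Table -AutoSize
```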
Implement Role-Based Access Control

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained
access management of Azure resources.

What can a user do with Azure RBAC?

• Allows one user to manage virtual machines in a subscription and another user to
manage virtual networks

• Allows a DBA group to manage SQL databases in a subscription

• Allows a user to manage all resources in a resource group, for example, virtual
machines, websites, and subnets

• Allows an application to access all resources in a resource group


Implement Role-Based Access Control

Concepts

• Security principal: Object that represents something that is requesting access to resources

• Role definition: Collection of permissions that lists the operations that can be performed

• Scope: Boundary for the level of access that is requested

• Assignment: Attaching a role definition to a security principal at a particular scope

Source: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Create a Role Definition

It is a collection of permissions listing the operations that can be performed. Below is an
example of a definition.

Contributor:

{
  "actions": [
    "*"
  ],
  "notActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action"
  ],
  "dataActions": [],
  "notDataActions": []
}
Source: https://docs.microsoft.com/en-us/azure/?product=popular
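How actions and notActions combine is easy to misread, so here is an offline evaluator, added as an example (not from the course material and not Azure's own implementation): it applies the wildcard semantics of a role definition to the Contributor definition above and shows which operations it permits. It makes no Azure calls; the operations tested are constructed.

```powershell
# Added example: does a role definition's actions/notActions permit an operation?
function Test-RoleAllowsOperation {
    param(
        [Parameter(Mandatory)][hashtable]$Role,      # keys: actions, notActions
        [Parameter(Mandatory)][string]$Operation     # e.g. Microsoft.Compute/virtualMachines/start/action
    )
    # A permission string such as "Microsoft.Authorization/*/Write" is a wildcard pattern.
    # "-like" is case-insensitive and "*" spans path segments, matching Azure RBAC behaviour.
    $granted  = @($Role.actions    | Where-Object { $Operation -like $_ }).Count -gt 0
    $excluded = @($Role.notActions | Where-Object { $Operation -like $_ }).Count -gt 0
    # notActions only subtracts from this role's own actions; it is not a deny that
    # overrides other role assignments the same principal may hold.
    return ($granted -and -not $excluded)
}

# The Contributor definition from the slide
$contributor = @{
    actions    = @('*')
    notActions = @(
        'Microsoft.Authorization/*/Delete',
        'Microsoft.Authorization/*/Write',
        'Microsoft.Authorization/elevateAccess/Action',
        'Microsoft.Blueprint/blueprintAssignments/write',
        'Microsoft.Blueprint/blueprintAssignments/delete',
        'Microsoft.Compute/galleries/share/action'
    )
}

# Constructed operations to test
$checks = @(
    'Microsoft.Compute/virtualMachines/start/action',   # True: covered by "*"
    'Microsoft.Authorization/roleAssignments/write',    # False: Contributor cannot grant access
    'Microsoft.Authorization/roleAssignments/read'      # True: reading assignments is not excluded
)
foreach ($op in $checks) {
    '{0,-50} {1}' -f $op, (Test-RoleAllowsOperation -Role $contributor -Operation $op)
}
```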
Create a Role Assignment

Role assignment is the process of binding a role definition to a user, group, or service principal at a
scope for the purpose of granting access. The example below depicts the creation of a role assignment.

{
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Auth/*/Delete",
    "Auth/*/Write",
    "Auth/elevate"
  ]
}

Source: https://docs.microsoft.com/en-us/azure/?product=popular
Compare Azure RBAC Roles to Azure AD Roles

Azure and Azure AD offer two types of roles:

Azure RBAC roles | Azure AD roles
Manage access to Azure resources | Manage access to Azure AD objects
Scope can be specified at multiple levels | Scope is at the tenant level
Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API | Role information can be found in the Azure portal, Microsoft 365 admin portal, Microsoft Graph, Azure Active Directory PowerShell for Graph
Apply RBAC Authentication

Illustration to show the differences in roles between Azure AD Admin and Azure RBAC:

Source: https://portal.azure.com/#home
Create and Assign Roles

Duration: 20 min.

Problem Statement:

You’ve been tasked to create and assign Roles.


Assisted Practice: Guidelines

Steps to create and assign roles:

1. Sign in to Azure Portal


2. Locate the Access Control blade
3. Review role permissions
4. Add a role assignment
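The steps above done from Azure PowerShell rather than the portal, added as an example (not from the course material): a least-privilege custom role for starting and stopping VMs, assigned to a group at resource-group scope, then the assignments at that scope reviewed. The group name, resource group and role name are assumed.

```powershell
# Added example: create a custom role, assign it at resource-group scope, review assignments.
# Assumed: signed in; Azure AD group "vm-operators" exists; resource group "rg-az104-lab".
$subId   = (Get-AzContext).Subscription.Id
$rgName  = 'rg-az104-lab'
$rgScope = "/subscriptions/$subId/resourceGroups/$rgName"

# 1. Start from a built-in definition to get a well-formed object, then replace its contents
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'VM Operator (custom)'
$role.Description = 'Read VMs and start, stop or restart them; no create, delete or network access'
$role.Actions.Clear()
foreach ($action in @(
        'Microsoft.Compute/virtualMachines/read',
        'Microsoft.Compute/virtualMachines/start/action',
        'Microsoft.Compute/virtualMachines/restart/action',
        'Microsoft.Compute/virtualMachines/deallocate/action',
        'Microsoft.Resources/subscriptions/resourceGroups/read')) {
    $role.Actions.Add($action)
}
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId")   # where this role may be assigned
$customRole = New-AzRoleDefinition -Role $role

# 2. Assign the role to the operators group at resource-group scope (not the subscription)
$group = Get-AzADGroup -DisplayName 'vm-operators'
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $customRole.Name -Scope $rgScope | Out-Null

# 3. Review who holds what at this scope, including assignments inherited from above
Get-AzRoleAssignment -Scope $rgScope |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```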
Determine Azure RBAC Roles

RBAC Roles and Permissions in Azure:

RBAC role in Azure | Permissions | Notes
Owner | Has full access to all resources and can delegate access to others | Applies to all resource types. The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope.
Contributor | Creates and manages all types of Azure resources but cannot grant access to others | Applies to all resource types
Reader | Views Azure resources | Applies to all resource types
User Access Administrator | Manages user access to Azure resources | Applies to managing access, rather than to managing resources
Resource Manager Locks

Features of locks:

• The locks can be associated with a subscription, resource group, or resource

• Locks are inherited by child resources

Types of locks:

• Read-only locks prevent any changes to the resource

• Delete locks prevent deletion

Source: https://docs.microsoft.com/en-us/azure/?product=popular
Create Locks on resources

Duration: 10 min.

Problem Statement:

You’ve been assigned the task to create locks on Azure resources.


Assisted Practice: Guidelines

Steps to configure Resource Manager locks:

1. Go to Azure portal
2. Create a Resource group
3. From the Settings blade, select and add locks
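The lock procedure from Azure PowerShell, together with the "use caution when deleting a resource group" advice from the earlier slide, added as an example (not from the course material): a CanNotDelete lock on the group, and a helper that refuses to delete a group while any lock exists and lists the contents before asking for confirmation. The resource group name is assumed.

```powershell
# Added example: lock a resource group, then delete groups only through a guarded helper.
# Assumed: signed in; resource group "rg-az104-lab" exists.
$rgName = 'rg-az104-lab'

# Locks are inherited by every resource in the group; CanNotDelete still allows edits
New-AzResourceLock -LockName 'no-delete' -LockLevel CanNotDelete -ResourceGroupName $rgName `
    -LockNotes 'Lab resources; remove this lock deliberately before deleting' -Force | Out-Null

# Show the locks now in effect at or below the group
Get-AzResourceLock -ResourceGroupName $rgName | Select-Object Name, Properties

function Remove-ResourceGroupSafely {
    param([Parameter(Mandatory)][string]$Name)

    # 1. A lock anywhere in the group means someone wanted this kept: stop here
    $locks = Get-AzResourceLock -ResourceGroupName $Name
    if ($locks) {
        Write-Warning "$Name has $(@($locks).Count) lock(s): $($locks.Name -join ', '). Not deleting."
        return $false
    }

    # 2. Deleting a group deletes everything in it; show what that is before confirming
    $contents = Get-AzResource -ResourceGroupName $Name
    Write-Host "About to delete $Name and $(@($contents).Count) resource(s):"
    $contents | Select-Object Name, ResourceType | Format-Table -AutoSize | Out-String | Write-Host
    $answer = Read-Host "Type the group name ($Name) to confirm"
    if ($answer -ne $Name) { Write-Host 'Aborted.'; return $false }

    Remove-AzResourceGroup -Name $Name -Force
    return $true
}

Remove-ResourceGroupSafely -Name $rgName   # refuses while the lock exists
```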
Administer Identity
Azure Active Directory

Features of Azure Active Directory:

• Azure Active Directory is a cloud-based suite of identity management capabilities that enables
users to securely manage access to Azure services and resources.

• It provides application management, authentication, device management, and hybrid identity.

Source: https://docs.microsoft.com/en-us/azure/?product=popular
Azure AD Concepts

Concept | Description
Identity | An object that can be authenticated
Account | An identity that has data associated with it
Azure AD account | An identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Azure AD and accessible to your organization's cloud service subscriptions. This account is also sometimes called a work or school account.
Azure AD tenant or directory | An identity created through Azure AD or another Microsoft cloud service
Azure subscription | Used to pay for Azure cloud services


Azure AD Concepts

• Azure AD is an identity solution designed for HTTP and HTTPS communications.

• It can be queried using the REST API over HTTP and HTTPS, instead of LDAP.

• Azure AD uses HTTP- and HTTPS-based protocols, such as SAML, WS-Federation, and OpenID Connect,
for authentication (and OAuth for authorization) instead of Kerberos.

• It includes federation services and many third-party services (such as Facebook).

• Azure AD users and groups are created in a flat structure; there are no Organizational
Units (OUs) or Group Policy Objects (GPOs).
Compare AD DS to Azure Active Directory
The table below depicts the difference between Azure AD and AD DS:

Azure AD | AD DS
Azure AD is primarily an identity solution for cloud-based applications | AD DS is an identity solution for on-prem applications
Queried over HTTP and HTTPS protocol | Queried over LDAP protocol
Includes federation and third-party services (like Twitter, LinkedIn) | Does not include any federated or third-party providers
OAuth or OpenID Connect-based protocols | Kerberos and NTLM protocols
Azure AD resources are organized in a flat structure | AD DS resources are divided into Organizational Units or Group Policy Objects
Azure Active Directory Editions
Azure Active Directory comes in four editions: Free, Office 365 apps, Premium P1, and Premium P2.

Feature                    | Free            | Microsoft 365 Apps | Premium P1      | Premium P2
Directory Objects          | 500,000 objects | No object limit    | No object limit | No object limit
Single Sign-On             | Unlimited       | Unlimited          | Unlimited       | Unlimited
Core Identity and Access   | X               | X                  | X               | X
B2B Collaboration          | X               | X                  | X               | X
Identity & Access for O365 |                 | X                  | X               | X
Premium Features           |                 |                    | X               | X
Hybrid Identities          |                 |                    | X               | X
Advanced Group Access      |                 |                    | X               | X
Conditional Access         |                 |                    | X               | X
Identity Protection        |                 |                    |                 | X
Identity Governance        |                 |                    |                 | X
Implement Azure AD Join

Benefits of Azure AD Join include:

• Single sign-on to Azure managed SaaS apps and services

• Enterprise State Roaming of user settings across joined devices

• Access to Microsoft Store for Business

• Windows Hello support

• Restriction of access to apps from only compliant devices

• Seamless access to on-premises resources

Source: https://portal.azure.com/#home
Implement Self-Service Password Reset

By enabling SSPR, users can:

• Determine who can use a self-service password reset

• Choose the number of authentication methods required and the methods available
(email, phone, questions)

• Require users to register for SSPR (same process as MFA)

Source: https://portal.azure.com/#home
Implement Self-Service Password Reset

Below image shows the password reset properties:

Source: https://portal.azure.com/#home
Create User Accounts

Highlights:

• All users must have an account

• The account is used for authentication and authorization

• Each user account has additional properties

Source: https://portal.azure.com/#home
Manage User Accounts

Things to consider when managing users:

• Must be a global administrator or a user administrator to manage users

• User profile (picture, job, contact info) is optional

• Deleted users can be restored for 30 days

• Sign in and audit log information is available

Source: https://portal.azure.com/#home
Create Bulk User Accounts

• Azure AD supports bulk user create and delete operations and downloading lists

• The comma-separated values (CSV) file can be created from a template downloadable from the portal

• It requires signing in as a Global administrator or a User administrator

Source: https://portal.azure.com/#home
Create Group Accounts

Azure AD allows you to define two types of groups and the ways to assign the access rights:

Group Types:

• Security groups

• Microsoft 365 groups

Assignment Types:

• Assigned

• Dynamic User

• Dynamic Device (Security groups only)

Source: https://portal.azure.com/#home
Create Users and Groups Account

Duration: 10 min.

Problem Statement:

You have to create users and group accounts in Azure so that a newly added
member in an organization can have access to the resources. Assigning them to a
group will mean assigning them specific permissions.
Assisted Practice: Guidelines

Steps to create users and groups account:

1. Sign in to the Azure Portal


2. Locate the Active Directory blade
3. Add users
4. Create Groups and assign users to Group
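The steps above in Azure PowerShell, added as an example (not from the course material) and extended to the bulk-create pattern from the earlier slide: users are read from a CSV (constructed inline), created with a random initial password that must be changed at first sign-in, and added to a security group. The tenant domain, group name and user records are assumed.

```powershell
# Added example: create users from CSV rows and add them to a group.
# Assumed: signed in with User Administrator rights; domain "contoso.onmicrosoft.com".
$domain = 'contoso.onmicrosoft.com'
$rows = @'
displayName,mailNickname,jobTitle
Alice Example,alice,Cloud Engineer
Bob Example,bob,Security Analyst
'@ | ConvertFrom-Csv                          # constructed sample data

# Create the group once; membership is assigned (not dynamic)
$group = Get-AzADGroup -DisplayName 'az104-readers'
if (-not $group) {
    $group = New-AzADGroup -DisplayName 'az104-readers' -MailNickname 'az104-readers'
}

foreach ($row in $rows) {
    $upn = "$($row.mailNickname)@$domain"
    if (Get-AzADUser -UserPrincipalName $upn) { Write-Host "$upn exists, skipping"; continue }

    # Random initial password from a cryptographic RNG; never reuse a fixed value in bulk loads
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $user = New-AzADUser -DisplayName $row.displayName -UserPrincipalName $upn `
        -MailNickname $row.mailNickname -Password $secure -ForceChangePasswordNextLogin -AccountEnabled
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
    Write-Host "Created $upn and added to $($group.DisplayName)"
}
```

The initial password is never printed; hand it over through the tenant's password-reset flow (for example SSPR) rather than by copying it out of the script.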
Add Guest Users to Directory

Duration: 10 min.

Problem Statement:

You have to add guest users to Azure Active Directory to collaborate with some
external vendors for as long as the vendors work with the organization.
Assisted Practice: Guidelines

Steps to add guest users:

1. Sign in to the Azure Portal


2. Locate the Active Directory blade
3. Add users and groups
Create Administrative Units

A central administrator can:

• Create an administrative unit

• Populate the administrative unit with Azure AD users or groups

• Create a role with appropriate permissions scoped to the administrative unit

• Add IT members to the role

Source: https://portal.azure.com/#home
Create Administrative Unit

Duration: 05 min.

Problem Statement:

You’ve been tasked to create an Administrative Unit in Azure that would let you
divide your organization into many sub-organizations. Then, you can manage
permission specific to that sub-unit.
Assisted Practice: Guidelines

Steps to create an administrative unit:

1. Sign in to the Azure Portal


2. Locate the Active Directory blade
3. Create Administrative Unit
Key Takeaways

An ARM template is an IaC tool to create and version Azure services.

Azure Resource Manager is the single interface for managing all Azure resources.

Azure resources can be managed by a variety of tools like Portal, CLI, or PowerShell.

With Azure Role-Based Access Control we can secure access to our Azure services.
Key Takeaways

Azure Policy can be used to meet regulatory and compliance standards for the organization.

Azure Cost Management is the unified dashboard to manage all the cost and billing-related tasks.

Azure Active Directory is used to manage all user and group creation.
Implementing Azure Directory and Assign Permissions

Project agenda: To implement Azure Active Directory, add and remove users from Azure AD,
and implement RBAC

Description: You have been given a project to create Azure AD users in the
subscriptions. Once the users have been created, you need to assign
permissions to these users.

Perform the following:

Create users in Active Directory and assign the Application Administrator
permission to the newly created users
