1.0 Manage Azure Subscription and Resources
What is the Service Administrator limit?
1 per Azure subscription
What are the 3 required properties for a resource manager template?
1. $schema 2. contentVersion 3. resources
What are the components of alert rules on the Azure cloud?
1. A name and description of the alert rule 2. The severity of the alert rule 3. A target source 4. A signal emitted by the target 5. An action group
Once an alert is generated, which endpoints can you send it to?
1. Email 2. SMS 3. Push 4. Voice 5. Azure function 6. Logic App 7. Webhook 8. ITSM 9. Automation runbook
What are the four scopes at which RBAC can be applied to?
1. Management Group- Highest scope 2. Subscriptions- Fall under Management group 3. Resource Group- Fall under Subscription 4. Resource- Falls under Resource Groups
What 3 scopes are supported in Azure Policy?
1. Management Policy 2. Subscription 3. Resource Group
What are 4 foundation roles in Azure?
1. Owner 2. Contributor 3. Reader 4. User Access Administrator
What pieces of information are needed when assigning roles?
1. Sign-in name 2. Name of the role 3. Scope at which you are making the role assignment
What is an important consideration when it comes to a resource group?
A resource group is created in a location. The location of a resource group specifies where the metadata for the resource group is stored. If you have compliance constraints, this is an important consideration.
Which lock prevents accidental resource deletion, but does not prevent resource updates?
CanNotDelete
What are resource groups?
Logical grouping of resources, or those single service instances
Cmdlet to remove a lock?
Remove-AzResourceLock -LockId "nameoflock"
When it comes to Azure RBAC roles, what kind of permissions does the "Reader" have?
View Azure Resources
Using the REST API, how can I validate the move operation?
"validatemoveresources"
What cmdlet would you use to retrieve resources with a specific tag?
(Get-AzResource -Tag @{ owner="[email protected]" }).Name
What cmdlet would you use to retrieve resources based on a tag name, and not a specific tag value?
(Get-AzResource -TagName Costcode).Name
When it comes to tags, What is the maximum number of characters for tag value?
256
What port is required for the Azure Log Analytics (OMS) agent to work properly?
443
When filtering alerts, how many subscriptions can you filter by max?
5
For machines to report telemetry to Log Analytics, they must be running what?
Azure Log Analytics (OMS) agent
Which Azure service provides an entry point to interact with metrics and logs?
Azure Monitor
What tools can you use to provide a lock?
Azure Portal, Azure PowerShell, Azure CLI, Resource Management template, or REST API
What tools can you use to deploy resource manager template?
Azure Portal, Azure PowerShell, Azure CLI, and REST API
What tools can I use to manage role assignments?
Azure Portal, Azure CLI, Azure PowerShell, Azure SDKs, or Resource Manager REST APIs
What are budgets in Azure?
Budgets are a monitoring mechanism only, allowing users to create a budget with set thresholds and notification rules
What is the difference between chargeback and showback?
Chargeback- Bill the department for their Azure consumption. Showback- Help the department understand their spend in Azure
When evaluating a web application, what type of charts might you want?
Charts for visualizing response times (in milliseconds) and response size (in kilobytes)
Between co-administrator, service administrator, and account administrator, which role cannot change the association of subscriptions to Azure directories?
Co-Administrator
Describe the built-in role "Contributor" in Azure
Contributors can create and manage resources, but they don't have the ability to manage access rights to resources. Think of write/read permission in NTFS
Where can I manage my costs?
Cost Management
What two specialized roles can be used to grant principals access to Cost Management data?
Cost Management Contributor and Cost Management Reader
Under "Resource group" scope, what type of permission is required to view data when it comes to Cost Management?
Cost Management Reader (or Reader)
Under "Subscription" scope, what type of permission is required to view data when it comes to Cost Management?
Cost Management Reader (or Reader)
Under the "Management Group" scope, what type of permission is required to view data when it comes to Cost Management?
Cost Management Reader (or reader)
Which section of Azure Advisor displays recommendations related to overall Azure spending by identifying ideal resources?
Cost section
How can I prevent virtual machines that are not in a series?
Create Azure policy to deny the VMs that are not in compliance
When it comes to Azure RBAC roles, what kind of permissions does the "Contributor" have?
Create and manage all types of Azure resources and cannot grant access to others
Under the "Department" scope, what type of permission is required to view data when it comes to Cost Management?
Department Admin
What does the "DeployIfNotExists" effect do when generating a policy?
Deploys a resource if it doesn't already exist
What type of log helps you to collect additional telemetry from every Azure resource?
Diagnostic Log
What does the "Disabled" effect do when generating a policy?
Doesn't evaluate resources for compliance to the policy rule
What does the "AuditIfNotExists" effect do when generating a policy?
Enables auditing if a resource doesn't exist
When would you make a user a Co-Administrator?
If they needed to manage Classic resources. Otherwise, RBAC should be used to grant access to the appropriate scope
What is policyrule when it comes to policies?
If this, then that. The "if" block defines one or more conditions, with logical operators available for when more than one condition is required. The "then" block defines the effect if the conditions are fulfilled
What is Azure policy?
Is an Azure service that can be used to create, assign, and manage policies that enforce governance in your Azure environment
What happens when a policy is applied to a subscription group?
It applies to all the resource groups and resources in the subscription
What form do resource templates take?
JSON
What is the query language used by Log Analytics called?
Kusto
A resource group is created in a ________ that specifies where the metadata information for the resource group is stored
Location
When it comes to Azure RBAC roles, what kind of permissions does the "User Access Administrator" have?
Manage user access to Azure resources
For diagnostics logs, what does a retention period of "zero" days mean?
Means the logs will be retained forever
What are the key differentiators between metrics and logs when it comes to "Data Availability"?
Metrics are gathered over time (like once a minute) and available for immediate query. Logs are often gathered after being triggered by an event (such as an event is written to an application log) and can take time to process before they are available for query. While both offer near real-time query capabilities, metrics will typically be used for fast alerts, and logs used for more complex analysis.
What's the difference between metrics and logs?
Metrics are numerical values such as performance counters, while logs can be either numerical data or text
What are the key differentiators between metrics and logs when it comes to "retention"?
Metrics are retained for 93 days within the Azure service, while logs stored in Log Analytics can be retained for up to two years. There are opportunities to do long term retention of metrics by storing metrics in Log Analytics as well.
When checking on a move operation, what does HTTP 409 mean?
Move operation failed
Where can I view compliance state?
On the compliance blade of the Azure Policy service
Who can be granted Co-Administrator permissions?
Only accounts with Azure RBAC Owner rights can be granted Co-Administrator permissions
Cmdlet to remove assignments using PowerShell?
Remove-AzRoleAssignment
By default, who is automatically set as both the Account Administrator and Service administrator?
The account that is used to sign up for an Azure subscription
What are alert rules?
They are the criteria used to evaluate when an alert should be generated
Parameter when sending diagnostics to storage?
-StorageAccountID
When filtering alerts, how many resource groups can you filter at one time?
1
What is the Account administrator limit?
1 per Azure account
Role Assignment consist of what 3 elements?
1. A security principal 2. A role definition 3. A scope
Give an example on what a security principal can be...
1. A user, or an individual identity that resides in Azure AD 2. A group, which is composed of one or more users that reside in Azure AD 3. A service principal, which is an application registered with Azure AD 4. A managed identity, which is a security principal in the form of an application registration that is managed automatically by Azure or an Azure service
What tools can I use to move resources in Azure?
1. Azure Portal 2. Azure PowerShell 3. Azure CLI 4. REST API
What are 3 ways you can control VM resource cost?
1. Deallocating compute when it is not in use or not needed. For example, shutting down and deallocating development virtual machines in off-hours means you will not be charged for the CPU and RAM consumption normally associated with running a virtual machine. 2. Deleting unused virtual machines. It may sound obvious, but many organizations leave virtual machines in place. If you take the time to automate the provisioning and configuration of your environments, you can tear them down when not needed and stand them up on demand. For example, if you have a user-acceptance environment that is short-lived, it should only be allocated when testing is occurring. 3. Right-sizing virtual machines to ensure full utilization of virtual machine resources such as CPU.
What are some notification options you can configure when configuring alerts?
1. Email 2. SMS 3. Push notifications to the Azure mobile app 4. Voice 5. Integration with automation services
Azure Advisor creates recommendations across four domains. List those 4 domain recommendations
1. High availability: To improve the high-availability and business continuity of your applications hosted on Azure. 2. Security: To detect configurations that may lead to breaches. 3. Performance: To improve the speed of your applications. 4. Cost: To optimize and reduce your overall Azure spending by identifying underused and idle resources like virtual machines.
What are 7 of the common type of subscription available with an Azure account?
1. Microsoft Open Licensing 2. Microsoft Resellers 3. Free Trial 4. Enterprise Agreements 5. Pay-as-you-go/Web Direct 6. Visual Studio/MSDN subscriptions 7. Cloud Solution Provider
What do you need to provide in order to configure a workspace?
1. Name for the workspace 2. The subscription the workspace will be associated with 3. A resource group 4. A location 5. A selection for pricing tier
What three states can alerts have?
1. New- The alert is new and has not been reviewed 2. Acknowledged- The issue that generated the alert is being actioned by an administrator 3. Closed- The issue that generated the alert has been resolved and the alert has been marked as closed
When it comes to Azure RBAC roles, what are the 4 common types?
1. Owner 2. Contributor 3. Reader 4. User Access Administrator
What are some optional parameters when creating a resource manager template?
1. Parameters 2. Variables 3. Functions 4. Outputs
When interacting with data in Log Analytics you use log queries to...
1. Perform interactive analysis of log data through the Azure Portal in Azure Monitor and a Log Analytics workspace. 2. Build custom alert rules based on the logs in a workspace. 3. Generate visualizations that can be shared through Azure Dashboards. 4. Export custom data sets to Excel or Power BI. 5. Perform automation based on log data with PowerShell or the Azure CLI.
What are the benefits of management groups?
1. Reduced overhead- No need to apply governance on every subscription 2. Enforcement- Company admins can apply governance at the management group level, outside the control of the subscription admin, and the controls implemented at the management group can be applied to both existing and new subscriptions. This eliminates inconsistencies in the application of governance, as the same controls are applied the same way to the desired subscription 3. Reporting- The standard tier SKU for Azure Policy provides reports of compliance; with management groups, that reporting can span multiple/all subscriptions in an organization
What are some advantages when deploying using Resource Manager templates vs PowerShell or the CLI?
1. Simple orchestration of complex environments 2. Deploy multiple resources in parallel 3. Use parameters, variables and functions for dynamic deployments, and templates can be reused multiple times 4. Templates are text files that can easily be used with source control management systems and treated as formal artifacts
As metrics are collected, which properties does each metric have?
1. The time the value was created 2. The type of measurement the value represents 3. The resource the value is associated with 4. The value itself
Why do you want to monitor cloud resources?
1. Visibility- See the big picture. Understanding how an application or set of services is performing across 2. Deeper Insights into applications: Use insights to drive automation and remediation 3. Resource Optimization: You can directly correlate the impact of remediation in our environment
How many dimensions can metrics have?
10 dimensions. They can either be one dimensional or multi-dimensional
When creating a new alert rule based on a metric signal, how long can it take for the alert rule to become active?
10 minutes
When querying data from Log Analytics, what is the maximum result search set to?
10,000
When it comes to tags, what is the max limit you can tag a resource or resource group?
15
By default, what is the number of cores available for virtual machines per region?
20; the limit can be increased by submitting a request to Microsoft support
What is the Co Administrator limit?
200 per subscription
What is the max role assignments in each subscription?
2000 per subscription
When it comes to tags, what is maximum number of characters for virtual machine tags?
2048
How many currencies does Azure support?
24 currencies
In Azure Advisor, the CPU utilization rule can be customized in the following increments...
5-20 in the increments of 5
When it comes to tags, what is the maximum number of characters you cannot exceed?
512 for tag names, 128 for storage accounts
What is the maximum amount of resources you can move in a single operation?
800
How many days are Events in the Activity Log retained?
90 days
How many days are Azure metrics retained within Azure Monitor?
93 days
What happens when a budget threshold is exceeded?
A notification is triggered but resources continue to run
In log analytics, what is a workspace?
A workspace is an Azure resource, meaning that RBAC can be applied for granular access to the service and the data stored within it.
Under the "Enrollment account" scope, what type of permission is required to view data when it comes to Cost Management?
Account Owner
What does the "Append" effect do when generating a policy?
Adds the defined set of fields to the request
What are alerts?
Alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues before the users of your system notice them.
What is the default mode for policy?
All
What do alerts allow you to do?
Allow you to be proactively notified of the health of the resources you deploy in Azure. You are not limited to notifications: alert rules leverage action groups that allow you to even implement automation based on an alert
What are resource tags?
Allow you to apply custom metadata to your Azure resources to logically organize them and build out custom taxonomies
What are management groups?
Allow you to apply governance consistently across subscriptions, including application of common RBAC controls and the application of Azure policy
What does spending quotas allow Administrators to do?
Allows administrators to set alerts within an Azure subscription by configuring budgets to inform the business when their Azure spending has hit a certain threshold
What is Cloudyn?
An Azure service that is related to Cost Management, which can track resource cost for Azure resources. It can also track resource usage for AWS and Google, including Azure itself
What is monetary credit alert when configuring the billing alerts?
An alert is sent when monetary credits drop below the defined limit
What is a billing total alert when configuring the billing alerts?
An alert is sent when the subscription spend exceeds the threshold
What type of permissions do you need to view budgets on Azure?
At least read access
By default, where will you create a budget?
At the subscription scope, but you can also create budgets at the resource group scope
What can the account administrator do?
Authorized to access the Account Center (create subscriptions, cancel subscriptions, change billing for a subscription, change Service Administrator, and more)
What can the Service Administrator do?
Authorized to access the Azure Management Portal for all subscriptions in the account. By default, it's the same as the Account Administrator when a subscription is created
What is a way to authenticate the Azure resources available with the Azure subscription?
Azure Active Directory
Which Azure service provides personalized recommendations regarding unused resources?
Azure Advisor
What service can I utilize so I can monitor the cost across multiple subscriptions within the same account?
Azure Enterprise Agreements (EA) Portal
How can I retain events in the Activity Log past the 90 days?
Enabling archival and sending the logs to Azure storage and / or a Log Analytics workspace
Under the "Billing account" scope, what type of permission is required to view data when it comes to Cost Management?
Enterprise Admin
How many billing alerts can you create for a single subscription?
Five billing alerts
When you have a new workspace, what will it default to in terms of storage?
Free tier, which includes 5 GB of log storage per month (31 days)
When it comes to Azure RBAC roles, what kind of permissions does the owner have?
Full access to all resources and can delegate access to others.
What does the "Audit" effect do when generating a policy?
Generates a warning event in activity log but doesn't fail the request
What does the "deny" effect do when generating a policy?
Generates an event in the activity log and fails the request
Cmdlet to retrieve the current resource providers and resource provider operations that support DataActions and NotDataActions in Azure PowerShell
Get-AzProviderOperation
Cmdlet to find resource ID
Get-AzResource
What cmdlet would you use to retrieve all the resource groups with a specific tag?
Get-AzResourceGroup -Tag @{"[email protected]"}
Cmdlet to view all the role assignments in a subscription using Azure PowerShell
Get-AzRoleAssignment
Cmdlet to list the roles that are available for assignment using PowerShell
Get-AzRoleDefinition
Cmdlet to retrieve the definition of any role in Azure PowerShell
Get-AzRoleDefinition
PowerShell cmdlet to view the current resource usage for the storage service?
Get-AzStorageUsage
PowerShell cmdlet to view current usage of vCPU quotas?
Get-AzVMUsage
What is a tag?
Has a name and a value pair. You can later query the resources in your subscription using your tags even across resource groups
What is Azure monitor?
Helps you track performance, maintain security, and identify trends, by ingesting metrics and telemetry from multiple areas, including applications and the operating systems of virtual machines
How are network gateways billed in Azure?
Hourly, so delete any that are not in use
When checking on a move operation, what does HTTP 204 mean?
If operation was successful
What does "CanNotDelete" do in Azure resource locks?
Locks prevent the deletion of a resource. This only prevents the deletion of a resource. It does not include updating or modifying a resource
What does "ReadOnly" do in Azure resource locks?
Locks prevent users from modifying a resource, which includes updating or deleting a resource
What is log analytics?
Log Analytics helps you collect, correlate, search, and act on log and performance data generated by operating systems, applications, and Azure services.
If you want Azure metrics to be stored longer than the normal period of time where can you send those metrics?
Log Analytics which can be stored up to two years
What must be enabled and configured before insights can be extracted or visualizations can be created that are dependent on that data?
Log analytics
What are the key differentiators between metrics and logs when it comes to "Properties"?
Metrics have a fixed set of properties (or attributes). These are time, type, resource, value, and dimensions (optional). Logs have different properties for each log type and even support rich data types such as date and time.
What's the difference between metrics and logs?
Metrics- Are always numerical values, while logs are numerical or textual values that describe a resource at a point in time. Metrics are continuously collected and provide near real-time access to performance data, while logs can vary widely in the amount of time it takes for them to be collected and made available for query.
What type of permissions do I need to be able to assign the CloudynCollector Application?
Microsoft.Authorization/*/Write Access
What scope level do I need to create and remove role assignments?
Microsoft.Authorization/roleAssignments/*
How does Azure Advisor identify low-utilizing VMs?
Monitors CPU usage over 14 days and identifies VMs whose consumption is 5 percent or less and network usage is 7 MB or less for 4 or more days
When it comes to applying roles, if a user has multiple roles, what takes precedence?
Most privileged rights take precedence. Aka highest privilege
Cmdlet to move resources using Azure PowerShell?
Move-AzResource
What type of permissions do you need to create and manage budgets?
Must have "Contributor" or higher rights
Cmdlet to provision a new workspace
New-AzResourceGroupDeployment
What cmdlet would you use to deploy a template with Azure PowerShell?
New-AzResourceGroupDeployment
Cmdlet to lock a resource?
New-AzResourceLock
Cmdlet to assign a role for a user using PowerShell
New-AzRoleAssignment -SignInName
Can a resource group be nested in another resource group?
Nope
When it comes to tags, what are some resource limits?
Not all resource types support tags
Azure services are available to customers in how many countries?
Over 140 countries
Describe the built-in role "Owner" in Azure
Owners have full access to all resources, including the ability to alter security, or access rights, for the resources they manage
Describe the built-in role "User Access Administrator" in Azure
Principals assigned the User Access Administrator role manage access rights to Azure resources
What's the difference between RBAC and policy?
RBAC is a default deny mechanism with explicit allow, whereas policy is a default allow with an explicit deny system
If I want to prevent someone from modifying my virtual machine, what kind of lock can I configure on the VM?
ReadOnly Lock. This will prevent any modification or deletion
Describe the built-in role "Reader" in Azure
Readers can view resources, but cannot create, manage, or alter access rights to resources. Think of this as read permissions in NTFS
Cmdlet to delete a resource group using Azure PowerShell?
Remove-AzResourceGroup -Name "blah"
What happens if I delete a resource group?
Removes all the resources contained within it in one operation
When checking on a move operation, what does HTTP 202 mean?
Request accepted
Which built in role can be used to manage policies?
Resource Policy Contributor
What can you use to group resources logically?
Resource groups
What are considered diagnostics logs?
Resource logs and tenant logs
What can the Co Administrator do?
Same as the Service Administrator but cannot change the association of subscriptions to Azure directories
Referring to RBAC, what is a scope?
Scope is a logical boundary where access rights apply. For example, to grant a group Contribute rights to all of the resources in a resource group, the Contributor role can be assigned to the group at the resource group scope where it is then inherited by all of the resources in the resource group
Which cmdlet would you use to enable collection of diagnostics logs with Azure PowerShell?
Set-AzDiagnosticSetting
What cmdlet would you use to apply a tag to a resource with no existing tags?
Set-AzResource
What cmdlet would you use to remove tags from an existing resource?
Set-AzResource -Tag @{} -Name nameofgroup
What cmdlet would you use to apply a Tag to a resource group with no existing tags?
Set-AzResourceGroup
What's the difference between a spending quota vs resource limit?
Spending quota acts as an alerting mechanism and does not stop resources from being created or consumed.
What can a resource limit do?
Stop resources from being created
When it comes to tags, what are some illegal characters?
Tag names cannot contain the following characters: <, >, %, &, \, ?, /
What should be a condition for every business unit's Azure resource to track the cost?
Tag resources, it will help track the cost of individual business units within the same account
What are tags?
Tags are additional metadata associated with Microsoft Azure ARM resources
When it comes to tags, what is the limitation for classic resources?
Tags cannot be applied to classic resources and are only available for resources created in the Resource Manager model.
What do "Tags" do?
Tags in Azure Resource Manager allow consumers of Azure to logically categorize Azure resource groups and Azure resources. As resources are tagged, they can then be queried and tracked based on the associated tags.
Where must tags be applied to be visible in detailed usage exports?
Tags must be applied at the resource scope
What cmdlet would I use to test a template without deploying it?
Test-AzResourceGroupDeployment
Which administrators are assigned the "Owner" role when it comes to Azure RBAC roles?
The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope
How many email recipients can you attach per alert in billing alerts?
Up to 2 email recipients
How is the state of an alert updated?
Updated by the user who is interacting with the alert. Azure WILL NOT update this automatically
What are Azure resource locks (sometimes called management locks)?
Used to prevent the accidental deletion or modification of critical resources with 2 types of locks available. 1. CanNotDelete 2. ReadOnly
What does the policy mode "indexed" do?
Used when you are creating policies that enforce tags or locations
What type of permissions must you have to be able to apply a tag to a resource group or resource?
User applying tag must have write access to the resource (Contributor role or higher access)
Who cannot be added as Co-Administrators to an Azure subscription?
Users with the Contributor or Reader roles
In Azure Advisor, when will Azure recommend to delete a circuit?
When 30 days have passed and the provision status has been set to "Not Provisioned"
When will Azure Advisor identify network gateways that have been idle?
When it's been more than 90 days
Can a resource in a resource group interact with resource group in another resource group?
Yep
Are resource locks inherited?
Yes, whatever resource group you apply them to, the child item will inherit the lock
What must you do after a workspace has been provisioned?
You must enable data collection and configure both resource and tenant logs to store their logs within the service
What is RBAC (Role-Based Access Control)?
allows you to manage the entities, also referred to as security principals, that have access to Azure resources and the actions that those entities can perform
What is a user principal?
an identity that is associated with a user, or a group of users. An example is a developer who is granted direct access to manage their web application.
What is a security principal?
are the objects that are associated with a role definition and a scope to apply RBAC to Azure resources
Command to delete a resource group using Azure CLI?
az group delete
Command to delete a resource group without a confirmation message using Azure CLI?
az group delete --name groupname --yes
cmdlet to retrieve all the resource groups with a particular tag?
az group list --tag "nameoftag"
cmdlet to use to retrieve the existing tags for resource group?
az group show
What command can I use to add tags to a resource group without existing tags
az group update
Command to enable debugging logs from Azure CLI?
az monitor diagnostic-settings create
Command to retrieve the current resource providers and resource provider operations that support DataActions and NotDataActions in Azure CLI
az provider operation list
Command to move resources using Azure CLI?
az resource move
Command to list the roles that are available for assignment using PowerShell
az role
Command to remove a role assignment from a user using Azure CLI?
az role assignment delete
Command to view all the role assignments in a subscription using Azure CLI
az role assignment list --all
Command to retrieve the definition of any role using Azure CLI
az role definition list
Command to list a single role in Azure CLI
az role definition list --name
What is the main requirement for me to move resources between subscriptions?
both subscriptions must be associated with the same Azure AD tenant
What is the recommended method for enabling diagnostics logs?
browse to the Azure Monitor and Diagnostic Settings blade
What is role definition in RBAC?
contains the list of permissions, or declared permissions, and those permissions define what actions can or cannot be performed against a type of resource, such as read, write, or delete. Think of these as security groups on Windows
What is Azure advisor?
is a free, personalized guide to Azure best practices
What is the difference between non dimensional and multi-dimensional when it comes to dimensions?
A non-dimensional metric can be thought of as the metric name and the value of the metric output and collected in the Monitor service over time. A multi-dimensional metric (both from an Azure resource or a custom metric) is the metric name and an additional name-value pair with additional data.
How often are Azure metrics collected?
one-minute intervals (unless otherwise specified) and are identified by a metric name and a namespace (or category)
What is an action group?
provides the definition for what will happen when the conditional logic of the alert rule is met by grouping together one or more actions
How many levels of hierarchy are the Management group?
six levels deep, excluding the root and subscription level
What way can you define custom roles?
using JSON or Javascript Object Notation