Microsoft Azure Administrator (AZ-104)
If hierarchy protection isn't enabled _____
Any Azure AD user in the tenant can create a management group, even without the management group write permission assigned to that user. Enabling the hierarchy setting restricts creation to users who hold that permission.
Scripted
Assemble the Azure CLI commands into a shell script using the script syntax of your chosen shell. Then execute the script.
Using various REST APIs you can create a subscription for the following Azure agreement types:
- Enterprise Agreement (EA) - Microsoft Customer Agreement (MCA) - Microsoft Partner Agreement (MPA)
Azure AD Connect has the following features
- Password hash synchronization - Pass-through authentication - Federation integration - Synchronization - Health Monitoring (Azure AD Connect Health)
Azure AD Objects
- Users - Groups (assigned/dynamic) - Enterprise Applications/Azure Resources (Service Principals) - Devices. Users and groups will often be synchronized from on-prem AD.
Create Azure AD B2C
1. Azure Portal 2. Azure Active Directory B2C 3. Create a new Azure AD B2C tenant 4. Input Organization name and domain name 5. Review + create
B2C guest in Azure AD
- Aimed at customers: a separate tenant type that is fully customizable and supports social identity providers (Google, Facebook, LinkedIn, etc.) - The identity belongs to the consumer rather than to an employer, so single sign-on and access survive even if the user leaves a company/org
Outbound Data Transfer for compute instances
5 GB free
Azure CLI
A cross platform command-line program to connect to Azure and execute administrative commands on Azure resources. It runs on Linux, macOS, and Windows, and allows administrators and developers to execute their commands through a terminal, command-line prompt, or script instead of a web browser. Can be used interactively or through scripts
Your company is building a video-editing application that will offer online storage for user-generated video content. The videos will be stored in Azure Blobs. An Azure storage account will contain the blobs. It is unlikely the storage account would ever need to be removed and recreated because this would delete all the user videos. Which tool is likely to offer the quickest and easiest way to create the storage account?
Azure portal. The portal is a good choice for one-off operations like creating a long-lived storage account
You have an Azure subscription named Subscription1. You plan to deploy an Ubuntu Server virtual machine named VM1 to Subscription1. You need to perform a custom deployment of the virtual machine. A specific trusted root certification authority (CA) must be added during the deployment. What should you do?
Create a cloud-init configuration file (for example a .txt file containing the cloud-init YAML that installs the CA certificate) and pass it to the az vm create command with the --custom-data parameter when deploying the virtual machine.
Access token
Created when a user logs on, this value identifies the user and all of the user's group memberships. Like a club membership card, it verifies a user's permissions when the user attempts to access a local or network resource.
Dashboards
Stored as JavaScript Object Notation (JSON) files. This format means they can be uploaded and downloaded to other computers or shared with members of the Azure directory. Azure stores dashboards within resource groups, just like virtual machines or storage accounts that you can manage within the portal. You can also customize them programmatically, making them compelling administrative tools. Some tile types can be query-based, so they update automatically when the source data changes.
Azure AD directory
Each Azure tenant has a dedicated & trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform Identity & Access management functions for tenant resources.
Conditional Access
Gives you the ability to enforce access requirements when specific conditions occur. This Azure AD policy makes sure that only trusted users can access your organizational resources on trusted devices using trusted apps. For example, when any user is outside the company network -> they're required to sign in with multi-factor authentication. Azure AD Premium P1 feature
Owner (Azure Built-in role)
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC
Organizing resources - Tagging
Use of tags for: - Resource Management - Cost Management - Operations Management - Security - Governance - Automation - Workload Optimization
User subscription
Used to pay for Azure cloud services
Securing MFA registration with Self-Service Password Reset (SSPR)
Users must initially set up their security registration, and that registration step is by default protected only by the password. To lock it down, use Conditional Access -> New Policy -> Cloud apps or actions -> User actions -> Register security information, then apply controls (for example, allow registration only from trusted locations or require MFA).
Access Reviews
Very often people change roles, gain new permissions and never lose old ones. Enables periodic review of: - Group membership - App assignment - Role assignment Reviews can be done by admins, by delegated reviewers or as self-review
Reader (Azure Built-in role)
View all resources but does not allow you to make any changes
Compute instances ending in "s"
Will reveal premium SSD and ultra disk configurations. s = premium storage capable
Password
a network secret that provides authentication of the user
Bell icon
displays the Notifications pane
Azure Cloud Shell
- A browser-based scripting environment for command-line administration of Azure resources. It provides support for two shell environments and flexibility by allowing you to choose your preferred shell experience. Linux users can opt for a Bash experience, while Windows users can use PowerShell. - Is temporary and requires a new or existing Azure Files share to be mounted. - Offers an integrated graphical text editor based on the open-source Monaco Editor. - Authenticates automatically for instant access to your resources. Runs on a temporary host provided on a per-session, per-user basis. Is assigned to one machine per user account. Times out after 20 minutes without interactive activity. Permissions are set as a regular Linux user in Bash. - Requires a resource group, storage account, and Azure File share. Uses the same Azure file share for both Bash and PowerShell. Persists $HOME using a 5-GB image held in your file share. Has a suite of: - Developer Tools (.NET Core, Python, Java, Node.js, Go) - Editors (code (Cloud Shell Editor), vim, nano, emacs) - Other tools (git, maven, make, npm, etc.)
AD User administration
- Assign roles and admin roles - Add users to groups - Enforce authentication methods such as Multi-Factor Authentication (MFA) - Track user sign-ins - Track the devices users sign in from and allow/deny devices - Assign Microsoft licenses
Ways to assign resource access rights
- Direct assignment - Group assignment - Rule-based assignment - External authority assignment
Privileged Identity Management (PIM)
- Enables elevation of Azure AD (and Azure Resource Manager) roles when needed for limited time - Roles must be pre-assigned to be available for users - Users then elevate on-demand or for a future time - Azure AD Premium P2 feature
Built-in roles for accessing specific resource types:
- Virtual machine Admin Login role can view VMs in the portal and sign in as administrator - Virtual machine Contributor role can manage VMs, but it can't access them or the virtual network or storage account they're connected to - Virtual machine User Login role can view VMs in the portal and sign in as a regular user
Create a management group
1. Azure portal 2. All services > Management + governance 3. Select "Management Groups" 4. Select "+ Add management group"
Create a Microsoft Customer Agreement (MCA) subscription in your current Azure AD directory/tenant
1. Azure portal 2. Navigate to "Subscriptions" and then select Add 3. On the "Create a subscription" page, on the Basics tab, type a subscription name 4. Select the "Billing account" where the new subscription will get created 5. Select the "Billing profile" where the subscription will get created 6. Select the "Invoice section" where the subscription will get created 7. Next to Plan, select Microsoft Azure Plan for DevTest if the subscription will be used for dev/test workloads. Otherwise, select Microsoft Azure Plan. 8. Select Advanced Tab 9. Select your "Subscription directory". It's the Azure AD where the new subscription will get created 10. Select a management group 11. Select one or more Subscription owners 12. Select the Tags tab 13. Enter tag pairs for Name and Value 14. Select review + create, then "Create"
Upgrade an Azure AD tenant
1. Click intended tenant 2. Click "Licenses" 3. Navigate to "All Products" 4. Click "Try/Buy" 5. Activate a license
Azure Active Directory (Azure AD)
A cloud-based suite of identity management capabilities that enables you to securely manage access to Azure services and resources for your users. Provides application management, authentication, built-in federations, device management and hybrid identity management. User authentication for Azure always happens here. Speaks "cloud" in the following ways: - SAML - WS-Fed - OAuth 2.0 - OpenID Connect (OIDC) - System for Cross-Domain Identity Management (SCIM) - NOT Kerberos, NTLM or LDAP
Dashboards
A customizable collection of UI tiles displayed in the Azure portal. You add, remove, and position tiles to create the exact view you want, and then save that view. Multiple views are supported, and you can switch between them as needed. You can even share your configurations with other team members. For example, you can create dashboards for specific roles within the organization, and then use role-based access control (RBAC) to control who can access that dashboard. Hence, your database administrator would have a dashboard that contains views of the SQL database service, whereas your Azure Active Directory administrator would have views of the users and groups within Azure AD. You can even customize the portal between your production and development environments within the portal - creating a specific dashboard for each environment you are managing
Azure AD Tenant
A dedicated, isolated and trusted instance of the Azure Active Directory service, owned and managed by an organization. It is automatically created when your organization signs up for a Microsoft Azure subscription, Microsoft Intune or Microsoft 365.
Azure Advisor
A free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. It analyzes your deployed services and looks for ways to improve your environment across those areas. You can view recommendations in the portal or download them in PDF or CSV format. With this feature, you can: - Get proactive, actionable, and personalized best practices recommendations. - Improve the performance, security, and high availability of your resources as you identify opportunities to reduce your overall Azure costs. - Get recommendations with proposed actions inline
Federation Integration (ex. Active Directory Federation Services)
A hybrid sign-in method in which an on-prem/local identity provider (such as AD FS) performs the authentication and issues the claims and tokens (SAML/WS-Fed) that Azure AD trusts, so the user signs in with one account. The cost is operational: you have to continuously maintain the federation servers, their certificates and the claims configuration.
-Az module
The replacement for the older AzureRM module and the formal name for the Azure PowerShell module containing cmdlets to work with Azure features. It contains hundreds of cmdlets that let you control nearly every aspect of every Azure resource. You can work with the following features, and more: - Resource groups - Storage - VMs - Azure AD - Containers - Machine learning This module is an open-source component available on GitHub.
Azure Marketplace
A service on Azure that helps connect end users with Microsoft partners, independent software vendors (ISVs), and start-ups that are offering their solutions and services, which are optimized to run on Azure. Allows customers—mostly IT professionals and cloud developers—to find, try, purchase, and provision applications and services from hundreds of leading service providers, all certified to run on Azure.
Manage and enable Security defaults
A set of basic identity security mechanisms recommended by Microsoft 1. Azure Portal 2. Azure AD 3. Properties 4. Manage Security defaults 5. Enable
Password hash synchronization
A sign-in method. Synchronizes a hash of a user's on-premises AD password hash with Azure AD (a hash of a hash, so the synced value cannot be replayed as the NT hash). Used for cloud authentication only and does not enforce rules established in on-prem AD such as account lockout, account expiry, password expiration, and restricted logon hours.
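The "hash of a hash" step is worth seeing in code. The block below is an added example, not from the page or from Microsoft's agent; it follows Microsoft's published description of what the sync agent does (16-byte NT hash expanded via its hex string to 64 bytes of UTF-16LE, a 10-byte per-user salt, PBKDF2-HMAC-SHA256 with 1,000 iterations and a 32-byte output). The lowercase hex in the expansion step and the sample NT hash value are assumptions made for the demo.

```python
# Added example, not from the page: the "hash of a hash" that Password hash
# synchronization sends to Azure AD, following Microsoft's published description
# of the sync agent (NT hash -> hex -> UTF-16LE -> PBKDF2-HMAC-SHA256, 1000 rounds,
# 10-byte per-user salt, 32-byte output). Assumptions: lowercase hex in the
# expansion step, and the sample NT hash below.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 1000
SALT_LEN = 10
OUTPUT_LEN = 32

# Widely published NT (MD4) hash of the string "password"; used only as sample input.
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Widen the 16-byte NT hash to 64 bytes: 32 hex characters, UTF-16LE encoded."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")


def derive_synced_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """The value that leaves the on-prem agent: PBKDF2 over the expanded hash plus salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 10 bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", expand_nt_hash(nt_hash), salt, PBKDF2_ITERATIONS, OUTPUT_LEN
    )


def sync_record(nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """Bundle hash, salt and iteration count as the agent transmits them (over TLS)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return {
        "hash": derive_synced_hash(nt_hash, salt),
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_cloud_sign_in(record: dict, candidate_nt_hash: bytes) -> bool:
    """Cloud-side check: recompute with the stored salt, compare in constant time."""
    recomputed = derive_synced_hash(candidate_nt_hash, record["salt"])
    return hmac.compare_digest(record["hash"], recomputed)


if __name__ == "__main__":
    rec = sync_record(SAMPLE_NT_HASH)
    print("synced value:", rec["hash"].hex())
    print("NT hash in the synced value?", SAMPLE_NT_HASH in rec["hash"])  # False
```

The point for a defender: a leak of the synced values does not hand an attacker NTLM-usable hashes, because PBKDF2 is one-way and salted per user; and on-prem password policy is still enforced where the NT hash is produced, not in the cloud.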
Pass-through authentication
A sign-in method. Lightweight authentication agents running on-premises validate the user's password directly against on-premises AD, so no password hashes are stored in the cloud and on-prem account policies (lockout, expiry, logon hours) are enforced at sign-in. Allows users to use the same password on-premises and in the cloud.
External authority assignment
Access comes from an external source, such as an on-prem directory or a SaaS app
External Identities (Azure AD)
Allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. Supports logins from Google and Facebook. - Share apps with external users (B2B collaboration) - Develop apps intended for other Azure AD tenants (single-tenant or multi-tenant) - Develop white-labeled apps for consumers and customers (Azure AD B2C)
Azure Spot VMs
Allows customers to take advantage of unused Azure capacity at a significant discount. At any point in time when Azure needs the capacity back, the Azure infrastructure will evict the VM.
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines. You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text. What should you create to store the password? A. An Azure Key Vault and an access policy. B. A Recovery Services vault and a backup policy. C. Azure Active Directory (AD) Identity Protection and an Azure policy. D. An Azure Storage account and an access policy.
An Azure Key Vault and an access policy
Organizing resources - Naming
An effective naming convention helps you quickly identify: - Resource type - Associated workload/application - Deployment environment - the Azure region hosting it - Instance number For example, a public IP resource for a production SharePoint workload in the West US region might be: pip-sharepoint-prod-westus-001
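A naming convention is only useful if it is checked. The block below is an added example, not from the page: it builds names in the "pip-sharepoint-prod-westus-001" shape described above, validates them against per-resource-type rules, and also checks the tag set from the "Organizing resources - Tagging" card. The storage-account rule (3-24 lowercase letters and digits, no hyphens) is Azure's documented one; the other length limits, the environment list and the required-tag set are assumptions for the demo.

```python
# Added example, not from the page: build/validate names per the convention
# type-workload-env-region-nnn and check required tags.
# Assumptions: TYPE_RULES other than "st" are approximations, ENVIRONMENTS and
# REQUIRED_TAGS stand in for an organisation's own policy.
import re
from dataclasses import dataclass
from typing import Dict, List, Set

TYPE_RULES = {
    "rg": (re.compile(r"^[\w().-]{1,90}$"), "resource group: 1-90 chars"),
    "pip": (re.compile(r"^[A-Za-z0-9]([\w.-]{0,78}\w)?$"),
            "public IP: 1-80 chars, alphanumeric start, alphanumeric/underscore end"),
    "vm": (re.compile(r"^[\w-]{1,64}$"), "VM: 1-64 chars"),
    "st": (re.compile(r"^[a-z0-9]{3,24}$"),
           "storage account: 3-24 lowercase letters and digits, no hyphens"),
}
ENVIRONMENTS = {"prod", "dev", "test", "stage"}
REQUIRED_TAGS = {"env", "owner", "costcenter"}


@dataclass(frozen=True)
class ResourceName:
    type_prefix: str
    workload: str
    environment: str
    region: str
    instance: int

    def build(self) -> str:
        """Join the components; storage accounts cannot carry hyphens, so drop them."""
        name = "-".join([self.type_prefix, self.workload, self.environment,
                         self.region, f"{self.instance:03d}"])
        return name.replace("-", "") if self.type_prefix == "st" else name


def parse_name(name: str) -> ResourceName:
    """Split a hyphenated name back into its five components."""
    parts = name.split("-")
    if len(parts) != 5 or not parts[4].isdigit():
        raise ValueError(f"{name!r} does not follow type-workload-env-region-nnn")
    return ResourceName(parts[0], parts[1], parts[2], parts[3], int(parts[4]))


def validate_name(name: str, type_prefix: str) -> List[str]:
    """Return a list of problems; an empty list means the name passes."""
    rule = TYPE_RULES.get(type_prefix)
    if rule is None:
        return [f"unknown type prefix {type_prefix!r}"]
    pattern, reason = rule
    problems = []
    if not pattern.match(name):
        problems.append(f"{name!r} violates {reason}")
    if not name.startswith(type_prefix):
        problems.append(f"{name!r} does not start with type prefix {type_prefix!r}")
    if "-" in name:  # hyphenated names can be parsed and their environment checked
        try:
            if parse_name(name).environment not in ENVIRONMENTS:
                problems.append(f"unknown environment {parse_name(name).environment!r}")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def missing_tags(tags: Dict[str, str]) -> Set[str]:
    """Required tags that are absent or empty."""
    return {t for t in REQUIRED_TAGS if not tags.get(t)}


if __name__ == "__main__":
    for rn in (ResourceName("pip", "sharepoint", "prod", "westus", 1),
               ResourceName("st", "sharepoint", "prod", "westus", 1)):
        print(rn.build(), validate_name(rn.build(), rn.type_prefix))
    print(missing_tags({"env": "prod", "owner": "alice"}))
```

The second sample shows why the convention needs a per-type check: the storage-account form of the same components comes out 25 characters long and fails Azure's 3-24 limit, so a shorter workload or region abbreviation is needed for that type.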
Azure AD Account
An identity created through Azure AD or another Microsoft cloud service that has data associated with it
Identity (Azure AD)
An object that can be authenticated
Another Administrator is managing Azure locally using PowerShell. They have launched PowerShell as an Administrator. Which of the following commands should be executed first?
Connect-AzAccount. The first thing to do is to connect to Azure and provide the user credentials to log in.
Azure AD MFA
Consists of: - Something we know (password/PIN) - Something we are (biometric) - Something we have (phone, hardware token, laptop) Conditional Access-driven MFA requires Azure AD Premium P1; Security Defaults provide MFA for free (and always enforce it for Global Administrators)
CLI groups and subgroups
Each group represents a service provided by Azure, and the subgroups divide commands for these services into logical groupings. For example, the storage group contains subgroups including account, blob, share, and queue
Container Instances
Easily run containers on Azure without managing servers. Containers must be deployed in Container Groups.
Interactive
First, for Windows operating systems, launch a shell such as cmd.exe, or for Linux or macOS, use Bash. Then issue the command at the shell prompt.
Azure AD SKUs and Licensing
Free, Office 365 apps, Premium P1 and Premium P2. They are licensed on a per-user, per-month basis. Premium SKUs allow you to leverage Multi-Factor authentication and Conditional Access.
You have an Azure AD tenant named thetechblackboard.com. Multi-factor authentication (MFA) is enabled for all users. You need to provide users with the ability to bypass MFA for 10 days on devices which they have successfully signed in by using MFA. What should you do? A. From the multi-factor authentication page, configure the user's settings B. From Azure AD, create a conditional access policy C. From the multi-factor authentication page, configure the service settings D. From the MFA blade in Azure AD, configure the MFA Server settings
From the multi-factor authentication page, configure the service settings
Contributor (Azure Built-in role)
Grants full access to manage all resources but does not allow you to assign roles in Azure RBAC or share image galleries
Manage Access - Custom Roles
If you have a single group of users responsible for managing multiple resource types, you might want to create a custom role to optimize management of the required access controls
Resize a VM in an availability set
In the Azure Resource Manager (ARM) deployment model, all VMs in an availability set share a hardware cluster. If the new size is not available on that cluster, the VM can only be resized once all of the VMs in the set are in a stopped (deallocated) state, so that they can be placed together on hardware that supports the new size
Resources
Instances of services that you can create, like virtual machines, storage or SQL databases
Azure AD Groups
Lets the resource owner (or Azure AD directory owner) assign a set of access permissions to all members of the group, instead of granting rights one by one. They are made up of: - Owners, who have permission to add/remove members - Members, who have permissions to do things
User Access Administrator (Azure Built-in role)
Lets you manage user access to Azure resources (role assignments) without granting access to the resources themselves
Resource Groups
Logical containers where you can deploy and manage Azure resources like web apps, databases and storage accounts
Management Groups
Manage access, policies and compliance for multiple subscriptions. - All subscriptions under the management group inherit the policies and role assignments from the parent management group (hierarchically) - Supports up to six levels of depth (not counting the root or subscription level) and 10,000 management groups per directory
Resource Hierarchy
Management group -> Subscription -> Resource Group -> Resource
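The two cards above state the depth limit and the inheritance rule; the block below is an added example, not from the page, that models the Management group -> Subscription -> Resource Group -> Resource hierarchy, refuses a seventh management-group level, and computes the effective policy/role assignments at any scope by walking up to the root. The scope names and assignment labels are made up for the demo.

```python
# Added example, not from the page: model the Azure scope hierarchy, enforce the
# six-level management-group depth cap and compute inherited assignments.
# Scope names and assignment strings below are constructed for the demo.
from dataclasses import dataclass, field
from typing import List, Optional

MAX_MG_DEPTH = 6  # management-group levels below the tenant root group

# Which parent kinds each scope kind may be placed under.
ALLOWED_PARENT = {
    "management_group": {"root", "management_group"},
    "subscription": {"root", "management_group"},
    "resource_group": {"subscription"},
    "resource": {"resource_group"},
}


@dataclass
class Scope:
    name: str
    kind: str
    parent: Optional["Scope"] = None
    assignments: List[str] = field(default_factory=list)  # policies/roles assigned here

    def ancestors(self):
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def mg_depth(self) -> int:
        """Management-group levels from the root down to and including this scope."""
        return sum(1 for s in [self, *self.ancestors()] if s.kind == "management_group")

    def effective_assignments(self) -> List[str]:
        """Own assignments plus everything inherited, ordered root first."""
        chain = [*reversed(list(self.ancestors())), self]
        return [a for scope in chain for a in scope.assignments]


class Hierarchy:
    def __init__(self, root_name: str = "Tenant Root Group"):
        self.root = Scope(root_name, "root")
        self.scopes = {root_name: self.root}

    def add(self, name: str, kind: str, parent_name: str, assignments=()) -> Scope:
        if kind not in ALLOWED_PARENT:
            raise ValueError(f"unknown scope kind {kind!r}")
        parent = self.scopes[parent_name]
        if parent.kind not in ALLOWED_PARENT[kind]:
            raise ValueError(f"{kind} {name!r} cannot sit under {parent.kind} {parent_name!r}")
        scope = Scope(name, kind, parent, list(assignments))
        if scope.mg_depth() > MAX_MG_DEPTH:
            raise ValueError(f"{name!r} would be level {scope.mg_depth()}; max is {MAX_MG_DEPTH}")
        self.scopes[name] = scope
        return scope


if __name__ == "__main__":
    h = Hierarchy()
    h.add("Contoso", "management_group", "Tenant Root Group", ["Policy: allowed locations"])
    h.add("Prod", "management_group", "Contoso", ["Role: SecOps Reader"])
    h.add("sub-prod-01", "subscription", "Prod", ["Policy: require tags"])
    h.add("rg-web", "resource_group", "sub-prod-01")
    vm = h.add("vm-web-01", "resource", "rg-web", ["Role: VM Contributor (alice)"])
    print(vm.effective_assignments())
```

Reading the effective list at the leaf is the practical check: a policy assigned at a management group near the root applies to every subscription and resource beneath it, so a broadly scoped exemption or Owner assignment is a tenant-wide concern rather than a local one.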
Help + Support option
Opens the main help and support area for the Azure portal and includes documentation options for a variety of common questions. One of the hidden areas here is the "new support request" link, which is on this page. This link is how you can open a support ticket with the Azure team. If a company needs the list of planned maintenance events that can affect the availability of an Azure subscription, then they can navigate to this page as well.
Azure Active Directory Domain Services (Azure AD DS)
Provides managed domain services such as: - Domain joins - Group policies - Lightweight directory access protocol (LDAP) - Kerberos / NTLM authentication You can use these domain services without the need to deploy, manage and patch domain controllers (DCs) in the cloud
Directory Service
Provides the methods for storing directory data and making this data available to network users and administrators, such as Active Directory Domain Services (AD DS). It also runs on a Domain Controller.
Azure subscriptions
Provides you with authenticated and authorized access to Azure products and services. It also allows you to provision resources. Logically associate user accounts with the resources they create. Each subscription has limits or quotas on the number of resources it can create and use. An Azure account can have one subscription or multiple of these that have different billing models and to which you apply different access-management policies. You can use these to define boundaries around Azure products, services, and resources so organizations can manage costs and the resources created by users, teams or projects.
Which port would you open using the inbound port rules to allow remote desktop access, while you create Window virtual machine? A. HTTPS B. FTP C. RDP (3389) D. SSH (22)
RDP (3389)
Active Directory User
Represents an identity for a person or employee in your directory. They have login credentials and can use them to sign in to the Azure portal. A member belongs to your organization; a guest belongs to another organization.
Synchronization (Azure AD Connect)
Responsible for creating users, groups and other objects. Ensures on-prem and cloud data matches.
Dev/Test pricing
Like Azure Hybrid Benefit, you don't have to pay for the OS licenses for these virtual machines
Resize a VM deployed using the Classic deployment model
The cloud service must be removed and redeployed to change the VMs to a size in another size family
Request to Join Groups (Azure AD)
The group owner can let users find their own groups to join, instead of assigning them. The owner can also set up the group to automatically accept all users that join or to require approval.
Refresh token
The refresh token may have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked by the end-user. The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server. Since refresh tokens may expire or be revoked by the user outside the control of the client application, the client must handle failure to obtain an access token, typically by replaying the protocol from the start.
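The access-token and refresh-token cards above describe behaviour that is easiest to see as a small client. The block below is an added example, not from the page and not Azure AD's or MSAL's code: it mints JWT-shaped access tokens carrying sub and groups claims, verifies signature and expiry, and runs a client that refreshes silently and replays the full sign-in when the refresh token has been revoked. The HMAC signing key, the one-hour lifetime and the DemoAuthority endpoint are assumptions; real Azure AD tokens are RS256-signed and are verified against the tenant's published signing keys.

```python
# Added example, not from the page: constructed access/refresh token flow.
# Assumptions: DEMO_KEY stands in for the identity provider's signing key,
# ACCESS_LIFETIME is one hour, DemoAuthority stands in for the token endpoint.
import base64
import hashlib
import hmac
import json
import secrets

DEMO_KEY = b"constructed-demo-signing-key"
ACCESS_LIFETIME = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(sub: str, groups: list, now: int) -> str:
    """JWT with identity and group-membership claims, valid for ACCESS_LIFETIME seconds."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": sub, "groups": groups, "iat": now, "exp": now + ACCESS_LIFETIME}).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: int):
    """Return the claims if the signature holds and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None  # tampered claims or wrong issuer
    claims = json.loads(_unb64url(payload))
    return None if claims["exp"] <= now else claims


class DemoAuthority:
    """Stand-in token endpoint: issues refresh tokens and honours revocation."""
    def __init__(self):
        self._refresh = {}  # refresh token -> (sub, groups)

    def sign_in(self, sub, groups, now):
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = (sub, list(groups))
        return mint_access_token(sub, groups, now), rt

    def refresh(self, rt, now):
        if rt not in self._refresh:
            raise PermissionError("invalid_grant: refresh token expired or revoked")
        sub, groups = self._refresh[rt]
        return mint_access_token(sub, groups, now)

    def revoke(self, rt):
        self._refresh.pop(rt, None)


class DemoClient:
    """Caches tokens, refreshes silently, replays the sign-in if refresh is rejected."""
    def __init__(self, authority, sub, groups):
        self.authority, self.sub, self.groups = authority, sub, list(groups)
        self.access = self.refresh_token = None
        self.interactive_sign_ins = 0

    def get_claims(self, now: int):
        claims = verify_access_token(self.access, now) if self.access else None
        if claims is None and self.refresh_token is not None:
            try:
                self.access = self.authority.refresh(self.refresh_token, now)
            except PermissionError:
                self.refresh_token = None  # dead refresh token: start the protocol over
        if self.refresh_token is None:
            self.access, self.refresh_token = self.authority.sign_in(self.sub, self.groups, now)
            self.interactive_sign_ins += 1
        return verify_access_token(self.access, now)
```

Two things the client gets right that a careless one would not: a token whose claims were edited fails verification rather than granting the edited groups, and a revoked refresh token produces a clean fall-back to a new sign-in instead of an endless loop of failed refreshes.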
Group Assignment (Azure AD)
The resource owner assigns an Azure AD group to the resource, which automatically gives all of the group members access to the resource
Rule-based assignment
The resource owner creates a group and uses a rule to define which users are assigned to a specific resource
Direct Assignment (Azure AD)
The resource owner directly assigns the user to the resource
Built-In roles that can be applied to Management Groups, Subscriptions and Resource Groups & Resource level
There are three core roles: - Owner - Contributor - Reader
Your company has an Azure Active Directory (Azure AD) subscription. You want to implement an Azure AD conditional access policy. The policy must be configured to require members of the Global Administrators group to use Multi-Factor Authentication and an Azure AD-joined device when they connect to Azure AD from untrusted locations. What is the solution?
You access the Azure portal to alter the grant control of the Azure AD conditional access policy
Azure AD Groups assignment
You can assign roles directly to a group or you can assign applications directly to a group
For Standard HDD and Standard SSD ____
You have to pay for storage transactions in addition to the disk itself: $0.0005 per 10,000 transaction units for Standard HDD and $0.002 per 10,000 transaction units for Standard SSD (Premium SSD and Ultra Disk have no per-transaction charge)
Permission required to create Azure subscriptions
You need an owner or contributor role on the invoice section, billing profile or billing account, or the Azure subscription creator role on the invoice section
Your company has three virtual machines (VMs) that are included in an availability set. You try to resize one of the VMs, which returns an allocation failure message. It is imperative that the VM is resized. Which of the following actions should you take? A. You should only stop one of the VMs B. You should stop two of the VMs C. You should stop all three VMs D. You should remove the necessary VM from the availability set
You should stop all three VMs. The same hardware must be used to host all VMs in a cloud service (for classic deployment model) or all VMs in an availability set (for Azure Resource Manager deployment model).
Azure PowerShell
A module that you add to Windows PowerShell 5.1 or to cross-platform PowerShell 7 (formerly PowerShell Core) that enables you to connect to your Azure subscription and manage resources. PowerShell provides services such as the shell window and command parsing; the module adds the Azure-specific cmdlets. For example, the New-AzVM cmdlet (New-AzureRmVM in the retired AzureRM module) creates a virtual machine for you inside your Azure subscription.
PIN
a secret that is unique to the device the user is authenticating from
Custom Script Extension timeout after: A. 30 minutes B. 45 minutes C. 90 minutes D. Never
after 90 minutes.
Administrative units
can limit the scope of roles to a subset of users (and groups)
Azure AD does not support some domain services when ________
completing a lift and shift of legacy, domain-joined workloads from on-prem to Microsoft Azure: Azure AD does not provide Kerberos/NTLM authentication, LDAP or Group Policy, so such workloads need Azure AD Domain Services or domain controllers running in Azure
Azure PowerShell and Azure Command-Line Interface (CLI)
for command line and automation-based interactions with Azure
An Azure subscription can be associated to ________
exactly one Azure Active Directory (Azure AD) tenant (directory) at a time; a tenant can be trusted by many subscriptions, and a subscription can be moved to a different tenant
passwordreset.microsoftonline.com
self-service password reset
Azure AD Connect
synchronizes user identities between on-premises Active Directory and Azure AD for seamless Single Sign On (SSO)
B2B guest in Azure AD
the designation for people in other organizations that you want to collaborate with in Azure. Users can: - be a member of their own org's Azure AD - have an existing Microsoft account - have a Google account - utilize a one-time passcode (OTP) - federate via SAML/WS-Fed
For every 1 user that is leveraging MFA within a Premium P1 or P2 Azure AD ______
up to 5 guests can also leverage MFA
mystaff.microsoft.com
user and group management if you have branch offices. Limited visibility into the full functionality of Azure AD (follows least privilege)
The --help argument
will get you more detailed information on the command, and for a command group, with a list of the available subcommands.
az find
will help you locate the commands that you need in order to execute a task
