Manage Azure Subscriptions and Resources

What is Azure Security Center?

Built-in security management system that protects the data center within the Azure Infrastructure. Integrated in the Azure Portal, its easy to audit your environment

What is the link to the Azure Enterprise Portal?

Azure Enterprise: http://ea.azure.com

What is Azure Monitor Alerts?

Azure Monitor alerts can be configured to notify you or your team when your resources are performing at a predetermined level or if a detrimental event has occurred Better Notification— All new alerts use action groups Unified Experience— All alert metrics and logs are in one place View alerts— You can see alerts in your subscription Separation of Fired Alerts and Rules— Alert rules and fired alerts are differentiated. This keeps te operational and configuration views separate Better Workflow— An improved experience that guides you through the process of creating alerts.

What are Resource Groups?

Containers that hold resources, use RBAC to assign access to resources Resources: the actual resources you want to use 1 to many relationships from Azure Enterprise down

What are Action Groups?

Enable you to configure a list of actions to take when the alert is triggered. Ensures the same actions are taking each time an alert is triggered. Action group types - Select Email/SMS/Push/Voice—Provides the ability to send email, SMS, push notification, or a voice call Logic app, Webhook, IT server Management function— Run a logic App, Deploy a Webhook, Integrate with and IT Management service, Run a Function App Automation Runbook— Run an Azure automation runbook

What is Azure Montior?

Enables core monitoring for Azure Services by collecting metrics, activity logs, and diagnostic logs Monitor and Visualize Metrics—Numeral values available from azure resources that help you understand the health and performance of your system Query and Analyze— Activity logs, diagnostics logs, and telemetry are monitoring solutions which can provide useful information through analytic queries Setup Alerts and Actions— Alerts notify you of critical conditions and can take automated corrective actions. Triggers for alerts can be based on metrics or logs

What are the improvements for Metrics?

Improved Latency— New metric alerts can run as frequently as every min Support for Multi-dimensional Metrics— You can set an alert on dimensional metrics to monitor an interesting segment of the metric More control over Metric Conditions— You can define richer alert rules that support monitoring with improved capabilities Combined Monitoring of Multiple Metrics— You can monitor multiole metrics with a single rule Metrics from Logs (preview) - You can extract some data going into Log Analytics and convert it into Azure Metrics. This can be used for alerts like other metrics Signals are emitted— by the target resource and can be of several types. Azure Metrics, Activity Log, and Application Insights

What are the 3 steps to create Alert Rules ?

1. Define the alert condition including the following elements: Target Selection, Alert Criteria, Alert Logic 2. Define the alert details including the following elements: Alert rules name, description, Severity 3. Defining the Action group

What is an Azure Policy?

A Service for creating, assigning and managing policies. Steps to Implement Azure Policy: Browse Policy Definitions— A policy definition expresses what to evaluate and what actions to take Create Initiative Definition— An initiative definition is a set of policy definitions to help track your compliance state for a larger goal Scope the Initiative Definition— You can limit the scope of the initiative definition to management groups, subscriptions, or resources groups Review Evaluation and Manage Exclusions— Once the initiative definition is assigned, you can evaluate the state of compliance for all your resources

What is Azure cost Recommendations?

A web page that can assist you in optimizing and shrinking your total Azure Spending by identifying idle or underutilized resources

What is Identity Access Management?

Access control (IAM) is used to manage access to Azure resources. Below are some of the main elements: Resource Where IAM is opened— Used to identify scope (e.g, resource group, resource, etc.) Add Button— Used to add role assignment Check Access Tab— Used to view assignments for a user Role Assignments Tab— Used to view role assignments at active scope Role Tab— Used to view all roles and permissions

What are the 3 Main roles for Classic Azure Subscription?

Account Administrator— One per Azure account authorized to access the account center Service Administrator— One per Azure subscription, Authorized to access the Azure Portal for all subscriptions in an account. This role has control over all services in the subscription Co-Administrator— Up 200 subscription, Same as the Service Admin, but can't change. The Association of subscriptions to Azure directory

What are some troubleshooting tips for RBAC?

Add Roles Assignment— Disabled or Returns a Permission Error. This means the client ID does not have authorization to perform the action. The User needs the following Action: Microsoft.Authorization/roleAssignments/Write Error Message " No more role assignments can be created (code:RoleAssignmentLimit Exceeded) - The Max limit of role assignments has been reached. As a wotk around, use a group to resuce the number of role assignments. Azure supports up to 2,000 role assign ments per subscription

What are the Azure roles that can be assigned to resources?

Admin Permissions— Admins can perform tasks such as adding or changing users, assigning admin roles, resetting user passwords, managing user licenses, and managing domain names Global Admin— Have access to all admin features . By default, the person who signs up for and Azure Sub is assigned the Global role View Role Membership— You can see an manage all members of admin roles in the AAD portal. When you view a roles members, you can see the complete list permissions granted by the role assignments

What is a Role Assignment?

Associates a security principal to a role and is used to grant access to a rsouce scope. The decoupling allows you to specifiy thata specific role has access to a resource in your subscription and easily add /remove security princpals from that role. User—Roles can be assigned to Org Users that are in AD with which the Azure subscription is associated Groups— Roles can be assigned ot Azure AD security groups A user is automatically granted access to resource if the user becomes a member of the group that has access Service Principals— Service identities are represented as SPs ins the directory. They authenticate with Azure AD and securely communicate with one another Resource scope— Access does not need to be granted to the entire subscription. Roles can be assigned for both resources groups and individual resources In addition to Owner, Contributor, and Reader, Azure provides many other built-in roles to handle most security scenarios Role Definition— Each role is a set of properties defgined in JSON file. Includes name, ID, Desc, permission and scope Action— Allowable permissions are defined as Actions Not Action—Denied permissions are defined as Not Actions

Cost recommendations are divided in to what 4 categories?

Availability, Security, Costs and Performance

What is ARM?

Everything in Azure is a resource and must be assigned to a region. Every resource talks to ARM

What are the Azure AD Roles?

Global Admin, User Admin, Billing Admin

How do you utilize Log Search query functions?

Log Analytics— Use OMS Portal for Log Analytics Connected sources and Data sources— The computers and other re sources that generate data collected by Log Analytics Query— Provides query syntax to quickly retrieve and consolidate data in the repository

What does Azure diagnostic logs do?

Logs provided by the Azure service that give useful data about the operation of Azure resources and services. Update Real time, two types of logs Tenant Logs— Contain activity that occurs at the tenant level but is outside of the subscription Resource Logs— Contain information produced from Azure services which deploy resources in Azure

What is Azure Metrics?

Numerical values that provide details about your Azure Resource ata specific time or over a specified range. This information is collected on a regular basis and has built-in alert options Analyze— Metrics Explorer is used to gather information from different resources for analysis Visualize— With Metrics explorer you can generate a chart for easier analysis and create a workbook to combine data Alert— Alerts can be configured to notify teams or individuals for specific events or triggers Automate— You can use auto scaling to adjust reosuces based on preset metric values Retrieve— Metrics data can be obtained using Powershell Cmdlets, Rest API, and CLI Export—Data can be sent to logs for analysis to Azure Event Hubs, or routed to an external system outside of Azure Achieve— Metrics can be kept for 93 days. Diagnostic logs can be routed to Log Analytics and configured to have a minimum retention of 30 days. Activity log entries are stored for 90 days

What are the Azure RBAC Roles?

Owner, Contributor, Reader, User Access Amin

What is Azure Advisor?

Personalized Cloud Consultant that helps you follow best practices to optimize your Azure deployments

What are the PowerShell Commands for Tagging?

PowerShell Commands for Tagging See existing tags for a resource group Get-AzResourceGroup—Name examplegroup) . Tags Add tags to a resource group without changing existing tags Get-AzResourceGroup—Name examplegroup -Tag @{ Dept= "IT"; Environment= "Test" } Apply all tags from a reousce group to is resources, replacing any existing tags on the resource $gr oups = Get - AzResour ceGr oup f or each ( $g i n $gr oups) { Get - AzResour ce - Resour ceGr oupName $g. Resour ceGr oupName | For Each- Obj ect { Set - AzResour ce - Resour ceI d $_. Resour ceI d - Tag $g. Tags - For ce } }

What are the billing at rest APIs?

Pricing Calculator— Provides estimates in all areas of Azure including com pute, networking, storage, web and DB Billing Alert Services— Provides Ability to create alerts to send email when you approach spending limits Costs Analysis— Supports differen kinfs of Azure Account types and useful for exploring and analyze your organization costs Customize Cost views— There are 4 built-in views: accumulate costs, daily costs, cost by service and cost by resource Download Reports— You can download information from cost analysis to generate a CSV file Cost Analysis Prerequisites— Read access to billing account, department, enrollment account, management group, subscription, or resource group

What is a Custom Role ?

RBAC gives you the ability to grant appropriate access to Azure AD users, groups and services A role defines what actions can be performed on Azure resources—Existing Pre-configured roles are included or your can create custom role, using the following steps: Decide—How to create the role (PS, CLI, Rest API) Determine— the permissions you need Create—The custom role Test— The custom Role Role Descriptions— Built in Role Names include: Owner—Can manage everything including access Contributor— Can we manage everything except access Reader— Can view everything but can't make changes

What are the rules for Azure Resource Groups Policies?

Resource groups at their simplest definition are a container for multiple resources. Resources need to be deployed to a new or existing resource group Rule 1— Resources can only exist in one resource group Rule 2— Resources groups can't be renamed Rule 3— Groups can have resources of many different types called services Rule 4- Resource groups can have resources from many different regions

How do you configure default sign-in tenant for your Azure portal?

Run Set-AzureRmContext [-Tenant <String>] from Azure Cloud Shell

What are the features of Tagging in Azure?

Tags can be found under this area, you can have up to 15 tags per resource or resource group . Setup tag type (category) Tag name and description Not all resources types support Tags

What are the limitations of Tagging?

VM and VM scale sets are limited to 2048 characters for all tag names and values Not inherited by resources are assigned to resource groups Tag Names limited to 512 characters, values limited to 256 charcters Can't be applied to Classic Resources Can't contain these characters < > % /?\

What are Resource Group Locks?

You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only, respectively. CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource. ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role. Read-only lock - Prevents any change to the resources Delete lock— Prevents the deletion of the resource Only Owner and User Admin Access Admin can create or delete management locks Use CLI, PS, Azure Portal and API to Configure resource policies and remove resource groups

What are Departments in Azure?

can be created by the enterprise customer (you don't have to have these)

Where do you Create a subscription in Azure?

created within an account, http://portal.azure.com

Where do you create an Account in Azure?

either created in departments/enterprise or individually http://account.azure.com

What is Alert Management ?

helps view your operations manager and Log Analytics alerts across your entire environment