Azure Administrator (AZ-104)
Owner Role
The built in Azure defined role that allows the user assigned this role to manage resources including giving other users access to the resource. Source: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner
Contributor Role
The built in Azure defined role that allows the user assigned this role to manage resources, but not give access to other users. Source: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
Reader Role
The built in Azure defined role that allows the user assigned this role to view or read the resource but not manager nor grant access to other users. Source: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader
Azure Portal
The login portal for the Azure cloud platform. You can use the UI interface to create, update and delete Azure Resources. You can also create an Azure support ticket from within the UI (based upon your subscription agreement).
Authentication
The process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials, and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
Authorization
The process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.
Application Administrator
This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity.
Application Developer
Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.
Global Administrator
Users who are assigned this role can read and modify every administrative setting in your Azure AD organization. By default this role is given to the user that signed up for the Azure subscription. It is one of the two roles that has an ability to delegate administrator roles. To reduce the risk to your business, it is recommended by Microsoft that you assign this role to the fewest possible people in your organization.
Authentication Administrator
Users with this role can set or reset non-password credentials and can update passwords for all users. Authentication Administrators can require users to re-register against existing non-password credential
A small application that provide post deployment configuration and automated tasks on Azure VM's.
Virtual Machine Extensions
Alert
When a specific event occurs and you would like to be notified of when the event happens.
Synchronously replicates your data across three storage clusters in a single region. Each storage cluster is physically separated from the tohers and resides in it's own availability zone.
Zone Redundant Storage
Azure Key Vault
a centralized cloud service for storing your application secrets. It can help you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
Multi-Factor Authentication
provides additional security for your identities by requiring two or more elements for full authentication. These elements usually fall into three categories: Something you know (password) Something you possess (phone) Something you are (fingerprint)
Azure Cloud Shell
A browser based environment accessed via Azure Portal that can be used to script or send commands that allow you to create, update or delete specific Azure Resources.
Azure Active Directory
A cloud-based identity service. It has built in support for synchronizing with your existing on-premises Active Directory or can be used as a standalone product. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile applications can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.
Azure Advanced Threat Protection
A cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Azure Information Protection
A cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
Azure Marketplace
A collection of additional applications and services to work with Azure to add functionality in your Azure environment.
Azure Logs
A developer created resource used to give you details about a specific event that happened in the past, usually used to record a problem where something caused the application to not run as expected.
Azure Security Center
A monitoring service that provides threat protection across all of your services both in Azure, and on-premises.
Single Sign-On
A service that enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
Azure Regions
A set of data centers deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.
Also known as the account owner, this person is responsible for paying the subscription bill to Microsoft when it is due. Normally, this user has financial responsibilities in your company such as CFO, Accounts Payable Lead etc.
Account Administrator
A collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor and Service Health alerts use these to notify users that an alert has been triggered, it can also be configured to take subsequent actions to help correct the problem that the alert has detected.
Action Group
Give you an ability to take an action any time an alert is triggered. This ensures that every time an alert is triggered the same action will fire off, this could include a messaging componet (SMS, Push Notification, Email or Phone Call), A Function, or even running an automation playbook.
Action Groups
Helps you analyze all of the alerts in your Log Analytics repository. These alerts may have come from a variety of sources including those sources created by Log Analytics or imported from Nagios or Zabbix. The solution also imports alerts from any connected System Center Operations Manager management groups.
Alert Management
Symmetric Encryption
An encryption method in which the same key is used to encrypt and decrypt a message. Also known as private-key encryption.
Asymmetric Encryption
An encryption method that uses a public key and private key pair. Either key can encrypt but a single key can't decrypt its own encrypted data. To decrypt, you need the paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.
These snapshots capture memory content and pending I/O operations. The snapshots use a VSS writer (or pre/post scripts for Linux) to ensure the consistency of the app data before a backup occurs.
Application Consistent Snapshots
A feature of Azure Monitor, is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability.
Application Insights
An identity in Azure Active Directory (AAD) or a directory that is trusted by AAD, such as a work or school organization.
Azure Accounts
Provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as Audit Logs or Operational Logs, since the Administrative category reports control-plane events for your subscriptions.
Azure Activity Logs
A personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.
Azure Advisor
- Get proactive, actionable and personalized best practice recommendations from Azure Advisor - Improve the performance, security and high availability of your resources through recommended actions. - Find ideal opportunities to reduce cost of your current environments
Azure Advisor Features
Azure based service that can backup, protect, and restore your data in the Microsoft Cloud. It replaces your on premise or off-site backup solution with a reliable, secure, cost-competitive, and cloud based backup solution.
Azure Backup
An Azure service that backs up data to the Microsoft Azure cloud. You can back up on-premises machines, workloads, and Azure virtual machines.
Azure Backup Service
A distributed network of servers that can efficiently delivered to uses. They will store cached content on edge servers that are close to end-users. They are typically used to deliver static content such as images, stylesheets, documents, client-side scripts and HTML files.
Azure Content Delivery Network
A service where Microsoft provides you drives to help with solutions for moving your data to the cloud.
Azure Data Box
A storage solution that enables you to seamlessly send data to Azure. It's a virtual device based on a virtual machine provisioned in your virtualized environment or hypervisor. The virtual device resides in your premises and you write data to it using the NFS and SMB protocols. The device then transfers your data to Azure block blob, page blob, or Azure Files.
Azure Data Box Gateway
A service that offers fully managed file shares in the cloud that are accessible via the Server Message Block (SMB) protocol. They can be mounted both by cloud instances and local on premise devices at the same time.
Azure File Shares
A service that allows you to securely transfer a large volume of data to or from the cloud, which can be challenging even with a high speed connection. You can ship both SSD and regular HDD drives to an Azure datacenter to import data into your resource.
Azure Import/Export Service
The following service allows you to scale your applications and create high availability for your services. It will support both inbound and outbound scenarios, providing low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications.
Azure Load Balancer
When you need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The following two locks found in Azure are:
Azure Locks
Enables core monitoring for Azure Services by monitoring and visualizing metrics, querying and analysing activity and diagnostic logs. It's also can help set-up alerts and help you take automated corrective actions.
Azure Monitor
Provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. It's designed to monitor and repair the network health of IaaS products which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.
Azure Network Watcher
A service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
Azure Policies
A service used to create, assign and manage different policies. These policies enforce different rules over your resources so they stay compliant with your corporate standards and service level agreements, The service does this by running evaluations against your resources and scanning for those that are not in compliance with your policies.
Azure Policy
A storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use this service to hold backup data for various Azure services such as Virtual Machines and Azure SQL databases.
Azure Recovery Service Vault
Azure gives you the ability to see the number of resources you've deployed into your subscription and what your limits are. This ability makes it easier for you to track current usage and plan for new deployments in the near future.
Azure Resource Limits
Previously known as diagnostic logs, they are platform logs emitted by Azure resources that describe their internal operation. All resource logs share a common top-level schema with the flexibility for each service to emit unique properties for their own events.
Azure Resource Logs
Allows you to provision your applications or services using a declarative JSON formatted template. In a single template, you can deploy multiple services along with their dependencies. You use the same template to repeatedly deploy your application during every stage of the application life-cycle.
Azure Resource Manager Template
A unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.
Azure Security Center
This service helps ensure business continuity by keeping business applications and workloads running during outages. The service will replicate workloads running on physical and virtual machines from a primary site to a secondary location. When an outage occurs at your primary site, you can then fail over to secondary location, and access applications from there. Once the primary location is back up again, you can switch your workload back to the primary site with ease.
Azure Site Recovery Service
A service you can use to store files, messages, tables and other types of data.
Azure Storage
The billing unit of Azure Services that aggregates all the costs of the underlying resources.
Azure Subscriptions
Used to centralize your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that's available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.
Azure Sync Group
Lets you create and manage a group of identical, load balanced Virtual Machines. The number of Virtual Machines instances can automatically increase or decrease in response to demand or a defined schedule. This service also provides high availability to your applications, and allows you to centrally manage, configure, and update a large number of Virtual Machines.
Azure Virtual Machine Scale Set
Provides the ability to create alerts to send emails when you approach your spending limits.
Billing Alert Service
This storage account specializes in storing your unstructured data as blobs in Azure Storage. It's also known as object storage. It's offered in three different tiers of service: Hot - Fast immediate access for objects that are accessed more frequently Cold - Medium speed for objects that are accessed less frequently Archive - Slow speed for objects that are access on an archival basis.
Blob Storage
A specific Azure Lock type which allows authorized users to be able to read and modify a resource, but they can't delete the resource.
CanNotDelete Lock
When an enterprise becomes to large for a single Service Administrator, the Service Administrator can create this role for other IT administrators to help them out. They will have complete access to the subscription services. They can even add or delete other users in the same role. However, they cannot remove the Service Owner nor do they have access to payment/billing information.
Co-Administrators
Azure provides a set of Billing REST API's that give access to resource consumption and metadata information for your Azure Subscriptions.
Cost Analysis
These snapshots typically occur if an Azure VM shuts down at the time of backup. Only the data that already exists on the disk at the time of backup is captured and backed up
Crash Consistent Snapshots
Useful when one of the predefined roles found in Role Based Access Control doesn't meet your needs, however you are limited to creating a maximum of 2,000 custom roles per subscription.
Custom Role
A tool that can be used to automatically launch and execute VM customization tasks post configurations.
Custom Script Extension Snapshots
Shows a break down of different ways your costs are being impacted. By default there are 4 built-in views: accumulated costs, daily costs, cost by service, and cost by resource.
Customize Cost Views
Unstructured Data
Data that does not adhere to a particular data model or definition, such as text or binary data.
Logs that are provided by the Azure Service that give useful data about the operation of Azure Resources and Services. The Logs are constantly updating in real time to provide an accurate assesment of what is going on in the infrastructure.
Diagnostic Logs
Will allow you to download your cost analysis reports into the .CSV format
Downloads Reports
After setting up a performance baseline you can use Metric Alerts with Dynamic Thresholds is the ability to use machine learning to analyze historic data in order to give suggestions regarding possible service issues.
Dynamic Thresholds
Azure App Service
Enables you to build and host web apps, mobile back ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers auto-scaling and high availability, supports both Windows and Linux, and enables automated deployments from GitHub, Azure DevOps, or any Git repo.
Scaleable Alerting - Very useful when handling multiple resources across multiple subscriptions as hundreds of metrics can be created at one time. Smart Metric Pattern Recognition - Patterns can be detected, allowing the alerting system to use adaptive techniques to resolve problems as necessary. Intuitive Configuration - Setting up metrics is easy and user friendly.
Features found in Dynamic Thresholds
These backups provide consistency by taking a snapshot of all files at the same time.
File-System Consistent
Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage
General Purpose v2 Storage Account
The default and recommended replication option, Sometimes it's called cross-regional replication GRS replicates your data to a secondary region hundreds of miles away from the primary region.
Geo Redundant Storage
A collection of policy definitions that are tailored towards achieving a singular overarching goal. Initiative definitions simplify managing and assigning policy definitions. They simplify by grouping a set of policies as one single item. For example, you could create an initiative titled Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.
Initiative Definition
a low-cost option for protecting your data from local hardware failure. However if a disaster occurs to the entire data center all replicas might be unrecoverable
Local Redundant Storage
A query syntax to quickly retrieve and consolidate data in the repository. You can create and save log searches to directly analyze data in the OMS Portal
Log Analytics Queries
Events that occurred within the system. They can contain different kinds of data and may be structured or free form text with a timestamp.
Logs
Numerical values that describe some aspect of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. Metrics can be aggregated using a variety of algorithms, compared to other metrics, and analyzed for trends over time.
Metrics
Azure Storage Blob
Microsoft's object storage solution for the cloud. It has been optimized for storing massive amounts of unstructured data.
A feature that contains a list of security rules allowing or denying inbound or outbound network traffic, it can be associated either with a Network Subnet or a Network Interface.
Network Security Groups
Azure Metrics
Numerical values that describe some aspect of a system at a particular time. They can be collected at regular intervals and are useful for alerting because they can be sampled frequently, and an alert can be fired quickly with relatively simple logic.
Your current average performance levels and should be used to compare against your future performance levels. Once a proper baseline has been determined you can properly monitor the performance of your resources.
Performance Baseline
A policy definition that has been assigned to take place within a specific scope. This scope could range from a management group to a resource group. The term scope refers to all the resource groups, subscriptions, or management groups that the policy definition is assigned to. Policy assignments are inherited by all child resources. This design means that a policy applied to a resource group is also applied to resources in that resource group. However, you can exclude a sub-scope from the policy assignment.
Policy Assignment
A way to help simplify your policy management by reducing the number of policy definitions you create. You can define parameters when creating a policy to make it more generic. Then you can reuse that policy definition for different scenarios. You do so by passing in different values when assigning the policy definition.
Policy Parameters
A management platform in PowerShell that enables you to manage your IT and development infrastructure with configuration as code.
PowerShell DSC
Provides estimates in all areas of Azure including compute networking, storage, web and databases.
Pricing Calculator
Used for communications with Azure virtual networks and your on premise network, when you use a VPN gateway or ExpressRoute to extend your network to Azure.
Private IP Address
Used for communication with the Internet, including Azure Public-facing services.
Public IP address
A specific Azure Lock type which allows authorized users to be able to read a resource, but they won't be able to updated it or delete it.
ReadOnly Lock
A logical container used to group different Azure services within it. Some things to consider when creating a resource group is: - Grouping resources based on lifecycle and security, could be considered a best practice. - A resource can only belong to one resource group. - Resource Groups can't be renamed. - Resource Groups can contain many different types of resources or services. - Resources that are inside of a resource group can be located in a different region. - Resource Groups cost nothing, you can have as many or as little of them as you wish.
Resource Group
Platform logs emitted by Azure resources that describe their internal operation. They are automatically generated by supported Azure resources, but they aren't collected unless you configure them using a diagnostic setting. Once you create a diagnostic setting you can ship them directly either to the Log Analytics Workspace, Event Hub or Azure Storage.
Resource Logs
The process of associating a role to either a user or group found within your AD. It is used to grant access to a resource scope. This decoupling allows us to determine if a role has access to a specific resource in your subscription.
Role Assignment
The Microsoft recommended way to manage the permissions of your resources. However this will not work with Azure's classic deployment model.
Role-Based Access Control
High - The thresholds will be tight and close to the metric series pattern. An alert rule will be triggered on the smallest deviation, resulting in more alerts. Medium - Less tight and more balanced thresholds, fewer alerts than with high sensitivity (default). Low - The thresholds will be loose with more distance from metric series pattern. An alert rule will only trigger on large deviations, resulting in fewer alerts.
Sensitivity Settings in Dynamic Thresholds
Also known as the Service Owner. This user manages the services that run in Windows Azure. They will have access to and uses the Window Azure Developer Portal or Service Management API to orchestrate the applications and data running in Azure. Normally, the user is a developer, system administrator, or other IT person responsible for IT services in your company.
Service Administrator
Provides delegated access to resources in your storage account, without sharing your account key. It grants granular control over the types of access you give to a user as well as the length of time that you want to give them access for.
Shared Access Signature
Azure Resource Manager
Similar to Terraform, this is the deployment and management service for Azure. It uses Azure's public REST API endpoint to connect to a resources provider, the resource provider then completes the request to either create, update or destroy the resource.
A good way to keep track of your resources is through tagging them. Each "Tag" consists of a Name and a Key Value Pair, such as "Environment" : "Production" where you could tag all your resources that are in production. Tags applied to the resource group are not inherited by the resources in that resource group.
Tagging Resources
Logs that contain activity that occurs at the tenant level but is outside of the Azure subscription.
Tenant Logs
a) Availability - recommendations that will help your resource stay highly available in the scenario of a data center failure. b) Security - recommendations that will help make your resource more secure. c) Costs - recommendations that will make your subscription most cost effective. d) Performance - recommendations that will make your resources perform better against same or larger loads.
The 4 recommendation categories inside Azure Advisor
