Prerequisites for Azure administrators
Access management (Azure AD)
Manages access to Azure AD resources
Azure Storage
Microsoft's cloud storage solution for modern data storage scenarios. It offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.
Azure Active Directory (Azure AD)
Microsoft's multi-tenant, cloud-based directory and identity management service. Azure AD helps to support user access to resources and applications.
To satisfy the finance team's request for billing by department, multiple resource groups have been created and the resource tags applied. What's the next step?
Create an Azure policy. An Azure policy requires that a resource tag is applied before the resource is created.
Configure Azure Device Update for IoT Hub accounts to disable public network access
Disable public network access for your Device Update for IoT Hub resources. This policy is located under the Internet of Things category.
Azure Storage security strategies
Encryption, authentication, data in transit, disk encryption, shared access signatures, authorization.
Azure Table storage
A NoSQL store that hosts unstructured data independent of any schema
Role definitions
Roles can be defined via the Azure admin portal, the Microsoft 365 admin portal, Microsoft Graph, and Azure AD PowerShell.
Get-AzContext
determine which subscription is active
Where does a resource get role assignments from?
Its parent resource.
Azure Resource Manager Templates
JSON files that define the infrastructure and configuration of resources in Azure.
Your users want to sign in to devices, apps, and services from anywhere. Users want to sign in by using an organizational work or school account instead of a personal account. What should you do first? Enable the device in Azure AD. Join the device to Azure AD. Register the device with Azure AD.
Join the device to Azure AD.
Azure Policy
A service in Azure that you use to define, assign, and manage standards for resources in your environment. It can prevent the creation of disallowed resources, ensure new resources have specific settings applied, and run evaluations of your existing resources to scan for non-compliance.
Federation services:
Azure AD includes federation services, and many third-party services like Facebook.
REST API queries:
Azure AD is based on HTTP and HTTPS protocols. Azure AD tenants can't be queried by using LDAP. Azure AD uses the REST API over HTTP and HTTPS.
How is access revoked?
By removing the role assignment
Premium page blobs
Premium high-performance storage account for page blobs only. Page blobs are ideal for storing index-based and sparse data structures, such as operating systems, data disks for virtual machines, and databases.
What is in the Azure Powershell Module?
Resource groups, storage, VMs, Azure AD, containers, machine learning.
What are some examples of things that can be done on the Azure portal?
Search resources, services, and docs. Manage resources. Create customized dashboards and favorites. Access the Cloud Shell. Receive notifications. Links to the Azure documentation.
Cost: Pricing Calculator
The Pricing Calculator provides estimates in all areas of Azure, including compute, networking, storage, web, and databases.
What kind of account would you create to allow an external organization easy access?
A guest user account for each member of the external team.
Cost: Azure Hybrid Benefits
Access pricing benefits if you have a license that includes Software Assurance. Azure Hybrid Benefits helps maximize the value of existing on-premises Windows Server or SQL Server license investments when migrating to Azure. There's an Azure Hybrid Benefit Savings Calculator to help you determine your savings.
Access Rights: Assigned
Add specific users as members of a group, where each user can have unique permissions.
Group assignment
Assign a group the required access rights, and members of the group will inherit those rights.
Direct assignment
Assign a user the required access rights by directly assigning a role that has those access rights.
Your company is building a video-editing application that will offer online storage for user-generated video content. The videos will be stored in Azure Blobs. An Azure storage account will contain the blobs. It's unlikely the storage account would ever need to be removed and recreated. Which tool is likely to offer the quickest and easiest way to create the storage account: Azure portal, Azure CLI, or Azure PowerShell?
Azure portal
The Azure CLI can be installed on which of the following: Linux, Windows, or both?
Both
Consider the following characteristics of Azure management groups:
By default, all new subscriptions are placed under the top-level management group, or root group. All subscriptions within a management group automatically inherit the conditions applied to that management group. A management group tree can support up to six levels of depth. Azure role-based access control authorization for management group operations isn't enabled by default.
There are several Azure policies that need to be applied to a new branch office. What's the best approach?
Create a policy initiative. A policy initiative is a set of policy definitions that could be applied to the new branch office.
Storage version
For Azure Storage version 2012-02-12 and later, this parameter indicates the storage service version to use. In the example, the value 2015-04-05 indicates that version 2015-04-05 (April 5, 2015) should be used.
Geo-zone-redundant storage (GZRS)
Geo-zone-redundant storage combines the high availability of zone-redundant storage with protection from regional outages as provided by geo-redundant storage. Data in a GZRS storage account is replicated across three Azure availability zones in the primary region, and also replicated to a secondary geographic region for protection from regional disasters. Each Azure region is paired with another region within the same geography, together making a regional pair.
Guest user
Guest user accounts are defined outside Azure. Examples include user accounts from other cloud providers, and Microsoft accounts like an Xbox LIVE account. The source for guest user accounts is Invited user. Guest user accounts are useful when external vendors or contractors need access to your Azure resources.
Azure Resource Manager templates are idempotent. This means:
If the resource already exists and no change is detected in the properties, no action is taken. If the resource already exists and a property has changed, the resource is updated. If the resource doesn't exist, it's created.
Azure Active Directory Microsoft 365 Apps
In addition to the Free features, this edition provides Identity and Access Management for Microsoft 365 apps. The extra support includes branding, MFA, group access management, and self-service password reset for cloud users.
Who can use Microsoft 365 groups?
Normal users and Azure AD admins can both use Microsoft 365 groups.
Allowed locations
Restrict the locations users can specify when deploying resources. Use this policy to enforce your geo-compliance requirements. This policy is located under the General category.
Scope assignment (Azure RBAC)
Scope can be specified at multiple levels, including management groups, subscriptions, resource groups, and resources
resource tagging
The process of tagging cloud resources with identifiers that allow them to be categorized and grouped into logical units.
Access Rights: Dynamic User
Use dynamic membership rules to automatically add and remove group members. When member attributes change, Azure reviews the dynamic group rules for the directory. If the member attributes meet the rule requirements, the member is added to the group. If the member attributes no longer meet the rule requirements, the member is removed.
Cost: Azure Credits
Use the monthly credit benefit to develop, test, and experiment with new solutions on Azure. As a Visual Studio subscriber, you could use Microsoft Azure at no extra charge. With your monthly Azure credit, Azure is your personal sandbox for development and testing.
Directory-synchronized identity
User accounts that have a directory-synchronized identity are defined in an on-premises Active Directory. A synchronization activity occurs via Azure AD Connect to bring these user accounts into Azure. The source for these accounts is Windows Server Active Directory.
Can multiple subscriptions be linked to the same Azure account?
Yes. Multiple subscriptions can be linked to the same Azure account.
Premium editions are available through:
a Microsoft Enterprise Agreement, the Open Volume License Program, and the Cloud Solution Providers program. Azure and Microsoft 365 subscribers can also buy Azure Active Directory Premium P1 and P2 online.
Standard Account Tier (Storage)
backed by magnetic hard disk drives (HDD). A standard storage account provides the lowest cost per GB. You can use Standard tier storage for applications that require bulk storage or where data is infrequently accessed.
role definition
consists of sets of permissions that are defined in a JSON file. Each permission set has a name, such as Actions or NotActions, that describes the purpose of the permissions.
Azure management groups
containers for managing access, policies, and compliance across multiple Azure subscriptions. They provide a level of scope and control above your subscriptions.
Azure Active Directory Premium P1
edition lets your hybrid users access both on-premises and cloud resources. This edition supports advanced administration like dynamic groups, self-service group management, and cloud write-back capabilities. P1 also includes Microsoft Identity Manager, an on-premises identity and access management suite. The extra features in P1 allow self-service password reset for your on-premises users.
Determine compliance
evaluate the state of compliance for all your resources. Individual resources, resource groups, and subscriptions within a scope can be exempted from having the policy rules affect them. Exclusions are handled individually for each assignment.
cost analysis
features to explore and analyze your organizational costs. You can view aggregated costs by organization to understand where costs are accrued, and to identify spending trends. Monitor accumulated costs over time to estimate monthly, quarterly, or even yearly cost trends against a budget.
PowerShell Modules
A PowerShell module is a DLL that includes the code to process each available cmdlet. You load cmdlets into PowerShell by loading the module in which they're contained. You can get a list of loaded modules using the Get-Module command.
Azure AD Concept: Identity
is an object that can be authenticated. The identity can be a user with a username and password. Identities can also be applications or other servers that require authentication by using secret keys or certificates. Azure AD is the underlying product that provides the identity service.
AssignableScopes permissions
list the scopes where a role definition can be assigned.
Role-based access control (RBAC) for Azure resources
manage access to Azure resources like virtual machines, SQL databases, or storage. For example, you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription.
Azure Blob Hot Tier
optimized for frequent reads and writes of objects in the Azure storage account. A good usage case is data that is actively being processed. By default, new storage accounts are created in the Hot tier. This tier has the lowest access costs, but higher storage costs than the Cool and Archive tiers.
Connect-AzAccount
prompts for your Azure credentials, then connects to your Azure subscription.
Azure RBAC
provides built-in roles and permission sets. You can also create custom roles and permissions.
Azure Active Directory Free
provides user and group management, on-premises directory synchronization, and basic reports. Single sign-on access is supported across Azure, Microsoft 365, and many popular SaaS apps.
NotActions permissions
specify what actions aren't allowed
Consider budget options
The product helps you plan for and meet financial accountability in your organization. You can utilize analysis data to inform others about their spending to proactively manage costs.
If you delete a user account by mistake, can it be restored?
The user account can be restored, but only if it was deleted within the last 30 days.
Flat structure:
There are no organizational units (OUs) or group policy objects (GPOs).
Azure Blob Storage lifecycle management policy rules
Transition blobs to a cooler storage tier (Hot to Cool, Hot to Archive, Cool to Archive) to optimize for performance and cost. Delete blobs at the end of their lifecycles. Define rule-based conditions to run once per day at the Azure storage account level. Apply rule-based conditions to containers or a subset of blobs.
Rule-based assignment:
Use rules to determine group membership based on user or device properties.
Azure Virtual Machines
Windows or Linux virtual machines (VMs) hosted in Azure are the basis of the Azure infrastructure as a service (IaaS) model. IaaS is an instant computing infrastructure, provisioned and managed over the internet.
Does every Azure cloud service belong to a subscription?
Yes. Every Azure cloud service belongs to a subscription.
Can more than one Azure account be linked to the same subscription?
Yes. More than one Azure account can be linked to the same subscription.
Managed service:
You manage only users, groups, and policies. If you deploy AD DS with virtual machines by using Azure, you manage many other tasks, including deployment, configuration, virtual machines, patching, and other backend processes.
effective permissions for a requestor are
a combination of the permissions for the requestor's assigned roles, and the permissions for the roles assigned to the requested resources
What is Azure PowerShell?
a module that you can install for Windows PowerShell or PowerShell Core, which is a cross-platform version of PowerShell that runs on Windows, Linux, or macOS.
Structured data
can be stored by using Azure Table Storage, Azure Cosmos DB, and Azure SQL Database. Azure Cosmos DB is a globally distributed database service. Azure SQL Database is a fully managed database-as-a-service built on SQL.
Azure AD Concept: Account
an identity that has data associated with it. To have an account, you must first have a valid identity. You can't have an account without an identity.
Azure Blob Archive Tier
an offline tier that's optimized for data that can tolerate several hours of retrieval latency. Data must remain in the Archive tier for at least 180 days or be subject to an early deletion charge. Data for the Archive tier includes secondary backups, original raw data, and legally required compliance information. This tier is the most cost-effective option for storing data. Accessing data is more expensive in the Archive tier than accessing data in the other tiers.
Premium Account Tier (Storage)
backed by solid-state drives (SSD) and offers consistent low-latency performance. You can use Premium tier storage for Azure virtual machine disks with I/O-intensive applications like databases.
Premium Blob Storage
best suited for I/O-intensive workloads that require low and consistent storage latency. Premium Blob Storage uses solid-state drives (SSDs) for fast and consistent response times. This storage is best for workloads that perform many small transactions. An example would be a mapping application that requires frequent and fast updates.
What does the Azure web portal let you do?
build, manage, and monitor everything from simple web apps to complex cloud applications in a single, unified console
Who can implement security groups in Azure?
Security groups can be implemented only by an Azure AD administrator.
Unstructured data
can be stored by using Azure Blob Storage and Azure Data Lake Storage. Blob Storage is a highly scalable, REST-based cloud object store. Azure Data Lake Storage is the Hadoop Distributed File System (HDFS) as a service.
Azure AD Feature: Cloud extensibility
can extend to the cloud to help you manage a consistent set of users, groups, passwords, and devices across environments.
Azure AD Feature: Secure remote access
can include multifactor authentication (MFA), conditional access policies, and group-based access management. Users can access on-premises web apps from everywhere, including from the same portal.
Unexpected Downtime
Occurs when the hardware or the physical infrastructure for your virtual machine fails unexpectedly. Unexpected downtime can include local network failures, local disk failures, or other rack-level failures. When detected, the Azure platform automatically migrates (heals) your virtual machine to a healthy physical machine in the same datacenter. During the healing procedure, virtual machines experience downtime (reboot) and in some cases loss of the temporary drive.
What is the Az PowerShell module?
contains cmdlets to work with Azure features. It contains hundreds of cmdlets that let you control nearly every aspect of every Azure resource. You can work with resource groups, storage, virtual machines, Azure Active Directory, containers, machine learning, and so on. This module is an open-source component available on GitHub.
New-AzVm
create a virtual machine. The cmdlet has many parameters to let it handle the large number of VM configuration settings. Most of the parameters have reasonable default values, so we only need to specify five things: ResourceGroupName (the resource group into which the new VM will be placed); Name (the name of the VM in Azure); Location (the geographic location where the VM will be provisioned); Credential (an object containing the username and password for the VM admin account; we'll use the Get-Credential cmdlet, which prompts for a username and password and packages them into a credential object); and Image (the operating system image to use for the VM, which is typically a Linux distribution or Windows Server).
New-AzResourceGroup
create resource groups. You must specify a name and location. The name must be unique within your subscription.
Azure Active Directory Premium P2
edition offers Azure AD Identity Protection to help provide risk-based Conditional Access to your apps and critical company data. Privileged Identity Management is included to help discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed.
Planned maintenance
events are periodic updates made by Microsoft to the underlying Azure platform to improve overall reliability, performance, and security of the platform infrastructure that your virtual machines run on. Most of these updates are performed without any impact to your virtual machines or Cloud Services.
Fault Domain
a group of virtual machines that share a common set of hardware (or switches) and therefore a single point of failure. An example is a server rack serviced by a set of power or networking switches.
Owner built-in role
has the highest level of access privilege in Azure.
Availability zones
a high-availability offering that protects your applications and data from datacenter failures. An availability zone in an Azure region is a combination of a fault domain and an update domain.
Actions permissions
identify what actions are allowed
DataActions permissions
indicate how data can be changed or used.
What is the Azure Cloud Shell?
interactive, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work. Linux users can opt for a Bash experience, while Windows users can opt for PowerShell.
Azure Bicep
is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse.
Azure AD Concept: Azure tenant (directory)
is a single dedicated and trusted instance of Azure AD. Each tenant (also called a directory) represents a single organization. When your organization signs up for a Microsoft cloud service subscription, a new tenant is automatically created. Because each tenant is a dedicated and trusted instance of Azure AD, you can create multiple tenants or instances.
PowerShell script
is a text file containing commands and control constructs. The commands are invocations of cmdlets. The control constructs are programming features like loops, variables, parameters, comments, etc., supplied by PowerShell. PowerShell script files have a .ps1 file extension. You can create and save these files with any text editor.
How do You Access Azure Powershell?
is available in two ways: inside a browser via the Azure Cloud Shell, or with a local installation on Linux, macOS, or the Windows operating system. In both cases, you have two modes from which to choose: you can use it in interactive mode, in which you manually issue one command at a time, or in scripting mode, where you execute a script that consists of multiple commands.
Azure AD Concept: Azure AD account
is an identity that's created through Azure AD or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Azure AD and are accessible to your organization's cloud service subscriptions. The Azure AD account is also called a work or school account.
Azure Blob Cool Tier
is optimized for storing large amounts of data that's infrequently accessed. This tier is intended for data that remains in the Cool tier for at least 30 days. A usage case for the Cool tier is short-term backup and disaster recovery datasets and older media content. This content shouldn't be viewed frequently, but it needs to be immediately available. Storing data in the Cool tier is more cost-effective.
Virtual machine data
is provided through Azure managed disks. Data disks are used by virtual machines to store data like database files, website static content, or custom application code. The number of data disks you can add depends on the virtual machine size. Each data disk has a maximum capacity of 32,767 GB.
What is the purpose of a role assignment?
is to control access
Azure AD Concept: Azure subscription
is used to pay for Azure cloud services. A subscription is linked to a credit card. Each subscription is joined to a single tenant. You can have multiple subscriptions.
a virtual machine provides
its own operating system, storage, and networking capabilities, and can run a wide range of applications
Scope the initiative definition
limit the <blank> of an initiative definition to specific management groups, subscriptions, or resource groups.
scope
limits which permissions defined for a role are available for the assigned requestor
Azure subscription
logical unit of Azure services that's linked to an Azure account. An Azure account is an identity in Azure Active Directory (Azure AD) or a directory that's trusted by Azure AD, such as a work or school account. Subscriptions help you organize access to Azure cloud service resources, and help you control how resource usage is reported, billed, and paid.
Azure Blob Storage (containers)
massively scalable object store for text and binary data
Azure Queue Storage
messaging store for reliable messaging between application components.
A strong SSPR plan offers
multiple authentication methods for the user. Options include email notification, text message, or a security code sent to the user's mobile or office phone. You can also offer the user a set of security questions.
Unplanned Hardware Maintenance
occurs when the Azure platform predicts that the hardware or any platform component associated to a physical machine is about to fail. When the platform predicts a failure, it issues an unplanned hardware maintenance event. Azure uses Live Migration technology to migrate your virtual machines from the failing hardware to a healthy physical machine. Live Migration is a virtual machine preserving operation that only pauses the virtual machine for a short time, but performance might be reduced before or after the event.
blob object replication
Copies blobs in a container asynchronously according to policy rules that you configure. During the replication process, the following contents are copied from the source container to the destination container: the blob contents, the blob metadata and properties, and any versions of data associated with the blob.
Microsoft Cost Management
provides support for administrative billing tasks and helps you manage billing access to costs. You can use the product to monitor and control Azure spending, and optimize your Azure resource usage.
What does Azure AD Join do with your device?
provides the benefits of registering, and also changes the local state of the device. Changing the local state enables your users to sign into a device by using an organizational work or school account instead of a personal account.
Geo-Redundant Storage (GRS)
replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). GRS provides a higher level of durability even during a regional outage. GRS is designed to provide at least 99.99999999999999% (16 9's) durability. When your storage account has GRS enabled, your data is durable even when there's a complete regional outage or a disaster where the primary region isn't recoverable.
Get-AzResourceGroup
retrieve a list of all Resource Groups in the active subscription.
Private Cloud
serves only one customer or organization and can be located on the customer's premises or off the customer's premises
Azure Blob Storage
service that stores unstructured data in the cloud as objects or blobs. Blob stands for Binary Large Object. Blob Storage is also referred to as object storage or container storage.
What are security groups used for?
set permissions for all group members at the same time, rather than adding permissions to each member individually
cmdlets
specialized commands for completing common tasks in PowerShell. A cmdlet is a command that manipulates a single feature.
Premium block blobs
storage account for block blobs and append blobs. Recommended for applications with high transaction rates. Use Premium block blobs if you work with smaller objects or require consistently low storage latency. This storage is designed to scale with your applications.
zone-redundant storage (ZRS)
synchronously replicates your data across three storage clusters in a single region. Each storage cluster is physically separated from the others and resides in its own availability zone. Each availability zone, and the ZRS cluster within it, is autonomous, and has separate utilities and networking capabilities. Storing your data in a ZRS account ensures you can access and manage your data if a zone becomes unavailable. ZRS provides excellent performance and low latency.
What does registering your device with Azure do?
Provides the device with an identity that's used to authenticate the device when a user signs into Azure AD. You can use the identity to enable or disable the device.
What are Microsoft 365 Groups?
to enable group access for guest users outside your Azure AD organization.
Azure AD roles
to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more.
Azure AD Feature: Single sign-on (SSO) access
to web apps on the cloud and to on-premises apps. Users can sign in with the same set of credentials to access all their apps.
Access Rights: Dynamic Device
(Security groups only) Apply dynamic group rules to automatically add and remove devices in security groups. When device attributes change, Azure reviews the dynamic group rules for the directory. If the device attributes meet the rule requirements, the device is added to the security group. If the device attributes no longer meet the rule requirements, the device is removed.
policy definition
A policy definition expresses what to evaluate and what action to take. For example, you could prevent VMs from being deployed if they are exposed to a public IP address. You also could prevent a particular hard disk from being used when deploying VMs to control costs.
initiative definition
A set of policy definitions to help track the compliance state for a larger goal. You can use an <blank> to ensure resources are compliant with security regulations.
Cloud identity
A user account with a cloud identity is defined only in Azure AD. This type of user account includes administrator accounts and users who are managed as part of your organization. A cloud identity can be for user accounts defined in your Azure AD organization, and also for user accounts defined in an external Azure AD instance. When a cloud identity is removed from the primary directory, the user account is deleted.
Identity Solution
AD DS is primarily a directory service, while Azure AD is a full identity solution. Azure AD is designed for internet-based applications that use HTTP and HTTPS communications. The features and capabilities of Azure AD target strong identity management.
Contributor
Allows all actions, except writing or deleting role assignments.
Reader
Allows all read actions.
Cost: Budgets
Apply the budgeting features in Microsoft Cost Management to help plan and drive organizational accountability. With budgets, you can account for the Azure services you consume or subscribe to during a specific period. Monitor spending over time and inform others about their spending to proactively manage costs. Use budgets to compare and track spending as you analyze costs.
Which choice correctly describes Azure Active Directory? Azure AD can be queried through LDAP. Azure AD is primarily an identity solution. Azure AD uses organizational units (OUs) and group policy objects (GPOs).
Azure AD is primarily an identity solution
Self-service support
Azure AD lets you delegate tasks to company employees that might otherwise be completed by admins with higher access privileges. Providing self-service app access and password management through verification steps can reduce helpdesk calls and enhance security.
Azure AD Feature: Sensitive data protection
Azure AD offers unique identity protection capabilities to secure your sensitive data and apps. Admins can monitor for suspicious sign-in activity and potential vulnerabilities in a consolidated view of users and resources in the directory.
Azure AD Feature: Ubiquitous device support
Azure AD works with iOS, macOS, Android, and Windows devices, and offers a common experience across the devices. Users can launch apps from a personalized web-based access panel, mobile app, Microsoft 365, or custom company portals by using their existing work credentials.
Azure CLI
Azure CLI is a cross-platform command-line program that connects to Azure and executes administrative commands on Azure resources. Cross platform means that it can be run on Windows, Linux, or macOS.
Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements (SLAs). Azure Policy does this by using policies and initiatives. It runs evaluations of your resources and scans for those not compliant with the policies you have created. For example, you can have a policy to allow only a certain stock keeping unit (SKU) size of virtual machines (VMs) in your environment. Once you implement this policy, it will evaluate resources when you create new ones or update existing ones. It will also evaluate your existing resources.
Azure PowerShell
Azure PowerShell is a module that you add to Windows PowerShell or PowerShell Core that enables you to connect to your Azure subscription and manage resources. Azure PowerShell requires Windows PowerShell to function. PowerShell provides services such as the shell window and command parsing. Azure PowerShell then adds the Azure-specific commands. For example, Azure PowerShell provides the New-AzureRmVM command that creates a virtual machine for you inside your Azure subscription. To use it, you would launch PowerShell, sign in to your Azure account using the command Connect-AzureRMAccount, and then issue a command such as:
ARM Templates
With Azure Resource Manager templates (ARM templates), you can describe the resources you want to use in a declarative JSON format. Benefits: - *Verified* before the code is executed. - The template orchestrates the creation of *many resources in parallel*. - Creates *all dependencies* in the correct order.
What term defines a dedicated and trusted instance of Azure Active Directory? Azure tenant Identity Azure AD account
Azure tenant
Communication protocols:
Because Azure AD is based on HTTP and HTTPS, it doesn't use Kerberos authentication. Azure AD implements HTTP and HTTPS protocols, such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).
How is billing done for Azure?
Billing for Azure services is done on a per-subscription basis
What are the three types of roles available for access management in azure?
Classic subscription administrator roles, Azure role-based access control (RBAC) roles, and Azure Active Directory (Azure AD) administrator roles
Cost: Azure Regions
Compare pricing across regions. Pricing can vary from one region to another, even in the US. Double check the pricing in various regions to see if you can save by selecting a different region for your subscription.
Things to consider when using management groups
Consider custom hierarchies and groups. Align your Azure subscriptions by using custom hierarchies and grouping that meet your company's organizational structure and business scenarios. You can use management groups to target policies and spending budgets across subscriptions. Consider policy inheritance. Control the hierarchical inheritance of access and privileges in policy definitions. All subscriptions within a management group inherit the conditions applied to the management group. You can apply policies to a management group to limit the regions available for creating virtual machines (VMs). The policy can be applied to all management groups, subscriptions, and resources under the initial management group, to ensure VMs are created only in the specified regions. Consider compliance rules. Organize your subscriptions into management groups to help meet compliance rules for individual departments and teams. Consider cost reporting. Use management groups to do cost reporting by department or for specific business scenarios. You can use management groups to report on budget details across subscriptions.
Things to consider when using resource tags
Consider searching on tag data. Search for resources in your subscription by querying on the tag name and value. Consider finding related resources. Retrieve related resources from other resource groups by searching on the tag name or value. Consider grouping billing data. Group resources like virtual machines by cost center and production environment. When you download the resource usage comma-separated values (CSV) file for your services, the tags appear in the Tags column. Consider creating tags with PowerShell or the Azure CLI. Create many resource tags programmatically by using Azure PowerShell or the Azure CLI.
How can you ensure that only cost-effective virtual machine SKU sizes are deployed
Create a policy in Azure Policy that specifies the allowed SKU sizes. There's a built-in Azure policy to specify the allowed virtual machine SKU sizes. After the policy is enabled, it's applied whenever a virtual machine is created or resized.
Resource URI
Defines the Azure Storage endpoint and other parameters. This example defines an endpoint for Blob Storage and indicates that the SAS applies to service-level operations. When the URI is used with GET, the Storage properties are retrieved. When the URI is used with SET, the Storage properties are configured.
Things to know about resource tags
Each resource tag has a name and a value. The tag name remains constant for all resources that have the tag applied. The tag value can be selected from a defined set of values, or unique for a specific resource instance. A resource or resource group can have a maximum of 50 tag name/value pairs. Tags applied to a resource group aren't inherited by the resources in the resource group.
Azure Active Directory comes in four editions:
Free, Microsoft 365 Apps, Premium P1, and Premium P2
Self-Service Password Reset (SSPR)
Gives the users the ability to bypass the helpdesk and reset their own passwords.
What are some features of Azure Cloud Shell?
Is temporary and requires a new or existing Azure Files share to be mounted. Offers an integrated graphical text editor based on the open-source Monaco Editor. Authenticates automatically for instant access to your resources. Runs on a temporary host provided on a per-session, per-user basis. Times out after 20 minutes without interactive activity. Requires a resource group, storage account, and Azure File share. Uses the same Azure file share for both Bash and PowerShell. Is assigned to one machine per user account. Persists $HOME using a 5-GB image held in your file share. Permissions are set as a regular Linux user in Bash.
locally redundant storage (LRS)
Maintains three copies of your data within a single facility in a single region. LRS protects your data from normal hardware failures, but not from the failure of a single facility.
Azure Files
Managed file shares for cloud or on-premises deployments.
Which option can you use to manage governance across multiple Azure subscriptions
Management groups. Management groups facilitate the hierarchical ordering of Azure resources into collections, at a level of scope above subscriptions. Distinct governance conditions can be applied to each management group, with Azure Policy and Azure role-based access control, to manage Azure subscriptions effectively. The resources and subscriptions assigned to a management group automatically inherit the conditions applied to the management group.
Access management (Azure RBAC)
Manages access to Azure AD resources
What should you combine registering your device with?
Microsoft Intune, to provide other device attributes in Azure AD. You can create conditional access rules that enforce access from devices to meet organization standards for security and compliance
Premium file shares
Premium storage account for file shares only. Recommended for enterprise or high-performance scale applications. Use Premium file shares if you require support for both Server Message Block (SMB) and NFS file shares.
Role definitions (Azure RBAC)
Roles can be defined via the Azure portal, the Azure CLI, Azure PowerShell, Azure Resource Manager templates, and the REST API
How do you manage Self Service Password Reset?
SSPR requires an Azure AD account with Global Administrator privileges to manage SSPR options. This account can always reset its own password, no matter what options are configured.
How do you control what users have access to self service password reset?
SSPR uses a security group to limit the users who have SSPR privileges
Cost: Reservations
Save money by paying ahead. You can pay for one year or three years of virtual machine, SQL Database compute capacity, Azure Cosmos DB throughput, or other Azure resources. Pre-paying allows you to get a discount on the resources you use. Reservations can significantly reduce your virtual machine, SQL Database compute, Azure Cosmos DB, or other resource costs, by up to 72% compared with pay-as-you-go prices. Reservations provide a billing discount and don't affect the runtime state of your resources.
Scope assignment (Azure AD)
Scope is specified at the tenant level
Bicep Improvements over JSON
Simpler syntax, modules, automatic dependency management, and type validation and IntelliSense
Storage service
Specifies the Azure Storage to which the SAS applies. This example indicates that the SAS applies to Blob Storage and Azure Files.
Allowed virtual machine size SKUs
Specify a set of VM size SKUs that your organization can deploy. This policy is located under the Compute category.
Standard general-purpose v2
Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.
What are four basic steps to create and work with policy definitions in Azure Policy?
Step 1: Create policy definitions. Step 2: Create an initiative definition. Step 3: Scope the initiative definition. Step 4: Determine compliance.