Nazaudy, a spark in your curious mind

Lab Setup for Microsoft Exam Azure AZ-104

Yes, you know it well, the AZ-104 is the big one, the kind of stepping stone that will give you access to the amazing hall of Azure that lies beyond the threshold

Core Exams Domains:

  • Identities and Governance; managing Azure identities and governance of Azure Cloud
  • Storage; implementing Azure storage solutions
  • Compute; managing Azure compute resources
  • Virtual Monitoring; configuring Azure virtual networking solutions
  • Monitor & Backup; implementing monitoring solutions and configuring backup services for disaster recovery

The main points in this article are:

  1. Azure Administration
  2. Governance and Compliance
  3. Identity (Microsoft Entra ID)
  4. Storage Account


1. Azure Administration

Cloud is made of Resources, and in Azure we group them into "Resources Groups", which are containing into subscriptions. The Azure Resource Manager (ARM) is the orchestration layer for managing the Azure cloud; via REST API endpoints you can use the Azure Portal, CLI or PowerShell to interact with resources

Azure CLI is a command-line utility to managing resources; you can download it locally on your computer and authenticate to Azure using this app to create scripts and automate tasks

az group create -name $rg - location $location

Azure PowerShell is a set of cmdlets to managing resources

New-azResourceGroup -ResourceGroupName $rg -Location $location

Because AZ CLI is object-oriented, you can use the $ sign to create variables that you can later on recall

  • $rg = Get-AzureResourceGroup
  • $rg
  • $rg.resourceID

To create a VM in Azure, do as follows:

  • New-AzResourceGroup -Location westus -Name RG01
  • az vm create --name DemoVM --resource-group RG01--image UbuntuLTS
  • Get-AzResource | Format-Table

Tags; the best way to manage your resources is via Tags, for example you can shutdown or update VMs with a specific tag. They are not inherited from higher scopes like resource groups do, and each object must be tagged independently. You can use Azure Policy to enforce this tagging in your organisation

LockTypes: ReadOnly lock and CanNotDelete lock; locks (unlike tags) are inherited from parent to scope to all the child resources


2. Governance and Complicance

You can use staff like Management Groups, Managing Subscriptions , Azure Policies, Tagging resources and Locking resources too to ensure compliance is effective. Best practices; select the appropriate resource for the use case, understand the resource needs size and re-sizing, deallocate resources when not needed, use cloud capabilities when possible (scalability, elasticity, etc) and finally plan your costs prior to purchase, using these tools that will help you out:

To plan a Cloud Strategy the first thing you should do is to Define the cloud governance needs of the organisation (any GDPR compliance), Plan which tools will you use to implement governance, then get Ready to understand how to use these tools, and finally Adopt and implement governance for the organisation using the Cloud Strategy. You should also check the Azure Blueprints at the time of designing a governance structure. Some of the Government Services are:

  • Management Groups and Subscriptions
  • Azure RBAC
  • Azure Policies
  • Locks and Tagging

Azure Goverment Services


3. Identity (Microsoft Entra ID)

Understand that Organisation = Tenant = Directory is all the same, and they can interact with one or more subscription, but a subscription can only be related to a single tenant. Entra ID is a global service that extends through a geography (tenant), and it contains many features like the core Identity and Access Management (IAM), which provides an identity repository, Identity Security, Collaboration and Development, Monitoring, integration with on-prem AD

Entra ID features

Active Directory; on-prem, hierarchical solution that has Organisational Units, Group Policy Objects, Kerberos, LDAP, NTLM,

Entra ID: cloud-base, global solution with a flat directory structure that has Administrative units, SAML, WS-Federation, OAuth

To create users in Azure you can use Azure Portal >> Microsoft Entra ID >> Add >> New User, or you can use Azure CLI (az ad user create) or PowerShell (New-AzureADUser)

The Microsoft Entra ID Premium 1 (P1) or above will be the licenses that allow you to create dynamic groups, using dynamic groups your can create rules by which user are auto-magically associated membership to those groups

Administrative Units is like the Security Groups in AD, and they function like containers within the Tenant to control the scope of the administrative users, this is Entra ID is a flat structure, but by using Administrative Units, you can limit what admins can do; Administrative Units are normally based on geographical location, business departments, subsidiary organisations, etc

Self-Service Password Reset (SSPR); the process consists of Localization >> Verification >> Authentication >> Password Reset >> Notification

  • Location; provided by the Mobile app authenticator or any other app where a mobile code is sent to the user, you can also use an email, phone call or SMS message as well as the office phone (the least recommended method because anybody can virtually answer the office phone)
  • Guess what? In order to use SSPR you need to be license for it, you need to have Azure AD P1 or P2, Microsoft Apps for Business or Microsoft 365 licensing

Azure Device Management; you can register devices in different ways:

  • AD Registered; the least restrictive option, allowing to BYOD with a personal MS or local account
  • AD Joined; the device is owned by the organisation, and the access is given via a work account
  • Hybrid AD Joined; similar to AD Joined, but these devices can exist both in the cloud and on-prem

Azure AD Roles; there are a few high Azure roles that we need to pay attention to:

  • Global Administrator; provide the ability to manage AD resources entirely
  • Billing Administrator; can perform billings task
  • User Administrator; can manage users and groups
  • Help-desk Administrator; perform password reset for users and other help functions

Azure Roles (referred as RBAC roles) control access to Azure resources and have the scope management of subscriptions, group, resources groups and of course resources, while Entra ID Roles control access to AD resources at the scope of the Azure AD Tenant. By default Azure Cloud has Implicit Deny, and you need to allow Explicit Allow -by creating specific Role Assignments- if you want a user to have access to a subscription/resource


4. Storage Account

Underneath the Storage Account, you have sub services like:

  • Azure Queue; message-base storage for microservices
  • Azure Table; non-relational,semi-structure data
  • Azure Files ; cloud base file-sharing services
  • Azure Blob; object-oriented storage solution

Components of Storage Accounts are the sort to Account Type, which determines the features and cost, the Performance Tier, Replication and Access Tier, been this one having an impact in access levels and data costs

The well-known principle of 3-2-1 indicates that in order to consider that you data you need to have it in 3 different places, Azure provides that by using:

Zone-Redundant-Service (ZRS); you have your data in more than one region