Exam Ref AZ-104 Microsoft Azure Administrator Certification and Beyond E-Book

Riaan Lowe

Description

Exam Ref AZ-104 Microsoft Azure Administrator Certification and Beyond covers all the exam objectives and will help you to earn the Microsoft Azure Administrator certification with ease. Whether you’re studying to pass the AZ-104 exam or just want hands-on experience in administering Azure, this AZ-104 study guide will help you to achieve your objectives.
This book covers the latest Azure features and capabilities around configuring, managing, and securing Azure resources. Adhering to Microsoft's AZ-104 exam syllabus, this guide is divided into five modules. The first module will show you how to manage Azure identities and governance. You'll find out how to configure Azure subscription policies at the Azure subscription level and use Azure policies for resource groups. After that, the book covers techniques related to implementing and managing storage in Azure, enabling you to create and manage Azure Storage, including File and Blob storage. In the second module, you’ll learn how to deploy and manage Azure compute resources. The third and fourth modules will teach you about configuring and managing virtual networks and monitoring and backing up Azure resources. Finally, you'll work through mock tests, with answers provided, to prepare for this exam.
By the end of this book, you'll have the skills needed to pass the AZ-104 exam and be able to expertly manage Azure.




Exam Ref AZ-104 Microsoft Azure Administrator Certification and Beyond Second Edition

A pragmatic guide to achieving the Azure administration certification

Riaan Lowe

Donovan Kelly

BIRMINGHAM—MUMBAI

Exam Ref AZ-104 Microsoft Azure Administrator Certification and Beyond Second Edition

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Rahul Nair

Publishing Product Manager: Niranjan Naikwadi

Senior Editor: Arun Nadar

Content Development Editor: Nihar Kapadia

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Project Coordinator: Ajesh Devavaram

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Shankar Kalbhor

Marketing Coordinator: Nimisha Dua

Senior Marketing Coordinator: Sanjana Gupta

First published: May 2019

Second edition: June 2022

Production reference: 2020523

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80181-954-1

www.packt.com

First off, I would like to thank God for the opportunities and intellectual blessing in my life. To my loving wife, Michelle, who always supported me through this process and all the late-evening hot chocolate sessions to get through the work. To my parents, Andrew, Marion, Alf, and Erna – thank you for always believing in me. Lastly, I would like to thank my two loving dogs, Max and Teddy, for being part of my stress relief program when things got hectic.

– Riaan Lowe

To my beautiful and loving wife – thank you for all the support and many sacrifices you have endured with me in making the writing of this book possible. To my kids, Tyler and Bella – thank you for your never-ending enthusiasm, energy, and love. You are the fun and joy in my life. I love you all!

– Donovan Kelly

Contributors

About the authors

Riaan Lowe is a cloud security architect and has been in the industry for nearly 10 years. He is a firm believer in practice what you preach and, therefore, has attained the following relevant certifications, among others: Microsoft Certified Solutions Expert in Azure, Azure Administrator, Azure Security Engineer, Microsoft Certified Solutions Associate (Server), Microsoft Certified Professional, Microsoft Specialist in Virtualization, and Microsoft Certified Trainer. His passion is cloud and cybersecurity, and he likes to share his hard-gained knowledge based on real-world experiences with customers.

One of his favorite quotes is, "Find a job you enjoy doing, and you will never have to work a day in your life" (Mark Twain).

Donovan Kelly is an Azure architect lead with extensive experience in presales, engineering, architecting, and leading teams. He has over 8 years of experience in the public cloud space and over 10 years of experience working in both solution and technical architecture.

Donovan has many Microsoft Azure certifications, including AZ-900, AZ-103, AZ-104, AZ-303, AZ-304, and AZ-500. His passion for training and sharing knowledge with others has culminated in the work on this book, in the hope that those who read it will find value in its pages and learn from the experiences of others that live and breathe this environment daily.

One of his favorite quotes is, "Two roads diverged in a wood; I took the one less traveled by, and that has made all the difference" (Robert Frost).

"All glory to my father, God, who has blessed me with my abilities and opportunities; without Him, all this would not be possible.

I am grateful to those who have given me the opportunity to learn and grow. To all the instrumental leaders in my life – thank you for pushing me to be more. Thanks to my parents for teaching me about a life of gratitude and love, and for always being there for me. Special thanks to Riaan for being pivotal in starting my journey as an author."

About the reviewer

Ricardo Cabral, based in Portugal, is a licensed computer engineer. He has several Microsoft certifications, and he also is a Microsoft Certified Trainer (MCT). He has worked in both administration and development roles, with several years of experience in IT management, development, and projects. He now works as an Azure solution architect and IT trainer. In his free time, he actively participates in, volunteers for, speaks at, and organizes technical community meetings.

"I'd like to thank my family, all my friends, and a special thanks to Eugenia Azevedo, who helped guide me in my decisions and encouraged me in everything that I do. I'd also like to thank Packt Publishing for the opportunity to review this wonderful book."

Based out of Omaha, Nebraska, Vaibhav Gujral is a thought leader and a seasoned cloud professional with over 17 years of extensive experience working with several global clients spanning multiple industries. He specializes in cloud strategy and governance with deep technical expertise in cloud security, cloud architecture, micro-services architecture, and DevOps practices. He helps organizations adopt the cloud the right way by clearly understanding the business drivers and developing a cost-effective solution utilizing suitable architectural patterns and design principles. Vaibhav holds a bachelor of engineering degree and is a Microsoft Azure MVP. He runs Omaha Azure user group and regularly blogs at https://vaibhavgujral.com/.

"I'd like to thank my wife and our two children for their daily support and patience. I'd like to thank my parents, siblings, relatives, friends, and mentors for their guidance and continued support. Finally, I'd also like to thank Packt Publishing for the opportunity to review this book."

Table of Contents

Preface

Part 1: Managing Azure Identities and Governance

Chapter 1: Managing Azure Active Directory Objects

Technical requirements

Creating Azure AD users and groups

Creating users in Azure AD

Creating groups in Azure AD

Creating Azure AD AUs

Managing user and group properties

Managing device settings

Performing bulk updates

Managing guest accounts

Configuring Azure AD join

Configuring SSPR

Summary

Chapter 2: Managing Role-Based Access Control

Technical requirements

Creating a custom RBAC role

Creating a custom role

Providing access to resources by assigning the custom RBAC role

Confirming the role assignment steps

Interpreting access assignments

Summary

Chapter 3: Creating and Managing Governance

Technical requirements

Understanding Azure policies

How does Azure Policy work?

Azure Policy versus RBAC

Working with Azure Policy

Further reading

Applying and managing tags on resources

Tagging strategy

Applying a resource tag

Further reading

Summary

Chapter 4: Managing Governance and Costs

Technical requirements

Managing resource groups

Deploying a resource group

Listing resource groups

Deleting a resource group

PowerShell scripts

Further reading

Configuring resource locks

Permissions required for creating or deleting locks

Adding a resource lock

PowerShell scripts

ARM templates

Further reading

Managing subscriptions

Relationship between Azure AD and subscriptions

Why do we have multiple subscriptions in an environment?

Further reading

Managing costs

Cost Management

Budgets

Cost alerts

Advisor recommendations

Reservations

Further reading

Configuring management groups

Creating a management group

Further reading

Summary

Chapter 5: Practice Labs – Managing Azure Identities and Governance

Technical requirements

Managing Azure AD objects

Lab scenario one

Managing RBAC

Lab scenario two

Lab scenario three

Part 2: Implementing and Managing Storage

Chapter 6: Understanding and Managing Storage

Technical requirements

Understanding Azure storage accounts

Types of storage accounts

Storage access tiers

Azure disk storage

Redundancy

Further reading

Creating and configuring storage accounts

Creating a storage account

PowerShell scripts

Further reading

Using Azure Import/Export

Importing into an Azure job

Exporting from an Azure job

Further reading

Installing and using Azure Storage Explorer

Installation

Configuring Azure Files and Azure Blob storage

Creating an Azure file share

Configuring Azure Blob storage

Configuring storage tiers

Azure URL paths for storage

PowerShell scripts

Further reading

Summary

Chapter 7: Securing Storage

Technical requirements

Configuring network access to storage accounts

Public endpoint and Azure Virtual Network (VNet) integration

Private endpoints

Network routing from storage accounts

PowerShell scripts

Further reading

Storage access keys

Managing access keys

Working with SAS tokens

Types of SAS

Forms of SAS

Generating SAS tokens

Storage access policies

Further reading

Configuring access and authentication

Configuring Azure AD authentication for a storage account

Configuring access to Azure files

Further reading

Copying data by using AzCopy

Downloading and installing

Copying data by using AzCopy

Copying data between containers using AzCopy

Further reading

Configuring storage replication and life cycle

Storage replication and management services

Creating and configuring the Azure File Sync service

Implement Azure Storage replication

Configuring blob object replication

Configuring blob life cycle management

Configuring blob data protection

Further reading

Summary

Chapter 8: Practice Labs – Implementing and Managing Storage

Technical requirements

Managing the Azure Storage lab

The Azure Functions AzCopy lab

Lab steps

Prerequisites

Connecting storage using a private endpoint lab

Lab steps

Summary

Part 3: Deploying and Managing Azure Compute Resources

Chapter 9: Automating VM Deployments Using ARM Templates

Technical requirements

Modifying an ARM template

Configure a VHD template

Deploy from a template

Saving a deployment as an ARM template

Deploying VM extensions

Summary

Chapter 10: Configuring Virtual Machines

Technical requirements

Understanding Azure disks

Disk management options

Disk performance

Disk caching

Disk types

Disk redundancy options

Understanding Azure VMs

VM sizes

Networking

Fault domain versus update domain

Scale sets

Availability sets

Deploying a VM in Azure

PowerShell scripts

Deploying and configuring scale sets

VM management tasks

Managing VM sizes

Adding data disks

Configuring networking

Moving VMs from one resource group to another

Redeploying VMs

Disk encryption in Azure

Configuring ADE

Automating configuration management

Summary

Chapter 11: Creating and Configuring Containers

Technical requirements

Introduction to containers

Containers versus VMs

Isolation

OS

Deployment

Storage persistence

Fault tolerance

ACI

Container groups

Common scenarios

Resources

Networking

Deployment

Docker platform

Docker terminology

Setting up Docker

Creating our first Docker image

AKS

Creating an Azure container registry

Deploying your first Azure container instance

Configuring container groups for Azure container instances

Configuring sizing and scaling for Azure container instances

Deploying AKS

Configuring storage for AKS

Configuring scaling for AKS

Configuring network connections for AKS

Network configuration

Traffic routing

Security

Upgrading an AKS cluster

Summary

Chapter 12: Creating and Configuring App Services

Technical requirements

Understanding App Service plans and App Service

App Service plans

Creating an App Service plan

Creating an app service

PowerShell scripts

Configuring the scaling settings of an App Service plan

PowerShell scripts

Securing an app service

Configuring custom domain names

Configuring a backup for an app service

Configuring networking settings

Configuring deployment settings

Summary

Chapter 13: Practice Labs – Deploying and Managing Azure Compute Resources

Technical requirements

Downloading and extracting files for labs

Managing virtual machines lab

Deploying an Azure Container Instances lab

Deploying an Azure Kubernetes Service lab

Deploying Web App service lab

Summary

Part 4: Configuring and Managing Virtual Networking

Chapter 14: Implementing and Managing Virtual Networking

Technical requirements

Creating and configuring virtual networks, including peering

A VNet overview

An IP addressing overview

Create private and public IP addresses

User-defined routing

Implementing subnets

Configuring endpoints on subnets

Configuring private endpoints

Configuring Azure DNS

Summary

Chapter 15: Securing Access to Virtual Networks

Technical requirements

Associating an NSG with a subnet

Creating NSG rules

Evaluating effective security rules

Implementing Azure Firewall and Azure Bastion

Azure Firewall

Azure Bastion

Summary

Chapter 16: Configuring Load Balancing

Technical requirements

Azure load balancing services

Regional services

Global services

Load balancer service options

SSL offloading

Path-based load balancing

Session affinity

Web application firewall

Azure Load Balancer

Features and capabilities

Load Balancer SKUs

Configuring an ILB

Creating the VNet

Creating the VMs

Creating the load balancer

Creating the health probes

Creating load balancing rules

Testing the load balancer

Configuring a public load balancer

Creating the public load balancer

Creating the VNet and NSG

Creating backend servers

Testing the load balancer

Troubleshooting load balancing

Azure Application Gateway

Configuring Azure Application Gateway

Creating an Azure application gateway

Deploying your web app

Testing the application gateway

Azure Front Door

Summary

Chapter 17: Integrating On-Premises Networks with Azure

Technical requirements

Azure VPN Gateway

S2S VPN connections

Multi-site VPN connections

P2S VPN connections

ExpressRoute

Creating and configuring an Azure VPN gateway

Creating and configuring an Azure VPN gateway

VPN server deployment

S2S VPN Configuration

Verify connectivity via the Azure portal

VNet to VNet connections

Create and configure Azure ExpressRoute

Azure Virtual WAN

Configuring Azure Virtual WAN

Creating a VPN Site

Connecting your VPN site to the hub

Connect to your VPN site

Summary

Chapter 18: Monitoring and Troubleshooting Virtual Networking

Technical requirements

Network Watcher

Monitoring

Network diagnostic tools

Metrics

Logs

Configuring Network Watcher

Network resource monitoring

Managing VNet connectivity

Monitoring on-premises connectivity

Troubleshooting external networking

Summary

Chapter 19: Practice Labs – Configuring and Managing Virtual Networking

Technical requirements

Downloading and extracting files for labs

Virtual network subnetting lab

Global peering interconnectivity Lab

Traffic management lab

Summary

Part 5: Monitoring and Backing Up Azure Resources

Chapter 20: Monitoring Resources with Azure Monitor

Technical requirements

Azure Monitor

The Activity log

Metrics

Alerts

Insights

Diagnostic settings

Service Health

Creating and analyzing metrics and alerts

Creating a VM

Creating a metric

Creating a dashboard

Creating an alert

Configuring diagnostic settings on resources

Triggering an alert

Querying Log Analytics

Creating a Log Analytics workspace

Utilizing log search query functions

Querying logs in Azure Monitor

Configuring Application Insights

Creating your application

Creating your Application Insights resource

Associate your web app with Application Insights

Summary

Chapter 21: Implementing Backup and Recovery Solutions

Technical requirements

Creating a Recovery Services vault

Creating and configuring backup policies

Performing backup and restore operations via Azure Backup

Performing site-to-site recovery via Azure Site Recovery

Configuring and reviewing backup reports

Summary

Chapter 22: Practice Labs – Monitoring and Backing Up Azure Resources

Technical requirements

Downloading and extracting files for labs

Azure Recovery Services Vault with VM backup lab

Azure Monitor lab

Summary

Chapter 23: Mockup Test Questions and Answers

Managing Azure identities and governance (15-20%)

Implement and manage storage (15-20%)

Deploy and manage Azure compute resources (20-25%)

Configure and manage virtual networking (25-30%)

Monitor and back up Azure resources (10-15%)

Mockup test answers

Manage Azure identities and governance

Implement and manage storage

Configure and manage virtual networking (30-35%)

Monitor and back up Azure resources

Other Books You May Enjoy

Part 1: Managing Azure Identities and Governance

This is the first part of the official Microsoft exam objectives and will focus on how to manage identities within Azure, as well as governance.

This part of the book comprises the following chapters:

Chapter 1, Managing Azure Active Directory Objects
Chapter 2, Managing Role-Based Access Control
Chapter 3, Creating and Managing Governance
Chapter 4, Managing Governance and Costs
Chapter 5, Practice Labs – Managing Azure Identities and Governance

Chapter 1: Managing Azure Active Directory Objects

This first chapter of the book focuses on managing Azure Active Directory (Azure AD) objects. In this chapter, you will learn how to create and manage users and groups within Azure AD, including user and group properties. Additionally, we will look at Azure AD's administrative units (AUs) and discover how to create them, alongside managing device settings and performing bulk user updates. You will also learn how to manage guest accounts within Azure AD, configure Azure AD join, and configure Self-Service Password Reset (SSPR).

In brief, in this chapter, the following topics will be covered:

Creating Azure AD users and groups
Creating AUs
Managing user and group properties
Managing device settings
Performing bulk user updates
Managing guest accounts
Configuring Azure AD join
Configuring SSPR

Technical requirements

In order to follow along with the hands-on exercises, you will need access to Azure AD as a global administrator. If you do not have such access, you can enroll for a free account at https://azure.microsoft.com/en-in/free/.

Some of the sections also require an Azure AD Premium P1 license. Luckily, there is a free 1-month trial for students at https://azure.microsoft.com/en-us/trial/get-started-active-directory/.

Creating Azure AD users and groups

Azure AD offers a directory and identity management solution in the cloud. It provides traditional username and password identity management alongside role and permission management. On top of that, it offers enterprise-grade capabilities such as Multi-Factor Authentication (MFA), application and solution monitoring, and alerting.

Azure AD can easily be integrated with your on-premises Active Directory to create a hybrid infrastructure.

Azure AD offers the following pricing plans:

Free: This offers the most basic features, such as support for single sign-on (SSO) across Azure, Microsoft 365, and other popular SaaS applications, Azure Business-to-Business (B2B) for external users, support for Azure AD Connect synchronization, self-service password change, user and group management, and standard security reports.
Office 365 Apps: Specific Office 365 subscriptions also provide some functionality, such as user and group management, cloud authentication (including pass-through authentication, password hash synchronization, and seamless SSO), and more.
Premium P1: This offers advanced reporting, MFA, Conditional Access, Mobile Device Management (MDM) auto-enrollment, Azure AD Connect Health, advanced administration such as dynamic groups and self-service group management, and Microsoft Identity Manager.
Premium P2: In addition to the Free and Premium P1 features, the Premium P2 license includes Azure AD Identity Protection, Privileged Identity Management, access reviews, and entitlement management.

Note

For a detailed overview of the different Azure AD licenses and all the features that are offered in each plan, you can refer to https://www.microsoft.com/nl-nl/security/business/identity-access-management/azure-ad-pricing?rtc=1&market=nl.

Creating users in Azure AD

We will begin by creating a couple of users in our Azure AD tenant from the Azure portal. To do this, perform the following steps:

1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
2. In the left-hand menu, select Azure Active Directory.
3. Under the Manage blade of Azure AD in the left-hand menu, select Users | All users. Then, select the + New user option from the top-level menu, as follows:

Figure 1.1 – The Azure AD Users blade

4. We are going to create three users. Add the values shown in the following screenshot:
Name: PacktUser1
User name: The username is the identifier that the user enters to sign in to Azure AD. Select the domain name that has been configured and add it to the end of the username. The default is usually an onmicrosoft.com domain, but in my case, I have assigned a custom domain name called safezone.fun. In the First name section, I have chosen Packt, and in the Last name section, I have added User1. Therefore, the User name value, in my case, will be PacktUser1@safezone.fun:

Figure 1.2 – The Azure AD user creation page part 1

5. Leave the sections under Groups and Roles in their default settings for now.
6. Next, fill in the following information:
Block sign in: No
Usage location: South Africa
Job title: Azure administrator
Department: IT
Company name: Packt1
Manager: No manager selected:

Figure 1.3 – The Azure AD user creation page part 2

7. Click on Create.
8. Repeat these steps to create two more users: PacktUser2 and PacktUser3.

Now that we have created users in our Azure AD tenant, we can add them to a group in Azure AD.

Creating groups in Azure AD

There are two main group types, as follows:

Security groups: These groups serve the same function as traditional on-premises groups, which is to secure objects within a directory. In this case, it is to secure objects within Azure AD.
Microsoft 365 groups: These groups are used to provide a group of people with access to a collection of shared resources that is not limited to Azure AD but also includes shared mailboxes, calendars, SharePoint libraries, and other Microsoft 365-related services.

Security groups are used as container units to group users or devices together. There are three main membership types for security groups:

Assigned: This is where you manually assign users to a group.
Dynamic user: This is where you specify parameters to automatically group users, for example, grouping all users who have the same job title.
Dynamic device: This is where you specify parameters to automatically group devices, for example, grouping all devices that have the same operating system version.

To create and manage groups from the Azure AD tenant in the Azure portal, you have to perform the following steps:

1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
2. In the left-hand menu, select Azure Active Directory.
3. Under the Manage blade of Azure AD in the left-hand menu, select Groups | All groups. Then, select the + New group option from the top-level menu, as follows:

Figure 1.4 – The Azure AD group creation page part 1

4. Add the following values to create the new group:
Group type: Security
Group name: Azure Admins
Group description: Dynamic group for all Azure Admins
Azure AD roles can be assigned to the group: No
Membership type: Dynamic User
Owners: No owners selected:

Figure 1.5 – The Azure AD group creation page part 2

5. Add a dynamic query, referring to the following screenshot.

For the Dynamic Query rule, the property is jobTitle, the operator is Equals, and the value is Azure administrator, as shown in the following screenshot:

Figure 1.6 – The Azure AD group dynamic query

6. Click on Create.

Tip

Remember that when using dynamic groups, a Premium P1 license needs to be assigned to the user.

Now that we have created the group, it takes around 5 minutes for the dynamic membership to be processed. Refresh the Azure web page, and the users will appear as members of the Azure Admins group that we just created:

Figure 1.7 – The Azure AD group's dynamic group users added automatically based on the membership rules

In this section, we took a look at Azure AD users and groups and created a few accounts. We also created a dynamic membership group to include users via dynamic membership rules.
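The property, operator and value fields filled in for Figure 1.6 are stored by Azure AD as a rule expression, in this case `(user.jobTitle -eq "Azure administrator")`, and membership is recomputed whenever an attribute changes. The following is an added example, not code from the book or from Microsoft: a small Python evaluator for a subset of that rule syntax, run over constructed user records (the three PacktUser accounts plus a constructed non-administrator) so that a rule can be checked against sample attributes before it is applied to a live tenant. It goes beyond the chapter's single Equals rule to `-and`, `-or`, `-not`, `-in` and the string operators; the case-insensitive string comparison and the treatment of a missing attribute as null are assumptions of this model, not a statement of Azure AD's exact semantics.

```python
"""Offline evaluator for a subset of the Azure AD dynamic membership rule syntax.
Constructed model for checking rules against sample records; not Azure AD's own evaluator."""
import re

# Constructed sample records: the chapter's three PacktUser accounts plus a
# non-administrator, so that a rule has something to exclude.
SAMPLE_USERS = [
    {"displayName": "PacktUser1", "jobTitle": "Azure administrator", "department": "IT", "usageLocation": "ZA"},
    {"displayName": "PacktUser2", "jobTitle": "Azure administrator", "department": "IT", "usageLocation": "ZA"},
    {"displayName": "PacktUser3", "jobTitle": "Azure administrator", "department": "IT", "usageLocation": "ZA"},
    {"displayName": "Contractor1", "jobTitle": "Consultant", "department": "Finance", "usageLocation": "GB"},
]
# The rule text that the portal's property/operator/value fields in Figure 1.6 produce.
CHAPTER_RULE = '(user.jobTitle -eq "Azure administrator")'

# Tokens: "quoted string" | -operator | user.attribute | ( ) [ ] , | bare word (null/true/false)
_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|-[A-Za-z]+|user\.\w+|[()\[\],]|[A-Za-z]+')


def tokenize(rule):
    toks = _TOKEN_RE.findall(rule)
    if re.sub(r"\s+", "", "".join(toks)) != re.sub(r"\s+", "", rule):
        raise ValueError(f"unrecognised characters in rule: {rule!r}")  # findall skipped something
    return toks


def _take(toks, expected=None):
    if not toks or (expected is not None and toks[0].lower() != expected):
        raise ValueError(f"expected {expected or 'more input'}, got {toks[:1]}")
    return toks.pop(0)


def _chain(toks, op, operand):  # operand (op operand)*, left-associative
    node = operand(toks)
    while toks and toks[0].lower() == op:
        _take(toks)
        node = (op[1:], node, operand(toks))  # ("or", l, r) / ("and", l, r)
    return node


def _expr(toks):  # or-expr := and-expr (-or and-expr)*; and-expr := unary (-and unary)*
    return _chain(toks, "-or", lambda t: _chain(t, "-and", _unary))


def _unary(toks):  # unary := -not unary | ( or-expr ) | user.<attribute> <operator> literal
    if toks and toks[0].lower() == "-not":
        _take(toks)
        return ("not", _unary(toks))
    if toks and toks[0] == "(":
        _take(toks)
        node = _expr(toks)
        _take(toks, ")")
        return node
    prop, op = _take(toks), _take(toks).lower()
    if not prop.startswith("user.") or not op.startswith("-"):
        raise ValueError(f"expected user.<attribute> <operator>, got {prop!r} {op!r}")
    return ("cmp", prop[len("user."):], op, _literal(toks))


def _literal(toks):  # literal := "string" | null | true | false | [ literal, ... ]
    tok = _take(toks)
    if tok.startswith('"'):
        return tok[1:-1]
    if tok == "[":
        items = [_literal(toks)]
        while toks and toks[0] == ",":
            _take(toks)
            items.append(_literal(toks))
        _take(toks, "]")
        return items
    return {"null": None, "true": True, "false": False}[tok.lower()]


def _norm(value):
    # Assumption of this model: string comparisons are case-insensitive.
    if isinstance(value, list):
        return [_norm(v) for v in value]
    return value.lower() if isinstance(value, str) else value


def evaluate(node, user):
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], user)
    if kind in ("and", "or"):
        left, right = evaluate(node[1], user), evaluate(node[2], user)
        return (left and right) if kind == "and" else (left or right)
    _, prop, op, literal = node
    actual, expected = _norm(user.get(prop)), _norm(literal)  # absent attribute behaves as null
    if op in ("-eq", "-ne"):
        return (actual == expected) == (op == "-eq")
    if op in ("-in", "-notin"):
        return (actual in expected) == (op == "-in")
    if not isinstance(actual, str):
        return op.startswith("-not")  # null never satisfies a positive string test
    if op in ("-contains", "-notcontains"):
        return (expected in actual) == (op == "-contains")
    if op in ("-startswith", "-notstartswith"):
        return actual.startswith(expected) == (op == "-startswith")
    raise ValueError(f"unsupported operator {op}")


def members(rule, users):
    """Return the displayName of every user the rule would place in the group."""
    toks = tokenize(rule)
    tree = _expr(toks)
    if toks:
        raise ValueError(f"trailing input after rule: {toks}")
    return [u["displayName"] for u in users if evaluate(tree, u)]


if __name__ == "__main__":
    print(members(CHAPTER_RULE, SAMPLE_USERS))
```

Running the block prints the three PacktUser accounts for the chapter's rule. The useful habit this supports is to export a handful of real attribute values and run a proposed rule against them before saving it: a rule that matches `-startsWith "azure"` rather than the full job title, or that forgets a `-not`, pulls extra accounts into a group that may carry licenses or, if "Azure AD roles can be assigned to the group" had been set to Yes, directory roles.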

We encourage students to read up further by using the following links, which are based on Azure AD fundamentals such as adding users in Azure AD, assigning RBAC roles, creating Azure AD groups, and also creating dynamic groups in Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

Next, we are going to look at Azure AUs, specifically where they can be used and how to create an AU.

Creating Azure AD AUs

Azure AD AUs are used in scenarios where granular administrative control is required. AUs have the following prerequisites:

An Azure AD Premium P1 license is required for each AU administrator.
An Azure AD Free license is required for AU members.
A privileged role administrator or global administrator is required for configuration.

Tip

AUs can be created via the Azure portal or PowerShell.

The easiest way to explain AUs is by using a scenario. A company called Contoso is a worldwide organization with users across 11 countries. Contoso has decided that each country is responsible for its own users from an administrative point of view. That is where Azure AD AUs come in handy. With AUs, Contoso can group users per country and assign administrators that only have control over these users and cannot administrate users in other countries.

The following diagram displays a high-level overview of how AUs work in the same tenant across different departments. The following example is based on different regions:

Figure 1.8 – An AU overview displaying the separation of users for US sales and UK sales

The following roles can be assigned within an AU:

Authentication administrator
Groups administrator
Help desk administrator
License administrator
Password administrator
User administrator

Important Note

Groups are added to an AU as objects in their own right; the users within such a group are therefore not automatically part of the AU.

Now, let's go ahead and create an AU via the Azure portal:

1. Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
2. In the left-hand menu, select Azure Active Directory.
3. Under the Manage blade of Azure AD in the left-hand menu, select Administrative units and click on + Add:

Figure 1.9 – The AU blade within Azure AD

4. Enter a name for the AU. I'm using South Africa Users. In the Description field, it is best practice to add a brief description of what this AU is going to be used for:

Figure 1.10 – The creation blade for an AU

5. Next, under Assign roles, add the users that you want to be administrators, based on the available roles. Select Password administrator and choose PacktUser1.
6. Click on Review + create:

Figure 1.11 – The AU summary page

7. The next step is to add all the users you want PacktUser1 to manage; in our case, we need to add PacktUser1, PacktUser2, and PacktUser3. On the left-hand side, under Manage, click on Add member and select the members:

Figure 1.12 – Adding users to the AU

Now you will see that all three users have been added to the AU:

Figure 1.13 – Displaying the users added to the AU

You can now log in with PacktUser1, and you should be able to reset the password of PacktUser2.

Important Note

Remember, you need to assign an Azure AD P1 license to administrators within the AU.

In this section, we explained what an AU is and how it can be used. Additionally, we went through the creation of an AU step by step.
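The Important Note above is where AU scoping is most often misread: adding a group to an AU scopes the group object, not its members, and a role assigned within an AU reaches only that AU's direct members. The following is an added example, not code from the book or from Microsoft: a small Python model of a tenant with users, groups, AUs and role assignments, against which PacktUser1's scoped Password administrator role can be queried. PacktUser1 to PacktUser3, the South Africa Users AU and the Password administrator assignment come from the chapter; PacktUser4, PacktUser5 and the Finance group are constructed here to show the two boundaries (a user outside the AU, and a user who is only in a group that was added to the AU).

```python
"""Offline model of how an Azure AD administrative unit (AU) scopes a role assignment.
Constructed example, not Azure's code. It encodes two rules from the chapter: a role
assigned within an AU applies only to that AU's direct members, and a group added to an
AU is scoped as an object, so its members do not thereby become AU members."""
from __future__ import annotations

from dataclasses import dataclass, field

PASSWORD_ADMIN = "Password administrator"


@dataclass
class Tenant:
    users: set[str] = field(default_factory=set)
    groups: dict[str, set[str]] = field(default_factory=dict)        # group -> user members
    au_objects: dict[str, set[str]] = field(default_factory=dict)    # AU -> objects added directly
    tenant_roles: dict[str, set[str]] = field(default_factory=dict)  # user -> tenant-wide roles
    scoped_roles: dict[str, set[tuple[str, str]]] = field(default_factory=dict)  # user -> {(role, AU)}

    def add_group(self, name: str, members: list[str]) -> None:
        self.groups[name] = set(members)
        self.users.update(members)

    def add_au(self, name: str, objects: list[str]) -> None:
        # Objects may be users or groups; both are stored as-is, which is what "Add member" does.
        self.au_objects[name] = set(objects)

    def assign_tenant_role(self, user: str, role: str) -> None:
        self.tenant_roles.setdefault(user, set()).add(role)

    def assign_scoped_role(self, user: str, role: str, au: str) -> None:
        self.scoped_roles.setdefault(user, set()).add((role, au))

    def users_in_au(self, au: str) -> set[str]:
        """Users the AU scopes: only those added directly. A group that was added is itself an
        in-scope object, but its members are not pulled in (the chapter's Important Note)."""
        return {obj for obj in self.au_objects.get(au, set()) if obj in self.users}

    def manageable_users(self, admin: str, role: str) -> set[str]:
        """Every user `admin` can act on with `role`: all users for a tenant-wide assignment,
        otherwise the direct user members of each AU the role is scoped to."""
        if role in self.tenant_roles.get(admin, set()):
            return set(self.users)
        scope: set[str] = set()
        for assigned_role, au in self.scoped_roles.get(admin, set()):
            if assigned_role == role:
                scope |= self.users_in_au(au)
        return scope

    def can_reset_password(self, admin: str, target: str) -> bool:
        return target in self.manageable_users(admin, PASSWORD_ADMIN)


def build_chapter_tenant() -> Tenant:
    """The chapter's AU, plus constructed accounts and a constructed group to show the edges."""
    t = Tenant()
    t.users.update(["PacktUser1", "PacktUser2", "PacktUser3", "PacktUser4"])  # PacktUser4 is constructed
    t.add_group("Finance", ["PacktUser5"])  # constructed group; PacktUser5 is only in the AU via it
    t.add_au("South Africa Users", ["PacktUser1", "PacktUser2", "PacktUser3", "Finance"])
    t.assign_scoped_role("PacktUser1", PASSWORD_ADMIN, "South Africa Users")
    return t


if __name__ == "__main__":
    tenant = build_chapter_tenant()
    for target in sorted(tenant.users):
        print(f"PacktUser1 may reset {target}: {tenant.can_reset_password('PacktUser1', target)}")
```

`manageable_users` is the question to ask in an access review: for each administrator, which accounts can they act on and through which assignment. Run against the model it shows PacktUser1 reaching exactly PacktUser1 to PacktUser3, not PacktUser4 (outside the AU) and not PacktUser5 (reachable only through the Finance group object), which is the outcome the chapter's scenario of per-country administrators depends on; a tenant-wide assignment of the same role would reach every account.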

We encourage students to read up further by using the following links, which will provide additional information around AU management:

https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-manage
https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-add-manage-users

Now, let's move on and take a look at how to manage user and group properties.

Managing user and group properties

Part of an Azure administrator's task is to understand what can be done from a user and group perspective within Azure AD. Let's take a look at what we can configure for an Azure AD user account:

Profile: This is where you can view and update information such as the name, user type, job information, and more.
Assigned roles: This setting is where you can view all of the role assignments for that specific account; assignments can be eligible, active, or expired.
Administrative units: This setting displays the AUs that the user is part of.
Groups: This setting displays the AD groups that the user is part of.
Applications: This setting displays the application assignments.
Licenses: This setting displays what licenses are currently assigned to the user account.
Devices: This setting shows what devices are associated with the user account, including the join type, such as Azure AD joined.
Azure role assignments: This setting displays the resources at the subscription level to which the account has access.
Authentication methods: This setting displays the authentication contact information, such as the phone number and email address used for MFA. From here, you can also require the account to reregister for MFA or revoke current MFA sessions.

Now that we have reviewed all the user properties, let's take a look at the group settings.

Azure AD groups have the following settings available:

- Overview: This displays the membership type, the source directory, the object ID, the creation date, and more.
- Properties: This setting displays the general settings for the group, such as the group name, the description, the group type, and the membership type, which can be changed here.
- Members: This setting displays all of the current members of the group; bulk operations can also be performed from here.
- Owners: This setting displays the owners of the group, who can modify the group and the members within it.
- Administrative units: This setting displays the AUs that the group is part of.
- Group memberships: This setting displays all of the security groups that the group belongs to (nested grouping).
- Applications: This setting displays the application assignments.
- Licenses: This setting displays the licenses that are assigned to the group, which group members will inherit automatically.
- Azure role assignments: This setting displays the resources at the subscription level to which the group members have access.
- Dynamic membership rules: This setting displays the configuration rules; for dynamic groups, this is where you can change the rules, which will affect the membership of the group.

And that brings an end to the user and group properties. In this section, we have looked at all of the different settings for Azure AD users and Azure AD groups.

We encourage students to read up further by using the following links, which will provide additional information around managing group settings via the command line and also dive into external user attribute flows:

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-settings-v2-cmdlets
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/user-flow-add-custom-attributes

Next, we are going to look at how to manage device settings within Azure.

Managing device settings

Azure AD offers the ability to ensure that users are accessing Azure resources from devices that meet corporate security and compliance standards. Device management is the foundation of device-based conditional access, where you can ensure that access to the resources in your environment is only possible from managed devices.

Device settings can be managed from the Azure portal. To manage your device settings, your device needs to be registered or joined to Azure AD.

To manage the device settings from the Azure portal, you have to perform the following steps:

Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Azure Active Directory.
In the Azure AD Overview blade, under Manage, select Devices, as follows:

Figure 1.14 – The Azure AD Devices blade

The device management blade will open. Here, you can configure your device management settings, locate your devices, perform device management tasks, and review the device management-related audit logs.

To configure the device settings, select Device settings from the left-hand menu. From here, you can configure the following settings, which are shown in the following screenshot:

- Users may join devices to Azure AD: Here, you can set which users can join their devices to Azure AD. This setting is only applicable to Azure AD join on Windows 10.
- Users may register their devices with Azure AD: This setting needs to be configured to allow devices to be registered with Azure AD. There are two options here: None, that is, devices are not allowed to register when they are not Azure AD joined or hybrid Azure AD joined, and All, that is, all devices are allowed to register. Enrollment with Microsoft Intune or MDM for Office 365 requires registration. If you have configured either of these services, All is selected and None is not available.
- Require Multi-Factor Authentication to register or join devices with Azure AD: Here, you can require the user to perform MFA when registering a device. Before you can enable this setting, MFA needs to be configured for the users who register their devices.
- Maximum number of devices per user: This setting allows you to select the maximum number of devices that a user can have in Azure AD.
- Manage Additional local administrators on all Azure AD joined devices: This setting allows you to add additional local administrators for Azure AD joined devices.
- Manage Enterprise State Roaming settings: This setting provides users with a unified experience across all of their Windows devices and reduces the turnaround time when configuring new devices:

Figure 1.15 – The Azure AD Device settings blade

To locate your devices, under Manage, select All devices. In this overview, you will see all the joined and registered devices, as follows:

Figure 1.16 – The Azure AD All devices blade displaying all of the devices linked to Azure AD

Additionally, you can select the different devices from the list to get more detailed information about the device. From here, global administrators and cloud device administrators can disable or delete the device, as follows:

Figure 1.17 – The Azure AD device details for a specific device with the option to disable or delete the selected device

To audit logs, under Activity, select Audit logs. From here, you can view and download the different log files. Additionally, you can create filters to search through the logs, as follows:

Figure 1.18 – The Azure AD device Audit logs blade

This concludes our section on how to manage your device settings via the Azure portal.

We encourage students to read up further by using the following links:

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
https://docs.microsoft.com/en-us/microsoft-365/business/manage-windows-devices?view=o365-worldwide

Next, we are going to look at how to perform bulk user updates.

Performing bulk updates

Performing bulk user updates is similar to managing single users (such as internal and guest users). The only operation that can't be performed for multiple users at once is a password reset; this has to be done one user at a time.

Azure has also improved its bulk user operations by adding a drop-down menu that enables you to perform the following by downloading a CSV template, completing it, and re-uploading it:

- Bulk user creation
- Bulk user invitation
- Bulk user deletion
- Bulk user downloads

To perform a bulk user update, you have to perform the following steps:

Navigate to the Users overview blade again in Azure AD.
Select the Bulk operations drop-down menu:

Figure 1.19 – The Azure AD bulk user operations option

From the menu, select the action you want to complete; for example, select Download users:

Figure 1.20 – The Azure AD bulk user download setting

Also, you can update multiple users by selecting them and choosing to delete them or configure MFA for each user:

Figure 1.21 – The alternative Azure AD method for bulk user operations

This concludes our demonstration on how to perform bulk user updates and how it works.

We encourage students to read up further by using the following links, which will look at adding bulk users:

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-add
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-bulk-import-members

In the next section, we are going to cover how you can manage guest accounts.

Managing guest accounts

You can also add guest accounts in Azure AD using Azure AD B2B. Azure AD B2B is a feature on top of Azure AD that allows organizations to work safely with external users. To be added to Azure B2B, external users don't require a Microsoft work or personal account that has been added to an existing Azure AD tenant.

All sorts of accounts can be added to Azure B2B. You don't have to configure anything in the Azure portal to use B2B; this feature is enabled by default for all Azure AD tenants. Let's see how to manage guest accounts by performing the following steps:

Adding guest accounts to your Azure AD tenant is similar to adding internal users to your tenant. When you navigate to the Users overview blade, you can choose + New guest user from the top-level menu, as follows:

Figure 1.22 – The Azure AD Users blade to add a new guest user

Then, you can provide an email address and a personal message, which is sent to the user's inbox. This personal message includes a link to log in to your tenant.
Select Invite user to add the user to your Azure AD tenant and send an invitation to the user's inbox:

Figure 1.23 – Azure AD – inviting a guest user

To manage external users after creation, you can select them from the Users overview blade. They will have a User type value, which is named Guest. Simply select the user from the list, and you will be able to manage the settings that are displayed in the top-level menu for this user, as follows:

Figure 1.24 – The Azure AD Users blade displaying the account as Guest under User type

And that brings an end to this section. In this short section, we have reviewed guest accounts in Azure AD and learned how to configure them.

We encourage students to read up further by using the following links, which will provide additional information around restricting guest permissions: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions.

In the next section, we are going to look at what Azure AD join is and how to configure it for Windows 10 devices.

Configuring Azure AD join

With Azure AD join, you are able to join devices directly to Azure AD without the need to join your on-premises Active Directory in a hybrid environment. While hybrid Azure AD join with an on-premises Active Directory might still be preferred for some scenarios, Azure AD join simplifies the process of adding devices and modernizes device management for your organization. This can result in the reduction of device-related IT costs.

Your users are getting access to corporate assets through their devices. To protect these corporate assets, you want to control these devices. This allows your administrators to ensure that your users are accessing resources from devices that meet your standards for security and compliance.

Azure AD join is a good solution when you want to manage devices with a cloud device management solution, modernize your application infrastructure, simplify device provisioning for geographically distributed users, and when your company is adopting Microsoft 365 as the productivity suite for your users.

Azure AD join can be deployed by using any of the following methods:

- Bulk deployment: This method is used to join large numbers of new Windows devices to Azure AD and Microsoft Intune.
- Windows Autopilot: This is a collection of technologies used to preconfigure Windows 10 devices so that the devices are ready for productive use. Autopilot can also be used to reset, repurpose, and recover devices.
- Self-service experience: This is also referred to as the first-run experience, which is mainly used to join a new device to Azure AD.

When it comes to joining devices to Azure AD, there are two main ways of managing those devices:

- MDM only: This is when the device is managed exclusively by an MDM provider such as Intune.
- Comanagement: This is when the device is managed by an MDM provider and System Center Configuration Manager (SCCM).

When joining a Windows 10 device to Azure AD, there are two scenarios that we need to look at:

- Joining a new Windows 10 device via the Out-of-Box Experience (OOBE).
- Joining an already configured Windows 10 device to Azure AD.

Let's take a look at how we can join an existing Windows 10 device to Azure AD:

On the Windows 10 device, search for Settings and open Accounts.
Select Access work or school, and choose Connect:

Figure 1.25 – The Windows 10 settings menu to add and connect a device to Azure AD

Under Alternate actions, choose Join this device to Azure Active Directory:

Figure 1.26 – The Windows 10 device with the selected option to join the device to Azure AD

A new window will pop up and ask you to sign in. Sign in with your organization's account. In my case, this will be [email protected]:

Figure 1.27 – The Windows 10 device requires you to sign in to an Azure AD account to join it to Azure AD

You will be prompted to verify whether you want to join your domain. Proceed by clicking on the Join button:

Figure 1.28 – The Windows 10 device summary page before joining it to Azure AD

And now the Windows 10 device has been successfully joined to Azure AD:

Figure 1.29 – The Windows 10 device has successfully been joined to Azure AD

As a final step, let's navigate to the Azure portal and under Manage, select Devices, and our newly Azure AD joined device will show up:

Figure 1.30 – Displaying the recently joined Windows 10 device in Azure AD under the Devices blade

That brings an end to this section. We have learned what Azure AD join is, the methods to enroll, and we have also shown the steps of how to manually join a Windows 10 device to Azure AD.

We encourage students to read up further by using the following links, which will provide additional information around Azure AD join, Windows Autopilot, and bulk device enrollment:

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-joined-devices-frx

In the next section, we are going to take a look at SSPR.

Configuring SSPR

By enabling self-service password reset (SSPR) for your users, they are able to change or reset their own passwords without calling the help desk. This significantly reduces management overhead.

Note

The Azure AD free-tier license only supports cloud users for SSPR, and only password change is supported, not password reset.

SSPR can be easily enabled from the Azure portal. To do this, perform the following steps:

Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Azure Active Directory.
In the Azure AD Overview blade, in the left-hand menu, under Manage, select Password reset, as follows:

Figure 1.31 – The Azure AD Password reset blade

In the Password reset overview blade, you can enable SSPR for all your users, by selecting All, or for selected users and groups, by selecting Selected. For this demonstration, enable it for all users and click on Save in the top-level menu, as follows:

Figure 1.32 – The Azure AD Password reset properties

Next, we need to set the authentication methods required for your users. To do this, under Manage, select Authentication methods.
In the next blade, we can set the number of authentication methods that are required to reset a password and explore what methods are available for your users, as follows:

Figure 1.33 – The Azure AD Password reset blade displaying the available authentication methods for users

Make a selection and click on Save.

Important Note

If you want to test SSPR after configuration, make sure that you use a user account without administrator privileges.

We encourage students to read up further by using the following links:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr

Summary

In this chapter, we discussed how to create Azure AD users via the Azure portal, how to create a dynamic group, and how to add users to that dynamic group. We addressed user and group properties. Additionally, we discussed the different bulk user operations and how to create a guest account from the Azure portal. Finally, we discussed how to join a Windows 10 device to Azure AD and how to enable the configuration options for SSPR.

In the next chapter, we'll cover Role-Based Access Control (RBAC) and get hands-on with creating custom RBAC roles. Additionally, we will learn how to interpret role assignments.

Chapter 2: Managing Role-Based Access Control

This chapter is focused on managing Role-Based Access Control (RBAC), and you will learn what RBAC is and how to apply it at the different scope levels. This chapter also covers how to create and assign custom RBAC roles and how to interpret RBAC roles within the Azure portal.

In brief, the following topics will be covered in this chapter:

- Creating a custom role
- Providing access to resources by assigning roles at different scopes
- Interpreting access assignments

Important Note

Azure makes use of an additive model when there are overlapping permissions for a specific user: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview#multiple-role-assignments.

Technical requirements

In order to follow this chapter hands-on, you will need access to an Azure Active Directory tenant as a global administrator. If you do not have access to one, you can enroll with a free account: https://azure.microsoft.com/en-in/free/.

You will also need an Azure subscription of which you have owner permissions with a resource group deployed and a virtual machine of any size that is part of the resource group.

Creating a custom RBAC role

RBAC is a general term for restricting access based on the roles assigned to users. It follows the Just Enough Access (JEA) concept, where a specific user or group is given the minimum access needed to perform their job on a specific resource. Custom roles can only be created and updated by a user whose assigned role includes the Microsoft.Authorization/roleDefinitions/write permission.

When it comes to RBAC, it is very important to understand how and where it is applied. Azure RBAC can be applied to the following security principals:

- User
- Group
- Service principal
- Managed identity

Now that we know what security principals support RBAC, the next step is to have a look at role definitions. A role definition is a collection of permissions that can be applied to security principals; however, in Azure, this is referred to as a role. A role is what determines what operations are allowed – for example, read access, write access, or the deletion of resources.

The following are some built-in roles within Azure:

- Owner role: This is the role that includes all permissions; you can read, add, and remove resources. You also have the capability to add and remove other users to and from resources as owners or in other roles.
- Contributor role: This role has the same permissions as an owner, except you cannot add or remove additional users to and from resources.
- Reader role: This role has the ability to view resources, but cannot amend, add, or remove users or resources.

There are multiple built-in roles within Azure, and it is recommended that you have a look at them: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles.

The next part is to understand scope. Scope is the target resource that you need to assign a role to. In Azure, there are mainly four scope levels that roles can be assigned to:

- Management group
- Subscription
- Resource group
- Resource

The following diagram displays the main scope levels in Azure:

Figure 2.1 – A visual representation of the scope levels in Azure

In summary, RBAC consists of three main sections:

- Security principal: Selects who is going to have access
- Role: Selects what type of access is going to be assigned to the security principal
- Scope: Selects the resource that the security principal and the role will be applied to

Now that we understand built-in RBAC roles within Azure, let's take a look at custom RBAC roles.

Note

Azure Active Directory (AD) roles are used to manage the identities within the directory, whereas RBAC in this section is used to define permissions for resources that reside within the relevant subscription or management group.

Custom RBAC roles can be created if the built-in RBAC roles do not meet specific requirements.

Tip

There is a limit of 5,000 custom RBAC roles per Azure directory.

Custom RBAC roles can be created in the following ways:

- The Azure portal
- Azure PowerShell
- The Azure CLI
- The REST API

In this section, we had a look at RBAC in Azure and how it works from a logical perspective.

We encourage you to read further by using the following links, which provide an overview of RBAC and also built-in roles:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Now, let's see how to create a custom role.

Creating a custom role

Let's go ahead and use the Azure portal to create a custom RBAC role from scratch named IT Support – Restart VMs only, which can only restart virtual machines and is explicitly excluded from starting and powering them off:

Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
In the search bar at the top, search for and select Subscriptions:

Figure 2.2 – The search bar in Azure

Select an active subscription; in my case, this will be the Demo subscription, as seen in the following screenshot:

Figure 2.3 – A display of all subscriptions available

Select Access control (IAM), click on Add, and select Add custom role:

Figure 2.4 – The Access control (IAM) blade for a selected subscription

Next, under the Basics tab, enter the custom role name and description and select the Start from scratch setting under Baseline permissions. Under Custom role name, specify IT support – Restart VMs only; it is also best practice to provide a brief description in the Description field when creating resources in Azure:

Figure 2.5 – The custom role creation blade

Next, we need to specify the permissions. Click on the Add permissions button, and in the search bar that pops up, search for Virtual machines and select Microsoft ClassicCompute:

Figure 2.6 – The Permissions blade when creating a custom role

A new blade will pop up with all the compute permissions. Scroll all the way down to Microsoft.Compute/virtualMachines and select Read: Get Virtual Machine and Other: Restart Virtual Machine, and then click Add:

Figure 2.7 – The custom role creation permissions available for Microsoft.Compute

Next, we need to exclude this role from starting and shutting down virtual machines. Click on the Exclude permissions button and search for Virtual machines again, and then select Microsoft Compute:

Figure 2.8 – Custom role exclusions when searching for virtual machines

Go to Microsoft.Compute/virtualMachines and select Other: Start Virtual Machine and Other: Power Off Virtual Machine, and then click Add:

Figure 2.9 – The custom role exclusion list for Microsoft.Compute

You will notice that the new role now has the following permission types:

- Action: Read the Virtual Machine (VM).
- Action: Restart the VM.
- NotAction: Start the VM.
- NotAction: Shut down the VM.

Figure 2.10 – A custom role permissions overview displaying Actions and NotActions

Tip

Actions are permission actions that are allowed; NotActions are permission actions that are specifically not allowed.

Click on Next.

Next, we have Assignable scopes, where we can choose where this custom role will be available for assignment. In this scenario, we are going to leave it at the default subscription level that was automatically added and then click on Next:

Figure 2.11 – The custom role assignable scopes

Next, we have the JSON tab, which shows the permissions for the new role in JSON format; we also have the ability to download the JSON code. For now, let's click on Next:

Figure 2.12 – The custom role JSON notation

The last tab is the Review + update tab, which is a summary of our configuration; click on Create:

Figure 2.13 – The custom role review before creation

A new pop-up window will appear, stating that the new custom role has been created and that we can start assigning the role as soon as replication has taken place, which is usually around 5 minutes or less.
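The role created above, together with the additive model noted at the start of this chapter, is easiest to reason about in code. The following is an added example, not from the book or from Microsoft: it holds the role as it appears on the JSON tab and evaluates Azure's Actions/NotActions semantics across one or more role assignments. The four Microsoft.Compute operation strings are Azure's real operation names; the subscription ID is a placeholder, and the "VM Operator" role is constructed for the demonstration.

```python
"""Evaluate Azure RBAC role definitions (Actions vs. NotActions, additive model).

Added example, not from the book. Operation strings follow Azure's
resource-provider naming; the second role and the subscription ID are constructed.
"""
import re
from typing import Iterable, List

# The custom role built in this section, as the portal's JSON tab shows it.
IT_SUPPORT_RESTART_ONLY = {
    "Name": "IT Support - Restart VMs only",
    "IsCustom": True,
    "Description": "Can read and restart VMs but not start or power them off.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
    "NotActions": [
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
    ],
    # Placeholder subscription ID; replace with your own assignable scope.
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Constructed second role: a broad wildcard over every VM operation.
VM_OPERATOR = {
    "Name": "VM Operator (constructed)",
    "IsCustom": True,
    "Actions": ["Microsoft.Compute/virtualMachines/*/action"],
    "NotActions": [],
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure permission strings use '*' as a wildcard for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, flags=re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """One role grants an operation if it matches an Action and no NotAction.

    NotActions only subtract from the same role's Actions; they are not a deny.
    """
    if not any(_matches(a, operation) for a in role.get("Actions", [])):
        return False
    return not any(_matches(n, operation) for n in role.get("NotActions", []))


def granting_roles(roles: Iterable[dict], operation: str) -> List[str]:
    """Names of the assigned roles that grant the operation (useful when auditing)."""
    return [r["Name"] for r in roles if role_allows(r, operation)]


def effective_allows(roles: Iterable[dict], operation: str) -> bool:
    """Azure RBAC is additive: the effective permission is the union over all
    assignments at the scope, so a NotAction in one role cannot block an
    operation that another assigned role grants."""
    return bool(granting_roles(roles, operation))


if __name__ == "__main__":
    assigned = [IT_SUPPORT_RESTART_ONLY, VM_OPERATOR]
    for op in (
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
    ):
        print(op, "->", granting_roles(assigned, op))
```

Run with only the restart role assigned and start/powerOff are refused; add the wildcard role and start becomes allowed again, which is why "excluding" permissions in a custom role is not a substitute for a deny assignment or for reviewing every role a principal holds.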