MCA Microsoft Certified Associate Azure Administrator Study Guide - Rithin Skaria - E-Book


Rithin Skaria

Description

Learn what it takes to be an Azure Administrator and efficiently prepare for Exam AZ-104 with this authoritative resource.

MCA Microsoft 365 Azure Administrator Study Guide: Exam AZ-104 prepares readers to take the AZ-104 Exam and to fully understand the role of a Microsoft 365 Azure Administrator. The book takes a practical and straightforward approach to Microsoft Azure, ensuring that you understand both the realities of working as an Administrator and the techniques and skills necessary to succeed on the AZ-104 Exam.

In addition to providing you with access to the online Sybex test bank that includes hundreds of practice questions, flashcards, and a glossary of terms, the study guide comprehensively explains all the following topics:

* How to manage Azure subscriptions and resources
* Implementing and managing storage
* Deploying and managing virtual machines
* Managing and configuring virtual networks
* How to manage identities

Perfect for anyone considering a career as a Microsoft Azure Administrator or preparing for the AZ-104 Exam, MCA Microsoft 365 Azure Administrator Study Guide: Exam AZ-104 also belongs on the bookshelves of practicing administrators who wish to brush up on the fundamentals of their profession.


Page count: 743

Year of publication: 2022




Table of Contents

Cover

Title Page

Copyright

Acknowledgments

About the Author

About the Technical Editor

Table of Exercises

Introduction

The AZ-104: Microsoft Azure Administrator Exam

Who Should Buy This Book

Study Guide Features

Exam Objectives

Objective Map

Assessment Test

Answers to Assessment Test

Chapter 1: Identity: Azure Active Directory

Azure Active Directory

Users and Groups

Azure AD Roles

Azure AD Join

Self-Service Password Reset

Managing Multiple Directories

Summary

Exam Essentials

Review Questions

Chapter 2: Compliance and Cloud Governance

Azure Regions

Azure Accounts and Subscriptions

Azure Cost Management

Resource Groups

Management Groups

Azure Policy

Role-Based Access Control

Resource Locks

Resource Tags

Summary

Exam Essentials

Review Questions

Chapter 3: Virtual Networking

Virtual Networks

VNet Concepts

IP Addressing

Network Routes

Service Endpoints

Private Endpoint

Azure DNS

Network Security Groups

Azure Firewall

Summary

Exam Essentials

Review Questions

Chapter 4: Intersite Connectivity

Azure-to-Azure Connectivity

Azure to On-Premises Connectivity

Intersite Connectivity Architecture

Virtual WAN

Summary

Exam Essentials

Review Questions

Chapter 5: Network Traffic Management

Availability Options

Azure Load Balancer

Azure Application Gateway

Azure Front Door

Azure Traffic Manager

Comparing the Load Balancing Solutions

Summary

Exam Essentials

Review Questions

Chapter 6: Azure Storage

Azure Storage Account

Azure Storage Services

Storage Replication

Storage Account Types

Storage Account Endpoints

Azure Blob Storage

Storage Security

Azure Files and File Sync

Managing Storage

Summary

Exam Essentials

Review Questions

Chapter 7: Azure Virtual Machines

Virtual Machine Planning

Deploying Virtual Machines

Connecting to Virtual Machines

Availability of Virtual Machines

Scaling Concepts

Virtual Machine Scale Sets

Summary

Exam Essentials

Review Questions

Chapter 8: Automation, Deployment, and Configuration of Resources

Azure Resource Manager

ARM Templates

Configuring Virtual Hard Disk Templates

Virtual Machine Extensions

Summary

Exam Essentials

Review Questions

Chapter 9: PaaS Compute Options

Azure App Service Plans

Azure App Services

Container Instances

Azure Kubernetes Service

Summary

Exam Essentials

Review Questions

Chapter 10: Data Protection

File and Folder Backups

Virtual Machine Data Protection

Summary

Exam Essentials

Review Questions

Chapter 11: Monitoring Resources

Azure Monitor

Azure Alerts

Log Analytics

Network Watcher

Summary

Exam Essentials

Review Questions

Appendix: Answers to the Review Questions

Chapter 1: Identity: Azure Active Directory

Chapter 2: Compliance and Cloud Governance

Chapter 3: Virtual Networking

Chapter 4: Intersite Connectivity

Chapter 5: Network Traffic Management

Chapter 6: Azure Storage

Chapter 7: Azure Virtual Machines

Chapter 8: Automation, Deployment, and Configuration of Resources

Chapter 9: PaaS Compute Options

Chapter 10: Data Protection

Chapter 11: Monitoring Resources

Index

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 Comparison of Azure AD Editions

Chapter 2

TABLE 2.1 Comparing Classic, RBAC, and Azure AD Roles

TABLE 2.2 Azure Role Definition

TABLE 2.3 Supported Actions

Chapter 3

TABLE 3.1 Understanding Public IP SKUs

TABLE 3.1 Subnet NSG Inbound Rules

TABLE 3.2 NIC01 NSG Inbound Rules

Chapter 4

TABLE 4.1 VPN Gateway SKUs

TABLE 4.2 Comparing Virtual Network Peering and VPN Gateway

TABLE 4.3 Comparing Virtual WAN Types

Chapter 5

TABLE 5.1 Comparing Load Balancing Solutions

Chapter 6

TABLE 6.1 Comparing Storage Replication Options

TABLE 6.2 Comparing Storage Account Types

TABLE 6.3 Direct CNAME Mapping

TABLE 6.4 Intermediary Mapping with asverify

TABLE 6.5 Understanding URI Parameters

Chapter 7

TABLE 7.1 VM Types and Sizes

Chapter 9

TABLE 9.1 App Service Plan: Pricing Tiers

TABLE 9.2 Comparison Between Virtual Machines and Containers

Chapter 10

TABLE 10.1 Comparison Between MARS and MABS

List of Illustrations

Chapter 1

FIGURE 1.1 Distinguishing directory synchronized users

FIGURE 1.2 Inviting users

FIGURE 1.3 Customizing the invite

FIGURE 1.4 Invitation for Guest user

FIGURE 1.5 Filtering Guest users

FIGURE 1.6 Deleting group

FIGURE 1.7 Connecting a device to Azure AD

FIGURE 1.8 Listing all devices connected to Azure AD

FIGURE 1.9 Enabling SSPR

FIGURE 1.10 Initiating password reset

FIGURE 1.11 Configuring SSPR authentication methods

Chapter 2

FIGURE 2.1 Azure regions

FIGURE 2.2 Graphical representation of Azure regional pairs

FIGURE 2.3 Types of Azure subscriptions

FIGURE 2.4 Azure Cost Management views

FIGURE 2.5 Azure Cost Management highlighting tools

FIGURE 2.6 Managing resource groups using PowerShell

FIGURE 2.7 Managing resource groups using the Azure CLI

FIGURE 2.8 Understanding management groups

FIGURE 2.9 Creating management groups

FIGURE 2.10 Listing built-in policy definitions

FIGURE 2.11 Assigning a policy

FIGURE 2.12 Selecting a policy scope

FIGURE 2.13 Evaluating policies

FIGURE 2.14 Listing initiative policies

FIGURE 2.15 Inspecting the initiative policy

FIGURE 2.16 Viewing the definition of a role using PowerShell

FIGURE 2.17 Viewing the definition of a role using the Azure CLI

FIGURE 2.18 Role assignment process

FIGURE 2.19 Role comparison

FIGURE 2.20 Navigating to Locks

FIGURE 2.21 Listing locks

FIGURE 2.22 Adding locks

FIGURE 2.23 Managing locks

FIGURE 2.24 Sorting resources using tags

FIGURE 2.25 Analyzing cost using tags

FIGURE 2.26 Listing tags

FIGURE 2.27 Adding tags to resources

Chapter 3

FIGURE 3.1 Understanding virtual networks

FIGURE 3.2 Routing architecture

FIGURE 3.3 Understanding service endpoints

FIGURE 3.4 Understanding a private link

FIGURE 3.5 Accessing a private link center

FIGURE 3.6 Demystifying the firewall architecture

Chapter 4

FIGURE 4.1 Reference architecture

FIGURE 4.2 Communication over Internet

FIGURE 4.3 Types of peering

FIGURE 4.4 Implementing virtual network peering

FIGURE 4.5 Modifying virtual network peering

FIGURE 4.6 Deleting virtual network peering

FIGURE 4.7 Virtual network-to-virtual network VPN connection

FIGURE 4.8 Active-standby configuration

FIGURE 4.9 Active-active configuration

FIGURE 4.10 VPN demo infrastructure

FIGURE 4.11 Steps to configure S2S

FIGURE 4.12 Navigating to the local network gateway

FIGURE 4.13 Creating a local network gateway

FIGURE 4.14 Creating a site-to-site connection

FIGURE 4.15 P2S architecture

FIGURE 4.16 ExpressRoute connectivity

FIGURE 4.17 Hub-spoke architecture using a gateway transit

FIGURE 4.18 Enabling gateway transit

FIGURE 4.19 Intersite connectivity architecture

FIGURE 4.20 Virtual WAN connectivity

Chapter 5

FIGURE 5.1 Availability sets

FIGURE 5.2 Creating availability sets

FIGURE 5.3 Availability zones

FIGURE 5.4 Overview of Azure Load Balancer

FIGURE 5.5 Public load balancer

FIGURE 5.6 Internal load balancer

FIGURE 5.7 Configuring the load balancer, reference architecture

FIGURE 5.8 Working of Application Gateway

FIGURE 5.9 Path-based routing

FIGURE 5.10 Multisite-based routing

FIGURE 5.11 Routing of traffic from the front end to the backend

FIGURE 5.12 Application Gateway reference architecture

FIGURE 5.13 Azure Front Door

FIGURE 5.14 Azure Traffic Manager

Chapter 6

FIGURE 6.1 Locally redundant storage

FIGURE 6.2 Zone redundant storage

FIGURE 6.3 Georedundant storage

FIGURE 6.4 Geo-zone redundant storage

FIGURE 6.5 Securing storage endpoint

FIGURE 6.6 Blob Storage hierarchy

FIGURE 6.7 Blob lifecycle management

FIGURE 6.8 Uploading blobs

FIGURE 6.9 Configuring SAS parameters

FIGURE 6.10 Generating SAS URL/URI

FIGURE 6.11 Storage URI

FIGURE 6.12 Setting up customer-managed keys

FIGURE 6.13 Setting up a file share

FIGURE 6.14 Creating a file share

FIGURE 6.15 Connecting to the file share

FIGURE 6.16 Mounting the file share

FIGURE 6.17 Adding a file to the file share

FIGURE 6.18 Verifying files in a file share

FIGURE 6.19 Verifying files in the file share from a Linux machine

FIGURE 6.20 File share snapshots

FIGURE 6.21 Azure File Share Backup

FIGURE 6.22 File Sync components

FIGURE 6.23 Creating Storage Sync services

FIGURE 6.24 Connecting using Azure Storage Explorer

FIGURE 6.25 Exploring storage account using Azure Storage Explorer

FIGURE 6.26 AzCopy Azure AD login

FIGURE 6.27 Listing all commands

FIGURE 6.28 Import job workflow

FIGURE 6.29 Export job workflow

Chapter 7

FIGURE 7.1 Disks in Azure VM

FIGURE 7.2 Choosing a Linux distro

FIGURE 7.3 Downloading the RDP file

FIGURE 7.4 Enabling password authentication

FIGURE 7.5 Enabling SSH key authentication

FIGURE 7.6 Using an availability set

FIGURE 7.7 Using availability zones

FIGURE 7.8 Vertical scaling

FIGURE 7.9 Horizontal scaling

FIGURE 7.10 Creating a scale set, Basics tab

FIGURE 7.11 Creating a scale set, Scaling tab

FIGURE 7.12 Creating a scale set, Advanced tab

FIGURE 7.13 Instances in scale set

FIGURE 7.14 Enabling autoscaling

Chapter 8

FIGURE 8.1 Azure Resource Management

FIGURE 8.2 Single template approach

FIGURE 8.3 Nested template approach

FIGURE 8.4 Individual template approach

FIGURE 8.5 Selecting the language in VS Code

FIGURE 8.6 Generating the code snippet

FIGURE 8.7 Resource code snippets

FIGURE 8.8 Resource code for virtual network

FIGURE 8.9 Adding a new parameter

FIGURE 8.10 New parameter code block

FIGURE 8.11 Adding resource

FIGURE 8.12 Deploying an ARM template

FIGURE 8.13 Reviewing output

FIGURE 8.14 ARMVIZ tool

FIGURE 8.15 Exporting templates using Azure PowerShell

FIGURE 8.16 Exporting using the Azure CLI

FIGURE 8.17 Listing resource group deployments

FIGURE 8.18 Downloading template

FIGURE 8.19 Export Template option

FIGURE 8.20 Capture a VM from the Azure portal

FIGURE 8.21 Creating an image of a VM

FIGURE 8.22 Images in the Azure portal

FIGURE 8.23 Virtual machine extensions

Chapter 9

FIGURE 9.1 Continuous deployment from Azure Repos

FIGURE 9.2 Deployment Center blade

FIGURE 9.3 Adding a deployment slot

FIGURE 9.4 Identifying deployment slots

FIGURE 9.5 Swapping deployment slots

FIGURE 9.6 Adding an identity provider

FIGURE 9.7 Adding Azure AD authentication

FIGURE 9.8 Verifying Azure AD authentication

FIGURE 9.9 Mapping a custom domain to the app

FIGURE 9.10 Backing up an App Service

FIGURE 9.11 Architectural comparison between virtual machines and containers...

FIGURE 9.12 Docker architecture

FIGURE 9.13 Azure container instance architecture

FIGURE 9.14 Azure container groups

FIGURE 9.15 AKS terminology

FIGURE 9.16 Components of a customer-managed node

FIGURE 9.17 Cluster IP

FIGURE 9.18 Node port

FIGURE 9.19 Load Balancer

FIGURE 9.20 Storage components

FIGURE 9.21 Kubernetes versions in AKS

FIGURE 9.22 Kubernetes scaling options

FIGURE 9.23 Bursting from AKS with ACI

Chapter 10

FIGURE 10.1 Creating a Recovery Services vault

FIGURE 10.2 Backup options for Azure

FIGURE 10.3 Backup options for on-premises

FIGURE 10.4 Downloading the agent and credentials

FIGURE 10.5 Creating snapshots

FIGURE 10.6 Reviewing snapshots

FIGURE 10.7 Azure IaaS VM Backup architecture

FIGURE 10.8 Restoring a VM

FIGURE 10.9 VM restore options

FIGURE 10.10 Azure Backup Center

FIGURE 10.11 Enrolling on-premise workloads

FIGURE 10.12 Downloading MABS

FIGURE 10.13 VM replication using ASR

FIGURE 10.14 Enabling Azure Site Recovery

FIGURE 10.15 ASR architecture

Chapter 11

FIGURE 11.1 Azure Monitor

FIGURE 11.2 Viewing metrics

FIGURE 11.3 Metrics Explorer

FIGURE 11.4 Querying activity logs

FIGURE 11.5 Action group notifications

FIGURE 11.6 Action group actions

FIGURE 11.7 Creating alert for the activity log event

FIGURE 11.8 Creating a Log Analytics workspace

FIGURE 11.9 Connected data sources

FIGURE 11.10 Onboarding VM

FIGURE 11.11 Downloading agent

FIGURE 11.12 Agents configuration

FIGURE 11.13 IP Flow Verify

FIGURE 11.14 Next Hop

FIGURE 11.15 Effective security rules

FIGURE 11.16 Effective security rules

FIGURE 11.17 Packet capture

FIGURE 11.18 Connection troubleshoot

FIGURE 11.19 Checking the results

FIGURE 11.20 NSG flow logs

FIGURE 11.21 Topology


MCA Microsoft Certified Associate Azure Administrator

Study Guide

Exam AZ-104

Rithin Skaria

Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

ISBN: 978-1-119-70515-4

ISBN: 978-1-119-70520-8 (ebk.)

ISBN: 978-1-119-70518-5 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware the Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2022934721

Trademarks: WILEY, the Wiley logo, Sybex, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Microsoft 365 and Azure are trademarks or registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. MCA Microsoft 365 Azure Administrator Study Guide is an independent publication and is neither affiliated with, nor authorized, sponsored, or approved by, Microsoft Corporation.

Cover image: © Getty Images Inc./Jeremy Woodhouse

Cover design: Wiley

Acknowledgments

Although the book bears my name as the author, many people contributed to its success and creation. I believe without their help and contribution this book wouldn't have been possible. Kenyon Brown was the acquisitions editor; he helped me to get the book started. Melissa Burlock, editorial assistant, was always available to help and answer my questions. Mahalingam M was the technical editor; he was very helpful in giving constructive feedback on the technical content and concepts; nevertheless, any mistakes that remain are my own. Kim was the copy editor, and Janet was the proofreader; they helped me to correct any grammatical mistakes, formatting issues, and typos. I would also like to thank my manager, Monty Pattan, for empowering and motivating me. Last but not least, I would like to extend my gratitude to my family, mentors, friends, colleagues, and everyone who helped directly or indirectly toward the success of this book.

About the Author

Rithin Skaria is a cloud evangelist with almost a decade of experience in managing and administering Azure, AWS, and OpenStack. He currently works at Microsoft as a Customer Engineer empowering customers to achieve more. His other works include Linux Administration on Azure, Second Edition; Azure for Architects, Third Edition; and Migrating Linux to Microsoft Azure. He can be reached at [email protected]. Connect with him on LinkedIn: @ rithin-skaria.

About the Technical Editor

Mahalingam M is an Azure Consultant and works with Enterprises to design and implement their solutions in Azure. He also assesses large-scale applications hosted on Azure and provides recommendations to optimize them. He started his journey on Azure five years back, and he is a certified Azure Solutions Architect Expert, Azure Security Engineer Associate, and Azure Administrator Associate. In addition to this, he is also a Microsoft Certified Trainer and delivers Workshops on Azure IaaS and PaaS.

Table of Exercises

Exercise 1.1 Viewing Users in Your Directory

Exercise 1.2 Creating Users in Azure AD

Exercise 1.3 Modifying and Deleting Users

Exercise 1.4 Performing Bulk Operations

Exercise 1.5 Viewing Groups in Azure AD

Exercise 1.6 Adding Security Groups to Azure AD

Exercise 1.7 Adding Microsoft 365 Groups in Azure AD

Exercise 2.1 Creating a Resource Group from the Azure Portal

Exercise 2.2 Listing Resource Groups from the Azure Portal

Exercise 2.3 Deleting Resource Groups from the Azure Portal

Exercise 2.3 Implementing a Custom Policy

Exercise 2.4 Creating a Custom Role Using PowerShell

Exercise 2.5 Assigning Roles from the Azure Portal

Exercise 3.1 Creating Virtual Networks

Exercise 3.2 Creating Virtual Networks Using Azure PowerShell

Exercise 3.3 Creating Public IP Addresses

Exercise 3.4 Creating a Route Table

Exercise 3.5 Creating a Custom Route

Exercise 3.6 Associating a Routing Table to a Subnet

Exercise 3.7 Creating an Azure DNS Zone

Exercise 3.8 Adding Records to an Azure DNS Zone

Exercise 3.9 Creating a Private DNS Zone and Validating Resolution

Exercise 3.10 Creating NSG and NSG Rules

Exercise 4.1 Implementing Virtual Network Peering in the Azure Portal

Exercise 4.2 Implementing the Virtual Network to Virtual Network VPN in the Azure Portal

Exercise 4.3 Implementing a P2S VPN in the Azure Portal

Exercise 5.1 Implementing Load Balancing in Azure

Exercise 5.2 Implementing Azure Application Gateway

Exercise 6.1 Uploading Blobs

Exercise 6.2 Working with SAS Keys

Exercise 6.3 Working with AzCopy

Exercise 7.1 Creating a Windows Virtual Machine

Exercise 7.2 Connecting to a Windows VM Using RDP

Exercise 7.3 Connecting to a Linux VM Using a Password

Exercise 7.4 Connecting to Linux VM Using SSH Keys

Exercise 7.5 Connecting to Linux VM Using SSH Keys

Exercise 8.1 Composing an ARM Template

Exercise 9.1 Creating an App Service Plan

Exercise 9.2 Creating an App Service Plan

Exercise 9.3 Building and Running Containers in Azure

Exercise 9.4 Running Applications in an AKS Cluster

Exercise 10.1 Implementing a VM Backup

Exercise 11.1 Creating Alerts

Exercise 11.2 Ingesting Logs to the Log Analytics Workspace

Introduction

Microsoft Azure is the public cloud offering from Microsoft, and it offers more data centers, security, and other services than any other cloud provider. As more organizations are moving their workloads to Azure, there is a high demand for professionals who are trained and certified on Azure. In this book, we will be focusing on Azure administration; the knowledge from this book will help you to manage and administer Azure infrastructure and also help you to pass the AZ-104: Microsoft Azure Administrator exam.

The AZ-104: Microsoft Azure Administrator exam is an associate exam targeting professionals interested in certifying their knowledge of implementing, managing, and monitoring the Azure infrastructure. Azure administrators are usually part of a team dedicated to certain tasks and responsibilities. These responsibilities include implementation, management, governance, and monitoring of an organization's cloud deployment.

This book is aligned to the official curriculum published by Microsoft, and the purpose of this book is to help you pass the AZ-104: Microsoft Azure Administrator exam. We are focusing on this exam because it covers all the tasks that are involved in the day-to-day life of an Azure administrator. You'll learn enough to get started deploying workloads to Azure, and you'll learn how to administer, monitor, and manage these workloads. Even after you've taken and passed the AZ-104: Microsoft Azure Administrator exam, this book should remain a useful reference.

 Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

The AZ-104: Microsoft Azure Administrator Exam

Microsoft Azure was formerly known as Windows Azure until 2014. Internally the project was called Project Red Dog and was announced at Microsoft's Professional Developers Conference in 2008. Today, Microsoft Azure is one of the leading cloud providers, and many organizations have adopted it as part of the cloud transformation.

Though Azure started with just a handful of services, at present Microsoft Azure comprises numerous services such as compute, storage, network, identity, data management, and so on. As the number of services is increasing, customers are relying on the Azure platform. Getting certified on Microsoft Azure will bring more value to your résumé.

Why Become AZ-104: Microsoft Azure Administrator Certified?

There are several good reasons to get your AZ-104: Microsoft Azure Administrator certification.

Provides Proof of Professional Achievement

 Certifications are quickly becoming status symbols in the IT industry. As many organizations are moving to the cloud, the demand for cloud skills is high. Employers are pushing their employees to get certified in Azure to support their cloud workloads. Every day, more people are putting the Azure Administrator Associate badge on their LinkedIn profile and résumé.

Increases Your Marketability

 AZ-104: Microsoft Azure Administrator certification makes individuals more marketable to potential employers. Also, AZ-104: Microsoft Azure Administrator–certified employees might receive a higher salary base because employers won't have to spend as much money on vendor-specific training.

Provides an Opportunity for Advancement

 Most raises and advancements are based on performance. AZ-104: Microsoft Azure Administrator–certified employees work faster and more efficiently. The more productive employees are, the more money they will make for their company; and, of course, the more money they make for the company, the more valuable they will be to the company. So, if employees are AZ-104: Microsoft Azure Administrator certified, their chances of getting promoted will be greater.

Raises Customer Confidence

 As the IT community, users, small business owners, and the like become more familiar with the AZ-104: Microsoft Azure Administrator–certified professional moniker, more of them will realize that AZ-104: Microsoft Azure Administrator professionals are more qualified to work in their cloud environment than noncertified individuals.

How to Become AZ-104: Microsoft Azure Administrator Certified

The Microsoft certification is available to anyone who has experience implementing, managing, and monitoring an Azure environment.

The exam is delivered by Pearson VUE, which is partnering with Microsoft. The exam can be taken at any Pearson VUE testing center or using OnVUE online delivery from your home or office. If you pass, you will get two badges. One is for the AZ-104 exam, and the other one is the Azure Administrator Associate badge. These badges will be emailed to you, and you can use Credly to claim them. Contact (877) 551-PLUS (551-7587) for Pearson VUE information.

Registration with Pearson VUE is completed online at https://docs.microsoft.com/en-us/learn/certifications/exams/az-104#certification-exams by clicking Schedule Exam. You'll be asked for your name, mailing address, phone number, employer, when and where you want to take the test (i.e., which testing center), and your credit card number (arrangement for payment must be made at the time of registration).

 Exam policies can change from time to time. We highly recommend that you check the Pearson VUE site for the most up-to-date information when you begin preparing, when you register, and again a few days before your scheduled exam date.

Who Should Buy This Book

Anybody who wants to pass the AZ-104: Microsoft Azure Administrator exam may benefit from this book. If you're familiar with Azure fundamentals and would like to expand your knowledge to an administrator level, this book covers the material you will need to learn Azure administration, and it continues to provide the knowledge you need up to a proficiency level sufficient to pass the AZ-104: Microsoft Azure Administrator exam. You can pick up this book and learn from it even if you've never used Azure before, although you'll find it an easier read if you've at least casually used Azure in the past. If you're already familiar with Azure administration, this book can serve as a review and as a refresher course for information with which you might not be completely familiar. In either case, reading this book will help you to pass the AZ-104: Microsoft Azure Administrator exam.

This book was written with the assumption that you know the fundamentals of Azure (what it is, and possibly the role of services that are offered by Azure). I also assume that you know some basics about cloud computing in general, such as IaaS versus PaaS versus SaaS, how the cloud is beneficial, and so on. Chances are, you have used Azure in a substantial way in the past. I do not assume that you have extensive knowledge of Azure administration, but if you've done some Azure administration, you can still use this book to fill in gaps in your knowledge.

 As a practical matter, you'll need an Azure subscription with which to practice and learn in a hands-on way. Neither the exam nor this book covers how the subscription is actually created. You may need to sign up for a Free Trial or an Azure for Students offer to create a subscription. Alternatively, if your organization has provided you with a Visual Studio subscription, you can use that to create a subscription. Please visit https://azure.microsoft.com/en-in/support/legal/offer-details to view the list of Azure offers.

Study Guide Features

This study guide uses a number of common elements to help you prepare. These include the following:

Summaries

 The summary section of each chapter briefly explains the chapter, allowing you to easily review what was covered.

Exam Essentials

 The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by Microsoft.

Chapter Review Questions

 A set of questions at the end of each chapter will help you assess your knowledge and whether you are ready to take the exam based on your knowledge of that chapter's topics.

 The review questions, assessment test, and other testing elements included in this book are not derived from the actual exam questions, so don't memorize the answers to these questions and assume that doing so will enable you to pass the exam. You should learn the underlying topic, as described in the text of the book. This will let you answer the questions provided with this book and pass the exam. Learning the underlying topic is also the approach that will serve you best in the workplace—the ultimate goal of a certification.

Additional Study Tools

This book comes with additional study tools to help you prepare for the exam. They include the following.

 Go to www.wiley.com/go/sybextestprep, register your book to receive your unique PIN, and then once you have the PIN, return to www.wiley.com/go/sybextestprep and register a new account or add this book to an existing account.

Interactive Online Learning Environment and Test Bank

We’ve put together some really great online tools to help you pass the Microsoft Azure Administrator exam. The interactive online learning environment that accompanies the MCA Azure Administrator Study Guide provides a test bank and study tools to help you prepare for the exam. By using these tools you can dramatically increase your chances of passing the exam on your first try.

The online section includes the following:

Sample Tests

Many sample tests are provided throughout this book and online, including the Assessment Test, which you’ll find at the end of this introduction, and the Chapter Tests that include the review questions at the end of each chapter. In addition, there are two bonus practice exams. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards

The online test bank includes more than 100 flashcards specifically written to hit you hard, so don’t get discouraged if you don’t ace your way through them at first! They’re there to ensure that you’re really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you’ll be more than prepared when exam day comes! Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Glossary

A glossary of key terms from this book and their definitions is available as a fully searchable PDF.

 Like all exams, the AZ-104: Microsoft Azure Administrator certification from Microsoft is updated periodically and may eventually be retired or replaced. At some point after Microsoft is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online Sybex tools will be available once the exam is no longer available.

Conventions Used in This Book

This book uses certain typographic styles to help you quickly identify important information and to avoid confusion over the meaning of words such as on-screen prompts. In particular, look for the following styles:

Italicized text indicates key terms that are described at length for the first time in a chapter. (Italics are also used for emphasis.)

A monospaced font indicates the contents of configuration files, messages displayed at a command prompt, filenames, text-mode command names, and Internet URLs.

Italicized monospaced text indicates a variable—information that differs from one system or command run to another, such as the name of a client computer or a process ID number.

Bold monospaced text is information that you're to type into the computer, for example at a shell prompt. This text can also be italicized to indicate that you should substitute an appropriate value for your system.

In addition to these text conventions, which can apply to individual words or entire paragraphs, a few conventions highlight segments of text.

 A note indicates information that's useful or interesting but that's somewhat peripheral to the main text. A note might be relevant to a small number of networks, for instance, or it may refer to an outdated feature.

EXERCISES

An exercise is a procedure you should try on your own computer to help you learn about the material in the chapter. Don't limit yourself to the procedures described in the exercises, though! Try other commands and procedures to really learn about Azure.

Exam Objectives

This book has been written to cover every Microsoft exam objective at a level appropriate to its exam weighting, shown here.

| Subject Area | % of Exam |
| --- | --- |
| Manage Azure identities and governance | 15–20% |
| Implement and manage storage | 15–20% |
| Deploy and manage Azure compute resources | 20–25% |
| Configure and manage virtual networking | 25–30% |
| Monitor and back up Azure resources | 10–15% |
| Total | 100% |

Objective Map

| Objective | Percentage of exam | Primary chapter |
| --- | --- | --- |
| Manage Azure identities and governance | 15%–20% | |
| Identity: Azure Active Directory | | Chapter 1 |
| Compliance and cloud governance | | Chapter 2 |
| Implement and manage storage | 10%–15% | |
| Azure Storage | | Chapter 6 |
| Deploy and manage Azure compute resources | 25%–30% | |
| Azure Virtual Machines | | Chapter 7 |
| Automation, Deployment, and Configuration of Resources | | Chapter 8 |
| PaaS Compute Options | | Chapter 9 |
| Configure and manage virtual networking | 30%–35% | |
| Virtual Networking | | Chapter 3 |
| Intersite connectivity | | Chapter 4 |
| Network Traffic Management | | Chapter 5 |
| Monitor and back up Azure resources | 10%–15% | |
| Data Protection | | Chapter 10 |
| Monitoring resources | | Chapter 11 |

Assessment Test

1. Which feature in Azure AD can be used to manage the devices and enforce organizational policies?
A. Azure AD Domain Services
B. Multifactor authentication
C. Device access management
D. Azure AD Join

2. Azure AD offers self-service options for users to reset their own password. What is this service called?
A. Self-user password reset
B. Self-service password reset
C. Self-password reset
D. User password reset

3. True or false: To use Azure AD, you need to create a Windows Server instance in Azure and install Active Directory Domain Services.
A. True
B. False

4. Which service in Azure is used to provide authorization for a user to access or manage a specific service?
A. Azure policies
B. Management groups
C. Role-based access control
D. Azure AD

5. You would like to limit your deployments to the East US region only. Which service should you use?
A. Azure policies
B. Resource locks
C. Role-based access control
D. Blueprints

6. You would like to group your resources based on the name of the person who created it. What is the easiest way to add this information to a resource?
A. Azure policies
B. Azure tags
C. Azure resource locks
D. Azure resource metadata service

7. Which service in Azure is responsible for establishing communication between virtual machines and the Internet?
A. Route table
B. VPN gateway
C. Virtual network
D. ExpressRoute

8. True or false: Network security groups can be used only to filter the traffic entering the subnet; we cannot filter the traffic hitting the network interface card.
A. True
B. False

9. True or false: Azure Firewall operates at layer 7.
A. True
B. False

10. If we peer networks that are part of different Azure regions, we call it ___________________.
A. Cross-region peering
B. Cross-regional peering
C. Global virtual network peering
D. Cross-global peering

11. You have hired a developer to work on a project, and the developer is working remotely. You have been requested to assist the developer in setting up VPN connectivity to the Azure environment. What type of connection should you set up for the developer?
A. Site-to-site
B. Site-to-user
C. ExpressRoute
D. Point-to-site

12. You have been requested to set up a low-latency connectivity between two virtual networks. Which solution will you select?
A. Site-to-site connection
B. VNet-to-VNet connection
C. Point-to-site connection
D. VNet peering

13. Which load balancing solution should you use if you would like to load balance across any TCP or UDP protocols?
A. Azure Load Balancer
B. Azure Application Gateway
C. Azure Front Door
D. Azure Traffic Manager

14. You have three production web applications running on Azure App Service in the same region. You want to perform layer 7 load balancing between these web applications. Which load balancing solution should you use?
A. Azure Load Balancer
B. App Service Load Distributor
C. Application Gateway
D. Azure Traffic Manager

15. You need a DNS load balancing solution. What solution should you deploy?
A. Azure Load Balancer
B. App Service Load Distributor
C. Application Gateway
D. Azure Traffic Manager

16. Which storage service should you select for backup, archiving, and disaster recovery scenarios?
A. Blob Storage
B. Table Storage
C. File Storage
D. Queue Storage

17. Which storage service should you select to create a network file share in Azure?
A. Blob Storage
B. Table Storage
C. File Storage
D. Queue Storage

18. Which of the following storage redundancy offers the highest durability? (Select all that apply.)
A. LRS
B. ZRS
C. GRS
D. GZRS

19. Azure Virtual Machine is an example of a(n) ___________________ service.
A. Infrastructure-as-a-Service
B. Platform-as-a-Service
C. Function-as-a-Service
D. Software-as-a-Service

20. _____________ can be used to connect to Azure VMs.
A. SSH
B. WinRM
C. HTTP
D. Webhook

21. RDP can be used to connect to Windows VMs, and it uses the ___________ port for communication.
A. UDP/3389
B. TCP/3389
C. TCP/3387
D. UDP/22

22. An ARM template is written in _______ format.
A. XML
B. HTML
C. JSON
D. HCL

23. ___________ can be used to store values in ARM templates.
A. Parameters
B. Variables
C. Constants
D. Resources

24. True or false: Incremental mode is the default deployment mode for ARM templates.
A. True
B. False

25. __________________________ defines the compute resources provisioned for running Azure App Service.
A. App Service Plan
B. Deployment slots
C. Hybrid mode
D. App Service Environment

26. True or False: App Service supports autoscaling from the Basic plan onward.
A. True
B. False

27. ____________________ is an example of a managed Kubernetes cluster.
A. Container Instances
B. Kubernetes Instances
C. Container Kubernetes Service
D. Azure Kubernetes Service

28. Which service offers the easiest way to run containers in Azure?
A. Container Instances
B. Virtual Machines
C. Docker host
D. Azure Kubernetes Service

29. True or false: Recovery Services Vault can be used to back up Azure VMs only.
A. True
B. False

30. True or false: Azure Backup supports both Windows and VMs.
A. True
B. False

31. Which service can be used for infrastructure disaster recovery in the case of regional failures?
A. Azure Backup
B. Microsoft Backup Server
C. Azure Site Backup
D. Azure Site Recovery

32. Log Analytics uses ___________________ for querying the datasets.
A. SQL
B. KQL
C. CQL
D. DQL

33. You can store your notification preferences for alerts using _________________
A. Notification groups
B. Messaging group
C. Action groups
D. Alert groups

34. All data collected by Log Analytics is stored in _________________.
A. An Azure Storage Account
B. Data Explorer
C. Workspace
D. Azure Monitor

Answers to Assessment Test

1. D. Azure AD Join offers device management. Refer to Chapter 1.

2. B. The self-service password reset service can be used by users to reset their own password with the help of authentication methods configured by cloud administrators. Refer to Chapter 1.

3. B. Azure AD is a cloud-managed identity and access management solution. You don't need to install ADDS or manage virtual machines in Azure to use Azure AD. In fact, these are two different services. Refer to Chapter 1.

4. C. Role-based access control (RBAC) is responsible for managing authorization. Refer to Chapter 2.

5. A. Azure policies are used to limit deployments to the East US region. This can be achieved by using the Allowed Locations policy. Refer to Chapter 2.

6. B. Resource tags can be used to logically organize the resources in your environment. We can add metadata to our resources including the owner name, cost center, department, etc. Refer to Chapter 2.

7. C. A virtual network enables virtual machines to connect to the Internet securely. Refer to Chapter 3.

8. B. Network security groups (NSGs) can be used to filter traffic at both the subnet and NIC level. Refer to Chapter 3.

9. A. Azure Firewall is a layer 7, or Application layer, firewall. Refer to Chapter 3.

10. C. If we peer networks that are part of different Azure regions, we call it global VNet peering. You can establish peering from Azure public cloud regions to China cloud regions as well. However, you cannot peer Azure public cloud and government cloud regions. You can establish peering between the same regions in a government cloud. Refer to Chapter 4.

11. C. Point-to-site (P2S) helps in connecting individual devices to the Azure virtual network. Using P2S, you can connect the developer workstation to the Azure virtual network. Refer to Chapter 4.

12. D. VNet peering offers the lowest latency as the traffic is via the Microsoft backbone network. Refer to Chapter 4.

13. A. Azure Load Balancer is a L4 load balancer that supports any TCP/UDP protocols. Refer to Chapter 5.

14. C. Application Gateway supports App Services as a backend and L7 load balancing. Refer to Chapter 5.

15. D. Azure Traffic Manager is the DNS load balancing solution. Refer to Chapter 5.

16. A. Azure Blob Storage is the object storage service offered by Microsoft that can be used for backup, archiving, and disaster recovery storage scenarios. Refer to Chapter 6.

17. C. Network file shares can be created using the Azure File service, and this can be accessed via the SMB protocol. This file share can be mounted to multiple VMs or on-premises machines, which is ideal for sharing files across machines. Refer to Chapter 6.

18. C, D. Both GRS and GZRS offer 99.9999999999999999 percent durability over a given year. Refer to Chapter 6.

19. A. Azure VM is an example of an infrastructure-as-a-service (IaaS) service. Refer to Chapter 7.

20. A. SSH can be used to connect, manage, and administer Azure VMs. Refer to Chapter 7.

21. B. By default, RDP uses TCP/3389 for establishing communication to Azure Windows VMs. However, this port can be configured to a different one if needed. Refer to Chapter 7.

22. C. ARM templates are written in JSON format. Refer to Chapter 8.

23. B. Variables are used to hard-code certain values to keywords in ARM templates so that they can be reused throughout the template. Refer to Chapter 8.

24. A. Incremental mode is the default mode of deployment for ARM template deployment unless you override the mode. In incremental mode, Azure Resource Manager will not alter any resources that are already present in the target resource group. The resources that are declared in the template will be added to the existing resources in the resource group. Refer to Chapter 8.

25. A. App Service Plan is responsible for providing the compute resources for the application to run. Refer to Chapter 9.

26. B. Autoscaling is available from the Standard plan onward. The Basic plan doesn't support autoscaling; however, manual scaling is supported. Refer to Chapter 9.

27. D. Azure Kubernetes Service is a completely platform-managed cluster. Using AKS, you can easily create Kubernetes clusters in Azure and deploy your applications. Refer to Chapter 9.

28. A. Azure Container Instances offers the easiest way to run containers in Azure without the need to manage any VMs or infrastructure. Refer to Chapter 9.

29. B. Recovery Services Vault supports System Center DPM, Windows Server, Azure Backup Server, and other services from on-premises along with Azure VMs.

30. A. You don't require any agents for backing up virtual machines running in Azure, and Azure Backup provides native support for Windows and VMs. Refer to Chapter 11.

31. D. Azure Site Recovery is a business continuity and disaster recovery (BCDR) solution for protecting your infrastructure against regional failures. Refer to Chapter 10.

32. B. Kusto Query Language is used to query the dataset stored in Azure Log Analytics. Refer to Chapter 11.

33. C. An action group is a collection of notification preferences that can be reused in multiple alerts. The notifications and actions that you define inside the action group will be executed when the alert is fired. Refer to Chapter 11.

34. C. Each workspace is an environment that will be used for the ingestion of Azure Monitor logs. The connected sources, configuration, and repository are managed per workspace. Refer to Chapter 11.

Chapter 1 Identity: Azure Active Directory

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Manage Azure Active Directory (Azure AD) objects

Create users and groups

Manage user and group properties

Manage device settings

Perform bulk user updates

Manage guest users

Configure Azure AD Join

Configure self-service password reset

With the recent cloud transformation, the number of organizations migrating to the cloud has drastically increased, and security has become one of the primary concerns. In on-premises environments, the IT administrator and security administrators controlled the overall security of the organization. When it comes to the cloud, the traditional methods we are accustomed to should be replaced by modern identity and access management tools.

In Microsoft Azure, Azure Active Directory is a cloud-based directory and identity management service. Though the name looks like the Active Directory that we use on our on-premises Windows Servers for identity and access management, this one is completely different and takes access management to the next level. As an administrator, you will be working with Azure Active Directory day in and day out for various administrative tasks, including user management, group management, password reset, joining and registering your devices to Azure AD, and so on. Although these are basic tasks, sometimes administrative tasks include complex integrations such as single sign-on (SSO), multifactor authentication (MFA), and conditional access. From an exam standpoint, fulfilling the basic tasks is more than enough; however, having knowledge of the complex configurations will help you progress in your career.

Azure Active Directory

As mentioned in the introduction of this chapter, Azure AD is Microsoft's cloud-based identity and access management (IAM) solution. Azure AD is an especially useful solution for IT admins, developers, and subscribers of various Microsoft solutions (such as Microsoft 365, Dynamics 365, and Azure). Primarily, Azure AD deals with helping employees to sign in to various resources such as O365, M365, Dynamics, Azure, etc. However, the integration does not stop here; you can integrate Azure AD as the IAM solution for third-party applications and your internal applications as well. Developers are constantly working on integrating Azure AD as the IAM solution because of the increased reliability it provides. Since this book is about Azure administration, we will focus on how Azure AD is intended to help IT admins.

Benefits

Let's explore the different benefits of Azure AD and why organizations should consider Azure AD as the IAM solution.

SSO to Cloud and On-Premises Applications

 Having too many credentials for different applications increases the complexity and results in a higher chance of human error. An SSO solution helps users sign in to all cloud applications, on-premises applications, and devices using their corporate credentials. Azure AD is not only meant for the Microsoft stack, but for thousands of SaaS applications such as Dropbox, ServiceNow, DocuSign, etc.

Easily Extend On-Premises Active Directory to the Cloud

 When organizations move from on-premises to the cloud, there is a need to synchronize the users with the cloud. Otherwise, users will end up with two credentials, one for on-premises and another one for the cloud. To avoid this scenario and to provide a seamless SSO experience, Azure AD allows administrators to synchronize users, groups, passwords, and devices across both on-premises and the cloud. This is accomplished using a tool called Azure AD Connect that needs to be installed on your on-premises domain controller or any other domain-joined server with Windows Server 2012 or later, and it will help with the synchronization.

Cross-Platform Support

 Regardless of what platform the user is using, be it iOS, Android, Windows, Linux, or macOS, the sign-in experience is going to be the same, and the users can sign in to their applications using their work credentials.

Increase Security of Your On-Premises Applications

 You can use the Azure AD Application Proxy service to access your on-premises applications via a secured remote access. The best part is you do not have to expose any additional ports on your on-premises firewalls; the access is managed by application proxy endpoints. The access can be tightened using multifactor authentication and conditional access policies.

Better Monitoring and Data Protection

 Azure AD amplifies the overall security posture of your environment by providing unique identity protection features. Azure AD Identity Protection comprises several features including suspicious sign-in activity, risk alerts, etc. These triggers can be further integrated with conditional access policies to make business decisions. In addition to these capabilities, administrators can leverage security reports, sign-in activities, and potential vulnerability reports that are available off the shelf without the need to deploy any additional components.

Self-Service Capabilities

 If you have worked as an IT administrator, you know most of the calls to the help desk will be regarding password resets. Azure AD offers a feature called Self-Service Password Reset by which users can reset their own passwords with the help of an authentication method such as phone, email, security questions, or a combination of these. IT admins need to enroll users into the SSPR program before they can use this feature. Enrolling is also self-serve, and the user will be prompted to verify the authentication methods. Enabling SSPR in your environment can elevate the security and reduce help-desk engagements.

If you are using Office 365, Azure, or Dynamics 365 in your environment, knowingly or unknowingly you are interacting with Azure AD to complete the authentication process.

We have been talking about Azure AD for a while now, and it is time that we understand the concepts that are part of Azure AD.

Concepts

Understanding the various terminologies that are related to Azure AD is the first step in learning Azure AD. The following are the Azure AD concepts:

Identity

 An object that can interact with Azure AD and get authenticated is called an identity. A user is an exceptionally good example of an identity; to get authenticated, a user will present the username and password to Azure AD. Upon receiving these credentials, Azure AD will substantiate and confirm if the authentication was successful. Servers and applications can also use their identity to authenticate with Azure AD; since these can be authenticated, they are also called identities. When it comes to servers or applications, they use certificates or secrets for completing the authentication.

Account

 Any identity that has data associated with it is called an account. For example, if we take a user named John Doe, the user will have different data attributes associated with it such as user principal name, sign-in name, manager name, department, etc. All the data associated with the user identity will make the identity an account. Since identity is required for mapping these attributes, you cannot have an account without an identity. The account can be on-premises as well as in the cloud.

Azure AD Account

 Usually known as work or school accounts, these accounts are provisioned in Azure AD or via other cloud services such as Office 365, etc. The data associated to these identities is stored in Azure AD and can be used to log in to services that use Azure AD as the authentication provider.

Azure Subscription

 This is the container created in Azure to separate billing and environments. An account can have multiple subscriptions that can be used to create isolated environments and billing boundaries. Each subscription you create will be mapped to a tenant, and it is always a one-to-one mapping. You can always move subscriptions across tenants if you have a multitenant environment.

Azure AD Tenant/Directory

 The term tenant means a single instance of Azure AD denoting a single organization. When you sign up for any Microsoft cloud service (Azure, O365, etc.), a dedicated instance of Azure AD is provisioned for you. There will be a unique name associated with this tenant that will have the suffix onmicrosoft.com and a unique ID assigned to the tenant called the tenant ID. An organization can create multiple directories/tenants for creating disparate environments or realms with different users and groups.

Now that we are familiar with the concepts related to Azure AD, the next question you will have in your mind is how Azure AD is different from Active Directory Domain Services.

Azure AD vs. Active Directory Domain Services

You might have already worked with or heard about Active Directory Domain Services (AD DS) in your on-premises environment. If you have not heard about AD DS, this is a deployment