Manage Microsoft Azure cloud services that span storage, security, networking, and compute cloud capabilities and ace the AZ-103 Exam
Key Features:
Master features and concepts pertaining to Azure's Administration services
Gain a deep understanding of various Azure services related to infrastructure, applications, and environments
Gauge yourself by giving mock tests with up-to-date exam questions
Book Description:
Microsoft Azure Administrator – Exam Guide AZ-103 will cover all the exam objectives that will help you earn the Microsoft Azure Administrator certification. Whether you want to clear the AZ-103 exam or want hands-on experience in administering Azure, this study guide will help you achieve your objective. It covers the latest features and capabilities around configuring, managing, and securing Azure resources.
Following Microsoft's AZ-103 exam syllabus, this guide is divided into five modules. The first module talks about how to manage Azure subscriptions and resources. You will be able to configure Azure subscription policies at Azure subscription level and learn how to use Azure policies for resource groups. Later, the book covers techniques related to implementing and managing storage in Azure. You will be able to create and configure backup policies and perform restore operations. The next module will guide you to create, configure, and deploy virtual machines for Windows and Linux. In the last two modules, you will learn about configuring and managing virtual networks and managing identities. The book concludes with effective mock tests along with answers so that you can confidently crack this exam.
By the end of this book, you will acquire the skills needed to pass Exam AZ-103.
What you will learn:
Configure Azure subscription policies and manage resource groups
Monitor activity log by using Log Analytics
Modify and deploy Azure Resource Manager (ARM) templates
Protect your data with Azure Site Recovery
Learn how to manage identities in Azure
Monitor and troubleshoot virtual network connectivity
Manage Azure Active Directory Connect, password sync, and password writeback
Who this book is for:
This book is for Azure administrators, systems administrators, or anyone who is preparing for the AZ-103 exam and wants to master Azure's various administration features. Readers should have proficiency in working with PowerShell, CLI and other day-to-day Azure administration tasks.
Sjoukje Zaal is a Microsoft Principal Architect and Microsoft Azure MVP with over 15 years' experience providing architecture, development, consultancy, and design expertise. She works at Ordina, a system integrator based in the Netherlands. She loves to share her knowledge and is active in the Microsoft community as a co-founder of the Dutch user groups SP&C NL and MixUG. She is also a board member of Azure Thursdays. Sjoukje is a public speaker and is involved in organizing events. She has written several books, writes blogs and is active on the Microsoft Tech Community. Sjoukje is also part of the Diversity and Inclusion Advisory Board.
Page count: 310
Year of publication: 2019
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Karan Sadawana
Acquisition Editor: Rahul Nair
Content Development Editor: Nithin George Varghese
Technical Editor: Komal Karne
Copy Editor: Safis Editing
Project Coordinator: Nusaiba Ansari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Jyoti Chauhan
First published: May 2019
Production reference: 1300519
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-83882-902-5
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Sander Rossel is a Microsoft-certified professional developer with experience and expertise in .NET and .NET Core (C#, ASP.NET, and Entity Framework), SQL Server, Azure, Azure DevOps, JavaScript, and other technologies. He has an interest in various technologies including, but not limited to, cloud computing, NoSQL, continuous integration/continuous deployment, functional programming, and software quality in general. In his spare time, he writes articles for MSDN, CodeProject, and his own blog, as well as books about object-oriented programming, databases, and Azure.
Steef-Jan Wiggers is all in on cloud technology. He works as an Azure technology consultant in the Netherlands and has over 20 years' experience in a wide variety of scenarios, including custom .NET solution development, overseeing complex enterprise integrations, mentoring, and consulting. He loves challenges in the Microsoft arena, building his approach to tackling them on his domain knowledge in the utilities, insurance, healthcare, agriculture, (local) government, bio-sciences, retail, travel, and logistics sectors. Furthermore, he is an InfoQ editor for cloud and a global public speaker, and also is very active in the community as a blogger. For these efforts, Microsoft has recognized him a Microsoft MVP for the past nine years. He can be found on Twitter as @steefjan.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Microsoft Azure Administrator – Exam Guide AZ-103
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Managing Azure Subscriptions and Resources
Managing Azure Subscriptions and Resource Groups
Azure subscriptions and resource groups
Azure subscriptions
Azure resource groups
Assigning administrator permissions
Assigning global administrator permissions
Assigning owner permissions
Configuring Azure subscription policies
Implementing and setting tagging on resource groups
Configuring cost center quotas
Configuring resource locks
Moving resources across resource groups
Removing resource groups
Summary
Questions
Further reading
Analyzing Resource Utilization and Consumption
Azure Monitor
Creating and analyzing metrics and alerts
Metrics
Creating a metric
Alerts
Creating an alert
Configuring diagnostic settings on resources
Enabling diagnostic settings
Viewing alerts in Log Analytics
Utilizing Log Search Query functions
Querying logs in Azure Monitor
Summary
Questions
Further reading
Managing Role-Based Access Control
Technical requirements
RBAC
Built-in roles
Custom roles
Configuring access to Azure resources by assigning roles
Configuring management access to Azure
Creating a custom role
Azure Policy
Implementing and assigning Azure policies
Summary
Questions
Further reading
Section 2: Implementing and Managing Storage
Creating and Configuring Storage Accounts
Technical requirements
Azure storage accounts
Storage account types
General-purpose v1
Blob storage
General-purpose v2 (GPv2)
Storage replication types
LRS
ZRS
GRS
RA-GRS
Azure blob storage
Access tiers
Hot
Cool
Archive
Azure file storage
Azure disk storage
Standard disk storage
Premium disk storage
Unmanaged versus managed disks
Creating and configuring storage accounts
Installing and using Azure Storage Explorer
Configuring network access to the storage account
SAS and access keys
Managing access keys
Generating an SAS
Implementing Azure storage replication
Summary
Questions
Further reading
Importing and Exporting Data to Azure
Technical requirements
Configuring and using Azure Blob Storage
Creating import into, and export from Azure Job
Azure CDN
Configuring Azure CDN endpoints
Azure Data Box
Summary
Questions
Further reading
Configuring Azure Files and Implementing Azure Backup
Technical requirements
Azure file share and Azure file share sync service
Creating an Azure file share
Azure file share sync service
Azure Backup
Azure Site Recovery
Performing a backup and restore operation
Creating a Recovery Services vault
Configuring a backup policy
Trigger an on-demand backup
Restore the backup
Summary
Questions
Further reading
Section 3: Deploying and Managing Virtual Machines
Creating and Configuring VMs for Windows and Linux
Technical requirements
VMs
VM series and sizes
Managed disks
Availability sets
Fault domains and update domains
Deploying Windows and Linux VMs
Deploying a Windows VM from the Azure portal
Deploying a Windows VM from PowerShell
VM scale sets
Deploying and configuring scale sets
Modifying and deploying ARM templates
Modifying an ARM template
Save a deployment as an ARM template
Summary
Questions
Further reading
Managing Azure VMs and VM Backups
Technical requirements
Managing VM sizes
Resizing a VM in the Azure portal
Resizing a VM using the CLI
Redeploying VMs
Redeploying a VM from the Azure portal
Redeploying a VM from PowerShell 
Moving VMs
Adding data disks and network interfaces
Adding a data disk
Adding a network interface
Automating configuration management
Configuring VM backup and restore operations
Creating a Recovery Services vault
Creating and configuring a backup policy
Restoring a backup
Summary
Questions
Further reading
Section 4: Deploying and Managing Virtual Networks
Implementing and Managing Virtual Networking
Technical requirements
Azure VNet
IP addresses
Public IP address
Private IP addresses
Configuring virtual networks and subnets
Configuring private and public IP addresses
User-defined routes
Creating user-defined routes
VNet peering
Creating and configuring VNet peering
Summary
Questions
Further reading
Integrating On-Premise Networks with Azure Virtual Networks
Technical requirements
Azure VPN gateway
S2S VPNs
Multi-site VPNs
P2S VPNs
ExpressRoute
Creating and configuring an Azure VPN gateway
Creating and configuring the on-premises VPN device
Creating a virtual network
Creating an Azure VPN gateway
Creating and configuring S2S VPN
Creating the local network gateway
Configuring the on-premises VPN device
Verifying on-premises connectivity
VNet-to-VNet
Summary
Questions
Further reading
Monitoring and Troubleshooting Virtual Networking
Network Watcher
Network resource monitoring
Installing the Network Watcher agent
Enabling Network Watcher
Monitoring the network connectivity
Managing virtual network connectivity
Network topology
Monitoring and troubleshooting on-premises connectivity
Network Performance Monitor
Next hop
VPN troubleshoot
Managing external networking
IP flow verify
Using IP flow verify
Effective security rules
Connection troubleshoot
Summary
Questions
Further reading
Azure Security Groups and Azure DNS
Technical requirements
NSGs
Service tags
Creating and configuring an NSG
Associating an NSG with a subnet or NIC
Creating and evaluating security rules
Azure DNS
Domain names
Public DNS zones
Private DNS zones
Record types
Configuring a public DNS zone
Configuring a private DNS zone
Summary
Questions
Further reading
Implementing Azure Load Balancer
Technical requirements
Azure Load Balancer
Configuring an internal load balancer
Creating the VNet
Creating the VMs
Creating the load balancer
Creating a backend address pool
Creating health probes
Creating load balancing rules
Testing the load balancer
Configuring a public load balancer
Creating the load balancer
Creating a resource group
Creating a public IP address
Creating the load balancer
Creating the health probe
Creating the load balancer rule
Creating the virtual network
Creating an NSG
Creating an NSG rule
Creating NICs
Creating backend servers
Creating an availability set
Creating two virtual machines
Testing the load balancer
Summary
Questions
Further reading
Section 5: Managing Identities
Managing Azure Active Directory
Azure AD
Creating and managing users and groups
Creating users in Azure AD
Creating groups in Azure AD
Adding and managing guest accounts
Performing bulk user updates
Configuring self-service password reset
Azure AD Join
Managing device settings
Adding custom domains
Summary
Questions
Further reading
Implementing and Managing Hybrid Identities
Azure AD Connect
Azure AD password hash synchronization
Azure AD pass-through authentication
Installing Azure AD Connect
Managing Azure AD Connect
Password writeback
Managing password writeback
Enabling password writeback in Azure AD Connect
Enabling password writeback in the Azure portal
Password sync
Summary
Questions
Further reading
Implementing Multi-Factor Authentication
Azure MFA
Enabling MFA for an Azure AD tenant
Configuring user accounts for MFA
Configuring the verification methods
Configuring trusted IPs
Configuring fraud alerts
Configuring bypass options
Summary
Questions
Further reading
Mockup Test Questions
Chapter 1, Managing Azure Subscriptions and Resource Groups Access Control
Chapter 2, Analyzing Resource Utilization and Consumption
Chapter 3, Managing Role-Based Access Control
Chapter 4, Creating and Configuring Storage Accounts
Chapter 5, Importing and Exporting Data to Azure
Chapter 6, Configuring Azure Files and Implementing Azure Backup
Chapter 7, Creating and Configuring VMs for Windows and Linux
Chapter 8, Managing Azure VMs and VM Backups
Chapter 9, Implementing and Managing Virtual Networking
Chapter 10, Integrating On-Premise Networks with Azure Virtual Networks
Chapter 11, Monitoring and Troubleshooting Virtual Networking
Chapter 12, Azure Security Groups and Azure DNS
Chapter 13, Implementing Azure Load Balancer
Chapter 14, Managing Azure Active Directory 
Chapter 15, Implementing and Managing Hybrid Identities
Chapter 16, Implementing Multi-Factor Authentication
Mockup Test Answers
Chapter 1, Managing Azure Subscriptions and Resource Groups
Chapter 2, Analyzing Resource Utilization and Consumption
Chapter 3, Managing Role-Based Access Control
Chapter 4, Creating and Configuring Storage Accounts
Chapter 5, Importing and Exporting Data to Azure
Chapter 6, Configuring Azure Files and Implementing Azure Backup
Chapter 7, Creating and Configuring VMs for Windows and Linux
Chapter 8, Managing Azure VMs and VM Backups
Chapter 9, Implementing and Managing Virtual Networking
Chapter 10, Integrating on-Premise Networks with Azure Virtual Networks
Chapter 11, Monitoring and Troubleshooting Virtual Networking
Chapter 12, Azure Security Groups and Azure DNS
Chapter 13, Implementing Azure Load Balancer
Chapter 14, Managing Azure Active Directory
Chapter 15, Implementing and Managing Hybrid Identities
Chapter 16, Implementing Multi-Factor Authentication
Assessments
Chapter 1, Managing Azure Subscriptions and Resource Groups
Chapter 2, Analyzing Resource Utilization and Consumption
Chapter 3, Managing Role-Based Access Control
Chapter 4, Creating and Configuring Storage Accounts
Chapter 5, Importing and Exporting Data to Azure
Chapter 6, Configuring Azure Files and Implementing Azure Backup
Chapter 7, Creating and Configuring VMs for Windows and Linux
Chapter 8, Managing Azure VMs and VM Backups
Chapter 9, Implementing and Managing Virtual Networking
Chapter 10, Integrating On-Premise Networks with Azure Virtual Networks
Chapter 11, Monitoring and Troubleshooting Virtual Networking
Chapter 12, Azure Security Groups and Azure DNS
Chapter 13, Implementing Azure Load Balancer
Chapter 14, Managing Azure Active Directory
Chapter 15, Implementing and Managing Hybrid Identities
Chapter 16, Implementing Multi-Factor Authentication
Other Books You May Enjoy
Leave a review - let other readers know what you think
Azure is an ever-evolving platform. It offers an environment on the cutting edge of technology that suits many different industry requirements. New capabilities and features are coming out fast, which makes it difficult to stay up to date. This book will give you a complete overview of all the current features and capabilities that Azure has to offer from an administrative perspective, and is a complete guide to preparing for the AZ-103 exam.
This book will cover all the exam objectives. It will start with how to manage Azure subscriptions and resources, where you will learn how to manage Azure subscriptions and resource groups, analyze resource utilization and consumption, and manage role-based access control (RBAC). In the second part, you will learn how to implement and manage storage by creating and configuring storage accounts, how to import and export data to Azure, and how to configure Azure Files and implement Azure Backup. The third part will cover how to deploy and manage virtual machines (VMs), where you will learn how to create and configure VMs for Windows and Linux and how to manage Azure VMs and VM backups. The fourth part of this book will cover how to configure and manage virtual networks, by covering implementing and managing virtual networking; how to integrate on-premise networks with Azure virtual networks; how to monitor and troubleshoot virtual networking; how to create and manage Azure Security Groups and Azure DNS; and how to implement Azure Load Balancer. The last part of this book will cover how to manage identities, where you will learn how to manage Azure Active Directory (AD), how to implement and manage hybrid identities, and how to implement multi-factor authentication (MFA).
Each chapter will conclude with a Further reading section, which is a very important part of each chapter, as it will give you extra, and sometimes crucial, information for passing the AZ-103 exam. As the questions on the exam will change slightly over time and this book will eventually become outdated, the Further reading sections will be the place that will provide you with all the updates.
This book targets experienced administrators who want to pass the Exam AZ-103: Microsoft Azure Administrator and broaden their knowledge of Azure from an administrative perspective.
Chapter 1, Managing Azure Subscriptions and Resource Groups, covers how to configure Azure subscriptions and resource groups, assign administrator permissions, configure Azure subscription policies, implement and set tagging on resource groups, configure cost center quotas, configure resource locks, move resources across resource groups, and remove resource groups.
Chapter 2, Analyzing Resource Utilization and Consumption, covers Azure Monitor, including how to create and analyze metrics and alerts, create action groups, configure diagnostic settings on resources, use Azure Log Analytics, and utilize Log Search Query functions.
Chapter 3, Managing Role-Based Access Control, covers RBAC, configuring access to Azure resources by assigning roles, configuring management access to Azure, creating a custom role, Azure Policy, and implementing and assigning Azure policies.
Chapter 4, Creating and Configuring Storage Accounts, covers Azure storage accounts, how to create and configure a storage account, install and use Azure Storage Explorer, configure network access to the storage account, generate and manage SAS, and implement Azure storage replication.
Chapter 5, Importing and Exporting Data to Azure, covers how to configure and use Azure Blob storage, how to import into and export from Azure jobs, how to use Azure Content Delivery Network (CDN), how to configure Azure CDN endpoints, and how to use Azure Data Box.
Chapter 6, Configuring Azure Files and Implementing Azure Backup, covers how to create Azure file share and Azure file share sync services, how to use Azure Backup, how to use Azure Site Recovery, how to perform a backup and restore operation, how to create Recovery Services vaults, and creating and configuring a backup policy.
Chapter 7, Creating and Configuring VMs for Windows and Linux, covers VMs, how to deploy Windows and Linux VMs, configuring high availability, deploying and configuring scale sets, and modifying and deploying Azure Resource Manager (ARM) templates.
Chapter 8, Managing Azure VMs and VM Backups, covers how to manage VM sizes, redeploying VMs, moving VMs, adding data disks and network interfaces, automating configuration management, and configuring VM backup and restore.
Chapter 9, Implementing and Managing Virtual Networking, covers Azure VNet, IP addresses, how to configure subnets and VNets, configuring private and public IP addresses, and creating and configuring VNet peering.
Chapter 10, Integrating On-Premise Networks with Azure Virtual Networks, covers Azure Virtual Private Network (VPN) Gateway, creating and configuring an Azure VPN gateway, creating and configuring a site-to-site VPN, verifying on-premises connectivity, and VNet-to-VNet functionality.
Chapter 11, Monitoring and Troubleshooting Virtual Networking, covers Network Watcher, network resource monitoring, managing virtual network connectivity, monitoring and troubleshooting on-premises connectivity, and managing external networking.
Chapter 12, Azure Security Groups and Azure DNS, covers Network Security Groups (NSGs), how to create and configure an NSG, associating an NSG to a subnet or network interface, creating and evaluating security rules, using Azure DNS, and how to configure private and public DNS zones.
Chapter 13, Implementing Azure Load Balancer, covers Azure Load Balancer, configuring an internal load balancer, creating health probes, creating load balancing rules, and configuring a public load balancer.
Chapter 14, Managing Azure Active Directory, covers Azure AD, how to create and manage users and groups, adding and managing guest accounts, performing bulk user updates, configuring self-service password reset, Azure AD Join, how to manage device settings, and adding custom domains.
Chapter 15, Implementing and Managing Hybrid Identities, covers Azure AD Connect, how to install Azure AD Connect, managing Azure AD Connect, and managing password sync and password writeback.
Chapter 16, Implementing Multi-Factor Authentication, covers Azure MFA, configuring user accounts for MFA, configuring verification methods, configuring fraud alerts, configuring bypass options, and configuring trusted IPs.
This book assumes that you are already familiar with managing cloud services that use storage, security, networking, and cloud compute capabilities. You should have a deep understanding of each service across the full IT life cycle. You should also have experience using PowerShell, the command-line interface, the Azure portal, ARM templates, operating systems, virtualization, cloud infrastructure, storage structures, and networking.
You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
Log in or register at www.packt.com.
Select the SUPPORT tab.
Click on Code Downloads & Errata.
Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Microsoft-Azure-Administrator-Exam-Guide-AZ-103. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781838829025_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Open the PacktNetworkWatcher resource group and select VM1 from the list."
A block of code is set as follows:
{
  "Name": "Packt Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows for read access to Azure Storage, Network and Compute resources and access to support"
}
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
{
  "Name": "Packt Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows for read access to Azure Storage, Network and Compute resources and access to support"
}
Any command-line input or output is written as follows:
Connect-AzAccount
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click Assign in the top menu."
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
In this section, you will learn how to manage Azure subscriptions and resources.
The following chapters will be covered in this section:
Chapter 1, Managing Azure Subscriptions and Resource Groups
Chapter 2, Analyzing Resource Utilization and Consumption
Chapter 3, Managing Role-Based Access Control
This book will cover all the exam objectives for the AZ-103 exam. When relevant, we will provide you with extra information and further reading guidance about the different topics in this book.
The first chapter of this book will introduce the first objective, which is how to manage Azure subscriptions and resources. In this chapter, we are going to focus on assigning permissions for administrators so that they can manage your Azure subscriptions and resource groups. You will learn how to configure policies for your Azure subscriptions and resources in order to stay compliant with your organizational standards and SLAs. We are also going to set tagging on resource groups, and you'll learn how to configure cost center quotas and resource locks. To finish this chapter, we will cover how to move resources across different resource groups after creation, and how to completely remove resource groups from your Azure subscription.
In brief, the following topics will be covered in this chapter:
Azure subscriptions and resource groups
Assigning administrator permissions
Configuring Azure subscription policies
Implementing and setting tagging on resource groups
Configuring cost center quotas
Configuring resource locks
Moving resources across resource groups
Removing resource groups
Before we start with the objectives that are required for the exam, which involve managing Azure subscriptions and resource groups, we will cover some high-level information about Azure subscriptions and resource groups.
Azure subscriptions are basically the billing accounts in Azure. Aside from billing, access to the Azure portal and the creation of the different Azure services in the portal are done through the use of Azure subscriptions.
If you look at the Azure account hierarchy, you will see where Azure subscriptions actually fit in. In the following diagram, the account hierarchy is shown:
It is divided into Enterprise, Department, Accounts, and Subscriptions levels. In the following overview, you'll get an idea of what these different levels are for:
Enterprise: This is also called the Enterprise Agreement, and is only used by organizations. It can be accessed from a separate portal (https://ea.azure.com) and is used for the whole organization to create the different departments.
Departments: At the department level, sub-accounts for the different departments in your organization are created. You can also group your departments in a functional way, like an IT and finance department, or group them in a geographical way, like North America and Europe, for instance. You can add a department owner here, which will be the person in charge of owning the budget for the department, for instance.
Accounts: This is where the different departments can create multiple accounts within their department. They can also add additional owners to manage these accounts. When you create a personal account in Azure, this is the starting point for creating the subscriptions. The Microsoft account that you use to log in to the Azure portal is then added to this account as the owner.
Subscriptions: You can create multiple subscriptions in an account. This is the level where the actual billing takes place and where the different Azure resources are created. You can add additional subscription owners that can manage the subscriptions, create the different resources, and assign other users to the subscription. Subscriptions always have a trust relationship with an Azure Active Directory instance.
Inside the Azure subscription, you can create multiple resource groups. This will be covered in the next section.
Each resource that you create inside Azure must belong to a resource group. It is a logical container that groups multiple resources together. An example would be all the resources that share a similar life cycle, like all the different resources for a particular application; this can be a virtual machine, an Azure Database, a virtual network in Azure, and more, grouped inside the same resource group. They can then be managed and deleted as a single entity.
In the next section, we'll assign administrator permissions to a user.
There are two ways to assign administrator permissions to your users. The first is done inside Azure Active Directory and is used to assign global administrator permissions. The second is done by using role-based access control (RBAC) and can be set from the subscription level.
In the following sections, we'll look at both possibilities.
With global administrator permissions, you can manage all subscriptions and management groups. A management group provides a level of scope above permissions and can be used to manage multiple subscriptions together.
When a user is assigned to the global administrator role, that user is able to see all Azure subscriptions and management groups in an organization, allow an automation app to access all Azure subscriptions and management groups, regain access to an Azure subscription or management group when a user has lost access, and grant another user (or themselves) access to an Azure subscription or management group.
To assign administrator permissions to a user on the subscription level, take the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Azure Active Directory to open the Azure AD blade.
Then, under Manage, select Properties.
In the Directory properties blade, enable Access management for Azure resources.
Click on Save.
In the next section, we're going to assign owner permissions to a user on the subscription level.
The owner of a subscription has full access to all the resources inside the subscription and is able to delegate the access to others. To assign owner permissions to a user on the subscription level using RBAC, perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select All services and select Subscriptions (you can also add it to your favorites so that it's displayed in the left-hand menu).
Select your subscription, and in the Subscription overview blade, click Access control (IAM).
To add a user with administrator permissions, click Add | Add role assignment to open the Add role assignment pane.
In the Role drop-down list, select the Owner role.
Then, in the Select list, select the user. If you don't see the user in the list, you can search for it in the textbox by name and email address.
Click on Save to add the user to the owner role.
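To review the outcome of the two procedures above, the following added example (not from the book) checks constructed role assignments for who can delegate access over a given resource. It assumes that enabling Access management for Azure resources gives the global administrator the User Access Administrator role at root scope (/); the subscription ID, principals and resource names are placeholders.

```python
# Constructed sample role assignments, shaped like entries from an RBAC export.
# The subscription ID, principals and resource names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    {"principal": "alice@example.com", "role": "Owner", "scope": SUB},
    {"principal": "bob@example.com", "role": "Owner",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principal": "carol@example.com", "role": "User Access Administrator",
     "scope": "/"},
    {"principal": "dave@example.com", "role": "Reader", "scope": SUB},
]

# Roles that can grant access to other users.
DELEGATING_ROLES = {"Owner", "User Access Administrator"}


def scope_covers(scope, resource_id):
    """True when an assignment made at `scope` is inherited by `resource_id`."""
    scope = scope.rstrip("/").lower()
    rid = resource_id.rstrip("/").lower()
    if scope == "":  # root scope "/" covers everything below it
        return True
    # Require a path boundary so rg-app does not match rg-application.
    return rid == scope or rid.startswith(scope + "/")


def who_can_delegate(resource_id, assignments=ASSIGNMENTS):
    """Principals holding a delegating role that applies to resource_id."""
    return sorted(
        a["principal"] for a in assignments
        if a["role"] in DELEGATING_ROLES and scope_covers(a["scope"], resource_id)
    )


def broad_grants(assignments=ASSIGNMENTS):
    """Delegating roles granted at root or whole-subscription scope, for review."""
    findings = []
    for a in assignments:
        parts = [p for p in a["scope"].split("/") if p]
        # [] is the root scope, ["subscriptions", "<id>"] is a whole subscription.
        if a["role"] in DELEGATING_ROLES and len(parts) <= 2:
            level = "root" if not parts else "subscription"
            findings.append((a["principal"], a["role"], level))
    return findings
```
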
In this demonstration, we added administrator permissions to a user. In the next section, we're going to configure Azure subscription policies.
With Azure Policy, you can create, assign, and manage policies. These policies can be used so that you stay compliant with your corporate standards and SLAs by enforcing different rules and effects over your Azure resources. Your resources are evaluated by the assigned policies for non-compliance. For instance, you can create a policy that only allows virtual machines from a certain SKU size in your environment. When this policy is assigned, all new and existing resources are evaluated for compliance with this policy.
To configure subscription policies, perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Subscriptions (this is if you added it to your favorites; otherwise, take the steps that we described in the previous demonstration).
In the Subscriptions overview blade, in the left-hand menu under Settings, select Policies.
In the Policies overview blade, select Assign policy to create a new policy.
On the next screen, we're going to create a definition for our policy. Add the following values to create the policy so that resources for this subscription can only be created in selected regions:
Scope: The subscription name.
Exclusions: Leave this blank; we are going to create a policy that applies to the entire subscription.
Policy definition: When you select this, you can choose from a number of available policies that you can apply to your subscription. Microsoft has created these JSON templates for you, based on the best practices from different enterprises. You can create your own templates here as well. Select a policy from the list (for instance, Allowed locations), and then click Select.
Assignment name: This is automatically filled in after selecting the policy.
Parameters: Here, you can select the allowed locations where users can deploy their resources. For instance, select Central US, East US, East US 2, West US, and West US 2.
After selecting the different regions, click the Assign button.
After applying this policy, resources for this subscription can only be created in the selected regions. If you want to add additional regions or remove regions from this policy, you can edit this later.
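How the assigned policy treats new and existing resources can be seen in the following added example, which is a simplified model and not Azure's policy engine or code from the book. The rule shape, the parameter name listOfAllowedLocations and the exemption for "global" are assumptions modelled on the Allowed locations policy; the sample resources are constructed.

```python
import re

# Rule modelled on the "Allowed locations" pattern: the effect applies when the
# resource location is outside the allowed list and is not the special "global".
RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}
# Regions chosen in the walkthrough, as typed in the portal.
PARAMS = {"listOfAllowedLocations":
          ["Central US", "East US", "East US 2", "West US", "West US 2"]}

def norm(value):
    """Treat 'East US 2' and 'eastus2' as equal (a simplification of this sketch)."""
    return value.replace(" ", "").lower()

def resolve(value, params):
    """Expand a [parameters('name')] reference; return literals unchanged."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def matches(cond, resource, params):
    """Evaluate one condition node of the rule's "if" tree against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = norm(resource.get(cond["field"], ""))
    if "notIn" in cond:
        return actual not in {norm(v) for v in resolve(cond["notIn"], params)}
    if "notEquals" in cond:
        return actual != norm(resolve(cond["notEquals"], params))
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, params=PARAMS, existing=False):
    """New deployments that match are denied; existing ones are only flagged."""
    if not matches(RULE["if"], resource, params):
        return "compliant"
    return "non-compliant" if existing else RULE["then"]["effect"]

# Constructed sample resources (names and types are placeholders).
SAMPLES = [
    {"name": "vm-web", "type": "Microsoft.Compute/virtualMachines", "location": "eastus2"},
    {"name": "vm-eu", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "dns-zone", "type": "Microsoft.Network/dnsZones", "location": "global"},
]
```
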
In the next section, we're going to implement a resource group and add a tag to it.
You can apply tags to all of your Azure resources. This way, you add extra metadata to the resource group, which can be used to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For instance, you can set the name to Environment and the value to Demo, or you can set the name to Maintenance Window and the value to Saturday 9 AM. After applying these tags, you can easily retrieve all the resources with the same tag name and value. This can be a useful feature for billing or management purposes.