Section 1 Intro
Check what is new in MS
Create a budget for subscriptions, amount and notification when limit is hit. (newbudget)
Course is frequently updated, check it.
Learning paths on MS Learn:
Azure Code Samples
Official Azure Documentation
Official Microsoft Azure YouTube Channel
Official Microsoft Developer YouTube Channel
Download the Azure SDKs for PowerShell and CLI
Official Github Repository for PowerShell Scripts
Azure REST API Browser
Microsoft Labs and Workshops – Practice is the key to success
Azure Citadel – Labs and Workshops
Microsoft Cloud Workshop – More labs and workshops
GitHub AZ-104 from Microsoft Training
Section 2 Azure concepts
very much, too much, take it bit by bit.
VM, vnet and storage (is the basics and foundation)
VM (RDP, availability sets, load balancer, etc)
A VM is generally considered Infrastructure-as-a-Service, as you retain responsibility for patching and managing the Virtual Machine Operating System.
VM abstraction on top
Batch, scale set, AKS, Fabric
App Service or web app (container app) (different from a VM), PaaS (a.k.a. platform as a service): Microsoft offers a complete platform on which clients can roll out their applications.
No maintenance of the servers or operating systems is required. After all, Microsoft also offers the operating system (Windows Server, Linux, etc.) as a service.
No RDP, fully managed servers; you have access to applications you can install:
.Net, Python etc. (developer friendly service, CI/CD , VSC, scaling, deployment slots )
Storage and data service
Cosmos, global scale (NOSQL, mongodb, documentdb etc)
Az db Mysql, PSql, MariaDb
Az cache Redis
stor.acc up to 5 PB
Blob, q, tables, files
Levels of replication (local, global)
Tiers (hot, cool, archive)
Managed and unmanaged
Az SQL db (same as on prem)
Az SQL db managed instance (in between, managed instance by MS)
SQL Server on vm
Synapse analytics (data warehouse)
Networking service and micro services
Fabric, apps on vm
Functions, small code
Logic apps, logical steps, if else
API management, in front of an API, throttle it, rules etc.
AKS containers as micro services
4 main categories
vnet, virtual wan (office to office), express route (private net and fast), vpn, dns (private public), peering (multiple network together, send traffic through)
Bastion, like RDP but more secure
NSG (access control), private link (make public private), DDos prot, FW, WAF (web application FW (recognize common attacks)), vnet endpoints
CDN, Front Door, Traffic Manager (uses DNS to distribute traffic around), Application Gateway and Load Balancer
Network watcher, express route monitor, monitor, vnet tap
But there are hundreds of services in Azure, relax, pick what is interesting.
Section 3 Powershell and CLI
Script, source control, reduce errors, form of documentation.
Azure cloud shell (store scripts in home folder) or standalone powershell with AZ lib installed
Need to know both powershell and cli
(Leave lots of time for the labs)
14 Predictable naming system cli
az vm list
az vm create
az vm delete
az keyvault list, create, delete
az network vnet list, create, delete
az network vnet subnet list, create, delete
Predictable naming system ps
Get the latest version, v7 is recommended
v5 is Windows specific
Bash CLI is the equivalent on Linux
Azure CLI is also available for Windows, OSX and Linux
PS is ObjectOriented
Can just use the cloud shell (is cross platform), it has the modules, choose ps or cli
PS module was AzureRM, now it is Az, cannot have both.
Install-Module -Name Az -AllowClobber # install/update the module
Install-Module -Name Az -AllowClobber -Force # if errors, force it; there is no update command, reinstall it with -Force
Connect-AzAccount # sign in to Azure from the session
Install Powershell 7 latest
Install Az module
16 Install PS
Scroll, leave default
Open PS7 as admin
Install-Module -Name Az -AllowClobber -Force
17 Switching subscriptions
Section 4 Manage resource groups
18 Resource groups and locks
Locks, allow to place lock to prevent accidents.
CanNotDelete (Delete) or ReadOnly (Read-only).
ReadOnly means authorized users can read a resource,
but they can't delete or update the resource, or even stop a virtual machine.
Delete (CanNotDelete) means authorized users can still read and modify a resource,
but they can't delete the resource.
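The two lock levels in Az PowerShell, as an added example (not the course's own code). It assumes an active session (Connect-AzAccount) and an existing resource group and VM; the names below are placeholders.

```powershell
# Added example: create, inspect and remove resource locks with Az PowerShell.
# Assumes you are signed in and that the resource group and VM exist (placeholder names).
$rgName = "rg-demo"
$vmName = "vm-demo"

# ReadOnly on the whole resource group: nothing inside can be changed, deleted or even stopped.
New-AzResourceLock -LockName "rg-readonly" -LockLevel ReadOnly `
    -ResourceGroupName $rgName -LockNotes "Baseline environment, change via review only" -Force

# CanNotDelete on a single VM: it can still be updated or stopped, but not deleted.
New-AzResourceLock -LockName "vm-nodelete" -LockLevel CanNotDelete `
    -ResourceGroupName $rgName -ResourceName $vmName `
    -ResourceType "Microsoft.Compute/virtualMachines" -Force

# Locks are inherited downwards: list every lock that applies to the VM,
# including the one set at resource group level.
Get-AzResourceLock -ResourceGroupName $rgName -ResourceName $vmName `
    -ResourceType "Microsoft.Compute/virtualMachines" |
    Select-Object Name, @{ n = "Level"; e = { $_.Properties.level } }, ResourceId

# Creating or removing a lock needs Microsoft.Authorization/locks/* (Owner or
# User Access Administrator), so a Contributor cannot simply unlock and delete.
Remove-AzResourceLock -LockName "rg-readonly" -ResourceGroupName $rgName -Force
```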
19 Resource group policy
Rg, policy tab, assignments, assign policy.
Can assign tags to rg and allowed locations and more.
Allowed locations, parameters, can select a limit of regions where resources can be created in.
Several policy definitions, with custom and built in types.
Audit VMs that do not use managed disks
Audit Windows VMs with a pending reboot
20 Move resources
Select the resources and move to another rg or sub.
21 Lab Policy, Lab 02b – Manage Governance via Azure Policy
- Task 1: Create and assign tags via the Azure portal
- They were added to the rg, so resources that were already created did not get the tags, e.g. a stor.acc
- Task 2: Enforce tagging via an Azure policy, search for policy
- Now we try to create a stor.acc without tags, and it fails since we need: Require Role tag with Infra value
- Delete the above policy
- Task 3: Apply tagging via an Azure policy
- Create a new policy, Inherit a tag from the resource group if missing
Create a new stor.acc from the rg, do not add tags, now it passes.
Once the new storage account is provisioned, click Go to resource button and, on the Overview blade of the newly created storage account, note that the tag Role with the value Infra has been automatically assigned to the resource.
Section 5: Manage subscriptions and governance
- Account, person / program (managed identity)
- Tenant, organization, represented with a public domain (example.onmicrosoft.com). A dedicated instance of Azure AD.
- Subscription, billing agreement (free, pay-as-, enterprise etc)
- Resource, entity managed by Azure.
- RG, organizing resources in subscription, folder structure, resources must belong to only one rg.
Add user to subscription, IAM
Cost management and billing service, where does the money go, do analysis and look at history.
Good to use tag, can filter on tags
- Enforce standard
- Built in (allowed locations, resource types, SKUs, apply tag)
- Possibility as shown above to add policy to rg
- Can also create own policy json object
Everything you do in the portal you can do in shell (ps1 or .sh)
27 Lab About policy
28 Managing Policy by Powershell
Create a policy in a definition object and assign the policy to a rg, then run New-AzPolicyAssignment -Name "Checking rules" -DisplayName "Checking the rules" -Scope $rg.ResourceId -PolicyDefinition $definition
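The custom policy JSON object from Section 5 and the assignment above, carried through end to end as an added example (not the course's code): it recreates the lab's "Role tag with value Infra" requirement for storage accounts. It assumes an active session and an existing resource group; the resource group name, policy names and tag value are placeholders.

```powershell
# Added example: define a custom policy from a JSON object, assign it to a resource group
# and query compliance. Assumes you are signed in; "rg-demo" is a placeholder.
$rg = Get-AzResourceGroup -Name "rg-demo"

# Policy rule: deny storage accounts whose Role tag does not carry the required value.
# A missing tag evaluates as null, so it is also "notEquals" and gets denied.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "tags['Role']", "notEquals": "[parameters('requiredRole')]" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$params = @'
{
  "requiredRole": {
    "type": "String",
    "metadata": { "displayName": "Required value of the Role tag" },
    "defaultValue": "Infra"
  }
}
'@

# Mode Indexed: evaluate only resource types that support tags and location.
$definition = New-AzPolicyDefinition -Name "require-role-tag-storage" `
    -DisplayName "Storage accounts must carry a Role tag" -Mode Indexed `
    -Policy $rule -Parameter $params

# Assign at resource group scope, setting the parameter explicitly.
$assignment = New-AzPolicyAssignment -Name "checking-rules" -DisplayName "Checking the rules" `
    -Scope $rg.ResourceId -PolicyDefinition $definition `
    -PolicyParameterObject @{ requiredRole = "Infra" }

# Deny only blocks new or updated resources; existing ones are reported as non-compliant.
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -PolicyAssignmentName $assignment.Name -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```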
29 Subscriptions and Management Groups
User is the lowest level (part of Active Directory), can add guest, manage, etc. Can have many subscriptions on a tenant.
Why many subscription? Multiple payers, get charged. Customer1 account, Customer2 account, so bill is correct. On user level a bit messy, admin access to all and policy definition. Answer = Management Groups
Management Groups, organizational structure (can contain subscription and other management groups), always a root group. Can move, add etc. Can assign users to a group level like rg. (Further = Blueprint (permission, policy, access in Azure)
Section 6: Monitor resources by using Azure Monitor
Monitor = home for diagnostics. VM, CPU, Network etc. For diagnostics (must turn on and enable host agent), metrics, logs and alerts.
Lets enable it on a VM, then you get performance counters, event logs, directories, crash dumps etc.
In order to have monitoring, you need a storage account.
Event logs, Collect memory dumps when a process crashes. If no processes have been specified, this will do nothing. Send your diagnostic data to other services for more insights. Additional charges may apply.
You can create as many charts as needed.
32 Baseline Environment (VIEW IT)
The course is constantly updated, so now the sections are as follows (if you see duplicate numbers just look at the header to see if you have been through it. (24.05.2021)
Section 4 Manage Azure Active Directory
Azure AD can connect to on-prem and set up synchronization (apps and users, passwords etc). Azure AD focuses on web apps and web users. On-prem AD: objects, LDAP. (There are some different functions based on price: Free, P1/P2)
Create groups, users etc. If you create a new user, it will get the default domain name as a valid login user. If you want a custom domain, you need to add it, create a TXT record (TTL for example 60 min) to prove that you own the domain; the DNS update may take up to a day to reflect the change.
23 Azure AD join
- Cloud-first or cloud-only
- When you do not have an on-prem AD
- When you do not want to put certain temporary users in your corp AD
- For remote branches with limited on-prem infra
Using Azure AD as the sign in directory for on-prem Windows 10 devices.
3 options; devices have to be configured: Windows Autopilot, Azure join settings when setting up a virtual machine, Intune / Windows Configuration Designer, or the self-service experience of signing in to Azure AD.
P2 level has all the advanced functions, Azure AD Identity Protection (risk detection with AI, policy automation, act on vulnerabilities.)
Can set high/medium risk for users logging in from a Russia location or at a certain time of day, for example, with a policy, alerts and so on. The next security setting is conditional access (based on AI and ML) and must have MFA.
Large AD, Access reviews (clean up guests, organize and track, check risk etc)
Administrative units give access to many, but not RBAC or IAM; rather to users in a location, unit, IT admin etc
Section 5 Manage Azure AD Objects
Section 6 Implement multi-factor
Section 7 Manage role-based access control (RBAC)
Section 8 Manage subscriptions and governance is done above!