1 TODO Udemy AZ-104 Microsoft Azure Administrator Exam Certification (Scott Duffy)

VM (RDP, availability sets, load balancer, etc)
A VM is generally considered Infrastructure-as-a-Service, as you retain responsibility for patching and managing the Virtual Machine Operating System.
VM abstraction on top
Batch, scale set, AKS, Fabric

App Service or web app (container app) (different then VM) PaaS (a.k.a. platform as a service), Microsoft offers a complete platform on which clients can roll out their applications.
No maintenance of the servers or operating systems is required. After all, Microsoft also offers the operating system (Windows Server, Linux, etc.) as a service.
No RDP, fully manged servers, have access to applications you can install:
.Net, Python etc. (developer friendly service, CI/CD , VSC, scaling, deployment slots )

Storage and data service
Cosmos, global scale (NOSQL, mongodb, documentdb etc)
Az db Mysql, PSql, MariaDb
Az cache Redis

Storage
stor.acc up to 5 PB
Blob, q, tables, files
Levels of replication (local, global)
Tires (hot, cool, archive)
Managed and unmanaged

Data service
Az SQL db (same as on prem)
Az SQL db managed instance (in between, managed instance by MS)
SQL Server on vm
Synapse analytics (data warehouse)

Networking service and micro services

Microservices
Fabric, apps on vm
Functions, small code
Logic apps, logiical steps, if else
API management, in front of an API, throttle it, rules etc.
AKS containers as micro services

Networking

4 main categories
Connectivity
vnet, virtual wan (office to office), express route (private net and fast), vpn, dns (private public), peering (multiple network together, send traffic through)
Bastion, like RDP but more secure

Security
NSG (access control), private link (make public private), DDos prot, FW, WAF (web application FW (recognize common attacks)), vnet endpoints

Delivery
CDN, front door, traffic manger (hack of DNS to distribute traffic around), application gateway and load balancer

Monitoring
Network watcher, express route monitor, monitor, vnet tap

But there are 100’s of services in Azure, relax, pick what is interesting.

Section 3 Powershell and CLI

13 Automation
Script, source control, reduce errors, form of documentation.
Azure cloud shell (store scripts in home folder) or standalone powershell with AZ lib installed
Need to know both powershell and cli
(Leave lots of time for the labs)

14 Predictable naming system cli

az vm list
az vm create
az vm delete
az keyvault list, create, delete
az network vnet list, create, delete
az network vnet subnet list, create, delete

Predictabel naming system ps

Get-AzVm
New-AzVM
Remove-AzVm
Get-AzKeyVault
New-AzKeyVault
Remove-AzKeyVault
Get-AzVirtualNetwork
New-AzVirtualNetwork
Remove-AzVirtualNetwork

15 Powershell
Get latest version v7 is recommended
v5 is windows spesific
Bash cli is the equivaleint on linux
Azure cli also avaliable for windows, OSX and Linux
PS is ObjectOriented

Can just use the cloud shell (is cross platform), it has the modules, choose ps or cli

PS Module was AzureRM, now it is AZ, can not have both.

Install-Module -Name Az - AllowClobber
# update module
Install-Module -Name Az - AllowClobber -Force
# if errors, force it, no update command, reinstall it with force
Connect-AzConnect

Lab:
Install Powershell 7 latest
Install Az module

16 Install PS

https://github.com/PowerShell/PowerShell

Scroll, leave default
PowerShell-7.1.0-win-x64.msi
Open PS7 as admin

Install-Module -Name Az – AllowClobber -Force

17 Switching subscriptions

Section 4 Manage resource groups

18 Resource groups and locks

Locks, allow to place lock to prevent accidents.
Lock type
CanNotDelete (Delete) or ReadOnly (Read-only).

Readonly, means authorized users can read a resource,
but they can’t delete or update the resource, or even stop a virtual machine.

Delete, means authorized users can still read and modify a resource,
but they can’t delete the resource.

19 Resource group policy

Rg, policy tab, assignments, assign policy.
Can assign tags to rg and allowed locations and more.
Allowed locations, parameters, can select a limit of regions where resources can be created in.

Several policy definitions, with custom and built in types.

Built in

Audit VMs that do not use managed disks
Audit Windows VMs with a pending reboot

20 Move resources

Select the resources and move to another rg or sub.

21 Lab Policy, Lab 02b – Manage Governance via Azure Policy

https://github.com/MicrosoftLearning/AZ-104-MicrosoftAzureAdministrator/blob/master/Instructions/Labs/LAB_02b-Manage_Governance_via_Azure_Policy.md

Task 1: Create and assign tags via the Azure portal
They were added to the rg, so all resources that is already created did not get the tags, i.e a stor.acc

Task 2: Enforce tagging via an Azure policy, search for policy

Now we try to create a stor.acc without tags, and it fails since we need: Require Role tag with Infra value

Delete the above policy
Task 3: Apply tagging via an Azure policy
Create a new policy, Inherit a tag from the resource group if missing

Create a new stor.acc from the rg, do not add tags, now it passes.

Once the new storage account is provisioned, click Go to resource button and, on the Overview blade of the newly created storage account, note that the tag Role with the value Infra has been automatically assigned to the resource.

Section 5: Manage subscriptions and governance

Account, person / program (manged identity)
Tenant, organization, represented with public domain (example.onmicrosoft.con). A dedicated instance of Azure AD.
Subscription, billing agreement (free, pay-as-, enterprise etc)
Resource, entity managed by Azure.
RG, organizing resources in subscription, folder structure, resources must belong to only one rg.

Add user to subscription, IAM

Cost management and billing service, where does the many go, do analysis and look at history.

Good to use tag, can filter on tags

Azure policy

Enforce standard
Built in (allowed locations, resource types, SKUs, apply tag)
Possibility as shown above to add policy to rg
Can also create own policy json object

Everything you do in the portal you can do in shell (ps1 or .sh)

27 Lab About policy

28 Managing Policy by Powershell

Create a policy in a definition object and assign the policy to a rg, then make New-AzPolicyAssigment -Name “Checking rules” -DisplayName “Checking the rules” -Scope $rg.ResourceId -PolicyDefinition $defintion

29 Subscriptions and Management Groups

User is the lowest level (part of Active Directory), can add guest, manage, etc. Can have many subscriptions on a tenant.

Why many subscription? Multiple payers, get charged. Customer1 account, Customer2 account, so bill is correct. On user level a bit messy, admin access to all and policy definition. Answer = Management Groups

Management Groups, organizational structure (can contain subscription and other management groups), always a root group. Can move, add etc. Can assign users to a group level like rg. (Further = Blueprint (permission, policy, access in Azure)

Section 6: Monitor resources by using Azure Monitor

31 Diagnostics

Monitor = home for diagnostics. VM, CPU, Network etc. For diagnostics (must turn on and enable host agent), metrics, logs and alerts.

Lets enable it on a VM, then you get performance counters, event logs, directories, crash dumps etc.

In order to have monitoring, you need a storage account.

Event logs, Collect memory dumps when a process crashes. If no processes have been specified, this will do nothing. Send your diagnostic data to other services for more insights. Additional charges may apply.

You can create as many charts as needed.

32 Baseline Environment (VIEW IT)

The course is constantly updated, so now the sections are as follows (if you see duplicate numbers just look at the header to see if you have been through it. (24.05.2021)

Section 4 Manage Azure Active Directory

Azure AD can connect to Onprem and set up synchronization (app and users, passwords etc). Azure AD focus on web apps and web user. Onprem AD, objects, LDAP. (There are some different functions based on prize, Free, P1/P2)

Create groups, users etc. If you create a new user, it will get the default domain name as a valid login user. If you want a custom domain, you need to make it ,and a a txt record and TTL with for example 60min and prove that you own the domain, DNS update (1 day maybe to reflect changes)

23 Azure AD join

Cloud-first or cloud-only
When you do not have an on-prem AD
When you do not want to put certain temporary users in your corp AD
For remote branches with limited on-prem infra

Using Azure AD as the sign in directory for on-prem Windows 10 devices.

3 options; Devices has to be configured, windows autopilot, Azure join settings when setting up virtual machine, in-tune/windows configuration designer or self-service experiences and sign in to Azure AD.

P2 level has all the advanced functions, Azure AD Identity Protection (risk detection with AI, policy automation, act on vulnerabilities.)

Can set high/medium risk for users login in from Russia location or time in day for example with a policy, alerts and so on. Next security setting is conditional access (based on AI and ML) and must have MFA.

Large AD, Access reviews (clean up guest,organize and track, check risk etc)

Administrative unit give access to many, but not RACK or IAM, but to users in a location, unit, IT -admin etc

Section 5 Manage Azure AD Objects

Section 6 Implement multi-factor

Section 7 Manage role-based access control (RBAK)

Section 8 Manage subscriptions and governance is done above!