Join Sharon Bennett for an in-depth discussion in this video Manage Azure subscriptions, part of Exam Tips: Microsoft Azure Administrator (AZ-103).
- [Instructor] Exam AZ-100 focuses on managing Azure subscriptions. But before we dive into some of the specific objectives, you need to be aware of the Azure scaffold. The scaffold is a design hierarchy for Azure, starting off with the enterprise level. So this is the top level. Next, it will be broken down into departments, and you can break these departments down in various ways. For example, you could break them down by location, let's say North America and Europe, or by function, HR and IT. Each of these departments will then have accounts, and from there, we'll have various subscriptions. And it's at the subscription level that we'll have our Azure resources.

There are three administrator roles in Azure, and the first one being the classic administrator. Now, you probably will never see this on a current Azure exam, but I did want to make you aware of that role. Next, we have the Azure RBAC roles, and these should not be confused with the Azure Active Directory administrative roles. There are over 70 built-in RBAC roles in Azure today, and there's a special role called the User Access Administrator, and we'll talk about that role in a moment. And if you need more granularity than what the 70 built-in roles provide, you can go ahead and create your own custom roles. And for the exam, you should be aware of how to create a custom role.

The top three RBAC roles are the owner, which has full access to all of the resources. We have a contributor role, and the contributor cannot delegate access to other users, but they can create and manage resources. And finally, we have the reader role, and they can only view Azure resources.

In order to assign RBAC administrative permissions, you'll need to do so at the subscription level. It's from here that you'll have the ability to add permissions by selecting a role, whether that be owner, reader, contributor, or any of the 70 built-in roles. You will then go ahead and assign access to an Azure AD user, group, or application.
And finally, you'll select your user.

I mentioned earlier the User Access Administrator role, which is a special account that allows you access to all the Azure resources at the root scope. Microsoft recommends you only use this account for temporary access. And you'll enable this special role through Azure Active Directory, not the subscription. And you'll find that in Properties, and then you just toggle on Access Management.

For the exam, you'll also need to know how to view cost center quotas, and you'll do that, again, at the subscription level, by selecting Usage & Quotas, and it's here that you'll see the current usage of your resources, and if you need to request an increase, this is also where you'll do it.

You'll also need to know how to configure and tag your resources to allow sorting resources based on that specific tag. A tag contains two parts, the name and value. For example, Finance: Production or Finance: Dev. You're allowed 15 tags per resource, and in order to apply a tag, write access is required to that resource. You can configure tags using the portal by selecting your resource. In our example here, we have the resource group. You can go ahead, select Tags, and then enter in the name and value of the tag. You can also apply tags using PowerShell by simply using the cmdlet Set-AzureRmResourceGroup, providing the name of the resource group and then the tag, specifying the name and value. And to remove a tag from a resource group, you'll simply use Set-AzureRmResourceGroup, specifying the tag, removing the name and value from the brackets and then supplying the resource group name.

Now we're moving on to Azure policies, which are a set of rules to ensure compliancy. Policies will scan resources and provide reporting, and we use them to ensure that SLAs and corporate policies are being met. We can apply Azure policies at the subscription level or to specific resources.
Within Azure policies, we have two types of assignment options, the first one being the policy itself, and this is just an individual policy. The second type is an initiative, which is a group of individual policies which will then be applied.

There are three components to either a policy or an initiative, and the first component is a definition, which contains the conditions which the policy or initiative will report on, and if it's configured to do so, will enforce. Next, we have the assignment, and this is simply applying the initiative or policy to a specific scope, and that can be applied to a subscription or a resource group. Now keep in mind that the assignments are inherited by all the child resources. And finally, we have parameters, which will reduce the number of definitions by using generic values. For example, instead of creating a separate policy for each allowed location, you could include all of the allowed locations.

The key points to remember are to know where to enable the User Access Administrator, understand the components of a policy, know how to use tags for reporting, and be familiar with RBAC and how it is used to control access to Azure resources.
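
The three policy components described in the transcript (definition, assignment, parameters) and the tagging cmdlet it names, shown together as an added example that is not part of the video or the course material. It assumes the AzureRM module and a signed-in session; the resource group, definition and assignment names and the two regions are hypothetical.

```powershell
# Added illustration; every name below is hypothetical.
# Assumes the AzureRM module and an existing session (Connect-AzureRmAccount).
$rgName = 'rg-finance-dev'

# Definition: the condition is written once against a parameter, so a single
# definition covers any list of regions. "audit" only reports non-compliant
# resources; change the effect to "deny" to enforce.
$rule = @'
{
  "if": {
    "not": { "field": "location", "in": "[parameters('allowedLocations')]" }
  },
  "then": { "effect": "audit" }
}
'@

# Parameter declaration: the generic value the rule refers to.
$parameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed locations",
      "description": "Regions in which resources may be deployed"
    }
  }
}
'@

$definition = New-AzureRmPolicyDefinition -Name 'allowed-locations-example' `
    -DisplayName 'Allowed locations (example)' `
    -Policy $rule -Parameter $parameters

# Assignment: bind the definition to a scope and supply the parameter values.
# Resources inside the resource group inherit the assignment.
$rg = Get-AzureRmResourceGroup -Name $rgName
New-AzureRmPolicyAssignment -Name 'finance-dev-locations' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedLocations = @('northeurope', 'westeurope') }

# Tagging: -Tag replaces the group's whole tag set, so merge with the existing
# tags first instead of passing only the new name/value pair.
$tags = $rg.Tags
if (-not $tags) { $tags = @{} }
$tags['Finance'] = 'Dev'
Set-AzureRmResourceGroup -Name $rgName -Tag $tags
(Get-AzureRmResourceGroup -Name $rgName).Tags   # confirm what is now applied
```
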
- Managing Azure subscriptions
- Managing resources and resource groups
- Managing Azure storage
- Implementing backups
- Automating deployment of virtual machines
- Managing virtual machines
- Managing virtual networks
- Implementing load balancing
- Managing Azure Active Directory
- Implementing Azure Multi-Factor Authentication