Self-study: AZ-104 Microsoft Azure Administrator

Microsoft Learn course

Learning paths in the AZ-104 Azure Administrator series:

AZ-104: Implement and manage storage in Azure

Azure Storage supports three categories of data:

type of data | description | storage example
structured data | stored in a relational format that has a shared schema | Tables (an autoscaling NoSQL store)
unstructured data | nonrelational | Azure Blob Storage and Azure Data Lake Storage
virtual machine data | disks and files: disks are persistent block storage for Azure IaaS virtual machines, files are fully managed file shares in the cloud | provided through Azure managed disks

Azure storage services:

storage service | description
Azure Blob Storage | object storage for unstructured/nonrelational data; accessed via HTTP/S, REST, PowerShell, Azure CLI and client libraries
Azure Files | network file shares; SMB, NFS, REST and storage client libraries; authentication with storage account credentials
Azure Queue Storage | often used with Azure Functions; store and retrieve messages; message size 64 KB
Azure Table Storage | nonrelational (NoSQL) data; the newer Azure Cosmos DB Table API; schemaless

Considerations choosing Azure storage services:

  • Consider storage optimization for massive data. Azure Blob Storage is optimized for storing massive amounts of unstructured data. Objects in Blob Storage can be accessed from anywhere in the world via HTTP or HTTPS. Blob Storage is ideal for serving data directly to a browser, streaming data, and storing data for backup and restore.
  • Consider storage with high availability. Azure Files supports highly available network file shares. On-premises apps use file shares for easy migration. By using Azure Files, all users can access shared data and tools. Storage account credentials provide file share authentication to ensure all users who have the file share mounted have the correct read/write access.
  • Consider storage for messages. Use Azure Queue Storage to store large numbers of messages. Queue Storage is commonly used to create a backlog of work to process asynchronously.
  • Consider storage for structured data. Azure Table Storage is ideal for storing structured, nonrelational data. It provides throughput-optimized tables, global distribution, and automatic secondary indexes. Because Azure Table Storage is part of Azure Cosmos DB, you have access to a fully managed NoSQL database service for modern app development.

AZ-104: Deploy and manage Azure compute resources

AZ-104: Configure and manage virtual networks for Azure administrators

AZ-104: Manage identities and governance in Azure


Microsoft Entra ID is a different service, much more focused on providing identity management services to web-based apps, unlike AD DS, which is more focused on on-premises apps. The term tenant represents an individual Microsoft Entra instance. Within an Azure subscription, you can create multiple Microsoft Entra tenants. A tenant name consists of a prefix, derived from the name of the Microsoft account you use to create an Azure subscription or provided explicitly when creating a Microsoft Entra tenant, followed by the onmicrosoft.com suffix.


  • Directory services: storing and publishing user, device, and application data, and handling the authentication and authorization of those users, devices, and applications.
  • Organizational units (OUs): organizing objects based on their group membership.
  • The application and servicePrincipal classes represent applications in Microsoft Entra ID. Separating these two sets of characteristics allows you to define an application in one tenant and use it across multiple tenants by creating a service principal object for this application in each tenant. Microsoft Entra ID creates the service principal object when you register the corresponding application in that Microsoft Entra tenant.


AD DS:

  • AD DS is a true directory service, with a hierarchical X.500-based structure.
  • AD DS uses Domain Name System (DNS) for locating resources such as domain controllers.
  • You can query and manage AD DS by using Lightweight Directory Access Protocol (LDAP) calls.
  • AD DS primarily uses the Kerberos protocol for authentication.
  • AD DS uses OUs and GPOs for management.
  • AD DS includes computer objects, representing computers that join an Active Directory domain.
  • AD DS uses trusts between domains for delegated management.

Microsoft Entra ID:

  • Microsoft Entra ID is primarily an identity solution, and it’s designed for internet-based applications by using HTTP (port 80) and HTTPS (port 443) communications.
  • Microsoft Entra ID is a multi-tenant directory service.
  • Microsoft Entra users and groups are created in a flat structure, and there are no OUs or GPOs.
  • You can’t query Microsoft Entra ID by using LDAP; instead, Microsoft Entra ID uses the REST API over HTTP and HTTPS.
  • Microsoft Entra ID doesn’t use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication, and uses OAuth for authorization.
  • Microsoft Entra ID includes federation services, and many third-party services such as Facebook are federated with and trust Microsoft Entra ID.

Entra ID for custom web apps: you can enable Microsoft Entra authentication for the Web Apps feature of Azure App Service directly from the Authentication/Authorization blade in the Azure portal. By designating the Microsoft Entra tenant, you can ensure that only users with accounts in that directory can access the website. It’s possible to apply different authentication settings to individual deployment slots. (source)

Microsoft Entra ID P1 and P2 plans:

P1:

  • Self-service group management.
  • Advanced security reports and alerts.
  • Multi-factor authentication.
  • Microsoft Identity Manager (MIM) licensing. MIM integrates with Microsoft Entra ID P1 or P2 to provide hybrid identity solutions.
  • Enterprise SLA of 99.9%.
  • Password reset with writeback.
  • Cloud App Discovery feature of Microsoft Entra ID.
  • Conditional Access based on device, group, or location.
  • Microsoft Entra Connect Health.

P2:

  • Microsoft Entra ID Protection. This feature provides enhanced functionalities for monitoring and protecting user accounts. You can define user risk policies and sign-in policies. In addition, you can review users’ behavior and flag users for risk.
  • Microsoft Entra Privileged Identity Management. This functionality lets you configure additional security levels for privileged users such as administrators. With Privileged Identity Management, you define permanent and temporary administrators. You also define a policy workflow that activates whenever someone wants to use administrative privileges to perform some task.

Microsoft Entra Domain Services provides several benefits for organizations, such as:

  • Administrators don’t need to manage, update, and monitor domain controllers.
  • Administrators don’t need to deploy and manage Active Directory replication.
  • There’s no need to have Domain Admins or Enterprise Admins groups for domains that Microsoft Entra ID manages.

If you choose to implement Microsoft Entra Domain Services, you need to be aware of the service’s current limitations. These include:

  • Only the base computer Active Directory object is supported.
  • It’s not possible to extend the schema for the Microsoft Entra Domain Services domain.
  • The organizational unit (OU) structure is flat and nested OUs aren’t currently supported.
  • There’s a built-in Group Policy Object (GPO), and it exists for computer and user accounts.
  • It’s not possible to target OUs with built-in GPOs. Additionally, you can’t use Windows Management Instrumentation filters or security-group filtering.

AZ-104: Prerequisites for Azure administrators

Deploy Azure infrastructure by using JSON ARM templates

ARM templates are JavaScript Object Notation (JSON) files that define the infrastructure and configuration for your deployment. The template uses a declarative syntax. The declarative syntax is a way of building the structure and elements that outline what resources look like without describing the control flow. Declarative syntax is different from imperative syntax, which uses commands for the computer to perform. Imperative scripting focuses on specifying each step in deploying the resources. ARM templates are idempotent, which means you can deploy the same template many times and get the same resource types in the same state.

element | description
schema | A required section that defines the location of the JSON schema file that describes the structure of JSON data. The version number you use depends on the scope of the deployment and your JSON editor.
contentVersion | A required section that defines the version of your template (such as 1.0.0.0). You can use this value to document significant changes in your template to ensure you’re deploying the right template.
apiProfile | An optional section that defines a collection of API versions for resource types. You can use this value to avoid having to specify API versions for each resource in the template.
parameters | An optional section where you define values that are provided during deployment. You can provide these values in a parameter file, by command-line parameters, or in the Azure portal.
variables | An optional section where you define values that are used to simplify template language expressions.
functions | An optional section where you can define user-defined functions that are available within the template. User-defined functions can simplify your template when complicated expressions are used repeatedly in your template.
resources | A required section that defines the actual items you want to deploy or update in a resource group or a subscription.
outputs | An optional section where you specify the values that are returned at the end of the deployment.

To add a resource to your template, you need to know the resource provider and its types of resources. The syntax for this combination is in the form of {resource-provider}/{resource-type}. For example, to add a storage account resource to your template, you need the Microsoft.Storage resource provider. One of the types for this provider is storageAccounts. So your resource type is displayed as Microsoft.Storage/storageAccounts.
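As an added example (not from the Microsoft Learn module), a small Python checker that applies the element rules from the table above to a constructed template: it requires schema, contentVersion and resources, checks that each resource type has the {resource-provider}/{resource-type} form, requires an apiVersion unless the template supplies an apiProfile, and flags parameters()/variables() references that have no declaration. The sample template, its apiVersion and the regexes are assumptions made for this example.

```python
import json
import re

# Constructed sample template (not from the page): one storage account, using the
# elements listed above. The type follows the {resource-provider}/{resource-type} form.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"storageName": {"type": "string"},
                   "storageSKU": {"type": "string", "defaultValue": "Standard_LRS"}},
    "variables": {"location": "[resourceGroup().location]"},
    "resources": [{"type": "Microsoft.Storage/storageAccounts",
                   "apiVersion": "2022-09-01",   # assumed API version for the example
                   "name": "[parameters('storageName')]",
                   "location": "[variables('location')]",
                   "sku": {"name": "[parameters('storageSKU')]"},
                   "kind": "StorageV2"}],
    "outputs": {"storageId": {"type": "string",
                "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageName'))]"}},
})

REQUIRED = ("$schema", "contentVersion", "resources")               # required sections
RESOURCE_TYPE = re.compile(r"^Microsoft\.[A-Za-z]+(/[A-Za-z]+)+$")  # Microsoft.Provider/type[/child]
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
VAR_REF = re.compile(r"variables\('([^']+)'\)")


def validate_template(text):
    """Return a list of problems found in an ARM template JSON string; [] means it passed."""
    tpl = json.loads(text)
    problems = [f"missing required section: {key}" for key in REQUIRED if key not in tpl]
    for res in tpl.get("resources", []):
        rtype = res.get("type", "")
        if not RESOURCE_TYPE.match(rtype):
            problems.append(f"resource type not in provider/type form: {rtype!r}")
        # each resource needs an apiVersion unless the template supplies an apiProfile
        if "apiVersion" not in res and "apiProfile" not in tpl:
            problems.append(f"no apiVersion for resource {rtype!r} and no apiProfile in template")
    # every parameters('x') / variables('x') expression must name something declared
    declared_params = set(tpl.get("parameters", {}))
    declared_vars = set(tpl.get("variables", {}))
    for name in PARAM_REF.findall(text):
        if name not in declared_params:
            problems.append(f"undeclared parameter referenced: {name}")
    for name in VAR_REF.findall(text):
        if name not in declared_vars:
            problems.append(f"undeclared variable referenced: {name}")
    return problems
```

Running validate_template on a template that omits schema, uses a bare type name and references an undeclared parameter returns one problem per defect, which is the kind of check worth running before New-AzResourceGroupDeployment is ever called.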

Commands

command | type | result
New-AzVM | Azure PowerShell | creates a VM inside your subscription
az login | Azure CLI | signs in to Azure
az vm create | Azure CLI | creates a VM
New-AzResourceGroupDeployment | Azure PowerShell | adds an Azure deployment to a resource group

Example of a PowerShell deployment command with template parameters passed as added flags:

# Build a dated deployment name so each run is easy to find in the deployment history
$today = Get-Date -Format "MM-dd-yyyy"
$deploymentName = "addSkuParameter-" + "$today"
# Path to the template file (assumed here; point it at your own template)
$templateFile = "azuredeploy.json"
# storageName and storageSKU are parameters declared in the template and are passed as extra flags.
# This assumes a default resource group has been set; otherwise add -ResourceGroupName <name>.
New-AzResourceGroupDeployment `
  -Name $deploymentName `
  -TemplateFile $templateFile `
  -storageName {your-unique-name} `
  -storageSKU Standard_GRS

Notes

Azure management options:

  • Azure portal
  • Azure PowerShell and Azure Command Line Interface (CLI)
  • Azure Cloud Shell (web-based CLI)
  • Azure mobile app

Azure Cloud Shell

Select the Cloud Shell icon (>_) to create a new Azure Cloud Shell session.

Networking

A network security group (NSG) can be assigned to a network interface. NSGs can be associated with subnets or with individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the access control list (ACL) rules apply to all virtual machine instances of that subnet.

The SKU value (Basic or Standard) of a public IP address must match the SKU of the Azure load balancer with which the address is used.

ARM

ARM template parameters let you customize the deployment by providing values that are tailored for a particular environment.

Output values: “You use outputs when you need to return values from the deployed resources.” (source) Idempotent: “Recall that ARM templates are idempotent, which means you can deploy the template to the same environment again, and if nothing changes in the template, nothing changes in the environment.” (source)

Azure Backup

Azure Backup can provide backup services for the following data assets:

  • On-premises files, folders, and system state
  • Azure Virtual Machines (VMs)
  • Azure Managed Disks
  • Azure Files shares
  • SQL Server in Azure VMs
  • SAP HANA (High-performance Analytic Appliance) databases in Azure VMs
  • Azure Database for PostgreSQL servers
  • Azure Blobs
  • Azure Database for PostgreSQL - Flexible servers
  • Azure Database for MySQL - Flexible servers
  • Azure Kubernetes clusters


The simplest explanation of Azure Backup is that it backs up data, machine state, and workloads running on on-premises machines and VM instances to the Azure cloud. Azure Backup stores the backed-up data in Recovery Services vaults and Backup vaults. For on-premises Windows machines, you can back up directly to Azure with the Azure Backup Microsoft Azure Recovery Services (MARS) agent. (source)

If you only want to back up the files, folders, and system state on the Azure VMs, you can use the Microsoft Azure Recovery Services (MARS) agent.

Azure Backup architecture layers:

  • Workload integration layer (Backup extension): integration with the actual workload, such as Azure virtual machines (VMs) or Azure Blobs, happens at this layer.
  • Data plane, access tiers: there are three access tiers where the backups can be stored. Snapshot tier: a snapshot is taken and stored along with the disk, which restores faster than restoring from the vault. Standard tier: backup data is stored in the vault. Archive tier: long-term retention of backup data that is rarely accessed and is stored for compliance needs.
  • Data plane, availability and security: the backup data is replicated across zones or regions, based on the redundancy the user specifies.
  • Management plane (Recovery Services vault/Backup vault and Backup center): the vault provides an interface for the user to interact with the backup service.

Virtual network service endpoints: secure Azure service resources exclusively to your virtual networks, enabling private IP addresses to reach Azure services without requiring public IP addresses.

Characteristics of a network security group (NSG):

  • A network security group contains a list of security rules that allow or deny inbound or outbound network traffic.
  • A network security group can be associated to a subnet or a network interface.
  • A network security group can be associated multiple times.
  • You create a network security group and define security rules in the Azure portal.
  • Each network interface that exists in a subnet can have zero, or one, associated network security groups.
  • Each subnet can have a maximum of one associated network security group.

Security rules for an NSG:

setting | value
source | Any, IP address, service tag, application security group
protocol | TCP, UDP, ICMP
etc. | etc.

  • You can’t remove the default security rules.
  • You can override a default security rule by creating another rule with a higher priority (a lower priority number).
  • Inbound rule processing: the rules of the subnet NSG are processed first, then the rules of the NIC NSG.
  • Outbound rule processing: the rules of the NIC NSG are processed first, then the rules of the subnet NSG.
  • General processing: rules also apply to intra-subnet traffic (between VMs in the same subnet).
  • Priority: the lower the value, the higher the priority of the rule.

Default rules inbound:

priority | name | port | protocol | source | destination | action
65000 | AllowVnetInbound | Any | Any | VirtualNetwork | VirtualNetwork | Allow
65001 | AllowAzureLoadBalancerInbound | Any | Any | AzureLoadBalancer | Any | Allow
65500 | DenyAllInbound | Any | Any | Any | Any | Deny

Default rules outbound:

priority | name | port | protocol | source | destination | action
65000 | AllowVnetOutBound | Any | Any | VirtualNetwork | VirtualNetwork | Allow
65001 | AllowInternetOutbound | Any | Any | Any | Internet | Allow
65500 | DenyAllOutBound | Any | Any | Any | Any | Deny

Application security groups (ASG)

Application security groups (ASG):

  • You can join a VM to an ASG and use the ASG as source or destination in NSG rules.
  • By organizing VMs into ASGs, you don’t need to distribute servers across specific subnets.
  • ASGs help eliminate multiple rule sets (for example one per VM) and reduce maintenance.
  • Service tags can also help: they represent a group of IP address prefixes from a specific Azure service.
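The rule processing described above (priority order, non-removable default rules overridden by a lower priority number, subnet NSG before NIC NSG for inbound traffic) and the use of an ASG as a rule destination, as an added Python simulation that is not part of the Microsoft Learn module. It assumes a simplified model: service tags are matched by name rather than expanded to address prefixes, and a None rule list means no NSG at that scope. The ASG, rules and packets are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int       # lower number = higher priority, evaluated first
    name: str
    port: str           # "Any" or a port number as a string
    protocol: str       # "Any", "TCP", "UDP" or "ICMP"
    source: str         # "Any", an IP address, a service tag, or an ASG name
    destination: str
    action: str         # "Allow" or "Deny"

# Default inbound rules from the table above: they cannot be removed, only overridden
# by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInbound", "Any", "Any", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInbound", "Any", "Any", "AzureLoadBalancer", "Any", "Allow"),
    Rule(65500, "DenyAllInbound", "Any", "Any", "Any", "Any", "Deny"),
]

def _field_matches(rule_value, packet_value, asg_members):
    """Match on Any, on an exact value (IP or service tag name), or on ASG membership."""
    if rule_value in ("Any", packet_value):
        return True
    return packet_value in asg_members.get(rule_value, set())   # rule names an ASG

def evaluate_nsg(custom_rules, packet, asg_members=None):
    """One NSG: custom rules plus the defaults, sorted by priority; the first match decides."""
    asg_members = asg_members or {}
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if all(_field_matches(getattr(rule, f), packet[f], asg_members)
               for f in ("port", "protocol", "source", "destination")):
            return rule.action, rule.name
    return "Deny", "no-match"   # unreachable: DenyAllInbound matches everything

def inbound_decision(subnet_rules, nic_rules, packet, asg_members=None):
    """Inbound order: subnet NSG first, then NIC NSG; a Deny at either scope is final."""
    for scope_rules in (subnet_rules, nic_rules):
        if scope_rules is None:            # no NSG associated at this scope
            continue
        action, name = evaluate_nsg(scope_rules, packet, asg_members)
        if action == "Deny":
            return "Deny", name
    return "Allow", "allowed at every scope"

# Constructed sample: web VMs grouped in an ASG, HTTPS from the Internet allowed to that ASG only.
ASG_MEMBERS = {"webServers": {"10.0.0.4", "10.0.0.5"}}
SUBNET_RULES = [Rule(100, "AllowHttpsToWebServers", "443", "TCP", "Internet", "webServers", "Allow")]
HTTPS_PACKET = {"port": "443", "protocol": "TCP", "source": "Internet", "destination": "10.0.0.4"}
```

With these inputs an HTTPS packet to 10.0.0.4 is allowed by the subnet rule, an SSH packet falls through to DenyAllInbound, and a Deny rule on the NIC NSG blocks HTTPS even though the subnet NSG allowed it.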

Summary of network security groups:

  • Network security groups are essential for controlling network traffic in Azure virtual networks.
  • NSG rules are evaluated and processed based on priority and can be created for subnets and network interfaces.
  • Effective NSG rules can be achieved by considering rule precedence, intra-subnet traffic, and managing rule priority.
  • Application security groups provide an application-centric view of infrastructure and simplify rule management.