AZ-104: Manage identities and governance in Azure Flashcards

1
Q

Azure AD Permissions and roles

A

Permissions and roles
Azure AD uses permissions to help you control the access rights a user or group is granted. This is done through roles. Azure AD has many roles with different permissions attached to them. When a user is assigned a specific role, they inherit permissions from that role. For example, a user assigned to the User Administrator role can create and delete user accounts.
Understanding when to assign the correct type of role to the right user is a fundamental and crucial step in maintaining privacy and security compliance. If the wrong role is assigned to the wrong user, the permissions that come with that role can allow the user to cause serious damage to an organization.

2
Q

Azure AD Administrator roles

A

Administrator roles in Azure AD allow users elevated access to control who is allowed to do what. You assign these roles to a limited group of users to manage identity tasks in an Azure AD organization. You can assign administrator roles that allow a user to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and more.

3
Q

Azure AD Member users

A

A member user account is a native member of the Azure AD organization that has a set of default permissions like being able to manage their profile information. When someone new joins your organization, they typically have this type of account created for them.
Anyone who isn’t a guest user or isn’t assigned an administrator role falls into this type.

4
Q

Azure AD Guest users

A

Guest users have restricted Azure AD organization permissions. When you invite someone to collaborate with your organization, you add them to your Azure AD organization as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users sign in with their own work, school, or social identities. By default, Azure AD member users can invite guest users. This default can be disabled by someone who has the User Administrator role.

5
Q

PowerShell invite guest user command

A

New-AzureADMSInvitation

6
Q

Azure AD deleted user retention period

A

When you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored.

7
Q

Access management in Azure

A

Azure AD roles: Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more.
Role-based access control (RBAC) for Azure resources: Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage. For example, you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription.

8
Q

Azure AD - Ways you can assign access rights:

A

Direct assignment: Assign a user the required access rights by directly assigning a role that has those access rights.
Group assignment: Assign a group the required access rights, and members of the group will inherit those rights.
Rule-based assignment: Use rules to determine a group membership based on user or device properties. For a user account or device’s group membership to be valid, the user or device must meet the rules. If the rules aren’t met, the user account or device’s group membership is no longer valid. The rules can be simple: you can select prewritten rules or write your own advanced rules.

9
Q

Modify the group to use dynamic assignment

A

You can change the group to use dynamic assignment. Membership then depends on whether a user meets the rules you set for the group.
Select Properties.
Change Membership type to Dynamic User. Select Save.
Select Add dynamic query.

10
Q

Azure Active Directory B2B

A

With Azure Active Directory B2B, you don’t have to manage your external users’ identities. The partner has the responsibility to manage its own identities. External users continue to use their current identities to collaborate with your organization.

11
Q

Why use Azure AD B2B instead of federation?

A

With Azure AD B2B, you don’t take on the responsibility of managing and authenticating the credentials and identities of partners. Giving access to external users is much easier than in a federation. You don’t need an AD administrator to create and manage external user accounts. Any authorized user can invite other users. A federation is where you have a trust established with another organization, or a collection of domains, for shared access to a set of resources. You might be using an on-premises identity provider and authorization service like Active Directory Federation Services (AD FS) that has an established trust with Azure AD. To get access to resources, all users have to provide their credentials and successfully authenticate against the AD FS server.

12
Q

on-premises federation with Azure AD might be good if

A

Your organization wants all authentication to Azure resources to happen in the local environment. Administrators can implement more rigorous levels of access control. But this means that, if your local environment is down, users can’t access the Azure resources and services they need.

13
Q

Azure AD instance

A

When a company or organization signs up to use one of these offerings, they are assigned a default directory, an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has purchased. This default directory can be referred to as a tenant. A tenant represents the organization and the default directory assigned to it.

14
Q

Microsoft cloud-based offerings which can use Azure AD

A
Microsoft offers several cloud-based offerings today - all of which can use Azure AD to identify users and control access.
Microsoft Azure
Microsoft 365
Microsoft Intune
Microsoft Dynamics 365
15
Q

Subscriptions in Azure

A

Subscriptions in Azure are both a billing entity and a security boundary. Resources such as virtual machines, websites, and databases are associated with a single subscription. Each subscription also has a single account owner responsible for any charges incurred by resources in that subscription. If your organization wants a subscription billed to another account, you can transfer the subscription. A subscription is associated with a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory.

16
Q

Users and groups added to multiple subscriptions

A

When you add a user to a subscription, the user must be known to the associated directory.

17
Q

access to Azure resources

A

A user account contains all the information needed to authenticate the user during the sign-on process. Once authenticated, Azure AD builds an access token to authorize the user and determine what resources they can access and what they can do with those resources.

18
Q

Azure AD defines users in three ways

A

Cloud identities - These users exist only in Azure AD. Their source is Azure Active Directory, or External Azure Active Directory if the user is defined in another Azure AD instance but needs access to subscription resources controlled by this directory. When these accounts are removed from the primary directory, they are deleted.
Directory-synchronized identities - These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users into Azure. Their source is Windows Server AD.
Guest users - These users exist outside Azure. Their source is Invited user.

19
Q

Adding Azure AD users

A

You can add cloud identities to Azure AD in multiple ways:
Syncing an on-premises Windows Server Active Directory
Using the Azure portal
Using the command line
Other options

20
Q

add users to Azure AD Other options

A

You can also add users to Azure AD programmatically using the Azure AD Graph API, or through the Microsoft 365 Admin Center and the Microsoft Intune Admin console if you are sharing the same directory.

21
Q

Azure AD membership type

A

Assigned (static). The group will contain specific users or groups that you select.
Dynamic user. You create rules based on characteristics to enable attribute-based dynamic memberships for groups. You can set up a rule for dynamic membership on security groups or on Microsoft 365 groups. This feature requires an Azure AD Premium P1 license.
Dynamic device. You create rules based on characteristics to enable attribute-based dynamic memberships for groups. You can set up a rule for dynamic membership on security groups or on Microsoft 365 groups. This feature requires an Azure AD Premium P1 license.

22
Q

three Azure AD roles that apply to all resource types

A

Owner, which has full access to all resources, including the right to delegate access to others.
Contributor, which can create and manage all types of Azure resources but can’t grant access to others.
Reader, which can view existing Azure resources.

23
Q

Role definitions for Azure Resources

A

Each role is a set of properties defined in a JavaScript Object Notation (JSON) file. This role definition includes a Name, ID, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (for example, read access) for the role.
For the Owner role, that means all actions, indicated by an asterisk (*); no denied actions; and all scopes, indicated by a forward slash (/).

24
Q

What’s a role definition?

A

A role definition is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can’t be performed or operations related to underlying data.

25
Q

a role definition has the following structure

A

Id: Unique identifier for the role, assigned by Azure.
IsCustom: True if a custom role, False if a built-in role.
Description: A readable description of the role.
Actions []: Allowed permissions; * indicates all.
NotActions []: Denied permissions.
DataActions []: Specific allowed permissions as applied to data, for example Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read.
NotDataActions []: Specific denied permissions as applied to data.
AssignableScopes []: Scopes where this role applies. / indicates global, but can reach into a hierarchical tree.

26
Q

Actions and NotActions

A

You can tailor the Actions and NotActions properties to grant and deny the exact permissions you need. These properties are always in the format: {Company}.{ProviderName}/{resourceType}/{action}.

27
Q

The wildcard (*) operation under Actions indicates

A

It indicates that the principal assigned to this role can perform all actions; in other words, it can manage everything, including actions defined in the future as Azure adds new resource types.

28
Q

DataActions and NotDataActions

A

Data operations are specified in the DataActions and NotDataActions properties. Data operations can be specified separately from the management operations. This prevents current role assignments with wildcards (*) from suddenly having access to data.

29
Q

Data operation examples

A

Delete blob data
Log in to a VM as a regular user
Send messages on an event hub
Return a file/folder or list of files/folders
Read a message from a queue

30
Q

AssignableScopes

A

The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or resources) within which the role is available for assignment. You can make the custom role available for assignment just in the subscriptions or resource groups that need it, thus avoiding cluttering the user experience for the rest of the subscriptions or resource groups.

31
Q

Custom role creation requires (licenses)

A

Azure AD Premium P1 or P2 and cannot be done in the free tier

32
Q

Creating a new role can be done through

A

Azure portal. You can use the Azure portal to create a custom role - Azure Active Directory > Roles and administrators > New custom role.
Azure PowerShell. You can use the New-AzureADMSRoleDefinition cmdlet to define a new role.
Azure Graph API. You can use a REST call to the Graph API to programmatically create a new role.

33
Q

Azure AD Connect

A

can provide your users with a common identity for Microsoft 365, Azure, and SaaS applications integrated with Azure AD in a hybrid identity environment.

34
Q

Azure AD Connect

Sync services

A

This component is responsible for creating users, groups, and other objects. It also makes sure that identity information for your on-premises users and groups matches that in the cloud.

35
Q

Azure AD Connect Health monitoring

A

Azure AD Connect Health supplies robust monitoring and a central location in the Azure portal for viewing this activity.

36
Q

Azure AD Connect AD FS

A

Federation is an optional part of Azure AD Connect that you can use to configure a hybrid environment via an on-premises AD FS infrastructure. Organizations can use this to address complex deployments, such as domain join SSO, enforcement of the Active Directory sign-in policy, and smart card or third-party multi-factor authentication.

37
Q

Password hash synchronization

A

This feature is a sign-in method that synchronizes a hash of a user’s on-premises Active Directory password with Azure AD.

38
Q

Azure AD Connect

Pass-through authentication

A

This allows users to sign in to both on-premises and cloud-based applications using the same passwords. This reduces IT helpdesk costs because users are less likely to forget how to sign in. This feature provides an alternative to Password hash synchronization that allows organizations to enforce their security and password complexity policies.

39
Q

Integrating your on-premises directories with Azure AD Benefits

A

Users can use a single identity to access both on-premises applications and cloud services, such as Microsoft 365.
A single tool provides an easy deployment experience for synchronization and sign-in.
Integration provides the newest capabilities for your scenarios. Azure AD Connect replaces older versions of identity integration tools, such as DirSync and Azure AD Sync. For more information, see Hybrid Identity directory integration tools comparison.

40
Q

Why use SSPR?

A

SSPR reduces the load on administrators, because users can fix password problems themselves, without having to call the help desk. Also, it minimizes the productivity impact of a forgotten or expired password. Users don’t have to wait until an administrator is available to reset their password.

41
Q

The reset portal takes these steps

A

Localization: The portal checks the browser’s locale setting and renders the SSPR page in the appropriate language.
Verification: The user enters their username and passes a captcha to ensure that it’s a user and not a bot.
Authentication: The user enters the required data to authenticate their identity. They might, for example, enter a code or answer security questions.
Password reset: If the user passes the authentication tests, they can enter a new password and confirm it.
Notification: A message is usually sent to the user to confirm the reset.

42
Q

Ways to authenticate SSPR

A
Mobile app notification
Mobile app code
Mobile phone
Office phone
Security questions
Email
43
Q

SSPR phone calls are not supported

A

In free and trial Azure AD organizations

44
Q

the minimum number of authentication methods

A

You can specify the minimum number of methods that the user must set up: one or two

45
Q

SSPR recommendations

A

Enable two or more of the authentication reset request methods.
Use the mobile app notification or code as the primary method, but also enable the email or office phone methods to support users without mobile devices.
The mobile phone method isn’t a recommended method because it’s possible to send fraudulent SMS messages.
The security question option is the least recommended method because the answers to the security questions might be known to other people. Only use the security question method in combination with at least one other method.

46
Q

SSPR accounts associated with administrator roles

A

A strong, two-method authentication policy is always applied to accounts with an administrator role, regardless of your configuration for other users.
The security questions method isn’t available to accounts that are associated with an administrator role.

47
Q

What SSPR notifications can you configure?

A

Notify users on password resets: The user who resets their own password is notified to their primary and secondary email addresses. If the reset was done by a malicious user, this notification alerts the user, who can take mitigation steps.
Notify all admins when other admins reset their password: All administrators are notified when another administrator resets their password.

48
Q

If you’re not signed in and you’ve forgotten your password or your password has expired, you can use SSPR in… (licenses)

A

Azure AD Premium P1 or P2, Microsoft 365 Apps for business or Microsoft 365

49
Q

The writeback support is available in…

A

Azure AD Premium P1 or P2 and Microsoft 365 Apps for business.

50
Q

high-level steps to configure SSPR

A

Go to the Azure portal, go to Active Directory > Password reset.
Properties: Enable SSPR.
You can enable it for all users in the Azure AD organization or for selected users.
To enable for selected users, you must specify the security group. Members of this group can use SSPR.
Authentication methods:
Choose whether to require one or two authentication methods.
Choose the authentication methods that the users can use.
Registration:
Specify whether users are required to register for SSPR when they next sign in.
Specify how often users are asked to reconfirm their authentication information.
Notifications: Choose whether to notify users and administrators of password resets.
Customization: Provide an email address or web page URL where your users can get help.

51
Q

SSPR setup prerequisites

A

An Azure AD organization
An Azure AD account with Global Administrator privileges.
A non-administrative user account.
A security group to test the configuration with.

52
Q

Azure RBAC

A

Azure role-based access control (Azure RBAC) is the system that allows control over who has access to which Azure resources, and what those people can do with those resources. You achieve control by assigning roles to users, groups, or applications at a particular scope. A role might be described as a collection of permissions.

53
Q

RBAC examples of built-in roles

A

Owner: Has full access to all resources, including the ability to delegate access to other users.
Contributor: Can create and manage Azure resources.
Reader: Can view only existing Azure resources.
User Access Administrator: Can manage access to Azure resources.

54
Q

Azure AD roles examples

A

Global Administrator: Can manage access to administrative features in Azure AD. A person in this role can grant administrator roles to other users, and they can reset a password for any user or administrator. By default, whoever signs up for the directory is automatically assigned this role.
User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users.
Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to Azure RBAC permissions. The available billing permissions depend on the agreement you have with Microsoft.

55
Q

As Global Administrator, you might need to elevate your permissions to:

A

Regain lost access to an Azure subscription or management group.
Grant another user or yourself access to an Azure subscription or management group.
View all Azure subscriptions or management groups in an organization.
Grant an automation app access to all Azure subscriptions or management groups.

56
Q

To assign a user administrative access to a subscription, you must have

A

Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions at the subscription scope. Users with the subscription Owner or User Access Administrator role have these permissions.

57
Q

Assign the role by using Azure PowerShell

A

New-AzRoleAssignment `
    -SignInName rbacuser@example.com `
    -RoleDefinitionName "Owner" `
    -Scope "/subscriptions/"

58
Q

Assign the role by using the Azure CLI

A

az role assignment create \
    --assignee rbacuser@example.com \
    --role "Owner" \
    --subscription

59
Q

What is Azure RBAC?

A

Azure role-based access control (Azure RBAC) is an authorization system in Azure that helps you manage who has access to Azure resources, what they can do with those resources, and where they have access. It is built on Azure Resource Manager and provides fine-grained access management of resources in Azure. With Azure RBAC, you can grant the exact access that users need to do their jobs.

60
Q

Azure subscriptions use Azure AD for…

A

single sign-on (SSO) and access management

61
Q

How does RBAC calculate permissions?

A

The access granted by a role, the effective permissions, is computed by subtracting the NotActions operations from the Actions operations.

62
Q

What is the scope difference between AzureAD roles and Azure roles?

A

Azure roles - Multiple scope levels (management group, subscription, resource group, resource)
Azure AD roles - Scope only at tenant level

63
Q

What is the difference between the ways of retrieving role information for Azure and Azure AD?

A

Azure roles: Role information accessible through Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API
Azure AD roles: Role information accessible in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, Azure AD PowerShell

64
Q

Who can create or assign custom roles in Azure RBAC?

A

Users with the roles User Access Administrator or Owner can create or assign custom roles in Azure RBAC.

65
Q

Who can you assign an RBAC role to?

A

User
An individual who has a profile in Azure Active Directory

Group
A set of users created in Azure Active Directory

Service principals
A security identity used by applications or services to access specific Azure resources

Managed identity
An identity in Azure Active Directory that is automatically managed by Azure

66
Q

Any role definition is declared using the following format:

A

{Company}.{ProviderName}/{resourceType}/{action}

67
Q

The action portion of a role definition is typically one of the following actions:

A
*
read
write
action
delete
68
Q

How to get the most current list of resource provider operations

A

The Azure PowerShell Get-AzProviderOperation cmdlet is useful to get the most current list of resource provider operations. In Azure CLI, use the az provider operation show command. You can find a published list of resource providers and operations in the Azure RBAC content on Docs.

69
Q

What permission is required for a role to manage custom roles?

A

Microsoft.Authorization/roleDefinitions/write

70
Q

How do you update an Azure custom role using Azure CLI / Azure PowerShell?

A

az role definition update --role-definition "<>"

Set-AzRoleDefinition -InputFile "<>"

71
Q

How do you view custom roles in Azure CLI or PowerShell?

A

az role definition list --custom-role-only true --output json | jq '.[] | {"roleName":.roleName, "roleType":.roleType}'

Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

72
Q

How do you view role definitions in Azure CLI or Azure PowerShell?

A

az role definition list --name "Virtual Machine Operator"

Get-AzRoleDefinition "Virtual Machine Operator"

73
Q

How do you view custom role assignments with Azure CLI / Azure PowerShell?

A

az role assignment list --role "Virtual Machine Operator"

Get-AzRoleAssignment -RoleDefinitionName "Virtual Machine Operator"

74
Q

What do you need to do before deleting a custom role?

A

If you decide you no longer need the custom role, you need to remove the role assignments before you can delete the role.

75
Q

How do you delete a custom role assignment?

A

Azure portal
You can remove assignments by going to the subscription, resource group, or resource the custom role’s scope applies to. Then go to Access control (IAM) > Role assignments. Filter by the role name, select all the users assigned to the role, and select Remove.

Azure CLI
az role assignment delete --role "role name"

PowerShell
Remove-AzRoleAssignment -ObjectId -RoleDefinitionName "role name" -Scope /subscriptions/

76
Q

How do you delete a custom Azure role?

A

Azure portal
You’d go to the subscription, resource group, or resource the custom role’s scope applies to. Then go to Access control (IAM) > Roles. To find the role, select Type > CustomRole.

Azure CLI
az role definition delete --name "role name"

PowerShell
Get-AzRoleDefinition "role name" | Remove-AzRoleDefinition

77
Q

What are resource groups?

A

A resource group is a logical container for resources deployed on Azure. These resources are anything you create in an Azure subscription like virtual machines, Application Gateways, and CosmosDB instances. All resources must be in a resource group and a resource can only be a member of a single resource group. Many resources can be moved between resource groups with some services having specific limitations or requirements to move. Resource groups can’t be nested. Before any resource can be provisioned, you need a resource group for it to be placed in.

78
Q

Resource group - deployment tab

A

The deployments link takes you to a new panel with the history of all deployments to this resource group. Anytime you create a resource, it’s a deployment, and you see that history for the resource group here.

79
Q

Resource groups best practices for organization

A
Consistent naming convention
Organizing for authorization
Organizing principles
Organizing for life cycle
Organizing for billing
80
Q

Resource groups best practices for organization - Consistent naming convention

A

Start by using an understandable naming convention. You named your resource group msftlearn-core-infrastructure-rg. You’ve given some indication of what it’s used for (msftlearn), the types of resources contained within (core-infrastructure), and the type of resource it is itself (rg).

81
Q

Resource groups best practices for organization - Organizing principles

A

Resource groups can be organized in a number of ways:
Put all individual resource types in one resource group.
You could organize them by environment (prod, qa, dev). In this case, all production resources are in one resource group, all test resources are in another resource group, and so on.
You could organize them by department (marketing, finance, human resources).
You could even use a combination of these strategies and organize by environment and department.

82
Q

Resource groups best practices for organization - Organizing for authorization

A

Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them. For example, you could give a database administration team the proper permissions at the resource group level to administer the databases within the resource group. Similarly, the database administration team could be denied access to the resource group with virtual networks, so they don’t inadvertently make changes to resources outside the scope of their responsibility.

83
Q

Resource groups best practices for organization - Organizing for life cycle

A

Resource groups serve as the life cycle for the resources within them. If you delete a resource group, you delete all the resources in it. Use this to your advantage, for example in non-production environments. One resource group is easier to clean up than 10 or more resource groups.

84
Q

Resource groups best practices for organization - Organizing for billing

A

Placing resources in the same resource group is a way to group them for usage in billing reports. If you’re trying to understand how your costs are distributed in your Azure environment, grouping them by resource group is one way to filter and sort the data to better understand where costs are allocated.

85
Q

What are tags?

A

Tags are name/value pairs of text data that you can apply to resources and resource groups. Tags allow you to associate custom details about your resource.

86
Q

Tag limitations

A

A resource can have up to 50 tags.

The name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters.

The tag value is limited to 256 characters for all types of resources. Tags aren’t inherited from parent resources. Not all resource types support tags, and tags can’t be applied to classic resources.

87
Q

How can tags be added/manipulated?

A

Tags can be added and manipulated through the Azure portal, Azure CLI, Azure PowerShell, Resource Manager templates, and through the REST API.

88
Q

Add tags to resources in bulk.

A

Select the checkbox on the left for each of the resources and click Assign tags in the top menu. (The option may be contained inside an … menu.) By selecting multiple resources, you can add a tag to them in bulk, making it easy if you have multiple resources you want to apply the same tag to.

89
Q

Tags for organization - billing data

A

If you’re running multiple VMs for different organizations, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production environment. When exporting billing data or accessing it through billing APIs, tags are included in that data and can be used to further slice your data from a cost perspective.

90
Q

Tags for organization - retrieve related resources

A

You can retrieve all the resources in your subscription with a specific tag name or value. Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.

91
Q

Tags for organization - monitoring

A

Tagging resources can also help in monitoring to track down impacted resources. Monitoring systems could include tag data with alerts, giving you the ability to know exactly who is impacted.

92
Q

Tags for organization - automation

A

If you want to automate the shutdown and startup of virtual machines in development environments during off-hours to save costs, you can use tags to assist in this automation. There are several solutions in the Azure Automation Runbooks Gallery that use tags in a similar manner to accomplish this result.

93
Q

Tags for organization - ways to use

A

Billing
Related resource retrieval
Monitoring
Automation

94
Q

Best Practices for RBAC

A

Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only specific actions at a particular scope.

When planning your access control strategy, grant users the lowest privilege level that they need to do their work.

Use Resource Locks to ensure critical resources aren’t modified or deleted (as you’ll see in the next unit).

95
Q

What are resource locks?

A

Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can be set to either Delete or Read-only.

Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.

96
Q

Resource lock - delete

A

Delete will allow all operations against the resource but block the ability to delete it.

97
Q

Resource lock - Read-only

A

Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource.

98
Q

Applying Read-only can lead to…

A

unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.

99
Q

What happens to a policy assignment on a resource group when you delete the resource group?

A

Because you deleted the assigned resources with the containing resource group, there won’t be any assignments left in this policy. Normally, if you assign a policy to a resource, you can delete the assignment without deleting the underlying resource. To do this, you would select Assignments, then select the … for your assignment, and select Delete assignment.