Az104Deck1 Flashcards
What is the hierarchy in Azure Resource Manager (ARM)?
Subscription\ResourceGroup\Resource (Subscription is the billing unit)
Example: Subscription\Development\Virtual Machine
What is the role of Azure Resource Manager (ARM)?
ARM is the orchestration layer that connects to the Azure Resource Provider to complete requests on resources.
What is the function of Tenants in ARM?
Tenants use Azure Active Directory (AAD) to prevent interference with other organizations’ resources.
What are the key points about ARM fundamentals?
- Resources are Azure Managed Entities
- Resources are held in Resource Groups (RGs)
- RGs are in subscriptions (billing entities)
- Management via REST API endpoints (Portal, CLI, PowerShell)
- ARM is a management service
- Each resource has a resource provider
What are the components of an ARM template?
- Parameters: Passed in at run time
- Variables: Hardcoded
- Resources: Define resources in template
- Outputs: Return info from the deployment (e.g., IP of a VM)
What are the key points about ARM templates?
- Can be deployed at various scopes
- Can be nested
- Are JSON Files
- Are Infrastructure as Code (IAC) and enable quick, repeatable environment deployment
What is a subscription in Azure?
A billing unit that aggregates costs of underlying resources. It contains Resource Groups and their resources, and it is a scoping level for governance and security.
What are some common ways to organize subscriptions?
- PROD/DEV/STAGING
- DEPT/TEAMS
- REGION
What is the relationship between AAD and subscriptions?
A subscription can only be associated with one Azure Tenant at a time, and there is a trust relationship between AAD and the subscription. A Tenant can have multiple subscriptions within it.
What are management groups in Azure used for?
Organizing and grouping subscriptions, implementing a hierarchy (up to 6 levels) with root management group at the top, and serving as a scope for Azure RBAC and Policies.
What are the key points about Azure Policies?
- Used to enforce compliance and governance (e.g., cost control, location restrictions)
- Can audit non-compliant resources or deny creation of non-compliant resources
- Components: Definition (rules/criteria), Assignment (scope), Initiative (collection of policies for higher-level goals)
What are the characteristics of tagging resources in Azure?
- Name/Value pairs for categorization (e.g., Dept, Location, Environment)
- Up to 50 tags per resource
- Tag names: up to 512 characters; Tag values: up to 256 characters (storage account tags are less: names up to 128 characters)
- Tags are not inherited (Azure Policies can help)
- Tag names must be unique at the resource scope
What is the purpose of locks in Azure?
Prevent accidental update and deletion of resources.
What are the types of locks in Azure?
- Read Only: Allows users to read a resource but not update it
- Cannot Delete: Allows users to read and update a resource but not delete it
What are the key points about moving resources in Azure?
- Resources can be moved across Resource Groups and Subscriptions
- Moving a resource is a write operation
- RG level locks are not moved with resources, but locks applied directly to resources are retained
What factors affect Azure costs?
- Subscription Type (Free, PAYG, Enterprise Agreement, CSP)
- Resource Type
- Usage Meter
- Resource Usage
- Location
What are some best practices for managing Azure costs?
- Select appropriate resource for use case
- Select correct resource size
- Deallocate resources when not needed
- Use scaling/elasticity
- Plan costs ahead of purchase
What tools can help manage Azure costs?
- Pricing Calculator
- Total Cost of Ownership (TCO) calculator
- Microsoft Cost Management Tool
What are the steps in building a cloud governance strategy?
- Define needs of organization
- Plan tools to be used
- Get an understanding of tool impact
- Implement governance using strategy
What governance services are available in Azure?
- Azure Subscriptions and Management Groups
- Azure RBAC
- Azure Policies
- Azure Locks
- Tags
What are the basic concepts of IAM in Azure?
- Principal: An unauthenticated entity
- Identity: An identity profile authenticated using credentials
- Authorizations: Actions permitted/prohibited for an identity
What is Azure Active Directory (AAD)?
A global IAM platform that spans all of Azure, with each instance scoped geographically based on where it was created. It enables identity security, collaboration, and monitoring.
What are some features of Azure AD vs On-Prem AD?
- AD: OUs, GPOs, Kerberos, LDAP, NTLM, Hierarchical, On-Prem
- AAD: Administrative Units, SAML, WS-Fed, OAuth, Flat Directory, Cloud-Based, Global
What are the key points about managing tenants in Azure?
- Design tenant properly with secure foundations
- Set up SSPR and a backup global admin account
- Use Azure RBAC for role assignments
- Populate identity resources and manage applications
- Monitor and automate processes
What are the types of users in Azure AD?
- Administrators
- Members
- Guests
What are the characteristics of groups in Azure AD?
- Groups can provide role assignments or licenses to members
- Types: Security and O365
- Membership Types: Assigned, Dynamic User, Dynamic Device
- Groups can be nested
Example sentence: Security groups are used for access control, while O365 groups are used for collaboration.
What are Administrative Units (AU) in Azure AD?
Logical containers to organize AAD and create a structure for admin roles
- AUs cannot be nested
- Scoped to the tenant level
Example sentence: Administrative Units help in organizing and managing administrative roles in Azure AD.
What is Self-Service Password Reset (SSPR) in Azure?
Allows users to reset their passwords themselves, improving productivity and reducing helpdesk overhead.
Example sentence: SSPR simplifies the password reset process for users and reduces the burden on IT support.
What are the authentication types for SSPR?
- Mobile App Authenticator
- Mobile App Code
- Email
- Security Question
- Mobile (SMS/Phone call)
- Office Phone
Example sentence: Users can choose from various authentication methods when resetting their passwords through SSPR.
What are the key points about SSPR?
- Managed via AAD groups
- Requires 1 or more authentication methods
- Admins must use MFA and two methods
- Requires AAD P1 or P2 license or certain MS/O365 licenses
Example sentence: Proper configuration of SSPR is essential for ensuring secure password management in Azure AD.
What are the types of device management in Azure AD?
- AAD Registered: For BYOD, supports multiple OS
- AAD Joined: For org devices, supports Windows 10 and Windows Server 2019
- Hybrid AAD Joined: Connected to cloud and on-prem, supports Windows 7+ and Windows Server 2008+
Example sentence: Different types of device management in Azure AD cater to various device scenarios within organizations.
What are the key points about device management in Azure AD?
- Define users who can join/register devices
- Set MFA requirements
- Limit the number of devices a user can register
- Set device admins
Example sentence: Device management settings in Azure AD help in controlling and securing device access.
What are the core concepts of RBAC in Azure?
- WHO: Security Principals (users, groups)
- WHAT: Role Assignments
- WHERE: Scope
Example sentence: RBAC in Azure revolves around defining who can access what resources within a specified scope.
What are some common Azure Roles?
- Owner: Full access and can assign permissions
- Reader: Can only read resources
- Contributor: Can create and manage resources but not assign permissions
- User Access Admin: Manages user access but not resources
Example sentence: Azure Roles help in defining different levels of access and permissions for users within the Azure environment.
What are Azure Active Directory (Entra ID) Roles used for?
Managing identity objects within the tenant, not resources in subscriptions. Examples include Global Admin, Billing Admin, User Admin, and Help Desk Admin.
Example sentence: Azure AD roles are focused on managing identity-related tasks and permissions within the Azure AD tenant.
What are the characteristics of role assignments in Azure?
- Implicit Deny by default
- Explicit Deny can be added
- Roles defined in JSON with Actions, NotActions, DataActions, NotDataActions, AssignableScopes
Example sentence: Role assignments in Azure follow a specific structure for defining access control permissions.
What are custom roles in Azure?
Custom roles are user-defined roles used when built-in roles do not meet requirements. They are defined using JSON with Actions, NotActions, DataActions, NotDataActions, AssignableScopes.
Example sentence: Custom roles in Azure provide flexibility in defining granular access control permissions based on specific organizational needs.