AZ-104 - Learning Azure Cloud Administrator
- AZ-104 Resources
- 1.- AZ-104 Azure Administration
- AZ-104 - Administration - Azure Resource Manager
- AZ-104 - Administration - Azure Portal and Cloud Shell Basics
- AZ-104 - Administration - Azure CLI and PowerShell
- AZ-104 - Administration - Azure ARM Templates
- 2.- AZ-104 Governance and Compliance
- AZ-104 - Governance and Compliance - Managing Subscriptions
- AZ-104 - Governance and Compliance - Using management groups
- AZ-104 - Governance and Compliance - Understanding Azure Policy
- AZ-104 - Governance and Compliance - Tagging Resources
- AZ-104 - Governance and Compliance - LAB Add Remove Tags
- AZ-104 - Governance and Compliance - Locking and Moving Resources
- AZ-104 - Governance and Compliance - Managing Azure Costs
- AZ-104 - Governance and Compliance - Building a cloud governance strategy with Azure tooling
- 3.- AZ-104 Azure Identity
- AZ-104 Azure Identity - Conceptualizing Entra ID (Azure Active Directory)
- AZ-104 Azure Identity - Managing Tenants
- AZ-104 Azure Identity - Creating and Managing Users
- AZ-104 Azure Identity - LAB Create and Manage Microsoft Entra ID Users in the Portal
- AZ-104 Azure Identity - LAB Perform Bulk Microsoft Entra ID Operations in the Portal
- AZ-104 Azure Identity - Creating and Managing Groups
- AZ-104 Azure Identity - Creating Administrative Units
- AZ-104 Azure Identity - Configuring SSPR (self-service password reset)
- AZ-104 Azure Identity - Azure Entra ID Device Management
- 4.- AZ-104 Azure RBAC - Role-based Access Control
- AZ-104 Azure RBAC - Understanding Roles in Azure
- AZ-104 Azure RBAC - Assigning access to resources
- AZ-104 Azure RBAC - LAB Using service Principal Identity to List AD Roles
- AZ-104 Azure RBAC - Creating custom roles
- 5.- AZ-104 Azure - Storage
AZ-104 Resources
Azure Entra ID Mindmap
Azure Youtube Videos
Exam Cram by John Savill
Study List
1.- AZ-104 Azure Administration
AZ-104 - Administration - Azure Resource Manager
What is Azure Resource Manager?
Azure Clouds made of?
Resources:
- Entity managed by Azure
- Virtual machines
- Storage accounts and virtual networks
Resource groups:
- Logical container for grouping resources
- Group resources based on lifecycle and security
- Associated with an Azure subscription
Azure Subscription:
- Logical construct that groups together resource groups and associated resources
- Billing unit for the Azure cloud cost
Azure Resource Manager - ARM
- Is the orchestration layer for managing the Azure cloud
- Exposes REST API endpoints
- Clients (PowerShell, CLI, Azure Portal) send their requests to ARM, which routes each request to the matching resource provider
- The resource provider completes the request
- Authenticates requests through Azure identity management
Resources are Azure-managed entities such as Virtual Machines, Storage Accounts and Virtual Networks
Resources are contained in resource groups
Resource groups are contained in subscriptions
You can use REST API endpoint to manage Azure through Azure Resource Manager
Azure Resource Manager is a Management Service
Each Resource has a resource provider
AZ-104 - Administration - Azure Portal and Cloud Shell Basics
Microsoft Azure portal
What is Azure Cloud Shell?
Describing Azure Portal, Components of Azure portal, Using the azure portal
Azure portal:
- Web-based portal for the Azure cloud
- Create and manage Azure resources
- Provides Cloud Shell
- Manage billing
Access https://portal.azure.com
To access your preferences such as themes, etc go to the settings page
AZ-104 - Administration - Azure CLI and PowerShell
Install PowerShell on Windows, Linux, and macOS
How to install the Azure CLI
What is the Azure CLI
- It's a command-line utility for managing Azure resources
- Create and manage resources without logging into the Azure portal
- Create scripts to automate tasks
What is Azure PowerShell
- It's a set of cmdlets for managing Azure resources
- Create and manage resources without logging into the Azure portal
- Create scripts to automate tasks
Cloud Shell
First we need to set up Cloud Shell
Select Bash or PowerShell
Go to Advanced settings
Choose a storage account name and a file share name, then click Create storage
If you get an error at this step, the storage account name is most likely already in use; pick another alphanumeric name
Done. You can switch between PowerShell and Bash using the drop-down menu on the left
Here we can run Azure CLI commands
And here is the same from PowerShell
We can save objects to variables
To create a virtual machine from Azure CLI
PS /home/cesar> get-cloudDrive
FileShareName : random1fileshare
FileSharePath : //random1storage4.file.core.windows.net/random1fileshare
MountPoint : /home/cesar/clouddrive
Name : random1storage4
ResourceGroupName : DefaultResourceGroup-CUS
StorageAccountName : random1storage4
SubscriptionId : 33d9a849-c6f5-455d-b9e4-ef89b317fcec
PS /home/cesar> get-azresource | format-Table
Name ResourceGroupName ResourceType Location
---- ----------------- ------------ --------
DefaultWorkspace-33d9a849-c6f5-455d-b9e4-ef89b317fcec-CUS DefaultResourceGroup-CUS Microsoft.OperationalInsights/workspaces centralus
random1storage4 DefaultResourceGroup-CUS Microsoft.Storage/storageAccounts eastus
NetworkWatcher_eastus NetworkWatcherRG Microsoft.Network/networkWatchers eastus
PS /home/cesar>
AZ-104 - Administration - Azure ARM Templates
Deploy Azure infrastructure by using JSON ARM templates
ARM templates are Azure Resource Manager templates: JSON files that we write and that provide
- IaC (Infrastructure as code)
- Deploy environments quickly
- Repeatable deployments
ARM Template
Skeleton ARM template
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [],
"outputs": {}
}
Parameters and variables: these components are used to pass information into the template.
Resources: defines the resources the template deploys.
Outputs: this component returns values from the execution of the template.
Example of a template:
azuredeploy.json template
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"adminPassword": {
"type": "secureString",
"minLength": 12,
"metadata": {
"description": "Password for the Virtual Machine."
}
},
"dnsLabelPrefix": {
"type": "string",
"defaultValue": "[toLower(format('{0}-{1}', parameters('vmName'), uniqueString(resourceGroup().id, parameters('vmName'))))]",
"metadata": {
"description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
}
},
"publicIpName": {
"type": "string",
"defaultValue": "myPublicIP",
"metadata": {
"description": "Name for the Public IP used to access the Virtual Machine."
}
},
"publicIPAllocationMethod": {
"type": "string",
"defaultValue": "Dynamic",
"allowedValues": [
"Dynamic",
"Static"
],
"metadata": {
"description": "Allocation method for the Public IP used to access the Virtual Machine."
}
},
"publicIpSku": {
"type": "string",
"defaultValue": "Basic",
"allowedValues": [
"Basic",
"Standard"
],
"metadata": {
"description": "SKU for the Public IP used to access the Virtual Machine."
}
},
"OSVersion": {
"type": "string",
"defaultValue": "2022-datacenter-azure-edition-core",
"allowedValues": [
"2008-R2-SP1",
"2008-R2-SP1-smalldisk",
"2012-Datacenter",
"2012-datacenter-gensecond",
"2012-Datacenter-smalldisk",
"2012-datacenter-smalldisk-g2",
"2012-Datacenter-zhcn",
"2012-datacenter-zhcn-g2",
"2012-R2-Datacenter",
"2012-r2-datacenter-gensecond",
"2012-R2-Datacenter-smalldisk",
"2012-r2-datacenter-smalldisk-g2",
"2012-R2-Datacenter-zhcn",
"2012-r2-datacenter-zhcn-g2",
"2016-Datacenter",
"2016-datacenter-gensecond",
"2016-datacenter-gs",
"2016-Datacenter-Server-Core",
"2016-datacenter-server-core-g2",
"2016-Datacenter-Server-Core-smalldisk",
"2016-datacenter-server-core-smalldisk-g2",
"2016-Datacenter-smalldisk",
"2016-datacenter-smalldisk-g2",
"2016-Datacenter-with-Containers",
"2016-datacenter-with-containers-g2",
"2016-datacenter-with-containers-gs",
"2016-Datacenter-zhcn",
"2016-datacenter-zhcn-g2",
"2019-Datacenter",
"2019-Datacenter-Core",
"2019-datacenter-core-g2",
"2019-Datacenter-Core-smalldisk",
"2019-datacenter-core-smalldisk-g2",
"2019-Datacenter-Core-with-Containers",
"2019-datacenter-core-with-containers-g2",
"2019-Datacenter-Core-with-Containers-smalldisk",
"2019-datacenter-core-with-containers-smalldisk-g2",
"2019-datacenter-gensecond",
"2019-datacenter-gs",
"2019-Datacenter-smalldisk",
"2019-datacenter-smalldisk-g2",
"2019-Datacenter-with-Containers",
"2019-datacenter-with-containers-g2",
"2019-datacenter-with-containers-gs",
"2019-Datacenter-with-Containers-smalldisk",
"2019-datacenter-with-containers-smalldisk-g2",
"2019-Datacenter-zhcn",
"2019-datacenter-zhcn-g2",
"2022-datacenter",
"2022-datacenter-azure-edition",
"2022-datacenter-azure-edition-core",
"2022-datacenter-azure-edition-core-smalldisk",
"2022-datacenter-azure-edition-smalldisk",
"2022-datacenter-core",
"2022-datacenter-core-g2",
"2022-datacenter-core-smalldisk",
"2022-datacenter-core-smalldisk-g2",
"2022-datacenter-g2",
"2022-datacenter-smalldisk",
"2022-datacenter-smalldisk-g2"
],
"metadata": {
"description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version."
}
},
"vmSize": {
"type": "string",
"defaultValue": "Standard_B2s",
"metadata": {
"description": "Size of the virtual machine."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"vmName": {
"type": "string",
"defaultValue": "vm-demo-002",
"metadata": {
"description": "Name of the virtual machine."
}
}
},
"variables": {
"storageAccountName": "[format('bootdiags{0}', uniqueString(resourceGroup().id))]",
"nicName": "myVMNic",
"addressPrefix": "10.0.0.0/16",
"subnetName": "Subnet",
"subnetPrefix": "10.0.0.0/24",
"virtualNetworkName": "MyVNET",
"networkSecurityGroupName": "default-NSG"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[variables('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage"
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2021-02-01",
"name": "[parameters('publicIpName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('publicIpSku')]"
},
"properties": {
"publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]",
"dnsSettings": {
"domainNameLabel": "[parameters('dnsLabelPrefix')]"
}
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2021-02-01",
"name": "[variables('networkSecurityGroupName')]",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "default-allow-3389",
"properties": {
"priority": 1000,
"access": "Allow",
"direction": "Inbound",
"destinationPortRange": "3389",
"protocol": "Tcp",
"sourcePortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*"
}
}
]
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2021-02-01",
"name": "[variables('virtualNetworkName')]",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('addressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('subnetName')]",
"properties": {
"addressPrefix": "[variables('subnetPrefix')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
}
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
]
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-02-01",
"name": "[variables('nicName')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]"
}
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]",
"[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2021-03-01",
"name": "[parameters('vmName')]",
"location": "[parameters('location')]",
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[parameters('vmName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "[parameters('OSVersion')]",
"version": "latest"
},
"osDisk": {
"createOption": "FromImage",
"managedDisk": {
"storageAccountType": "StandardSSD_LRS"
}
},
"dataDisks": [
{
"diskSizeGB": 1023,
"lun": 0,
"createOption": "Empty"
}
]
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))).primaryEndpoints.blob]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
]
}
],
"outputs": {
"hostname": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))).dnsSettings.fqdn]"
}
}
}
Go to Deploy a custom template
Build your own template in the editor
Copy and paste the azuredeploy.json and save
Fill out all parameters then review and create
Deployment in progress
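Before pasting a template into Deploy a custom template, it is worth checking it offline for the two things a reviewer looks for first: network security group rules that open management ports to any source (the template above ships a default-allow-3389 rule with sourceAddressPrefix "*"), and credential parameters that are not declared as a secure type. The following Python script is an added example, not code from the course notes or from Microsoft; the embedded template is a constructed, trimmed-down version of azuredeploy.json whose adminPassword is deliberately declared as a plain string so the second check fires (the page's own template declares it correctly as secureString).

```python
"""Offline checks for an ARM template before it is deployed.

Added example, not from the course notes: loads a template, flags NSG rules
that allow inbound traffic to management ports from any source, and flags
credential parameters that are not secureString/secureObject.
"""
import json

MANAGEMENT_PORTS = {"22", "3389", "5985", "5986"}   # SSH, RDP, WinRM
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

# Constructed sample: a cut-down azuredeploy.json with one deliberately weak parameter.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {"type": "string"},
        "adminPassword": {"type": "string", "minLength": 12},   # should be secureString
    },
    "variables": {"networkSecurityGroupName": "default-NSG"},
    "resources": [{
        "type": "Microsoft.Network/networkSecurityGroups",
        "apiVersion": "2021-02-01",
        "name": "[variables('networkSecurityGroupName')]",
        "properties": {"securityRules": [
            {"name": "default-allow-3389", "properties": {
                "priority": 1000, "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                "destinationPortRange": "3389", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"}},
            {"name": "allow-web", "properties": {
                "priority": 1010, "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                "destinationPortRange": "80", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"}},
        ]},
    }],
    "outputs": {},
})


def port_range_covers(port_range, ports):
    """True if an NSG port expression ('3389', '3000-4000', '*') includes any port in `ports`."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return any(lo <= int(p) <= hi for p in ports)
    return port_range in ports


def open_management_rules(template):
    """Names of NSG rules that allow inbound management ports from any source."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            # Rules may use the singular or the plural (list) form of these properties.
            ranges = p.get("destinationPortRanges") or [p.get("destinationPortRange", "")]
            sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "")]
            if (p.get("access") == "Allow" and p.get("direction") == "Inbound"
                    and any(s in ANY_SOURCE for s in sources)
                    and any(port_range_covers(r, MANAGEMENT_PORTS) for r in ranges)):
                findings.append(rule.get("name"))
    return findings


def insecure_secret_parameters(template):
    """Parameter names that look like credentials but are not a secure type (simple name heuristic)."""
    hits = []
    for name, spec in template.get("parameters", {}).items():
        looks_secret = any(w in name.lower() for w in ("password", "secret", "token"))
        if looks_secret and spec.get("type", "").lower() not in {"securestring", "secureobject"}:
            hits.append(name)
    return hits


def check_template(text):
    """Run every check on a template given as JSON text and return the findings."""
    template = json.loads(text)
    return {
        "open_management_rules": open_management_rules(template),
        "insecure_secret_parameters": insecure_secret_parameters(template),
    }


if __name__ == "__main__":
    for check, hits in check_template(SAMPLE_TEMPLATE).items():
        print(f"{check}: {hits or 'none'}")
```

Run against the real azuredeploy.json (for example `check_template(open("azuredeploy.json").read())`) the first check reports default-allow-3389; the usual fix is to restrict sourceAddressPrefix to a management range or to reach the VM through Bastion instead of a public RDP rule.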
2.- AZ-104 Governance and Compliance
AZ-104 - Governance and Compliance - Managing Subscriptions
Organize and manage multiple Azure subscriptions
What are subscriptions
- Billing unit that aggregates all costs of underlying resources
- Contain resource groups and their associated resources
- Scoping level for governance and security
- Can be associated with only a single organization (Azure AD Tenant) at a time
Examples:
You can define multiple subscriptions per department to identify costs
Subscription naming conventions
- Prod/Dev/Staging
Subscriptions are named based on whether they are production, development or staging environments.
- Department/Teams
Subscriptions are named based on the department or team the subscription is intended for, so that billing can easily be associated with a given business unit.
- Region
Subscriptions are named based on the region of the business that uses the subscription.
AZ-104 - Governance and Compliance - Using management groups
What are Azure management groups?
Management groups
- Define management groups
- Understanding hierarchy
- Scoping
Managing subscriptions
Organize and manage subscriptions by logically grouping them into management groups
- Organizational hierarchy
- Provides another scope for enforcing governance and compliance
Parent-child relationships
- Root management group is the top level
- Management groups and subscriptions can have a single parent
- Supports six levels of hierarchy
Compliance Support
- Azure Policies
- Azure role-based access control (RBAC)
The next diagram shows how an organizational hierarchy can be represented: a Root management group, and under it a subscription for EA, a Marketing management group and an IT management group.
The Marketing management group has two child subscriptions, and IT has another management group as a child.
This helps identify the hierarchy levels for our organization.
Permissions, policies, etc. flow down the hierarchy: for example, access granted at the root management group applies to IT, Marketing and everything beneath them.
The illustration below shows two management groups under the Tenant Root Group; inside an existing management group we can add subscriptions or further management groups.
Here we can see that the parent management group for IManagementHTF is the Tenant Root Group for the HTF organization, since we created this management group inside our root.
The root management group is not given by default
The root management group cannot be moved or deleted
Azure RBAC is supported for management groups
Global Administrators must elevate their access to User Access Administrator of the root group
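The points above (single parent, six levels, access flowing down from the root) are easiest to see in a small model. The Python below is an added example, not part of the course notes: an in-memory tree of management groups and subscriptions that enforces those constraints and computes the roles in force at any scope by walking up to the root. "EA", "Marketing" and "IT" mirror the diagram described in the notes; the other scope names, principals and roles are constructed.

```python
"""Model of the management group hierarchy and how access flows down it.

Added example, not part of the course notes: one root group, a single parent
per node, at most six management-group levels below the root, and role
assignments inherited by every descendant scope.
"""
MAX_MG_DEPTH = 6  # management-group levels allowed below the tenant root group


class Scope:
    """A management group or subscription; subscriptions are leaves."""

    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent
        self.children = []
        self.assignments = []  # (principal, role) pairs granted directly at this scope

    def depth(self):
        """Levels below the root (the root itself is 0)."""
        d, node = 0, self
        while node.parent is not None:
            node, d = node.parent, d + 1
        return d


class Hierarchy:
    def __init__(self, tenant_name):
        self.root = Scope(f"Tenant Root Group ({tenant_name})", "managementGroup")
        self.nodes = {self.root.name: self.root}

    def fits_depth(self, parent_name):
        """Whether a new management group under `parent_name` stays within the depth limit."""
        return self.nodes[parent_name].depth() + 1 <= MAX_MG_DEPTH

    def add(self, name, kind, parent_name):
        """Attach a management group or subscription under exactly one parent."""
        if name in self.nodes:
            raise ValueError(f"{name!r} already exists; a scope can have only one parent")
        parent = self.nodes[parent_name]
        if parent.kind != "managementGroup":
            raise ValueError("only management groups can contain children")
        if kind == "managementGroup" and not self.fits_depth(parent_name):
            raise ValueError(f"at most {MAX_MG_DEPTH} management-group levels are supported below the root")
        node = Scope(name, kind, parent)
        parent.children.append(node)
        self.nodes[name] = node
        return node

    def assign_role(self, scope_name, principal, role):
        """Grant a role at a scope; Azure RBAC makes it effective at every child scope too."""
        self.nodes[scope_name].assignments.append((principal, role))

    def effective_roles(self, scope_name):
        """Roles in force at a scope: its own assignments plus those inherited from every ancestor."""
        roles, node = set(), self.nodes[scope_name]
        while node is not None:
            roles.update(node.assignments)
            node = node.parent
        return roles


def build_demo():
    """The hierarchy from the notes' diagram: EA subscription, Marketing and IT groups under the root."""
    h = Hierarchy("HTF")
    root = h.root.name
    h.add("EA", "subscription", root)
    h.add("Marketing", "managementGroup", root)
    h.add("Marketing-Sub-1", "subscription", "Marketing")
    h.add("Marketing-Sub-2", "subscription", "Marketing")
    h.add("IT", "managementGroup", root)
    h.add("IT-Infra", "managementGroup", "IT")
    h.add("IT-Infra-Sub", "subscription", "IT-Infra")
    # Reader granted at the root reaches every subscription; Contributor at IT stays under IT.
    h.assign_role(root, "cloud-auditors", "Reader")
    h.assign_role("IT", "it-admins", "Contributor")
    return h


def build_chain(levels):
    """A straight chain of `levels` nested management groups under the root (for the depth limit)."""
    h = Hierarchy("demo")
    parent = h.root.name
    for i in range(1, levels + 1):
        h.add(f"mg{i}", "managementGroup", parent)
        parent = f"mg{i}"
    return h


if __name__ == "__main__":
    demo = build_demo()
    for scope in ("EA", "Marketing-Sub-2", "IT-Infra-Sub"):
        print(scope, sorted(demo.effective_roles(scope)))
```

The same walk-to-the-root logic is why a role assigned at the Tenant Root Group should be treated as tenant-wide: there is no scope beneath it that does not inherit it.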
AZ-104 - Governance and Compliance - Understanding Azure Policy
Control and organize Azure resources with Azure Resource Manager
Understanding Azure Policy
- Define Azure Policy
- Components of a Policy
- Policy Examples
Enforce Compliance and enable auditing
Organizations need to implement enterprise-level governance and compliance capabilities.
Prohibit resources
- Control costs
- Restrict service access
Allowed Locations
- Geographical compliance
Policy Definition
Defines the evaluation criteria for compliance and the action that takes place (audit or deny) when a resource falls outside of compliance.
Policy Assignment
The scope at which we will assign our policy. The scope could be a management group, subscription, resource group, or resource.
Initiative Definition
A collection of policies that are tailored to achieving a singular high-level goal together (e.g., ensuring that VMs meet standards).
| Policy Definition | Evaluate if a VM is being created with our tag Project:az104. If the VM is missing the tag, then deny creation of the resource. |
| Policy assignment | Assign the policy at the scope where the VMs will be created. |
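To make the definition / assignment / effect structure concrete, here is an added example (not from the course notes and not Azure's own code): a small Python evaluator for the subset of the Azure Policy rule language needed for the two policies discussed above, the Project:az104 tag requirement with a deny effect and an allowed-locations check with an audit effect, applied to constructed resource records. Real evaluation happens inside Azure Resource Manager; this only illustrates how the `if` condition and `then` effect combine.

```python
"""A minimal evaluator for Azure Policy-style rules.

Added example, not from the course notes or from Azure: supports allOf /
anyOf / not, and the field conditions equals, in and exists, which is enough
to express the two policies in this section. Resources are constructed.
"""

# Policy definitions in the shape Azure uses: an "if" condition and a "then" effect.
REQUIRE_PROJECT_TAG = {
    "displayName": "Require Project:az104 tag on virtual machines",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"not": {"field": "tags['Project']", "equals": "az104"}},
            ]
        },
        "then": {"effect": "deny"},
    },
}

ALLOWED_LOCATIONS = {
    "displayName": "Allowed locations",
    "policyRule": {
        "if": {"not": {"field": "location", "in": ["eastus", "centralus"]}},
        "then": {"effect": "audit"},
    },
}

# Constructed resources standing in for what a deployment would submit to ARM.
SAMPLE_RESOURCES = [
    {"name": "vm-demo-001", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {"Project": "AZ104"}},
    {"name": "vm-demo-002", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {"Dept": "IT"}},
    {"name": "stgwesteu01", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "tags": None},
]


def field_value(resource, field):
    """Resolve a policy field ('type', 'location', "tags['Project']") against a resource."""
    if field.startswith("tags[") and field.endswith("]"):
        key = field[len("tags["):-1].strip("'\"")
        # Tag names are case-insensitive in Azure, so match the key loosely.
        tags = resource.get("tags") or {}
        return next((v for k, v in tags.items() if k.lower() == key.lower()), None)
    return resource.get(field)


def matches(condition, resource):
    """Evaluate a condition tree: logical operators first, then field comparisons."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = field_value(resource, condition["field"])
    # String comparisons are case-insensitive; a missing field never "equals" anything.
    if "equals" in condition:
        return value is not None and str(value).lower() == str(condition["equals"]).lower()
    if "in" in condition:
        return value is not None and str(value).lower() in {str(v).lower() for v in condition["in"]}
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource):
    """Effect for one resource: 'deny', 'audit', ... or 'compliant' when the rule does not match."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource) else "compliant"


def evaluate_assignment(policies, resources):
    """Apply every policy assigned at a scope to every resource in that scope."""
    return {r["name"]: {p["displayName"]: evaluate(p, r) for p in policies} for r in resources}


if __name__ == "__main__":
    results = evaluate_assignment([REQUIRE_PROJECT_TAG, ALLOWED_LOCATIONS], SAMPLE_RESOURCES)
    for name, effects in results.items():
        print(name, effects)
```

Note the `not` around `equals` in REQUIRE_PROJECT_TAG: a VM with no tags at all has no value for tags['Project'], so `equals` is false and the negation makes the rule match, which is exactly the "missing tag, deny creation" behaviour the table describes.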
AZ-104 - Governance and Compliance - Tagging Resources
Control and organize Azure resources with Azure Resource Manager
Tags
- Dept:Marketing - For example, if we create the tag Dept:Marketing and apply it to all Marketing resources, it becomes easy to identify those resources and bill their cost to the Marketing department.
- Env:Prod - Identifies whether an environment is production or dev
- A tag name can be up to 512 characters and a value up to 256 characters.
- For storage accounts the tag name is limited to 128 characters.
- Tags are not inherited.
- A resource can have 50 tags max.
Here we can create tags; a resource cannot have two tags with the same name
Lets test with the following ARM template.
(refer to Arm Template here to investigate how to deploy an ARM template)
Arm template for TAG test
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of storage account"
}
},
"adminUsername": {
"type": "string",
"metadata": {
"description": "Admin username"
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Admin password"
}
},
"dnsNameforLBIP": {
"type": "string",
"metadata": {
"description": "DNS for Load Balancer IP"
}
},
"vmNamePrefix": {
"type": "string",
"defaultValue": "myVM",
"metadata": {
"description": "Prefix to use for VM names"
}
},
"imagePublisher": {
"type": "string",
"defaultValue": "MicrosoftWindowsServer",
"metadata": {
"description": "Image Publisher"
}
},
"imageOffer": {
"type": "string",
"defaultValue": "WindowsServer",
"metadata": {
"description": "Image Offer"
}
},
"imageSKU": {
"type": "string",
"defaultValue": "2019-Datacenter",
"metadata": {
"description": "Image SKU"
}
},
"lbName": {
"type": "string",
"defaultValue": "myLB",
"metadata": {
"description": "Load Balancer name"
}
},
"nicNamePrefix": {
"type": "string",
"defaultValue": "nic",
"metadata": {
"description": "Network Interface name prefix"
}
},
"publicIPAddressName": {
"type": "string",
"defaultValue": "myPublicIP",
"metadata": {
"description": "Public IP Name"
}
},
"vnetName": {
"type": "string",
"defaultValue": "myVNET",
"metadata": {
"description": "VNET name"
}
},
"vmSize": {
"type": "string",
"defaultValue": "Standard_D2s_v3",
"metadata": {
"description": "Size of the VM"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources"
}
}
},
"variables": {
"storageAccountType": "Standard_LRS",
"availabilitySetName": "myAvSet",
"addressPrefix": "10.0.0.0/16",
"subnetName": "Subnet-1",
"subnetPrefix": "10.0.0.0/24",
"publicIPAddressType": "Dynamic",
"subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), variables ('subnetName'))]",
"publicIPAddressID": "[resourceId('Microsoft.Network/publicIPAddresses',parameters('publicIPAddressName'))]",
"numberOfInstances": 2
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageAccountName')]",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"sku": {
"name": "[variables('storageAccountType')]"
},
"kind": "StorageV2"
},
{
"type": "Microsoft.Compute/availabilitySets",
"name": "[variables('availabilitySetName')]",
"apiVersion": "2019-12-01",
"location": "[parameters('location')]",
"properties": {
"platformFaultDomainCount": 2,
"platformUpdateDomainCount": 5
},
"sku": {
"name": "Aligned"
}
},
{
"apiVersion": "2020-05-01",
"type": "Microsoft.Network/publicIPAddresses",
"name": "[parameters('publicIPAddressName')]",
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "[variables('publicIPAddressType')]",
"dnsSettings": {
"domainNameLabel": "[parameters('dnsNameforLBIP')]"
}
}
},
{
"apiVersion": "2020-05-01",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('vnetName')]",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('addressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('subnetName')]",
"properties": {
"addressPrefix": "[variables('subnetPrefix')]"
}
}
]
}
},
{
"apiVersion": "2020-05-01",
"type": "Microsoft.Network/networkInterfaces",
"name": "[concat(parameters('nicNamePrefix'), copyindex())]",
"location": "[parameters('location')]",
"copy": {
"name": "nicLoop",
"count": "[variables('numberOfInstances')]"
},
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks/', parameters('vnetName'))]",
"[resourceId('Microsoft.Network/loadBalancers/', parameters('lbName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[variables('subnetRef')]"
},
"loadBalancerBackendAddressPools": [
{
"id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('lbName'), 'BackendPool1')]"
}
],
"loadBalancerInboundNatRules": [
{
"id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatRules', parameters('lbName'), concat('RDP-VM', copyindex()))]"
}
]
}
}
]
}
},
{
"apiVersion": "2020-05-01",
"name": "[parameters('lbName')]",
"type": "Microsoft.Network/loadBalancers",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses/', parameters('publicIPAddressName'))]"
],
"properties": {
"frontendIPConfigurations": [
{
"name": "LoadBalancerFrontEnd",
"properties": {
"publicIPAddress": {
"id": "[variables('publicIPAddressID')]"
}
}
}
],
"backendAddressPools": [
{
"name": "BackendPool1"
}
],
"inboundNatRules": [
{
"name": "RDP-VM0",
"properties": {
"frontendIPConfiguration": {
"id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('lbName'), 'LoadBalancerFrontEnd')]"
},
"protocol": "Tcp",
"frontendPort": 50001,
"backendPort": 3389,
"enableFloatingIP": false
}
},
{
"name": "RDP-VM1",
"properties": {
"frontendIPConfiguration": {
"id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('lbName'), 'LoadBalancerFrontEnd')]"
},
"protocol": "Tcp",
"frontendPort": 50002,
"backendPort": 3389,
"enableFloatingIP": false
}
}
],
"loadBalancingRules": [
{
"name": "LBRule",
"properties": {
"frontendIPConfiguration": {
"id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('lbName'), 'LoadBalancerFrontEnd')]"
},
"backendAddressPool": {
"id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('lbName'), 'BackendPool1')]"
},
"protocol": "Tcp",
"frontendPort": 80,
"backendPort": 80,
"enableFloatingIP": false,
"idleTimeoutInMinutes": 5,
"probe": {
"id": "[resourceId('Microsoft.Network/loadBalancers/probes', parameters('lbName'), 'tcpProbe')]"
}
}
}
],
"probes": [
{
"name": "tcpProbe",
"properties": {
"protocol": "Tcp",
"port": 80,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
}
]
}
},
{
"apiVersion": "2019-12-01",
"type": "Microsoft.Compute/virtualMachines",
"name": "[concat(parameters('vmNamePrefix'), copyindex())]",
"copy": {
"name": "virtualMachineLoop",
"count": "[variables('numberOfInstances')]"
},
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
"[resourceId('Microsoft.Network/networkInterfaces/', concat(parameters('nicNamePrefix'), copyindex()))]",
"[resourceId('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]"
],
"properties": {
"availabilitySet": {
"id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName'))]"
},
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[concat(parameters('vmNamePrefix'), copyIndex())]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]"
},
"storageProfile": {
"imageReference": {
"publisher": "[parameters('imagePublisher')]",
"offer": "[parameters('imageOffer')]",
"sku": "[parameters('imageSKU')]",
"version": "latest"
},
"osDisk": {
"createOption": "FromImage"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces',concat(parameters('nicNamePrefix'),copyindex()))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(parameters('storageAccountName'), '2019-06-01').primaryEndpoints.blob]"
}
}
}
}
]
}
After deploying our VMs using the ARM template, we can see that the resource group shows the tags we previously assigned.
If we go to our virtual machine, we notice the tags are not inherited from the resource group.
Manage resources via tags: for example, shutting down all VMs with a specific tag, or allowing developers to update only VMs with a specific tag.
AZ-104 - Governance and Compliance - LAB Add Remove Tags
Add, Remove and Update Tags for Resources in Azure
Introduction
In the scenario for this hands-on lab, the finance department has reached out to you. They are requesting additional taxonomy information on a recent Azure bill, including who created the resources, which department budget should be used for the resources, and if the resources are necessary for running business critical systems.
If there are any non-essential business systems, they ask that you signify that in some way.
Launch a PowerShell instance inside the Azure portal
Add Tags to the resource group
Run az group list and copy the resource group name (395-5d062b4a-add-remove-and-update-tags-for-resou)
PS /home/cloud> az group list
[
{
"id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou",
"location": "westus",
"managedBy": null,
"name": "395-5d062b4a-add-remove-and-update-tags-for-resou",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null,
"type": "Microsoft.Resources/resourceGroups"
}
]
Update the resource group tags:
- az group update --resource-group "<RESOURCE_GROUP_NAME>" --tags "Environment=Production" "Dept=IT" "CreatedBy=<YourName>"
PS /home/cloud> az group update --resource-group "395-5d062b4a-add-remove-and-update-tags-for-resou" --tags "Environment=Production" "Dept=IT" "CreatedBy=Cesar"
{
"id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou",
"location": "westus",
"managedBy": null,
"name": "395-5d062b4a-add-remove-and-update-tags-for-resou",
"properties": {
"provisioningState": "Succeeded"
},
"tags": {
"CreatedBy": "Cesar",
"Dept": "IT",
"Environment": "Production"
},
"type": "Microsoft.Resources/resourceGroups"
}
PS /home/cloud>
Remove Tags for VM and Mark for Deletion
- In the Cloud Shell, list the existing virtual machines:
PS /home/cloud> az vm list --query '[].{name:name, resourceGroup:resourceGroup, tags:tags}' -o json
[
{
"name": "webvm1",
"resourceGroup": "395-5D062B4A-ADD-REMOVE-AND-UPDATE-TAGS-FOR-RESOU",
"tags": {
"defaultExperience": "Yes"
}
}
]
PS /home/cloud>
- Remove the existing tags from the VM:
PS /home/cloud> az vm update -g "395-5d062b4a-add-remove-and-update-tags-for-resou" -n webvm1 --remove tags.defaultExperience
{ "additionalCapabilities": null, "applicationProfile": null, "availabilitySet": null, "billingProfile": null, "capacityReservation": null, "diagnosticsProfile": { "bootDiagnostics": { "enabled": true, "storageUri": "https://azurelalabi4q7bqaknwjqy.blob.core.windows.net/" } }, "etag": null, "evictionPolicy": null, "extendedLocation": null, "extensionsTimeBudget": null, "hardwareProfile": { "vmSize": "Standard_B1ms", "vmSizeProperties": null }, "host": null, "hostGroup": null, "id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Compute/virtualMachines/webvm1", "identity": null, "instanceView": null, "licenseType": null, "location": "westus", "managedBy": null, "name": "webvm1", "networkProfile": { "networkApiVersion": null, "networkInterfaceConfigurations": null, "networkInterfaces": [ { "deleteOption": null, "id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Network/networkInterfaces/webvm1-nic1", "primary": null, "resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou" } ] }, "osProfile": { "adminPassword": null, "adminUsername": "cloud_user", "allowExtensionOperations": null, "computerName": "webvm1", "customData": null, "linuxConfiguration": null, "requireGuestProvisionSignal": null, "secrets": [], "windowsConfiguration": { "additionalUnattendContent": null, "enableAutomaticUpdates": true, "enableVmAgentPlatformUpdates": false, "patchSettings": { "assessmentMode": "ImageDefault", "automaticByPlatformSettings": null, "enableHotpatching": null, "patchMode": "AutomaticByOS" }, "provisionVmAgent": true, "timeZone": null, "winRm": null } }, "plan": null, "platformFaultDomain": null, "priority": null, "provisioningState": "Succeeded", "proximityPlacementGroup": null, "resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou", "resources": null, "scheduledEventsProfile": null, "securityProfile": null, "storageProfile": { "dataDisks": [], "diskControllerType": null, "imageReference": { "communityGalleryImageId": null, "exactVersion": "14393.6709.240206", "id": null, "offer": "WindowsServer", "publisher": "MicrosoftWindowsServer", "sharedGalleryImageId": null, "sku": "2016-Datacenter", "version": "latest" }, "osDisk": { "caching": "ReadWrite", "createOption": "FromImage", "deleteOption": "Detach", "diffDiskSettings": null, "diskSizeGb": 127, "encryptionSettings": null, "image": null, "managedDisk": { "diskEncryptionSet": null, "id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Compute/disks/webvm1_disk1_8db0168337f74a62a7160d01554e753f", "resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou", "securityProfile": null, "storageAccountType": "Premium_LRS" }, "name": "webvm1_disk1_8db0168337f74a62a7160d01554e753f", "osType": "Windows", "vhd": null, "writeAcceleratorEnabled": null } }, "tags": {}, "timeCreated": "2024-02-13T20:59:23.426680+00:00", "type": "Microsoft.Compute/virtualMachines", "userData": null, "virtualMachineScaleSet": null, "vmId": "2292ae3f-ab87-42a0-b3ac-58ec941a77bc", "zones": null }
PS /home/cloud>
- Mark the VM for deletion:
PS /home/cloud> az vm update -g "395-5d062b4a-add-remove-and-update-tags-for-resou" -n webvm1 --set tags.MarkForDeletion=Yes { "additionalCapabilities": null, "applicationProfile": null, "availabilitySet": null, "billingProfile": null, "capacityReservation": null, "diagnosticsProfile": { "bootDiagnostics": { "enabled": true, "storageUri": "https://azurelalabi4q7bqaknwjqy.blob.core.windows.net/" } }, "etag": null, "evictionPolicy": null, "extendedLocation": null, "extensionsTimeBudget": null, "hardwareProfile": { "vmSize": "Standard_B1ms", "vmSizeProperties": null }, "host": null, "hostGroup": null, "id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Compute/virtualMachines/webvm1", "identity": null, "instanceView": null, "licenseType": null, "location": "westus", "managedBy": null, "name": "webvm1", "networkProfile": { "networkApiVersion": null, "networkInterfaceConfigurations": null, "networkInterfaces": [ { "deleteOption": null, "id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Network/networkInterfaces/webvm1-nic1", "primary": null, "resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou" } ] }, "osProfile": { "adminPassword": null, "adminUsername": "cloud_user", "allowExtensionOperations": null, "computerName": "webvm1", "customData": null, "linuxConfiguration": null, "requireGuestProvisionSignal": null, "secrets": [], "windowsConfiguration": { "additionalUnattendContent": null, "enableAutomaticUpdates": true, "enableVmAgentPlatformUpdates": false, "patchSettings": { "assessmentMode": "ImageDefault", "automaticByPlatformSettings": null, "enableHotpatching": null, "patchMode": "AutomaticByOS" }, "provisionVmAgent": true, "timeZone": null, "winRm": null } }, "plan": null, "platformFaultDomain": null, "priority": null, "provisioningState": "Succeeded", 
"proximityPlacementGroup": null, "resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou", "resources": null, "scheduledEventsProfile": null, "securityProfile": null, "storageProfile": { "dataDisks": [], "diskControllerType": null, "imageReference": { "communityGalleryImageId": null, "exactVersion": "14393.6709.240206", "id": null, "offer": "WindowsServer", "publisher": "MicrosoftWindowsServer", "sharedGalleryImageId": null, "sku": "2016-Datacenter", "version": "latest" }, "osDisk": { "caching": "ReadWrite", "createOption": "FromImage", "deleteOption": "Detach", "diffDiskSettings": null, "diskSizeGb": 127, "encryptionSettings": null, "image": null, "managedDisk": { "diskEncryptionSet": null, "id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Compute/disks/webvm1_disk1_8db0168337f74a62a7160d01554e753f", "resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou", "securityProfile": null, "storageAccountType": "Premium_LRS" }, "name": "webvm1_disk1_8db0168337f74a62a7160d01554e753f", "osType": "Windows", "vhd": null, "writeAcceleratorEnabled": null } }, "tags": { "MarkForDeletion": "Yes" }, "timeCreated": "2024-02-13T20:59:23.426680+00:00", "type": "Microsoft.Compute/virtualMachines", "userData": null, "virtualMachineScaleSet": null, "vmId": "2292ae3f-ab87-42a0-b3ac-58ec941a77bc", "zones": null } PS /home/cloud>
Change the Tags for the Virtual Network
In the cloud shell list the virtual networks
PS /home/cloud> az network vnet list --query '[].{name:name, resourceGroup:resourceGroup, tags:tags}' -o json
[
{
"name": "vnet1",
"resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou",
"tags": {
"Application": "MyApp",
"Created By": "MyName",
"Department": "MyDepartment"
}
}
]
Overwrite the existing tags:
PS /home/cloud> az resource tag --tags "Dept=IT" "Environment=Production" "CreatedBy=Cesar" --resource-group "395-5d062b4a-add-remove-and-update-tags-for-resou" -n "vnet1" --resource-type "Microsoft.Network/virtualNetworks"
{
"etag": "W/\"c51873be-773d-4b96-ab24-fa37389401fe\"",
"extendedLocation": null,
"id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Network/virtualNetworks/vnet1",
"identity": null,
"kind": null,
"location": "westus",
"managedBy": null,
"name": "vnet1",
"plan": null,
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.1.0.0/16"
]
},
"enableDdosProtection": false,
"provisioningState": "Succeeded",
"resourceGuid": "48583c22-680d-4ddf-97d8-1e25046de802",
"subnets": [
{
"etag": "W/\"c51873be-773d-4b96-ab24-fa37389401fe\"",
"id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/subnet1",
"name": "subnet1",
"properties": {
"addressPrefix": "10.1.1.0/24",
"delegations": [],
"ipConfigurations": [
{
"id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5D062B4A-ADD-REMOVE-AND-UPDATE-TAGS-FOR-RESOU/providers/Microsoft.Network/networkInterfaces/WEBVM1-NIC1/ipConfigurations/IPCONFIG1",
"resourceGroup": "395-5D062B4A-ADD-REMOVE-AND-UPDATE-TAGS-FOR-RESOU"
}
],
"networkSecurityGroup": {
"id": "/subscriptions/9734ed68-621d-47ed-babd-269110dbacb1/resourceGroups/395-5d062b4a-add-remove-and-update-tags-for-resou/providers/Microsoft.Network/networkSecurityGroups/shared-nsg",
"resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou"
},
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled",
"provisioningState": "Succeeded"
},
"resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou",
"type": "Microsoft.Network/virtualNetworks/subnets"
}
],
"virtualNetworkPeerings": []
},
"resourceGroup": "395-5d062b4a-add-remove-and-update-tags-for-resou",
"sku": null,
"tags": {
"CreatedBy": "MyName",
"Dept": "IT",
"Environment": "Production"
},
"type": "Microsoft.Network/virtualNetworks"
}
PS /home/cloud>
AZ-104 - Governance and Compliance - Locking and Moving Resources
Control and organize Azure resources with Azure Resource Manager
Move Azure resources to another resource group
What are Locks
- Locks override permissions on resources: even a principal whose RBAC role allows deleting or modifying a resource is blocked while a lock applies.
- You can lock subscriptions, resource groups or individual resources.
- Lock restrictions apply to all users and roles.
Lock types
- Read-only allows authorized users to read a resource, but they cannot delete or update the resource.
- Cannot-delete allows authorized users to read and modify a resource, but they cannot delete the resource.
- Locks are inherited from the parent scope.
Moving resources means relocating resources from where they currently live in Azure (a resource group, subscription or region) to another one.
Add a lock named DontDelete (any name works) with the lock type Delete; from this page you can later edit or delete the lock.
Now, with the lock in place, select all resources and hit Delete.
We are unable to delete because of the Delete lock.
Now let's go to a specific resource inside our resource group, our VM.
First we need to stop the VM, then hit Refresh and wait for the status to change to Stopped.
Let's go back and modify our resource group lock from Delete to Read-only.
Go to the resource group, select Locks (hit Refresh if the lock is not shown), then Edit; change the lock type from Delete to Read-only and hit OK.
Refresh and make sure it is now Read-only.
Go back to the resources overview, open the VM again and try to Start it: we get a warning that the write operation cannot be performed and the read-only lock must be removed first.
Back in the resource group we can select all our resources and click Move; from here you can move resources to another resource group, to another subscription or to another region.
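The same lock lifecycle driven from Cloud Shell with the Azure CLI, as an added example that is not part of the course notes; the resource group and VM names are the lab values from the tag exercise above, and `target-rg-PLACEHOLDER` stands in for a real destination group.

```powershell
# Added example (az CLI under PowerShell Cloud Shell), not course code.
$rg = "395-5d062b4a-add-remove-and-update-tags-for-resou"   # lab resource group from the notes
$vm = "webvm1"                                               # lab VM from the notes

# 1. CanNotDelete lock on the resource group: inherited by every resource inside it
#    and enforced for every caller, whatever RBAC role they hold.
az lock create --name DontDelete --lock-type CanNotDelete --resource-group $rg `
    --notes "Lab resources; remove the lock before cleanup"

# 2. Verify the lock exists at the scope you expect before relying on it.
az lock show --name DontDelete --resource-group $rg `
    --query "{name:name, level:level, notes:notes}" -o table

# 3. Switch to ReadOnly: reads still work, but every write (start, stop, tag change) is refused.
az lock update --name DontDelete --resource-group $rg --lock-type ReadOnly
az vm start --resource-group $rg --name $vm
if ($LASTEXITCODE -ne 0) { Write-Host "Start refused: the ReadOnly lock blocks write operations" }

# 4. Audit: every lock in the current subscription with its scope (what is protected, and where).
az lock list --query "[].{name:name, level:level, scope:id}" -o table

# 5. A ReadOnly lock on the group prevents moving resources in or out of it:
#    delete the lock first, then move the VM to another resource group.
az lock delete --name DontDelete --resource-group $rg
$vmId = az vm show --resource-group $rg --name $vm --query id -o tsv
az resource move --destination-group "target-rg-PLACEHOLDER" --ids $vmId
```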
AZ-104 - Governance and Compliance - Managing Azure Costs
Introduction to analyzing costs and creating budgets with Microsoft Cost Management
Describe cost management in Azure
Different components on Azure cost model
- Subscription type: Free, Pay-as-you-go, Enterprise Agreement, and Cloud Solution Provider (CSP).
- Resource type: for example, Blob Storage vs. Table Storage within a storage account.
- Usage meters: metrics such as overall CPU time, ingress/egress network traffic and disk size.
- Resource usage: the cost of actually using a resource.
- Location: the cost of a given service varies across geographical regions.
| Best Practices |
|---|
| Select the appropriate resource for the use case. |
| Understand needs (sizing). |
| De-allocate resources when not needed. |
| Use cloud capabilities where possible (e.g., scalability, elasticity). |
| Plan your cost prior to purchase. |

| Cost Tools |
|---|
| Pricing Calculator. |
| Total Cost of Ownership (TCO) calculator. |
| Microsoft Cost Management (analyze costs and create budgets). |
Inside the Azure portal, search for Cost Management, then go to Cost analysis.
There we can break down costs per service, resource group, location, etc.
Using the pricing calculator
Using the TCO Calculator
AZ-104 - Governance and Compliance - Building a cloud governance strategy with Azure tooling
Define Governance
- Rules
- Policies
- Compliance standards
- Control over resources
- Enforce rules, policies, and standards
Planning a Cloud Strategy
- Define: define the cloud governance needs of the organization.
- Plan: plan which tools will be used to implement governance.
- Ready: understand how those tools will be used to implement governance.
- Adopt: implement governance for the organization using the cloud strategy.
Governance Services
- Management groups and subscriptions: Organize subscriptions into hierarchical structures.
- Azure RBAC: Grant access to resources at varying scopes.
- Policies: Implement policies to enforce standards.
- Locks and Tagging: Lock resources to prevent deletion and tag resources to categorize.
Recommended to investigate more about Azure Blueprints to better understand rules and policies.
3.- AZ-104 Azure Identity
AZ-104 Azure Identity - Conceptualizing Entra ID (Azure Active Directory)
- Identity and Access Management (IAM) Basics
- What is Azure AD (Entra ID)?
- Azure AD Tenant Architecture
- Azure AD Features
- Active Directory vs Azure AD (Entra ID)
Identity and Access Management (IAM) Basics
- IAM: a global cloud-based identity service for Azure that provides an identity repository.
- Principal: an unauthenticated entity that seeks to authenticate as an identity.
- Identity: an identity profile that is authenticated against using credentials.
- Authorization: the actions an identity is permitted or prohibited to perform.
- Create identity resources: create users and groups.
- Manage identity security: enable multi-factor authentication (MFA), control resource access and provide policy-based controls.
Azure AD Tenant Architecture
When creating a tenant, a domain is assigned automatically, for example htf.onmicrosoft.com; you can also register a custom domain name.
A tenant can be associated to multiple subscriptions but a subscription can only be associated to one tenant.
Azure AD Features
- IAM platform - for Azure cloud-based resources.
- Identity security - additional security with MFA and Privileged Identity Management (PIM).
- Collaboration and development - Azure AD B2B collaboration and Azure AD B2C to support development.
- Monitoring - audit logs, security monitoring, identity protection and risk management.
- Identity integration - hybrid identity and single sign-on (SSO) using Azure AD Connect and Azure AD Domain Services.
- Enterprise access - additional security for applications and devices both on-premises and in the cloud.
| Active Directory | Entra ID |
|---|---|
| Organizational units (OUs) | Administrative units |
| Group Policy Objects (GPOs) | SAML, WS-Federation, OAuth |
| Kerberos, LDAP, NTLM | Flat directory structure |
| Hierarchical | Cloud-based solution |
| On-premises | Global |
As part of a hybrid solution we can use Entra Connect to integrate the on-premises infrastructure.
AZ-104 Azure Identity - Managing Tenants
Set up a tenant
Managing Tenants
Designing Tenants:
Planning out the design of our tenant will support easy adoption
- Build secure foundations: set up best practices (e.g., SSPR (Self-Service Password Reset), MFA, a backup Global Admin, and privileged users for specific tasks).
- Populate identity resources: add users, create groups, add devices, and set up hybrid identity.
- Manage applications: identify apps to be used from the app gallery, and register apps from on-premises.
- Monitor and automate: monitor administrators, perform access reviews, and automate user life cycles.
Creating a Tenant
Log on to the Azure portal and go to Entra ID (formerly Azure Active Directory), then go to Manage tenants.
Add the organization name, make sure the initial domain is unique, select the location, assign the tenant to a subscription, add a resource group, then Review + create.
Now we can go back to manage our tenant, remember this will be different from the main tenant.
We can use the left panel to manage our tenant access, licensing, external devices, enterprise applications, etc.
AZ-104 Azure Identity - Creating and Managing Users
- Describing Users
- Type of Users
- Creating a User
- Managing User Properties
- Bulk Adding Users
- Inviting Guests
Entra ID
Describing Members
- Administrative users: Global admins, Billing Administrators, User Administrators.
- Members: Employees such as a support engineer to manage virtual machines, organization data engineering team with access to specific services.
- Guest users: Users invited from a different Microsoft Entra ID Tenant, etc.
All users are part of the Azure AD tenant and are identity objects with certain properties; each member has a set of default permissions, and because these identity objects carry JSON properties we can modify values such as job title, given name or the user's location.
- Administrators: users with an administrator role assigned
- Members: regular users that are native to Azure AD
- Guests: external users that are invited to the Azure AD tenant
Creating a user in Entra ID
Different methods of creating users
Exercise:
- Create/add a user: create a member account in Entra ID
- Update user properties: update the properties to show this user is part of the HR department
- Bulk add users: using a CSV file, bulk add users to Azure AD
- Invite a guest account: invite an external guest to Azure AD
After creating our user we can go back to the list of all users and select the new user; here we can edit properties, manage assigned roles, administrative units, groups, etc.
Inviting a Guest Account
An Invitation will be sent to access your Organization
Type of users - Administrators, Members and Guest accounts.
Role Assignment - Determines permissions and access.
Object Ownership - App, Devices, groups and resources that are owned.
AZ-104 Azure Identity - LAB Create and Manage Microsoft Entra ID Users in the Portal
Create Azure users and groups in Entra ID
Scenario
To help you walk through the lab, consider the following scenario:
You work as a senior systems administrator, and the management of Microsoft Entra ID is one of your many responsibilities. As a senior team member, it's also important that you share your knowledge with other colleagues. Your manager has recently asked you to provide a walkthrough of basic user management tasks for a group of new Helpdesk team members.
Using an empty demonstration Microsoft Entra ID tenant you have configured, you are going to demonstrate the following:
- Creating a new user.
- Modifying existing user accounts.
- Revoking access for users.
- Deleting user accounts.
Lab Setup
The objectives for this hands-on lab can be completed using the Azure portal. Specifically, all tasks will be performed using the Microsoft Entra ID service pages.
Solution
Create Microsoft Entra ID User Accounts
1. In the Azure portal, click the hamburger icon at the top-left of the screen to open the menu.
2. From the menu, select Microsoft Entra ID.
3. From the menu on the left, select Users.
4. From the menu at the top, click New user, and then select Create new user.
5. In the User principal name field, enter a username for the first new user account. Leave the domain name as is.
6. In the Display name field, enter a first name and last name for the first new user account.
7. Click Next: Properties.
8. Scroll through and view some of the properties you can configure for a new user account. For the purposes of this hands-on lab, you do not need to configure any other properties for the new user account.
Note: Attempting to assign a role to your user may break your hands-on lab.
9. Click Review + Create.
10. Then, click Create.
11. Repeat steps 4 through 10 to create your second new user account.
12. From the menu at the top, click Refresh and verify that both user accounts you just created now appear in the All users list in your Microsoft Entra ID service.
Note: You may need to refresh the page a few times for the list to be updated.
Modify a Microsoft Entra ID User Account
1. From the All users list, select one of the users you just created to open their profile.
2. View some of the options and settings that you can modify for a user account using the menu at the left.
3. If necessary, select Overview in the menu to return to the user's profile.
4. From the menu at the top, click Edit properties.
5. Modify some of the settings for the user, such as entering their First name and Last name or updating the information for their Job title.
6. Click Save.
7. From the menu at the top, click Reset password.
8. In the Reset password pane that displays on the right, click the Reset password button.
Note: This will generate a temporary password that must be changed on the next sign in. You would need to take note of the temporary password that is displayed and provide it to the user.
9. Click the X to close the Reset password pane.
Revoke Access to a Microsoft Entra ID User Account
1. From the menu at the top, click Revoke sessions.
Note: This will log the user out of any active sessions that they are currently logged into.
2. In the Do you want to revoke all sessions for the user? prompt, click Yes.
Delete a Microsoft Entra ID User Account
1. From the All users list, check the checkbox next to one of the users you created.
2. From the menu at the top, click Delete.
3. In the Delete the selected users? prompt, click OK.
4. From the menu at the top, click Refresh and verify that the user account has been removed from the accounts in the All users list.
Note: You may need to refresh the page a few times for the list to be updated.
5. From the menu on the left, select Deleted users. The user account you just deleted should appear in the list of deleted accounts.
Note: You may need to refresh the page a few times before the user you deleted appears in the list.
6. Check the checkbox for the user account and note that you could choose the Restore users or Delete permanently options from the menu at the top if you needed to take further action on the account.
Note: Users that have been deleted remain in the Deleted users list for 30 days.
AZ-104 Azure Identity - LAB Perform Bulk Microsoft Entra ID Operations in the Portal
Scenario
To help you walk through the lab, consider the following scenario:
You work as a systems administrator for an organization that has a lot of seasonal projects. As a result, it's very common for you to have to create and delete a large volume of users every few months throughout the year, as well as manage relevant security groups.
You have some spare time now before the project season begins, and you would like to investigate the use of bulk operations to help minimize your workload during these seasonal high peaks.
To get started, you would like to practice the following operations within your empty demo Microsoft Entra ID tenant:
- Creating and deleting users in bulk
- Managing group membership in bulk
Lab Setup
The objectives for this hands-on lab can be completed using the Azure portal. Specifically, all tasks will be performed using the Microsoft Entra ID service pages.
Solution
Bulk Create Users
Download and Edit the Template Used to Bulk Create Users
1. In the Azure portal, click the hamburger icon at the top-left of the screen to open the menu.
2. From the menu, select Microsoft Entra ID.
3. From the menu on the left, select Users.
4. From the menu at the top, click the Bulk operations drop-down.
5. Click Bulk create.
6. In the Bulk create user pane that displays on the right, click the Download button to download the latest CSV template.
7. Navigate to and open the CSV template file that was downloaded.
8. View the fields included in the template. Take note of any required fields and the total number of fields, as you will need to include some sort of information for each field.
Note: The template provided from Microsoft may be updated over time, and the fields included in the template (both required and optional) are subject to change. For that reason, we cannot provide you with a list of fields and the information to include or a mocked up file to be uploaded.
9. Enter information for the three new users you want to add, including data for, at minimum, each of the required fields.
  - The required fields likely include the user's name that is aligned with their Name and a username (in the form of an email address) that is aligned with their User Principal Name in AD.
  - To obtain the proper domain for the User Principal Name field, navigate back to the Azure portal and click on a user in the All users list; where their User Principal Name is listed, copy the domain following the @ symbol (including the @ symbol), and paste it into the template for each user you create.
  - The remaining fields will need to be accounted for in the template with a comma.
  - Do not include spaces between the commas and the field data. Spaces between them will cause the upload and bulk creation process to fail.
  - For example, at the time this lab was made, an entry in the template included the following fields:
    [First Name] [Last Name],[username]@[userPrincipalName],[password],No,,,,,,,,,,,,,
    Amos Smith,amos@radlabs4p.onmicrosoft.com,password123!,No,,,,,,,,,,,,,
10. Once you have entered the users to be added, save your changes to the file.
Upload Your Edited File and Execute the Bulk Create User Process
1. Back in the Azure portal, in the Bulk create user pane on the right, click the folder icon next to the Upload your csv file field.
Note: If you navigated away from the page to copy the domain name for the users while editing the template, you may need to navigate back to the All users page and then click Bulk operations > Bulk create to open the pane again.
2. Navigate to the location of your edited template file and select it.
3. If there are any issues with the data in the file, you will receive a notification of the errors in the Bulk create user pane. If any exist, fix the errors, save the file, and upload it again.
Note: You may have to repeat this process until your file has no errors.
4. When your file has uploaded successfully, click the Submit button.
Note: It may take some time to create your users.
5. You will receive a status notification about the creation process in the Bulk create user pane.
Note: If there are any issues during the creation process, you can click Bulk operation results in the menu on the left, click on your file in the list, and view the errors it encountered.
6. From the menu at the top, click Refresh and verify that the new users now appear in the list of All users.
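An added pre-upload check (not part of the lab) for the pitfalls listed above: the script reads the edited template and reports rows with the wrong field count, empty required columns, stray spaces around commas, or a UPN outside the tenant domain. It assumes the template's first line is a version line, its second line the header, and that required columns carry the word Required in their header cell; the sample file, its abbreviated headers and the domain `contoso.onmicrosoft.com` are constructed.

```powershell
# Added example, not lab code: validate an edited bulk-create CSV before uploading it.
# Assumption: line 1 is the template version line, line 2 the header, and required
# columns carry the word "Required" in their header cell.
function Test-BulkUserCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $TenantDomain   # the part after "@" in the tenant's UPNs
    )
    $lines = @(Get-Content -Path $Path)
    if ($lines.Count -lt 3) { throw "No data rows found in $Path" }

    $header   = $lines[1].Split(',')
    $required = @(0..($header.Count - 1) | Where-Object { $header[$_] -match 'Required' })
    $upnIndex = -1
    for ($i = 0; $i -lt $header.Count; $i++) {
        if ($header[$i] -like '*userPrincipalName*') { $upnIndex = $i }
    }

    $problems = @()
    for ($row = 2; $row -lt $lines.Count; $row++) {
        $n = $row + 1                                   # 1-based line number for the report
        if ([string]::IsNullOrWhiteSpace($lines[$row])) { continue }   # ignore blank trailing lines
        $fields = $lines[$row].Split(',')               # String.Split keeps empty trailing fields

        # Every template column must be present, even if empty (that is what the extra commas are for).
        if ($fields.Count -ne $header.Count) {
            $problems += "line ${n}: $($fields.Count) fields, template has $($header.Count)"
        }
        foreach ($i in $required) {
            if ($i -lt $fields.Count -and $fields[$i] -eq '') {
                $problems += "line ${n}: required column '$($header[$i])' is empty"
            }
        }
        # Spaces around commas make the upload fail, so flag them before the portal does.
        foreach ($f in $fields) {
            if ($f -ne $f.Trim()) { $problems += "line ${n}: field '$f' has leading or trailing spaces" }
        }
        if ($upnIndex -ge 0 -and $upnIndex -lt $fields.Count -and
            $fields[$upnIndex] -notlike "*@$TenantDomain") {
            $problems += "line ${n}: UPN '$($fields[$upnIndex])' is not in $TenantDomain"
        }
    }
    return $problems
}

# Constructed sample in the shape of the template (headers abbreviated; not a real download).
# The second data row deliberately has a leading space, a foreign domain and one column too few.
$sample = @'
version:v1.0
Name [displayName] Required,User name [userPrincipalName] Required,Initial password [passwordProfile] Required,Block sign in (Yes/No) [accountEnabled] Required,Department [department]
Amos Smith,amos@contoso.onmicrosoft.com,<initial-password-placeholder>,No,HR
Jane Doe, jane@fabrikam.com,<initial-password-placeholder>,No
'@
$csvPath = Join-Path ([IO.Path]::GetTempPath()) 'bulk-users-sample.csv'
Set-Content -Path $csvPath -Value $sample
Test-BulkUserCsv -Path $csvPath -TenantDomain 'contoso.onmicrosoft.com'
```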
Bulk Delete Users
Download and Edit the Template Used to Bulk Delete Users
1. From the menu at the top, click the Bulk operations drop-down.
2. Click Bulk delete.
3. In the Bulk delete user pane that displays on the right, click the Download button to download the latest CSV template.
4. Navigate to and open the CSV template file that was downloaded.
5. View the fields included in the template. Take note of any required fields and the total number of fields, as you will need to include some sort of information for each field.
6. Enter information for the user you want to delete, including data for the required field.
  - The required fields likely include the username that is aligned with their User Principal Name in AD.
  - For example, at the time this lab was made, an entry in the template included the following fields:
    [username]@[userPrincipalName]
    amos@radlabs4p.onmicrosoft.com
7. Once you have entered the user to be deleted, save your changes to the file.
Upload Your Edited File and Execute the Bulk Delete User Process
1. Back in the Azure portal, in the Bulk delete user pane on the right, click the folder icon next to the Upload your csv file field.
Note: If you navigated away from the page to copy the User Principal Name for the user while editing the template, you may need to navigate back to the All users page and then click Bulk operations > Bulk delete to open the pane again.
2. Navigate to the location of your edited template file and select it.
3. If there are any issues with the data in the file, you will receive a notification of the errors in the Bulk delete user pane. If any exist, fix the errors, save the file, and upload it again.
4. Once your file has uploaded successfully, type Yes in the Are you sure you want to perform the delete operation? field.
5. Click the Submit button.
6. You will receive a status notification about the deletion process in the Bulk delete user pane.
Note: If there are any issues during the deletion process, you can click Bulk operation results in the menu on the left, click on your file in the list, and view the errors it encountered.
7. From the menu at the top, click Refresh and verify that the user has been removed from the list of All users.
Bulk Add Group Members
Create the Group
1. Using the breadcrumb trail at the top, navigate back to the Microsoft Entra ID tenant.
2. From the menu on the left, select Groups.
3. From the menu at the top, click New group.
4. From the Group type drop-down, select Security.
5. In the Group name field, enter a name for the group.
6. Leave everything else as is, and click Create.
Download and Edit the Template Used to Bulk Import Members
1. In the list of groups in the All groups view, click on the name of the Security group you created.
2. From the menu on the left, select Members.
3. From the menu at the top, click the Bulk operations drop-down.
4. Click Import members.
5. In the Bulk import group pane that displays on the right, click the Download button to download the latest CSV template.
6. Navigate to and open the CSV template file that was downloaded.
7. View the fields included in the template. Take note of any required fields and the total number of fields, as you will need to include some sort of information for each field.
8. Enter information for the users you want to add to the group, including data for the required field.
  - The required fields likely include the user's Object ID or the username that is aligned with their User Principal Name in AD.
  - For example, at the time this lab was made, an entry in the template included one of the following fields:
    [username]@[userPrincipalName]
    amos@radlabs4p.onmicrosoft.com
    or
    [memberObjectID]
    dec3f879-9439-4978-94be-17f17cefc0aa
Note: You can quickly find this information for each user within the All users view in the portal. Modify the view by clicking on Manage view in the top menu and then select Edit columns. Select only the User principal name and Object ID options (Object ID may need to be added), and click OK. Now, the User Principal Name and Object ID are displayed for each user, which you can then copy and paste into your CSV file.
9. Once you have entered the users to be added to the group, save your changes to the file.
Upload Your Edited File and Execute the Bulk Import Group Process
1. Back in the Azure portal, in the Bulk import group pane on the right, click the folder icon next to the Upload your csv file field.
Note: If you navigated away from the page to copy the User Principal Name or Object ID for the users while editing the template, you may need to navigate back to the All groups page, then click Members in the menu on the left, and then click Bulk operations > Import members to open the pane again.
2. Navigate to the location of your edited template file and select it.
3. If there are any issues with the data in the file, you will receive a notification of the errors in the Bulk import group pane. If any exist, fix the errors, save the file, and upload it again.
4. When your file has uploaded successfully, click the Submit button.
5. You will receive a status notification about the import process in the Bulk import group pane.
Note: If there are any issues during the import process, you can click Bulk operation results in the menu on the left, click on your file in the list, and view the errors it encountered.
6. From the menu at the top, click Refresh and verify that the users now appear in the list of Members.
AZ-104 Azure Identity - Creating and Managing Groups
- Describing groups
- Practical Use
- Creating a group
- Managing group membership
Azure Management groups: Create a hierarchy of Azure management groups tailored to your organization to efficiently manage your subscriptions and resources.
- Owners and Members: An owner of the group or a member of the group.
- Type of group: A security group or a Microsoft 365 group.
- Membership Type: Assigned, dynamic user or dynamic device.
To create a new group, navigate to Entra ID, then Groups, then New group.
We have different membership types:
- Assigned: add users manually or in bulk.
- Dynamic user: build rules on user attributes, for example department, to add all users from department X.
- Dynamic device: the same idea, applied to devices based on their attributes.
We need to click Add dynamic query to add the rules, in this case for dynamic users.
Here we added a rule to include every member of company X in our group; the rule syntax offers many properties and operators.
Now we add users, then validate the rule and check whether they belong to the HR group.
We can also filter by user type, for example all Guests, and build a group that contains every guest.
Group Types
- Security: security groups are used to manage access to shared resources for a group of users.
- Microsoft 365: these groups give members access to a shared mailbox, calendar, files, etc.
- Assigned: users are specifically selected to be members of a group.
- Dynamic user: membership rules automate group membership based on user attributes.
- Dynamic device: membership rules automate group membership based on device attributes.
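The dynamic HR group from the notes created with Microsoft Graph PowerShell, then checked against a direct directory query so you can see whether the rule captured exactly the intended users; this is an added example, not course code. It assumes the Microsoft.Graph module, an Entra ID P1/P2 licence (dynamic membership requires one), a caller holding `Group.ReadWrite.All` and `User.Read.All`, and "HR" as the department value.

```powershell
# Added example, not course code: create the dynamic HR security group and validate its membership.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Same rule syntax as the portal's Add dynamic query page; the guest variant from the
# notes would be '(user.userType -eq "Guest")'.
$rule  = '(user.department -eq "HR")'
$group = New-MgGroup -DisplayName "HR-Dynamic" -MailNickname "hr-dynamic" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# What the rule should match, queried directly from the directory.
$expected = @(Get-MgUser -Filter "department eq 'HR'" -ConsistencyLevel eventual -CountVariable n -All |
              Select-Object -ExpandProperty Id)

# The service evaluates dynamic membership asynchronously: poll (bounded) until the group fills.
$members = @()
for ($attempt = 0; $attempt -lt 10 -and $members.Count -lt $expected.Count; $attempt++) {
    Start-Sleep -Seconds 30
    $members = @(Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id)
}

# Any difference means the rule (or the users' department attribute) needs a second look.
$missing = @($expected | Where-Object { $_ -notin $members })
$extra   = @($members  | Where-Object { $_ -notin $expected })
"{0} users have department HR, {1} in the group, {2} missing, {3} unexpected" -f `
    $expected.Count, $members.Count, $missing.Count, $extra.Count
```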
AZ-104 Azure Identity - Creating Administrative Units
An administrative unit is a Microsoft Entra resource that can be a container for other Microsoft Entra resources. An administrative unit can contain only users, groups, or devices.
Constraints
- Administrative units can't be nested.
- Administrative units are currently not available in Microsoft Entra ID Governance.
Groups
Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).
For example, a User Administrator scoped to an administrative unit that contains a group can and can't do the following:
| Permissions | Can do |
|---|---|
| Manage the name of the group | ✅ |
| Manage the membership of the group | ✅ |
| Manage the user properties for individual members of the group | ❌ |
| Manage the user authentication methods of individual members of the group | ❌ |
| Reset the passwords of individual members of the group | ❌ |
Plan the organization
Plan the organization and evaluate its needs to determine the value that administrative units can provide for managing identities like groups and users.
Create an Administrative Unit
Create an administrative unit to logically divide the organization and allow for scoping.
- Purpose of administrative units: an Azure AD resource that acts as a container for Azure AD objects.
- Benefits of administrative units: they let you control the scope of your administrative users.
AZ-104 Azure Identity - Configuring SSPR (self service password reset)
- SSPR Process
- Authentication Methods
- SSPR Considerations
Authentication methods
- Mobile app: Authentication via an app notification. An example is the Microsoft Authenticator app.
- Mobile app code: Authentication via time-based codes. An example is the Microsoft Authenticator app.
- Email: Authentication via an email address external to Microsoft, using a code sent to that address.
- Mobile phone: Authentication via a mobile number, using a phone call or an SMS that provides a code (less recommended method).
- Office phone: Authentication via a non-mobile phone, using a phone call that prompts the user to press #.
- Security questions: Authentication via answering a set of security questions (least recommended method).
SSPR Considerations
Enable and manage SSPR via Azure AD groups.
- Required methods: one or more of the available authentication methods is required for SSPR.
- SSPR for admins: security questions are not available to admins. By default, admins must register MFA methods.
- Required licenses: Azure AD P1 or P2, Microsoft 365 Apps for business, or other Microsoft 365 licensing is required for SSPR.
These settings only apply to end users in your organization; admins are always enabled for SSPR and are required to use two authentication methods to reset their passwords.
- None: no user can perform SSPR (except admins).
- Selected: use groups to enable SSPR for specific users.
- All: enables SSPR for all users in the tenant.
For this exercise we select All, then choose which authentication methods to allow.
AZ-104 Azure Identity - Azure Entra ID Device Management
- Basics of Identity
- Registration Options
How to register devices
- Azure AD Registered: Least restrictive option, allowing bring your own device (BYOD) with a personal Microsoft or local account. Supports Windows 10, iOS, iPadOS, Android and macOS.
- Azure AD Joined: The device is owned by the organization and accesses Azure AD through a work account. These identities exist only in the cloud. Supports Windows 10 and Server 2019.
- Hybrid Azure AD Joined: Similar to Azure AD Joined, but these device identities exist both on-prem and in the cloud. Supports Windows 7, 8.1, 10 and Server 2008 or later.
Over in Device settings we can specify which users can register devices in our tenant, and how.
Users may join devices to Microsoft Entra.
- All: Will allow all users to join their devices.
- Selected: specify which users can join their device.
- None: No users can join their device.
Users may register their devices with Microsoft Entra.
- Allow users to register their BYOD devices as registered devices.
Require multi-factor authentication to register or join devices with Azure AD (self explanatory).
Maximum number of devices a user may add; the recommended value is 20.
Device Identity
- Simplified procedure for adding and managing devices
- Improved user experience on devices
- Single Sign-on (SSO) for any registered or joined devices.
4.- AZ-104 Azure RBAC - Role-based Access Control
AZ-104 Azure RBAC - Understanding Roles in Azure
- Describing RBAC
- Describing Azure Roles
- Describing Azure AD Roles
- Azure Roles vs Azure AD Roles
- RBAC Architecture
Describing RBAC
"Who can do what, where, who what and where"
Describing Azure Roles
- Owner: Full access to resources and can delegate access to other users
- Reader: Can view resources, but cannot perform actions on them
- Contributor: Can create and manage resources
- User Access Administrator: Can delegate access to resources
Describing Azure Entra ID Roles
- A special set of roles for managing identity objects inside our Azure tenant: users, applications or devices, not Azure resources.
- Global Administrator: Provides access to manage Azure AD resources
- Billing Administrator: Performs billing tasks
- User Administrator: Can manage users and groups inside the Azure Entra ID tenant
- Helpdesk Administrator: Can perform password resets if SSPR is not enabled
Microsoft Entra and Azure roles
Microsoft Entra roles and Azure roles are often confused when you first work with Azure. Microsoft Entra roles provide the mechanism for managing permissions to Microsoft Entra resources, like user accounts and passwords. Azure roles provide a wealth of capabilities for managing Azure resources like virtual machines (VMs) at a granular level.
| Azure roles | Microsoft Entra ID roles |
|---|---|
| Manage access to Azure resources like VMs, storage, networks, and more | Manage access to Microsoft Entra resources like user accounts and passwords |
| Multiple scope levels (management group, subscription, resource group, resource) | Scope only at tenant level |
| Role information accessible through Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API | Role information accessible in Azure admin portal, Microsoft 365 admin center, Microsoft Graph, Microsoft Graph PowerShell |
| Azure roles | Azure Entra ID roles |
|---|---|
| Control access to Azure resources (VMs, virtual networks, ...) | Control access to Azure AD resources (user objects, groups, devices, AD features) |
| Referred to as Azure RBAC | |
| Scope can be at multiple levels: management groups, subscriptions, resource groups and resources, using identities that exist inside our Azure AD tenant | Scope is at the Azure AD tenant level: gives users that exist inside our Azure Entra ID tenant the ability to perform administrative functions inside the tenant itself |
| Built-in roles and custom roles supported | Built-in roles and custom roles supported |
| Main roles: Owner, Contributor, Reader, User Access Administrator | Main roles: Global Administrator, Billing Administrator, User Administrator, Helpdesk Administrator |
AZ-104 Azure RBAC - Assigning access to resources
- Explaining Azure RBAC
- Understanding Role definitions
- Additive Property
Explaining Azure RBAC
Azure RBAC is an authorization system built from three parts:
- Security principal: the identity we want to authorize (WHO).
- Role definition: the collection of permissions we assign to that identity (WHAT).
- Scope: where those permissions apply, i.e. where the actions may be performed (WHERE).
Access has to be granted explicitly; anything that is not granted is implicitly denied.
Understanding Role Definitions
Contributor
- Actions: Define which operations are allowed on the management (control) plane, i.e. managing resources inside Azure, such as starting or stopping virtual machines.
- NotActions: Operations that are subtracted from this role definition's Actions. For example, if Actions allowed a user to restart a virtual machine, a NotActions entry for that same operation inside this role definition would override it.
- DataActions and NotDataActions: The same idea as Actions and NotActions, except that instead of the control plane (managing Azure resources) they apply to data-plane operations, such as working with the data inside Azure Storage accounts.
- AssignableScopes: Where this role definition may be assigned. It can be as narrow as a specific resource, or a resource group, a subscription, or even a management group.
For example, suppose a user in our Azure Active Directory tenant is assigned the Contributor role at the management group scope and is also assigned the Reader role at a resource group scope inside the same hierarchy. When a single identity has overlapping role assignments like this, the roles follow an additive property: the effective permissions are the sum of the permissions of each role definition. In this case Contributor + Reader = Contributor, because Contributor already includes everything Reader provides. Effectively, this user has Contributor at the management group scope, inherited all the way down to the lowest level, and the Reader assignment adds no additional permissions.
Assigning access
Let's go to Resource groups and select a group (K8s_group in the example below). If we go to Roles we can see all role assignments; here we can make a user a Contributor (grants full access to manage all resources, but does not allow assigning roles in Azure RBAC).
We select Contributor, then Add, then Add role assignment.
Back on the resource group we can see the role assignment.
Inside the resources of that group, the same assignment is inherited.
- Provide identities with access to azure resources
- Roles are a collection of permissions
- There is a scoping hierarchy for role assignment
- Implicit deny - Explicit Allow - Explicit Deny
AZ-104 Azure RBAC - LAB Using service Principal Identity to List AD Roles
In this hands-on lab, you are tasked with gathering the role definitions and role assignments for your organization.
You do not have access to the portal, so you must collect this information via SSH connection, by using a Linux VM and a service principal. Once you have gained access to the Azure subscription, use the Azure CLI to collect the required information, and output to a file so you can email it to your manager.
Solution
Log in to the virtual machine using the credentials provided:
```shell
ssh cloud_user@<PUBLIC_IP_ADDRESS>
```
Log in to Azure using the Service Principal
- Once connected to the lab VM, run `az login` with the `--service-principal` flag to log in to the Azure account:
```shell
az login --service-principal \
  -u "<CLIENT_ID>" \
  -p "<CLIENT_SECRET>" \
  --tenant "<TENANT_ID>"
```
Passing the secret literally with `-p` leaves it in the shell history; outside a throwaway lab, supply it from an environment variable (`-p "$CLIENT_SECRET"`) or use certificate-based login instead.
NOTE: To get your own Tenant ID, search for Tenant properties in the Azure portal. The value is under the Tenant ID field.
If you experience an error regarding invalid arguments, please see the Additional Information section for the details of a fix.
List the Role Definitions and Role Assignments
- List the role definitions: `az role definition list`
- Output the list to a file named roleinfo.json: `az role definition list > roleinfo.json`
- List the role assignments: `az role assignment list --all`
- Append the list to the roleinfo.json file: `az role assignment list --all >> roleinfo.json`
- Verify that the file was created successfully: `vi roleinfo.json`
AZ-104 Azure RBAC - Creating custom roles
- Describing custom roles
- Creating role definitions
- Custom role definition
- No built-in role meets the requirement
- User Access Administrator or Owner role for the account
Assignment and scope of custom roles
Users with the User Access Administrator or Owner roles can create or assign custom roles in Azure RBAC.
You can assign custom roles to:
| Security principal | Summary |
|---|---|
| User | An individual who has a profile in Microsoft Entra ID |
| Group | A set of users created in Microsoft Entra ID |
| Service principals | A security identity used by applications or services to access specific Azure resources |
| Managed identity | An identity in Microsoft Entra ID that is automatically managed by Azure |
Sometimes, built-in roles don't grant the precise level of access you need. Custom roles allow you to define roles that meet the specific needs of your organization. You can assign the Azure custom roles you create to users, groups, and service principals at the scope of subscription, resource group, or resource.
helpdesk.json
```json
{
  "Name": "Helpdesk Administrators",
  "Description": "Can Read, Restart VMs, and log support tickets with Microsoft",
  "Actions": [
    "*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/subscriptionId"
  ]
}
```
Open PowerShell in Cloud Shell, type `code` followed by the name of the JSON file (`code helpdesk.json`), paste the definition, then right-click the top bar to save and exit the editor.
Create the custom role.
Assign it: you can assign it to members, groups, etc.
Here we can check our own access or check someone else's access.
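The following is an added example (not from the course notes, and not Azure's own authorization engine) that models how the role-definition components and the additive property described in the "Assigning access to resources" section combine with the custom helpdesk role above. It parses the helpdesk.json definition, sanity-checks its shape before it would be passed to `az role definition create`, and then decides a handful of authorization questions over a constructed hierarchy (management group mg-root, a subscription, resource group K8s_group, and a VM). The built-in Owner/Contributor/Reader definitions are simplified stand-ins (the real Contributor NotActions list is longer), the scope IDs and principals are made up, and the deny-assignment list is there only to show that an explicit deny wins over any allow.

```python
import json
import re

# The custom role from the notes (helpdesk.json), embedded so the example runs
# stand-alone; "subscriptionId" is the placeholder used in the notes.
HELPDESK_JSON = """{
  "Name": "Helpdesk Administrators",
  "Description": "Can Read, Restart VMs, and log support tickets with Microsoft",
  "Actions": ["*/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Support/*"],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/subscriptionId"]
}"""

REQUIRED_KEYS = ("Name", "Description", "Actions", "NotActions",
                 "DataActions", "NotDataActions", "AssignableScopes")

def load_role_definition(text):
    """Parse a role-definition JSON file and check its shape before it is
    handed to `az role definition create --role-definition @file.json`."""
    role = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if k not in role]
    if missing:
        raise ValueError(f"role definition is missing {missing}")
    if not role["AssignableScopes"]:
        raise ValueError("AssignableScopes must contain at least one scope")
    return role

def matches(pattern, operation):
    """Azure operation wildcards: '*' matches any characters, '/' included;
    the comparison is case-insensitive."""
    regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(regex, operation.lower()) is not None

def role_allows(role, action):
    """Within one role definition, NotActions only subtract from that
    definition's own Actions; they never deny what another role grants."""
    return (any(matches(p, action) for p in role["Actions"])
            and not any(matches(p, action) for p in role["NotActions"]))

# Simplified built-in roles (constructed; the real Contributor NotActions list is longer).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Helpdesk Administrators": load_role_definition(HELPDESK_JSON),
}

# Constructed scope hierarchy: management group > subscription > resource group > resource.
MG = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/K8s_group"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
# A subscription's parent management group is not encoded in its ID, so it is mapped explicitly.
SUB_PARENT = {SUB.lower(): MG.lower()}

def parent_scope(scope):
    s = scope.lower()
    if "/resourcegroups/" in s:
        sub, rest = s.split("/resourcegroups/", 1)
        rg = f"{sub}/resourcegroups/{rest.split('/', 1)[0]}"
        return rg if s != rg else sub        # resource -> resource group -> subscription
    return SUB_PARENT.get(s)                 # subscription -> management group -> None

def scope_chain(scope):
    """The scope itself plus every ancestor, lower-cased."""
    chain, s = [], scope.lower()
    while s:
        chain.append(s)
        s = parent_scope(s)
    return chain

ASSIGNMENTS = [  # (principal, role, scope): constructed
    ("alice", "Contributor", MG),   # inherited by everything below mg-root
    ("alice", "Reader", RG),        # adds nothing: Contributor already covers */read
    ("bob", "Helpdesk Administrators", SUB),
    ("carol", "Reader", RG),
]
DENY_ASSIGNMENTS = [  # (principal, operation pattern, scope): constructed
    ("alice", "Microsoft.Compute/virtualMachines/delete", RG),
]

def is_authorized(principal, action, scope,
                  assignments=ASSIGNMENTS, denies=DENY_ASSIGNMENTS):
    chain = scope_chain(scope)
    # An explicit deny at the scope or any ancestor wins outright.
    for p, pattern, deny_scope in denies:
        if p == principal and deny_scope.lower() in chain and matches(pattern, action):
            return False
    # Allows are additive: one covering assignment whose role grants the action is enough.
    for p, role_name, assign_scope in assignments:
        if p == principal and assign_scope.lower() in chain and role_allows(ROLES[role_name], action):
            return True
    return False  # nothing granted it: implicit deny
```

Two things the model makes visible that the portal does not: alice's Reader assignment at the resource group changes nothing because Contributor at the management group already flows down, and bob's helpdesk role cannot restart a VM even though its description says so, because only `Microsoft.Compute/virtualMachines/start/action` is listed under Actions. Reviewing a custom role this way, by asking it concrete questions, catches that kind of drift between description and definition before the role is assigned.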
- Provide identities with access to Azure Resources
- Roles are collections of permissions
- Scoping hierarchy for role assignments
- Custom role definition
- No built-in role meets requirements
- User Access Administrator or Owner role for the account
5.- AZ-104 Azure - Storage
AZ-104 Azure - Storage Accounts
- Azure Queue: Message Based storage for microservices.
- Azure Table: Non-relational semi-structured data storage service.
- Azure Files: Cloud-based file-sharing service.
- Azure Blob: Object storage solution (store JPGs, MP4s, etc.).
| Type of storage account | Supported storage services | Redundancy options | Usage |
|---|---|---|---|
| Standard general-purpose v2 | Blob Storage (including Data Lake Storage), Queue Storage, Table Storage, and Azure Files | Locally redundant storage (LRS) / geo-redundant storage (GRS) / read-access geo-redundant storage (RA-GRS) / zone-redundant storage (ZRS) / geo-zone-redundant storage (GZRS) / read-access geo-zone-redundant storage (RA-GZRS) | Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type. |
| Premium block blobs | Blob Storage (including Data Lake Storage) | LRS / ZRS | Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency. |
| Premium file shares | Azure Files | LRS / ZRS | Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares. |
| Premium page blobs | Page blobs only | LRS / ZRS | Premium storage account type for page blobs only. |
Storage accounts
- Account type: determines feature and costs.
- Performance tier: determines performance levels.
- Replication: determines infrastructure redundancy.
- Access tier: determines access level and data costs.
Azure Storage Redundancy
Locally redundant storage

Locally redundant storage (LRS) copies your data three times across separate racks of hardware in a datacenter inside one region. Even if there's a hardware failure or if there's maintenance work in the datacenter, this replication type ensures data is available for use.
LRS doesn't protect you from a datacenter-wide outage. If the datacenter goes down, you could lose your data.
Geographically redundant storage
Read-access geo-redundant storage
With GRS, your secondary region isn't available for read access until the primary region fails. If you want to read from the secondary region, even if the primary region hasn't failed, use Read-access geo-redundant storage (RA-GRS) for your replication type.
Zone-redundant storage

Zone-redundant storage (ZRS) copies your data to three storage clusters in a single region. Each cluster is in a different physical location and is considered a single availability zone. Each cluster uses its own separate utilities for things like networking and power. If one datacenter is experiencing an outage, your data remains accessible from another availability zone in the same Azure region.
Because all availability zones are in a single region, ZRS can't protect your data from a regional-level outage.
Geo-zone-redundant storage
Geo-zone-redundant storage (GZRS) combines the high availability benefits of ZRS with GRS. With this replication type, your data is copied across three availability zones in one region. Data is also replicated three times to another secondary region that's paired with it. This way, your zone-redundant data is also secure from regional-level outages.
Read-access geo-zone-redundant storage
Read-access geo-zone-redundant storage (RA-GZRS) uses the same replication method as GZRS, but lets you read from the secondary region. If you want to read the data that's replicated to the secondary region, even if your primary isn't experiencing downtime, use RA-GZRS for your replication type.
GZRS and RA-GZRS are currently available in the following regions:
- South Africa North
- Australia East
- East Asia
- Japan East
- Korea Central
- Southeast Asia
- Central India
- France Central
- Germany West Central
- North Europe
- Norway East
- Sweden Central
- Switzerland North
- UK South
- West Europe
- Canada Central
- Central US
- East US
- East US 2
- South Central US
- West US 2
- West US 3
- US Gov Virginia
- Brazil South
Paired regions
A paired region is where an Azure region is paired with another in the same geographical location to protect against regional outage. Paired regions are used with GRS and GZRS replication types.

Here's a list showing some of the regions that are paired together. You can get the full list at Azure paired regions.
| Geography | Paired region A | Paired region B |
|---|---|---|
| Asia | East Asia | Southeast Asia |
| Australia | Australia East | Australia Southeast |
| Canada | Canada Central | Canada East |
| China | China North | China East |
| Europe | North Europe (Ireland) | West Europe (Netherlands) |
| Japan | Japan East | Japan West |
| North America | East US | West US |
| South Africa | South Africa North | South Africa West |
| UK | UK West | UK South |
Use cases for each replication type
The following table summarizes how many copies you get with each replication type and when you should use it.
| Replication type | Copies | Use case |
|---|---|---|
| LRS | 3 | Data remains highly available, but for compliance reasons, isn't allowed to leave the local datacenter. |
| GRS | 6 | App has access to the data, even if an entire region has an outage. |
| RA-GRS | 6 | App reads from multiple geographical locations, so you can serve users from a location that's closer to them. |
| ZRS | 3 | Need redundancy in multiple physical locations, but because of compliance, data isn't allowed to leave a region. |
| GZRS | 6 | App can access data, even if the primary region has failed, and your secondary region has a datacenter that's experiencing an outage, but you don't want to read from the secondary region unless the primary region is down. |
| RA-GZRS | 6 | Regularly read data from your secondary region, perhaps to serve users from a location closer to them, even if a datacenter is up in your primary region. |
Creating a storage account
Select type of redundancy
AZ-104 Azure - Conceptualizing Azure Blob Storage
- Describing Azure Blob Storage
- Components of Blob Architecture
- Type of Blobs
- Container Access Levels
Azure Blob Storage is Microsoft's object storage solution for the cloud. Blob Storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data. It is object-based and easily accessible over HTTP/REST.
Blob Storage is designed for:
- Serving images or documents directly to a browser.
- Storing files for distributed access.
- Streaming video and audio.
- Writing to log files.
- Storing data for backup and restore, disaster recovery, and archiving.
- Storing data for analysis by an on-premises or Azure-hosted service.
Blob Architecture
- Blob Service: A sub service for storage accounts.
- Blob Container: The container where we store our blobs.
- Blobs: The data we store in our containers.
Types of Blobs
- Block blobs: Storing images or videos; best suited for streaming.
- Append blobs: Log files
- Page Blobs: Virtual machine disks
Container Access Level
- Access control: By default, whether public (anonymous) access to blobs is permitted is set at the storage account level.
Container Access Levels:
- Private: No anonymous access.
- Blob: Anonymous access to blob
- Container: Anonymous access to container and blobs it contains.
Now let's open our storage account. Below we can see the system storage account; here we will create a container.
First check whether blob anonymous access is enabled; if not, click the link to enable it.
Now create a new container. The anonymous access level can only be chosen if blob anonymous access is enabled on the account.
Three containers with different access levels.
Each container has its own URL.
Now let's upload a random file to our private container; the file also has its own URL for direct access.
AZ-104 Azure - Configuring blob object replication
Object replication asynchronously copies block blobs between storage accounts.
- Requires source and destination storage accounts
- Requires versioning and change feed
- Supports cross-tenant replication
- Minimize latency: reduce latency for read requests.
- Increased efficiency: process block blobs in different regions.
- Data distribution: process and analyze data in one location, then replicate it to other regions.
- Cost optimization: moving replicated data to the archive tier can reduce cost.
- Versioning: Versioning must be enabled on both the source and destination accounts to perform replication.
- Change feed: Change feed must be enabled on the source account. Azure Storage monitors the $blobchangefeed to drive replication.
- Cross subscription and Azure AD: Object replication is supported across subscriptions and Azure AD tenants.
- Replication policy: A storage account can be a source for up to two destination accounts. Each policy supports only a single pairing, identified by a policy ID.
Create a destination storage account and make sure versioning for blobs is enabled.
On the source storage account we enable versioning and change feed.
Now we add our containers: one on the source and one on the destination storage account.
Next we create an object replication rule on our source storage account.
For the replication rule we select the destination storage account (dststorageaccountcloud1 in this case) and specify the source container and destination container. We can also apply filters to replicate only data under a specific folder prefix, and choose which data to copy over; here we select only new objects.
Now we upload a new blob to our src storage account and src container.
We can see blob1.txt on the source account but not on the destination, because the rule's filter does not match it.
We add the same blob again, this time under the folder prefix that matches our replication rule.
blob1.txt now also appears in the destination container thanks to object replication.
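The walkthrough above hinges on two rule settings: the prefix filter and the "only new objects" choice. As an added example (not part of the course notes and not Azure's own replication engine), the code below takes a constructed replication policy, shaped after the policy's fields (source and destination account, per-rule source and destination container, and `prefixMatch` / `minCreationTime` filters), and answers where a given upload would be copied. The account and container names are made up except for dststorageaccountcloud1, which is the name used in the notes, and the exact JSON envelope the CLI expects is not reproduced here.

```python
import json
from datetime import datetime

# Constructed policy: replicate blobs under "folder/" in container src of the
# source account to container dst of dststorageaccountcloud1, but only blobs
# created on or after minCreationTime ("only new objects").
POLICY_JSON = """{
  "sourceAccount": "srcstorageaccountcloud1",
  "destinationAccount": "dststorageaccountcloud1",
  "rules": [
    {
      "ruleId": "rule-1",
      "sourceContainer": "src",
      "destinationContainer": "dst",
      "filters": {
        "prefixMatch": ["folder/"],
        "minCreationTime": "2024-01-01T00:00:00Z"
      }
    }
  ]
}"""
POLICY = json.loads(POLICY_JSON)

def parse_time(text):
    """ISO-8601 with a trailing Z, as the filters use, to an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def replication_target(policy, account, container, blob_name, created):
    """Return (destinationAccount, destinationContainer) for the first rule
    that covers the blob, or None when nothing in the policy matches."""
    if account != policy["sourceAccount"]:
        return None
    for rule in policy["rules"]:
        if rule["sourceContainer"] != container:
            continue
        filters = rule.get("filters", {})
        prefixes = filters.get("prefixMatch", [])
        # A prefix filter is matched against the full blob name, so "folder/blob1.txt"
        # matches "folder/" while a top-level "blob1.txt" does not.
        if prefixes and not any(blob_name.startswith(p) for p in prefixes):
            continue
        min_time = filters.get("minCreationTime")
        if min_time and created < parse_time(min_time):
            continue
        return policy["destinationAccount"], rule["destinationContainer"]
    return None

def explain(policy, account, container, blob_name, created_iso):
    """Human-readable verdict for one upload, handy when a blob 'did not replicate'."""
    target = replication_target(policy, account, container, blob_name, parse_time(created_iso))
    if target is None:
        return f"{container}/{blob_name}: not covered by any rule"
    return f"{container}/{blob_name}: replicates to {target[0]}/{target[1]}"
```

`explain(POLICY, "srcstorageaccountcloud1", "src", "blob1.txt", "2024-03-01T00:00:00Z")` reports the blob as not covered, which is exactly the situation in the walkthrough before the blob was re-uploaded under the folder prefix; changing the name to `folder/blob1.txt` flips the verdict.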
AZ-104 Azure - Configuring Blob Lifecycle Management
A Blob Storage feature that automates lifecycle operations on blobs.
- Automate blob lifecycle: Easily manage blob life-cycles from frequent use to archive or deletion
- Move access tiers: Switch blobs between tiers to meet access or usage needs.
- Optimize cost: Save money by decreasing admin overhead and tiering blobs based on usage requirements.
Let's add some random files to our container and then add a lifecycle rule.
We can also specify a filter so that the rule only applies to blobs under testcontainer/folder.
After 30 days, all our matching blobs will move from hot to cold.
- Storage accounts: Supports GPv2 storage accounts and blob storage accounts.
- Types and sub-types: Supports block and append blobs, and sub-types such as base blobs, snapshots and versions.
- Filtering: Filter the blobs a rule applies to using prefix or blob index matches.
- Scoping: Scope at the storage account, or limit the blobs with filters.
- If/Then logic: Lifecycle rules use conditions on modification and access times to move blobs through access tiers.
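To show the if/then logic, filtering and scoping together, here is an added example (not part of the course notes and not the service's implementation) that embeds a constructed lifecycle policy in the JSON shape the feature uses (`rules[].definition.actions.baseBlob` with `daysAfterModificationGreaterThan`, and `filters` with `blobTypes` and `prefixMatch`) and works out which action, if any, the policy would take on each of a few constructed blobs at a given point in time. The policy moves block blobs under testcontainer/folder to the cool tier after 30 days and deletes them after a year; the blob list, the timestamps and the tie-break between several due actions are assumptions of this toy.

```python
import json
from datetime import datetime

# Constructed policy in the lifecycle-management JSON shape.
LIFECYCLE_POLICY_JSON = """{
  "rules": [
    {
      "enabled": true,
      "name": "cool-after-30-days",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "tierToCool": {"daysAfterModificationGreaterThan": 30},
            "delete": {"daysAfterModificationGreaterThan": 365}
          }
        },
        "filters": {
          "blobTypes": ["blockBlob"],
          "prefixMatch": ["testcontainer/folder"]
        }
      }
    }
  ]
}"""
LIFECYCLE_POLICY = json.loads(LIFECYCLE_POLICY_JSON)

TIER_ORDER = {"Hot": 0, "Cool": 1, "Archive": 2}          # colder tiers rank higher
ACTION_TIER = {"tierToCool": "Cool", "tierToArchive": "Archive"}

def parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def blob_matches(rule, blob):
    """Apply the rule's filters: blob type and (optional) name prefix."""
    f = rule["definition"].get("filters", {})
    if blob["blobType"] not in f.get("blobTypes", [blob["blobType"]]):
        return False
    prefixes = f.get("prefixMatch", [])
    return not prefixes or any(blob["name"].startswith(p) for p in prefixes)

def due_actions(policy, blobs, now):
    """Map blob name -> the action the policy would take at `now`.
    Tie-break (assumed): delete beats any tier move, and a colder tier move
    beats a warmer one; a move to a tier the blob already has is a no-op."""
    result = {}
    for blob in blobs:
        age_days = (now - parse_time(blob["lastModified"])).days
        best = None  # (priority, action)
        for rule in policy["rules"]:
            if not rule.get("enabled", True) or not blob_matches(rule, blob):
                continue
            for action, cond in rule["definition"]["actions"].get("baseBlob", {}).items():
                if age_days <= cond["daysAfterModificationGreaterThan"]:
                    continue  # condition not yet met
                if action == "delete":
                    prio = 99
                else:
                    prio = TIER_ORDER[ACTION_TIER[action]]
                    if prio <= TIER_ORDER[blob["tier"]]:
                        continue  # already in that tier or colder
                if best is None or prio > best[0]:
                    best = (prio, action)
        if best:
            result[blob["name"]] = best[1]
    return result

NOW = parse_time("2024-02-15T00:00:00Z")
SAMPLE_BLOBS = [  # constructed; ages are relative to NOW
    {"name": "testcontainer/folder/report.pdf", "blobType": "blockBlob", "tier": "Hot", "lastModified": "2024-01-01T00:00:00Z"},   # 45 days: cool
    {"name": "testcontainer/folder/fresh.csv", "blobType": "blockBlob", "tier": "Hot", "lastModified": "2024-02-10T00:00:00Z"},    # 5 days: nothing
    {"name": "testcontainer/other/photo.jpg", "blobType": "blockBlob", "tier": "Hot", "lastModified": "2023-01-01T00:00:00Z"},     # outside the prefix
    {"name": "testcontainer/folder/app.log", "blobType": "appendBlob", "tier": "Hot", "lastModified": "2023-01-01T00:00:00Z"},     # wrong blob type
    {"name": "testcontainer/folder/archive.zip", "blobType": "blockBlob", "tier": "Cool", "lastModified": "2023-12-01T00:00:00Z"}, # already cool
    {"name": "testcontainer/folder/ancient.bak", "blobType": "blockBlob", "tier": "Hot", "lastModified": "2022-01-01T00:00:00Z"},  # over a year: delete
]

def sample_verdict():
    return due_actions(LIFECYCLE_POLICY, SAMPLE_BLOBS, NOW)
```

Dry-running a policy like this against a listing of real blob names and timestamps is worth doing before enabling it, because a `delete` action with an over-broad prefix is irreversible unless soft delete or versioning is on, and the portal offers no preview of what a rule will touch.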