This AZ-104 Study Guide links to most relevant documentation on Microsoft Docs. It was supposed to be for myself, but then I thought: why not share it with the world :)
It covers all objectives / skills measured in AZ-104 exam and is meant to be a 80% complete study guide. 20% should come from experience, watching video’s and tutorials. Exam AZ-104: Microsoft Azure Administrator grants the title Microsoft Certified: Azure Administrator Associate
This is part 1 of 5.
Manage Azure subscriptions and resources (15-20%)
Manage Azure subscriptions
assign administrator permissions
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
To assign a role to a user, sign in to the Azure Portal, navigate to the user, select Directory Role and select Add Role. Only Global Administrators (sometimes referred as Company Administrators) or Privileged Role Administrators can delegate administrator roles.
Assign with Powershell:
For example:
Get-AzureADDirectoryRole #to list the roles that you can assign with PowerShell
$userName="sign-in name of the account"
$roleName="role name"
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where {$_.DisplayName -eq $roleName}).ObjectID -RefObjectId (Get-AzureADUser | Where {$_.UserPrincipalName -eq $userName}).ObjectIDTo increase security, you should minimize the number of people with administrative rights. Azure AD Privileged Identity Management (PIM) essentially helps you manage the who, what, when, where, and why for resources that you care about. You need Azure AD Premium P2 or Enterprise Mobility + Security (EMS) E5 for this functionality
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
configure cost center quotas and tagging
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
Microsoft Azure limits are sometimes called quotas.
Use tags to group billing data for supported services. For example, if you run several VMs for different teams, then you can use tags to categorize costs by cost center (HR, marketing, finance) or environment (production, pre-production, test).
To apply tags on resources:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
You can add tags using
- Azure Policies
- Powershell , i.e.:
- Set-AzResourceGroup -Name examplegroup -Tag @{ Dept=”IT”; Environment=”Test” }
- Azure CLI, i.e.:
- az group update -n examplegroup –set tags.Environment=Test tags.Dept=IT
- Templates
- Azure Portal (GUI)
To review usage and costs, Microsoft recommends Cloudyn. Cloudyn shows you usage and costs so that you can track trends, detect inefficiencies, and create alerts
https://docs.microsoft.com/en-us/azure/cost-management/tutorial-review-usage
configure Azure subscription policies at Azure subscription level
https://docs.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy begins with creating a policy definition. Every policy definition has conditions under which it’s enforced. For example: only allow D1 VM’s to be created, or validate SQL Servers to have version 12 or later installed. To implement these policy definitions, you’ll need to assign them to a scope using Policy Assignments. A scope can be a Management group, Subscription or Resource group. You can assign policies through the Azure portal, PowerShell, or Azure CLI. Policy evaluation happens with several different actions, such as policy assignment or policy updates
Optional:
Policy parameters help simplify your policy management by reducing the number of policy definitions. Think of parameters like the fields on a form – name, address, city, state. These parameters always stay the same, however their values change based on the individual filling out the form. Parameters work the same way when building policies. By including parameters in a policy definition, you can reuse that policy for different scenarios by using different values.
An initiative definition is a collection of policy definitions. They simplify by grouping a set of policies as one single item.
Analyze resource utilization and consumption
configure diagnostic settings on resources
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-logs-overview
Azure Monitor diagnostic logs (formerly named Log Analytics) are logs emitted by an Azure service that provide rich, frequent data about the operation of that service. These logs can come from tenant-level resources (like Azure Active Directory) or resources within the subscription (like a Network Security Group or a Storage Account)
To configure diagnostic settings , you need to set
- Where diagnostic logs and metrics are sent (Storage Account, Event Hubs, and/or Azure Monitor).
- Which log categories are sent and whether metric data is also sent.
- How long each log category should be retained in a storage account
- To enable storage of diagnostic logs in a storage account with
Powershell:
Set-AzDiagnosticSetting -ResourceId [your resource id] -StorageAccountId [your storage account id] -Enabled $true
Azure CLI:
az monitor diagnostic-settings create ……
create baseline for resources
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview
This seems to be related to Configuration Management, and can be done by using DSC.
create and rest alerts
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log
Alerts only support two metrics signals, or one log search signal or one activity signal. To be alerted when event 4654 or event 3245 occurs, you have to create two alerts, because in each alert you can only add one condition.
analyze alerts across subscription
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview
Use the All Alerts page to view a list of alerts created within a selected time window. Click through to Alert Detail Page to get more information, and to change its alert state. Use Smart Groups to filter noise in alerts.
Smart groups are automatically created by using machine learning algorithms to combine related alerts that represent a single issue. When an alert is created, the algorithm adds it to a new smart group or an existing smart group based on information such as historical patterns, similar properties, and similar structure. For example, if % CPU on several virtual machines in a subscription simultaneously spikes leading to many individual alerts, and if such alerts have occurred together anytime in the past, these alerts will likely be grouped into a single Smart Group, suggesting a potential common root cause.
analyze metrics across subscription
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collection
Metrics are collected every minute by default. They are stored for 93 days. Copy them to logs for long term trending.
create action groups
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups
An action may contain multiple actions (like Send SMS and execute Runbook).
monitor for unused resources
https://docs.microsoft.com/en-us/azure/cost-management/tutorial-review-usage
Use Cloudyn to improve efficiency. I.e. use the Optimizer to identify idle VM’s and unattached disks.
monitor spend
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/usage-estimated-costs
https://azure.microsoft.com/en-us/pricing/details/cost-management/
report on spend
https://azure.microsoft.com/en-us/pricing/details/cost-management/
Use Budgets to keep track on your expenses. Use Alerting to get notified on costs and usage budgets. Monthly budgets are evaluated every 4 hours. When an alert condition is met (i.e. costs have reached 80% of monthly budget), you can alert someone by email, but you can also trigger an action group. (i.e. at 80%, shutdown all non-critical VM’s)
https://docs.microsoft.com/en-us/azure/billing/billing-cost-management-budget-scenario
Cloudyn is also an option to report and alert on spending.
utilize Log Search query functions
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-queries
view alerts in Log Analytics
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alert-management-solution
Logs Analytics repository can collect alerts from multiple sources
- Log Analytics
- Nagios and Zabbix
- System Center Operations Manager
Then, add the Alert Management Solution to your Logs Analytics workspace to start analyzing.
Manage resource groups
use Azure policies for resource groups
Seems overlapping with 1.1.3.
I guess this objective demands you to know how you assign them to a Resource Group.
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
configure resource locks
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
Locks can have 2 values: CanNotDelete and ReadOnly. All resources within a parent scope inherit the setting. The most restrictive setting take precedence.
Locks only apply to operations at management plane level. For example, a ReadOnly lock on a SQL Database prevents you from deleting or modifying the database, but it doesn’t prevent you from creating, updating, or deleting data in the database.
configure resource policies
Not sure how this differs from 1.3.1, beside the scope (Resource vs Resource group)
identify auditing requirements (new since AZ-100)
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit
Not sure, since this objective is placed in “Manage Resource Groups”. “Identify” feels like a soft-skill.
implement and set tagging on resource groups
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
Overlaps with 1.1.2
move resources across resource groups
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources
The majority of services can be moved. However, there are still a lost of services that can’t.
Both the source group and the target group are locked during the move operation. Write and delete operations are blocked on the resource groups until the move completes. However, there is no downtime on the particular service.
remove resource groups
Managed role based access control (RBAC) (new since AZ-100)
create a custom role
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
configure access to Azure resources by assigning roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
In Powershell
New-AzRoleAssignment -SignInName <email, userprincipalname> -RoleDefinitionName <role name in quotes> -ResourceGroupName <resource group name>
configure management access to Azure, troubleshoot RBAC, implement RBAC policies, assign RBAC Roles
Generally, this means you need to know every basic action for managing RBAC. A good start would be
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Configure Management Access to Azure:
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
troubleshoot RBAC:
https://docs.microsoft.com/en-us/azure/role-based-access-control/troubleshooting
implement RBAC policies (needs you to understand basics and best practices):
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
assign RBAC Roles:
https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
thanks for sharing these links , what video’s did u watch to learn the other 20% , appreciate ur reply .
Hi pkota, checkout the introduction of this Study Guide:
itexperience.net/az-103/
You can get a free 7 day trial from CBT Nuggets. That should be enough for some this course.
But I had most benefits from LinkedIn Premium. Premium includes LinkedIn Learning which gives you access to the videos of Sharon Bennett. She focuses on the items that help you pass your exam, without the blah-blah of CBTNuggets :)
You should be able to get a free trial for 30 days somewhere. Search for it on the internet. There are several ways to obtain. I got it from my Visual Studio subscription.
linkedin.com/learning/exam-prep-microsoft-azure-infrastructure-and-deployment-az-100/
linkedin.com/learning/cert-prep-microsoft-azure-administrator-certification-transition-exam-az-102/
Thank you so much for this useful information!
Great docs cheers for your help.
Thank you for sharing your thoughts and knowledge!
Thank you for this study guide! Good summary of the info with links to the relevant docs. Love it.
You’re very welcome!
Did you pass the exam?