AZ-900 Certification: Cloud Concepts Overview

The document provides an overview of Microsoft Azure Fundamentals, covering cloud concepts, service models, and the benefits of cloud services. It explains the shared responsibility model, different cloud models (public, private, hybrid, multi-cloud), and Azure's core architectural components. Additionally, it outlines Azure's compute and networking services, including Azure Virtual Machines, Azure Virtual Desktop, containers, and Azure Functions.

Uploaded by Youness Hamdaoui

AZ 900 CERTIFICATION

Microsoft Azure Fundamentals: Describe cloud concepts

I. Describe Cloud Concepts:
1. What is Cloud Computing:
Cloud computing is the delivery of computing services over the internet.

Computing services include common infrastructure such as VMs, storage, databases and
networking, and other services such as IoT, ML and AI.

2. Describe the shared responsibility model:

The customer is always responsible for:

• The information and data
• Devices (cell phones, computers, and so on)
• Accounts and identities of the people, services, and devices within your
organization.

The cloud provider is always responsible for:

• The physical datacenter
• The physical network
• The physical hosts

Your service model determines who is responsible for the rest.

3. Cloud Computing Models:

➢ Public Cloud:

A public cloud is built, controlled, and maintained by a third-party cloud provider. With a
public cloud, anyone who wants to purchase cloud services can access and use resources.
General public availability is the key difference between public and private clouds.
Microsoft provides a public cloud solution named Microsoft Azure.

➢ Private Cloud:

A private cloud is a cloud created by an organization on its own hardware; it does not
provide access to users outside the organization. It can be hosted in the organization's
own datacenter or in a dedicated offsite datacenter. In short, it is a cloud that is built,
controlled and maintained by the organization that created it.

➢ Hybrid Cloud:

A hybrid cloud combines public and private clouds to allow applications to run in the most
appropriate location.
An organization that needs to use Azure without releasing its data can use the
Azure Stack solution.

➢ Multi-Cloud:

A multi-cloud environment uses multiple public cloud providers. Maybe you use different
features from different cloud providers, or maybe you started your cloud journey with one
provider and are in the process of migrating to a different one. Regardless, in a multi-cloud
environment you deal with two (or more) public cloud providers and manage resources and
security in both environments.

➢ Azure Arc

Azure Arc is a set of technologies that helps you manage your cloud environment, whether
it's a public cloud solely on Azure, a private cloud in your datacenter, a hybrid configuration,
or even a multi-cloud environment running on multiple cloud providers at once.

➢ Azure VMware Solution

Azure VMware Solution lets you run your VMware workloads in Azure with seamless
integration and scalability.

4. Describe the consumption-based model

When comparing IT infrastructure models, there are two types of expenses to consider:
capital expenditure (CapEx) and operational expenditure (OpEx).

➢ Capital expenditure (CapEx)

CapEx is typically a one-time, up-front expenditure to purchase or secure tangible resources. A
new building, repaving the parking lot, building a datacenter, or buying a company vehicle
are examples of CapEx.

➢ Operational expenditure (OpEx)

OpEx is spending money on services or products over time. Renting a convention center, leasing
a company vehicle, or signing up for cloud services are all examples of OpEx.

The cloud's consumption-based model (OpEx) has many benefits, including:

• No upfront costs.
• No need to purchase and manage costly infrastructure that users might not use to
its fullest potential.
• The ability to pay for more resources when they're needed.
• The ability to stop paying for resources that are no longer needed.

5. Compare cloud pricing models

With cloud pricing you pay only for the cloud services you use, which helps you:

• Plan and manage your operating costs.
• Run your infrastructure more efficiently.
• Scale as your business needs change.

II. Describe the benefits of using cloud services
1. Describe the benefits of high availability and scalability in the cloud.

➢ High availability
High Availability (HA) maintains acceptable, continuous performance despite temporary load
fluctuations or failures in services, hardware or datacenters.

Azure uses service level agreements (SLAs) expressed as a percentage of availability; 99%,
99.9%, 99.95% and 99.99% SLAs are available in Azure. This percentage lets you choose the
availability level that matches your needs.
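A worked SLA calculation, added here as an example (it is not part of the original notes): it shows what the percentages above mean in tolerated downtime, and how SLAs combine when a workload depends on several services in series or is deployed redundantly in parallel. The 30-day month and the three-tier sample workload are constructed assumptions.

```python
"""SLA arithmetic for the availability percentages listed above.

Added example; the 30-day month and the sample workload are assumptions.
"""
from typing import Sequence

MINUTES_PER_MONTH = 30 * 24 * 60  # assumed 30-day month
MINUTES_PER_YEAR = 365 * 24 * 60


def allowed_downtime_minutes(sla_percent: float,
                             period_minutes: int = MINUTES_PER_MONTH) -> float:
    """Minutes of downtime a given SLA still tolerates over the period."""
    if not 0 < sla_percent <= 100:
        raise ValueError("SLA must be a percentage in (0, 100]")
    return period_minutes * (1 - sla_percent / 100)


def composite_sla_serial(slas: Sequence[float]) -> float:
    """Workload that needs every component up at once: availabilities multiply,
    so the chain is always weaker than its weakest link."""
    availability = 1.0
    for sla in slas:
        availability *= sla / 100
    return availability * 100


def composite_sla_parallel(slas: Sequence[float]) -> float:
    """Workload that stays up while any one redundant copy is up (for example
    the same app in two regions): the probabilities of failure multiply."""
    failure = 1.0
    for sla in slas:
        failure *= 1 - sla / 100
    return (1 - failure) * 100


if __name__ == "__main__":
    for sla in (99.0, 99.9, 99.95, 99.99):
        print(f"{sla:6.2f}% -> {allowed_downtime_minutes(sla):7.1f} min/month, "
              f"{allowed_downtime_minutes(sla, MINUTES_PER_YEAR):8.1f} min/year")
    # Constructed three-tier workload: web tier 99.95, database 99.99, queue 99.9
    print(f"serial chain   : {composite_sla_serial([99.95, 99.99, 99.9]):.4f}%")
    # Same workload deployed independently in two regions
    print(f"two in parallel: {composite_sla_parallel([99.84, 99.84]):.6f}%")
```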

➢ Scalability

• Vertical scaling:

Adding more CPU or RAM to a VM (scale up) or removing CPU or RAM (scale down)
based on your needs.

• Horizontal scaling:

Adding VMs or containers (scale out) or removing them (scale in).

2. Describe the benefits of reliability and predictability in the cloud

➢ Reliability

Reliability is the ability of a system to recover from failures and continue to function.

➢ Predictability
Predictability in the cloud lets you move forward with confidence. Predictability can be
focused on performance predictability or cost predictability.

3. Describe the benefits of security and governance in the cloud

Cloud features support governance and compliance, and on the security side you can find
a cloud solution that matches your security needs.

4. Describe the benefits of manageability in the cloud

➢ Management of the cloud

Management of the cloud speaks to managing your cloud resources. In the cloud, you
can:

• Automatically scale resource deployment based on need.
• Deploy resources based on a preconfigured template, removing the need for
manual configuration.
• Monitor the health of resources and automatically replace failing resources.
• Receive automatic alerts based on configured metrics, so you’re aware of
performance in real time.

➢ Management in the cloud

Management in the cloud speaks to how you’re able to manage your cloud
environment and resources. You can manage these:

• Through a web portal.
• Using a command line interface.
• Using APIs.
• Using PowerShell.

III. Describe Cloud Service types:
In cloud computing there are three types of service: Infrastructure as a Service (IaaS),
Platform as a Service (PaaS) and Software as a Service (SaaS).

1. Infrastructure as a Service (IaaS):

IaaS is the most flexible category of cloud services, as it provides you the maximum amount of
control over your cloud resources.

Some common scenarios where IaaS might make sense include:

• Lift-and-shift migration: migration from on-premises to IaaS.
• Testing and development

2. Platform as a Service (PaaS):

PaaS is a middle ground between renting space in a datacenter (IaaS) and paying for a complete
and deployed solution (SaaS).

Some common scenarios where PaaS might make sense include:

• Development framework
• Analytics or business intelligence

3. Software as a Service (SaaS):

SaaS is the most complete cloud service model from a product perspective. With SaaS, you’re
essentially renting or using a fully developed application. Email, financial software, messaging
applications, and connectivity software are all common examples of a SaaS implementation.

Some common scenarios for SaaS are:

• Email and messaging.
• Business productivity applications.
• Finance and expense tracking.

Describe Azure architecture and services

I. Describe the core architectural components of Azure
1. What is Azure:
Azure is a public cloud provider created by Microsoft that provides everything you need to
build, manage and deploy on a massive global network using your favorite tools and
frameworks.

Azure provides more than 100 services that let you, for example, create VMs, create servers,
deploy applications or explore new software solutions.

2. Azure accounts:
To create and use Azure services you must have an Azure account, and then you need an
Azure subscription. A subscription can have one or more resource groups, and each
resource group can have one or more resources.

3. Azure Free accounts:

The Azure free account offers:

• Free access to popular Azure products for 12 months.
• A credit of $200 to use for the first 30 days.
• Access to more than 25 products that are always free.

The Azure free student account offers:

• Free access to certain Azure services for 12 months.
• A credit of $100 to use in the first 12 months.
• Free access to certain software developer tools.

4. The Microsoft Learn sandbox

The Microsoft Learn sandbox is a tool that creates a temporary subscription that's added to
your Azure account. This temporary subscription allows you to create Azure resources during
a Learn module. Learn automatically cleans up the temporary resources for you after you've
completed the module.

5. Azure physical infrastructure :
The physical infrastructure for Azure starts with datacenters. Conceptually, the datacenters
are the same as large corporate datacenters. They’re facilities with resources arranged in
racks, with dedicated power, cooling, and networking infrastructure.

As a global cloud provider, Azure has datacenters around the world. However, these individual
datacenters aren’t directly accessible. Datacenters are grouped into Azure Regions or Azure
Availability Zones that are designed to help you achieve resiliency and reliability for your
business-critical workloads.

➢ Regions:

A region is a geographical area on the planet that contains at least one, but potentially
multiple datacenters that are nearby and networked together with a low-latency network.
Azure intelligently assigns and controls the resources within each region to ensure workloads
are appropriately balanced.

➢ Availability Zones:

Availability zones are physically separate datacenters within an Azure region. Each availability
zone is made up of one or more datacenters equipped with independent power, cooling, and
networking. An availability zone is set up to be an isolation boundary. If one zone goes down,
the other continues working. Availability zones are connected through high-speed, private
fiber-optic networks.

[Image: a region and its availability zones in Azure]

➢ Region pairs:

Examples of region pairs in Azure are West US paired with East US and South-East Asia paired
with East Asia. Because the paired regions are directly connected and far enough apart to be
isolated from regional disasters, you can use them to provide reliable services and data
redundancy. [Image: a region pair]

➢ Sovereign Regions

Sovereign regions are instances of Azure that are isolated from the main instance of Azure.
You may need to use a sovereign region for compliance or legal purposes.

6. Azure management infrastructure:

➢ Resource Group and Resource:

When you create a resource, you’re required to place it into a resource group. While a
resource group can contain many resources, a single resource can only be in one resource
group at a time. Some resources may be moved between resource groups, but when you move
a resource to a new group, it will no longer be associated with the former group. Additionally,
resource groups can't be nested, meaning you can’t put resource group B inside of resource
group A.
When you apply an action to a resource group, that action applies to all the resources
within the resource group; for example, if you delete a resource group, all the resources in it
are deleted.

➢ Azure Subscriptions:

In Azure, subscriptions are a unit of management, billing, and scale. Similar to how
resource groups are a way to logically organize resources, subscriptions allow you to
logically organize your resource groups and facilitate billing. An Azure account can have
multiple subscriptions, but it’s only required to have one.

There are two types of subscription boundaries that you can use: a billing boundary to
manage and track costs and an access control boundary to manage and control access.

You might choose to create additional subscriptions to separate environments (dev and
testing, security, or to isolate data), organizational structures (to limit one team to lower
cost resources while allowing the IT department a full range), and billing (e.g. one for
production workloads and another for dev and test).

➢ Management Groups:

Azure management groups provide a level of scope above subscriptions. You organize
subscriptions into containers called management groups and apply governance
conditions to the management groups. All subscriptions within a management group
automatically inherit the conditions applied to the management group.
[Image: the management group hierarchy]

Important facts about management groups:

• 10,000 management groups can be supported in a single directory.
• A management group tree can support up to 6 levels of depth. This limit
doesn't include the root level or the subscription level.
• Each management group and subscription can support only one parent.
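The management group hierarchy modelled as code, added here as an example (it is neither the notes' own code nor the Azure SDK): it enforces the two structural limits listed above, one parent per node and at most six levels below the root, and shows a governance condition applied to a management group being inherited by every subscription beneath it. The tree names and the condition strings are constructed.

```python
"""In-memory model of the management group / subscription hierarchy above.

Added example, not Azure's API. Node names and conditions are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_MG_DEPTH = 6  # management-group levels below the root, per the notes


@dataclass
class Node:
    name: str
    kind: str                       # "root", "mg" or "subscription"
    parent: Optional[str] = None    # exactly one parent, except the root
    conditions: List[str] = field(default_factory=list)


class Hierarchy:
    def __init__(self, root_name: str = "Tenant Root Group") -> None:
        self.root = root_name
        self.nodes: Dict[str, Node] = {root_name: Node(root_name, "root")}

    def mg_depth(self, name: str) -> int:
        """Management-group levels between name and the root (root is 0)."""
        depth = 0
        node = self.nodes[name]
        while node.parent is not None:
            if node.kind == "mg":
                depth += 1
            node = self.nodes[node.parent]
        return depth

    def add(self, name: str, kind: str, parent: str) -> None:
        """Attach a management group or subscription under parent."""
        if kind not in ("mg", "subscription"):
            raise ValueError("kind must be 'mg' or 'subscription'")
        if name in self.nodes:
            # a node that is already placed cannot be given a second parent
            raise ValueError(f"{name!r} already exists; only one parent is allowed")
        if parent not in self.nodes:
            raise ValueError(f"unknown parent {parent!r}")
        if self.nodes[parent].kind == "subscription":
            raise ValueError("a subscription cannot contain other nodes")
        if kind == "mg" and self.mg_depth(parent) + 1 > MAX_MG_DEPTH:
            raise ValueError(f"{name!r} would exceed {MAX_MG_DEPTH} levels of depth")
        self.nodes[name] = Node(name, kind, parent)

    def apply_condition(self, name: str, condition: str) -> None:
        """Governance condition (policy, RBAC, ...) applied at this scope."""
        self.nodes[name].conditions.append(condition)

    def effective_conditions(self, name: str) -> List[str]:
        """Conditions in force at name: inherited from every ancestor, root first."""
        chain: List[Node] = []
        node: Optional[Node] = self.nodes[name]
        while node is not None:
            chain.append(node)
            node = self.nodes[node.parent] if node.parent else None
        effective: List[str] = []
        for ancestor in reversed(chain):
            effective.extend(ancestor.conditions)
        return effective


def build_sample() -> Hierarchy:
    """Constructed sample tree for illustration."""
    h = Hierarchy()
    h.add("Contoso", "mg", "Tenant Root Group")
    h.add("Platform", "mg", "Contoso")
    h.add("Landing Zones", "mg", "Contoso")
    h.add("Corp", "mg", "Landing Zones")
    h.add("sub-prod-erp", "subscription", "Corp")
    h.add("sub-dev-sandbox", "subscription", "Landing Zones")
    h.apply_condition("Contoso", "policy: allowed locations = westeurope, northeurope")
    h.apply_condition("Corp", "policy: deny public IP addresses on NICs")
    return h


if __name__ == "__main__":
    sample = build_sample()
    for sub in ("sub-prod-erp", "sub-dev-sandbox"):
        print(sub, "inherits:", sample.effective_conditions(sub))
```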

II. Describe Azure compute and networking services
1. Azure Virtual Machines
With Azure Virtual Machines (VMs), you can create and use VMs in the cloud. VMs provide
infrastructure as a service (IaaS) in the form of a virtualized server and can be used in many
ways. Just like a physical computer, you can customize all of the software running on your VM.
VMs are an ideal choice when you need:

• Total control over the operating system (OS).
• The ability to run custom software.
• To use custom hosting configurations.

You can even create or use an already created image to rapidly provision VMs.

➢ Scale VMs in Azure

You can run single VMs for testing, development, or minor tasks. Or you can group VMs
together to provide high availability, scalability, and redundancy. Azure can also manage the
grouping of VMs for you with features such as scale sets and availability sets.

Virtual machine scale sets:

Scale sets allow you to centrally manage, configure, and update a large number of VMs in
minutes. The number of VM instances can automatically increase or decrease in response to
demand, or you can set it to scale based on a defined schedule.

Virtual machine availability sets:

Availability sets are designed to ensure that VMs stagger updates and have varied power and
network connectivity, preventing you from losing all your VMs with a single network or power
failure.

Availability sets do this by grouping VMs in two ways: update domain and fault domain.

Update domain: This allows you to apply updates while knowing that only one update domain
grouping will be offline at a time. All of the machines in one update domain are updated
together. An update domain going through the update process is given 30 minutes to recover
before maintenance on the next update domain starts.

Fault domain: The fault domain groups your VMs by common power source and network
switch. By default, an availability set will split your VMs across up to three fault domains. This
helps protect against a physical power or networking failure by having VMs in different fault
domains (thus being connected to different power and networking resources).
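A placement model for update and fault domains, added here as an example (not from the notes): it reproduces the sequential assignment of VMs to domains and reports how many VMs a single fault-domain failure or a single update pass takes offline. The three fault domains come from the text above; the default of five update domains is Azure's documented default and is an assumption here, as are the VM counts used.

```python
"""Update-domain / fault-domain placement for an availability set.

Added example. Three fault domains come from the notes; five update domains
is assumed (Azure's default). The VM counts used are constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple

Placement = Tuple[int, int]  # (fault_domain, update_domain)


def place_vms(n_vms: int, fault_domains: int = 3,
              update_domains: int = 5) -> List[Placement]:
    """Assign VMs to domains in round-robin order, the sequential placement
    Azure applies as VMs are added to an availability set one after another."""
    if n_vms < 0 or fault_domains < 1 or update_domains < 1:
        raise ValueError("n_vms must be >= 0 and domain counts >= 1")
    return [(i % fault_domains, i % update_domains) for i in range(n_vms)]


def worst_case_offline(placements: List[Placement]) -> Dict[str, int]:
    """Most VMs lost at once to a single fault-domain failure, and most VMs
    rebooted at once during a single update-domain maintenance pass."""
    by_fault = Counter(fd for fd, _ in placements)
    by_update = Counter(ud for _, ud in placements)
    return {
        "fault_domain": max(by_fault.values(), default=0),
        "update_domain": max(by_update.values(), default=0),
    }


def survives_single_fault(n_vms: int, min_required: int,
                          fault_domains: int = 3) -> bool:
    """True if at least min_required VMs stay up after any one fault domain
    (shared power source / network switch) fails."""
    worst = worst_case_offline(place_vms(n_vms, fault_domains))["fault_domain"]
    return n_vms - worst >= min_required


if __name__ == "__main__":
    for n in (2, 3, 7):
        placements = place_vms(n)
        print(n, "VMs:", placements, "->", worst_case_offline(placements))
```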

➢ When to use VMs

• During testing and development.
• When running applications in the cloud.
• When extending your datacenter to the cloud.
• During disaster recovery.

➢ VM Resources
• Size (purpose, number of processor cores, and amount of RAM)
• Storage disks (hard disk drives, solid state drives, etc.)
• Networking (virtual network, public IP address, and port configuration)

2. Azure Virtual Desktop

Azure Virtual Desktop is a desktop and application virtualization service that runs on the
cloud. It enables you to use a cloud-hosted version of Windows from any location.

Azure Virtual Desktop lets you use Windows 10 or Windows 11 Enterprise multi-session, the
only Windows client-based operating system that enables multiple concurrent users on a
single VM.

➢ Enhance security

Azure Virtual Desktop provides centralized security management for users' desktops with
Azure Active Directory (Azure AD). You can enable multifactor authentication to secure user
sign-ins. You can also secure access to data by assigning granular role-based access controls
(RBACs) to users.

3. Azure Containers
VMs are still limited to a single operating system per virtual machine. If you want to run
multiple instances of an application on a single host machine, containers are an excellent choice.

Containers are a virtualization environment. Much like running multiple virtual machines on a
single physical host, you can run multiple containers on a single physical or virtual host.

➢ Compare virtual machines to containers

✓ VMs virtualize hardware, while containers virtualize the operating system.
✓ Containers are more efficient than VMs.
✓ A VM is an IaaS offering, while a container is a PaaS offering.
✓ VM: maximum control of the hosting environment; you configure it however
you want.
✓ Container: the ability to isolate and individually manage different aspects of the
hosting solution.

Azure supports Docker (a container engine).

You can use containers to create solutions by using a microservices architecture. For example,
you might split a website into a container hosting your front end, another hosting your back
end, and a third for storage.

4. Azure Functions
Azure Functions is an event-driven service. With Azure Functions, an event wakes the function,
alleviating the need to keep resources provisioned when there are no events.

➢ Benefits of Azure Functions

• No infrastructure management
• Scalability (scales automatically based on demand)
• Minimized time and cost (only pay for what you use)
• Quick

5. Application hosting options

➢ Azure App Service

App Service enables you to build and host web apps, background jobs, mobile back-ends, and
RESTful APIs in the programming language of your choice without managing infrastructure.

Azure App Service is an HTTP-based service and supports Windows and Linux. It enables
automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous
deployment model.

Types of app services

• Web apps
• API apps
• WebJobs
• Mobile apps

App Service handles most of the infrastructure decisions you deal with in hosting web-
accessible apps:

• Deployment and management are integrated into the platform.
• Endpoints can be secured.
• Sites can be scaled quickly to handle high traffic loads.
• The built-in load balancing and traffic manager provide high availability.

6. Azure Virtual Networking:

Azure virtual networks and virtual subnets enable Azure resources, such as VMs, web apps,
and databases, to communicate with each other, with users on the internet, and with your
on-premises client computers. You can think of an Azure network as an extension of your on-
premises network with resources that link other Azure resources.

Azure virtual networks provide the following key networking capabilities:

➢ Internet Communications:

Azure can enable incoming connections from the internet by assigning a public IP address
to an Azure resource or by putting the resource behind a public load balancer.

➢ Isolation and Segmentation:

Azure virtual networks allow you to create multiple isolated virtual networks. When you set
up a virtual network, you define a private IP address space by using either public or private
IP address ranges. The IP range only exists within the virtual network and isn't internet
routable. You can divide that IP address space into subnets and allocate part of the defined
address space to each named subnet.

➢ Communicate between Azure Resources:

To enable communication between Azure resources you can use two solutions: virtual networks
or service endpoints. This approach lets you link multiple Azure resources to virtual
networks to improve security and provide optimal routing between resources.

➢ Communicate with on-premises resources:

Azure virtual networks enable communication between internal company resources
and the cloud, and there are three mechanisms for you to achieve this connectivity:
• Point-to-site virtual private network connections are from a computer outside your
organization back into your corporate network. In this case, the client computer
initiates an encrypted VPN connection to connect to the Azure virtual network.
• Site-to-site virtual private networks link your on-premises VPN device or gateway to
the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear
as being on the local network. The connection is encrypted and works over the
internet.
• Azure ExpressRoute provides dedicated private connectivity to Azure that doesn't
travel over the internet. ExpressRoute is useful for environments where you need
greater bandwidth and even higher levels of security.
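Address-space planning as an added example (not the notes' code), serving both the isolation and segmentation section and the on-premises connectivity section above: it carves a constructed VNet address space into subnets, subtracts the five addresses Azure reserves in every subnet (documented Azure behaviour, not stated in the notes), and checks the result against constructed on-premises ranges, since an overlapping range is the usual reason a new site-to-site VPN or ExpressRoute link cannot reach the hosts it should.

```python
"""Address-space planning for Azure virtual networks and on-premises links.

Added example, not from the notes. Azure's reservation of five addresses per
subnet (the first four and the last) is documented behaviour; the VNet,
subnet plan and on-premises ranges below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
AZURE_RESERVED_PER_SUBNET = 5


def carve_subnets(vnet: str, plan: Dict[str, int]) -> Dict[str, Net]:
    """Allocate, in order, one subnet per entry of plan (name -> prefix length)
    inside vnet, aligning each block so that it is a valid network."""
    space = ipaddress.ip_network(vnet, strict=True)
    result: Dict[str, Net] = {}
    cursor = int(space.network_address)
    for name, prefix in plan.items():
        if not space.prefixlen <= prefix <= 32:
            raise ValueError(f"{name}: /{prefix} does not fit inside {space}")
        size = 2 ** (32 - prefix)
        if cursor % size:                       # align to the block size
            cursor += size - cursor % size
        if cursor + size - 1 > int(space.broadcast_address):
            raise ValueError(f"{name}: address space {space} is exhausted")
        result[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    return result


def usable_hosts(subnet: Net) -> int:
    """Addresses left for NICs once Azure's reserved addresses are removed."""
    return max(subnet.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def find_overlaps(subnets: Dict[str, Net],
                  on_prem: Dict[str, str]) -> List[Tuple[str, str]]:
    """(subnet, on-prem range) pairs whose ranges collide. Any hit would make
    routing ambiguous once a site-to-site VPN or ExpressRoute link is up."""
    hits: List[Tuple[str, str]] = []
    for s_name, s_net in subnets.items():
        for o_name, o_cidr in on_prem.items():
            if s_net.overlaps(ipaddress.ip_network(o_cidr, strict=False)):
                hits.append((s_name, o_name))
    return hits


def plan_report(vnet: str, plan: Dict[str, int],
                on_prem: Dict[str, str]) -> Dict[str, object]:
    """Subnet layout, usable host counts and on-premises overlaps in one report."""
    subnets = carve_subnets(vnet, plan)
    return {
        "subnets": {n: str(s) for n, s in subnets.items()},
        "usable": {n: usable_hosts(s) for n, s in subnets.items()},
        "overlaps": find_overlaps(subnets, on_prem),
    }


# Constructed sample: a hub VNet with a gateway subnet and three workload
# subnets, plus two constructed on-premises ranges the VPN would advertise.
SAMPLE_VNET = "10.20.0.0/16"
SAMPLE_PLAN = {"GatewaySubnet": 27, "web": 24, "app": 24, "data": 25}
SAMPLE_ON_PREM = {"hq-lan": "10.20.1.0/24", "branch": "192.168.50.0/24"}

if __name__ == "__main__":
    report = plan_report(SAMPLE_VNET, SAMPLE_PLAN, SAMPLE_ON_PREM)
    for name, cidr in report["subnets"].items():
        print(f"{name:14} {cidr:17} usable hosts: {report['usable'][name]}")
    print("overlaps with on-premises:", report["overlaps"] or "none")
```

In the constructed sample the "web" subnet collides with the on-premises "hq-lan" range, which is exactly the finding to fix before the site-to-site connection is brought up.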

➢ Route network traffic:

By default, Azure routes traffic between subnets on any connected virtual networks, on-
premises networks, and the internet. You also can control routing and override those
settings, as follows:
• Route tables allow you to define rules about how traffic should be directed. You can
create custom route tables that control how packets are routed between subnets.
• Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure Route Server,
or Azure ExpressRoute to propagate on-premises BGP routes to Azure virtual
networks.

➢ Filter network traffic:

Azure virtual networks enable you to filter traffic between subnets by using the following
approaches:
• Network security groups are Azure resources that can contain multiple inbound and
outbound security rules. You can define these rules to allow or block traffic, based on
factors such as source and destination IP address, port, and protocol.
• Network virtual appliances are specialized VMs that can be compared to a hardened
network appliance. A network virtual appliance carries out a particular network
function, such as running a firewall or performing wide area network (WAN)
optimization.
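A rule-evaluation model for network security groups, added here as an example (it is neither the notes' code nor the Azure API): rules are processed in ascending priority order and the first match decides, falling through to the default rules when no custom rule matches. It then runs the check a reviewer makes first on any NSG, whether SSH or RDP ends up reachable from the internet. The default rules are modelled with their documented priorities (the AzureLoadBalancer default rule is omitted); the sample rules and the TEST-NET addresses are constructed.

```python
"""Rule-evaluation model for network security groups (NSGs).

Added example, not the notes' code and not the Azure API. Inbound default
rules are modelled with their documented priorities; the AzureLoadBalancer
default rule is omitted. Sample rules and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

MGMT_PORTS = (22, 3389)  # SSH and RDP


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; custom rules 100-4096
    direction: str     # "Inbound" (outbound defaults are not modelled here)
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", or the service tags "VirtualNetwork"/"Internet"
    dest_ports: str    # "22", "1000-2000" or "*"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_port: int
    src_in_vnet: bool = False  # True when the source is inside the virtual network


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def _source_matches(spec: str, pkt: Packet) -> bool:
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return pkt.src_in_vnet
    if spec == "Internet":
        return not pkt.src_in_vnet
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(spec)


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """The rule that decides pkt: first match in ascending priority order,
    falling through to the default rules when no custom rule matches."""
    inbound = [r for r in rules if r.direction == "Inbound"] + DEFAULT_INBOUND
    for rule in sorted(inbound, key=lambda r: r.priority):
        if rule.protocol not in ("*", pkt.protocol):
            continue
        if not _port_matches(rule.dest_ports, pkt.dst_port):
            continue
        if not _source_matches(rule.source, pkt):
            continue
        return rule
    raise AssertionError("DenyAllInBound matches everything")  # unreachable


def exposed_mgmt_ports(rules: List[Rule], probe_ip: str = "198.51.100.7") -> List[int]:
    """Management ports an internet source could reach after full evaluation.
    probe_ip is a constructed TEST-NET-2 address standing in for 'the internet'."""
    return [p for p in MGMT_PORTS
            if evaluate(rules, Packet("Tcp", probe_ip, p)).access == "Allow"]


# Constructed sample NSG: the broad RDP allow at 200 is overridden for internet
# sources by the narrower deny at 110, because the lower number wins.
SAMPLE_RULES = [
    Rule("allow-https", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("deny-rdp-internet", 110, "Inbound", "Deny", "Tcp", "Internet", "3389"),
    Rule("allow-rdp-any", 200, "Inbound", "Allow", "Tcp", "*", "3389"),
    Rule("allow-ssh-corp", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
]

if __name__ == "__main__":
    for pkt in (Packet("Tcp", "198.51.100.7", 3389),
                Packet("Tcp", "10.0.1.5", 3389, src_in_vnet=True),
                Packet("Tcp", "203.0.113.9", 22),
                Packet("Tcp", "198.51.100.7", 22)):
        print(pkt.src_ip, pkt.dst_port, "->", evaluate(SAMPLE_RULES, pkt).name)
    print("mgmt ports exposed to internet:", exposed_mgmt_ports(SAMPLE_RULES))
```

Removing the deny at priority 110 from the sample makes the audit report RDP as exposed, which is why a broad allow should be narrowed rather than relying on a separate deny above it.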

➢ Connect virtual networks:

Linking virtual networks together is possible by using virtual network peering. Peering allows
two virtual networks to connect directly to each other. Network traffic between peered networks
is private, and travels on the Microsoft backbone network, never entering the public internet.
Peering enables resources in each virtual network to communicate with each other.

7. Azure Virtual Private Networks (VPN)

A virtual private network (VPN) uses an encrypted tunnel within another network. VPNs
are typically deployed to connect two or more trusted private networks to one
another over an untrusted network (typically the public internet).

➢ VPN gateways
A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are
deployed in a dedicated subnet of the virtual network and enable the following connectivity:

• Connect on-premises datacenters to virtual networks through a site-to-site
connection.
• Connect individual devices to virtual networks through a point-to-site connection.
• Connect virtual networks to other virtual networks through a network-to-network
connection.

! You can deploy only one VPN gateway in each virtual network. However, you can use one
gateway to connect to multiple locations, which includes other virtual networks or on-
premises datacenters.

VPN types:
• Policy-based VPN gateways (static IP addresses)
• Route-based VPN gateways (virtual tunnels)

Use a route-based VPN gateway if you need any of the following types of connectivity:

• Connections between virtual networks
• Point-to-site connections
• Multisite connections
• Coexistence with an Azure ExpressRoute gateway

➢ High-availability scenarios
• Active/standby: default configuration (90 s for unplanned disruptions).
• Active/active: a unique public IP address for each instance.
• ExpressRoute failover: you can provision a VPN gateway that uses the internet as
an alternative method of connectivity. In this way, you can ensure there's always
a connection to the virtual networks.
• Zone-redundant gateways: VPN gateways and ExpressRoute gateways can be
deployed in a zone-redundant configuration. This configuration brings resiliency,
scalability, and higher availability to virtual network gateways.

8. Azure ExpressRoute
Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over
a private connection.

➢ Features and benefits of ExpressRoute
• Connectivity to Microsoft cloud services
• Global connectivity
• Dynamic routing
• Built-in redundancy

➢ ExpressRoute connectivity models

• CloudExchange colocation
• Point-to-point Ethernet connection
• Any-to-any connection
• Directly from ExpressRoute sites

9. Azure DNS

➢ Benefits of Azure DNS

• Reliability and performance
• Security
• Ease of Use
• Customizable virtual networks
• Alias records

III. Describe Azure storage services

1. Azure storage accounts

➢ Rules

• Storage account names must be between 3 and 24 characters in length and may
contain numbers and lowercase letters only.
• Your storage account name must be unique within Azure. No two storage accounts
can have the same name. This supports the ability to have a unique, accessible
namespace in Azure.

2. Benefits of Azure Storage
• Durable and highly available.
• Secure
• Scalable
• Managed
• Accessible

3. Azure Storage services.

➢ Azure Blob Storage:

Azure Blob Storage is an object storage solution designed to store any type of data. It is
unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blob
Storage can manage thousands of simultaneous uploads, massive amounts of video data,
constantly growing log files, and can be reached from anywhere with an internet connection.

Objects in Blob storage can be accessed from anywhere in the world via HTTP or HTTPS. Users
or client applications can access blobs via URLs, the Azure Storage REST API, Azure PowerShell,
Azure CLI, or an Azure Storage client library. The storage client libraries are available for
multiple languages, including .NET, Java, [Link], Python, PHP, and Ruby.

➢ Azure Queue Storage:

Azure Queue Storage is a service for storing large numbers of messages. Once stored, you can
access the messages from anywhere in the world via authenticated calls using HTTP or HTTPS.
A queue can contain as many messages as your storage account has room for (potentially
millions). Each individual message can be up to 64 KB in size. Queues are commonly used to
create a backlog of work to process asynchronously.

➢ Azure Table Storage:

Azure Table Storage is a service for storing semi-structured data; it does not provide joins,
foreign keys, relationships or a strict schema. Azure Table Storage is designed for fast access
to data.

➢ Azure File Storage:

Azure Files offers fully managed file shares in the cloud that are accessible via the industry
standard Server Message Block (SMB) or Network File System (NFS) protocols. Azure Files file
shares can be mounted concurrently by cloud or on-premises deployments. SMB Azure file
shares are accessible from Windows, Linux, and macOS clients. NFS Azure Files shares are
accessible from Linux or macOS clients.

4. Azure Storage Services:

A storage account provides a unique namespace for your Azure Storage data that's accessible
from anywhere in the world over HTTP or HTTPS. Data in this account is secure, highly
available, durable, and massively scalable.

When you create your storage account, you’ll start by picking the storage account type. The
type of account determines the storage services and redundancy options and has an impact
on the use cases.

List of redundancy options:

➢ Locally Redundant Storage (LRS):

Locally redundant storage (LRS) replicates your data 3 times within a single datacenter in the
primary region. LRS provides at least 11 nines of durability.

➢ Geo-Redundant Storage (GRS):

GRS copies your data synchronously 3 times within a single physical location in the primary
region using LRS. It then copies your data asynchronously to a single physical location in the
secondary region (the region pair) using LRS. GRS provides at least 16 nines of durability.

➢ Zone-Redundant Storage (ZRS):

For availability zone-enabled regions, zone-redundant storage (ZRS) replicates your Azure
Storage data synchronously across three Azure availability zones in the primary region. ZRS
provides at least 12 nines of durability.

➢ Geo-Zone Redundant Storage (GZRS):

GZRS combines the high availability provided by redundancy across availability zones with
protection from regional outages provided by geo-replication. Data in a GZRS storage account
is copied across three Azure availability zones in the primary region (similar to ZRS) and is
also replicated to a secondary geographic region, using LRS, for protection from regional
disasters. GZRS provides at least 16 nines of durability.

! Important: "Read-access" means that users can read data from the redundant (secondary)
storage at any time.

5. Azure data migration options

Azure supports both real-time migration of infrastructure, applications, and data using Azure
Migrate as well as asynchronous migration of data using Azure Data Box.

➢ Azure Migrate

Azure Migrate is a service that helps you migrate from an on-premises environment to the
cloud. It provides the following integrated tools:

• Azure Migrate: Discovery and assessment.
• Azure Migrate: Server Migration.
• Data Migration Assistant.
• Azure Database Migration Service.
• Web app migration assistant.

➢ Azure Data Box

Azure Data Box is a physical migration service that helps transfer large amounts of data in a
quick, inexpensive, and reliable way. It is ideally suited to transfer data sizes larger than
40 TB in scenarios with no or limited network connectivity.

Here are the various scenarios where Data Box can be used to import data to Azure.

• Onetime migration
• Moving a media library from offline tapes into Azure to create an online media library.
• Migrating your VM farm, SQL server, and applications to Azure.
• Moving historical data to Azure for in-depth analysis and reporting using HDInsight.
• Initial bulk transfer
• Periodic uploads.

Here are the various scenarios where Data Box can be used to export data from Azure.

• Disaster recovery
• Security requirements
• Migrate back to on-premises or to another cloud service provider

6. Azure file movement options
Tools designed to help you move or interact with individual files or small file groups:

➢ AzCopy
AzCopy is a command-line utility that you can use to copy blobs or files to or from your storage
account.

➢ Azure Storage Explorer

Azure Storage Explorer is a standalone app that provides a graphical interface to manage files
and blobs in your Azure Storage Account.

➢ Azure File Sync

Azure File Sync is a tool that lets you centralize your file shares in Azure Files and keep the
flexibility, performance, and compatibility of a Windows file server.

IV. Describe Azure identity, access, and security


1. Azure Identity Access and Security:

➢ What is Azure AD:

Azure Active Directory (Azure AD) is a directory service that enables you to sign in and access
both Microsoft cloud applications and cloud applications that you develop.

➢ Who can use Azure AD:

• IT administrators: Administrators can use Azure AD to control access to applications
and resources based on their business requirements.
• App developers: Developers can use Azure AD to provide a standards-based approach
for adding functionality to applications that they build, such as adding SSO
functionality to an app or enabling an app to work with a user's existing credentials.
• Users: Users can manage their identities and take maintenance actions like self-service
password reset.
• Online service subscribers: Microsoft 365, Microsoft Office 365, Azure, and Microsoft
Dynamics CRM Online subscribers are already using Azure AD to authenticate into their
account.

➢ Benefits of using Azure AD:

• Authentication: This includes verifying identity to access applications and resources. It
also includes providing functionality such as self-service password reset, multifactor
authentication, a custom list of banned passwords, and smart lockout services.

• Single sign-on: Single sign-on (SSO) enables you to remember only one username and
one password to access multiple applications. A single identity is tied to a user, which
simplifies the security model. As users change roles or leave an organization, access
modifications are tied to that identity, which greatly reduces the effort needed to
change or disable accounts.
• Application management: You can manage your cloud and on-premises apps by using
Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal, and single
sign-on provide a better user experience.
• Device management: Along with accounts for individual people, Azure AD supports
the registration of devices. Registration enables devices to be managed through tools
like Microsoft Intune. It also allows for device-based Conditional Access policies to
restrict access attempts to only those coming from known devices, regardless of the
requesting user account.

➢ Connect On-premises AD with Azure AD:

To connect Azure AD with your on-premises AD, you use a tool named Azure AD Connect.
Azure AD Connect synchronizes user identities between on-premises Active Directory and
Azure AD. Because it synchronizes changes between both identity systems, you can use
features like SSO, multifactor authentication, and self-service password reset under both
systems.

➢ What is Azure AD Domain Services (Azure AD DS):

Azure Active Directory Domain Services (Azure AD DS) is a service that provides managed
domain services such as domain join, group policy, lightweight directory access protocol
(LDAP), and Kerberos/NTLM authentication. Just like Azure AD lets you use directory services
without having to maintain the infrastructure supporting it, with Azure AD DS, you get the
benefit of domain services without the need to deploy, manage, and patch domain controllers
(DCs) in the cloud.

• How does Azure AD DS work:

When you create an Azure AD DS managed domain, you define a unique namespace. This
namespace is the domain name. Two Windows Server domain controllers are then deployed
into your selected Azure region. This deployment of DCs is known as a replica set.

• Is information synchronized:

A managed domain is configured to perform a one-way synchronization from Azure AD to
Azure AD DS. You can create resources directly in the managed domain, but they aren't
synchronized back to Azure AD.

2. Azure Authentication Methods:


Authentication is the process of establishing the identity of a person, service, or device. It
requires the person, service, or device to provide some type of credential to prove who they
are. Azure supports multiple authentication methods, including standard passwords, single
sign-on (SSO), multifactor authentication (MFA), and passwordless.

The following diagram shows the security level compared to the convenience. Notice that
passwordless authentication is high security and high convenience, while passwords on their
own are low security but high convenience.

➢ What is Single Sign-on:

Single sign-on (SSO) enables a user to sign in one time and use that credential to access
multiple resources and applications from different providers. For SSO to work, the different
applications and providers must trust the initial authenticator.

➢ What is Multifactor Authentication:

Multifactor authentication is the process of prompting a user for an extra form (or factor) of
identification during the sign-in process. MFA helps protect against a password compromise
in situations where the password was compromised but the second factor wasn't.

Multifactor authentication provides additional security for your identities by requiring two
or more elements to fully authenticate. These elements fall into three categories:

• Something the user knows – this might be a challenge question.
• Something the user has – this might be a code that's sent to the user's mobile phone.
• Something the user is – this is typically some sort of biometric property, such as a
fingerprint or face scan.

➢ What is Passwordless Authentication:

Passwordless authentication methods are more convenient because the password is removed
and replaced with something you have, plus something you are, or something you know.

Passwordless authentication needs to be set up on a device before it can work. For example,
your computer is something you have. Once it’s been registered or enrolled, Azure now knows
that it’s associated with you. Now that the computer is known, once you provide something
you know or are (such as a PIN or fingerprint), you can be authenticated without using a
password.

Microsoft global Azure and Azure Government offer the following three passwordless
authentication options that integrate with Azure Active Directory (Azure AD):

• Windows Hello for Business (PKI, SSO)
• Microsoft Authenticator app (number matching on the phone)
• FIDO2 (Fast Identity Online) security keys (an external security key or a platform key
built into a device, e.g. USB or NFC)

3. Azure External Identities:
An external identity is a person, device, service, etc. that is outside your organization. Azure
AD External Identities refers to all the ways you can securely interact with users outside of
your organization.

The following capabilities make up External Identities:

• Business to business (B2B) collaboration: Collaborate with external users by letting them
use their preferred identity to sign in to your Microsoft applications or other enterprise
applications (SaaS apps, custom-developed apps, etc.).
• B2B direct connect: Establish a mutual, two-way trust with another Azure AD
organization for seamless collaboration. B2B direct connect currently supports Teams
shared channels, enabling external users to access your resources from within their home
instances of Teams. B2B direct connect users aren't represented in your directory, but
they're visible from within the Teams shared channel and can be monitored in Teams
admin center reports.
• Azure AD business to customer (B2C): Publish modern SaaS apps or custom-developed
apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C
for identity and access management.

4. Azure Conditional Access:

Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to
resources based on identity signals. These signals include who the user is, where the user is,
and what device the user is requesting access from.

Based on these signals, the decision might be to allow full access if the user is signing in from
their usual location. If the user is signing in from an unusual location or a location that's
marked as high risk, then access might be blocked entirely or possibly granted after the user
provides a second form of authentication.
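As an added illustration (not code from these notes or from Microsoft), the following Python model evaluates a sign-in the way the Conditional Access paragraph above and the earlier multifactor section describe: the three factor categories decide whether a second factor counts as MFA, and the signals (usual location, high-risk location, known device) decide between allowing, requiring a second factor, and blocking. The credential names, locations and device ids are constructed.

```python
"""Toy Conditional Access evaluator, added here as an illustration (not Azure's code).

It combines the identity signals described above (user, location, device)
with the factors the user presented, and returns allow / require a second
factor / block. Factor categories follow the three MFA categories.
All policy data and credential names are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    KNOW = "something the user knows"   # password, PIN, challenge question
    HAVE = "something the user has"     # phone code, authenticator app, FIDO2 key
    ARE = "something the user is"       # fingerprint, face scan


# Constructed table: which category each credential type belongs to.
FACTOR_CATEGORY = {
    "password": Category.KNOW,
    "pin": Category.KNOW,
    "sms_code": Category.HAVE,
    "authenticator_app": Category.HAVE,
    "fido2_key": Category.HAVE,
    "fingerprint": Category.ARE,
}


def is_multifactor(factors):
    """MFA needs two or more factors from *different* categories.
    A password plus a PIN are both 'something you know' and do not qualify."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require a second form of authentication"
    BLOCK = "block"


@dataclass
class SignIn:
    user: str
    location: str             # country code of the sign-in, e.g. "FR"
    device_id: str            # identifier of the device making the request
    factors: list = field(default_factory=list)


@dataclass
class Policy:
    """Stand-in for a Conditional Access policy (constructed)."""
    usual_locations: dict     # user -> set of locations they normally sign in from
    high_risk_locations: set  # locations that are always blocked
    known_devices: set        # devices registered in the directory


def evaluate(policy, attempt):
    # Signal: a location marked as high risk is blocked entirely.
    if attempt.location in policy.high_risk_locations:
        return Decision.BLOCK
    # Signal: device-based condition, independent of the user account.
    unknown_device = attempt.device_id not in policy.known_devices
    # Signal: is the user signing in from their usual location?
    usual = policy.usual_locations.get(attempt.user, set())
    unusual_location = attempt.location not in usual
    if unknown_device or unusual_location:
        # Access is granted only after a second factor from another category.
        return Decision.ALLOW if is_multifactor(attempt.factors) else Decision.REQUIRE_MFA
    # Usual location on a known device: full access with any valid credential.
    return Decision.ALLOW if attempt.factors else Decision.BLOCK
```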

5. Azure Role-Based Access Control (RBAC):

Azure Role-Based Access Control lets you create a role and assign users or resources to that
role, instead of defining the detailed access requirements for each individual and then
updating those requirements when new resources are created or new people join the team.

6. Resource Tags:
Resource tags are another way to organize resources. Tags provide extra information, or
metadata, about your resources. You can use Azure Policy to enforce tagging rules and
conventions. For example, you can require that certain tags be added to new resources as
they're provisioned. You can also define rules that reapply tags that have been removed.

7. Zero Trust Model:

Zero Trust is a security model that assumes the worst-case scenario and protects resources
with that expectation. Zero Trust assumes breach at the outset, and then verifies each request
as though it originated from an uncontrolled network.

Microsoft highly recommends the Zero Trust security model, which is based on these guiding
principles:

• Verify explicitly: Always authenticate and authorize based on all available data points.
• Use least privilege access: Limit user access with Just-In-Time and Just-Enough-Access
(JIT/JEA), risk-based adaptive policies, and data protection.
• Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption.
Use analytics to get visibility, drive threat detection, and improve defenses.

8. Defense-in-depth:
The objective of defense-in-depth is to protect information and prevent it from being stolen
by those who aren't authorized to access it. A defense-in-depth strategy uses a series of
mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to
data.

Here's a brief overview of the role of each layer:

• The physical security layer is the first line of defense to protect computing hardware
in the datacenter.
• The identity and access layer controls access to infrastructure and change control.
• The perimeter layer uses distributed denial of service (DDoS) protection to filter large-
scale attacks before they can cause a denial of service for users.
• The network layer limits communication between resources through segmentation
and access controls.
• The compute layer secures access to virtual machines.
• The application layer helps ensure that applications are secure and free of security
vulnerabilities.
• The data layer controls access to business and customer data that you need to protect.

Describe Azure management and governance

I. Describe cost management in Azure:
1. Factors that can affect costs in Azure:
Azure shifts development costs from the capital expense (CapEx) of building out and
maintaining infrastructure and facilities to an operational expense (OpEx) of renting
infrastructure as you need it, whether it’s compute, storage, networking, and so on.

That OpEx cost can be impacted by many factors. Some of the impacting factors are:

➢ Resource Type:

A number of factors influence the cost of Azure resources. The type of resource, the settings
for the resource, and the Azure region all have an impact on how much a resource costs.

➢ Consumption:

Pay-as-you-go has been a consistent theme throughout, and that’s the cloud payment model
where you pay for the resources that you use during a billing cycle. If you use more compute
this cycle, you pay more. If you use less in the current cycle, you pay less. It’s a straightforward
pricing mechanism that allows for maximum flexibility.

➢ Maintenance:

The flexibility of the cloud makes it possible to rapidly adjust resources based on demand.
Using resource groups can help keep all of your resources organized. In order to control costs,
it’s important to maintain your cloud environment. For example, every time you provision a
VM, additional resources such as storage and networking are also provisioned. If you
deprovision the VM, those additional resources may not deprovision at the same time, either
intentionally or unintentionally. By keeping an eye on your resources and making sure you’re
not keeping around resources that are no longer needed, you can help control cloud costs.

➢ Geography:

When you provision most resources in Azure, you need to define a region where the resource
deploys. Azure infrastructure is distributed globally, which enables you to deploy your services
centrally or closest to your customers, or something in between. With this global deployment
comes global pricing differences. The cost of power, labor, taxes, and fees vary depending
on the location.

➢ Network Traffic:

Billing zones are a factor in determining the cost of some Azure services.

Bandwidth refers to data moving in and out of Azure datacenters. Some inbound data
transfers (data going into Azure datacenters) are free. For outbound data transfers (data
leaving Azure datacenters), data transfer pricing is based on zones.

➢ Subscription Type:

Some Azure subscription types also include usage allowances, which affect costs.

For example, an Azure free trial subscription provides access to a number of Azure products
that are free for 12 months. It also includes credit to spend within your first 30 days of sign-
up. You'll get access to more than 25 products that are always free (based on resource and
region availability).

➢ Azure Marketplace:

Azure Marketplace lets you purchase Azure-based solutions and services from third-party
vendors. This could be a server with software preinstalled and configured, or managed
network firewall appliances, or connectors to third-party backup services. When you purchase
products through Azure Marketplace, you may pay for not only the Azure services that you’re
using, but also the services or expertise of the third-party vendor. Billing structures are set
by the vendor.

2. Compare the Pricing and Total Cost of Ownership (TCO) calculators:

➢ Pricing calculator:

The pricing calculator is designed to give you an estimated cost for provisioning resources in
Azure. You can get an estimate for individual resources, build out a solution, or use an example
scenario to see an estimate of the Azure spend. The pricing calculator’s focus is on the cost of
provisioned resources in Azure.

➢ TCO calculator:

The TCO calculator is designed to help you compare the cost of running an on-premises
infrastructure with the cost of an Azure cloud infrastructure. With the TCO calculator, you enter
your current infrastructure configuration, including servers, databases, storage, and outbound
network traffic. The TCO calculator then compares the anticipated costs for your current
environment with an Azure environment supporting the same infrastructure requirements.

➢ Define requirements:

Before you run the Pricing calculator, you need a sense of what Azure services you need.

In practice, you would define your requirements in greater detail. But here are some basic
facts and requirements to get you started:

• The application is used internally. It's not accessible to customers.
• This application doesn't require a massive amount of computing power.
• The virtual machines and the database run all the time (730 hours per month).
• The network processes about 1 TB of data per month.
• The database doesn't need to be configured for high-performance workloads and
requires no more than 32 GB of storage.

3. Azure cost management tool:

Cost Management provides the ability to quickly check Azure resource costs, create alerts
based on resource spend, and create budgets that can be used to automate management of
resources.

Cost analysis is a subset of Cost Management that provides a quick visual for your Azure costs.
Using cost analysis, you can quickly view the total cost in a variety of different ways, including
by billing cycle, region, resource, and so on.

➢ Cost alerts
Cost alerts provide a single location to quickly check on all of the different alert types that may
show up in the Cost Management service. The three types of alerts that may show up are:

• Budget alerts: notify you when spending, based on usage or cost, reaches or exceeds
the amount defined in the alert condition of the budget. Cost Management budgets
are created using the Azure portal or the Azure Consumption API. An alert email is sent
to the people in the alert recipients list of the budget.
• Credit alerts: notify you when your Azure credit monetary commitments are
consumed. An email is sent to the account owners.
• Department spending quota alerts: notify you when department spending reaches a
fixed threshold of the quota. An email is sent to the department owner.

➢ Budgets
A budget is where you set a spending limit for Azure. You can set budgets based on a
subscription, resource group, service type, or other criteria. When you set a budget, you will
also set a budget alert. When the budget hits the budget alert level, it will trigger a budget
alert that shows up in the cost alerts area. If configured, budget alerts will also send an email
notification that a budget alert threshold has been triggered.

4. The purpose of tags:

Resource tags are another way to organize resources. Tags provide extra information, or
metadata, about your resources. This metadata is useful for:

• Resource management: Tags enable you to locate and act on resources that are
associated with specific workloads, environments, business units, and owners.
• Cost management and optimization: Tags enable you to group resources so that you
can report on costs, allocate internal cost centers, track budgets, and forecast
estimated cost.
• Operations management: Tags enable you to group resources according to how critical
their availability is to your business. This grouping helps you formulate service-level
agreements (SLAs). An SLA is an uptime or performance guarantee between you and
your users.
• Security: Tags enable you to classify data by its security level, such as public or
confidential.
• Governance and regulatory compliance: Tags enable you to identify resources that
align with governance or regulatory compliance requirements, such as ISO 27001. Tags
can also be part of your standards enforcement efforts. For example, you might require
that all resources be tagged with an owner or department name.
• Workload optimization and automation: Tags can help you visualize all of the
resources that participate in complex deployments.

II. Describe Features and Tools for governance and compliance:

1. Resource Locks:
Resource locks prevent resources from being deleted or updated, depending on the type of
lock. Resource locks can be applied to individual resources, resource groups, or even an
entire subscription. Resource locks are inherited, meaning that if you place a resource lock on
a resource group, all of the resources within the resource group will also have the resource
lock applied.

There are two types of resource locks: one that prevents users from deleting a resource, and
one that prevents users from changing or deleting a resource (ReadOnly).

To modify a locked resource, you must first remove the lock.

2. Azure Policy:
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that
control or audit your resources. These policies enforce different rules across your resource
configurations so that those configurations stay compliant with corporate standards.

Azure Policies can be set at each level, enabling you to set policies on a specific resource,
resource group, subscription, and so on. Additionally, Azure Policies are inherited, so if you
set a policy at a high level, it will automatically be applied to all of the groupings that fall within
the parent.

Azure Policy initiatives: an initiative is a way of grouping related policies together.
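Added example, not Azure's own engine: a small Python evaluator for the tag-enforcement rules described under Resource Tags (require a tag on new resources, reapply a removed tag) and for the scope inheritance described here. The policy definitions use the real Azure Policy JSON shape, but only the conditions and effects they need are implemented; scopes, tag names and values are constructed.

```python
"""Mini Azure Policy evaluator, added here as an illustration (not Azure's engine).

The three definitions use the real Azure Policy JSON shape (if/then, field,
exists, equals, not, and the deny / audit / modify effects), but only that
subset is implemented. Scopes, tag names and values are constructed."""
import json

# Require an "owner" tag on every new resource: deny the request if it is missing.
REQUIRE_OWNER_TAG = json.loads("""{
  "displayName": "Require an owner tag",
  "policyRule": {
    "if": {"field": "tags['owner']", "exists": "false"},
    "then": {"effect": "deny"}}}""")

# Re-apply the "environment" tag when it has been removed: modify the resource.
REAPPLY_ENV_TAG = json.loads("""{
  "displayName": "Add environment tag",
  "policyRule": {
    "if": {"field": "tags['environment']", "exists": "false"},
    "then": {"effect": "modify", "details": {"operations": [
      {"operation": "addOrReplace", "field": "tags['environment']", "value": "dev"}]}}}}""")

# Audit (record, but do not block) resources deployed outside westeurope.
AUDIT_REGION = json.loads("""{
  "displayName": "Audit resources outside westeurope",
  "policyRule": {
    "if": {"not": {"field": "location", "equals": "westeurope"}},
    "then": {"effect": "audit"}}}""")

# Azure evaluates modify before deny, and deny before audit, so a modify can
# repair a resource before a deny policy sees it.
EFFECT_ORDER = {"modify": 0, "deny": 1, "audit": 2}


def _tag_name(field_alias):
    """'tags['owner']' -> 'owner'."""
    return field_alias[len("tags['"):-len("']")]


def _read_field(resource, field_alias):
    if field_alias.startswith("tags['"):
        return resource.get("tags", {}).get(_tag_name(field_alias))
    return resource.get(field_alias)


def _matches(cond, resource):
    if "not" in cond:
        return not _matches(cond["not"], resource)
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    value = _read_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    raise ValueError("unsupported condition: %r" % cond)


def in_scope(assignment_scope, resource_id):
    """Assignments are inherited: a policy assigned to a subscription or
    resource group applies to every resource below that scope."""
    return resource_id.lower().startswith(assignment_scope.lower().rstrip("/") + "/")


def evaluate(assignments, resource):
    """assignments: list of (scope, policy definition).
    Returns (allowed, findings, resource) where findings lists
    (displayName, effect) for every policy that matched."""
    resource = dict(resource, tags=dict(resource.get("tags", {})))  # work on a copy
    applicable = [p for scope, p in assignments if in_scope(scope, resource["id"])]
    applicable.sort(key=lambda p: EFFECT_ORDER[p["policyRule"]["then"]["effect"]])
    allowed, findings = True, []
    for policy in applicable:
        rule = policy["policyRule"]
        if not _matches(rule["if"], resource):
            continue
        effect = rule["then"]["effect"]
        findings.append((policy["displayName"], effect))
        if effect == "deny":
            allowed = False
        elif effect == "modify":
            for op in rule["then"]["details"]["operations"]:
                if op["operation"] == "addOrReplace":
                    resource["tags"][_tag_name(op["field"])] = op["value"]
    return allowed, findings, resource
```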

3. Azure Blueprints:
Azure Blueprints lets you standardize cloud subscription or environment deployments.
Instead of having to configure features like Azure Policy for each new subscription, with Azure
Blueprints you can define repeatable settings and policies that are applied as new
subscriptions are created. Need a new test/dev environment? Azure Blueprints lets you
deploy a new Test/Dev environment with security and compliance settings already
configured.

Each component in the blueprint definition is known as an artifact. It is possible for artifacts
to have no additional parameters (configurations).

Azure Blueprints deploy a new environment based on all of the requirements, settings, and
configurations of the associated artifacts. Artifacts can include things such as:

• Role assignments
• Policy assignments
• Azure Resource Manager templates
• Resource groups

4. Purpose of the Service Trust Portal:

The Microsoft Service Trust Portal is a portal that provides access to various content, tools,
and other resources about Microsoft security, privacy, and compliance practices.

III. Describe features and tools for managing and deploying Azure
resources
1. Tools for interacting with Azure:

➢ Azure Portal:

The Azure portal is a web-based, unified console that provides an alternative to command-
line tools. With the Azure portal, you can manage your Azure subscription by using a graphical
user interface. You can:

• Build, manage, and monitor everything from simple web apps to complex cloud
deployments.
• Create custom dashboards for an organized view of resources.
• Configure accessibility options for an optimal experience.

➢ Azure Cloud Shell:

Azure Cloud Shell is a browser-based shell tool that allows you to create, configure, and
manage Azure resources using a shell. Azure Cloud Shell supports both Azure PowerShell and
the Azure Command Line Interface (CLI), which runs in a Bash shell.

Azure Cloud Shell has several features that make it a unique offering to support you in
managing Azure. Some of those features are:

• It is a browser-based shell experience, with no local installation or configuration required.
• It is authenticated to your Azure credentials, so when you log in it inherently knows who
you are and what permissions you have.
• You choose the shell you’re most familiar with; Azure Cloud Shell supports both Azure
PowerShell and the Azure CLI (which uses Bash).

➢ Azure PowerShell:

Azure PowerShell is a shell with which developers, DevOps, and IT professionals can run
commands called command-lets (cmdlets). These commands call the Azure REST API to
perform management tasks in Azure.

➢ Azure CLI:

The Azure CLI is functionally equivalent to Azure PowerShell, with the primary difference
being the syntax of commands. While Azure PowerShell uses PowerShell commands, the
Azure CLI uses Bash commands. The Azure CLI provides the same benefits of handling discrete
tasks or orchestrating complex operations through code. It’s also installable on Windows,
Linux, and Mac platforms, as well as through Azure Cloud Shell.

2. Azure Arc:
In utilizing Azure Resource Manager (ARM), Arc lets you extend your Azure compliance and
monitoring to your hybrid and multi-cloud configurations. Azure Arc simplifies governance
and management by delivering a consistent multi-cloud and on-premises management
platform.

Azure Arc provides a centralized, unified way to:

• Manage your entire environment together by projecting your existing non-Azure
resources into ARM.
• Manage multi-cloud and hybrid virtual machines, Kubernetes clusters, and
databases as if they are running in Azure.
• Use familiar Azure services and management capabilities, regardless of where they
live.
• Continue using traditional ITOps while introducing DevOps practices to support
new cloud and native patterns in your environment.
• Configure custom locations as an abstraction layer on top of Azure Arc-enabled
Kubernetes clusters and cluster extensions.

Currently, Azure Arc allows you to manage the following resource types hosted outside of
Azure:

• Servers
• Kubernetes clusters
• Azure data services
• SQL Server
• Virtual machines (preview)

3. Azure Resource Manager (ARM) and Azure ARM templates

Azure Resource Manager (ARM) is the deployment and management service for Azure. It
provides a management layer that enables you to create, update, and delete resources in
your Azure account. Anytime you do anything with your Azure resources, ARM is involved.

When a user sends a request from any of the Azure tools, APIs, or SDKs, ARM receives the
request. ARM authenticates and authorizes the request. Then, ARM sends the request to the
Azure service, which takes the requested action. You see consistent results and capabilities in
all the different tools because all requests are handled through the same API.
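Added example (not Azure's implementation): a Python model of the request path just described, with the RBAC role assignments from the identity section and the resource locks from the governance section applied in the order ARM applies them, both inherited down the scope hierarchy. Principals, scopes, resource ids and the reduced role definitions are constructed.

```python
"""Model of the ARM request flow described above, added as an illustration
(not Azure's implementation): authenticate, authorize with RBAC, then honour
resource locks before acting. Role definitions are reduced to the actions
needed here; principals, scopes and resource ids are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch

# Simplified built-in roles: the management actions each role permits.
ROLES = {
    "Reader": ["*/read"],
    "Contributor": ["*"],
}


@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str        # subscription, resource group, or a single resource


@dataclass
class Lock:
    scope: str
    kind: str         # "CanNotDelete" or "ReadOnly", the two Azure lock levels


@dataclass
class Request:
    principal: str
    action: str       # e.g. "Microsoft.Compute/virtualMachines/delete"
    resource_id: str
    token_valid: bool = True   # stands in for Azure AD authentication


def covers(scope, resource_id):
    """Role assignments and locks are inherited down the scope hierarchy."""
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def authorize(assignments, req):
    """RBAC check: allowed if any assignment at or above the resource grants the action."""
    for ra in assignments:
        if ra.principal != req.principal or not covers(ra.scope, req.resource_id):
            continue
        if any(fnmatch(req.action, pattern) for pattern in ROLES[ra.role]):
            return True
    return False


def blocking_lock(locks, req):
    """Locks are checked after RBAC: even a Contributor cannot delete a resource
    under a CanNotDelete lock or change one under a ReadOnly lock."""
    is_delete = req.action.endswith("/delete")
    is_change = is_delete or req.action.endswith("/write")
    for lock in locks:
        if not covers(lock.scope, req.resource_id):
            continue
        if lock.kind == "ReadOnly" and is_change:
            return lock
        if lock.kind == "CanNotDelete" and is_delete:
            return lock
    return None


def handle(assignments, locks, req):
    """The order ARM applies: authenticate, authorize, then check locks."""
    if not req.token_valid:
        return "unauthenticated"
    if not authorize(assignments, req):
        return "unauthorized"
    lock = blocking_lock(locks, req)
    if lock is not None:
        return f"locked: {lock.kind} at {lock.scope}"
    return "ok"
```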

➢ ARM templates
ARM templates are another example of infrastructure as code, alongside Azure Cloud
Shell, Azure PowerShell, and the Azure CLI.

By using ARM templates, you can describe the resources you want to use in a declarative
JSON format. With an ARM template, the deployment code is verified before any code is
run. This ensures that the resources will be created and connected correctly.

IV. Describe monitoring tools in Azure
1. Azure Advisor:
Azure Advisor evaluates your Azure resources and makes recommendations to help improve
reliability, security, and performance, achieve operational excellence, and reduce costs.
Azure Advisor is designed to help you save time on cloud optimization. The recommendation
service includes suggested actions you can take right away, postpone, or dismiss.

! The recommendations are divided into five categories:

• Reliability: is used to ensure and improve the continuity of your business-critical
applications.
• Security: is used to detect threats and vulnerabilities that might lead to security breaches.
• Performance: is used to improve the speed of your applications.
• Operational Excellence: is used to help you achieve process and workflow efficiency,
resource manageability, and deployment best practices.
• Cost: is used to optimize and reduce your overall Azure spending.

2. Azure Service Health:

Azure Service Health helps you keep track of Azure resources, both your specifically
deployed resources and the overall status of Azure.

! Azure service health does this by combining three different Azure services:

• Azure Status: is a broad picture of the status of Azure globally. Azure status informs
you of service outages in Azure on the Azure Status page. The page is a global view
of the health of all Azure services across all Azure regions.
• Service Health: provides a narrower view of Azure services and regions. It focuses
on the Azure services and regions you're using. This is the best place to look for
service impacting communications about outages, planned maintenance activities,
and other health advisories because the authenticated Service Health experience
knows which services and resources you currently use.
• Resource Health: is a tailored view of your actual Azure resources. It provides
information about the health of your individual cloud resources, such as a specific
virtual machine instance. Using Azure Monitor, you can also configure alerts to
notify you of availability changes to your cloud resources.

3. Azure Monitor:
Azure Monitor is a platform for collecting data on your resources, analyzing that data,
visualizing the information, and even acting on the results. Azure Monitor can monitor
Azure resources, your on-premises resources, and even multi-cloud resources like virtual
machines hosted with a different cloud provider.

Azure Log Analytics: Azure Log Analytics is the tool in the Azure portal where you’ll write
and run log queries on the data gathered by Azure Monitor. Log Analytics is a robust tool
that supports both simple and complex queries, as well as data analysis.

Azure Monitor Alerts: Azure Monitor Alerts are an automated way to stay informed
when Azure Monitor detects a threshold being crossed. You set the alert conditions and the
notification actions, and then Azure Monitor Alerts notifies you when an alert is triggered.
Depending on your configuration, Azure Monitor Alerts can also attempt corrective
action.

Application Insights: Application Insights, an Azure Monitor feature, monitors your web
applications. It is capable of monitoring applications that are running in Azure, on-premises,
or in a different cloud environment.
