Microsoft Azure Administrator – Exam Guide AZ-103

By Sjoukje Zaal

About this book

Microsoft Azure Administrator – Exam Guide AZ-103 covers all the exam objectives that will help you earn the Microsoft Azure Administrator certification. Whether you want to clear the AZ-103 exam or want hands-on experience in administering Azure, this study guide will help you achieve your objective. It covers the latest features and capabilities around configuring, managing, and securing Azure resources.

Following Microsoft's AZ-103 exam syllabus, this guide is divided into five modules. The first module talks about how to manage Azure subscriptions and resources. You will be able to configure Azure subscription policies at Azure subscription level and learn how to use Azure policies for resource groups. Later, the book covers techniques related to implementing and managing storage in Azure. You will be able to create and configure backup policies and perform restore operations. The next module will guide you to create, configure, and deploy virtual machines for Windows and Linux. In the last two modules, you will learn about configuring and managing virtual networks and managing identities. The book concludes with effective mock tests along with answers so that you can confidently crack this exam.

By the end of this book, you will acquire the skills needed to pass Exam AZ-103.

Publication date:
May 2019
Publisher
Packt
Pages
452
ISBN
9781838829025

 

Chapter 1. Managing Azure Subscriptions and Resource Groups

This book will cover all the exam objectives for the AZ-103 exam. When relevant, we will provide you with extra information and further reading guidance about the different topics in this book.

The first chapter of this book will introduce the first objective, which is how to manage Azure subscriptions and resources. In this chapter, we are going to focus on assigning permissions for administrators so that they can manage your Azure subscriptions and resource groups. You will learn how to configure policies for your Azure subscriptions and resources in order to stay compliant with your organizational standards and SLAs. We are also going to set tagging on resource groups, and you'll learn how to configure cost center quotas and resource locks. To finish this chapter, we will cover how to move resources across different resource groups after creation, and how to completely remove resource groups from your Azure subscription.

In brief, the following topics will be covered in this chapter:

  • Azure subscriptions and resource groups
  • Assigning administrator permissions
  • Configuring Azure subscription policies
  • Implementing and setting tagging on resource groups
  • Configuring cost center quotas
  • Configuring resource locks
  • Moving resources across resource groups
  • Removing resource groups
 

Azure subscriptions and resource groups


Before we start with the objectives that are required for the exam, which involve how to manage Azure subscriptions and resource groups, we will cover some high-level information about Azure subscriptions and resource groups.

Azure subscriptions

Azure subscriptions are basically the billing accounts in Azure. Aside from billing, access to the Azure portal and the creation of the different Azure services in the portal are done through the use of Azure subscriptions. 

If you look at the Azure account hierarchy, you will see where Azure subscriptions actually fit in. In the following diagram, the account hierarchy is shown:

Account hierarchy in Azure

It is divided into Enterprise, Department, Accounts, and Subscriptions levels. In the following overview, you'll get an idea of what these different levels are for:

  • Enterprise: This is also called the Enterprise Agreement, and is only used by organizations. It can be accessed from a separate portal (https://ea.azure.com) and is used for the whole organization to create the different departments.
  • Departments: At the department level, sub-accounts for the different departments in your organization are created. You can also group your departments in a functional way, like an IT and finance department, or group them in a geographical way, like North America and Europe, for instance. You can add a department owner here, which will be the person in charge of owning the budget for the department, for instance.
  • Accounts: This is where the different departments can create multiple accounts within their department. They can also add additional owners to manage these accounts. When you create a personal account in Azure, this is the starting point for creating the subscriptions. The Microsoft account that you use to log in to the Azure portal is then added to this account as the owner.
  • Subscriptions: You can create multiple subscriptions in an account. This is the level where the actual billing takes place and where the different Azure resources are created. You can add additional subscription owners that can manage the subscriptions, create the different resources, and assign other users to the subscription. Subscriptions always have a trust relationship with an Azure Active Directory instance.

Inside the Azure subscription, you can create multiple resource groups. This will be covered in the next section.

Azure resource groups

Each resource that you create inside Azure must belong to a resource group. It is a logical container that groups multiple resources together. An example would be all the resources that share a similar life cycle, like all the different resources for a particular application; this can be a virtual machine, an Azure Database, a virtual network in Azure, and more, grouped inside the same resource group. They can then be managed and deleted as a single entity.

 

Note

If you don't have an Azure account yet and you want to get started, you can refer to the following site to create an Azure trial account: https://azure.microsoft.com/en-us/free/.

In the next section, we'll assign administrator permissions to a user.

 

Assigning administrator permissions


There are two ways to assign administrator permissions to your users. The first is done inside Azure Active Directory and is used to assign global administrator permissions. The second is done by using role-based access control (RBAC) and can be set from the subscription level.

In the following sections, we'll look at both possibilities.

Assigning global administrator permissions

With global administrator permissions, you can manage all subscriptions and management groups. A management group provides a level of scope above permissions and can be used to manage multiple subscriptions together.

When a user is assigned to the global administrator role, they are able to see all Azure subscriptions and management groups in an organization, allow an automation app to access all Azure subscriptions and management groups, regain access to an Azure subscription or management group when a user has lost access, and grant another user (or themselves) access to an Azure subscription or management group.

To assign administrator permissions to a user on the subscription level, take the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select Azure Active Directory to open the Azure AD blade.
  3. Then, under Manage, select Properties.
  4. In the Directory properties blade, enable Access management for Azure resources:

Selecting Properties

  5. Click on Save.

In the next section, we're going to assign owner permissions to a user on the subscription level.

Assigning owner permissions

The owner of a subscription has full access to all the resources inside the subscription and is able to delegate the access to others. To assign owner permissions to a user on the subscription level using RBAC, perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select All services and select Subscriptions (you can also add it to your favorites so that it's displayed in the left-hand menu):

Selecting the subscription

  3. Select your subscription, and in the Subscription overview blade, click Access control (IAM):

Access control settings

  4. To add a user with administrator permissions, click Add | Add role assignment to open the Add role assignment pane.
  5. In the Role drop-down list, select the Owner role.
  6. Then, in the Select list, select the user. If you don't see the user in the list, you can search for it in the textbox by name and email address:

Selecting the user

  7. Click on Save to add the user to the owner role.
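Because Owner can delegate access to others, it is worth reviewing who holds it at subscription scope or above. The following is an added example, not code from the book: it flags delegating roles at broad scopes in a constructed list shaped like the JSON output of `az role assignment list --all`. The field names follow that output as an assumption, all principals and IDs are made up, and User Access Administrator is included because that is the role granted at root scope when Access management for Azure resources is enabled.

```python
import re

# Constructed sample data: every principal and subscription ID is made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/PacktResourcegroup"},
    {"principalName": "dave@contoso.example", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "deploy-app", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUB},
]

MG_RE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
SUB_RE = re.compile(r"^/subscriptions/[^/]+$", re.I)
RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)

# Roles that can grant access to other principals.
DELEGATING_ROLES = {"owner", "user access administrator"}
# Scopes at which an assignment is inherited by a whole subscription or more.
BROAD_LEVELS = {"root", "management group", "subscription"}


def scope_level(scope):
    """Classify an Azure scope string by its position in the hierarchy."""
    s = scope.rstrip("/") or "/"
    if s == "/":
        return "root"
    if MG_RE.match(s):
        return "management group"
    if SUB_RE.match(s):
        return "subscription"
    if RG_RE.match(s):
        return "resource group"
    return "resource"


def broad_delegating_assignments(assignments):
    """Return (principal, role, level) for delegating roles at broad scopes."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        if role.lower() in DELEGATING_ROLES and level in BROAD_LEVELS:
            findings.append((a["principalName"], role, level))
    return sorted(findings)


if __name__ == "__main__":
    for principal, role, level in broad_delegating_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: {role} at {level} scope")
```
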

In this demonstration, we added administrator permissions to a user. In the next section, we're going to configure Azure subscription policies.

 

Configuring Azure subscription policies


With Azure Policy, you can create, assign, and manage policies. These policies can be used so that you stay compliant with your corporate standards and SLAs by enforcing different rules and effects over your Azure resources. Your resources are evaluated by the assigned policies for non-compliance. For instance, you can create a policy that only allows virtual machines from a certain SKU size in your environment. When this policy is assigned, all new and existing resources are evaluated for compliance with this policy.

To configure subscription policies, perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select Subscriptions (this is if you added it to your favorites; otherwise, take the steps that we described in the previous demonstration).
  3. In the Subscriptions overview blade, in the left-hand menu under Settings, select Policies:

Selecting subscription policies

  4. In the Policies overview blade, select Assign policy to create a new policy:

Creating a new policy

  5. On the next screen, we're going to create a definition for our policy. Add the following values to create the policy so that resources for this subscription can only be created in selected regions:
    • Scope: The subscription name.
    • Exclusions: Leave this blank; we are going to create a policy that applies to the entire subscription.
    • Policy definition: When you select this, you can choose from a number of available policies that you can apply to your subscription. Microsoft has created these JSON templates for you, based on the best practices from different enterprises. You can create your own templates here as well. Select a policy from the list (for instance, Allowed locations), and then click Select.
    • Assignment name: This is automatically filled in after selecting the policy.
    • Parameters: Here, you can select the allowed locations where users can deploy their resources. For instance, select Central US, East US, East US2, West US, and West US 2.
  6. After selecting the different regions, click the Assign button:

Assigning a new policy

After applying this policy, resources for this subscription can only be created in the selected regions. If you want to add additional regions or remove regions from this policy, you can edit this later.
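To show how such an assignment treats new and existing resources, the following added example (not code from the book) evaluates a rule modelled on the Allowed locations JSON template against constructed resources. The rule shape, the parameter name listOfAllowedLocations, the case-insensitive comparison, and the sample resources are assumptions made for illustration; the allowed regions are the five selected in the steps above.

```python
import re

# Rule modelled on the "Allowed locations" template (shape is an assumption).
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "location",
         "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}
# Region names for Central US, East US, East US2, West US and West US 2.
PARAMETERS = {"listOfAllowedLocations":
              ["centralus", "eastus", "eastus2", "westus", "westus2"]}

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, parameters):
    """Replace a [parameters('name')] reference with the assigned value."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return parameters[m.group(1)]
    return value


def condition_matches(cond, resource, parameters):
    """Evaluate one condition of the 'if' block against a resource."""
    if "allOf" in cond:
        return all(condition_matches(c, resource, parameters)
                   for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, parameters)
                   for c in cond["anyOf"])
    actual = str(resource[cond["field"]]).lower()
    if "notIn" in cond:
        allowed = [v.lower() for v in resolve(cond["notIn"], parameters)]
        return actual not in allowed
    if "notEquals" in cond:
        return actual != str(resolve(cond["notEquals"], parameters)).lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, is_new_request):
    """A deny effect blocks new requests and flags existing resources."""
    if not condition_matches(POLICY_RULE["if"], resource, PARAMETERS):
        return "compliant"
    return "denied" if is_new_request else "non-compliant"


# Constructed resources, not taken from a real subscription.
NEW_VM_EU = {"name": "vm-eu", "location": "westeurope"}
OLD_DISK_EU = {"name": "disk-eu", "location": "westeurope"}
NEW_VM_US = {"name": "vm-us", "location": "EastUS2"}
GLOBAL_ZONE = {"name": "dns-zone", "location": "global"}

if __name__ == "__main__":
    print(evaluate(NEW_VM_EU, True), evaluate(OLD_DISK_EU, False),
          evaluate(NEW_VM_US, True), evaluate(GLOBAL_ZONE, True))
```
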

Note

You can apply policies at the resource group level as well. This works exactly the same as adding policies at the subscription level. Once you have created a resource group, you can go to the overview blade and select Policies from the left-hand menu. In there, you can apply policies at the resource group level.

In the next section, we're going to implement a resource group and add a tag to it.

 

Implementing and setting tagging on resource groups


You can apply tags to all of your Azure resources. This way, you add extra metadata to the resource group, which can be used to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For instance, you can set the name to Environment and the value to Demo, or you can set the name to Maintenance Window and the value to Saturday 9 AM. After applying these tags, you can easily retrieve all the resources with the same tag name and value. This can be a useful feature for billing or management purposes.

For billing based on your tags, you can use the assigned tags to group the billing for certain resources; for example, if you run VMs and databases for different environments (test, pre-production, and production), you can use tags to categorize the costs. These tags will then show up in the different cost reporting views. For instance, they are visible in the cost analysis view immediately after they are created, and in the detail usage .csv after the first billing period.

You can create resource groups in Azure using the Azure portal, PowerShell, and the CLI. In this demonstration, we are going to create an Azure resource group in our subscription from the Azure portal. You can also set tagging on the resource group level, so we are going to do that, as well. Therefore, perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select Resource groups:

Azure portal overview page

  3. In the Resource groups blade, click on the Add button in the top menu:

Creating a new resource group

  4. Fill in the following values:
    • Subscription: Select the subscription to which you want to add the resource group.
    • Name: PacktResourcegroup.
    • Region: Keep the default (Central US, in my case). You can also select another region, if you prefer.
  5. Next, select Tags in the top menu:

Adding tags to the resource group

  6. Add the following values to create a tag for this resource group:
    • Name: Environment
    • Value: Demo
  7. Click on Review + Create, and then Create.
  8. Repeat these steps for some of the resources inside the subscription. In my case, I've added the same tag to the VM.

We have now created a new resource group and applied a tag to it. You can also manage your tags from the Tags blade of the resource group. In the next section, we're going to look at how to configure cost center quotas.

 

Configuring cost center quotas


Quotas in Azure are limits on the number of resources that you can create. For example, there is a limit of 2,000 availability sets that can be created inside an Azure subscription. However, you can contact Microsoft support if you wish to increase this quota. We need to perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select Subscriptions.
  3. Select the right subscription. In the Subscriptions overview blade, under Settings, select Usage + quotas. There, you can select a provider:

Usage and quotas overview

  4. Select Microsoft.Compute.
  5. You will see the number of availability sets available for this subscription. If you want to increase this, select the Request Increase button on the right-hand side of the screen:

Increasing quotas

  6. A new blade will open, where you can create a new support request for increasing the quota of an Azure resource.

In the next section, we're going to configure resource locks and resource policies.

 

Configuring resource locks


Administrators can set locks on your Azure resources to prevent other users from deleting the resource or making any changes to it. You can set two different lock levels on your subscriptions, resource groups, or resources: 

  • CanNotDelete: This level prevents authorized users from deleting the resource. They can still read and modify the resource.
  • ReadOnly: Within this level, authorized users can read a resource, but they cannot delete or update it. This level is similar to assigning all authorized users to the reader role using RBAC.

To apply a lock on your resource group, you have to perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select Resource groups. Select the resource group that we created in the previous demonstration.
  3. In the Resource Group overview blade, under Settings, select Locks:

Resource group overview

  4. On the next screen, click Add in the top menu to create a new lock for this resource.
  5. Add the following values:
    • Name: No-Deletion
    • Lock type: Delete:

Creating a lock

  6. Click on OK to create the lock.
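A lock set on a resource group is inherited by the resources inside it, and when several locks apply, the most restrictive one wins. The following added example (not code from the book) models that for the two lock levels described above; the portal's Delete lock type corresponds to CanNotDelete. The lock list, the Freeze-Storage lock, the resource IDs, and the function names are constructed for illustration.

```python
# Constructed sample data: the subscription ID and resources are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/PacktResourcegroup"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/packtlogs"
OTHER_VM = (SUB + "/resourceGroups/PacktResourceGroup1"
            "/providers/Microsoft.Compute/virtualMachines/vm2")

LOCKS = [
    # The lock created in the steps above, set on the resource group.
    {"name": "No-Deletion", "level": "CanNotDelete", "scope": RG},
    # A hypothetical second lock on a single resource.
    {"name": "Freeze-Storage", "level": "ReadOnly", "scope": STORAGE},
]

# Higher rank means more restrictive.
RANK = {"CanNotDelete": 1, "ReadOnly": 2}


def applies(lock_scope, resource_id):
    """A lock applies to its own scope and to everything beneath it.

    Matching on scope + "/" keeps PacktResourcegroup from also matching
    PacktResourceGroup1, which a bare prefix comparison would do.
    """
    s = lock_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def effective_lock(resource_id, locks):
    """Return the most restrictive lock level in force, or None."""
    levels = [l["level"] for l in locks if applies(l["scope"], resource_id)]
    return max(levels, key=RANK.__getitem__, default=None)


def is_allowed(operation, resource_id, locks):
    """Decide whether an authorized user's operation passes the locks."""
    level = effective_lock(resource_id, locks)
    if operation == "read":
        return True
    if operation == "update":
        return level != "ReadOnly"
    if operation == "delete":
        return level is None
    raise ValueError(f"unknown operation: {operation}")


if __name__ == "__main__":
    for rid in (RG, VM, STORAGE, OTHER_VM):
        print(rid.rsplit("/", 1)[-1], effective_lock(rid, LOCKS),
              {op: is_allowed(op, rid, LOCKS)
               for op in ("read", "update", "delete")})
```
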

We have created a lock for this resource group to prevent authorized users from deleting it. In the next section, we are going to look at how we can move resources across different resource groups.

 

Moving resources across resource groups


You can easily move your resources across different resource groups and subscriptions by using the Azure portal, PowerShell, the CLI, and the REST API. During the move operation, both the source group and the target group are locked. This blocks all write and delete operations on the resource group until the movement is complete. This means that you cannot update, add, or delete resources in the resource group, but the resources aren't frozen. There will be no downtime for these resources. However, the location of the resources will remain the same, even when the new resource group is created in a different location.

Note

There are limitations for moving resources across different resource groups and subscriptions. For instance, a VM with managed disks that is deployed inside an availability zone cannot be moved. For more information about these limitations, you can refer to the following article: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources.

In the following demonstration, we are going to move resources from a resource group to another resource group using the Azure portal. For this demonstration, I've added a VM to this resource group and created a new resource group called PacktResourceGroup1. To move this VM, perform the following steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select Resource groups. Select the PacktResourceGroup that we created in the previous demonstration. Select all the VM resources from the list, and in the top menu, select Move:

Moving resources

  3. You have two possibilities: Move to another resource group and Move to another subscription. Click on Move to another resource group, and in the next screen, select PacktResourceGroup1 as the resource group, and check the checkbox underneath:

Moving resources

  4. Click on OK to move the resources to the other resource group.

After moving the resources, you can open the overview blade of PacktResourceGroup1. You will see that all the resources have been moved. 

In the next (and final) section of this chapter, we are going to remove the resource group.

 

Removing resource groups


Resource groups can be removed using the Azure portal, PowerShell, the CLI, and the REST API. You can remove the resource group and all the resources inside of it at once.

In the following demonstration, we are going to remove PacktResourceGroup1, which we used for the previous demonstration:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select Resource groups. Select PacktResourceGroup1. In the top menu, select Delete resource group:

Deleting a resource group

  3. To confirm that you want to delete the resource group, you have to specify the name. Enter the name of the resource group and select Delete:

Confirm deletion

The resource group will now be deleted. 

 

Summary


In this chapter, we introduced the various aspects of Azure subscriptions and resource groups. We assigned administrator permissions and described how to create policies to stay compliant. We also covered cost center quotas and resource locks. At the end of this chapter, we moved and removed resource groups completely.

In the next chapter, we'll cover the second part of this exam objective by describing how to analyze resource utilization and consumption.

 

Questions


Answer the following questions to test your knowledge of the information in this chapter. You can find the answers in the Assessments section at the end of this book:

  1. Suppose that you have a VM using managed disks that is deployed inside an availability set, and you want to move resources to another resource group. Is this possible?
    • Yes
    • No
  2. Suppose that you want to create a resource group using PowerShell. Is this possible?
    • Yes
    • No
  3. Suppose that you want to delete a resource group using the CLI.  Is this possible?
    • Yes
    • No

 

 

 

Further reading


You can check out the following links for more information about the topics that were covered in this chapter:

About the Author

  • Sjoukje Zaal

    Sjoukje Zaal is a Microsoft Principal Architect and Microsoft Azure MVP with over 15 years' experience providing architecture, development, consultancy, and design expertise. She works at Ordina, a system integrator based in the Netherlands.

    She loves to share her knowledge and is active in the Microsoft community as a co-founder of the Dutch user groups SP&C NL and MixUG. She is also a board member of Azure Thursdays. Sjoukje is a public speaker and is involved in organizing events. She has written several books, writes blogs and is active on the Microsoft Tech Community. Sjoukje is also part of the Diversity and Inclusion Advisory Board.


Latest Reviews

(5 reviews total)
Document is great and helpful for the exam AZ-104
Azure is an emerging area for our team. This provides a great foundation
Excellent
