AZ-104 Study Notes
Describe
- Entra ID is MS multi tenat cloud identify service
- Some of the authentication protocols Entra ID uses are:
- OpenID
- WS-Fed
- SAML
- Oauth
Entra ID features
- SSO
- Ubiqitious device support
- Support Windows, IOS, Android and macOS
- Secure access to on-prem and cloud apps using:
- MFA
- conditional access
- group based access management
- cloud extensibiliy
- Connect your on-prem AD DS to AZure AD which allows you to manage users, groups and devices across environments
- Sensitive data protection
- Can monitor suspicious sign-in activities and potential vulnerabilities from a central location
- self-service support
- delegate tasks to employees such as password reset or app access
Entra ID Concepts
- Identity
- An object that can be
authenticated
- Can be applications, servers that require authentication by using a secret key or cert
- Account
- An account is an
identity with data associated. You must have an idenity to have an account
- Azure AD Account
- An Azure AD account is an identity that was created through a Microsoft service. The Azure AD account is also called a work or school account.
- Azure AD Tenant
- An Azure tenant is a single dedicated and trusted instance of Entra ID. A tenant (
directory) represents a single organisation. An Organisation can create more than one tenant
- Azure Subscription
- This is a biling construct. You can have multiple subscriptions linked to one Entra ID tenant
Compare Entra ID to AD DS
- Azure AD is designed for Internet based applications that use HTTP or HTTPS
- AD DS supports Kerberosand NTLM, where as, Entra ID supports HTTP bases authentication protocols such as OpenID, WS-Fed, SAML and Oauth
- Entra ID includes
federation Services for many third-party services
- Entra ID is flat structure and does not include OU’s or GPOs
Entra ID Editions
- Entra ID comes in 4 editions:
- Free
- M365 Apps
- Premium P1
- Premium P2
- Free comes with all sign ups
- Premium comes with an
Enterprie Agreement, Open Volume License Program, and the Cloud Solution Providers
Entra ID Free
- User & Group Management
- Protect Azure AD tenant admin accounts with MFA
- Mobile app as a second factor
- On-prem directory sync through Entra ID Connect
- Basic Reports
- SSO
Entra ID M365 Apps
- Included with M365
- Free + Identity and Access Management for M365 Apps
- Branding
- MFA
- Group Access Management
- Self Service Password reset for cloud users
Entra ID Premium P1
- Cost per user. cost is approx $9 per month per user
- Free + Access to on-prem and cloud resources
conditional access- Dynamic Groups
- Self Service group management
- Cloud write back capabilities
- Includes
Identity Manager
- on-prem identity and management suite
- The extra features in P1 allow self-service password reset for your on-premises users
- Trusted IPs
Entra ID Premium P2
- Free + P1
- cost is $12 per user per month
- Azure AD Identity Protection to help provide
risk-based Conditional Access
- PIM (protect admin accounts and JIT)
- Access Reviews
Entra ID Self Service Password Reset
- Global Admin account can always SSPR
- SSPR can be used for
Entra ID Free tier
- SSPR for accounts syncronised from or written back to on-premises requires P1 or P2
- When enabling SSPR there are three options:
- None
- Selected (select the security group that enables SSPR)
- All
- Select the amount of authenticaton methods and the type a person has to satisfy to reset their password
- Options include:
- Mobile app code
- Email
- Mobile Phone (SMS Only)
- Office Phone
- Security Question
- You can configure notifications to notify the user or admins when a SSPR has been performed
- SSPR Write back is the process of the password hash sync going back to on-prem
- SSPR password writeback is supported in the hybrid models of:
- Password Hash Sync
- Pass-through auth
- ADFS
- on-premises service account that handles password write-back requests cannot change the passwords for users that belong to protected groups
Manage Microsoft Entra users and groups
Types of users
There are multiple types of users in Entra ID:
- Internal member:
This is your normal user (full time employee)
- Internal Guest:
These users have an account in your tenant, but have guest-level privileges. It’s possible they were created within your tenant prior to the availability of B2B collaboration
- External member:
User authenticates using an external account, but has
member access to your tenant. Usually multitenant organisations
- External Guest:
This B2B collaboration user has an account in an external Microsoft Entra organization or an external identity provider (such as a social identity), and they have guest-level permissions in the resource organization
Skill 1.1 Manage Azure identities and governance
Deleted Users
- all users are soft deleted for 30 days
Assigning Licenses to User or Groups
- Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the Usage location for all members
- when associating a device with Entra ID you have three options:
- Register a device (best for BYOD)
- join a device (best for corporate)
- Hybrid-AD (joined to AD DS and replicated)
- device registration settings are in Devices > device settings
- Device settings:
- Users may join devices to azure AD
- by default all users are allowed to join their device to Entra ID. You can select
all, group or none
- Additional local admins on Azure AD joined devices
- with Entra ID premium or Enterprise mobility suite you can choose which users or groups have local admin to the device. By default the ‘global admin’ and
device owner has local admin right
- Users may register their devices with Entra ID
- allow user to register their devices with Entra ID (Workplace Join)
- if you use InTune or MDM this will be set to
all and will be greyed out
- Require MFA to join devices
- You must have the users approved to do this configured with MFA
- Max number of devices per user
- 5, 10, 20, 50, 100 and unlimited
- Manage Enterprise state roaming settings
- Users May Sync Settings And App Data Across Devices
- only applicable to windows 10
- Entra ID Join
- there are two types of AD Join:
- Non-Hybrid Join
- requires windows 10 pro and enterprise
- Hybrid
- requires windows 10 or server 2016
- windows 7, 2012, 2012R2 2008, 2008R2
- You can deligate users to reset their own passwords. This can we writte back to on-prem as long as you have the correct
license and Azure AD Connect is configured.
- Password Change - cloud only account
- All versions and all licenses
- Password reset - Cloud Only
- M365 Business Standard
- M365 Business Premium
- Azure AD Premim P1 & P2
- Password Change/Unlock/Reset - Hybrid
- M365 Business Premium
- Azure AD Premim P1 & P2
- Authentication Methods for SSPR
- Mobile App Notification
- Mobile App Code
- Email
- Mobile Phone
- office Phone
- Security Questions
- Notification can be configured
- On-prem Integrations
- You can cnfigure the write back configurations within this blade
- You have the option to
- write passwords back using Azure AD Connect cloud sync
- Enable password write back for syncd users
- allow users to unlock their accounts without password reset
Administrative Units
- determines what admin users can work with what parts of the organisation.
Skill 1.2 Manage RBAC
- RBAC allows you to manage the identies or
security principles that have access to azure resources and the actions they can perform
- In Azure RBAC can be applied to users, groups, service principals and managed identities that are applied at a scope
- within azure there is role inheritance
- In azure RBAC model is additive. This means the
most privileged takes precedence
RBAC Default Roles
- Owner
- Reader
- contributor
RBAC Scope
- There is a scope hierarchy
- to create and remove role assignmnts you need the
Microsoft.Authorisation/role assignments/* permissions
- This permission is included in the role
Owner and User access addmin
Custom Roles
- There are three ways to create a custom role:
- clone an existing role
- JSON file
- start from scratch
- When creating a role there are two types of actions:
- Actions - Actions are operations an action can perform
- Data Actions - actions the can be performed on the data of the resource
- you can also exclude actions and data actions by using the
not actions and not data actions
#
Skill 1.3 Manage Subscriptions and Governance
- Subscriptions serve as a
azure policy boundary
- Subscriptions serve as a
scale unit . Workloads can scale within the limits of a subscription
- It is recommended to created
dedicated management and Identity subscriptions for things like azure monitor logs, automation run books, AD DS servers
- A subscription is a billing boundry
- Subscriptions are linked to
a single tenant which acts as an Idp. You can change this tenant linked to a subscription
- You can’t share Virtual networks across subscriptions but you can peer them or ExpressRoute
- Establish a dedicated connectivity subscription in your Platform management group to host a Virtual WAN hub, private DNS, ExpressRoute circuit, and other networking resources
Subscription Types
The types of subscriptions are:
- Free Trial
- Pay as you Go
- Pay as you go Dev/Test
- Enterprise Agreement
- Enterprise Dev/Test
- Microsoft Customer Agreement
Azure Policy
- Azure Policy is a service that is used to:
- create, assign and manage policies that enforce governance
- to implement policy you need to:
- authour a definition
- assign it to a scope
- a policy definition describes your desired behavour at resource creation and update
- through a policy definition you declare what resources and resource features are considered compliant and what should happen when something isn’t compliant
- to apply multiple policies you would create an
initative and assign multiple policies to it
- you can scope policy definitions and initiatives to:
- Management Groups
- Subscriptions
- Resource Groups
- Individual resources
- You can
exclude from scopes. You can exclude:
- subscriptions
- resource groups
- resources
Policy Evaluation Outcomes
- Resources are evaluated at specific times during the resource lifecycle:
- A resource is created or updated in a scope with a policy assignment
- a policy or iniative is assigned to a scope
- A policy or inititive assigned to a scope is updated
- During a
policy evaluation cycle that happens every 24 hours
### Policy response to an evaluation
- There a number of reponses that can happen to a resource when it’s non-compliant
Responses are made possible through effects in the poilcy rule:
- Deny the resource change
- log the change to the resource
- Alter the resource before the change
- Alter the resource after the change
- Deploy related compiant resources
- Block actions on resources
### Policy Definition JSON Elements
The different elements of the JSON file are:
- display name
- description
- mode
- metadata
- parameters
- policyRule
- logical evaluations
- effects
mode defines what resources are evaluated for a policy definition:
Policy Rule and Effects
The Policy rule consists of an if and then statement
</br>The if statement is a condiiton and if it evaluates to true the effect get triggered
policy logical operators:
- not
- allof - similar to
logical and
- anyof - similare to
logical or
policy conditions:
- “equals”: “stringValue”
- “notEquals”: “stringValue”
- “like”: “stringValue”
- “notLike”: “stringValue”
- “match”: “stringValue”
- “matchInsensitively”: “stringValue”
- “notMatch”: “stringValue”
- “notMatchInsensitively”: “stringValue”
- “contains”: “stringValue”
- “notContains”: “stringValue”
- “in”: [“stringValue1”,”stringValue2”]
- “notIn”: [“stringValue1”,”stringValue2”]
- “containsKey”: “keyName”
- “notContainsKey”: “keyName”
-
| “less”: “dateValue” |
“less”: “stringValue” |
“less”: intValue |
-
| “lessOrEquals”: “dateValue” |
“lessOrEquals”: “stringValue” |
“lessOrEquals”: intValue |
-
| “greater”: “dateValue” |
“greater”: “stringValue” |
“greater”: intValue |
-
| “greaterOrEquals”: “dateValue” |
“greaterOrEquals”: “stringValue” |
“greaterOrEquals”: intValue |
- “exists”: “bool”
Policy Effects
- policy effects determine what happens when the condition matches
The following are the supported policy effects:
- addToNetworkGroup
- append
- audit
- auditIfNotExists
- deny
- denyAction
- deployIfNotExists
- disabled
- manual
- modify
- mutate
Policy effects execution order:
- disabled
- modify | append </br>
The append effect can:
- append values to an array in an arm template.
- append is only good for arrays in an ARM templates. Will not work with other types.
- Cannot do remediation </br>
The modify effect can:
- append to arrays
- Can inject information into the ARM template during deployment
- Can perform remediation using a managed ID
- conflictEffect is used to deal with the scenario if two policies are trying to change the same resource. You can use audit and deny
- deny
- audit (no action and repots to compliance dashboard)
- auditIfNotExists | deployIfNotExists (understands relationship of parent and child resources)</br>
auditIfNotExist can define a parent and child relationship. Like VM and extension.
{
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
Simple If statement checking if the type is virtual machine
"then":{
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
Focusing the details on the extensions of that VM
"existenceCondition": {
"allof":[{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "Microsoft.Azure.Security"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "IaaSAntimalware"
}
Existance condition to check of the VM has an extension with publisher Azure Secuity AND the type IaaSAntimalware
]
}
}
}
}
If the condition is false (as in it doesn't have IaaSAntimalware installed it will raise an alert to the compliance dashboard)
- (preview) denyAction
layering Policy Definitions
- If you have a policy definition at the subscription level and one at the resource group level they are
cumulative most restrictive
- If you create a resource within the resource group for deny of westus and eastus then you won’t be able to create a resource in either of those regions
- you can use exclusions to work around this issue
Resource Locks
- There are two types of resource locks:
- You can set a resource lock at scope levels:
- Subscription
- Resource Group
- Resource
- Not all resources support tags
- You can use tag to provide metadata to help billing accounting
- resources, resource groups and tags are limited to 50 tags
- tag names can’t exceed 512 characters and storage account it is 128
- tag value can’t exceed 128 characters
- tags are not inherited by child resources
- tags cannot contain special characters
- to apply tags you must have write access (contributor and up)
- You can apply tags through ARM templates, powershell or CLI
# Create Tags
# Powershell
tags = @{Environment="dev"; Application="sap"}
$resource = get-azresource -name testserver -resourceGroup testRG
new-aztag -resourceId $resource.Id -tag $tags
# azure CLI
az tag create
- You can also update tags: There are two actions:
- merge - updates existing tags and creates new ones if missing
- replace - replaces all tags with the new ones
- delete - deletes the specified tags from the listed resources
- to do this you use the -operation switch
# Update Tags
tags = @{Environment="dev"; Application="sap"}
$resource = get-azresource -name testserver -resourceGroup testRG
update-aztag -resourceId $resource.Id -tag $tags -operation replace
Resource Groups
- You cannot nest resource groups
- resource for different regions can me in the same resource group
- resources can only be in
one resource group
- a resource group can only be in one region
- resource groups can be used to as a scoping target for policy and IAM
Moving Resources between RGs and Subscriptions
- Only certain resources can be moved between resource groups and subscriptions
- to move a resource between subscriptions they have to be using the same
azure ad tenant
* check as i think that has changed
- when moving resource between sbscriptions you need to validate:
- the resource provider is available in the destination subscription
- the target subscription is not restricted by the quota limits
- You cannot move more that 800 resources
- If there are any dependant resources all the reources must be in the
same RG and moved all together
Managing Subscriptions
- Thera are several types of subscriptions:
- Free
- Pay as you go
- VS/MSDN Subscriptions
- MS Reseller
- CSP
- MS Open Licensing
- EA
- some subscrptions have limitations such as:
- VS - you have limited regions and no CC associated
- within Azure there are four foundational roles:
- Owner
- Contributor
- Reader
- User Access Administrator
Management Groups
- Management groups allow subscriptions to be organised multi-hierarchial. The benefits are:
- Reduce Overhead - You can apply governance at the management group level instead of the subscriptio level, reducing overhead
- Enforcement - Apply governance at the mgmt group level which the subscription admins can’t change
- Reporting
- Max levels is 6
Cost management
- You can create budgets within cost management
- budgets are a monitoring mechanism with set budge thresholds and triggers
- User must have subscription
Read to see cost data or Contributor or higher to see budgets
- There are also dedicated roles that give users access to cost management
data called:
- Cost management reader
- cost managemnt contributor
- there are three portal used for subscriptions and cost management:
- https://ea.azure.com - Used for EA agreements and managing spend across multiple subscriptions
- https://account.azure.com - Used for all subscribtions and accessible by account owners
This is decomissioned and is now in portal.azure.com
- https://portal.azure.com - Used for all subscriptions and includes
Azure Cost Management
Implement and manage storage (15–20%)
- you can limit requests to storage accounts and data through mu;tiple layers such as:
- IP whitelist
- IP Range
- vNet
- Resource Instance (using managed service account)
- private endpoint
Storage account firewall
- The storage account firewall is a way to control the
public endpoint
- When you are using a private endpoint you still have to use the storage account firewall to block the public endpoint
- The storage account firewall is only applicable to the data plane not the control plane
- you can use Network policies and restrict communication to a private endpoint storage account
- Classic storage accounts don’t support firewalls and virtual networks
Description of Authorisation Options
Shared Key Authorisation
- applies to blob, files, queues and tables
- Shared key is passed with every request
- Signed using the storage account key
Shared Access Signatures
- applies to blob, files, queues and tables
- A service SAS or account SAS is signed with the storage account key
- user delegated SAS is signed with MS Entra credentials and applies to blob only
MS Entra Intergation
- Applies to blob, queue, and table resources. Microsoft recommends using Microsoft Entra credentials with managed identities
- You can use Azure role-based access control (Azure RBAC) to manage a security principal’s permissions to blob, queue, and table resources
- You can also use Azure attribute-based access control (ABAC) to add conditions to Azure role assignments for blob resources to further restrict access
Microsoft Entra Domain Services authentication
- Azure Files supports identity-based authorization over Server Message Block (SMB) through Microsoft Entra Domain Services
On-premises Active Directory Domain Services (AD DS, or on-premises AD DS) authentication:
- Azure Files supports identity-based authorization over SMB through AD DS
- SMB access to Files is supported using AD DS credentials from domain joined machines, either on-premises or in Azure
Authorisation Options for Data Operations
Authorization ensures that the client application has the appropriate permissions to access a particular resource in your storage account. The authorisation options are:
Blob
- Microsoft Entra ID with
managed identities
- Shared Key (storage account Key). MS recommend you disallow shared key authorisation
- Shared Access Signature (SAS) MS recommend using user delegaton SAS
- Anonymous Read Microsoft recommends that you disable anonymous access for all of your storage accounts
- Storage local users (SFTP Only)
Files (SMB)
- Microsoft Entra ID
- Supported with Microsoft Entra Domain Services for Cloud Only
- Hybrid uses Microsoft Entra Kerberos for hybrid Identities
- Shared Key (storage account Key). MS recommend you disallow shared key authorisation
- On-premises Active Directory Domain Services
- Supported, and credentials must be synced to Microsoft Entra ID
Queues
- Microsoft Entra ID with
managed identities
- Shared Key (storage account Key). MS recommend you disallow shared key authorisation
- Shared Access Signature (SAS) MS recommend using user delegaton SAS
Tables
- Microsoft Entra ID with
managed identities
- Shared Key (storage account Key). MS recommend you disallow shared key authorisation
- Shared Access Signature (SAS) MS recommend using user delegaton SAS
Create and use shared access signature (SAS) tokens
Shared Access keys
- Shared access Keys are two 512 bit keys generated at storage account creation
- You can set a Shared Access Key expiration policy that will remind you to rotate the keys
- you can create a connection string using your Shared Access key in the format DefaultEndpointsProtocol=https;AccountName=stotageAccountName;AccountKey=
Shared Access Signature
- A SAS token is a way to granularly control how a client can access data in an azure storage account
Types of shared access signatures
Account SAS
- Account SAS (define this as the Shared Access Signature Option)
- delegate access
service level operations that aren’t available to sevice based SAS
- delegate to more than one service at a timesuch as: blob, tablem queue and file
- delegate access to
write and delete operations for containers, queues, tables and file shares
- SAS Account Policies are not supported with Account SAS
- you can specify IP whitelists
- specify HTTP protocol HTTP/HTTPS
- The account sas URI consists of:
- URI to the resource
- SAS Token
- SAS Token consists of:
- api-version
- SignedVersion (sv) - Specifies the signed storage version
- SignedServices (ss) - Specifies the signed services that are accessible
- Blob (b)
- Table (t)
- Queue (q)
- File (f)
- SignedResourceTypes (str) - Specifies the signed resource types that are accessible
- Service (s): Access to
service level APIs
- Container (c): Access to container level APIs such as create/delete container, Table, Queue, list Blobs
- Object (o): Access to object-level APIs such as blobs, queue messages, table entries, files
- SignedPermissions (sp) - specifies the signed permissions
- Read (r): Read permissions for all resource types (service, container, objects)
- Write (w): Permits write access for specified resource types. Allows a user to create and update
- Delete (d): Permits delete for container and Object not queue
- List (l): Valid for
Service and Container resources only
- Add (a): Valid for the following Object resource types only: queue messages, table entities, and append blobs
- Create (c): Valid for Container resource types and the following Object resource types: blobs and files
- Update (u): Valid for the following Object resource types only: queue messages and table entities
- Process (p): Valid for the following Object resource type only: queue messages
- Tag (t): Valid for the following Object resource type only: blobs. Permits blob tag operations
- Filter (f): Valid for the following Object resource type only: blob. Permits filtering by blob tag
- Set Immutability Policy (i): Valid for the following Object resource type only: blob. Permits set/delete immutability policy and legal hold on a blob
- SignedStart (st) - Time SAS Token is valid from
- SignedExpiry (se) - Time tocken become invalid
- SignedIP (sip) - IP range the token can come from
- SignedProtocol (spr) - details if communication can be http, https or http/https
- Signed EncryptionScope (ses) - EncryptionScope
- Signature (sig) - Signature
Service SAS
- linked to only one of the services such as Blob storage, Queue storage, Table storage, or Azure Files
- A stored access policy can be used to store constraints for service level SAS tokens for blob container, table, queue, or file share
- This uses the Storage Account Key to sign
User Delegation SAS
- Authorising Access to Blobs using Entra ID
- Using Azure AD is only supported on
blob storage
- It is signed by the User Delegation Key
- If an application is running from an azure resource you can use a managed identity
- To use Azure AD to authorise the access to blob storage the service needs to return an oData token
- There are two client libraries to acquire a token:
- Azure Identity Client Library
- MS Authentication Library (MSAL)
- You can assign Azure RBAC permissions at two levels;
- Storage Account level
- Container
- Queue
- The RBAC roles you can use to access the data component are:
- Storage Blob Data Owner
- Storage Blob Data Contributor
- Storage Blob Data Reader
- Storage Queue Data Contributor
- Storage Queue Data Reader
- Storage Queue Data Message Processor
-
Storage Queue Data Message Sender
- A storage access policy is only applicable to service SAS as the account and user delegated are adhoc
- It is used to place further constraints on SAS keys like: start time, end time and permissions
- You can specify:
- Identifier
- Permissions (list, Read, Add, Create, Write, Delete)
- Start and End Time
- You can have a max of
5 access policies
- You refernce the access policy when creating a SAS token using cli or storage explorer
-
To revoke the sas keys linked to the Storaged Access Policy you would delete the policy
Manage Access Keys
- The storage account access keys allow full access to your storage account
- It is recommended to rotate them
- It is recommended to create an azure key exporation policy to monitor when keys are required to be rotated
-
rolling a storage account access key will invalidate any sas tokens that were generated using that key
- Azure Files support Identity based authentication over SMB through the following methods:
- On-prem AD DS (you need to sync users to Entra ID)
- Entra Domain Services (cloud based)
- Microsoft Entra Kerberos for hybrid Identies. Using Microsoft Entra ID for authenticating hybrid user identities allows Microsoft Entra users to access Azure file shares using Kerberos authentication.
This means your end users can access Azure file shares over the internet without requiring network connectivity to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined VM
-
AD Kerberos authentication for Linux clients: Linux clients can use Kerberos authentication over SMB for Azure Files using on-premises AD DS or Microsoft Entra Domain Services
- Standard file shares support LRS, ZRS, GRS and GZRS
- Premium shares support LRS and ZRS
Configuring Access to Files
- Azure files allows two types of identity based authentication to access shares:
- On-Prem AD DS
- Azure AD DS
- Azure AD Kerberos for hybrid user identities
- Azure files uses
kerberos tokens to authenticate users
On-prem AD DS authentication and authirisation to Azure Files
- You need to sync identites from on-prem to Azure AD with AD connect
- To register the Azure Storage account with your on-prem AD DS. There are two ways to do this:
- Run the AzFilesHybrid powershell module
- Manually
Share level Permissions
- Share-level permissions on Azure file shares are configured for Azure Active Directory (Azure AD) users, groups, or service principals
- directory and file-level permissions are enforced using Windows access control lists (ACLs)
- There are a number of Azure AD Built in roles:
- Storage File Data SMB Share Reader - RO over SMB Shares
- Storage File Data SMB Share Contributor - RO/RW and delete over Azure Storage File Shares over SMB
- Storage File Data SMB Share Elevated Contributor - RO/RW/Delete and modify NTFS over Azure Storage File Shares over SMB
- T apply superuser ACLs on the directories and files you need to mount a drive using your
storage accounts key from a domain joined machine
net use <drive letter>:\\storage-account.file.core.windows.net\fileshare /user:azure\<storage account name> <storage account key>
-
You can use file explorer or icacls to grant permissions to all directories and fies under the file share
- Standard
- Supports all storage services:
- blob
- table
- file
- queues
- Unmanaged storage disk
- Three possible values for the Standard Tier:
- General Purpose V1 (legacy)
- General Purpose V2
- Blob Storage (legacy)
- Premium
- Backed by SSD
- Only supports General purpose accounts
- page blobs, Block Blobs and Append Blobs supported
- Azure Files
- Only supports
LRS & ZRS replication
- There are 4 values for premier Tier:
- General Purpose V1
- General Purpose V2
- BlockBlobStorage
- FileStorage
- Only General Purpose V2 support Hot, Cool and Archive Access Tiers
- General Purpose V1 can be upgraded to V2 but not back
||General Purpose V2 (HDD)| General Purpose V1 (legacy)| Blob Storage (legacy)| Block Blob Storage (Premium)|File Storage (Premium)|Page Blob (Premium)
—-|——–|—|–|–|–|–|
Services Supported| Blob, File, Queue, Table|Blob, File, Queue, Table|Blob (Block Blobs and Append Blobs Only)| Blob (Block Blobs and Append Blobs Only)| File Only| Best for random read/write
Unmanaged Disk (Page Blob)| Yes| Yes| No| No| No| No
Supported Perfoamance Tiers| Standard, Premium (SSD)|Standard, Premium (SSD)| Standard| Premium (SSD) | Premium (SSD)| Premium (SSD)
Supported NFS| NA| NA|NA| NA|True| NA
Supported Access Tiers| Hot, Cool, Archive| NA|Hot, Cool, Archive| NA|NA| NA
Replication Options| LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS| LRS, GRS, RA-GRS| LRS, RDS, RA-GRS| LRS, ZRS| LRS, ZRS| LRS, ZRS
- LRS (Local Redundant)
- Replicated three times in one datacentre
- Protects again server and rack failure
- write request to storage happens syncronosly
- ZRS (Zone Redundant)
- Replicates data across
three availability zones in a region and replicates it three times in each datacentre
- The data commit comes back only after all the data has been
synchronosly across all availability zones
- The Archive tier for Blob Storage isn’t currently supported for ZRS, GZRS, or RA-GZRS
- GRS (Geo-Redundant Storage)
- Copies you data
three times in a single datacentre and asynchronosly to a single datacentre with three copies in the paired region
- GZRS (Zone Redundant Geo-Replicated)
- Copies your data using ZRS in the primary region
- Async copy to a
single datacentre in the secondary region
- provides
three copies in the single datacentre in the secondary region
- RA-GRS (Read-access geo-redundant storage)
- Primary region has three copies on the data in one AZ
- Secondary region has three copies on the data in one AZ
- Read-Only Access to data replicated data in the secondary region
- RA-GZRS (read-access geo-zone-redundant storage)
- Read-Only Access to data replicated to a all AZ’s in the secondary region
Storage Firewall
- You can limit access to the storage account to:
- Public IPs
- vNets
- Resource Instances through their managed Identities
- private Endpoints
- The Storage firewall is used to block
Public IPs only
- When using the storage firewall you
must use public IP addresses not private
- Once applied it applies to all services (blob, queue, table)
- Service endpoints are used to restrict access to
certain subnets within a vNet. The client is still using the PIP of the storage account
- Allow Trusted Microsoft Service to access this account is used to allow certain
trusted sevices access, such as:
- Azure Backup
- ASR
- Azure Networking
- Service Endpoints provide two benefits:
- Restict access to only the subnet within the vNet configured
- provide a more efficient route to access the storage account
- by default read access to anonymous users is blocked
- blob storage access levels:
- Private - Only the storage account
owner has access to the container and it’s blobs. No one else has access
- blob - Only blobs within this container can be access anonymously
- container - blobs and the container can be accessed anonymously
- the access level is configured
per container
Replication RPO
- Geo-Replication is async replication. The expected maxium RPO is less than 15 minutes, but there is no SLA
Access Tiers
- Hot
- Access tier is used to store
frequently accessed data
- Cool
- storage large amounts of data
- data is not accessed for at least
30 days
- SLA lower than the hot tier
- Storage costs are lower than hot tier
- Access costs are higher than the hot tier
- Archive
- Accessed rarely
- several hours of retreival latency
- data should remain in the archive tier for at east
180 days
- cheapest storage cost
- most expensive access cost
- You have to set the archive tier at the
blob level
Skill 2.2 manage storge
If you dataset is large you can sip your data and import it into azure using the Azure Import/Export service.
VM Extensions
- To use the custom script extension your script has to be available through a URI. Be it a storage account or GitHub.
- The URI has to allow anonymous access to pass a SAS key
- extension v1.10 and later supports
managed identities for downloading friles from URLs. You cannot use a managed identity with a storage account or storageAccountKey
- The custom script runs under the
LocalSystem account
Troubleshoot VM Extension Failures
- You can find the logs in windows
c:\windowsAzure\Logs\Plugins\Microsoft.Compute
- Logs for Linux are located
/var/libwaagent/Microsoft.OSTCExtensions.CustomScriptForLinux-<version>/download/1
Availability Zones
- There is a minimum of three AZ’s per region (where applicable)
- using AZ’s gives a
99.99 uptime SLA
- When you create VMs in three AZ’s, those will automatically be distributed across
fault domains
- Availability Zones are deivided into:
- Zonal Services - A resource can be deployed to a specific (self selected) AZ to achieve more
strigent latency. Resilience is self-architected by replicating apps and data to one or more zones in the region. Example: VM, App services
- Zone-redundant - Resources are replicated to distributed
across zones automatically. Example: Azure SQL, ZRS Storage Account
- Always-Available Services - Always available across all Azure geographies and are resilient to zone-wide outages and region-wide outages. Example: Azure AD
Availability Set
- Availability sets consist of two components:
- Update domains
- Fault domains
- fault domains as for unplanned failures (like anti-affinity rules)
- fault domains are a logical construct describing a single rack in a datacentre
- If you put two VMs into an availabiility set. You are, in the background creating two fault domains. Azure will place a single VM in a seperate fault domain (Rack)
- you can have a maximum of
3 fault domains
- Update domains are for planned maintenance
- Update domain is related to the Hyper-V hosts and it will force azure to update the hosts in an organised manner
- maximum of
20 update domains
- you should always seperate your availability sets into tiers. Front-end, middle, backend
This ensures there is availability for each tier
in the event of an unexpected rack outage
Availability set disadvantages
- If you deploy multiple servers into an availability set you have to manually place the servers into that
- an availability set does not deal with load balancing. It only deals with fault and update domains
- Not compatible with availability zones
- to resolve the issues of load balancing and auto scaling Azure introduced
scale sets
Scale sets
- scale sets
in availability sets automatically. You get the benefit of fault and update domains
- scale sets
are compatible with availability zones
Create Availability Set
It's recommended to use VM Scale Sets with flexible orchestration mode for high availability. Virtual machine scale sets allow VM instances to be centrally managed, configured, and updated, and will automatically increase or decrease the number of VM instances in response to demand or a defined schedule. Availability sets only offer high availability.
Skill 5.2 Monitor and Azure Backups
Azure Monitor
- Three are three types of monitoring elements:
- By default metrics sampled at 1 minutes intervals and are are kept for
93 days
- Retention is 14 days
- App Insights retention is 90 days
Azure Monitoring Agent
- All legacy agents are getting consolidated into one age called the Azure Monitoring Agent AMA
- The agent being replaced are:
- Log Analytics Agent OMS
- Telegraf Agent - Linux
- Diagnostic Extension
- Sends data to Monitor Metrics (windows only), Event Hubs and Azure Storage
- To install the AMA you can:
- Deploy through extensions in portal. You need
VM Contributor
- Deploy through ARM
Log Analytics Contributor
- Deploy the agent manually
- The new AMA agent allows for more granular data collection using
data collection rules
- Supports data uploads to multiple locations
Log Analytics (Azure Log Monitor)
- By default Log Analytics will include 5GB of data storage per month
- You can increase the storage limit by purcasing per-GB pricing
- To onboard VMs to push their logs to Log Analytics you have to install the
azure log analytics agent (OMS)
- The OMS agent must have 443 access to the below domains:
- *.ods.opinsights.azure.com
- *.oms.opinsights.azure.com
- blob.core.windows.net
- *.azure-automation.net
### Azure Activity Logs
- Activity logs are good to see what actions occur within your environment against the ARM APIs. You will be able to see resource creations, updates, deployments and deletions, but not when traffic is blocked by a rule. This is what diagnostic logs are for.
- events in the activity log are kept for
90 days
Resource Diagnostic Logs
- Diag logs are used to increase Logging to give more advanced analysis
- Diag logs have to m set manually and can be sent to:
- storage account
- event Hub
- Log Analytics
- partner solution
- Not all resource can have a retention set in diagnostic logs. A retention value of 0 days means infinite. Retention in days is
only applicable if you select storage account
Azure Monitor Alerts
- when creating an alert rule you have to:
- Target the scope (This defines the signals to define the condition)
- condition defines the signals
- Metrics
- Log Analytics KQL Query
- Activity Log
- Resource Health
- Action Groups (what do you do)
- Notifications
- Email Azure Role
- Email/SMS/Push/Voice
- actions
- runbooks
- logic apps
- ITSM
- webhook (secure)
- Function (Requires v2)
- Event Hub
- Alerts can have one of three user states
- Alerts can have 1 of 2 states
- Fired
- resolved
Azure Backups
Azure Backup backups up:
- VMs
- SAP Hana Databases running in an Azure VM
- Azure File Shares
- Azure SQL
- SQL running in Azure VMs
To enable Azure Backups you need to create a recovery services vault. This vault must be in the same region as the VMs you are backing up.
- There are two key components to Azure Backup
- Recovery Service Vault
- Backup Policy
- backup policy defines the Backup:
- schedule
- Retention
- Daily
- Weekly
- Monthly
- Yearly
- With the recovery service Vault. There are a number of additonal options you can enable. such as:
- Backup Config: Storage Replication
- Encryption
- By Default data at rest is encrypted by Microsoft Managed Keys
- Can use your own Keys (Integration with Key Vault)
- Can enable encryption on the backup storage Infra
- Multi-User Authorisation
- Used to ensure critical tasks on the recovery serice or backup vaults have an additional layer of protection
- Security Settings
- Soft delete
- Enable soft delete for on-prem systems
- soft delete retention period (14 to 180)
- Enable Always-on soft delete
- Cross Subscription Restore
- Security PIN
Restore Azure Backups
- You can restore VMs or files
- when restoing a VM you can create new or replace existing
- If restoring a VM you have to create a dedicated storage account. This storage acoount must:
- Non ZRS
- Doesn’t display premium storage accounts
- Not attached to any affinity group
- Network restricted filtered out
- File restore has some limitations
- Must be less than 10GB of files
- bandwidth is imited to 1 GB per hour
- You have to map a drive to the snapshot
- Can’t run the script on:
- server with dynamic disks
- storage spaces
- VM has large disks > 4TB
It's recommended to have a separate VM only for file recovery (Azure VM D2v3 VMs) and then shut it down when not required.- if you have encrypted disks you must you need to allow the backup service access to key vault