Become An Azure Administrator Libro I

This document provides guidance on becoming an Azure administrator by exploring key Azure concepts and services. It discusses fundamentals of cloud computing and Microsoft Azure, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It also covers Azure management tools, controlling costs, security, storage, virtual machines, web apps, networking, and Azure Active Directory. The goal is to help administrators effectively manage users, applications, and infrastructure on the Azure cloud platform.

Uploaded by

Heidy Castilla

BECOME AN AZURE ADMINISTRATOR.

Table of contents
Table of contents
1 Azure Administration Essential Training
1.1 Introduction
1.1.1 Using Cloud Services
1.2 Getting Familiar with Microsoft Azure
1.2.1 Fundamentals of cloud computing
1.2.1.1 On-Premises Hardware
1.2.1.2 Private Cloud
1.2.1.3 Public Cloud
1.2.1.4 Hybrid Cloud
1.2.2 Fundamentals of cloud service offerings
1.2.2.1 Understanding the Offerings
1.2.2.1.1 (IaaS) Infrastructure as a Service
1.2.2.1.2 (PaaS) Platform as a Service
1.2.2.1.3 (SaaS) Software as a Service
1.2.2.2 Understanding Azure Services
1.2.2.2.1 Data storage services
1.2.2.2.2 Compute services
1.2.2.2.3 Networking services
1.2.2.2.4 Application services
1.2.3 Microsoft 365 and Microsoft Azure: Key concepts
1.2.4 Getting familiar with Azure management tools
1.2.5 Fundamentals of Azure management
1.2.6 Controlling Azure costs
1.2.7 Exploring the Azure Security Center
1.2.8 Managing Azure using Azure PowerShell
1.2.9 Exploring Azure storage services
1.2.10 Implementing a storage account
1.2.11 Managing an Azure storage account
1.2.12 Azure feature release cycle
1.2.13 Exploring Azure deployment templates
1.2.14 Exploring resource groups
1.2.15 Exploring Azure policies
1.2.16 Creating Azure policies
1.2.17 Getting Azure Support
1.3 Microsoft Azure Web Apps
1.3.1 Implementing Azure web apps
1.3.2 Managing Azure web apps
1.3.3 Configuring Azure App Service plan
1.4 Microsoft Azure Virtual Machines
1.4.1 Creating virtual machines in Azure, part 1
1.4.2 Creating virtual machines in Azure, part 2
1.4.3 Managing virtual machines in Azure
1.4.4 Connecting to virtual machines in Azure
1.5 Microsoft Azure Active Directory
1.5.1 Exploring Azure Active Directory (AD)
1.5.2 Exploring Azure enterprise applications
1.5.3 Managing users in Azure AD
1.6 Microsoft Azure Networking
1.6.1 Understanding the Azure networking components
2 Azure Active Directory: Basics
2.1 Introduction
2.1.1 Modern identity
2.1.2 Prerequisites
2.1.3 Roadmap
2.2 Azure Active Directory Fundamentals
2.2.1 Identity and access
2.2.2 Azure AD overview
2.2.3 Azure AD Connect deployment
2.2.4 Users and groups management
2.2.5 External users management
2.2.6 Application platform
2.2.7 Device management
2.2.8 Azure AD security
2.2.9 Azure AD administration
2.3 Industry Standards and Compliance
2.3.1 Open standards support
2.3.2 Regulatory compliance
2.4 Provisioning an Azure AD Tenant
2.4.1 Building an Azure AD scenario
2.4.2 Creating an Azure AD tenant
2.4.3 Adding a custom domain
2.5 Potential Business Impact of Azure AD Adoption
2.5.1 Impact on standalone infrastructures
2.5.2 Impact on hybrid infrastructures
2.5.3 Impact on employees
2.5.4 Financial implications
2.6 Conclusions
1 Azure Administration Essential Training
1.1 Introduction
1.1.1 Using Cloud Services
Cloud services are constantly being modified, so some of the functionality you see in this course may not look exactly the same as what you encounter when you log into the Azure Management portal. Microsoft updates its services and functionality based on needs and customer demand, and the result is updated features, functionality and interfaces that may not be identical. If you encounter features that are slightly different from the ones I've presented in this course, look into them and see how they have been modified. Usually that means a major improvement has been added to the platform, and you may find that the new functionality helps you even more in your migration to cloud services. Pay attention to these new features and see how they can help you and your environment in Azure.

1.2 Getting Familiar with Microsoft Azure

1.2.1 Fundamentals of cloud computing
If we're going to get familiar with Azure, we first need to get familiar with cloud computing as a whole: the terminology of cloud computing and some of the standards that Azure implements. Understanding the cloud means understanding the terminology and the services that are deployed in private cloud infrastructures as well as in public cloud infrastructures. There are three types of cloud: public, private and hybrid, where hybrid is a combination of public and private cloud offerings. Let's look at the differences between them, but before we do that, let's talk about on-premises.
1.2.1.1 On-Premises Hardware
When we talk about an on-premises infrastructure, we're talking about an infrastructure deployed within your company: you manage the servers, hardware, services and firewalls. Pretty much everything in your organization is managed by internal administrators, and you are responsible for all of those services as they function and provide functionality to your user population. Your users consume those services, and as they do, you need to update, upgrade and manage the hardware the services live on. On-premises infrastructures have been around for many years, and many administrators today are very familiar with managing enterprise services on-premises.
1.2.1.2 Private Cloud
As we talk about moving to the cloud, we look at how these types of offerings get transferred into a cloud-like functionality or experience. For example, the private cloud is really an on-premises cloud experience, where a user, and that user could be an administrator, has a portal-based environment from which they can manage the infrastructure, provision servers, deploy applications and manage websites. All of those things can be configured and managed from the portal, almost hiding the infrastructure in the background and exposing only the management portals to administrators.
A private cloud infrastructure depends on software that manages the private cloud and exposes all of its functionality in the portal. It is typically hosted in a private data center, so you are still responsible for the hardware, the software and all the network services. The level of responsibility an organization has for a private cloud is really no different from an on-premises infrastructure; the primary difference is the experience of managing it. Next, we talk about the public cloud.
1.2.1.3 Public Cloud
You know about the Google public cloud, Amazon Web Services, and of course Microsoft Azure. Microsoft Azure provides this public cloud functionality, and as the vendor Microsoft is responsible for most of the tasks performed within the Azure infrastructure.
The public cloud uses a leasing-based model, which is basically pay-as-you-go or pay-as-you-use: as you consume resources, whether applications, workloads, services or infrastructure as a whole, you pay based on your usage.
A great advantage of a public cloud infrastructure is that the entire infrastructure is already there. If you need to deploy a new application or a new server, you can do that very quickly and at a very low cost, because you don't need to purchase new hardware to support the additional infrastructure.

1.2.1.4 Hybrid Cloud

The hybrid cloud is a true mix of public and private solutions: you keep your own internal private data center, and you may choose to move some workloads, services or applications over into the public cloud. You may put them in the public cloud because it is the right environment for them, or because it is less costly to store that data in the cloud than to purchase new storage hardware. So you truly get to choose the best environment for your data, your services or your applications, based on your security needs, your cost needs, or other organizational needs within your company. Many organizations are reluctant to move to the cloud for various reasons. Some are political reasons, where they want to limit the replication of data to other countries. There are actually solutions in Azure where we can segregate the data and specify where it gets replicated and where it doesn't, but the perception still exists, and people may not want to do a full migration to a public offering. To limit that, but still get the benefits of a public cloud, the hybrid solution gives you the ability to selectively put into the cloud only the resources for which it is appropriate. Keep in mind that a hybrid cloud solution is definitely more complex to manage, because you have to manage both environments as well as the coexistence, or the communication, between them.

1.2.2 Fundamentals of cloud service offerings

When we talk about cloud solutions, we need to understand the various levels of cloud solution offerings. I refer to them as "X as a service", and today almost anything is configured as a service.
1.2.2.1 Understanding the Offerings
1.2.2.1.1 (IaaS) Infrastructure as a Service
Starting with Infrastructure as a Service: Microsoft Azure provides Infrastructure as a Service in the form of the actual hardware. The hardware and the networking pieces where you store your data and your virtual machines are hosted by Microsoft Azure. That is an infrastructure service being provided.
1.2.2.1.2 (PaaS) Platform as a Service
Microsoft Azure also provides Platform as a Service. Platform as a Service is the actual web services and web servers running in Azure on which you can deploy your applications. Say you have a custom application that you want to deploy, and you don't want to manage a virtual machine or a web server. Microsoft Azure will supply that platform, that web server, onto which you deploy your web application.
1.2.2.1.3 (SaaS) Software as a Service
With Software as a Service, the infrastructure, the platform and the software are all hosted in a cloud-based offering. The end result is an actual service, a software application that is consumed by users. A great example is Office 365: all the user consumes and sees is the software, the end application, and they consume it with no access to, no configuration of and no visibility into the back-end infrastructure that manages that software.
Depending on which offering you choose, you pay for different subscription levels and different service plans to access the functionality of each offering. Microsoft Azure provides all three offerings, through different services. As cloud computing matures as a solution, the lines between IaaS, PaaS and SaaS, infrastructure, platform and software, become a little blurred, and the services being offered become more important than the type of cloud offering.
1.2.2.2 Understanding Azure Services
The four categories of offerings provided by Azure services actually cross over between platform, infrastructure and software.
1.2.2.2.1 Data storage services
These are all of your blob storage and all of your data and databases stored in Azure; they are managed as data storage services. You control them, including the replication and availability of that storage, its backup, and many other data storage functions.
1.2.2.2.2 Compute services
Compute services are both Platform as a Service and Software as a Service, in the sense that they manage all the virtual machines you run as well as the web services onto which you deploy applications. Compute services perform a lot of the compute activity that runs in Azure.
1.2.2.2.3 Networking services
Networking services are all the connection services between your on-premises users, or your users all over the world, and the resources stored in Azure. Some connections are made through encrypted tunnels, such as VPNs, and some through direct remote desktop connections. There are various ways of accessing data stored in Azure, and we configure them through networking services; that accessibility and configurability of networking is what network services provide.
1.2.2.2.4 Application services
Application services are essentially all of the applications hosted in Azure that provide functionality for us. A main example is Active Directory: Active Directory provides a database of users and authentication services through Azure, so if you have an application hosted in Azure and you want to provide authentication services to it, you can use Active Directory as an application service. It's essentially one application servicing another, both hosted in Azure. Some of those applications are provided by Azure; others you can upload into Azure and have them hosted.

1.2.3 Microsoft 365 and Microsoft Azure: Key concepts

When you subscribe to Microsoft Azure, you create an Azure subscription. Types of subscription:
a) Trial (a couple of months)
b) Long-term agreement (enterprise agreement)
c) Pay as you go (your credit card is registered and is charged at the end of each month for your usage of Azure resources)
Microsoft 365 has its own portal, or admin center, that you access at admin.microsoft.com, and there you manage all of your Microsoft 365 resources. We have plenty of courses on Microsoft 365 that you can explore, but essentially you can create things such as email domains, SharePoint sites, Yammer groups and Microsoft Teams: the settings and services that users use to collaborate, communicate with each other and share documents. Microsoft 365 is an example of a Software as a Service solution, something we talked about earlier in the course. Office 365 is the primary element in Microsoft 365.

(Screenshot: Azure Portal and Microsoft 365 portal.)

However, you have other functionality such as Microsoft Intune, the ability to enroll and manage the devices in the organization. Across all of the services that live in Microsoft 365, there is one very important component that can, and I say "can" very specifically, be shared with your Azure subscription: your identities, your users. In Microsoft 365, if I click on Users, I can create user accounts, and those accounts can have email mailboxes, access SharePoint sites, and access all of the great services that are part of Microsoft 365. In Microsoft Azure I don't have user accounts as such, but I have an Azure Active Directory. Azure Active Directory is the directory service that manages all of the identities that are also used to access the various resources in Azure. The two can be the same: you can have one directory that is used both for your Azure subscription and for your Microsoft 365 subscription, and that directory becomes the default directory for Azure and the default directory for Microsoft 365. When you create a Microsoft 365 subscription and you already have an Azure subscription, Microsoft will try to tie the two together, but they don't need to be the same. Some organizations may want a Microsoft 365 infrastructure that has a different Active Directory entity, and therefore a different list of user accounts, than the one used for the Azure subscription, which is managed through the user accounts in Azure Active Directory. A user I create in my Azure Active Directory I can then retrieve from Microsoft 365, edit there, and assign access to the various Microsoft 365 services. Microsoft 365 and your Azure subscription are linked if they share the same Azure Active Directory; they don't have to be linked. The benefit of linking them is having a single entity, a single Azure Active Directory, used for both services and through both portals.

1.2.4 Getting familiar with Azure management tools

Once you purchase Microsoft Azure, you have a Microsoft Azure subscription. To manage it, we log in to the Azure Portal. To access the Azure Portal, we go to portal.azure.com and sign in with the same account that we used to subscribe for the Azure subscription. Here I indicate that this email address belongs to a work or school account, because it is a professional account; you can also select a personal account if it's your standard Microsoft account. Then I specify my password, and I'm now logged into the Azure Portal.

This is the default interface for the Azure Portal. This interface changes frequently, in the sense that Microsoft updates Azure, Azure features and Azure components, but especially the Azure interface, so it's very likely that when you log in to your Azure Portal the interface will differ a little. Remember that most of the Azure functionality will remain, and you will have access to most of the features and services that will be covered.
So this is the Azure Portal, a very standard browser-based portal. From here I can access all of the Azure services and additional Azure portals; these other portals are other management windows that we will use to manage some of the sub-services or sub-features of Azure.

If I scroll down a little, I see the list of my resources in Azure. These are actual Azure components, Azure services that I've installed and configured as part of my subscription. What I'm using here is the browser-based management tool; some of you may want a more flexible command-line capability to manage Azure. To get that, we access the Cloud Shell.

To access the Cloud Shell, there is a shortcut in the top bar of the portal; when I click on Cloud Shell (1), a window opens below (2). That window lets you manage Azure using one of two interfaces, PowerShell or Bash. Depending on your background and expertise, you may want to use the CLI or PowerShell to manage your Azure resources.

If you're familiar with using PowerShell, for example in a Windows environment to manage your servers or desktops, the commands you use in the Azure Cloud Shell are very similar. All of the Azure PowerShell modules are already installed, and you can use all the cmdlets that are available for Azure. If you are used to managing locally, remember that a remote connection to Azure is still possible: I can install the Azure PowerShell modules on my Windows desktop and connect to my Azure subscription from there. What you see here is just the ability to do it from within the browser; this is not a local application running on my desktop, this PowerShell window actually exists within my browser. All of the features and components I'm running here are stored in Azure, and the commands and scripts I may want to run are also in Azure.
To switch to Bash I go to the dropdown list, confirm that all of my current scripts will be stopped, and my interface is turned over to a Bash command line. This is the Cloud Shell, which gives you the ability to manage all of your resources in Azure. You don't have to use the Cloud Shell if it's a little intimidating or you have no specific need for advanced features and functionality; you can get by with just the management portals, such as the Azure Portal.
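As an added example, not a script from the course, this is the kind of Azure PowerShell session you would run in the Cloud Shell described above: it confirms which subscription the session points at, lists every resource group with the resources it contains (the resource-group model section 1.2.5 explains), and, going one step beyond the text, protects the group that hosts the corporate website against accidental deletion with a CanNotDelete lock. The group name NetlogonSite comes from the course; the lock name is an assumption.

```powershell
# Added example for this page (not the course author's script). Runs in Azure Cloud Shell
# (PowerShell), or locally after Install-Module Az and Connect-AzAccount.
# Assumptions: the signed-in account can read all resource groups and write locks on the
# group named below; "NetlogonSite" is the resource group named in the course text.

$ProtectedGroup = 'NetlogonSite'      # from the course text
$LockName       = 'do-not-delete'     # assumed lock name

# 1. Confirm which subscription the session is pointed at before touching anything.
#    Cloud Shell signs you in automatically; locally, Connect-AzAccount comes first.
$ctx = Get-AzContext
if (-not $ctx) { throw 'No Azure context. Run Connect-AzAccount first.' }
Write-Host ("Subscription: {0} ({1})" -f $ctx.Subscription.Name, $ctx.Subscription.Id)

# 2. Inventory: every resource group and the resources it holds. Pulling all resources
#    once and grouping them in memory is one API call instead of one call per group.
$groups    = Get-AzResourceGroup
$resources = Get-AzResource

foreach ($g in $groups | Sort-Object ResourceGroupName) {
    $inGroup = @($resources | Where-Object { $_.ResourceGroupName -eq $g.ResourceGroupName })
    Write-Host ("`n{0} [{1}] - {2} resource(s)" -f $g.ResourceGroupName, $g.Location, $inGroup.Count)
    $inGroup | Sort-Object ResourceType, Name |
        Format-Table -AutoSize Name, ResourceType, Location | Out-String | Write-Host
}

# 3. Deleting a resource group removes everything inside it, so put a CanNotDelete lock on
#    the group that hosts the production website. -Force skips the confirmation prompt.
$existing = Get-AzResourceLock -ResourceGroupName $ProtectedGroup -LockName $LockName `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete `
        -ResourceGroupName $ProtectedGroup `
        -Notes 'Hosts the corporate website; remove this lock deliberately before deleting.' `
        -Force | Out-Null
    Write-Host "Applied CanNotDelete lock '$LockName' to resource group $ProtectedGroup"
} else {
    Write-Host "Lock '$LockName' is already present on resource group $ProtectedGroup"
}

# 4. Show what a deletion would do without doing it. With the lock in place, a real
#    Remove-AzResourceGroup (without -WhatIf) is refused until the lock is removed.
Remove-AzResourceGroup -Name $ProtectedGroup -WhatIf
```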

1.2.5 Fundamentals of Azure management


Now that you're familiar with the Azure management tools, the Azure management portal and the Cloud Shell, let's talk a little bit about the resources that we manage within Azure. First let's talk about the organizational structure within your Azure subscription.

The primary object that you will create in an Azure subscription is called the resource group. You can think of a resource group as a group of resources in Azure that are managed as a single entity. You will notice that I have four resource groups in my subscription. Each one of these resource groups contains resources, or Azure services, that are managed as a separate entity. All of those resources can be created together, managed together, turned off together, even deleted together. I can create a resource group in my subscription and then add resources to that resource group. If I click on one of my resource groups and look at its properties, I will see that this resource group has its own settings, including the list of resources it contains. Here this resource group only contains one resource, called the WebRuleCloudService resource; this is actually a cloud service. If I go back to my list of resource groups and click on my NetlogonSite resource group, you will notice that this one contains five resources. If I want to re-deploy these resources, for example into another subscription, or if I want to delete them all as a single entity, I can manage them as part of my resource group. For example, if I click on my NetlogonSite and go to the ellipsis, I have the option to delete the resource group. It warns me: if you delete the resource group you will delete all the resources within it; are you sure you would like to do that? This is actually my corporate website, so I'm not going to delete it, but I want to show you that you can manage all of those resources within this single entity. I can create any object in Azure, but when I do, I need to select a resource group that it will belong to. So it's really your organizational structure. Think of it like a folder that organizes your files: your resource group organizes your resources in Azure. Now, if I want to create a sample resource, any resource, I click on Create a resource. When I click on Create a resource, I have the different categories of resources that I can create in Azure. Under compute resources, for example, I find virtual machines. If I click on that resource, I can create a virtual machine within my Azure subscription. During the creation process I will be prompted to select a resource group, because again, all of my resources must belong to a resource group. And all of my resource groups belong to my subscription.

My subscription is the highest level of my Azure infrastructure, and it is where I have all the settings that apply to my billing; we'll look at billing a little bit later on in this course. I see here that I have one subscription, which is a pay-as-you-go subscription. You'll notice that I just said the subscription is the highest level, yet here we have the ability to have multiple subscriptions. If you are a consultant or an administrator of multiple companies, you may have multiple subscriptions that belong to you. There is really no relationship between subscriptions: subscriptions are entities that live alone and separate from each other. However, your resource groups live within your subscription, and that is how you will manage all of your resources within your Azure environment.
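The same "resource group as a single management unit" idea, done from Azure PowerShell instead of the portal. This is an added example, not code from the course or from Microsoft; it assumes the AzureRM modules are installed and that Connect-AzureRmAccount has already been run, and the resource group name and tag values are made up for illustration.

```powershell
# Added example (not from the course): resource groups as the unit of management in AzureRM PowerShell.
# Assumes the AzureRM modules are installed and Connect-AzureRmAccount has already been run.
# The resource group name, location and tag values below are made up for illustration.

$ResourceGroupName = 'demo-essential-rg'   # hypothetical name
$Location          = 'canadaeast'          # the course's default region

# 1. Create the resource group; every resource created later must be placed into one.
$rg = New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location `
        -Tag @{ Owner = 'platform-team'; Environment = 'demo' }

# 2. Inventory: one row per resource group with the number of resources it contains.
#    This is the "four resource groups, each with its own resources" view from the portal.
function Get-ResourceGroupInventory {
    Get-AzureRmResourceGroup | ForEach-Object {
        [pscustomobject]@{
            ResourceGroup = $_.ResourceGroupName
            Location      = $_.Location
            ResourceCount = @(Get-AzureRmResource -ResourceGroupName $_.ResourceGroupName).Count
        }
    }
}
Get-ResourceGroupInventory | Sort-Object ResourceCount -Descending | Format-Table -AutoSize

# 3. Deleting the group deletes everything in it, exactly as the portal warns.
#    -WhatIf shows what would be removed without removing anything; drop it (and add -Force)
#    only once you have confirmed the group is the one you mean.
Remove-AzureRmResourceGroup -Name $ResourceGroupName -WhatIf
```

The -WhatIf run stands in for the portal's confirmation prompt: for a group such as the course's NetlogonSite, which hosts a live website, it is the step that shows exactly which five resources would disappear before anything is actually removed.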

1.2.6 Controlling Azure costs


Every good business manager will tell you that it's very important to keep tight control over your costs. And Azure understands that organizations need to understand clearly how much money they are spending on their resources and on hosting them, which resources are the most expensive, how much their costs increased or decreased from month to month, and what type of usage is incurring those costs in an Azure subscription. In order to achieve that clarity in cost management, Microsoft provides cost management and billing options inside of the Azure portal. To access those, I'm going to click on Cost Management + Billing directly in my Azure portal, and a new blade opens up that provides billing accounts and cost management. Under Billing accounts I can click on this billing account, which provides a historical view of all of my invoices from Microsoft, specifically for my Azure subscription or the Azure subscription that's specified here, and I can review those old invoices. However, if I want to manage my current costs and have a better understanding of how I'm spending my money in Azure, I would click here on Cost Management.

When I click on Cost Management, it takes me into my resource group costs. This is one resource group that I have; I'm demonstrating with this resource group because I have actual costs in it that we can point at and analyze. So I'm going to click on Cost analysis, and a beautiful dashboard appears. This dashboard gives me a great graphical view of my costs so far this month, as well as a forecast of how much I'm expecting to spend if I maintain this usage for the rest of the month. Here my costs are in Canadian dollars, because my subscription is hosted in Canada, and I see that I have costs of a little bit over $30 so far this month, with a projected total at the end of the month of a little bit less than $100. If I want to see where those costs are happening, I see various graphics here that tell me the various resources and how much they are costing me. Now I can change this view: I can go to my list here, under accumulated cost, and I can also see my cost by resources, which lists my resources in order of what they are costing me. And so I see that my service plan, which is actually an app service plan, is costing me the most; I also have a storage account with some minimal costs, as well as an app service that has absolutely no cost. So I have a little bit of a view here into my resources. I can change this view again, and if I go back to my accumulated cost, this nice graphical view of all of my costs may be useful for a business manager or an accountant. I can share this view with them, and to do that I can save this view as a custom view. I'm going to save it as the cost of the month, and if I go down to my drop-down list here, you will see that this shared view is available. In order to share it with a manager, I simply click on share, which provides me with a URL that I can copy to my clipboard. I can email this URL to my manager, they click on it, and they access this same cost view. So cost analysis can be very useful in terms of sharing this information.

Let me go back into my cost management portal, because I want to show you something else that also allows you to forecast your cost: Budgets. This is a relatively new functionality in Azure where we can create a budget within Azure. If I go into Budgets, I can create a maximum cost that I expect to spend on my Azure resources over the next month. I go down here and provide a name for my budget, a costing period, as well as an amount threshold. Now, this amount threshold is not actually going to limit my usage; it's simply a budget, and as you know, sometimes we go over budget. But it's pretty good to have an understanding of how much we expect to pay for Azure resources. The real benefit of the budget is not the budget itself but what comes next, which is the alerts. If I click on Next here, I can specify an alert: if I have incurred more than 10%, 20%, 30%, whatever that threshold is, of my Azure budget, I would like to receive an alert. This is a great way to maintain control over your costs and to ensure that if you have an issue in Azure, such as a rogue virtual machine, an administrator that has created a number of rogue resources, or an unsecured resource that is being populated with a tremendous amount of data or is being attacked by external users, all of which may incur additional costs, the alerts notify you of those costs immediately so that you can take action. So creating a budget is a good thing to do within your Azure subscription: it gives you a good understanding of where your money is going and what your regular costs for Azure resources are, and it is a great way to maintain good control over your Azure subscription.
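The budget-plus-alert described above can also be created from PowerShell, which is useful when you want the same guard rail on every subscription you administer. This is an added example, not the course's or Microsoft's code; it uses New-AzureRmConsumptionBudget from the AzureRM.Consumption module (install that module and check Get-Help New-AzureRmConsumptionBudget -Full for the parameter names in your version), assumes Connect-AzureRmAccount has been run, and the amount, threshold, names and addresses are made up.

```powershell
# Added example (not from the course): create a monthly budget with an alert in PowerShell.
# Uses New-AzureRmConsumptionBudget from the AzureRM.Consumption module; run
# Get-Help New-AzureRmConsumptionBudget -Full to confirm the parameters in your module version.
# Assumes Connect-AzureRmAccount has been run. Amount, names and addresses are made up.

$BudgetName = 'monthly-subscription-budget'    # hypothetical
$Amount     = 100                              # budget in the subscription's billing currency
$Threshold  = 80                               # percent of $Amount at which to alert
$Contacts   = @('cloud-admins@example.com')    # placeholder recipients

# Budgets are evaluated per calendar period, so start on the first day of the current month.
$start = Get-Date -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0

# One notification (threshold + recipients) per call, keyed by a name of your choosing.
New-AzureRmConsumptionBudget -Name $BudgetName `
    -Amount $Amount -Category Cost -TimeGrain Monthly -StartDate $start `
    -NotificationKey 'threshold80' -NotificationEnabled `
    -NotificationThreshold $Threshold -ContactEmail $Contacts

# A budget never caps spending; it only produces the alert. Comparing the current
# spend against the budget gives a quick "how far along are we" check.
function Get-BudgetStatus {
    param([Parameter(Mandatory)][string]$Name)
    $b   = Get-AzureRmConsumptionBudget -Name $Name
    $pct = if ($b.Amount) { [math]::Round(100 * $b.CurrentSpend.Amount / $b.Amount, 1) } else { 0 }
    [pscustomobject]@{
        Budget       = $b.Name
        Amount       = $b.Amount
        CurrentSpend = $b.CurrentSpend.Amount
        PercentUsed  = $pct
    }
}
Get-BudgetStatus -Name $BudgetName
```

The alert is the security-relevant part: a runaway virtual machine or a storage account being filled from outside shows up as an unexpected jump in spend long before the invoice arrives, so route the contact address to a mailbox that someone actually watches.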

1.2.7 Exploring the Azure Security Center


Now the Security Center is a relatively new infrastructure that has been added to Azure, and it is still being built out. However, it already provides a tremendous amount of information about whether or not your infrastructure is configured in a secure manner.

So let's go ahead and open the Security Center, which is available right here in my Azure portal. When I click on the Security Center, I need to point out first of all that you must be subscribed to the Security Center; it's an add-on to your overall subscription. You can start a 30-day trial if you want to see how the Security Center works, which is what I have right now. If I go into the Overview tab, the first thing that I see is the various scores that have been assigned to my infrastructure. Here I have a policy and compliance score. And I actually have specific regulatory standards that are identified, with a count of how many of the rules for those regulatory standards my infrastructure is configured to support. So, ISO 27001, which I actually don't know what ISO that is, but I know that my infrastructure has passed seven out of the 23 rules. If you are looking for regulatory compliance you will know specifically which ISO you are looking for. And we'll see how we can click on the link to get a little bit more information about that. I also have my security hygiene, which we'll look at in detail; these are specific recommendations on how to improve the security of my solution. This is monitoring everything that I have in Azure. That means all of my storage accounts, all of my networking, all of my Azure SQL databases, all of my Active Directory configurations, all of that is being monitored. But on top of that, I can also monitor the virtual machines that are running in my environment. And I can actually install agents on those virtual machines to make sure that they are constantly being monitored and secured. As well, I can also onboard my computers that are located on premises, so your internal network can also be added into your Azure subscription to be monitored. And you will receive recommendations on optimizing the security of those on-premises computers. If I go down a little bit below, my first section is policy and compliance. When I click on coverage you see that I have here my subscription that is being covered. So if I had multiple subscriptions, it would detail all the various subscriptions and I could click on each of them. If I click on my secure score, I see here the score that I mentioned above. I can also click on the specific subcomponents of my subscription to see their specific scores. So you'll note that my data and storage, and my networking, are fully compliant and considered fully secure. There are no optimizations to be made there. However, under identity and access I have 170 out of 225, so there's certainly some improvement to be made. But likely the biggest improvements are under my compute and apps. So it's very likely that my web apps and my virtual machines are not configured in the most secure way.

Now if I click on Security policy, I can see that I can define additional policies that will define the standards for security in my environment. Those policies would then tell me if my infrastructure is out of policy. So the security policy is one of those components that allows you to define the standards that your organization wants to be held to, and then identify which objects are not matching that security policy. Personally, the feature or component that I prefer when it comes to the Security Center is the security hygiene. When I go down to security hygiene and click on Recommendations, I see the various recommendations that are actionable for my environment. I like to break it down by the various components. So if I click on identity and access, I see that I have two recommendations here. One of those recommendations is to enable MFA (multi-factor authentication) for my user accounts that have owner permission on the subscription. That means that my global administrator, the one that has the highest level of rights, currently only needs a password to authenticate. And Azure is telling me: if you want your organization to be more secure, you should give that user account a second method of authentication. That's usually a PIN on a mobile phone, or a mobile phone app that is used as a secondary mechanism. There are some organizations that I access that require MFA, and it basically means that I have to enter a PIN and a password, and it is a very secure method of authentication. Another recommendation is to designate more than one owner on the subscription. I currently only have one user account as the owner; if that user account is compromised, then I've lost the owner of my subscription. So Microsoft recommends having at least two owners on a subscription. So you'll note that I can drill down specifically to a service that runs in Azure, and I get specific recommendations for that service. The same is true for my apps and my virtual machines, where I can go to the specific subservice and see recommendations that are actionable and give you the ability to optimize the security of your environment. All of these components can be drilled down into to receive these types of recommendations.
Security Alert

As well, I can configure alerts, so that I am alerted when a key threshold is crossed or a component is considered insecure. I can create custom alerts that notify key individuals in the organization of security threats that Azure has identified in my environment. So the Security Center is one of those tools that you will want to visit frequently to ensure that your organization is constantly maintained in a secure manner.
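The "designate more than one owner" recommendation above is easy to verify yourself with the role-assignment cmdlets, which is handy when you administer several subscriptions and do not want to open the Security Center blade in each. This is an added example, not code from the course or from Microsoft; it assumes Connect-AzureRmAccount has been run, and the minimum-owner count is a hypothetical parameter (the MFA recommendation cannot be checked with the AzureRM module, so it is not covered here).

```powershell
# Added example (not from the course): check the "designate more than one owner"
# recommendation from Security Center with AzureRM PowerShell.
# Assumes Connect-AzureRmAccount has been run; the minimum is a hypothetical parameter.

function Get-SubscriptionOwnerReport {
    param([int]$MinimumOwners = 2)

    $sub   = Get-AzureRmContext | Select-Object -ExpandProperty Subscription
    $scope = "/subscriptions/$($sub.Id)"

    # Owner assignments visible at subscription scope, including ones inherited
    # from a management group above it (those are owners too).
    $owners = @(Get-AzureRmRoleAssignment -RoleDefinitionName 'Owner' -Scope $scope)

    $users  = @($owners | Where-Object ObjectType -eq 'User')
    $others = @($owners | Where-Object ObjectType -ne 'User')   # groups, service principals

    [pscustomobject]@{
        Subscription  = $sub.Name
        OwnerUsers    = $users.Count
        OwnerNonUsers = $others.Count
        OwnerSignIns  = ($users | ForEach-Object SignInName) -join ', '
        MeetsMinimum  = $owners.Count -ge $MinimumOwners
        Note          = if ($users.Count -lt $MinimumOwners) {
                            "Fewer than $MinimumOwners user owners: losing one account could lock you out of the subscription"
                        } else { 'OK' }
    }
}

Get-SubscriptionOwnerReport | Format-List
```

A report with OwnerUsers equal to 1 reproduces the exact finding the course shows in the identity and access recommendations; the fix is the same as in the portal, adding a second Owner assignment at the subscription scope.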

1.2.8 Managing Azure using Azure PowerShell

Earlier we talked about managing all of your Azure resources using the Azure Cloud Shell, the online version of PowerShell. As I mentioned earlier, you can still use PowerShell locally, using your local PowerShell tool to connect remotely to your Azure subscription. In order to do that I need to download the Azure modules for PowerShell. They provide me with all the verbs and all the cmdlets that I need in order to manage my Azure resources. So let's go ahead and do that. To access the Azure downloads I go to azure.microsoft.com/downloads, and when I click on that I have access to all the various Azure downloads, a lot of SDKs in here, or Solution Development Kits. If I go down below to Windows, command-line tools, I have my PowerShell Windows install.

I notice that there are others here as well, such as AzCopy, a tool that you use to copy files to Azure, and VSTS, or Visual Studio Team Services, which is used if you're working in a DevOps environment. As soon as I click on it, I'm prompted to run the installation, and I'm going to run that installation of the Web Platform Installer. I install Azure PowerShell, accept the Azure PowerShell installation, and it starts to download and install my module. Now that my installation is finished, I'm going to finish and exit my installer. And I can go ahead and access my PowerShell. To do that from my Windows computer, I go to my Start button and start typing PowerShell, and from here I right-click PowerShell and run it as an administrator so I have unlimited privileges for my PowerShell commands. In order to use PowerShell with Azure I first need to connect to my Azure subscription.

So what I'm going to do is type Connect-AzureRmAccount, to connect to my Resource Manager, and that's going to prompt me for a user name and password. And I'm going to enter that in. Notice that I used Connect-AzureRmAccount. There are different accounts that I can connect to, using different commands, and these will connect me or authenticate me for different sets of PowerShell cmdlets. So I used the Rm version to connect to the Resource Manager cmdlets. Now I'm going to put in my password; notice that it is the same authentication that I used to access my portal, and I will connect to the same subscription that is available in my portal. And here I see that I've connected to my subscription. As you'll remember, it's a pay-as-you-go subscription. I have the ID of my tenant and the ID of my subscription here. So now that I'm connected to my Azure RM account and to my Azure subscription, I can start to use my Azure cmdlets.

So if I type Get-AzureRm I can use tab completion to see all the cmdlets that are available. Notice that it cycles through them in alphabetical order, so I see Get-AzureRmADUser, which will retrieve the list of my Active Directory user accounts, and so on. Now if I want to see information that might be useful to me, I can run Get-AzureRmStorageAccount. And if I don't remember the exact cmdlet, I can just type storage and press the TAB key to tab-complete it; I press ENTER and it retrieves the list of my storage accounts. The primary one that I have here is called netlogon01storage, and we'll manipulate that one a little bit later on in the course. It gives me information such as the region it's located in, as well as the SKU, or the version of the storage account. I have information about the creation of this storage account, or when it was created, and this was created about six months ago in 2018. And I have lots of information about the storage account, all of its properties; for example, this storage account does not allow HTTPS traffic only, so that property is set to false. I can actually manipulate any of those properties by using the Set verb. Notice that I used the Get verb: Get retrieves information, Set modifies information, so I can run Set-AzureRmStorageAccount. Again I've used tab completion to complete that command, and then I can modify the properties.

If you're not sure how to use Set-AzureRmStorageAccount, you can type help and then the cmdlet name, and it will provide you with all of the contextual information on how to use the specific cmdlet. So Set is the verb, AzureRmStorageAccount is the type of object that we're going to modify, and together Set-AzureRmStorageAccount is a cmdlet. The cmdlets can have multiple properties that can be set through them, and we can set all those properties by using either the portal or PowerShell. Why would I use PowerShell? Well, if I want to modify multiple objects at once, or sometimes because some properties are not exposed in the graphical interface, in the portal. At that point we may want to use PowerShell.
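Putting the Get/Set pair to work on the exact property the course points at (HTTPS-only traffic being false on the storage account), and on "multiple objects at once", which is the reason given for preferring PowerShell. This is an added example, not the course's or Microsoft's code; it assumes the AzureRM modules are installed, and the function name and its -Remediate switch are my own.

```powershell
# Added example (not from the course): connect to Azure Resource Manager and use the
# Get/Set verb pair to find storage accounts that still allow plain HTTP and fix them in bulk.
# Assumes the AzureRM modules are installed. Without -Remediate the function only reports;
# -WhatIf and -Confirm work as usual on the remediation.

Connect-AzureRmAccount | Out-Null     # prompts for the same credentials as the portal

function Invoke-StorageHttpsAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remediate)

    # Get-AzureRmStorageAccount with no parameters returns every account in the subscription.
    foreach ($sa in Get-AzureRmStorageAccount) {
        $secure = $sa.EnableHttpsTrafficOnly

        if (-not $secure -and $Remediate -and
            $PSCmdlet.ShouldProcess($sa.StorageAccountName, 'Set EnableHttpsTrafficOnly = true')) {
            # Set- modifies the property Get- showed us.
            Set-AzureRmStorageAccount -ResourceGroupName $sa.ResourceGroupName `
                -Name $sa.StorageAccountName -EnableHttpsTrafficOnly $true | Out-Null
            $secure = $true
        }

        # Same fields the course reads off the Get output: region, SKU, creation time, HTTPS-only.
        [pscustomobject]@{
            StorageAccount = $sa.StorageAccountName
            ResourceGroup  = $sa.ResourceGroupName
            Location       = $sa.Location
            Sku            = $sa.Sku.Name
            Created        = $sa.CreationTime
            HttpsOnly      = $secure
        }
    }
}

# Report only:
Invoke-StorageHttpsAudit | Format-Table -AutoSize

# Show what would change, then actually change it:
Invoke-StorageHttpsAudit -Remediate -WhatIf
Invoke-StorageHttpsAudit -Remediate | Format-Table -AutoSize
```

Running the report first and the change second mirrors the Get-then-Set order the course describes, and the -WhatIf pass is the PowerShell equivalent of reading the portal's confirmation before clicking Save.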

1.2.9 Exploring Azure storage services


There are many resources that we can create in an Azure subscription, and those resources are of various types.

As you see here in the Azure Marketplace, we can create compute resources, or virtual machines, for example. I can create containers that will host other services. I can create databases or even DevOps environments. I can also create identity services for authentication and identity management. I can create networking resources, but the ones that I want to talk about now are storage resources. We can create a number of storage resources in Azure, and we've already looked at creating a storage account, which is a key component that links with many other services in Azure.

However, we can create other storage resources to store other types of data. One of those storage resources that is relatively new is the Azure Data Box, which allows you to migrate your data from your on-premises environment over to Azure. Here I have a resource called Data Lake Gen1. Now Data Lake Storage Generation 1 is replaced now by Gen2, and we can create this new type of resource to store specific data in our Azure subscription. I can create a number of those. I can also create databases, which are also considered storage. I can create any type of storage that is either structured or unstructured: information that is stored in files, in tables, in blobs. Even the databases can be structured or unstructured. Having a good understanding of your data, the type of data that you want to store in Azure, will allow you to choose the best storage resource in Azure. Because there are so many storage resources, many of them can actually perform the same tasks. I can store blob data in a storage account. I can also store blob data in an IoT blob. And again, there are many of these resources that have similar names. So here I have Azure Blob Storage on IoT Edge. So yes, this is blob storage. I can store blobs in a storage account; I can store blobs here. But they serve different purposes. So again, having a good understanding of your data, how you're going to use your data, and the types of storage that are available in Azure allows you to ensure that you choose the right storage service for your data.

1.2.10 Implementing a storage account


One of the primary purposes of an Azure subscription is to store our data, our content, in Azure. All of the data that you will store in Azure initially goes into a storage account; a storage account is a resource that we create in Azure in order to organize our data. Now, there are other services that are also used for storing data, such as an Azure SQL database or a Cosmos DB database, which give you more database functionality to manage records and large amounts of data in Azure, but all organizations will have at least an Azure storage account to store their files in Azure. So let's go ahead and create an Azure storage account. This will be the first resource that we create in Azure in this course, so we're going to click here on the plus sign to create a resource.

As soon as I click on the Create button, I'm in the Create Storage Account window, and from here it gives me the option of selecting a subscription to create it in; this is my subscription, my pay-as-you-go subscription. Then down below I can select a resource group. You'll remember that all of your resources live within a resource group. I created a resource group called LinkedINRG-Essential, and I'm going to click on this resource group and select that the storage account will be created within it. Down below I need to give a name for the storage account. Something important to note about the storage account name is that it must be globally unique: not just unique within your subscription, but unique within all of Azure. Also, it does not accept many types of characters, such as uppercase letters, so only lowercase. I typically only use lowercase letters and numbers, so I'm going to type linkedin, and notice that if I enter linkedin, it's telling me that name is already taken. You can't use that name, so I'm going to call it linkedinEssentialStorage. It now does a validation and tells me that I've gone way too long in my name, so I need to stay within the 24-character limit. So I'm going to call it linkedinEssential; I used an uppercase letter, so that won't work, and I need to get rid of that uppercase. I just want to point out that it's actually doing these verifications and checking for you that the name meets the standard and that the name is globally unique.

Now, below I'm going to select a location. The location is where that storage account, where that data, will reside. I have here a region of Canada East, which is the default region of my subscription, but you'll note that there are a number of locations that can be selected. These are all geographical regions throughout the world. Right now you have these available, but in six months you may have three or four more that become available; Microsoft is constantly adding additional regions. Here, for example, for the East US we have two versions of it, because Microsoft has two large data centers in the east of the United States. Now, if I'm located in Europe, I may want to put this in Europe, or I may want to put this in another region depending on where my users are geographically located; that is really what determines the region you select. I select Canada East because most of my connections to the storage account would occur from the eastern seaboard of Canada. If I go down below, I have the performance. The performance tier is one of those things that will affect the cost in Azure: a standard performance tier is less expensive than a premium storage tier. It has a lot to do with the disks that are being used to actually store the data; they're more expensive disks at the premium tier, so the option you select here will incur additional cost. If I keep standard, it's a lower cost. Then I have different choices for the account kind: StorageV1, the first version of storage accounts, V2, and then BlobStorage. Microsoft has evolved the storage account with new functionalities and features, and there are a number of them that we'll look at later on, some of which are only available in the V2 storage account. Below we have the replication options. The replication options are really about data redundancy. Where do you want your data to be replicated to? Do you want it replicated on multiple disks within the same region, or do you want it replicated to disks in other regions? Do you want it to be geographically redundant? Or there is also read-access geo-redundant storage, which means that it is replicated to another region, but that other region's replica can only be read from; it cannot be written to. So this is where your data will be replicated, which is really more a matter of data resiliency in the event that you have a data center that becomes unavailable or a region that becomes unavailable: your data is then replicated somewhere else. The default is locally redundant storage.

Now I'm going to click Next to go to the next set of features, which have to do with access to the storage account. Do you want the storage account to only be accessed using secure connectivity? That is enabled by default. You can also restrict access to the storage account to specific networks; we don't have any networks in our infrastructure yet, we'll create them later on. Once we create our networks, we can specify that only the computers in a specific virtual network, or a VLAN, are able to access the storage account. It's a great way of segmenting access, so that some users or some computers can access that data but not everyone, and we do that by restricting it to specific networks. Then I'm going to click Next. Once I click Next, I have the ability to specify tags. If you have many resources in Azure, you can organize them using tags. Then I'm going to click Review + Create; it prompts me to agree to all the various settings that I've selected, and I'm going to click on the Create button. Once I click on the Create button, a deployment request gets sent to Azure to deploy this type of resource.
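The same creation flow scripted in Azure PowerShell, with the two name checks the portal performs (character rules and global uniqueness) done up front, the options chosen above (standard tier, locally redundant, V2, HTTPS-only, a tag), and, going one step further than this section, a first blob container created with no anonymous access. This is an added example, not code from the course or from Microsoft; it assumes Connect-AzureRmAccount has been run and the resource group already exists, and the resource group and account names are placeholders.

```powershell
# Added example (not from the course): create a storage account from PowerShell with the
# same checks the portal performs, then add a private blob container to it.
# Assumes Connect-AzureRmAccount has been run and the resource group already exists.
# Names below are placeholders: the real account name must be globally unique.

function Test-StorageAccountName {
    param([Parameter(Mandatory)][string]$Name)
    # Rule from the course: lowercase letters and digits only, at most 24 characters
    # (Azure also requires at least 3).
    if ($Name -notmatch '^[a-z0-9]{3,24}$') {
        return [pscustomobject]@{ Name = $Name; Valid = $false; Reason = 'use 3-24 lowercase letters or digits' }
    }
    # The uniqueness check is answered by Azure, like the portal's validation message.
    $avail = Get-AzureRmStorageAccountNameAvailability -Name $Name
    [pscustomobject]@{ Name = $Name; Valid = [bool]$avail.NameAvailable; Reason = $avail.Message }
}

$ResourceGroupName = 'demo-essential-rg'   # hypothetical resource group
$AccountName       = 'demoessential01'     # placeholder, pick your own
$Location          = 'canadaeast'

$check = Test-StorageAccountName -Name $AccountName
if (-not $check.Valid) { throw "Name '$AccountName' rejected: $($check.Reason)" }

# Standard performance, locally redundant, general-purpose v2, HTTPS-only access, one tag.
$sa = New-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $AccountName `
        -Location $Location -SkuName Standard_LRS -Kind StorageV2 `
        -EnableHttpsTrafficOnly $true -Tag @{ Course = 'Azure Essentials' }

# -PublicAccess None is the "Private (no anonymous access)" option in the portal;
# use Blob or Container only when anonymous reads are actually intended.
New-AzureRmStorageContainer -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $AccountName -Name 'blob01' -PublicAccess None

$sa | Select-Object StorageAccountName, Location, @{ n = 'Sku'; e = { $_.Sku.Name } }, Kind, EnableHttpsTrafficOnly
```

Feeding the course's own attempts into Test-StorageAccountName shows why each was rejected: linkedinEssentialStorage fails the 24-character rule, linkedinEssential fails on the uppercase letter, and linkedin passes the pattern but comes back with NameAvailable false because someone else already owns it.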

1.2.11 Managing an Azure storage account


Now let's go ahead and actually make that storage account useful. In order to find my storage account, from my home page I'm going to click on See all your resources to see all of the resources that exist in my Azure subscription. Here I find my linkedinessential storage account, the one I created in the previous video. I see that it's of type storage account, and I see that it's in this resource group here, my LinkedIn resource group. So I'm going to click on my storage account to access its properties. The first window that I see for the storage account is the Overview window. Actually, these are called blades; in Azure we call these windows blades, so every time you click on a different option in the left-side menu, you see a different blade, and the blade provides you the contextual information for that menu. So here I see the status of the storage account, the subscription it's in, and all of its general information. If I go a little bit below here, I find the Storage Explorer. The Storage Explorer shows here that it's in preview mode, and I will talk about that later on, but the Storage Explorer is the tool that you would use to actually dig in and look at the content inside of the storage account. Now it's important to note that the storage account can essentially store four types of data:
1. Blob containers,
2. file shares,
3. queues, or
4. tables.
Depending on the type of data that you want to store in Azure, you will create a service for each one of those, or only one, or maybe two of those. It really depends on your data type. So if I need to store tables, which could be stored in a database, but I want to store them in the storage account, maybe because there are fewer of them or they're simpler in nature, I can store them in a storage account. Same thing with queues, and with file shares, actual files: if you want to create a shared folder, where would you create that in Azure? You would create that in a file share service within a storage account. Or a blob: if you have files that need to be stored, or data that needs to be stored in a non-structured manner in Azure, you would store them all in a blob. So, going down my list of configurations here, I see that I can create a blob service, a file service, a table service, or a queue service. In order to easily view the data once it's been copied to one of these services, I would use the Storage Explorer. There are other ways of accessing the data, of course, through URLs, but the Storage Explorer is a really easy way to access it from within the portal.

So let's go ahead and create one of those services. I'm going to create a blob service. I click on Blobs, and then click on Add Container. I give a name to the container here; I'm going to call this one blob01. Note that the name does not need to be globally unique, unlike the name of the storage account. Then I can specify an access level: Private, with no anonymous access; Blob, with anonymous read access for blobs only, which means that anonymous users can read the data inside of this folder, or container; or Container, with anonymous read access for containers and blobs. You would use that last one if you want to provide large-scale, read-only access to the container, including to the anonymous account. Private is typically the common choice if you want to manage the security and the ACL, or access, to that blob container. I'm going to click OK, and now my storage container is created within my storage account. In here I can start to upload data, upload blobs directly into my blob container, and I can specify an access policy to define who can access this blob container. Again, it is within my storage account. Note that I created one blob container, but I can create multiple blob containers. So one storage account can have different blob containers that each have their own ACL, or their own access. Some of them may be accessible anonymously, some of them may not. Again, this is specifically for storing blobs in storage accounts.

I can also store files in my storage account, and to do that I would click on my file service and add a file share. When adding a file share here, that file share is accessible through a URI from an Internet browser. So I'm going to give it a name; I'm going to call this one file01. You notice here that you can specify a quota as well, if you want to; you don't have to set a quota. I'm going to click on Create, and now my file share is created. I'm just going to refresh my interface here to see my new file share. And here my file share is visible. I can click on my file share and, similarly to a blob, I can manage the access, upload content, and even connect to this file share. I can modify the quota. You'll note that I did not specify the quota; however, there is a default quota of 5 terabytes that was assigned to this file share. You'll note now that I can create different types of containers or shares within my storage account, and those can then be accessed by my users or administrators to store data, or to provide data for other services. Maybe I have a website that needs to access images or web data. That data could all be stored in your storage account, in a file share or in a blob container, and then the website can be configured to go and access those files. So that is a typical usage of a storage account and some of the containers that are found within it. As well, from the properties of my storage account, I can specify different things, such as my encryption settings. Now you'll note that everything that's in your storage account is actually encrypted by default. Azure encrypts all of your data that is stored in its Azure data centers. However, that data is encrypted using its own encryption keys. If you want to, you could actually manage the encryption using your corporate encryption keys; you would have those keys stored somewhere, you'd define the location, and it gives you a little bit more control over your specific
encryption. Now, you don't have to do this. Again, your data is secured and encrypted, and then the data is decrypted
when it's accessed remotely. Now, other things that I can specify here under my properties, I have information about all of
share or in a blob container and then the website can be configured to constantly go and access those files. So that is a
typical usage of a storage account and some of its containers that are found within. As well from the properties of my
storage account, I can specify different things, such as my encryption settings. Now you'll note that everything that's in
your storage account is actually encrypted by default. Azure encrypts all of your data that is stored in its Azure data
centers. However, that data is encrypted using its own
encryption keys. If you want to, you could actually
manage the encryption using your corporate
encryption keys, and you would have those that would
need to be stored somewhere, you'd define the
location, and it gives you a little bit more control over
your specific encryption. Now, you don't have to do
this. Again, your data is secured and encrypted, and
then the data is decrypted when it's accessed
remotely. Now, other things that I can specify here
under my properties, I have information about all of
my storage account endpoints and all of the resources
that are being used. For example, if you want to
access your blob, you have actually an endpoint,
which is again, a URL to go and access that blob
directly. All of that information is available in the
properties of the storage account. There's some
settings that we set during the creation of the storage
account that we may want to modify, such as the type of disk, and the tier, the replication. All of those can be modified a
little bit later on after you've created your storage account. So, even though you created your storage account, some
settings cannot be modified, such as the type. It's a StorageV2 type of storage account. But other settings, such as the
replication, can be modified at a later time. The storage account is one of those essential components that you create in
Azure, because it's really used in order to store your data in Azure.

1.2.12 Azure feature release cycle


As you go down the path of learning Azure, and start to create resources in Azure, you'll start to see some terminology that may seem a little bit confusing. And I want to address that terminology right away, so that you understand the implications of creating different types of services with different release cycles. Now Microsoft Azure is a cloud-based service, which means that Microsoft continuously updates this service. And it will provide a number of new services and functionalities as it continues to update the service. Now these services are then released to a small group of people, then a large group of people, and then to everyone. And the terminology that we use for that is private preview, public preview, and general availability. So if I click on All services in my Azure portal, you will see that some services have a disclaimer or a little button next to them that states the word preview. Everything that you see there that is preview means that it's in public preview. Features that are in private preview have only been sent to invited users; only users that are invited to view private preview features are going to be able to see those, and they will be denoted as private preview. Everything that you see in preview by default in your portal is a public preview. Everything that does not have a preview word next to it is general availability. And the primary difference between preview and general availability is the support. So Microsoft will support all features that are in public preview. However, the support will be different. There are different types of service level agreements that are available for features that are in public preview as opposed to general availability. So everything that you see here is general availability. Now I want to point out, on the same type of terminology here, the classic deployment. Now everything that you see in classic is actually even older than what we have currently in general availability. It is general availability as well in the sense that it's available to everyone, but classic is essentially resources that were created in a previous version of Azure, or the first iteration of Azure. That iteration did not use a model that we call today the Resource Manager model. The Resource Manager model is what gives us the ability to use resource groups. And so in the first iteration of Azure, there were no resource groups. It was a flat model essentially, where all resources existed directly in Azure. And those are called classic. So let's not confuse classic with preview or with general availability. And when Microsoft releases a feature to general availability, it really means that you are safe to put all of your production resources on that feature, and you will get a hundred percent of the support from Microsoft for those features.

1.2.13 Exploring Azure deployment templates


Azure offers the functionality of templates. We call them deployment templates, but basically what it is, is the ability to deploy or redeploy any resources in an Azure environment using some type of scriptable technology that is fairly easy to understand, to modify, and to customize for your environment.

Where do you start when you want to automatically deploy resources in Azure, or schedule the deployment of resources in Azure, or maybe create a test environment over and over and over again that has the same exact resources? Let's take a look, first of all, at what a deployment template looks like. There are lots of libraries of deployment templates that are available on the internet. And actually Microsoft provides the Azure Quickstart Templates. These are a series of templates that have been added by various community contributors, some Microsoft project managers, and so on. So in order to find a specific template in here, all I have to do is search for what it is that I'd like to deploy or redeploy. For example, if I want to deploy something called Databricks. Databricks is becoming more and more common in implementations that support an artificial intelligence solution. If I do a search for Databricks, I see that I have six templates that are available, and I have a specific description of that template, and I see exactly what it does. And then I can go into my Azure environment and deploy that template. First, I'll likely want to modify it a little bit, customize it for my environment.

Now let's take a look at where the templates are. Actually, I don't know if you've had the chance to explore the various tabs up to now in the course, but you might have all noticed that there is a tab for each object called Automation script. Automation script is essentially your deployment templates. So if I go into my virtual machines, click on a virtual machine that I have here, and then click down below on Automation script, I see that I have here a template. Now I didn't deploy this virtual machine using a template. What happened is that Microsoft logged all of the actions that occurred during the deployment, and now as a secondary feature in the background it's telling me: alright, when we deployed this you clicked various buttons and options, but what we did in the background was create a deployment template and we deployed this resource. This deployment template is offered to me here in PowerShell, so I see all of the PowerShell commands that are going to be used in order to deploy this. However, depending on your experience you may want to see it in Ruby or .NET or CLI. And so you have the ability to look at the different types of languages that are being used to deploy a resource. And you can actually customize that language based on your familiarity and then redeploy a resource using that language. So in order to grab all of this information I can actually download the template, and once I've downloaded it, I can actually review it in just Notepad or any text editor. Once you're reviewing your template, you can then save it and then redeploy. You can add your templates to a library. When you are ready to deploy a resource, you can then choose a template from the library. So instead of selecting the various options of your deployment, you could just select a template that already has all the answers to all the questions that are being asked during the deployment, and then deploy the template. The template will then deploy the resources in your Azure subscription. In your template you'll also define the resource group. You'll define the location. You'll define the region and all the parameters. And this is an easy way to deploy lots and lots of resources in Azure, or redeploy the same resources time and time again if you're doing a lot of testing. Deployment templates can always be viewed in an object after that object has been created, in order for you to learn from the creation of that object or redeploy that object. Remember that you can download any deployment template from the Azure website and learn from these deployment templates to understand the terminology, to understand the syntax that is being used, and then create your own deployment template to customize your Azure environment.
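As an added worked example (not code from the course), the following Python builds a deployment template of the kind described in this section for the storage account pieces created by hand in the storage account walkthrough above, that is, a StorageV2 account with blob containers at the three access levels and a file share with the 5 TiB quota, and then audits the template for containers that anonymous users could read. The resource types, API version and property names are the published Microsoft.Storage ones; the account, container and share names are constructed sample values.

```python
"""Added example (not course code): generate an ARM deployment template for a
storage account with blob containers and a file share, then audit the template
for containers that can be read without a credential.

Resource types, API version and property names are the published
Microsoft.Storage ones; account, container and share names are constructed.
"""
import json

API_VERSION = "2021-09-01"
ACCOUNT_TYPE = "Microsoft.Storage/storageAccounts"
CONTAINER_TYPE = "Microsoft.Storage/storageAccounts/blobServices/containers"
SHARE_TYPE = "Microsoft.Storage/storageAccounts/fileServices/shares"


def storage_template(account_name, containers, shares,
                     location="canadacentral", allow_public=False):
    """Return an ARM template (dict) for one StorageV2 account.

    containers:   {name: publicAccess}, publicAccess being "None" (private),
                  "Blob" (anonymous read of blobs only) or "Container"
                  (anonymous read of blobs plus listing of the container)
    shares:       {name: quota in GiB}; 5120 GiB is the 5 TiB default quota
    allow_public: account-level switch; when False every container is
                  effectively private whatever its own publicAccess level
    """
    depends = [f"[resourceId('{ACCOUNT_TYPE}', '{account_name}')]"]
    resources = [{
        "type": ACCOUNT_TYPE,
        "apiVersion": API_VERSION,
        "name": account_name,
        "location": location,
        "sku": {"name": "Standard_LRS"},   # replication: can be changed later
        "kind": "StorageV2",               # account type: fixed at creation
        "properties": {
            "supportsHttpsTrafficOnly": True,
            "minimumTlsVersion": "TLS1_2",
            "allowBlobPublicAccess": allow_public,
        },
    }]
    for name, access in containers.items():
        resources.append({
            "type": CONTAINER_TYPE,
            "apiVersion": API_VERSION,
            "name": f"{account_name}/default/{name}",
            "dependsOn": depends,
            "properties": {"publicAccess": access},
        })
    for name, quota in shares.items():
        resources.append({
            "type": SHARE_TYPE,
            "apiVersion": API_VERSION,
            "name": f"{account_name}/default/{name}",
            "dependsOn": depends,
            "properties": {"shareQuota": quota},
        })
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "resources": resources,
        "outputs": {  # the blob endpoint URL shown under the account's properties
            "blobEndpoint": {
                "type": "string",
                "value": f"[reference('{account_name}').primaryEndpoints.blob]",
            }
        },
    }


def anonymous_containers(template):
    """Return {container: publicAccess} for containers readable anonymously.

    Anonymous read needs both the container's publicAccess level and the
    account's allowBlobPublicAccess switch; a missing switch is treated as
    allowed, the conservative reading for an audit.
    """
    accounts = {r["name"]: r for r in template["resources"] if r["type"] == ACCOUNT_TYPE}
    exposed = {}
    for r in template["resources"]:
        if r["type"] != CONTAINER_TYPE:
            continue
        account, _, container = r["name"].split("/")
        account_allows = accounts[account]["properties"].get("allowBlobPublicAccess", True)
        if account_allows and r["properties"].get("publicAccess", "None") != "None":
            exposed[container] = r["properties"]["publicAccess"]
    return exposed


if __name__ == "__main__":
    tmpl = storage_template("linkedinstorage01",              # constructed name
                            {"blob01": "None", "images": "Blob"},
                            {"file01": 5120}, allow_public=True)
    print(json.dumps(tmpl, indent=2))
    print("anonymously readable:", anonymous_containers(tmpl))
```

The generated JSON can be saved and deployed like any downloaded template; the audit function is what you would run over a template before handing it to a deployment.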
1.2.14 Exploring resource groups

I've already mentioned briefly, the concept of a resource group, the ability to group all of your resources together, in an
object, in an Azure subscription, and then, manage all of those resources as a single entity. Now, let's take a look at the
resource groups, that we have in our Azure subscription. I have here a list of my resource groups, and within those, I have
one called LinkedINRG. This resource group contains several resources, and if I click on the resource group, I see the
resources that are maintained in this resource group. As well, I can manage all of those together, such as going into the
deployment tab, and seeing how each one of those resources was deployed. And I actually see a historical view of the
deployment of my resources, the amount of time it took, as well as all of the events that happened, during the creation of
the resource. For example, if I click on this resource here, I can look at my deployment page, look at exactly when that
deployment occurred, and I see all of the inputs and the outputs that occurred during the deployment, as well as a template
that was being used. So, we've talked already about deployment templates, and how those can be used to redeploy, any
resource in Azure. However, if I want to see the syntax for a specific resource, I can just click through my options here,
and I see the specific syntax, and how this resource was created. Now, this syntax here is in JSON. I can look at it in
PowerShell, and I can look at all the commands in PowerShell, that were used to create this resource. I can download this
template. I can manage this template, like any other deployment template. Another option that is really interesting here is
when I click on resource costs. Now, resource costs actually tells me how much was spent in this resource group, based on
the resources that I have. So, you'll see right now, that I have several resources, and I've just spent about 20 cents
Canadian. So, really, not a whole lot, 'cause I don't have a whole lot going on in this resource group. But it allows me to
segment my costs per resource group, therefore, allowing me to see exactly, what my Azure resource costs have been. If I
dig down a little bit below, I'll see that I have policies as well, that allow me to define whether or not the resources in my
resource group are compliant. And I also have recommendations, that allow me to specify different options in order to be
in better compliance. I have my properties here of my resource group provide some information about the location, and
where these resources are found. As well, I can specify alerts, that will affect any resource within that resource group. So,
you'll note that this resource group here contains several resources, and they are all managed as part of the same entity,
the resource group. The same is true that if I delete this resource group, it will delete all of the resources within the resource
group, and you are notified as such, that all of these resources will be deleted. So, it's very important that deleting a resource
group must be understood as a very high-level task, one that not all administrators should have the ability to do, because it is
going to affect all the resources in your infrastructure.
1.2.15 Exploring Azure policies
There are a large number of resources that can be created in a subscription. As well, we can have multiple subscriptions
that can be managed by using management groups. And so we can have an organization that becomes quite large, with a
large number of resources that can be located in a single resource group, or across multiple resource groups.

The fact that we can have such a large number of resources, and that they can be located in various locations in our subscription, means that managing all of these resources can sometimes become a little bit of a challenge, as can ensuring that our resources don't run away from us with settings that we did not intend to set, or administrators that created resources that did not comply with organizational norms. We can use policies to gather information about our resources, and to identify any resources that are not in compliance, even to remediate any of the problems that have been identified through one of these policies. So when I go into a resource group and I click on Policies, I have the Policy Compliance window that opens up immediately. In here I see some existing policies that are created automatically for me as part of my environment. I did not manually create those; they were created for me immediately within my Azure subscription. A good example of policies that are automatically created is this one here, which is an audit policy that validates that all of the disks that are being used in our virtual machines are actually managed disks. So, the Audit VMs that do not use managed disks policy reviews all of our virtual machines and identifies the resources that are non-compliant, essentially identifying the disks that are not managed.

Now I can modify this existing policy, or I can remove this policy as I want, but what's really going to be interesting is creating additional policies, policies that will scan all of my resources in Azure and identify the ones that have problems, that are not in compliance with a specific requirement that I've set in my organization. Now that requirement could be a compliance requirement, or it can be a technical requirement. So I'm going to go back under Policy Compliance, and these again are my policies, and to create new policies I can click on Assign Policy. To create a discovery for the non-compliance of my infrastructure, I can also create an initiative. In the next video of this course, we will create a policy and we will look at how these are affecting our existing resources in Azure.

1.2.16 Creating Azure policies

Let's take a look at how we assign a policy. The great thing about policies is that there are a number of pre-defined policies that we can choose from. These are called policy definitions. So initially a policy is applied to a resource group, and here we have a scope that is set as the resource group. Within that resource group, we can also create an exclusion. For example, if you want a policy to be assigned to all of the virtual machines in a specific resource group except one virtual machine, you can create an exclusion. So from this ellipsis here, I can select a resource and specify that the policy will apply to everything except that one virtual machine. I can have multiple exclusions, so if I need to exclude five virtual machines, I can exclude them. It can be any resource that I exclude, not only a virtual machine. Now under my policy definition here, I'm going to click on the ellipsis to show you some of the 300 plus policy definitions that exist in Azure. So they range from a number of things in terms of ensuring a specific setting, ensuring a specific configuration, or automatically deploying a resource. There are a number of things that we can automate and validate using policy definitions. So I'm going to choose one here, and I'm going to go into storage, and I'm going to ensure that all my storage accounts use HTTPS for transfer. So if I have multiple storage accounts, these storage accounts need to have HTTPS enabled. Now we've looked at this setting before and how we enable HTTPS for a storage account, but this policy will allow us to define whether HTTPS has been set for the storage accounts. So I'm going to select this policy definition and it is assigned to my policy. And if I go down below, I notice in my settings here, I can either enable or disable the policy enforcement, which means that it actually enforces this setting, as opposed to just auditing for that setting. I have some additional settings that I can set here, under my parameters. I can set the effect to audit again, or I can have it deny the creation, where I basically want to prevent the creation of any object that does not have HTTPS, or disable it. Under Remediation, I can specify what happens if the policy runs and identifies already created storage accounts that do not have HTTPS enabled, and I can specify whether or not the object can be created, if it's in the process of creation, or if it's already created, whether it's going to be remediated with that HTTPS setting. If I click on my Review + Create button, I can then specify to create the policy, and the policy will automatically be assigned to my scope. So again, my scope here is my resource group that I created in my Azure subscription. If I click on Create Now, it will be deployed, and as soon as it's deployed, it will begin a scan of my resources in the resource group to identify any resources that are not in compliance with my policy.
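As an added example (not part of the course material), here is a small Python evaluator for a policy definition shaped like the HTTPS policy assigned above, showing how the Audit, Deny and Disabled effects chosen under the assignment's parameters differ both in a compliance scan and at creation time. The rule and the storage account records are constructed for illustration; the field alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly is the real one used by the built-in definition.

```python
"""Added example (not course code): a minimal offline evaluator for an Azure
Policy definition, showing how the Audit and Deny effects behave.

The definition mirrors the structure of the built-in "Secure transfer to
storage accounts should be enabled" policy; the alias below is the real one.
The storage account records are constructed sample data.
"""

HTTPS_ALIAS = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"

HTTPS_ONLY_POLICY = {
    "mode": "Indexed",
    "parameters": {"effect": {"type": "String",
                              "allowedValues": ["Audit", "Deny", "Disabled"],
                              "defaultValue": "Audit"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [  # property never set, or explicitly switched off
                {"field": HTTPS_ALIAS, "exists": "false"},
                {"field": HTTPS_ALIAS, "equals": "false"},
            ]},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}

SAMPLE_ACCOUNTS = [  # constructed records in the shape the evaluator reads
    {"name": "linkedinstorage01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "legacystore", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "oldaccount", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},
]


def _field(resource, field):
    """Resolve 'type'/'name'/'location' or a <resource type>/<property> alias."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    prefix = resource["type"] + "/"
    if not field.startswith(prefix):
        return None
    value = resource.get("properties", {})
    for part in field[len(prefix):].split("/"):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _norm(value):
    # Policy compares case-insensitively; booleans match the strings "true"/"false"
    return None if value is None else str(value).lower()


def matches(cond, resource):
    """True when the policy condition selects this resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = _field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    raise ValueError(f"unsupported condition: {cond}")


def resolve_effect(policy, assignment_params):
    """Effect chosen at assignment time, else the definition's default."""
    effect = policy["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        name = effect[len("[parameters('"):-len("')]")]
        return assignment_params.get(name, policy["parameters"][name].get("defaultValue"))
    return effect


def evaluate(policy, resources, assignment_params=None):
    """Compliance scan of in-scope resources; a Disabled assignment scans nothing."""
    if resolve_effect(policy, assignment_params or {}) == "Disabled":
        return {}
    rule = policy["policyRule"]["if"]
    return {r["name"]: "NonCompliant" if matches(rule, r) else "Compliant"
            for r in resources}


def admit_create(policy, request, assignment_params=None):
    """Creation time: Deny blocks a non-compliant request, Audit only flags it."""
    effect = resolve_effect(policy, assignment_params or {})
    if effect == "Disabled" or not matches(policy["policyRule"]["if"], request):
        return "created"
    return "denied" if effect == "Deny" else "created (flagged non-compliant)"
```

Running `evaluate(HTTPS_ONLY_POLICY, SAMPLE_ACCOUNTS)` flags both the account with the setting off and the one where it was never set, which is why the real rule checks `exists` as well as `equals`.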
Commented on by Microsoft for improvement; shows the impact ….
1.2.17 Getting Azure Support

When we talk about an Azure subscription, support can come in various forms. It could come directly from Microsoft in
the form of a support request or a ticket that we open up with Microsoft when an issue occurs. It can come in the form of
community support where there are tons of resources and individuals in the community that are willing to help
organizations and individuals with problems in Azure. It could also come in the form of information, being aware of
problems that are existing in a current Azure deployment, or even providing documentation or retrieving documentation
that is available from Microsoft in order to better improve the deployment of your infrastructure and prevent problems
even before they occur. So we can have both preventative solutions to our environment, reactive solutions, or also day-to-
day proper management of our infrastructure to ensure that we minimize any type of support issues and in turn minimize
any down time. So if I click on help and support within the Azure portal, I have access to all of these resources, and the
first one that I want to show you is the support plans. Now, when I click on Support Plans, I actually see the list of support
plans that are available from Microsoft, and you'll notice that organizations by default are set to the basic support plan.
The basic support plan still gives you 24/7 access to customer support and lots of documentation and resources, but you
will notice that there are a number of missing resources that are not available here from the list of available support
options. And as you go down the list of support options, the most expensive support option is set at $1000 a month, and
that is for the professional direct support. You can easily upgrade from one support option to the next and it will be added
to your billing cycle. That is certainly one option depending on the resources that you're hosting in Azure and how critical
they are. If you have an issue with Azure and you want to find out if it's caused because of a current failure in the
environment, you can click on Service Help and identify any current service issues. So if there are service issues, they will
be highlighted in red if they impact your resources and you will find out that maybe Microsoft has a data center that's
down or certain resources in a data center are down. It is very rare for resources to be unavailable within Azure, but it
certainly is possible. As well, Microsoft can have planned maintenance cycles, and you can click on the planned
maintenance cycles. Typically you would receive an email message if it affects your resources and you'd be able to find
any issues that may occur in the event of a planned downtime because of an upgrade or something else that would happen
in your environment. As well, health advisories would be available here. Now, I want to go back to help and support and
show you something else here which is certainly very important is the advisor. Now, the advisor is actually a set of
recommendations that are provided to you by Microsoft to either improve the efficiency of your deployment, reduce your
cost, or potentially prevent a security issue from occurring. The various recommendations that are provided to you by
Microsoft are rated by their impact level. And, for example, here I have an impact level of high where I have a subnet
that is not associated with a network security group. Now, I actually created this resource recently as part of my
demonstration and I did not connect that subnet to a network security group, so I'd be able to see the various high-impact
issues that are listed here. And you'll notice that there are a number of issues rated from low to medium to high. I can click
on any one of those resources, get a little bit of information, and potentially modify my infrastructure. As well here, I have
a cost saving recommendation which tells me that I could actually deallocate a specific IP address that is not being used
and therefore reduce my monthly cost. So the advice comes in many different forms from Microsoft. As well, I can create
a support request. Now, if I have a specific issue for which I cannot find resolution either in the service health dashboard,
in the community out on the internet, or in Microsoft documentation, I can certainly open up a support request issue with
Microsoft, specify what type of issue I am having, and here I can say that this is an Azure services issue. I can specify the
type of issue, whether it's a technical issue. Notice that you can also choose a billing issue, subscription management
issue, and also subscription limits issue. Now, this is an interesting one, because it affects the pre-defined limits that are in
Azure. There are a number of limits in Azure, and you can easily find them on the internet. They change, so I'm not going
to go through mentioning each one of them, but there's probably at least 50 to 75 limits of resource utilization in Azure,
and it's about the number of resources that you can create in a single resource group or a single subscription. Microsoft, in
order to prevent usage overruns, will have specified default quotas for these various types of resources. And if you reach
that quota, which is typically very high and it's rare to reach it, but if you do, you can make a request to Microsoft to
increase the quota for your organization, and essentially, Microsoft makes an exception for your organization, allowing you
to exceed that quota. And this is where you make that request to Microsoft. If I select technical, I can go a little bit deeper.
Select my service, my functionality, and then create that support request to Microsoft, it will be sent to Microsoft, I will be
able to track it under my all support requests, and I'll be able to view the results over time and identify any resolution that
Microsoft has provided to me for this specific problem.

1.3 Microsoft Azure Web Apps


1.3.1 Implementing Azure web apps
When Microsoft first released Azure, one of the primary services that organizations were hosting in Azure were websites. And at that point you could create a new website in Azure and publish your HTML pages so that it would be accessible, and it would be highly available because it was stored in the cloud. Today that's evolved a lot, and today we don't create websites anymore, we create web apps. So let's go ahead and create a web app in Azure. In order to do that, I need to click on Create a resource, and I'm going to type web app to search for the web app type resource, and I see here that the first resource in my list is a web app. Notice that you have some that are from Microsoft and third parties, as with all other services, and Microsoft has a lot of various web apps that exist here that you can use. Now these web apps have specific settings, or a group of specific settings and functionalities already set for them, or you can go ahead and create just a web app and then manipulate all of the settings yourself. So I'm going to select web app and then click on the create button. Now as soon as I go ahead and start creating my web app, I need to specify a name. Now just like the storage account, that name needs to be globally unique, because as you notice a URL is being assigned to that web app immediately. So it's going to be a .azurewebsites.net URL. So I have to give it a name that will be unique within that, so I'm going to call it linkedin, and you notice if I call it linkedin that that name has already been used, so I'm going to call it linkedinappessential. And now I have here this name that is recognized. I have an option to create a new resource group or use an existing resource group. In this case I'm not going to choose the default of creating a new resource group; I'm actually going to select my resource group from my list here. And I have here linkedin rg essential as my resource group. Then I can specify an operating system. Now this is actually the operating system that will host the app. Some applications require Linux or Windows, and here I can actually specify that. If I want to use a specific image I can also select docker image. Then below I can specify my app service plan. Now the app service plan is essentially the container for your app that defines all of the settings and configurations of the hosting environment of your app, including how many instances and servers will be running that app, therefore directly affecting your cost of hosting the app in Azure. So I'm not going to select the current service plan that I have here; I'm actually going to create a new one. And I'm going to give a name for this service plan. I'm going to call it linkedin sp one, and a location. Now here you notice that I have a pricing tier; we will look at the service plan pricing tiers a little bit later on in this course. And now I'm going to click on create. Now as soon as I click on create, all of my settings are validated, the environment is created in Azure, as well as the app is created in Azure. Once the app is created in Azure I'll be able to actually go ahead and test that the app has been successfully deployed in my Azure environment. And to do that I'll actually go in a browser and type the URL of the app.

So a little bit of time has gone by. I'm going to go ahead and make sure that my app has been successfully created. And to do that I'm going to type linkedinappessential.azurewebsites.net. And we see here that the app has been successfully deployed. Now there is no code; I actually didn't deploy code that runs behind that app. I just created the necessary resources in Azure. And I know that those resources are available because I'm able to access that URL and I see that Microsoft Azure is responding. The next step would be to actually deploy code inside that app. Now that would be the role of your developers. Now in the next video in this course we will go ahead and modify the settings of the app that we just created.

1.3.2 Managing Azure web apps


After having created our web app and our app service plan, we can go ahead and start to take a look at the management
pieces for those objects. So the web app, just like all of our resources in Azure, will exist within our list of resources in
our resource group. So if I browse all the resources in my subscription, I can see here that I have my linkedinappessential
web app. So I'm going to click on it, and access all of the properties. In the properties of my web app here, first of all in
my overview blade I see that I have some information about the deployment URL and the URL of the web app. So I have
here, this is my URL for my web app,
I was able to access it in a previous video so I know that my app is running. As well I have
my app service plan that is tied to this web app. You notice here that we are in the app
service plan as well. Here, I have the stop button where I can actually stop my web app if we
want it to stop costing you money, that's a good way to stop it. You can restart it, I can delete
my web app from here as well, and get my publishing profile. The publishing profile is the
list of components that define the way that the app is published, and it's basically text that
you can view in a notepad. So I have all of this basic information about my web app over
here, if I go down my list of settings, I have my deployment slots. So the deployment slots
are basically a functionality of Azure that allow you to deploy an app in a staging
environment, and then after that, swap it into the production environment. So this is a
technique that a lot of developers use when they're building or modifying code, they want to
do that in a staging environment and then when they are ready to release the code in
production, they would then swap the production slots with the staging slot. So you have
here deployment slots that you can create and manage with your developers so that you can
always run development of code in staging and not in production. If I go a little bit below,
I've got my general settings. So here under application settings, you will see that you have
many, many settings that define how the code runs and the environments that are available for that code. As well, you
have some security settings; if I go a little bit below here, you will see that FTP access to your web app is defined
through these options here. If you want to disable FTP access altogether, you can disable it. You have a lot of settings
here that can be modified, and I'm not going to go through every single one of them, but I am showing you the ones that
are really the most relevant and commonly used. For example, here you also have your default documents, the documents
that will automatically launch when somebody accesses that web page. All of these are accessible here, and you can add
additional documents as well. I have some authentication settings, and by default, your web app is available through
anonymous access, so users do not need to authenticate; you may want to require authentication by modifying the options
here. You can configure the domain names that are being used in your URL. So this is our default URL that we've defined,
the name of our app followed by .azurewebsites.net, but you may want your web app to be accessible through a different
URL. So you would add a hostname here; of course that hostname would also have to be added in a public DNS (domain name
service) database, so that users on the internet can actually find that name, or resolve that name to an IP address.
I have some additional options here for SSL settings, where you can actually define how HTTPS access is configured for
the web app. By default, there is no HTTPS access, only HTTP, but you can add an SSL binding with certificates by loading
a certificate into your Azure subscription, therefore allowing you to have HTTPS, or secure HTTP, connectivity to your
web app. Most organizations will want to define some type of HTTPS settings so that they can ensure that the data that is
being transferred with the web app is transferred in an encrypted manner: HTTPS ensures that the communication is
encrypted. As well, here I have my networking settings, and this is where I'll be able to configure the network
connections and restrictions for this web app. For example, I can specify rules that define which IP addresses can access
my web app. Other settings that I have here really relate to the app service plan, and I will show you that in a later
video in this course. If your role teeters a little bit toward Azure DevOps, and you may also be responsible for managing
the code in its lifecycle and in its connection to the web app, you have other options here, such as the ability to clone
the app, and manage the app resources in an Azure DevOps environment. Now you'll notice here that not all the
functionalities are available. The type of service plan that I've purchased will define the availability of my options.
So, there are many things that I can configure here for my web app and my app service plan. The settings here can be
continuously updated, and then redeploying your app will ensure that they are available to users that connect to your
app.
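The settings walked through above (FTP access, HTTPS, IP restrictions, custom hostnames and deployment slots) can also be applied from the Azure CLI instead of the portal. This is an added example, not code from the course: it assumes the course's resource group and app names, uses placeholder values for the CIDR, hostname and certificate thumbprint, and prints the commands instead of running them when AZ=echo is set.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI equivalents of the web app settings discussed in the course.
# Assumptions: resource group/app names from the course; the CIDR, hostname and certificate
# thumbprint below are placeholders. Set AZ=echo to print the commands instead of running them.
set -eu

: "${AZ:=az}"
RG="${RG:-linkedinrgessential}"
APP="${APP:-linkedinappessential}"

# Turn off FTP deployment access, require TLS 1.2 and redirect every HTTP request to HTTPS,
# so data exchanged with the web app is always encrypted in transit.
harden_webapp() {
  rg="$1"; app="$2"
  $AZ webapp config set --resource-group "$rg" --name "$app" \
      --ftps-state Disabled --min-tls-version 1.2
  $AZ webapp update --resource-group "$rg" --name "$app" --https-only true
}

# Only allow requests from the given CIDR; once one Allow rule exists, App Service denies
# every other source address.
restrict_ip() {
  rg="$1"; app="$2"; cidr="$3"; priority="${4:-100}"
  $AZ webapp config access-restriction add --resource-group "$rg" --name "$app" \
      --rule-name "allow-${priority}" --action Allow --ip-address "$cidr" --priority "$priority"
}

# Attach a custom hostname and bind an already-uploaded certificate (SNI) to it. The hostname
# must also resolve in public DNS to the app's default *.azurewebsites.net name.
bind_custom_host() {
  rg="$1"; app="$2"; host="$3"; thumb="$4"
  $AZ webapp config hostname add --resource-group "$rg" --webapp-name "$app" --hostname "$host"
  $AZ webapp config ssl bind --resource-group "$rg" --name "$app" \
      --certificate-thumbprint "$thumb" --ssl-type SNI
}

# Create a staging deployment slot and swap it into production.
promote_staging() {
  rg="$1"; app="$2"
  $AZ webapp deployment slot create --resource-group "$rg" --name "$app" --slot staging
  $AZ webapp deployment slot swap --resource-group "$rg" --name "$app" \
      --slot staging --target-slot production
}

# Read back the effective settings so the change can be verified after applying it.
show_security_state() {
  rg="$1"; app="$2"
  $AZ webapp show --resource-group "$rg" --name "$app" --query "{httpsOnly:httpsOnly}" -o json
  $AZ webapp config show --resource-group "$rg" --name "$app" \
      --query "{ftpsState:ftpsState, minTlsVersion:minTlsVersion}" -o json
  $AZ webapp config access-restriction show --resource-group "$rg" --name "$app" -o table
}

# Run the whole sequence only when invoked as `./webapp-harden.sh apply`.
if [ "${1:-}" = "apply" ]; then
  harden_webapp "$RG" "$APP"
  restrict_ip "$RG" "$APP" "203.0.113.0/24" 100                         # placeholder range
  bind_custom_host "$RG" "$APP" "www.example.com" "<CERT-THUMBPRINT>"   # placeholders
  show_security_state "$RG" "$APP"
fi
```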

1.3.3 Configuring Azure App Service plan


Now that we've created our app or our web app, we have the container that it lives within called our App Service Plan that
must be configured as well. So to find my App Service Plan, I'm going to click on my All resources to see all of the
resources in my Azure subscription, and I'm actually going to browse by using my Resource group. So if I click on my
Resource group, the linkedinrgessential, I see all the resources in my Resource group, and I see my App Service Plan right
here, so I'm going to click on that. Now, as soon as I click on the App Service Plan, once again, I have the Overview blade
that provides general information about the App Service Plan. But I want you to note something very important here,
which is this information over here in the top-right corner: Standard 1 Small. Standard 1 Small essentially means that the
App Service Plan is an S1 type service plan, one of the smallest type service plans that we can have in our Azure
subscription, and that service plan has a limited amount of resources available to it. Essentially, when a number of users
will be connecting to the app, there is a limited amount of resources available to the App Service Plan, such as the amount
of processing power and memory that's available to this service plan. So let's take a look at how that's configured. I have
two options here, Scale up and Scale out. Let's first take a look at Scale up. Scaling up a service plan allows you to move
from your current service plan, which here is an S1-type service plan with 1.75 GB of memory, an A-Series compute
equivalent. That describes the machines, the computers, that run this App Service Plan, what type of power they have as
an A-Series virtual machine, and we can look that up to see how much power that actually is. But as well, I have the cost
of the service plan. So an estimated $95 a month Canadian is what this service plan will cost, which is somewhat low
within the overall range of service plans that are available. Now, if I want to Scale up my service plan to a
different tier, I can select from all of these tiers.
Now, if I go down below here, you see, I am at S1. If I go to S2, I have more memory, or double the amount of memory,
and this right away, doubles my estimated monthly cost. Same thing here if I move to an S3. P1 service plan, as well, is a
different service plan that offers different types of resources and memory. And so, the different types of configurations for
these service plans is the amount of resources that are available to them, and I can toggle between them by scaling up or
scaling down my service plan. So if I click on one of these here, and I click Apply, my service plan will then be converted
to an S2 service plan. Notice that if I go into a P-level service plan, P stands for Premium, so we've got the Standard and
the Premium plans, then, above and beyond having more resources, I also have more functionalities that become
available, and we'll see when that will come into play. So I'm going to go now to Scale out to talk about the scaling out of
the service plan. So the scaling out is actually the amount of instances of computers that will run that service plan. So
initially, we have here in our scaling up, the type of machine, so this is an A-Series computer, the type of computer that
loads this service plan, and in the Scale out, I have the number of them. So by default, there is one, but I can increase that
number. I can also enable autoscale, where the scaling, or the number of instances of machines that will run my service
plan can be scaled up or scaled down, based on the demand that is coming in to my service plan. So if I have a high
level of demand, of users that are trying to connect to my web app, Azure will automatically scale up your service plan
to use more resources. Therefore, of course, those resources will cost you more. So if I click on Enable service plan, I can
specify a service plan that is scaled up based on a metric, so I can say that if the service plan has a demand of at least 70%,
then add an additional instance for the service plan, and I can say for how long that instance will be up, and then, when it
will be taken down. So you can limit your additional cost by specifying this metric rule that will define when additional
computers will host your web app based on the high period of demand for your web app, ensuring, therefore, that if you
have a peak of connections to your website, your website doesn't go down. If this is an App Service, you want to make
sure that it remains available, even if there is a tremendous peak of demand to your App Service. Some of these features
here depend as well on your App Service Plan, so depending on my App Service Plan, I can modify these settings and bring
them up higher. So here, if I go to an instance count of four as my initial instance count, what I've done here is scale out
my service plan. This is not based on demand, this is not autoscale. This is really defining that, now, I have four
computers that will be running my App Service Plan. My cost for hosting this App Service Plan will be much greater. So
it's very important to understand the difference between scaling up, essentially providing more resources, and
scaling out, providing more servers, more computers to run the app. Both scaling up and scaling out will result in
greater cost for your App Service Plan.
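The scale-up, scale-out and autoscale choices described above, as an added Azure CLI example that is not part of the course. The plan name is a placeholder, the autoscale setting is bounded by a maximum instance count so a demand peak cannot run up an unbounded bill, and AZ=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: scale an App Service plan up, out, and by metric from the Azure CLI.
# Assumptions: the plan name is a placeholder; set AZ=echo for a dry run.
set -eu

: "${AZ:=az}"
RG="${RG:-linkedinrgessential}"
PLAN="${PLAN:-linkedinplan-example}"   # placeholder plan name

# Scale up: change the pricing tier (SKU), i.e. the size of each machine running the plan
# (S1 -> S2 doubles the memory and the estimated monthly cost).
scale_up() {
  rg="$1"; plan="$2"; sku="$3"
  $AZ appservice plan update --resource-group "$rg" --name "$plan" --sku "$sku"
}

# Scale out manually: fix the number of instances running the plan (each one is billed).
scale_out() {
  rg="$1"; plan="$2"; count="$3"
  $AZ appservice plan update --resource-group "$rg" --name "$plan" --number-of-workers "$count"
}

# Autoscale: add an instance when the plan's average CPU exceeds 70% for 10 minutes and remove
# one when it drops below 30%, within a min/max instance range that caps the cost exposure.
enable_autoscale() {
  rg="$1"; plan="$2"; min="$3"; max="$4"
  setting="${plan}-autoscale"
  plan_id=$($AZ appservice plan show --resource-group "$rg" --name "$plan" --query id -o tsv)
  $AZ monitor autoscale create --resource-group "$rg" --resource "$plan_id" \
      --name "$setting" --min-count "$min" --max-count "$max" --count "$min"
  $AZ monitor autoscale rule create --resource-group "$rg" --autoscale-name "$setting" \
      --condition "CpuPercentage > 70 avg 10m" --scale out 1 --cooldown 10
  $AZ monitor autoscale rule create --resource-group "$rg" --autoscale-name "$setting" \
      --condition "CpuPercentage < 30 avg 10m" --scale in 1 --cooldown 10
}

# Read back the tier and current instance count to confirm what is being billed.
show_scale() {
  rg="$1"; plan="$2"
  $AZ appservice plan show --resource-group "$rg" --name "$plan" \
      --query "{tier:sku.name, instances:sku.capacity}" -o json
}

if [ "${1:-}" = "apply" ]; then
  scale_up "$RG" "$PLAN" S2
  enable_autoscale "$RG" "$PLAN" 1 4
  show_scale "$RG" "$PLAN"
fi
```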

1.4 Microsoft Azure Virtual Machines


1.4.1 Creating virtual machines in Azure, part 1
We've talked about how Azure is an infrastructure as a service solution, or it provides an IaaS solution as part of its
offering. And as part of that offering we can create our virtual machines to be hosted on this Azure platform. So let's take
a look at the tools that we use to create virtual machines and how we create those virtual machines. First I want to
highlight that there are two windows that you can use to manage your virtual machines, Virtual machines and Virtual
machines classic within the portal. I'm going to go to Virtual machines which is where the new modern virtual machines
are going to be created. Classic is for older virtual machines from the early iterations of Azure, and if you had those
virtual machines created there that's where you will find them to manage them. So here under virtual machines I can either
click on the Create virtual machine button here or click on Add to add a new virtual machine which is what I'm doing
right now. So my first option here is to select my subscription; if I have multiple subscriptions, this will be the
subscription that I will use to host my virtual machine. Then I can select my resource groups. So the resource group I will
select is my LinkedIn RG resource group which is where I'm putting all of my resources; it's great to host all of the
resources for a specific project or for an organization in a resource group if you need to remove them later on. I will
need to delete all of these resources after demonstrating them, and I can just delete them straight from the resource
group itself, so I don't have to go and look in the various resource groups where all my resources are located. Then I
need to specify a name for my virtual machine. And the name has to meet the naming requirements, specifically the
character types that are allowed within Azure. So let me just show you what's allowed and what's not allowed. VM1 is
going to be allowed, even though it's not a unique name: the name of a virtual machine does not need to be unique. Now,
if I put an underscore you'll notice that right away I'll receive an X, basically telling me that I cannot have this type of
character. So I'm going to remove that and I'm going to call it VM1LinkedIn which is an allowed name and it's within the
number of characters allowed. Then
I'm going to select my region. Now, if I click on the drop-down list you'll notice that I have many regions in Azure. And
at the moment of filming this video, these are the regions that are available within Azure. Microsoft is constantly adding
new regions as it's deploying datacenters across the world in new regions. Some regions have multiple locations. For
example, East US, that has two locations, essentially multiple datacenters that are located in the same geographical region
in the United States. It's important to select your region and to understand the impact of selecting a new region. When you
provision resources in a region, you typically want to have those resources located close to your user population. So if
most of my users are going to be located in East US, I create my resources in East US to ensure optimized access to the
resources. As well, if I want to provide some type of redundancy between regions, specifically when we talk about
storage, I can specify redundancy between regions. So I'm going to put my virtual machine in East US. Then under my
availability options I can select either an availability zone or an availability set. Now the availability zones or the
availability sets are used for virtual machine redundancy, similarly to a clustering solution that we would have in
Windows. So if one virtual machine fails we have access to another virtual machine, either in another zone or within this
clustering set. So we will talk about availability zones and availability sets later on in this course. Then I select the image.
So if I click on my drop-down list I have a list of recommended images, essentially some of the most popular images for
virtual machines in Azure. I have some of the older Windows Server operating systems, like Windows Server 2012 R2,
and 2016, as well as the latest Windows Server operating system, Windows Server 2019. Some Ubuntu servers are here as
well. I've got some Red Hat Linux servers. And even some client operating systems such as Windows 10 Pro, and then I
have multiple versions of each as well. So to keep this simple I will select Windows Server 2019 Datacenter. The next option to
select is the size of my virtual machine. Now you noticed that I have a size that's already been set here which is the DS1
v2 Standard size. This is essentially choosing the hardware that will host these virtual machines. So the type of hardware
will of course impact my costs. So I can actually click on Change size here. And let's change the virtual machine that's
selected. Now when I click on Change size you notice that I have a large number of size VMs that I can select from, all
the way down to B1ls, which only has a maximum of 200 IOPS, or input/output operations per second, supports premium
disks, and comes at a lower monthly cost, an estimated cost of about $9.33, as I go all the way up to DS3 v2, which has a greater number
of CPUs, a greater number of RAM already allocated to it, as well a greater number of IOPS supported. So depending on
the workloads that I'm expecting to host on this virtual machine I will choose one of these sizes of VMs. Again, defining
the hardware that will host my virtual machine, and also defining my estimated monthly cost for managing that virtual
machine. I can close that, I have my DS1 v2, that is the default that was selected by Microsoft and that has a relatively
high monthly cost. Then I need to specify the username so the username will be the local user account to log in, to sign in
to this virtual machine. And I'm going to give it a name here. Now, you'll notice that there are some requirements for the
name as well, if I try to put Administrator it will give me an error message because Administrator is not an allowed name.
Users must not include reserved words is the specific requirement here, which basically states that Administrator is so well-
known that we don't want individuals who are trying to get into virtual machines to be able to use these simple words to
try to get in. So it's a very basic level of security. I'm creating my own username here, AdminAdmin, that one is not on the
reserved list. As well I need to specify my password. So you'll notice that my password requirement is at least 12
characters. So I'm going to put that password, and I'm meeting all of the password requirements, at least 12 and at most
123 characters; remember my recommendation, use passphrases, not passwords, whenever possible. They're much easier to
remember. And my passwords are now matching. Next down below I'm going to specify some inbound port rules and
these are the allowed inbound ports for my virtual machine. And if I click here on Allowed selected ports I can select from
a list of ports that will be allowed to my virtual machine. So think of those as the firewall settings essentially for the
virtual machine. And I'm going to allow these various ports. Notice that RDP is an allowed port because RDP is a
mechanism that I can use to connect remotely to the virtual machine. You have a warning here letting you know that these
ports will be exposed to the Internet and therefore you need to secure the traffic using other mechanisms, and we'll talk
about that in a later video in this course. The next option we have here is a licensing option which essentially allows you
to use some of your existing on-premises Windows Server licensing to license this Windows server. And the Azure hybrid
benefit is a Software Assurance benefit of Microsoft licensing that we can use to actually license our servers in Azure. So
if I have a license I can specify the information now or I can click on No, which is what I have. So these are the first
settings or the basic settings for creating a virtual machine. In the next video in this course we will look at the next
settings before actually we complete the creation of the virtual machine.

1.4.2 Creating virtual machines in Azure, part 2


Now that we've begun the process of creating our virtual machine, let's take a look at the additional settings we can
configure for our brand new virtual machine. So the next setting is selecting the disk. Now I want to highlight the fact that
the first disk that I'm selecting here is the OS disk or the operating system disk. This is the disk that will contain all of the
operating system files and actually run your operating system. Think of it as your C drive when you're installing a new
machine or a new server. Now when I select my operating system disk, I have three choices here: standard hard disk
drive (HDD), standard SSD (solid state disk), or premium SSD. You've guessed it, premium SSDs are more powerful and
more expensive, and as we move down the line of our options, we are increasing our IOPS, reducing our latency, and
ensuring that we have the highest-performing disk. Microsoft has recently introduced an additional type of disk called the
ultra disk, so we have now the standard hard disk drive, standard solid state disk, premium solid state disk, and then the
ultra disk. The ultra disk is available for the largest size VMs or virtual machines, and it is available for supporting the
most demanding workloads, such as SAP or high-performance SQL databases. So these types of disks, of course, provide
the highest possible IOPS and the lowest possible latency and are the highest-performing disks that Microsoft offers in
Azure. The ultra disks, of course, come at a premium cost. Next, I can select also a data disk. Now the data disk is the disk
where we will store our data, so if this virtual machine will be hosting files or will be hosting additional information that
we need to store in this virtual machine, we can create data disks. Now when we create a data disk, we can either attach it
from an existing disk that we already have, maybe it was a disk that was used in another virtual machine, or we can create
a brand new disk, and that disk can also be created from other sources, such as an existing image that we've
created or even a blob that we have stored in Azure, so we have these options here for creating additional data disks. My
next options here are networking, so under networking, this is where I'm going to specify my virtual network, so in a later
video in this course, we will dive deeper into virtual networking, but essentially, the virtual network is the connection to a
network that my virtual machine will have access to. Later on, when I add additional virtual machines, I can connect those
to that virtual network, as well, and so I can have multiple machines that coexist together in a virtual network. So I don't
really have any virtual networks right now in my environment. This virtual network was created for me or is about to get
created for me through the creation of the virtual machine. So as I create the virtual machine, it realizes that it must have a
virtual network and therefore, it selects this virtual network for me, creates it for me, as well as its associated subnet, the
range of IP addresses that will be used for the virtual network. As well, it creates for me a brand new public IP address
and the public IP address will be dynamically generated, so it's a DHCP-assigned IP address from a range that's available
in Azure, and it will be assigned to my virtual machine, and if I need to access that virtual machine remotely from the
internet, it will be accessible through that IP address. Remember that there are other mechanisms, as well, to access the
virtual machine, such as the connection tool built into the Azure portal, or I can also create a
VPN, a virtual private network, to connect directly to the virtual network that is assigned or connected to this virtual
machine. So there are multiple ways to connect to this VM after we've created it. Next, I have the security group or the
network security group, so we can specify whether or not we want to create one and the types of configuration. If I click
on advanced, I'll be able to configure some advanced settings there. Then I have my inbound ports. Now you'll remember
that in the basic tab, we specified the inbound ports, and they're already specified here. I can modify this setting, so it was
in my basic setting, but here, it's essentially an advanced setting that I can customize these ports. Next, I have a relatively
new functionality in Azure, which is accelerated networking, which essentially provides an enhanced method of
connecting over the network and provides the highest possible bandwidth for this virtual machine. It is not available for
all VM sizes and the VM size that I selected does not provide accelerated networking. Next down below, we have a load
balancing option. So if I have an Azure load-balancing solution, such as a load balancer, if you add your virtual machine to
the pool, you can actually enhance the connectivity to this virtual machine by ensuring that if a virtual machine is too
busy, a client connection could be established to another virtual machine in the pool. This is not a high-availability
solution. This does not resolve the problem of one virtual machine becoming unavailable. This is a load-balancing
solution which allows you to enhance the connectivity or the speed of connection from clients by balancing the
connections to multiple virtual machines that are located in a backend pool. So these are my networking settings that I can
specify for my virtual machine. Let's move onto the next tab, which is management. Now when I click on the management
tab, I have various options that can be used to troubleshoot or to secure the virtual machine. First, I've got my boot
diagnostics, which are, essentially, troubleshooting tools if I have some startup issues or errors. Same thing here under the
OS guest diagnostics, various types of diagnostics and monitoring tools that we can use. All of this information can also
be stored in a custom storage account. Again, this is Azure storage that would be created for me or I can go to my
dropdown list and select an existing storage account. One of the relevant pieces of information here that I want to
highlight is the auto shutdown. The auto shutdown allows you to specify a schedule as to when this virtual machine will
automatically be shut down. Think about it as a cost-saving measure. If you know that nobody is accessing this server
after 7:00 p.m., you can have it automatically shut down after 7:00 p.m. Since your Azure costs are associated to the
number of hours that a virtual machine is running, by specifying a shutdown time, it will allow you to reduce your costs.
If I go down below my list, I also have backup. It's funny that backup is one of the last options here that can be
configured, but this is where you would specify the backup of your virtual machine, which would go into a recovery
service vault, and we will cover the recovery service vault a little bit later on in this course. So I'm going to turn those off,
and go back on top, and I have some additional settings here that I can set, some advanced settings for hosting. Not really
that common to be used. Most of the settings in this tab are not common to most deployments. One good example of those
is the ability to install extensions, so if you need to bundle an additional component that would be pushed to your virtual
machine, you would provide it here as a pre or post-deployment task. We're not going to customize these settings here,
since they are more rarely used. Next, I've got my tags option where you can actually specify a name value pair for your
virtual machines. Basically allows you to specify a tag for them and then later on, review the virtual machines that are all
associated to a specific tag. It's specifically helpful when you are reviewing your billing costs, so for organizations that
have many sub organizations that they are hosting, they can assign their virtual machines to each one of those sub
organizations and then manage the billing costs of those virtual machines based on their tags. And then my last screen
is the review screen, where I can review all the settings that I've specified. I have some information as to what
Microsoft expects my costs to be, I have all of my settings that I've set, all of my disk settings, my networking settings,
management settings, and so on. And when I'm done reviewing and I'm sure that I want to create this virtual machine, I
would click on create. Once I click on create, the deployment is launched and the virtual machine is in the process of
deploying. A deployment can take several minutes or several hours, depending on how many virtual machines we're
deploying and the type or the size of the virtual machine that we're deploying. A deployment like this, I don't expect it to
take more than a couple of minutes, and once the machine has completed its deployment, it will be available for us to
manage.
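The two-part creation procedure above, as an added Azure CLI example that is not part of the course: it checks the VM name, reserved username and password rules locally before calling Azure, creates the Windows Server 2019 VM with the default DS1 v2 size and a premium SSD OS disk, opens only HTTPS to the internet, tags the VM for billing review and schedules the 7 p.m. auto-shutdown. The names and region are the course's, the reserved-name list is only a sample of Azure's full list, the admin password is read from an environment variable, and AZ=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: create the course's VM from the Azure CLI with the basic, disk, networking
# and management choices discussed in parts 1 and 2, plus local checks for the naming rules
# the portal enforces. Names/region are the course's; set AZ=echo for a dry run.
set -eu

: "${AZ:=az}"
RG="${RG:-LinkedInRG}"
VM="${VM:-VM1LinkedIn}"
LOCATION="${LOCATION:-eastus}"

# Windows VM names: 1-15 characters, letters, digits and hyphens only (no underscore).
validate_vm_name() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# Reject a few of the reserved admin names Azure refuses (a sample; the portal enforces the
# full list). The comparison is case-insensitive, so "Administrator" is rejected too.
validate_admin_username() {
  lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$lower" in
    administrator|admin|root|guest|user|test) return 1 ;;
  esac
  return 0
}

# Password rules: 12 to 123 characters and at least three of upper, lower, digit, special.
# A passphrase such as "Correct-Horse-Battery-9" meets all four classes.
validate_password() {
  pw="$1"; classes=0
  [ "${#pw}" -ge 12 ] && [ "${#pw}" -le 123 ] || return 1
  printf '%s' "$pw" | grep -q '[A-Z]' && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[a-z]' && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[0-9]' && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' && classes=$((classes + 1))
  [ "$classes" -ge 3 ]
}

# Build the VM: Windows Server 2019, the default DS1 v2 size, a premium SSD OS disk, no
# inbound NSG rule created by default (--nsg-rule NONE) and a tag for billing review.
# The password is still passed to az on its command line, so run this from a trusted host.
create_vm() {
  rg="$1"; vm="$2"; location="$3"; admin="$4"; password="$5"
  validate_vm_name "$vm" || { echo "invalid VM name: $vm" >&2; return 1; }
  validate_admin_username "$admin" || { echo "reserved username: $admin" >&2; return 1; }
  validate_password "$password" || { echo "password does not meet requirements" >&2; return 1; }
  $AZ vm create --resource-group "$rg" --name "$vm" --location "$location" \
      --image Win2019Datacenter --size Standard_DS1_v2 --storage-sku Premium_LRS \
      --admin-username "$admin" --admin-password "$password" \
      --nsg-rule NONE --public-ip-sku Standard \
      --tags project=linkedin-course costcenter=example
}

# Expose only HTTPS (443) to the internet, as the course does; RDP (3389) stays closed.
allow_https_only() {
  rg="$1"; vm="$2"
  $AZ vm open-port --resource-group "$rg" --name "$vm" --port 443 --priority 1000
}

# Auto-shutdown at 19:00 UTC as a cost-saving measure (the course's 7 p.m. example).
schedule_shutdown() {
  rg="$1"; vm="$2"; hhmm="${3:-1900}"
  $AZ vm auto-shutdown --resource-group "$rg" --name "$vm" --time "$hhmm"
}

if [ "${1:-}" = "apply" ]; then
  : "${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment}"
  create_vm "$RG" "$VM" "$LOCATION" AdminAdmin "$ADMIN_PASSWORD"
  allow_https_only "$RG" "$VM"
  schedule_shutdown "$RG" "$VM" 1900
fi
```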

1.4.3 Managing virtual machines in Azure


Now that we've created an Azure virtual machine, let's see what settings were applied to this virtual machine and how we
can enhance the configuration and the management of this virtual machine in Azure. So in order to find my virtual machine,
I'm going to click on Home, and go through the list of my resources that were created here. If I don't see my virtual
machine, all I have to do is click on see all your resources, but it happens to be the first one listed here. So I'm going
to click on my VM1LinkedIn virtual machine I just created, and the first thing again, my overview blade lists the various
settings that are in my virtual machine, such as its name, the operating system, the size. Remember, we selected a specific
size for the virtual machine, basically defining the amount of resources available for this virtual machine. Right away I
can go into my settings, and I've got some of my basic settings here, such as my networking settings, specifying the ports
that are allowed, both inbound and outbound ports. I also have security rules that can be defined for this virtual machine,
and if I have specific security rules, I see that they are defined here. There are a lot of security rules that are
default security rules, and I can create additional security rules if I want, but these are the effective security rules,
which means the result of the security rules when you combine both the default and the ones that have been created. So
this is within my networking. So if I go down below, my next option is my disks. In my disks, I see here
the data disk and OS disk for my virtual machine. I also see the settings for those. I can add additional disks, if I want to.
As well, I can modify the configurations of my disks. The size of my virtual machine is defined here. Now you remember
that you picked that during the creation. I can resize my virtual machine by selecting another VM size. Now of course,
that will incur a different set of costs. So I've got lots of different settings here within my properties of my virtual
machine. The configuration as well is an interesting one, where we get to define the license of this virtual machine. So I
installed Windows Server 2016. Now depending on your agreement with Microsoft, one of the benefits that you have with
your Software Assurance benefit is the Azure hybrid benefit, which actually allows you to use your Windows Server
license in a virtual machine. So I can actually specify here that the license of my operating system is defined through the
Azure hybrid benefit that I've purchased from Microsoft. If I go a little bit lower here, I've got my operations, which is a
manner to manage the operations of this virtual machine. There's a lot of things that I can do here, such as specify a rule for
auto shut down. I can specify my backup, how to backup my virtual machine, and this can be very important, because you
may want to have a regular backup of your virtual machine. Remember that even though you are storing this virtual
machine in the cloud, Microsoft does not back up your virtual machine automatically. If you want to back up the VM, you
need to specify a backup to a recovery service vault. So defining a vault here would actually create a new recovery service
vault. Specify a resource group that it gets created in, and then you must define a backup policy. The backup policy will
define when the backup will occur. Will it be weekly, monthly, daily? You get to define that either by using one of the
pre-canned policies, the pre-existing policies in Azure, or by creating your own policy and then assigning it to this virtual
machine. Backups are very important to be performed. Of course, just like they were on premises. It's not because your
infrastructure is in the cloud that you shouldn't do backup anymore. As well,
I have my disaster recovery setting here, and under disaster recovery, I can configure something called Azure Site
Recovery, which allows you to specify a solution for business continuity, ensuring that if a virtual machine becomes
unavailable, there is another virtual machine that becomes available through an availability set for the services that
run in that virtual machine. So if you have a very important line of business application and you want that application to
run on a VM, on a virtual machine, you can create an availability set, have that virtual machine through Azure Site
Recovery be automatically available in a separate region. So configuring disaster recovery is another one of those tasks
that is quite important for your organization. Moving down from those settings, I also have my monitoring settings. Now
under monitoring settings, you actually see the resources that are being used in your infrastructure, and you can define and
specify some alerts and other settings. For example, if I click on Metrics here, you actually can create a chart or export the
data of your resource utilization. For example, here I can select a metric such as Data Disk Read Bytes, and it actually tells
me the amount of data that was read, and you see here that you have the average per second, and you can define a number
of those. You can specify your view, and you can also specify an alert based on a specific metric. So if you want to
specify that you have a peak of data read that is more than X megabytes in a specific time, then at that point you can
specify an alert rule that will automatically send you a notification when the threshold for that rule is exceeded. So we
have many different management tools here, such as the serial console as well. That allows you to connect to the virtual
machine through a command line interface and do some troubleshooting. We have monitoring tools, we have management
tools, managing the operation, the data, the backup, as well as the networking settings for your virtual machine. A number
of things can be configured and defined for your virtual machines, and it's very important to ensure that all the settings
that you define are correctly set based on the business use of your virtual machine software.
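The alert rule the passage above describes, scripted with the Az.Monitor module instead of the portal. This is an added example, not code from the original course. The resource group, VM name and e-mail address are placeholders, and the metric is an assumption: I use the host metric 'Percentage CPU', which every Azure VM exposes, rather than the data-disk metric shown in the portal, with a threshold of 80 percent averaged over five minutes.

```powershell
# Added example (not from the original course): create a metric alert with an
# e-mail notification using the Az.Monitor module.
# Assumptions (hypothetical names): VM 'vm1' in resource group 'rg-demo', the
# 'Percentage CPU' host metric, notification to ops@example.com.
# Requires: Install-Module Az ; Connect-AzAccount

$rgName = 'rg-demo'
$vm     = Get-AzVM -ResourceGroupName $rgName -Name 'vm1'

# Who gets notified: an action group with a single e-mail receiver.
# Set-AzActionGroup creates the group if it does not exist yet.
$email = New-AzActionGroupReceiver -Name 'ops-mail' -EmailReceiver -EmailAddress 'ops@example.com'
$ag    = Set-AzActionGroup -Name 'ag-ops' -ResourceGroupName $rgName -ShortName 'ops' -Receiver $email

# The condition: average CPU above 80 over the evaluation window.
$condition = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
    -MetricNamespace 'Microsoft.Compute/virtualMachines' `
    -TimeAggregation Average -Operator GreaterThan -Threshold 80

# The rule: evaluate every minute over a 5 minute window, severity 2 (warning).
Add-AzMetricAlertRuleV2 -Name 'vm1-cpu-high' -ResourceGroupName $rgName `
    -TargetResourceId $vm.Id -Condition $condition `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 2 `
    -ActionGroupId $ag.Id -Description 'Average CPU above 80% for 5 minutes' | Out-Null

# Confirm the rule exists and is enabled.
Get-AzMetricAlertRuleV2 -ResourceGroupName $rgName -Name 'vm1-cpu-high' |
    Select-Object Name, Enabled, Severity, WindowSize, EvaluationFrequency
```

Swap the metric name and threshold for whatever you watched in the Metrics blade; the action group is reusable across rules, so create one per on-call rotation rather than one per alert.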

1.4.4 Connecting to virtual machines in Azure


To connect to a virtual machine, there are multiple ways of doing that. One of the methods is by connecting to the virtual
network that the virtual machine is a part of and accessing shares or folders that are on that virtual machine. Another
method is by connecting through Remote Desktop. If we have a VPN into the virtual network, a Remote Desktop
connection is really not all that difficult. But if we want to connect as an administrator to the virtual machine that we
just created here, we can simply click on the Connect icon in the properties of the VM. That opens a window that allows
me to download an RDP file, a Remote Desktop Protocol file, that will establish a connection to that virtual machine. The
window shows the IP address that will be used as the connection endpoint, along with the port, which is the default RDP
port of 3389. Over the internet that endpoint has to be the VM's public IP address; the private IP address that was
dynamically assigned during the creation of the virtual machine only works from inside the virtual network or across a
VPN. So if I click on Download RDP File, I'm prompted to download that file locally, I open it, and when I click Connect
it establishes a Remote Desktop session to that virtual machine. In order for that Remote Desktop connection to work, the
virtual machine must be started and port 3389 must be allowed by the network security group. Now you'll remember that
when we created this virtual machine, we actually didn't allow port 3389. We only allowed HTTPS on 443, and by doing
that we prevented Remote Desktop access to that virtual machine. If I want to allow Remote Desktop access, I need to go
into the networking settings of the virtual machine and add an inbound rule for 3389. Do not open 3389 to Any: an RDP
port exposed to the whole internet is scanned and brute-forced within minutes of appearing. Restrict the rule's source to
your administrative IP address or range, or better, avoid a public RDP endpoint altogether by connecting through a VPN,
Azure Bastion, or just-in-time VM access, which opens the port only for an approved address and a limited time.
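One way to add that rule without exposing RDP to the internet, using the Az PowerShell module. This is an added example and not code from the original course; the resource group, NSG name and the administrator's address (203.0.113.10, a documentation range used as a placeholder) are assumptions.

```powershell
# Added example (not from the original course): allow RDP to the VM only from one
# administrative address, and refuse to proceed if RDP is already open to the world.
# Assumptions (hypothetical names): resource group 'rg-demo', NSG 'vm1-nsg',
# admin source address 203.0.113.10/32. Requires: Install-Module Az ; Connect-AzAccount

$rgName    = 'rg-demo'
$nsgName   = 'vm1-nsg'
$adminCidr = '203.0.113.10/32'

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Guard: any existing inbound Allow that reaches 3389 (or every port) from Any/Internet
# is the mistake we are trying not to make. Fix those before adding anything.
$exposed = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*') -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
}
if ($exposed) {
    throw "Rule(s) $($exposed.Name -join ', ') already allow RDP from the internet; remove or narrow them first."
}

# Scoped rule: TCP/3389 inbound, only from the admin address. Lower priority numbers are
# evaluated first, so 300 is matched long before the built-in DenyAllInBound at 65500.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-RDP-From-Admin' `
    -Description 'RDP only from the administrator workstation' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 300 `
    -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 |
    Set-AzNetworkSecurityGroup | Out-Null

# Review the resulting inbound rule set in evaluation order.
(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).SecurityRules |
    Where-Object Direction -eq 'Inbound' |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

If your administrators work from changing addresses, replace the fixed prefix with a VPN or Bastion subnet rather than widening it to Any; the rule is only as good as the narrowest source you can commit to.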

1.5 Microsoft Azure Active Directory.


1.5.1 Exploring Azure Active Directory (AD)
Many administrators that are learning Azure, or that are thinking about moving their resources to Azure come from an
environment that is an on-premise environment that contains a lot of Windows-based services. And one of those services
that has been the most popular on-premises is Active Directory, or Active Directory Domain Services. This is what runs
on Domain Controllers, and provides your authentication and identity services throughout your on-premises network. So
what Microsoft has done is, within Azure, they've built a cloud-based version of this identity service, sometimes referred
to as Identity as a Service, or IDaaS (not to be confused with IaaS, Infrastructure as a Service). This Identity as a Service
is called Azure Active Directory.

In order to access and manage Azure Active Directory, we launch the Azure Active Directory Admin Center. So by
clicking on this Azure Active Directory link, we're actually launching the Azure Active Directory Admin Center. And this
interface is the management tool for everything that is related to the authentication services within your Azure
deployment.
This directory service was built for me automatically when I built my Azure subscription, and the way that I've actually
built my Azure subscription is that it's also tied to my Microsoft 365 deployment. So all of the users that exist in Azure
Active Directory also have mailboxes, or can have mailboxes, in the email services of Microsoft 365. So I'm using the
Azure Active Directory tenant as an identity service for my Microsoft 365 tenant. So the two of them can be linked, and
in this case, they are. So I'm going to go
through some of these options here that relate to the directory services, and then a little bit later on we'll dig a little bit
deeper into the users, the groups, and the authentication mechanism. First, in my Overview blade, I see here that I have
my Azure AD for Office 365, which actually tells you that it's linked to your Microsoft 365 tenant. As well, I see here that
I do not have an Azure AD Premium. So when you first get a directory service, it is a standard based directory service,
there are additional features that are available in a premium version of Azure AD, and some of those are multi-factor
authentication, the ability to log on by using multiple factors of authentication, and many more functionalities, and there is
a separate course simply on Azure AD within the LinkedIn library that I suggest that you go and review all of that
information, and there is a lot that has to do with the Azure AD Premium. So if I go through the list of objects and things
that I can manage within my Azure AD, of course I've got my users and groups, and we'll look at that a little bit later on. I
have also my organizational relationships. Now if I click on organizational relationships, this is where I can actually invite
external users into your organization. So, you may have users that exist all over the world that are not part of your
organization, they have their own email address, and maybe they have their own authentication mechanism. And you just
want to invite them, to give them access to some resources in your environment. So you can create a guest user for them
here, or there are other options as well that you'll be able to invite them by not creating a guest user, but allowing them to
create their own guest users. So we have many users that are listed here, we've decided to blur them out, to hide their
identity. But you can add guest users here by clicking New Guest User, providing their email address, and the user will be
added as a guest. As well, I've got my identity providers here. If you want to add an additional mechanism of
authentication within your Active Directory, you can actually add that. At this point, there is only one identity provider
that's available, which is Google, so that users could actually use their Google account to log in and to access your
resources in Azure AD. So I'm going to close that up now, and go back to my Azure AD Admin Center. And, in going
down the list of options here, the one that you will likely want to configure pretty close to when you deploy your Azure
AD is the roles and administrators. Roles and administrators is essentially the various predefined roles that exist in Azure
AD that you can assign to various users to perform specific tasks within Azure. And some of those tasks are not Azure
AD tasks, they're Azure tasks all up. For example, you've got the ability to assign a cloud application administrator. So
this is someone who will be able to manage application registrations and applications that exist within your Azure AD
infrastructure. As well, I can go down here, I can provide somebody the ability to just invite. I want somebody to be able
to invite external users. Now, we'll talk about that a little bit later on, but note that by default any user in your
organization can invite guests; you can turn that off. The highest role that I can have here is called the Global
Administrator. A Global Administrator has the highest level of privilege within your Azure AD tenant: every directory
setting, every user, every role. It is not automatically an Owner of your Azure subscriptions, because subscription access
is governed separately by Azure role-based access control, but a Global Administrator can elevate their own access to
every subscription in the tenant, so treat the role as you would domain admin on-premises: keep as few members as
possible and protect each of them with multi-factor authentication. And surprise, surprise, that is my role. I am a Global
Administrator, which is why I'm able to perform any task and demonstrate them to you. If my role was anything less than
that, I would be restricted from performing certain tasks, and certain menu options would be grayed out. Still within my
Azure AD, I've got different options that I can set here, and one of those options I'll
want to set from the get-go is my custom domain names. Now, the custom domain names are the names that can be used
for your user logon requests. So those are domain names that you've purchased, and that you have then verified in DNS as
your own. I can add any domain here, as long as I own that domain. If I don't own that domain, that domain cannot be
verified, and therefore, I cannot provide that domain as a logon domain name for my users. I cannot create URLs with that
domain name either. For example, in order to add a domain name, I would click on here, Add Custom Domain. And let's
say if I owned the domain linkedin.com, which unfortunately, I don't, I would be able to verify it later on. But at this point
I can add it here, click Add Domain, and then it will prompt me for verifying. Verifying means that if I own the domain, I
have the ability to modify the DNS zone, that public zone that is used in DNS to identify that domain. I have the ability to
modify it, if I own the domain linkedin. And if I have the ability to modify it, it's telling me, okay, if you can modify,
prove it to us by creating a TXT record in the DNS zone that has this value in it. So if I create a TXT record in the zone
with that value and click Verify, Azure queries public DNS, sees that the record is there, and reports success. Now we
believe that you own that domain, therefore, we will assign that
domain to your Azure AD tenant. And the result of that is that once this domain has been added, it will be verified, and
you'll see here that I have my default domain name, which is netlogon.com, that has a status of Verified, and that means
that I've created the necessary record in DNS and that whenever I create a user account, I can specify that user account to
have an email address and a logon name that uses this suffix. That uses the value here of my domain name. So, custom
domain names can be added, but they must be verified before they can be used.
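The same add-and-verify procedure, scripted with the AzureAD PowerShell module (the module that matches the Azure AD era of this lesson; Microsoft Graph PowerShell is its successor). This is an added example, not code from the original course. It assumes the lesson's domain netlogon.com and that you can edit that domain's public DNS zone at your registrar; the MS=... value is whatever your tenant hands back, not a fixed string.

```powershell
# Added example (not from the original course): add a custom domain, fetch the
# proof-of-ownership record Azure AD expects, confirm it is visible in public DNS,
# and only then ask Azure AD to verify it.
# Assumptions: hypothetical domain 'netlogon.com'; Resolve-DnsName needs the Windows
# DnsClient module. Requires: Install-Module AzureAD ; Connect-AzureAD

$domain = 'netlogon.com'

# 1. Register the domain with the tenant. It stays Unverified until step 3 succeeds.
if (-not (Get-AzureADDomain -Name $domain -ErrorAction SilentlyContinue)) {
    New-AzureADDomain -Name $domain | Out-Null
}

# 2. Ask Azure AD which record proves ownership. For TXT it looks like MS=msXXXXXXXX
#    and must be created at the zone apex (@) with your DNS provider.
$expected = Get-AzureADDomainVerificationDnsRecord -Name $domain |
    Where-Object RecordType -eq 'Txt'
"Create this TXT record at the apex of $domain : $($expected.Text)"

# 3. Don't click Verify blindly. Query a public resolver (not your own cache) and
#    compare what the world sees against what Azure AD expects.
$published = Resolve-DnsName -Name $domain -Type TXT -Server 1.1.1.1 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings }

if ($published -contains $expected.Text) {
    Confirm-AzureADDomain -Name $domain
    Get-AzureADDomain -Name $domain | Select-Object Name, IsVerified, IsDefault
} else {
    "TXT record not visible yet (propagation can take up to the zone's TTL)."
    "Published TXT values: $($published -join '; ')"
}
```

Leave the verification TXT record in place after success; Azure AD may re-check it, and removing it costs nothing to keep but can cause a surprise if the domain is ever re-verified.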

1.5.2 Exploring Azure enterprise applications

One of the benefits of having this cloud based directory services, is that it can integrate with other cloud based services,
and these cloud based services don't even need to be part of the same organization. They can federate and they can
authenticate to one another. So using our Azure Active Directory, we can even publish enterprise applications or publish
applications to all users in our enterprise. Applications that exist in our infrastructure and applications also that are public
and that are available through third party services. If I click on Enterprise applications, I actually see all the applications
that are part of my environment, and I can add additional applications as well.
Some of these applications I've deployed over time, or some of them are default applications, or some of them were
automatically installed through a third party software as a service, or through Microsoft 365, also a software as a service
solution. So for example, here I've published Dropbox for Business. So this is a non Microsoft app that I've linked through
my Azure enterprise applications in Azure Active Directory, and I can configure this app directly from this portal. By
clicking on the app, I have all of the configurations for the app. Such as its authentication, the allowed user, the endpoint
that it uses to connect to Dropbox, and so on. So these third party applications then are accessible to my users using a user
portal or a client portal that they use to access applications. That client portal, I can access by going to the
myapps.microsoft.com interface. So I'm going to open up a new tab here and go to myapps.microsoft.com, and now I am
in this portal where I see all the apps that have been published from my organization, including Dropbox for Business.
So you see, all of these apps are apps that exist in my infrastructure that have been published to my users, and those can
be managed through Azure AD. Now this portal that I saw here, I can also configure or customize using my company
branding, and I actually can brand the authentication page and all the portals that my users see when they connect to my
infrastructure.

1.5.3 Managing users in Azure AD


The primary functionality of Azure AD is as an authentication mechanism and an identity service, and the core element of
both of these services is the user account.
Anyone that accesses resources in Azure requires a user account. We have two types of user accounts:
a) standard user, and
b) guest user.

So let's take a look at user accounts in Azure Active Directory. If I click on all users, I see here that I have a list of user
accounts. Some of them are listed with the type member, and those are standard users, and others are listed with the type
guest, and those are external users. As well, I have the source, and the source defines where that user account is drawn
from. So here I have a user account named Admin1, [email protected], which is a member in my Azure Active Directory,
so that account is listed in my local directory of Azure. If an account, say the guest user here, comes from an external
Azure Active Directory tenant, it tells me right here. If the account comes from somewhere outside of Azure Active
Directory, I will see that listed in the source as well; in this case, multiple means it's not in Azure Active Directory.
So the source shows where the user account exists, and if the user account is not in my local Azure Active Directory,
then it's a guest account, an account from an external directory. To create a guest account, I would click on new guest
user, and that button is actually available on multiple blades. If I create a standard user account, I click on new
user. So let me go ahead and create a new user account to see what that looks like. When I create a new user account, I
have to give him a first name and last name, so I'm going to call this Steve Smith. And I need to give a username for Steve
Smith, so I'm going to give him [email protected], my local domain here. Oh, and it does a verification, and that
verification fails. Already have an SS Smith. Again, whenever you create objects, the validation always occurs. So I'm
going to call this one [email protected]. It's going to validate once I tab out of that window, and gives me a green
check to tell me it's all good. So now I can click here and validate his profile, set his profile settings, different properties
of the account, which groups the user is a member of, as well as his directory role. Is that user account an administrator of
any kind? As well, I have a password that is automatically defined for this user account, this is an automatically generated
password by Azure, and I can click on Create. The user account is created in my infrastructure, and if I search for the user
account, Steve, I find I actually have two Steve Smith, I've created a Steve Smith before. You notice that the actual name
of the user account doesn't have to be unique, only his username. And that's something that's important to demonstrate
here that the username is really the component that we need to have totally unique. So here if I click on Steve Smith, I see
that I can manage all of the properties for Steve Smith, add him to a group. I can modify his title, who he reports to, as
well some of the advanced user settings for Steve Smith. I can also provide an administrative role for Steve Smith if I
want him to be able to manage multiple objects within the Azure portal. So I can actually give him a role, and from here, I
can provide, one of the various roles, you'll remember, that global administrator is the highest role that that user can have,
and I'm going to give him application developer. Click on Select, and now that role has been provided to that user. You
can now use the portal to manage applications. As well, group membership can be modified and added here, and a license.
Now, the licenses are the licenses that I've purchased as part of my infrastructure. Here, I have multiple licenses that are
available to me, a Dynamics 365, Microsoft Flow, an Office 365 license, and a Power BI license. I'm going to select these
two free licenses, and assign it to that user account. And the option that tells me right away is that activate an Azure AD
paid subscription in order to assign licenses to group. So this is just a warning, I've actually been able to assign the
licenses to this user but I'm being reminded that there are some additional functionalities in Azure AD to assign licenses,
and one of those is to create a dynamic group that actually provides licenses automatically whenever you create a user. So
Azure AD is reminding me that the next time I perform this task, I can actually have that task be automated. I'm going to
click on Assign the Licenses, and complete this task. I have one of my licenses that failed, because the license actually
expired. So, I'm going to go back here to my all users, and see here my user settings for all of my users in Azure AD. And
there's additional functionality here, such as sign-ins and audit logs, that is not available for my tenant, and I'll show you
the error right away, and that is because I don't have an Azure AD Premium license. Note that not all configurations for
users are available to you depending on whether or not you have a specific Premium upgrade to your Azure AD. So don't
be alarmed if you're unable to configure some settings, and that is also true within all of Azure Active Directory: some
settings are only available with Premium licensing.
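The user-management tasks from this and the previous lesson, member creation with a directory role and a license, plus a guest invitation, done with the AzureAD PowerShell module instead of the portal. This is an added example, not code from the original course. It assumes the lesson's tenant domain netlogon.com and user Steve Smith, the SKU part number FLOW_FREE for the Microsoft Flow Free license, and a hypothetical guest at partner@example.com.

```powershell
# Added example (not from the original course): create a member user, assign a
# least-privilege directory role and a license, then invite a guest.
# Assumptions (hypothetical): domain netlogon.com, SKU part number FLOW_FREE,
# guest partner@example.com. Requires: Install-Module AzureAD ; Connect-AzureAD

$upn = 'ssmith2@netlogon.com'

# The display name need not be unique; the user principal name must be. This is the
# same validation the portal performs when you tab out of the username field.
if (Get-AzureADUser -Filter "userPrincipalName eq '$upn'") {
    throw "$upn already exists"
}

# Never script a fixed initial password. Generate one, force a change at first sign-in,
# and hand it over out of band (the portal's auto-generated password serves the same purpose).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$pwdProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwdProfile.Password = $initialPassword
$pwdProfile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName 'Steve Smith' -GivenName 'Steve' -Surname 'Smith' `
    -UserPrincipalName $upn -MailNickName 'ssmith2' `
    -AccountEnabled $true -PasswordProfile $pwdProfile `
    -UsageLocation 'US'    # a usage location is required before any license can be assigned

# Directory role: Application Developer, not Global Administrator. A built-in role has
# to be activated from its template the first time it is used in a tenant.
$roleName = 'Application Developer'
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# License: look the SKU up by part number and check that a seat is actually free,
# which is the failure the lesson ran into with an expired license.
$sku = Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq 'FLOW_FREE'
if ($sku -and $sku.PrepaidUnits.Enabled -gt $sku.ConsumedUnits) {
    $license  = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
} else {
    'No free FLOW_FREE seat (or SKU not purchased); skipping license assignment'
}

# Guest: a B2B invitation. The guest keeps authenticating with their own identity
# provider; only a stub object with UserType 'Guest' is created in this tenant.
$invite = New-AzureADMSInvitation -InvitedUserEmailAddress 'partner@example.com' `
    -InviteRedirectUrl 'https://myapps.microsoft.com' -SendInvitationMessage $true

# Both accounts side by side: Member versus Guest.
Get-AzureADUser -ObjectId $user.ObjectId            | Select-Object DisplayName, UserPrincipalName, UserType
Get-AzureADUser -ObjectId $invite.InvitedUser.Id    | Select-Object DisplayName, UserPrincipalName, UserType
```

The role and license steps are the ones worth reviewing before you run this: a script that hands out Global Administrator or a paid SKU by default will be copied and re-run long after you have forgotten it.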

1.6 Microsoft Azure Networking.


1.6.1 Understanding the Azure networking components
So we looked at virtual machines and we looked at other components of objects that are stored in Azure, but one of the
elements that's really important in having those elements communicate properly with each other is virtual networking.
Now virtual networking is one of those things that Azure largely sets up for you: every virtual machine's network
interface has to live in a virtual network, and the portal will create one on your behalf if you don't. Designing it
deliberately is what extends the basic usage of virtual machines in Azure with layers of security and isolation. So let's
dig a little bit deeper into virtual networking.
So what is a virtual network?
A Virtual network is a portion of our Azure configuration that will allow you to isolate a group of virtual machines or a
group of services into a security segment.
So think about it as a way to isolate a group of machines, maybe isolating them from the internet or isolating them from
each other, or even providing better communication within a group of virtual machines. So think about two sets of virtual
machines, a set that hosts databases and another set that hosts applications, and you want them to communicate really
quickly with each other and not have to be routed through load balancers or go through firewalls. Well, you can do that by
placing both sets in the same virtual network. Communication inside a virtual network is routed directly between the
virtual machines by the Azure fabric; it only passes through a load balancer or a firewall if you put one in the path. So
essentially there's a quicker communication that goes on there. By default, nothing on the internet can reach a virtual
network: resources in it get outbound internet access, but there is no inbound path until you assign a public IP address, a
load balancer or a gateway. So we'll see how to connect those to the internet, because we may want to have those virtual
networks connected to our internal network through the internet. So again, by default they're isolated from inbound
traffic, but we can provide a gateway or a point of connection to those virtual networks and then control that point of
connection in a secure manner. So what do virtual networks contain? Well, they contain different elements. The first
element of a virtual network is a virtual network address space. A virtual network address space is really a range of
addresses that services and VMs can use. So when you're thinking about which IP addresses your machines will have,
well, they'll have IP addresses from within your address space, the group of addresses that you can use. You define that,
and what's important when you define it is that you should use private, non-internet-routable ranges (the RFC 1918
ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), listed in CIDR notation. In CIDR notation, for example
192.168.0.0/16, the number after the forward slash is how many leading bits of the address identify the network; the
remaining bits, 32 minus 16 here, are available for hosts, so a /16 holds 65,536 addresses and a /24 holds 256. Now
there's a whole lot to IP subnetting and you can surely learn a lot about that, but you don't have to for using it in Azure.
Azure will actually give you, through a dropdown list, the ability to choose different segments and their CIDR notations,
so you don't have to type that out yourself. Understand though that the prefix length after the forward slash defines the
number of IP addresses that are available within your address space. You can configure that, you can modify it and you
can add additional address spaces later on, so you're not bound to it. One of the things that's important when you
configure your address space is that it must not overlap with your internal network addressing scheme, or the addressing
scheme of other virtual networks. If two virtual networks, or an internal network and a virtual network, use the same or
overlapping address ranges, they cannot be peered or connected cleanly, and the conflict will prevent communication.
Within our network address space we're going to create subnets. Subnets are segmented, manageable groups of IP
addresses included in our network address space, and those are the elements that we're really going to configure for
routing. So when we specify that a segment can communicate with another segment, those segments are really subnets.
So think about them as smaller, manageable groups of IP addresses. Whenever you specify a subnet, be aware that Azure
reserves five IP addresses in it: the first address (the network address), the second (the default gateway), the next two
(mapped to Azure DNS) and the last (broadcast). They won't be available for you to assign to virtual machines or to cloud
services; they're taken away by Azure, which is also why the smallest subnet Azure allows is a /29. As well, another
property within our virtual network is the DNS server setting. Now DNS is something that's very familiar to you if you
manage an on-premises environment. You already know that DNS servers are required for Active Directory, and required
for name resolution across the network. Maybe you had an old networking environment that used WINS; WINS name
resolution has been replaced mostly by DNS name resolution. So DNS is also part of Azure, where if you want the virtual
machines within your Azure environment to be able to resolve each other's names as opposed to their IP addresses, you'll
be using a DNS server setting. By default you already have a DNS server, the one provided by Azure. However, if you
want to connect your virtual network to the internal network of your organization, you'll need to put in place a DNS
server that provides that cross-premises name resolution. Now, if we
dig a little bit deeper into virtual networking, we discover the next level, virtual private networks. Now what are virtual
private networks? Well, they are used to connect your internal network to your virtual network, essentially connecting
your on-premises infrastructure to Azure. If you're going to deploy a virtual private network, first you need to have a
virtual network in Azure. Then you'll need to configure a VPN gateway. The VPN gateway is that element of your virtual
private network that provides the connection, the inbound point from your external network into Azure. Now there are
three different flavors of these connections in Azure: the site-to-site VPN, the point-to-site VPN, and ExpressRoute, also
known as a private connection. So let's dig into each one of those. First, the site-to-site VPN. A site-to-site VPN is used
to connect an entire office, or even multiple offices, to Azure. So think about it like having an entire network that you
want to extend into Azure. If you have a data center, or your company's office with hundreds or thousands of users, and
you want all of those users to be able to connect easily and quickly to Azure services, you would create a site-to-site
VPN. But to do that, you also need to have dedicated hardware on your network: your own VPN appliance that is able to
establish an IPsec/IKE tunnel over the internet to the Azure VPN gateway. So this requires a little bit more planning, and
is a little bit more costly because of that dedicated hardware. However, your users and your clients on your internal
network will not know the difference. They won't have to establish any special connection. They don't need a VPN client,
because their traffic goes through the tunnel that your dedicated hardware maintains. So in terms of experience from the
user's standpoint, it's very easy for them to access resources in Azure. However, from an administrative standpoint,
there's more planning, configuration and management required to deploy that solution. A point-to-site VPN is the
opposite of a site-to-site VPN in the sense that it is configured and managed directly from the client computer. So if you
only have several computers, or developers, or a certain dedicated group of computers that need to connect to Azure
services over a private link, then you would configure a point-to-site VPN on their client computers. Those computers
will not require any dedicated hardware, but they will require a VPN connection on the client computer. So they'll have
to launch that connection, and through that connection they will establish a link over to Azure. That connection is an
SSTP connection, Secure Socket Tunneling Protocol, which carries the tunnel inside TLS on TCP port 443, and that type
of connection uses certificate-based authentication to establish a tunnel between the client and the VPN gateway in
Azure: you upload a root certificate to the gateway and each client presents a certificate issued from it, so protect the
root's private key and revoke a client certificate on the gateway when a machine is lost. The last type of connection that
we can establish is ExpressRoute, also known as a private connection. This is a less common type because it requires
dedicated hardware, not in your network but at your network provider's. So this is a dedicated link directly from your
network provider to Azure. I want to be clear about this: if you have ExpressRoute, your communication does not go over
the internet; it goes over a dedicated link that the provider has established directly to the data centers that host Azure. So
think about it as a private connection over a dedicated link. Some people say it's not a VPN, it's really its own type of
connection, because a VPN assumes a connection over the internet. It's often still called a VPN, but it's really a dedicated
link connection. Note, too, that a dedicated link is private but not encrypted by itself; if confidentiality on the circuit
matters to you, you layer IPsec over it. Now, the point of establishing ExpressRoute is, as the name says very well,
having the quickest possible link to Azure, or the link that establishes the lowest possible latency in terms of
communication. There are of course additional costs assigned to it, and it's not available everywhere in the world, only
with those partner providers that have been chosen by Microsoft. Those providers have to prove their reliability and their
ability to establish a good link over to the Azure data centers.
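Before any of those connections will route, the address plan has to be clean. The script below checks a proposed virtual network address space against the on-premises range and an existing VNet for overlap, shows how many addresses each subnet really leaves you once Azure's five reserved addresses are taken, and only then creates the VNet. This is an added example, not code from the original course; the on-premises range 10.0.0.0/16, the existing VNet 10.1.0.0/16, the candidate spaces, and the resource group and region names are all assumptions. Everything except the last step is plain PowerShell arithmetic and runs without an Azure connection.

```powershell
# Added example (not from the original course): validate a VNet address plan, then
# create the VNet with the Az module.
# Assumptions (hypothetical): on-premises 10.0.0.0/16, existing VNet 10.1.0.0/16,
# resource group 'rg-demo', region 'eastus'. Last step requires Connect-AzAccount.

function ConvertTo-IpInt {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertFrom-IpInt {
    param([long]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                                (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-CidrRange {
    # The number after the slash counts NETWORK bits; the remaining 32 - prefix bits
    # address hosts, so a /16 holds 2^16 = 65536 addresses.
    param([string]$Cidr)
    $ip, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    $size   = [long][math]::Pow(2, 32 - $prefix)
    $addr   = ConvertTo-IpInt $ip
    $start  = $addr - ($addr % $size)          # align to the block boundary
    [pscustomobject]@{
        Cidr  = $Cidr
        Start = $start
        End   = $start + $size - 1
        Size  = $size
        # Azure reserves 5 addresses per subnet: network, default gateway, two for
        # Azure DNS, and broadcast. A /29 (8 addresses, 3 usable) is the smallest allowed.
        AzureUsable = [math]::Max(0, $size - 5)
    }
}

function Test-CidrOverlap {
    param([string]$A, [string]$B)
    $ra = Get-CidrRange $A; $rb = Get-CidrRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

$onPrem   = '10.0.0.0/16'
$existing = '10.1.0.0/16'

# Pick the first candidate address space that collides with nothing we must talk to.
$vnetSpace = $null
foreach ($c in '10.1.128.0/17', '10.2.0.0/16') {
    $conflicts = @($onPrem, $existing) | Where-Object { Test-CidrOverlap $c $_ }
    if ($conflicts) { Write-Warning "$c overlaps $($conflicts -join ', '); a VPN or peering would not route" }
    elseif (-not $vnetSpace) { $vnetSpace = $c }
}
# 10.1.128.0/17 lies inside 10.1.0.0/16 and is rejected; 10.2.0.0/16 is chosen.
"Selected address space: $vnetSpace"

# Subnet sizing: what you actually get to assign after Azure's reservations.
foreach ($s in '10.2.0.0/24', '10.2.1.0/27', '10.2.1.32/29') {
    $r = Get-CidrRange $s
    '{0,-16} {1,6} addresses, {2,5} usable in Azure ({3} to {4})' -f @(
        $r.Cidr, $r.Size, $r.AzureUsable, (ConvertFrom-IpInt $r.Start), (ConvertFrom-IpInt $r.End)
    )
}

# Once the plan is clean, create the VNet and its subnets (Az module).
$subnets = @(
    New-AzVirtualNetworkSubnetConfig -Name 'app' -AddressPrefix '10.2.0.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'db'  -AddressPrefix '10.2.1.0/27'
)
New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName 'rg-demo' -Location 'eastus' `
    -AddressPrefix $vnetSpace -Subnet $subnets | Out-Null
```

The overlap check is the part to keep around: run it against every on-premises range and every existing VNet whenever a new address space is proposed, because an overlap is cheap to avoid on paper and expensive to fix after workloads are deployed.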
2 Azure Active Directory: Basics

2.1 Introduction.
2.1.1 Modern identity

Roughly 20 years ago Active Directory was introduced for the first time in Windows Server and it turned out to be a
massive hit among IT administrators. It created millions of jobs, transformed millions of businesses and was a critical
contributing factor to the roaring success of Windows Server. Fast forward to present day, although Windows Server
Active Directory is still extremely popular, there are some areas where it is unable to catch up to today's demanding IT
challenges.
Based on my experience I would say, the number of said challenges will only continue to rise with time. So we need to
tackle them by rethinking our strategy and taking a cloud-first approach to identity. Think of modern identity. However,
before we do that, let's take a quick walk down history lane. As administrators, whenever we hear the word identity we
typically think of user credentials stored on domain controllers that enable access to business applications. It used to be
like that for a very long time, but then things started changing. Some applications moved to the cloud, while other
remained on-premises, leading to the segregation of the infrastructure into two parts, cloud and on-premises. Let's focus
on the on-premises part first. When a user wanted access to an application, it was simple. The user could authenticate
against the domain controller and quickly get to the application they needed, because the user, the domain controller and
the application were all present locally. But, when it came to the cloud, things were not as simple. Firstly, there was no
central authority for authenticating users across applications. Secondly, users were accessing applications over the
internet, thereby increasing the overall security risk. These were the two biggest hurdles, among many others, that we
had to overcome in order to truly embrace the cloud. That paved the way for the concept of identity as a service we have
today: a centralized and secure identity store for authenticating users requesting access to resources in the cloud. And
everything is available as a service today, software, platform, infrastructure, then why not identity, right? It just seems so
obvious at this point. You may not realize it, but identity as a service is already playing a much, much bigger role in our
lives than we know. Microsoft's implementation of identity as a service is named Azure Active Directory. It powers pretty
much the entire Microsoft cloud ecosystem. Trust me, you cannot really afford to skip this. You'll have to learn it sooner
or later, so you might as well do it now, with me, in this course.

2.1.2 Prerequisites

Here are the prerequisites you'll need to follow this course. This course is aimed at the target audience of Windows
administrators managing Microsoft environments, then Azure administrators managing infrastructure resources, identity
professionals working on Microsoft or non-Microsoft identity solutions, business decision-makers, CXOs of small to
medium-sized businesses, and app developers who write or want to write applications for the cloud. The prior knowledge
required to understand this course is at least a basic understanding of Windows Server Active Directory and Azure
Administration, then business strategy and a little bit of application development. There are only a few lessons where an
understanding of application development is helpful, but you should be able to follow just fine even if you don't know it.
Finally, as far as required resources are concerned, you need an Azure subscription if you want to practice the things you
are about to learn hands-on.

2.1.3 Roadmap


Here's a roadmap of how we'll try to ascend to the cloud, one clip at a time. This course consists of six parts. The part that
you're currently watching is the introduction. In the first chapter, Azure Active Directory Fundamentals, I'll give you a
high-level overview of the various Azure AD components, describe why you need them, and explain what they exactly do. This
chapter will be the heart of this course. In the second chapter, Industry Standards and Compliance, I'll talk about
regulatory compliance, open standards, and how Azure AD abides by them. This chapter will give you a good idea of how
the world perceives this product. In the third chapter, Provisioning an Azure AD Tenant, I build a scenario for a fictitious
organization and spin up an Azure AD Tenant during a hands-on demonstration. In the fourth chapter, Potential Business
Impact of Azure AD, I'll outline the various improvements that you'll probably be able to see after adopting Azure AD for
your organization. And finally, in the last part, the conclusion, we'll give you all the key takeaways of this course and
explore steps for further learning. It's also worth noting that this course is only intended to give beginners a very high-
level overview of Azure AD as a product, which means we'll have more theory and fewer demos. If you're already
familiar with the basics of Azure AD, or are looking for a deeper understanding of the product, this may not be the right
course for you. You'll probably want to look at my other courses in the learning path in that case. But if you're a beginner,
then you are at the right place. For the best experience, watch this course in full-screen. So buckle up your seat belts, we
are ready to take off. I'll see you in the next chapter.
2.2 Azure Active Directory Fundamentals
2.2.1 Identity and access
Azure Active Directory Fundamentals. In this chapter, we'll learn about the core competencies of Azure AD, why they are
needed, and what exactly they do in terms of functionality. I'm really excited about this chapter, because there's so much
awesome stuff coming your way. Imagine that you are traveling internationally for business. What is the first piece of
documentation you'll need to be able to do that? A passport, which the airport authorities use to validate your identity.
After that, you'll be in flight for a few hours and then land. At the destination airport you'll also need a visa, which the
immigration officers use along with your passport to determine your level of access in their country, basically the purpose
of your visit: transit, tourism, business, or employment. Now what would happen if anybody could just fly anywhere they
want without a proper passport or visa? That could lead to potentially disastrous circumstances. So you realize how vital
identity and access is. That is true not just for aviation, but also for enterprise organizations. The implementation is a
little different, but the concept is essentially the same.

If we compare them, instead of a passport for identity, we have credentials for authentication. Instead of a visa for
access, we have permissions for authorization. Instead of a boarding pass for the trip, we create a sign-in session,
typically carried in cookies or tokens. There the safety of people is at risk, and here the security of the company's
resources is at stake. You can't travel anywhere internationally without fulfilling the passport and visa requirements. And
ideally, you shouldn't be able to traverse the corporate network without proper authentication and authorization either,
because that's the first barrier protecting privileged resources. But unfortunately, people with bad intentions sometimes
circumvent these measures, get unauthorized access, and cause damage. That's where Azure AD comes to the rescue.

Its ultimate job is to minimize, or eliminate such threats, by providing administrators, like us, with sophisticated tools for
identity and access management.

2.2.2 Azure AD overview


Let us try to understand Azure AD by comparing it to something we already know, Windows Server Active Directory. We
use the term Active Directory to refer to Active Directory Domain Services most of the time. And this role does three
main things in Windows Server. It manages users and groups, manages computers, and supports directory-aware
applications. Apart from that, there are other Active Directory roles as well. There's Active Directory Federation Services,
Certificate Services, Lightweight Directory Services, and Rights Management Services. My point being, Active Directory
in itself is not a single service, but is a collection of multiple services designed to perform different tasks.

Azure Active Directory follows a similar structure. It also facilitates the management of users, groups, computers, and
applications, and it's not a single service. It's an umbrella of multiple services, each one of which serves a very strategic
function. For managing users and groups, we have the web-based Azure Active Directory Admin Center. Although you can
also manage Azure AD by navigating through the Azure portal, the Azure Active Directory Admin Center is like a direct,
dedicated page for all tasks specific to Azure AD. The URL for the Admin Center is aad.portal.azure.com. We can compare
this to the Active Directory Administrative Center MMC that we get with the AD DS role in Windows Server. Then, for
managing laptops and desktop computers, we have Azure AD Join. This is primarily intended for company-owned devices
that are handed out to employees. We can compare this feature to the domain join operation in Windows Server. For
managing applications, we have not one, but multiple options, depending on whatever is appropriate for our requirements. So
if you need to run older directory-aware applications, you can use Azure AD Domain Services.

Then, we have support for integration with modern SaaS applications, as well as PaaS applications that you're developing
in-house or through an independent software vendor. After that, we have the Application Proxy. Now, this is a really cool
feature, in my opinion, because it lets you authenticate users in the cloud and then redirect them to remote applications
running on-premises. So it essentially puts a cloud authentication layer, with conditional access if you want it, in front of
an on-premises application that may have no modern authentication of its own. The bottom line here is that Azure AD
undoubtedly does a great job of covering the basic requirements like users, groups, computers, and applications. But that's
not all. It does so much more. It extends device management to include bring your own device, or BYOD, scenarios. So
alongside Azure AD Join for company-owned devices, you have device registration for laptops, computers, and mobile
devices that are owned by employees and used to access corporate resources. No such solution is available in Windows
Server Active Directory out of the box. Then it has Azure AD B2B, or business to business. This feature makes sharing your
corporate resources and collaborating with users from partner organizations easy and secure. The users are from external
organizations that need temporary access to your organization's assets, hence the term B2B. The traditional alternative to
this is deploying Active Directory Federation Services between organizations and configuring trusts. Next, it also has
Azure AD B2C, or business to consumer. This feature enables you to handle the identities of individual customers using
your public-facing business applications. The users here are also external, but instead of belonging to one organization,
they're individuals using the application or service you offer to the general public. Again, there's no such solution
available in Windows Server Active Directory out of the box. Now, some of you may be wondering, "All this is great, but
what about the investments we've made to set up Windows Server Active Directory based infrastructure on-premises? Is all
that money as good as thrown out of the window?" Absolutely not. Azure AD and Windows Server Active Directory actually
complement each other really well. You can use the Azure AD Connect tool to integrate your on-premises Windows Server
Active Directory with Azure AD for a hybrid identity infrastructure. The benefit of doing that is that your users can access
both on-premises and cloud resources seamlessly with the same credentials, valid across both environments. Now coming
to the ultimate promise Azure AD intends to fulfill. Sure, there are tons of swanky features in Azure AD, but they're all
built around one single core principle: security. The historical problem with security is that there are always people who
are able to outsmart it. But thanks to the evolution of machine learning, Azure AD's defenses are much stronger and smarter
now. And it's not just the security that's smart.

Even day-to-day administrative tasks have become smarter and more intuitive. How, you ask? Why don't we find out?
What you just got was a high-level overview of the main Azure AD components. Now, let's take a look at each one in a
little more detail.

2.2.3 Azure AD Connect deployment

Let's start with AD Connect. I chose to start here because I want to walk you through everything in the logical order that
you typically follow when you're rolling out Azure AD in your environment. And there's a fairly good chance you'll start
with the AD Connect deployment.

AD Connect integrates Windows Server Active Directory on-premises with Azure Active Directory. It serves as a bridge
that connects the two environments to give you a hybrid identity infrastructure. So this tool needs to be installed and
configured before your on-premises users can be populated in the cloud. And although AD Connect is an Azure AD
component, it is installed on-premises, preferably on a domain-joined member server rather than on a domain controller.
The primary responsibility of this tool is to synchronize user objects, group objects, and computer objects from
on-premises to Azure AD.

This is required so that when users who were created on-premises try to access resources in the cloud, Azure AD is able
to recognize them. And it's not only objects that get synchronized; there can also be a bidirectional flow of configuration.
Any changes made to objects on-premises are automatically reflected in the cloud, and selected changes made in the cloud,
such as password resets, can be written back on-premises (the writeback features are off by default and have to be
enabled). That way both copies of the object are consistent with each other. AD Connect also helps you set up single
sign-on across the two environments, so the line between local and cloud apps fades out for the users.

You can also set up federation if you've got Active Directory Federation Services installed on-premises. You only want to
do this if you have a hard requirement that authentication requests should only be served on-premises and not in the cloud.
AD Connect comes with a service called AD Connect Health, which monitors the availability of the AD Connect server
itself and your Active Directory infrastructure. It uses a local agent to collect this information and sends it to the AD
Connect Health portal in Azure. So if ever synchronization is not working as expected, the Health portal should be the first
place to check. Although it's implied, let me explicitly state that you will require AD Connect only if you're planning a
hybrid architecture. If you're going for a pure cloud strategy, you don't have to worry about this tool at all.
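As an added example, not part of the course, here is the check I would run when synchronization "isn't working": first on the AD Connect server itself, with the ADSync PowerShell module that the AD Connect installer provides, and then from the cloud side with Microsoft Graph PowerShell. The cmdlets and properties are real; the server and tenant are assumed.

```powershell
# --- On the AD Connect server (the ADSync module ships with AD Connect) ---
Import-Module ADSync

$sched = Get-ADSyncScheduler
# A server in staging mode imports and syncs but never exports to Azure AD. This is the usual
# reason nothing shows up in the cloud after a migration to a new AD Connect server.
if ($sched.StagingModeEnabled) { Write-Warning "Staging mode is on; this server will not export." }
if (-not $sched.SyncCycleEnabled) { Write-Warning "The scheduled sync cycle is disabled." }
$sched | Select-Object SyncCycleEnabled, StagingModeEnabled, CurrentlyEffectiveSyncCycleInterval,
                       NextSyncCycleStartTimeInUTC, SyncCycleInProgress

# Push a delta cycle now, e.g. right after creating users on-premises, unless one is running.
if (-not $sched.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Connector run status: an empty result means no connector is running at the moment.
Get-ADSyncConnectorRunStatus

# --- From any workstation with Microsoft Graph PowerShell (Install-Module Microsoft.Graph) ---
Connect-MgGraph -Scopes "Organization.Read.All"
# OnPremisesLastSyncDateTime should be within the sync interval (30 minutes by default).
# If it is older than that, the AD Connect Health portal and the server's event log are next.
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
```

The staging-mode test comes first on purpose: a second AD Connect server is normally built in staging mode for a swing migration, and forgetting to switch it over produces exactly the "users never arrive in the cloud" symptom described above, with no error in the sync run itself.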

2.2.4 Users and groups management

The next step in onboarding onto Azure AD is to manage users and groups. All objects in Azure AD are prepared for
cloud readiness, regardless of whether the objects are created in the cloud or synchronized from on-premises through AD
Connect. Objects that are native to the cloud are already compatible with it, but those that are synchronized have the
necessary cloud attributes added after synchronization to make them cloud-ready.

There are three main types of users in Azure AD:

 federated,
 synchronized,
 cloud-only.

This categorization is based on two factors:
a) the scope of operation of these accounts, and
b) where the authentication takes place.
Let me explain. You get federated users in Azure AD from environments where both AD DS and AD FS are present
on-premises and users are synchronized to the cloud using AD Connect. The scope of operation of such accounts
encompasses both environments, which means federated users can access resources in the cloud as well as on-premises.
The authentication for federated users takes place on-premises, at AD FS, not in the cloud. This suits organizations that
want to use the cloud but want to maintain strong control locally. Then you get synchronized users from environments
which have AD DS only, and users are synchronized to the cloud using AD Connect. Basically, where there's no federation
involved, the scope of operation of such accounts again encompasses both environments, the cloud and on-premises, but
the authentication for synchronized users happens in Azure AD (with password hash synchronization Azure AD checks the
password itself; with pass-through authentication it hands the password check to an on-premises agent, but the domain
still counts as managed, not federated). This suits organizations that are a little more comfortable embracing the cloud but
still require an on-premises presence. Both federated and synchronized users are also referred to as hybrid users. Next you
have cloud-only users. These are users who are natively created in the cloud.
The scope of operation of such accounts is cloud-only and the authentication also happens in the cloud. This is for
organizations that either have no on-premises presence at all, or do have an on-premises presence but want to prioritize a
cloud-first strategy over the traditional methods. It's quite common for organizations to have a combination of more than
one type of user. You could have federated users co-existing with cloud-only users, or synchronized users co-existing with
cloud-only users, but having federated and synchronized users together in the same tenant is less common, since the
choice between federated and managed is made per domain. Now let's talk about groups.
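Before moving on to groups, here is an added example (not from the course) that classifies the users of a tenant into the three types above using the two factors just described. Factor (b) is a property of the domain, not the user, so the script reads the authentication type of each verified domain; factor (a) is visible on the user object as OnPremisesSyncEnabled, which AD Connect sets only on objects it synchronizes. Microsoft Graph PowerShell is assumed to be installed.

```powershell
# Added example. Requires Microsoft Graph PowerShell:
#   Install-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "User.Read.All", "Domain.Read.All"

# Factor (b): where authentication happens is decided per domain. A federated domain hands
# sign-ins to on-premises AD FS; a managed domain authenticates in the cloud (PHS or PTA).
$federatedDomains = (Get-MgDomain | Where-Object AuthenticationType -eq 'Federated').Id

# Factor (a): OnPremisesSyncEnabled is true only on objects that AD Connect synchronizes.
# Guests (B2B) are left out here; the course covers them separately.
$users = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled, UserType |
    Where-Object UserType -eq 'Member'

$classified = foreach ($u in $users) {
    $suffix = ($u.UserPrincipalName -split '@')[-1]
    $kind = if ($u.OnPremisesSyncEnabled -ne $true) { 'CloudOnly' }
            elseif ($suffix -in $federatedDomains)  { 'Federated' }
            else                                    { 'Synchronized' }
    [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Type = $kind }
}

# Summary per type, then the list itself for review.
$classified | Group-Object Type | Select-Object Name, Count
$classified | Sort-Object Type, UserPrincipalName
```

A practical use of the breakdown: any account that should be cloud-only (for example a break-glass administrator) must show up as CloudOnly here, because a synchronized or federated admin account stops working when AD Connect or AD FS is down.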

You have two types of groups. Security groups are used for conventional use cases where the primary intent is to give
multiple users access to resources. If you've ever worked with security groups in Windows Server Active Directory, you
already know what they do. Security groups in Azure AD offer pretty much the same functionality. The other type of
group is the Office 365 group. The primary intent of creating an Office 365 group is to facilitate collaboration among
the members of the group, along with giving access to resources. Office 365 groups can provision a shared mailbox in
Exchange Online, a site collection in SharePoint Online, a team in Microsoft Teams, and so on, for the members of the
group to work together across apps. You can have accounts of any user type, federated, synchronized, or cloud-only, be
members of any group type, security or Office 365. There's no restriction on the type of users that can be placed into
either group type. There are two cool group features that I really like: dynamic membership and ownership delegation. We
typically add members to groups manually, that's the static method, but with dynamic membership Azure AD is capable
of automatically adding users to the appropriate groups based on custom rules. For example, if a user's department attribute
is Marketing, add them to the Marketing group. There are several other simple and complex rules that you can create to
classify users and put them into appropriate groups automatically. And you can delegate the ownership of a group to the
respective head of department. They get the freedom to add or remove members of the group, and you get, well, one
thing less to manage.
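The two group features just described, as an added example rather than the course's own material: a dynamic security group driven by the department attribute, and a static group whose ownership is delegated to the department head. Group names and the owner's UPN are assumed; dynamic membership requires an Azure AD Premium P1 license.

```powershell
# Added example. Requires Microsoft Graph PowerShell (Microsoft.Graph.Groups, Microsoft.Graph.Users).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# 1. Dynamic membership: Azure AD evaluates the rule whenever a user attribute changes, so
#    nobody adds or removes members by hand. The accountEnabled clause keeps disabled
#    accounts (leavers) out of the group automatically.
$rule = '(user.department -eq "Marketing") and (user.accountEnabled -eq true)'
$dynamicParams = @{
    DisplayName                   = "Marketing - all staff"
    MailEnabled                   = $false
    MailNickname                  = "marketing-all"
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $rule
    MembershipRuleProcessingState = "On"
}
$dynamic = New-MgGroup @dynamicParams

# 2. Ownership delegation on an assigned (static) group: the department head can add and
#    remove members from the My Groups portal without holding any directory role. Membership
#    of the dynamic group above is governed by its rule, so ownership is delegated here instead.
$static = New-MgGroup -DisplayName "Marketing - campaign tools" -MailEnabled:$false `
    -MailNickname "marketing-tools" -SecurityEnabled
$head = Get-MgUser -UserId "marketing.lead@contoso.example"      # assumed UPN
New-MgGroupOwnerByRef -GroupId $static.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($head.Id)"
}

# 3. Check: dynamic membership is populated asynchronously, so re-run until the list is right.
#    Members come back as generic directory objects; the UPN sits in AdditionalProperties.
Get-MgGroupMember -GroupId $dynamic.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Rules are written against user attributes, so the quality of the department attribute on-premises (for synchronized users) decides who ends up in the group; a typo in a department value silently drops that user out of every dynamic group built on it.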

2.2.5 External users management

While we're on the topic of users, let's talk about managing external users. If you remember from the overview, there are
two solutions for external users. The first one is Azure AD B2B, or business to business. It's implemented when you have
users in partner companies who need access to your corporate resources. How this works is that you send them an email
invitation to join your Azure AD tenant. Once they accept the invitation, they show up in your directory as guest users
and can be given access to resources in the same way as your internal users. Since these are external identities, they have
an external identity provider. So the authentication of such users happens at the external provider, and then they are
redirected to the resources they need to access in your tenant. You don't have to worry about their passwords; those are
managed by their home identity provider. The guest object in your tenant is still yours to govern, though, so removing
access when the collaboration ends is on you (access reviews, covered later, help with that). You can invite users from
other Azure AD tenants, users with a Microsoft personal account, or even users from non-Microsoft identity providers.
Azure AD B2B is designed to eventually replace the traditional method of using ADFS federations and trusts; B2B is
supposed to be its cloud successor. That means no longer having to worry about going through the convoluted process of
configuring federation services, their availability, or the network connectivity between organizations. Wouldn't that be
nice, huh? The second solution we talked about in the overview was Azure AD B2C, or business to consumer.

As I mentioned, Azure AD B2C is mainly used by businesses for handling the identities of customers using their
public-facing applications. The traditional way of doing this required writing tons of code, potentially increasing exposure
due to bugs. Azure AD B2C makes the life of developers a lot easier by offering them an end-user identity lifecycle at
scale. That includes the whole process: letting the user sign up using email or a third-party identity provider of their
choice, editing their own profiles, resetting passwords, and deleting their accounts if they wish to. You can choose exactly
which fields are required to represent a user profile, so the control you get is quite granular. The best part? It easily
scales to millions of users. So, as I said, the days of writing tons of code will soon be long gone. And you don't have to
worry about those millions of users inadvertently accessing your corporate resources, because your internal users'
directory and the B2C directory are entirely isolated, not connected in any way. And the B2C feature works with all types
of applications: desktop, web, mobile, and single-page applications.

2.2.6 Application platform


Now let's talk about the types of applications Azure AD supports. For ease of understanding, I like to break this
mammoth platform down into four parts, categorized by application type and its requirements. First, SaaS applications.
We don't just have support for SaaS applications, we also get an app gallery full of apps pre-integrated with Azure AD,
just like the Play Store or the App Store on Android or iOS. You don't need to do any coding; it's pretty much one click to
provision. Business apps, collaboration apps, social media apps, productivity apps, the most popular apps in every
category are right there. If it so happens that the app you need isn't available in the app gallery, that's not a problem at
all. You can also integrate non-gallery SaaS apps with Azure AD. You just have to walk through a wizard that asks you to
configure the single sign-on properties of the app for integration (typically the SAML identifier, reply URL, and signing
certificate), and within a few minutes you should be done. After that, the process to manage gallery or non-gallery apps is
pretty much the same. You can assign access to users and groups for the application or, even better, simply delegate that
task by assigning an application owner. Let the application owner take care of granting users and groups access to the
app.
Second, we also have support for PaaS applications. This applies to custom applications that you're either developing
in-house or through an ISV. The way to integrate PaaS applications with Azure AD is to go through a simple process
called app registration. You give the app a name in Azure AD and specify the redirect URI where it's hosted, which is the
only address Azure AD will send tokens back to. After that, you can add a credential, a certificate or a client secret, that
the app uses to prove its identity to Azure AD; prefer the certificate, since secrets tend to end up in configuration files.
You can then choose which API permissions the app requests and an administrator consents to. PaaS applications in
Azure AD can leverage any modern industry protocol: OpenID Connect, OAuth 2.0, SAML, and so on. Once all of that is
in place, the standard controls allow assigning users and groups and adding an application owner.
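As an added example (not the course's own material), this is the app registration flow just described, done with Microsoft Graph PowerShell and with the choices a security engineer would make: a certificate rather than a client secret, a single exact redirect URI, and user assignment required so that only the users and groups you assign can sign in. The app name, redirect URI, and group name are assumed, and a self-signed certificate stands in for one issued by your CA.

```powershell
# Added example. Requires Microsoft Graph PowerShell:
#   Install-Module Microsoft.Graph.Applications, Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Group.Read.All"

# 1. Register the app. The redirect URI is the only address Azure AD will return tokens to,
#    so keep it exact (no wildcards) and HTTPS. Name and URI are assumed for the example.
$app = New-MgApplication -DisplayName "Contoso Expense Portal" -SignInAudience "AzureADMyOrg" `
    -Web @{ RedirectUris = @("https://expenses.contoso.example/signin-oidc") }

# 2. Credential: a certificate instead of a client secret. A self-signed cert stands in here;
#    in production use one from your CA and keep the private key on the app server only.
$cert = New-SelfSignedCertificate -Subject "CN=expenses.contoso.example" `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)
Update-MgApplication -ApplicationId $app.Id -KeyCredentials @(@{
    Type        = "AsymmetricX509Cert"
    Usage       = "Verify"
    Key         = $cert.RawData        # public part only; Azure AD never sees the private key
    DisplayName = "expenses-portal"
})

# 3. Create the service principal (the "enterprise app" in the portal) and require assignment.
#    Without this flag every user in the tenant can sign in to the app.
$sp = New-MgServicePrincipal -AppId $app.AppId
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 4. Assign a group (name assumed). The all-zero AppRoleId means "default access", which is
#    what apps that define no custom app roles use.
$finance = Get-MgGroup -Filter "displayName eq 'Finance'"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $finance.Id `
    -ResourceId $sp.Id -AppRoleId "00000000-0000-0000-0000-000000000000"

# Check: assignment is required and only the expected principals are assigned.
Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property AppRoleAssignmentRequired
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType
```

The app registration and the service principal are two different objects: the registration (step 1) is the blueprint that also holds the credential, while the service principal (step 3) is the instance in your tenant on which access is assigned and where the application owner is set.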
Third comes Azure AD Domain Services. This is essentially domain controller as a service for applications. And when I
say applications, I mean legacy directory-aware applications that require Kerberos or NTLM authentication along with
LDAP. Now, the ideal way of moving directory-aware applications to the cloud would be to refactor the application,
specifically the authentication code, and change it from the older Kerberos or NTLM to the modern protocols. But
refactoring isn't always an option, such as when you've lost access to the source code or the application vendor no longer
supports the app. Then your go-to option is Azure AD Domain Services. It's compatible with Windows Server Active
Directory Domain Services, and all the standard controls are available once the application has been provisioned.
Now coming to the last part, Application Proxy. I'm sure you're wondering why this box is lower than the other three on
the slide. I have a very good reason for it. In the first three cases, SaaS apps, PaaS apps, and Azure AD Domain Services,
all the apps are running in the cloud, but Application Proxy is a feature that allows you to implement secure
authentication in the cloud for applications running on-premises. Yep, that's right. The authentication happens in Azure
AD and the app runs on-premises. The Application Proxy service running in Azure talks to the Application Proxy
connector on-premises to establish a secure channel; the connector only makes outbound connections, so no inbound
firewall port has to be opened for the app. That's how you get access to the application. And of course, once provisioned,
all the standard controls can be configured here as well. So this was a rundown of the application platform support in
Azure AD.

2.2.7 Device management

Now let's take a look at the device management capabilities in Azure AD. I mentioned two features for device
management in the overview slide:

 device registration
 Azure AD Join.

When I say Azure AD Join, it's for cloud-only environments, meaning either those environments where there is no
on-premises presence, or where the scope of access for the devices is limited to cloud resources only, and the devices
need to be managed in the cloud and not through on-premises solutions. That's when Azure AD Join is your go-to option.
You'll need at least Windows 10 to use Azure AD Join. How do you manage such devices? Through Microsoft Intune or a
third-party MDM solution. Next, when I specifically say hybrid Azure AD Join, things are a bit different. You go for this
option when you require access to resources across both environments, on-premises and in Azure, and the devices also
need to be managed using on-premises tooling such as Group Policy from Windows Server Active Directory. That's when
you choose hybrid Azure AD Join.

The operating system requirement here is a little more relaxed. You can use Windows 8.1 and above with hybrid Azure
AD Join. These devices are managed using the traditional Group Policy method, something you're already familiar with.
The great part is you can configure hybrid Azure AD Join from within the AD Connect tool. It's impressive to see how
Microsoft has consolidated all the relevant features together in one single package instead of having multiple little tools,
services, and agents. The last capability is device registration. This is helpful in enabling BYOD, or bring your own
device, scenarios. So in the first two cases, Azure AD Join and hybrid Azure AD Join, the devices were company owned,
but this feature is for employee-owned devices. This feature supports a broader spectrum of devices. You can use
computers running Windows 8.1 or above, computers running Apple macOS, and even mobile devices running iOS or
Android. The main reason to implement device registration is accountability and security. Even when a personal device is
used to access corporate resources, it is known to Azure AD, so conditional access can require it to meet a minimum
baseline (for example, being marked compliant by MDM) before it gets in. As far as management is concerned, it's again
done through Microsoft Intune or a third-party MDM solution.

2.2.8 Azure AD security


Now let's talk about security. Although Azure AD is technically just an identity and access management system, it takes a
really sophisticated, multilayered approach to security.
Based on the criticality of what's being accessed, there are several barriers that we administrators can put in place before
a user is allowed into the directory.
1) The user credentials.
2) Azure AD conditional access.
Back in the day user identities were tied to a bulky desktop and confined to the corporate network, but identities today are
geographically distributed, dynamic, and portable. You can have a user sitting in any corner of the world using any
device. So credentials by themselves are no longer enough to sufficiently verify a user's identity. That's where Azure AD
conditional access comes in. In addition to credentials, conditional access policies can check whether the device is
domain joined or not, whether it's the usual device and operating system that the user uses, what the source location and
IP address of the request look like, and for which application access is being requested. All these parameters are signals.
The sign-in risk signal specifically comes from Azure AD Identity Protection, whose machine learning models learn a
user's normal sign-in patterns from every legitimate login and rate each new sign-in as low, medium, or high risk.
Conditional access then acts on that rating: high-risk sign-ins can be blocked, low-risk sign-ins allowed, and medium-risk
sign-ins put through multi-factor authentication. Now isn't that cool? Speaking of multi-factor authentication, yes we do
have that in Azure AD. And not just basic, but modern multi-factor authentication.
3) Multi-factor authentication.
It can serve as the third barrier before the user gets in. With MFA you can get one-time passcodes through text message
or phone call, or through the Microsoft Authenticator app on the phone (email is available for self-service password reset,
but not as a sign-in factor). What's cooler is that you can avoid the mess of one-time passcodes altogether: the
Authenticator app's push notification lets you just tap approve or deny for a login request, on the phone or on a paired
Apple Watch. Using conditional access and multi-factor authentication together makes the whole process much smoother.
Users can be prompted for multi-factor authentication only when required, such as when the sign-in appears risky, as
assessed by the conditional access policies. When it does not appear risky, users go straight into the directory after
verifying their credentials. These were the three barriers that can be implemented before allowing users into the directory.
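The risk-tiered behaviour described above, as an added example that is not part of the course: two conditional access policies created with Microsoft Graph PowerShell, one that blocks high-risk sign-ins and one that requires MFA for medium-risk ones. The sign-in risk condition needs Azure AD Premium P2 (Identity Protection). The break-glass account UPN is assumed; both policies start in report-only mode, which is the check a practitioner wants before enforcing anything that can lock administrators out.

```powershell
# Added example. Requires Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Exclude the cloud-only break-glass account from every policy so that a bad policy, an MFA
# outage or a false-positive risk rating can never lock all administrators out. UPN is assumed.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'emergency-admin@contoso.example'").Id

$common = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    applications = @{ includeApplications = @("All") }
}

# Policy 1: high-risk sign-ins are blocked outright.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Block high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions    = $common + @{ signInRiskLevels = @("high") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: medium-risk sign-ins must pass MFA; low and no-risk sign-ins get in on credentials alone
# because no policy matches them.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA02 - Require MFA for medium sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $common + @{ signInRiskLevels = @("medium") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Check: list the policies with their state and risk condition before enforcing.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, @{ n = 'SignInRisk'; e = { $_.Conditions.SignInRiskLevels -join ',' } }
```

Leave the policies in report-only mode for a week or two and read the "Report-only" result column in the sign-in logs: if legitimate users would have been blocked, tune the policy before changing state to enabled. Note also that MFA must be registered before it can be required; users with no registered method would simply be unable to sign in under CA02 once enforced.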

Next comes Azure AD directory roles. This applies to users already in the directory. With these you can assign different
levels of administrative rights to relevant users in the organization. You already know the administrator groups in
Windows Server; this is their counterpart in the cloud. There's a slight difference in the naming convention though. For
example, Global Administrator in Azure AD is roughly the same as an Enterprise Admin in Windows Server Active
Directory, but the concept is fundamentally the same, and so is the advice: keep the number of Global Administrators
small and use the narrower roles wherever they fit. Then comes Azure AD Identity Protection. This feature gives
comprehensive insight into the state of your identity infrastructure in the cloud. It has the ability to flag users for risk,
discover irregular access events, identify potential shortcomings in security, give suggestions on how to fix those
shortcomings, and recommend actions that you can take to mitigate the risk associated with the flagged users. Pretty cool,
right? All the features before Identity Protection were preventive, to ensure nothing bad happens, but Identity Protection is
a detective feature. It comes into play for bringing those little things to your attention that may have already slipped past
your supervision. Basically, it's for monitoring and reporting, to put it succinctly. After the preventive and detective
features we have tools for identity governance.
These help establish a proper procedure for managing the end-to-end lifecycle of user identities in the organization. You
can use them to streamline processes in identity and access management that may not be wrong, but probably have room
to improve based on industry best practices.
There are three tools in the identity governance toolbox:
1) Privileged Identity Management, or PIM. PIM takes the principle of least privilege and adds the time dimension to it.
The principle teaches us that a user must only be given the permissions required to do their job, and no more. But even
the minimum privilege assigned to a user may not be in use all the time, so with PIM you make users eligible for a role
and let them activate it just in time, on request, for a limited period, optionally with MFA, a justification, or an approval.
Think of it as scaling up and down, but instead of resources you're scaling permissions up and down based on
requirement.
2) The next tool is Entitlement Management, or EM. This allows your end users to be better informed about what
resources they have access to or can request access to. Accessing resources has always been a bit of a hit or miss game
for end users: try to access a resource, and if you can't, call the help desk. Sometimes users are unaware that they have
access to certain resources. EM aims to change that by allowing users to discover and request access to groups,
applications, and resources, bundled into access packages they are eligible for.
3) Azure AD access reviews. This nicely rounds out all the configurations we make in the previously mentioned tools.
It enables us to periodically review the access that has been assigned to users, re-certify it if the access is still required, or
revoke it if it isn't. You can also run regular audit checks where a justification is recorded for why a user requires specific
access. So you now know that Microsoft is not kidding around when it comes to Azure AD security. It's extremely serious
about it. Plus, of course, you get all the expected features like machine learning based monitoring, logs, alerts, and reports
to accompany it. I know this slide covers a lot, but there's so much to talk about in security that I couldn't help but include
everything. I wanted to expose you to at least the key terms so that you can follow up on them later if you're interested.

2.2.9 Azure AD administration


I have to admit, this was one of the toughest videos for me to make. I just couldn't decide among the tons of things that
make the Azure AD administration experience great. What do I include and what do I leave out? So I decided to put an
example of an administrative feature from each one of the categories we've discussed so far. In my personal experience, it
appears that the engineers at Microsoft center Azure AD administration on one theme: everything is smart today, so why
not identity?
Azure AD is a fully managed identity-as-a-service, which means you don't have to worry about maintaining domain
controllers, replication, downtime, nothing. It's all taken care of by Microsoft. That's one huge plus for administration.
Then even the AD Connect tool that we deploy for hybrid identity is lightweight and comes with its own health
component. So no worrying about deploying SCOM or other third-party monitoring tools to keep a check on its resource
usage or uptime. When it comes to users, the self-service capability is quite well built. Users can do a lot more on their
own without having to involve the help desk for every little thing: editing their own profile attributes, resetting their own
passwords, requesting group memberships, as well as access to the apps they need. All of this dramatically improves our
administrative experience because we don't have to do these menial tasks. I think we can agree that resetting passwords
over and over again is not the most fun thing to spend our precious time on. Next, the delegation of groups and apps by
assigning dedicated owners to them decreases our workload even further. Let the application owners and department
heads handle access to their assets; no need to loop in IT every time. With the SaaS app gallery, you have apps
pre-integrated to work with Azure AD. Their provisioning and de-provisioning process is super easy, almost as easy as
installing and uninstalling apps on your phone, if I may dare say that. And there's a very good chance that the app you
need is already in the gallery. Imagine the time and energy saved compared to deploying the application the conventional
way. It gets even better. You can now let users add their own devices through Azure AD Join or device registration
without needing intervention from IT (you decide in the device settings which users may join devices and how many). The
days when you needed a privileged account with domain-join rights are behind us. And finally, you may recall that I
mentioned many things in Azure AD are powered by machine learning. One such example is the smart lockout capability.
Remember having to set up account lockout policies, lockout duration, and manually unlocking a locked user account?
Azure AD smart lockout blocks repeated incorrect password attempts automatically. You still set the lockout threshold
(10 failed attempts by default) and the lockout duration (60 seconds by default, growing on repeated lockouts), but you no
longer unlock accounts by hand, and smart lockout tells apart attempts from familiar and unfamiliar locations, so an
attacker guessing passwords gets locked out while the legitimate user keeps working. And of course, this is just one
example of how machine learning makes our lives easier. As you start using the product, you'll come across many more
such examples. With that, we've come to the end of this chapter. Let's take a quick chapter quiz to see how well you've
gotten a hold of the learning objectives covered in this chapter. I'll see you after the quiz.
2.3 Industry Standards and Compliance.
2.3.1 Open standards support

Our primary focus will be to understand how easily Azure AD blends in with industry standard solutions, and how well it satisfies enterprise compliance requirements. After all, what good is a solution if you need to change a lot to use it and it doesn't comply with organizational requirements, right? Fortunately, that's not going to be a problem with Azure. First, let's begin by talking about Open Standards support in Azure.
Open Standards enable us to use popular technical specifications that have already been embraced by the industry and the tech community. These standards can apply to a variety of things, ranging from writing code, transferring data and exchanging information to deploying resources. The reason Open Standards are extremely essential is that they allow us to build components using existing skills and without using proprietary solutions. Let me elaborate on why that's important. If you do pick up a proprietary solution and learn how to implement it, there's no guarantee that the skill you learn will be beneficial in other roles outside of that particular solution. An even bigger problem is that you depend on a single vendor to support the solution. What if they shut down operations tomorrow? What if you don't like the solution and want to get rid of it but you're locked in? Vendor lock-ins are pretty common. And what if the solution in itself is great but doesn't integrate well with the other products you have? So, there's a lot of uncertainty with proprietary solutions, especially those built by less reputable vendors. Using Open Standards can avoid all these hassles. Azure supports a wide variety of Open Standards. For example, if you are writing backend code, you can use Node.js, Python, Java or PHP, among others. You can spin up VMs running Red Hat Enterprise Linux, plus a whole bunch of other options. And from an identity and access standpoint, you can use authentication protocols such as OpenID, OAuth or SAML. Leverage passwordless logins using FIDO, or use the System for Cross-domain Identity Management, or SCIM, specification, which is a standard used to exchange identity information across applications and devices. These are just a few examples of Open Standards that Azure supports. The list is actually much bigger. So Microsoft isn't just hunting for PR value. It really is extremely serious about supporting Open Standards, and it's showing that by getting up close and personal with them. So rest assured, regardless of whether or not you're a Microsoft shop, you'll be able to use Azure with freedom and flexibility.

2.3.2 Regulatory compliance


Take a look at Azure's regulatory compliance. For those of you who are hardcore techies and not entirely clear on the concept, here's what it means. The regulatory compliance of a product is basically its adherence to well-defined business requirements, policies or laws. These regulations could be put in place for multiple reasons. They could fine-tune existing business processes, ensure the security of companies' resources, safeguard the privacy of employees and customers, or satisfy national and international legal requirements. When a product complies with these regulations, it instills trust in customers. They can be confident that the product functions according to industry expectations and won't get them into unforeseen problems. Let's see some examples. Although Azure supports hundreds of certifications, let's look at the top five based on popularity and industry vertical. I'm sure you must have heard of at least a few, if not all of them. First there's ISO, or the International Organization for Standardization. These certifications aim to establish the highest standards in quality management, for proprietary, commercial, and industrial organizations. The only way to get better clarity about what any certification does is to read more about it online. Then, there's SOC, or System and Organization Controls. It revolves around protecting financial statements, improving operational efficiency, and maximizing compliance. Third comes PCI-DSS, which stands for Payment Card Industry Data Security Standard. It's required by organizations that store or process credit card information. Next is HIPAA, or the Health Insurance Portability and Accountability Act. It has provisions for ensuring that confidential medical data of patients is kept private and only shared appropriately with authorized personnel. And the most recent one, GDPR, stands for General Data Protection Regulation. It's been introduced by the European Union to protect the data and privacy of citizens residing in the European Union and the European Economic Area. Azure complies with all of them. My point is that the world trusts Azure with the most confidential information: personal, professional, financial, and medical. So you can, too. If you want to see the exhaustive list of certifications with more details, you can visit the Microsoft Trust Center on the Microsoft website. The URL is on your screen, below. Once you understand the regulations, have a discussion with the top-level management about which ones your organization should be in compliance with. It's not something that can quickly be decided over a single meeting, so take your time in figuring it out. Once you do, you can go to the Regulatory Compliance dashboard in Azure Security Center, and check for recommendations. The landing page will guide you through the actions you need to take to fix potential issues for various compliances. That includes ones specific to identity and access management. Prioritize the ones that your organization needs to comply with, and then get to the rest later. Remember, the Regulatory Compliance dashboard is a blade within the Azure Security Center. The URL is below on your screen. And finally, you have the Microsoft Compliance Manager. Any cloud computing offering that's out there runs on a shared-responsibility model, which means ensuring compliance is partly the service provider's responsibility, and partly yours. Because they cannot do anything if your deployment itself is noncompliant, right? So to discover such problems, we have the Compliance Manager. It's designed to run dual compliance checks in the environment, splitting them into provider actions and customer actions. It lists out every single step that is complete or needs to be completed, either on the cloud provider's side or the customer's side, in order to be compliant with a specific certification. That means you get superhero vision into what is noncompliant, who is responsible for it, and how to fix it. You can run the Microsoft Compliance Manager from the link below. All of this put together makes your infrastructure highly trustworthy for you and your customers. That wraps up this short and quick chapter. I'll see you back in the next chapter, after the quiz.

2.4 Provisioning an Azure AD Tenant


2.4.1 Building an Azure AD scenario
Now that we've discussed the technical and business characteristics of Azure AD, let's switch gears and dive into the process of provisioning an Azure AD tenant. I'll list out the prerequisites that you would need for an ideal deployment and perform a few demonstrations, where I'll walk you through the exact steps involved in the creation of a brand new Azure AD tenant. My intention behind including these demos is to show you how easy it is to spin up Azure AD as opposed to getting a Windows Server Active Directory server up and running. That should hopefully make you appreciate the product better and motivate you to try it out yourself. There are mainly two Azure AD deployment scenarios: Enterprise Organizations and Small-Medium Businesses. Every organization will partially or entirely fit into one of these two categories. Here's how I define them.

ENTERPRISE ORGANIZATIONS
 are those which have a significant on-premises infrastructure present. It could be servers, networking devices or storage devices.
 for identity and access, enterprise organizations have Windows Server Active Directory Domain Services running
 That means enterprise organizations have a centralized domain environment for administration with group policy and everything
 Enterprise organizations have an interconnected directory hierarchy. By that I mean there are one or more forests, domains, sites, federations, trusts, all that stuff

SMALL-MEDIUM BUSINESSES
 have very little to no infrastructure present on-premises
 do not have any Active Directory services set up.
 businesses rely on a more independent workgroup environment for functioning.
 with small-medium businesses, you do not have any of that complex stuff. It's basically a non-interconnected structure.


If the majority of the traits match, that should be enough, and depending on which one of these two scenarios your environment falls under, it will decide your Azure AD deployment strategy. There are two deployment strategies available, one for each scenario. For enterprise organizations we will implement a hybrid cloud strategy. In this plan you will provision an Azure AD tenant and integrate it with your existing on-premises infrastructure using the Azure AD Connect tool. So, both environments will co-exist, be able to share identity information and support workloads together. The distribution of the control and workload across the two environments is adjustable depending on your needs. You will need the AD Connect tool to implement the strategy correctly. On the other hand, for small-medium businesses, you will implement a cloud-only strategy, or what I like to call a standalone cloud strategy. In this plan, since there is no on-premises structure present, Azure AD will function independently and host all workloads. The full control of the environment resides in the cloud and there's no need to use the AD Connect tool because there's nothing to connect it to, right?
Now that we have the deployment strategy part cleared, here's what I'm going to do. Imagine a small business named WorldTravellerTV. It's a travel company that runs a web series showcasing popular tourist destinations and sells travel packages. It's headquartered in Hyderabad, India and has 10 employees. Nine of them are Heather, Audrey, Rae, Kali, Chris, Brian, Tracey, Matt and Yash; the tenth one is me, Kunal, the IT Administrator. We will be provisioning an Azure AD tenant for these 10 users of WorldTravellerTV.

2.4.2 Creating an Azure AD tenant


Here is what you need to know. You've heard the word tenant quite a few times so far, but what does it exactly mean? In a Windows Server environment what we typically have is a Forest. A Tenant in Azure AD is its equal-valued counterpart in the cloud. That's probably the best way to describe it, and I say equal-valued because if we look at the bigger picture they're almost similar in function, with the exception of a few minor differences. Let's look at the comparison of the similarities and differences to better understand the concept of a Tenant in Azure AD and how it's created.
An administrator manually creates a Forest during the installation of the first instance of AD DS on the network. On the other hand, a default directory, or default Azure AD Tenant, is automatically created when we sign up for an Azure subscription. We don't have to do anything in particular manually. During the AD DS installation, an administrator can choose a name for the root domain of the Forest, something along the lines of mydomain.loc. However, when we sign up for Azure the first time, a temporary domain is automatically created within the default directory. It follows a pattern of emailstring.onmicrosoft.com. Once an administrator completes setting up the domain on Windows Server, it is immediately usable for test or production environments, but the temporary domain you get in the default directory is intended for setting up test or proof-of-concept environments only. We should not be using temporary domains for production environments. As far as Windows Server on the left is concerned, its configuration is complete, so it's ready to go. But with Azure AD, like I said, the temporary domain is only intended for test environments, so in order to make a directory production-ready we must add at least one publicly-routable custom domain to it. By publicly-routable, I mean a domain which can successfully be looked up by global DNS servers. You cannot use .loc or any such local domains. Now this is because Windows Server based on-premises networks are capable of sustaining themselves independently, isolated from the internet. But with Azure and the cloud, everything is securely accessed over the internet, so you need an address which is valid and discoverable on the internet. That's the reason why a publicly-routable domain is required in Azure AD but isn't necessary for an on-premises Active Directory. And then, speaking of numbers, a single user can only create up to 20 directories or tenants. That's more than sufficient. Can you imagine needing 20 Forests on premises? No, right? So 20 directories in Azure is also a huge number that most of us will not even get close to. If you are using the free edition of Azure AD, each directory or tenant can only support up to 500,000 objects in total. If you need support for more, then you will need a licensed edition of Azure AD. A licensed edition has no such restriction on the number of objects. It's always good to know the limitations of any product that you are interested in. So this was an overview of how creating an Azure AD Tenant works in comparison to a Forest.

2.4.3 Adding a custom domain


We learned that whenever we sign up for an Azure subscription, it automatically provisions a default directory with a
temporary domain in the format emailstring.onmicrosoft.com.

In this clip, let's see why a temporary domain is not good enough and why we need to add a custom domain to our Azure AD tenant. So let's get this straight. Can temporary domains be used for production environments? Well, theoretically yes, but practically there will be many issues. All your usernames, email addresses, sub-domains, and resource links will have emailstring.onmicrosoft.com appended to them, everywhere, as you can see on the screen. It makes the URL unnecessarily long and unprofessional, and doesn't allow you to use your own brand name anywhere in the domain name. That's why, in spite of the fact that a temporary domain is publicly routable, it's not suitable for production environments. Now, let's see how things change when we get a publicly routable custom domain of our own. Let's say, for example, I have rights to mydomain.com. Here's how things change when you have a custom domain. Your usernames, email addresses, sub-domains, and resource links all have mydomain.com in them. So, it's more convenient, professional, and has your brand in the domain name. It's like naming a baby. Adding a custom domain is basically a three-step process.
First, list the domain in Azure AD. Listing will make the domain appear in Azure AD, but in an unverified status denoting that it's not ready for use. So in the next step you'll have to verify domain ownership, essentially proving that you really own the domain you want to add and use in Azure AD. And last, after the verification is successfully complete, you should now set the custom domain as primary. Doing this instructs Azure AD to use it as the domain for all purposes going forward. After these three steps are done in order, your new custom domain shall be ready for use in Azure AD. Another point worth noting is that although the temporary domain will no longer be in use, you're still not allowed to make any changes to it. You cannot edit or delete it from the list of domains. So what we did here was add the custom domain to the default directory, which was created at the time we signed up for the Azure subscription. Now there's another way we can go, and that is we don't use the default directory but instead create a new Azure AD tenant. Here we can choose the sub-domain part of the temporary domain, so it can be whatever.onmicrosoft.com as opposed to emailstring.onmicrosoft.com. The .onmicrosoft.com part will still be there because, after all, it's a temporary domain. For the sake of this example, let's say we choose mydomain.onmicrosoft.com for the temporary domain. After that you can then add your custom domain to this directory instead of the default directory. The rest of the process is pretty much the same: listing the domain, verifying ownership, and setting it as primary.

You will typically do this if you have a specific reason to not use the default directory. Or else you can simply use the default one. Now, let's talk numbers. You can have 900 such custom domains, also called managed domains, in each tenant. That's the term Microsoft uses in a lot of places in the documentation. Managed domains are just custom domains, but if you configure federation on the domains, then the number drops to 450 federated domains. That makes sense because the domains come in a set of two. Now that we are clear with the process of adding a custom domain, here's what we will do for our World Traveller TV scenario. We will create a new Azure AD tenant with the temporary domain worldtravellertv.onmicrosoft.com and then perform the three-step process to add our custom domain worldtraveller.tv to it. Do you remember what those three steps were? List domain, verify ownership, and set to primary. The only reason I'm opting to create a new directory instead of using the default one is for you to see exactly what the process of creating a new directory from scratch looks like. If I use the default directory, you'll be missing half of the action. So let's see that in action.
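The three steps above (list, verify ownership, set primary) driven through the Microsoft Graph domain endpoints, as an added example that is not part of the course: it adds the pre-flight check the text implies (reject .loc-style names and the untouchable temporary domain) and refuses to proceed when the TXT record is not visible. FakeGraph is a constructed in-memory stand-in for Graph and public DNS so it runs offline; the function names, the `publish_txt` hook and the constructed token values are assumptions, while the endpoint paths and the MS=ms... TXT format mirror the real service.

```python
"""Custom domain onboarding for an Azure AD tenant: list, verify ownership, set primary.

Constructed example (not the course's code). FakeGraph stands in for Microsoft Graph
and public DNS so the flow runs offline; endpoint paths mirror Graph v1.0.
"""
import zlib

# Suffixes global DNS will never resolve; the course rules such domains out.
NON_ROUTABLE_SUFFIXES = (".loc", ".local", ".internal", ".lan")


def check_routable(domain):
    """Pre-flight: reject local-only names and the temporary domain (cannot be edited)."""
    d = domain.lower().rstrip(".")
    if "." not in d:
        raise ValueError(f"{domain!r} has no public top-level domain")
    if d.endswith(NON_ROUTABLE_SUFFIXES):
        raise ValueError(f"{domain!r} is not publicly routable; Azure AD needs a public domain")
    if d.endswith(".onmicrosoft.com"):
        raise ValueError("the temporary *.onmicrosoft.com domain cannot be added, edited or deleted")
    return d


def list_domain(graph, domain):
    """Step 1: list the domain; it appears in the tenant in unverified status."""
    return graph.call("POST", "/domains", {"id": domain})


def verification_record(graph, domain):
    """Fetch the TXT record the tenant expects to find in the domain's public DNS."""
    recs = graph.call("GET", f"/domains/{domain}/verificationDnsRecords")["value"]
    txt = [r for r in recs if r["recordType"] == "Txt"]
    if not txt:
        raise RuntimeError(f"no TXT verification record offered for {domain}")
    return txt[0]


def verify_domain(graph, domain):
    """Step 2: ask Azure AD to look up the TXT record and prove ownership."""
    result = graph.call("POST", f"/domains/{domain}/verify")
    if not result.get("isVerified"):
        raise RuntimeError(f"{domain} is still unverified: TXT record not visible in public DNS")
    return result


def set_primary(graph, domain):
    """Step 3: make the verified domain the primary (default) domain of the tenant."""
    return graph.call("PATCH", f"/domains/{domain}", {"isDefault": True})


def add_custom_domain(graph, domain, publish_txt):
    """Run all three steps; publish_txt(label, text) is the operator's DNS publishing hook."""
    domain = check_routable(domain)
    list_domain(graph, domain)
    rec = verification_record(graph, domain)
    publish_txt(rec["label"], rec["text"])  # the manual step: add the MS=... TXT at the registrar
    verify_domain(graph, domain)
    set_primary(graph, domain)
    return graph.call("GET", f"/domains/{domain}")


class FakeGraph:
    """Constructed stand-in for Microsoft Graph plus public DNS (not the real service)."""

    def __init__(self, temp_domain):
        self.domains = {temp_domain: {"id": temp_domain, "isVerified": True,
                                      "isDefault": True, "isInitial": True}}
        self.dns_txt = {}  # label -> set of TXT values "published" in public DNS

    def publish_txt(self, label, text):
        self.dns_txt.setdefault(label, set()).add(text)

    def _expected_txt(self, domain):  # deterministic constructed token in the real MS=ms... shape
        return f"MS=ms{zlib.crc32(domain.encode()) % 10**8:08d}"

    def call(self, method, path, body=None):
        parts = path.strip("/").split("/")
        if method == "POST" and parts == ["domains"]:
            self.domains[body["id"]] = {"id": body["id"], "isVerified": False,
                                        "isDefault": False, "isInitial": False}
            return dict(self.domains[body["id"]])
        dom = self.domains[parts[1]]
        if method == "GET" and parts[2:] == ["verificationDnsRecords"]:
            return {"value": [{"recordType": "Txt", "label": dom["id"], "ttl": 3600,
                               "text": self._expected_txt(dom["id"])}]}
        if method == "POST" and parts[2:] == ["verify"]:
            dom["isVerified"] = self._expected_txt(dom["id"]) in self.dns_txt.get(dom["id"], set())
            return dict(dom)
        if method == "PATCH" and len(parts) == 2:
            if dom["isInitial"]:
                raise PermissionError("the initial onmicrosoft.com domain cannot be changed")
            if body.get("isDefault"):
                if not dom["isVerified"]:
                    raise PermissionError("only a verified domain can be set as primary")
                for d in self.domains.values():
                    d["isDefault"] = False
                dom["isDefault"] = True
            return dict(dom)  # the real Graph answers 204 No Content here
        if method == "GET" and len(parts) == 2:
            return dict(dom)
        raise NotImplementedError(f"{method} {path}")


if __name__ == "__main__":
    tenant = FakeGraph("worldtravellertv.onmicrosoft.com")
    print(add_custom_domain(tenant, "worldtraveller.tv", tenant.publish_txt))
```

Against the real service, `call` would be a thin wrapper that sends the same method, path and JSON body to https://graph.microsoft.com/v1.0 with a bearer token holding Domain.ReadWrite.All.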
2.5 Potential Business Impact of Azure AD Adoption.
2.5.1 Impact on standalone infrastructures

So far we've explored the fundamental building blocks of Azure AD, seen how well it fits in the industry and walked
through a few demos to see it in action. In this chapter, let's analyze the potential business impact of Azure AD adoption. I
say potential, because Azure AD has many components. The overall business impact may vary from organization to
organization, depending on which components are being used. Exact numbers can only be determined for individual cases
where we have full access to the deployment details. Alternatively, what we can do and will do is predict how Azure AD
may impact businesses based on the factors we've previously discussed. We make those predictions in three key areas of
interest:
 Change in infrastructure complexity,
 employee productivity
 monetary variation.
Here's the impact on standalone infrastructures for small-medium businesses. The assumption here is that we're talking about a brand new organization trying to decide what to choose for their identity needs: an on-premises deployment, or completely leveraging identity as a service in the cloud. The infrastructure consists of hardware and software. Considering the bare minimum that's required to deploy a fully functional identity and access system that's accessible both internally and remotely, we will need the following.

Hardware comprising:
 servers,
 networking and storage devices,
 redundant electrical connections,
 redundant Internet connections,
 cooling solutions for the equipment,
 enterprise support packages for the hardware,
 physical security measures to keep all of it safe.
All of these will have to be renewed or replaced at the end of their shelf life.
Then there's software:
 Active Directory Domain Services role installations,
 the DNS server roles,
 probably Active Directory Federation Services,
 the remote access role,
 Windows Server Update Services,
 Windows Server Backup.
All of these services will need regular maintenance and troubleshooting. If there are no other services present, the two lists combined will be the absolute minimum you'll need to set up an on-premises identity infrastructure for a small to medium sized business.

But instead of deploying the identity infrastructure on premises, you can avoid having to deploy and configure all of it by
adopting Azure AD for your identity needs. Azure AD has viable alternatives for all of these components.

So you can just have client computers on site, and run the entire server infrastructure with all services in the cloud.
That's how deeply Azure AD can affect the infrastructure in a small to medium sized business.

2.5.2 Impact on hybrid infrastructures

How does Azure AD impact the infrastructure in such situations? In large organizations, judging the impact only on the basis of hardware and software may not be fair since there are a lot more factors involved.

So let's start with hardware and software but also look at other things after that. The assumption here is that we're talking about an organization which is already operational and has a significant on-premises infrastructure. They are trying to figure out whether a hybrid deployment would benefit them. Let's analyze what happens if they choose Azure AD.
The number of rack servers will decrease because a part of the identity workload will shift to Azure AD instead of on-premises servers. And since the number of servers decreases, the networking and storage equipment required for those servers will also decrease. As a result of the above, the number of enterprise support packages will also come down. The overall impact on these three components will be significant. But the impact on other components, like electrical and internet connections, cooling and physical security, will be very small, because only the identity servers and their associated infrastructure have been migrated to Azure AD. Other servers and services will still be there. On the software side, the Windows Server instances will decrease because of the smaller number of servers. This means less maintenance and troubleshooting. Then the number of servers with Active Directory Domain Services will also decrease. That means less worrying about replication and consistency issues. Similarly, fewer DNS servers will mean less worrying about zone replication and name resolution failures. Using Azure's built-in seamless single sign-on capability and Azure AD B2B, it is quite possible to get rid of Active Directory Federation Services on premises completely. I don't have to tell you how much simpler that'll make our jobs, right? Next, if applications that have remote users frequently connecting to them are moved to the cloud, it could be possible to get rid of, or at least drastically reduce, the dependency on the Remote Access role and VPN. So instead of users accessing on-premises resources through a VPN connection, they just access those resources hosted in the cloud. The two parameters here that won't be affected significantly are Windows Server Update Services and Windows Server Backup. They will be impacted, but only minutely. So this was a very high-level assessment of the impact on hardware and software for enterprise organizations.
Now let's look at other factors and how they're affected after deploying Azure AD in enterprise organizations.
1) One area where administrators see a big improvement after adopting Azure AD is the simplification of the network configuration for connectivity we do in headquarters and branch offices. Theoretically, we know that the hub-and-spoke topology has a single point of failure at the hub and a mesh topology is complex by design. But if we make Azure the hub and all offices the spokes, it is possible to get a simple, efficient network that just works. Azure at the hub will mean a far lower chance of failure, and direct links from offices to the cloud will mean low latency. This can make the networking infrastructure for supporting identity and other services much more reliable in comparison to a configuration without Azure.
2) With Azure AD, administrators get great relief in the effort required to maintain a highly available identity infrastructure. Identity and access is one of the most critical services on the network, and equally so is its availability. That puts tremendous pressure on admins to ensure that identity servers don't go down, and if they do, everything else has to be put aside and the priority becomes bringing them back online. But by leveraging Azure AD, admins get an identity as a service which is already highly available with excellent uptime. This ensures business continuity and lower stress levels for admins.
3) Speaking of business continuity, another factor that can disrupt it is a catastrophic event which takes down a big chunk or even the entire physical site of your infrastructure. Azure AD can be of immense help in such situations of disaster recovery as well. While you're working on rebuilding the servers and bringing the services back online, Azure AD can continue to authenticate users and allow them to access whatever resources are still available. This means that instead of the entire infrastructure being crippled and coming to a standstill, it operates at reduced functionality.
4) The fact that Azure AD supports multi-form-factor devices like mobile phones and tablets has a huge impact on the modernization of the overall infrastructure. Users today want the convenience to make use of what they have access to no matter where they are. Thanks to features like Azure AD join and device registration, administrators can now support modern devices of multiple form factors, enable accessibility for end users and ensure strict compliance.
5) Finally, this one is my favorite. With Azure AD, administrators get the power of global scalability. Businesses love tools that can help them propel growth. Conventionally, venturing into new geographies is usually a big undertaking due to the logistical and financial challenges involved. But thanks to Azure, deploying brand new applications and services in any part of the world is now just a click of a button away.
And again, thanks to Azure AD, managing users and their devices in any part of the world is equally easy. Azure helps businesses achieve globalization. And in my opinion that is the best thing that can happen to an organization.
2.5.3 Impact on employees

About the impact on employees. I'm going to split employees into administrators and end users. We'll discuss end users first.
Thanks to the numerous self-service capabilities built into Azure AD, end users can now be less dependent on help desk staff to get things done. That means less time spent on calls, and more time spent on getting actual work done. We've also learned that Azure AD gives end users the freedom to choose a device platform. It could be Windows, Macs or mobile devices running iOS or Android. This is very important because when users feel comfortable they deliver better work. Furthermore, mobile devices are not just convenient, they're also portable. And because of Azure AD support for BYOD, users can be responsive and productive on the go using whatever device they have access to. And then, because of Azure AD Connect and seamless single sign-on, users get to simplify their credential management by having just one set of credentials to access all corporate resources. Managing multiple credentials and keeping track of which credential goes where is always messy. With Azure AD, that's not going to be a problem. Since users only have one set of credentials to remember, they have easy access to resources. They just have to log into their account with those credentials, and then they will be able to see all the apps that have been assigned to them in one single place. No messing around and no more bookmarking URLs for different resources. And finally, because of features like Office365 Groups, users have smarter, more sophisticated tools to better collaborate with their teams on various projects and assignments. So teams distributed across multiple cities can work as efficiently as if they were all present in a single office. These were the impact points for end users.
Now, when it comes to administrators, most of our life is spent in deploy, maintain, monitor, troubleshoot and support. So I like to call this the D-M-M-T-S loop.
We've accepted it to be normal for us to spend the whole day in this loop. But that's not how it's supposed to be.
Ideally, our primary job should be to only supervise things, and get into the loop occasionally when required. But in today's AD, that's become a distant dream.
Azure AD helps us administrators get closer to that dream by helping us reduce the time spent in the loop.

That happens as a direct result of better infrastructure function, better delegation of tasks, and better independence of end users. So, we are put back in a position where we supervise more, and do less hands-on labor. The end result is that we get extra time to learn more and keep our job skills sharp. Administrators often lose their edge slowly due to excess work pressure. They don't get enough time to keep up with what's new. And over time, their knowledge becomes obsolete. Azure AD can help you stay sharp by giving you more free time to learn new technologies and best practices. Because it's always good to take a moment and re-evaluate whether your knowledge is up to date.

2.5.4 Financial implications


Let's try to quickly deduce what the financial implications could be based on what we saw in the last two videos. We'll look at the impact on infrastructure and the impact on employees. In infrastructure, the parameters that involve money are the cost of software licenses, server hardware, other infrastructure costs like networking and storage, losses incurred due to downtime, profits due to business agility, and the cost of Azure AD licenses if purchased. Here's how each one of these changes with Azure AD. The cost of software licenses goes down, saving us money. The cost of server hardware also goes down, saving us money. Losses incurred due to downtime are reduced, again saving us money. And due to agility, profits go up, making us money. All these factors contribute positively to the organization's finances. The only thing here that might cost us money is Azure AD licenses.

That's also assuming that we are using a paid edition and not the free one, because we need access to premium features only available with the paid editions; or else, you could just be using the free edition and not be paying a single dollar for it. Next, in terms of employees, the parameters that involve money are the cost of setting up help desk employees, the cost of client computers for employees, profits due to employee productivity, profits due to higher uptime of resources required by end users, focus on the core business goal, and employee satisfaction. Here is how each one of these changes with Azure AD. The cost of help desk employees goes down, which is good. The cost of client computers that need to be purchased also goes down. Profits due to increased employee productivity go up. Profits due to higher uptime of services needed by employees to be productive go up. Focus on the core business goal is stronger due to fewer distractions, increasing the profit. And since all of this increases employee satisfaction, that leads to an increase in morale and profits. So what I'm trying to say is the overall profits are bound to go up with the adoption of Azure AD.
The bottom line of the argument here is: efficient infrastructure plus efficient employees equals increased revenues and profits.

2.6 Conclusions

So now let's assume you have a fairly clear understanding of Azure AD. You like what it has to offer and want to roll
it out in your production environment. Here are some important points to keep in mind before planning an Azure AD
deployment for production. First, identify your architecture. Is it going to be hybrid or standalone? Having clarity on
this will give you a clear picture of the deployment strategy and will help keep any messes from cropping up later on.
Second, make a list. Write down all the current identity and access problems that you need to fix or find better solutions
to. Third, do a thorough analysis of Azure AD components by going through my course and the online documentation.
Fourth, map each component in Azure AD to the specific identity and access problem it addresses from the list you
created in step two. Fifth, before spinning up a production environment, make sure you get comfortable with the product
by deploying a proof of concept and testing the hypothesis you outlined in step four. And when you're creating an Azure
AD POC or a production environment, make sure you deploy in the region closest to where the majority of the users
reside. After that, do a detailed cost analysis based on which Azure AD licenses are required, how much each one costs,
and how many of them will be needed for users. And finally, this is the step that most people miss: make sure you
terminate your POC once its purpose is fulfilled. Remove any licenses assigned, delete any domains added, and delete the
directory altogether. Move on to setting up a real production environment only after properly terminating the POC, or at
least removing from it all assets that will be used in the production directory. As an additional bonus step, watch my
other courses on Azure AD in the learning path. This was a beginner-level course, but in the next series of courses I'll
cover individual Azure AD components in a lot more depth. I hope you join me there as well.
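The POC teardown step above (remove assigned licenses, delete added domains, then delete the directory) can be scripted so that nothing paid or name-bound is left behind by accident. The following is an added example written for this page, not code from the course or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module), and the `$PocTenantId` parameter, the scope list, the console messages and the final leftover report are my own assumptions about how such a script would be laid out. Directory deletion itself is not exposed through these cmdlets, so the script empties the tenant and leaves the last step for the portal.

```powershell
# Added example, not from the course: empty an Azure AD proof-of-concept tenant
# before deleting it. Assumes the Microsoft.Graph module is installed.
param(
    # Assumption: caller passes the POC tenant's ID explicitly so the script can
    # refuse to run against production by mistake.
    [Parameter(Mandatory)] [string] $PocTenantId
)

Connect-MgGraph -TenantId $PocTenantId `
    -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "Organization.Read.All"

# Guard: only ever act on the tenant named on the command line.
$ctx = Get-MgContext
if ($ctx.TenantId -ne $PocTenantId) {
    throw "Connected to tenant $($ctx.TenantId) but expected POC tenant $PocTenantId; aborting."
}

# Step 1: strip every license assignment so no paid SKU keeps billing after the POC ends.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AssignedLicenses
foreach ($u in $users) {
    $skuIds = @($u.AssignedLicenses | ForEach-Object { $_.SkuId })
    if ($skuIds.Count -gt 0) {
        Write-Host "Removing $($skuIds.Count) license(s) from $($u.UserPrincipalName)"
        Set-MgUserLicense -UserId $u.Id -RemoveLicenses $skuIds -AddLicenses @() | Out-Null
    }
}

# Step 2: remove custom domains so the same names can be verified again in the
# production directory. The initial *.onmicrosoft.com domain cannot be removed.
# Remove-MgDomain fails while users or groups still reference the domain, which is
# the signal that something is still using it and needs to be cleaned up first.
foreach ($d in (Get-MgDomain -All)) {
    if ($d.IsInitial) { continue }
    try {
        Write-Host "Removing domain $($d.Id)"
        Remove-MgDomain -DomainId $d.Id -ErrorAction Stop
    } catch {
        Write-Warning "Domain $($d.Id) still has references and was not removed: $($_.Exception.Message)"
    }
}

# Step 3: report what still blocks deleting the directory in the portal
# (remaining users, app registrations and any linked subscriptions must go first).
$remainingUsers = @(Get-MgUser -All -Property Id).Count
$remainingApps  = @(Get-MgApplication -All -Property Id).Count
Write-Host "Remaining users: $remainingUsers; app registrations: $remainingApps"
Write-Host "When both are zero and no subscriptions are linked, delete the directory from the portal."

Disconnect-MgGraph | Out-Null
```

Run it only while signed in with an account that exists in the POC tenant; the tenant-ID check at the top is what keeps a copied-and-pasted command line from stripping licenses in the wrong directory, which is exactly the "messes cropping up later" the planning steps warn about.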
