AZ 104T00A ENU PowerPoint - 02

Uploaded by mobio jean

AZ-104T00A

Module 02: Administer Governance and Compliance

© Copyright Microsoft Corporation. All rights reserved.


Administer Governance and Compliance: Introduction

Lesson 01: Configure Subscriptions

Lesson 02: Configure Azure Policy

Lesson 03: Configure Role-Based Access Control

Lesson 04: Module 02 Lab


Lesson 01: Configure Subscriptions



Configure Subscriptions: Introduction

Identify Regions

Implement Azure Subscriptions

Obtain a Subscription

Identify Subscription Usage

Implement Cost Management

Apply Resource Tagging

Apply Cost Savings

Summary and Resources


Identify Regions

A region represents a collection of datacenters

Provides flexibility and scale

Preserves data residency

Select regions close to your users

Be aware of region deployment availability

There are global services that are region independent

Worldwide there are 60+ regions representing 140 countries

Regions are paired for high availability


Implement Azure Subscriptions

Only identities in Azure AD, or in a directory that is trusted by Azure AD, can create a subscription

Logical unit of Azure services that is linked to an Azure account

Security and billing boundary


Obtain a Subscription

Enterprise Agreement customers make an upfront monetary commitment and consume services throughout the year

Resellers provide a simple, flexible way to purchase cloud services

Partners can design and implement your Azure cloud solution

Personal free account – Start right away


Identify Subscription Usage

Subscription     Usage
Free             Includes a $200 credit for the first 30 days, free limited access for 12 months
Pay-As-You-Go    Charges you monthly
CSP              Agreement with possible discounts through a Microsoft Cloud Solutions Provider Partner – typically for small to medium businesses
Enterprise       One agreement, with discounts for new licenses and Software Assurance – targeted at enterprise-scale organizations
Student          Includes $100 for 12 months – must verify student access


Implement Cost Management

Conduct cost analysis

Create a budget

Review recommendations

Export the data



Apply Resource Tagging

Provides metadata for your Azure resources

Logically organizes resources into a taxonomy

Consists of a name-value pair

Very useful for rolling up billing information


Apply Cost Savings

Azure Reservations – Helps you save money by pre-paying for services

Azure Hybrid Benefits – Use Windows Server and SQL Server on-premises licenses with Software Assurance

Azure Credits – Monthly credit benefit that allows you to experiment with, develop, and test new solutions on Azure

Regions – Choose low-cost locations and regions


Summary and Resources – Configure Subscriptions

Knowledge Check Questions

Microsoft Learn Modules (docs.microsoft.com/Learn)

Analyze costs and create budgets with Azure Cost Management

Predict costs and optimize spending for Azure


Lesson 02: Configure Azure Policy



Configure Azure Policy: Introduction

Create Management Groups

Implement Azure Policy

Create Azure Policies

Create Policy Definitions

Create Initiative Definitions

Scope the Initiative Definition

Determine Compliance

Demonstration – Azure Policy

Summary and Resources


Create Management Groups

Provides a level of scope above subscriptions

Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies

Compliance and cost reporting by organization (business/teams)


Implement Azure Policies

A service to create, assign, and manage policies

Runs evaluations and scans for non-compliant resources

Advantages:
Enforcement and compliance
Apply policies at scale
Remediation

Usage Cases
Allowed resource types – Specify the resource types that your organization can deploy
Allowed virtual machine SKUs – Specify a set of virtual machine SKUs that your organization can deploy
Allowed locations – Restrict the locations your organization can specify when deploying resources
Require tag and its value – Enforces a required tag and its value
Azure Backup should be enabled for Virtual Machines – Audit if Azure Backup service is enabled for all Virtual machines


Create Azure Policies

1. Create Policy Definitions

2. Create Initiative Definitions

3. Scope the Initiative Definition

4. Determine Compliance



1. Create Policy Definitions

Many policy definitions are available

You can import policies from GitHub

Policy Definitions have a specific JSON format

You can create custom policy definitions


2. Create Initiative Definitions

Group policy definitions

Include one or more policies

Requires planning



3. Scope the Initiative Definition

Select the subscription, and optionally the resource group

Assign the definition to a scope

The scope enforces the policy


4. Determine Compliance

Non-compliant initiatives

Non-compliant policies

Non-compliant resources


Demonstration – Azure Policy

Assign a policy

Create and assign an initiative definition

Check for compliance

Check for remediation tasks

Remove your policy and initiative



Summary and Resources – Configure Azure Policy

Knowledge Check Questions Microsoft Learn Modules (docs.microsoft.com/Learn)

Apply and monitor infrastructure standards with Azure Policy

Build a cloud governance strategy



Lesson 03: Configure Role-Based Access Control


Configure Role-Based Access Control: Introduction

Implement Role-Based Access Control

Create a Role Definition

Create a Role Assignment

Compare Azure RBAC Roles to Azure AD Roles

Apply RBAC Authentication

Determine Azure RBAC Roles

Demonstration – RBAC Roles

Summary and Resources


Implement Role-Based Access Control

Provides fine-grained access management of resources in Azure

Built on Azure Resource Manager

Segregate duties within your team

Grant only the amount of access to users that they need to perform their jobs

Concepts

Security principal. Object that represents something that is requesting access to resources

Role definition. Collection of permissions that lists the operations that can be performed

Scope. Boundary for the level of access that is requested

Assignment. Attaching a role definition to a security principal at a particular scope:
• Users can grant access described in a role definition by creating an assignment
• Deny assignments are currently read-only and are set by Azure Blueprints and Azure Managed Apps


Create a Role Definition

Collection of permissions that lists the operations that can be performed

Built-in roles: Owner, Contributor, Reader, …, Backup Operator, Security Reader, User Access Administrator, Virtual Machine Contributor

Custom roles: Reader Support Tickets, Virtual Machine Operator

Contributor role definition:
"Actions": [
  "*"
],
"NotActions": [
  "Authorization/*/Delete",
  "Authorization/*/Write",
  "Authorization/elevateAccess/Action"
],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
  "/"
]
Create a Role Assignment

Process of binding a role definition to a user, group, or service principal at a scope for the purpose of granting access

1 Security principal: User, Group, Service principal

2 Role definition: built-in (Owner, Contributor, Reader, …, Backup Operator, Security Reader) or custom (Reader Support Tickets, Virtual Machine Operator), e.g. Contributor:
"Actions": [ "*" ],
"NotActions": [ "Auth/*/Delete", "Auth/*/Write", "Auth/elevate" ]

3 Scope: Management group, Subscription, Resource group, Resource

Role assignment shown in the diagram: the Marketing group is assigned the Contributor role at the scope of the Pharma-sales resource group


Compare Azure RBAC Roles to Azure AD Roles

Azure and Azure AD offer two types of roles

Azure RBAC roles:
Manage access to Azure resources
Scope can be specified at multiple levels
Role information can be accessed in the Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API

Azure AD roles:
Manage access to Azure AD objects
Scope is at the tenant level
Role information can be accessed in Azure portal, Microsoft 365 admin portal, Microsoft Graph, Azure Active Directory PowerShell for Graph

Classic administrator roles should be avoided if using Azure Resource Manager


Apply RBAC Authentication

Diagram: Azure AD admin roles (Global admin, Application admin, Application developer, Billing admin) govern the Azure Active Directory tenant; a Global admin/User access admin with elevated access reaches the root management group; Azure RBAC roles (Owner, Contributor, Reader, User access admin, …) apply to the Azure account at the management group, subscription, resource group and resource levels.


Determine Azure RBAC Roles

RBAC role in Azure          Permissions                                                                      Notes
Owner                       Has full access to all resources and can delegate access to others               This applies to all resource types. The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope.
Contributor                 Creates and manages all types of Azure resources but cannot grant access to others   This applies to all resource types
Reader                      Views Azure resources                                                            This applies to all resource types
User Access Administrator   Manages user access to Azure resources                                           This applies to managing access, rather than to managing resources


Demonstration – Azure RBAC

Locate the Access Control blade

Review role permissions

Add a role assignment

Explore PowerShell commands



Summary and Resources – Configure RBAC

Knowledge Check

Microsoft Learn Modules (docs.microsoft.com/Learn)

Create custom roles for Azure resources with role-based access control (RBAC)

Manage access to an Azure subscription by using Azure role-based access control (RBAC)

Secure your Azure resources with role-based access control (RBAC)


Lesson 04: Module 02 Lab



Lab 02a – Manage Subscriptions and Azure RBAC

Lab scenario
To improve the management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
• Using management groups for Contoso’s Azure subscriptions
• Granting user permissions for submitting support requests. This user would only be able to create support request tickets and view resource groups

Objectives
Task 1: Implement Management Groups
Task 2: Create custom RBAC roles
Task 3: Assign RBAC roles

Next slide for an architecture diagram


Lab 02a – Architecture diagram

Task 1

Tenant Root Group

az104-02-rg1 Default Azure AD tenant


Task 2
Task 3
az104-02a-customRoleDefinition.json
{
"Name": "Support Request Contributor (Custom)",
"IsCustom": true,
Azure pass az104-02-aaduser1 customRoleDefinition
"Description": "Allows to create support requests",
"Actions": [
subscription "Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"NotActions": [
],
"AssignableScopes": [
"/providers/Microsoft.Management/managementGroups/az104-02-mg1",
"/subscriptions/SUBSCRIPTION_ID"
]
}

© Copyright Microsoft Corporation. All rights reserved.
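The access check that the role definition, role assignment and scope slides of Lesson 03 describe, applied to the lab's custom role above, as an added Python illustration that is not Azure's authorization service: the assignments, principal ids and resource IDs are constructed, SUBSCRIPTION_ID is kept as the page's placeholder, and the full Microsoft.Authorization operation names replace the slide's "Authorization/*/..." shorthand.

```python
import fnmatch

# Role definitions from the page: the built-in Contributor (Actions "*" minus the
# Microsoft.Authorization NotActions the slide abbreviates as "Authorization/*/...")
# and Lab 02a's custom role. SUBSCRIPTION_ID is the page's placeholder, kept as-is.
CONTRIBUTOR = {"Name": "Contributor", "Actions": ["*"],
               "NotActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                              "Microsoft.Authorization/elevateAccess/Action"],
               "AssignableScopes": ["/"]}
SUPPORT_ROLE = {"Name": "Support Request Contributor (Custom)", "IsCustom": True,
                "Actions": ["Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"],
                "NotActions": [],
                "AssignableScopes": ["/providers/Microsoft.Management/managementGroups/az104-02-mg1",
                                     "/subscriptions/SUBSCRIPTION_ID"]}

def op_matches(pattern, operation):
    """Operation wildcard match, case-insensitive; '*' spans '/' so 'Microsoft.Support/*'
    covers every operation of that resource provider."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def role_allows(role, operation):
    """Effective permissions are Actions minus NotActions; NotActions is not a deny rule."""
    granted = any(op_matches(p, operation) for p in role["Actions"])
    return granted and not any(op_matches(p, operation) for p in role["NotActions"])

def in_scope(scope, resource_id):
    """A scope covers itself and everything beneath it (inheritance down the hierarchy).
    Management-group scopes are not resolved here: that needs the management group tree."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def can_assign(role, scope):
    """A role may only be assigned at or below one of its AssignableScopes."""
    return any(in_scope(a, scope) for a in role["AssignableScopes"])

def is_authorized(assignments, principal_ids, operation, resource_id):
    """Access check: some assignment to the user or one of its groups binds a role
    that allows the operation at a scope covering the resource."""
    return any(a["principal"] in principal_ids and role_allows(a["role"], operation)
               and in_scope(a["scope"], resource_id) for a in assignments)

# Constructed assignments: the slide's Marketing group -> Contributor on the Pharma-sales
# resource group, and the lab's user holding the custom role on the subscription.
SUB = "/subscriptions/SUBSCRIPTION_ID"
ASSIGNMENTS = [
    {"principal": "marketing-group", "role": CONTRIBUTOR, "scope": SUB + "/resourceGroups/pharma-sales"},
    {"principal": "az104-02-aaduser1", "role": SUPPORT_ROLE, "scope": SUB},
]
```

Note that `role_allows(CONTRIBUTOR, "Microsoft.Authorization/roleAssignments/write")` is false: this is exactly why the Contributor row of the Determine Azure RBAC Roles table says "cannot grant access to others".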


Lab 02b – Manage Governance via Azure Policy

Lab scenario
To improve management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
• Tagging resource groups that include only infrastructure resources
• Ensuring that only properly tagged infrastructure resources can be added to infrastructure resource groups
• Remediating any non-compliant resources

Objectives
Task 1: Create and assign tags via the Azure portal
Task 2: Enforce tagging via an Azure Policy
Task 3: Apply tagging via an Azure Policy

Next slide for an architecture diagram


Lab 02b – Architecture diagram

Task 1
Name: Role
Value: Infra Task 2

Azure policy
Cloud Shell Storage Require a tag and its value on resources
Resource Group

Cloud Shell Storage Account

Task 3
Azure policy
Inherit a tag from the resource group if
New Storage Account missing

© Copyright Microsoft Corporation. All rights reserved.
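The policy definition JSON, initiative grouping, compliance evaluation and remediation that Lesson 02 describes and this lab exercises, as an added Python illustration that is not Azure's policy engine: the two definitions are constructed to mirror the built-ins named in the diagram, the resource group and storage account names are made up, and only the allOf/equals/notEquals/exists operators are modelled.

```python
import copy

# Constructed definitions shaped like the Lab 02b built-ins: "Require a tag and its value
# on resources" (effect deny) and "Inherit a tag from the resource group if missing" (modify).
REQUIRE_TAG = {"name": "require-tag", "if": {"field": "tags['Role']", "notEquals": "Infra"},
               "then": {"effect": "deny"}}
INHERIT_TAG = {"name": "inherit-tag",
               "if": {"allOf": [{"field": "tags['Role']", "exists": "false"},
                                {"field": "resourceGroup.tags['Role']", "exists": "true"}]},
               "then": {"effect": "modify", "tag": "Role"}}
INITIATIVE = {"name": "infra-tagging", "policies": [REQUIRE_TAG, INHERIT_TAG]}  # an initiative groups policies

def field_value(resource, field):
    """Resolve a policy field: location, tags['Role'] or resourceGroup.tags['Role'] (None if absent)."""
    if field.startswith("resourceGroup."):
        return field_value(resource["resourceGroup"], field[len("resourceGroup."):])
    if field.startswith("tags['"):
        return resource.get("tags", {}).get(field[6:-2])  # strip the tags[' and '] wrapper
    return resource.get(field)

OPS = {"equals": lambda v, a: v == a, "notEquals": lambda v, a: v != a,
       "exists": lambda v, a: (v is not None) == (a == "true")}

def matches(cond, resource):
    """True when the policy's 'if' block selects the resource (a missing tag evaluates as null)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    op = next(k for k in cond if k in OPS)
    return OPS[op](field_value(resource, cond["field"]), cond[op])

def evaluate(initiative, resources, remediate=False):
    """Map resource name -> violated policy names; remediate=True applies 'modify' effects first."""
    ordered = sorted(initiative["policies"], key=lambda p: p["then"]["effect"] != "modify")
    report = {}
    for res in copy.deepcopy(resources):  # never mutate the caller's inventory
        failing = []
        for pol in (p for p in ordered if matches(p["if"], res)):
            if pol["then"]["effect"] == "modify" and remediate:  # the remediation task
                tag = pol["then"]["tag"]
                res.setdefault("tags", {})[tag] = res["resourceGroup"]["tags"][tag]
                continue
            failing.append(pol["name"])  # deny/audit hit, or a modify not yet remediated
        report[res["name"]] = failing
    return report

# Constructed sample: a Role=Infra resource group holding three storage accounts.
RG_INFRA = {"name": "cloud-shell-rg", "tags": {"Role": "Infra"}}
RESOURCES = [{"name": "cloudshellsa", "tags": {"Role": "Infra"}, "resourceGroup": RG_INFRA},
             {"name": "newsa", "tags": {}, "resourceGroup": RG_INFRA},
             {"name": "appsa", "tags": {"Role": "App"}, "resourceGroup": RG_INFRA}]
```

Running `evaluate(INITIATIVE, RESOURCES)` reports the untagged storage account as non-compliant with both policies, while `evaluate(INITIATIVE, RESOURCES, remediate=True)` inherits the tag and leaves only the wrongly tagged account non-compliant, which is the compliance picture the lab's remediation task produces.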


End of presentation
