AZ 104 Presentation

The document outlines the role and responsibilities of an Azure Administrator, including managing identities, governance, and storage in Azure. It covers essential tools such as Azure Cloud Shell, Bash, and PowerShell, and details Microsoft Entra ID, its features, and integration with on-premises Active Directory. Additionally, it discusses role-based access control (RBAC), self-service password reset (SSPR), and various storage account types and management strategies.

Uploaded by murebyousef
AZURE ADMINISTRATOR

YOUSEF MUREB
AGENDA

- Prerequisites for Azure Administrator
  - Role of an admin
  - Azure Cloud Shell
  - What is Bash
  - PowerShell
- Manage identities and governance in Azure
  - Microsoft Entra ID
  - Microsoft Entra Connect
  - Role-based access control (RBAC)
  - Self-service password reset (SSPR)
- Implement and manage storage in Azure
  - Storage accounts
  - Storage types

ROLE OF AN ADMIN

- Managing Azure resources such as VMs, networks, and storage.
- Monitoring and performance optimization of Azure environments.
- Securing Azure solutions through identity, governance, and RBAC policies.
- Implementing backup and recovery plans for disaster scenarios.

AZURE CLOUD SHELL

- Open a secure command-line session from any browser-based device.
- Interact with Azure resources without the need to install plug-ins or add-ons to your device.
- Persist files between sessions for later use.

WHAT IS BASH

Bash is a vital tool for managing Linux machines. The name is short for "Bourne Again Shell."

It is a scripting language that allows the user to enter commands to manage resources.

It is a Unix-based language.

POWERSHELL

- PowerShell consists of two parts: a command-line shell and a scripting language. It started out as a framework to automate administrative tasks in Windows. PowerShell has grown into a cross-platform tool that's used for many kinds of tasks.
- A command-line shell lacks a graphical interface, where you use a mouse to interact with graphical elements. PowerShell provides the GUI.
- It operates on objects rather than text.

MICROSOFT ENTRA ID

- Microsoft Entra ID is part of the platform as a service (PaaS) offering and operates as a Microsoft-managed directory service in the cloud.
- With Microsoft Entra ID, you also have access to a set of features that aren't natively available in AD DS, such as support for multi-factor authentication, identity protection, and self-service password reset.

MICROSOFT ENTRA TENANTS

- Unlike AD DS, Microsoft Entra ID is multi-tenant by design and is implemented specifically to ensure isolation between its individual directory instances.
- The term tenant typically represents a company or organization that signed up for a subscription to a Microsoft cloud-based service such as Microsoft 365, Intune, or Azure, each of which uses Microsoft Entra ID.

CHARACTERISTICS OF ENTRA ID

01. Microsoft Entra ID is primarily an identity solution, and it's designed for internet-based applications by using HTTP and HTTPS.
02. Microsoft Entra ID is a multi-tenant directory service.
03. Since it is a cloud-based service, it provides the capabilities to authenticate billions of resource groups globally.

ENTRA ID P1

- Self-service group management.
- Multi-factor authentication.
- Enterprise SLA of 99.9%.
- Password reset with writeback.

ENTRA ID P2

- Microsoft Entra ID Protection.
- Microsoft Entra Privileged Identity Management.

MICROSOFT ENTRA ADMIN CENTER

- The Microsoft Entra admin center is a web-based identity portal for Microsoft Entra products.

HOW TO CREATE USER IDENTITIES IN THE CLOUD

1. Syncing an on-premises Windows Server Active Directory
2. Using the Microsoft Entra admin center
3. Using the Azure portal
4. Using the command line

GROUPS IN ENTRA ID

1. Security groups: These are the most common and are used to manage member and computer access to shared resources for a group of users.
2. Microsoft 365 groups: These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more.

ROLES IN ENTRA ID

- Owner: Has full access to all resources, including the right to delegate access to others.
- Contributor: Can create and manage all types of Azure resources but can't grant access to others.
- Reader: Can view existing Azure resources.

ROLE DEFINITIONS

Name | Description
Id | Unique identifier for the role, assigned by Azure
IsCustom | True if a custom role, False if a built-in role
Description | A readable description of the role
Actions [] | Allowed permissions; * indicates all
NotActions [] | Denied permissions
DataActions [] | Specific allowed permissions as applied to data, for example Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
NotDataActions [] | Specific denied permissions as applied to data.
AssignableScopes [] | Scopes where this role applies; / indicates global, but can reach into a hierarchical tree

MICROSOFT ENTRA CONNECT

- Companies that use an on-premises Windows Server Active Directory solution can integrate their existing users and groups with Microsoft Entra ID with Microsoft Entra Connect.
- Microsoft Entra Connect is a free tool you can download and install to synchronize your local AD with your Azure directory.

FEATURES OF ENTRA CONNECT

- Sync services
- Health monitoring
- Password hash synchronization
- Pass-through authentication

BENEFITS OF ENTRA CONNECT

- Users can use a single identity to access both on-premises applications and cloud services such as Microsoft 365.
- A single tool provides an easy deployment experience for synchronization and sign-in.
- Integration provides the newest capabilities for your scenarios.
- Microsoft Entra Connect replaces older versions of identity integration tools such as DirSync and Azure AD Sync.

ROLE BASED ACCESS CONTROL (RBAC)

- Azure RBAC allows you to grant access to Azure resources that you control.

WHERE CAN YOU USE RBAC

- Allow one user to manage virtual machines in a subscription and another user to manage virtual networks.
- Allow a database administrator group to manage SQL databases in a subscription.
- Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.

HOW DOES RBAC WORK

- To create a role assignment, you need three elements: a security principal, a role definition, and a scope. You can think of these elements as who, what, and where.

WHO IN RBAC

- A security principal is just a fancy name for a user, group, or application to which you want to grant access.

WHAT IN RBAC

- A role definition is a collection of permissions. It's sometimes just called a role. A role definition lists the permissions the role can perform, such as read, write, and delete.
- Several built-in roles exist:
  - Owner
  - Contributor
  - Reader

WHERE IN RBAC

- Scope is the level where the access applies. This is helpful if you want to make someone a Website Contributor but only for one resource group.
- In Azure, you can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship.
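As an added example (not part of the presentation), the following Python evaluates one role assignment the way the role-definition table and the who/what/where model above describe it: wildcard Actions minus NotActions for management operations, DataActions minus NotDataActions for the data plane, and a scope check along the management group, subscription, resource group, resource hierarchy. The custom role, the subscription id and the resource ids are constructed placeholders.

```python
import re

# Constructed custom role shaped like the role-definition properties in the table above.
# The subscription id is a placeholder, not a real tenant.
VM_OPERATOR_ROLE = {
    "Name": "Virtual Machine Operator (constructed example)",
    "IsCustom": True,
    "Description": "Start, stop and read VMs, read blobs, but never delete a VM.",
    "Actions": ["Microsoft.Compute/virtualMachines/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read"],
    "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

def action_matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: '*' stands for any run of characters, '/' included.
    Operation names are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def scope_contains(parent: str, child: str) -> bool:
    """True when child equals parent or lies beneath it in the management group ->
    subscription -> resource group -> resource tree. '/' is the global root."""
    parent, child = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return parent == "" or child == parent or child.startswith(parent + "/")

def role_permits(role: dict, operation: str, data_plane: bool = False) -> bool:
    """Effective permission = Actions minus NotActions (NotActions subtracts from this
    role only; it is not a deny that overrides other assignments)."""
    allow = role["DataActions"] if data_plane else role["Actions"]
    deny = role["NotDataActions"] if data_plane else role["NotActions"]
    if any(action_matches(p, operation) for p in deny):
        return False
    return any(action_matches(p, operation) for p in allow)

def assignment_permits(role: dict, assignment_scope: str, resource_scope: str,
                       operation: str, data_plane: bool = False) -> bool:
    """Decide one assignment (the 'who' is implied): the role must be assignable at
    assignment_scope, and the target resource must sit inside that scope."""
    if not any(scope_contains(s, assignment_scope) for s in role["AssignableScopes"]):
        raise ValueError(f"role cannot be assigned at {assignment_scope}")
    return scope_contains(assignment_scope, resource_scope) and role_permits(role, operation, data_plane)
```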
SELF-SERVICE PASSWORD RESET

- With SSPR, users can reset their passwords in a web browser or from a Windows sign-in screen.
- SSPR reduces the load on administrators because users can fix password problems themselves without having to call the help desk.

AUTHENTICATION METHODS

Authentication method | How to register | How to authenticate for a password reset
Mobile app notification | Install the Microsoft Authenticator app on your mobile device, then register it on the multifactor authentication setup page. | Azure sends a notification to the app, which you can either verify or deny.
Mobile app code | This method also uses the Authenticator app, and you install and register it in the same way. | Enter the code from the app.
Email | Provide an email address that's external to Azure and Microsoft 365. | Azure sends a code to the address, which you enter in the reset wizard.
Mobile phone | Provide a mobile phone number. | Azure sends a code to the phone in an SMS message, which you enter in the reset wizard. You can also choose to get an automated call.
Office phone | Provide a nonmobile phone number. | You receive an automated call to this number and press #.

SSPR IN AZURE

- There are three settings for the Self-service password reset enabled property:
  - None: No users in the Microsoft Entra organization can use SSPR. This value is the default.
  - Selected: Only the members of the specified security group can use SSPR.
  - All: All users in the Microsoft Entra organization can use SSPR.

Storage accounts
Account types

- Azure Blob: A massively scalable object store for text and binary data.
- Azure File Share: Managed file shares for cloud or on-premises deployments.
- Azure Queue Storage: A messaging store for reliable messaging between application components.
- Azure Table Storage: A service that stores nonrelational structured data (also known as structured NoSQL data).

Azure blobs
Features

Azure Blob Storage is Microsoft's object storage solution for the cloud.
Blob Storage is ideal for:

- Image upload: Serving images or documents directly to a browser.
- File storage: Storing files for distributed access across different services and groups.
- Video streams: Streaming high quality video and audio.
- Data tier movement: Move resources and services from one tier level to another (hot -> cool).

Azure Blobs
Blob Types

- Block blobs: A block blob consists of blocks of data that are assembled to make a blob.
- Page blobs: A page blob can be up to 8 TB in size. Page blobs are more efficient for frequent read/write operations.
- Append blobs: An append blob is similar to a block blob because the append blob also consists of blocks of data.

Azure File Shares
Features and snapshots

Where to use them

Azure Files enables you to set up highly available network file shares. Shares can be accessed by using the Server Message Block (SMB) protocol and the Network File System (NFS) protocol.

Snapshots

Azure Files provides the capability to take share snapshots of file shares. The Azure Files share snapshot capability is provided at the file share level.

Soft delete
Features

Soft delete mainly allows for the recovery of unintentionally deleted resources. It is another security measure under Azure File Share Storage.

- Level of removal: Soft delete for file shares is enabled at the file share level.
- How it works: Soft delete transitions content to a soft deleted state instead of being permanently erased.
- Retention period: The retention period is the amount of time that soft deleted file shares are stored and available for recovery.

Security protocols at the storage level
Methods provided by Microsoft

- Encryption at rest: Storage Service Encryption (SSE) with a 256-bit Advanced Encryption Standard (AES) cipher encrypts all data written to Azure Storage.
- Authentication: Microsoft Entra ID and role-based access control (RBAC) are supported for Azure Storage for both resource management operations and data operations.
- Encryption in transit: Keep your data secure by enabling transport-level security between Azure and the client (HTTPS).

Shared Access Signatures
Two methods of access

A shared access signature (SAS) is a uniform resource identifier (URI) that grants restricted access rights to Azure Storage resources. SAS is a secure way to share your storage resources without compromising your account keys.

01. SAS provider method
• A lightweight service authenticates the client, as needed.
• Next, it generates a SAS.
• Clients receiving the SAS can access storage account resources directly.
• The SAS defines the client's permissions and access interval.
• It reduces the need to route all data through the front-end proxy service.

02. Front-end proxy service
• Clients can upload and download data through a front-end proxy service, which performs authentication.
• This front-end proxy service has the advantage of allowing validation of business rules.
• If you handle large amounts of data or high-volume transactions, it can be difficult to scale this service.

URI Format

Parameter | Example | Description
Resource URI | https://myaccount.blob.core.windows.net/?restype=service&comp=properties | Defines the Azure Storage endpoint and other parameters. This example defines an endpoint for Blob Storage and indicates that the SAS applies to service-level operations. When the URI is used with GET, the Storage properties are retrieved. When the URI is used with SET, the Storage properties are configured.
Storage version | sv=2015-04-05 | For Azure Storage version 2012-02-12 and later, this parameter indicates the version to use. This example indicates that version 2015-04-05 (April 5, 2015) should be used.
Storage service | ss=bf | Specifies the Azure Storage to which the SAS applies. This example indicates that the SAS applies to Blob Storage and Azure Files.
Start time | st=2015-04-29T22%3A18%3A26Z | (Optional) Specifies the start time for the SAS in UTC time. This example sets the start time as April 29, 2015 22:18:26 UTC. If you want the SAS to be valid immediately, omit the start time.
Expiry time | se=2015-04-30T02%3A23%3A26Z | Specifies the expiration time for the SAS in UTC time. This example sets the expiry time as April 30, 2015 02:23:26 UTC.
Resource | sr=b | Specifies which resources are accessible via the SAS. This example specifies that the accessible resource is in Blob Storage.
Permissions | sp=rw | Lists the permissions to grant. This example grants access to read and write operations.
IP range | sip=168.1.5.60-168.1.5.70 | Specifies a range of IP addresses from which a request is accepted. This example defines the IP address range 168.1.5.60 through 168.1.5.70.
Protocol | spr=https | Specifies the protocols from which Azure Storage accepts the SAS. This example indicates that only requests by using HTTPS are accepted.
Signature | sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B | Specifies that access to the resource is authenticated by using a Hash-Based Message Authentication Code (HMAC) signature. The signature is computed with a key using the SHA256 algorithm, and encoded by using Base64 encoding.
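As an added example that is not part of the original presentation, this Python parses a SAS URI assembled from the parameter examples in the table above and reviews it against simple handling rules: already expired, lifetime too long, not HTTPS-only, no source IP range (or a client outside it), and permissions beyond read/list. The URI is constructed from the table values, the sig value is a placeholder because checking it would need the account key, and the 24-hour lifetime limit is an assumed policy.

```python
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed SAS URI using the parameter values from the table above; sig is a placeholder.
SAMPLE_SAS_URI = (
    "https://myaccount.blob.core.windows.net/?restype=service&comp=properties"
    "&sv=2015-04-05&ss=bf&sr=b&sp=rw&st=2015-04-29T22%3A18%3A26Z"
    "&se=2015-04-30T02%3A23%3A26Z&sip=168.1.5.60-168.1.5.70&spr=https"
    "&sig=PLACEHOLDER_SIGNATURE"
)

def parse_sas(uri: str) -> dict:
    """Return the SAS query parameters (sv, ss, sr, sp, st, se, sip, spr, sig, ...) as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}

def _utc(value: str) -> datetime:
    """Parse the ISO 8601 UTC form used by st/se, e.g. 2015-04-30T02:23:26Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def ip_in_sip(sip: str, client_ip: str) -> bool:
    """sip is a single address or 'low-high'; membership is checked numerically."""
    low, _, high = sip.partition("-")
    return ip_address(low) <= ip_address(client_ip) <= ip_address(high or low)

def review_sas(uri: str, now: datetime, client_ip=None, max_hours: float = 24) -> list:
    """Return review findings for a SAS; an empty list means nothing to flag under the
    (assumed) policy limits. Signature validity is not checked here: that needs the key."""
    p = parse_sas(uri)
    findings = []
    expiry = _utc(p["se"])                        # se is mandatory in a SAS
    start = _utc(p["st"]) if "st" in p else now   # no st: valid immediately
    if expiry <= now:
        findings.append("se: token already expired")
    elif (expiry - start).total_seconds() > max_hours * 3600:
        findings.append(f"se: lifetime exceeds {max_hours}h")
    if p.get("spr") != "https":
        findings.append("spr: token is also accepted over plain HTTP")
    if "sip" not in p:
        findings.append("sip: no source IP restriction")
    elif client_ip is not None and not ip_in_sip(p["sip"], client_ip):
        findings.append(f"sip: {client_ip} is outside {p['sip']}")
    mutating = set(p.get("sp", "")) - set("rl")   # anything beyond read/list
    if mutating:
        findings.append("sp: grants write-class permissions " + "".join(sorted(mutating)))
    return findings
```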
Storage account management
Costs involved with storage accounts

- Performance
- Subscriptions
- Replication
- Location
- Access tier
