Az 104 Study Slides

az-104

Uploaded by wibateam

Certification Exam Rapid Training

AZ-104 Azure Administrator


aka.ms/az-104
aka.ms/CERT/YouTube

Mark Grimes
Principal Consultant
Microsoft Federal
CERT objectives

• EXHIBIT COMPETENCE IN UNDERSTANDING HOW TO STUDY FOR AND PASS EXAMS AZ-104
• DEMONSTRATE CONFIDENCE IN YOUR ABILITY TO TAKE AND PASS EXAMS AZ-104
• HAVE A BETTER UNDERSTANDING OF WHERE BEST TO FOCUS YOUR TIME IN STUDYING TO TAKE AND PASS EXAMS AZ-104
Resources

Microsoft Learn | Microsoft Docs

Browse all - Learn | Microsoft Docs

Microsoft Certified: Azure Administrator Associate - Learn | Microsoft Docs

M I C R O S O F T C O N F I D E N T I A L – I N T E R N A L O N LY
Using this Deck to Study…
Some slides have multiple animations

To study with this deck, use it in “Slide Show” mode F5*

Then you will see all content AND links will work

The “Click to Zoom” slide next allows you to jump to topics*
Exam AZ-104 Objectives
Manage Azure Identities and Governance
15-20%

Manage Azure AD Objects
Manage Role Based Access Control (RBAC)
Manage Subscriptions and Governance

Interpret Access Assignments
1. Check Access feature!
2. Azure Role Assignments
3. Azure Deny Assignments

Manage Multiple Directories
1. Resource independence
2. Administrative independence
3. Synchronization independence

https://aad.portal.azure.com/
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence
Create a Custom Role
1. Role Properties
2. Wildcard Permissions
3. Actions and NotActions
4. Steps to Create one

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal
Configure Cost Management
1. Scopes
2. Group & Filter properties
3. Tag em
4. Use Cost Analysis

Configure Management Groups
1. Understand the Root Management Group
2. Initial Setup
3. Management Group Access
4. Custom Role definition and assignment
5. Move them!
6. Audit them!

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#initial-setup-of-management-groups
Implement & Manage Storage
10-15%

Manage Storage Accounts


Manage Data in Azure Storage
Configure Azure Files and Azure Blob Storage

Configure Network Access to Storage Accounts
1. Require secure transfer
2. Use Private Endpoints
3. Configure firewalls and virtual networks
4. Manage TLS

Configure Azure AD Authentication for a storage account
1. Managed Identity
2. Authenticate a Service Principal
3. From a client Application

az ad sp create-for-rbac \
    --name <service-principal> \
    --role "Storage Blob Data Reader" \
    --scopes /subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>

Configure Storage Tiers for Azure blobs
1. Available Access Tiers
2. Considerations
3. Support
4. Automate access tiers lifecycle

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
Deploy & Manage Azure Compute Resources
25-30%

Configure VMs for high availability and scalability


Automate deployment and configuration of VMs
Create and configure VMs
Create and configure containers
Create and configure Web Apps

Using Custom Script Extensions

1. Know the Tips and Tricks!


2. Extension Schema
3. Property Values
• commandToExecute
See the tutorial

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
Create and Configure Azure Kubernetes Service
1. The Basics
2. Kubernetes RBAC
3. Roles
4. Also know about
• Kubenet
• Azure CNI
• And compare the two!
• Storage Concepts
• Scale

JUST DO IT!

https://docs.microsoft.com/en-us/azure/aks/intro-kubernetes or download the docs as a PDF!
Create and Configure Azure Container Instances
1. Deploy into a Virtual Network
2. Manage Running Containers
• Liveness probe
• Readiness probes
• Start & Stop
• Update

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-overview or download the docs!
Automate Deployment of VMs
ARM Templates

ARM Template Walkthrough
Deploy and Configure Scale Sets

Deploy
• Visual Studio
• Availability Zones
• Placement Groups
• Zone Balancing
• Autoscale
• Applications, Extensions, Data Disks, Encrypt disks
Configure
• Modify Scale Set
• Know Restrictions
• When Deallocation required
• See Scenarios
• See Checklist for using Large Scale Sets (Click the link)
Backup Restore Encrypted VM

Prerequisites
• If not from marketplace, then need to install VM Agent
• Only explicitly allow outbound access if ExtensionSnapshotFailedNoNetwork error

Limitations
• Must be in same subscription and region
• Only standalone keys supported, not cert backed
• Be in same region/subscription as Recovery Vault
• Must recover entire VM for
aka.ms/VNetFAQ

Deploy & Manage Virtual Networks


30-35%

Implement and manage virtual networking


Configure name resolution
Secure Access to Virtual Networks
Configure Load Balancing
Monitor and troubleshoot virtual networking
Integrate on premises network with Azure Virtual Network

Deploy and Configure Azure Bastion Service

Deploy
Do the Tutorial!
Read the FAQ!

Configure
• NSG Access
• Resource Logs
• Monitor / Manage

Evaluate Effective Security Rules

1. Know how traffic is evaluated


• Inbound / Outbound
• Intra Subnet traffic
2. Use Network Watcher
• IP Flow Verify
3. Quickstart to try it!

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-security-group-vi
Configure Express Route

1. Create a Circuit
2. Create and Modify Peering
3. Virtual Network Gateway
4. Connect Vnet to Circuit
5. Route Filters

Troubleshoot External Networking

1. Network Adapter
2. Network Security Group Settings
3. Connectivity Check
4. IP Flow Verify

Download the Azure Networking PDF!


Configure Application Gateway

1. Front End IP Address


2. Listeners
3. Request Routing Rules
4. HTTP Settings
5. Back End Pool
6. Health Probes

https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview
Configure Azure Virtual WAN

1. Site to Site
• Custom IPSec Policy
2. User VPN
3. ExpressRoute
• Encryption

Monitor and back up Azure Resources
10-15%

Monitor resources by using Azure Monitor


Implement backup and recovery

Create Action Groups
Configure Application Insights

1. Ways to get started


• Runtime
• Development time
2. Scan the FAQ
• In Particular
• “Have I enabled everything…”

https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview
Create and Configure Backup policy

1. Built-In Policy Definitions


2. Create a new backup policy
• Datasource
• Recovery Services Vault
• Schedule
• Retention
3. Considerations

Perform site-to-site recovery by using Azure Site Recovery
1. Setup Networking
• URLs
• Tags
• NSG rules
• NVAs
• Network Service Endpoint
2. Recovery Point Options
3. Test Failover ex

https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview
https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-failove
Session takeaways
• Know how to fish?
• Know how to get this deck
• Go register for the exam and take it!!!
• Good Luck!
THANK YOU FOR ATTENDING!
Certification Exam Rapid Training
AZ-104 Azure Administrator
Within 24 hours, the slides will be available for your use at Aka.ms/AzureExamPrep ->> in the “Files” tab

This recording will be available later at aka.ms/CERT, closed captioned in 6 languages: Japanese, Chinese, Korean, French, German and Portuguese

Additionally, you will find individual recordings of EACH module. These will be 10-15 minutes each for easier consumption!
© Copyright Microsoft Corporation. All rights reserved.
Older Slides for Self Review

Resource groups
• Tightly coupled containers of multiple resources of similar or different types
• Azure resources contained should have the same lifecycle
• Every resource *must* exist in one and only one resource group
• Resource groups can span regions
• Nesting of resource groups not supported
• Only Subscription Owners can create resource groups
ARM Templates

Export-AzureRMResourceGroup
• Captures Resource Group as a Template
• Saves as a JSON File
Export-AzureRmResourceGroup -ResourceGroupName "TestGroup"

New-AzureRMResourceGroupDeployment
• adds a deployment to an existing resource group
• az group deployment create

[resourceGroup().location]
• All resources in the template will use same location as the Resource Group will use
Create Azure File share

• Fully managed file shares
• SMB 3.0 support
• Soft Delete on account
• Can cache on File Sync
• Replace or supplement File Shares
• Lift/Shift Apps
aka.ms/azure/files
Just share stuff!
Analyze Resource Utilization and Consumption
https://docs.microsoft.com/en-us/azure/cost-management/overview
Cost Management ( Cloudyn )

Analyze usage

Monitor spend

Report on spend

Optimize
Reserved Instances
Sizing
Recommendations
Create and Configure Storage Accounts
Configure Network Access
• Enable Service Endpoints
• Scope includes Paired Regions
• Need Storage Account Contributor
• Or Join Service to a Subnet permission on subnets
• Can span subscriptions, not tenants
• Configure Network rules
• Can use CIDR notation
• Or individual address
• Make Exceptions
• Trusted Microsoft Services
• E.g. Azure Backup, DevTest labs, Event Grid/Hubs, Networking
aka.ms/Azure/Storage
MUST Read How To
Optimize CDN Delivery
Provider Options
• Azure CDN Standard from Microsoft
• General Web Delivery
• Azure CDN Standard/Premium from Verizon
• General Web Delivery
• Dynamic Site Acceleration
• Azure CDN Standard from Akamai
• General web delivery
• General media streaming
• Video-on-demand media streaming
• Large file download
• Dynamic site acceleration

Read More
PowerShell Options to understand
Update-AzureRMStorageAccountNetworkRuleSet

Set-AzureRmStorageAccount

Add-AzureRmStorageAccountNetworkRule

Set-AzureRmVirtualNetworkSubnetConfig

Log Analytics Workspace

Central Resource monitoring solution

Has its own query language

Each workspace has its own configuration data

Can Collect Data from
• Azure resources in your subscription
• On-premises computers monitored by System Center Operations Manager
• Device collections from System Center Configuration Manager
• Diagnostics or log data from Azure storage
The Big Picture | Application Access Patterns
[Diagram: Users and Internet reaching Your Virtual Network (FrontEnd, Mid-tier, BackEnd), with access patterns numbered 1 to 3]
Access to/from Internet
- DDoS protection
- Web Application Firewall
- Azure Firewall
- Network Virtual Appliances
Access to Azure PaaS services
Service Endpoints
Backend Connectivity
ExpressRoute
VPN Gateways
Access private traffic
Network security groups (NSGs)
Application security groups (ASGs)
User-Defined routes (UDRs)
Implement and Manage Virtual Networking
Public IP
• Separate Azure Object
• Public Azure Service
• VMs, ILBs, VPN, App GWs
• Dynamic (default) or Static
• DNS hostname resolution
Private IP
• Allocated from subnet range
• Internal resolution by Azure DNS
• Subnet, part of VNet range
• VM, ILBs, App GWs
• Dynamic (default) or Static
aka.ms/Azure/Addresses
Configure Name Resolution aka.ms/DNSFAQ

Create DNS Zone


• Zone name must be unique within Resource Group
• Can add Azure Tags for Billing or Grouping
• Creating the zone makes SOA and NS records in Azure
Create DNS Record
• Azure DNS supports all common records
• Use Record Sets for more than one record of same name and type + wildcard!
• SOA and CNAME are exceptions to Rule above
Delegate Domain to Azure DNS
• Must know zone server names
• Get-AzureRmDnsZone -Name contoso.net -ResourceGroupName MyResourceGroup
aka.ms/Azure/DNS
Virtual Networks
Your virtual private network in the cloud
[Diagram: virtual network 10.1.0.0/16 with UDR, connected to Internet, On-premises and Azure Services]
• Private isolated logical network
• Supports Network ACLs and IP Management
• User defined routing for network virtual appliances
• Extends on-premises network to the cloud
• Provides secure connectivity to Azure services
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-des
Network & Application Security Groups
Network Security Groups
• Protects your workloads with distributed ACLs
• Simplified configuration with augmented security rules
• Enforced at every host, applied on multiple subnets
Application Security Groups
• Micro-segmentation for dynamic workloads
• Named monikers for groups of VMs
• Removes management of IP addresses
Service Tags
• Named monikers for Azure service IPs
• Many Services tagged including AzureCloud
Logging and troubleshooting
• NSG flow logs for traffic monitoring
• Integrated with Network Watcher
• JIT access policies with Azure Security Center

Network Security Group (NSG)
Action | Name                      | Source     | Destination     | Port
Allow  | AllowInternetToWebServers | Internet   | WebServers      | 80,443 (HTTP)
Allow  | AllowWebToApp             | WebServers | AppServers      | 443 (HTTPS)
Allow  | AllowAppToDb              | AppServers | DatabaseServers | 1443 (MSSQL)
Deny   | DenyAllInbound            | Any        | Any             | Any

[Diagram: Internet to Web Servers (Web1, Web2), App Servers (App1, App2) and Database Servers (Db1, Db2)]
Subnets
Segmenting the Virtual Network
• Must have unique Address range within Vnet
• Some Azure Services create their own subnets
• Understand Default routing behavior
• Can limit traffic out to Azure Services
• Allow or Deny Traffic with NSGs

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-
Monitor and Troubleshoot Networking
Create
Use Network Watcher
• Portal, PSH, CLI, RestAPI
Features to view/configure
• Topology
• Packet Capture
• IP Flow Verify
• Next Hop
• Security Group view
• NSG flow logging
• Virtual Network Gateway troubleshooting
Integrate On-Premises Network with Azure Virtual Network
Configure Express Route

Just watch a video

• Create a circuit
• Send Service key to provider
• Create / Modify peerings
• Public or Private
• Link Virtual Network to Circuit
• Can also link to other subscriptions!
• Deprovision/Delete
aka.ms/Azure/ExpressRoute
Network Watcher | PowerShell

Create a New One

$networkWatcher = New-AzNetworkWatcher `
    -Name "NetworkWatcher_eastus" `
    -ResourceGroupName "NetworkWatcherRG" `
    -Location "East US"

Retrieve Network Watcher

$networkWatcher = Get-AzNetworkWatcher `
    -Name NetworkWatcher_eastus `
    -ResourceGroupName NetworkWatcherRG

View Details of a Security Rule

Get-AzEffectiveNetworkSecurityGroup `
    -NetworkInterfaceName myVm `
    -ResourceGroupName myResourceGroup

VPN Gateway Redundancy

Options
• Multiple On-premises devices
• Active-Active VPN devices
• Dual Redundancy
• Azure-Azure VPN GW HA
Configure Active-Active
• Need 2 Gateway IP configurations & 2 public IP addresses
• Set the EnableActiveActiveFeature flag
• The gateway SKUs
• VpnGw1
• VpnGw2
• VpnGw3
• or HighPerformance (legacy SKU).
Create and Configure a Network Security Group (NSG)
Apply at Subnet or NIC
Only 1 NSG per Azure Resource
Only TCP or UDP
Special Rules
Microsoft Owned IP Address of 168.63.129.16
Outbound Port 1688 reserved for KMS
aka.ms/Azure/NSG

IPv6

Features
• Load-balanced IPv6 services for IPv6 clients on the Internet
• Native IPv6 and IPv4 endpoints on VMs ("dual stacked")
• Inbound and outbound-initiated native IPv6 connections
• Supported protocols such as TCP, UDP, and HTTP(S) enable a full range of service architectures
Limitations
• Can’t add IPv6 LB rules in portal
• Can’t upgrade VMs to IPv6
• Only assign to LB, not VM
• No DNS reverse lookup
3 Supported methods VM Static IP

1. New-AzureRMNetworkInterface -PrivateIPAddress
2. Azure Portal Set after VM Creation
3. az network nic create

Troubleshoot Load Balancing (LB)
Not responding to Health Probes
• Backend Pool Unhealthy | PsPing or TCPing
• Backend Pool not listening on probe port | netstat -an, look for LISTENING
• Firewall or NSG blocking port
VMs behind LB not responding to traffic on port
• BackEnd Pool VM not listening
• NSG blocking port
• Accessing LB from same VM / NIC
• Accessing LB frontend from participating LB backend pool

Read Troubleshoot Doc


Implement and Manage Hybrid Identities
Install and configure Azure AD Connect

aka.ms/Azure/AD/Connect
Much more in here!!!!
Manage Azure Active Directory (AD)
Enterprise State Roaming

Requires
• Azure AD Premium
• Windows 10
• Azure AD Domain Join
Other Notables
• 3 regions: NA, EMEA, APAC
• Not replicated across
• Country/Region set on attribute
• Cannot be changed after!
• Retention
• Retained until deleted or becomes “Stale”

aka.ms/Azure/Roaming
Manage Azure Active Directory (AD)
Providing conditional access control to APIs + applications
• With "What if" capabilities
• Integrating behavior-based threat analytics via risk-based policies against suspicious logins and compromised credentials

[Diagram: Conditional Access, Identity Protection and Multi-Factor Authentication (Azure AD, MFA) evaluating conditions and applying controls for applications & APIs in some clouds or elsewhere]

CONDITIONS
• USER ATTRIBUTES: User identity, Roles and group memberships, Authentication strength/context
• DEVICE: Registration state, Health state and policy compliancy, Platform type, Lost or stolen
• LOCATION: IP range
• APPLICATION: Application policy, Client type (native, web)
• OTHER: Risk profile, Terms of Use, Time

CONTROLS
• ALLOW ACCESS
• ENFORCE MULTIFACTOR AUTHENTICATION
• FORCE PASSWORD RESET
• BLOCK ACCESS
• LIMIT ACCESS
Implement Multi-Factor Authentication (MFA)
License Requirements
• Azure Multi-Factor Authentication
• Azure Active Directory Premium
• Enterprise Mobility + Security
Turn on two step verification
• For all users …or
• Conditional Access
Configure settings such as…
• Block users
• Fraud Alert
• Caching
• Trusted IPs, Verification methods….
• Read them all! – how to

aka.ms/Azure/MFA
Implement and Manage Hybrid Identities
[Diagram: four identity models, each shown with your Azure AD tenant; labels recovered below]
• CLOUD/MANAGED IDENTITY: Cloud Identity in your Azure AD tenant; no infrastructure on-premises
• SYNCHRONIZED IDENTITY (WITH OR WITHOUT PASSWORD SYNCHRONIZATION): Synchronized Identity in your Azure AD tenant; Azure AD Connect and Azure AD Connect Health; Local identity in your on-premises directory
• SYNCHRONIZED IDENTITY (WITH PASS-THROUGH AUTHENTICATION (PTA)): Synchronized Identity with PTA in your Azure AD tenant; Azure AD Connect and Azure AD Connect Health; Local identity in your on-premises directory
• FEDERATED IDENTITY: Federated Identity in your Azure AD tenant; Azure AD Connect and Azure AD Connect Health; Federation; Local identity in your on-premises directory/IdP

aka.ms/ptauth aka.ms/SSOProviders
aka.ms/hybrid/sso