AZ-104 Prerequisites for Azure administrators

My notes from learning path AZ-104 Prerequisites for Azure administrators of Microsoft Certified: Azure Administrator Associate on Microsoft Docs

Module 1 - Apply and monitor infrastructure standards with Azure Policy

Azure Policy

  • Azure Policy enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and SLAs. After this policy is implemented, new and existing resources are evaluated for compliance.
  • RBAC vs. Azure Policy: RBAC focuses on user actions at different scopes. Azure Policy focuses on resource properties during deployment and for already-existing resources.
  • Azure Policy is a default-allow-and-explicit-deny system while RBAC is opposite.

Creating a policy

  1. Create a policy definition
  2. Assign a definition to a scope of resources
  3. View policy evaluation results
Creating a policy definition

A policy definition expresses what to evaluate and what action to take. It is represented as a JSON file

Here is an example of a Compute policy:

  "if": {
    "allOf": [
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
        "not": {
          "field": "Microsoft.Compute/virtualMachines/",
          "in": "[parameters('listOfAllowedSKUs')]"
  "then": {
    "effect": "Deny"

Notice the [parameters('listofAllowedSKUs')] value; this value is a replacement token that will be filled in when the policy definition is applied to a scope.

Applying Azure policy

Register the resource provider if it's not already registered.

Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
  • policy assignment is a policy definition that has been assigned to take place within a specific scope.
  • This scope could range from a full subscription down to a resource group.
  • Policy assignments are inherited by all child resources. However, you can exclude a subscope from the policy assignment.
  • When you assign a policy definition, you will need to supply any parameters that are defined.

For example, here's a policy definition that identifies virtual machines not using managed disks.

# Get a reference to the resource group that will be the scope of the assignment
$rg = Get-AzResourceGroup -Name '<resourceGroupName>'

# Get a reference to the built-in policy definition that will be assigned
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# Create the policy assignment with the built-in definition against your resource group
New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition
Identifying non-compliant resources

The results can be seen in the Resource compliance tab of a policy assignment in the Azure portal use the command-line tools:

Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'
Policy effects
  • Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first to avoid any unnecessary processing if the resource violates policy.
  • Each policy definition in Azure Policy has a single effect. 
Policy Effect What happens?
Deny The resource creation/update fails due to policy.
Disabled The policy rule is ignored (disabled). Often used for testing.
Append Adds additional parameters/fields to the requested resource e.g. tags
Audit, AuditIfNotExists Creates a warning event in the activity log but it doesn't stop the request.
DeployIfNotExists Executes a template deployment when a specific condition is met.
View policy evaluation results
  • Azure Policy can allow a resource to be created even if it doesn't pass validation.
  • In these cases, you can have it trigger an audit event that can be viewed in the Azure Policy portal, or through command-line tools.

Azure portal showing the policy overview screen

Removing a policy definition
Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>'

Organize policy with initiatives

  • An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal.
  • Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.
  • Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope.
  • You can define initiatives using the Azure portal, or command-line tools. In the portal, you use the "Authoring" section.



Screenshot showing Azure portal defining initiatives and definitions

Enterprise governance management

  • Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
  • All subscriptions within a management group automatically inherit the conditions applied to the management group.
  • Policies that inheriting from parent management group cannot be altered by the resource or subscription owner.

Here is an example of creating a hierarchy for governance using management groups:

Image showing Azure Management Groups as a tree graph of relationships

Another scenario where you would use management groups is to provide user access to multiple subscriptions. You can create one role-based access control (RBAC) assignment on the management group that will allow that access to all the subscriptions.

Define standard resources with Azure Blueprints

  • Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements.
  • Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts
  • The relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved.
  • The Azure Blueprints service is backed by the globally distributed Azure Cosmos database. Blueprint objects are replicated to multiple Azure regions.

Blueprint vs. ARM templates

  • The template is used for deployments of one or more Azure resources, but once those resources deploy there's no active connection or relationship to the template.
  • With Blueprints, the relationship is preserved. This connection supports improved tracking and auditing of deployments.
  • Each blueprint can consist of zero or more Resource Manager template artifacts. So Resource Manager templates are reusable in Blueprints.

Blueprint vs. Azure Policy

  • A blueprint is a package or container for composing sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused.
  • A policy is a default-allow and explicit-deny system focused on resource properties during deployment and for already existing resources.
  • You can include a policy in the a blueprint so the policy inclusion makes sure that only approved or expected changes can be made to the environment

Compliance Manager

You also have to understand how the provider manages the underlying resources you are building on.

Microsoft Privacy Statement

What personal data Microsoft processes, how Microsoft processes it, and for what purposes.

Microsoft Trust Center

  • Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
  • Trust Center provides support and resources for the legal and compliance community

Service Trust Portal

  • The Service Trust Portal (STP) is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services.
  • It also includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as: ISO, SOC, NIST, FedRAMP, GDPR

Compliance Manager

  • Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal
  • Compliance Manager provides ongoing risk assessments with a reference of risk-based scores.
  • Compliance Manager also provides recommended actions you can take to improve your regulatory compliance.
  • Recommendations found in Compliance Manager should not be interpreted as a guarantee of compliance.

Monitor your service health

You will want to know about any issues or performance problems they might encounter.

Azure Monitor

  • Azure Monitor delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
  • It helps you understand how your applications are performing and proactively identifies issues.

Data sources can range from your application, any operating system and services:

Data tier Description
Application monitoring data Data about the performance and functionality of the code you have written, regardless of its platform.
Guest OS monitoring data Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
Azure resource monitoring data Data about the operation of an Azure resource.
Azure subscription monitoring data Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
Azure tenant monitoring data Data about the operation of tenant-level Azure services, such as Azure Active Directory.
Diagnostic settings
  • Azure Monitor starts collecting data as soon as you create resources:
    • Activity Logs record when resources are created or modified
    • Metrics tell you how the resource is performing
  • You can extend the data you're collecting s by enabling diagnostics and adding an agent to compute resources.:
    • Enable guest-level monitoring
    • Performance counters: collect performance data
    • Event Logs: enable various event logs
    • Crash Dumps: enable or disable
    • Sinks: send your diagnostic data to other services for more analysis
    • Agent: configure agent settings
Getting more data from your apps
  • Application Insights is a service that monitors the availability, performance, and usage of your web applications, whether they're hosted in the cloud or on-premises. Application Insights can diagnose errors without waiting for a user to report them.
  • Azure Monitor for containers is a service that is designed to monitor the performance of container workloads, which are deployed on AKS. Container logs are also collected.
  • Azure Monitor for VMs is a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs.
Responding to alert conditions
  • An effective monitoring solution must respond proactively to any critical conditions e.g. text or email to an administrator.
  • Alerts. Azure Monitor proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions.
  • Autoscale enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load.

Azure Service Health

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It comprises of:

  • Azure Status provides a global view of the health state of Azure services.
  • Service Health provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them.
    • When events become inactive, they are placed in your Health history for up to 90 days.
    • You can create and manage service Health alerts, which notify you whenever there are service issues that affect you.
  • Resource Health helps you diagnose and obtain support when an Azure service issue affects your resources.
    • It provides you with details about the current and past state of your resources.
    • Resource Health gives you a personalized dashboard of your resources' health.
    • Resource Health shows you times, in the past, when your resources were unavailable because of Azure service problems. It's then easier for you to understand if an SLA was violated.

Module 2 - Introduction to Azure virtual machines

Size of the VM

Option Description Size Series
General purpose balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers. B, Dsv3, Dv3, DSv2, Dv2
Compute optimized high CPU-to-memory ratio. Suitable for medium traffic web servers, network appliances, batch processes, and application servers. Fsv2, Fs, F
Memory optimized high memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics. Esv3, Ev3, M, GS, G, DSv2, Dv2
Storage optimized high disk throughput and IO. Ideal for VMs running databases. Ls
GPU heavy graphics rendering and video editing. are ideal options for model training and inferencing with deep learning. NV, NC, NCv2, NCv3, ND
High performance computes the fastest and most powerful CPU virtual machines with optional high-throughput network interfaces. H

Azure Automation Services

Azure Automation allows you to automate management tasks with ease. These services include:

  • Process Automation allows you to set up watcher tasks that can respond to events that may occur in your datacenter.

  • Configuration Management allows you to track software updates for the operating system that runs on your VM and take action as required.

    • Microsoft Endpoint Configuration Manager is used to manage your company's PC, servers, and mobile devices and can be extended to your Azure VMs.

  • Update Management is used to manage updates and patches for your VMs.

    • Update management incorporates services that provide process and configuration management.

    • Update management can be enabled for a VM directly from your Azure Automation account or from the virtual machine pane in the portal.

Availability Set

Availability set is a logical feature used to ensure that a group of related VMs are deployed so that they aren't all subject to a single point of failure and not all upgraded at the same time during a host operating system upgrade in the datacenter.

  • Microsoft offers a 99.95% external connectivity service level agreement (SLA) for multiple-instance VMs deployed in an availability set.
  • When you place VMs into an availability set, Azure guarantees to spread them across Fault Domains and Update Domains.
    • A fault domain is a logical group of hardware in Azure that shares a common power source and network switch.
    • An update domain is a logical group of hardware that can undergo maintenance or be rebooted at the same time.


Failover  Across Locations

Azure Site Recovery replicates workloads from a primary site to a secondary location with two significant business advantages:

  1. Azure as a destination for recovery, thus eliminating the cost and complexity of maintaining a secondary physical datacenter.

  2. Simple to test failovers for recovery drills without impacting production environments.