Azure Administration: Manage Subscriptions and Resources
My notes from the course Azure Administration: Manage Subscriptions and Resources, part of the Prepare for Microsoft Azure Administrator Certification (AZ-103) learning path on LinkedIn Learning
Manage Azure Subscriptions
Administrator Roles
- Classic - the three classic subscription administrator roles, managed through the classic portal, which Microsoft no longer recommends
- Account Administrator - billing owner of the subscription; can create and cancel subscriptions and change the Service Administrator
- Service Administrator - manages services in the portal and can assign users to the Co-Administrator role
- Co-Administrator - same privileges as the Service Administrator, except it cannot change the association of subscriptions to directories
- Azure Role-Based Access Control (RBAC) roles
- Owner - full access, including delegating access to others
- Contributor - full access to manage resources, but can't delegate access (no role assignments)
- Reader - can view only
- User Access Administrator - manages user access to Azure resources (role assignments) but not the resources themselves; a Global Administrator can elevate access to get this role at the root scope (/), which is meant for temporary use and should be removed afterwards
- 70 built-in roles
- Custom roles
- Azure Active Directory (AD) admin roles
- Create, edit, reset user passwords, etc.
- Several Azure AD roles can additionally be granted, e.g. Global administrator, Billing administrator, Device administrator, Information Protection administrator, User administrator, etc.
- Service Administrator
- By default the same person as the Account Administrator (the one who signed up for the account)
- If the Service Administrator is changed, the original Account Administrator loses access to the subscription's resources as well
- Cannot be set to a user who is not in the directory
Azure Policy
- Policy - individual policies
- Policy definition - conditions and enforcements
- Policy assignment - A definition assigned to a scope
- Policy parameters
- Initiative - group of individual policies
- Initiative definition - group of policies
- Initiative parameters - values passed down to the parameters of the member policy definitions
- Initiative assignment
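Added example (not from the course) showing all of the pieces above in working PowerShell: a parameterised policy definition, an initiative that groups it with a built-in definition, and an initiative assignment on a resource group. Assumes the Az.Resources module (the output shape with .Properties and .PolicyDefinitionId, i.e. versions before 7.x), an existing login, the resource group name 'AZ-100' and the definition names, all of which are assumptions.

```powershell
# Added example (not from the course): policy definition -> initiative -> assignment.
# Assumes Az.Resources (pre-7.x output shape), an existing login, RG 'AZ-100' (assumed).

# 1. Policy definition: conditions ("if") and enforcement ("then"), with two
#    parameters so the same definition can be reused with Audit or Deny.
$tagPolicyRule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
'@

$tagPolicyParameters = @'
{
  "tagName": {
    "type": "String",
    "metadata": { "displayName": "Tag name", "description": "Tag that must be present" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

$tagDef = New-AzPolicyDefinition -Name 'require-tag' `
    -DisplayName 'Require a tag on resources' `
    -Mode Indexed `
    -Policy $tagPolicyRule `
    -Parameter $tagPolicyParameters

# 2. Reuse a built-in definition (the same one these notes assign later).
$diskDef = Get-AzPolicyDefinition |
    Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# 3. Initiative definition: a group of policy definitions. The initiative
#    parameter 'requiredTag' is passed down to the member's 'tagName'
#    parameter; the effect is pinned to Deny for this initiative.
$initiativePolicies = @"
[
  {
    "policyDefinitionId": "$($tagDef.PolicyDefinitionId)",
    "parameters": {
      "tagName": { "value": "[parameters('requiredTag')]" },
      "effect":  { "value": "Deny" }
    }
  },
  {
    "policyDefinitionId": "$($diskDef.PolicyDefinitionId)"
  }
]
"@

$initiativeParameters = @'
{
  "requiredTag": {
    "type": "String",
    "metadata": { "displayName": "Required tag" },
    "defaultValue": "IT"
  }
}
'@

$initiative = New-AzPolicySetDefinition -Name 'rg-baseline' `
    -DisplayName 'Resource group baseline' `
    -PolicyDefinition $initiativePolicies `
    -Parameter $initiativeParameters

# 4. Initiative assignment: bind the definition to a scope and supply the
#    initiative parameter value. Deny only blocks new or updated resources;
#    existing non-compliant resources show up in the compliance view instead.
$rg = Get-AzResourceGroup -Name 'AZ-100'
New-AzPolicyAssignment -Name 'rg-baseline-assignment' `
    -DisplayName 'Resource group baseline' `
    -Scope $rg.ResourceId `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ requiredTag = 'IT' }

# Check compliance once the evaluation has run (can take around 30 minutes).
Get-AzPolicyState -ResourceGroupName 'AZ-100' -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState
```

The Deny effect is the security-relevant setting: with Audit, an untagged resource is still created and only flagged; with Deny the ARM request is rejected before the resource exists.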
Analyze Resource Utilization and Consumption
Types of Logs
- Activity Logs - subscription-level record of control-plane operations (PUT, POST, DELETE) on Azure resources: who did what, and when
- OS-level (Guest OS) diagnostic logs - collected by an agent running on the resource
- Application logs - used to debug an app, including:
- Web server diagnostics
- Application diagnostics
- Diagnostic logs - emitted by the platform, no agent required
- Tenant logs - activity on resources outside subscriptions e.g. Azure AD
- Resource logs - activity within subscriptions, emitted by the resource itself
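Added example (not from the course) of what the Activity Log is good for from a security-operations point of view: filtering it down to the successful control-plane writes a reviewer cares about (role assignment changes, lock and policy removals, resource group deletions, NSG rule changes). The operation names are the real ARM operation strings; the sample event objects are constructed, not real log data. Assumes the Az.Monitor module and an existing login for the live query at the end.

```powershell
# Added example (not from the course): hunt the Activity Log for sensitive
# successful control-plane writes. Sample events below are constructed.

# Operations whose "Succeeded" events warrant a look. The Activity Log emits
# several events per operation (Started, Succeeded, Failed); only the
# Succeeded one proves the change actually happened.
$SensitiveOperations = @(
    'Microsoft.Authorization/roleAssignments/write',
    'Microsoft.Authorization/roleAssignments/delete',
    'Microsoft.Authorization/roleDefinitions/write',
    'Microsoft.Authorization/locks/delete',
    'Microsoft.Authorization/policyAssignments/delete',
    'Microsoft.Resources/subscriptions/resourceGroups/delete',
    'Microsoft.Network/networkSecurityGroups/securityRules/write'
)

# Az.Monitor 1.x returned OperationName/Status as LocalizableString objects
# (read .Value); later versions return plain strings. Handle both.
function Get-EventText {
    param($Field)
    if ($null -eq $Field) { return '' }
    if ($Field -is [string]) { return $Field }
    return [string]$Field.Value
}

# Pure filter over event objects so it can be exercised on constructed input.
function Select-SensitiveEvent {
    param([Parameter(ValueFromPipeline)]$LogEntry)
    process {
        $op = Get-EventText $LogEntry.OperationName
        $status = Get-EventText $LogEntry.Status
        if ($status -eq 'Succeeded' -and $SensitiveOperations -contains $op) {
            [pscustomobject]@{
                Time      = $LogEntry.EventTimestamp
                Caller    = $LogEntry.Caller
                Operation = $op
                Resource  = $LogEntry.ResourceId
            }
        }
    }
}

# Constructed sample events (not real log data) to show the filter offline.
$sample = @(
    [pscustomobject]@{ EventTimestamp = Get-Date '2019-05-01T10:00:00Z'; Caller = 'watson@contoso.com'
                       OperationName = 'Microsoft.Authorization/roleAssignments/write'; Status = 'Started'
                       ResourceId = '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/1' },
    [pscustomobject]@{ EventTimestamp = Get-Date '2019-05-01T10:00:02Z'; Caller = 'watson@contoso.com'
                       OperationName = 'Microsoft.Authorization/roleAssignments/write'; Status = 'Succeeded'
                       ResourceId = '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/1' },
    [pscustomobject]@{ EventTimestamp = Get-Date '2019-05-01T11:30:00Z'; Caller = 'svc-deploy'
                       OperationName = 'Microsoft.Compute/virtualMachines/write'; Status = 'Succeeded'
                       ResourceId = '/subscriptions/xxx/resourceGroups/AZ-100/providers/Microsoft.Compute/virtualMachines/vm1' },
    [pscustomobject]@{ EventTimestamp = Get-Date '2019-05-01T12:00:00Z'; Caller = 'holmes@contoso.com'
                       OperationName = 'Microsoft.Authorization/locks/delete'; Status = 'Succeeded'
                       ResourceId = '/subscriptions/xxx/resourceGroups/AZ-100/providers/Microsoft.Authorization/locks/NoDelete' }
)
# Prints two rows: the successful role assignment write and the lock deletion.
$sample | Select-SensitiveEvent | Format-Table -AutoSize

# Against a live subscription. The Activity Log keeps 90 days; export it with a
# diagnostic setting on the subscription if you need longer retention.
# Get-AzActivityLog -StartTime (Get-Date).AddDays(-7) -MaxRecord 5000 |
#     Select-SensitiveEvent | Sort-Object Time | Format-Table -AutoSize
```

The list of operations is the part worth tuning: add whatever write operations matter in your estate (Key Vault access policies, storage account key regeneration, and so on), and keep the Succeeded filter so the Started events do not double every hit.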
Configure Diagnostic Settings
PowerShell (AzureRm module, since replaced by the Az module)
# List all resources
Get-AzureRmResource | ft
# Enable diagnostic settings
Set-AzureRmDiagnosticSetting -ResourceId 'ResourceID' -Enabled $True -StorageAccountId 'StorageID'
# Display resource detail and settings
Get-AzureRmDiagnosticSetting -ResourceId 'ResourceID'
# Disable diagnostic settings
Set-AzureRmDiagnosticSetting -ResourceId 'ResourceID' -Enabled $False
Baseline for Resources
- Process automation - via Runbooks e.g. start or stop VMs
- Configuration management
- Inventory
- Change tracking
- Desired State Configuration (DSC)
- Update management
- Shared capability - automate and configure at scale
Azure Alerts
- Target - the resource(s) to be monitored
- Criteria - the signal and condition that trigger the alert
- Action - the action group (email, SMS, voice, webhook, runbook, etc.) notified when the alert fires
Rate Limiting (notifications sent to one receiver)
- 100 emails / hour
- 1 voice call / 5 minutes
- 1 SMS / 5 minutes
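Added example (not from the course) wiring the three pieces together as an Activity Log alert: Target is the subscription, Criteria is a successful role assignment write in the Administrative category, Action is an action group that e-mails the security team. Assumes the Az.Monitor 1.x/2.x cmdlet names (Set-AzActionGroup, Set-AzActivityLogAlert; later module versions renamed these), an existing login, the resource group 'AZ-100' and the address secops@example.com, all assumptions.

```powershell
# Added example (not from the course): Activity Log alert on role assignment
# writes. Assumes Az.Monitor 1.x/2.x cmdlets, RG 'AZ-100' and the e-mail
# address below (both assumed).
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Action: who gets told. One e-mail receiver. The 100 e-mails/hour limit above
# applies per address, so a noisy criterion silently drops notifications.
$mail = New-AzActionGroupReceiver -Name 'secops-mail' -EmailReceiver -EmailAddress 'secops@example.com'
$actionGroup = Set-AzActionGroup -Name 'ag-secops' -ResourceGroupName 'AZ-100' -ShortName 'secops' -Receiver $mail

# Criteria: every condition must match (logical AND). Filtering on status
# avoids firing once for the Started event and again for Succeeded.
$conditions = @(
    (New-AzActivityLogAlertCondition -Field 'category' -Equal 'Administrative'),
    (New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Authorization/roleAssignments/write'),
    (New-AzActivityLogAlertCondition -Field 'status' -Equal 'Succeeded')
)

# Target plus wiring: the alert rule itself (Activity Log alerts are 'Global').
Set-AzActivityLogAlert -Location 'Global' `
    -Name 'alert-role-assignment-write' `
    -ResourceGroupName 'AZ-100' `
    -Scope $scope `
    -Condition $conditions `
    -Action (New-AzActionGroup -ActionGroupId $actionGroup.Id) `
    -Description 'A role assignment was created or changed in this subscription'

# Verify the rule exists and is enabled.
Get-AzActivityLogAlert -ResourceGroupName 'AZ-100' -Name 'alert-role-assignment-write' |
    Select-Object Name, Enabled, Scopes
```

Scoping the rule to the whole subscription means it also catches assignments made at resource group or resource scope, since those events land in the same subscription Activity Log.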
Azure Advisor
- Eliminate unprovisioned ExpressRoute circuits - status 'not provisioned' for over a month
- Delete or reconfigure unused virtual network gateways - over 90 days
- Switch to reserved VM instances
VM Optimization
- Advisor monitors VM usage for 14 days
- Identifies underutilized instances:
- CPU utilization 5% or less
- Network utilization 7 MB or less for four or more days
- Recommends resizing or shutting down the instance
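Added example (not from the course) that reproduces Advisor's low-utilisation check from raw metrics, so the thresholds can be tuned or applied to VMs Advisor has not scored yet. The interpretation is an assumption: a day counts as idle when average CPU is 5% or less and total network traffic is 7 MB or less, and a VM is underutilised when four or more of the last 14 days are idle. Assumes the Az.Compute and Az.Monitor modules and an existing login; the sample series at the end is constructed.

```powershell
# Added example (not from the course): metric-based underutilisation check.
# Thresholds and the idle-day interpretation are assumptions.
$CpuThresholdPercent  = 5
$NetworkThresholdBytes = 7MB
$IdleDaysRequired     = 4
$LookbackDays         = 14

# Pure decision logic: per-day CPU averages and per-day network byte totals
# (same length, same order) in, verdict plus idle-day count out.
function Test-UnderutilizedVm {
    param([double[]]$DailyCpuPercent, [double[]]$DailyNetworkBytes)
    if ($DailyCpuPercent.Count -ne $DailyNetworkBytes.Count) {
        throw 'CPU and network series must cover the same days'
    }
    $idle = 0
    for ($i = 0; $i -lt $DailyCpuPercent.Count; $i++) {
        if ($DailyCpuPercent[$i] -le $CpuThresholdPercent -and
            $DailyNetworkBytes[$i] -le $NetworkThresholdBytes) { $idle++ }
    }
    [pscustomobject]@{
        Underutilized = ($idle -ge $IdleDaysRequired)
        IdleDays      = $idle
        DaysObserved  = $DailyCpuPercent.Count
    }
}

# Pull one metric as a per-day series. 'Percentage CPU' uses Average;
# 'Network In Total' / 'Network Out Total' (bytes) use Total.
function Get-DailyMetricSeries {
    param([string]$ResourceId, [string]$MetricName, [string]$Aggregation)
    $end   = (Get-Date).Date
    $start = $end.AddDays(-$LookbackDays)
    $metric = Get-AzMetric -ResourceId $ResourceId -MetricName $MetricName `
        -StartTime $start -EndTime $end -TimeGrain ([TimeSpan]::FromDays(1)) `
        -AggregationType $Aggregation -WarningAction SilentlyContinue
    foreach ($point in $metric.Data) {
        $value = $point.$Aggregation
        if ($null -eq $value) { 0.0 } else { [double]$value }   # gap (VM deallocated) counts as idle
    }
}

# Walk every VM in the current subscription and report the ones that qualify.
function Get-UnderutilizedVm {
    foreach ($vm in Get-AzVM) {
        $cpu = @(Get-DailyMetricSeries $vm.Id 'Percentage CPU' 'Average')
        $in  = @(Get-DailyMetricSeries $vm.Id 'Network In Total' 'Total')
        $out = @(Get-DailyMetricSeries $vm.Id 'Network Out Total' 'Total')
        $net = @(for ($i = 0; $i -lt $cpu.Count; $i++) { $in[$i] + $out[$i] })
        $verdict = Test-UnderutilizedVm -DailyCpuPercent $cpu -DailyNetworkBytes $net
        if ($verdict.Underutilized) {
            [pscustomobject]@{
                VM            = $vm.Name
                ResourceGroup = $vm.ResourceGroupName
                Size          = $vm.HardwareProfile.VmSize
                IdleDays      = $verdict.IdleDays
            }
        }
    }
}

# Constructed sample (not real metrics): 14 days, 8 of them idle, so it is flagged.
$sampleCpu = @(1.2, 2.0, 30.5, 1.1, 0.9, 45.0, 3.0, 2.2, 1.5, 20.0, 2.1, 1.0, 4.9, 6.0)
$sampleNet = @(1MB, 2MB, 500MB, 3MB, 1MB, 900MB, 6MB, 8MB, 2MB, 50MB, 12MB, 1MB, 6.5MB, 1MB)
Test-UnderutilizedVm -DailyCpuPercent $sampleCpu -DailyNetworkBytes $sampleNet
# Live run: Get-UnderutilizedVm | Format-Table -AutoSize
```

Treating metric gaps as idle is deliberate: a VM that was deallocated for part of the window is exactly the kind of instance worth a second look, but it also means a freshly created VM will be flagged until it has 14 days of history.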
Manage Resource Groups
Apply Policies
# Get resource group and policy definition
$RG = Get-AzureRmResourceGroup -Name 'AZ-100'
$Definition = Get-AzureRmPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }
# Create a policy assignment
New-AzureRmPolicyAssignment -Name 'VM-manageddisk' -DisplayName 'Virtual Machines without Managed Disks' -Scope $RG.ResourceId -PolicyDefinition $Definition
# List all policy definitions
Get-AzureRmPolicyDefinition
# Get policy assignment
$PolicyAssignment = Get-AzureRmPolicyAssignment | Where-Object { $_.Properties.DisplayName -eq 'Virtual Machines without Managed Disks' }
$PolicyAssignment.PolicyAssignmentId
# Remove policy assignment
Remove-AzureRmPolicyAssignment -Name 'VM-manageddisk' -Scope $RG.ResourceId
Resource Locks
- Type of Locks
- CanNotDelete - can read and change but cannot delete
- ReadOnly - can only read; blocks every write and delete, including some operations that look like reads (e.g. listing storage account keys is a POST), so it can lead to unexpected errors
- Locks apply to all child resources within the scope
- Most restrictive lock takes precedence
- Permission required: one of these actions
- Microsoft.Authorization/*
- Microsoft.Authorization/locks/*
- Held by default by Owner
- and User Access Administrator
# Create a new resource lock
New-AzureRmResourceLock -LockName NoDelete -LockLevel CanNotDelete -LockNotes "Cannot Delete Resources" -ResourceGroupName 'AZ-100'
# List all resource locks
Get-AzureRmResourceLock
# List resource lock in specific resource group
Get-AzureRmResourceLock -ResourceGroupName 'AZ-100'
# Remove resource lock
Remove-AzureRmResourceLock -LockName NoDelete -ResourceGroupName 'AZ-100'
Setting Tags
# List all tags in the subscription
Get-AzureRmTag
# Create a new tag
New-AzureRmTag -Name 'IT' -Value "Dev"
# Set tags on resource group
Set-AzureRmResourceGroup -Name "AZ-100" -Tag @{IT = 'Prod'}
# Get count and values of specific tag name
Get-AzureRmTag -Name "IT"
# Assign tag to a resource
$resource = Get-AzureRmResource -ResourceName 'Server2012R2' -ResourceGroupName 'AZ-100'
Set-AzureRmResource -Tag @{IT = "Dev"} -ResourceID $resource.ResourceID -Force
# Delete tags from resource group
Set-AzureRmResourceGroup -Tag @{} -Name 'AZ-100'
# Delete tags from a resource
Set-AzureRmResource -Tag @{} -ResourceID $resource.ResourceID -Force
# Delete tag (only succeeds once no resource or resource group still carries it)
Remove-AzureRmTag -Name 'IT'
Moving Resources
- Move Type
- Move to another subscription - both subscriptions must be in the same Azure AD tenant
- Move to another resource group in the same subscription
- Considerations
- Resources are locked (no add, change, or delete) during the move but remain available
- Location does not change
- Not all resource types can be moved
- Ensure the target subscription will not exceed its quota
- Up to 800 resources per move
- Permission required
- Source:
Microsoft.Resources/subscriptions/resourceGroups/moveResources/action
- Destination:
Microsoft.Resources/subscriptions/resourceGroups/write
PowerShell
# List all resource IDs in resource group
Get-AzureRmResource -oDataQuery "`$filter=resourcegroup eq 'OldRGPS'" | Format-Table -Property ResourceID
# Move a resource (fill in one of the ResourceIds listed above)
Move-AzureRmResource -DestinationResourceGroupName "NewRGPS" -ResourceId ""
# List all resource IDs in the new resource group
Get-AzureRmResource -oDataQuery "`$filter=resourcegroup eq 'NewRGPS'" | Format-Table -Property ResourceID
Remove Resource Group
Remove-AzureRmResourceGroup -Name 'NewRGPS'
Manage Role-Based Access Control (RBAC)
Overview
- Azure AD Role vs. RBAC Role
- RBAC roles grant access to manage Azure resources (subscriptions, resource groups, resources)
- Azure AD roles manage Azure AD resources e.g. users/groups, admin assignment, password reset, licenses, domains
- Permissions required to manage RBAC roles (assign or remove a role):
Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete
- Held by default only by
Owner
and User Access Administrator
Role Assignment
- Security Principal - who or what gets the access
- User, group, service principal, or managed identity
- Role Definition - the collection of permissions (Actions/NotActions) that can or cannot be performed
- Scope - the boundary the access applies to (management group, subscription, resource group, or resource)
- role assignments are inherited by all child scopes
# List all role definitions
Get-AzRoleDefinition | ft Name, Description
# Get detail of specific role
Get-AzRoleDefinition 'Contributor'
# Get action of specific role
Get-AzRoleDefinition 'Contributor' | fl Actions, NotActions
Get-AzSubscription
$subScope = "/subscriptions/xxx"
# Assign role Reader to a person on subscription
New-AzRoleAssignment -SignInName watson@xxxx.com `
-RoleDefinitionName Reader `
-Scope $subScope
# Assign role Contributor to a person on resource group
New-AzRoleAssignment -SignInName watson@xxxx.com `
-RoleDefinitionName Contributor `
-ResourceGroupName "RBAC"
# List role assignments on resource group
Get-AzRoleAssignment -ResourceGroupName "RBAC" | fl DisplayName, RoleDefinitionName
# List role assignments for a person
Get-AzRoleAssignment -SignInName watson@xxxx.com | fl RoleDefinitionName, RoleAssignmentID
# Remove role assignment of a person on resource group
Remove-AzRoleAssignment -SignInName watson@xxxx.com `
-RoleDefinitionName Contributor `
-ResourceGroupName "RBAC"
Custom Role Definition
Can only be created via PowerShell, the CLI, or the REST API (at the time of the course; the portal gained custom role creation later).
# List all role definitions
Get-AzRoleDefinition | ft Name, IsCustom
# Download a built-in role definition as a JSON file to use as a template
Get-AzRoleDefinition -Name 'Virtual Machine Contributor' | ConvertTo-Json | Out-File "C:\Users\xxx\Desktop\VMContributor.json"
# Edit the file before reuse: set Id to null, IsCustom to true, a new Name, the Actions, and restrict AssignableScopes
# Create a new role definition from the edited JSON file
New-AzRoleDefinition -InputFile "C:\Users\xxx\Desktop\PowerOperator.json"
# List all custom role definitions
Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | ft Name, IsCustom
# Get detail of specific role definition
Get-AzRoleDefinition "Virtual Machine Power Operator"
# Remove a role definition
Remove-AzRoleDefinition -Id "xxx"
General Considerations
- Up to 2,000 role assignments per subscription
- Up to 30 minutes for a role assignment or definition change to take effect
- Role assignments do not follow moved or migrated resources - the assignment must be re-created at the new location