Microsoft Azure Integration and Security exam AZ-101 – Resources Part 4 – Secure Identities

Secure identities (25-30%)

Implement Multi-Factor Authentication (MFA)

May include but not limited to:
Enable MFA for an Azure tenant;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

Configure user accounts for MFA;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Configure fraud alerts;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#fraud-alert

Configure bypass options;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#one-time-bypass

Configure trusted IPs;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

Configure verification methods;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#selectable-verification-methods

Manage role-based access control (RBAC);

Duplication! See below.

Implement RBAC policies;

Duplication! See below.

Assign RBAC Roles;

Duplication! See below.

Create a custom role;

Duplication! See below.

Configure access to Azure resources by assigning roles;

Duplication! See below.

Configure management access to Azure

Duplication! See below.

Manage role-based access control (RBAC)

https://docs.microsoft.com/en-us/azure/role-based-access-control/

May include but not limited to:
Create a custom role;

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Configure access to Azure resources by assigning roles;

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Configure management access to Azure;

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Troubleshoot RBAC;

https://docs.microsoft.com/en-us/azure/role-based-access-control/troubleshooting

Implement RBAC policies;

I don’t think this is the correct resource.
https://docs.microsoft.com/en-us/azure/governance/policy/overview

Assign RBAC roles

Duplicate! See above.
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Implement Azure Active Directory (AD) Privileged Identity Management (PIM)

May include but not limited to:
Activate a PIM role;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role

Configure just-in-time access, permanent access, PIM management access, and time-bound access;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim

Create a Delegated Approver account;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow

Enable PIM;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started

Process pending approval requests;

Duplicate! See above.
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow


Microsoft Azure Integration and Security exam AZ-101 – Resources Part 3 – Implement Advanced Virtual Networking

Implement Advanced Virtual Networking 30-35%

Implement application load balancing

May include but not limited to:
Configure application gateway and load balancing rules;

https://blogs.msdn.microsoft.com/ukhybridcloud/2018/03/27/azure-application-gateway-uses-the-load-balancer/

https://azure.microsoft.com/en-gb/services/application-gateway/

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ilb-arm

Implement front end IP configurations;

https://docs.microsoft.com/en-us/azure/application-gateway/tutorial-manage-web-traffic-powershell#create-an-application-gateway

Manage application load balancing;

https://docs.microsoft.com/en-gb/azure/application-gateway/quick-create-portal

Implement Azure load balancer

May include but not limited to:
Configure internal load balancer,

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-create-basic-load-balancer-powershell

Load balancing rules, and public load balancer;

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-basic-internal-portal

Manage Azure load balancing;

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal

Monitor and manage networking

May include but not limited to:
Monitor on-premises connectivity;

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

Use network resource monitoring and Network Watcher;

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

Manage external networking and virtual network connectivity;

https://docs.microsoft.com/en-us/azure/network-watcher/view-relative-latencies

Integrate on premises network with Azure virtual network

May include but not limited to:
Create and configure Azure VPN Gateway;

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#VNetGateway

Create and configure site to site VPN;

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#CreateConnection

Configure Express Route;

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-circuit-portal-resource-manager

Verify on premises connectivity;

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

Manage on-premise connectivity with Azure

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 2 – Implement and manage application services

Implement and manage application services (20-25%)

Configure serverless computing

May include but not limited to:
Manage a Logic App resource;

https://docs.microsoft.com/en-us/azure/logic-apps/manage-logic-apps-with-visual-studio

Manage Azure Function app settings;

https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings

Manage Event Grid;

https://docs.microsoft.com/en-us/azure/event-grid/overview

Manage Service Bus;

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview

Manage App Service plans

May include but not limited to:
Configure application for scaling;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-scale

Enable monitoring and diagnostics;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-enable-diagnostic-log

Configure App Service plans;

https://docs.microsoft.com/en-us/azure/app-service/azure-web-sites-web-hosting-plans-in-depth-overview

Manage App services

May include but not limited to:
Assign SSL certificates;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site

Configure application settings;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure

Configure deployment slots;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-staged-publishing

Configure Azure content delivery network (CDN) integration;

https://azure.microsoft.com/en-gb/blog/enabling-azure-cdn-from-azure-web-app-and-storage-portal-extension/

Manage App Service protection;

https://www.pluralsight.com/courses/microsoft-azure-app-service-protection-managing

https://docs.microsoft.com/en-us/azure/app-service/app-service-mobile-how-to-configure-active-directory-authentication

https://docs.microsoft.com/en-us/azure/app-service/web-sites-backup

Manage roles for an App service;

https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

Create and manage App Service environment

https://docs.microsoft.com/en-us/azure/app-service/environment/intro

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 1 – Evaluate and perform server migration to Azure

After a friend on Reddit posted the recent Ignite video for the AZ-100 exam, I went looking for the AZ-101. As before, it would be a good idea to start here and hear from the horse’s mouth before starting on your journey.

Also, please consider this guide from Skylines Academy for your PowerShell skills to bolster your competency on Azure and for the AZ-10x exams.

Evaluate and perform server migration to Azure (15-20%)

Evaluate migration scenarios by using Azure Migrate

Azure Migrate is focused on analyzing workloads for migration into Azure and is currently constrained to VMware vSphere analysis. Azure Site Recovery Deployment Planner is used for other workloads.

May include but not limited to:
Discover and assess environment;

https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware

Identify workloads that can and cannot be deployed;

https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware#create-and-view-an-assessment

https://docs.microsoft.com/en-us/azure/migrate/concepts-assessment-calculation

Identify ports to open;

https://docs.microsoft.com/en-us/azure/migrate/migrate-overview#what-are-the-port-requirements

Identify changes to network;

This is tough to interpret and the only text that works for me is the work that you might do in the migration stage around changes to the VMs’ network interfaces. Otherwise, the previous link about opening ports should suffice.
https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-manage-network-interfaces-on-premises-to-azure#modify-network-interface-settings

Identify if target environment is supported;

This is really difficult to interpret, but my assumption is that this page best fits.
https://docs.microsoft.com/en-us/azure/migrate/how-to-modify-assessment

Setup domain accounts and credentials

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-tutorial-prepare-on-premises#prepare-an-account-for-mobility-service-installation

Migrate servers to Azure

Recovery Services Vaults provide many data services for protection and recovery.

May include but not limited to:
Migrate by using Azure Site Recovery (ASR);

https://docs.microsoft.com/en-us/azure/site-recovery/

Migrate using P2V;

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

Configure storage;

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#create-a-storage-account

Create a backup vault;

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#create-a-recovery-services-vault

Prepare source and target environments;

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-set-up-source

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-set-up-target

Backup and restore data;

https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-windows-server-to-azure

https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-restore-files-windows-server

Deploy Azure Site Recovery (ASR) agent;

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-install-mobility-service

Prepare virtual network

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#set-up-an-azure-network

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 5 – Manage Identities

Part 5 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

SafariBooksOnline.com content that matches the objectives

https://www.safaribooksonline.com/videos/azure-active/0422018AZURE1F

Manage identities (15-20%)

Manage Azure Active Directory (AD)

May include but not limited to:
Add custom domains;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

configure Azure AD Identity Protection, Azure AD Join, and Enterprise State Roaming;

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-enable

configure self-service password reset;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

implement conditional access policies;

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-untrusted-networks

manage multiple directories;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-administer#how-can-i-add-and-manage-multiple-directories

perform an access review

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview

Manage Azure AD objects (users, groups, and devices)

May include but not limited to:
Create users and groups;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

manage user and group properties;

https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

(Get-AzureADUser -ObjectId $UserId).ToJson()
Set-AzureADUserExtension -ObjectId $UserId -ExtensionName "extension_0380f0f700c040b5aa577c9268940b53_MyNewProperty" -ExtensionValue "MyNewValue"

manage device settings;

https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings

perform bulk user updates

https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0

Implement and manage hybrid identities

May include but not limited to:
Install and configure Azure AD Connect;

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express

configure federation and single sign-on;

Federation

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs

Single Sign On

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

manage Azure AD Connect;

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-whats-next

manage password sync and writeback

Password Sync

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-hash-synchronization#enable-password-hash-synchronization

Password Writeback

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 4 – Configure and Manage Virtual Networks

Part 4 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

There’s an addition I’d like to make for this objective and that is service endpoints.

https://docs.microsoft.com/en-gb/azure/virtual-network/virtual-network-service-endpoints-overview

It seems important to grasp this concept if your posture is one of using Azure services without exposing them to the Public Internet.

The new Azure Firewall – which deserves a post in its own right – is also in preview as of August 2018.

https://docs.microsoft.com/en-gb/azure/firewall/overview

As does the Azure Virtual WAN – or SD-WAN to everyone else in the world.

https://azure.microsoft.com/en-us/services/virtual-wan/

Configure and manage virtual networks (20-25%)

SafariBooksOnline.com content which matches the objectives for virtual networks.

https://www.safaribooksonline.com/videos/azure-networking/0422018AZURE1H

Create connectivity between virtual networks

May include but not limited to:
Create and configure VNET peering;

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

create and configure VNET to VNET;

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

verify virtual network connectivity;

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#troubleshoot

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-portal?toc=%2fazure%2fvirtual-network%2ftoc.json

create virtual network gateway

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Implement and manage virtual networking

May include but not limited to:
Configure private and public IP addresses, network routes, network interface, subnets, and virtual network

https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal

Configure name resolution

May include but not limited to:
Configure Azure DNS;

https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal

configure custom DNS settings;

https://docs.microsoft.com/en-us/azure/dns/dns-custom-domain

configure DNS zones

https://docs.microsoft.com/en-us/azure/dns/dns-operations-dnszones-portal

Create and configure a Network Security Group (NSG)

May include but not limited to:
Create security rules;

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules

associate NSG to a subnet or network interface;

Subnet
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet#change-subnet-settings
Interface
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#associate-or-dissociate-a-network-security-group

identify required ports;

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

evaluate effective security rules

https://docs.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 3 – Deploy and manage virtual machines (VMs)

Part 3 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

SafariBooksOnline.com resources that match the learning objectives for this module:

https://www.safaribooksonline.com/videos/azure-deploying/03401BAZURECWORKS
https://www.safaribooksonline.com/videos/azure-advanced-virtual/03410CZURECWORKS

Cost Engineering note:

If you’re coming from a perspective of managing on-premises infrastructure, you might understand the notion of “disk provisioning”. In VMware land this usually offers you a chocolate box of “Thin Provisioning”, “Thick Lazy Zero” and “Thick Eager Zero”.

Making a decision on the disk provisioning type has a consequence on the management of the VMware datastores. This is another topic entirely.

In Azure, my interpretation is that all VM disks are “Thin Provisioned” and there’s no control exposed to the Azure Administrator to change that, which is fine. I’m happy to have that decision taken away from me.

The point I’m getting at here is that when you choose the size of data disks to attach to your VM, you’ll only be paying for the space you’ve used or written to in that disk. There are other things to consider when you’re not using Azure Managed Disks like maximum sizes that can be protected with Azure Recovery Services Vaults or other service limits, but once you’ve considered those limits and worked out your sweet spot, you may as well choose the largest size of disk that works for you (a consistent large size of course!) to avoid inflating disks later down the road.

Create and configure a VM for Windows and Linux

May include but not limited to:
Configure high availability;

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

configure monitoring, networking, storage, and virtual machine size;

Monitoring
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/monitor
Storage
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq-for-disks
Networking
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-common-network-ref
VM Size
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm

deploy and configure scale sets

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/

Automate deployment of VMs

May include but not limited to:
Modify Azure Resource Manager (ARM) template;

https://docs.microsoft.com/en-us/azure/architecture/building-blocks/extending-templates/update-resource

configure location of new VMs;

Unsure – seems too simple

configure VHD template;

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-specialized

deploy from template;

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template

save a deployment as an ARM template;

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/download-template

deploy Windows and Linux VMs

Too vague
https://docs.microsoft.com/en-us/azure/virtual-machines/

Manage Azure VM

May include but not limited to:
Add data disks; add network interfaces;

Data disk
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/attach-disk-ps
Network Interface
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm

automate configuration management by using PowerShell Desired State Configuration (DSC) and VM Agent by using custom script extensions;

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview

manage VM sizes;

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm

move VMs from one resource group to another;

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm

redeploy VMs

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

Manage VM backups

May include but not limited to:
Configure VM backup;

WARNING Duplicate exam exercise – see “Implement and Manage Storage” – “Implement Backup”
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

define backup policies;

WARNING Duplicate exam exercise – see “Implement and Manage Storage” – “Create and Configure Backup Policy”
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare#select-a-backup-goal-set-policy-and-define-items-to-protect

implement backup policies;

WARNING Duplicate exam exercise – see “Implement and Manage Storage” – “Create and Configure Backup Policy”
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare#select-a-backup-goal-set-policy-and-define-items-to-protect

perform VM restore

WARNING Duplicate exam exercise – see “Implement and Manage Storage” – “Perform a restore operation”
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm