Gain in-depth knowledge for passing your exam with Exam-Labs AZ-104: Microsoft Azure Administrator certification video training course. The most trusted and reliable name for studying and passing with VCE files which include Microsoft Azure AZ-104 practice test questions and answers, study guide and exam practice test questions. Unlike any other AZ-104: Microsoft Azure Administrator video training course for your certification exam.

Manage subscriptions and governance

2. *UPDATED* The Subscription Dashboard

So in this section of the course, we're talking about subscriptions and regroups and tenants. Now, before we get into subscriptions, I do want to point out that the tenant that I'm in is in the top-right corner of the portal, so you can mouse over it. I can see that my name is Scott Duffy, that this is my email account, and it says directory Scott's Course Outlook, as well as the domain ScottsCoursesOutlook.onmicrosoft.com So remember, the last two elements there are the tenant, the directory, and the domain. We have a whole section of this course on Azure Active Directory, so don't worry about that. Now, let's talk about subscriptions. Now, I am being offered a subscription as a tile on my home page here because I was just out. But if you don't, we're going to have to go to the menu. On the left is the menu roll. You might have a hamburger menu that you have to click on to open, but I have this pinned. It's a setting beneath this gearbox that I want my menu to dock rather than fly out. Right? So you might have it as a flyout. Docked is my preference. And actually, I can even expand this to see the words here. Now let's go into all the services start.Now. There is this overview tab that shows a bunch of featured stuff in the all category. And we can see that subscriptions are one of the ones that have been offered up here. If you can't see it there, you can't find it there. You can start to even type "subscriptions" into the search and it will come up. Now, I have this starred. There's a star here, and that means it's pinned to my menu. So if I go back to here, I'll remove the star. It gets removed from the left, but I like to have it there, and when it's restarted, it's at the bottom. I would have to drag it back to where I would like it. It's going into subscriptions. I can minimise this menu. Now, I actually have a couple of subscriptions, but they are with different tenants. So if I uncheck this box, I can see both of them. But I do see one subscription, which is my default. Remember, I said in the last video that not all tenants have subscriptions, so maybe you see none if you're reusing a tenant that doesn't have a subscription. So to add a subscription, there's this "add button" here. Let's look at the existing subscription and see what we can find. Like I said, the subscription is a basis for billing. And so, one of the first things that you see is the last billed amount. If you've got a brand new account, there's probably nothing there. If you're like me and have been around for a while, you'll notice invoices in this last build amount. If I scroll a bit, I see the top services by cost. It's a brand new month, and I haven't really got many services running on this account, but we can sort of see where the service categories are eating up my account, scrolling down even more. There is a pie graph with numbers representing representative resources, which will be used to calculate your billing for this forecast. So it's basically saying, if you continue spending at the rate that you're spending, you should expect a $25 bill at the end of my billing period. So Azure does try to predict. I don't think it's going to be that high, but we'll see. So that's the overview of Christian, and the rest of this section will talk about other aspects of the subscription.

3. *UPDATED* Assign administrator permissions

Now, I do want to show you how to assign another person access to your section. But before we do that, I'm going to need to create another person. So we'll really jump into the Azure active directory. Now, again, there's a whole section of this course talking about Azure ads, but I'm just going to quickly create a user. So I went to Azure ads and then to users. I'm going to say new users. I'm going to say "create users." Now, I have only a limited number of domain names I can use. There's the assigned domain. I do have a couple of custom domains that I have registered for my account. And this is a domain. So let's create Joe Smithat Scott's course on Outlook on Microsoft.com. And so I can see his name is Joe Smith and let the monitor generate a password. He's not going to be part of anygroups or any role, nothing about him. Let's just say "create." So I've created this user, Joe Smith. But as of now, he's got absolutely no access to anything. He could authenticate himself, but he's not even going to be able to do a single thing. So let's get back to going through the menu. Here we'll go into subscriptions. Go under my subscription. So the relevant thing for granting someone access to your subscription is his control. Now, I can look up Joe Smith and see what access he currently has, and we can see that there's nothing that allows him to have any access to this. I can either give him an assignment, which I'll do now. You start choosing Joe. We just created him; we know it's him. What role do we want him for? Now again, roles are rather complicated. There are only 100 or so predefined, prebuilt rules for you to choose from—everything from managed, application, contributor, application, operator, reader, and things like that. The three core roles areowner, contributor, and Reader. Reader is exactly what it sounds like. It's a read-only access model. You can read and write makeup with Contributor. You can stop and start VMs. You can do anything like that. Create VMs as the owner, which allows you to grant permissions to other people. So a contributor could do things, but not actually give their permissions to others. So let's make Joe a contributor so he can come into my account. When he logs into Azure with the password that they just sent him, he's going to be able to do anything in my account except for this type of thing, which is granting access to other people. I'm going to say "Save." And so Joe Smith was added as a contributor to my account, according to role assignments. I've got service principles, and these are actions. And I have Joe Smith as a user, and he's in the contributor role for my subscription. Now, there are more fine-grained permissions. So contributors quite broad and givesthem full access to everything. I can give them permission for specific resource groups. I can grant permissions to specific resources, and there are hundreds of built-in rules that I can say, "Okay, you're a virtual machine person, but the only thing that you have permission to work with is not databases, not storage accounts, or anything like that." So we're not going to talk about it too deeply in this video. We've got a whole section on our Active Directory and role-based access control. That's how you grant someone permission to use your subscription.

4. Cost center and tagging

So we've been talking about subscriptions as basically being a billing unit. That's our agreement with Microsoft to pay them for their services. And this is done at the subscription level. If you need to change the credit card associated with your subscription, do so here. If you need to create another section so that you have two different credit cards being charged, you can do that as well. Now we're going to talk about costs in this section. Now there is actually a cost management and billing link to the services, but that's just going to lead me to the subscription screen if I go into that. So I'm going to go into management billing. If I choose my subscription, then I'm on the subscription screen. This is the overview that we were just looking at. I'm going to click on cost analysis. Now this is where I can actually do some digging. I'm going to minimise the menu here so we can maximise the real estate. We can do some digging into the cost. Now so far this month I'veonly accumulated around one dollars 30. not very impressive, and maybe not going to have a lot of great numbers. Let's go back to the previous month, the last invoice period, July 7 to August 6. And we can sort of see that I spent over $100, which is what it is, right? So $115 was billed in the last billing period. Now to analyze: where did that $115 go? I can look at this graph over time, and I can sort of see that there's a consistent $5 or $6 that comes out of my account. I know exactly what that was from. Then on the 24th, the graph sort of angles up a little bit more. I pay about $9 a day in charges. And there was the single day on the 31st where I incurred around $8 in charges. At that point, I just got tired of it, and I decided to shut everything down. And it looks like I'm accumulating around fifteen cents a day from the 31st onward. So I can actually look at the last invoice and look at the history, and I remember exactly what I did in order to stop the billing from occurring. What was happening? But maybe you don't know exactly where that's coming from. If we scroll down a little bit, we can sort of see theirs. Graphs are, by default, going to be based on service. So I can see that most of my charges were storage. I did have some VM charges, and I experimented with Azure Firewall; those could be $20. You can actually see the video in this course, which cost me $20. You can also see where those resources were created geographically and the names of the resource group. This drives home the point that naming your resource group something that's useful is going to help you. When you're looking at this, you know that this first VNET is where the majority of the costs were. Also, my AZA 304 updates cost me this much. And I created a special resource group for the firewall. So I can sort of see exactly what projects were included in those costs. Now maybe this still isn't as useful, and you can certainly start to change some of these settings. So, right now, there are no groupings, but suppose you wanted to group by location. This graph is going to change, similar to this pie chart. And you can see which area of the world incurred the cost. As if I wasn't already using US West and then iOS. So you can sort of set some filters on this. Finally, if the pie chart isn't satisfactory, you can go and change what the pie chart represents. Instead of the resource group name, I want to see the tag. Okay, so I'm going to set tags. And let's say I want to say specifically which billing code is incurring the costs. Most of my resources are not tagged or don't support tags. I do have one tag that has zero costs. Now what is this tagging? So cost tagging is actually quite useful. It is a form of metadata. As a result, you can assign tags to almost any resource that you create. And now in this kind of report, a cost analysis report, you can now look at the cost by—let's look at an example. Go back to the home page. And I'm going to go under App Services, and I can see that I have a couple of web apps running. These are free tiers, so they're not costing me anything. These are WordPress sites. Don't trust me. There's nothing interesting there. So I go into this WordPress site, and I can see there are three tags right off the overview screen. Actually, I went into the tags setting, and I can see those three tags. Now I'm the one who's defined these tags. I defined a billing code and an environment billing code. The idea here is that you have a company with cost project numbers, for example, and the finance team needs to know which code to assign those costs to. So imagine if you had an Azure account that had hundreds of resources, but each resource had a billing code. And so the finest team can very easily put $20 against this project, $100 against that project, and $1,000 against this project, because the billing code is quite clear. So this is one way useful of defining which resources areusing which costs and who has to pay for it. I think what I've created is, again, totally custom. This would be the person you would want to contact if something were to go wrong. So let's say this blog was starting to accumulate $100 a month in costs. And I'm like, What's this thing? I don't even know what it is. It's starting to grow and become popular. I can contact this person, who is the owner, project manager, and product manager for the district. So having some type of contact detail is another piece of metadata you can attach to the resource. Finally, many environments have production, staging, and development, maybe knowing that the source is not an essential resource; it's a development resource, not a production resource. It would be useful from an operations perspective. Now, all these are being invented by me. There's no best practise in terms of whether you use them or not. There is a Microsoft document talking about naming conventions, but beyond that, it's up to you. As I previously stated, returning to the purpose building code is extremely beneficial when it comes to, let's say, cost management. When you go into cost analysis, you can see which tags and billing codes are accumulating the most cost, and that information can be passed on to you. So play around with your Azure subscription. Cost Analysis: if you've been using Azure at all, other than the free account, understanding where the costs are being charged kind of leads you to ask, "How can I save money?" That's sort of the next level of this. But at the very least, knowing which services are billed, how much they cost, and being able to drill down on them, go a little deeper, and get you again by day or location, billing, period, and so on. can actually lead you to some insights in terms of how costs are affecting your account.

5. Azure Policy

So in the last video, we saw that we used Azure policies to tag default values on resources. But what is Azure's policy? It actually has a wider use beyond just tagging. You can use the Azure Policy Service to define policies that will enforce your company's standards and service level agreements across all of your resources or specific resources. For example, here is a small selection of the built-in policies that you can optionally select. We already talked about applying a tag to its default value or enforcing the tag, but you can actually restrict your subscription to only certain virtual machines or SKUs with certain risk types. As a result, you can create virtual machines but not web apps, and vice versa. You can restrict it to certain geographic locations in terms of regions, et cetera. So there are these default policies that you can choose from, and you can also create your own policies. Let's switch over to the Azure Portal, and we can examine the Azure Policy service. All right, we're back on the portal here. I'm going to go to all services, type in "policy," go to the policy section, and we can see that the policies that we created videos for have all been removed, which is fine. Let's just switch down to the assignments section. And if I say assign policy, the first thing we need to talk about is the scope. Now, I've been working on the entire subscription scope in the last video, but you can actually go and choose specific resource groups. So let's say that I want this policy that I'm about to add to only affect this one resource group. I can certainly choose that, and that becomes the scope of this policy. We can also exclude specific resources. So we are including the scope of only this resource group. I don't want the network security group included in these policies. Okay, now if we go to the real meat of it, which is within the policy definition, if I look at it, I can see the default policies, the built-in policies that Microsoft provides, and I can actually filter based on my own custom policies or Microsoft's built-in policies. It appears that they've added two policies in the past couple of days. I think I was hereabouts two days ago, and there were 107. Policies are generally broken down into these kinds of restrictions that will not allow things to happen on your account—auditing for a search based on audit—and we can see here that there are 70 of the 100 ISCs that contain the word audit. And what this does, this audit of VMs that do not use managed disks, is basically make it a compliance issue where, if I choose this one, which I will, then I can basically say any VMs that are in this resource group that do not use managed discs will go into a compliance report. And now as a governance function or compliance function I can follow up with that team and say, Why aren't you? This is our company standard for Azure resources, et cetera. So that's one example of it. The other thing, of course, is the enforcement. So if we're talking about tags, we can enforce the tag; we can also enforce OS upgrades. We can basically enforce encryption on data lakes and password complexity requirements, as examples. You can deploy threat detection. So for any of your SQL servers, we can basically ensure that threat detection is enabled, requiring SQL Server version twelve, transparent data encryption on all SQL databases, et cetera. So these Azure policies are basically enforcing your company's "stop level" standards onto Azure as a whole. The other type of policy are your custom fees. So if we go into definitions, we can see the built-in policies, and we saw last week that these things are on GitHub, and we can actually copy the JSON from those. We can also create our own policies. So basically, if you go down, I'm going to scroll here, and we can see the JSON definition of the policy rule. The policy rule has sort of an if-then syntax. So if no location is in the field of allowed locations, then this becomes an audit. So we can sort of read this as being "this is how a policy works," and then "these are the parameters that the list of allowed locations must be passed in as a parameter." So this is a JSON syntax that is actually pretty easy to read and pretty easy to understand, and you can write your own. So, if you want to limit your search to fields other than location, you can do so.

6. *UPDATED* Managing Policy by PowerShell

So everything that you can do in the portal, you can also do in PADDLE. And throughout this course, I'm going to try to show you a few times how you can use PowerShell or CLI to manage your resources because that is important for the exam and for your job as an Azure administrator. Now, I've deleted the policy that we just signed. So I went into the three dots and said delete assignment, and it's gone. And I'm going to reassign this policy using PowerShell. First, I'm going to go back into the initial tier—remember we called it Audit Missing Eggs—and I'm going to drag the thing a little bit. Audit. missing tags on resources. Now we downloaded PowerShell onto a local machine and installed the AC module and everything like that. There is also another way of connecting with PowerShell and Azure, and that's called Cloud Shell. So up here on the top menu, there's this greater than assignment underscore, and that represents a PowerShell in the cloud. So I'm going to click on it, and it's going to start up. Now, if you've never used Cloud Shell before, you're going to have to create a storage account. So it's going to take you through a process to create a storage account. Otherwise, you're going to get into this. Now that PowerShell is here, CLI is under the Bash element, and believe it or not, PowerShell does support CLI commands as well. So as not to be too confused, I'm going to clear that so that we're starting from a fresh screen here. We can now get this definition directly from PowerShell. Now, we're going to start with a term called "get AZ policy definition." Now if I just ran this, this is going to list all of them, and like I said, there are like thousands of them. So we kind of have to run a little select statement, if you will, on it in PowerShell. PowerShell is an object-oriented language, so you use the pipe commands to send the results to another function, and the object function is what does the work here. So I'm going to say I want to find propertiesso I can actually tab and it will auto fill. So that's another cool thing about PowerShell properties: displayname equals. Now, we see here that it's called an audit. missing tags on resources. And I can just type this out here. If I make a typo, this is not going to work. And if you're using a built in policy and Microsoft changesthe name of it, then this is going to break. So I do not necessarily recommend policies based on their display name because it's modifiable. So it's probably better to add policy ID. And if you're going to automate anything with this, get the IDOT based on a text name here. But I can enter here and see if it returns some of the policy's details; it doesn't have the JSON in this command, but we can see the name, resource ID, resource name, and so on. So in order to work with this, I'm going to put this into a variable. I'm going to call this definition so I can actually do the upper and I can say definition, sorry. This is at the bottom of the screen here. I can say definition equals that, and that's going to put the policy details into an object. So this is an assignment. Now I'm going to start off by creating a resource group so that we can work with policy against the resource group instead of the subscription. So that command is "new AZ versus group." I have to give the resource group a name sothis is called my new RG and it has tobe in a geographical location which is in this caseeast US spell it correctly as well. So this command is going to create a new resource group in the US region, and we can sort of see that it succeeded. Now I want this resource group to be a variable oran object as well so I'm going to actually now thatI've created it, I'm going to get the resource group andI have to pass it the same and the same location. All right, so they're going to come back with the resource group in a variable. This is an object, and I can say "resource group resource I can see that there's a resource group name and resource group ID. So the resource group name comes back as my new RG. So now I have the policy in the definition object resource group in the RG, and now we need to assign that policy to the resource group. I'm going to clear the command as a new policy assignment. You have to give the policy assignment a name, so it's going to be called checking rules. Policy assignment also needs a display name, so the scope of this assignment is going to be the resource group, and so it's a resource ID, and the policy definition that we're passing in policy definition is going to be the definition object. So what we're doing here is basically taking the definition from the audit missing tags and assigning it to the specific resource group scope rather than the entire account, and so if I hit enter here, it'll go for the parameter, so parameters required, and let's say we want billing code to be the required tag, and now it's returned with some properties here. Now I would expect now is that if I wasto go up here into the top, back into theassignments actually not the definitions now two assignments close outthat and I can see the checking the rules wejust created with PowerShell as being a policy that's beenassigned to one resource group anyway, that's how you usePowerShell to manage reasons such as policies within Azure.

Pay a fraction of the cost to study with Exam-Labs AZ-104: Microsoft Azure Administrator certification video training course. Passing the certification exams have never been easier. With the complete self-paced exam prep solution including AZ-104: Microsoft Azure Administrator certification video training course, practice test questions and answers, exam practice test questions and study guide, you have nothing to worry about for your next certification exam.

Hide