Cloud

Module 1 provides an introduction to cloud computing and Microsoft Azure, covering key concepts such as cloud technology, deployment models, and service models. It explains the benefits of cloud computing, including cost savings and improved performance, and details Azure's structure, including accounts, subscriptions, and billing options. The module also outlines various Azure services across different categories like compute, networking, and storage.

Uploaded by bxx6ggpn9y


Module 1 - Introduction to Cloud and Azure
Lesson 1: Cloud technology overview
Lesson 2: Overview of Azure
Lesson 3: Managing Azure with the Azure portal
Lesson 4: Managing Azure with Windows PowerShell
Lesson 5: Managing Azure with Azure CLI
Lesson 6: Overview of Azure deployment models
Lesson 7: Managing and monitoring Azure resources

Internal
Module 1 - Lesson 1 : Cloud technology overview

What is Cloud Computing?
Cloud computing can be defined as delivering computing power (CPU, RAM, network bandwidth, storage, operating system and software) as a service over a network (usually the internet) rather than physically having the computing resources at the customer's location.

Example: AWS, Azure, Google Cloud

Cloud computing provides a means by which we can access applications as utilities over the internet. It allows us to create, configure and customize applications online. With cloud computing, users can access database resources via the internet from anywhere, for as long as they need, without worrying about the maintenance or management of the underlying resources.

Why the Name Cloud?
The term "cloud" came from the network diagrams used by network engineers to represent the location of various network devices and their interconnection: the part of the network whose internals were not drawn in detail was represented by a cloud-shaped symbol.

Why Cloud Computing?

With the increase in computer and mobile users, data storage has become a priority in all fields. Large and small businesses today thrive on their data and spend a huge amount of money to maintain it. This requires strong IT support and a storage hub. Not all businesses can afford the high cost of in-house IT infrastructure and backup support services; for them cloud computing is a cheaper solution. Its efficiency in storing data and computation, together with its lower maintenance cost, has attracted even bigger businesses as well.

Cloud computing reduces the hardware and software demands on the user's side. The only thing the user must be able to run is the cloud system's interface software, which can be as simple as a web browser, and the cloud takes care of the rest. We have all experienced cloud computing at some point; some of the popular cloud services we have used, or are still using, are mail services like Gmail, Hotmail or Yahoo.

While accessing an e-mail service, our data is stored on a cloud server and not on our computer. The technology and infrastructure behind the cloud are invisible to the user. Whether cloud services are based on HTTP, XML, Ruby, PHP or other specific technologies matters less, as long as the service is user friendly and functional. An individual user can connect to the cloud system from his or her own devices such as a desktop, laptop or mobile.

Cloud computing serves small businesses with limited resources effectively: it gives them access to technologies that were previously out of their reach and helps them convert maintenance cost into profit. How?

With an in-house IT server you have to pay a lot of attention to ensure that there are no flaws in the system so that it runs smoothly, and in case of any technical glitch you are completely responsible; repair takes attention, time and money. In cloud computing the service provider takes responsibility for faults in the underlying platform, while the customer remains responsible for what it deploys on top of it (the split between customer-managed and Microsoft-managed layers is shown in Lesson 2).

The NIST definition (SP 800-145) states: cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Benefits of Cloud Computing
The potential for cost saving is the major reason many organizations adopt cloud services. Cloud computing gives the freedom to use services as required and to pay only for what you use. It has made it possible to run IT operations as an outsourced unit without many in-house resources.

The benefits of cloud computing include:

1. Lower IT infrastructure and computer costs for users
2. Improved performance
3. Fewer maintenance issues
4. Instant software updates
5. Improved compatibility between operating systems
6. Backup and recovery
7. Performance and scalability
8. Increased storage capacity
9. Increased data safety (provider-managed redundancy and backup; controlling who can reach the data remains the customer's job, which is what the RBAC material later in this module covers)

Cloud Computing Patterns
(Figure: four compute-over-time charts, one per pattern below)

On and Off
• On and off workloads (e.g. batch jobs)
• Over-provisioned capacity is wasted during the inactivity period
• Time to market can be cumbersome

Growing Fast
• Successful services need to grow/scale
• Keeping up with growth is a big IT challenge
• Cannot provision hardware fast enough

Unpredictable Bursting
• Unexpected/unplanned peak in demand
• Sudden spike impacts performance
• Cannot over-provision for extreme cases

Predictable Bursting
• Services with micro-seasonality trends
• Peaks due to periodic increased demand
• IT complexity and wasted capacity

Elasticity: Provision vs. Workload
(Figure: two resource-over-time charts, "Self Provision" and "Cloud Provisioning", comparing demand with provisioned capacity and marking the over-provisioned and under-provisioned regions)
▪ Cloud provides on-demand, scale-out and scale-in compute, storage and network resources
▪ Provisioning benefit: reduced costs and improved user experience

Essential Characteristics:
Clouds have five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.

Five Essential Characteristics:
On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, automatically, without requiring human interaction with each service provider.

Broad network access: Your team can access business management solutions using their smartphones, tablets, laptops and office computers, wherever they are located, through a simple online access point. This mobility is particularly attractive for businesses: during business hours or off-times, employees can stay on top of projects, contracts and customers whether they are on the road or in the office. Because the service is reachable from any network, the identity used to sign in, rather than the office network, becomes the effective security perimeter. Broad network access applies to private clouds that operate within a company's firewall, to public clouds and to hybrid deployments.

Resource pooling: The provider's computing resources are pooled to serve multiple consumers in a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to demand; the consumer generally has no control over the exact location of the resources, and isolation between tenants is the provider's responsibility. For the consumer this means employees can enter and use data within the cloud-hosted business management software at the same time, from any location and at any time, which is attractive for organizations with multiple offices and for field service or sales teams that are usually outside the office.

Rapid elasticity: The cloud is flexible and scalable to suit your immediate business needs. You can quickly and easily add or remove users, software features and other resources.

Measured service: Going back to the affordable nature of the cloud, you only pay for what you use. You

Types of Cloud: Deployment Models
Deployment models define the type of access to the cloud, i.e., how the cloud is located. A cloud can have any of four types of access: public, private, hybrid and community.

Four Deployment Models:
Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising
multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a
third party, or some combination of them, and it may exist on or off premises.

Community cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of
consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and
compliance considerations). It may be owned, managed, and operated by one or more of the
organizations in the community, a third party, or some combination of them, and it may exist on or off
premises.

Public cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned,
managed, and operated by a business, academic, or government organization, or some combination of
them. It exists on the premises of the cloud provider.

Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures
(private, community, or public) that remain unique entities, but are bound together by standardized or
proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing
between clouds).

Service Models
Clouds have three service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

Three Service Models:
SaaS (Software as a Service): SaaS is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network (the internet). SaaS has become an increasingly prevalent delivery model as the underlying technologies that support service-oriented architecture (SOA) and web services have matured. Through the internet this service is available to users anywhere in the world. Traditionally, a software application had to be purchased upfront and then installed on your computer; SaaS users instead subscribe to the software, usually on a monthly basis, via the internet. Anyone who needs access to a particular piece of software can subscribe as a user, whether that is one or two people or thousands of employees in a corporation. SaaS is compatible with all internet-enabled devices. Many important tasks like accounting, sales, invoicing and planning can all be performed using SaaS.

PaaS (Platform as a Service): PaaS provides a platform and environment that allows developers to build applications and services. The service is hosted in the cloud and accessed by users via the internet. In simple terms, compare it with painting a picture: you are provided with paint colours, different brushes and paper by your school teacher, and you just have to draw a beautiful picture using those tools. PaaS services are constantly updated and new features added. Software developers, web developers and

IaaS (Infrastructure as a Service): IaaS is one of the fundamental service models of cloud computing, alongside PaaS. It provides access to computing resources in a virtualized environment, "the cloud", over the internet: computing infrastructure such as virtual server space, network connections, bandwidth, load balancers and IP addresses. The pool of hardware resources is abstracted from multiple servers and networks, usually distributed across numerous data centers, which gives IaaS redundancy and reliability. IaaS is a complete package for computing; for small businesses looking to cut the cost of IT infrastructure, it is one of the solutions. A lot of money is spent annually on maintenance and on buying new components like hard drives, network connections and external storage devices, which a business owner could save for other expenses by using IaaS.

Understanding the Cloud Computing Stack (IaaS, PaaS, SaaS)
(Figure: the IaaS / PaaS / SaaS stack. The point of the stack is which layers the provider manages and which the customer still manages; with IaaS the customer remains responsible for the operating system and everything above it, as the responsibility split in Lesson 2 shows.)

What is Cloud Computing Architecture?
Let's look at what cloud computing is made of. Cloud computing comprises two components, the front end and the back end. The front end is the client side of the cloud computing system; it comprises the interfaces and applications required to access the cloud computing platform. The back end refers to the cloud itself; it comprises the resources required for cloud computing services, such as virtual machines, servers, data storage and security mechanisms, and it is under the provider's control.

Cloud computing uses a distributed file system that spreads over multiple hard disks and machines. Data is replicated rather than stored in one place only, so if one unit fails another takes over automatically. The user's disk space is allocated on the distributed file system, and another important component is the algorithm for resource allocation. Cloud computing is a large distributed environment and depends heavily on robust algorithms.

Virtualization and Cloud Computing
The main enabling technology for cloud computing is virtualization. Virtualization is the partitioning of a single physical server into multiple logical servers. Once the physical server is divided, each logical server behaves like a physical server and can run an operating system and applications independently, with the hypervisor enforcing the isolation between them. Popular companies like VMware and Microsoft provide virtualization services, where instead of using your personal PC for storage and computation you use their virtual server. Virtual servers are fast, cost-effective and less time-consuming to set up. For software developers and testers virtualization comes in very handy, as it allows a developer to write code that runs in many different environments and, more importantly, to test that code.

Virtualization is mainly used for three purposes: 1) network virtualization, 2) server virtualization, 3) storage virtualization.

Network Virtualization: A method of combining the available resources in a network by splitting the available bandwidth into channels, each of which is independent of the others and can be assigned to a specific server or device in real time.

Storage Virtualization: The pooling of physical storage from multiple network storage devices into what appears to be a single storage device that is managed from a central console. Storage virtualization is commonly used in storage area networks (SANs).

Server Virtualization: The masking of server resources such as processors, RAM and operating system from server users. The intention of server virtualization is to increase resource sharing and reduce the burden and complexity of computation for users.

Virtualization is the key that unlocks the cloud system; what makes it so important for the cloud is that it decouples the software from the hardware. By analogy, PCs can use virtual memory to borrow extra memory from the hard disk, which usually has a lot more space than RAM; although virtual memory is slower than real memory, if managed properly the substitution works well. Likewise, there is software that can imitate an entire computer, which means one physical computer can perform the functions of, say, 20 computers.

Module 1 - Lesson 2 : Overview of Azure

Microsoft Azure
• A cloud computing platform by Microsoft
• Was announced by Microsoft back in 2008
• Used to be known as Windows Azure
• Initially offered PaaS services
• Offers over 500 cloud services and growing

Microsoft Azure Datacenters and Regions

• The Azure platform is supported by a network of Microsoft-managed datacenters
• Azure datacenters are located in about 50 geographic regions (https://azure.microsoft.com/en-ca/regions/)
• Each region is a geographic group of one or more datacenters
• It is important to know where the Azure regions are. It is the first consideration you need to make before deploying any Azure cloud service, since data residency and latency follow from it.
• Azure region pairs: each Azure region is paired with another region in the same geography, and the two are connected directly. Platform updates are rolled out to one region of a pair at a time, and geo-redundant replication targets the paired region, so the pair is the unit to plan recovery around. (https://docs.microsoft.com/en-us/azure/best-practices-availability-paired-regions)
• Microsoft Datacenter Tour: https://cloud-platform-assets.azurewebsites.net/datacenter/

Azure Accounts and Subscriptions
• Azure is primarily organized by accounts and subscriptions
• Each account can have multiple subscriptions associated with it
• The primary account delegates privileges at the subscription level
• The account administrator is the user created with the account
  • Has access to the Azure Account Center (https://account.azure.com/)
  • Can create the billing method
  • Can create/cancel subscriptions
  • Can create/change the subscription-level administrator
• To consume Azure services you need subscriptions
• Subscriptions can be personal or organizational
• Subscriptions isolate administration and billing
• Separate privileges can be assigned to separate subscriptions
• Subscriptions have quotas and limits (https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits)
• Subscriptions have 2 classic roles + RBAC:
  Service Administrator
  Co-Administrator
  Both classic roles have full control of everything in the subscription (a Co-Administrator is equivalent to an Owner at subscription scope), so they deserve the same review as Owner role assignments.

Azure billing
• Azure is a pay-per-use utilization model
• PAYG – Pay As You Go model – most of you will use this (https://azure.microsoft.com/en-us/offers/ms-azr-0003p/)
• Enterprise Agreement
• Azure Compute pre-purchase plan
• Azure Hybrid Benefit
• Microsoft reseller
Through benefits:
• MSDN subscription for development use
• Partners get monthly credits

Azure billing and support options
The most common Azure billing options include:
• Pay-As-You-Go
• Buy from a Microsoft reseller
• Enterprise agreements

Azure services
• Compute
• Networking
• Storage
• Web + Mobile
• Containers
• Databases
• Analytics
• AI + Machine Learning (ML)
• Internet of Things (IoT)
• Enterprise Integration
• Security + Identity
• Developer tools
• Management tools
Exhaustive details of all Azure services: https://azure.microsoft.com/en-us/services

Overview of Azure services

Compute: Service Fabric, Container Service, Azure Virtual Machines, Azure Cloud Services
Networking: Virtual Network, Azure DNS, Application Gateway, Traffic Manager, ExpressRoute, Load Balancer
Data & Storage: Storage, DocumentDB, Azure SQL Database, StorSimple
Web & Mobile: Web Apps, Mobile Apps, Notification Hub
Other services: Service Bus, Automation, Azure AD, Scheduler, Key Vault, Azure AD DS, Azure Backup, Azure Security Center, MFA, Site Recovery

Azure Management Tools
• Azure portal (https://portal.azure.com/)
• Azure classic portal (https://manage.windowsazure.com/)
• Azure PowerShell
• Azure CLI
• Azure Cloud Shell – CLI
• Azure Cloud Shell – PowerShell
• Visual Studio – Azure SDK

How to Create a New Microsoft Azure Account
Microsoft Azure offers a free 30-day trial period to all new account holders.
Go to https://www.azure.com and click the green "Start free" button.

Next, click another "Start free" button.

If you already have an account with Microsoft, for example Office 365, you'll be prompted to log in.

When you log in, some of your details may already be there.

Follow the prompts to verify your account by phone (I used SMS).

You'll also need to supply a valid credit card. Prepaid credit cards won't work; you'll need a "normal" credit or debit card. There is no charge involved in setting up a trial account; Microsoft just wants to see your card to verify your identity. There will, however, be a record of a $0 transaction on your bank statement. Next, tick "I agree" and click "Sign Up."

Within a few seconds your account will be ready. That's it! Your Microsoft Azure account has been created. To continue, click the "My Account" link at the top right corner or go straight to the Microsoft Azure Portal: https://portal.azure.com/

Azure Subscription Overview

Subscription Principles
Subscriptions are…
• An administrative security boundary
• A unit of RBAC delegation
• A billing unit
• A logical limit of scale
• The first container that you create
Considerations
• Subscriptions do not cost anything
• Each subscription has its own admins, although a single account can be an admin in multiple subscriptions
• Subscriptions are global
Initially a subscription was the administrative security boundary of Microsoft Azure. With the advent of the Azure Resource Manager (ARM) environment, a subscription now has two administrative models: Service Management and Azure Resource Manager. With ARM the subscription is no longer needed as an administrative boundary: ARM provides a more granular role-based access control (RBAC) model for assigning administrative rights at the resource level. At the time of writing RBAC was being released in stages, with a first set of built-in roles available and user-defined (custom) roles to follow; custom roles are now available. There is some complexity during the coexistence of the Service Management and Resource Manager environments, and it needs to be considered carefully.

A subscription additionally forms the billing unit. Service charges are currently accrued to the subscription; as part of the Azure Resource Manager model it becomes possible to roll up costs to a resource group. A standard naming convention (and tagging) for Azure resource object types can be used to manage billing across project teams, business units or any other desired view.

A subscription is also a logical limit of scale by which resources can be allocated. These limits include both hard and soft caps on various resource types (like 10,000 compute cores per subscription) and change as capacity and capabilities are updated within Azure. Scalability will continue to be a function of subscriptions and is therefore a key element in understanding how the subscription strategy will account for growth as consumption increases.

Containers and Resources
• Subscription is the top level container
• Create Resource groups in the subscription
• Place resources within the resource groups

Azure Governance Layers
(Figure: three example hierarchies of Enterprise > Departments [optional] > Accounts > Subscriptions, one per governance model)

Model: Functional | Business Division | Geographic
Enterprise: Enterprise | Enterprise | Enterprise
Departments [optional]: Finance, Marketing | Auto, Aerospace | North America, Europe
Accounts: Joe Smith, Jane Doe | Lin Chi, Adi Krishnan | Ted Bear, Grace Ma
Subscriptions: Production, Project 1 Dev, Project 1 Test | Web Sites, Application 1, Application 2, Application 3 | Project 1, Project 2, Project 3

The Azure governance layers, roles, portals etc. provide technical means that can be used in different ways. Some customers prefer functional differentiation, others business-division based or geographical, or even a combination.
Management Portals

Enterprise Portal (https://ea.azure.com/): manage access; manage accounts; manage subscriptions; view price sheet; view usage summary; manage usage & lifecycle e-mail notifications; manage authentication types
Account Portal (https://account.windowsazure.com): edit subscription details; enroll in or enable preview features
Management Portal (https://manage.windowsazure.com or https://portal.azure.com): provision/de-provision Azure services; manage co-administrators on subscriptions; open support tickets for issues within the subscription

Azure governance structure
The three portals serve different audiences and needs and provide administrative boundaries. The picture shows how these portals are related to one another.
(Figure: the Enterprise portal manages the Enterprise (enrollment), which has Departments, which have Accounts; the Azure Account portal manages the Account; the Azure Management Portal, CLI / custom tools and the REST APIs all go through Azure Resource Manager, which applies RBAC to the Azure resources associated with the Account.)

Account and Subscription Management
The diagrams (not reproduced here) explain what the account admin, service admin and co-admin roles are used for; these roles can be assigned to one or multiple identities.

Azure Subscription Limits
http://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/
Azure Roles versus Management
(Figure: a stack of Application, OS, Virtual hardware, Physical hardware and Fabric, labelled Azure Active Directory / Active Directory at the top. The customer provisions the OS and application configuration and manages the Azure object; Microsoft manages the platform and the SLA.)

Resource Groups and Hierarchy
Subscription
  Resource Group
    Resource
    Resource
  Resource Group
    Resource
    Resource

Azure Resource Overview

Role Considerations
• Azure subscriptions have two administrative models:
  • Classic (v1): Azure Service Management (ASM)
  • Resource Manager (v2): Azure Resource Manager (ARM)

Resources in Azure
Classic (v1):
• Multiple objects combined into a single manageable instance
• Must connect to a classic network infrastructure
Resource Manager (v2):
• Each object a separately manageable instance
• Must connect to a Resource Manager network infrastructure

Azure Resource Manager
(Figure: Classic versus ARM with resource providers)

Portal and APIs
Feature | manage.windowsazure.com | portal.azure.com / ARM
Granularity | Subscription | Subscription, resource group, resource
Principal | User | User, directory group, application
Roles | Full control (or no access) | 30+ built-in roles; custom roles

Resource Groups
Tightly coupled containers of multiple resources of similar or different types.
Every resource *must* exist in one and only one resource group.
Resource groups can span regions (the group itself has a location for its metadata, but the resources in it can sit in other regions).
Nesting of resource groups is not supported.
Creating a resource group requires write rights at subscription scope (Owner or Contributor on the subscription, or a custom role granting Microsoft.Resources/subscriptions/resourceGroups/write).
Azure Resource Manager
Describe, Deploy, Control
(Figure: a resource group described as a template of App, Database, Compute, Network and Storage, deployed through Azure Resource Manager to Microsoft Azure Stack or Microsoft Azure)
Resource Group Lifecycle
Question: Should these resources be in the same group or a different one?
Hint: Do they have a common lifecycle and management?
Answer: Up to you.

Azure RBAC Overview

Least Privilege as a Model
Goal
• Users can do the tasks their job requires
• But no more than that

Best practices
• Use the portal and ARM API (the classic model only offers subscription-wide, all-or-nothing administrators)
• Assign the right role, at the narrowest scope that still lets the job get done
• Use resource groups as the unit of delegation
Role Based Access Control
(Figure: users, groups and service principals in Azure Active Directory are authenticated and authorized against Azure resources in resource groups within an Azure subscription)
ARM Hierarchy and RBAC Roles
ARM provides a more granular role-based access control (RBAC) model for assigning administrative rights at the resource level.
Owner: Can perform all management operations for a resource and its child resources, including access management and granting access to others.
Contributor: Can perform all management operations for a resource, including creating and deleting resources. A contributor cannot grant access to others.
Reader: Has read-only access to a resource and its child resources. A reader cannot read secrets.

Role Based Access Control

Key RBAC Concepts
Role Definitions
• describe a set of permissions (e.g. read actions)
• can be used in multiple assignments
Role Assignments
• associate a role definition with an identity (e.g. user/group) at a scope (e.g. resource group)
• are always inherited: subscription assignments apply to all resources

RBAC - Granular Scopes
/subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site}
• subscription level: grants permissions to all resources in the subscription
• resource group level: grants permissions to all resources in the group
• resource level: grants permissions to the specific resource

Roles for Azure subscription resources
Three primary roles:
• Owner, Contributor, Reader
• Permissions on all Azure resources
30+ resource-specific roles
• Website Contributor, Virtual Machine Contributor, etc.
• Permissions scoped to the resources and actions typically required by customers
• More will be added as new Azure resources come online
Custom roles
• Allow customers to take existing actions and create a custom RBAC role
• The role must be loaded into each subscription

https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/
Built-in Roles

BUILT-IN ROLE | ACTIONS | NOT ACTIONS
Owner (allow all actions) | * | (none)
Contributor (allow all actions except writing or deleting role assignments) | * | Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete
Reader (allow all read actions) | */Read | (none)

Internal
Virtual Machine Contributor
Actions Access
Microsoft.Storage/storageAccounts/read Read storage accounts
Microsoft.Storage/storageAccounts/listKeys/action List storage account keys
Microsoft.Network/virtualNetworks/read Read virtual networks
Microsoft.Network/virtualNetworks/subnets/join/action Join virtual network subnets
Microsoft.Network/loadBalancers/read Read load balancers
Microsoft.Network/loadBalancers/backendAddressPools/join/action Join load balancer backend address pools
Microsoft.Network/loadBalancers/inboundNatRules/join/action Join load balancer inbound NAT Rules
Microsoft.Network/publicIPAddresses/read Read network public IP addresses
Microsoft.Network/publicIPAddresses/join/action Join network public IP addresses
Microsoft.Network/networkSecurityGroups/read Read network security groups
Microsoft.Network/networkSecurityGroups/join/action Join network security groups
Microsoft.Network/networkInterfaces/* Create and manage network interfaces
Microsoft.Network/locations/* Create and manage network locations
Microsoft.Network/applicationGateways/backendAddressPools/join/action Join network application gateway backend address pools
Microsoft.Compute/virtualMachines/* Create and manage virtual machines
Microsoft.Compute/availabilitySets/* Create and manage compute availability sets
Microsoft.Compute/locations/* Create and manage compute locations
Microsoft.Authorization/*/read Read authorization
Microsoft.Resources/subscriptions/resourceGroups/read Read subscription resource groups
Microsoft.Resources/subscriptions/resourceGroups/resources/read Read subscription resource groups resources
Microsoft.Resources/subscriptions/resourceGroups/deployments/* Create and manage subscription resource group deployments
Microsoft.Insights/alertRules/* Create and manage Insights alert rules
Microsoft.Support/* Create and manage support tickets
Resource Groups and Access
Example

Management
  Marketing Subscription
    Solution 1 Resource Group: Virtual machine, Storage account
    Solution 2 Resource Group: Virtual machine, Storage account, SQL Server
    Shared Infrastructure Resource Group: Virtual Network
  Finance Subscription
    Solution A Resource Group: Web app, SQL Server

Best practices
▪ Organize resources to meet access management requirements
▪ Grant access at the resource group when appropriate

Benefits
▪ More granularity
▪ Aligns with resource-specific roles
▪ Ongoing manageability
RBAC Audit Logs and Resource Management Locks

▪ Role assignment changes are captured in events where the ResourceProviderName is Microsoft.Authorization.
▪ Azure Resource Manager provides the ability to restrict operations on resources through resource management locks.
▪ Resource locks are policies which enforce a lock level at a particular scope.
Azure Resource Manager
Resource Locks

Resource Locks
• Accidents happen. Resource locks help prevent them :)
• Resource locks allow administrators to create policies which prevent write actions or prevent accidental deletion.
Key Concepts
• Resource lock
  • Policy which enforces a "lock level" at a particular scope
• Lock level
  • Type of enforcement; current values include CanNotDelete and ReadOnly
• Scope
  • The realm to which the lock level is applied. Expressed as a URI; can be set at the resource group or resource scope.
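The two lock levels and scopes listed above, plus the Microsoft.Authorization audit trail from the RBAC Audit Logs slide, as an added example that is not from the course slides. Resource group, resource and lock names are placeholders.

```powershell
# Added example (not from the course slides): protect a shared network with
# resource locks, then review who changed role assignments or locks.
# Resource group and resource names are placeholders.
$rg = "rg-shared-infrastructure"

# CanNotDelete at resource scope: the VNet can still be modified, not deleted.
New-AzureRmResourceLock -LockName "no-delete-vnet" -LockLevel CanNotDelete `
    -ResourceGroupName $rg -ResourceName "vnet-hub" `
    -ResourceType "Microsoft.Network/virtualNetworks" `
    -LockNotes "Shared by every solution RG; remove only via change control" -Force

# ReadOnly at resource group scope: everything inside becomes read-only, which
# also blocks POST actions such as starting a VM or listing storage keys.
New-AzureRmResourceLock -LockName "freeze-rg" -LockLevel ReadOnly `
    -ResourceGroupName $rg -LockNotes "Frozen during audit" -Force

# Locks are inherited downward; list what currently applies in this group.
Get-AzureRmResourceLock -ResourceGroupName $rg |
    Select-Object Name, ResourceId, @{n = "Level"; e = { $_.Properties.level }}

# Lifting the freeze needs Microsoft.Authorization/locks/* rights (Owner or
# User Access Administrator); Contributors cannot do it, hence the safety net.
Remove-AzureRmResourceLock -LockName "freeze-rg" -ResourceGroupName $rg -Force

# Role assignment and lock changes are both Microsoft.Authorization operations,
# so one activity-log query over the last 7 days covers both.
Get-AzureRmLog -ResourceProvider Microsoft.Authorization `
    -StartTime (Get-Date).AddDays(-7) |
    Where-Object { $_.OperationName -like "*roleAssignments*" -or
                   $_.OperationName -like "*locks*" } |
    Select-Object EventTimestamp, Caller, OperationName, ResourceGroupName, Status |
    Sort-Object EventTimestamp
```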
Module 1 – Lesson 3 – Managing Azure with the Azure portal

Microsoft Azure Portal

• Browser-based administration (https://portal.azure.com)
• Current portal that supports all Azure services
• Full support for ARM (Azure Resource Manager) resources
• Centralized view in one portal
• Personalized experience
• Fine-grained access control
• Billing visibility
Azure's old/classic portal (ASM – Azure Service Manager) was located at:
https://manage.windowsazure.com
Module 1 – Lesson 4 – Managing Azure with Windows PowerShell

Azure PowerShell

• Windows PowerShell is a scripting platform
• Azure has PowerShell modules containing the Azure cmdlets
• Automating IT processes with scripts (reusability)
• Part of larger deployments (DevOps)
• There are various PowerShell modules for Azure (we will focus on the AzureRM module)
Azure PowerShell module browser:
https://docs.microsoft.com/en-us/powershell/module/ (look for AzureRM PowerShell)
Azure PowerShell is an open-source project:
https://github.com/Azure/azure-powershell/
How to get Azure PowerShell

1. Web Platform Installer – https://azure.microsoft.com/en-us/downloads/
   a) Gets the latest version for you
   b) Takes care of all the prerequisites
2. The PowerShell Gallery – depends on the PowerShellGet module
   a) Depends on the Windows Management Framework (WMF):
      https://www.microsoft.com/enus/download/details.aspx?id=54616
   b) If you are on Windows 10, you are all set. On all other editions, download WMF first and take it from there.
3. Microsoft Windows Installer package (MSI)
4. Azure Cloud Shell in the Azure Portal (the easiest!)
Azure PowerShell Installation
We will be using the PowerShell Gallery.
Check whether it is already installed and, if so, which version:
    Get-Module AzureRM -ListAvailable | Select-Object -Property Name,Version,Path
Install it:
    Install-Module -Name AzureRM
Update it (when you need to in future):
    Update-Module -Name AzureRM
Modules will be located at: C:\Program Files\WindowsPowerShell\Modules

Azure PowerShell Login and subscription access
You must authenticate to access the Azure subscriptions:
1. AD authentication
2. Certificate-based authentication
   (https://docs.microsoft.com/en-us/azure/azure-resource-manager/resourcegroup-authenticate-service-principal)
Using AD authentication:
Connect to Azure with an authenticated account:
    Add-AzureRmAccount
Get the current context:
Search for PowerShell in the search box as shown below; you will see the options below.

Choose Windows PowerShell ISE, right-click it and select Run as administrator.

After starting it as administrator, the PowerShell ISE looks like the screenshot below.

This PowerShell does not yet have the Azure modules needed to run Azure commands, so we need to install the Azure module in PowerShell.

While installing the Azure module in PowerShell, type all of the commands below as shown in the picture and click Yes when prompted:
    Get-Module
    $PSVersionTable.PSVersion
    Install-Module -Name AzureRM

After the "Install-Module -Name AzureRM" command starts downloading the Azure module from the internet, select "Yes to All".

After clicking "Yes to All", all the packages of the Azure module are installed in PowerShell, as shown below.

Check whether PowerShellGet is already installed and, if so, which version:
    Get-Module PowerShellGet -ListAvailable | Select-Object Name,Version,Path

Set the execution policy so that locally created PowerShell scripts are allowed to run:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
and then select "Yes to All".

Then run "Import-Module AzureRM" to make the Azure commands available in this PowerShell session; afterwards, searching for an Azure command shows it in the command pane on the right-hand side of the ISE.

Connect to Azure with an authenticated account:
    Add-AzureRmAccount
After signing in successfully with an authenticated account, we get the details shown below.
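The install, import, sign-in and subscription-selection steps of this lesson as one re-runnable script, added here as an example that is not from the course slides. It assumes AzureRM 4.x or later (for the Subscription.Name/Id context properties); the subscription name is a placeholder.

```powershell
# Added example (not from the course slides): the lesson's install -> import ->
# sign in -> choose subscription sequence, with checks at each step.
# The subscription name is a placeholder.
$wanted = "Pay-As-You-Go"   # placeholder subscription name

# Install only if missing. CurrentUser scope installs under the user profile, so
# this particular step does not need an elevated shell.
if (-not (Get-Module -ListAvailable -Name AzureRM)) {
    Install-Module -Name AzureRM -Scope CurrentUser -Force
}
Import-Module AzureRM
Get-Module AzureRM | Select-Object Name, Version

# Interactive Azure AD sign-in; stop the script if it fails rather than
# carrying on against whatever context happened to be cached.
Add-AzureRmAccount -ErrorAction Stop | Out-Null

# An account often has several subscriptions; cmdlets run against the one in
# the current context, so pick it explicitly instead of trusting the default.
Get-AzureRmSubscription | Select-Object Name, SubscriptionId, State
Select-AzureRmSubscription -SubscriptionName $wanted | Out-Null

# Confirm the context before running anything that changes resources.
$ctx = Get-AzureRmContext
"Signed in as {0}, subscription '{1}' ({2}), tenant {3}" -f `
    $ctx.Account.Id, $ctx.Subscription.Name, $ctx.Subscription.Id, $ctx.Tenant.Id

# See which RBAC roles, at which scopes, this account holds here.
Get-AzureRmRoleAssignment -SignInName $ctx.Account.Id |
    Select-Object RoleDefinitionName, Scope
```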