Prerequisites for Azure administrators

Question 1

What is Azure Policy

Answer 1

Azure Policy is an Azure service you use to create, assign and, manage policies. These policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for noncompliance with assigned policies. For example, you might have a policy that allows virtual machines of only a certain size in your environment. After this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance

Question 2

How are Azure Policy and RBAC different?

Answer 2

At first glance, it might seem like Azure Policy is a way to restrict access to specific resource types similar to role-based access control (RBAC). However, they solve different problems. RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to anything in that resource group. Azure Policy focuses on resource properties during deployment and for already-existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default-allow-and-explicit-deny system.

Question 3

Create a policy

Answer 3

1. Create a policy definition
2. Assign a definition to a scope of resources
3. View policy evaluation results

Question 4

What is a policy definition?

Answer 4

A policy definition expresses what to evaluate and what action to take. For example, you could ensure all public websites are secured with HTTPS, prevent a particular storage type from being created, or force a specific version of SQL Server to be used

Question 5

How are policy definitions represented ?

Answer 5

The policy definition itself is represented as a JSON file - you can use one of the pre-defined definitions in the portal or create your own (either modifying an existing one or starting from scratch)

Question 6

Assign a definition to a scope of resources

Answer 6

Once you’ve defined one or more policy definitions, you’ll need to assign them. A policy assignment is a policy definition that has been assigned to take place within a specific scope.

This scope could range from a full subscription down to a resource group. Policy assignments are inherited by all child resources. This inheritance means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a sub scope from the policy assignment. For example, we could enforce a policy for an entire subscription and then exclude a few select resource groups.

You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI. When you assign a policy definition, you will need to supply any parameters that are defined.

Question 7

initiative definition

Answer 7

An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.

Question 8

Azure Management Groups

Answer 8

Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions. Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions. All subscriptions within a management group automatically inherit the conditions applied to the management group. Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have

Question 9

Important facts about management groups

Answer 9

1. Any Azure AD user in the organization can create a management group. The creator is given an Owner role assignment.
2. A single Azure AD organization can support 10,000 management groups.
3. A management group tree can support up to six levels of depth not including the Root level or subscription level.
4. Each management group can have many children.
5. When your organization creates subscriptions, they are automatically added to the root management group.

Question 10

Azure Blueprints

Answer 10

enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and deploy new environments with the trust they’re building within organizational compliance using a set of built-in components, such as networking, to speed up development and delivery

Question 11

Compliance Manager

Answer 11

Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Microsoft 365, Dynamics 365, and Azure

Question 12

Azure Monitor

Answer 12

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on

Question 13

Activity Logs

Answer 13

Activity Logs record when resources are created or modified and Metrics tell you how the resource is performing and the resources that it’s consuming

Question 14

Azure Monitor for containers

Answer 14

a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters, hosted on Azure Kubernetes Service (AKS). It gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the metrics API. Container logs are also collected

Question 15

Azure Monitor for VMs

Answer 15

a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes). Azure Monitor for VMs includes support for monitoring performance and application dependencies for VMs hosted on-premises, and for VMs hosted with other cloud providers.

Question 16

Autoscale

Answer 16

Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively. Autoscale enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load. Autoscale can also help reduce your Azure costs by removing resources that are not being used. You can specify a minimum and maximum number of instances, and provide the logic that determines when Autoscale should increase or decrease resources

Question 17

Azure Service Health

Answer 17

a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources

Question 18

Azure Status

Answer 18

provides a global view of the health state of Azure services. With Azure Status, you can get up-to-the-minute information on service availability. Everyone has access to Azure Status and can view all services that report their health state

Question 19

Service Health

Answer 19

provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them. In this dashboard, you can track active events such as ongoing service issues, upcoming planned maintenance, or relevant Health advisories. When events become inactive, they are placed in your Health history for up to 90 days. Finally, you can use the Service Health dashboard to create and manage service Health alerts, which notify you whenever there are service issues that affect you

Question 20

Resource Health

Answer 20

helps you diagnose and obtain support when an Azure service issue affects your resources. It provides you with details about the current and past state of your resources. It also provides technical support to help you mitigate problems

Question 21

Azure Resource Manager

Answer 21

It organizes resources into named resource groups that let you deploy, update, or delete all of the resources together.

Resource Manager also allows you to create templates, which can be used to create and deploy specific configurations

Question 22

What are Resource Manager templates?

Answer 22

Resource Manager templates are JSON files that define the resources you need to deploy for your solution.

Question 23

PowerShell Command: New Azure VMs?

Answer 23

New-AzVM

Question 24

Azure CLI / CLI Command

Answer 24

The Azure CLI is Microsoft’s cross-platform command-line tool for managing Azure resources such as virtual machines and disks from the command line. It’s available for macOS, Linux, and Windows, or in the browser using the Cloud Shell. Like Azure PowerShell, the Azure CLI is a powerful way to streamline your administrative workflow. Unlike Azure PowerShell, the Azure CLI does not need PowerShell to function

az vm create

Question 25

Azure REST API

Answer 25

1. Create and manage availability sets 2. Add and manage virtual machine extensions 3. Create and manage managed disks, snapshots, and images 4 . Access the platform images available in Azure 4. Retrieve usage information of your resources 5. Create and manage virtual machines 6. Create and manage virtual machine scale sets

Question 26

Azure VM Extensions

Answer 26

are small applications that allow you to configure and automate tasks on Azure VMs after initial deployment

Question 27

Availability and Instances

Answer 27

o ensure your services aren't interrupted and avoid a single point of failure, it's recommended to deploy at least two instances of each VM. This feature is called an availability set

Question 28

What is an availability set?

Answer 28

An availability set is a logical feature used to ensure that a group of related VMs are deployed so that they aren't all subject to a single point of failure and not all upgraded at the same time during a host operating system upgrade in the datacenter. VMs placed in an availability set should perform an identical set of functionalities and have the same software installed. Microsoft offers a 99.95% external connectivity service level agreement (SLA) for multiple-instance VMs deployed in an availability set

Question 29

What is a fault domain?

Answer 29

A fault domain is a logical group of hardware in Azure that shares a common power source and network switch

Question 30

What is an update domain?

Answer 30

An update domain is a logical group of hardware that can undergo maintenance or be rebooted at the same time. Azure will automatically place availability sets into update domains to minimize the impact when the Azure platform introduces host operating system changes. Azure then processes each update domain one at a time

Question 31

Azure Site Recovery

Answer 31

replicates workloads from a primary site to a secondary location. If an outage happens at your primary site, you can fail over to a secondary location

Question 32

Azure Site Recovery: Benefits

Answer 32

Site Recovery enables the use of Azure as a destination for recovery, thus eliminating the cost and complexity of maintaining a secondary physical datacenter

Question 33

Azure Site Recovery: Benefits / con't

Answer 33

Site Recovery makes it incredibly simple to test failovers for recovery drills without impacting production environments. This makes it easy to test your planned or unplanned failovers. After all, you don’t have a good disaster recovery plan if you’ve never tried to failover

Question 34

Azure Backup

Answer 34

is a backup as a service offering that protects physical or virtual machines no matter where they reside: on-premises or in the cloud

Question 35

Advantages of using Azure Backup

Answer 35

1. Automatic storage management. Azure Backup automatically allocates and manages backup storage and uses a pay-as-you-use model. You only pay for what you use. 2. Unlimited scaling. Azure Backup uses the power and scalability of Azure to deliver high availability. 3. Multiple storage options. Azure Backup offers locally redundant storage where all copies of the data exist within the same region and geo-redundant storage where your data is replicated to a secondary region.

Question 36

Advantages of using Azure Backup

Answer 36

1. Unlimited data transfer. Azure Backup does not limit the amount of inbound or outbound data you transfer. Azure Backup also does not charge for the data that is transferred. 2. Data encryption. Data encryption allows for secure transmission and storage of your data in Azure. 3. Application-consistent backup. An application-consistent backup means that a recovery point has all required data to restore the backup copy. Azure Backup provides application-consistent backups. 4. Long-term retention. Azure doesn't limit the length of time you keep the backup data.

Question 37

Azure Backup

Answer 37

Azure Backup uses a Recovery Services. A vault is backed by Azure Storage blobs, making it a very efficient and economical long-term storage medium. With the vault in place, you can select the machines to back up and define a backup policy (when snapshots are taken and for how long they’re stored)

Question 38

ExpressRoute

Answer 38

a secure point-to-point service. To use this service, you use a third-party connectivity partner to provide and host the ExpressRoute circuits on your behalf

Question 39

Azure hub-spoke

Answer 39

Azure hub-spoke is a reference architecture. The hub is usually an Azure virtual network that acts as the central connection point between the cloud and an on-premises network. Each spoke is also an Azure virtual network, usually connected to the hub via a peer network. Connections between the cloud and the on-premises network can be made through a VPN gateway or Azure ExpressRoute.

Question 40

Azure Network Watcher

Answer 40

You can use Network Watcher to capture packet data from the Azure services you use. You can also understand the flow of data in network traffic patterns and troubleshoot network-related problems on your network

Question 41

Kerberos

Answer 41

is an authentication protocol used across different operating systems. Windows uses Kerberos as its default authentication protocol. Linux and Mac OSs can also use Kerberos

Question 42

Azure CLI

Answer 42

a command-line program to connect to Azure and execute administrative commands on Azure resources az vm restart -g MyResourceGroup -n MyVm

Question 43

What is Azure AD?

Answer 43

Azure AD is a cloud-based identity management solution. It helps your company's internal users to: Access external resources, like Azure services, Microsoft 365, and third-party SaaS applications. Access internal resources such as applications on your corporate network, and cloud-based applications that your company builds. Azure AD also helps you keep user identities and applications secure through features like conditional access and identity protection

Question 44

Azure AD Store

Answer 44

Azure AD stores your users in a tenant that represents an organization

Question 45

Identity secure score in Azure AD

Answer 45

The identity secure score can help you understand. Azure AD gives an overall value between 1 and 223. This value represents how well you match the recommendations and best practices that Microsoft suggests for tenant security. The identity secure score reveals how effective your security is and helps you implement improvements.

Question 46

Azure AD password hash synchronization (PHS)

Answer 46

the user's password is hashed twice and synchronized between the on-premises Active Directory and Azure AD. Users have the same credentials to access resources and applications both on-premises and in the cloud.

Question 47

Azure AD pass-through authentication (PTA)

Answer 47

an agent is installed on on-premises servers that authenticate against the on-premises Active Directory. When an Azure AD user account tries to authenticate, password authentication is handled on-premises through these servers and Active Directory

Question 48

Federated authentication

Answer 48

the authentication process is performed by an on-premises Active Directory Federation Services (AD FS) server that validates users' passwords. Use this authentication method if you want advanced measures like smart card-based authentication for users

Question 49

Azure Active Directory Free

Answer 49

You can manage users and groups, and you get basic reports, on-premises Active Directory synchronization, and self-service password reset for Azure AD users. You also get single sign-on for Microsoft 365, Azure services, and many third-party SaaS applications

Question 50

Azure Active Directory Premium P1

Answer 50

You get all the features from the free tier, but you can also let users access on-premises and cloud-based services and resources. You can use self-service group management or dynamic groups, where users are added and removed automatically, based on your criteria. This tier supports on-premises identity management suites like Microsoft Identity Manager. Self-service password reset is also supported for users who are based on-premises

Question 51

Azure Active Directory Premium P2

Answer 51

You get all the features of the previous two tiers, along with Active Directory Identity Protection. This feature helps you configure risk-based conditional access to protect applications from identity risks. You can also use privileged identity management, which lets you monitor and put detailed restrictions on administrators

Question 52

Pay-as-you-go licenses for specific features

Answer 52

You access specific Azure AD features, like Azure AD B2C, on a pay-as-you-go basis. Azure AD B2C lets you manage identity and access for consumer users and the applications they use.

Question 53

Identity

Answer 53

Something that has to be identified and authenticated. An identity is typically a user who has username and password credentials, but the term can also apply to applications or services

Question 54

Account

Answer 54

An identity and its associated data. An account can't exist without an identity.

Question 55

Azure AD account

Answer 55

An identity created in Azure AD or in services like Microsoft 365. These identities are stored in Azure AD. For example, internal staff members might use Azure AD accounts daily at work.

Question 56

Azure subscription

Answer 56

Your level of access to use Azure and its services. For pay-as-you-go access, use your credit card to set up an Azure subscription. There are several types of subscriptions. For example, enterprise-level customers can use Azure Enterprise Agreement subscriptions. Each account can use many subscriptions

Question 57

Azure AD tenant

Answer 57

An instance of an Azure AD. This tenant is created for you automatically when you first sign up for Azure or other services like Microsoft 365. A tenant, which represents an organization, holds your users, their groups, and applications.

Question 58

Multi-tenant

Answer 58

Multiple-tenant access to the same applications and services in a shared environment. These tenants represent multiple organizations.

Question 59

Azure AD directory

Answer 59

An Azure resource that's created for you automatically when you subscribe to Azure. You can create many Azure AD directories. Each of these directories represents a tenant.

Question 60

Custom domain

Answer 60

A domain that you customize for your Azure AD directory. When you create an Azure AD directory, Azure automatically assigns it a default domain like .onmicrosoft.com. But you can customize domain names. Your users could then have accounts like joesmith@contoso.com instead of joesmith@contoso.onmicrosoft.com.

Question 61

Owner role

Answer 61

The role you use to manage all resources in Azure, including the access levels that users need for resources.

Question 62

Global administrator

Answer 62

The role that gives you access to all administrative capabilities in Azure AD. When you create a tenant, you automatically have this role for the tenant. This role allows you to reset passwords for all users and administrators, for example

Question 63

Azure AD B2B

Answer 63

Use Azure AD to invite external users to your tenant. Your organization can then collaborate with external healthcare partner staff members through Azure AD B2B Collaboration

Question 64

Azure AD B2C

Answer 64

You can also use Azure AD B2C to manage your customers' identities and access. Your doctors' accounts should have protected access to resources and services. Use Azure AD B2C to securely authenticate the doctors through their preferred identity provider

Question 65

Azure AD DS

Answer 65

Azure AD DS lets you add virtual machines to a domain without needing domain controllers. Your internal staff users can access virtual machines by using their company Azure AD credentials

Question 66

conditional-access policies

Answer 66

require users to pass additional authentication challenges before they access an app. For example, you can configure a conditional-access policy to require users to complete a multi-factor authentication challenge after their credentials are verified and before they access the app

Question 67

Azure AD Identity Protection

Answer 67

Azure AD Identity Protection helps you to automatically detect, investigate, and remediate identity risks for users. Identity Protection also lets you export all the information that was collected about risks. Export the information to third-party tools and solutions so that you can further analyze it

Question 68

Azure AD Application Proxy

Answer 68

This process creates secure remote access for your on-premises apps. To connect them, download and install the Application Proxy connector on-premises

Question 69

What is a container?

Answer 69

A container is a loosely isolated environment that allows us to build and run software packages. These software packages include the code and all dependencies to run applications quickly and reliably on any computing environment. We call these packages container images.

Question 70

What is Docker?

Answer 70

Docker is a containerization platform used to develop, ship, and run containers

Question 71

Docker Engine

Answer 71

The Docker Engine consists of several components configured as a client-server implementation where the client and server run simultaneously on the same host. The client communicates with the server using a REST API, which allows the client to also communicate with a remote server instance

Question 72

The Docker server

Answer 72

The Docker server is a daemon named dockerd. The dockerd daemon responds to requests from the client via the Docker REST API and can interact with other daemons. The Docker server is also responsible for tracking the lifecycle of our containers

Question 73

Docker objects

Answer 73

There are several objects that you'll create and configure to support your container deployments. These include networks, storage volumes, plugins, and other service objects. We won't cover all of these objects here, but it's good to keep in mind that these objects are items that we can create and deploy as needed

Question 74

Docker Hub

Answer 74

Docker Hub is a Software-as-a-Service (SaaS) Docker container registry. Docker registries are repositories that we use to store and distribute the container images we create. Docker Hub is the default public registry Docker uses for image management

Question 75

What is the Stackable Unification File System (Unionfs)?

Answer 75

unionfs is used to create Docker images. Unionfs is a filesystem that allows you to stack several directories, called branches, in such a way that it appears as if the content is merged the content is physically kept separate. Unionfs allows you to add and remove branches as you build out your file system

Question 76

What is a base image?

Answer 76

A base image is an image that uses the Docker scratch image. The scratch image is an empty container image that doesn't create a filesystem layer. This image assumes that the application you're going to run can directly use the host OS kernel

Question 77

What is a parent image?

Answer 77

A parent image is a container image from which you create your images. For example, instead of creating an image from scratch and then installing Ubuntu, we'll rather use an image already based on Ubuntu. We can even use an image that already has Nginx installed. A parent image usually includes a container OS

Question 78

Structured data

Answer 78

Structured data, sometimes referred to as relational data, is data that adheres to a strict schema, so all of the data has the same fields or properties

Question 79

Semi-structured data

Answer 79

Semi-structured data is less organized than structured data, and is not stored in a relational format, as the fields do not neatly fit into tables, rows, and columns. Semi-structured data contains tags that make the organization and hierarchy of the data apparent

Question 80

What is a transaction?

Answer 80

A transaction is a logical group of database operations that execute together.

Question 81

Azure Cosmos DB

Answer 81

supports semi-structured data, or NoSQL data, by design. So, supporting new fields, such as the "Bluetooth-enabled" field or any new fields you need in the future, is a given with Azure Cosmos DB