Module 2 Governance


Regions

Microsoft Azure is made up of datacenters located around the globe. These datacenters are organized and made
available to end users by region. A region is a geographical area on the planet containing at least one, but
potentially multiple datacenters that are in close proximity and networked together with a low-latency network.

A few examples of regions are West US, Canada Central, West Europe, Australia East, and Japan West. Azure
is generally available in 50+ regions and available in 140 countries.

Things to know about regions

- Azure has more global regions than any other cloud provider.
- Regions provide customers the flexibility and scale needed to bring applications closer to their users.
- Regions preserve data residency and offer comprehensive compliance and resiliency options for
customers.
- For most Azure services, when you deploy a resource in Azure, you choose the region where you want
your resource to be deployed.
- Some services or virtual machine features are only available in certain regions, such as specific virtual
machine sizes or storage types.
- There are also some global Azure services that do not require you to select a region, such as Microsoft
Azure Active Directory, Microsoft Azure Traffic Manager, or Azure DNS.
- Each Azure region is paired with another region within the same geography, together making a region
pair. The exception is Brazil South, which is paired with a region outside its geography.

Things to know about regional pairs

A regional pair consists of two regions within the same geography. Azure serializes platform updates (planned
maintenance) across regional pairs, ensuring that only one region in each pair updates at a time. If an outage
affects multiple regions, at least one region in each pair will be prioritized for recovery.

- Physical isolation. When possible, Azure prefers at least 300 miles of separation between datacenters in
a regional pair, although this isn't practical or possible in all geographies. Physical datacenter separation
reduces the likelihood of natural disasters, civil unrest, power outages, or physical network outages
affecting both regions at once.
- Platform-provided replication. Some services such as Geo-Redundant Storage provide automatic
replication to the paired region.
- Region recovery order. In the event of a broad outage, recovery of one region is prioritized out of
every pair. Applications that are deployed across paired regions are guaranteed to have one of the regions
recovered with priority.
- Sequential updates. Planned Azure system updates are rolled out to paired regions sequentially (not at
the same time) to minimize downtime, the effect of bugs, and logical failures in the rare event of a bad
update.
- Data residency. A region resides within the same geography as its pair (except for Brazil South) to meet
data residency requirements for tax and law enforcement jurisdiction purposes.

✔️View the latest Azure regions map.

✔️View the complete list of region pairs.

Azure Subscriptions
An Azure subscription is a logical unit of Azure services that is linked to an Azure account. Billing for Azure
services is done on a per-subscription basis. If your account is the only account associated with a subscription,
then you are responsible for billing.

Subscriptions help you organize access to cloud service resources. They also help you control how resource
usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you
can have different subscriptions and different plans by department, project, regional office, and so on. Every
cloud service belongs to a subscription, and the subscription ID may be required for programmatic operations.

Azure Accounts
Subscriptions have accounts. An Azure account is simply an identity in Azure Active Directory (Azure AD) or
in a directory that is trusted by Azure AD, such as a work or school organization. If you don't belong to one of
these organizations, you can sign up for an Azure account by using your Microsoft Account, which is also
trusted by Azure AD.

Getting access to resources

Every Azure subscription is associated with an Azure Active Directory. Users and services that access resources
of the subscription first need to authenticate with Azure Active Directory.

Typically to grant a user access to your Azure resources, you would add them to the Azure AD directory
associated with your subscription. The user will now have access to all the resources in your subscription. This
is an all-or-nothing operation that may give that user access to more resources than you anticipated.

✔️Do you know how many subscriptions your organization has? Do you know how resources are organized
into resource groups?

Getting a Subscription

There are several ways to get an Azure subscription: Enterprise agreements, Microsoft resellers, Microsoft
partners, and a personal free account.

Enterprise agreements
Any Enterprise Agreement customer can add Azure to their agreement by making an upfront monetary
commitment to Azure. That commitment is consumed throughout the year by using any combination of the
wide variety of cloud services Azure offers from its global datacenters. Enterprise agreements have a 99.95%
monthly SLA.

Reseller
Buy Azure through the Open Licensing program, which provides a simple, flexible way to purchase cloud
services from your Microsoft reseller. If you already purchased an Azure in Open license key, activate a new
subscription or add more credits now.

Partners
Find a Microsoft partner who can design and implement your Azure cloud solution. These partners have the
business and technology expertise to recommend solutions that meet the unique needs of your business.

Personal free account

With a free trial account you can get started using Azure right away and you won’t be charged until you choose
to upgrade.

✔️Which subscription model are you most interested in?

Subscription Usage
Azure offers free and paid subscription options to suit different needs and requirements. The most commonly
used subscriptions are:

- Free
- Pay-As-You-Go
- Enterprise Agreement
- Student

Azure free subscription
An Azure free subscription includes a $200 credit to spend on any service for the first 30 days, free access to the
most popular Azure products for 12 months, and access to more than 25 products that are always free. This is an
excellent way for new users to get started. To set up a free subscription, you need a phone number, a credit card,
and a Microsoft account.

Note: Credit card information is used for identity verification only. You won’t be charged for any services until
you upgrade.

Azure Pay-As-You-Go subscription

A Pay-As-You-Go (PAYG) subscription charges you monthly for the services you used in that billing period.
This subscription type is appropriate for a wide range of users, from individuals to small businesses, and many
large organizations as well.

Azure Enterprise Agreement

An Enterprise Agreement provides flexibility to buy cloud services and software licenses under one agreement,
with discounts for new licenses and Software Assurance. It's targeted at enterprise-scale organizations.

Azure for Students subscription

An Azure for Students subscription includes $100 in Azure credits to be used within the first 12 months plus
select free services without requiring a credit card at sign-up. You must verify your student status through your
organizational email address.

Cost Management
With Azure products and services, you only pay for what you use. As you create and use Azure resources, you
are charged for the resources. You use Azure Cost Management and Billing features to conduct billing
administrative tasks and manage billing access to costs. You also use its features to monitor and control Azure
spending and to optimize Azure resource use.

Cost Management shows organizational cost and usage patterns with advanced analytics. Reports in Cost
Management show the usage-based costs consumed by Azure services and third-party Marketplace offerings.
Costs are based on negotiated prices and factor in reservation and Azure Hybrid Benefit discounts. Collectively,
the reports show your internal and external costs for usage and Azure Marketplace charges. Other charges, such
as reservation purchases, support, and taxes are not yet shown in reports. The reports help you understand your
spending and resource use and can help find spending anomalies. Predictive analytics are also available. Cost
Management uses Azure management groups, budgets, and recommendations to show clearly how your
expenses are organized and how you might reduce costs.

You can use the Azure portal or various APIs for export automation to integrate cost data with external systems
and processes. Automated billing data export and scheduled reports are also available.

Plan and control expenses

The ways that Cost Management helps you plan for and control your costs include cost analysis, budgets,
recommendations, and exporting cost management data.

- Cost analysis. You use cost analysis to explore and analyze your organizational costs. You can view
aggregated costs by organization to understand where costs are accrued and to identify spending trends.
And you can see accumulated costs over time to estimate monthly, quarterly, or even yearly cost trends
against a budget.
- Budgets. Budgets help you plan for and meet financial accountability in your organization. They help
prevent cost thresholds or limits from being surpassed. Budgets can also help you inform others about their
spending to proactively manage costs. And with them, you can see how spending progresses over time.
- Recommendations. Recommendations show how you can optimize and improve efficiency by
identifying idle and underutilized resources. Or, they can show less expensive resource options. When you
act on the recommendations, you change the way you use your resources to save money. To act, you first
view cost optimization recommendations to view potential usage inefficiencies. Next, you act on a
recommendation to modify your Azure resource use to a more cost-effective option. Then you verify the
action to make sure that the change you make is successful.
- Exporting cost management data. If you use external systems to access or review cost management
data, you can easily export the data from Azure. And you can set a daily scheduled export in CSV format
and store the data files in Azure storage. Then, you can access the data from your external system.

Resource Tags
You can apply tags to your Azure resources to logically organize them by categories. Each tag consists of a
name and a value. For example, you can apply the name Environment and the
value Production or Development to your resources. After creating your tags, you associate them with the
appropriate resources.

With tags in place, you can retrieve all the resources in your subscription with that tag name and value. This
means, you can retrieve related resources from different resource groups.

Perhaps one of the best uses of tags is to group billing data. When you download the usage CSV for services,
the tags appear in the Tags column. You could then group virtual machines by cost center and production
environment.

Considerations
There are a few things to consider about tagging:

- Each resource or resource group can have a maximum of 50 tag name/value pairs.
- Tags applied to the resource group are not inherited by the resources in that resource group.

✔️If you need to create a lot of tags you will want to do that programmatically. You can use PowerShell or the
CLI.
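As an added example (not part of the course material), the following Az PowerShell script tags every resource in a resource group programmatically. It pushes the resource group's own tags down to each resource (since tags are not inherited), merges in a required set of tags, checks the 50-tag limit before writing, and then retrieves resources by tag across resource groups. The resource group name and tag values are constructed placeholders; it assumes the Az.Resources module (Update-AzTag requires version 1.12 or later) and an active Connect-AzAccount session.

```powershell
# Added example, not from the course: bulk-tag resources with Az PowerShell.
# Assumes Az.Resources (>= 1.12 for Update-AzTag) and an active Connect-AzAccount session.
# The resource group name and tag values below are constructed placeholders.

$resourceGroupName = 'rg-contoso-app'                       # assumption: your resource group
$requiredTags      = @{ Environment = 'Production'; CostCenter = 'CC-1234' }
$maxTagsPerResource = 50                                    # Azure limit stated in the course text

# Tags on the resource group are NOT inherited by its resources, so push them down explicitly.
$group     = Get-AzResourceGroup -Name $resourceGroupName
$groupTags = if ($group.Tags) { $group.Tags } else { @{} }

foreach ($resource in Get-AzResource -ResourceGroupName $resourceGroupName) {
    # Build the desired set: group tags first, then the required tags (which win on conflict).
    $desired = @{}
    foreach ($k in $groupTags.Keys)    { $desired[$k] = $groupTags[$k] }
    foreach ($k in $requiredTags.Keys) { $desired[$k] = $requiredTags[$k] }

    # Enforce the 50 name/value pair limit before attempting the write.
    $existingCount = if ($resource.Tags) { $resource.Tags.Count } else { 0 }
    $newKeys = @($desired.Keys | Where-Object { -not $resource.Tags -or -not $resource.Tags.ContainsKey($_) })
    if ($existingCount + $newKeys.Count -gt $maxTagsPerResource) {
        Write-Warning "$($resource.Name): would exceed $maxTagsPerResource tags; skipping"
        continue
    }

    # Merge keeps tags already on the resource and adds/overwrites the desired ones.
    Update-AzTag -ResourceId $resource.ResourceId -Tag $desired -Operation Merge | Out-Null
    Write-Output "Tagged $($resource.Name) with $($desired.Keys -join ', ')"
}

# Retrieve related resources across resource groups by tag name and value.
# These same name/value pairs appear in the Tags column of the usage CSV.
Get-AzResource -TagName 'Environment' -TagValue 'Production' |
    Select-Object Name, ResourceGroupName, ResourceType
```

Merge is used rather than Replace so that tags other teams have already applied are preserved; Replace would silently drop them.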

Cost Savings
Reservations help you save money by pre-paying for one or three years of virtual machine, SQL
Database compute capacity, Azure Cosmos DB throughput, or other Azure resources. Pre-paying allows you to
get a discount on the resources you use. Reservations can significantly reduce your virtual machine, SQL
database compute, Azure Cosmos DB, or other resource costs, up to 72% off pay-as-you-go prices. Reservations
provide a billing discount and don't affect the runtime state of your resources.

Azure Hybrid Benefit is a pricing benefit for customers who have licenses with Software Assurance, which
helps maximize the value of existing on-premises Windows Server and/or SQL Server license investments
when migrating to Azure. There is an Azure Hybrid Benefit Savings Calculator to help you determine your
savings.

Azure Credits is a monthly credit benefit that allows you to experiment with, develop, and test new solutions on
Azure. For example, as a Visual Studio subscriber, you can use Microsoft Azure at no extra charge. With your
monthly Azure credit, Azure is your personal sandbox for dev/test.

Azure regions pricing can vary from one region to another, even in the US. Double check the pricing in various
regions to see if you can save a little.

Budgets help you plan for and drive organizational accountability. With budgets, you can account for the Azure
services you consume or subscribe to during a specific period. They help you inform others about their spending
to proactively manage costs, and to monitor how spending progresses over time. When the budget thresholds
you've created are exceeded, only notifications are triggered. None of your resources are affected and your
consumption isn't stopped. You can use budgets to compare and track spending as you analyze costs.
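As an added example (not part of the course material), this Az PowerShell script creates a monthly cost budget with a notification at 80% of the amount, then compares month-to-date spend against it. It illustrates the point above: a budget only sends notifications when a threshold is crossed, it never stops consumption. It assumes the Az.Billing module and an active session; the budget name, amount and e-mail address are constructed placeholders.

```powershell
# Added example, not from the course: a monthly budget that notifies at 80% of spend.
# Assumes the Az.Billing module and an active Connect-AzAccount session.
# Budget name, amount and contact address are constructed placeholders.

$budgetName = 'contoso-monthly-budget'
$amount     = 5000                                     # monthly budget in the billing currency

# Budget periods must start on the first day of a month.
$startDate = Get-Date -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
$endDate   = $startDate.AddYears(1)

$budgetParams = @{
    Name                  = $budgetName
    Amount                = $amount
    Category              = 'Cost'
    TimeGrain             = 'Monthly'
    StartDate             = $startDate
    EndDate               = $endDate
    ContactEmail          = @('finops@contoso.example')   # constructed placeholder address
    NotificationKey       = 'Actual80Percent'
    NotificationThreshold = 80                            # percent of Amount
    NotificationEnabled   = $true
}
# Creating the budget changes nothing about running resources; crossing 80% only e-mails the contacts.
New-AzConsumptionBudget @budgetParams | Out-Null

# Month-to-date actual spend for the current subscription, summed from usage details.
$usage = Get-AzConsumptionUsageDetail -StartDate $startDate -EndDate (Get-Date)
$spent = ($usage | Measure-Object -Property PretaxCost -Sum).Sum
if (-not $spent) { $spent = 0 }

$budget  = Get-AzConsumptionBudget -Name $budgetName
$percent = [math]::Round(100 * $spent / $budget.Amount, 1)
Write-Output ("Budget {0}: {1} of {2} used ({3}%)" -f $budget.Name, $spent, $budget.Amount, $percent)
if ($percent -ge $budgetParams.NotificationThreshold) {
    Write-Warning "Threshold reached: notifications will have been sent, but no resources are stopped."
}
```

The same budget can be scoped to a resource group by adding -ResourceGroupName, which is the usual way to give each department or project its own alert without touching the subscription-level budget.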

Additionally, consider:

The Pricing Calculator provides estimates in all areas of Azure including compute, networking, storage, web,
and databases.

Management Groups
If your organization has several subscriptions, you may need a way to efficiently manage access, policies, and
compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.
You organize subscriptions into containers called management groups and apply your governance conditions to
the management groups. Management groups enable:

- Organizational alignment for your Azure subscriptions through custom hierarchies and grouping.
- Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies.
- Compliance and cost reporting by organization (business/teams).

All subscriptions within a management group automatically inherit the conditions applied to the management
group. For example, you can apply a policy to a management group that limits the regions available for virtual
machine (VM) creation. This policy would be applied to all management groups, subscriptions, and resources
under that management group, allowing VMs to be created only in those regions.

Creating management groups

You can create the management group by using the portal, PowerShell, or Azure CLI. Currently, you can't use
Resource Manager templates to create management groups.

- The Management Group ID is the directory-unique identifier that is used to submit commands on this
management group. This identifier is not editable after creation as it is used throughout the Azure system to
identify this group.
- The Display Name field is the name that is displayed within the Azure portal. A separate display name
is an optional field when creating the management group and can be changed at any time.

✔️Do you think you will want to use Management Groups?

For more information, see Organize your resources with Azure management groups.
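As an added example (not part of the course material), this Az PowerShell script builds a two-level management group hierarchy under the Tenant Root Group, moves a subscription into it, renames a display name, and walks the result. It shows the two properties described above in practice: the Management Group ID (GroupName) is fixed at creation, while the Display Name can be changed afterwards. The group IDs and subscription ID are constructed placeholders; it assumes the Az.Resources module and an account allowed to create groups under the root.

```powershell
# Added example, not from the course: create a management group hierarchy with Az PowerShell.
# Assumes Az.Resources and an active Connect-AzAccount session with rights on the Tenant Root Group.
# Group IDs and the subscription ID are constructed placeholders.

$tenantId       = (Get-AzContext).Tenant.Id
$rootId         = "/providers/Microsoft.Management/managementGroups/$tenantId"   # Tenant Root Group ID = tenant ID
$subscriptionId = '00000000-0000-0000-0000-000000000000'                          # placeholder subscription

# GroupName is the immutable Management Group ID; DisplayName is the editable portal label.
$contoso = New-AzManagementGroup -GroupName 'contoso' -DisplayName 'Contoso' -ParentId $rootId
$prod    = New-AzManagementGroup -GroupName 'contoso-prod' -DisplayName 'Contoso Production' -ParentId $contoso.Id
Write-Output "Created $($prod.Id)"

# Move the subscription under contoso-prod. From now on it inherits policies, budgets and
# role assignments applied at contoso-prod and at contoso.
New-AzManagementGroupSubscription -GroupName 'contoso-prod' -SubscriptionId $subscriptionId

# Only the display name can change after creation; the ID stays 'contoso-prod'.
Update-AzManagementGroup -GroupName 'contoso-prod' -DisplayName 'Contoso - Production'

# Walk the hierarchy to confirm the structure (children include groups and subscriptions).
Get-AzManagementGroup -GroupName 'contoso' -Expand -Recurse |
    Select-Object -ExpandProperty Children |
    Format-Table Name, DisplayName, Type
```

A policy or role assignment whose -Scope is set to $prod.Id now applies to every subscription placed under that group, which is the inheritance behaviour described in the text.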

Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce
different rules over your resources, so those resources stay compliant with your corporate standards and service
level agreements. Azure Policy does this by running evaluations of your resources and scanning for those not
compliant with the policies you have created.

The main advantages of Azure Policy are in the areas of enforcement and compliance, scaling, and remediation.

- Enforcement and compliance. Turn on built-in policies or build custom ones for all resource types.
Real-time policy evaluation and enforcement. Periodic and on-demand compliance evaluation.
- Apply policies at scale. Apply policies to a Management Group with control across your entire
organization. Apply multiple policies and aggregate policy states with a policy initiative. Define an exclusion
scope.
- Remediation. Real-time remediation, and remediation on existing resources.

Azure Policy will be important to you if your team runs an environment where you need to govern:

- Multiple engineering teams (deploying to and operating in the environment)
- Multiple subscriptions
- A need to standardize/enforce how cloud resources are configured
- Regulatory compliance, cost control, security, or design consistency

Use Cases
- Specify the resource types that your organization can deploy.
- Specify a set of virtual machine SKUs that your organization can deploy.
- Restrict the locations your organization can specify when deploying resources.
- Enforce a required tag and its value.
- Audit if the Azure Backup service is enabled for all virtual machines.

For more information, see the Azure Policy Documentation.

Implementing Azure Policy

To implement Azure Policies, you can follow these steps.

1. Browse Policy Definitions. A Policy Definition expresses what to evaluate and what actions to take.
Every policy definition has conditions under which it is enforced. And, it has an accompanying effect that
takes place if the conditions are met. For example, you could prevent VMs from being deployed if they are
exposed to a public IP address.
2. Create Initiative Definitions. An initiative definition is a set of Policy Definitions to help track your
compliance state for a larger goal. For example, ensuring a branch office is compliant.
3. Scope the Initiative Definition. You can limit the scope of the Initiative Definition to Management
Groups, Subscriptions, or Resource Groups.
4. View Policy Evaluation results. Once an Initiative Definition is assigned, you can evaluate the state of
compliance for all your resources. Individual resources, resource groups, and subscriptions within a scope
can be exempted from having policy rules affect them. Exclusions are handled individually for each
assignment.

✔️Even if you have only a few Policy Definitions, we recommend creating an Initiative Definition.

Policy Definitions
There are many Built-in Policy Definitions for you to choose from. Sorting by Category will help you locate
what you need. For example,

- The Allowed Virtual Machine SKUs policy enables you to specify a set of virtual machine SKUs that your
organization can deploy.
- The Allowed Locations policy enables you to restrict the locations that your organization can specify
when deploying resources. This can be used to enforce your geo-compliance requirements.

If there isn't an applicable policy you can add a new Policy Definition. The easiest way to do this is to import a
policy from GitHub. New Policy Definitions are added almost every day.

✔️Policy Definitions have a specific JSON format. As an Azure Administrator you will not need to create files
in this format, but you may want to review the format, just so you are familiar with it.

Create Initiative Definitions

Once you have determined which Policy Definitions you need, you create an Initiative Definition. This
definition will include one or more policies. There is a pick list on the right side of the New Initiative definition
page (not shown) to make your selection.

✔️Currently, an Initiative Definition can have up to 100 policies.

✔️What planning will be needed to organize your policy definitions?

Scope the Initiative

Once your Initiative Definition is created, you can assign the definition to establish its scope. A scope determines
what resources or grouping of resources the policy assignment gets enforced on.
You can select the Subscription, and then optionally a Resource Group.

Determine Compliance
Once your policy is in place you can use the Compliance blade to review non-compliant initiatives,
non-compliant policies, and non-compliant resources.

When a condition is evaluated against your existing resources and found true, then those resources are marked
as non-compliant with the policy. Although the portal does not show the evaluation logic, the compliance state
results are shown. The compliance state result is either compliant or non-compliant.

✔️Policy evaluation happens about once an hour, which means that if you make changes to your policy
definition and create a policy assignment then it will be re-evaluated over your resources within the hour.

Demonstration - Azure Policy

In this demonstration, we will work with Azure policies.

Assign a policy

1. Access the Azure portal.
2. Search for and select Policy.
3. Select Assignments on the left side of the Azure Policy page.
4. Select Assign Policy from the top of the Policy - Assignments page.
5. Notice the Scope which determines what resources or grouping of resources the policy assignment gets
enforced on.
6. Select the Policy definition ellipsis to open the list of available definitions. Take some time to review
the built-in policy definitions.
7. Search for and select Allowed locations. This policy enables you to restrict the locations your
organization can specify when deploying resources.
8. Move to the Parameters tab and, using the drop-down, select one or more allowed locations.
9. Click Review + create and then Create to create the policy.

Create and assign an initiative definition

1. Select Definitions under Authoring in the left side of the Azure Policy page.
2. Select + Initiative Definition at the top of the page to open the Initiative definition page.
3. Provide a Name and Description.
4. Create new Category.
5. From the right panel Add the Allowed locations policy.
6. Add one additional policy of your choosing.
7. Save your changes and then Assign your initiative definition to your subscription.

Check for compliance

1. Return to the Azure Policy service page.
2. Select Compliance.
3. Review the status of your policy and your definition.

Check for remediation tasks

1. Return to the Azure Policy service page.
2. Select Remediation.
3. Review any remediation tasks that are listed.

Remove your policy and initiative

1. Return to the Azure Policy service page.
2. Select Assignments.
3. Select your Allowed locations policy.
4. Click Delete assignment.
5. Return to the Azure Policy service page.
6. Select Initiatives.
7. Select your new initiative.
8. Click Delete initiative.
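As an added example (not part of the course material), the script below runs the same lifecycle as the four implementation steps and the portal demonstration above, but with Az PowerShell: it creates a policy definition from JSON, wraps it in an initiative definition, scopes the initiative to a subscription, triggers an on-demand compliance evaluation instead of waiting for the hourly cycle, lists non-compliant resources, and finally removes the assignment, initiative and definition. The policy rule is a constructed custom definition modelled on the built-in Allowed locations policy, not the built-in itself; the names are placeholders. It assumes the Az.Resources and Az.PolicyInsights modules and an active session with Resource Policy Contributor rights on the subscription.

```powershell
# Added example, not from the course: the Azure Policy lifecycle with Az PowerShell.
# Assumes Az.Resources, Az.PolicyInsights and an active Connect-AzAccount session.
# Definition, initiative and assignment names are constructed placeholders.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# 1. Policy definition. The JSON rule states what to evaluate ("if") and the effect ("then").
#    Global services carry location "global" and need no region, so they are exempted.
#    (Custom rule modelled on the built-in "Allowed locations" policy, not the built-in itself.)
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('listOfAllowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$ruleParams = @'
{
  "listOfAllowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@
$definitionName = 'contoso-allowed-locations'
New-AzPolicyDefinition -Name $definitionName -DisplayName 'Contoso: allowed locations (custom)' `
    -Policy $rule -Parameter $ruleParams -Mode All | Out-Null
# Subscription-level definitions always have this resource ID shape.
$definitionId = "$scope/providers/Microsoft.Authorization/policyDefinitions/$definitionName"

# 2. Initiative (policy set) definition. It exposes one parameter and passes it to the policy,
#    so the value is chosen once, at assignment time.
$setPolicies = @"
[
  {
    "policyDefinitionId": "$definitionId",
    "parameters": { "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" } }
  }
]
"@
$setParams = @'
{ "allowedLocations": { "type": "Array", "metadata": { "displayName": "Allowed locations" } } }
'@
$initiative = New-AzPolicySetDefinition -Name 'contoso-governance-baseline' `
    -DisplayName 'Contoso governance baseline' -PolicyDefinition $setPolicies -Parameter $setParams

# 3. Scope the initiative: assign it at the subscription with the parameter value.
#    Use a management group ID as -Scope to cover every subscription beneath it instead.
$assignmentName = 'contoso-baseline-sub'
New-AzPolicyAssignment -Name $assignmentName -Scope $scope -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ allowedLocations = @('eastus', 'westus') } | Out-Null

# 4. Compliance. Evaluation normally runs about once an hour; an on-demand scan runs it now
#    (this call waits for the scan to finish). Then list what is non-compliant for this assignment.
Start-AzPolicyComplianceScan -SubscriptionId $subscriptionId | Out-Null
Get-AzPolicyState -SubscriptionId $subscriptionId -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Format-Table ResourceId, PolicyDefinitionName, ComplianceState

# Cleanup in the same order as the demonstration: assignment first, then initiative, then definition.
Remove-AzPolicyAssignment -Name $assignmentName -Scope $scope
Remove-AzPolicySetDefinition -Name 'contoso-governance-baseline' -Force
Remove-AzPolicyDefinition -Name $definitionName -Force
```

Because the effect is deny, existing resources in other regions are only reported as non-compliant; new deployments outside the allowed list are rejected at Resource Manager before anything is created. Switching the effect to audit is the usual first step when rolling a new policy out over an environment with many existing resources.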

Role-Based Access Control

Access management for cloud resources is a critical function for any organization that is using the cloud.
Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with
those resources, and what areas they have access to.

RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access
management of resources in Azure.

What can I do with RBAC?

Here are some examples of what you can do with RBAC:

- Allow an application to access all resources in a resource group
- Allow one user to manage virtual machines in a subscription and another user to manage virtual
networks
- Allow a DBA group to manage SQL databases in a subscription
- Allow a user to manage all resources in a resource group, such as virtual machines, websites, and
subnets

Concepts
- Security principal. Object that represents something that is requesting access to resources. Examples:
user, group, service principal, managed identity
- Role definition. Collection of permissions that lists the operations that can be performed. Examples:
Reader, Contributor, Owner, User Access Administrator
- Scope. Boundary for the level of access that is requested. Examples: management group, subscription,
resource group, resource
- Assignment. Attaching a role definition to a security principal at a particular scope. Users can grant
access described in a role definition by creating an assignment. Deny assignments are currently read-only
and can only be set by Azure.

Best practices for using RBAC

Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they
need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or
resources, you can allow only certain actions at a particular scope.

When planning your access control strategy, it's a best practice to grant users the least privilege to get their work
done. The following diagram shows a suggested pattern for using RBAC.

Role Definitions

Each role is a set of properties defined in a JSON file. This role definition includes Name, Id, and Description.
It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (read access,
etc.) for the role. For example,

Name: Owner
ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb65
IsCustom: False
Description: Manage everything, including access to resources
Actions: {*}
NotActions: {}
AssignableScopes: {/}

In this example the Owner role means all (asterisk) actions, no denied actions, and all (/) scopes.

Actions and NotActions

The Actions and NotActions properties can be tailored to grant and deny the exact permissions you need. This
table shows the Actions and NotActions of the Owner, Contributor, and Reader roles.

Built-in Role                                     Actions   NotActions
Owner (allow all actions)                         *         (none)
Contributor (allow all actions except writing     *         Microsoft.Authorization/*/Delete,
or deleting role assignments)                               Microsoft.Authorization/*/Write,
                                                            Microsoft.Authorization/elevateAccess/Action
Reader (allow all read actions)                   */read    (none)

Scope your role

Defining the Actions and NotActions properties is not enough to fully implement a role. You must also properly
scope your role.

The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or resources)
within which the custom role is available for assignment. You can make the custom role available for
assignment in only the subscriptions or resource groups that require it, and not clutter the user experience for
the rest of the subscriptions or resource groups.

* /subscriptions/[subscription id]
* /subscriptions/[subscription id]/resourceGroups/[resource group name]
* /subscriptions/[subscription id]/resourceGroups/[resource group name]/[resource]

Example 1
Make a role available for assignment in two subscriptions.

“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e”,
“/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624”

Example 2
Make a role available for assignment only in the Network resource group.

“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups

Role Assignment
A role assignment is the process of attaching a role definition to a user, group, service principal, or managed
identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment,
and access is revoked by removing a role assignment.

This diagram shows an example of a role assignment. In this example, the Marketing group has been assigned
the Contributor role for the pharma-sales resource group. This means that users in the Marketing group can
create or manage any Azure resource in the pharma-sales resource group. Marketing users do not have access to
resources outside the pharma-sales resource group, unless they are part of another role assignment.

Notice that access does not need to be granted to the entire subscription. Roles can also be assigned for resource
groups as well as for individual resources. In Azure RBAC, a resource inherits role assignments from its parent
resources. So if a user, group, or service is granted access to only a resource group within a subscription, they
will be able to access only that resource group and resources within it, and not the other resource groups within
the subscription.

As another example, a security group can be added to the Reader role for a resource group, but be added to the
Contributor role for a database within that resource group.
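As an added example (not part of the course material), the following Az PowerShell script ties the role definition and role assignment sections together: it clones the built-in Reader definition to get the JSON skeleton (Name, Id, Actions, NotActions, AssignableScopes), narrows Actions to reading resource groups and working with support requests, limits AssignableScopes to one subscription, assigns the custom role to a group at resource-group scope, verifies the assignment, and shows that revoking access is simply removing the assignment. The group name, resource group name and role name are constructed placeholders; Microsoft.Support/* and Microsoft.Resources/subscriptions/resourceGroups/read are real Azure operations. It assumes Az.Resources and an account with Owner or User Access Administrator rights at the subscription.

```powershell
# Added example, not from the course: custom role definition + assignment with Az PowerShell.
# Assumes Az.Resources and an active session with rights to create roles and assignments.
# Group name, resource group name and role name are constructed placeholders.

$subscriptionId    = (Get-AzContext).Subscription.Id
$resourceGroupName = 'rg-contoso-app'                                    # placeholder
$groupObjectId     = (Get-AzADGroup -DisplayName 'Support Staff').Id     # placeholder Azure AD group

# Start from Reader so the property layout matches the JSON shown in the text, then
# narrow Actions to exactly what is needed (least privilege): read resource groups, use support.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null                    # a null Id makes New-AzRoleDefinition create a new role
$role.Name        = 'Support Request Contributor (Custom)'
$role.Description = 'Open support requests and read resource groups only'
$role.IsCustom    = $true
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.Actions.Add('Microsoft.Support/*')
$role.NotActions.Clear()
# AssignableScopes: the role is offered for assignment only within this subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$customRole = New-AzRoleDefinition -Role $role

# Assignment = role definition + security principal + scope. Scoping to the resource group means the
# group gets nothing elsewhere in the subscription unless another assignment grants it.
New-AzRoleAssignment -ObjectId $groupObjectId `
    -RoleDefinitionName $customRole.Name `
    -ResourceGroupName $resourceGroupName | Out-Null

# Verify: assignments visible at the resource group, including ones inherited from the subscription
# (the Scope column shows where each one was made).
Get-AzRoleAssignment -ResourceGroupName $resourceGroupName |
    Format-Table DisplayName, RoleDefinitionName, Scope

# Revoking access is removing the assignment; the role definition remains available for reuse.
Remove-AzRoleAssignment -ObjectId $groupObjectId `
    -RoleDefinitionName $customRole.Name `
    -ResourceGroupName $resourceGroupName
```

Because Microsoft.Authorization/* is absent from Actions, members of the group cannot create further role assignments, which is the same separation Contributor achieves through its NotActions in the table above.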

Azure RBAC Roles vs Azure AD Roles

If you are new to Azure, you may find it a little challenging to understand all the different roles in Azure. This
article helps explain the following roles and when you would use each:

- Classic subscription administrator roles
- Azure role-based access control (RBAC) roles
- Azure Active Directory (Azure AD) administrator roles

To better understand roles in Azure, it helps to know some of the history. When Azure was initially released,
access to resources was managed with just three administrator roles: Account Administrator, Service
Administrator, and Co-Administrator. Later, role-based access control (RBAC) for Azure resources was added.
Azure RBAC is a newer authorization system that provides fine-grained access management to Azure
resources. RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create
your own custom roles. To manage resources in Azure AD, such as users, groups, and domains, there are
several Azure AD administrator roles.

Differences between Azure RBAC roles and Azure AD roles

At a high level, Azure RBAC roles control permissions to manage Azure resources, while Azure AD
administrator roles control permissions to manage Azure Active Directory resources. The following table
compares some of the differences.

Azure RBAC roles                                       Azure AD roles
Manage access to Azure resources.                      Manage access to Azure Active Directory resources.
Scope can be specified at multiple levels              Scope is at the tenant level.
(management group, subscription, resource group,
resource).
Role information can be accessed in Azure portal,      Role information can be accessed in Azure admin
Azure CLI, Azure PowerShell, Azure Resource            portal, Office 365 admin portal, Microsoft Graph,
Manager templates, REST API.                           AzureAD PowerShell.

✔️Classic administrator roles should be avoided if you are using Azure Resource Manager.

RBAC Authentication
RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create your own
custom roles. To manage resources in Azure AD, such as users, groups, and domains, there are several Azure
AD administrator roles.

This diagram is a high-level view of how the Azure RBAC roles and Azure AD administrator roles are related.

Do you see how Azure AD Admin roles and Azure RBAC roles work together to authenticate users?

Azure RBAC Roles
Azure includes several built-in roles that you can use. The following lists four fundamental built-in roles. The
first three apply to all resource types.

- Owner. Has full access to all resources including the right to delegate access to others. The Service
Administrator and Co-Administrators are assigned the Owner role at the subscription scope. This applies to
all resource types.
- Contributor. Can create and manage all types of Azure resources but can't grant access to others. This
applies to all resource types.
- Reader. Can view existing Azure resources. This applies to all resource types.
- User Access Administrator. Lets you manage user access to Azure resources. This applies to managing
access, rather than to managing resources.

The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine
Contributor role allows a user to create and manage virtual machines. If the built-in roles don't meet the
specific needs of your organization, you can create your own custom roles.

Azure has introduced data operations that enable you to grant access to data within an object. For example, if a
user has read data access to a storage account, then they can read the blobs or messages within that storage
account.

Demonstration - Azure RBAC

In this demonstration, we will learn about role assignments.

Locate Access Control blade

1. Access the Azure portal, and select a resource group. Make a note of what resource group you use.
2. Select the Access Control (IAM) blade.
3. This blade will be available for many different resources so you can control access.

Review role permissions

1. Select the Roles tab (top).
2. Review the large number of built-in roles that are available.
3. Double-click a role, and then select Permissions (top).
4. Continue drilling into the role until you can view the Read, Write, and Delete actions for that role.
5. Return to the Access Control (IAM) blade.

Add a role assignment

1. Create a user.
2. Select Add role assignment.
   • Role: Owner
   • Select: Managers
   • Save your changes.
3. Select Check access.
4. Select the user.
5. Notice the user is part of the Managers group and is an Owner.
6. Notice that you can Deny assignments.

Explore PowerShell commands

1. Open the Azure Cloud Shell.


2. Select the PowerShell drop-down.
3. List role definitions.
Get-AzRoleDefinition | FT Name, Description
4. List the actions of a role.
Get-AzRoleDefinition owner | FL Actions, NotActions
5. List role assignments.
Get-AzRoleAssignment -ResourceGroupName <resource group name>
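The built-in roles described above, the Check access step of the demonstration, and the custom role that Lab 02a asks for below all come down to one evaluation: take every role assignment that reaches the resource's scope (directly or through group membership), see whether the role's Actions cover the operation and its NotActions do not subtract it, and let any deny assignment win. The Python model below is an added example, not Microsoft's code and not Azure's real evaluation engine; the Owner and Reader definitions match the built-ins, the Contributor NotActions list is abridged, the "Support Request Operator (custom)" role, the principals, the scopes and the all-zero subscription id are constructed for the illustration.

```python
"""Offline model of an Azure RBAC access check (added example, not Microsoft's code).

Role definitions use the built-in Actions/NotActions shape: Owner and Reader match the
built-ins, the Contributor NotActions list is abridged, and the last entry is the kind of
custom role Lab 02a asks for. Scopes, principals, group names and the all-zero
subscription id are constructed sample data.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # NotActions are subtracted: Contributor manages resources but cannot grant access.
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    # Constructed custom role: open support requests and view resource groups, nothing else.
    "Support Request Operator (custom)": {
        "Actions": ["Microsoft.Support/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": [],
    },
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group name (an object id in a real tenant)
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # management group, subscription, resource group or resource id


@dataclass(frozen=True)
class DenyAssignment:
    principals: frozenset  # who is blocked
    actions: tuple         # action patterns that are blocked
    scope: str


def _matches(pattern, action):
    # Azure compares actions case-insensitively; '*' spans any number of '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def _scope_covers(assigned_scope, resource_scope):
    # An assignment applies at its own scope and is inherited by every child scope.
    a = assigned_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def role_grants(role, action):
    """True if the role's Actions cover the action and its NotActions do not exclude it."""
    definition = ROLE_DEFINITIONS[role]
    allowed = any(_matches(p, action) for p in definition["Actions"])
    excluded = any(_matches(p, action) for p in definition["NotActions"])
    return allowed and not excluded


def effective_roles(principal, groups, resource_scope, assignments):
    """What the portal's Check access shows: roles reaching this scope via user or groups."""
    identities = {principal, *groups}
    return sorted({a.role for a in assignments
                   if a.principal in identities and _scope_covers(a.scope, resource_scope)})


def is_allowed(principal, groups, action, resource_scope, assignments, denies=()):
    identities = {principal, *groups}
    # Deny assignments are checked first and win over every role assignment.
    for d in denies:
        if (identities & d.principals and _scope_covers(d.scope, resource_scope)
                and any(_matches(p, action) for p in d.actions)):
            return False
    return any(role_grants(a.role, action) for a in assignments
               if a.principal in identities and _scope_covers(a.scope, resource_scope))


# Constructed scenario mirroring review questions 7 and 8 and the Lab 02a support-request user.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = SUB + "/resourceGroups/rg-web"
VM1 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/VM1"
VM3 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/VM3"

ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", RG_WEB),                         # new IT admin: owns rg-web only
    RoleAssignment("bob", "Contributor", VM3),                        # helpdesk hire: VM3 only
    RoleAssignment("managers", "Reader", SUB),                        # group assignment, inherited
    RoleAssignment("dave", "Support Request Operator (custom)", SUB),  # Lab 02a style custom role
]
DENIES = [
    # Deny assignment: bob keeps Contributor on VM3 but can never delete it.
    DenyAssignment(frozenset({"bob"}), ("Microsoft.Compute/virtualMachines/delete",), VM3),
]

if __name__ == "__main__":
    print(effective_roles("carol", ["managers"], VM1, ASSIGNMENTS))
    print(is_allowed("bob", [], "Microsoft.Compute/virtualMachines/write", VM1, ASSIGNMENTS, DENIES))
```

Two things the model makes visible that the bullet list does not: a Contributor assignment at any scope still fails `Microsoft.Authorization/roleAssignments/write` because of NotActions, which is why the administrator in review question 7 needs Owner, and an assignment at the VM3 resource scope never reaches VM1, which is why review question 8 needs no extra resource group.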

Lab 02a - Manage Subscriptions and Azure RBAC

Lab scenario
To improve the management of Azure resources in Contoso, you have been tasked with implementing the
following functionality:

• using management groups for Contoso's Azure subscriptions.
• granting user permissions for submitting support requests. This user would only be able to create support request tickets and view resource groups.

Objectives
In this lab, you will:

• Task 1: Implement Management Groups.
• Task 2: Create custom RBAC roles.
• Task 3: Assign RBAC roles.

✔️Consult with your instructor for how to access the lab instructions and lab environment (if provided).

Lab 02b - Manage Governance via Azure Policy

Lab scenario
To improve management of Azure resources in Contoso, you have been tasked with implementing the following
functionality:

• tagging resource groups that include only infrastructure resources (such as Cloud Shell storage accounts)
• ensuring that only properly tagged infrastructure resources can be added to infrastructure resource groups
• remediating any non-compliant resources

Objectives
In this lab, we will:

• Task 1: Create and assign tags via the Azure portal.
• Task 2: Enforce tagging via an Azure policy.
• Task 3: Apply tagging via an Azure policy.

✔️Consult with your instructor for how to access the lab instructions and lab environment (if provided).
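Tasks 2 and 3 of this lab are two different policy effects: a deny rule stops untagged or mis-tagged resources from being created, and a modify rule stamps the tag onto resources that already exist. The evaluator below is an added example, not Microsoft's policy engine and not the lab's own files; the two rules follow the shape of the built-in "Require a tag and its value on resources" (deny) and "Add a tag to resources" (modify) definitions, the evaluator implements only the operators those rules use (`field`, `exists`, `equals`, `not`, `allOf`, `anyOf`), and the tag name, tag value, resource records and the role definition id placeholder are constructed.

```python
"""Offline evaluator for the tag policies a lab like 02b assigns (added example).

Not Microsoft's policy engine: it handles only the operators the two rules below use.
The tag name/value, the resource records and the role definition id are constructed.
"""
import copy
import re

# Shape of the built-in "Require a tag and its value on resources" definition.
REQUIRE_TAG_VALUE_DENY = {
    "if": {"not": {"field": "[concat('tags[', parameters('tagName'), ']')]",
                   "equals": "[parameters('tagValue')]"}},
    "then": {"effect": "deny"},
}

# Shape of the built-in "Add a tag to resources" definition (remediation via modify).
ADD_TAG_MODIFY = {
    "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    "then": {"effect": "modify",
             "details": {
                 # placeholder: the role the remediation managed identity is granted
                 "roleDefinitionIds": ["<role definition id for the remediation identity>"],
                 "operations": [{"operation": "add",
                                 "field": "[concat('tags[', parameters('tagName'), ']')]",
                                 "value": "[parameters('tagValue')]"}]}},
}

_PARAM = re.compile(r"\[parameters\('(\w+)'\)\]")
_TAG_FIELD = re.compile(r"\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]")


def resolve(expr, params):
    """Expand the two template expressions these rules use; anything else is a literal."""
    if not isinstance(expr, str):
        return expr
    m = _TAG_FIELD.fullmatch(expr)
    if m:
        return f"tags[{params[m.group(1)]}]"
    m = _PARAM.fullmatch(expr)
    return params[m.group(1)] if m else expr


def field_value(resource, field):
    """Look up a field; tag names match case-insensitively (values are case-sensitive)."""
    if field.startswith("tags[") and field.endswith("]"):
        wanted = field[5:-1].lower()
        for name, value in resource.get("tags", {}).items():
            if name.lower() == wanted:
                return value
        return None
    return resource.get(field)


def condition_matches(cond, resource, params):
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    value = field_value(resource, resolve(cond["field"], params))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == resolve(cond["equals"], params)
    raise ValueError(f"unsupported condition: {cond}")


def apply_policy(policy_rule, params, resource):
    """Return (verdict, resource): 'compliant', 'deny', 'audit', or 'modify' with a fixed copy."""
    if not condition_matches(policy_rule["if"], resource, params):
        return "compliant", resource
    then = policy_rule["then"]
    effect = then["effect"].lower()
    if effect != "modify":
        return effect, resource           # 'deny' blocks the request, 'audit' only flags it
    fixed = copy.deepcopy(resource)       # the original record is left untouched
    tags = fixed.setdefault("tags", {})
    for op in then["details"]["operations"]:
        key = resolve(op["field"], params)[5:-1]
        present = field_value(fixed, f"tags[{key}]") is not None
        # 'add' only fills a missing tag; 'addOrReplace' also overwrites an existing value.
        if op["operation"] == "addOrReplace" or (op["operation"] == "add" and not present):
            tags[key] = resolve(op["value"], params)
    return "modify", fixed


# Constructed assignment parameters and resources (not the lab's real values).
PARAMS = {"tagName": "Environment", "tagValue": "Infra"}
UNTAGGED = {"name": "stcloudshell01", "type": "Microsoft.Storage/storageAccounts", "tags": {}}
MISTAGGED = {"name": "stcloudshell02", "type": "Microsoft.Storage/storageAccounts",
             "tags": {"environment": "Dev"}}
TAGGED = {"name": "stcloudshell03", "type": "Microsoft.Storage/storageAccounts",
          "tags": {"environment": "Infra"}}

if __name__ == "__main__":
    for r in (UNTAGGED, MISTAGGED, TAGGED):
        print(r["name"], apply_policy(REQUIRE_TAG_VALUE_DENY, PARAMS, r)[0])
    print(apply_policy(ADD_TAG_MODIFY, PARAMS, UNTAGGED))
```

Running it shows why the lab keeps enforcement and remediation as separate tasks: the deny rule rejects both the untagged and the mis-tagged account, while the modify rule's `add` operation fills in a missing tag but leaves an existing wrong value alone, so a mis-tagged resource stays non-compliant until its value is corrected. In a real assignment the modify effect also needs a managed identity holding one of the roles in `roleDefinitionIds`, or the remediation task cannot write the tag.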

Module 02 Review Questions

Review Question 1
You need to target policies and review spend budgets across several subscriptions you manage. What should
you do? Select one.

• Create resource groups
• Create management groups
• Create billing groups
• Create Azure policies

Explanation

Create management groups. Management groups can be used to organize and manage subscriptions.

Review Question 2
You would like to categorize resources and billing for different departments like IT and HR. The billing needs
to be consolidated across multiple resource groups and you need to ensure everyone complies with the solution.
What should you do? (Choose two to complete a solution.)

• Create tags for each department.
• Create a billing group for each department.
• Create an Azure policy.
• Add the groups into a single resource group.
• Create a subscription account rule.

Explanation

Create tags for each department and create an Azure policy. You should create a tag with a key:value pair like
department:HR. You can then create an Azure policy which requires the tag be applied before a resource is
created.

Review Question 3
Your company's financial comptroller wants to be notified whenever the company is half-way to spending the
money allocated for cloud services. What should you do? Select one.

• Create an Azure reservation.
• Create a budget and a spending threshold.
• Create a management group.
• Enter workloads in the Total Cost of Ownership calculator.

Explanation

Create a budget and a spending threshold. Billing Alerts help you monitor and manage billing activity for your
Azure accounts. You can set up a total of five billing alerts per subscription, with a different threshold and up to
two email recipients for each alert. Monthly budgets are evaluated against spending every four hours. Budgets
reset automatically at the end of a period.

Review Question 4
Your organization has several Azure policies that they would like to create and enforce for a new branch office.
What should you do? Select one.

• Create a policy initiative
• Create a management group
• Create a resource group
• Create a new subscription

Explanation

Create a policy initiative. A policy initiative would include all the policies of interest. Once your initiative is
created, you can assign the definition to establish its scope. A scope determines what resources or grouping of
resources the policy assignment gets enforced on.

Review Question 5
Your manager asks you to explain how Azure uses resource groups. You provide all of the following
information, except which one? Select one.

• Resources can be in only one resource group.
• Resources can be moved from one resource group to another resource group.
• Resource groups can be nested.
• Role-based access control can be applied to the resource group.

Explanation

Resource groups cannot be nested.

Review Question 6
Which of the following would be a good example of when to use a resource lock? Select one.

• An ExpressRoute circuit with connectivity back to your on-premises network.
• A non-production virtual machine used to test occasional application builds.
• A storage account used to temporarily store images processed in a development environment.
• A resource group for a new branch office that is just starting up.

Explanation

An ExpressRoute circuit with connectivity back to your on-premises network. Resource locks prevent other
users in your organization from accidentally deleting or modifying critical resources.

Review Question 7
Your company hires a new IT administrator. She needs to manage a resource group with first-tier web servers,
including assigning permissions. However, she should not have access to other resource groups inside the
subscription. You need to configure role-based access. What should you do? Select one.

• Assign her as a Subscription Owner.
• Assign her as a Subscription Contributor.
• Assign her as a Resource Group Owner.
• Assign her as a Resource Group Contributor.

Explanation

Assign her as a Resource Group Owner. The new IT administrator needs to be able to assign permissions.

Review Question 8
You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new
employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2. Your
solution must minimize administrative overhead. What should you do? Select one.

• Assign the user to the Contributor role on the resource group.
• Assign the user to the Contributor role on VM3.
• Move VM3 to a new resource group and assign the user to the Contributor role on VM3.
• Assign the user to the Contributor role on the resource group, then assign the user to the Owner role on VM3.

Explanation

Assign the user to the Contributor role on VM3. This means the user will not have access to VM1 or VM2. The
Contributor role will allow the user to change the settings on VM3.

Additional Study
Microsoft Learn provides self-paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.

• Analyze costs and create budgets with Azure Cost Management
• Predict costs and optimize spending for Azure
• Control and organize Azure resources with Azure Resource Manager
• Apply and monitor infrastructure standards with Azure Policy
• Create custom roles for Azure resources with role-based access control
• Manage access to an Azure subscription by using Azure role-based access control
• Secure your Azure resources with role-based access control
