Microsoft Azure Security Technologies EXAM AZ-500 STUDY GUIDE & EXAM PREP (IN PROGRESS)

Hey gang – I have another “nights and weekends” project in the works.



As of right now, I am finished with Module 1, which is the following breakdown of the domains and all the subtopics:

Manage identity and access (30-35%)

  • Manage Azure Active Directory identities
    • Configure security for service principals
    • Manage Azure AD directory groups
    • Manage Azure AD users
    • Configure password writeback
    • Configure authentication methods including password hash and Pass Through Authentication (PTA), OAuth, and passwordless (not ADFS)
    • Transfer Azure subscriptions between Azure AD tenants
  • Configure secure access by using Azure AD
    • Monitor privileged access for Azure AD Privileged Identity Management (PIM)
    • Configure Access Reviews
    • Activate and configure PIM
    • Implement Conditional Access policies including Multi-Factor Authentication (MFA)
    • Configure Azure AD identity protection
  • Manage application access
    • Create App Registration
    • Configure App Registration permission scopes
    • Manage App Registration permission consent
    • Manage API access to Azure subscriptions and resources
  • Manage access control
    • Configure subscription and resource permissions
    • Configure resource group permissions
    • Configure custom RBAC roles
    • Identify the appropriate role
    • Apply principle of least privilege
    • Interpret permissions
    • Check access

These are for the NEW requirements as laid out in the updated skills outline for the end of July 2020.

Here is a snip from the introduction of the book – it’ll give you an idea of what to expect from the finished product:

HOW TO BEST USE THIS STUDY GUIDE

With direct respect to the overview and reference content provided for review study, the materials here align with the main domain objectives for the certification. As much as possible, the topic references and outlines are also followed up with direct links to articles and whitepapers on the Microsoft website that dive deeper into the summary content.

The content has been provided, at least in summary format, for every domain topic and sub item for that topic. In some cases, additional editorial content and technical details are offered to dive down into the item. In other cases, there may be fewer details, but in all cases, links back to technical documentation on a Microsoft Docs page have been offered.

All of the supplied information, review links, and notes are meant as a final review as opposed to full, robust information.

If you follow the hyperlinked topics and review the reference pages for the detailed information, you should be able to fill in many of the blanks you might have on the topics and the overall domain objectives.

With direct respect to the practice questions, this book’s style and format is written to partially simulate some of the content and question approach that you might see in an official Microsoft exam.

The questions and the answer choices are provided for you on one page so you can read everything in its entirety.

On the very next page is the same question, with the solution / answer provided, along with the answer explanation and reference information.

This format was chosen so that the solution was not immediately exposed – that allows the reader the ability to think about an answer to select before being presented with the solution.

Additionally, repeating the entire question, with the answer and references provided on the very next page, eliminates the need for searching / flipping through the book.

The practice questions, and the answers, explanations, and reference links, are another direct opportunity to learn additional information on the domain topics; it is a suggested best practice for using this study guide to read everything included in its entirety.

Stay tuned – I am hoping to have this wrapped up and released for late August 2020.



Exam AZ-104: Microsoft Azure Administrator Study Guide

Author note from Jason Zandri – the hyperlinks provided herein are directly from those as found via Microsoft’s public facing Azure content. While assembled and linked by me, none of that originating work, as cross referenced via the links, is my own – the only ownership of any sort that I claim is the direct content of this posting itself.

The Microsoft Azure Administrator Exam (AZ-104) is designed for candidates looking to measure their ability to accomplish the following technical tasks: manage Azure subscriptions and resources; implement and manage storage; deploy and manage virtual machines (VMs); configure and manage virtual networks; and manage identities.

This exam replaces the former version of the exam, Exam AZ-103: Microsoft Azure Administrator, which you can still study for and take through its expiration (planned for August 31, 2020).

Microsoft Azure Administrator Exam (AZ-104) became available on April 2, 2020.

Taking and passing the AZ-103 exam (through August 31, 2020) or the replacement exam, AZ-104, grants the examinee the following certification – Microsoft Certified: Azure Administrator Associate

There are five main domains for the exam:

Manage Azure Identities and Governance (15-20%)
Implement and manage storage (15-20%)
Deploy and manage Azure Compute Resources (15-20%)
Configure and manage virtual networking (30-35%)
Monitor and back up Azure resources (15-20%)

Below is a listing of all the subtopic information as it corresponds back to these five main domains. Where I have been able to, I have provided links to additional study details and resources for additional review.

Manage Azure Identities and Governance (15-20%)
Manage Azure AD objects (users, groups, and devices)
What is Azure Active Directory?
Create users and groups
Add or delete users using Azure Active Directory
New-AzureADUser
Manage user and group properties
Add or update a user’s profile information using Azure Active Directory
Edit your group information using Azure Active Directory
Manage device settings
Manage device identities using the Azure portal
How To: Manage stale devices in Azure AD
Perform bulk user updates
Manage guest accounts
What is guest user access in Azure Active Directory B2B?
Manage guest access with Azure AD access reviews
Quickstart: Add guest users to your directory in the Azure portal
Configure Azure AD Join
How to: Plan your Azure AD join implementation
— How To: Plan your hybrid Azure Active Directory join implementation
— Tutorial: Configure hybrid Azure Active Directory join for federated domains
— Tutorial: Configure hybrid Azure Active Directory join for managed domains
Configure self-service password reset
Plan an Azure Active Directory self-service password reset
How it works: Azure AD self-service password reset
Licensing requirements for Azure AD self-service password reset
Manage role-based access control (RBAC)
What is role-based access control (RBAC) for Azure resources?
Create a custom role
Tutorial: Create a custom role for Azure resources using Azure PowerShell
Tutorial: Create a custom role for Azure resources using Azure CLI
Add or remove role assignments using Azure RBAC and the Azure portal
List role assignments using Azure RBAC and the Azure portal
Understand deny assignments for Azure resources
Understand how multiple Azure Active Directory tenants interact
Manage subscriptions and governance
Overview of Management services in Azure
Configure Azure policies
What is Azure Policy?
Quickstart: Create a policy assignment to identify non-compliant resources
Tutorial: Create and manage policies to enforce compliance
— Configure resource locks
— Configure resource policies
Identify auditing requirements
Lock resources to prevent unexpected changes
— Understand best practices for minimizing Azure costs such as performing cost analysis, creating spending limits and quotas, and using tags to identify cost owners; use Azure reservations; use Azure Advisor recommendations
Manage resource groups
— Use Azure policies for resource groups
Implement and set tagging on resource groups
Move resources across resource groups
Remove resource groups
Manage Azure Resource Manager resource groups by using the Azure portal
Manage Azure resource groups by using Azure PowerShell
— Understand Azure subscriptions
Create an additional Azure subscription
Change your Azure subscription to a different offer
Configure cost center quotas and tagging
— Understand planning and management of costs
Azure Advisor – Cost recommendations
What is Azure Cost Management and Billing?
Quickstart: Explore and analyze costs with cost analysis
Create management groups for resource organization and management
Organize your resources with Azure management groups
Manage your resources with management groups

Implement and manage storage (15-20%)
Manage storage accounts
Introduction to Azure Storage
Locally redundant storage (LRS)
Zone-redundant storage (ZRS)
Geo-redundant storage (GRS)
Read-access geo-redundant storage (RA-GRS)
Geo-zone-redundant storage (GZRS)
Zone-redundant storage (ZRS): Highly available Azure Storage applications
Azure Storage redundancy
Azure Blobs: A massively scalable object store for text and binary data.
Azure Files: Managed file shares for cloud or on-premises deployments.
Azure Queues: A messaging store for reliable messaging between application components.
Azure Tables: A NoSQL store for schemaless storage of structured data.
Azure Files – highly available network file shares
Introduction to Azure Files
Create Azure file share
Deploy Azure File Sync
Configure Azure Storage firewalls and virtual networks
Storage account overview
Create an Azure Storage account
Upgrade to a general-purpose v2 storage account
— Create and configure storage accounts
— Configure network access to the storage account
— Understand Virtual Network Service Endpoints
— Configure Azure Storage firewalls and virtual networks
Create and configure storage account
Azure storage account overview
Generate shared access signature
— Install and use Azure Storage Explorer
Get started with Storage Explorer
Manage access keys (PowerShell) and manage via the Portal
Delegate access with a shared access signature
Using Shared Access Signatures (SAS)
Grant limited access to Azure Storage resources using shared access signatures (SAS)
Manage storage account access keys
Azure Storage redundancy
Authorize access to blobs and queues using Azure Active Directory
Manage data in Azure Storage
Use the Azure Import/Export service to export data from Azure Blob storage
Use the Azure Import/Export service to import data to Azure Blob Storage
Delete an import/export job
Import data to Azure Blobs
Export data from Azure Blobs
Import data to Azure Files
— Disks: Use Azure Backup to back up the VM disks used by your Azure virtual machines. Also consider using Azure Site Recovery to protect your VMs in the event of a regional disaster.
— Block blobs: Turn on soft delete to protect against object-level deletions and overwrites, or copy block blobs to another storage account in a different region using AzCopy, Azure PowerShell, or the Azure Data Movement library.
— Files: Use AzCopy or Azure PowerShell to copy your files to another storage account in a different region.
— Tables: Use AzCopy to export table data to another storage account in a different region.
What is Azure CLI
Get started with Azure CLI
Install the Azure CLI
Quickstart: Create and manage Azure file shares with the Azure portal
Create an Azure file share
Planning for an Azure File Sync deployment
Tutorial: Extend Windows file servers with Azure File Sync
Quickstart: Upload, download, and list blobs with the Azure portal
Azure Blob storage: hot, cool, and archive access tiers
Tutorial: Build a highly available application with Blob storage
Create an Azure Storage account
Implement Azure storage replication
Azure AD Connect Sync: Customizing Synchronization options
Integrating your on-premises identities with Azure Active Directory
Create Azure sync group
Troubleshoot Azure File Sync
Introduction to Storage Queues
Azure Table Storage Overview
Overview of Azure Table storage
Introduction to Azure managed disks
Azure Storage Service Encryption for Data at Rest
Service-Level Agreement (SLA) for Storage

Deploy and manage Azure Compute Resources (15-20%)
— Azure Advisor – Get started with Advisor
— Azure Advisor – High Availability recommendations
Azure Advisor – Security recommendations
Azure Advisor – Performance recommendations
Azure Advisor – Cost recommendations
Availability options for virtual machines in Azure
— Create and configure a VM for Windows in the portal
— Create and configure a VM for Windows with PowerShell
— Create a Windows virtual machine with the Azure CLI
Create and Manage Windows VMs with Azure PowerShell
Manage Azure disks with Azure PowerShell
Deploy applications to a Windows virtual machine in Azure with the Custom Script Extension
Create a custom image of an Azure VM with Azure PowerShell
Configure high availability
Deploy and configure scale sets
— Quickstart: Create a virtual machine scale set in the Azure portal
— Quickstart: Create a virtual machine scale set with Azure CLI
— Quickstart: Create a virtual machine scale set with Azure PowerShell
— Quickstart: Create a Windows virtual machine scale set with an Azure template
— Quickstart: Create a Linux virtual machine scale set with an Azure template
— Tutorial: Create and manage a virtual machine scale set with the Azure CLI
— Tutorial: Create and manage a virtual machine scale set with Azure PowerShell
— Tutorial: Create and use disks with virtual machine scale set with the Azure CLI
— Tutorial: Create and use disks with virtual machine scale set with Azure PowerShell
Automate deployment of VMs
— Tutorial: Automatically scale a virtual machine scale set with the Azure CLI
— Tutorial: Automatically scale a virtual machine scale set with Azure PowerShell
Manage the availability of Windows virtual machines in Azure
Configure multiple virtual machines in an availability set for redundancy
Use managed disks for VMs in an availability set
Use scheduled events to proactively respond to VM impacting events
Configure each application tier into separate availability sets
Combine a Load Balancer with availability sets
Use availability zones to protect from datacenter level failures
Modify Azure Resource Manager (ARM) template
Save a deployment as an ARM template
Extend Azure Resource Manager template functionality
Update a resource in an Azure Resource Manager template
Understand the structure and syntax of Azure Resource Manager templates
Azure Resource Manager templates overview
Tutorial: Create and deploy your first ARM template.
Understand the structure and syntax of ARM templates.
Quickstart: Create and deploy ARM templates by using the Azure portal
Start/Stop VMs during off-hours solution in Azure Automation
Prepare a Windows VHD or VHDX to upload to Azure
Deploy an Azure VM from a user VHD
Prepare and customize a master VHD image
Upload a Windows VM image to Azure for Resource Manager deployments
Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal
Download the template for a VM
— Use the Azure Custom Script Extension Version 2 with Linux virtual machines
Custom Script Extension for Windows
Deploy applications to a Windows virtual machine in Azure with the Custom Script Extension
— Tutorial: Create and use a custom image for virtual machine scale sets with the Azure CLI
— Tutorial: Create and use a custom image for virtual machine scale sets with Azure PowerShell
— Tutorial: Automatically scale a virtual machine scale set with an Azure template
Azure Disk Encryption for Linux VMs
Azure Disk Encryption for Windows VMs
Move a Windows VM to another Azure subscription or resource group
Windows VM sizes
Move resources to a new resource group or subscription
Attach a managed data disk to a Windows VM by using the Azure portal
Attach a data disk to a Windows VM with PowerShell
Using Managed Disks in Azure Resource Manager Templates 
Quickstart template for deploying multiple data disks
Manage Azure disks with Azure PowerShell
How to open ports to a virtual machine with the Azure portal
Create and manage a Windows virtual machine that has multiple NICs
Redeploy Windows virtual machine to new Azure node
Azure Kubernetes Service (AKS)
Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal
Kubernetes core concepts for AKS
— Intro Azure Kubernetes Service (AKS)
— AKS quickstart in the Azure portal or with the Azure CLI
Kubernetes role-based access control (RBAC)
Access and identity options for AKS
Integrate Azure Active Directory with AKS
Kubernetes master logs
Monitor Azure Kubernetes Service container health
What is Azure Container Instances?
Quickstart: Deploy a container instance in Azure using the Azure portal
Quickstart: Deploy a container instance in Azure using the Azure CLI
App Service overview
Azure App Service plan overview
Create an ASP.NET Core web app in Azure
Azure App Service plan overview
Manage an App Service plan in Azure
Azure VM replication between regions

Configure and manage virtual networking (30-35%)
Virtual network peering overview
Create and manage Azure virtual networks for Windows virtual machines with Azure PowerShell
Create connectivity between virtual networks
Create and configure VNET peering
Create and configure VNET to VNET
Verify virtual network connectivity
Create virtual network gateway
Implement and manage virtual networking
Virtual network traffic routing
Configure a Point-to-Site connection to a VNet using native Azure certificate authentication
Troubleshoot Azure point-to-site connection problems
Configure a VNet-to-VNet VPN gateway connection by using the Azure portal
Common PowerShell commands for Azure Virtual Networks
Configure a VPN gateway for transit in a virtual network peering
Virtual network peering permissions
User-defined routes overview
Hub-spoke network topology in Azure
— Configure virtual network-to-virtual network connections
Configure a VPN gateway for transit in a virtual network peering
Diagnose a virtual machine routing problem
Troubleshoot connections with Azure Network Watcher using the Azure portal
Troubleshoot virtual network peering issues
What are the constraints related to Global VNet Peering and Load Balancers?
— Create a Hub-spoke network topology in Azure.
Create, change, or delete a virtual network peering.
Azure Virtual Network frequently asked questions (FAQ) VNet Peering
Tutorial: Connect virtual networks with virtual network peering using the Azure portal
Create a virtual network peering – different deployment models, same subscription
Virtual network peering constraints and behaviors 
— Learn about all virtual network peering settings
— Learn how to create a hub and spoke network topology
What is Azure Virtual Network?
— Outbound connections in Azure – Outbound connections
— Outbound connections in Azure – Public IP addresses
— Outbound connections in Azure – Load Balancer
Virtual network service integration
Virtual network service endpoints overview
Point-to-site VPN
Site-to-site VPN
Network security groups 
Application security groups
Route tables
Azure VPN Gateway 
Quickstart: Create a virtual network using the Azure portal
Virtual network traffic routing
Networking limits
Create, change, or delete a virtual network
Create, change, or delete a public IP address
Add, change, or remove IP addresses for an Azure network interface
Associate a public IP address to a virtual machine
Subnet extension
Virtual network traffic routing
Add network interfaces to or remove network interfaces from virtual machines
What is Azure DNS?
What is Azure Private DNS?
Quickstart: Create an Azure DNS zone and record using the Azure portal
Azure DNS FAQ
Name resolution for resources in Azure virtual networks
Name resolution using your own DNS server
Use Azure DNS to provide custom domain settings for an Azure service
Tutorial: Host your domain in Azure DNS
Quickstart: Create an Azure private DNS zone using the Azure portal
Create, change, or delete a network security group
Create, change, or delete a network interface
Tutorial: Deploy and configure Azure Firewall using the Azure portal
Create an Azure Bastion host
Application Gateway configuration overview
Tutorial: Balance internal traffic load with a Basic load balancer in the Azure portal
Create an internal load balancer by using the Azure PowerShell module
Quickstart: Create a Load Balancer to load balance VMs using the Azure portal
Troubleshoot Azure Load Balancer
Diagnose on-premises connectivity via VPN gateways
Network Performance Monitor solution: Performance monitoring
What is Azure Network Watcher?
Troubleshoot Virtual Network Gateway and Connections using Azure Network Watcher Azure CLI
Troubleshoot connections with Azure Network Watcher using the Azure portal
Create a route-based VPN gateway using the Azure portal
Create a Site-to-Site connection in the Azure portal
ExpressRoute overview
Virtual Network Gateways for ExpressRoute
Configure Express Route
Create and modify an ExpressRoute circuit
Link a virtual network to an ExpressRoute circuit
About Azure Virtual WAN
Tutorial: Create a Site-to-Site connection using Azure Virtual WAN

Monitor and back up Azure resources (15-20%)
Metrics in Azure Monitor
Analyze log data in Azure Monitor
— Learn more about the Azure Monitor data platform.
— Learn about log data in Azure Monitor.
— Learn about the monitoring data available for different resources in Azure.
— Quickstart: Monitor an Azure resource with Azure Monitor
— Tutorial: Collect and analyze resource logs from an Azure resource
Monitoring Azure resources with Azure Monitor
Get started with Log Analytics in Azure Monitor
Get started with log queries in Azure Monitor
Overview of log queries in Azure Monitor
Create, view, and manage metric alerts using Azure Monitor
Metric alerts overview
Platform metrics
Custom metrics
Popular logs from Azure Monitor converted to metrics
Learn how to create, view, and manage metric alerts in Azure
Learn how to deploy metric alerts using Azure Resource Manager templates
Learn more about action groups
Learn more about Dynamic Thresholds condition type
Create Metric Alerts for Logs in Azure Monitor
— Metrics are available for a large list of Azure services
Performance counters for Windows & Linux machines
Heartbeat records for Agent Health
Update management records
Event data logs
— Learn about log alerts in Azure.
— Learn about alerts in Azure.
Manage Application Insights resources using PowerShell
Restore a disk and create a recovered VM
Restore files to a Virtual Machine in Azure
Back up a Windows Server to Azure
Recover files from Azure to a Windows Server
Back up an Azure VM
Back up Windows Server or Windows workstation
Back up DPM workloads to Azure
Prepare to back up workloads using Azure Backup Server
Manage Azure VM backups
Managing files and folders
Recover individual files from an Azure VM
Restore an Azure VM
Securing cloud backup data in Recovery Services vaults
Back up an IaaS VM
Back up an Azure Backup Server
Back up a Windows Server
Backup multiple Azure VMs
Azure Backup – Frequently asked questions – Recovery Services Vault
Azure Backup – Frequently asked questions – Azure VM Backup
Azure Backup – Frequently asked questions – Backup Azure Files
Azure Backup – FAQ – SQL Server databases that are running on an Azure VM backup
Recover files from Azure virtual machine backup
Back up and restore encrypted Azure VM
Restore Key Vault key and secret for encrypted VMs using Azure Backup
Create Recovery Services Vault
Configure and review backup reports
Perform backup operation
Create and configure backup policy
Restore a disk and create a recovered VM in Azure
Back up and restore Azure VMs with PowerShell
Back up a virtual machine in Azure with the CLI
Manage Azure VM backups with Azure Backup service
Restore files to a virtual machine in Azure
About Site Recovery
Azure Site Recovery
What is Site Recovery?
Replicate VMware virtual machines and Windows/Linux physical servers to Azure
Set up disaster recovery to a secondary Azure region for an Azure VM
Disaster recovery of on-premises VMware virtual machines or physical servers to a secondary site

The detailed information provided below is presented in general reference to the domain topics listed above, but it is more closely aligned to the former Azure Administrator role as outlined in the prior exam with the AZ-103 designation. As such, this additional information via the linked articles below may only be partially relevant with respect to the scope of information that you might need specifically for the AZ-104 exam and the new domain objectives. It is offered as additional reference and for the benefit of extended knowledge and review.

There are five main domains for the former AZ-103 exam:

  • Manage Azure subscriptions and resources (15-20%)
  • Implement and manage storage (15-20%)
  • Deploy and manage virtual machines (VMs) (15-20%)
  • Configure and manage virtual networks (30-35%)
  • Manage identities (15-20%)

Manage Azure subscriptions and resources (15-20%)
Azure subscription and service limits, quotas, and constraints
Sign up your organization to use Azure Active Directory
Assign administrator permissions
Administrator role permissions in Azure Active Directory
— Configure Azure subscription policies at Azure subscription level
— Overview of the Azure Policy service
— Analyze resource utilization and consumption
— Configure diagnostic settings on resources
— Create baseline for resources
Create and test alerts
— Analyze alerts across subscription – Overview of alerts in Microsoft Azure
— Analyze metrics across subscription – Metrics in Azure Monitor
Create action groups
Monitor for unused resources
Monitor your spend / Report on spend – Predict costs and optimize spending for Azure
Utilize Log Search query functions
View alerts in Log Analytics
— Manage role based access control (RBAC)
Configure access to Azure resources by assigning roles
Troubleshoot RBAC
Implement RBAC policies
Assign RBAC Roles

Implement and manage storage (15-20%)
— Monitor activity log by using Log Analytics
Analyze log data in Azure Monitor
Implement Azure storage replication
Azure AD Connect Sync: Customizing Synchronization options
Integrating your on-premises identities with Azure Active Directory
Create Azure sync group
Troubleshoot Azure File Sync
Introduction to Storage Queues
Azure Table Storage Overview
Overview of Azure Table storage
Introduction to Azure managed disks
Azure Storage Service Encryption for Data at Rest
Service-Level Agreement (SLA) for Storage
Azure Storage security guide
Import and export data to Azure
Create import / export job in Azure
— Use Azure Data Box
Configure Azure content delivery network (CDN) endpoints
Perform a restore operation
Manage anonymous read access to containers and blobs

Deploy and manage virtual machines (VMs) (15-20%)
Add network interfaces
PowerShell Desired State Configuration (DSC)
Create a basic DSC configuration
Use DSC for Linux
Move VMs from one resource group to another
Redeploy Windows virtual machine to new Azure node
Manage VM backups
What is Azure Backup
Implement Azure backup
Support matrix for Azure VM backup
Backup multiple Azure VMs
Azure Backup – Frequently asked questions – Recovery Services Vault
Azure Backup – Frequently asked questions – Azure VM Backup
Azure Backup – Frequently asked questions – Backup Azure Files
Azure Backup – FAQ – SQL Server databases that are running on an Azure VM backup
Recover files from Azure virtual machine backup
Back up and restore encrypted Azure VM
Quickstart – Create and encrypt a Linux VM with Azure CLI
Quickstart – Create and encrypt a Linux VM with Azure PowerShell
Azure Disk Encryption scenarios on Linux VMs
Azure Disk Encryption prerequisites CLI script
Azure Disk Encryption prerequisites PowerShell script
Creating and configuring a key vault for Azure Disk Encryption
Quickstart – Create and encrypt a Windows VM with Azure CLI
Quickstart – Create and encrypt a Windows VM with Azure PowerShell
Azure Disk Encryption scenarios on Windows VMs

Configure and manage virtual networks (30-35%)
Configure private and public IP addresses
Configure private IP addresses for a virtual machine using the Azure portal
Assign multiple IP addresses to a Windows VM
Configure network routes, network interface, subnets, and virtual network
Configure name resolution
Configure Azure DNS
Host your domain in Azure DNS
Create custom DNS records for a web app
Create private DNS zone and record
Create and configure a Network Security Group (NSG)
— Create, view all, view details of, change, and delete a security rule
Identify required ports
Evaluate effective security rules
Implement Azure load balancer
Configure internal load balancer
Configure load balancing rules
Configure public load balancer
Troubleshoot load balancing
Monitor and troubleshoot virtual networking
Monitor on-premises connectivity
Use Network resource monitoring
Use Network Watcher
Troubleshoot external networking
Troubleshoot virtual network connectivity
Integrate on premises network with Azure virtual network
Create and configure Azure VPN Gateway
Create and configure site to site VPN
About VPN Gateway configuration settings
Verify on premises connectivity, troubleshoot on premises connectivity with Azure
About zone-redundant gateways
About Virtual WAN
Add, change, or delete a virtual network subnet
— Tutorial: Create and manage a VPN gateway using PowerShell
Create and modify peering configuration
Configure route filters for Microsoft peering
Create a user-defined route table with routes and a network virtual appliance
Configure BGP for an Azure VPN Gateway
Use BGP with ExpressRoute
View all routes for a subnet
Determine the next hop type

Manage identities (15-20%)
Manage Azure Active Directory (AD)
Add custom domains
Azure Active Directory Domain Services
Features of Azure AD Domain Services
Understand how synchronization works in Azure AD Domain Services
Deploy Azure AD App Proxy
— AD DS Troubleshooting guide
— AD DS Troubleshooting alerts on your managed domain
— AD DS Frequently Asked Questions
Overview of Azure AD Domain Services
— Azure AD Domain Services and Features
— Azure AD Domain Services Deployment scenarios
Find out if Azure AD Domain Services suits your use-cases
Understand how Azure AD Domain Services synchronizes with your Azure AD directory
Azure AD Domain Services – Getting Started guide
Join a Windows Server virtual machine to an Azure AD Domain Services managed domain
Manage an Azure AD Domain Services domain
Group Policy Management Console
Add users to Azure AD
Assign licenses to users
Sign up for Azure AD Premium
Set expiration for user-created groups
Set naming policy for user-created groups
Create a dynamically populated group
Implement and manage hybrid identities
Install Azure AD Connect, including password hash and pass-through synchronization
— Use Azure AD Connect to configure federation with on-premises Active Directory Domain Services
— Manage password sync and password writeback
Manage your settings for two-step verification
Require MFA for the Azure portal
Enable self-service password reset on-premises integration
Integrate with Azure Identity Protection
Enable MFA by using bulk update
Configure fraud alerts
Configure bypass options
Configure Trusted IPs
Configure verification methods
Choose the right authentication method for your Azure Active Directory hybrid identity solution

The detailed information provided below is presented in general reference to the domain topics as they were listed prior for the former AZ-103 exam, but this additional information via the linked articles goes beyond the full scope of information that you might need specifically for the reworked AZ-104 exam as the domain topics have changed. It is offered as additional reference and for the benefit of extended knowledge and review.

Microsoft Azure glossary: A dictionary of cloud terminology on the Azure platform
— Microsoft Azure – All Products
Azure Active Directory Documentation (ALL)
Sign up for Azure Active Directory Premium editions
Add your custom domain name using the Azure Active Directory portal
Add branding to your organization’s Azure Active Directory sign-in page
Associate or add an Azure subscription to your Azure Active Directory tenant
What are virtual machine scale sets
Overview of autoscale with Azure virtual machine scale sets
Overview of autoscale in Microsoft Azure Virtual Machines, Cloud Services, and Web Apps
Automatically scale a virtual machine scale set in the Azure portal
Advanced autoscale configuration using Resource Manager templates for VM Scale Sets
How to configure auto scaling for a Cloud Service in the portal
Configure multiple virtual machines in an availability set for redundancy
Use managed disks for VMs in an availability set
Use scheduled events to proactively respond to VM impacting events
Configure each application tier into separate availability sets
Combine a Load Balancer with availability sets
Use availability zones to protect from datacenter level failures
Create a virtual machine
Create a Windows virtual machine in the Azure portal
Create a Windows virtual machine in Azure with PowerShell
Create a Windows virtual machine with the Azure CLI
Create a custom image of an Azure VM with Azure PowerShell
Create and deploy highly available virtual machines with Azure PowerShell
Create a virtual machine scale set and deploy a highly available app on Windows with Azure PowerShell
Load balance Windows virtual machines in Azure to create a highly available application with Azure PowerShell
Filter network traffic with a network security group.
Load balance Windows virtual machines in Azure to create a highly available application.
Azure Resource Manager overview
Security groups
Create and Manage Windows VMs with Azure PowerShell
Back up and restore files for Windows virtual machines in Azure
Monitor and update a Windows virtual machine in Azure
Use Azure Security Center to monitor Windows virtual machines
Maintenance for virtual machines in Azure
Add a Managed Disk using PowerShell
Create a zone redundant virtual machine scale set
Load balance VMs across zones using a Standard Load Balancer with a zone-redundant frontend
Load balance VMs within a zone using a Standard Load Balancer with a zonal frontend
Zone-redundant storage
SQL Database
Event Hubs geo-disaster recovery
Service Bus geo-disaster recovery
Create a zone-redundant virtual network gateway
VMware to Azure disaster recovery architecture
SLA for Virtual Machines
Load balance internet traffic to VMs
Load balance internal traffic to VMs
Load balance VMs across availability zones
Load balance VMs within a specific availability zone
Configure port forwarding in Load Balancer
Manage web traffic with an application gateway.
Restrict web traffic with a web application firewall on an application gateway.
Enable SSL termination on an application gateway.
Host multiple web sites using an application gateway.
Route traffic based on the URL in an application gateway.
Redirect traffic to specific servers in an application gateway pool.
— Create an application using .NET with Azure SQL DB or Node.js with MongoDB
Map an existing custom domain to your application
Bind an existing SSL certificate to your application
Add a CDN to your application
— Create and manage a scale set with the Azure CLI or Azure PowerShell
— Use data disks with the Azure CLI or Azure PowerShell
— Use a custom VM image with the Azure CLI or Azure PowerShell
— Deploy apps to a scale set with the Azure CLI or Azure PowerShell
— Autoscale a scale set with the Azure CLI or Azure PowerShell
Azure Application Architecture Guide
Create a function that integrates with Azure Logic Apps
Create a serverless API using Azure Functions
Create an OpenAPI definition for a function
Automate resizing uploaded images using Event Grid
Create a serverless web app to store pictures with metadata
Filter network traffic
Route network traffic
Restrict network access to resources
Connect virtual networks
Deploy your site to Azure
Scale with Azure Load Balancer
Reduce latency with Azure Traffic Manager
Azure Service Health Dashboard
Designing resilient applications for Azure: An overview of the key concepts for architecting highly available applications in Azure.
Availability checklist: A checklist for verifying that your application implements the best design practices for high availability.
Designing highly available applications using RA-GRS: Design guidance for building applications to take advantage of RA-GRS.
— What is VPN Gateway
— About VPN Gateway configuration settings
Virtual Network Gateways for ExpressRoute.
About zone-redundant gateways.
About Virtual WAN
VPN Gateway FAQ
— Azure Content Delivery Network – Dynamic site acceleration
— Azure Content Delivery Network – CDN caching rules
— Azure Content Delivery Network – HTTPS custom domain support
— Azure Content Delivery Network – Azure diagnostics logs
— Azure Content Delivery Network – File compression
— Azure Content Delivery Network – Geo-filtering
Compare Azure CDN product features
Azure Event Grid to enable your business to react quickly to critical events in a reliable, scalable, and secure manner.
Azure Logic Apps to automate business processes.
Azure Machine Learning to add machine learning and AI models to your solution.
Azure Stream Analytics to run real-time analytic computations on the data streaming from your devices.
Azure Functions Premium plan for enterprise serverless workloads
— Azure Functions – Create a function that integrates with Azure Logic App
— Azure Functions – Create a serverless API using Azure Functions
— Azure Functions – Create an OpenAPI definition for a function
— Azure Functions – Automate resizing uploaded images using Event Grid
— Azure Functions – Create a serverless web app to store pictures with metadata
Optimize the performance and reliability of Azure Functions
Check traffic with a schedule-based logic app
Manage mailing list requests with a logic app
Process emails and attachments with a logic app
Monitor changes to VMs with logic apps
Resize uploaded images
Integrating Azure Automation with Event Grid
Tutorial: Deploy and configure Azure Firewall using the Azure portal
Deploy Azure Firewall using a template
Create an Azure Firewall test environment
Azure boundary security best practices
Azure database security best practices
Azure data security and encryption best practices
Azure identity management and access control security best practices
Azure network security best practices
Azure operational security best practices
Azure PaaS Best Practices
Azure Service Fabric security best practices
Best practices for Azure VM security
Implementing a secure hybrid network architecture in Azure
Internet of Things security best practices
Securing PaaS databases in Azure
Securing PaaS web and mobile applications using Azure App Service
Securing PaaS web and mobile applications using Azure Storage
Security best practices for IaaS workloads in Azure
Security groups
Azure network security overview
Azure identity management security overview
Azure Active Directory Premium
Security principals
Overview of single sign-on
What is application access and single sign-on with Azure Active Directory?
Integrate Azure Active Directory single sign-on with SaaS apps
Enabling Azure AD Application Proxy
Publish applications using Azure AD Application Proxy
Single sign-on with Application Proxy
Working with conditional access
Multi-Factor Authentication
What is Azure Multi-Factor Authentication?
Built-in roles for Azure resources
View your access and usage reports
Get started with Azure Active Directory reporting
Azure Active Directory reporting guide
What is Azure Active Directory B2C?
Azure Active Directory B2C preview: Sign up and sign in consumers in your applications
Azure Active Directory B2C Preview: Types of applications
Get started with Azure AD device registration
Automatic device registration with Azure AD for Windows domain-joined devices
Set up automatic registration of Windows domain-joined devices with Azure AD
What is Azure AD Privileged Identity Management?
Assign Azure AD directory roles in PIM
Azure AD Identity Protection
Channel 9: Azure AD and Identity Show: Identity Protection Preview
Hybrid identity white paper
Azure AD team blog
Azure AD access reviews
Manage user access with Azure AD access reviews
Tutorial: Authenticate and authorize users end-to-end in Azure App Service (Windows)
Tutorial: Authenticate and authorize users end-to-end in Azure App Service for Linux
How to configure your app to use Azure Active Directory login
How to configure your app to use Facebook login
How to configure your app to use Google login
How to configure your app to use Microsoft Account login
How to configure your app to use Twitter login
— What is Azure Active Directory
Edit the Azure Information Protection policy and create a new label
Configure Azure Information Protection policy settings that work together
Azure ATP frequently asked questions
Working with security alerts
Azure ATP Architecture
Azure ATP prerequisites
Azure ATP sizing tool
Azure ATP capacity planning
Configure event forwarding
Configuring Windows event forwarding
Install Azure ATP
Azure ATP Prerequisites
What’s new in Azure ATP
Plan capacity for Azure ATP
— Azure ATP Reconnaissance alerts
What are Azure Reservations
Locally redundant storage (LRS): Low-cost data redundancy for Azure Storage
Zone-redundant storage (ZRS): Highly available Azure Storage applications
Geo-redundant storage (GRS): Cross-regional replication for Azure Storage
Azure Storage scalability and performance targets
Designing highly available applications using RA-GRS Storage
Microsoft Azure Storage redundancy options and read access geo redundant storage
SOSP Paper – Azure Storage: A highly available cloud storage service with strong consistency
Authenticate access to Azure blobs and queues using Azure Active Directory
Overview of Azure Active Directory authorization over SMB for Azure Files (preview)
Authorize Storage access with Shared Key
Configure a DSC pull server
Configure an alias record to refer to an Azure Public IP address
Configure an alias record to support apex domain names with Traffic Manager
Configure an alias record for zone records
Azure Network Security Groups (NSG) – Best Practices and Lessons Learned
— Tutorial: Balance internal traffic load with a Basic load balancer in the Azure portal
Azure Standard Load Balancer overview
Azure Policy
Azure Role Based Access Controls

Jason Zandri
BUSINESS PROGRAM MANAGER
AZURE TECHNICAL TRAINER      

https://www.linkedin.com/company/microsoft
https://www.linkedin.com/in/jasonzandri/

Azure Certification Question of the Day (QOTD) – AZ-500 Q002

The Zero Trust model states to never assume trust but instead to validate trust continually.

Trust determination components include (choose the four correct answers)

A) Authentication Tokens
B) Identity Provider
C) Device Directory
D) Policy Evaluation Service
E) Access Proxy
F) Access Services

Exam AZ-103 Microsoft Azure Administrator has been updated to AZ-104

Azure Administrators are the individuals responsible for implementing, monitoring, and maintaining Microsoft Azure solutions, including major services related to compute, storage, network, and security for businesses and corporations.

Microsoft has created the Certified Azure Administrator Associate certification to verify the skills of these administrators and assign the credential to those that meet or exceed the measured criteria.

When this exam was first released, it was a two-part exam, consisting of:

Exam AZ-100: Microsoft Azure Infrastructure and Deployment

Exam AZ-101: Microsoft Azure Integration and Security


Both of these exams formally retired on May 1, 2019.

Exam AZ-102: Microsoft Azure Administrator Certification Transition – this exam was offered in the same time period as the AZ-100 and AZ-101. It was intended only for candidates that had taken Exam 70-533: Implementing Microsoft Azure Infrastructure Solutions.

If learners had not taken Exam 533, they were not granted the certification by taking the AZ-102 exam.

While it was released, the transition exam was intended for people who had already demonstrated skills with respect to all the domain content. Basically, this exam covered the delta content between the 70-533 certification and what was covered under AZ-102.

All of the transition exams that Microsoft released over that time period (as there were titles available under other technology branches) covered net new content that wasn’t covered in enough depth prior, and content on aspects of the technology that had changed between the releases.

AZ-102 was formally retired June 30, 2019.

Just ahead of the June 30, 2019 retirement date for AZ-102, at the time when AZ-100 and AZ-101 retired on May 1, 2019, Exam AZ-103: Microsoft Azure Administrator was released. That new exam combines the skills covered in AZ-100 and AZ-101, with the majority of the new exam coming from AZ-100.

There was no prerequisite to pass 70-533 and there was only the one exam.

The domain topics for AZ-103 were:

Manage Azure subscriptions and resources (15-20%)
Implement and manage storage (15-20%)
Deploy and manage virtual machines (VMs) (15-20%)
Configure and manage virtual networks (30-35%)
Manage identities (15-20%)

AZ-103 is now being replaced with Exam AZ-104: Microsoft Azure Administrator – it is now available (as of April 2, 2020).

AZ-104 has some changes to the domain topics as follows:

Manage Azure identities and governance (15-20%)
Implement and manage storage (10-15%)
Deploy and manage Azure compute resources (25-30%)
Configure and manage virtual networking (30-35%)
Monitor and back up Azure resources (10-15%)

AZ-103 is still available to test under as it is not expected to retire until August 31, 2020 (planned, at the time of this writing).

I have my Exam AZ-103: Microsoft Azure Administrator Study Guide available online right now and I am working to update it to the new domain topics for AZ-104.

Stay tuned…

Azure Certification Question of the Day (QOTD) – AZ-103 003 – ANSWERED

You are the Azure Cloud Consultant for your organization, and you have been tasked with configuring VNet Peering.

You need to review the corporate needs to have the desired connectivity across all Azure public regions, keeping all your traffic on the Microsoft Backbone.

Which of the following statements below is TRUE regarding Global VNet Peering? (Choose three)

A) You can peer across VNets only in Azure public regions with non-overlapping address spaces.
B) You can peer across VNets in any Azure public regions regardless of any overlapping address spaces.
C) You can globally peer within a given subscription.
D) You can globally peer across subscriptions.
E) You can peer virtual networks in the same region, or different regions.
F) You can peer virtual networks only in the same region.
G) You can peer virtual networks only in different regions.


Correct answer:

A, D, and E

You can configure peering of your VNets in any Azure public regions with non-overlapping address spaces, across deployment models, as well as across subscriptions, whether the virtual networks are in the same region or in different regions.

https://azure.microsoft.com/en-us/blog/global-vnet-peering-now-generally-available/

https://docs.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

Azure Certification Question of the Day (QOTD) – AZ-103 003

You are the Azure Cloud Consultant for your organization, and you have been tasked with configuring VNet Peering.

You need to review the corporate needs to have the desired connectivity across all Azure public regions, keeping all your traffic on the Microsoft Backbone.

Which of the following statements below is TRUE regarding Global VNet Peering? (Choose three)

A) You can peer across VNets only in Azure public regions with non-overlapping address spaces.
B) You can peer across VNets in any Azure public regions regardless of any overlapping address spaces.
C) You can globally peer within a given subscription.
D) You can globally peer across subscriptions.
E) You can peer virtual networks in the same region, or different regions.
F) You can peer virtual networks only in the same region.
G) You can peer virtual networks only in different regions.

And here is the updated blog post with the answer – Azure Certification Question of the Day (QOTD) – AZ-103 003 – ANSWERED

Pluralsight offers free training for all of April 2020

Stay home. Skill up. #FREEAPRIL

Pluralsight is calling all learners to “Build in-demand tech skills without leaving your house. Get free access to 7,000+ expert-led video courses and more all month long.”

They have kicked off their campaign in the midst of the COVID-19 pandemic and are offering full access to all of their courses free of charge through April 30th.

“HOW #FREEAPRIL WORKS – Times are tough right now. To help you be productive, make progress toward your goals or build skills toward a new career, we’re making all 7,000+ expert-led video courses completely free for the month of April.”

Check it out for yourself

An Important Update on Microsoft Training and Certification

There are some important updates that have been released regarding Microsoft Training and Certification in response to the coronavirus (COVID-19).

These updates are how Microsoft, together with the partner training ecosystem, is adapting to the current environment to ensure that all of you can continue to learn and get certified on Microsoft technologies, while staying safe.  

Updates include details of testing center closings and online proctoring capacity increasing to meet that demand.

Normal reschedule rules are being relaxed and cancellation fees are being waived for the time being.

Probably the biggest announcement is the delay in the retirement dates of the MCSA, MCSD, and MCSE certifications and related exams.

As we’re all aware from prior messaging, the Microsoft Certified Solutions Architect (MCSA), Microsoft Certified Solutions Developer (MCSD), and Microsoft Certified Solutions Expert (MCSE) certification(s) were slated to be retired on June 30th of this year (2020).

Because of all the uncertainty in the current environment and the impact of all of that on the learners and their ability to finish their certification training and testing before the original retirement date, Microsoft has pushed out the retirement date for these specific certifications to January 31, 2021.

Changes have also been made to the expiring role-based certifications. If you have a role-based certification that is expiring between now and December 31, 2020, Microsoft is extending the certification and that expiration date by six months. Microsoft has indicated as an example, “if your certification is set to expire September 30, 2020, it will now expire on March 30, 2021.”

Certification expiration dates will be automatically updated. You will be able to view your updated expiration date in your certification dashboard within the next 30 days or so (the date of this post is basically the end of March 2020, so “by April 30, 2020”).

They also identified that if you have a Pearson VUE delivered certification exam voucher or discount offer that is expiring between March 26 and August 31, 2020, it will be extended until January 31, 2021. 

Read the full details on all of these changes at the Microsoft Learning Blog.

Azure Certification Question of the Day (QOTD) – AZ-500 Q001 – ANSWERED

To use Azure Active Directory (Azure AD) Privileged Identity Management (PIM), your directory must have a valid license.

Which licenses will you require? (Make three selections – each answer is a complete solution).

A) Azure AD Premium P1
B) Azure AD Premium P2
C) Enterprise Mobility + Security (EMS) E3
D) Enterprise Mobility + Security (EMS) E5
E) Microsoft 365 F1
F) Microsoft 365 M3
G) Microsoft 365 M5

CORRECT ANSWERS:
B) Azure AD Premium P2
D) Enterprise Mobility + Security (EMS) E5
G) Microsoft 365 M5

Licensing requirements

To use Privileged Identity Management, your directory must have one of the following paid or trial licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 M5

Deploy Azure AD Privileged Identity Management (PIM)

License requirements to use Privileged Identity Management

Azure Certification Question of the Day (QOTD) – AZ-103 002 – ANSWERED

Your enterprise environment is presently using Active Directory Domain Services (AD DS).

You have been tasked with configuring directory synchronization with your Office 365 E5 subscription.

You need to set up support for Single Sign-on (SSO) and you want to confirm that all of the domain user names in use meet the formatting standard and will not cause any issues with the synchronization.

What should you do? (Choose the best option)

A) Make changes to the default configuration of Azure Active Directory (Azure AD) Connect sync
B) Confirm the synchronization settings in the Synchronization Rules Editor
C) Run Azure AD Connect sync with the defaults
D) Run the IdFix tool
E) Run the Synchronization Rules Editor and create a custom rule

Correct answer: D

The correct answer is (D) Run the Office 365 IdFix tool – the tool is used to search for problems in your directory and then fix the errors in the GUI.

Common errors detected by IdFix include illegal characters, duplicate entries or values, format violations, and length limitations, to name a few.

While you can make changes to the default configuration in Azure Active Directory (Azure AD) Connect sync and / or run Azure AD Connect sync with the default settings, neither of these options would address formatting exceptions in the user names that may cause issues with the synchronization.

The Synchronization Rules Editor is used to see and change the default configuration. It is configured with the default rules, and you can add custom changes to the rules, such as flow, precedence, scoping, and so on, but this will not address formatting exceptions that may cause issues with the synchronization.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-service-manager-ui

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis