The document is the second edition of the Exam Ref AZ-104 Microsoft Azure Administrator, authored by Charles Pluta, published by Pearson Education. It covers various topics essential for Azure administration, including identity management, storage implementation, compute resource management, virtual networking, and resource monitoring. Additionally, it provides exam updates, preparation guidance, and information on Microsoft certifications.

Exam Ref AZ-104

Microsoft Azure
Administrator
Second Edition

Charles Pluta
Exam Ref AZ-104 Microsoft Azure Administrator, Second Edition

Published with the authorization of Microsoft Corporation by: Pearson Education, Inc.

Copyright © 2025 by Pearson Education, Inc.
Hoboken, New Jersey

All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions.

No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-13-834593-8
ISBN-10: 0-13-834593-7

Library of Congress Control Number: 2024935895

TRADEMARKS

Microsoft and the trademarks listed at http://www.microsoft.com on the “Trademarks” webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

WARNING AND DISCLAIMER

Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author, the publisher, and Microsoft Corporation shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the programs accompanying it.

SPECIAL SALES

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact intlcs@pearson.com.

CREDITS

EDITOR-IN-CHIEF Brett Bartow
EXECUTIVE EDITOR Loretta Yates
ASSOCIATE EDITOR Shourav Bose
DEVELOPMENT EDITOR Songlin Qiu
MANAGING EDITOR Sandra Schroeder
SENIOR PROJECT EDITOR Tracey Croom
COPY EDITOR Brie Gyncild
INDEXER Timothy Wright
PROOFREADER Charlotte Kughen
TECHNICAL EDITOR Jim Cheshire
EDITORIAL ASSISTANT Cindy Teeters
COVER DESIGNER Twist Creative, Seattle
COMPOSITOR codeMantra
GRAPHICS codeMantra
Contents at a glance

Acknowledgments x
About the author x
Introduction xi

CHAPTER 1 Manage Azure identities and governance 1


CHAPTER 2 Implement and manage storage 65
CHAPTER 3 Deploy and manage Azure compute resources 123
CHAPTER 4 Configure and manage virtual networking 215
CHAPTER 5 Monitor and back up Azure resources 291
CHAPTER 6 Exam Ref AZ-104 Microsoft Azure Administrator exam updates 357

Index 362
Contents

Introduction xi
Organization of this book xi
Preparing for the exam xi
Microsoft certifications xii
Access the exam updates chapter and online references xii
Errata, updates & book support xiii
Stay in touch xiii

Chapter 1 Manage Azure identities and governance 1


Skill 1.1: Manage Microsoft Entra users and groups. . . . . . . . . . . . . . . . . . . . . . . . 2
Create users and groups 3
Manage user and group properties 6
Manage licenses in Microsoft Entra ID 10
Manage external users 10
Configure Microsoft Entra Join 12
Configure self-service password reset 14

Skill 1.2: Manage access to Azure resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16


Understand how RBAC works 16
Create a custom role 20
Interpret access assignments 25
Manage multiple directories 28

Skill 1.3: Manage Azure subscriptions and governance. . . . . . . . . . . . . . . . . . . 29


Configure Azure policies 31
Configure resource locks 38
Apply and manage tags on resources 40
Manage resource groups 41
Manage Azure subscriptions 48
Configure management groups 50
Configure cost management 53

Chapter summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Thought experiment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Chapter 2 Implement and manage storage 65


Skill 2.1: Configure access to storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Create and configure storage accounts 66
Configure Azure Storage firewalls and virtual networks 74
Create and use shared access signature (SAS) tokens 78
Configure stored access policies 81
Manage access keys 83
Configure identity-based access 84

Skill 2.2: Configure and manage storage accounts. . . . . . . . . . . . . . . . . . . . . . . 89


Configure Azure storage redundancy 89
Configure object replication 91
Configure storage account encryption 95
Manage data using Azure Storage Explorer 95
Manage data by using AzCopy 99

Skill 2.3: Configure Azure Files and Azure Blob Storage. . . . . . . . . . . . . . . . . 101
Create and configure a file share in Azure Storage 102
Configure Azure Blob Storage 106
Configure storage tiers 110
Configure soft delete, versioning, and snapshots 113
Configure blob lifecycle management 117

Chapter summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Thought experiment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Chapter 3 Deploy and manage Azure compute resources 123


Skill 3.1: Automate deployment of resources . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Interpret an Azure Resource Manager template 124
Modify an existing ARM template 131
Deploy resources from a template 133

Export a deployment template 137
Interpret and modify a Bicep file 140

Skill 3.2: Create and configure virtual machines . . . . . . . . . . . . . . . . . . . . . . . . 142


Create a virtual machine 143
Configure Azure Disk Encryption 150
Move VMs from one resource group or subscription to another 153
Manage VM sizes 156
Manage VM disks 158
Deploy VMs to availability sets and zones 159
Deploy and configure Virtual Machine Scale Sets 163

Skill 3.3: Provision and manage containers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168


Create and manage an Azure Container Registry 169
Provision a container using Azure Container Instances 174
Provision a container using Azure Container Apps 178
Manage sizing and scaling for containers 186

Skill 3.4: Create and configure Azure App Service. . . . . . . . . . . . . . . . . . . . . . . 189


Provision an App Service plan 190
Configure scaling for an App Service plan 192
Create an App Service 193
Map an existing custom DNS name to an App Service 196
Configure certificates and TLS for an App Service 199
Configure backup for an App Service 204
Configure networking settings for an App Service 205
Configure deployment slots for an App Service 210

Chapter summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Thought experiment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Chapter 4 Configure and manage virtual networking 215


Skill 4.1: Configure and manage virtual networks in Azure. . . . . . . . . . . . . . . 215
Create and configure virtual networks and subnets 216
Create and configure virtual network peering 222
Configure public IP addresses 227

Configure user-defined network routes 231
Troubleshoot network connectivity 239

Skill 4.2: Configure secure access to virtual networks . . . . . . . . . . . . . . . . . . 242


Create and configure network security groups and application security groups 242
Evaluate effective security rules 253
Deploy and configure Azure Bastion Service 255
Configure service endpoints for Azure services 258
Configure private endpoints for Azure services 259

Skill 4.3: Configure name resolution and load balancing. . . . . . . . . . . . . . . 262


Configure Azure DNS 263
Configure load balancing 277
Troubleshoot load balancing 286

Chapter summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Thought experiment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

Chapter 5 Monitor and back up Azure resources 291


Skill 5.1: Monitor resources in Azure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Interpret metrics in Azure Monitor 294
Configure log settings in Azure Monitor 299
Query and analyze logs in Azure Monitor 307
Set up alert rules, action groups, and alert processing rules in Azure Monitor 311
Configure Application Insights 321
Configure and interpret monitoring of VMs, storage accounts, and networks using Azure Monitor Insights 323
Use Azure Network Watcher and Connection Monitor 327

Skill 5.2: Implement backup and recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331


Create and manage a Recovery Services vault 332
Configure Azure Site Recovery 335
Create an Azure Backup vault 344
Create and configure backup policy 348
Configure and review backup reports 351

Chapter summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Thought experiment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

Chapter 6 Exam Ref AZ-104 Microsoft Azure Administrator exam updates 357
The purpose of this chapter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
About possible exam updates 358
Impact on you and your study plan 358

News and commentary about the exam objective updates. . . . . . . . . . . . . 358

Updated technical content. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Objective mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Index 362

Acknowledgments
I would like to acknowledge my wife, Jennifer, who has supported the unusual hours for
projects such as this for over a decade now. I would also like to acknowledge my best friends
and colleagues who allow me to bounce ideas off them, provide guidance to them, and share
laughs with them: Elias Mereb, Joshua Waddell, Ed Gale, and Aaron Lines. Finally, I have to
thank my manager, Julia Nathan, who has been an exemplary coach and role model and
continues to support my work on projects such as this book.

About the Author

CHARLES PLUTA is a technical consultant and Microsoft Certified Trainer (MCT) who has authored several certification exams, lab guides, and learner guides for various technology vendors. As a technical consultant, Charles has assisted small, medium, and large organizations by deploying and maintaining their IT infrastructure. He is also a speaker, a staff member, or a trainer at several large annual industry conferences. Charles has a degree in Computer Networking, and holds over 15 industry certifications. He makes a point to leave the United States to travel to a different country every year. When not working or traveling, he plays pool in Augusta, Georgia.

Introduction

Some books take a very low-level approach, teaching you how to use individual classes and accomplish fine-grained tasks. Like the Microsoft AZ-104 certification exam, this book takes a high-level approach, building on your foundational knowledge of Microsoft Azure and common administrative actions to take in an Azure environment. We provide walk-throughs using the Azure portal; however, the exam might also include questions that use PowerShell or the Azure Command Line Interface (CLI) to perform the same task. You might encounter questions on the exam focused on these additional areas that are not specifically included in this Exam Ref.
This book covers every major topic area found on the exam, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the “Need more review?” links you’ll find in the text to find more information and take the time to research and study the topic.

Organization of this book


This book is organized by the “Skills measured” list published for the exam. The “Skills
measured” list is available for each exam on the Microsoft Learn website: microsoft.com/learn.
Each chapter in this book corresponds to a major topic area in the list, and the technical tasks
in each topic area determine a chapter’s organization. If an exam covers six major topic areas,
for example, the book will contain six chapters.

Preparing for the exam


Microsoft certification exams are a great way to build your resume and let the world know
about your level of expertise. Certification exams validate your on-the-job experience and
product knowledge. Although there is no substitute for on-the-job experience, preparation
through study and hands-on practice can help you prepare for the exam. This book is not
designed to teach you new skills.
We recommend that you augment your exam preparation plan by using a combination of
available study materials and courses. For example, you might use the Exam Ref and another
study guide for your at-home preparation and take a Microsoft Official Curriculum course for
the classroom experience. Choose the combination that you think works best for you. Learn
more about available classroom training, online courses, and live events at microsoft.com/learn.

Note that this Exam Ref is based on publicly available information about the exam and the
author’s experience. To safeguard the integrity of the exam, authors do not have access to the
live exam.

Microsoft certifications
Microsoft certifications distinguish you by proving your command of a broad set of skills and
experience with current Microsoft products and technologies. The exams and corresponding
certifications are developed to validate your mastery of critical competencies as you design
and develop, or implement and support, solutions with Microsoft products and technologies
both on-premises and in the cloud. Certification brings a variety of benefits to the individual
and to employers and organizations.

MORE INFO ALL MICROSOFT CERTIFICATIONS


For information about Microsoft certifications, including a full list of available certifications,
go to microsoft.com/learn.

Access the exam updates chapter and online references


The final chapter of this book, “AZ-104 Azure Administrator exam updates,” will be used to
provide information about new content per new exam topics, content that has been removed
from the exam objectives, and revised mapping of exam objectives to chapter content. The
chapter will be made available from the link at the end of this section as exam updates are
released.
Throughout this book are addresses to webpages that the author has recommended you visit for more information. We’ve compiled them into a single list that readers of the print edition can refer to while they read.
The URLs are organized by chapter and heading. Every time you come across a URL in the book, find the hyperlink in the list to go directly to the webpage.
Download the exam updates chapter and the URL list at MicrosoftPressStore.com/ERAZ1042e/downloads.

Errata, updates & book support
We’ve made every effort to ensure the accuracy of this book and its companion content.
You can access updates to this book—in the form of a list of submitted errata and their related
corrections—at

MicrosoftPressStore.com/ERAZ1042e/errata

If you discover an error that is not already listed, please submit it to us at the same page.
For additional book support and information, please visit MicrosoftPressStore.com/Support.
Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to support.microsoft.com.

Stay in touch
Let's keep the conversation going! We're on X/Twitter: twitter.com/MicrosoftPress.

CHAPTER 2

Implement and manage storage
Implementing and managing storage is one of the most important aspects of building or
deploying a new solution using Azure. There are several services and features available for
use, and each has its own place. Azure Storage is the underlying storage for most of the
services in Azure. It provides service for the storage and retrieval of blobs and files, and it has
services that are available for storing large volumes of data through tables. Azure Storage
includes a fast and reliable messaging service for application developers with queues. This
chapter reviews how to implement and manage storage with an emphasis on Azure storage
accounts.

Skills covered in this chapter:


■■ Skill 2.1: Configure access to storage
■■ Skill 2.2: Configure and manage storage accounts
■■ Skill 2.3: Configure Azure Files and Azure Blob Storage

NOTE MICROSOFT EXAM OBJECTIVES

The sections in this chapter align with the objectives that are listed in the AZ-104 study guide from Microsoft. However, the sections are presented in an order that is designed to help you learn and do not directly match the order that is presented in the study guide. On the exam, questions will appear from different sections in a random order. For the full list of objectives, visit https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104.

Skill 2.1: Configure access to storage


An Azure storage account is a resource that you create that is used to store data objects such
as blobs, files, queues, tables, and disks. Data in an Azure storage account is durable and
highly available, secure, massively scalable, and accessible from anywhere in the world over
HTTP or HTTPS.

This skill covers how to:
■■ Create and configure storage accounts
■■ Configure Azure Storage firewalls and virtual networks
■■ Create and use shared access signature (SAS) tokens
■■ Configure stored access policies
■■ Manage access keys
■■ Configure identity-based access

Create and configure storage accounts


Azure storage accounts provide a cloud-based storage service that is highly scalable, available,
performant, and durable. Within each storage account, a number of separate storage services
are provided:
■■ Blobs Provides a highly scalable service for storing arbitrary data objects such as text
or binary data.
■■ Tables Provides a NoSQL-style store for storing structured data. Unlike a relational
database, tables in Azure Storage do not require a fixed schema, so different entries in
the same table can have different fields.
■■ Queues Provides reliable message queueing between application components.
■■ Files Provides managed file shares that can be used by Azure VMs or on-premises servers.
■■ Disks Provides a persistent storage volume for Azure VM that can be attached as a
virtual hard disk.
There are three types of storage blobs: block blobs, append blobs, and page blobs. Page
blobs are generally used to store VHD files when deploying unmanaged disks. (Unmanaged
disks are an older disk storage technology for Azure virtual machines. Managed disks are
recommended for new deployments.)
When creating a storage account, there are several options that must be set: Performance
Tier, Account Kind, Replication Option, and Access Tier. There are some interactions between
these settings. For example, only the Standard performance tier allows you to choose the
access tier. The following sections describe each of these settings. We then describe how to
create storage accounts using the Azure portal, PowerShell, and Azure CLI.

Storage account names


When you name an Azure storage account, you need to remember these points:
■■ The storage account name must be globally unique across all existing storage account
names in Azure.
■■ The name must be between 3 and 24 characters and can contain only lowercase letters
and numbers.



Performance tiers
When creating a storage account, you must choose between the Standard and Premium
performance tiers. This setting cannot be changed later.
■■ Standard This tier supports all storage services: blobs, tables, files, queues, and
unmanaged Azure virtual machine disks. It uses magnetic disks to provide cost-efficient
and reliable storage.
■■ Premium This tier is designed to support workloads with greater demands on I/O and
is backed by high-performance SSD disks. Premium storage accounts support block
blobs, page blobs, and file shares.

Account types
There are three possible storage account types for the Standard tier: StorageV2 (General-
Purpose V2), Storage (General-Purpose V1), and BlobStorage. There are four possible storage
account types for the Premium tier: StorageV2 (General-Purpose V2), Storage (General-
Purpose V1), BlockBlobStorage, and FileStorage. Table 2-1 shows the features for each kind of
account. Key points to remember are
■■ The Blob Storage account is a specialized storage account used to store Block Blobs and
Append Blobs. You can’t store Page Blobs in these accounts; therefore, you can’t use
them for unmanaged disks.
■■ Only General-Purpose V2 and Blob Storage accounts support the Hot, Cool, and Archive
access tiers.
General-Purpose V1 and Blob Storage accounts can both be upgraded to a General-Purpose
V2 account. This operation is irreversible. No other changes to the account kind are supported.

NOTE LEGACY STORAGE ACCOUNT TYPES

Standard General-Purpose V1 and standard Blob Storage accounts are considered legacy storage accounts, and they can be deployed but are not recommended by Microsoft. You can find more information about legacy storage account types at https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview#legacy-storage-account-types.

TABLE 2-1 Storage account types and their supported features

General-Purpose V2
  Services supported: Blob, File, Queue, Table
  Unmanaged Disk (Page Blob) support: Yes
  Supported Performance Tiers: Standard, Premium
  Supported Access Tiers: Hot, Cool, Archive
  Replication Options: LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS

General-Purpose V1
  Services supported: Blob, File, Queue, Table
  Unmanaged Disk (Page Blob) support: Yes
  Supported Performance Tiers: Standard, Premium
  Supported Access Tiers: N/A
  Replication Options: LRS, GRS, RA-GRS

Blob Storage
  Services supported: Blob (Block Blobs and Append Blobs only)
  Unmanaged Disk (Page Blob) support: No
  Supported Performance Tiers: Standard
  Supported Access Tiers: Hot, Cool, Archive
  Replication Options: LRS, GRS, RA-GRS

Block Blob Storage
  Services supported: Blob (Block Blobs and Append Blobs only)
  Unmanaged Disk (Page Blob) support: No
  Supported Performance Tiers: Premium
  Supported Access Tiers: N/A
  Replication Options: LRS, ZRS

File Storage
  Services supported: File only
  Unmanaged Disk (Page Blob) support: No
  Supported Performance Tiers: Premium
  Supported Access Tiers: N/A
  Replication Options: LRS, ZRS

Replication options
When you create a storage account, you can also specify how your data will be replicated for
redundancy and resistance to failure. There are four options, as described in Table 2-2.

TABLE 2-2 Storage account replication options

Locally redundant storage (LRS): Makes three synchronous copies of your data within a single datacenter. Available for General-Purpose or Blob Storage accounts, at both the Standard and Premium Performance tiers.

Zone redundant storage (ZRS): Makes three synchronous copies to three separate availability zones within a single region. Available for General-Purpose V2 storage accounts only, at the Standard Performance tier only. Also available for Block Blob Storage and File Storage accounts.

Geographically redundant storage (GRS): This is the same as LRS (three local synchronous copies), plus three additional asynchronous copies to a second Azure region hundreds of miles away from the primary region. Data replication typically occurs within 15 minutes, although no SLA is provided. Available for General-Purpose or Blob Storage accounts, at the Standard Performance tier only.

Read access geographically redundant storage (RA-GRS): This has the same capabilities as GRS, plus you have read-only access to the data in the secondary data center. Available for General-Purpose or Blob Storage accounts, at the Standard Performance tier only.

Geographically zone redundant storage (GZRS): This is the same as ZRS (three synchronous copies across multiple availability zones in the selected region), plus three additional asynchronous copies to a different Azure region hundreds of miles away from the primary region. Data replication typically occurs within 15 minutes, although no SLA is provided. Available for General-Purpose V2 storage accounts only, at the Standard Performance tier only.

Read access geographically zone redundant storage (RA-GZRS): This has the same capabilities as GZRS, plus you have read-only access to the data in the secondary data center. Available for General-Purpose V2 storage accounts only, at the Standard Performance tier only.



NOTE REPLICATION OPTIONS

These replication options control the level of durability and availability of the storage account. When the entire datacenter is unavailable, LRS would incur an outage. If the primary region is unavailable, both the LRS and ZRS options would incur an outage, but the GRS and GZRS options would still provide the secondary region that takes care of the requests during the outage. However, not all the replication options are available in all regions. You can find supported regions with these replication options at https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy.

NOTE SPECIFYING REPLICATION AND PERFORMANCE TIER SETTINGS

When creating a storage account via the Azure portal, the replication and performance tier options are specified using separate settings. When creating an account using Azure PowerShell, the Azure CLI, or a template, these settings are combined within the SKU setting. For example, to specify a Standard storage account with locally redundant storage using the Azure CLI, use --sku Standard_LRS.

Access tiers
Azure Blob Storage supports four access tiers: Hot, Cool, Cold, and Archive. Each represents
a trade-off of availability and cost. There is no trade-off on the durability (probability of data
loss), which is defined by the SKU and replication, not the access tier.

NOTE BLOB STORAGE ONLY

Access tiers apply to Block Blob Storage only. They do not apply to other storage services,
including append or page Blob Storage.

The tiers are as follows:


■■ Hot This access tier is used to store frequently accessed objects. Relative to other tiers, data access costs are low while storage costs are higher.
■■ Cool This access tier is used to store large amounts of data that is not accessed frequently and that is stored for at least 30 days. The availability SLA can vary depending on the replication model selected. Relative to the Hot tier, data access costs are higher and storage costs are lower.
■■ Cold This access tier is used for data that is rarely accessed or modified but needs to be accessible without delay. Data in this tier should be stored for at least 90 days. The Cold tier pricing model has lower storage capacity costs but higher access costs compared to the Cool and Hot tiers.
■■ Archive This access tier is used to archive data for long-term storage that is accessed rarely, can tolerate several hours of retrieval latency, and will remain in the Archive tier for at least 180 days. This tier is the most cost-effective option for storing data, but accessing that data is more expensive than accessing data in other tiers. Blob rehydration might take up to 15 hours before the blob is accessible.
New blobs will default to the access tier that is set at the storage account level, though you can override that at the blob level by setting a different access tier, including the Archive tier.

NOTE ARCHIVE TIER SUPPORTABILITY

Currently, the Archive tier is not supported for ZRS, GZRS, or RA-GZRS accounts.

Create an Azure storage account


To create a storage account using the Azure portal, type storage accounts in the search box.
On the Storage Accounts blade, click Create to open the Create A Storage Account blade (see
Figure 2-1). You must choose a unique name for the storage account. Storage account names
must be globally unique and may only contain lowercase characters and digits. Select the
Azure region (Location), the performance tier, and replication mode for the account. The blade
adjusts based on the settings you choose so that you cannot select an unsupported feature
combination.

FIGURE 2-1 Creating an Azure storage account using the Azure portal



The Advanced tab of the Create A Storage Account blade is shown in Figure 2-2. This tab
defines additional security settings, hierarchical namespace support, and access protocols.

FIGURE 2-2 The advanced settings that can be set when creating an Azure storage account using the portal

The Networking tab of the Create A Storage Account blade is shown in Figure 2-3. On
this tab, choose to maintain storage account access either publicly by choosing Enable Public
Access From All Networks or privately by choosing Disable Public Access And Use Private
Access.



FIGURE 2-3 The networking properties that can be set when creating an Azure storage account using the portal

The Data Protection tab provides options for configuring the recovery, tracking, and
access control of the storage account. This includes soft delete options, retention periods,
blob versioning, and version-level immutability support. Figure 2-4 shows the Data
Protection tab.
The Encryption tab provides options for configuring the encryption type, support for
customer-managed keys, and infrastructure encryption. By default, storage accounts are
encrypted using Microsoft-managed keys. However, you can configure customer-managed
keys to encrypt data using your own keys. Figure 2-5 shows the Encryption tab.



FIGURE 2-4 The data protection properties that can be set when creating an Azure storage account using the portal

FIGURE 2-5 The encryption properties that can be set when creating an Azure storage account using the portal



NEED MORE REVIEW? CREATING A STORAGE ACCOUNT WITH POWERSHELL

You can learn more about the additional parameters at https://learn.microsoft.com/en-us/powershell/module/az.storage/new-azstorageaccount?view=azps-11.2.0.

NEED MORE REVIEW? CREATING A STORAGE ACCOUNT WITH THE AZURE CLI

You can learn more about the additional parameters at https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-create.

Configure Azure Storage firewalls and virtual networks


Storage accounts are managed through Azure Resource Manager. Management operations
are authenticated and authorized using Microsoft Entra ID RBAC. Each storage service exposes
its own endpoint used to manage the data in that storage service (blobs in Blob Storage,
entities in tables, and so on). These service-specific endpoints are not exposed through Azure
Resource Manager; instead, they are (by default) internet-facing endpoints.
Access to these internet-facing storage endpoints must be secured, and Azure Storage
provides several ways to do so. In this section, you will review the network-level access controls:
the storage firewall and service endpoints. This section also discusses Blob Storage access
levels. The following sections then describe the application-level controls: shared access
signatures and access keys. In later sections, you will learn about Azure Storage replication and
how to leverage Microsoft Entra ID authentication for a storage account.

Storage firewall
Using the storage firewall, you can limit access to specific IP addresses or IP address ranges.
It applies to all storage service endpoints (blobs, tables, queues, and files). For example, by
limiting access to the IP address range of your company, access from other locations will be
blocked. Service endpoints are used to restrict access to specific subnets within an Azure virtual
network.
To configure the storage firewall using the Azure portal, open the storage account blade
and click Networking. Under Public Network Access, select Enabled From Selected Virtual
Networks And IP Addresses to reveal the Firewall and Virtual Networks settings, as shown in
Figure 2-6.
When accessing the storage account via the internet, use the storage firewall to specify the
internet-facing source IP addresses (for example, 32.54.231.0/24, as shown in Figure 2-6) which
will make the storage requests. All internet traffic is denied, except the defined IP addresses
in the storage firewall. You can specify a list of either individual IPv4 addresses or IPv4 CIDR
address ranges. (CIDR notation is explained in Skill 4.1 in Chapter 4, “Configure and manage
virtual networking.”)



FIGURE 2-6 Configuring a storage account firewall and virtual network service endpoint access

The storage firewall includes an option to allow access from trusted Microsoft services. As
an example, these services include Azure Backup, Azure Site Recovery, Azure Networking, and
more. For example, it will allow access to storage for NSG flow logs if Allow Trusted Microsoft
Services To Access This Account is selected. Separately, you can enable Allow Read Access To
Storage Logging From Any Network or Allow Read Access To Storage Metrics From Any Net-
work to allow read-only access to storage metrics and logs.

NOTE ADDRESS SPACE FOR A STORAGE FIREWALL

Storage firewall rules must use public internet IP address space; addresses from the private
IP ranges are not accepted. Additionally, /31 and /32 CIDR ranges are not accepted. For
individual addresses or very small ranges, list each IP address separately.
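The following Python models the storage firewall rules described above. It is an added example, not code from the book or from Azure: it validates rule entries under the constraints stated in the note (public IPv4 space only, no /31 or /32 prefixes) and then evaluates requests the way the firewall does when public network access is set to Enabled From Selected Virtual Networks And IP Addresses, with the trusted-services bypass included. The rule list, the subnet resource ID, and the client addresses are constructed; the evaluation order is my own model of the behaviour the text describes.

```python
"""Azure Storage firewall IP rules, modelled offline.

Added example, not Azure's own code. It encodes the constraints the text
states (rules must be public IPv4 address space; /31 and /32 prefixes are
refused and must be listed as individual addresses) and then evaluates
sample requests the way the firewall does once public network access is
"Enabled from selected virtual networks and IP addresses": everything is
denied unless the source matches an IP rule or an allowed subnet, with an
optional bypass for trusted Microsoft services. The rule list, subnet
resource ID and client addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


class RuleError(ValueError):
    """Raised for an IP rule the portal/ARM would refuse to save."""


def parse_ip_rule(rule: str) -> ipaddress.IPv4Network:
    """Validate one firewall entry and normalise it to an IPv4 network."""
    if "/" in rule:
        net = ipaddress.ip_network(rule, strict=False)
        if net.version != 4:
            raise RuleError(f"{rule}: only IPv4 rules are modelled here")
        if net.prefixlen >= 31:
            raise RuleError(f"{rule}: /31 and /32 ranges are not accepted; "
                            "list the individual addresses instead")
    else:
        addr = ipaddress.ip_address(rule)
        if addr.version != 4:
            raise RuleError(f"{rule}: only IPv4 rules are modelled here")
        net = ipaddress.ip_network(f"{addr}/32")
    if not net.is_global:
        raise RuleError(f"{rule}: must be public internet address space, "
                        "not a private or reserved range")
    return net


@dataclass
class StorageFirewall:
    """Settings behind 'Enabled from selected virtual networks and IP addresses'."""
    ip_rules: list = field(default_factory=list)      # IPv4Network objects
    subnet_ids: set = field(default_factory=set)      # subnets with a Microsoft.Storage service endpoint
    allow_trusted_services: bool = False              # 'Allow trusted Microsoft services' checkbox

    @classmethod
    def from_portal_input(cls, ip_entries, subnet_ids=(), allow_trusted_services=False):
        """Build the rule set, rejecting any entry the portal would not accept."""
        return cls([parse_ip_rule(e) for e in ip_entries], set(subnet_ids),
                   allow_trusted_services)

    def allows(self, *, source_ip=None, source_subnet_id=None, trusted_service=False) -> bool:
        """Default action is Deny: return True only if some rule admits the request."""
        if trusted_service and self.allow_trusted_services:
            return True
        if source_subnet_id is not None and source_subnet_id in self.subnet_ids:
            return True
        if source_ip is not None:
            addr = ipaddress.ip_address(source_ip)
            return any(addr in net for net in self.ip_rules)
        return False


# Constructed subnet resource ID standing in for a subnet that has the
# Microsoft.Storage service endpoint enabled.
APP_SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
                 "/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/app-subnet")


def demo() -> dict:
    """Evaluate a few constructed requests against a firewall like the one in Figure 2-6."""
    fw = StorageFirewall.from_portal_input(
        ["32.54.231.0/24", "52.168.4.7"],          # corporate range from the text plus one constructed host
        subnet_ids={APP_SUBNET_ID},
        allow_trusted_services=True,
    )
    return {
        "corp_range": fw.allows(source_ip="32.54.231.77"),
        "other_internet": fw.allows(source_ip="8.8.8.8"),
        "service_endpoint_subnet": fw.allows(source_subnet_id=APP_SUBNET_ID),
        "backup_service": fw.allows(source_ip="8.8.8.8", trusted_service=True),
    }


if __name__ == "__main__":
    for entry in ("32.54.231.0/24", "10.0.0.0/8", "32.54.231.5/32"):
        try:
            print(f"{entry}: accepted as {parse_ip_rule(entry)}")
        except RuleError as err:
            print(f"rejected -> {err}")
    print(demo())
```

The point to notice is the default action: once the account is switched to selected networks, a request is denied unless it matches an IP rule, comes from an allowed subnet, or is a trusted Microsoft service that you have explicitly permitted.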

Virtual network service endpoints


In some scenarios, a storage account is only accessed from within an Azure virtual network.
In this case, it is desirable from a security standpoint to block all internet access. By
configuring virtual network service endpoints for your Azure storage account, you can remove
access from the public internet and allow traffic only from the selected virtual network
subnets.
Another benefit of using service endpoints is optimized routing. Service endpoints create
a direct network route from the virtual network to the storage service. If forced tunneling is
being used to send internet-bound traffic to your on-premises network or to another network
appliance, requests to Azure Storage would otherwise follow that same route. With service
endpoints, the subnet uses a direct route to the storage service instead of the on-premises
route, so no additional latency is incurred.
Configuring service endpoints requires two steps. First, to update the subnet settings, you
should choose your virtual network from the Virtual Networks blade. Then select Subnets on
the left under Settings. Click the subnet you plan to configure to access the subnet settings.
After selecting the desired subnet, under Service Endpoints, choose Microsoft.Storage from
the Services drop-down menu. This creates the route from the subnet to the storage service
but does not restrict which storage account the virtual network can use. Figure 2-7 shows the
subnet settings, including the service endpoint configuration.

FIGURE 2-7 Configuring a subnet with a service endpoint for Azure Storage



The second step is to configure which virtual networks can access a particular storage
account. From the storage account blade, click Networking. Under Public Network Access, click
Enabled From Selected Virtual Networks And IP Addresses to reveal the Firewall and Virtual
Network settings, as shown previously in Figure 2-6. Under Virtual Networks, select Add Existing
Virtual Network to add the virtual networks and subnets that should have access to this
storage account.

Blob Storage access levels


Storage accounts support an additional access control mechanism that is limited only to
Blob Storage. By default, no public read access is enabled for anonymous users, and only
users with rights granted through RBAC or with the storage account name and key will have
access to the stored blobs. To enable anonymous user access, you must enable Allow Blob
Anonymous Access (shown in Figure 2-8) and configure the container access level (shown in
Figure 2-9).

FIGURE 2-8 Storage account configuration

The anonymous access level for a container can be specified during creation, or modified
after it has been created. The supported levels for blob containers are as follows:
■■ Private: Only principals with permissions can access the container and its blobs.
Anonymous access is denied.
■■ Blob: Only blobs within the container can be accessed anonymously; the container itself
(for example, listing its blobs) cannot.
■■ Container: Blobs and their containers can be accessed anonymously, including listing the
blobs in the container.
You can change the access level through the Azure portal, Azure PowerShell, Azure CLI,
programmatically using the REST API, or by using Azure Storage Explorer. The access level is
configured separately on each blob container.



FIGURE 2-9 Blob Storage access levels

A shared access signature token (SAS token) is a set of URI query string parameters that grants
access to containers, blobs, queues, and/or tables. Use a SAS token to grant access to a client or
service that should not have access to the entire contents of the storage account (and therefore
should not have the storage account keys) but still requires authenticated access. By
distributing a SAS URI to these clients, you can grant them access to a specific resource,
for a specified period of time, and with a specified set of permissions. SAS tokens are commonly
used to let users read and write data in a storage account without sharing its keys, and they are
widely used to copy blobs or files between storage accounts.

NOTE SAS TOKENS USING HTTPS

When dealing with SAS tokens, use only the HTTPS protocol. An active SAS token is a bearer
credential: anyone who obtains it gets the access it grants, so you must use a secure
connection, such as HTTPS, to distribute SAS token URIs and to make requests with them.

Create and use shared access signature (SAS) tokens


There are a few different ways you can create a SAS token. A SAS token is a way to granularly
control how a client can access data in an Azure storage account. You can also use an
account-level SAS to grant access across the services in the account. You can control many
things, such as which services and resource types the client can access, what permissions the
client has, how long the token is valid, and more.
This section examines how to create SAS tokens using various methods. The simplest way
to create one is by using the Azure portal. Browse to the Azure storage account and open the
Shared Access Signature blade (see Figure 2-10). Check the services, resource types, and
permissions that match your requirements, set the validity period for the SAS token, and
optionally restrict the IP addresses from which requests using the token are accepted. Lastly,
choose which access key (key1 or key2) to use as the signing key for this token.



FIGURE 2-10 Creating a shared access signature using the Azure portal

Once the token is generated, it will be listed along with connection string and SAS URLs, as
shown in Figure 2-11.

FIGURE 2-11 Generated SAS token with connection string and SAS URLs



Also, you can create SAS tokens using Storage Explorer or the command-line tools (or
programmatically using the REST APIs/SDK). To create a SAS token using Storage Explorer, you
need to first select the resource (storage account, container, blob, and so on) for which the SAS
token needs to be created. Then right-click the resource and select Get Shared Access Signature.
Figure 2-12 demonstrates how to create a SAS token using Azure Storage Explorer.

FIGURE 2-12 Creating a shared access signature using Azure Storage Explorer

NEED MORE REVIEW? AZURE STORAGE EXPLORER

Azure Storage Explorer is a free download from Microsoft that enables convenient cloud
storage management from your device. Learn more about Azure Storage Explorer at
https://azure.microsoft.com/en-us/products/storage/storage-explorer/.

Use shared access signatures


Each SAS token is a set of query string parameters that can be appended to the full URI of the
blob or other storage resource for which the SAS token was created. Create the SAS URI by
appending the SAS token to the full URI of that resource.
The following example shows the combination in more detail. Suppose the storage account
name is examrefstorage, the blob container name is examrefcontainer, and the blob path is
sample-file.png. The full URI to the blob in storage is
https://examrefstorage.blob.core.windows.net/examrefcontainer/sample-file.png



The combined URI with the generated SAS token is
https://examrefstorage.blob.core.windows.net/examrefcontainer/sample-file.png?sv=2024-01-02&ss=bfqt&srt=sco&sp=rwdlacupx&se=2024-02-02T08:50:14Z&st=2024-01-01T00:50:14Z&spr=https&sig=65tNhZtj2lu0tih8HQtK7aEL9YCIpGGprZocXjiQ%2Fko%3D
In this token, sv is the storage service version, ss the services the token covers (blob, file,
queue, table), srt the resource types (service, container, object), sp the granted permissions,
st and se the start and expiry times, spr the permitted protocol, and sig the HMAC-SHA256
signature computed over the other parameters with the selected account key. Anyone holding
this URI can exercise those permissions until se, so treat it as a credential.

Currently, stored access policy is not supported for account-level SAS.

NEED MORE REVIEW? ACCOUNT LEVEL SAS

You can learn more about the account level SAS at https://learn.microsoft.com/en-us/rest/api/
storageservices/create-account-sas.

Use user delegation SAS


You can also create a user delegation SAS, which is secured with Microsoft Entra ID credentials
rather than with a storage account key. A user delegation SAS is supported only by Blob Storage,
and it can grant access to containers and blobs. Currently, stored access policies are not
supported for a user delegation SAS.

NEED MORE REVIEW? USER DELEGATION SAS

You can learn more about the user delegation SAS at https://learn.microsoft.com/en-us/rest/
api/storageservices/create-user-delegation-sas.

Configure stored access policies


A SAS token incorporates the access parameters (start and end time, permissions, and so on) as
part of the token. The parameters cannot be changed without generating a new token, and the
only way to revoke an existing token before its expiry time is to regenerate the storage account
key used to sign the token or to delete the resource it points to. In practice, these limitations
can make standard SAS tokens difficult to manage.
Stored access policies allow the parameters for a SAS token to be decoupled from the token
itself. The access policy specifies the start time, end time, and access permissions, and the
access policy is created independently of the SAS tokens. SAS tokens are then generated that
reference the stored access policy by its identifier instead of embedding the access parameters
explicitly. With this arrangement, the parameters of existing tokens can be modified by simply
editing the stored access policy. Existing SAS tokens remain valid and use the updated
parameters. You can revoke the SAS tokens that reference a policy by deleting the policy,
renaming it (changing the identifier), or changing its expiry time to a time in the past.

NOTE STORED ACCESS POLICY EFFECT

It can take up to 30 seconds for a stored access policy to take effect, and users might see an
HTTP 403 when attempting access during that time.



Figure 2-13 shows the creation of stored access policies in the Azure portal.

FIGURE 2-13 Creating stored access policies using the Azure portal

Figure 2-14 shows stored access policies being created in Azure Storage Explorer.

FIGURE 2-14 Creating stored access policies using Azure Storage Explorer

To use the created policies, reference them by name when creating a SAS token using
Storage Explorer or when creating a SAS token using PowerShell or the CLI tools.

NOTE MAXIMUM ACCESS POLICIES

You can have a maximum of only five access policies on a container, table, queue, or file share.



Manage access keys
The simplest way to manage access to a storage account is to use access keys. With the storage
account name and an access key to the Azure storage account, you have full access to all data
in all services within the storage account. You can create, read, update, and delete containers,
blobs, tables, queues, and file shares. In addition, you have full administrative access to every-
thing other than the storage account itself. (You cannot delete the storage account or change
settings on the storage account, such as its type.)
Applications will use the storage account name and key for access to Azure Storage.
Sometimes, this is to grant access by generating a SAS token, and sometimes, it is for direct
access with the name and key.
To access the storage account name and key, open the storage account from within the
Azure portal and click Access Keys. Figure 2-15 shows the primary and secondary access keys
for a storage account.

FIGURE 2-15 Access keys for an Azure storage account

Each storage account has two access keys. This means you can modify applications to use
the second key instead of the first and then regenerate the first key. This technique is known as
“key rolling” or “key rotation.” You can reset the primary key with no downtime for applications
that directly access storage using an access key.
Storage account access keys can be regenerated using the Azure portal or the command-
line tools. In PowerShell, this is accomplished with the New-AzStorageAccountKey cmdlet; with
Azure CLI, you will use the az storage account keys renew command.



NOTE ACCESS KEYS AND SAS TOKENS

Regenerating a storage account access key will invalidate any SAS tokens that were generated
using that key.
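As an added example (not code from the book or from Microsoft), the following Python builds an account SAS for the blob URI shown under "Use shared access signatures" and then checks it the way the service would: protocol, validity window, signature, and permission. Running the same check with a regenerated key demonstrates the note above, that rotating an access key invalidates every token signed with it. The string-to-sign layout is the documented account SAS format; the keys are constructed, non-secret values, the check function is my own model of the service's behaviour, and the optional sip restriction is signed but not enforced here.

```python
"""Account SAS: sign one, attach it to a blob URI, and check it on use.

Added example, not the book's or Microsoft's code. The string-to-sign
follows the layout documented for the Create Account SAS REST operation
(account name, sp, ss, srt, st, se, sip, spr, sv and encryption scope, each
terminated by a newline) and the signature is HMAC-SHA256 over it keyed
with the base64-decoded account key. DEMO_KEY and ROTATED_KEY are
constructed, non-secret values; the account, container and blob names are
the ones used in the text.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

DEMO_KEY = base64.b64encode(b"\x01" * 64).decode()      # constructed "key1"
ROTATED_KEY = base64.b64encode(b"\x02" * 64).decode()   # constructed "key1" after regeneration

ACCOUNT, CONTAINER, BLOB = "examrefstorage", "examrefcontainer", "sample-file.png"


def _string_to_sign(account: str, p: dict) -> str:
    """Canonical layout of the signed account SAS fields (sv >= 2020-12-06)."""
    fields = [account, p["sp"], p["ss"], p["srt"], p.get("st", ""), p["se"],
              p.get("sip", ""), p["spr"], p["sv"], p.get("ses", "")]
    return "\n".join(fields) + "\n"


def _signature(account: str, key_b64: str, p: dict) -> str:
    mac = hmac.new(base64.b64decode(key_b64),
                   _string_to_sign(account, p).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def create_account_sas(account, key_b64, *, services, resource_types, permissions,
                       expiry, start=None, allowed_ip=None, version="2024-01-02"):
    """Return the SAS token as a query string (without the leading '?')."""
    p = {"sv": version, "ss": services, "srt": resource_types, "sp": permissions,
         "se": expiry, "spr": "https"}             # HTTPS only, as the note in the text advises
    if start:
        p["st"] = start
    if allowed_ip:
        p["sip"] = allowed_ip
    p["sig"] = _signature(account, key_b64, p)
    return urlencode(p)                             # percent-encodes '/', '+', '=' and ':'


def sas_url(account, container, blob, sas_token):
    """Combine the resource URI and the SAS token, as in the text's example."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{sas_token}"


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_sas(url, account, key_b64, now, operation="r"):
    """Mimic the service's checks on a SAS request; returns (allowed, reason).

    key_b64 is the key the service currently holds, so passing a regenerated
    key shows why key rotation invalidates tokens signed with the old one.
    """
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.scheme != "https" or q.get("spr") != "https":
        return False, "https required"
    if "st" in q and now < _utc(q["st"]):
        return False, "not yet valid"
    if now >= _utc(q["se"]):
        return False, "expired"
    unsigned = {k: v for k, v in q.items() if k != "sig"}
    if not hmac.compare_digest(_signature(account, key_b64, unsigned), q.get("sig", "")):
        return False, "signature mismatch (wrong or regenerated key)"
    if operation not in q["sp"]:
        return False, f"permission '{operation}' not granted"
    return True, "ok"


def demo() -> dict:
    """Read-only SAS on one blob, valid for the window used in the text's example."""
    token = create_account_sas(ACCOUNT, DEMO_KEY, services="b", resource_types="o",
                               permissions="r", start="2024-01-01T00:50:14Z",
                               expiry="2024-02-02T08:50:14Z")
    url = sas_url(ACCOUNT, CONTAINER, BLOB, token)
    during = datetime(2024, 1, 15, tzinfo=timezone.utc)
    after = datetime(2024, 3, 1, tzinfo=timezone.utc)
    return {
        "read_in_window": check_sas(url, ACCOUNT, DEMO_KEY, during),
        "write_in_window": check_sas(url, ACCOUNT, DEMO_KEY, during, operation="w"),
        "after_expiry": check_sas(url, ACCOUNT, DEMO_KEY, after),
        "after_key_rotation": check_sas(url, ACCOUNT, ROTATED_KEY, during),
        "over_http": check_sas(url.replace("https://", "http://", 1), ACCOUNT, DEMO_KEY, during),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the signature is computed with the account key, the service can verify a token only with the key it currently holds; after you regenerate that key, the same token fails the signature check even though its window has not expired. Keep the token scoped to the minimum services, resource types, permissions and lifetime you need, since the parameters are fixed once signed.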

Managing access keys in Azure Key Vault


It is important to protect the storage account access keys because they provide full access to
the storage account. Azure Key Vault helps safeguard cryptographic keys and secrets used
by cloud applications and services, such as authentication keys, storage account keys, data
encryption keys, and certificate private keys.
Keys in Azure Key Vault can be protected in software or by using hardware security modules
(HSMs). HSM keys can be generated in place or imported. Importing keys is often referred to as
bring your own key, or BYOK.

NEED MORE REVIEW? USING HSM-PROTECTED KEYS FOR AZURE KEY VAULT

You can learn more about the bring your own key (BYOK) scenario here:
https://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys.

Retrieving the stored keys and secrets from Key Vault is typically done by application code,
although values from Key Vault can also be referenced from ARM templates during deployment.

NEED MORE REVIEW? ACCESSING ENCRYPTED KEYS FROM AZURE KEY VAULT

You can learn more about how developers securely retrieve and use secrets from
Azure Key Vault here: https://learn.microsoft.com/en-us/azure/storage/blobs/
storage-encrypt-decrypt-blobs-key-vault?tabs=roles-azure-portal%2Cpackages-dotnetcli.

Configure identity-based access


Microsoft Entra ID authentication is beneficial for customers who want to control data access at
an enterprise level based on their security and compliance standards. Entra ID authentication
provides identity-based access to Azure Storage in addition to the existing shared key and SAS
token authorization mechanisms. Azure blobs, files, and queues support Entra ID authentication.
Entra ID authentication enables customers to leverage RBAC in Azure for granting the
required permissions to a security principal (users, groups, and applications) down to the scope
of an individual blob container or queue. When a security principal authenticates, Entra ID
returns an OAuth 2.0 access token to it, which the principal then presents to Azure Storage
for authorization of each request.

84 CHAPTER 2  Implement and manage storage


Index

A
ACA (Azure Container Apps), 123 budget, 57 Complete mode, 131–132
connecting to, 184–186 creating, 312–313 for creating a network interface,
creating an instance, 178–184 rules, 298, 313–315 127
provisioning a container, 178 target resource, 313 for creating a virtual network,
scaling and sizing, 187–189 viewing, 318–319 126–127
access control, 16 algorithm, spreading, 168 for defining a virtual machine
blob storage, 77–78, 86–88 alias record, 269–270 resource, 129
role-based, 16–19 aligned availability set, 163 deployment, 133–135, 137
scope, 18–19 allocation, public IP address, editing, 133–134
access keys, storage account, 83–84 228–229 elements, 125
access tiers, Azure Blob Storage, App Service, 189–190, 199–200 exporting from a deployment,
69–70, 110–112 backup, 204–205 137–139
accountability, organizational, 55 creating, 193–196 functions, resourceGroup(), 126
ACI (Azure Container Instances), 123 deployment slots, 210–211 Incremental mode, 132
connecting to, 177–178 managed certificates, 200–201 modifying an existing, 131
creating, 174–177 mapping to a custom DNS name, parameters, 136, 137
scaling and sizing, 186–187 196–199 UI, 135
ACR (Azure Container Registry), 168 network settings, 205–206 validation, 135
Access Keys blade, 172 private key certificates, 201–203 variables, syntax, 126
creating an instance from the public key certificate, 203 ASG (application security group),
Azure portal, 170–171 App Service plan 246–247, 251–253
managing, 172 creating, 190–192 assigned group, 5
tiers, 169 provisioning, 190 async blob copy, 100–101
action groups, 316–318 scaling, 192–193 authentication, 84–85, 86–88
activity logs, 304–305 append blob, 66, 107 availability, 161
additive model, 16–17 application, three-tier architecture, set
ADFS (Active Directory Federation 246 storage account replication
Services), 1 Application Insights, configuration, mode, 89–91
administrator role 321–323. See also Azure Monitor, zone, 159–160
permissions, 49–50 insights az deployment group create
subscription, 49 applying, resource tags, 41 command, 142
agents, Log Analytics workspace, 301 architecture, three-tier application, AZ-104 Microsoft Azure
AKS (Azure Kubernetes Service), 123 246 Administrator exam, 358–359
alert/s, 311–312 archive access tier, Azure Blob updates, 358–359
action groups, 316–318 Storage, 69–70 azcopy command, 99–100
analyzing across subscriptions, ARM (Azure Resource Manager) AzNetworkWatcherNextHop
319–321 template, 16, 124 cmdlet, 329
Azure Monitor, 294 for adding a public IP address,
128–129
362
blob/s

AzResourceGroupDeployment resource groups, 33 Registration blade, 14–15


cmdlet, 137 scoping, 33 role assignments, managing,
Azure AD, 1 Azure portal, 3 25–28
Azure Backup service, 292, 344–348 Add Peering blade, 225–227 SAS token, creating, 78–79
Azure Bastion, 255–258 App Service, changing the SSPR (self-service password
Azure Blob Storage. See also blob/s network settings, 206–209 reset), 14
access tiers, 69, 70, 110–112 App Service, creating, 193–196 storage account, creating, 70–74
Azure CLI (command-line ARM template UDR configuration, 236–238
interface), 3 ASG (application security group), users, creating, 3
Azure Cost Management, 59–60 configuration, 251–253 Users blade, 3
Azure Files, 101 authoring queries, 308–309 VMSS (Virtual Machine Scale
automatically reconnect after Azure Load Balancer Set), creating, 164–165
reboot in Windows, 106 configuration, 281–286 Azure Site Recovery, configuration,
connect and mount from Linux, Azure Policy Assign Initiative 335–343
106 blade, 37 Azure Storage, 65
connect and mount with the net Azure Policy Assignments blade, Azure Storage Explorer, 95
use command, 105 36 connecting to storage accounts,
connect and mount with Azure Policy Definitions blade, 96–99
Windows File Explorer, 104–105 34 copying between storage
connect to Azure files outside of bulk operations, 8–9 accounts, 99
Azure, 103 containers, managing, 107–109. creating an SAS token, 80
create a file share, 102–103 See also container/s Azure subscription, 29
Azure Key Vault, 95 Create a Storage Account blade,
managing access keys, 84 71–73
pricing, 151
Azure Load Balancer, 263, 277
Create a Virtual Machine blade
Create Container Instance blade, B
backend configuration, 279 174–175 backup and recovery, 331
configuration, 281–286 Create Container Registry blade, App Service, 204–205
frontend IP configuration, 170 Azure Backup service, creating,
278–279 Create Virtual Network blade, 344–348
health probes, 279–280 219–221 Azure Site Recovery, 335–343
NSG configuration, 281 custom DNS configuration, backup policy, 348–351
pricing tiers, 277–278 274–275 Recovery Services vault, 332–333
rules, 280–281 custom role, creating, 20–25 restoring a VM, 346–348
troubleshooting, 286 Effective Security Rules view, soft delete, 113–115, 333–335
Azure Monitor, 292–293. See also 253–254 backup report, 351–353
data collection; file share, creating, 102–103 BCDR (business continuity and
Log Analytics; metrics; monitoring group disaster recovery) plan, 335
agent ports and protocols, 304 guest users, managing, 10–12 Bicep, 140
alert/s, 294, 311–312 IAM blade, 26 code, 140–141
comparing metrics and logs, 293 Metrics blade, 296–298. See also file
insights metrics installing the tools, 141
logs, 299 Move Resources blade, 154 billing, subscription, 58
metrics, 294–295 Notifications blade, 15 blob/s, 66, 110–112
Azure Policy, 31, 51. See also NSG (network security group), access control, 77–78
policy/ies creating, 247–249 block, 66, 107. See also VNet
management groups, 33 policy definitions, creating, 33–37 (virtual network)
policy compliance, 37–38 public IP address, creating, containers, 106–107
policy definitions, 33–34 231–232 copying, 99, 100–101

363
blob/s, continued

blob/s, continued code, 124 alerts, 312–313


Entra ID authentication, 86–88 Bicep, 140–141 App Service, 193–196
lifecycle management, 117–119 infrastructure as, 131, 140 App Service plan, 190–192
object replication, 91–95 cold access tier, Azure Blob Storage, availability set, 161–163
RBAC roles, 85 69 Azure Backup service, 344–348
resource scope, 85–86 commands Azure Bastion service, 255–258
types, 107 az deployment group create, 142 budget, 55
user delegation SAS (shared azcopy, 99–100 file share, 102–103
access signature), 81 Docker, registryname.azurecr. groups, in Azure portal, 4
versioning, 115–116 io, 172 NSG (network security group),
bring your own DNS, 273–274 mount, 106 using Azure portal, 247–249
budget net use, 105 policy definitions, 33–37
alerts, 57 query, 308 queries, 307–309
creating, 55 Complete mode, ARM (Azure Recovery Services vault, 332–333
subscription, 55 Resource Manager) resource locks, 39
threshold, 55 template, 131–132 role/s
viewing, 57 compliance, policy, 37–38 SAS (shared access signature)
built-in policy, 32 compute resources, 123 token
built-in role, 17–18, 20, 25, 50 configuration storage account
bulk operations, 9 Application Insights, 321–323 stored access policy, 82
BYOD (bring-your-own-device), 12 ASG (application security group), subnets, 220–221
251–253 users
Azure Load Balancer, 281–286 VM (virtual machine), 144–145.

C Azure Site Recovery, 335–343


DNS, 270–273
See also Azure portal, Create a
Virtual Machine blade
certificate Entra ID Join, 12–14 VMSS (Virtual Machine Scale
managed, 200–201 Log Analytics workspace, 299–304 Sets), 164–165
private key, 201–203 public IP address, 227 VNet (virtual network), 219–221
public key, 203 SSPR (self-service password custom role
chart reset), 14–15 assignable scopes, 23
adding metrics, 296–298 storage creating, 20–25
line, 298 UDRs (user-defined routes), permissions, 21–23
query-based, 310 236–238
child DNS zone, 268 Connection Monitor, 240–241
CIDR (classless inter-domain
routing), 216, 220
Connection Troubleshoot, 239–240
container/s, 123, 168. See also ACA D
cloning, built-in role, 20, 25 (Azure Container Apps); ACI (Azure dashboard, 298
cloud-only users, 3 ContainerInstances); ACR Application Insights, 322–323
cmdlet/s, 55 (Azure Container Registry) Azure Monitor Alerts, 320
AzNetworkWatcherNextHop, blob, 106–107 saving queries to the, 309
329 management data backup and recovery
AzResourceGroupDeployment, cool access tier, Azure Blob Storage, snapshots, 115–116
137 69 soft delete, 113–115
Get-AzNetworkWatcherTopology, copying, between storage accounts, versioning, 115–116
331 99, 100–101 data collection, 299–300
New-AzResourceGroup cost center quota, 55–57 adding a data source destination,
Deployment, 142 cost management, 53–54, 58–60 303–304
New-AzStorageAccountKey, 83 creating resources, 301–302
Test-AzNetworkWatcherIPFlow, ACI (Azure Container Instances), rules, 300–301
328 174–177 default rules, NSG, 245

364
GZRS (geographically zone redundant storage)

definition
initiative, 31
A record, 230
records, 268–269
F
policy, 31–32, 33–37 resolution VNet, 275 fault domain, 163, 168
Delete lock, 38 reverse lookup, 265 file share, creating, 102–103
deleting server, 274 files
devices, 8 services, 266 Bicep
Entra ID directories, 29 zone, 263–264 storage, 66
resource groups, 46–48 Docker, registryname.azurecr.io firewall, storage, 74
deny assignment, 19 command, 172 access from trusted Microsoft
dependency, 127, 128 Docker Hub, 168 services, 75
deployment dynamic allocation, public IP address space, 75
ARM template, 133–135, 137 address, 228 configuration, 74
Bicep file, 142 dynamic group/s, 5–6 forced tunneling, 236
exporting a template from, Function App, 316
137–139 functions
Network Watcher, 327
slots, 210–211 E ARM template, 125
resourceGroup(), 126
VM (virtual machine), 143–144 EA (Enterprise Agreement), 58, 59
development editing

G
Application Insights, 321–323 ARM template, 133–134
containers and, 168 groups, 6
Entra ID, 1 Effective Security Rules view, Azure geo-replications, 174
device portal, 253–254 Get-AzNetworkWatcherTopology
associating with Entra ID, 12 encryption cmdlet, 331
deleting, 8 storage account, 95–96 global peering, 222
hybrid Entra join, 14 VM (virtual machine) governance, subscription, 50–51
identity, 12 endpoints graphs, query-based, 310
managed, 12 health probes, 280 group/s, 4. See also ASG (application
management, 7–8 private, 259–262 security group); NSG (network
non-hybrid Entra join, 14 service, 258 security group)
registration, 12–13 Entra Admin Center, 3, 8–9 action, 316–318
diagnostic logs, 304, 305–307 Entra Connect, 1 assigned, 5
directories, Entra ID, 28, 29 Entra Connect Sync, 1 creating, in Azure portal, 4
disabling, VM encryption, 153 Entra External ID, 1 dynamic, 5–6
disks Entra ID, 1 editing, 6
managed, 163 authentication, 84–85, 86–88 management, 6, 18, 33, 50–53
storage, 66 cloud-only users, 3 Microsoft 365, 5
VM (virtual machine), managing, development, 1 placement, 163–164
158–159 Device Settings blade, 12–13 properties, 6–9
DMZ (demilitarized zone), 215–216 directories, 28, 29 RBAC (role-based access
DNS Join, configuration, 12–14 control), 17
alias record, 230 license/s resource, 30, 33
bring your own, 273–274 roles, 18 security, 5
CNAME record, 230 SSPR (self-service password GRS (geographically redundant
custom settings, 272–273, reset), 14–15 storage), 68
274–275 subscription, 48 Guest OS metrics, 295–296
labels, 229–230 tenant, 28 guest users, managing, 10–12
local, 264 Entra ID B2B, 1 GZRS (geographically zone
name resolution, 262, 264–265 external users, managing, 10–12 redundant storage), 68

365
health monitoring, VMSS (Virtual Machine Scale Sets)

H

health monitoring, VMSS (Virtual Machine Scale Sets), 166–167
health probes, Azure Load Balancer, 279–280
hierarchy, management group, 51
hot access tier, Azure Blob Storage, 69
HSM (hardware security module), 84
hub-and-spoke topology
    creating a VNET peering on, 225–227
    VNet, 223
hybrid Entra join, 14
hybrid Entra joined devices, 14

I

identity, 1, 12
inbound NAT rule, 280–281
Incremental mode, ARM (Azure Resource Manager) template, 132
infrastructure
    as code, 131, 140
    -as-a-service, 291
inheritance, 18, 38
initiative definition, 31
insights
    network, 325–326
    storage account, 325–326
    VM (virtual machine), 323–325
installing, Bicep tools, 141
IP Flow Verify, 327–328
IP forwarding, 235
IP range
    subnet, 217
    VNet, 216–217
ITSM (IT Service Manager), 316

J-K

JSON (JavaScript Object Notation), 25
    ARM template, 124
    schema file, 125
key rolling, 83
KQL (Kusto Query Language), 307–308, 309

L

large scale set, 164
LDNS (local DNS), 264
legacy storage account types, 67–68
license, Entra ID
    management, 10
    purchasing, 10
    SSPR requirements, 14
line chart, 298
Linux, 106
load balancing, 277. See also Azure Load Balancer
    inbound NAT rule, 280–281
    logs, 286
    troubleshooting, 286
lock/s
    inheritance, 38
    resources, 38
Log Analytics, 293
    data collection
    pricing, 299, 300
    querying, 294, 307–309
    workspace
logs
    activity, 304–305
    Azure Monitor, 293
    diagnostic, 304, 305–307
    load balancer, 286
    querying, 307–309
LRS (locally redundant storage), 68

M

managed certificate, 200–201
managed disks, 163
management
    ACR (Azure Container Registry) container
    cost, 53–54
    device, 7–8
    external user, 10–12
    group, 6–7, 18, 50–53
    license, 10
    plane, 38–39
    resource group, 41–42
    subscription, 48–49
    VM disk, 158–159
method, validateMoveResources, 44–45
metrics, 294–295, 304. See also data collection
    Azure Monitor, 293
    multidimensional, 296
    one-dimensional, 296
    populating a chart, 296–298
    properties, 296
    retention period, 295–296
    and visual response times, 299
Microsoft 365, 1, 5
Microsoft Entra ID. See Entra ID
Microsoft Graph, 3
modifying an existing ARM template, 131
monitoring
    health, VMSS, 166–167
    resource costs, 58–60
mount command, 106
move operations
    resource group, 42–46, 153–156
    support, 43
multidimensional metrics, 286, 296

N

name resolution, 262, 264–265
name server, 267
naming conventions
    storage account, 66
    subnet, 217
net use command, 105
network insights, 325–326
network interface, 127
network topology view, 330–331
Network Watcher, 327
    Connection Monitor, 240–241
    Connection Troubleshoot, 239–240
    deployment, 327
    IP Flow Verify, 327–328
    network topology view, 330–331
    Next Hop, 328–329
    Packet Capture, 329–330
New-AzResourceGroupDeployment cmdlet, 142
New-AzStorageAccountKey cmdlet, 83
Next Hop, 328–329
NIC (network interface card), associating an NSG, 249–251
non-hybrid Entra join, 14
notifications, 15
NSG (network security group), 242
    applying to VNets, 248–249
    associating to a subnet or network interface, 249–251
    configuring on Azure Load Balancer, 281
    creating with Azure portal, 247–249
    rules, 242–243, 253–254
NVA (network virtual appliance), 224–225

O

object replication, 91–95
one-dimensional metrics, 296
optimization, resource, 291–292
organizational accountability, 55

P

PaaS (platform as a service), 258
Packet Capture, 329–330
page blob, 66, 107
parameters, ARM template, 125, 137
passwords, self-service reset, 14–15
peering, VNet, 222
    creating with Azure portal, 225–227
    global, 222
    requirements and constraints, 222
performance tier, storage account, 67
permissions, 17
    administrator role, 49–50
    custom role, 21–23
placement group, 163–164
planning, resource tagging taxonomy, 40–41
policy/ies
    Azure, 31
    backup, 348–351
    built-in, 32
    compliance, 37–38
    definition, 31–32, 33–37
    management groups, 33
    replication, 337–338
    scoping, 33
    stored access, 81–82
    upgrade, 166
port mapping, 281
POST request, move operation, 44
PowerShell
    cmdlet/s, 55, 108
    runbook, 316
precedence rules, route table, 235–236
Premium tier, storage account, 67
pricing
    Azure Key Vault, 151
    Azure Load Balancer, 277–278
    Log Analytics, 299, 300
    public IP address, 227–228
principles of least privilege, 17
private DNS zone, 275–277
private endpoints, 259–262
private key certificates, 201–203
property/ies
    DNS label, 230
    DNS record, 268
    group, 6–9
    metric, 296
    NSG (network security group), 242–243
    user, 6–9
    VNet (virtual network), 218
public IP address
    adding to VM, 128–129
    configuration, 227
    creating with Azure portal, 231–232
    DNS labels, 229–230
    dynamic allocation, 228
    outbound internet connections, 230–231
    prefix, 229
    pricing tiers, 227–228
    static allocation, 228–229
public key certificate, 203
purchasing, Entra ID license, 10

Q

queries/querying
    creating charts and graphs from, 310
    Log Analytics, 294, 307–309
    saving to the dashboard, 309
    scope, 308
    table-based, 308
queues
    RBAC roles, 85
    resource scope, 85–86
    storage, 66
quota
    cost center, 55–57
    request, 54–55
    resource, 44, 53, 54–55
    spending, 59

R

RA-GRS (read access geographically redundant storage), 68
RA-GZRS (read access geographically zone redundant storage), 68
RBAC (role-based access control), 1, 16–19, 31
    access assignments, 25–28
    additive model, 16–17
    and management groups, 53
    role/s, 16, 18
    scope, 18–19
Read-only lock, 38, 39
records
    alias, 269–270
    DNS, 268–269, 270–273
    SPF, 269

Recovery Services vault, 332
    creating, 332–333
    soft delete, 333–335
recursive DNS server, 264–265
registration, device, 12–13
registryname.azurecr.io command, 172
removing
    resource groups, 46–48
    role assignment, 28
    subnets, 217
replication
    object, 91–95
    policy, 337–338
    from source VM, 336–343
    storage account, 68–69, 89
report
    backup, 351–353
    resource cost, 58–60
    usage, 40
request, quota, 54–55
resolution, VNets, 275
resourceGroup() function, 126
resource/s, 29, 30. See also metrics; VM (virtual machine)
    additive model, 16–17
    compute, 123
    cost management, 58–60
    data collection, 301–302
    dependency, 127
    groups, 30, 33
    ID, 156, 226–227
    lock/s, 38
    optimization, 291–292
    permissions, 17
    policy definition, 31–32
    provider, 43–44
    public IP address, 227
    quota, 44, 53, 54–55
    role inheritance, 16
    scope, 18–19, 85–86
    tags, 40, 54
    target, 313
restoring a recovery point, 346–348
retention period, metrics, 295–296
reverse DNS lookup, 265
role/s, 16
    administrator, permissions, 49–50
    assignment, 17–19, 25–26
    built-in, 17–18, 50
    cloning, 25
    definition, 17
    Entra ID, 18
    inheritance, 16, 18
    RBAC (role-based access control), 18
route table, 233–234
    creating, 236
    precedence rules, 235–236
rules
    alert, 294, 298, 313–315
    Azure Load Balancer, 280
    data collection, 300–301
    lifecycle management, 117–119
    NSG (network security group), 242–243, 253–254
    object replication, 92–94
    precedence, 235–236
    scale, 189
    VMSS management, 166
runbook, 316

S

SAS (shared access signature), 78
    token, creating
    URI, 80–81
    user delegation, 81
saving authored queries to the dashboard, 309
scale set, 163–164
scaling and sizing
    ACA (Azure Container Apps), 187–189
    ACI (Azure Container Instances), 186–187
    App Service plan, 192–193
scope/s, 18–19
    Azure Cost Management, 60
    deny assignment, 19
    management group, 51–52
    policy, 33
    query, 308
    resource, for blobs and queues, 85–86
security
    group, 5, 17. See also NSG (network security group)
    principal, 19
server
    custom DNS, 274
    name, 267
    recursive DNS, 264–265
service/s. See also subscription
    Azure Bastion, 255–258
    chaining, 224–225
    DNS, 266
    endpoints, 258
    infrastructure-as-a-, 291
    private endpoints, 259–262
    resource/s, 29
    storage, 66, 74
    tag, 222–223, 244
shared VNet gateway, 225
single sign-on, 12
size, VM (virtual machine), changing, 156–158
SMB, 103
snapshots, 115–116
soft delete, 113–115, 333–335
spending limits, Azure subscription, 53–54, 59
SPF (Sender Policy Framework) records, 269
spreading algorithm, 168
SSPR (self-service password reset), 2, 14–15
stacked bar chart, 310
Standard tier, storage account, 67
static allocation, public IP address, 228–229
storage, 65. See also Azure Blob Storage
    account/s, 65
    backup and recovery, soft delete, 113–115. See also backup and recovery
    blob/s, 66
    disks, 66
    files, 66
    firewall, 74
    identity-based access, 84–85
    queues, 66
    replication, 89
    SAS (shared access signature) service, 74
    snapshots, 115–116
    tables, 66
    virtual network service endpoints, 75–76
Storage Explorer, containers, managing, 109
stored access policy, 81–82
subnets, 215–216, 217. See also VNet (virtual network)
    associating an NSG, 249–251
    creating, 220–221
    IP range, 217
    removing, 217
    route table, 233–234, 235–236
    settings, 218
subscription
    activity logs, 304–305
    administrators, 49
    alerts, 319–321
    Azure, 29
    billing, 58
    budget, 55
    governance, 50–51
    managing, 48–49
    moving resources between, 43–44
    resource groups, 30–31
    resource locks, 38
    spending limits, 53–54
    types, 48
sync blob copy, 101
system routes, 231–233, 236

T

table/s
    querying, 308
    storage, 66
tags
    resource, 40, 54
    service, 222–223, 244
target resource, 313
template
    ARM, 16, 124, 130–131
    VHD, 132–133
Test-AzNetworkWatcherIPFlow cmdlet, 328
three-tier application architecture, 246
threshold, budget, 55
tools
    Bicep, installing, 141
    Connection Monitor, 240–241
    Connection Troubleshoot, 239–240
    Network Watcher. See also Network Watcher
topology, hub-and-spoke, 223
troubleshooting
    load balancing, 286
    tools, Connection Troubleshoot, 239–240. See also tools

U

UDRs (user-defined routes), 224–225, 233–235, 236–238
UI (user interface), ARM template, 135
upgrade, policy, 166
uploading and downloading data using azcopy, 100
URI, SAS (shared access signature), 80–81
Usage Location property, 10
usage report, 40
user delegation SAS (shared access signature), 81
user/s
    cloud-only, 3
    creating, bulk operations, 9
    creating, in Azure portal, 3
    guest, managing, 10–12
    profile, 6
    properties, 6–9
    Usage Location property, 10

V

validateMoveResources method, 44–45
vanity name server, 267
variables, ARM template, 125, 126, 129, 135
versioning, 115–116
VHD template, 132–133
viewing
    alerts, 318–319
    budget, 57
virtual network, 126–127
VirtualNetwork service tag, 222–223
VM (virtual machine), 123, 143. See also VNet (virtual network)
    adding a public IP address, 128–129
    availability set, 161
    availability zone, 159–160
    backing up, 344–346
    changing the size of, 156–158
    creating, 144–145. See also Azure portal, Create a Virtual Machine blade
    defining, 129
    deployment, 143–144
    disks, managing, 158–159
    encryption, 150
    insights, 323–325
    IP forwarding, 235
    moving, 153
    network interface, creating, 127
    outbound internet connections, 230–231
    replication, 336–343
    restoring, 346–348
    types, 156–157
VMSS (Virtual Machine Scale Sets), 123, 163
    advanced rules, 167
    creating, 164–165
    health monitoring, 166–167
    placement group, 163–164
    spreading algorithm, 168
    upgrade policy, 166
VNet (virtual network), 210–211, 215–216
    Azure Bastion, 255
    Azure Bastion service, creating, 255–258
    CIDR (classless inter-domain routing), 216, 220
    creating, 219–221
    hub-and-spoke topology, 223
    IP forwarding, 235
    IP range, 216–217
    NSGs, applying, 248–249
    NVA (network virtual appliance), 224–225
    peering, 222

VNet (virtual network), continued
    properties, 218
    resolution, 275
    service endpoints, storage and, 75–76
    shared gateway, 225
    subnets, 217
    system routes, 231–233
    UDRs (user-defined routes), 224–225, 233–235
    VPN, forced tunneling, 236

W

webhooks, 173, 316–317
Windows, non-hybrid Entra join, 14
Windows File Explorer, mapping a network drive to an Azure file share, 104–105
workspace, Log Analytics
    agents, 301
    configuration, 299–304

X-Y-Z

zone, DNS, 263–264
    child, 268
    configuration, 270–273
    delegating to Azure DNS, 266–268
    private, 275–277
ZRS (zone redundant storage), 68
