Manage Azure Identities and Governance

Manage Azure Identities and Governance Detailed Explanation

1. Manage Azure Active Directory (Azure AD) Identities

1.1 Users

1.1.1 Create, update, delete users in Azure AD

Create users:
You can create users using the Azure portal, Azure CLI, PowerShell, or via synchronization from an on-premises Active Directory.
- Required fields include username, display name, password, usage location, and optionally a directory role.
- Portal steps:
  1. Go to Azure Active Directory > Users > New user
  2. Fill in user details
  3. Click Create
Update users:
You can edit user attributes such as name, contact info, job title, group memberships, or roles.
Delete users:
Deleted users go to the “Deleted users” container and remain recoverable for 30 days (soft delete period).

1.1.2 Assign user roles (e.g., User, Global Administrator)

Azure AD roles control administrative privileges.
Common roles:
- Global Administrator: Full permissions in Azure AD
- User Administrator: Can manage users and groups
- Billing Administrator: Can manage subscriptions and billing
How to assign a role:
1. Go to Azure Active Directory > Users > Select the user
2. Click Assigned roles > Add assignment
3. Choose a role, click Add

1.1.3 Reset passwords manually and via self-service password reset (SSPR)

Manual reset by Admin:
- Done via Azure portal when a user forgets a password.
Self-Service Password Reset (SSPR):
- Allows users to reset their own passwords after verifying their identity.
- To enable SSPR:
  1. Go to Azure AD > Password reset
  2. Enable for all or selected users
  3. Configure authentication methods (email, phone, questions)

1.2 Groups

1.2.1 Create security and Microsoft 365 groups

Security groups: Manage access to Azure resources
Microsoft 365 groups: Include shared mailbox, calendar, files (collaboration features)
Create a group via portal:
1. Navigate to Azure AD > Groups > New group
2. Choose:
  - Group type (Security / Microsoft 365)
  - Group name
  - Membership type (Assigned, Dynamic)
3. Click Create

1.2.2 Manage group memberships (static and dynamic)

Assigned membership:
- Admins manually add/remove users or devices.
Dynamic membership:
- Use rules based on user/device attributes to auto-assign membership.
- Example rule: user.department -eq "Finance" adds all Finance users to the group.

1.2.3 Configure group-based licensing

Assign licenses (e.g., Microsoft 365, Azure AD Premium) to a group.
Azure automatically adds/removes licenses as users enter or exit the group.
Steps:
1. Go to Azure AD > Groups > Select group
2. Click Licenses > Assignments
3. Select and assign product licenses

1.3 Devices

1.3.1 Register and join devices to Azure AD

Azure AD registered:
- Personal, user-owned devices (usually mobile or BYOD).
Azure AD joined:
- Organization-owned, directly joined to Azure AD and managed.
Hybrid Azure AD joined:
- On-prem Active Directory devices that are also registered with Azure AD for hybrid environments.

1.3.2 Manage device identities and access

View and manage devices under Azure AD > Devices.
You can:
- Enable/disable a device
- Delete stale devices
- Configure device compliance policies
- Require MFA for device join
- Apply Conditional Access policies (e.g., only compliant devices can access Teams or SharePoint)

1.4 Administrative Units (AUs)

1.4.1 What are Administrative Units?

Administrative Units (AUs)** are logical containers in Azure AD that help delegate administration of subsets of users, groups, or devices to specific admins—without granting them rights over the entire directory.

This is especially useful in large organizations, such as:

A university with different faculties
A company with multiple regional departments

1.4.2 Use cases

A Helpdesk admin in “New York” should manage only New York employees.
An IT admin in “Engineering” can reset passwords only for users in that department.

1.4.3 Key concepts

AUs contain users, groups, and devices.
You can assign scoped roles (like User Administrator) only within an AU.
A single user/device can be a member of multiple AUs.
AUs do not affect access or policies—they only control administrative boundaries.

1.4.4 Creating and managing AUs

Go to Azure AD > Administrative units > + Add.
Provide a name and description.
Add users or groups to the AU.
Assign scoped admin roles to users within that AU.

1.5 External Identities

1.5.1 What are External Identities?

Azure AD External Identities allow users outside your organization to access your Azure resources or applications securely.

This feature enables Business-to-Business (B2B) and Business-to-Consumer (B2C) collaboration.

In AZ-104, we focus on B2B guest collaboration.

1.5.2 B2B Guest Users

A B2B guest user is someone from another Azure AD tenant (or even a non-Microsoft account) who gets invited to your directory.

Key Features:

Guests use their own credentials (no need to manage their passwords).
They appear in your directory with UserType = Guest.
Access is controlled via RBAC, groups, or Conditional Access.

1.5.3 How to Invite Guest Users

You can invite guests through:

Azure Portal:
1. Go to Azure AD > Users > New guest user.
2. Enter email and optional message.
3. Assign access as needed (e.g., to groups or apps).
Microsoft Teams / SharePoint (via sharing interface)
PowerShell / B2B APIs (for bulk invitation)

1.5.4 Managing Guest Access

Use Access Reviews to periodically check if guests still need access.
Apply Conditional Access policies (e.g., require MFA for guests).
Use Terms of Use for compliance (guest users must accept policies).
Restrict invitation rights (e.g., only admins can invite guests).

1.5.5 External Collaboration Settings

Configure from:
Azure AD > External Identities > External collaboration settings

You can control:

Who can invite guests
Guest user permissions (e.g., limited access to directory)
Restrictions on domains (e.g., block certain email domains)

2. Manage Role-Based Access Control (RBAC)

RBAC (Role-Based Access Control) is the core authorization mechanism in Azure. It controls who can perform what actions on which resources.

2.1 Understand RBAC structure

2.1.1 What is RBAC?

RBAC is a permission model that allows administrators to:

Grant only the minimum required permissions to users, groups, service principals, or managed identities.
Control actions like read, write, delete on specific Azure resources.

RBAC = Security Principal + Role Definition + Scope

2.1.2 RBAC Core Concepts

Security Principal: The identity receiving permissions.
- Examples: A user, a group, a service principal (for apps), or a managed identity.
Role Definition: A set of permissions grouped into a role.
- Examples: Reader, Contributor, Owner, or a custom role.
Scope: The level at which permissions apply.
- Management group
- Subscription
- Resource group
- Resource

Scopes are hierarchical:
Assigning a role at the subscription level means all resource groups and resources under that subscription inherit the role.

2.1.3 Common Built-in Roles

Role	Description
Owner	Full access to everything, including RBAC
Contributor	Full access to manage resources, but can’t assign roles
Reader	Read-only access to resources
User Access Administrator	Can manage RBAC assignments, but not resources themselves

2.2 Assign roles

2.2.1 How to assign a role

You can assign roles using:

Azure Portal
Azure CLI
Azure PowerShell
ARM templates

2.2.2 Assign a role in the Azure Portal

Navigate to the resource, resource group, or subscription.
Click Access control (IAM) in the left menu.
Click the Role assignments tab, then click + Add > Add role assignment.
Select:
- Role (e.g., Reader)
- User, group, or service principal
- Scope
Click Save.

2.2.3 Assign a role using Azure CLI

Example:

az role assignment create --assignee <userEmailOrObjectId> \
  --role "Contributor" \
  --scope "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>"

2.2.4 Scoping Best Practices

Assign roles at the lowest possible scope needed.
- Prefer assigning at resource or resource group level, not entire subscriptions.
Use groups instead of assigning roles to individuals.
Regularly review and audit role assignments.

2.3 Custom roles

2.3.1 What are Custom Roles?

If no built-in role matches your exact needs, you can define your own custom role.

A custom role is defined in a JSON file and includes:

Allowed Actions
Optional NotActions
AssignableScopes where the role is valid

2.3.2 Example: Custom Read-Only Role for Storage

{
  "Name": "Storage Read Only",
  "IsCustom": true,
  "Description": "Can read storage accounts.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  ]
}

You can create this custom role using PowerShell or Azure CLI.

2.3.3 Best Practices

Follow the Principle of Least Privilege: grant only the minimum permissions required.
Avoid assigning Owner role unless absolutely necessary.
Perform regular audits using:
- Azure Activity Logs
- Access Reviews (if using Azure AD Premium P2)

3. Manage Subscriptions and Governance

Azure provides tools to help you organize resources, manage access, enforce policies, and control costs across your environment. This section explains how.

3.1 Azure Subscriptions

3.1.1 Create and manage subscriptions

A subscription is an agreement with Microsoft to use Azure services, tied to a billing account.
Each subscription has:
- Unique ID
- Billing scope
- Quota limits (number of VMs, storage capacity, etc.)

You can have multiple subscriptions for:

Different departments or projects
Separation of environments (Dev/Test/Prod)
Different billing or regulatory needs

Subscriptions can be created through:

Azure portal (by billing administrator)
Microsoft 365 admin center (if using Microsoft Customer Agreement)
Azure CLI / PowerShell for enterprise accounts

3.1.2 Assign users to subscription roles

Roles like Owner, Contributor, or Reader can be assigned at the subscription level to control who can manage resources within that subscription.

Example: Assign the “Contributor” role to the DevOps team at the subscription level so they can manage all resources inside it.

3.1.3 Rename, move, or cancel subscriptions

You can rename subscriptions for clarity (e.g., "Marketing Dev Subscription").
Move resources between subscriptions if needed (must meet move conditions).
Cancel subscriptions if they are no longer needed (possible through the portal or billing portal).

3.2 Management Groups

3.2.1 What are Management Groups?

Management groups help you organize multiple Azure subscriptions into a hierarchy.

Use cases:

Apply policies across many subscriptions
Group subscriptions by department, region, or environment
Apply RBAC and Azure Policy at the management group level

Each management group:

Can contain subscriptions or other management groups
Can have RBAC and policies applied, inherited by children
Is structured in a tree format

3.2.2 Example structure

Root Management Group
├── CorpGroup
│   ├── Sub-Marketing
│   └── Sub-Sales
├── DevGroup
│   └── Sub-DevOps

3.2.3 Key Points

You must be assigned the Management Group Contributor or Owner role to create and manage them.
Use them to apply governance at scale.
The root management group is created automatically for each tenant (can be renamed).

3.3 Tags

3.3.1 What are Tags?

Tags are key-value pairs used to label and organize Azure resources for:

Cost management
Automation
Resource organization

Example:

Environment = Production
Department = Finance
Owner = John.Doe

3.3.2 How to apply tags

You can apply tags:

When creating a resource
After deployment using the portal, CLI, or PowerShell
Automatically using Azure Policy

3.3.3 Best Practices

Use consistent naming standards
Use automation tools like Azure Policy to enforce tag requirements
Use tag-based billing reports in Cost Management

3.4 Resource Locks

3.4.1 What are resource locks?

Resource locks prevent accidental deletion or modification of resources.

There are two types:

ReadOnly: Can view but cannot update or delete.
CanNotDelete: Can update but not delete.

3.4.2 Use cases

Protect critical production resources (e.g., databases or storage accounts).
Prevent developers from deleting shared infrastructure by mistake.

3.4.3 How to apply a lock

Go to the resource or resource group.
Click Locks in the left menu.
Click + Add, choose the type, and provide a name.

3.5 Azure Policy

3.5.1 What is Azure Policy?

Azure Policy is a governance tool that helps you enforce rules and effects over your Azure resources, ensuring they comply with your organization’s standards.

It allows you to:

Control what can or cannot be deployed
Audit existing resources for non-compliance
Automatically remediate non-compliant resources

3.5.2 Key Terms

Term	Description
Policy definition	A rule stating what is allowed or denied (e.g., only specific VM sizes allowed)
Policy assignment	Attaches a policy to a scope (resource group, subscription, etc.)
Parameters	Values you can input when assigning a policy (e.g., allowed regions)
Initiative	A collection of policies grouped together under one assignment

3.5.3 Common Policy Examples

Allow only specific Azure regions.
Enforce tagging rules (e.g., every resource must have Department tag).
Audit usage of public IPs.
Deny certain VM SKUs or storage SKUs.

3.5.4 How to assign a policy

Go to Azure Policy in the portal.
Select Definitions to view built-in policies.
Choose a policy and click Assign.
Select a scope (subscription, resource group, etc.).
Configure parameters (if applicable).
Click Review + Create.

3.5.5 Azure Policy Effects

When defining a policy, you choose its effect, such as:

Deny – prevents resource creation or changes
Audit – logs non-compliant resources but doesn’t block them
DeployIfNotExists – deploys a resource if it doesn't exist
Modify – changes the resource configuration automatically

3.6 Azure Blueprints

3.6.1 What are Azure Blueprints?

Azure Blueprints are used to package and deploy a set of governance components together in one reusable bundle.

A blueprint may include:

Resource groups
Role assignments
Policy assignments
ARM templates

They’re ideal for:

Setting up standardized environments
Enforcing compliance across multiple subscriptions

3.6.2 Use cases

Deploy a production environment with:
- NSG policies
- Audit policies
- Specific tags
- Contributor access for operations team
Create templates for new departments or projects

3.6.3 How it works

Create a blueprint: Define what resources, policies, and RBAC should be included.
Publish the blueprint definition.
Assign it to a subscription or management group.

Once assigned, Azure enforces the blueprint and tracks compliance.

3.7 Cost Management

3.7.1 View and analyze spending

Azure Cost Management + Billing helps you:

Track spending over time
Break down costs by subscription, resource group, service
Export data to Excel or Power BI

Tip: Tag resources by department or project for tag-based cost tracking.

3.7.2 Set budgets and alerts

You can define budgets for:

Subscriptions
Resource groups
Tags (e.g., Environment = Dev)

Then set alerts to notify stakeholders when spending hits:

50%
75%
100% of the budget

3.7.3 Use Cost Analysis and Azure Advisor

Cost Analysis: Visualize and explore spending by category.
Azure Advisor: Offers cost-saving recommendations, such as:
- Rightsizing VMs
- Deleting unused disks
- Reserving resources for predictable workloads

Manage Azure Identities and Governance (Additional Content)

1. User Management Enhancements

1.1 Enforcing Multi-Factor Authentication (MFA)

Azure now enforces MFA by default for all users under security defaults.

Security Defaults: A set of preconfigured identity security settings (including mandatory MFA) applied automatically in new tenants unless explicitly disabled.
Users will be prompted for MFA during high-risk sign-ins or after registration.
You can configure Conditional Access policies for granular MFA enforcement beyond defaults.

Exam Tip: Know how to enable/disable security defaults and how to enforce MFA using Conditional Access.

1.2 Cloud-Only vs Synced Users

Cloud-only users are created and managed directly in Azure AD.
Synced users come from on-premises Active Directory via Azure AD Connect.

Key limitations for synced users:

Cannot change user properties like UPN or password in Azure AD (must do it on-prem).
Cannot enable SSPR independently in some configurations.
Cannot be deleted in Azure unless Azure AD Connect is removed or writeback is enabled.

Exam Tip: Know which attributes are read-only for synced users and where changes must be made.

2. SSPR (Self-Service Password Reset)

2.1 Relationship Between SSPR and MFA

SSPR and MFA can use the same authentication methods, such as:
- Phone call
- Mobile app notification
- Email
If a user has completed MFA registration, they do not need to register separately for SSPR.
Admins should review combined registration settings to simplify user experience.

Exam Tip: Understand that enabling MFA improves SSPR success rates, but the two are configured separately.

2.2 Licensing Requirement for SSPR

SSPR for cloud-only users requires Azure AD Premium P1.
Without Premium P1:
- Users can’t use SSPR unless they are administrators.
- Only admins can reset passwords using Azure portal.

Exam Tip: Licensing is a commonly overlooked detail. Know which features require P1 vs P2.

3. RBAC Misconceptions

3.1 Contributor Role Can’t Grant Access

The Contributor role allows full management of resources but NOT role assignments.
Only Owner or User Access Administrator can assign RBAC roles.

Exam Trap: "Can a Contributor assign roles?" → No.

3.2 User Access Administrator – Permissions

Can assign or remove access (RBAC) but cannot modify resources themselves.
Scope-limited: can only assign roles within the scope they are granted.

3.3 Azure AD Roles vs Azure RBAC

Azure AD Role	Scope	Example
Applies to Azure AD (identity layer)	Tenant-wide	User Administrator, Global Admin
Azure RBAC Role	Applies to Azure resources	Scoped to resource, group, or subscription

Exam Tip: Don't confuse a Global Admin (Azure AD) with Owner (Azure RBAC)—they have no cross-over unless explicitly granted.

4. Azure Policy vs Azure Blueprints

4.1 Key Differences

Feature	Azure Policy	Azure Blueprints
Purpose	Enforce compliance rules on resources	Deploy collections of artifacts (policy, RBAC, templates)
Granularity	Fine-grained	High-level bundles
Use case	Day-to-day governance	New subscription setup

4.2 Blueprint Status

Blueprints are in "maintenance mode", meaning no new features will be added.
Microsoft recommends using:
- Azure Landing Zones
- Azure Policy + Bicep/ARM templates instead

Exam Tip: You should know that Blueprints are being deprecated in practice, even if still mentioned in legacy content.

5. Azure Cost Management Tools

5.1 Azure Advisor

Advisor provides recommendations in four major areas:

High Availability
Security
Performance
Cost Optimization

Examples:

Resize or shut down underused VMs
Move workloads to reserved instances
Enable backup for critical resources

Exam Tip: Know that Advisor is not a monitoring tool but a recommendation engine.

5.2 Cost Alerts and Budgets

You can define budgets and create alerts when usage crosses thresholds (e.g., 50%, 90%).
However, alerts do not block spending or resource creation.

To enforce spending controls, combine budgets with Azure Policy, such as:

{
  "if": {
    "field": "Microsoft.Resources/subscriptions/billingAmount",
    "greaterThan": 1000
  },
  "then": {
    "effect": "deny"
  }
}

Exam Tip: Budget alerts are advisory only. Only Policy can enforce hard limits.

Shopping cart

Subtotal:

AZ-104 Manage Azure Identities and Governance

Detailed list of AZ-104 knowledge points