Manage Identities in Azure
Topic Analysis
This module introduces Microsoft Entra ID (formerly Azure Active Directory). Unlike on-premises Windows AD, which relies on Kerberos, Entra ID is an Identity-as-a-Service (IDaaS) offering built for the cloud using protocols like SAML and OAuth 2.0.
Why it matters: Before you can build anything in Azure, you must define who is allowed to build it. You will learn the difference between direct assignment and dynamic groups (where users are automatically added based on properties like 'Department').
Guided Practical: Manage Entra ID
Create a New User
Navigate to Microsoft Entra ID > Users > + New user. Enter the UPN as az104-admin@yourdomain.onmicrosoft.com. Fill in the Display Name and Job Title (e.g., "IT Manager"). Auto-generate the password and save it.
Create a Dynamic Group
Go to Groups > + New group. Change Group type to Security. Change Membership type to Dynamic User. Click Add dynamic query and set the rule: jobTitle -eq "IT Manager".
Governance and Compliance
Topic Analysis
Governance ensures your cloud environment is secure and cost-effective. This module covers RBAC (Role-Based Access Control) to control what users can do, and Azure Policy to control how resources are deployed.
Guided Practical: Implement Azure Policy & RBAC
Create a Management Group
Search for Management groups. Click + Create. Name it AZ104-Governance. Move your current Subscription into this new Management Group. This allows you to apply policies to multiple subscriptions at once.
Apply an "Allowed Locations" Policy
Search for Policy. Go to Assignments > Assign policy. Set the Scope to your Subscription. Search for the built-in policy definition Allowed locations. In parameters, select only East US. Click Create.
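What this assignment will block, modelled offline as an added example (not part of the original guide, and not Azure's own code). The resources in PLAN are constructed sample data, Core-VNet's region is assumed to be East US, and Spoke-VNet uses the West US region suggested later in this guide.

```python
# Added example: offline model of the built-in "Allowed locations" rule.
# All resource names, types and regions in PLAN are constructed sample data.
ALLOWED = {"eastus"}  # the one region selected in the assignment parameters


def norm(location: str) -> str:
    """Treat 'East US' and 'eastus' as the same region (sketch assumption)."""
    return location.replace(" ", "").lower()


def evaluate(resource: dict, allowed=ALLOWED) -> str:
    """Return 'deny' if the assignment would block this deployment."""
    rtype = resource["type"].lower()
    # The definition targets resources, not resource groups; groups need the
    # separate built-in "Allowed locations for resource groups".
    if rtype == "microsoft.resources/resourcegroups":
        return "not-evaluated"
    # Exemptions: the 'global' pseudo-region and Azure AD B2C directories.
    if norm(resource["location"]) == "global":
        return "allow"
    if rtype == "microsoft.azureactivedirectory/b2cdirectories":
        return "allow"
    return "allow" if norm(resource["location"]) in allowed else "deny"


PLAN = [
    {"name": "Core-VNet", "type": "Microsoft.Network/virtualNetworks", "location": "East US"},
    {"name": "Spoke-VNet", "type": "Microsoft.Network/virtualNetworks", "location": "West US"},
    {"name": "sample-rg", "type": "Microsoft.Resources/resourceGroups", "location": "westus"},
    {"name": "sample-zone", "type": "Microsoft.Network/dnsZones", "location": "global"},
]


def denied(plan, allowed=ALLOWED):
    """Names of planned resources the assignment would reject."""
    return [r["name"] for r in plan if evaluate(r, allowed) == "deny"]


if __name__ == "__main__":
    for r in PLAN:
        print(f'{r["name"]:<12} {r["location"]:<8} -> {evaluate(r)}')
```

With only East US allowed at subscription scope, a VNet placed in West US is denied, so widen the parameter or exclude the scope before deploying anything outside East US.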
Azure Administration
Topic Analysis
While the Azure Portal (GUI) is great for learning, real-world administration uses automation. This module introduces Azure PowerShell, Azure CLI, Azure Cloud Shell, and ARM Templates/Bicep.
Guided Practical: Deploy via Cloud Shell & ARM
Launch Azure Cloud Shell
Click the >_ icon at the top right of the Azure Portal. Select Bash (for Azure CLI) and create the required storage if prompted. You now have a terminal directly in your browser.
Deploy a Resource Group via CLI
In the terminal, type the following command to deploy a resource group:
az group create --name az104-rg3-cli --location eastus
Virtual Networking
Topic Analysis
Virtual Networks (VNets) are the core foundation of Azure IaaS. You will learn about IP Addressing (CIDR blocks), Subnets, and Network Security Groups (NSGs).
Guided Practical: Build a Secure VNet
Create a VNet with Subnets
Search Virtual networks > + Create. Name it Core-VNet. Under IP Addresses, set the IPv4 address space to 10.1.0.0/16. Add two subnets: Frontend (10.1.0.0/24) and Backend (10.1.1.0/24).
Configure a Network Security Group (NSG)
Search Network security groups > + Create. Name it Frontend-NSG. Open it, go to Inbound security rules. Add a rule: Source: Any, Destination Port: 80, Protocol: TCP, Action: Allow. Associate this NSG with the Frontend subnet.
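How the Frontend-NSG decides on a flow once the default rules are taken into account, as an added example (not part of the original guide). The priority 100 and the rule name Allow-HTTP are assumptions, the sample source addresses are constructed, and the VirtualNetwork tag is simplified to Core-VNet's own address space.

```python
import ipaddress

# Added example: first-match evaluation of Frontend-NSG's inbound rules.
VNET = ipaddress.ip_network("10.1.0.0/16")      # Core-VNet address space
PROBE = ipaddress.ip_address("168.63.129.16")   # Azure health-probe source

# (priority, name, source, dest_port, protocol, action); "*" means Any.
# Priority 100 and the name Allow-HTTP are assumptions; the lab gives neither.
RULES = [
    (100, "Allow-HTTP", "*", 80, "TCP", "Allow"),
    # Default inbound rules present in every NSG:
    (65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]


def source_matches(rule_src: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":   # simplified: only this VNet's own space
        return ip in VNET
    if rule_src == "AzureLoadBalancer":
        return ip == PROBE
    return ip in ipaddress.ip_network(rule_src)


def evaluate(src_ip: str, port: int, proto: str, rules=RULES):
    """Return (action, rule name) of the lowest-numbered matching rule."""
    for _prio, name, src, dport, rproto, action in sorted(rules, key=lambda r: r[0]):
        if source_matches(src, src_ip) and dport in ("*", port) and rproto in ("*", proto):
            return action, name
    return "Deny", "no-match"


def open_to_any(rules=RULES):
    """Allow rules whose source is Any: the ones to review for exposure."""
    return [name for _p, name, src, *_rest, action in rules
            if src == "*" and action == "Allow"]


if __name__ == "__main__":
    # Constructed flows: internet HTTP, internet RDP, Backend subnet to SQL port.
    for flow in [("203.0.113.10", 80, "TCP"), ("203.0.113.10", 3389, "TCP"),
                 ("10.1.1.4", 1433, "TCP")]:
        print(flow, "->", evaluate(*flow))
```

The third flow shows that the Backend subnet reaches Frontend on every port through AllowVnetInBound; restricting east-west traffic takes an explicit deny rule with a priority below 65000.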
Intersite Connectivity
Topic Analysis
By default, resources in different VNets cannot communicate. This module teaches VNet Peering, which routes traffic between VNets via Microsoft's private backbone.
Guided Practical: Global VNet Peering
Create a Second VNet
Create another Virtual Network named Spoke-VNet in a different region (e.g., West US). Give it a non-overlapping IP space: 10.2.0.0/16.
Establish the Peering
Go to your Core-VNet. Click Peerings > + Add. Name it Core-to-Spoke. Under 'Remote virtual network', select your Spoke-VNet. Leave defaults to Allow traffic. Click Add.
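A pre-flight check of the address plan used in this lab, as an added example (not part of the original guide). It verifies that each subnet sits inside its VNet, that subnets do not collide, and that the two VNets to be peered do not overlap; BAD_PLAN is a constructed counter-example.

```python
import ipaddress
from itertools import combinations

# Added example: pre-flight check of the lab's address plan before peering.
PLAN = {
    "Core-VNet": {"space": "10.1.0.0/16",
                  "subnets": {"Frontend": "10.1.0.0/24", "Backend": "10.1.1.0/24"}},
    "Spoke-VNet": {"space": "10.2.0.0/16", "subnets": {}},
}

AZURE_RESERVED = 5  # Azure keeps the first four and the last address of a subnet


def usable_hosts(cidr: str) -> int:
    """Addresses left for workloads in an Azure subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED


def check_plan(plan: dict) -> list:
    """Return a list of problems; an empty list means the plan can be peered."""
    problems = []
    spaces = {}
    for vnet, cfg in plan.items():
        space = spaces[vnet] = ipaddress.ip_network(cfg["space"])
        subnets = {n: ipaddress.ip_network(c) for n, c in cfg["subnets"].items()}
        for name, net in subnets.items():
            if not net.subnet_of(space):
                problems.append(f"{vnet}/{name} {net} is outside {space}")
        for (a, na), (b, nb) in combinations(subnets.items(), 2):
            if na.overlaps(nb):
                problems.append(f"{vnet}: subnets {a} and {b} overlap")
    for (a, sa), (b, sb) in combinations(spaces.items(), 2):
        if sa.overlaps(sb):
            problems.append(f"{a} {sa} overlaps {b} {sb}: peering is not possible")
    return problems


# Constructed counter-example: a spoke carved out of the core's /16.
BAD_PLAN = {**PLAN, "Spoke-VNet": {"space": "10.1.128.0/17", "subnets": {}}}

if __name__ == "__main__":
    print(check_plan(PLAN))
    print(check_plan(BAD_PLAN))
    print(usable_hosts("10.1.0.0/24"))
```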
Traffic Management
Topic Analysis
This module focuses on routing and load balancing network traffic. You will learn about Azure Load Balancer (Layer 4) and Application Gateway (Layer 7 HTTP/HTTPS).
Guided Practical: Deploy a Public Load Balancer
Create the Load Balancer
Search Load balancers > + Create. Name it az104-lb. Set Type to Public and SKU to Standard. Under Frontend IP configuration, click "Add a frontend IP" and create a new Public IP address named lb-pip.
Configure Backend Pools and Rules
Once deployed, open the Load Balancer. Go to Backend pools > + Add. Add the VNets/VMs you want to balance traffic to. Next, go to Load balancing rules and create a rule for Port 80 to route traffic from the Frontend IP to the Backend Pool.
Azure Storage
Topic Analysis
Azure Storage is Microsoft's managed storage solution. This module dives into the Storage Account architecture, focusing heavily on Blobs and Azure Files.
Guided Practical: Manage Data & File Shares
Deploy a Storage Account
Search Storage accounts > + Create. Name it uniquely. Choose Standard performance and Geo-redundant storage (GRS). Create.
Map an Azure File Share
Open the Storage Account. Go to File shares > + File share. Name it corp-share. Open the share, click Connect at the top. Select the 'Windows' tab and copy the provided PowerShell script. Run this script on your local Windows PC to mount the Azure cloud drive as your local Z: drive.
Virtual Machines
Topic Analysis
VMs are the workhorse of the cloud. This module moves past simple VM creation and focuses on High Availability using Availability Zones and VM Scale Sets (VMSS).
Guided Practical: Deploy Scalable Compute
Deploy a VM Scale Set
Search Virtual machine scale sets > + Create. Name it Web-VMSS. Choose Windows Server. In the Scaling tab, set the Initial instance count to 2. Set the scaling policy to Custom.
Configure Auto-Scale Rules
In the scaling rules, set the minimum instances to 1, and maximum to 5. Set the rule to "Scale out (increase by 1)" when CPU > 75% for 10 minutes. Click Create.
Serverless & Containers
Topic Analysis
Not every application requires a full Virtual Machine. This module explores Platform-as-a-Service (PaaS) offerings like Azure App Service and Azure Container Instances (ACI).
Guided Practical: Deploy an Azure Container Instance
Create the Container
Search Container instances > + Create. Name the container az104-aci. For the Image source, select Quickstart images, and choose the mcr.microsoft.com/azuredocs/aci-helloworld image.
Configure Networking
Under the Networking tab, ensure DNS name label is set to something unique (e.g., az104-app-[yourname]). Keep port 80 open. Click Review + Create.
Data Protection
Topic Analysis
Things will fail. Data will be accidentally deleted. This module covers business continuity using Azure Backup and Azure Site Recovery.
Guided Practical: Backup a Virtual Machine
Create a Recovery Services Vault
Search Recovery Services vaults > + Create. Name it AZ104-Vault and place it in the same region as your existing Virtual Machines.
Configure the Backup Policy
Open your vault, go to + Backup under Getting Started. Select "Azure" and "Virtual Machine". Choose the Default Backup Policy (Daily backups at night, retained for 30 days). Add your VM to the policy and enable backup.
Monitoring
Topic Analysis
The final pillar of administration is maintaining health. Azure Monitor collects metrics and logs. Log Analytics Workspaces allow you to query those logs.
Guided Practical: Setup Azure Monitor Alerts
Create an Alert Rule
Search Monitor. Go to Alerts > + Create Alert Rule. Select a VM you created previously as the scope.
Configure Threshold and Actions
Choose the Signal Percentage CPU. Set the threshold logic to Greater Than 85%. In the Actions tab, create an Action Group to send an Email to your address. Click Review + Create.