Summary
Highlights
This video is an updated study cram for the AZ-104 Administrator Associate certification, replacing a previous version that gained over a million views. The content covers essential Azure administration topics, with links to specific sections, study guides, and Microsoft Learn modules in the description. The speaker encourages hands-on practice using applied skills and labs available in self-paced learning modules, emphasizing that the exam focuses on practical application through the portal, CLI, and templates.
Entra ID is Microsoft's cloud identity provider, using protocols like OAuth2, OpenID Connect, SAML, and WS-Fed for internet-based authentication and authorization. Unlike on-premise Active Directory, Entra ID is primarily flat and lacks organizational units, using administrative units for granular delegation. Synchronization from on-premise Active Directory Domain Services (AD DS) to Entra ID is one-way, facilitated by Entra Connect Sync (on-premise engine) or Entra Connect Cloud Sync (cloud-based engine). Entra ID tenants can trust various applications, including Azure, Microsoft 365, and third-party SaaS apps. Tenants are global instances not tied to specific Azure subscriptions but trusted by them. Custom domains can be added and set as primary, and company branding can be configured for login experiences. Users can be cloud-native, synchronized from on-premise, or external guests (B2B collaboration). User provisioning can occur via HR systems, bulk operations (CSV import), or custom scripting. Groups (Security and Microsoft 365) are crucial for managing permissions, roles, and licenses for users and devices, supporting both assigned and dynamic memberships based on rules. Device management includes registering personal devices for known entity status and joining corporate devices for full control, both interacting directly with the Entra ID tenant. Different Entra ID licenses (Free, P1, P2, and Governance add-on) offer varying functionalities, allowing for granular assignment based on user needs, such as Conditional Access (P1) or Privileged Identity Management (P2). Self-service password reset (SSPR) is a key feature, configurable for hybrid environments with write-back capabilities. Roles, especially Global Administrator, should be restricted due to high privilege. Administrative units allow granular delegation of roles over specific users, groups, and devices within the flat Entra ID structure.
Azure operates across different clouds (Commercial, US Gov, China), each with unique Entra ID instances and regions. Resources are deployed into regions, which are divided into Availability Zones (AZs) for resiliency, spanning across different data centers with independent power, cooling, and networking. Zone-redundant resources span multiple AZs, while zonal resources exist within a specific AZ. For disaster recovery, deploying across at least two geographically distant regions is recommended. Azure pairs regions for safe deployment practices, ensuring that updates are not applied to both regions simultaneously. A subscription is where resources are deployed, not contained within an Entra ID tenant; rather, a subscription trusts a specific tenant. Management Groups provide a hierarchical structure for organizing subscriptions, allowing for the application of Role-Based Access Control (RBAC), Azure Policy, and budgets at higher levels, which are inherited by child groups and subscriptions. Cost management in Azure is consumption-based, with tools like Cost Analysis and Budgets to monitor spending and set alerts based on actual or forecasted expenses. Azure Advisor also provides cost optimization recommendations. Financial optimizations beyond resource sizing include Azure Hybrid Benefit for existing Windows Server or SQL Server licenses, Azure Reservations for specific resource commitments (one or three years), and Azure Savings Plans for compute services, offering discounts for committed spending. Tags are key-value pairs applied at resource, resource group, or subscription levels for metadata, filtering, and billing, but they are not inherited by default (though Azure Policy can enforce inheritance). Azure Policy establishes guardrails for resource creation and configuration, enforcing compliance and automating deployments (e.g., deploying agents if not present). Policies can be audit-only initially to assess impact before enforcing denial. Initiatives group multiple policies for easier assignment and compliance tracking. RBAC allows assigning specific permissions (roles) to identities (users or groups) at particular scopes (Management Group, subscription, Resource Group, or individual resource), always adhering to the principle of least privilege. Custom roles can be created for more granular permissions than built-in roles. Resource locks (CannotDelete or ReadOnly) prevent accidental deletion or modification of resources through the Azure control plane but do not affect data plane operations.
Azure networking charges for egress (data leaving Azure) but generally not for ingress. The fundamental building block is a Virtual Network (VNet), scoped to a single subscription and region, defined by one or more IPv4 CIDR ranges and optionally IPv6. VNets are divided into subnets, where five IP addresses are reserved per subnet. Subnets are regional and can span availability zones. Resources within a subnet receive private IP addresses, not directly accessible from the internet. Public IPs (standard SKU recommended) can be associated with resources for internet connectivity, but direct association is discouraged for resilience. Outbound internet access from VNets requires explicit configuration (e.g., NAT Gateway, Azure Firewall, Load Balancer rules) as implicit internet access is being retired. VNet peering connects VNets within or across regions, allowing resources to communicate using private IPs. Peering is not transitive (spokes cannot directly communicate without explicit peering or an intermediary appliance). Gateway Transit and Use Remote Gateway settings enable spokes to use a hub VNet's gateway for on-premise connectivity. Azure Virtual Network Manager (AVNM) offers centralized management of VNet configurations, including connectivity (hub-spoke or mesh) and security admin rules (allow, always allow, deny) that apply before Network Security Groups (NSGs). NSGs are stateful firewalls with ordered rules (priority, source, destination, port, action) applied to subnets or network interfaces. They support IP addresses, Service Tags for Azure services, and Application Security Groups (ASGs) for grouping NICS, allowing rule creation based on application roles rather than IPs. Azure Firewall is a managed network virtual appliance supporting Layer 4 (network) and Layer 7 (application) rules for inbound and outbound traffic. Different SKUs (Basic, Standard, Premium) offer varying performance and advanced features like TLS/SSL termination, IDPS, and URL filtering. Azure DNS provides public and private DNS capabilities. Public DNS zones can use Alias records to prevent dangling DNS entries by linking records directly to Azure resources. Private DNS zones, linked to VNets, allow for automatic registration of resources and resolution of private endpoints. Azure's default DNS server (168.63.129.16) is used by Azure resources, while the Azure Private DNS Resolver can extend private DNS resolution to on-premise networks. Hybrid connectivity to on-premise networks includes VPN Gateways (route-based recommended over policy-based) providing encrypted tunnels over the internet, and ExpressRoute for private, dedicated connections to Microsoft's global network via peering points. ExpressRoute Global Reach enables connectivity between on-premise locations over the Microsoft backbone. Azure Virtual WAN simplifies complex networking setups by centralizing VPN, ExpressRoute, and VNet connections, supporting basic (site-to-site VPN) and standard (full connectivity, secure VWAN) SKUs. User-Defined Routes (UDRs) override default VNet routing to direct traffic through specific next hops like Azure Firewall. Service endpoints allow VNets to securely access Azure PaaS services (e.g., Storage Accounts) over the Azure backbone, while Private Endpoints bring PaaS services into the VNet by giving them a private IP, enhancing security and allowing public endpoints to be disabled. Azure Bastion provides secure, browser-based RDP/SSH access to VMs without requiring public IPs, acting sensitive as a managed jump box with varying SKUs for features like VNet peering support and CLI integration. Load balancing services distribute traffic across multiple instances to ensure high availability and scalability. At the regional level, Azure Load Balancer (Layer 4 TCP/UDP) is used for basic load distribution, with a Standard SKU offering advanced features and an SLA. Application Gateway (Layer 7 HTTP/HTTPS) is for web traffic, supporting URL-based routing, SSL offloading, and Web Application Firewall (WAF) integration. Globally, Azure Traffic Manager (DNS-based) distributes traffic to different endpoints based on various routing methods (e.g., performance, weighted). Azure Front Door (Layer 7) provides a global, highly available entry point for web applications, offering caching, WAF, SSL offloading, and 'split TCP' for improved client latency.
Azure Storage accounts, residing in a specific region, offer durable persistence for various data types: Blob (block, page, append), Files (SMB/NFS shares), Table (key-value pairs), and Queue (messaging). General Purpose V2 storage accounts are most commonly used, exposing all these services. Premium storage options are service-specific (e.g., Premium Block Blob, Premium Files) and built on SSDs. Premium Files are billed based on provisioned size (for performance), not actual usage. Storage Explorer provides a GUI for interacting with storage accounts, along with command-line tools like AzCopy for efficient data transfer, including server-side asynchronous copies. Data Box is used for large-scale data migrations. Blob storage supports four access tiers (Hot, Cool, Cold, Archive), trading off capacity cost against transaction cost and access latency. Hot is for frequently accessed data (high capacity cost, low transaction cost), while Archive is for rarely accessed data (lowest capacity cost, highest transaction cost, offline access requiring rehydration). Lifecycle Management rules automate tiering and deletion based on access patterns or age. Storage account redundancy options include Locally Redundant Storage (LRS) with three copies in a single cluster, Zone Redundant Storage (ZRS) with three copies across three availability zones, Geo-Redundant Storage (GRS) with three copies in the primary region and three in a paired secondary region, and Geo-Zone Redundant Storage (GZRS) combining ZRS in the primary with LRS in the secondary. Read-Access (RA) options (RAGRS, RAGZRS) allow reading from the secondary replica. Object replication enables fine-grained, container-level replication to any other storage account, not just the paired region. Storage account security features include two access keys (for rotation) and data plane RBAC roles (e.g., Blob Data Reader) for granular access control. Shared Access Signatures (SAS) provide time-limited, granular access to resources, signed by an access key. Encryption at rest for storage accounts uses platform-managed keys by default, but customer-managed keys (CMK) can be used via Azure Key Vault. Encryption Scopes allow using different CMKs for specific containers or even individual blobs. Managed Disks abstract away underlying storage accounts and page blobs, offering various types (Standard HDD, Standard SSD, Premium SSD, Premium SSD V2, Ultra Disk) with performance tied to disk size, except for Premium SSD V2 and Ultra Disk where IOPS and throughput can be configured dynamically. Managed disks support encryption at rest using CMKs via Disk Encryption Sets, and Azure Disk Encryption (ADE) encrypts within the guest OS using BitLocker (Windows) or DM-Crypt (Linux). Encryption at Host encrypts cached files and data in transit between the VM and storage.
Resource provisioning in Azure is best done declaratively using ARM JSON templates or Azure Bicep, which allows for consistent, repeatable deployments and version control. These templates define the desired state of resources, allowing Azure to reconcile changes upon redeployment. Azure offers different levels of compute services (IaaS, PaaS, Serverless), shifting responsibility from the user (IaaS VMs requiring OS patching, antivirus, backup) to Azure (PaaS services managing the underlying infrastructure). VMs are defined by their SKU and size, offering various dimensions (CPU, memory, storage, network, GPU) to match specific workload needs for optimal cost and performance. Ephemeral OS disks can be used for stateless VMs, leveraging local host storage for cost savings and high performance. VM extensions add functionalities like custom scripts, backup agents, and disaster recovery. Azure Backup orchestrates backups for various resources into Recovery Services Vaults or Azure Backup Vaults. High availability for VMs can be achieved using Availability Sets, which spread VMs across different racks (fault domains) within a data center to protect against rack-level failures. Availability Zones offer superior protection by distributing VMs across independent physical locations within a region, isolating them from broader data center outages. Virtual Machine Scale Sets (VMSS) enable horizontal autoscaling by automatically adding or removing VM instances based on metrics like CPU usage, ensuring resources match demand. VMSS offers Uniform mode (all VMs identical) and Flexible mode (supporting mixed SKUs, spot instances, and individual VM management). Containers virtualize the operating system, sharing the host kernel for efficiency, unlike VMs which virtualize hardware. Azure Container Registry stores container images. Azure Container Instances (ACI) provide a simple, serverless way to run single containers or container groups without managing VMs. For complex container orchestration, Azure Kubernetes Service (AKS) is used, with Azure managing the control plane and users managing node pools (VMSS instances). AKS supports different networking models (Kubenet, Azure CNI, Overlay) and scaling mechanisms for pods (Horizontal Pod Autoscaler, KEDA) and nodes (Cluster Autoscaler). App Service is a PaaS offering for hosting web applications, with apps running within an App Service Plan based on shared worker nodes. Different pricing plans dictate features, scaling options (rules-based or elastic), and integration capabilities (e.g., VNet integration). Apps can be deployed through DevOps pipelines, Git, FTP, or zip files.
Azure Monitor provides comprehensive visibility into Azure resources. At the subscription level, the Activity Log records control plane operations. For individual resources, Metrics offer time-based signals (free by default), while Logs require Diagnostic Settings to be configured and sent to destinations like Azure Storage, Event Hubs, or Log Analytics Workspaces. Log Analytics Workspaces offer powerful analytics capabilities using KQL (Kusto Query Language), but logs incur ingestion and storage costs. Basic Logs offer a cheaper alternative for short-term log storage (8 days) with limited KQL features and pay-per-query. Archive storage extends log retention up to 12 years but requires search or restore jobs for access. Alerts can be configured based on Activity Log entries, metric thresholds, or KQL queries against Log Analytics data. Alert Processing Rules can then route these alerts to Action Groups (email, SMS, webhooks, functions) or suppress them under specific conditions (e.g., maintenance windows), providing a flexible and organized approach to incident response. Network Watcher is a regional service for network diagnostics, offering features like topology viewing, IP flow verification, next hop analysis, VPN troubleshooting, NSG diagnostics, and packet capture.