
Managing Resources, Policies and Resource Groups:

A resource in Azure is a single service instance, which can be a virtual machine, a
virtual network, a storage account, or any other Azure service.
Resource groups are logical groupings of resources (those single-service instances).
Each resource in Azure can only exist in one resource group, and resource groups
cannot be renamed. There are no limitations to the types of resources that can be
logically contained within a resource group, and there are no limitations on the
regions in which resources must reside when in a resource group.
Azure Policy is an Azure service that can be used to create, assign, and manage
policies that enforce governance in your Azure environment. To implement Policy, a
Policy definition must first be authored. That Policy definition is then assigned a
specific scope using a Policy assignment. Recall that scope refers to what your policy
is assigned to; the valid scopes are a management group, a subscription, a resource
group, or a resource.
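Added example (my own code, not from these notes or from Microsoft): a Policy definition in the if/then JSON shape Azure Policy uses, plus a small local simulation of what assigning it at a scope does. The CostCenter tag name, the subscription ID and the resource group names are assumptions.

```python
# Constructed policy definition in the if/then shape Azure Policy uses: deny
# any resource that is created without a "CostCenter" tag. The tag name,
# the subscription ID and the resource group names below are made up.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Require CostCenter tag on resources",
        "mode": "Indexed",
        "policyRule": {
            "if": {"field": "tags['CostCenter']", "exists": "false"},
            "then": {"effect": "deny"},
        },
    }
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# An assignment binds the definition to a scope (here one resource group);
# every request whose resource ID lives under that scope is evaluated.
POLICY_ASSIGNMENT = {"definition": POLICY_DEFINITION, "scope": SUB + "/resourceGroups/rg-prod"}

# Constructed resource requests as Resource Manager would see them.
SAMPLE_RESOURCES = [
    {"id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/st1", "tags": {}},
    {"id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1", "tags": {"CostCenter": "1234"}},
    {"id": SUB + "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm2", "tags": {}},
]


def in_scope(resource_id: str, scope: str) -> bool:
    """True when the resource is the scope itself or nested beneath it."""
    rid, scp = resource_id.lower(), scope.lower().rstrip("/")
    return rid == scp or rid.startswith(scp + "/")


def evaluate(resource: dict, assignment: dict) -> str:
    """Return 'deny', 'allow' or 'out-of-scope' for one resource request.
    Only the tags['name'] + exists condition is implemented: this is a local
    simulation of the rule, not the Azure Policy engine."""
    if not in_scope(resource["id"], assignment["scope"]):
        return "out-of-scope"
    rule = assignment["definition"]["properties"]["policyRule"]
    tag = rule["if"]["field"][len("tags['"):-len("']")]
    present = tag in resource.get("tags", {})
    # exists: "false" means the condition holds when the tag is absent
    fires = present == (rule["if"]["exists"] == "true")
    return rule["then"]["effect"] if fires else "allow"
```

The third sample resource sits in rg-dev, outside the assignment's scope, so the policy never evaluates it; assigning at the subscription would change that.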
Azure resource locks (sometimes called management locks) are used to prevent the
accidental deletion or modification of resources. There are two types of locks:
• CanNotDelete: the lock prevents the deletion of a resource.
• ReadOnly: the lock prevents users from modifying a resource (reading is still allowed).
Resource tags allow you to apply custom metadata to your Azure resources to
logically organize them and to build out custom taxonomies. A tag is a name-value
pair.
Tags must be applied at the resource scope to be visible in detailed usage exports.
Tags applied at the resource group scope are not inherited by child resources. This
means that as you are applying tags to your resources in Azure, you should think
about applying tags to each resource to have the clearest line of sight into your
usage based on your organizational tags.
Some resources in Azure can be moved between resource groups and even across
subscriptions, but support for move operations varies based on the service. During a
move operation, your resources will be locked. Both write and delete operations to
the Azure resource will be blocked, but the underlying service will continue to
function. To move resources between subscriptions, both subscriptions must be
associated with the same Azure AD tenant. A single move operation in Resource
Manager cannot move more than 800 resources. If the resource you are moving has
any dependent resources, the resources must all be located within the same
resource group, and they must all be moved together.
You can validate a move operation through the REST API with the
validateMoveResources method without actually performing the move.
This API validates whether resources can be moved from one resource group to
another resource group. If validation succeeds, an HTTP 204 will be returned, and if it
fails, an HTTP 409 with an error message will be returned in the response.
Deleting a resource group removes all the resources contained within it in one
operation. When deleting resource groups, exercise caution because the resource
group might contain resources that other resources you have deployed depend on.

Manage Azure Subscriptions


Assigning administrator permissions
Azure has many different roles for managing access to Azure resources. These
include classic subscription administrative roles like Account Administrator, Service
Administrator, or Co-Administrator, as well as Azure role-based access control
(RBAC), which is available in Azure Resource Manager (ARM).
By default, the account that is used to sign up for an Azure subscription is
automatically set as both the Account Administrator and the Service Administrator.
There can be only one Account Administrator per account and one Service
Administrator per subscription. Once the subscription has been created, more Co-
Administrators can be added. The Co-Administrator has the same level of access as
the Service Administrator but cannot change the association of subscriptions to
Azure directories. There can be up to 200 Co-Administrators per subscription.
RBAC: Azure RBAC roles are more flexible than classic administrator roles and allow
for more fine-grained access management. Azure RBAC has more than 70 built-in
roles, but there are four foundational roles:
• Owner
• Contributor
• Reader
• User Access Administrator

Configure cost management


In Azure, there are several types of quotas that are applicable to subscriptions,
including resource quotas and spending quotas.
With Azure resource quotas (or limits), Azure administrators can view the current
consumption and usage of resources within an Azure subscription and understand
how that consumption can be affected by Azure resource limits.
Spending quotas allow administrators to set alerts within an Azure subscription by
configuring budgets to inform the business when their Azure spending has hit a
certain threshold.
Tags in Azure Resource Manager allow consumers of Azure to logically categorize
Azure resource groups and Azure resources. For example, in organizations where an
Azure subscription is shared by multiple business units or departments, there might
be a need to understand how resources are used for individual departments and
show the cost associated with each department, either to bill that department for
their Azure consumption (chargeback) or to help that department understand their
spend in Azure (showback).
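Added example serving both the chargeback/showback paragraph above and the earlier note that tags applied at resource-group scope are not inherited into usage exports (my own code, not the notes' or Microsoft's): it books a constructed usage export to departments by tag and lists the resources whose cost cannot be attributed. The CSV columns, resource names and tag values are simplified assumptions.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed, simplified usage export (a real detailed usage export has many
# more columns). The Tags column holds the resource's *own* tags as JSON;
# tags set on the resource group never appear in it.
USAGE_CSV = """ResourceId,Cost,Tags
/subscriptions/sub1/resourceGroups/rg-sales/providers/Microsoft.Compute/virtualMachines/vm1,120.50,"{""Department"": ""Sales""}"
/subscriptions/sub1/resourceGroups/rg-sales/providers/Microsoft.Storage/storageAccounts/st1,15.25,"{}"
/subscriptions/sub1/resourceGroups/rg-eng/providers/Microsoft.Compute/virtualMachines/vm2,300.00,"{""Department"": ""Engineering""}"
/subscriptions/sub1/resourceGroups/rg-eng/providers/Microsoft.Network/virtualNetworks/vnet1,0.00,"{}"
"""

# Tags applied at resource-group scope (constructed). They are listed only to
# show which untagged rows *would* have been attributable had the tag been
# applied at resource scope as well.
RESOURCE_GROUP_TAGS = {
    "rg-sales": {"Department": "Sales"},
    "rg-eng": {"Department": "Engineering"},
}


def _rows(usage_csv: str):
    for row in csv.DictReader(io.StringIO(usage_csv)):
        row["tags"] = json.loads(row["Tags"] or "{}")
        yield row


def chargeback(usage_csv: str, tag_name: str) -> dict:
    """Cost per tag value; rows missing the tag are booked to 'untagged'
    so the showback gap is visible rather than silently dropped."""
    totals = defaultdict(float)
    for row in _rows(usage_csv):
        totals[row["tags"].get(tag_name, "untagged")] += float(row["Cost"])
    return dict(totals)


def untagged_resources(usage_csv: str, tag_name: str) -> list:
    """(resource ID, tag value on its resource group) for rows lacking the
    tag: the fix is to apply the tag to each of these resources."""
    gaps = []
    for row in _rows(usage_csv):
        if tag_name not in row["tags"]:
            rg = row["ResourceId"].split("/resourceGroups/")[1].split("/")[0]
            gaps.append((row["ResourceId"], RESOURCE_GROUP_TAGS.get(rg, {}).get(tag_name)))
    return gaps
```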
Users must have at least read access (Reader rights) to a subscription to view
budgets and must have Contributor (or higher) rights to create and manage budgets.
There are also specialized roles that can be used to grant principals access to Cost
Management data including Cost Management Contributor and Cost Management
Reader.

Managing Storage:
An Azure Storage account is an entity you create that is used to store Azure Storage
data objects such as blobs, files, queues, tables, and disks. Data in an Azure Storage
account is durable and highly available, secure, massively scalable, and accessible
from anywhere in the world over HTTP or HTTPS.
The storage firewall allows you to limit access to specific IP addresses or an IP
address range. It applies to all storage account services (blobs, tables, queues, and
files). The storage firewall includes an option to allow access from trusted Microsoft
services. These services include Azure Backup, Azure Site Recovery, and Azure
Networking. When creating a storage firewall, you must use public Internet IP
address space. You cannot use IPs in the private IP address space.
Virtual network service endpoints for your Azure Storage accounts allow you to
remove access from the public Internet and only allow traffic from a virtual network,
for improved security.
Azure Storage offers the following services:
• Blobs: store arbitrary data objects such as text or binary data.
• Tables: a NoSQL-style store for structured data. Unlike a relational database
• Queues: provide reliable message queueing between application components.
• Files: file shares that can be used by Azure VMs or on-premises servers.
• Disks: storage volumes for Azure VMs, attached as virtual hard disks.
Access tiers: Azure Blob Storage supports three access tiers: Hot, Cool, and Archive.
Shared Access Signature (SAS) token: A SAS is a secure way to grant limited access to
the resources in your storage account to the external world (clients, apps) without
compromising your account keys.
Managing access keys in Azure Key Vault: It is important to protect the storage
account access keys because they provide full access to the storage account. Azure
Key Vault helps safeguard cryptographic keys and secrets used by cloud applications
and services, such as authentication keys, storage account keys, data encryption
keys, and certificate private keys.

Manage Azure Subscriptions:


After purchasing a subscription, an ORGid (an account ID) will be created. The ORGid
is owned by the Account Admin, who has control over the subscriptions and can also
deploy services in each subscription.
Azure accounts have 3 main roles. Every role has a different permission level.

• Owner
• Contributor
• Reader
• User Access Administrator
We can assign these roles to management groups, subscriptions, resource groups, apps, and
also individual users. A maximum of 2000 roles can be allocated to each subscription.
Azure Active Directory → Tenant Subscriptions → Resource Groups → Resources
In Active Directory, when creating roles, there are 3 roles:

• User (Viewer)
• Global Admin (full control over everything)
• Limited Admin (different types of admins such as Auth admin, App admin, Exchange
admin, etc.)
Cost Centre and Tagging: (The word "limits" is used in the name of quotas.)
There are service (AD, app service etc) specific limits using the Azure Resource Manager.

• Resource: A manageable item that is available in Azure (VM, storage, network, etc.)
• Resource Group: A container in Azure that holds multiple resources.
• Resource Provider: A service that supplies Azure resources.
• Resource Manager template: A JSON file that defines the resources to deploy in a resource
group or a subscription.
Tags: Metadata for organising and categorising cloud-based resources. We can use tags in
Resource management, Automation and Accounting. Azure supports 15 tags per RG.

We can apply tags while creating resources or to an existing resource. Tags are only
supported for resources deployed using the Resource Manager deployment model.

Subscription Policies: Policies can use ARM and resource groups, or Azure Service
Management, which is called the classic deployment model.

Resource Utilization and Consumption:

Tenant Logs: activities on services outside the subscription, such as Azure AD logs.
Resource Logs: activities on services within the subscription, such as VMs, NSGs, and storage accounts.
Azure Monitor is a service in Azure that provides performance and availability monitoring
for applications and services in Azure, other cloud environments, or on-premises. It collects
data from multiple sources into a common data platform where it can be analyzed for
trends and anomalies.
Log Analytics: a tool in the Azure portal. Use it to edit and run log queries and
interactively analyse their results.
Log Analytics workspaces: Azure Monitor Logs stores the data that it collects in one or
more Log Analytics workspaces. You must create at least one workspace to use Azure
Monitor Logs.
Log queries: Data is retrieved from a Log Analytics workspace through a log query, which is a
read-only request to process data and return results. Log queries are written in Kusto Query
Language (KQL). KQL is the same query language that Azure Data Explorer uses.
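Added example (my own code, not from the notes or from Microsoft): the kind of check a defender runs over exported Activity log records, flagging successful lock removals and resource group deletions, and the two happening in sequence by one caller. The events are constructed, keep only a subset of the real event fields, and use made-up callers, names and a "SUB" subscription placeholder.

```python
import json
from datetime import datetime, timedelta

# Constructed Activity log events, one JSON object per line as exported from
# Azure Monitor. Only a subset of the real event fields is kept; the caller
# names, the "SUB" subscription placeholder and resource names are made up.
ACTIVITY_LOG = """\
{"eventTimestamp": "2024-01-10T09:00:00Z", "operationName": "Microsoft.Authorization/locks/delete", "status": "Succeeded", "caller": "alice@contoso.example", "resourceId": "/subscriptions/SUB/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/no-delete"}
{"eventTimestamp": "2024-01-10T09:05:00Z", "operationName": "Microsoft.Resources/subscriptions/resourceGroups/delete", "status": "Succeeded", "caller": "alice@contoso.example", "resourceId": "/subscriptions/SUB/resourceGroups/rg-prod"}
{"eventTimestamp": "2024-01-10T09:30:00Z", "operationName": "Microsoft.Authorization/locks/delete", "status": "Failed", "caller": "bob@contoso.example", "resourceId": "/subscriptions/SUB/resourceGroups/rg-data/providers/Microsoft.Authorization/locks/no-delete"}
{"eventTimestamp": "2024-01-10T10:00:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded", "caller": "bob@contoso.example", "resourceId": "/subscriptions/SUB/resourceGroups/rg-data/providers/Microsoft.Compute/virtualMachines/vm1"}
"""

# Operations that undo a protection described in these notes.
LOCK_DELETE = "microsoft.authorization/locks/delete"
RG_DELETE = "microsoft.resources/subscriptions/resourcegroups/delete"
WATCHED = {LOCK_DELETE: "resource lock removed", RG_DELETE: "resource group deleted"}


def parse_events(raw: str) -> list:
    """Parse JSON lines and sort by time (fromisoformat rejects 'Z' before 3.11)."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["eventTimestamp"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def resource_group_of(resource_id: str) -> str:
    return resource_id.split("/resourceGroups/")[1].split("/")[0].lower()


def risky_events(events: list) -> list:
    """(caller, description, resourceId) for each *succeeded* watched operation;
    'Started' and 'Failed' records for the same operation are ignored."""
    return [(e["caller"], WATCHED[e["operationName"].lower()], e["resourceId"])
            for e in events
            if e["operationName"].lower() in WATCHED and e["status"] == "Succeeded"]


def lock_removed_then_group_deleted(events: list, window_minutes: int = 30) -> list:
    """Callers who removed a lock and then deleted the same resource group
    within the window: the sequence a CanNotDelete lock exists to interrupt."""
    hits, unlocks, window = [], {}, timedelta(minutes=window_minutes)
    for e in (e for e in events if e["status"] == "Succeeded"):
        op, key = e["operationName"].lower(), (e["caller"], resource_group_of(e["resourceId"]))
        if op == LOCK_DELETE:
            unlocks[key] = e["ts"]
        elif op == RG_DELETE and key in unlocks and e["ts"] - unlocks[key] <= window:
            hits.append(key)
    return hits
```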

Azure Advisor: It is a personalized cloud consultant that helps you follow best practices to
optimize your Azure deployments. It analyses your resource configuration and usage
telemetry and then recommends solutions that can help you improve the cost effectiveness,
performance, Reliability (formerly called High availability), and security of your Azure
resources.
The Advisor dashboard displays personalized recommendations for all your subscriptions.
You can apply filters to display recommendations for specific subscriptions and resource
types. The recommendations are divided into five categories:

Reliability (formerly called High Availability): To ensure and improve the continuity of your
business-critical applications.
Security: To detect threats and vulnerabilities that might lead to security breaches.
Performance: To improve the speed of your applications.
Cost: To optimize and reduce your overall Azure spending.
Operational Excellence: To help you achieve process and workflow efficiency, resource
manageability and deployment best practices.
AD Roles:
• Create users and groups
• Manage user and group properties
• Manage device settings
• Perform bulk user updates
• Manage guest accounts
• Configure Azure AD Join
• Configure self-service password reset
Manage Subscription and Governance:
• Configure Azure Policies
• Configure resource locks
• Apply and manage tags on resources
• Create and manage resource groups
• Manage Azure Subscriptions
• Configure management groups
• Configure cost management
