Professional Documents
Culture Documents
AZ-305 Part1
AZ-305 Part1
Azure Solutions
Architect Expert
AZ 104: Optional
Design identity,
Governance & Monitor
Solutions
Modules Covering :
Design for
Design for Design for
Azure
Azure policies. resource tags.
blueprints.
Governance
Different
Subscriptions
These are containers that help you manage access,
policy, and compliance across multiple subscriptions.
You can use management groups to:
A management group tree can support up to six levels of depth. This limit
doesn't include the tenant root level or the subscription level.
By default, all new subscriptions will be placed under the root management
group.
Things to consider when creating management groups
Scenario
Things to Consider
01 02 03 04 05 06 07 08
Design Keep the Consider a top- Consider an Consider a Consider a Consider a Consider
management management level organizational or geographical production sandbox isolating
groups with group hierarchy management departmental structure management management sensitive
governance in reasonably flat group structure. group. group information in a
mind separate
management
group
Design for subscriptions
Consider making
Consider Consider how you’ll
Consider network subscription owners
administrative assign Azure
topologies aware of their roles
management. policies?
and responsibilities.
Design for resource groups
• Resource Groups are logical containers into which Azure resources are
deployed and managed. These resources can include web apps,
databases, and storage accounts. You can use resource groups to:
Place Place resources of similar usage, type, or location in logical groups.
Organize Organize resources by life cycle so all the resources can be created or deleted at the same time.
Apply Apply role permissions to a group of resources or give a group access to administer a group of resources.
Use Use resource locks to protect individual resources from deletion or change.
Things to know about resource groups
Test A resource tag consists of a name-value pair. For example, env: production or env: test.
Assign You can assign one or more tags to each Azure resource, resource group, or subscription.
Add, modify, or You can add, modify, or delete resource tags. These actions can be done with PowerShell, the
delete Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal.
You can apply tags to a resource group. However, the resources in the resource group don't
Apply inherit those tags by default.
Things to consider when creating resource tags
Types
Resource tags
generally fall into
five categories
functional,
classification,
accounting,
partnership, and
purpose.
Design for Azure policy
01 02 03
Consider when Consider what Consider how Azure
Azure policy you’ll do if a policy is different
evaluates resources resource is non- from role-based
compliant access control
(RBAC).
Design for role-based access control
• RBAC allows you to grant access to Azure resources that you control.
Suppose you need to manage access to resources in Azure for the
Tailwind Trader’s development, engineering, and marketing teams.
Here are some scenarios you can implement with Azure RBAC.
How does role-based access control work?
Things to consider
Assign at the highest scope level that meets the requirements
• Only grant users the access they need
• Know when to use Azure policies. Azure policies focuses on resource properties. For example, during
deployment, a policy can ensure users can only deploy certain virtual machines in a resource group. A
combination of Azure policies and Azure RBAC can provide effective access control.
Design for Azure blueprints
• A blueprint is a package related to the implementation of Azure cloud services, security, and design. A
blueprint can be reused to maintain consistency and compliance.
• Azure Blueprints are used to scale governance practices throughout an organization.
Design authentication and
authorization solutions.
Learning objectives
1 2 3 4 5 6 7 8 9
Design for Design for Design for Design for Design for Design for Design for Design for Design for
identity and Azure Active Azure AD B2B. Azure AD B2C. conditional identity access reviews. service Azure Key Vault.
access Directory. access. protection. principals for
management. applications.
Design for identity and access management
• Azure Architects design Identity and access management (IAM) solutions. These solutions
must work for all your users, apps, and devices. There are four basic guidelines for a
strong IAM solution.
Let’s first focus on the identity solution. There are three basic choices.
Design for Azure Active Directory
• . Azure AD Business to Business (B2B) is a feature of Azure AD that enables you to securely
collaborate with external partners. Your partner users are invited as guest users. You remain in
control of what they have access to, and for how long.
• The following steps show how Azure AD B2B lets you collaborate with external partner
users. The numbers in the diagram are explained after the diagram.
Best practices for Azure AD B2B
01 02 03 04
Designate an Use conditional Enable MFA. Integrate with
application access policies to identity providers
owner to manage intelligently grant
guest users or deny access
Design for Azure Active Directory Business to Customer
• Azure AD B2C is a type of Azure AD tenant that you use to manage customer
identities and their access to your applications.
Require multifactor authentication (MFA). MFA can be used to provide a secondary authentication for accessing
certain apps. MFA can be selectively applied to certain users, like administrators, or just users coming from
external networks.
Require access to services only through approved client applications. For example, only allow users to access
Office 365 services from a mobile device if they use approved client apps, like the Outlook mobile app.
Require users to access applications only from managed devices. A managed device is a device that meets your
standards for security and compliance.
Block access from untrusted sources, such as access from unknown or unexpected locations.
Design for identity protection
• Access reviews help ensure that the right people have the right
access to the right resources. For example, access reviews could
be used to review: User Access/Memberships/Packages/Roles
Determine who will conduct the reviews
• Access reviews are only as good as the person doing the reviewing.
Selecting good reviewers is critical to your success. The creator of the
access review decides who will conduct the review. This setting can't
be changed once the review is started. Reviewers are represented by
three persons:
• Resource Owners
• A set of individually selected delegates
• End users
Design service principals for
applications
Design managed identities
Types
When to use managed identities
Resources that support system assigned managed identities allow you
to:
• Enable or disable managed identities at the resource level.
• Use RBAC roles to grant permissions.
• Review create, read, update, delete (CRUD) operations in Azure
Activity logs.
• Review sign-in activity in Azure AD sign-in logs.
System-assigned
User-assigned
Applications represented in Azure AD
There are two representations of applications in Azure AD:
• Application objects - Although there are exceptions, application objects can be
considered the definition of an application.
• Service principals - Can be considered an instance of an application. Service
principals generally reference an application object, and one application object
can be referenced by multiple service principals across directories.
Types of permissions
• Delegated permissions are used by apps that have a signed-in user present.
These permissions are provided to the application by the user so the app
can perform actions on their behalf. This doesn't give permissions to the
app, instead the user is simply allowing the app to act on their behalf using
their permissions.
• Application permissions are used by apps that run without a signed-in user
present.
Design for Azure Key Vault
Storing and handling secrets, encryption keys, and certificates directly is risky, and
every usage introduces the possibility of unintentional data exposure. Azure Key
Vault provides a secure storage area for managing all your app secrets so you can
properly encrypt your data in transit or while it's being stored.
Secrets Management
Key Management
Certificate Management
Why use Azure Key Vault?
• Restricted secret access with access policies tailored to the apps and individuals
that need them.
• Centralized secret storage, allowing required changes to happen in only one place
• Access logging and monitoring to help you understand how and when secrets are
accessed.
Keys, secrets, and certificates are protected without having to write the code
yourself and you're easily able to use them from your applications.
Key Vault allows You allow customers to own and manage their own keys, secrets, and
you to securely certificates so you can concentrate on providing the core software features. In
this way, your applications will not own the responsibility or potential liability
for your customers' tenant keys, secrets, and certificates.
access sensitive
information Your application can use keys for signing and encryption yet keeps the key
management external from your application.
from within
your You can manage credentials like passwords, access keys, and sas tokens by
storing them in Key Vault as secrets.
applications:
Manage certificates.
shared access signature
Learning
objectives
Design for
Design for Log
Azure Data
Analytics
Explorer
Design for
Azure
workbooks
and Insights
Design for Azure Monitor data sources
• Identify data sources and access method
Azure tenant logging solutions
Azure Active Directory audit logs
Supported reports
You can route Azure AD audit logs and sign-in logs to your Azure Storage account,
event hub, Azure Monitor logs, or custom solution by using this feature.
• Audit logs: The audit logs activity report gives you access to information about
changes applied to your tenant, such as users and group management, or
updates applied to your tenant’s resources.
• Sign-in logs: With the sign-in activity report, you can determine who performed
the tasks that are reported in the audit logs.
Design for Log Analytics
• Centralized
• Decentralized
• Hybrid
Design for Azure workbooks
Workbooks provide a flexible canvas for data analysis and the creation of rich visual
reports within the Azure portal. They allow you to tap into multiple data sources
from across Azure and combine them into unified interactive experiences.
• Workbooks are currently compatible with the following data sources:
• Logs
• Metrics
• Azure Resource Graph
• Alerts
• Workload Health
• Azure Resource Health
• Azure Data Explorer
Design for Azure Insights
• Analyze and address issues and problems that affect your application's health and performance.
• Improve your application's development lifecycle.
• Measure your user experience and analyze users' behavior.
• Azure Data Explorer is a fast and highly scalable data exploration service for log
and telemetry data. It helps you handle the many data streams emitted by
modern software, so you can collect, store, and analyze data.
Combine features provided by Microsoft Sentinel and Azure Monitor with Azure
Data Explorer to build a flexible and cost-optimized end-to-end monitoring
solution. Below are some examples:
• Use Azure Data Explorer for full flexibility and control in all aspects for all types of
logs in the following scenarios:
• No out of the box features provided by Microsoft Sentinel and Azure Monitor
SaaS solutions such as application trace logs.
Monitor resources for performance efficiency
Here is a list to consider ensuring you are monitoring your workloads with performance and
scalability in mind:
• Enable and capture telemetry throughout your application to build and visualize end-to-end
transaction flows for the application.
• Explore metrics from Azure services such as CPU and memory utilization, bandwidth
information, current storage utilization, and more.
• Use resource and platform logs to get information about what events occur and under which
conditions.
• For scalability, examine the metrics to determine how to provision resources dynamically and
scale with demand.
• In the collected logs and metrics identify signs that make a system or its components suddenly
become unavailable.
• Use log aggregation technology to gather information across all application components.
• Store logs and key metrics of critical components for statistical evaluation and predicting
trends.