Upload files to "AZ104/MicrosoftAureAdministrator/Instructions/Labs"
@@ -0,0 +1,283 @@
|
||||
---
|
||||
lab:
|
||||
title: '01 - Manage Azure Active Directory Identities'
|
||||
module: 'Module 01 - Identity'
|
||||
---
|
||||
|
||||
# Lab 01 - Manage Azure Active Directory Identities
|
||||
|
||||
# Student lab manual
|
||||
|
||||
## Lab scenario
|
||||
|
||||
In order to allow Contoso users to authenticate by using Azure AD, you have been tasked with provisioning users and group accounts. Membership of the groups should be updated automatically based on the user job titles. You also need to create a test Azure AD tenant with a test user account and grant that account limited permissions to resources in the Contoso Azure subscription.
|
||||
|
||||
## Objectives
|
||||
|
||||
In this lab, you will:
|
||||
|
||||
+ Task 1: Create and configure Azure AD users
|
||||
+ Task 2: Create Azure AD groups with assigned and dynamic membership
|
||||
+ Task 3: Create an Azure Active Directory (AD) tenant
|
||||
+ Task 4: Manage Azure AD guest users
|
||||
|
||||
## Estimated timing: 30 minutes
|
||||
|
||||
## Architecture diagram
|
||||

|
||||
|
||||
## Instructions
|
||||
|
||||
### Exercise 1
|
||||
|
||||
#### Task 1: Create and configure Azure AD users
|
||||
|
||||
In this task, you will create and configure Azure AD users.
|
||||
|
||||
>**Note**: If you have previously used the Trial license for Azure AD Premium on this Azure AD Tenant you will need a new Azure AD Tenant or perform the Task 2 after Task 3 in that new Azure AD tenant.
|
||||
|
||||
1. Sign in to the [Azure portal](https://portal.azure.com).
|
||||
|
||||
1. In the Azure portal, search for and select **Azure Active Directory**.
|
||||
|
||||
1. On the Azure Active Directory blade, scroll down to the **Manage** section, click **User settings**, and review available configuration options.
|
||||
|
||||
1. On the Azure Active Directory blade, in the **Manage** section, click **Users**, and then click your user account to display its **Profile** settings.
|
||||
|
||||
1. Click **edit**, in the **Settings** section, set **Usage location** to **United States** and click **save** to apply the change.
|
||||
|
||||
>**Note**: This is necessary in order to assign an Azure AD Premium P2 license to your user account later in this lab.
|
||||
|
||||
1. Navigate back to the **Users - All users** blade, and then click **+ New user**.
|
||||
|
||||
1. Create a new user with the following settings (leave others with their defaults):
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| User name | **az104-01a-aaduser1** |
|
||||
| Name | **az104-01a-aaduser1** |
|
||||
| Let me create the password | enabled |
|
||||
| Initial password | **Pa55w.rd124** |
|
||||
| Usage location | **United States** |
|
||||
| Job title | **Cloud Administrator** |
|
||||
| Department | **IT** |
|
||||
|
||||
>**Note**: **Copy to clipboard** the full **User Principal Name** (user name plus domain). You will need it later in this task.
|
||||
|
||||
1. In the list of users, click the newly created user account to display its blade.
|
||||
|
||||
1. Review the options available in the **Manage** section and note that you can identify the Azure AD roles assigned to the user account as well as the user account's permissions to Azure resources.
|
||||
|
||||
1. In the **Manage** section, click **Assigned roles**, then click **+ Add assignment** button and assign the **User administrator** role to **az104-01a-aaduser1**.
|
||||
|
||||
>**Note**: You also have the option of assigning Azure AD roles when provisioning a new user.
|
||||
|
||||
1. Open an **InPrivate** browser window and sign in to the [Azure portal](https://portal.azure.com) using the newly created user account. When prompted to update the password, change the password for the user.
|
||||
|
||||
>**Note**: Rather than typing the user name (including the domain name), you can paste the content of Clipboard.
|
||||
|
||||
1. In the **InPrivate** browser window, in the Azure portal, search for and select **Azure Active Directory**.
|
||||
|
||||
>**Note**: While this user account can access the Azure Active Directory tenant, it does not have any access to Azure resources. This is expected, since such access would need to be granted explicitly by using Azure Role-Based Access Control.
|
||||
|
||||
1. In the **InPrivate** browser window, on the Azure AD blade, scroll down to the **Manage** section, click **User settings**, and note that you do not have permissions to modify any configuration options.
|
||||
|
||||
1. In the **InPrivate** browser window, on the Azure AD blade, in the **Manage** section, click **Users**, and then click **+ New user**.
|
||||
|
||||
1. Create a new user with the following settings (leave others with their defaults):
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| User name | **az104-01a-aaduser2** |
|
||||
| Name | **az104-01a-aaduser2** |
|
||||
| Let me create the password | enabled |
|
||||
| Initial password | **Pa55w.rd124** |
|
||||
| Usage location | **United States** |
|
||||
| Job title | **System Administrator** |
|
||||
| Department | **IT** |
|
||||
|
||||
1. Sign out as the az104-01a-aaduser1 user from the Azure portal and close the InPrivate browser window.
|
||||
|
||||
#### Task 2: Create Azure AD groups with assigned and dynamic membership
|
||||
|
||||
In this task, you will create Azure Active Directory groups with assigned and dynamic membership.
|
||||
|
||||
1. Back in the Azure portal where you are signed in with your **user account**, navigate back to the **Overview** blade of the Azure AD tenant and, in the **Manage** section, click **Licenses**.
|
||||
|
||||
>**Note**: Azure AD Premium P1 or P2 licenses are required in order to implement dynamic groups.
|
||||
|
||||
1. In the **Manage** section, click **All products**.
|
||||
|
||||
1. Click **+ Try/Buy** and activate the free trial of Azure AD Premium P2.
|
||||
|
||||
1. Refresh the browser window to verify that the activation was successful.
|
||||
|
||||
1. From the **Licenses - All products** blade, select the **Azure Active Directory Premium P2** entry, and assign all license options of Azure AD Premium P2 to your user account and the two newly created user accounts.
|
||||
|
||||
1. In the Azure portal, navigate back to the Azure AD tenant blade and click **Groups**.
|
||||
|
||||
1. Use the **+ New group** button to create a new group with the following settings:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Group type | **Security** |
|
||||
| Group name | **IT Cloud Administrators** |
|
||||
| Group description | **Contoso IT cloud administrators** |
|
||||
| Membership type | **Dynamic User** |
|
||||
|
||||
>**Note**: If the **Membership type** drop-down list is grayed out, wait a few minutes and refresh the browser page.
|
||||
|
||||
1. Click **Add dynamic query**.
|
||||
|
||||
1. On the **Configure Rules** tab of the **Dynamic membership rules** blade, create a new rule with the following settings:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Property | **jobTitle** |
|
||||
| Operator | **Equals** |
|
||||
| Value | **Cloud Administrator** |
|
||||
|
||||
1. Save the rule and, back on the **New Group** blade, click **Create**.
|
||||
|
||||
1. Back on the **Groups - All groups** blade of the Azure AD tenant, click the **+ New group** button and create a new group with the following settings:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Group type | **Security** |
|
||||
| Group name | **IT System Administrators** |
|
||||
| Group description | **Contoso IT system administrators** |
|
||||
| Membership type | **Dynamic User** |
|
||||
|
||||
1. Click **Add dynamic query**.
|
||||
|
||||
1. On the **Configure Rules** tab of the **Dynamic membership rules** blade, create a new rule with the following settings:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Property | **jobTitle** |
|
||||
| Operator | **Equals** |
|
||||
| Value | **System Administrator** |
|
||||
|
||||
1. Save the rule and, back on the **New Group** blade, click **Create**.
|
||||
|
||||
1. Back on the **Groups - All groups** blade of the Azure AD tenant, click the **+ New group** button, and create a new group with the following settings:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Group type | **Security** |
|
||||
| Group name | **IT Lab Administrators** |
|
||||
| Group description | **Contoso IT Lab administrators** |
|
||||
| Membership type | **Assigned** |
|
||||
|
||||
1. Click **No members selected**.
|
||||
|
||||
1. From the **Add members** blade, search and select the **IT Cloud Administrators** and **IT System Administrators** groups and, back on the **New Group** blade, click **Create**.
|
||||
|
||||
1. Back on the **Groups - All groups** blade, click the entry representing the **IT Cloud Administrators** group and, on then display its **Members** blade. Verify that the **az104-01a-aaduser1** appears in the list of group members.
|
||||
|
||||
>**Note**: You might experience delays with updates of the dynamic membership groups. To expedite the update, navigate to the group blade, display its **Dynamic membership rules** blade, **Edit** the rule listed in the **Rule syntax** textbox by adding a whitespace at the end, and **Save** the change.
|
||||
|
||||
1. Navigate back to the **Groups - All groups** blade, click the entry representing the **IT System Administrators** group and, on then display its **Members** blade. Verify that the **az104-01a-aaduser2** appears in the list of group members.
|
||||
|
||||
#### Task 3: Create an Azure Active Directory (AD) tenant
|
||||
|
||||
In this task, you will create a new Azure AD tenant.
|
||||
|
||||
1. In the Azure portal, search for and select **Azure Active Directory**.
|
||||
|
||||
1. Click **Manage tenant**, and then on the next screen, click **+ Create**, and specify the following setting:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Directory type | **Azure Active Directory** |
|
||||
|
||||
1. Click **Next : Configuration**
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Organization name | **Contoso Lab** |
|
||||
| Initial domain name | any valid DNS name consisting of lower case letters and digits and starting with a letter |
|
||||
| Country/Region | **United States** |
|
||||
|
||||
> **Note**: The **Initial domain name** should not be a legitimate name that potentially matches your organization or another. The green check mark in the **Initial domain name** text box will indicate that the domain name you typed in is valid and unique.
|
||||
|
||||
1. Click **Review + create** and then click **Create**.
|
||||
|
||||
1. Display the blade of the newly created Azure AD tenant by using the **Click here to navigate to your new tenant: Contoso Lab** link or the **Directory + Subscription** button (directly to the right of the Cloud Shell button) in the Azure portal toolbar.
|
||||
|
||||
#### Task 4: Manage Azure AD guest users.
|
||||
|
||||
In this task, you will create Azure AD guest users and grant them access to resources in an Azure subscription.
|
||||
|
||||
1. In the Azure portal displaying the Contoso Lab Azure AD tenant, in the **Manage** section, click **Users**, and then click **+ New user**.
|
||||
|
||||
1. Create a new user with the following settings (leave others with their defaults):
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| User name | **az104-01b-aaduser1** |
|
||||
| Name | **az104-01b-aaduser1** |
|
||||
| Let me create the password | enabled |
|
||||
| Initial password | **Pa55w.rd124** |
|
||||
| Job title | **System Administrator** |
|
||||
| Department | **IT** |
|
||||
|
||||
1. Click on the newly created profile.
|
||||
|
||||
>**Note**: **Copy to clipboard** the full **User Principal Name** (user name plus domain). You will need it later in this task.
|
||||
|
||||
1. Switch back to your default Azure AD tenant by using the **Directory + Subscription** button (directly to the right of the Cloud Shell button) in the Azure portal toolbar.
|
||||
|
||||
1. Navigate back to the **Users - All users** blade, and then click **+ New guest user**.
|
||||
|
||||
1. Invite a new guest user with the following settings (leave others with their defaults):
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Name | **az104-01b-aaduser1** |
|
||||
| Email address | the User Principal Name you copied earlier in this task |
|
||||
| Usage location | **United States** |
|
||||
| Job title | **Lab Administrator** |
|
||||
| Department | **IT** |
|
||||
|
||||
1. Click **Invite**.
|
||||
|
||||
1. Back on the **Users - All users** blade, click the entry representing the newly created guest user account.
|
||||
|
||||
1. On the **az104-01b-aaduser1 - Profile** blade, click **Groups**.
|
||||
|
||||
1. Click **+ Add membership** and add the guest user account to the **IT Lab Administrators** group.
|
||||
|
||||
|
||||
#### Clean up resources
|
||||
|
||||
>**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not incur unexpected costs. While, in this case, there are no additional charges associated with Azure Active Directory tenants and their objects, you might want to consider removing the user accounts, the group accounts, and the Azure Active Directory tenant you created in this lab.
|
||||
|
||||
1. In the **Azure Portal** search for **Azure Active Directory** in the search bar. Within **Azure Active Directory** under **Manage** select **Licenses**. Once at **Licenses** under **Manage** select **All Products** and then select **Azure Active Directory Premium P2** item in the list. Proceed by then selecting **Licensed Users**. Select the user accounts **az104-01a-aaduser1** and **az104-01a-aaduser2** to which you assigned licenses in this lab, click **Remove license**, and, when prompted to confirm, click **OK**.
|
||||
|
||||
1. In the Azure portal, navigate to the **Users - All users** blade, click the entry representing the **az104-01b-aaduser1** guest user account, on the **az104-01b-aaduser1 - Profile** blade click **Delete**, and, when prompted to confirm, click **OK**.
|
||||
|
||||
1. Repeat the same sequence of steps to delete the remaining user accounts you created in this lab.
|
||||
|
||||
1. Navigate to the **Groups - All groups** blade, select the groups you created in this lab, click **Delete**, and, when prompted to confirm, click **OK**.
|
||||
|
||||
1. In the Azure portal, display the blade of the Contoso Lab Azure AD tenant by using the **Directory + Subscription** button (directly to the right of the Cloud Shell button) in the Azure portal toolbar.
|
||||
|
||||
1. Navigate to the **Users - All users** blade, click the entry representing the **az104-01b-aaduser1** user account, on the **az104-01b-aaduser1 - Profile** blade click **Delete**, and, when prompted to confirm, click **OK**.
|
||||
|
||||
1. Navigate to the **Contoso Lab - Overview** blade of the Contoso Lab Azure AD tenant, click **Manage tenant** and then on the next screen, click **Delete tenant**, click the **Get permission to delete Azure resources** link, on the **Properties** blade of Azure Active Directory, set **Access management for Azure resources** to **Yes** and click **Save**.
|
||||
|
||||
1. Sign out from the Azure portal and sign in back.
|
||||
|
||||
1. Navigate back to the **Delete tenant 'Contoso Lab'** blade and click **Delete**.
|
||||
|
||||
> **Note**: You will have to wait for the trial license expiration before you can delete the tenant. This does not incur any additional cost.
|
||||
|
||||
#### Review
|
||||
|
||||
In this lab, you have:
|
||||
|
||||
- Created and configured Azure AD users
|
||||
- Created Azure AD groups with assigned and dynamic membership
|
||||
- Created an Azure Active Directory (AD) tenant
|
||||
- Managed Azure AD guest users
|
||||
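Review bot: In Task 1 and Task 4, **az104-01a-aaduser2** and **az104-01b-aaduser1** are created with the fixed initial password `Pa55w.rd124` and no step signs in as them, so unlike **az104-01a-aaduser1** (forced to change it in the InPrivate step) they keep a published password until clean-up, while sitting in the IT System Administrators and IT Lab Administrators groups. Consider leaving the password auto-generated for accounts the lab never uses interactively, or add a reset step. The scenario and the Task 4 intro both promise that the guest account is granted limited access to resources in the subscription, but the task ends at adding the guest to **IT Lab Administrators** with no role assignment; either add the assignment step or reword the intro. Minor: "on then display its **Members** blade" appears twice in Task 2, the Task 4 heading ends with a stray period, and the table after **Next : Configuration** in Task 3 has no "specify the following settings" lead-in.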
@@ -0,0 +1,209 @@
|
||||
---
|
||||
lab:
|
||||
title: '02a - Manage Subscriptions and RBAC'
|
||||
module: 'Module 02 - Governance and Compliance'
|
||||
---
|
||||
|
||||
# Lab 02a - Manage Subscriptions and RBAC
|
||||
# Student lab manual
|
||||
|
||||
## Lab requirements:
|
||||
|
||||
This lab requires permissions to create Azure Active Directory (Azure AD) users, create custom Azure Role Based Access Control (RBAC) roles, and assign these roles to Azure AD users. Not all lab hosters may provide this capability. Ask your instructor for the availability of this lab.
|
||||
|
||||
## Lab scenario
|
||||
|
||||
In order to improve management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
|
||||
|
||||
- creating a management group that would include all of Contoso's Azure subscriptions
|
||||
|
||||
- granting permissions to submit support requests for all subscriptions in the management group to a designated Azure Active Directory user. That user's permissions should be limited only to:
|
||||
|
||||
- creating support request tickets
|
||||
- viewing resource groups
|
||||
|
||||
## Objectives
|
||||
|
||||
In this lab, you will:
|
||||
|
||||
+ Task 1: Implement Management Groups
|
||||
+ Task 2: Create custom RBAC roles
|
||||
+ Task 3: Assign RBAC roles
|
||||
|
||||
|
||||
## Estimated timing: 30 minutes
|
||||
|
||||
## Architecture diagram
|
||||
|
||||

|
||||
|
||||
|
||||
## Instructions
|
||||
|
||||
### Exercise 1
|
||||
|
||||
#### Task 1: Implement Management Groups
|
||||
|
||||
In this task, you will create and configure management groups.
|
||||
|
||||
1. Sign in to the [Azure portal](https://portal.azure.com).
|
||||
|
||||
1. Search for and select **Management groups** to navigate to the **Management groups** blade.
|
||||
|
||||
1. Review the messages at the top of the **Management groups** blade. If you are seeing the message stating **You are registered as a directory admin but do not have the necessary permissions to access the root management group**, perfom the following sequence of steps:
|
||||
|
||||
1. In the Azure portal, search for and select **Azure Active Directory**.
|
||||
|
||||
1. On the blade displaying properties of your Azure Active Directory tenant, in the vertical menu on the left side, in the **Manage** section, select **Properties**.
|
||||
|
||||
1. On the **Properties** blade of your your Azure Active Directory tenant, in the **Access management for Azure resources** section, select **Yes** and then select **Save**.
|
||||
|
||||
1. Navigate back to the **Management groups** blade, and select **Refresh**.
|
||||
|
||||
1. On the **Management groups** blade, click **+ Create**.
|
||||
|
||||
>**Note**: If you have not previously created Management Groups, select **Start using management groups**
|
||||
|
||||
1. Create a management group with the following settings:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Management group ID | **az104-02-mg1** |
|
||||
| Management group display name | **az104-02-mg1** |
|
||||
|
||||
1. In the list of management groups, click the entry representing the newly created management group.
|
||||
|
||||
1. On the **az104-02-mg1** blade, click **Subscriptions**.
|
||||
|
||||
1. On the **az104-02-mg1 \| Subscriptions** blade, click **+ Add**, on the **Add subscription** blade, in the **Subscription** drop-down list, select the subscription you are using in this lab and click **Save**.
|
||||
|
||||
>**Note**: On the **az104-02-mg1 \| Subscriptions** blade, copy the ID of your Azure subscription into Clipboard. You will need it in the next task.
|
||||
|
||||
#### Task 2: Create custom RBAC roles
|
||||
|
||||
In this task, you will create a definition of a custom RBAC role.
|
||||
|
||||
1. From the lab computer, open the file **\\Allfiles\\Labs\\02\\az104-02a-customRoleDefinition.json** in Notepad and review its content:
|
||||
|
||||
```json
|
||||
{
|
||||
"Name": "Support Request Contributor (Custom)",
|
||||
"IsCustom": true,
|
||||
"Description": "Allows to create support requests",
|
||||
"Actions": [
|
||||
"Microsoft.Resources/subscriptions/resourceGroups/read",
|
||||
"Microsoft.Support/*"
|
||||
],
|
||||
"NotActions": [
|
||||
],
|
||||
"AssignableScopes": [
|
||||
"/providers/Microsoft.Management/managementGroups/az104-02-mg1",
|
||||
"/subscriptions/SUBSCRIPTION_ID"
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
1. Replace the `SUBSCRIPTION_ID` placeholder in the JSON file with the subscription ID you copied into Clipboard and save the change.
|
||||
|
||||
1. In the Azure portal, open **Cloud Shell** pane by clicking on the toolbar icon directly to the right of the search textbox.
|
||||
|
||||
1. If prompted to select either **Bash** or **PowerShell**, select **PowerShell**.
|
||||
|
||||
>**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
|
||||
|
||||
1. In the toolbar of the Cloud Shell pane, click the **Upload/Download files** icon, in the drop-down menu click **Upload**, and upload the file **\\Allfiles\\Labs\\02\\az104-02a-customRoleDefinition.json** into the Cloud Shell home directory.
|
||||
|
||||
1. From the Cloud Shell pane, run the following to create the custom role definition:
|
||||
|
||||
```powershell
|
||||
New-AzRoleDefinition -InputFile $HOME/az104-02a-customRoleDefinition.json
|
||||
```
|
||||
|
||||
1. Close the Cloud Shell pane.
|
||||
|
||||
#### Task 3: Assign RBAC roles
|
||||
|
||||
In this task, you will create an Azure Active Directory user, assign the RBAC role you created in the previous task to that user, and verify that the user can perform the task specified in the RBAC role definition.
|
||||
|
||||
1. In the Azure portal, search for and select **Azure Active Directory**, on the Azure Active Directory blade, click **Users**, and then click **+ New user**.
|
||||
|
||||
1. Create a new user with the following settings (leave others with their defaults):
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| User name | **az104-02-aaduser1**|
|
||||
| Name | **az104-02-aaduser1**|
|
||||
| Let me create the password | enabled |
|
||||
| Initial password | **Pa55w.rd1234** |
|
||||
|
||||
>**Note**: **Copy to clipboard** the full **User name**. You will need it later in this lab.
|
||||
|
||||
1. In the Azure portal, navigate back to the **az104-02-mg1** management group and display its **details**.
|
||||
|
||||
1. Click **Access control (IAM)**, click **+ Add** followed by **Role assignment**, and assign the **Support Request Contributor (Custom)** role to the newly created user account.
|
||||
|
||||
1. Open an **InPrivate** browser window and sign in to the [Azure portal](https://portal.azure.com) using the newly created user account. When prompted to update the password, change the password for the user.
|
||||
|
||||
>**Note**: Rather than typing the user name, you can paste the content of Clipboard.
|
||||
|
||||
1. In the **InPrivate** browser window, in the Azure portal, search and select **Resource groups** to verify that the az104-02-aaduser1 user can see all resource groups.
|
||||
|
||||
1. In the **InPrivate** browser window, in the Azure portal, search and select **All resources** to verify that the az104-02-aaduser1 user cannot see any resources.
|
||||
|
||||
1. In the **InPrivate** browser window, in the Azure portal, search and select **Help + support** and then click **+ Create a support request**.
|
||||
|
||||
1. In the **InPrivate** browser window, on the **Problem Desription/Summary** tab of the **Help + support - New support request** blade, type **Service and subscription limits** in the Summary field and select the **Service and subscription limits (quotas)** issue type. Note that the subscription you are using in this lab is listed in the **Subscription** drop-down list.
|
||||
|
||||
>**Note**: The presence of the subscription you are using in this lab in the **Subscription** drop-down list indicates that the account you are using has the permissions required to create the subscription-specific support request.
|
||||
|
||||
>**Note**: If you do not see the **Service and subscription limits (quotas)** option, sign out from the Azure portal and sign in back.
|
||||
|
||||
1. Do not continue with creating the support request. Instead, sign out as the az104-02-aaduser1 user from the Azure portal and close the InPrivate browser window.
|
||||
|
||||
#### Clean up resources
|
||||
|
||||
>**Note**: Remember to remove any newly created Azure resources that you no longer use.
|
||||
|
||||
>**Note**: Removing unused resources ensures you will not see unexpected charges, although, resources created in this lab do not incur extra cost.
|
||||
|
||||
1. In the Azure portal, search for and select **Azure Active Directory**, on the Azure Active Directory blade, click **Users**.
|
||||
|
||||
1. On the **Users - All users** blade, click **az104-02-aaduser1**.
|
||||
|
||||
1. On the **az104-02-aaduser1 - Profile** blade, copy the value of **Object ID** attribute.
|
||||
|
||||
1. In the Azure portal, start a **PowerShell** session within the **Cloud Shell**.
|
||||
|
||||
1. From the Cloud Shell pane, run the following to remove the assignment of the custom role definition (replace the `[object_ID]` placeholder with the value of the **object ID** attribute of the **az104-02-aaduser1** Azure Active Directory user account you copied earlier in this task):
|
||||
|
||||
```powershell
|
||||
$scope = (Get-AzRoleAssignment -RoleDefinitionName 'Support Request Contributor (Custom)').Scope
|
||||
|
||||
Remove-AzRoleAssignment -ObjectId '[object_ID]' -RoleDefinitionName 'Support Request Contributor (Custom)' -Scope $scope
|
||||
```
|
||||
|
||||
1. From the Cloud Shell pane, run the following to remove the custom role definition:
|
||||
|
||||
```powershell
|
||||
Remove-AzRoleDefinition -Name 'Support Request Contributor (Custom)' -Force
|
||||
```
|
||||
|
||||
1. In the Azure portal, navigate back to the **Users - All users** blade of the **Azure Active Directory**, and delete the **az104-02-aaduser1** user account.
|
||||
|
||||
1. In the Azure portal, navigate back to the **Management groups** blade.
|
||||
|
||||
1. On the **Management groups** blade, select the **ellipsis** icon next to your subscription under the **az104-02-mg1** management group and select **Move** to move the subscription to the **Tenant Root management group**.
|
||||
|
||||
>**Note**: It is likely that the target management group is the **Tenant Root management group**, unless you created a custom management group hierarchy before running this lab.
|
||||
|
||||
1. Select **Refresh** to verify that the subscription has successfully moved to the **Tenant Root management group**.
|
||||
|
||||
1. Navigate back to the **Management groups** blade, right click the **ellipsis** icon to the right of the **az104-02-mg1** management group and click **Delete**.
|
||||
|
||||
#### Review
|
||||
|
||||
In this lab, you have:
|
||||
|
||||
- Implemented Management Groups
|
||||
- Created custom RBAC roles
|
||||
- Assigned RBAC roles
|
||||
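Review bot: The role definition in Task 2 grants `"Microsoft.Support/*"`, while the lab scenario limits the user to creating support request tickets and viewing resource groups and the role's own Description says "Allows to create support requests"; either list the specific support-ticket actions or add a note explaining why the wildcard is acceptable here. In Task 1 the sub-steps set **Access management for Azure resources** to **Yes** and the clean-up section never sets it back to **No**, so the admin account keeps elevated access after the lab; add that step to clean-up. In the clean-up script, `$scope = (Get-AzRoleAssignment -RoleDefinitionName 'Support Request Contributor (Custom)').Scope` returns more than one value if the role was assigned more than once, which then breaks `-Scope $scope`; pass `-ObjectId '[object_ID]'` to the lookup as well. Minor: "perfom", "your your Azure Active Directory tenant" and "Problem Desription/Summary" are typos.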
@@ -0,0 +1,225 @@
|
||||
---
|
||||
lab:
|
||||
title: '02b - Manage Governance via Azure Policy'
|
||||
module: 'Module 02 - Governance and Compliance'
|
||||
---
|
||||
|
||||
# Lab 02b - Manage Governance via Azure Policy
|
||||
# Student lab manual
|
||||
|
||||
## Lab scenario
|
||||
|
||||
In order to improve management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
|
||||
|
||||
- tagging resource groups that include only infrastructure resources (such as Cloud Shell storage accounts)
|
||||
|
||||
- ensuring that only properly tagged infrastructure resources can be added to infrastructure resource groups
|
||||
|
||||
- remediating any non-compliant resources
|
||||
|
||||
## Objectives
|
||||
|
||||
In this lab, we will:
|
||||
|
||||
+ Task 1: Create and assign tags via the Azure portal
|
||||
+ Task 2: Enforce tagging via an Azure policy
|
||||
+ Task 3: Apply tagging via an Azure policy
|
||||
|
||||
## Estimated timing: 30 minutes
|
||||
|
||||
## Architecture diagram
|
||||
|
||||

|
||||
|
||||
## Instructions
|
||||
|
||||
### Exercise 1
|
||||
|
||||
#### Task 1: Assign tags via the Azure portal
|
||||
|
||||
In this task, you will create and assign a tag to an Azure resource group via the Azure portal.
|
||||
|
||||
1. In the Azure portal, start a **PowerShell** session within the **Cloud Shell**.
|
||||
|
||||
>**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
|
||||
|
||||
1. From the Cloud Shell pane, run the following to identify the name of the storage account used by Cloud Shell:
|
||||
|
||||
```powershell
|
||||
df
|
||||
```
|
||||
|
||||
1. In the output of the command, note the first part of the fully qualified path designating the Cloud Shell home drive mount (marked here as `xxxxxxxxxxxxxx`:
|
||||
|
||||
```
|
||||
//xxxxxxxxxxxxxx.file.core.windows.net/cloudshell (..) /usr/csuser/clouddrive
|
||||
```
|
||||
|
||||
1. In the Azure portal, search and select **Storage accounts** and, in the list of the storage accounts, click the entry representing the storage account you identified in the previous step.
|
||||
|
||||
1. On the storage account blade, click the link representing the name of the resource group containing the storage account.
|
||||
|
||||
**Note**: note what resource group the storage account is in, you'll need it later in the lab.
|
||||
|
||||
1. On the resource group blade, click **Tags**.
|
||||
|
||||
1. Create a tag with the following settings and save your change:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Name | **Role** |
|
||||
| Value | **Infra** |
|
||||
|
||||
1. Navigate back to the storage account blade. Review the **Overview** information and note that the new tag was not automatically assigned to the storage account.
|
||||
|
||||
#### Task 2: Enforce tagging via an Azure policy
|
||||
|
||||
In this task, you will assign the built-in *Require a tag and its value on resources* policy to the resource group and evaluate the outcome.
|
||||
|
||||
1. In the Azure portal, search for and select **Policy**.
|
||||
|
||||
1. In the **Authoring** section, click **Definitions**. Take a moment to browse through the list of built-in policy definitions that are available for you to use. List all built-in policies that involve the use of tags by selecting the **Tags** entry (and de-selecting all other entries) in the **Category** drop-down list.
|
||||
|
||||
1. Click the entry representing the **Require a tag and its value on resources** built-in policy and review its definition.
|
||||
|
||||
1. On the **Require a tag and its value on resources** built-in policy definition blade, click **Assign**.
|
||||
|
||||
1. Specify the **Scope** by clicking the ellipsis button and selecting the following values:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Subscription | the name of the Azure subscription you are using in this lab |
|
||||
| Resource Group | the name of the resource group containing the Cloud Shell account you identified in the previous task |
|
||||
|
||||
>**Note**: A scope determines the resources or resource groups where the policy assignment takes effect. You could assign policies on the management group, subscription, or resource group level. You also have the option of specifying exclusions, such as individual subscriptions, resource groups, or resources (depending on the assignment scope).
|
||||
|
||||
1. Configure the **Basics** properties of the assignment by specifying the following settings (leave others with their defaults):
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Assignment name | **Require Role tag with Infra value**|
|
||||
| Description | **Require Role tag with Infra value for all resources in the Cloud Shell resource group**|
|
||||
| Policy enforcement | Enabled |
|
||||
|
||||
>**Note**: The **Assignment name** is automatically populated with the policy name you selected, but you can change it. You can also add an optional **Description**. **Assigned by** is automatically populated based on the user name creating the assignment.
|
||||
|
||||
1. Click **Next** and set **Parameters** to the following values:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Tag Name | **Role** |
|
||||
| Tag Value | **Infra** |
|
||||
|
||||
1. Click **Next** and review the **Remediation** tab. Leave the **Create a Managed Identity** checkbox unchecked.
|
||||
|
||||
>**Note**: This setting can be used when the policy or initiative includes the **deployIfNotExists** or **Modify** effect.
|
||||
|
||||
1. Click **Review + Create** and then click **Create**.
|
||||
|
||||
>**Note**: Now you will verify that the new policy assignment is in effect by attempting to create another Azure Storage account in the resource group without explicitly adding the required tag.
|
||||
|
||||
>**Note**: It might take between 5 and 15 minutes for the policy to take effect.
|
||||
|
||||
1. Navigate back to the blade of the resource group hosting the storage account used for the Cloud Shell home drive, which you identified in the previous task.
|
||||
|
||||
1. On the resource group blade, click **+ Create** and then search for Storage Account, and click **+Create**.
|
||||
|
||||
1. On the **Basics** tab of the **Create storage account** blade, verify that you are using the Resource Group that the Policy was applied to and specify the following settings (leave others with their defaults), click **Review + create** and then click **Create**:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Storage account name | any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter |
|
||||
|
||||
1. Once you create the deployment, you should see the **Deployment failed** message in the **Notifications** list of the portal. From the **Notifications** list, navigate to the deployment overview and click the **Deployment failed. Click here for details** message to identify the reason for the failure.
|
||||
|
||||
>**Note**: Verify whether the error message states that the resource deployment was disallowed by the policy.
|
||||
|
||||
>**Note**: By clicking the **Raw Error** tab, you can find more details about the error, including the name of the role definition **Require Role tag with Infra value**. The deployment failed because the storage account you attempted to create did not have a tag named **Role** with its value set to **Infra**.
|
||||
|
||||
#### Task 3: Apply tagging via an Azure policy
|
||||
|
||||
In this task, we will use a different policy definition to remediate any non-compliant resources.
|
||||
|
||||
1. In the Azure portal, search for and select **Policy**.
|
||||
|
||||
1. In the **Authoring** section, click **Assignments**.
|
||||
|
||||
1. In the list of assignments, right click the ellipsis icon in the row representing the **Require Role tag with Infra value** policy assignment and use the **Delete assignment** menu item to delete the assignment.
|
||||
|
||||
1. Click **Assign policy** and specify the **Scope** by clicking the ellipsis button and selecting the following values:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Subscription | the name of the Azure subscription you are using in this lab |
|
||||
| Resource Group | the name of the resource group containing the Cloud Shell account you identified in the first task |
|
||||
|
||||
1. To specify the **Policy definition**, click the ellipsis button and then search for and select **Inherit a tag from the resource group if missing**.
|
||||
|
||||
1. Configure the remaining **Basics** properties of the assignment by specifying the following settings (leave others with their defaults):
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Assignment name | **Inherit the Role tag and its Infra value from the Cloud Shell resource group if missing**|
|
||||
| Description | **Inherit the Role tag and its Infra value from the Cloud Shell resource group if missing**|
|
||||
| Policy enforcement | Enabled |
|
||||
|
||||
1. Click **Next** and set **Parameters** to the following values:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Tag Name | **Role** |
|
||||
|
||||
1. Click **Next** and, on the **Remediation** tab, configure the following settings (leave others with their defaults):
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Create a remediation task | enabled |
|
||||
| Policy to remediate | **Inherit a tag from the subscription if missing** |
|
||||
|
||||
>**Note**: This policy definition includes the **Modify** effect.
|
||||
|
||||
1. Click **Review + Create** and then click **Create**.
|
||||
|
||||
>**Note**: To verify that the new policy assignment is in effect, you will create another Azure Storage account in the same resource group without explicitly adding the required tag.
|
||||
|
||||
>**Note**: It might take between 5 and 15 minutes for the policy to take effect.
|
||||
|
||||
1. Navigate back to the blade of the resource group hosting the storage account used for the Cloud Shell home drive, which you identified in the first task.
|
||||
|
||||
1. On the resource group blade, click **+ Create** and then search for Storage Account, and click **+Create**.
|
||||
|
||||
1. On the **Basics** tab of the **Create storage account** blade, verify that you are using the Resource Group that the Policy was applied to and specify the following settings (leave others with their defaults) and click **Review + create**:
|
||||
|
||||
| Setting | Value |
|
||||
| --- | --- |
|
||||
| Storage account name | any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter |
|
||||
|
||||
1. Verify that this time the validation passed and click **Create**.
|
||||
|
||||
1. Once the new storage account is provisioned, click **Go to resource** button and, on the **Overview** blade of the newly created storage account, note that the tag **Role** with the value **Infra** has been automatically assigned to the resource.
|
||||
|
||||
#### Clean up resources
|
||||
|
||||
>**Note**: Remember to remove any newly created Azure resources that you no longer use.
|
||||
|
||||
>**Note**: Removing unused resources ensures you will not see unexpected charges, although keep in mind that Azure policies do not incur extra cost.
|
||||
|
||||
1. In the portal, search for and select **Policy**.
|
||||
|
||||
1. In the **Authoring** section, click **Assignments**, click the ellipsis icon to the right of the assignment you created in the previous task and click **Delete assignment**.
|
||||
|
||||
1. In the portal, search for and select **Storage accounts**.
|
||||
|
||||
1. In the list of storage accounts, select the resource group corresponding to the storage account you created in the last task of this lab. Select **Tags** and click **Delete** (Trash can to the right) to the **Role:Infra** tag and press **Save**.
|
||||
|
||||
1. In the portal, again search for and select **Storage accounts** or use the menu at the top to select **Storage accounts**
|
||||
|
||||
1. In the list of storage accounts, select the storage account you created in the last task of this lab, click **Delete**, when prompted for the confirmation, in the **Confirm delete** type **yes** and click **Delete**.
|
||||
|
||||
#### Review
|
||||
|
||||
In this lab, you have:
|
||||
|
||||
- Created and assigned tags via the Azure portal
|
||||
- Enforced tagging via an Azure policy
|
||||
- Applied tagging via an Azure policy
|
||||
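Review bot: In Task 3, the **Remediation** table sets **Policy to remediate** to **Inherit a tag from the subscription if missing**, but the assignment created a few steps earlier selects **Inherit a tag from the resource group if missing**; the two should name the same definition, otherwise the student cannot find the listed value. The same tab also needs a line on the managed identity: Task 2 leaves **Create a Managed Identity** unchecked and notes that the setting applies to **deployIfNotExists** and **Modify**, and this definition uses **Modify**, yet the Task 3 steps never say whether an identity is created or what access it receives on the resource group. Two smaller points: the Raw Error note in Task 2 calls **Require Role tag with Infra value** a "role definition" when it is the policy assignment name entered earlier, and the clean-up step that begins "In the list of storage accounts, select the resource group" should be reworded so the student opens the resource group itself before deleting the **Role:Infra** tag.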
@@ -0,0 +1,129 @@
|
||||
---
|
||||
lab:
|
||||
title: '03a - Manage Azure resources by Using the Azure Portal'
|
||||
module: 'Module 03 - Azure Administration'
|
||||
---
|
||||
|
||||
# Lab 03a - Manage Azure resources by Using the Azure Portal
|
||||
# Student lab manual
|
||||
|
||||
## Lab scenario
|
||||
|
||||
You need to explore the basic Azure administration capabilities associated with provisioning resources and organizing them based on resource groups, including moving resources between resource groups. You also want to explore options for protecting disk resources from being accidentally deleted, while still allowing for modifying their performance characteristics and size.
|
||||
|
||||
## Objectives
|
||||
|
||||
In this lab, we will:
|
||||
|
||||
+ Task 1: Create resource groups and deploy resources to resource groups
|
||||
+ Task 2: Move resources between resource groups
|
||||
+ Task 3: Implement and test resource locks
|
||||
|
||||
## Estimated timing: 20 minutes
|
||||
|
||||
## Architecture diagram
|
||||
|
||||

|
||||
|
||||
## Instructions
|
||||
|
||||
### Exercise 1
|
||||
|
||||
#### Task 1: Create resource groups and deploy resources to resource groups
|
||||
|
||||
In this task, you will use the Azure portal to create resource groups and create a disk in the resource group.
|
||||
|
||||
1. Sign in to the [Azure portal](https://portal.azure.com).
|
||||
|
||||
1. In the Azure portal, search for and select **Disks**, click **+ Add, + Create, or + New**, and specify the following settings:
|
||||
|
||||
|Setting|Value|
|
||||
|---|---|
|
||||
|Subscription| the name of the Azure subscription where you created the resource group |
|
||||
|Resource Group| the name of a new resource group **az104-03a-rg1** |
|
||||
|Disk name| **az104-03a-disk1** |
|
||||
|Region| the name of the Azure region where you created the resource group |
|
||||
|Availability zone| **None** |
|
||||
|Source type| **None** |
|
||||
|
||||
>**Note**: When creating a resource, you have the option of creating a new resource group or using an existing one.
|
||||
|
||||
1. Change the disk type and size to **Standard HDD** and **32 GiB**, respectively.
|
||||
|
||||
1. Click **Review + Create** and then click **Create**.
|
||||
|
||||
>**Note**: Wait until the disk is created. This should take less than a minute.
|
||||
|
||||
#### Task 2: Move resources between resource groups
|
||||
|
||||
In this task, we will move the disk resource you created in the previous task to a new resource group.
|
||||
|
||||
1. Search for and select **Resource groups**.
|
||||
|
||||
1. On the **Resource groups** blade, click the entry representing the **az104-03a-rg1** resource group you created in the previous task.
|
||||
|
||||
1. From the **Overview** blade of the resource group, in the list of resource group resources, select the entry representing the newly created disk, click **Move** in the toolbar, and, in the drop-down list, select **Move to another resource group**.
|
||||
|
||||
>**Note**: This method allows you to move multiple resources at the same time.
|
||||
|
||||
1. Below the **Resource group** text box, click **Create new** then type **az104-03a-rg2** in the text box. On the Review tab, select the checkbox **I understand that tools and scripts associated with moved resources will not work until I update them to use new resource IDs**, and click **Move**.
|
||||
|
||||
>**Note**: Do not wait for the move to complete but instead proceed to the next task. The move might take about 10 minutes. You can determine that the operation was completed by monitoring activity log entries of the source or target resource group. Revisit this step once you complete the next task.
|
||||
|
||||
#### Task 3: Implement resource locks
|
||||
|
||||
In this task, you will apply a resource lock to an Azure resource group containing a disk resource.
|
||||
|
||||
1. In the Azure portal, search for and select **Disks**, click **+ Add, + Create, or + New**, and specify the following settings:
|
||||
|
||||
|Setting|Value|
|
||||
|---|---|
|
||||
|Subscription| the name of the subscription you are using in this lab |
|
||||
|Resource Group| click **create new** resource group and name it **az104-03a-rg3** |
|
||||
|Disk name| **az104-03a-disk2** |
|
||||
|Region| the name of the Azure region where you created the other resource groups in this lab |
|
||||
|Availability zone| **None** |
|
||||
|Source type| **None** |
|
||||
|
||||
1. Set the disk type and size to **Standard HDD** and **32 GiB**, respectively.
|
||||
|
||||
1. Click **Review + Create** and then click **Create**.
|
||||
|
||||
1. Click Go to resouce.
|
||||
|
||||
1. On the **az104-03a-rg3** resource group blade, click **Locks** then **+ Add** and specify the following settings:
|
||||
|
||||
|Setting|Value|
|
||||
|---|---|
|
||||
|Lock name| **az104-03a-delete-lock** |
|
||||
|Lock type| **Delete** |
|
||||
|
||||
1. Click **OK**
|
||||
|
||||
1. On the **az104-03a-rg3** resource group blade, click **Overview**, in the list of resource group resources, select the entry representing the disk you created earlier in this task, and click **Delete** in the toolbar.
|
||||
|
||||
1. When prompted **Do you want to delete all the selected resources?**, in the **Confirm delete** text box, type **yes** and click **Delete**.
|
||||
|
||||
1. You should see an error message, notifying about the failed delete operation.
|
||||
|
||||
>**Note**: As the error message states, this is expected due to the delete lock applied on the resource group level.
|
||||
|
||||
1. Navigate back to the list of resources of the **az104-03a-rg3** resource group and click the entry representing the **az104-03a-disk2** resource.
|
||||
|
||||
1. On the **az104-03a-disk2** blade, in the **Settings** section, click **Size + performance**, set the disk type and size to **Premium SSD** and **64 GiB**, respectively, and click **Resize** to apply the change. Verify that the change was successful.
|
||||
|
||||
>**Note**: This is expected, since the resource group-level lock applies to delete operations only.
|
||||
|
||||
#### Clean up resources
|
||||
|
||||
>**Note**: Do not delete resources you deployed in this lab. You will be using them in the next lab of this module. Remove only the resource lock you created in this lab.
|
||||
|
||||
1. Navigate to the **az104-03a-rg3** resource group blade, display its **Locks** blade, and remove the lock **az104-03a-delete-lock** by clicking the **Delete** link on the right-hand side of the **Delete** lock entry.
|
||||
|
||||
#### Review
|
||||
|
||||
In this lab, you have:
|
||||
|
||||
- Created resource groups and deployed resources to resource groups
|
||||
- Moved resources between resource groups
|
||||
- Implemented and tested resource locks
|
||||
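Review bot: In Task 3, the step "Click Go to resouce." misspells "resource", leaves the button name unbolded unlike every other step, and opens the disk blade while the next step starts on the **az104-03a-rg3** resource group blade; either drop it or replace it with a step that navigates to the resource group. In Task 1 the disk settings table describes Subscription and Region as the ones "where you created the resource group", but no resource group exists at that point, since **az104-03a-rg1** is created in the same form. The Task 3 heading reads "Implement resource locks" while the Objectives and Review lists say "Implement and test resource locks"; pick one. The note on the delete lock could also state who is able to remove it, since the scenario presents the lock as protection against accidental deletion and the clean-up step removes it with a single click.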
@@ -0,0 +1,143 @@
|
||||
---
|
||||
lab:
|
||||
title: '03b - Manage Azure resources by Using ARM Templates'
|
||||
module: 'Module 03 - Azure Administration'
|
||||
---
|
||||
|
||||
# Lab 03b - Manage Azure resources by Using ARM Templates
|
||||
# Student lab manual
|
||||
|
||||
## Lab scenario
|
||||
Now that you explored the basic Azure administration capabilities associated with provisioning resources and organizing them based on resource groups by using the Azure portal, you need to carry out the equivalent task by using Azure Resource Manager templates.
|
||||
|
||||
## Objectives
|
||||
|
||||
In this lab, you will:
|
||||
|
||||
+ Task 1: Review an ARM template for deployment of an Azure managed disk
|
||||
+ Task 2: Create an Azure managed disk by using an ARM template
|
||||
+ Task 3: Review the ARM template-based deployment of the managed disk
|
||||
|
||||
## Estimated timing: 20 minutes
|
||||
|
||||
## Architecture diagram
|
||||
|
||||

|
||||
|
||||
## Instructions
|
||||
|
||||
### Exercise 1
|
||||
|
||||
#### Task 1: Review an ARM template for deployment of an Azure managed disk
|
||||
|
||||
In this task, you will create an Azure disk resource by using an Azure Resource Manager template.
|
||||
|
||||
1. Sign in to the [**Azure portal**](https://portal.azure.com).
|
||||
|
||||
1. In the Azure portal, search for and select **Resource groups**.
|
||||
|
||||
1. In the list of resource groups, click **az104-03a-rg1**.
|
||||
|
||||
1. On the **az104-03a-rg1** resource group blade, in the **Settings** section, click **Deployments**.
|
||||
|
||||
1. On the **az104-03a-rg1 - Deployments** blade, click the first entry in the list of deployments.
|
||||
|
||||
1. On the **Microsoft.ManagedDisk-*XXXXXXXXX* \| Overview** blade, click **Template**.
|
||||
|
||||
>**Note**: Review the content of the template and note that you have the option to **Download** it to the local computer, **Add to library**, or **Deploy** it again.
|
||||
|
||||
1. Click **Download** and save the compressed file containing the template and parameters files to the **Downloads** folder on your lab computer.
|
||||
|
||||
1. On the **Microsoft.ManagedDisk-*XXXXXXXXX* \| Template** blade, click **Inputs**.
|
||||
|
||||
1. Note the value of the **location** parameter. You will need it in the next task.
|
||||
|
||||
1. Extract the content of the downloaded file into the **Downloads** folder on your lab computer.
|
||||
|
||||
>**Note**: These files are also available as **\\Allfiles\\Labs\\03\\az104-03b-md-template.json** and **\\Allfiles\\Labs\\03\\az104-03b-md-parameters.json**
|
||||
|
||||
1. Close all **File Explorer** windows.
|
||||
|
||||
#### Task 2: Create an Azure managed disk by using an ARM template
|
||||
|
||||
1. In the Azure portal, search for and select **Deploy a custom template**.
|
||||
|
||||
1. Click **Template deployment (deploy using custom templates)** found under the **Marketplace** group.
|
||||
|
||||
1. On the **Custom deployment** blade, click **Build your own template in the editor**.
|
||||
|
||||
1. On the **Edit template** blade, click **Load file** and upload the **template.json** file you downloaded in the previous task.
|
||||
|
||||
1. Within the editor pane, remove the following lines:
|
||||
|
||||
```json
|
||||
"sourceResourceId": {
|
||||
"type": "String"
|
||||
},
|
||||
"sourceUri": {
|
||||
"type": "String"
|
||||
},
|
||||
"osType": {
|
||||
"type": "String"
|
||||
},
|
||||
```
|
||||
|
||||
```json
|
||||
"hyperVGeneration": {
|
||||
"defaultValue": "V1",
|
||||
"type": "String"
|
||||
},
|
||||
```
|
||||
|
||||
```json
|
||||
"osType": "[parameters('osType')]",
|
||||
```
|
||||
|
||||
>**Note**: These parameters are removed since they are not applicable to the current deployment. In particular, sourceResourceId, sourceUri, osType, and hyperVGeneration parameters are applicable to creating an Azure disk from an existing VHD file.
|
||||
|
||||
1. **Save** the changes.
|
||||
|
||||
1. Back on the **Custom deployment** blade, click **Edit parameters**.
|
||||
|
||||
1. On the **Edit parameters** blade, click **Load file** and upload the **parameters.json** file you downloaded in the previous task, and **Save** the changes.
|
||||
|
||||
1. Back on the **Custom deployment** blade, specify the following settings:
|
||||
|
||||
| Setting | Value |
|
||||
| --- |--- |
|
||||
| Subscription | *the name of the Azure subscription you are using in this lab* |
|
||||
| Resource Group | the name of a **new** resource group **az104-03b-rg1** |
|
||||
| Region | the name of any Azure region available in the subscription you are using in this lab |
|
||||
| Disk Name | **az104-03b-disk1** |
|
||||
| Location | the value of the location parameter you noted in the previous task |
|
||||
| Sku | **Standard_LRS** |
|
||||
| Disk Size Gb | **32** |
|
||||
| Create Option | **empty** |
|
||||
| Disk Encryption Set Type | **EncryptionAtRestWithPlatformKey** |
|
||||
| Network Access Policy | **AllowAll** |
|
||||
|
||||
1. Select **Review + Create** and then select **Create**.
|
||||
|
||||
1. Verify that the deployment completed successfully.
|
||||
|
||||
#### Task 3: Review the ARM template-based deployment of the managed disk
|
||||
|
||||
1. In the Azure portal, search for and select **Resource groups**.
|
||||
|
||||
1. In the list of resource groups, click **az104-03b-rg1**.
|
||||
|
||||
1. On the **az104-03b-rg1** resource group blade, in the **Settings** section, click **Deployments**.
|
||||
|
||||
1. From the **az104-03b-rg1 - Deployments** blade, click the first entry in the list of deployments and review the content of the **Input** and **Template** blades.
|
||||
|
||||
#### Clean up resources
|
||||
|
||||
>**Note**: Do not delete resources you deployed in this lab. You will reference them in the next lab of this module.
|
||||
|
||||
#### Review
|
||||
|
||||
In this lab, you have:
|
||||
|
||||
- Reviewed an ARM template for deployment of an Azure managed disk
|
||||
- Created an Azure managed disk by using an ARM template
|
||||
- Reviewed the ARM template-based deployment of the managed disk
|
||||
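Review bot: In Task 2, the **Custom deployment** table sets Network Access Policy to **AllowAll** and Disk Encryption Set Type to **EncryptionAtRestWithPlatformKey** with no comment; add a note saying these are lab values and what each one permits, so students do not carry **AllowAll** into their own templates unexamined. The step "Within the editor pane, remove the following lines" shows three separate fragments without saying which section of the template each sits in, and the note calls them all parameters although the third, "osType": "[parameters('osType')]", is a property that references a parameter. The Task 1 intro says "you will create an Azure disk resource" although the task only reviews and downloads an existing template; the creation happens in Task 2, which has no intro sentence. Naming is inconsistent as well: Task 1 clicks **Inputs** while Task 3 refers to the **Input** blade, and Task 2 uploads **template.json** and **parameters.json** while the note lists **az104-03b-md-template.json** and **az104-03b-md-parameters.json**.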