AZ-900 Microsoft Azure Fundamentals Exam


Describe the hierarchy of resource groups, subscriptions, and management groups

Understand Subscriptions

Azure subscriptions are a fundamental part of the Azure platform, serving as a logical container for your Azure resources. Subscriptions act as a boundary for billing, resource management, and access control. Each subscription is associated with an Azure account, and all resources created within that subscription are billed to that account.

Subscriptions also play a crucial role in organizing your Azure environment. They allow you to group resources based on your organizational needs, such as by department, project, or environment (e.g., development, testing, production). This grouping helps in managing access, applying policies, and ensuring compliance across multiple resource groups. Subscriptions provide a way to manage costs and access at a higher level than resource groups.

When working with Event Grid, it's important to understand that Event Grid subscriptions scoped to a resource group or an Azure subscription are considered global. This means they don't have the same properties as Event Grid subscriptions to specific Azure resources. To query Event Grid subscriptions for an Azure subscription, you need to specify the topic type as Microsoft.Resources.Subscriptions. Similarly, to get Event Grid subscriptions for all resource groups within an Azure subscription, use the topic type Microsoft.Resources.ResourceGroups.

Moving resources between subscriptions is a common task, but it requires careful planning. When moving resources, you're essentially changing their resource ID, which follows the format /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}. This means any scripts, templates, or dashboards that reference the old resource ID will need to be updated.

Before moving resources to a new subscription, ensure that both the source and destination subscriptions are active and within the same Microsoft Entra tenant. The destination subscription must also be registered for the resource provider of the resource being moved. Additionally, check the subscription quotas to ensure the move won't exceed any limits. Moving resources across subscriptions is a three-step process, which may involve moving dependent resources into the same resource group first.
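As an added example (not part of the original guide), the Python sketch below parses the resource ID format quoted above, derives the ID a resource has after a move, and finds and rewrites stale references in a script or template. The subscription IDs, resource names and sample text are constructed, and comparing IDs case-insensitively is an assumption that follows from resource group names not being case-sensitive.

```python
import re

# Added example; every ID below is a constructed sample, not real tenant data.
ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

def parse_resource_id(rid):
    """Split a resource ID into the segments of the format quoted above."""
    m = ID_RE.match(rid.strip())
    if not m:
        raise ValueError(f"not a top-level resource ID: {rid!r}")
    return m.groupdict()

def moved_id(rid, dest_sub, dest_rg):
    """Resource ID of the same resource after a move (provider/type/name kept)."""
    p = parse_resource_id(rid)
    return (f"/subscriptions/{dest_sub}/resourceGroups/{dest_rg}"
            f"/providers/{p['ns']}/{p['type']}/{p['name']}")

def _ref_pattern(old_id):
    # Case-insensitive; the lookahead stops "vm1" from matching "vm10",
    # while "vm1/extensions/..." (a child path) still matches.
    return re.compile(re.escape(old_id) + r"(?![A-Za-z0-9_.\-])", re.IGNORECASE)

def stale_references(text, old_id):
    """1-based line numbers that still reference the pre-move ID."""
    pat = _ref_pattern(old_id)
    return [n for n, line in enumerate(text.splitlines(), 1) if pat.search(line)]

def rewrite_references(text, old_id, new_id):
    """Replace every reference to old_id with new_id."""
    return _ref_pattern(old_id).sub(lambda m: new_id, text)

SRC_SUB = "00000000-0000-0000-0000-00000000aaaa"  # constructed
DST_SUB = "00000000-0000-0000-0000-00000000bbbb"  # constructed
OLD_ID = (f"/subscriptions/{SRC_SUB}/resourceGroups/rg-app"
          "/providers/Microsoft.Compute/virtualMachines/vm1")
NEW_ID = moved_id(OLD_ID, DST_SUB, "rg-app-prod")

# Constructed stand-in for a script or template that references the VM.
SAMPLE = "\n".join([
    f'alert_scope = "{OLD_ID}"',
    f'ext = "{OLD_ID.upper()}/extensions/monitor"',
    f'other = "{OLD_ID}0"',  # vm10: a different resource, must not match
])

if __name__ == "__main__":
    print(stale_references(SAMPLE, OLD_ID))
    print(rewrite_references(SAMPLE, OLD_ID, NEW_ID))
```

Running the same scan over access-control scopes, alert rules and automation scripts before a move shows which references will stop resolving once the ID changes.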

Explore Management Groups

Management groups in Azure help you organize and manage your Azure subscriptions. They provide a way to apply governance policies and access controls across multiple subscriptions. Think of them as containers above subscriptions in the Azure hierarchy. This allows for efficient management of resources at scale.

Hierarchical Structure

Management groups form a hierarchy, with a single root management group at the top. You can create additional management groups within this hierarchy to reflect your organization's structure. Subscriptions are placed within these management groups, inheriting the policies and access controls defined at the management group level. This structure allows for a consistent approach to managing resources across different parts of your organization.

Managing Multiple Subscriptions

One of the main benefits of management groups is the ability to manage multiple subscriptions at once. Instead of applying policies and access controls to each subscription individually, you can apply them at the management group level. This simplifies administration and ensures consistency across all subscriptions within that group. For example, you can enforce a policy that requires all resources in a specific management group to be tagged with a cost center.

Policy and Access Management

Management groups are crucial for implementing effective policy and access management. Azure Policy can be applied at the management group level, ensuring that all subscriptions within that group adhere to specific rules and standards. Similarly, Azure role-based access control (RBAC) can be used to grant permissions to users or groups at the management group level, providing a centralized way to manage access to resources. This helps maintain security and compliance across your Azure environment.

Advantages of Management Groups

Using management groups offers several advantages:

  • Centralized Management: Manage policies and access controls for multiple subscriptions from a single location.
  • Scalability: Easily manage resources as your organization grows, without having to manage each subscription individually.
  • Consistency: Ensure that all subscriptions within a management group adhere to the same policies and standards.
  • Improved Governance: Implement effective governance practices across your Azure environment.

In summary, management groups are a powerful tool for organizing and managing Azure subscriptions. They provide a hierarchical structure that allows for centralized policy and access management, making it easier to manage resources at scale and ensure consistency across your Azure environment.

Hierarchy and Relationships

Azure organizes its resources in a hierarchical structure, which includes management groups, subscriptions, and resource groups. This structure helps manage access, policies, and costs effectively. Understanding how these components relate is crucial for managing your Azure environment.

Management Groups

At the top of the hierarchy are management groups. These are used to manage access, policies, and compliance across multiple Azure subscriptions. Think of them as containers for your subscriptions, allowing you to apply governance conditions that affect all subscriptions within them. Management groups provide a way to organize your subscriptions based on your organizational structure or business needs.

Subscriptions

Subscriptions are the next level down and represent a logical container for your Azure resources. Each subscription has its own billing and resource limits. Subscriptions are associated with a specific account and are used to manage the resources you deploy. They also serve as a boundary for access control and resource management.

Resource Groups

Within a subscription, resources are organized into resource groups. A resource group is a container that holds related resources for an Azure solution. Resources within a resource group typically share the same lifecycle and are managed together. This allows you to deploy, manage, and monitor all the resources for a specific application or project as a single unit.

Hierarchy and Relationships

The hierarchy flows from management groups to subscriptions to resource groups. Policies and permissions set at a higher level are inherited by the lower levels. For example, a policy applied at the management group level will affect all subscriptions and resource groups within that management group. This hierarchical structure provides a flexible and scalable way to manage your Azure resources.
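As an added example (not part of the original guide), the Python sketch below models the inheritance just described: it walks from a scope up through its resource group, subscription and management groups, and lists every role assignment that applies there, including privileged roles that arrive only by inheritance. The hierarchy, principals and assignments are constructed; the management group scope prefix is the standard Azure form, written in lowercase because scopes are normalized before comparison.

```python
# Added example; the hierarchy and assignments are constructed, not real data.
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
SUB_PROD = "00000000-0000-0000-0000-00000000aaaa"
SUB_DEV = "00000000-0000-0000-0000-00000000bbbb"

# child (management group name or subscription ID) -> parent management group
PARENT_MG = {"mg-prod": "mg-root", "mg-dev": "mg-root",
             SUB_PROD: "mg-prod", SUB_DEV: "mg-dev"}

ASSIGNMENTS = [  # (principal, role, scope)
    ("alice@example.com", "Owner", MG_PREFIX + "mg-root"),
    ("ops-team", "Contributor", f"/subscriptions/{SUB_PROD}"),
    ("app-team", "Contributor", f"/subscriptions/{SUB_PROD}/resourceGroups/rg-app"),
    ("dev-team", "Owner", f"/subscriptions/{SUB_DEV}"),
]

def norm(scope):
    """Normalize a scope for comparison (trailing slash and case ignored)."""
    return scope.rstrip("/").lower()

def ancestor_scopes(scope):
    """The scope itself, then each level above it, most specific first."""
    s = norm(scope)
    chain = [s]
    if s.startswith("/subscriptions/"):
        parts = s.split("/")  # ['', 'subscriptions', id, 'resourcegroups', rg, ...]
        if len(parts) > 5:
            chain.append("/".join(parts[:5]))  # resource group
        if len(parts) > 3:
            chain.append("/".join(parts[:3]))  # subscription
        node = parts[2]
    else:
        node = s[len(MG_PREFIX):]
    seen = set()
    while node in PARENT_MG and node not in seen:  # walk up management groups
        seen.add(node)
        node = PARENT_MG[node]
        chain.append(MG_PREFIX + node)
    return chain

def effective_access(scope, assignments=ASSIGNMENTS):
    """Every assignment that applies at scope: direct plus inherited."""
    return [(who, role, level) for level in ancestor_scopes(scope)
            for who, role, at in assignments if norm(at) == level]

def inherited_privileged(scope, roles=("Owner", "User Access Administrator")):
    """Privileged roles that reach scope only through a higher level."""
    return [h for h in effective_access(scope)
            if h[1] in roles and h[2] != norm(scope)]
```

For the constructed resource group rg-app, the Owner assignment made at mg-root shows up as inherited access, which is why assignments at management group level deserve review before they are granted.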

Define Resource Groups

Resource Groups are a fundamental concept in Azure, acting as containers that hold related resources for an Azure solution. Think of them as folders that help you organize and manage your cloud assets. They allow you to manage all the resources for a solution as a single entity. This includes things like virtual machines, databases, and storage accounts.

Resource groups are essential for managing resources effectively. They enable you to apply access control, policies, and tags to all resources within the group. This makes it easier to manage permissions and track costs. For example, you can grant a team access to manage all resources in a specific resource group without giving them access to other parts of your Azure environment.

When creating a resource group, you must choose a location. This location is where metadata about the resource group is stored. It's important to select a location close to where your control operations originate, which is typically the location closest to you. This ensures that control plane operations are efficient.

Resource group names are not case-sensitive, meaning "ResourceGroup1" and "resourcegroup1" are treated the same. However, you cannot rename a resource group after it's created. If you need to change the name, you must create a new resource group and move the resources to it.

Resource groups are a key part of the Azure Resource Manager, which handles all control plane requests. This means that when you create, update, or delete resources, Azure Resource Manager ensures that these operations are managed consistently. This includes applying any policies or access controls you have set up.

In summary, resource groups are a powerful tool for organizing and managing your Azure resources. They provide a way to group related resources, apply consistent management policies, and control access, making it easier to manage your cloud environment.

Implementing Governance and Compliance

Governance in Azure involves maintaining control over your applications and resources. It's about planning initiatives and setting strategic priorities. Azure primarily uses two services for governance: Azure Policy and Azure Cost Management. These tools help ensure resources comply with organizational standards and track cloud spending.

Azure Policy

Azure Policy allows you to create, assign, and manage policy definitions. These definitions enforce rules for your resources, ensuring they adhere to your company's standards. This service is crucial for maintaining compliance and consistency across your Azure environment. Policies can be applied at different levels, such as resource groups, subscriptions, and management groups, allowing for granular control.

Azure Cost Management

Azure Cost Management enables you to track cloud usage and expenditures for your Azure resources, as well as other cloud providers. This service helps you monitor and manage your cloud spending, ensuring you stay within budget. It provides insights into where costs are coming from, allowing you to optimize your resource usage and reduce unnecessary expenses.

Resource Hierarchy

Azure organizes resources in a hierarchy: resource groups, subscriptions, and management groups. Resource groups are containers for related resources, subscriptions provide a logical boundary for billing and management, and management groups allow you to manage multiple subscriptions. This hierarchy is essential for implementing governance and compliance strategies. By applying policies and access controls at different levels, you can enforce organizational standards and security requirements effectively.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a key component of Azure governance. It allows you to manage who has access to Azure resources and what they can do with those resources. RBAC helps ensure that only authorized users can perform specific actions, enhancing security and compliance. By assigning roles at different levels of the resource hierarchy, you can control access to resources based on user roles and responsibilities.

Conclusion

In summary, implementing governance and compliance in Azure involves using services like Azure Policy and Azure Cost Management, along with understanding the resource hierarchy and utilizing RBAC. These tools and concepts help organizations maintain control over their Azure environment, enforce standards, manage costs, and ensure security. By leveraging these features, you can effectively govern your Azure resources and maintain compliance with organizational policies.

Conclusion

This section has covered the hierarchical structure of Azure resources, focusing on resource groups, subscriptions, and management groups. We've explored how subscriptions act as billing units and logical containers for resources, while resource groups organize related resources within a subscription. Management groups provide a way to manage multiple subscriptions, applying policies and access controls at a higher level. Understanding this hierarchy is crucial for effective resource management, governance, and compliance in Azure. The use of Azure Policy and RBAC further enhances the ability to enforce organizational standards and security requirements across the Azure environment.