Microsoft AZ-104 Certification Exams - Identity: Azure Active Directory


Azure Accounts and Subscriptions – Compliance and Cloud Governance

We covered Azure AD concepts in Chapter 1, “Identity: Azure Active Directory,” where we defined an Azure subscription as a logical unit for setting up a resource boundary, environment boundary, and billing boundary. Every subscription will have an account that is attached to it. This account can be a work or school account or an account that Azure AD trusts. If you don’t have a work or school account, you can use a Microsoft account to use Azure. The reason behind this is that Azure AD trusts Microsoft accounts. Let’s learn more about Azure accounts and subscriptions.

Azure Accounts

Subscriptions will always be mapped to an account. Any identity that is part of Azure AD or a directory trusted by Azure AD is referred to as an Azure account. It could be a work or school account that is created in Azure; you already saw in Chapter 1 how users can be added to Azure AD. Also, it could be a Microsoft account that is trusted by Azure. If you use your personal account, then you will be creating a Microsoft account and using that as the Azure account.

When you sign up for an Azure account using your work or school account, all subscriptions will be created in the Azure AD that your account is part of. If you are using a personal account, then Azure will automatically create an Azure AD tenant during the account creation process.

Azure Subscriptions

We already discussed the boundaries that an Azure subscription sets in terms of resources, environment, and billing. In Azure, billing is done per subscription, and the charges depend on the type of subscription you have. We will cover some of the common types of subscriptions that you will be using for personal, development, and production workloads.

The user who created the Azure account is called the Account Administrator, and a user can have multiple subscriptions inside an account. Reasons for having multiple subscriptions may include environment isolation, project isolation, etc. In Figure 2.3, you can see that the Azure account has multiple subscriptions; these subscriptions are created to separate the workloads in these environments.

FIGURE 2.3 Types of Azure subscriptions

By default, only the account administrator will have access to the newly created subscription. If you would like to grant access to others, then you can use the classic administrator role or role-based access control (RBAC). As we are not using classic resources anymore, Microsoft recommends that you use RBAC for granting access to users and external partners to your Azure resources.

There are multiple channels from which you can get an Azure subscription. Now, we will look at these channels and how each one of these is different.

Getting a Subscription – Compliance and Cloud Governance

You can get a subscription from multiple channels. You might not be eligible for all the subscriptions listed here; the eligibility is dependent on the terms and conditions of the respective offers.

Enterprise Agreements (EAs)  EA customers will sign an agreement with Microsoft or Microsoft Partners and make an up-front monetary commitment to Azure. All usage incurred will be charged against the monetary commitment; when the commitment expires, the customer will start receiving invoices. You can make the prepayment again and continue using the services. The advantage of using EAs is that they offer more discounts than other offers as the customer is paying the amount up front. If your organization is looking for massive deployments in Azure and requires a 99.95 percent monthly SLA, then an EA is the best option.

Web Direct  In web direct, customers can directly go to the Azure website and purchase a new subscription. If you prefer, you can sign up for a Free Trial subscription and upgrade if you are interested in continuing the service. You won’t be charged until you upgrade the subscription from Free Trial to Pay-As-You-Go. Once you upgrade, as the name implies, you will be charged as per the charges mentioned in the Azure public-facing documents. There are no discounts available for you in this case, and you will require a credit card to sign up for this subscription.

Reseller  Using the Open Licensing program, customers can buy tokens from resellers and sign up for an Azure-in-Open subscription. As a customer, you can buy a token for any amount you need; the charges incurred will be taken from this amount. When the amount is exhausted, you need to buy a new token and refill your account to avoid service interruption. This works like a prepaid cellular plan.

Partners  You can purchase an Azure subscription from partners, and they can help you with the cloud transformation. The partners will be your first point of contact for any Azure-related concerns as the agreement is signed between the partner and the customer. These types of subscriptions are called cloud solution provider (CSP) subscriptions, and every month you’ll receive an invoice from your partner based on your usage. Microsoft doesn’t play any role in the invoice generation as you don’t have any direct billing relationship with Microsoft. CSP subscriptions offer more discounts compared to the Pay-As-You-Go subscriptions and are ideal for organizations that don’t have the budget to make the up-front monetary commitment for an EA.

This is not the complete list of offers that are supported by Azure. There are other offers that come with credits for MSDN subscribers and Visual Studio subscribers. You can see all the available offers here:

https://azure.microsoft.com/en-in/support/legal/offer-details

Now that you have an idea about the common offers, let’s see how the metering or usage is done in these subscription offers.

Subscription Metering – Compliance and Cloud Governance

All offers provided by Azure are meant for unique needs and requirements. For people who want to test the services there is a Free Trial, for students there is Azure for Students, and finally for enterprise deployments we have different paid subscription offers like EA, Pay As You Go, etc., which provide service level agreements (SLAs). The most commonly used subscription types are these:

  • Free subscription
  • Pay-As-You-Go
  • Enterprise Agreement
  • Azure for Students

Azure Free Subscription  You can get a $200 credit to spend on any Azure service for the first 30 days. You have to upgrade your Free Trial if you exhaust your credits or when you complete the trial period (whichever happens first). Along with the credit, you will get selected popular Azure services free for the first 12 months and 25+ services always free. However, this benefit will be applied only if you upgrade to a paid subscription. Signing up for a Free Trial will require a credit card; this is only for verification purposes, and you will not be charged unless you upgrade to the paid subscription.

Azure Pay-As-You-Go Subscription  Once you upgrade your Free Trial subscription, your subscription will be converted to a Pay-As-You-Go (PAYG) subscription. In PAYG, you will receive invoices monthly based on your consumption. However, the billing cycle will not run from the first to the last of the month; it depends on the date you started the PAYG usage. PAYG is ideal for anyone from individuals to small businesses; even some large organizations use PAYG. However, there are no discounts applied like with EAs.

Azure Enterprise Agreement  Customers can buy cloud services and software licenses under one single agreement. These customers are also eligible for discounts on services, licenses, and software assurance. The targeted audience for this is enterprise organizations. Customers need to pay the cost upfront to Microsoft as a monetary commitment, and the consumption will be deducted from this prepayment.

Azure for Students  As the name suggests, this subscription is ideal for students who want to test or develop solutions in Azure for learning purposes. Students will receive $100 as a credit that is valid for 12 months. Along with the credit, there will be free services that users can leverage. Students need to verify their student status using a university email address to activate this subscription. Also, Azure for Students doesn’t require a credit card.

So far, you have seen the different offer types that are available in Azure and how customers can choose one that suits their needs. You have also seen how usage is computed in each offer; now you will see how you can leverage Azure Cost Management in monitoring and optimizing cloud expenditure.

Cost Saving Techniques – Compliance and Cloud Governance

There is a set of services and techniques administrators can use to get the best out of their infrastructure.

Reservations  Reserved instances (RIs), or reservations, can be used by customers to save costs on selected services. Selected services include Azure Virtual Machine, SQL Database, Azure Cosmos DB, Azure SQL Managed Instance, and other services. You can pay for a one-year or three-year term for these services up front or monthly. For certain services, Microsoft has extended the term to five years. Purchasing reservations will reduce costs by up to 72 percent compared to the Pay As You Go rates.

Azure Hybrid Benefit  You can bring your own Windows Server or SQL Server or Linux licenses to use on Azure Virtual Machine, Azure SQL Database, and Azure Managed Instances. If you have already purchased licenses with software assurance, you don’t have to pay for these licenses in Azure. Combining RI and Azure Hybrid Benefit can increase the savings.

Azure Credits and Dev/Test Subscriptions  It’s always recommended that you choose the right subscription to host your workloads. If you are testing or developing solutions, there are subscriptions with free credit that can be utilized rather than deploying your solutions in a production subscription and paying invoices. For example, if you are a Visual Studio Subscriber (Enterprise/Professional), you can get a subscription with free credits that gets renewed every month. If you have an EA, then you can use an EA Dev/Test subscription for testing and development. EA Dev/Test rates are cheaper than the production EA subscription. Similarly, Pay As You Go customers can purchase PAYG Dev/Test for development and testing purposes.

Azure Regions  The prices of Azure services vary from region to region; you can always deploy to a region that has a lower cost to save your spending. However, make sure that this decision is not affecting the performance or data residency requirements (if there are any).

Budgets  You already learned about budgets in the “Plan and Control Expenses” section. Having a budget will help you get notified whenever you are crossing the limits assigned to you; you can also take necessary actions to remediate this. Budgets play a crucial role in accounting and cost tracking.

Pricing Calculator  In Azure, there are hundreds of services, and each service has several pricing tiers. It’s not possible for an administrator or an architect to remember all these pricings and calculate them. Using the Pricing Calculator, you can estimate the cost of any service in Azure. You can export it to Excel to share with your stakeholders or directly share the link for estimation. The Pricing Calculator can be accessed here:

https://azure.microsoft.com/en-in/pricing/calculator

We will now move on to resource groups.

Management Groups – Compliance and Cloud Governance

When we were discussing accounts and subscriptions, you saw that an account can have multiple subscriptions. If you think of it from an organizational perspective, there will be multiple accounts, and there will be multiple subscriptions meant for different environments and workloads. Using management groups, you can logically group subscriptions. This way, management groups offer a new scope above the subscriptions, which can be used for granting access, assigning policies, and analyzing costs.

FIGURE 2.7 Managing resource groups using the Azure CLI

All access or policies assigned to the management group will be inherited by the subscriptions that are part of the management group. We will cover how access and policy management is performed later in this chapter. Figure 2.8 shows a sample hierarchy where management groups are used.

Management groups enable administrators to do the following:

  • They can logically group subscriptions into different containers.
  • They can apply policies and access controls to a set of subscriptions easily.
  • Cost management can be scoped at the management group level for tracking the costs of multiple subscriptions in a single shot.
  • Budgets can be created at the management group level, which is ideal for teams and projects having multiple subscriptions.

Management groups can be created from the Azure portal, PowerShell, and the CLI. There will be a default management group that will be provisioned along with your tenant called the root management group. All new management groups will be created as children of this root management group.

Creating a management group is a straightforward process you can perform by searching for and navigating to management groups in the Azure portal. You can click Add (refer to Figure 2.9) to add a new management group. In Figure 2.9, you can also see a couple of management groups created for demonstration purposes.

FIGURE 2.8 Understanding management groups

FIGURE 2.9 Creating management groups

Two parameters are required while you create a management group. The first one is Management Group ID; this identifier is used to denote the management group when you want to run commands against the management group. Second, you need to add a display name, which will act like a friendly name for your management group. Whenever you are making PowerShell, Azure CLI, or REST API calls, you will be using the identifier to point to the management group. Management Group ID cannot be modified once the management group is created.
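The inheritance rule described above can be checked offline against an exported hierarchy. The following is an added example, not code from the book or from Microsoft tooling: it walks from a subscription up to the root management group and lists every role assignment that applies, marking the ones that are inherited. The management group IDs, subscription names, principals, and the `root-mg` placeholder are all constructed for illustration.

```python
# Constructed hierarchy and assignments for illustration; not from a real tenant.
ROOT = "root-mg"  # placeholder ID for the tenant's root management group

# child -> parent; management groups are keyed by their immutable ID.
PARENT = {
    "mg-prod": ROOT,
    "mg-dev": ROOT,
    "mg-prod-payments": "mg-prod",
    "sub-payments-01": "mg-prod-payments",
    "sub-web-01": "mg-prod",
    "sub-sandbox-01": "mg-dev",
}

# (scope, principal, role) tuples, as they might be exported from RBAC.
ASSIGNMENTS = [
    (ROOT, "grp-security-audit", "Reader"),
    ("mg-prod", "grp-prod-ops", "Contributor"),
    ("mg-dev", "grp-developers", "Owner"),
    ("sub-payments-01", "svc-payments-deploy", "Contributor"),
]


def scope_chain(node, parent=PARENT):
    """Return the scopes from node up to the root, nearest first."""
    chain, seen = [], set()
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in hierarchy at {node}")
        seen.add(node)
        chain.append(node)
        node = parent.get(node)
    return chain


def effective_access(subscription, assignments=ASSIGNMENTS, parent=PARENT):
    """Rows of (principal, role, assigned_at, inherited) that apply to a subscription."""
    chain = scope_chain(subscription, parent)
    rows = [(p, r, s, s != subscription) for s, p, r in assignments if s in chain]
    return sorted(rows)


def privileged_inherited(subscription, roles=("Owner", "Contributor")):
    """Inherited high-privilege grants, which a subscription-only review would miss."""
    return [row for row in effective_access(subscription) if row[3] and row[1] in roles]


if __name__ == "__main__":
    for sub in ("sub-payments-01", "sub-web-01", "sub-sandbox-01"):
        print(sub, effective_access(sub))
```

An access review that only lists assignments made directly on a subscription would show one entry for `sub-payments-01`; the walk up the hierarchy shows three.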

While discussing management groups, you read that they can be leveraged to apply policies and grant access easily on a larger scope. Now, we will see what these policies are and what role they play in governance.
