Azure Administrator Associate (AZ-104)
Manage Subscriptions and Governance in Azure

Key Concepts

To effectively manage subscriptions and governance in Azure, it's essential to understand the following key concepts:

Azure Subscriptions

An Azure subscription is a logical unit of Azure services that links to an Azure account. It provides you with authenticated and authorized access to Azure products and services. Subscriptions are essential for billing and resource management. Each subscription can have different billing and payment settings, allowing organizations to manage costs and resources more effectively.

For example, a company might have separate subscriptions for development, testing, and production environments to isolate costs and manage access controls more granularly.

Management Groups

Management groups are containers that help you manage access, policy, and compliance for multiple subscriptions. When you organize subscriptions into management groups, you can apply governance conditions to the management group, and they will automatically apply to all the subscriptions within that management group. This hierarchical structure allows for more efficient governance across large organizations.

Think of management groups as folders in a file system where each folder can contain other folders and files (subscriptions). Applying a policy at the folder level ensures that all contained items inherit the policy.

Resource Groups

Resource groups are containers that hold related resources for an Azure solution. The resource group includes resources that you want to manage as a group. You decide which resources belong to a resource group based on what makes the most sense for your organization. Resource groups are essential for organizing and managing resources, as they allow you to deploy, update, and delete resources as a collection.

For instance, you might create a resource group for a specific project that includes all the resources needed for that project, such as virtual machines, storage accounts, and web apps.

Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy helps you maintain control over your resources' compliance in a centralized, consistent manner.

Imagine you want to ensure that all virtual machines created in your environment use a specific set of approved images. You can create a policy that restricts the creation of VMs to only those images, thereby ensuring compliance across your organization.
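
The approved-image rule described above could be written as a custom Azure Policy definition like the one below. This is an added example, not part of the original guide. It assumes the approved images are custom images identified by resource ID, and the parameter names `approvedImageIds` and `effect` are illustrative.

```json
{
  "properties": {
    "displayName": "Example: restrict VMs to approved images",
    "description": "Constructed example. Parameter names are illustrative.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "approvedImageIds": {
        "type": "Array",
        "metadata": {
          "displayName": "Approved image IDs",
          "description": "Resource IDs of the images VMs may be created from."
        }
      },
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant VMs; Deny blocks their creation."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/imageId",
              "in": "[parameters('approvedImageIds')]"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning the definition at a management group scope applies it to every subscription beneath that group, as described under Management Groups. Starting with the Audit effect shows which VMs would be flagged before the assignment is switched to Deny.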

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a system that provides fine-grained access management for Azure resources. Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. RBAC allows you to control who has access to Azure resources, what they can do with those resources, and what areas they have access to.

For example, you might assign the "Virtual Machine Contributor" role to a user, giving them the ability to manage virtual machines but not the ability to manage other resources such as networks or storage.

Conclusion

Effectively managing subscriptions and governance in Azure requires a solid understanding of subscriptions, management groups, resource groups, Azure Policy, and RBAC. By leveraging these tools, you can ensure that your Azure environment is organized, secure, and compliant with your organization's policies.