
AZ-104T00A ENU PowerPoint 02


AZ-104T00A

Module 02: Governance and Compliance

© Copyright Microsoft Corporation. All rights reserved.


Module Overview

Lesson 01: Subscriptions and Accounts

Lesson 02: Azure Policy

Lesson 03: Role-Based Access Control

Lesson 04: Module 02 Lab



Lesson 01: Subscriptions and Accounts



Subscriptions and Accounts Overview

Regions

Azure Subscriptions

Getting a Subscription

Subscription Usage

Cost Management

Resource Tags

Cost Savings

Review
Regions

A region represents a collection of datacenters

Provides flexibility and scale

Preserves data residency: resources and their data stay in the geography you select

Select regions close to your users

Be aware of region deployment availability: not every service is available in every region

There are global services that are region independent

Worldwide there are 60+ regions representing 140 countries

Regions are paired for high availability


Azure Subscriptions

Only identities in Azure AD, or in a directory that is trusted by Azure AD, can create a subscription

Logical unit of Azure services that is linked to an Azure account

Security and billing boundary: access and policy applied at the subscription scope cover everything in it, and usage is billed per subscription


Getting a Subscription

Enterprise Agreement customers make an upfront monetary commitment and consume services throughout the year

Resellers provide a simple, flexible way to purchase cloud services

Partners can design and implement your Azure cloud solution

Personal free account: start right away


Subscription Usage

Subscription type   Usage
Free                Includes a $200 credit for the first 30 days, plus free limited access for 12 months
Pay-As-You-Go       Charges you monthly
CSP                 Agreement with possible discounts through a Microsoft Cloud Solution Provider partner; typically for small to medium businesses
Enterprise          One agreement, with discounts for new licenses and Software Assurance; targeted at enterprise-scale organizations
Student             Includes $100 for 12 months; must verify student access


Cost Management

Conduct cost analysis

Create a budget

Review recommendations

Export the data



Resource Tags

Provides metadata for your Azure resources

Logically organizes resources into a taxonomy

Consists of a name-value pair

Very useful for rolling up billing information


Cost Savings

Azure Reservations: helps you save money by pre-paying for services

Azure Hybrid Benefit: use Windows Server and SQL Server on-premises licenses with Software Assurance

Azure Credits: monthly credit benefit that allows you to experiment with, develop, and test new solutions on Azure

Regions: choose low-cost locations and regions


Subscriptions and Accounts - Review

Knowledge Check Questions

Microsoft Learn Modules (docs.microsoft.com/Learn):
Analyze costs and create budgets with Azure Cost Management
Predict costs and optimize spending for Azure


Lesson 02: Azure Policy



Azure Policy Overview

Management Groups

Azure Policy

Implementing Azure Policy

Policy Definitions

Create Initiative Definitions

Scope the Initiative Definition

Determine Compliance

Demonstration – Azure Policy

Review
Management Groups

Provides a level of scope above subscriptions

Targeting of policies and spend budgets across subscriptions, with inheritance down the hierarchy

Compliance and cost reporting by organization (business/teams)


Azure Policy

A service to create, assign, and manage policies

Runs evaluations and scans for non-compliant resources

Advantages:
Enforcement and compliance
Apply policies at scale
Remediation

Usage Cases
Allowed resource types: specify the resource types that your organization can deploy
Allowed virtual machine SKUs: specify a set of virtual machine SKUs that your organization can deploy
Allowed locations: restrict the locations your organization can specify when deploying resources
Require tag and its value: enforces a required tag and its value
Azure Backup should be enabled for Virtual Machines: audit whether the Azure Backup service is enabled for all Virtual Machines


Implementing Azure Policy

1. Browse Policy Definitions

2. Create Initiative Definitions

3. Scope the Initiative Definition

4. View Policy evaluation results



Policy Definitions

Many policy definitions are available

You can import policies from GitHub

Policy Definitions have a specific JSON format

You can create custom policy definitions


Create Initiative Definitions

Group policy definitions

Include one or more policies

Requires planning



Scope the Initiative Definition

Assign the definition to a scope: select the subscription, and optionally the resource group

The scope enforces the policy: the assignment is evaluated against every resource at or below that scope
Determine Compliance

Non-compliant initiatives

Non-compliant policies

Non-compliant resources
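To make the four implementation steps and the compliance view concrete, here is an added example that is not part of the course material or Microsoft's code: a small Python evaluator for the Azure Policy rule language, run over constructed resources. It walks definitions (step 1), an initiative (step 2), a scoped assignment (step 3) and the resulting non-compliant initiative/policies/resources view (step 4), and also includes the lab's "inherit a tag from the resource group if missing" remediation. Everything specific is an assumption: the definition names (allowed-locations, require-tag-Role), the subscription and resource-group IDs, the parameter values and the resources are constructed, the definitions are simplified from the built-ins (the real "Require a tag and its value" builds the tag field from a tagName parameter), and only a subset of the real condition grammar is supported (field with equals/notEquals/notIn, allOf/not, and the [parameters('name')] expression).

```python
"""Added example, not Microsoft's or the course's code: a minimal evaluator for the
Azure Policy rule language, walking the slides' four steps (definitions -> initiative
-> scoped assignment -> evaluation results) over constructed resources.  Supported
subset of the condition grammar: field with equals/notEquals/notIn, allOf/not, and
the [parameters('name')] expression.  Names, scope, parameter values and resources
are constructed for the example."""
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_FIELD_RE = re.compile(r"^tags\[['\"]?([^'\"\]]+)['\"]?\]$|^tags\.(.+)$")

def resolve(value, params):
    """Replace a [parameters('x')] expression with the value set on the assignment."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def get_field(resource, field):
    """Read a field alias: type, location, name, or tags['key'] / tags.key
    (tag keys match case-insensitively, as in Azure)."""
    m = TAG_FIELD_RE.match(field)
    if m:
        tags = {k.lower(): v for k, v in resource.get("tags", {}).items()}
        return tags.get((m.group(1) or m.group(2)).lower())
    return resource.get(field)

def _norm(v):
    return v.lower() if isinstance(v, str) else v  # string comparisons are case-insensitive

def evaluate(cond, resource, params):
    """True when the condition (a policy's 'if' block) matches the resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = get_field(resource, cond["field"])
    if "equals" in cond:
        return _norm(actual) == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return _norm(actual) != _norm(resolve(cond["notEquals"], params))
    if "notIn" in cond:
        return _norm(actual) not in [_norm(v) for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")

# Step 1: definitions in the policy JSON format, modelled on the built-ins "Allowed
# locations" and "Require a tag and its value on resources" (simplified: the built-in
# derives the tag field from a tagName parameter; here the tag name is fixed).
ALLOWED_LOCATIONS = {"name": "allowed-locations", "policyRule": {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},  # region-independent services are exempt
    ]},
    "then": {"effect": "deny"}}}
REQUIRE_ROLE_TAG = {"name": "require-tag-Role", "policyRule": {
    "if": {"not": {"field": "tags['Role']", "equals": "[parameters('tagValue')]"}},
    "then": {"effect": "deny"}}}

# Step 2: an initiative groups definitions; step 3: assigning it to a scope fixes the
# parameter values and selects which resources are evaluated (everything below the scope).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # constructed
RG_INFRA = SUB + "/resourceGroups/rg-infra"
ASSIGNMENT = {
    "initiative": {"name": "infra-baseline", "policyDefinitions": [ALLOWED_LOCATIONS, REQUIRE_ROLE_TAG]},
    "scope": RG_INFRA,
    "parameters": {"listOfAllowedLocations": ["eastus", "westeurope"], "tagValue": "Infra"},
}

def in_scope(resource_id, scope):
    rid, s = resource_id.lower(), scope.lower()
    return rid == s or rid.startswith(s + "/")

def compliance(assignment, resources):
    """Step 4: evaluation results as non-compliant initiative / policies / resources."""
    params, hits = assignment["parameters"], {}
    for r in resources:
        if not in_scope(r["id"], assignment["scope"]):
            continue
        for p in assignment["initiative"]["policyDefinitions"]:
            if evaluate(p["policyRule"]["if"], r, params):
                hits.setdefault(p["name"], []).append(r["id"])
    return {"initiativeCompliant": not hits, "nonCompliantPolicies": sorted(hits),
            "nonCompliantResources": sorted({i for ids in hits.values() for i in ids}), "details": hits}

def inherit_tag_if_missing(resource, resource_group_tags, tag_name):
    """Remediation for the lab's 'Inherit a tag from the resource group if missing'
    (a modify effect): copies the tag down only when the resource lacks it."""
    if get_field(resource, f"tags['{tag_name}']") is not None or tag_name not in resource_group_tags:
        return resource
    return {**resource, "tags": {**resource.get("tags", {}), tag_name: resource_group_tags[tag_name]}}

# Constructed resources: compliant; disallowed region; tag missing; outside the scope.
RESOURCES = [
    {"id": RG_INFRA + "/providers/Microsoft.Storage/storageAccounts/stinfra01",
     "type": "Microsoft.Storage/storageAccounts", "location": "eastus", "tags": {"Role": "Infra"}},
    {"id": RG_INFRA + "/providers/Microsoft.Compute/virtualMachines/vm01",
     "type": "Microsoft.Compute/virtualMachines", "location": "southeastasia", "tags": {"role": "infra"}},
    {"id": RG_INFRA + "/providers/Microsoft.Web/sites/app01",
     "type": "Microsoft.Web/sites", "location": "eastus", "tags": {}},
    {"id": SUB + "/resourceGroups/rg-other/providers/Microsoft.Web/sites/app02",
     "type": "Microsoft.Web/sites", "location": "eastus", "tags": {}},
]
```

Running `compliance(ASSIGNMENT, RESOURCES)` reports the initiative as non-compliant, with vm01 listed under allowed-locations and app01 under require-tag-Role. Two details are worth noticing: Azure Policy compares strings case-insensitively, so vm01's tag `role: infra` satisfies the `Role = Infra` requirement; and app02 sits outside the assignment scope, so it is never evaluated and does not appear as non-compliant at all. Applying `inherit_tag_if_missing` to app01 with the resource group's `Role: Infra` tag makes it compliant, which is what the lab's remediation task achieves.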


Demonstration – Azure Policy

Assign a policy

Create and assign an initiative definition

Check for compliance

Check for remediation tasks

Remove your policy and initiative



Azure Policy - Review

Knowledge Check Questions

Microsoft Learn Modules (docs.microsoft.com/Learn):
Apply and monitor infrastructure standards with Azure Policy
Build a cloud governance strategy


Lesson 03: Role-Based Access Control



Role-Based Access Control Overview

Role-Based Access Control

Role Definition

Role Assignment

Azure RBAC Roles vs Azure AD Administrator Roles

RBAC Authentication

Azure RBAC Roles

Demonstration – RBAC Roles

Review
Role-Based Access Control

Provides fine-grained access management of resources in Azure

Built on Azure Resource Manager

Segregate duties within your team

Grant only the amount of access to users that they need to perform their jobs

Concepts

Security principal. Object that represents something that is requesting access to resources

Role definition. Collection of permissions that lists the operations that can be performed

Scope. Boundary for the level of access that is requested

Assignment. Attaching a role definition to a security principal at a particular scope:
• Users can grant access described in a role definition by creating an assignment
• Deny assignments are currently read-only and are set by Azure Blueprints and Azure Managed Apps
Azure RBAC Roles vs. Azure AD Roles

Azure and Azure AD offer two types of roles

                      Azure RBAC roles                                   Azure AD roles
Manage access to      Azure resources                                    Azure AD objects
Scope                 Can be specified at multiple levels                Tenant level
Role information in   Azure portal, Azure CLI, Azure PowerShell,         Azure portal, Microsoft 365 admin portal, Microsoft Graph,
                      Azure Resource Manager templates, REST API         Azure Active Directory PowerShell for Graph

Classic administrator roles should be avoided if using Azure Resource Manager


Azure RBAC Roles

Owner: has full access to all resources and can delegate access to others. Applies to all resource types. The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope.

Contributor: creates and manages all types of Azure resources but cannot grant access to others. Applies to all resource types.

Reader: views Azure resources. Applies to all resource types.

User Access Administrator: manages user access to Azure resources. Applies to managing access, rather than to managing resources.
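The following is an added example, not Microsoft's or the course's code, showing how the RBAC concepts above (security principal, role definition, scope, assignment, deny assignment) combine into an allow/deny decision for a single operation. It models the rules a practitioner relies on when reasoning about effective access: a role grants an action when it matches Actions and is not excluded by NotActions; an assignment applies at its scope and every scope below it; the result is the union over all applying assignments; and a deny assignment overrides any role assignment. The role definitions are an illustrative subset of the real built-in roles (Contributor's NotActions are the Microsoft.Authorization exclusions that stop it granting access); the management group, subscription, resource IDs, principals and assignments are all constructed for the example.

```python
"""Added example, not Microsoft's or the course's code: how Azure RBAC turns role
definitions, assignments and scope into an allow/deny decision for one operation.
Rules modelled: a role grants an action if it matches Actions and not NotActions;
assignments are inherited down the scope hierarchy; the result is the union over
all applying assignments; a deny assignment overrides everything.  The role
definitions are an illustrative subset of the real built-ins (control-plane
actions only); scopes, principals and assignments are constructed."""
from fnmatch import fnmatchcase

ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [   # manages resources, cannot grant access
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {"Actions": ["*/read", "Microsoft.Authorization/*",
                                              "Microsoft.Support/*"], "NotActions": []},
}

# Constructed scope chain: management group > subscription > resource group > resource.
# Real ARM IDs encode subscription/RG/resource nesting; management-group membership is
# held separately, so the parent links are spelled out here.
MG = "/providers/Microsoft.Management/managementGroups/mg-contoso"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-infra"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
RG_OTHER = SUB + "/resourceGroups/rg-other"
VM_OTHER = RG_OTHER + "/providers/Microsoft.Compute/virtualMachines/vm02"
PARENT = {VM: RG, RG: SUB, VM_OTHER: RG_OTHER, RG_OTHER: SUB, SUB: MG}

def ancestors(scope):
    """The scope itself and every scope above it: assignments inherit downward."""
    while scope:
        yield scope
        scope = PARENT.get(scope)

def matches(patterns, action):
    # Azure action strings are case-insensitive; '*' is the only wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role, action):
    d = ROLE_DEFINITIONS[role]
    return matches(d["Actions"], action) and not matches(d["NotActions"], action)

def is_allowed(principal, action, scope, assignments, deny_assignments=()):
    """Evaluate one control-plane operation for a principal at a scope."""
    applicable = set(ancestors(scope))
    for deny in deny_assignments:   # deny assignments win over any role assignment
        if (principal in deny["principals"] and deny["scope"] in applicable
                and matches(deny["actions"], action)):
            return False
    return any(a["principal"] == principal and a["scope"] in applicable
               and role_permits(a["role"], action) for a in assignments)

# Constructed assignments: one principal per built-in role, at different scopes.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    {"principal": "bob", "role": "Reader", "scope": RG},
    {"principal": "carol", "role": "Owner", "scope": MG},
    {"principal": "dave", "role": "User Access Administrator", "scope": RG},
]
# Deny assignments are read-only for users (set by Azure Blueprints / Managed Apps);
# this constructed one protects vm01 from deletion even by a Contributor.
DENY_ASSIGNMENTS = [
    {"principals": {"alice"}, "scope": VM, "actions": ["Microsoft.Compute/virtualMachines/delete"]},
]
```

The cases worth checking by hand: alice (Contributor at the subscription) can write vm01 but cannot create a role assignment anywhere, because `Microsoft.Authorization/*/Write` is in Contributor's NotActions; carol (Owner at the management group) can, through inheritance; dave (User Access Administrator) can manage access in rg-infra but not modify the VM itself; bob's Reader assignment on rg-infra gives him nothing in rg-other; and the deny assignment blocks alice from deleting vm01 while she can still delete vm02.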


Lab 02b – Manage Governance via Azure Policy

Lab scenario
To improve management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
• Tagging resource groups that include only infrastructure resources
• Ensuring that only properly tagged infrastructure resources can be added to infrastructure resource groups
• Remediating any non-compliant resources

Objectives
Task 1: Create and assign tags via the Azure portal
Task 2: Enforce tagging via an Azure Policy
Task 3: Apply tagging via an Azure Policy

Next slide for an architecture diagram
Lab 02b – Architecture diagram

Task 1: tag the Cloud Shell Storage resource group (containing the Cloud Shell Storage Account) with Name: Role, Value: Infra

Task 2: Azure policy "Require a tag and its value on resources", applied to that resource group

Task 3: Azure policy "Inherit a tag from the resource group if missing", so a New Storage Account created in the resource group receives the Role tag


End of presentation

