Sunday, March 13, 2022

20220313 AZ-104 Azure Administrator Certification Class: Day 2 Notes

 Apply Resource Tagging


Management Group

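  • Not enabled by default; once MG is enabled, the Root Management Group becomes visible

    • Access can be enabled under AAD --> Properties --> Access management for Azure resources

  • Linked to a single Azure AD; used for management across subscriptions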

    • RBAC

    • Activity Log

    • Assign Azure policy

    • Cost Management


To see all Azure subscriptions

  • Go to AAD --> Properties --> Access management for Azure resources

    • Grants the user access at the root scope under AAD (User Access Administrator)



Azure Policies

  • Policy, found under Management and governance

    • Compliance checks and restrictions on actions

  • Can be applied to MG / Subscription / RG

  • Usage Cases

    • Specify the resource types that your organization can deploy.

    • Specify a set of virtual machine SKUs that your organization can deploy.

    • Restrict the locations your organization can specify when deploying resources.

    • Enforce a required tag and its value.

    • Audit if Azure Backup service is enabled for all Virtual machines
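
The "Enforce a required tag and its value" use case above, written out as a custom policy definition. This is an added example, not part of the class material; the display name and description are constructed, and the tag name, tag value and effect are parameters supplied when the policy is assigned.

```json
{
  "properties": {
    "displayName": "Require a tag and its value on resources (constructed example)",
    "description": "Constructed example: flags or blocks any resource whose tag does not match the required value.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": { "displayName": "Tag name" }
      },
      "tagValue": {
        "type": "String",
        "metadata": { "displayName": "Required tag value" }
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Audit",
        "metadata": { "displayName": "Effect" }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "equals": "[parameters('tagValue')]"
        }
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

With the default Audit effect, non-matching resources only show up as non-compliant; switching the assignment to Deny rejects create and update requests that lack the tag or carry a different value. The "Indexed" mode limits evaluation to resource types that support tags and location.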


An initiative definition

  • is a set of Policy Definitions to help track your compliance state for a larger goal


Lab 02b: 


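Delegated Administration of Azure Resources

Deployment Model (since 2008)

  • Azure Service Management (ASM, Classic)

    • Administration can only be delegated at the Subscription level, for 1 subscription

    • 1 Account Administrator (handles billing and administrative matters)

    • 1 Service Administrator (manages the resources in the subscription)

    • 0 to 200 Co-Administrators (same as Service Administrator, but cannot change the subscription to a different Azure AD)

  • Azure Resource Manager (ARM) (since 2015.12)

    • Administration can be delegated at the Management Group, Subscription, Resource Group and Resource levels (settings made at a higher level are automatically inherited by the levels below)

    • Many built-in roles (e.g. Owner, Reader); custom roles can also be defined if needed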


Role Definition


RBAC Authentication



Lab 02a - Manage Subscriptions and RBAC

Reference


Keyboard shortcuts in the Azure portal



Tools that work with ARM



Resource Group

  • Resources can only exist in one resource group.

  • Resource Groups cannot be renamed.

  • Resource Groups can have resources of many different types (services).

  • Resource Groups can have resources from many different regions.

  • Resource Groups cannot be nested.


Resource Manager Locks

  • Can be applied to a subscription, resource group, or resource

  • Inherited downward

  • Types

    • Delete lock

    • Read-Only lock


Azure Quickstart Templates


Lab 03a - Manage Azure resources by Using the Azure Portal

Reference


Lab 03b - Manage Azure resources by Using ARM Templates

Reference


Lab 03d - Clean up section

Reference

https://github.com/MicrosoftLearning/AZ-104-MicrosoftAzureAdministrator/blob/master/Instructions/Labs/LAB_03d-Manage_Azure_Resources_by_Using_Azure_CLI.md
