Azure Administration: Manage Subscriptions and Resources

My notes from the course Azure Administration: Manage Subscriptions and Resources in the Prepare for Microsoft Azure Administrator Certification (AZ-103) learning path on LinkedIn Learning

Manage Azure Subscriptions

Administrator Roles

  • Classic - only found in the classic portal which is not recommended by Microsoft
    • Account Administrator - full access
    • Service Administrator - manage services and can assign users to co-admin role
    • Co-Administrator - same as Service Administrator with limitations
  • Azure Role-Based Access Control (RBAC) roles
    • Owner - full access, delegate access
    • Contributor - can't delegate access
    • Reader - can view only
    • User Access Administrator - special elevated role that can access all resources at the root scope (/); temporary use only
    • 70 built-in roles
    • Custom roles
  • Azure Active Directory (AD) admin roles
    • Create, edit, reset user password, etc.
    • Several AzureAD roles that can be additionally granted e.g. Global, Billing, Device, Information Protection, User account, etc.
  • Service Administrator
    • Same as the account administrator (the person who signed up for the account)
    • If the Service Administrator is changed, the Account Administrator loses access as well
    • Cannot add a user who is not in the directory

Azure Policy

  • Policy - individual policies
    • Policy definition - conditions and enforcements
    • Policy assignment - A definition assigned to a scope
    • Policy parameters
  • Initiative - group of individual policies
    • Initiative definition - group of policies
    • Initiative parameters - used by policy definitions
    • Initiative assignment
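
The definition, parameters, initiative and assignment above wired together in one script. This is an added example, not code from the course; it assumes the Az.Resources and Az.PolicyInsights modules, an authenticated session, and the resource group 'AZ-100' used elsewhere in these notes.

```powershell
# Added example (not from the course). Assumes Az.Resources, Az.PolicyInsights,
# an authenticated session and a resource group named 'AZ-100'.

# Policy definition: the rule is generic, the allowed locations are a policy
# parameter whose value is supplied at assignment time.
$rule = @'
{ "if":   { "field": "location", "notIn": "[parameters('allowedLocations')]" },
  "then": { "effect": "deny" } }
'@
$ruleParams = @'
{ "allowedLocations": { "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" } } }
'@
$locPolicy = New-AzPolicyDefinition -Name 'deny-unapproved-locations' `
    -DisplayName 'Deny resources outside approved locations' `
    -Policy $rule -Parameter $ruleParams -Mode All

# Built-in definition referenced later in these notes, looked up by display name
$diskPolicy = Get-AzPolicyDefinition |
    Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# Initiative definition: groups both policies. The initiative parameter is
# passed through to the location policy's parameter.
$members = @(
    @{ policyDefinitionId = $locPolicy.PolicyDefinitionId
       parameters = @{ allowedLocations = @{ value = "[parameters('initiativeLocations')]" } } }
    @{ policyDefinitionId = $diskPolicy.PolicyDefinitionId }
)
$setParams = @'
{ "initiativeLocations": { "type": "Array", "metadata": { "displayName": "Initiative locations" } } }
'@
$initiative = New-AzPolicySetDefinition -Name 'baseline-initiative' `
    -DisplayName 'Baseline: approved locations and managed disks' `
    -PolicyDefinition (ConvertTo-Json -InputObject $members -Depth 10) `
    -Parameter $setParams

# Initiative assignment: bind it to the resource group scope and supply the value
$rg = Get-AzResourceGroup -Name 'AZ-100'
New-AzPolicyAssignment -Name 'baseline-AZ-100' -Scope $rg.ResourceId `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ initiativeLocations = @('eastus', 'westus') }

# Compliance check: non-compliant resources show up after the next evaluation cycle
Get-AzPolicyState -ResourceGroupName 'AZ-100' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName
```

Existing resources are only audited, not removed: a deny effect blocks new non-compliant deployments, while resources created before the assignment are reported as non-compliant.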

Analyze Resource Utilization and Consumption

Types of Logs

  • Activity Logs - subscription-level records of PUT, POST and DELETE operations on Azure resources (the control plane)
  • OS-level (Guest OS) diagnostic logs - logs collected by an agent running inside the VM
  • Application logs - used to debug an application, including:
    • Web server diagnostics
    • Application diagnostics
  • Diagnostic logs - no agent required
    • Tenant logs - activity on resources outside subscriptions, e.g. AzureAD
    • Resource logs - activity within subscriptions

Configure Diagnostic Settings

# List all resources
Get-AzureRmResource | ft

# Enable diagnostic settings
Set-AzureRmDiagnosticSetting -ResourceId 'ResourceID' -Enabled $True -StorageAccountId 'StorageID' 

# Display resource detail and settings
Get-AzureRmDiagnosticSetting -ResourceId 'ResourceID'

# Disable diagnostic settings
Set-AzureRmDiagnosticSetting -ResourceId 'ResourceID' -Enabled $False

Baseline for Resources

  • Process automation - via Runbooks e.g. start or stop VMs
  • Configuration management
    • Inventory
    • Change tracking
    • Desired State Configuration (DSC)
  • Update management
  • Shared capability - automate and configure at scale

Azure Alerts

  • Target - resources to be monitored
  • Criteria - conditions that will trigger an action
  • Action - to be sent to receiver
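
The three parts of an alert rule (target, criteria, action) as one working metric alert. This is an added example, not code from the course; it assumes the Az.Compute and Az.Monitor modules, an authenticated session, the resource group 'AZ-100' and VM 'Server2012R2' named elsewhere in these notes, and a placeholder e-mail address.

```powershell
# Added example (not from the course). Assumes Az.Compute, Az.Monitor, an authenticated
# session, resource group 'AZ-100', VM 'Server2012R2' and a placeholder e-mail address.

# Target: the resource to be monitored
$vm = Get-AzVM -ResourceGroupName 'AZ-100' -Name 'Server2012R2'

# Action: an action group with a single e-mail receiver (subject to the
# rate limits in the next section: at most 100 e-mails per hour)
$receiver = New-AzActionGroupReceiver -Name 'ops-email' `
    -EmailReceiver -EmailAddress 'ops@example.com'   # placeholder address
$actionGroup = Set-AzActionGroup -Name 'ops-alerts' -ResourceGroupName 'AZ-100' `
    -ShortName 'ops' -Receiver $receiver

# Criteria: average CPU above 80 % within the evaluation window
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
    -MetricNamespace 'Microsoft.Compute/virtualMachines' `
    -TimeAggregation Average -Operator GreaterThan -Threshold 80

# Alert rule: evaluate every 5 minutes over a 5 minute window, severity 2 (warning)
Add-AzMetricAlertRuleV2 -Name 'vm-cpu-high' -ResourceGroupName 'AZ-100' `
    -TargetResourceId $vm.Id `
    -Condition $criteria `
    -WindowSize 00:05:00 -Frequency 00:05:00 `
    -ActionGroupId $actionGroup.Id `
    -Severity 2 -Description 'CPU above 80% for 5 minutes'

# Review the rules configured in the resource group
Get-AzMetricAlertRuleV2 -ResourceGroupName 'AZ-100' | Format-Table Name, Severity, Enabled
```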

Rate Limiting

  • 100 emails / hour
  • 1 voice call / 5 minutes
  • 1 SMS / 5 minutes

Azure Advisor

  • Eliminate unprovisioned ExpressRoute circuits - status 'not provisioned' for over a month
  • Delete or reconfigure unused virtual network gateways - over 90 days
  • Switch to reserved VM instances

VM Optimization

  • VM usage is monitored for 14 days
  • Identify underutilized instances:
    • CPU < 5%
    • Network traffic < 7 MB for four days
  • Recommends resizing or shutting down the instance

Manage Resource Groups

Apply Policies

# Get resource group and policy definition
$RG = Get-AzureRmResourceGroup -Name 'AZ-100'
$Definition = Get-AzureRmPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# Create a policy assignment
New-AzureRmPolicyAssignment -Name 'VM-manageddisk' -DisplayName 'Virtual Machines without Managed Disks' -Scope $RG.ResourceId -PolicyDefinition $Definition

# List all policy definitions
Get-AzureRmPolicyDefinition | ft Name

# Get policy assignment
$PolicyAssignment = Get-AzureRmPolicyAssignment | Where-Object { $_.Properties.DisplayName -eq 'Virtual Machines without Managed Disks' }

# Remove policy assignment
Remove-AzureRmPolicyAssignment -Name 'VM-manageddisk' -Scope $RG.ResourceId

Resource Locks

  • Types of locks
    • CanNotDelete - can read and modify but cannot delete
    • ReadOnly - can only read; writes are blocked as well, which can lead to unexpected results
  • Applies to all child resources
  • The most restrictive lock takes precedence
  • Permissions required
    • Microsoft.Authorization/*
    • Microsoft.Authorization/locks/*
    • Owner
    • User Access Administrator

# Create a new resource lock
New-AzureRmResourceLock -LockName NoDelete -LockLevel CanNotDelete -LockNotes "Cannot Delete Resources" -ResourceGroupName 'AZ-100'

# List all resource locks
Get-AzureRmResourceLock

# List resource locks in a specific resource group
Get-AzureRmResourceLock -ResourceGroupName 'AZ-100'

# Remove resource lock
Remove-AzureRmResourceLock -LockName NoDelete -ResourceGroupName 'AZ-100'

Setting Tags

# List all tags in the subscription
Get-AzureRmTag

# Create a new tag
New-AzureRmTag -Name 'IT' -Value "Dev"

# Set tags on resource group
Set-AzureRmResourceGroup -Name "AZ-100" -Tag @{IT = 'Prod'}

# Get count and values of specific tag name
Get-AzureRmTag -Name "IT"

# Assign tag to a resource
$resource = Get-AzureRmResource -ResourceName 'Server2012R2' -ResourceGroupName 'AZ-100'
Set-AzureRmResource -Tag @{IT = "Dev"} -ResourceID $resource.ResourceID -Force

# Delete tags from resource group
Set-AzureRmResourceGroup -Tag @{} -Name 'AZ-100'

# Delete tags from a resource
Set-AzureRmResource -Tag @{} -ResourceID $resource.ResourceID -Force

# Delete tag
Remove-AzureRmTag -Name 'IT'

Moving Resources

  • Move type
    • Move to another subscription - must be in the same AzureAD tenant
    • Move to another resource group in the same subscription
  • Considerations
    • Resources are locked (against add, change, or delete) during the move but remain available
    • Location does not change
    • Not all resources can be moved
    • Ensure the target subscription will not exceed its subscription quota
    • Up to 800 resources per move
  • Permissions required
    • Source: Microsoft.Resources/subscriptions/resourceGroups/moveResources/action
    • Destination: Microsoft.Resources/subscriptions/resourceGroups/write

# List all resource IDs in resource group
Get-AzureRmResource -ODataQuery "`$filter=resourcegroup eq 'OldRGPS'" | Format-Table -Property ResourceId

# Move a resource (fill in a resource ID from the list above)
Move-AzureRmResource -DestinationResourceGroupName "NewRGPS" -ResourceId ""

# List all resource IDs in the new resource group
Get-AzureRmResource -ODataQuery "`$filter=resourcegroup eq 'NewRGPS'" | Format-Table -Property ResourceId

Remove Resource Group

Remove-AzureRmResourceGroup -Name 'NewRGPS'

Manage Role-Based Access Control (RBAC)

  • AzureAD role vs. RBAC role
    • RBAC roles grant access to manage Azure resources
    • AzureAD roles are used to manage AzureAD resources, e.g. users/groups, assign admins, reset passwords, manage licenses, manage domains
  • Permissions required to manage RBAC roles
    • Microsoft.Authorization/roleAssignments/write
    • Microsoft.Authorization/roleAssignments/delete
    • Granted by default to Owner and User Access Administrator

Role Assignment

  • Security principal - who or what
    • User, group, service principal, or managed identity
  • Role definition - the permissions that can or cannot be performed
  • Scope - boundary of access
    • Roles are inherited by all child scopes

# List all role definitions
Get-AzRoleDefinition | ft Name, Description

# Get detail of specific role
Get-AzRoleDefinition 'Contributor'

# Get action of specific role
Get-AzRoleDefinition 'Contributor' | fl Actions, NotActions

$subScope = "/subscriptions/xxx"

# Assign role Reader to a person on subscription
New-AzRoleAssignment -SignInName `
  -RoleDefinitionName Reader `
  -Scope $subScope

# Assign role Contributor to a person on resource group
New-AzRoleAssignment -SignInName `
  -RoleDefinitionName Contributor `
  -ResourceGroupName "RBAC"

# List role assignments on resource group
Get-AzRoleAssignment -ResourceGroupName "RBAC" | fl DisplayName, RoleDefinitionName

# List role assignments for a person
Get-AzRoleAssignment -SignInName | fl RoleDefinitionName, RoleAssignmentID

# Remove role assignment of a person on resource group
Remove-AzRoleAssignment -SignInName `
  -RoleDefinitionName Contributor `
  -ResourceGroupName "RBAC"

Custom Role Definition

Custom roles can only be created via PowerShell, the Azure CLI, or the REST API (not in the portal at the time of the course).

# List all role definitions
Get-AzRoleDefinition | ft Name, IsCustom

# Download role definition as JSON file
Get-AzRoleDefinition -Name 'Virtual Machine Contributor' | ConvertTo-Json | Out-File "C:\Users\xxx\Desktop\VMContributor.json"

# Create a new role definition from JSON file
New-AzRoleDefinition -InputFile "C:\Users\xxx\Desktop\PowerOperator.json"

# List all custom role definitions
Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | ft Name, IsCustom

# Get detail of specific role definition
Get-AzRoleDefinition "Virtual Machine Power Operator"

# Remove a role definition
Remove-AzRoleDefinition -Id "xxx"
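
The JSON behind the 'Virtual Machine Power Operator' role referenced above, built as a least-privilege definition and checked before assignment. This is an added example, not the course's file; the action list, the subscription id and object id placeholders, and the temp-file path are assumptions.

```powershell
# Added example (not from the course). Assumes Az.Resources, an authenticated
# session and placeholder subscription / object ids that you replace.
$subscriptionId = '<subscription-id>'   # placeholder

# Only the actions needed to power VMs on/off and to find them. No .../write on the
# VM itself, so the role cannot change disks, NICs, extensions or identities.
$roleJson = @"
{
  "Name": "Virtual Machine Power Operator",
  "IsCustom": true,
  "Description": "Can start, stop and restart virtual machines but not change them.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'PowerOperator.json'
Set-Content -Path $path -Value $roleJson

# Create the role from the JSON file, then read back the effective permission set
New-AzRoleDefinition -InputFile $path
$role = Get-AzRoleDefinition -Name 'Virtual Machine Power Operator'
$role | Format-List Name, IsCustom, Actions, NotActions, AssignableScopes

# Guard: warn if the definition grants any write/delete or a wildcard action
$broad = $role.Actions | Where-Object { $_ -match '/(write|delete)$' -or $_ -like '*`**' }
if ($broad) { Write-Warning "Role grants broad permissions: $($broad -join ', ')" }

# Assign at resource-group scope, the narrowest scope that fits the need
$principalObjectId = '<object-id>'   # placeholder: user, group or service principal
New-AzRoleAssignment -ObjectId $principalObjectId `
    -RoleDefinitionName 'Virtual Machine Power Operator' `
    -ResourceGroupName 'RBAC'
```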

General Considerations

  • Up to 2,000 roles per subscription
  • Up to 30 minutes for a role assignment or change to be applied
  • Role assignments do not follow moved or migrated resources - the assignment must be re-created