CtrlK

Search...

Trending this month -AWS CCP•AZ-900•AI-102•Sec+•ITIL 4•A+•CSA•TOGAF•CISSP•AZ-104

Quick Feedback

Azure Administrator Study Notes

Microsoft Entra ID (Azure AD)

Cloud-based identity and access management

Domain Weight

Manage identities and governance represents 20-25% of the exam. Focus on Entra ID, RBAC, and subscriptions.

Entra ID Core Concepts

Concept	Description	Key Points
Tenant	Instance of Entra ID for organization	One per organization, has unique ID
Directory	Container for users, groups, apps	Flat structure (no OUs)
Subscription	Agreement to use Azure services	Linked to one directory, billing boundary
Management Group	Container for subscriptions	Hierarchical, policy inheritance

User Management

Cloud Identity

Created and managed in Entra ID only. Format: user@domain.onmicrosoft.com

Synced Identity

Synced from on-premises AD via Entra Connect. Mastered in on-prem AD.

Guest User

External identity invited via B2B. Has #EXT# in UPN.

Service Principal

Identity for applications and services. Used for automation.

Group Types

Type	Membership	Use Cases
Security Group	Assigned, Dynamic User, Dynamic Device	RBAC, resource access control
Microsoft 365 Group	Assigned, Dynamic User	Collaboration (Teams, SharePoint)
Assigned	Manually add/remove members	Static membership
Dynamic	Query-based (department = 'IT')	Automatic membership based on attributes

Entra ID vs On-Premises AD

• Entra ID is flat (no OUs, forests, domains)

• Uses REST API (not LDAP)

• Supports SAML, OAuth, OpenID Connect

• No Group Policy (use Intune instead)

Exam Focus Areas

Custom domains require TXT or MX record verification
Bulk operations via CSV upload for users
Administrative Units for delegated administration scope
Device registration: Entra registered, Entra joined, Hybrid Entra joined

Azure RBAC

Authorization system for Azure resources

RBAC Components

Component	Description	Example
Security Principal	Who needs access	User, Group, Service Principal, Managed Identity
Role Definition	Collection of permissions	Reader, Contributor, Owner, Custom
Scope	Where access applies	Management Group, Subscription, Resource Group, Resource
Role Assignment	Attachment of role to principal at scope	User X is Contributor on RG Y

Built-in Roles

Owner

Full access to all resources including ability to delegate access to others.

Contributor

Create and manage all resources but cannot grant access to others.

Reader

View all resources but cannot make any changes.

User Access Administrator

Manage user access to Azure resources (but not resources themselves).

Custom Roles

Created when built-in roles don't meet needs
JSON definition with Actions, NotActions, DataActions, NotDataActions
AssignableScopes defines where role can be assigned
Requires Entra ID Premium P1/P2 for some scenarios

Scope Hierarchy

Inheritance

Management Group → Subscription → Resource Group → Resource

Permissions assigned at parent scope are inherited by child resources.

Role assignments are additive - effective permissions are the combination of all assignments.

Exam Focus Areas

Deny assignments override role assignments (created by Blueprints)
Max 4000 custom roles per tenant
Use PIM for just-in-time privileged access
Effective access = Union of all role assignments minus explicit deny

Subscriptions & Management Groups

Organizing and governing Azure resources

Management Group Hierarchy

Root management group at top (tenant level)
Up to 6 levels of depth (excluding root)
Subscriptions can only belong to ONE management group
Policy and RBAC inherit down the hierarchy

Azure Policy

Component	Purpose	Examples
Policy Definition	Rules for compliance	Allowed locations, Required tags
Initiative	Collection of policies	Azure Security Benchmark
Assignment	Applies policy to scope	Initiative assigned to subscription
Exemption	Exclude resources from policy	Testing resources exempted

Policy Effects

Deny

Prevent non-compliant resource creation or modification

Audit

Create warning event in activity log but allow operation

Append

Add additional properties to resources

DeployIfNotExists

Deploy a related resource if it doesn't exist

Modify

Add, update, or remove tags on resources

Disabled

Policy not enforced

Resource Locks

Lock Type	Can Read	Can Modify	Can Delete
CanNotDelete	Yes	Yes	No
ReadOnly	Yes	No	No

Lock Inheritance

Locks at parent scope apply to all child resources.

Most restrictive lock takes precedence.

Owner or User Access Administrator required to manage locks.

Exam Focus Areas

Policy evaluation happens every 24 hours (or on-demand)
DeployIfNotExists requires managed identity for remediation
Use Tags for cost allocation, automation, and organization
Blueprints bundle templates, policies, RBAC, and resource groups

Azure Administrator Study Notes

Microsoft Entra ID (Azure AD)

Cloud-based identity and access management

Domain Weight

Manage identities and governance represents 20-25% of the exam. Focus on Entra ID, RBAC, and subscriptions.

Entra ID Core Concepts

Concept	Description	Key Points
Tenant	Instance of Entra ID for organization	One per organization, has unique ID
Directory	Container for users, groups, apps	Flat structure (no OUs)
Subscription	Agreement to use Azure services	Linked to one directory, billing boundary
Management Group	Container for subscriptions	Hierarchical, policy inheritance

User Management

Cloud Identity

Created and managed in Entra ID only. Format: user@domain.onmicrosoft.com

Synced Identity

Synced from on-premises AD via Entra Connect. Mastered in on-prem AD.

Guest User

External identity invited via B2B. Has #EXT# in UPN.

Service Principal

Identity for applications and services. Used for automation.

Group Types

Type	Membership	Use Cases
Security Group	Assigned, Dynamic User, Dynamic Device	RBAC, resource access control
Microsoft 365 Group	Assigned, Dynamic User	Collaboration (Teams, SharePoint)
Assigned	Manually add/remove members	Static membership
Dynamic	Query-based (department = 'IT')	Automatic membership based on attributes

Entra ID vs On-Premises AD

• Entra ID is flat (no OUs, forests, domains)

• Uses REST API (not LDAP)

• Supports SAML, OAuth, OpenID Connect

• No Group Policy (use Intune instead)

Exam Focus Areas

Custom domains require TXT or MX record verification
Bulk operations via CSV upload for users
Administrative Units for delegated administration scope
Device registration: Entra registered, Entra joined, Hybrid Entra joined

Azure RBAC

Authorization system for Azure resources

RBAC Components

Component	Description	Example
Security Principal	Who needs access	User, Group, Service Principal, Managed Identity
Role Definition	Collection of permissions	Reader, Contributor, Owner, Custom
Scope	Where access applies	Management Group, Subscription, Resource Group, Resource
Role Assignment	Attachment of role to principal at scope	User X is Contributor on RG Y

Built-in Roles

Owner

Full access to all resources including ability to delegate access to others.

Contributor

Create and manage all resources but cannot grant access to others.

Reader

View all resources but cannot make any changes.

User Access Administrator

Manage user access to Azure resources (but not resources themselves).

Custom Roles

Created when built-in roles don't meet needs
JSON definition with Actions, NotActions, DataActions, NotDataActions
AssignableScopes defines where role can be assigned
Requires Entra ID Premium P1/P2 for some scenarios

Scope Hierarchy

Inheritance

Management Group → Subscription → Resource Group → Resource

Permissions assigned at parent scope are inherited by child resources.

Role assignments are additive - effective permissions are the combination of all assignments.

Exam Focus Areas

Deny assignments override role assignments (created by Blueprints)
Max 4000 custom roles per tenant
Use PIM for just-in-time privileged access
Effective access = Union of all role assignments minus explicit deny

Subscriptions & Management Groups

Organizing and governing Azure resources

Management Group Hierarchy

Root management group at top (tenant level)
Up to 6 levels of depth (excluding root)
Subscriptions can only belong to ONE management group
Policy and RBAC inherit down the hierarchy

Azure Policy

Component	Purpose	Examples
Policy Definition	Rules for compliance	Allowed locations, Required tags
Initiative	Collection of policies	Azure Security Benchmark
Assignment	Applies policy to scope	Initiative assigned to subscription
Exemption	Exclude resources from policy	Testing resources exempted

Policy Effects

Deny

Prevent non-compliant resource creation or modification

Audit

Create warning event in activity log but allow operation

Append

Add additional properties to resources

DeployIfNotExists

Deploy a related resource if it doesn't exist

Modify

Add, update, or remove tags on resources

Disabled

Policy not enforced

Resource Locks

Lock Type	Can Read	Can Modify	Can Delete
CanNotDelete	Yes	Yes	No
ReadOnly	Yes	No	No

Lock Inheritance

Locks at parent scope apply to all child resources.

Most restrictive lock takes precedence.

Owner or User Access Administrator required to manage locks.

Exam Focus Areas

Policy evaluation happens every 24 hours (or on-demand)
DeployIfNotExists requires managed identity for remediation
Use Tags for cost allocation, automation, and organization
Blueprints bundle templates, policies, RBAC, and resource groups