LAB-02 Solution: Microsoft Azure Administrator Associate |AZ-104|

 

Microsoft Azure Administrator Associate -104

LAB No. 02

Manage Subscriptions and RBA - Exercise 1:

Task 1: Implement Management Groups

In this task, you will create and configure management groups.

Sign in to the Azure portal.

Search for and select Management groups to navigate to the Management groups blade.

Review the messages at the top of the Management groups blade. If you are seeing the message stating You are registered as a directory admin but do not have the necessary permissions to access the root management group, perfom the following sequence of steps:

In the Azure portal, search for and select Azure Active Directory.

On the blade displaying properties of your Azure Active Directory tenant, in the vertical menu on the left side, in the Manage section, select Properties.

On the Properties blade of your Azure Active Directory tenant, in the Access management for Azure resources section, select Yes and then select Save.

Navigate back to the Management groups blade, and select Refresh.

On the Management groups blade, click + Add. Note: If you have not previously created Management Groups, select Start using management groups

Create a management group with the following settings: Setting | Value | Management group ID | az104-02-mg1 | Management group display name | az104-02-mg1 |

In the list of management groups, click the entry representing the newly created management group.

On the az104-02-mg1 blade, click Subscriptions.

On the az104-02-mg1 | Subscriptions blade, click + Add, on the Add subscription blade, in the Subscription drop-down list, select the subscription you are using in this lab and click Save. Note: On the az104-02-mg1 | Subscriptions blade, copy the ID of your Azure subscription into Clipboard. You will need it in the next task.

Task 2: Create custom RBAC roles

In this task, you will create a definition of a custom RBAC role.

From the lab computer, open the file \Allfiles\Labs\02\az104-02a-customRoleDefinition.json in Notepad and review its content: Paste Content    {       "Name": "Support Request Contributor (Custom)",       "IsCustom": true,       "Description": "Allows to create support requests",       "Actions": [           "Microsoft.Resources/subscriptions/resourceGroups/read",           "Microsoft.Support/*"       ],       "NotActions": [       ],       "AssignableScopes": [           "/providers/Microsoft.Management/managementGroups/az104-02-mg1",           "/subscriptions/SUBSCRIPTION_ID"       ]    }

Replace the SUBSCRIPTION_ID placeholder in the JSON file with the subscription ID you copied into Clipboard and save the change.

In the Azure portal, open Cloud Shell pane by clicking on the toolbar icon directly to the right of the search textbox.

If prompted to select either Bash or PowerShell, select PowerShell. Note: If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and click Create storage.

In the toolbar of the Cloud Shell pane, click the Upload/Download files icon, in the drop-down menu click Upload, and upload the file \\Allfiles\\Labs\\02\\az104-02a-customRoleDefinition.json into the Cloud Shell home directory.

From the Cloud Shell pane, run the following to create the custom role definition: Paste Content New-AzRoleDefinition -InputFile $HOME/az104-02-mg1-CustomRoleDefination.json

Close the Cloud Shell pane.

Task 3: Assign RBAC roles

In this task, you will create an Azure Active Directory user, assign the RBAC role you created in the previous task to that user, and verify that the user can perform the task specified in the RBAC role definition.

In the Azure portal, search for and select Azure Active Directory, on the Azure Active Directory blade, click Users, and then click + New user.

Create a new user with the following settings (leave others with their defaults): Setting | Value | User name | az104-02-aaduser1| Name | az104-02-aaduser1| Let me create the password | enabled | Initial password | Pa55w.rd1234 | Note: Copy to clipboard the full User name (az104-02-aaduser1@malik786shafqatgmail.onmicrosoft.com). You will need it later in this lab.

In the Azure portal, navigate back to the az104-02-mg1 management group and display its details.

Click Access control (IAM), click + Add followed by Role assignment, and assign the Support Request Contributor (Custom) role to the newly created user account.

Open an InPrivate browser window and sign in to the Azure portal using the newly created user account. When prompted to update the password, change the password for the user. Note: Rather than typing the user name, you can paste the content of Clipboard.

In the InPrivate browser window, in the Azure portal, search and select Resource groups to verify that the az104-02-aaduser1 user can see all resource groups.

In the InPrivate browser window, in the Azure portal, search and select All resources to verify that the az104-02-aaduser1 user cannot see any resources.

In the InPrivate browser window, in the Azure portal, search and select Help + support and then click + New support request.

In the InPrivate browser window, on the Problem Description tab of the Help + support - New support request blade, type Service and subscription limits in the Summary field and select the Service and subscription limits (quotas) issue type. Note that the subscription you are using in this lab is listed in the Subscription drop-down list. Note: The presence of the subscription you are using in this lab in the Subscription drop-down list indicates that the account you are using has the permissions required to create the subscription-specific support request. Note: If you do not see the Service and subscription limits (quotas) option, sign out from the Azure portal and sign in back.

Do not continue with creating the support request. Instead, sign out as the az104-02-aaduser1 user from the Azure portal and close the InPrivate browser window. Clean up resources: Note: Remember to remove any newly created Azure resources that you no longer use. Note: Removing unused resources ensures you will not see unexpected charges, although, resources created in this lab do not incur extra cost.

In the Azure portal, search for and select Azure Active Directory, on the Azure Active Directory blade, click Users.

On the Users - All users blade, click az104-02-aaduser1.

On the az104-02-aaduser1 - Profile blade, copy the value of Object ID attribute.

In the Azure portal, start a PowerShell session within the Cloud Shell.

From the Cloud Shell pane, run the following to remove the assignment of the custom role definition (replace the [object_ID] placeholder with the value of the object ID attribute of the az104-02-aaduser1 Azure Active Directory user account you copied earlier in this task): Paste Content $scope = (Get-AzRoleAssignment -RoleDefinitionName 'Support Request Contributor (Custom)').Scope   Remove-AzRoleAssignment -ObjectId '[bdde1843-3d2e-409a-b6d0-0ff59a4e83c4]' -RoleDefinitionName 'Support Request Contributor (Custom)' -Scope $scope

From the Cloud Shell pane, run the following to remove the custom role definition: Paste Content Remove-AzRoleDefinition -Name 'Support Request Contributor (Custom)' -Force

In the Azure portal, navigate back to the Users - All users blade of the Azure Active Directory, and delete the az104-02-aaduser1 user account.

In the Azure portal, navigate back to the Management groups blade.

On the Management groups blade, select the ellipsis icon next to your subscription under the az104-02-mg1 management group and select Move to move the subscription to the Tenant Root management group. Note: It is likely that the target management group is the Tenant Root management group, unless you created a custom management group hierarchy before running this lab.

Select Refresh to verify that the subscription has successfully moved to the Tenant Root management group.

Navigate back to the Management groups blade, right click the ellipsis icon to the right of the az104-02-mg1 management group and click Delete. Review: In this lab, you have: Implemented Management Groups Created custom RBAC roles Assigned RBAC roles