
Get into and around the Azure cloud ASM & ARM portals

Overview

This is a step-by-step hands-on approach to getting you up and running on Azure cloud.

Microsoft Learn account

  1. Get an account into “Microsoft Learn”, which provides FREE temporary cloud instances for hands-on learning. This one feature is getting many to invest their time on Azure versus AWS, Google, etc.

    https://docs.microsoft.com/en-us/learn/azure/

    Notice that the product categories are: .NET, Azure, Business Applications, Dynamics 365, Power Platform, Visual Studio, and Windows.

    Job Roles

  2. Select your role:

    • Business User
    • Business Analyst
    • (Azure) Administrator
    • (Azure) Developer
    • (Azure) Solution Architect
    • Data Engineer
    • AI Engineer

    MY OPINION: I think job roles should be multi-select checkboxes. This segregation also adds to duplicating material.

    PROTIP: These learning roles are different from the Administrator role permissions in Azure Active Directory.

  3. After registering, use this URL:

    https://techprofile.microsoft.com/en-us/your name

Microsoft Azure account

  1. PROTIP: Avoid using an email that you use for your own banking, shopping, social media, etc. For continuity with a real cloud, you’ll need an email address that you can share and transfer to other people. That’s because at a company you will need to give someone else the password, so that if you ever go on vacation or get “run over by a bus”, your organization can continue.

    If you’re in an enterprise company, get an email address from a corporate assets administrator. A different account is often created for each department of responsibility.

    PROTIP: Include the month and year in the account name (such as johndoe1901@hotmail.com for 2019-01, January). Many create several email accounts because each Azure subscription includes a $200 credit to spend on any service for the first 30 days, free access to the most popular Azure products for 12 months, and access to more than 25 products that are always free.

    When someone signs up for a Microsoft cloud service subscription such as Microsoft Azure, Microsoft Intune, or Office 365, a dedicated instance of Azure AD (Active Directory) is created for your organization. Azure AD is partitioned into separate tenants. A tenant is a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization.

  2. For birthdate, make up an adult year: 2019 - 22 = 1997

    PROTIP: Write it down for account recovery, such as in a 1Password entry. Also write down the date you created the account.

  3. You’ll need a phone number for multi-factor Authentication.

    PROTIP: Give Google Voice the cell number that you’ve been giving out to people. Then get a new phone number from your cell carrier (Verizon, ATT, etc.). In Google Voice have that new number ring when someone calls you at your original number. Give that new number only to Microsoft. This enables you to transfer that new number to someone else without making your friends wonder where you went.

    PROTIP: For the best security, use someone else’s phone for 3FA. But as my wife will tell you, this can get annoying if you work while she’s sleeping with her phone next to her.

  4. You’ll need a credit card number.

    Many companies have a company (corporate) credit card.

  5. Sign up for Azure:

    https://signup.live.com/signup

  6. PROTIP: You don’t need to sign-up for and pay for a subscription with your credit card until you have 5 users.

    PROTIP: Use an address with a zip code that’s not associated with your home address, and used only for banking.

    Multiple subscriptions can be created under a single Azure account (Dev, Test, Staging, Production, etc.). This is particularly useful for businesses because access control and billing occur at the subscription level, not the account level.

  7. Install the Microsoft Authenticator app on your smartphone and set up two-factor authentication to approve access using your phone.

  8. Get a unique profile image and add picture.

Two Azure portals

Microsoft has been transitioning from the “classic” (older) Azure Service Management (ASM) to the Azure Resource Manager (ARM).

Product   Sign-up page                      Dashboard page
ASM       account.windowsazure.com/signup   manage.windowsazure.com
ARM       azure.com                         portal.azure.com
          (azure.microsoft.com/en-us/)

ASM has “Cloud Services” and “Affinity Groups”. It is structured with Resource Groups (logical containers) that provide a single-resource point of view (i.e., you manage a single resource at a time).

ARM includes parallelization when creating resources for faster deployment of complex, interdependent solutions. ARM also includes granular access control, and the ability to tag resources with metadata.

Services NOT available in the newer ARM portal:

Also, instead of 2 racks, ARM resources can span 3 racks of computers.

See: Which portal supports each Azure service, listed alphabetically

ASM Sign-up

The older steps to “Create an API gateway and Developer Portal in minutes”:

  1. https://account.windowsazure.com/signup

  2. If you have a BizSpark account, activate the $25/month Azure credit at
    https://myprodscussu1.app.vssubscriptions.visualstudio.com/Dashboard

    NOTE: This can be done by the AZ CLI command “az account create” for those who have a MS-AZR-0017P (EnterpriseAgreement) or MS-AZR-0148P (EnterpriseAgreement devTest).

  3. Verification by text message or call does not use land-line VOIP phone numbers, only cellular numbers.

  4. Input credit card (even though it’s free).

  5. Click “Start Managing my service” for https://portal.azure.com

ARM Sign-up at Azure.com

  1. If you are not logged in, type azure.com in your browser’s address.

    You’ll get sent to a marketing page such as:
    https://azure.microsoft.com/en-us/?v=17.14

  2. Click the portal link at the upper right corner.

    This redirects you to a list of Microsoft accounts that have been used on your computer.

  3. Click the account name (email) you use for Azure.

  4. Enter the password.

    You are redirected through various URLs until you land on a URL such as this, containing your Tenant ID GUID:

    https://portal.azure.com/#dashboard/private/a7a02378-1e4b-4017-972e-9dfe53bc2b2f

    This is the Dashboard.

ARM Dashboard Tour

  1. At https://portal.azure.com

  2. Click the “hamburger” icon at the upper-left corner for English descriptions of each icon on the left edge.

  3. Click it again. It’s a toggle.

  4. Click the “>” at the lower-left corner to manage which icons appear on the left edge.

  5. Scroll down the long list to get a sense of the categories:

    • GENERAL
    • COMPUTE
    • NETWORKING
    • STORAGE
    • DATABASES
    • INTELLIGENCE + ANALYTICS
    • INTERNET OF THINGS
    • ENTERPRISE INTEGRATION
    • SECURITY + IDENTITY
    • DEVELOPER TOOLS
    • MONITORING + MANAGEMENT
    • ADD-ONS
    • OTHER

  6. Click the star to control items that appear as icons on the left of the page.

  7. Drag an icon and drop it to reorder the icons.

    PROTIP: I drag the “Billing” icon to the top so I manage the money involved.

    BTW, billing is associated with Management Subscriptions with names such as “Pay-as-you-go…”

    Help + Support

  8. Scroll down to click Help + Support (the person icon in blue). Notice the URL change:

    https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview

    Panes that appear on the right are called “blades”.

    Support requests can ALSO be reached another way.

  9. Click the question mark icon at the upper-right corner.


    Notice Support options are also listed behind the smiley face icon.

    Moreover, there is also a “Help + Support” box on the Dashboard.

    That’s now 3 places you can find it.

  10. Right-click on the “Help + Support” box on the Dashboard and select “unpin” because you now know you can reach it (in two places).

    Keyboard Shortcuts

  11. Click Keyboard shortcuts in the menu.

    BLAH: I have no idea what G means. See:

    https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-keyboard-shortcuts

    Marketplace

  12. Right-click on the “Marketplace” box on the Dashboard and select “unpin” because you can reach it this way:

  13. Click on the green + icon for a list in the Marketplace. Additional categories are:

    • Web + Mobile
    • Containers
    • Blockchain

    Clicking “Web + Mobile” to create a Web App on Azure is a common use case.

  14. Click the X to close a blade.

Install Powershell

See https://wilsonmar.github.io/azure-cloud-powershell/

AZ API

  1. Use the automation bash script for MacOS at

    https://github.com/wilsonmar/mac-install-all

    The “mac-install-all.sh” script places a secrets.sh file in your machine’s home folder.

    The script takes care of installing the Azure CLI.

  2. Edit the file there (not in the repo directory).

    If the TRYOUT string in the secrets.sh file is edited to contain a known value for a module, that module is executed.

    To execute all modules:

    TRYOUT=”az-vm”

    Alternately, to execute only one or a few modules, for example:

    TRYOUT=”az-vm”

    … the Bash script has been programmed to create an instance using az CLI commands, rather than having you manually copy and paste commands (using command+shift+V) into an Azure Cloud Shell instance launched in an internet browser, as described at:

    https://docs.microsoft.com/en-us/cli/azure/azure-cli-vm-tutorial?view=azure-cli-latest

    • Log in
    • Create a resource group
    • Create a virtual machine
    • Get VM information with queries
    • Set environment variables from CLI output
    • Create the new VM on an existing public subnet (contoso.ws)
    • Verify public access to one-page static page (like isitchristmas.com)
    • Cleanup (remove vm instance if TRYOUT_KEEP is not specified)
    • Display cost of above

    Alternately, if in the secrets.sh file the TRYOUT string is edited to contain this:

    TRYOUT=”az-func”

    This creates an Azure (Serverless) Function, as described in commands listed at:

    Azure Functions

    The unique aspect of the mac-install-all.sh script is that it does NOT require you to go from screen to screen typing steps by step starting from
    https://azure.microsoft.com/en-us/services/functions

    The script executes a set of commands for you automatically so you get past the installation and configuration confusion, bringing your laptop to a point where you can work on changing the sample to the app you want. You can then re-run the script, and any changes to the underlying framework would be upgraded if needed.

    Since Azure provides a small amount of free time to all accounts each month under their Consumption Plan, you can do several runs each month without spending any cash. See their Pricing.

    The “az-func” TRYOUT does all the following:

    Account Password > Login > Tenant > Principal > APP_ID > Roles > Template > stop

  3. The script uses this command to log you in:

    az login -u "$AZ_USER" -p "$AZ_PASSWORD"

    If you have not signed up for a subscription, you’ll get an error such as: “No subscriptions were found for ‘None’. If this is expected, use ‘--allow-no-subscriptions’ to have tenant level accesses”

    CAUTION: Logging in online imbues you with a full set of permissions that a login using the az command does not fully possess.

    Tenant ID

  4. Once you have logged in, when you sign up for a Microsoft cloud service, Microsoft assigns to your account a Tenant ID. To obtain it:

    AZ_TENANT=$(az account show --query 'tenantId' -o tsv)

    echo $AZ_TENANT

    yields something like: a7a02378-1e4b-4017-972e-9dfe53bc2b2f

    See: Multi-tenant architecture

    Resource groups (RGs) are used for RBAC, Automated Deployments, and Billing/Monitoring.


  5. Put the Tenant ID value in the secrets.sh file so that future script runs can check whether that value has already been created.

  6. Also note that before getting here the script created a .pem file. PROTIP: Create the .pem file from the RSA public key file named $SSH_USER that you created for GitHub:

    ssh-keygen -f ~/.ssh/$SSH_USER -m 'PEM' -e > $SSH_USER.pem
    chmod 600 $SSH_USER.pem
    

    This is recommended instead of the alternative of asking Azure to --create-cert in the command:

  7. We next Create a Service Principal using Conventions for naming principals under RBAC (role-based access control):

    This Azure CLI (command az) has the subcommand ad (for Active Directory) to create Service Principals (sp’s). We capture the response (in JSON format) in the variable return.

    return=$(az ad sp create-for-rbac --name "$AZ_PRINCIPAL" \
      --role owner \
      --create-cert \
      --query "[fileWithCertAndPrivateKey, appId, tenant]")

    The command outputs JSON such as this, and puts the certificate file in your $HOME folder:

    {
      "appId": "username",
      "displayName": "ServicePrincipalName",
      "name": "http://your app address",
      "password": "passkey",
      "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
    }
    

    The additional --query attribute makes

    The first of three fields (fileWithCertAndPrivateKey) requested in the query is parsed using this command:

    echo "$return" | tr -d '[ ] "\n' | awk -F, '{ print $1 }'   # \n joins the multi-line JSON array first
    

    To obtain the first part of the response, “/user/wisdom/tmpf14zjme.pem”, which is used in subsequent commands.

    AZ_PEM_LOC=$(echo "$return" | tr -d '[ ] "\n' | awk -F, '{ print $1 }')

    The second item in the query in the command above yields the APP_ID:

    AZ_APP_ID=$(echo "$return" | tr -d '[ ] "\n' | awk -F, '{ print $2 }')

    The third item is the Tenant ID. Both of these are GUIDs.

    The command has additional options:

    az ad sp create-for-rbac -n "lnx" \
      --role contributor \
      --scopes /subscriptions/ssssssss-ssss-ssss-ssss-ssssssssssss
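
    As an added example (not code from the original post or from the mac-install-all repo), this Bash snippet parses the three-field --query output above without depending on how many lines the JSON array is printed on, and checks the values before they are handed to az login; it uses a constructed sample of the command’s output, with a made-up appId and the Tenant ID shown earlier in the post.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from the mac-install-all
# repo: parse the JSON array that
#   az ad sp create-for-rbac ... --query "[fileWithCertAndPrivateKey, appId, tenant]"
# prints, and sanity-check the values before handing them to
# "az login --service-principal". With the default "-o json" output the array is
# pretty-printed over several lines, so a plain "awk -F," on the raw text sees
# one value per line instead of three comma-separated fields.

# Constructed sample of the command's output. The appId is a made-up GUID; the
# tenant GUID is the one shown earlier in the post.
SAMPLE_RETURN='[
  "/Users/wisdom/tmpf14zjme.pem",
  "11111111-2222-3333-4444-555555555555",
  "a7a02378-1e4b-4017-972e-9dfe53bc2b2f"
]'

# sp_field JSON N: join the lines, split on commas, then strip the brackets,
# quotes and surrounding spaces from field N (1-based). Spaces inside the
# certificate path survive because only leading/trailing spaces are trimmed.
sp_field() {
  printf '%s' "$1" | tr -d '\n' |
    awk -F, -v n="$2" '{ gsub(/[][]|"/, "", $n); gsub(/^ +| +$/, "", $n); print $n }'
}

# is_guid VALUE: appId and tenant must both be 8-4-4-4-12 hex groups.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# pem_outside_repo PEM REPO_DIR: the cert must not live under the checked-out
# repo, otherwise a careless "git add ." could push it to GitHub.
pem_outside_repo() {
  case "$1" in
    "$2"/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# parse_sp_output JSON: print "pem appId tenant" on one line, or fail loudly.
parse_sp_output() {
  local pem app tenant
  pem=$(sp_field "$1" 1)
  app=$(sp_field "$1" 2)
  tenant=$(sp_field "$1" 3)
  [ -n "$pem" ]     || { echo "parse_sp_output: empty cert path" >&2; return 1; }
  is_guid "$app"    || { echo "parse_sp_output: appId is not a GUID: $app" >&2; return 1; }
  is_guid "$tenant" || { echo "parse_sp_output: tenant is not a GUID: $tenant" >&2; return 1; }
  printf '%s %s %s\n' "$pem" "$app" "$tenant"
}
```

    In a real run, replace SAMPLE_RETURN with the $return captured from the az command; the three words parse_sp_output prints map to the -p, -u and --tenant values of the service-principal login.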

    Login for sure

  8. Now we log in using the service principal:

    az login --service-principal -u "$AZ_APP_ID" \
      -p "$AZ_PEM_LOC" --tenant "$AZ_TENANT"

    https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog is the older version of Microsoft Graph at https://developer.microsoft.com/en-us/graph https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph

    BLAH: The name of the file created contains something like “tmpcgzysdch”, a random set of characters. So the script needs to figure out that file name. Thus we create the pem file and tell Azure.

  9. TODO: Obtain the password text from within the file

    Create a folder $HOME/certs/

  10. Put the contents in a file name containing the value in $AZ_APP_ID, in the $HOME folder so that it won’t have a chance to get pushed to GitHub.

  11. Login using credentials built above:

    az login --service-principal \
      --username "$AZ_APP_ID" \
      --tenant "$AZ_TENANT" \
      --password "$HOME/certs/$SSH_USER.pem"
    

    BLAH: The APP_ID and username are the same. Whatever.

  12. Assign a role named “Reader” to the APP ID (username):

    az role assignment create \
    --assignee "$AZ_APP_ID" \
    --role reader

  13. List what resources were assigned to an APP_ID:

    az role assignment list --assignee $AZ_APP_ID

    If your APP_ID has not already been created:

  14. To specify a module to run (not just install): If in the secrets.sh file the TRYOUT string is edited to contain “az”:

    TRYOUT=”az”

QUESTION: limits to total concurrent executions across all functions within a given region to 100?

Azure AD & PIM

Subscriptions include “Azure AD Premium P2” and “Enterprise Mobility + Security (EMS) E5”.

An additional paid subscription is Azure AD Privileged Identity Management (PIM) which minimizes the number of people who have access to secure information, which mitigates the risk of excessive, unnecessary, or misused access rights and provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.

Batch commands

Azure provides a way to perform the same process on many at once. See: https://docs.microsoft.com/en-us/cli/azure/batch?view=azure-cli-latest

Azure has “Web Jobs” for Azure Functions background jobs.

Resources : Videos

Microsoft Azure: The Big Picture 1h 50m Mar 10, 2016 by Matt Milner makes use of VS 2010, which is rather obsolete now.

  1. Install in VSCode Azure Resource Manager Tools for Template language support for Azure Resource Manager JSON files.

Live events to meet people

https://global.azurebootcamp.net/ April 27, 2019

Get ready for Global Azure Bootcamp 2019

Social

https://azure.microsoft.com/en-us/support/community/ Azure Community Forums for support

https://social.msdn.microsoft.com/Forums/en-US/home Developer Community Forum for support

Apple Podcasts:

Channel 9 Microsoft
