Wilson Mar

Azure URLs, Subscriptions, Support plans, Tenants, Directories, ARM portal Keyboard Shortcuts, CLI Bash & PowerShell scripting



This is a deep-dive hands-on tutorial with commentary along the way, covering basic terminology, how to get an Azure account, how to set up MFA, and how to use Active Directory. Search for what to “REMEMBER” to pass Microsoft’s AZ-900 and AZ-104 exams.

NOTE: Content here is my personal opinion and is not intended to represent any employer (past or present). “PROTIP:” highlights information I haven’t seen elsewhere on the internet: hard-won, little-known but significant facts based on my personal research and experience.

URLs for Microsoft and Azure

| Usage | URL (bookmark these) | Notes |
|---|---|---|
| Marketing | azure.com | (redirects) |
| MS Learning | techprofile.microsoft.com | Azure certifications |
| Enterprise learning | esi.microsoft.com | Live classes & cert. vouchers |
| Tech Talks | mtt.eventbuilder.com/MTTUSCANADA | by MS Support |
| Sign-up | account.windowsazure.com/signup | - |
| Support | support.microsoft.com | - |
| Support tickets | serviceshub.microsoft.com | - |
| User Self-Service password reset | myapps.microsoft.com | - |
| All Admin Centers | admin.microsoft.com/AdminPortal/Home#/alladmincenters | - |
| Azure Enterprise Account Portal | account.azure.com | (can be slow, no federation?) Accounts under departments |
| Subscription dashboard | portal.azure.com (for US Government: portal.azure.us) | - |
| Cloud Shell | shell.azure.com | CLI |
| Azure Enterprise Portal | ea.azure.com | Define departments |
| Azure AD | aad.portal.azure.com | - |
| Video Indexer | api-portal.videoindexer.ai | BLOG |
| Metrics Advisor | metricsadvisor.azurewebsites.net | Monitoring |
| Azure Data Factory | adf.azure.com | - |
| Traffic Manager | {acct}.trafficmanager.net | more |
| Machine Learning studio | ml.azure.com | AI tutorial |
| Lang. Understanding | North America: www.luis.ai; Europe: eu.luis.ai; Australia: au.luis.ai | AI tutorial |
| Single-tenant | login.microsoftonline.com/{contoso}.onmicrosoft.com | - |
| Multi-tenant | login.microsoftonline.com/common | - |
| Tech Community | techcommunity.microsoft.com/t5/azure/ct-p/Azure | - |
| AzureML Metrics | {eastus}.api.azureml.ms/discovery | App Insights |
| User feedback | feedback.azure.com | Product suggestions |
| Azure DevOps | dev.azure.com | - |
| Azure DevOps | appcenter.ms | mobile, etc. |
| Azure Service | {app_service}-staging.azurewebsites.net | staging & prod. slot |

PROTIP: Browser Profiles

PROTIP: Set up and use different browser profiles, one for each account (email). Why? Azure saves the account you’re on in a browser cookie, so that when you return you’ll see the last account used.

However, if you switch among different accounts on the same browser, that’s a hassle.

  1. To create a different profile for each Azure account, at the upper-right corner, click your avatar picture:

    • Learn account using your personal email (such as at gmail.com).
    • Account using your Visual Studio benefit (using your work email).
    • Work account to do your job as an Administrator.

Do this for each browser (Google Chrome, Microsoft Edge, Firefox, etc.).

Microsoft Azure Government

Microsoft Azure Government is a separate cloud for US federal, state and local government: an isolated “sovereign” DoD Impact Level 5 cloud on US soil, operated by US citizens. It has its own Marketplace of apps. What is gov?


DOC: Compare Global vs. Gov

For example, endpoints for Speech Studio Speech translation:

  • Virginia: https://usgovvirginia.s2s.speech.azure.us
  • Arizona: https://usgovarizona.s2s.speech.azure.us

VIDEO: Terraform Provider Azure.gov for standardized templates across clouds.

Pulumi enables programmatic access (by a Python program) to Azure.

CSBs and CMP

Not a lot of people talk about this, but a Cloud Management Platform (CMP) from a CSB (Cloud Service Broker such as AppDirect, Ensim, Gravitant, Jamcracker, Parallels, Ostrato, ServiceNow, BMC, etc.) is necessary for enterprises to provide provisioning governance, self-service, usage chargeback, and policy enforcement (multi-cloud).

Hands-on time

  1. Some “Exercises” in Microsoft Learn provide FREE “MICROSOFT LEARN SANDBOX” temporary “Concierge” subscription access one or two hours at a time. Search within:


  2. Microsoft has https://azure.microsoft.com/en-us/free/students/

  3. Microsoft maintains azuredevopslabs.com/labs/devopsserver/handsonlabs with code at github.com/Microsoft/azuredevopslabs/tree/master/labs/devopsserver/handsonlabs, which provides a quick and easy way to evaluate and test (currently only DevOps and Visual Studio) through virtual environments that do not require any complex setup or installation. You can use virtual labs online immediately for free :)

  4. CloudAcademy.com licenses include Lab time in some of their monthly subscriptions.

    Azure first-timer deals

  5. Get a “Microsoft Learn” account for $200 of credits to spend in 30 days and also a year of free services. See docs.microsoft.com/en-us/learn/azure/

    After that instead of “Pay-As-You-Go”,

  6. PROTIP: Obtain Azure credits as a benefit of a monthly Visual Studio license (even if you don’t intend to use the IDE). Azure Subscriptions (like Netflix, Disney+, etc.) are billed monthly.

    • $50/month credits from a $39/mo Visual Studio Professional license
    • $150/month credits from a $79/mo Visual Studio Enterprise license

    Visual Studio Subscriptions are, as of this writing, NOT offered in the Brazil South and Central India regions, as noted in https://azure.microsoft.com/en-us/regions/offers/.

First year free services

https://azure.microsoft.com/en-us/free/free-account-faq lists the services which Microsoft makes free for the first year:

  • Compute: 750 hours of B1S Linux VMs
  • Compute: 750 hours of B1S Windows VMs
  • Storage: Managed Disks 64 GB x 2
  • Storage SQL: up to 250 GB
  • Storage File: 5GB
  • Storage Blobs: 5 GB
  • Cosmos DB up to 5 GB, 400 request units
  • Network bandwidth: 15 GB outbound data transfer
  • AI & Machine Learning services

TODO: HANDS-ON: Make use of them without spending any money of your own!

The clock is ticking!

Office 365 Trial

  1. Sign up for Office 365 Trial at


  2. Click the “Free trial” link and go through the verification steps.

    You get assigned a @onmicrosoft.com domain and individual account.

  3. To view time remaining, see


Job Positions (roles)

Microsoft aligned these generic “job roles” with Azure certification exams:

  • (Azure) Administrator
  • (Azure) Developer
  • (Azure) Solution Architect

  • Data Engineer
  • AI Engineer
  • Business Analyst
  • Business User

PROTIP: Generic job positions (“roles”) are different than the Administrator role permissions in Azure Active Directory (AAD).

MY OPINION: I think job roles should be multi-select checkboxes. This segregation also adds to duplicating material.

Access: AuthN & AuthZ, Subscriptions

This PDF shows how Azure’s various enterprise authentication and authorization mechanisms relate to each other:


A. Enterprise enrollment (to Dept, Account to Azure Active Directory & on-prem. Active Directory)
B. Identity and access management
C. Management group and subscription organization
D. Management subscription (to on-premises systems)
E. Connectivity subscription
F. Landing zone subscription
G. VM templates
H. Sandbox subscription
I. Azure DevOps (vs. GitHub Actions)

It can be confusing

VIDEO: Glossary.

AD = Active Directory
AAD = Azure AD = Azure Active Directory
AADC = Azure AD Connect
ADDS = Active Directory DS = Domain Services

| | on-prem. AD | Azure AD |
|---|---|---|
| Runs on | Windows Server | SaaS cloud |
| Structure | Organizational Unit | Administrative Unit |
| Authentication | LDAP, Kerberos | - |

AD = Active Directory

Active Directory (the older product) stores credentials and runs on Windows servers in on-prem data centers. This on-prem AD provides “domain services” that include domain joins, group policies, LDAP, and Kerberos / NTLM authentication. It is administered with the AD Admin Center GUI.

AAD = Azure Active Directory

Azure Active Directory (AAD) registers Users and Groups, plus apps and devices. AAD is a SaaS service, unlike “Active Directory” running on Windows servers in on-prem data centers. So AAD is also called an “Identity as a Service” (IDaaS).

  • Since Microsoft Office 365 is SaaS, its users are enrolled into AAD.

  • Because it’s SaaS, it’s also possible to use Azure AD for federated SSO (Single Sign-On) to manage third-party software applications (outside Microsoft), such as CRMs like Salesforce, SAP, etc.


A domain is an area of a network organized by a single authentication database.

An Active Directory Domain is a logical grouping of AD objects on a network.

A Domain Controller (DC) is a server that authenticates user identities and authorizes their access to resources.

AAD Connect

Azure AD Connect is a Windows service that synchronizes on-prem AD user metadata with the SaaS AAD. Key features of AAD Connect:

  • Password hash sync with AAD
  • Pass-through authentication, which allows users to use the same password on-prem. and in the cloud
  • Federation integration with AD FS (including AD FS certificate renewal)
  • Synchronization to ensure on-prem and cloud data match
  • Health monitoring in a central location

Portal Search AAD

  1. portal.azure.com

  2. Press G and / to position the cursor to the Search field at the top.

  3. Type AAD for the Services related to that name.

  4. Click for the blade called Azure Active Directory .


    Tenants in AAD

  5. Highlight and copy the value of the Name field, such as “something.onmicrosoft.com”.

  6. Notice the “Tenant ID” GUID below it.

  7. Open another browser tab (temporarily) to find the Tenant ID based on DNS domain (web host) name such as “contoso.com” or “something.onmicrosoft.com”:


  8. Paste the name and click “Find my tenant ID”.
  9. Remember the last few characters of the GUID returned.
  10. Switch back to the browser Portal tab.

    Tenant Switching

  11. To switch among tenants in the Portal GUI, use the “Directory + subscription” filter at the top menu of every screen:


    Within PowerShell, define the default Tenant (if you need to sign into more than one Tenant):


    Tenant = Directory

  12. Click the icon at the top bar that looks like a notebook with a funnel.


    Notice the Directory ID GUID is the same as the Tenant ID GUID.

    DEFINITION: A Directory (as in AAD) is where your Tenant metadata is stored.

    Everything you do in Azure must be under some Tenant.

    Each tenant is independent of all other tenants.

    A tenant represents an organization in AAD.

    Users, Groups, Apps

    At the right is a count of Users, Groups, Applications, Devices managed under that Tenant.

    (From Tim Warner) az-aad-concepts-1194x954.jpg


    Microsoft has created integrations with Enterprise Applications such as Dropbox, Google Docs, AWS, Concur, etc.

    “External Identities” are Guest users with a credential federated from another identity store (Facebook, Google Gmail, GitHub, etc.) or from a new SAML/WS-Fed IdP.

    After an IdP is defined, define User flows (see AD B2C).

    (from Tim Warner) az-aad-groups-751x987.jpg

    “Managed Identities” are also called “Service Accounts”, used for authenticating automation services. Such accounts are identified by a GUID rather than the email addresses used for human users.

    Invitation from Federation

    (from Tim Warner) az-federation-1950x1716.jpg

    There are two types of Consent to Azure AD:

    a) Federation
    b) Non-federated MSA (Microsoft Account from Skype, Xbox)

    DEFINITION: OTP (One-Time Password) is emailed to the user.

    Create New Group

    Groups make authorization easier.

    Groups can be nested under another Group.

  13. Select “All Groups”.
  14. Select “New Group”.

    Membership type “Assigned” are manually selected into each group.

    Membership type “Dynamic” Users and Devices are completely (automatically) controlled by Azure AD, which populates membership based on user/device properties.

    Custom extension properties are also available. Selecting Property: city, Operator: Equals, Value: Tampa yields this rule syntax:

    (user.city -eq "Tampa")
  15. Click “Create”.
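As an added example that is not part of the original post, the following Python pre-checks a dynamic membership rule such as the page’s `(user.city -eq "Tampa")`, or compound rules with -and/-or/-not, against constructed sample users, so you can see who a rule would pull into a group (and into whatever access the group grants) before it is enabled. The rule subset, the case-insensitive comparison, the operator precedence and the sample users are assumptions of this model, not Azure AD’s own evaluator.

```python
"""Preview which users an Azure AD dynamic membership rule would select.

Added example, not from the original post. Models a subset of the rule syntax
shown above: user.<property> compared with -eq, -ne, -startsWith, -contains or
-notContains to a quoted string, combined with -and, -or, -not and parentheses.
Case-insensitive comparison and the precedence (-not, then -and, then -or) are
assumptions of this model; Azure AD's own evaluator supports far more.
"""
import re

TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|-[A-Za-z]+|user\.[A-Za-z0-9_]+)')

# A missing or empty attribute is None: -eq never matches it, but -ne and
# -notContains do, which is how users with blank attributes land in a group.
OPERATORS = {
    "-eq": lambda a, b: a is not None and a.lower() == b.lower(),
    "-ne": lambda a, b: a is None or a.lower() != b.lower(),
    "-startswith": lambda a, b: a is not None and a.lower().startswith(b.lower()),
    "-contains": lambda a, b: a is not None and b.lower() in a.lower(),
    "-notcontains": lambda a, b: a is None or b.lower() not in a.lower(),
}


def tokenize(rule):
    """Split a rule into parens, quoted strings, -operators and user.<property>."""
    if not re.fullmatch(rf"(?:{TOKEN.pattern})*\s*", rule):
        raise ValueError(f"unrecognised rule syntax: {rule!r}")
    return TOKEN.findall(rule)


class RuleParser:
    """Recursive-descent parser producing ('cmp'|'not'|'and'|'or', ...) tuples."""
    def __init__(self, rule):
        self.tokens, self.i = tokenize(rule), 0
    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else ""
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek():
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek().lower() == "-or":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_unary()
        while self.peek().lower() == "-and":
            self.take()
            node = ("and", node, self.parse_unary())
        return node
    def parse_unary(self):
        tok = self.peek()
        if tok.lower() == "-not":
            self.take()
            return ("not", self.parse_unary())
        if tok == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        prop, op, value = self.take(), self.take().lower(), self.take()
        if not prop.startswith("user.") or op not in OPERATORS or not value.startswith('"'):
            raise ValueError(f"bad comparison: {prop} {op} {value}")
        return ("cmp", prop[len("user."):], op, value.strip('"'))


def evaluate(node, user):
    """Evaluate a parsed rule against one user object (a dict of attributes)."""
    kind = node[0]
    if kind == "cmp":
        return OPERATORS[node[2]](user.get(node[1]), node[3])
    if kind == "not":
        return not evaluate(node[1], user)
    left, right = evaluate(node[1], user), evaluate(node[2], user)
    return (left and right) if kind == "and" else (left or right)


def preview_members(rule, users):
    """Return the sorted UPNs that the rule would place in the group."""
    tree = RuleParser(rule).parse()
    return sorted(u["userPrincipalName"] for u in users if evaluate(tree, u))


# Constructed sample directory objects (not real accounts).
SAMPLE_USERS = [
    {"userPrincipalName": "ann@contoso.com", "city": "Tampa", "department": "Finance", "jobTitle": "Analyst"},
    {"userPrincipalName": "ben@contoso.com", "city": "tampa", "department": "IT", "jobTitle": "Contractor - Helpdesk"},
    {"userPrincipalName": "cy@contoso.com", "city": "Orlando", "department": "IT", "jobTitle": "Engineer"},
    {"userPrincipalName": "dee@contoso.com", "city": None, "department": "Finance", "jobTitle": "Manager"},
]
```

Note the -ne case: a user whose city attribute is blank also matches `(user.city -ne "Tampa")`, which is a common way dynamic groups grow beyond their intended membership.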

    Tenant License

    Each license has its own options.

    License defaults to “Azure AD Free” to begin.

    P1 provides Conditional Access.

    “EMS (Enterprise Mobility + Security E5)” includes:

    • AAD is the cloud-based IAM service to control access to internal and external applications
    • Microsoft Intune is used for MDM (Mobile Device Management) and also for PCs, to remotely reset and wipe devices and to report compliance status
    • Azure Info Protection protects documents tagged to not be shared
    • Microsoft Cloud App Security
    • Microsoft Advanced Threat Analytics (ATA) is an on-prem. platform to protect against targeted cyber attacks along the “Cyber Kill Chain” attack process (up to Domain Dominance) by parsing network traffic to create a behavioral profile of user activities.
    • Azure Advanced Threat Protection is a cloud-based triage tool which displays incidents on a timeline

    “Microsoft 365 E5 Developer (without Windows and Audio Conferencing)”

    “Microsoft Power Apps Plan 2 Trial”

    “Microsoft Power Automate Free”

    “Power Virtual Agents Viral Trial”

    License “Azure AD Premium P2” for production enterprises. P2 provides “Identity Protection” and “Identity Governance” features. P2 is needed for MFA (Multi-Factor Authentication) and PIM.

    P2 PIM (Privileged Identity Management)

    For those with a P2 license, Azure AD Privileged Identity Management (PIM) provides elevated access on a JIT (Just-in-Time) basis for a limited time. PIM provides audit logs to enable reviews of accesses.

    Email is automatically sent when a role assignment is made outside of PIM. So do all access changes from the PIM UI, using “Privileged Authentication/Role Administrator” role assignments. Assignment can be permanent or based on a time and date range.

  16. REMEMBER: PIM must be enabled by the Global Admin after MFA sign-on.

  17. Users search for PIM, Azure resources, to see assignments to activate yourself:


  18. PROTIP: Bookmark the above URL
  19. Admins approve
  20. The user would see a Subscription with role “Specified access”.
  21. User should Deactivate after using rather than letting the clock run out.

    Conditional Access Policy

    Another P1 or P2 feature, Conditional Access limits the granting of user access to designated IPs, geographic regions, types of device, etc.

    Users within the scope of such a policy are required to use MFA.

Admin Users & Groups

<a name="GlobalAdmin"></a>

### Global Admin Account

<strong>Global Administrators</strong>, aka Company Administrators, in Azure AD have access to <strong>all services</strong> that use AAD identities (Microsoft 365 security center, Intune, Microsoft 365 compliance center, Exchange Online, SharePoint Online, Skype for Business Online, etc.).

REMEMBER: Global Admins get access to Azure resources only after being granted the User Access Administrator role.

PROTIP: Don't use the Global Admin account regularly. Set an Activity Alert when it is used. Have no MFA on it. Have 2-5 global admins. <a target="_blank" href="https://www.youtube.com/watch?v=vZ9uQtO7mSU&list=PLWag0-UcFD4HacGTnNVUzUMIsIF1CXySQ&index=2">VIDEO</a> 

PROTIP: Global Admin privileges are needed to enable <a target="_blank" href="https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure">AD PIM (Privileged Identity Management)</a> for a directory.

So it's important to assign other more specific roles. 

REMEMBER: VIDEO: There is no spanning between Azure AD roles and Azure RBAC roles:


Built-in User Roles for RBAC

A PowerShell command lists 75 user roles, including:

  • Application Administrators can create and manage all aspects of enterprise applications, application registrations, and application proxy settings.

  • Application Developers can create application registrations when the “Users can register applications” setting is set to No.

  • Authentication Administrators can set or reset non-password credentials for some users and can update passwords for all users.

  • Azure DevOps Administrators can manage the Azure DevOps policy to restrict new Azure DevOps organization creation to a set of configurable users or groups.

  • Azure Information Protection Administrators have all permissions in the Azure Information Protection service.

  • B2C User Flow Administrators can create and manage B2C User Flows (also called “built-in” policies) in the Azure portal.

  • B2C User Flow Attribute Administrators can add or delete custom attributes available to all user flows in the tenant.

  • B2C IEF Keyset Administrators can create and manage policy keys and secrets for token encryption, token signatures, and claim encryption/decryption.

  • B2C IEF Policy Administrators can create, read, update, and delete all custom policies in Azure AD B2C and therefore have full control over the Identity Experience Framework in the relevant Azure AD B2C tenant.

  • Billing Administrators can make purchases, manage subscriptions, manage support tickets, and monitor service health.

  • Cloud Application Administrators have the same permissions as the Application Administrator role, excluding the ability to manage application proxy.

  • Cloud Device Administrators can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal.

  • Compliance Administrators have permissions to manage compliance-related features in the Microsoft 365 compliance center, Microsoft 365 admin center, Azure, and Microsoft 365 Security & Compliance Center.

  • Compliance Data Administrators have permissions to track data in the Microsoft 365 compliance center, Microsoft 365 admin center, and Azure. Users can also track compliance data within the Exchange admin center.

  • Conditional Access Administrators have the ability to manage Azure Active Directory Conditional Access settings

  • Exchange Administrators have global permissions within Microsoft Exchange Online, when the service is present.

  • Directory Readers can read basic directory information.

  • Groups Administrators can create/manage groups and their settings, such as naming and expiration policies.

  • Security Administrators have permissions to manage security-related features in the Microsoft 365 security center, Azure Active Directory Identity Protection, Azure Information Protection, and Microsoft 365 Security & Compliance Center.

BTW, after you follow the instructions below on setting up the CLI, this Bash command lists all the pre-defined roles:

```bash
az role definition list -o table --query [].roleName
```

For a count of 260:

```bash
az role definition list --query [].roleName | wc -l
```

The basic categories of roles are owner, contributor, and reader:

  • Owners have full access to all resources, including the right to delegate access to others.
  • Contributors can create and manage all types of Azure resources but can’t grant access to others.
  • Readers can view existing Azure resources.

Custom Roles

Examples of Custom-defined roles are:

  • Reader Support Tickets
  • Virtual Machine operator - can create and manage virtual machines

Let’s look at a custom role definition to clarify the terms (the Actions listed are the VM read/start/deallocate operations implied by the Description; SUBSCRIPTION_ID is the placeholder that the PowerShell below replaces):

```json
{
  "Name": "Virtual Machine Operator (Custom)",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows to start and stop (deallocate) Azure VMs",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/SUBSCRIPTION_ID"
  ]
}
```

Role definitions are at the center of this diagram about RBAC (Role-Based Access Control):


REMEMBER: There are four ways to assign resource rights to a user:

  • Direct assignment of a user to resources.
  • Group assignment - all members of an AAD group receive access rights through their association with the group.
  • Rule-based assignment - a resource owner creates a group and uses a rule to define which users are assigned to a specific resource; a role definition is attached to a user, group, service principal, or managed identity at a particular scope.
  • External authority assignment - such as an on-prem. directory or a SaaS app.

DEFINITION: Each Service Principal can request an Azure AD token to access Azure resources and assign users and groups.

Role Assignment

Access is granted by creating a role assignment.
Access is revoked by removing a role assignment.

Resource Providers, Actions, Operations, Permissions, Scopes, Groups, Policies

“Microsoft.KeyVault”, “Microsoft.Compute”, etc. are resource providers: the services that implement the APIs for a kind of resource and that fulfil or block each API request for that functionality.

Each line under Actions defines a set of permitted operations. Each line under NotActions lists operations excluded from that grant (NotActions is not a deny rule; deny assignments are a separate mechanism).

Operations (such as read, write, delete, etc.) are carried out by providers.

PowerShell to process the custom role definition JSON (above):

```powershell
# Download the custom role definition JSON (URL elided in the original):
Invoke-WebRequest -Uri https://...json -OutFile $HOME/customRoleDefinition.json
# Get the Subscription ID associated with the current user context:
$subscription_id = (Get-AzContext).Subscription.Id
# Replace the SUBSCRIPTION_ID placeholder within the JSON file:
(Get-Content -Path $HOME/customRoleDefinition.json) -Replace 'SUBSCRIPTION_ID', $subscription_id |
  Set-Content -Path $HOME/customRoleDefinition.json
# Create the custom role definition (granting it to someone is a separate role assignment):
New-AzRoleDefinition -InputFile $HOME/customRoleDefinition.json
# Confirm:
Get-AzRoleDefinition -Name 'Virtual Machine Operator (Custom)'
```


The “AssignableScope” in the JSON is illustrated at the lower-right of the diagram.

VIDEO: After assignment, the SUBSCRIPTION_ID is replaced with the Subscription ID GUID assigned.

Roles can be scoped at several levels (from the Tenant Root Group):

  • Management group (containers)

  • Subscription

  • Resource group

  • Resource

Permissions at one level are inherited by child scopes, and permissions are additive: the sum of roles at the various levels is what a user can do.

A user inherits permissions from the management group to which the user has been assigned.

Management Group Policies

  1. Navigate to the “Policy” blade.
  2. Definitions

    In Azure, policies are for evaluating compliance among Resources and their properties, not to control access to resources.

    VIDEO: Policies can be assigned to scopes to limit what can be assigned to management levels and change what has been assigned:

    Policy effects include Append, Audit, Deny, Modify, etc. Also: Enforce OPA (Open Policy Agent) Constraint and Enforce Rego Policy.

  3. Select a category from Categories dropdown.

    For example: Require a tag and its value on resources

    REMEMBER: Tags do not cascade via inheritance like permissions unless a policy allows that.

    To do remediation, define a Managed Identity.

    ### Devices on AAD

    A “Registered” device is personally owned and signed in with a personal Microsoft or local account. It can access mobile and Windows 10 but not Windows Servers.

    A “Joined” device exists only in the cloud to access Windows 10 and Windows Server 2019 VMs.

    A “Hybrid” AAD joined device can access on-prem Windows 7, 8.1, 10 and Server 2008 or newer.

    ### Role Assignments

    REMEMBER: Actions are also called “Operations” at different Scopes.

  4. See “Your role”? “Global Admin”

  5. VIDEO: Click “+ Add” to create a new Tenant.

    PROTIP: Tenant Type “Azure Active Directory” by itself is actually “B2B” = Business to (2) Business. “B2C” means Business to (2) Consumers, or connection to External Identities on LinkedIn, Google, Facebook, etc.

  6. Cancel out by searching for AAD again.

    Various roles can be defined for a tenant. LIMIT: Up to 2,000 roles per individual tenant.

    READ: Role Assignments on Azure Resources from Azure Pipelines



  1. A user (or service principal) acquires a token for Azure Resource Manager.
  2. The token includes the user’s group memberships (including transitive group memberships).
  3. The user makes a REST API call to Azure Resource Manager with the token attached.
  4. Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken.
  5. Azure Resource Manager narrows the role assignments that apply to this user or their groups and determines what roles the user has for this resource.
  6. Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource.
  7. If the user doesn’t have a role with the action at the requested scope, access is not granted. Otherwise, Azure Resource Manager checks if a deny assignment applies.
  8. If a deny assignment applies, access is blocked. Otherwise access is granted.
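As an added example that is not part of the original post, the Python below models the eight evaluation steps just listed, together with the scope inheritance and Actions/NotActions semantics described earlier, over constructed roles (including this page’s custom VM operator role), role assignments, a deny assignment and nested groups. The Contributor NotActions list is abbreviated, and every principal name, scope and GUID is made up.

```python
"""Toy model of how Azure Resource Manager evaluates an RBAC request.

Added example, not from the original post: every role, scope, assignment
and group below is constructed sample data, and the Contributor NotActions
list is abbreviated. Evaluation follows the eight steps listed above.
"""
from fnmatch import fnmatchcase

# Role definitions. Actions grant operations; NotActions subtract from that
# grant (they are not a deny). Operations use "Provider/resourceType/operation".
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Contributor may manage resources but may not hand out access.
        "NotActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete"],
    },
    # The custom role from this page: read, start and stop (deallocate) VMs.
    "Virtual Machine Operator (Custom)": {
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action"],
        "NotActions": [],
    },
}

# Constructed scope hierarchy: subscription -> resource group -> resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev01"

# Role assignments as (principal, role, scope); a scope covers its children.
ROLE_ASSIGNMENTS = [
    ("grp-vm-operators", "Virtual Machine Operator (Custom)", RG),
    ("grp-auditors", "Reader", SUB),
    ("alice", "Contributor", SUB),
]

# Deny assignments as (principal, denied operation pattern, scope).
DENY_ASSIGNMENTS = [
    ("alice", "Microsoft.Compute/virtualMachines/delete", VM),
]

# Nested group membership: carol -> grp-helpdesk -> grp-vm-operators.
GROUP_MEMBERS = {
    "grp-vm-operators": {"bob", "grp-helpdesk"},
    "grp-helpdesk": {"carol"},
    "grp-auditors": {"dave"},
}


def transitive_groups(principal):
    """Step 2: the token carries every group the principal is in, transitively."""
    found, frontier = set(), {principal}
    while frontier:
        member = frontier.pop()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in found:
                found.add(group)
                frontier.add(group)
    return found


def scope_applies(assignment_scope, requested_scope):
    """An assignment at a parent scope is inherited by every child scope."""
    return (requested_scope == assignment_scope
            or requested_scope.startswith(assignment_scope + "/"))


def action_matches(patterns, action):
    """Operation patterns may use '*' wildcards; matching is case-insensitive."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role_name, action):
    """A role permits an action when Actions matches it and NotActions does not."""
    role = ROLE_DEFINITIONS[role_name]
    return (action_matches(role["Actions"], action)
            and not action_matches(role["NotActions"], action))


def check_access(principal, action, scope):
    """Steps 4-8: applicable assignments -> roles (additive) -> deny assignments."""
    identities = {principal} | transitive_groups(principal)
    # Step 5: assignments for the principal or any of its groups, at or above scope.
    roles = [role for (who, role, at) in ROLE_ASSIGNMENTS
             if who in identities and scope_applies(at, scope)]
    # Steps 6-7: permissions are additive; one role granting the action suffices.
    if not any(role_permits(role, action) for role in roles):
        return False
    # Steps 7-8: deny assignments are checked last and override every grant.
    return not any(who in identities and scope_applies(at, scope)
                   and action_matches([pattern], action)
                   for (who, pattern, at) in DENY_ASSIGNMENTS)
```

For instance, carol can start vm-web01 only through her nested group membership and only inside rg-prod, while alice’s Contributor grant to delete vm-web01 is overridden by the deny assignment at that one resource.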

Azure Blueprints

TODO: Blueprints handle deny.

Blueprints orchestrate the deployment of artifacts as policy.

Blueprints makes use of:

  • Role assignments
  • Policy assignments
  • ARM templates
  • Resource groups

It’s like HashiCorp’s Terraform, which completely controls and maintains changes.

  • https://github.com/timothywarner/az500/tree/master/blueprints
  • https://github.com/terraform-providers/terraform-provider-azurerm

Automation programmatically

My repo https://github.com/wilsonmar/azure-quickly contains automation scripts to invoke instead of manually operating the Azure Portal. Because resources can be recreated with just a few commands, you can save money by deleting Resource Groups when they are not in use. The scripts also let you stand up resources in different regions/locations. Most scripts in the repo are Bash shell scripts, which run natively on macOS and are familiar to most developers; PowerShell scripts are used where they are the only solution.

There are many ways to automate the creation of resources within Azure:

  1. Portal GUI Cloud Shell
  2. JSON ARM Template with parameter files
  3. CLI Bash scripts (az commands)
  4. Powershell ps1 scripts calling Az modules
  5. PowerShell DSC (Desired State Configuration) automation
  6. Powershell running ARM template JSON files
  7. Docker containers
  8. Terraform HCL *.tf files (with templating features and advanced logic)
  9. Helm charts referencing DockerHub or Azure Container Registry (ACR) images
  10. REST API (used within VBScript, curl, C# .NET, Java, Python, NodeJs, etc.)
  11. REST API calls in program generated from Swagger/OpenAPI JSON
  12. Pulumi Python/C#/Nodejs/Typescript code
  13. Microsoft Bicep (new)

Utility script code enables the scripts to run from Linux and Git Shell on Windows laptops.

The scripts are also useful for learning Azure. PROTIP: The objective of this document is to

Cloud Shell

VIDEO: Cloud Shell

Bash CLI or PowerShell.

Azure on-prem Automation

Although superseded by the Hybrid Runbook Worker feature, Azure Automation can securely reach inside VMs in private networks and on-premises to execute PowerShell scripts/commands. It makes use of the Windows PowerShell Remoting feature.

However, PowerShell Remoting is not always a viable option, for instance where you have Azure-hosted VMs but cannot open a public WinRM port. This post presents a PowerShell extension runbook for on-premises VMs that uses the Azure VM Agent’s Custom Script Extension.

Portal Hands-on GUI Lab thru CloudAcademy

PROTIP: It makes more sense to look at a live example populated with several resources, in context, which is what a CloudAcademy lab provides.

  1. cloudacademy.com/library/azure has defined several labs.
  2. Search for “Azure”.
  3. Select a lab for your learning sequence:

    PROTIP: Below are my alternative enhanced instructions (which work for macOS):

  4. Click the green “Start Lab”.
  5. PROTIP: Right-click on “Open Environment” to select Open Link in New Window.
  6. Click and hold on the top of the Window to adjust an overlap.
  7. If there is another lab account (such as “student-1551-576984@labscloudacademy.onmicrosoft.com”), click the three dots to remove it.
  8. Click “Use another account”.
  9. Switch between the two windows using command + the key at the upper-left of macOS keyboards.
  10. In the CloudAcademy screen, click “Copy” icon for Username.
  11. In the Azure Signin, paste the email (such as “student-1551-576984@labscloudacademy.onmicrosoft.com”). Click Next.
  12. In the CloudAcademy screen, click “Copy” icon for Password.
  13. In Azure Signin, click on the Password screen and paste (such as “Ca1_iyvB75Wl”). Click “Sign in”.

  14. Click the Username account for the lab.
  15. Click “Maybe later” for tour for the Azure landing page (Dashboard).

    Create Resource in Command Line

  16. Click the “All Resources” icon for a list.

  17. Switch back to the CloudAcademy screen, scroll to bottom to click “Next Step”.
  18. Click “Resource Group” under the Navigate label.

    Resource Group

    PROTIP: Up to 980 resource groups can be created under a Subscription.

  19. Click the “cal-xxx-yy” presented.

  20. PROTIP: The app for macOS suggested is no longer available in the store. Use one noted in my tutorial on RDP.

  21. Click the Azure Portal “Home” (accordion) menu in the upper-left corner.

  22. Select “Virtual machines” in the left menu.

  23. Click the running VM name in the list for the “Overview” blade.

  24. Click “Connect”, then “RDP”. Click “Download RDP File”.
  25. In the pop-up Finder, navigate to a container folder (such as “Projects”), create a folder, and save the RDP file.
  26. Switch to Finder and navigate to your RDP file.

Microsoft Azure account setup

  1. PROTIP: Avoid using an email that you use for your own banking, shopping, social media, etc. For continuity with a real cloud, you’ll need an email address that you can share and transfer to other people. At a company, you will need to give someone else the password so that if you ever go on vacation or get “run over by a bus”, your organization can continue.

    If you’re in an enterprise company, get an email address from a corporate assets administrator. A different (service) account is often created for each department of responsibility.

    PROTIP: Include the month and year in the account name (such as johndoe1901@hotmail.com for 2019-01, January). Many people create several email accounts because each Azure subscription includes a $200 credit to spend on any service for the first 30 days, plus free access to Azure products for 12 months.

    Azure provides access to more than 25 products that are always free.

    Azure Active Directory (AAD)

    When someone signs up for a Microsoft cloud service subscription (such as Microsoft Azure, Office 365, Microsoft Intune, etc.), a dedicated instance of Azure AD (Active Directory) is created automatically.

    READ: Azure Active Directory pricing.

    Premium P1 features include Password Protection (custom banned passwords). Dynamic groups require a Premium P1 license.

    Premium P2 includes all P1 features, plus the really cool “Identity Protection”, with these policies assigned to all users:

    • Multi-factor authentication registration policy to require MFA

    • User risk remediation policy to require a password change, with a review of the number of users impacted

    • Sign-in remediation policy to automate analysis of signals from each sign-in, both real-time and offline, calculating a risk score based on the probability that the sign-in wasn’t performed by the user. Administrators can decide, based on this risk score signal, how to enforce organizational requirements: block access, allow access, or allow access but require multi-factor authentication. If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event, which avoids unnecessary noise for administrators.

    • Investigate risks using data in the portal.

    • Export risk detection data to third-party utilities for further analysis.

    Additionally, Microsoft 365 subscribers have additional Azure AD licensing options:

    • Free: 500,000 object limit, includes MFA for O365 services
    • $1/mo. Basic for group-based access management with SLAs
    • $6/mo. P1 for conditional access based on device/location & MFA for on-prem. services
    • $9/mo. P2 for Identity Protection, Access reviews, Privileged Identity Management

    Risk Events

    The Risk level and Risk detail fields are hidden from those with just the Azure AD Premium P1 edition.

    Advanced detections (such as unfamiliar sign-in properties) are not covered by a P1 license, and will appear under the name “Sign-in with additional risk detected”.

    Devices are managed on Azure AD

    Users on another Azure AD (B2B) or public IDP (B2C)

    Enterprise discount

    Available to Enterprise customers only: 15% Discounts on Public Prices

    AD Tenants

    The Azure SaaS service separates different customers into different tenants (like tenants in an apartment building). Each tenant is a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization.

    “Isolated” = ISE

    Azure AD supports auth protocols: OAuth, OpenID, SAML, WS-Federation.

  2. For birthdate, make up an adult year: 2023 - 22 = 2001

    PROTIP: Write it down for account recovery, such as in a 1Password entry. Also write down the date you created the account.

  3. You’ll need a phone number for multi-factor Authentication.

    PROTIP: Give Google Voice the cell number that you’ve been giving out to people. Then get a new phone number from your cell carrier (Verizon, ATT, etc.). In Google Voice have that new number ring when someone calls you at your original number. Give that new number only to Microsoft. This enables you to transfer that new number to someone else without making your friends wonder where you went.

    PROTIP: It’s best security that for 3FA you use someone else’s phone. But as my wife will tell you this can get annoying if you work while she’s sleeping with her phone next to her.

  4. Get a debit or credit card number.

    BIG PROTIP: Avoid using a personal credit card, which can be charged repeatedly without your approval of specific charges. Amazon and Microsoft do not provide anyone you can actually talk to about charges. And cancelling your credit card will negatively affect your credit score, which results in you paying higher interest rates.

    So get a pre-paid debit card to pay for cloud usage. Such cards only let you spend the money you load onto the card. The Bluebird VISA card (by American Express) charges no overdraft fee and no purchase fee. Add money (recharge) free at Walmart customer service counters or via a connected checking account.

    Unlike Movo, Bluebird does not have a $4.95 inactivity fee after three months without activity.

  5. Create a separate card sub-account for each cloud account.

    Sign Up for Azure

  6. Sign up for Azure:


  7. PROTIP: After defining 5 users, you are forced to sign up for and pay for a subscription with your credit card.

    PROTIP: Use an address with a zip code that’s not associated with your home address, and that is used only for banking.

    Multiple subscriptions can be created under a single Azure account (Dev, Test, Staging, Production, Logging, Demo, Training, DR, etc.). This is particularly useful for businesses because:

    DEFINITION: A Subscription is your “bank account” / credit card.

    PROTIP: access control and billing occur at the subscription level, not the account level.

    PROTIP: Each Subscription can only trust a single AAD directory.

    Transfer ownership of a subscription, such as to a central accounting department.

    Add additional subscriptions when you may exceed limits within a subscription, such as the maximum number of VNets.

    MS Authenticator app

  8. Install the Microsoft Authenticator app on your smartphone and set up two-factor authentication to approve access using your phone.

  9. Get a unique profile image and add picture.

Mobile Apps

  1. Set up a password on your device.

  2. https://azure.microsoft.com/en-us/features/azure-portal/mobile-app/

  3. Open the store on your phone and search for “Microsoft Azure”:

    On the Apple App Store: https://apps.apple.com/us/app/microsoft-azure/id1219013620?ls=1

    On the Google Play Store: https://play.google.com/store/apps/details?id=com.microsoft.azure

  4. Login. VIDEO

  5. Set up MFA.

Microsoft has Intune to manage endpoints (mobile and laptops).

ARM obsoletes ASM

On July 1, 2019, Microsoft fully transitioned from the “classic” (older) Azure Service Management (ASM) when Multi-factor authentication (through the PhoneFactor Web (PFWeb) portal), API Management, BizTalk, and Managed Cache became available to the Azure Resource Manager (ARM).

ASM had “Cloud Services” and “Affinity Groups”, providing a single-resource point of view [i.e., you manage a single resource at a time], whereas ARM is structured around Resource Groups (logical containers).

ARM includes parallelization when creating resources for faster deployment of complex, interdependent solutions. ARM also includes granular access control, and the ability to tag resources with metadata.

Also, instead of 2 racks, ARM resources can span 3 racks of computers.


ARM handles Authentication for access to back-end Web App, Data Store, Virtual Machines, etc.

Portal.azure.com GUI

  1. On initial (first time) new Subscription entry pop-up: Azure Advisor

    Azure Advisor

    On initial entry into portal, Azure greets you with a pop-up about Azure Advisor.

    Azure Advisor provides recommendations by categories of the “Well-Architected Framework” (but not “monitoring”):

    • Cost
    • Security
    • Reliability
    • Operational excellence
    • Performance


  2. For Dashboard, hold down G and press D.

    In the left menu, where is the menu item for Users (the one most often used by Administrators)?

  3. PROTIP: Click Dashboard to configure it with Users at the upper-left.
  4. Get rid of an item by clicking the “…” to “Remove from dashboard” or New Dashboard.
  5. To rearrange location, click the “…” on any item and select “Customize”.
  6. Click “Edit” from the command bar to search for Users, Add.
  7. Click “Save” at the top.

    License types of Subscriptions

    BTW, billing is associated with Management Subscriptions with names such as “Pay-as-you-go…”

    Support Plans (with Pricing)

    VIDEO “Microsoft Azure Pricing and Support Options”

    Submit a support ticket at: https://portal.azure.com/#create/Microsoft.Support (email support@microsoftsupport.com)

    Support options:

    • Basic: Billing and Subscription support only. “Self-help” technical support.

    • Developer $29/mo. for 8-hour response to non-Prod. env. issues.

    • Standard $100/mo. for 4-hour response to Sev B issues. Exam question: when you file a “Business Critical” issue with technical support, what is the earliest you can expect a response? Within 1 hour.

    • Professional Direct $1000/mo. which adds a ProDirect Delivery Manager who provides architectural guidance, onboarding services, seminars.

    • Premier for “substantial dependence” with a TAM (Technical Account Manager).

    Getting 403 ActiveDirectoryMenuBlade accessing AAD on Portal

  8. Right-click on the “Help + Support” box on the Dashboard and select “unpin” because you now know you can reach it (in two places).

    Social Support Forums about Azure


    Filtered for Most Votes on Accepted answers:

    Help + Support

  9. There are 3 places you can reach “Help + Support”:

    Click the question mark icon at the upper-right corner.


    Support options are also listed behind the smiley face icon.

    There is also a “Help + Support” box on the Dashboard.

    Alternately, scroll down to click Help + Support (the person icon in blue).

  10. Microsoft calls its business-level collection of implementation guidance the “Microsoft Cloud Adoption Framework for Azure” (VIDEO; MS_LEARN).

    Additional sites:


    Categories to get support

    In order to route your support to a specific team, here is a comprehensive list:

    • Azure Active Directory
    • Microsoft Azure Stack
    • Azure Stack Edge
    • Blockchain [discontinued]
    • Compute
    • Databases
    • Developer Tools
    • Enterprise Integration [Arc]
    • Intelligence & Analytics [AI & Machine Learning]
    • Internet of Things
    • Microsoft Graph
    • Mixed Reality [Hololens, Mesh]
    • Monitoring & Management
    • Networking
    • Security
    • Storage
    • Web & Mobile [Edge browser]

    Lock Box for Support

    For Microsoft people to access a customer’s unencrypted data, they are supposed to look into the “Lock Box” where a customer puts the files they want Microsoft to see.

ARM Portal GUI Dashboard Tour


  1. At https://portal.azure.com

  2. Click the “wheel” icon at the top for Portal Settings:

  3. PROTIP: If you wear glasses on video calls, reduce glare by clicking “Black” for the dark theme. You may not like the putrid yellow font associated with High Contrast:


    GUI Navigation Hubs, Panes, Blades

    DEFINITION: A Hub is a category for navigation within the left Azure Portal menu that is opened by clicking the upper-left accordion icon.

    Panes that appear on the right are called “blades”. A Blade is a portion of the page that pops up as you navigate in the portal. (Note: A Blade is contextual and tied to your navigation. This will become more intuitive as you use the portal.)

    Opening a series of blades is called a journey.

    Dock hamburger menu

  4. Click the “hamburger” (home) icon at the upper-left corner for English descriptions of each icon on the left edge.

  5. Click the “<” icon at top of the separator to collapse (“dock”) or expand the text of services listed on the left menu.

    PROTIP: To set its expansion state permanently, click the ‘settings cog’ icon at the top right of the portal and use the ‘Choose your default mode for the portal menu’ option. Set that to docked or undocked.

    Left Dock Keyboard Shortcuts

  6. PROTIP: To keep things simple, I arrange the FAVORITES menu item alphabetically.

    1. App Services
    2. Advisor
    3. Azure Active Directory
    4. Cost Management + Billing
    5. Function App
    6. Load balancers
    7. Monitor
    8. Security Center
    9. Storage Accounts
    10. (0) Virtual Machines

  7. ??? Click the star icon so it is gold to enable the service to show on the menu or unselect to remove the service from the bar.


  8. Drag and drop the Categories in a stable sequence and position you can mouse to quickly:

    Example: I drag the “Billing” icon to the top because I manage the money involved.

    VIDEO PROTIP: If you memorize the number of each menu item, you’ll never need to mouse to the “hamburger” menu again, avoid being distracted by menu text, and recover screen real estate.

  9. Hold down G and press a number to view one of the first 10 menu items.

    VIDEO: Many find themselves more productive when they don’t have to reach for the mouse. Keeping hands on the keyboard reduces a distraction. Thus, it’s impressive wizardry during demos.

  10. Click the “?” at the top of the page to click Keyboard shortcuts.

    In there and in DOCS, “G+.” means while holding down the G key, press the period key, which puts the focus on the “»” icon so you can press Enter to expand or contract the left menu. Press Tab to cycle down the menu.

    PROTIP: You can use the G key as if it were the Command/Ctrl key because you’re not filling out a form. If you see G appear in a form fill field (such as the browser URL), backspace to clear the field, then press Tab off the form fields and try again.

  11. Press Esc to escape from the help window.

  12. A reminder of the G key is always present at the top of every Azure screen:
    “Search resources, services, and docs (G+/)”, which means hold down G and press / to search.

    PROTIP: Azure DevOps uses more G keys (and M keys as well).

    All Services

  13. For All services, hold down G and press B.

  14. Click “All” for a complete list of all services Azure has to offer, arranged in the category order of the left menu.

    PROTIP: This gives you an idea of how vast the Azure offering is, and the product names certification aspirants should know.

    Full screen toggle

  15. To toggle a window to take up the whole screen on Windows PCs: press F11 or Alt+Enter or Windows key + up-arrow. On macOS: hold down command on the right, control on the left, then F (control+command+F). Repeat the keys to un-maximize. This is equivalent to clicking the green “maximize” icon on the upper-left of each app window or double-clicking on the app’s title bar.

    CAUTION: Any window maximized will not be brought up by the keyboard shortcut which cycles through various windows within the app (command+` on macOS; Alt+Tab on Windows PCs). To see the maximized window, you have to cursor near the top edge until the app’s menu appears, then pull down the browser’s Window menu.

    QUESTION: How to toggle full screen in Azure like on Netflix, which removes menus, breadcrumbs, and command bar? Alt+Space+X on Windows.

  16. Switch among windows with command+` (the key at the upper-left corner of the keyboard).
  17. To find text on the page, press command+F.

Naming conventions

Advice from Microsoft: Naming conventions:

PROTIP: Define abbreviations, then enforce their use. Abbreviations are needed to keep names short. Define abbreviations in different human languages if you have an international crew. Abbreviations can also serve as a way to inform policies, such as locking of production servers.

  1. rg, vm = Resource asset type.
  2. fin, mktg, product, it, corp = Business unit - organizational element that owns the subscription or workload the resource belongs to.
  3. navigator, emissions, sharepoint, hadoop = Application or service name of the application, workload, or service that the resource is a part of.
  4. shared, central, client = Subscription type - the purpose of the subscription that contains the resource.
  5. prod, dev, qa, stage, test = Deployment environment - The stage of the development lifecycle for the workload that the resource supports.
  6. westus, eastus2, westeu = Location/Region - The Azure region where the resource is deployed.
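As an added example (not from the tutorial or from Microsoft), here is a Bash function that assembles a name from the six components above and rejects any abbreviation that is not on the agreed list, which is how “enforce their use” becomes concrete inside resource-creation scripts. The hyphen separator and the allow-lists (seeded from the examples above) are assumptions for this example.

```shell
# Added example: build a resource name from the six naming-convention components
# and refuse abbreviations outside the agreed list. Separator and lists are assumed.

# Allowed abbreviations per component, seeded from the list above. Extend as you standardize.
ALLOWED_TYPES="rg vm"
ALLOWED_UNITS="fin mktg product it corp"
ALLOWED_SUBS="shared central client"
ALLOWED_ENVS="prod dev qa stage test"
ALLOWED_REGIONS="westus eastus2 westeu"

# in_list WORD "a b c" -> returns 0 when WORD is one of the space-separated words.
in_list() {
  local word=$1 list=$2 w
  for w in $list; do
    [ "$w" = "$word" ] && return 0
  done
  return 1
}

# build_name TYPE UNIT APP SUBTYPE ENV REGION
# Prints e.g. rg-fin-navigator-shared-prod-westus on success;
# prints the offending component on stderr and returns 1 otherwise.
build_name() {
  local type=$1 unit=$2 app=$3 sub=$4 env=$5 region=$6
  in_list "$type"   "$ALLOWED_TYPES"   || { echo "unknown asset type: $type" >&2; return 1; }
  in_list "$unit"   "$ALLOWED_UNITS"   || { echo "unknown business unit: $unit" >&2; return 1; }
  in_list "$sub"    "$ALLOWED_SUBS"    || { echo "unknown subscription type: $sub" >&2; return 1; }
  in_list "$env"    "$ALLOWED_ENVS"    || { echo "unknown environment: $env" >&2; return 1; }
  in_list "$region" "$ALLOWED_REGIONS" || { echo "unknown region: $region" >&2; return 1; }
  # Application names are free-form, but restricting them to lowercase alphanumerics
  # (an assumption here) keeps the generated name valid for most Azure resource types.
  case $app in
    *[!a-z0-9]*|'') echo "application name must be lowercase alphanumerics: $app" >&2; return 1 ;;
  esac
  printf '%s-%s-%s-%s-%s-%s\n' "$type" "$unit" "$app" "$sub" "$env" "$region"
}

# Typical use in a creation script (MY_RG and MY_LOC follow this tutorial's variable names):
#   MY_RG=$(build_name rg fin navigator shared prod westus) || exit 1
#   az group create --name "$MY_RG" --location "$MY_LOC"
```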

Resource Groups

Before any resource can be provisioned, you need a resource group for it to be placed in, for provisioning, monitoring, maintenance. Each resource must be in a resource group.

Resource groups can be created by using any of the following methods:

Automation options

  • Azure portal GUI
  • Azure Bash CLI (az commands)
  • Azure PowerShell (Az modules), for example within Azure Cloud Shell
  • JSON IaC templates (ARM templates), or custom REST API clients
  • Azure Bicep (like Terraform)
  • Azure programmatic SDKs using programming languages C# .NET, Java, Python, NodeJs (JavaScript), etc. calling APIs

PROTIP: A resource group can contain resources from multiple regions.

PROTIP: When naming Resource Groups, keep in mind that they are used to organize resources so that they’re easier to delete. So limit the number of resources under each one so that you’re not blocked from deleting the group because you still need that one resource. Using a Resource Group for each point in the lifecycle therefore makes sense (dev, qa, stage, green, blue, etc.).

If no dashes are in the name, double-clicking on that name would select the entire name.

A Resource Group name can be a single character. It can begin with a number.

PROTIP: In production, design Resource Groups so that work groups have the permissions they need, for example for core infrastructure such as Networking. The destination of logs and metrics should be viewed and managed using a wholly different account than the accounts used to create the data.

  1. After you get the CLI set up, list the resource groups created:

    az group list -o table

    For more details (SSH, Managed By), remove “-o table”. See https://docs.microsoft.com/en-us/cli/azure/manage-azure-groups-azure-cli and https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli

    A resource cannot be split among several resource groups: each resource is a member of exactly one resource group.

References on naming conventions:

  • https://daniel-lumb.medium.com/azure-resource-group-structure-measure-twice-cut-once-565c50e13c9

Your own cloud shell

  1. PROTIP: Click the browser profile icon and select the identity you need (if you have multiple accounts). You’ll likely have an account based on your Gmail, another for school email, a work email, etc.

    Azure brings up the account based on what it stored the last time you logged in. If you don’t use browser profiles, you’ll have to log off and back again, which is a hassle.

    BTW within each browser profile, you can log in to GitHub, Pocket, or another service so your bookmarks are available on all profiles.

  2. Go to https://shell.azure.com


  3. Click “Bash” (since we’re using CLI scripts).

    If this is the first time, you’ll see “You have no storage mounted”:


  4. Click “Create storage” to have Azure assign its own names.

    Optionally, click “Show advanced settings” if you want to specify the Resource Group name for the storage account:


    1. For “Cloud Shell region”, select your favorite location, such as “West US”.
    2. For “Resource group”, follow your naming convention.
    3. For “Storage account”, follow your naming convention.
    4. For “File share”, follow your File naming convention.
    5. Click “Create storage”.

    PROTIP: Files in your CLI clouddrive folder are stored in that Storage account, starting with your CLI history, etc.

  5. In Portal: Resource Groups notice default names created:
    • cloud-shell-storage-westus
    • NetworkWatcherRG

    az feedback

    PROTIP: If your command doesn’t come back, press command+R to reset the browser page.

    Press the up-arrow key to retrieve previous commands.

    To open an issue, run:

    az feedback

    az interactive

  6. VIDEO: There is a nifty code completion facility for az commands:

    az interactive


  7. Press Enter to bypass the “Error loading command module” messages.

  8. az » is a reminder that within interactive you don’t have to type the “az” command, just the sub-command and other parameters.

    Home folder commands

  9. To see your current folder:

    pwd

    If your first name is “wilson” then you’ll see:

    /home/wilson

  10. REMEMBER: The above path is represented by both “~” (tilde) and the variable $HOME:

    cd $HOME; pwd

    CLI Proper Prompt

  11. List all files and folders, using -al to see hidden files as well:

    ls -al

    -al enables display of hidden files such as .bashrc

    It’s a Linux convention to put a period in front of file names so the operating system knows to treat them as hidden.

  12. Copy and paste this string to have the prompt always appear in a consistent place where you have room to type:

    export PS1="\n  \w\[\033[33m\]\n$ "

    Let’s change it to your taste so it shows up every time you get a Cloud Shell prompt.

    And you will be opening a lot of new sessions.

    Time out recovery

    If there is no response in CLI, you probably were timed out (disconnected) automatically.

  13. Press Ctrl+R (command+R on a Mac) to refresh, confirm Reload, then click the Cloud Shell again.

    PROTIP: See if the time it takes to do that is about the same as to az login again from your local Terminal/Console.

    Edit .bashrc

  14. Open the file in a text editor (an instance of Visual Studio Code):

    code .bashrc

    Alternately, click the curly brackets icon on the line where you select Bash or PowerShell.

  15. Edit the string (near the bottom of the file):

  16. Optionally: although Terraform is pre-installed in Azure Cloud Shell, define an alias so you can type just tf instead of terraform:

    alias tf="terraform"  # arguments typed after tf are appended automatically; aliases cannot take $1
  17. TODO: There are other aliases for your productivity. They save only a few keystrokes each time, but their advantage is to keep your mind focused and avoid task-switching.

  18. Near the last line, navigate into the clouddrive:

    cd clouddrive

    That’s where it’s better to git clone repos into.

  19. PROTIP: At the bottom of the file, add a # sign with no newline after it. This is because Azure automatically appends a line to the bottom of .bashrc:


    Since that appended line is not preceded by a newline, it lands on the same line as the # and is interpreted as a comment.

  20. To save and quit, press Ctrl+Q or click the “…” at the top right of the edit box.

    Notice there is now a tilde to display the pwd (present working directory):

  21. List all files and folders, using -al to see hidden files as well:

    ls -al

    -al enables display of hidden file .bashrc

    clouddrive -> /usr/csuser/clouddrive shows that it is a symbolic link to another path

  22. PROTIP: Notice that clouddrive is a symbolic link to the physical folder at:

    ls -al /usr/csuser/clouddrive

    Git clone my Bash CLI scripts

    Several utility programs come pre-installed in Azure Cloud Shell. Git is one of them.

  23. Obtain a copy of my repository containing Bash CLI scripts for use in Azure:

    git clone https://github.com/wilson-mar/azure-quickly
    cd azure-quickly

    NOTE: If you work with a private repo, you’ll need to create an SSH key, paste the contents of the public key into the GitHub GUI, and clone over SSH with a different command, such as:

    git clone git@github.com:wilson-mar/azure-quickly.git
    cd azure-quickly
  24. To obtain recent changes:

    git pull

Encrypted Passwords


PROTIP: It’s better to use Azure Key Vault, but this is better than storing cleartext in GitHub.

  1. In a PowerShell CLI terminal, manually encrypt a secret under your account:

    $password = 'Super@Secret3Passwordx'
    $securePassword = ConvertTo-SecureString -Force -AsPlainText -String $password

    CAUTION: Run the above manually. Do not put the above commands in a script stored in GitHub.


    NOTE: There is no CLI Bash equivalent for this.

  2. The value of $securePassword can now be saved in a file which exports an environment variable. You still should not hard-code encryption keys in code, because anything committed can be attacked over a long period of time by powerful computers.

  3. To use the encrypted secret (under the same account) within a sample command:

    $myapp = New-AzADApplication -DisplayName '...' -HomePage 'http://...' -IdentifierUris 'http://...' -Password $securePassword

    NOTE: You don’t have to unencrypt first. Microsoft’s commands handle that for you. Cool, eh?


Terraform on Azure

A Terraform client is pre-installed in Azure Cloud Shell.

terraform version

Ignore the version upgrade message. Azure keeps it up to date as appropriate.

https://cloudskills.io/courses/terraform-azure https://github.com/lukeorellana/terraform-on-azure https://github.com/CloudSkills/Terraform-In-Azure-Workshop

https://www.facebook.com/CloudSkills.io/ https://blog.cloudskills.io/getting-started-with-terraform-on-azure-tips-and-tricks/

https://www.udemy.com/course/terraform-on-azure/ Terraform on Azure

https://www.udemy.com/course/azure-kubernetes-service-with-azure-devops-and-terraform/ Azure Kubernetes Service with Azure DevOps and Terraform

Bash shell script coding

az vm list -g QueryDemo \
--query "sort_by([].{Name:name, Size:storageProfile.osDisk.diskSizeGb}, &Size)" --output table

--query is described at https://docs.microsoft.com/en-us/cli/azure/query-azure-cli

To customize a column name, specify it on the left side before a colon within curly braces:

az container list --query "[].{Name:name,Location:location}" --output table

The empty brackets [] indicate the entire set. Put a number inside the brackets for a specific row, or a range such as [0:3].

More query techniques are described here.

NOTE: Azure Citadel has a deep tutorial on --query parameters.

Create Resource Groups

DEFINITION: A resource group is a logical container for resources deployed on Azure: virtual machines, Application Gateways, CosmosDB instances, etc. Many resources can be moved between resource groups.

Resource groups also define a scope for applying role-based access control (RBAC) permissions which limit access to allow only what is needed.

  1. Create a resource group (under a subscription) in a location, after viewing the briefings on CLI Bash or Storage (if you haven’t already):

    az group create --name $MY_RG --location $MY_LOC

    Alternately, for more commentary, use the portal GUI:

  2. Optionally: Drag and drop “Resource Groups” Home menu item to the bottom of the list. That’s because you can …
  3. PROTIP: Hold down G and press R for Resource Groups.
  4. PROTIP: Hold down G and press , (comma) to focus on the command bar.
  5. If “+ Create” is highlighted, press Enter to invoke it.
  6. Select the appropriate Subscription.
  7. Type your Resource group name using your organization’s naming conventions:

    PROTIP: Include the region code in the Resource Group Name.

    Subscription code, etc.

    PROTIP: Resource groups have a flat structure: they cannot be nested like Management Groups.

    Deleting a resource group results in deletion of all resources contained within it. So resource groups make it easy to remove a set of resources at once. That’s great for non-production environments.

    Region = Location jmespath queries

    View an interactive map of Azure data centers around the world.

  8. If you already know how to use CLI Bash and jmespath queries, get a count of Azure’s regions:

    az account list-locations --query "[].name" -o tsv | wc -l

    68 is the response at time of writing.

    In 2021, Microsoft is building 100 data centers a year.

  9. PROTIP: Beware that some listed regions are “(Stage)” regions, as in this table of regions with “westus” in the name, so the count above is not reliable:

    az account list-locations --query "[?contains(name, 'westus')]" -o table
    Name          DisplayName        RegionalDisplayName
    ------------  -----------------  ----------------------
    westus2       West US 2          (US) West US 2
    westus3       West US 3          (US) West US 3
    westus        West US            (US) West US
    westusstage   West US (Stage)    (US) West US (Stage)
    westus2stage  West US 2 (Stage)  (US) West US 2 (Stage)
  10. PROTIP: To list regions, use github.com/blrchen/azure-data-lab/blob/main/Regions.json which contains metadata about each region shown on AzureSpeed.com. For example:

    {
      "availabilityZoneCount": 3,
      "availabilityZoneStatus": "3 zones",
      "displayName": "West US 2",
      "geography": "US",
      "latitude": "47.233",
      "longitude": "-119.852",
      "pairedRegion": "West Central US",
      "physicalLocation": "Washington",
      "regionalDisplayName": "(US) West US 2",
      "regionName": "westus2",
      "storageAccountName": "azsptwestus2",
      "regionAccess": true
    }
  11. blrchen’s data goes beyond what Azure itself returns when listing all properties (metadata) for the “westus2” region:

    az account list-locations --query "[?name == 'westus2']" -o json
    [
      {
        "displayName": "West US 2",
        "id": "/subscriptions/32f0f1ee-690d-4b02-9e58-baa3715aabf7/locations/westus2",
        "metadata": {
          "geographyGroup": "US",
          "latitude": "47.233",
          "longitude": "-119.852",
          "pairedRegion": [
            {
              "id": "/subscriptions/32f0f1ee-690d-4b02-9e58-baa3715aabf7/locations/westcentralus",
              "name": "westcentralus",
              "subscriptionId": null
            }
          ],
          "physicalLocation": "Washington",
          "regionCategory": "Recommended",
          "regionType": "Physical"
        },
        "name": "westus2",
        "regionalDisplayName": "(US) West US 2",
        "subscriptionId": null
      }
    ]
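As an added example (not from the tutorial or from Microsoft), the functions below give a reliable region count that skips “(Stage)” and other non-physical entries, using the metadata.regionType property shown in the westus2 output above. They also exercise the --query multiselect syntax from the Bash shell script coding section. The az query shown in the comment is the assumed producer of the input; a constructed sample stands in for it so the code runs offline.

```shell
# Added example: count only Physical regions instead of every row `az` returns.
# Real input comes from this query (name and metadata.regionType, tab-separated):
#   az account list-locations --query "[].[name, metadata.regionType]" -o tsv
# Pipe that output into the functions below.

# physical_regions: reads "name<TAB>regionType" lines on stdin and prints the names
# whose regionType is Physical and whose name is not a "(Stage)" region.
physical_regions() {
  awk -F'\t' '$2 == "Physical" && $1 !~ /stage$/ { print $1 }'
}

# count_physical_regions: the replacement for the plain `wc -l` count above.
count_physical_regions() {
  physical_regions | wc -l | tr -d ' '
}

# Constructed sample (NOT real az output; the regionType of stage rows is assumed).
SAMPLE_REGIONS=$(printf 'westus\tPhysical\nwestus2\tPhysical\nwestus3\tPhysical\nwestusstage\tLogical\nwestus2stage\tLogical\nglobal\tLogical\nwestcentralus\tPhysical\n')

# Offline run on the sample:
#   printf '%s\n' "$SAMPLE_REGIONS" | count_physical_regions   -> 4
# Live run:
#   az account list-locations --query "[].[name, metadata.regionType]" -o tsv | count_physical_regions
```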
  1. TODO: Select the Region (aka Location) closest to intended users, considering pricing and feature availability.

    PROTIP: There are differences in prices among regions. “WestUS” is generally the least expensive among US regions.

    PROTIP: Speaker Recognition is currently only supported in Azure Speech resources created in the westus region.

    Individual resources created within a Resource Group are placed in the same region.

    CLI Naming conventions

    PROTIP: Since so many az commands refer to an Azure Resource Group, my scripts specify Resource Group or Location as the last item, using these naming conventions for environment variables:

    az group create --name "${MY_RG}" \
    --location "${MY_LOC}"

    PROTIP: My standardizing on these names means that you can safely use a different name by doing a “Change All” across all files.

    TOOL: Lookup nearest city given Longitude & Latitude using the GeoDB API.


    PROTIP: Even during individual development, take a few seconds to add tags in resource creation scripts. Tags enable security, accounting, and logging processes, and give developers troubleshooting tools from the beginning.

    Each tag is a “name=value” pair such as Env=Dev, Sensitivity=White, Dept=Finance, Project=Advance1, Customer=Acme, etc.

  2. To create a tag:

    az resource tag --tags Department=Finance \
     --name msftlearn-vnet1 \
     --resource-type "Microsoft.Network/virtualNetworks" \
     --resource-group "$MY_RG" 
  3. Click “Review + create” if you are not using Tags or if the resource doesn’t support tags.
  4. Click “Next: Tags” if you can specify one according to your Tag Naming Convention:

    LIMIT PROTIPS: Up to 50 Tags can be associated with each resource.
    Tag names are limited to 512 characters.
    Tag names for storage accounts have a limit of 128 characters.
    Tag values can be up to 256.

    Tags are your own metadata for:

    • Searching
    • Viewing
    • Billing

    PROTIP: Child resources don’t inherit tags from the resource group level.

    Common tag examples:

    • Environment=Production or Staging or “NPT” (Non-Production/Test)
    • Department or Accounting / cost center Charge Code
    • Geography
    • shutdown=6PM and startup=7AM for automation

  5. Click “Create” after “Validation passed”.

    Lock RG to prevent deletion


  6. Select each production resource group.
  7. Click “Locks” menu.
  8. Type a name according to naming conventions.
  9. Select a Lock Type: “Delete”.

    More Policies


  10. Click Policies in the menu within a Resource Group blade.
  11. Click Definitions in the menu for a list of pre-defined policies under each scope (Subscription + Resource Group).
  12. Click “Policy definition” in the command bar.
    • Field “Definition location” is the Subscription.
    • Each rule is JSON syntax with “if”, “not”, “then”, etc. logic

  13. Click the blue button to the right of “Policy definition” field for Available Definitions dialog where you can select a Type and Search filter text.

    A common policy is Allowed locations.

  14. Each policy can be set to Enforced or Disabled.
  15. Optionally, define a Managed Identity for remediation.
  16. Create.

    Policies can also be defined under each Subscription. VIDEO: All Services -> Management Groups to apply governance conditions (access & policies) above.

    To group policies under an initiative:

  17. Click “Assign initiative” in the command bar.

    Management Group hierarchy

  18. Search All Services for “Management groups”.
  19. Add Management Group.

    An initiative describes a group of policies across different management groups, subscriptions, resource groups.

  20. Click the group created and add more groups (up to 6 levels in hierarchy).
  21. Under each leaf management group, add a Subscription.


    Management groups can also be created by using PowerShell or Azure CLI. PROTIP: Currently, Resource Manager templates can’t be used to create management groups.

    Policy creation

  22. Select the Policy service.

    Policies are rules stating which resources can be deployed to which locations.

    • Microsoft provides a number of built-in policies
    • Create custom policies using JSON

    Assign at resource level or resource group level

    • Child resources don’t inherit tags from group level

    PROTIP: All resources in a resource group should share the same lifecycle.

  23. In the left menu select the Definitions pane under the Authoring section.

    You should see a list of built-in policies that you can use.

  24. Press G then + to focus on “+ Policy”, then press Enter to create a custom policy in the New policy definition dialog.

  25. Set the Definition location, click the blue …. and select the Subscription for the policy to be stored in, which should be the same subscription as our resource group. Click Select.

  26. Back on the New Policy definition dialog, type Name value of Enforce tag on resource.

  27. For the Description, enter This policy enforces the existence of a tag on a resource.

  28. For Category select Use existing and then select the General category.

  29. For the POLICY RULE, select all text in the box (command+A), then delete it.
  30. Copy and paste the following into the box:

      {
        "mode": "Indexed",
        "policyRule": {
          "if": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          "then": {
            "effect": "deny"
          }
        },
        "parameters": {
          "tagName": {
            "type": "String",
            "metadata": {
              "displayName": "Tag Name",
              "description": "Name of the tag, such as 'environment'"
            }
          }
        }
      }
  31. Click “Save”.

    Uses for policy:

    • restrict which Azure regions you can deploy resources to.
    • restrict which types of virtual machine sizes can be deployed.
    • enforce naming conventions to keep a consistent standard across all Azure resources.

    Assign policy

    To enable the policy, create an assignment. Assign it to the scope of your resource group, so that it applies to anything inside the resource group.

  32. In the policy pane, under the Authoring section on the left, select Assignments.
  33. Select Assign policy at the top command bar.

  34. In the Assign policy pane, click the blue …. for Scope. Select Resource Group. Click Select.

  35. For Policy definition, click the blue …. In the Type drop-down, select Custom, select the Enforce tag on resource policy you created, then click Select.

  36. Select Next to go to the Parameters pane.

  37. On the Parameters pane, for Tag name enter Department.

  38. Click “Review + create” then “Create” to create the assignment.
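    To see how such rules behave before assigning them, here is an added Python evaluator (example code, not Azure’s policy engine and not from the original tutorial) that applies the tag-enforcement rule above and the common “Allowed locations” rule to constructed resource documents. It assumes only the exists/equals/in/notIn operators, allOf/anyOf/not logic, and the concat()/parameters() expression forms shown on this page.

```python
"""Minimal local evaluator for Azure Policy rules (added example, not Azure's engine)."""
import re

# Constructed: the "Enforce tag on resource" definition from the walkthrough above.
ENFORCE_TAG_POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
        "then": {"effect": "deny"},
    },
    "parameters": {"tagName": {"type": "String"}},
}

# Constructed: the common built-in "Allowed locations" rule, denying every other region.
ALLOWED_LOCATIONS_POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('listOfAllowedLocations')]"}},
        "then": {"effect": "deny"},
    },
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
}

_PARAM_RE = re.compile(r"parameters\('(\w+)'\)")
_TOKEN_RE = re.compile(r"'([^']*)'|parameters\('(\w+)'\)")

def resolve(expr, params):
    """Resolve an ARM-style [expression] (concat of literals and parameters) to a value."""
    if not (isinstance(expr, str) and expr.startswith("[") and expr.endswith("]")):
        return expr  # plain literal, nothing to resolve
    inner = expr[1:-1]
    if inner.startswith("concat(") and inner.endswith(")"):
        parts = _TOKEN_RE.findall(inner[len("concat("):-1])
        return "".join(lit if name == "" else params[name] for lit, name in parts)
    match = _PARAM_RE.fullmatch(inner)
    if match:
        return params[match.group(1)]
    raise ValueError("unsupported expression: " + expr)

def field_value(resource, field):
    """Look up a policy field alias: 'location', 'type', or 'tags[name]'."""
    tag = re.fullmatch(r"tags\[(.+)\]", field)
    if tag:
        return resource.get("tags", {}).get(tag.group(1))
    return resource.get(field)

def evaluate(cond, resource, params):
    """True when the condition matches the resource (so the 'then' effect fires)."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    value = field_value(resource, resolve(cond["field"], params))
    if "exists" in cond:  # Azure spells this boolean as the string "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == resolve(cond["equals"], params)
    if "in" in cond:
        return value in resolve(cond["in"], params)
    if "notIn" in cond:
        return value not in resolve(cond["notIn"], params)
    raise ValueError("unsupported condition: " + ", ".join(cond))

def effect_for(policy, resource, params):
    """Return the rule's effect (e.g. 'deny') when it matches, otherwise 'allowed'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else "allowed"
```

    A resource without the Department tag evaluates to “deny”, matching what the portal assignment above enforces.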

    New Individual Resource

    DEFINITION: Each Azure resource is an instance of a service you have already provisioned.

  39. For a New Resource, hold down G and press N to select a new resource from Azure’s Marketplace of services.

    NOTE: This is also reached by clicking “+ Create a resource” or Home icon then “+ Create a resource”.


  40. Within the Marketplace of services/resources, clicking the star icon labeled “Favorites” adds the item to the Dashboard (described in a section below).

    New Web App

    PROTIP: Launching a “Web App” means that you provision a VM (Virtual Machine), which incurs charges continuously (until you go broke). A server is used to generate HTML and CSS files as needed (real-time) based on requests from users.

    DOC: “Launching a Simple Web App in Azure”

    New Static Web App

    “Static web apps” serve the same (static) HTML and CSS files to all users pre-generated when saved (pushed) to GitHub. This means that users don’t have to wait for them to be generated.

  41. In another browser tab, sign into GitHub and create a repository containing Nuxt.js or other template to generate HTML and CSS files.

  42. Scroll down the “Azure Marketplace” menu to click “Web”.
  43. Click “Static Web App (preview)”.
  44. Select the Resource Group created already.
  45. Type a Name that follows your Naming Conventions. For example, “msftlearn-core-infra-rg-dev” consists of
    • “msftlearn” for the types of resources
    • “hr” for Human Resources, “fin” for finance, etc.
    • “core-infra” for what is contained within,
    • “dev” or “prod” for environment
    • “rg” for the type of resource it is (resource group)

  46. PROTIP: WARNING: Select a Region that’s the same as your Resource Group or you’ll incur inter-region network charges.
  47. For Deployment details: Source, select “GitHub” the default.
  48. Click “Sign in with Github” for a pop-up screen to enter the email address you used to create the GitHub account you want to associate.
  49. Type the code shown in your mobile 2FA (authenticator) app to verify.
  50. Click “Grant” each additional organization/account.
  51. Click “Authorize …” to dismiss the pop-up.

  52. You should get an email with subject:

    [GitHub] A third-party OAuth application has been added to your account
  53. Select the Organization, Repository, Branch created in the step above.

    All Resources

  54. Drag and drop All resources in the menu to the bottom of the list because you can reach it without a mouse by holding down G and pressing A.

    That brings up a list of all resources you have already brought to life.

Region = Location

  1. Go to Azure Resource Explorer:


  2. It provides API calls and responses. Under your subscription / locations is JSON with the longitude and latitude of each location (region):

       {
         "id": "/subscriptions/.../locations/westus3",
         "name": "westus3",
         "displayName": "West US 3",
         "longitude": "-112.074036",
         "latitude": "33.448376"
       }
  3. On Google Maps, type in Search as “33.448376, -112.074036”.

    Alternately, construct a URL such as:


  4. Click to see it’s in downtown Phoenix. (For security, that is not the exact location so Amazon can’t drop a bomb on it).

Install Azure AD Module

  1. In Windows, right-click run as Administrator.

  2. On PowerShell:

    install-module -name azuread -Force

    PROTIP: Module names are not case sensitive.

    Untrusted repository
    You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you 
    want to install the modules from 'PSGallery'?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): 
  3. Type “A” in response to the prompt above.

  4. On PowerShell: Load the module (no response expected):

    Import-Module azuread   # Get-Module azuread only lists the module if it is already loaded
  5. Sign in:


    PROTIP: User Role “Global Administrator” can do anything.

    There are many “Limited administrator” roles.


Access Control (IAM) Roles


Role Scope of Security Principal (from narrowest)

  • Container within Blob Service
  • Queue
  • Storage Account

  • Resource Group
  • Subscription

VIDEO Add Role Assignment Role

  • Owner
  • Contributor - Backup Contributor & Operator
  • Reader
  • Avere Contributor & Operator
  • etc.

Assign access to:

  • Azure AD user, group, or service principal
  • User assigned managed identity
  • System assigned managed identity
  • App Service
  • Container instance
  • Container Registry Task
  • Data Factory
  • Function App
  • Logic App
  • Remote Rendering Account
  • Virtual Machine
  • Virtual Machine Scale Set

Management Certificates

Azure uses Management (x509 v3) Certificates (.cer file containing a public key) to access resources in an Azure Subscription.

There is a limit of 100 Management certs per Azure subscription (administrator).

  • Development
  • Test
  • Pre-prod (Staging)
  • Prod



At the Subscription pane

A Subscription is a billing boundary linked to an Azure account and a container for resource groups.

There can be multiple Subscriptions per tenant (e.g. for depts.).

  • Non-prod (for devs)
  • Production (for operations)
  • Multi-region

The 2000 role assignments limit per subscription is fixed and cannot be increased.

Subscription types:

  • Azure pass (e.g. with a course)
  • MSDN (Developer Network)
  • Azure trial
  • Pay-as-you-go (most common)
  • Enterprise (involves a minimum commitment)

Management Group for RBAC


Each Management Group is a container for one or more subscriptions

  • You can build a hierarchy of these
  • You can assign policies to a management group

RBAC (Role-Based Access Control) inheritance scope: Management Groups are above Subscriptions, which are above Resource Groups, which contain Resources. A role assigned at a higher scope is inherited by everything beneath it.

Roles: Owner, Contributor, Reader (Observer), User Access Admin

Security principals a role can be assigned to:

  • User
  • Group in AD
  • Service Principal - security identity used by app services
  • Managed Identity (managed by Azure)

A Role Assignment binds a Role Definition, which lists the operations that can be performed, to a Security Principal at a scope.

See https://docs.microsoft.com/en-us/azure/role-based-access-control/troubleshooting

Limits = Quotas


REMEMBER: Quotas (Limits) cannot be increased in FREE subscriptions!

REMEMBER: Azure supports up to 15 tags per Resource Group.

Pricing Calculator


Estimate costs of various services.


Cloud Shell

  1. VIDEO: Azure provides contextual prompts in its interactive mode:

    az interactive


    This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
    Installing the Interactive extension...
    The installed extension 'interactive' is in preview.
    Do you agree to sending telemetry (yes/no)? 

Create AZ Role

  1. To create a custom Azure role with the Azure CLI (which also runs in PowerShell), define the role in a JSON file, then:

    az role definition create --role-definition "~/CustomRoles/ReaderSupportRole.json"
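    As an added example (not Azure’s code or the author’s script), this Python model shows how the Actions/NotActions of a role definition like the one referenced above are matched with wildcards, and how an assignment at a Management Group is inherited by the Subscriptions, Resource Groups and resources beneath it, as the RBAC inheritance section describes. The hierarchy, principals and the “Reader Support Tickets” custom role are constructed for illustration.

```python
"""Local model of Azure RBAC evaluation (added example, not Azure's own code)."""
import fnmatch

# Constructed hierarchy: scope -> parent scope (None marks the root management group).
PARENT = {
    "mg-corp": None,
    "mg-nonprod": "mg-corp",
    "sub-dev": "mg-nonprod",
    "sub-prod": "mg-corp",
    "sub-prod/rg-core-infra": "sub-prod",
    "sub-prod/rg-core-infra/vm-web01": "sub-prod/rg-core-infra",
}

# Role definitions in the shape `az role definition create` consumes, trimmed to the
# fields that matter here. The last one is a constructed custom role.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
    "Reader Support Tickets": {"Actions": ["*/read", "Microsoft.Support/*"], "NotActions": []},
}

# Constructed assignments: (security principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Contributor", "mg-corp"),
    ("bob", "Reader", "sub-prod"),
    ("svc-ci", "Reader Support Tickets", "sub-prod/rg-core-infra"),
]

def scope_chain(scope):
    """Yield the scope and every ancestor up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]

def effective_roles(principal, scope, assignments=ASSIGNMENTS):
    """Roles the principal holds at `scope`, including those inherited from parents."""
    chain = set(scope_chain(scope))
    return sorted({role for who, role, at in assignments if who == principal and at in chain})

def _matches(action, pattern):
    """Azure action strings are case-insensitive and '*' spans path separators."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    """Allowed by this role if an Actions pattern matches and no NotActions pattern does."""
    definition = ROLES[role]
    return (any(_matches(action, p) for p in definition["Actions"])
            and not any(_matches(action, p) for p in definition["NotActions"]))

def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """Permissions are additive: the union over every role held at this scope or above."""
    return any(role_allows(role, action) for role in effective_roles(principal, scope, assignments))
```

    Note that Contributor’s NotActions stop alice from writing role assignments even though she holds it at the root, while bob’s Reader role at sub-prod grants nothing in sub-dev.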


  1. Use the automation bash script for MacOS at


    The “mac-install-all.sh” script places a secrets.sh file in your machine’s home folder.

    The script takes care of installing the azure CLI

  2. Edit the file there (not in the repo directory).

    If in the secrets.sh file the TRYOUT string is edited to contain a known value for a module, that would be executed.

    To execute all modules:


    Alternately, to execute only one or a few modules, for example:


    … the Bash script has been programmed to create an instance using az CLI commands, rather than commands manually copied and pasted into an Azure Cloud Shell instance launched in a browser (using command+shift+V) as described at:


    • Log in
    • Create a resource group
    • Create a virtual machine
    • Get VM information with queries
    • Set environment variables from CLI output
    • Create the new VM on an existing public subnet (contoso.ws)
    • Verify public access to one-page static page (like isitchristmas.com)
    • Cleanup (remove vm instance if TRYOUT_KEEP is not specified)
    • Display cost of above

    Alternately, if in the secrets.sh file the TRYOUT string is edited to contain this:


    This creates an Azure (Serverless) Function, as described in commands listed at:

    Azure Functions

    The unique aspect of the mac-install-all.sh script is that it does NOT require you to go from screen to screen typing steps by step starting from

    The script executes a set of commands for you automatically so you get past the installation and configuration confusion, bringing your laptop to a point where you can work on changing the sample to the app you want. You can then re-run the script, and any changes to the underlying framework would be upgraded if needed.

    Since Azure provides a small amount of free time to all accounts each month under their Consumption Plan, you can do several runs each month without spending any cash. See their Pricing.

    The “az-func” TRYOUT does all the following:

    Account Password > Login > Tenant > Principal > APP_ID > Roles > Template > stop


  3. For attended manual log in:

    az login 

    The response expected is a new tab to appear in your default browser window asking for your account.

    Alternately, for unattended log in:

    az login -u "$AZ_USER" -p "$AZ_PASSWORD"

    If you have not signed up for a subscription, you’ll get an error such as: “No subscriptions were found for ‘None’. If this is expected, use ‘--allow-no-subscriptions’ to have tenant level accesses”

    Set subscription

    There can be more than one subscription, so set the one to use:

  4. The JSON that comes back from az login can be retrieved again by:

    RESPONSE=$( az account list)
  5. Pick out the subscription from the list:


  6. Set the subscription:

    az account set --subscription=
  7. Set the cloud:

    az cloud set --name AzureUSGovernment  # or AzureChinaCloud, or AzureGermanCloud.

    NOTE: Azure China cloud (azure.cn) is operated by 21 Vianet.


    CAUTION: Logging in online imbues you with a full set of permissions that a login using the az command does not fully possess.

    Tenant ID

  8. When you sign up for a Microsoft cloud service, Microsoft assigns a Tenant ID to your account. Once you have logged in, obtain it with:

    AZ_TENANT=$(az account show --query 'tenantId' -o tsv)

    Then echo $AZ_TENANT yields something like: a7a02378-1e4b-4017-972e-9dfe53bc2b2f

    See: Multi-tenant architecture

    Resource groups (RGs) are used for RBAC, Automated Deployments, and Billing/Monitoring.


  9. Put the Tenant ID value in the secrets.sh file so that future script runs can check whether that value has already been created.

  10. Also note that before getting here the script created a pem file. PROTIP: Create a .pem file from the RSA key pair named $SSH_USER created for GitHub:

    ssh-keygen -f ~/.ssh/$SSH_USER -m 'PEM' -e > $SSH_USER.pem
    chmod 600 $SSH_USER.pem

    This is recommended instead of the alternative of asking Azure to --create-cert in the command:

    Service Principal

  11. We next Create a Service Principal using Conventions for naming principals under RBAC (role-based access control):

    This Azure CLI (command az) has the subcommand ad (for Active Directory) to create Service Principals (sp’s). We capture the response (in JSON format) in the variable return.

    return=$(az ad sp create-for-rbac --name "$AZ_PRINCIPAL" \
        --role owner \
        --create-cert \
        --query "[fileWithCertAndPrivateKey, appId, tenant]")

    The command puts a certificate file in your $HOME folder and returns JSON such as:

      {
        "appId": "username",
        "displayName": "ServicePrincipalName",
        "name": "http://your app address",
        "password": "passkey"
      }

    The additional --query option selects three fields from the response.

    The first of the three fields (fileWithCertAndPrivateKey) requested in the query is parsed using this command ($return is deliberately left unquoted so the multi-line JSON array collapses onto one line before tr and awk see it):

    echo $return | tr -d "[ ] \" \"" | awk -F, '{ print $1 }'

    This obtains the first part of the response, “/user/wisdom/tmpf14zjme.pem”, which is used in subsequent commands:

    AZ_PEM_LOC=$(echo $return | tr -d "[ ] \" \"" | awk -F, '{ print $1 }')

    The second item in the query yields the APP_ID:

    AZ_APP_ID=$(echo $return | tr -d "[ ] \" \"" | awk -F, '{ print $2 }')

    The third item is the Tenant ID. Both of these are GUIDs.

    The command has additional options:

    az ad sp create-for-rbac -n "lnx" \
    --role contributor \
    --scopes /subscriptions/ssssssss-ssss-ssss-ssss-ssssssssssss

    Login for sure


  12. Now log in as the service principal:

    az login --service-principal -u "$AZ_APP_ID" \
    -p "$AZ_PEM_LOC" --tenant "$AZ_TENANT"

    https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog is the older version of Microsoft Graph at https://developer.microsoft.com/en-us/graph https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph

    BLAH: The name of the file created contains something like “tmpcgzysdch”, a random set of characters. So the script needs to figure out that file name. Thus we create the pem file and tell Azure.

  13. TODO: Obtain the password text from within the file

    Create a folder $HOME/certs/

  14. Put the contents in a file name containing the value in $AZ_APP_ID, in the $HOME folder so that it won’t have a chance to get pushed to GitHub.

  15. Login using credentials built above:

    az login --service-principal \
        --username "$AZ_APP_ID" \
        --tenant "$AZ_TENANT" \
        --password "$HOME/certs/$SSH_USER.pem"

    BLAH: The APP_ID and username are the same. Whatever.

  16. Assign a role named “Reader” to the APP ID (username):

    az role assignment create \
    --assignee "$AZ_APP_ID" \
    --role reader
  17. List what roles were assigned to an APP_ID:

    az role assignment list --assignee $AZ_APP_ID

    If your APP_ID has not already been created:

  18. To specify a module to run (not just install): If in the secrets.sh file the TRYOUT string is edited to contain “az”:


QUESTION: limits to total concurrent executions across all functions within a given region to 100?

Regional Zones for Egress

Regions are grouped into 4 zones for pricing network Egress:

  1. US, US Gov, Canada, Europe, UK, France, Switzerland
  2. East Asia, Southeast Asia, Japan, Australia, India, Korea
  3. Brazil, South Africa, UAE
  4. (DE Zone 1) Germany


https://www.hashicorp.com/blog/go-big-or-go-small-building-in-azure-caf-with-terraform-cloud Microsoft’s Cloud Adoption Framework enterprise-scale landing zone architecture based on an Azure Virtual WAN network topology. The connectivity subscription uses a Virtual WAN hub.

Azure AD B2B (Business-to-Business)

allows an organization to securely share company applications and company services with guest users from other orgs, while retaining control over company data. Auth policies protect corp. data.

  1. Portal Menu > Azure Active Directory. Select yours.
  2. Users. +New guest user. Type email. Invite.
  3. Guest user clicks “Get Started” in email.

Azure AD B2C (Business to Consumer)

enables customers to use a registered app; its Identity Experience Framework defines how the app interacts with external multi-party Identity Providers (IdPs) such as Facebook.

It makes use of SYN cookies and rate & connection limits defined by a Trust Framework policy.

  1. +Create a resource: Azure Active Directory B2C
  2. Create.
  3. An additional B2C Tenant is created
  4. Create.
  5. Link to subscription.

ARM Templates

A parent template can launch nested templates.

Azure Bicep > Terraform


Azure Bicep files contain a custom Domain Specific Language (DSL) designed to be easier to read than ARM JSON templates.


RESOURCE: This contains Azure Resource Manager templates contributed by the community.


Tooling in Visual Studio Code transpiles Bicep files to ARM templates.

QUESTION: What about templating? Pulumi? Bicep files are like Terraform declarative files. But instead of state files like Terraform, Azure itself manages state.

As of March 2021, Bicep is not yet integrated into the Portal.

  1. Install the Bicep CLI.


BLOG: Pros & Cons

Terraform for Azure

  1. On a Mac, install tfenv using Homebrew (instead of downloading Terraform from the HashiCorp website or running brew install terraform), then use it to install the latest Terraform:

    brew install tfenv
    tfenv install latest

Azure AD Connect

Azure AD Join

Azure Policy

Azure Role-Based Access Control (RBAC)

Azure AD Roles

Resources : Videos

Microsoft Azure: The Big Picture 1h 50m Mar 10, 2016 by Matt Milner makes use of VS 2010, which is rather obsolete now.

  1. Install in VSCode Azure Resource Manager Tools for Template language support for Azure Resource Manager JSON files.

Live events to meet people

WARNING: The “Global Azure Bootcamp April 27, 2019” experience website global.azurebootcamp.net has converted to Vue and Google stuff.



Policy Definition options:

  • Allowed VM SKU’s
  • Locations
  • Allowed Resource Type
  • Allowed Storage Account SKUs

ASG (Application Security Group)

ASGs are wrapped by an NSG (Network Security Group), which controls traffic.

  • Admins can RDP.
  • Users cannot RDP.

Delete Subscription, Directory, Tenant

az group delete --name $MY_RG



Azure Futures Roadmap

PROTIP: The minimum prior notification Microsoft will give before ending support for products governed by the Modern Lifecycle Policy is 12 months.

Product Feature

“Public preview” means the feature is available for all Azure customers for beta testing.

GA (General Availability) means

VIDEO: https://azurecharts.com/status provides clickable “heatmap” status, timeline, a quiz, etc.



https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs ADFS (Active Directory Federation Services)



https://azurefabric.com/azure-monitor-for-paas-services-where-is-the-ai-and-how-do-i-arm-it/ blog https://azidentity.azurewebsites.net/archive

URL Shortener

https://channel9.msdn.com/Shows/Azure-Friday/AzUrlShortener-An-open-source-budget-friendly-URL-shortener by Frank Boucher who created a one-click deploy your own. http://www.frankysnotes.com/2020/04/how-i-build-budget-friendly-url.html



More about Azure

This is one of a series about Azure cloud: