
Manage service principal roles


To restrict access to your Azure resources, grant a service principal only the roles it needs by managing its role assignments. Each role grants a defined set of permissions to the assignee when it accesses Azure resources. This step in the tutorial explains how to add and remove role assignments for a service principal.

The Azure CLI has the following commands to manage role assignments:

  • az role assignment list
  • az role assignment create
  • az role assignment delete

Create or remove a role assignment

The Contributor role grants full permission to create, read, update and delete resources at its scope (it cannot assign roles). The Reader role is more restrictive, with read-only access. Always follow the principle of least privilege: assign the narrowest role at the narrowest scope that still lets the service principal do its job. For a complete list of available roles in Azure RBAC, see Azure built-in roles.

Adding a role doesn't restrict previously assigned permissions: a principal that holds both Contributor and Reader is still a Contributor, so tightening access means removing the broader assignment, not just adding a narrower one. This example adds the Reader role and removes the Contributor role:


How to get a value for the scope parameter

One question you might have is "How do I know the --scope parameter value?" The answer is to find and copy the Resource ID of the Azure resource your service principal needs to access; it is usually shown on the Properties or Endpoints page of the resource in the Azure portal. A scope is a prefix of that ID: /subscriptions/<subscription-id> for a subscription, /subscriptions/<subscription-id>/resourceGroups/<resource-group> for a resource group, and the full Resource ID for a single resource. Rely on your own Resource ID for the actual format and value.

For more scope examples, see Understand scope for Azure RBAC.

Verify changes

The changes can be verified by listing the assigned roles:

You can also go into the Azure portal and manually assign the role to the service principal from the Access control (IAM) menu. For more examples on listing role assignments, see List Azure role assignments using Azure CLI.
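The add/remove/verify steps above, turned into a check you can run after the commands. This is an added example in Python and not part of the Microsoft tutorial: it reads the JSON that `az role assignment list --assignee <appId> --all -o json` prints, compares it with the assignments the principal should hold, and prints the `az role assignment create` / `delete` commands that close the gap. The subscription ID, resource group and appId are placeholders, and CURRENT_ASSIGNMENTS_JSON is a constructed sample of the CLI output trimmed to the fields read here.

```python
"""Reconcile a service principal's role assignments against a least-privilege target.

Added example for the tutorial above; it is not the tutorial's own code. Input is
the output of `az role assignment list --assignee <appId> --all -o json`; output is
the list of az commands needed to reach the desired state.
"""
import json

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
SP_APP_ID = "11111111-1111-1111-1111-111111111111"     # placeholder service principal appId


def scope_for(subscription, resource_group=None, resource_type=None, resource_name=None):
    """Build a --scope value; each result is the Resource ID at that level.

    resource_type is the provider path, e.g. "Microsoft.KeyVault/vaults"."""
    scope = f"/subscriptions/{subscription}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    if resource_type or resource_name:
        if not (resource_group and resource_type and resource_name):
            raise ValueError("a resource scope needs resource group, type and name")
        scope += f"/providers/{resource_type}/{resource_name}"
    return scope


RG_SCOPE = scope_for(SUBSCRIPTION, "rg-demo")

# Constructed sample: the SP still holds Contributor on the resource group, plus a
# Reader assignment at subscription scope that nobody remembers granting.
CURRENT_ASSIGNMENTS_JSON = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": RG_SCOPE, "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Reader", "scope": scope_for(SUBSCRIPTION), "principalType": "ServicePrincipal"},
])

# Least-privilege target: read-only, and only on the one resource group it works in.
DESIRED = {("Reader", RG_SCOPE)}


def _normalize(pairs):
    """Scopes are case-insensitive in Azure, so compare them lower-cased."""
    return {(role, scope.lower()) for role, scope in pairs}


def current_assignments(list_output):
    """Reduce the CLI output to a set of (role name, scope) pairs."""
    return _normalize((a["roleDefinitionName"], a["scope"]) for a in json.loads(list_output))


def plan(current, desired, assignee):
    """Return the az commands that turn `current` into `desired`.

    Creates are emitted before deletes so the principal never has zero access
    mid-change, and every delete names its scope so it cannot silently remove the
    same role at every scope the principal holds it."""
    current, desired = _normalize(current), _normalize(desired)
    commands = [f'az role assignment create --assignee {assignee} --role "{role}" --scope {scope}'
                for role, scope in sorted(desired - current)]
    commands += [f'az role assignment delete --assignee {assignee} --role "{role}" --scope {scope}'
                 for role, scope in sorted(current - desired)]
    return commands


def is_least_privilege(current, desired):
    """True once the principal holds exactly the desired assignments and nothing more."""
    return _normalize(current) == _normalize(desired)


if __name__ == "__main__":
    current = current_assignments(CURRENT_ASSIGNMENTS_JSON)
    print("already least privilege:", is_least_privilege(current, DESIRED))
    for command in plan(current, DESIRED, SP_APP_ID):
        print(command)
```

Feed the real `az role assignment list` output into `current_assignments`, review the printed commands, then run them and re-run the check until `is_least_privilege` is true. The stray subscription-scope Reader in the sample is exactly the kind of assignment `--all` surfaces and a resource-group-scoped listing would hide.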

Now that you've learned how to manage your service principal roles, proceed to the next step to learn how to use service principals to create a resource.

Create a resource using service principal


Journey Of The Geek

The chronicles of a Bostonian tech geek navigating through life and technology.

Azure Authorization – Azure RBAC Basics

This is part of my series on Azure Authorization.

  • Azure Authorization – The Basics
  • Azure Authorization – Azure RBAC Basics
  • Azure Authorization – actions and notActions
  • Azure Authorization – Resource Locks and Azure Policy denyActions
  • Azure Authorization – Azure RBAC Delegation

Welcome back folks. In this post I will be continuing my series on Azure authorization by covering the basics of Azure RBAC. I will review the components that make up Azure RBAC and touch upon some of the functionality I’ll be covering in future posts of this series. Grab a coffee, get comfy, and prepare to review some JSON!

In my first post in this series I touched on the basics of authorization in Azure. In that post I covered the differences between the management plane (actions on a resource) and the data plane (actions on data stored in the resource). I also called out the four authorization planes for Azure, which are Entra ID roles, Enterprise Billing Accounts, Azure classic subscription administrator roles, and Azure RBAC (Role-Based Access Control). If you're unfamiliar with these concepts, take a read through that post before you continue.


Azure RBAC is the primary authorization plane for Microsoft Azure. When a request is made to the ARM (Azure Resource Manager) REST API it is Azure RBAC that decides whether or not the action is allowed (with the exceptions I covered in my first post and some I'll cover through this series). Azure RBAC is configured with two resources: the Azure RBAC Role Definition and the Azure RBAC Role Assignment. At a high level, a Role Definition is a collection of permissions and an Assignment grants those permissions to a security principal at an access scope. Definitions and assignments can only be created by a security principal that has been assigned an Azure RBAC role carrying the relevant permissions in the Microsoft.Authorization resource provider, specifically Microsoft.Authorization/roleDefinitions/* and Microsoft.Authorization/roleAssignments/*. Out of the box there are two built-in roles that carry these permissions: User Access Administrator and Owner (there are a few newer ones I'll discuss in a future post). Because those permissions let a principal grant itself anything else, every assignment of them is a privilege-escalation path and the list of holders should be kept short.

Let me dig deeper into both of these resources.

It all starts with an Azure RBAC Role Definition. These can be either built-in (pre-existing roles Microsoft provides out of the box) or custom (a role you design yourself). A role definition is made up of three components: the permissions (actions), the assignable scopes, and the conditions. The permissions are the actions that can be performed, the assignable scopes are the access scopes at which the role definition can be assigned, and the conditions further constrain the access; conditions underpin a set of newer Azure RBAC features that I'll cover later in this series.


Permissions are divided into four categories: actions, notActions, dataActions, and notDataActions. The actions and notActions are management plane permissions; dataActions and notDataActions are data plane permissions. As mentioned earlier, the management plane is actions on the resource while the data plane is actions on the data within the resource. Azure RBAC used to be management plane only, but has increasingly (thankfully) been expanded into the data plane. Actions and dataActions are the operations that are allowed; notActions and notDataActions are operations subtracted from that allowed list within the same role definition. That likely sounds confusing and I'll cover it in more depth in my next post. For now, understand that a permission in notActions or notDataActions is not an explicit deny: if another role assignment grants the operation, the principal can still perform it.

The assignable scopes component is a list of places the role definition can be assigned (I'll get to this later). The assignable scopes include a management group (with some limitations for custom role definitions), subscription, resource group, or resource. Note that whatever scopes are included, the scopes beneath them are also included. For example, an assignable scope of a management group makes the role definition usable at that management group, the subscriptions associated with that management group, the resource groups within those subscriptions, and the resources within those resource groups.

Lastly, we have the conditions. Conditions are a new feature of Azure RBAC Role Definitions and Assignments and are used to further filter the access based on other properties of the security principal, session, or resource. These conditions are used in newer features I’ll be covering throughout this series.

When trying to learn something, I'm a big fan of looking at the raw information from the API. It gives you all the properties you'd never know about when interacting via the GUI. Below is the representation of a built-in Azure RBAC Role Definition. You can dump this information using Azure PowerShell, Azure CLI, or the REST API. With Azure CLI you would use the az role definition list command (for a single role, az role definition list --name "<role name>").


There are a few things I want you to focus on. First, you'll notice the id property. Each Azure RBAC Role Definition has a unique GUID (the name property, which is also the last segment of the id) that must be unique across the Entra ID tenant. The GUIDs for built-in roles are common across all Entra ID tenants (I've never run into an instance where they were not), which is why scripts can safely hard-code them. Like all Azure objects, Azure RBAC Role Definitions also have to be stored somewhere. Custom Azure RBAC Role Definitions can be stored at the management group or subscription level. I'd recommend you store your custom Role Definitions at the management group level whenever possible so they can be re-used (there is a limit of 5,000 custom Azure RBAC Role Definitions per Entra ID tenant) and so they exist beyond the lifetime of a subscription (think of the case where you re-use a role definition from subscription 1 in subscription 2 and then delete subscription 1, uh oh).

Next, you'll see the assignableScopes property with a value of "/". That "/" represents the root management group (see my post on the root management group if you're unfamiliar with the concept). As of 3/2024, only built-in role definitions can have an assignable scope of "/". When you create a custom role definition you will likely create it with an assignable scope of either a management group (good for common roles that will be used across subscriptions, and for staying under the 5,000 role definition limit) or a subscription (good for use cases where a business unit has specific requirements).

Lastly, you'll see that a condition has been applied to this Azure RBAC Role Definition. As of 3/2024 only built-in role definitions include conditions. I'll cover what these conditions do in a future post.

Excellent, so you now grasp the Azure RBAC Role Definition. Let me next dive into Assignments.

Azure RBAC Role Assignments associate a role definition to a security principal and assign an access scope to those permissions. At a high-level, they are made up of four components which include the security principal (the entity assigned the role), role definition (the collection of permissions), scope (the access scope), and conditions (further filters on how this access can be exercised).


The security principal component is the entity that will be assigned the role for the specific access scope. This can be an Entra ID user, group, service principal, or managed identity.

The role definition is the Azure RBAC Role Definition (collection of permissions) the security principal will be assigned. This can include a built-in role or a custom role.

The scope is the access scope at which the security principal can exercise the permissions defined in the role definition. It's most common to create Azure RBAC Role Assignments at the subscription and resource group scope. If you have a subscription strategy where every application gets its own subscription, the subscription scope may make sense for you. If your strategy is subscriptions at the business unit level you may create assignments at the resource group. Assignments at the management group tend to be limited to roles for the central IT (platform and security) team. Take note that there are limits to the number of assignments at different scopes, which are documented at this link. As of 3/2024 you cannot assign an Azure RBAC role with dataActions or notDataActions permissions at the management group scope.

Let's now take a look at the API representation of a typical role assignment. You can dump this information using Azure PowerShell, Azure CLI, or the REST API. With Azure CLI you would use az role assignment list:


Here there are a few properties to note. Just like the Azure Role Definitions, the id property of an Azure RBAC Assignment must contain a GUID unique to the Entra ID tenant.

The principalId is the object id of the security principal in Entra ID and the principalType is the object type of the security principal, which will be User, Group, or ServicePrincipal. Why no managed identity? The reason is that managed identities are simply service principals with some orchestration on top. If you're curious as to how managed identities are represented in Entra ID, check out my post on orphaned managed identities.

The scope is the access scope the permissions will apply to. In the example above, the permissions granted by this role assignment will have the scope of the rg-demo-da-50bfd resource group.

This role assignment also has a condition. The capabilities of conditions and where they are used will be covered in a future post.

The last property I want to touch on is the delegatedManagedIdentityResourceId. This is a property used when Azure Lighthouse is in play.
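The role definition section (actions minus notActions, and notActions not being a deny) and the role assignment section (principal, definition, scope, inheritance) above describe a decision procedure. The Python below, an added example that is not code from this post and not Azure's implementation, models that procedure over constructed definitions and assignments: an assignment applies at its scope and everything beneath it, a definition permits an action when an `actions` entry matches and no `notActions` entry does, and a principal is allowed if any one assignment grants the action. The principal GUIDs, subscription, role names and assignments are all placeholders; dataActions, conditions and deny assignments are left out.

```python
"""Decide whether a principal may perform a management-plane action at a scope.

Added example for the role definition and assignment sections above; it is not the
post's code and not how ARM implements the check. It covers the management plane
only: actions/notActions with wildcards, scope inheritance, and "any grant wins".
"""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
RG = SUB + "/resourceGroups/rg-demo"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-demo"

ALICE = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # placeholder principalId
BOB = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"    # placeholder principalId

# Constructed definitions, trimmed to the permission block `az role definition list` shows.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"], "notActions": []},
    # A custom role modelled on Contributor: everything except managing RBAC.
    "Custom Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
}

# Constructed assignments, trimmed to principalId / roleDefinitionName / scope.
ASSIGNMENTS = [
    {"principalId": ALICE, "roleDefinitionName": "Custom Contributor", "scope": SUB},
    {"principalId": ALICE, "roleDefinitionName": "User Access Administrator", "scope": RG},
    {"principalId": BOB, "roleDefinitionName": "Reader", "scope": RG},
]


def matches(pattern, action):
    """Action strings compare case-insensitively; '*' spans any number of segments."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def definition_permits(definition, action):
    """Effective permission: some `actions` entry matches and no `notActions` entry matches.

    notActions only subtract from this definition; they say nothing about other assignments."""
    granted = any(matches(p, action) for p in definition["actions"])
    removed = any(matches(p, action) for p in definition["notActions"])
    return granted and not removed


def scope_covers(assigned_scope, target_scope):
    """An assignment applies at its own scope and at every scope beneath it ('/' covers all)."""
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def granting_assignments(principal_id, action, target_scope,
                         assignments=ASSIGNMENTS, definitions=ROLE_DEFINITIONS):
    """Every assignment that on its own lets the principal do `action` at `target_scope`.

    Answers "why is this allowed?", which is what an access review needs."""
    return [
        asg for asg in assignments
        if asg["principalId"] == principal_id
        and scope_covers(asg["scope"], target_scope)
        and definition_permits(definitions[asg["roleDefinitionName"]], action)
    ]


def is_permitted(principal_id, action, target_scope, **kw):
    """Allow if at least one assignment grants it; there is no 'deny wins' between assignments."""
    return bool(granting_assignments(principal_id, action, target_scope, **kw))


if __name__ == "__main__":
    checks = [
        (ALICE, "Microsoft.Compute/virtualMachines/write", VM),
        (ALICE, "Microsoft.Authorization/roleAssignments/write", SUB),  # notActions removes it here
        (ALICE, "Microsoft.Authorization/roleAssignments/write", RG),   # UAA at the RG grants it anyway
        (BOB, "Microsoft.Compute/virtualMachines/read", VM),
        (BOB, "Microsoft.Compute/virtualMachines/write", VM),
    ]
    for who, action, scope in checks:
        why = [a["roleDefinitionName"] for a in granting_assignments(who, action, scope)]
        print(f"{who[:8]} {action} @ {scope.rsplit('/', 1)[-1]}: {bool(why)} via {why}")
```

The third check is the point of the notActions paragraph: the custom role strips Microsoft.Authorization/*/Write at subscription scope, yet the narrower User Access Administrator assignment still lets ALICE write role assignments inside rg-demo. If you want a true deny you need a deny assignment, which this model deliberately does not include.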

Alright folks, that should give you a basic understanding of the foundations of Azure RBAC. Your key takeaways for today are:

  • Assigning a security principal permissions consists of two resources, the role definition (the set of permissions) and the assignment (combination of the role, security principal, and access scope).
  • Custom Azure RBAC Role Definitions should be created at the management group level where possible to ensure their lifecycle persists beyond the subscription they are used within. Be aware of the 5,000 per Entra ID tenant limit.
  • Azure RBAC Role Assignments are most commonly created at the subscription or resource group level. Usage at management groups will likely be limited to granting permissions for Central IT or Security. Be aware of the limits around the number of assignments.

In my next post I'll dig deeper into how notActions and notDataActions work, demonstrate that they are not an explicit deny, and compare and contrast an Azure RBAC Role Definition with an AWS IAM Policy.

Have a great week!


Welcome to Pedholtlab

Export role assignments for all Azure subscriptions

Microsoft has made it straightforward to get an overview of Azure role assignments for a subscription: there is a Download role assignments button in the Azure portal under Subscriptions. When I'm working with customers that have many subscriptions, I like to get an overview of all the subscriptions at once, so I use PowerShell to export the role assignments for all Azure subscriptions in one go.


Script parameters

There are 2 parameters in the script, $OutputPath and $SelectCurrentSubscription. Neither of them is mandatory.

$OutputPath: If defined, a CSV file will be exported to the chosen location. Example:  .\Export-RoleAssignments.ps1 -OutputPath C:\temp

$SelectCurrentSubscription: Only exports role assignments from the subscription that is currently selected. Example:  .\Export-RoleAssignments.ps1 -SelectCurrentSubscription

Run Get-AzContext to view which subscription is selected.

Script Output

Besides getting an overview of the overall role assignments in an Azure subscription, I also like to know whether a role is a custom or built-in role. The script checks each assignment and records CustomRole as True or False.

Output Example in PowerShell Console (screenshot not reproduced)

Output Example to CSV File (screenshot not reproduced)

The PowerShell Script

The PowerShell script is available on my GitHub account. Go there for the latest updates (the script in this article will not be kept in sync with the GitHub version).

5 thoughts on “ Export role assignments for all Azure subscriptions ”


Can you edit the script so that when roles are assigned to groups, the group members are also exported in that CSV?


Getting the following error on the AzureAD part:

PS C:\scripts> .\azure.ps1 -OutPutPath C:\temp
VERBOSE: Running for all subscriptions in tenant
VERBOSE: Changing to Subscription Access to Azure Active Directory
VERBOSE: Getting information about Role Assignments…
WARNING: We have migrated the API calls for this cmdlet from Azure Active Directory Graph to Microsoft Graph. Visit https://go.microsoft.com/fwlink/?linkid=2181475 for any permission issues.
Get-AzRoleAssignment : Operation returned an invalid status code 'BadRequest'
At C:\scripts\azure.ps1:39 char:14
+ $roles = Get-AzRoleAssignment | Select-Object RoleDefinitionName, …
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzRoleAssignment], ErrorResponseException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand


You have to edit the script for it to work again. You will have to change the API call to Microsoft Graph. Maybe I will do it at some point.


Did you ever get a chance to update the script to use the Microsoft Graph API? It would really be helpful for something I’m working on.

Thanks for this script. You’d think MS would have this type of exporting built into their console. Very useful and critical tool to manage tenants with tons of subscriptions. Good work!!



What is the right way to assign Network Contributor Role to an AKS cluster via ARM / Bicep template?

I'm trying to configure a Load Balancer for my AKS server using Bicep/ARM. I am using the NGINX Ingress Controller in Kubernetes and it does seem to work, but when I first spin things up I am encountering an error.

Mainly I'm wondering what is the equivalent ARM or Bicep template for this step in the Azure documentation?

https://docs.microsoft.com/en-us/azure/aks/static-ip#create-a-service-using-the-static-ip-address

I'm using Bicep and have created my AKS server like this for example:

I'm then adding a role assignment to the kubelet identity like so:

Which seems to work, I can see the Role assigned to the managed principal in the dashboard... but the Service in kubernetes seems to fail with a permission issue still:

What's weird is that later on at some point it seems to just magically work. That error says "retriable false" and it does seem like the service doesn't retry, but a subsequent deploy of NGINX to Kubernetes will then cause it to retry and suddenly boom, it's working.

It just seems like the error message is telling me there is some non-deterministic delay in role propagation... So my questions are:

  • Is that right? Is it in fact just a delay and my code is basically right?
  • Am I using the right principalId? Or is that actually unnecessary?
  • Is there a way for me to force those role updates to propagate? I could have a CLI step in between if I needed to. How can I wait to install my ingress controller which connects to the LB after the permissions are ready?

I am not sure why the previous answer is considered correct. You have used the kubelet identity here. This is used to authenticate with Azure container registries, but in your case you must use the Cluster (Control Plane) Identity, and I can't find a way to assign a system-assigned managed identity. I believe the only way at the moment is to bring your own.

1. Add Managed Identity creation to your ARM template:

2. Update the AKS identity property:

3. Grant Network Contributor permissions:


Your question (although not directly) is answered here.

The behavior you are describing is discussed in this section . Since Azure Resource Manager sometimes caches configurations and data to improve performance, it can sometimes take up to 30 minutes for changes to take effect when you assign roles or remove role assignments.

Using Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in .

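The third question in the thread, how to wait for a role assignment before the step that depends on it, has a mechanical answer: poll the assignment until it is visible, with backoff, instead of assuming it is live the moment `az role assignment create` returns. The Python below is an added example written for this thread, not code from the question or either answer. `az_lister` wraps the real `az role assignment list` command (the only Azure call in the block); the fake lister used in the demo stands in for it so the block runs offline. The scope, principal objectId and role are placeholders.

```python
"""Wait for a new role assignment to become visible before depending on it.

Added example for the Stack Exchange thread above (not code from the question or
answers). The assignment is created through ARM, but the caches that enforce it
catch up later, so a deployment step should poll rather than assume.
"""
import json
import subprocess
import time


def az_lister(assignee, scope):
    """Run `az role assignment list` for one principal at one scope and return its JSON."""
    out = subprocess.run(
        ["az", "role", "assignment", "list", "--assignee", assignee, "--scope", scope, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def assignment_visible(listing, role_name, scope):
    """True when the listing holds the role at exactly this scope (inherited rows don't count)."""
    return any(
        a.get("roleDefinitionName") == role_name and a.get("scope", "").lower() == scope.lower()
        for a in listing
    )


def wait_for_assignment(lister, assignee, role_name, scope,
                        timeout=600, initial_delay=5, max_delay=60, sleep=time.sleep):
    """Poll with exponential backoff until the assignment shows up or `timeout` seconds pass.

    Returns the number of list calls it took; raises TimeoutError otherwise. `sleep`
    is injectable so the demo and tests do not actually wait."""
    waited, delay, attempts = 0.0, initial_delay, 0
    while True:
        attempts += 1
        if assignment_visible(lister(assignee, scope), role_name, scope):
            return attempts
        if waited >= timeout:
            raise TimeoutError(f"{role_name} for {assignee} at {scope} not visible after {timeout}s")
        sleep(delay)
        waited += delay
        delay = min(delay * 2, max_delay)


def make_fake_lister(visible_after, role_name, scope):
    """Constructed stand-in for az_lister: empty for the first N calls, then the assignment."""
    calls = {"n": 0}

    def lister(assignee, _scope):
        calls["n"] += 1
        if calls["n"] <= visible_after:
            return []
        return [{"principalId": assignee, "roleDefinitionName": role_name, "scope": scope}]

    return lister


if __name__ == "__main__":
    # Placeholders: the cluster's node resource group and the control-plane identity's objectId.
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MC_rg-aks_aks-demo_westeurope"
    principal = "22222222-2222-2222-2222-222222222222"
    lister = make_fake_lister(visible_after=2, role_name="Network Contributor", scope=scope)
    attempts = wait_for_assignment(lister, principal, "Network Contributor", scope, sleep=lambda s: None)
    print(f"visible after {attempts} attempts")
```

In a pipeline, call `wait_for_assignment(az_lister, ...)` between the Bicep deployment and the ingress controller install. Visibility in the list proves the assignment exists in ARM, not that every token-validating cache has picked it up, so the step that actually uses the permission (here, the cloud provider creating the load balancer) still needs its own retry; this gate just removes the common case where it fails on the first try.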


Azure: Export Role Assignments

Export Role Assignments in Azure Subscriptions with Azure CLI/PowerShell

Abstract: In this article, you'll learn how to export role assignments in Azure subscriptions using Azure CLI or PowerShell, allowing you to check role types and manage access control effectively.

Export Role Assignments for Azure Subscriptions Using Azure CLI/PowerShell: A Comprehensive Guide

In this article, we will discuss the process of exporting role assignments for Azure subscriptions using Azure CLI and PowerShell. Role assignments are an essential part of Azure Access Control (IAM) that helps manage permissions for users, groups, and services within an Azure subscription.

Prerequisites

Before we begin, let's go through the prerequisites for this task:

  • You must have an active Azure account and subscription.
  • Access to Azure CLI or PowerShell.
  • Permissions to read role assignments within the subscription.

Using Azure CLI to Export Role Assignments

To export role assignments using Azure CLI, you must have the Azure CLI installed on your local machine or use Azure Cloud Shell. Follow these steps to export role assignments:

Step 1: Install the Azure CLI

If you haven't installed Azure CLI, you can do so by following the instructions in the official documentation: Install Azure CLI .

Step 2: Connect to Your Azure Subscription

Run az login. This command will prompt you to sign in to your Azure account. Once you've successfully signed in, you can proceed to step 3.

Step 3: Export Role Assignments

Replace <subscription-id> with the ID of your Azure subscription. This command will export role assignments for the specified subscription in JSON format, saving the output to the role-assignments.json file.

Using PowerShell to Export Role Assignments

To export role assignments using PowerShell, you must have Azure PowerShell installed on your local machine. Follow these steps to export role assignments:

Step 1: Install Azure PowerShell

If you haven't installed Azure PowerShell, you can do so by following the instructions in the official documentation: Install Azure PowerShell .

In this article, we learned how to export role assignments for Azure subscriptions using Azure CLI and PowerShell. We discussed the prerequisites and provided detailed steps for both tools. Exporting role assignments can be helpful when you need to review, audit or manage access control within your Azure subscription.
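The Pedholtlab script earlier on this page and the CLI/PowerShell guide just above both export role assignments for review, and the Pedholtlab post adds a CustomRole column. The Python below is an added example serving both write-ups; it is not either author's code. Per subscription it takes the JSON from `az role assignment list --subscription <id> --all -o json`, plus the JSON from `az role definition list --custom-role-only true -o json` (the assignment's roleDefinitionId does not by itself say whether a role is custom), and flattens everything into one CSV with a CustomRole flag and two audit flags: privileged roles at subscription or management group scope, and assignments whose principal no longer exists. The listings are constructed samples trimmed to the fields read here; the subscription and custom role GUIDs are placeholders, while the Owner and Reader GUIDs are the well-known built-in IDs.

```python
"""Export role assignments from several subscriptions into one CSV with audit flags.

Added example for the two export write-ups above; it is not either author's code.
Inputs are the JSON outputs of `az role assignment list --all` per subscription and
`az role definition list --custom-role-only true`.
"""
import csv
import io
import json
import re

SUB_A = "00000000-0000-0000-0000-00000000000a"            # placeholder
SUB_B = "00000000-0000-0000-0000-00000000000b"            # placeholder
CUSTOM_ROLE_GUID = "cccccccc-cccc-cccc-cccc-cccccccccccc"  # placeholder
OWNER_GUID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"        # built-in Owner
READER_GUID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"       # built-in Reader

PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Contributor"}
FIELDS = ["SubscriptionId", "PrincipalName", "PrincipalType", "RoleDefinitionName",
          "Scope", "CustomRole", "PrivilegedBroadScope", "OrphanedPrincipal"]

# Constructed `az role definition list --custom-role-only true` output (trimmed).
CUSTOM_ROLE_DEFINITIONS_JSON = json.dumps([
    {"roleName": "VM Operator", "roleType": "CustomRole",
     "id": f"/subscriptions/{SUB_A}/providers/Microsoft.Authorization/roleDefinitions/{CUSTOM_ROLE_GUID}"},
])

# Constructed `az role assignment list --all` output per subscription (trimmed).
ASSIGNMENTS_BY_SUBSCRIPTION = {
    SUB_A: json.dumps([
        {"principalName": "alice@example.com", "principalType": "User", "roleDefinitionName": "Owner",
         "roleDefinitionId": f"/subscriptions/{SUB_A}/providers/Microsoft.Authorization/roleDefinitions/{OWNER_GUID}",
         "scope": f"/subscriptions/{SUB_A}"},
        {"principalName": "sp-ci", "principalType": "ServicePrincipal", "roleDefinitionName": "VM Operator",
         "roleDefinitionId": f"/subscriptions/{SUB_A}/providers/Microsoft.Authorization/roleDefinitions/{CUSTOM_ROLE_GUID}",
         "scope": f"/subscriptions/{SUB_A}/resourceGroups/rg-app"},
    ]),
    SUB_B: json.dumps([
        # A deleted principal: the assignment lingers with no name and type Unknown.
        {"principalName": "", "principalType": "Unknown", "roleDefinitionName": "Reader",
         "roleDefinitionId": f"/subscriptions/{SUB_B}/providers/Microsoft.Authorization/roleDefinitions/{READER_GUID}",
         "scope": f"/subscriptions/{SUB_B}"},
    ]),
}


def custom_role_guids(definition_list_json):
    """GUIDs of custom roles; the GUID is the last segment of the definition's id."""
    return {d["id"].rsplit("/", 1)[-1].lower() for d in json.loads(definition_list_json)
            if d.get("roleType") == "CustomRole"}


def is_broad_scope(scope):
    """Root, management group or subscription scope: the assignment reaches every resource beneath."""
    s = scope.lower().rstrip("/")
    return (s == "" or re.fullmatch(r"/subscriptions/[^/]+", s) is not None
            or s.startswith("/providers/microsoft.management/managementgroups/"))


def flatten(assignments_by_subscription, custom_guids):
    """One row per assignment across all subscriptions, with the flags an access review wants."""
    rows = []
    for sub_id, listing in assignments_by_subscription.items():
        for a in json.loads(listing):
            guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
            rows.append({
                "SubscriptionId": sub_id,
                "PrincipalName": a.get("principalName", ""),
                "PrincipalType": a.get("principalType", ""),
                "RoleDefinitionName": a["roleDefinitionName"],
                "Scope": a["scope"],
                "CustomRole": guid in custom_guids,
                "PrivilegedBroadScope": a["roleDefinitionName"] in PRIVILEGED_ROLES and is_broad_scope(a["scope"]),
                "OrphanedPrincipal": a.get("principalType") == "Unknown" or not a.get("principalName"),
            })
    return rows


def to_csv(rows):
    """Serialize rows to CSV text; write it out with open(path, "w", newline="")."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = flatten(ASSIGNMENTS_BY_SUBSCRIPTION, custom_role_guids(CUSTOM_ROLE_DEFINITIONS_JSON))
    print(to_csv(rows))
```

To run it against a tenant, loop over `az account list -o json`, collect the two listings per subscription into the dictionary, and filter the CSV on the three flag columns: custom roles deserve a definition review, privileged roles at broad scope deserve a justification, and orphaned assignments should simply be deleted.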

  • Azure CLI - Role Assignment
  • PowerShell - Get-AzRoleAssignment
  • PowerShell - ConvertTo-Json



AVD Automation Cocktail - Azure Virtual Desktop automated with Bicep and Azure CLI

  • Sander Rozemuller
  • Date: June 17, 2021
  • Categories: AVD cocktail, Azure Virtual Desktop
  • Tags: Automation, Azure Virtual Desktop, Azure CLI, Bicep, Cocktail, Key Vault

Welcome to the updated AVD Automation Cocktail. This cocktail is updated with all the new Bicep and AVD features since September 2023. In this cocktail series I show different AVD deployment strategies and languages. In this cocktail, the Fresh Minty Breeze, I will show you how to deploy an AVD environment automated with Bicep and Azure CLI.

What is changed

In this updated version, I optimized the automation and templates. I consolidated the Azure resource deployment templates into a main.bicep with modules and created one big parameter file. One parameter file means there are no duplicate parameter settings anymore.

A result of this optimization is also the deployment of the Azure Compute Gallery. In the previous version, the gallery was deployed first, then I created an image. From there I went back to create an image source and deploy an image version in a separate Bicep file.

In this deployment, I first create a generalized image source. From there, the whole environment is deployed at once. This means no more going back and forth with separate gallery deployment templates and parameters.

Finally, it saves lots of extra deployment steps, since there is just one Bicep file and one parameter file.

In this "MintyBreeze" deployment recipe I will deploy an AVD environment automated with Bicep and Azure CLI. Bicep is a fresh new language for deploying Azure resources that reduces the syntax complexity of ARM templates. Because it is very new I like to show in this article how to deploy an AVD environment with Bicep, and to give Azure CLI a stage as well I thought this could be a really nice combination.

Before to drink

To start deploying AVD automated with Bicep and Azure CLI you will need to install the Bicep CLI and Azure CLI first. To download the Bicep installer go to the following URL, choose your operating system and follow the instructions. https://github.com/Azure/bicep/blob/main/docs/installing.md#install-the-bicep-cli-details

After installing Bicep, install the Azure CLI by following this URL: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

For more information about Bicep or Azure CLI please check the following URLs:

  • https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview
  • https://docs.microsoft.com/en-us/cli/azure/

List of CLI ingredients

  • https://docs.microsoft.com/en-us/cli/azure/vm/run-command?view=azure-cli-latest#az_vm_run_command_invoke (VM Run command)
  • https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az_vm_capture (VM Capture)
  • https://docs.microsoft.com/en-us/azure/virtual-machines/image-version-vm-cli (Image Version)
  • https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az_vm_generalize (VM Generalize)
  • https://docs.microsoft.com/en-us/cli/azure/desktopvirtualization/hostpool?view=azure-cli-latest#az_desktopvirtualization_hostpool_update (AVD Hostpool token)
  • https://docs.microsoft.com/en-us/cli/azure/ad/signed-in-user?view=azure-cli-latest (AD Signed in User)
  • https://docs.microsoft.com/en-us/cli/azure/deployment/group?view=azure-cli-latest#az_deployment_group_create (Deployment)

In the beginning this cocktail has a fresh taste with a lot of Bicep and a pinch of Azure CLI. At the end you will have an AVD environment in Azure deployed with all the needed resources: a host pool, a workspace and an application group. There are also some session hosts, built from an image in a shared image gallery.

AVD automated with Bicep and Azure CLI

In this chapter I will explain how to deploy an AVD environment automated with Bicep and Azure CLI. I recommend cloning my AVD GitHub repository to get all the needed files, also for the other cocktails. I like to work with Bicep modules as much as I can. This avoids repeating yourself in lines of code and helps keep your code nice and clean. You will notice that when looking at the file structure I've set up in the repository.

For each purpose, in this case creating a basic AVD environment with a default Windows 11 Multisession 22h2 image from the Microsoft Marketplace, I create a main.bicep file that uses modules. All the parameters are stored in the parameters.json file.

The full deployment is the most basic environment and consists of the following components:

  • Resource Group
  • Virtual Network (VNET)
  • Azure Virtual Desktop Host Pool
  • Azure Virtual Desktop Application Group
  • Azure Virtual Desktop Workspace
  • Log Analytics Workspace

Bicep scopes

In Bicep you have four levels to deploy to, also called scopes: management group, subscription, resource group or tenant. The deployment in this cocktail uses the subscription and resource group scopes.

Prerequisites

Using an image from a Compute Gallery is a best practice in AVD. Before deploying AVD and its components, we first need to create an image source. The source is used later in the deployment.

Initial Image Version

The next step in this MintyBreeze deployment is creating an initial image version in the Compute Gallery. In short, I do the following: I create a Windows 11 VM based on an image from the Microsoft Marketplace, then I run a Sysprep command. Finally, I generalize the VM to make it possible to create an image version from it.

In the first step I create a temporary resource group. After that I create a virtual machine with Bicep.

Before it can serve as an image source, the VM must be Sysprepped and generalized. There are several options for running a script on a VM, such as a Custom Script Extension or Invoke-AzRunCommand in PowerShell. In this case I'm using the Azure CLI.

Using the az vm run-command CLI command gives me the option to skip creating a separate script first. The --scripts part of the command lets you create a PowerShell script on the fly, and the --parameters part passes parameters to it. When the command runs, the VM creates a PowerShell file on the local machine and stores the provided --scripts content in that file.

When the command has run successfully, the machine is in a stopped state.

Generalize VM

The next step before creating an image version is to generalize and capture the virtual machine. To achieve that, we use the CLI again.

Check my GitHub repository at this location for the VM deployment file.
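The image-preparation steps above (temporary resource group, Sysprep through az vm run-command invoke with an inline script, then generalize) as an added shell example; it is not code from the blog or its repository. The resource group, VM and location names are assumptions, and with DRY_RUN=1 (the default) the script prints the az commands instead of executing them, so it can be reviewed before it touches a subscription:

```shell
#!/usr/bin/env bash
# Added example, not from the blog or its repository: prepare a marketplace VM
# as an image source with the Azure CLI. Names below are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"                                # 1 = print commands only
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-avd-image-temp}"  # assumed temporary RG
VM_NAME="${VM_NAME:-vm-avd-image}"                     # assumed VM name
LOCATION="${LOCATION:-westeurope}"                     # assumed region

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The PowerShell passed to --scripts; run-command writes it to a file on the VM
# and executes it there. /shutdown leaves the VM in a stopped state afterwards.
sysprep_script() {
  printf '%s' 'Start-Process -FilePath C:\Windows\System32\Sysprep\sysprep.exe -ArgumentList "/generalize /oobe /shutdown /mode:vm" -Wait'
}

# Step 1: temporary resource group that is deleted once the image version exists.
create_temp_group() {
  run az group create --name "$RESOURCE_GROUP" --location "$LOCATION"
}

# Step 2 (the VM itself is deployed with the blog's Bicep file, not shown here).

# Step 3: run Sysprep inside the VM without uploading a separate script file.
run_sysprep() {
  run az vm run-command invoke --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" \
    --command-id RunPowerShellScript --scripts "$(sysprep_script)"
}

# Step 4: once stopped, deallocate and mark the VM as generalized so an image
# version can be created from it.
generalize_vm() {
  run az vm deallocate --resource-group "$RESOURCE_GROUP" --name "$VM_NAME"
  run az vm generalize --resource-group "$RESOURCE_GROUP" --name "$VM_NAME"
}

# Step 5: remove the temporary group (and the source VM) after the image version
# has been captured, so no generalized VM with its disk is left behind.
cleanup_temp_group() {
  run az group delete --name "$RESOURCE_GROUP" --yes --no-wait
}
```

Run with DRY_RUN=0 only after reviewing the printed commands; the cleanup step is deliberately last, because the generalized VM is the source the Compute Gallery image version is built from.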

AVD Components

As mentioned, I created a main.bicep file in which all the resources are deployed, including the resource group itself.

To deploy resources to a subscription, we need a resource group first. Deploying a resource group happens at subscription level. In the main.bicep file I set the default scope to subscription level by adding targetScope = 'subscription' at the top of the file.

Thereafter, deploy the resource group by providing a name and location.

The base of every environment is networking. In this step the idea is to deploy a new virtual network (VNET) with one subnet. Because my goal is to deploy as much as I can from parameter files, I've created an array in a parameter file. That array is transformed into a Bicep array, which is used to deploy the VNET.

The parameter snippet looks like the following:

If you want to deploy more subnets, just add a subnet object to the subnets array.

A dynamic array is created and inserted into the deployment. A dynamic array has its pros because it makes your parameter file scalable: it doesn't matter how many subnets are in the parameter file. If you need one extra, just add it to the file.

In the Bicep file main.bicep and the module file deploy-vnet-with-subnet.bicep I create a parameter of type object. Based on the object input, every subnet is formatted to a Bicep value and stored in the subnets variable. The variable is provided as input to the subnets property in the resource deployment.

Note the format of the array. It must be the same format the deployment code expects. On the parameter side (1) there is a vnetSubnets JSON array with a subnets object; in the object the subnets are defined. In the Bicep code (2) there is a loop that goes through the vnetSubnets.subnets object, with each subnet called item. After that the subnets variable in Bicep is filled with every subnet. Finally, the subnets variable is provided in the resource deployment code (3).

Azure Compute Gallery

In this step, we are going to create an Azure Compute Gallery including an image definition and an image version based on the generalized VM we created above. I created a template Bicep file for creating the Compute Gallery and the other components. As you can see in the screenshot, it deploys three resources in sequence.

In step 1 the Compute Gallery is deployed; step 2 deploys the image definition. By providing the parent resource you don't have to provide the gallery name again. Finally (3), the image version is created and deployed in the image definition. The version name must be in x.x.x format. In the example below, I created a name based on the UTC date, generated with the utcNow Bicep function in main.bicep.

As in every environment, we also want to monitor this one. To monitor this environment we are going to use Log Analytics.

I used a template that deploys a Log Analytics workspace. This enables the provided logs for the AVD environment. In the Log Analytics Bicep deployment I write the workspace ID to the output to use later in the AVD Bicep deployment. After creating the workspace, the diagnostic settings are deployed in later steps.

Azure Virtual Desktop

Now that every needed component is in place, it is time to deploy the Azure Virtual Desktop environment with Bicep. In this deployment we deploy a host pool, then an application group, and finally a workspace. I have chosen to create a separate Bicep file for the session hosts, so there are two Bicep templates: the AVD backend part with the host pool, application group and workspace, and a second template for the AVD session hosts.

The template part below deploys the AVD backend. As you can see in the screenshot above, I reuse the resource deployment outputs in the next deployment. At the end I output the host pool token to create session hosts in the last step.

The output is slightly different because of a bug in the API and Bicep. See this GitHub issue.

Create session host

The next step is creating session hosts, which consists of several deployment steps: first we create a network card, then the VM itself, and then we deploy the AVD extensions. New in this deployment are the disk and NIC deletion options: when the VM is removed, these components are deleted automatically as well.

Azure Key vault

The last step is to create an Azure Key Vault with Bicep and store the session host's local administrator password in it. The session host deployment output is used to send the password to the Key Vault.

The secret is added with the correct access policy. During deployment the Key Vault access is set to RBAC permissions, and I provide my user ID to assign the Azure Key Vault Secrets User role. The Azure Key Vault Secrets User built-in role ID is 4633458b-17de-408a-b874-0445c86b69e6 (see Azure built-in roles).

After deployment, in steps 3 & 4, I deploy an RBAC role assignment to the Azure Key Vault resource using Bicep. The role resource is based on the built-in ID. In the rbacAccess block, take note of the scope: I use the vault resource above as the scope of the role assignment.
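The same least-privilege assignment done from the CLI instead of Bicep, as an added example that is not the blog's code: it scopes the Key Vault Secrets User role (the built-in ID quoted above) to one vault and refuses any broader scope, then lists what was actually assigned. The principal ID, subscription ID and vault resource ID are placeholders; with DRY_RUN=1 (the default) the commands are printed rather than executed:

```shell
#!/usr/bin/env bash
# Added example, not from the blog: assign Key Vault Secrets User to one vault
# only, and verify the assignment. Subscription/vault/principal IDs are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Built-in role definition ID for "Key Vault Secrets User" (from the blog text).
KEY_VAULT_SECRETS_USER='4633458b-17de-408a-b874-0445c86b69e6'

# Full role definition resource ID, the same value Bicep's
# subscriptionResourceId('Microsoft.Authorization/roleDefinitions', id) produces.
role_definition_id() {
  printf '/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s' "$1" "$2"
}

# A secrets-reading role belongs on a single vault (or narrower), never on the
# resource group or subscription: check the scope before assigning.
is_vault_scope() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Assign the role to a user object ID at the vault scope (the rbacAccess block
# in the blog's Bicep does the same with scope: vault).
assign_secrets_user() {
  principal_id="$1"; vault_id="$2"
  if ! is_vault_scope "$vault_id"; then
    echo "refusing: scope is not a single Key Vault: $vault_id" >&2
    return 1
  fi
  run az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type User --role "$KEY_VAULT_SECRETS_USER" --scope "$vault_id"
}

# Verify what the principal holds on that vault after deployment.
list_vault_assignments() {
  run az role assignment list --scope "$1" --assignee "$2" --output table
}
```

Passing the object ID and principal type explicitly avoids the directory lookup that a plain --assignee triggers, which is also the lookup that fails for a principal that has not replicated yet.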

Before deploying anything we need to log in first. To log in with the Azure CLI, use the az login command. After running the command a browser opens and asks you to log in. There are more ways to log in, such as using a service principal.

For more information about logging in with the Azure CLI, please check this Microsoft document.

Also make sure you have the correct subscription selected to deploy to. Check the current context with the az account show command and set the correct subscription with az account set --subscription <subId>. Once the correct context is selected, use the command below to deploy Azure Virtual Desktop and all the other components, such as the VNET, Compute Gallery and AVD session hosts, using Bicep and the Azure CLI.

The command deploys at subscription level (see Azure CLI scopes). I provide the parameter file and, in addition, the image source to create an image version in the Azure Compute Gallery.
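The login, context check and subscription-scope deployment just described, as an added shell example that is not code from the blog or its repository. It verifies the active subscription before anything is deployed and offers a what-if preview. The template and parameter file names, the imageSourceId parameter name, the region and all IDs are assumptions or placeholders; with DRY_RUN=1 (the default) the az commands are printed, and the subscription check works on a constructed sample of az account show output:

```shell
#!/usr/bin/env bash
# Added example, not from the blog or its repository: log in, make sure the
# right subscription is active, then run the subscription-scope deployment.
# File names, parameter name and IDs are assumptions/placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

LOCATION="${LOCATION:-westeurope}"                                                  # assumed
TARGET_SUBSCRIPTION="${TARGET_SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"  # placeholder
# Resource ID of the generalized VM from the image-preparation step (placeholder).
IMAGE_SOURCE_ID="${IMAGE_SOURCE_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd-image-temp/providers/Microsoft.Compute/virtualMachines/vm-avd-image}"

# Constructed sample of `az account show --output json`, used in dry-run mode.
SAMPLE_ACCOUNT='{ "id": "00000000-0000-0000-0000-000000000000", "name": "Sandbox", "tenantId": "11111111-1111-1111-1111-111111111111" }'

# Interactive login; a service principal login would replace this step in CI.
login() {
  run az login
}

# Extract the active subscription ID from `az account show`.
current_subscription_id() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$SAMPLE_ACCOUNT"; else az account show --output json; fi |
    sed -n 's/.*"id": *"\([^"]*\)".*/\1/p'
}

# Switch context only when the active subscription is not the intended one,
# so a deployment never lands in whatever subscription happened to be selected.
ensure_context() {
  actual="$(current_subscription_id)"
  if [ "$actual" != "$TARGET_SUBSCRIPTION" ]; then
    run az account set --subscription "$TARGET_SUBSCRIPTION"
  fi
}

# Preview first: what-if reports create/modify/delete before anything runs.
what_if() {
  run az deployment sub what-if --location "$LOCATION" \
    --template-file main.bicep --parameters parameters.json \
    --parameters "imageSourceId=$IMAGE_SOURCE_ID"
}

# Subscription-scope deployment: main.bicep has targetScope = 'subscription',
# parameters come from the file, and the image source is passed on top of it.
deploy_avd() {
  run az deployment sub create --name avd-minty-breeze --location "$LOCATION" \
    --template-file main.bicep --parameters parameters.json \
    --parameters "imageSourceId=$IMAGE_SOURCE_ID"
}
```

The typical order is login, ensure_context, what_if, then deploy_avd; pinning TARGET_SUBSCRIPTION in the script rather than trusting the current context is what prevents a deployment into the wrong subscription.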

I'm very excited about the way Bicep works. Bicep is well documented (check the GitHub page). But after all, Bicep in its basics is very useful and can help a lot of people with less coding experience.

I have chosen to keep it as simple as possible, in my opinion. I'm also very surprised about Azure CLI. It feels very fast in relation to PowerShell, at least for deployment (or other 'push' tasks). As you read above, I'm also querying some info, which isn't very fast. A big advantage in relation to PowerShell is that you don't need modules. Another point is that you don't have to remember a lot of different commands like get-avd, set-avd, update-avd. It all starts with the same context and then what you want to do: show, remove, update, for example.

Please keep in mind that the deployment above is an initial deployment for Azure Virtual Desktop.

I hope you liked the Fresh Minty Breeze 🍃💨 and are a bit inspired. Now you know that deploying AVD automated with Bicep and Azure CLI is one of the options. If you would like another cocktail, feel free to stay and check the AVD Automation Cocktail menu.

Thank you for reading my blog AVD Automation Cocktail - Azure Virtual Desktop automated with Bicep and Azure CLI. I hope you got a bit inspired. Enjoy your day and happy automating 👋


  • Azure and Windows PowerShell: Getting Information

Nicolas Prigent


The series so far:

  • Azure and Windows PowerShell: The Basics
  • Azure and Windows PowerShell: Using VM Extensions

PowerShell provides a great way of automating many things, saving an Azure administrator time and effort. For automating Azure tasks, Microsoft provides the Microsoft Azure PowerShell module, which can be used to write scripts. As described in the first part of this series, this module is great and provides functionality that will be described throughout this series. But one of the main things to do when you write your Azure scripts is to sign in to your Azure subscription first. You need to install the AzureAD PowerShell module and then use the Login-AzureRMAccount cmdlet. This cmdlet performs the login process, but the login has to be done manually by entering the login and password of the Azure account in the popup window. Obviously, there can be no manual intervention during an automated process! Therefore, before going deeper into this article, I will explain how to get around this problem by using an Azure service principal to automate the login.

What is a Service Principal?

A service principal is an identity your application can use to log in and access Azure resources. Azure administrators need to perform a one-time activity to set up a service principal, which is similar to a service account. The following steps need to be done to automate the process:

  • Create an AD application: this application will be used to log on to Azure.
  • Create a service principal: this account will be mapped to the application created above.
  • Assign a role to the application: configure the access level for the account, which can be Reader, Contributor, …

A service principal requires you to configure your Azure Active Directory domain. Navigate to Azure Active Directory, click Custom Domain Names and you will see your Azure tenant domain:


You will get the TenantID from the results of the Login-AzureRMAccount command. Use the Connect-AzureAD cmdlet to connect to your Azure AD tenant, which also asks you for your credentials:

The output is below:


Copy the tenant domain and paste it into the following commands. First, create the Azure AD application with the New-AzureRmAdApplication cmdlet, then use the New-AzureRmAdServicePrincipal cmdlet to create the service principal and, finally, to access resources in your subscription, assign the application to a role. In this example, assign the Contributor role with the New-AzureRmRoleAssignment cmdlet. To learn more about the available roles, read this guide.


If you run all these commands at one time without the sleep command, you will get the following error:

New-AzureRmRoleAssignment : Principal xxxxxxxxxxxxxxxxxxxxxxxx does not exist in the directory.

After creating the Azure service principal, you must wait around 10 or 15 seconds before running the New-AzureRMRoleAssignment cmdlet, so the new principal can replicate to your Azure subscription.

Confirm the login process by running the following commands in a new PowerShell console, copying in the ID and tenant ID from the previous results.

For those of you who want to use Azure CLI, it is possible to automate the same process using an Azure Service Principal. Run the az login command to log in to your Azure account. You will be prompted to authenticate with a code. This command is similar to the Login-AzureRmAccount cmdlet:


Then use the az account set command to select the desired subscription using the name parameter:

Finally, run the az ad sp command to create the service principal. Be sure to replace the service principal name and use a strong password.


After running the az login command, copy the tenant ID and app ID for the next command.

Now it’s time to test the new service principal. Run the az login command in a new window and provide the following parameters to log in with a service principal:

  • --username : the service principal name, using the AppID or the name, but don't forget to include 'http://'
  • --password : the service principal password
  • --tenant : the tenant associated with the service principal

The output is shown below:

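The CLI procedure above (and the replication error the PowerShell section ran into) as an added shell example; it is not code from the article. It creates the principal with a role limited to one resource group rather than Contributor on the subscription, retries the role assignment until the directory has replicated the new principal, reads the secret from the environment for the non-interactive login, and shows how to rotate the secret later. The principal name, scope and IDs are placeholders; with DRY_RUN=1 (the default) the az commands are printed, and the password is masked in that output:

```shell
#!/usr/bin/env bash
# Added example, not from the article: create a service principal with the CLI,
# limit its role to one resource group, retry the role assignment until the new
# principal has replicated, and log in with it. Names/IDs are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

SP_NAME="${SP_NAME:-sp-automation-reader}"   # assumed display name
# Placeholder scope: a single resource group, not the whole subscription.
SCOPE="${SCOPE:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-automation}"

# Create the principal and its first role assignment in one step. The secret is
# in the JSON output; capture it into a secret store, never into a script or log.
create_sp() {
  run az ad sp create-for-rbac --name "$SP_NAME" --role Reader --scopes "$SCOPE" --output json
}

# Right after creation the article's error ("Principal ... does not exist in the
# directory") can appear because the directory has not replicated yet; retry a few
# times with a pause instead of relying on a single fixed sleep.
assign_role_with_retry() {
  app_id="$1"; role="$2"; scope="$3"; attempts="${4:-5}"
  n=1
  while [ "$n" -le "$attempts" ]; do
    if run az role assignment create --assignee "$app_id" --role "$role" --scope "$scope"; then
      return 0
    fi
    echo "attempt $n failed, waiting for directory replication" >&2
    sleep 15
    n=$((n + 1))
  done
  return 1
}

# Non-interactive login. The secret is read from the environment (SP_PASSWORD)
# so it does not appear in the script; in dry-run mode it is masked in the output.
sp_login() {
  app_id="$1"; tenant_id="$2"
  [ -n "${SP_PASSWORD:-}" ] || { echo "SP_PASSWORD is not set" >&2; return 1; }
  if [ "$DRY_RUN" = 1 ]; then
    printf 'az login --service-principal --username %s --password *** --tenant %s\n' "$app_id" "$tenant_id"
  else
    az login --service-principal --username "$app_id" --password "$SP_PASSWORD" --tenant "$tenant_id"
  fi
}

# Rotate the secret later without recreating the principal or its role assignments.
rotate_secret() {
  run az ad sp credential reset --id "$1" --output json
}
```

The retry loop replaces the article's fixed sleep: it gives up after a bounded number of attempts instead of assuming 15 seconds is always enough.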

Azure Portal

As you may imagine, creating a service principal can also be done with the Azure Portal. Log in to your Azure Account through the Azure portal. Then, select Azure Active Directory , App registrations and New application registration .


Provide a name and URL for the application. Select Web app / API for the type of application you want to create. Replace the URL with your tenant domain.


Note: you cannot create credentials for a Native application; therefore, that type does not work for an automated application.

To retrieve the App ID, go to the App registrations tab and select the newly created application. Do not forget to switch from My Apps to All Apps to list all the Applications:


Copy the Application ID and save it on your machine because you will need to use it when connecting in your scripts.


The App ID is the login, so now create a key for this application that will be used as a password. Click Settings, then Keys to create the key:


Add a description and a duration. The duration limits how long the key is valid. Click Save to generate the key and then copy the key value, because you won't be able to retrieve it after you leave this blade.


At this step, the application is created, and the ID and the key are generated. The last step is to add a role to the application. Go to the Subscriptions blade, select your subscription, navigate to Access control and click Add:


Here is a very nice bug! By default, Azure Active Directory applications are not displayed, which means that you must manually type the name to find the application, then click Save:


Validate and test your service principal using the Azure CLI or PowerShell. In this example, run az login followed by the username, which is the AppID, the password, which is the generated key, and your tenant ID. Then confirm you are authenticated:


Retrieving information

Before going deeper into this series, in this part I will discuss all the necessary commands to retrieve information about your Azure account, including:

Subscription

Azure Subscription

After logging in to your Azure subscription, the Login-AzureRmAccount cmdlet returns the same output as the Get-AzureRmContext cmdlet. Run this cmdlet to display information about the subscription. It is helpful when you need to retrieve the tenant ID:

The same information can be retrieved using the Azure CLI, but in JSON. Run the following command:

Depending on your needs, you may work with multiple Azure subscriptions. When you log in, a default subscription is set, so some commands may fail if you don't set the correct subscription. To switch between them, use the following PowerShell commands:

Retrieve the Azure subscriptions with Azure CLI:

And switch to a new subscription:

Note: You can use either the subscription ID or the subscription name to select the subscription.

Azure Resources

Getting all Azure Resource Manager resource groups with PowerShell is very simple. Just use the Get-AzureRMResourceGroup cmdlet:

Depending on the number of resource groups your Azure subscription contains, you may want to filter the output:


Note: depending on which service principal you use to connect to your Azure subscription, some results could be incomplete due to the assigned role (e.g. Contributor, Reader).

For better visibility, I recommend the Out-GridView cmdlet:


Working with Tags in Azure is helpful when you need to manage a large number of items. To list all the resource groups with their tags, run the Get-AzureRmResourceGroup cmdlet.

You can easily get the 'key=value' pairs for a specific resource group with the following command:


You can add tags on a Virtual Machine, a Resource Group, a Virtual Network, etc., using PowerShell and the Azure Portal:


To add tags to a resource group without existing tags, use the Set-AzureRMResourceGroup cmdlet with the tag parameter:


To add tags to a resource group that has existing tags, retrieve the existing tags, add the new tag, and reapply the tags:


To finish with resource groups, you can of course list resource groups using the Azure CLI:

Filtering by tag is very simple as well:


Azure Costs

Monitoring and visualizing cloud usage and costs can be done using PowerShell. In my opinion, the Azure Portal is a nice way to get information about Azure costs, but sometimes you may need to retrieve this information from the command line, to generate reports for instance. You can use the Get-UsageAggregates cmdlet to get billing information. Several parameters can be used to filter the results:

  • ReportedStartTime
  • ReportedEndTime
  • AggregationGranularity
  • ShowDetails

Below is the syntax:

In this example, I get the usage details of the current subscription between 2018-01-17 and 2018-01-19:


Listing the details of Azure resource consumption can be performed with the following Azure CLI command:

This command can be filtered because, depending on your subscription, it can take a long time to run. You can add the --top parameter to limit the number of items returned:

Listing the resource consumption by date can be done with the start-date and end-date parameters:

The command line is interesting for automating some tasks, but Azure logs are very well implemented in the Azure Portal. So of course PowerShell and the Azure CLI can be used to get the log activities, but the Azure Portal allows creating great dashboards and performing rich data exploration with interactive queries. Using Azure logs, you can determine the "what, who, and when" for any operation taken on the resources in your subscription. Azure logs are different from Windows logs or Linux logs. It means that if you deploy a virtual machine in your subscription, Azure logs contain information about the deployment of this VM. Information about the operating system itself will not be displayed.

Nevertheless, PowerShell provides the Get-AzureRmLog cmdlet to show logs. By default, this cmdlet queries all the resource groups:

Filtering by resource group, by action and from a given time is possible. Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. For instance, to find all logs from the last day for a specific resource group, the following command retrieves this information:

Note: If you do not specify a start and end time, entries for the last hour are returned.

You can also look up the actions taken by a particular user using the -Caller parameter:

You can filter for failed operations using the -Status parameter:

Now, if you need more information about Azure deployments, for example to get the status of a virtual machine deployment, use the Get-AzureRmResourceGroupDeployment cmdlet:

This cmdlet is very helpful for Azure administrators, because troubleshooting can be done very quickly by filtering the output. For instance, filtering by failed deployment status can be performed with the following command:


Here is one of my favorite commands to quickly and easily check the deployment status in the current Azure subscription:


The az monitor activity-log list command returns Azure logs with the Azure CLI:
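The activity-log queries from the PowerShell section (by resource group, by caller, failed operations only) expressed with az monitor activity-log list, as an added shell example that is not code from the article, plus one query an auditor wants: who wrote role assignments in the last week. The resource group and caller names are placeholders; with DRY_RUN=1 (the default) the az commands are printed, and the filter functions at the end run over a constructed sample of flattened log events so they work without a subscription:

```shell
#!/usr/bin/env bash
# Added example, not from the article: query the activity log with the Azure CLI
# (failed operations, one caller, role-assignment writes) and filter a constructed
# sample of the output offline. Resource group and caller names are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Failed operations in one resource group during the last day.
failed_ops_last_day() {
  run az monitor activity-log list --resource-group "$1" --offset 1d --status Failed --output json
}

# Everything one identity did in the last day (the -Caller filter in PowerShell).
ops_by_caller() {
  run az monitor activity-log list --caller "$1" --offset 1d --output table
}

# Who granted or changed role assignments during the last week: the event to
# review when auditing service principal permissions in a subscription.
role_assignment_writes() {
  run az monitor activity-log list --offset 7d \
    --query "[?operationName.value=='Microsoft.Authorization/roleAssignments/write'].{who:caller,when:eventTimestamp,scope:resourceId}" \
    --output table
}

# Constructed sample events, flattened to one JSON object per line, so the
# filters below can be exercised without a subscription.
SAMPLE_EVENTS='{"caller":"alice@example.com","operationName":"Microsoft.Compute/virtualMachines/write","status":"Succeeded"}
{"caller":"sp-automation","operationName":"Microsoft.Authorization/roleAssignments/write","status":"Succeeded"}
{"caller":"alice@example.com","operationName":"Microsoft.Resources/deployments/write","status":"Failed"}
{"caller":"bob@example.com","operationName":"Microsoft.Authorization/roleAssignments/write","status":"Failed"}'

# Number of sample events with the given status value.
count_by_status() {
  printf '%s\n' "$SAMPLE_EVENTS" | grep -cF "\"status\":\"$1\""
}

# Callers of the given operation, one per line.
callers_for_operation() {
  printf '%s\n' "$SAMPLE_EVENTS" | grep -F "\"operationName\":\"$1\"" |
    sed 's/.*"caller":"\([^"]*\)".*/\1/'
}
```

In a real subscription the JMESPath in role_assignment_writes does the filtering server-side; the grep/sed helpers only stand in for that on the embedded sample.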

This second article in this series described important steps to automate Azure tasks and retrieve the required information from your Azure account:

  • Creating a service principal
  • Automating the login process using PowerShell, Azure CLI and the Azure Portal
  • Retrieving Azure resources information
  • Viewing Azure costs
  • Getting the Azure logs

At this step, you know how to automate the login process using PowerShell and the Azure CLI. It means that you can create your own scripts to interact with your Azure resources. In the next articles, I will describe how to create and manage your Azure resources in practice, such as:

  • Creating a virtual network
  • Creating and attaching a disk to a VM
  • Backing up virtual machines
  • Deploying network devices (Load Balancer, …)

I will not explain how to create Virtual Machines in detail, because Robert Cain published a great series about Azure VMs: Create Azure VMs


About the author


Nicolas Prigent

Nicolas Prigent works as a System Engineer, based in Switzerland, with a primary focus on Microsoft technologies. Nicolas is a Microsoft MVP in Cloud and Datacenter Management with 7 years of experience in administering Windows Servers, Hyper-V and System Center products. He also received the "PowerShell Heroes 2016" Award. His blog can be found at www.get-cmd.com. You can follow him on Twitter @PrigentNico or contact him at [email protected].


Azure Administrator Roles and Responsibilities in 2023


December 6, 2023 by Utkarsh Agarwal Agarwal 4 Comments


In this post, I am going to cover all the roles and responsibilities of a Microsoft Azure Administrator. You might have various questions about the knowledge an Azure administrator should possess and how it will help you while pursuing this career. So, without further delay, let's find out the answers.

What is Azure

The Azure cloud platform includes more than 200 products and services designed to help you bring new solutions to life, solve today's problems and build for tomorrow. Build, run, and manage applications across multiple clouds, on-premises, and at the edge using the tools and frameworks of your choice.

What is Microsoft Azure used for?

Because Microsoft Azure offers a wide variety of products and services, the use cases are very diverse.

1. Running a virtual machine or container in the cloud is one of the most popular uses of Microsoft Azure.
2. These computing services can host components such as a Domain Name System (DNS) server.
3. Windows Server services such as Internet Information Services (IIS).
4. Network services such as firewalls, or third-party apps.
5. Microsoft also supports the use of third-party systems such as Linux.
6. Azure can also be used as a platform to host databases in the cloud.

Some Azure products and services

  • Mobile : These products help developers build cloud applications for mobile devices, provide notification services and backend support, offer tools for building application programming interfaces (APIs), and can attach data to geospatial points.
  • Web : These services support the development and deployment of web applications. They also provide search, content delivery, API management and reporting capabilities.
  • Storage : Such services provide a scalable environment for structured and unstructured data. They also support large files, persistent storage and archive storage.
  • Analytics : In addition to analytics and storage, these services provide capabilities for real-time analytics, big data analytics, data lakes, machine learning, business intelligence, Internet of Things (IoT) data flow and data storage.
  • Networking : This group includes virtual networks, private networks, and gateways, as well as services for traffic management and diagnostics, load balancing, DNS hosting, and network protection against distributed denial of service (DDoS) attacks.
  • IoT : These services help users capture, monitor and analyze IoT data from sensors and other devices. Services include reporting, analysis, maintenance, coding and support.
  • DevOps : This group provides operational and collaboration tools such as Azure DevOps (formerly Visual Studio Team Services) that support the DevOps software development process. It also provides functionality for application diagnostics, DevOps integration tools, and a lab for developing tests and experiments.

Azure for DR and backup

Some corporations use Azure for data backup and disaster recovery. Organizations can also use Azure as an alternative to their own datacenter. The public cloud has proven to be good for high-volume, short-term tasks like data analytics. Organizations can use cloud storage to hold massive amounts of data without purchasing or operating hardware in their own data centers, run the analytics tasks, and then dispose of the data when it becomes obsolete or unusable. This type of usage has been a mainstay of the public cloud from the very beginning.

More and more organizations are choosing to run some or all of their business applications on Azure rather than investing in on-premises servers and storage. To ensure availability, Microsoft has Azure data centers around the world. As of January 2020, Microsoft Azure services are available in 55 regions in 140 countries. Unfortunately, not all services are available in all regions. Therefore, Azure customers need to make sure that the runtime environment and data storage follow compliance requirements or other regulations.

Who is an Azure Administrator ?

Microsoft Azure is a cloud computing platform that enables customers to control a range of cloud resources and services, including data transformation, data storage, and many more.

The person who deploys, administers, and keeps an eye on Azure solutions as well as the storage, identity, governance, virtual networks, and computing in a cloud environment is known as an Azure Administrator.

Now, in order to start working in the field, you must first pass the AZ-104 exam. Candidates for this certification should have six months of hands-on experience managing Azure, as well as a solid understanding of the platform’s key services, workloads, governance, and security. Additionally, the person filling this position should be familiar with PowerShell, the Azure interface, the Azure CLI, and Azure Resource Manager templates.


Azure Administrator Certification

Those who administer Cloud services that span compute, networking, storage, security, and other Cloud capabilities inside Microsoft Azure should take the AZ-104 Microsoft Azure Administrator certification exam. Additionally, I covered everything you need to know about the [AZ-104] Microsoft Azure Administrator test in my earlier blog.

Why Is Azure Certification Beneficial?

  • Azure Administrators are becoming increasingly necessary as a result of the rise in demand for Azure. Therefore, a CV that has this shining certification will have a significant benefit.
  • A certification results in a massive increase in both work opportunities and income.
  • Nearly 70% of respondents say that getting certified has increased their income, and 84% say that getting certified has improved their career prospects.
  • Your employment profile will be improved and your chances of being chosen will rise if you update your LinkedIn profile with this credential.


Azure Admin Roles and Responsibilities

Roles and Responsibilities

The key to becoming an Azure Administrator lies in skill development. Azure is a promising platform known for its user-friendly nature. However, you should also focus on understanding the basic technologies before thinking of a career in Azure system administration. The basic Azure administrator skills you need are listed below.

  • A clear understanding of core cloud computing services is highly crucial for an Azure platform-specific job role. You need to understand the basic functioning of networking, databases, software, and servers in the cloud.
  • Basic Microsoft knowledge is mandatory for professionals looking for a career in Azure system administration. You need to have experience in using products such as PowerShell and Office 365, so that you understand the ways in which these services integrate with Azure.
  • Another important aspect to focus on is programming knowledge. Azure administrators need to have expertise in at least one programming language. Basic knowledge of open-source frameworks such as ASP.NET and languages such as JavaScript, SQL Server, and HTML5 is preferable.

Also check: Steps to register Azure Free Account

Day to Day Task of Azure Administrator in Azure infrastructure

  • Restart or bounce Azure components, clusters, and VMs.
  • Create and manage swap space on deployed cloud systems per customer policies, in support of the deployed cloud systems and environments.
  • Create custom scripts to automate support processes where applicable.
  • Power off unused VMs.
  • Identify and resolve issues at the Azure level.
  • Manage Azure subscriptions and profiles.

Also read: DP-100 Exam – Microsoft Certified Azure Data Scientist Associate, and why people in the IT industry think it’s a great time to be a data scientist these days.

Role Specific Skills:

1. Configure Networks

The complexity of TCP/IP inter-networking makes it a difficult topic for many IT experts to grasp. In Azure this complexity increases, because you never see the hardware supporting the Azure networking stack.

To be a successful Azure Administrator, you must be familiar with necessary networking activities like:

  • Establishing and setting up virtual networks.
  • Routing path orchestration, particularly in a hybrid cloud.
  • Choosing other Azure resources and managing public and private IP addresses for your virtual machines.

Read this blog to learn about some of the most crucial Microsoft Azure terms, including “Azure Availability Zones,” “Azure Region,” “Availability Set,” “Fault Domain,” and “Update Domain,” as well as how they relate to virtual machines.

2. Monitor Resources And Log Analytics

You should learn how to use Log Analytics in the Azure portal to write Azure Monitor log queries. You also need a basic understanding of how to perform the following tasks:

  • Use Log Analytics to write a simple query
  • Understand the schema of your data
  • Filter, sort, and group results
  • Apply a time range
  • Create charts
  • Save and load queries
  • Export and share queries
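As an added example (not part of the original post), the following Log Analytics query exercises several of the tasks listed above in one place: it applies a time range, filters rows, groups (summarizes) and sorts the results, and renders a chart. From an administrator's security point of view it audits who has been creating Azure RBAC role assignments, which is the kind of change you want to see promptly. It assumes the subscription activity log is exported to the workspace's `AzureActivity` table, and the column names (`OperationNameValue`, `ActivityStatusValue`, `Caller`, `ResourceGroup`) and the status value `"Success"` are taken from the current AzureActivity schema as assumptions about your workspace:

```kusto
// Added example: who created Azure RBAC role assignments in the last 7 days?
// Assumes the AzureActivity table (Activity Log export) exists in this workspace.
AzureActivity
| where TimeGenerated > ago(7d)                                                // apply a time range
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"  // filter: role assignment writes only
| where ActivityStatusValue == "Success"                                       // assumption: completed operations carry this status
| summarize Assignments = count(), LastSeen = max(TimeGenerated)               // group results per caller and scope
    by Caller, SubscriptionId, ResourceGroup
| sort by Assignments desc                                                     // sort: most active callers first
| project Caller, Assignments                                                  // keep the chart readable
| render barchart                                                              // create a chart
```

Remove the final `project` and `render` lines to keep the full tabular result (including `LastSeen` and the scope columns) for saving, exporting or sharing; the `summarize` output is what you would compare against your expected list of identities allowed to grant access.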

Check out: Azure Kubernetes Service.

3. Deploy And Manage Compute Resources

The Azure Administrator is most often identified with infrastructure-as-a-service (IaaS), which normally boils down to running Virtual Machines (VMs) in the cloud. To that point, to be a successful Azure Administrator, you should be familiar with one or both of the following hypervisor platforms:

  • Microsoft Hyper-V
  • VMware vSphere

Some VM-related Administrative Tasks Include:

  • Deploying VMs into Virtual Networks.
  • Configuring VM for Optimum Cost, Performance, and Security.
  • Backing up VMs and potentially providing Fail-over Recovery.

Containers represent a newer way to virtualize services, and Docker is extremely well-represented in Azure. Therefore, one should understand how to deploy, manage, and monitor containers.

Read More: Azure Scale Set

4. Implement And Manage Storage

Azure provides Administrators with essentially limitless storage. You need space to store VM virtual hard disks, database files, application data, and other potentially useful data. Furthermore, you should also study PowerShell/CLI commands, which help you to create and remove storage.

Under Cloud Computing’s shared responsibility model, it is also your responsibility to make use of Microsoft’s tools for protecting your data. Core tasks include:

  • Securing Data against unauthorized access
  • Backing Up Data and making it efficient to restore when needed.
  • Configuring long-term archival storage to maintain corporate compliance.

Read More: Azure Cost Management Tools

5. Implement Security And Protecting Identities

The security stakes are high in the Azure public cloud because your business stores its proprietary data on someone else’s infrastructure. The shared responsibility model in cloud computing means the responsibility is on you as an Azure Administrator to make use of Microsoft’s manifold security controls. Representative skills include:

  • Encrypting data in transit, at rest, and in use.
  • Protecting Azure Active Directory accounts against compromise.
  • Reducing the attack surface of all your Azure resources.

Also Read: Our blog post on Azure ExpressRoute vs VPN Gateway

Syllabus for Azure Administrator Certification

1. Manage Azure Identities and Governance (15-20%)

  • Manage Azure Active Directory (Azure AD) objects
    – create users and groups
    – create administrative units
    – manage user and group properties
    – manage device settings
    – perform bulk user updates
    – manage guest accounts
    – configure Azure AD Join
    – configure self-service password reset

  • Manage role-based access control (RBAC)
    – create a custom role
    – provide access to Azure resources by assigning roles at different scopes
    – interpret access assignments

  • Manage subscriptions and governance
    – configure Azure policies
    – configure resource locks
    – apply and manage tags on resources
    – manage resource groups
    – manage subscriptions
    – manage costs
    – configure management groups

2. Implement and Manage Storage (15-20%)

  • Secure storage
    – configure network access to storage accounts
    – create and configure storage accounts
    – generate shared access signature (SAS) tokens
    – manage access keys
    – configure Azure AD authentication for a storage account
    – configure access to Azure Files

  • Manage storage
    – export from Azure job
    – import into Azure job
    – install and use Azure Storage Explorer
    – copy data by using AzCopy
    – implement Azure Storage replication
    – configure blob object replication

  • Configure Azure Files and Azure Blob Storage
    – create an Azure file share
    – create and configure Azure File Sync service
    – configure Azure Blob Storage
    – configure storage tiers
    – configure blob lifecycle management

3. Deploy and Manage Azure Compute Resources

  • Automate deployment of virtual machines (VMs) by using Azure Resource Manager templates
    – modify an Azure Resource Manager template
    – configure a virtual hard disk (VHD) template
    – deploy from a template
    – save a deployment as an Azure Resource Manager template
    – deploy virtual machine extensions

  • Configure VMs
    – configure Azure Disk Encryption
    – move VMs from one resource group to another
    – manage VM sizes
    – add data disks
    – configure networking
    – redeploy VMs
    – configure high availability
    – deploy and configure virtual machine scale sets

  • Create and configure containers
    – configure sizing and scaling for Azure Container Instances
    – configure container groups for Azure Container Instances
    – configure storage for Azure Kubernetes Service (AKS)
    – configure scaling for AKS
    – configure network connections for AKS
    – upgrade an AKS cluster

  • Create and configure Azure App Service
    – create an App Service plan
    – configure scaling settings in an App Service plan
    – create an App Service
    – secure an App Service
    – configure custom domain names
    – configure backup for an App Service
    – configure networking settings
    – configure deployment settings

4. Configure and Manage Virtual Networking

  • Implement and manage virtual networking
    – create and configure virtual networks, including peering
    – configure private and public IP addresses
    – configure user-defined network routes
    – implement subnets
    – configure endpoints on subnets
    – configure private endpoints
    – configure Azure DNS, including custom DNS settings and private or public DNS zones

  • Secure access to virtual networks
    – create security rules
    – associate a network security group (NSG) to a subnet or network interface
    – evaluate effective security rules
    – implement Azure Firewall
    – implement Azure Bastion

  • Configure load balancing
    – configure Azure Application Gateway
    – configure an internal or public load balancer
    – troubleshoot load balancing

  • Monitor and troubleshoot virtual networking
    – monitor on-premises connectivity
    – configure and use Azure Monitor for Networks
    – use Azure Network Watcher
    – troubleshoot external networking
    – troubleshoot virtual network connectivity

  • Integrate an on-premises network with an Azure virtual network
    – create and configure Azure VPN Gateway
    – create and configure Azure ExpressRoute
    – configure Azure Virtual WAN

5. Monitor and Back Up Azure Resources (10-15%)

  • Monitor resources by using Azure Monitor
    – configure and interpret metrics
    – configure Azure Monitor Logs
    – query and analyze logs
    – set up alerts and actions
    – configure Application Insights

  • Implement backup and recovery
    – create a Recovery Services vault
    – create a Backup vault
    – create and configure backup policy
    – perform backup and restore operations by using Azure Backup
    – perform site-to-site recovery by using Azure Site Recovery
    – configure and review backup reports

Azure Administrator Job Description

Examine the job description for Azure admins as well. Azure administrators primarily handle the deployment, upkeep, and monitoring of Azure systems. Other elements frequently mentioned in Azure administrators’ job descriptions include:

  • Working in a software environment that combines Windows and Unix
  • Managing, keeping track of, and maintaining a multiuser computing environment
  • Managing many cloud servers and instances of cloud infrastructure services
  • Establishing private and public cloud systems
  • Deploying workloads while balancing them
  • Choosing a cloud provider that meets the necessary criteria
  • Putting affordable cloud-based systems in place

Related Microsoft Azure certifications include:

  • Azure Foundations
  • Azure Architect for SAP Workloads Associate
  • Azure Administrator Associate
  • Azure Developer Associate
  • Azure Solutions Architect Expert
  • Azure DevOps Engineer Associate
  • Azure Security Engineer Associate
  • Azure Data Engineer Associate
  • Azure AI Engineer Associate
  • Azure Data Scientist Associate
  • Azure IoT Developer Associate

Salary of Azure Administrator


Although it can vary depending on your experience and skills, the average Azure Admin salary is $ 105,4733 USD. However, the majority of experienced professionals can expect to make up to $ 179,000. Due to the size of the Azure market, many firms are in need of Azure administrators. However, how much they pay you relies on the demands of the job; some large organisations truly do pay well, while some smaller ones do not.

Azure Administrators therefore carry a range of responsibilities: they set up and deploy custom-developed applications and continuously monitor their health. They also need to forecast and manage the demand for the apps hosted on the Azure platform. Finally, admins need to make sure data is secured, access is secured, and applications and data are backed up.

IT pros also need to set up and configure the application in Microsoft Azure, mainly using the Azure control panels and utilizing technical support as necessary. The apps usually don’t manage themselves, so as with on-premises line-of-business applications, you still have to administer that code as well.

The only part of the equation that Microsoft Azure changes is the area of personnel resource usage. Administrators are freed from managing industry hardware and software, and are proportionately more available to manage and enhance the delivery and quality of IT services specific to their businesses. Therein lies the exact appeal of Microsoft Azure for the business decision-maker, and why you’re probably going to hear about it very soon if you haven’t already.

Therefore, it’s best to understand how the various Cloud Computing platforms can affect your role and responsibilities as an IT professional.

To apply for the Microsoft Azure Administrator certification exam [AZ-104]

Frequently Asked Questions

What can Microsoft Azure be used for?

The Azure cloud platform is more than 200 products and cloud services designed to help you bring new solutions to life—to solve today's challenges and create the future. Build, run, and manage applications across multiple clouds, on-premises, and at the edge, with the tools and frameworks of your choice.

What problem does Microsoft Azure solve?

Azure is a great choice for data-intensive tasks such as web development, database management, etc. Whether you're running a single application or need to manage a large database, Azure can provide the best services for your needs.

What are the best features of Microsoft Azure?

Microsoft Azure has had built-in security from the beginning, using a multi-layered security approach that safeguards network components. To build security into the foundation, Microsoft also provides tools, services, and data intelligence to help organizations with workloads in the cloud environment.

What is the key benefit of Azure?

Microsoft Azure enables users to back up virtual machines, SQL workloads, and on-premises VMware to streamline the data recovery and backup processes.

Next Task For You

Begin your journey toward mastering Azure Cloud and landing high-paying jobs. Just click on the register now button on the image below to register for a free class on Mastering Azure Cloud: How to Build In-Demand Skills and Land High-Paying Jobs. This class will help you understand the field better, so you can choose the right career path and get a higher-paying job.


June 4, 2022 at 5:13 pm

wow great explanation


June 4, 2022 at 5:29 pm

We are glad that you liked our blog!

Please stay tuned for more informative blogs like this.

Thanks & Regards Rahul Dangayach Team K21 Academy


June 15, 2022 at 11:35 pm

Good afternoon Dear, I’m looking for some hands-on training on Azure. Please let me know if you can help me with that. I need all requirements for the training.

June 16, 2022 at 7:18 am

Hi Naremba,

Thanks for showing your interest in our training program. If you are interested in this training program, I would suggest you attend a 60-90 mins free masterclass where we cover everything, like what to expect, and everything you need is covered inside this program.

Please check the link below to register for the same: https://k21academy.com/az10402

For more information on the course please drop us an email at [email protected] and the team will help you.

Thanks and Regards Rahul Dangayach Team K21 Academy

