Forum Discussion

KirillosAkram (Microsoft)
Apr 28, 2023

30-min Prep for the AZ-104 Exam: [Session 1: Q&A] Manage Identity and Governance

I'd like to thank our Partners who attended the first session of this AZ-104 exam prep series and shared their feedback and questions on the survey link shared previously.

We've received a few questions related to the first session, which we'll be answering in this post.

[1] I would like a list of PowerShell commands that are used at this level of competency.

We've shared a few important commands in the previous post here. Also, we'll be sharing more each session. Please make sure to check the resources post after each session.

[2] Could you please show us next time how to work with PowerShell in a demo, Also Lab exercises that we can do ourselves or as a task until the next sessions are highly welcome.

We'll make sure to include more PowerShell hands-on in the next sessions. Also, it's great to hear your feedback, and we'll be working on adding a few lab exercises at the end of each session.

[3] VPN configuration

We'll be covering VPN in our fourth session, scheduled for 1st March. However, here are some resources that you can use until then.

  1. Tutorial - Connect an on-premises network and a virtual network: S2S VPN: Azure portal - Azure VPN Gateway | Microsoft Learn
  2. Step-By-Step: Creating an Azure Point-to-Site VPN (microsoft.com)
  3. Azure VPN Gateway configuration settings | Microsoft Learn

[4] Why do some Global Admins not see resources created by other admins?

By default, a Global Administrator doesn't have access to Azure resources. You need to differentiate between Azure AD and Azure resources: Azure AD and Azure resources are secured independently from one another.

To manage Azure AD resources (users, groups, etc. inside Azure AD) you need an Azure AD role (Helpdesk Administrator, Global Administrator, ...), but to manage Azure resources you need a different type of role: an Azure role (RBAC) such as Owner, Contributor or Virtual Machine Contributor, assigned at a management group, subscription, resource group or resource scope.

However, Microsoft added a feature for the Global Administrator role to elevate access to Azure resources when needed. This should only be a temporary action, and the Global Administrator should remove the extra permissions after finishing the Azure resource tasks.

If you are a Global Administrator, there might be times when you want to do the following actions:

  • Regain access to an Azure subscription or management group when a user has lost access.
  • Grant another user or yourself access to an Azure subscription or management group.
  • See all Azure subscriptions or management groups in an organization.
  • Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups.

When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope ( / ). This allows you to view all resources and assign access in any subscription or management group in the directory. Again, I need to stress this: 'You should remove this elevated access once you have made the changes you need to make at root scope.'

So that explains why some Global Administrators might not have access to all (or any) Azure resources: an admin in your organization may have created Azure resources in a subscription on which the Global Administrator has no role assignment, so they can't view or manage them. However, the Global Administrator can elevate their access to gain those permissions when needed, and should remove the elevated access afterwards.
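The elevate / recover / clean-up sequence described above, as an added example in Az PowerShell (not code from the original post). It assumes you are signed in with Connect-AzAccount as the Global Administrator; the UPNs and subscription ID are placeholders, and the REST path is the documented elevateAccess endpoint that the portal toggle calls.

```powershell
# Added example (not from the original post): elevate Global Administrator access to
# Azure resources, use it, verify it, and remove it again from PowerShell (Az module).
# Assumptions: already signed in via Connect-AzAccount as the Global Administrator;
# $upn, the second user and the subscription ID below are placeholders.
$upn = "admin@contoso.onmicrosoft.com"

# 1. Elevate: the documented REST call behind the portal toggle. It assigns the
#    caller the User Access Administrator role at root scope "/".
$resp = Invoke-AzRestMethod -Method POST `
    -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
if ($resp.StatusCode -ne 200) {
    throw "Elevate access failed: $($resp.StatusCode) $($resp.Content)"
}

# 2. Verify: the root-scope assignment should now be visible.
Get-AzRoleAssignment -Scope "/" -RoleDefinitionName "User Access Administrator" |
    Select-Object SignInName, RoleDefinitionName, Scope

# 3. Do the recovery task, e.g. give another admin Owner on a subscription
#    nobody has access to any more (placeholder user and subscription).
New-AzRoleAssignment -SignInName "ops-admin@contoso.onmicrosoft.com" `
    -RoleDefinitionName "Owner" `
    -Scope "/subscriptions/00000000-0000-0000-0000-000000000000"

# 4. Clean up: remove the root-scope assignment as soon as the task is done.
Remove-AzRoleAssignment -SignInName $upn `
    -RoleDefinitionName "User Access Administrator" -Scope "/"

# 5. Audit check: no account should be left holding User Access Administrator at "/".
$leftover = Get-AzRoleAssignment -Scope "/" -RoleDefinitionName "User Access Administrator"
if ($leftover) {
    Write-Warning "Root-scope User Access Administrator assignments still exist:"
    $leftover | Format-Table SignInName, ObjectType, Scope
}
```

Step 5 is worth running on a schedule even outside a recovery: a forgotten root-scope assignment gives that account the ability to grant itself Owner on every subscription in the tenant, which is exactly the standing privilege the "temporary action" advice is meant to avoid.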

[5] More practical labs on GitHub will be fine

We've already shared a few hands-on labs related to the Identity and Governance chapters in the resources post.

Here are a few labs as well for your reference:

[6] Where to find some exam test to practice?

We'll be sharing practice exam questions live in each session, and you can also reference the official Microsoft practice exam questions.

[7] Can resources (VMs) from different subscriptions access VNET of other subscriptions with VNET_peering? Can VM-NIC be deployed in another subscription's VNET?

We'll be covering VNet peering in our fourth session, scheduled for 1st March. But to answer your question: yes, VNet peering supports cross-subscription connectivity, and with global VNet peering also cross-region connectivity.

You can't deploy a VM NIC in another subscription. A network interface (NIC) is the interconnection between a virtual machine and a virtual network. A virtual machine must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create. You can create a VM with multiple NICs and add or remove NICs through the lifecycle of a VM. Multiple NICs allow a VM to connect to different subnets.

Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.
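Cross-subscription peering as described above, as an added Az PowerShell example (not code from the original post). Subscription IDs, resource group and VNet names are placeholders; the account running it is assumed to hold Network Contributor (or at least Microsoft.Network/virtualNetworks/peer/action) on both VNets, because each side of the peering is created from within its own subscription.

```powershell
# Added example (not from the original post): peer vnet-a (subscription A) with
# vnet-b (subscription B). Both directions must be created; the same identity needs
# peering permission on both VNets. All IDs and names are placeholders.
$subA = "11111111-1111-1111-1111-111111111111"   # subscription holding vnet-a
$subB = "22222222-2222-2222-2222-222222222222"   # subscription holding vnet-b

# Side A -> B: the remote VNet is referenced by its full resource ID, which is how
# the cross-subscription link is expressed.
Set-AzContext -Subscription $subA | Out-Null
$vnetA   = Get-AzVirtualNetwork -Name "vnet-a" -ResourceGroupName "rg-a"
$vnetBId = "/subscriptions/$subB/resourceGroups/rg-b/providers/Microsoft.Network/virtualNetworks/vnet-b"
Add-AzVirtualNetworkPeering -Name "a-to-b" -VirtualNetwork $vnetA `
    -RemoteVirtualNetworkId $vnetBId | Out-Null

# Side B -> A
Set-AzContext -Subscription $subB | Out-Null
$vnetB = Get-AzVirtualNetwork -Name "vnet-b" -ResourceGroupName "rg-b"
Add-AzVirtualNetworkPeering -Name "b-to-a" -VirtualNetwork $vnetB `
    -RemoteVirtualNetworkId $vnetA.Id | Out-Null

# Check: a link shows PeeringState "Initiated" while only one side exists and
# "Connected" once both do. Traffic flows only in the Connected state.
Set-AzContext -Subscription $subA | Out-Null
$peerA = Get-AzVirtualNetworkPeering -VirtualNetworkName "vnet-a" -ResourceGroupName "rg-a" -Name "a-to-b"
Set-AzContext -Subscription $subB | Out-Null
$peerB = Get-AzVirtualNetworkPeering -VirtualNetworkName "vnet-b" -ResourceGroupName "rg-b" -Name "b-to-a"
"{0}: {1}; {2}: {3}" -f $peerA.Name, $peerA.PeeringState, $peerB.Name, $peerB.PeeringState
```

Two caveats a practitioner will hit: Azure refuses the peering if the two address spaces overlap, and the VM NIC rule from the answer still applies after peering, so the VM in subscription B stays attached to vnet-b and simply reaches vnet-a over the peered link.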

[8] What exactly will be given to those who attend 100% of the presentations?

Our Partners who attend 100% of the sessions will be able to get an exclusive 'Cloud Champion AZ-104 Expert' badge.

[9] What is the limit of conditions on a Dynamic Group?

The limit is on the number of dynamic groups, not on the number of conditions in a rule: an Azure AD organization can have a maximum of 5,000 dynamic groups and dynamic administrative units combined. The only constraint on the rule itself is its size: the body of a membership rule can't exceed 3072 characters. For more information about the supported rule syntax, please visit this reference link.
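A multi-condition dynamic membership rule, checked against the 3072-character limit and then used to create the group with the Microsoft Graph PowerShell SDK, as an added example (not code from the original post). The group name, attribute values and the Group.ReadWrite.All scope are assumptions for illustration.

```powershell
# Added example (not from the original post): build a dynamic membership rule from
# several conditions, enforce the documented 3072-character rule-length limit, and
# create the group via Microsoft Graph PowerShell. Names and values are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All" | Out-Null

# Conditions are combined with -and / -or; there is no cap on how many you chain,
# only on the total length of the resulting rule body.
$conditions = @(
    '(user.accountEnabled -eq true)',
    '(user.userType -eq "Member")',
    '((user.department -eq "Security") -or (user.jobTitle -contains "Engineer"))',
    '(user.country -in ["EG","DE","US"])'
)
$rule = $conditions -join " -and "

$maxRuleLength = 3072
if ($rule.Length -gt $maxRuleLength) {
    throw "Rule is $($rule.Length) characters; the limit is $maxRuleLength."
}

$group = New-MgGroup -DisplayName "dyn-security-engineers" `
    -MailEnabled:$false -MailNickname "dyn-security-engineers" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Membership is evaluated asynchronously after creation; read back the stored rule
# and processing state to confirm what the directory accepted.
Get-MgGroup -GroupId $group.Id `
    -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Because a dynamic group's membership is driven entirely by user attributes, treat whoever can write those attributes (HR sync, Helpdesk Administrator, the user's own profile fields) as able to influence membership of any group, and by extension any access, that the rule grants.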

[10] Because there are multiple acronyms, it is convenient to make an introduction or legend of those that will be used in each session.

Thanks for this great feedback. We'll make sure to make all the acronyms known at the beginning of each session. Having said that, AZ-104 is not an introductory-level certification: it's expected that you have at least 6 months of experience with Azure or the AZ-900 certification before preparing for the AZ-104 certification.

We'd like to thank everyone who attended the session and we're waiting for you in the next sessions.

Please make sure to register and attend the next sessions.

Resources