Create Azure users and groups in Azure Active Directory – Learn | Microsoft Docs

Access management in Azure AD

  • Azure AD roles: Use Azure AD roles to manage Azure AD-related resources like users, groups, billing, licensing, application registration, and more.
  • Role-based access control (RBAC) for Azure resources: Use RBAC roles to manage access to Azure resources like virtual machines, SQL databases, or storage. For example, you could assign an RBAC role to a user to manage and delete SQL databases in a specific resource group or subscription.

Access rights through single user or group assignment

Azure AD helps you provide access rights to a single user or to an entire group of users. You can assign a set of access permissions to all the members of the group. Access permissions range from full access to the ability to create or remove resources. There are different ways you can assign access rights:

  • Direct assignment: Assign a user the required access rights by directly assigning a role that has those access rights.
  • Group assignment: Assign a group the required access rights, and members of the group will inherit those rights.
  • Rule-based assignment: Use rules to determine a group membership based on user or device properties. For a user account or device’s group membership to be valid, the user or device must meet the rules. If the rules aren’t met, the user account or device’s group membership is no longer valid. The rules can be simple. You can select prewritten rules or write your own advanced rules.

To create customroles, a Premium P1 or P2 subscription is needed. To create dynamic groups, a P2 dubscription is needed

Application proxy requires premium or basic subscription. Same with Mobility (MDM & MAM) & Company branding

Why use Azure AD B2B instead of federation?

With Azure AD B2B, you don’t take on the responsibility of managing and authenticating the credentials and identities of partners. Your partners can collaborate with you even if they don’t have an IT department. For example, you can collaborate with a contractor who only has a personal or business email address and no identity management solution managed by an IT department. Giving access to external users is much easier than in a federation. You don’t need an AD administrator to create and manage external user accounts. Any authorized user can invite other users. A line manager could, for example, invite external users to collaborate with their team. When collaboration is no longer needed, these external users can easily be removed.

A federation is more complex. A federation is where you have a trust established with another organization, or a collection of domains, for shared access to a set of resources. You might be using an on-premises identity provider and authorization service like Active Directory Federation Services (AD FS) that has an established trust with Azure AD. To get access to resources, all users have to provide their credentials and successfully authenticate against the AD FS server. If you have someone trying to authenticate outside the internal network, you need to set up a web application proxy. The architecture might look something like the following diagram:

Diagram that shows federation example

An on-premises federation with Azure AD might be good if your organization wants all authentication to Azure resources to happen in the local environment. Administrators can implement more rigorous levels of access control. But this means that, if your local environment is down, users can’t access the Azure resources and services they need.

With a B2B collaboration, external teams get the required access to Azure resources and services with the appropriate permissions. There’s no need for a federation and trust to be established, and authentication doesn’t depend on an on-premises server. Authentication is done directly through Azure. Collaboration becomes simplified, and you don’t have to worry about situations where users can’t sign in because an on-premises directory isn’t available.

Directories, subscriptions, and users

Microsoft offers several cloud-based offerings today – all of which can use Azure AD to identify users and control access.

  • Microsoft Azure
  • Microsoft 365
  • Microsoft Intune
  • Microsoft Dynamics 365

When a company or organization signs up to use one of these offerings, they are assigned a default directory, which is an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has signed up for. This default directory is sometimes referred to as a tenant. A tenant represents the organization and the default directory assigned to it.

Subscriptions in Azure are both a billing entity and a security boundary. Resources such as virtual machines, web sites, and databases are always associated to a single subscription. Each subscription also has a single account owner who is responsible for any charges incurred by resources in that subscription. If your organization wants the subscription to be billed to another account, you can transfer ownership of the subscription. A given subscription is also associated to a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory.

Users and groups can be added to multiple subscriptions – this allows the user to create, control, and access resources in the subscription. When you add a user to a subscription, the user must be known to the associated directory as shown in the following image.

Conceptual art showing users, directories, and subscriptions in Azure

If you belong to multiple directories, you can switch the current directory you are working in through the Directory + subscription button in the Azure portal header. Keep in mind that you can only work with a single directory at a time – but you can use the Directory + Subscription panel to switch directories. The dashboard also has a Switch directory button in the toolbar which makes it easy to switch to another available directory.

Typically, Azure AD defines users in 3 ways

  • Cloud Identities – These users exist only in Azure AD. Examples are administrator accounts and users that you manage yourself. Their source is Azure Active Directory or External Azure Active Directory if the user is defined in another Azure AD instance but needs access to subscription resources controlled by this directory. When these accounts are removed from the primary directory, they are deleted.
  • Directory-Synchronized Identities – These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect brings these users in to Azure. Their source is Windows Server AD.
  • Guest Users – These users exist outside Azure. Examples are accounts from other cloud providers and Microsoft accounts such as an Xbox LIVE account. Their source is Invited user. This type of account is useful when external vendors or contractors need access to your Azure resources. Once their help is no longer necessary, you can remove the account and all of their access.

Adding users

  • Syncing an on-premises windows server active directory: Azure AD Connect is a separate service that allows you to synchronize a traditional Active Directory with your Azure AD instance. This is how most enterprise customers add users to the directory. The advantage to this approach is users can use single-sign-on (SSO) to access local and cloud-based resources.
  • Use the Azure portal: You can manually add new users through the Azure portal. This is the easiest way to add a small set of users. You need to be in the User Administrator role to perform this function. You can also invite a user into the directory. In this case, an email is sent to a known email address and an account is created and associated with that email address if they accept the invitation.
  • Use the command line: If you have a lot of users to add, a better option is to use a command-line tool. You can use the New-AzureADUser Azure PowerShell command to add cloud-based users.

# PowerShell
# Create a password object
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

# Assign the password
$PasswordProfile.Password = "<Password>"

# Create the new user
New-AzureADUser -AccountEnabled $True -DisplayName "Abby Brown" -PasswordProfile $PasswordProfile -MailNickName "AbbyB" -UserPrincipalName ""

# Azure Client
az ad user create --display-name "Abby Brown" \
                  --password "<password>" \
                  --user-principal-name "" \
                  --force-change-password-next-login true \
                  --mail-nickname "AbbyB"

  • Command-line tools allow you to add users in bulk through scripting. The most common approach for this is to use a comma-separated values file (CSV). You can either manually create this file or export the file from an existing data source. To use a CSV with Azure PowerShell:
    1. Use Connect-AzureAD to create an Azure PowerShell connection to your directory. Connect with an admin account that has privileges on your directory.
    2. Create new password profiles for the new users. The passwords for the new users need to conform to the password complexity rules you have set for your directory.
    3. Use Import-CSV to import the CSV. You need to specify the path and file name of the CSV.
    4. Loop through the users in the file, constructing the user parameters needed for each user. Example parameters are User Principal Name, Display Name, Given Name, Department, and Job Title.
    5. Use New-ADUser to create each user. Be sure to enable each account.
  • Other options: You can also add users to Azure AD programmatically using the Azure AD Graph API, or through the Microsoft 365 Admin Center and the Microsoft Intune Admin console if you are sharing the same directory.

Azure AD allows you to define two different types of groups.

  1. Security groups. These are the most common and are used to manage member and computer access to shared resources for a group of users. For example, you can create a security group for a specific security policy. By doing it this way, you can give a set of permissions to all the members at once, instead of having to add permissions to each member individually. This option requires an Azure AD administrator.
  2. Microsoft 365 groups. These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. This option is available to users as well as admins.

Group membership type can be one of two values:

  • Assigned. The group will contain specific users or groups that you select.
  • Dynamic user. You create rules based on characteristics to enable attribute-based dynamic memberships for groups. For example, if a user’s department is Sales, that user will be dynamically assigned to the Sales group. You can set up a rule for dynamic membership on security groups or on Office 365 groups. If the user’s department changes in the future, they are automatically removed from the group. This feature requires an Azure AD Premium P1 license.

Azure AD provides several built-in roles to cover the most common security scenarios. To understand how the roles work, let’s examine three roles that apply to all resource types:

  • Owner, which has full access to all resources, including the right to delegate access to others.
  • Contributor, which can create and manage all types of Azure resources but can’t grant access to others.
  • Reader, which can view existing Azure resources.

Role definitions

Each role is a set of properties defined in a JavaScript Object Notation (JSON) file. This role definition includes a Name, Id, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (for example, read access) for the role. A role definition is a collection of permissions. It’s sometimes just called a role. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can’t be performed or operations related to underlying data. You can tailor the Actions and NotActions properties to grant and deny the exact permissions you need. The operations under NotActions are subtracted from Actions. In the case of the Contributor role, NotActions removes this role’s ability to manage access to resources and also assign access to resources. These are always in the format: {Company}.{ProviderName}/{resourceType}/{action}. Data operations are specified in the DataActions and NotDataActions properties. This allows data operations to be specified separately from the management operations. This prevents current role assignments with wildcards (*) from suddenly having access to data. Here are some data operations that can be specified in DataActions and NotDataActions. Defining the Actions and NotActions properties is not enough to fully implement a role. You also need to properly scope your role. The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or resources) within which the role is available for assignment.

Creating a new role can be done through several mechanisms:

  • Azure portal. You can use the Azure portal to create a custom role – Azure Active Directory > Roles and administrators > New custom role.
  • Azure PowerShell. You can use the New-AzureADMSRoleDefinition cmdlet to define a new role.
  • Azure Graph API. You can use a REST call to the Graph API to programmatically create a new role.

Connect Active Directory to Azure AD with Azure AD Connect

Companies that use an on-premises Windows Server Active Directory solution can integrate their existing users and groups with Azure Active Directory with Azure AD Connect. This is a free tool you can download and install to synchronize your local AD with your Azure directory.With Azure AD Connect, you can provide your users with a common identity for Microsoft 365, Azure, and SaaS applications integrated with Azure AD in a hybrid identity environment.


Azure AD Connect provides several components that you can install to create a hybrid identity system.

  • SYNC SERVICES: this component is responsible for creating users, groups, and other objects. it also makes sure that identity information for your on-premises users and groups matches that in the cloud.
  • HEALTH MONITORING: azure ad connect health supplies robust monitoring and a central location in the azure portal for viewing this activity.
  • AD FS. FEDERATION is an optional part of azure ad connect that you can use to configure a hybrid environment via an on-premises ad fs infrastructure. organizations can use this to address complex deployments, such as domain join sso, enforcement of the active directory sign-in policy, and smart card or third-party multi-factor authentication.
  • PASSWORD HASH SYNCHRONIZATION: this feature is a sign-in method that synchronizes a hash of a user’s on-premises active directory password with azure ad.
  • PASS-THROUGH AUTHENTICATION: this allows users to sign in to both on-premises and cloud-based applications using the same passwords. this reduces it helpdesk costs because users are less likely to forget how to sign in. this feature provides an alternative to password hash synchronization that allows organizations to enforce their security and password complexity policies.

Installing and configuring Azure AD Connect is not a trivial task and requires some initial planning and decisions before you begin.

  • OFFICE PHONE: Provide a nonmobile phone number. You receive an automated call to this number and press #. In free and trial Azure AD organizations, phone call options aren’t supported.
  • MOBILE PHONE: The mobile phone method isn’t a recommended method because it’s possible to send fraudulent SMS messages.
  • The security question option is the least recommended method because the answers to the security questions might be known to other people. Only use the security question method in combination with at least one other method.

SSPR (Self Service Password Reset) isn’t available in the free edition of Azure AD.

Require the minimum number of authentication methods

You can specify the minimum number of methods that the user must set up: one or two. For example, you might enable the mobile app code, email, office phone, and security questions methods and specify a minimum of two methods. Then users can choose the two methods they prefer, like mobile app code and email. For the security question method, you can specify a minimum number of questions that the user must set up to register for this method. You also can specify a minimum number of questions that they must answer correctly to reset their password. After your users register the required information for the minimum number of methods you’ve specified, they’re considered registered for SSPR.

Understand the difference between Azure RBAC roles and Azure AD roles

Azure resources and Azure Active Directory (Azure AD) have independent permission systems. Azure role-based access control (RBAC) roles are used to manage access to virtual machines, storage, and other Azure resources. Azure AD roles are used to manage access to Azure AD resources, such as user accounts and passwords.

Azure RBAC roles

Azure RBAC is the system that allows control over who has access to which Azure resources, and what those people can do with those resources. You achieve control by assigning roles to users, groups, or applications at a particular scope. A role might be described as a collection of permissions. With Azure RBAC, you can allow one user, or a set of users, to access resources in a subscription.
Azure RBAC has many built-in roles, and you can create custom roles. Here are four examples of built-in roles:

  • Owner: Has full access to all resources, including the ability to delegate access to other users.
  • Contributor: Can create and manage Azure resources.
  • Reader: Can view only existing Azure resources.
  • User Access Administrator: Can manage access to Azure resources.

Identify the right scope

You can apply Azure RBAC roles at four levels of scope: management groups, subscriptions, resource groups, and resources. The following diagram illustrates the hierarchy of these four levels.

Diagram of scope hierarchy

By combining an Azure RBAC role and a scope, you can set finely tailored permissions for your Azure resources.

Azure AD roles

Azure AD also has its own set of roles, which apply mostly to users, passwords, and domains. These roles have different purposes. Here are a few examples:

  • Global Administrator: Can manage access to administrative features in Azure AD. A person in this role can grant administrator roles to other users, and they can reset a password for any user or administrator. By default, whoever signs up for the directory is automatically assigned this role.
  • User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users.
  • Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to RBAC permissions. The available billing permissions depend on the agreement you have with Microsoft.

Differences between Azure RBAC roles and Azure AD roles

The main difference between Azure RBAC roles and Azure AD roles is the areas they cover. Azure RBAC roles apply to Azure resources, and Azure AD roles apply to Azure AD resources (particularly users, groups, and domains). Also, Azure AD has only one scope, the directory. The Azure RBAC scope covers management groups, subscriptions, resource groups, and resources.

The roles share a key area of overlap. An Azure AD Global Administrator can elevate their access to manage all Azure subscriptions and management groups. This greater access grants them the Azure RBAC User Access Administrator role for all subscriptions of their directory. Through the User Access Administrator role, the Global Administrator can give other users access to Azure resources. The following diagram shows what resources the Global Administrator can view when their permissions are elevated to User Access Administrator.

Diagram of User Access Administrator elevated permissions

When to elevate access

By default, a Global Administrator doesn’t have access to Azure resources. The Global Administrator for Azure Active Directory (Azure AD) can temporarily elevate their permissions to the Azure role-based access control (RBAC) role of User Access Administrator. This action grants the Azure RBAC permissions that are needed to manage Azure resources. The User Access Administrator is assigned at the scope of root. The role can view all resources in, and assign access to, any subscription or management group in that Azure AD organization. As Global Administrator, you might need to elevate your permissions to:

  • Regain lost access to an Azure subscription or management group.
  • Grant another user or yourself access to an Azure subscription or management group.
  • View all Azure subscriptions or management groups in an organization.
  • Grant an automation app access to all Azure subscriptions or management groups.

To assign a user administrative access to a subscription, you must have Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions at the subscription scope. Users with the subscription Owner or User Access Administrator role have these permissions.

Azure subscriptions

First, remember that each Azure subscription is associated with a single Azure AD directory. Users, groups, and applications in that directory can manage resources in the Azure subscription. The subscriptions use Azure AD for single sign-on (SSO) and access management. You can extend your on-premises Active Directory to the cloud by using Azure AD Connect. This feature allows your employees to manage their Azure subscriptions by using their existing work identities. When you disable an on-premises Active Directory account, it automatically loses access to all Azure subscriptions connected with Azure AD.

Diagram that depicts how the classic subscription administrator roles, RBAC roles, and Azure AD administrator roles are related at a high level.

The following diagram depicts how the classic subscription administrator roles, RBAC roles, and Azure AD administrator roles are related at a high level. Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances. a subscription is associated with only one Azure AD tenant. Also note that a resource group can have multiple resources but is associated with only one subscription. Although it’s not obvious from the diagram, a resource can be bound to only one resource group.


You control access to resources using RBAC by creating role assignments, which control how permissions are enforced. To create a role assignment, you need three elements: a security principal, a role definition, and a scope. You can think of these elements as “who”, “what”, and “where”.

  1. SECURITY PRINCIPAL (WHO): A security principal is just a fancy name for a user, group, or application that you want to grant access to.
    An illustration showing security principal including user, group, and service principal.
  2. ROLE DEFINITION (WHAT YOU CAN DO): A role definition is a collection of permissions. It’s sometimes just called a role. A role definition lists the permissions that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or specific, like Virtual Machine Contributor.
    An illustration listing different built-in and custom roles with zoom-in on the definition for the contributor role.
    Azure includes several built-in roles that you can use. The following lists four fundamental built-in roles:
    • Owner – Has full access to all resources, including the right to delegate access to others.
    • Contributor – Can create and manage all types of Azure resources, but can’t grant access to others.
    • Reader – Can view existing Azure resources.
    • User Access Administrator – Lets you manage user access to Azure resources.
    If the built-in roles don’t meet the specific needs of your organization, you can create your own custom roles.
  3. SCOPE (WHERE): Scope is where the access applies to. This is helpful if you want to make someone a Website Contributor, but only for one resource group. In Azure, you can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship. When you grant access at a parent scope, those permissions are inherited by the child scopes.
    An illustration showing a hierarchical representation of different Azure levels to apply scope. The hierarchy, starting with the highest level, is in this order: Management group, subscription, resource group, and resource.
  4. ROLE ASSIGNMENT: Once you have determined the who, what, and where, you can combine those elements to grant access. A role assignment is the process of binding a role to a security principal at a particular scope, for the purpose of granting access. To grant access, you create a role assignment. To revoke access, you remove a role assignment.
    An illustration showing a sample role assignment process for Marketing group, which is a combination of security principal, role definition, and scope. The Marketing group falls under the Group security principal and has  a Contributor role assigned for  the Resource group scope.

RBAC is an allow model. What this means is that when you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. So, if one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you will have read and write permissions on that resource group. RBAC has something called NotActions permissions. Use NotActions to create a set of allowed permissions. The access granted by a role, the effective permissions, is computed by subtracting the NotActions operations from the Actions operations. For example, the Contributor role has both Actions and NotActions. The wildcard (*) in Actions indicates that it can perform all operations on the control plane. Then you subtract the following operations in NotActions to compute the effective permissions:

  • Delete roles and role assignments.
  • Create roles and role assignments.
  • Grants the caller User Access Administrator access at the tenant scope
  • Create or update any blueprint artifacts
  • Delete any blueprint artifacts

SCOPE FOR AZURE RBAC ROLES: Management Group -> Subscription -> Resource Group -> Resource
SCOPE OF AZURE AD ROLES: Users, groups, service principles, Managed Identities

Assignment and scope of custom roles

Users with the roles User Access Administrator or Owner can create or assign custom roles in Azure RBAC. Custom roles can be assigned to: user, group, service principals & managed identities.
You can scope the assignment and related permissions to different levels within Azure. The different scopes are:

  • Subscription
  • Resource group
  • Individual resource

A custom role definition breaks down into a collection of different permissions. Each definition details the operations that are allowed, such as read, write, and delete. Any role definition is declared using the following format: {Company}.{ProviderName}/{resourceType}/{action}. The action portion is typically one of the following actions: *, read, write, action [start, restart, join…], delete

# Review built-in roles
# returns the permissions for the built-in role Virtual Machine Contributor.
az role definition list --name "Virtual Machine Contributor" --output json | jq '.[] | .permissions[0].actions'

# To get this list in PowerShell
Get-AzRoleDefinition -Name "Virtual Machine Contributor" | Select Actions | ConvertTo-Json

# To create a custom role, first create the role defenition in n json file
# vm-operator-role.json
 "Name": "Virtual Machine Operator",
 "IsCustom": true,
 "Description": "Can monitor and restart virtual machines.",
 "Actions": [
 "NotActions": [],
 "DataActions": [],
 "NotDataActions": [],
 "AssignableScopes": [

# create the custom role
az role definition create --role-definition vm-operator-role.json

# Assign role, but first get user principal name
USER=$(az ad user list --display-name "your display name" --query [0].userPrincipalName --output tsv)
echo $USER
# Then assign
az role assignment create --assignee $USER --role "Virtual Machine Operator"

# To update custom role
az role definition update --role-definition "<<path-to-json-file>>"

# get list of custom roles
az role definition list --custom-role-only true --output json | jq '.[] | {"roleName":.roleName, "roleType":.roleType}'

#  full definition for a specific role
az role definition list --name "Virtual Machine Operator"

# List custom role assignment
az role assignment list --role "Virtual Machine Operator"

# Remove role assignments
az role assignment delete --role "role name"

# Delete custom role
az role definition delete --name "role name"

# The same using PowerShell #
# Create role
New-AzRoleDefinition -InputFile "vm-operator-role.json"

# To update custom role
Set-AzRoleDefinition -InputFile "<<path-to-json-file>>"

# list custom roles
Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

#  full definition for a specific role
Get-AzRoleDefinition "Virtual Machine Operator"

# List custom role assignment
Get-AzRoleAssignment -RoleDefinitionName "Virtual Machine Operator"

# Remove role assignments
Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName "role name" -Scope /subscriptions/<subscription_id>

# Delete custom role
Get-AzRoleDefinition "role name" | Remove-AzRoleDefinition


A resource can have up to 50 tags. The name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. The tag value is limited to 256 characters for all types of resources. Tags aren’t inherited from parent resources. Not all resource types support tags, and tags can’t be applied to classic resources.Tags can be added and manipulated through the Azure portal, Azure CLI, Azure PowerShell, Resource Manager templates, and through the REST API. You can use Azure Policy to automatically add or enforce tags for resources your organization creates based on policy conditions that you define.


Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can set to either Delete or Read-only. Delete will allow all operations against the resource but block the ability to delete it. Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels. Applying Read-only can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations. Resource locks apply regardless of RBAC permissions. Even if you are an owner of the resource, you must still remove the lock before you’ll actually be able to perform the blocked activity.

Azure billing zones

Bandwidth refers to data moving in and out of Azure datacenters. Most of the time inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data going out of Azure datacenters), the data transfer pricing is based on Billing Zones. A (Billing) Zone is a geographical grouping of Azure Regions for billing purposes. The following zones exist and include the listed countries (regions).

Zone 1United States, US Government, Europe, Canada, UK, France, Switzerland
Zone 2East Asia, Southeast Asia, Japan, Australia, India, Korea
Zone 3Brazil, South Africa, UAE
DE Zone 1Germany

In most zones, the first outbound 5 gigabytes (GB) per month are free. After that amount, you are billed a fixed price per GB.

Billing zones aren’t the same as an Availability Zone. In Azure, the term zone is for billing purposes only, and the full term Availability Zone refers to the failure protection that Azure provides for datacenters.

Azure pricing calculator

To make estimates easy for customers to create, Microsoft developed the Azure pricing calculator. The Azure pricing calculator is a free web-based tool that allows you to input Azure services and modify properties and options of the services. It outputs the costs per service and total cost for the full estimate.
you’ll see several tabs:

  • Products. This tab is where you’ll do most of your activity. This tab has all the Azure services listed and is where you’ll add or remove services to put together your estimate.
  • Example Scenarios This tab has several examples of infrastructure involved in common cloud-based solutions. You can add all the components of the entire scenario to estimate the cost.
  • Saved Estimates. This tab has all of your previously saved estimates. We’ll go through this process in a moment.
  • FAQ. Just as it says, this tab has answers to some frequently asked questions.


Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across each of these areas. CROPS – Cost, Reliability Operational Excellence, Performance, Security Advisor makes cost recommendations in the following areas:

  • Reduce costs by eliminating unprovisioned Azure ExpressRoute circuits.
  • Buy reserved instances to save money over pay-as-you-go.
  • Right-size or shutdown underutilized virtual machines.


Azure Cost Management is another free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going. You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and analyze your cost areas.


The pricing calculator and cost management advisor can help you predict and analyze your spend for new or existing services. If you are starting to migrate to the cloud, a useful tool you can use to predict your cost savings is the Total Cost of Ownership (TCO) calculator. To use the TCO calculator, you need to complete four steps.

  1. Open TCO calculator
  2. Define workloads (Servers, Databases, Storage, Networking)
  3. Adjust Assumptions(Virtual machine, Electricity, Storage, IT labor, Hardware, Software, Virtualization, Datacenter, Networking & Database costs)
  4. View report

Ways to reduce infrastructure costs

  1. Use Azure credits: Visual Studio subscribers can activate a monthly credit benefit that allows you to experiment with, develop, and test new solutions on Azure.
  2. Use Spending limits: By default, Azure subscriptions that have associated monthly credits (which includes trial accounts) have a spending limit to ensure you aren’t charged once you have used up your credits.
  3. Use reserved instances: If you have virtual machine workloads that are static and predictable, using reserved instances is a fantastic way to potentially save up to 70 to 80 percent off the pay-as-you-go cost.
  4. Choose low cost regions
  5. Right-size underutilized virtual machines
  6. Deallocate virtual machines in off hours
  7. Delete unused virtual machines
  8. Migrate to PaaS or SaaS services



To be eligible for this benefit, your Windows licenses must be covered by Software Assurance. The following guidelines will also apply:

  • Each two-processor license or each set of 16-core licenses is entitled to two instances of up to eight cores or one instance of up to 16 cores.
  • Standard Edition licenses can only be used either on-premises or in Azure, but not both. That means you can’t use the same license for an Azure VM and a local computer.
  • Datacenter Edition benefits allow for simultaneous usage both on-premises and in Azure so that the license will cover two running Windows machines.


Azure Hybrid Benefit for SQL Server is an Azure-based benefit that enables you to use your SQL Server licenses with active Software Assurance to pay a reduced rate.You can use this benefit even if the Azure resource is active, but the reduced rate will only be applied from the time you select it in the portal. No credit will be issued retroactively.

  • If you have Standard Edition per-core licenses with active Software Assurance, you can get one vCore in the General Purpose service tier for every one license core you own on-premises.
  • If you have Enterprise Edition per-core licenses with active Software Assurance, you can get one vCore in the Business Critical service tier for every one license core you own on-premises. The Azure Hybrid Benefit for SQL Server for the Business Critical service tier is available only to customers who have Enterprise Edition licenses.
  • If you have highly virtualized Enterprise Edition per-core licenses with active Software Assurance, you can get four vCores in the General Purpose service tier for every one license core you own on-premises. The vCore benefit is a unique virtualization benefit available only on Azure SQL Database.

The following illustration shows the vCore-based options available in each service tier with Azure Hybrid Benefit for SQL Server licenses.

Diagram showing an example of maximizing existing SQL server license value using the Azure Hybrid Benefit.

For SQL Server in Azure Virtual Machines, the Azure Hybrid Benefit works as follows:

  • If you have Enterprise Edition per-core licenses with active Software Assurance, you can get one core of SQL Server Enterprise Edition in Azure Virtual Machines for every one license core you own on-premises.
  • If you have Standard Edition per-core licenses with active Software Assurance, you can get one core of SQL Server Standard Edition in Azure Virtual Machines for every one license core you own on-premises.

In Short with Active Software Assurance

  • Highly Virtualized Enterprise edition -> 4 general purpose vCore
  • Enterprise edition -> 1 vCore business critical
  • Standard edition ->1 General purpose vCore

Use Dev/Test subscription offers

The Enterprise Dev/Test and Pay-As-You-Go (PAYG) Dev/Test offers are a benefit you can take advantage of to save costs on your non-production environments. This benefit gives you several discounts, most notably for Windows workloads, eliminating license charges and only billing you at the Linux rate for virtual machines. SQL Server and other Microsoft software covered under a Visual Studio subscription (formerly known as MSDN) are also included.

There are a few requirements for this benefit. First, it’s only for non-production workloads. This benefit also requires any users of these environments (excluding testers) must be covered under a Visual Studio subscription. In short, for non-production workloads, this benefit allows you to save money on your Windows, SQL Server, and other Microsoft virtual machine workloads.


If you are a customer on an Enterprise Agreement and already have an investment in SQL Server licenses, and they have freed up as part of moving resources to Azure, you can provision bring your own license (BYOL) images off the Azure Marketplace, giving you the ability to take advantage of these unused licenses and reduce your Azure VM cost.


Many people are unaware that SQL Server Developer Edition is a free product for nonproduction use. Developer Edition has all the same features that Enterprise Edition has, but for nonproduction workloads, you can save dramatically on your licensing costs. Look for SQL Server images for Developer Edition on the Azure Marketplace and use them for development or testing purposes to eliminate the additional cost for SQL Server in these cases.

Use constrained instance sizes for database workloads

Many customers have high requirements for memory, storage, or I/O bandwidth. But they also often have low requirements for CPU core counts. Based on this popular request, Microsoft has made available the most popular VM sizes (DS, ES, GS, and MS) in new sizes that constrain the vCPU count to one half or one-quarter of the original VM size, while maintaining the same memory, storage, and I/O bandwidth.

VM SizevCPUsMemoryMax disksMax I/O throughputSQL Server Enterprise licensing cost per yearTotal cost per year (compute + licensing)
Standard_DS14v216112 GB3251,200 IOPS or 768 MB/s7
Standard_DS14-4v24112 GB3251,200 IOPS or 768 MB/s75% lower57% lower
Standard_GS532448 GB6480,000 IOPS or 2 GB/s7
Standard_GS5-88448 GB6480,000 IOPS or 2 GB/s75% lower42% lower

Because database products like SQL Server and Oracle are licensed per CPU, customers can reduce licensing cost by up to 75 percent and still maintain the high performance their database requires.

After identifying the resource types of your resources, you must investigate whether they can be moved, and the restrictions that might be in place. Check your resource types against the move support for resources list. The list shows whether each resource type can be moved between resource groups or between subscriptions. These resources can’t be moved:

  • Azure Active Directory domain services
  • Azure Backup vaults
  • Azure App Service gateways

These resources can be moved between subscriptions or resource groups:

  • Azure Storage accounts
  • Azure virtual machines
  • Azure virtual networks

Virtual machines have their own limitations you must keep in mind. Here’s a summary of limitations for virtual machines:

  • If you want to move a virtual machine, all of its dependants must go with it.
  • You can’t move virtual machines with certificates in Azure Key Vault between subscriptions.
  • You can’t move virtual machine scale sets with standard load balancers or a standard public IP.
  • You can’t move any managed disks that are in availability zones to different subscriptions.

if you’re moving a web app to another resource group in the same subscription, you can’t automatically move third-party SSL certificates.


Before attempting to move a resource, you can test whether it will be successful by calling the validate move operation from the Azure REST API. This test is especially useful if you’re trying to move resources by using, for example, Azure PowerShell or the Azure CLI. You can use these tools to script moves, with minimal human interaction. Testing a move doesn’t affect your resources. The operation only tests whether your move operation would succeed, based on the options you provide.

If you’re trying to move resources through the Azure portal, you don’t need to validate the move before attempting it. The Azure portal does an automatic validation before allowing you to move resources.

A REST API is a programmatic interface that you can call by sending HTTP requests. Programmers often call REST APIs in their custom code from clients such as mobile apps. To call a specific Azure REST method, such as the validate move operation, you can use the Azure CLI:

az rest --method post --uri <enter the correct REST operation URI here>

To formulate the correct REST URI to call, and to provide the other necessary details, you must obtain the following information:

  • Your Azure subscription ID.
  • The name of the resource group currently holding your resources.
  • The resource ID for each of the resources in your original resource group.
  • The resource ID for the destination resource group where you want to move your resources.
  • Your account access token.
  • When you use the Azure CLI to call an Azure REST API operation, you don’t have to provide a subscription ID or an access token. The CLI includes these values automatically.


When you start a move operation, the resource group holding your resources and the new destination resource group are locked. You can’t do write or delete operations on the resource groups until the move operation ends. Your resources aren’t affected, but you can’t add, delete, or update any resources in these resource groups.
Your moved resourcesdon’t change location. For example, if you have a storage account in the East US region, and you move it to another resource group, it keeps its East US region location. You can use the Azure portal, the Azure CLI, PowerShell, or Azure REST API to move your resources.


You have three device registration options to add a device to Azure AD:

  • Azure AD registered: These devices fall into the Bring Your Own Device (BYOD) category. They’re typically privately owned, or they use a personal Microsoft account or another local account. This method of device registration is the least restrictive because it supports devices running Windows 10, iOS, iPadOS, Android, and macOS. Device security is typically provided from a password, a PIN, a pattern, or Windows Hello.
  • Azure AD joined: These devices are owned by your organization. Users access your cloud-based Azure AD instance through their work account. Device identities exist only in the cloud. This option is available only to Windows 10 or Windows Server 2019 devices. Security for this option uses either a password or Windows Hello.
  • Hybrid Azure AD joined: This option is similar to Azure AD joined. The devices are owned by the organization, and they’re signed in with an Azure AD account that belongs to that organization. Device identities exist in the cloud and on-premises. The hybrid option is better suited to organizations that need on-premises and cloud access. This option supports Windows 7, 8.1, and 10, and Windows Server 2008 or later.


Conditional access in Azure AD uses data from sources known as signals, validates them against a user-definable rule base, and chooses the best outcome to enforce your organization’s security policies. Conditional access enables device identity management, but conditional access policies can be complex. Conditional access policies are applied after a user has successfully completed first-factor authentication, typically with a username and password. These policies aren’t a substitute for first-factor authentication. They’re used to assess factors like device, location, and application, and to assess the risk in real time.

Illustration that shows a conditional signal plus a decision to get enforcement.


Conditional access uses many common signal types to make a decision on which outcome to recommend. Signals include the following types:

  • User or group membership provides fine-grained access to resources.
  • IP location information uses an allow list of trusted IP addresses, and a deny list of blocked or banned IP addresses.
  • Device allows you to specify the type of device and its state.
  • Application lets you control access to an application for a specific device.
  • Real-time and calculated risk detection allows Azure AD to identify behaviors not only during sign-in but also throughout the user’s session.
  • Microsoft Cloud App Security provides real-time monitoring of the user’s session and application access. Cloud App Security also helps you control your cloud environment.


Conditional access evaluates the signals and provides a decision:

  • Block access, which is the most restrictive.
  • Grant access, which is the least restrictive but might require additional criteria before allowing access.

Those criteria can be one or more of:

  • Multifactor authentication
  • Device marked as compliant
  • Device that’s hybrid Azure AD joined
  • Approved application
  • Need for an app protection policy

If your organization uses Azure AD Multi-Factor Authentication, users don’t have to do multifactor authentication when they’re using a device that’s mobile device management (MDM) compliant and Azure AD joined. You can select the option Require one of the selected controls with your grant controls selected.

Considerations for using device identity management

When you’re evaluating device identity, consider the following factors:

  • Using the Azure AD joined or hybrid option limits you to using a Windows-based or Windows Server-based operating system on the device.
  • Conditional access requires an Azure AD Premium P1 license or a Microsoft 365 Business license.

Azure AD Join

With Azure AD join, you can join devices to your Azure Active Directory organization without needing to sync with an on-premises Active Directory instance. Azure AD join works with Windows 10 or Windows Server 2019 devices. Windows Server 2019 Server Core installation isn’t supported.

Identity Infrastructure

Decide what identity infrastructure model best supports your organization’s needs:

  • Managed environment: This environment uses pass-through authentication or password hash sync to provide single sign-on (SSO) to your devices.
  • Federated environments: These environments require the use of an identity provider. That provider must support the WS-Trust and WS-Fed protocols for Azure AD join to work natively with Windows devices. WS-Fed is required to join a device to Azure AD. WS-Trust is needed to sign in to an Azure AD joined device.
  • Smart cards and certificate-based authentication: These methods aren’t valid ways to join devices to Azure AD. But, if you have Active Directory Federation Services configured, you can use smart cards to sign in to Azure AD joined devices. We recommend that you use a service like Windows Hello for Business, which supports passwordless authentication to Windows 10 devices.
  • Manual user configuration: If you create users in your on-premises Active Directory instance, you need to synchronize the accounts to Azure AD by using Azure AD Connect. If you create users in Azure AD, no additional setup is needed.

Device Management

Azure AD join uses the mobile device management (MDM) platform to manage devices attached to Azure AD. MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, software installations, and software updates.

To manage your Azure AD joined devices, there are two approaches:

  • MDM only: All joined devices are managed exclusively through an MDM provider, like Intune. If your organization uses group policies, you’ll need to review your MDM policy for support.
  • Co-management: All joined devices use a combination of a locally installed System Center Configuration Manager agent and your MDM provider. Microsoft Intune provides co-management capabilities through Configuration Manager. You use Configuration Manager to manage the device while MDM delivers user-management policies.

We recommend that you use the MDM-only approach to manage all Azure AD joined devices.

Considerations for resources and application access


For the best user experience and to improve access to your application, consider moving all applications and resources to Azure. Although that might be possible in some cases, it isn’t always practical. In this section, we’ll explore access options for your applications and resources:

  • Cloud-based applications: Any migrated apps and all new applications will be added to the Azure AD app gallery. Users of Azure AD join can use SSO to access those applications. The majority of browsers support SSO. Azure AD join provides SSO support for device access to applications that are still using Win32.
  • On-premises web applications: Any bespoke or custom-made software that’s hosted on-premises can still be accessed through Azure AD join. Access to those applications needs each user to add the app to their trusted sites or intranet zone, depending on where the app exists. This action allows the application to use Windows-integrated authentication without prompting the user to authenticate.
  • Other devices: This option includes existing applications through earlier protocols, and on-premises network shares. Both are available to Azure AD joined devices through SSO, if the device is connected to your domain controller.
  • Printer resources: These resources won’t automatically be available through Azure AD join. Users can still connect to a printer directly, by using its UNC path.

Provisioning Options

When you’re deploying Azure AD join, you have three choices for how devices are provisioned and joined to Azure AD:

  • Self-service: Requires users to manually configure the device during the Windows out-of-box experience (OOBE) for new devices, or by using the Windows settings for older devices. Self-service is better suited to users who have a strong technical background.
  • Windows Autopilot: Allows you to preconfigure Windows devices, including automatically joining the device to your Active Directory organization, automatic MDM enrollment, and creating customer OOBE content. This approach simplifies the management and deployment of devices across your organization. The Windows device can be provisioned and deployed. The user completes the OOBE as if they’re a new user.
  • Bulk enrollment: Lets you set up a provisioning package that applies to a large number of new Windows devices at the same time.

Mobility Settings

When you have your MDM provider added, you can configure the following mobility settings:

Mobility settingdescription
MDM user scopeSelect None, Some, or All. If the user is in the MDM scope and you have an Azure AD Premium subscription, MDM enrollment is automated along with Azure AD join. All users within the scope must have an appropriate license for your MDM. If not, the MDM enrollment fails and Azure AD join is rolled back. If the user isn’t in the MDM scope, Azure AD join finishes without any MDM enrollment. The device is an unmanaged device.
MDM URLsThe three URLs related to your MDM configuration are MDM terms of use URL, MDM discovery URL, and MDM compliance URL. Each URL has a predefined default value. If these fields are empty, contact your MDM provider for more information.
MAM settingsMobile application management (MAM) does not apply to Azure AD join.


Enterprise State Roaming enables users of Windows 10 devices to sync settings and application data with their organization’s cloud service. When synchronization is enabled, it takes place automatically. You can enable all applicable device users, or select specific users or groups based on your organization’s needs. With Enterprise State Roaming, users’ settings and application data follow them when they switch devices. Key benefits of using Enterprise State Roaming are:

  • Separation of corporate and consumer data.
  • Enhanced security, because all applicable device data is encrypted through Azure Rights Management before synchronizing with the cloud. All stored data remains encrypted.
  • Better management and monitoring, so you decide who can sync their data and from which devices.
  • Enterprise State Roaming requires a Premium Azure Active Directory subscription.

Enterprise State Roaming requires a Premium Azure Active Directory subscription.


Enterprise State Roaming stores the user data in a geographical region that’s nearest to your Azure AD instance. There are three geographic regions: North America (USA); Europe, the Middle East, and Africa (EMEA); and Asia-Pacific (APAC). Although tenant data will be hosted in the nearest region, user data can be hosted in one or more of these regions. The country or region for your tenant is defined when Azure AD is set up. It can’t be changed.


All Enterprise State Roaming data persists in the cloud until it’s explicitly deleted or becomes stale. Any deleted data is automatically kept for a minimum of 90 days. After 90 days, you can’t restore the deleted data from the cloud.


Explicit data deletion occurs when an Azure administrator acts on a user or an organization within Azure AD, or needs to request that specific roaming data is removed for a user.

  • User deletion: When the administrator removes a user from Azure AD, any associated enterprise roaming data is automatically deleted.
  • Azure AD organization deletion: When the administrator removes a directory, all user settings or data stored in that directory is automatically discarded.
  • On Request deletion: Use this option to remove a specific user’s roaming data. The administrator needs to raise an Azure support ticket for this option.


Any Enterprise State Roaming data that hasn’t been accessed during the past year is automatically treated as stale data. Stale data is deleted from the host cloud storage. The retention period of deleted data is 90 days.


After the retention period elapses, data is permanently deleted from the cloud and can’t be recovered. But you can restore the data from the device when it next connects to the cloud. The data retention periods can’t be changed.

Knowledge Check

  1. If you delete a user account by mistake, can it be restored?
    1. When a user account is deleted, it’s gone forever and can’t be restored.
    2. The user account can be restored, but only when it’s created within the last 30 days.
    3. The user account can be restored, but only when it’s deleted within the last 30 days.
  2. What kind of account would you create to allow an external organization easy access?
    1. A guest user account for each member of the external team.
    2. An external account for each member of the external team.
    3. An administrator account for each member of the external team.
  3. An Azure subscription is a _______________.
    1. Billing entity and security boundary
    2. Container that holds users
    3. Monthly charge for Azure services
  4. Which of the following best describes the relationship between a subscription and an Azure AD directory?
    1. An Azure AD directory has a 1:1 relationship with a subscription.
    2. An Azure AD directory can be associated with multiple subscriptions, but a subscription is always tied to a single directory.
    3. An Azure AD directory is associated with a single subscription, but a subscription can trust multiple directories.
  5. True or False, an organization can have more than one Azure AD directory.
    1. True
    2. False
  6. What information does an Action provide in a role definition?
    1. An Action provides the allowed management capabilities for the role.
    2. An Action determines what data the role can manipulate.
    3. An Action decides what resource the role is applied to.
  7. Which of the following sets the scope of a role to be the resource group myResourceGroup?
    1. /subscriptions/de324015-0284-4582-9d9c-6f1e52a30471
    2. subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup/backupvm1
    3. /subscriptions/{ef67bd4f-d0f2-4845-b6dd-6cba225b4f10}/resourceGroups/myResourceGroup
  8. How are NotActions used in a role definition?
    1. NotActions are subtracted from the Actions to define the list of permissible operations.
    2. NotActions are consulted after Actions to deny access to a specific operation.
    3. NotActions allow you to specify a single operation that is not allowed.
  9. When is a user considered registered for SSPR?
    1. When they’ve registered at least one of the permitted authentication methods.
    2. When they’ve registered at least the number of methods that you’ve required to reset a password.
    3. When they’ve set up the minimum number of security questions.
  10. When you enable SSPR for your Azure AD organization…
    1. Users can change their password when they’re signed in.
    2. Admins can reset their password by using one authentication method.
    3. Users can reset their passwords when they can’t sign in.
  11. You need to grant administrator access for an Azure subscription to someone else in your organization. That person needs to be able to manage Azure resources that were created under that subscription. The person also needs access to the billing information for that subscription. What role should you grant them?
    1. Assign the User Access Administrator role at the subscription scope.
    2. Assign the Billing Administrator role at the management group scope.
    3. Assign the Owner role at the subscription scope.
  12. What’s the main difference between Azure RBAC roles and Azure AD roles?
    1. Azure RBAC roles apply to Azure resources. Azure AD roles apply to Azure AD resources such as users, groups, and domains.
    2. You can assign Azure RBAC roles at the root level.
    3. Azure AD roles are used to manage access to Azure resources. Azure RBAC roles are used to view and manage Azure resources.
  13. A user who had Owner access to a subscription has left your company. No one else has access to this subscription. How can you grant another employee access to this subscription?
    1. Use the Azure portal to elevate your own access.
    2. Ask the former employee for their password.
    3. Ask the former employee to sign in and select a different employee to grant their permissions to.
  14. A manager currently has access to the subscription that’s used for the organization’s production environment. They also need Owner access to the subscription that’s used for the organization’s development environment. How can this access be granted?
    1. An administrator with Owner or User Access Administrator access to the development environment can grant the manager access to the subscription.
    2. The manager should go to the Switch directory option in the Azure portal and select the subscription.
    3. The manager should use PowerShell to assign themselves Owner access to the subscription.
  15. What is a role definition in Azure?
    1. A collection of permissions with a name that is assignable to a user, group, or application
    2. The collection of users, groups, or applications that have permissions to a role
    3. The binding of a role to a security principal at a specific scope, to grant access
  16. Suppose an administrator wants to assign a role to allow a user to create and manage Azure resources but not be able to grant access to others. Which of the following built-in roles would support this?
    1. Owner
    2. Contributor
    3. Reader
    4. User Access Administrator
  17. What is the inheritance order for scope in Azure?
    1. Management group, Resource group, Subscription, Resource
    2. Management group, Subscription, Resource group, Resource
    3. Subscription, Management group, Resource group, Resource
    4. Subscription, Resource group, Management group, Resource
  18. Suppose a team member can’t view resources in a resource group. Where would the administrator go to check the team member’s access?
    1. Check the team member’s permissions by going to their Azure profile > My permissions.
    2. Go to the resource group and select Access control (IAM) > Role assignments.
    3. Go to one of the resources in the resource group and select Role assignments.
  19. Suppose an administrator in another department needs access to a virtual machine managed by your department. What’s the best way to grant them access to just that resource?
    1. At the resource scope, create a role for them with the appropriate access.
    2. At the resource group scope, assign the role with the appropriate access.
    3. At the resource scope, assign the role with the appropriate access.
  20. Suppose a developer needs full access to a resource group. If you are following least-privilege best practices, what scope should you specify?
    1. Resource
    2. Resource group
    3. Subscription
  21. Suppose an administrator needs to generate a report of the role assignments for the last week. Where in the Azure portal would they generate that report?
    1. Search for Activity log and filter on the Create role assignment (roleAssignments) operation.
    2. At the appropriate scope, go to Access control (IAM) > Download role assignments.
    3. At the appropriate scope, go to Access control (IAM) > Role assignments.
  22. What’s included in a custom Azure role definition?
    1. Operations allowed for Azure resources and the scope of permissions
    2. The assignment of the custom role
    3. Actions and DataActions operations that you can scope to the tenant level
  23. What commands help you determine what operations to add to a custom role definition?
    1. Use ‘az provider show’ to find resource provider operations.
    2. Use ‘List-AzRoleDefinition’ to view a built-in role.
    3. Use ‘az role definition list’ to view a built-in role.
  24. What is the Azure PowerShell cmdlet to update a custom role?
    1. New-AzRoleDefinition
    2. Set-AzRoleDefinition
    3. az role definition create
  25. What are the steps to remove a custom role?
    1. Delete the custom role and then remove the role assignments.
    2. Set the role definition status to retired.
    3. Delete the role assignments and then delete the custom role.
  26. Tags can be applied to any type of resource on Azure
    1. True
    2. False
  27. Tags applied at a resource group level are propagated to resources within the resource group.
    1. True
    2. False
  28. Which of the following features does not apply to resource groups?
    1. Resources can be in only one resource group.
    2. Resources can be moved from one resource group to another resource group.
    3. Resource groups can be nested.
    4. Role-based access control can be applied to the resource group.
  29. Which of the following approaches might be a good usage of tags?
    1. Using tags to associate a cost center with resources for internal chargeback
    2. Using tags in conjunction with Azure Automation to schedule maintenance windows
    3. Using tags to store environment and department association
    4. All of the above are good ways to use tags
  30. Which of the following approaches would be the most efficient way to ensure a naming convention was followed across your subscription?
    1. Send out an email with the details of your naming conventions and hope it is followed
    2. Create a policy with your naming requirements and assign it to the scope of your subscription
    3. Give all other users except for yourself read-only access to the subscription. Have all requests to create resources sent to you so you can review the names being assigned to resources, and then create them.
  31. Which of the following items would be good use of a resource lock?
    1. An ExpressRoute circuit with connectivity back to your on-premises network
    2. A non-production virtual machine used to test occasional application builds
    3. A storage account used to temporarily store images processed in a development environment
  32. Which tab of the Azure pricing calculator will you use to put together your estimate?
    1. Estimate
    2. Products
  33. True or false: You can share your estimate through an Excel spreadsheet or through a URL.
    1. True
    2. False
  34. Azure Advisor provides recommendations for _________.
    1. Costs only
    2. High availability, security, performance, operational excellence, and cost
    3. High availability, performance, and cost
  35. Azure Cost Management allows you to _________.
    1. See historical breakdowns of what services you are spending your money on.
    2. See estimates of what your services might cost if you make a change.
  36. Which one of these approaches is not a cost-saving solution?
    1. Deallocate virtual machines during off hours.
    2. Use Azure Reserved Virtual Machine Instances.
    3. Load balance your virtual machines for incoming messages.
    4. Right-size underutilized virtual machines.
  37. True or false: PaaS is typically less expensive than IaaS.
    1. True
    2. False
  38. True or false: If you already have unused Windows Server licenses, you have to pay for them again on Azure.
    1. True
    2. False
  39. True or false: Azure has money-saving options for test and development servers.
    1. True
    2. False
  40. Which one of the following systems is used to determine Azure costs for each billing period?
    1. The Azure website
    2. Number of created virtual machines
    3. The Azure pricing calculator
    4. Usage meters
  41. Which of the following factors affects costs?
    1. Global infrastructure
    2. Location
    3. Availability zone
  42. Complete the following sentence. As an Azure customer, Azure Reservations offer discounted prices if you _________
    1. Make upfront commitments on compute capacity
    2. Provision many resources
    3. Have a free account
    4. Set Spending Limits
  43. Which of the following strategies is the best way to approach Cost Management?
    1. Assign people to review costs when needed.
    2. Create a plan in advance and ensure every stakeholder in your organization is aligned and on board to iteratively review and understand cost drivers on a regular basis.
    3. Analyze costs after you receive your bill and track down the teams responsible to make sure they are keeping costs in line.
  44. What tool can you use to gain greater visibility into your spending patterns?
    1. Cost Insights
    2. Cost Analysis
    3. Your invoice
  45. What is a tool that can be used to effectively keep your organization accountable for its spending?
    1. Management groups
    2. Azure Advisor
    3. Budgets
  46. Which one of these resource types can’t be moved between resource groups?
    1. Azure Active Directory Domain Services
    2. Azure Storage accounts
    3. Azure virtual machines
  47. Which one of these resource types can be moved across resource groups?
    1. Azure Backup vault
    2. Azure Application Gateway
    3. Azure virtual networks
  48. When can you move a virtual machine?
    1. You can move virtual machines, but you have to first remove any network security groups.
    2. You can move virtual machines, but you have to first make sure that you can move all of its dependent resources along with it.
    3. You can move virtual machines, but you have to first make sure that you can remove any SSD disks before attempting to move them.
  49. In which of the following situations would a validation test happen automatically?
    1. When you use the Azure portal to move resources to a new resource group.
    2. When you use the PowerShell to move resources to a new resource group.
    3. When a mobile app calls the moveResources REST API method.
  50. In which of the following situations do you need to obtain an access token before you can validate a move?
    1. When you use the Azure portal to move the resources.
    2. When you use the Azure CLI to validate a move.
    3. When you use custom code to call the validateMoveResources REST API.
  51. What operating systems do Azure AD registered devices support?
    1. Windows 10, iOS, Android, and macOS
    2. Windows 7, Windows 8.1, and Windows 10 only
    3. Windows 10 and macOS
  52. What device security sign-in options does Azure AD join support?
    1. An Azure AD work account with password, PIN, pattern, or Windows Hello
    2. An Azure AD work account with password or Windows Hello, and multifactor authentication
    3. A Microsoft account with password, Windows Hello, and multifactor authentication
  53. When is conditional access applied?
    1. Before first-factor authentication
    2. As part of first-factor authentication
    3. After first-factor authentication
  54. What provisioning options are available through Azure AD join?
    1. Self-service by using the Windows out-of-box experience (OOBE), Windows Autopilot, or bulk enrollment
    2. Self-service by using MDM, Windows Autopilot, or bulk enrollment
    3. Windows Autopilot or bulk enrollment
  55. What happens when a device isn’t in the MDM scope?
    1. The user is asked to add the device to MDM before the device can join Azure AD.
    2. The device can’t join Azure AD until the device has been registered with MDM.
    3. The Azure AD join finishes without the enrollment to MDM.
  56. What is classified as stale data?
    1. Any data that hasn’t been accessed for more than 90 days
    2. Any data that hasn’t been accessed for more than 180 days
    3. Any data that hasn’t been accessed for one year or more
  57. Can you name one of the benefits of using Enterprise State Roaming?
    1. Enhanced security
    2. Separation of cloud and device data
    3. Improved consumer data management


  1. C. A user account can be restored when it’s deleted within the last 30 days. Go to the deleted user list to see the list of all of the deleted users.
  2. A. A guest user account restricts users to just the access they need.
  3. a. Azure subscriptions manage resources, limits, and provide the charges billed to the account owner.
  4. B. Azure subscriptions can only trust a single directory, but multiple subscriptions can be associated to a single Azure AD instance.
  5. A. While a single directory is created for the organization initially, more can be created to divide the security across boundaries.
  6. a. The Action defines what the role can do.
  7. C.
  8. A. The operations under NotActions are subtracted from Actions.
  9. b. A user is considered registered for SSPR when they’ve registered at least the number of methods that you’ve required to reset a password. You can set this number in the Azure portal.
  10. C. If the user passes the authentication tests, then they can reset their password.
  11. c. The Owner role gives full access to all resources under the scope that has been assigned to it.
  12. a. Azure RBAC roles are used to manage access to virtual machines, storage, and other Azure resources. Azure AD roles are used to manage access to Azure AD resources such as user accounts and passwords.
  13. a. Temporarily elevate your own access to assign the Owner role to another user.
  14. a. Users with Owner or User Access Administrator access can grant other users permissions to manage a management group or subscription.
  15. a. A role definition in Azure is a collection of permissions with a name that you can assign to a user, group, or application.
  16. b. A contributor can create and manage all types of Azure resources, but they can’t grant access to other users.
  17. b. The inheritance order for scope is Management group, Subscription, Resource group, Resource. For example, if you assigned a Contributor role to a group at the Subscription scope level, it will be inherited by all Resource groups and Resources.
  18. b. Find the list of role of assignments on the resource group.
  19. c. For this scenario, at the virtual machine scope, assign one of the built-in roles that grants the appropriate access for the administrator.
  20. b. Following least-privilege best practices, you grant only the access the user needs to do their job. In this case, you should set the scope to the resource group.
  21. a. In the Activity log, filter on the Operation name field to find role assignments.
  22. a. A custom role definition includes the operations allowed such as read, write, and delete for Azure resources and the scope of those permissions.
  23. Not sure, Use ‘az role definition list’ to view a built-in role in Azure CLI. Az provider show shows information about the provider, but doesn’t list the operations. Use ‘Get-AzRoleDefinition’ to view a built-in role in Azure PowerShell.
  24. b. Use ‘Set-AzRoleDefinition’ to update a custom role by using Azure PowerShell.
  25. c. Before you can delete the custom role, you must delete any role assignments.
  26. b. 
  27. b.
  28. C. 
  29. d. 
  30. b. 
  31. B. This tab has all the Azure services listed and is where you’ll add or remove services to get your estimate.
  32. A. Clicking Export at the bottom of the estimate will export an Excel spreadsheet that you can share, or you can click Share to get a URL link that you can share with your team.
  33. b. Azure Advisor provides recommendations on high availability, security, performance, operational excellence, and cost.
  34. A. Cost Management analyzes where you are historically spending your money and can track it against budgets you have set.
  35. c. Load balancing is used for performance optimization not cost savings.
  36. A. IaaS requires Azure to dedicate resources while PaaS give Azure more flexibility in how services are delivered. This approach means Azure can fill and operate hardware efficiently and therefore offer PaaS services at a savings over IaaS.
  37. B. Under certain circumstances, you can utilize the hybrid benefit for Windows Server and pay only the Linux rate.
  38. A. The Azure Enterprise Dev/Test and Azure Pay-As-You-Go Dev/Test benefits give you several discounts, most notably for Windows workloads, eliminating license charges and billing you only at the Linux rate for virtual machines. This benefit also applies to SQL Server and any other Microsoft software that is covered under a Visual Studio subscription.
  39. D. Azure is billed according to your consumption based on monthly usage meters.
  40. B. The location you place your resources will vary the price for the resource.
  41. A. Azure Reservations offer discounted prices on certain Azure products and resources. To get a discount, you reserve products and resources through an upfront commitment. You can then either prepay or pay monthly for one or three years of usage of certain Azure resources.
  42. B. This approach integrates cost management into every phase of development and sets it up to be an ongoing process that everyone engages in.
  43. B. Cost analysis is one of Azure Cost Management’s primary tools to help you better understand costs.
  44. C. Budgets combined with Alerts allow teams to stay on top of their spending. Budgets can be used to enforce spending limits in your organization.
  45. A. According to the move operation support list, Azure AD DS can’t be moved.
  46. C. You can move Azure virtual networks, according to the move operation support list.
  47. B. Your virtual machines have dependent resources without which they can’t function properly. Make sure you move them together.
  48. B. The Azure portal always does a move validation test before it attempts the move operation itself.
  49. C. To call any Azure REST API method from custom code, you must obtain and pass a valid access token.
  50. a. The option of Azure AD registered supports devices that run Windows 10, iOS, iPadOS, Android, and macOS.
  51. b. Azure AD join supports Windows 10 or Windows Server 2019 devices where users sign in by using their work account with a password or Windows Hello. Azure Multi-Factor Authentication is also supported.
  52. c. A conditional access policy is applied after first-factor authentication has taken place.
  53. a. All three options allow devices to be joined to Azure AD.
  54. C. The device is joined, but the MDM system doesn’t manage it.
  55. C. Any data that hasn’t been accessed for one year or more is considered stale and is automatically deleted.
  56. A. All applicable device data is encrypted through Azure Rights Management before synchronizing with the cloud. All stored data remains encrypted. The three benefits of Enterprise State Roaming are: separation of corporate and consumer data, enhanced security, and better management.