AZ-104: Manage Azure Identities and Governance — Complete Study Guide for Microsoft Azure Administrators

This AZ-104 domain emphasizes secure identity management and efficient resource governance, which are essential for Azure administrators to ensure compliance and cost control.
Overview of Azure Identities and Governance
Microsoft Entra ID Users and Groups
Microsoft Entra ID (formerly Azure AD) provides cloud-based identity services for managing users and groups. Key tasks include creating internal and external users, assigning licenses, and enabling self-service features like password reset to reduce admin overhead.
Access Management with RBAC
Azure Role-Based Access Control (RBAC) allows granular permissions using built-in or custom roles assigned at various scopes, helping interpret and audit access for security.
Subscriptions and Governance Strategies
Tools like Azure Policy, resource locks, tags, and management groups enable the enforcement of standards, cost monitoring, and hierarchical organization across subscriptions.
AZ-104: A Comprehensive Guide to Managing Azure Identities and Governance (20-25%)
This detailed guide explores the core components of the "Manage Azure identities and governance" domain in the AZ-104 Microsoft Azure Administrator certification.
I will be documenting my learnings and explaining my understanding of each topic, based on hands-on lab experience gained from the labs below:
https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/
This blog is for Lab 01:
https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/Instructions/Labs/LAB_01-Manage_Entra_ID_Identities.html
Manage Microsoft Entra users and groups
Microsoft Entra ID is a cloud-based identity and access management service essential for Azure security. Unlike on-premises Active Directory, it is organized into tenants (isolated directories), to which subscriptions (billing boundaries) are linked, and it holds the users and groups used for access control. Administrators create tenants, add users and groups, and manage roles to control access to Azure resources.
Create users and groups
Creating users and groups is essential for managing access. Users can be internal (member users) or external (guests), and groups consist of security groups for permissions and Microsoft 365 groups for collaboration.
Steps to create a user in the Azure portal:
- Navigate to Microsoft Entra ID > Users > New user.
- Enter user principal name (e.g., user@abcd.com), display name, and password.
- Optionally set identity properties and assign roles or groups, then create.
- For bulk creation, go to Entra ID > Users > Bulk operations > Bulk create and upload the CSV template, or use PowerShell.
Steps to create a group:
- Go to Microsoft Entra ID > Groups > New group.
- Choose the type (Security or Microsoft 365), name, description, and membership type (Assigned, Dynamic User/Device).
- Add owners/members, then create.
Best practices: Use dynamic groups for automatic membership based on attributes (e.g., department=Sales); limit direct user assignments to favor group-based access for scalability. Example: Create a "FinanceTeam" security group and add users for RBAC assignments.
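The two group patterns recommended above (a dynamic group driven by the department attribute, and an assigned "FinanceTeam" group used as the RBAC target), as an added example using the Microsoft Graph PowerShell SDK; it is not part of the lab, and the group names, rule and user UPN are assumptions.

```powershell
# Added example (not from the lab): create the two group types the text describes
# with the Microsoft Graph PowerShell SDK. Names, rule and UPN are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# 1) Dynamic security group: membership follows the user's department attribute,
#    so HR updates in Entra ID add and remove members without admin work.
$sales = New-MgGroup -DisplayName "Sales-Dynamic" `
    -Description "All users whose department attribute is Sales" `
    -MailEnabled:$false -MailNickname "sales-dynamic" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Sales")' `
    -MembershipRuleProcessingState "On"

# 2) Assigned security group used as the RBAC target (FinanceTeam from the text).
#    Azure roles are assigned to this group, never to individual users.
$finance = New-MgGroup -DisplayName "FinanceTeam" `
    -Description "Finance staff; assign Azure roles to this group" `
    -MailEnabled:$false -MailNickname "financeteam" -SecurityEnabled

# Add one member by user principal name (assumed UPN).
$user = Get-MgUser -Filter "userPrincipalName eq 'alex@contoso.com'"
New-MgGroupMember -GroupId $finance.Id -DirectoryObjectId $user.Id

# Verify the dynamic group. Rule evaluation is asynchronous, so re-run this
# after a few minutes if the list is still empty.
Get-MgGroupMember -GroupId $sales.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, Department } |
    Select-Object DisplayName, Department
```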
Manage user and group properties
Properties include display name, job title, department, and usage location (required for licensing). Update them via the portal, PowerShell, or the Microsoft Graph API.
- Select a user/group in Entra ID.
- Edit properties section; for groups, manage membership or ownership.
Best practices: Regularly audit properties for compliance; use bulk updates for large-scale changes.
Manage licenses in Microsoft Entra ID
Licenses enable features such as Microsoft 365 or Microsoft Entra ID P1/P2 (formerly Azure AD Premium). Assign them directly or through group-based licensing.
- Go to Entra ID > Licenses > All products.
- Select a product (e.g., Microsoft 365 E5), then assign to users/groups.
- For group-based licensing: create a group and assign licenses to it; members inherit the licenses.
Best practices: Monitor usage reports to avoid over-licensing; use dynamic groups for auto-assignment based on roles.
Example: Assign Azure AD P1 licenses to a "SSPR-Enabled" group for self-service features.
Manage external users
External users (B2B guests) collaborate via invitations or self-service sign-up. Configure settings to control access levels, invitations, and domain restrictions.
Steps to invite a guest:
- In Entra ID > Users > New guest user.
- Enter the guest's email address and send the invitation.
Configuration in external collaboration settings:
- Guest user access: Limited (default) to restrict directory enumeration.
- Invite permissions: Limit to admins or specific roles like Guest Inviter.
- Collaboration restrictions: Allow/deny specific domains.
Best practices: Enable self-service sign-up for apps; use cross-tenant access settings for B2B; audit sign-in logs for security.
Example: Restrict invitations to the partner.com domain for controlled collaboration.
Configure self-service password reset (SSPR)
SSPR allows users to reset their own passwords without admin help; it requires Microsoft Entra ID P1 or P2 licenses.
Step-by-step guide:
- In the Entra admin center > Entra ID > Password reset > Properties.
- Enable SSPR for a selected group (e.g., SSPR-Test-Group).
- Set the authentication methods (e.g., email, mobile app code) and require 2 methods to reset.
- Require registration at sign-in and set reconfirmation of the methods every 180 days.
- Enable notifications to users on password reset and alerts to admins.
- Customize the helpdesk link (e.g., support@contoso.com).
Best practices: Start with pilot group; combine with MFA for security; monitor usage via reports.
Example: Use incognito browser to register methods at aka.ms/ssprsetup, then reset at aka.ms/sspr.
Manage access to Azure resources
Azure RBAC provides fine-grained access using roles, scopes, and assignments. It integrates with Entra ID principals (users, groups, managed identities).
Manage built-in Azure roles
Built-in roles include Owner (full access, including granting access to others), Contributor (create and manage resources, but cannot grant access), and Reader (view only). Over 100 built-in roles are available; use custom roles when you need tailored permissions.
Best practices: Use least privilege; prefer built-in over custom roles unless needed.
Example: Virtual Machine Contributor manages VMs but not networks/storage.
Assign roles at different scopes
Scopes: Management group, subscription, resource group, resource. Assignments inherit downward.
Steps in portal:
- Navigate to resource/scope > Access control (IAM) > Add role assignment.
- Select role (e.g., Contributor), members (user/group), and assign.
Via PowerShell: `New-AzRoleAssignment -RoleDefinitionName "Contributor" -ObjectId <principal object ID> -Scope <scope>`.
Best practices: Assign at higher scopes for efficiency; use groups for multiple users.
Example: Assign Reader at subscription for the auditing team.
Interpret access assignments
Assignments include principal, role, and scope. Effective permissions are additive; use "Check access" in IAM to view a principal's effective access.
Steps:
- In IAM > Role assignments, filter by principal/scope.
- Use "Deny assignments" tab for explicit denies.
Best practices: Regularly review with Azure AD access reviews; audit logs for changes.
| Role | Permissions | Scope Example |
|---|---|---|
| Owner | All actions, including access grants | Subscription-wide |
| Contributor | Create/manage resources | Resource group |
| Reader | View resources | Individual VM |
| Custom | Defined Actions/NotActions | Specific storage account |
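The "assign at scope" and "interpret access assignments" steps above, as an added Az PowerShell example (not part of the lab): a group-based Reader assignment at subscription scope, followed by the checks an auditor runs to see what a role permits, who holds what (including inherited assignments), and whether any deny assignments apply. The group name, sign-in name and subscription are assumptions.

```powershell
# Added example (not from the lab): group-based Reader assignment at subscription
# scope, then the checks used to interpret who holds what and where.
# Group name, sign-in name and subscription are assumptions.
Connect-AzAccount | Out-Null
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"

# Assign to a group, not to individual users (page best practice).
$auditors = Get-AzADGroup -DisplayName "Auditing-Team"
New-AzRoleAssignment -ObjectId $auditors.Id -RoleDefinitionName "Reader" -Scope $scope

# 1) What does the role actually permit? Actions minus NotActions, wildcards allowed.
$reader = Get-AzRoleDefinition -Name "Reader"
"Reader Actions:    $($reader.Actions -join ', ')"
"Reader NotActions: $($reader.NotActions -join ', ')"

# 2) Who has access at this scope? Assignments inherit downward, so one made at a
#    management group also shows up here, with its original (parent) Scope.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName, DisplayName |
    Format-Table -AutoSize

# 3) Effective access for one person includes assignments made to their groups.
Get-AzRoleAssignment -SignInName "alex@contoso.com" -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope

# 4) Deny assignments override the additive model; list any in effect at this scope.
Get-AzDenyAssignment -Scope $scope |
    Select-Object DenyAssignmentName, Scope, Actions

# 5) Review finding: privileged roles granted to individual users instead of groups.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in "Owner", "User Access Administrator" -and
                   $_.ObjectType -eq "User" } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```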
Manage Azure subscriptions and governance
This section covers tools for organizing, securing, and optimizing subscriptions.
Implement and manage Azure Policy
Azure Policy enforces rules through policy definitions, which can be grouped into initiatives. Effects include Audit, Deny, Modify, and others.
Steps to create:
- In the portal > Policy > Definitions > New definition (JSON with the rule and parameters).
- Group definitions into an initiative > Assignments > Assign to a scope (e.g., a subscription).
- Remediate non-compliant resources.
Best practices: Start with the Audit effect; use initiatives for grouped policies; manage policies as code.
Example: A policy that denies non-approved VM SKUs.
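The "deny non-approved VM SKUs" example as policy-as-code, an added Az PowerShell example that is not part of the lab. The effect is parameterized and defaults to Audit so the rule can be piloted before it is switched to Deny, following the "start with Audit" best practice; the definition name, assignment name and SKU list are assumptions.

```powershell
# Added example (not from the lab): the "deny non-approved VM SKUs" policy as code.
# The effect is a parameter defaulting to Audit so the rule can be piloted before
# it is switched to Deny (page best practice). Names and SKU list are assumptions.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('allowedSkus')]" } }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$params = @'
{
  "allowedSkus": {
    "type": "Array",
    "metadata": { "displayName": "Allowed VM SKUs", "strongType": "VMSKUs" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@
$def = New-AzPolicyDefinition -Name "approved-vm-skus" `
    -DisplayName "Only approved VM SKUs may be deployed" `
    -Mode Indexed -Policy $rule -Parameter $params

# Phase 1: assign in Audit mode at subscription scope; nothing is blocked yet.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
New-AzPolicyAssignment -Name "vm-skus" -Scope $scope -PolicyDefinition $def `
    -PolicyParameterObject @{
        allowedSkus = @("Standard_B2s", "Standard_D2s_v5")
        effect      = "Audit"
    }
# Review what Deny would have blocked (compliance data appears after evaluation runs).
Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq 'vm-skus'" |
    Select-Object ResourceId, ComplianceState

# Phase 2: once the allowed list is right, flip the same assignment to Deny.
Set-AzPolicyAssignment -Name "vm-skus" -Scope $scope -PolicyParameterObject @{
    allowedSkus = @("Standard_B2s", "Standard_D2s_v5")
    effect      = "Deny"
}
```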
Configure resource locks
Locks prevent accidental deletion or modification of Azure resources.
Lock types: CanNotDelete, ReadOnly.
Steps:
- In the resource > Locks > Add (name, lock type, notes).
Best practices: Apply locks at the resource group level where possible; locks act on the management plane only, so consider which operations a ReadOnly lock may block on the resource.
Example: Apply CanNotDelete locks on critical Azure resources, and ReadOnly locks to prevent modification.
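The CanNotDelete lock from the example above, created and then verified with Az PowerShell; this is an added example, not part of the lab, and the resource group name and lock name are assumptions.

```powershell
# Added example (not from the lab): CanNotDelete lock on a resource group, then a
# check that the protection is actually in force. RG and lock names are assumptions.
$rg = "rg-prod-finance"
New-AzResourceLock -LockName "prod-no-delete" -LockLevel CanNotDelete `
    -ResourceGroupName $rg `
    -LockNotes "Finance production; remove only through a change request" -Force

# Inventory the locks in the group. A lock set at the group level also protects
# every resource inside it, and child resources inherit the most restrictive lock.
Get-AzResourceLock -ResourceGroupName $rg |
    Select-Object Name, ResourceGroupName, @{ n = 'Level'; e = { $_.Properties.level } }

# Prove the lock works: the delete is rejected because the scope is locked and
# nothing is removed. The lock must be removed explicitly before a real delete.
try {
    Remove-AzResourceGroup -Name $rg -Force -ErrorAction Stop
} catch {
    "Delete blocked: $($_.Exception.Message)"
}
```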
Apply and manage tags on resources
Tags in Azure are name–value pairs applied to resources, resource groups, or subscriptions to logically organize assets and support cost management, governance, and operations.
- Do not affect resource functionality
- Tags can be inherited from resource group → resource with an Azure Policy (never the other way around)
- Tags integrate directly with Azure Cost Management: Filter costs by tag
Steps: Azure resource > Tags > Edit
Best practices: Enforce tags via Azure Policy; use tag-based filters for billing reports.
Example: Environment : Production (key : value).
Manage resource groups (RGs)
Resource groups in Azure are logical containers that hold related resources together for management, governance, and lifecycle control.
Steps to Create and Manage a Resource Group
- Portal: Azure Portal → Resource groups → Create
- Specify Name, Region, and optional Tags
- Delete RG: Deletion removes everything in the group and requires explicit confirmation; there is no partial delete.
Best Practices:
- Group resources by lifecycle (app, environment, project)
- Apply tags at the resource group level
- Use Azure Policy for governance
- Avoid mixing unrelated workloads
Manage subscriptions
Subscriptions in Azure define billing, access control, and resource limits.
Each subscription is linked to a billing account. Resources cannot span multiple subscriptions.
- Subscriptions can be transferred between billing accounts or directories
- Ownership changes should be planned to avoid access loss
- Subscriptions control billing and access, not regions
- Moving resources between subscriptions may cause downtime
- Policies and RBAC often apply at the subscription level
Steps: Portal > Subscriptions > Add (offer type, billing).
Best practices:
- Use multiple subscriptions for isolation (Prod vs Non-Prod). Separate by environment, workload, or compliance.
- Apply budgets, policies, and role assignments at subscription scope
Manage costs by using alerts, budgets, and Azure Advisor recommendations
Cost management in Azure helps monitor spending, prevent overruns, and optimize resource usage using Cost Management, budgets, and Advisor recommendations.
- Monitor Cost via Azure Cost Management + Billing
- View spend by subscription, resource group, timeframe, service, or tag
- Analyze trends and forecast usage, and set a budget for alerting.
Steps:
- Create budget: Scope > Budgets > Add (amount, alerts)
Budgets trigger alerts only—they do not stop resources.
- Alerts: Action groups for notifications
- Advisor: Review Azure Advisor cost recommendations (e.g., right-size VMs, use reserved instances, remove unused resources)
Best Practices:
- Set multiple budget thresholds (e.g., 50%, 75%, 90%)
- Use tags for accurate cost allocation
- Combine budgets and alerts with Azure Policy for governance
- Review Advisor recommendations regularly
Configure management groups
Management groups in Azure provide a hierarchical structure to organize subscriptions and apply governance at scale.
- Subscriptions can be moved between management groups
- Policies and RBAC assignments inherit downward
- The root management group sits at the top of the hierarchy
- Requires User Access Administrator or Owner at root to manage hierarchy.
Steps:
- Portal: Azure Portal → Management groups → Create
- Specify Management Group ID and Display Name
- Add subscriptions or child management groups
Best practices:
- Align hierarchy with organizational structure
- Separate Prod / Non-Prod at higher levels
- Apply Azure Policy at management group scope
- Limit access at the root; delegate lower levels
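The Corp → Prod → App1 hierarchy shown in the governance table, built with Az PowerShell and used to attach policy and RBAC at management group scope so that every child inherits them; this is an added example, not part of the lab. The management group names, the subscription, the region list and the reader group are assumptions; the policy definition ID is Azure's built-in "Allowed locations" definition.

```powershell
# Added example (not from the lab): build Corp -> Prod -> App1, move a subscription
# into it, and attach governance at management group scope so children inherit it.
# Group names, subscription, regions and the reader group are assumptions.
$corp = New-AzManagementGroup -GroupName "mg-corp" -DisplayName "Corp"
$prod = New-AzManagementGroup -GroupName "mg-prod" -DisplayName "Prod" -ParentId $corp.Id
$app1 = New-AzManagementGroup -GroupName "mg-app1" -DisplayName "App1" -ParentId $prod.Id

# Move the current subscription under App1. Moving needs write rights on the
# subscription and on the target management group.
$subId = (Get-AzContext).Subscription.Id
New-AzManagementGroupSubscription -GroupName $app1.Name -SubscriptionId $subId

# Policy at the Prod level: Azure's built-in "Allowed locations" definition.
# Every subscription under Prod, now and later, inherits this assignment.
$allowedLocations = Get-AzPolicyDefinition `
    -Id "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
New-AzPolicyAssignment -Name "prod-allowed-locations" -Scope $prod.Id `
    -PolicyDefinition $allowedLocations `
    -PolicyParameterObject @{ listOfAllowedLocations = @("eastus", "westeurope") }

# RBAC at the Corp level: one Reader assignment to a group covers every
# subscription in the tree. Keep privileged roles off the root; delegate lower down.
$readers = Get-AzADGroup -DisplayName "Platform-Readers"
New-AzRoleAssignment -ObjectId $readers.Id -RoleDefinitionName "Reader" -Scope $corp.Id

# Verify the tree, then confirm the subscription sees the inherited assignment.
Get-AzManagementGroup -GroupName $corp.Name -Expand -Recurse |
    Select-Object -ExpandProperty Children
Get-AzRoleAssignment -Scope "/subscriptions/$subId" |
    Where-Object { $_.Scope -like "/providers/Microsoft.Management/managementGroups/*" } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```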
Governance Tools Overview
| Governance Tool | Primary Use | Example |
|---|---|---|
| Azure Policy | Compliance enforcement | Restrict resource locations |
| Azure Resource Locks | Protection from changes | Prevent deletion of Prod DB |
| Tags | Organization & billing | CostCenter : Finance |
| Management Groups | Hierarchical governance | Corp → Prod → App1 |
Conclusion
Managing Azure identities and governance is foundational for secure, compliant, and cost-effective cloud operations. Mastery of Microsoft Entra ID (users, groups, external identities, licensing, and self-service features), principled access control with RBAC, and disciplined subscription governance using Azure Policy, resource locks, tags, and management groups will help you enforce standards, reduce risk, and simplify administration. This domain represents a significant portion of the AZ-104 exam (about 20–25%), so practical familiarity matters as much as theory.
Key takeaways and next steps:
Adopt least-privilege access: use built-in roles where appropriate and create custom roles only when necessary.
Harden identities: require MFA, enable self-service password reset, and consider Privileged Identity Management for just-in-time elevation.
Design RBAC around scopes and role assignments to simplify auditing and reduce blast radius.
Enforce standards with Azure Policy and use management groups to scale governance across subscriptions.
Implement tagging and cost controls to improve visibility and chargeback.
Practice with hands-on labs and real-world scenarios (for example, the AZ-104 lab materials) to solidify skills and prepare for the exam.
Keep practicing these concepts in real or lab environments—consistent, hands-on experience is the most effective way to become a confident Azure administrator.
Key references:
https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104
https://learn.microsoft.com/en-us/training/modules/manage-users-and-groups-in-aad
https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
https://learn.microsoft.com/en-us/azure/governance/policy/overview
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
Thank you for the read. Hope you like it. I appreciate your feedback.
Follow for more Azure and AWS Content. Happy Learning!
Regards,
Jineshkumar Patel