# AZ-104: Manage Azure Identities and Governance — Complete Study Guide for Microsoft Azure Administrators

This AZ-104 domain emphasizes secure identity management and efficient resource governance, which are essential for Azure administrators to ensure compliance and cost control.

## Overview of Azure Identities and Governance

Microsoft Entra ID Users and Groups

Microsoft Entra ID (formerly Azure AD) provides cloud-based identity services for managing users and groups. Key tasks include creating internal and external users, assigning licenses, and enabling self-service features like password reset to reduce admin overhead.

Access Management with RBAC

Azure Role-Based Access Control (RBAC) allows granular permissions using built-in or custom roles assigned at various scopes, helping interpret and audit access for security.

Subscriptions and Governance Strategies

Tools like Azure Policy, resource locks, tags, and management groups enable the enforcement of standards, cost monitoring, and hierarchical organization across subscriptions

![](https://cdn.hashnode.com/uploads/covers/604d2050cd951c0ca4c00f98/d1302754-192c-4044-9323-44f89baa6d11.png align="center")

## AZ-104: A Comprehensive Guide to Managing Azure Identities and Governance (20-25%)

This detailed guide explores the core components of the "Manage Azure identities and governance" domain in the **AZ-104 Microsoft Azure Administrator certification**.  
I will be documenting my learnings and explaining my understanding of each topic, based on hands-on lab experience gained from below,  
[https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/](https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/)

This Blog is for Lab 01  
[https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/Instructions/Labs/LAB\_01-Manage\_Entra\_ID\_Identities.html](https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/Instructions/Labs/LAB_01-Manage_Entra_ID_Identities.html)

### **Manage Microsoft Entra users and groups**

Microsoft Entra ID is a cloud-based identity and access management service essential for Azure security. Unlike on-premises Active Directory, it supports tenants (isolated directories), subscriptions (billing boundaries), and users/groups for access control. Administrators can create tenants, add users and groups, and manage roles to control resources on Azure.

**<mark class="bg-yellow-200 dark:bg-yellow-500/30">Create users and groups</mark>**  
Creating users and groups is essential for managing access. Users can be internal (member users) or external (guests), and groups consist of security groups for permissions and Microsoft 365 groups for collaboration.

Steps to create a user in the Azure portal:  
\- Navigate to Microsoft Entra ID > Users > New user.  
\- Enter user principal name (e.g., user@abcd.com), display name, and password.  
\- Add Identity properties > Assign roles or groups > then create.  
\- For bulk creation, go to Entra ID > Users > Bulk Create. Use CSV templates or PowerShell.

Steps to create a group:  
\- Go to Microsoft Entra ID > Groups > New group.  
\- Choose type (Security or Microsoft 365), name, description, and membership  
type (Assigned, Dynamic User/Device).  
\- Add owners/members, then create.

**Best practices:** Use dynamic groups for automatic membership based on attributes (e.g., department=Sales); limit direct user assignments to favor group-based access for scalability. **Example:** Create a "FinanceTeam" security group and add users for RBAC assignments.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Manage user and group properties</mark>  
Properties include display name, job title, department, and usage location (for licensing). Update via portal, PowerShell, or Azure API.  
\- Select a user/group in Entra ID.  
\- Edit properties section; for groups, manage membership or ownership.

**Best practices:** Regularly audit properties for compliance; use bulk updates for large-scale changes.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Manage licenses in Microsoft Entra ID</mark>  
Licenses enable features like Microsoft 365 or Azure AD Premium. Assign via direct or group-based methods.  
\- Go to Entra ID > Licenses > All products.  
\- Select a product (e.g., Microsoft 365 E5), then assign to users/groups.  
\- For group-based: Create a group, assign licenses to it; members get inherited.

**Best practices:** Monitor usage reports to avoid over-licensing; use dynamic groups for auto-assignment based on roles.

**Example:** Assign Azure AD P1 licenses to a "SSPR-Enabled" group for self-service features.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Manage external users</mark>  
External users (B2B guests) collaborate via invitations or self-service sign-up. Configure settings to control access levels, invitations, and domain restrictions.  
Steps to invite a guest:  
\- In Entra ID > Users > **New guest user**  
\- Enter email, send invitation

Configuration in external collaboration settings:  
\- Guest user access: Limited (default) to restrict directory enumeration.  
\- Invite permissions: Limit to admins or specific roles like Guest Inviter.  
\- Collaboration restrictions: Allow/deny specific domains.

**Best practices:** Enable self-service sign-up for apps; use cross-tenant access settings for B2B; audit sign-in logs for security.

**Example:** Restrict invitations to @[partner.com](http://partner.com) domain for controlled collaboration.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Configure self-service password reset (SSPR)</mark>  
SSPR allows users to reset passwords without admin help, requiring P1/P2 licenses.  
Step-by-step guide:

1.  In Entra admin center > Entra ID > Password reset > Properties.
    
2.  Enable for Selected group (e.g., SSPR-Test-Group).
    
3.  Set authentication methods (e.g., email, mobile app code; require 2 methods).
    
4.  Require registration on sign-in; set reconfirmation every 180 days.
    
5.  Enable notifications for password resets and admin alerts.
    
6.  Customize helpdesk link (e.g., [support@contoso.com](mailto:support@contoso.com)).
    

**Best practices:** Start with pilot group; combine with MFA for security; monitor usage via reports.  
**Example:** Use incognito browser to register methods at aka.ms/ssprsetup, then reset at aka.ms/sspr.

![](https://cdn.hashnode.com/uploads/covers/604d2050cd951c0ca4c00f98/9b18ee46-9e19-4782-9801-c5d1bd1607ac.png align="center")

### **Manage access to Azure resources**

Azure RBAC provides fine-grained access using roles, scopes, and assignments. It integrates with Entra ID principals (users, groups, managed identities).

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Manage built-in Azure roles</mark>  
Built-in roles like Owner (full access), Contributor (create/manage without access grants), and Reader (view-only). Over 100 roles available; Use custom roles for tailored permissions.

**Best practices:** Use least privilege; prefer built-in over custom roles unless needed.

**Example:** Virtual Machine Contributor manages VMs but not networks/storage.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Assign roles at different scopes</mark>  
Scopes: Management group, subscription, resource group, resource. Assignments inherit downward.

Steps in portal:  
\- Navigate to resource/scope > Access control (IAM) > Add role assignment.  
\- Select role (e.g., Contributor), members (user/group), and assign.

Via PowerShell:  
`New-AzRoleAssignment -RoleDefinitionName "Contributor" -PrincipalId <ID> -Scope <scope>.`

**Best practices:** Assign at higher scopes for efficiency; use groups for multiple users.

**Example:** Assign Reader at subscription for the auditing team.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Interpret access assignments</mark>  
Assignments include principal, role, scope. Effective permissions are additive;  
use "Check access" in IAM to view access assignments.

Steps:  
\- In IAM > Role assignments, filter by principal/scope.  
\- Use "Deny assignments" tab for explicit denies.

**Best practices:** Regularly review with Azure AD access reviews; audit logs for changes.

| Role | Permissions | Scope Example |
| --- | --- | --- |
| Owner | All actions, including access grants | Subscription-wide |
| Contributor | Create/manage resources | Resource group |
| Reader | View resources | Individual VM |
| Custom | Defined Actions/NotActions | Specific storage account |

### **Manage Azure subscriptions and governance**

This section covers tools for organizing, securing, and optimizing subscriptions.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Implement and manage Azure Policy</mark>  
Azure Policy enforces rules via definitions and initiatives. Effects: Audit, Deny, Modify, etc.

Steps to create:

1.  In portal > Policy > Definitions > New definition (JSON with rules/parameters).
    
2.  Group into initiative > Assignments > Assign to scope (e.g., subscription).
    
3.  Remediate non-compliant resources.
    

**Best practices:** Start with Audit; use initiatives for grouped policies; manage as code.

**Example:** Deny non-approved VM SKUs Policy.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Configure resource locks</mark>  
Locks prevent Azure Resource delete/modify.  
Locks Types: **CanNotDelete**, **ReadOnly.**

Steps:  
In resource > Locks > Add (name, type, notes).

**Best practices:** Apply at group level; consider data plane impacts.

**Example:** Apply CanNotDelete Lock on critical Azure Resources, and Ready-Only Locks to prevent modification.

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Apply and manage tags on resources</mark>  
Tags in Azure are **name–value pairs** applied to resources, resource groups, or subscriptions to logically organize assets and support cost management, governance, and operations.  
\- Do **not** affect resource functionality  
\- Tags are inherited from **resource group → resource** (but not vice versa)  
\- Tags integrate directly with **Azure Cost Management**: Filter costs by tag

Steps: Azure resource > Tags > Edit

**Best practices:** Enforce Tags via Azure Policy; use Tag based filter for billing reports.  
**Example:** `Key : Value` `Environment : Production`).

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Manage resource groups(RG)</mark>  
Resource groups in Azure are **logical containers** that hold related resources together for management, governance, and lifecycle control.

Steps to Create and Manage a Resource Group  
\- Portal: Azure Portal → Resource groups → Create  
\- Specify Name, Region, and optional Tags  
\- Delete RG: Deletion requires explicit confirmation. No partial delete RG

**Best Practices:**  
\- Group resources by lifecycle (app, environment, project)  
\- Apply tags at the resource group level  
\- Use Azure Policy for governance  
\- Avoid mixing unrelated workloads

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Manage subscriptions</mark>  
Subscriptions in Azure define **billing, access control, and resource limits**.  
Each subscription is linked to a **billing account**. Resources cannot span multiple subscriptions.  
\- Subscriptions can be **transferred** between billing accounts or directories  
\- Ownership changes should be planned to avoid access loss  
\- Subscriptions control billing and access, not regions  
\- Moving resources between subscriptions may cause downtime  
\- Policies and RBAC often apply at the subscription level

Steps: Portal > Subscriptions > Add (offer type, billing).

**Best practices:**  
\- Use **multiple subscriptions** for isolation (Prod vs Non-Prod). Separate by environment, workload, or compliance.  
\- Apply **budgets, policies, and role assignments** at subscription scope

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Manage costs by using alerts, budgets, and Azure Advisor recommendations</mark>  
Cost management in Azure helps monitor spending, prevent overruns, and optimize resource usage using **Cost Management**, **budgets**, and **Advisor recommendations**.  
\- Monitor Cost via Azure Cost Management + Billing  
\- View spend by subscription, resource group, timeframe, service, or tag  
\- Analyze trends and forecast usage, and set a budget for alerting.

Steps:  
\- Create budget: Scope > Budgets > Add (amount, alerts)  
Budgets trigger alerts only—they **do not stop resources**.  
\- Alerts: Action groups for notifications  
\- Advisor: Azure Advisor Review recommendations  
(e.g., right-size VMs, use reserved instances, remove unused resources)

**Best Practices:**  
\- Set multiple budget thresholds (e.g., 50%, 75%, 90%)  
\- Use tags for accurate cost allocation  
\- Combine budgets and alerts with Azure Policy for governance  
\- Review Advisor recommendations regularly

<mark class="bg-yellow-200 dark:bg-yellow-500/30">Configure management groups</mark>  
Management groups in Azure provide a **hierarchical structure** to organize subscriptions and apply governance at scale.

\- Subscriptions can be moved between management groups  
\- Policies and RBAC assignments inherit downward  
\- The root management group sits at the top of the hierarchy  
\- Requires **User Access Administrator** or **Owner** at root to manage hierarchy.

Steps:  
\- Portal: Azure Portal → Management groups → Create  
\- Specify Management Group ID and Display Name  
\- Add subscriptions or child management groups

**Best practices:**  
\- Align hierarchy with organizational structure  
\- Separate Prod / Non-Prod at higher levels  
\- Apply Azure Policy at management group scope  
\- Limit access at the root; delegate lower levels

### Governance Tools Overview

| Governance Tool | Primary Use | Example |
| --- | --- | --- |
| **Azure Policy** | Compliance enforcement | Restrict resource locations |
| **Azure Resource Locks** | Protection from changes | Prevent deletion of Prod DB |
| **Tags** | Organization & billing | `CostCenter : Finance` |
| **Management Groups** | Hierarchical governance | Corp → Prod → App1 |

## Conclusion

Managing Azure identities and governance is foundational for secure, compliant, and cost-effective cloud operations. Mastery of Microsoft Entra ID (users, groups, external identities, licensing, and self-service features), principled access control with RBAC, and disciplined subscription governance using Azure Policy, resource locks, tags, and management groups will help you enforce standards, reduce risk, and simplify administration. This domain represents a significant portion of the AZ-104 exam (about 20–25%), so practical familiarity matters as much as theory.

Key takeaways and next steps:

*   Adopt least-privilege access: use built-in roles where appropriate and create custom roles only when necessary.
    
*   Harden identities: require MFA, enable self-service password reset, and consider Privileged Identity Management for just-in-time elevation.
    
*   Design RBAC around scopes and role assignments to simplify auditing and reduce blast radius.
    
*   Enforce standards with Azure Policy and use management groups to scale governance across subscriptions.
    
*   Implement tagging and cost controls to improve visibility and chargeback.
    
*   Practice with hands-on labs and real-world scenarios (for example, the AZ-104 lab materials) to solidify skills and prepare for the exam.
    

Keep practicing these concepts in real or lab environments—consistent, hands-on experience is the most effective way to become a confident Azure administrator.

Key references read,

*   [https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104](https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104)
    
*   [https://learn.microsoft.com/en-us/training/modules/manage-users-and-groups-in-aad](https://learn.microsoft.com/en-us/training/modules/manage-users-and-groups-in-aad)
    
*   [https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/Instructions/Labs/LAB\_01-Manage\_Entra\_ID\_Identities.html](https://microsoftlearning.github.io/AZ-104-MicrosoftAzureAdministrator/Instructions/Labs/LAB_01-Manage_Entra_ID_Identities.html)
    
*   [https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104](https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104)
    
*   [https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr](https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr)
    
*   [https://learn.microsoft.com/en-us/azure/role-based-access-control/overview](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview)
    
*   [https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure](https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure)
    
*   [https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal)
    
*   [https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources)
    
*   [https://learn.microsoft.com/en-us/azure/governance/policy/overview](https://learn.microsoft.com/en-us/azure/governance/policy/overview)
    
*   [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview)
    

Thank you for the read. Hope you like it. I appreciate your feedback.

Follow for more Azure and AWS Content. Happy Learning!

Regards,  
[**Jineshkumar Patel**](https://www.linkedin.com/in/jineshkumarpatel/)
