Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 3 – Deploy and manage virtual machines (VMs)

AZ-100, AZ-101 and AZ-102 are all ceasing in favour of the AZ-103 single exam. See the link to the new exam syllabus – here

Part 3 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam. Resources that match the learning objectives for this module:

Cost Engineering note:

If you’re coming from a perspective of managing on-premises infrastructure, you might understand the notion of “disk provisioning”. In VMware land this usually offers you a chocolate box of “Thin Provisioning”, “Thick Lazy Zero” and “Thick Eager Zero”.

Making a decision on the disk provisioning type has a consequence on the management of the VMware datastores. This is another topic entirely.

In Azure, my interpretation is that all VM disks are “Thin Provisioned” and there’s no control exposed to the Azure Administrator to change that, which is fine. I’m happy to have that decision taken away from me.

The point I’m getting at here is that when you choose the size of data disks to attach to your VM, you’ll only be paying for the space you’ve used or written to in that disk. There are other things to consider when you’re not using Azure Managed Disks like maximum sizes that can be protected with Azure Recovery Services Vaults or other service limits, but once you’ve considered those limits and worked out your sweet spot, you may as well choose the largest size of disk that works for you (a consistent large size of course!) to avoid inflating disks later down the road.

Create and configure a VM for Windows and Linux

May include but not limited to:
Configure high availability;

configure monitoring, networking, storage, and virtual machine size;

VM Size

deploy and configure scale sets

Automate deployment of VMs

May include but not limited to:
Modify Azure Resource Manager (ARM) template;

configure location of new VMs;

Unsure – seems too simple

configure VHD template;

deploy from template;

save a deployment as an ARM template;

deploy Windows and Linux VMs

Too vague

Manage Azure VM

May include but not limited to:
Add data discs; add network interfaces;

Data disk
Network Interface

automate configuration management by using PowerShell Desired State Configuration (DSC) and VM Agent by using custom script extensions;

manage VM sizes;

move VMs from one resource group to another;

redeploy VMs

Manage VM backups

May include but not limited to:
Configure VM backup;

WARNING Duplicate exam exercise – see “Implement and Manage Storage” – “Implement Backup”

define backup policies;

WARNING Duplicate exam exercise – see “Implement and Manage Storage” – “Create and Configure Backup Policy”

implement backup policies;

WARNING Duplicate exam exercise – see “Implement and Manage Storage” – “Create and Configure Backup Policy”

perform VM restore

WARNING Duplicate exam exercise – see “Implement and Manage Storage” – “Perform a restore operation”

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 2 – Implement and manage storage

Part 2 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

Implement and manage storage (20-25%)

Create and configure storage accounts

May include but not limited to:

Configure network access to the storage account;

create and configure storage account;


Creating a new storage account

New-AzureRmStorageAccount -ResourceGroupName az100-rg01 -Name az100sa01 -SkuName Standard_LRS -Location uksouth -AccessTier Hot -Kind StorageV2 -Tag @{ Dept="IT"; Environment="Test" }

To upgrade existing General Purpose V1 accounts to V2.

Set-AzureRmStorageAccount -ResourceGroupName <resource-group> -AccountName <storage-account> -UpgradeToStorageV2

Change BLOB tier allocation to “Cool” for all BLOBs in a container. Other tiers are “Hot” and “Archive”, but “Archive” is not available in all regions.

$StgAcc = "<StorageAccount>"
$StgKey = "<StorageKey>"
$Container = "<Container>"
$ctx = New-AzureStorageContext -StorageAccountName $StgAcc -StorageAccountKey $StgKey

#Get all the blobs in container
$blob = Get-AzureStorageBlob -Container $Container -Context $ctx

#Set tier of all the blobs to Cool
$blob.ICloudBlob.SetStandardBlobTier("Cool")

generate shared access signature;

install and use Azure Storage Explorer;

manage access keys;

monitor activity log by using Log Analytics;

I’m afraid I can’t get a good resource for this right now.

implement Azure storage replication

Import and export data to Azure

May include but not limited to:
Create export from Azure job;

create import into Azure job;

configure and use Azure blob storage;

configure Azure content delivery network (CDN) endpoints


New-AzureRmCdnProfile -ProfileName az100-cdnpro1 -ResourceGroupName az100-eun-az100-rg01 -Location "North Europe" -Sku Standard_Verizon

The PowerShell to create an EndPoint eludes me. There’s a strange combination of “OriginPath” and other Origin related parameters that I just can’t quite seem to get my head round.

Configure Azure files

May include but not limited to:

Create Azure file share;


$storageContext = New-AzureStorageContext az100storacc blah-iamtheprimarykey-blah

$share = New-AzureStorageShare az100sysncshare -Context $storageContext

create Azure File Sync service;

create Azure sync group;

troubleshoot Azure File Sync

Implement Azure backup

May include but not limited to:

Configure and review backup reports;

perform backup operation;

create Recovery Services Vault;

create and configure backup policy;

perform a restore operation

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 1 – Manage Azure subscriptions and resources

Part 1 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam. More specific configuration examples will be added in PowerShell as I work through the subject matter myself.

A friend on Reddit added the latest content from Ignite. Could be a good place to start before beginning with my posts.

Also, please consider this guide from Skylines Academy for your PowerShell skills to bolster your competency on Azure and for the AZ-10x exams.

Manage Azure subscriptions and resources (15-20%)

Manage Azure subscriptions

May include but not limited to:

Assign administrator permissions;

Global Administrator is required to assign roles and is the default “god-like” administrator role in Azure. In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as “Company Administrator”. It is “Global Administrator” in the Azure portal.

PowerShell ;

connect-azuread -TenantId

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "Saturday29"
New-AzureADUser -DisplayName "Bobby Balls" -PasswordProfile $PasswordProfile -UserPrincipalName "" -AccountEnabled $true -MailNickName "BobbyBalls"

$roleMember = Get-AzureADUser -ObjectId ""
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $roleMember.ObjectId
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser

configure cost center quotas and tagging

Alerts can only be set up per subscription and are still in preview, with five alert recipients for when a subscription reaches a spend value. No other options exist in the drop down menu as yet.

Setting tags on resources rather than resource groups seems to be a little abstract and requires the resourceID rather than the name.

WARNING – This will set ONLY what is stated in the commands and will remove all existing tags!

Resource Groups In PoSh

Set-AzureRmResourceGroup -Name resgroupaz100 -Tag @{ Dept="IT"; Environment="Test" }
(Get-AzureRmResourceGroup -Name resgroupaz100 ).Tags

Resources in PoSh

$resource = Get-azurermresource -Name az100-aad-vm1-nsg
$id = $resource.ResourceId
Set-AzureRmResource -resourceid $id -Tag @{ Dept="IT"; Environment="Test" } -force
(Get-AzureRmResource -Name az100-aad-vm1-nsg).Tags

configure subscription policies

A little misleading in the title. Policies can be assigned to resource groups within subscriptions. So, you can’t assign a resource group to a subscription and walk away. Assigning policies to resource groups is useful for ensuring things like selecting which VM sizes are available or which locations are available for services to match organisational policy.

Analyze resource utilization and consumption

May include but not limited to:

Configure diagnostic settings on resources;

Using the Monitor resource, you can identify which resources have Diagnostics enabled for a high level overview.

Or, you can visit the resource directly, choose Diagnostic settings and pick one of the three diagnostic destinations. If you choose a storage account, configure retention as well.

  • Storage Account
  • Event Hub
  • Log Analytics

Using PoSh

Set-AzureRmDiagnosticSetting -ResourceId [your resource id] -StorageAccountId [your storage account id] -Enabled $true

create baseline for resources;

Not sure what this means other than using JSON templates or PoSh DSC

create and test alerts;

analyze alerts across subscription;

analyze metrics across subscription;

create action groups;

monitor for unused resources;


monitor spend;

report on spend;

Could mean Cloudyn
Or simply the Billing and Cost Management blade

utilize Log Search query functions;

view alerts in Log Analytics

Manage resource groups

May include but not limited to:

Allocate resource policies;

configure resource locks;


New-AzureRmResourceLock -LockName lock-az100demo-uks-az100-rg01 -LockLevel CanNotDelete -ResourceGroupName "az100demo-uks-az100-rg01"
$lockId = (Get-AzureRmResourceLock -ResourceGroupName az100demo-uks-az100-rg01).LockId
Remove-AzureRmResourceLock -LockId $lockId

configure resource policies;

implement and set tagging on resource groups;

WARNING Duplicate exam exercise – see “Manage Azure Subscriptions” – “Configure Cost Centre Quotas and Tagging”

move resources across resource groups;


$webapp = Get-AzureRmResource -ResourceGroupName az100demo-uks-az100-rg01 -ResourceName az100demo-website
$plan = Get-AzureRmResource -ResourceGroupName az100demo-uks-az100-rg01 -ResourceName az100demo-webplan
Move-AzureRmResource -DestinationResourceGroupName az100demo-uks-az100-rg02 -ResourceId $webapp.ResourceId, $plan.ResourceId

remove resource groups


Remove-AzureRmResourceGroup -Name "az100demo-uks-az100-rg01"

Microsoft Azure Infrastructure and Deployment AZ-100

Microsoft recently announced an update to the Azure exam track, replacing the administration, developer and architect exams. The administration exam “Implementing Microsoft Azure Infrastructure Solutions 70-533” is being replaced with the “Microsoft Azure Infrastructure and Deployment AZ-100” and “Microsoft Azure Integration and Security AZ-101”. Both are available in Beta and I’ve committed to take the AZ-100 early August.

If you have already passed the 70-533, you can take a transition exam, the “Microsoft Azure Administrator Certification Transition AZ-102”.

Here’s the Microsoft Learning Blog Post

The 70-533 exam held the following measurement categories;

Design and Implement Azure App Service Apps (10-15%)
Create and Manage Azure Resource Manager Virtual Machines (20-25%)
Design and Implement a Storage Strategy (10-15%)
Implement Virtual Networks (15-20%)
Design and Deploy ARM Templates (10-15%)
Manage Azure Security and Recovery Services (25-30%)
Manage Azure Operations (5-10%)
Manage Azure Identities (5-10%)

The AZ-100 exam holds the following measurement categories;

Manage Azure subscriptions and resources (15-20%)
Implement and manage storage (20-25%)
Deploy and manage virtual machines (VMs) (20-25%)
Configure and manage virtual networks (20-25%)
Manage identities (15-20%)

I’m happy to see “Design and Implement Azure App Service Apps” drop off. It wasn’t appropriate from the perspective of an on-premises compute administrator moving to administer Azure. The subject was so abstract that I had to read Sasha Rosenbaum’s great book “Serverless computing in Azure with .NET” just to even try to grasp what was going on in the 70-533 training material. Learn a thing just to understand why I’d do a thing.

How the “Design and Deploy ARM Templates” is either de-focused or folded into the Deploy and Manage Virtual Machines section will be for me to see on the exam, but I’ll assume it’s implicit in “Deploy and manage virtual machines”.

Overall, I’m looking forward to this unexpected challenge. I’ll report back on the 9th to give a steer on the learning content that’s most applicable for the exam.

Take care


Azure Non-Profit donated credits

Microsoft’s donation of Office 365 E1 to non-profit organisations is well known. Exchange Online is a popular feature of Office 365. Running your own e-mail system in 2018 is a chore. The service limits are way above what most people need.
What is less well known is that there’s an opportunity to benefit from $5000 USD of Azure credits per year for non-profits, too.

This can be enjoyed by following this URL and applying for the credit; and go forward from “Azure plans and pricing”.

You will be asked for your tenant ID, and Microsoft will add a subscription to your account which can be monitored by visiting

This is all brilliant and empowering. But I offer a word of caution. Beware that not all services can move subscriptions.

It’s a little like in the old days, you called a test Human Resources application server for example, both as its hostname and its hypervisor name.
Then some combination of events end up with the system going live and you’re looking at a box with “test” burnt into the name. It makes you sad, it confuses contract staff and is an all round fail.

What I’m getting at is that you’re likely to test some services and perhaps even make them live. But at some point you will probably start running out of that $5000 USD and have to move the resources onto a different subscription to allow them to continue functioning. Beware of creating services that aren’t able to be moved to a subscription that you can’t maintain or re-hydrate with funds.

I’m feeding back to our Microsoft account manager this week to suggest a different model for the donation. One where MS ask for an existing subscription like a credit card Pay-As-You-Go subscription or an EA subscription. Then, at least, there’s a parallel billing mechanism that you can support the resources allocated to that subscription.

Take care


You cannot use the vSphere client to edit the settings of virtual machines of version 10 or higher


This was the message that greeted me after upgrading my ESXi Hypervisor with Free license to 5.5.
I’ve applied an Enterprise license to see if there’s a difference to the host license applied and there’s no change to the behaviour.

It seems if you don’t want the hassle of using a CLI to interact with your VMs on a Hypervisor license, DO NOT UPGRADE THE VIRTUAL HARDWARE OF YOUR VMs to Version 10 hardware. Unless you’re running vCenter of course.

I’m unable to see a way round this to restore the use of the vSphere Client as a tool to modify the settings of the VM, and let’s be clear, all I want to do is change the vSwitch a VM is connected to as my LAB ESXi box is hooked up to four different switches and I move the VMs around to recreate different scenarios.

I’m gutted. I’ll update if I find anything to help or back myself out of this mess.

Cisco SWITCH Campus VoIP Refresh. Part 3b – QoS Configuration

I can’t believe I’ve had to chop up not just the VoIP refresh section into three parts, but part three into A and B!

It’s surprised me a little and I must have a little more to say on the subject than I thought when I started putting finger to key last night. But, I AM trying to keep this in scope for the SWITCH exam, so we’ll discuss just the req’s for that in this article.


First of all, in order to turn on QoS processing on the switch, we need to enable it with the mls qos global command.
This is easy to overlook: you’ll enter interface commands all day long, but without it they don’t count for anything.

SW3#sh mls qos
QoS is disabled
QoS ip packet dscp rewrite is enabled
SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#mls qos
SW3(config)#do sh mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

Notice the result of the first command stating that QoS is disabled.
Then the show command entered shows the processing being turned on globally.

Under your switchport interfaces, there are many things that could be done, but, as mentioned previously, I’m keeping a tight scope to the SWITCH exam.

To demonstrate a few things here, I’m going to show that the interface is in default configuration and then apply four different commands, two of which are setting the VLAN IDs for Access and Voice VLANs.

SW3(config-if)#do sh run int fa 0/1
Building configuration...
Current configuration : 33 bytes
interface FastEthernet0/1
SW3(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
SW3(config-if)#switchport access vlan 11
SW3(config-if)#switchport voice vlan 22 
SW3(config-if)#auto qos voip trust
SW3(config-if)#do sh run int fa 0/1
Building configuration...
Current configuration : 235 bytes
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 22
 srr-queue bandwidth share 10 10 60 20
 priority-queue out 
 mls qos trust cos
 auto qos voip trust 
 spanning-tree portfast

So hopefully you can see, from four commands, I received eight lines of configuration.
That’s because the cheeky switchport host command is a macro which sets a port up for an end device. Similarly, the auto qos voip trust command is the Auto-QoS command for non-Cisco IP-Phones to be attached to your access interfaces.

From a real-world operational standpoint, Auto QoS is pretty much all you need for your access ports. The only thing that I’ll mention is to try to ensure you’re running the same release of IOS on all your particular switch models, as QoS maps may be different between releases.

That’s the automatic portion of configuration covered, to just expand a little on manual configuration for the exam…

To configure an IOS switch to trust the markings on traffic entering an interface, use the following:

Switch(config-if)# mls qos trust {dscp | cos}

To configure the switch to trust the traffic markings only if a Cisco phone is connected, use the following:

Switch(config-if)# mls qos trust device cisco-phone

To set a COS value for frames coming from a PC attached to the phone, use the following:

Switch(config-if)# switchport priority extend cos <cos-value>

To verify the QoS parameters on an interface, use the following:

Switch# show mls qos interface <interface>

Here we use the last command mentioned to see how the show command interprets the Auto-QoS settings of the commands we used earlier and a second interface which is default, for comparison (no devices are attached at this point).

SW3#sh mls qos interface fa 0/1 
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
SW3#sh mls qos interface fa 0/2
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
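
As an added example (not part of the original post), the Python below parses show mls qos interface output like the above and classifies each port's trust boundary: untrusted, unconditional trust (markings accepted from whatever is plugged in), or trust conditional on a detected device such as a Cisco phone. The fa 0/1 and fa 0/2 text is the output shown above, the fa 0/3 block is constructed, and the function names are illustrative.

```python
import re

# fa 0/1 and fa 0/2 are the outputs shown on this page; fa 0/3 is a
# constructed sample (not captured from a device) for conditional trust.
SAMPLE = """\
SW3#sh mls qos interface fa 0/1
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
SW3#sh mls qos interface fa 0/2
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
SW3#sh mls qos interface fa 0/3
trust state: not trusted
trust mode: trust cos
trust enabled flag: dis
Trust device: cisco-phone
"""

# A prompt line such as "SW3#sh mls qos interface fa 0/1" starts a new port.
PROMPT = re.compile(r"^\S+#\s*sh\w*\s+mls\s+qos\s+int\w*\s+(.+?)\s*$", re.I)

def parse_mls_qos(text):
    """Return {interface: {field: value}} from concatenated show output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            current = ports.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return ports

def classify(fields):
    """Classify the configured trust boundary of one port."""
    mode = fields.get("trust mode", "not trusted")
    device = fields.get("trust device", "none")
    if mode == "not trusted":
        return "untrusted"
    # Trust with no trust device means any attached host's markings count.
    return "unconditional" if device == "none" else "conditional"

def audit(text):
    """Map each interface in the output to its trust classification."""
    return {port: classify(f) for port, f in parse_mls_qos(text).items()}

if __name__ == "__main__":
    for port, verdict in audit(SAMPLE).items():
        print(port, verdict)
```

Ports reported as unconditional are the ones to review against the conditional-trust command covered earlier.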