Azure AZ-104 Administrator Identity and Governance
AI-Generated Content
As an Azure Administrator, your primary mission is to manage and secure who can access what within the cloud environment. Identity and governance form the bedrock of this responsibility, acting as the control plane for all Azure resources. Mastering these concepts isn't just about passing the AZ-104 exam; it's about ensuring your organization's cloud infrastructure is efficient, compliant, and secure from the ground up.
Managing Azure Active Directory Users and Groups
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. Unlike traditional on-premises Active Directory, it's designed for the cloud-first world, managing user identities for thousands of SaaS applications and Azure itself. You will spend considerable time here, creating and managing user objects, which represent individuals, and group objects, which are collections of users used to simplify permission assignments.
There are two primary types of groups: security and Microsoft 365. For access management, security groups are your primary tool. A critical evolution is the use of dynamic group membership. Instead of manually adding and removing users, you define membership rules based on user attributes, such as user.department -eq "Sales". This automation is powerful for scaling management but requires precise rule syntax. For example, the rule (user.department -eq "Marketing") and (user.country -eq "US") would automatically include all US-based marketing employees. On the exam, expect scenarios asking you to interpret or construct these rule statements.
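The following is an added study example, not code from the page: a small Python parser and evaluator for this rule syntax, run over constructed user objects. It supports the -eq, -ne, -startsWith and -contains operators with and/or/not and parentheses, treats string comparisons as case-insensitive (a simplification of the service's behaviour), compares against null, and rejects operators it does not know, which is the kind of syntax error the exam scenarios turn on.

```python
import re

# Constructed user objects standing in for Azure AD user attributes (not real directory data).
USERS = [
    {"displayName": "Ada", "department": "Marketing", "country": "US", "jobTitle": "Marketing Manager"},
    {"displayName": "Bob", "department": "Marketing", "country": "GB", "jobTitle": "Analyst"},
    {"displayName": "Cy", "department": "Sales", "country": "US", "jobTitle": "Account Rep"},
    {"displayName": "Di", "department": None, "country": "US", "jobTitle": "Contractor"},
]

# Tokens: parentheses, "quoted strings", -operators, and identifiers such as user.department / and / or / not / null
_TOKEN = re.compile(r'\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z_][\w.]*')


def _norm(v):
    # Simplification: string comparisons are case-insensitive in this model.
    return v.lower() if isinstance(v, str) else v


OPERATORS = {
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-startsWith": lambda a, b: isinstance(a, str) and isinstance(b, str) and a.lower().startswith(b.lower()),
    "-contains": lambda a, b: isinstance(a, str) and isinstance(b, str) and b.lower() in a.lower(),
}


class _Parser:
    """Recursive-descent parser: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | user.<property> <operator> <value>."""

    def __init__(self, rule):
        self.toks = _TOKEN.findall(rule)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while (self.peek() or "").lower() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while (self.peek() or "").lower() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        if tok.lower() == "not":
            self.take()
            return ("not", self.factor())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.comparison()

    def comparison(self):
        prop = self.take()
        if not prop.startswith("user."):
            raise ValueError(f"expected a user.<property> reference, got {prop!r}")
        op = self.take()
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
        val = self.take()
        if val is None:
            raise ValueError("missing comparison value")
        if val.startswith('"'):
            val = val[1:-1]
        elif val.lower() == "null":
            val = None
        else:
            raise ValueError(f"value must be a quoted string or null, got {val!r}")
        return ("cmp", prop[len("user."):], op, val)


def parse_rule(rule):
    return _Parser(rule).parse()


def is_valid_rule(rule):
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


def evaluate(node, user):
    kind = node[0]
    if kind == "cmp":
        _, prop, op, val = node
        return OPERATORS[op](user.get(prop), val)
    if kind == "not":
        return not evaluate(node[1], user)
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    return evaluate(node[1], user) or evaluate(node[2], user)


def members(rule, users=USERS):
    """Display names of the users the rule would place in the dynamic group."""
    tree = parse_rule(rule)
    return [u["displayName"] for u in users if evaluate(tree, u)]


if __name__ == "__main__":
    print(members('(user.department -eq "Marketing") and (user.country -eq "US")'))
```

The parse tree is built once per rule and then applied to every user, which mirrors how a rule change causes the whole directory to be re-evaluated; a rule with a typo in the operator is rejected before any user is touched.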
To delegate administrative tasks within a subset of users, you use administrative units. Think of an administrative unit as a container within Azure AD that holds a restricted scope of users and groups. You can then assign an administrator role, like "User Administrator" or "Helpdesk Administrator," scoped specifically to that unit. This allows you to grant a helpdesk team permissions to manage users in the "East Coast" administrative unit without giving them control over the entire global directory.
Controlling Access with Azure RBAC and Custom Roles
Once identities are managed, you control their access to Azure resources using Azure role-based access control (Azure RBAC). RBAC operates on the principle of "least privilege," where you grant only the access needed to perform a job. The core components are a security principal (the user, group, or service principal), a role definition (a collection of permissions, like "Virtual Machine Contributor"), and a scope (where the permissions apply, like a subscription, resource group, or single resource).
Azure provides over 100 built-in roles, but sometimes they are too broad or too narrow. This is where custom RBAC role creation becomes necessary. You create a custom role by defining its permissions in a JSON file, specifying Actions (what they can do), NotActions (exceptions), and AssignableScopes (where the role can be assigned). For instance, you might create a "VM Startup/Stopper" role with only the Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/deallocate/action permissions. A key exam concept is understanding that custom roles can only be created at the management group or subscription scope where the creator has sufficient permissions, like "Owner" or "User Access Administrator."
Governing Resources with Azure Policy and Management Groups
While RBAC controls who can do what, Azure Policy controls what can be deployed and how existing resources must be configured. It enforces organizational standards and assesses compliance at scale. A policy definition describes the rule (e.g., "only allow storage accounts in West Europe") and its effect (like "deny" or "audit"). A policy assignment is the act of applying that definition to a specific scope.
When a policy is assigned with a "deny" effect, it prevents non-compliant resource creation. Assigning with an "audit" effect allows creation but flags the resource as non-compliant in reports. Azure Policy assignment and remediation is a crucial operational task. For resources that are already non-compliant, you can create a remediation task, which runs the "DeployIfNotExists" effect of an assigned policy or initiative to bring those resources back into compliance automatically, for example by applying a required tag to all existing resource groups.
To manage policy, RBAC, and compliance across multiple subscriptions, you use a management group hierarchy. This structure allows you to organize subscriptions into containers and apply governance controls (policies and role assignments) at the parent level, which are inherited by all child subscriptions and management groups. This is essential for large enterprises. A typical hierarchy might be: Root Tenant → "Production" Management Group → "App1-Prod" Subscription. A policy assigned to the "Production" node applies to all subscriptions beneath it.
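An added example (not from the page) that models the two preceding paragraphs together: a constructed hierarchy of Root → "Production" management group → "App1-Prod" subscription, policy assignments at different levels whose "if" block describes the non-compliant state, an evaluator that walks the scope chain so parent assignments are inherited, and a remediation pass over existing resources. The tag remediation uses Azure Policy's modify effect, whose addOrReplace operation sets tags; a DeployIfNotExists remediation follows the same loop but deploys a template instead. Scope names and subscription ids are placeholders.

```python
import re

# Constructed management-group hierarchy (child scope -> parent scope); not a real tenant,
# and the subscription ids are placeholders.
ROOT = "/providers/Microsoft.Management/managementGroups/root-tenant"
PROD_MG = "/providers/Microsoft.Management/managementGroups/Production"
APP1_SUB = "/subscriptions/app1-prod"
SANDBOX_SUB = "/subscriptions/sandbox"   # sits under the root, outside "Production"
HIERARCHY = {
    PROD_MG: ROOT,
    APP1_SUB: PROD_MG,
    APP1_SUB + "/resourceGroups/rg-web": APP1_SUB,
    SANDBOX_SUB: ROOT,
}


def scope_chain(scope):
    """Yield the scope and each ancestor up to the root: assignments anywhere on this chain apply."""
    while scope:
        yield scope
        scope = HIERARCHY.get(scope)


def policy(name, condition, effect, details=None):
    """Build a minimal policy definition; the "if" block describes the NON-compliant state."""
    then = {"effect": effect}
    if details:
        then["details"] = details
    return {"name": name, "policyRule": {"if": condition, "then": then}}


# Assignments as (scope, definition). Each definition's "if" matches resources that violate it.
ASSIGNMENTS = [
    (ROOT, policy("require-costCenter-tag", {"field": "tags['costCenter']", "exists": "false"}, "audit")),
    (PROD_MG, policy("allowed-locations", {"field": "location", "notIn": ["westeurope"]}, "deny")),
    (APP1_SUB, policy("add-env-tag", {"field": "tags['env']", "exists": "false"}, "modify",
                      {"operations": [{"operation": "addOrReplace", "field": "tags['env']", "value": "prod"}]})),
]

_TAG_FIELD = re.compile(r"tags\['(.+)'\]")


def field_value(resource, field):
    m = _TAG_FIELD.fullmatch(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)


def matches(cond, resource):
    """Evaluate a policy condition (allOf / anyOf / not / field comparison) against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, scope):
    """Decide whether a resource may be created at `scope`: deny wins; audit and modify only report here."""
    findings = []
    for s in scope_chain(scope):
        for assigned_at, pol in ASSIGNMENTS:
            if assigned_at == s and matches(pol["policyRule"]["if"], resource):
                findings.append((pol["name"], pol["policyRule"]["then"]["effect"]))
    return {"allowed": not any(effect == "deny" for _, effect in findings), "findings": findings}


def remediate(resources, scope):
    """Remediation task: apply the modify operations of in-scope assignments to existing resources."""
    changed = []
    for s in scope_chain(scope):
        for assigned_at, pol in ASSIGNMENTS:
            then = pol["policyRule"]["then"]
            if assigned_at != s or then["effect"] != "modify":
                continue
            for r in resources:
                if not matches(pol["policyRule"]["if"], r):
                    continue
                for op in then["details"]["operations"]:
                    if op["operation"] == "addOrReplace":
                        r.setdefault("tags", {})[_TAG_FIELD.fullmatch(op["field"]).group(1)] = op["value"]
                changed.append(r["name"])
    return changed


# Constructed resource groups already deployed in app1-prod, one of them missing the env tag.
EXISTING_RESOURCE_GROUPS = [
    {"name": "rg-a", "type": "Microsoft.Resources/resourceGroups", "location": "westeurope", "tags": {"costCenter": "1001"}},
    {"name": "rg-b", "type": "Microsoft.Resources/resourceGroups", "location": "westeurope", "tags": {"costCenter": "1001", "env": "prod"}},
]

if __name__ == "__main__":
    print(evaluate({"name": "st1", "location": "eastus", "tags": {}}, APP1_SUB + "/resourceGroups/rg-web"))
    print(remediate(EXISTING_RESOURCE_GROUPS, APP1_SUB))
```

Creating an East US storage account in rg-web is denied by the location policy assigned two levels up, while the same request in the sandbox subscription only picks up the root-level audit, which is the inheritance behaviour the exam asks you to reason about.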
Integrating and Securing Identities with Advanced Services
Most organizations operate in a hybrid world. Azure AD Connect synchronization is the tool that bridges on-premises Active Directory with Azure AD. It synchronizes user identities, allowing for a common identity for accessing both cloud and on-premises resources. You must understand its core components: the synchronization service, which runs on a designated server, and the configuration for which organizational units (OUs) and attributes are synced. Key exam topics include password hash synchronization, pass-through authentication, and federation.
To add intelligent, risk-based access controls, you configure conditional access policies. These are "if-then" statements: IF a user wants to access an application, THEN they must fulfill a requirement. For example, "If a user is accessing the Azure portal from an untrusted network, then require multi-factor authentication (MFA)." Conditions can include user/group membership, IP location, device platform, and sign-in risk (detected by Azure AD Identity Protection). This moves security from a simple "allow/deny" to a dynamic, context-aware model.
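An added example, not from the page, of the "if-then" evaluation just described: constructed conditional access policies (the MFA-from-untrusted-networks rule from the paragraph plus a block on high-risk sign-ins) applied to constructed sign-in events. The policy shape here is a study model, not the Microsoft Graph schema; the named location uses a documentation IP range, and the "break-glass" exclusion is a placeholder account name.

```python
import ipaddress

# Constructed named locations (documentation IP ranges, not a real network).
NAMED_LOCATIONS = {
    "corp-hq": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed conditional access policies in an "if (conditions) then (grant)" shape.
CA_POLICIES = [
    {
        "name": "Require MFA for the Azure portal from untrusted networks",
        "state": "enabled",
        "conditions": {
            "users": {"include": ["all"], "exclude": ["break-glass"]},   # placeholder emergency account
            "apps": ["Azure portal"],
            "locations": {"include": ["any"], "exclude": ["corp-hq"]},
            "platforms": None,          # None = any device platform
            "signInRisk": None,         # None = any risk level
        },
        "grant": ["mfa"],
    },
    {
        "name": "Block high-risk sign-ins",
        "state": "enabled",
        "conditions": {
            "users": {"include": ["all"], "exclude": []},
            "apps": ["all"],
            "locations": {"include": ["any"], "exclude": []},
            "platforms": None,
            "signInRisk": ["high"],
        },
        "grant": ["block"],
    },
]


def in_named_location(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAMED_LOCATIONS[name])


def users_match(signin, cond):
    ids = {signin["user"], *signin.get("groups", [])}
    if ids & set(cond["exclude"]):
        return False        # exclusions win, which is how the emergency account stays reachable
    return "all" in cond["include"] or bool(ids & set(cond["include"]))


def locations_match(signin, cond):
    if any(in_named_location(signin["ip"], n) for n in cond["exclude"]):
        return False
    return "any" in cond["include"] or any(in_named_location(signin["ip"], n) for n in cond["include"])


def policy_applies(policy, signin):
    c = policy["conditions"]
    return (
        policy["state"] == "enabled"
        and users_match(signin, c["users"])
        and ("all" in c["apps"] or signin["app"] in c["apps"])
        and locations_match(signin, c["locations"])
        and (c["platforms"] is None or signin["platform"] in c["platforms"])
        and (c["signInRisk"] is None or signin["risk"] in c["signInRisk"])
    )


def evaluate_signin(signin, policies=CA_POLICIES):
    """Return ("block", matched policy names) or ("grant", sorted controls the user must satisfy).
    Every applicable policy must be satisfied, and a block control overrides any grant control."""
    matched = [p for p in policies if policy_applies(p, signin)]
    controls = {ctrl for p in matched for ctrl in p["grant"]}
    if "block" in controls:
        return "block", [p["name"] for p in matched]
    return "grant", sorted(controls)


if __name__ == "__main__":
    print(evaluate_signin({"user": "ada", "groups": ["sales"], "app": "Azure portal",
                           "ip": "198.51.100.7", "platform": "windows", "risk": "low"}))
```

The same user gets MFA from an unknown address and no extra control from the corporate range, and a high-risk sign-in is blocked regardless of location; when several policies match, their controls accumulate rather than the first one winning.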
The principle of least privilege extends to administrators through Azure AD Privileged Identity Management (PIM). PIM implements just-in-time (JIT) administrative access. Instead of having a permanent "Global Administrator" role, a user is made eligible for it. When they need those permissions, they must activate the role for a limited, pre-approved duration (e.g., 8 hours), providing a time-bound, audited, and MFA-enforced elevation. PIM provides comprehensive audit trails and access reviews, which are critical for meeting compliance requirements and minimizing the attack surface from "standing" admin privileges.
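An added example (not from the page and not the PIM API) that models the eligible-versus-active distinction: an eligible assignment grants nothing until it is activated, activation is refused without MFA, a justification, or within the policy's maximum duration, every attempt is written to an audit trail, and the role silently expires at the end of the window. Names, the ticket reference and the maximum duration are constructed.

```python
from datetime import datetime, timedelta, timezone


class EligibleAssignment:
    """Constructed model of a PIM eligible role assignment with just-in-time activation."""

    def __init__(self, principal, role, max_duration=timedelta(hours=8),
                 require_mfa=True, require_justification=True):
        self.principal = principal
        self.role = role
        self.max_duration = max_duration
        self.require_mfa = require_mfa
        self.require_justification = require_justification
        self.audit_log = []      # every activation attempt, successful or denied

    def activate(self, now, duration, justification="", mfa_passed=False):
        """Activate the role for `duration` starting at `now`; returns the expiry time."""
        try:
            if not timedelta(0) < duration <= self.max_duration:
                raise ValueError(f"duration must be within the {self.max_duration} policy maximum")
            if self.require_mfa and not mfa_passed:
                raise PermissionError("MFA is required to activate this role")
            if self.require_justification and not justification.strip():
                raise ValueError("a justification is required")
        except (ValueError, PermissionError) as exc:
            self.audit_log.append({"at": now, "result": "denied", "reason": str(exc)})
            raise
        expiry = now + duration
        self.audit_log.append({"at": now, "result": "activated", "until": expiry,
                               "justification": justification})
        return expiry

    def is_active(self, now):
        return any(e["result"] == "activated" and e["at"] <= now < e["until"] for e in self.audit_log)


def effective_roles(assignments, now):
    """Roles the principal actually holds at `now`: eligibility alone grants nothing."""
    return sorted(a.role for a in assignments if a.is_active(now))


def try_activate(assignment, now, duration, justification="", mfa_passed=False):
    """Return 'activated' or the denial reason, for callers that prefer a value to an exception."""
    try:
        assignment.activate(now, duration, justification, mfa_passed)
        return "activated"
    except (ValueError, PermissionError) as exc:
        return f"denied: {exc}"


def scenario():
    """One working day for a constructed eligible Global Administrator assignment."""
    t0 = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)
    ga = EligibleAssignment("ada", "Global Administrator")
    expiry = ga.activate(t0, timedelta(hours=8), "Licence change, ticket CHG-0001 (placeholder)", mfa_passed=True)
    ua = EligibleAssignment("bob", "User Administrator")
    return {
        "before": effective_roles([ga], t0 - timedelta(minutes=1)),
        "during": effective_roles([ga], t0 + timedelta(hours=1)),
        "after": effective_roles([ga], expiry),            # expiry is exclusive: the role is gone
        "audit_entries": len(ga.audit_log),
        "too_long": try_activate(ua, t0, timedelta(hours=12), "x", mfa_passed=True),
        "no_mfa": try_activate(ua, t0, timedelta(hours=1), "x", mfa_passed=False),
        "no_reason": try_activate(ua, t0, timedelta(hours=1), "  ", mfa_passed=True),
        "denied_entries": len(ua.audit_log),
    }


if __name__ == "__main__":
    print(scenario())
```

Compare the audit trail here with a permanent assignment: a standing Global Administrator would report as active at every instant and leave no record of why the privilege was needed.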
Common Pitfalls
- Confusing Azure AD Roles with Azure RBAC Roles: A major trap is applying the wrong tool for the job. Azure AD roles (like Global Administrator, User Administrator) control permissions to manage Azure AD itself (users, groups, enterprise applications). Azure RBAC roles (like Contributor, Owner) control permissions to manage Azure resources (VMs, storage, networks). Assigning someone "Owner" at the subscription scope does not grant them the ability to reset a user's password in Azure AD.
- Misunderstanding Policy and RBAC Inheritance: Inheritance flows downward in the hierarchy. A role assignment or policy applied to a management group applies to all child subscriptions. A common mistake is creating duplicate assignments at a child scope, thinking it's required, when it's already inherited. Conversely, a denial assignment at a child scope can override an allow assignment from a parent.
- Overlooking the "AssignableScopes" in Custom Roles: When creating a custom RBAC role, the AssignableScopes property is critical. If you define a role at the subscription scope, you cannot later assign it at the management group scope unless you update the JSON definition. This can break deployment scripts or automation if not planned correctly.
- Static vs. Dynamic Group Misapplication: Using static groups for constantly changing user populations (like all employees in a specific department) creates massive administrative overhead. Conversely, using a dynamic group for a fixed, small team that rarely changes is unnecessary complexity. The exam will present scenarios where you must choose the most efficient and scalable management method.
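An added example, not from the page, covering both the custom role definition from the RBAC section and the AssignableScopes pitfall above. It writes the page's "VM Startup/Stopper" role in the JSON shape the Azure CLI and PowerShell accept, adds a second constructed role to show a wildcard in Actions trimmed by NotActions, then checks which actions each role permits and whether a role can be assigned at a target scope by walking the scope's ancestry. The subscription id and the management-group names are placeholders, and the subscription-to-management-group parent map is constructed.

```python
import re

# Placeholder scopes (not a real subscription or tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_MG = "/providers/Microsoft.Management/managementGroups/Production"

# The page's custom role, in the JSON shape used by az role definition create / New-AzRoleDefinition.
VM_STARTER_ROLE = {
    "Name": "VM Startup/Stopper",
    "IsCustom": True,
    "Description": "Can start and deallocate virtual machines, nothing else.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [SUB],      # subscription only: the pitfall in the text
}

# A second constructed role: wildcard Actions narrowed by NotActions, assignable at the management group.
COMPUTE_READER_ROLE = {
    "Name": "Compute Reader (no extensions)",
    "IsCustom": True,
    "Description": "Read every compute resource type except VM extensions.",
    "Actions": ["Microsoft.Compute/*/read"],
    "NotActions": ["Microsoft.Compute/virtualMachines/extensions/read"],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [PROD_MG],
}

# Constructed hierarchy for the part of scope ancestry that is not visible in the scope string itself
# (a subscription's parent management group). Keys and values are lower-cased.
PARENTS = {SUB.lower(): PROD_MG.lower()}

REQUIRED_KEYS = {"Name", "IsCustom", "Actions", "NotActions", "AssignableScopes"}


def validate_role(role):
    """Reject a definition that is missing required properties or has no assignable scope."""
    missing = REQUIRED_KEYS - role.keys()
    if missing:
        raise ValueError(f"role definition missing {sorted(missing)}")
    if not role["AssignableScopes"]:
        raise ValueError("AssignableScopes must list at least one scope")
    return True


def _pattern_matches(pattern, action):
    # In RBAC action strings '*' matches any run of characters, including '/' (e.g. */read).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def allows(role, action):
    """Effective control-plane permission: granted by Actions and not removed by NotActions."""
    granted = any(_pattern_matches(p, action) for p in role["Actions"])
    excluded = any(_pattern_matches(p, action) for p in role["NotActions"])
    return granted and not excluded


def parent_scope(scope):
    s = scope.lower()
    if s in PARENTS:
        return PARENTS[s]
    if "/providers/" in s and s.startswith("/subscriptions/"):
        return s.split("/providers/", 1)[0]       # a resource -> its resource group or subscription
    if "/resourcegroups/" in s:
        return s.split("/resourcegroups/", 1)[0]  # a resource group -> its subscription
    return None                                   # a management group with no recorded parent


def scope_chain(scope):
    s = scope.lower()
    while s:
        yield s
        s = parent_scope(s)


def can_assign_at(role, target_scope):
    """A role can be assigned at a scope only if that scope, or one of its ancestors, is assignable."""
    assignable = {a.lower() for a in role["AssignableScopes"]}
    return any(s in assignable for s in scope_chain(target_scope))


if __name__ == "__main__":
    validate_role(VM_STARTER_ROLE)
    print(can_assign_at(VM_STARTER_ROLE, SUB + "/resourceGroups/rg-app1"))   # True
    print(can_assign_at(VM_STARTER_ROLE, PROD_MG))                           # False: the pitfall
```

Assigning the VM role inside the subscription works because a resource group inherits from its subscription, but assigning it at the "Production" management group fails until AssignableScopes is widened, which is exactly the automation break the pitfall warns about.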
Summary
- Identity is the Control Plane: Azure AD is central to all access. Master user/group management, administrative units for scoped delegation, and dynamic groups for automated membership.
- Apply the Right Access Control: Use Azure AD roles for managing the directory and Azure RBAC roles for managing Azure resources. Create custom RBAC roles when built-in roles don't meet precise permission requirements.
- Govern at Scale with Hierarchy: Use management groups to organize subscriptions and apply Azure Policy and RBAC assignments efficiently through inheritance. Use policy remediation tasks to automatically fix non-compliant resources.
- Secure with Context and Just-in-Time: Implement conditional access policies to enforce MFA and other controls based on user, location, device, and risk. Use Privileged Identity Management (PIM) to eliminate permanent admin access, enforcing time-bound, approved, and audited role activation.
- Connect Your Worlds: Understand Azure AD Connect's role in synchronizing on-premises identities to the cloud, enabling a hybrid identity foundation for all other services.