
ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security, Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to Change Everything, like Mindset Goal.


PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

  • microsoft-azure-identity-access-management-entra-id-rbac-mfa-sso

     

    Identity and Access Basics

     

     


     

    Azure is one of the most popular cloud platforms, and many learners are eager to get started. However, beginners often feel overwhelmed due to the wide range of services and concepts. If you have no prior experience in cloud computing or Azure, the best place to start is with Azure Fundamentals (AZ-900). In this blog series, we will cover both theoretical concepts and practical hands-on exercises to help you build a strong foundation in Microsoft Azure.

    We will also provide a real-world, enterprise-level roadmap to guide your learning journey step by step.


    For Phase 1 (Cloud Fundamentals) the topics I listed are sufficient to understand Azure basics, but if your goal is to prepare properly for Microsoft Certified: Azure Fundamentals (AZ-900) and to build a solid base for later phases, you should expand Phase 1 slightly. 

    Think of Phase 1 as “cloud literacy + Azure platform orientation.”
    Below is a complete but still beginner-level Phase 1 syllabus.


    Phase 1 — Azure Fundamentals (Expanded)

    Phase 2 — Azure global infrastructure regions availability zones (Expanded)

    Phase 2 — Azure core services compute storage networking overview (Expanded)

     

     

    4. Identity and Access Basics 



    • Very important for your IT support role.
    • Understand identity services such as:
    • Azure Active Directory (Entra ID)


    Topics:

    • Users
    • Groups
    • Role Based Access Control (RBAC)
    • Multi-factor authentication
    • Single Sign-On (SSO)




    This connects strongly with Active Directory, which you already see in your job.


    In this module, the objectives are to:


    1) Describe directory services in Azure, including Microsoft Entra ID and Microsoft Entra Domain Services.
    2) Describe authentication methods in Azure, including single sign-on (SSO), multifactor authentication (MFA), and passwordless.
    3) Describe external identities and guest access in Azure.
    4) Describe Microsoft Entra Conditional Access.
    5) Describe Azure role-based access control (RBAC).
    6) Describe the concept of Zero Trust.
    7) Describe the purpose of the defense-in-depth model.
    8) Describe encryption concepts and key management options in Azure.
    9) Describe the purpose of Microsoft Defender for Cloud.

     

     

     

     

    1. Microsoft Entra ID (formerly Azure AD)



    Cloud-based identity & access management (IAM) system.




    2. Microsoft Entra Domain Services



    A managed version of traditional Active Directory features in the cloud,
    such as domain join, Group Policy, and LDAP, without the burden of maintaining, patching and backing up physical or virtual domain controllers.






    Think of it as a 3-layer identity system :



    On-premises (left)

    Active Directory (AD DS)
    Stores:
          Users and groups
          Devices
          Policies

    Uses:
        Kerberos / NTLM




    Sync Layer (middle)

    Microsoft Entra Connect
    Sync identities between:
         On-premises AD <--> Cloud

    This gives a hybrid identity (same user works everywhere)




    Cloud (right)

    Microsoft Entra ID (core brain)

    Handles:
        Authentication (login, MFA)
        Single Sign-On (SSO)
        App access
        Device policies



    Microsoft Entra Domain Services

    Provides:
        Domain join
        Group Policy
        LDAP
        Kerberos / NTLM


    👉 But without managing domain controllers



    Img src : learn.microsoft.com


     

    Key Concepts Simplified



    1. Authentication (who are you?)
    Login verification
    MFA, password reset, risk detection


    Example: Detects login from a new country



    2. Single Sign-On (SSO)

    One Login --> many apps

    Example: Login once --> access Outlook, Teams, custom apps



    3. App management

    Connect SaaS + Internal apps
    Use same identity everywhere



    4. Device management

    Register devices
    Enforce rules (only company laptop allowed)



    How Sync Works (Very important)



    Flow:


    On-prem AD  ⇄  Entra Connect  ⇄  Entra ID  →  Domain Services
                   (bi-directional)   (one-way)



    Details:

    AD <--> Entra ID --> bi-directional Sync
    Entra ID --> Domain Services --> one-way only


    Meaning:

    Changes in AD <--> Entra ID sync both ways
    Domain Services does NOT sync back

     

     


    Why use this setup ?


    Benefits



    1. Hybrid identity


    Same user works:
       On-prem
       Cloud
       Apps




    2. Better security



    Detect suspicious logins
    Enforce MFA
    Conditional access




    3. No infrastructure management


    No need to manage domain controllers in Azure




    4. Legacy + modern support



    Old apps --> use LDAP / Kerberos
    New apps --> use modern auth (OAuth, SSO)




    Who uses it ?



    IT Admins --> Control access & Security
    Developers --> add login/SSO to apps
    Users --> manage passwords, sign on
    Subscriber --> Microsoft 365, Azure, etc




    Simple analogy

    Think of it like this:

    On-premises AD = your old office ID system
    Entra ID = Cloud identity hub (smart + secure)
    Entra Domain Services = legacy compatibility layer in cloud





    One-line Summary



    Microsoft Entra ID is the cloud identity brain, Entra Connect syncs identities, and Entra Domain Services provides traditional AD features without managing servers.



    Scenario: User signs in to a cloud app (e.g., Microsoft 365)



    User:

    Username: atul@hackingtruth.org
    Account originally created in on-prem Active Directory
    Synced to Microsoft Entra ID



    Step-by-step login flow



    Step 1: User opens an app

    Example:

    Outlook / Teams / Custom SaaS app
    App redirects user to Microsoft Entra ID login page



    Step 2: User enters username

    atul@hackingtruth.org


    Microsoft Entra ID checks:

    Does this user exist?
    Where is the identity coming from? (Cloud vs synced)



    Step 3: Authentication decision

    Now there are 3 possible paths depending on setup:



    Option A: Cloud authentication (most common)

    Password hash is synced to cloud
    Login happens directly in Microsoft Entra ID

    👉 Flow:

    User → Entra ID → Password verified → success




    Option B: Pass-through authentication (PTA)


    Password stays on-prem
    Entra sends request to on-prem agent

    👉 Flow:

    User → Entra ID → On-prem agent → AD verifies → Response back




    Option C: Federation (e.g. ADFS)

    Authentication fully handled on-prem

    👉 Flow:

    User → Redirect to ADFS → AD verifies → Token returned



    Step 4: Security checks (VERY Important)

    Before granting access, Microsoft Entra ID evaluates risk:

    Is login from new country ?
    Unknown device ?
    Suspicious behavior?


    Action

    Allow
    Block
    Require MFA



    Step 5: MFA (if required)

    Example:
          Phone notification
          OTP code


    Only after passing MFA --> continue




    Step 6: Token issued

    Entra ID generates a token (like a temporary pass)

    This token contains

    User identity
    Permissions
    Group



    Step 7: Single Sign-On (SSO)

    Now the user can access multiple apps without logging in again

    • Outlook ✅
    • Teams ✅
    • SharePoint ✅
    • Custom apps ✅



    👉 Because they trust the same identity provider
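
    Steps 6 and 7 as an added example (not code from the original post): a toy identity provider issues one token per application, and each application checks signature, issuer, audience, expiry and MFA before trusting it. The HMAC key, the `api://...-demo` audiences, the tenant ID and the group names are constructed; Entra ID signs real tokens with RS256 key pairs, and HS256 stands in here so the example needs only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only.
TENANT_ID = "00000000-0000-0000-0000-000000000001"   # placeholder tenant
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
IDP_KEY = b"demo-signing-key"  # stand-in for the provider's RS256 key pair


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input):
    return hmac.new(IDP_KEY, signing_input.encode(), hashlib.sha256).digest()


def issue_token(user, audience, groups, mfa_done, now, lifetime=3600):
    """Toy identity provider: one signed token per application (audience)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "tid": TENANT_ID, "aud": audience,
        "preferred_username": user, "groups": groups,
        "amr": ["pwd", "mfa"] if mfa_done else ["pwd"],
        "iat": now, "exp": now + lifetime,
    }
    signing_input = (b64e(json.dumps(header).encode()) + "."
                     + b64e(json.dumps(claims).encode()))
    return signing_input + "." + b64e(sign(signing_input))


def validate_token(token, expected_audience, now, require_mfa=False):
    """Checks an application makes before trusting a token.

    Returns (ok, reason, claims); claims is None unless ok is True.
    """
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64d(head)), json.loads(b64d(body))
        signature = b64d(sig)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed", None
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    if not hmac.compare_digest(signature, sign(f"{head}.{body}")):
        return False, "bad signature", None
    if claims.get("iss") != ISSUER or claims.get("tid") != TENANT_ID:
        return False, "wrong issuer", None
    # A token minted for another app must not be accepted here.
    if claims.get("aud") != expected_audience:
        return False, "wrong audience", None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired", None
    if require_mfa and "mfa" not in claims.get("amr", []):
        return False, "mfa required", None
    return True, "ok", claims


def demo(now=1_700_000_000):
    """One sign-in, two apps: each app accepts only the token minted for it."""
    user = "atul@hackingtruth.org"
    outlook = issue_token(user, "api://outlook-demo", ["IT-Support"], True, now)
    teams = issue_token(user, "api://teams-demo", ["IT-Support"], True, now)
    return {
        "outlook token at outlook": validate_token(outlook, "api://outlook-demo", now + 5)[1],
        "teams token at teams": validate_token(teams, "api://teams-demo", now + 5)[1],
        "outlook token at teams": validate_token(outlook, "api://teams-demo", now + 5)[1],
        "outlook token after expiry": validate_token(outlook, "api://outlook-demo", now + 3601)[1],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

    SSO does not mean one token works everywhere: the user signs in once, and the provider then issues a separate token for each application.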




    What about on-prem apps?



    If user accesses an on-prem app:


    With hybrid setup:
       can use:
           Kerberos / NTLM
           Or application proxy via Entra ID



    Where Domain Services fits

    If using Microsoft Entra Domain Services:

    Example: Legacy app in Azure VM



    Flow:


    User (Entra ID)
       ↓
    Synced to Domain Services
       ↓
    VM uses LDAP / Kerberos





    Visualizing the whole flow



    [User]
       ↓
    [Microsoft Entra ID]  ← security + MFA + SSO
       ↓
       ├── Cloud Apps (M365, SaaS)
       ├── On-prem Apps (via proxy / federation)
       └── Domain Services (legacy apps)




    Key takeaway



    👉 Microsoft Entra ID is the gatekeeper

    It:

    Authenticates users
    Applies security policies
    Issues access tokens
    Enables SSO across everything




    Real-world analogy



    Think of it like airport security:

    • AD (on-prem) → your passport office
    • Entra ID → airport security + boarding system
    • MFA → extra identity check
    • Token → boarding pass
    • SSO → access to all gates without re-check






    FIDO2 Security Keys



    FIDO2 is an open standard for passwordless authentication built on the Web Authentication (WebAuthn) specification.

    A physical key (USB / NFC / Bluetooth) used to sign in without a password.



    How does it work?



    1. Register the key
       Plug in or tap it once


    2. Login
       Choose "Security Key" at sign-in

    3. Authentication
       Tap the key (or use fingerprint on it)



    Users register a FIDO2 key and then select it at the sign-in screen as their primary authentication method. Because the hardware device handles authentication, there's no password that could be exposed or guessed.





    🧠 One-line takeaway

    👉 FIDO2 = plug key + tap = login (no password needed)




    Describe External Identities 


    External Identities (guest users) can sound similar to single sign-on, but they're used for cross-tenant and consumer access scenarios. External users can bring their own identities, whether those are work accounts, government-issued digital identities, or social identities such as Google or Facebook.






    Describe Azure conditional access



    Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.


    Conditional access helps IT administrators:

    Empower users to be productive wherever and whenever.
    Protect critical assets.



    Rule-based control for sign-ins

    • It decides:
    • ✅ Allow
    • 🔒 Require MFA
    • ❌ Block




    How does it work? (3 steps)



    1. Collect signals

    Who (user / role)
    Where (location / IP)
    Device (managed or not)
    App being accessed




    2. Make a decision

    Based on the rules you set:

    Normal login --> allow
    Risky login --> require MFA
    High risk --> block




    3. Enforce it

    Grant access
    Ask for MFA
    Deny access





    Real example

    Example 1

    Office location + known laptop
    👉 Allow (no MFA)



    Example 2

    Login from another country 
    👉 Require MFA



    Example 3

    Unknown device + risky sign-in
    👉 Block



    Example 4

    Admin account login
    👉 Always require MFA




    What you can control


    Require MFA for:
    Admins
    External access


    Allow only:
    Approved apps
    Managed devices


    Block:
    Unknown locations
    Risky sign-ins





    One-line takeaway

    👉 Conditional Access = “If these conditions are met → then allow / require MFA / block”
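
    The three steps above as an added example (not part of the original post or of Entra ID itself): a small rule evaluator in which every matching policy applies and the strictest control wins. The policy names, the home country and the sample sign-ins are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet

ALLOW, REQUIRE_MFA, BLOCK = "allow", "require_mfa", "block"
SEVERITY = {ALLOW: 0, REQUIRE_MFA: 1, BLOCK: 2}

HOME_COUNTRY = "IN"   # assumption for this example
ADMIN_ROLES = frozenset({"Global Administrator", "Security Administrator"})


@dataclass(frozen=True)
class SignIn:
    """Signals collected for one sign-in attempt (step 1)."""
    user: str
    roles: FrozenSet[str]
    country: str
    device_managed: bool
    risk: str          # "low", "medium" or "high"
    app: str


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    control: str


# Hypothetical policy set mirroring the rules and examples in the text.
POLICIES = [
    Policy("MFA for admin accounts",
           lambda s: bool(s.roles & ADMIN_ROLES), REQUIRE_MFA),
    Policy("MFA outside home country",
           lambda s: s.country != HOME_COUNTRY, REQUIRE_MFA),
    Policy("MFA on risky sign-in",
           lambda s: s.risk == "medium", REQUIRE_MFA),
    Policy("Block high-risk sign-in",
           lambda s: s.risk == "high", BLOCK),
    Policy("Block risky sign-in from unknown device",
           lambda s: not s.device_managed and s.risk != "low", BLOCK),
]


def evaluate(sign_in, policies=POLICIES):
    """Step 2: every matching policy applies and the strictest control wins.

    Returns (decision, names of the policies that matched).
    """
    if sign_in.risk not in ("low", "medium", "high"):
        return BLOCK, ["unrecognised risk level"]   # fail closed on bad input
    matched = [p for p in policies if p.applies(sign_in)]
    decision = max((p.control for p in matched), key=SEVERITY.get, default=ALLOW)
    return decision, [p.name for p in matched]


def enforce(sign_in, mfa_passed, policies=POLICIES):
    """Step 3: turn the decision into an outcome for this attempt."""
    decision, _ = evaluate(sign_in, policies)
    if decision == BLOCK:
        return "denied"
    if decision == REQUIRE_MFA and not mfa_passed:
        return "mfa_challenge"
    return "granted"


# Constructed sign-ins matching Examples 1 to 4 in the text.
OFFICE = SignIn("atul@hackingtruth.org", frozenset(), "IN", True, "low", "Outlook")
ABROAD = SignIn("atul@hackingtruth.org", frozenset(), "DE", True, "low", "Outlook")
UNKNOWN_RISKY = SignIn("atul@hackingtruth.org", frozenset(), "IN", False, "medium", "Outlook")
ADMIN = SignIn("admin@hackingtruth.org", frozenset({"Global Administrator"}),
               "IN", True, "low", "Azure portal")

if __name__ == "__main__":
    for label, s in [("office", OFFICE), ("abroad", ABROAD),
                     ("unknown+risky", UNKNOWN_RISKY), ("admin", ADMIN)]:
        print(label, evaluate(s))
```

    Returning the matched policy names alongside the decision gives the audit trail needed to explain why a given sign-in was challenged or blocked.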




    Describe Azure role-based access control


    When you have multiple IT and engineering teams, how can you control what access they have to the resources in your cloud environment? The principle of least privilege says you should only grant access up to the level needed to complete a task. If you only need read access to a storage blob, then you should only be granted read access to that storage blob - not write access, and not access to other blobs. It's a good security practice to follow.
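
    Least privilege as an added example (not from the original post): a simplified model of how a role assignment combines a role with a scope, plus an audit helper that flags grants exceeding what a task needs. Role definitions are abbreviated to their blob data actions, the subscription ID is a placeholder, and the resource and principal names are constructed; the example scopes access to one container.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"

# Built-in role names; definitions abbreviated to blob data actions only.
ROLES = {
    "Storage Blob Data Reader": (f"{BLOB}/read",),
    "Storage Blob Data Contributor": (f"{BLOB}/read", f"{BLOB}/write", f"{BLOB}/delete"),
    "Storage Blob Data Owner": (f"{BLOB}/*",),
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
ACCOUNT = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stdemo"
REPORTS = f"{ACCOUNT}/blobServices/default/containers/reports"
BACKUPS = f"{ACCOUNT}/blobServices/default/containers/backups"


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


# Constructed assignments: one tight, two broader than a read-only task needs.
ASSIGNMENTS = [
    Assignment("analyst", "Storage Blob Data Reader", REPORTS),
    Assignment("deploy-bot", "Storage Blob Data Contributor", ACCOUNT),
    Assignment("backup-svc", "Storage Blob Data Owner", BACKUPS),
]


def scope_covers(assigned, resource):
    """An assignment applies at its own scope and at everything below it."""
    a, r = assigned.rstrip("/").lower(), resource.rstrip("/").lower()
    # The "/" keeps scope '.../reports' from matching '.../reports-old'.
    return r == a or r.startswith(a + "/")


def role_grants(role, action):
    """True if any action pattern of the role (wildcards allowed) matches."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in ROLES[role])


def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """Deny by default: access needs a role that grants the action at a covering scope."""
    return any(a.principal == principal
               and scope_covers(a.scope, scope)
               and role_grants(a.role, action)
               for a in assignments)


def excess_grants(principal, needed_action, needed_scope, assignments=ASSIGNMENTS):
    """List the ways a principal's assignments exceed one needed action at one scope."""
    findings = []
    for a in assignments:
        if a.principal != principal or not scope_covers(a.scope, needed_scope):
            continue
        extra = [p for p in ROLES[a.role] if p.lower() != needed_action.lower()]
        if extra:
            findings.append(f"{a.role}: {len(extra)} action pattern(s) beyond the need")
        if a.scope.rstrip("/").lower() != needed_scope.rstrip("/").lower():
            findings.append(f"{a.role}: assigned above the needed scope")
    return findings


if __name__ == "__main__":
    for who in ("analyst", "deploy-bot"):
        print(who, excess_grants(who, f"{BLOB}/read", REPORTS))
```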




    Describe Zero Trust model




    Zero Trust Model 

    Never trust, always verify: do not trust users, devices, or networks by default, and always check every request.


    Core idea

    Even if someone is:
    Inside your network ❌ NOT trusted
    Using a company device ❌ NOT trusted

    👉 Everything must be verified first



     

    Principles



    1. Verify explicitly

    Always check:
    User identity
    Location
    Device
    Risk level

    👉 Example: login from new country → require MFA




    2. Least privilege access



    Give minimum access needed

    Just-In-Time (temporary access)
    Just-Enough-Access (only what’s needed)

    👉 Example: admin access only for 1 hour



    3. Assume breach

    Act as if an attacker is already inside

    Segment access
    Monitor behavior
    Detect threats early

    👉 Example: limit access between systems




    Old vs Zero Trust



    | Old (Traditional)    | Zero Trust        |
    | -------------------- | ----------------- |
    | Trust inside network | Trust nothing     |
    | VPN = safe           | Always verify     |
    | One-time login       | Continuous checks |




    Real example


    User logs in from:

    Public WiFi
    Personal laptop



    👉 System checks:

    • Identity ✔️
    • Device ❌
    • Location ⚠️




    👉 Result:

    • Allow basic apps
    • Require MFA
    • Block sensitive access





    One-line takeaway


    Zero Trust = verify every user, every device, every time, no exceptions.



    Describe defense-in-depth




    Multiple layers of security to protect data

    Not relying on one defense
    If one layer fails --> others still protect

    The goal is to protect data by slowing down and stopping attackers




    Layers (outer --> inner)


    1. Physical 



    Physical Building, servers
    --> Locks, cameras



    2. Identity & Access



    Control who can access
    MFA, SSO, Permissions



    3. Perimeter



    Protect network edge
    Firewalls, DDoS protection



    4. Network



    Control internal traffic
    Segmentation, deny-by-default



    5. Compute



    Secure machines (VMs)
    Patching, antivirus



    6. Application



    Secure apps
    Fix vulnerabilities, secure code



    7. Data (Core)



    Protect actual data
    Encryption, access control




    Example



    Attacker tries to access data:

    Pass firewall ❌
    Gets blocked by MFA ❌
    Even if inside → data is encrypted ❌

    👉 Attack fails





    One-line takeaway



    👉 Defense-in-Depth = multiple security layers protecting data, not just one






    Describe encryption and key management in Azure



    Encryption helps protect data confidentiality by making data unreadable to unauthorized users.



    Encryption at rest and in transit


    • In Azure, encryption is commonly discussed in two forms:
    • Encryption at rest protects data when it is stored, such as in databases, disks, and storage accounts.
    • Encryption in transit protects data while it moves between services, applications, and users.





    🔑 Key Management (Azure Key Vault)

    Central place to store and manage sensitive stuff


    Stores:

    Secrets (passwords, connection strings)
    Encryption keys
    Certificates (SSL / TLS)






    Why use Key Vault?



    • No hardcoding secrets in code
    • Control access (who can use keys)
    • Rotate keys regularly
    • Track usage (audit logs)




    Example


    App uses:

    Azure SQL (data stored)
    Azure Storage



    👉 Data is:

    Encrypted at rest ✔️
    Encrypted in transit ✔️


    👉 Keys stored in:

    Azure Key Vault




    Extra security features


    • 🔄 Key rotation (auto update keys)
    • 👤 Access control (RBAC)
    • 📊 Auditing (who used what)




    🧠 One-line takeaway



    👉 Encryption protects data, and Azure Key Vault securely manages the keys and secrets used for that encryption





    Microsoft Defender for Cloud (Simple Explanation)


    Microsoft Defender for Cloud is a security service that monitors, protects, and improves the security of your cloud and on-premises resources.




    Core Idea



    It does 3 main things :

    1. Assess (Find problems)
    2. Secure (Fix problems)
    3. Defend (stop attacks)


    This is the most important memory trick.



     

    What does it Protect ?



    Azure
    On-premises
    Hybrid
    Other clouds (AWS, GCP)

    This means one dashboard for everything.



    1. Assess (Know Your Security Status)



    Finds:

    Weak passwords
    Open ports
    Vulnerabilities


    Gives:

    Recommendations
    Secure Score




    2. Secure (Improve Protection)



    Helps you:

    Apply security policies
    Follow best practices


    Example:

    Close unused ports
    Enable encryption



    3. Defend (Detect & Respond)



    Detects:


    Attacks
    Suspicious activity


     

    Gives:


    Alerts
    Fix suggestions




    Key Features (Compressed Version)

     

    • Security recommendations
    • Secure score
    • Threat alerts
    • Vulnerability scanning
    • Multi-cloud support




    Real-Life example



    You create a VM with open ports

     

    Defender for Cloud:
    • Detects the risk
    • Suggests a fix
    • Alerts if an attack happens




    Important Concepts Made Easy



    Secure Score



    👉 A number showing how secure you are



    Higher score = better security ✅
    Lower score = more risk ❌



    Azure Arc



    👉 Helps connect:

    On-premises servers
    Other cloud resources

    👉 So Defender can monitor them too



    CSPM (Don’t Overthink)

    👉 Just remember:

    CSPM = checks your cloud security posture



    Exam Ready Answer


    👉
    Microsoft Defender for Cloud is a security management and threat protection service that helps assess, secure, and defend resources across Azure, hybrid, and multi-cloud environments.





    Memory Trick (Very Powerful)



    Defender = Security Guard 🛡️

    • Checks your system (Assess)
    • Fixes weaknesses (Secure)
    • Stops attacks (Defend)




    Final One-Line Summary



    👉 Defender for Cloud continuously monitors your environment, improves security posture, and protects against threats.

     

     

     

     

     

  • microsoft-azure-core-services-compute-storage-networking-overview

     


     

     

     


     

     

    Azure Core Services Overview

     
    You do not need deep knowledge yet — just understand what these services do.

    Compute

    • Example services:
    • Azure Virtual Machines
    • App Services
    • Containers



    Purpose: running applications and servers.

    ------------------------------------


    Storage

    • Learn basic storage services:
    • Azure Blob Storage
    • File storage
    • Disk storage
    • Archive storage



    Purpose: storing data.


    ------------------------------------

    Networking


    • Basic networking concepts in Azure:
    • Virtual Network (VNet)
    • Subnet
    • Public IP
    • Load balancer
    • VPN gateway



    You don’t need deep configuration yet — just understand the purpose.



    An easy way to differentiate between VMs and containers: virtual machines virtualize the hardware, and containers virtualize the operating system.
     

    The operating system level virtualization of containers is one reason why the container approach is more efficient than a full virtual machine.

    It allows you to run multiple lightweight containers on a single host without sacrificing the isolation that the virtual machine originally offered.

    Azure supports several container variations, the most popular being Docker.


    You can easily deploy and manage multiple containerized applications without worrying about which server will host each container.

    The decision of whether to use a VM or a container depends on how much flexibility you need.


    If you need to completely control the environment, then you might choose a VM.

    If not, then the portability, performance characteristics and management capabilities of containers might be the better choice.




    In Microsoft Azure, everything you build falls into 3 main categories.

    Compute -> Storage -> Networking



     


     

     

    1. Compute (Run application)


    Compute is the set of cloud services used to run applications, virtual machines, and workloads.


    Azure Virtual Machines (VMs)

    Azure virtual machines are on-demand, scalable computing resources that provide full control over the operating system and applications.

    Example - Run a Windows/Linux server



    App Services 

    Azure App Services is a platform for building, deploying, and hosting web applications without managing the underlying infrastructure.

    Example - Host a website or API



    Containers


    Containers are lightweight, portable units that package an application and its dependencies to run consistently across environments.

    Example - Run apps using docker



    2. Storage (Store data)



    Storage services in Azure are used to store, manage, and retrieve data in a secure and scalable way.


    Blob Storage 

    Azure Blob Storage is an object storage service used to store large amounts of unstructured data such as images, videos and documents.


    File Storage 

    Azure file storage provides fully managed file shares in the cloud that can be accessed via standard file protocols.


    Disk Storage

    Azure disk storage provides persistent block-level storage volumes for use with virtual machines.


    Archive Storage 

    Azure Archive storage is a low-cost storage tier designed for long-term retention of infrequently accessed data.


    3. Networking 



    Networking services in Azure enable communication between resources, users, and on-premises environments.



    Virtual Network (VNet)


    A virtual network is a logically isolated network in Azure that allows resources to securely communicate with each other.



    Subnet


    A subnet is a segmented portion of a virtual network used to organize and manage resources efficiently.



    Public IP

    A public IP address is an internet-routable IP address that allows Azure resources to be accessed from outside the network.


    Load Balancer


    Azure load balancer distributes incoming network traffic across multiple resources to ensure high availability and reliability.


    VPN Gateway


    A VPN gateway enables secure communication between Azure virtual networks and on-premises networks over the internet.


    Describe Azure virtual networking



    Virtual Network (VNet) = Your private network in Microsoft Azure
    Everything else is just features of that network.



    Remember, a VNet does 6 things:

     

    1. Isolate (Separate network)
    2. Connect (Azure resources)
    3. Internet Access
    4. Connect to on-premises
    5. Control traffic (routing)
    6. Secure traffic (filtering)


    That's it. That entire page = these 6 points.



    1. Isolation

    You can create multiple private networks. (like different departments)


    2. Communication

    Resources inside Azure can talk to each other.



    3. Internet Access

    Add public IP -> accessible from internet.

     

    4. On-premises connection

    Connect your office network to Azure.

     

    5. Routing 

    Decide where traffic should go.

     

    6. Security (Filtering)

    Allow or block traffic using rules.


     

     

    Visual Memory

     

     


     

    Azure Virtual Private Network (VPN) 



    VPN - Secure tunnel over the internet

    A VPN securely connects networks or devices over the public internet using encryption.


    Your Network <-- Encrypted Tunnel <-- Azure VNet

    Even though data goes over the internet, it is encrypted and safe.



    VPN Gateway 



    A VPN gateway is an Azure service that enables secure communication between networks using VPN.


    Like

    1. Site-to-Site (S2S) -> office <-> Azure
    2. Point-to-Point (P2P) -> Laptop <-> Azure
    3. VNet-to-VNet -> Azure <-> Azure




    Types of VPN 



    1. Policy-Based

    Uses fixed rules (IP-based)
    Less flexible


    2. Route-Based 

    Uses routing tables
    More flexible & preferred


    Always remember 


    Route-based VPN = Recommended in Azure




    High Availability 

    Azure makes VPN reliable using:



    1. Active / Standby (default)

    Active VPN -> Working
    Standby VPN -> Backup


    If active fails -> standby takes over


    2. Active / Active

    Both gateways work at the same time
    High performance + redundancy


    3. ExpressRoute Failover

    If private connection fails -> VPN acts as backup


    4. Zone-Redundant Gateway

    Gateway spread across availability zones
    Protects from data center failure



    How to remember this easily



    VPN = Secure Connection

    Gateway does 3 things:


    - Connect networks
    - Encrypt data
    - Provide high availability




    Final One-Line Summary



    Azure VPN securely connects networks and users to Azure using encrypted tunnels, managed by VPN Gateway with high availability support.


    Azure DNS is a hosting service that provides domain name resolution using Azure infrastructure, allowing you to manage DNS records with high availability, security and performance.

     

     

    Azure DNS - Simple understanding 


    Azure DNS is a service that translates domain names (like google.com) into IP addresses using Azure infrastructure.



    Humans use names:
    www.google.com

    Computers use IP:
    142.250.x.x

    DNS = translator 



    What is Azure DNS ?



    Azure DNS lets you host and manage your domain's DNS records using Azure.

    This means:

    You control domain records
    Using azure tools


    Benefits 

    Instead of remembering all text, remember this:

    1. Fast (global network)
    2. Secure (RBAC + logs)
    3. Easy (same Azure tools)
    4. Private domains (VNet support)
    5. Smart mapping (alias records)



    1. Reliability & performance

    Uses global Azure servers
    closest server answers -> faster

    Keywords: Anycast (closest server responds)



    2. Security 

    controlled using: 
    RBAC, role-based access control (who can access)
    Logs (who did what)
    Locks (prevent deletion)


    3. Ease of Use

    Same tools as Azure:

    Portal
    CLI
    PowerShell

    No need to learn new system.



    4. Private DNS (very important)

    Use custom names inside your network

    Example 
    Instead of:
    vm123.internal.cloud

    You use:
    myserver.local




    5. Alias Records (Smart Features)

    Point domain to Azure resources.

    Example 

    Domain -> Public IP
    Domain -> CDN

    If IP changes -> auto update




    Important Note



    Azure DNS does NOT sell domain names.

    You must buy one from a domain registrar, then connect it to Azure.



    Memory Trick



    DNS = Name -> IP
    Azure DNS = Manage DNS in Azure


    Benefits:
    Fast + Secure + Easy + Private + Smart






    Please share and thank you for your support. 

     


  • microsoft-azure-global-infrastructure-regions-availability-zones-architecture

     

     



     



     Azure Global Infrastructure



    Understand how Azure is structured globally.

    Topics:

    • Regions
    • Region pairs
    • Availability zones
    • Edge locations
    • Datacenters




    Basic architecture units:

     

    • Resource
    • Resource group
    • Subscription
    • Management group



    These concepts are fundamental to operating in Microsoft Azure.




    1. Data centers

    A data center is just a building full of servers.

    Like a huge room with thousands of computers running your apps.


    Key Idea

    This is where your data actually lives.
    Azure owns and manages these buildings.




    2. Regions (City)

    A region = a group of data centers in one location: a specific geographic area defined by Azure that contains one or more data centers.


    Key Idea 

    This is where


    👉 Example:

    Central India ↔ South India

    OR

    Hyderabad (Region)  ↔  Chennai (Another Region)

    Each region has multiple data centers.


    These are :
    Close enough for low latency
    Far enough for safety (Used for disaster recovery)




    3. Region Pairs

    Every region has a backup region

    👉 Example:

    Central India ↔ South India


    Key Idea 

    Regions are paired far apart (~300 miles)
    If one region fails -> the other takes over


    This is for :

    Disaster Recovery
    Data backup



    Correct understanding of Region pair



    In Microsoft Azure :

    A region pair = Two regions in different locations
    Distance is typically hundreds of miles apart 

    100 miles equals 160.934 kilometers, roughly 161 or 160 km.

    100 miles = 160 km
    300 miles = 480 km





    4. Geographies

    A geography is a collection of regions in a country/area.

    Example:

    Europe
    Asia Pacific
    Americas


    Why important :

    Data stays within legal boundaries
    Helps with compliance & regulations.




    5. Availability Zones

    Availability zones means separate data centers inside a region.

    Like One region -> Multiple isolated mini regions


    Key features:



    Each zone has:


    •  Separate power
    •  Separate network
    •  Separate cooling



    If one zone fails -> others still work


    Putting It All Together (Easy Flow)


    Geography (e.g. Asia)
       ↓
    Region (e.g. Central India)
       ↓
    Availability Zones (Zone 1, Zone 2, Zone 3)
       ↓
    Data Centers (actual servers)



    In my example, availability zones are separate but nearby locations in the same area:

    Ameerpet, Sr Nagar, Punjagutta



    Azure Architecture (Hyderabad Analogy)

     

     


     

    🔁 Region Pair (Disaster Recovery)



       🏙️ Hyderabad Region  ↔  🏙️ Chennai Region

       ✔ Far apart locations
       ✔ Backup & failover support
       ✔ Used during major outages
     

     

     📌 FLOW SUMMARY:



    Geography (India)
       ↓
    Region (Hyderabad)
       ↓
    Availability Zones (Ameerpet / SR Nagar / Punjagutta)
       ↓
    Data Centers (Actual server buildings)

    + Region Pair (Hyderabad ↔ Chennai)

     

     

    Basic architecture units:

     

    • Resource
    • Resource group
    • Subscription
    • Management group

     

     
    1. Resources (Smallest Unit)

     

    A resource is the actual thing you create in Azure.

    Example :

    Virtual Machine
    Storage Account
    Database
    Web application


    Think :

    Resource = actual working service



    2. Resource Group


    A resource group = a folder that holds related resources

    Example :

    One project = one resource group

    Contains :

    Virtual Machine
    Database
    Storage


    Real-Life Example:

    Resource Group:

    Web App
    Database
    Storage





    3. Subscription

    A subscription = billing + access boundary

    It controls :

    Payment (billing)
    Access permissions
    Resource limits

    Think:

    Subscription = your Azure account with money control



    Example :

    A company may have:

    Dev Subscription
    Test Subscription
    Production Subscription




    4. Management Group (Top Level)

    A management group = group of subscriptions

    Used in big organizations


    Why?

    Apply policies to multiple subscriptions
    Manage access centrally


    Example:

    Company structure:

    Management group: Company
    Subscription 1: Dev
    Subscription 2: Prod





    🧾 One-Line Memory Trick



    Resources live in Resource Groups, Resource Groups live inside Subscriptions, and Subscriptions can be grouped using Management Groups.
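The same hierarchy is visible in every Azure resource ID, and access granted at a higher level reaches everything beneath it. The PowerShell below is an added example, not part of the original post: it is an offline model in which the subscription IDs, names and role assignments are all constructed, and Get-ScopeChain and Get-EffectiveAssignment are hypothetical helpers, not Az module cmdlets.

```powershell
# Added example. Every ID, name and assignment here is constructed.

# Which management group each subscription sits under (constructed mapping;
# in a real tenant this comes from the management group hierarchy).
$SubscriptionParent = @{
    '00000000-0000-0000-0000-000000000001' = 'Company'   # Dev
    '00000000-0000-0000-0000-000000000002' = 'Company'   # Prod
}

# Role assignments at three different levels of the hierarchy (constructed).
$Assignments = @(
    [pscustomobject]@{ Principal = 'SecOps-Readers'; Role = 'Reader'
        Scope = '/providers/Microsoft.Management/managementGroups/Company' }
    [pscustomobject]@{ Principal = 'Dev-Team'; Role = 'Contributor'
        Scope = '/subscriptions/00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ Principal = 'Web-Admins'; Role = 'Owner'
        Scope = '/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-web' }
)

# Hypothetical helper: list every scope that contains the given resource,
# from the management group down to the resource itself.
function Get-ScopeChain {
    param([Parameter(Mandatory)][string]$ResourceId)

    $pattern = '^/subscriptions/(?<sub>[^/]+)(/resourceGroups/(?<rg>[^/]+)(?<rest>/providers/.+)?)?$'
    if ($ResourceId -notmatch $pattern) {
        throw "Not a subscription-scoped Azure ID: $ResourceId"
    }

    $sub   = $Matches['sub']
    $chain = @()
    if ($SubscriptionParent.ContainsKey($sub)) {
        $chain += "/providers/Microsoft.Management/managementGroups/$($SubscriptionParent[$sub])"
    }
    $chain += "/subscriptions/$sub"
    if ($Matches['rg'])   { $chain += "/subscriptions/$sub/resourceGroups/$($Matches['rg'])" }
    if ($Matches['rest']) { $chain += $ResourceId }
    return $chain
}

# Hypothetical helper: an assignment applies to a resource when its scope is
# anywhere in that resource's chain (assignments are inherited downward).
function Get-EffectiveAssignment {
    param([Parameter(Mandatory)][string]$ResourceId)

    $chain = Get-ScopeChain -ResourceId $ResourceId
    $Assignments |
        Where-Object { $chain -contains $_.Scope } |
        Select-Object Principal, Role, @{ Name = 'InheritedFrom'; Expression = { $_.Scope } }
}

# A VM in the Prod subscription (constructed ID).
$vm = '/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-web' +
      '/providers/Microsoft.Compute/virtualMachines/vm-web01'

Get-ScopeChain -ResourceId $vm
Get-EffectiveAssignment -ResourceId $vm | Format-Table -AutoSize
```

For the sample VM, the management-group Reader assignment and the resource-group Owner assignment both apply, while the Dev subscription assignment does not, which is why broad roles at the management group level deserve the closest review.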


  • microsoft-365-l1-desktop-support-basic-permissions-via-ad-groups

     

     

     

     


     

     

     

    Microsoft-365-L1-Desktop-Support-guide


    This article is designed as a practical guide. Access-related issues are among the most common tickets handled by L1 Desktop Support. In most enterprise environments, access to shared folders, printers, and network resources is controlled through Active Directory Security Groups rather than individual user permissions.

    This guide explains how L1 engineers should verify and manage basic permissions using AD groups before escalating.

     

    I will write a separate blog article on each topic.


    I’ll break into real helpdesk categories:

     

    1. Unlock user
    2. Reset password
    3. Enable / Disable account
    4. Create new user
    5. Add user to group
    6. Remove user from group
    7. Check login issues
    8. Move user to correct OU
    9. Basic permission via groups

     

    Today we will see step by step Account & License Management  

     

    👥 SCENARIO — User Cannot Access Folder / Printer

     

     


    🔎 Symptoms Observed


    Users typically report:


    • “Access Denied” while opening shared folder
    • Unable to see mapped network drive
    • Printer not visible or cannot print
    • Shared drive missing after department change
    • Application access denied



    🎯 Root Cause (Common)



    In most cases, the issue is due to:

    • User not added to correct Security Group
    • User moved to new department but groups not updated
    • Recent account creation without proper group membership
    • Group membership change not refreshed




    1️⃣ Step 1 — Verify User Group Membership



    🖥 Using Active Directory Users and Computers (ADUC)


    • Open ADUC
    • Locate the affected user
    • Right-click → Properties
    • Go to Member Of tab
    • Check if correct Security Group is listed



    Example:


    • Finance_Share_RW
    • IT_Printer_Access
    • Sales_NetworkDrive

    If the group is missing → proceed to add.





    2️⃣ Step 2 — Add User to Correct Security Group



    If access is confirmed via group-based model:

    • In Member Of tab → Click Add
    • Enter Group Name
    • Click Check Names
    • Click OK
    • Apply → OK

    Always confirm the exact group name before adding. Avoid guessing.




    3️⃣ Step 3 — Inform User (Policy Refresh)



    After adding the user to the group, the user must:

    • Log out and log back in
    • Or run gpupdate /force (if required)
    • Restart system if necessary

    For printer issues:

    • Remove and re-add printer
    • Refresh print spooler if required

    Group membership changes require a session refresh to apply new token permissions.




    4️⃣ Important Understanding (Token Refresh Concept)



    When a user logs in, Windows generates a security token containing group memberships.

    If you add a group:

    • It will not apply until next login session
    • VPN users must reconnect
    • RDP sessions may require restart

    This is a key concept in AD-based permission management.




    🚨 Escalate If


    Escalate to L2 / Server Team if:

    • NTFS permissions missing on folder
    • Share permissions incorrectly configured
    • Server-level restriction issue
    • DFS replication issue
    • Printer server permission problem
    • Group exists but not granting access

    L1 should only manage group membership, not modify server NTFS permissions unless authorized.



    🧠 Real Helpdesk Insight



    Best practice in enterprises:


    ❌ Do NOT assign permissions directly to users
    ✔ Always assign permissions to groups
    ✔ Add users to groups


    This follows the AGDLP Model:


    Accounts → Global Groups → Domain Local Groups → Permissions

    Understanding this model makes you stronger in interviews.
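Steps 1 to 4 and the AGDLP model above can be checked from PowerShell as well as from ADUC. The script below is an added example, not part of the original article: it assumes the RSAT ActiveDirectory module, the user name `jdoe` is a constructed placeholder, the group name is one of the article's examples, and ConvertTo-LdapFilterValue is a hypothetical helper defined in the block.

```powershell
# Added example. Run the first part from an admin workstation with RSAT installed.
Import-Module ActiveDirectory

$User  = 'jdoe'               # sAMAccountName from the ticket (constructed placeholder)
$Group = 'Finance_Share_RW'   # group confirmed by the resource owner (article's example name)

# Hypothetical helper: escape characters that are special inside an LDAP filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Resolve both objects first so a mistyped name fails here, not at the add.
$u = Get-ADUser  -Identity $User  -ErrorAction Stop
$g = Get-ADGroup -Identity $Group -ErrorAction Stop

# Step 1: direct memberships, the same list the Member Of tab shows.
$direct = Get-ADPrincipalGroupMembership -Identity $u |
    Select-Object -ExpandProperty Name

# With AGDLP the user normally sits in a global group nested inside the
# permission group, so the Member Of tab can look "wrong" while access is fine.
# 1.2.840.113556.1.4.1941 is the LDAP matching-rule-in-chain OID (nested lookup).
$groupDn    = ConvertTo-LdapFilterValue -Value $g.DistinguishedName
$transitive = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)" `
    -SearchBase $u.DistinguishedName -SearchScope Base

if ($direct -contains $g.Name) {
    "$User is already a direct member of $Group. Ask the user to sign out and back in."
}
elseif ($transitive) {
    "$User already reaches $Group through a nested group. No change needed."
}
else {
    # Step 2: preview the change. Remove -WhatIf once the group name is confirmed.
    Add-ADGroupMember -Identity $g -Members $u -WhatIf
}

# Steps 3-4: run this part in the USER'S session after they sign in again.
# It lists the groups in the current logon token; no output means the token
# was issued before the membership change.
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Group Name' -like "*\$Group" }
```

If the user is a member, the token shows the group, and access is still denied, the cause is outside group membership and the ticket matches the escalation list above.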



    ✅ L1 Checklist (SOP Format)



    • ✔ Ticket verified
    • ✔ Resource name confirmed
    • ✔ Correct group identified
    • ✔ User group membership checked
    • ✔ User added to group
    • ✔ User re-logged
    • ✔ Access tested
    • ✔ Escalated if NTFS issue



    🎯 Interview-Ready Answer



    If interviewer asks how you handle folder access issues:

    “First, I verify whether access is group-based. I check the user’s group membership in ADUC under the Member Of tab. If the required security group is missing, I add the user to the correct group and ask them to log out and log back in for token refresh. If the issue persists and appears to be an NTFS or server-level permission problem, I escalate to the server team.”

     

     

     


    Disclaimer



    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking. 
     
     
     
  • Microsoft Azure Fundamentals: Complete Beginner Guide (AZ-900 Roadmap)

     

    Microsoft Azure Fundamentals: Complete Beginner Guide (AZ-900 Roadmap)


     

    Azure is one of the most popular cloud platforms, and many learners are eager to get started. However, beginners often feel overwhelmed due to the wide range of services and concepts. If you have no prior experience in cloud computing or Azure, the best place to start is with Azure Fundamentals (AZ-900). In this blog series, we will cover both theoretical concepts and practical hands-on exercises to help you build a strong foundation in Microsoft Azure.

    We will also provide a real-world, enterprise-level roadmap to guide your learning journey step by step.


    For Phase 1 (Cloud Fundamentals) the topics I listed are sufficient to understand Azure basics, but if your goal is to prepare properly for Microsoft Certified: Azure Fundamentals (AZ-900) and to build a solid base for later phases, you should expand Phase 1 slightly. 

    Think of Phase 1 as “cloud literacy + Azure platform orientation.”
    Below is a complete but still beginner-level Phase 1 syllabus.


    Phase 1 — Azure Fundamentals (Expanded)

    Focus on understanding how the Microsoft Azure ecosystem works.



    Fundamentals of Azure, such as:

     

    1) Fundamentals of Cloud
    2) Different types of services in the cloud
    3) Different types of services present in Azure in each category: Compute, Storage, Networking, storage services, and a wide variety of other categories.

    This will help you get a quick start in Azure.



    • Define cloud computing.
    • Describe the shared responsibility model.
    • Define cloud models, including public, private, and hybrid.
    • Identify appropriate use cases for each cloud model.
    • Describe the consumption-based model.
    • Compare cloud pricing models.



    Define Cloud Computing - Cloud computing is the delivery of computing services over the internet, allowing users to access and use computing resources such as servers, storage, databases, networking, and software, usually on a pay-as-you-go basis.

    Cloud services also expand the traditional IT offerings to include things like the Internet of Things (IoT), machine learning (ML) and artificial intelligence (AI). Because services are provided over the internet, the cloud isn't constrained by physical infrastructure the same way that a traditional datacenter is.

    If you need to increase your IT infrastructure rapidly, you don't have to wait to build a new datacenter.



    CapEx vs OpEx in Azure



    CapEx (capital expenditure) is the classic old model. It's a huge one-time purchase of physical things the company owns for years: a whole building, a data center build-out, a fleet of vehicles, a giant rack of computer servers.

    These assets lose value over time. That's called depreciation. Cost type: upfront, one-time investment.

    OpEx (operational expenditure) involves paying for services on a usage-based, subscription model (e.g. pay-as-you-go virtual machines, storage costs, SaaS applications). Azure enables a shift to OpEx, enhancing flexibility, eliminating upfront costs, and improving agility.


    Why shift to OpEx in Azure?



    Quickly deploy resources without waiting for procurement, and pay only for what you use rather than buying for peak demand.

    It is easy to scale up or down as needs change.




    ☁️ Key Characteristics of Cloud Computing in Azure



    When using Microsoft Azure, you get several powerful capabilities:



    1. High Availability 



    High availability ensures that your applications are always up and running, with minimal downtime.


    👉 Azure achieves this using:

    • Multiple data centers (Regions)
    • Redundancy (backup systems)
    • Load balancing 


     

    Example : If one server fails, another automatically takes over.


    1) Redundancy - Azure provides high availability and durability by replicating data across multiple locations, protecting against hardware failures, data center outages, or regional disasters.

    Storage options such as Locally Redundant Storage (LRS), Zone-Redundant Storage (ZRS), and Geo-Redundant Storage (GRS) provide flexibility to balance cost with data protection needs.


    2) Load Balancer - A load balancer is a service or device that distributes incoming internal traffic across multiple servers to ensure no single server becomes overwhelmed. It helps improve the availability, reliability and performance of applications by balancing the load efficiently.




    2. Scalability



    Scalability means the ability to increase or decrease resources based on the demand.

    👉 Types:

    Vertical scaling -> Increase power (CPU, RAM)
    Horizontal scaling -> Add more servers


    📌 Example:

    Your website (hackingtruth.org) gets more users -> you add more virtual machines.



    3. Elasticity 

     

    Elasticity is automatic scaling in real-time.

    Difference from scalability :

    Scalability -> manual or planned
    Elasticity -> automatic and dynamic


    📌 Example:

    Traffic spikes during a sale -> Azure auto-scales resources -> traffic drops -> resources reduce automatically.





    4. Fault Tolerance 

     

    Fault tolerance ensures that a system continues to operate even if part of it fails.


    Azure uses :

    • Replication
    • Availability zones
    • Backup systems


    📌 Example:

    If one component crashes, the system still works without interruption.




    5. Disaster Recovery (DR)



    Disaster recovery is the ability to recover data and systems after a major failure.

    👉 Covers events like:

    Natural disasters
    Data center outages
    Cyber attacks


    📌 Azure solutions:

    Backup services
    Geo-redundancy
    Site Recovery

    📌 Example:

    Entire region goes down -> your app is restored in another region.



    Describe the shared responsibility model



    The shared responsibility model in Microsoft Azure defines who is responsible for what when using cloud services.

    Azure handles some part of security, and you as a customer handle the rest.


    With the shared responsibility model, these responsibilities get shared between the cloud provider and the consumer. Physical security, power, cooling, and network connectivity are the responsibility of the cloud provider. At the same time, the consumer is responsible for the data and the information stored in the cloud. The consumer is also responsible for access security, meaning you only give access to those who need it.



    For some things, the responsibility depends on the situation. If you're using a cloud SQL database:


    • Microsoft manages the cloud infrastructure.
    • You (customer) manage what you deploy and configure.




    ⚙️ Responsibilities Breakdown

    ☁️ Microsoft (Azure) is responsible for:



    • Physical data centers
    • Hardware (servers, storage, networking)
    • Physical Security
    • Power, cooling, and networking infrastructure.



    👉 This is often called:
    “Security OF the cloud”




    👤 You (Customer) are responsible for:


    • Data (your files, databases)
    • User access & identity (who can log in)
    • Applications you deploy
    • Configuration of services



    👉 This is often called:
    “Security IN the cloud”


    With an on-premises datacenter, you're responsible for everything. With cloud computing, those responsibilities shift. 


    • IaaS (Infrastructure as a service)
    • PaaS (Platform as a service)
    • SaaS (Software as a service)



    1) IaaS - Infrastructure as a service places the most responsibility on the consumer, with the cloud provider being responsible for the basics of physical security, power and connectivity.

    2) SaaS - Software as a service places most of the responsibility with the cloud provider. 

     

    3) PaaS - Platform as a service, being a middle ground between IaaS and SaaS, rests somewhere in the middle and evenly distributes responsibility between the cloud provider and the consumer.


    1. IaaS (Infrastructure as a service) 


    Example: Virtual Machines

    Azure -> Hardware, network
    You -> OS, updates, apps, security


    👉 You have maximum control + maximum responsibility


    2. PaaS (platform as a service)


    Example: App services, Azure SQL

    Azure -> OS, runtime, infrastructure
    You -> Application + data

    👉 Balanced responsibility


    3. SaaS (Software as a service)


    Example: Microsoft 365


    Azure -> almost everything
    You -> data + user access

    👉 Least responsibility for you



    📊 Simple Analogy



    Think of it like housing:

    • On-premises → You own the whole house 🏠
    • IaaS → You rent a house (you manage inside)
    • PaaS → You rent a furnished apartment
    • SaaS → You stay in a hotel




    🧾 Final One-Line Summary

    👉 Azure secures the infrastructure, you secure your data and configurations.




    Cloud Models 



    The cloud models define the deployment type of cloud resources. The main cloud models are: public, private and hybrid



    1. Public Cloud - A public cloud is owned and operated by a third party cloud provider, where services and resources are delivered over the internet. 



    👉 Examples:

     Gmail, Microsoft Azure, Dropbox etc.


    ✅ Key Features:

    No upfront hardware cost
    Pay-as-you-go pricing
    Highly scalable
    Managed by provider


    📌 Example:

    Hosting a website on Azure without owning any servers.




    2. Private Cloud



    A private cloud is used exclusively by a single organization. Private cloud provides much greater control for the company and its IT department. However, it also comes with greater cost and fewer of the benefits of a public cloud deployment. Finally, a private cloud may be hosted from your on-site datacenter.



    It can be:

    • On-premises (your own data center)
    • Or hosted by a cloud provider



    Key features:

    • Full control over infrastructure 
    • Higher security and customization
    • More expensive than public cloud




    📌 Example:

    A bank running its own secure data center.



    3. Hybrid Cloud 

    A hybrid cloud is a combination of public cloud + private cloud, allowing data and applications to be shared between them.



    Key features:

    • Flexibility
    • Data control + scalability
    • Best of both worlds



    📌 Example:

    • Sensitive data -> private cloud
    • Web apps -> public cloud




    📊 Visual Diagram (Blog-Ready)





                 


    🧾Final Takeaway



    • Public Cloud → Best for scalability and cost
    • Private Cloud → Best for control and security
    • Hybrid Cloud → Best for flexibility




     

     

     

  • Dell command update error

     

     



    Dell Command | Update error  

     

    Your screen shows a Dell Command | Update error because Dell Client Management Service (DCMS) is missing. The “dell.com not found” message is caused by a wrong/blocked link or a network issue.

    Let’s fix both properly 👇


     

    🔧 ✅ Step 1: Use Correct Download Method (Don’t click that link)


    Instead of clicking the popup link, do this manually:

    Open browser

    Go to:

    👉 https://www.dell.com/support/home 

    Then type your Service Tag number (from BIOS or sticker).

     

     

    You will get the System Model plus Support Services and Warranty details, for example that basic support ended on November 27, 2024.

     




     

     

    Go to:
    👉 Drivers & Downloads.

     

    Scroll down to Troubleshooting and Diagnostics, where you can download drivers or software updates.

    Click on it. 

     





    Search and install:

    • Dell Command | Update
    • Dell Client Management Service

     

     


     





     

     

    After that, search Windows again for Dell Command Update, and it now appears.

     

     


     

     

     

     


     

     

