Which PowerShell Commands Should I Know for AZ-104 Certification?
Recently, I appeared for the Microsoft Azure Administrator exam, AZ-104, and I passed with a good score. The most interesting thing during the preparation was the skills measured, which heavily emphasized configuration and implementation of Azure services. But there are many ways in which you can implement those cloud resources (like Azure CLI, PowerShell, Cloud Shell, SDK), so what should I learn if the exam set asks PowerShell-based questions?
So, during my preparation, I mostly deployed and tested Azure resources using Windows PowerShell commands, which helped me gain confidence while preparing for the AZ-104 exam.
1. Log in to Azure with an authenticated account for use with cmdlets from the Az PowerShell modules.
Login-AzAccount
2. Get & Select subscriptions that the current account can access.
Get-AzSubscription
Select-AzContext "Microsoft Azure Subscription"
# OR
Connect-AzAccount -Tenant 'xxxxxxx-xxxa-xxxx-xxxx-xxxxxxxxxxxx' -SubscriptionId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
3. This command creates an empty resource group and assigns tags to it. Use tags such as these to categorize resource groups for administration or budgeting.
# $ResourceGroups must contain one resource group name at this point
New-AzResourceGroup -Name $ResourceGroups -Location "Southeastasia" -Tag @{Type="Cost Saving"; Department="AP-R&D"}
4. This command creates multiple empty resource groups.
$Location = "Southeastasia"
$ResourceGroups = 'SEA-RG01','SEA-RG02','SEA-RG03'
foreach ($RG in $ResourceGroups)
{
    New-AzResourceGroup -Name $RG -Location $Location -Tag @{Type="Cost Saving"; Department="Research & Development"}
}
5. Remove multiple resource groups without confirmation.
foreach ($RRG in $ResourceGroups) { Remove-AzResourceGroup -Name $RRG -Force}
6. Lists all AD groups in a tenant
Get-AzADGroup
7. Create a new AD user.
$SecureStringPassword = ConvertTo-SecureString -String "P@ssw0rd@12345" -AsPlainText -Force
New-AzADUser -DisplayName "Thor Odinson" -UserPrincipalName "thor.odinson@avengers.com" -Password $SecureStringPassword -MailNickname "GodOfThunder"
8. Creates a new active directory group.
New-AzADGroup -DisplayName "Galaxy Gods" -MailNickname "Asgardians"
9. Add a user to a group by principal name.
Add-AzADGroupMember -MemberUserPrincipalName "thor.odinson@avengers.com" -TargetGroupDisplayName "Galaxy Gods"
Get-AzADGroupMember -GroupDisplayName "Galaxy Gods"
10. Remove a user by user principal name.
Remove-AzADUser -UserPrincipalName 'thor.odinson@avengers.com'
11. Remove an Azure AD group by piping.
Get-AzADGroup -ObjectId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' | Remove-AzADGroup
12. Add a guest user with PowerShell.
# New-AzureADMSInvitation comes from the AzureAD module, not from Az
New-AzureADMSInvitation -InvitedUserDisplayName "Loki" -InvitedUserEmailAddress 'Loki@frostgiants.com' -InviteRedirectURL 'https://myapps.microsoft.com' -SendInvitationMessage $true
13. Add a role assignment for a user at a resource group scope.
New-AzRoleAssignment -SignInName 'hulk@avengers.com' `
    -RoleDefinitionName "Contributor" `
    -ResourceGroupName "Avengers-Assemble"
14. Add role assignment for a user at a subscription scope.
New-AzRoleAssignment -SignInName 'hawkeye@avengers.com' `
    -RoleDefinitionName "Reader" `
    -Scope "/subscriptions/00000000-0000-0000-0000-000000000000"
15. Add role assignment for a user at a management group scope
New-AzRoleAssignment -SignInName "Nick.Fury@avengers.com" `
    -RoleDefinitionName "Billing Reader" `
    -Scope "/providers/Microsoft.Management/managementGroups/Avengers-group"
16. Get all billing accounts user has access to.
Get-AzBillingAccount
17. Get the latest invoice for the subscription.
Get-AzBillingInvoice -Latest
Get-AzBillingInvoice -GenerateDownloadUrl -MaxCount 10
18. Update a budget by a new amount with a budget name at the subscription level
Set-AzConsumptionBudget -Name "Avengers-Budget" -Amount 4100
19. Update a budget with a notification when cost or usage reaches a threshold of 90 percent of amount at subscription level
Set-AzConsumptionBudget -Name "Avengers-Budget" -NotificationKey notificationKey-Aa1234 -NotificationEnabled -NotificationThreshold 90 -ContactEmail "Nick.Fury@avengers.com","tony.stark@avengers.com" -ContactRole Owner,Reader,Contributor
20. Get locks at the resource group level or higher
Get-AzResourceLock -ResourceGroupName "Avengers-Assemble" -AtScope
21. Create a resource lock on a website
New-AzResourceLock -LockLevel CanNotDelete -LockNotes "Avengers Help Website" -LockName "AvengerSiteLock" -ResourceName "AvengerHelpWebSite" -ResourceType "microsoft.web/sites"
22. This command removes the lock named AvengerSiteLock.
Remove-AzResourceLock -LockName 'AvengerSiteLock' -ResourceGroupName "Avengers-Assemble" -ResourceName '/subscriptions/00000000-0000-0000-0000-00000000000000000/resourceGroups/Default-Storage-SouthCentralUS/providers/Microsoft.ClassicStorage/storageAccounts/mystorageaccount/providers/Microsoft.Authorization/locks/test' -ResourceType 'Microsoft.ClassicCompute/storageAccounts'
23. Get a list of application gateways in a resource group & subscription
Get-AzApplicationGateway -ResourceGroupName "ResourceGroup01"
Get-AzApplicationGateway
24. Create an application gateway
$ResourceGroup = New-AzResourceGroup -Name "ResourceGroup01" -Location "West US" -Tag @{Name = "Avengers"; Value = "Saviours"}
$Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix '10.0.0.0/24'
$VNet = New-AzVirtualNetwork -Name "VNet01" -ResourceGroupName "ResourceGroup01" -Location "West US" -AddressPrefix '10.0.0.0/16' -Subnet $Subnet
$VNet = Get-AzVirtualNetwork -Name "VNet01" -ResourceGroupName "ResourceGroup01"
$Subnet = Get-AzVirtualNetworkSubnetConfig -Name "Subnet01" -VirtualNetwork $VNet
$GatewayIPconfig = New-AzApplicationGatewayIPConfiguration -Name "GatewayIp01" -Subnet $Subnet
$Pool = New-AzApplicationGatewayBackendAddressPool -Name "Pool01" -BackendIPAddresses '10.10.10.1', '10.10.10.2', '10.10.10.3'
$PoolSetting = New-AzApplicationGatewayBackendHttpSettings -Name "PoolSetting01" -Port 80 -Protocol "Http" -CookieBasedAffinity "Disabled"
$FrontEndPort = New-AzApplicationGatewayFrontendPort -Name "FrontEndPort01" -Port 80
25. Create a public IP address
$PublicIp = New-AzPublicIpAddress -ResourceGroupName "ResourceGroup01" -Name "PublicIpName01" -Location "West US" -AllocationMethod "Dynamic"
$FrontEndIpConfig = New-AzApplicationGatewayFrontendIPConfig -Name "FrontEndConfig01" -PublicIPAddress $PublicIp
$Listener = New-AzApplicationGatewayHttpListener -Name "ListenerName01" -Protocol "Http" -FrontendIpConfiguration $FrontEndIpConfig -FrontendPort $FrontEndPort
$Rule = New-AzApplicationGatewayRequestRoutingRule -Name "Rule01" -RuleType basic -BackendHttpSettings $PoolSetting -HttpListener $Listener -BackendAddressPool $Pool
$Sku = New-AzApplicationGatewaySku -Name "Standard_Small" -Tier Standard -Capacity 2
$Gateway = New-AzApplicationGateway -Name "AppGateway01" -ResourceGroupName "ResourceGroup01" -Location "West US" -BackendAddressPools $Pool -BackendHttpSettingsCollection $PoolSetting -FrontendIpConfigurations $FrontEndIpConfig -GatewayIpConfigurations $GatewayIpConfig -FrontendPorts $FrontEndPort -HttpListeners $Listener -RequestRoutingRules $Rule -Sku $Sku
26. Create a back-end address pool by using the IP address of a back-end server
# IP addresses go in -BackendIPAddresses; -BackendFqdns is for host names
$Pool = New-AzApplicationGatewayBackendAddressPool -Name "Pool02" -BackendIPAddresses "10.10.10.10", "10.10.10.11"
27. Create a static private IP as the front-end IP address
$VNet = Get-AzVirtualNetwork -Name "VNet01" -ResourceGroupName "ResourceGroup01"
$Subnet = Get-AzVirtualNetworkSubnetConfig -Name "Subnet01" -VirtualNetwork $VNet
$FrontEnd = New-AzApplicationGatewayFrontendIPConfig -Name "FrontendIP02" -Subnet $Subnet -PrivateIPAddress 10.0.1.1
28. Create a front-end IP configuration using a public IP resource object
$PublicIP = New-AzPublicIpAddress -ResourceGroupName "ResourceGroup01" -Name "PublicIP01" -Location "West US" -AllocationMethod 'Static'
$FrontEnd = New-AzApplicationGatewayFrontendIPConfig -Name "FrontEndIP01" -PublicIPAddress $PublicIP
29. Start & Stop an application gateway
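# -ApplicationGateway takes a gateway object, so fetch it first ('<resource-group>' is a placeholder)
$AppGw = Get-AzApplicationGateway -Name 'xyz-apgw' -ResourceGroupName '<resource-group>'
$AppGwStart = Start-AzApplicationGateway -ApplicationGateway $AppGw
$AppGwStop = Stop-AzApplicationGateway -ApplicationGateway $AppGw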
30. Create a detailed network security group
# rdp-rule opens TCP 3389 to the Internet service tag; outside a lab, narrow -SourceAddressPrefix or reach the VM through Azure Bastion (items 35-39)
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'rdp-rule' -Description "Allow RDP" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix `
    Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
$rule2 = New-AzNetworkSecurityRuleConfig -Name 'web-rule' -Description "Allow HTTP" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 -SourceAddressPrefix `
    Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80
$webnsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGrp -Location $location -Name "NSG-FrontEnd" -SecurityRules $rule1,$rule2
31. Add a network security group to a subnet
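# Keep WebSubnet's own prefix from item 32 (172.21.1.0/24); Set-AzVirtualNetwork writes the change to Azure
Set-AzVirtualNetworkSubnetConfig -Name 'WebSubnet' -VirtualNetwork $VnetSetup05 -AddressPrefix "172.21.1.0/24" -NetworkSecurityGroup $webnsg | Set-AzVirtualNetwork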
32. Create a virtual network with two subnets
$ResourceGrp = 'SEA-RG03'
$location = 'southeastasia'
$Subnet01 = New-AzVirtualNetworkSubnetConfig -Name 'WebSubnet' -AddressPrefix "172.21.1.0/24"
$Subnet02 = New-AzVirtualNetworkSubnetConfig -Name 'DBSubnet' -AddressPrefix "172.21.2.0/24"
$VnetSetup05 = New-AzVirtualNetwork -Name 'vnet05' -ResourceGroupName $ResourceGrp -Location $location -AddressPrefix "172.21.0.0/16" -Subnet $Subnet01,$Subnet02
33. List and export all NSGs with their rules to a local folder
# Az module cmdlets; the AzureRM names (Get-AzureRmSubscription, Select-AzureRmSubscription, Get-AzureRmNetworkSecurityGroup) are the older equivalents
$subs = Get-AzSubscription
foreach ($sub in $subs) {
    Set-AzContext -Subscription $sub.Id
    $nsgs = Get-AzNetworkSecurityGroup
    $exportPath = 'C:\tempfolder03'
34. Backup nsgs to csv
    # Still inside the foreach ($sub in $subs) loop opened under item 33
    foreach ($nsg in $nsgs) {
        New-Item -ItemType file -Path "$exportPath\$($nsg.Name).csv" -Force
        $nsgRules = $nsg.SecurityRules
        foreach ($nsgRule in $nsgRules) {
            # Multi-valued fields are joined with commas so each rule fits on one CSV row
            $nsgRule | Select-Object Name,Description,Priority,
                @{Name='SourceAddressPrefix';Expression={[string]::join(",", ($_.SourceAddressPrefix))}},
                @{Name='SourcePortRange';Expression={[string]::join(",", ($_.SourcePortRange))}},
                @{Name='DestinationAddressPrefix';Expression={[string]::join(",", ($_.DestinationAddressPrefix))}},
                @{Name='DestinationPortRange';Expression={[string]::join(",", ($_.DestinationPortRange))}},
                Protocol,Access,Direction |
                Export-Csv "$exportPath\$($nsg.Name).csv" -NoTypeInformation -Encoding ASCII -Append
        }
    }
}
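One use for the exported CSV, as an added example that is not part of the original post: scan the rows for inbound Allow rules that open SSH or RDP to any source, like `rdp-rule` in item 30. The sample rows, the function names and the choice of ports 22 and 3389 are assumptions made for illustration; the column names match the export above.

```powershell
# Constructed sample rows using the column names written by the NSG export.
$sampleCsv = @'
Name,Priority,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol,Access,Direction
rdp-rule,100,Internet,*,*,3389,Tcp,Allow,Inbound
web-rule,101,Internet,*,*,80,Tcp,Allow,Inbound
ssh-range,110,*,*,*,"20-25,8080",Tcp,Allow,Inbound
admin-lan,120,10.0.0.0/24,*,*,3389,Tcp,Allow,Inbound
deny-all,4000,*,*,*,*,*,Deny,Inbound
'@

# Hypothetical helper: does a port spec such as "*", "3389" or "20-25,8080" cover $Port?
function Test-PortInRange {
    param([string]$PortSpec, [int]$Port)
    foreach ($part in ($PortSpec -split ',')) {
        $part = $part.Trim()
        if ($part -eq '*') { return $true }
        if ($part -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($part -match '^\d+$' -and [int]$part -eq $Port) { return $true }
    }
    return $false
}

# Hypothetical helper: return inbound Allow rules whose source is unrestricted
# and whose destination ports include a management port.
function Find-ExposedManagementRule {
    param(
        [Parameter(Mandatory)] [object[]]$Rule,
        [int[]]$ManagementPort = @(22, 3389)   # assumption: SSH and RDP
    )
    $openSources = @('*', 'Internet', '0.0.0.0/0')
    foreach ($r in $Rule) {
        if ($r.Access -ne 'Allow' -or $r.Direction -ne 'Inbound') { continue }
        $sources = ($r.SourceAddressPrefix -split ',') | ForEach-Object { $_.Trim() }
        if (-not ($sources | Where-Object { $openSources -contains $_ })) { continue }
        $hit = $ManagementPort | Where-Object { Test-PortInRange -PortSpec $r.DestinationPortRange -Port $_ }
        if ($hit) {
            [pscustomobject]@{ Name = $r.Name; Priority = [int]$r.Priority; Ports = $hit -join ',' }
        }
    }
}

$rules = $sampleCsv | ConvertFrom-Csv
# Flags rdp-rule (3389) and ssh-range (22); admin-lan is skipped because its source is a private range.
Find-ExposedManagementRule -Rule $rules | Sort-Object Priority | Format-Table -AutoSize
```

To run it against a real export, replace the sample with `Import-Csv "$exportPath\<nsg-name>.csv"`.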
35. The Get-AzBastion cmdlet gets one or more bastions in a resource group or subscription.
Get-AzBastion
36. Create a virtual network with two subnets
$ResourceGrp = 'SEA-RG02'
$location = 'southeastasia'
$firewallSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix "172.20.1.0/24"
$VnetSetup = New-AzVirtualNetwork -Name 'vnet04' -ResourceGroupName $ResourceGrp -Location $location -AddressPrefix "172.20.0.0/16" -Subnet $firewallSubnet
37. Create a new public IP address
$publicIpName = 'azbastionpip'
$publicIp = New-AzPublicIpAddress -Name $publicIpName -ResourceGroupName $ResourceGrp -AllocationMethod 'Static' -Location $location -Sku Standard
38. Creates a bastion resource
$bastion = New-AzBastion -ResourceGroupName $ResourceGrp -Name "test-Bastion02" -PublicIpAddressName $publicIpName -PublicIpAddressRgName $ResourceGrp -VirtualNetworkName 'vnet04' -VirtualNetworkRgName $ResourceGrp
39. Remove a bastion resource
Remove-AzBastion -ResourceGroupName $ResourceGrp -Name "test-Bastion02" -Force
40. Retrieve all Firewalls in a resource group
Get-AzFirewall -ResourceGroupName 'SEA-RG03'
41. Create a virtual network with two subnets
$ResourceGrp = 'SEA-RG02'
$location = 'southeastasia'
$firewallSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix "172.20.1.0/24"
$VnetSetup = New-AzVirtualNetwork -Name 'vnet04' -ResourceGroupName $ResourceGrp -Location $location -AddressPrefix "172.20.0.0/16" -Subnet $firewallSubnet
42. Create a new public IP address
$publicIpName = 'azfirewallpip'
$publicIp = New-AzPublicIpAddress -Name $publicIpName -ResourceGroupName $ResourceGrp -AllocationMethod 'Static' -Location $location -Sku Standard
43. Create a Firewall attached to a virtual network
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGrp -Name "vnet04"
$pip = Get-AzPublicIpAddress -ResourceGroupName $ResourceGrp -Name "azfirewallpip"
New-AzFirewall -Name "azFw007" -ResourceGroupName $ResourceGrp -Location $location -VirtualNetwork $vnet -PublicIpAddress $pip
44. Create a rule to allow all HTTPS traffic from 10.0.0.0
New-AzFirewallApplicationRule -Name "https-rule" -Protocol "https:443" -TargetFqdn "*" -SourceAddress "172.20.0.0/24"
45. Backup Variables
$brvault = "tempvault"
46. Set up and register Recovery Vault
Get-Command *azrecoveryservices*
Register-AzResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
Get-AzResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
47. View the vaults in a subscription
Get-AzRecoveryServicesVault
48. Create a Recovery Services vault
New-AzRecoveryServicesVault -Name $brvault -ResourceGroupName $ResourceGrp -Location $location
49. Set vault context
Get-AzRecoveryServicesVault -Name $brvault -ResourceGroupName $ResourceGrp | Set-AzRecoveryServicesVaultContext
50. Modifying storage replication settings
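# -Vault expects the vault object, not its name
$vault = Get-AzRecoveryServicesVault -Name $brvault -ResourceGroupName $ResourceGrp
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant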
51. Restoring an Azure VM (select the VM, choose a recovery point, restore the disks, create the VM from stored disks)
51.1. Select the VM (when restoring files)
# -VaultId needs the vault object's ID; $brvault only holds the vault name
$vault = Get-AzRecoveryServicesVault -Name $brvault -ResourceGroupName $ResourceGrp
$namedContainer = Get-AzRecoveryServicesBackupContainer -ContainerType "AzureVM" -Status "Registered" -FriendlyName "V2VM" -VaultId $vault.ID
$backupitem = Get-AzRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM" -VaultId $vault.ID
51.2. Choose a recovery point (when restoring files)
$startDate = (Get-Date).AddDays(-7)
$endDate = Get-Date
$rp = Get-AzRecoveryServicesBackupRecoveryPoint -Item $backupitem -StartDate $startDate.ToUniversalTime() -EndDate $endDate.ToUniversalTime() -VaultId $vault.ID
$rp[0]
51.3. Restore the disks
$restorejob = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp[0] -StorageAccountName "mystorageaccount1234" -StorageAccountResourceGroupName $ResourceGrp -VaultId $vault.ID
$restorejob
51.4. Restore managed disks
$restorejob = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp[0] -StorageAccountName "mystorageaccount1234" -StorageAccountResourceGroupName $ResourceGrp -TargetResourceGroupName $ResourceGrp -VaultId $vault.ID
$details = Get-AzRecoveryServicesBackupJobDetails -Job $restorejob -VaultId $vault.ID
52. Get the resource group that the virtual machine must be created in when failed over.
$RecoveryRG = Get-AzResourceGroup -Name "a2ademorecoveryrg" -Location "West US 2"
53. Specify replication properties for each disk of the VM that is to be replicated (create disk replication configuration)
53.1. OsDisk
$OSdiskId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
$RecoveryOSDiskAccountType = $vm.StorageProfile.OsDisk.ManagedDisk.StorageAccountType
$RecoveryReplicaDiskAccountType = $vm.StorageProfile.OsDisk.ManagedDisk.StorageAccountType
$OSDiskReplicationConfig = New-AzRecoveryServicesAsrAzureToAzureDiskReplicationConfig -ManagedDisk -LogStorageAccountId $EastUSCacheStorageAccount.Id `
    -DiskId $OSdiskId -RecoveryResourceGroupId $RecoveryRG.ResourceId -RecoveryReplicaDiskAccountType $RecoveryReplicaDiskAccountType `
    -RecoveryTargetDiskAccountType $RecoveryOSDiskAccountType
53.2. Data disk
$datadiskId1 = $vm.StorageProfile.DataDisks[0].ManagedDisk.Id
$RecoveryReplicaDiskAccountType = $vm.StorageProfile.DataDisks[0].ManagedDisk.StorageAccountType
$RecoveryTargetDiskAccountType = $vm.StorageProfile.DataDisks[0].ManagedDisk.StorageAccountType
$DataDisk1ReplicationConfig = New-AzRecoveryServicesAsrAzureToAzureDiskReplicationConfig -ManagedDisk -LogStorageAccountId $EastUSCacheStorageAccount.Id `
    -DiskId $datadiskId1 -RecoveryResourceGroupId $RecoveryRG.ResourceId -RecoveryReplicaDiskAccountType $RecoveryReplicaDiskAccountType `
    -RecoveryTargetDiskAccountType $RecoveryTargetDiskAccountType
53.3. Create a list of disk replication configuration objects for the disks of the virtual machine that are to be replicated.
$diskconfigs = @()
$diskconfigs += $OSDiskReplicationConfig, $DataDisk1ReplicationConfig
53.4. Start replication by creating a replication protected item. A GUID is used as the name of the replication protected item to ensure the name is unique.
$TempASRJob = New-AzRecoveryServicesAsrReplicationProtectedItem -AzureToAzure -AzureVmId $VM.Id -Name (New-Guid).Guid -ProtectionContainerMapping $EusToWusPCMapping -AzureToAzureDiskReplicationConfiguration $diskconfigs -RecoveryResourceGroupId $RecoveryRG.ResourceId
54. Display the status of the default rule for the storage account.
$mystorageaccount = "iamlittle01"
$StrgResGrp = "SEA-RG01"
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $StrgResGrp -AccountName $mystorageaccount).DefaultAction
55. Set the default rule to deny network access by default.
# Deny blocks all traffic that no network rule explicitly allows
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $StrgResGrp -Name $mystorageaccount -DefaultAction Deny
56. List virtual network rules.
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $StrgResGrp -AccountName $mystorageaccount).VirtualNetworkRules
57. Enable service endpoint for Azure Storage on an existing virtual network and subnet.
Get-AzVirtualNetwork -ResourceGroupName "SEA-RG02" -Name "vnet04" | Set-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "172.20.1.0/24" -ServiceEndpoint "Microsoft.Storage" | Set-AzVirtualNetwork
58. Add a network rule for a virtual network and subnet.
$subnet = Get-AzVirtualNetwork -ResourceGroupName "SEA-RG02" -Name "vnet04" | Get-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet"
Add-AzStorageAccountNetworkRule -ResourceGroupName "SEA-RG01" -Name "$mystorageaccount" -VirtualNetworkResourceId $subnet.Id
59. Create a storage account
$strgrg = "SEA-RG02"
$strglocation = "southeastasia"
$strgname = "littlestrg010"
New-AzStorageAccount -ResourceGroupName $strgrg `
    -Name $strgname `
    -Location $strglocation `
    -SkuName Standard_LRS `
    -Kind StorageV2
60. View account access keys & Manually rotate access keys
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $strgrg -Name $strgname).Value[0]
# Regenerating key1 invalidates the value read above; read the key again afterwards
New-AzStorageAccountKey -ResourceGroupName $strgrg -Name $strgname -KeyName key1
For more details on Azure PowerShell (PSVersion = 5.2.0), please refer to the Microsoft link: PS Cmdlet.