MyCertStack logoMyCertStack

    Microsoft - Azure Solutions Architect Expert Study Guide

    1: Design identity, governance, and monitoring solutions

    This chapter equips the practising architect to design identity, governance, and observability solutions on Azure that satisfy specific business and regulatory constraints. It works through logging, monitoring, log routing, identity stores, authentication, authorization, hybrid access, governance hierarchies, tagging, Azure Policy, identity governance, and secret management at the depth required to pick the BEST option for a stated requirement.

    Learning Objectives

    By the end of this chapter, you will be able to:

    • Recommend a logging solution, including how applications obtain credentials to call Azure resources
    • Recommend a solution for monitoring resources, including how external identities of customers and business partners are managed
    • Recommend a solution for routing logs and metrics, including a management group, subscription, and resource group hierarchy
    • Recommend a solution for managing user identities, including a resource tagging strategy
    • Recommend a solution for authentication, including how Azure Policy enforces compliance
    • Recommend a solution for authorizing access to Azure resources, including identity governance with PIM, access reviews, and entitlement management
    • Recommend a solution for authorizing access to on-premises resources from Azure-hosted workloads
    • Recommend a solution to manage secrets, certificates, and keys

    Executive Summary

    • Identity, governance, and monitoring decisions sit upstream of every workload design. Wrong choices here cascade into compute, data, and network layers.
    • Microsoft Entra ID is the default identity plane for both Azure resources and SaaS, and managed identities remove the credential-rotation burden that service principals impose.
    • A Log Analytics workspace is the central log sink; Application Insights, Azure Monitor metrics, and diagnostic settings feed into it, and routing to Event Hubs, Storage, or a partner SIEM is configured per resource.
    • Azure Policy enforces configuration intent at scale; RBAC controls who acts; locks block accidental deletion; the management-group hierarchy is the scope on which all three operate.
    • Secret material belongs in Azure Key Vault with RBAC permissions or, where the workload demands stricter HSM, in Azure Key Vault Managed HSM.

    Assumptions

    • The reader has hands-on Azure administration experience at the AZ-104 level and recognizes resource group, subscription, and tenant scoping.
    • All recommendations target current Azure commercial cloud unless a sovereign cloud is named. Regional feature gating is called out where it changes the answer.
    • The chapter uses Microsoft Entra ID throughout; legacy names such as Azure Active Directory or AAD do not appear except when identifying a name to avoid.
    • Code samples use Bicep, Azure CLI, PowerShell, and ARM template fragments. They are illustrative configuration patterns, not production-ready modules.

    Sections in this chapter

    1. Free
    2. Free with account
    3. Free with account
    4. Free with account
    5. Free with account
    6. Free with account
    7. Free with account
    8. Free with account
    9. Free with account