Learning Objectives
By the end of this chapter, you will be able to:
- Recommend a logging solution, including how applications obtain credentials to call Azure resources
- Recommend a solution for monitoring resources, including how external identities of customers and business partners are managed
- Recommend a solution for routing logs and metrics, including a management group, subscription, and resource group hierarchy
- Recommend a solution for managing user identities, including a resource tagging strategy
- Recommend a solution for authentication, including how Azure Policy enforces compliance
- Recommend a solution for authorizing access to Azure resources, including identity governance with PIM, access reviews, and entitlement management
- Recommend a solution for authorizing access to on-premises resources from Azure-hosted workloads
- Recommend a solution to manage secrets, certificates, and keys
Executive Summary
- Identity, governance, and monitoring decisions sit upstream of every workload design. Wrong choices here cascade into compute, data, and network layers.
- Microsoft Entra ID is the default identity plane for both Azure resources and SaaS, and managed identities remove the credential-rotation burden that service principals impose.
- A Log Analytics workspace is the central log sink; Application Insights, Azure Monitor metrics, and diagnostic settings feed into it, and routing to Event Hubs, Storage, or a partner SIEM is configured per resource.
- Azure Policy enforces configuration intent at scale; RBAC controls who acts; locks block accidental deletion; the management-group hierarchy is the scope on which all three operate.
- Secret material belongs in Azure Key Vault with RBAC permissions or, where the workload demands stricter HSM, in Azure Key Vault Managed HSM.
Assumptions
- The reader has hands-on Azure administration experience at the AZ-104 level and recognizes resource group, subscription, and tenant scoping.
- All recommendations target current Azure commercial cloud unless a sovereign cloud is named. Regional feature gating is called out where it changes the answer.
- The chapter uses Microsoft Entra ID throughout; legacy names such as Azure Active Directory or AAD do not appear except when identifying a name to avoid.
- Code samples use Bicep, Azure CLI, PowerShell, and ARM template fragments. They are illustrative configuration patterns, not production-ready modules.
