A Computer Guru

Home / Archives For July 2021

Monday, July 19, 2021

Manage Governance via Azure Policy

July 19, 2021

Objectives

In this lab, we will:

Task 1: Create and assign tags via the Azure portal
Task 2: Enforce tagging via an Azure policy
Task 3: Apply tagging via an Azure policy

Task 1: Assign tags via the Azure portal

In this task, you will create and assign a tag to an Azure resource group via the Azure portal.

In the Azure portal, start a PowerShell session within the Cloud Shell.
If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and click Create storage.
From the Cloud Shell pane, run the following to identify the name of the storage account used by Cloud Shell:
```
powershell
df
```
In the output of the command, note the first part of the fully qualified path designating the Cloud Shell home drive mount (marked here as xxxxxxxxxxxxxx:
```
//xxxxxxxxxxxxxx.file.core.windows.net/cloudshell   (..)  /usr/csuser/clouddrive
```
In the Azure portal, search and select Storage accounts and, in the list of the storage accounts, click the entry representing the storage account you identified in the previous step.
On the storage account blade, click the link representing the name of the resource group containing the storage account.
[!note] note what resource group the storage account is in, you'll need it later in the lab.
On the resource group blade, click Tags.
Create a tag with the following settings and save your change:
Setting Value
Name Role
Value Infra
Navigate back to the storage account blade. Review the Overview information and note that the new tag was not automatically assigned to the storage account.

Setting	Value
Name	Role
Value	Infra

Task 2: Enforce tagging via an Azure policy

In this task, you will assign the built-in Require a tag and its value on resources policy to the resource group and evaluate the outcome.

In the Azure portal, search for and select Policy.
In the Authoring section, click Definitions. Take a moment to browse through the list of built-in policy definitions that are available for you to use. List all built-in policies that involve the use of tags by selecting the Tags entry (and de-selecting all other entries) in the Category drop-down list.
Click the entry representing the Require a tag and its value on resources built-in policy and review its definition.
On the Require a tag and its value on resources built-in policy definition blade, click Assign.
Specify the Scope by clicking the ellipsis button and selecting the following values:
Setting Value
Subscription the name of the Azure subscription you are using in this lab
Resource Group the name of the resource group containing the Cloud Shell account you identified in the previous task
A scope determines the resources or resource groups where the policy assignment takes effect. You could assign policies on the management group, subscription, or resource group level. You also have the option of specifying exclusions, such as individual subscriptions, resource groups, or resources (depending on the assignment scope).
Configure the Basics properties of the assignment by specifying the following settings (leave others with their defaults):
Setting Value
Assignment name Require Role tag with Infra value
Description Require Role tag with Infra value for all resources in the Cloud Shell resource group
Policy enforcement Enabled
The Assignment name is automatically populated with the policy name you selected, but you can change it. You can also add an optional Description. Assigned by is automatically populated based on the user name creating the assignment.
Click Next and set Parameters to the following values:
Setting Value
Tag Name Role
Tag Value Infra
Click Next and review the Remediation tab. Leave the Create a Managed Identity checkbox unchecked.
This setting can be used when the policy or initiative includes the deployIfNotExists or Modify effect.
Click Review + Create and then click Create.
Now you will verify that the new policy assignment is in effect by attempting to create another Azure Storage account in the resource group without explicitly adding the required tag.
It might take between 5 and 15 minutes for the policy to take effect.
Navigate back to the blade of the resource group hosting the storage account used for the Cloud Shell home drive, which you identified in the previous task.
On the resource group blade, click + Add and then + Marketplace.
On the New blade, search for and select Storage account, and click Create.
On the Basics tab of the Create storage account blade, verify that you are using the Resource Group that the Policy was applied to and specify the following settings (leave others with their defaults), click Review + create and then click Create:
Setting Value
Storage account name any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter
Once you create the deployment, you should see the Deployment failed message in the Notifications list of the portal. From the Notifications list, navigate to the deployment overview and click the Deployment failed. Click here for details message to identify the reason for the failure.
Verify whether the error message states that the resource deployment was disallowed by the policy.
By clicking the Raw Error tab, you can find more details about the error, including the name of the role definition Require Role tag with Infra value. The deployment failed because the storage account you attempted to create did not have a tag named Role with its value set to Infra.

Setting	Value
Subscription	the name of the Azure subscription you are using in this lab
Resource Group	the name of the resource group containing the Cloud Shell account you identified in the previous task

Setting	Value
Assignment name	Require Role tag with Infra value
Description	Require Role tag with Infra value for all resources in the Cloud Shell resource group
Policy enforcement	Enabled

Setting	Value
Tag Name	Role
Tag Value	Infra

Setting	Value
Storage account name	any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter

Task 3: Apply tagging via an Azure policy

In this task, we will use a different policy definition to remediate any non-compliant resources.

In the Azure portal, search for and select Policy.
In the Authoring section, click Assignments.
In the list of assignments, right click the ellipsis icon in the row representing the Require Role tag with Infra value policy assignment and use the Delete assignment menu item to delete the assignment.
Click Assign policy and specify the Scope by clicking the ellipsis button and selecting the following values:
Setting Value
Subscription the name of the Azure subscription you are using in this lab
Resource Group the name of the resource group containing the Cloud Shell account you identified in the first task
To specify the Policy definition, click the ellipsis button and then search for and select Inherit a tag from the resource group if missing.

Setting	Value
Subscription	the name of the Azure subscription you are using in this lab
Resource Group	the name of the resource group containing the Cloud Shell account you identified in the first task

Configure the remaining Basics properties of the assignment by specifying the following settings (leave others with their defaults):

Setting	Value
Assignment name	Inherit the Role tag and its Infra value from the Cloud Shell resource group if missing
Description	Inherit the Role tag and its Infra value from the Cloud Shell resource group if missing
Policy enforcement	Enabled

Click Next and set Parameters to the following values:
Setting Value
Tag Name Role
Click Next and, on the Remediation tab, configure the following settings (leave others with their defaults):
Setting Value
Create a remediation task enabled
Policy to remediate Inherit a tag from the resource group if missing
This policy definition includes the Modify effect.
Click Review + Create and then click Create.
To verify that the new policy assignment is in effect, you will create another Azure Storage account in the same resource group without explicitly adding the required tag.
It might take between 5 and 15 minutes for the policy to take effect.
Navigate back to the blade of the resource group hosting the storage account used for the Cloud Shell home drive, which you identified in the first task.
On the resource group blade, click + Add and + Marketplace.
On the New blade, search for and select Storage account, and click Create.
On the Basics tab of the Create storage account blade, verify that you are using the Resource Group that the Policy was applied to and specify the following settings (leave others with their defaults) and click Review + create:
Setting Value
Storage account name any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter
Verify that this time the validation passed and click Create.
Once the new storage account is provisioned, click Go to resource button and, on the Overview blade of the newly created storage account, note that the tag Role with the value Infra has been automatically assigned to the resource.

Setting	Value
Tag Name	Role

Setting	Value
Create a remediation task	enabled
Policy to remediate	Inherit a tag from the resource group if missing

Setting	Value
Storage account name	any globally unique combination of between 3 and 24 lower case letters and digits, starting with a letter

Clean up resources

Remember to remove any newly created Azure resources that you no longer use.

Removing unused resources ensures you will not see unexpected charges, although keep in mind that Azure policies do not incur extra cost.

In the portal, search for and select Policy.
In the Authoring section, click Assignments, click the ellipsis icon to the right of the assignment you created in the previous task and click Delete assignment.
In the portal, search for and select Storage accounts.
In the list of storage accounts, select the resource group corresponding to the storage account you created in the last task of this lab. Select Tags and click Delete (Trash can to the right) to the Role:Infra tag and press Save.
In the portal, again search for and select Storage accounts or use the menu at the top to select Storage accounts
In the list of storage accounts, select the storage account you created in the last task of this lab, click Delete, when prompted for the confirmation, in the Confirm delete type yes and click Delete.

Review

In this lab, you have:

Created and assigned tags via the Azure portal
Enforced tagging via an Azure policy
Applied tagging via an Azure policy

Sunday, July 18, 2021

Manage Azure Active Directory Identities

July 18, 2021

Objectives

In this lab, you will:

Task 1: Create and configure Azure AD users
Task 2: Create Azure AD groups with assigned and dynamic membership
Task 3: Create an Azure Active Directory (AD) tenant
Task 4: Manage Azure AD guest users

Task 1: Create and configure Azure AD users

In this task, you will create and configure Azure AD users.

If you have previously used the Trial license for Azure AD Premium on this Azure AD Tenant you will need a new Azure AD Tenant or perform the Task 2 after Task 3 in that new Azure AD tenant.

Sign in to the https://portal.azure.com.
In the Azure portal, search for and select Azure Active Directory.
On the Azure Active Directory blade, scroll down to the Manage section, click User settings, and review available configuration options.
On the Azure Active Directory blade, in the Manage section, click Users, and then click your user account to display its Profile settings.
Click edit, in the Settings section, set Usage location to United States and click save to apply the change.
This is necessary in order to assign an Azure AD Premium P2 license to your user account later in this lab.
Navigate back to the Users - All users blade, and then click + New user.
Create a new user with the following settings (leave others with their defaults):
Setting Value
User name az104-01a-aaduser1
Name az104-01a-aaduser1
Let me create the password enabled
Initial password Pa55w.rd124
Usage location United States
Job title Cloud Administrator
Department IT
Copy to clipboard the full User Principal Name (user name plus domain). You will need it later in this task.
In the list of users, click the newly created user account to display its blade.
Review the options available in the Manage section and note that you can identify the Azure AD roles assigned to the user account as well as the user account's permissions to Azure resources.
In the Manage section, click Assigned roles, then click + Add assignment button and assign the User administrator role to az104-01a-aaduser1.
You also have the option of assigning Azure AD roles when provisioning a new user.
Open an InPrivate browser window and sign in to the https://portal.azure.com using the newly created user account. When prompted to update the password, change the password for the user to Pa55w.rd1234.
Rather than typing the user name (including the domain name), you can paste the content of Clipboard.
In the InPrivate browser window, in the Azure portal, search for and select Azure Active Directory.
While this user account can access the Azure Active Directory tenant, it does not have any access to Azure resources. This is expected, since such access would need to be granted explicitly by using Azure Role-Based Access Control.
In the InPrivate browser window, on the Azure AD blade, scroll down to the Manage section, click User settings, and note that you do not have permissions to modify any configuration options.
In the InPrivate browser window, on the Azure AD blade, in the Manage section, click Users, and then click + New user.
Create a new user with the following settings (leave others with their defaults):
Setting Value
User name az104-01a-aaduser2
Name az104-01a-aaduser2
Let me create the password enabled
Initial password Pa55w.rd124
Usage location United States
Job title System Administrator
Department IT
Sign out as the az104-01a-aaduser1 user from the Azure portal and close the InPrivate browser window.

Setting	Value
User name	az104-01a-aaduser1
Name	az104-01a-aaduser1
Let me create the password	enabled
Initial password	Pa55w.rd124
Usage location	United States
Job title	Cloud Administrator
Department	IT

Setting	Value
User name	az104-01a-aaduser2
Name	az104-01a-aaduser2
Let me create the password	enabled
Initial password	Pa55w.rd124
Usage location	United States
Job title	System Administrator
Department	IT

Task 2: Create Azure AD groups with assigned and dynamic membership

In this task, you will create Azure Active Directory groups with assigned and dynamic membership.

Back in the Azure portal where you are signed in with your user account, navigate back to the Overview blade of the Azure AD tenant and, in the Manage section, click Licenses.
Azure AD Premium P1 or P2 licenses are required in order to implement dynamic groups.
In the Manage section, click All products.
Click + Try/Buy and activate the free trial of Azure AD Premium P2.
Refresh the browser window to verify that the activation was successful.
From the Licenses - All products blade, select the Azure Active Directory Premium P2 entry, and assign all license options of Azure AD Premium P2 to your user account and the two newly created user accounts.
In the Azure portal, navigate back to the Azure AD tenant blade and click Groups.
Use the + New group button to create a new group with the following settings:
Setting Value
Group type Security
Group name IT Cloud Administrators
Group description Contoso IT cloud administrators
Membership type Dynamic User
If the Membership type drop-down list is grayed out, wait a few minutes and refresh the browser page.
Click Add dynamic query.
On the Configure Rules tab of the Dynamic membership rules blade, create a new rule with the following settings:
Setting Value
Property jobTitle
Operator Equals
Value Cloud Administrator
Save the rule and, back on the New Group blade, click Create.
Back on the Groups - All groups blade of the Azure AD tenant, click the + New group button and create a new group with the following settings:
Setting Value
Group type Security
Group name IT System Administrators
Group description Contoso IT system administrators
Membership type Dynamic User
Click Add dynamic query.
On the Configure Rules tab of the Dynamic membership rules blade, create a new rule with the following settings:
Setting Value
Property jobTitle
Operator Equals
Value System Administrator
Save the rule and, back on the New Group blade, click Create.
Back on the Groups - All groups blade of the Azure AD tenant, click the + New group button, and create a new group with the following settings:
Setting Value
Group type Security
Group name IT Lab Administrators
Group description Contoso IT Lab administrators
Membership type Assigned
Click No members selected.
From the Add members blade, search and select the IT Cloud Administrators and IT System Administrators groups and, back on the New Group blade, click Create.
Back on the Groups - All groups blade, click the entry representing the IT Cloud Administrators group and, on then display its Members blade. Verify that the az104-01a-aaduser1 appears in the list of group members.
You might experience delays with updates of the dynamic membership groups. To expedite the update, navigate to the group blade, display its Dynamic membership rules blade, Edit the rule listed in the Rule syntax textbox by adding a whitespace at the end, and Save the change.
Navigate back to the Groups - All groups blade, click the entry representing the IT System Administrators group and, on then display its Members blade. Verify that the az104-01a-aaduser2 appears in the list of group members.

Setting	Value
Group type	Security
Group name	IT Cloud Administrators
Group description	Contoso IT cloud administrators
Membership type	Dynamic User

Setting	Value
Property	jobTitle
Operator	Equals
Value	Cloud Administrator

Setting	Value
Group type	Security
Group name	IT System Administrators
Group description	Contoso IT system administrators
Membership type	Dynamic User

Setting	Value
Property	jobTitle
Operator	Equals
Value	System Administrator

Setting	Value
Group type	Security
Group name	IT Lab Administrators
Group description	Contoso IT Lab administrators
Membership type	Assigned

Task 3: Create an Azure Active Directory (AD) tenant

In this task, you will create a new Azure AD tenant.

In the Azure portal, search for and select Azure Active Directory.
Click + Create a tenant and specify the following setting:
Setting Value
Directory type Azure Active Directory
Click Next : Configuration
Setting Value
Organization name Contoso Lab
Initial domain name any valid DNS name consisting of lower case letters and digits and starting with a letter
Country/Region United States
The Initial domain name should not be a legitimate name that potentially matches your organization or another. The green check mark in the Initial domain name text box will indicate that the domain name you typed in is valid and unique.
Click Review + create and then click Create.
Display the blade of the newly created Azure AD tenant by using the Click here to navigate to your new tenant: Contoso Lab link or the Directory + Subscription button (directly to the right of the Cloud Shell button) in the Azure portal toolbar.

Setting	Value
Directory type	Azure Active Directory

Setting	Value
Organization name	Contoso Lab
Initial domain name	any valid DNS name consisting of lower case letters and digits and starting with a letter
Country/Region	United States

Task 4: Manage Azure AD guest users.

In this task, you will create Azure AD guest users and grant them access to resources in an Azure subscription.

In the Azure portal displaying the Contoso Lab Azure AD tenant, in the Manage section, click Users, and then click + New user.
Create a new user with the following settings (leave others with their defaults):
Setting Value
User name az104-01b-aaduser1
Name az104-01b-aaduser1
Let me create the password enabled
Initial password Pa55w.rd124
Job title System Administrator
Department IT
Click on the newly created profile.
Copy to clipboard the full User Principal Name (user name plus domain). You will need it later in this task.
Switch back to your default Azure AD tenant by using the Directory + Subscription button (directly to the right of the Cloud Shell button) in the Azure portal toolbar.
Navigate back to the Users - All users blade, and then click + New guest user.
Create a new guest user with the following settings (leave others with their defaults):
Setting Value
Name az104-01b-aaduser1
Email address the User Principal Name you copied earlier in this task
Usage location United States
Job title Lab Administrator
Department IT
Click Invite.
Back on the Users - All users blade, click the entry representing the newly created guest user account.
On the az104-01b-aaduser1 - Profile blade, click Groups.
Click + Add membership and add the guest user account to the IT Lab Administrators group.

Setting	Value
User name	az104-01b-aaduser1
Name	az104-01b-aaduser1
Let me create the password	enabled
Initial password	Pa55w.rd124
Job title	System Administrator
Department	IT

Setting	Value
Name	az104-01b-aaduser1
Email address	the User Principal Name you copied earlier in this task
Usage location	United States
Job title	Lab Administrator
Department	IT

Clean up resources

Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not incur unexpected costs. While, in this case, there are no additional charges associated with Azure Active Directory tenants and their objects, you might want to consider removing the user accounts, the group accounts, and the Azure Active Directory tenant you created in this lab.

In the Azure Portal search for Azure Active Directory in the search bar. Within Azure Active Directory under Manage select Licenses. Once at Licenses under Manage select All Products and then select Azure Active Directory Premium P2 item in the list. Proceed by then selecting Licensed Users. Select the user accounts az104-01a-aaduser1 and az104-01a-aaduser2 to which you assigned licenses in this lab, click Remove license, and, when prompted to confirm, click OK.
In the Azure portal, navigate to the Users - All users blade, click the entry representing the az104-01b-aaduser1 guest user account, on the az104-01b-aaduser1 - Profile blade click Delete, and, when prompted to confirm, click OK.
Repeat the same sequence of steps to delete the remaining user accounts you created in this lab.
Navigate to the Groups - All groups blade, select the groups you created in this lab, click Delete, and, when prompted to confirm, click OK.
In the Azure portal, display the blade of the Contoso Lab Azure AD tenant by using the Directory + Subscription button (directly to the right of the Cloud Shell button) in the Azure portal toolbar.
Navigate to the Users - All users blade, click the entry representing the az104-01b-aaduser1 user account, on the az104-01b-aaduser1 - Profile blade click Delete, and, when prompted to confirm, click OK.
Navigate to the Contoso Lab - Overview blade of the Contoso Lab Azure AD tenant, click Delete tenant, on the Delete tenant 'Contoso Lab' blade, click the Get permission to delete Azure resources link, on the Properties blade of Azure Active Directory, set Access management for Azure resources to Yes and click Save.
Sign out from the Azure portal and sign in back.
Navigate back to the Delete tenant 'Contoso Lab' blade and click Delete.

You will have to wait for the trial license expiration before you can delete the tenant. This does not incur any additional cost.

Review

In this lab, you have:

Created and configured Azure AD users
Created Azure AD groups with assigned and dynamic membership
Created an Azure Active Directory (AD) tenant
Managed Azure AD guest users

Friday, July 16, 2021

Manage Subscriptions and RBAC

July 16, 2021

Objectives

In this lab, you will:

Task 1: Implement Management Groups
Task 2: Create custom RBAC roles
Task 3: Assign RBAC roles

Task 1: Implement Management Groups

In this task, you will create and configure management groups.

Sign in to the https://portal.azure.com.
Search for and select Management groups to navigate to the Management groups blade.
Review the messages at the top of the Management groups blade. If you are seeing the message stating You are registered as a directory admin but do not have the necessary permissions to access the root management group, perfom the following sequence of steps:
1. In the Azure portal, search for and select Azure Active Directory.
2. On the blade displaying properties of your Azure Active Directory tenant, in the vertical menu on the left side, in the Manage section, select Properties.
3. On the Properties blade of your your Azure Active Directory tenant, in the Access management for Azure resources section, select Yes and then select Save.
4. Navigate back to the Management groups blade, and select Refresh.
On the Management groups blade, click + Add.
If you have not previously created Management Groups, select Start using management groups
Create a management group with the following settings:
Setting Value
Management group ID az104-02-mg1
Management group display name az104-02-mg1
In the list of management groups, click the entry representing the newly created management group.
On the az104-02-mg1 blade, click Subscriptions.
On the az104-02-mg1 | Subscriptions blade, click + Add, on the Add subscription blade, in the Subscription drop-down list, seletc the subscription you are using in this lab and click Save.
On the az104-02-mg1 | Subscriptions blade, copy the ID of your Azure subscription into Clipboard. You will need it in the next task.

Setting	Value
Management group ID	az104-02-mg1
Management group display name	az104-02-mg1

Task 2: Create custom RBAC roles

In this task, you will create a definition of a custom RBAC role.

From the lab computer, open the file \Allfiles\Labs\02\az104-02a-customRoleDefinition.json in Notepad and review its content:

json
{
  "Name": "Support Request Contributor (Custom)",
  "IsCustom": true,
  "Description": "Allows to create support requests",
  "Actions": [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Support/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
      "/providers/Microsoft.Management/managementGroups/az104-02-mg1",
      "/subscriptions/SUBSCRIPTION_ID"
  ]
}

Replace the SUBSCRIPTION_ID placeholder in the JSON file with the subscription ID you copied into Clipboard and save the change.
In the Azure portal, open Cloud Shell pane by clicking on the toolbar icon directly to the right of the search textbox.
If prompted to select either Bash or PowerShell, select PowerShell.
If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and click Create storage.
In the toolbar of the Cloud Shell pane, click the Upload/Download files icon, in the drop-down menu click Upload, and upload the file \Allfiles\Labs\02\az104-02a-customRoleDefinition.json into the Cloud Shell home directory.

From the Cloud Shell pane, run the following to create the custom role definition:

powershell
New-AzRoleDefinition -InputFile $HOME/az104-02a-customRoleDefinition.json

Close the Cloud Shell pane.

Task 3: Assign RBAC roles

In this task, you will create an Azure Active Directory user, assign the RBAC role you created in the previous task to that user, and verify that the user can perform the task specified in the RBAC role definition.

In the Azure portal, search for and select Azure Active Directory, on the Azure Active Directory blade, click Users, and then click + New user.
Create a new user with the following settings (leave others with their defaults):
Setting Value
User name az104-02-aaduser1
Name az104-02-aaduser1
Let me create the password enabled
Initial password Pa55w.rd1234
Copy to clipboard the full User name. You will need it later in this lab.
In the Azure portal, navigate back to the az104-02-mg1 management group and display its details.
Click Access control (IAM), click + Add followed by Role assignment, and assign the Support Request Contributor (Custom) role to the newly created user account.
Open an InPrivate browser window and sign in to the https://portal.azure.com using the newly created user account. When prompted to update the password, change the password for the user.
Rather than typing the user name, you can paste the content of Clipboard.
In the InPrivate browser window, in the Azure portal, search and select Resource groups to verify that the az104-02-aaduser1 user can see all resource groups.
In the InPrivate browser window, in the Azure portal, search and select All resources to verify that the az104-02-aaduser1 user cannot see any resources.
In the InPrivate browser window, in the Azure portal, search and select Help + support and then click + New support request.
In the InPrivate browser window, on the Basic tab of the Help + support - New support request blade, type Service and subscription limits in the Summary field and select the Service and subscription limits (quotas) issue type. Note that the subscription you are using in this lab is listed in the Subscription drop-down list.
The presence of the subscription you are using in this lab in the Subscription drop-down list indicates that the account you are using has the permissions required to create the subscription-specific support request.
If you do not see the Service and subscription limits (quotas) option, sign out from the Azure portal and sign in back.
Do not continue with creating the support request. Instead, sign out as the az104-02-aaduser1 user from the Azure portal and close the InPrivate browser window.

Setting	Value
User name	az104-02-aaduser1
Name	az104-02-aaduser1
Let me create the password	enabled
Initial password	Pa55w.rd1234

Clean up resources

Remember to remove any newly created Azure resources that you no longer use.

Removing unused resources ensures you will not see unexpected charges, although, resources created in this lab do not incur extra cost.

In the Azure portal, search for and select Azure Active Directory, on the Azure Active Directory blade, click Users.
On the Users - All users blade, click az104-02-aaduser1.
On the az104-02-aaduser1 - Profile blade, copy the value of Object ID attribute.
In the Azure portal, start a PowerShell session within the Cloud Shell.
From the Cloud Shell pane, run the following to remove the assignment of the custom role definition (replace the [object_ID] placeholder with the value of the object ID attribute of the az104-02-aaduser1 Azure Active Directory user account you copied earlier in this task):
```
powershell
$scope = (Get-AzRoleAssignment -RoleDefinitionName 'Support Request Contributor (Custom)').Scope

Remove-AzRoleAssignment -ObjectId '[object_ID]' -RoleDefinitionName 'Support Request Contributor (Custom)' -Scope $scope
```

From the Cloud Shell pane, run the following to remove the custom role definition:

powershell
Remove-AzRoleDefinition -Name 'Support Request Contributor (Custom)' -Force

In the Azure portal, navigate back to the Users - All users blade of the Azure Active Directory, and delete the az104-02-aaduser1 user account.
In the Azure portal, navigate back to the Management groups blade.
On the Management groups blade, select the ellipsis icon next to your subscription under the az104-02-mg1 management group and select Move to move the subscription to the Tenant Root management group.

[!note] It is likely that the target management group is the Tenant Root management group, unless you created a custom management group hierarchy before running this lab.

Select Refresh to verify that the subscription has successfully moved to the Tenant Root management group.
Navigate back to the Management groups blade, right click the ellipsis icon to the right of the az104-02-mg1 management group and click Delete.