
AZURE-AZ-100

AZURE SUBSCRIPTION
An Azure subscription is a logical unit of Azure services that is linked to an Azure account.
Billing for Azure services is done on a per-subscription basis. If your account is the only
account associated with a subscription, then you are responsible for billing.

Subscriptions help you organize access to cloud service resources. They also help you control
how resource usage is reported, billed, and paid for.

Manage Azure subscriptions


If your organization has several subscriptions, you need a way to efficiently manage
access, policies, and compliance for those subscriptions.

You organize subscriptions into containers called management groups.

✔️ Management groups are a relatively new concept in Azure.

Management groups enable:

• Organizational alignment for your Azure subscriptions through custom hierarchies
and grouping.

• Targeting of policies and spend budgets across subscriptions and inheritance down
the hierarchies.

• Compliance and cost reporting by organization (business/teams).

You can build a flexible structure of management groups and subscriptions to
organize your resources into a hierarchy for unified policy and access management.

All subscriptions within a management group automatically inherit the conditions
applied to the management group. For example, you can apply policies to a
management group that limits the regions available for virtual machine (VM)
creation. This policy would be applied to all management groups, subscriptions, and
resources under that management group by only allowing VMs to be created in that
region.

By creating a hierarchy like this example, you can apply a policy, for example, VM locations
limited to US West Region, on the group "Infrastructure Team management group" to enable
internal compliance and security policies. This policy is inherited by both EA subscriptions
under that management group and applies to all VMs under those subscriptions. Because this
policy inherits from the management group to the subscriptions, this security policy cannot
be altered by the resource or subscription owner, allowing for improved governance.

• Another scenario where you would use management groups is to provide user access
to multiple subscriptions.
• By moving multiple subscriptions under that management group, you have the ability
to create one role-based access control (RBAC) assignment on the management group,
which will inherit that access to all the subscriptions.
• Without the need to script RBAC assignments over multiple subscriptions, one
assignment on the management group can enable users to have access to everything
they need.

Important facts about management groups

• 10,000 management groups can be supported in a single directory.
• A management group tree can support up to six levels of depth.
  o This limit doesn't include the Root level or the subscription level.
• Each management group and subscription can only support one parent.
• Each management group can have multiple children.
• All subscriptions and management groups are contained within a single
hierarchy in each directory.

Azure accounts

Each subscription has accounts associated with it.

An Azure account is simply an identity in Azure Active Directory (Azure AD) or in a directory
that is trusted by Azure AD, such as a work or school organization. If you don't belong to one
of these organizations, you can sign up for an Azure account by using your Microsoft
Account, which is also trusted by Azure AD.

There are several ways to get an Azure subscription: Enterprise agreements, Microsoft
resellers, Microsoft partners, and a personal free account.

Account administrator
The Account Administrator for a subscription is the only person with access to the
Account Center. The Account Administrator does not have any other access to
services in that subscription; they need to also be the Service Administrator or a co-
administrator for that. For security reasons, the Account Administrator for a
subscription can only be changed with a call to Azure support. The Account
Administrator can easily reassign the Service Administrator for a subscription at the
Account Center at any time.

Service administrator and co-administrator

The Service Administrator is the first co-administrator for a subscription. Like other
co-administrators, the Service Administrator has management access to cloud
resources using the Azure Management Portal, as well as tools like Visual Studio,
other SDKs, and command line tools like PowerShell. The Service Administrator can
also add and remove other co-administrators.

Additionally, Co-administrators can’t delete the Service Administrator from the Azure
Management Portal. Only the Account Administrator can change this assignment at
the Account Center. The Service Administrator is the only user authorized to change
a subscription’s association with a directory in the Azure Management Portal.

✔️ Account Administrators using a Microsoft account must log in every 2 years (or
more frequently) to keep the account active. Inactive accounts are cancelled, and the
related subscriptions removed. There are no login requirements if using a work or
school account. Take a few minutes to look through the list of available roles at the
reference link.

For more information, you can see:

Assigning administrator roles in Azure Active Directory -
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

BILLING
In the move from on-premises computing to cloud-hosted services, tracking and estimating
service usage and related costs are significant concerns.

It’s important to be able to estimate what new resources will cost to run monthly and be
able to project how the billing will look for a given month based on the current spending.

Get resource usage data


Azure provides a set of Billing REST APIs that give access to resource consumption
and metadata information for Azure subscriptions. This gives you the ability to better
predict and manage Azure costs. These Billing APIs enable you to track and analyze
spending in hourly increments, create spending alerts, and predict future billing
based on current usage trends.

Predict future costs

Although it's challenging to estimate costs ahead of time, Azure has a pricing
calculator that you can use when you estimate the cost of deployed resources. You
can also use the Billing blade in the portal and the Billing REST APIs to estimate
future costs, based on current consumption.

Set up billing alerts

After you’ve deployed your application or solution on Azure, you can create alerts
that send you email when you approach the spending limits that are defined in the
alert.

For more information, you can see:

Azure Cost Management Documentation - https://docs.microsoft.com/en-us/azure/cost-management/

Billing Alert Service

If you’re the Account Admin for an Azure subscription, you can use the Azure Billing
Alert Service to create customized billing alerts that help you monitor and manage
billing activity for your Azure accounts. Billing alerts are available from the Account
portal.

You can set up a total of five billing alerts per subscription, with a different threshold and up
to two email recipients for each alert.

Set up billing or credit alerts for your Microsoft Azure subscriptions -
https://docs.microsoft.com/en-us/azure/billing/billing-set-up-alerts

AZURE POLICY

Azure Policy is a service in Azure that you use to create, assign, and manage policies.

These policies enforce different rules over your resources, so those resources stay compliant
with your corporate standards and service level agreements.

The main advantages of Azure Policy are in the areas of enforcement and compliance,
scaling, and remediation.

• Enforcement and compliance. Turn on built-in policies or build custom ones for all
resource types. Real time policy evaluation and enforcement. Periodic and on-demand
compliance evaluation.

• Apply policies at scale. Apply policies to a Management Group with control across
your entire organization. Apply multiple policies and aggregate policy states with
policy initiative. Define an exclusion scope.

• Remediation. Real time remediation, and remediation on existing resources (


Implementing Azure Policy

1. Browse Policy Definitions. A Policy Definition expresses what to evaluate and what
actions to take. Every policy definition has conditions under which it is enforced, and
it has an accompanying effect that takes place if the conditions are met. For example,
you could prevent VMs from being deployed if they are exposed to a public IP
address.

2. Create Initiative Definitions. An initiative definition is a set of Policy Definitions to
help track your compliance state for a larger goal. For example, ensuring a branch
office is compliant.

3. Scope the Initiative Definition. You can limit the scope of the Initiative Definition to
Management Groups, Subscriptions, or Resource Groups.

4. View Policy Evaluation results. Once an Initiative Definition is assigned, you can
evaluate the state of compliance for all your resources. Individual resources, resource
groups, and subscriptions within a scope can be exempted from having policy
rules affect them. Exclusions are handled individually for each assignment.
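
The following added example (not part of the original notes and not Azure's policy engine) models the two ideas above together: a policy rule with a condition and an effect, assigned once at a management group and inherited by the subscriptions beneath it, with a per-assignment exclusion. The scope names, the `not_scopes` key and the sample resources are constructed for illustration.

```python
# Added example: a toy evaluator for Azure Policy-style rules. This is not
# Azure's engine; the hierarchy, scope ids and resources below are constructed.

# Child scope -> parent scope (hypothetical management group tree).
PARENT = {
    "sub-ea-1": "mg-infrastructure",
    "sub-ea-2": "mg-infrastructure",
    "sub-marketing": "mg-root",
    "mg-infrastructure": "mg-root",
}

# Policy rule in the if/then shape: deny VMs created outside West US.
VM_LOCATION_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "location", "notIn": ["westus"]},
    ]},
    "then": {"effect": "deny"},
}

# One assignment on the management group, with one excluded resource group.
ASSIGNMENTS = [{
    "name": "vm-locations-us-west",
    "scope": "mg-infrastructure",
    "not_scopes": ["sub-ea-2/rg-lab"],
    "rule": VM_LOCATION_RULE,
}]


def scope_chain(resource):
    """Scopes the resource sits under: resource group, subscription, then groups."""
    sub = resource["subscription"]
    chain = [f"{sub}/{resource['resource_group']}", sub]
    node = sub
    while node in PARENT:
        node = PARENT[node]
        chain.append(node)
    return chain


def matches(condition, resource):
    """Evaluate one condition node; string comparison ignores case."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = str(resource.get(condition["field"], "")).lower()
    if "equals" in condition:
        return value == condition["equals"].lower()
    if "in" in condition:
        return value in {v.lower() for v in condition["in"]}
    if "notIn" in condition:
        return value not in {v.lower() for v in condition["notIn"]}
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(resource, assignments=ASSIGNMENTS):
    """Return [(assignment name, effect)] for each assignment the resource triggers."""
    chain = scope_chain(resource)
    hits = []
    for a in assignments:
        if a["scope"] not in chain:
            continue  # assigned at a scope that is not above this resource
        if any(excluded in chain for excluded in a.get("not_scopes", [])):
            continue  # exclusions belong to this one assignment only
        if matches(a["rule"]["if"], resource):
            hits.append((a["name"], a["rule"]["then"]["effect"]))
    return hits


def vm(sub, rg, location):
    """Build a constructed VM resource record."""
    return {"type": "Microsoft.Compute/virtualMachines", "subscription": sub,
            "resource_group": rg, "location": location}


if __name__ == "__main__":
    for r in [vm("sub-ea-1", "rg-web", "westus"), vm("sub-ea-2", "rg-db", "eastus"),
              vm("sub-ea-2", "rg-lab", "eastus"), vm("sub-marketing", "rg-site", "eastus")]:
        print(r["subscription"], r["resource_group"], r["location"], evaluate(r))
```

Only the East US VM in `sub-ea-2/rg-db` is denied: the West US VM is compliant, `rg-lab` is excluded from this assignment, and `sub-marketing` is outside the management group.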

RBAC

• Access management for cloud resources is a critical function for any
organization that is using the cloud.
• Role-based access control (RBAC) helps you manage who has access to Azure
resources, what they can do with those resources, and what areas they have
access to.

Application of RBAC scenarios

• Allow one user to manage virtual machines in a subscription and another user
to manage virtual networks.
• Allow a DBA group to manage SQL databases in a subscription.
• Allow a user to manage all resources in a resource group, such as virtual
machines, websites, and subnets.
• Allow an application to access all resources in a resource group.

How RBAC works

• RBAC works on the basis of role assignments.
• A role assignment consists of three elements: security principal, role definition, and
scope.

Security principal

A security principal is an object that represents a user, group, or service principal that is
requesting access to Azure resources.

• User - An individual who has a profile in Azure Active Directory. You can also assign
roles to users in other tenants.
• Group - A set of users created in Azure Active Directory. When you assign a role
to a group, all users within that group have that role.
• Service principal - A security identity used by applications or services to access
specific Azure resources. You can think of it as a user identity (username and
password or certificate) for an application.

Role definition

A role definition is a collection of permissions. It's sometimes just called a role. A role
definition lists the operations that can be performed, such as read, write, and delete.
Roles can be high-level, like owner, or specific, like virtual machine reader.

The following lists four fundamental built-in roles. The first three apply to all resource
types.

• Owner - Has full access to all resources including the right to delegate access to
others.
• Contributor - Can create and manage all types of Azure resources but can’t
grant access to others.
• Reader - Can view existing Azure resources.
• User Access Administrator - Lets you manage user access to Azure resources.

Built-in roles

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

You can create your own custom roles according to your needs.

Custom Roles

• Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be
shared across subscriptions.
• Each directory can have up to 2000 custom roles. Custom roles can be created using
Azure PowerShell, Azure CLI, or the REST API.

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
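
The following added example (not part of the original notes and not Azure's implementation) models how a role assignment's three elements combine: a principal, possibly through group membership, holds a role whose permissions are its allowed actions minus its excluded ones, at a scope that is inherited by everything beneath it. The permission lists for the built-in roles are abbreviated, and the users, group, hierarchy and the custom role are constructed.

```python
# Added example: a simplified model of RBAC evaluation, not Azure's implementation.
# Role permission lists are abbreviated; users, groups, ids and the custom role
# are constructed for illustration.
from fnmatch import fnmatchcase

ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": []},
    "VM Operator (custom)": {"actions": [          # hypothetical custom role
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action"], "not_actions": []},
}

GROUPS = {"grp-infra": {"bob", "carol"}}           # group -> member users
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
MG_PARENT = {"sub-1": "mg-infra", "sub-2": "mg-infra", "mg-infra": "mg-root"}

SUB1, SUB2 = "/subscriptions/sub-1", "/subscriptions/sub-2"
ASSIGNMENTS = [  # each one: security principal + role definition + scope
    {"principal": "grp-infra", "role": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-infra"},
    {"principal": "carol", "role": "User Access Administrator", "scope": SUB2},
    {"principal": "dave", "role": "Reader", "scope": SUB1 + "/resourceGroups/rg-web"},
    {"principal": "erin", "role": "VM Operator (custom)", "scope": SUB1},
]


def in_scope(assignment_scope, resource_id):
    """True when resource_id is the assignment scope or sits beneath it."""
    scope, rid = assignment_scope.lower().rstrip("/"), resource_id.lower()
    if scope.startswith(MG_PREFIX):
        group = scope[len(MG_PREFIX):]
        node = rid.split("/")[2]          # subscription id of the resource
        while node in MG_PARENT:          # walk up the management group tree
            node = MG_PARENT[node]
            if node == group:
                return True
        return False
    return rid == scope or rid.startswith(scope + "/")


def role_permits(role, action):
    """Allowed actions minus excluded actions, with case-insensitive wildcards."""
    action = action.lower()
    allowed = any(fnmatchcase(action, p.lower()) for p in role["actions"])
    carved_out = any(fnmatchcase(action, p.lower()) for p in role["not_actions"])
    return allowed and not carved_out


def granting_roles(user, action, resource_id):
    """Names of the assigned roles that let `user` perform `action` on `resource_id`."""
    principals = {user} | {g for g, members in GROUPS.items() if user in members}
    return [a["role"] for a in ASSIGNMENTS
            if a["principal"] in principals
            and in_scope(a["scope"], resource_id)
            and role_permits(ROLES[a["role"]], action)]


if __name__ == "__main__":
    write_ra = "Microsoft.Authorization/roleAssignments/write"
    print("bob   ->", granting_roles("bob", write_ra, SUB1))
    print("carol ->", granting_roles("carol", write_ra, SUB2 + "/resourceGroups/rg-db"))
```

An empty list means access is not granted. The Contributor exclusions remove permissions from that role only, so carol can still write role assignments in `sub-2` through her separate User Access Administrator assignment.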

View activity logs for RBAC changes

Sometimes you need information about role-based access control (RBAC) changes, such as for
auditing or troubleshooting purposes.

Any time someone makes changes to role assignments or role definitions within your
subscriptions, the changes get logged in the Azure Activity Log.

You can view the logs of RBAC changes for the past 90 days.

Operations that are logged

Here are the RBAC-related operations that are logged in Activity Log:

• Create role assignment
• Delete role assignment
• Create or update custom role definition
• Delete custom role definition
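
The following added example (not part of the original notes) shows one way to triage exported Activity Log records for the four RBAC operations listed above and to flag grants of Owner or User Access Administrator at subscription or management group scope. The events are constructed and simplified; their field names and request-body layout are assumptions modelled on Activity Log entries, and the subscription id and callers are placeholders.

```python
# Added example: triage of RBAC changes in Activity Log records. The events are
# constructed and simplified; field names are assumptions modelled on Activity
# Log entries, and the callers and ids are placeholders.
import json
from datetime import datetime, timedelta, timezone

RBAC_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "Create role assignment",
    "microsoft.authorization/roleassignments/delete": "Delete role assignment",
    "microsoft.authorization/roledefinitions/write": "Create or update custom role definition",
    "microsoft.authorization/roledefinitions/delete": "Delete custom role definition",
}
# Built-in role definition GUIDs.
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
UAA = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
DELEGATING_ROLES = {OWNER: "Owner", UAA: "User Access Administrator"}

RETENTION = timedelta(days=90)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # placeholder id
RA = "/providers/Microsoft.Authorization/roleAssignments/"
RD = "/providers/Microsoft.Authorization/roleDefinitions/"
NOW = datetime(2019, 3, 10, tzinfo=timezone.utc)              # fixed "current" time


def event(ts, caller, op, resource_id, status="Succeeded", role_id=None):
    """Build one constructed log record."""
    props = {}
    if role_id:
        body = {"properties": {"roleDefinitionId": SUB + RD + role_id}}
        props["requestbody"] = json.dumps(body)
    return {"eventTimestamp": ts, "caller": caller, "operationName": op,
            "resourceId": resource_id, "status": status, "properties": props}


WRITE_RA = "Microsoft.Authorization/roleAssignments/write"
SAMPLE_EVENTS = [
    event("2019-03-01T09:00:00+00:00", "admin@contoso.example", WRITE_RA,
          SUB + RA + "a1", status="Started", role_id=OWNER),
    event("2019-03-01T09:00:05+00:00", "admin@contoso.example", WRITE_RA,
          SUB + RA + "a1", role_id=OWNER),
    event("2019-03-02T11:30:00+00:00", "ops@contoso.example", WRITE_RA,
          SUB + RA + "a2", role_id=READER),
    event("2019-03-03T14:00:00+00:00", "ops@contoso.example", WRITE_RA,
          SUB + "/resourceGroups/rg-web" + RA + "a3", role_id=UAA),
    event("2019-03-04T08:15:00+00:00", "admin@contoso.example",
          "Microsoft.Authorization/roleDefinitions/write", SUB + RD + "d1"),
    event("2019-03-05T10:00:00+00:00", "dev@contoso.example",
          "Microsoft.Compute/virtualMachines/write",
          SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"),
    event("2018-11-01T08:00:00+00:00", "admin@contoso.example",
          "Microsoft.Authorization/roleAssignments/delete", SUB + RA + "a0"),
]


def assignment_scope(resource_id):
    """Scope of a role assignment: its resource id up to the assignment segment."""
    cut = resource_id.lower().rfind(RA.lower())
    return resource_id[:cut] if cut != -1 else resource_id


def is_broad(scope):
    """True for subscription or management group scope."""
    parts = scope.lower().strip("/").split("/")
    return ((len(parts) == 2 and parts[0] == "subscriptions") or
            scope.lower().startswith("/providers/microsoft.management/managementgroups/"))


def rbac_changes(events, now):
    """Succeeded RBAC operations from the last 90 days, with alerts on risky grants."""
    findings = []
    for ev in events:
        label = RBAC_OPERATIONS.get(ev["operationName"].lower())
        age = now - datetime.fromisoformat(ev["eventTimestamp"])
        if label is None or ev["status"] != "Succeeded" or age > RETENTION:
            continue
        finding = {"when": ev["eventTimestamp"], "caller": ev["caller"],
                   "operation": label, "resource": ev["resourceId"], "alert": None}
        if label == "Create role assignment":
            scope = assignment_scope(ev["resourceId"])
            body = json.loads(ev["properties"].get("requestbody", "{}"))
            role_ref = body.get("properties", {}).get("roleDefinitionId", "")
            role = DELEGATING_ROLES.get(role_ref.rsplit("/", 1)[-1].lower())
            if role and is_broad(scope):
                finding["alert"] = f"{role} granted at {scope}"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in rbac_changes(SAMPLE_EVENTS, NOW):
        print(f["when"], f["caller"], f["operation"], f["alert"] or "")
```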

Check Resource Limit

Azure provides the ability to see the number of each network resource type that you've
deployed in your subscription and what your subscription limits are. The ability to view
resource usage against limits is helpful to track current usage, and plan for future use.

The limits shown are the limits for your subscription.

If you need to increase a default limit, there is a Request Increase link.

You will complete and submit the support request. All resources have a maximum limit listed
in Azure.

Resource Tags

You can apply tags to your Azure resources to logically organize them by categories. Each
tag consists of a name and a value.

Tags help you identify resources and make administration easier.

• Each resource or resource group can have a maximum of 15 tag name/value pairs.

• Tags applied to the resource group are not inherited by the resources in that
resource group.

For more information on tagging, you can see:

• Use tags to organize your Azure resources -
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

• PowerShell (Tagging) -
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags#powershell

• CLI (Tagging) -
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags#azure-cli

Monitoring & Diagnostics

• Azure includes multiple services that individually perform a specific role or
task in the monitoring space.
• Together, these services deliver a comprehensive solution for collecting,
analyzing, and acting on telemetry from your application and the Azure
resources that support them.
• They can also work to monitor critical on-premises resources to provide a
hybrid monitoring environment.

Azure Monitor - Key Capabilities

Azure Monitor enables core monitoring for Azure services by allowing the collection
of metrics, activity logs, and diagnostic logs.

Metrics are available that provide performance statistics for different resources and
even the operating system inside a virtual machine. You can view this data with one
of the explorers in the Azure portal and create alerts based on these metrics.

Azure Monitor provides the fastest metrics pipeline (5 minute down to 1 minute), so
you should use it for time critical alerts and notifications.

The above diagram gives a high-level view of Azure Monitor.

At the center of the diagram are the data stores for metrics and logs, which are the two
fundamental types of data used by Azure Monitor.

On the left are the sources that collect telemetry from different monitored resources and
populate the data stores.

On the right are the different functions that Azure Monitor performs with this collected
data such as analysis, alerting, and streaming to external systems.

All data collected by Azure Monitor fits into one of two fundamental types, metrics and
logs. Metrics are numerical values that describe some aspect of a system at a point in
time.

For more details:

https://docs.microsoft.com/en-us/azure/azure-monitor/overview

https://docs.microsoft.com/en-us/azure/monitoring/monitoring-data-collection

Azure Advisor

• Advisor is a personalized cloud consultant that helps you follow best practices to
optimize your Azure deployments.
• It analyzes your resource configuration and usage telemetry and then
recommends solutions that can help you improve the cost effectiveness,
performance, high availability, and security of your Azure resources.

For more information, you can see:

Introduction to Azure Advisor - https://docs.microsoft.com/en-us/azure/advisor/advisor-overview

Advisor Cost recommendations - https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations

Alert Rules

Define alert condition includes:

Target selection. For example, storage account.

Alert criteria. For example, Used Capacity.

Alert logic. For example, over a six-hour period whenever the Used Capacity is over
1000000 bytes.

Define alert details includes: Alert rule name, description, and severity. There are five
severity levels, Severity 0 to Severity 4.

Define action group. Create an action group to notify your team via email and text
messages, or automate actions using webhooks and runbooks.

For more information, you can see:

Create an action group by using the Azure portal -
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-action-groups#create-an-action-group-by-using-the-azure-portal

Action specific information -
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-action-groups#action-specific-information

Rate limiting for Voice, SMS, emails, Azure App push notifications and webhook posts -
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-alerts-rate-limiting

Activity Log

The Azure Activity Log is a subscription log that provides insight into subscription-level
events that have occurred in Azure.

This includes a range of data, from Azure Resource Manager operational data to updates on
Service Health events. The Activity Log was previously known as “Audit Logs” or “Operational
Logs”.

Using the Activity Log, you can determine the ‘what, who, and when’ for any write operation
taken on the resources in your subscription. For example, who stopped a service. It provides
an audit trail of the activities or operations performed on your resources by someone
working on the Azure platform. You can also understand the status of the operation and
other relevant properties.

This diagram shows many of the things you can do with the activity log including:

• Send data to Log Analytics for advanced search and alerts.

• Query or manage events in the Portal, PowerShell, CLI, and REST API.

• Stream information to Event Hub.

• Archive data to a storage account.

• Analyze data with Power BI.

Query the Activity Log

• Subscription. One or more Azure subscription names.

• Resource group. One or more resource groups within those subscriptions.

• Resource (name). The name of a specific resource.

• Resource type. The type of resource, for example,
Microsoft.Compute/virtualmachines.

• Operation name. The name of an Azure Resource Manager operation, for example,
Microsoft.SQL/servers/Write.

• Timespan. The start and end time for events.

• Category. The event category is described in the next topic.

• Severity. The severity level of the event (Informational, Warning, Error, Critical).

• Event initiated by. The ‘caller,’ or user who performed the operation.

• Search. This is an open text search box that searches for that string across all fields in
all events.

Event Categories

• Administrative. This category contains the record of all create, update, delete, and
action operations performed through Resource Manager. Examples of the types of
events you would see in this category include “create virtual machine” and “delete
network security group”. The Administrative category also includes any changes to
role-based access control in a subscription.

• Service Health. This category contains the record of any service health incidents that
have occurred in Azure. An example of the type of event you would see in this
category is “SQL Azure in East US is experiencing downtime.” Service health events
come in five varieties: Action Required, Assisted Recovery, Incident, Maintenance,
Information, or Security.

• Alert. This category contains the record of all activations of Azure alerts. An example
of the type of event you would see in this category is “CPU % on myVM has been
over 80 for the past 5 minutes.”

• Autoscale. This category contains the record of any events related to the operation
of the autoscale engine based on any autoscale settings you have defined in your
subscription. An example of the type of event you would see in this category is
“Autoscale scale up action failed.”

• Recommendation. This category contains recommendation events from certain
resource types, such as web sites and SQL servers. These events offer
recommendations for how to better utilize your resources.

• Security. This category contains the record of any alerts generated by Azure Security
Center. An example of the type of event you would see in this category is “Suspicious
double extension file executed.”

• Policy and Resource Health. These categories do not contain any events; they are
reserved for future use.

For more information, see:

Create activity log alerts -
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-activity-log-alerts

Stream the Azure Activity Log to Event Hubs -
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-stream-activity-logs-event-hubs

Archive the Azure Activity Log -
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-activity-log

Collect and analyze Azure activity logs in Log Analytics -
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-activity

Azure Resource Manager

Azure Resource Manager introduces an entirely new way of thinking about your
Azure resources.

Instead of creating and managing individual resources, you begin by imagining a
complex service, such as a blog, a photo gallery, a SharePoint portal, or a wiki. You
use a template – a resource model of the service – to create a resource group with
the resources that you need to support the service. Then, you can manage and
deploy that resource group as a logical unit.

There are three primary concepts in Resource Manager:

Resource. A resource is simply a single service instance in Azure. Most services in
Azure can be represented as a resource. For example, a Web App instance is a
resource. An App Service Plan is also a resource. Even a SQL Database instance is a
resource.

Resource Group. A resource group is a logical grouping of resources. For example, a
Resource Group where you would deploy a VM compute instance may be composed
of a Network Interface Card (NIC), a Virtual Machine, a Virtual Network, and a Public
IP Address.

Resource Group Template. A resource group template is a JSON file that allows you
to declaratively describe a set of resources. These resources can then be added to a
new or existing resource group. For example, a template could contain the
configuration necessary to create two API App instances, a Mobile App instance and
a Document DB instance.

Azure Resource Manager -
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview

ARM TEMPLATES

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-quickstart-create-templates-use-the-portal

Template Advantages

Templates are generally preferred to manually deploying resources for a number of
reasons:

• A template can ensure idempotency, which from a RESTful service standpoint means
that multiple identical requests produce the same results as a single request. This
results in no side effects on the server, and the result of the request may differ,
because the resource state has changed between requests. If you deploy an identical
template to multiple resource groups, they would functionally be the same.

• A template can simplify orchestration as you only need to deploy the template to
deploy all of your resources. Normally this would take multiple operations.

• A template allows you to configure multiple resources simultaneously and use
variables/parameters/functions to create dependencies between resources. For
example, you can require that a VM is created before a Web App because you need
the VM's public IP address for one of the Web App's settings. Another example is to
require that a Storage account is created before a VM so that you can place the
VHDs in that storage account.

• A template is a JSON file so it can be configured and managed using a source control
provider, and used as part of any continuous integration process.

• Templates can parameterize input and output values so they can be reused across
many different scenarios. Templates can also be nested so you can reuse smaller
templates as part of a larger orchestration.

Resource Group Deployments

• Resources can be deployed to any new or existing resource group.
• Deployment of resources to a resource group becomes a job where you can track the
template execution. If deployment fails, the output of the job can describe why the
deployment failed.
• Whether the deployment is a single resource to a group or a template to a group,
you can use the information to fix any errors and redeploy.
• Deployments are incremental; if a resource group contains 2 web apps and you
decide to deploy a third, the existing web apps will not be removed.
• Currently, immutable deployments are not supported in a resource group. To
implement an immutable deployment, you must create a new resource group.
• Resources can only exist in one resource group.
• Resource Groups cannot be renamed.
• Resource Groups can have resources of many different types (services).
• Resource Groups can have resources from many different regions.

Resource Manager Locks

A common concern with resources provisioned in Azure is the ease with which they can
be deleted. An over-zealous or careless administrator can accidentally erase months of
work with a few clicks. Resource manager locks allow organizations to put a structure in
place that prevents the accidental deletion of resources in Azure. You can associate the
lock with a subscription, resource group, or resource. Locks are inherited by child
resources.

Locks come in two varieties.

• Read-Only locks, which prevent any changes to the resource.

• Delete locks, which prevent deletion.

✔️ Only Owner and User Access Administrator roles can create or delete
management locks.

Moving Resources

Sometimes you may need to move resources to either a new subscription or a
new resource group in the same subscription.

• When moving resources, both the source group and the target group are locked
during the operation.
• Write and delete operations are blocked on the resource groups until the move
completes.
• This lock means you can't add, update, or delete resources in the resource
groups, but it doesn't mean the resources are frozen. For example, if you move a
virtual machine to a new resource group, an application accessing the virtual
machine experiences no downtime.
• You can't change the location of the resource. Moving a resource only moves it to
a new resource group. The new resource group may have a different location, but
that doesn't change the location of the resource.

Move resources to new resource group or subscription

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources

Use caution when deleting a resource group. Deleting a resource group deletes all the
resources contained within it. That resource group might contain resources that resources in
other resource groups depend on.

AZURE STORAGE
Azure Storage is a service that you can use to store files, messages, tables, and
other types of information.
You can use Azure storage on its own, for example as a file share, but it is often
used by developers as a store for working data.
Azure storage is also used by IaaS virtual machines and PaaS cloud services. You
can generally think of Azure storage in three categories:

Storage for Virtual Machines. This includes disks and files. Disks are persistent block
storage for Azure IaaS virtual machines. Files are fully managed file shares in the
cloud.

Unstructured Data. This includes Blobs and Data Lake Store. Blobs are a highly
scalable, REST-based cloud object store. Data Lake Store is Hadoop Distributed File
System (HDFS) as a service.

Structured Data. This includes Tables, Cosmos DB, and Azure SQL DB. Tables are a
key/value, auto-scaling NoSQL store. Cosmos DB is a globally distributed database
service. Azure SQL DB is a fully managed database-as-a-service built on SQL.

Azure Storage Accounts

An Azure storage account provides a unique namespace in the cloud to store and
access your data objects in Azure Storage.
A storage account contains any blobs, files, queues, tables, and disks that you
create under that account.

Storage Account Types (Kinds)

When you create a storage account you can choose from: Storage (general purpose v1),
Storage V2 (general purpose v2), and Blob storage.

A general-purpose storage account gives you access to Azure Storage services
such as tables, queues, files, blobs and Azure virtual machine disks under a single
account. This type of storage account has two performance tiers:

• A standard storage performance tier which allows you to store tables, queues, files,
blobs, and Azure virtual machine disks.

• A premium storage performance tier which currently only supports Azure virtual
machine disks.

A Blob storage account is a specialized storage account for storing your
unstructured data as blobs (objects) in Azure Storage. Blob storage has different tiers
based on frequency of use:

• A Hot access tier which indicates that the objects in the storage account will be more
frequently accessed.

• A Cool access tier which indicates that the objects in the storage account will be less
frequently accessed.

• An Archive access tier which only applies to blob level storage in the general
purpose v2 accounts.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-deployment-model

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

Standard storage accounts are backed by magnetic drives (HDD) and provide the
lowest cost per GB. They are best for applications that require bulk storage or where
data is accessed infrequently.

Premium storage accounts are backed by solid state drives (SSD) and offer
consistent low-latency performance. They can only be used with Azure virtual
machine disks and are best for I/O-intensive applications, like databases.
Additionally, virtual machines that use Premium storage for all disks qualify for a
99.99% SLA, even when running outside an availability set.
Storage Account Endpoints

Every object that you store in Azure Storage has a unique URL address. The storage
account name forms the subdomain of that address. The combination of subdomain
and domain name, which is specific to each service, forms an endpoint for your
storage account.

For example, if your storage account is named mystorageaccount, then the default
endpoints for your storage account are:

• Blob service: http://mystorageaccount.blob.core.windows.net

• Table service: http://mystorageaccount.table.core.windows.net

• Queue service: http://mystorageaccount.queue.core.windows.net

• File service: http://mystorageaccount.file.core.windows.net

The URL for accessing an object in a storage account is built by appending the
object's location in the storage account to the endpoint. For example, to
access myblob in the mycontainer, use this format:
http://mystorageaccount.blob.core.windows.net/mycontainer/myblob.

✔️ A Blob storage account only exposes the Blob service endpoint. You can also
configure a custom domain name to use with your storage account.

Storage Account Endpoints -
https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#storage-account-endpoints

Configuring Custom Domain Names

You can specify a custom domain for accessing blob content instead of using the Azure
URLs. There are two ways to configure this service: Direct CNAME mapping and an
intermediary domain.

Direct CNAME mapping. For example, to enable a custom domain for the
blobs.contoso.com subdomain to an Azure storage account, create a CNAME record
that points from blobs.contoso.com to the Azure storage account [storage
account].blob.core.windows.net. The following example maps a domain to an Azure
storage account in DNS:

CNAME record                  Target
blobs.contoso.com             contosoblobs.blob.core.windows.net

Intermediary mapping with asverify. Mapping a domain that is already in use
within Azure may result in minor downtime as the domain is updated. If you have an
application with an SLA on that domain, you can avoid the downtime by using a
second option, the asverify subdomain, to validate the domain. By prepending
asverify to your own subdomain, you permit Azure to recognize your custom domain
without modifying the DNS record for the domain. After you modify the DNS record
for the domain, it will be mapped to the blob endpoint with no downtime.

The following example maps a domain to the Azure storage account in DNS with
the asverify intermediary domain:

CNAME record                  Target
asverify.blobs.contoso.com    asverify.contosoblobs.blob.core.windows.net

For more information, refer to the link below:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-custom-domain-name
