1.2 Resource Provisioning and Configuration
Key Takeaways
- Provision AI resources via the portal, Azure CLI (az cognitiveservices account create), PowerShell, or infrastructure-as-code (ARM, Bicep, Terraform).
- The --kind flag selects the service type; CognitiveServices is multi-service, ComputerVision/TextAnalytics/SpeechServices are single-service, and OpenAI is Azure OpenAI.
- F0 (Free) has no SLA and tight rate limits; S0 (Standard) carries the 99.9% SLA — production scenarios always need S0 or higher.
- A customSubDomainName is mandatory for Microsoft Entra ID token authentication; without it you are stuck on key auth.
- Two keys per resource exist specifically to enable zero-downtime key rotation.
Quick Answer: Provision Azure AI resources through the portal, CLI, PowerShell, or IaC (ARM/Bicep/Terraform). Each resource has an endpoint URL plus two keys (or Entra ID auth). Choose F0 only for dev (no SLA, hard rate limits) and S0 for production (99.9% SLA). Set a customSubDomainName if you want token-based authentication.
Provisioning methods you must recognize
The exam shows CLI snippets and ARM/Bicep fragments and asks what they do or which flag to change. Learn the verbs and the --kind values.
Azure portal
- Create a resource -> AI + Machine Learning -> pick the service (e.g. "Azure AI services" for multi-service).
- Set Subscription, Resource Group, Region, Name, and Pricing tier.
- Review + Create.
Azure CLI
```bash
az group create --name rg-ai-prod --location eastus

# Multi-service resource (one endpoint, many services)
az cognitiveservices account create \
  --name my-ai-services --resource-group rg-ai-prod \
  --kind CognitiveServices --sku S0 --location eastus \
  --custom-domain my-ai-services --yes

# Single-service Vision resource
az cognitiveservices account create \
  --name my-vision --resource-group rg-ai-prod \
  --kind ComputerVision --sku S1 --location eastus --yes

# Read the endpoint and keys
az cognitiveservices account show -n my-ai-services -g rg-ai-prod --query properties.endpoint
az cognitiveservices account keys list -n my-ai-services -g rg-ai-prod
```
ARM and Bicep (infrastructure as code)
```json
{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2023-05-01",
  "name": "my-ai-services",
  "location": "eastus",
  "kind": "CognitiveServices",
  "sku": { "name": "S0" },
  "properties": { "publicNetworkAccess": "Enabled", "customSubDomainName": "my-ai-services" }
}
```

```bicep
resource aiServices 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: 'my-ai-services'
  location: 'eastus'
  kind: 'CognitiveServices'
  sku: { name: 'S0' }
  properties: { publicNetworkAccess: 'Enabled', customSubDomainName: 'my-ai-services' }
}
```
Pricing tiers and SLA
| Tier | SKU | Use case | SLA | Rate limit (typical) |
|---|---|---|---|---|
| Free | F0 | Dev/test only | None | Low (e.g. ~20 calls/min) |
| Standard | S0 | Production | 99.9% | Higher (service-dependent) |
| Higher SKUs | S1+ | High throughput | 99.9% | Highest, per-service quotas |
A common trap: a free tier often allows only one F0 instance of a given kind per subscription. If a deployment fails citing an existing free resource, that is the cause — not a region or quota problem.
On the Exam: Any production scenario requiring an availability guarantee => S0 or higher, because F0 carries no SLA. If a scenario stresses cost during development and ignores SLA, F0 is acceptable.
Endpoint and authentication components
Every resource exposes a small set of values you wire into clients:
| Component | What it is | Example |
|---|---|---|
| Endpoint | Base URL for API calls | https://my-ai-services.cognitiveservices.azure.com/ |
| Key 1 / Key 2 | Two interchangeable auth keys | a1b2c3... / g7h8i9... |
| Resource ID | ARM identifier for RBAC scoping | /subscriptions/.../accounts/my-ai-services |
| Custom subdomain | Required for Entra ID token auth | my-ai-services |
```python
import os

from azure.ai.vision.imageanalysis import ImageAnalysisClient
from azure.core.credentials import AzureKeyCredential
from azure.identity import DefaultAzureCredential

# Environment variable names are placeholders; use whatever your deployment sets.
endpoint = os.environ["AI_ENDPOINT"]

# Key-based auth (dev)
client = ImageAnalysisClient(endpoint, AzureKeyCredential(os.environ["AI_KEY"]))

# Entra ID token auth (production) -- requires customSubDomainName
client = ImageAnalysisClient(endpoint, DefaultAzureCredential())
```
A subtle exam fact: token (Entra ID) authentication only works if the resource has a custom subdomain. The regional *.cognitiveservices.azure.com shared endpoint supports key auth only. If a question says "we enabled managed identity but token auth fails," the missing custom subdomain is the usual culprit.
Zero-downtime key rotation
Two keys exist for exactly one reason: rotate without an outage.
1. App authenticates with Key 1.
2. Regenerate Key 2; the app is unaffected (still on Key 1).
3. Switch the app to Key 2.
4. Regenerate Key 1; the app is unaffected (now on Key 2).
On the Exam: The correct rotation sequence always moves traffic to the other key before regenerating the key in use. Regenerating the active key first causes the very outage the two-key design prevents.
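The rotation order above can be checked mechanically before a runbook is used. The following is an added example, not code from the original page or from Azure: `Resource`, `replay` and the three runbooks are constructed here to model two keys and one app, and to report both outages and keys that were never rotated.

```python
# Added example: replays a key-rotation runbook against a toy two-key resource.
# Resource, replay() and the runbooks are constructed here, not Azure SDK code.
import secrets

KEY_NAMES = ("Key1", "Key2")

class Resource:
    """Toy stand-in for an AI resource: two interchangeable keys."""
    def __init__(self):
        self.keys = {name: secrets.token_hex(16) for name in KEY_NAMES}

    def regenerate(self, name):
        self.keys[name] = secrets.token_hex(16)  # old value stops working

    def accepts(self, value):
        return value in self.keys.values()

def replay(runbook, start="Key1"):
    """Run (action, key_name) steps; report outages and keys left unrotated."""
    resource = Resource()
    original = dict(resource.keys)
    app_key = resource.keys[start]          # value the app holds in its config
    outage_steps = []
    for step, (action, name) in enumerate(runbook, start=1):
        if name not in KEY_NAMES or action not in ("regenerate", "switch"):
            raise ValueError(f"step {step}: unknown step {action!r} {name!r}")
        if action == "regenerate":
            resource.regenerate(name)
        else:                               # switch: app reloads the current value
            app_key = resource.keys[name]
        if not resource.accepts(app_key):   # the app's requests would be rejected
            outage_steps.append(step)
    stale = [n for n in KEY_NAMES if resource.keys[n] == original[n]]
    return {"outage_steps": outage_steps, "stale_keys": stale}

# Constructed runbooks: the page's sequence, the wrong order, and a half-rotation.
CORRECT = [("regenerate", "Key2"), ("switch", "Key2"), ("regenerate", "Key1")]
ACTIVE_FIRST = [("regenerate", "Key1"), ("switch", "Key1"), ("regenerate", "Key2")]
HALF_DONE = [("regenerate", "Key2"), ("switch", "Key2")]

if __name__ == "__main__":
    for label, runbook in [("correct", CORRECT), ("active first", ACTIVE_FIRST),
                           ("half done", HALF_DONE)]:
        print(label, replay(runbook))
```

A runbook that stops after the switch causes no outage but leaves the original Key 1 valid, which is why the result reports stale keys as well as outage steps.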
Regional availability and data residency
Not every service lives in every region. Azure OpenAI model availability in particular varies by region and model version. Choose a region that satisfies data residency/compliance (EU data in EU regions), then optimize for latency (closest to users), and plan DR around Azure paired regions.
Resource naming and organization also surface in IaC questions. A multi-service resource and a single-service resource of the same kind cannot share a name within a subscription, and the customSubDomainName must be globally unique because it becomes the host portion of the endpoint URL. Tag resources consistently (environment, owner, cost-center) so Azure Policy and cost reports can group them, and keep each environment (dev, test, prod) in its own resource group so RBAC and lifecycle operations stay isolated.
Reading provisioning questions
Many Domain 1 items hand you a CLI command or a Bicep block and ask one of three things: what does it create, which one line is wrong, or which property to change to meet a new requirement. Train yourself to scan four fields first — --kind/kind (which service), --sku/sku.name (F0 vs S0, hence SLA and rate limits), location (residency and service availability), and customSubDomainName/--custom-domain (whether token auth will work). If a question adds "must support Microsoft Entra ID authentication" to an otherwise valid template, the fix is almost always adding the custom subdomain.
If it adds "must guarantee availability," the fix is changing F0 to S0. If it adds "data cannot leave Germany," the fix is the location. Recognizing which single property each new sentence targets is the entire skill these questions test.
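The same scan can run as a pre-deployment check on an ARM template. This is an added example, not code from the original page: `review_accounts`, its requirement flags and `SAMPLE_TEMPLATE` are constructed for illustration, and it covers `sku.name`, `location` and `customSubDomainName` without evaluating template expressions.

```python
# Added example: pre-deployment review of the SKU, location and subdomain fields.
# review_accounts() and SAMPLE_TEMPLATE are constructed for illustration.
ACCOUNT_TYPE = "Microsoft.CognitiveServices/accounts"

def _literal(value):
    """Return a lowercase literal, or None for an unresolved ARM expression."""
    if not isinstance(value, str) or value.startswith("["):
        return None
    return value.lower()

def review_accounts(template, need_entra_auth=False, need_sla=False,
                    allowed_locations=None):
    """Return (resource name, field, reason) findings for each AI account."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != ACCOUNT_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        if need_entra_auth and not res.get("properties", {}).get("customSubDomainName"):
            findings.append((name, "customSubDomainName",
                             "token auth needs a custom subdomain"))
        sku = _literal(res.get("sku", {}).get("name"))
        if need_sla and sku in (None, "f0"):
            findings.append((name, "sku.name",
                             "F0 has no SLA" if sku else "SKU not a literal"))
        if allowed_locations is not None:
            loc = _literal(res.get("location"))
            if loc not in allowed_locations:
                findings.append((name, "location", f"{loc or 'unresolved'} not allowed"))
    return findings

# Constructed input: the page's resource, a dev resource, and an unrelated type.
SAMPLE_TEMPLATE = {"resources": [
    {"type": ACCOUNT_TYPE, "name": "my-ai-services", "location": "eastus",
     "kind": "CognitiveServices", "sku": {"name": "S0"},
     "properties": {"publicNetworkAccess": "Enabled",
                    "customSubDomainName": "my-ai-services"}},
    {"type": ACCOUNT_TYPE, "name": "dev-vision", "location": "[parameters('location')]",
     "kind": "ComputerVision", "sku": {"name": "F0"}, "properties": {}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "ignored"},
]}

if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_TEMPLATE, need_entra_auth=True, need_sla=True,
                                   allowed_locations={"germanywestcentral"}):
        print(finding)
```

A location given as a template expression is reported as unresolved rather than assumed compliant, so parameterised templates need the check repeated against the resolved parameter values.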
On the Exam: Free tier limits and the one-F0-per-kind-per-subscription rule explain most "the deployment failed" scenarios. Before suspecting quotas or regions, check whether a free instance of that kind already exists.
Which Azure CLI parameter on az cognitiveservices account create selects the service type?
A production app must guarantee 99.9% availability. Which pricing tier satisfies this?
A team enabled a managed identity but Entra ID token authentication to their AI resource keeps failing while keys still work. What is the most likely fix?