Posted on

Azure Shared disks now in Preview!

Microsoft had announced the limited preview of Azure Shared disks. With these announcement it will be possible to migrate clustered environments running Windows Server to Azure. This capability is designed to support SQL Server, Scale-Out File servers, RDS User Profile Disk and SAP ASCS/SCS servers running on Windows. Also Linux-based clustered file systems like GFS2 are supported.

The diagram above shows a 2 node cluster with a single shared disk. Just one node will receive write access, the other node will only receive read access. In case Azure Virtual Machine 1 goes down, write access will be transferred to Azure Virtual Machine 2. This scenario can be extended to more than 2 machines, but multiple shared disks can be attached as well, making it ideal for running parallel jobs or other multi machine tasks.

Disk types

Azure Shared Disks are only available on Premium SSD disks and only greater than P15 (256GiB) Microsoft has announced that Azure Ultra disk support will be released soon. The number of nodes that can be attached to a disk needs to be preset before mounting the disk to any node. Each disk type has its only limitation. The IOPS limit and bandwidth limit are not affected by this number. I would recommend to set this value has high as possible when deploying. In case a shared disk needs resizing to expand the number of nodes, it is required to un-mount the disk from all nodes.

Continue reading “Azure Shared disks now in Preview!”
Posted on

Ethical hacking training at HBO Drechtsteden

Today I had the honors to do another workshop Ethical hacking together with Erik Loef. It is always good to share your knowledge, and help other people with their work, now and in the future. I hope that these students will embrace what they have learned, and that they will apply this newly obtained knowledge at their (future) employers.

No alternative text description for this image
Posted on

OneDrive ADMX files (download)

When you want to migrate an older environment to Office 365 and OneDrive, you might miss the OneDrive GPO settings. Unfortunately Microsoft hasn’t release the download of the ADMX files. You will need to grab them manually from a recent Windows 10 machine, and import them in the right location.

Since I like to simplefy things, I thought it might be convenient to create a prepared ADMX ZIP file with all necessary files, ready for extration. So here is a link to download OneDrive ADMX files. Just simply extract the proper folders to the following location:

Local Domain Controller store:
C:\Windows\PolicyDefinitions\

Central Active Directory store:
\\<your domain>\sysvol\<your domain>\Policies\PolicyDefinitions\

Download OneDrive ADMX Files
Posted on

Microsoft adds IPv6 support for Azure VNets (Preview)

Today I noticed a new checkbox in the Azure Portal. Microsoft has released IPv6 in the Public preview for Azure VNets. Virtual machines will be equipped with a dual-stack IP connectivity. Meaning both will be available. With the ending of IPv4 addresses it makes IPv6 mandatory for everybody.

The new checkbox in Azure

From the Azure portal you can now add IPv6 address to the address scope on the VNet level.

The following diagram shows how IPv6 works as a dual-stack next to IPv4

Continue reading “Microsoft adds IPv6 support for Azure VNets (Preview)”
Posted on

Lock down Microsoft Team creation (Manual)

By default everyone may create a new team in Microsoft Teams. As an organisation admin you might want to control this, or release it a some point. With this manual you should be able to lock down team creation to users that are member of a Azure AD Security group.

STEP 1: First we will need to install the Preview version of the Azure Active Directory PowerShell module for Graph. Open a PowerShell window with Adminstrator privileges and run the following 2 commands:

Uninstall-Module AzureAD
Install-Module AzureADPreview

STEP 2: Now we will need to connect to Azure-AD to perform the necessary actions. Sign in with an admin account when prompted.

#Connect to AAD
$AzureAdCred = Get-Credential 
Connect-AzureAD -Credential $AzureAdCred

STEP 3: In Azure AD using the Azure portal (https://portal.azure.com), create a new security group.

STEP 4: Enter the name of your security group on the top line, and run the following script. 

$GroupName = "Your Security Group Name"
$AllowGroupCreation = "False"

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 if(!$settingsObjectID)
 {
       $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
     $settingsCopy = $template.CreateDirectorySetting()
     New-AzureADDirectorySetting -DirectorySetting $settingsCopy
     $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 }
 $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
 $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
 if($GroupName)
 {
     $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
 }
  else {
 $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
 }
 Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
 (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

The result of the script should give you the updated settings. On the last line you should see EnableGroupCreation. If you want to reverse this setting. Just simply change the following line to True and run the entire script:

$AllowGroupCreation = “True”

If you want another security group, rerun the script with the new group name.

Posted on

Find inactive mailboxes in Exchange Online

So you want to clean up unused (shared) mailboxes in your Exchange (Online) environment. How to find out which mailboxes have been inactive for a long time? The answer is yet simple again, with a cool Power Shell script.

Afbeeldingsresultaat voor exchange mailbox delete"

First we will connect to Exchange Online

$Credential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Continue reading “Find inactive mailboxes in Exchange Online”
Posted on

Performance enhancement on Azure Premium SSD Disks

Microsoft has announced SSD bursting capabilities. This means that Premium SSD disks can achieve higher peak loads than the maximum IOPS with a new maximum of 3500 IOPS and a bandwidth up to 170 MiB/s. Together with this announcement Microsoft also announced new disk sizes (4, 8 & 16 GiB)

Explanation

With the new bursting disks you can achieve up to 30 times the provisioned bandwidth, which will give better performance for spiky workloads. Disk bursting is based on a credit system. You will receive bursting credits when traffic is below the provisioned limit. Let me try to explain it using a simple chart.

Continue reading “Performance enhancement on Azure Premium SSD Disks”
Posted on

Change default email address Office 365 group (Manual)

Office 365 Groups are easy to create. However, changing the primary domain name when creating the group might not be that easy from the GUI. However, with Power Shell you can change this easily.

First we will need to open a Power Shell Window, and connect with Exchange Online.

$Credential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Next, we just need to change the 2 value’s below, and run it. After running, you don’t get a confirmation. It might take up to 30 minutes before changes are visible in all Office 365 and/or Azure portals.

Set-UnifiedGroup –Identity "Group name" –PrimarySmtpAddress primaryaddress@2azure.nl

Sources:
https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-unifiedgroup?view=exchange-ps

Credits: Martin van de Giessen

Posted on

Convert AD domain users to Azure AD users (Manual)

With the move to the cloud there might be a time where you would like to remove the Active Directory link (AD Connect) and go for a cloud only strategy. With a few simple steps you can disconnect the AD connect sync from Azure AD.

When you look in your Office 365 environment you will notice that the sync status has different symbols. One for cloud only, and one for Active Directory. To disable the link, open a PowerShell window and run the following steps.

STEP 1: First make sure that you disable the AD Connect sync service by disabling the service, or set it to staging mode.

STEP 2: Connect to your Microsoft Office 365 environment using the following command, and login to the desired environment:

connect-msolservice

STEP 3: Now run the following command to disable the sync, confirm your actions, you cannot undo this change!

Continue reading “Convert AD domain users to Azure AD users (Manual)”
Posted on

In memoriam – Nelleke den Boer

You might have noticed that it’s quiet on 2azure.nl. On the 19th of November my wife got very ill, with unknown brain damage she was hospitalized in the Erasmus University Medical Center. But despite all efforts she passed away on the 6th of December 2019 in the age of 29.

She was my soulmate in everything. Caring for me, for our children, and always interested in other people. Such a lovely wife. You are always in my heart.

Nelleke den Boer – Brouwer | 06-01-1990 – 06-12-2019
Posted on

Update Exchange Online Global Address List (GAL)

There are situations where you would like to enforce an update of the Exchange Global Address list (GAL) in Office 365. With a few steps this can easily be done!

STEP 1: First we will need to make sure that our admin account has the correct permissions. Go to the Exchange Online Admin center, and then to permissions – admin roles and click on the + sign to add a new role

We will now create a new role group. Give it the name Address List Management and assign the role Address lists, and make sure to add the administrator account as a member. Click Save when ready.

Continue reading “Update Exchange Online Global Address List (GAL)”
Posted on

Office 365 Set language and time zone for all users with PowerShell (Manual)

When you create a new Office 365 tenant, all user mailboxes will have the default timezone and language. In my case, I work in the Netherlands, the preference for most companies is to set the Time zone to Central European Time (GMT +1) and the language of the users default folders to Dutch.

You can either ask the users to logon to webmail using https://outlook.office.com and fill in the first time question to set the time zone and default language. But how cool would it be to do this for all your users using PowerShell?

First time login screen Outlook Web Access
Continue reading “Office 365 Set language and time zone for all users with PowerShell (Manual)”
Posted on

Azure Risk based conditional access explained and how to set it up!

With the Azure AD Premium P2 license you are entitled for Azure AD Identity Protection. You will get the option in Conditional Access to assign risk level based options to your policies. Azure AD Identity Protection can detect six different types of suspicious sign-in activities with 3 different levels of risks.

Six suspicious sign-in activities and 3 risk levels

With the riks levels combined with conditional access policies we can protect sensitive application and data access. With this article I am going to show you how to create risk-based conditional access policies

So let’s create a Policy and get Conditional Access applied with risk levels

Step 1: Log in to the Azure Portal: https://portal.azure.com

Continue reading “Azure Risk based conditional access explained and how to set it up!”
Posted on

PowerShell script to export and import legacy Exchange x500 addresses (Manual)

When you’re migrating from one Exchange environment to another, or from on-premise to Exchange online without using the hybrid setup, the most forgotten part is the migration of the users x500 address. The reason why this is so important is because Exchange uses this to deliver local emails instead of the SMTP address that is normally associated with email. (This also goes along for calendar appointments)

So, by not migrating the x500 address it means that communications will fail when changing calendar appointments, or replying on old emails. To prevent this we will need to export the ExchangeLegacyDN from Active Directory, and import it again as a ProxyAddress in Active Directory.

Export the x500 address (ExchangeLegacyDN)

Step 1: From your source Active Directory, look up the distinguishedName, and copy the content of the value.

Continue reading “PowerShell script to export and import legacy Exchange x500 addresses (Manual)”
Posted on

Improved Azure Portal design

Today I noticed that the Azure Portal had a new appearance. By default the menu from the left is now hidden, giving you a cleaner view of all the blades, and as well on your dashboards.

But what I really like, is the Auto Refresh button on the dashboard. Although 30 minute interval might still be to long, this can help you get the cool dashboards that you want on a big screen.

Posted on

Enforce (Azure) MFA with Conditional Access policies

Multi Factor Authentication (MFA) is an added security feature from Azure which I believe that should be enabled by default for everybody in Office 365 and Azure. There for this manual how to enforce (Azure) MFA for all users using Azure Multi Factor Authentication

MFA can prevent unauthorized access in case of the following events:

  • Leaked credentials
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from unfamiliar locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activities

Using Conditional access we can ensure that your users and company data is safe. Important to know is that Office 365 MFA is free of charge, and if you have Azure AD applications an Azure AD Premium license is required.

Named location

If you want to mark your locations as trusted location, you can do that if you have a static public IP. So the first steps are there to define your office locations.

Continue reading “Enforce (Azure) MFA with Conditional Access policies”