Azure SQL, create users and assign permissions (Manual)

This short manual explains how to create a user in Azure SQL and assign the appropriate permissions. First connect to your SQL server, using either an AAD admin account or the SQL admin account.

Once connected, open a New Query window and run the following command on the master database to create the login at server level (logins live in master):

 CREATE LOGIN [<Username>] WITH PASSWORD = '<strong-password>';

Now open a New Query window again and select the database in which you want to grant permissions to the user you just created (Azure SQL Database does not support switching databases with USE, so connect to the target database directly). Make sure the username matches the login from the command above:

 CREATE USER [<Username>] FOR LOGIN [<Username>];

The last step is to add the user to the desired database role. Change the role to the one you need (db_datareader if the account only has to read) and match the username again:

 EXEC sp_addrolemember 'db_datawriter', '<Username>';

This should do the trick. Let me know if you have any problems or need help.
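The three steps above as one complete, runnable provisioning script, with a verification query at the end. This is an added example, not part of the original manual: the login name app_reader, the role choice and the password placeholder are constructed, and the ALTER ROLE form is used in place of the older sp_addrolemember procedure.

```sql
-- Added example (not the original manual's code): provisioning a least-privilege
-- SQL account in Azure SQL Database as the server admin.
-- app_reader and the password placeholder are constructed values.

-- ===== Step 1: run while connected to the master database =====
-- Logins are server-level objects and exist only in master.
CREATE LOGIN [app_reader] WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD';

-- ===== Step 2: run while connected to the target user database =====
-- Azure SQL Database does not support USE to switch databases, so open a
-- query window against the target database instead.
-- Map a database user to the login; the names must match exactly.
CREATE USER [app_reader] FOR LOGIN [app_reader];

-- ===== Step 3: add the user to the smallest role that does the job =====
-- ALTER ROLE ... ADD MEMBER is the current replacement for sp_addrolemember.
-- db_datareader is enough for a reporting or read-only workload; only use
-- db_datawriter when the account genuinely has to modify data.
ALTER ROLE db_datareader ADD MEMBER [app_reader];

-- Alternative for a single database: a contained database user needs no login
-- in master and therefore cannot be used to connect to any other database
-- on the same server.
-- CREATE USER [app_reader_contained] WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD';
-- ALTER ROLE db_datareader ADD MEMBER [app_reader_contained];

-- ===== Step 4: verify what was granted (run in the target database) =====
-- One row per role membership; an account with no rows in role_name has
-- no role-based permissions in this database.
SELECT dp.name      AS principal_name,
       dp.type_desc AS principal_type,
       r.name       AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.name = 'app_reader';

-- Confirm the login exists and is enabled (run in master).
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name = 'app_reader';
```

Run steps 1 and 4b against master and steps 2 to 4a against the user database; if the verification query returns the user with role_name NULL, the ALTER ROLE step did not apply and the account can connect but read nothing.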

Deploy Azure Application Gateway with http to https redirect

Azure Application Gateway is an advanced type of load balancer. Where an Azure Load Balancer routes traffic on the transport layer (OSI layer 4, TCP and UDP), the Application Gateway works at the application layer and can route based on hostname as well as URL path. On top of that it can do much more, like SSL offloading, autoscaling, redirection and multiple-site hosting, and, most important of all, it can include a web application firewall (WAF).


With all the features the Azure Application Gateway provides, we should be able to set up multiple websites listening on different ports and URLs behind one Application Gateway with just one external IP address.

With this guide you should be able to set up an Application Gateway with multiple-site hostname matching and HTTP to HTTPS redirect. In this manual we will use Atlassian Jira and Confluence as the example.

So what are we going to setup:

  • Deploy Azure application gateway
  • Configure 2 external URLs (jira.2azure.nl and confluence.2azure.nl)
  • We will redirect port 80 to 443 for both websites
  • Jira will be listening on port 8080 internally (Default port)
  • Confluence will be listening on port 8090 internally (Default port)

For this guide the VNET, subnets and the virtual machine hosting both websites have already been deployed. We will not deploy a Web Application Firewall in this guide; I will cover that in an upcoming blog article.

The setup in an overview.
Continue reading “Deploy Azure Application Gateway with http to https redirect”

Masterclass: Azure Basics

Tonight I was honored to give a masterclass in Azure Basics. By going over the Azure Basics using lab exercises everybody learned how to:

  • Manage Azure subscriptions and resources
  • Configure and manage virtual networks
  • Manage identities 
  • Deploy and manage virtual machines (VMs) 
  • Implement and manage storage

Special thanks to Proxsys for hosting the Masterclass!



How to get the license key for SQL Server Reporting Services in Azure

Last week I received the question from a customer where to get the SQL license key. Normally you see the key during SQL installation, but with an Azure-deployed SQL virtual machine you never get to see it, as the VM is deployed from the Azure Portal.


Retrieve the key from DefaultSetup.ini

So within a few clicks you will be able to retrieve the key.

Continue reading “How to get the license key for SQL Server Reporting Services in Azure”

Azure Dedicated Host (now in preview)

If you still have doubts about moving to Azure because of compliance and regulatory requirements, Azure Dedicated Hosts may take them away. Still in preview, but ready for testing. Azure Dedicated Hosts are single-tenant physical machines on which you can run your Linux and Windows virtual machines. You get visibility into the underlying infrastructure, as well as control over the maintenance policies for that host.

Visibility and control

Azure Dedicated Hosts provide visibility over the server infrastructure running your Azure Virtual Machines. You get more control over the following:

  • The underlying hardware infrastructure
  • Processor brand, capabilities, and more 
  • Number of cores
  • Type and size of the Azure Virtual Machines you want to deploy

You can mix and match different Azure Virtual Machine sizes within the same virtual machine series on a given host.

If you have any second thoughts, it is now open in preview for testing.

Completed Azure Solutions Architect certification

For the last 2 months I’ve been working on renewing my Office 365 and Azure certifications. 4 years ago I already passed the “old” exams: 533, 534, 345, 346 and 347. This saved me a few exams. I was able to upgrade to Azure Administrator and Messaging Administrator by passing the upgrade exams. For the Azure Solutions Architect I had to take the AZ-300 and AZ-301 exams, as the upgrade exam was only valid for those who had passed the follow-up exam of 534: 535.

So here is the final result. I will be looking into the Azure Security exam in the future (AZ-500) as well as the Microsoft 365 Certified Enterprise Administrator Expert (MS-100 & MS-101).

Disable Windows Firewall on a virtual machine from the Azure Portal

When you have accidentally locked yourself out of a virtual machine in Azure, there is no console access to log in and get yourself back into the system.

Enabled Windows firewall

In the last year I’ve seen a few cases where somebody accidentally locked himself out of a VM by misconfiguring the Windows Firewall, making it impossible to manage the virtual machine in Azure. But with the Custom Script Extension it is possible to disable the Windows Firewall and regain access!

Continue reading “Disable Windows Firewall on a virtual machine from the Azure Portal”

How to setup Azure Lighthouse (Manual)

Microsoft released Lighthouse last weekend. Since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs can be a bit confusing, so I wanted to simplify the manual. Here it is! We will be using PowerShell, as this makes life so much easier and faster.

Requirements:

  • Your admin tenant needs to have a valid Azure subscription
  • You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
  • Azure PowerShell module: AZ (Install-Module -Name az)
Continue reading “How to setup Azure Lighthouse (Manual)”

Use PRTG to monitor Azure Backup status

Recently I received the question whether it is possible to monitor Azure Backup with PRTG. This might seem a bit odd, as we could use Azure Monitor. But in this case it was a service provider that needed a single solution for all their services, including custom dashboards and monitoring.

So, challenge accepted, let’s get this done! In this case the customer has an Azure Recovery Services vault with 2 virtual machines, with a backup schedule of once every 24 hours and a retention of 30 days.

Our goal is to have 3 sensors in PRTG: completed jobs, failed jobs and running jobs. If you follow the next steps you should be able to set this up yourself as well.

Continue reading “Use PRTG to monitor Azure Backup status”

Azure File Sync Agent v7 Released


Microsoft is working hard on improving Azure File Sync. They just announced the new release of the v7 agent. For now only currently installed agents get the update. Once all current clients have been updated, the update will be made available on Microsoft Update and the Microsoft Download Center.

Improvements and issues that are fixed

  • Support for larger file share sizes
    • With the preview of larger, 100 TiB Azure file shares, we are increasing the support limits for file sync as well. In this first step, Azure File Sync now supports up to 50 million files in a single, syncing namespace. Other existing limits, for example the number of items per directory level, still apply.
  • Improved Azure Backup file-level restore
    • Individual files restored using Azure Backup are now detected and synced to the server endpoint faster.
  • Improved cloud tiering recall cmdlet reliability
    • The cloud tiering recall cmdlet (Invoke-StorageSyncFileRecall) now supports per file retry count and retry delay, similar to robocopy.
  • Support for TLS 1.2 only (TLS 1.0 and 1.1 disabled)
    • Azure File Sync now supports using TLS 1.2 only on servers that have TLS 1.0 and 1.1 disabled. Prior to this improvement, server registration would fail if TLS 1.0 and 1.1 were disabled on the server.
  • Miscellaneous performance and reliability improvements for sync and cloud tiering
    • There are several reliability and performance improvements in this release. Some of them are targeted to make cloud tiering more efficient and Azure File Sync as a whole work better in those situations when you have a bandwidth throttling schedule set.

Azure Bastion in Public Preview!

Today Microsoft announced Azure Bastion. With this new service you get improved security and simplified IT management: RDP and SSH to your VMs with a single click from your web browser using the HTML5 web client, without exposing the VMs with a public IP address. This eliminates the need for a jump server. I am looking forward to using this service in preview and GA.

More information can be found on the Microsoft Azure blog: https://azure.microsoft.com/nl-nl/blog/announcing-the-preview-of-microsoft-azure-bastion/

Top-level Azure Bastion architecture

How to deploy Azure Active Directory Domain Services (AD DS)

Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!

Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!

Step 2: Now we can start the setup of AD DS. Fill in your preferred domain name. You can leave the default, which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public domain, like adds.2azure.nl in my case.

Continue reading “How to deploy Azure Active Directory Domain Services (AD DS)”

Office 365 MFA is free of charge!

Where Azure MFA is only included in the paid Azure Active Directory Premium subscriptions (P1/P2 and the EM+S suites), there is a free version for the Office 365 apps.

It is always a good idea to enable multi-factor authentication: if your credentials get stolen, the thief will not be able to use them because of the second authentication factor. Microsoft is encouraging all their users to start using MFA, so they made it free of charge for all the apps of the Office 365 suite, including Outlook, Teams, Excel, Word and many more.

First Sign in screen

Two-factor authentication can be set up fairly easily by the end users themselves. The administrator can enforce it by requiring two-factor authentication; the first time a user logs on, he or she will get a notification to set up MFA. Alternatively you can redirect your users to the following portal to set up MFA: https://aka.ms/mfasetup

How to set up MFA for your end users?

In the Office 365 admin portal go to the Active Users tab and open the Setup multifactor authentication page (see below).

In the preview version of the admin center, the More menu on the Active Users page, with Setup Azure multi-factor auth selected.
Continue reading “Office 365 MFA is free of charge!”

How to deploy Azure File Sync

Do you still have your old network drives? Do you still need to set up a VPN to access your file shares? Or have you migrated all your files to an Azure file share but need higher performance for your AutoCAD files?

High level overview of Azure File Share Sync

Wait no longer, Azure File Sync to the rescue! Where you would use an Azure File Share for sharing files, you can use Azure File Sync to keep a local cache of your Azure files, or to sync your local file server to Azure Files. In this manual we will help you set up Azure File Sync with an existing Azure File Share. I already have an Azure File Share mapped as the network drive Z:

Azure File Share mapped as the Z: Drive
Continue reading “How to deploy Azure File Sync”

What is Microsoft Enterprise Mobility + Security (EM+S)?

Enterprise Mobility + Security is a Microsoft solution developed specifically for managing and securing users, company data and applications. It gives you and your users secure access to your company information at all times.

With EM+S we move from managing the device to managing and securing the data. This means it does not only protect your device but, most importantly, takes care of security at the document level, so you can prevent confidential data from being readable by unauthorized persons.

By using this security suite you can prevent abuse of stolen credentials when one of your users is tricked by a phishing email. You can limit access to company data to trusted devices only (company-owned and BYOD) through the Intune portal. Access can also be limited with IP allow and block lists. This includes geo-blocking: it is impossible to travel from the Netherlands to Russia in 5 minutes, for example, so a sign-in that implies such a trip is blocked.

To protect your valuable company data I recommend always using EM+S for optimal protection. If you want the best security, E5 is the way to go!

Main features

  • Simple management and security of your devices
  • Multifactor authentication (MFA)
  • Self-service portal for password reset and security group management
  • Application company portal
  • Mobile device management (MDM)
  • Integrated device management (Laptop/Desktop)
  • Securing company data and restricting access to company data
  • Conditional access (geo-blocking and more)
  • Advanced Threat Protection with reporting
  • Risk-Based conditional access (E5 only)
  • Privileged identity management (E5 only)
  • Intelligent data classification and labeling (E5 only)
Continue reading “What is Microsoft Enterprise Mobility + Security (EM+S)?”

Azure MFA NPS extension replacing MFA Server

Within Azure there are multiple ways to set up MFA. Where you would have installed MFA Server in the past, there is now the NPS extension. Microsoft is going to retire MFA Server in the near future (security updates will continue to be published for now).

Rather than the NPS extension or the on-premises MFA Server, the best practice is to run MFA from the Azure cloud where possible. But that isn’t always an option, so let’s move on to the NPS extension, starting with the requirements.

Requirements:
– Server 2016/2019 with AD FS version 4
– Server 2016/2019 hosting the NPS role, which performs RADIUS authentication
– Users must be synchronized between local Active directory and Azure Active Directory
– Azure AD Premium or EM+S license must be assigned to the user
– NPS Extension for Azure MFA (Download link: https://aka.ms/npsmfa)

Continue reading “Azure MFA NPS extension replacing MFA Server”

Azure virtual machines SLA explained

Recently I received a comparison of Azure with competitors. The comparison stated that Azure provides an SLA of 99.95% by default. However, this is not entirely correct: by default a single basic virtual machine has no SLA at all!

I hear you thinking: what??? Let me explain what the options are. First we need to know a bit more about the setup in Azure. For this explanation I will use West and North Europe. These regions have Availability Zones, but this is not the case for every region. In the picture below you can review the Azure regions with their options.


So let’s zoom in a bit further. In the picture below we have our 2 regions (West and North Europe). Within region 1 we have 3 separate buildings, creating 3 availability zones.

So let’s move on to the SLA rules.

Continue reading “Azure virtual machines SLA explained”