Microsoft released multiple security updates on the last Patch Tuesday. One of them fixes a critical vulnerability (CVE-2021-38647), also known as OMIGOD. The flaw is exploitable remotely without credentials, so in-the-wild exploitation is expected soon.
The flaw does not affect Windows at all: it is a bug in Microsoft's open source Open Management Infrastructure (OMI) agent, which is built for Linux in general and for Azure-hosted Linux servers in particular. Many Azure resources use it, often without the owner knowing, because Azure extensions such as the Log Analytics agent install it silently.
A brief overview
Simplified, OMI is Microsoft's Linux-based counterpart to WMI, the interface sysadmins use to manage their Windows networks.
Like WMI, the OMI code runs as a privileged process (root) on your servers so that sysadmins, and system administration software, can query and control what is going on: enumerating processes, starting utility programs, and checking system configuration settings.
Unfortunately, cyber criminals love WMI/OMI as much as sysadmins do.
Sadly, OMIGOD is an OMI bug that, in theory, offers criminals that same power over your Linux servers. It is reachable over the network only where OMI has been configured to listen for remote management (TCP 5985, 5986 or 1270), which is not the default for every installation, so the first job is to find out which hosts run an OMI build older than the fixed 1.6.8-1 and which of them expose a listener.
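The check a practitioner wants after reading this, as an added example that is not part of the original post: enumerate the Linux VMs in the current Azure subscription, run a small shell script in each through Azure Run Command, and report the installed OMI package version and whether anything listens on the OMI ports. It assumes an Az session (Az.Accounts, Az.Compute) with rights to run commands on the VMs; the fixed version 1.6.8-1 comes from Microsoft's advisory, and the port list and version regex are this example's assumptions.

```powershell
# Added example: audit OMI versions on Azure Linux VMs via Run Command. Not the original post's code.
# Run Command executes as root inside the guest, so only run this where you are authorised to.
$Fixed = [version]'1.6.8.1'   # OMI 1.6.8-1 is the patched release

# Shell script that runs inside each VM; prints "OMI <version>" or "OMI not-installed",
# then any listener on the OMI/WS-Man ports.
$Script = @'
if command -v dpkg >/dev/null 2>&1 && dpkg -s omi >/dev/null 2>&1; then
  echo "OMI $(dpkg-query -W -f='${Version}' omi)"
elif command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
  echo "OMI $(rpm -q --qf '%{VERSION}-%{RELEASE}' omi)"
else
  echo "OMI not-installed"
fi
# 5985/5986 = WS-Man, 1270 = OMI/SCOM; no match means no remote OMI listener
ss -ltn 2>/dev/null | grep -E ':(5985|5986|1270)\b' || echo "no remote OMI listener"
'@
$ScriptPath = Join-Path ([IO.Path]::GetTempPath()) 'omi-check.sh'
Set-Content -Path $ScriptPath -Value $Script -NoNewline

$Report = foreach ($Vm in Get-AzVM | Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Linux' }) {
    $Result = Invoke-AzVMRunCommand -ResourceGroupName $Vm.ResourceGroupName -VMName $Vm.Name `
        -CommandId 'RunShellScript' -ScriptPath $ScriptPath
    $Out = ($Result.Value | Where-Object Code -like 'ComponentStatus/StdOut/*').Message

    # Accept both deb (1.6.8.1) and rpm (1.6.8-1) version spellings
    $Ver = if ($Out -match 'OMI (\d+\.\d+\.\d+)[.-](\d+)') { [version]"$($Matches[1]).$($Matches[2])" }
    [pscustomobject]@{
        VM         = $Vm.Name
        OmiVersion = if ($Ver) { $Ver.ToString() } else { 'not-installed' }
        Vulnerable = if ($Ver) { $Ver -lt $Fixed } else { $false }
        Listener   = if ($Out -match 'no remote OMI listener') { 'no' } else { 'yes' }
    }
}
$Report | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
```

Hosts with Vulnerable = True and Listener = yes are the ones to patch first; the VMs that carry OMI only as a dependency of an Azure extension get the fix when the extension auto-updates, but updating the omi package with the distribution's package manager does not wait for that.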
Recently a customer asked me how to save cost on their Azure SQL database without moving away from the DTU-based purchasing model. This customer knows exactly at what times their database is heavily used and when it is idling, so it is easy to automate the scaling with a script.
In this manual we are going to scale a SQL database from S4 to S3 on a schedule.
Step 1: In this first step we add the required modules to your Automation account. Go to Modules and click Browse gallery.
From the Gallery search for az.accounts, click on it
Next make sure to Import the module
Now browse the Gallery again, this time search for az.sql and make sure to import this module as well.
STEP 2: This step matters. If you chose not to create a Run As account when you set up the Automation account, create and assign one now: go to Run as Accounts and click Create Azure Run As Account. Be aware of what you get: a Run As account is a service principal with a certificate, and Azure grants it the Contributor role on the whole subscription by default, far more than a runbook that resizes one database needs. Microsoft has since retired Run As accounts in favour of managed identities; for a new deployment, use the Automation account's managed identity and assign it a role scoped to the SQL server only.
Click on Create
STEP 3: Now we add some variables to your Automation account. They hold the location of your Azure SQL server and database, and the runbook below reads them with Get-AutomationVariable, so the names must match exactly. Create the following variables and fill them:
Resourcegroup (the resource group that contains the SQL server)
Servername (without .database.windows.net)
Database (the database name)
STEP 4: Now go to runbooks, and create a new runbook!
Give your runbook a name, as type select PowerShell!
In the newly opened editor, paste the code below. Adjust the variables $Edition and $PricingTier to your needs (this manual uses Standard / S3 as the target tier).
$ResourceGroupName = Get-AutomationVariable -Name "Resourcegroup"
$ServerName = Get-AutomationVariable -Name "Servername"
$DatabaseName = Get-AutomationVariable -Name "Database"
$Edition = "Standard"
$PricingTier = "S3"   # target tier; this manual scales S4 -> S3

# Keep track of time
$StartDate = Get-Date

# Log in to Azure with AZ (standard code)
Write-Verbose -Message 'Connecting to Azure'

# Name of the Azure Run As connection
$ConnectionName = 'AzureRunAsConnection'
try {
    # Get the connection properties
    $ServicePrincipalConnection = Get-AutomationConnection -Name $ConnectionName

    'Log in to Azure...'
    $null = Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $ServicePrincipalConnection.TenantId `
        -ApplicationId $ServicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$ServicePrincipalConnection) {
        # You forgot to turn on 'Create Azure Run As account'
        $ErrorMessage = "Connection $ConnectionName not found."
        throw $ErrorMessage
    }
    else {
        # Something else went wrong
        Write-Error -Message $_.Exception.Message
        throw $_.Exception
    }
}

# Getting the database for testing and logging purposes
$MyAzureSqlDatabase = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $DatabaseName -ErrorAction SilentlyContinue
if (!$MyAzureSqlDatabase) {
    Write-Error "$($ServerName)\$($DatabaseName) not found in $($ResourceGroupName)"
    return
}
Write-Output "Current pricing tier of $($ServerName)\$($DatabaseName): $($MyAzureSqlDatabase.Edition) - $($MyAzureSqlDatabase.CurrentServiceObjectiveName)"

# Set Pricing Tier Database
# Check for incompatible actions
if ($MyAzureSqlDatabase.Edition -eq $Edition -And $MyAzureSqlDatabase.CurrentServiceObjectiveName -eq $PricingTier) {
    Write-Error "Cannot change pricing tier of $($ServerName)\$($DatabaseName) because the new pricing tier is equal to current pricing tier"
    return
}
Write-Output "Changing pricing tier to $($Edition) - $($PricingTier)"
$null = Set-AzSqlDatabase -DatabaseName $DatabaseName -ServerName $ServerName -ResourceGroupName $ResourceGroupName -Edition $Edition -RequestedServiceObjectiveName $PricingTier

# Show when finished
$Duration = New-TimeSpan -Start $StartDate -End (Get-Date)
Write-Output "Done in $([int]$Duration.TotalMinutes) minute(s) and $([int]$Duration.Seconds) second(s)"
Use the menu to Save your runbook, use the Test pane to review the output of your PowerShell script. When ready Publish your runbook!
STEP 5: The last step is to create a schedule. From your runbook go to Schedules and click Add a schedule.
Create a new schedule based on your requirements (for example one runbook/schedule pair that scales down in the evening and a second pair that scales back up in the morning).
Click Create to finalize the process. Now go back to your SQL database. While the change is in progress you should see an update line like the one below, showing that the pricing tier is being updated.
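The same scaling step in the hardened form the step-2 caveat asks for, as an added example that is not the post's own runbook: the Automation account authenticates with its system-assigned managed identity (no certificate, no secret to rotate), that identity holds only the built-in SQL DB Contributor role and only on the one SQL server, and the runbook confirms the new service objective actually applied instead of assuming it. The names aa-sqlscale, rg-sql, sqlsrv01 and the 30-minute timeout are this example's assumptions; the Automation variables are the same three as in step 3.

```powershell
# Added example: managed identity + least-privilege role for the scaling runbook. Not the original post's code.

# --- One-time setup, run from an admin workstation (Az.Accounts, Az.Automation, Az.Resources, Az.Sql) ---
Connect-AzAccount
Set-AzAutomationAccount -ResourceGroupName 'rg-sql' -Name 'aa-sqlscale' -AssignSystemIdentity | Out-Null
$Identity = Get-AzADServicePrincipal -DisplayName 'aa-sqlscale'      # the system-assigned identity carries the account name
$Srv      = Get-AzSqlServer -ResourceGroupName 'rg-sql' -ServerName 'sqlsrv01'
# SQL DB Contributor can change tiers but cannot read data or touch anything outside this server
New-AzRoleAssignment -ObjectId $Identity.Id -RoleDefinitionName 'SQL DB Contributor' -Scope $Srv.ResourceId

# --- Runbook body (PowerShell runbook; needs the Az.Accounts and Az.Sql modules imported, as in step 1) ---
$ResourceGroupName = Get-AutomationVariable -Name 'Resourcegroup'
$ServerName        = Get-AutomationVariable -Name 'Servername'
$DatabaseName      = Get-AutomationVariable -Name 'Database'
$Edition           = 'Standard'
$PricingTier       = 'S3'

# The token comes from the managed identity endpoint; nothing is stored in the account
$null = Connect-AzAccount -Identity

$Db = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $DatabaseName
if ($Db.Edition -eq $Edition -and $Db.CurrentServiceObjectiveName -eq $PricingTier) {
    Write-Output "Already at $Edition/$PricingTier, nothing to do."
    return
}

Write-Output "Scaling $ServerName/$DatabaseName from $($Db.CurrentServiceObjectiveName) to $PricingTier"
$null = Set-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $DatabaseName `
    -Edition $Edition -RequestedServiceObjectiveName $PricingTier

# Confirm the service objective really changed; poll for up to 30 minutes (assumed limit)
$Deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $Db = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $DatabaseName
} until ($Db.CurrentServiceObjectiveName -eq $PricingTier -or (Get-Date) -gt $Deadline)

if ($Db.CurrentServiceObjectiveName -ne $PricingTier) {
    throw "Scale operation did not complete within 30 minutes; current tier is $($Db.CurrentServiceObjectiveName)"
}
Write-Output "Done: $ServerName/$DatabaseName is now $($Db.Edition) - $($Db.CurrentServiceObjectiveName)"
```

One thing the identity does not fix: anyone who can edit runbooks in this Automation account can run arbitrary code as that identity, so the Automation Contributor role on the account is worth exactly as much as the roles granted to the identity. Keep those roles scoped, as above, rather than Contributor on the subscription.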
When users leave the company you may want to retain their mailbox longer than the default 30 days after the account is deleted. By enabling litigation hold on the mailbox before you disable or delete the user, the mailbox is kept as an inactive mailbox for as long as the hold specifies (any duration you like). At some point you may then need to bring such a mailbox back. In this manual I explain how to do that.
STEP 1: Open a new PowerShell window and type the following command
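The full life cycle described above as an added example that is not the post's own command: place the hold with a duration before the user is removed, list the mailboxes that survive only because of a hold, and recover one of them as a usable mailbox again. It assumes the ExchangeOnlineManagement module and an admin holding the Legal Hold role; the user jdoe@contoso.com and the 2555-day (7-year) duration are made up for the example.

```powershell
# Added example: litigation hold before off-boarding, then recovery of the inactive mailbox. Not the post's code.
Connect-ExchangeOnline

# Before disabling or deleting the user: hold the mailbox for 7 years. Without a hold the mailbox
# is purged 30 days after the user object is deleted.
Set-Mailbox -Identity 'jdoe@contoso.com' -LitigationHoldEnabled $true -LitigationHoldDuration 2555
Get-Mailbox -Identity 'jdoe@contoso.com' |
    Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDuration, LitigationHoldDate

# Later: the mailboxes that exist only because of a hold (no licence is consumed by these)
Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, WhenSoftDeleted, LitigationHoldEnabled

# Recover one inactive mailbox as a new, active mailbox for a new user object.
# The original content comes back with it; the hold is kept until you remove it explicitly.
$Inactive = Get-Mailbox -InactiveMailboxOnly -Identity 'jdoe@contoso.com'
New-Mailbox -InactiveMailbox $Inactive.DistinguishedName -Name $Inactive.Name -Alias 'jdoe' `
    -MicrosoftOnlineServicesID 'jdoe@contoso.com' `
    -Password (Read-Host -AsSecureString 'Initial password') -ResetPasswordOnNextLogon $true
```

Recovery converts the inactive mailbox back into a licensed, active one; if you only need the content (for example to hand it to a manager), restoring it into another mailbox with New-MailboxRestoreRequest leaves the inactive mailbox and its hold untouched.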
How cool would it be to automate your daily SQL tasks using Azure Automation? Well, really cool of course! So let's start using Azure Automation. If you don't have an Automation account yet, create one by going to Automation Accounts.
Give your Automation account a name, choose a subscription, resource group and location, and hit the Create button.
When you migrate to Azure SQL, you might think that Azure does all SQL maintenance for you, including the maintenance of your database. The truth is that you still need to set up some maintenance for your databases yourself: Microsoft does not know what is best for your application or database. With this manual you should be able to set up basic database maintenance on Azure SQL.
By default everyone may create a new team in Microsoft Teams. As an organisation admin you might want to control this, or release it again at some point. With this manual you should be able to lock down team creation to users that are members of an Azure AD security group. Note that a team is a Microsoft 365 group underneath, so this setting restricts creation of all Microsoft 365 groups (Outlook, Planner, SharePoint), not only Teams.
STEP 1: First we need to install the preview version of the Azure Active Directory PowerShell module for Graph (AzureADPreview; the GA module lacks the directory-setting cmdlets). Open a PowerShell window with Administrator privileges and run the following 2 commands:
The result of the script should show you the updated settings. On the last line you should see EnableGroupCreation. If you want to reverse this setting, simply change the following line to True and run the entire script again:
$AllowGroupCreation = “True”
If you want to allow a different security group, rerun the script with the new group name. Admin roles such as Global Administrator are always allowed to create groups, regardless of this setting.
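The complete script this manual walks through, as an added example that is not the post's own script: it creates the Group.Unified directory setting from its template if the tenant does not have one yet, disables group creation and names the one security group whose members may still create groups (and therefore teams), then prints the resulting values. It uses the AzureADPreview module the post refers to; the group name Teams-Creators is an assumption. Set $AllowGroupCreation = "True" to lift the restriction again.

```powershell
# Added example: restrict Microsoft 365 group / Teams creation to one security group. Not the post's script.
Install-Module AzureADPreview -Scope CurrentUser   # one-time; AzureADPreview has the *-AzureADDirectorySetting cmdlets
Import-Module AzureADPreview
Connect-AzureAD

$GroupName          = 'Teams-Creators'   # assumed security group; leave empty to allow no group at all
$AllowGroupCreation = 'False'            # "True" reverses the restriction

# The Group.Unified settings object only exists once it has been created from its template
$Settings = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if (-not $Settings) {
    $Template = Get-AzureADDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
    New-AzureADDirectorySetting -DirectorySetting $Template.CreateDirectorySetting() | Out-Null
    $Settings = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
}

$Settings['EnableGroupCreation'] = $AllowGroupCreation
if ($GroupName) {
    # Exact match on DisplayName: -SearchString is a prefix search and could return similar names
    $Group = Get-AzureADGroup -SearchString $GroupName | Where-Object DisplayName -eq $GroupName
    if (-not $Group) { throw "Security group '$GroupName' not found" }
    if (@($Group).Count -gt 1) { throw "More than one group is called '$GroupName'; use the ObjectId instead" }
    $Settings['GroupCreationAllowedGroupId'] = $Group.ObjectId
} else {
    $Settings['GroupCreationAllowedGroupId'] = $null
}
Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings

# Verify: EnableGroupCreation should read False and GroupCreationAllowedGroupId the group's ObjectId
(Get-AzureADDirectorySetting -Id $Settings.Id).Values
```

The setting takes a while to propagate to the Teams client, so do not judge success by the Teams UI alone; the Values output above is the authoritative state.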
So you want to clean up unused (shared) mailboxes in your Exchange (Online) environment. How do you find out which mailboxes have been inactive for a long time? The answer is once again simple: with a PowerShell script.
Next, we just need to change the 2 values below and run it. After running you don't get a confirmation, and it can take up to 30 minutes before the changes are visible in all Office 365 and/or Azure portals.
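A report of that kind, as an added example that is not the post's own script: for every shared mailbox it combines the last logon time with the date of the newest item in the Inbox, because LastLogonTime only says whether somebody opened the mailbox (and is refreshed by delegates' Outlook syncing it in the background), while a mailbox that nobody opens but still receives mail is usually one you do not want to delete. The 180-day threshold and the CSV path are assumptions; it needs the ExchangeOnlineManagement module.

```powershell
# Added example: find shared mailboxes with no logon and no new mail in 180 days. Not the post's script.
Connect-ExchangeOnline
$Threshold = (Get-Date).AddDays(-180)    # assumed inactivity window

$Report = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    $Stats = Get-MailboxStatistics -Identity $_.PrimarySmtpAddress.ToString()
    # Newest item in the Inbox tells us whether mail still arrives, without a message trace
    $Inbox = Get-MailboxFolderStatistics -Identity $_.PrimarySmtpAddress.ToString() `
                 -FolderScope Inbox -IncludeOldestAndNewestItems | Where-Object FolderType -eq 'Inbox'

    # TotalItemSize renders as "1.2 GB (1,288,490,188 bytes)"; pull the byte count out of it
    $SizeMB = if ($Stats.TotalItemSize.ToString() -match '\(([\d,]+) bytes\)') {
        [math]::Round([double]($Matches[1] -replace ',') / 1MB, 1)
    }

    $NoLogon = -not $Stats.LastLogonTime -or $Stats.LastLogonTime -lt $Threshold
    $NoMail  = -not $Inbox.NewestItemReceivedDate -or $Inbox.NewestItemReceivedDate -lt $Threshold
    [pscustomobject]@{
        Mailbox     = $_.PrimarySmtpAddress
        LastLogon   = $Stats.LastLogonTime
        NewestInbox = $Inbox.NewestItemReceivedDate
        SizeMB      = $SizeMB
        Inactive    = $NoLogon -and $NoMail
    }
}

$Report | Where-Object Inactive | Sort-Object LastLogon |
    Export-Csv -Path .\inactive-shared-mailboxes.csv -NoTypeInformation
$Report | Where-Object Inactive | Format-Table -AutoSize
```

Before removing anything on that list, check whether the mailbox is on hold or referenced by a transport rule or distribution group; a mailbox with LastLogon empty and NewestInbox empty is often one that was created and never used, which is the safest kind to remove.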
With the move to the cloud there may come a time when you want to remove the Active Directory link (Azure AD Connect) and go for a cloud-only strategy. With a few simple steps you can disconnect the AD Connect sync from Azure AD.
When you look in your Office 365 environment you will notice that the sync status column shows different symbols: one for cloud-only objects and one for objects synced from Active Directory. To disable the link, open a PowerShell window and follow these steps.
STEP 1: First make sure the AD Connect synchronization is no longer running: stop the service, disable the sync scheduler, or put the server in staging mode. A sync cycle that runs while you disable directory synchronization in the tenant can leave objects half-converted.
STEP 2: Connect to your Microsoft Office 365 environment using the following command, and login to the desired environment:
STEP 3: Now run the following command to disable directory synchronization and confirm the prompt. The tenant then converts every synced object to cloud-only; this cannot be undone, and Azure AD refuses to re-enable synchronization for up to 72 hours afterwards.
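The three steps together with the checks I would want around the irreversible one, as an added example that is not the post's own commands: it uses the MSOnline module that the "Office 365" connection step implies (Microsoft has since retired MSOnline in favour of Microsoft Graph PowerShell, so confirm it is still available in your tenant), refuses to continue if a sync cycle ran recently, counts the objects that are about to become cloud-only, and verifies the flag afterwards. The one-hour freshness check is an assumption.

```powershell
# Added example: disable directory synchronization with pre- and post-checks. Not the post's own commands.
Install-Module MSOnline -Scope CurrentUser   # one-time
Connect-MsolService                          # sign in as Global Administrator of the tenant

# Pre-check 1: AD Connect must be stopped or in staging mode (step 1). A recent sync means it is still running.
$Info = Get-MsolCompanyInformation
"DirSync enabled: $($Info.DirectorySynchronizationEnabled); last sync: $($Info.LastDirSyncTime)"
if ($Info.LastDirSyncTime -gt (Get-Date).AddHours(-1)) {
    throw 'A sync ran within the last hour. On the AD Connect server run: Set-ADSyncScheduler -SyncCycleEnabled $false'
}

# Pre-check 2: know what is about to change. Synced users keep their passwords, but password writeback,
# group membership updates and attribute changes from on-premises AD stop for good.
$Synced = Get-MsolUser -All | Where-Object { $_.ImmutableId -and $_.LastDirSyncTime }
"Users that will be converted to cloud-only: $(@($Synced).Count)"

# The irreversible step. -Force skips the confirmation prompt; leave it out if you want to be asked.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# Verify: the tenant flag flips immediately; converting the objects can take hours in large tenants
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
$Remaining = @(Get-MsolUser -All | Where-Object LastDirSyncTime).Count
"Users still marked as synced: $Remaining   (should reach 0 when the conversion is complete)"
```

Keep the AD Connect server switched off rather than uninstalled until the conversion has finished and you have confirmed that sign-in, group membership and licensing still behave as expected; reinstalling and re-matching later is possible, but only after the 72-hour lock-out and with the ImmutableId values still intact.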
STEP 1: First we need to make sure our admin account has the correct permissions. Go to the Exchange Online admin center, then to Permissions, Admin roles, and click the + sign to add a new role group.
We now create a new role group. Name it Address List Management, assign it the Address Lists role, and add the administrator account as a member. Click Save when ready. The role exists separately for a reason: Organization Management does not include it by default, which is why address list cmdlets fail for a plain global admin until this is done.
When you are migrating from one Exchange environment to another, or from on-premises to Exchange Online without a hybrid setup, the most often forgotten part is migrating the users' X500 addresses. Internally, Exchange addresses recipients by their legacyExchangeDN (the X500 address) rather than by SMTP address: it is what Outlook stores in the autocomplete cache, and what existing calendar items and old messages carry as the identity of the sender, recipient or attendee.
So if the X500 address is not migrated, replies to old e-mails and updates to existing calendar appointments fail with an IMCEAEX non-delivery report, because the cached legacyExchangeDN no longer resolves to a recipient. To prevent this, export the legacyExchangeDN attribute from the source Active Directory and import it into the target Active Directory as an additional proxyAddresses entry prefixed with X500:.
Export the X500 address (legacyExchangeDN)
Step 1: In your source Active Directory, look up the user's legacyExchangeDN attribute (for example in the Attribute Editor tab) and copy its value.
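The export and import for all users at once, as an added example that is not the post's own steps: part 1 runs against the source forest and exports every user's legacyExchangeDN with their mail address, part 2 runs against the target forest and adds each value as an X500: proxy address to the user with the same mail address, skipping entries that are already present. It assumes the ActiveDirectory module on both sides, that the mail attribute is the matching key, and the CSV path; the spot-check user is made up.

```powershell
# Added example: migrate legacyExchangeDN values as X500 proxy addresses. Not the post's own script.

# ----- Part 1: source Active Directory -----
Get-ADUser -Filter 'legacyExchangeDN -like "*"' -Properties mail, legacyExchangeDN |
    Where-Object mail |
    Select-Object mail, legacyExchangeDN |
    Export-Csv -Path .\x500.csv -NoTypeInformation -Encoding UTF8

# ----- Part 2: target Active Directory -----
foreach ($Row in Import-Csv -Path .\x500.csv) {
    $X500 = "X500:$($Row.legacyExchangeDN)"
    # Quote the mail value for the AD filter; single quotes inside a mail address are rare but legal
    $Mail = $Row.mail -replace "'", "''"
    $User = Get-ADUser -Filter "mail -eq '$Mail'" -Properties proxyAddresses

    if (-not $User) { Write-Warning "No target user with mail $($Row.mail)"; continue }
    if (@($User).Count -gt 1) { Write-Warning "Several target users share mail $($Row.mail); skipped"; continue }

    # -contains is case-insensitive, matching how Exchange compares proxy addresses
    if ($User.proxyAddresses -contains $X500) { continue }

    # Add, never replace: the primary SMTP: entry and the other aliases must survive
    Set-ADUser -Identity $User -Add @{ proxyAddresses = $X500 }
    Write-Output "Added $X500 to $($User.SamAccountName)"
}

# Spot check one user (made-up address)
(Get-ADUser -Filter "mail -eq 'jdoe@contoso.com'" -Properties proxyAddresses).proxyAddresses
```

If the target is Exchange Online with cloud-only users, the same value goes on with Set-Mailbox -EmailAddresses @{add="X500:..."} instead of Set-ADUser. In either case, after the first migrated mailbox replies to an old message successfully you know the X500 entry is right; an IMCEAEX bounce at that point means the value differs from what the source cached, typically by one escaped character.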
A commonly heard end-user frustration with auto-mapped shared mailboxes is that messages sent from the shared mailbox end up in the Sent Items folder of the user's own mailbox instead of the shared one. In the past you had to set a registry key (DelegateSentItemsStyle) on every client computer to change this. With Office 365 there is an easy server-side way to change this behaviour for every user at once.
With PowerShell this job is done in less than a minute, in just 2 simple steps.
STEP 1: First connect to Exchange Online using the following commands:
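Both steps in one script, as an added example that is not the post's own commands: it enables the sent-item copy for a single shared mailbox, then for every shared mailbox that does not have it yet (so it is safe to re-run), and verifies the result. It assumes the ExchangeOnlineManagement module; sales@contoso.com is a made-up mailbox.

```powershell
# Added example: keep copies of "Send As" / "Send on Behalf" mail in the shared mailbox's Sent Items. Not the post's code.
Connect-ExchangeOnline

# One mailbox: both switches, because Send As and Send on Behalf are controlled separately
Set-Mailbox -Identity 'sales@contoso.com' -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true

# Every shared mailbox that is not yet configured (idempotent)
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MessageCopyForSentAsEnabled -or -not $_.MessageCopyForSendOnBehalfEnabled } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true
        "$($_.PrimarySmtpAddress): sent-item copies enabled"
    }

# Verify
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, MessageCopyForSentAsEnabled, MessageCopyForSendOnBehalfEnabled
```

The copy is made server-side at send time, so the user still also gets a copy in their own Sent Items; this setting adds the shared mailbox copy rather than moving it.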
With the transition to Azure AD, you might want to connect your Azure AD joined devices to the traditional file server as explained in this article: Go Azure AD Joined with on-prem DC and fileserver. The next step is to map some network drives with Intune!
Step 1: The first step is to create a PowerShell script that does the actual drive mappings. This script is placed on Azure Blob storage (or on your internal domain) where you can manage and maintain it, and it is run by a second script that we deploy with Intune. Be aware of what that design means: every device downloads and executes whatever that blob contains, so treat the blob like code. Restrict who can write to the container, do not leave it publicly writable, and have the Intune-deployed loader verify the script before running it. For your convenience I have already prepared the script:
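The second (Intune-deployed) script in the hardened form the step above asks for, as an added example that is not the post's own loader: it downloads the drive-mapping script from the blob, refuses to run it unless its SHA-256 matches the hash pinned in the loader, falls back to the last verified copy when the device is offline, and then runs it in the user's context. The URL, the cache path and the placeholder hash are assumptions; take the real hash from Get-FileHash on the script you uploaded.

```powershell
# Added example: Intune loader that only runs a hash-verified copy of the drive-mapping script. Not the post's code.
$ScriptUrl    = 'https://contosostorage.blob.core.windows.net/intune/Map-Drives.ps1'             # assumed location
$PinnedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'             # replace with real hash
$Local        = Join-Path $env:ProgramData 'Contoso\Map-Drives.ps1'                              # assumed cache path

New-Item -ItemType Directory -Path (Split-Path $Local) -Force | Out-Null

try {
    Invoke-WebRequest -Uri $ScriptUrl -OutFile "$Local.tmp" -UseBasicParsing
}
catch {
    # Offline or blob unreachable: fall back to the last verified copy, if there is one
    if (-not (Test-Path $Local)) { Write-Error "Download failed and no cached script: $_"; exit 1 }
}

if (Test-Path "$Local.tmp") {
    $Actual = (Get-FileHash -Path "$Local.tmp" -Algorithm SHA256).Hash
    if ($Actual -ne $PinnedSha256) {
        # Anyone who can write to the container could have replaced the script; do not run it
        Remove-Item "$Local.tmp" -Force
        Write-Error "Map-Drives.ps1 hash mismatch (got $Actual); refusing to run"
        exit 1
    }
    Move-Item "$Local.tmp" $Local -Force
}

# Deploy this loader in Intune with "Run this script using the logged on credentials" = Yes,
# so the mapped drives (New-PSDrive -Persist in Map-Drives.ps1) belong to the signed-in user
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Local
exit $LASTEXITCODE
```

The trade-off of pinning a hash is that every change to Map-Drives.ps1 requires updating the loader and redeploying it through Intune; if you change the mapping script often, signing it with a code-signing certificate your devices trust and running the loader with -ExecutionPolicy AllSigned gives the same guarantee without redeploying.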
In this manual I explain step by step how to migrate your users from their personal drive to OneDrive using bulk migration in the SharePoint Migration Tool. This includes preparing the users' OneDrive, granting permissions, and setting up the SharePoint Migration Tool.
Before we begin, we need a migration station; I recommend a server dedicated to this purpose. On the migration server, make sure you install the following:
When you have accidentally locked yourself out of a virtual machine in Azure, there is no console access to log in and let yourself back into the system.
In the last year I have seen a few cases where somebody locked themselves out of a VM by misconfiguring the Windows Firewall, making it impossible to manage their virtual machine in Azure. With the Custom Script Extension it is possible to disable the Windows Firewall and regain access. Two things to keep in mind: the extension runs as SYSTEM inside the guest, so anyone with Contributor rights on the VM can run arbitrary code on it this way (treat VM Contributor as equivalent to local admin), and a VM with its firewall off is exposed to everything its network security group lets through, so re-enable the firewall as soon as you are back in.
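A less drastic version of that repair, as an added example that is not the post's own steps: the Custom Script Extension is used to re-enable only the built-in Remote Desktop firewall rules (and inbound rule processing, in case that was what got switched off) instead of disabling the whole firewall, the script output is read back from the extension status, and the extension is removed afterwards so the command is not re-run on every redeploy. Resource group, VM name and extension name are assumptions.

```powershell
# Added example: repair firewall lock-out with the Custom Script Extension, minimal change. Not the post's code.
$Rg = 'rg-prod'; $VmName = 'vm-app01'                       # assumed names
$Vm = Get-AzVM -ResourceGroupName $Rg -Name $VmName

# Runs as SYSTEM in the guest. Re-enable the RDP rules and inbound rule processing only;
# swap in 'Set-NetFirewallProfile -All -Enabled False' only if that is not enough.
$Repair = @(
    'Enable-NetFirewallRule -DisplayGroup "Remote Desktop"'
    'Set-NetFirewallProfile -All -AllowInboundRules True'
    'Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Profile | Out-String'
) -join '; '
# Base64 avoids every quoting problem between commandToExecute (cmd.exe) and PowerShell
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Repair))

Set-AzVMExtension -ResourceGroupName $Rg -VMName $VmName -Location $Vm.Location `
    -Name 'FirewallRepair' -Publisher 'Microsoft.Compute' -ExtensionType 'CustomScriptExtension' `
    -TypeHandlerVersion '1.10' `
    -Settings @{ commandToExecute = "powershell.exe -NoProfile -EncodedCommand $Encoded" }

# Read the script's output and errors back from the extension status
(Get-AzVMExtension -ResourceGroupName $Rg -VMName $VmName -Name 'FirewallRepair' -Status).SubStatuses |
    ForEach-Object Message

# Once you are back in, remove the extension so the command is not replayed on the next redeploy
Remove-AzVMExtension -ResourceGroupName $Rg -VMName $VmName -Name 'FirewallRepair' -Force
```

The same commandToExecute mechanism is what makes VM Contributor so powerful: whoever can call Set-AzVMExtension gets SYSTEM on the guest, so the activity log entry this creates is worth alerting on when it comes from an unexpected principal.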
Microsoft released Azure Lighthouse last weekend, and since this is a great feature I wanted to implement it as soon as possible. The Microsoft docs can be a bit confusing, so I wanted to simplify the manual; here it is. We will be using PowerShell, as this makes life much easier and faster.
Your admin (service provider) tenant needs to have a valid Azure subscription.
You need a native user account in the tenant you want to manage (the customer tenant) that holds the Owner role on the subscription being onboarded.
Azure PowerShell module: AZ (Install-Module -Name az)
Recently we created an Azure AD tenant that has no on-premises AD domain counterpart. Now we want to use the identities in this tenant to log in to some servers. It appears we would need to domain-join these servers, but we cannot do that without AD. The question is: how can we go on setting up these servers?
But today we are going to install a new on-premises domain. The domain name itself is not relevant for the sync with Azure AD / Office 365, but the UPN suffix of the end users is: it must match a verified domain in the tenant. So first add the UPN suffixes in the Active Directory Domains and Trusts console (right-click the root node, Properties, UPN Suffixes) and add the required domain names.