Azure Dedicated Host (now in preview)

If you still have doubts about moving to Azure because of compliance and regulatory requirements, Azure Dedicated Hosts should now take them away. Still in preview, but ready for testing. Azure Dedicated Hosts are single-tenant physical machines on which you can run your Linux and Windows virtual machines. This includes your own infrastructure, as well as your own maintenance policies for that host.

Visibility and control

Azure Dedicated Hosts provide visibility into the server infrastructure running your Azure Virtual Machines. You get more control over the following:

  • The underlying hardware infrastructure
  • Processor brand, capabilities, and more
  • Number of cores
  • Type and size of the Azure Virtual Machines you want to deploy

You can mix and match different Azure Virtual Machine sizes within the same virtual machine series on a given host.

If you have any second thoughts, it is now open in preview for testing.

Completed Azure Solutions Architect certification

For the last 2 months I’ve been working on renewing my Office 365 and Azure certifications. 4 years ago I had already passed the “old” exams: 533, 534, 345, 346 and 347. This saved me a few exams. I was able to upgrade to Azure Administrator and Messaging Administrator by passing the upgrade exams. For the Azure Solutions Architect I had to take the AZ-300 and AZ-301 exams, as an upgrade exam was only valid for those who had passed the follow-up exam of 534: 535.

So here is the final result. I will be looking into the Azure Security exam (AZ-500) in the future, as well as the Microsoft 365 Certified Enterprise Administrator Expert (MS-100 & MS-101).

Disable Windows Firewall on a virtual machine from the Azure Portal

When you have accidentally locked yourself out of a virtual machine in Azure, there is no console access to log in and help yourself back into the system.

Enabled Windows firewall

In the last year I’ve seen a few cases where somebody accidentally locked himself out of a VM by wrongly adjusting the Windows Firewall, making it impossible to manage the virtual machine in Azure. But with the Custom Script Extension it is possible to disable the Windows Firewall to gain access again!

Continue reading “Disable Windows Firewall on a virtual machine from the Azure Portal”

Office 365 Set mailbox default language

When you do large migrations, it can be convenient to change the default mailbox language settings for all your end users. By default each user has to set the default language and time zone at first login to OWA in Office 365.

With the following PowerShell command you should be able to change it within a few seconds. In this example we used the Dutch language code (1043) and W. Europe Standard Time. Change these accordingly.

Get-Mailbox | Set-MailboxRegionalConfiguration -LocalizeDefaultFolderName:$true -DateFormat dd-MM-yy -Language 1043 -TimeZone "W. Europe Standard Time"

Continue reading “Office 365 Set mailbox default language”
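
The one-liner above changes every mailbox, including users who already picked their own language at first OWA login. The following script is an added example (not from the original post) that first reports the current regional configuration, only touches user mailboxes whose language or time zone is still unset, and only applies changes when run with `-Apply`. It assumes an Exchange Online PowerShell session is already connected (for example with `Connect-ExchangeOnline`) and an account with rights to change mailbox regional settings; the `-Apply` switch and the `$report` object are part of this example, not of the Exchange cmdlets.

```powershell
# Added example, not from the original post.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
param(
    [string]$Language   = 'nl-NL',                    # culture name; LCID 1043 is the same language
    [string]$TimeZone   = 'W. Europe Standard Time',
    [string]$DateFormat = 'dd-MM-yy',                 # must be a valid format for the chosen language
    [switch]$Apply                                    # without -Apply the script only reports
)

# Only user mailboxes: nobody logs into shared or resource mailboxes through OWA.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$report = foreach ($mbx in $mailboxes) {
    $cfg = Get-MailboxRegionalConfiguration -Identity $mbx.Identity

    # A user who already chose a language at first login keeps that choice;
    # only mailboxes with no language or no time zone are candidates.
    $needsChange = (-not $cfg.Language) -or (-not $cfg.TimeZone)

    [pscustomobject]@{
        Mailbox     = $mbx.UserPrincipalName
        Language    = $cfg.Language
        TimeZone    = $cfg.TimeZone
        NeedsChange = $needsChange
    }

    if ($needsChange -and $Apply) {
        # -LocalizeDefaultFolderName also renames Inbox, Sent Items, etc. into the new language,
        # which is what the original one-liner does as well.
        Set-MailboxRegionalConfiguration -Identity $mbx.Identity `
            -Language $Language -TimeZone $TimeZone -DateFormat $DateFormat `
            -LocalizeDefaultFolderName
    }
}

# Review the table first; rerun with -Apply once the candidate list looks right.
$report | Sort-Object NeedsChange -Descending | Format-Table -AutoSize
```

Run it once without `-Apply` to see which mailboxes would change, then rerun with `-Apply`. Keeping the change limited to unset mailboxes avoids silently overriding a preference a user has already made.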

Autopilot with white glove deployment

Microsoft has released an updated Autopilot version called white glove! The traditional Autopilot process had one big disadvantage when delivering a laptop directly from the OEM to the end user: the end user had to wait while all applications, settings and policies were installed.

The original Autopilot deployment (Source: docs.microsoft.com)

With the next release the provisioning will be split. The time-consuming part can now be performed by the IT department, IT partner or even the OEM provider. This gives the end user a short and simple process before they can start using their device.

The new white glove Autopilot deployment (Source: docs.microsoft.com)

But with new features there are always new requirements. With the new white glove Autopilot it is still possible to use both the Azure AD join and the Hybrid Azure AD join scenarios. However, these are the new requirements:

  • Windows 10 version 1903 is required
  • An Intune subscription (customer)
  • Physical devices with a TPM 2.0 chip (Virtual machines are not supported!)
  • Physical devices with Ethernet connectivity (Wi-Fi is not supported)

Because the OEM or vendor performs the white glove process, it doesn’t require access to the end user’s on-premises domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario, because rebooting the device is postponed. The device is resealed before the point at which connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-premises by the end user.

Set up Office 365 ATP anti-phishing policies

We all know that phishing is going on all the time. But how do you defend your organization against these criminals who want to get your login information? The answer is simple: Office 365 Advanced Threat Protection, or ATP for short.


So let’s get started and implement anti-phishing policies. First go to https://protection.office.com/antiphishing and create a new policy.

Continue reading “Set up Office 365 ATP anti-phishing policies”

Office 365 Cloud app security

If you want to improve your security in Office 365, it is recommended to add the EM+S E3 or E5 security suite. This gives you more insight into what is happening with your users, and you can configure alerting and actions as well.

So if you have the EM+S licenses, you can go to https://portal.cloudappsecurity.com and start configuring your alerts and policies.

There are a lot of default policies, but you can create your own as well! Let me summarize the most important ones that you definitely need to look at:

Continue reading “Office 365 Cloud app security”

How to setup Azure Lighthouse (Manual)

Microsoft released Lighthouse last weekend. Since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs can be a bit confusing, so I wanted to simplify the manual. Here it is! We will be using PowerShell, as this makes life so much easier and faster.

Requirements:

  • Your admin tenant needs to have a valid Azure subscription
  • You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
  • Azure PowerShell module: Az (Install-Module -Name Az)

Continue reading “How to setup Azure Lighthouse (Manual)”

Azure Data Share in Preview

Microsoft has announced a new service: Azure Data Share, a data service for sharing data across organizations. It can be used to easily share big files and data with external organizations instead of using FTP or other data sharing services.

Azure Data Share, view of sent shares in the Azure portal

Read the Microsoft official announcement for more information:
https://azure.microsoft.com/en-us/blog/announcing-preview-of-azure-data-share/

Watch the video to learn more about Azure data share:
https://channel9.msdn.com/Shows/Azure-Friday/Share-data-simply-and-securely-using-Azure-Data-Share/player?format=ny

AD Connect Force synchronization

If you have an AD Connect server, you sometimes need a faster sync than the default 30 minutes. This can be done very easily with one PowerShell command. Open a PowerShell window and load the AD Connect Sync PowerShell module:

Import-Module ADSync

Once imported, you have 2 options. For a full sync, type the following command:

Start-ADSyncSyncCycle -PolicyType Initial

For syncing just the changes, type the following:

Start-ADSyncSyncCycle -PolicyType Delta
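
Start-ADSyncSyncCycle fails if a sync cycle is already running, and a full (Initial) sync on a large directory takes a long time, so in practice you want to look at the scheduler before firing the command. The script below is an added example (not from the original post) that wraps the two commands above: it loads the module, shows the scheduler state, waits for any running cycle to finish, starts the requested cycle and waits for it to complete. It assumes it runs on the Azure AD Connect server itself with the ADSync module installed; the `$PolicyType` and `$TimeoutSeconds` parameters are part of this example, not of the module.

```powershell
# Added example, not from the original post.
# Assumes it runs on the Azure AD Connect server with the ADSync module installed.
param(
    [ValidateSet('Delta', 'Initial')]
    [string]$PolicyType = 'Delta',     # Delta = changes only, Initial = full sync
    [int]$TimeoutSeconds = 600         # how long to wait for a running cycle
)

Import-Module ADSync -ErrorAction Stop

function Wait-ForIdleScheduler {
    param([int]$Timeout)
    # Start-ADSyncSyncCycle throws when a cycle is already in progress, so poll until idle.
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle is still in progress after $Timeout seconds."
        }
        Start-Sleep -Seconds 10
    }
}

$scheduler = Get-ADSyncScheduler
Write-Host ("Scheduler enabled: {0}; effective interval: {1}; next scheduled run (UTC): {2}" -f
    $scheduler.SyncCycleEnabled,
    $scheduler.CurrentlyEffectiveSyncCycleInterval,
    $scheduler.NextSyncCycleStartTimeInUTC)

if (-not $scheduler.SyncCycleEnabled) {
    # A manual cycle still runs when the scheduler is disabled, but scheduled syncs will not,
    # so it is worth knowing that before assuming changes arrive every 30 minutes.
    Write-Warning 'The sync scheduler is disabled; only this manual cycle will run.'
}

Wait-ForIdleScheduler -Timeout $TimeoutSeconds

Write-Host "Starting $PolicyType sync cycle..."
Start-ADSyncSyncCycle -PolicyType $PolicyType

# Give the scheduler a moment to flag the cycle, then wait for it to finish
# so the caller knows the changes have actually been exported.
Start-Sleep -Seconds 5
Wait-ForIdleScheduler -Timeout $TimeoutSeconds
Write-Host "$PolicyType sync cycle finished."
```

Use the default (`Delta`) for the everyday case of pushing a password or group change; pass `-PolicyType Initial` only when a full re-import is really needed, since it re-reads every object from both directories.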

Security & Ethical Hacking hands-on labs

Today I have given a hands-on lab with Erik Loef on security and ethical hacking. We had created 5 different labs for the 21 participants to teach them more about security. This way we allowed them to think as a hacker, find out weaknesses in the system, and learn how to take measures against hackers. We created the following 5 labs:

  • Wi-Fi hacking (retrieve login details from end users by using a rogue access point)
  • Create your own virus
  • Exploit a backdoor in Windows
  • Hack a webserver
  • From user to domain admin in 15 minutes

All sessions were created to teach about security. With Azure and Office 365 we do our utmost best to secure your environment. I hope to give you more information in the near future on how to improve security in Azure and Office 365.

Go Azure AD joined with on-prem DC and fileserver!

Wouldn’t it be cool to migrate all your laptops and desktops to Azure AD, but still keep your on-premises file server for the people who can’t say goodbye to their network drives?

Now it is possible! Out of the box, Azure supports Azure AD joined devices authenticating with Kerberos credentials to their on-premises domain-joined counterparts, including the good old file and print server!

Requirements

To be able to set this up, you will still need a traditional domain controller with a file/print server. On top of that you will need to synchronize the identities to Azure AD. Make sure that you enable password sync, and then start joining the devices to Azure AD.

One other important thing: your device needs to run Windows 10 1607 or higher! Older versions of Windows 10 do not support this Kerberos authentication.

If you now want to map a network drive with the existing NTFS permissions, just map the drive and start using it like you did before!

Let’s go password less, because passwords are bad! Part 2

Last week we talked about why passwords are bad. Today we will continue with part 2, how to get the passwords gone, and we will zoom in on Windows Hello for Business!


So what is Windows Hello? Windows Hello is a modern way of authenticating users on their laptop using two-factor authentication. The first factor is the integrated TPM chip in the device, and the second factor is the user’s biometric.

By combining the TPM chip with the end user’s biometric data we eliminate the need for a password on the user’s device. Of course the user can still use his password to unlock the device in case biometric verification fails for whatever reason.

If you have an on-premises domain with Windows Hello for Business enabled, it is also possible to enable the convenience PIN; however, I wouldn’t recommend it, as Microsoft has disabled this in Azure AD as well. In short:

  • Windows Hello for Business is: an asymmetric key pair protected and stored in the TPM, unlocked with a PIN or biometric authentication

Continue reading “Let’s go password less, because passwords are bad! Part 2”

Let’s go password less, because passwords are bad! Part 1

Quite a statement: passwords are bad? Today I’d like to explain why you should work on better security by using other authentication methods than just a single password.


Why passwords are bad

Passwords are problematic; very often you see passwords fall into the hands of unpleasant people. Here are a few things that might happen with a password:

Continue reading “Let’s go password less, because passwords are bad! Part 1”

Use PRTG to monitor Azure Backup status

Recently I received the question whether it is possible to monitor Azure Backup with PRTG. Now this might seem a bit weird, as we could use Azure monitoring. But in this case it was a service provider that needed a single solution for all their services, including custom dashboards and monitoring.

So, challenge accepted, let’s get this done! In this case the customer has an Azure Recovery Services vault with 2 virtual machines, a backup schedule of once every 24 hours and a retention of 30 days.

Our goal will be to have 3 sensors in PRTG: completed jobs, failed jobs and running jobs. If you follow the next steps you should be able to set this up yourself as well.

Continue reading “Use PRTG to monitor Azure Backup status”

Azure File Sync Agent v7 Released


Microsoft is working hard on improving Azure File Sync. They just announced the new release of the v7 agent. For now only currently installed agents get the update. Once all current clients have been updated, the update will be available on Microsoft Update and the Microsoft Download Center.

Improvements and issues that are fixed

  • Support for larger file share sizes
    • With the preview of larger, 100 TiB Azure file shares, we are increasing the support limits for file sync as well. In this first step, Azure File Sync now supports up to 50 million files in a single, syncing namespace. Other existing limits, for example the number of items per directory level, still apply.
  • Improved Azure Backup file-level restore
    • Individual files restored using Azure Backup are now detected and synced to the server endpoint faster.
  • Improved cloud tiering recall cmdlet reliability
    • The cloud tiering recall cmdlet (Invoke-StorageSyncFileRecall) now supports per file retry count and retry delay, similar to robocopy.
  • Support for TLS 1.2 only (TLS 1.0 and 1.1 disabled)
    • Azure File Sync now supports using TLS 1.2 only on servers which have TLS 1.0 and 1.1 disabled. Prior to this improvement, server registration would fail if TLS 1.0 and 1.1 were disabled on the server.
  • Miscellaneous performance and reliability improvements for sync and cloud tiering
    • There are several reliability and performance improvements in this release. Some of them are targeted to make cloud tiering more efficient and Azure File Sync as a whole work better in those situations when you have a bandwidth throttling schedule set.