Create a drive mapping using Intune on Azure AD joined devices (Manual)

With the transition to Azure AD, you might want to connect your AAD joined devices to the traditional file server as explained in this article: Go Azure AD Joined with on-prem DC and fileserver The next step is to map some network drives with Intune!

Step 1: The first step is to create a PowerShell script that will do the actual drive mappings. This script will be placed on a Azure Blob storage (or your internal domain) where you will be able to manage and maintain the script. This script will be run using a second script that we will deploy with Intune. For your convenience I’ve already prepared the script:

Continue reading “Create a drive mapping using Intune on Azure AD joined devices (Manual)”

New Azure region: Switzerland

Microsoft has announced the availability of the new Azure data-centers in Switzerland. With 2 data-centers in Switzerland, Zurich and Geneva, Azure has created a full region (West and North)

Microsoft worked together with several Swiss companies as early adopters to improve cloud adoption in Switzerland. As this region is fairly new it might take some time before all Azure and Office 365 services are available.

If you would like to start deploying resources in Azure, it might be that you don’t have access yet. During the initiation phase it is required to request access before you can start utilizing resources in Switzerland. Request access to Azure Switzerland

Tom Keane, Corporate Vice President, Microsoft Azure:

Today, we’re announcing the availability of Azure from our new cloud regions in Switzerland. These new regions and our ongoing global expansion are in response to customer demand as more industry leaders choose Microsoft’s cloud services to further their digital transformations. As we enter new markets, we work to address scenarios where data residency is of critical importance, especially for highly regulated industries seeking the compliance standards and extensive security offered by Azure.

Bulk migrate to OneDrive from personal drive with SharePoint Migration Tool (Manual)

In this manual I will explain step by step how to migrate your users from their personal drive to OneDrive using bulk migration in SharePoint Migration tool. This includes preparing the users OneDrive, granting permissions, and setup SharePoint Migration tool.

Image

Prerequisites

Before we begin, we will need a migration station, I would recommend to use a server designed for this purpose. On the migration server make sure you install the following:

Continue reading “Bulk migrate to OneDrive from personal drive with SharePoint Migration Tool (Manual)”

How to use SharePoint Migration Tool

Last few weeks I’ve been busy with migrating file servers to SharePoint and OneDrive. For this I’ve used the SharePoint Migration tool from Microsoft. Download: Link
With just a few easy steps you are able to migrate your data to SharePoint or OneDrive.

In this manual we will focus on SharePoint only, I will create a OneDrive Manual later on including CSV instruction to perform bulk migrations.

Continue reading “How to use SharePoint Migration Tool”

Azure Ultra Disk performance storage now available!

For very high demanding workloads, storage wise, Azure has released Ultra Disk performance tier for production use. I’ve already written about it in a previous post ( Slow IOPS in Azure VM’s? not anymore!) But now is the time to take a deeper look.

Which disk types do we have in Azure?

In the following table you can see what the difference is between all disk types in Azure. This table should help you to decide which disk to use for specific workloads.

Standard HDDStandard SSDPremium SSDUltra SSD
ScenarioBackup, Fileserver,
non-critical,
infrequent access
Webservers,
lightly used
applications and
dev/test systems
Production and
performance
workloads
IO intensive
workloads.
(SQL/Oracle/
SAP HANA)
Max disk
size
32TB32TB32TB64TB
Max
Throughput
500MiB/s750MiB/s900MiB/s2.000MiB/s
Latency8 > ms< 9 ms1 – 4 ms<1 ms
Max
IOPS
2.0006.00020.000160.000
Continue reading “Azure Ultra Disk performance storage now available!”

Azure SQL configure Azure AD user authentication (Manual)

When moving your applications to the cloud, it makes sense to start using Azure Services to get the best service, highest availability (SLA) and worry free maintenance provided by Azure. The next step is to use Azure AD identities with Azure SQL Database.

Schematic overview of Azure SQL with AAD integration, and optionally synced from on-premise AD.

Within a few steps you will have Azure AD user authentication setup.

Continue reading “Azure SQL configure Azure AD user authentication (Manual)”

Azure SQL, create users and assign permissions (Manual)

This simple manual has been created to create an user in Azure SQL and assign appropriate permissions. First connect to your SQL server. Either use and AAD admin account or the SQL Admin account.

Once connected, open a New Query window and run the following command on the Master database to create the user on the server in the Master database:

 CREATE LOGIN '<Username>' WITH password='<strong-password>';

Now open again a New Query window, and select the database where you want to provision permissions to the just created user. Make sure to match the Username from the command above.

CREATE USER "<Username>";

The last step is to assign the desired role to the user. Change the value of the role, and match again the Username.

EXEC sp_addrolemember 'db_datawriter', '<Username';

This should do the trick. Let me know if you have any problems or need help.

Deploy Azure Application Gateway with http to https redirect

Azure Application Gateway is an advance type of load-balancer. Where an Azure Load-balancer routes traffic on the transport layer (OSI Layer 4 | TCP + UDP) the Application Gateway is a way more advanced load-balancer. It can route based on URL as well on path’s. On top of that it can do much more, like SSL offloading, autoscaling, redirection, multiple site hosting and the most import of all, it can include a web application firewall (WAF)

Afbeeldingsresultaat voor azure application gateway

With all the features that the Azure application gateway provides, we should be able to setup multiple websites listening on different ports and url’s behind one Azure Application Gateway with just one external IP address.

With this guide you should be able to setup an application gateway with multiple site hostname match and http to https redirect. In this manual we will be using Atlassian Jira and Confluence as an example.

So what are we going to setup:

  • Deploy Azure application gateway
  • Configure 2 external URL’s (jira.2azure.nl and confluence.2azure.nl)
  • We will redirect port 80 to 443 for both websites
  • Jira will be listening on port 8080 internally (Default port)
  • Confluence will be listening on port 8090 internally (Default port)

For this guide the VNET, subnets and the virtual machine hosting both websites have already been deployed. During this guide we will not deploy a Web Application Firewall, I will tell more about that in upcoming blog article.

The setup in an overview.
Continue reading “Deploy Azure Application Gateway with http to https redirect”

Masterclass: Azure Basics

Tonight I was honored to give a masterclass in Azure Basics. By going over the Azure Basics using lab exercises everybody learned how to:

  • Manage Azure subscriptions and resources
  • Configure and manage virtual networks
  • Manage identities 
  • Deploy and manage virtual machines (VMs) 
  • Implement and manage storage

Special thanks to Proxsys for hosting the Masterclass!



How to get the license key for SQL Server Reporting Services in Azure

Last week I received the question from a customer where to get the SQL license key… By default you will see the key during SQL installation, but with an Azure deployed SQL virtual machine you will never get to see the key, as its deployed from the Azure Portal.

Afbeeldingsresultaat voor sql installation wizard license key

Retreive the key from DefaultSetup.ini

So within a few clicks you will be able to retreive the key.

Continue reading “How to get the license key for SQL Server Reporting Services in Azure”

Azure Dedicated Host (now in preview)

If you still have doubts about moving to Azure because of compliance and regulatory requirements, they will now be gone with Azure Dedicated hosts. Still in preview but ready for testing. Azure dedicated hosts are physical machines that are single-tenant configured where you can run your Linux and Windows virtual machines. This includes your own infrastructure, as well as your own maintenance policies for that host.

Visibility and control

Azure Dedicated Hosts provide visibility over the server infrastructure running your Azure Virtual Machines. You get more control over the following:

  • The underlying hardware infrastructure
  • Processor brand, capabilities, and more 
  • Number of cores
  • Type and size of the Azure Virtual Machines you want to deploy

You can mix and match different Azure Virtual Machine sizes within the same virtual machine series on a given host.

If you have any second thoughts, it is now open in preview for testing.

Completed Azure Solutions Architect certification

Last 2 months I’ve been working on renewing my Office 365 and Azure certifications. 4 years ago I already passed the “old” exams: 533, 534, 345, 346 and 347. This saved me a few exams. I was able to upgrade to Azure Administrator and Messaging administrator by passing the upgrade exams. For the Azure Solutions Architect I had to take the AZ-300 and AZ-301 exam as an upgrade exam was only valid for those who have passed the follow up exam of 534: 535.

So here is the final result, I will be looking into the Azure Security exam in the future (AZ-500) as well as the Microsoft 365 Certified Enterprise Administrator Expert (MS100 & MS101)

Disable Windows Firewall on a virtual machine from the Azure Portal

When you accidentally locked your self out from a Virtual Machine in Azure, there is no console access to login and help your self back in to the system.

Enabled Windows firewall

In the last year I’ve seen a few cases where somebody accidentally locked himself out of a VM by wrongly adjusting the Windows Firewall, making it impossible to manage their virtual machine in Azure. But with Custom script extension it is possible to disable the Windows Firewall to gain access again!

Continue reading “Disable Windows Firewall on a virtual machine from the Azure Portal”

Office 365 Set mailbox default language

When you do large migrations, it might be convenient to change the default mailbox language settings for all your end users. By default each user needs to set the default language and time zone at first login to OWA in Office 365.

With the following PowerShell Script you should be able to change it within a few seconds. In this script we used the Dutch language code and Western European Standard time. Change it accordingly.

get-mailbox | Set-MailboxRegionalConfiguration -LocalizeDefaultFolderName: $true -DateFormat dd-MM-yy -Language 1043 -TimeZone "W. Europe Standard Time"
Continue reading “Office 365 Set mailbox default language”

Autopilot with white glove deployment

Microsoft has released an updated autopilot version called white glove! With the traditional autopilot version there was one big disadvantage on delivering a laptop directly from the OEM to the end user, and that was the waiting time for the end user to complete the installation of all applications, settings and policies.

OEM
The original Autopilot deployment (Source: docs.microsoft.com)

With the next release the provisioning will be split. The time consuming part can now be performed by the IT department, IT Partner or even the OEM provider. Giving the end user a short and simple process before they can start using their device.

OEM
The new white glove Autopilot deployment (Source: docs.microsoft.com)

But with new features there are always new requirements. With the new white glove autopilot it is still possible to use both the Azure AD join and the Hybrid Azure AD join scenarios. However these are the new requirements:

  • Windows 10 version 1903 is required
  • An Intune subscription (customer)
  • Physical devices with a TPM 2.0 chip (Virtual machines are not supported!)
  • Physical devices with Ethernet connectivity, Wi-fi is not supported.

Because the OEM or vendor performs the white glove process, this doesn’t require access to an end-user’s on-premise domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-premise by the end-user.

Set up Office 365 ATP anti-phishing policies

We all know that phishing is going on all the time. But how to defend your organization against these criminals that want to get your login information! The answer is simple, Office 365 Advanced Threat Protection, or short: ATP.

Image result for office 365 atp

So lets get started and start implementing anti-phishing policies. First go to https://protection.office.com/antiphishing and create a new policy.

Continue reading “Set up Office 365 ATP anti-phishing policies”

Office 365 Cloud app security

If you want to improve your security in Office 365 it is recommended to add the EM+S E3 or E5 security suits. This gives you more information about what is happening with your users, but you can configure alerting and actions as well.

So if you have the EM+S licenses, you can go to https://portal.cloudappsecurity.com and start configuring your alerts and policies.

By default there are a lot of default policies, but you can create your own as well! Let me summarize the most important ones that you definitely need to look at:

Continue reading “Office 365 Cloud app security”

How to setup Azure Lighthouse (Manual)

Microsoft released Lighthouse last weekend, and since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs might be a bit confusing, so I wanted to simplify the manual, so here it is! We will be using PowerShell, as this makes life so much easier, and faster.

Requirements:

  • Your admin tenant needs to have a valid Azure subscription
  • You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
  • Azure PowerShell module: AZ (Install-Module -Name az)
Continue reading “How to setup Azure Lighthouse (Manual)”