When you migrate to Azure SQL, you might think that Azure does all SQL maintenance, including the maintenance of your database… But the truth is, you will need to setup some maintenance yourself for your databases. Microsoft doesn’t know what is best for your application or database. With this manual you should be able to setup basic database maintenance on Azure SQL.
With the move to the cloud there might be a time where you would like to remove the Active Directory link (AD Connect) and go for a cloud only strategy. With a few simple steps you can disconnect the AD connect sync from Azure AD.
When you look in your Office 365 environment you will notice that the sync status has different symbols. One for cloud only, and one for Active Directory. To disable the link, open a PowerShell window and run the following steps.
STEP 1: First make sure that you disable the AD Connect sync service by disabling the service, or set it to staging mode.
STEP 2: Connect to your Microsoft Office 365 environment using the following command, and login to the desired environment:
STEP 3: Now run the following command to disable the sync, confirm your actions, you cannot undo this change!
Multi Factor Authentication (MFA) is an added security feature from Azure which I believe that should be enabled by default for everybody in Office 365 and Azure. There for this manual how to enforce (Azure) MFA for all users using Azure Multi Factor Authentication
MFA can prevent unauthorized access in case of the following events:
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-ins from unfamiliar locations
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activities
Using Conditional access we can ensure that your users and company data is safe. Important to know is that Office 365 MFA is free of charge, and if you have Azure AD applications an Azure AD Premium license is required.
If you want to mark your locations as trusted location, you can do that if you have a static public IP. So the first steps are there to define your office locations.
With an increased security and privacy in mind Microsoft has been working on private links to Azure resources. Azure Private Link is a secure way to consume Azure Services like Azure SQL and Azure Storage using a private connection in your own VNet. This will replace the need for IaaS hosted virtual machines with SQL Server or the file server role installed.
Azure Private Link brings Azure services inside the customer’s private VNet. The service resources can be accessed using the private IP address just like any other resource in the VNet. It is basically an NIC inside one of your VNET’s. This will allow all traffic to flow over the internal network, and will not go over the internet. There is no need to put gateways or any other network devices in place to make this happen.
With the transition to Azure AD, you might want to connect your AAD joined devices to the traditional file server as explained in this article: Go Azure AD Joined with on-prem DC and fileserver The next step is to map some network drives with Intune!
Step 1: The first step is to create a PowerShell script that will do the actual drive mappings. This script will be placed on a Azure Blob storage (or your internal domain) where you will be able to manage and maintain the script. This script will be run using a second script that we will deploy with Intune. For your convenience I’ve already prepared the script:
Microsoft has announced the availability of the new Azure data-centers in Switzerland. With 2 data-centers in Switzerland, Zurich and Geneva, Azure has created a full region (West and North)
Microsoft worked together with several Swiss companies as early adopters to improve cloud adoption in Switzerland. As this region is fairly new it might take some time before all Azure and Office 365 services are available.
If you would like to start deploying resources in Azure, it might be that you don’t have access yet. During the initiation phase it is required to request access before you can start utilizing resources in Switzerland. Request access to Azure Switzerland
Tom Keane, Corporate Vice President, Microsoft Azure:
Today, we’re announcing the availability of Azure from our new cloud regions in Switzerland. These new regions and our ongoing global expansion are in response to customer demand as more industry leaders choose Microsoft’s cloud services to further their digital transformations. As we enter new markets, we work to address scenarios where data residency is of critical importance, especially for highly regulated industries seeking the compliance standards and extensive security offered by Azure.
Azure Application Gateway is an advance type of load-balancer. Where an Azure Load-balancer routes traffic on the transport layer (OSI Layer 4 | TCP + UDP) the Application Gateway is a way more advanced load-balancer. It can route based on URL as well on path’s. On top of that it can do much more, like SSL offloading, autoscaling, redirection, multiple site hosting and the most import of all, it can include a web application firewall (WAF)
With all the features that the Azure application gateway provides, we should be able to setup multiple websites listening on different ports and url’s behind one Azure Application Gateway with just one external IP address.
With this guide you should be able to setup an application gateway with multiple site hostname match and http to https redirect. In this manual we will be using Atlassian Jira and Confluence as an example.
So what are we going to setup:
Deploy Azure application gateway
Configure 2 external URL’s (jira.2azure.nl and confluence.2azure.nl)
We will redirect port 80 to 443 for both websites
Jira will be listening on port 8080 internally (Default port)
Confluence will be listening on port 8090 internally (Default port)
For this guide the VNET, subnets and the virtual machine hosting both websites have already been deployed. During this guide we will not deploy a Web Application Firewall, I will tell more about that in upcoming blog article.
Last week I received the question from a customer where to get the SQL license key… By default you will see the key during SQL installation, but with an Azure deployed SQL virtual machine you will never get to see the key, as its deployed from the Azure Portal.
Retreive the key from DefaultSetup.ini
So within a few clicks you will be able to retreive the key.
When you accidentally locked your self out from a Virtual Machine in Azure, there is no console access to login and help your self back in to the system.
In the last year I’ve seen a few cases where somebody accidentally locked himself out of a VM by wrongly adjusting the Windows Firewall, making it impossible to manage their virtual machine in Azure. But with Custom script extension it is possible to disable the Windows Firewall to gain access again!
Did you ever wonder what’s new in Azure, or what is updated recently? Azure keeps all its updates to Azure in a cool overview, the Azure Heatmap! Check it out using the following url: https://azureheatmap.azurewebsites.net/
Microsoft is working hard on improving Azure File sync. They just announced the new release of the v7 agent. For now only current installed agents get the update. Once all current clients have been updated, the update will be available on Microsoft Update and Microsoft Download Center
Improvements and issues that are fixed
Support for larger file share sizes
With the preview of larger, 100 TiB Azure file shares, we are increasing the support limits for file sync as well. In this first step, Azure File Sync now supports up to 50 million files in a single, syncing namespace. Other existing limits, for example the number of items per directory level, still apply.
Improved Azure Backup file-level restore
Individual files restored using Azure Backup are now detected and synced to the server endpoint faster.
Improved cloud tiering recall cmdlet reliability
The cloud tiering recall cmdlet (Invoke-StorageSyncFileRecall) now supports per file retry count and retry delay, similar to robocopy.
Support for TLS 1.2 only (TLS 1.0 and 1.1 is disabled)
Azure File Sync now supports using TLS 1.2 only on servers which have TLS 1.0 and 1.1 disabled. Prior to this improvement, server registration would fail if TLS 1.0 and 1.1 was disabled on the server.
Miscellaneous performance and reliability improvements for sync and cloud tiering
There are several reliability and performance improvements in this release. Some of them are targeted to make cloud tiering more efficient and Azure File Sync as a whole work better in those situations when you have a bandwidth throttling schedule set.
Today Microsoft has announced Azure Bastion. With this new service you will get improved security features and simplified IT managemend with a single click from your webbrowser using the HTML5 web client. This will eliminate the need for a jump server. I am looking forward in using this service in preview and GA.
You still have your old network drives? Still need to setup a VPN to access your file shares? Or have you migrated all your files to Azure file share but you need a higher performance for your Autocad files?
Wait no longer, Azure File Sync to the rescue! Where you would have your Azure File Share for sharing files, you can use Azure File Sync to make a local cache of your Azure files, or sync your local file server to Azure Files. In this manual we will help you setup Azure File Sync with a existing Azure File Share. I already have a Azure File Share, mapped as a network drive Z:
Recently we created an AAD tenant that has no on-premises AD domain counterpart. Now we are facing an issue where we want to be able to use the identities in this tenant to log into some servers. It would appear that we would need to domain join these servers, but we can’t do this without AD. The question is, how can we continue to setup these servers?
But today we are going to install a new domain on-premise. The domain name isn’t relevant for the sync with Azure AD / Office 365. But the UPN for the end users is important! So first we can add the UPN domains by going to the Domain and Trusts console. Add the required domain names.
Within Azure there are multiple ways to setup MFA. Where you would install MFA server in the past, there is a new extension. Microsoft is going to leave the MFA server behind in the near future (security updates will remain being published for now).
Besides the NPS extension and the MFA on-premise server the best practice is to run MFA from the Azure cloud where possible. But that isn’t always an option. So let’s move on to the NPS extension. Lets start with the requirements.
Requirements: – Server 2016/2019 with ADFS version 4 – Server 2016/2019 hosting NPS services which performs Radius authentication. – Users must be synchronized between local Active directory and Azure Active Directory – Azure AD Premium or EM+S license must be assigned to the user – NPS Extension for Azure MFA (Download link: https://aka.ms/npsmfa)
Recently I received an comparison from Azure with competitors. In the comparison there was stated that by default Azure provides an SLA of 99.95%. However, this is not entirely correct. By default a single basic virtual machine has no SLA at all!
I hear you thinking, what??? let me explain what the options are. First we need to know a bit more of the setup in Azure. For this explanation I will use West & North Europe. These regions do have Availability zones, but this might not always be the case. In the picture below you can review the Azure regions with their options.
So lets zoom in a bit further. In the picture below we have our 2 regions (West & North Europe). Within Region 1 we have 3 separated buildings, creating 3 availability zones.
Monitoring is het allerbelangrijkste wat er is. Dit is het fundamenteel punt in de hele keten, al dan niet het belangrijkste punt. Wat is er nu uiteindelijk belangrijk als je gaat monitoren? Bekijk alles vanuit de eindgebruiker, houd dat altijd als start punt! Uiteindelijk draait het niet om een SPN record wat ontbreekt, maar of een gebruiker nu wel of niet kan werken.
Met Azure Monitoring kan je heel veel componenten in de
gaten houden. Maar waar het uiteindelijk om draait is hoe en wat je opneemt.
Als je heel veel opneemt betekend het dat je dat allemaal in de gaten moet
houden. Dit genereerd ook heel veel meldingen waardoor je een overvloed aan
meldingen krijgt en de relevantie niet goed kan bepalen met als gevolg dat er
uiteindelijk niet gemonitord wordt.
Daarom is het cruciaal om alleen de componenten op te nemen die er toe doen, hou
het klein, schoon en doe het doordacht.