Jump to content

proximagr

Moderators
 View Profile  See their activity

  • Posts

    2468

  • Joined

  • Last visited

  • Days Won

    12

 Content Type 

Blog Entries posted by proximagr

  1. proximagr
    <p>Azure blob storage is billed based to how much data you use. So you can have an 1023 GB disk but if you use only 20 GB you will be billed for 20 GB. But, <img src="https://s.w.org/images/core/emoji/72x72/1f642.png"alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> , if you write more data, lets say 50 GB and then you erase them, the free space will not automatically be released.</p>
    <p>sandrinodimattia, https://github.com/sandrinodimattia, released an app that allows to check the actual size of a VHD on Azure. It works on both ASM and ARM.</p>
    <p>You can download the executable at: https://github.com/sandrinodimattia/WindowsAzure-VhdSize/releases</p>
    <p>The command is:</p>
    <p>wazvhdsize.exe “storageaccountname” “storageaccountaccesskey==” containername</p>
    <p> </p>
    <p>Source: https://github.com/sandrinodimattia/WindowsAzure-VhdSize</p>
    <p><a class="a2a_button_email" href="http://www.addtoany.com/add_to/email?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fcalculate-azure-vhd-actualbilling-size%2F&linkname=Calculate%20Azure%20VHD%20actual%2Fbilling%20size"title="Email" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/email.png" width="16" height="16" alt="Email"/></a><a class="a2a_button_print" href="http://www.addtoany.com/add_to/print?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fcalculate-azure-vhd-actualbilling-size%2F&linkname=Calculate%20Azure%20VHD%20actual%2Fbilling%20size" title="Print" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/print.png" width="16" height="16" alt="Print"/></a><a class="a2a_dd a2a_target addtoany_share_save" href="https://www.addtoany.com/share#url=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fcalculate-azure-vhd-actualbilling-size%2F&title=Calculate%20Azure%20VHD%20actual%2Fbilling%20size" id="wpa2a_4"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></p><p>The post <a rel="nofollow" href="http://www.e-apostolidis.gr/microsoft/azure/calculate-azure-vhd-actualbilling-size/">Calculate Azure VHD actual/billing size</a> appeared first on <a rel="nofollow" href="http://www.e-apostolidis.gr">Proxima's IT Corner</a>.</p>


    <a href="http://www.e-apostolidis.gr/microsoft/azure/calculate-azure-vhd-actualbilling-size/"class='bbc_url' rel='nofollow external'>Source</a>
  2. proximagr
    Use Azure Security Center to protect your workloads
    At this series of posts we will make a walk along the Azure Security Center, to see some common usage scenarios. Like how we can use it to protect from a Virtual Machine to a whole Data Center.
    To make it easier to understand we will start with a typical Azure IaaS scenario. A Virtual Machine with IIS role to act as Web Server. The steps to create the VM is out this post’s scope. I will simply describe the process. First we create a Windows Server 2016 Virtual Machine. Second we log in and add the Web Server (IIS) role. Third we open the port 80 at the VM’s Network Security Group (NSG) and voila we can browse at the Azure DNS name of the VM and see the IIS default landing page.

    At this point the security of the Web Server is relying on the Network Security Rule, a layer 3 firewall that allows access to the port 80 and of course the Windows Firewall that does exactly the same.
    Lets browse to the Azure Security Center from the Azure Portal. There we see an overview of security settings for the whole subscription.

    First, click the “Compute”. I will skip the overview and go directly to the “VMs and computers” tab. There we see the name of the VM and the five points of interest. Our VM is not monitored, it doesn’t have endpoint protection and it reports some vulnerabilities.
    Recommendation: Enable data collection for subscriptions
    To start resolving the issues click the VM to go to the Recommendations blade. The first recommendation says to enable data collection for the subscription. Of course this is the Log Analytics, OMS (Operations Management Suite) integration. This will enable the subscription resources to report to log analytics.

    Press the “Enable data collection for subscription”. The Data Collection blade will open. There we can enable or disable the automatic provision of the monitoring agent. This is the Microsoft Monitoring Agent that connects a Virtual Machine to Log Analytics and also we can use it for connecting to SCOM.

    The second option is to chose a workspace. IF you have already created an OMS workspace you can choose it. If not let it create a new one automatically. Finally press save.
    Returning to the previous blade you will see that the “Turn on data collection” recommendation, is now in Resolved state.

    Although this recommendation is resolved instantly, the Microsoft Monitoring Agent is not yet installed. Go back to the Compute / Data collection installation status to see the agent installation status.

    Stay tuned for the next Azure Security Center post to resolve more recommendations.
  3. proximagr
    Azure Web Application Firewall (WAF) is a function of the Azure Application Gateway that detects and prevents exploits and attacks to a web application. Using a WAF we add an additional security layer in front of our application. To have a sneak peak at the most common web application attacks, take a look at the OWASP Top 10 Most Critical Web Application Security Risks .
    At my previous posts we have seen how to Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. At this post I want to share some tips on how to configure the Azure Web Application Firewall.
    The Azure Web Application Firewall, like all WAFs, needs a period of detection “the training period”, in order to gather logs about what is logged as blocked so to configure it accordingly before turning the WAF to Prevention mode. The Azure Web Application Firewall uses OWASP ModSecurity Core Rule Set (CRS). You can select version 2.2.9 or version 3.0 of the OWASP ModSecurity Core Rule Set. These rules include protection against attacks such as SQL injection, cross-site scripting attacks, and session hijacks.
    The configuration of the Azure Web Application Firewall has two parts. One part is the OWASP rules custom configuration, where we can check / uncheck the OWASP rules that the WAF will use to analyse the requests:
    and the second part is the Exclusions and the Request Size Limits:
    Let’s see how we can find out what to exclude and what to customize. Once you setup the Azure Application Gateway and Publish your web application turn of the Firewall in Detection mode. Enable the Diagnostic Logs and send the logs to Log Analytics and start using the we application. I have covered all those steps at my previous posts, Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. To make it more fun you can actually attack your application using sample attacks, like SQL Injection samples from this link: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)and Cross-site Scripting (XSS) from this link: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Both links are from OWASP for testing.
    After a while run the query to check the Azure Web Application Firewall logs:
     



    1



    AzureDiagnostics | where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall" | where TimeGenerated &gt; ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s
    You will get the below results:
    At the Message part of the Log you will see the kind of attack that the WAF has detected.
    At the ruleId_s you can find the OWASP rule ID. With this information you can search the Rule ID at the Advanced rule configuration and uncheck the specific rule. Of course every rule you uncheck you open a security hole. So I recommend to first check if you can alter your application to comply with the rule and only if this is not possible to drop the rule.
    At the details_message_s column also you can find the matched pattern and configure the Exclusions
    Finally you can configure the request size limits according to your application
    Once you finalize your Azure Application Firewall configuration and you no longer have “Blocked” messages change it to “Prevention” mode to start protecting your web application.
    Reference:
    WAF Overview: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
    WAF Configuration: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-waf-configuration
    OWASP ModSecurity Core Rule Set (CRS): https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  4. proximagr
    <p style="text-align: justify;">ExpressRoute is a Microsoft Azure service that provides a private connection between an organization’s on-premises infrastructure and Microsoft Cloud services, such as Microsoft Azure, Office 365, and Dynamics 365.</p>
    <p style="text-align: justify;">Microsoft Azure ExpressRoute was general available back on 2014. To connect to Azure ExpressRoute you need a direct line with an ExpressRoute provider. Now Microsoft announced that Microsoft cloud services can be accessed with Azure ExpressRoute using satellite connectivity, breaking the direct line barriers, making it feasible to connect your data center directly to Microsoft Azure from all around the globe!</p>
    <p style="text-align: justify;"><img src="https://azurecomcdn.azureedge.net/mediahandler/acomblog/media/Default/blog/6fc8736b-b6e9-4959-8692-c602e9d931e4.png"alt="Infographic of High level architecture of ExpressRoute and satellite integration" /></p>
    <p><span style="font-size: 10px;">image from <a href="https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/">https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/</a></span></p>
    <p id="JXlaLtf" style="text-align: justify;">Azure ExpressRoute Satellite connectivity is currently provided by three Microsoft partners, Intelsat, SES, and Viasat. Microsoft expands its already large connectivity, adding Satellite connectivity options at the 54 Regions worldwide making <a href="https://azure.microsoft.com/en-us/global-infrastructure/global-network/">Microsoft’sglobal network</a> one of the largest in the world.</p>
    <p style="text-align: justify;">Source:</p>
    <p style="text-align: justify;"><a href="https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction">https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction</a></p>
    <p style="text-align: justify;"><a href="https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/">https://azure.microsoft.com/en-us/blog/satellite-connectivity-expands-reach-of-azure-expressroute-across-the-globe/</a></p>
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-expressroute-adds-satellite-connectivity%2F&linkname=Azure%20ExpressRoute%20adds%20Satellite%20connectivity"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-expressroute-adds-satellite-connectivity%2F&linkname=Azure%20ExpressRoute%20adds%20Satellite%20connectivity" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-expressroute-adds-satellite-connectivity%2F&title=Azure%20ExpressRoute%20adds%20Satellite%20connectivity" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/azure-expressroute-adds-satellite-connectivity/" data-a2a-title="Azure ExpressRoute adds Satellite connectivity"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-expressroute-adds-satellite-connectivity/">Azure ExpressRoute adds Satellite connectivity</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-expressroute-adds-satellite-connectivity/"class='bbc_url' rel='nofollow external'>Source</a>
  5. proximagr
    <h1 style="text-align: left;">Azure Policy | Enforce tags for resource creation</h1>
    <h2 style="text-align: justify;">Azure Governance</h2>
    <p style="text-align: justify;">After the previous post about <a href="https://www.e-apostolidis.gr/microsoft/azure-policy-limit-the-azure-vm-sizes/"target="_blank" rel="noopener noreferrer">how to use Azure Policy to limit the Azure VM sizes</a>, I continue the series of posts about Azure Governance with a video guide on how to enforce tags for resource creation. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc.</p>
    <h2 style="text-align: justify;">Azure Policy</h2>
    <p style="text-align: justify;">Azure Policy is a powerful tool for Azure Governance. We can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment.</p>
    <h3 style="text-align: justify;">Enforce tags for resource creation</h3>
    <p style="text-align: justify;">So, why tags? Why we need to add tags to all Azure resources? The Microsoft Azure environments are getting bigger and bigger and managed by multiple people and teams. That makes it difficult to understand who created a resource and what is the purpose of that resource. Another critical matter that we need tags is Cost Management. At the Azure Cost Management Portal, we can sort and arrange the resource cost using the Tags. This way we can provide an expense dashboard with the actual cost of the resources per department, project or whatever tags we have added to the Resource.</p>
    <h3 style="text-align: justify;">Guide: Video</h3>
    <p style="text-align: justify;">View my video guide on how to use Azure Policy to enforce tags for resource creation</p>
    <p><iframe id="_ytid_65438" width="840" height="473" data-origwidth="840" data-origheight="473" src="https://www.youtube.com/embed/h6qXy20o0fY?enablejsapi=1&autoplay=0&cc_load_policy=0&iv_load_policy=1&loop=0&modestbranding=1&rel=0&fs=1&playsinline=0&autohide=2&theme=dark&color=red&controls=1&"class="__youtube_prefs__" title="YouTube player" allow="autoplay; encrypted-media" allowfullscreen data-no-lazy="1" data-skipgform_ajax_framebjll=""></iframe></p>
    <p style="text-align: justify;">You can find more at Microsoft Docs: <a href="https://docs.microsoft.com/en-us/azure/governance/policy/">https://docs.microsoft.com/en-us/azure/governance/policy/</a></p>
    <p style="text-align: justify;">
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-policy-enforce-tags-for-resource-creation%2F&linkname=Azure%20Policy%20%7C%20Enforce%20tags%20for%20resource%20creation"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-policy-enforce-tags-for-resource-creation%2F&linkname=Azure%20Policy%20%7C%20Enforce%20tags%20for%20resource%20creation" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-policy-enforce-tags-for-resource-creation%2F&title=Azure%20Policy%20%7C%20Enforce%20tags%20for%20resource%20creation" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/azure-policy-enforce-tags-for-resource-creation/" data-a2a-title="Azure Policy | Enforce tags for resource creation"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-policy-enforce-tags-for-resource-creation/">Azure Policy | Enforce tags for resource creation</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-policy-enforce-tags-for-resource-creation/"class='bbc_url' rel='nofollow external'>Source</a>
  6. proximagr
    At this post, we will create a Logic App that will query the Log Analytics workspace for the WAF logs of the last 24 hours and send the results in an email, using a free SendGrid account.
    A Web Application Firewall protects your application from common web vulnerabilities. Azure provides enterprise grade Web Application Firewall through the Application Gateway. You can read more at my previous post: https://www.e-apostolidis.gr/microsoft/azure/protect-your-web-application-with-azure-application-gateway-waf/ Use Log Analytics to Query the WAF Logs
    The Application Gateway WAF sends its logs to the Log Analytics workspace. You can see them using a typical query like the below, that will list all events at the past 24 hours.
    AzureDiagnostics | where Resource == “PROWAF” and OperationName == “ApplicationGatewayFirewall” | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s
    You can save the query by clicking the Save button and give it a name and a Category.
    We can send those logs as email by using an Azure Logic App and a SendGrid account. You can see how to create a SendGrid free account at my previous post: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/ Create a Logic App
    From the portal.azure.com, Create a resource and write “logic app”, click the “Logic App”and press “Create”
    At the Logic App creation wizard add Name, subscription, resource group, location and press Create
    Next the Logic App will be created. Open it and from the Logics App Designer select the “Recurrence” common trigger.
    Change the Recurrence Interval to “1” and the Frequency to “Day” and press the “+ New step”
    search for “log analytics” and select the “Run query and visualize results”
    I will proceed with “Sign in”, you can also use a Service Principal but we will cover this to another post.
    After you login select the Subscription, Resource Group and the Log Analytics Workspace. Next, add the query, for Chart Type select “Html Table” and add a “Next Step”

    search for “sendgrid” and select the “Send email (V2)”
    Add a name for the connection and the API key that you created at the SendGrid creation post and press create. https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/
    Fill the From address, To address and Subject. At the email body, add dynamic content and select the blocs of the previous set result.
    Press Save to save the Flow and Run to test it.
    The result at my email:

  7. proximagr
    <p>Σήμερα δημοσιεύτηκε η συνέντευξή μου με τίτλο “<span data-offset-key="900n3-0-0">Το Azure εξελίσσεται”</span> στο NetFax τεύχος #4230, <span data-offset-key="900n3-0-0"> όπου συζητάω για τις τάσεις που θα μας απασχολήσουν στο Microsoft Azure & το Cloud! </span></p>
    <p><img class="alignnone size-full wp-image-2796" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/08/netfax4.jpg"alt="νετφαχ" width="568" height="1075" /></p>
    <p>Ευχαριστώ όλη την ομάδα που συνέβαλε για αυτήν την συνέντευξη & φυσικά <span data-offset-key="900n3-0-0">Read more @netfax </span></p>
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&linkname=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&linkname=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&title=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax" data-a2a-url="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/" data-a2a-title="Το Azure εξελίσσεται & οι τάσεις που θα μας απασχολήσουν! @Netfax"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/">Το Azure εξελίσσεται & οι τάσεις που θα μας απασχολήσουν! @Netfax</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/"class='bbc_url' rel='nofollow external'>Source</a>
  8. proximagr
    <h1 style="text-align: justify;">Azure Portal | Playing with Disk Snapshot</h1>
    <p style="text-align: justify;">Disk Snapshot is a powerful tool to manage Azure VMs. It’s simple to create and can help the administrators in various tasks. It’s a fast and efficient way to have a crash-consistent Disk of a Virtual Machine, before performing tasks, updates, configuration changes, application installations, etc. Of course the last line of defence is the Azure Backup, but using the Snapshot you don’t need to wait the whole Backup / Restore times. With snapshots there are two main options to recover the VM. One is using the “swap OS Disk” functionality, which gives you the ease to swap the Operating System disk with one click. The other option is to create a new VIrtual Machine. Beware, if you want to make Azure VM clones, you need to generalize the VM with Sysprep and Capture the VM. Using the Snapshot option you will have an identical VM, with the same IDs.</p>
    <h2 style="text-align: justify;">Snapshot</h2>
    <p style="text-align: justify;">The first step is to create a snapshot from the Virtual Disk. Open the Azure VM, go to Disks, select the OS Disk and press “Create Snapshot”. You don’t actually need to stop the VM. Windows Server operating system stays fully consistent, but no one can guarantee the consistency of any databases currently running. Think of it like the Hyper V CheckPoint functionality. We make checkpoints all the time and we revert to them even in production.</p>
    <p id="yLMWzuR" style="text-align: justify;"><img class="alignnone wp-image-2884 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1.png"alt="disk snapshot" width="773" height="359" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1.png 773w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1-300x139.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c4f41af1-768x357.png 768w" sizes="(max-width: 773px) 100vw, 773px" /></p>
    <p style="text-align: justify;">The Create snapshot screen will open. Fill in a name and disk account type (Standard / Premium) and press create.</p>
    <p id="Cvnyhoo" style="text-align: justify;"><img class="alignnone wp-image-2885 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be.png"alt="disk snapshot" width="635" height="448" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be.png 635w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8c81cf6be-300x212.png 300w" sizes="(max-width: 635px) 100vw, 635px" /></p>
    <p style="text-align: justify;">At this point I will create a folder at the VM for revision</p>
    <p id="RNUFdnD" style="text-align: justify;"><img class="alignnone wp-image-2886 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630.png"alt="disk snapshot" width="580" height="303" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630.png 580w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d0eef630-300x157.png 300w" sizes="(max-width: 580px) 100vw, 580px" /></p>
    <h2 style="text-align: justify;">Create a Disk</h2>
    <p style="text-align: justify;">To make the snapshot functional, we need to create a Managed Disk resource.</p>
    <p id="TCxcFbJ" style="text-align: justify;"><img class="alignnone wp-image-2888 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb.png"alt="disk snapshot" width="614" height="296" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb.png 614w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8dbd6c9fb-300x145.png 300w" sizes="(max-width: 614px) 100vw, 614px" /></p>
    <p style="text-align: justify;">At the Create managed disk wizard, select the Region that the Snapshot resides. Then select “Source type” Snapshot and select it. At the Size, select a disk size at least the same as the source disk.</p>
    <p id="CYKOnDl" style="text-align: justify;"><img class="alignnone wp-image-2889" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11.png"alt="disk snapshot" width="638" height="656" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11.png 833w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11-292x300.png 292w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e03cea11-768x789.png 768w" sizes="(max-width: 638px) 100vw, 638px" /></p>
    <h2 style="text-align: justify;">Swap OS Disk</h2>
    <p style="text-align: justify;">Now that we have created the managed disk, it’s time to use the Swap OS Disk functionality. We have proceeded with the Azure VM’s updates, software updates, configuration changes, and finally we need to roll back those changes. Go to the VM’s Disks and press “Swap OS Disk”</p>
    <p id="pzuGeyg" style="text-align: justify;"><img class="alignnone wp-image-2887" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2.png"alt="disk snapshot" width="633" height="390" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2.png 852w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2-300x185.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8d3ca65c2-768x472.png 768w" sizes="(max-width: 633px) 100vw, 633px" /></p>
    <p style="text-align: justify;">at the “Swap OS Disk” wizard, select the managed disk that we created.</p>
    <p id="qmhobOc" style="text-align: justify;"><img class="alignnone wp-image-2890 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951.png"alt="disk snapshot" width="449" height="399" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951.png 449w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8e6658951-300x267.png 300w" sizes="(max-width: 449px) 100vw, 449px" /></p>
    <p style="text-align: justify;">In the background, the Azure Platform will stop, deallocate the VM and it will re-crate it with the selected OS disk. As you see at the next screenshot the OS disk is the managed disk that we created from teh snapshot.</p>
    <p id="JASxLxW" style="text-align: justify;"><img class="alignnone wp-image-2891 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed.png"alt="disk snapshot" width="955" height="484" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed.png 955w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed-300x152.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8eda544ed-768x389.png 768w" sizes="(max-width: 955px) 100vw, 955px" /></p>
    <p style="text-align: justify;">I Started the VM and logged in. The folder I created after the snapshot of course is missing <img src="https://s.w.org/images/core/emoji/12.0.0-1/72x72/1f642.png"alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
    <p style="text-align: justify;"><img class="alignnone wp-image-2892 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a.png"alt="disk snapshot" width="507" height="258" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a.png 507w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8f86e1d8a-300x153.png 300w" sizes="(max-width: 507px) 100vw, 507px" /></p>
    <h2 style="text-align: justify;">New Azure VM</h2>
    <p style="text-align: justify;">The other option is to create a new Virtual Machine using the Snapshot. As I wrote before, beware, if you want to make Azure VM clones, you need to generalize the VM with Sysprep and Capture the VM. Using the Snapshot option you will have an identical VM, with the same IDs.</p>
    <p style="text-align: justify;">To create a VM from the Snapshot, just open the Managed Disk that you created from the Snapshot and press Create VM.</p>
    <h2 id="YVnQUGo" style="text-align: justify;"><img class="alignnone wp-image-2893 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2.png"alt="disk snapshot" width="764" height="401" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2.png 764w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b8fe63bbc2-300x157.png 300w" sizes="(max-width: 764px) 100vw, 764px" /></h2>
    <p style="text-align: justify;">The Create a virtual machine wizard will open, and at the Operating System Image section, it will have selected the image from the disk. This process is identical to creating a new Hyper V VM from an existing virtual disk.</p>
    <p id="agkkViV" style="text-align: justify;"><img class="alignnone wp-image-2899 size-full" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885.png"alt="disk snapshot" width="875" height="838" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885.png 875w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885-300x287.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d9b9dee55885-768x736.png 768w" sizes="(max-width: 875px) 100vw, 875px" /></p>
    <p style="text-align: justify;">Follow the Create a virtual machine wizard exactly the same as creating any Azure VM.</p>
    <p>More e-apostolidis.gr posts about managed disks: <a href="https://www.e-apostolidis.gr/tag/managed-disks/">https://www.e-apostolidis.gr/tag/managed-disks/</a></p>
    <p style="text-align: left;">Read more at: <a href="https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#managed-disk-snapshots">https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#managed-disk-snapshots</a></p>
    <p> </p>
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-portal-playing-with-disk-snapshot%2F&linkname=Azure%20Portal%20%7C%20Playing%20with%20Disk%20Snapshot"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-portal-playing-with-disk-snapshot%2F&linkname=Azure%20Portal%20%7C%20Playing%20with%20Disk%20Snapshot" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazure%2Fazure-portal-playing-with-disk-snapshot%2F&title=Azure%20Portal%20%7C%20Playing%20with%20Disk%20Snapshot" data-a2a-url="https://www.e-apostolidis.gr/microsoft/azure/azure-portal-playing-with-disk-snapshot/" data-a2a-title="Azure Portal | Playing with Disk Snapshot"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-portal-playing-with-disk-snapshot/">Azure Portal | Playing with Disk Snapshot</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/microsoft/azure/azure-portal-playing-with-disk-snapshot/"class='bbc_url' rel='nofollow external'>Source</a>
  9. proximagr
    <p>Happy Friday! My blog post is featured at this week’s Friday Five!</p>
    <p>Check out this week’s <a href="https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274">FridayFive section of the Microsoft MVP Award Program Blog!</a> My blog post about <a href="https://www.e-apostolidis.gr/microsoft/azure-free-smtp-relay-using-sendgrid/">using SendGrid for free SMTP relay from Azure</a> is featured !!!</p>
    <p id="swHBZZB"><img class="alignnone size-full wp-image-2880 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb.png"alt="" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb.png 1239w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-300x87.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-768x224.png 768w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-1024x298.png 1024w" sizes="(max-width: 1239px) 100vw, 1239px" /></p>
    <p><a href="https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274">https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274</a></p>
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&linkname=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&linkname=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&title=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21" data-a2a-url="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/" data-a2a-title="Happy Friday! My blog post featured at this week’s Friday Five!"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/">Happy Friday! My blog post featured at this week’s Friday Five!</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


    <a href="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/"class='bbc_url' rel='nofollow external'>Source</a>
  10. proximagr
    Get real insights about your Windows and Linux VMs & VMSSs performance and their dependencies with Azure Monitor. Integrate with Log Analytics for even more in depth analysis and retain the data over time. Health, Performance & Service Map of your VM in a dashboard.
    Deploy to Single VM
    For a single VM, go to the VMs blade, scroll down to the “Monitoring” section, select “Insights” and press “Try now”

    The Azure Monitor Insights Onboarding wizard will open. If your VM is already onboard at a Log Analytics workspace just click Enable. Otherwize select a Log Analytics workspace or create one.

    You will start seeing data form the VM in about 20-30 minutes. Deploy to multiple VMs using Azure Policy
    For deploying to multiple VMs, the easiest way is to use Azure Policy
    Go to the Azure Policy, select Assignments and press “Assign initiative”

    The first option is the Scope. Press the three dots “…” at the Scope field. You can choose a a Management Group, a Subscription or a Resource Group. So if you just select a Management Group (And don’t select subscription and resource group), this policy will apply to all Subscriptions under the Management Group and of course to all resources of the subscription. If you choose a Subscription (and don’t select a resource group then the policy will apply to all resources of the subscription. Finally if you choose a resource group then the policy will apply only to this resource group. Later we will see how to select specific VMs in the Subscription or Resource group.

    After selecting the Scope you can add exclusions. There you can check the VMs you don’t want this policy to apply.

    The next step is to select the Policy. At the BASICS section, press the three dots “…” near the “Initiative definition” and find the “Enable Azure Monitor for VMs”

    Next step is to configure the Parameters. There select the Log Analytics workspace that the VM will onboard, or create a new one. Optionally you can provide a list of VMs instead of adding all of them

    Finally press Apply. Back at the Azure Policy main menu you will see the new Definition Assignment.
    View the Health / Performance / Service Map of the VMs
    To view the Azure Monitor of the VMs, go to the VM that you have enabled Insights, select the Insights blade and you will be able to see the health status not only for the common CPU. Memory, Disk,

    But also for the services that run inside the VM and the Azure Monitor discovered.

    By clicking on any service you will have a list of all logs of this service

    At the performance section you have the ability to select time range and have performance analytics for a requisted period of time

    Finally at the MAp, you have a service map of the services and ports that are open and listening


    Product Documentation: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-overview
  11. proximagr
    <p>Lets say you have an Office 365 account and cloud only users with mailboxes and now you decide that you want to sync it and match the Office 365 users with your Active Directory users.</p>
    <p>I prepared a lab with one DC and I created a trial Office 365 E3 account with custom domain. I created users with the same username to both. At Active Directory I set the UPN to match the Office 365 user name and also added the email address.</p>
    <p>Next I enabled directory synchronization from Office 365 and installed Azure AD Connect to DC2. After the initial sync i got this error:</p>
    <p><em>Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [Mail [email protected];].</em></p>
    <p>I realized that Office 365 could not map the users, it was trying to create new. So there must be an attribute that needs correction. The solution came form the following blog:</p>
    <p>http://blogs.4ward.it/how-to-map-onprem-active-directory-users-to-existing-office365-users/</p>
    <p>and specifically at the “manual match method” section:</p>
    <p><em>In order to match the user with the cloud user you have to set the Immutable ID of onPremise Active Directory user’s ObjectGUID to the immutableID value of the Office365 user.</em><br /><em>To retrieve the ObjectGUID you can use the following command:</em></p>
    <p><em>Ldifde –d “CN=xxx…,OU=xxx,DC=xxxx,DC=xx” –f c:tempexportuser1.txt</em></p>
    <p><em>“CN=xxx…,OU=xxx,DC=xxxx,DC=xx” is the distinguished name of the user. You can use ADSIEdit or the AD Users & Computer (attribute editor) to find this value</em></p>
    <p><em>In the Textfile exportuser1.txt look for the ObjectGUID. You will find a string like z2Xbu0xFTUapOeDqHRTN1A==</em></p>
    <p><em>Then connect to Windows Azure Active Director and use the command</em></p>
    <p><em>set-MsolUser -UserPrincipalName [email protected] -ImmutableId z2Xbu0xFTUapOeDqHRTN1A==</em></p>
    <p>After that I just forced a delta sync “Start-ADSyncSyncCycle -PolicyType Delta” , the sync was successful and the users in Office 365 changed from “In Clout” to “Synced with Active Directory”</p>
    <p> </p>
    <p><a href="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/How-to-Map-OnPrem-Active-Directory-users-to-existing-Office365-Users.pdf">Howto Map OnPrem Active Directory users to existing Office365 Users</a></p>
    <p>source: http://blogs.4ward.it/how-to-map-onprem-active-directory-users-to-existing-office365-users/</p>
    <p><a class="a2a_button_email" href="http://www.addtoany.com/add_to/email?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Foffice-365%2Fmatch-onprem-active-directory-users-existing-office365-users%2F&linkname=Match%20OnPrem%20Active%20Directory%20users%20to%20existing%20Office365%20Users"title="Email" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/email.png" width="16" height="16" alt="Email"/></a><a class="a2a_button_print" href="http://www.addtoany.com/add_to/print?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Foffice-365%2Fmatch-onprem-active-directory-users-existing-office365-users%2F&linkname=Match%20OnPrem%20Active%20Directory%20users%20to%20existing%20Office365%20Users" title="Print" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/print.png" width="16" height="16" alt="Print"/></a><a class="a2a_dd a2a_target addtoany_share_save" href="https://www.addtoany.com/share#url=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Foffice-365%2Fmatch-onprem-active-directory-users-existing-office365-users%2F&title=Match%20OnPrem%20Active%20Directory%20users%20to%20existing%20Office365%20Users" id="wpa2a_6"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></p><p>The post <a rel="nofollow" href="http://www.e-apostolidis.gr/microsoft/office-365/match-onprem-active-directory-users-existing-office365-users/">Match OnPrem Active Directory users to existing Office365 Users</a> appeared first on <a rel="nofollow" href="http://www.e-apostolidis.gr">Proxima's IT Corner</a>.</p>


    <a href="http://www.e-apostolidis.gr/microsoft/office-365/match-onprem-active-directory-users-existing-office365-users/"class='bbc_url' rel='nofollow external'>Source</a>
  12. proximagr
    At the previous post we created an Azure Front Door to scale our web apps across Azure Regions and also publish them only through the Front Door’s URL. At this post we will create Web Application Firewall (WAF) rules, to protect our web apps. To add WAF functionality to the Front Door we need first to create WAF rules and then attach them to the Front Door
    Create the WAF Rule
    From the Azure Marketplace search for WAF and create a Web Application Firewall
    At the “Create a WAF policy” wizard select “Global WAF (Front Door) for policy, provide the subscription and resource group, give a name for the policy and select if you want it to be created enabled or disabled.
     
    At the next step select if the policy will prevent the action or just detect and report it. You can change this later too. You can provide a Redirect URL for rules that support redirection. The default status code is 403 but we can change it to e.g. 404. We can also add a custom response body.
    The next step is the rule. We can select one or more predefined rule sets and then customize at will.
    To customize, expand the rule set and select a rule. You can enable / disable the rule and you can change the action to Allow, Block, Lod or Redirect.
    WAF Custom Rule
    The next step is the custom rules. There’s a lot to customise here. First are the rule type settings. Select status of the rule, enabled or disabled. Select the Rule type between Match and Rate limit. If you select rate limit you will be prompt to set rate limit and threshold. The final rule tupe setting is to set the priority of the rule.

    Next is the Conditions (If this) and the action (then that).
    The condition can be Geolocation, IP address, Size or String. After selecting the Match Type the rest options are altered accordingly.

    The action can be Allow traffic, Deny traffic, Log traffic only or Redirect traffic
     
    For the demo I created a rule that will Deny all traffic from The Netherlands, because I can test it from an Azure VM located at the West Europe Region.
    The next step is to associate the rule to the Front Door. After that assign Tags if needed and create the rule.
    Once the Rule is ready, a “Front Door WAF policy” resource will be at the selected Resource Group.
    Inside the Front Door, at the Web application firewall section, you can review the assigned rules.
    Test 1
    From an Azure VM at West Europe Region, I tried to access the Front Door’s URL and we can see my custom 403 body text!
    Test 2
    From my Computer I tested a typical SQL Injection attack from https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) . Again my custom 403 page!

    The post Use Web Application Firewall (WAF) Rules with the Front Door to protect your app appeared first on Apostolidis IT Corner.


  13. proximagr
    Securely scale your Web Apps with Azure Front Door
    There is a big buzz out there about Azure Front Door.  Is it a Load Balancer? A CDN? A Traffic Manager? A Web Application Firewall ? A Reverse Proxy? An Application Gateway?
    So, what is Azure Front Door?
    Azure Front Door actually is all the above and more. It is a global service, that routes web traffic based on performance and availability. A Layer 7 multi-region load balancer with Web Application Firewall (WAF) capabilities, DDoS protection & CDN.
    Azure Front Door is the entry point, the edge, of all Microsoft’s WAN. All Microsoft services, like Office 365 & Bing, are using Azure Front Door.
    The services that Azure Front door provides are:
    Accelerate application performance Increase application availability with smart health probes URL-based routing Multi-site hosting URL redirection Session affinity SSL termination Custom Domain & certificate management Security via custom WAF rules DDoS protection URL rewrite IPv6 and HTTP/2 support At Azure Front Door documentation there is a paragraph that can help to understand the difference between Azure Front Door and other publishing / load balancing Azure solutions and where to use each.
    For pricing information, see Front Door Pricing.
    How to scale your web apps with Front Door
    Create two simple Azure Web apps. Check this guide for a simple guide on how to create Azure App Service: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-your-first-web-app/
    One at West Europe:

    and one at North Europe:

    Using FTP, I deployed an one-page html site at both regions. I change the text of both site to say “This Web Site is located at North Europe Azure Datacenter”

    and “West Europe” to the other.

    Then create a Front Door. Search for Front Door at Azure marketplace and Create one.

    This is a high level diagram of the Front Door with two Web Apps design that we will create

    The “create a Front Door” wizard will start and we can configure it step by step. First we will create a Frontend host by clicking the + at the Step 1

    At the frontend host we will create the URL that our apps will be available. I added the papostolidis.azurefd.net. of course later you can add your custom domain and add a CNAME to route the traffic to the Front Door.

    Then, at the Backend pools (Step 2), press the + to add the web apps. add a name for the backend pool, like “myapps” and press + ADD a backend to add the apps.

    Select host type, you can add app service, cloud service, storage and custom host (URL). I selected the app service.

    Select the subscription and the app service and add the correct ports for http and https traffic.
    The priority defines if the traffic will be routed to the host with the lower priority number (e.g. 1) and if that host fails will route to the next host with bigger priority number (e.g. 2). If you add the same priority to more than one host then it will follow the weight number.
    The weight number defines the percentage of requests that will be routed to each host.

    The same way add the second web app

    Finally select a path, protocol and interval for the probe that will do health checks to the app to define if it is active or not.

    The third step is to add the routing rules. At the routing rules you can specify:
    The accepted protocol, http or https. the frontend host for this rule the patterns that the route will accept, like www.e-apostolidis.gr/mysite/* or just /* ro root. Route type forward or redirect. The backend pool that this rule will direct the traffic The protocol that the traffic will be forwarded. Here we define the SSL Offload if we select HTTPs for frontend accepted protocol and HTTP for backend. URL Rewrite rules Caching, for static content caching like CDN.
    Once all steps are completed we can move on and create the Front Door

    When the Front Door is ready, we can see the URL at the Overview.

    And browse our web app using the Front Door URL:

    How to protect your web apps with Front Door
    Right now we scaled our web apps. If we use each app’s URL we can still access the app. The first security step is to lock the web apps to be accessed only through the Front Door URL.
    Checking the Azure Front Door FAQ page, https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq it lists the Front Door’s address rance.
    Front Door’s IPv4 backend IP space: 147.243.0.0/16
    Go to the App Service, at the Networking section, select “Configure Access Restrictions”

    Add an allow access restriction with the IP range of the Front Door.

    Automatically a Deny rule will be created for everything else.

    Add the rule to both web apps and then try to access the apps with their direct links.

    Now on, we can access the apps only by using the Front Door URL:

    This is a high level diagram after the restrictions

    At the next article, we will see how to add Web Application Firewall (WAF) Rules to Front Door, Stay Tuned!! 

    The post Securely scale your Web Apps with Azure Front Door appeared first on Apostolidis IT Corner.


  14. proximagr
    Use Service Endpoints to protect an Azure Storage Account inside an Azure Azure Virtual Network
    As we have already saw at a previews post, we can use the Service Endpoints to protect an Azure SQL Server inside an Azure Virtual Network. Today we will see how we can protect a Storage Account.
    First we need to enable the Microsoft.Storage Service Endpoint to an existing Virtual Network or create a new Virtual Network and enable it. At this port I am creating a new Virtual Network, so at the Azure Portal press New and at the search box type “Virtual Network”.
    Enter the name of the Virtual Network and all the required fields. The only difference is to click “Enable” at the Service Endpoints and select the “Microsoft.Storage”.

    After the Virtual Network we can proceed with the Storage Account. Create a Storage Account by going to Azure Portal, press New, search for “Storage Account” and press Create. At the “Create storage account” blade enter all the required fields. The difference here is to click “Enable” at the “Virtual Networks” and select the Virtual Network that you have enabled “Service Endpoints” and select the desired subnet.

    After the Storage Account creation, open the Storage Account and go to the “Firewall and virtual network” setting. and you will see that the selected Virtual Network and Subnet are configured and all other networks and the Internet access are forbidden.

    Now if you go to the File Service of the Storage Account you will get an “Access Denied” message, since you are accessing from the Internet.

    In order to access the Storage Account File Service (And all other services like blob) I created a Virtual Machine inside the Virtual Network and opened the Portal from it. Now I can access the Storage Account services.

    Of course we can add our Public IP and access the Storage Account configuration, make the required changes and then remove it.

    Also we can add / remove existing and new networks

  15. proximagr
    Bulletproof manage your Azure VMs
    Continuing the Azure Security Center posts, today we will see a new feature of the Security Center, called Just in Time VM Access.
    As best security practice, all the management ports of a Virtual Machine should be closed using Network Security Groups. Only the ports required for any published services should be opened, if any.
    However there are many occasions that we are requested to open a management port for administration or a service port for some tests for short time. This action has two major problems, first it requires a lot of administration time, because the administrator must go to the Azure Portal and add a rule at the VM’s NSG. The second problem is that many time the port is forgotten open and this is a major vulnerability since the majority of the Brute Force attacks are performed to the management ports, 22 and 3389.
    Here comes the Azure Security Center, with the Just in Time VM Access feature. With this feature we can use the RBAC of the azure Portal and allow specific users to Request a predefined port to be opened for a short time frame.JIT Configuration
    Lets see how we configure the JIT. First we need to go to the Azure Security Center. Scroll down to the ADVANCED CLOUD DEFENSE and click the “Just in time VM Access”. Since it is at a Preview you need to press the “Try Just in time VM access”

    After we enable JIT, the window displays tree tabs, the Configured, the Recommended and the No recommendation. The Configured tab displays the Virtual Machines that we have already enabled JIT. The recommended are VMs that have NSGs and are recommended to be enabled for JIT. The No recommendation are Classic VMs or VMs that don’t have attached NSG.

    To enable JIT for a VM, go to the Recommended tab, select one or more VMs and press “Enable JIT on x VMs”

    At the “JIT VM access configuration” the Security Center proposes rule with the default management ports. We can add other ports that we need and also remove any of them that are unnecessary.
    At each rule we can configure the Port, the Protocol, the Source IP and the Maximum request time.
    If we leave the “Allowed source IPs” to “Per request” then we allow the requester to decide. One very interesting setting here is that when a user requests access it has the option to allow only the Public IP that he is using at that time automatically.
    With the last option, the “Max request time” we narrow down the maximum time that we will allow a port to be opened.

    After we configure all the parameters we click Save and the VM moves to the Configured tab. At any time we can change the configuration by selecting the VM, press the three dots at the end of the line (…) and click Edit.

    The Propertied button opens the VM’s blade, the Activity log shows all the users that requested access and the Remove of course disabled the JIT.Behind the scene
    What really happens to the VM? if you browse to the NSG that is attached to the VM you will see that all the port rules configured at the JIT are added as NSG Rules with lower priority than all the other rules. All other rules automatically changed priority to higher.

    Lets see how we request access and what happens in the background. To request access go to the Security Center / JIT , select the VM and press “Request Access”

    At the “Request access” blade switch on the desired port, select “My IP” or “IP Range” and the Timerange, all according to the JIT configuration of the VM. Finally press “Open Ports”

    At the above example I select “My IP” so if you go to the VM’s NSG you will see that the 3389 port rule changed to “Allow” and for Source has my current Public IP. Also it moved at first priority.

    After the expiration of the time rage the port will change to “Deny” and move back to its prior priority.
     
    [/url]
    The post Bulletproof manage your Azure VMs appeared first on Apostolidis IT Corner.


    Source
  16. proximagr
    Καλησπέρα στην κοινότητα. Μια ακόμα αναμέτρηση με το τέρας του Exchange. Έχουμε και λέμε, εγκατάσταση με Exchange Server 2010, έχω ρυθμίσει Hybrid με Office 365, DirSync, όλα καλά. Έχουν πάει επάνω users, contacts, distribution groups, mail contacts, έχω περάσει και Mail-Enabled Public Folders όλα καλά. Έλα όμως που στα Distribution Group members ενώ έχουν συγχρονίσει όλα τα members δεν έχει φέρει τους Mail-Enabled Public Folders. Τελικά μετά από ψάξιμο και διάφορα περίπλοκα PowerShell scripts είπα να δοκιμάσω απλά και όμορφα και μάλιστα μέσο GUI το εξής:
    Έφτιαξα ένα Mail Contact, του άλλαξα το TargetAddress να είναι ίδιο με του Mail-Enabled Public Folder, το έβαλα member στο Distribution Group, force DirSync και voilà, έχουμε mail delivery στο Public Folder!!!!
     
    Τώρα Step-By-Step:
     
    Ας πούμε ότι ο Mail-Enabled PF είναι mypublicfolder και το Email Address είναι [email protected]
     
    1. Ανοίξτε το Exchange Management Console
    2. Πηγαίνουμε “Receipient Configuration” / “Mail Contact” / “New Mail Contact”

    3. Επιλέγουμε“New Contact” & click Next
    4. Δίνω ένα όνομα που να θυμίζει τον Public Folder, εγώ έβαλα ένα -O365 στο τέλος:
    Name: mypublicfolder-O365
    Alias: mypublicfolder-O365
    External e-mail address: [email protected]

    5. Click Next, New & τελικά Finish για να δημιουργηθεί Mail Contact
    6. Ανοίγουμε Active Directory Users & Computers
    7. Από το menu στο “View” κάνουμε check το “Advanced Features”
    8. Πάμε στο container που είναι ο Mail Contact, τον επιλέγουμε και με διπλό click ανοίγουμε properties
    9. Πάμε στην καρτέλα “Attribute Editor” και βρίσκουμε το “TargetAddress”

    10.Κάνουμε Editκαι αλλάζουμε την διεύθυνση με αυτήν του Mail-Enable Public Folders , στη συγκεκριμένη περίπτωση βάζουμε: SMTP:[email protected]

    11. Κάνουμε Click OK, Apply και OK για να κλείσουμε το properties.
    12. Πάμε πίσω στο Exchange Management Console και πάμε στο “Reciepient Configuration” / “Distribution Group”

    13.Βρίσκουμε το Distribution Group και προσθέτουμε το Mail-Contact σαν μέλος
    14. Περιμένουμε το DirSync να κάνει ένα full sync ή κάνουμε force και τέλος.
  17. proximagr
    Μόλις έλαβα το πρώτο μου Microsoft Azure MVP award!
    Νοιώθω χαρούμενος και περήφανος που η προσπάθεια και η προσφορά μου στην κοινότητα ανταμείβεται. Πιστεύω στην κοινότητα και στον διαμοιρασμό της γνώσης και αυτό με έχει βοηθήσει πολύ στην ζωή μου και και εγώ με τη σειρά μου προσπαθώ να βοηθήσω στο μέγιστο.
    Όλα ξεκινάνε με αυτό το υπέροχο email Congratulations! We are extremely pleased to present you with the 2018-2019 Microsoft Most Valuable Professional (MVP) Award! This award is given to exceptional technical community leaders who share their remarkable passion, real-world knowledge, and technical expertise with others through demonstration of exemplary commitment. We appreciate your outstanding contributions in the Microsoft Azure technical communities during the past year.

    [/url]
    The post My First Microsoft Azure MVP award! appeared first on Apostolidis IT Corner.


    Source
×
×
  • Create New...