Category Archives: Azure

Azure Active Directory Application Proxy – Part 02

In Part 01 of this series I have explained what is Azure AD application proxy and how it works. If you didn’t read it yet you can find it in http://www.rebeladmin.com/2017/06/azure-active-directory-application-proxy-part-01/

In this part of the series I am going to demonstrate how we can configure Azure AD application proxy.

Demo Setup

In my demo environment I have following,

1. Azure AD Premium Subscription

2. Active Directory 2016 on-premises setup 

3. Web application running on IIS

Enable Azure AD proxy

Before we install application proxy connector, we need to enable application proxy. This only need to enable when setup first application proxy.

1. Log in to Azure as Global Administrator

2. Then open Azure Active Directory 

adapp1

3. In next window click on Application proxy

adapp2

4. In next window click on Enable Application Proxy. Then it will explain about feature and click on Yes to enable. 

adapp3

Install Application Connector

Next step in configuration is to install Application Connector. I am going to install this on same application server.

1. Log in to Azure as Global Administrator

2. Then go to Azure Active Directory | Application Proxy 

3. Then in window click on Download connector 

adapp4

4. It will redirect to a page where you can download the connector. After Accepting terms click Download

adapp5

5. Once file is downloaded, double click on AADApplicationProxyConnectorInstaller.exe to start the connector installation. 

adapp6

6. Then it will open up a wizard. Agree to licenses terms and click on install to proceed. 

adapp7

7. During the installation, it asks for Azure login details. Provide an account which have azure global admin privileges. 

adapp8

8. After login details validates it will continue with the setup. Once it completes we ready to publish the application. 

adapp9

Publish Application

Next stage of the configuration is to publish the application.

1. Log in to Azure as Global Administrator

2. Then go to Azure Active Directory | Enterprise Applications 

adapp10

3. Then in next window, click on New Application 

adapp11

4. In categories page, Click on All and then click on on-premises application 

adapp12

5. Then it’s opens a new window where we can provide configuration data for application.

adapp13

In this form,

Name – Unique name to identify the application

Internal Url – Internal Url for the application. 

External Url – This is auto generated by azure and this url will be the one use to access the application via internet. If need certain url changes can be made. 

All other values we can leave default unless there is specify requirement. 

Once information added, click on Add button to publish the application. 

adapp14

6. Once application is published, we can see it under Enterprises Application

adapp15

Testing

Now we have everything ready. Next step is to verify if its working as expected. by default, application do not have any users assigned. So, before we test, we need to allow application access. 

1. Log in to Azure as Global Administrator

2. Then go to Azure Active Directory | Enterprise Applications | All Applications

3. Click on the web app that we published on previous section. 

4. Then click on Users and Groups

adapp16

5. Then click on Add User in next window

adapp17

6. From the list select the users and click on Select

adapp18

7. Click on Assign to complete the process. 

8. Now under the users you can see the assigned users and groups. 

adapp19

9. Now everything ready! Type the public URL in your browser which is generated during application publish process. For our demo, it was https://webapp1-myrebeladmin.msappproxy.net/webapp1/ . As expected it goes to the Azure login page. 

adapp20

10. Log in using a user account assigned for the app. 

11. After successfully authentication I can see my local web app content! 

adapp21

So as expected, we were able to publish a local application to internet without any DNS, firewall or application configuration change.

Hope this was helpful and if you have any questions feel free to contact me on rebeladm@live.com

Azure Active Directory Application Proxy – Part 01

Today I am going to explain about another great feature which comes with Azure Active Directory. Rebeladmin Corp. does have a CRM application which use by its employees.  This is web based app and hosted in internal network. This app uses windows authentication. From internal, users can log in to it with SSO. Rebeladmin Corp. also uses some application hosted in Azure as well as Office 365. These applications are currently used by its users internal and externally. There was recent requirement that users also want to access this CRM application from external. So, what we can do to allow access from external?

1. Setup VPN, so users can dial in to VPN and access the application through it. 

2. Use ADFS to provide multi factor authentication and SSO from external. ADFS proxy server can place in DMZ to provide more secure connection from external

3. Use Remote Desktop Gateway and Remote Desktop Servers to host application for external access

4. If users are connecting from specific networks, allow direct access to application using edge firewall rules. 

All above solutions can work but it need additional configurations and resource such as,

1. Firewall rules to control traffic between different network segments (DMZ, LAN, WAN) 

2. Public IP addresses and DNS entries for internet facing components

3. Additional servers to host server roles and applications such as ADFS proxy, ADFS Farm, RDG etc. 

4. Additional licenses cost

5. Additional maintenance cost

6. Skills to configure these additional server roles, firewall rules etc. 

Azure Active Directory Application Proxy can integrate on-premises applications with Azure Active Directory and provide secure access with minimum changes to the existing infrastructure. It doesn’t need VPN, additional firewall rules or any other additional servers’ roles. This experience is similar to accessing applications hosted in azure or accessing office 365. This great feature was there for a while but still lots of people do not use this and some not even aware there is such feature available. Whole point of this blog series in to make public aware of this and encourage them to use this.

Why it’s good?

1. This allows organizations to use existing Azure security features to protect the on-premises workloads similar to azure SaaS workloads. 

2. All the components are hosted in cloud so less maintenance. 

3. Simple to setup and no need additional skills to setup different server roles or applications. 

4. If users already familiar with Azure or other Microsoft hosted solutions, the access experience will be similar. Users will not need to train to use different tools to access the hosted applications. (VPN, Remote Desktop etc.)

5. No requirement for public IP address or public DNS entries. It will use public url which is generated during the configuration process and its from Azure. 

However, not every application supported for this method. According to Microsoft it only supports,

Any web application which uses windows authentication or form-based authentication. 

Applications hosted behind RDG (Remote Desktop Gateway)

Web APIs

How it works?

Let’s see how it’s really works in real world.

post-ad app proxy

1. User accessing the published Url for the application from the internet. This URL is similar to application url which is hosted in Azure. This is the azure generate public URL for on premises app. 

2. Then its redirected to log in page and will be authenticate using Azure AD.

3. After successful authentication, it generates a token and send it to user. 

4. Then request is forwarded to Azure AD application proxy. Then it extracts User principle name (UPN) and security principal name (SPN) from the token.

5. Then the request is forwarded to application proxy connector which is hosted in on-premises. This is act as a broker service between application proxy module and web application. 

6. In next step, application proxy connector requests Kerberos ticket which can use to authenticate web application. This request is made on behalf of the user. 

7. On-premise AD issue Kerberos ticket.

8. Kerberos ticket used to authenticate in to web app. 

9. After successful authentication web app send response to application proxy connector. 

10. Application proxy connector send response to the user and he/she can view the web application content. 

Prerequisites

To implement this we need the followings,

Azure AD Basic or Premium Subscription 

Healthy Directory Sync with on-premises AD

Server to install Azure Application Proxy Connector (this can be same server which host web application) 

Supported web application (earlier I mentioned what type of applications are supported)

In next part of this blog series will look in to configuration of Azure AD application proxy. Hope this was helpful and if you have any questions feel free to contact me on rebeladm@live.com   

MANAGE AZURE ACTIVE DIRECTORY WITH POWERSHELL – PART 02

In previous part of this blog serious, I have explained how we can install Azure AD PowerShell module and how it can use it to manage Azure Active Directory directly using PowerShell Commands. If you not read it yet you can find it using http://www.rebeladmin.com/2017/02/manage-azure-active-directory-powershell-part-01/

In this post, I am going to explain about another set of cmdlets and the ways to use.

Some of the commands which we use for on-premises Active Directory Management works for Azure Active Directory too. only difference is the cmdlet itself. As an example, in on-premises AD, we use New-ADUser to add user, in Azure AD it becomes New-​Msol​User. If you like to know further about command and its use, easiest way to start is using following commands.

More information about a command can view using,

Get-Help New-​Msol​User -Detailed

Technical Information about thecommand can view using,

Get-Help New-​Msol​User -Full

Online information about the command can view using,

Get-Help New-Msol​User -Online

We also can view some example for the command using,

Get-Help New-Msol​User -Example

power1

We can simply create new user using,

New-MsolUser -UserPrincipalName "jeffm@therebeladmin.com" -DisplayName "Jeff Mak" -FirstName "Jeff" -LastName "Mak" -PasswordNeverExpires $true

power2

In order to create a user, you need to connect to Azure AD with a user who has “Global Admin” role.

In above command UserPrincipalName specify the UPN and user password s set not to expire.

It is obvious sometime we need to change password of an existing account.

Set-MsolUserPassword -UserPrincipalName "jeffm@therebeladmin.com" -NewPassword "pa$$word"

The above command will reset the password for the jeffm@therebeladmin.com in to new password.

Instead of specifying password, following command will generate random password and force user to reset it on next login.

Set-MsolUserPassword -UserPrincipalName "jeffm@therebeladmin.com" -ForceChangePassword $true

power3

Azure Active Directory does have predefined administrative roles with different capabilities. This allows administrators to assign permissions to users to do only certain tasks.

More details about these administrative roles and their capabilities can found on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles

We can list down these administrative roles using

Get-MsolRole

power4

According to requirements, we can add users to these administrative roles.

Add-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"

Above command will add user with object id e74c79ec-250f-4a47-80dd-78022455e383 to the role.

In order to view existing members of different administrator roles, we can use command similar to below.

$RoleMembers = Get-MsolRole -RoleName "User Account Administrator"

Get-MsolRoleMember -RoleObjectId $RoleMembers.ObjectId

This will list down the users with User Account Administrator role assigned.

power5

Apart from the roles, AD also have security groups.

New-MsolGroup -DisplayName "HelpDesk" -Description "Help Desk Users"

Above command creates a group called HelpDesk

power6

power7

A group contains members. We can add members to group using commands similar to below.

Add-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupMemberObjectId e74c79ec-250f-4a47-80dd-78022455e383

This will add user with object id e74c79ec-250f-4a47-80dd-78022455e383 to group with object id a53cc08c-6ffa-4bd6-8b03-807740e100f1.

We can list down the users of the group using

Get-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1

power8

We can view all the groups and their group ids using

Get-MsolGroup

power9

In order to remove member from the security group we can use Remove-MsoLGroupMember cmdlet.

Remove-MsoLGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupmemberObjectId e74c79ec-250f-4a47-80dd-78022455e383

In order to remove a user from administrator role we can use Remove-MsolRoleMember cmdlet.

Remove-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberType User -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"

Above command will remove user with object id e74c79ec-250f-4a47-80dd-78022455e383 from the group User Account Administrator

This is the end of the part 2 of this series. In next part, we will look further in to Azure AD management with PowerShell.

If you have any questions feel free to contact me on rebeladm@live.com

Manage Azure Active Directory with PowerShell – Part 01

In this series of articles, it which will explain how to use PowerShell to manage your Azure Active Directory instance. In Part 01, I am going to show how to connect with Azure AD using PowerShell and show actions of some day to day operation related commands.

In order to use PowerShell with Azure AD, first we need to install Azure Active Directory Module in local computer. there is two version of Azure active directory PowerShell module. One was made for the Public Preview and the latest one released after announces Azure AD GA. You can download module from http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

If you had the previous version installed, highly recommended to replace it with the new version.

Once installed let’s check its status.

Get-Module MSOnline

mson1

In order to list down all the commands associate cmdlets with the module we can use

Get-Command -Module MSOnline

mson2

Next step is to connect to Azure AD Instance. In order to do that we can use,

Connect-MsolService

It will prompt for the login details. Please use your Azure DC Admin account details. Please note login via Microsoft account not supported.

First, we can list down all the domain under the given subscription. To do that we can use,

Get-MsolDomain

mson3

As next steps I like to list down all the users in Azure AD Setup.

Get-MsolUser

mson4

It will list down all the Users in the Azure AD.

I also can search for a specific user based on text patterns. In below example I am searching users with Name which match text “Dishan”

Get-MsolUser -SearchString "Dishan"

Idea of my search is to find some object values for this user. I can combine above command to return all the object value.

Get-MsolUser -SearchString "Dishan" | Select-Object *

mson5

Now we know what are the objects been use and I can make more unique search.

Get-MsolUser | Select-Object DisplayName,whenCreated,LastPasswordChangeTimestamp

Above command will list me all the users with Display Name, Date and Time It was created, and Date and Time of Last Password Change Action.

mson6

Get-MsolUserRole another handy cmdlet. It can use to check the role of a user account.

Get-MsolUserRole -UserPrincipalName "dcadmin@REBELADMIN.onmicrosoft.com" | fl

The above command will find the role for the given user account.

mson7

Get-MsolGroup cmdlet can use to list, filter Groups in the Azure AD.

mson8

Using searchstring can search for the groups based on text patterns.

Get-MsolGroup -SearchString "AAD"

mson9

Get-MsolGroupMember can use to list down the members in the group.

Get-MsolGroupMember -GroupObjectId "77a76005-02df-48d5-af63-91a19ed55a82"

mson10

Remove-MsolUser cmdlet can use to remove the user object from the Azure AD. This can combine with searchstring to search for user and then remove the object same time.

Get-MsolUser -SearchString "user2" | Remove-MsolUser

Above command will search for the user object which have display name similar to user2 and then delete it.

mson11

In next post let’s dig further in to cmdlets which can use to manage Azure AD.

If there is any question, please feel free to contact me on rebeladm@live.com

Step-by-Step guide to configure site-to-site VPN Gateway connection between Azure and on-premises network

When you are in hybrid cloud setup with azure, using site-to-site VPN gateway you can have better continuity for your workloads. in this post, I am going to demonstrate how to set up site-to-site VPN Gateway.

Requirements 

Before start make sure you have following in place. 

1) VPN device – you need to have VPN device in on-premises to create the VPN connection with azure. the supported list of devices can found on here. Also, you need to have the relevant knowledge to configure it on your device. I am not going to cover it in details here as settings are different based on the vendor. 

2) Static Public IP address – your VPN device should have external public IP address and it shouldn’t be NAT. 

3) Valid Azure Subscription – Of because you need active Azure subscription. It can be paid or free trial. 

Create Virtual Network 
 
If you already have virtual network setup in your azure subscription, you will not need to do this step but make sure the settings are correct. 
 
1) Log in to the azure portal.
2) Go to New > Networking > Virtual Network 
vpn1
 
3) Then click on create 
vpn2
 
4) In next page, it will open up the wizard with the VNet information. In their fill the information to match with your configuration.
vpn3
 
Name – Name for the VNet
Address Space – IP range for the VNet. If you have multiple Address ranges, it can add later. 
Subnet name – Name for the subnet you like to add 
Subnet Address range – Subnet IP range (it must be within the Address Space listed before)
Resource Group – Can create new group or select existing group
Location – location of the VNet
 
After that click on create continue.
5) Once VNet created, can modify the address ranges and subnets.
vpn4
 
Create Gateway Subnet 
 
Next step is to create gateway subnet for the VNet. It is recommended to use /28 or /27 for gateway subnet. This need to be done before connecting VNet to the gateway. 
 
1) Log in to the Azure Portal
2) Then go to More Services > Virtual Networks 
vpn5
 
3) Then click on the VNet, created on previous step and click on subnets. Then click on gateway subnet 
vpn6
 
4) In the next window define the subnet for the gateway and click OK
vpn7
vpn8
Create Virtual Network Gateway
 
Next step is to create virtual network gateway. 
 
1) Log in to azure portal 
2) Go to New > Networking > Virtual Network Gateway 
vpn9
 
3) In next window fill the relevant information and click on Create
vpn10
 
Name – Name for the virtual network gateway
Gateway Type – For our VPN it will be VPN 
VPN Type – Type of the VPN and regular VPN will be route-based
SKU – SKU for the VPN type
Virtual Network – in here select the VNet you have created following previous step
Public IP Address – VPN need to have public IP address. Select public IP from here or if you don’t have, once you click on the option it will allow you to add new one. 
Location – make sure you select the correct region to match with VNet region. 
 
4) It can take up to 45 minutes to complete the task. Once it’s done can see the public IP address details. You need this to configure the VPN device in yours on premises device. 
vpn11
 
Create Local Network Gateway
 
The next step is to create local gateway which represent your local network. To create it,
 
1) Log in to azure portal
2) Go to New > Networking > Local network gateway
vpn12
 
3) Then it will open new wizard and fill the relevant information. After that click on create to proceed
vpn13

Name – Name for the local gateway 
IP Address – Public IP address to represent your VPN device. It should not behind NAT. 
Address Space – This is yours on premises address ranges. You can add multiple ranges.
Resource Group – you can create new resource group or use the same one you were using. 
vpn14
 
Create Site-to-Site VPN
 
Then next step is to create Site-to-Site VPN connection between your VPN device and the virtual network gateway. To create it,
 
1) Log in to azure portal
2) Go to More Services > Virtual network gateways 
vpn15
 
3) Then click on the virtual network gateway you created and, under the settings tab, click on connection
vpn16
 
4) Then click on add
vpn17
 
5) In the wizard fill the relevant information and click ok
vpn18

Name – Name of the connection 
Connection Type – Type of the VPN. Most of the time its site-to-site
Virtual Network Gateway – you need to select the relevant virtual network gateway
Local Network Gateway – in here need to select the relevant local network gateway for your connection
Shared Key – This is the pre-shared key you going to use for the VPN configuration
 
6) Once its created it’s all about configuring the VPN in your VPN device. 
7) Once connected you can see the status in same page by clicking on connection
vpn19

 
 
Hope this was helpful and if you have any questions feel free to contact me on rebeladm@live.com

Which azure active directory edition I should buy?

4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da

Azure active directory is responsible for providing identity service for Microsoft online service’s needs. When I talk to people about azure AD one of most common problem they ask is what version I should buy? my existing subscription will work for the features I looking for? The myth is, lot of people still thinks azure subscriptions and prices are complicated, but if you understand what each subscription can do it’s not that hard. I have seen people paying for Azure AD premium version when azure AD free version can give the features they needed for their environment and some people struggling to implement features only available for premium version using their free azure AD instance. In this blog post I am going to list down the features for each azure AD version and hope it will help you to decide the version you need for your setup.

There are 4 Azure AD editions,

1) Free

2) Basic

3) Premium P1

4) Premium P2

Free – if you subscribed to any Microsoft online service such as azure or office 365 you will get the free azure AD version. You do not need to pay for this. But it got limited features which I will explain later in this post.

Basic – Designed for task workers with cloud-first needs, this edition provides cloud centric application access and self-service identity management solutions. With the Basic edition of Azure Active Directory, you get productivity enhancing and cost reducing features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.
 
Premium P1 – Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), identity protection and security in the cloud. It supports advanced administration and delegation resources like dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-service password reset for your on-premises users.
 
Premium P2 – Designed with advanced protection for all your users and administrators, this new offering includes all the capabilities in Azure AD Premium P1 as well as our new Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages billions of signals to provide risk-based conditional access to your applications and critical company data. We also help you manage and protect privileged accounts with Azure Active Directory Privileged Identity Management so you can discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.
 
azure ad version 1
azure ad version 2
azure ad version 3
 
You can find more info about the subscriptions from 
 
if you got any question feel free to contact me on rebeladm@live.com

 
Note : Image Source https://f.ch9.ms/thumbnail/4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da.png

Getting Started with Azure AD B2B collaboration

What is Azure AD B2B ?

By now I assume you have idea what is Azure AD and how it works. If you are new to my blog, please search for Azure AD on my blog and you will be able to find articles explaining about it and its capabilities. Azure AD manage identities for the company and it will allow to control access to resources such as applications. Sometime based on business requirements companies have to share their resources with partners, other companies in group etc. in such scenario Azure AD B2B collaboration supports to share resources with another party using their own identities.

Using Azure AD B2B partners can use Azure AD account they create using the invitation process. Then azure admins can control the access to the applications. Once the tasks are completed those accounts easily can remove from the azure AD and all the permissions to the resources will be revoked. The partner company do not need to have any azure subscription and it allow to provide quick access to the resource with minimum changes.  

How it works?

1) Administrator invites the partner users by uploading the user details using CSV file. This file need to create with specific fields and values and more details can find on https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2b-references-csv-file-format/

2) Azure portal sends invite emails to the users which is imported using CSV file

3) Users click on email link and sign in using their work credentials (if they have azure AD account) or sign up as an Azure AD B2B collaboration user

4) User log in and access the shared resources

Let’s see it in action 

To enable azure AD B2B collaboration for an Azure AD instance you need to have global administrator privileges. So before you start make sure you got the relevant permissions. 

As I said previously the user accounts details need to be uploaded via a CSV file. In here I have created a simple CSV file with test account.

b2b1

After that log in to azure portal and load the Azure AD instance you already have.

b2b2

Then go to users and click on Add

b2b3

From the wizard select the “Users in Partner Companies” as the type of the user

b2b4

then brows for the CSV file and import

b2b5

after few minutes the user got email with link

b2b6

once click on the link it will load up a page and click next to continue

b2b7

in next page provide a password and click next

b2b8

it will send code to verify email address and once you put it there click on finish

b2b9

once process finish, we can see the new user under the azure AD users

b2b10

now I have application under my directory and when I go to users I can see the new user we setup. I have assign the permission for the new user for the app.

b2b11

So when login to the azure portal as the new partner user now can see the applications which is assigned for the user.

b2b12

Hope this was helpful and if you have questions feel free to contact me on rebeladm@live.com 

Step-by-Step Guide to assign Reserved IP address to Azure VM

In azure all the IP address assignments are dynamic by default. Which means IP addresses can change in restart. There are 2 methods you can use to assign IP address to a VM in azure. its dynamic and static

Why we need static IP addresses ?

1) Application requirements – sometime applications need to connect with fixed IP address. For example, if it’s a database VM it’s important to have static IP address so application settings always can refer to that. 

2) Security – when VM uses static IP addresses we can create firewall rules easily. So there is more control over traffic flow as well. 

In azure, static IP address (public) is count as a service so there will be addition charge for it. 

In azure there is 2 methods to deploy and manage a VM. 

1) By Using Classic Mode

2) By Using Resources Manager 

Assigning a static IP address (public) is different for these 2 methods. In this blog post I am going to demonstrate how to do it using both modes. 

Assign Static IP Address in classic deployment model

Before we start need to make sure following prerequisites are in place. 

Global Administrator account for the Azure Subscription

Azure PowerShell Module installed in local computer – you can download it from http://aka.ms/webpi-azps

In my demo I got a classic virtual machine running and it’s got dynamic public IP address assigned. In demo I am going to show how we can make it as reserved IP address. 

1) Log in to PC where Azure PowerShell Module installed and open the powershell as administrator

2) Then type Add-AzureAccount and press enter

3) Then it will prompt for the azure credential and login as global administrator

rip2

4) Then type New-AzureReservedIP –ReservedIPName DCM01ReservedIP –Location "East US" -ServiceName DCM01  – in the command DCM01ReservedIP is the name for the reserved IP address and Location define the location of the IP address ( can be US, Europe etc.). 

rip3

5) Now it’s done and when I go to DCM01 VM now its shows the IP address as reserved. 

rip4

6) Also in power shell type Get-AzureReservedIP and it will show the reserved IP details 

rip5
 

Using Resource Manager deployment mode

In the resource manager I have a VM running and the public address by default. I need to change it to static. 

rip6

1) To change click on the VM from the virtual machine container 

2) Then click on the public IP address and DNS name

rip7

3) Then it will load the configuration and to change click on the configuration option

rip8

4) It will then list down the public IP configuration, as can see by default its dynamic to set it to static need to click on static option and click on save. This will make the IP address static.

rip9

rip10

Hope this post was helpful and if you have any question feel free to contact me on rebeladm@live.com 

Step-by-Step Guide to Azure AD Privileged Identity Management – Part 1

Privileged Identity Management is boarder topic to discuss with. First thing first do not think it as another feature or product from Microsoft. The way I see it as a lot of methodologies, technologies came together and making a new process. I am saying it because with this concept we need to rethink about how current identities been managed in infrastructure. Administrators, users need to change the way they think about the permissions. 

In any infrastructure we have different type of administrators. It can be domain administrators, local administrators, service administrators. If its hybrid setup it may have cloud administrators too. The question is do you have fully control over these accounts and its permissions? do you aware of their activities using these permissions? how do you know it’s not been compromised already? If I say solution is to revoke these administrator privileges yes it will work but problem is how much additional work to restore this permission when needed? and also how practical it is? it’s also have a social impact too, if you walk down to your users and say that I’m going to revoke your admin privileges what will be their response? 

Privileged access management is not a new topic it’s been in industry for long but problem is still not lot considering about it. Microsoft step up and introduce new products, concepts to bring it forward again as this is definitely needed in current infrastructures to address modern threats towards identities. The good thing about this new tools and technologies, its more automated and the user accounts will have the required permissions whenever they needed. In your infrastructure this can achieve using Microsoft identity manager 2016 but need lot more work with new concepts which I will explain in future posts. Microsoft introduce same concept to the azure cloud as well. In this post we going to look in to this new feature. 

Using azure privileged identity management, we can manage, control and monitor the permissions to the azure resources such as azure AD, office 365, intune and SaaS applications. Identity management will help to do following,

Identify the current azure AD administrators your azure subscriptions have

Just-in-Time administration – This is something I really like. Now you can assign administration permissions on demand for period of time. For example, user A can be office 365 administrator for 11am to 12pm. Once the time limit reach system will revoke the administrator privileges automatically

Reports to view the privileged accounts access history and changes in administrator assignments

Alerts when access to privileged role

Azure AD privileged identity management can manage following organizational roles,

Global Administrator – Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

Billing Administrator – Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Service Administrator – Manages service requests and monitors service health.

User Administrator – Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

Password Administrator – Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.

Let’s see how to enable azure AD privileged identity management,
Before start make sure you got global administrator privileges to the azure AD directory that you going to enable this feature.
 
1) Log in to the azure portal as global administrator
2) Go to New > Security + Identity > Azure AD privileged identity management 
 
aim1
 
3) Then click on create to start the process
 
aim2
 
4) In first step it will identify the privileged roles exist in current directory. In my demo I have 3 roles. In same page you can view what are these accounts by clicking on each role. After review click on next
 
aim3
 
5) In next window its list which accounts eligible for activate the roles. Select the account you want and click on next
 
aim4
 
6) In next window can review the changes. As per my selection only one account will remain as permanent admin. To complete click on OK
 
aim5
 
7) Once it’s done, you can load the console from the dashboard. 
 
aim6
 
In part 2 of the post I will explain what we can do with it in details. 
If you got any questions feel free to contact me on rebeladm@live.com
 
Reference :  https://azure.microsoft.com/en-us/documentation/articles/active-directory-privileged-identity-management-configure/

Get Started with Azure Security Center

Whenever we talk about cloud, one of the main questions still comes from customers is “what about security?“. Azure cloud built by using SDL (Security Development Lifecycle) from initial planning to product launch. It’s continues uses different measurements, safeguards to protect the infrastructures and customer data. You can find details about azure security on https://www.microsoft.com/en-us/TrustCenter/Security/AzureSecurity

Microsoft releases Azure Security Center to allow you to prevent, detect and respond to the threats against you azure resources with more visibility. Based on your requirements, can use different policies with resources groups.

Azure security center capabilities focused on 3 areas (https://azure.microsoft.com/en-us/documentation/articles/security-center-intro/),

Capabilities

Details

Prevent

·         Monitors the security state of your Azure resources

·         Defines policies for your Azure subscriptions and resource groups based on your company’s security requirements, the types of applications that you use, and the sensitivity of your data

·         Uses policy-driven security recommendations to guide service owners through the process of implementing needed controls

·         Rapidly deploys security services and appliances from Microsoft and partners

 

Detect

·         Automatically collects and analyzes security data from your Azure resources, the network, and partner solutions like antimalware programs and firewalls

·         Leverages global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds

·         Applies advanced analytics, including machine learning and behavioral analysis

 

Respond

·         Provides prioritized security incidents/alerts

·         Offers insights into the source of the attack and impacted resources

·         Suggests ways to stop the current attack and help prevent future attacks

Azure Security Center currently in Preview but it’s still worth to try and see its capabilities.
Let’s see how we can enable and start using it.

1)    You need to have valid azure subscription and you need to log in as global administrator.
2)    Then go to browse and type security. There you can see security center. Click on there to start.

sec1

3)    Then we can see the main window.

sec2

4)    If it’s red something not right :) to start with lets click on virtual machines.

sec3

5)    As we can see the data collection off. We need data collect from VM to detect the problems. Let’s go ahead and enable data collection.
6)    Click on Policy tile, and then it will load up the policy page. As can see data collection is off.  Click on the policy.

sec4

sec5

7)    Click on “On” and then click on Save

sec6

sec7

8)    After that we can see the recommendations based on collected data and security policy.  We can follow each recommendation and fix the security threats.

sec8

sec15


How to apply custom policy for the different resources?

1)    By default the default prevention policy will be inherited to all the resources. But we can apply custom policy based on the requirement. To start with click on policy tile again, and click on the arrow next to policy to list the resources. As we can see security policy inherited.

sec9

2)    To change, click on the resource to select, and in next tile, for the inherit policy click “unique” and click on “Save

sec10

3)    After save, click on prevention policy

sec11

4)    There you can change the policy settings and click ok to apply the policy settings.

sec12

5)    This new settings are unique for the resource now.

sec13

Enable Email Notifications

You can enable notifications in azure security center so if any issues detected you will get notifications. It’s currently runs with limited features.
Currently it can only enable on default prevention policy.

sec14

Hope this article helps and if you got any question feel free to contact me on rebeladm@live.com