Category Archives: Azure

Step-by-Step guide to create Azure file share and Map it in Windows 10

Azure Files is a managed, cloud-based file share that can be accessed via the SMB protocol. Once you create an Azure file share it can be accessed from anywhere using Windows, Linux or macOS. It can also be mapped as a shared drive on the system.

Azure Files has the following benefits:

Simple – Easy to set up and easy to manage. It can also be used with Azure Backup and Azure File Sync. It has everything needed to act as a replacement for an on-premises file server.

Future Proof – When people move on-premises workloads to Azure, applications sometimes need access to file shares. Azure Files allows you to meet that requirement easily. Also, if you maintain on-premises file servers, you need to upgrade them as Windows versions change. Azure Files is a fully managed service, which means there is no need to worry about versions.

Reliable – High availability of an on-premises file share depends on many things such as power, file sync between servers, bandwidth and so on. With Azure Files you do not need to worry about that, as it was already designed and operated as a highly available service. You do not need to worry about keeping sync servers in different geographical locations either.

Integration – Azure Files uses the industry-standard SMB protocol. It can be managed using Azure CLI, PowerShell, file system I/O APIs, the Azure Storage client libraries and the Azure Storage REST API. That allows developers to integrate it with existing or new systems easily.

Let’s see how we can create an Azure file share and map it on a Windows 10 PC.

In my demo I am going to use PowerShell for the setup. The same setup is fully supported via the Azure Portal.

Setup Storage Account

1) Log in to the Azure Portal using a Global Admin account

2) Click on Cloud Shell in the top right-hand corner


3) Make sure the PowerShell console has loaded. The same thing can be done by connecting to Azure directly using the Azure PowerShell module.


4) Before creating the storage account I need to find info about the resource group I am going to use. To do that run Get-AzureRmResourceGroup; it lists the group details along with the location.


5) Once we have that info, we can create a new storage account using:

New-AzureRmStorageAccount -ResourceGroupName therebeladmin `
  -Name rebelsa1 `
  -Location northcentralus `
  -SkuName Standard_LRS

In the above, -ResourceGroupName specifies the resource group the storage account will belong to. -Name defines the name of the storage account. -Location defines the location of the storage account. -SkuName defines the storage type:

Standard_LRS – Locally-redundant storage.

Standard_ZRS – Zone-redundant storage.

Standard_GRS – Geo-redundant storage.

Standard_RAGRS – Read access geo-redundant storage.

Premium_LRS – Premium locally-redundant storage.


Setup Azure File Share

1) Now that we have a storage account, before we create the share we need to find out the storage access key for the account. To do that we can use

Get-AzureRmStorageAccountKey -ResourceGroupName "therebeladmin" -AccountName "rebelsa1"


2) Now we can create a file share called "rebelshare" using

$SAContext = New-AzureStorageContext -StorageAccountName "rebelsa1" -StorageAccountKey "<storage key>"

New-AzureStorageShare -Name rebelshare -Context $SAContext

In the above, rebelsa1 is the storage account name and <storage key> needs to be replaced with the storage account key found in the previous step.


Here the default quota, 5 TB, is used.

Map it to Windows 10 

To map the share to the Windows PC, we can use the following command,

net use R: \\\rebelshare <storage key> /user:Azure\rebelsa1

In the above, it maps the Azure file share we created as the R: drive. <storage key> needs to be replaced with the Azure storage key.


In the above I successfully mapped the share and copied a file from my local C: drive.

Note – In order to map this share you need SMB connectivity to Azure (TCP port 445). If your firewall blocks it, you will not be able to map the drive. This is a bit of an issue if you use the mapped drive on most public Wi-Fi networks. However, you can still access the share using the portal.
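As an added example (not from the original post), the following PowerShell does the same mapping but first checks that TCP 445 is reachable, as the note above requires, and prompts for the storage key instead of placing it on the command line. It assumes the standard Azure Files endpoint name <account>.file.core.windows.net, which the post does not spell out.

```powershell
# Added example, not from the original post. Uses the post's account "rebelsa1" and
# share "rebelshare"; the endpoint host <account>.file.core.windows.net is the
# standard Azure Files SMB endpoint and is assumed here.
$AccountName = "rebelsa1"
$ShareName   = "rebelshare"
$Endpoint    = "$AccountName.file.core.windows.net"
$DriveLetter = "R"

# Azure Files is reached over SMB on TCP 445. If that port is blocked (public Wi-Fi,
# ISP filtering), the map fails, so probe it first and stop with a clear message.
$probe = Test-NetConnection -ComputerName $Endpoint -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $Endpoint is not reachable; the share cannot be mapped from this network."
}

# Read the storage account key as a SecureString so it does not end up in the
# command line or in PowerShell history. The user name is Azure\<account>, as in the post.
$Key  = Read-Host -Prompt "Storage account key for $AccountName" -AsSecureString
$Cred = New-Object System.Management.Automation.PSCredential ("Azure\$AccountName", $Key)

# -Persist makes this a real mapped drive (visible in Explorer and after the session
# ends) rather than a PowerShell-session-only drive.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem `
    -Root "\\$Endpoint\$ShareName" -Credential $Cred -Persist -Scope Global

# Show the mapping and the quota usage reported by the share.
Get-PSDrive -Name $DriveLetter | Select-Object Name, Root, Used, Free
```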

This marks the end of this blog post. If you have any questions feel free to contact me on and also follow me on Twitter @rebeladm to get updates about new blog posts.

How to re-enable Network Interface in Azure VM?

In a Hyper-V or VMware virtualization environment, enabling or disabling a NIC in a VM is not a big deal. Even if you do not have a NIC or a valid IP configured, administrators can still connect to the VM as it has "console" access. A few weeks ago, I received an email from one of my regular blog readers. He had accidentally disabled the NIC in an Azure VM and lost RDP access to it. Since there is no console access like in other on-premises virtualization solutions, of course he was panicking. In this blog post I am going to share what you can do to re-enable your Azure VM NIC in such a scenario.

In my demo setup, I have an active Azure VM running with a private IP address.


I logged in to the VM as administrator and disabled the NIC.

Now I need to regain RDP access to the server. To do that, log in to the Azure Portal as Global Administrator and click on the Cloud Shell button in the top right-hand corner.


When the window loads, make sure you are using the PowerShell option.


Now we need to find out the NIC details of the VM we are having issues with. We can do this using,

Get-AzureRmNetworkInterface -ResourceGroupName "REBELADMIN-DEMO" 

In this command, -ResourceGroupName is the resource group the VM belongs to. In my demo setup I only have one VM under that resource group, but if you have more VMs it can be hard to find the relevant info. In that case I recommend using the portal itself to view it.

Here, note down the network interface name, the IP address and the allocation method you are using.


Now we need to assign a new IP address to the same NIC from the same subnet. It can be done using,

$Nic = Get-AzureRmNetworkInterface -ResourceGroupName "REBELADMIN-DEMO" -Name "rebeladmin-vm1123"

$Nic.IpConfigurations[0].PrivateIpAddress = ""

$Nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"

$Nic.Tag = @{Name = "Name"; Value = "Value"}

Set-AzureRmNetworkInterface -NetworkInterface $Nic

In the above commands, rebeladmin-vm1123 is the network interface name and is the new IP address for the network interface. PrivateIpAllocationMethod defines the IP allocation method. The Set-AzureRmNetworkInterface cmdlet applies the network interface configuration.


Great!! Now I have my RDP access back with the new IP address.


But it is not the original IP it had; now we can change it back with,

$Nic2 = Get-AzureRmNetworkInterface -ResourceGroupName "REBELADMIN-DEMO" -Name "rebeladmin-vm1123"

$Nic2.IpConfigurations[0].PrivateIpAddress = ""

$Nic2.IpConfigurations[0].PrivateIpAllocationMethod = "Static"

$Nic2.Tag = @{Name = "Name"; Value = "Value"}

Set-AzureRmNetworkInterface -NetworkInterface $Nic2


Once it is applied, I can access the server via RDP and it now has the same private IP address it had before.


If you are using the dynamic IP allocation method, you need to make it static first, then change the IP, and then go back to dynamic mode.
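As an added example (not from the original post), the procedure above wrapped into one function using the same AzureRm cmdlets: it records the NIC's current address and allocation method, moves it to a temporary address, moves it back, and restores Dynamic allocation when that is what the NIC started with. The temporary address is a placeholder you must choose from the subnet.

```powershell
# Added example, not from the original post. Wraps the post's AzureRm steps into one
# function that moves the NIC to a temporary address and back, restoring the original
# allocation method (Dynamic or Static). IP values are placeholders.
function Reset-AzureNicPrivateIp {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $NicName,
        [Parameter(Mandatory)] [string] $TemporaryIp   # a free address in the same subnet
    )

    $nic   = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName
    $ipCfg = $nic.IpConfigurations[0]

    # Record what we started with so it can be put back exactly.
    $originalIp     = $ipCfg.PrivateIpAddress
    $originalMethod = $ipCfg.PrivateIpAllocationMethod
    Write-Host "Current: $originalIp ($originalMethod)"

    # Step 1: static assignment of the temporary address. This reconfigures the guest
    # NIC from the platform side and is what brings RDP back.
    $ipCfg.PrivateIpAllocationMethod = "Static"
    $ipCfg.PrivateIpAddress          = $TemporaryIp
    $nic = Set-AzureRmNetworkInterface -NetworkInterface $nic
    Write-Host "Moved to temporary address $TemporaryIp"

    # Step 2: move back to the original address, still static.
    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName
    $nic.IpConfigurations[0].PrivateIpAddress          = $originalIp
    $nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
    $nic = Set-AzureRmNetworkInterface -NetworkInterface $nic

    # Step 3: if the NIC was Dynamic to begin with, switch the method back. The address
    # it currently holds is normally kept, so the VM ends up where it started.
    if ($originalMethod -eq "Dynamic") {
        $nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName
        $nic.IpConfigurations[0].PrivateIpAllocationMethod = "Dynamic"
        $nic = Set-AzureRmNetworkInterface -NetworkInterface $nic
    }

    # Return the final state for verification.
    (Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName).IpConfigurations[0] |
        Select-Object PrivateIpAddress, PrivateIpAllocationMethod
}

# Usage (names from the post; the temporary address is a placeholder):
Reset-AzureNicPrivateIp -ResourceGroupName "REBELADMIN-DEMO" -NicName "rebeladmin-vm1123" -TemporaryIp "10.0.0.99"
```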

This marks the end of this blog post. If you have any questions feel free to contact me on and also follow me on Twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to setup Just-in-Time VM Access in Azure

In the most common scenarios attackers target open ports on servers to gain access: web server ports, RDP ports, SQL ports and so on. If genuine users also use the same ports to access the system, it is hard to keep those ports closed. There are other methods such as firewalls that we can use to secure access, but the ports still stay open. Public clouds increase the public-facing part of your infrastructure; clients and administrators mostly access services over the internet. That gives attackers more time and room to target open ports.

Azure Just-in-Time VM Access is a great option to control this. As an example, when engineers need to work on their VMs they mostly RDP in to the system. Let’s assume they work 1 hour per day on the servers. Keeping the port open for 24 hours then gives no benefit, only risk. Using Just-in-Time VM Access we can limit the time the RDP port stays open.

When Just-in-Time VM Access is enabled, we define which VMs and which ports are controlled. In most scenarios you do not need to control access to the ports used by your applications or services; it is more about the ports used for management tasks. All of this is done using Azure network security group (NSG) rules. You can find more about NSGs using

When this feature is used with a VM, an access request to a protected port is first checked against Azure role-based access control (RBAC) to see whether the user has permission. If that is all good, the NSG is automatically configured to allow access for the time you specified. Once the allowed time limit is reached, the NSG automatically reverts to its original configuration.

This feature is still in preview, but it is not too early to check its capabilities. Also, it can only be used with VMs created using Azure Resource Manager (ARM).


1. Log in to the Azure Portal using a Global Administrator account.

2. Go to Security Center > Just-In-Time VM Access


3. It will load the default page.


4. Click on the Recommended tab. It lists the VMs you have.


5. To enable JIT access, tick the VM you want to protect and then click on the Enable JIT on button. If needed you can do this for multiple VMs at the same time.


6. It then lists the default ports protected by JIT access.


7. We can still adjust the settings for these services. As an example, I need to limit the Max request time for port 3389 (RDP) to 1 hour. By default it is 3 hours. To do that, click on the rule for 3389 and change the Max request time value to 1 hour. To apply the changes, click on OK at the end.


8. In the next window we can see the new value; click on Save to save the config.


9. If needed we can also add our own ports to the protection. Let’s assume we need to protect port 8080. To do that, click on the Add button in the access configuration page.


10. Then type the port details in the window. Under Protocol we can select TCP, UDP or Any, based on the requirement. Under Allowed source IPs, access can be controlled per request or limited to a specific IP range. The Max request time option limits the hours; the minimum we can select is 1 hour. Once the changes are done, click on OK to apply them.


11. Then click on Save to save the config.

12. After that, when we go to the feature home page we can see the protected VM under the Configured tab.


13. If you need to edit the current configuration, it can be done using the Edit option as below.


14. Now the configuration is done. Let’s test it. According to my configuration I have the RDP port protected. To request access, tick the VM and then click on the Request access option.


15. In the next window, I am only going to request access to the RDP port. To do that, select the correct rule and click on the On tab under Toggle. Then click on the Open Ports button.


16. Then on the feature home page we can see it has 1 approved request.


17. After the configuration, yes, I can access the server via RDP for 1 hour.


18. After one hour, I can’t initiate another new RDP connection. Using the Activity log we can view logs related to past activities.
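As an added example (not from the original post, which uses the portal), the same JIT policy and access request done with the Az.Security module cmdlets Set-AzJitNetworkAccessPolicy and Start-AzJitNetworkAccessPolicy. It assumes those cmdlets are available in the session; the subscription id, resource group, VM name, location and requester IP are placeholders to replace.

```powershell
# Added example, not from the original post. Configures JIT with the Az.Security module
# (assumed to be installed) instead of the portal. All ids and names below are placeholders.
$SubscriptionId    = "00000000-0000-0000-0000-000000000000"
$ResourceGroupName = "REBELADMIN-DEMO"
$VmName            = "rebeladmin-vm1"
$Location          = "northcentralus"
$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Compute/virtualMachines/$VmName"

# Policy: RDP (3389) limited to 1 hour as in step 7, plus the custom port 8080 from step 9.
# maxRequestAccessDuration is an ISO 8601 duration; PT1H is the minimum the feature allows.
$jitPolicy = @{
    id    = $VmId
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT1H" },
        @{ number = 8080; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroupName -VirtualMachine @($jitPolicy)

# Request access (steps 14-15): open only 3389, only from one source address, for one hour.
# Narrowing the source prefix here keeps the temporary NSG rule from being world-open.
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
$MyIp     = "203.0.113.10"   # placeholder (documentation address range)
$request  = @{
    id    = $VmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
            allowedSourceAddressPrefix = @($MyIp)
        }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($request)

# Review the policy, including the open request counted on the home page in step 16.
Get-AzJitNetworkAccessPolicy -ResourceId $PolicyId | Format-List
```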



This marks the end of this blog post. I hope you now have a better understanding of what JIT VM access is and how to use it. If you have any questions feel free to contact me on and also follow me on Twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to create VM with Azure Accelerated networking

In my previous post I explained what Azure Accelerated Networking is and how it works. If you didn’t read it yet, you can do so using . In this post I am going to show how we can create a VM with AN and verify that it is working.

There are a few limitations we need to be aware of before we use Azure Accelerated Networking.

1. Can’t be used with existing VMs – To use the AN feature, virtual machines must be created with Accelerated Networking enabled. It cannot be enabled on existing VMs.

2. A NIC with AN cannot be attached to an existing VM – A NIC with AN enabled can only be attached during the VM creation process. It is not possible to attach it to an existing VM.

3. Azure Resource Manager only – This feature can only be used with ARM. It can’t be used in the classic portal.

In my demo I am going to create a new VM in a new resource group with Azure Accelerated Networking enabled. Please note this feature can only be enabled using Azure CLI or Azure PowerShell.

Here I am going to use Azure CLI. More info about Azure CLI can be found in my blog post

1. As the first step I am going to create a new resource group called ANTest in the westus region.

az group create --name ANTest --location westus


2. Then we need to create a virtual network. In the demo I am creating a virtual network called ANTestVNet with address space

az network vnet create --name ANTestVNet --resource-group ANTest --location westus --address-prefix


3. The next step is to create a subnet under the selected address space. In my demo I am creating a subnet with the name ANTestsub1

az network vnet subnet create --address-prefix --name ANTestsub1 --resource-group ANTest --vnet-name ANTestVNet


4. I want to access this VM from the internet, so I need a public IP attached to it.

az network public-ip create --name ANTestpubip1 --resource-group ANTest --location westus --allocation-method dynamic

In the above I am using a dynamically assigned IP rather than a static public IP.


5. Now we have everything ready to create the NIC. This is the most important part of the job. The command I am using for it is,

az network nic create --resource-group ANTest --name ANTestNic1 --vnet-name ANTestVNet --subnet ANTestsub1 --accelerated-networking true --public-ip-address ANTestpubip1

In the above, ANTestNic1 is the NIC name and --accelerated-networking true is the switch that enables the AN feature.


6. The next step is to create the VM with this new NIC attached. Please note that only some OS images and VM sizes support the AN feature, so make sure you select a supported size. If you use an unsupported size, you can’t enable AN just by changing the size afterwards. In my demo I am creating a Windows Server 2016 server with the Standard_DS4_v2 VM size.

az vm create --resource-group ANTest --location westus --nics ANTestNic1 --name REBELVM101 --image win2016datacenter --size Standard_DS4_v2 --admin-username rebeladmin --admin-password L0nd0n3322$


Once it is completed we can log in to the VM and verify. With this feature enabled you will be able to see a Mellanox ConnectX-3 Virtual Function Ethernet Adapter in Device Manager.
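As an added example (not from the original post), a PowerShell check of the same thing from both sides: the Azure NIC resource created above (run in Cloud Shell with the AzureRm module, using the post's names) and the guest OS (run inside the VM), where the Mellanox virtual function adapter appears only when AN is active.

```powershell
# Added example, not from the original post. Verifies Accelerated Networking from both
# sides. The first part runs in Cloud Shell (AzureRm module, names from the post); the
# second part runs inside the Windows Server 2016 guest.

# --- Azure side: the NIC property set by "--accelerated-networking true" ---
$nic = Get-AzureRmNetworkInterface -ResourceGroupName "ANTest" -Name "ANTestNic1"
[pscustomobject]@{
    Nic                   = $nic.Name
    AcceleratedNetworking = $nic.EnableAcceleratedNetworking   # expected True
    AttachedVm            = $nic.VirtualMachine.Id
}

# --- Guest side: look for the SR-IOV virtual function adapter the post mentions ---
$vf = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like "*Mellanox*Virtual Function*" }
if ($vf) {
    Write-Host "VF adapter present: $($vf.InterfaceDescription) ($($vf.LinkSpeed))"
} else {
    Write-Warning "No Mellanox VF adapter found; AN is not active in this guest."
}
```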


Let’s see how it affects performance. I have 2 VMs created using the old method and I am transferring a folder with 10Gb of data between them. Let’s see what the performance looks like.



And when I transfer the same folder between 2 VMs with AN enabled I get the following performance.



It’s pretty amazing, huh?

This marks the end of this blog post. I hope this was useful. If you have any questions feel free to contact me on and also follow me on Twitter @rebeladm to get updates about new blog posts.

Azure Accelerated Networking

In early January Microsoft announced general availability of Azure Accelerated Networking (AN). It is now available in all regions. It improves VM network performance by offloading software-defined networking from the CPU to FPGA-based SmartNICs. To make it more interesting, it can provide up to 30Gbps of networking throughput without any additional charge.

How does it work?

If you have worked with Hyper-V clusters or System Center Virtual Machine Manager (SCVMM) you are probably aware of how virtual switches work. A virtual switch acts as a middle man between virtual machines and the physical network to provide greater control over "communication": it allows moving workloads between physical hosts, controlling traffic and isolation using policies, flexible hardware upgrades and so on. Azure also uses virtual switches similar to Hyper-V.

Image source: 
You also can read more about it using this link
As you can see in the above image, without Accelerated Networking traffic always needs to pass through the virtual switch and the physical host before it reaches the physical switch. With Accelerated Networking in place, network traffic is handled directly by the physical switch, bypassing the host and the virtual switch. All the policies you used with virtual switches can now be offloaded to hardware. As it removes the dependency on the host to process each packet, we see lower latency. Without AN, the virtual switch processes all the policies applied to network traffic; since it is software based, that work is done by the CPU, so its performance depends on CPU utilization and the number of policies. With AN, policy processing no longer relies on the CPU and is handled by dedicated hardware. This also reduces jitter.
There are a few limitations that apply to this feature.
1. Can’t be used with existing VMs – To use the AN feature, virtual machines must be created with Accelerated Networking enabled. It cannot be enabled on existing VMs.
2. A NIC with AN cannot be attached to an existing VM – A NIC with AN enabled can only be attached during the VM creation process. It is not possible to attach it to an existing VM.
3. Azure Resource Manager only – This feature can only be used with ARM. It can’t be used in the classic portal.
Supported VM Instances 
Azure Accelerated Networking is supported on the D/DSv2, D/DSv3, E/ESv3, F/Fs/Fsv2 and Ms/Mms Azure VM series.

Supported Operating Systems
Azure Accelerated Networking is supported on both Linux and Windows operating systems, such as:
Windows Server 2016
Windows Server 2012R2
Ubuntu 16.04
Red Hat Enterprise Linux 7.4
CentOS 7.4
SUSE Linux Enterprise Server 12 SP3
This marks the end of this blog post. I hope this was useful. In the next post I will demonstrate how to create a VM with the AN feature. If you have any questions feel free to contact me on and also follow me on Twitter @rebeladm to get updates about new blog posts.

Azure DDoS Protection Preview in Action

DDoS attacks are the most common method used by attackers against resources that can be accessed via the internet, whether a website or an application. A DDoS attack can crash or slow down a service or application by sending a large number of access requests in a short period of time. This applies to the public cloud as well. Therefore Microsoft recently released the Azure DDoS Protection service to protect workloads in Azure from DDoS attacks. It is currently in preview, but it is not too early to check its capabilities.

This feature comes in two versions,

Basic – This comes as part of the Azure subscription without any additional cost. It is the same level of real-time monitoring and mitigation that applies to Microsoft services. It applies to the Azure global network across all regions and covers Azure IPv4 and IPv6 public IP addresses.

Standard – This comes with additional traffic monitoring and machine learning algorithms tuned specifically to protect Azure virtual network resources such as Azure Application Gateway and Azure Load Balancer. Real-time monitoring data is available via Azure Monitor. Users can also enable alerting for events. Standard protection comes with an additional fee. It applies to Azure IPv4 public IP addresses.

According to Microsoft, under the Standard tier the following types of DDoS attacks are prevented.

Volumetric attacks: The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. It includes UDP floods, amplification floods, and other spoofed-packet floods. DDoS Protection Standard mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, leveraging Azure’s global network scale, automatically.

Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes, SYN flood attacks, reflection attacks, and other protocol attacks. DDoS Protection Standard mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client and blocking malicious traffic.

Application layer attacks: These attacks target web application packets to disrupt the transmission of data between hosts. It includes HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks. Use the Azure Application Gateway web application firewall, with DDoS Protection Standard, to provide defense against these attacks.

Also, Standard version features include,

Native platform integration: Natively integrated into Azure and includes configuration through the Azure portal and PowerShell. DDoS Protection Standard understands your resources and resource configuration.

Always-on traffic monitoring: Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.

Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.

Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.

Layer 3 to layer 7 protection: Provides full stack DDoS protection, when used with an application gateway.

Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.

Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.

Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Operations Management Suite, Splunk, Azure Storage, Email, and the Azure portal.

Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.

Let’s see how we can get this feature enabled and configured.

In order to enable the Azure DDoS Protection preview service, first you need to request it using . This feature is also only available in the East US, East US 2, West US, West Central US, North Europe, West Europe, Japan West, Japan East, East Asia and Southeast Asia regions.

Enable DDoS Protection Standard Preview in an Existing Virtual Network
1. Once you receive the confirmation email from the Azure team, log in to the Azure portal as global administrator.
2. Then go to Virtual Networks and click on the virtual network on which you want to enable DDoS protection.
3. Then in the properties window click on the DDoS protection option.
4. In the next window, click on Enabled and then click on Save to enable the feature.

Enable DDoS Protection Standard Preview in a New Virtual Network
1. Once you receive the confirmation email from the Azure team, log in to the Azure portal as global administrator.
2. Then go to Virtual Networks and click on Add
3. In the new page, provide the relevant info for the virtual network, select a region supported by the DDoS feature and then click on Enabled under DDoS protection.
4. At the end click on Create to complete the process.
DDoS Monitoring
Using monitoring metrics, we can review historical DDoS threat data for selected resources. We can also configure email alerts for events.
In order to do so,
1. Log in to the Azure portal as global administrator.
2. Then go to Metrics | Monitor
3. In the page select the relevant subscription, resource group, resource type and resource to view the relevant data.
4. Then under the available metrics you can select the metrics you want to review. In my demo I am going to use the Under DDoS attack or not metric, which shows all the data.
5. Then it shows the relevant metrics. Using the Time Range window, we can change the time and review specific data sets.
6. Using the Chart Type option we can change the view of the chart.
7. In order to configure alerts, click on the "No alerts configured for this resource. Click to add an alert" option
8. Then it opens a window where you can customize the metric type, condition, threshold and notification type.
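As an added example (not from the original post), the same "Under DDoS attack or not" metric pulled with the AzureRm Get-AzureRmMetric cmdlet for the last 24 hours, reporting any window in which mitigation was active. It assumes the metric name IfUnderDDoSAttack on a public IP resource and the .Data/.Maximum shape of the returned object; the resource group and public IP names are placeholders.

```powershell
# Added example, not from the original post. Queries the public IP's DDoS metric with
# AzureRm (metric name IfUnderDDoSAttack and the result shape are assumptions;
# resource names are placeholders).
$ResourceGroupName = "REBELADMIN-DEMO"
$PublicIpName      = "rebeladmin-pip1"

$pip = Get-AzureRmPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $PublicIpName

# Look at the last 24 hours in five-minute buckets; Maximum is enough because the
# metric is 0/1 and we only care whether mitigation was ever active in a bucket.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-24)

$metric = Get-AzureRmMetric -ResourceId $pip.Id -MetricName "IfUnderDDoSAttack" `
    -StartTime $start -EndTime $end -TimeGrain ([TimeSpan]::FromMinutes(5)) -AggregationType Maximum

$attackWindows = @($metric.Data | Where-Object { $_.Maximum -ge 1 })
if ($attackWindows.Count -gt 0) {
    Write-Warning ("{0} was under DDoS mitigation in {1} five-minute windows:" -f $pip.Name, $attackWindows.Count)
    $attackWindows | Select-Object TimeStamp, Maximum | Format-Table -AutoSize
} else {
    Write-Host ("No DDoS mitigation recorded for {0} between {1:u} and {2:u}" -f $pip.Name, $start, $end)
}
```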
As you can see, the setup, configuration and maintenance of Azure DDoS Protection is straightforward. This marks the end of this blog post. I hope this was useful. If you have any questions feel free to contact me on and also follow me on Twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to connect down-level devices to Azure AD (in hybrid environment)

Devices running Windows 10 and Windows Server 2016 can connect directly to Azure AD. I have used this in my last few posts to explain the different features available for domain-joined devices. However, not every device in an infrastructure runs Windows 10 or Windows Server 2016. If it is a cloud-only environment, you can simply connect your VMs in Azure to Azure AD without issue, but for remote devices you have no option other than upgrading to Windows 10 or Windows Server 2016. In a hybrid environment, with some configuration changes, Azure AD allows joining devices running,

Windows 8.1

Windows 7

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

In this demo, I am going to explain how we can connect these down-level devices to Azure AD.

A hybrid environment will be either federated or non-federated. In this post I am only going to focus on the non-federated environment; the configuration and prerequisites differ from one method to the other.

In a non-federated environment,

1. You must have healthy AD synchronization using Azure AD Connect
2. If you are using Seamless single sign-on with Azure AD Connect, that is still a supported configuration. More info about it can be found using
3. If down-level devices are using roaming profiles, it is not going to work with Azure AD. In that case you need to move to Windows 10
4. You need to have an Azure Global Administrator account and a Domain Admin account to make the configuration changes.

Create Service Connection Point
The first step of the configuration is to create a service connection point (SCP) in the local AD so devices can discover the Azure AD tenant information during the registration process.
To do that we need to run the following PowerShell script on the Azure AD Connect server.

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";

$aadAdmin = Get-Credential;

Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account] -AzureADCredentials $aadAdmin;
In the above,
$aadAdmin – represents the Azure AD admin account used in the configuration.
[AD connector account] – should be replaced with the AD account used for Azure AD sync
Note –
This must be run from the server where AD Connect is configured
It is recommended to run it from the Microsoft Azure Active Directory Module for PowerShell tool. If you use it, you do not need to import the module.
You must have the AD DS tools installed on the same server, otherwise the command will fail.
Verify Service Connection Point Details
After you run the command successfully, we can verify the SCP using,

$scp = New-Object System.DirectoryServices.DirectoryEntry;

$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=therebeladmin,DC=com";

# Read the SCP keywords; they hold the azureADName and azureADId values the devices discover.
$scp.Keywords;

In the above, DC=therebeladmin,DC=com represents the domain.
If it was successful, you will get a response like the one below.
Allow Users to Join Devices to Azure AD
Before you join the devices, first verify that you allow users to connect devices to Azure AD.
To do that,
1. Log in to the Azure Portal
2. Go to Azure Active Directory
3. Then Devices
4. Then click on Device Settings
5. The setting can be found under the Users may join devices to Azure AD option. In my demo setup, I am allowing all users to join devices.
Join down-level devices to Azure AD
Now we have all the prerequisites ready. The next step is to register the device with Azure AD. In my demo, I have a VM running Windows 8.1, which I am going to add to Azure AD.
1. Log in to the device as Administrator
3. Double-click on the MSI after download and click on Install to proceed.
Note – This VM is already part of the local domain.
4. Then go to Start > Search > PC Settings and click on Network
5. Then click on Workplace > Join
6. It will prompt for the login; provide the relevant password.
7. After a successful join, it shows the following
8. Now I can see the device under Azure AD Devices.
This marks the end of this blog post. I hope this was useful. If you have any questions feel free to contact me on and also follow me on Twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to add Additional Local Administrators to Azure AD Joined Devices

I am sure every engineer knows how "Local Administrators" works on a device. If it is a device in an on-premises Active Directory environment, either a domain admin or an enterprise admin needs to add users to the Administrators group. If it is a workgroup environment, another user with local administrator privileges needs to add additional users to the Administrators group.

If it is an Azure AD joined device, Azure Global Administrators and the device owner have local administrator rights by default.



Azure AD allows defining additional local administrators for Azure AD joined devices; however, this is a global setting. If it needs to be handled at the device level, you still need to log in with an account that already has local administrator rights and then add the additional users.

Let’s see how we can do this. 

1) Log in to the Azure portal as Global Administrator

2) Then click on Azure Active Directory and then Devices


3) Then click on Device Settings


4) By default, the Additional local administrators on Azure AD joined devices setting is set to None. Click on the Selected tab to enable it.


5) In my demo, I am going to make user a local administrator for devices. To do that click on the Selected option.


6) In new window click on Add members to add users. 


7) From the list find the relevant user and click on it to select it. Then click on Select


8) Then click on OK


9) Finally click on Save to apply the settings. 


10) To test this, I logged in to an Azure AD joined device as


11) Now to test it, I am trying to launch a PowerShell console as Administrator. If it works, I shouldn’t get a login prompt.


12) As expected it didn’t ask for an admin user name and password, as the logged-in user now has local admin privileges.



13) Also, when needed, using the Remove Members option on the Local administrators on devices page, we can remove users from the local administrator group.


This marks the end of this blog post. If you have any questions feel free to contact me on and also follow me on Twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to enable Enterprise State Roaming with Azure Active Directory

If you work with Active Directory you may already know what roaming profiles are. Roaming profiles allow syncing application and user settings to a file share. When the same user logs in from another computer in the same domain, those settings sync back from the file share. It allows users to have the same user experience and data on different corporate devices. Azure Active Directory users may also log in from multiple Azure AD joined devices. Enterprise State Roaming allows syncing user settings and application settings securely across corporate Azure AD joined devices.

Secured Sync – When this feature is enabled it activates a free, limited Azure Rights Management subscription. It is used to encrypt and decrypt the data that is synced to the cloud. This ensures the security of the data used by the Enterprise State Roaming feature.

Data Storage – The data storage location for Enterprise State Roaming is aligned with your Azure Active Directory region. Data does not sync between different regions.

Better Control – This feature can be enabled for the entire directory or only for selected users. The sync data for each device can be reviewed using the portal. With help from Azure Support, administrators can also forcefully remove the sync data for a device.

Data Retention – If a user account is deleted from the directory, its profile data is deleted after 90 days. Administrators can also request (from Azure Support) to delete specific data from a user profile. If data has not been accessed for 1 year it is considered stale and removed. That also happens if the Enterprise State Roaming feature is disabled at a later time.

Let’s see how we can enable this feature. To enable it, you must have an Azure AD Premium or Enterprise Mobility + Security (EMS) license. Azure AD joined devices must be running Windows 10 (version 1511, build 10586 or greater).

1) Log in to Azure Portal as a Global Administrator
2) Go to Azure Active Directory | Devices
3) Then click on Device Settings
4) Under device settings there is an option that says Users may sync settings and app data across devices. There you can select All or Selected. If you use the Selected option, you will need to define the users. In my demo, I am going to enable Enterprise State Roaming for the entire directory. Once the selection is made, click on Save.

After the feature is enabled, we can review the sync status using the Azure Active Directory Admin Center. To do this,

1) Log in to Azure Active Directory Admin Center using
2) Go to Azure Active Directory | Users and Groups
3) In the next window, click on All users and then click on the relevant user. In my demo it is user
4) Then click on Device in the new window.
5) Then in the right-hand window, select the Device sync settings and app data option from the Show drop-down menu.
6) The list shows the devices that the user has logged in to and the last sync time.

Now we have everything ready for testing. Before we start, there are a few things to keep in mind. This only syncs user and app settings, not user data. Also, the sync does not happen at the login/log off event; it happens once the user is logged in. So if you do not see sync data right away after login, allow some time and keep an eye on the last sync time value.

In my demo, I am logging in to a PC called REBEL-PC01 as In that PC, I have made certain settings changes.

Under IE, I added a few links to favorites.

I also changed settings in the Code Writer app, changing the font and the default text size to 20.

After the initial sync, I log in to another PC called REBEL-PC02 as In there I expect to see the changes I made. (The sync cycle can take up to 30 minutes. So far I didn't find a way to override this setting.)

As expected, I can see the same IE favorites list.

Also, the Code Writer app settings are there.

As we can see, it helps to streamline the user experience across corporate devices. This marks the end of this blog post. If you have any questions, feel free to contact me on also follow me on Twitter @rebeladm to get updates about new blog posts.

Microsoft Compliance Manager makes it easy to deal with compliance challenges!

If you are living in Europe, you may be aware of how GDPR (General Data Protection Regulation) is storming through the IT world. Service providers, vendors and pretty much every business that deals with digital data are looking at or making plans to face GDPR, which is going to be enforced from 25 May 2018. Some are already compliant and some are still struggling to figure it out. It's a time when people talk about compliance more than ever. Compliance is always painful to deal with. It involves knowledge, experience, skills, people, time, roles and responsibilities, services and much more. More importantly, you need to evaluate how these regulations and laws match each business model. There is no single button or shortcut to make an organization comply with the requirements that come up from time to time.

These requirements also change based on industry trends or needs. Even if your organization complies with certain standards today, it may not in 6 months' time. So, continuous awareness and skills are also required to maintain the compliance status. For an organization, it's not a one-man job either. Different roles have different responsibilities to make it possible. Some standards are just "good to have". But some are a must for certain businesses to operate, and some are backed by law, so those leave no choice.

This whole GDPR experience taught some lessons,

Complexity – When new regulations and compliance requirements are enforced, lack of information, complexity, and lack of experience and skills make it difficult for organizations to adopt them in a short period of time. This rush and uncertainty can lead organizations to make vulnerable moves which can lead to bigger problems.

Compatibility with other compliances – Sometimes businesses must comply with multiple standards. So, things you do to comply with one standard can affect the ones you already comply with. It is hard to keep track of each individual action and measure its impact.

Commitment – As I explained before, it is not a one-man job; different parties and different roles need to make the relevant commitment to achieve compliance targets. Organizations always find it difficult to measure commitments or evaluate task progress throughout the implementation process.

Tools and methods – As everyone agrees, there are no shortcuts to compliance. It is not like installing software or enabling a service. Organizations need to go through the relevant rules and see how they apply to their infrastructure and business models. But it is not always practical to do all this manually. As an example, GDPR has more than 100 rules. If we do not use tools or other methods to see how they apply to the existing infrastructure, it can be a time consuming, complex process. There are existing tools which give you reports based on the information you provide, but so far I am not aware of a tool which does real-time analysis of infrastructure and reports back about compliance status.

At the last Ignite event, Microsoft introduced the Compliance Manager tool, which simplifies the compliance adoption process for organizations. As a service provider, Microsoft also has a role to play in making its cloud products comply with these standards. So, Microsoft created a service where it explains how it has done its part and gives customers insight into doing their bit, in the form of tasks. Each of these tasks includes a detailed explanation. Each task can be assigned to a user and its progress measured in real time.

This service is available for Azure and Office 365 customers. It does not only cover GDPR; it also covers other standards such as ISO 27001:2013 and ISO 27018:2014. It is currently in preview and will be generally available in 2018.

In order to access this tool, you need to have a valid Office 365 subscription. Azure and Dynamics support is coming soon. This can also be tested using a trial Azure account. Once you have the login details ready, go to and click on "Launch Compliance Manager".


On the next page, it will ask about the subscription. If you already have a valid subscription, you can use the "Sign In" option.

After successful authentication, it loads the Compliance Manager dashboard.

Each tile represents a compliance assessment. Using the "Add Assessment" button we can add new assessments to the list. To do so, first click on the Add Assessment option.

Then in the pop-up, select the relevant product and click on Next.

In the next window, select the relevant assessments and click on Add to Dashboard.

Each tile has two sections. One lists the controls Microsoft complies with and the other lists the controls the customer needs to comply with.

In order to see these in detail, click on the assessment name on the tile.

It then lists the sections for each control.

As an example, if I expand one of the tasks related to Microsoft, it explains what it is, what Microsoft did to implement it, and who assessed it.

Now if I do the same for the customer controls, I can see similar details. But most of it needs to be filled in by the customer. It provides a detailed description of the assessment. If you go to Customer Actions, it gives some insight into what the customer needs to do to pass the assessment.



It also has two sections where we can add notes about the implementation, the test plan and the management response.

Using the Test Date option we can define the date for the assessment.

Using the Test Result drop-down we can select the assessment status.

Using the Manage Documents option we can upload relevant documents for the task.

More importantly, using the Assign button, a task can be assigned to another user in the organization.

In my demo, I am assigning it to the user Agnes Schleich with high priority.

Email notifications for this are not working yet, but in the future, once a task has been assigned, it will send an email notification to the user.

Now when I log in to Compliance Manager as the user Agnes Schleich, I can see the assigned task under action items.

Cool, isn't it? Microsoft promised to add more and more assessments in the coming months to make life easier with compliance. Once you are done evaluating, do not forget to provide feedback using the Feedback button.

This marks the end of this blog post. If you have any questions, feel free to contact me on also follow me on Twitter @rebeladm to get updates about new blog posts.