Let’s assume one of user in your sales team log in to https://myapps.microsoft.com and launch salesforce app successfully from his office in UK. Few minutes later the same user made successful login from Canada. Unless user is using remote connection, it is not impossible. Still someone can’t travel that fast 😊. Azure Active Directory capable of detect this type of impossible sign-in activities. However, detection type for this kind of activities is “offline”. Which means reporting latency for these alerts are between 2 to 4 hours. 

Azure cloud app security also capable of detecting these types of activities but it is real-time as it detects activities based on sessions. It helps administrators to react faster and protect infrastructure from potential breach. In this demo, I am going to demonstrate how to fine tune built in azure cloud app security policy for Impossible travel activity and prevent breach. 

Before we start, first we need to integrate SaaS app with cloud app security. In my previous post I demonstrate how to do that. So please go ahead and read it on http://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/

In my demo I am using salesforce app. 

1. Once integration is done, log in to https://portal.cloudappsecurity.com as global administrator.

2. Then go to Settings | Conditional access app control

3. There you should be able to see your app under Conditional access app control tab. It should be in healthy connected status. 

4. Then click on Control | Policies

5. Under policies, click on impossible travel policy 

6. This is a built-in policy. as you can see it doesn’t have any actions attached to it. if CAS detect such activity, it will still be reported under CAS dashboards. 

7. In my environment, I like to get an alert if its detect such activity. To do that, click on Send alert as email option under Alerts. Then define email address in text box. 

8. I also like to suspend the user account, so it gives my team enough time to review the alert and do the necessary adjustments. To do that, click on All apps under Governance and click on Suspend user check box. 

9. To complete the action, click on Update.

10. Policy is updated now. For testing I am login from two VMs located on two different locations.

11. Once the login is done, I came back to https://portal.cloudappsecurity.com. Then click on Salesforce app.

12. Under the alerts I can see it detected impossible travel activity. Click on it to view more details.

13. In there we can see in-details error description & activity log. 

14. According to policy, I also should get email alert. When I log in to email I can see email alert for the activity as expected. 

15. According to policy it also should suspend the user account. When I try to login again as the same user I got following account lock out error. 

Cool ha? As expected policy detects the activities in real-time and take necessary actions as defined. 

This marks the end of this blog post. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In my last few blog posts I have talked about Azure AD conditional access policies and how we can use it to control access. In a conditional access policy, we define who have access to what applications from where. This is purely control the access to your app. Azure cloud app security allow us to extend these capabilities further into session level. using cloud app security, we can examine each session to the app in real time basis protect information further. Using cloud app security, we can create policies to,

1. Block downloads – Can define policies to block download of sensitive data. 

2. Protect on downloads – instead of blocking download, we can create policies to allow users to download encrypted document after authentication, even though they are login from unmanaged device. 

3. Monitor risky sessions – we can setup policies to monitor session of risky sign in. all the action from those sessions will be logged for further review. 

4. Block access – If needed we can completely block access to apps if it’s from unmanaged device or non-corporate network.

5. Create read-only mode – we can create policies to create read-only mode for apps (for group of users)

More about cloud app security is available at https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security

In this demo, I am going to demonstrate how to integrate an app with cloud app security and then how we can create policies to control download of sensitive data. In this demo I am going to use salesforce application with CAS and block PDF file downloads. To start,

1. Log in to Azure portal https://portal.azure.com as global administrator

2. Click on Azure Active Directory

3. Then click on Enterprise Applications 

4. Search for Salesforce under All applications and click on it. Note – If it is not existing app, you need to go and add app first and configure it for azure ad sso. 

5. Then click on Conditional access 

6. Click on + New Policy

7. Type name for the policy in new window. Then click on users & groups and select relevant user group for the app. in my demo it is sales & marketing group. at the end click on Done to complete the selection. 

8. Click on Grant under access controls and make sure default Grant access settings selected. 

9. Under the sessions select Use conditional access app control . 

10. At the end click On under Enable policy. Then click on Create to complete the policy. 

11. Then go to https://portal.cloudappsecurity.com and log in as global admin. 

12. Once logged in, click on settings and go to Conditional access app control

13. In new window click on Conditional Access App Control apps tab. There we can see it discovered sales force app. Please note once you configured the initial policy under azure AD, you need to log in to sales force via https://myapps.microsoft.com . Then only it will trigger the update. 

Then click on Continue setup…. link.

14. It will issue a pop-up. Click on Add to proceed.

15. Then under available controls, click on session control.

16. In new window, click on create policy drop down and select session policy

17. In policy window, type name for policy first. Then change policy severity to High. Change session control type to control file download.

Then under activity filters to the policy, set app equals to salesforce. 

Same time remove any other filter in that section. 

18. Then under file filters to the policy, set extension equals to pdf. At last select block under actions.

19. At the end click on create to setup the policy. 

20. According to above policy, if a user trying to download pdf file under salesforce app, it will be blocked. So now it’s time for testing. I logged in to https://myapps.microsoft.com as a user from sales team. Then I click on salesforce app to launch it. 

21. In home page, it says access to salesforce is monitored. Click on continue to salesforce. 

22. Under files, I have a pdf file shared by admin. I click on download option. 

23. As expected, I receive download blocked message.

24. Also, it downloads a .txt file same time which contain details of the block.

25. In cloud app security logs, we can see detail information related to file block. 

This marks the end of this blog post. Hope now you have better understanding how we can protect cloud app content further with cloud app security. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Azure AD application gallery contains thousands of applications already but there can be situations where organizations uses their own applications. In such scenario Azure AD allows to bring these apps to azure.  

In my previous blog post “Step-by-Step guide to Azure AD Password-based single-sign on”, I explained Azure AD password-based single-sign on and how we can use it. If you not read it yet, you can access it  using http://www.rebeladmin.com/2018/09/step-step-guide-azure-ad-password-based-single-sign/ . In this blog post, I am going to demonstrate how we can bring our own app to Azure AD and use Password-based single-sign on with it. 

In my demo environment I have cloud app called Woodgrove Expense Manager and I can access it using https://woodgroveexpensemanager.azurewebsites.net I need my sales and marketing team to use it. Also, I need them to share one login. However, I do not want end user to know these credentials. 

As first part of this demo, I need to integrate my app with Azure AD. To do that,

1. Log in to https://portal.azure.com as global admin.

2. Click on Azure Active Directory on the left-hand panel.

3. Then click on Enterprise applications 

4. In new window, click on + New application 

5. In application panel, click on Non-gallery application 

6. Then in new wizard, type name for app and click on Add

7. In new app window, click on Single sign-on 

8. Then select password-based single sign-on as SSO mode. Under sign-on URL define the application URL. in my demo it is https://woodgroveexpensemanager.azurewebsites.net . at last click on Save to apply the changes. 

9. Once settings are saved, click on Configure Woodgrove Expense Manager Password Single Sign-on Settings

10. In new window, select Manually detect sign-in fields and then capture sign in fields.

11. This will load up new tab with application page. Type the sign in details and then click on sign-in.

12. Then in app window it asks if we want to save captured login details. Click on Ok to capture data. 

13. After that, it will go back to sign-on page, in this page click on Ok, I was able to sign-in to the app successfully and then Ok to save the config.

14. Once configuration is saved, click on user & groups.

15. Then click on Add user

16. From the list of user & groups, I have selected group for my sales & marketing team. Once selection is done, click on Assign credentials.

17. In new window Set Assign credentials to be shared among all group members to Yes and type credentials for the https://woodgroveexpensemanager.azurewebsites.net . To complete the process, click on Ok & then Assign

18. This completes the configuration part. Next step is to test it. for that I am log in to https://myapps.microsoft.com as a user from sales & marketing group. Then click on Woodgrove Expense Manager

19. As expected, without any other additional logins, it log me in to the Woodgrove Expense Manager. cool ha? 

This marks the end of this blog post. Hope now you have better understanding how to bring your own app to Azure AD and use password-based single sign-on with it. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Single-sign on provides seamless sing on experience to multiple systems using one identity platform. Azure AD supports three types of single-sign configuration methods for applications. 

Federated single sign-on – This is the most commonly used SSO type. when it is in use, applications redirect users to Azure AD for authentication. This method can use with any application that use SAML 2.0, WS-Federation, or OpenID Connect authentication protocols.  

Password-based single sign-on – In this method, Azure AD manages credentials for the application and replay when required. In this method end user do not need to know the credentials to access the application. 

Linked single sign-on – This allows to link existing single-sign on configuration for an application with Azure AD. This also allows to link applications with Azure or Office 365 portals. 

In this post I am going to explain what is password-based single sign-on and how we can use it with third part SaaS application. 

Azure AD Password-based single sign-on works with any third-party SaaS app which have HTML based sign in page. In this method, application credential will be saved in directory and when required Azure AD will retrieve credentials and pass it to application sign in page on behalf of user. There are two types of credential management methods.

Administrator managed – In this method administrator will create & manage credentials for the application. Credentials will be securely saved in directory and administrator can assign it to user or groups as required. When user access the application, credentials will be retrieved from directory and pass it to application sign in process automatically. So, end user does not require to know the credentials for the app. 

User managed – In this method, administrator assign application to users or groups. When user logins for first time they can enter their own username and password to the application. Then these credentials will be saved securely in directory and use for future logins. In this scenario end user have full control over their own credentials. 

Now it is time to configure Password-based single sign-on for SaaS app and see how it works. in my demo I am going to use twitter app for this. Before we start, we need to create demo account in twitter using https://twitter.com/signup

1. To configure Password-based single sign-on for twitter, log in to https://portal.azure.com as global administrator

2. Then go to Azure Active Directory 

3. In new window, click on Enterprise applications 

4. Then select all applications under application type and search for twitter app. Once app is return under search results, click on it. if you do not have twitter app under the results, click on New Applications to add the app from gallery. 

5. In new windows, click on Single sign-on under Manage. Then from the mode drop down select Password-based single sign-on and click on Save.

6. Click on Overview and then total users to select groups. In my demo I am going to assign it to sales & marketing group. once group is selected, click on Update Credentials. 

7. Then in next window, type the credentials for the app and click on Save. 

8. Once it is done, I logged in to the https://myapps.microsoft.com as member of selected group and click on to launch twitter. 

9. Then it asks me to install the extension. 

10. Once it is done, I relaunch twitter app and it log me in direct.

This marks the end of this blog post. Hope now you have better understanding what is password-based single sign-on and how to use it. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In my previous blog posts about conditional access polices I talked about location based and application based polices. In this new blog post I am going to cover risk-based conditional access policies. You can access previous blog posts about conditional access policy using following links,

Step-by-Step Guide to configure location-based Azure conditional access policies – http://www.rebeladmin.com/2018/08/step-step-guide-configure-location-based-conditional-access-policies/

Step-by-Step guide to enable MFA for applications using Azure conditional access – http://www.rebeladmin.com/2018/09/step-step-guide-enable-mfa-applications-using-azure-conditional-access/

Azure AD Identity protection can detect six types of suspicious sign-in activities. 

• Users with leaked credentials

• Sign-ins from anonymous IP addresses

• Impossible travel to atypical locations

• Sign-ins from infected devices

• Sign-ins from IP addresses with suspicious activity

• Sign-ins from unfamiliar locations 

These six-types of events are categorized in to 3 levels of risks – High, Medium & Low. 

We can use these risk levels with conditional access policies to protect sensitive application access. In this demo I am going to demonstrate how to create risk-based conditional access policies. 

My finance team accessing Microsoft teams’ app remotely. I like to create policy to block access to app if their sign in risk level is detected as High & Medium. 

To set up the policies,

1. Log in to https://portal.azure.com

2. Click on Azure Active Directory

3. Click on Conditional access

4. In new window, click on New policy to create policy.

5. In policy window, type name for policy & then click on Users & groups. after I select sg-Finance group.

6. Then click on Cloud apps & select Microsoft teams.

7. As next step, click on Conditions | Sign-in risk, then under Configure click on Yes. That will enable sign-in risk policy. We also need to select High & Medium risk levels. 

8. Under access control section select Grant, then click on block access. 

9. At last, click On under enable policy. then click on Create to complete the process. 

10. Now policy is in place. For testing I am going to use what if feature under conditional access policies. This feature in azure allows to create scenario and see if the policy going to apply as expected. This is the best way to test this type of policies as it is not always practical to create real scenario for testing. 

11. To do that, go to Azure Active Directory | Conditional access and then click on what if

12. In new window, I have selected a demo user from finance team, also selected the Microsoft teams as cloud app. Under IP address I just define dummy ip and select the country Afghanistan. For sing-in risk, I choose medium level. once data is in, we need to click on what if button to complete the test. 

13. Once job is executed, result section shows that new policy we just created is applying successfully. This confirms the policy in place is going to work as expected in real world. 

This marks the end of this blog post. Hope now you have better understanding how to configure risk-based azure conditional access policies. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Azure AD conditional access allows to apply MFA (multi factor authentication) rules per application based on groups, locations, sign-in risks. In this demo I am going to show how we can create conditional access policy to control MFA per application. 

1) As first step, I am logging in to https://portal.azure.com as global admin. 

2) Then go to Azure Active Directory

3) Then click on Conditional access 

4) Click on New Policy to create new MFA policy.

5) Then give it a name first, in my demo, my target group is sales & marketing team. So, I click on users & groups and then select the sales & marketing group. 

6) Then click on clouds app and select the application. In my demo I am using Microsoft teams.

7) Then click on Access control. after click on Grant Access and select Require multi-factor authentication. At last click on Select to finish the config. 

8) Then click On under enable policy and after click on create to activate the policy.  

9) Now it is time to test, I am going to log in to https://myapps.microsoft.com with an account belong to sales & marketing group. 

10) Then I click on Microsoft Teams. 

11) Then right away it gave me this new window. This is because I do not have MFA setup for this user. In order to use MFA, first it asking to set it up. 

12) Now, next time when I launch the Microsoft Team, its bring me straight to MFA verification page. This confirms the policy is working as expected. cool ha? 

This marks the end of this blog post. Hope now you have better understanding how to create conditional access policy to control MFA for application. This allows administrators to add additional layer of security to sensitive applications. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In one of my previous article, I explain how we can create site-to-site VPN connection between local network and azure virtual network. This VPN connection is initiated in your edge firewall or router level. But what if you connecting from remote location such as home? we can use point-to-site method to do that. In this method it will use certificates to do the authentication between end point and azure virtual network. 

So, let’s go ahead and see how we can do that, 

Create Resource Group 

In this exercise, I like to use separate resource group for virtual network and other components. 

1. Log in to Azure portal as global administrator

2. Launch Cloud Shell

3. Then run New-AzureRmResourceGroup -Name REBELVPNRG -Location "East US". In here REBELVPNRG is RG group name and East US is the location.

Create Virtual Network

Now we need to create new virtual network. We can create virtual network using,

New-AzureRmVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET -AddressPrefix 192.168.0.0/16 -Location "East US"

In above, REBEL-VNET is the virtual network name. it uses 192.168.0.0/16 IP address range.

When it comes to network security, we use firewalls for perimeter defense. It helps to define security boundaries for infrastructure. There are many conversations about validity of perimeter defense against modern security threats as its more about identities now. However, firewall is still the most commonly used tool to control in & out communications in a network. 

In Azure so far, we were using Azure Network Security Groups or host firewall to filter network traffic. But now Azure Firewall allow to filter traffic pass through Azure Virtual Networks. It works as fully stateful firewall. It is still in preview mode but it is not too early to test its capabilities. 

Features 

• Built-in High Availability – Firewall manages ingress and egress traffic of the network. So high-availability of edge firewall of your network is really important. Azure firewall is a cloud-based service and comes with built-in high availability. Users do not have to pay or do additional configurations for HA. 

• Domain Based Filtering – Traditional Firewall rules are based on IP addresses. We have to define the networks to allow or deny access. Azure firewall can block or allow access based on FQDN. It is also supported to use wild cards.

• Work as fully stateful firewall – Azure firewall allow to create inbound & outbound rules using networks, FQDN, protocols & ports. So, it can monitor nature of active connections and allow or deny relevant packets through firewall. 

• Outbound Source Network Address Translation (SNAT) – All outgoing traffic from virtual networks are translated in to Azure Firewall Public IP Address. It allows to identify and control traffic leaving from your network to other destinations. 

• Azure Monitor Integrations – All Firewall events are logged in to Azure monitor. If required we can send it to log analytics for further analysis. 

• No need to worry about upgrades – If it is hardware firewall, it has its own capacity limitation. It can be based on port utilization, ram or packet processing power. Since azure firewall is cloud-based service, none of those limitations applies to it. it can scale up whenever it needed. 

Licenses

Current license model for this service is based on size of traffic (of ingress & egress) travel through virtual network. 

Known Issues

As it is still on preview mode, it doesn’t come with any SLA. Therefore, do not use it in your production environment. Also, it has some know issues. You can read about those using https://docs.microsoft.com/en-gb/azure/firewall/overview . 

Demo

In this demo I am going to setup azure firewall and test it using few rules. 

People use safes, security boxes to protect their valuable things. In digital world “Data” is the most valuable thing. Passwords, Connection Strings, Secrets, Data encryption/decryption keys protects access to different data sets. Whoever have access to those will also have access to data behind it (of cause they need to know how to use those 😊). So how we can protect those valuable info? People use different methods. Some use third party software installed on PC to do it. If its large environment some use web application so multiple people have access to it. different vendors use different methods to protect these types of valuable data. Microsoft Azure Key vault is a service which we can use to protect Passwords, Connection Strings, Secrets, Data encryption/decryption keys uses by cloud applications and services. Keys stored in vaults is protected by hardware security modules (HSMs). It is also possible to import or generate keys using HSMs. Any keys process that way will be done according to FIPS 140-2 Level 2 guidelines. You can find about FIPS 140-2 Level 2 using https://www.microsoft.com/en-us/trustcenter/Compliance/FIPS

Benefits of using Key Vault

• Keys saved in vault will be served via URLs. Developers, engineers do not need worry about securing keys. Application or service do not see the keys as vault service process behalf of them.  

• Customers do not have to disclosure their keys to vendors or service providers. They can manage their own keys and allow to access those keys via urls in vendor or service provider applications. Vendor or service providers will not see the keys. 

• By design Microsoft can’t extract or see customer keys. So, its further protected in vendor level too. 

• HSMs are FIPS 140-2 Level 2 validated. So, any industry required to comply with these standards are protected by default. 

• Key usage details are logged. So, you know what’s happening with your keys.  

An Azure Administrator is allowed to do following using Azure Key Vault,

• Create or import a key or secret

• Revoke or delete a key or secret

• Authorize users or applications to access the key vault, which allow them to manage or use its own keys and secrets

• Configure key usage 

• Record key usage

More info about Azure Key vault can find under https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview 

Let’s go ahead and see how we can setup and use Azure Key Vault service. 

Create Azure Key Vault Instance  

 

1) Log in to Azure Portal as global admin.

2) Click on Cloud Shell icon in top right-hand corner. (You also can setup this using portal, Azure CLI or locally installed Azure PowerShell. In this demo I am using Azure PowerShell directly from portal)  

 

 

3) Then select PowerShell for the command type. 

4) Then type Get-AzureRmResourceGroup to list down resource groups. So, we can select the resource group to associate the new key vault. 

 

 

5) If you wish to create key vault under new resource group, you can do it using 

 

New-AzureRmResourceGroup -Name RGName -Location WestUS

 

In above command RGName specify the resource group name and WestUS define the region. You can find the available locations using Get-AzureRmLocation

 

6) Now it’s time to create the vault. We can create it using, 

 

New-AzureRmKeyVault -VaultName 'Rebel-KVault1' -ResourceGroupName 'therebeladmin' -Location 'North Central US'

 

In above VaultName defines the Key Vault name. ResourceGroupName defines the resource group it is associated with. Location defines the location of resource. 

 

 

7) We can view properties of existing key vault using,

 

Get-AzureRmKeyVault "Rebel-KVault1"

 

In above Rebel-KVault1 is the key vault name. 

 

 

Vault URI shows the URL which can use to access the key vault by applications and services. 

 

8) Next step is to create Access Policy for the key vault. Using access policy we can define who have control over key vault, what they can do inside key vault and also what a application or service can do with it. 

 

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Rebel-KVault1' -UserPrincipalName 'user1@rebeladmlive.onmicrosoft.com' -PermissionsToKeys create,delete,list -PermissionsToSecrets set,list,delete -PassThru

 

In above command, user1@rebeladmlive.onmicrosoft.com can create,delete,list keys in Rebel-KVault1. He also can set,list,delete secrets under same vault. 

 

 

We also can set permissions for application to retrieve secrets or keys. 

 

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Rebel-KVault1' -ServicePrincipalName 'http://crm.rebeladmin.com' -PermissionsToSecrets Get

 

In above, service running on http://crm.rebeladmin.com will have permissions to retrieve secrets from the vault. 

Azure Backup is capable of replacing typical on-premises backup solutions. It is cloud-based, secure, reliable solution. It has four components which can use to backup different types of data.

More details about azure backup and components limitations can be find on https://docs.microsoft.com/en-us/azure/backup/backup-introduction-to-azure-backup 

In this article we are going to look in to Azure VM backup (Azure IaaS VM Backup). 

How Azure VM Backup works? 

Azure VM backup doesn’t need any special agent installed in VM. It also does not need to have any additional components (backup server) install either to enable backup. When very first backup job is triggered, it installs backup extension inside the VM. If its Windows VM, it installs VMSnapshot extension and if its Linux VM, it installs VMSnapshotLinux extension. VM must be in running state in order to install extension. After extension in place, it takes point-in-time snapshot of the VM. If VM is not running during backup window, it takes snapshot of VM storage. If its windows VM, backup service uses Volume Shadow Copy Service (VSS) to get consistence snapshot of VM disk. If its Linux VM, users can create custom scripts to run before and after backup job to keep application consistency. Once snapshot is taken it will transfer to the backup vault. Service can identify the recent changes and only transfer the block of data which changed from last backup. Once the data transfer completes snapshot will removed and recovery point will be created. 

Image Source: https://docs.microsoft.com/en-us/azure/backup/media/backup-azure-vms-introduction/vmbackup-architecture.png 

Performance of backup depends on,

1) Storage account limitations 

2) Number of disks in VM

3) Backup Schedule – if all jobs running in same time it can create traffic jam

According to Microsoft following are recommended when you use Azure backup for Azure VMs. Reference: https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-introduction 

1) Do not schedule more than 40 VMs to backup same time.

2) Schedule VMs backup when minimum IOPs been used in your environment (In relevant storage accounts). 

3) Better not to back up more than 20 disks in single storage account. If you have more than 20 disks in single storage account spread those VMs across the multiple policies to maintain required IOPS. 

4) Do not restore a VM running on Premium storage to same storage account. Also try to avoid restore while backup process is running on same storage account.

5) For Premium VM backup, ensure that storage account that hosts premium disks has at least 50% free space for staging snapshot for a successful backup.

6) Linux VM needs python 2.7 enabled for backup.

Next step is to see this in action.

1) Log in to Azure Portal as Global Administrator

2) First step is to create Azure Recovery Service Vault. In order to do that, go to All Services and click on Recovery Service vaults under storage section. 

3) Then click on Add in new window

4) It will open up wizard and there provide vault name, subscription, resource group and location. Once done, click on Create.

5) Now we have vault created, next step is to create backup policy. To do that click on vault we just created from the Recovery service vault window.

6) Then click on Backup Policies 

7) There is default policy from Azure VM backup. It backup VMs daily and keep it for 30 days.

8) I am going to create new policy to do backup every day at 01:00 am and keep it for 7 days. To do that click on add option in policy window. 

9) Then select the policy type. for VMs, it should be Azure Virtual Machine

10) In next window we can define time and retention period of data. Once done with the details click on Create. 

11) Next step of the configuration is to enable backup. In order to do that, go to the VM you like to backup. Then click on the option Backup 

12) Then in new window select the vault and policy we created before and then click on enable backup

13) Once it is done we can run backup by going in to same backup window. If you like to take ad-hoc backup, click on Backup Now

14) We can see the progress of the backup job by clicking View All Jobs

15) Once backup jobs completed we can see the status of it in same backup window.

16) To test the restore I installed Acrobat Reader in this server and created test folder in desktop. 

17) Now I am going to do a restore to an earlier day. To do that go to VM backup page, then click on Restore VM

18) In next window it asks which backup to restore. I am selecting back up from 3 days.

19) In next window it allows me to restore it as new VM or as disk. In here I am going to restore it as new VM

20) Once selection is done click on Restore to begin the process.

21) We also can check the status of the job using backup job window.

22) Once restore completed, I can see a new VM. 

23) Once log in to the VM I can’t see the folder and application I installed, as expected. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.