Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure

Manage Privileged access groups with Azure AD Privileged Identity Management (Azure AD PIM)

Azure AD Privileged Identity Management allows organizations to manage, monitor, audit access to sensitive Azure resources. One of the main features of PIM is the ability to provide just-in-time (JIT) access to Azure AD and Azure resources. As an example, a user can request to be a Global Administrator for 1 hour. Once a user requests it through the portal, Approver will receive a notification. Then approver can review the request and approve/deny the request based on justifications. Once the request is approved, the user will have Global administrator privileges for one hour. After one hour, the privileges will remove from the user automatically. Instead of individual users, we also can make cloud groups eligible for the Azure AD role assignment. More info about this configuration is available under one of the previous blog post. So far, we had to manage members or owners of these privilege cloud groups using Azure AD, but now we can provide JIT membership to privilege group using Azure AD PIM.

Note : To use Azure AD PIM, you need to have Azure AD Premium P2 licenses. So, make sure you have the relevant license in place before we go ahead with this config.

In my demo environment, I am going to create a new group called “Temp Administrators“. Then I am going to make it active for Global Administrator role for 3 months. After that configuration, if a user needs to get Global Admin rights, they need to be part of “Temp Administrators” group. I plan to show you how we can manage members of this group using Azure AD PIM.

Create a role-assignable group

As the first step of the configuration, I need to create a cloud group. This group must have the “Azure AD roles can be assigned to the group” option turned on. Otherwise, we can’t assign roles to it.
To do this,

1. Log in to Azure Portal as Global Administrator
2. Search for Azure Active Directory and click on it
3. Go to Groups and click on + New group

Add new Azure AD Group

4. In the new form, set Group type to Security. Then provide a name and description for the group. Next, set Azure AD roles can be assigned to the group (Preview) option to Yes. After, click on create to complete the group setup process

New Azure AD Group Settings

Enable privileged access for a group

The next step of the configuration is to enable privileged access for the newly created group. To do that,

1. Go to Azure Active Directory home page
2. Then go to Groups and click on the group we created in the previous section. On the group properties page, click on Privileged access (preview). Next, click on Enable privileged access button.

Enable privileged access for a group
[Read more…] about Manage Privileged access groups with Azure AD Privileged Identity Management (Azure AD PIM)

Encrypt existing Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

In my previous blog post, I have explained what is Server-Side Encryption (SSE) for Azure Managed Disks. If you didn’t read it yet, please go ahead and read it using this link. In there I have created a new virtual machine with encrypted managed disks. But sometimes we may have to do the same for the existing Azure Managed Disks. In this blog post, I am going to demonstrate how we can encrypt an existing data disk (Azure Managed Disk) using SSE and CMK.

Prerequisite

Before we go ahead with configuration, we need to make sure the following prerequisites are in place.

Azure Key Vault with DisKEncryptionSet – I have covered the configuration steps for this in my previous blog post https://www.rebeladmin.com/2021/01/encrypt-azure-managed-disks-using-server-side-encryption-sse-and-customer-managed-keys-cmk/. Please go ahead and configure the Azure Key Vault before we proceed further.

Azure PowerShell – For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Verify Existing Windows VM Configuration

For the demo, I have created a new Windows VM called REBEL01 in East US Azure region. It is running windows server 2019 data center edition. It is using Standard_DS1_v2 VM size. This VM has two disks. REBEL01_OSDisk is OS disk and REBEL01DataDisk1 is Data Disk.

Virtual Machine Disk Encryption with Platform managed keys

As we can see above, the data disk is encrypted using platform managed keys. This is the default setup for Azure managed disks. My plan is to encrypt this disk with Customer Managed Key (CMK). We can’t encrypt the existing OS disk using the same method.

Detach Managed Disk

We can’t change the encryption of a disk that is attached to a running VM. So, we need to detach the disk first. To do that we can use the following commands,

$VM = Get-AzVM -ResourceGroupName “REBELRG1” -Name “REBEL01”
Remove-AzVMDataDisk -VM $VM -Name “REBEL01DataDisk1”

Detach Azure Managed Disk

Then we need to update the VM config using

Update-AzVM -ResourceGroupName “REBELRG1” -VM $VM

Update Azure Virtual Machine Configuration [Read more…] about Encrypt existing Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

Encrypt Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

Disk encryption is a basic data protection method for physical & virtual hard disks. It falls under physical data security and it prevents data breaches from stolen hard disks (physical & virtual). By using Azure Disk Encryption, we can encrypt disks within the guest VM. If the guest VM is running Windows OS, Azure Disk Encryption will use BitLocker. If the guest VM is running Linux, it will be depending on DM-Crypt to encrypt virtual disks. But with Server-Side Encryption (SSE) we can encrypt any OS disk/data disk at the storage service level.

By default, Azure Managed disks are encrypted using 256-bit AES encryption. It is FIPS 140-2 compliant. For this, the system uses platform-managed encryption keys. But for compliance requirements, the organization may want to manage its own encryption keys. These keys are called Customer Managed Keys (CMK). In here, instead of the platform, it is the customer’s responsibility to create, import, delete encryption keys. We can use CMK to encrypt managed disk using Azure Disk Encryption or Server-Side Encryption (SSE). In both methods, we have to use the Azure Key Vault to store the encryption keys. A Key vault admin can either import their own RSA keys or generate new RSA keys in the key vault to use with encryption.

When we using Customer Managed Keys (CMK) we need to consider the following,

1. If the CMK feature is enabled for a disk, it can’t be disabled. If you need you can copy data to a new disk without CMK.
2. Only supported Software and HSM RSA keys with 2048 bit, 3072 bit, and 4096-bit sizes.
3. Managed disk created from custom image or snapshot which is encrypted using SSE & CMK must use same CMK to encrypt.
4. All resources related to CMK such as Azure key vault, DisKEncryptionSet, VMs, Managed Disks must use the same subscription and region.
5. Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using CMK.

Source: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption#customer-managed-keys

Before we go ahead with configurations let’s see how Server-Side Encryption (SSE) works with Customer Managed Keys (CMK).

1. Admin creates DisKEncryptionSet resource with Azure Key Vault ID and a key URL. This will also create a system-assigned managed identity in Azure Active Directory.
2. Then Azure Key Vault Admin grant permission to this managed identity to perform activities in the relevant key vault.
3. As the next step, VM user can create or associate existing managed disks with DisKEncryptionSet and enable Server-Side Encryption (SSE)
4. Managed disks use system-assigned managed identity in Azure Active Directory to access Key vault
5. Managed disks send a request to Key vault to encrypt or decrypt Data Encryption Key (DEK) to use it with data encryption or decryption.

Let’s go ahead and see how we can use SSE and CMK for managed disk encryption.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Setup Azure Resource Group

The first step of the configuration is to create a new resource group.

To do that,

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

Create New Azure Resource Group

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Setup Azure Key Vault

Next, we need to create a new key vault and encryption key.

As the first step, let’s go ahead and enable Azure Key Vault provider within the subscription by using,

Register-AzResourceProvider -ProviderNamespace “Microsoft.KeyVault”

Enable Azure Key Vault Provider

Then, let’s go ahead with Azure Vault setup,

$rkv = New-AzKeyVault -VaultName REBELVMKV1 -Location “East US” -ResourceGroupName REBELRG1 -EnablePurgeProtection

In the above, REBELVMKV1 is the key vault name and it is created under REBELRG1 resource group. –EnablePurgeProtection parameter is used to ensure a deleted key from the vault cannot be permanently deleted until it passes the retention period. This option adds extra protection to keys used inside the vault. This must be enabled otherwise the encryption will fail.

As the next step, we need to create an access policy so currently logged-in user can create encryption keys.

Set-AzKeyVaultAccessPolicy -VaultName REBELVMKV1 -ObjectId xxxxxxxxxxxxxxxx -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete -PassThru

Setup Access Policy

In the above -Objectid value should replace with the actual objectid value of the currently logged in the global admin account. Here -PermissionsToKeys define the permissions allocated for keys and -PermissionsToSecrets defines the permissions allocated for secrets.

Next, we need a new encryption key to use with disk encryption.

$vk1 = Add-AzKeyVaultKey -VaultName REBELVMKV1 -Name “REBELVMKey” -Destination “Software”

Create Encryption Key

In the above, REBELVMKey is the key name. -Destination is defined as Software as we creating the standard encryption key. If required it can be set to Hardware Security Model (HSM) but it comes with additional cost. [Read more…] about Encrypt Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

How to Share disk between Azure Virtual Machines? (PowerShell Guide)

If you worked with an application that is based on Windows Server Failover Cluster (WSFC), you may already know that sometimes we have to share virtual disks between servers. Scale-Out File Servers (SoFS), SAP, Remote Desktop Server User Profile Disk, Failover cluster instance (FCI) with SQL Server are some of the examples. If virtual machines are running on VMware, we can do this by enabling Multi-Writer Mode on virtual disks. If it is a Hyper-V environment, we can do the same using Shared disk or VHD Sets features.

Azure managed disks also can share between multiple virtual machines. This help organization to move or deploy applications depending on cluster services and shared disks to Azure. In this demo, I am going to demonstrate how we can share a disk between two Azure VM.

Limitations

• Certain limitations apply to Azure shared disks.
• Share disk feature only available for ultra disks and premium SSDs
• Can only be enabled in data disks, not operating system disks
• Can’t use with Azure Backup or Azure Site Recovery (yet)
• If you are using proximity placement groups, all virtual machines and shared disks must use the same PPG.
maxShares value of the disk defines how many VMs can share the disk simultaneously. For ultra disks, maxShares value is 5.
• For Premium SSDs, the maximum value for maxShares is depending on the disk size. It can be varying from 2-10.

Let’s go ahead and see how we can configure Azure shared disk.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Create a Resource Group

As the first part of the configuration, I am going to create a new resource group. To do that,

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name EUSRG1 -Location “East US”

Create Azure Resource Group

In the above, EUSRG1 is the resource group name, and its created-in East US Azure region.

Create Azure VNet

The next step is to create a new virtual network under EUSRG1 resource group. We can create it using,

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName EUSRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

Create Azure Virtual Network

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines. [Read more…] about How to Share disk between Azure Virtual Machines? (PowerShell Guide)

How to Deploy an Azure VM to Availability Zone? (PowerShell Guide)

Azure Availability Zones offers high availability for data and applications. In an Azure region, there can be one or more data centers. Azure Availability Zone is made out of one or more datacentres in the same Azure region, which have independent power, hardware, networking, and cooling. All Zone redundant service will replicate data and application across Availability Zone for high resilience. Each Azure region contains a minimum of three Azure Availability Zones.
More Information about Azure Availability Zones are available on https://docs.microsoft.com/en-us/azure/availability-zones/az-overview

We also can deploy Azure Virtual Machines into Azure Availability Zone for high availability. In this demo, I am going to demonstrate how we can deploy Azure Windows Virtual Machine to Azure Availability Zone by using Azure PowerShell.
Before we start, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Create Resource Groups

As the first part of the configuration, I am going to create a new resource group. To do that,

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name REBELRGEUS -Location “East US”

Setup Azure Resource Group

In the above, I am creating a resource group called REBELRGEUS in East US Azure region.

Create Azure VNet

The next step is to create a new virtual network under REBELRGEUS resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRGEUS -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

Create Azure Virtual Network

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines. [Read more…] about How to Deploy an Azure VM to Availability Zone? (PowerShell Guide)