Tuesday, February 19, 2019

Azure - Helpful resources

A living list of helpful resources and links to Azure tools.

Azure Resource Explorer - A tool to view and edit the direct ARM JSON.
Azure Speed test tool - Runs speed tests and determines latency between regions.
Azure Advisors Yammer - Useful for questions; often monitored directly by the product team.

Azure - Check Invitation Status to guest user

Oftentimes you will need to invite a 3rd party to your Azure AD tenant to support your environment.

When you add them to a resource, they are automatically invited as a guest user in your Azure AD tenant; however, they won't be able to access it until they accept the invitation email.

If you send an invite to a guest user you can see if they have accepted the invitation or not. You also have the option to resend the invitation.


From Azure AD you can search for guest users and drill down into an individual one.

Here is what the email looks like. The key here is that the email comes from "invites@microsoft.com". Because it is sent on behalf of the inviter, it may end up in the junk or spam email folder, so be sure to have them check there.
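The same check as the portal view described above, scripted so pending invitations can be reviewed in bulk. This is an added example, not part of the original post: Get-PendingGuest is a hypothetical helper, the sample accounts are constructed, and it assumes user objects shaped like the output of the AzureAD module's Get-AzureADUser (UserType, UserState, UserStateChangedOn, Mail).

```powershell
# Added example. Get-PendingGuest is a hypothetical helper, not an AzureAD cmdlet.
# It assumes objects shaped like Get-AzureADUser output.
function Get-PendingGuest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,
        [int] $StaleAfterDays = 14,            # assumed review threshold
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        # Only guests that have not redeemed their invitation are of interest.
        if ($User.UserType -ne 'Guest' -or $User.UserState -ne 'PendingAcceptance') { return }

        # UserStateChangedOn is an ISO 8601 string; for a pending guest it is the invite time.
        $invited = [datetime]::Parse(
            $User.UserStateChangedOn,
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        $days = [int][math]::Floor(($Now - $invited).TotalDays)

        [pscustomobject]@{
            Mail        = $User.Mail
            InvitedOn   = $invited
            DaysPending = $days
            Stale       = $days -ge $StaleAfterDays   # candidate for resend or removal
        }
    }
}

# Constructed sample data so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Mail = 'vendor1@example.com'; UserType = 'Guest';  UserState = 'PendingAcceptance'; UserStateChangedOn = '2019-01-20T09:00:00Z' }
    [pscustomobject]@{ Mail = 'vendor2@example.com'; UserType = 'Guest';  UserState = 'Accepted';          UserStateChangedOn = '2019-02-01T12:30:00Z' }
    [pscustomobject]@{ Mail = 'vendor3@example.com'; UserType = 'Guest';  UserState = 'PendingAcceptance'; UserStateChangedOn = '2019-02-17T08:15:00Z' }
    [pscustomobject]@{ Mail = 'admin@contoso.com';   UserType = 'Member'; UserState = $null;               UserStateChangedOn = $null }
)
$asOf = [datetime]::new(2019, 2, 19, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample | Get-PendingGuest -Now $asOf | Format-Table -AutoSize

# Against a live tenant (requires Connect-AzureAD first):
# Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | Get-PendingGuest
```

Guests flagged as stale are the ones to chase for the junk-folder problem above, or to remove if the access is no longer needed.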


Monday, February 18, 2019

AZ-102 Study notes - Part 4

Manage identities (15-20%)

Manage Azure Active Directory (AD)

Add custom domains 

Add a purchased domain and add the MX or TXT records. (ms=msXXXXXX)
The person who creates the tenant is automatically the global administrator.
TTL must be 60 minutes.
Make sure you don't have any unmanaged Power BI tenants.

Configure Azure AD Identity Protection

Azure AD identity protection is P2 level and above.
You can force people to register for MFA - once everyone is registered you can add everyone.

User / sign on risk prevents or forces MFA sign in from compromised users.

Azure AD Join, and Enterprise State Roaming

With Azure AD settings you can enable local admin rights for Azure AD members.
The local admins are set as device admins.
ESR allows Windows 10 user data to be synced between devices. Data is encrypted. Requires "EMS".

Configure self-service password reset

Password reset - selected groups or all. One or two methods. Email / Office Phone / Mobile Phone / Security questions (and how many 3-5).
Users can be forced to register and can be forced to re-register after a period.
You can be notified on Admin passwords or user password resets.

Implement conditional access policies

Conditional (- platforms, locations, apps, device state, etc.) / Control statements - (Block / grant, MFA, limited experiences, etc)

Manage multiple directories

Each tenant is independent and a domain name can only be used by a single tenant.

Perform an access review

Access reviews allow you to schedule reports where you approve or deny access to a group or application. If a reviewer does not respond, we can remove access automatically or send an email.

Recommendations suggest best action. Users can advise on reasons.

Implement and manage hybrid identities

Install and configure Azure AD Connect

Requirements:
Azure AD premium
Global Admin of Azure AD
Azure AD Connect Health agent installed.
Connectivity (outbound - no SSL inspection.)

Configure federation and single sign-on

Use the Azure AD Connect tool to add an AD FS server, add an AD FS WAP server, and configure a federated domain.

Deploy seamless single sign on via the Azure AD Connect tool.
Deploy group policies to enable SSO.

Manage Azure AD Connect

You can configure health alerts from Azure AD connect health in the portal.

Manage password sync and writeback

Premium feature.
Account used must have elevated rights.
Configured through the Azure AD connect utility.

AZ-102 Study notes - Part 3

Continued from a previous series:

Configure and manage virtual networks (15-20%)

Create connectivity between virtual networks

Create and configure VNET peering

Vnet peering is private peering across regions or subscriptions but not tenants. 10 per vnet by default, but up to 50.

Via PowerShell:
Add-AzureRmVirtualNetworkPeering
Via Azure CLI:
az network vnet peering create

Create and configure VNET to VNET

Vnet to Vnet connections require public IPs
Only Vnets in the same subscription from the portal.
Add connection under the VNet.
Use the New-AzureRmVirtualNetworkGatewayConnection cmdlet to set up via PowerShell.


Verify virtual network connectivity

Get-AzureRmVirtualNetworkGatewayConnection
az network vpn-connection show

Network Watcher Agent extension.

Flow Logs require NSG rules, a Log Analytics workspace and a storage account.

Create virtual network gateway

Requires a DYNAMIC public IP address.
Review the SKUs noted in the documentation for gateway:
Basic SKU- Max 10 tunnels, others max 30. 
VPNGw1, 2 and 3 support P2S IKEv2 connections and BGP, and each has higher bandwidth than the last.

Configure name resolution

Configure Azure DNS 

Create a new DNS zone from the marketplace or use the PowerShell cmdlets:

New-AzureRmDnsZone
New-AzureRmDnsRecordSet


Configure custom DNS settings 

Alias records dynamically update if they change in Azure.

Configure DNS zones

DNS zones contain one or more records for a domain.


AZ-102 Study notes - Part 2

Continued from a previous series. Here are my notes created from studying for the AZ-102 exam.
The LinkedIn Series here was helpful:


Implement and manage storage (5-10%)

Configure Azure files

Create Azure file share

Simple process if you've done it before, create a storage account > file share > New File Share.
Use connect to mount the share via CMD / powershell / Linux.
Quota is 5 TiB
In PowerShell you can create this with the storage account key, using the cmdlet New-AzureStorageShare after setting the storage context with New-AzureStorageContext.

Create Azure File Sync service

Azure file sync is a "local" Windows Server copy of the Azure file share.
Configure the service from the Azure portal - Create a new Azure File Sync resource from the marketplace.
Configure the on-premise server - disable IE enhanced security. Install the Azure File Sync Agent. Register the server.

Gotchas:
Only local non-removable volumes are supported.
Module is named Az.StorageSync
Server 2012 R2 and above (Standard and DC versions). 2GB of memory is required.
DFS - DFS-N good - DFS-R is not unsupported, but replacing it with Azure File Sync is recommended.

Create Azure sync group

Add a new SyncGroup from the portal. Select a storage account. Select a fileshare. Easy.
Add server endpoint from the cloud console.
Cloud tiering (only hot files on the cloud) has a lot of gotchas (no VSS, limited attributes, no system volume, etc).
.SystemShareInformation folder is used like the System Volume Information folder - no touchy.

Troubleshoot Azure File Sync

Don't remove the server endpoint as this could wipe your data.
Agent install troubleshooting: StorageSyncAgent.msi /l*v Installer.log
Changes can take up to 24 hours to sync in Azure File Sync.
Portal: Sync or Endpoint Health
Server: Applications and Services Logs\Microsoft\FileSync\Agent\Telemetry event logs.
AFSDiag tool
PDC role needs to be Server 2012 R2+
StorageSync.sys and StorageSyncGuard.sys are the two drivers you need to know.


AZ-102 Study notes - Part 1


These are my AZ-102 study notes from taking the Microsoft Azure Administrator Certification Transition Exam (AZ-102).

Manage Azure subscriptions and resources (5-10%)

Analyze resource utilization and consumption

Use the Cost Management + Billing section to configure budgets and set up alerts to point to an Azure resource group. Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance when using enterprise agreements with monthly commits.

Configure diagnostic settings on resources

From the Azure portal, select Azure Monitor and select diagnostic settings to enable this. Log to a storage account, Event Hub, or Log Analytics.
Use the Set-AzureRmDiagnosticSetting cmdlet and the -ResourceId switch to enable via PowerShell.

Create baseline for resources; create and test alerts.

Study up on DSC and using Azure Update management as well as update management via automation accounts.

Analyze alerts across subscription; analyze metrics across subscription, Create action groups.

Know how to create alerts using the new log analytics focused Azure monitor (target, criteria, details, and action groups)
Know about smart groups, enabling and disabling rules.
Azure metrics are kept for 93 days.

Monitor for unused resources; monitor spend; report on spend.

Know the spending limit for credit and what it does - stops everything. (no pay as you go - off by default for trial)
Use tags to group by cost center. 
Cost analysis tool. (Creating budgets, alerts, etc.)
Azure Advisor - Monitors for idle resources, resources that can be made reserved instances, unused ExpressRoute circuits, etc.
Utilize Log Search query functions.

If you're familiar with Log Analytics and the Kusto query language this should be easy. If not, I would recommend the free Pluralsight course Kusto Query Language and messing around with a Log Analytics workspace.
Query from up to 100 workspace resources using the workspace() function. You can use the query name, the qualified name, the workspace ID, or the Azure resource ID.
For example:
workspace("contosoretail-it").Update | count
Similarly with Application insights you can use the app() function to query across AppInsights apps.
Use union to group these.

View alerts in Log Analytics.

Know how to target a Log Analytics workspace for Azure monitor alerts.
Metric measurement vs number of results.

Thursday, December 20, 2018

Azure Point to Site VPN failure with error code 809

I ran into some trouble today troubleshooting a developer's workstation. The issue was when using a Point to Site IKEV2 VPN some clients could not connect - they received an error:


The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem. (Error 809)

The strange thing was that some other workstations seemed fine.


After bashing our collective heads against the wall, checking the P2SChild, doing all sorts of network troubleshooting to the endpoint DNS name - azuregateway-8fc2c9e3-26cd-432a-ae47-92b7f6422a5d-e1a7e8cec41d.vpn.azure.com, editing registry, checking firewalls, etc, we finally determined the cause of the issue.

The issue was only apparent on Windows 10 desktops with OS version 1703. After manually updating these Workstations to Windows 10 1803 we no longer received the 809 error.

Moral of the story - Remember to update your Windows 10 versions!
