Keeping up with Azure Changes

If you want to keep up with “all” the changes in Azure, I recommend following these sites:

Websites with Update Roundups

Azure Updates – https://azure.microsoft.com/en-us/updates/

Azure Blog Updates – https://azure.microsoft.com/en-us/blog/topics/updates/

Last Week in Azure – https://azure.microsoft.com/en-us/blog/topics/last-week-in-azure/

Build Azure – https://buildazure.com/category/azure-weekly/

Podcasts & Videos

The Azure Podcast – http://azpodcast.azurewebsites.net/

Azure Friday – https://azure.microsoft.com/en-us/resources/videos/azure-friday/

Azure Flash Friday – http://www.azureflashfriday.com/

Microsoft Cloud Show – http://www.microsoftcloudshow.com/#

Azure This Week – A Cloud Guru – https://www.youtube.com/playlist?list=PLI1_CQcV71RmnrRBgJNlI1yY_WiOWIXov


O365 PowerShell Module Installs

If you need to set up a new machine to run O365 PowerShell commands, this post is for you. Todd Klindt’s post covers similar information.

To suppress the warning you get when installing from the PowerShell Gallery, run this:

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Keep in mind that this marks everything in the gallery as trusted, so the prompt no longer stands between you and a look-alike module published by someone else. Check the Author and CompanyName of what you install (Find-Module shows both), or suppress the prompt per install with Install-Module -Force instead of trusting the whole repository.

Official Microsoft Modules

Sign-in assistant (needed for MSOL and AzureAD Modules)

Microsoft Online
Original Tenant Directory Management
Prefix: MSOL
Install-Module -Name MSOnline

AzureAD
Newer Tenant Directory Management
Prefix: AzureAD
Install-Module azuread

AzureADPreview
Latest Tenant Directory Management
Prefix: AzureAD
Install-Module -Name AzureADPreview

SharePoint Online
Manage SharePoint sites and related services
Prefix: SPO
Install-Module -Name Microsoft.Online.SharePoint.PowerShell

Teams
Microsoft Teams Management
Prefix: Team
Install-Module MicrosoftTeams

Skype for Business
(No PowerShell module install from Gallery)

Flow and PowerApps
Flow and PowerApps management
Prefix: No Prefix
Install-Module -Name Microsoft.PowerApps.PowerShell
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -AllowClobber
(First module works for user, add the second module for Admin management cmdlets)

3rd Party Installs

SharePoint PnP PowerShell
Essential to manage SharePoint and related technologies
Install-Module SharePointPnPPowerShellOnline

Credential Manager
Used to create and retrieve Windows Stored Credentials
Install-Module credentialmanager

If you only need to update modules that are already installed, run the Update-Module cmdlet.
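The whole install list above, as one script. This is an added example and not code from the original post: it installs each module only when it is missing, shows who published it before anything from the gallery is installed, and updates what is already present. It assumes PowerShellGet is available and the machine can reach the PowerShell Gallery; the Sign-in Assistant is an MSI and is out of scope here. Module names are the ones from the list above.

```powershell
# Added example, not from the original post. Assumes PowerShellGet and reachability of PSGallery.
$O365Modules = @(
    @{ Name = 'MSOnline' },
    @{ Name = 'AzureAD' },
    @{ Name = 'Microsoft.Online.SharePoint.PowerShell' },
    @{ Name = 'MicrosoftTeams' },
    @{ Name = 'Microsoft.PowerApps.PowerShell' },
    # Shares cmdlet names with the user module above, hence AllowClobber (as in the list).
    @{ Name = 'Microsoft.PowerApps.Administration.PowerShell'; AllowClobber = $true },
    @{ Name = 'SharePointPnPPowerShellOnline' },
    @{ Name = 'CredentialManager' }
)

function Install-O365Module {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$AllowClobber
    )
    if (Get-Module -ListAvailable -Name $Name) {
        Write-Host "[skip]    $Name is already installed"
        return
    }
    # Look the module up first: author and company are the cheapest check against a
    # look-alike package before anything from the gallery runs on this machine.
    $pkg = Find-Module -Name $Name -Repository PSGallery -ErrorAction Stop
    Write-Host ("[install] {0} {1} by {2} ({3})" -f $pkg.Name, $pkg.Version, $pkg.Author, $pkg.CompanyName)
    $params = @{
        Name       = $Name
        Repository = 'PSGallery'
        Scope      = 'CurrentUser'   # no elevation needed; use AllUsers on a shared admin box
        Force      = $true           # answers the untrusted-repository prompt for this install only
    }
    if ($AllowClobber) { $params.AllowClobber = $true }
    Install-Module @params
}

function Update-O365Modules {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # Update-Module only knows about modules that were installed with Install-Module.
        if (Get-Module -ListAvailable -Name $n) {
            Write-Host "[update]  $n"
            Update-Module -Name $n -ErrorAction Continue
        }
    }
}

foreach ($m in $O365Modules) { Install-O365Module @m }
Update-O365Modules -Names $O365Modules.Name
```

Running it a second time only performs the update pass, so the same script serves both the initial setup and routine maintenance of an admin workstation.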

Configuring Azure MFA in ADFS: Service Principal was not found

Hi All,

Today I’m back with ADFS. The other day I needed to configure ADFS with Azure MFA for a client. First I configured the ADFS farm (in my case on Windows Server 2016), and then I was ready to configure Azure MFA as an authentication method for the intranet and extranet.

Why? Because the project required all internal users to use MFA to authenticate to O365, and this can be integrated with ADFS in a few simple (but tricky) steps. As you know, if you have E1 or E3 licenses, you can use Azure MFA by default; it is not necessary to purchase extra licenses to use this service. (First point to take into account.)

For the record, you will need the Connect-MsolService cmdlet, so make sure the PowerShell modules are installed on your server:

Install-module MSOnline
Install-module AzureAD

Once you have installed this, you need to execute the following commands:

$tenantID = "yourtenant.onmicrosoft.com"
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantID $tenantID

Connect-MsolService
New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
Set-AdfsAzureMfaTenant -TenantId $tenantID -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720

You can check the info in the following article: https://docs.microsoft.com/es-es/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

But in my case, every time I executed New-MsolServicePrincipalCredential I received an error saying “Service Principal was not found”. I double-checked that I was Global Admin in O365 and in the Azure subscription, and I was!! So… what does that error mean?

It means that the service principal for Azure MFA is not registered in your tenant. Solving it is very simple: get a trial of Azure MFA (P1, P2, EMS, or any plan that includes Azure MFA) and assign a license to one user; in my case, I assigned it to the test users. It seems you will not see “Azure Multi-Factor Auth Client” in the list of MSOL service principals until at least one account on your tenant has an MFA license.

After doing this, I waited a couple of minutes and ran the PowerShell commands above again… and bang!! I was able to register Azure MFA as an authentication method on the ADFS server.

I think the short story is that using the new ADFS adapter requires MFA licenses. It does not work with an Azure MFA Provider, but MFA licenses can be purchased standalone or come included in Azure AD Premium and EMS.
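The same procedure with the checks that would have saved the trip above, as an added example that is not code from the original post. It is meant to run on the Windows Server 2016 ADFS server with the MSOnline module installed and a Global Administrator account. The client ID is the well-known Azure Multi-Factor Auth Client ID used in the post; the tenant name is a placeholder, and the service-plan names matched in step 1 (MFA_PREMIUM, AAD_PREMIUM, AAD_PREMIUM_P2) are assumptions about how the licenses show up in Get-MsolAccountSku.

```powershell
# Added example, not from the original post. Run on the ADFS server as Global Administrator.
$TenantId         = 'yourtenant.onmicrosoft.com'                # placeholder
$AzureMfaClientId = '981f26a1-7f43-403b-a875-f8b09b8cd720'       # Azure Multi-Factor Auth Client

Connect-MsolService

# 1. Is at least one Azure MFA / Azure AD Premium license assigned? Without one, the service
#    principal in step 2 is never provisioned and New-MsolServicePrincipalCredential fails with
#    "Service Principal was not found". Plan names below are an assumption.
$mfaSkus = Get-MsolAccountSku | Where-Object {
    $_.ServiceStatus.ServicePlan.ServiceName -match '^(MFA_PREMIUM|AAD_PREMIUM|AAD_PREMIUM_P2)$'
}
if (-not $mfaSkus) {
    throw 'No SKU in this tenant includes Azure MFA / Azure AD Premium; add one (a trial is enough).'
}
$assigned = ($mfaSkus | Measure-Object -Property ConsumedUnits -Sum).Sum
if (-not $assigned) {
    throw 'A qualifying SKU exists but no license is assigned to any user; assign one and wait a few minutes.'
}

# 2. Confirm the service principal is visible before trying to attach a credential to it.
$sp = Get-MsolServicePrincipal -AppPrincipalId $AzureMfaClientId -ErrorAction SilentlyContinue
if (-not $sp) {
    throw "Service principal $AzureMfaClientId (Azure Multi-Factor Auth Client) is not in the tenant yet; licensing can take a few minutes to propagate."
}

# 3. Generate the tenant certificate on the farm and register its public key on the SP.
#    On a farm that already has one, use -Renew on New-AdfsAzureMfaTenantCertificate instead.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId
New-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId -Type Asymmetric -Usage Verify -Value $certBase64

# 4. Point the farm at the tenant, restart ADFS, and enable the adapter as an additional method.
#    Note: -AdditionalAuthenticationProvider replaces the list, so include any provider already in use.
Set-AdfsAzureMfaTenant -TenantId $TenantId -ClientId $AzureMfaClientId
Restart-Service adfssrv
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'AzureMfaAuthentication'

# 5. Verify: True means the farm has its Azure MFA certificate and tenant configured.
Get-AdfsAzureMfaConfigured
```

Steps 1 and 2 are the ones the post had to discover the hard way; they turn a generic “not found” error into a message that says what is actually missing.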

That’s all for today!

Azure disk: Managed VS Unmanaged

This question keeps coming up, so I want to write these lines down to make it clear in my mind and for my customers:

With unmanaged disks, you are responsible for the storage accounts that hold the VHDs backing your VM disks. You pay the storage account rates for the space you use, which is great: you pay for what you use.

A single standard storage account can support about 40 standard virtual hard disks at full throttle (the account is capped at 20,000 IOPS and each standard disk at 500 IOPS). If you need to scale out beyond that, you need more than one storage account, which gets complicated.

Managed disks are the newer, recommended disk storage model. You only specify the disk type (Premium or Standard) and the size, and Azure creates and manages both the disk and the storage behind it. You don’t have to worry about storage account limits, which makes scaling out easier. They also offer several other benefits:

  • Increased reliability: Azure places the disks of VMs in an availability set on different storage scale units, so a single storage failure does not take out all of them.
  • Better security: managed disks are first-class resources in the resource group, so role-based access control decides who can attach, snapshot, export or delete them, instead of everyone holding the storage account key having access to the VHD data.
  • Snapshot support: a snapshot is a read-only copy of a managed disk. For an application-consistent copy, stop the VM first; the snapshot itself takes only a few seconds, after which you can power the VM back on and use the snapshot to build a duplicate VM for troubleshooting a production issue, or to roll the VM back to that point in time.
  • Backup support: Azure Backup can back up managed disks automatically, with the backup stored in a Recovery Services vault that can be geo-redundant for disaster recovery, without affecting the service of the VM.
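To make the unmanaged/managed distinction and the RBAC point concrete, here is an added example (not from the original post) using the Az PowerShell module with an authenticated session (Connect-AzAccount). It reports which VMs still use unmanaged disks, lists the role assignments effective on a managed disk, and takes a snapshot of a managed OS disk. Resource names are placeholders.

```powershell
# Added example, not from the original post. Assumes the Az module and Connect-AzAccount.
function Get-VmDiskModelReport {
    # One row per VM: an unmanaged OS disk is a VHD URI inside a storage account you manage
    # yourself; a managed one is a disk resource ID that RBAC can be scoped to.
    Get-AzVM | ForEach-Object {
        $os = $_.StorageProfile.OsDisk
        [pscustomobject]@{
            VM            = $_.Name
            ResourceGroup = $_.ResourceGroupName
            DiskModel     = if ($os.ManagedDisk) { 'Managed' } else { 'Unmanaged' }
            Backing       = if ($os.ManagedDisk) { $os.ManagedDisk.Id } else { $os.Vhd.Uri }
        }
    }
}

function Get-ManagedDiskAccess {
    # Role assignments effective at the disk's own scope, inherited ones included.
    # This is the "better security" point: an unmanaged VHD has no equivalent, only account keys.
    param([Parameter(Mandatory)][string]$DiskResourceId)
    Get-AzRoleAssignment -Scope $DiskResourceId |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
}

function New-OsDiskSnapshot {
    # Full read-only copy of a managed OS disk. Stop the VM first for an
    # application-consistent copy; the snapshot itself is quick.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName
    )
    $vm     = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $diskId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
    if (-not $diskId) {
        throw "$VMName uses an unmanaged OS disk; convert it first (ConvertTo-AzVMManagedDisk, VM deallocated)."
    }
    # The disk may live in a different resource group than the VM; take both from its ID:
    # /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/disks/{name}
    $parts = $diskId -split '/'
    $disk  = Get-AzDisk -ResourceGroupName $parts[4] -DiskName $parts[-1]
    $cfg   = New-AzSnapshotConfig -SourceUri $disk.Id -Location $disk.Location -CreateOption Copy
    $name  = '{0}-os-{1}' -f $VMName, (Get-Date -Format 'yyyyMMdd-HHmm')
    New-AzSnapshot -ResourceGroupName $ResourceGroupName -SnapshotName $name -Snapshot $cfg
}

# Usage (placeholder names):
Get-VmDiskModelReport | Format-Table -AutoSize
# Get-ManagedDiskAccess -DiskResourceId '/subscriptions/.../resourceGroups/rg-prod/providers/Microsoft.Compute/disks/vm01_OsDisk'
# New-OsDiskSnapshot -ResourceGroupName 'rg-prod' -VMName 'vm01'
```

The report is a quick way to find the VMs whose disk access is still governed by a storage account key rather than by RBAC, which is usually the first migration candidate list.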

EMS in O365 Enterprise plans

From time to time I am asked which security features are included in the O365 Enterprise plans, so I decided to write them down:

EMS is not part of Office 365 E3 or E5 on its own; it comes bundled with them in the Microsoft 365 E3 and E5 plans, as summarized in the table below.

Product                               E3 plan    E5 plan
Azure AD Premium                      P1         P2
Intune                                Yes        Yes
Azure Information Protection          P1         P2
Microsoft Advanced Threat Analytics   Yes        Yes
Cloud App Security                    No         Yes
Configuration Manager                 Yes        Yes

Also take into account that Azure AD is the central identity store for all applications, and that it comes in several tiers (Free, Basic, P1 and P2). But which features are included in P1?

  • Self-service password reset
  • Write-back from Azure AD to on-premises Active Directory Domain Services (for example password writeback, so a password reset in the cloud is applied on-premises as well)
  • Microsoft Azure Multi-Factor Authentication (MFA) for cloud and on-premises apps
  • Conditional access based on group, location, and device state

The following feature is only included in P2:

  • Conditional access based on sign-in or user risk (P2 plan only)

Azure File Sync: ERROR_INVALID_REPARSE_DATA

While I was involved in a project where Azure File Sync was the biggest part, I ran into a weird synchronization problem. Initially everything seemed fine and replication ran without issues, but at some point (and I don’t know why) the Azure portal showed an error:

[Screenshot: the Azure File Sync error as displayed in the Azure portal]

The error shown does not help much, so after further investigation I found the following Microsoft KB:

https://support.microsoft.com/en-us/help/4074597/windows-81-update-kb-4074597

I also found some errors in the disk partition, so I had to repair them. After doing those things, the error “disappeared”:

[Screenshot: the Azure portal after the repair, with the error gone]

After a few sync cycles it started syncing every file from the file server to Azure File Sync, so my customer was happy again, and so was I 🙂
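Before repairing a volume it is worth knowing what the sync agent is tripping over. The following is an added example, not code from the original post: it lists every reparse point under a server endpoint, separates Azure File Sync’s own tiered files (reparse points the agent also marks Offline and Sparse) from links and other reparse points, and then runs a read-only online scan of the volume. The endpoint path is a placeholder and is assumed to be on a local drive letter.

```powershell
# Added example, not from the original post. Run on the Azure File Sync server; path is a placeholder.
function Get-ReparsePointReport {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $attrs    = $_.Attributes
            $offline  = [bool]($attrs -band [IO.FileAttributes]::Offline)
            $sparse   = [bool]($attrs -band [IO.FileAttributes]::SparseFile)
            # Tiered files are reparse points the sync agent marks Offline + Sparse; anything
            # else carrying a reparse point (symlink, junction, another driver's tag) is a
            # candidate when sync reports ERROR_INVALID_REPARSE_DATA.
            $kind = if ($offline -and $sparse) { 'AFS tiered file' }
                    elseif ($_.LinkType)      { "Link ($($_.LinkType))" }
                    else                      { 'Other reparse point' }
            [pscustomobject]@{
                Path       = $_.FullName
                Kind       = $kind
                LinkType   = $_.LinkType
                Attributes = $attrs.ToString()
                LastWrite  = $_.LastWriteTime
            }
        }
}

function Invoke-EndpointVolumeScan {
    param([Parameter(Mandatory)][string]$Path)
    # Assumes a local drive letter (not a UNC path).
    $letter = (Get-Item -LiteralPath $Path).PSDrive.Name
    # -Scan is read-only and runs online; -SpotFix or -OfflineScanAndFix actually repair.
    Repair-Volume -DriveLetter $letter -Scan
}

$endpoint = 'D:\Shares\Data'   # placeholder server endpoint path
Get-ReparsePointReport -Path $endpoint |
    Where-Object Kind -ne 'AFS tiered file' |
    Format-Table Kind, LinkType, Attributes, Path -AutoSize
Invoke-EndpointVolumeScan -Path $endpoint
```

Review the non-tiered entries before touching the volume: a junction or symlink that someone dropped into the share explains a reparse-point error far more often than file system corruption does, and the scan result tells you whether chkdsk-style repair is actually needed.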