Saving your production workload on Azure using Azure Resource Locks

Think of a scenario where you spend hours, or maybe days, setting up the environment a piece of software requires. This can be a couple of VMs with the required resources and parameters. Now consider a scenario where someone in your organization who has access to the same Azure subscription, or even you yourself, accidentally runs a PS command and deletes that resource group…. OUCH!

To prevent some of the above scenarios we have RBAC (Role Based Access Control) to limit who can access resources, but it will never eliminate every possible scenario. This is where Azure Resource Locks come into the picture. This nifty feature also shines if your organization has proper cloud management policies in place.

The good thing is the Microsoft Azure team has made this feature available everywhere in the Azure portal: you can apply it at Subscription, Resource Group and Resource level, and there is a hierarchy. If you apply it at the subscription level, every resource is protected by this policy. Or, better, you may only want to apply it to production Resource Groups and exclude the rest; yep, it’s possible thanks to the Azure Policy concept.

For a deep dive into this feature please refer to the official Microsoft documentation. You can reach it from here.

OK, let’s dive in my friends!

Azure locks come in two flavors: Read-Only and Delete. The Read-Only option will not allow you to perform any changes to the resources once applied. This is really useful when you don’t want any changes carried out to the resources, e.g. changing the VM size or adding disks, etc.

Whereas with the Delete option you’re prevented from deleting the resources in a resource group. If it is not combined with the Read-Only option, you’re still allowed to carry out changes to the resources.

Note: Only the Owner and User Access Administrator roles can create or delete management locks.

OK, I mentioned the resource lock option is everywhere in the Azure portal. The reason is that the Azure team lets you go down to object level and provides this feature there. That being said, let me share a few screenshots to prove the point.

Picture 1: Lock option available for a vNet.

Picture 2: Lock option available for a virtual disk.

Picture 3: Lock option available for a Resource Group.

OK, I assume you’re satisfied with my point. Now let’s dig down into this feature.

In this scenario we have a Resource Group called “DemoRG001” which hosts one important VM for an organization and its associated resources. After creating this RG we want to make sure to protect the RG and its objects from accidental damage by the internal team members who are supposed to look after the Azure subscription.

As we saw in the first part of this article, Azure locks come in two types: Read-Only and Delete. In the Azure Portal, click on Resource Groups, then click on the desired resource group, in our case DemoRG001, and then click on Locks.


In the new window that is displayed, provide a name in the Lock name section, choose the Lock type, and add Notes, which can be useful for later review.


Note: If you’re a PS junkie (who shouldn’t be?), below is the command to create the required outcome.

New-AzResourceLock -LockName <lockName> -LockLevel CanNotDelete -ResourceGroupName <resourceGroupName>

Eg: New-AzResourceLock -LockName LCKRG001 -LockLevel CanNotDelete -ResourceGroupName DemoRG001
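The single command above protects one resource group. As an added example (not code from the original post), the following PowerShell script generalizes it: it finds every resource group carrying a production tag, adds a lock only where one of the requested level is not already in place, and then lists every lock in effect inside those groups. It assumes the Az.Resources module is installed and that Connect-AzAccount has been run as an Owner or User Access Administrator; the tag name and value, the LCK- lock-name prefix and the notes text are assumptions for this example.

```powershell
# Added example, not code from the original post. Applies a resource-group lock to
# every resource group carrying a given tag and reports the locks now in effect.
# Assumes the Az.Resources module is installed and Connect-AzAccount has been run
# with an Owner or User Access Administrator identity (the roles the post names).
# The tag name/value, the lock-name prefix and the notes text are assumptions.
param(
    [string]$TagName  = 'Environment',
    [string]$TagValue = 'Production',
    [ValidateSet('CanNotDelete', 'ReadOnly')]
    [string]$LockLevel = 'CanNotDelete',
    [switch]$DryRun
)

# Get-AzResourceGroup -Tag filters on the tag, so only matching groups come back.
$targets = @(Get-AzResourceGroup -Tag @{ $TagName = $TagValue })
if ($targets.Count -eq 0) {
    Write-Warning "No resource groups carry the tag $TagName=$TagValue; nothing to lock."
    return
}

foreach ($rg in $targets) {
    $name = $rg.ResourceGroupName

    # -AtScope returns the locks set on the group itself (plus any subscription-level
    # lock), not locks on child resources; that is what decides whether the group
    # as a whole can be deleted.
    $existing = @(Get-AzResourceLock -ResourceGroupName $name -AtScope |
        Where-Object { $_.Properties.level -eq $LockLevel })

    if ($existing.Count -gt 0) {
        Write-Host "[$name] already protected by $LockLevel lock(s): $($existing.Name -join ', ')"
        continue
    }

    $lockName = "LCK-$name"
    if ($DryRun) {
        Write-Host "[$name] would create $LockLevel lock '$lockName'"
        continue
    }

    # -Force suppresses the confirmation prompt so the script can run unattended;
    # the notes are what a colleague sees in the portal before deciding to remove the lock.
    New-AzResourceLock -LockName $lockName -LockLevel $LockLevel -ResourceGroupName $name `
        -LockNotes "Production workload. Remove this lock only as part of a planned teardown." `
        -Force | Out-Null
    Write-Host "[$name] created $LockLevel lock '$lockName'"
}

# Final picture: every lock that now applies inside the targeted groups, including
# resource-level locks that were already there before this run.
foreach ($rg in $targets) {
    Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName |
        Select-Object ResourceGroupName,
                      Name,
                      @{ n = 'Level'; e = { $_.Properties.level } },
                      ResourceName
}
```

Run it first with -DryRun to see which groups would be touched; switch -LockLevel to ReadOnly for groups where configuration changes, not just deletes, should be blocked.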

Now we’re set up to prevent deletion of the resource group. With this feature activated, let’s try to delete one of the resources inside the Resource Group and observe the outcome.

I’ve tried to delete the vNet and the outcome is as follows:


To verify the above from PS, try Get-AzResourceLock.

The error message highlights the reason as “operation because following scope are locked”.

You can try this against any object inside the Resource Group and the result will be the same.

Audit the actions

If we think carefully about the above scenario we should also take logs, alerts and security into consideration. Think about it wearing the security person’s hat: we would like to see who tried to access the resource group, and especially who tried to do something malicious. Since the Activity Log captures every activity, we can see what really happened by observing the logs.
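The Activity Log review described above can be scripted. The following PowerShell is an added example, not code from the original post: it pulls the recent Activity Log for the resource group and reports two things a security person wants to see, the delete operations that failed (which is what a lock produces when someone tries to remove a protected resource) and every lock create or remove event, since removing the lock is the step that precedes an “accidental” delete. It assumes the Az.Monitor module is installed and Connect-AzAccount has been run; the resource group name DemoRG001 comes from the post, and the 7-day window is an assumption.

```powershell
# Added example, not code from the original post. Reads the Activity Log for a
# resource group and reports (a) failed delete operations and (b) lock changes.
# Assumes Az.Monitor is installed and Connect-AzAccount has been run; DemoRG001
# is the post's resource group, the 7-day window is an assumption.
param(
    [string]$ResourceGroupName = 'DemoRG001',
    [int]$Days = 7
)

$start = (Get-Date).AddDays(-$Days)

# Authorization.Action holds the RBAC operation name
# (e.g. Microsoft.Network/virtualNetworks/delete); it is a plain string, so it is
# safe to filter on regardless of Az.Monitor version. -Status Failed is applied
# server-side, so only the blocked attempts come back.
$blocked = @(Get-AzActivityLog -ResourceGroupName $ResourceGroupName -StartTime $start -Status Failed -MaxRecord 1000 |
    Where-Object { $_.Authorization.Action -like '*/delete' })

Write-Host "Failed delete operations in $ResourceGroupName since $($start.ToString('u')): $($blocked.Count)"
$blocked |
    Sort-Object EventTimestamp -Descending |
    Select-Object EventTimestamp, Caller,
                  @{ n = 'Action'; e = { $_.Authorization.Action } },
                  @{ n = 'Scope';  e = { $_.Authorization.Scope } } |
    Format-Table -AutoSize

# Lock changes are the other thing to watch. Microsoft.Authorization/locks/write
# and /delete are the RBAC operations behind creating and removing a lock.
$lockChanges = @(Get-AzActivityLog -ResourceGroupName $ResourceGroupName -StartTime $start -MaxRecord 1000 |
    Where-Object { $_.Authorization.Action -like 'Microsoft.Authorization/locks/*' })

Write-Host "Lock create/remove operations: $($lockChanges.Count)"
$lockChanges |
    Sort-Object EventTimestamp -Descending |
    Select-Object EventTimestamp, Caller,
                  @{ n = 'Action'; e = { $_.Authorization.Action } },
                  @{ n = 'Scope';  e = { $_.Authorization.Scope } } |
    Format-Table -AutoSize

# Callers who removed a lock inside the window: worth a conversation, or an alert rule.
$lockRemovers = $lockChanges |
    Where-Object { $_.Authorization.Action -eq 'Microsoft.Authorization/locks/delete' } |
    Select-Object -ExpandProperty Caller -Unique
if ($lockRemovers) {
    Write-Warning "Locks were removed by: $($lockRemovers -join ', ')"
}
```

The same two filters (failed deletes, and any Microsoft.Authorization/locks/delete operation) are the natural conditions for an Activity Log alert rule, so the team hears about a removed lock before anyone relies on it.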


Azure Resource Lock is a nifty feature and very useful for production environments. Combining it with RBAC makes a great combination for granular control of resources as well as for security.

Now I know a demonstration is worth more, so here is the video for you:

https://www.youtube.com/watch?v=iy1jtyoP7Ok

Any questions lads?

Adding Microsoft PowerShell on Linux Mint

Microsoft PowerShell is a very powerful tool sysadmins need to master. The best thing is it is open source now and can run on Mac and Linux as well. (Hint: that gives you an idea where Microsoft is heading.)

This particular blog post mainly focuses on setting up PowerShell on the Linux Mint platform, which is a variant of Debian.

Packages for Linux can be found on GitHub. Download the appropriate one for your operating system.

In the above picture, for Linux Mint I have chosen “powershell_6.2.2-1.ubuntu.18.04_amd64.deb”. If you’re inside the Linux Mint platform just click the package download and let the Application Manager do the needful. Once completed, open the terminal and type “pwsh”.

If you’d like to do the above task from the terminal (who doesn’t like to get their hands dirty inside a Linux platform?), try the commands below:

1. Download the Microsoft repository GPG keys

wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb

2. Register the Microsoft repository GPG keys

sudo dpkg -i packages-microsoft-prod.deb

3. Update the list of products

sudo apt-get update

4. Enable the “universe” repositories

sudo add-apt-repository universe

5. Install PowerShell

sudo apt-get install -y powershell

6. Start PowerShell

pwsh

That’s it. Now you have two major worlds combined under one roof to control!

https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-6

Microsoft Hyper-V S3 Cap warning when upgrading a Hyper-V Virtual Machine (During OS upgrade)

During a recent engagement upgrading a Server 2012 OS to the latest version, Server 2012 R2, I came across the above error, which prevented me from carrying out the upgrade.


This prevented me from carrying out the required upgrade. The errors were recorded in the Windows Compatibility Report.htm.

Further searching revealed that Microsoft Hyper-V S3 Cap is an old S3 Trio 765 emulated video device; the driver isn’t included any more, so you get this particular warning. This will never cause you any issues. So the next step was to go into Device Manager, expand PCI bus, locate Microsoft Hyper-V S3 Cap and remove it (sorry folks, I couldn’t get a screenshot of this from the live system at the time).

Once removed, you can go ahead and try running the in-place upgrade and continue the setup.

Upgrade Windows Server 2019 Evaluation to Full Version (Standard to Datacenter)

Recently I came across a problem where a Windows Server 2019 Standard edition Evaluation version had been set up in a production environment. The requirement was to convert this server into Server 2019 Datacenter edition. The steps taken are as follows:

1. Make sure you have the correct license key in hand.

2. On the source server run the command:

Dism /online /Get-CurrentEdition

The above command will show you the current version as well as the supported versions for activation.

To activate via PS run the command below:

DISM /online /Set-Edition:ServerDatacenter /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

If everything goes smoothly, you’ll be requested to restart the server.


A few areas for you to be aware of:

  • Upgrades from pre-release versions (previews) of Windows Server 2019 are not supported. Perform a clean installation to Windows Server 2019.
  • Upgrades that switch from a Server Core installation to a Server with a Desktop installation (or vice versa) are not supported.
  • Upgrades from a previous Windows Server installation to an evaluation copy of Windows Server are not supported. Evaluation versions should be installed as a clean installation.
  • You can convert the evaluation version of Windows Server 2019 Standard to either Windows Server 2019 Standard (retail) or Datacenter (retail). Similarly, you can convert the evaluation version of Windows Server 2019 Datacenter to the retail version.

The official guide and recommendation from Microsoft can be found here.

Azure AD allows seamless collaboration for any user with any account (towards the dream)

In a world where collaboration rocks, we always question the security boundary. By now I hope we all agree the answer relies on identity. Our application access and controls should follow identity, to allow people the flexibility to work from anywhere whilst maintaining the required security.

Microsoft Azure Active Directory is now moving towards that dream. Today marks the public preview of sharing resources (applications and data) with people from any organization, whether or not they have Azure AD or an IT department. Earlier, Microsoft worked closely with Google social IDs for this task.

Under this preview, end users can use any type of e-mail ID to access resources in another organization, for true B2B collaboration. This happens via email one-time passcodes (OTP). By using this new capability, you allow guest users to use their work email account for authentication while making sure your corporate resources are protected by the same security standards that are mandated by your partner organization. Once the end user gets the code and is verified, that session is valid for 24 hours. OTP codes are valid for 30 minutes. These settings are carefully applied with security in mind.

In addition, we can apply additional security through Conditional Access and Multi-Factor Authentication (MFA), which are available under Azure Active Directory Premium (AADP).

Guest users will get a one-time passcode if the scenarios below are true:

  • They do not have an Azure AD account
  • They do not have a Microsoft account
  • The inviting tenant did not set up Google federation for @gmail.com and @googlemail.com users

(Picture credits go to Microsoft Tech Community)

OK, let’s get into action and enable this feature now.

Log into the Azure portal and go to Azure Active Directory –> Organizational relationships –> Users from other organizations –> Settings.

Select “Enable Email One-Time Passcode for Guests (Preview)” and then save the changes.


Well, that’s all you have to do. Head back to “Users from other organizations” and add the users. Once the above task is completed it might take a little time to apply.

After that, share the resources with the outside party.


When the user gets the email for the first time, he/she has to go through the redemption procedure and accept the company policies. Once completed, when they try to access the company resources they will be prompted to sign in and asked for a code. Below is an example of such a situation:

(Picture credits go to Microsoft Tech Community)

What is exciting are the new doors this opens for companies to securely allow external parties access to their resources, knowing the control they have.

Goodbye MVA and welcome “LEARN”

If you’re a technical person who loves Microsoft technology then you must have spent time on MVA. Microsoft Virtual Academy is one of my favorite places to learn about Microsoft technology. Starting from the basics all the way to level 300, the content is there, plus you can do your own knowledge validation and exams. That being said, Microsoft has decided to close the learning site and come up with a new learning platform. Before I jump into that: if you’re an MVA fan then you still have time to complete your pending learning and exams until the end of January 2019. Best is to visit the MVA site and complete your pending tasks.


To view your progress, visit the Dashboard and complete any pending training courses.


So now you’re aware of the future that awaits MVA; what does that mean for you with Microsoft Learn? What is Microsoft Learn?

Microsoft Learn is an interactive learning environment that includes short step-by-step tutorials (I can see more in Azure), interactive coding/scripting environments, and task-based achievements that help you advance your technical cloud skills. I like the new idea, but again, change is not welcomed by everyone at first glance. Best is to give it a try and see how it matters to you.


I like the idea of role-based training. With the rapid changes in cloud technology it would be a pretty difficult task to keep up with all the technology updates. Ideal would be to have small chunks and learn them. Even Microsoft Azure classroom training has to go down that path in order to teach students.

In case you’re missing advanced concept training, Microsoft has provided links to external training partners for you to refer to. Such learning partners are LinkedIn & Pluralsight.


I do hope Microsoft will not forget IT users who are interested in Windows Server and System Center technology. Fingers crossed for that.

Until that time arrives, best is to start with the “Azure Fundamentals” training:

https://docs.microsoft.com/en-us/learn/paths/azure-fundamentals/

Resetting the VMware vCenter appliance (VCSA) root password

OK, this is a strange problem I came across during my VMware lab setup. For some reason the password I set up during my vCenter appliance setup is not being detected. Yes, I waited long enough for the appliance to boot up.

So here I am wondering how to move to the next step without wiping and starting my test lab from scratch. Based on my research, I found out we can reset the root password on the Linux appliance. This is going to be a post which will be helpful for me as well as for all of you when struggling through root password issues in VCSA.

To provide some background, I’m testing a VMware ESXi and vCenter (VCSA) 6.7 setup running on VMware Workstation 14. For this lab setup I imported the VCSA OVA file directly into VMware Workstation instead of setting it up inside the ESXi server (yes, you can do that).

Please note VMware uses their own OS, called “Photon OS”, for the VCSA appliance.

OK, now for the step-by-step guide.

1. Take a snapshot or backup of your VCSA appliance. Restart the VM and hit the letter “e” on your keyboard when you see the Photon OS splash screen. This will take you to the GRUB boot menu. At the end of the first line, append the parameter rw init=/bin/bash


2. After that, press F10 to continue the boot. After a few seconds you’ll be presented with a root login. Type passwd. You’ll be prompted to enter the new password; type the new password and repeat it for verification. If you’re successful you’ll be told so.


3. Once the steps are completed, type reboot -f and let the system restart. After the system reboots, try connecting to the VCSA login screen with the new password.

Hope these small steps will save you a lot of time. From what I heard, if there are new updates to Photon OS there is a possibility the password we set up might not work. Remember these steps to overcome that.

Kindly note I’ve only tested this on VMware 6.7. I do believe the same will work on version 6.5 as well.