Hundreds of Hours of FREE Azure Learning Resources

There are hundreds of hours of free learning resources for learning Microsoft cloud technologies ranging from DevOps to hybrid cloud, to Office 365 and cybersecurity. A few of the most recent offerings are listed here.

Kusto Query Language (KQL) from Scratch. KQL is the language of Azure Log Analytics, which is ubiquitous across the Microsoft cloud. This 4-hour course is a great place to get some hands-on practice.

https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch

Microsoft Learn. Microsoft Learn is the property replacing Microsoft Virtual Academy as a go-to place for learning Microsoft technologies free of charge.

https://docs.microsoft.com/en-us/learn/

Microsoft Hands-On Labs. Here, you’ll find more than 140 hands-on labs on Microsoft cloud services and hybrid cloud. To get to the content most relevant to you, you can sort the list by job role and topic.

https://www.microsoft.com/handsonlabs

Azure DevOps Hands-On Labs. There are more than a dozen hands-on labs with push-button automation to pre-populate your Azure environment.

https://www.azuredevopslabs.com/

Convert Azure AD B2B Users from Guest to Member: How and Why

The primary difference between a Guest and a Member user lies in their lookup rights in the Azure AD directory. Specifically, the two UserType values differ as follows:

  • Member. This user is expected to have access to internal-only sites and is not considered an external collaborator. This matters when exercising rights that come with privileged roles like Global Administrator.
  • Guest. Indicates a user who isn’t considered internal to the company. This type of user has restricted access and lookup rights in the directory.

Read more about this in “Understand the B2B user”.

To convert a user from UserType Guest to Member

Install the Azure AD PowerShell module

Install-Module AzureAD

Authenticate to your Azure AD tenant

Connect-AzureAD

Search for your user by UPN (just to be sure).

Get-AzureADUser -SearchString pete.zerger@lumagatena.com

Now, pass the output to Set-AzureADUser, setting UserType to Member.

Get-AzureADUser -SearchString pete.zerger@lumagatena.com | Set-AzureADUser -UserType member

Repeat the Get-AzureADUser search to confirm the output shows UserType = Member.

Get-AzureADUser -SearchString pete.zerger@lumagatena.com
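The steps above wrapped in a function with the checks an administrator would want before flipping UserType: an exact match instead of a prefix search, a no-op when the account is already a Member, and a re-read to verify. This is an added example, not code from the original post; it assumes Connect-AzureAD has already been run and the e-mail address is a placeholder.

```powershell
# Added example (not from the original post): convert one B2B guest to Member
# with the checks an administrator would want around the one-liner above.
# Assumes Connect-AzureAD has already been run; the address is a placeholder.
function Convert-GuestToMember {
    param(
        [Parameter(Mandatory)][string]$InvitedEmail
    )

    # -Filter on the exact invited address rather than -SearchString, which is a
    # prefix match and can return several accounts (e.g. pete and pete.zerger).
    $user = Get-AzureADUser -Filter "mail eq '$InvitedEmail'"
    if (-not $user) { throw "No user found with mail $InvitedEmail" }
    if (@($user).Count -ne 1) { throw "Filter matched $(@($user).Count) users; refusing to continue" }

    if ($user.UserType -eq 'Member') {
        Write-Host "$InvitedEmail is already a Member; nothing to do."
        return $user
    }

    # Record what is about to change; the Azure AD audit log will show the
    # 'Update user' event, but a local trace helps when reviewing bulk runs.
    Write-Host ("Converting {0} ({1}) from {2} to Member" -f $user.DisplayName, $user.ObjectId, $user.UserType)

    Set-AzureADUser -ObjectId $user.ObjectId -UserType Member

    # Re-read and verify instead of trusting that the pipeline silently succeeded.
    $after = Get-AzureADUser -ObjectId $user.ObjectId
    if ($after.UserType -ne 'Member') { throw "UserType is still $($after.UserType)" }
    $after
}

Convert-GuestToMember -InvitedEmail 'pete.zerger@lumagatena.com' |
    Format-Table DisplayName, UserPrincipalName, UserType -AutoSize
```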

This would be a handy feature in the UI for sure. There is actually a request on User Voice for this feature. Vote it up if you agree: Update UserType from portal.

Azure CLI ‘az login’ returns ‘Permission denied’

I recently encountered a fresh install of the Azure CLI on Ubuntu 18.04 LTS that failed at the ‘az login’ step with the following error:

[Errno 13] Permission denied: ‘/home/pzerger/.azure/config’

When I looked at permissions on the directory with the command below, I saw that my account simply lacked write and execute permissions.

ls -la /home/pzerger/.azure/

The Fix

To resolve the issue, I simply ran chmod to grant my account permissions, as shown below.

sudo chmod -R 777 /home/pzerger/.azure/config
sudo chmod -R 777 /home/pzerger/.azure

As soon as I did this, ‘az login’ worked as designed.

High Resolution Azure Governance Icons

Had a handful of folks reaching out looking for the link from Twitter. Get it below.


https://gallery.technet.microsoft.com/Azure-Governance-Icons-a2d535ff

By request, this zip file contains five high resolution SVG icons for Azure Governance components, listed below.

  • blueprint.svg
  • governance.svg
  • management-groups.svg
  • policy.svg
  • resource-graph.svg

I suspect these icons will appear in some future release of the icons and stencils from Microsoft, but this will provide an easily accessible source in the interim.

FIX: Cannot boot VM from ISO to install OS

Just sharing a quick fix for an issue you may encounter when working in secure environments.

The issue

I encountered a Hyper-V VM in the lab today that would not boot from an Ubuntu ISO image. No matter what I did, the VM went straight to attempting PXE boot (even with network boot at the bottom of the boot order list).

The fix

Then I noticed that, in the VM Settings, the Enable Secure Boot option was checked. This feature (available only on gen 2, UEFI VMs) prevents unauthorized code from running at boot time…which includes random ISOs mounted to the VM.

Uncheck the ‘Enable Secure Boot’ option, and the VM will boot from the ISO as expected.
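An alternative to unchecking the box, as an added example that is not part of the original post: inspect the VM firmware from PowerShell and keep Secure Boot enforced but switch it to the template that trusts the Microsoft UEFI Certificate Authority, which is what signed Linux boot media such as Ubuntu validate against. It assumes the Hyper-V PowerShell module and a stopped Gen 2 VM; the VM name is a placeholder.

```powershell
# Added example (not from the original post): inspect a Gen 2 Hyper-V VM's
# firmware and, instead of disabling Secure Boot, switch it to the template
# that trusts the Microsoft UEFI CA used by signed Linux boot media (Ubuntu).
# Requires the Hyper-V PowerShell module and a stopped VM; $VMName is a placeholder.
param([string]$VMName = 'ubuntu-lab-01')

function Get-SecureBootState {
    param([string]$Name)
    $fw = Get-VMFirmware -VMName $Name
    [pscustomobject]@{
        VM         = $Name
        SecureBoot = $fw.SecureBoot            # On / Off
        Template   = $fw.SecureBootTemplate    # MicrosoftWindows or MicrosoftUEFICertificateAuthority
        BootOrder  = ($fw.BootOrder | ForEach-Object { $_.BootType }) -join ' > '
    }
}

# Before: typically SecureBoot=On with the MicrosoftWindows template, so the
# Ubuntu ISO's bootloader fails validation and the VM falls through to PXE.
Get-SecureBootState -Name $VMName | Format-List

# Keep Secure Boot on, but validate against the Microsoft UEFI CA instead.
Set-VMFirmware -VMName $VMName -EnableSecureBoot On `
    -SecureBootTemplate 'MicrosoftUEFICertificateAuthority'

# Put the DVD drive first in the boot order so the ISO is tried before the NIC.
$dvd = Get-VMDvdDrive -VMName $VMName | Select-Object -First 1
if ($dvd) { Set-VMFirmware -VMName $VMName -FirstBootDevice $dvd }

Get-SecureBootState -Name $VMName | Format-List
```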

Read more about Secure Boot at https://blogs.technet.microsoft.com/dubaisec/2016/03/14/diving-into-secure-boot/

HOW-TO: Wireshark-friendly network packet capture with Azure Network Watcher

Earlier this year, Microsoft released a preview of the Azure Network Watcher. It includes a number of network analysis and troubleshooting features, but the packet capture is the one I get the most questions about. The packet capture is written to a .cap file in the standard format used by popular network capture tools such as Wireshark.

In addition to enabling the Network Watcher VM extension, we need to enable Network Watcher in each Azure region where we have resources we need to monitor. If you highlight the subscription, you can enable it in all Azure regions in one click.

Then, we select Network Watcher and click the +Add button.

When we configure the packet capture settings, we can set several options, including the source and target machine and the duration of the capture.

Note: I like the option to store the capture file in a storage account for central storage, but we can also select the File option to store the capture on the target VM.

By clicking the +Add filter option, we can configure many of the same types of filters we could with popular capture tools, including ports, addresses and protocols, and take a capture.

Once the capture is complete, we can click on the cap file to proceed with download.

…which requires that we then click a Download link.

Then, we can open it in the tool of our choice, such as Wireshark.

While we can start captures manually, we can also start captures programmatically, such as through Azure Functions.
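The portal steps above, started from Az PowerShell so the same capture can run from a script or an Azure Function. This is an added example, not code from the original post; the resource group, VM, storage account and region are placeholders, and it assumes Connect-AzAccount has been run, Network Watcher is enabled in the VM's region and the Network Watcher extension is installed on the VM, as described above.

```powershell
# Added example (not from the original post): the capture the portal steps
# create, started from Az PowerShell. Resource group, VM, storage account and
# region are placeholders; assumes Connect-AzAccount, Network Watcher enabled
# in the region and the Network Watcher VM extension installed on the target.
param(
    [string]$ResourceGroup  = 'rg-lab',
    [string]$VMName         = 'web01',
    [string]$StorageAccount = 'stlabcaptures',
    [string]$Location       = 'westeurope'
)

$nw = Get-AzNetworkWatcher -Location $Location
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount

# Equivalent of '+Add filter': TCP to the VM's web ports from any remote host.
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP -LocalPort '80;443' `
    -RemoteIPAddress '0.0.0.0-255.255.255.255'

# Time-boxed capture written to the storage account (the central-storage option).
$name = "cap-$VMName-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $name `
    -TargetVirtualMachineId $vm.Id -StorageAccountId $sa.Id `
    -TimeLimitInSeconds 120 -Filter $filter

# Poll until the session stops; StoragePath is the .cap blob Wireshark opens directly.
do {
    Start-Sleep -Seconds 15
    $status = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $name
} while ($status.PacketCaptureStatus -eq 'Running')

$status | Select-Object Name, PacketCaptureStatus, StopReason,
    @{ n = 'CapFile'; e = { $_.StorageLocation.StoragePath } }
```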

FAQ: How can I track Windows 10 Azure AD Device Registrations?

This question came up twice for me this week, and the answer is not obvious if you’ve not gone looking for this info before.

You can actually track your Windows device registrations in two places:

One option is to search your Azure AD Audit logs and filter on Device Registration.

Another is the Azure AD Power BI Dashboard, which received an update in late June that includes a couple of new reports with info on registered devices.

Early chapter preview of ‘Inside OMS’ version 2

There have been many inquiries as to whether the band would be getting back together for a second version of the very popular “Inside the Microsoft Operations Management Suite“. Version 2 is 16 chapters of the latest and greatest of Microsoft OMS…and it’s coming soon.

  • When? I am happy to report we are well into the authoring process and looking to release version 2 around the end of April 2017.
  • Cost? As with the first release, we will deliver a book well worth paying for…except it will again be free!

While we are only a little over a month from completion, we wanted to take a moment to give you a sneak peek at a couple of the chapters to come.

The “Inside OMS” Team

I am also happy to announce that the entire author team is back for v2:

  • Tao Yang, MVP
  • Stanislav Zhelyazkov, MVP
  • Anders Bengtsson, Principal PFE
  • Pete Zerger, CISSP, MVP

OMS has grown considerably since our first release, and to ensure we meet our quality bar as quickly as possible, we are joined by four technical reviewers and an editor! Joining us in the tech reviewer role are some very talented folks, including:

  • Damian Flynn, MVP
  • Kevin Greene, MVP
  • Lee Berg, MVP
  • Steve Buchanan, MVP

Early Chapter Preview

To hold you over until the final release, we are going to share three chapters early…one at a time. Your first taste is a major update, driven by awesome Aussie, Tao Yang. Below, you will find a draft preview of:

Chapter 6: Extending OMS Using Log Search

This chapter covers key topics within OMS Log Analytics, including:

  • Saved Searches
  • OMS Computer Groups
  • Custom Fields
  • Custom Logs
  • Power BI

I’ve reviewed it myself, and I know you will appreciate the more than 70 pages of in-depth guidance in this chapter alone!

Get the preview. You can download the preview release of chapter 6 HERE.

Two more preview chapters will be coming your way in the next week(ish). Stay tuned!

Enable modern authentication for Exchange Online via PowerShell

Modern authentication is disabled in Exchange Online in Office 365 by default. However, you are quite likely to want modern authentication, because modern authentication in Office 365 enables authentication features like multi-factor authentication (MFA) using smart cards, certificate-based authentication, and third-party SAML identity providers.

You can enable modern authentication in Exchange Online via PowerShell. However, I found the article explaining how to enable modern authentication for Exchange Online is missing some detail regarding how to connect to Exchange Online.

For reference, below is a sample script for connecting to Exchange Online.

# Capture your credentials to a credential object 
$UserCredential = Get-Credential

# Establish a remote connection to EO in your O365 tenant
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
-ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

# Check if modern auth is in place already 
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
 
# If modern auth setting is false, then enable it
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Check again to ensure it comes back as "True"
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

Questions or comments? Use the comments section below.

5 ways to secure your SQL data in Microsoft Azure

Data security in the cloud is of chief concern not only to healthcare and financial services, but anyone with sensitive data of any kind that should only be disclosed to authorized parties. No discussion of enterprise security would be complete without a look at data protection and governance.

For purposes of this discussion, data comes in two forms:

  • Structured. Structured data refers to kinds of data with a high level of organization, such as information stored in a relational database, as in Microsoft SQL Server.
  • Unstructured. Unstructured data refers to data that is not contained in a database or some other type of data structure. Examples include email messages, Word documents, PowerPoint presentations and instant messages.

Important considerations in data protection and governance include data classification and rights management, encryption at-rest and in-flight, as well as management and storage of encryption keys and other secrets related to securing data.

Securing Structured Data In-Flight & In Use

SQL Server 2016 (both SQL in VMs and Azure SQL) introduces some new capabilities to prevent unintentional leakage of data by misconfigured applications or security controls. Key highlights are listed below:

#1 Always Encrypted:

This is a client-side encryption capability, enabling the application to encrypt data so the SQL server (or service if using Azure SQL) can never see the data. This is particularly useful for protecting content such as SIN/SSN, Credit Card, and private health identifiers.

#2 Row-Level Security:

This allows the organization to create policies which only return data rows appropriate for the user executing the query. For example, this allows a hospital to return only health information of patients directly related to a nurse, or a bank teller to see only the rows relevant to their role. For more info, see https://msdn.microsoft.com/en-us/library/dn765131.aspx.

#3 Dynamic Data Masking:

This allows the organization to create policies to mask data in a particular field. For example, an agent at a call center may identify callers by the last few digits of their social security number or credit card number, but those pieces of information should not be fully exposed to the agent. Dynamic Data Masking can be configured on the SQL server so that the application’s query returns credit card numbers as XXXX-XXXX-XXXX-1234.

These capabilities help prevent and mitigate accidental exposure of data while it is in-flight or in-use by a front-end application. For more info, see https://msdn.microsoft.com/en-us/library/mt130841.aspx.
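The Dynamic Data Masking case from #3 applied end to end, as an added example that is not part of the original post: a PowerShell script that uses Invoke-Sqlcmd to add the XXXX-XXXX-XXXX-1234 mask and then runs the same query as the database owner and as a read-only user to show that only the latter gets the mask. It assumes the SqlServer module and a table dbo.Customers with a CardNumber varchar(19) column; the server, database and CallCenter user are hypothetical names.

```powershell
# Added example (not from the original post): apply a Dynamic Data Masking
# rule that returns card numbers as XXXX-XXXX-XXXX-1234, then prove the mask by
# running the same query as the owner and as a read-only user. Assumes the
# SqlServer module (Invoke-Sqlcmd) and dbo.Customers(CardNumber varchar(19));
# server, database and the CallCenter user are hypothetical names.
param(
    [string]$ServerInstance   = 'contoso-sql.database.windows.net',
    [string]$Database         = 'Billing',
    [pscredential]$Credential = (Get-Credential -Message 'SQL admin login')
)

$applyMask = @"
-- partial(prefix, padding, suffix): keep 0 leading and 4 trailing characters,
-- pad the middle with the literal string the application should display.
ALTER TABLE dbo.Customers
    ALTER COLUMN CardNumber ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');

-- Read-only principal with no UNMASK permission; masked values are all it gets.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CallCenter')
    CREATE USER CallCenter WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO CallCenter;
"@

$verifyMask = @"
-- Same query twice: once as the caller (db_owner sees clear text), once
-- impersonating the read-only user (sees XXXX-XXXX-XXXX- plus the last four).
SELECT TOP (1) 'owner'      AS Viewer, CardNumber FROM dbo.Customers;
EXECUTE AS USER = 'CallCenter';
SELECT TOP (1) 'CallCenter' AS Viewer, CardNumber FROM dbo.Customers;
REVERT;
"@

$conn = @{ ServerInstance = $ServerInstance; Database = $Database; Credential = $Credential }
Invoke-Sqlcmd @conn -Query $applyMask
Invoke-Sqlcmd @conn -Query $verifyMask | Format-Table Viewer, CardNumber -AutoSize
```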

Securing Structured Data At-Rest

Protection of SQL data at-rest has been available for a long time now, and the SQL Server product team at Microsoft enhanced it in the 2016 release.

#4 SQL Transparent Data Encryption

In order to protect structured data at-rest, Microsoft first introduced SQL Transparent Data Encryption in SQL Server 2008. This technology protects data by performing I/O encryption for SQL database and log files. Traditionally, the data encryption key (DEK) is protected by a certificate that SQL Server manages and stores locally within the master database. In June 2016, Microsoft made a significant enhancement to this capability by making generally available a SQL Server Connector for Azure Key Vault.

[Image: SQL Server Connector for Azure Key Vault. Image credit: Microsoft]

This allows organizations to separate SQL and Security Administrator roles, enabling a SQL Administrator to leverage a key managed by the security operators in Azure Key Vault, with a full audit trail should the SQL administrator turn rogue. This connector can also be used for encrypting specific database columns and backups, and is backward compatible all the way back to SQL 2008.

More info at https://msdn.microsoft.com/en-us/library/dn198405.aspx

Detecting SQL Threats

In addition to securing SQL data, we also need to consider protecting data sources from the threats that would lead to a breach.

#5 SQL Threat Detection

Running SQL in the cloud brings some additional benefits. For databases running on the Azure SQL service, the new SQL Threat Detection service monitors database activity and access, building profiles to identify anomalous behavior or access. If suspicious activity is detected, security personnel can get immediate notification about the activities as they occur. Each notification provides details of the suspicious activity and recommendations on remediating the threat.

SQL Threat Detection for Azure SQL Database can detect threats such as the following:

  • Potential Vulnerabilities: SQL Threat Detection will detect common misconfigurations in application connectivity to the SQL data, and provide recommendations to the administrators to harden the environment.
  • SQL Injection Attacks: One of the most common approaches to data extraction is to insert a SQL query into an unprotected web form, causing the form to return data that was unintended. SQL Threat Detection can identify if an attacker is attempting to leverage this mechanism to extract data.
  • Anomalous Database Access: If a compromised database administrator account starts to execute queries from an abnormal location, SQL Threat Detection can detect and alert on the potential insider threat or identity compromise, enabling the security personnel to update firewall rules or disable the account.

SQL Threat Detection for Azure SQL Database is a powerful new tool in detecting potential data leakage threats. For more info, see https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection.

I hope you’ve found this short read on some of Microsoft’s capabilities for protecting structured data valuable. Questions or comments? Feel free to leave your thoughts in the comments section at the end of this article.