Configuring Azure Administrative Units

Hey guys,

I’m back and today I’m going to talk about Azure Administrative Units. The idea to talk about this came from a recent request from one of the customers of the company I currently work for.

The request was that due to the fact that the customer has several sites, in different countries, the IT department needed to have an administrator in each of these locations, but this administrator would still need to manage only the users from that specific location.

Well, to start, I need to say that to make use of Administrative Units, you need to have at least the Azure AD Premium P1 license. That said, let’s get down to business.

Open Azure and go to Azure Active Directory

AU_01

You will find the Administrative Units option in the Manage blade on the left side.

Click on Administrative Units and then hit Add. The next step will now be to give a name to the Administrative Unit, select which Role the administrator will have and  finally select the user who will be the administrator itself.

AU_02

Well, in this scenario I configured as follows:

  • Name: France Users
  • Role: User Administrator
  • Administrative Unit Administrator: IT Test

To recap, the user “IT Test” will have the role “User Administrator” in the Administrative Unit called “France Users”

OK? Now it’s simple, we just need to put the users that would be managed by the Administrative Unit Administrator manually or through a Dynamic Rule in the Administrative Unit.

Returning to the portal, click on Administrative Units and you should see the Administrative Unit that was created according to the previous steps.

AU_03

As you can see, by default when you create an Administrative Unit the “Membership Type” option is set to assigned, that is, you need to add users manually.

But we know that this is a flawed process and sooner or later you will miss an user and we know where this can go, so automating this process is the best solution, and that’s where the Dynamic Rule comes in.

Ok, go back to the portal and click on the Administrative Unit you created earlier and you should see something similar to the image below.

AU_04

Now click on Properties (Preview) and then change the Membership Type option to Dynamic User and then suggest an option called “Add Dynamic Query”

AU_05

Click on “Add Dynamic Query” and configure the rule that best suits your scenario. In my scenario I will base myself on the user’s Country being “France”.

AU_06

Hit save twice and the Dynamic Query has been created. That is, every user that is created or changed in Azure AD and in its country of location is France, it will be automatically added to this Administrative Unit.

AU_08

Ok, within a few minutes you will see that the users blade inside your Administrative Unit will start to be populated by all those users that apply the created rule.

AU_07

There it’s, my users from France have been added to the Administrative Unit and as you can see the options to add and remove member are greyed out.

Now you might be wondering, how do I test this? Simple, your administrator needs to log either into admin.microsoft.com or mystaff.microsoft.com.

AU_09

After the logon, ask your Administrative Unit administrator to select the wanted Administrative Unit and he will be able to see all the users he manages.

AU_10

Or if he logs on the Microsoft 365 admin portal, he will be able to see the below:

AU_11

Okay, but you may be wondering (again), what if your administrator still decides to access Azure AD? In this case he will still be able to see all users and groups, but he will only be able to manage the users of the Administrative Unit he has rights. All other users will show the greyed out properties.

AU_12

That’s it folks, a simple and easy solution in case of remote location administrators or small departments and so on. You can explore several scenarios with this setup, enjoy.

See you soon.

Joao Costa

Azure – Unable to acquire token for tenant

CAzContext_04

In today’s post I will show a recurring problem that can happen when connecting to Azure through PowerShell when we already have a login history from other Azure’s tenants.

As soon as we try to log into Azure via PowerShell, we will get this error stating that an existing token from another subscription could not be acquired (Your access to that subscription may have been removed and the context is still present in the local files).

CAzContext_01

To clear the historic sessions context in PowerShell we have to execute the command “Clear-AzContext”

CAzContext_02

After running this command above, you can log in again and check that the error has been fixed and the history has been removed.

CAzContext_03

And that’s it folks, quick and practical post.
See you soon!

Joao Costa

Manage multiple Azure Contexts using PowerShell

PowerShell for Azure Databricks — Data Thirst

In my day-to-day work I have to deal with several customers and Azure Subscriptions, and for this reason it sometimes becomes exhausting to jump from one Azure Context to another, even when I want to switch to my personal Azure tenant to run some tests.

Today’s article will be short, but simple and useful. After all, I believe it can help in the organization and agility of those who need to manage several subscriptions like me.

Okay, let’s get straight to the point.

Log in with your Azure account;

image

As you can see in the image above, once I authenticated an Azure context comes up as the default context.

Important -What is an Azure Context? Microsoft says “Azure contexts are PowerShell objects representing your active subscription to run commands against, and the authentication information needed to connect to an Azure cloud.”

Okay, we already noticed that when I authenticate with the user above, an Azure context is already loaded and so the next command will show which Azure contexts this same user has access to.

image

So let’s suppose I want to change which default subscription I want loaded once I authenticate to PowerShell.

image

Once you’ve changed the default context, you can check along the way: “C:\Users\Username\.Azure\AzureRmContext.json”

image

You can also rename all other subscriptions to a simpler name, and then you can select them more simply.

Rename-AzContext -SourceName ‘Visual Studio Professional (xxxxxxxx-xxxx-xxxxxx-xxxx-xxxxxxxxxx) xxx.xxx@xxx’ -TargetName ‘GP_Subscription’

And then when it is selected, you can use the new name placed

Select-AzContext ‘GP_Subscription’

Here we go, now you can choose your default context and also how to rename your context. You can also save these contexts like this when I did a few steps back and then when needed just import the context directly.

Import-AzContext “C:\Users\Username\.azure\CHANGENAME-context.json”

That’s all for today folks, see you soon.

Joao Costa

Azure – Creating a basic environment using PowerShell

AzEnvironment_01

Hi folks,

In this article we will deploy a complete environment via PowerShell (Based on the latest series of articles). The intention with this series of articles was to assist you in the creation of each resource and then in an automated way, help in the delivery of projects or start projects with PowerShell.

Azure-Script

What’s in this script:

Resource Group;
Storage Account;
File Share;
Containers for Logs;
Network Creation;
Virtual Machine Creation;
Creation Network card;
Creation of the Network Security Group;

#Script:

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
New-AzResourceGroup -Name $RGNAME -Location $LOCATION -Tag @{Department=”IT”}

#Storage Account creation

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$STRGACCNAME= “strggetpractical02”
$TypeSTRG= “Standard_LRS”
New-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME -Type $TypeSTRG -Location $LOCATION

#Creating a Container for Logs via Powershell

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$CONTAINERNAME = “logs”
$CTX = $storageAccount.Context

New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob

#Creating a FileShare

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName “RG_GETPRACTICAL” -Name $STRGACCNAME
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccount.ResourceGroupName -Name $storageAccount.StorageAccountName | select -first 1).Value
$storageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageKey
New-AzStorageShare -Name “getpracticalshare” -Context $storageContext

#Creating a Virtual Network

$RGName= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$NameVnet=”VNet-GETPRACTICAL”
New-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $RGName -Location $location -AddressPrefix 172.16.1.0/24
$VirtualNetwork = Get-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $rgName
Add-AzVirtualNetworkSubnetConfig -Name BackEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.0/26
Add-AzVirtualNetworkSubnetConfig -Name FrontEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.64/26
Add-AzVirtualNetworkSubnetConfig -Name DMZ -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.128/28
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.144/28
Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork

#Creating the Virtual Machine

# Set values for existing resource group and storage account names.

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$NSGName=”NSG-VM-01″

#Get VM credentials

#$CRED=Get-Credential -Message “Enter the local administrator account name and password.”

$VMLocalAdminUser = “jcosta
$VMLocalAdminSecurePassword = ConvertTo-SecureString “GPractical@2022” -AsPlainText -Force
$CRED=New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);

#Set the existing virtual subnet and network index.

$VNETNAME=”VNet-GETPRACTICAL”
$subnetIndex=0
$VNET=Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $RGName

#Creating a NIC with Pulic IP.

$NIC1=”NIC1-GP-VM-01″
$PIP=New-AzPublicIpAddress -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -AllocationMethod Dynamic
$NIC=New-AzNetworkInterface -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $PIP.Id

# Creating a NIC without Pulic IP

$NIC2=”NIC2-GP-VM-01″
$VNET=Get-AzVirtualNetworkSubnetConfig -Name Backend -VirtualNetwork $VNET
$NIC=New-AzNetworkInterface -Name $NIC2 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $VNET.Id
$PIP.Id

#Setting NSG Rules

$RULES=New-AzNetworkSecurityRuleConfig -Name ‘Allow-RDP’ -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix ‘*’ -SourcePortRange ‘*’ -DestinationAddressPrefix ‘*’ -DestinationPortRange 3389 -Protocol Tcp
$NSG=New-AzNetworkSecurityGroup -Name $NSGName -ResourceGroupName $RGName -Location $LOCATION -SecurityRules $RULES

# VM Name and Size

$VMName=”GP-VM-01″

$VMSize=”Standard_DS2_v2″
$VM=New-AzVMConfig -VMName $VMName -VMSize $VMSize

#Specify the image and local administrator account and then add the NIC.

$PUBName=”MicrosoftWindowsServer”
$OFFERName=”WindowsServer”
$SKUName=”2019-Datacenter”
$VM=Set-AzVMOperatingSystem -VM $VM -Windows -ComputerName $VMName -Credential $CRED -ProvisionVMAgent -EnableAutoUpdate
$VM=Set-AzVMSourceImage -VM $VM -PublisherName $PUBName -Offer $OFFERName -Skus $SKUName -Version “latest”
$VM=Add-AzVMNetworkInterface -VM $VM -Id $NIC.Id

#Specify the OS disk name and create the VM

$DISKName=”OSDisk”
$STORAGEACCOUNT=Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$OSDiskUri=$STORAGEACCOUNT.PrimaryEndpoints.Blob.ToString() + “vhds/” + $VMName + $DISKName + “.vhd”
$VM=Set-AzVMOSDisk -VM $VM -Name $DISKName -VhdUri $OSDiskUri -CreateOption fromImage
New-AzVM -ResourceGroupName $RGName -Location $LOCATION -VM $VM

#EndoftheScript

That’s all for today folks, see you soon.

Joao Paulo Costa

Creating Network Security Group using PowerShell

NSG_01

Hi folks!

Today let’s create the network security group that has a very important role within Microsoft Azure. It works at layer 4, where we can communicate ports and IPs between internal or external networks through a VPN.

Now let’s assign the following variables:

$NSGName=”NSG-VM-01″
$RGName= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”

NSG_02

Next, we will create a variable with the name of the port and which rule will be used. In this case, I am creating an “NSG” for RDP access.

$RULES = New-AzNetworkSecurityRuleConfig -Name ‘Default-Allow-RDP’ -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix ‘*’  -SourcePortRange ‘*’ -DestinationAddressPrefix ‘*’ -DestinationPortRange 3389 -Protocol TCP

NSG_03

Now let’s create the NSG, using the following command.

$NSG = New-AzNetworkSecurityGroup -Name $NSGName -ResourceGroupName $RGName -Location $LOCATION -SecurityRules $RULES

NSG_04

Your NSG was successfully created.

NSG_05

Thanks guys and until the next post, where I will demonstrate how to create a virtual machine using all these commands at once.

Joao Paulo Costa

Creating Network Interface using PowerShell

NIC_01

Hey folks,

Continuing our series of articles on how to create resources in Azure using PowerShell, let’s talk about creating the network interface using PowerShell, creating the network interface and assigning it to a VM and associating it to a VNET is easier via shell command.

Now let’s assign some variables to create the network interface.

$RGName= “RG_GETPRACTICAL”
$NIC1=”Nic-GP-VM-01″
$LOCATION= “UKSouth”
$VNETNAME=”VNet-GETPRACTICAL”
$subnetIndex=0

NIC_02

This “SubnetIndex” variable is very important in the creation process, as it will identify each of your VNETs within your environment. In the case of this article I have a single VNET so I am considering the value “0”, but if you need to pull this value, just run a “Get-AzVirtualNetwork” with the add-ons such as resource group and VNET name.

Now let’s validate if the network exists within the environment.

$VNET=Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $RGName

NIC_03

Next we will create a public IP for the network interface.

$PIP=New-AzPublicIpAddress -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -AllocationMethod Dynamic

NIC_04

Finally, we will create the network interface associating the public IP and the VNET that exists within our environment.

$NIC=New-AzNetworkInterface -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $PIP.Id

NIC_05

Your network interface has now been successfully created.

NIC_06

Thanks guys and until the next post!

Joao Paulo Costa

Creating Virtual Network using PowerShell

Vnet_01

Continuing from the last article, today we are going to create a virtual network to allocate Azure resources and leave it in a secure pattern. In this scope, I’m setting up the network with the segmented subnets:

  • BackEnd: 172.16.1.0/26
  • FrontEnd: 172.16.1.64/26
  • DMZ: 172.16.1.128/28
  • Gateway: 172.16.1.144/28

Before starting to create the Azure network structure, let’s understand how a network in Azure works.

In Azure, when we create a network, we first choose the “Address Space” that would be an IP block that we would use inside our virtual network and within this block we will consider that each “Subnet” will be a piece of this block, according to the drawing below.

Vnet_02

After logging into the “Cloud Shell” select PowerShell, let’s assign some variables to create the network.

$RGName= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”
$NameVnet=”VNet-GETPRACTICAL

These variables are for choosing the resource group where we will provision, the location and the name of your virtual network.

Vnet_03

Now let’s assign the network settings pointing the “Address Block”, in this case the Address Space 172.16.1.0/24 with 256 hots.

New-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $RGName -Location $location -AddressPrefix 172.16.1.0/24

Vnet_04

See that it has been provisioned but does not contain subnets. now let’s assign some variables. This variable is to validate if the network exists within the environment.

$VirtualNetwork = Get-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $rgName

Vnet_05

After validating the existing network, let’s add the subnets as shown in the examples below.

Add-AzVirtualNetworkSubnetConfig -Name BackEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.0/26

Vnet_06

Next, let’s add the rest of the network scope.

Add-AzVirtualNetworkSubnetConfig -Name FrontEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.64/26
Add-AzVirtualNetworkSubnetConfig -Name DMZ -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.128/28
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.144/28

Vnet_07

Now let’s run the “Set” command to add the set of subnets that were assigned above.

Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork

Vnet_08

Once your virtual network has been successfully created with its segmented subnets, let’s go to the portal to validate it.

Vnet_09

That’s all for today folks, until the next post.

Joao Costa

Creating a Storage Account using PowerShell

cloud-file

Hey everyone,

Today we are going to create a Storage Account for any kind of use and inside this storage account we are going to create a blob for logs and a file share.

In the last post we created a resource group, where we will provision resources during this and the next posts.

Open the Azure Cloud Shell, then choose your subscription, if the cloud shell is already open, we will add the following variables, with the information:

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”
$STRGACCNAME= “strggetpractical01”
$TypeSTRG= “Standard_LRS”

STRG_01

Then we will execute the command “New-AZStorageAccount” to create the storage from the variables assigned above.

New-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME -Type $TypeSTRG -Location $LOCATION

STRG_02

The storage was successfully created.

With the storage created, we are going to create a container to allocate the “Logs” of our environment, for that we are going to assign some variables as well.

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$CONTAINERNAME = “logs”
$CTX = $storageAccount.Context

STRG_03

After assigning the variables, let’s run the following command “New-AzStorageContainer” to create the container.

New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob

STRG_04

Your container was successfully created.

Last but not least let’s create a “File Share” with the following variables.

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName “RG_GETPRACTICAL” -Name “strggetpractical01”

$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccount.ResourceGroupName -Name $storageAccount.StorageAccountName | select -first 1).Value

$storageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageKey

STRG_05

New-AzureStorageShare -Name “getpracticalshare” -Context $storageContext

STRG_06

The File Share was created successfully, now let’s check the container and the file share that were created.

Container for Logs:

STRG_07

File Share for files:

STRG_08

That’s all for today guys, until the next post!

Joao Costa

Creating Resource Group using Powershell

Hey guys, how are you?

The idea is to learn how to create the resources and finally create an environment with all the resources together.

To start the configuration we have two ways, use the “Azure Cloud Shell” or install the “AZ Module” of powershell.

AZ Module Installation: Powershell Configuration

Access to Azure Cloud Shell: //shell.azure.com/

For this articles I will use the Azure Cloud Shell.

Let’s start by accessing Cloud Shell, then type in your subscription credentials.

RG01

Now let’s create two variables, one indicating the name for the resource group and another indicating the region where we will create the resources.
We will work with variables to facilitate the creation of command lines, in this way we can create complex scripts based on variables.
Let’s create two variables, one with the name of the resource group and the other with the region where we will create the resource group.

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”

RG02

After creating the variable, let’s create the command line.

New-AzResourceGroup -Name $RGNAME -Location $LOCATION

RG03

As you can see, we are executing the command to create a new resource group with the name given in the variable and with the location we put, in my case I am creating it in “UK South“.

RG04

Now you can create the group directly with the “Tag” or make an update on the created group.

To create or update the resource group and assign “Tags“, we will give a name and a value to this tag, according to the command below.

New-AzResourceGroup -Name $RGNAME -Location $LOCATION -Tag @{Department=”IT”}

In the image below, only the update was executed, it asks to confirm if you are going to do the update or not.

RG05

Your resource group is now created and tagged.

Thanks guys and until the next post!

Goodbye 2021 and Welcome 2022! #ThankYou

thankyou

Hey guys!

Today I just come here to thank you and share with you our goals achieved with the blog in this first year. We (Bruno and I) started this blog in February 2021, more precisely on 11/02/2021. Our idea was to share our knowledge and experience, help other people, learn and evolve as professionals. Honestly, we are very happy with our results and even more with our knowledge evolution, throughout the year we received several feedbacks and we were really happy with the idea of having helped some people and maybe many others around the world. Of course we need to say that it is daring to create a blog in a language that is not our native language, and this was and is a great challenge for us, but we believe that the message has been delivered and we hope that in 2022 we can make everything even better , always aiming to evolve.

Blog Statistics

As a bloggers focusing on Microsoft cloud computing and Cisco collaboration, it is always fun and challenging. The traffic to our blog grew significantly as it’s first year. In almost 1 year, this blog hits over 15 thousand views with 40 blog posts.

Views01

This blog was viewed as follows:

Monthly Average Views: 1.437

Most Visited Month: September

Most Visited day: September 13th

Most popular Blog Post: Cisco Finesse – Disconnection Problems

Most Popular day: Tuesday (21% of views)

Most Popular hour: 3:00 pm (7% of views)

Blog Followers: 21 (A huge Thank you!)

views02

Comparing the first post with only 2 views (Bruno and I lol), with the most viewed post so far with 2,111 views.

Views

Where did the readers come from? TOP 10 Referrers

Referrers

Where did the readers come from? TOP 10 Countries

Views03

As I said before, a hell of a year of growth and evolution for this humble blog.

We can’t wait for 2022, which will come with interesting personal and professional challenges.

And in closing, I would like to wish everyone a happy new year, thanks to all readers and followers. May you all have a healthy, successful and outstanding New Year!


Thanks you for reading, see you in 2022!

You are welcome to share your thoughts and suggestions in the comment section below

Got it? Get Practical!