João Paulo Costa

Configuring Azure Administrative Units

Hey guys,

I’m back and today I’m going to talk about Azure Administrative Units. The idea to talk about this came from a recent request from one of the customers of the company I currently work for.

The request was that due to the fact that the customer has several sites, in different countries, the IT department needed to have an administrator in each of these locations, but this administrator would still need to manage only the users from that specific location.

Well, to start, I need to say that to make use of Administrative Units, you need to have at least the Azure AD Premium P1 license. That said, let’s get down to business.

Open Azure and go to Azure Active Directory

You will find the Administrative Units option in the Manage blade on the left side.

Click on Administrative Units and then hit Add. The next step will now be to give a name to the Administrative Unit, select which Role the administrator will have and finally select the user who will be the administrator itself.

Well, in this scenario I configured as follows:

Name: France Users
Role: User Administrator
Administrative Unit Administrator: IT Test

To recap, the user “IT Test” will have the role “User Administrator” in the Administrative Unit called “France Users”

OK? Now it’s simple, we just need to put the users that would be managed by the Administrative Unit Administrator manually or through a Dynamic Rule in the Administrative Unit.

Returning to the portal, click on Administrative Units and you should see the Administrative Unit that was created according to the previous steps.

As you can see, by default when you create an Administrative Unit the “Membership Type” option is set to assigned, that is, you need to add users manually.

But we know that this is a flawed process and sooner or later you will miss an user and we know where this can go, so automating this process is the best solution, and that’s where the Dynamic Rule comes in.

Ok, go back to the portal and click on the Administrative Unit you created earlier and you should see something similar to the image below.

Now click on Properties (Preview) and then change the Membership Type option to Dynamic User and then suggest an option called “Add Dynamic Query”

Click on “Add Dynamic Query” and configure the rule that best suits your scenario. In my scenario I will base myself on the user’s Country being “France”.

Hit save twice and the Dynamic Query has been created. That is, every user that is created or changed in Azure AD and in its country of location is France, it will be automatically added to this Administrative Unit.

Ok, within a few minutes you will see that the users blade inside your Administrative Unit will start to be populated by all those users that apply the created rule.

There it’s, my users from France have been added to the Administrative Unit and as you can see the options to add and remove member are greyed out.

Now you might be wondering, how do I test this? Simple, your administrator needs to log either into admin.microsoft.com or mystaff.microsoft.com.

After the logon, ask your Administrative Unit administrator to select the wanted Administrative Unit and he will be able to see all the users he manages.

Or if he logs on the Microsoft 365 admin portal, he will be able to see the below:

Okay, but you may be wondering (again), what if your administrator still decides to access Azure AD? In this case he will still be able to see all users and groups, but he will only be able to manage the users of the Administrative Unit he has rights. All other users will show the greyed out properties.

That’s it folks, a simple and easy solution in case of remote location administrators or small departments and so on. You can explore several scenarios with this setup, enjoy.

See you soon.

Joao Costa

Azure – Unable to acquire token for tenant

In today’s post I will show a recurring problem that can happen when connecting to Azure through PowerShell when we already have a login history from other Azure’s tenants.

As soon as we try to log into Azure via PowerShell, we will get this error stating that an existing token from another subscription could not be acquired (Your access to that subscription may have been removed and the context is still present in the local files).

To clear the historic sessions context in PowerShell we have to execute the command “Clear-AzContext”

After running this command above, you can log in again and check that the error has been fixed and the history has been removed.

And that’s it folks, quick and practical post.
See you soon!

Joao Costa

Manage multiple Azure Contexts using PowerShell

PowerShell for Azure Databricks — Data Thirst

In my day-to-day work I have to deal with several customers and Azure Subscriptions, and for this reason it sometimes becomes exhausting to jump from one Azure Context to another, even when I want to switch to my personal Azure tenant to run some tests.

Today’s article will be short, but simple and useful. After all, I believe it can help in the organization and agility of those who need to manage several subscriptions like me.

Okay, let’s get straight to the point.

As you can see in the image above, once I authenticated an Azure context comes up as the default context.

Important -What is an Azure Context? Microsoft says “Azure contexts are PowerShell objects representing your active subscription to run commands against, and the authentication information needed to connect to an Azure cloud.”

Okay, we already noticed that when I authenticate with the user above, an Azure context is already loaded and so the next command will show which Azure contexts this same user has access to.

So let’s suppose I want to change which default subscription I want loaded once I authenticate to PowerShell.

Once you’ve changed the default context, you can check along the way: “C:\Users\Username\.Azure\AzureRmContext.json”

You can also rename all other subscriptions to a simpler name, and then you can select them more simply.

Rename-AzContext -SourceName ‘Visual Studio Professional (xxxxxxxx-xxxx-xxxxxx-xxxx-xxxxxxxxxx) xxx.xxx@xxx’ -TargetName ‘GP_Subscription’

And then when it is selected, you can use the new name placed

Select-AzContext ‘GP_Subscription’

Here we go, now you can choose your default context and also how to rename your context. You can also save these contexts like this when I did a few steps back and then when needed just import the context directly.

Import-AzContext “C:\Users\Username\.azure\CHANGENAME-context.json”

That’s all for today folks, see you soon.

Joao Costa

Azure – Creating a basic environment using PowerShell

AzEnvironment_01

Hi folks,

In this article we will deploy a complete environment via PowerShell (Based on the latest series of articles). The intention with this series of articles was to assist you in the creation of each resource and then in an automated way, help in the delivery of projects or start projects with PowerShell.

Azure-Script

What’s in this script:

Resource Group;
Storage Account;
File Share;
Containers for Logs;
Network Creation;
Virtual Machine Creation;
Creation Network card;
Creation of the Network Security Group;

#Script:

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
New-AzResourceGroup -Name $RGNAME -Location $LOCATION -Tag @{Department=”IT”}

#Storage Account creation

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$STRGACCNAME= “strggetpractical02”
$TypeSTRG= “Standard_LRS”
New-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME -Type $TypeSTRG -Location $LOCATION

#Creating a Container for Logs via Powershell

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$CONTAINERNAME = “logs”
$CTX = $storageAccount.Context

New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob

#Creating a FileShare

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName “RG_GETPRACTICAL” -Name $STRGACCNAME
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccount.ResourceGroupName -Name $storageAccount.StorageAccountName | select -first 1).Value
$storageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageKey
New-AzStorageShare -Name “getpracticalshare” -Context $storageContext

#Creating a Virtual Network

$RGName= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$NameVnet=”VNet-GETPRACTICAL”
New-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $RGName -Location $location -AddressPrefix 172.16.1.0/24
$VirtualNetwork = Get-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $rgName
Add-AzVirtualNetworkSubnetConfig -Name BackEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.0/26
Add-AzVirtualNetworkSubnetConfig -Name FrontEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.64/26
Add-AzVirtualNetworkSubnetConfig -Name DMZ -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.128/28
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.144/28
Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork

#Creating the Virtual Machine

# Set values for existing resource group and storage account names.

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$NSGName=”NSG-VM-01″

#Get VM credentials

#$CRED=Get-Credential -Message “Enter the local administrator account name and password.”

$VMLocalAdminUser = “jcosta”
$VMLocalAdminSecurePassword = ConvertTo-SecureString “GPractical@2022” -AsPlainText -Force
$CRED=New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);

#Set the existing virtual subnet and network index.

$VNETNAME=”VNet-GETPRACTICAL”
$subnetIndex=0
$VNET=Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $RGName

#Creating a NIC with Pulic IP.

$NIC1=”NIC1-GP-VM-01″
$PIP=New-AzPublicIpAddress -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -AllocationMethod Dynamic
$NIC=New-AzNetworkInterface -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $PIP.Id

# Creating a NIC without Pulic IP

$NIC2=”NIC2-GP-VM-01″
$VNET=Get-AzVirtualNetworkSubnetConfig -Name Backend -VirtualNetwork $VNET
$NIC=New-AzNetworkInterface -Name $NIC2 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $VNET.Id
$PIP.Id

#Setting NSG Rules

$RULES=New-AzNetworkSecurityRuleConfig -Name ‘Allow-RDP’ -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix ‘*’ -SourcePortRange ‘*’ -DestinationAddressPrefix ‘*’ -DestinationPortRange 3389 -Protocol Tcp
$NSG=New-AzNetworkSecurityGroup -Name $NSGName -ResourceGroupName $RGName -Location $LOCATION -SecurityRules $RULES

# VM Name and Size

$VMName=”GP-VM-01″

$VMSize=”Standard_DS2_v2″
$VM=New-AzVMConfig -VMName $VMName -VMSize $VMSize

#Specify the image and local administrator account and then add the NIC.

$PUBName=”MicrosoftWindowsServer”
$OFFERName=”WindowsServer”
$SKUName=”2019-Datacenter”
$VM=Set-AzVMOperatingSystem -VM $VM -Windows -ComputerName $VMName -Credential $CRED -ProvisionVMAgent -EnableAutoUpdate
$VM=Set-AzVMSourceImage -VM $VM -PublisherName $PUBName -Offer $OFFERName -Skus $SKUName -Version “latest”
$VM=Add-AzVMNetworkInterface -VM $VM -Id $NIC.Id

#Specify the OS disk name and create the VM

$DISKName=”OSDisk”
$STORAGEACCOUNT=Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$OSDiskUri=$STORAGEACCOUNT.PrimaryEndpoints.Blob.ToString() + “vhds/” + $VMName + $DISKName + “.vhd”
$VM=Set-AzVMOSDisk -VM $VM -Name $DISKName -VhdUri $OSDiskUri -CreateOption fromImage
New-AzVM -ResourceGroupName $RGName -Location $LOCATION -VM $VM

#EndoftheScript

That’s all for today folks, see you soon.

Joao Paulo Costa

Creating Network Security Group using PowerShell

Hi folks!

Today let’s create the network security group that has a very important role within Microsoft Azure. It works at layer 4, where we can communicate ports and IPs between internal or external networks through a VPN.

Now let’s assign the following variables:

$NSGName=”NSG-VM-01″
$RGName= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”

Next, we will create a variable with the name of the port and which rule will be used. In this case, I am creating an “NSG” for RDP access.

$RULES = New-AzNetworkSecurityRuleConfig -Name ‘Default-Allow-RDP’ -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix ‘*’ -SourcePortRange ‘*’ -DestinationAddressPrefix ‘*’ -DestinationPortRange 3389 -Protocol TCP

Now let’s create the NSG, using the following command.

$NSG = New-AzNetworkSecurityGroup -Name $NSGName -ResourceGroupName $RGName -Location $LOCATION -SecurityRules $RULES

Your NSG was successfully created.

Thanks guys and until the next post, where I will demonstrate how to create a virtual machine using all these commands at once.

Joao Paulo Costa