Configuring Azure Administrative Units

Hey guys,

I’m back and today I’m going to talk about Azure Administrative Units. The idea to talk about this came from a recent request from one of the customers of the company I currently work for.

The request was that due to the fact that the customer has several sites, in different countries, the IT department needed to have an administrator in each of these locations, but this administrator would still need to manage only the users from that specific location.

Well, to start, I need to say that to make use of Administrative Units, you need to have at least the Azure AD Premium P1 license. That said, let’s get down to business.

Open Azure and go to Azure Active Directory


You will find the Administrative Units option in the Manage blade on the left side.

Click on Administrative Units and then hit Add. The next step will now be to give a name to the Administrative Unit, select which Role the administrator will have and  finally select the user who will be the administrator itself.


Well, in this scenario I configured as follows:

  • Name: France Users
  • Role: User Administrator
  • Administrative Unit Administrator: IT Test

To recap, the user “IT Test” will have the role “User Administrator” in the Administrative Unit called “France Users”

OK? Now it’s simple, we just need to put the users that would be managed by the Administrative Unit Administrator manually or through a Dynamic Rule in the Administrative Unit.

Returning to the portal, click on Administrative Units and you should see the Administrative Unit that was created according to the previous steps.


As you can see, by default when you create an Administrative Unit the “Membership Type” option is set to assigned, that is, you need to add users manually.

But we know that this is a flawed process and sooner or later you will miss an user and we know where this can go, so automating this process is the best solution, and that’s where the Dynamic Rule comes in.

Ok, go back to the portal and click on the Administrative Unit you created earlier and you should see something similar to the image below.


Now click on Properties (Preview) and then change the Membership Type option to Dynamic User and then suggest an option called “Add Dynamic Query”


Click on “Add Dynamic Query” and configure the rule that best suits your scenario. In my scenario I will base myself on the user’s Country being “France”.


Hit save twice and the Dynamic Query has been created. That is, every user that is created or changed in Azure AD and in its country of location is France, it will be automatically added to this Administrative Unit.


Ok, within a few minutes you will see that the users blade inside your Administrative Unit will start to be populated by all those users that apply the created rule.


There it’s, my users from France have been added to the Administrative Unit and as you can see the options to add and remove member are greyed out.

Now you might be wondering, how do I test this? Simple, your administrator needs to log either into or


After the logon, ask your Administrative Unit administrator to select the wanted Administrative Unit and he will be able to see all the users he manages.


Or if he logs on the Microsoft 365 admin portal, he will be able to see the below:


Okay, but you may be wondering (again), what if your administrator still decides to access Azure AD? In this case he will still be able to see all users and groups, but he will only be able to manage the users of the Administrative Unit he has rights. All other users will show the greyed out properties.


That’s it folks, a simple and easy solution in case of remote location administrators or small departments and so on. You can explore several scenarios with this setup, enjoy.

See you soon.

Joao Costa

Azure – Unable to acquire token for tenant


In today’s post I will show a recurring problem that can happen when connecting to Azure through PowerShell when we already have a login history from other Azure’s tenants.

As soon as we try to log into Azure via PowerShell, we will get this error stating that an existing token from another subscription could not be acquired (Your access to that subscription may have been removed and the context is still present in the local files).


To clear the historic sessions context in PowerShell we have to execute the command “Clear-AzContext”


After running this command above, you can log in again and check that the error has been fixed and the history has been removed.


And that’s it folks, quick and practical post.
See you soon!

Joao Costa

Manage multiple Azure Contexts using PowerShell

PowerShell for Azure Databricks — Data Thirst

In my day-to-day work I have to deal with several customers and Azure Subscriptions, and for this reason it sometimes becomes exhausting to jump from one Azure Context to another, even when I want to switch to my personal Azure tenant to run some tests.

Today’s article will be short, but simple and useful. After all, I believe it can help in the organization and agility of those who need to manage several subscriptions like me.

Okay, let’s get straight to the point.

Log in with your Azure account;


As you can see in the image above, once I authenticated an Azure context comes up as the default context.

Important -What is an Azure Context? Microsoft says “Azure contexts are PowerShell objects representing your active subscription to run commands against, and the authentication information needed to connect to an Azure cloud.”

Okay, we already noticed that when I authenticate with the user above, an Azure context is already loaded and so the next command will show which Azure contexts this same user has access to.


So let’s suppose I want to change which default subscription I want loaded once I authenticate to PowerShell.


Once you’ve changed the default context, you can check along the way: “C:\Users\Username\.Azure\AzureRmContext.json”


You can also rename all other subscriptions to a simpler name, and then you can select them more simply.

Rename-AzContext -SourceName ‘Visual Studio Professional (xxxxxxxx-xxxx-xxxxxx-xxxx-xxxxxxxxxx)’ -TargetName ‘GP_Subscription’

And then when it is selected, you can use the new name placed

Select-AzContext ‘GP_Subscription’

Here we go, now you can choose your default context and also how to rename your context. You can also save these contexts like this when I did a few steps back and then when needed just import the context directly.

Import-AzContext “C:\Users\Username\.azure\CHANGENAME-context.json”

That’s all for today folks, see you soon.

Joao Costa

Azure – Creating a basic environment using PowerShell


Hi folks,

In this article we will deploy a complete environment via PowerShell (Based on the latest series of articles). The intention with this series of articles was to assist you in the creation of each resource and then in an automated way, help in the delivery of projects or start projects with PowerShell.


What’s in this script:

Resource Group;
Storage Account;
File Share;
Containers for Logs;
Network Creation;
Virtual Machine Creation;
Creation Network card;
Creation of the Network Security Group;


New-AzResourceGroup -Name $RGNAME -Location $LOCATION -Tag @{Department=”IT”}

#Storage Account creation

$STRGACCNAME= “strggetpractical02”
$TypeSTRG= “Standard_LRS”
New-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME -Type $TypeSTRG -Location $LOCATION

#Creating a Container for Logs via Powershell

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$CTX = $storageAccount.Context

New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob

#Creating a FileShare

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName “RG_GETPRACTICAL” -Name $STRGACCNAME
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccount.ResourceGroupName -Name $storageAccount.StorageAccountName | select -first 1).Value
$storageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageKey
New-AzStorageShare -Name “getpracticalshare” -Context $storageContext

#Creating a Virtual Network

New-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $RGName -Location $location -AddressPrefix
$VirtualNetwork = Get-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $rgName
Add-AzVirtualNetworkSubnetConfig -Name BackEnd -VirtualNetwork $VirtualNetwork -AddressPrefix
Add-AzVirtualNetworkSubnetConfig -Name FrontEnd -VirtualNetwork $VirtualNetwork -AddressPrefix
Add-AzVirtualNetworkSubnetConfig -Name DMZ -VirtualNetwork $VirtualNetwork -AddressPrefix
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VirtualNetwork -AddressPrefix
Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork

#Creating the Virtual Machine

# Set values for existing resource group and storage account names.


#Get VM credentials

#$CRED=Get-Credential -Message “Enter the local administrator account name and password.”

$VMLocalAdminUser = “jcosta
$VMLocalAdminSecurePassword = ConvertTo-SecureString “GPractical@2022” -AsPlainText -Force
$CRED=New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);

#Set the existing virtual subnet and network index.

$VNET=Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $RGName

#Creating a NIC with Pulic IP.

$PIP=New-AzPublicIpAddress -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -AllocationMethod Dynamic
$NIC=New-AzNetworkInterface -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $PIP.Id

# Creating a NIC without Pulic IP

$VNET=Get-AzVirtualNetworkSubnetConfig -Name Backend -VirtualNetwork $VNET
$NIC=New-AzNetworkInterface -Name $NIC2 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $VNET.Id

#Setting NSG Rules

$RULES=New-AzNetworkSecurityRuleConfig -Name ‘Allow-RDP’ -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix ‘*’ -SourcePortRange ‘*’ -DestinationAddressPrefix ‘*’ -DestinationPortRange 3389 -Protocol Tcp
$NSG=New-AzNetworkSecurityGroup -Name $NSGName -ResourceGroupName $RGName -Location $LOCATION -SecurityRules $RULES

# VM Name and Size


$VM=New-AzVMConfig -VMName $VMName -VMSize $VMSize

#Specify the image and local administrator account and then add the NIC.

$VM=Set-AzVMOperatingSystem -VM $VM -Windows -ComputerName $VMName -Credential $CRED -ProvisionVMAgent -EnableAutoUpdate
$VM=Set-AzVMSourceImage -VM $VM -PublisherName $PUBName -Offer $OFFERName -Skus $SKUName -Version “latest”
$VM=Add-AzVMNetworkInterface -VM $VM -Id $NIC.Id

#Specify the OS disk name and create the VM

$STORAGEACCOUNT=Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$OSDiskUri=$STORAGEACCOUNT.PrimaryEndpoints.Blob.ToString() + “vhds/” + $VMName + $DISKName + “.vhd”
$VM=Set-AzVMOSDisk -VM $VM -Name $DISKName -VhdUri $OSDiskUri -CreateOption fromImage
New-AzVM -ResourceGroupName $RGName -Location $LOCATION -VM $VM


That’s all for today folks, see you soon.

Joao Paulo Costa

Creating Network Security Group using PowerShell


Hi folks!

Today let’s create the network security group that has a very important role within Microsoft Azure. It works at layer 4, where we can communicate ports and IPs between internal or external networks through a VPN.

Now let’s assign the following variables:



Next, we will create a variable with the name of the port and which rule will be used. In this case, I am creating an “NSG” for RDP access.

$RULES = New-AzNetworkSecurityRuleConfig -Name ‘Default-Allow-RDP’ -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix ‘*’  -SourcePortRange ‘*’ -DestinationAddressPrefix ‘*’ -DestinationPortRange 3389 -Protocol TCP


Now let’s create the NSG, using the following command.

$NSG = New-AzNetworkSecurityGroup -Name $NSGName -ResourceGroupName $RGName -Location $LOCATION -SecurityRules $RULES


Your NSG was successfully created.


Thanks guys and until the next post, where I will demonstrate how to create a virtual machine using all these commands at once.

Joao Paulo Costa

Creating Network Interface using PowerShell


Hey folks,

Continuing our series of articles on how to create resources in Azure using PowerShell, let’s talk about creating the network interface using PowerShell, creating the network interface and assigning it to a VM and associating it to a VNET is easier via shell command.

Now let’s assign some variables to create the network interface.



This “SubnetIndex” variable is very important in the creation process, as it will identify each of your VNETs within your environment. In the case of this article I have a single VNET so I am considering the value “0”, but if you need to pull this value, just run a “Get-AzVirtualNetwork” with the add-ons such as resource group and VNET name.

Now let’s validate if the network exists within the environment.

$VNET=Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $RGName


Next we will create a public IP for the network interface.

$PIP=New-AzPublicIpAddress -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -AllocationMethod Dynamic


Finally, we will create the network interface associating the public IP and the VNET that exists within our environment.

$NIC=New-AzNetworkInterface -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $PIP.Id


Your network interface has now been successfully created.


Thanks guys and until the next post!

Joao Paulo Costa

Creating Virtual Network using PowerShell


Continuing from the last article, today we are going to create a virtual network to allocate Azure resources and leave it in a secure pattern. In this scope, I’m setting up the network with the segmented subnets:

  • BackEnd:
  • FrontEnd:
  • DMZ:
  • Gateway:

Before starting to create the Azure network structure, let’s understand how a network in Azure works.

In Azure, when we create a network, we first choose the “Address Space” that would be an IP block that we would use inside our virtual network and within this block we will consider that each “Subnet” will be a piece of this block, according to the drawing below.


After logging into the “Cloud Shell” select PowerShell, let’s assign some variables to create the network.


These variables are for choosing the resource group where we will provision, the location and the name of your virtual network.


Now let’s assign the network settings pointing the “Address Block”, in this case the Address Space with 256 hots.

New-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $RGName -Location $location -AddressPrefix


See that it has been provisioned but does not contain subnets. now let’s assign some variables. This variable is to validate if the network exists within the environment.

$VirtualNetwork = Get-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $rgName


After validating the existing network, let’s add the subnets as shown in the examples below.

Add-AzVirtualNetworkSubnetConfig -Name BackEnd -VirtualNetwork $VirtualNetwork -AddressPrefix


Next, let’s add the rest of the network scope.

Add-AzVirtualNetworkSubnetConfig -Name FrontEnd -VirtualNetwork $VirtualNetwork -AddressPrefix
Add-AzVirtualNetworkSubnetConfig -Name DMZ -VirtualNetwork $VirtualNetwork -AddressPrefix
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VirtualNetwork -AddressPrefix


Now let’s run the “Set” command to add the set of subnets that were assigned above.

Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork


Once your virtual network has been successfully created with its segmented subnets, let’s go to the portal to validate it.


That’s all for today folks, until the next post.

Joao Costa

Creating a Storage Account using PowerShell


Hey everyone,

Today we are going to create a Storage Account for any kind of use and inside this storage account we are going to create a blob for logs and a file share.

In the last post we created a resource group, where we will provision resources during this and the next posts.

Open the Azure Cloud Shell, then choose your subscription, if the cloud shell is already open, we will add the following variables, with the information:

$STRGACCNAME= “strggetpractical01”
$TypeSTRG= “Standard_LRS”


Then we will execute the command “New-AZStorageAccount” to create the storage from the variables assigned above.

New-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME -Type $TypeSTRG -Location $LOCATION


The storage was successfully created.

With the storage created, we are going to create a container to allocate the “Logs” of our environment, for that we are going to assign some variables as well.

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$CTX = $storageAccount.Context


After assigning the variables, let’s run the following command “New-AzStorageContainer” to create the container.

New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob


Your container was successfully created.

Last but not least let’s create a “File Share” with the following variables.

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName “RG_GETPRACTICAL” -Name “strggetpractical01”

$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccount.ResourceGroupName -Name $storageAccount.StorageAccountName | select -first 1).Value

$storageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageKey


New-AzureStorageShare -Name “getpracticalshare” -Context $storageContext


The File Share was created successfully, now let’s check the container and the file share that were created.

Container for Logs:


File Share for files:


That’s all for today guys, until the next post!

Joao Costa

Creating Resource Group using Powershell

Hey guys, how are you?

The idea is to learn how to create the resources and finally create an environment with all the resources together.

To start the configuration we have two ways, use the “Azure Cloud Shell” or install the “AZ Module” of powershell.

AZ Module Installation: Powershell Configuration

Access to Azure Cloud Shell: //

For this articles I will use the Azure Cloud Shell.

Let’s start by accessing Cloud Shell, then type in your subscription credentials.


Now let’s create two variables, one indicating the name for the resource group and another indicating the region where we will create the resources.
We will work with variables to facilitate the creation of command lines, in this way we can create complex scripts based on variables.
Let’s create two variables, one with the name of the resource group and the other with the region where we will create the resource group.



After creating the variable, let’s create the command line.

New-AzResourceGroup -Name $RGNAME -Location $LOCATION


As you can see, we are executing the command to create a new resource group with the name given in the variable and with the location we put, in my case I am creating it in “UK South“.


Now you can create the group directly with the “Tag” or make an update on the created group.

To create or update the resource group and assign “Tags“, we will give a name and a value to this tag, according to the command below.

New-AzResourceGroup -Name $RGNAME -Location $LOCATION -Tag @{Department=”IT”}

In the image below, only the update was executed, it asks to confirm if you are going to do the update or not.


Your resource group is now created and tagged.

Thanks guys and until the next post!

Azure Arc – How to add a server into it


Hey guys!

Today I’m going to talk about Azure Arc. This is a very useful tool nowadays, after all we have to work with more complex and heterogeneous environments. Therefore, the idea of being able to manage an entire infrastructure from a single access point saves many hours of work.

Well then, that is the role of Azure Arc. In it you can add Azure or non-azure resources, that is, other resources from other public clouds, on-premises, databases, etc.

Again, this is an intuitive and practical resource to use, let’s get right to the practice again.

Log in with your Azure account on the portal and type in the search bar “Azure Arc”. Open Azure Arc and you should see the Azure Arc Center.


On the home screen you have three tiles options, such as: Add your infrastructure for free, Deploy Azure Services and View Azure Arc Resources.

For this demo, we will use the first tile, so in “Add your infrastructure for free” click Add and then on the next screen, in the Servers tile click Add again.


On the next screen you can choose if you want to add one or more servers, add servers using Azure Migrate or Update Management (Still in preview).


In the tile add a single server, click Generate Script.

From now on I believe you already understand what will happen, Azure will open a wizard that will help you configure and generate a script that will do everything for you, such as downloading the agent, installing the agent and registering the server in Azure. You will only need to run the script on the server you intend to add to Azure Arc.

After clicking on Generate Script, you will see the following screen:


On this screen, you will need to pay attention to the basic requirements for the script to work.

  • Firewall requirements, you will need port 443 to perform this task.
  • You will need permission as a local administrator on the server or servers.
  • Finally, what is the means of communication between Azure and machine, public internet, proxy server or a private endpoint (VPN or Express Route).

Click next and select the options according to your environment.


Click on next and if that’s the case you can add tags to better identify your environment. Or just skip to the next screen.


Or just skip to the next screen.


Now you need to copy or download the script and run it on the intended server.

And as soon as you run the script on the desired server, it will show up in Azure Arc as Connected status.

That’s all for today guys, until the next post.

Joao Costa