Microsoft – Page 11 – Get Practical

Recovering local administrator access in Azure VMs

Hey guys!

Let’s assume that for any reason you have lost the local administrator password of a virtual machine in Azure or even don’t remember the initial user created during the deployment of your virtual machine, well, the idea of this post is to solve this your problem, which just seems silly but not unusual.

Starting with the user, in case you don’t remember, it’s a pretty simple task to find out: Go to Azure and make sure your VM is powered on, then select your VM and go to blade “Operations” and select “Run Command” and finally click on “RunPowerShellScript”. This will cause a dialog box to open and in this box you will type the following command in: “Get-LocalUser” and click “Run”.

The output should be presented as the image above, and at this point you will know which are the local users of that VM.

Ok, now that you know which user to use, just type in the password, correct? But let’s say you also don’t remember which password to use (Bad days happen to everyone lol). Well then, I will present two simple ways to reset this local user password.

The easiest and simplest option would be again with your VM selected, go to the blade “Help” and click on “Reset Password”. You will only need to enter the user you want to reset the password and your new password.

(Ps: You will need to be logged into Azure with an user who gives you this right, “RBAC” is a certification exam topic).

If all goes well, you will have the new password and use your local account without any problems.

But let’s assume that this lost password is the domain controller administrator password in Azure. In this case, you will not be able to reset this password as I just showed you above.

Therefore, we will be using the Extensions function in Azure. Through this extension we will run a script to reset the admin password.

The script is very simple and has only one line and has been uploaded to Azure previously.

The script must have the command above: net user LOCALUSER PASSWORD

After creating the script, saving as ResetPassword.ps1 and uploading it to a storage account on azure, select your VM again and in the blade Settings click on Extensions > Add > CustomScriptExtension > Next > RESETPASSWORD.PS1 > Review + Create > Create.

The Azure extension function will run the script on the VM and your password will be reset as configured in the script.

Voila! You will now be able to access your domain controller as you wish. This script can also be used to reset any account’s password.

Obviously the reset options are not limited to what I presented here in this post, especially when it comes to PowerShell commands.

That’s it for today guys, see you next time!

Joao Costa

Study guide for Azure Administrator

Hey guys! Today I come here to share with you my journey to achieve Azure Administrator certification. To get the title of Azure Administrator, you need to pass the Az-104 exam.

My badge validation link

What is expected from an Azure Administrator?

Azure Administrator implements, manages and monitors identity, governance, storage, compute and virtual networks in a cloud environment. Azure Administrator will provision, scale, monitor and adjust resources as appropriate. Candidates must have at least six months of hands-on experience in Azure administration. Candidates should have a strong understanding of Azure core services, workloads, security, and Azure governance.

Candidates for this exam should have experience using PowerShell, Command Line Interface, Azure Portal, and ARM templates.

The exam content:

Manage Azure identities and governance (15-20%)
Implement and manage storage (15-20%)
Deploy and manage Azure compute resources (20-25%)
Configure and manage virtual networking (25-30%)
Monitor and back up Azure resources (10-15%)

What was asked for on my exam?

Many questions based on RBAC (Role-Based Access Control), basically asked what permissions would be needed to perform certain tasks in Azure. I also remember seeing a lot of questions related to locations, ie whether you can interact between resources located in different Azure’s regions. Questions about minimum computing requirements (Virtual Machines), questions about Azure Monitor, Azure Advisor and general questions related to networking.

Some links from previous posts covering the exam content.

RBAC – https://getpractical.co.uk/2021/03/08/understand-azure-role-based-access-control-rbac/

Azure Advisor – https://getpractical.co.uk/2021/05/03/azures-advisor/

Azure Storage – https://getpractical.co.uk/2021/06/14/creating-a-storage-on-azure/

Az-Copy – https://getpractical.co.uk/2021/05/17/how-to-download-and-install-the-azcopy-tool/

My study method:

I always read the outline of the skills measured in each exam.
If there’s anything I’m not familiar with, I’ll read the documentation available in Microsoft Docs (always free and up-to-date).
If I don’t understand what the documents are saying, I use my tenant for proper validations.
I always dedicate 20 to 40 hours (per exam) to perform the laboratories (On Azure you can have a free tenant for 30 days to do your validations).
When it comes to new technology, I start by watching the training available in Microsoft Learn, Pluralsight and/or Udemy.

Azure Free tenant: https://azure.microsoft.com/en-gb/free/

Microsoft Learning: https://docs.microsoft.com/en-us/learn/

Exam skills outline Az-104: https://docs.microsoft.com/en-us/learn/certifications/exams/az-104

I would soon renew my Microsoft 365 certifications, after all I have a large part of my background in Microsoft 365 migrations and I will no doubt share my journey here.

Take as much time as you need to prepare and first of all, don’t be afraid to fail. I’ve failed exams before and this is part of any IT professional’s journey, whether you’re a beginner or not.

If you have any questions, let me know in the comments that I will try to help you improve. In 2022 I will try the Azure Solution Architect exam, which will be my next goal with Azure (Until Microsft updates everything again lol =/).

See you soon guys and good luck studying.

Joao Costa

Azure: Creating a Windows 11 VM

Hi Guys,

In today’s article I will be brief, but I want to demonstrate a subject that is well up to date: How to create a vm with Windows 11 through Cloud Shell in Azure portal.

Let’s go straight to practice: Log into the Azure portal and hit the Cloud Shell icon located on the right side of the search bar.

If you have not yet used the Cloud Shell, on the first access a Resource Group will be created for the Cloud Shell to use it. In the left corner it is also possible to choose between PowerShell or Bash commands (In case you are familiar with Linux), for this example I will use PowerShell command.

Okay, the next step will be to create a resource group for this virtual machine.

Now run the following commands to create your virtual machine

az vm create –resource-group GetPractical –name VMWindows11 –image windows-11-Preview –public-ip-sku Standard –admin-username azureuser –admin-password “GetPractical@Windows11”

All other parameters like disk, cpu, vnet and etc will be created automatically. If you need to customize, you will also need to customize the command or create via GUI portal.

This process should take a few minutes, but once it is finished you will be able to see in the portal that the VM was created successfully.

It’s important to say that at the time I deployed this vm, Windows 11 was still in preview. If at the time of this post the preview version is no longer available, access the following Microsoft docs :

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/cli-ps-findimage

Finally, run the mstsc /v <Public IP Address> command to access your virtual machine with Windows 11 and the result should be as follows:

And that folks, if you have any doubts, leave them in the comments.

Joao Costa

Setting up Azure AD Company Branding

In this blog, I’ll show you how to configure Azure AD company branding options. You can see your organization’s logo and custom color schemes, user hints to provide a familiar and friendly look and feel in your Azure Active Directory. The only prerequisite needed for this configuration is Azure P1 licenses

NOTE:
Before obtaining your images to customize your Azure AD login branding, keep in mind the graphic formats and maximum image and file sizes.

Also keep in mind every time you make a change and test it out, your branding will get cached on one of the many global Azure AD Authentication endpoints. As stated in the documentation changes can take up to an hour to be reflected. Be patient (or keep reloading many times until you hit a new endpoint that will get the new config).
It can take up to an hour for any changes you made to the sign-in page branding to appear.

OK let’s get start.

Go to portal.azure.com and open the Active Directory blade or go directly to the AAD (Azure Active Directory) by clicking the following link: (https://aad.portal.azure.com)

Next Navigate to Azure Active Directory -> Company branding and select to Configure icon to Configure / Edit Company branding

Now click on Configure or Edit the branding configuration and type in the information.

Note: The language is automatically set as your default language based on the Azure subscription setup and it can’t be changed. However, you can configure additional languages by select the New Language option.

Finally click Save at the top of the screen and the company’s branding page is saved in Azure Active Directory.

Add your custom branding to pages by modifying the end of the URL with the text, ?whr=yourdomainname. This specific modification works on different types of pages, including the Multi-Factor Authentication (MFA) setup page, the Self-service Password Reset (SSPR) setup page, and the sign in page.

Whether an application supports customized URLs for branding or not depends on the specific application, and should be checked before attempting to add a custom branding to a page.

Examples:

Original URL: https://aka.ms/MFASetup
Custom URL: https://account.activedirectory.windowsazure.com/proofup.aspx?whr=contoso.com

Original URL: https://aka.ms/SSPR
Custom URL: https://passwordreset.microsoftonline.com/?whr=contoso.com

After you’ve created the Custom branding, if you want to test it, access the page by https://login.microsoftonline.com/<domain name> and you will see your new custom screen.

This time it was a quick post guys, see you soon, thanks!

Joao Costa

Azure – Setting up Conditional Access

Today we are going to talk about Azure Conditional Access. The idea behind Conditional Access is that you can manage and control your IT environment by setting up compliance rules for your users to access company resources, for example Exchange Online, Sharepoint, OneDrive etc.
Basically you will need to create a rule that says, for example, that all users who are outside your physical working environment (Does this still exist?) and who have devices provided by the company and Multi-factor authentication enabled will be able to access Sharepoint. You can choose if you only want to register this information (Report-Only) or if you really want to deny/grant access if the user does not comply with the rules you stipulated above.

In the past, one of the resources used to perform this kind of control was ADFS through claim rules, but many companies thought twice before an implementation due to the complexity of the environment and for adding another point of failure to the environment, after all if ADFS were to fail at all the environment would be unavailable. One of the advantages of ADFS, depending on the need for control is the cost, after all, for Conditional Access to be enabled and it is necessary to have Azure P1 License, ADFS would be the costs of Virtual Machines, public certificate, public IP, NAT and Load Balancing (In an environment with redundancy).

Anyway, let’s leave theory aside and let’s see how to configure Conditional Access.

Go to the Azure Portal and in the search menu type Conditional Access and then click on the Conditional Access blade

As a first step I suggest that you add the trusted locations (Named Locations), that is, known networks. Click on Named Locations and then select one of the options; 1- Countries Locations or 2 – IP Ranges Locations. I opted for option 2 and added the IP/IP Ranges of my trusted locations.

PS. The above IP was used as an example, not a valid IP.

Now that you have trusted locations, let’s create a Conditional Access policy. Still on the Conditional Access blade, click Policies and then New Policy.

Name your policy and choose the user context that will be included or excluded from your policy. In my scenario, I just selected the Test IT user to be included in this policy.

Now in Cloud Apps or Actions you will need to choose which applications will be in the scope of your conditional rule, you can opt for all apps or just select the ones that contain sensitive data. In my example I used SharePoint Online only.

Now that you’ve defined the scope of users, applications and trusted locations, it’s time to configure the conditions that the user will need to “be in” to have access to the resource (Here it’s also possible to configure which conditions the user needs to “be in” to have access denied, works both ways).

In the above scenario; Device Platforms: All, Locations: Applies to all locations and excludes trusted locations, Client Apps: All, Device State: All.

Finally, in the Access control option, you will determine the action that will be taken according to the conditions that the user is trying to access the application (In this scenario SharePoint Online).

Click select and then create.

In my scenario, access to SharePoint will only be possible if the user has MFA enabled, is in an untrusted location and is using a device joined to the domain.

Ok, now I’m going to test access through a personal device to see if conditional Access will or will not allow Sharepoint access (The result should be access denied).

Here we go, access successfully denied \0/. I suggest you play with the tool to suit your needs. If you have any questions, leave in the comments, see you in the next post.