Expressway – Exporting Banned addresses using PowerShell

Hey guys,

In this post I will show you one situation I came across this week.
Due to some attacks we’ve been suffering, we decided to get all blocked IPs on Expressway and block them on the local firewall as well, as a workaround while we investigate further.

The thing is, how can we export the list of Banned IP addresses on Expressway?
As I didn’t find anything, I decided to do it my way, by automating it.


Removing Azure Locks from Resource Group using PowerShell

Today’s post is quick and simple, folks. In this article I will show you how to remove Azure Locks from a Resource Group.

First let’s declare the Resource group variable:
$Resource = "RG_GETPRACTICAL"

AzLocks_01

With the variable declared, we can run “Get-AzResourceLock” against that Resource Group and use a pipe “|” to pass the locks it returns on to the next command.
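The pipeline described above, written out as an added example rather than the post’s own code, listing the locks before removing them so nothing is deleted blind. It assumes the Az.Resources module is loaded and the session is already connected to the right subscription:

```powershell
# Added example (not the post's code): review, then remove, the locks on a Resource Group.
$Resource = "RG_GETPRACTICAL"

# Without -AtScope this also returns locks on resources inside the group;
# add -AtScope to restrict the query to the Resource Group level only.
$locks = Get-AzResourceLock -ResourceGroupName $Resource
if (-not $locks) {
    Write-Output "No locks found on $Resource"
    return
}

# Show what is about to be removed: name, lock level and the scope it protects
$locks |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceId |
    Format-Table -AutoSize

# Remove every lock returned above; -Force skips the per-lock confirmation prompt.
# Drop -Force (or add -WhatIf) when running this for the first time.
$locks | Remove-AzResourceLock -Force
```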


Azure Function TimerTrigger1 failed due to timeout exception

Hello guys,

Today I’d like to share one of the issues I ran into in the Azure environment of a customer of the company I work for.

The customer has a script that turns VMs ON/OFF based on the time stated in the VM’s tags. For example, a VM has the tags “StartTime: 06:00” and “StopTime: 23:00”. This Azure Function runs every hour and compares the current time with the time stated in the VM’s tags; if the time matches, the VM is turned ON/OFF.

Everything was working very well, but when the customer decided to increase the number of tagged VMs, the Azure Function started failing with a timeout error. We initially thought it was the “Consumption plan”, which by default has a timeout of 5 minutes. We changed to a plan that allows an unlimited timeout (1 hour is recommended by MS). And yet the function kept failing with the timeout error.

AzFuntion_01

We decided to split the VMs up with one trigger per subscription (the initial Azure Function iterated over all subscriptions looking for the tag and comparing the time). That didn’t work either.

AzFuntion_02

We raised a ticket with MS; it took several days of troubleshooting without finding the root cause of the problem. Then I decided to look deeper into the function code and realized that every time the function executed and the script turned a VM ON/OFF, there was a significant pause between one VM and the next.

AzFuntion_03

So I decided to add -NoWait to the code, and guess what? It worked!! The timeout stopped happening and the function started completing in less than 2 minutes, even with several VMs tagged.

Initial code: Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName

Final code: Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -NoWait

PS: I don’t want to share the whole code, as I took it from the customer environment.

Apparently the function worker was waiting for the previous command (Stop or Start of the tagged VM) to return, but in some cases that return never arrived and the function got stuck.

The moment I added the switch that skips waiting for the result (-NoWait), the function started working perfectly again.
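Since the customer’s script is not shared, here is an added example (my own, not the customer’s code) of the tag-driven loop with -NoWait applied, written as the body of a PowerShell timer-triggered function. It assumes the tags are named StartTime and StopTime in HH:mm form, that the function runs once an hour (so only the hour is compared), and that the function app’s managed identity already has rights on the VMs:

```powershell
# Added example, not the customer's script: run.ps1 of a timer-triggered Azure Function.
param($Timer)   # timer trigger binding supplied by the Functions runtime

$nowHour = (Get-Date).ToString('HH')   # function is scheduled hourly, compare hours only

# Get-AzVM -Status includes PowerState, so we only act on VMs that need a change
foreach ($vm in Get-AzVM -Status) {
    $tags = $vm.Tags
    if (-not $tags) { continue }

    $start   = $tags['StartTime']
    $stop    = $tags['StopTime']
    $running = $vm.PowerState -eq 'VM running'

    if ($start -and $start.Split(':')[0] -eq $nowHour -and -not $running) {
        Write-Output "Starting $($vm.Name) (StartTime=$start)"
        # -NoWait returns as soon as the request is accepted instead of blocking
        # until the VM is running; this is the change that removed the timeout.
        Start-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -NoWait | Out-Null
    }
    elseif ($stop -and $stop.Split(':')[0] -eq $nowHour -and $running) {
        Write-Output "Stopping $($vm.Name) (StopTime=$stop)"
        # -Force suppresses the confirmation prompt; a function has no console to answer it.
        Stop-AzVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -Force -NoWait | Out-Null
    }
}
```

Because -NoWait also hides failures of the start/stop operation itself, a later run (or a separate check of Get-AzVM -Status) is what tells you whether a VM actually reached the expected state.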

That’s all for today guys, see you later!

Joao Costa

Configuring Azure Administrative Units

Hey guys,

I’m back and today I’m going to talk about Azure Administrative Units. The idea to talk about this came from a recent request from one of the customers of the company I currently work for.

The request was that due to the fact that the customer has several sites, in different countries, the IT department needed to have an administrator in each of these locations, but this administrator would still need to manage only the users from that specific location.

Well, to start, I need to say that to make use of Administrative Units, you need to have at least the Azure AD Premium P1 license. That said, let’s get down to business.

Open Azure and go to Azure Active Directory

AU_01

You will find the Administrative Units option in the Manage blade on the left side.

Click on Administrative Units and then hit Add. The next step is to give the Administrative Unit a name, select which Role the administrator will have and finally select the user who will be the administrator.

AU_02

Well, in this scenario I configured it as follows:

  • Name: France Users
  • Role: User Administrator
  • Administrative Unit Administrator: IT Test

To recap, the user “IT Test” will have the role “User Administrator” in the Administrative Unit called “France Users”.

OK? Now it’s simple: we just need to put the users that will be managed by the Administrative Unit Administrator into the Administrative Unit, either manually or through a Dynamic Rule.

Returning to the portal, click on Administrative Units and you should see the Administrative Unit that was created according to the previous steps.

AU_03

As you can see, by default when you create an Administrative Unit the “Membership Type” option is set to Assigned, that is, you need to add users manually.

But we know that this is a flawed process: sooner or later you will miss a user, and we know where that can lead. Automating this process is the best solution, and that’s where the Dynamic Rule comes in.

Ok, go back to the portal and click on the Administrative Unit you created earlier and you should see something similar to the image below.

AU_04

Now click on Properties (Preview) and change the Membership Type option to Dynamic User. An option called “Add Dynamic Query” will then appear.

AU_05

Click on “Add Dynamic Query” and configure the rule that best suits your scenario. In my scenario I will base it on the user’s Country being “France”.

AU_06

Hit Save twice and the Dynamic Query is created. That is, every user created or changed in Azure AD whose country of location is France will be automatically added to this Administrative Unit.

AU_08

OK, within a few minutes you will see the Users blade inside your Administrative Unit start to be populated with all the users that match the created rule.

AU_07

There it is: my users from France have been added to the Administrative Unit and, as you can see, the options to add and remove members are greyed out.
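The same setup done from the command line, as an added example that is not part of the original post: the “France Users” unit with its dynamic rule, plus the User Administrator role scoped to the “IT Test” user, using Microsoft Graph PowerShell. It assumes the Microsoft.Graph modules are installed, that the caller has the listed Graph permissions, and that the dynamic-membership properties are accepted by the endpoint your module version targets (they were introduced on the beta endpoint first):

```powershell
# Added example, not the post's own steps: Administrative Unit with dynamic membership
# and a scoped role assignment, via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# 1. Create the unit. The rule uses the same attribute as the portal query in the post.
$auBody = @{
    displayName                   = 'France Users'
    membershipType                = 'Dynamic'
    membershipRule                = '(user.country -eq "France")'
    membershipRuleProcessingState = 'On'   # rule is evaluated immediately and on every user change
}
$au = New-MgDirectoryAdministrativeUnit -BodyParameter $auBody

# 2. Directory roles must be activated once from their template before they can be assigned.
$role = Get-MgDirectoryRole -Filter "displayName eq 'User Administrator'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'User Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# 3. Scope the role to this unit only, for the administrator chosen in the post.
$admin = Get-MgUser -Filter "displayName eq 'IT Test'"
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -RoleId $role.Id -RoleMemberInfo @{ Id = $admin.Id } | Out-Null

# 4. Verify: the assignment is listed against the unit, not tenant-wide.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = 'Admin'; e = { $_.RoleMemberInfo.DisplayName } }
```

The check in step 4 is the one worth keeping around: a User Administrator assignment that appears under Get-MgDirectoryRoleMember instead of under the unit is tenant-wide, which is exactly what this setup is meant to avoid.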

Now you might be wondering, how do I test this? Simple, your administrator needs to log either into admin.microsoft.com or mystaff.microsoft.com.

AU_09

After the logon, ask your Administrative Unit administrator to select the desired Administrative Unit and he will be able to see all the users he manages.

AU_10

Or, if he logs on to the Microsoft 365 admin portal, he will be able to see the below:

AU_11

Okay, but you may be wondering (again): what if your administrator still decides to access Azure AD? In this case he will still be able to see all users and groups, but he will only be able to manage the users of the Administrative Unit he has rights to. All other users will show greyed-out properties.

AU_12

That’s it folks, a simple and easy solution for remote-location administrators, small departments and so on. You can explore several scenarios with this setup; enjoy.

See you soon.

Joao Costa

Azure – Unable to acquire token for tenant

CAzContext_04

In today’s post I will show a recurring problem that can happen when connecting to Azure through PowerShell when we already have a login history from other Azure tenants.

As soon as we try to log in to Azure via PowerShell, we get this error stating that a token for another subscription could not be acquired (your access to that subscription may have been removed while its context is still present in the local files).

CAzContext_01

To clear the historic session contexts in PowerShell we have to execute the command “Clear-AzContext”.

CAzContext_02

After running the command above, you can log in again and check that the error has been fixed and the history has been removed.
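As an added example (not the post’s own command sequence), the same fix with a look at the cached contexts first, so you can see which stale tenant or subscription is causing the error before wiping them. The tenant id is a placeholder to replace with your own:

```powershell
# Added example, not from the post: inspect, clear and rebuild the Az context cache.

# List every context saved on disk; stale entries for subscriptions you no longer
# have access to show up here alongside the one you actually want.
Get-AzContext -ListAvailable |
    Select-Object Name, @{ n = 'Tenant'; e = { $_.Tenant.Id } }, @{ n = 'Subscription'; e = { $_.Subscription.Name } }

# Clear-AzContext alone only affects the current process; -Scope CurrentUser
# also deletes the persisted contexts the error comes from. -Force skips the prompt.
Clear-AzContext -Scope CurrentUser -Force

# Sign in again, pinned to the intended tenant so no other cached tenant is tried.
Connect-AzAccount -TenantId '<your-tenant-id>'
```

If only one stale entry is the problem, Remove-AzContext -Name on that context is a narrower alternative to clearing everything.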

CAzContext_03

And that’s it folks, quick and practical post.
See you soon!

Joao Costa