Azure Files – Part 2 – Creating a SMB Share

smb-icon

Hello everyone! As promised in the first post about Azure File, today I will demonstrate how to create an Azure Files SMB share. However, first it is necessary to say that when we implement SMB shares with Azure, there are 2 basic scenarios. The first would be server to server and/or applications, in which case you can use standard admin account and access key. If you wanted to use your Active Directory domain identity with Azure Files, you will need to extend your domain to Azure (You can do this in 2 ways), that is, basically add the domain service in the Microsoft cloud, only in this one scenario you can integrate your storage account with identities, your users can each use their own domain account to use their file access privileges.

That said, let’s get down to the minimum requirements for using Azure Files on Windows machines (MacOS and Linux are also supported, but they’re not in the scope of this post).

image

Let’s get started!

Initially, to create an Azure Files you need to create a new Storage Account, because if you try to search Azure Files when creating a new resource, you will notice that nothing will be found.

image

Of course you can use an existing Storage Account, but for this post I will create a new storage account.

The important steps here is to create a resource group and the storage account itself, everything else you can customize according to your need or leave everything as default (If your don’t know how to create a Storage Account go to this post).

image

Hit ‘Review + Create’ and within 2 or 3 minutes you will have everything you need to create your Azure Files, Then click go to the resource. Once you have your new storage account open, hit the ‘File Share’ blade in the vertical menu on the left side.

image

 Just for observation, at the top of the screen above it says that the Active Directory is not configured, i.e. in this scenario I could not use the identity service without first enabling the domain service in Azure.

Continuing with our configuration, hit ‘+ File Share’, type the name, put the amount of GiB needed then select the access tier needed. For this post I selected the cheapest for demonstration purposes, but you must select it according to your need (You can access here the Microsoft link explaining about each tier and pricing).

image

Now that the share has been created, navigate to the one we just created and you can see that there aren’t many options here. The main option is the ‘Connect’ option.

Hit the ‘Connect’ option and you will see that Azure will provide a script for Windows, Linux and MacOS.

Basically you will need to choose which operating system you will have the driver mapped, the driver letter (For Windows OS only) and which authentication method will be used.

image

To finish the only thing to do is run this PowerShell script on the machine where you want to have the driver mapped, with the only requirement being port 445 open for communication with Azure. In this script provided by azure, it already contains the account and password to access the resource, and at the time of execution of the script there is no need to elevate your PowerShell session.

image

The result I hope after executing the script will be the driver mapped as in the example below.

image

It is also possible to add the mapping manually, you just need to follow the following steps.

1 – On the machine you want to map the drive, open Windows Explorer and hit ‘This PC’, then right click on the white space and select Add network location, after that hit ‘Next’ twice and you will end up to a windows that you need to specify the address for the location you want to add.

2-Go back to Azure Files on Azure portal and hit ‘Properties’.

3- Copy URL without the HTTPS and paste on your Windows Explorer screen, but don’t forget to add the ‘\\’ and also change all others for back slash ‘\’.  The result should be this:

image

4- Hit ‘Next’ and give a name for your network location, and hit ‘Next’ again.

5- Finally, it should ask for the user name and password to access the network location, so to grab that you need to go to Azure Portal again and grab it from your Azure Files Storage Account.

image

The credentials accessing format will be:

User: localhost\StorageAccountName

Password: StorageAccountAccessKey

Now you will be able to put your files these will be automatically synced to the cloud or your on-premises environment (Depending on where you create the file).

image

I would also like to demonstrate the features of Azure Files snapshot and how the backup works, but this post is already too big, for this reason I will reserve these subjects for the next ones. If you have any questions, leave in the comments, see you soon!

Joao Costa

Creating a storage on Azure

SA_logo

Today I’m going to show you how to create a storage in the Microsoft Azure portal. So straight to the point, let’s get start: First log on your Azure Portal, next go to the “Search Bar” and type “Storage Accounts“, after that select Storage Accounts and finally click “Create“.

image

Now let’s add the necessary information for each Storage, remembering which organization will have Storages according to your needs. I will detail each configuration (Required ones):

Basics tab

  • Subscription – Select the subscription for the new storage account.
  • Resource group – Create a new resource group for this storage account, or select an existing one. For more information, see Resource groups.
  • Storage account name – Choose a unique name for your storage account. Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
  • Region – Select the appropriate region for your storage account. Not all regions are supported for all types of storage accounts or redundancy configurations.
  • Performance – Select Standard performance for general-purpose v2 storage accounts (default). This type of account is recommended by Microsoft for most scenarios. Select Premium for scenarios requiring low latency. After selecting Premium, select the type of premium storage account to create. The following types of premium storage accounts are available:
  • Redundancy – Select your desired redundancy configuration. Not all redundancy options are available for all types of storage accounts in all regions. If you select a geo-redundant configuration (GRS or GZRS), your data is replicated to a data center in a different region. For read access to data in the secondary region, select Make read access to data available in the event of regional unavailability.
  • Advanced tab

    Networking tab
    • Connectivity method – By default, incoming network traffic is routed to the public endpoint for your storage account. You can specify that traffic must be routed to the public endpoint through an Azure virtual network. You can also configure private endpoints for your storage account. For more information, see Use private endpoints for Azure Storage.
    • Routing preference – The network routing preference specifies how network traffic is routed to the public endpoint of your storage account from clients over the internet. By default, a new storage account uses Microsoft network routing. You can also choose to route network traffic through the POP closest to the storage account, which may lower networking costs. For more information, see Network routing preference for Azure Storage.

    Then click Create.

    image

    After creation check it in your Storage accounts and by clicking on settings you can see all the parameters used in the Storage settings.

    image

    Thanks guys and see you on the next post!

    How to connect to Azure from PowerShell

    Today I will talk about how to use PowerShell. I know that there is already integrated access to the browser directly through the Azure portal, but the idea of this post is to show how to access it as in the old days and mainly to help those who do not know where to start.

    Well, let’s get started! If you have not yet installed the PowerShell module, I will demonstrate here how to do this, basically, you will need to open PowerShell as Administrator (Right-click and select “Run as administrator”), then execute the following command (Copy and Paste it):

    If you want the module to be available only to the user performing the procedure on this workstation, choose command 1, if not, you want the module to be available to all users of this workstation, choose command 2.

    1 – Install for Current User

    if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
    'Az modules installed at the same time is not supported.')
    } else {
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
    }

    2 – Install for All Users
    if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
        Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
          'Az modules installed at the same time is not supported.')
    } else {
        Install-Module -Name Az -AllowClobber -Scope AllUsers
    }

    If you try to understand the commands, you will see that only the parameter –Scope is changed. My learning tip here is, always try to understand the command that is being executed, this will help you to become familiar with Cmdlets (CmdLets is the name given to the commands used in PowerShell).

    image

    If you want to understand more about the subject, here are some links that will help you learn.

    • Introducing the Azure Az PowerShell module

    From now on I am assuming you have already installed the Az Module and using PowerShell. Here is the simple command for your reference. The below command will connect to your Azure Account and it will connect to the default subscription.

    Import-Moduloe –Name Az

    Connect-AzAccount

    AzAccountConnected

    And if you have different subscriptions you have to set the default subscription with the below command.

    Set-AzContext ‘YOUR_SUBSCRIPTION_NAME’

    To Discover or list all the Az Module

    Get-Module Az.* -ListAvailable | Select-Object Name -Unique

    To discover the available cmdlets within a module we can use the Get-Command cmdlet. In this example, we browse all cmdlets within the Az.Account module:

    Get-Command -Module Az.Accounts

    You can use the Get-Help command to get help with any specific command

    Get-Help Get-AzVM

    image

    If want to see a few examples against this command you can use this.

    Get-Help Get-AzVM –Examples

    image

    That and everything for today. If you have any questions, leave them in the comments or contact us, it will be a pleasure to answer them Smile.

    Understand Azure Role Based Access Control (RBAC)

    Hi Folks!

    As I said weeks ago, I am studying to take Az-104 exam and I intend to detail here some of the topics that will be covered by the exam. For that reason today I decided to talk about RBACs.

    Identity and Access

    When it comes to identity and access, most organizations that are considering using the public cloud are concerned about two things:

    1. Ensuring that when people leave the organization, they lose access to resources in the cloud.
    2. Striking the right balance between autonomy and central governance – for example, giving project teams the ability to create and manage virtual machines in the cloud while centrally controlling the networks those VMs use to communicate with other resources.

    Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) work together to make it simple to carry out these goals.

    Azure subscriptions

    First, remember that each Azure subscription is associated with a single Azure AD directory. Users, groups, and applications in that directory can manage resources in the Azure subscription. The subscriptions use Azure AD for single sign-on (SSO) and access management. You can extend your on-premises Active Directory to the cloud by using Azure AD Connect. This feature allows your employees to manage their Azure subscriptions by using their existing work identities. When you disable an on-premises Active Directory account, it automatically loses access to all Azure subscriptions connected with Azure AD.

    What is RBAC?

    Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. With RBAC, you can grant the exact access that users need to do their jobs. For example, you can use RBAC to let one employee manage virtual machines in a subscription while another manages SQL databases within the same subscription.

    What is role-based access control?

    You grant access by assigning the appropriate RBAC role to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource. A role assigned at a parent scope also grants access to the child scopes contained within it. For example, a user with access to a resource group can manage all the resources it contains, like websites, virtual machines, and subnets. The RBAC role that you assign dictates what resources the user, group, or application can manage within that scope.

    The following diagram depicts how the classic subscription administrator roles, RBAC roles, and Azure AD administrator roles are related at a high level. Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances.

    rbac-admin-roles

    In the above diagram, a subscription is associated with only one Azure AD tenant. Also note that a resource group can have multiple resources but is associated with only one subscription. Although it’s not obvious from the diagram, a resource can be bound to only one resource group.

    What can I do with RBAC?

    RBAC allows you to grant access to Azure resources that you control. Suppose you need to manage access to resources in Azure for the development, engineering, and marketing teams. You’ve started to receive access requests, and you need to quickly learn how access management works for Azure resources.

    Here are some scenarios you can implement with RBAC.

    • Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
    • Allow a database administrator group to manage SQL databases in a subscription
    • Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
    • Allow an application to access all resources in a resource group

    RBAC in the Azure portal

    In several areas in the Azure portal, you’ll see a pane named Access control (IAM), also known as identity and access management. On this pane, you can see who has access to that area and their role. Using this same pane, you can grant or remove access.

    The following shows an example of the Access control (IAM) pane for a resource group. In this example, has been assigned the Contributor role to myself for the GetPractical resource group.

    image

    How does RBAC work?

    You control access to resources using RBAC by creating role assignments, which control how permissions are enforced. To create a role assignment, you need three elements: a security principal, a role definition, and a scope. You can think of these elements as “who”, “what”, and “where”.

    1. Security principal (who)

    A security principal  is just a fancy name for a user, group, or application that you want to grant access to.

    image

    2. Role definition (what you can do)

    A role definition is a collection of permissions. It’s sometimes just called a role. A role definition lists the permissions that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or specific, like Virtual Machine Contributor.

    image

    Azure includes several built-in roles that you can use. The following lists four fundamental built-in roles:

    • Owner – Has full access to all resources, including the right to delegate access to others.
    • Contributor – Can create and manage all types of Azure resources, but can’t grant access to others.
    • Reader – Can view existing Azure resources.
    • User Access Administrator – Lets you manage user access to Azure resources.

    If the built-in roles don’t meet the specific needs of your organization, you can create your own custom roles.

    3. Scope (where)

    Scope is where the access applies to. This is helpful if you want to make someone a Website Contributor, but only for one resource group.

    In Azure, you can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship. When you grant access at a parent scope, those permissions are inherited by the child scopes. For example, if you assign the Contributor role to a group at the subscription scope, that role is inherited by all resource groups and resources in the subscription.

    image

    Role assignment

    Once you have determined the who, what, and where, you can combine those elements to grant access. A role assignment is the process of binding a role to a security principal at a particular scope, for the purpose of granting access. To grant access, you create a role assignment. To revoke access, you remove a role assignment.

    The following example shows how the Marketing group has been assigned the Contributor role at the sales resource group scope.

    image

    RBAC is an allow model

    RBAC is an allow model. What this means is that when you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. So, if one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you will have read and write permissions on that resource group.

    RBAC has something called NotActions permissions. Use NotActions to create a set of allowed permissions. The access granted by a role, the effective permissions, is computed by subtracting the NotActions operations from the Actions operations. For example, the Contributor role has both Actions and NotActions. The wildcard (*) in Actions indicates that it can perform all operations on the control plane. Then you subtract the following operations in NotActions to compute the effective permissions:

    • Delete roles and role assignments
    • Create roles and role assignments
    • Grants the caller User Access Administrator access at the tenant scope
    • Create or update any blueprint artifacts
    • Delete any blueprint artifacts

    Azure’s Certifications

    Hi Folks!

    Recently I’ve decided to renew my Microsoft certifications and also get new ones. Although I have already good years of experience working with Azure, I never tried to get its certifications, then because of that, I decided to start with Azure’s certifications.

    At the moment my certification target is the exam Az-104: Microsoft Azure Administrator. I’ve started my studies in the middle of January, so 2 weeks ago I decided to have a shot at the exam Az-900: Azure Fundamentals, just to have an idea of how my studies are going on, got approved on that \0/ !!

    image

    My Badge

    The exam isn’t that hard and has a lot of free content on the Microsoft Learn portal to help understand the exam measures (I will leave the link address at the end of the post).

    My study method:

    1. I always read the outline of the skills measured in each exam.
    2. If there’s anything I’m not familiar with, I’ll read the documentation available in Microsoft Docs (always free and up-to-date).
    3. If I don’t understand what the documents are saying, I use my tenant for proper validations.
    4. I always dedicate 20 to 40 hours (per exam) to perform the laboratories (On Azure you can have a free tenant for 30 days to do your validations).
    5. When it comes to new technology, I start by watching the training available in Microsoft Learn, Pluralsight and/or Udemy.

    That’s my method, share in the comments how’s your studies method?

    So from now on, I will start posting my study path to get approved on these certifications and try to share some acquired knowledge for the most important skill measured on the exams.

    Azure Free tenant: https://azure.microsoft.com/en-gb/free/

    Microsoft Learning: https://docs.microsoft.com/en-us/learn/

    Exam skills outline Az-900: https://docs.microsoft.com/en-us/learn/certifications/exams/az-900

    Exam skills outline Az-104: https://docs.microsoft.com/en-us/learn/certifications/exams/az-104

    Got it? Get Practical!