Avatar of Florent

by Florent

[Azure] Add multiple admins in a subscription in ARM

February 8, 2017 at 8:00 am in Azure, Microsoft, PowerShell by Florent


I had the request to add some users from Azure AD as Owner of the Azure subscription, in ARM. Being feigning and not wanting to add 10 users manually, I decided to create a PowerShell script (if we ask me to do the same another time). This script is available on Technet:


To use it, create a CSV file on the same location as your script, with 3 columns:

  • Email
  • FirstName
  • Lastname


On my 4 users, I only have one as Owner. The script will add 3 others:


Choose your Azure subscription:

If a problem appears during the adding, you’ll have an error message:


And if the adding is ok, you’ll have informational message:


And on my Azure view:


If you have any questions, remarks or suggestions, don’t hesitate to contact me :)

Avatar of Florent

by Florent

[French][Container] Start with Windows Server 2016

June 7, 2016 at 6:00 am in Container, Microsoft, Windows Server 2016 by Florent


If you want to start with containers on Windows Server 2016, I just published a movie that explain the first steps to have a good start. This movie is in french. It is available here:


Don’t hesitate to give me your comments Sourire

Avatar of Florent

by Florent

[Container] Error when you try to add a static mapping rule

June 3, 2016 at 6:00 am in Container, Microsoft, Windows Server 2016 by Florent

With Windows Server 2016, containers are coming as a new feature in  Windows Server. With the TP5, the managing of containers has changed. In fact, to manage network, you don’t need a new switch anymore, but we use the new PowerShell CmdLet New-ContainerNetwork. To add a NAT rule, you need to use the Add-ContainerNetworkAdapterStaticMapping command. So I executed this:

$iiscore = Get-Container -Name $containerNameIIS
Add-ContainerNetworkAdapterStaticMapping -Container $iisCore -AdapterName "$containerNameIIS-NetAda" -ExternalPort 80 -InternalPort 80 -Protocol TCP

But I had the following error:

Add-ContainerNetworkAdapterStaticMapping : The operation failed.


After looking during some minutes, I tried to stop the container and to execute the command again. And this time it works fine:


I verified that the NAT rule has been created correctly:


Conclusion: You MUST stop the container that you want to modify (for the network) to execute the command without error.

Avatar of Florent

by Florent

[Intel NUC] Network driver with Windows Server 2016 TP5

June 1, 2016 at 6:00 am in Intel NUC, Microsoft, Windows Server 2016 by Florent

Because I bought an Intel NUC 6th Generation 3 weeks ago, I tried to deploy Windows Server 2016 TP5 on it. The installation works fine. I downloaded drivers from my laptop from the Intel website, for the version Windows 10 64-bits: https://downloadcenter.intel.com/product/89190

Installation of all drivers is working fine, except for the network card driver. I searched on Internet and I found the solution for my problem on the following blog post: http://www.sqlbrander.com/2015/12/08/running-windows-server-2016-ctp4-on-an-intel-nuc-5i5ryh/ So I adapt it for the TP5.

The following procedure is not official and is not supported, don’t do this in a production environment.

The goal here is to start by deactivating the signature verification of drivers, with following commands:

bcdedit /set TESTSIGNING ON
bcdedit /set nointegritychecks ON

Reboot the server. Download the network card driver here and extract the file to have sources:


We will now modify the network driver. The driver is located in the folder Your_Directory\LAN_Win10_64_20.7.1\PRO1000\Winx64\NDIS65. ForWindows Server 2016 TP5, we wil lmodify the file named e1d65x64.inf. Open it and search the following lines:

ExcludeFromSelect = \

Replace by:



Copy the following lines:

%E15A0NC.DeviceDesc%            = E15A0.10.0.1,       PCI\VEN_8086&DEV_15A0
%E15A0NC.DeviceDesc%            = E15A0.10.0.1,       PCI\VEN_8086&DEV_15A0&SUBSYS_00008086
%E15A1NC.DeviceDesc%            = E15A1.10.0.1,       PCI\VEN_8086&DEV_15A1
%E15A1NC.DeviceDesc%            = E15A1.10.0.1,       PCI\VEN_8086&DEV_15A1&SUBSYS_00008086
%E15A2NC.DeviceDesc%            = E15A2.10.0.1,       PCI\VEN_8086&DEV_15A2
%E15A2NC.DeviceDesc%            = E15A2.10.0.1,       PCI\VEN_8086&DEV_15A2&SUBSYS_00008086
%E15A2NC.DeviceDesc%            = E15A2.10.0.1,       PCI\VEN_8086&DEV_15A2&SUBSYS_00011179
%E15A3NC.DeviceDesc%            = E15A3.10.0.1,       PCI\VEN_8086&DEV_15A3
%E15A3NC.DeviceDesc%            = E15A3.10.0.1,       PCI\VEN_8086&DEV_15A3&SUBSYS_00008086
%E15A3NC.DeviceDesc%            = E15A3.10.0.1,       PCI\VEN_8086&DEV_15A3&SUBSYS_00011179
%E156FNC.DeviceDesc%            = E156F.10.0.1,       PCI\VEN_8086&DEV_156F
%E156FNC.DeviceDesc%            = E156F.10.0.1,       PCI\VEN_8086&DEV_156F&SUBSYS_00008086
%E156FNC.DeviceDesc%            = E156F.10.0.1,       PCI\VEN_8086&DEV_156F&SUBSYS_00011179
%E1570NC.DeviceDesc%            = E1570.10.0.1,       PCI\VEN_8086&DEV_1570
%E1570NC.DeviceDesc%            = E1570.10.0.1,       PCI\VEN_8086&DEV_1570&SUBSYS_00008086
%E1570NC.DeviceDesc%            = E1570.10.0.1,       PCI\VEN_8086&DEV_1570&SUBSYS_00011179
%E15B7NC.DeviceDesc%            = E15B7.10.0.1,       PCI\VEN_8086&DEV_15B7
%E15B7NC.DeviceDesc%            = E15B7.10.0.1,       PCI\VEN_8086&DEV_15B7&SUBSYS_00008086
%E15B7NC.DeviceDesc%            = E15B7.10.0.1,       PCI\VEN_8086&DEV_15B7&SUBSYS_00011179
%E15B8NC.DeviceDesc%            = E15B8.10.0.1,       PCI\VEN_8086&DEV_15B8
%E15B8NC.DeviceDesc%            = E15B8.10.0.1,       PCI\VEN_8086&DEV_15B8&SUBSYS_00008086
%E15B8NC.DeviceDesc%            = E15B8.10.0.1,       PCI\VEN_8086&DEV_15B8&SUBSYS_00011179

And paste them after the following block:

; DisplayName                   Section        DeviceID
; ———–                   ——-        ——–
%E153ANC.DeviceDesc%            = E153A,       PCI\VEN_8086&DEV_153A
%E153ANC.DeviceDesc%            = E153A,       PCI\VEN_8086&DEV_153A&SUBSYS_00008086
%E153ANC.DeviceDesc%            = E153A,       PCI\VEN_8086&DEV_153A&SUBSYS_00011179
%E155ANC.DeviceDesc%            = E155A,       PCI\VEN_8086&DEV_155A
%E155ANC.DeviceDesc%            = E155A,       PCI\VEN_8086&DEV_155A&SUBSYS_00008086
%E155ANC.DeviceDesc%            = E155A,       PCI\VEN_8086&DEV_155A&SUBSYS_00011179
%E15A0NC.DeviceDesc%            = E15A0,       PCI\VEN_8086&DEV_15A0
%E15A0NC.DeviceDesc%            = E15A0,       PCI\VEN_8086&DEV_15A0&SUBSYS_00008086
%E15A2NC.DeviceDesc%            = E15A2,       PCI\VEN_8086&DEV_15A2
%E15A2NC.DeviceDesc%            = E15A2,       PCI\VEN_8086&DEV_15A2&SUBSYS_00008086
%E15A2NC.DeviceDesc%            = E15A2,       PCI\VEN_8086&DEV_15A2&SUBSYS_00011179
%E156FNC.DeviceDesc%            = E156F,       PCI\VEN_8086&DEV_156F
%E156FNC.DeviceDesc%            = E156F,       PCI\VEN_8086&DEV_156F&SUBSYS_00008086
%E156FNC.DeviceDesc%            = E156F,       PCI\VEN_8086&DEV_156F&SUBSYS_00011179
%E15B7NC.DeviceDesc%            = E15B7,       PCI\VEN_8086&DEV_15B7
%E15B7NC.DeviceDesc%            = E15B7,       PCI\VEN_8086&DEV_15B7&SUBSYS_00008086
%E15B7NC.DeviceDesc%            = E15B7,       PCI\VEN_8086&DEV_15B7&SUBSYS_00011179

You will have the following:


Save the file and go to Device Manager, on your network card. Choose Update Driver:


Choose the second option to select the driver modified previously:


Give the path to your driver:


You will have a message to say that the driver is a risk, install it:

The driver is now installed:



You can now access your network with your Intel NUC on Windows Server 2016 TP5.

The last step is to activate the drivers signature verification, with the following commands:

bcdedit /set TESTSIGNING OFF
bcdedit /set nointegritychecks OFF

Reboot the server for the last time, and voila, it works like a charm Sourire

Avatar of Florent

by Florent

[pfSense] VPN S2S with Azure

May 31, 2016 at 6:00 am in Azure, Microsoft, pfSense by Florent

Because I would like to have a VPN @ home and a VPN with Azure, we advise me to use pfSense. This distribution is very flexible and give you the possibility to connect your host/VM with PPPoE with you ISP but also, to have a performant firewall, doing VPN connections with IPSec, OpenVPN, L2TP, etc.

The idea of this article will be to create a S2S VPN with Azure RM via pfSense.

I started by connecting my pfSense VM (1vCPU, 512MB RAM), with PPPoE to my ISP. Because I have a dynamic public IP, I created an account noip.com with a DNS recording. I connected my pfSense to NOIP to update this public IP automatically in Services > Dynamic DNS:


When my VM will restart or my lease will be ended, my IP will be updated directly on my NOIP.


I will now create my VPN on Azure. Go on https://portal.azure.com and connect to your subscription. Be sure to create a virtual network, in Resource Manager:


After, you need to create your Virtual Network Gateway, by choosing the virtual network created previously, and by choosing a a subnet for the Gateway and a public IP. Choose the VPN type, with a VPN type of Route based:


After some minutes, our gateway is ready. We need to create a Local Network Gateway, that will host the public IP of the pfSense and local network where the pfSense is connected to access them:


If you have a public dynamic IP, you can check here: http://scug.be/florent/2016/05/30/powershell-update-your-azure-s2s-vpn-with-dynamic-public-ip/

Now, we need to associate our local network to our virtual gateway. Go on your gateway created previously and click on Add:


Choose Site-to-site (IPSec) with the gateway created previously. Provide a shared key. This key will be used in the pfSense configuration’s:


My connection:



Now, we will configure our pfSense to have the connectivity to Azure. Go in VPN > IPSec and add a new phase 1. Give the public IP address of your Azure gateway, with your shared key:


Deactivate DPD:


Save, and to this phase 1, add a phase 2 by giving the Azure network that you provide during the virtual network creation:


Apply change:


My S2S VPN is now connected:


You can deploy a VM on Azure, with the virtual network where the VPN is connected, without public IP and after, connect to it from your local network:


Enjoy your connectivity to AzureSourire

Avatar of Florent

by Florent

[PowerShell] Update your Azure S2S VPN with Dynamic Public IP

May 30, 2016 at 6:00 am in Azure, Azure Automation, Microsoft, PowerShell by Florent

I created a S2S VPN with my Azure subscription and, because I don’t a fix public IP @ Home, I searched on internet and I found a blog post who speak about this subject: https://www.vnext.be/2013/12/01/windows-azure-s2s-vpn-with-dynamic-public-ip/

The only problem is, that this script is for azure classic and not for Azure RM.

So I modified this script to update your dynamic public IP on Azure, to have a limited disruption of your VPN S2S with ARM. At my home, this script is executed every 5 minutes. I will do an Azure Automation version later

Don’t hesitate to give me your comments/remarks Sourire

The link: https://gallery.technet.microsoft.com/Update-AzureRM-S2S-VPN-c46cc39e

Avatar of Florent

by Florent

[Hyper-V] Nested VM can’t start

May 11, 2016 at 6:00 am in Microsoft, Nano Server, Windows Server 2016 by Florent

With Windows Server 2016 TP4, Microsoft added a new feature, Nested Hyper-V. This feature give you the possibility to do virtualization in VMs thatare running on Hyper-V.

On 27th of April, Microsoft has released the TP5 version of Windows Server 2016. Because I’m using my Azure Stack server has host, who is running on Windows Server 2016 TP4, I tried to test the Nested Hyper-V TP5 on this server. I created a Nano Server with the Hyper-V role and I created a VM WS2016TP5 on it:


I started this VM and I had the following error:

Failed to start the virtual machine ‘WS2016TP5’ because one of the Hyper-V components is not running


The problem is that if you want to run the TP5 version of Nested Hyper-V, your Hyper-V server MUST be on TP5 too. I hope I helped you Sourire

Avatar of Florent

by Florent

[WAP] Azure Pack Connector installation and configuration

April 18, 2016 at 6:00 am in Microsoft, WAP, Windows Azure Pack by Florent


Microsoft has releasd in February the first version of the Azure Pack Connector. This plugin will give you the possibility to deploy and manage VMs in Azure, direclty from the Windows Azure Pack interface. On 5th of April, Microsoft has released the version 1.1 of the plugin. It’s with this version that I will show you how to deploy this plugin.

Before starting, be sure to have a valid Azure subscription and an Azure Active Directory. After, download the Azure Pack Connector: https://github.com/Microsoft/Phoenix/releases/tag/v1.1

Copy sources on servers that will host the following 3 components:

  • CMP Server
  • WAP Tenant Extension
  • WAP Admin Extension

Connect on a server that has IIS Manager and generate a Self-Signed certificate or a enterprise certificate, via a PKI. Export this certificate through IIS and import it on each server that will host the 3 previous roles. Import it on the Current User and on the Local Machine, by including all properties and by choosing automatically the right store. After that, open the MMV and add the Certificates snapin on Local Computer. Open the private key of the certificate and add the Everyone group:



This certificate will be used for the encryption.

You must download and install features pack of SQL Server 2014, on each server where the plugin will be installed:

  • Shared Management Objects (SMO)
  • Transact-SQL ScriptDom (SQLDOM)
  • System CLR Types (SQLSysClrTypes)

Restart all servers. We can now start the installation of the plugin. Unzip the archive that you downloaded where the admin extension will be installed and execute the software SetupCMP.exe:


Choose to add new features:


Here, I will select the 2 following features:

  • CMP Server
  • WAP Admin Extension


Accept the license:


Choose where you want to install the software:


Give the name of the SQL Server that will store the database, with the instance name, for the CMP service:


Do the same for the WAP part:


I will use a service account to execute the CMP service. This account must be local administrator of the server. Choose the certificate that you generate at the beginning:


Here you have a resume of your installation:


The installation is done:


In IIS Manager:


In the WAP Admin Portal:


Go now on the server where the Tenant site is hosted and execute the file SetupCMP.exe. The installation is the same, except that you will choose the WAP Tenant Extension:


Choose the existing databasee:



And choose the certificate that you imported:


Install the last feature:



Now go on you SQL instance that hosts the Microsoft.MgmtSvc.Store database (WAP DB) and execute the following request to create a new user and to associate it with the database. You can change the username/password:

USE [master]
USE [Microsoft.MgmtSvc.Store]
CREATE USER [MgmtSvc-CmpWapExtension] FOR LOGIN [MgmtSvc-CmpWapExtension]
ALTER USER [MgmtSvc-CmpWapExtension] WITH DEFAULT_SCHEMA=[dbo]
ALTER ROLE [db_owner] ADD MEMBER [MgmtSvc-CmpWapExtension]


Now, we need to update the connection string of the plugin with the good SQL server name. Go on the server that hosts the CMP extension and open as administrator the Web.config file in the folder C:\inetpub\MgmtSvc-CmpWapExtension. Replace the connection string MicrosoftMgmtSvcStoreContext by the following, adapting with your values:

<add name="MicrosoftMgmtSvcStoreContext" connectionString="Data Source=DEVOC-SQL-001\WAP;Initial Catalog=Microsoft.MgmtSvc.Store;Persist Security Info=True;User ID=MgmtSvc-CmpWapExtension;Password=pass@word1;MultipleActiveResultSets=True" providerName="System.Data.SqlClient"/>


Modify the 2 string before by adding after the database, ;MultipleActiveResultSets=True”


Do the previous 2 steps on each CMP server. Now, associate the certificate that you used during the installation of the plugin in IIS, on each server:


Execute the iisreset on each server to apply modifications. On a server, we will execute the script that will register this new Resource Provider. Go in C:\inetpub\MgmtSvc-CmpWapExtension and execute the script Register-ResourceProvider.ps1. You need to provide the name of the server that hosts the Admin extension and the Tenant extension:


In your portal, the RP is registered correctly:


Now, download the following script https://github.com/Microsoft/Phoenix/blob/master/tools/Create-AADSPN.ps1 and execute it on a computer that has the AzureRM module. This script will create a custom application in your Azure AD:


We will now add the plugin to a plan. You will need the following information (all of these information are available through the output of th previous script):

  • The subscription number of your Azure (subscriptionId)
  • The number of your Azure AD (tenantId)
  • The key that you provide during the creation of the custom application (appKey)
  • The client id number (App ID)

From the administration portal, add the CMP service to a plan:


You will be able to see this, when adding an account:


Provide information that you get before:


Click on the button Add Subscription. If all is right, you will have a green success message:


Add the subscription to a plan by clicking on Add Selected Subscription To Plan:


Choose which image and size that will be available for this plan and click on Save:


In the client portal, you can deploy a VM on Azure:





And the detail:


This new plugin is very interesting to have the possibility to deploy quickly a VM on Azure, but some features are missing, like the possibility to deploy a VM on an Europe datacenter, a Linux VM, etc…


Error 1

After the deployment, I had the following error in the event viewer:

Exception in SyncWorker.SynchWithCmp() : Exception in CmpClient.FetchCmpRequests() : Exception in GetAzureContainers() : The underlying provider failed on Open. – Cannot open database "CMP_DB" requested by the login. The login failed.
Login failed for user ‘DOMAIN\DEVOC-WAPTNT-01$’. :


The 2 computers accounts didn’t have the good rights on the instance that host DBs of the plugin. I added the sysadmin right for each account and the error disappeared.

Error 2

If you have the following error:

Exception in SyncWorker.SyncWithAzure() : Exception in FetchServiceProviderAccountList() : Exception in Decrypt() : Keyset does not exist


Be sure to have the good permission on the certificate Everyone with Full rights to manage private key of the certificate.

Avatar of Florent

by Florent

[MVP] First nomination

April 4, 2016 at 6:00 am in Microsoft, MVP by Florent


Et voilà, from April 1st 2016, Microsoft elected me Microsoft MVP in the Cloud and Datacenter Management category :)

Microsoft gives me this title for my different activities within the Microsoft community.

I want to thank people that helped and supported me, Romain, JS, Benoit, Christophe, etc (sorry to those that I was not able to mention, but the list is too long :) ) and you, readers.
But the one I thank the most is undoubtedly my wife, Alexandra, who supports me when I work evenings / weekends to bring you new content.

The next for 2016:

And of course, keep blogging, meet new people, discover new products, etc.

Thanks again everyone and see you soon :)

Avatar of Florent

by Florent

[Azure] Custom RBAC roles

March 9, 2016 at 7:00 am in Azure, Microsoft by Florent

From December 2015, Microsoft has given the possibility to create your own RBAC roles. I will show you today, how to do this. To start, connect via PowerShell to your Azure RM subscription:

Select-AzureRmSubscription -SubscriptionId XXXXXXXXXXXXXXXXXXXXX

When you are connected, you can get the list of Resource Providers that are available with the following command:

Get-AzureRmResourceProvider | FT ProviderNameSpace,ResourceTypes


That I want here is pretty easy. The user/group that will be in the role that I will create will be able to create/delete network cards and read/join network security group as well as virtual network. I will use the Resource Provider Microsoft.Network to do this. To have the list of all available operations, use the following command:

Get-AzureRmProviderOperation -OperationSearchString Microsoft.Network/* | Select Operation,OperationName


Here, actions that interest me are the following:

  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/write
  • Microsoft.Network/networkInterfaces/delete
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/join/action
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/join/action

The first 3 bullets concerned the fact the create/read/delete network card, the 4th and 5th concerned the fact to read NSG and join them and, finally, the last 3 bullets are to read virtual networks, subnets and to get an IP in the pool.

To store network cards, the user need to have the right to write in the Resource Group, and so, to read it. You will add the following 2 lines:

  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/deployments/write

Now that we have all actions, we can create the following JSON file:

“Name”: “Admin Network Card”,
“Id”: “67794e3b-eeeb-4e5c-a98b-27cc053a0b35″,
“IsCustom”: true,
“Description”: “Can create and delete Network Interfaces.”,
“Actions”: [
“NotActions”: [

“AssignableScopes”: [

Obviously, modify XXXXXXXXXXXXX with the number of the subscription where it will be possible to use this role. You can add multiple subscription. You can also change the Name and Description:


Save this file with the extension .json and use the following command to import it:

New-AzureRmRoleDefinition -InputFile C:\Users\flore\Desktop\CustomRole.json


With an administrator account, go in the resource group where the role will be applied and add the new role by clicking on Access > Add > Select a role:


Add the account/group that will have the possibility to deploy network cards:



If you navigate to Access > Roles > Admin Network Card > Properties, you have the possibility to view permissions that will be applied on the RG:



Now, connect with the account who has rights to deploy a network card:


Try to create a NSG (we just have permissions to read/join a NSG):


We have an error, it’s normal. The message is clear, we don’t have the good rights to do this:


I will now create a virtual network with a subnet and a NSG, with an administrator account. I can now read NSG and virtual network that are in the Resource Groups where I have rights:



Try now to deploy a new network card that will have the possibility to be attached to a VM:


The deployment has been done successfully:



If you want to modify your role, whitout delete/create it, you just need to get his ID and insert it in your JSON file:

Get-AzureRmRoleDefinition -Name “Admin Network Card”


After, execute the following command to update it in Azure:

Set-AzureRmRoleDefinition -InputFile C:\Users\flore\Desktop\CustomRole.json


This new functionality will help you to give the good rights to the good peoples, whitout any impact on the production environment since it is not necessary to be co-administrator of the subscription Sourire