
[Azure] Custom RBAC roles

7:00 am in Azure, Microsoft by Florent

Since December 2015, Microsoft has let you create your own RBAC roles. Today I will show you how to do this. To start, connect to your Azure RM subscription via PowerShell:

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId XXXXXXXXXXXXXXXXXXXXX

When you are connected, you can get the list of Resource Providers that are available with the following command:

Get-AzureRmResourceProvider | FT ProviderNameSpace,ResourceTypes


What I want here is simple. The user or group placed in the role I am about to create must be able to create and delete network interfaces, and to read and join network security groups and virtual networks. I will use the Microsoft.Network resource provider for this. To list all the operations it exposes, use the following command:

Get-AzureRmProviderOperation -OperationSearchString Microsoft.Network/* | Select Operation,OperationName


The actions of interest here are the following:

  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/write
  • Microsoft.Network/networkInterfaces/delete
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/join/action
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/join/action

The first three entries cover creating, reading and deleting network interfaces, the fourth and fifth cover reading NSGs and joining them, and the last three cover reading virtual networks and subnets and obtaining an IP address from the subnet pool.

To store the network interfaces, the user also needs the right to write in the resource group, and therefore to read it. Add the following two actions:

  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/deployments/write

Now that we have all the actions, we can create the following JSON file:

{
  "Name": "Admin Network Card",
  "Id": "67794e3b-eeeb-4e5c-a98b-27cc053a0b35",
  "IsCustom": true,
  "Description": "Can create and delete Network Interfaces.",
  "Actions": [
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/XXXXXXXXXXXXXXXXXXX"
  ]
}

Replace XXXXXXXXXXXXX with the ID of the subscription in which this role may be used. You can list multiple subscriptions. You can also change the Name and Description.

Save this file with the extension .json and use the following command to import it:

New-AzureRmRoleDefinition -InputFile C:\Users\flore\Desktop\CustomRole.json
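As an added example, not code from the original post, here is the same role built from PowerShell objects instead of a JSON file, with a check that every literal action string exists in the provider operation list before the role is created (a misspelled action grants nothing and produces no error). It assumes the AzureRM module and a session opened with Login-AzureRmAccount; the subscription ID is a placeholder.

```powershell
# Added example, not from the original post. Assumes the AzureRM module and a signed-in session.
$subscriptionId = 'XXXXXXXXXXXXXXXXXXX'   # placeholder: replace with your subscription ID

$actions = @(
    'Microsoft.Network/networkInterfaces/read',
    'Microsoft.Network/networkInterfaces/write',
    'Microsoft.Network/networkInterfaces/delete',
    'Microsoft.Network/networkSecurityGroups/read',
    'Microsoft.Network/networkSecurityGroups/join/action',
    'Microsoft.Network/virtualNetworks/read',
    'Microsoft.Network/virtualNetworks/subnets/read',
    'Microsoft.Network/virtualNetworks/subnets/join/action',
    'Microsoft.Resources/deployments/read',
    'Microsoft.Resources/deployments/write',
    'Microsoft.Authorization/*/read',
    'Microsoft.Resources/subscriptions/resourceGroups/read',
    'Microsoft.Support/*'
)

# 1. Validate: compare each non-wildcard action with the operations the providers really expose.
$known   = (Get-AzureRmProviderOperation -OperationSearchString '*').Operation
$unknown = $actions | Where-Object { -not $_.Contains('*') -and $known -notcontains $_ }
if ($unknown) {
    throw "Unknown actions, fix them before creating the role: $($unknown -join ', ')"
}

# 2. Build the definition from a built-in role used as a template, clearing everything
#    so that only our actions remain. A null Id tells New-AzureRmRoleDefinition to create.
$role = Get-AzureRmRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'Admin Network Card'
$role.Description = 'Can create and delete Network Interfaces.'
$role.Actions.Clear()
$actions | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# 3. Create the role and show what Azure stored, to compare with the intended action list.
$created = New-AzureRmRoleDefinition -Role $role
$created | Format-List Name, Id, Actions, AssignableScopes
```

Keeping the action list in a variable and validating it first is what makes the difference when a role is later edited: an action that disappears silently from the list is caught before the role is pushed.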


With an administrator account, go to the resource group where the role will be applied and add the new role via Access > Add > Select a role.

Add the account or group that will be allowed to deploy network interfaces.

If you navigate to Access > Roles > Admin Network Card > Properties, you can view the permissions that will apply to the resource group.

Now, sign in with the account that has the rights to deploy a network interface.

Try to create an NSG (we only have permissions to read and join NSGs).

We get an error, which is expected. The message is clear: we do not have the rights to do this.

I will now create a virtual network with a subnet and an NSG using an administrator account. With the restricted account, I can then read the NSG and the virtual network in the resource groups where I have rights.

Now try to deploy a new network interface that can later be attached to a VM.

The deployment completes successfully.

If you want to modify your role without deleting and recreating it, you just need to get its ID and insert it in your JSON file:

Get-AzureRmRoleDefinition -Name "Admin Network Card"


Then execute the following command to update it in Azure:

Set-AzureRmRoleDefinition -InputFile C:\Users\flore\Desktop\CustomRole.json
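The portal steps above (assigning the role in the resource group, then viewing who has what) and the update step, as one added PowerShell example that is not from the original post. It assumes the AzureRM module, a signed-in session, an Azure AD group named NetworkCardAdmins and a resource group named RG-Demo (both placeholders), and uses Microsoft.Network/publicIPAddresses/read purely as an illustrative action to add during the update.

```powershell
# Added example, not from the original post. Assumes the AzureRM module and a signed-in session.
$groupName = 'NetworkCardAdmins'   # placeholder: Azure AD group to receive the role
$rgName    = 'RG-Demo'             # placeholder: resource group where the role applies
$roleName  = 'Admin Network Card'

# 1. Assign at resource group scope. AssignableScopes only says where the role *may* be used;
#    the assignment scope is what actually limits the group.
$group = Get-AzureRmADGroup -SearchString $groupName | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }
New-AzureRmRoleAssignment -ObjectId $group.Id `
                          -RoleDefinitionName $roleName `
                          -ResourceGroupName $rgName | Out-Null

# 2. Verify: list every assignment on the resource group, so a wider assignment that already
#    exists (for example Contributor on the same group) shows up next to the one just made.
Get-AzureRmRoleAssignment -ResourceGroupName $rgName |
    Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize

# 3. Update in place: the stored definition already carries its Id, so Set- updates rather
#    than creates. Only add the action if it is not there yet, so the script can be re-run.
$role = Get-AzureRmRoleDefinition -Name $roleName
$extraAction = 'Microsoft.Network/publicIPAddresses/read'   # illustrative action to add
if ($role.Actions -notcontains $extraAction) {
    $role.Actions.Add($extraAction)
}
$updated = Set-AzureRmRoleDefinition -Role $role

# 4. Confirm the change landed by re-reading the role rather than trusting the local object.
(Get-AzureRmRoleDefinition -Id $updated.Id).Actions
```

Step 2 is the check worth keeping in a runbook: a custom role only reduces rights if the same principal does not also hold a broader built-in role at the same or a higher scope.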


This new functionality helps you give the right rights to the right people, without any impact on the production environment, since it is no longer necessary to be a co-administrator of the subscription.


[Azure] Server Management Tools

7:00 am in Azure, Microsoft, Nano Server by Florent

One month ago, Microsoft released a new feature in Azure: Server Management Tools.

This feature lets you manage your Windows Server machines from a web browser.

I will show you how to deploy this new feature. For this demo, I have two servers (in Azure): one Nano Server and one Windows Server 2016 TP4 server. The Windows Server 2016 TP4 server will be the gateway server, where the Server Management Tools feature will be installed. These two servers are in the same virtual network; if you have a site-to-site VPN, you can host your gateway server on your on-premises network instead. Here is a quick overview from TechNet.

We will start by deploying a new Server Management Tools instance. Navigate to Marketplace > Management > More > Server management tools.

Fill in the information: the computer name (hostname) of the managed computer, your subscription, a resource group, a Server Management Tools gateway (in my case, a new one) and the location (only available in the US at the time of writing).

When the deployment is done, click Browse > Server management tools connections.

If the gateway is not configured, you will see a notification asking you to configure it. Click on it to start the configuration.

Choose whether you want to install updates automatically and click the Generate a package link button to create a link from which the gateway installer can be downloaded. Copy this link to a safe location.

On your gateway server, download the archive from the link generated previously and extract it.

There are two files in this folder: a JSON file with your gateway parameters and the installer. Here is a quick view of the JSON file.


Run the installer package to install the gateway tool.

A new service now exists on the gateway server.

If you go back to the Azure portal, in Server management tools gateway, the status is now OK and you will see information about your server.

Go back to Server management tools connections. If your gateway is registered correctly, the notification will ask you for the credentials of an admin account on the VM.

The connection is established.

You can use the following tools, directly in the Azure portal:

  • Device Manager: you can see drivers, connected hardware, etc.
  • Event Viewer: you can check your logs
  • PowerShell: you can manage your computer via PowerShell
  • Processes: you get the list of processes running on your server
  • Registry Editor: you can manage your registry keys
  • Roles and Features: you can see which features are installed
  • Services: you can start/stop/pause/resume services

Below are some screenshots of these features.


Before adding your Nano Server: because I am in a workgroup, I need to add the host name of my Nano Server to the WinRM TrustedHosts list on my gateway. Execute the following command, replacing the value with your hostname:

Set-Item -Path WSMan:\localhost\client\TrustedHosts -Value 'NANO01' -Force


I will now add my Nano Server and link it to my existing gateway.

I add credentials that have admin rights on my Nano Server by clicking Manage as.

I can connect to it through Azure.

If you want to connect with the Administrator account, execute the following command on the target machine to allow remote connections with that account (it disables UAC remote token filtering for local administrator accounts):

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

And if the server you are adding is not in the same subnet as the gateway, execute the following command to open port 5985 in the firewall:

NETSH advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
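The three preparation commands of this post (TrustedHosts on the gateway, LocalAccountTokenFilterPolicy and the firewall rule on the managed server) as one added PowerShell script with checks; it is not code from the original post. NANO01 and 10.0.0.4 are placeholder values for the managed server name and the gateway address, and the script assumes the WSMan and registry providers are available where each section runs. It differs from the post in two points: TrustedHosts is appended to rather than overwritten, and the firewall rule is limited to the gateway address.

```powershell
# Added example, not from the original post. Placeholders: managed server name and gateway address.
$nanoHost  = 'NANO01'      # placeholder: the Nano Server to manage
$gatewayIp = '10.0.0.4'    # placeholder: the gateway's address, used to scope the firewall rule

# --- On the gateway: add the host to TrustedHosts without dropping entries already present.
#     Set-Item replaces the whole list, so read the current value and append to it.
$current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
if ($entries -notcontains $nanoHost) {
    $entries += $nanoHost
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($entries -join ',') -Force
}
(Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value   # show the resulting list

# --- On the managed server: allow remote use of local admin accounts over WinRM.
#     Value 1 turns off UAC remote token filtering for local accounts (same key as the REG ADD above).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
                 -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy

# --- On the managed server: open WinRM (TCP 5985) inbound, but only from the gateway address.
#     Uses the same netsh syntax as the post; remoteip narrows the rule, and the rule is only
#     created if it does not exist yet so the script can be re-run.
netsh advfirewall firewall show rule name="WinRM 5985" | Out-Null
if ($LASTEXITCODE -ne 0) {
    netsh advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in `
        localport=5985 remoteip=$gatewayIp action=allow
}

# --- From the gateway: confirm the WinRM listener answers before adding the server in the portal.
Test-WSMan -ComputerName $nanoHost
```

Test-WSMan at the end gives a fast answer to the usual question when the portal connection fails: whether the problem is on the network path (no answer at all) or in the credentials and token policy (the listener answers but the portal's connection is refused).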

I hope this article will help you.


[Azure Stack] White Paper about installation and configuration

6:00 am in Azure Stack, Microsoft, TP1 by Florent


Hello everyone,

I am pleased to announce that I released my first white paper today. This document will help you understand, install and use the first version of Azure Stack, TP1.

The link to download the document: https://gallery.technet.microsoft.com/Implement-Azure-Stack-and-56c05f85

This document is written in English.
Don't hesitate to give me your impressions and your remarks.