Install the Azure Portal app (Preview) to manage your Azure resources

4:04 pm in Azure, Azure Management, Azure Portal app, Cloud, Preview by Wim Matthyssen

In addition to the Azure Portal and the Azure mobile app, there is now another option available to access and manage all your Azure resources, namely the Azure Portal app. Although it is still in preview, it already gives you the same experience as the Azure Portal, without needing a browser such as Microsoft Edge or Google Chrome.

This comes in handy when, for example, you want to reach the Azure Portal from any kind of “management server” or from a Windows client on which the use of a browser is restricted.

To get started you first need to browse to https://preview.portal.azure.com/app/Download and click on the Download the Azure Portal app button to start the download.

Once downloaded you need to run the AzurePortalInstaller.exe file.

Once installed you can open the Azure Portal app from your Windows 10 Start menu, or by opening the search icon on the taskbar and searching for Azure.

You need to sign in with your Azure account and when you have done that you can start using the app for managing all your Azure resources just like you are used to with the Azure Portal.

Hope you enjoy this new app, I already do.

Wim Matthyssen (@wmatthyssen)

Azure PowerShell Error: “Your Azure credentials have not been set up or have expired, please run Connect-AzureRmAccount to set up your Azure credentials”

6:28 pm in Azure, Azure credentials, Azure PowerShell by Wim Matthyssen

While working on a new Azure IaaS deployment for a customer, I encountered the following error when running several Azure PowerShell cmdlets.

“Your Azure credentials have not been set up or have expired, please run Connect-AzureRmAccount to set up your Azure credentials”

Running the Connect-AzureRmAccount cmdlet several times, as proposed in the error message, did not solve the problem. Neither did opening a new PowerShell window or even completely restarting my Surface laptop.

I finally got it fixed by running the Remove-AzureRmAccount cmdlet, which removes all credentials and contexts (subscription and tenant information) associated with that specific Azure account.

After executing the Remove-AzureRmAccount cmdlet and logging in again using the Login-AzureRmAccount cmdlet, all other cmdlets ran again like they should.

Hope this helps!

Wim Matthyssen (@wmatthyssen)

PowerShell: AzCopy download and silent installation

10:52 am in AzCopy, Azure, Download, PowerShell, PowerShell Script, Silent installation by Wim Matthyssen

AzCopy is a free command-line tool offered by Microsoft. It allows you to easily copy and transfer data (data migration) from and to Azure storage. It is designed for high-performance transfers and can be deployed on both Windows and Linux systems (separate versions). AzCopy for example allows users to copy data between a file system and a storage account, or between storage accounts. Users can select items by specifying patterns, like wildcards or prefixes, to identify the files needed for upload or download. It currently supports Microsoft Azure Blob, File and Table storage.

To automate the download and silent installation process of this useful tool, I wrote the below PowerShell script which does all of the following:

  • Create a Temp folder on the C: drive if not already available.
  • Create an AzCopy download folder in C:\Temp if not already available.
  • Download the latest AzCopy .msi (Windows) file.
  • Install AzCopy silently without any user interaction.
  • Delete the .msi file after installation.
  • Remove the AzCopy folder.
  • Exit the PowerShell window.

PowerShell script
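The script itself is shown as screenshots in the original post. The following is an added example, not the author's script, that performs the same steps and additionally verifies the Authenticode signature of the downloaded MSI before installing it. It assumes that the placeholder download URL still points at the AzCopy (Windows) MSI; adjust it if needed.

```powershell
# Added example (not the author's script): download the AzCopy MSI, verify its Authenticode
# signature, install it silently and clean up afterwards.
# Assumption: $DownloadUrl points at the current AzCopy (Windows) MSI; adjust if Microsoft moves it.
$DownloadUrl  = 'https://aka.ms/downloadazcopy'
$TempFolder   = 'C:\Temp'
$AzCopyFolder = Join-Path $TempFolder 'AzCopy'
$MsiPath      = Join-Path $AzCopyFolder 'AzCopy.msi'

# Create C:\Temp and C:\Temp\AzCopy if they do not exist yet
foreach ($folder in $TempFolder, $AzCopyFolder) {
    if (-not (Test-Path -Path $folder)) {
        New-Item -Path $folder -ItemType Directory -Force | Out-Null
    }
}

# Force TLS 1.2 for the download; older Windows PowerShell defaults can fall back to TLS 1.0
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $DownloadUrl -OutFile $MsiPath -UseBasicParsing

# Only install a package that carries a valid Microsoft Authenticode signature
$signature = Get-AuthenticodeSignature -FilePath $MsiPath
if ($signature.Status -ne 'Valid' -or
    $signature.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Remove-Item -Path $MsiPath -Force
    throw "Signature check failed for $MsiPath (status: $($signature.Status)); installation aborted."
}

# Silent install: /quiet suppresses the UI, /norestart avoids a surprise reboot
$install = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$MsiPath`" /quiet /norestart" -Wait -PassThru
if ($install.ExitCode -ne 0) {
    throw "msiexec returned exit code $($install.ExitCode)"
}

# Remove the .msi and the download folder, then close the PowerShell window
Remove-Item -Path $MsiPath -Force
Remove-Item -Path $AzCopyFolder -Recurse -Force
exit
```

Run it from an elevated PowerShell session, since msiexec needs administrative rights for a machine-wide install.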

If you prefer you can download the complete script from the TechNet gallery.

More information on how to use AzCopy can be found here.

This concludes this blog post, have fun using AzCopy for moving or copying data to or between storage accounts.

Wim Matthyssen (@wmatthyssen)

Create an Azure Monitor action group with Azure PowerShell

12:40 pm in action groups, automation, Azure, Azure Monitor, Azure PowerShell, beemug by Wim Matthyssen

Azure Monitor, Microsoft’s built-in monitoring service, allows you to monitor and gain more visibility into the state of your resources from a single place in the Azure portal, to help you quickly find and fix problems.

To notify users that an alert has been triggered, Azure Monitor (and also Service Health alerts) uses action groups. This feature allows an owner of an Azure subscription to group a collection of actions to take when an alert is triggered. Owners can create an action group with functions such as sending an email or SMS, as well as calling a webhook and re-use it across multiple alerts. Action groups can be created through the Azure portal, but to automate the process you can also use Azure PowerShell.

In the below example a new action group, called email-ag, is created. To use the script, copy it and adjust it for your own purpose. Save it as .ps1.

You can check all existing action groups in your subscription by running the cmdlet below. In my example the previously created action group email-ag is shown.
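Both the creation of the email-ag action group and the listing of all action groups, as an added example (not the author's script from the post, which is shown as screenshots there). The resource group name, location and e-mail address are placeholders; the cmdlets are from the AzureRM.Insights module the post's era of Azure PowerShell uses.

```powershell
# Added example (not the author's script): create an action group named email-ag with an
# e-mail receiver, then list the action groups in the subscription.
# Assumptions: the resource group name, location and e-mail address are placeholders; replace them.
$ResourceGroupName = 'rg-monitoring'          # placeholder
$Location          = 'westeurope'             # placeholder, only used for the resource group
$ActionGroupName   = 'email-ag'
$ShortName         = 'emailag'                # shown in notifications, max 12 characters
$EmailAddress      = 'ops-team@example.com'   # placeholder

# Log in first if there is no Azure context in this session yet
$ctx = Get-AzureRmContext -ErrorAction SilentlyContinue
if (-not $ctx -or -not $ctx.Account) { Connect-AzureRmAccount | Out-Null }

# Action groups are global resources but still live in a resource group; create it if needed
if (-not (Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
}

# A receiver describes one action taken when an alert fires: here a single e-mail receiver.
# An SMS or webhook receiver is built the same way with -SmsReceiver or -WebhookReceiver.
$emailReceiver = New-AzureRmActionGroupReceiver -Name 'email-ops' `
    -EmailReceiver -EmailAddress $EmailAddress

# Set-AzureRmActionGroup creates the group, or updates it if it already exists
$actionGroup = Set-AzureRmActionGroup -ResourceGroupName $ResourceGroupName `
    -Name $ActionGroupName -ShortName $ShortName -Receiver $emailReceiver
Write-Output "Created or updated action group: $($actionGroup.Id)"

# List every action group in the subscription; email-ag should be among them
Get-AzureRmActionGroup | Format-Table Name, GroupShortName, Enabled
```

Copy the script, adjust the placeholders and save it as a .ps1 file, as the post suggests.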

As mentioned earlier, you can also add, validate or manage action groups through the Azure portal by opening Monitor, selecting Alerts and then Manage action groups. For more information you can check out the documentation page.

Hope the script comes in handy!

Wim Matthyssen (@wmatthyssen)

Azure: Unable to connect to VMs in a peered VNet from P2S VPN

8:50 am in Azure, Azure Networking, Azure virtual network, P2S client, P2S VPN, RDP, VNet peering by Wim Matthyssen

These days, when setting up a greenfield Azure IaaS environment for customers, we use the hub-spoke network topology with shared services. In this topology the hub network is the central point of connectivity and the place to host services that are consumed by the different workloads hosted in the spoke VNets. All spokes are peered with this hub network, which keeps the workloads isolated from each other. Whenever I work remotely on these environments, I mostly use a Point-to-Site (P2S) connection to securely connect to the different VNets from my client devices.

However, last week while deploying a new environment for a customer, I stumbled upon a problem where I couldn’t RDP (over their private IP addresses) to the virtual machines (VMs) in the different spokes. RDP access to the VMs in the hub VNet worked without any issues.

This is caused by the fact that, by design, the P2S client only has routes listed for the address space of the hub VNet (which hosts the Virtual Network Gateway). Even though the hub VNet and the other VNets are connected via peering, the P2S client does not get any routes in its configuration for the VMs in those other VNets. In order for the P2S client to reach all VMs (through for example RDP) located in the peered VNets, a static route for each of these VNets has to be added to the routes.txt file of that specific connection. You can follow the steps below to get this working.

Solution

Open Run, type %appdata% and press Enter.

Open Microsoft – Network – Connections – Cm and select the right connection folder. Next, open the routes.txt file in Notepad (to open just double-click).

Remark

You can also find the correct path to the routes.txt file in the P2S VPN log file. You can open this file by opening your P2S connection and selecting Properties instead of Connect. On the Properties page that opens, select View Log. Search for ActionPath, which will show you the location of the file.

End of remark.

In the opened routes.txt file, add the static routes for the other VNets.

For example:

ADD 10.6.0.0 MASK 255.255.240.0 default METRIC default IF default

ADD 10.7.0.0 MASK 255.255.240.0 default METRIC default IF default

ADD 10.8.0.0 MASK 255.255.240.0 default METRIC default IF default

Save the file, and connect again. You should now be able to RDP to all other VMs in the spoke VNets.
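The same edit done with PowerShell, as an added example that is not part of the original post: it appends one ADD line per spoke VNet in exactly the format shown above, skipping routes that are already present, and derives the MASK from the CIDR prefix length. The connection folder name is a placeholder and the spoke prefixes are taken from the post's example; replace both with your own values.

```powershell
# Added example (not the author's script): append a static route for each peered spoke VNet to
# the routes.txt of the P2S connection, skipping routes that are already there.
# Assumptions: $ConnectionFolder is a placeholder, $SpokePrefixes are the post's example spokes.
$ConnectionFolder = '<ConnectionId>'   # the folder under %appdata%\Microsoft\Network\Connections\Cm
$SpokePrefixes    = '10.6.0.0/20', '10.7.0.0/20', '10.8.0.0/20'

function ConvertTo-SubnetMask {
    # Turn a CIDR prefix length into a dotted-decimal mask, e.g. 20 -> 255.255.240.0
    param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)
    $octets = foreach ($i in 0..3) {
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))   # bits set in this octet
        [int](256 - [Math]::Pow(2, 8 - $bits))
    }
    return ($octets -join '.')
}

function Add-P2SStaticRoute {
    param(
        [Parameter(Mandatory)][string]$RoutesFile,
        [Parameter(Mandatory)][string[]]$Prefix   # spoke VNet address spaces in CIDR notation
    )
    if (-not (Test-Path -Path $RoutesFile)) { throw "routes.txt not found: $RoutesFile" }
    $existing = Get-Content -Path $RoutesFile
    foreach ($cidr in $Prefix) {
        if ($cidr -notmatch '^(\d{1,3}\.){3}\d{1,3}/(\d|[12]\d|3[0-2])$') {
            throw "Not a valid IPv4 CIDR prefix: $cidr"
        }
        $network, $length = $cidr -split '/'
        $mask = ConvertTo-SubnetMask -PrefixLength ([int]$length)
        # Same line format the P2S client already uses for the hub VNet routes
        $line = "ADD $network MASK $mask default METRIC default IF default"
        if ($existing -contains $line) {
            Write-Verbose "Already present, skipping: $line"
            continue
        }
        Add-Content -Path $RoutesFile -Value $line
        Write-Output "Added: $line"
    }
}

$routesFile = Join-Path $env:APPDATA "Microsoft\Network\Connections\Cm\$ConnectionFolder\routes.txt"
Add-P2SStaticRoute -RoutesFile $routesFile -Prefix $SpokePrefixes
```

Disconnect and reconnect the P2S connection afterwards so the client picks up the new routes.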

Hope this helps and for any questions feel free to contact me through my Twitter handle.

Wim Matthyssen (@wmatthyssen)

Configuring VNet peering through the Azure Portal resulted in a Peering Status – Failed

12:19 pm in Azure, Azure Networking, Azure portal, Azure PowerShell, VNet, VNet peering by Wim Matthyssen

Virtual network peering is a mechanism that seamlessly connects two Azure virtual networks (VNets). Once peered, the virtual networks appear as one, and resources can be accessed from both VNets via their private IP Addresses.

While creating a new peering through the Azure Portal, the resulting VNet peering showed a Peering Status of Failed. Deleting the peering also failed. Probably something went wrong in the backend, or the portal got stuck and reported a failure, which resulted in the Failed status. As in most cases when you are troubleshooting Azure issues, Azure PowerShell comes to the rescue.

By running the PowerShell script below (copy and save as .ps1), I was able to update the peering resource using the Get and Set cmdlets, which successfully connected the VNet peering.

PowerShell script
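The author's script is shown as a screenshot in the original post. The following is an added example, not that script, using the Get and Set cmdlets the post refers to (Get-AzureRmVirtualNetworkPeering and Set-AzureRmVirtualNetworkPeering) for both directions of the peering, since a peering only works once both sides report Connected. The resource group, VNet and peering names are placeholders.

```powershell
# Added example (not the author's script): re-apply a VNet peering that the portal left in the
# Failed state by reading it with Get and writing it back unchanged with Set, for both directions.
# Assumptions: the resource group, VNet and peering names below are placeholders; replace them.
$Peerings = @(
    @{ ResourceGroupName = 'rg-hub';   VirtualNetworkName = 'vnet-hub';    Name = 'hub-to-spoke1' }
    @{ ResourceGroupName = 'rg-spoke'; VirtualNetworkName = 'vnet-spoke1'; Name = 'spoke1-to-hub' }
)

# Log in first if there is no Azure context in this session yet
$ctx = Get-AzureRmContext -ErrorAction SilentlyContinue
if (-not $ctx -or -not $ctx.Account) { Connect-AzureRmAccount | Out-Null }

foreach ($p in $Peerings) {
    # Get the current peering object, including its (possibly Failed) state
    $peering = Get-AzureRmVirtualNetworkPeering -ResourceGroupName $p.ResourceGroupName `
        -VirtualNetworkName $p.VirtualNetworkName -Name $p.Name
    Write-Output ("{0}: PeeringState={1} ProvisioningState={2}" -f $peering.Name,
        $peering.PeeringState, $peering.ProvisioningState)

    # Writing the unchanged object back makes Azure re-provision the peering
    $updated = Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $peering
    Write-Output ("{0}: PeeringState={1} after update" -f $updated.Name, $updated.PeeringState)
}

# Both directions must report Connected before traffic flows between the VNets
$states = foreach ($p in $Peerings) {
    (Get-AzureRmVirtualNetworkPeering -ResourceGroupName $p.ResourceGroupName `
        -VirtualNetworkName $p.VirtualNetworkName -Name $p.Name).PeeringState
}
if ($states -ne 'Connected') {
    Write-Warning "Not all peerings are Connected: $($states -join ', ')"
}
```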

I hope the above script comes in handy whenever you face the same issue. Till next time.

Wim Matthyssen (@wmatthyssen)

Unable to RDP to an Azure VM due to a CredSSP Encryption Oracle Remediation error

7:22 pm in Azure, Cloud, CredSSP, Encryption Oracle Remediation, RDP, Remote Desktop Connection, VM, Windows 10 by Wim Matthyssen

After applying some Windows updates on my Windows 10 Version 1803 home PC, I was unable to make a Remote Desktop (RDP) connection to some Microsoft Azure virtual machines (VMs).

When I made an RDP connection, I received the following error message:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

What is CredSSP and why did it cause the error

The Credential Security Support Provider protocol (CredSSP) is a security protocol utilized to process authentication requests for separate applications like RDP. It allows you to securely forward credentials encrypted from the Windows client to the target servers for remote authentication.

Because of a critical vulnerability that has been discovered in CredSSP, which affects all versions of Windows and could allow remote attackers to exploit RDP and WinRM to steal data and run malicious code, Microsoft has released security update(s).
You can find the list of the corresponding KB number(s) for each operating system here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886

In my case, my recently updated Windows 10 PC could not communicate with a non-updated server, because the updated client is not allowed to set up an insecure RDP connection.

Workaround

To solve the error, first of all, I needed to temporarily change the policy settings on my Windows 10 to gain RDP access to the server.

To do so, open Run and execute gpedit.msc to change the settings in the Local Group Policy Editor. Browse to Computer Configuration / Administrative Templates / System. Open Credentials Delegation in the left pane.

Change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable.

You can also use the following PowerShell script to do it in a more automated way: https://gallery.technet.microsoft.com/PowerShell-Workaround-956e0d7e.

Or you can simply use this command line one-liner which can also be run in PowerShell (run as admin):

After this change, I was able to set up an insecure RDP connection to the server(s), where I then installed the missing security update.

After deploying the specific update on the server(s), I was able to connect to it without the error and with the Encryption Oracle Remediation settings reset to the default.

Of course you can also use PowerShell to set everything back to the default (copy and save as .ps1).

Or like before you can simply use a command line one-liner in PowerShell (run as admin):
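Both the temporary workaround and the reset to the default, as an added example that is not the author's TechNet script or one-liner. It writes the same registry value the Encryption Oracle Remediation Group Policy setting writes (AllowEncryptionOracle under the CredSSP\Parameters policy key), and the function and parameter names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not the author's script): set or reset the Encryption Oracle Remediation client
# policy through its registry value. Save as .ps1; run without parameters for the temporary
# workaround and with -Reset once the missing update is installed on the server.
# AllowEncryptionOracle values: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
param(
    [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
    [string]$Level = 'Vulnerable',   # the temporary workaround level from the post
    [switch]$Reset                   # remove the policy value again (back to Not Configured)
)
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

function Get-EncryptionOracleRemediation {
    # Returns the current level name, or 'NotConfigured' when the value is absent
    $levels = @{ 0 = 'ForceUpdatedClients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    return $levels[[int]$item.$ValueName]
}

function Set-EncryptionOracleRemediation {
    param([Parameter(Mandatory)][string]$Level)
    $values = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $values[$Level] -Force | Out-Null
}

function Reset-EncryptionOracleRemediation {
    # Removing the value puts the policy back to Not Configured, i.e. the default behaviour
    if (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName
    }
}

$before = Get-EncryptionOracleRemediation
if ($Reset) { Reset-EncryptionOracleRemediation } else { Set-EncryptionOracleRemediation -Level $Level }
Write-Output "Encryption Oracle Remediation: was $before, now $(Get-EncryptionOracleRemediation)"
```

Keep the Vulnerable level only for as long as the server is unpatched; the reset leaves the client with its default (protected) behaviour.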

This concludes this blog post, hope it helps if you face this error.

Wim Matthyssen (@wmatthyssen)

Azure: Clean up unused, inactive or old directories from your Azure subscription

9:31 am in AAD, Azure, Azure Active Directory, Azure AD, Azure tenant, B2B, Cloud, GDPR, MyApps by Wim Matthyssen

I have been working as an Azure Consultant/Architect for almost 5 years. In those 5 years I set up a lot of Azure IaaS/PaaS environments for different customers. To do the work involved in such a setup, I was mostly invited to their Azure tenant as an admin with my Microsoft account (personal account) or my work account (B2B user). When all the work was done, one thing that was mostly forgotten was to clean up that specific user in Azure Active Directory (AAD), causing that tenant to keep showing up, or even to open as the default directory when logging on to the Azure portal. After a while you could even be unable to accept an invitation to a new tenant, because the maximum of 20 AADs had been reached for that specific account.

Until some time ago, May 14 2018 to be specific, to unlink those lingering directories you had to contact another global admin of the inviting organization to have that account removed from their AAD tenant. Even as an admin you were not able to delete your own guest account. Sometimes, when a lot of time had passed since you last worked for that customer, finding a global admin for that tenant to delete that user could be a lot of work.

Luckily, thanks to Europe’s General Data Protection Regulation (GDPR), this can now be done in a much easier way. A B2B user can now easily leave an organization on their own (self-service leaving), to which he or she has been invited at any time, without having to contact an administrator.

Keep in mind that when a user leaves an organization, the user account is soft deleted in the directory. By default, the user object moves to the Deleted users state in AAD but is not permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions), if the user makes a request to restore the account within that 30-day period.

To leave an organization you can follow the below steps:

Log in with your B2B account at https://myapps.microsoft.com/

When logged in select your name on the access panel in the upper-right corner.

Under Organizations, select the organization you want to leave.

Select your name again in the upper-right corner.

Select Leave organization next to the correct organization.

When asked to confirm, select Leave.

After a while you should receive an email at that specific account, telling you that you left the organization.

Repeat these steps if you need to leave any other organization you are associated with.

Hope this helps, and thanks to my colleague Guido (@ggibens) for pointing me to this new simplified capability.

Wim Matthyssen (@wmatthyssen)

Azure Backup Server: Unprotected servers still showing up in the Azure portal even though their protection was stopped 3 months ago

9:49 am in Azure, Azure Backup, Azure Backup Server, Azure portal, Cloud, Cloud backup, MABS, MABS v2 by Wim Matthyssen

To help protect your hybrid backup setup with an Azure Backup Server (MABS), Microsoft introduced some security features built on three principles: Prevention, Alerting and Recovery. These features are enabled by default for newly created Recovery Services vaults; for existing vaults this link will show you how you can enable them. One of these features, related to recovery, ensures that Azure Backup retains all deleted backup data for 14 days, so you can still recover data using any old or recent recovery point(s).

Some time ago I reconfigured a Protection Group which protected some Hyper-V VMs. Two Domain Controllers (DCs) were taken out of the group and set up to only back up the C drive and the System State. On the MABS server all configuration went well and did not cause any specific issues or errors. However, last week when I was checking the Recovery Services vault used to store the cloud backups, I noticed those two DCs were still showing up in the Backup items overview.

As you can see, those two VMs are still there, with no Disk or Cloud Recovery Points created after the protection was disabled.

To get the issue fixed, I followed some standard steps I always follow when having issues with a MABS. The first one is checking the current Azure Backup Agent version installed on the MABS, which was version 2.0.9109.0. Because there is a newer version available (at the time of writing version 2.0.9118.0), step one was getting that one in place.

To download the latest agent go to your Recovery Services vault blade in the Azure portal. Select Backup and on the Getting Started with Backup blade, select Backup goal. In the drop-down menu(s), select On-premises and Files and folders, click OK. In the Prepare Infrastructure blade, click Download Agent for Windows Server or Windows Client. Save MARSAgentInstaller.exe.

Install the latest agent on the MABS server. After the agent installation completes restart the following service:

Microsoft Azure Recovery Services Management Agent

Although the agent is now at the latest version it still did not fix the protection status of the deleted servers in the Azure portal.

After doing a little more troubleshooting (reading the logs, etc.), I decided to open an Azure support ticket. The support agent who assisted me told me, just like I already suspected, that this is currently the default behavior of the Azure Backup service in some Azure regions (current backend design behavior, as they say). The product team was already aware of this issue and will definitely fix it in a later update.

If you cannot wait for the update, there is a quicker fix for the issue: delete the whole MABS server from the Azure portal and reconnect the server all over again. However, for me and even more for the customer this was a no-go. So, we will wait for the proper backend update, which will hopefully not take that long anymore.

Hope this helps whenever you face the same backup behavior in the Azure portal with your deleted MABS backups.

Wim Matthyssen (@wmatthyssen)

Azure Tip: Use Ctrl+Alt+D to check Azure Portal load times

6:55 pm in Azure, Azure portal, Azure Tip, Cloud, Keyboard shortcut by Wim Matthyssen

The Azure Portal is the go-to place to manage all of your Azure services in one hub. I myself spend a lot of time in the portal to build, deploy, modify and manage customers’ cloud resources. I am sure a lot of you do the same.

But sometimes this portal feels slow without any specific reason and then it is really difficult to find out why. Whenever that is the case there is a keyboard shortcut you can use to check the portal load time of all opened blades.

If you press the keyboard shortcut CTRL + ALT + D you can see the load time and other useful information for every tile.

Pressing CTRL + ALT + D again will remove the portal load information.

Besides this useful keyboard shortcut there are some others you can use specifically for the Azure portal. You can open the Keyboard shortcuts item in the Help menu on the top-right of the portal to see all of these shortcuts.

Hope it helps!

Wim Matthyssen (@wmatthyssen)