Manage your Exchange Online from the Azure Cloud Shell

The Microsoft Exchange product group recently announced that you can now manage Exchange Online via the Azure Cloud Shell.

If you're not familiar with the Azure Cloud Shell, it's basically a browser-based shell experience in the cloud, fully maintained by Microsoft, that you can use to manage your Azure subscriptions and now also Exchange Online.

It's a step towards running automation from anywhere, with minimal to no setup, which to me is one of the next big things coming to us as IT consultants.

I wrote a blog article recently on how to use a multi-factor authentication account to connect to Exchange Online, and what Microsoft just did was to provide the Exchange Online Remote PowerShell module by default in the Azure Cloud Shell. Smart idea, and I bet an awesome quick win for them.

So are there any gotchas?

The quick answer is no major ones, but I still want to point out a few things. The first one is that you need an Azure subscription; otherwise you'll see the error below.

ExShell01

Although many organizations embracing the Microsoft cloud are already using Office 365 AND Azure, some are not. Some just use Office 365, and it's good to point out that if you want to use this new feature, it's time to create that Azure subscription. The only cost of using Azure Cloud Shell is the Azure Storage account it requires (mandatory, to persist your files), which is almost insignificant.

Another smaller thing, but also worth pointing out, is MFA (multi-factor authentication): Microsoft expects you to have MFA enabled across all accounts. I guess that's directly related to the fact that the module you're using is the one for logging in with MFA-enabled admin accounts.

Finally, Microsoft also points out that sessions inactive for more than 20 minutes will be reclaimed. Keep that in mind when you build your automation, or just when you keep your session open for daily work. This is expected behavior for this type of cloud- and container-based shell.

What else should you know?

I am not going to transcribe the article I pointed you to at the top of this post, but I just want to highlight the main takeaways:

  • You can access the Azure Cloud Shell in several different ways, but via the Azure portal (portal.azure.com) or directly via the Shell portal (shell.azure.com) are the two main ones.
  • All Exchange Online cmdlets should be available.
  • RBAC fidelity is intact: your account gets exactly the roles it has in Exchange Online, no more.
  • This does not mean there are plans to decommission the current Exchange PowerShell module (yet?) :)
  • You'll use the Connect-EXOPSSession cmdlet to start the session.
  • Microsoft provides SSO (single sign-on) so you don't have to log in twice (i.e. to the Azure portal and to Exchange Online). Yay!!!
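To make the takeaways above concrete, here is an added example (not code from the original post or from Microsoft) of what a first Cloud Shell session against Exchange Online looks like: it uses Connect-EXOPSSession, reuses an already open session rather than logging in again, drops a session that Cloud Shell has reclaimed after the 20-minute idle timeout, and then verifies the RBAC point by listing the roles the signed-in account actually holds. The UPN is an assumed placeholder.

```powershell
# Added example (not from the original post): connect to Exchange Online from Azure Cloud Shell
# with Connect-EXOPSSession, reuse a healthy session, and reconnect after the idle timeout.
# $adminUpn is an assumption; replace it with your MFA-enabled admin account.
$adminUpn = 'admin@contoso.onmicrosoft.com'

function Connect-ExoIfNeeded {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # The Exchange Online remote session shows up as a PSSession to outlook.office365.com.
    $exoSessions = Get-PSSession | Where-Object { $_.ComputerName -like '*outlook.office365.com*' }

    $open = $exoSessions | Where-Object { $_.State -eq 'Opened' } | Select-Object -First 1
    if ($open) {
        Write-Verbose "Reusing Exchange Online session $($open.Id)"
        return $open
    }

    # Sessions reclaimed after ~20 minutes idle end up Broken or Closed; remove them before reconnecting.
    $exoSessions | Remove-PSSession -ErrorAction SilentlyContinue

    Connect-EXOPSSession -UserPrincipalName $UserPrincipalName
    return Get-PSSession | Where-Object { $_.ComputerName -like '*outlook.office365.com*' } | Select-Object -First 1
}

$session = Connect-ExoIfNeeded -UserPrincipalName $adminUpn
"Connected: session {0} is {1}" -f $session.Id, $session.State

# RBAC check: which Exchange management roles does this account really hold?
Get-ManagementRoleAssignment -RoleAssignee $adminUpn | Select-Object -ExpandProperty Role -Unique | Sort-Object

# A typical first admin task once connected: mailboxes that forward mail outside the mailbox.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

Calling Connect-ExoIfNeeded at the top of every script you paste into Cloud Shell avoids a second MFA prompt while the session is still alive and recovers cleanly once it has been reclaimed.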

And that’s it, enjoy!!!


Use Azure automation to start and stop Virtual Machines

If you have virtual machines in your Azure subscription that don't require 24x7 uptime, this is the blog post for you.

This blog post, where I hope to provide a detailed step by step, is based on the official Microsoft article "Start/Stop VMs during off-hours solution in Azure Automation". I highly recommend that you read that article, since this post is more focused on the execution and not necessarily on a detailed explanation of every component.

So what’s the goal here? To be able to, without human interaction, start and stop virtual machines in your Azure subscription, daily. Cool, right?

Before I continue: in case all you need is to stop virtual machines, you can use a much simpler process by configuring the "Auto-shutdown" option, under the "Operations" section of the virtual machine settings.

autoshut1

But if you need to do both, shut down and boot up machines, then continue reading.

What are the prerequisites to configure this solution?

To be able to configure the solution to start and stop virtual machines, you need the following:

  • An Azure Automation account, created with a Run As account
  • A Log Analytics workspace

You can create those resources when you're enabling the solution, or separately by adding new resources in the "All Resources" tab.

How do I configure the solution?

You have two easy ways of configuring the solution.

Add a new resource in the “All resources” tab

This is the ideal option, especially if you haven't created the Automation account yet.

StartStop00

On the left-hand side menu, browse to "All Resources", click "New" and type "Start/Stop". The solution will pop up for selection. Click "Create".

Via your Azure Automation account

If you already have an automation account created, use it to access the Start/Stop VM solution.

ss07

Browse to the automation account and under “Related Resources” click “Start/Stop VM”. Then click “Learn more about and enable the solution”.

You will end up in the same creation page as shown in the option above.

Configure the solution

The step-by-step configuration of the solution is actually very simple. As noted at the beginning of this post, all you need is to select an automation account and a Log Analytics workspace, and configure the solution details.

startStop01

First you start by selecting an existing Log Analytics workspace or configuring a new one. If you create a new one, all you have to do is give it a name, associate it with a resource group (new or existing), select a location and, for the pricing tier, keep "Per GB".

StartStop02

In the second step, you can select an existing automation account or create a new one. If you create a new one, just pick the name; the resource group and corresponding location will be locked to the ones where the solution is being deployed. The Automation account will also be created with a "Run As Account".

If you created an automation account separately and you can't see it for selection here, it might be because of several things, such as the account not having been created with a "Run As" account (mandatory), or being in a resource group or location that makes it unavailable for this deployment.

StartStop03

Finally you can configure the most important part, which is the solution parameters. Those include the following:

  • Target resource group – Enter the name of the resource group(s) that you want to target. Names are case-sensitive. If you want to target all groups, enter "*". If you want to target multiple groups, use a comma as the separator between group names.
  • VM Exclude List – Use this field to exclude any VMs in your resource group(s) that you don't want the solution to affect. It's important to understand that this solution will by default target the entire resource group, unless you exclude VMs here.
  • Daily Start and Stop Time – select the times at which you want your VMs to be booted up and shut down, every day.
  • Email functionality – if you want to receive an email notification each time an action is taken on a VM (i.e. shutdown), select "Yes" and enter the email address you want the notification sent to (multiple addresses separated by commas).
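To show what those three parameters actually do once the schedule fires, here is an added example, written for this post and not the solution's own runbook: a runbook-style script that takes the same inputs (comma-separated, case-sensitive target resource groups or "*", a VM exclude list, and the action) and starts or deallocates the matching VMs with the Az PowerShell module. It assumes it runs inside an Automation account whose Run As connection has the default name AzureRunAsConnection, or interactively after Connect-AzAccount; the Az cmdlets and default connection name are the assumptions here, since the original solution shipped with the older AzureRM modules.

```powershell
# Added example (not the Start/Stop VMs solution's own runbook): start or deallocate VMs based on
# the solution's parameters, using the Az module.
param(
    [string]$TargetResourceGroups = '*',   # comma-separated, case-sensitive, or '*' for all
    [string]$VMExcludeList = '',           # comma-separated VM names that must never be touched
    [ValidateSet('Start', 'Stop')]
    [string]$Action = 'Stop'
)

function Connect-RunAs {
    # Inside Automation: authenticate with the Run As service principal's certificate.
    # Assumption: the connection asset keeps the default name 'AzureRunAsConnection'.
    $conn = Get-AutomationConnection -Name 'AzureRunAsConnection' -ErrorAction SilentlyContinue
    if ($conn) {
        Connect-AzAccount -ServicePrincipal -TenantId $conn.TenantId -ApplicationId $conn.ApplicationId `
            -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
    }
    elseif (-not (Get-AzContext)) {
        throw 'No Run As connection and no Az context; run Connect-AzAccount first.'
    }
}

function Get-TargetVMs {
    param([string]$TargetResourceGroups, [string]$VMExcludeList)

    $exclude = $VMExcludeList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $vms = if ($TargetResourceGroups.Trim() -eq '*') {
        Get-AzVM
    }
    else {
        $TargetResourceGroups -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
            ForEach-Object { Get-AzVM -ResourceGroupName $_ }
    }
    # -cnotcontains keeps the comparison case-sensitive, like the solution's own matching.
    $vms | Where-Object { $exclude -cnotcontains $_.Name }
}

Connect-RunAs
$targets = Get-TargetVMs -TargetResourceGroups $TargetResourceGroups -VMExcludeList $VMExcludeList

foreach ($vm in $targets) {
    # Instance view carries the power state as a status code such as 'PowerState/running'.
    $state = (Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Status).Statuses |
        Where-Object { $_.Code -like 'PowerState/*' } | Select-Object -ExpandProperty Code

    switch ($Action) {
        'Stop' {
            if ($state -ne 'PowerState/deallocated') {
                Write-Output "Deallocating $($vm.ResourceGroupName)/$($vm.Name) (was $state)"
                Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force | Out-Null
            }
        }
        'Start' {
            if ($state -ne 'PowerState/running') {
                Write-Output "Starting $($vm.ResourceGroupName)/$($vm.Name) (was $state)"
                Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name | Out-Null
            }
        }
    }
}
```

Stop-AzVM without -StayProvisioned deallocates the VM, which is what actually stops compute billing; a VM that is merely "stopped" from inside the guest keeps costing money. Schedule this twice in the Automation account, once with -Action Start and once with -Action Stop, to mirror the daily start and stop times.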

How do I check if it worked?

Browse to your Automation account and go to "Process Automation > Jobs".

SS10

Click on the latest job to see more details.

ss11

You can browse between tabs to check the details of the job execution. Pay special attention to the "All Logs" tab, where you can see the actions executed and the number of errors and warnings.

The bottom line

Personally, I love this solution. It’s easy to deploy and saves me a ton of my Azure monthly credit.

You can go beyond what I showed you in this post and manually edit the schedule details, to do things like set an end date for the job. This turnkey Azure solution is not extremely flexible (it targets entire resource groups, it's tricky to specify exceptions in resource groups with a large number of VMs, and it's designed for daily boot-up and shutdown actions only), but it's very useful. 5 stars!!

Use it and give your own opinion. As always, any questions let me know.

Azure automation error “Client assertion contains invalid signature” – Time to renew your Automation account certificate

I was just recently playing with some Azure runbooks and noticed that one of my automation accounts, that I had selected to execute some of that automation, wasn’t working properly.

I had a Virtual Machine scheduled to boot at a specific time and that wasn’t happening. So this was what I did to troubleshoot it.

autoerror01

In the Azure portal, I went to "All Resources", filtered by "Automation Accounts" and clicked on the Automation account that was supposed to be running that runbook.

autoerror02

I was able to immediately see that something wasn't OK: as you can see above, the automation account is showing that the certificates for both the "Run As Account" and the "Classic Run As Account" are expired. Nevertheless, the job statistics are telling me that 4 jobs were run, all with success. Odd, right? So let's investigate further.

autoerror03

In the Automation account menu I went to "Process Automation > Jobs", to try and understand which jobs were executed. As you can see, the 4 jobs are there, but were they executed successfully?

autoerror04

I clicked on one of the jobs. The status was "Completed", but browsing to the "Errors" tab you could easily see it had failed. "Client assertion contains an invalid signature" was the error: the runbook's Connect-AzureRmAccount call was presenting a token signed with the expired Run As certificate, so Azure AD rejected the login and everything after it never ran.

So let's jump to the quick fix: renew the automation account certificates.

autoerror05

Back on the automation account overview page, I clicked the link to resolve the issue and renewed both certificates.

And that’s it, problem solved.

Lessons learned: make sure your automation account is functional, and don't blindly trust the job statistics shown in the portal. A job status of "Completed" only means the runbook ran to the end; it says nothing about the errors it logged on the way.
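Since both this post and the "How do I check if it worked?" section of the Start/Stop VMs post come down to the same two checks, here is an added example (not from the original posts) that does them from PowerShell with the Az.Automation module: it reports how long the Run As certificate has left, and it walks the recent jobs pulling their Error stream, so a job that says "Completed" but logged "Client assertion contains an invalid signature" shows up instead of hiding behind the green counter. The resource group and account names are assumed placeholders, and AzureRunAsCertificate is the default asset name a Run As account creates.

```powershell
# Added example (not from the original post): audit Run As certificate expiry and job error streams.
# Resource names are assumptions; replace them with yours.
$resourceGroup     = 'rg-automation'
$automationAccount = 'aa-startstop'
$lookBackDays      = 7

function Get-RunAsCertificateStatus {
    param([string]$ResourceGroupName, [string]$AutomationAccountName)
    # 'AzureRunAsCertificate' is the default certificate asset created with a Run As account.
    $cert = Get-AzAutomationCertificate -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name 'AzureRunAsCertificate'
    $nowUtc = (Get-Date).ToUniversalTime()
    [pscustomobject]@{
        Name       = $cert.Name
        ExpiryTime = $cert.ExpiryTime
        DaysLeft   = [int]($cert.ExpiryTime.UtcDateTime - $nowUtc).TotalDays
        Expired    = $cert.ExpiryTime.UtcDateTime -lt $nowUtc
    }
}

function Get-JobsWithErrors {
    param([string]$ResourceGroupName, [string]$AutomationAccountName, [int]$Days)
    $since = (Get-Date).AddDays(-$Days)

    Get-AzAutomationJob -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName |
        Where-Object { $_.StartTime -and $_.StartTime -ge $since } |
        ForEach-Object {
            $job = $_
            # The Error stream is what the portal's "Errors" tab shows; Status alone is not enough.
            $errors = @(Get-AzAutomationJobOutput -ResourceGroupName $ResourceGroupName `
                -AutomationAccountName $AutomationAccountName -Id $job.JobId -Stream Error)
            [pscustomobject]@{
                Runbook    = $job.RunbookName
                JobId      = $job.JobId
                StartTime  = $job.StartTime
                Status     = $job.Status          # can read 'Completed' even when errors were logged
                ErrorCount = $errors.Count
                FirstError = if ($errors.Count) { $errors[0].Summary } else { '' }
            }
        }
}

$certStatus = Get-RunAsCertificateStatus -ResourceGroupName $resourceGroup -AutomationAccountName $automationAccount
$certStatus | Format-List
if ($certStatus.Expired -or $certStatus.DaysLeft -lt 30) {
    Write-Warning "Run As certificate expires in $($certStatus.DaysLeft) days; renew it from the account overview page."
}

Get-JobsWithErrors -ResourceGroupName $resourceGroup -AutomationAccountName $automationAccount -Days $lookBackDays |
    Where-Object { $_.ErrorCount -gt 0 } | Format-Table -AutoSize
```

Running this on a schedule (or as a runbook of its own, ideally in a different Automation account so an expired certificate cannot silence the check) turns the "don't trust the job statistics" lesson into an alert rather than something you notice when a VM fails to boot.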

Goodbye 16-character limit for Azure AD passwords

Finally, the change many were waiting for. The password length limit in Azure AD just went up from 16 to 256 characters and is now more in line with the on-premises AD limits.

Is there any immediate impact for the end user?

Not really. Apart from the fact that they will now be allowed to set longer passwords (and you should make them aware of that), there should be no impact from the end-user perspective.

What about IT administrators and any external app that leverages Azure AD for integration?

The only thing you'll probably need to be aware of, before you start changing those service account passwords to 200+ character passwords (in the name of maximum security), is whether your printer or your third-party app that interacts directly with Azure AD or Office 365 can handle such long passwords. Some devices and apps truncate or reject long passwords, so test one account first. Be careful with that and you should be fine! :)


Manage and forecast your Microsoft Azure spending

“Keep our Azure spending under control” is something that IT administrators and IT consultants hear very often. So how important is it to forecast and control that spending?

In my opinion, it's extremely important, and apparently Microsoft shares that opinion, which is probably one of the several good reasons that led them to acquire the Israeli cloud startup Cloudyn.

Since the acquisition, in June 2017, Microsoft has had the Cloudyn service available through the Azure portal, but the end goal seems to be to fully replace Cloudyn with Azure Cost Management, by integrating all its features and functionality.

Basically, Microsoft is moving all Cloudyn cost management features from the Cloudyn portal into the Azure portal. Below you have an outline of what to use when, which you can and should read in the "What is the Cloudyn service?" article.

Forecast1

As you can see above, Microsoft recommends Azure Cost Management for most offers and features.

It's important to note that today (this blog post was written in May 2019), Microsoft CSP subscriptions are still in the process of being moved from Cloudyn to Azure Cost Management. That also means that Azure Cost Management currently only supports Enterprise Agreements, pay-as-you-go and MSDN subscriptions.

It's also important to note that today you can only register with Cloudyn if you're in the Microsoft CSP program.

Forecast2

Now that you have some context on the ongoing transition, let's talk about my favorite Azure cost management feature: forecasting.

For those that still have access to Cloudyn, the “Forecast future spending” tutorial is a great read and will allow you to build your reports.

If you want to use an API directly, for example to pull forecast information into your own portal, you can use the Forecast API that Microsoft makes available.

Finally, if you haven’t already, go through this learning module that will teach you how to Predict Costs and optimize spending for Azure.
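To show the idea behind a spend forecast without depending on Cloudyn or the Forecast API, here is an added example (not from the original post, and not how Cost Management computes its forecasts): it sums the subscription's month-to-date usage with Get-AzConsumptionUsageDetail from the Az.Billing module, extrapolates the daily run rate to the end of the month, and lists the resources driving the cost so far. It assumes an Az context is already set with Connect-AzAccount and that the usage detail records expose PretaxCost, InstanceName and Currency; those property names are the assumption to check in your module version.

```powershell
# Added example (not from the original post): a run-rate month-end forecast from usage details.
# Assumes Connect-AzAccount has been run and that usage details expose PretaxCost/InstanceName/Currency.
function Get-MonthEndForecast {
    param([datetime]$Today = (Get-Date))

    $monthStart  = Get-Date -Year $Today.Year -Month $Today.Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $daysInMonth = [datetime]::DaysInMonth($Today.Year, $Today.Month)
    $daysElapsed = [math]::Max(1, [int][math]::Floor(($Today - $monthStart).TotalDays))

    # Usage details arrive per meter per day; summing PretaxCost gives month-to-date spend before tax.
    $usage = @(Get-AzConsumptionUsageDetail -StartDate $monthStart -EndDate $Today)
    $spent = ($usage | Measure-Object -Property PretaxCost -Sum).Sum
    if (-not $spent) { $spent = 0 }

    $dailyRate = $spent / $daysElapsed      # linear run rate; ignores weekends and one-off charges

    [pscustomobject]@{
        Currency         = if ($usage.Count) { $usage[0].Currency } else { 'n/a' }
        DaysElapsed      = $daysElapsed
        DaysInMonth      = $daysInMonth
        MonthToDate      = [math]::Round($spent, 2)
        DailyRunRate     = [math]::Round($dailyRate, 2)
        ForecastMonthEnd = [math]::Round($dailyRate * $daysInMonth, 2)
    }
}

function Get-TopCostDrivers {
    param([int]$Top = 5, [datetime]$Today = (Get-Date))

    $monthStart = Get-Date -Year $Today.Year -Month $Today.Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    Get-AzConsumptionUsageDetail -StartDate $monthStart -EndDate $Today |
        Group-Object -Property InstanceName |
        ForEach-Object {
            [pscustomobject]@{
                Resource = $_.Name
                Cost     = [math]::Round(($_.Group | Measure-Object -Property PretaxCost -Sum).Sum, 2)
            }
        } |
        Sort-Object -Property Cost -Descending |
        Select-Object -First $Top
}

Get-MonthEndForecast | Format-List
Get-TopCostDrivers | Format-Table -AutoSize
```

A linear run rate is deliberately crude: it over-forecasts after a burst of lab activity and under-forecasts if a reserved-instance or support charge lands at month end. It is still a useful sanity check against the number Cost Management shows, and the top-cost-drivers list is usually where the candidates for the Start/Stop VMs solution come from.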

There are so many different things you can do in terms of cost analysis, forecasting and cost management in Azure. Hopefully this post gives you a high-level overview and some resources to start from. Stay tuned for more information in future blog posts.


Azure Friday – the weekly videos you should not miss

If you're ramping up your Azure skills, are an experienced Azure consultant, administer Azure daily, or simply like to learn more about Microsoft Azure technology, then you should dedicate a few minutes per week to the Microsoft Azure Friday videos.

Videos usually run around 10 to 15 minutes and include demos and/or very detailed explanations of new or existing services, as well as insight from the Azure product groups.

It's very common to see Microsoft publishing multiple videos per week; some are extremely detailed and complex, and some are more high level.

You can subscribe to it or add it to your calendar to make sure you don't miss it.

Apply best practices with the Microsoft Azure Advisor service

Microsoft Azure has a free, personalized recommendations service for applying Azure best practices, called Azure Advisor. If you haven't heard about it or used it before, you should start now.

Microsoft describes the Azure Advisor as a “…personalized cloud consultant that helps you follow best practices to optimize your Azure deployments…”, in this excellent article, where you can read all about it.

The Advisor will give you recommendations for 4 categories:

  • High Availability
  • Security
  • Performance
  • Cost

Let's take a quick look at how you can implement those recommendations. Below you can see the main Advisor page of my Azure subscription, which you can access from the bottom-left menu option "Advisor".

adv1

In my case it's showing me recommendations for both High Availability and Security. If I click on the security recommendations, you'll see that one of them concerns Azure Storage accounts.

adv2

2 of my 3 storage accounts have non-recommended security settings regarding secure transfer: they still accept unencrypted HTTP requests because "Secure transfer required" is disabled.

adv3

And finally I can see how exactly those settings should be adjusted.
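The same walk-through from PowerShell, as an added example (not from the original post): it pulls the Security category from Advisor with the Az.Advisor module, finds every storage account in the subscription whose EnableHttpsTrafficOnly flag is off (the "secure transfer" finding shown above), and flips the flag on. It assumes an Az context is already set; the Advisor recommendation property names (Impact, ShortDescription.Problem, ResourceId) are the assumption to double-check against your module version.

```powershell
# Added example (not from the original post): list Advisor security findings and remediate
# storage accounts that still allow plain HTTP. Assumes Connect-AzAccount has been run.

function Get-AdvisorSecurityFindings {
    # Advisor categories: HighAvailability, Security, Performance, Cost
    Get-AzAdvisorRecommendation -Category Security |
        Select-Object @{ n = 'Impact';   e = { $_.Impact } },
                      @{ n = 'Problem';  e = { $_.ShortDescription.Problem } },
                      @{ n = 'Resource'; e = { $_.ResourceId } }
}

function Get-InsecureTransferStorageAccounts {
    # EnableHttpsTrafficOnly = $false is the portal's "Secure transfer required: Disabled".
    Get-AzStorageAccount |
        Where-Object { -not $_.EnableHttpsTrafficOnly } |
        Select-Object StorageAccountName, ResourceGroupName, EnableHttpsTrafficOnly
}

function Enable-SecureTransfer {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$StorageAccountName
    )
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
        -EnableHttpsTrafficOnly $true |
        Select-Object StorageAccountName, EnableHttpsTrafficOnly
}

Get-AdvisorSecurityFindings | Format-Table -AutoSize

$insecure = @(Get-InsecureTransferStorageAccounts)
"{0} storage account(s) still allow HTTP" -f $insecure.Count
$insecure | Format-Table -AutoSize

# Remediate. Caveat: once enforced, clients that still use http:// (or SMB without encryption
# against Azure Files) start failing, so check the account's request logs for HTTP traffic first.
foreach ($sa in $insecure) {
    Enable-SecureTransfer -ResourceGroupName $sa.ResourceGroupName -StorageAccountName $sa.StorageAccountName
}
```

Advisor refreshes its recommendations on its own schedule, so the finding may stay visible for a while after the fix; Get-InsecureTransferStorageAccounts returning nothing is the immediate confirmation.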

Other very useful articles to learn more about the Azure Advisor:

There's no additional cost to take advantage of the Advisor recommendations. So, as I said before, just get started!!

My first experience with the Azure mobile app

Just like the vast majority of my posts, this one is also based on a real-life experience.

While on holiday I forgot to prepare an Exchange Server lab for a coworker, to test some scripting. As an Exchange MCM (Microsoft Certified Master), a large percentage of my work is still around Exchange, and I do have multiple labs with multiple versions, but they all have one thing in common: they live on Azure and they don't have 100% uptime, to save on cost.

So I decided to execute the few steps to prepare the lab, which involved not much more than booting up some virtual machines, from the Microsoft Azure mobile app, while enjoying the sun on an amazing beach! :)

The first thing that I did was download the app.

Note: I have an iPhone so all my experience is based on the Apple version of the app

My first impression of the app was that it’s basic but for simple tasks (like mine of booting up my lab), it gets the job done.

There are two main sections you should consider, when you open the app.

In the top left you can:

  • Add accounts
  • Switch between subscriptions
  • Edit your account settings

In the top right you can filter per service or resource type.

In the example I’ve filtered just to see my virtual machines.

Continuing with the virtual machine example, you’ll be able to see details like activity log, metrics, resource health, virtual machine power state and all main properties.

You'll also be able to easily execute the most common virtual machine actions, that being start/stop, restart and connect, from a handy action ribbon at the bottom of the app (as shown above), when you have the virtual machine selected.

In summary, for most resources you'll be able to at least check the activity log and the properties, but the actions you can perform are, in general, limited. I won't enumerate them one by one, but another example, in addition to the virtual machine actions above, would be editing access permissions on a storage account.

Nevertheless, I do rate this app and highly recommend you use it, as it's amazing for basic actions and very complete for monitoring purposes.

Kudos to the WordPress app as well, since I decided to write this blog post using the WordPress mobile app, while still sitting on the beach! ;)

Allow external RDP to your newly created Azure VM

One of the first things you do, after you create your new Azure virtual machine, is remote desktop into it.

Depending on the type of Azure environment you have, you might want to define the best access policy for the virtual machines, determining for example whether you need to be connected to a corporate VPN network or not.

In my example, my Azure subscription is used for testing and therefore I will allow external access to my virtual machine.

It's also important to understand that, to give remote desktop access to the virtual machine, what you need to configure are inbound port rules in the network security group (NSG) attached to the VM's network interface or subnet. No rule, no connection: a new NSG denies all inbound traffic from the Internet by default.

You have three options when it comes to configuring security access policies to a new Virtual Machine.

Option 1: Select the ports you want open, during the virtual machine creation

This is the simplest option, unless you want to keep things organized and manageable by using the same network security group for multiple virtual machines (see option 3).

When creating the virtual machine, in the main "Basics" tab you should see a section called "Select inbound ports", once you have chosen "Allow selected ports" right above it.

InboundPorts01

All you have to do is select the ports that you want to open, for example 443, 25 and 3389 for an Exchange Server, and the new network security group will be configured automatically. Note that rules created this way allow those ports from any source address.

Option 2: Create a new virtual machine with default settings. Once the VM is created edit the newly created Network Security Group.

This is the option you should follow in case you either forgot or chose not to follow the option above, and you didn't select an existing, already configured network security group during the virtual machine creation.

A newly created network security group should have the following inbound port rules by default:

NSG01

And what you need to do is add an inbound port rule.

You can do it via the Azure portal by going to the virtual machine, then the "Networking" section under Settings, and clicking "Add inbound port rule" under the corresponding tab.

You can also go directly to the network security group (under all resources) and then the inbound security rules under settings and clicking “Add”.

NSG02


The above is how the inbound rule should look. You can click the "Basic" button in the top left to select from an existing service template. There's an excellent article on how to open ports to a virtual machine with the Azure portal that you might also look at for additional details.

Option 3: Create a new Network Security group and select it when creating the new virtual machine.

The other, more advanced option is to create a network security group and reuse it for multiple virtual machines when you create them. That way you won't have a unique security group per virtual machine, and you won't have to keep opening one or more services for those virtual machines each time you create a new one.

I won’t go into details on how to create the network security group. For that just follow the official guidance on the link above.

Once you have your group created and upon creation of the new Virtual Machine, make sure you select it, instead of the default option to create a new one.

InboundPorts02

When creating the virtual machine, in the "Networking" tab, select "Advanced" under "NIC network security group" and then select an existing security group.

And that's it. It's a very simple process and one you need done if you want to start accessing those virtual machines or publishing services like HTTPS or SMTP. Hopefully after reading this post you understand the several options you have.

All of the above can of course be done via PowerShell, but to keep this post as simple as possible, I've used the portal.

Note: I want to make clear that you should not allow unrestricted Internet access to your virtual machine, unless it's a test machine with no sensitive data on it. Even in those cases you can easily set the source address or range of addresses for that inbound port rule, and you should: an RDP port open to the whole Internet gets brute-forced within hours.
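For those who prefer the PowerShell route, here is an added example (not from the original post) with the Az.Network module: it creates an NSG whose only inbound allow rule permits RDP from a single admin address, attaches it to an existing VM's network interface (the reusable-NSG approach of option 3), and then audits every NSG in the subscription for rules that expose 3389 to any source, which is the check the note above calls for. The resource group, location, NSG and NIC names are assumptions, and the source IP is a documentation-range placeholder to replace with your own public address.

```powershell
# Added example (not from the original post): RDP restricted to one source IP, NSG attached to a NIC,
# and an audit for RDP exposed to the whole Internet. Names and IP below are assumptions.
$resourceGroup = 'rg-lab'
$location      = 'westeurope'
$nsgName       = 'nsg-exchange-lab'
$nicName       = 'ex01-nic'           # NIC of the VM that needs RDP
$mySourceIp    = '203.0.113.10/32'    # TEST-NET-3 placeholder; use your own public IP

function New-RdpRestrictedNsg {
    param([string]$ResourceGroupName, [string]$Location, [string]$Name, [string]$SourcePrefix)

    # Lower priority number wins. Only 3389 from $SourcePrefix is allowed; everything else from the
    # Internet falls through to the built-in DenyAllInBound rule, so no explicit deny is needed.
    $rdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' -Description 'RDP from admin IP only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
        -SourceAddressPrefix $SourcePrefix -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389

    New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Location $Location -Name $Name -SecurityRules $rdp
}

function Set-NicNsg {
    param([string]$ResourceGroupName, [string]$NicName, $Nsg)
    $nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName
    $nic.NetworkSecurityGroup = $Nsg
    $nic | Set-AzNetworkInterface | Out-Null
}

function Find-InternetExposedRdp {
    # Flags custom Allow/Inbound rules whose source is "anyone" and whose port range covers 3389.
    $anySource = @('*', '0.0.0.0/0', 'Internet')
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }

            $srcOpen  = @($rule.SourceAddressPrefix | Where-Object { $anySource -contains $_ }).Count -gt 0
            $portOpen = @($rule.DestinationPortRange | Where-Object {
                $_ -eq '*' -or $_ -eq '3389' -or
                ($_ -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 3389 -and [int]$Matches[2] -ge 3389)
            }).Count -gt 0

            if ($srcOpen -and $portOpen) {
                [pscustomobject]@{
                    NSG           = $nsg.Name
                    ResourceGroup = $nsg.ResourceGroupName
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Source        = ($rule.SourceAddressPrefix -join ',')
                    Ports         = ($rule.DestinationPortRange -join ',')
                }
            }
        }
    }
}

$nsg = New-RdpRestrictedNsg -ResourceGroupName $resourceGroup -Location $location -Name $nsgName -SourcePrefix $mySourceIp
Set-NicNsg -ResourceGroupName $resourceGroup -NicName $nicName -Nsg $nsg

# Anything listed here is RDP reachable from the whole Internet and should get a source restriction.
Find-InternetExposedRdp | Format-Table -AutoSize
```

The audit only inspects custom rules (SecurityRules), since the default rules never allow Internet traffic in. If the portal's "Select inbound ports" option was used at VM creation, the rule it generated will show up in this list with Source "*", which is exactly the case the note above warns about.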