Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: No more limits: simpler server onboarding for large deployments
Source: Azure Arc
Author: Ryan Willis
Publication Date: February 3, 2023
Content excerpt:
Starting today, there's no limit to the number of Azure Arc-enabled servers you can add to a resource group! We listened to your feedback and understood that the previous limit of 5,000 servers per resource group didn't always align with your existing organizational schemes for hybrid and multicloud servers.
Title: Codename Project Bose: Calculate Azure Cost of an Enterprise by cost centers, divisions, projects
Source: Azure Architecture
Author: Pranab Paul
Publication Date: February 13, 2023
Content excerpt:
While working on various customer and partner facing roles, I felt the necessity of a simple and flexible solution to align Azure Cost to the customer’s organizational structure. “Project Bose” is a fully operational prototype derived from the same thought process. This is a side project I am working on during my leisure time. I found various customers derived similar solutions in-house, and there are ISV solutions as well. But there are a few fundamental differences between “Project Bose” and all the other solutions I found. “Project Bose” has a flexible backend and hence any changes in organizational structure can easily be implemented on it without disruption. It is also independent of using Resource Tags, which gives it the opportunity to remain non-vulnerable to erroneous values injected intentionally or non-intentionally by IT-Ops.
Title: Optimize Azure Kubernetes Service Node Cost by Combining OnDemand And Spot VMs
Source: Azure Architecture
Author: Prakash P
Publication Date: February 24, 2023
Content excerpt:
While it's possible to run the Kubernetes nodes either in on-demand or spot node pools separately, we can optimize the application cost without compromising the reliability by placing the pods unevenly on spot and OnDemand VMs using the topology spread constraints. With a baseline number of pods deployed in the OnDemand node pool offering reliability, we can scale on the spot node pool based on the load at a lower cost.
Title: Azure Automation Run As accounts retiring on 30 September 2023
Source: Azure Governance and Management
Author: Nikita Bajaj
Publication Date: February 16, 2023
Content excerpt:
On 30 September 2023, Azure Automation will retire Run As accounts and completely move to Managed identities. All runbook executions using Run As accounts, including Classic Run As accounts, will not be supported after this date. Moreover, starting 1 April 2023, creation of new Run As accounts in Azure Automation will not be possible. Renewal of certificates for existing Run As accounts will be possible only until the end of support.
To ensure you are using a supported authentication method, you must migrate all your runbooks to Managed Identities.
Title: Azure portal January 2023 updates
Source: Azure Governance and Management
Author: Allison Cordle
Publication Date: February 24, 2023
Content excerpt:
Virtual Machines > Virtual Machine Scale Sets
Let's look at each of these updates in greater detail.
Title: Unleash your infrastructure aptitude with our skilling programs
Source: Azure Infrastructure
Author: Lanna Teh
Publication Date: February 21, 2023
Content excerpt:
The technical nature of cloud infrastructure involves components such as virtualization, software as a service (SaaS), storage systems, networking technologies, databases, serverless computing services, and more. As these technologies continue to evolve and become more integrated, it’s increasingly important for companies to understand how they work in order to maximize the potential benefits.
Title: Azure VMware Solution - February 2023 - What's New Update
Source: Azure Migration and Modernization
Author: Amy Colyer
Publication Date: February 8, 2023
Content excerpt:
We are thrilled to announce the February 2023 updates for Azure VMware Solution. A variety of new and highly anticipated features such as Customer Managed Key, Azure NetApp Files and Stretched Clusters are now available. Read on to explore more.
Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure.
Title: Deploy Arc for Azure VMware Solution Simply Using PowerShell
Source: Azure Migration and Modernization
Author: Trevor Davis
Publication Date: February 10, 2023
Content excerpt:
What is Arc for Azure VMware Solution? Simply put, it exposes your Azure VMware Solution resources (VMs, networks, datastores, etc.) to the Azure portal.
Using Arc for Azure VMware Solution, those resources can be managed via the Azure portal, even though they are within your vSphere cluster running in an Azure datacenter. Even better, there is no cost to deploy Arc for Azure VMware Solution.
Title: New Azure DDoS Solution for Microsoft Sentinel
Source: Azure Network Security
Author: Saleem Bseeu and Amir Dahan
Publication Date: February 2, 2023
Content excerpt:
Cybercriminals demonstrate increasingly sophisticated tactics, using DDoS attacks as a multi-purpose tool. While DDoS attacks are commonly used to take down critical systems, applications, and infrastructure, they also serve adversaries for extortion and political or ideological motives. The crown jewel is using DDoS attacks as a smokescreen to conceal data breaches while the attention is directed to the attack. By overwhelming the targeted website or application with a large amount of traffic, the attackers can exploit vulnerabilities and steal sensitive information.
Title: Common causes of SSL/TLS connection issues and solutions
Source: Azure PaaS
Author: Jason Cao
Publication Date: February 1, 2023
Content excerpt:
In the TLS connection common causes and troubleshooting guide (microsoft.com) and TLS connection common causes and troubleshooting guide (microsoft.com), the mechanism of establishing SSL/TLS and the tools to troubleshoot SSL/TLS connections were introduced. In this article, I would like to introduce 3 common issues that may occur when establishing an SSL/TLS connection and the corresponding solutions for Windows, Linux, .NET and Java.
Title: Protect Your Data in Azure to Be Ready to Recover
Source: Azure Storage
Author: vmiss33
Publication Date: February 13, 2023
Content excerpt:
We have heard a lot of buzz about the cloud over the last several years as more and more organizations begin to move existing workloads to the cloud, or deploy new ones there. One thing that can sometimes be overlooked is data protection in the cloud.
Title: Azure HPC Cache Updates: New Caching Option, Discounted Pricing, and More!
Source: Azure Storage
Author: Kiana Harris
Publication Date: February 21, 2023
Content excerpt:
We’re excited to announce the preview of Azure HPC Cache Premium Read-Write. This next generation of premium caching for high-performance computing workloads is designed to provide high-bandwidth and low-latency access to files. Azure compute clients are provided with read and write performance like what they would experience from a local NVMe drive.
Title: Cost Optimization options for unattached Azure Managed Disks
Source: Azure Storage
Author: Ali Jafry
Publication Date: February 24, 2023
Content excerpt:
Users often find themselves in a situation where they have managed disks in one or more subscriptions that are no longer attached to a Virtual Machine (VM). These disks may have been attached to a VM in the past that has now either been deleted, or these disks were detached from the VM for some other reason. The user would continue to pay for these unattached disks, whether they need them or not.
Title: Reducing the size of Windows Server Container Images – Part 2
Source: Containers
Author: Akarsh Mishra
Publication Date: February 14, 2023
Content excerpt:
Previously we announced our first major step in reducing the size of the Windows Server Container images by ~40%. Today, we are pleased to announce our next step in this direction by making our delta layers 60-80% smaller while reducing total image size by about 40% as part of the February 2023 release.
Title: NetDevOps on Azure
Source: Core Infrastructure and Security
Author: Andre Pereira
Publication Date: February 1, 2023
Content excerpt:
With every company, across every industry, digitally transforming, tons of modern applications are built at an unprecedented pace and speed, and all rely on the underlying network infrastructure.
Networking enables application components to communicate with each other, their dependencies, other applications (usually through APIs) and their consumers.
To gain abstraction and velocity, more and more organizations are moving from traditional datacentre networks into cloud networks, adopting a wide variety of cloud networking services. NetDevOps comes to the rescue, as an agile approach to help you accelerate your Azure networking deployments and operations.
But before delving into this approach, let’s briefly describe what is in its genesis – DevOps – and understand some of its benefits.
Title: How to Manage Microsoft Defender Policies with Intune on Non-Managed Devices
Source: Core Infrastructure and Security
Author: Atil Gurcan
Publication Date: February 3, 2023
Content excerpt:
From the endpoint security management architecture perspective, this scenario fills the gap of managing endpoint security features on unmanaged devices. For Intune managed devices, either cloud-only or co-management scenarios provided the endpoint security management capabilities. Also, Intune and Configuration Manager integration provided similar management capabilities for on-prem (ConfigMgr) managed devices.
Finally, security configuration enforcement integration between MDE and Intune helps security teams to use the same admin interface – Intune console – to deploy Security policies to the devices that are enrolled to MDE only.
Title: ConfigMgr Collection Evaluation Analysis The Easy Way
Source: Core Infrastructure and Security
Author: Jonas Ohmsen
Publication Date: February 6, 2023
Content excerpt:
About a year ago multiple customers asked me to analyze their collection evaluation process. Mostly to see if there is anything we could optimize and to speed up the evaluation process overall.
In the past I used CEViewer, some SQL queries and the total evaluation time as my tools to analyze the process. But since CEViewer was and is no longer supported, I was looking for a different approach.
While the individual evaluation times and the evaluation-queue information in the ConfigMgr console are helpful, I was looking for a method to analyze the evaluation process over a longer period.
The best way to see historical evaluation information is the data written to CollEval.log.
So, I sat down and wrote a slightly overengineered PowerShell script to make the information from CollEval.log more readable.
Even though the topic is not new anymore, I thought I would share the script and explain a bit what you can do and see with it.
Title: Introduction to Network Trace Analysis 3: TCP Performance
Source: Core Infrastructure and Security
Author: Will Aftring
Publication Date: February 8, 2023
Content excerpt:
Hello everyone, we are back with TCP performance. If you are reading this post I am going to assume you have read the previous post Introduction to Network Trace Analysis 2: Jumping into TCP Connectivity.
There are a ton of caveats and “yes but…”s when these things are considered in the context of virtualization and offloading. I’ll save that can of worms for another post.
So let’s get going.
Title: What is an Azure Load Balancer?
Source: Core Infrastructure and Security
Author: Cary Roys
Publication Date: February 13, 2023
Content excerpt:
A lot of folks who are new to Azure assume that load balancers in Azure are logically equivalent to load balancers in their on-premises data centers. These load balancers are typically a device (sometimes a VM) which functions as a special-purpose router, using some method of determining if the back-end machines are healthy, and some load distribution algorithm. The traffic actually traverses the device, meaning hitting the performance limits of the load balancer could lead to failing requests.
Title: Sorry, OneDrive can’t add your folder right now
Source: Core Infrastructure and Security
Author: Dave Guenthner
Publication Date: February 15, 2023
Content excerpt:
The customer observed that the OneDrive client failed to start with the following notification, “Sorry, OneDrive can’t add your folder right now,” which delivered a diminished user experience and overall W365 value proposition. While the user could access their OneDrive data from the browser, they were unable to synchronize content to the local machine.
Title: Accessing Microsoft Graph Data with Powershell
Source: Core Infrastructure and Security
Author: Mike Resnick (CSA)
Publication Date: February 16, 2023
Content excerpt:
Hi, Mike Resnick here. As the Azure AD Graph and Azure AD PowerShell modules are heading for a well-deserved retirement, I’m fielding a lot of similar “How to” questions around Azure based process automation and Microsoft Graph.
Based on these conversations and automations I helped create for our clients, I put together a list of methods for accessing Microsoft Graph with a brief description of each and where to use them.
Title: Monitoring Storage Replication - Part 1
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: February 17, 2023
Content excerpt:
We all know how frustrating it can be to receive a call about a storage account not replicating or being unable to fail over. To help prevent this from happening, I am going to show you how to monitor the replication of your storage accounts. Keep in mind that replication logs are not available as part of the storage account's diagnostic settings.
Title: Reporting on Storage Account Access Tier Statistics
Source: Core Infrastructure and Security
Author: Anthony Watherston
Publication Date: February 22, 2023
Content excerpt:
I have a customer with some very large storage accounts – of course as the size of an account gets larger so does the cost. Customers can use Blob Lifecycle Management rules to control when blobs are moved to a lower tier (hot -> cool -> archive), but they can also use blob inventory rules to analyze the blobs contained in that storage account. Each blob has an access tier property which denotes which type of storage that blob is present in. This post helps to automate the retrieval of those details and publish it into a Log Analytics workspace for analysis and reporting.
Title: Group Policy Analytics Framework
Source: Core Infrastructure and Security
Author: Bindusar Kushwaha
Publication Date: February 22, 2023
Content excerpt:
If we talk about pre-COVID times, people were working in offices, and data was monitored/controlled using proxy servers, firewalls, etc. in place. End users were keeping files using roaming profiles or folder redirection. File sharing was allowed over SMB. Authentication and authorization were done using Kerberos in Active Directory. In some organizations, USB sticks/hard disks were not allowed in the office, or the USB port itself was blocked, and such configurations were endless.
And then COVID-19 came, halting all our day-to-day activities.
This unprecedented situation pushed users along with IT Admins to start working from home forcing administrators to change their way of managing organizational devices.
Earlier, users, devices and data were limited to office premises, in a controlled environment. The work-from-home scenario brought everything onto the open internet. Moreover, admins still need to manage users, devices, and data.
Title: The Nightmare of Validating Certificate Requests
Source: Core Infrastructure and Security
Author: Dagmar Heidecker
Publication Date: February 26, 2023
Content excerpt:
At CRSP we help customers to recover from different types of cyber security incidents. This means that we help more or less with wherever help is needed (from hardening AD and AAD, to restoring Exchange). However, there are some things which are crucial to not getting re-compromised and therefore we don't let our customers come online without: Securing and hardening Active Directory and all kinds of Azure resources.
During the last 1.5 years some papers and articles drew attention to risky misconfiguration of Active Directory Certificate Services (ADCS) and its potential for Active Directory (and Azure) dominance. Therefore, an essential part of our Compromise Recovery engagements deals with introducing unpopular measures like using PAWs (Privileged Access Workstations) or stopping unverified enrollment of certificates allowing custom subjects. The latter involves reviewing certificate template configuration and security settings in Active Directory. Please note that certificate templates are not the only aspect of securing ADCS, but the one we want to focus on in this article.
Title: Integrating Azure Front Door WAF with Azure Container Apps
Source: FastTrack for Azure
Author: Chris Bellee
Publication Date: February 1, 2023
Content excerpt:
Many customers require Web Applications & APIs to only be accessible via a private IP address with a Web Application Firewall on the internet edge, to protect from common exploits and vulnerabilities. Azure Front Door provides global routing and WAF capabilities to satisfy this requirement.
Title: Azure Container Deployment Options
Source: FastTrack for Azure
Author: Faisal Mustafa
Publication Date: February 9, 2023
Content excerpt:
The main scope of this blog is to evaluate and understand the capabilities and limitations of Azure container services to help you choose the optimal platform for your container deployments. The container services in scope for this blog are App Service Web App for Containers, Azure Container Instances (ACI), Azure Container Apps (ACA), and Azure Kubernetes Service (AKS). The blog also elaborates on use cases that map well to respective container services and important details learned while evaluating a container service for customer projects/workloads, such as ACA versus AKS.
Title: The Best Defense is a Good Offense: Security Tips for Azure Machine Learning Solutions
Source: FastTrack for Azure
Author: Kate Baroni
Publication Date: February 21, 2023
Content excerpt:
As cyberattacks grow more sophisticated and cloud solutions more complex, how does an engineering team prioritize security? A good offense.
The tips shared in this article are grounded on the three guiding principles at the core of the Zero Trust security model.
Title: Expanding support for Attack surface reduction rules with Microsoft Intune
Source: Intune Customer Success
Author: Laura Arrizza
Publication Date: February 6, 2023
Content excerpt:
In May 2022, Security Settings Management for Microsoft Defender for Endpoint became generally available. This empowers security teams to configure devices with their desired Antivirus, Endpoint detection and response (EDR), and Firewall settings directly from the Microsoft Intune admin center, without the need for a full device enrollment.
We are expanding our coverage to include settings within the Attack surface reduction (ASR) rules security template with these capabilities.
Title: Azure Policies for Automating Azure Governance - Automating Policies
Source: ITOps Talk
Author: Amy Colyer
Publication Date: February 2, 2023
Content excerpt:
In my earlier Azure Policy post, I covered issues and concerns organizations may face and how many built in Azure policies can address these problems. Now we are going to take it a step further and discuss how to enforce policies and automate their creation. Policies applied at the top level will be inherited by all of the child levels. It is recommended to put best practice policies that cover the entire organization at the Management Group level, and more specific application team policies at the Resource Group level. Try to find a good balance here to ensure you are meeting the policy statements you have defined while also allowing you to easily change policy as required to meet application team requirements as long as they still adhere to core policy rules.
Title: Wired for Hybrid - Episode 3 - What's New in Azure Networking - February 2023 Edition
Source: ITOps Talk
Author: Pierre Roman
Publication Date: February 15, 2023
Content excerpt:
Azure Networking is the foundation of your infrastructure in Azure. So, we’re happy to bring you a monthly update on What’s new in Azure Networking.
Title: Automate provisioning and governance of your on-premises applications
Source: Microsoft Entra (Azure AD)
Author: Joseph Dadzie
Publication Date: February 8, 2023
Content excerpt:
I’m excited to announce the general availability of provisioning to on-premises applications using Microsoft Entra Identity Governance. You can now automate provisioning and manage the lifecycle of users in on-premises applications, without requiring any custom code.
Title: Collaborate securely across organizational boundaries and Microsoft clouds
Source: Microsoft Entra (Azure AD)
Author: Robin Goldstein
Publication Date: February 23, 2023
Content excerpt:
Today I’m super excited to announce that the capability to collaborate across Microsoft clouds is generally available! This means there’s now support for Azure Active Directory (Azure AD) B2B collaboration across the following Microsoft clouds:
- Azure Commercial and Azure Government clouds
- Azure Commercial and Azure China clouds (operated by 21Vianet)
Title: What’s new in Microsoft Intune - 2302 (February) edition
Source: Microsoft Intune
Author: Ramya Chitrakar
Publication Date: February 24, 2023
Content excerpt:
In the February Microsoft Intune service release (2302), we're providing integration, troubleshooting, and reporting to help IT admins improve user experiences. We're introducing an exciting integration between Intune and ServiceNow. This is a big step towards enabling helpdesk admins tasked with troubleshooting endpoint issues. We've also just released a major overhaul in reporting for devices without a compliance policy.
Title: The New Microsoft Security Customer Connection Program (CCP)
Source: Security, Compliance, and Identity
Author: Kristina Quick
Publication Date: February 3, 2023
Content excerpt:
The security community is constantly growing, changing, and learning from each other in order to better position the world against cyber security threats.
For years, Microsoft has driven a customer-obsessed development process by hosting two private communities for end-users of Microsoft security products: the Microsoft Cloud Security Private Community and the Microsoft 365 Defender Customer Connection Program. Under a strict confidentiality framework, our engineering teams get direct community feedback and insights for our roadmap plans, new user experience designs, private preview features, and more.
Today, we are happy to announce that these two communities have now come together under one team – The Microsoft Security Customer Connection Program.
Title: IT pros: join us every month for Windows Office Hours!
Source: Windows IT Pro
Author: Heather Poulsen
Publication Date: February 15, 2023
Content excerpt:
To support your efforts to deliver and deploy updates to the Windows devices being used by remote, onsite, and hybrid workers across your organization, and manage those devices effectively, we are continuing our series of weekly "office hours" for IT professionals here on Tech Community.
Title: Skilling snack: From on premises to the cloud
Source: Windows IT Pro
Author: Danny Guillory
Publication Date: February 16, 2023
Content excerpt:
How skilled are you in migration from on premises to the cloud? Whether you've experienced this process in your company, prepare to do so soon, or have inherited cloud or hybrid environments, welcome to the table!
Title: Skilling snack: Intro to Azure Active Directory
Source: Windows IT Pro
Author: Dave Davies
Publication Date: February 23, 2023
Content excerpt:
Passwords. PINs. Windows Hello. Passwordless authentication. Azure Active Directory (Azure AD) is the solution to all your organizational authentication needs, whether exclusively in the cloud or in hybrid environments. Brush up on the types of modern device identity, ways cloud-first devices authenticate to existing resources, tips to approach an Azure AD deployment, and how modern management brings insights to hybrid Azure AD devices. Today’s selection of resources, learning modules, and videos feeds a variety of needs and preferences.
Previous CTO! Guides:
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)
Published Mar 03, 2023
Version 1.0